MobileIron Core

Administration Guide

Core Version 7.0


Standalone Sentry Version 6.0
Integrated Sentry Version 6.0
Android Client Version 6.0
iOS Client Version 6.0
Windows Phone Client Version 6.0

June 29, 2014

Proprietary and Confidential


Do Not Distribute
2009-2014 Mobile Iron, Inc. All Rights Reserved. Any
reproduction or redistribution of part or all of these materials is
strictly prohibited. Information in this publication is subject to
change without notice. Mobile Iron, Inc. does not warrant the
use of this publication.

For some phone images, a third-party database and image library, 2007-2009 Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the Mobile Iron product.

MobileIron, Connected Cloud, and MyPhone@Work are registered trademarks of Mobile Iron, Inc. BlackBerry is a registered trademark of RIM. Windows is a registered trademark of Microsoft, Inc. iPhone is a trademark of Apple, Inc. Android is a trademark of Google Inc. B-SAFE, SSL-J are registered trademarks of RSA Security LLC.
Contents
Section I: Device Management - - - - - - - - - - - - - - - - - - - - 31
Chapter 1 Getting Started .......................................................................... 33
Administration tools ............................................................................ 34
Installation ........................................................................................ 34
Starting Admin Portal .......................................................................... 34
Bookmarking Admin Portal pages .................................................................. 34
Logging out ........................................................................................ 34
Setup tasks ........................................................................................ 35
Setting the enterprise name ................................................................. 35
Setting the external hostname .............................................................. 35
Setting the EULA or other login text ...................................................... 35
Enabling last login information display ................................................... 36
Enabling iOS MDM support ................................................................... 36
If you intend to develop and distribute in-house apps .............................. 37
If you have already enabled iOS MDM support ........................................ 37
If you have not requested an MDM certificate yet .................................... 37
If you already have your MDM certificate ................................................ 38
Confirming MDM for an iOS device ........................................................ 39
Denying check-ins for devices having expired MDM certificates ................. 39
Displaying a report of devices having expired MDM certificates .................. 39
Using the Admin Portal ........................................................................ 40
Navigating the Admin Portal ................................................................. 40
Displaying hints in the Admin Portal ...................................................... 41
Supported features by OS .................................................................... 43
Common feature set ............................................................................ 43
Android ............................................................................................. 46
BlackBerry 10 ..................................................................................... 48
iOS ................................................................................................... 48
Mac OS X ........................................................................................... 50
Windows Phone 7 ................................................................................ 50
Windows Phone 8 ................................................................................ 51
Windows Phone 8.1 ............................................................................. 52
Windows RT/Pro ................................................................................. 53
Windows 8.1 RT/Pro ............................................................................ 53
Supported platforms ............................................................................ 54
Supported OS X devices ............................................................................... 54

Chapter 2 Managing Users ......................................................................... 57


Introduction to user management ......................................................... 58
User sources ...................................................................................... 58
misystem user ............................................................................................ 58

Local Users Created During Setup .................................................................. 58
Users and roles ................................................................................... 59
LDAP groups and roles ................................................................................. 59
Enforce Single Session role and concurrent session control ............................... 59
User management page ....................................................................... 60
Required role .............................................................................................. 60

Managing LDAP users .......................................................................... 61


Displaying available LDAP users ............................................................ 61
Viewing LDAP user/group associations ................................................... 62
Configuring the set of LDAP groups ....................................................... 62
Synchronizing with the LDAP server ....................................................... 63
Changing the LDAP Sync Interval .................................................................. 63
Setting the LDAP sync discard option ..................................................... 64
When the LDAP sync declines ........................................................................ 65
Deleting LDAP users ............................................................................ 65
Moving between the LDAP user display and the local user view ................. 66
Changing passwords for LDAP users ...................................................... 66
Don't append _MIxx ............................................................................ 66
Assigning and removing device user roles ............................................... 67
Managing local users in Admin Portal ..................................................... 69
Adding local users in Admin Portal ......................................................... 69
Editing local users in Admin Portal ......................................................... 70
Linking local users to LDAP users .......................................................... 71
Deleting local users in Admin Portal ....................................................... 71
Forcing a password change for local users .............................................. 72
Language support ............................................................................... 74
Translated versions of clients ................................................................ 74
Selecting languages ............................................................................ 74
Setting the system default language ..................................................... 75
Changing language selection from Admin Portal ...................................... 76
Chapter 3 Registering Devices .................................................................... 77
Overview of registration methods .......................................................... 78
Admin registers a single device ............................................................. 78
Best for ..................................................................................................... 78
Level of end-user interaction ........................................................................ 78
Prerequisites .............................................................................................. 78
See ........................................................................................................... 78
Admin registers a list of devices (bulk registration) .................................. 79
Best for ..................................................................................................... 79
Level of end-user interaction ........................................................................ 79
Prerequisites .............................................................................................. 79
See ........................................................................................................... 79
Admin invites users to register .............................................................. 79
See ........................................................................................................... 80
In-app registration for iOS and Android .................................................. 80
Best for ..................................................................................................... 80

Level of end-user interaction ........................................................................ 80
Prerequisites .............................................................................................. 80
See ........................................................................................................... 80
Users register additional devices ........................................................... 80
Best for ..................................................................................................... 80
Level of end-user interaction ........................................................................ 80
Prerequisites .............................................................................................. 81
See ........................................................................................................... 81
Admin registers ActiveSync devices ....................................................... 81
Best for ..................................................................................................... 81
Level of end-user interaction ........................................................................ 81
Prerequisites .............................................................................................. 81
See ........................................................................................................... 81
Registering an Apple TV ....................................................................... 81
Registration via web portal ................................................................... 82
Registering Android devices via web portal (MIRP) ........................................... 82
Usage notes ............................................................................................... 83

Registration considerations by OS ......................................................... 84


iOS ................................................................................................... 84
Android ............................................................................................. 84
Windows RT, and Windows 8 Pro ........................................................... 85
Windows Phone 8 ................................................................................ 85
Windows Phone 8.1 ............................................................................. 85
Windows 8.1 RT and Pro devices ........................................................... 86
Registration by administrator: individual devices ..................................... 87
What the user sees ............................................................................. 88
Registration by administrator: multiple devices (bulk registration) ............. 90
Contents of the CSV ............................................................................ 90
Multiple devices registration sample file .......................................................... 92
Guidelines for multiple devices bulk registration content ................................... 93
Loading the multiple devices registration CSV ......................................... 93
What the user sees ............................................................................. 93
Invite users to register ........................................................................ 94
What the user sees ............................................................................. 95
In-app registration for iOS and Android .................................................. 96
What the user sees ............................................................................. 96
Auto-populating the MobileIron Core server name during registration ......... 96
Auto-populating the MobileIron Core server name based on email address .. 96
Registering your MobileIron Core with MobileIron ............................................ 96
Auto-populating the MobileIron Core server name based on the phone number (Android) ........................................................................................... 97
ActiveSync device registration .............................................................. 98
Tracking registration status .................................................................. 99
Managing operators and countries ....................................................... 100
Enabling operators .............................................................................100

Enabling additional countries for registration .........................................100
Disabling operators ............................................................................100
Filtering operators ..............................................................................101
Searching for an operator ........................................................................... 101
Displaying operators by country .................................................................. 101
Displaying operators by status .................................................................... 101

Specifying eligible platforms for registration .......................................... 102


Configuring user authentication requirements for registration (iOS, Android, Windows Phone) ............................................................................... 103
Limit for failed attempts to enter a registration password ........................103
PIN-based authentication for WP8 devices .............................................103
If the PIN expires for WP8 devices ............................................................... 104
PIN-based authentication for WP8.1 devices ..........................................104
Customizing registration messages ...................................................... 105
Displaying registration templates .........................................................105
Editing registration messages ..............................................................105
Using variables in registration messages ...............................................106
Variable descriptions .................................................................................. 107
Filtering registration messages ............................................................108
Restoring registration messages to default content .................................108
Registration notes ............................................................................. 109
iOS profile fails to install .....................................................................109
Removing old MobileIron profiles on iOS devices ........................................... 109

Chapter 4 Managing Devices..................................................................... 111


Overview of managing devices and users ............................................. 112
The Users and Devices pages ..............................................................112
Access to Users and Devices pages .............................................................. 112

Displaying device assets .................................................................... 113


Alerts displayed in the Devices page .....................................................115
Displaying more device and user information .........................................116
Device detail information ............................................................................ 117
Adding a comment to device details ............................................................. 118
Displaying log data for a selected device ...................................................... 118
Export to CSV ....................................................................................118
Searching for a device record ..............................................................121
Basic searching ......................................................................................... 121
Advanced searching ...........................................................................122
To access advanced search: ....................................................................... 122
Searchable fields ....................................................................................... 122
Advanced search using the query builder ...................................................... 123
Advanced search using a manually edited search expression ........................... 123
Advanced search using both the query builder and manual editing ................... 123
To clear an advanced search: ..................................................................... 125
Searching for retired devices ...................................................................... 125
Searching for blocked devices ..................................................................... 125
Save to label .....................................................................................125

Creating a label based on custom LDAP user attributes ...........................126
Using the Users & Devices dashboard ..................................................126
Devices dashboard charts ........................................................................... 127
Arranging the dashboard charts ...........................................................127
Changing the charts included in the device dashboard .............................127
Reporting on managed devices ............................................................128
Registration-related features and tasks ................................................ 129
Reprovision device .............................................................................129
Retire ...............................................................................................129
Resend provision message ..................................................................130
Security-related features and tasks ..................................................... 131
Lock .................................................................................................131
Unlock ..............................................................................................132
Wipe ................................................................................................133
Selective Wipe ...................................................................................133
Block AppTunnels ...............................................................................134
Lost .................................................................................................134
Found ...............................................................................................135
Locate ..............................................................................................135
Reset device PIN (WP8.1 devices only) .................................................137
Maintenance features and tasks .......................................................... 138
Send Message ...................................................................................138
Update Roaming Settings ....................................................................139
Enabling roaming for iOS devices .........................................................140
Disabling roaming for iOS Devices ........................................................140
Viewing roaming settings for iOS devices ..............................................141
Change Ownership .............................................................................141
Apply To Label ...................................................................................141
Remove From Label ...........................................................................142
Using labels to establish groups .......................................................... 143
Default labels ....................................................................................143
Filter and manual type labels ...............................................................144
Creating labels ..................................................................................144
Editing Labels ....................................................................................145
Viewing devices currently associated with a label ...................................145
Associating a filter with a label: dynamic labels ......................................145
Example: Creating a label for devices by operator ......................................... 145
Example: Creating a label for devices by LDAP group .................................... 145
Deleting labels ...................................................................................146
Delegated administration ................................................................... 147
Administrator types ............................................................................147
Designing MobileIron Core to use delegated administration ......................149
Creating device spaces and assigning administrators ..............................150
Updating device spaces .............................................................................. 152

Specifying devices for device spaces ............................................................ 152
Searchable fields ....................................................................................... 153
Switching device spaces ......................................................................154
Managing device spaces ......................................................................154
Managing device space priority ................................................................... 154
Deleting device spaces ............................................................................... 155
Assigning administrators to spaces .......................................................156
Removing administrators from Device Spaces ............................................... 156
Editing administrator roles .......................................................................... 157
Labels and delegated administration ............................................................ 160
Role correspondences .........................................................................161
Working with Apple DEP devices .......................................................... 163
Adding Your MobileIron Core to the DEP Portal .......................................163
Assigning Apple DEP device to MobileIron Core ......................................163
Associating DEP Devices with MobileIron Core ........................................164
Viewing DEP accounts .........................................................................164
Managing DEP accounts ......................................................................165
Adding DEP Enrollment Profiles ................................................................... 166
Assigning devices to DEP enrollment profiles ................................................. 167
Removing DEP device enrollment profile assignments ..................................... 168
Deleting DEP enrollment profiles ................................................................. 168
Editing DEP Account Information ................................................................. 169
Deleting DEP Accounts ............................................................................... 169
Checking for Apple DEP Account Updates ...................................................... 169
Disowning DEP devices .............................................................................. 169
Creating DEP device file for assigning devices to enrollment profiles ................. 170

Chapter 5 Managing Policies ..................................................................... 173


Overview of managing policies ............................................................ 174
Policies page .....................................................................................174
Required role ............................................................................................ 175

Working with policies ......................................................................... 176


Displaying policies ..............................................................................176
Editing policies .................................................................................176
Applying policies to labels ...................................................................176
Removing Policies from labels ..............................................................177
Creating a new policy .........................................................................177
Deleting policies ................................................................................177
What happens when you delete a policy ....................................................... 178
Displaying custom policies for a selected label .......................................178
Displaying custom policies for a selected user ........................................178
Prioritizing policies .............................................................................178
Displaying policy status ......................................................................179
Displaying supported platforms for policies ............................................179
Enabling profile encryption ..................................................................180
Working with default policies .............................................................. 181
Working with security policies ............................................................. 182

Windows 8.1 RT and Pro password specifications: .......................................... 191
If you change password specifications ...................................................192
Compliance actions for security policy violations .....................................192
Default compliance actions ......................................................................... 193
Custom compliance actions ......................................................................... 194
Creating a custom compliance action ........................................................... 194
When the compliance action takes effect ...................................................... 198
Confirming removal of configurations for iOS ................................................ 198
Restoring configurations ............................................................................. 199
Viewing quarantine information ............................................................199
Devices page: quarantined devices .............................................................. 199
Configurations page: configurations removed due to quarantine ...................... 199

Working with privacy policies .............................................................. 200


Working with lockdown policies ........................................................... 203
Working with sync policies .................................................................. 208
Sync policies and battery use ..............................................................212
Country changes and alerts .................................................................212
iOS multitasking sync interval and sending device details to MobileIron Core .. 212
Android devices and the Client Is Always Connected option ......................212
Working with Docs@Work policies ....................................................... 214
Working with single-app mode policies for iOS ...................................... 215
Finding the bundle ID .........................................................................215
Working with global HTTP proxy policies ............................................... 217
Working with Android kiosk policies ..................................................... 219
Working with Android Quick Setup policies ............................................ 220
Working with Samsung general policies ................................................ 222
Attestation support for Samsung KNOX .................................................222
Configuring attestation on MobileIron Core ................................................... 223
Configuring attestation step-by-step ............................................................ 223
Attestation behavior on the device ............................................................... 225

Troubleshooting policies ..................................................................... 227


Troubleshooting: compliance actions ....................................................227
Troubleshooting: Android encryption ....................................................227
Troubleshooting: quarantine on iOS devices ..........................................227
Chapter 6 Managing Device Settings with Configurations .............................. 229
About managing device settings .......................................................... 230
Configurations page ...........................................................................231
Required role ............................................................................................ 231
Default configurations .........................................................................232
Editing default iOS MDM settings ................................................................. 232
Restoring system web clips (iOS) ................................................................ 234
Displaying configurations status ...........................................................234

Adding new configurations ..................................................................234
Editing configurations .........................................................................235
Deleting configurations .......................................................................235
Android Samsung browser settings ...................................................... 236
Configuring SmartCard browser authentication ......................................236
Step-by-step ............................................................................................ 236
SmartCard browser behavior on the device ................................................... 237
Android Samsung kiosk settings .......................................................... 238
Android Samsung KNOX Container settings ........................................... 239
Supported variables ................................................................................... 242
Exchange settings ............................................................................. 243
Multiple Exchange Support for Android ..................................................249
iOS/OS X Exchange profiles and password caching .................................249
Email settings (POP and IMAP) ............................................................ 250
Supported variables ...........................................................................252
Wi-Fi settings ................................................................................... 253
For Windows 8.1 RT and Pro devices .....................................................253
For WP8.1 devices .............................................................................253
Wi-Fi profiles and password caching .....................................................253
Authentication types ...........................................................................253
Open authentication .................................................................................. 254
Shared authentication ................................................................................ 257
WPA Enterprise authentication .................................................................... 260
WPA2 Enterprise authentication .................................................................. 263
WPA Personal authentication ....................................................................... 265
WPA2 Personal authentication ..................................................................... 266
Supported variables ...........................................................................267
VPN settings ..................................................................................... 268
Note the following for WP8.1 devices: .......................................................... 268
PPTP ................................................................................................268
L2TP ................................................................................................269
IPSec (Cisco) .....................................................................................270
IKEv2 ...............................................................................................275
Supported variables ................................................................................... 276
Note the following ..................................................................................... 276
Samsung KNOX IPsec .........................................................................277
Cisco AnyConnect ..............................................................................278
Juniper SSL (Junos Pulse) ...................................................................282
F5 SSL .............................................................................................286
Custom SSL for iOS ............................................................................290
Supported variables ...........................................................................294
iOS VPN profiles and password caching .................................................294
MobileIron Tunnel ..............................................................................294
AppConnect settings .......................................................................... 296
AppConnect Configuration settings ...................................................... 297
AppConnect Container policy settings ................................................... 298
Bookmarks settings ........................................................................... 299
Certificates settings ........................................................................... 300
SCEP settings ................................................................................... 301
Why proxy? .......................................................................................304
Supported variables ................................................................................... 304
If SCEP integration is not an option ............................................................. 305
Using Symantec Managed PKI ..............................................................305
Prerequisites ............................................................................................ 305
Using the OpenTrust integration ...........................................................305
Compatibility notes .................................................................................... 305
Pre-requisites ........................................................................................... 306
Configuring the integration with OpenTrust ................................................... 306
Supported variables ................................................................................... 307
Using Symantec Web Services Managed PKI ..........................................308
Before you begin ....................................................................................... 308
Configuring the Symantec Web Services Managed PKI settings ........................ 309
Supported variables ................................................................................... 311
Revoking the certificate .............................................................................. 312

MobileIron Core as a SCEP reverse proxy for WP8.1 devices ................... 313
Before you begin ...............................................................................313
Setting up SCEP proxy for WP8.1 devices ..............................................313
Configuring SCEP Settings for WP8.1 devices .........................................313
Configuring SCEP Reverse Proxies (WP8.1) ............................................314
Docs@Work settings .......................................................................... 315
Web@Work settings .......................................................................... 316
iOS and OS X settings ........................................................................ 317
General settings ................................................................................317
CalDAV settings .................................................................................317
Supported Variables .................................................................................. 318
CardDAV settings ...............................................................................318
Supported variables ................................................................................... 319
Web Clips settings ..............................................................................319
Configuration profile settings ...............................................................320
LDAP settings ....................................................................................320
iOS settings ..................................................................................... 322
AirPlay settings ..................................................................................322
AirPrint settings .................................................................................323
Restrictions settings ...........................................................................324
Subscribed Calendars settings .............................................................329
Supported Variables .................................................................................. 330
APN settings ......................................................................................330
Provisioning Profile settings .................................................................331
Web content filter settings ..................................................................331
Configuring the web content filter ................................................................ 331
Browser impact ......................................................................................... 333
Removing a Web content configuration from a device ..................................... 334
Multiple web content configurations on a device ............................................ 334
Managed app configuration settings ......................................................334
Managed app configuration overview ........................................................... 334
Configuring the managed app config setting ................................................. 335
Viewing the plist file .................................................................................. 336
Removing a managed app config setting from a device ................................... 336
Supported variables ................................................................................... 336
Sample plist ............................................................................................. 336
Enterprise single sign-on settings .........................................................337
Supported variables ................................................................................... 339
iOS and OS X differences ................................................................... 340
Samsung KNOX support ..................................................................... 341
Disabling the container .......................................................................341
Re-enabling the container ...................................................................341
Chapter 7 Managing Certificates................................................................ 343
Overview of certificates ...................................................................... 344
Types of certificates ...........................................................................345
Android SAFE devices and certificates managed by MobileIron Core ..........346
Supported certificate scenarios ........................................................... 347
Using MobileIron Core as a Certificate Authority .....................................347
Using MobileIron Core as a certificate proxy ..........................................347
Using Kerberos constrained delegation ..................................................348
Using AppConnect app configuration .....................................................349
More information ...............................................................................349
Chapter 8 Troubleshooting Devices............................................................ 351
Overview of troubleshooting devices .................................................... 352
Force Device Check-In ....................................................................... 353
Using logs ........................................................................................ 354
MDM Log ..........................................................................................354
Viewing Errors .......................................................................................... 354
Certificate Log ...................................................................................354
Removing a Certificate From the Certificate Log ............................................ 355
Revoking a Certificate ................................................................................ 355
Browse All Logs (General Log) .............................................................355
Browsing all log entries .............................................................................. 356
Displaying related log entries ...................................................................... 356
Searching log entries ................................................................................ 356
Service Diagnostic screen ................................................................... 358
Chapter 9 Working with Events ................................................................. 359
About events .................................................................................... 360
Events page ......................................................................................360
Required role ............................................................................................ 360
Managing events ............................................................................... 361
Creating an event ..............................................................................361
Making sure the alert is sent to the correct recipients .............................361
Applying the event to a label ...............................................................362
Editing an event ................................................................................362
Deleting an event ..............................................................................362
Setting alert preferences .....................................................................362
Event types ...................................................................................... 363
International roaming event ................................................................363
SIM changed event ............................................................................366
Memory size exceeded event ...............................................................369
System event ....................................................................................371
Policy violations event ........................................................................375
Displaying event center templates ........................................................380
Adding custom Event Center messages .................................................381
Using variables in Event Center messages .............................................383
Variable descriptions .................................................................................. 384
Specifying which template to use .........................................................385
Filtering Event Center messages ..........................................................385
Editing Event Center messages ............................................................386
Deleting Event Center messages ..........................................................386
Customizing Event Center messages .................................................... 387
Displaying Event Center templates .......................................................387
Adding custom Event Center messages .................................................387
Using variables in Event Center messages .............................................389
Variable descriptions .................................................................................. 390
Specifying which template to use .........................................................391
Filtering Event Center messages ..........................................................391
Editing Event Center messages ............................................................391
Deleting Event Center messages ..........................................................392
Events ............................................................................................. 393
Marking as Read or Unread .................................................................393
Filtering events ..................................................................................393
Event lifecycle and status ........................................................................... 394
Exporting event history .......................................................................394
Adding a note ....................................................................................394
Chapter 10 Working with MobileIron Sentry.................................................. 395
MobileIron Sentry ............................................................................. 396
Adding, editing, and deleting a Sentry on MobileIron Core ...................... 397
Adding an entry for MobileIron Integrated Sentry ...................................397
Adding a MobileIron Standalone Sentry entry ........................................398
Editing MobileIron Sentry settings ........................................................405
Deleting a Sentry entry .......................................................................405
Disabling a Sentry entry .....................................................................406
451 redirect processing ...................................................................... 407
Disabling redirect processing ...............................................................407
Device and server authentication support for Standalone Sentry .............. 408
Device authentication .........................................................................408
Server authentication .........................................................................409
Configuring device and server authentication .........................................409
Authentication using Pass Through .......................................................410
Authentication using a group certificate ................................................410
Authentication using an identity certificate and Pass Through ...................411
Authentication using an identity certificate and Kerberos constrained delegation ...412
Device Authentication Configuration section .................................................. 413
ActiveSync Configuration section ................................................................. 414
App Tunneling Configuration section ............................................................ 414
Kerberos Authentication Configuration section ............................................... 415
Authentication using Trusted Front-End .................................................416
Managing certificates for Standalone Sentry ......................................... 417
Generating a self-signed certificate for Sentry ........................................417
Generating a CSR for Sentry ................................................................418
Uploading Sentry certificates ...............................................................420
Viewing a Sentry certificate .................................................................421
Email attachment control support for Standalone Sentry ........................ 422
Supported devices and email apps .......................................................422
iOS email apps .......................................................................................... 422
Android email apps .................................................................................... 422
Email attachment control options .........................................................423
Remove attachment .................................................................................. 423
Open Only with Docs@Work and Protect with Encryption ................................ 424
Deliver as is ............................................................................................. 425
Open with Secure Email App ....................................................................... 425
Forwarding emails with attachments .....................................................425
Standalone Sentry S/MIME handling to sign or encrypt emails ..................425
Digitally signed emails ............................................................................... 425
Encrypted emails ...................................................................................... 426
Configuring email attachment control ................................................... 427
Configure the Standalone Sentry ..........................................................427
Checking for configuration errors .........................................................428
Changing the encryption option ...........................................................429
Attachment control recommendation for multiple Sentrys ........................429
Default file name exclusion list .............................................................430
Regenerate the encryption key if it is compromised ................................431
ActiveSync server background health check .......................................... 434
Viewing the ActiveSync server status ....................................................434
Setting Sentry preferences ................................................................. 435
Auto blocking unregistered devices .......................................................435
Setting the Sentry Sync Interval ..........................................................435
Setting the Service Account Notification Email .......................................436
Default ActiveSync Policy behavior .......................................................436
Chapter 11 Working with ActiveSync Phones via MobileIron Sentry.................. 439
ActiveSync devices and MobileIron Sentry ............................................ 440
Working with ActiveSync policies ......................................................... 442
Adding multiple ActiveSync accounts to a registered device .................... 448
Viewing ActiveSync associations .......................................................... 449
Information displayed for ActiveSync associations ....................................449
Filtering the ActiveSync associations list ................................................450
Displaying more information for an ActiveSync association ......................450
Taking Actions on ActiveSync associations ............................................ 452
Allow ................................................................................................452
Block ................................................................................................453
Wipe ................................................................................................455
Registering ActiveSync phones ............................................................456
Removing ActiveSync phones ..............................................................456
Linking an ActiveSync device to a managed device .................................457
Overriding and re-establishing MobileIron Core management of a device ...457
Assigning an ActiveSync policy ............................................................458
Reverting an ActiveSync policy ............................................................458
Allowing Windows 7 devices to sync ..................................................... 460
Chapter 12 Using the SMS Archive Feature................................................... 463
About the SMS Archive feature ........................................................... 464
Supported devices .............................................................................464
Setting Up the SMS Archive feature ......................................................464
SMS archival and privacy policies .........................................................465
Monitoring SMS archival ..................................................................... 466
Checking the SMS archive queue ..........................................................466
Overriding the SMS delivery interval .....................................................466
Checking the number of delivered SMSes ..............................................466
Event Center options ..........................................................................466
Chapter 13 Using Enterprise Connector........................................................ 469
Enterprise Connector for MobileIron Core ............................................. 470
Installation and configuration tasks ......................................................470
Viewing Enterprise Connector status .....................................................470
Working with the Connector ............................................................... 471
Viewing the Connector detailed information ...........................................471
Changing user passwords ....................................................................472
Changing a user's password on MobileIron Core ............................................ 472
Changing a user's password on the Connector ............................................... 472
Changing the status reporting interval ..................................................472
Configuring connector LDAP timeout .....................................................473
Section II: Apps and Data Management - - - - - - - - - - - - - - - 475
Chapter 14 Managing Mobile Apps with Apps@Work ...................................... 477
About managing mobile apps .............................................................. 478
What is the app distribution library? .....................................................478
What is app control? ...........................................................................478
What is app inventory? .......................................................................479
Working with apps for iOS devices ....................................................... 481
Customizing the App Storefront ...........................................................482
Prerequisites .....................................................................................482
iOS managed apps .............................................................................483
Registration PIN and managed apps ............................................................. 483
iOS managed app configuration ...........................................................483
AppConnect apps ...............................................................................483
Apps@Work container for iOS ..............................................................484
Authentication options and iOS versions ................................................484
Setting up Apps@Work for iOS ............................................................484
Setting authentication options ..................................................................... 485
Assigning the iOS label to the Apps@Work web clip ....................................... 485
Populating Apps@Work for iOS ............................................................485
Importing app store apps for iOS: App Store import ...............................485
Manually adding App Store apps for iOS ................................................486
Getting the iTunes app ID .......................................................................... 490
Per app VPN priority ...........................................................................492
Adding in-house apps for iOS ...............................................................492
Publishing apps in Apps@Work for iOS devices .......................................496
User notification of newly-published apps ..................................................... 497
Removing apps from the app distribution library ....................................498
Linking app store apps to inventory apps ..............................................498
Upgrading apps .................................................................................498
Changing iOS app information .............................................................499
Changing the iOS app icon and screenshots ...........................................500
Creating a category for iOS apps ..........................................................500
Changing or adding a category for an iOS app .......................................500
Turning user-paid apps into managed apps ...........................................501
Informing users of new apps and upgrades for featured apps ...................501
Editing app distribution messages ........................................................502
Using variables in app distribution messages ................................................. 502
Customizing the Apps@Work icon on iOS ..............................................502
Unpublishing iOS apps (removing from labels) .......................................503
Managing iOS Volume Purchase Program (VPP) apps with redemption codes ...504
How Apple's program works ................................................................504
Where MobileIron comes in .................................................................504
What device users see ........................................................................504
Setup tasks .......................................................................................504
Uploading the payment file to MobileIron Core .......................................505
Applying VPP labels ............................................................................505
Example: Recommend an app to all iOS users, pay for executives ................... 505
Configuring a VPP alert .......................................................................505
Apple's Volume Purchase Plan (VPP) license management ....................... 507
New VPP features ...............................................................................507
Reclaim VPP licenses ................................................................................. 507
Sync VPP license usage with Apple .............................................................. 507
Manage multiple VPP accounts .................................................................... 508
Using redemption codes and licenses ....................................................508
Differences between redemption codes and licenses ...............................508
App Licenses page .............................................................................509
Adding a VPP account .........................................................................509
Before you begin ....................................................................................... 509
To add a VPP account: ............................................................................... 509
Importing VPP apps from the VPP account .............................................510
Importing VPP apps from the App Distribution Library .............................510
Applying VPP labels ............................................................................511
Viewing VPP account information ..........................................................511
Viewing VPP app information ...............................................................511
Taking actions on a VPP account ..........................................................512
What the user sees ............................................................................512
Working with apps for Android devices ................................................. 513
What are Google Play apps? ................................................................513
What are in-house apps? ....................................................................513
What are secure apps? .......................................................................513
Silent install and uninstall on Samsung SAFE devices ..............................513
Adding Google Play apps for Android ....................................................514
Android app versions and device counts ....................................................... 516
Adding in-house apps for Android .........................................................517
Adding secure apps for Android ............................................................518
Adding apps to the app storefront for Android devices .............................521
User notification of newly-published apps ..................................................... 521
Enhanced Apps@Work ........................................................................522
Using Apps@Work on an Android device ................................................522
Featured tab ............................................................................................. 523
Categories tab .......................................................................................... 523
Updates tab .............................................................................................. 523
App details ............................................................................................... 523
Searching for an app ................................................................................. 523
Localized Apps@Work ................................................................................ 523
Troubleshooting: Android apps ............................................................524
Working with apps for Windows Phone 8 devices ................................... 525
Importing recommended apps for WP8 devices ......................................525
In-house and third-party apps for WP8 devices ......................................525
Before you develop in-house apps for WP8 devices .................................526
Certificates and tokens for in-house apps for WP8 devices .............................. 526
Third-party apps for WP8 devices ................................................................ 526
WP8 app file specifications for upload to MobileIron Core ................................ 527
Adding the AET and applying a label .....................................................527
Adding in-house and third-party apps for distribution to WP8 devices ........527
Upgrading to a new version of an app on WP8 devices ............................529
Editing WP8 app information ...............................................................529
Deleting a Windows Phone 8 app from MobileIron Core ...........................529
Setting up your WP8 device .................................................................530
Working with apps for Windows 8.1 RT and Pro devices .......................... 531
Importing recommended apps .............................................................531
In-house and third-party apps for Windows 8.1 Pro and RT devices ..........531
Certificates and sideloading keys ..........................................................532
Certificates ............................................................................................... 532
Sideloading keys ....................................................................................... 532
App file specifications .........................................................................532
Adding and updating in-house and third-party apps for distribution ...........532
Editing the app information .................................................................533
Deleting an app from MobileIron Core ...................................................534
Setting up your Windows 8.1 RT or Pro device .......................................534
Working with Web Application ............................................................. 535
Taking actions on web applications .......................................................536
Installing web applications ..................................................................536
View number of devices installed ..........................................................536
What the device user sees ...................................................................537
Enable Installation of Web Applications on iOS is not checked .............. 537
Enable Installation of Web Applications on iOS is checked ................... 537
Setting up app control ....................................................................... 538
App control alerts ..............................................................................538
App control rule types ........................................................................539
App control rule criteria ......................................................................539
App control rules applied in security policies ..........................................539
Configuring app control alerts ..............................................................540
Adding an app control rule ..................................................................540
Editing app control rules ............................................................................. 541
Identifying the GUID for the Windows Phone app ........................................... 541
Applying an app control rule to a security policy .....................................542
Viewing app control status ..................................................................542
Viewing app inventory ....................................................................... 543
What's in an app name? ......................................................................543
Synchronizing app inventory ...............................................................543
App filters .........................................................................................544
Filtering the inventory display ..............................................................544
Displaying the devices on which an app is installed .................................544
Managing app inventory ..................................................................... 545
Determining which apps are new ..........................................................545
Determining when an app was first reported ..........................................545
Launching a web search for a selected app ............................................545
Displaying permissions for Android apps ...............................................546
Deciding whether an app is OK ............................................................546
What happens when a bad app is removed? .................................................. 546
Moving directly to the App Control screen ..............................................547
Upgrading the MobileIron client application ........................................... 548
Override for in-house app URLs ........................................................... 549
Implementing app source override on MobileIron Core ............................549
Manual synchronization of apps ...........................................................550
Malware prevention: App reputation .................................................... 551
Enabling app reputation ......................................................................551
Confirming configuration of the app reputation service ................................... 552
Viewing app reputation data ................................................................553
Chapter 15 Docs@Work ............................................................................ 555
About Docs@Work ............................................................................ 556
Docs@Work for content servers ...........................................................556
For iOS .................................................................................................... 556
For Android .............................................................................................. 556
Docs@Work for email attachment control ..............................................556
Attachment handling for iOS ....................................................................... 556
Attachment handling for Android ................................................................. 557
Encryption for iOS Docs@Work documents sent as email attachments .......557
iOS 7 considerations .................................................................................. 558
Limitations ............................................................................................... 558
Annotating documents with Docs@Work for iOS .....................................559
Single Sign On for Docs@Work ............................................................559
Supported content servers ..................................................................559
Content Server Port Requirements ............................................................... 560
Supported authentication to content servers ..........................................560
Supported ActiveSync servers for attachment control ..............................560
Supported devices .............................................................................560
iOS devices .............................................................................................. 560
Android devices with AppConnect enabled .................................................... 561
Other platform devices ............................................................................... 561
Docs@Work requirements ...................................................................561
File viewers .......................................................................................561
SharePoint Prerequisites .....................................................................561
File synchronization (iOS) ...................................................................562
Data security (iOS) ............................................................................562
Configuring email attachment control ................................................... 563
Configuring Docs@Work for content servers (Android) ........................... 564
Configuring Docs@Work for content servers (iOS) ................................. 565
Docs@Work setup tasks ..................................................................... 566
Enable Docs@Work ............................................................................566
For Android, obtain and configure apps .................................................566
Set up Docs@Work configurations ........................................................567
Implementing priority folders ...................................................................... 569
Specify the URL of the Docs@Work configuration (SharePoint) ........................ 570
For iOS: Set up Docs@Work policies .....................................................571
Set up your preference for saving passwords on MobileIron Core ..............576
Impacts of other MobileIron features (iOS) ........................................... 577
Quarantine impact on documents .........................................................577
Retire and wipe impact on documents ...................................................577
Block impact on documents .................................................................578
Jailbreak impact on documents ............................................................578
Impacts of other MobileIron features (Android) ..................................... 579
Supported files in the Mobile@Work for iOS app .................................... 580
Chapter 16 AppConnect ............................................................................ 581
About AppConnect ............................................................................. 582
What are AppConnect-enabled apps? ....................................................582
Secure apps from MobileIron ...................................................................... 582
AppConnect and third-party/in-house secure apps ......................................... 582
AppConnect and AppTunnel .................................................................583
Standard AppTunnel .................................................................................. 583
Advanced AppTunnel ................................................................................. 583
AppConnect apps and Single Sign On ....................................................583
App-specific configuration from MobileIron Core .....................................584
What operating systems support AppConnect? .......................................584
AppConnect for Android ......................................................................584
Supported Android devices ......................................................................... 584
Component compatibility ............................................................................ 584
The Mobile@Work app and the Secure Apps Manager ..................................... 585
Data loss prevention for secure apps for Android ........................................... 585
Data encryption for secure apps for Android .................................................. 586
Special badging for secure apps for Android .................................................. 586
AppConnect for iOS ............................................................................586
Data loss prevention for secure apps for iOS ................................................. 586
Data encryption for secure apps for iOS ....................................................... 586
How to configure AppConnect ............................................................. 588
Basic configuration .............................................................................588
Adding third-party and in-house secure apps .........................................588
Adding AppTunnel or Advanced AppTunnel support .................................588
Adding compliance actions ..................................................................589
AppConnect configuration tasks .......................................................... 590
Adding secure apps for deployment ......................................................590
Configuring the AppConnect global policy ..............................................590
AppConnect passcode requirements ............................................................. 591
Configuration steps ................................................................................... 592
Interaction with the lockdown policy ............................................................ 602
Configuring AppConnect container policies .............................................603
AppConnect app authorization ..................................................................... 603
Data loss prevention settings ...................................................................... 603
Automatically created AppConnect container policies ...................................... 603
Configuration tasks ................................................................................... 604
Enabling MobileIron secure apps ..........................................................607
Enabling AppConnect third-party and in-house apps ...............................607
Configuring an AppTunnel service ........................................................608
Configuring an AppConnect app configuration ........................................614
Automatically created AppConnect app configuration ...................................... 614
Automatically provided key-value pairs ........................................................ 615
Configuration tasks ................................................................................... 615
Enabling AppTunnel ............................................................................621
Configuring the Open With Secure Email App option ...............................621
Configuring compliance actions ............................................................621
Managing AppTunnel ......................................................................... 623
Manually blocking the AppTunnel feature on a device ..............................623
Viewing App Tunnels ..........................................................................623
Taking actions on app tunnels ..............................................................624
Using AppConnect for Android ............................................................. 625
Why a Secure Apps Manager? ..............................................................625
AppConnect apps that MobileIron provides for Android ............................625
Third-party AppConnect apps that MobileIron provides for Android ...........626
Hybrid web app support ......................................................................628
PhoneGap apps ..................................................................................628
Hybrid web apps using Advanced AppTunnel ..........................................629
Enabling MobileIron Core licensing options for Android secure apps ..........630
License key support ...........................................................................631
Document types supported by ThinkFree Document Viewer .....................631
Using AppTunnel with the SharePoint Client app .....................................632
Using AppTunnel with the IBM Notes Traveler client app ..........................632
Lock, unlock, and retire impact on AppConnect for Android ......................633
Lock impact .............................................................................................. 633
Unlock impact ........................................................................................... 633
Retire impact ............................................................................................ 634
Copy/Paste for AppConnect for Android .................................................634
Comparison with AppConnect for iOS copy/paste policy .................................. 635
Interaction with Exchange setting ................................................................ 636
DLP policy for browser launching ..........................................................636
Secure File Manager features ...............................................................637
Secure folder access ...........................................................................637
Situations that wipe Android AppConnect app data .................................638
Accessible Android apps to preserve the user experience .........................638
Device details for AppConnect apps for Android ......................................639
Secure Apps Manager Android permission .............................................640
Using AppConnect for iOS .................................................................. 641
AppConnect apps that MobileIron provides for iOS ..................................641
Mobile@Work and AppConnect apps .....................................................641
App checkin and Mobile@Work .................................................................... 642
The AppConnect passcode inactivity timeout and Mobile@Work ....................... 642
Situations that wipe AppConnect for iOS app data ..................................643
Dual-mode apps ................................................................................643
Detailed logging for AppConnect apps for iOS ........................................644
Component compatibility ............................................................................ 644
Log levels ................................................................................................ 644
Log data collection overview ....................................................................... 645
Configuring the log level and debug code ..................................................... 646
Apply labels if necessary ............................................................................ 646
Log level configuration impact on the device ................................................. 647
Activating verbose or debug logging on the device ......................................... 648
Collecting the logs ..................................................................................... 649
Viewing the logs ........................................................................................ 650
Remove log level configuration when no longer needed .................................. 651
Upgrade considerations .............................................................................. 651
Chapter 17 Web@Work ............................................................................. 653
Overview ......................................................................................... 654
AppConnect and non-AppConnect modes: Web@Work for iOS ..................654
Web@Work overview ..........................................................................655
Multi-factor authentication and authorization for device users ..................657
Web@Work URL schemes (iOS) ............................................................658
Pasteboard data loss prevention handling (iOS) ......................................658
Situations when Web@Work deletes its sensitive data (iOS) .....................659
Web@Work for iOS distribution ............................................................659
Web@Work for Android distribution ......................................................659
Secure enterprise web site access using AppTunnel ............................... 660
Web@Work user agent string ............................................................. 662
Configuring Web@Work on the Admin Portal ......................................... 663
Enabling Web@Work ..........................................................................665
Set up a Standalone Sentry to support AppTunnel for Web@Work ............665
Set up a device passcode (iOS only) ............................................. 670
Configure an AppConnect global policy ..................................................670
Configure an AppConnect container policy for Web@Work ............................... 671
Configure a Web@Work setting ............................................................672
Add Web@Work for iOS to the app distribution library .............................676
Upload Web@Work for Android to MobileIron Core and apply labels ..........676
Obtaining the Web@Work for Android app .................................................... 677
Obtaining other Android AppConnect apps that interact with Web@Work for Android ..... 677
Section III: System Management - - - - - - - - - - - - - - - - - - 679
Chapter 18 Overview of System Manager ..................................................... 681
Introduction to System Manager ......................................................... 682
Getting started ................................................................................. 683
Starting System Manager ....................................................................683
Starting System Manager from Admin Portal ..........................................684
Logging out .......................................................................................684
Saving a configuration ........................................................................684
Chapter 19 Configuring MobileIron Core System Settings ............................... 685
Overview ......................................................................................... 686
Interfaces ........................................................................................ 687
Managing network interfaces ...............................................................687
Changing physical interfaces ...............................................................687
Adding VLAN interfaces .......................................................................688
Deleting a VLAN interface ....................................................................689
Routes ............................................................................................. 690
Adding network routes ........................................................................690
Deleting network routes ......................................................................690
DNS and Hostname ........................................................................... 692
Static Hosts ...................................................................................... 693
Adding hosts ............................................................................................ 693
Editing hosts ............................................................................................ 694
Deleting hosts .......................................................................................... 694
Date and Time (NTP) ......................................................................... 695
CLI ................................................................................................. 697
Syslog ............................................................................................. 698
Splunk Forwarder .............................................................................. 699
Adding the Splunk indexer on MobileIron Core .......................................699
Editing the Splunk indexer ..................................................................700
Deleting the Splunk indexer ................................................................700
SNMP .............................................................................................. 701
Enabling the SNMP service ......................................................................... 701
Editing the Read only community string ....................................................... 701
Adding a trap receiver ............................................................................... 701
Editing a trap receiver ............................................................................... 702
Deleting a trap receiver .............................................................................. 702
Email Settings .................................................................................. 703
Port Settings .................................................................................... 705
Data Purge ....................................................................................... 707
Specifying what gets purged ....................................................................... 708
Checking actual system storage .................................................................. 709
Setting up the system storage alert ............................................................. 709
Manual purging ......................................................................................... 709
Reporting Database Exporter .............................................................. 710
Generating the authentication token .....................................................710
Configuring the Reporting Database Exporter .........................................710
Services .......................................................................................... 711
Chapter 20 Configuring MobileIron Core Security Settings .............................. 713
Overview ......................................................................................... 714
Identity Source > Local Users ............................................................. 715
Adding local users for System Manager .................................................715
Editing local users for System Manager .................................................716
Deleting local users for System Manager ...............................................717
Certificate Mgmt ............................................................................... 718
To generate a self-signed certificate .....................................................718
To generate a certificate signing request (CSR) ......................................719
Uploading certificates .........................................................................722
Viewing certificates ............................................................................723
Access Control Lists ........................................................................... 724
Editing an ACL ...................................................................................726
Copying an ACL .................................................................................726
Deleting an ACL .................................................................................727
Networks and Hosts .......................................................................... 728
Network Services .............................................................................. 730
Access Control Lists: ACLs .................................................................. 732
Portal ACLs ...................................................................................... 733
Chapter 21 Configuring MobileIron Core Maintenance Settings ........................ 735
Overview ......................................................................................... 736
Getting MobileIron server software updates .......................................... 737
Exporting the configuration ................................................................ 738
Importing a configuration ................................................................... 739
Clearing the configuration .................................................................. 740
Rebooting ........................................................................................ 741
Manually purging data (system storage) .............................................. 742
Backing up and restoring MobileIron Core ............................................. 743
Configuring system backups ................................................................743
Prerequisites ............................................................................ 743
Backup settings ........................................................................................ 743
Enabling backups ...................................................................................... 745
Running an immediate system backup ......................................................... 745
Backup file ............................................................................................... 745
Viewing backup status ........................................................................745
Viewing backup logs ...........................................................................746
Restoring from a system backup ..........................................................747
Requirements ........................................................................................... 747
Procedure ................................................................................................ 747
Restoring data only ............................................................................748
Chapter 22 Troubleshooting ....................................................................... 749
Overview ......................................................................................... 750
Working with logs ............................................................................. 751
Enabling debugging for MobileIron modules ...........................................751
Disabling debugging ...........................................................................751
Disabling all debugging .............................................................................. 751
Disabling debugging for MICS or the employee portal ..................................... 752
Disabling debugging for MIFS packages ........................................................ 752
Clearing logs .....................................................................................752
Viewing logs ......................................................................................752
Viewing only new log entries ....................................................................... 753
Viewing logs by device or user .................................................................... 753
Exporting logs ...................................................................................753
Working with remote (Sentry) logs .......................................................755
Enabling remote logs ................................................................................. 755
Viewing remote logs .................................................................................. 756

Network monitor ............................................................................... 757


Service diagnosis .............................................................................. 758
LDAP sync history ..............................................................................758

Section IV: Command Line Interface (CLI) - - - - - - - - - - - - - - 759


Chapter 23 Command Line Interface ........................................................... 761
About CLI ........................................................................................ 761
Logging in .........................................................................................761
Logging out .......................................................................................761
Help commands .................................................................................761
Auto-complete keys ...........................................................................762
Movement keys .................................................................................762
Deletion keys ....................................................................................762
Modes ..............................................................................................763
EXEC mode commands ...................................................................... 764
enable ..............................................................................................764
exit ..................................................................................................765
help .................................................................................................765
host .................................................................................................765
logout ..............................................................................................766
ping .................................................................................................766
show banner .....................................................................................766
show clock ........................................................................................766
show hostname .................................................................................767
show interfaces .................................................................................767
show ip ............................................................................................767
show log ...........................................................................................768
show logging .....................................................................................770
show logtail .......................................................................................770
show memory ...................................................................................771
show ntp status .................................................................................771
show processes .................................................................................771
show service .....................................................................................772
show software repository ....................................................................772
show tcp ...........................................................................................772
show timeout ....................................................................................773
show version .....................................................................................774
timeout ............................................................................................774
traceroute .........................................................................................774
EXEC PRIVILEGED commands ............................................................. 775
clear arp-cache ..................................................................................776
configure terminal ..............................................................................776
dbcleanup app_inventory ....................................................................777
disable .............................................................................................777
diskcleanup retired_devices .................................................................777
diskcleanup trashed_apps ...................................................................777
end ..................................................................................................778
exit ..................................................................................................778
failover .............................................................................................778
grubupdate .......................................................................................778
install rpm ........................................................................................778
no install rpm ....................................................................................780
poweroff ...........................................................................................780
reload ..............................................................................................780
service .............................................................................................780
setup ...............................................................................................781
show portalacl ...................................................................................782
show running-config ...........................................................................782
show statichost ..................................................................................783
show system .....................................................................................783
show tech .........................................................................................785
software checkupdate .........................................................................785
software update .................................................................................785
ssh ..................................................................................................786
telnet ...............................................................................................786
write ................................................................................................786
CONFIG commands ........................................................................... 787
banner .............................................................................................788
certificate client .................................................................................788
certificate portal ................................................................................789
clock set ...........................................................................................789
do ....................................................................................................789
enable secret ....................................................................................790
end ..................................................................................................790
eula .................................................................................................791
hostname .........................................................................................791
interface GigabitEthernet ....................................................................791
interface VLAN ...................................................................................792
ip arp ...............................................................................................792
ip domain-name ................................................................................793
ip name-server ..................................................................................793
ip route ............................................................................................793
kparam ............................................................................................793
no ....................................................................................................794
ntp ..................................................................................................795
portalacl ...........................................................................................796
service .............................................................................................796
service support ..................................................................................796
software repository ............................................................................797
statichost ..........................................................................................797
syslog ..............................................................................................798
system user ......................................................................................798
INTERFACE mode commands .............................................................. 799
end ..................................................................................................799
ip address .........................................................................................800
no ....................................................................................................800
physical interface GigabitEthernet ........................................................801

shutdown ..........................................................................................801

Section V: Appendixes - - - - - - - - - - - - - - - - - - - - - - - 803


Appendix A Web-based Registration for iOS and OS X Devices 805
What is web-based registration? ......................................................... 806
Preparation .......................................................................................806
Supported browsers for iOS and OSX devices ................................................ 806
Installing the Mobile@Work app for iOS ................................................806
Implementing web-based registration for iOS and OS X devices .............. 807
Create a pending device report ............................................................808
Appendix B Distributing iOS MDM Profiles with Apple Configurator 809
Notes on using Apple Configurator .......................................................809
How to use Apple Configurator for MobileIron registration .......................809
Acquiring serial numbers ............................................................................ 810
Bulk-registering the devices ........................................................................ 810
Exporting the MDM profile from MobileIron Core ............................................ 810
Importing the MDM profile into the Configurator ............................................ 810
Applying the MDM profile to the tethered device ............................................ 813
Importing the iOS MDM profile using Apple Configurator 1.4.2 ......................... 814

Appendix C Secure Apps on Android Devices 817


Download and install the secure apps .................................................. 818
Create the secure apps passcode ........................................................ 819
Secure apps notifications ................................................................... 820
Secure apps status bar icons .............................................................. 821
Camera, gallery, and media player warning messages ............................ 822
Appendix D Secure apps on iOS Devices 823
Secure apps passcode management .................................................... 824
Creating a secure apps passcode ..........................................................824
Logging in with the secure apps passcode .............................................826
Logging out of secure apps ..................................................................827
Resetting the secure apps passcode - user initiated ................................828
Resetting the secure apps passcode - administrator initiated ....................832
Handling a forgotten secure apps passcode ...........................................834
When the device user realizes that he has forgotten the passcode ................... 835
When the device user exceeds the maximum number of attempts ................... 837
Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5 ............... 838

Secure apps status display ................................................................. 839


Navigating to the secure apps status display ..........................................839
The secure apps status display contents ................................................839
Status details for a specific secure app ..................................................840
Appendix E Docs@Work for iOS 843
Accessing content server documents ....................................................844
Setting up access to a content server yourself ............................................... 844
Logging in to a content server that an administrator set up ............................. 846
Viewing a content server document ............................................................. 846
Accessing priority folder documents ......................................................847
Accessing email attachments ...............................................................849
Opening an email attachment in Mobile@Work .............................................. 849
Viewing the Replacement file for an email attachment .................................... 851
Managing local files ............................................................................852
Saving a content server document as a local file ............................................ 852
Saving an email attachment as a local file .................................................... 854
Viewing a local file ..................................................................................... 855
Viewing a local file that has changed on the content server ............................. 856
Deleting a local file .................................................................................... 858
Managing recently opened email attachments ........................................859
Viewing a recent attachment ...................................................................... 859
Saving a recent attachment to a local file ..................................................... 860
Deleting a recent attachment ...................................................................... 862
Opening documents in other apps ........................................................864
Annotating documents in Docs@Work for iOS ........................................866
Saving files for annotation .......................................................................... 866
Saving PDF annotations in the same local file ................................................ 869
Saving a remote SharePoint file for annotation .............................................. 870
Annotating PDFs in Docs@Work ...........................................................871
Adding a note ........................................................................................... 872
Editing text in a note ................................................................................. 872
Removing a note ....................................................................................... 872
Copying and pasting a note ........................................................................ 872
Editing the color or style of a note ............................................................... 873
Adding an annotation (highlight, underline, strike-through) ............................. 873
Editing an annotation ................................................................................. 874
Adding a note to an annotation ................................................................... 875
Removing an annotation ............................................................................ 875
Removing a note attached to an annotation .................................................. 876
Copying an annotation ............................................................................... 876
Editing the color of an annotation ................................................................ 876
Changing Docs@Work Settings ............................................................877
Supported files in the Mobile@Work for iOS app .....................................880
Mobile@Work on an iPad .....................................................................880
The master pane and the detail pane ........................................................... 880
Placement of file handling icons ................................................................... 881

Appendix F The SharePoint Client App for Android 883


Accessing a content server ..................................................................883
Set up content server access ...............................................................883
View the content server repository's documents .....................................887
Refresh the content server ..................................................................889
Save documents locally ......................................................................890
Email a document ..............................................................................892
Automatically saved documents ...........................................................894
Appendix G Working with the MobileIron App and Related Agents for Android 895
Uninstalling the MobileIron app for Android ........................................... 896
Uninstalling the Samsung DM Agent .................................................... 899
For Mobile@Work 5.9, Samsung MDM 4.0 .............................................899
Troubleshooting email setup on Android devices .................................... 900
How the Email Setup screen works .......................................................901
Device Administrator privileges for the Samsung email app .....................902
Troubleshooting based on results .........................................................903
Troubleshooting Wi-Fi setup on Android devices .................................... 904
Displaying the Wi-Fi Setup page ...........................................................905
Understanding and using the Wi-Fi Setup page ......................................907
If the device user enters the wrong password ............................................... 909
Troubleshooting based on results .........................................................909
Profile invalid: Configuration Error ............................................................... 909

Certificate configuration support on the MobileIron for Android app .......... 910
Certificate Setup screen ......................................................................910
Certificate support for Wi-Fi setup ........................................................911
Certificate alerts ................................................................................911
Appendix H Multi-User Support for iOS 913
Using Secure Sign-In ......................................................................... 914
Setting Secure Sign-In preferences ..................................................... 917
Setting unique restrictions for signed-out devices .................................. 918
Example ...........................................................................................918
Enabling Secure Sign-In ..................................................................... 919
User certificates and device certificates .................................................919
Remote sign-out ............................................................................... 920
What gets removed on sign-out .......................................................... 921
Appendix I Android Kiosk Support 923
Requirements ....................................................................................923
Setup steps ...................................................................................... 924
Finding the package name for an Android app ........................................924
Creating an Android Kiosk policy ......................................................... 925
Single-app kiosk policy .......................................................................925
Multiple-apps kiosk policy ...................................................................926
Creating an Android Kiosk configuration ............................................... 929
Enabling/Disabling Android kiosk mode ................................................ 930
From the Admin Portal ........................................................................930
From the kiosk device .........................................................................930
Example .......................................................................................... 931
Device details ................................................................................... 932
Deployment notes ............................................................................. 933
Appendix J The User Portal: MyPhone@Work 935
What is MyPhone@Work? ................................................................... 936
Browser Settings ....................................................................................... 936
Adobe Flash Player .................................................................................... 936
Supported platforms ...........................................................................936
Getting started ................................................................................. 937
Logging in .........................................................................................937
Registering phones .............................................................................938
Searching .........................................................................................939
Logging out .......................................................................................940
Home .............................................................................................. 941
Communication Graph ........................................................................941
Turning nodes into contacts ........................................................................ 943
My Usage ..........................................................................................944
Storage ............................................................................................944
Lost Phone ........................................................................................945
Finding the last known location ................................................................... 945
Locking your phone ................................................................................... 947
Wipe It .................................................................................................... 947
Restoring your phone ................................................................................ 947
If you have more than one phone ........................................................948
My Apps ...........................................................................................948
Contacts .......................................................................................... 949
Displaying contacts ............................................................................949
Searching contacts .............................................................................950
Adding contacts .................................................................................950
Editing contacts .................................................................................951
Deleting contacts ...............................................................................952
Calls & Texts .................................................................................... 953
Showing/Hiding content ......................................................................953
Filtering calls and text ........................................................................953
Using keywords ........................................................................................ 953
Displaying calls and/or texts ....................................................................... 954
Restricting the display to a date range ......................................................... 954

Activity ............................................................................................ 955


Filtering activity .................................................................................955
Displaying underlying data ..................................................................955
Apps ............................................................................................... 957
Browsing apps ...................................................................................957
Installing apps ...................................................................................958
Uninstalling apps ...............................................................................959
Preferences ...................................................................................... 960
Privacy settings .................................................................................960
Account settings ................................................................................960
Change Password ...................................................................................... 960
Certificate ................................................................................................ 960

Appendix K Physical Appliance Hardware Specification 961


MobileIron Standard Appliance (M2100 3rd Generation) ......................... 962
MobileIron Standard Appliance (M2100 2nd Generation) ......................... 964
MobileIron M2500 Series Appliance ...................................................... 966
Appendix L Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates 969
What the HTTP outbound proxy does not apply to ..................................970
Section I: Device Management
Getting Started
Managing Users
Registering Devices
Managing Devices
Managing Policies
Managing Device Settings with Configurations
Managing Certificates
Troubleshooting Devices
Working with Events
Working with MobileIron Sentry
Working with ActiveSync Phones via MobileIron Sentry
Using the SMS Archive Feature
Using Enterprise Connector

Company Confidential
31
Chapter 1

Getting Started
Administration tools
Setup tasks
Using the Admin Portal
Supported features by OS

Getting Started

Administration tools
MobileIron Core has the following administration tools:
Admin Portal
System Manager

Admin Portal handles the most common administrative tasks.

System Manager handles Core configuration and system troubleshooting. See Section III: System Management for information on using System Manager.

Installation
The Admin Portal is installed as part of the system setup. See the Installation Guide
for installation details.

Starting Admin Portal


To log into Admin Portal:
1. Enter the URL for the MobileIron Admin Portal in a supported browser:
https://<fully_qualified_hostname>/mifs
2. Enter a user ID and password having a role that provides access to at least a portion of the Admin Portal. The ID and password are case sensitive.
Note: The Super Administrator created during installation has an appropriate role.
3. Click Sign In.
If you enter the wrong password five consecutive times, the user ID you entered
will be locked out temporarily. Wait 30 seconds and try again.
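The lockout rule in step 3 (five consecutive wrong passwords lock the user ID, and the lock clears after 30 seconds) can be modelled as a small reference policy. The following is an added example written for this guide, not MobileIron's implementation; the per-user-ID record, the injectable clock and the decision that a correct password is still rejected while the lock is in force are assumptions made so the rule can be run and checked offline.

```python
"""Reference model of a consecutive-failure login lockout (added example).

Models the Admin Portal rule described above: five consecutive wrong
passwords lock the user ID temporarily, and the lock expires after
30 seconds. This is not MobileIron's code; the per-user record, the
injectable clock and the handling of attempts made while locked are
assumptions so the model runs and can be tested offline.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive wrong passwords before lockout (from the guide)
LOCKOUT_SECONDS = 30    # how long the user ID stays locked (from the guide)


@dataclass
class _Account:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # clock timestamp; 0.0 means not locked


class LockoutPolicy:
    """Tracks consecutive failures per user ID and enforces a temporary lock."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock     # injectable so tests can advance time deterministically
        self._accounts = {}     # user_id -> _Account

    def is_locked(self, user_id: str) -> bool:
        acct = self._accounts.get(user_id)
        return acct is not None and self._clock() < acct.locked_until

    def record_attempt(self, user_id: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        acct = self._accounts.setdefault(user_id, _Account())
        now = self._clock()
        if now < acct.locked_until:
            # Assumption: while locked, attempts are rejected regardless of password.
            return "locked"
        if password_ok:
            acct.consecutive_failures = 0   # a success ends the failure streak
            acct.locked_until = 0.0
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.consecutive_failures = 0   # streak starts over once the lock expires
            return "locked"
        return "failed"


def demo() -> list[str]:
    """Drive the policy with a fake clock; returns the sequence of outcomes."""
    t = [0.0]                                   # constructed clock, seconds
    policy = LockoutPolicy(clock=lambda: t[0])
    out = [policy.record_attempt("admin", False) for _ in range(4)]  # four 'failed'
    out.append(policy.record_attempt("admin", False))  # fifth failure -> 'locked'
    out.append(policy.record_attempt("admin", True))   # right password, still locked
    t[0] = 31.0                                        # 31 s later the lock has expired
    out.append(policy.record_attempt("admin", True))   # -> 'ok'
    return out


if __name__ == "__main__":
    print(demo())
```

Keying the lock on the user ID rather than the client address matches the wording above ("the user ID you entered will be locked out"), which also means a lockout can be triggered for an administrator by someone who does not know the password; the 30-second expiry keeps that a nuisance rather than a denial of service.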

Bookmarking Admin Portal pages


Do not create bookmarks for Admin Portal pages. Session IDs will be included in the bookmark and may cause connection problems. If you would like to create a bookmark for the Admin Portal, create one manually for the following URL:

https://<fully_qualified_hostname>/mifs

Logging out
To log out of the MobileIron Admin Portal, click the Log Out link in the upper right corner. If you do not log out, your session will expire after a period of inactivity.


Setup tasks

Setting the enterprise name


The company name entered during MobileIron Core installation is used as the default enterprise name identifying your organization in email, SMSes, alerts, and certificates. If the company name you entered is not the one you want to use in these contexts, you can change the name. Be sure to do so before you upload certificates, or you may impact all registered devices. To change this name:
1. Go to Settings >Preferences in the Admin Portal.
2. In the Enterprise Name field, enter the text to use when referring to the enterprise.
3. Click Save.

Setting the external hostname


The external hostname is set during installation. It is used in the registration URL sent to users for completing the registration process. It is also used in self-signed certificates. Note that changing this field requires the following:
Regeneration of any self-signed certificates or uploading matching portal-HTTPS
and client-TLS certificates
Rebooting the appliance

To specify a different host name to use for external access:


1. Go to Settings > Preferences in the Admin Portal.
2. In the External Host field, enter the fully-qualified domain name to be used for
accessing MobileIron.
3. Click Save.

Setting the EULA or other login text


You can configure MobileIron Core to display an End User License Agreement (EULA)
or any other text on the Admin Portal login screen and on the System Manager login
screen.

To enable this setting:


1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Security Preferences.
3. For Enable Login Text Box, select On.
4. In Text To Display, enter the text.
Note: Core treats the text as plain characters. It does not recognize, for example,
HTML tags. The text must be ASCII only; no multi-byte characters are allowed.
5. Click Save.
The Admin Portal and the System Manager display the text the next time a user
logs in.


Note: The MobileIron Core CLI command banner, available in CLI CONFIG mode, also
sets this text.

To disable this setting:


1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Security Preferences.
3. For Enable Login Text Box, select Off.
The text you had entered in Text To Display is grayed out.
4. Click Save.
The Admin Portal and the System Manager do not display the text the next time a user
logs in.

Enabling last login information display


You can enable a setting to show the current Admin Portal user information about
their last login to the Admin Portal. This gives administrators a way to notice use of
their account that they did not perform. The information displays in the top right
corner of the Admin Portal, beneath the user ID. An example of the information is:

Last login was 3/11/2014 1:28:52 PM from 171.15.10.221

The information includes:


the date of the last login
the time of the last login
the IP address of the computer that was used for the last login

To configure this setting:


1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Security Preferences.
3. For Always Show Last Login, select Yes.
4. Click Save.
The Admin Portal displays the last login information the next time a user logs in.

Enabling iOS MDM support


Once you have completed all steps required by Apple, you can enable iOS MDM support
in MobileIron. See the following source for information on Apple's current program:

http://www.apple.com/ipad/business/integration/mdm/

MobileIron uses Apple's enhanced MDM certificate infrastructure to streamline the
process of acquiring and uploading an MDM certificate. You can now complete the
following tasks from a single screen within the Admin Portal:
generate a Certificate Signing Request (CSR)
upload the CSR
access the Apple Push Certificates Portal to request a certificate
upload the MDM certificate

If you already have an MDM certificate, but have not uploaded it, you can upload it
from the same screen.

If you intend to develop and distribute in-house apps


If you intend to develop in-house apps for distribution, then you still need to
participate in Apple's iOS Developer Enterprise Program (iDEP). The enhanced MDM
certificate infrastructure does not eliminate this requirement.

If you have already enabled iOS MDM support


If you enabled iOS MDM support in a previous MobileIron release, then you should not
use the enhanced certificate infrastructure at this time unless otherwise instructed by
Apple or MobileIron. Doing so will disable your current certificates for all registered
iOS devices.

If you have not requested an MDM certificate yet


To complete the process if you have not yet requested the MDM certificate from Apple:
1. In the Admin Portal, select Settings.
2. Scroll down to the MDM Preferences section.
3. Select the Enable MDM Profile option.
4. Click Install MDM Certificate.
The MDM Certificate Generation dialog displays.
5. Click Create a CSR to generate the required property list in Apple's .PLIST XML
format.
This may take a few minutes. Click the Refresh icon to update the status of this
task.
6. Once the plist has been generated, click Download plist.
7. Select a location for the plist when prompted.
The downloaded file is req-plist.txt.
8. Click the Apple Push Certificates Portal link to start the process of requesting the
MDM certificate.
9. When you receive the MDM certificate from Apple, click Upload MDM Certificate.
The Upload MDM Certificate dialog appears.
10. Click Browse to select the MDM certificate.
11. Click Upload Certificate.

If you already have your MDM certificate


If you have already requested and received your MDM certificate from Apple, you can
upload the certificate using the following steps:
1. In the Admin Portal, select Settings.
2. Scroll down to the MDM Preferences section.
3. Select the Enable MDM Profile option.
4. Click Install MDM Certificate.
The MDM Certificate Generation dialog displays.


5. Select I already have an MDM Certificate, and want to upload it.

6. Click Display Upload Certificate Form. The Upload MDM Certificate dialog appears.
7. Click Choose File to select the MDM certificate.
8. Click Upload Certificate.

Confirming MDM for an iOS device


To confirm that MDM is operational for an iOS device:
1. Go to Users & Devices > Devices.
2. Select any iOS device and click the up arrow to expand the device details.
3. In the Device Details tab, confirm that the MDM Operational flag value is Yes.

Denying check-ins for devices having expired MDM certificates


By default, MobileIron Core allows iOS devices with expired MDM certificates to check
in. An expired client certificate no longer vouches for the device's identity, so
review which devices are affected before changing the default (see "Displaying a
report of devices having expired MDM certificates" below); devices on that report can
no longer check in once the option is cleared. To deny check-ins to these devices:
1. Select Settings > Preferences in Admin Portal.
2. In the MDM Preferences section, clear the Permit expired client certificate option.
3. Click Save.

Displaying a report of devices having expired MDM certificates

To display a list of iOS devices having expired MDM certificates, do the following:
1. Select Settings > Preferences in Admin Portal.
2. In the MDM Preferences section, click the MDM Certificate Report link.
3. Open or save the resulting CSV file.


Using the Admin Portal


There are some basic points to review before you start using the Admin Portal.
Navigating the Admin Portal
Displaying hints in the Admin Portal

Navigating the Admin Portal

The following table describes the numbered UI elements in the Admin Portal.

Number  Element              Description
1       Main menu            The main navigation menu.
2       Secondary menu       Displays the sub-level menus for the main menu.
3       Page level task bar  Includes the set of actions you can take on each record
                             displayed in the page.
4       Login information    Displays the user logged in, and the function to sign out.
5       Information center   Provides links to the MobileIron support website and
                             MobileIron Core version information.
                             Getting Documentation: the MobileIron support website
                             also includes product documentation. You will need
                             credentials to access the MobileIron support website.
6       System manager       Links to the System Manager.
7       Page                 Displays all the records for the menu.
8       Details panel        Displays more information for each record in the Page.


To switch from the Admin Portal to the System Manager, select the System Manager
link at the top of any page in the Admin Portal.

You will be prompted to enter a user ID and password. Enter the user ID and pass-
word for the local user created during setup or a local user created in the System
Manager under Security > Local Users.

Note: During setup, two local users having the same credentials are created, one for
Admin Portal and one for System Manager. If you have made changes to the roles or
password for the Admin Portal user, these changes will not affect the System Manager
user.

To switch from the System Manager to the Admin Portal, select the Admin Portal link
at the top right of any page in the System Manager. Note that certain actions per-
formed in the System Manager may require you to log in again when you switch to
Admin Portal.

Displaying hints in the Admin Portal


Each screen in the Admin Portal includes a hidden panel displaying basic information
about the use of the screen. Two buttons are available for displaying the panel.

To display the panel and leave it open, click the double arrow button in the upper right
portion of the screen. To display the panel and have it close automatically when you
move the cursor away from the panel, click the ? button.

Supported features by OS
Each operating system has features and limitations that differentiate it from the other
operating systems. Depending on the device's operating system and native API, some
of the MobileIron features are available and some are not.

Below is information about the features available for each supported operating sys-
tem:
Common feature set on page 43
Android on page 46
BlackBerry 10 on page 48
iOS on page 48
Mac OS X on page 50
Windows Phone 7 on page 50
Windows Phone 8 on page 51
Windows Phone 8.1 on page 52
Windows RT/Pro on page 53
Windows 8.1 RT/Pro on page 53
Supported platforms on page 54

Common feature set


This table lists features across Android, iOS, Mac OS X, Windows Phone 7, Windows
Phone 8, Windows Phone 8.1, and Windows 8.1 RT/Pro devices.

All features in this table are common to both Android and iOS devices. If a feature is
available on only iOS or Android, but not on both, it will not be listed in this table.
Other operating systems are included in this table to provide quick access to informa-
tion about the availability of features in comparison with Android and iOS.

See the remaining sections for the full feature set of each operating system.

Legend: yes = supported; partial = partially supported; - = not supported; N/A = not
applicable. Letters in parentheses refer to the footnotes that follow the table.

Provisioning                          Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Per Device                            yes        yes        -              yes        -             yes         yes         -           -
Bulk                                  yes        yes        -              yes        -             yes         yes         -           -
User Self-Service (By Invitation)     yes        yes        -              -          -             yes         yes         -           yes(x)

Asset Management                      Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Device Inventory                      yes        yes        -              yes        -             yes         yes         -           yes
Device Details                        yes        yes        -              yes        -             yes         yes         -           yes
Ownership Status                      yes        yes        -              yes        -             yes         yes         -           yes
Designate Lost Device                 yes        yes        -              yes        -             -           -           -           -
Designate Found Device                yes        yes        -              yes        -             -           -           -           -
Retire Device                         yes        yes        -              yes        -             yes         yes         -           yes
Send Message                          yes        yes        -              -          -             partial(q)  partial(q)  -           -
Force Check-In                        yes        yes        -              yes        -             -           yes         -           yes
Reprovision Client                    yes        yes        -              -          -             -           -           -           -
Sync Policy                           yes        yes        -              -          -             partial(r)  partial(r)  -           -
Group Actions (Labels)                yes        yes        -              yes        -             yes         yes         -           yes

Security                              Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Lock                                  yes        yes        -              yes        -             -           yes         -           yes
Unlock                                yes        yes        -              -          -             -           -           -           -
Wipe                                  yes(b)     yes        yes(c)         yes        yes(c)        yes         yes         yes(c)      -
Selective Wipe                        yes(d)     yes(d)     -              -          -             yes(d)      yes(d)      -           yes(d)
Certificate Distribution              yes(i)     yes        -              yes        -             yes(f,v)    yes(f,v)    -           yes(w)
Encryption Policy (Internal Storage)  yes(g,i)   yes(t)     -              -          -             yes(h)      yes(h)      -           yes(y)
Encryption Policy (SD Card)           yes(i)     N/A        -              -          -             -           -           -           -
Password Policy                       yes        yes        yes(c)         yes        yes(c)        yes         yes         yes(c)      yes
Lockdown Policy                       yes(i)     yes(j)     -              -          -             yes(l)      yes         -           -
Privacy Policy                        partial(m) partial(m) -              partial(m) -             -           -           -           -
Block Registration by OS              yes        yes        -              yes        -             yes         yes         -           yes
Locate                                yes        yes        -              -          -             -           -           -           -
Email Attachment Control              yes(n)     yes(n)     -              -          partial(k,n)  -           -           partial(n)  -

Sentry Access Control                 Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Device Inventory                      yes        yes        yes            -          yes           yes         yes         yes         -
Device Details                        yes        yes        yes            -          yes           yes         yes         yes         yes
Allow / Block                         yes        yes        yes            -          yes           yes         yes         yes         yes
Wipe                                  yes        yes        yes            -          yes           yes         yes         yes         yes
Register                              yes        yes        -              -          -             yes         yes         -           yes
ActiveSync Policy                     yes        yes        yes            -          yes           yes         yes         yes         yes

Compliance Actions                    Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Alert via Event Center                yes        yes        -              yes        -             yes(q)      yes(q)      -           yes
Block ActiveSync via Sentry           yes        yes        -              -          -             yes         yes         -           -
Quarantine                            yes        yes        -              -          -             -           -           -           -
Block AppConnect Apps                 yes        yes        -              -          -             -           -           -           -
Block App Tunnels                     yes        yes        -              -          -             -           -           -           -
Wipe AppConnect Apps                  yes        yes        -              -          -             -           -           -           -
Remove Configurations                 yes        yes        -              -          -             -           -           -           -

App Management                        Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Enterprise App Storefront             yes        yes        -              -          -             yes         yes         -           yes
App Distribution Library              yes        yes        -              -          -             yes         yes         -           yes
App Control Policy                    yes        yes        -              -          -             -           yes         -           -
App Inventory                         yes        yes        -              yes        -             yes(u)      yes(u)      -           -
Install                               yes(i)     yes        -              -          -             yes         yes         -           yes
App Tunneling                         yes        yes        -              -          -             -           -           -           -

Content Management                    Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Content Server Access                 yes        yes        -              -          -             -           -           -           -
Secure Web Browsing                   yes        yes        -              -          -             -           -           -           -

Application Settings                  Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Exchange                              yes(i,p)   yes        -              partial(s) -             yes         yes         -           -
VPN                                   yes(e)     yes        -              yes        -             -           yes         -           yes(z)
Wi-Fi                                 yes        yes        -              yes        -             -           yes         -           yes

Alerting                              Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
International Roaming                 yes        yes        -              -          -             -           -           -           -
Event Center                          partial    partial    -              -          -             -           -           -           -

Troubleshooting                       Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Email Client Logs                     yes        yes        -              -          -             -           -           -           -

MyPhone@Work Portal                   Android    iOS(a)     BlackBerry 10  OS X(a)    WP7           WP8         WP8.1       Win RT/Pro  Win 8.1 RT/Pro
Register                              yes        yes        -              -          -             yes         -           -           -
Lock                                  yes        yes        -              -          -             -           -           -           -
Wipe                                  yes        yes        -              -          -             yes         -           -           -
Find It                               yes        yes        -              -          -             -           -           -           -
a Requires an APNS certificate for MDM (provided by Apple).
b Includes SD cards for most devices.
c Through MobileIron Sentry and ActiveSync.
d The Selective Wipe command is not supported. For Android, iOS, and WP8 devices, selective wipe of email is done
through security compliance actions, removing the device from the associated label, or retiring the device. For Win
8.1 RT/Pro devices, retiring the device from MobileIron Core removes the VPN settings, and partially removes the
Security policies.
e Supported for Cisco's AnyConnect, Juniper JunOS Pulse, and Samsung KNOX IPsec VPN on Android.
f Only root certificates are supported.
g Supported for Android 3.0 and higher.
h Cannot be disabled.
i Specific versions of Android, SAFE APIs, or Mobile@Work are required for some features. See the detailed
documentation.
j Through iOS Restriction settings.
k One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
l SD cards only.
m Device location and app inventory collection can be disabled on iOS and Android devices. App inventory collection
can be disabled on OS X. SMS can be disabled for Android.
n Through Docs@Work.
p Through integration with selected devices and email apps.
q Via email only.
r Push notifications are not supported; therefore, initial sync is supported at registration only, and subsequent changes are
not recognized.
s Only contacts are supported for OS X 10.7 and 10.8. For 10.9 Mavericks, contacts, mail, notes, reminders, and calendar
are supported.
t Via iOS Data Protection.
u In-house and third-party apps only.
v Identity certificates can be distributed via Mobile@Work.
w Only for Wi-Fi settings.
x User registers the device using the native MDM client. An invitation is not sent to the user.
y MobileIron Core only reports the device posture, whether the device is encrypted or not. Encryption policy settings are
not enforced. Device encryption is enabled by default on Windows 8.1 RT devices.
z For Windows 8.1 Pro and RT devices, only PPTP, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect VPN types
are supported.

Android
Features listed here that are not available on iOS: Encryption Policy (SD Card), Silent
Install/Uninstall, Extended Lockdown Policy, and Kiosk.

Security: Lock; Unlock; Wipe (a); Selective Wipe (Email); Certificate Distribution;
Encryption Policy (Internal Storage) (b, c); Encryption Policy (SD Card) (b); Password
Policy; Lockdown Policy (b, c, d); Privacy Policy (partial) (e); Block Registration by OS;
Locate; Email Attachment Control (f); App Tunneling.

Asset Management: Device Inventory; Device Details; Ownership Status; Designate Lost
Device; Designate Found Device; Retire Device; Send Message; Force Check-In;
Reprovision Client; Sync Policy; Group Actions (Labels).

Application Management: Enterprise App Storefront; App Distribution Library; App
Control Policy; On-Device Inventory; Install; Uninstall; Silent Install/Uninstall (g);
Content Server Access; AppConnect Wrapper; Extended Lockdown Policy (d).

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; Register;
ActiveSync Policy.

Content Management: Secure Web Browsing; Content Server Access.

Application Settings: Exchange (d); Wi-Fi; VPN (h); Kiosk (d).

Provisioning: Per Device; Bulk; User Self-Service (By Invitation).

Compliance Actions: Alert via Event Center; Block ActiveSync via Sentry; Quarantine;
Block AppConnect Apps; Wipe AppConnect Apps; Remove Configurations.

Alerting: International Roaming; Event Center (i).

Troubleshooting: Email Client Logs.

MyPhone@Work Portal: Register; Lock; Wipe; Find It.

a Includes SD cards for most devices.
b Supported for devices on which the Samsung SAFE APIs are present.
c Supported on Android 3.0 and higher.
d Specific versions of Android, SAFE APIs, or Mobile@Work are required for some features. See the detailed
documentation.
e Only Location, SMS, and Apps privacy settings currently apply.
f Through Docs@Work.
g Starting with Mobile@Work 5.1, supports silent install and uninstall on Samsung SAFE devices running Android 2.2
or later.
h Supported for Cisco AnyConnect, Juniper JunOS Pulse, and Samsung KNOX IPsec VPN.
i One or more significant parts of this feature are not supported. See the detailed documentation for this feature.

BlackBerry 10

Security: Password Policy (a); Encryption Policy (a); Selective Wipe.

Sentry Access Control: Device Inventory; Device Details; Allow / Block; ActiveSync Policy.

a Via MobileIron Sentry and ActiveSync.

iOS
Features listed here that are not available on Android: AppConnect SDK and Service
Quality Monitoring.

Security: Lock; Unlock; Wipe; Selective Wipe (a); Certificate Distribution; Encryption
Policy (Internal Storage) (g); Password Policy; Lockdown Policy (b); Privacy Policy
(partial) (c); Block Registration by OS; Locate; Email Attachment Control (d); App
Tunneling.

Asset Management: Device Inventory; Device Details; Ownership Status; Designate Lost
Device; Designate Found Device; Retire Device; Send Message; Force Check-In;
Reprovision Client; Sync Policy; Group Actions (Labels).

Application Management: Enterprise App Storefront; App Distribution Library; App
Control Policy; On-Device Inventory; Install; Uninstall; AppConnect Wrapper; AppConnect
SDK.

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; Register;
ActiveSync Policy.

Content Management: Secure Web Browsing; Content Server Access.

Application Settings: Exchange; Wi-Fi; VPN.

Compliance Actions: Alert via Event Center; Quarantine; Block ActiveSync via Sentry;
Block AppConnect Apps; Wipe AppConnect Apps; Remove Configurations.

Provisioning: Per Device; Bulk; User Self-Service (By Invitation).

Alerting: International Roaming; Service Quality Monitoring (e); Event Center (f).

Troubleshooting: Email Client Logs.

MyPhone@Work Portal: Register; Wipe; Lock; Find It.

a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; the Selective Wipe command is not supported.
b Via iOS Restrictions settings.
c Only Location and Apps privacy settings currently apply.
d Through Docs@Work.
e Speed-test and user-reported dropped calls only.
f One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
g Via iOS Data Protection.

Mac OS X

Security: Lock; Unlock; Wipe; Certificate Distribution; Password Policy; Privacy Policy (a);
Block Registration by OS.

Asset Management: Device Inventory; Device Details; Ownership Status; Designate Lost
Device; Designate Found Device; Retire Device; Force Check-In; Group Actions (Labels).

Application Management: On-Device Inventory.

Application Settings: Exchange (b); Wi-Fi; VPN.

Provisioning: Per Device; Bulk.

a Only apps privacy settings apply.
b Only contacts are synchronized.

Windows Phone 7

Security: Wipe (a); Password Policy (a); Email Attachment Control (b).

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; ActiveSync
Policy.

a Via MobileIron Sentry and ActiveSync.
b Through Docs@Work. One or more significant parts of this feature are not supported. See the detailed documentation
for this feature.

Windows Phone 8

Security: Wipe; Selective Wipe (Email) (f); Certificate Distribution (b); Encryption Policy
(Internal Storage) (c); Password Policy; Lockdown Policy (d); Block Registration by OS.

Asset Management: Device Inventory; Device Details; Ownership Status; Retire Device;
Sync Policy (e); Group Actions (Labels).

Application Management: Enterprise App Storefront; App Distribution Library; Install;
Silent App Update (In-house apps); App Inventory (In-house/third-party apps).

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; Register;
ActiveSync Policy.

Provisioning: Per Device; Bulk; User Self-Service (By Invitation).

Application Settings: Exchange.

Compliance Actions: Alert via Event Center (e); Block ActiveSync via Sentry.

MyPhone@Work Portal: Wipe.

b Identity certificates can be distributed via Mobile@Work.
c Enabled by default; cannot be disabled.
d SD card only.
e Push notifications are not supported; therefore, initial sync is supported at registration only, and subsequent changes are
not recognized.
f Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; the Selective Wipe command is not supported.

Windows Phone 8.1

Security: Lock; Wipe; Selective Wipe (Email) (a); Certificate Distribution (b); Encryption
Policy (Internal Storage) (c); Password Policy; Lockdown Policy; Block Registration by OS.

Asset Management: Device Inventory; Device Details; Ownership Status; Retire Device;
Sync Policy (d); Group Actions (Labels).

Application Management: Enterprise App Storefront; App Distribution Library; Install;
Silent App Update (In-house apps); App Inventory (In-house/third-party apps); App
Control.

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; Register;
ActiveSync Policy.

Provisioning: Per Device; Bulk; User Self-Service (By Invitation).

Application Settings: Exchange; Wi-Fi; VPN.

Compliance Actions: Alert via Event Center (e); Block ActiveSync via Sentry.

a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; the Selective Wipe command is not supported.
b Identity certificates can be distributed via Mobile@Work.
c Enabled by default; cannot be disabled.
d Initial sync is supported at registration only, and subsequent changes are not recognized.
e Only out of contact and out of policy violations are supported. Alerts are only sent by email.

Windows RT/Pro

Security: Wipe (a); Password Policy (a); Email Attachment Control (b).

Sentry Access Control: Device Inventory; Device Details; Allow / Block; Wipe; ActiveSync
Policy.

a Via MobileIron Sentry and ActiveSync.
b Through Docs@Work. One or more significant parts of this feature are not supported. See the detailed documentation
for this feature.

Windows 8.1 RT/Pro

Security: Certificate Distribution (b); Encryption Policy (Internal Storage) (c); Password
Policy (i); Block Registration by OS.

Asset Management: Device Inventory; Device Details; Ownership Status; Retire Device;
Force Check-In; Group Actions (Labels).

Application Management: Enterprise App Storefront (d); App Distribution Library (e);
Install.

Sentry Access Control: Device Details; Allow / Block; Wipe; Register; ActiveSync Policy.

Provisioning: User Self-Service (g).

Application Settings: Wi-Fi (h); VPN (j).

b Only for Wi-Fi.
c Enabled by default; cannot be disabled for Win 8.1 RT devices.
d Only the United States Windows app store is supported.
e Only recommended apps are supported.
g Device registration by the administrator is not supported. Users register their device.
h Only WPA2 Personal and WPA2 Enterprise are supported.
i Grace period for Device Lock is not supported. Password policies are not applied to LDAP accounts. They are only
partially supported for MSA accounts.
j Only PPTP, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect VPN types are supported.

Supported platforms
The following platforms are supported:
Android 2.3 through 4.4
BlackBerry 10
iOS versions 5.0 through 7.1 (4.x for web-based registrations)
OS X Lion, Mountain Lion
Windows Phone 7, 8, 8.1
Windows RT/Pro
Windows 8.1 RT/Pro

Supported OS X devices
Note: Mac Mini models are not included in the following list. There are no known
issues that would prevent use of the Mac Mini, but this model is currently not covered
by the MobileIron product warranty.

Model ID Model Name


MacBook7,1 MacBook (13-inch, Mid 2010)
MacBook6,1 MacBook (13-inch, Late 2009)
MacBook5,2 MacBook (13-inch, Early/Mid 2009)
MacBook5,1 MacBook (13-inch, Late 2008)
MacBook4,1 MacBook (13-inch, Early/Late 2008)
MacBook3,1 MacBook (13-inch, Late 2007)
MacBook2,1 MacBook (13-inch, Late 2006/Mid 2007)
MacBookAir5,2 MacBook Air (13-inch, Mid 2012)
MacBookAir5,1 MacBook Air (11-inch, Mid 2012)
MacBookAir4,2 MacBook Air (13-inch, Mid 2011)
MacBookAir4,1 MacBook Air (11-inch, Mid 2011)
MacBookAir3,2 MacBook Air (13-inch, Late 2010)
MacBookAir3,1 MacBook Air (11-inch, Late 2010)
MacBookAir2,1 MacBook Air (13-inch, Late 2008/Mid 2009)
MacBookAir1,1 MacBook Air (13-inch, Early 2008)
MacBookPro10,2 MacBook Pro (13-inch, Retina, Late 2012)
MacBookPro10,1 MacBook Pro (15-inch, Retina, Mid 2012)
MacBookPro9,2 MacBook Pro (13-inch, Mid 2012)
MacBookPro9,1 MacBook Pro (15-inch, Mid 2012)
MacBookPro8,3 MacBook Pro (17-inch, Early/Late 2011)
MacBookPro8,2 MacBook Pro (15-inch, Early/Late 2011)
MacBookPro8,1 MacBook Pro (13-inch, Early/Late 2011)

MacBookPro7,1 MacBook Pro (13-inch, Mid 2010)
MacBookPro6,2 MacBook Pro (15-inch, Mid 2010)
MacBookPro6,1 MacBook Pro (17-inch, Mid 2010)
MacBookPro5,5 MacBook Pro (13-inch, Mid 2009)
MacBookPro5,4 MacBook Pro (15-inch, Mid 2009)
MacBookPro5,3 MacBook Pro (15-inch, Mid 2009)
MacBookPro5,2 MacBook Pro (17-inch, Early/Mid 2009)
MacBookPro5,1 MacBook Pro (15-inch, Late 2008)
MacBookPro4,1 MacBook Pro (15/17-inch, Early/Late 2008)
MacBookPro3,1 MacBook Pro (15/17-inch, Mid/Late 2007)
MacBookPro2,2 MacBook Pro (15-inch, Late 2006)
MacBookPro2,1 MacBook Pro (17-inch, Late 2006)

Chapter 2

Managing Users
Introduction to user management
Managing LDAP users
Assigning and removing device user roles
Managing local users in Admin Portal
Language support


Introduction to user management


This chapter explains how to manage local and LDAP users for Admin Portal. For infor-
mation on managing local users in System Manager, see Identity Source > Local
Users on page 715.

User sources
MobileIron supports local users and LDAP users. Local users are entities created in the
local MobileIron database. They are not known to the network or other corporate ser-
vices. LDAP users are imported from your organizations LDAP server.

In most cases, you will configure an LDAP server and import LDAP users.

Local users are best for the following scenarios:


administration
testing

Local users created in the Admin Portal can be used for registering devices and
accessing Admin Portal and MyPhone@Work. Local users created in the System Man-
ager can be used in the System Manager and the CLI.

misystem user
misystem is a default MobileIron Core user used for the following tasks:
creates the default rules and policies
executes system maintenance tasks

This user is not listed in the Admin Portal, and it has no roles assigned to it.

Local Users Created During Setup


The local user you define during setup actually results in two local users, one in Admin
Portal and one in System Manager.

Though these two users start with the same name and password, they are separate
users stored in separate databases. Changes made to one do not affect the other. For
example, if you change the password for the Admin Portal user, the password for the
System Manager user does not change.

Users and roles


You work with the following basic user and administrator types in Admin Portal:
Device users
Super Administrators, who manage devices and users throughout your MobileIron
Core system. These administrators are assigned to the global space. The role that
sets them apart is Manage administrators and device spaces. Only administrators
with this role can create and manage device spaces and assign roles and device
spaces to administrators. A MobileIron Core system can have one or more Super
Administrators.
Global Administrators, who also manage devices throughout your MobileIron Core
system. These administrators are assigned to the global space and can be assigned
any roles other than Manage administrators and device spaces.
Device Space Administrators, who manage only the devices and users assigned to
the device spaces to which they are assigned. For example, an administrator
assigned to the Dallas Help Desk device space can only manage devices assigned to
that device space. The roles that can be assigned to Device Space Administrators
are limited. For example, Device Space Administrators, if assigned the correct role,
can view configurations or apply and remove configurations from a label. However,
they cannot create or edit configurations.
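The following Python model is an added example, not MobileIron Core code; it encodes the scoping rules above (a global role applies to every device space, a device space role only to its own space, and only the Manage administrators and device spaces role confers the right to create spaces and assign roles). The role names other than that one, and the set of roles a Device Space Administrator may hold, are simplifying assumptions drawn from the guide's example.

```python
"""Scope-aware authorization check modelled on the Admin Portal administrator types.

Added example, not MobileIron Core code. Super Administrators hold "Manage
administrators and device spaces" in the global space; Global Administrators hold
other roles in the global space and therefore act on every device space; Device
Space Administrators hold a restricted set of roles that apply only inside their own
device spaces. The role names other than MANAGE_ADMINS, and the contents of
DEVICE_SPACE_ROLES, are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

GLOBAL_SPACE = "global"

# Role names used in this example (the guide names only the first one exactly).
MANAGE_ADMINS = "Manage administrators and device spaces"
VIEW_CONFIG = "View configurations"
APPLY_CONFIG = "Apply and remove configurations from labels"
EDIT_CONFIG = "Create and edit configurations"

# Roles assignable to a Device Space Administrator (assumption based on the guide's
# example: they may view/apply configurations but never create or edit them).
DEVICE_SPACE_ROLES: FrozenSet[str] = frozenset({VIEW_CONFIG, APPLY_CONFIG})


@dataclass
class Admin:
    name: str
    roles_by_space: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, space: str, role: str) -> bool:
        """Assign a role in a space; returns False if the structure forbids it."""
        if space != GLOBAL_SPACE and role not in DEVICE_SPACE_ROLES:
            return False  # unrestricted roles exist only in the global space
        self.roles_by_space.setdefault(space, set()).add(role)
        return True

    def is_super_admin(self) -> bool:
        return MANAGE_ADMINS in self.roles_by_space.get(GLOBAL_SPACE, set())

    def authorized(self, role: str, device_space: str) -> bool:
        """A global role covers every device space; a space role covers only its own."""
        if role in self.roles_by_space.get(GLOBAL_SPACE, set()):
            return True
        return role in self.roles_by_space.get(device_space, set())


def can_assign_roles(actor: Admin) -> bool:
    """Only Super Administrators may create device spaces and assign roles to others."""
    return actor.is_super_admin()


def admin_type(admin: Admin) -> str:
    """Classify an administrator the way the guide does."""
    if admin.is_super_admin():
        return "Super Administrator"
    if admin.roles_by_space.get(GLOBAL_SPACE):
        return "Global Administrator"
    return "Device Space Administrator"


if __name__ == "__main__":
    helpdesk = Admin("dallas-helpdesk")
    helpdesk.grant("Dallas Help Desk", APPLY_CONFIG)
    print(admin_type(helpdesk), helpdesk.authorized(APPLY_CONFIG, "Austin Help Desk"))
```

The point of keeping the check scope-aware is least privilege: a help desk administrator's compromised credentials affect only the devices in that space, and cannot be used to grant further roles.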

LDAP groups and roles


In a large organization, assigning roles to individual users can be cumbersome.
Instead, you can assign roles to LDAP groups or organizational units. Assigning roles
to these LDAP entities applies them to all members of these entities.

Enforce Single Session role and concurrent session control


Concurrent session control is applied to administrators by assigning them the Enforce
Single Session role. When an administrator who holds this role logs in on another
machine or browser, MobileIron Core automatically logs off the administrator's earlier
session.

Note that an administrator can use multiple tabs or multiple windows of a single
browser on the same machine without being logged off, because they share the same
session.

To enable concurrent session control:


1. In the Admin Portal, go to Admin > Admins.
2. Select an administrator.
3. Go to Actions > Edit Roles.
4. Select Enforce Single Session.
5. Click Save.
The role appears as Allow only one http session per user in the list of roles for the
administrator.
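The following Python session store is an added example, not MobileIron Core code; it shows the revocation behaviour described above: a login from a second browser or machine by a user in the single-session set invalidates the first session, while another tab of the same browser, which presents the same session cookie, is unaffected. The client labels are constructed sample values and secrets.token_urlsafe stands in for the server's own session ID generator.

```python
"""Concurrent session control for administrators with the Enforce Single Session role.

Added example, not MobileIron Core code. When an administrator in
single_session_users logs in from another machine or browser, every earlier
session of that user is revoked; tabs and windows of one browser share a single
session cookie, so they keep working. Session IDs come from secrets.token_urlsafe
as a stand-in for the server's generator; client labels are constructed samples.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Session:
    session_id: str
    user: str
    client: str  # identifies a browser instance, e.g. "laptop/firefox"


@dataclass
class SessionStore:
    # Administrators holding the Enforce Single Session role.
    single_session_users: Set[str] = field(default_factory=set)
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, client: str) -> str:
        """Authenticate a new browser/machine and return its session ID.

        For single-session users every other live session is revoked first, so the
        older browser's next request fails is_active() and is sent back to login.
        """
        if user in self.single_session_users:
            stale = [s.session_id for s in self._sessions.values() if s.user == user]
            for sid in stale:
                del self._sessions[sid]
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable identifier
        self._sessions[sid] = Session(sid, user, client)
        return sid

    def is_active(self, session_id: str) -> bool:
        """True if a request carrying this cookie should be served."""
        return session_id in self._sessions

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


if __name__ == "__main__":
    store = SessionStore(single_session_users={"alice"})
    first = store.login("alice", "laptop/firefox")
    # A second tab of the same browser reuses `first`; a second browser does not.
    second = store.login("alice", "desktop/chrome")
    print(store.is_active(first), store.is_active(second))
```

Revoking on the server side, rather than only expiring the old cookie, is what makes the control effective: a session ID stolen from the first browser stops working the moment the legitimate administrator logs in elsewhere.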


User management page


In the Users & Devices page in Admin Portal, click Users to display the user manage-
ment screen.

By default, the user management screen displays the Authorized Users view. This
view includes LDAP and local users. Select LDAP Entities from the To dropdown list to
display only LDAP entities.

Required role
The Manage user role is required for access to the user management screen.


Managing LDAP users


The Installation Guide explains how to configure LDAP servers for use in your Mobile-
Iron implementation. Once you have configured one or more LDAP servers, the asso-
ciated LDAP entities can be displayed in the Users & Devices > Users screen. LDAP
entities are useful for assigning roles that are inherited by the members of an entity.
LDAP users are immediately available for device registration.

For each LDAP server you configured according to the Installation Guide, you specified
the set of LDAP groups that MobileIron Core gets from the LDAP server. Specifying this
set improves Core performance when you use the Admin Portal to access LDAP
groups. Because Core has already stored all necessary LDAP group information, no
immediate communication with the LDAP server is necessary to complete a task
involving LDAP groups.

Note: If you want an LDAP user to have access to MyPhone@Work, then you must
assign the User Portal role. Likewise, access to features in the Admin Portal requires
the appropriate roles.

Displaying available LDAP users


To display the LDAP users that are available:
1. In the Users & Devices page, click Users.

2. Select LDAP Entities from the To dropdown list.

3. Select LDAP Users from the Category dropdown list.


4. In the Search by Name field, enter text that will match an LDAP user entry in the
selected category, based on first name, last name, or account name.
You may use % as a wildcard. For example, to search for all users having smith at
the end of the user ID, you would enter %smith.
5. Click the search icon.
The matching user records are displayed.

LDAP does not report members for a group that is also the Primary Group for those
members. If you do not see the users you expect, examine your LDAP configuration.
Consider using OUs, instead.

Viewing LDAP user/group associations


The Users screen includes links for displaying associations between users and groups.
For example, if you have assigned a role to the Engineering group, you can display the
users associated with that group.

Click the link next to an authorized LDAP entity to display the associated entities.

Configuring the set of LDAP groups


During MobileIron Core installation, you configure the set of LDAP groups that you can
reference in Core. To later modify the set, do the following steps for each LDAP server:
1. Go to Settings > LDAP.
2. Select an LDAP server and click Edit.


3. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting.

4. In the text box labeled Search By LDAP Groups, enter the first characters of an
LDAP Group that you want to select.
5. Click the search icon.
The LDAP Groups in the LDAP server that match the search request appear in the
Available section.
6. Click the right arrow to move one or more LDAP groups to the Selected section.
7. Repeat steps 4 through 6 for other LDAP Groups.
8. Click Save.

Synchronizing with the LDAP server


MobileIron synchronizes user data from the LDAP server every 24 hours, by default. If
you want to synchronize immediately, as when you have added new users, then click
the Resync with LDAP button in the Users page.

Note: For LDAP groups, each synchronization syncs only the LDAP groups that you
specified in the LDAP Setting page at Settings > LDAP.

Changing the LDAP Sync Interval


To change the amount of time between each synchronization with LDAP servers:


1. Select Settings > LDAP > Preferences.

2. Select the preferred interval from the dropdown.


3. Click Save.

Setting the LDAP sync discard option


The LDAP sync discard option under LDAP preferences provides control over:
whether to discard the LDAP sync data if the reloaded data set declines significantly
at what point the decline is considered significant

This option is enabled by default and set to 25%. This default ensures that abnormal
behavior on the part of the LDAP system will not result in unnecessary, disruptive
updates in MobileIron Core and removal of configurations from registered devices.
Consider changing or disabling this setting if you are going to make major changes to
your LDAP system. Be sure to confirm that the changes are acceptable before disabling this feature.

To change this option:


1. Select Settings > LDAP.
2. Click the Preferences link.

3. Adjust the setting as needed:


To change the threshold at which the sync is discarded, enter a different percentage.


To disable the setting, clear the Enable Sync Discard checkbox.


4. Click Save.

When the LDAP sync declines


Typical reasons for a significant decline in the LDAP sync include:
changes in the LDAP environment
slow response from the LDAP server
network congestion

When a sync is discarded, a message appears under Settings > Service Diagnostic. The message contains the LDAP counts before and after the sync and the percentage configured in the Enable Sync Discard setting.

Consider the following steps when the sync fails for this reason:
1. Did the issue first start at about the same time as a major change to the LDAP environment?
This would suggest that a valid change in the LDAP environment triggered the discard.
2. Has the sync failed once or multiple times?

If sync has failed once, try a manual sync. If sync has failed multiple times, determine
whether a change was made to the LDAP environment. If you are unable to find a
major change, consider changing the percentage for the Enable Sync Discard setting.
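How the sync discard decision works, as an added example that is not MobileIron code: given the user IDs Core already holds and the set reloaded from LDAP, it applies the Enable Sync Discard threshold and produces a message like the one shown under Service Diagnostic. It assumes that a decline equal to the threshold counts as significant and that an empty previous set never triggers a discard; the message wording is constructed.

```python
"""Decide whether a reloaded LDAP user set should be discarded or applied.

Added example; not MobileIron code. Mirrors the Enable Sync Discard
preference: if the reloaded set shrinks by at least the configured
percentage (25% by default), the sync is discarded instead of applied.
Assumptions: a decline equal to the threshold is significant; an empty
previous set never triggers a discard.
"""
from collections import namedtuple

SyncResult = namedtuple(
    "SyncResult", "discarded before after decline_pct removed message")


def evaluate_ldap_sync(previous_users, reloaded_users,
                       threshold_pct=25, enabled=True):
    """Compare the stored LDAP users with the freshly reloaded set.

    previous_users / reloaded_users: iterables of user IDs.
    Returns a SyncResult. `removed` lists the users that would lose their
    configurations if the sync were applied (empty when it is discarded).
    """
    before, after = set(previous_users), set(reloaded_users)
    if before:
        # Growth counts as a 0% decline; only shrinkage matters here.
        decline_pct = max(0.0, (len(before) - len(after)) * 100.0 / len(before))
    else:
        decline_pct = 0.0
    discard = enabled and decline_pct >= threshold_pct
    if discard:
        # Constructed wording, modelled on the Service Diagnostic message:
        # counts before and after plus the configured percentage.
        message = ("LDAP sync discarded: user count fell from %d to %d "
                   "(%.1f%% decline, threshold %d%%)"
                   % (len(before), len(after), decline_pct, threshold_pct))
        removed = []
    else:
        message = ("LDAP sync applied: %d users before, %d after"
                   % (len(before), len(after)))
        removed = sorted(before - after)
    return SyncResult(discard, len(before), len(after),
                      decline_pct, removed, message)


if __name__ == "__main__":
    # Constructed sample: 20 stored users, only 14 come back from LDAP.
    stored = ["u%02d" % i for i in range(20)]
    print(evaluate_ldap_sync(stored, stored[:14]).message)
    print(evaluate_ldap_sync(stored, stored[:16]).message)
```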

Deleting LDAP users


You can delete an LDAP user if that user is not associated with a registered device.

To delete an LDAP user:


1. In the Users & Devices page, click Users.

2. Click the checkbox for the user you want to delete.


3. Click Delete User.


Moving between the LDAP user display and the local user view
To move back to the local user view, select Authorized Users from the To dropdown
list.

Changing passwords for LDAP users


The Admin Portal does not currently provide an LDAP interface that enables changing an LDAP user's password.

Don't append _MIxx


Avoid creating user IDs that include _MIxx, where xx is a number. This sequence is
reserved for user IDs requiring special processing, which includes stripping the _MI
sequence and all characters following it.


Assigning and removing device user roles


Note: The Manage administrators and device spaces role is required for this task.

Assign roles to enable access to product features available through MyPhone@Work.


To assign device user roles to devices:
1. In Admin Portal, go to Users & Devices > Users.
2. Select one or more local users or LDAP groups.
Use the To: field to change between displaying local and LDAP users.
3. Go to Actions and select Assign Roles.
4. Select roles for the users.
5. Click Save.

The MobileIron Server recognizes the following roles for device users:

User Portal: Allows access to the User Portal (MyPhone@Work). For iOS and Android, this role is required for registration unless PIN-based registration is configured. For WP8, this role is required for registration. With User Portal selected, you can choose to enable or disable the following roles: MyPhone@Work Locate, MyPhone@Work Lock, MyPhone@Work Wipe, MyPhone@Work Registration. Local users receive User Portal access by default, but LDAP users do not.

MyPhone@Work Locate: Enables end users to locate their phones from MyPhone@Work.

MyPhone@Work Lock: Enables end users to lock their phones from MyPhone@Work.

MyPhone@Work Wipe: Enables end users to wipe their phones from MyPhone@Work.

MyPhone@Work Registration: Enables end users to register phones from the MyPhone@Work user portal. If this role is not applied, then the Add a Phone link does not appear in the MyPhone@Work portal. However, iOS and Android users can still register devices from within the MobileIron app. If you want to prevent additional registrations from within the app, consider requiring a Registration PIN (Settings > Preferences).


The new roles take effect the next time an affected user logs in. A user who is logged
in when the change is made must log out and log back in to see the effects of the
change.


Managing local users in Admin Portal


This section explains how to manage local users in Admin Portal. For information on
managing local users in System Manager, see Identity Source > Local Users on
page 715.

Adding local users in Admin Portal


Note: The Manage user role is required for completing this task.
To add a user account in the local MobileIron database for Admin Portal:
1. In the Users & Devices page, click Users.

2. Click the Add Local User button.

3. Use the following guidelines to complete the information:


User ID: Enter the unique identifier to assign to this user. Note: If you are using local users and LDAP users, the user ID cannot match that of an LDAP user.

First Name: Enter the user's first name.

Last Name: Enter the user's last name.

Display Name: Optional name used to identify the device user. If you leave this field blank, then the display name will have the following format: Firstname Lastname

Password: Enter a password for the user. The password has the following requirements:
Passwords must have at least 8 characters.
Passwords must contain at least 1 alphabetic character.
Passwords must contain at least 1 numeric character.
Passwords cannot have 4 or more repeating characters.
Passwords cannot be the same as the user ID.
Passwords may contain Unicode characters, except for CLI access.
Users cannot change a password more than once during a 24 hour period.

Confirm Password: Confirm the password for the user.

Email: Enter the user's email address.

4. Click Save.
5. Assign the necessary roles. See Assigning and removing device user roles on
page 67.
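The password requirements listed for the Password field, expressed as a validator. This is an added example, not MobileIron code; it assumes that "4 or more repeating characters" means four identical characters in a row, and models CLI access and the 24-hour change limit with the cli_access and hours_since_last_change parameters.

```python
"""Validate a local-user password against the rules the guide lists.

Added example; not MobileIron code. Assumptions: a run of four or more
identical characters is what "4 or more repeating characters" forbids;
cli_access=True restricts the password to ASCII (Unicode is otherwise
allowed); hours_since_last_change models the once-per-24-hours limit.
"""
import re

MIN_LENGTH = 8
CHANGE_WINDOW_HOURS = 24
# Four or more copies of the same character in a row (assumption).
REPEAT_RUN = re.compile(r"(.)\1{3,}", re.DOTALL)


def password_violations(user_id, password, cli_access=False,
                        hours_since_last_change=None):
    """Return the list of rules the password breaks; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("at least %d characters required" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("at least 1 alphabetic character required")
    if not any(c.isdigit() for c in password):
        problems.append("at least 1 numeric character required")
    if REPEAT_RUN.search(password):
        problems.append("4 or more repeating characters not allowed")
    if password == user_id:
        problems.append("password cannot be the same as the user ID")
    if cli_access and not password.isascii():
        problems.append("Unicode characters not allowed for CLI access")
    if (hours_since_last_change is not None
            and hours_since_last_change < CHANGE_WINDOW_HOURS):
        problems.append("password can be changed only once per 24 hours")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for uid, pw in (("jsmith", "Summer2014"), ("jsmith", "passsss1"),
                    ("jsmith1234", "jsmith1234")):
        print(uid, pw, password_violations(uid, pw) or "ok")
```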

Editing local users in Admin Portal


You can edit account information for local users. For example, you can:
change the MobileIron password
edit the first name, last name, or display name
update the email address

Note: The Manage user role is required for completing this task.

To edit local user account information:


1. Display the Users & Devices page.
2. Click Users.


3. Click the Edit icon for the user entry to display the Edit User dialog.
4. Make the changes to the displayed information.
See Adding local users in Admin Portal on page 69 for information on completing
each field.
5. To change the user password, click the Change Password link.
6. Click Save.

Linking local users to LDAP users


A local user can be matched with its corresponding LDAP user. For example, suppose you created a local user for preliminary system rollout and testing, but for the production rollout, you want that user matched with its LDAP equivalent.

To match a local user to its corresponding LDAP entry:


1. In the Users & Devices page, click Users.

2. Click the checkbox for the local user you want to match.
3. Click Link to LDAP.

Note: Existing roles for the local user are removed. The next time the user authenti-
cates, roles will be applied based on the LDAP group of the corresponding LDAP user.

Deleting local users in Admin Portal


You can delete a local user if that user is not associated with a registered device.

To delete a local user:


1. In the Users & Devices page, click Users.


2. Click the checkbox for the user you want to delete.


3. Click Delete User.

Forcing a password change for local users


If there is a possibility that a local user's credentials have been exposed or compromised, you can force that user to change the password during the next login. For example, if you have emailed credentials, you should consider forcing the user to set a new password.

To force a password change for a local user:


1. Select the user in the User management screen.
2. Click the Force Password Change button.
3. Click Yes to confirm the action.
The next time that user completes a successful login, the following dialog will display to prompt the user to set a new password.


Language support
MobileIron currently provides the following language support features:
Translated versions of clients
Selection of supported languages
Default language selection
Changing language selection from Admin Portal

Translated versions of clients


For the supported languages on a client, see the client Getting Started guide.

Selecting languages
You may choose to enable or disable languages for the messages sent from MobileIron
Core to devices. For example, if you have only Japanese-speaking users, you may
prefer to remove the other message templates from the Admin Portal.

To determine which languages are enabled:


1. Select Settings > Preferences.

2. Under Language Preferences, move the supported languages to the preferred list:
Disabled Languages or Enabled Languages.
3. Click Save.


The following languages are supported for messages sent to devices:


English
Japanese
Korean
German
French (France)
Italian
Spanish (Latin American)
Simplified Chinese
Traditional Chinese
Romanian
Portuguese (Brazilian)
Russian
Slovak
Dutch

Setting the system default language


The System Default Language setting under Settings > Preferences determines the language to be used if the locale of the device cannot be determined or the corresponding language is not supported. The languages available for this setting are determined by the languages in the Enabled Languages list.


Changing language selection from Admin Portal


Administrators can manually change the language selection for devices that do not
report their locale. In this case, language selection applies only to the messages sent
from MobileIron Core (e.g., Event Center alerts). If the device later reports a different
locale, then Core honors the reported locale.

To change the language selection for a device:


1. In the Admin Portal, go to Users & Devices > Devices.
2. Click on the checkbox next to the device.
3. Click on Actions > Change Language.
The following dialog displays.

4. In the Set Language dropdown, select the preferred language.


5. Click Change Language.

Chapter 3

Registering Devices
Overview of registration methods
Registration considerations by OS
Registration by administrator: individual devices
Registration by administrator: multiple devices (bulk registration)
Invite users to register
In-app registration for iOS and Android
ActiveSync device registration
Tracking registration status
Managing operators and countries
Specifying eligible platforms for registration
Configuring user authentication requirements for registration (iOS, Android, Windows Phone)
Customizing registration messages
Registration notes


Overview of registration methods


Registering a device designates it for management by MobileIron Core.
The following registration methods are available:
admin registers a single device
admin registers a list of devices
admin invites users to register
in-app registration for iOS and Android
users register additional devices
admin registers ActiveSync devices
registration via web portal

The process resulting from these methods may vary by device OS.

Note: Windows Phone 7 does not require registration.

Admin registers a single device


The admin can register a single device from the Admin Portal.

Best for
This method is best for the following scenarios:
adding the first few devices to a new system
adding a few new devices to an existing system

Level of end-user interaction


Medium for most OSes.

Prerequisites
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, WP8.1, and Android, the User Portal role must be assigned to the
user.
The following information must be available for the device:
phone number (if any)
country
platform

See
Registration by administrator: individual devices on page 87


Admin registers a list of devices (bulk registration)


The admin can register a large group of devices by uploading a CSV file containing the
information required for registration.

Best for
This method is best for the following scenarios:
adding a significant number of devices
rolling out multiple devices into a production environment
registering devices managed by BES 4.x
using web-based registration with iOS devices (see Web-based Registration for iOS
and OS X Devices on page 805)

Level of end-user interaction


Medium for most OSes.

Prerequisites
LDAP users specified in the CSV file must be available for selection. Local users that have not been created already will be created as part of the Bulk Registration process.
For iOS, WP8, and Android, the User Portal role must be assigned to the users.
The following information must be available for the device:
phone number (if any)
country
platform

See
Registration by administrator: multiple devices (bulk registration) on page 90

Admin invites users to register


For users who are mobility savvy and do not require significant assistance, you can
send an invitation and enable them to register their own phones. You can send an
invitation to multiple users from the Users Management screen. The invitation
includes instructions on how to log into MyPhone@Work to register phones.

Prerequisites
For iOS, WP8, and Android, the User Portal role must be assigned to the user, and the MyPhone@Work Registration option must be enabled.
The user needs to know the following information for the device:
phone number (if any)
country
platform


See
Invite users to register on page 94

In-app registration for iOS and Android


One way to reduce the load on IT personnel is to instruct iOS and Android users to
download the MobileIron app directly from the App Store on iTunes or from Google
Play (formerly Android Market) and initiate registration from within the app.

Best for
adding iOS or Android devices for users who do not require assistance

Level of end-user interaction


High. Users must download the app, initiate the registration process, and respond to
registration prompts.

Prerequisites
This feature depends on access to the MobileIron Gateway; therefore, the corresponding port must be properly configured. See the Pre-Deployment Checklist in the Installation Guide for details.
The User Portal role must be assigned to the user.
To auto-populate the MobileIron Core server name during registration, the following
setup is required:
The user associated with the device must be known as an LDAP user or defined
as a local user.
To auto-populate based on the device phone number, for details.
To auto-populate based on the email address, you must register your VSP with
MobileIron.

See
In-app registration for iOS and Android on page 96

Users register additional devices


Once a device has been registered, an authorized user can use MyPhone@Work to
register additional devices without administrative help.

Best for
adding devices for users who do not require assistance

Level of end-user interaction


High. The user initiates the registration process, enters registration information, and
responds to registration prompts on the device.


Prerequisites
Users must have the User Portal role assigned, with the MyPhone@Work Registration option enabled.
The user needs to know the following information for the device:
phone number (if any)
country
platform

See
MyPhone@Work User Guide

Admin registers ActiveSync devices


If you have a MobileIron Sentry configured, then you can see the devices that are connecting to your ActiveSync server. To incorporate these devices into your MobileIron Core inventory, you can use the Register button in the ActiveSync Associations screen.

Best for
devices accessing email via ActiveSync

Level of end-user interaction


Medium. Users must respond to installation prompts on the device.

Prerequisites
MobileIron Sentry must be installed and configured.
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, and Android, the User Portal role must be assigned to the user.
You need to know the following information for the device:
phone number (if any)
country code
platform

See
ActiveSync device registration on page 98

Registering an Apple TV
You can register an Apple TV to MobileIron Core only through the Apple Configurator
1.4.2 or 1.5.
Before you begin:


The Apple TV must be running Apple TV software update 6.0.1 through 6.1.
The Apple TV must be connected to your corporate network. You can do this by
configuring Wi-Fi on the Apple TV or connecting the Apple TV to Ethernet.

To register your Apple TV:


1. Export the iOS MDM profile from MobileIron Core.
See Appendix C: Distributing iOS MDM profiles with Apple Configurator.
2. Import the iOS MDM profile using Apple Configurator.
See Appendix C: Distributing iOS MDM profiles with Apple Configurator.
Note: Using the Apple TV Assistant to import the MDM profile results in an error
message. Cancel out of the Apple TV Assistant and follow the steps in Importing
the iOS MDM profile using Apple Configurator.

You can do the following when you manage an Apple TV running iOS 7 with MobileIron
Core:
View device information.
Distribute Wi-Fi profiles to the Apple TV.
Retire the device.

Registration via web portal


A web portal can be used to streamline the registration process. This process is not
covered in this guide.

Registering Android devices via web portal (MIRP)


Administrators who use web portals to initiate registrations can provide a URL in the web portal to help device users register Android devices with little or no typing. Users just download Mobile@Work from Google Play and then tap the URL in the web portal from the device. Tapping the URL launches the Mobile@Work app and populates the registration screen with the available information, such as the username. The information that is available depends on the web portal being used.

The URL is based on the MobileIron Registration Protocol (MIRP). The link you provide
on the web portal must have the following format:

mirp://<Core URL><php style key value pairs>

The following style keys are available:


user: The username for the device user.
pin: The PIN generated for this user for PIN-based registration.
bypassSplash: true or false to indicate whether to bypass the Mobile@Work splash
screen.

Example: mirp://sales.mobileiron.com&user=android&pin=1234&bypassSplash=true


Usage notes
The ampersand character is reserved. If you require an ampersand in a field value,
it must be URL-escaped to a character code (i.e., %26).
Unsupported keys will be ignored.
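An added example (not MobileIron code) that builds and parses links in the MIRP format described above, escaping ampersands inside values as %26 and ignoring unsupported keys. It assumes the first key/value pair may follow the Core URL after either '&' (as in the example above) or '?', and that the Core URL itself contains neither character.

```python
"""Build and parse MobileIron Registration Protocol (MIRP) links.

Added example; not MobileIron code. Layout, from the guide:
    mirp://<Core URL><key=value pairs>
Assumptions: the first pair may follow the Core URL after '&' (as in the
guide's example) or '?', and the Core URL contains neither character.
"""
from urllib.parse import quote, unquote

SCHEME = "mirp://"
SUPPORTED_KEYS = ("user", "pin", "bypassSplash")


def build_mirp_url(core_url, user=None, pin=None, bypass_splash=None):
    """Return a mirp:// link for the given Core URL and values.

    Values are percent-escaped with no safe characters, so a reserved '&'
    inside a value becomes %26 as the usage notes require.
    """
    pairs = []
    if user is not None:
        pairs.append("user=" + quote(str(user), safe=""))
    if pin is not None:
        pairs.append("pin=" + quote(str(pin), safe=""))
    if bypass_splash is not None:
        pairs.append("bypassSplash=" + ("true" if bypass_splash else "false"))
    return SCHEME + core_url + "".join("&" + p for p in pairs)


def parse_mirp_url(link):
    """Return (core_url, params) for a mirp:// link.

    Unsupported keys are ignored, %26 and other escapes in values are
    decoded, and bypassSplash becomes a bool. Raises ValueError if the
    link does not use the mirp scheme.
    """
    if not link.startswith(SCHEME):
        raise ValueError("not a MIRP link: %r" % link)
    rest = link[len(SCHEME):]
    # The Core URL ends at the first '?' or '&' (assumption, see above).
    cut = len(rest)
    for sep in ("?", "&"):
        idx = rest.find(sep)
        if idx != -1 and idx < cut:
            cut = idx
    core_url = rest[:cut]
    query = rest[cut + 1:] if cut < len(rest) else ""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw_value = pair.partition("=")
        if key not in SUPPORTED_KEYS:
            continue  # unsupported keys are ignored, per the usage notes
        value = unquote(raw_value)
        if key == "bypassSplash":
            value = value.lower() == "true"
        params[key] = value
    return core_url, params


if __name__ == "__main__":
    # Constructed sample link, modelled on the guide's example.
    print(parse_mirp_url(
        "mirp://sales.mobileiron.com&user=android&pin=1234&bypassSplash=true"))
    print(build_mirp_url("sales.mobileiron.com", user="r&d", pin="1234",
                         bypass_splash=True))
```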


Registration considerations by OS
Before you begin registering devices, you should be aware of OS-specific features and
dependencies.

iOS
iOS registration currently depends on acquiring the MobileIron Client from the
iTunes App Store. Therefore, an iTunes account is required. You do not need a
credit card in order to establish an iTunes account; just start downloading the
MobileIron app to a PC or Mac, click Create New Account, and select None as your
payment method.
If you have configured a MobileIron Sentry to support iOS devices connecting via
ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone) on page 103 for information on specifying behavior for this feature. Note that registration PINs are not supported for iOS managed apps.
For MDM-enabled iOS devices, MDM features are not dependent on the MobileIron Client after registration. Therefore, if a user uninstalls the MobileIron Client, features like app inventory will continue to function.
If you need to register many iOS devices on behalf of users, as when iPhones are purchased by the corporation and rolled out in bulk, depot-style registration may be preferable. See Web-based Registration for iOS and OS X Devices on page 805.
You can register an Apple TV to MobileIron Core only through the Apple Configurator. See Registering an Apple TV on page 81.

Android
Android registration currently depends on acquiring the MobileIron Client from Google Play (formerly Android Market).
For devices that cannot access Google Play, provide another way for the device users to get the Mobile@Work for Android app. For example, email the app to the device users. You can also place the app on a website and provide the URL to the device users.
Configuring the Server Name Lookup preference (in Admin Portal under Settings > Preferences) makes registration easier by automatically filling in the server address for the user (US only). Note that the administrator must initiate registration or invite the user to register. Contact Customer Support to register your server.
If you have configured a MobileIron Sentry to support Android devices connecting
via ActiveSync, then you can initiate registration from the ActiveSync Devices
screen.
By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone) on page 103 for information on specifying behavior for this feature.

Windows Phone 7, Windows RT, and Windows 8 Pro


There is no MobileIron Client software provided for Windows Phone 7, Windows RT,
and Windows 8 Pro devices.
MobileIron Sentry is required for the available device management features.

Note: These devices do not have device management features. However, these devices can sync using Exchange ActiveSync and be managed using ActiveSync policies.

Windows Phone 8
Single device registration, bulk registration, and invitations to register are supported for Windows Phone 8 (WP8) devices.
Registration of the WP8 device is done through the WP8 native client.
The Mobile@Work app is installed as part of the registration process.
The User Portal role is required for WP8 device registration whether PIN-based registration is required or not.
If PIN registration is enabled on MobileIron Core (in the Admin Portal, Settings > Preferences), the device user must first verify the PIN before registering the device.
The device user is required to enter a username (email) and password to register
the WP8 device even when PIN registration is enabled.
Device registration fails if the device user enters a password that contains UTF-8
characters.
If auto discovery is not set up, the registration process requires the device user to
enter the VSP server address (FQDN). The device user will also have to enter the
VSP server address when logging into Mobile@Work for the first time.

Windows Phone 8.1


A root or intermediate certificate from a trusted certificate authority (CA) is
required.
Registration of the WP8.1 device is done through the WP8.1 native client.
The Mobile@Work app is installed as part of the registration process.
The User Portal role is required for the user to register with MobileIron Core.
Single device registration, bulk registration, invitations to register are supported.
Registering your WP8.1 device in the User Portal (MyPhone@Work) is supported.
Select Windows Phone 8 as the device platform. Windows Phone includes Windows
Phone 8 and Windows Phone 8.1.
Reprovisioning the device is not supported. To reprovision the device, first retire the
device, then re-register.


If auto discovery is not set up, the registration process requires the device user to
enter the VSP server address (FQDN). The device user will also have to enter the
VSP server address when logging into Mobile@Work for the first time.
Device registration fails if the device user enters a password that contains special
characters.

Windows 8.1 RT and Pro devices


Autodiscovery is not required. We recommend autodiscovery for a seamless registration experience.
A Subject Alternative Name (SAN) SSL certificate from a trusted Certificate Authority (CA), such as Verisign or GoDaddy, is required.
Device registration from the Admin Portal or the MyPhone@Work portal is not supported. Users can register only from their device.
The User Portal role is required for the user to register with MobileIron Core.
PIN-based registration is not supported. If PIN-based registration is selected in Settings > Preferences, Windows 8.1 defaults to password only, and registration is not impacted.
The following registration statuses are supported:
Verified: After the device registers and before the first check in.
Active: The device has successfully synced with Core.
Retired: The Retire action was successfully applied.
Force Device Check-In may not be available for a few minutes after the Windows
8.1 RT or Pro device registers. If you try to retire the device during this time, it may
take up to 24 hours to retire the device.


Registration by administrator: individual devices
See Overview of registration methods on page 78 for points to consider before using
this registration method.
To register a single device:
1. In Admin Portal, go to Users & Devices > Devices.
2. Click +Add > Single Device.
3. Use the following guidelines to complete the registration information.

User: Enter user information to locate the user account. For example, you might enter the user ID, first name, last name, or email address. Select the user you want to work with from the dropdown list of matching accounts.

This device has no phone number: If you do not have a cellular operator for the device or a data plan with your current operator, select This device has no number. Why: MobileIron Core will communicate with the MobileIron Client that will be installed on the phone. For devices that have cellular services, cellular is used. For devices that do not have cellular service, such as iPods and PDAs, Wi-Fi can be used.

Device Platform: Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled. See Specifying eligible platforms for registration on page 102. Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.

Country: Select one of the supported countries from the dropdown list. Selecting the correct country populates the Country Code field. If the country you need is not displayed, you may need to alter the default country list. Select Settings > Preferences.

Mobile: Enter the phone number for the device. Your selection from the Country list will populate the Country Code field. Enter the prefix and number without spaces, dashes, leading zeros, or parentheses. For example, you would enter a typical US phone number as 4085555555. You would enter a typical UK phone number as 7889524526. Why: This is the number that MobileIron will use as the target for the registration SMS message.

Operator: Select the name of the mobile service operator for this phone. If you selected a country having a country code other than 1, then this field is hidden. Why: The name of the operator is required for proper transmission of SMS messages used for communication between MobileIron Core and the device. For devices having a country code other than 1, the operator is automatically identified and need not be specified. Note: You can determine whether an operator is displayed in the list by selecting Operators under the Settings tab in the Admin Portal.

Device Owner: Select Company if this phone is owned by the enterprise. Select Employee if this phone is owned by the user. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 143 for information on labels. Why: Administrators may want to assign different policies to phones based on ownership.

Device Language: To communicate with the device user in a language other than the default language, select a language from the dropdown list. Languages must first be enabled under Settings > Preferences. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.

Email User: Clear this check box if you do not want the user to receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then clear this option. Select this option if the device is in the owner's possession. Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.

4. Click Register.
After a brief pause, a popup displays listing instructions for the next step. The content of this popup varies based on the OS and type of the device. Consider leaving this message displayed until the registration has been completed. Note that the instructions also appear in the log.

What the user sees


For most OSes, this registration method results in user notification by SMS and email. PDA users are notified by email. The SMS contains a live URL link. The email includes a URL, instructions, and the information the user will need to enter during registration. The user can click the live URL in the SMS or enter the URL directly into the device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.

If the user does not respond within 24 hours, MobileIron sends a reminder. After 120
hours, the registration expires. This expiration interval is configurable (Settings >
Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).

For BES 4.x devices deployed via BES, the user does not receive the SMS or email and
does not enter any input.


Registration by administrator: multiple devices (bulk registration)

Bulk registration can be performed using a CSV file. When you import the registration CSV file, MobileIron completes the following tasks:
- Creates specified local user accounts, if they do not already exist.
- Finds specified LDAP user accounts.
- Initiates the registration process.

See Overview of registration methods on page 78 for points to consider before using
this registration method.

Contents of the CSV


Each line in the file must contain the following fields, separated by tabs or commas, in
the following order:

User ID (example: jdoe)
  Specifies the user ID for either an existing local user, a local user to be created, or an LDAP user that can be looked up as an LDAP user on the configured LDAP server. Spaces are not supported for local users.

Country Code (example: 1)
  Specifies the country code corresponding to the phone number. For PDAs, such as the iPod touch, enter 0 in this field.

Number (example: 4085551212)
  Specifies the phone number. For PDAs, such as the iPod touch, enter PDA.

Operator (example: Sprint)
  Specifies the service provider name. This field is not required for PDAs, such as the iPod touch, or for countries having a country code other than 1. See Settings > Operators for a list. If the operator does not appear in this list, contact MobileIron Technical Support.

OS (example: I)
  Specifies a character indicating the operating system. Use the following characters:
  I: iOS
  A: Android
  M: WP8
  Windows Phone 7 devices are not supported for bulk registration. Entries are case sensitive. If the specified platform has been disabled for registration, then the registration will fail. See Specifying eligible platforms for registration on page 102.

E/C (example: C)
  Specifies phone ownership. Use the following characters:
  C: Company
  E: Employee

Source (example: D)
  Specifies the identity source of the user name. Use the following characters:
  L: Local
  D: Directory (LDAP)
  Entries are case sensitive.

First Name (example: John)
  If the Source field contains L, provide the user's first name.

Last Name (example: Doe)
  If the Source field contains L, provide the user's last name.

Email (example: jdoe@mycompany.com)
  If the Source field contains L, provide the user's email address.

Password (example: p@$sW0rd)
  Specifies the password to set for a new local user account. If you do not intend to use this field or the user is an LDAP user, then you can leave it blank.

Device Language (example: ja-JP)
  Specifies the language to use for communicating with the device user if the device has not reported its locale. This field is optional. Supported values:
  en-US: English
  ja-JP: Japanese
  ko-KR: Korean
  fr-FR: French
  de-DE: German
  zh-CN: Chinese
  zh-TW: Traditional Chinese
  es-ES: Spanish
  pt-BR: Portuguese (Brazil)

User Display Name (example: Smith, Ken)
  Specifies an alternate name used to identify the device user. If you leave this field blank, then the display name will have the following format: Firstname Lastname. This field is optional.

Notify User
  Specifies whether the user should receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then set this option to FALSE. Specify TRUE if the device is in the owner's possession.
  Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.

Multiple devices registration sample file

Click the Sample CSV File button in the Adding Multiple Devices screen to download a sample file that you can use as a starting point.


Guidelines for multiple devices bulk registration content

Note the following requirements when entering your bulk registration content:
- Local user IDs cannot contain spaces. Spaces are allowed for LDAP users.
- The Platform field is case sensitive. Enter only uppercase letters in this field.
- Phone numbers cannot contain spaces or non-numeric characters.
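To catch malformed rows before they reach the Import File step, the following added example (not MobileIron's own tooling) checks a bulk-registration file against the column order and guidelines above. The sample rows are constructed, and the disabled-platform set stands in for the Disabled Platforms list under Settings > Preferences.

```python
"""Validate a MobileIron Core bulk-registration file before importing it.
Added example, not MobileIron code: the column order and rules come from
"Contents of the CSV" and the guidelines above; rows are constructed."""
import csv
import io
import re

# Columns in the order the guide requires for each line of the file.
COLUMNS = [
    "user_id", "country_code", "number", "operator", "os", "ownership",
    "source", "first_name", "last_name", "email", "password",
    "device_language", "display_name", "notify_user",
]
OS_CODES = {"I": "iOS", "A": "Android", "M": "WP8"}      # case sensitive
OWNERSHIP_CODES = {"C": "Company", "E": "Employee"}
SOURCE_CODES = {"L": "Local", "D": "Directory (LDAP)"}
LANGUAGES = {"en-US", "ja-JP", "ko-KR", "fr-FR", "de-DE",
             "zh-CN", "zh-TW", "es-ES", "pt-BR"}
DIGITS = re.compile(r"[0-9]+")


def validate_row(fields, disabled_platforms=frozenset()):
    """Return the problems in one row; an empty list means the row is valid.
    disabled_platforms holds platform names (e.g. "iOS") that an admin moved
    to the Disabled Platforms list; rows for those platforms fail on import.
    """
    if len(fields) < 7:
        return [f"expected at least 7 fields, got {len(fields)}"]
    # Pad the optional trailing columns so every row is read the same way.
    padded = [f.strip() for f in fields] + [""] * (len(COLUMNS) - len(fields))
    row = dict(zip(COLUMNS, padded))
    problems = []

    if not row["user_id"]:
        problems.append("User ID is required")
    if row["source"] not in SOURCE_CODES:
        problems.append(f"Source must be L or D (case sensitive), got {row['source']!r}")
    elif row["source"] == "L":
        if " " in row["user_id"]:
            problems.append("local user IDs cannot contain spaces")
        for col in ("first_name", "last_name", "email"):
            if not row[col]:
                problems.append(f"{col} is required when Source is L")

    if row["number"] == "PDA":                  # iPod touch and similar
        if row["country_code"] != "0":
            problems.append("PDAs must use country code 0")
    else:
        if not DIGITS.fullmatch(row["country_code"]):
            problems.append(f"country code must be numeric, got {row['country_code']!r}")
        if not DIGITS.fullmatch(row["number"]):
            problems.append("phone numbers cannot contain spaces or non-numeric characters")
        # The operator is only needed (so only checked) for country code 1.
        if row["country_code"] == "1" and not row["operator"]:
            problems.append("Operator is required for country code 1")

    if row["os"] not in OS_CODES:
        problems.append(f"OS must be I, A or M (uppercase), got {row['os']!r}")
    elif OS_CODES[row["os"]] in disabled_platforms:
        problems.append(f"platform {OS_CODES[row['os']]} is disabled for registration")
    if row["ownership"] not in OWNERSHIP_CODES:
        problems.append(f"E/C must be C or E, got {row['ownership']!r}")
    if row["device_language"] and row["device_language"] not in LANGUAGES:
        problems.append(f"unsupported Device Language {row['device_language']!r}")
    # The guide shows TRUE/FALSE; tolerating other case is an assumption here.
    if row["notify_user"] and row["notify_user"].upper() not in ("TRUE", "FALSE"):
        problems.append("Notify User must be TRUE or FALSE")
    return problems


def validate_file(text, disabled_platforms=frozenset()):
    """Check every line of a comma- or tab-separated file.
    Returns {line_number: [problems]} for lines that would fail, which is the
    information the Status and Message columns show after an import.
    """
    first_line = text.splitlines()[0] if text.strip() else ""
    dialect = "excel-tab" if "\t" in first_line else "excel"
    failures = {}
    for lineno, fields in enumerate(csv.reader(io.StringIO(text), dialect=dialect), 1):
        if not any(f.strip() for f in fields):
            continue                            # blank line
        problems = validate_row(fields, disabled_platforms)
        if problems:
            failures[lineno] = problems
    return failures


# Constructed sample: two phones, one PDA, and a row with two mistakes.
SAMPLE_CSV = """\
jdoe,1,4085551212,Sprint,I,C,D
ksmith,1,4085550100,Sprint,A,E,L,Ken,Smith,ksmith@mycompany.com,p@$sW0rd,en-US,"Smith, Ken",TRUE
ipoduser,0,PDA,,I,E,D
bad user,1,4085550199,Sprint,i,C,L,Bad,User,bad@mycompany.com
"""

if __name__ == "__main__":
    for lineno, problems in validate_file(SAMPLE_CSV).items():
        print(f"line {lineno}: " + "; ".join(problems))
```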

Loading the multiple devices registration CSV


To load the bulk file:
1. Go to Users & Devices > Devices.
2. Click +Add > Multiple Devices. Click the Browse button to select the CSV file containing the bulk registration data.
3. Click Import File. Click Apply. Review the Status column to confirm that each entry was successfully imported.
4. If any items failed, scroll to the right and hover over the Message column to display information about the reason the item was not applied successfully.

What the user sees


For most OSes, this registration method results in user notification by SMS and email. PDA users are notified by email. The SMS contains a live URL link. The email includes a URL, instructions, and the information the user will need to enter during registration. The user can click the live URL in the SMS or enter the URL directly into the device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.

If the user does not respond within 24 hours, MobileIron sends a reminder. After 120
hours, the registration expires. This expiration interval is configurable (Settings >
Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).


Invite users to register


Administrators can invite users to perform self-service registration through
MyPhone@Work. (See The User Portal: MyPhone@Work on page 935 for information
on this self-service user portal.) The administrator sends invitations that provide the
instructions necessary to complete the registration process.

Note: Language-specific templates are not currently available for invitations.

See Overview of registration methods on page 78 for points to consider before using
this registration method.

To send invitations:
1. Click the Users Management link in the Users & Devices page.
2. Select the type of user accounts you want to work with:
   - Select Authorized Users from the To dropdown list to select from local user accounts.
   - Select LDAP Entities from the To dropdown list to select users from the configured LDAP server.
3. Click the checkbox next to each user you want to invite.
4. Click the Send Invitation button.
5. Review the default text for the invitation and make any changes.
The text is displayed here with HTML markup. The user will receive the formatted version.
6. Click Send.


What the user sees


This registration method results in user notification via email. The email contains
instructions for registering devices via the MyPhone@Work user portal. See The User
Portal: MyPhone@Work on page 935 for information on what the user is expected to
do to complete the registration process.


In-app registration for iOS and Android


You can ask iOS and Android users to download the MobileIron app from the iOS App Store or Google Play (formerly Android Market) and register by themselves. To prepare for this option, complete the following steps:
1. Make sure that the user has a user record (local or LDAP) available in MobileIron. See Managing Users on page 57.
2. Instruct the user on downloading the app and registering. The user will need the following information:
   - user name
   - password and/or Registration PIN
   - server (and the port number, if you did not use the default port number for TLS)

See Overview of registration methods on page 78 for points to consider before using
this registration method.

What the user sees


See the MyPhone@Work for iOS or MyPhone@Work for Android document for information on the registration process from the user's point of view.

Auto-populating the MobileIron Core server name during registration

Auto-populating the MobileIron Core server name streamlines the registration process
and eliminates the need for the user to type it. You can auto-populate the Core server
address based on the device phone number or the email address.

Auto-populating the MobileIron Core server name based on email address

To auto-populate the server name based on the device user's email address, you only need to register your MobileIron Core with MobileIron. Additional configuration on Core is not required.

Users must enter their full email address when prompted to enter their user name in
the registration screen. MobileIron matches the email domain to the appropriate
MobileIron Core and populates the registration screen with the correct server name.

Registering your MobileIron Core with MobileIron


To register your MobileIron Core, open a ticket on the MobileIron Support portal and provide the following information:
- your company name (e.g. MobileIron)
- your email domain (e.g. mobileiron.com)
- your MobileIron Core hostname for on-premise Core, or m.mobileiron.net:<appropriate port number> for Connected Cloud.

Auto-populating the MobileIron Core server name based on the phone number (Android)

You can also auto-populate the MobileIron Core server name based on the phone number. The following setup is required:
- Core access to the MobileIron Gateway. Configure the required ports. See the Changing Firewall Rules section in the Installation Guide for details.
- Enable server name lookup in the Admin Portal > Settings > Preferences page.

To enable server name lookup:


1. In the Admin Portal, select the Preferences link in the Settings page.
2. Select Yes for the Enable Server Name Lookup option under iOS/Android In-App
Registration Preferences.
3. Click Save.

Note the following:
- Because this feature relies on a mobile number, it does not apply to iOS devices.
- The mobile number must also be present on the SIM in order for the Enable Server Name Lookup option to work.
- Registering MobileIron Core with MobileIron is not required.


ActiveSync device registration


The ActiveSync Devices view displays the devices that are accessing ActiveSync. This
view is populated only if you have a MobileIron Sentry configured. From this view, you
can decide to register selected devices.

See Overview of registration methods on page 78 for points to consider before using
this registration method.
To register an ActiveSync phone with MobileIron:
1. Select the ActiveSync Associations link under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be registered.
3. Click the Register button.
4. See Registration by administrator: individual devices on page 87 for instructions
on completing the registration process.


Tracking registration status


The Users & Devices > Devices page displays the state for each device:
- Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
- Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
- Active means that the MobileIron Client has been successfully downloaded and connected back to MobileIron Core at least once.
- Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
- Infected means that Core detected a virus attached to a document on the device and attempted to remove the virus.
- Wiped means that the phone has been restored to factory defaults.

Note: If a BES-managed device does not change from the Verified state to the Active
state, consider resending the provision message.


Managing operators and countries


MobileIron provides a default list of operators for users to select from during registration. You can enable or disable operators to determine whether they appear in the list of operators displayed during registration of US devices and other devices having a country code of 1.

For non-US devices, country selection is an important part of the registration process.
MobileIron also provides a default list of countries enabled for registration purposes.
You may need to adjust this list to enable additional countries.

This section explains how to customize displayed operators and countries.

Enabling operators
Enabling an operator displays it in the list of operators presented to users during registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the Operators screen. By default, the Operators screen shows only Enabled operators.
2. Select Disabled or All from the Status dropdown.
3. Click the checkbox next to each operator you want to enable.
4. Click Enable.

Enabling additional countries for registration


A subset of countries is enabled for device registration by default. You should check this list and determine whether any of your users have home countries not represented in the default list. Complete the following steps to enable additional countries:
1. In Admin Portal, go to Settings > Preferences > Registration Preferences.
2. Select countries from the Disabled Countries list.
3. Click the arrow button to move them to the Enabled Countries list.
4. Click Save.

Disabling operators
Disabling an operator removes it from the list of operators presented to users during
registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the
Operators screen.
By default, the Operators screen shows only Enabled operators.
2. Click the checkbox next to each operator you want to disable.
3. Click Disable.


Filtering operators
You can use filters to display only those operators you want to work with in the Operators screen. You can:
- Search for a specific operator
- Display operators by country
- Display operators by status

Searching for an operator


To search for a specific operator:
1. Enter a portion of the operator's name in the Search by Name field.
2. Click the search icon to display the matching operators.
3. Click the x that appears in the search field to return to the default display.

Displaying operators by country


To narrow the list of operators by country, select a country from the Country dropdown list.

Displaying operators by status


To display operators by status, select from the Status dropdown list. The following options are available:
- Enabled
- Disabled
- All


Specifying eligible platforms for registration


In some cases, you may want to exclude all devices of a particular platform from registration. For example, if corporate policy dictates that a particular device platform will not be supported, you may want to prevent users from selecting the platform during self registration. Likewise, you may want to prevent helpdesk personnel from mistakenly registering the unsupported platform in the Admin Portal.

To exclude a device platform from registration:


1. In Admin Portal, select Settings > Preferences.
2. Scroll to the Registration Preferences section.
3. In the Enabled Platforms list, select the platform you want to exclude. Shift-click platforms to select more than one.
4. Click the left arrow button to move the selected platforms to the Disabled Platforms list.
5. Click Save.
All methods of registration now exclude the selected platforms.


Configuring user authentication requirements for registration (iOS, Android, Windows Phone)

By default, iOS, Android, and Windows Phone 8 users must enter a password to register a device. You have the option to require a MobileIron-generated Registration PIN in place of or in addition to the password.

To change user authentication requirements:


1. In Admin Portal, select Settings > Preferences.
2. Scroll down to the iOS/Android/Windows Phone 8 Preferences.
3. Select the type of authentication for registration.
4. Scroll down to the Registration PIN code Preferences and specify the minimum length for the PIN (6-12 characters).
5. Click Save.

Limit for failed attempts to enter a registration password


After the sixth failed attempt to enter a registration password, MobileIron Core locks the device user's account for 30 seconds. The device user sees a message stating that the account is locked and will be released after the specified interval.

PIN-based authentication for WP8 devices


If PIN registration is enabled on MobileIron Core (in the Admin Portal, Settings > Preferences), the registration email that the WP8 device user receives contains the PIN and a URL with instructions for verifying the PIN.

At this point, the device Status in the Users & Devices > Devices page shows as Pending.

The device user must verify the PIN before completing the registration process on the
WP8 device. If the PIN is not verified before continuing the registration process on the
device, the device registration fails.

After the PIN is verified, the device Status in the Users & Devices > Devices page shows as Verified.

Once the PIN is verified, the device user is ready to complete the registration on the
device. See Getting started with Windows Phone 8 for instructions on how to register
the WP8 device. After registration on the device is completed, the device Status in the
Users & Devices > All Devices page shows as Active.

Note the following:
- Username and password are always required for WP8 device registration.
- The User Portal role is required for WP8 device registration whether PIN-based registration is enabled or not.
- When a WP8 device is in Verified state, the device user can successfully register another device using the same username.

If the PIN expires for WP8 devices


By default, the PIN expires in 120 hours. If the PIN expires before the WP8 device
user verifies the PIN, you must first retire the device, then re-register the device. This
generates a new PIN.

Re-provisioning is not supported for WP8 devices.

PIN-based authentication for WP8.1 devices


If only PIN registration is enabled, a password is not required. However, the device user is asked to enter an email address during registration.

If the user removes the MobileIron account from the WP8.1 device, a new PIN is
required to re-register the device.

If the PIN expires you must first Retire the device in the Admin Portal, then re-register
the device. This generates a new PIN. Re-provisioning is not supported (Users &
Devices > Devices > Action > More Actions > Re-provision Device).

User Portal role is required even if PIN registration is configured.


Customizing registration messages


The registration process is a critical part of deployment. You can customize the messages involved in this process by editing the registration templates. Registration templates enable you to specify content and basic formatting using HTML markup. MobileIron sends multiple messages related to registration:
- registration SMS
- registration email and reminder email
- post registration email

These messages may vary by:
- platform
- language

In addition, messages may vary by device type:
- phones
- PDAs

To accommodate this range of messages:
- Separate registration templates are provided for each language/platform combination.
- Each registration template contains separate text for each registration message type.
- Each registration template contains separate text for phones and PDAs.

Displaying registration templates


To display MobileIron message templates:
1. In Admin Portal, select Settings > Templates. Select Registration Templates.
2. Click the View link for the template you want to view.

Editing registration messages

To edit registration messages:
1. In Admin Portal, select Settings > Templates > Registration Templates. Click the Edit icon for the template you want to edit. Registration messages are displayed with the HTML markup that provides the basic formatting for the content.
2. Make changes to the displayed registration messages. Click the Variables Supported link to display a guide to the supported variables. See Using variables in registration messages on page 106 for additional details.
3. Click Save.


Using variables in registration messages


Each field in a registration template has a set of supported variables, most of which are required. Supported and required variables also differ by OS. Use the following variables to guide your customization. You can also click the Variables Supported link to display this information. All variables except $BRAND_COMPANY_NAME$ are also required in the specified field.

iOS/Android fields and their supported variables:

Registration SMS (Phones): $REG_LINK$

Registration Email
  Subject (Phones): $ENT_NAME$, $USER$, $PHONE$
  Subject (PDAs): $ENT_NAME$, $USER$, $PHONE$
  Body (Phones): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
  Body (PDAs): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
  Reminder Subject (Phones): $ENT_NAME$, $USER$, $PHONE$
  Reminder Subject (PDAs): $ENT_NAME$, $USER$, $PHONE$
  Reminder Body (Phones): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
  Reminder Body (PDAs): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $INAPP_REG_STEPS$, $REG_LINK$

$INAPP_REG_STEPS$
  Server: $SERVER_URL$
  Username: $USER_ID$
  Password: $PASSCODE$, $PASSCODE_TTL$

Post Registration Email
  Subject (Phones): $BRAND_COMPANY_NAME$, $USER$, $PHONE$
  Subject (PDAs): $BRAND_COMPANY_NAME$, $USER$, $PHONE$
  Body (Phones): $BRAND_COMPANY_NAME$, $PHONE$
  Body (PDAs): $BRAND_COMPANY_NAME$, $PHONE$

Fields for other OSes and their supported variables:

Registration SMS (Phones): $REG_LINK$

Registration Email
  Subject (Phones): $ENT_NAME$, $USER$, $PHONE$
  Subject (PDAs): $ENT_NAME$, $USER$, $PHONE$
  Body (Phones): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $PASSCODE$, $PASSCODE_TTL$, $REG_LINK$
  Body (PDAs): $PASSCODE$, $PASSCODE_TTL$, $REG_LINK$
  Reminder Subject (Phones): $ENT_NAME$, $USER$, $PHONE$
  Reminder Subject (PDAs): $ENT_NAME$, $USER$, $PHONE$
  Reminder Body (Phones): $ENT_NAME$, $BRAND_COMPANY_NAME$, $PHONE$, $PASSCODE$, $PASSCODE_TTL$, $REG_LINK$
  Reminder Body (PDAs): $PASSCODE$, $PASSCODE_TTL$, $REG_LINK$

Post Registration Email
  Subject (Phones): $BRAND_COMPANY_NAME$, $USER$, $PHONE$
  Subject (PDAs): $BRAND_COMPANY_NAME$, $USER$, $PHONE$
  Body (Phones): $BRAND_COMPANY_NAME$, $PHONE$
  Body (PDAs): $BRAND_COMPANY_NAME$, $PHONE$

Variable descriptions
The following table describes the variables used in registration messages.

$BRAND_COMPANY_NAME$: An internal variable.
$ENT_NAME$: The name of the organization using MobileIron Core to secure the device. See Settings > Preferences > Enterprise Name.
$INAPP_REG_STEPS$: Combines $SERVER_URL$, the user's LDAP password, $PASSCODE$, and $USER_ID$.
$PASSCODE$: The registration PIN generated for the device by Core.
$PASSCODE_TTL$: The number of hours that the registration PIN remains valid. See Settings > Preferences > Passcode Expiry.
$PHONE$: The phone number associated with the device.
$REG_LINK$: The URL that users access to complete the registration process (that is, https://<server name>:<port>/i for iOS, https://<server name>:<port>/a/ for Android, and https://<server name>:<port>/v/<passcode> for others).
$SERVER_URL$: The MobileIron Core server address used for iOS/Android registration.
$USER$: The name of the user associated with the device, as displayed in MobileIron Core.
$USER_ID$: The user ID for the user associated with the device, as defined in the user account on Core.
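A customized template that drops a required variable is easy to miss when editing HTML by hand. The following added example (not MobileIron code) encodes the required-variable sets from the tables above, builds $REG_LINK$ in the per-OS form given in the variable descriptions, and expands a template only once it is complete; the template text, server name, user and PIN values are constructed placeholders, and the $INAPP_REG_STEPS$ wording is an assumption.

```python
"""Check a customized registration template for its required variables and
expand it. Added example, not MobileIron code: the required-variable sets
follow the tables above (every listed variable except $BRAND_COMPANY_NAME$
is required); template text and device values are constructed."""
import re

VAR_RE = re.compile(r"\$[A-Z_]+\$")

# Required variables per field. iOS/Android email bodies carry the in-app
# steps via $INAPP_REG_STEPS$; other OSes embed $PASSCODE$ and $PASSCODE_TTL$.
REQUIRED = {
    "ios_android": {
        "sms": {"$REG_LINK$"},
        "email_subject": {"$ENT_NAME$", "$USER$", "$PHONE$"},
        "email_body": {"$ENT_NAME$", "$PHONE$", "$INAPP_REG_STEPS$", "$REG_LINK$"},
        "post_reg_subject": {"$USER$", "$PHONE$"},
        "post_reg_body": {"$PHONE$"},
    },
    "other": {
        "sms": {"$REG_LINK$"},
        "email_subject": {"$ENT_NAME$", "$USER$", "$PHONE$"},
        "email_body": {"$ENT_NAME$", "$PHONE$", "$PASSCODE$",
                       "$PASSCODE_TTL$", "$REG_LINK$"},
        "post_reg_subject": {"$USER$", "$PHONE$"},
        "post_reg_body": {"$PHONE$"},
    },
}


def missing_variables(platform, field, template_text):
    """Return the required variables absent from the template text, sorted."""
    return sorted(REQUIRED[platform][field] - set(VAR_RE.findall(template_text)))


def registration_link(server, os_code, passcode=None):
    """Build $REG_LINK$ in the per-OS form listed under the variable descriptions."""
    if os_code == "I":
        return f"https://{server}/i"
    if os_code == "A":
        return f"https://{server}/a/"
    if not passcode:
        raise ValueError("registration links for other OSes carry the passcode")
    return f"https://{server}/v/{passcode}"


def inapp_reg_steps(server_url, user_id, passcode, passcode_ttl):
    """Assemble $INAPP_REG_STEPS$ from its parts (the wording is constructed)."""
    return (f"Server: {server_url}\nUsername: {user_id}\n"
            f"Password: {passcode} (valid for {passcode_ttl} hours)")


def render(platform, field, template_text, values):
    """Substitute variables after confirming the template is complete.
    Raises ValueError when a required variable is missing, so a broken
    template is caught before it is saved; unknown variables stay visible."""
    missing = missing_variables(platform, field, template_text)
    if missing:
        raise ValueError("template is missing required variables: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: values.get(m.group(0), m.group(0)), template_text)


# Constructed sample body for the iOS/Android Registration Email.
SAMPLE_BODY = (
    "<p>$ENT_NAME$ is registering your device $PHONE$ with MobileIron.</p>\n"
    "<pre>$INAPP_REG_STEPS$</pre>\n"
    '<p>Or open <a href="$REG_LINK$">$REG_LINK$</a> on the device.</p>'
)

# Constructed values; a real deployment fills these in per device.
SAMPLE_VALUES = {
    "$ENT_NAME$": "Example Corp",
    "$PHONE$": "4085555555",
    "$INAPP_REG_STEPS$": inapp_reg_steps("core.example.com:443", "jdoe", "483920", 120),
    "$REG_LINK$": registration_link("core.example.com:443", "I"),
}

if __name__ == "__main__":
    print(render("ios_android", "email_body", SAMPLE_BODY, SAMPLE_VALUES))
```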

Filtering registration messages


In the Registration Templates page, you can filter registration messages by:
- language
- platform

To filter registration messages:


1. If you want to restrict the templates displayed based on language, select the preferred language from the Language list.
2. If you want to restrict the templates displayed based on device platform, select the preferred platform from the Platform list.

Restoring registration messages to default content


To restore a registration message to the default content provided by MobileIron:
1. In the Registration Templates page, select the template you want to restore.
2. Click Restore to Factory Default.


Registration notes

iOS profile fails to install

Removing old MobileIron profiles on iOS devices


During testing or in the event that the registration process is interrupted, you may
have expired profiles left on your iOS device. These profiles may interfere with your
efforts to complete the registration process. To address this issue, you should remove
the MobileIron profiles left on the device.

To remove MobileIron profiles from an iOS device:


1. Tap the Settings icon on the device.
2. Tap General.
3. Scroll down to the Profiles section.
4. Tap Profiles.
5. Select the profile.
6. Tap the Remove button.

Chapter 4

Managing Devices
Overview of managing devices and users
Displaying device assets
Registration-related features and tasks
Security-related features and tasks
Maintenance features and tasks
Using labels to establish groups
Delegated administration
Working with Apple DEP devices


Overview of managing devices and users


Most of the day-to-day tasks necessary for managing enterprise devices and their users fall into the following basic categories:
- Inventory management
- Theft/loss protection
- Basic maintenance

The Users & Devices page in the Admin Portal provides access to these features.

The Users and Devices pages


The Users and Devices pages enable you to manage enterprise devices. Use these pages to:
- Register/enroll a new device and associate it with a user
- Register/enroll devices in bulk mode
- Display a list of registered devices
- View and manage devices connected through ActiveSync
- Apply labels in order to group devices
- Create, edit, and delete labels
- Locate, Lock, Wipe or perform other administrative actions on a device

Access to Users and Devices pages


To view the Users page, you must have the Manage user role. To view the Devices
page, you must have the View device role or a role that includes that permission.


Displaying device assets


Go to the Users & Devices > Devices page to display the devices being managed by
MobileIron. The following information is displayed for each device.

User: Displays the full name of the user registered with this phone.

Number: Displays the phone number.

Device: Displays the make and model of the device. If you have MDM for iOS enabled and the View MDM Alerts option selected under Settings > Preferences > MDM Preferences, then entries for iOS devices that need attention will include alert icons. See Alerts displayed in the Devices page on page 115 for information on alerts and what they mean.

OS: Displays the operating system running on the phone as reported by the MobileIron Client running on the phone.

Country: Displays the home country for the device.

Status: Displays the state for each device:
- Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
- Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
- Active means that the MobileIron Client has been successfully downloaded and connected back to MobileIron Core at least once.
- Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
- Infected means that MobileIron Core detected a virus attached to a document on the device and attempted to remove the virus.
- Wiped means that the phone has been restored to factory defaults.

Registration Date: Date the device registered.

Last Check-In: Displays the elapsed time since the device was able to update profiles and configurations from MobileIron Core.

E/C: Indicates whether the phone has been registered as employee owned (E) or company owned (C).

Operator: Displays the name of the service provider specified when the phone was registered with MobileIron.

Language: Displays the language currently used for messages sent to the device. If the device reports a locale, then the language associated with that locale is used. If the device has not reported a locale, then the default language is used, or you can set a specific language by selecting More Actions > Change Language.


Alerts displayed in the Devices page


The following table describes the alerts that may be displayed in the Users & Devices
> Devices page (Device column) for devices.

Alert Name: Data Protection Disabled (iOS only); MobileIron iOS Multitasking is Disabled
Description:
  Data Protection: One of the following MDM-mandated security requirements is not being met:
  - Passcode is not set
  - Encryption is not fully enabled
  Multitasking: The MobileIron multitasking feature for iOS is not enabled, most likely because Location Services has not been enabled on the device.
Action: Display the tooltip for the alert icon.
  For tooltip Passcode Required, inform the user that MDM mandates setting a passcode on the device.
  For tooltip Restore Required, inform the user that the device must undergo a complete restore after upgrade from iOS 3.x to fully enable encryption features.
  For tooltip MobileIron iOS Multitasking is Disabled, confirm that Location Services is enabled on the device. For iOS 4.2, go to Settings > General > Location Services. For iOS 4.3 and higher, go to Settings > Location Services. For iOS 7.0 and higher, go to Settings > Privacy > Location Services > MobileIron and enable.

Alert Name: Unlocked Device (iOS and Android only)
Description: The OS has been compromised. On iOS devices, Mobile@Work prevents the user from accessing Docs@Work features. See Jailbreak impact on documents on page 578.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Association page. Inform the user that the device must be restored.

Alert Name: App Control Violation
Description: An app control rule has been violated.
Action: Expand the device's Device Details panel to see specific information on the violation. See App control alerts on page 538.

Alert Name: Quarantined (iOS only)
Description: Configurations have been removed from the device due to a security violation.
Action: See Viewing quarantine information on page 199.

Alert Name: Device Administrator Not Activated (Android); MDM Profile Removed (iOS)
Description:
  Device Administrator Not Activated: The device administrator privilege is not activated for the MobileIron app or the Samsung DM Agent. (See Uninstalling the Samsung DM Agent on page 899 for information on this agent.) The device administrator privilege is required for most of the device management features that MobileIron provides.
  MDM Profile Removed: The MDM profile has been removed from the device. An MDM profile is required for the MobileIron app on iOS to operate with full functionality.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Association page. Inform the user that the privilege must be restored.
Displaying more device and user information


Detailed information about each device is available on the Users & Devices > Devices
page. To expand the device details panel, find the device in the table, and click the up
arrow next to the checkbox. The device details panel expands immediately below the
row. You can have multiple device detail panels open at once.

To close device details, click the X in the top right of the panel, or click the down arrow
next to the checkbox.


Device detail information


When you expand the device details panel, the following is displayed:
Link to view the Log
Link to Push Profiles (if applicable)
User name
User email
Image of the device
Phone number (if applicable)
Device model
OS version
Device capacity
Status
Last check-in time
Registration date
Operator and country name

Additional information is found in the tabs on the right side of the panel.

The categories and information available on the right side of the Device Details panel
are:

Device Details: Device-specific details received from the device, including Build Version, MDM Operational flag, Data Protection Enabled flag (iOS), UDID (iOS), and many others. The attribute names can be used in Advanced Search.
Policies: Status of policy distribution.
Label Membership: Labels applied to this device.
iOS (only if MDM is enabled; appears only for iOS devices): Links to iOS-specific information: Certificate Inventory, Profile Inventory, MDM Log, Managed Apps Inventory.
Apps: List of apps that are installed on the device.
Configurations: Status of configurations distribution, e.g., Exchange, VPN, etc.
Comments: Comments added by a MobileIron administrator to record information about this device.

For information about details displayed relating to AppConnect for Android, see Device details for AppConnect apps for Android on page 639.

For WP8 devices, the device capacity, RAM, and storage used information is not available. The phone number and the country information is available only if the Admin or the device user provides the information when registering the device on the Admin Portal or on MyPhone@Work (User Portal).

For Windows 8.1 RT and Pro devices, the phone number, country, and operator information is not available.

In addition, for WP8.1 devices, the following information is also displayed for dual SIM phones:
IMEI2
IMSI2
WP Roaming2

Adding a comment to device details


The Comments tab in the device details panel enables you to add brief text to the device record. To add a comment:
1. Click the Comments tab.
2. Enter the text.
3. Click Submit to save your changes, or Cancel to revert to the original comment. The comment pane displays the date and time the comment was created or modified.

Displaying log data for a selected device


To display log data for a selected device in the Users & Devices > Devices page:
1. Expand the device details panel by clicking the up arrow next to the checkbox.
Device details appear below.
2. Click the View Logs for Device link, found at the top left of the device details panel.

Export to CSV
Click on Export to CSV to download the records shown on the Admin Portal > Users &
Devices > Devices page as a CSV file.
The enhanced Export to CSV feature provides access to numerous additional device attributes that were previously unavailable. The attributes are organized into platform-specific groups to make it easy to report on the relevant attributes for the devices you're working with.

To use the enhanced Export to CSV feature:
1. In the Admin Portal, go to Users & Devices > Devices.
2. Use the Advanced Search feature or select a label to filter the devices you are interested in. All of the devices in the table will appear in the exported file, up to a limit of 5000 records.
3. Click Export to CSV. The Export CSV Spreadsheet dialog appears.
4. Select the information to export. The exported fields for each selection are listed below.
5. Click Export. The DeviceSearchResult.csv file is exported to your computer.

Include Only Basic Device Information: UID, EMAIL ADDRESS, USER, NUMBER, DEVICE, OS, COUNTRY, STATUS, REGISTERED ON DATE, LAST CHECK-IN, E/C, OPERATOR, LANGUAGE, PASSCODE, PASSCODE EXPIRATION

Include all device data, including the following (select one or more of the options below):

User Attributes: User ID, Device UUID, Attribute Distinguished Name, custom1, custom2, custom3, custom4, Display Name, Email Address, First Name, Last Admin Portal Login Time, Last Name, LDAP Group Distinguished Name, LDAP User Distinguished Name, LDAP User Locale, memberOf, Name, Principal, upn, User UUID. (Note: If defined in LDAP settings, custom attributes appear here also.)

Common Device Attributes: User ID, Device UUID, APNS Capable, Battery Level, Block Reason, Blocked, Cellular Technology, Client Build Date, Client Id, Client Last Check-in, Client Name, Client Version, Comment, Compliant, Creation Date, Current Country Code, Current Country Name, Current Operator Name, Current Phone Number, Device Locale, Device Owner, Display Size, EAS Last Sync Time, Ethernet MAC, Home Country Code, Home Country Name, Home Operator Name, Home Phone Number, IMEI, IMSI, IP Address, Language, Last Check-In, Manufacturer, MDM Managed, Memory Capacity, Memory Free, Model, Model Name, Non-compliance Reason, OS Version, Passcode, Passcode Expiration Time, Platform, Platform Name, Processor Architecture, Quarantined, Quarantined Reason, Registration Date, Registration IMSI, Registration UUID, Retired, Roaming, Security State, Status, Storage Capacity, Storage Free, Wi-Fi MAC

Android Attributes: User ID, Device UUID, Admin Activated, Attestation, Brand, C2DM Token, Code Name, Device, Device Roaming Flag, Incremental, MDM Enabled, Media Card Capacity, Media Card Free, Multi MDM, OS Build Number, OS Update Status, Platform Flags, Samsung KNOX Version, Samsung SAFE Version, Secure Apps Enabled, Secure Apps Encryption Enabled, Secure Apps Encryption Mode, Security Detail, USB Debugging

iOS Attributes: User ID, Device UUID, APNS Token, Bluetooth MAC, Build Version, Carrier Settings Version, Current Mobile Country Code, Current Mobile Network Code, Data Protection, Data Roaming Enabled, Device Locator Service Is Enabled, Device Name, Do Not Disturb Is In Effect, Force Encrypted Backup, Hardware Encryption Caps, iOS Background Status, iPhone ICCID, iPhone Mac Address, iPhone Product, iPhone UDID, iPhone User ID, iPhone User Long Name, iPhone User Short Name, iPhone Version, IT Policy Result, iTunes Store Account Is Active, Modem Firmware Version, Passcode Compliant, Passcode Compliant with Profiles, Passcode Present, Product Name, Security Reason Code, Serial Number, Signal Strength, Subscriber Carrier Network, Subscriber MCC, Subscriber MNC, Supervised, Voice Roaming Enabled, VPN IP Address

Windows Phone Attributes: User ID, Device UUID, Cert Renewal Timestamp, DM Client Version, DM ID, Exchange ID, Firmware Version, Hardware Version, Local Time, Network Adapter, Processor Type, Processor Type Description, Signed DM ID, WNS Channel URL, WP ENT Device Name, WP Management Service Address, WP MPNS Notification URI, WP OS Platform, WP Publisher Device ID, WP Radio SWV
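The export is the most convenient way to review a whole fleet offline. As an added example (not part of this guide and not MobileIron's own tooling), the following Python script reads an exported DeviceSearchResult.csv and flags the devices a security reviewer would want to look at first: non-compliant, quarantined, stale check-in, no passcode, iOS data protection off, and Android USB debugging enabled. The sample rows are constructed; the column names are taken from the attribute lists above, but the exact header text, the true/false spelling and the timestamp format of a real export are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in the shape of DeviceSearchResult.csv. The column
# names come from the attribute lists above; the header spelling, the
# "true"/"false" values and the timestamp layout are assumptions about the
# real export. Platform-specific columns are left empty for other platforms.
SAMPLE_EXPORT = """\
User ID,Device UUID,Platform Name,Compliant,Quarantined,Retired,Last Check-In,Passcode Present,Data Protection,USB Debugging
jdoe,8d1f-0001,iOS,true,false,false,2014-06-20 09:15:00,true,true,
asmith,8d1f-0002,iOS,true,false,false,2014-05-01 17:40:00,false,false,
bwong,8d1f-0003,Android,false,false,false,2014-06-21 08:02:00,,,true
clee,8d1f-0004,Android,true,true,false,2014-06-19 12:00:00,,,false
dkim,8d1f-0005,Android,true,false,true,2014-01-02 12:00:00,,,true
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the exported timestamps


def _truthy(value):
    return (value or "").strip().lower() in ("true", "yes", "1")


def flag_risky_devices(csv_text, now, max_checkin_age_days=7):
    """Return {device UUID: [reasons]} for every non-retired device that fails
    a check. `now` is a timestamp string in TIME_FORMAT so that results are
    reproducible. Platform-specific columns (Passcode Present and Data
    Protection for iOS, USB Debugging for Android) are evaluated only when the
    cell is non-empty, because one export mixes all platforms in a single file."""
    now_dt = datetime.strptime(now, TIME_FORMAT)
    max_age = timedelta(days=max_checkin_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if _truthy(row.get("Retired")):
            continue  # retired devices are excluded, as in the Devices page search
        reasons = []
        if not _truthy(row.get("Compliant")):
            reasons.append("non-compliant")
        if _truthy(row.get("Quarantined")):
            reasons.append("quarantined")
        last = datetime.strptime(row["Last Check-In"], TIME_FORMAT)
        if now_dt - last > max_age:
            reasons.append("stale check-in (%d days)" % (now_dt - last).days)
        passcode = (row.get("Passcode Present") or "").strip()
        if passcode and not _truthy(passcode):
            reasons.append("no passcode")
        data_protection = (row.get("Data Protection") or "").strip()
        if data_protection and not _truthy(data_protection):
            reasons.append("data protection off")
        usb_debugging = (row.get("USB Debugging") or "").strip()
        if usb_debugging and _truthy(usb_debugging):
            reasons.append("USB debugging enabled")
        if reasons:
            findings[row["Device UUID"]] = reasons
    return findings


if __name__ == "__main__":
    for uuid, why in sorted(flag_risky_devices(SAMPLE_EXPORT, "2014-06-22 00:00:00").items()):
        print(uuid, "; ".join(why))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and adjusting TIME_FORMAT to whatever the export actually uses; the check-in threshold should match the Sync Interval in your security policy rather than the seven-day default used here.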

Searching for a device record


The Users & Devices > Devices page offers basic and advanced searching. Basic search provides a way to find devices or users using a limited set of criteria. Advanced search allows you to create complex search queries using the full set of available criteria.

You can also apply advanced search criteria to a new or existing label.

Basic searching
You can quickly search for devices based on the following criteria:
label
iOS MAC Address
iOS Serial Number
iOS UDID


User Principal/ID
User Email Address
User First/Last Name

To search by label, select the appropriate label name from the Labels list.

To search by the other criteria, select any automatic label in the Labels list, and then
use the following syntax in the Search By User Or Device field:
mac:<iOS MAC Address>
sn:<iOS Serial Number>
udid:<iOS UDID>
uid:<User Principal/ID>
mail:<User Email Address>
name:<User First/Last Name>

Note that the prefixes mail: and name: are optional. All others are required. For example, to find the devices registered with the email address jdoe@mobileiron.com, you can enter the following:
mail:jdoe@mobileiron.com
or just
jdoe@mobileiron.com

Advanced searching
As data sets get larger, it is increasingly important to have a powerful search. You can use advanced search to build complex queries using the full set of available criteria. You can also create a new label using the advanced search criteria, or apply the criteria to an existing label.

To access advanced search:


1. Go to Users & Devices > Devices

2. Click the Advanced Search icon located at the top right, above the table.
The query builder appears.

You can enter search criteria using the query builder, or type the search expression
directly.

Searchable fields
To see the complete list of searchable fields in the query builder:
1. Click the Field dropdown to see the categories.
2. Click Expand All.

The fields are organized into these categories for convenience:
Common fields: apply to any device type
Android fields, iOS fields, Windows phone fields: apply to devices of the specified platform
User fields: apply to the device's user, including LDAP fields for groups and custom attributes.

Advanced search using the query builder


To use the query builder to create a search:
1. Select a field to search on. Hint: you can type a few letters of the field name to see a short list of matching fields, or press the Expand All button within the field list to see all the fields. For example, you might select Status. Your choice of field may determine the possible values in the next field, the logical operator.
2. Click the Operator field to select an operator. For example, select Equals.
3. Click the Value field and make a selection or type in the value you are searching for. Some fields have predetermined values that you can select.
4. Select additional fields and criteria as needed. Click the All button, located above the criteria, to combine the criteria with a logical AND, or click the Any button to combine the criteria with OR.
5. Click Search to display the matching devices and their owners.

Note: To include retired devices in the results, uncheck the check box to the left of the
Search button.

Advanced search using a manually edited search expression

To enter a search expression directly into the expression field:
1. Type or paste the search criteria into the expression field. The automatic syntax check displays a status icon next to the expression field. A green icon indicates that the syntax is correct, and a red icon that it is incorrect.
2. When the syntax is correct, click Search to display the matching devices and their owners.

Advanced search using both the query builder and manual editing

Use the query builder to start an expression, look up field syntax, and select predetermined values. Then, edit the expression directly to meet your needs.
1. Select fields and criteria as needed.
2. Click the All button to combine multiple criteria with a logical AND, or the Any button to combine them with OR. You can manually edit individual logical operators in the expression field, as needed.
3. In the expression field, edit the expression directly. For example, you can add parentheses, change logical operators, or manually edit field names or values. The automatic syntax check displays a status icon next to the expression field. A green icon indicates that the syntax is correct, and a red icon that it is incorrect.
4. When the syntax is correct, click Search to display the matching devices and their owners.

Once you manually edit the expression, the query builder is covered with a gray box to indicate it no longer represents the current state of the expression. Click the Reset link to remove your manual edits and continue using the query builder.

Example: Find all iOS or Android devices that use AT&T as their service operator.

Click the Advanced Search icon, and then build the expression as follows:
1. Select Platform for the field; select Equals for the operator; iOS for the value.
2. Click the plus icon two times to add two more rows for criteria.
3. In the second row, select Platform, Equals, and Android for the field, operator, and value.
4. In the next row, select Home Operator Name for the field, and Equals for the operator. Notice that the value field adjusts automatically to display service operator values by country. Select AT&T in the second value field, leaving the first field as is.

Next, manually edit the expression:
5. Replace the first AND with OR. The syntax is checked automatically as you type. You will see a red icon indicating incorrect syntax while you are in the process of editing the expression.


6. Add parentheses around the phrase:
"common.platform" = "iOS" OR "common.platform" = "Android"
The parenthesized OR is then evaluated before the AND, so the AT&T criterion applies to both platforms instead of only to Android. To revert to the original expression without your manual edits, click the Reset link to the right of the expression.
7. Click Search to display the matching devices and their owners.
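To make the precedence point in step 6 concrete, here is an added example (not code from this guide or from MobileIron) of a small parser and evaluator for expressions in the form the expression field shows, run over constructed device records. It assumes that AND binds tighter than OR, which is what step 6 implies, and it models only the Equals and Not Equals operators; the field name used for Home Operator Name is an assumption, since the guide only shows "common.platform".

```python
import re

# Constructed device records keyed by advanced-search field names.
# "common.platform" is the field name this chapter shows; the field name
# used here for Home Operator Name is an assumption.
DEVICES = [
    {"common.platform": "iOS", "common.home_operator_name": "AT&T"},
    {"common.platform": "Android", "common.home_operator_name": "AT&T"},
    {"common.platform": "iOS", "common.home_operator_name": "Verizon"},
    {"common.platform": "Android", "common.home_operator_name": "T-Mobile"},
    {"common.platform": "Windows Phone", "common.home_operator_name": "AT&T"},
]

# The worked example's expression before and after the manual edit in step 6.
EXPR_WITHOUT_PARENS = '"common.platform" = "iOS" OR "common.platform" = "Android" AND "common.home_operator_name" = "AT&T"'
EXPR_WITH_PARENS = '("common.platform" = "iOS" OR "common.platform" = "Android") AND "common.home_operator_name" = "AT&T"'

# A token is a double-quoted string, "!=" or "=", a parenthesis, or AND/OR.
# Anything else (group 2) is a syntax error. Only these two comparison
# operators are modelled; the real query builder offers more.
TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*"|!=|=|\(|\)|(?:AND|OR)\b)|(\S))', re.I)


def tokenize(expr):
    tokens = []
    for good, bad in TOKEN.findall(expr):
        if bad:
            raise SyntaxError("unexpected text %r in expression" % bad)
        tokens.append(good)
    return tokens


def _unquote(tok):
    # Field names and values must both be double-quoted, as in the expression field.
    if len(tok) < 2 or tok[0] != '"' or tok[-1] != '"':
        raise SyntaxError("expected a quoted field name or value, got %r" % tok)
    return tok[1:-1].replace('\\"', '"')


class Parser:
    """Recursive descent over the token list. AND binds tighter than OR
    (assumed here, and the reason step 6 needs parentheses), so
    A OR B AND C parses as ("or", A, ("and", B, C))."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok.upper() != expected):
            raise SyntaxError("expected %s, got %r" % (expected or "a term", tok))
        self.pos += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError("unexpected %r after the end of the expression" % self.peek())
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.term()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.term())
        return node
    def term(self):
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            self.take(")")
            return node
        field = _unquote(self.take())
        op = self.take()
        if op not in ("=", "!="):
            raise SyntaxError("expected = or !=, got %r" % op)
        return (op, field, _unquote(self.take()))


def matches(node, device):
    kind = node[0]
    if kind == "and":
        return matches(node[1], device) and matches(node[2], device)
    if kind == "or":
        return matches(node[1], device) or matches(node[2], device)
    actual = device.get(node[1])
    return actual == node[2] if kind == "=" else actual != node[2]


def is_valid(expr):
    """Stand-in for the green/red syntax indicator next to the expression field."""
    try:
        Parser(tokenize(expr)).parse()
        return True
    except SyntaxError:
        return False


def search(expr, devices):
    tree = Parser(tokenize(expr)).parse()
    return [d for d in devices if matches(tree, d)]
```

Running search(EXPR_WITHOUT_PARENS, DEVICES) returns the Verizon iPhone as well as the two AT&T devices, because the expression reads as iOS OR (Android AND AT&T); search(EXPR_WITH_PARENS, DEVICES) returns only the two AT&T devices. The Windows Phone record is excluded by both, which is the check that the platform filter still applies after the edit.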

To clear an advanced search:


In the Advanced Search, click the Clear link, or
Apply a different search by entering a Basic search.

Closing the advanced search query builder does not clear the search.

Searching for retired devices


By default, retired devices are excluded from search results. To include them, uncheck
the Exclude Retired Devices From Search Results checkbox, located to the left of the
Search button in advanced search.

To find only retired devices:


1. Uncheck the checkbox to exclude retired devices
2. Select the following in the advanced search query builder:
Field: Retired
Operator: Equals
Value: true
3. Click Search.

The matching records are displayed.

Searching for blocked devices


You can search for devices for which the status field value is Blocked, which means
that the device is blocked from accessing the ActiveSync server. For iOS devices, it
also means that the device cannot access Docs@Work features. However, the Status
column does not show the value Blocked. Instead, the ActiveSync Association view
shows this information. See Viewing ActiveSync associations on page 449.

Save to label
Click the Save To Label button in advanced search to create a new label using the search criteria, or to apply the criteria to an existing label.
To create a new label, type a new label name in the Label field and type a description. The new filter label is created with the advanced search criteria applied.
To apply the criteria to an existing label, choose a label from the Label selections. Only labels that have no members and no criteria are shown.


Creating a label based on custom LDAP user attributes


If you have one or more custom user attributes defined in your LDAP settings, you can
create a label using the custom attributes.

There are two types of custom LDAP attributes available in advanced search.
Custom 1 through Custom 4 are always available in the field list in advanced search, and appear as custom1 through custom4.
Custom Attribute 1, Custom Attribute 2, and so on, are available in advanced search only if they are assigned in LDAP settings. These custom attributes appear in the field list as the value they were assigned in the setting. For example, if Custom Attribute 1 is set to Manager in LDAP settings, it appears in the advanced search field list as Manager, under User Fields > LDAP > User Attributes.

To view the custom attributes in the LDAP settings, go to Settings > LDAP. Click the
LDAP instance to open the LDAP details. If you make changes to LDAP settings, LDAP
is synced automatically.

To create a label based on an LDAP custom attribute with advanced search:


1. Go to Users & Devices > Devices.
2. Click the advanced search icon.
3. In the query builder, click Field and select the custom attribute, found under User
Fields > LDAP > User Attributes.
Complete your search criteria using the query builder or by manually editing the
expression.
4. Click Save To Label.
5. Type a name and description for the new label.

Using the Users & Devices dashboard


The Users & Devices > Dashboard page provides a snapshot of the devices known to
MobileIron Core. Each chart on the dashboard can be displayed as a:
Pie chart
Bar chart
Table

To switch among the chart choices, select the chart-type icon at the bottom of the chart. Note that the New Device Registrations chart and the Pending Device Registrations chart are displayed only as tables.

MobileIron Core continuously updates the information in the device dashboard.


Devices dashboard charts


The Devices dashboard contains these charts:

Device By Status: Displays the percentage of phones having each registration status (for example, Pending).
Device By Compliance: Displays the percentage of devices that are in compliance with the assigned policy.
Device By OS Type: Displays the percentage of devices running each supported operating system.
Device By OS Version: Displays the percentage of devices running each version of the supported operating systems.
Device Roaming By Country: Displays the percentage of devices that are roaming for each country.
Device By Ownership: Displays the percentage of devices that are company-owned and the percentage of devices that are user-owned.
Device By Operator: Displays the percentage of devices each service provider reported, including Wi-Fi.
New Device Registrations: Displays the latest phones to begin the registration process.
Pending Device Registrations: Displays the phones that have a status of Pending.

Arranging the dashboard charts


You can move the dashboard charts from one position to another on your screen,
enabling you to align the charts in any order you choose. When you move a chart, you
move it to the position of one of the other charts or an empty spot on the dashboard.

To move the device dashboard charts:


1. Click on the dashboard chart name.
2. Drag the chart to the new position.
Unless there is an empty space on your device dashboard, the chart you moved and
the chart in the new position trade places on your screen.

Changing the charts included in the device dashboard


You can remove any of the charts from the device dashboard and add them back to
the dashboard when you choose.

To remove and add device dashboard charts:


1. Click the X in the upper-right corner of the chart to remove it from the device dashboard.
2. Click Add, select a chart from the list, and then click Add Chart to add a closed chart to the device dashboard. The chart is added as the last chart on your display.

Reporting on managed devices


MobileIron provides a Web Services API that enables you to create reports for many aspects of your managed devices. See the MobileIron API documentation for information.


Registration-related features and tasks


The following table summarizes features and tasks related to registration.

Reprovision Device: Restarts the MobileIron provisioning process for the device. Use case: troubleshooting incomplete registration.
Retire: Ends the registration (and MobileIron management) for a device. Use case: moving devices out of inventory.

This section explains how to use these features.

Reprovision device

Supported: Android yes; iOS yes; Win 7 no; WP8 no; WP8.1 no; Win 8.1 RT/Pro no.

Select Re-provision Device to restart the MobileIron provisioning process without repeating the whole registration process. For example, you might want to do this if the initial attempt was interrupted, leaving the registration in the Pending state.

Note
This action applies only to devices in the Pending or Verified state. To reinstall the
MobileIron Client for devices in the Active state, you can either restore from a backup
snapshot or retire the device and re-register it. To reinstall the MobileIron Client for
devices in the Wiped state, you must re-register the device.

To re-provision devices:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Actions > More Actions > Re-provision Device.
The same registration settings are used.

Retire

Supported: Android yes; iOS yes; OS X yes; Win 7 no; WP8 yes; WP8.1 yes; Win 8.1 RT/Pro yes.


Retiring a device archives the data for that device and removes the configurations and settings applied by MobileIron Core. The entry for the device no longer appears in the Users & Devices page (unless you specifically search for retired devices), and the user is notified that the software has been removed.

If the retired device is also in the ActiveSync Association view, it remains there. However, because the device is retired, it can no longer access the ActiveSync server. You can manually remove the device from the ActiveSync Association page. See Removing ActiveSync phones on page 456.

Also note:
Retiring an iOS device also removes from the device the documents and configurations related to Docs@Work. See Retire and wipe impact on documents on page 577.
Retiring an Android device means the device user cannot access any AppConnect apps or data. For details, see Lock, unlock, and retire impact on AppConnect for Android on page 633.
Retiring a Windows 8.1 RT or Pro device from MobileIron Core removes the VPN profiles. The Retire action also partially removes the Security policies.

To retire a device:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Retire from the Actions menu.
The Retire dialog appears.
4. In the Retire dialog, confirm the user and device information and enter a note.
5. Click Retire.
The user receives notification of the action.

To see a list of retired devices, See Searching for retired devices on page 125.

Resend provision message

Supported: Android no; iOS no; Win 7 no; WP8 no.

No longer supported.


Security-related features and tasks


The following table summarizes the features and tasks related to security.

Lock: Forces the user to enter a password before accessing the device. Use case: dealing with lost and stolen devices.
Unlock: Reverses the Lock function. Use case: dealing with lost and stolen devices.
Wipe: Removes content and settings to return the device to factory default settings. Use cases: dealing with lost and stolen devices; preparing a device for a different user.
Block AppTunnels: Immediately blocks access to all AppTunnels for all AppConnect apps on a device. Use cases: dealing with lost and stolen devices; immediately removing access to servers behind the firewall.
Lost: Flags a device as lost. Use case: dealing with lost and stolen devices.
Found: Flags a device as found. Use case: dealing with lost and stolen devices.
Locate: Reports the last known location for a device. Use case: dealing with lost and stolen devices.
Reset PIN (WP8.1 only): Resets the device PIN. Use case: a user forgets the device PIN, or you locked the device.

This section explains how to use these features.

Lock

Supported: Android yes; iOS yes; OS X yes; Win 7 no; WP8 no; WP8.1 yes; Win 8.1 RT/Pro yes.

Locking a device forces the user to enter a password to access the phone and prevents the user from reversing this restriction. The user is informed of this action via email. If the user has set a password for the device, then that password must be entered. Locking an Android device also causes the device user to be locked out of AppConnect apps. For details, see Lock, unlock, and retire impact on AppConnect for Android on page 633.

To lock a device:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Lock from the Actions menu.

Note: If the MobileIron Client on the selected device is currently connected, then this action will be applied immediately. If the MobileIron Client is not currently connected, then MobileIron Core will attempt to complete the operation by means of the operator's SMTP service. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.

To remove the lock, create a new Security policy that specifies that passwords are optional and assign it to the device. This task enables the user to remove the restriction on their phone. The phone will continue to request a password until the user turns off the restriction on the phone. Also, because only one active policy of the same type can be applied to a phone, you may choose to remove this policy from the phone once the user has successfully turned off the lock. You can do this by applying the previous policy or removing the phone from the policy used to remove the lock. See Using labels to establish groups on page 143 for information on working with labels.

For iOS 7 devices, the Lock Action dialog displays additional options to enter a contact number and a message. The Lock Message field allows you to enter up to 500 characters. The contact number and the message appear on the screen of the device you locked. The device user can call the number displayed on the locked device.

For WP8.1 devices, the device can be unlocked with a new device PIN. The administrator performs a Reset PIN action in the Admin Portal, and provides the new device PIN to the device user.

Unlock

Unlock supported: Android yes (not supported for encrypted devices); iOS yes; Win 7 no; WP8 no; WP8.1 no; Win 8.1 RT/Pro no.
Passcode to Unlock supported: none of these platforms.

To unlock an Android device or an iOS device with MDM support:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Unlock from the Actions menu.

Notes:
This function does not apply to Android devices locked using face or pattern locks.
Because the MobileIron app cannot remove the passcode on an encrypted Android device, the Unlock command sets the passcode to "un!ockm3!" on encrypted devices. This passcode is documented here and is therefore not secret, so have the user replace it as soon as the device is unlocked.
On Android devices using AppConnect apps, unlock also removes the secure apps passcode. For details, see Lock, unlock, and retire impact on AppConnect for Android on page 633.

Wipe

Supported: Android yes (includes SD cards for most devices); iOS yes; OS X yes (requires FileVault 2, i.e., FDE, to be enabled); Win 7 no; WP8 yes; WP8.1 yes; Win 8.1 RT/Pro no.

Warning
Wiping a device returns it to factory defaults, which can result in loss of data.

Wiping a device returns its settings to the factory defaults and informs the user of this
action via email. The Wipe task differs considerably by OS due to the limitations of
each OS.

Required Role: The Wipe device role is required to use this feature.

To wipe a device:
1. Go to Users & Devices > Devices. Note: For Mac computers, the wipe command applies only if the computer has FileVault 2 (i.e., FDE) enabled.
2. Select the checkbox for the device to be wiped.
3. Select Wipe from the Actions menu.

Note: If the MobileIron Client on the selected device is currently connected, then this action will be applied immediately. However, if the MobileIron Client is not currently connected, then MobileIron Core will attempt to complete the operation by means of the SMTP configuration. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.

Selective Wipe

Selective Wipe (Files): not supported on any platform.
Selective Wipe (Email): Android no (f, g); iOS no (e, g); Win 7 no; WP8 no; WP8.1 no (g); Win 8.1 RT/Pro no (g, h).
Selective Wipe (SMS): not supported on any platform.

e Using MobileIron Sentry and ActiveSync.
f For Exchange through integration with selected devices and email apps.
g Selective wipe of email for this operating system is accomplished through security compliance actions, removing the device from the associated label, or retiring the device.
h For Win 8.1 RT/Pro devices, retiring the device from MobileIron Core removes the VPN settings, and partially removes the Security policies.

The Selective Wipe command is no longer supported.

Block AppTunnels

Supported: Android no; iOS yes; Win 7 no; WP8 no; Win 8.1 RT/Pro no.

You can manually block the AppTunnel feature (standard and Advanced) in AppConnect apps on a device. The authorized AppConnect apps remain authorized, but the apps will no longer be able to access the web sites configured to use the AppTunnel feature.

Note: For the Docs@Work features in Mobile@Work, blocking the AppTunnel feature blocks access to all the Docs@Work features.

To manually block the AppTunnel feature in AppConnect apps on a device:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select More Actions > Block App Tunnels from the Actions menu.
The Block AppTunnels dialog appears.
4. Add a note.
5. Click Block AppTunnels.

Lost

Supported: Android yes; iOS yes; Win 7 no; WP8 no; Win 8.1 RT/Pro no.

When a user reports a lost device, you can set its status to Lost. Setting this status
does not have a functional effect on the phone. It just flags the phone as lost for
tracking purposes and to ensure that it appears in the Lost Phones screen.
To designate a device as lost:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select More Actions > Lost from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Lost. The entry for this device will appear with a status of Lost. Use the Found action to undo this status. See Found on page 135.

Found

Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
yes       yes   -       -     -

If a user reports that a lost phone has been found, you can use the Found action to remove the Lost indicator from the entry for the phone. Like Lost, this status change has no functional effect on the phone.

To designate a lost device as found:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select More Actions > Found from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Found.
The entry for this device returns to Active status.

Locate

                 Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
via Cell Tower   yes       yes   -       -     -
via GPS          yes       -     -       -     -

Most registered phones can be located on a map using cell tower IDs. The MobileIron Client records tower data until the next time data is synchronized between the MobileIron Client and MobileIron Core, so the location shown is only as current as the last sync. See Working with security policies on page 182 for information on changing the Sync Interval setting. Using the Connect Now feature on the device forces an immediate synchronization.

Exceptions currently include certain GSM phones, which do not provide the necessary location data.


Required Role
The Locate device role is required to use this feature.

To display the last known location for a device:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select More Actions > Locate from the Actions menu to display the last known location of the phone.
Note: To ensure that old and misleading location information is not shown, location data expires after 72 hours.
4. Click the phone icon on the map to display the date on which the location information was collected.


Reset device PIN (WP8.1 devices only)


If a user forgets the device PIN for a WP8.1 device managed by MobileIron, or you have locked the device, you can reset the device PIN from the Admin Portal.

To reset the device PIN:


1. In the Admin Portal, go to Users & Devices > Devices.
2. Select the WP8.1 device.
3. Click on Actions > Windows Phone Only > Reset PIN.
4. In the Reset PIN pop-up, click Reset PIN.
A new PIN is displayed.
The device user can unlock the device using the new PIN.

Note the following about the Reset PIN action:

The new PIN is generated by the device and communicated to MobileIron Core, where it is displayed in the Admin Portal. Because the PIN has been seen by the administrator, and because it may contain complex characters, we recommend that the user set a new PIN after unlocking the device.


Maintenance features and tasks


The following table summarizes the features and tasks related to device maintenance.

Feature             Description                                                 Use Case
Send Message        Sends a message via SMS, email, and/or Push Notification    Communicating with users
                    (APNs or C2DM)
Update Roaming      Enables or disables roaming for voice and data on iOS       Disabling roaming for a traveling employee;
Settings            devices. Support for this feature varies by operator.       re-enabling roaming when the employee returns
Change Ownership    Switches ownership status between Company and Employee      Managing company vs. private assets and information
Apply To Label      Assigns the device to the selected label                    Managing groups
Remove From Label   Removes the device from the selected label                  Managing groups

This section explains how to use these features.

Send Message

Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
yes       yes   -       -     -

You can send an SMS text, email or Push Notification (APNs or C2DM) to selected devices.

Note the following:

For SMS delivery from MobileIron Core, you may send up to the maximum number of messages per month permitted by MobileIron.
If the phone is currently connected to Core, the message is sent through the data channel.

To send a message to a device:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Send Message from the Actions menu. The Send Message dialog appears.

4. Select the message types you want to send:
SMS
Email
Push Notification (APNs for iOS or C2DM for Android)
Note: The character limit for SMS is 125. The character limit for Email and Push Notification is 200. If you select SMS together with another option, the 125 character limit applies to the whole message.
5. If you are sending email, enter a subject in the Subject field. (The Subject field applies to email only.)
6. Enter your message in the Message area.
7. Click Send Message.

Update Roaming Settings

Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
-         yes   -       -     -

The Update Roaming Settings action allows you to enable or disable roaming for voice
and data on iOS devices. Support for this feature varies by operator.

Note: The Apply settings option in the iOS MDM app setting must be selected, or this
feature will not work. This setting is selected in the default iOS MDM app setting. If
you have edited this setting or created your own iOS MDM app setting, make sure this
option is selected.


Enabling roaming for iOS devices


To enable roaming for the selected iOS device:
1. In the Devices page, select the iOS devices you want to work with.
2. Select iOS Only > Update Roaming Settings from the Actions menu.
The Update Roaming Settings dialog appears.
3. Select Enable Voice Roaming.
4. Select Enable Data Roaming if you want to enable data roaming, as well.
5. Optionally, enter a note, which will appear in the device log.
6. Click Update Roaming Settings.

Disabling roaming for iOS Devices


To disable roaming for the selected iOS devices:
1. In the Devices page, select the iOS devices you want to work with.
2. Select iOS Only > Update Roaming Settings from the Actions menu.
The Update Roaming Settings dialog appears.
Note: The check boxes are always shown unselected, regardless of whether roaming had previously been enabled for the selected devices.
3. Optionally, enter a note, which will appear in the device log.
4. Click Update Roaming Settings.
Clicking Update Roaming Settings with both check boxes left unselected disables roaming on the selected devices. To exit this dialog without making any changes, click the X in the top corner rather than Update Roaming Settings.

Viewing roaming settings for iOS devices


To view the existing roaming settings on the selected iOS device:
1. In the Devices page, find the iOS device you want to work with.
2. Click the up arrow to expand the device details panel. In the Device Details tab,
find the Voice Roaming Enabled and Data Roaming Enabled settings.

Note: N/A indicates that the operator for the selected device does not support this
feature. Also note that data roaming might display as enabled, but is effectively dis-
abled if voice roaming is disabled.

Change Ownership

Android   iOS   Win 7   WP8   WP8.1   Win 8.1 RT/Pro
yes       yes   -       yes   yes     yes

When you register a device, you specify whether the phone is owned by the company or the employee. Specifying ownership is important if you want to assign different policies or take actions based on whether a phone is company property or the property of an employee.

To change the device ownership designation:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Change Ownership from the Actions menu.
The Change Owner dialog appears.
4. Select the preferred ownership setting (Company or Employee) in the displayed
dialog.
5. Add text to the Note field.
6. Click Change Owner to save the changes, or click the X in the top corner of the dia-
log to cancel without saving changes.

Apply To Label

Android   iOS   Win 7   WP8   WP8.1   Win 8.1 RT/Pro
yes       yes   -       yes   yes     yes

Applying a device to a label tags the phone as part of the associated group. When you specify a label for an action, you perform the action on all devices having the label. See Using labels to establish groups on page 143 for more information on labels.

To apply a device to a label:


1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Apply To Label from the Actions menu.
4. Select the label to apply from the Apply To Label dialog.
Only labels that have not already been associated with this device will be displayed.
For example, iOS devices are automatically applied to the iOS label, so that label
does not appear in the list. Also, automatic labels that are not applicable to this
device do not appear in the list. For example, the iOS label will not appear for a
selected Android phone.
5. Click Apply.

Remove From Label

Android   iOS   Win 7   WP8   WP8.1   Win 8.1 RT/Pro
yes       yes   -       yes   yes     yes

Removing a device from a label removes the tag that makes it a part of the associated group. See Using labels to establish groups on page 143 for more information on labels.

To remove a device from a label:

1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Remove From Label from the Actions menu.
4. Select the label from the Remove From Label dialog.
Removing the device from the label causes MobileIron Core to withdraw the policies applied through that label and return the phone to the default policy.
5. Click Remove.


Using labels to establish groups


You can use labels for devices, apps, policies, and events. This process forms a group.
For example, you might create a label called Executives to tag devices belonging to
employees at the executive level. You can then locate all of these devices quickly in a
search, or apply policies based on whether a device has this label.

Default labels
The following system labels are always available, by default:

Label            Description
All-Smartphones  Automatically applied to all devices at registration.
Android          Automatically applied to registered devices that have the Android platform selected during registration.
Company-Owned    Automatically applied to registered devices that have the Company checkbox selected during registration.
Employee-Owned   Automatically applied to registered devices that have the Employee checkbox selected during registration.
iOS              Automatically applied to registered devices that have the iOS platform selected during registration.
OS X             Automatically applied to registered Apple devices that have OS X selected during registration.
Signed-Out       Automatically applied to any multi-user iOS device that does not have a signed-in user.
Windows Phone    Automatically applied to Windows Phone devices.
Windows Pro/RT   Automatically applied to Windows 8.1 Pro and RT devices.


Note: You cannot delete default labels.

Filter and manual type labels


Labels fall into the following categories:
Filter
Manual

Filter labels use specific criteria to specify a group of devices. Manual labels have no criteria associated with them; you select each device associated with a manual label.

When you initially create a label, it is stored as a filter label. If you use the Advanced Search feature to specify the criteria for a label, then it remains a filter label. If you select phones in an Admin Portal screen and apply a label to them, then the label becomes a manual label.

Creating labels
There are two ways to create a label:
Use Advanced Search and save the criteria to a new label, as described in Save to
label on page 125, or
Create a new label with no associated criteria.

To create a new label:


1. Go to Users & Devices > Labels.
2. Click Add New.
The Add Label dialog appears.
3. Complete the fields using these guidelines.

Field         Description                                            Example
Name          Enter a unique name that clearly identifies the        Executive Team
              purpose of the label.
Description   Provide additional meaning and usage information.      For members of the executive staff reporting to John Smith

4. Click Save.

You can now apply this label to devices, policies, and configurations. See Apply To Label on page 141.


Editing Labels
You can edit the name or description of any existing label. A label's criteria cannot be edited.

To edit a label:
1. Go to Users & Devices > Labels.
2. Click the edit control next to the label.
The Edit Label dialog appears.
3. Edit the name and/or description.
The label name must be unique.
4. Click Save.

The updated name and description appear in the table.

Viewing devices currently associated with a label


To view the devices currently associated with a specific label:
1. Go to Users & Devices > Labels.
2. Click the link in the View Devices column.
The devices are filtered by the label, and shown on the Users & Devices > Devices page. To return to the Labels page, click the Labels tab.

Associating a filter with a label: dynamic labels


You can use the Advanced Search feature in the Users & Devices > Devices page to
associate a filter (search) with a label. The resulting dynamic label represents the
devices defined by the filter at a given time. See Searching for a device record for
information on using Advanced Search.

Example: Creating a label for devices by operator


To create a label for all devices having a specific operator:
1. In the Users & Devices > Devices page, click the Advanced Search icon.
2. In the Field dropdown, type operator and select either Current Operator Name or
Home Operator Name.
3. Select a logical operator from the operator dropdown.
4. Select the Country and Operator.
5. Click Save To Label, and provide a name and description for the new label.

Example: Creating a label for devices by LDAP group


To create a label for all devices associated with a specific LDAP group:
1. In the Users & Devices > Devices page, click the Advanced Search icon.
2. In the Field dropdown, click to expand User Fields > LDAP > Groups, and select Name.
3. Select a logical operator from the operator dropdown.
4. Select an LDAP group from the dropdown.
Note: The dropdown shows only the LDAP groups that are selected in Settings > LDAP, in the LDAP Groups section of the Modifying LDAP Settings dialog.
5. Click Save To Label, and provide a name and description for the new label.

For another example, see Creating a label based on custom LDAP user attributes on page 126.

Deleting labels
To delete a label:
1. Go to Users & Devices > Labels.
2. Select the label you want to work with.
3. Click Delete.

Note
Default labels cannot be deleted. See Default labels on page 143.


Delegated administration
Delegated administration enables you to decentralize the management of MobileIron Core devices. Dividing a MobileIron Core system into several areas of influence lets the main Core administrators keep control over all critical areas of system management while giving limited control of specific areas of the system to other administrators.

Using delegated administration with MobileIron Core 7.0 and later, administrators are assigned areas of influence called device spaces. Device spaces can represent departments, offices other than headquarters, or any other portion of your company that you choose. To delegate administration tasks, administrators are assigned roles that define what tasks they can perform for the devices and users assigned to the device spaces they manage.

The original device space in MobileIron Core is called the global space. If you do not use delegated administration, this is the only device space in your Core system. Administrators assigned to the global space can be assigned any roles. Administrators assigned to other device spaces can be assigned most, but not all, roles. For example, only administrators assigned to the global space can be assigned the Manage configuration role, which enables them to create and manage configurations for all the device spaces.

Note: In MobileIron Core 7.0 and later, role assignment is divided between the Users
& Devices tab and the Admin tab:
User roles are assigned and edited using the Devices page (Users & Devices >
Devices)
Administrator roles can be assigned when defining device spaces (Admin > Device
Spaces > Add)
Administrator roles can be assigned and edited using the Admins tab (Admin >
Admins > Actions > Edit Roles)

Administrator types
For delegated administration, MobileIron Core is managed by three types of administrators.
Super Administrators, who manage devices and users throughout your MobileIron Core system. These administrators are assigned to the global space. The role that sets these administrators apart is Manage administrators and device spaces. Only administrators with this role can create and manage device spaces and assign roles and device spaces to administrators. A MobileIron Core system can have one or more Super Administrators.
Global Administrators also manage devices throughout your MobileIron Core system. These administrators are assigned to the global space and can be assigned any roles other than Manage administrators and device spaces.
Device Space Administrators manage only the devices and users assigned to the device spaces to which they are assigned. For example, an administrator assigned to the Dallas Help Desk device space can only manage devices assigned to that device space. The roles that can be assigned to Device Space Administrators are limited. For example, Device Space Administrators, if assigned the correct role, can view configurations or apply and remove configurations from a label. However, they cannot create or edit configurations.

For complete information about roles and actions available to each type of administra-
tor, see Editing administrator roles on page 157.

When MobileIron Core is installed, one Super Administrator is created. The default
roles for this administrator are listed in the following table.

Management Type               Roles
Device Management             View apps in device details
                              Manage devices
                              Locate device
                              Add device
                              Manage ActiveSync device
                              Manage AppTunnel
                              Manage device enrollment (iOS only)
                              Wipe device
Label Management              Manage label, which includes creating, viewing and editing labels.
User Management               Manage user, which includes editing and viewing users.
App Management                Manage app, which includes viewing and editing available apps.
Configuration Management      Manage configurations, which includes:
                                Creating, viewing and editing configurations
                                Applying configurations to and removing them from labels
Policy Management             Manage policies, which includes:
                                Creating, viewing and editing policies
                                Applying policies to and removing them from labels
                                Viewing and editing ActiveSync policy
                                Viewing and editing compliance actions
Settings Management           Manage settings, which includes viewing, specifying and editing settings.
Logs and Events Management    Manage logs and events, which includes creating, viewing and editing logs and events.
Admin Management              Manage administrators and device spaces, which includes:
                                Assigning administrator privileges
                                Creating and managing device spaces
                                Assigning administrators to device spaces

Some administrator tasks are only available to administrators assigned to the global space (Super Administrators and Global Administrators). Only administrators assigned to the global space who are assigned the necessary roles can:
Create device spaces (Super Administrators only)
Assign and remove administrator roles (Super Administrators only)
Assign administrators to and delete them from device spaces (Super Administrators only)
Manage apps
Manage logs and events
Access the V1 API

Device Space Administrators are created from the list of local users and LDAP users
and groups available when you go to Admin > Admins.

Depending on the roles assigned to them, Device Space Administrators can:


Perform most device management tasks
Impose and remove privacy controls
View, add, delete, edit, and apply and remove labels
View, add and edit users
View policies and add and remove policies from labels
View configurations and add and remove configurations from labels

Note: Device Space Administrators cannot create, delete or edit configurations and
policies.

For details about Device Space Administrator management tasks and available roles
and permissions, see Editing administrator roles on page 157.
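The scoping rules described above (roles are held per device space, some roles exist only in the global space, and the three administrator types follow from what is held where) as an added worked model. This is example code, not part of the guide and not MobileIron Core's own authorization code. The role names come from the roles table above; the ACTION_ROLE mapping from Admin Portal actions to the role that grants them, and the two sample administrators, are assumptions for illustration.

```python
"""Authorization model for delegated administration (added example).

Rules modelled from the guide:
- roles are scoped to the device space in which they were assigned;
- some roles can only be held in the global space;
- a Super Administrator is a global-space admin holding
  "Manage administrators and device spaces".
ACTION_ROLE and the sample admins are assumptions for illustration.
"""
from dataclasses import dataclass, field

GLOBAL_SPACE = "Global"

# Roles the guide reserves for administrators assigned to the global space.
GLOBAL_ONLY_ROLES = frozenset({
    "Manage administrators and device spaces",
    "Manage configurations",
    "Manage policies",
    "Manage app",
    "Manage logs and events",
})

# Assumed mapping from Admin Portal actions to the role that grants them.
ACTION_ROLE = {
    "locate": "Locate device",
    "wipe": "Wipe device",
    "block_apptunnels": "Manage AppTunnel",
    "apply_label": "Manage label",
    "create_configuration": "Manage configurations",
    "create_device_space": "Manage administrators and device spaces",
}


@dataclass
class Admin:
    name: str
    roles_by_space: dict = field(default_factory=dict)  # space -> set of roles


class RoleAssignmentError(ValueError):
    """A role was granted in a space where the guide says it cannot be."""


def assign_role(admin, space, role):
    """Grant `role` to `admin` in `space`, enforcing the global-only rule."""
    if role in GLOBAL_ONLY_ROLES and space != GLOBAL_SPACE:
        raise RoleAssignmentError(f"{role!r} can only be assigned in the global space")
    admin.roles_by_space.setdefault(space, set()).add(role)


def admin_type(admin):
    """Classify an admin as one of the guide's three administrator types."""
    global_roles = admin.roles_by_space.get(GLOBAL_SPACE)
    if global_roles is None:
        return "Device Space Administrator"
    if "Manage administrators and device spaces" in global_roles:
        return "Super Administrator"
    return "Global Administrator"


def is_allowed(admin, action, space):
    """True only if the admin holds the granting role in that exact space.

    A role held in the global space does not carry into another device
    space: the admin must also be assigned to that space with the role.
    """
    return ACTION_ROLE[action] in admin.roles_by_space.get(space, set())


def least_privilege_report(admin):
    """(space, role) pairs that grant none of the actions in ACTION_ROLE.

    A review aid for delegated admins: roles that map to nothing the admin
    is expected to do are candidates for removal.
    """
    needed = set(ACTION_ROLE.values())
    return sorted((space, role)
                  for space, roles in admin.roles_by_space.items()
                  for role in roles if role not in needed)


def build_sample():
    """Constructed sample: one Super Administrator, one help-desk admin."""
    root = Admin("root")
    assign_role(root, GLOBAL_SPACE, "Manage administrators and device spaces")
    assign_role(root, GLOBAL_SPACE, "Manage configurations")
    assign_role(root, GLOBAL_SPACE, "Wipe device")

    helpdesk = Admin("dallas-helpdesk")
    assign_role(helpdesk, "Dallas Help Desk", "Locate device")
    assign_role(helpdesk, "Dallas Help Desk", "Manage AppTunnel")
    assign_role(helpdesk, "Dallas Help Desk", "Manage user")
    return root, helpdesk


if __name__ == "__main__":
    root, helpdesk = build_sample()
    print(admin_type(root), "/", admin_type(helpdesk))
    # root holds Wipe device in Global only, so a wipe in Dallas is refused
    print(is_allowed(root, "wipe", "Dallas Help Desk"))
    print(is_allowed(helpdesk, "locate", "Dallas Help Desk"))
    print(least_privilege_report(helpdesk))
```

The check in is_allowed is deliberately strict: the Super Administrator who holds Wipe device in the global space is refused a wipe in Dallas Help Desk until explicitly assigned to that space, which is the behaviour the note under Creating device spaces and assigning administrators describes. assign_role refuses to grant a global-only role such as Manage configurations to a Device Space Administrator, and least_privilege_report lists roles that grant nothing the administrator is expected to do, which is the question to ask when reviewing delegated administrators.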

Designing MobileIron Core to use delegated administration


If you have a reason to assign different policies, labels, configurations or apps to a group like help desk workers or executive staff, then you have a reason to create a device space for that group and assign an administrator or group of administrators to manage the devices and users in that device space.

When you design a MobileIron Core system that uses delegated administration, there are questions you need to answer about your Core system. The first task is to decide how you want to divide your system into device spaces. For example, you could create a device space for:
Help desk groups in your company (Help Desk France, Help Desk Germany)
Business units (West Coast Sales, HQ Finance)
Countries where your company has offices (England Office, Holland Office)

Your Core system can support any combination of these device space types and more.

After you decide what device spaces to create, plan what tasks the administrators assigned to each device space will perform. For example:
Do you want to give administrators in the Toronto office the ability to view the devices and users assigned to that office, or should they be able to perform additional tasks, like wiping all corporate apps from the devices they manage?
Do you want to give your front-line help desk workers in Texas the ability to view application details for their callers' devices?
Should administrators in the Sydney office be able to assign labels and policies to the devices they manage?

Once you answer these and other questions about your MobileIron Core system, study
the available roles and permissions presented in Editing administrator roles on
page 157 to determine which roles to assign each group of administrators in each
device space.

Using roles, you can create administrative tiers within a device space. Suppose you
set up device spaces for different countries (for example, the United States, Germany
and France). You could then create two help desk administrator groups for each device
space, one for front-line workers, who have minimal permissions and one for back-line
workers, who have additional permissions. To this scenario, you could also add the
ability for a local administrator to assign policies and configurations.

You need to think about the reasons why you would segment your user population.
These needs will guide how you set up your device spaces.

Creating device spaces and assigning administrators


Super Administrators are the only administrators that can create and delete device
spaces, assign and remove administrators, and assign roles and permissions to and
remove them from administrators.

Assigning an administrator to a device space enables that administrator to manage devices assigned to that device space. The administrative tasks that the administrator can perform depend on the roles assigned to that administrator. Administrators can be assigned to more than one device space and can have different roles and permissions in each assigned device space.

Note: Although Super Administrators and Global Administrators have roles that enable them to perform specific tasks, they can perform these tasks only in device spaces to which they are assigned. By default, these administrator types are assigned to the global space, but not to individual device spaces.

Creating device spaces is a two-step process. First, you name the device space (for
example, France Android) and define criteria that determine which devices belong to
the device space (for example, all Android devices used in the France help desk
group).

In step two, you select the administrators for the device space and assign them the roles they need to perform the management actions you have chosen for administrators in this device space.

When creating device spaces:

You cannot change the device criteria for a device space once you save it.
Although you can close the New Admin Space dialog after saving the device space definition, MobileIron suggests that you assign administrators to the new device space and assign them the roles necessary for their planned management tasks before closing the dialog. Assigning administrators and roles later limits you to adding administrators and roles one at a time rather than as a group.
Using the New Admin Space dialog, you can only select one set of users and assign them one set of roles.
For devices assigned to device spaces, an administrator assigned the necessary roles can view the name of the device space to which the device is assigned in the Devices page.

After deciding how to use delegated administration in your MobileIron Core system,
create the device spaces, assign administrators to the device spaces, and then assign
roles to the administrators using the following procedure:
1. In the Admin Portal, select Admin > Device Spaces.
2. Click the Add+ button to add a device space.
3. Enter the name for the device space in Space Name.
4. To specify which devices are assigned to the device space, create a query using the All and Any buttons and the Fields, Operators and Values fields displayed (see Specifying devices for device spaces on page 152 for details).
5. Click Save to create the device space and move to assigning administrators to the device space.
6. To assign administrators to the device space, complete one of the following actions:
Click LDAP Entities, select LDAP OU, LDAP Groups or LDAP Users, and then enter one or more characters in the search box below LDAP Entities to display a list of LDAP users that meet the search criteria.
Click Individual Admins, and then enter one or more characters in the search box next to Individual Admins to display a list of local users that meet the search criteria.
7. Select the device space administrators from the list.
8. Select roles for the device space administrators from the lists of roles in the dialog (see Editing administrator roles on page 157 for information about the available roles and permissions).
When you select a role from one of the categories, Device Management for example, the permissions for the selected role move from the Available Permissions column to the Selected Permissions column. If the permissions associated with a role are already included in a previously selected role, no permissions are added to the Selected Permissions column.
Note: The new device space status is Pending after you click Save. Until the status of all device spaces is Active rather than Pending, the device counts for the device spaces are not reliable and devices may not be listed in the correct device space.

Updating device spaces


Updating device spaces involves several MobileIron Core actions:
Update device space
Device space evaluation
LDAP synchronization

You update device spaces after creating spaces or changing device space priority. MobileIron recommends that you wait until you finish creating all your device spaces, including assigning administrators and roles, or complete changing device space priority before you update device spaces. This saves system resources.

To update device spaces:


1. Finish creating your device spaces or complete changing device space priorities.
2. Click Update Spaces Now.
MobileIron Core displays a message that it might take several hours to update Core
with the new device space. The actual time it will take to update Core with the new
device space depends on the number of devices assigned to the device space, the
priority of the new device space and how it affects the priorities of the other device
spaces in Core.

Specifying devices for device spaces


This section explains how to use the query tool available in the New Admin Space dialog to select devices for device spaces. The information and procedure in this section expands the information available in Step 4 of the procedure in Creating device spaces and assigning administrators on page 150.

When specifying the criteria for selecting devices for a device space, follow these
instructions to use the search tool provided in the New Admin Space dialog:

Note: This procedure assumes that you are already defining a device space using the
New Admin Space dialog.
1. Click Any or All to specify whether the search result includes devices that meet one or more of the conditions (Any), or must meet all the specified conditions (All).
2. Click the Field dropdown, navigate to the search field and select it (see Searchable fields on page 153 for the list of available fields).
Hint: Type a few letters of the field name to display a list of matching fields, or press the Expand All button within the field list to display all possible fields.
3. In Operator, select one of the possible operators for the selected field.
4. In Value, select or enter the value for the selected search field.
Note: A green icon indicates that the query syntax is correct; a red icon indicates that the syntax is incomplete or incorrect.
5. (Optional) Click the plus sign to the right of the query condition you just created to add another condition.
6. (Optional) Repeat Step 2 through Step 5 for each additional condition.
7. (Optional) To remove a condition from the search criteria, click the minus sign to the right of that condition.
A sample listing of the devices that meet the query criteria is displayed below the query as you complete each condition.
8. Check the sample device list to ensure that the query is returning the types of devices you intended. The sample list contains at most twenty devices, so it cannot show every device the criteria will capture. To confirm that the criteria return all, and only, the devices you want in the space, run the same query using MobileIron Core Advanced Search in the Devices tab before you save, because the criteria cannot be changed once the device space is saved.

Searchable fields
The fields available as search criteria for devices assigned to a device space are divided into two categories: User Fields and Common Fields. User Fields specify which users are connected with the devices. Common Fields specify information, like platform, that the devices have in common.

To select a User Field for the search item:


1. Select User Fields and then LDAP.
The choices listed for search field depend upon how your LDAP server is set up.
2. Select one of the following to specify the search field:
User Attributes, which lets you select a user attribute, like displayName, as a
search field
LDAP User Locale
Principal
upn
Groups, which lets you specify an LDAP group
LDAP User Distinguished Name
Attribute Distinguished Name

To select a Common Field for the search item:

1. Select Common Fields.
2. Select one of the following for the search field:
Home Operator Name
MDM Managed
Device Owner
Model
Platform
Platform Name
Home Country Name
Home Country Code
Language
Manufacturer

Switching device spaces


If you use delegated administration, all administrators will see a device space list at
the top right of the Admin Portal. The list contains all the device spaces assigned to
that administrator. Using this list, administrators can easily switch between spaces
without logging out and then logging in again.

To switch device spaces:


1. Click the device space list at top right of the Admin Portal.
2. Select the device space you want to manage next.

Managing device spaces


Managing device spaces for your MobileIron Core system can include:
Managing device space priority
Deleting device spaces
Assigning and removing administrators from device spaces, including the global
space
Changing the roles assigned to device space administrators

Device space information for your MobileIron Core system is displayed when you go to
Admin > Device Spaces. The information displayed includes:

Column          Description
Space Name      Name given to the device space
Criteria        Query that defines which devices are assigned to the device space
Admins          Administrators assigned to the device space
Status          Current status of the device space
Num of Devices  Number of devices currently assigned to the device space
Priority        Device space priority

Managing device space priority


Device spaces are assigned a priority when you create them. The first device space
you create has the highest priority, which is one. The second device space you create
has priority two.


Go to Admin > Device Spaces to view the priorities of device spaces. The priority of
each device space is listed in the Priority column.

Note: The global space is always assigned the lowest priority among the device
spaces.

You can change device space priority at any time. To change device space priority:
1. In Admin Portal, go to Admin > Device Spaces.
The device spaces are listed in priority order. The device space with the highest
priority is listed first.
2. Select the device space to change.
3. Drag the device space entry to the new priority position in the list. For example, to
move HQ Space from the highest priority to the third-highest priority, select HQ
Space from the list of device spaces and drag it to the third position in the list.
Note: Until MobileIron Core completes the device space priority change, the number
of devices in each device space is unreliable. When the status of all device spaces
is Active, the update is complete and the device counts are correct for each device
space.

Deleting device spaces


You can remove device spaces from MobileIron Core. When you delete device spaces
from Core:
Devices assigned to the deleted device space are assigned to a different device
space. The device space each device is assigned to depends on the device criteria
for the other device spaces in MobileIron Core and on device space priority. For
example, if DeviceA needs reassignment, Core checks whether DeviceA meets the
criteria for inclusion in the highest-priority device space. If DeviceA does not meet
that device space's criteria, Core continues down the priority list of device spaces
until it finds the highest-priority device space for which DeviceA qualifies.
Note: Devices that do not meet the criteria for any other device space are assigned
to the global space.
Administrators assigned to the deleted device space are not reassigned. If they are
administrators in other device spaces, those assignments remain. However, if they
are not assigned as administrators in other device spaces, they no longer have any
administrator roles or permissions.

To delete device spaces:


1. In the Admin Portal, go to Admin > Device Spaces.
2. Check the box next to the name of the device space to delete.
You can select and delete one or more device spaces.
3. Go to Actions and select Delete Space.
4. Click Yes to confirm deleting the device space.
5. Click Update Spaces Now.
Note: The status of all devices assigned to the deleted device space is Pending until
MobileIron Core processes the deletion. However, devices registered with Core after
you delete the device space are not assigned to the deleted device space.


While the Delete Space action is processed, actions such as Force Device Check-in,
Change Language and Change Ownership cause devices assigned to the deleted
device space to change device spaces immediately.
Therefore, while the status of devices assigned to the deleted device space is
Pending and various device actions are occurring, device counts for all device
spaces are unreliable.
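The priority walk that reassigns devices, the drag-to-reprioritize step from Managing device space priority above, and the effect of deleting a space on devices and administrators, modeled as an added Python example (not MobileIron code): the spaces, criteria, devices, Device Owner values and administrator names are constructed, and each space's search query is stood in for by a predicate over the Common Fields listed earlier in this chapter.

```python
"""Priority-ordered device space assignment, modeled on the behavior described
in this section. Added example, not MobileIron code: spaces, criteria, devices
and administrator names below are all constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Device = Dict[str, str]          # keyed by Common Field names (Platform, Model, ...)
GLOBAL_SPACE = "Global"


@dataclass
class DeviceSpace:
    name: str
    # Search criteria as a predicate over a device record; None marks the global
    # space, which has no criteria and therefore accepts every device.
    criteria: Optional[Callable[[Device], bool]]
    admins: Set[str]


def ordered(spaces: List[DeviceSpace]) -> List[DeviceSpace]:
    """Priority order: list position is priority (index 0 = priority 1).
    The global space is always forced to the lowest priority."""
    non_global = [s for s in spaces if s.criteria is not None]
    global_ = [s for s in spaces if s.criteria is None]
    if len(global_) != 1:
        raise ValueError("exactly one global space is required")
    return non_global + global_


def priorities(spaces: List[DeviceSpace]) -> Dict[str, int]:
    return {s.name: i + 1 for i, s in enumerate(ordered(spaces))}


def assign_device(device: Device, spaces: List[DeviceSpace]) -> str:
    """Walk the priority list and return the first space whose criteria the
    device meets. The global space is the fallback for devices that match none."""
    for space in ordered(spaces):
        if space.criteria is None or space.criteria(device):
            return space.name
    raise AssertionError("unreachable: the global space accepts every device")


def device_counts(devices: List[Device], spaces: List[DeviceSpace]) -> Dict[str, int]:
    """Num of Devices per space, as shown once all spaces are back to Active."""
    counts = {s.name: 0 for s in spaces}
    for device in devices:
        counts[assign_device(device, spaces)] += 1
    return counts


def move_space(spaces: List[DeviceSpace], name: str, new_priority: int) -> List[DeviceSpace]:
    """Drag-and-drop reprioritization: place `name` at 1-based `new_priority`.
    The global space cannot be moved and nothing can be placed below it."""
    order = ordered(spaces)
    target = next(s for s in order if s.name == name)
    if target.criteria is None or not 1 <= new_priority <= len(order) - 1:
        raise ValueError("invalid priority change")
    order.remove(target)
    order.insert(new_priority - 1, target)
    return order


def delete_space(spaces: List[DeviceSpace], name: str) -> List[DeviceSpace]:
    """Delete a space. Its devices fall through to the next matching space on
    the next assignment; its administrators are not reassigned anywhere."""
    remaining = [s for s in ordered(spaces) if s.name != name]
    if len(remaining) == len(spaces):
        raise KeyError(name)
    if all(s.criteria is not None for s in remaining):
        raise ValueError("the global space cannot be deleted")
    return remaining


def admins_without_roles(before: List[DeviceSpace], after: List[DeviceSpace]) -> Set[str]:
    """Administrators who were assigned only to spaces that no longer exist:
    they keep no administrator role or permission at all."""
    was = set().union(*(s.admins for s in before))
    still = set().union(*(s.admins for s in after))
    return was - still


# Constructed sample spaces, in creation (= priority) order, global last.
SPACES = [
    DeviceSpace("HQ Space", lambda d: d["Device Owner"] == "Company", {"alice"}),
    DeviceSpace("iOS Space", lambda d: d["Platform"] == "iOS", {"bob"}),
    DeviceSpace("France Space", lambda d: d["Home Country Code"] == "FR", {"carol"}),
    DeviceSpace(GLOBAL_SPACE, None, {"superadmin"}),
]

# Constructed sample devices using the Common Fields named in this section.
DEVICES = [
    {"Platform": "iOS", "Model": "iPhone", "Device Owner": "Company", "Home Country Code": "US"},
    {"Platform": "iOS", "Model": "iPad", "Device Owner": "Employee", "Home Country Code": "FR"},
    {"Platform": "Android", "Model": "Nexus", "Device Owner": "Employee", "Home Country Code": "FR"},
    {"Platform": "Android", "Model": "Galaxy", "Device Owner": "Employee", "Home Country Code": "DE"},
]

if __name__ == "__main__":
    print("initial:", device_counts(DEVICES, SPACES))
    moved = move_space(SPACES, "HQ Space", 3)          # the page's HQ Space example
    print("after moving HQ Space to priority 3:", device_counts(DEVICES, moved))
    after = delete_space(SPACES, "iOS Space")
    print("after deleting iOS Space:", device_counts(DEVICES, after))
    print("admins left without a role:", admins_without_roles(SPACES, after))
```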

Assigning administrators to spaces


MobileIron suggests that you add administrators to device spaces when you add
device spaces to MobileIron Core. The New Admin Space dialog enables you to assign
a group of administrators to a device space and assign them the necessary roles.
Assigning administrators after a device space is added allows you to add only one
administrator at a time.

To assign an administrator to a space:


1. In Admin Portal, go to Admin > Admins.
2. In the To field, select Authorized Users or LDAP Entities.
3. If you selected:
LDAP Entities, select an LDAP category (LDAP Groups, LDAP OU, LDAP Users),
and then specify criteria in Search by Name for the LDAP user to assign as an
administrator.
Authorized Users, enter criteria in Search by Name to find the local user to
assign as an administrator.
4. Press Enter to run the search, and then select one local or LDAP user from the
search results.
5. Go to Actions > Assign to Space.
6. From Space Name, select the device space that the selected user will manage.
7. Assign roles to the administrator for that device space (see Editing administrator
roles on page 157 for role and permission details).
8. Click Save.
Note: You cannot save the device space assignment until you assign the
administrator at least one role.

Removing administrators from Device Spaces


To remove an administrator from a Device Space:
1. In Admin Portal, select Admin > Admins and then check the box next to the
administrator's name.
2. Go to Actions and select Remove from Space.
3. If the administrator is assigned to more than one device space, select the correct
device space from the dropdown.
4. Click Yes to remove the administrator from the specified device space.
If the removed administrator is currently logged into the device space, the
administrator is logged off the device space the next time an administrator task is
attempted. The message MobileIron Core displays to the administrator is Session
timed out.


Editing administrator roles


Permission to perform various management tasks depends on the roles assigned to an
administrator. The defined roles provide a wide range of possibilities for designing
your management system.

Roles sometimes share permissions with other roles. For example, the View apps in
device details and Wipe device roles both include the permissions View dashboard,
View device and View device details.

To assign roles to administrators:


1. In Admin Portal, go to Admin > Admins.
2. Check the name of the administrator to edit.
3. Go to Actions > Edit Roles.
4. Select one or more roles for the administrator (roles and permissions are listed and
explained later in this section).
5. Click Save.
If an administrator is currently logged in to MobileIron Core, that administrator
must log out of Core and then log back in before the role changes take effect.

The available roles are divided into the following categories:


Device Management
Label Management
User Management
App Management (Super and Global Administrators only)
Configuration Management
Policy Management
Settings Management (Super and Global Administrators only)
Logs and Events Management (Super and Global Administrators only)
Admin Management (Super and Global Administrators only)
Others (some Super and Global Administrators only)

The roles within each category and the permissions associated with each role are
listed in the following table.

Note: These roles are different from the roles defined in previous MobileIron Core
releases. For installations that used previous MobileIron releases, the roles assigned
current administrators are mapped to the new roles when the system is upgraded to
MobileIron Core 7.0 so that administrators have the same permissions they had in the
previous release.


Management Type: Device Management
  Roles: Manage devices; Locate device; Add device; Manage ActiveSync device;
    Manage AppTunnel; Manage device enrollment (iOS only); Wipe device
  Available To: Super Administrator, Global Administrator

Management Type: Device Management
  Roles: View apps in device details; Manage devices; Locate device; Add device;
    Wipe device
  Available To: Device Space Administrator

Management Type: Privacy Control
  Roles: View apps in device details; Locate device
  Available To: Super Administrator, Global Administrator, Device Space Administrator

Management Type: Label Management
  Roles: View label; Manage label
  Available To: Super Administrator, Global Administrator, Device Space Administrator

Management Type: User Management
  Roles: Manage user, which includes creating, editing and viewing users.
  Available To: Super Administrator, Global Administrator, Device Space Administrator

Management Type: App Management
  Roles: Manage app, which includes viewing and editing apps; View and edit app.
    The Manage app role enables administrators assigned to the global space to
    view and edit the apps available to devices.
    Note: The AppTunnel tab is not included in MobileIron Core for administrators
    who are assigned the Manage app role. This is a change from MobileIron Core
    releases earlier than 7.0. In earlier releases, AppTunnel access was included
    in this role.
  Available To: Super Administrator, Global Administrator

Management Type: Configuration Management
  Roles: View configuration; Manage configuration, which includes creating and
    editing configurations; Apply and remove configuration label.
  Available To: Super Administrator, Global Administrator

Management Type: Configuration Management
  Roles: View configuration; Apply and remove configuration label.
  Available To: Device Space Administrator

Management Type: Policy Management
  Roles: View policies; Apply and remove policy label; Manage policy, which
    includes creating, viewing and editing policies, viewing and editing
    ActiveSync policy, and viewing and editing compliance actions.
  Available To: Super Administrator, Global Administrator

Management Type: Policy Management
  Roles: View policies; Apply and remove policy label
  Available To: Device Space Administrator

Management Type: Settings Management
  Roles: Manage settings, which includes specifying, viewing and editing settings.
  Available To: Super Administrator, Global Administrator

Management Type: Logs and Events Management
  Roles: Manage logs and events, which includes viewing and editing logs and
    events.
  Available To: Super Administrator, Global Administrator

Management Type: Admin Management
  Roles: Manage administrators and device spaces, which includes assigning
    administrator privileges, creating and managing device spaces, assigning
    administrators to device spaces, and deleting administrators from device
    spaces.
  Available To: Super Administrator

Note: The Connector, API, and Mobile app roles are not management roles. These
roles are used by some applications to access certain APIs. MobileIron suggests that
you create a dedicated user for each of these three roles so that the account is only
used for the specific purpose and does not provide access to the Admin Portal.

Labels and delegated administration


Delegated administration enables Super Administrators to create labels and to assign
other administrators the roles to view, apply and remove labels. This section describes
label behavior in MobileIron Core systems using delegated administration.
Within a device space, you can view both local and global labels. However, from a
device space you cannot edit global labels or apply and remove them.
The Labels page has a new column, Space, that lists the device space where the
label was created (either global or a device space name).
Label names are unique within a MobileIron Core. For example, you cannot have a
label named Android in the global space and another label named Android in the
device space Boston Help Desk.
MobileIron Core enforces this restriction. For example, suppose an administrator
creates a label for the device space Boston Help Desk, and gives it the name
HelpDesk. If another administrator in a different device space attempts to create a
label named HelpDesk, Core returns an error message to the second administrator,
stating that the label name is already in use in Core.
Local labels can be deleted only from the device space in which they are defined.
Global labels can be deleted only from the global space.
You can save labels from an advanced search so they can be applied later to
policies or configurations.
Although policies and configurations are created in the global space, policies and
configurations available in a device space can be applied to local labels.


Role correspondences
MobileIron Core 7.0 adds delegated administration. Due to delegated administration,
roles assigned to administrators in MobileIron VSP releases earlier than 7.0 differ from
the ones assigned in MobileIron Core 7.0.

When you update from MobileIron Core 6.02 or earlier, the roles that are assigned to
users and administrators in your current system are translated into the new roles, but
provide your users and administrators with the same permissions as before.

The table in this section presents the correspondences between the old roles and the
new ones.

Old Role: User Management
  New Roles: Manage User
  Permissions: View user, Edit user

Old Role: Users & Devices
  New Roles: Manage devices, Manage label, Manage ActiveSync device, Add device,
    View apps in device details, Manage AppTunnel
  Permissions: View dashboards, View device, View device details, Retire device,
    Other device actions, Push profiles in device details, Edit comments in device
    details, View label, Edit label, View ActiveSync device, Edit ActiveSync
    device, Add device, View apps in device details, AppTunnel

Old Role: Apps & Configs
  New Roles: Manage app, Manage configuration, Manage AppTunnel
  Permissions: View and edit app, View configuration, Edit configuration, Apply
    and remove configuration label, AppTunnel

Old Role: Policies
  New Roles: Manage policy
  Permissions: View policy, Edit policy, Apply and remove policy label, View and
    edit ActiveSync policy, View and edit compliance action

Old Role: Events
  New Roles: Manage logs and events
  Permissions: View logs and events, Edit logs and events

Old Role: Settings
  New Roles: Manage settings
  Permissions: View settings, Edit settings

Old Role: Logs
  New Roles: View logs and events
  Permissions: View logs and events

Old Role: API
  New Roles: API
  Permissions: Access V1 API

Old Role: Sentry For iPad
  New Roles: Mobile App
  Permissions: Mobile App Access

Old Role: Connector
  New Roles: Connector
  Permissions: Connector

Old Role: Enforce Single Session
  New Roles: Enforce single session (all spaces)
  Permissions: Enforce single session

Old Role: Admin Wipe
  New Roles: Wipe device
  Permissions: Wipe device, View dashboard, View device, View device details

Old Role: Admin Locate
  New Roles: Locate device
  Permissions: Locate device, View dashboard, View device, View device details


Working with Apple DEP devices


Apple's Device Enrollment Program (DEP) enables you to purchase and preconfigure
devices in bulk. The Device Enrollment Program provides a fast, streamlined way to
deploy company-owned iPad and iPhone devices and Mac computers that are
purchased directly from Apple.

Using the Apple DEP program with MobileIron Core, DEP devices can be assigned to
MDM during activation and can skip basic setup steps, getting users up and running
quickly.

Adding your Apple DEP account devices to your MobileIron Core is a three-step
process:
1. Add your MobileIron Core to the Apple DEP Portal
2. Assign the Apple DEP devices to MobileIron Core DEP server
3. Add the Apple DEP account to Core

Note: MobileIron Core 7.0 supports Apple DEP devices for Apple iOS 7.1.

Adding Your MobileIron Core to the DEP Portal


When you add a MobileIron Core instance to the DEP Portal, you register Core as an
MDM server. To add a Core instance to the Apple DEP server, go to Apple's DEP portal
at https://deploy.apple.com and sign in using a dedicated Apple ID.

Navigate to the Manage Servers page on the Apple DEP Portal and add Core as an
MDM server. After registering the MobileIron Core instance with the Apple DEP Portal,
Core can communicate with the Apple DEP server to manage the devices in the DEP
program.

Assigning Apple DEP devices to MobileIron Core


To assign the Apple DEP devices to the MobileIron Core instance registered as an MDM
server with the Apple DEP program:
1. In MobileIron Core Admin Portal, go to Users & Devices > Apple DEP.
2. Click Add+.
3. Click Download Certificate to download the .crt file that will be connected to the
DEP account.
Note: The same certificate can be used for more than one Apple DEP account. The
certificate is associated with a MobileIron Core instance. Once a certificate is
downloaded, this step is unnecessary for other DEP accounts.
4. Go to the Apple DEP Portal and navigate to the Manage Servers page.
5. Select the Core MDM server.
6. Upload the certificate that you downloaded from MobileIron Core.
7. Save the server token file (.p7m file) that you receive from Apple. You upload it
later in this procedure to MobileIron Core.


Associating DEP Devices with MobileIron Core


After registering your MobileIron Core as a server on the Apple DEP Portal, you add
the DEP account devices in Core. When you add the DEP account devices in Core, you
set up a mapping between the Core instance and the DEP account.

To associate MobileIron Core with an Apple DEP account:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Click Add+ to begin adding DEP devices to MobileIron Core.
3. Go to Users & Devices > Apple DEP and then click Add+.
4. To specify the server token, click Browse next to Server Token, find and select the
server token file received from Apple, and then click Open.
5. Enter a description, for example, Devices for France Marketing.
6. Click Save.
The account information is displayed:
Organization name (for example, New York HQ), which is used in messages
from Apple for the account
Apple ID for the administrator assigned to these devices
Account name
Organization email address
Organization phone number
7. Click Done after reviewing the new account information.

Viewing DEP accounts


After setting up DEP accounts in MobileIron Core, you can view the status of these
accounts. To view DEP device accounts:
1. In Admin Portal, go to Users & Devices.
2. Go to Apple DEP to display the list of Apple DEP accounts enrolled on the MobileIron
Core instance.
Note: If you have not added a DEP account to a particular MobileIron Core, a
message is displayed instead of a DEP account list. The message explains that no DEP
accounts are associated with this MobileIron Core yet.

The information available for each Apple DEP account is listed in the following table:

Item                      Description
Account Name              Name assigned to the account
Admin Apple ID            Administrator ID received from Apple
Organization Name         Name that you provide to Apple for the organization
                          associated with the DEP account. Apple uses this name
                          when displaying messages about the account.
Organization Description  Description that you provide to Apple for the
                          organization associated with the DEP account
Status                    Account status can be one of three states:
                          Active, indicates the MobileIron Core instance is
                          associated with one or more active DEP accounts.
                          Invalid Token, indicates the Apple server token is
                          either expired or invalid.
                          Inactive, indicates the MobileIron Core instance is
                          associated with a deleted Apple DEP account.
Expires                   Date the server token expires
Devices                   Number of devices in the DEP account. Click the number
                          to view the devices in the Devices page.
Enrollment Profile        Number of enrollment profiles defined for the DEP
                          account devices. Click the number to list the
                          enrollment profiles (see Adding DEP Enrollment
                          Profiles on page 166).

Managing DEP accounts


After adding DEP accounts to MobileIron Core, several actions are available to help
manage the accounts. You can:
Manage enrollment profiles that specify the MDM and setup options applied to DEP
devices that you specify (see Adding DEP Enrollment Profiles on page 166 and
Editing DEP Account Information on page 169)
Assign one or more devices to enrollment profiles and remove them (see Assigning
devices to DEP enrollment profiles on page 167 and Removing DEP device
enrollment profile assignments on page 168)
Change the Apple server token file associated with the account (see Editing DEP
Account Information on page 169)
Change the account description (see Editing DEP Account Information on
page 169)
Delete DEP accounts from MobileIron Core (see Deleting DEP Accounts on page 169)
Sync with Apple servers to update the list of devices belonging to the account (see
Checking for Apple DEP Account Updates on page 169)
Remove a DEP device that is sold, lost or damaged beyond repair from the list of
DEP devices MobileIron Core manages (see Disowning DEP devices on page 169)

Note: MobileIron Core waits ten minutes after DEP devices are associated with Core
before pushing apps to those devices, allowing the user to complete the DEP
assignment process and finish device setup.


Adding DEP Enrollment Profiles


DEP enrollment profiles specify MDM options to apply to the devices assigned to the
enrollment profile. For example, you can specify if the device should be supervised.
The profile also defines the setup options for the Setup Assistant, allowing your users
to skip one or more setup steps that are unnecessary for your MobileIron Core.

To add an enrollment profile:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select a DEP account, and then go to Actions > Add Enrollment Profile.
3. In the indicated fields, enter:
Profile name (required)
Description
Department associated with the account (required)
Phone number to call for support with this account (required)
4. Select or clear MDM options:
Enable supervision
Require MDM enrollment
Allow MDM profile removal
Allow pairing
5. Select which Setup Assistant steps, if any, to skip.
The steps you can choose are:
Location Services
Restore from Backup
Signing in to Apple ID and iCloud
Terms and Conditions
Siri
Automatically sending diagnostic information.
Passcode creation
6. (Optional) In Anchor Certificates, click Browse, navigate to one or more anchor
certificates and select them.
Note: The files must be in DER or PEM format.
Anchor certificates are certificates that are explicitly trusted by the system; they
are needed to trust the connection to the MobileIron Core.
7. (Optional) In Pairing Certificates, click Browse, navigate to one or more pairing
certificates and select them.
Note: The files must be in DER or PEM format.
Pairing certificates allow devices to use pairing when Allow pairing is not selected
for all devices in a DEP account. Pairing certificates are available from Apple
Configurator (Apple Configurator > Ctrl+Option+File > Export > Supervising Certs).
Refer to the Apple website for more information.
8. Click Save.
8. Click Save.


Assigning devices to DEP enrollment profiles


DEP enrollment profiles define MDM options and setup options for DEP devices. When
you assign devices to enrollment profiles, you can specify the devices in a .csv file
(see Creating DEP device file for assigning devices to enrollment profiles on
page 170) or select devices from the Apple DEP Devices page.

To assign devices to a DEP enrollment profile using a .csv file:

Note: Create the .csv file containing the devices to assign to the profile before
beginning this procedure.
1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select the number in the Profiles column for the Apple DEP account.
3. Select a profile.
4. Go to Actions > Assign Devices to Profile.
5. Click Upload to browse for the .csv file containing the devices that you want to
assign to this profile.
6. Click Assign.

To assign devices to a DEP enrollment profile from the Apple DEP Devices page:
1. In Admin Portal, go to Users & Devices > Apple DEP
2. Click the number in the Devices column for the enrollment profile.
3. (Optional) Select All Enrollment Profiles or a specific enrollment profile from the All
Enrollment Profiles field.
4. (Optional) Specify a device status to use as a filter:
Any Status, indicates that status is not considered when filtering the devices
assigned to the enrollment profile.
Unassigned, specifies devices that are not currently assigned to an enrollment
profile.
Assigned, specifies devices assigned to an enrollment profile.
Pushed, specifies devices assigned to pushed enrollment profiles.
5. (Optional) In Search by device fields, specify a value for one of the device fields,
like color or model, that further defines the devices to assign to the enrollment
profile. For example, enter Blue to assign devices to the enrollment profile only if
they are blue.
Note: In Search by device fields, you can specify a value for:
serial_number
asset_tag
description
model
color
6. Run the query and then click the checkbox next to Serial Number at the top of the
device results list to select the devices the query returned.
7. Go to Actions > Assign enrollment profile.

8. In Select Enrollment Profile, select an existing enrollment profile or Create New
Enrollment Profile.
9. If you select:
An existing enrollment profile, click Save.
Create New Enrollment Profile, enter the name for the new enrollment profile,
enter the information for that profile, and then click Save (see page 166 for
more information).

Removing DEP device enrollment profile assignments


Removing DEP devices from an enrollment profile removes the MDM and setup options
from the devices.

Note: After DEP device enrollment profile assignments are pushed to devices and the
devices complete setup, removing DEP device enrollment profile assignments or
changing DEP device profiles has no effect.

To remove devices from an enrollment profile:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select an account and click the number in the Enrollment Profiles column for that
account.
MobileIron Core lists the defined enrollment profiles for that account.
3. Click the number in the devices column for the selected enrollment profile.
4. In All Enrollment Profiles, select All Enrollment Profiles or a specific enrollment
profile.
5. Select the devices to remove from the profile or use the filters to select devices.
To use the filters, use one or more of these fields:
In Any Status, select a status or Any Status.
In Search for Device Fields, specify a device field and value, for example for
device color, select Blue.
6. Go to Actions > Remove enrollment profile.
7. When prompted, click Yes to remove the devices from the enrollment profile or No
to cancel the deletion.

Deleting DEP enrollment profiles


When you delete a DEP enrollment profile, the devices assigned to the enrollment
profile no longer have defined MDM or setup options.

To delete a DEP enrollment profile:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select an account and click the number in the Enrollment Profiles column for that
account.
MobileIron Core lists the defined enrollment profiles for that account.
3. Select the enrollment profile to delete, and then go to Actions > Delete.
4. When prompted, click Yes to delete the profile or No to cancel the deletion.


Editing DEP Account Information


Most Apple DEP account information is derived from Apple, and cannot be edited in
MobileIron Core. To edit the Apple-derived DEP account information, go to
https://deploy.apple.com.
You can, however, change the server token associated with the account or edit the
MobileIron Core DEP account description in Core.

To edit the MobileIron Core DEP account information:


1. In Admin Portal, go to Users & Devices > Apple DEP, and then select an account.
2. Go to Actions > Edit Account.
3. (Optional) To change the server token, click Browse, locate the file, select it, and
then click Open.
4. (Optional) To change the account description, edit the text in Description.
5. Click Save.

Deleting DEP Accounts

If you delete a MobileIron Core DEP account, the account is no longer associated with
Core. Deleting a DEP account from Core does not have any effect on the Apple DEP
account.

To delete one or more DEP accounts:


1. In Admin Portal, go to Users & Devices > Apple DEP, and then select one or more
accounts.
2. Go to Actions > Delete Account.
3. When prompted, select Yes to delete the chosen accounts or No to cancel the
action.

Checking for Apple DEP Account Updates


Apple controls the DEP device accounts. To ensure that the list of devices associated
with a DEP account is correct in MobileIron Core, Core needs to sync with the Apple
server to get information about the DEP devices, including the device states.

To check the Apple server for device updates:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Click Check for Updates.

Disowning DEP devices


If a DEP device is sold, lost or damaged beyond repair, you can remove that device
from the list of DEP devices that MobileIron Core manages. Removing the device is
called disowning the device.

Note: Disowning a device cannot be reversed. Once a DEP device is disowned from the
Device Enrollment Program it cannot be added back to the program.


The Disown action is disabled by default and is not included in the list of actions for
DEP devices. To add Disown to Actions in the Apple DEP device page, call Customer
Support.

To disown a device:
1. If prompted, restart MobileIron Core.
2. Go to Users & Devices > Apple DEP.
3. Select the number in the Devices column for the correct Apple DEP account.
4. Select the DEP device or devices to disown.
5. Go to Actions and then select Disown.

Creating DEP device file for assigning devices to enrollment profiles


To assign DEP devices to enrollment profiles using Assign Devices to Profile, you
create a .csv file containing a list of the DEP devices to assign. You can create DEP
device files for particular enrollment profiles or for all enrollment profiles.

Note: The .csv files that you create for MobileIron DEP devices can contain no more
than 5,000 devices.

To select DEP devices to assign to enrollment profiles:


1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select the number in the Devices column for the Apple DEP account.
3. (Optional) In All Enrollment Profiles:
Select All Enrollment Profiles to enable all enrollment profiles to use the .csv
device file created with this procedure.
Select an enrollment profile to restrict assigning the .csv file to the specified
enrollment profile.
4. (Optional) Select a device status for the devices you want to include in the .csv file:
Any Status indicates that status is not considered when filtering the devices
assigned to the profile
Unassigned filters for devices that are not currently assigned to a profile
Assigned filters for devices that are currently assigned to a profile
Pushed filters for devices assigned to pushed enrollment profiles
5. (Optional) In Search by device fields, specify a value for one of the device fields,
like color or model, that further defines the devices for the .csv file. For example,
enter Blue in Search by device fields to add devices to the .csv file list only if they
are blue.
6. Run the query.
7. Click the check box next to Serial Number to select all devices the query returned,
and then select Export to CSV.

Note: If the .csv file contains UTF-8 characters (for example, values for the
description column), Microsoft Excel does not recognize the encoding of the text in
the file, and will display the characters incorrectly. However, the .csv file is
encoded correctly and does not cause any problems.

Chapter 5

Managing Policies
Overview of managing policies
Working with policies
Working with default policies
Working with security policies
Working with privacy policies
Working with lockdown policies
Working with sync policies
Working with Docs@Work policies
Working with single-app mode policies for iOS
Working with global HTTP proxy policies
Working with Android kiosk policies
Working with Android Quick Setup policies
Working with Samsung general policies
Troubleshooting policies


Overview of managing policies


MobileIron uses policies to regulate the behavior of the devices it manages. Each
policy consists of a set of rules.

The following policy types are available:


Default (See Working with default policies on page 181.)
Security (See Working with security policies on page 182.)
Privacy (See Working with privacy policies on page 200.)
Lockdown (See Working with lockdown policies on page 203.)
Sync (See Working with sync policies on page 208.)
Docs@Work (See For iOS: Set up Docs@Work policies on page 515.)
Single-App Mode (See Working with single-app mode policies for iOS on
page 215.)
Global HTTP Proxy (See Working with global HTTP proxy policies on page 215.)
Android Kiosk (See Working with Android kiosk policies on page 219.)
ActiveSync (See Working with ActiveSync policies on page 398.)
AppConnect global policy (See Configuring the AppConnect global policy on
page 533).
Android Quick Setup (See Working with Android Quick Setup policies on
page 220.)
Samsung General (See Working with Samsung general policies on page 222.)

You can create multiple policies for each policy type, but only one active policy of each
type can be applied to a specific device.

Policies page
Use the Policies page at Policies & Configs > Policies to specify and control aspects of
enterprise device behavior.

Each policy page displays the following information about the policies belonging to
the corresponding policy type:

Policy Name
    Identifier for this policy. The policy name must be unique for policies of
    the same type.
Priority
    Priority set for this policy in relation to other policies of the same
    type.
Status
    Current status of this policy. The status can be Active or Inactive.
Description
    Additional information about the policy, such as its purpose.
Type
    Which policy category this policy belongs to. See Overview of managing
    policies on page 174 for a list of types.
Last Modified
    The date and time of the last change made to this policy.
# Phones
    The number of phones affected by this policy. Click the link to display a
    list of the devices.
Labels
    The labels applied to this policy. See Using labels to establish groups on
    page 136 for information on labels.
Watchlist
    The number of devices for which the policy is queued. Click the link to
    display a list of the devices.
    Exception: Backup & Restore policies are not distributed to the MobileIron
    Clients. In this case, the Watchlist column indicates the devices that are
    awaiting backup.

Required role
Users must have one of the following roles to access the Policies page:
View policies
Apply and remove policy label
Manage policy


Working with policies


Each policy type is displayed in a separate screen. You can use the same procedures
to work with each type of policy.

Displaying policies
To display policies:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with:
Policies: the standard MobileIron policies, including default and custom policies
Default Policies: the standard MobileIron policies automatically assigned to
most devices
ActiveSync Policies: the specialized policies for devices that connect to the
enterprise via ActiveSync
2. If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy Type list.
3. Select a policy to display the details of that policy in the right pane.

Editing policies
To edit an existing policy:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2. If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy type list.
3. Select a policy to display the details of that policy in the right pane.
4. Click the Edit button in the right pane to display editable settings for the policy.
5. Make the changes to the displayed settings.
6. Click Save.

Note: Policy changes may cause devices to which that policy is applied to prompt
the user to restart the device.

Applying policies to labels


Use labels to apply policies to devices. See Using labels to establish groups on
page 136 for information on creating and managing labels.
To apply a label to a policy:


1. Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2. Select the checkbox next to the policy.
3. Select More Actions > Apply To Label.
4. Select the label.
5. Click Apply.

Removing policies from labels


You can remove a policy from a label when you no longer want changes to that policy
to affect devices having a given label. See Using labels to establish groups on
page 136.
To remove a label from a policy:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2. Select the checkbox next to the policy.
3. Select More Actions > Remove From Label.
4. Select the label.
5. Click Remove.

Creating a new policy


To create a new policy:
1. Go to Policies & Configs > Policies.
2. Select Add New.
3. Select the policy type from the displayed submenu.
4. Adjust the displayed settings.
See Working with security policies on page 182.
See Working with privacy policies on page 200.
See Working with lockdown policies on page 203.
See Working with sync policies on page 208.
See For iOS: Set up Docs@Work policies on page 515.
See Working with ActiveSync policies on page 398.
See Configuring the AppConnect global policy on page 533.
5. Click Save.
6. Apply the policy to the appropriate labels. If you do not complete this step, then the
policy will not affect any devices. See Applying policies to labels on page 176.

Deleting policies
To delete a policy from the Admin Portal:
1. Click one of the filters under the Policies & Configs tab to display the policy you
want to delete.


2. Select the checkbox for the policy you want to delete.


3. Click Delete in the upper left.

You cannot delete a default policy.

What happens when you delete a policy


When you delete a policy, all devices to which that policy was applied are
updated with the default policy of that type.

Displaying custom policies for a selected label


To display a list of the policies associated with a specific label:
1. Select a policies page under Policies & Configs.
2. Select a label from the Labels drop-down list.

Note: Default policies are not included.

Displaying custom policies for a selected user


To display a list of the policies associated with a specific user:
1. Select a policies page under Policies & Configs.
2. Enter any portion of the user's first name, last name, or user ID and click the
search icon to find policies assigned to user records matching the entered criteria.

Note: Default policies are included. See Working with default policies on page 181.

Prioritizing policies
When you create a custom policy, you can assign a priority relative to the other
custom policies of the same type. This priority determines which policy is applied if
more than one policy is associated with a specific device. For example, if you create a
security policy for executives and a security policy for iOS devices, then an executive
with an iPhone would have two different possible policies applied. Because only one
policy of a given type can be applied to a device, the priority defined for the policies
determines which is applied.

You can manage priorities for individual policies, or you can use the Modify Priority
screen to manage priorities for a policy type in a single screen. To manage priorities in
a single screen:
1. Go to Policies & Configs > Policies.
2. Select a type from the Policy Type dropdown.
3. Select Modify Priority. The Modify Policy Priorities dialog appears.
4. Drag and drop policies until they reflect the priorities you want to set, with highest
priority of 1 appearing at the top of the list.
5. Click Save.
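The resolution rule described above (label match first, then the lowest priority number among the matching custom policies, with the type's default policy as the fallback) and the fallback to the default policy when a custom policy is deleted (see What happens when you delete a policy) can be expressed compactly. The following Python is an added example, not code from this guide or the MobileIron product: the Policy and Device records, their field names, the labels, and the constructed scenario of an executive's iPhone are the example's own modelling of the behaviour the text describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Example data model; field names are the example's own, not Core's.


@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str               # policy type, e.g. "security" or "privacy"
    priority: int            # 1 is the highest priority among custom policies
    labels: FrozenSet[str]   # labels the policy has been applied to
    active: bool = True
    default: bool = False    # the type's default policy: not label-matched, not deletable


@dataclass(frozen=True)
class Device:
    device_id: str
    labels: FrozenSet[str]


def effective_policy(device: Device, policies: List[Policy], ptype: str) -> Optional[Policy]:
    """Return the one policy of `ptype` that applies to `device`.

    Candidates are active custom policies of that type that share at least one
    label with the device; among several, the lowest priority number wins.
    With no candidate the type's default policy applies.
    """
    candidates = [p for p in policies
                  if p.ptype == ptype and p.active and not p.default
                  and p.labels & device.labels]
    if candidates:
        return min(candidates, key=lambda p: p.priority)
    return next((p for p in policies if p.ptype == ptype and p.default), None)


def delete_policy(policies: List[Policy], name: str) -> List[Policy]:
    """Remove a custom policy; a default policy cannot be deleted."""
    target = next(p for p in policies if p.name == name)
    if target.default:
        raise ValueError(f"{name} is a default policy and cannot be deleted")
    return [p for p in policies if p.name != name]


# Constructed scenario from the text: an executive security policy and an
# iOS security policy both match an executive's iPhone; a retired iOS policy
# is still defined but inactive.
POLICIES = [
    Policy("Default Security Policy", "security", 0, frozenset(), default=True),
    Policy("Executive Security", "security", 1, frozenset({"executives"})),
    Policy("iOS Security", "security", 2, frozenset({"ios"})),
    Policy("Old iOS Security", "security", 3, frozenset({"ios"}), active=False),
]
EXEC_IPHONE = Device("d1", frozenset({"executives", "ios"}))
ANDROID_STAFF = Device("d2", frozenset({"android"}))
```

With this data the executive's iPhone gets Executive Security; deleting that policy moves the device to iOS Security, and deleting that too returns it to the default, because the inactive policy is never a candidate.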


Displaying policy status


The Device Details pane on the Users & Devices > Devices page displays status for the
following tasks:
apply lockdown policies
apply security policies

The statuses you will see in the Policies tab are:


Pending: The process of applying the policy has been started.
Sent: The policy has been successfully sent to the device.
Applied: MobileIron Core has confirmed that the verifiable settings appear to have
been applied to the device. For Android devices, expand the DETAILS section of the
Policies tab to see the verifiable results for Security and Lockdown policies.
Partially Applied: One or more settings may have been rejected by the device. This
can mean that the feature is not supported by the device. For Android devices,
expand the DETAILS section of the Policies tab to see the verifiable results.

Displaying supported platforms for policies


To clarify which policies are supported for which platforms, Platforms Supported
links are included in the policy dialogs.

Each link displays a table outlining the platform support for each policy feature.


Enabling profile encryption


Profile encryption is enabled by default. The administrator has the option to
disable this setting, which also controls whether the device's backup to iTunes
is encrypted: if profile encryption is enabled, the backup to iTunes is also
encrypted; if profile encryption is disabled, the backup to iTunes is not
encrypted. Leave the setting enabled unless you have a specific reason to change
it.

Note: If you disable profile encryption, backup to iTunes continues to be encrypted for
devices that are already registered. The backup to iTunes will be unencrypted for
devices that registered after the setting change.

To enable or disable profile encryption:


1. Go to Admin Portal > Settings > Preferences.
2. In the MDM Preferences section check or uncheck the Enable Profile Encryption
setting.
Unchecking disables profile encryption, and checking the setting enables profile
encryption.
3. Click Save.


Working with default policies


Default policies are the policies applied to a device automatically when it is registered.
Default policy values are also used as a starting point when you create a custom
policy. MobileIron provides the values for each default policy specification. You can
then edit the default policies to your needs. If you edit a default policy's
values, those new values become the starting point when you create a new custom
policy.

MobileIron provides defaults for the following policy types:


Security
Privacy
Lockdown
Sync
Docs@Work
ActiveSync (See Working with ActiveSync policies on page 398.)
AppConnect global policy

Note: You cannot delete default policies.

The default settings for each policy type are listed in the section for each type.


Working with security policies

                                      Android   iOS   OS X   Win 7   WP8   WP8.1   Win 8.1 RT/Pro
Encryption Policy (Internal Storage)  yes j,h   yes   -      -       yes   yes     yes
Encryption Policy (SD Card)           yes h     -     -      -       -     -       -
Password Policy                       yes       yes   yes    -       yes   yes     yes
App Control                           yes       yes   -      -       -     yes     -

e Using MobileIron Sentry and ActiveSync.
j Supported for Android 3.0 and higher.
h Supported for Samsung SAFE devices.

Security policies specify how MobileIron addresses several areas of mobile
security. Use the following guidelines to create or edit security policies.

Each item below is followed by its setting in the Default Security Policy.

Name
    Required. Enter a descriptive name for this policy. This is the text that
    will be displayed to identify this policy throughout the Admin Portal. This
    name must be unique within this policy type.
    Tip: Though using the same name for different policy types is allowed (for
    example, Executive), consider keeping the names unique to ensure clearer
    log entries.
    Default: Default Security Policy
Status
    Select Active to turn on this policy. Select Inactive to turn off this
    policy.
    Why: Use the Status feature to turn a policy on or off across all phones
    affected by it. The policy definition is preserved in case you want to
    turn it on again.
    Default: Active

Priority
    Specifies the priority of this custom policy relative to the other custom
    policies of the same type. This priority determines which policy is
    applied if more than one policy is associated with a specific device.
    Select Higher than or Lower than, then select an existing policy from the
    dropdown list. For example, to give Policy A a higher priority than Policy
    B, you would select Higher than and Policy B. See Prioritizing policies on
    page 178 for more information.
    Because this priority applies only to custom policies, this field is not
    enabled when you create the first custom policy of a given type.
Description
    Enter an explanation of the purpose of this policy.
    Default: Default Security Policy

Password

Password
    Select Mandatory to specify that the user must enter a password before
    being able to access the device. Otherwise, select Optional, which allows
    the user to determine whether the password will be set.
    Note: If you intend to use the Lock feature in case the phone is lost or
    stolen, then a password must be set on the phone. Therefore, specifying a
    mandatory password is strongly advised.
    For OS X: Select Mandatory to specify that the device user must comply
    with the password policy when resetting the password for the device. This
    does not force a user to change an existing password.
    Default: Optional

Password Type
    Specify general restrictions for the password:
    Simple: Restricts to numeric input.
    Alphanumeric: Restricts to alphabetic and numeric characters.
    Don't Care: Applies the basic requirements specified by the device
    OS/model.
    For WP8 and WP8.1 devices, the Don't Care option requires that the
    password is either simple or alphanumeric.
    For Win 8.1 RT/Pro devices, the Simple option is not supported.
    Default: Don't Care
Minimum Password Length
    Enter a number between 1 and 10 to specify the minimum length for the
    password. Leave this setting blank to specify no minimum.
    Default: 6

Maximum Inactivity Timeout
    Select the maximum amount of time to allow as an inactivity timeout. To
    disable this feature, select Never. The user can then specify up to this
    value as the interval after which the screen locks.
    For OS X: Enter the maximum timeout interval that the device user can set
    for the device before the screensaver engages.
    For iOS: The Grace Period for Device Lock option determines whether the
    user must enter a password to unlock the screen. Also consider the case
    when the maximum inactivity timeout that you specify is greater than the
    maximum inactivity timeout that the device supports. In this case, the
    inactivity timeout that the user can specify is limited by the device's
    maximum inactivity timeout.
    For WP8.1: If the Maximum Inactivity Timeout is set to one minute, the
    WP8.1 device uses the timeout set on the device.
    Default: 30 minutes

Minimum Number of Complex Characters
    iOS, OS X, and Android 3.0 and higher only: Specify the minimum number of
    special characters that must be included in a password.
    WP8, WP8.1: Specify the minimum level of complexity, 1 to 4, required in a
    password. The values indicate the minimum number of character types
    required. The character types are lowercase, uppercase, numbers, and
    non-alphanumeric.
    Win 8.1 RT/Pro: A minimum level of 3 is required for local accounts and a
    minimum level of 2 is required for MSA accounts. If the level is set to 2
    or anything less than 2, level 2 is applied. If the level is set to 3 or
    anything more than 3, level 3 is applied.
    Default: 0
Maximum Password Age
    iOS, OS X, and Android 3.0 and higher only: Specify the number of days
    after which the password will expire. 0 indicates no limit.
    Default: 0

Maximum Number of Failed Attempts
    For iOS, OS X, and Android: Specify the maximum number of times the user
    can enter an incorrect password before the device is wiped.
    iOS: After the number of failed attempts, the device imposes a time delay
    before a passcode can be entered again. The time delay increases with each
    failed attempt. The passcode time delays always begin after the sixth
    attempt, so if you set this value to 6 or lower, no time delays are
    imposed and the device is erased when the attempt value is exceeded. 0
    indicates no limit. For iPhone OS 4, the range is 4 to 16. In prior
    versions, the range is 2 to 11.
    Win 8.1 RT/Pro: Irrespective of the number set in the password policy, the
    device is wiped after four failed attempts.
    WP8.1: If Maximum Number of Failed Attempts is set to 1, the user is not
    prompted to enter the device password.
    Default: 0
Password History
    iOS and Android 3.0 and higher only: Specify the number of passwords
    remembered to ensure that users define a different password.
    For example, if you want to prevent users from repeating a password for
    the next four password changes, enter 4.
    Default: 0

Grace Period for Device Lock
    For OS X: Specify the maximum amount of time the device can be on the
    screensaver without prompting for a passcode on wake from the
    screensaver.
    For iOS: Specify the interval after the device locks during which the user
    can unlock the device without entering a passcode.
    Android: Not used.
    Win 8.1 RT/Pro: This option is not supported.
    Default: None

Data Encryption

Device Encryption
    Android 3.0 and higher, Samsung SAFE devices running Android 2.3 or
    higher, and WP8 only: Select On to turn on encryption. Otherwise, select
    Off.
    Note: If Device Encryption is turned On, then the Password option is
    automatically set to Mandatory.
    For WP8 and WP8.1 devices: If Device Encryption is turned on, it cannot be
    turned off. You have to reset the device to factory settings to turn off
    device encryption.
    Default: Off
Data Type
    Not supported.
    Default: none selected
File Types
    Not supported.
    Default: none specified
SD Card Encryption
    Samsung SAFE devices only: Select On to turn on encryption. Otherwise,
    select Off.
    Default: Off

Windows - Pro/RT

Firewall
    This setting is specific to Windows 8.1 RT and Pro devices. This setting
    is turned on by default on a Windows 8.1 RT device.
    Default: On
Anti-Virus
    This setting is specific to Windows 8.1 RT and Pro devices. This setting
    is turned on by default on a Windows 8.1 RT device.
    Default: On

Auto-Update
    This setting is specific to Windows 8.1 RT and Pro devices. This setting
    is turned on by default on a Windows 8.1 RT device.
    Default: On

Access Control

For the following options, select the compliance action you want to apply to
devices that trigger access control. For detailed information on the impact that
compliance actions have on devices, see Compliance actions for security policy
violations on page 192.

For All Platforms

Apply compliance action when a device has not connected to MobileIron in x days
    Select the compliance action you want to apply if a device has not
    connected to MobileIron Core in the specified number of days.
    iOS: Supports all compliance actions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager
    5.7: Supports only the following compliance actions:
    Sending alert
    Blocking email access if you are using a Standalone Sentry for email
    access.
    Blocking app tunnels.
Apply compliance action when a policy has been out of date for x days
    Select the compliance action you want to apply if a device has not met
    policy requirements for the specified number of days.
    iOS: Supports all compliance actions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager
    5.7: Supports only the following compliance actions:
    Sending alert
    Blocking email access if you are using a Standalone Sentry for email
    access.
    Blocking app tunnels.

Apply compliance action when a device violates following App Control rules
    Select the compliance action you want to apply when a device violates the
    specified App Control rules. See Applying an app control rule to a
    security policy on page 488.
    This option does not apply to WP8.1 devices.

For iOS devices

Apply compliance action when iOS version is less than
    Select the compliance action you want to apply when MobileIron detects an
    iOS device having a version number less than the specified version.
Apply compliance action when Data Protection is disabled
    Select the compliance action you want to apply when MobileIron detects an
    iOS device that has the Data Protection feature disabled.
Apply compliance action when a compromised iOS device is detected
    Select the compliance action you want to apply when MobileIron detects an
    iOS device that has been modified to circumvent manufacturer restrictions.
    Note that when the device is compromised, Mobile@Work prevents the user
    from accessing Docs@Work features. See Jailbreak impact on documents on
    page 521.
Apply compliance action for the following disallowed devices
    Select the compliance action you want to apply when MobileIron detects a
    specified iOS device.
Apply compliance action when device MDM is deactivated (iOS 5 or higher)
    Select the compliance action you want to apply when MobileIron detects
    that the MDM profile has been removed from the device.

For Android devices

Apply compliance action when Android version is less than x
    Select the compliance action you want to apply when MobileIron detects an
    Android device having a version number less than the specified version.

Apply compliance action when a compromised Android device is detected
    Select the compliance action you want to apply when MobileIron detects an
    Android device that has been rooted, that is, root access has been given
    to an app.
Apply compliance action when Data Encryption is disabled
    Select the compliance action you want to apply when MobileIron detects an
    Android device that has the Data Encryption feature disabled.
    Note: The quarantine action Remove All Configurations has no impact when
    data encryption is disabled.
Apply compliance action when device administrator is deactivated
    Select the compliance action you want to apply when MobileIron detects
    that the device administrator privilege has been removed from the
    MobileIron app.
    Note: The quarantine action Remove All Configurations has no impact when
    the device administrator is deactivated.

For Windows Phone devices

Apply compliance action when Data Encryption is disabled
    Select the compliance action you want to apply when MobileIron detects a
    WP8 device that has the Data Encryption feature disabled.
Application Restrictions
    For WP8.1 devices, select the checkbox, then select the app control rule
    from the dropdown list.
    WP8 devices ignore the app control rule.

Windows 8.1 RT and Pro password specifications:

                                                    Local Account   MSA Account   LDAP Account
Password Length (number of characters)              0 - 14          0 - 8         NA
Password Complexity (number of character groups)    3               2             NA
Password History (number of passwords)              0 - 24          NA            NA
Password Expiration (number of days)                0 - 999         NA            NA
Idle Time Until Lock (in seconds)                   1 - 1200        1 - 1200      -
Failed password attempts before wipe                4 - 16          4 - 16        -

If you change password specifications


If you change password specifications, users may be prompted to reset their
passwords. Consider notifying users of the new specifications before making changes
to the policy.
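The password items in the security policy table above and the Windows 8.1 specifications differ in what "complexity" means: iOS, OS X and Android count special characters, WP8 and WP8.1 count character classes, and Win 8.1 RT/Pro clamps the requested level to 2 or 3. The following Python is an added example, not code from this guide or the MobileIron product: a checker that evaluates a candidate passcode against such a policy before it is rolled out, so that the effect of a change can be tried against representative passwords. It models the rules as written here, not Core's or the device OS's enforcement; in particular it reads Simple as digits only and Alphanumeric as requiring at least one letter and one digit, both of which are assumptions, and the field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Model of the password settings of a security policy. Field names are the
# example's own; the defaults mirror the Default Security Policy listed above.


@dataclass
class PasswordPolicy:
    password_type: str = "dont_care"   # "simple", "alphanumeric" or "dont_care"
    min_length: Optional[int] = 6      # None means no minimum
    min_complex_chars: int = 0         # iOS/OS X/Android: count of special characters
    min_char_groups: int = 0           # WP8/WP8.1: number of character classes required
    history: int = 0                   # previous passwords that may not be reused


CHAR_GROUPS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_groups(pw: str) -> int:
    """Number of the four character classes present (lowercase, uppercase, digits, other)."""
    return sum(1 for pattern in CHAR_GROUPS if re.search(pattern, pw))


def special_chars(pw: str) -> int:
    """Count of non-alphanumeric characters, the iOS/OS X/Android notion of complexity."""
    return sum(1 for c in pw if not c.isalnum())


def win81_complexity_level(requested: int) -> int:
    """Win 8.1 RT/Pro applies level 2 for a requested level of 2 or lower, else level 3."""
    return 2 if requested <= 2 else 3


def check_password(pw: str, policy: PasswordPolicy,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the names of the rules `pw` violates; an empty list means compliant.

    `previous` lists earlier passwords, most recent last, for the history rule.
    """
    problems = []
    if policy.min_length is not None and len(pw) < policy.min_length:
        problems.append("min_length")
    if policy.password_type == "simple" and not pw.isdigit():
        problems.append("type_simple")          # assumption: Simple means numeric only
    if policy.password_type == "alphanumeric" and not (
            re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("type_alphanumeric")    # assumption: needs a letter and a digit
    if special_chars(pw) < policy.min_complex_chars:
        problems.append("min_complex_chars")
    if char_groups(pw) < policy.min_char_groups:
        problems.append("min_char_groups")
    if policy.history and pw in list(previous)[-policy.history:]:
        problems.append("history")
    return problems
```

Note that the history rule only ever sees the most recent `history` entries, which is why a password older than that window is accepted again.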

Compliance actions for security policy violations


When you configure access control in a security policy, you can select default
compliance actions that are provided with MobileIron Core. You can also select custom
compliance actions that you create.

Note: To create the custom compliance actions, see Custom compliance actions on
page 194.


Default compliance actions


The following table describes the default compliance actions:

Send Alert
    Sends the alert that you configured for the policy violation. To configure
    the alert, see Policy violations event on page 335.
Block Email, AppConnect Apps And Send Alert
    Sends the alert that you configured for the policy violation.
    Restricts access to email via ActiveSync if you are using a Standalone
    Sentry for email access.
    Note: If you manually block, allow, or wipe a device on the ActiveSync
    Associations page, blocking email access in a compliance action has no
    impact. The manual action overrides MobileIron Core's automatic
    decision-making about access to email via ActiveSync. See Overriding and
    re-establishing VSP management of a device on page 412.
    Immediately blocks access to the web sites configured to use the
    AppTunnel feature. This action blocks tunnels that AppConnect apps and iOS
    managed apps use.
    Unauthorizes AppConnect apps.
    iOS: AppConnect apps become unauthorized when the next app checkin
    occurs. When launched, an AppConnect app displays a message and exits.
    Some iOS AppConnect apps that have portions that involve only unsecured
    functionality can allow the user to use only those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps
    Manager 5.7: AppConnect apps become unauthorized when the next device
    checkin occurs. When the device user tries to launch an AppConnect app,
    the Secure Apps Manager displays a small pop-up message with the reason
    the app is unauthorized. This action impacts AppConnect apps that are
    part of the Docs@Work for Android solution, as well as third-party
    AppConnect for Android apps.
    iOS, Docs@Work for iOS: Blocks the use of Docs@Work features in
    Mobile@Work for iOS.


Custom compliance actions


You can customize the compliance actions that you want to take for the settings in the
Access Control section of security policies. Custom compliance actions enable you to
specify combinations of the following actions:
Send alert
Block email access and AppConnect apps (includes blocking app tunnels)
Quarantine: block email access, block app tunnels, block AppConnect apps, and
wipe AppConnect app data
Remove configurations (i.e., profiles)
Specify exceptions for WiFi-only devices
iOS only (iOS 5, iOS 6 or iOS 7): remove managed apps, and block new downloads

Once you create a set of these actions, you can select that set from the dropdowns in
the Access Control section of security policies.

Creating a custom compliance action


To create a custom compliance action for access control:
1. Go to Policies & Configs > Compliance Actions.
2. Click Add.The Add Compliance Action dialog appears.
3. Use the following guidelines to complete this screen.

Name
    Enter an identifier for this set of compliance actions. Consider
    specifying the resulting action so that the option will be more readable
    in the context of the security policy settings.
Alert via Event Center
    Select if you want to trigger a message indicating that the violation has
    occurred. To configure the alert, see Policy violations event on
    page 335.

Block email access and AppConnect apps
    Selecting this option has the following impact on the device:
    Restricts access to email via ActiveSync if you are using a Standalone
    Sentry for email access.
    Note: If you manually block, allow, or wipe a device on the ActiveSync
    Associations page, blocking email access in a compliance action has no
    impact. The manual action overrides MobileIron Core's automatic
    decision-making about access to email via ActiveSync. See Overriding and
    re-establishing VSP management of a device on page 412.
    Immediately blocks access to the web sites configured to use the
    AppTunnel feature. This action blocks tunnels that AppConnect apps and
    iOS managed apps use.
    Unauthorizes AppConnect apps.
    iOS: AppConnect apps become unauthorized when the next app checkin
    occurs. When launched, an AppConnect app displays a message and exits.
    Some iOS AppConnect apps that have portions that involve only unsecured
    functionality can allow the user to use only those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps
    Manager 5.7: AppConnect apps become unauthorized when the next device
    checkin occurs. When the device user tries to launch an AppConnect app,
    the Secure Apps Manager displays a small pop-up message with the reason
    the app is unauthorized. This action impacts AppConnect apps that are
    part of the Docs@Work for Android solution, as well as third-party
    AppConnect for Android apps.
    iOS, Docs@Work for iOS: Blocks the use of Docs@Work features in
    Mobile@Work for iOS.

Quarantine
    Selecting this option has the following impact on the device:
    Immediately blocks access to the web sites configured to use the
    AppTunnel feature. This action blocks tunnels that AppConnect apps and
    iOS managed apps use.
    AppConnect apps are retired, which means they become unauthorized and
    their secure data is deleted (wiped).
    iOS: AppConnect apps become unauthorized and their secure data is wiped
    when the next app checkin occurs. When launched, an AppConnect app
    displays a message and exits. Some iOS AppConnect apps that have portions
    that involve only unsecured functionality can allow the user to use only
    those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps
    Manager 5.7: AppConnect apps become unauthorized and their data is wiped
    when the next device checkin occurs. When the device user tries to launch
    an AppConnect app, the Secure Apps Manager displays a small pop-up
    message with the reason the app is unauthorized. This action impacts
    AppConnect apps that are part of the Docs@Work for Android solution, as
    well as third-party AppConnect for Android apps.
    iOS, Docs@Work for iOS: Blocks the use of Docs@Work features in
    Mobile@Work for iOS and wipes its data.

Remove All Configurations
    iOS: Select if you want to remove the configurations (that is, profiles)
    that provide access to corporate resources.
    Android: Select to remove the following configurations:
    Exchange
    VPN
    Wi-Fi
    Docs@Work
    However, because of Android limitations, this action does not remove any
    certificates used in SCEP, Certificate, and Wi-Fi configurations. These
    certificates are installed into the device's credential storage. Only the
    device user can remove them by using the Clear Credential Storage command
    in the Android Settings app on the device. Because such a certificate
    remains usable on the device, consider revoking it at the issuing CA if
    the violation warrants it. Certificates used in Exchange and VPN
    configurations are removed because these certificates are stored in the
    respective apps.
    Note: Starting with Mobile@Work 5.9 for Android, certificates installed
    in a Samsung SAFE device's credential store are removed.
Do not remove Wi-Fi settings from Wi-Fi only devices
    Select if you want to retain the Wi-Fi configurations for devices that do
    not have cellular access. You might select this option to ensure that you
    can still contact these devices.
    iOS: The iOS version determines how MobileIron decides whether a device
    supports Wi-Fi only. Prior to iOS 4.2.6, the device model (for example,
    iPod) is used.
Do not remove Wi-Fi settings
    iOS: Select if you want to retain the Wi-Fi configurations for any
    device, regardless of whether it has cellular access. You might select
    this option to preserve limited network access despite the policy
    violation.
Remove Managed apps, and block new downloads
    iOS 5, iOS 6 or iOS 7 only: Select if you want to remove managed apps and
    prevent reinstallation of these apps. This setting applies only to
    managed apps for which you selected Remove app when device is quarantined
    or signed out in the app distribution library.

4. If you have selected Show for the Android Custom ROM features in Settings > Preferences, then the wipe action is available. To enable wipe, first read and select the caution statement. You can then select Wipe the device.
Note: Wipe applies only to Android devices, and it applies to all Android devices.
5. Click Save.
This new compliance action now appears in the drop-down list of compliance actions in the Access Control section of security policies, on the Policies & Configs > Policies page.

When the compliance action takes effect

When you first apply a security policy, several factors affect the amount of time required to communicate the changes to targeted devices:
- sync interval
- time the device last checked in
- battery level
- number of changes already queued
- the app check-in interval for AppConnect for iOS

Once the change reaches the device, MobileIron Core checks the device for compliance. If the device is out of compliance, then the action is performed.

Confirming removal of configurations for iOS

The following entries in the MDM log (Logs & Events > MDM Log) indicate that configurations have been removed.

Restoring configurations
MobileIron automatically restores the configurations once the device user addresses
the policy violation. For example, if the policy violation resulted from an old version of
iOS, then upgrading resolves the issue. The same factors that apply to establishing
the quarantine affect the amount of time required to release the device from
quarantine.

Exception: If the Wi-Fi configuration has been removed from a Wi-Fi-only device, then configurations must be restored manually.

Viewing quarantine information

Devices that have had configurations removed due to policy violations are considered quarantined. You can view quarantine information in the following places:
- Users & Devices > Devices page
- Policies & Configs > Configurations page

Devices page: quarantined devices

To see if an individual device has been quarantined:
1. Go to Users & Devices > Devices.
2. Note devices that have been highlighted and appear with a quarantine icon.
3. Expand the device details for a quarantined device.
4. Click the Configurations tab in the device details panel to see which configurations
have been removed due to quarantine.

Configurations page: configurations removed due to quarantine

To see which configurations have been removed due to quarantine:
1. Go to Policies & Configs > Configurations.
2. Click a number link in the Quarantined column to display a list of devices that have had the configuration removed.

Working with privacy policies

Platform support: Android: partial (g); iOS: partial (g); OS X: partial (g); Win 7: -; WP8: -; Win 8.1 RT/Pro: -
g: Only Location and Apps privacy settings currently apply to iOS and Android. Only Apps privacy settings apply to OS X.

Privacy policies specify which files to synchronize with MobileIron Core and whether activity or content should be synchronized for each type of data. Privacy policies also specify which information the MobileIron Client should include in its log. Use the following guidelines to create or edit Privacy policies:

Item: Name
Default policy setting: Default Privacy Policy
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Default policy setting: Active
Select Active to turn on this policy. Select Inactive to turn off this policy.

Item: Priority
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 178 for more information.
Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Default policy setting: Default Privacy Policy
Enter an explanation of the purpose of this policy.

Item: SMS
Default policy setting: Sync Activity
Specify synchronization for SMS:
- Sync Activity: Collect SMS statistics.
- Sync Content: Collect SMS statistics and store SMS data on the MobileIron Server.
- None: Do not collect SMS statistics or store SMS data.
Note that, except in the case of the SMS archiving feature, if the user's privacy settings in MyPhone@Work specify that SMS content shall not be synced, then the Sync Content option here results in syncing of SMS activity data only.

Item: Apps
Default policy setting: Sync Inventory
Specify synchronization for apps:
- Sync Inventory: Obtain identifying information (i.e., metadata) for the apps installed on the device.
- None: Do not obtain app information. If you select this option, then app data for the device will not be reflected in the App Inventory page.
Exception: Identifying information on iOS managed apps is stored, regardless of the setting you select. See iOS managed apps on page 435 for information on managed apps.

Item: MobileIron iOS App Multitasking
Default policy setting: Disabled
Specify whether to enable or disable multitasking for the MobileIron iOS app. This feature governs whether the OS can bring the MobileIron app into memory periodically. No data is transmitted to the app by the OS when this occurs.

Item: Location
Default policy setting: Sync Cell Tower
Specify which location data, if any, is stored on MobileIron Core:
- None: No location data is stored.
- Sync Cell Tower: Cell tower data is stored.
- Sync GPS if available: GPS data is stored.

Item: iOS Installed App Inventory
Default policy setting: All Apps
Specify the app type, if installed on the device, that will be displayed in the Device App Inventory page.
- All Apps: All apps installed on the device are displayed.
- Managed Apps Only (iOS 7, iOS 7.1): Only managed apps installed on the device are displayed.
- Managed + Specified Apps Only (iOS 7, iOS 7.1): Only the following types of installed apps are displayed: managed apps, and apps with the bundle IDs entered here. If you have app control rules, add the app bundle IDs here. Otherwise, the app will not be displayed in the Device App Inventory page. You do not have to enter the bundle IDs for managed apps.

Working with lockdown policies

Platform support: Android: yes (m); iOS: -; Win 7: -; WP8: partial (n); WP8.1: partial; Win 8.1 RT/Pro: -
m: Camera lockdown is supported for Android 4.x and also on devices on which the Samsung SAFE APIs are present. Bluetooth and Wi-Fi lockdown are supported on devices on which Samsung SAFE APIs are present. Extended lockdown policies are supported with Android 4.x if the device has Samsung SAFE APIs present and is running Mobile@Work version 5.1.

Note: To lock down features on iOS devices, go to Policies & Configs > Configurations. Click Add New > iOS and OS X > Restrictions.

Lockdown policies specify which features should be disabled in the event that device access must be restricted. To create a lockdown policy, go to Policies & Configs > Policies. Click Add New > Lockdown.

Use the following guidelines to create or edit Lockdown policies:

Item: Name
Default policy setting: Default Lockdown Policy
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Default policy setting: Active
Select Active to turn on this policy. Select Inactive to turn off this policy.

Item: Priority
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 178 for more information.
Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Default policy setting: Default Lockdown Policy
Enter an explanation of the purpose of this policy.

Item: Bluetooth
Default policy setting: Enable Audio & Data
Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio.
Caution: MobileIron recommends against disabling audio because hands-free Bluetooth access is then disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.

Item: Camera
Default policy setting: Enable
Enable or disable camera access.

Item: NFC
Default policy setting: Enable
Enable or disable NFC (Near-field Communication) data exchange when the device touches another device.

Item: USB Mass Storage
Default policy setting: Enable
Enable or disable access to the device's USB storage from a computer.

Item: SD Card
Default policy setting: Enable
Not for Android unless Samsung Enterprise APIs are present on the device. Enable or disable access to the SD card.

Item: Wi-Fi
Default policy setting: Enable
Enable or disable access to wireless LANs.

Item: Roaming Data
Default policy setting: Enable
Enable or disable access to data services while roaming.

Item: Copy / Paste
Default policy setting: Enable
Enable or disable access to copy / paste functionality.

Item: Screen Capture
Default policy setting: Enable
Enable or disable screen capture.

Item: GPS User Control
Default policy setting: Enable
Enable or disable the device user's ability to turn GPS on and off.

Item: GPS
Default policy setting: Enable
If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device.

Android:

Item: Lockscreen Widgets
Default policy setting: Enable
Android 4.2, 4.3, 4.4: Enable or disable the ability to add widgets to the lockscreen. Placing widgets on the lockscreen means device users can perform tasks without unlocking the device.
Note: Though Samsung SAFE devices have a feature that is very similar, it is not the Android lockscreen widgets feature, which is what MobileIron Core controls. This option has no effect on SAFE devices.

Item: Microphone
Default policy setting: Enable
Enable or disable access by apps to the microphone. This feature does not impact voice calls.

Item: USB Debug
Default policy setting: Enable
Enable or disable the device user's ability to enable USB debugging.

Samsung SAFE (Android 4.x with Samsung Enterprise APIs and running version 5.6 through 5.9 of the Mobile@Work for Android app):

Item: Android Browser
Default policy setting: Enable
Enable or disable access to the Android browser.

Item: Email Account Creation
Default policy setting: Enable
Enable or disable the device user's ability to configure an email account on the device.

Item: Factory Reset
Default policy setting: Enable
Enable or disable the ability to reset the device to factory defaults.

Item: Google Backup
Default policy setting: Enable
Enable or disable backup to Google servers.

Item: Google Play
Default policy setting: Enable
Enable or disable access to Google Play.

Item: Make Passwords Visible
Default policy setting: Enable
Enable to allow users to change the Make Passwords Visible setting on their device. Disable to prevent users from changing this setting and make password characters not visible.

Item: Management Removal
Default policy setting: Enable
Enable or disable the device user's ability to remove the Mobile@Work app and the Samsung DM Agent.

Item: OTA Upgrade
Default policy setting: Enable
Enable or disable over-the-air upgrades of the device firmware.
Warning: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.

Item: Roaming Voice Calls
Default policy setting: Enable
Enable or disable voice calls while roaming.

Item: Setting Changes
Default policy setting: Enable
Enable or disable the device user's access to the Settings app.
Warning: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.

Item: Tethering - Bluetooth
Default policy setting: Enable
Enable or disable Bluetooth tethering.

Item: Tethering - USB
Default policy setting: Enable
Enable or disable USB tethering.

Item: Tethering - Wi-Fi
Default policy setting: Enable
Enable or disable Wi-Fi tethering.

Item: Unknown Sources
Default policy setting: Enable
Enable or disable installation of apps from sources other than Google Play.

Item: USB Media Player
Default policy setting: Enable
Enable or disable the USB media player.

Item: YouTube
Default policy setting: Enable
Enable or disable access to YouTube.

Windows Phone (options for WP8.1):

Item: Internet Sharing
Default policy setting: Enable
Enable or disable Internet sharing.

Item: Microsoft Store
Default policy setting: Enable
Enable or disable access to the Windows Phone Store.

Item: Manual Email Set-up
Default policy setting: Enable
Enable or disable the ability to manually add an email account on the device.

Item: VPN while Roaming
Default policy setting: Enable
Enable or disable VPN when the device is out of network.

Item: Hotspot Discovery
Default policy setting: Enable
Enable or disable Hotspot Discovery.

Item: Microsoft Account
Default policy setting: Enable
Enable or disable Microsoft SkyDrive or Live Account.

Item: Save as of MS-Office
Default policy setting: Enable
Enable or disable the Save As operation for an MS-Office document.

Item: Browser
Default policy setting: Enable
Enable or disable Internet Explorer. The option does not have any impact on any other browsers installed from the Windows Store.

Item: Manual Wi-Fi Setup
Default policy setting: Enable
Enable or disable the ability to manually add a Wi-Fi setup.

Item: Wi-Fi Sense Hotspots
Default policy setting: Enable
Enable or disable the device automatically connecting to Wi-Fi hotspots and to friends' social network Wi-Fi.

Item: MS Error Reporting
Default policy setting: Enable
Enable or disable Error Reporting.

Item: Sharing Of MS-Office Files
Default policy setting: Enable
Enable or disable sharing MS-Office files.

Item: Profile Roaming
Default policy setting: Enable
Enable or disable cellular data roaming.

Item: Action Center Notifications
Default policy setting: Enable
Enable or disable Action Center notifications.

Item: Developer Unlock
Default policy setting: Enable
Enable or disable Developer Unlock.

Item: Search to Use Location
Default policy setting: Enable
Enable or disable the Access to my location feature on the device. Disabling this feature affects Cortana and Bing.

Item: Manual Root Certificate Installation
Default policy setting: Enable
Enable or disable the ability to manually install a root certificate on the device. If disabled, the device user cannot install a root certificate to the device.

Item: Store Images From Visual Search
Default policy setting: Enable
Enable or disable the Visual Search option in Bing.

Item: Voice Recording
Default policy setting: Enable
Enable or disable voice recording in Cortana.

Item: Return Without Password
Default policy setting: Enable
Enable or disable the ability for the device user to set the grace period for locking. If enabled, the device user can set the grace period for locking the device. If disabled, the Security policy sets the grace period, and the option is not available to the device user.

Item: Cortana
Default policy setting: Enable
Enable or disable Cortana.

Note: Policy changes may cause devices to which that policy is applied to prompt the
user to restart the device.

Working with sync policies

Platform support: Android: yes; iOS: -; Win 7: -; WP8: partial (a); WP8: partial (a); Win 8.1 RT/Pro: -
a: Only the sync interval is applied, and only at enrollment.

Sync policies specify how the MobileIron Client behaves on the device and interacts with MobileIron Core. These interactions include synchronization of profiles, configurations, and app inventory.

Windows 8.1 RT and Pro devices only sync every 24 hours. The sync interval cannot be set through the Sync settings. Force Device Check-In is supported. The Admin can force the device to check in at any time.

For Windows Phone 8.1 devices, only Sync Interval is applied. The sync interval is applied when the device registers with MobileIron Core. Any changes to the sync interval after the device has registered are not applied to the device.

Use the following guidelines to create or edit sync policies:

Item: Name
Default policy setting: Default Sync Policy
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Default policy setting: Active
Select Active to turn on this policy. Select Inactive to turn off this policy.

Item: Priority
Specify a priority for this policy in relation to other custom policies of this type. Priority determines which policy is applied in the case of a conflict. For example, if a device has two labels assigned to it, and each label has a different sync policy, then the priority determines which policy is applied.
Select Higher than or Lower than and select the relative policy from the dropdown list. Because priority applies only to custom policies, this setting is not available when you create the first custom policy of this type. Default policies are not included in prioritization.

Item: Description
Default policy setting: Default Sync Policy
Enter an explanation of the purpose of this policy.

Item: Server IP/Host Name
Displays the IP address or host name of the MobileIron Core instance that the MobileIron Client will communicate with. This setting is completed automatically when the first phone registration is requested.

Item: Use TLS
Default policy setting: selected
Specify whether to use Transport Layer Security for interactions between MobileIron Core and the MobileIron Client installed on devices.

Item: Sync While Roaming
Default policy setting: Only Activity and SMS Content
Specifies which data, if any, should be synchronized with Core while the device is roaming.
- All Activity and Content: Causes all activity and content to be synchronized while the device is roaming.
- Only Activity and SMS Content: Restricts synchronized data to activity and SMS content while the device is roaming. Eliminates synchronization of some data to reduce the cost of data transfer when additional charges may apply. This option is selected by default.
- Only Roaming Status: Restricts synchronized data to roaming status while the device is roaming. Eliminates synchronization of most data to minimize the cost of data transfer when additional charges may apply. Synchronizing roaming status ensures that location data is communicated to the server and that roaming alerts can be generated in a timely fashion. International roaming alerts are not generated.
- No Sync: Prevents all data from being synchronized while the device is roaming. Roaming alerts may not be generated by Event Center in a timely fashion because the device cannot communicate its roaming status. Therefore, if international roaming alerts have been configured, the MobileIron Client on the device will generate a local roaming alert.

Item: Heartbeat Interval
Default policy setting: 14
Not for iOS: Specify the maximum amount of time that the MobileIron Client will wait before sending a request to the MobileIron Server to confirm that the client and server are connected.
Note that the MobileIron Client does not connect to the server according to this interval unless the Client is Always Connected option is selected. Core will close the network connection for clients that have been inactive for twice the interval specified for this setting, thereby reducing demand on Core.
Why: Increasing the heartbeat interval can help preserve battery life. Decreasing the heartbeat interval helps the MobileIron Client detect disconnection from the MobileIron Server more quickly.

Item: Sync Interval
Default policy setting: 240
Specify the frequency for starting the synchronization process between the device and the MobileIron Server.
Note: Decreasing this interval requires additional resources that may increase the drain on phone batteries.

Item: MobileIron iOS App Multitasking Sync Interval
Default policy setting: 15 minutes
Specifies the minimum duration between attempts to send iOS device details to Core. This duration is adhered to when iOS brings the MyPhone@Work iOS app into memory following major location change events.
See iOS multitasking sync interval and sending device details to MobileIron Core on page 212 for additional information.

Item: Client is Always Connected
Default policy setting: Disabled
Not for iOS. Specify whether the MobileIron Client should remain connected to MobileIron Core during the sync interval. Keeping the client connected ensures timely communication between the client and Core. You might consider disabling this feature if battery drain becomes an issue.
For Android devices, see Android devices and the Client Is Always Connected option on page 212.

Sync policies and battery use

If you note significant battery impact after installing the MobileIron Client, consider reviewing and optimizing your sync policies.

Country changes and alerts

Country changes are monitored by the MobileIron Client. Assuming that the Sync While Roaming option is not set to No Sync, each country change causes the MobileIron Client to send the change to MobileIron Core. If the MobileIron Client can connect, then the Event Center generates the configured alerts, regardless of the sync interval. If connectivity is not established, then the MobileIron Client generates a local alert, if configured.

iOS multitasking sync interval and sending device details to MobileIron Core

MobileIron uses multitasking features available starting in iOS 4.0 on devices that are cellular enabled, i.e., iPhone and iPad 3G. For all other iOS devices, synchronization of device details has not changed. This approach reduces the dependence on manual start of the app to report critical changes to the device.

The synchronization process is as follows:
- Each time the iOS Multitasking Sync Interval elapses, if the MobileIron app is awake, the MobileIron app reports device details to MobileIron Core. These details include whether the SIM has been changed and whether the device has been compromised. This sync interval is set to 15 minutes by default, but is configurable in the Sync policy. The app does not wake up on its own.
- Independently of the multitasking sync interval, the operating system may wake up the app based on changes in cell tower location. In this case, the app determines if device details have been sent to Core within the specified multitasking sync interval. If device details have not been sent during that interval, then the app sends those details to Core. If the app wakes up and determines that the device has been compromised or the SIM state has changed, this information is immediately sent to Core.

Android devices and the Client Is Always Connected option

Android devices that are running Mobile@Work version 5.6 or later support the Client is Always Connected option on the sync policy. Enable this option only when C2DM cannot be used. These situations include:
- Devices running Android versions prior to 4.0 that have no Google account configured.
- Regions and countries in which C2DM is not available.
- Select commercial and government use cases.
- Devices which do not support C2DM, such as the Amazon Kindle.

MobileIron Core uses C2DM to immediately send lock, unlock, retire, and wipe commands to devices. With this field enabled, the Core can send these commands to the device at any time without using C2DM.

MobileIron recommends that you enable Always Connected mode on a maximum of 5000 devices per Core instance. The reason is that the device generates a regular connection status check to Core when using Always Connected mode.

This status check can impact the device as follows:
- It will cause a small increase in battery power consumption on the device.
- It will cause a small increase in bandwidth usage on the device, which sometimes is a concern when using cellular networks.

Working with Docs@Work policies

Platform support: Android: -; iOS: yes; Win 7: -; WP8: -; Win 8.1 RT/Pro: -

Docs@Work policies specify settings that change the behavior of the Mobile@Work for iOS app.
For information on configuring a Docs@Work policy, see For iOS: Set up Docs@Work policies on page 571.

Working with single-app mode policies for iOS

Single-app mode enables you to configure an iOS device for kiosk-like use, restricting use of the device to the designated app. For example, you might want to configure an iPad for use as an electronic catalog. The Home button and features such as taking a screenshot or receiving notifications are disabled. The Single-App Mode policy specifies the app to use.

This policy applies only to supervised iOS 6 devices, that is, devices that have been deployed using the Apple Configurator.

To configure a single-app mode policy:

1. Select Policies & Configs > Policies > Add New > Single-App Mode.
2. Use the following guidelines to complete this form:

Item: Name
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Select Active to turn on this policy. Select Inactive to turn off this policy.
Why: Use the Status feature to turn a policy on or off across all phones affected by it. The policy definition is preserved in case you want to turn it on again.

Item: Priority
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Enter an explanation of the purpose of this policy.

Item: Identifier
Enter the bundle ID of the app to be used. Example: com.apple.mobilesafari.

3. Click Save.
4. Apply the policy to the appropriate labels.

Finding the bundle ID

To determine the bundle ID:
1. Sync your device to your iTunes library.
2. On your PC or Mac, open the Mobile Applications folder in the iTunes library.
3. Duplicate the app file and assign a .zip extension.
4. Open the iTunesMetadata.plist file in the zip file.
5. Find the softwareVersionBundleId key in the list.
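As an added example (not from this guide or from MobileIron), the following Python script performs the lookup described above without the manual rename: it opens the .ipa as the zip archive it is and reads softwareVersionBundleId from iTunesMetadata.plist. It goes one step beyond the procedure by falling back to CFBundleIdentifier in the app's Info.plist when the archive carries no iTunesMetadata.plist; the sample archive it builds so that it runs offline is constructed data, not a real app.

```python
"""Read an iOS app's bundle ID from an .ipa archive, for the Identifier field
of a Single-App Mode policy.

An .ipa file is a zip archive. Apps synced through iTunes carry an
iTunesMetadata.plist at the archive root whose softwareVersionBundleId key
holds the bundle ID; this script reads it directly instead of renaming the
file to .zip. As a fallback it reads CFBundleIdentifier from the app's
Info.plist under Payload/<name>.app/, which every .ipa contains.
This is an added example, not MobileIron code.
"""
import io
import plistlib
import sys
import zipfile
from pathlib import PurePosixPath


def read_bundle_id(ipa_path):
    """Return the bundle ID found in an .ipa (path or file object), else raise ValueError."""
    with zipfile.ZipFile(ipa_path) as ipa:
        names = ipa.namelist()
        # Preferred source: the iTunes metadata described in the manual steps.
        if "iTunesMetadata.plist" in names:
            meta = plistlib.loads(ipa.read("iTunesMetadata.plist"))
            bundle_id = meta.get("softwareVersionBundleId")
            if bundle_id:
                return bundle_id
        # Fallback: Payload/<App>.app/Info.plist, key CFBundleIdentifier.
        # plistlib.loads handles both XML and binary plists.
        for name in names:
            parts = PurePosixPath(name).parts
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                info = plistlib.loads(ipa.read(name))
                bundle_id = info.get("CFBundleIdentifier")
                if bundle_id:
                    return bundle_id
    raise ValueError("no bundle ID found in %s" % ipa_path)


def build_sample_ipa(bundle_id, with_itunes_metadata=True, with_info_plist=True):
    """Build an in-memory .ipa holding constructed sample plists (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_info_plist:
            # Info.plist is written as a binary plist, as in shipped app bundles.
            z.writestr("Payload/Sample.app/Info.plist",
                       plistlib.dumps({"CFBundleIdentifier": bundle_id,
                                       "CFBundleName": "Sample"},
                                      fmt=plistlib.FMT_BINARY))
        if with_itunes_metadata:
            z.writestr("iTunesMetadata.plist",
                       plistlib.dumps({"softwareVersionBundleId": bundle_id,
                                       "itemName": "Sample"}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a real .ipa path as the first argument; otherwise use the constructed sample.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_ipa("com.example.catalog")
    print(read_bundle_id(source))
```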

Company Confidential
216
Managing Policies

Working with global HTTP proxy policies

The Global HTTP Proxy policy applies only to supervised iOS 6 devices, that is, devices that have been deployed using the Apple Configurator. The web proxy monitors traffic and detects sensitive data that is being sent in violation of information security policies, enabling administrators to address DLP and content filtering needs.
When the global HTTP proxy policy is configured on an iOS device, HTTP traffic is routed to a proxy server that the IT admin specifies. If that server is not reachable for any reason, the apps on the device that use HTTP as a transport mechanism cannot send or receive data. The global HTTP proxy works over both cellular and Wi-Fi networks and requires that apps use the native iOS networking APIs.

Important: Confirm that you have specified the correct proxy information, and that the proxy is reachable. An invalid or unreachable proxy server will make the device unreachable by the network. In this case, physical access is required to reset the device.

To configure a global HTTP proxy policy:

1. Go to Policies & Configs > Policies.
2. Select Add New > Global HTTP Proxy.
3. Use the following guidelines to complete this form:

Item: Name
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Select Active to turn on this policy. Select Inactive to turn off this policy.
Why: Use the Status feature to turn a policy on or off across all phones affected by it. The policy definition is preserved in case you want to turn it on again.

Item: Priority
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Enter an explanation of the purpose of this policy.

Item: Proxy Type
Select Manual or Auto. If you select Manual, then you must specify the proxy server address and port. A username and password for the server are optional input. If you select the Auto proxy type, then you have the option of entering a proxy autoconfiguration (PAC) URL.

Item: Proxy Server
If you selected the Manual proxy type, enter the network address for the proxy server.

Item: Proxy Server Port
If you selected the Manual proxy type, enter the port number for the proxy server.

Item: User Name
Optional. Enter the user name for authenticating to the proxy server.

Item: Password
Optional. Enter the password for authenticating to the proxy server.

Item: Proxy PAC URL
Optional. If you selected the Auto proxy type, enter the proxy autoconfiguration (PAC) URL. If you leave this field blank, the device will use the web proxy autodiscovery protocol (WPAD) to determine the location of the PAC file.

4. Click Save.
5. Apply the policy to the appropriate labels.
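Because an unreachable proxy leaves a supervised device cut off until it is physically reset, a practitioner would want to check the values before applying the policy to labels. As an added example, not part of this guide or of MobileIron Core, the following Python script applies the field rules from the table above (Manual needs a server and port; Auto may leave the PAC URL blank to fall back to WPAD) and, for a Manual proxy, confirms that the proxy answers on its port. The dictionary keys and the proxy.example.com sample values are assumptions made for the example.

```python
"""Pre-deployment check for a Global HTTP Proxy policy (added example, not
MobileIron code). Validates the form's field values and, for a Manual proxy,
confirms the proxy accepts TCP connections before the policy is applied.
"""
import socket
from urllib.parse import urlparse


def validate_policy(policy):
    """Return a list of problems with the policy's fields (empty list = OK).

    policy is a dict with assumed keys mirroring the form: proxy_type
    ("Manual" or "Auto"), proxy_server, proxy_server_port, user_name,
    password, proxy_pac_url.
    """
    problems = []
    ptype = policy.get("proxy_type")
    if ptype == "Manual":
        if not policy.get("proxy_server"):
            problems.append("Manual proxy type requires a proxy server address")
        port = policy.get("proxy_server_port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append("Manual proxy type requires a port between 1 and 65535")
        # Credentials are optional, but a password with no user name is a mistake.
        if policy.get("password") and not policy.get("user_name"):
            problems.append("password given without a user name")
    elif ptype == "Auto":
        pac = policy.get("proxy_pac_url")
        if pac:  # blank is allowed: the device then uses WPAD to find the PAC file
            parsed = urlparse(pac)
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                problems.append("PAC URL must be an absolute http(s) URL")
    else:
        problems.append("proxy_type must be Manual or Auto")
    return problems


def proxy_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def check_before_apply(policy):
    """Field validation plus a reachability test for Manual proxies."""
    problems = validate_policy(policy)
    if not problems and policy["proxy_type"] == "Manual":
        host, port = policy["proxy_server"], policy["proxy_server_port"]
        if not proxy_reachable(host, port):
            problems.append("proxy %s:%d is not reachable; do not apply this policy"
                            % (host, port))
    return problems


def open_loopback_listener():
    """Open a throwaway listening socket on 127.0.0.1 (stands in for a proxy in tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample values; replace with the proxy you intend to configure.
    sample = {"proxy_type": "Manual", "proxy_server": "proxy.example.com",
              "proxy_server_port": 3128, "user_name": "", "password": "",
              "proxy_pac_url": ""}
    for line in check_before_apply(sample) or ["policy OK"]:
        print(line)
```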

Working with Android kiosk policies

The Android kiosk policy specifies whether the kiosk devices use single-app mode or multiple-app mode.

See Android Kiosk Support on page 859 for information on configuring this policy.

Working with Android Quick Setup policies

The Android Quick Setup policy offers additional options for getting devices configured quickly:
- optional Device Administrator role for Mobile@Work
- cache registration password for Exchange and Wi-Fi configuration.

To set up an Android Quick Setup policy:

1. Go to Policies & Configs > Policies.
2. Select Add New > Android > Android Quick Setup.
3. Use the following guidelines to complete the form:

Item: Name
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Item: Status
Select Active to turn on this policy. Select Inactive to turn off this policy.
Why: Use the Status feature to turn a policy on or off across all phones affected by it. The policy definition is preserved in case you want to turn it on again.

Item: Priority
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device.
Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B.
Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Enter an explanation of the purpose of this policy.


Policy Parameters: Clear the Device Administrator option to complete registration without applying the Device Administrator role to the Mobile@Work app. Clearing this option streamlines the registration process by eliminating the need for the device user to approve granting the Device Administrator role. Clearing the option also disables the following features on the device:
Password requirements
Device encryption
Device lock/unlock
Wipe
Camera lock
Lockdown policies
Samsung SAFE features
Samsung native email configuration
Samsung KNOX container
Kiosk mode
Use registration password for: Select the Exchange and/or Wi-Fi checkbox to cache the registration password on the device for use in configuring the Exchange and/or Wi-Fi settings. Selecting these options streamlines the configuration process if you are using LDAP for authentication as part of the registration and Exchange/Wi-Fi configuration processes. Note that the password is cached in memory only. Terminating the app drops the password from memory.

4. Click Save.
5. Apply the policy to the appropriate labels (More Actions > Apply to Labels).


Working with Samsung general policies


Use the Samsung general policy to manage Samsung KNOX license keys on Samsung
devices.

Upgrade Note: The Samsung KNOX license key for Samsung KNOX activation has
been moved from the Samsung (KNOX) Container policy (Policies & Configs >
Configurations) to the Samsung General policy (Policies & Configs > Policies). If a
license key is configured in the Container policy, then a new Samsung general policy is
automatically created.

To configure a Samsung general policy:


1. In the Admin Portal go to Policies & Configs > Policies.
2. Click Add New > Android > Samsung General.
3. Use the following guidelines to complete this form:

Item Description
Name: Enter a unique name for the policy.
Status: Select Active to turn on this policy. Select Inactive to turn off this policy.
Priority: Select Higher than or Lower than, then select an existing policy from the dropdown list. If you have multiple policies, use the Priority setting to select which policy gets applied. See Prioritizing policies in the MobileIron Core Administration Guide.
Description: Enter a description for the policy.
KNOX License Key: Enter the Samsung KNOX license key.
KNOX Device Attestation Enabled: To enable attestation, first select the I understand checkbox, then select KNOX Device Attestation Enabled. See also: Attestation support for Samsung KNOX on page 222. The attestation feature is supported starting in VSP version 6.0 and Mobile@Work for Android version 6.0.

4. Click Save.

Attestation support for Samsung KNOX


In a BYOD environment, it is possible for employees to use rooted Android devices with customized firmware. Using the attestation feature, an enterprise can validate a device's integrity before it installs a Samsung KNOX container on the device.

The attestation feature requires Samsung Android devices that are attestation
capable.


Attestation works by sending a challenge to the device to test its integrity. The device
responds, and MobileIron Core returns its final verification. A device responds to the
challenge in one of three ways:
Correctly, resulting in attestation state of PASS
Incorrectly, resulting in attestation state of FAIL
No response, resulting in attestation state of UNKNOWN.

A device without attestation support does not respond. A device that supports
attestation may also not respond, for example, if it has no network connectivity, or if it
was compromised and sends no response.

An attestation challenge is sent to a device when the device checks in with MobileIron Core, but not more frequently than once per hour. The attestation result determines whether a Samsung KNOX container is removed, installed, or left unchanged. Additional compliance actions triggered by an attestation FAIL can be defined in a security policy.

Important Note: For all Samsung Android devices, whether or not they are
attestation-capable, enabling attestation for the device removes a pre-existing
Samsung KNOX container from the device.

See Attestation behavior on the device, below, for more details.

Configuring attestation on MobileIron Core

Prerequisites
You must have a Samsung KNOX License Key to enable attestation.
Samsung Android devices that support attestation are required to take
advantage of this feature.

Recommendations
For the best user experience, apply attestation to a new device deployment. If
you enable attestation on a previously deployed device, any existing Samsung
KNOX container will be removed, and replaced only if the device passes the
attestation challenge.
We recommend enabling attestation in a homogeneous environment where all
the devices are known to support attestation. For example, where all
attestation-capable Samsung devices are corporate owned and assigned to an
LDAP group.
We strongly recommend against enabling attestation to groups of devices
where attestation support is unknown or mixed.

Configuring attestation step-by-step

Follow these steps to enable attestation, create a related security policy with optional
custom compliance actions, and assign the policy to devices.


In the Admin Portal:


1. Create a label to use for attestation-related policies and devices:
1.1 Go to Users & Devices > Labels
1.2 Select Add Label. Name the label Attestation Label, for example.
2. Enable attestation in the Samsung General Policy:
2.1 Go to Policies & Configs > Policies.
2.2 Select Add New > Android > Samsung General. The New Samsung General
Policy dialog appears.
2.3 Enter the Name.
2.4 Enter the KNOX License Key.
2.5 Read the Caution statement, and then select the I understand checkbox beneath it.
2.6 Select KNOX Device Attestation Enabled.
2.7 Click Save.
3. Assign the Samsung General Policy to a label:
3.1 Select the policy.
3.2 Select More Actions > Apply to Label.
3.3 Select the desired label (for example, Attestation Label).
3.4 Click Apply.
4. Optionally, create a custom compliance action to use in the attestation security
policy:
4.1 Go to Policies & Configs > Compliance Actions.
4.2 Select Add.
4.3 Select the actions to take if attestation fails.
4.4 Click Save.
5. Create a security policy to define the consequences when attestation fails:
5.1 Go to Policies & Configs > Policies.
5.2 Select Add New > Security. The New Security Policy dialog appears.
5.3 Enter a name. For example, Attestation Security Policy.
5.4 Scroll down to Access Control and find the For Android devices section.
5.5 Select the checkbox for when Samsung KNOX device attestation fails.
5.6 Choose the compliance action from the dropdown. If you created a custom
compliance action for attestation, it appears as one of the options.
5.7 Click Save.
6. Assign the Security Policy to a label:
6.1 Select the policy.
6.2 Select More Actions > Apply to Label.
6.3 Select the desired label (for example, Attestation Label).
6.4 Click Apply.
7. Assign devices to the label with the attestation policies.
7.1 Go to Users & Devices > Devices.
7.2 Select attestation-capable Samsung device(s).
7.3 Select Actions > Apply to Label.


7.4 Select the label with attestation policies (for example, Attestation Label).
7.5 Click Apply.

Warning: For all Android devices, KNOX containers that were created before
attestation is enabled are removed when the attestation policy is applied.

Attestation behavior on the device

When a label that includes a Samsung General policy with the attestation feature enabled is applied to a device, MobileIron Core sends attestation challenges to the device periodically. The behavior of each device type is detailed below.

Note: Applying attestation to devices that are not attestation-capable is not recommended.

iOS or Windows devices


Attestation is not supported.

Android devices that are not attestation-capable


Attestation state is reported as UNKNOWN in Device Details in the Admin Portal.
Attestation state will always be UNKNOWN because the device is incapable of
responding to an attestation challenge.
Any existing Samsung KNOX container is removed from the device.
No new Samsung KNOX container is installed.

Android devices that are attestation-capable


An attestation-capable device will respond to the attestation challenge. A challenge
result can be PASS, FAIL, or UNKNOWN.

If the attestation result is PASS:


Attestation state is reported as PASS in Device Details in the Admin Portal.
For a new device deployment, a Samsung KNOX container is installed.
For an existing device which has a KNOX container that was installed before
attestation was enabled:
Pre-attestation KNOX container is removed.
New KNOX container is installed.
For a device that previously passed, the KNOX container remains unchanged.

If the attestation result is FAIL:


Attestation state is reported as FAIL in Device Details in the Admin Portal.
Samsung KNOX container is removed.
Additional compliance actions are taken based on the security policy in effect
for the device, triggered by the when Samsung KNOX device attestation fails
condition.


If there is no response, the attestation result is UNKNOWN:


Attestation state is reported as UNKNOWN in Device Details in MobileIron Core.
If the device has previously passed attestation, it continues to function as if it
has passed. The KNOX container remains unchanged.
If the device has not ever passed attestation, then:
Any pre-attestation KNOX container is removed.
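The challenge outcomes and container actions described in this section and in Attestation support for Samsung KNOX above (one challenge per hour at most; PASS installs or replaces the container; FAIL removes it and fires the security policy condition; no response leaves a device that has ever passed untouched) modelled as a small state machine. This is an added example, not MobileIron code: the DeviceRecord fields, the minute-based clock and the action names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# "not more frequently than once per hour"; the clock is modelled in minutes (assumption)
CHALLENGE_INTERVAL_MIN = 60


@dataclass
class DeviceRecord:
    """Constructed per-device state; MobileIron Core's real schema is not on the page."""
    attestation_capable: bool
    has_container: bool                 # a Samsung KNOX container exists on the device
    container_attested: bool = False    # True once the container was installed after a PASS
    ever_passed: bool = False
    state: str = "UNKNOWN"              # PASS, FAIL or UNKNOWN, as shown in Device Details
    last_challenge_min: Optional[int] = None


def should_challenge(device: DeviceRecord, now_min: int) -> bool:
    """A challenge goes out at check-in unless one was already sent within the last hour."""
    return (device.last_challenge_min is None
            or now_min - device.last_challenge_min >= CHALLENGE_INTERVAL_MIN)


def apply_result(device: DeviceRecord, response: Optional[str]) -> Tuple[str, bool]:
    """Apply one challenge outcome; response is 'PASS', 'FAIL' or None (no reply).

    Returns (container_action, compliance_action_triggered) where container_action
    is 'installed', 'replaced', 'removed' or 'unchanged'.
    """
    if response == "PASS":
        device.state = "PASS"
        device.ever_passed = True
        if device.has_container and device.container_attested:
            return ("unchanged", False)          # device previously passed: nothing to do
        action = "replaced" if device.has_container else "installed"
        device.has_container = True              # pre-attestation container replaced by a new one
        device.container_attested = True
        return (action, False)
    if response == "FAIL":
        device.state = "FAIL"
        action = "removed" if device.has_container else "unchanged"
        device.has_container = False
        device.container_attested = False
        return (action, True)                    # "when Samsung KNOX device attestation fails"
    # No response: UNKNOWN. A device that has ever passed keeps behaving as if it passed.
    device.state = "UNKNOWN"
    if device.ever_passed:
        return ("unchanged", False)
    if device.has_container and not device.container_attested:
        device.has_container = False             # pre-attestation container removed, none installed
        return ("removed", False)
    return ("unchanged", False)


def process_checkin(device: DeviceRecord, response: Optional[str], now_min: int) -> Tuple[str, bool]:
    """One device check-in: throttle the challenge, then apply the (possibly absent) answer."""
    if not should_challenge(device, now_min):
        return ("not challenged", False)
    device.last_challenge_min = now_min
    if not device.attestation_capable:
        response = None     # a device without attestation support never answers
    return apply_result(device, response)


if __name__ == "__main__":
    # Constructed trace: a legacy device with a pre-attestation container passes, then fails.
    legacy = DeviceRecord(attestation_capable=True, has_container=True)
    for minute, answer in ((0, "PASS"), (30, "PASS"), (60, "FAIL"), (120, None)):
        print(minute, answer, process_checkin(legacy, answer, minute), legacy.state)
```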


Troubleshooting policies

Troubleshooting: compliance actions


The application settings were not removed from the device.
1. Confirm that the device is an MDM-enabled iOS device.
2. Confirm that the device has checked in.
3. Confirm that the sync interval has elapsed since you made the change to policy.

Troubleshooting: Android encryption


Data Encryption is not enabled, but the Android device has not been blocked and no
alert has been issued.
1. Confirm that the device supports encryption (Android 3.x/4.x or Samsung with
Enterprise APIs).
2. Confirm that the event is assigned to a label.
3. Confirm that the device has been applied to the correct label.
4. Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
5. Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.
6. If the user insists that encryption has been enabled, the encryption may be delayed
by battery level constraints imposed by Android devices. Ask the device user to
plug in the device so that encryption can be implemented.

Troubleshooting: quarantine on iOS devices


An iOS device that is out of compliance with the security policy has not been
quarantined.
1. Confirm that the device is an iOS device with MDM enabled.
2. Confirm that the app setting that has not been removed is currently supported for
quarantine.
3. Confirm that the security policy containing the quarantine flag is assigned to a
label. Exception: Assignment to a label is not required for the default security
policy.
4. Confirm that the device has been applied to the correct label.
5. Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
6. Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.

The user has addressed the security policy violation, but the device is still
quarantined.


1. Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
2. Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.

Chapter 6

Managing Device Settings with Configurations

About managing device settings
Android Samsung browser settings
Android Samsung kiosk settings
Android Samsung KNOX Container settings
Exchange settings
Email settings (POP and IMAP)
Wi-Fi settings
VPN settings
AppConnect settings
AppConnect Configuration settings
AppConnect Container policy settings
Bookmarks settings
Certificates settings
SCEP settings
MobileIron Core as a SCEP reverse proxy for WP8.1 devices
Docs@Work settings
Web@Work settings
Working with Android Kiosk Settings
iOS and OS X settings
iOS settings
iOS and OS X differences
Samsung KNOX support


About managing device settings


Configuring major settings across a large inventory of different devices can mean a major daily time investment for IT personnel. You can automate this process by specifying and distributing configurations, previously called app settings. A configuration is a group of settings to be applied to devices.

The following table summarizes the device settings managed by MobileIron Core.

Category: Types
Android Samsung: Samsung Browser, Samsung Kiosk, Samsung KNOX Container
Infrastructure: Exchange, Email, Wi-Fi, VPN, Bookmarks, Certificates, SCEP
MobileIron AppConnect: Configuration, Container Policy
MobileIron Features: Docs@Work, Web@Work
iOS and OS X (Mac): General, CalDAV, CardDAV, Web Clips, Configuration Profile, LDAP
iOS Only: AirPlay (starting with iOS 7), AirPrint (starting with iOS 7), APN, Provisioning Profile, Restrictions, Subscribed Calendars, Web Content Filter (starting with iOS 7), Managed App Config (starting with iOS 7), Single Sign-On Account (starting with iOS 7)
Windows Phone 8: Enrollment Token (AET)

Configurations page
Use the Policies & Configs > Configurations page to create and manage configurations.
It displays the following information for each configuration.

Field: Description
Name: Indicates a name for this group of settings.
Setting Type: Indicates the kind of configuration.
Description: Displays additional information about this group of settings.
# Phones: Indicates the number of phones to which this group of settings has been applied. Click the link to display a list of the devices.
Labels: Indicates the labels to which this group of settings has been applied.
WatchList: Displays the number of devices for which this group of settings is queued. Click the link to display a list of the devices.
Quarantined: Displays the number of devices that have had configurations removed due to policy violations. Click the link to display a list of the devices. See Creating a custom compliance action on page 194 for information on quarantining devices.

Required role
Users must have the View configuration role to access the Configurations page.


Default configurations
The following table summarizes the default configurations packaged with MobileIron
Core:

Setting (Type): Description

System - iOS Enrollment CA Certificate (CERTIFICATE): System certificate to support the built-in SCEP server.
System - iOS Enrollment SCEP (SCEP): System settings for the built-in SCEP server. Note that the default URL contains HTTP. Do not change this to HTTPS without configuring a third-party certificate. The default is a self-signed certificate, which iOS does not support with HTTPS.
System - iOS Enterprise AppStore (WEBCLIP): System settings for the Apps@Work web clip.
System - iOS Enterprise AppStore SCEP (SCEP)
System - iOS MDM (MDM): Default MDM profile for iOS MDM.
System - iOS MDM CA Certificate (CERTIFICATE): Certificate that the mobile device will trust for the purpose of accepting OTA MDM requests.
System - Multi-User Secure Sign-In (WEBCLIP): System settings for the Secure Sign-In web clip, which enables access to the multi-user function for iOS devices. See Multi-User Support for iOS on page 913 for more information.
System - Mobile@Work AET (APPENROLLMENTTOKEN): App enrollment token for the Mobile@Work app for WP8 devices. See Working with apps for Windows Phone 8 devices on page 525.
System - Windows Phone Enrollment SCEP (SCEP): System settings for WP8 devices.

Note: System SCEP and Certificate settings are no longer available for selection as Identity Certificates in customer configurations (Policies & Configs > Configurations). System SCEP and Certificate settings continue to be available in configurations that already used them as Identity Certificates prior to Core Version 7.0.

Editing default iOS MDM settings


iOS MDM settings are editable, though, in most cases, you should not change access
rights here. To edit the default iOS MDM settings:
1. Go to Policies & Configs > Configurations.
2. Select the System - iOS MDM configuration.
3. Click Edit. The Modify Profile MDM Setting dialog appears.


4. If changing an access right is necessary, select an access right and click the appropriate arrow to move the access right to the Available list. The following table summarizes these access rights.

Access Right: Notes

Allow inspection of installed configuration profiles: Enables inventory of configuration profiles.
Allow installation and removal of configuration profiles: Enables overall configuration tasks.
Allow device lock and passcode removal: Enables remote lock and unlock capabilities.
Allow device erase: Enables remote wipe.
Allow query of Device Information: Enables inventory of standard device items, such as device capacity and serial number.
Allow query of Network Information: Enables inventory of standard network items, such as phone/SIM numbers and MAC addresses.
Allow inspection of installed provisioning profiles: Enables a device user to run select in-house apps.
Allow installation and removal of provisioning profiles: Enables installation of select in-house apps.
Allow inspection of installed applications: Enables app inventory.
Allow restriction-related queries: Enables reports on the restrictions of each configuration profile on the device. These correspond to the settings in the iOS Restrictions and Passcode payloads.
Allow security-related queries: Enables reports on security items, such as whether a passcode is present.
Allow manipulation of settings: Enables an administrator to turn on/off voice and data roaming.
Allow app management: Enables the "managed apps" capability introduced in iOS 5 so that an administrator can push requests to install apps, prevent iCloud backup, and remove the apps and all app data on demand.

5. If you want MobileIron Core to indicate that the MDM profile has been removed
from iOS devices, select Check out when MDM profile is removed.
Note: Receipt of this alert is not guaranteed. Therefore, this setting does not
ensure notification upon removal of the profile.
6. If you want to automatically alert iOS users when a new iOS MDM configuration is
available, select Send an APNs message to iOS 5 and later devices...
7. Click Save.


Restoring system web clips (iOS)


If you enable the Removable option for the Multi-User web clip or the Apps@Work web
clip, and the device user removes one of these web clips, use one of the following
methods to restore the web clip:
Remove the MDM profile on the device and tap Update Configuration Profile in
Mobile@Work.
Push the web clip from the Devices page by selecting the device and clicking Push
Profiles.

Displaying configurations status


The Device Details panel in the Users & Devices > Devices page displays status for
application of configurations.

The statuses you will see are:


Pending: The process of applying the settings has been started.
Sent: The settings have been successfully sent to the device.
Applied: MobileIron Core has confirmed that the verifiable settings appear to have
been applied to the device. For Android devices, use the View Details button to see
the verifiable results.
Partially Applied: One or more settings may have been rejected by the device. This
can mean that the feature is not supported by the device. For Android devices, use
the View Details button to see the verifiable results.

Click the View Details button for Android devices to see information on each configuration.

Adding new configurations

Platform support: Android: yes (a, b); iOS: yes; WP8: yes (c); WP8.1: yes (c); Win 8.1 RT/Pro: yes (d).

a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.
d. Only Wi-Fi and VPN.

To add new configurations:


1. Go to Policies & Configs > Configurations. Select the Add New dropdown.
2. Select the type of configuration you want to create. For an AppConnect configuration, see Configuring an AppConnect app configuration on page 614.
3. Complete the displayed form for the configuration.
4. Click Save.
5. To push the configuration to devices, apply it to the appropriate labels. Select More Actions > Apply to Label.

Editing configurations

Platform support: Android: yes (a, b); iOS: yes; Win 7: no; WP8: yes (c); Win 8.1 RT/Pro: yes (d).

a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.
d. Only Wi-Fi and VPN.

To edit configurations:
1. In the Configurations screen, select the configuration you want to edit.
2. Click Edit.

Deleting configurations

Platform support: Android: yes (a, b); iOS: yes; Win 7: no; WP8: yes (c); WP8.1: yes (c); Win 8.1 RT/Pro: yes (d).

a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.
d. Only Wi-Fi and VPN.

To delete configurations:
1. In the Configurations screen, select the settings you want to delete.
2. Click Delete.


Android Samsung browser settings


Select Policies & Configs > Configurations > Add New > Android > Samsung Browser
to configure web browser options for Samsung SAFE devices (SAFE API 4.x).

The following settings are available:

Item: Description
Auto Fill: Select to enable automatic completion of web forms.
Cookies: Select to allow use of cookies.
Javascript: Select to enable Javascript.
Pop-ups: Select to allow pop-ups.
Show Security Warning: Select to display browser security warnings. Note: Not supported for Samsung Galaxy S4.
SmartCard Authentication: Select to enable SmartCard authentication. To use SmartCard authentication, also select Pop-ups and Show Security Warning. See Configuring SmartCard browser authentication on page 236.

Configuring SmartCard browser authentication


SmartCard browser support enables users to use a SmartCard to access secured websites on their device.

Prerequisites:
Samsung KNOX license
Access to websites that require SmartCard authentication

To use this feature, you also need:


SmartCard reader with an active and valid card
A Samsung device that supports the SmartCard reader (for example, Samsung Galaxy S4 or Samsung Galaxy Note 3 with Android 4.3-4.4)

Refer to the SmartCard reader's instructions to install and pair the SmartCard reader with the Samsung device.

Step-by-step

The following steps create a policy that enables KNOX, configure the Samsung
browser to enable SmartCard authentication, and configure the KNOX container to use
the browser configuration. (Note: In each step, you can edit an existing configuration
or policy instead of creating a new one.)


In the Admin Portal:


1. Create a Samsung General Policy to enable KNOX:
1.1 Go to Policies & Configs > Policies.
1.2 Select Add New > Android > Samsung General. The New Samsung General Policy dialog appears.
1.3 Enter a Name.
1.4 Enter the KNOX License Key.
1.5 Click Save.
2. Create a Samsung Browser configuration:
2.1 Go to Policies & Configs > Configurations.
2.2 Select Add New > Android > Samsung Browser.
2.3 Enter a Name. For example SmartCard Browser
2.4 Select to enable or allow the following fields:
Pop-ups
Show Security Warnings
SmartCard Authentication
2.5 Click Save.
3. Create a Samsung KNOX Container configuration, including the Samsung Browser
under App Settings:
3.1 Go to Policies & Configs > Configurations.
3.2 Select Add New > Android > Samsung KNOX Configuration.
3.3 Enter a Name.
3.4 In the App Settings section, for Browser select the Samsung Browser you configured in the previous step. If you used the example name, select SmartCard Browser.
3.5 Fill out other KNOX container settings as needed.
3.6 Click Save.
4. Apply the policy and configurations to a label.
5. Apply the same label to the devices that are to use SmartCard authentication.

SmartCard browser behavior on the device

Start with a device that has the SmartCard-related policies and configurations applied
as described in the previous section.

To use SmartCard authentication in the browser:


1. In the Samsung KNOX container on the device, launch the native browser app.
2. Type in the URL of a secure website that requires SmartCard authentication.
3. An authentication prompt appears. Choose to authenticate using the SmartCard.
4. Use the SmartCard per its instructions to authenticate to the secure website.
Access to the website should be granted when the authentication is validated.


Android Samsung kiosk settings


See Android Kiosk Support on page 923.


Android Samsung KNOX Container settings


Select Policies & Configs > Configurations > Add New > Android > Samsung KNOX
Container to configure settings for the Samsung KNOX Container.

See Samsung KNOX support on page 341 for information on configuring Samsung
KNOX support.

Use these settings to:


specify requirements for the container password.
specify which apps to install in the container.
specify restrictions
select the Android Samsung browser configuration to use in the container.
select the Exchange configuration to use in the container.
select the VPN configuration to use in the container.

Note: Make sure only one Samsung KNOX container setting applies to each device.

Item: Description
Authentication
Password Type: Select the kind of password to require. Alphanumeric: Must include at least one alphabetic and one numeric character. Complex: Must include at least one alphabetic, one numeric, and one special character (i.e., a symbol).
Min Password Length: Specify a minimum length for the password. The accepted range is 6-16.
Min Number of Complex Characters: Specify the minimum number of complex characters for the passcode. Valid entries are 0-10. For example, to require at least two complex characters in the passcode, enter 2.
Max Character Occurrences: Specify a limit for the number of times a specific character can occur in the passcode. For example, to prevent a specific character from occurring 3 or more times, enter 2.
Max Character Sequence Length: Specify a limit for the number of characters that can appear in sequence in a passcode. For example, to prevent abc from occurring in a passcode, enter 2.
Max Numeric Sequence Length: Specify a limit for the number of numeric characters that can appear in sequence in a passcode. For example, to prevent 123 from occurring in a passcode, enter 2.
Min Character Change Length: Specify a minimum number of characters that must change when the passcode is reset. For example, to ensure that at least 2 characters change, enter 2.
Forbidden Strings: Specify any strings that must not be present in the passcode. To add a string: click + to add an entry, click the Name placeholder in the new entry, then replace Name with the string you want to add. For example, to prevent the passcode from including the user's email address or last name, enter $EMAIL$, $LAST_NAME$. See Supported variables on page 242 for a list of supported variables.
Max Inactivity Timeout: Specify the idle time duration after which the lock should be enabled. If a password is set, the user will be prompted for a password when unlocking the container.
Max Password Age: Specify the number of days after which the password will expire.
Stored Password History: Specify the number of previous passwords that are stored and cannot be used when setting a new password.
Max Number of Failed Attempts: Specify the maximum number of failed password attempts to allow. When this number is exceeded, the container will be disabled.
Password Visible Option: Select Off to disable the Make password visible option.
Apps
Select the in-house apps to be installed in the container: click the + button, then select an app from the Name list. The Version and Package Name fields are filled in automatically.
Restrictions
Allow Camera: Select to allow the device user or third-party apps to use the photo camera, video camera, and video telephony features.
Allow Content Sharing (i.e., Share Via): Select to allow use of the Share Via List, which is displayed in certain apps that share content with other apps.
Allow Email Account Creation: Select to allow the user to create email accounts. By default, this is unselected and end users cannot create email accounts in the KNOX container.
Allow Non-Secure Keypad: Select to allow keyboards inside the container, regardless of whether they are pre-loaded or third-party keyboards.
Allow Samsung KNOX App Store: Select to allow device users to download apps from the Samsung KNOX app store (www.samsungknox.com).
App Settings
Browser: Specifies the Android Samsung Browser configuration to use in the container. You need to create the Samsung Browser configuration separately. Otherwise, this list will be empty.
Exchange: Specifies the Exchange configuration to use in the container. You need to create the Exchange configuration separately. Otherwise, this list will be empty.
VPN: Specifies the VPN configuration to use for Samsung KNOX IPsec in the container. You need to create the configuration separately. Otherwise, this list will be empty.
Note: The KNOX VPN client must be installed on the device before you push the KNOX VPN configuration.
1. Download the KNOX VPN client from the Samsung KNOX portal: https://www.samsungknox.com/en/resources/sdk/download-knox-vpn-client (go to Resources -> Tools (at the bottom) -> Download KNOX VPN Client). To create a user ID in the Samsung KNOX portal, an active KNOX license key (trial or product) is required.
2. Upload the KNOX VPN client to the App Distribution Library.
3. Create a new VPN configuration with Samsung KNOX IPsec specified as the connection type (Policies & Configs > Configurations > Add New > VPN).
4. Select the new VPN configuration in the Samsung KNOX container (Policies & Configs > Configurations > Add New > Android > Samsung KNOX Container).

Supported variables
The following variables are supported for Android Samsung KNOX Containers:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$

Exchange settings

Android | iOS | OS X | Win 7 | WP8 | WP8.1 | Win 8.1 RT/Pro
yes (a, b) | yes | yes | - | yes | yes | -

a. With selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.

Select Policies & Configs > Configurations > Add New > Exchange to specify the settings for the ActiveSync server that devices use. The ActiveSync server can be a Microsoft Exchange server, an IBM Lotus Notes Traveler server, Microsoft Office 365, or another ActiveSync server.

For OS X 10.7 and 10.8: Only contacts are synchronized. ActiveSync is not supported.

For OS X 10.9 Mavericks: Contacts, mail, notes, reminders, and calendar are synchronized. ActiveSync is not supported.

For iOS:
If an Exchange profile already exists on the device, then attempts to distribute new ActiveSync settings using MobileIron will fail.

For iOS and OS X:
iOS and OS X can take advantage of the optional Save User Password feature under Settings > Preferences to facilitate Exchange configuration.

For Android:
The Exchange configuration works with:
- Android devices using the NitroDesk TouchDown email app and Android version 2.2 through 4.4
- Android devices using the Android Email+ email app and Android version 4.0 through 4.4
- Samsung SAFE devices running the Samsung native email app and Android version 2.2 through 4.4
- HTC devices using HTC Sense 4.0 or later and the HTC native email app
  Note: The HTC native email app does not work with Lotus Notes Traveler.
- Motorola devices with Enterprise Device Management APIs, running Android 4.0, and using the Motorola native email app
  For a more detailed list of Motorola devices, see http://developer.motorola.com/products/?filters=1425#filter
  Note: The Motorola native email app does not work with Lotus Notes Traveler.

Consider the following behavior on Motorola devices:
- On some Motorola devices, the native email app exits after each setup step. On these devices, the device user must relaunch the native email app to continue with the next setup step. After setup is completed, the Mobile@Work home screen displays. On all other devices, the email app starts after setup is completed.
- The Exchange server or Sentry must present a certificate the device trusts. Motorola devices will not configure an Exchange account against a server that uses an untrusted certificate.

AppConnect-enabled email clients that do not use an Exchange setting

Some AppConnect-enabled email clients do not use an Exchange setting. Instead, you configure these email clients using an AppConnect app configuration. For example:
- Divide iOS
- Mail+ for iOS
- NitroDesk TouchDown for iOS
- Divide PIM for Android
- IBM Notes Traveler for Android

Exchange settings
The following table describes the Exchange settings you can specify.

General

Name
Enter brief text that identifies this group of Exchange settings.

Description
Enter additional text that clarifies the purpose of this group of Exchange settings.

Server Address
Enter the address of the ActiveSync server.
If you are using Standalone Sentry, do the following:
- Enter the Standalone Sentry's address.
- If you are using Lotus Domino server 8.5.3.1 Upgrade Pack 1 for your ActiveSync server, set the server address to <Standalone Sentry's fully qualified domain name>/traveler.
- If you are using a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1, set the address to <Standalone Sentry's fully qualified domain name>/servlet/traveler.
- If you are using load balancers, contact MobileIron Professional Services.
When using Integrated Sentry, set the server address to the Microsoft Exchange Server's address.
Note: When using Sentry, you can do preliminary verification of your Exchange configuration choices for the ActiveSync User Name, ActiveSync User Email, and ActiveSync Password fields. To do so, first set the server address to the ActiveSync server. After you have verified that users can access their email using this Exchange configuration, change the server address to the appropriate Sentry address.

Use SSL
Select to use secure connections.
For Android: SSL is always used, regardless of whether this setting is selected.

Use alternate device handling
Replaces the Use Standalone Sentry option. Use this option only under the direction of MobileIron Support.

Domain
Specify the domain configured for the server.

ActiveSync User Name
Specify the variable for the user name to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US.
Typically, you use $USERID$ if your ActiveSync server is a Microsoft Exchange Server, and $EMAIL$ if your ActiveSync server is an IBM Lotus Notes Traveler server.
For WP8 devices, if the User Name setting is modified after the Exchange setting is provisioned, the device cannot sync. The workaround is to remove the Exchange setting and reapply it, or to retire the device and register it again with the new User Name.

ActiveSync User Email
Specify the variable for the email address to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US.
Typically, you use $EMAIL$ in this field.

ActiveSync User Password
Specify the variable for the password to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and are not visible to any MobileIron Core administrator.
Note: All variables and text up to the last valid variable are visible. Anything after the last valid variable is not visible. The valid variable may appear in either of the password fields. Valid variables are the variables in the drop-down list.

Identity Certificate
Select the SCEP entry you created for supporting Exchange ActiveSync, if you are implementing certificate-based authentication.

Password is also required
Specify whether to prompt device users for a password when certificate authentication is implemented. The password prompt is turned off by default. Once you specify an Identity Certificate, this option is enabled. Select the option if you want to retain the password prompt.

Items to Synchronize
Not for iOS, OS X, or Android: Select the Outlook items to be synchronized: Contacts, Calendar, Email, Tasks.

Past Days of Email to Sync
Specify the maximum amount of email to synchronize each time by selecting an option from the drop-down list.
On Android devices, this setting works only with these email apps:
- NitroDesk TouchDown (the TouchDown app does not display this information in its settings screen)
- Samsung SAFE devices' native email app
- Email+
On WP8 devices, the 1 Day option maps to the All option.

Move/Forward Messages to Other Email Accounts
Starting with iOS 5: Specifies whether device users can move or forward email from the originating email account. This feature is not supported for WP8 devices or for Android devices.

Enable S/MIME
Enables support for S/MIME encryption. This feature is not supported for WP8 devices.

S/MIME Signing identity
Select a certificate as a signing identity. This feature is not supported for WP8 devices.

S/MIME Encryption identity
Select a certificate as an encryption identity. This feature is not supported for WP8 devices.

ActiveSync
Not for iOS or OS X. Limited support for Android.

Sync during Peak Time
Select the preferred synchronization approach for peak times.
This field is applicable to only some Android devices. On those devices, the synchronization approach that you choose applies at all times, not just peak times. The other ActiveSync settings, such as Off-peak Time, do not apply to Android devices. The only Android devices that this field applies to are:
- Android devices using the NitroDesk TouchDown email app
- Samsung SAFE devices using their native email app
- Android devices using Email+
For WP8 devices, the following Peak Time values are not supported: Every 5 minutes, Every 10 minutes, Every 2 hours, Every 4 hours.

Off-peak Time
Select the preferred synchronization approach for off-peak times. This feature is not supported for WP8 devices.

Use above settings when roaming
Specify whether to apply synchronization preferences while roaming. This feature is not supported for WP8 devices.

Send/receive when send
Specify whether queued messages should be sent and received whenever the user sends a message. This feature is not supported for WP8 devices.

Peak Time

Peak Days
Specify which days should be considered peak days. This feature is not supported for WP8 devices.

Start Time
Specify the beginning of the peak period for all peak days. This feature is not supported for WP8 devices.

End Time
Specify the end of the peak period for all peak days. This feature is not supported for WP8 devices.

iOS 5 and Later Settings

Email access to Third-Party apps
Specifies whether third-party apps can use the account for email access.

Recent Address syncing
iOS 6 and iOS 7. Specifies whether recently used email addresses can be synchronized.

Android

Exchange App Priority
Drag and drop email configurations to specify which are allowed. Change the order of selected configurations to specify priority. If there are no email apps specified in the Selected column, then Mobile@Work uses the following provisioning priority:
1. Android Email+
2. NitroDesk TouchDown
3. Native email app

General

Accept all SSL certificates
Enables device users to set Android devices to accept all SSL certificates. This setting applies to Android Email+, Samsung SAFE Email, and TouchDown and is intended for use when the MobileIron Sentry uses self-signed certificates.
Note: Use caution when enabling this setting. Accepting all certificates disables server certificate validation, so anyone who can intercept the connection can impersonate the Sentry and capture the user's credentials and mail. Distributing the certificate authority that issued the Sentry's certificate to the device is the safer alternative.

Copy/Paste
Prevents use of the copy and paste commands in the NitroDesk TouchDown email app and in Android Email+.

Allow access to secure info from outside container
Specify whether to publish contacts and calendar items to non-secure email clients running on the same device. For Secure Android Email+, you can allow access to both contacts and calendar. For Secure NitroDesk TouchDown, you can allow access to contacts.

NitroDesk TouchDown
If you are using NitroDesk's TouchDown to manage Exchange on Android devices, enter the license key you received from NitroDesk. The license key will be provisioned with the other Exchange settings in this profile.

Samsung SAFE (Samsung SAFE 4.x)

Email Account Creation By User
Select this option to allow Samsung SAFE device users to create an email account on the device. Otherwise, email accounts can be created only as part of Core-initiated provisioning of supported email clients.

HTML Email
Select this option to allow viewing of HTML email. This option is not enabled by default, which prevents rendering of HTML-based email.

SmartCard Authentication
Select this option to enable SmartCard authentication. SmartCard authentication is generally reserved for high-security environments using multi-factor authentication.
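The ActiveSync User Name, User Email and Password fields above, the KNOX container's Supported variables list, and the Email settings' Supported variables list all rely on the same $VARIABLE$ substitution, and the password fields add a visibility rule (everything up to the last valid variable is shown to the administrator, everything after it is hidden). The following is an added illustration written for this page, not MobileIron code: it reproduces that substitution and visibility rule over a constructed sample user record. The variable names are the ones the guide lists; the user values, the mask character and the pre-flight check for unknown variables are this example's own assumptions.

```python
import re

# Variables the guide lists for these fields (the drop-down list).
# $PASSWORD$ is valid in the Exchange and Email settings; the rest come from
# the KNOX container and Exchange/Email "Supported variables" lists.
VALID_VARIABLES = {
    "EMAIL", "USERID", "PASSWORD", "FIRST_NAME", "LAST_NAME", "DISPLAY_NAME",
    "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4", "NULL",
}

# Matches $NAME$ tokens; NAME is checked against VALID_VARIABLES separately
# so that an unknown token is reported rather than silently expanded.
_VAR_RE = re.compile(r"\$([A-Z0-9_]+)\$")

# Constructed sample user record (assumption: not real directory data).
SAMPLE_USER = {
    "EMAIL": "jdoe@example.com",
    "USERID": "jdoe",
    "PASSWORD": "correct horse battery staple",
    "FIRST_NAME": "Jane",
    "LAST_NAME": "Doe",
    "DISPLAY_NAME": "Jane Doe",
    "USER_CUSTOM1": "US",
    "NULL": "",
}


def expand(template, user):
    """Return the template with every valid $VAR$ replaced by the user's
    value. Unknown tokens such as $USRID$ are left in place, so a typo in a
    configuration shows up in the provisioned value instead of vanishing."""
    def replace(match):
        name = match.group(1)
        if name in VALID_VARIABLES:
            return user.get(name, "")
        return match.group(0)
    return _VAR_RE.sub(replace, template)


def split_visible_hidden(template):
    """Apply the guide's rule for the password fields: everything up to and
    including the last valid variable is visible to an administrator, and
    anything after it is hidden. Returns (visible, hidden)."""
    last_end = 0
    for match in _VAR_RE.finditer(template):
        if match.group(1) in VALID_VARIABLES:
            last_end = match.end()
    return template[:last_end], template[last_end:]


def admin_view(template):
    """What an administrator would see for a password template: the visible
    prefix followed by one mask character per hidden character."""
    visible, hidden = split_visible_hidden(template)
    return visible + "*" * len(hidden)


def unknown_variables(template):
    """Names written as $NAME$ that are not valid variables; a pre-flight
    check to run before pushing a configuration."""
    return sorted({m.group(1) for m in _VAR_RE.finditer(template)
                   if m.group(1) not in VALID_VARIABLES})


if __name__ == "__main__":
    for template in ("$USERID$_US", "$EMAIL$", "$PASSWORD$_$USERID$"):
        print(f"{template:24} -> {expand(template, SAMPLE_USER)}")
    print("admin sees:", admin_view("$PASSWORD$site-suffix"))
    print("unknown:", unknown_variables("$USRID$@$EMAIL$"))
```

Because literal text after the last valid variable is hidden even from administrators, anything placed there (a site-specific suffix, for instance) cannot be audited from the Admin Portal; keep such suffixes in front of the variable where possible, and run the unknown-variable check before provisioning so a mistyped variable name is not pushed to devices as literal text.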
Multiple Exchange Support for Android

Multiple Exchange mailboxes are supported for devices running Android versions 4.0 through 4.4 or Samsung SAFE 4.0 devices, using either the Android Email+ or the Samsung Native Email client app. For the Samsung Native Email client, SCEP is not supported as the authentication method with multiple mailboxes.

The MobileIron Core administrator can configure and apply up to two Exchange settings for each device. Exchange settings are found in the Admin Portal under Policies & Configs > Configurations. The device must be running Mobile@Work version 6.0 when it receives the configuration.

On the device, both mailboxes appear in a single email app. The email app is determined by 1) the email app's priority as specified in the Exchange setting's Exchange App Priority, and 2) the email app's availability on the device. For example, if both Samsung Native Email and Email+ are available on the device, the app with the highest priority is used.

Note that Mobile@Work's Options > Email Status is not supported for multiple Exchange accounts.

iOS/OS X Exchange profiles and password caching

To facilitate iOS and OS X deployments, MobileIron offers the option of caching a user's email password. This option is turned off by default. Cached passwords are encrypted, stored on the appliance, and used only for authentication. Note that the email password must match the LDAP password in order for this feature to be of use.

Email settings (POP and IMAP)

Android | iOS | OS X | Win 7 | WP8 | Win 8.1 RT/Pro
- | yes | yes | - | - | -

Select Policies & Configs > Configurations > Add New > Email to set up POP or IMAP email.

The following table describes the email settings you can specify:

Name
Enter brief text that identifies this group of email settings.

Description
Enter additional text that clarifies the purpose of this group of email settings.

Account Type
Select POP or IMAP to indicate the type of email account you are configuring. The internet service provider (ISP) can give you information on which type of account is available.

User Email
Specify the email address to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your email standard might be $EMAIL$_US for users in the United States. See Supported variables on page 252.

Incoming Mail Server Settings

Path Prefix
Specify the IMAP path prefix for the email client. A prefix is generally required when all IMAP folders are listed under the Inbox. ISPs that require prefixes usually provide information on the specific prefix to configure.

Server Address
Specify the address for the server handling incoming mail. The internet service provider (ISP) can give you this address.

Server Port
Specify the port number for the server handling incoming mail. The internet service provider (ISP) can give you this information.

Require SSL
Specify whether secure sockets layer (SSL) is required for incoming email transport. This is determined by the way in which the user mailboxes are set up. Your internet service provider (ISP) can give you this information.

User Name
Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 252.

Use Password Authentication
iOS and OS X only: Specify whether to authenticate with a password for email access.

Password
Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 252.

Outgoing (SMTP) Mail Server Settings

Server Address
Specify the address for the SMTP server handling outgoing mail.

Server Port
Specify the port number for the SMTP server handling outgoing mail.

Require SSL
Specify whether to use secure sockets layer (SSL) for outgoing email transport.

Require Authentication
Specify whether the SMTP server requires the client to authenticate before accepting outgoing mail. The credentials come from the Server User Name and Password fields below, or from the incoming-mail credentials if Use Same User Name and Password for Sending Email is selected.

Use Same User Name and Password for Sending Email
Specify whether to use the same user name and password used for incoming email. If you select this option, then the Server User Name option is disabled.

Server User Name
Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 252.

Use Password Authentication
iOS and OS X only: Specify whether to authenticate with a password for email access.

Password
Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 252.

Advanced Settings
Not for iOS or OS X.

Automatic Send/Receive
Specify how new email should be sent and retrieved. You can set an automatic time interval or select Manual to configure no automatic email exchange.

Download Messages
Specify the number of messages to download to the device during send/receive.

Message Format
Indicate whether messages should be formatted in plain text or HTML.

Message Download Limit
Specify a size limit for a single message to be downloaded.

Download Attachment
Specify a size limit for an attachment to be downloaded, or specify that attachments are not to be downloaded.

iOS 5 Settings

Block move/forward messages to other email accounts
Enables the iOS 5 feature that prevents users from moving email messages to other email accounts or forwarding email from accounts other than the originating account.

Block email access to 3rd party apps
Prevents third-party apps from using the account for email access.

Enable S/MIME
Enables support for S/MIME encryption.

S/MIME Signing identity
Enables selection of a certificate as the signing identity. If you do not select a certificate, then the device user will be prompted to select from the certificates that are already on the device.

S/MIME Encryption identity
Enables selection of a certificate as the encryption identity. If you do not select a certificate, then the device user will be prompted to select from the certificates that are already on the device.

Allow Recent Address syncing
iOS 6 and iOS 7. Enables synchronization of recently used email addresses.

Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$PASSWORD$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

Wi-Fi settings

Android | iOS | Win 7 | WP8 | WP8.1 | Win 8.1 RT/Pro
yes | yes | - | - | yes | yes

Select Policies & Configs > Configurations > Add New > Wi-Fi to configure wireless network access.

For Windows 8.1 RT and Pro devices

Note the following for Windows 8.1 RT and Pro devices:
- For Wi-Fi settings, only WPA2 Personal and WPA2 Enterprise are supported.
- For both types of settings, only the PEAP, TTLS, and TLS authentication protocols are supported. If you select TTLS, only MSCHAPv2 is supported for the Inner Identity Authentication Protocol.
- For Data Encryption, only AES is supported.
- To use Wi-Fi with TLS on Windows 8.1 RT and Pro devices, you must have applied the Microsoft Server 2008 R2 patch to the SCEP server. The server-side certificate must include a valid revocation list and template name.
- The SCEP server must be reachable from the device.

For WP8.1 devices

- For Wi-Fi settings, only WPA2 Personal and WPA2 Enterprise are supported.
- For WPA2 Enterprise settings, only the PEAP, TTLS, and TLS authentication protocols are supported. If you select TTLS, only MSCHAPv2 is supported for the Inner Identity Authentication Protocol.
- For Data Encryption, only AES is supported.

Wi-Fi profiles and password caching

To facilitate deployments, MobileIron offers the option of caching a user's Wi-Fi password. This option is turned off by default. Cached passwords are encrypted, stored on the appliance, and used only for authentication. Note that the password must match the LDAP password in order for this feature to be of use.

Authentication types
The fields that appear in the New Wifi Setting dialog change based on the values selected. The following tables describe the fields required for each selection in the Authentication field:
- Open authentication
- Shared authentication
- WPA Enterprise authentication
- WPA2 Enterprise authentication
- WPA Personal authentication
- WPA2 Personal authentication

Open authentication
Use the following guidelines to set up Open authentication.

Name
Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.

Description
Enter additional text to clarify the purpose of this group of Wi-Fi settings.

Hidden Network
Select this option if the SSID is not broadcast.

Authentication
Select Open.

Data Encryption
Not applicable for iOS. Select the data encryption method associated with the selected authentication type. The selection affects which of the following fields are displayed. For Open authentication, the following encryption options are available:
- Disabled
- WEP
- WEP Enterprise (not applicable for Android)
Note: WEP is cryptographically broken; its keys can be recovered by a passive attacker from captured traffic. Treat a WEP network as untrusted and use WPA2 wherever the infrastructure allows it.

Network Key (WEP encryption)
Not applicable for iOS. Enter the network key necessary for accessing this network. The network key should be 5 or 13 ASCII characters or 10 or 26 hexadecimal digits.

Key Index (WEP encryption)
If using multiple network keys, select a number indicating the memory position of the correct encryption key.

Confirm Network Key
Not applicable for iOS. Re-enter the network key to confirm.

User Name (WEP Enterprise encryption)
Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.

Password (WEP Enterprise encryption)
Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and are not visible to any MobileIron Core administrator.
Note the following:
- If you specify $PASSWORD$, also enable Save User Password under Settings > Preferences.
- All variables and text up to the last valid variable are visible. Anything after the last valid variable is not visible. The valid variable may appear in either of the password fields.
See Supported variables on page 267.

Apply to Certificates (WEP Enterprise encryption)
Configure this field with the CA certificate needed to validate the identity certificate presented by the Wi-Fi access point (the authentication server). It is not the CA certificate needed to validate the identity certificate sent to the device in the Wi-Fi configuration.

Trusted Certificate Names (WEP Enterprise encryption)
If you did not specify trusted certificates in the Apply to Certificates list, then enter the names of the authentication servers to be trusted. You can specify a particular server, such as server.mycompany.com, or a partial name such as *.mycompany.com.

Allow Trust Exceptions (WEP Enterprise encryption)
Select this option to let users decide to trust a server when the chain of trust can't be established. To avoid these prompts, and to permit connections only to trusted servers, turn off this option and upload all necessary certificates. Leaving it on lets a user accept a rogue access point that presents any certificate, which exposes the user's Wi-Fi credentials to that access point.

Use Per-connection Password (WEP Enterprise encryption)
Select this option to prompt the user to enter a password each time the device connects to the Wi-Fi network.

EAP Type
Select the authentication protocol used:
- EAP-FAST (does not apply for Android)
- EAP-SIM (does not apply for Android)
- LEAP (does not apply for Android)
- PEAP
- TLS
- TTLS
For iOS, you can make multiple selections. For Android, you must select only one protocol.
If you select EAP-FAST, then you also need to specify the Protected Access Credential (PAC).
If you select TLS, then you must specify an Identity Certificate.
If you select TTLS, then you must also specify the Inner Identity Authentication Protocol. You may optionally specify an Outer Identity, which on Android devices (running Mobile@Work client 5.9.0.2 or later) is propagated to the Anonymous Identity field in the Android system Wi-Fi settings. An Outer Identity that does not contain the real user name keeps that name out of the unencrypted outer EAP exchange; only the inner identity, sent inside the TLS tunnel, needs to be the real account.

Connects To
Select Internet or Work.

iOS 5 Settings

Auto Join
Specifies whether devices should automatically join the corresponding Wi-Fi network. If this option is not selected, device users must tap the network name on the device to join the network.

Proxy Type
Specifies whether a proxy is configured, and which type. Available types are Manual and Auto.

Proxy PAC URL
Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
Specifies the proxy server's IP address.

Proxy User Name
For manual proxies, specifies the optional user name for server access.

Proxy Password
For manual proxies, specifies the optional password for server access.

Priority
For iOS 7 and iOS 7.1 only. Enter a number between -100 and +100 to set the priority for the Wi-Fi setting. If multiple Wi-Fi settings are applied, the device selects the Wi-Fi setting with the higher priority. The lower the number, the higher the priority.
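The Apply to Certificates, Trusted Certificate Names and Allow Trust Exceptions fields (which recur in the Open, Shared and WPA Enterprise tables) together decide whether a device will talk to a given authentication server, and the Network Key field fixes the formats a WEP key may take. The following is an added illustration written for this page, not MobileIron code or a description of the client's internals: it evaluates that trust decision for constructed server identities and validates WEP keys against the documented length rule. The way the two trust fields are combined when both are configured, the modelling of a CA by its subject name, and all server and CA names are this example's assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class WifiTrustConfig:
    """The three trust-related fields from the enterprise Wi-Fi tables."""
    # Apply to Certificates: CAs allowed to sign the authentication server's
    # identity certificate (modelled here by their subject names).
    trusted_ca_subjects: set = field(default_factory=set)
    # Trusted Certificate Names: exact host names or *.domain wildcards.
    trusted_server_names: list = field(default_factory=list)
    # Allow Trust Exceptions: let the user accept an unverifiable server.
    allow_trust_exceptions: bool = False


def name_matches(pattern, name):
    """Match a server name against an exact name or a leftmost-label wildcard.
    *.mycompany.com matches radius.mycompany.com but neither mycompany.com nor
    a.b.mycompany.com, so a wildcard cannot be stretched over extra labels."""
    pattern, name = pattern.lower().strip(), name.lower().strip()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".mycompany.com"
        if not name.endswith(suffix) or len(name) <= len(suffix):
            return False
        return "." not in name[: -len(suffix)]   # exactly one label replaced
    return pattern == name


def trust_decision(cfg, server_name, issuer_subject):
    """Return 'trust', 'prompt' or 'reject' for an authentication server whose
    certificate carries server_name and was issued by issuer_subject.

    Assumption (this example's rule, not a statement about the client): when
    both CA certificates and trusted names are configured, both must match;
    when only one is configured, that one decides; when neither is, no chain
    of trust can be established."""
    chain_ok = issuer_subject in cfg.trusted_ca_subjects
    name_ok = any(name_matches(p, server_name) for p in cfg.trusted_server_names)
    if cfg.trusted_ca_subjects and cfg.trusted_server_names:
        trusted = chain_ok and name_ok
    elif cfg.trusted_ca_subjects:
        trusted = chain_ok
    elif cfg.trusted_server_names:
        trusted = name_ok
    else:
        trusted = False
    if trusted:
        return "trust"
    # Chain of trust not established: the outcome now depends on the
    # exceptions switch, which is why the guide recommends turning it off.
    return "prompt" if cfg.allow_trust_exceptions else "reject"


def valid_wep_key(key):
    """The Network Key rule from the tables: 5 or 13 ASCII characters, or 10
    or 26 hexadecimal digits (40-bit and 104-bit keys). Format only; WEP
    itself offers no meaningful confidentiality."""
    if len(key) in (10, 26) and all(c in "0123456789abcdefABCDEF" for c in key):
        return True
    return len(key) in (5, 13) and key.isascii() and key.isprintable()


if __name__ == "__main__":
    # Constructed sample configuration and server identities.
    cfg = WifiTrustConfig(trusted_ca_subjects={"Example Corp Root CA"},
                          trusted_server_names=["*.mycompany.com"])
    for server, issuer in [("radius.mycompany.com", "Example Corp Root CA"),
                           ("radius.mycompany.com", "Rogue AP CA"),
                           ("a.b.mycompany.com", "Example Corp Root CA")]:
        print(f"{server:22} issued by {issuer:22} -> {trust_decision(cfg, server, issuer)}")
    print("WEP key 'ABCDE' valid:", valid_wep_key("ABCDE"))
```

The second sample line is the case the trust fields exist for: a rogue access point with a certificate from a CA the profile does not list is rejected outright only because Allow Trust Exceptions is off; with it on, the same server would produce a prompt that most users will accept. Trusting by name alone (no CA configured) relies on whatever roots the device already holds to validate the chain, which this example does not model.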
Shared authentication
Use the following guidelines to set up Shared authentication:

Name
Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.

Description
Enter additional text to clarify the purpose of this group of Wi-Fi settings.

Hidden Network
Select this option if the SSID is not broadcast.

Authentication
Select Shared.

Data Encryption
Not applicable for iOS. Select the data encryption method associated with the selected authentication type. The selection affects which of the following fields are displayed. For Shared authentication, the following encryption options are available:
- Disabled
- WEP
- WEP Enterprise (not applicable for Android)
Note: Shared authentication is a WEP challenge-response exchange that exposes keystream to anyone listening, so the WEP caveat under Open authentication applies here as well.

Network Key (WEP encryption)
Not applicable for iOS. Enter the network key necessary for accessing this network. The network key should be 5 or 13 ASCII characters or 10 or 26 hexadecimal digits.

Key Index (WEP encryption)
If using multiple network keys, select a number indicating the memory position of the correct encryption key.

Confirm Network Key
Not applicable for iOS. Re-enter the network key to confirm.

User Name (WEP Enterprise encryption)
Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.

Password (WEP Enterprise encryption)
Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and are not visible to any MobileIron Core administrator.
Note the following:
- If you specify $PASSWORD$, also enable Save User Password under Settings > Preferences.
- All variables and text up to the last valid variable are visible. Anything after the last valid variable is not visible. The valid variable may appear in either of the password fields.
See Supported variables on page 267.

Apply to Certificates (WEP Enterprise encryption)
Configure this field with the CA certificate needed to validate the identity certificate presented by the Wi-Fi access point (the authentication server). It is not the CA certificate needed to validate the identity certificate sent to the device in the Wi-Fi configuration.

Trusted Certificate Names (WEP Enterprise encryption)
If you did not specify trusted certificates in the Apply to Certificates list, then enter the names of the authentication servers to be trusted. You can specify a particular server, such as server.mycompany.com, or a partial name such as *.mycompany.com.

Allow Trust Exceptions (WEP Enterprise encryption)
Select this option to let users decide to trust a server when the chain of trust can't be established. To avoid these prompts, and to permit connections only to trusted servers, turn off this option and upload all necessary certificates.

Use Per-connection Password (WEP Enterprise encryption)
Select this option to prompt the user to enter a password each time the device connects to the Wi-Fi network.

EAP Type
Select the authentication protocol used:
- EAP-FAST (does not apply for Android)
- EAP-SIM (does not apply for Android)
- LEAP (does not apply for Android)
- PEAP
- TLS
- TTLS
For iOS, you can make multiple selections. For Android, you must select only one protocol.
If you select EAP-FAST, then you also need to specify the Protected Access Credential (PAC).
If you select TLS, then you must specify an Identity Certificate.
If you select TTLS, then you must also specify the Inner Identity Authentication Protocol. You may optionally specify an Outer Identity, which on Android devices (running Mobile@Work client 5.9.0.2 or later) is propagated to the Anonymous Identity field in the Android system Wi-Fi settings.

Connects To
Select Internet or Work.

iOS 5 Settings

Auto Join
Specifies whether devices should automatically join the corresponding Wi-Fi network. If this option is not selected, device users must tap the network name on the device to join the network.

Proxy Type
Specifies whether a proxy is configured, and which type. Available types are Manual and Auto.

Proxy PAC URL
Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
Specifies the proxy server's IP address.

Priority
For iOS 7 and iOS 7.1 only. Enter a number between -100 and +100 to set the priority for the Wi-Fi setting. If multiple Wi-Fi settings are applied, the device selects the Wi-Fi setting with the higher priority. The lower the number, the higher the priority.

WPA Enterprise authentication


Use the following guidelines to set up WPA Enterprise authentication:

Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name Enter the name (i.e., service set identifier) of the Wi-Fi
(SSID) network these settings apply to. This field is case sensi-
tive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA Enterprise.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For WPA
Enterprise authentication, the following encryption options
are available:
AES
TKIP
User Name Specify the variable to use as the user name when estab-
lishing the Wi-Fi connection. See Supported variables on
page 267.
Password Specify the variable to use and any necessary custom for-
matting for the Wi-Fi password. The default variable
selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent
to the Password field. Entries in this text box are kept hid-
den and will not be visible to any MobileIron Core adminis-
trator.
Note the following:
If you specify $PASSWORD$, also enable Save User
Password under Settings > Preferences.
All variables and text up to the last valid variable will be
visible. Anything after the last valid variable will not be
visible. The valid variable may appear in either of the
password fields. Valid variables are the variables in the
dropdown list.

See Supported variables on page 267.

Apply to Certificates Configure this field with the CA certificate needed to
validate the Identity Certificate that the authentication
(RADIUS) server behind the Wi-Fi Access Point presents
during the EAP exchange. It is not the CA certificate needed
to validate the Identity Certificate sent to the device in the
Wi-Fi config.
Android only: Though this section allows multiple certifi-
cates to be configured, Android supports only one entry in
this field. If more than one is configured, only one of them
will be installed on the device. If more than one CA certifi-
cate is required to validate the Access Point Identity Certif-
icate, they must be installed using separate Wi-Fi profiles.
Trusted Certificate Not applicable for Android. If you did not specify trusted
Names certificates in the Apply to Certificates list, then enter the
names of the authentication servers to be trusted. You can
specify a particular server, such as server.mycompany.com
or a partial name such as *.mycompany.com.
Allow Trust Exceptions Not applicable for Android. Select this option to let users
decide to trust a server when the chain of trust can't be
established. Leaving this on lets a user accept the certificate
of a rogue access point impersonating your SSID, which can
then capture password-based EAP credentials. To avoid these
prompts, and to permit connections only to trusted servers,
turn off this option and upload all necessary certificates.
Use Per-connection Not applicable for Android. Select this option to prompt
Password the user to enter a password each time the device con-
nects to the Wi-Fi network.

EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS

For iOS, you can make multiple selections.


For Android, you must select only one protocol.
If you select EAP-FAST, then you also need to specify the
Protected Access Credential (PAC).
If you select TLS, then you must specify an Identity Certif-
icate.
If you select TTLS, then you must also specify the Inner
Identity Authentication Protocol. You may optionally spec-
ify an Outer Identity, which on Android devices (running
Mobile@Work client 5.9.0.2 or later) is propagated to the
Anonymous Identity field in the Android system Wi-Fi set-
tings.

Connects To Select Internet or Work.

iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.


WPA2 Enterprise authentication


Use the following guidelines to configure WPA2 Enterprise authentication.

Item Description
Network Name Enter the name (i.e., service set identifier) of the Wi-Fi
(SSID) network these settings apply to. This field is case sensi-
tive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA2 Enterprise.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For
WPA2 Enterprise authentication, the following encryption
options are available:
AES
TKIP
User Name Specify the variable to use as the user name when estab-
lishing the Wi-Fi connection. See Supported variables on
page 267.
Password Specify the variable to use and any necessary custom for-
matting for the Wi-Fi password. The default variable
selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent
to the Password field. Entries in this text box are kept hid-
den and will not be visible to any MobileIron Core adminis-
trator.
Note the following:
If you specify $PASSWORD$, also enable Save User
Password under Settings > Preferences.
All variables and text up to the last valid variable will be
visible. Anything after the last valid variable will not be
visible. The valid variable may appear in either of the
password fields. Valid variables are variables in the
dropdown list.
Apply to Certificates Configure this field with the CA certificate needed to
validate the Identity Certificate that the authentication
(RADIUS) server behind the Wi-Fi Access Point presents
during the EAP exchange. It is not the CA certificate needed
to validate the Identity Certificate sent to the device in the
Wi-Fi config.
Android only: Though this section allows multiple certifi-
cates to be configured, Android supports only one entry in
this field. If more than one is configured, only one of them
will be installed on the device. If more than one CA certifi-
cate is required to validate the Access Point Identity Certif-
icate, they must be installed using separate Wi-Fi profiles.

Trusted Certificate Not applicable for Android. If you did not specify trusted
Names certificates in the Apply to Certificates list, then enter the
names of the authentication servers to be trusted. You can
specify a particular server, such as server.mycompany.com
or a partial name such as *.mycompany.com.
Allow Trust Exceptions Not applicable for Android. Select this option to let users
decide to trust a server when the chain of trust can't be
established. To avoid these prompts, and to permit
connections only to trusted services, turn off this option and
upload all necessary certificates.
Use Per-connection Not applicable for Android. Select this option to prompt
Password the user to enter a password each time the device con-
nects to the Wi-Fi network.
EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS

For iOS, you can make multiple selections.


For Android, you must select only one protocol.
If you select EAP-FAST, then you also need to specify the
Protected Access Credential (PAC).
If you select TLS, then you must specify an Identity Certif-
icate.
If you select TTLS, then you must also specify the Inner
Identity Authentication Protocol. You may optionally spec-
ify an Outer Identity, which on Android devices (running
Mobile@Work client 5.9.0.2 or later) is propagated to the
Anonymous Identity field in the Android system Wi-Fi set-
tings.

Connects To Select Internet or Work.

iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.


Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
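On iOS, the WPA Enterprise and WPA2 Enterprise fields above are delivered to the device as a Wi-Fi configuration profile payload. The following is an added example, not MobileIron code, that builds such a payload with Apple's published com.apple.wifi.managed keys for an EAP-TLS WPA2 Enterprise network and audits it for the settings the tables warn about: trust exceptions left on, no CA anchor and no trusted server names, EAP-TLS without an identity certificate, LEAP, and a PAC file fetched over plain HTTP. How Core maps its field names to these keys, and the SSID, server names and UUIDs, are assumptions for illustration.

```python
import plistlib
import uuid

# EAP method numbers as used in the AcceptEAPTypes array of an Apple Wi-Fi payload.
EAP_TYPES = {"EAP-TLS": 13, "LEAP": 17, "EAP-SIM": 18, "TTLS": 21, "PEAP": 25, "EAP-FAST": 43}


def wifi_payload(ssid, eap_types, trusted_server_names=(), anchor_uuids=(),
                 identity_uuid=None, hidden=False, allow_trust_exceptions=False,
                 outer_identity=None, priority=0, proxy_pac_url=None):
    """Build one com.apple.wifi.managed payload for a WPA2 Enterprise SSID.

    Field names in comments are the Core fields from the table; the key mapping
    is an assumption made for this example.
    """
    eap = {
        "AcceptEAPTypes": [EAP_TYPES[t] for t in eap_types],          # EAP Type
        "PayloadCertificateAnchorUUID": list(anchor_uuids),           # Apply to Certificates
        "TLSTrustedServerNames": list(trusted_server_names),          # Trusted Certificate Names
        "TLSAllowTrustExceptions": allow_trust_exceptions,            # Allow Trust Exceptions
    }
    if outer_identity:
        eap["OuterIdentity"] = outer_identity                         # Outer Identity (TTLS/PEAP)
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,                                             # Network Name (SSID)
        "HIDDEN_NETWORK": hidden,                                     # Hidden Network
        "AutoJoin": True,                                             # Auto Join
        "EncryptionType": "WPA2",                                     # Authentication
        "EAPClientConfiguration": eap,
        "Priority": priority,                                         # Priority (iOS 7)
        "ProxyType": "Auto" if proxy_pac_url else "None",             # Proxy Type
    }
    if proxy_pac_url:
        payload["ProxyPACURL"] = proxy_pac_url                        # Proxy PAC URL
    if identity_uuid:
        payload["PayloadCertificateUUID"] = identity_uuid             # Identity Certificate (EAP-TLS)
    return payload


def audit(payload):
    """Return findings for settings that weaken authentication of the network side."""
    findings = []
    eap = payload.get("EAPClientConfiguration", {})
    types = eap.get("AcceptEAPTypes", [])
    if eap.get("TLSAllowTrustExceptions"):
        findings.append("trust exceptions allowed: a user can accept a rogue RADIUS certificate")
    if not eap.get("PayloadCertificateAnchorUUID") and not eap.get("TLSTrustedServerNames"):
        findings.append("no CA anchor and no trusted server names: server identity is unchecked")
    if EAP_TYPES["EAP-TLS"] in types and not payload.get("PayloadCertificateUUID"):
        findings.append("EAP-TLS selected without an identity certificate")
    if EAP_TYPES["LEAP"] in types:
        findings.append("LEAP enabled: its challenge/response can be cracked offline")
    if payload.get("ProxyType") == "Auto" and not payload.get("ProxyPACURL", "").startswith("https://"):
        findings.append("PAC file fetched over plain HTTP can be altered on the wire")
    return findings


def to_mobileconfig(payloads, name="Corporate Wi-Fi"):
    """Wrap payloads in a top-level profile and serialize it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    corp = wifi_payload("CorpNet", ["EAP-TLS"],
                        trusted_server_names=["radius.corp.example.com"],
                        anchor_uuids=["ANCHOR-CA-UUID"], identity_uuid="SCEP-ID-UUID")
    print(audit(corp) or "no findings")
    print(to_mobileconfig([corp]).decode())
```

Run the audit against every Wi-Fi configuration before it is published; an empty result means the server certificate is pinned to an uploaded CA or a named server and users are never given the option to override it.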

WPA Personal authentication


Use the following guidelines to configure WPA Personal authentication.

Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name Enter the name (i.e., service set identifier) of the Wi-Fi
(SSID) network these settings apply to. This field is case sensi-
tive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA Personal.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For WPA
Personal authentication, the following encryption options
are available:
AES
TKIP
Network Key Not Applicable for iOS. Enter the network key necessary
for accessing this network. The key should be at least 8
characters long; WPA passphrases allow 8 to 63 ASCII
characters. Use a long random key: the WPA handshake can
be captured by anyone in range and the key guessed offline.
Confirm Network Not Applicable for iOS. Re-enter the network key to con-
Key firm.
EAP Type Not applicable.
Connects To Select Internet or Work.


iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.

WPA2 Personal authentication


Use the following guidelines to configure WPA2 Personal authentication.

Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name Enter the name (i.e., service set identifier) of the Wi-Fi
(SSID) network these settings apply to. This field is case sensi-
tive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA2 Personal.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For WPA2
Personal authentication, the following encryption options
are available:
AES
TKIP
Network Key Not Applicable for iOS. Enter the network key necessary
for accessing this network. The key should be at least 8
characters long.
Confirm Network Not Applicable for iOS. Re-enter the network key to con-
Key firm.
EAP Type Not applicable.
Connects To Select Internet or Work.


iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.

Supported variables
You can use the following variables in fields that support variables.
$PASSWORD$ (only supported in the password field)
$EMAIL$
$USERID$
$DEVICE_MAC$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
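The following is an added example, not MobileIron code, that models the two rules stated above and in the Password rows of the Wi-Fi tables: a token is a valid variable only if it is in the supported list for that field ($PASSWORD$ is valid only in the password field, $NULL$ yields a blank field, anything else is literal text), and an administrator sees the configured value only up to the last valid variable, with everything after it hidden. The sample user record is constructed; how Core stores the hidden portion internally is not described on the page and is not modelled.

```python
import re

# Variables the page lists for Wi-Fi fields. $PASSWORD$ is accepted only in the
# password field, so which tokens count as "valid" depends on the field.
COMMON_VARIABLES = {
    "$EMAIL$", "$USERID$", "$DEVICE_MAC$", "$NULL$",
    "$USER_CUSTOM1$", "$USER_CUSTOM2$", "$USER_CUSTOM3$", "$USER_CUSTOM4$",
}
PASSWORD_ONLY = {"$PASSWORD$"}

# Anything shaped like $NAME$ is a candidate token; only listed names are valid.
TOKEN = re.compile(r"\$[A-Z0-9_]+\$")

# Constructed sample user record (assumption: Core resolves these values from LDAP).
SAMPLE_USER = {
    "$USERID$": "jdoe",
    "$EMAIL$": "jdoe@example.com",
    "$PASSWORD$": "hunter2",
    "$DEVICE_MAC$": "00:11:22:33:44:55",
    "$USER_CUSTOM1$": "engineering",
}


def valid_variables(field):
    """Valid variable names for a field; 'password' additionally accepts $PASSWORD$."""
    return COMMON_VARIABLES | (PASSWORD_ONLY if field == "password" else set())


def expand(template, field, user):
    """Substitute valid variables with the user's values.

    $NULL$ expands to the empty string (a blank field on the device); a token that
    is not valid for this field is left as literal text; a valid variable the user
    record lacks also becomes empty (assumption, the page does not say).
    """
    allowed = valid_variables(field)

    def repl(match):
        name = match.group(0)
        if name not in allowed:
            return name
        if name == "$NULL$":
            return ""
        return user.get(name, "")

    return TOKEN.sub(repl, template)


def admin_visible_split(template, field):
    """Split the configured value into (visible, hidden) for administrators.

    Text up to and including the last valid variable is shown in the Admin Portal;
    anything after it is hidden. With no valid variable at all the whole value is
    treated as hidden (assumption: the page only defines the boundary).
    """
    allowed = valid_variables(field)
    boundary = 0
    for match in TOKEN.finditer(template):
        if match.group(0) in allowed:
            boundary = match.end()
    return template[:boundary], template[boundary:]


if __name__ == "__main__":
    print(expand("$PASSWORD$_$USERID$", "password", SAMPLE_USER))
    print(admin_visible_split("$PASSWORD$-$USERID$static-suffix", "password"))
```

The split function is the useful check when a Wi-Fi password field is being designed: place any static secret after the last valid variable, or it will be readable by every Core administrator who opens the configuration.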


VPN settings

Platform support:
Android: yes (a)
iOS: yes
OS X: yes
Win 7: -
WP8: -
WP8.1: yes
Win 8.1 RT/Pro: yes

a. Supported for Cisco's AnyConnect VPN client on Android.

Select Policies & Configs > Configurations > Add New > VPN to configure VPN access.
The fields that appear in the New VPN Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the Connection
Type field.

Note the following for Windows 8.1 for RT and Pro devices:
If you change the name of a VPN profile, it is pushed as a new profile to the device.
Under Settings > Preferences, the Save User Password Preferences setting is not
supported. If a VPN setting with Username as $USERID$ and Password as
$PASSWORD$ is pushed to the device, the user is still prompted for a password.
Only PPTP, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect VPN types are
supported.

Note the following for WP8.1 devices:
Only IKEv2 is supported.
If you change the name of a VPN profile, it is pushed as a new profile to the device.

PPTP
Use the following guidelines to configure PPTP VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select PPTP (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concern-
ing which identifier is exposed.
See Supported variables on page 294.

Password Specify the password to use. The default value is
$PASSWORD$. Use this field to specify a custom format, such as
$PASSWORD$_$USERID$.
See Supported variables on page 294.
Authentication Select the authentication method to use: Password or RSA
SecureID.
Encryption Level Select None, Automatic or Maximum (128 bit). PPTP's
authentication and MPPE encryption are considered broken;
treat it as a legacy option and prefer another connection
type wherever the VPN server supports one.
Domain Specify the network domain.
Send all Traffic Routes all device traffic through the VPN tunnel instead of
only the traffic destined for the VPN's networks (split
tunneling). Select it to keep application traffic off
untrusted networks, such as public Wi-Fi.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.

L2TP
Use the following guidelines to configure L2TP VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select L2TP (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concern-
ing which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is
$PASSWORD$. Use this field to specify a custom format, such as
$PASSWORD$_$USERID$. This field does not display if you
selected RSA SecureID for authentication.
See Supported variables on page 294.
Authentication Select the authentication method to use: Password or RSA
SecureID.
Shared Secret The shared secret passcode. This is not the user's
password; the shared secret must be specified to initiate a
connection.

Confirm Shared Re-enter the shared secret to confirm.
Secret
Send all Traffic Routes all device traffic through the VPN tunnel instead of
only the traffic destined for the VPN's networks (split
tunneling). Select it to keep application traffic off
untrusted networks, such as public Wi-Fi.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.

IPSec (Cisco)
Use the following guidelines to configure IPSec (Cisco) VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select IPSec (Cisco).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concern-
ing which identifier is exposed.
See Supported variables on page 294.
XAuth Enabled Specifies that IPsec XAuth authentication is enabled.
Select this option if your VPN requires two-factor authenti-
cation, resulting in a prompt for the password. This option
is enabled by default.
Password Specify the password to use. The default value is
$PASSWORD$. Use this field to specify a custom format, such as
$PASSWORD$_$USERID$.
See Supported variables on page 294.
Authentication Select the authentication method to use: Shared Secret/
Group Name or Certificate.
Group Name Shared Secret/Group Name authentication.
Specify the name of the group to use. If Hybrid Authenti-
cation is used, the string must end with [hybrid].
Shared Secret Shared Secret/Group Name authentication.
The shared secret passcode. This is not the user's
password; the shared secret must be specified to initiate a
connection.

Confirm Shared Shared Secret/Group Name authentication.
Secret Re-enter the shared secret to confirm.
Use Hybrid Authenti- Shared Secret/Group Name authentication.
cation Select to specify hybrid authentication, i.e., server pro-
vides a certificate and the client provides a pre-shared
key.
Prompt for Password Shared Secret/Group Name authentication.
Specify whether the user should be prompted for a pass-
word when connecting.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
Include User PIN Certificate authentication.
Select to prompt the user for a PIN.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and
Changing iOS app information on page 499 for informa-
tion on how to add or edit iOS apps.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.

On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Click to add a new On Demand matching rule.
Rule
Action Select one of the following actions to apply to the match-
ing rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.

Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe

Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match
against the domain being accessed. Wildcard '*' prefix is
supported, e.g. *.example.com would match
anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match
against. All DNS servers have to match the device's
current DNS servers or this match will fail. Wildcard '*' is
supported, e.g. 1.2.3.* would match any DNS servers with
1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current
network. If the network is not a Wi-Fi network or if its
SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server.
This is used to probe for reachability. Redirection is not
supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN
connection attempt if domain name resolution fails. For
example: The DNS server indicates that it cannot
resolve the domain, or responds with a redirection to a
different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a
VPN connection attempt.

Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)

Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation
applies. Wildcard prefixes are supported, for example,
*.example.com.
Required DNS Server: Enter a list of IP addresses of DNS
servers to use for resolving the domains. These servers do
not need to be part of the device's current network
configuration. If these DNS servers are not reachable, VPN
is triggered. Either configure an internal DNS server or a
trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred)
URL. The device probes this URL using a GET request.
The probe is successful if the DNS resolution for this
server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.

Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules Select the action for the Default Rule.
above match or if
there is no rule
defined, choose VPN
connection to:

Safari Domains (iOS 7 only) Certificate authentication.


If the server ends with one of these domain names, the device user can VPN to
the domain in Safari.
Note: You must update your VPN software to a version that supports per app VPN.
Safari Domain Enter a domain name.
Only alphanumeric characters and periods (.) are sup-
ported.
Description Enter a description for the domain.
Add New Click to add a domain.
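The On Demand Rules described above (and the identical rule set in the Cisco AnyConnect table later in this section) are worth working through, because a rule that matches too broadly leaves traffic off the tunnel on a hostile network. The following is an added example, not MobileIron code, that evaluates a constructed rule set against snapshots of the device's network state: rules are tried in order and every Type/Value pair in a rule must match, the first matching rule wins, the Default Rule applies otherwise, and an Evaluate Connection rule decides per host from its Domain Action lists. The AND-of-pairs and first-match ordering are assumptions about how Core applies the rules; the URL probe is a constructed callable standing in for the GET request, so the example runs offline.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class NetworkState:
    """Snapshot of the primary interface, the input the rules are evaluated against."""
    interface: str                    # "Wifi" or "Cellular", the Interface Type values on the page
    ssid: Optional[str] = None
    dns_servers: list = field(default_factory=list)
    dns_domains: list = field(default_factory=list)   # domains of the current network (assumption)


@dataclass
class Rule:
    action: str                                    # Connect, Disconnect, Allow, Ignore, Evaluate Connection
    matches: list = field(default_factory=list)    # (Type, [values]) pairs; all must match (assumption)
    domain_actions: list = field(default_factory=list)  # Evaluate Connection only: (Domain Action, [domains])


def _pair_matches(kind, values, net, probe):
    """Apply one Type/Value pair to the network state."""
    if kind == "DNS Domain":
        return any(fnmatchcase(d, v) for d in net.dns_domains for v in values)
    if kind == "Interface Type":
        return net.interface in values
    if kind == "DNS Server Address":
        # every current DNS server must match one of the listed patterns (1.2.3.* style)
        return bool(net.dns_servers) and all(
            any(fnmatchcase(s, v) for v in values) for s in net.dns_servers)
    if kind == "SSID":
        return net.interface == "Wifi" and net.ssid in values
    if kind == "URL String Probe":
        return all(probe(url) for url in values)
    raise ValueError(f"unknown match type: {kind}")


def select_rule(rules, default_action, net, probe):
    """First rule whose pairs all match wins; otherwise the Default Rule's action applies."""
    for rule in rules:
        if all(_pair_matches(kind, values, net, probe) for kind, values in rule.matches):
            return rule
    return Rule(default_action)


def decide_for_host(rule, host, dns_resolved):
    """Per-host outcome: non-Evaluate rules return their action; Evaluate Connection
    applies the first Domain Action whose domain list matches the host."""
    if rule.action != "Evaluate Connection":
        return rule.action
    for domain_action, domains in rule.domain_actions:
        if any(host == d or fnmatchcase(host, d) for d in domains):
            if domain_action == "Connect if needed":
                return "Connect" if not dns_resolved else "Ignore"
            return "Ignore"                      # Never connect
    return "Ignore"                              # no domain listed: leave the connection alone


# Constructed sample rule set (not from the page): stay off VPN on the corporate SSID
# or when an internal probe answers, always connect on cellular, otherwise decide per host.
SAMPLE_RULES = [
    Rule("Disconnect", [("Interface Type", ["Wifi"]), ("SSID", ["CorpNet"])]),
    Rule("Connect", [("Interface Type", ["Cellular"])]),
    Rule("Disconnect", [("DNS Server Address", ["10.0.*"]),
                        ("URL String Probe", ["https://probe.corp.example.com/"])]),
    Rule("Evaluate Connection", [], [
        ("Connect if needed", ["*.corp.example.com"]),   # more specific list goes first
        ("Never connect", ["*.example.com"]),
    ]),
]
DEFAULT_ACTION = "Ignore"

REACHABLE = {"https://probe.corp.example.com/"}   # constructed; stands in for a real GET


def sample_probe(url):
    return url in REACHABLE


if __name__ == "__main__":
    cafe = NetworkState("Wifi", ssid="Cafe", dns_servers=["8.8.8.8"])
    rule = select_rule(SAMPLE_RULES, DEFAULT_ACTION, cafe, sample_probe)
    print(rule.action, decide_for_host(rule, "intranet.corp.example.com", dns_resolved=False))
```

Two points the walk-through makes concrete: an SSID alone is trivially spoofed, so the sample "Disconnect" rule for the corporate network is paired with an internal DNS pattern and an HTTPS probe to a server whose certificate the device trusts, and the domain lists under Evaluate Connection are order-sensitive, so the more specific pattern must precede the broader one.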


IKEv2
Use the following guidelines to configure IKEv2 VPN.

IKEv2 settings are used only for WP8.1 devices.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select IKEv2 (WP8.1 only).
Server Enter the IP address, hostname, or URL for the VPN server.
Proxy Select None, Manual or Automatic to configure a proxy. If
you select Manual, you must specify the proxy server
name and port number. If you select Automatic, you must
specify the proxy server URL.
Note: WP8.1 devices do not currently support Automatic
Proxy.
Proxy Server URL Automatic Proxy
Enter the URL for the proxy server.
Proxy Server Manual Proxy
Enter the name for the proxy server.
Proxy Server Port Manual Proxy
Enter the port for the proxy server.
Type Manual Proxy
Select Static or Variable.
Proxy Server User Manual Proxy
Name If the type is Static, enter the username for the proxy
server
If the type is Variable, the default variable selected is
$USERID$.
Note: WP8.1 devices do not support Proxy Server User
Name.
Proxy Server Manual Proxy
Password If the type is Static, enter the password for the proxy
server
If the type is Variable, the default variable selected is
$PASSWORD$.
Note: WP8.1 devices do not support Proxy Server Pass-
word.

Username Specify the user name to use. The default value is
$USERID$. Use this field to specify an alternate format.
For example, your standard might be $EMAIL$.
Why: Some enterprises have a strong preference
concerning which identifier is exposed.
Custom variables are not supported. See Supported
variables.
User Authentication Select the authentication method to use: Password or
Certificate.
Password Specify the password to use. The default value is
$PASSWORD$. Use this field to specify a custom format,
such as $PASSWORD$_$USERID$.
Custom variables are not supported. See Supported
variables.
Identity Certificate Certificate User Authentication
Select the WIN*SCEP setting generated using reverse
proxy.

Supported variables
You can use the following variables in fields that support variables:
$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

Enter $NULL$ if you want the field presented to the user to be blank.

Note the following:
WP8.1 devices do not support pushing $USERID$ and $PASSWORD$ to the device in
VPN settings. The device user must enter username and password to connect to
VPN.
For certificate authentication, WP8.1 devices only support identity certificates using
SCEP reverse proxy.


Samsung KNOX IPsec


Samsung KNOX IPsec is used for VPN access in the Samsung KNOX container
(Android Samsung KNOX Container settings on page 239). Use the following guide-
lines to configure Samsung KNOX IPsec.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Samsung KNOX IPsec.
Server Enter the IP address, hostname, or URL for the VPN server.
Backup Server Enter the IP address, hostname, or URL for the fallback
server to use in the event that the primary server is not
available.
Authentication Type Select the authentication method to use: Pre-Shared Key
or Certificate.
Shared Secret Pre-Shared Secret authentication.
The shared secret passcode. This is not the user's
password; the shared secret must be specified to initiate a
connection.
Confirm Shared Pre-Shared Secret authentication.
Secret Re-enter the shared secret to confirm.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
CA Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
User Authentication Select to enable user authentication as an additional fac-
tor.
Username If User Authentication is selected, review the default vari-
able to determine if it meets your needs. If it does not
meet your needs, enter a different variable. See Sup-
ported variables on page 294.
Password If User Authentication is selected, review the default
variable to determine if it meets your needs. If it does not
meet your needs, enter a different variable. See Supported
variables on page 294.
IKE Version Enter the Internet Key Exchange (IKE) version in use by
your IPsec VPN server. IPsec uses the IKE to negotiate the
protocols and algorithms used for the connection, and to
generate the encryption and authentication keys.

Phase 1 Mode If you entered IKE version 1, select the Phase 1 mode of
operation in use by your IPsec VPN server:
Main: Has three two-way exchanges between the initiator
and the receiver, and protects the peer identities.
Aggressive: Fewer exchanges are made, and with fewer
packets, but identities are sent in the clear and a captured
exchange lets an attacker guess the pre-shared key offline.
Prefer Main mode, or certificate authentication, where the
server allows it.
Group ID Type Select the Group ID type your IPsec VPN server uses to
authenticate to IKE peers.
Group Name Enter the group name for your IPsec VPN server. This
name corresponds to the value selected in Group ID Type.

Cisco AnyConnect
Use the following guidelines to configure Cisco AnyConnect VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Cisco AnyConnect (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concern-
ing which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASS-
WORD$. Use this field to specify a custom format, such as
$PASSWORD$_$USERID$.
See Supported variables on page 294.
Group Specify the name of the group to use.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.

Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.

You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and
Changing iOS app information on page 499 for informa-
tion on how to add or edit iOS apps.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule, you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection

Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule or a matching rule.

Matching Rules:
For each matching rule to which the action is applied, enter the Type and Value pairs.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. The wildcard prefix '*' is supported; for example, *.example.com matches anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. The wildcard '*' is supported; for example, 1.2.3.* matches any DNS server with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. It is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example, the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.

Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Configure either an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.

Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to:
Select the action for the Default Rule.

Safari Domains (iOS 7 only) Certificate authentication.

If the server ends with one of these domain names, the device user can VPN to the domain in Safari.
Note: You must update your VPN software to a version that supports Per App VPN.
Safari Domain Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.

Juniper SSL (Junos Pulse)

Use the following guidelines to configure Juniper SSL VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Juniper SSL.
Server Enter the IP address, hostname, or URL for the VPN server.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
User Name Specify the user name to use for authentication. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
User Authentication Select Password or Certificate.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Role Specify the Juniper user role to use as a restriction.
Realm Specify the Juniper realm to use as a restriction.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
iOS only. Select to enable the VPN on Demand section.
Click Add New to specify a domain or hostname and the
preferred connection option.

Per app VPN Certificate authentication.
iOS 7 and iOS 7.1 only. Select Yes to create a per app VPN
setting.
Note the following:
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.

You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule, you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule or a matching rule.

Matching Rules:
For each matching rule to which the action is applied, enter the Type and Value pairs.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. The wildcard prefix '*' is supported; for example, *.example.com matches anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. The wildcard '*' is supported; for example, 1.2.3.* matches any DNS server with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. It is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example, the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.

Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.

Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Configure either an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.

Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to:
Select the action for the Default Rule.

Safari Domains (iOS 7 only) Certificate authentication.

If the server ends with one of these domain names, the device user can VPN to the domain in Safari.
Note: You must update your VPN software to a version that supports Per App VPN.
Safari Domain Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.

F5 SSL
Use the following guidelines to configure F5 SSL VPN.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select F5 SSL (iOS and OSX only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.

Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.

You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule, you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection

Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule or a matching rule.

Matching Rules:
For each matching rule to which the action is applied, enter the Type and Value pairs.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. The wildcard prefix '*' is supported; for example, *.example.com matches anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. The wildcard '*' is supported; for example, 1.2.3.* matches any DNS server with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. It is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example, the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.

Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Configure either an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.

Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to:
Select the action for the Default Rule.

Safari Domains (iOS 7 only) Certificate authentication.

If the server ends with one of these domain names, the device user can VPN to the domain in Safari.
Note: You must update your VPN software to a version that supports Per App VPN.
Safari Domain Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.

Custom SSL for iOS

The Custom SSL connection type is for SSL VPN solutions that have a third-party app
in the App Store. Use the following guidelines to configure a custom SSL solution.

Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Custom SSL (iOS and OSX only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Identifier App Store identifier for the VPN app being configured. The
app creator should provide this information.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.

Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.

You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
Custom Data Key/value pairs necessary to configure the app. Click Add
New to display a popup for entering each pair. The app
creator should provide the necessary key/value pairs.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule, you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.

Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule or a matching rule.

Matching Rules:
For each matching rule to which the action is applied, enter the Type and Value pairs.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. The wildcard prefix '*' is supported; for example, *.example.com matches anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. The wildcard '*' is supported; for example, 1.2.3.* matches any DNS server with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. It is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.

Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example, the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.

Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Configure either an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.

Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to:
Select the action for the Default Rule.

Safari Domains (iOS 7 only) Certificate authentication.

If the server ends with one of these domain names, the device user can VPN to the domain in Safari.
Note: You must update your VPN software to a version that supports Per App VPN.
Safari Domain Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.
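The On Demand Rules tables above (repeated for each SSL VPN connection type) describe matching rules, the Default Rule, and the Evaluate Connection action parameters separately. The following Python model is an added example written for this guide, not MobileIron or Apple code; it shows how those pieces combine on constructed network states. Assumptions the tables do not state: rules are evaluated in the order they were added and the first rule whose Type/Value pairs all match wins; "all DNS servers have to match" is read as every listed address pattern matching at least one of the device's current DNS servers; a host that no Action Parameter covers under Evaluate Connection is allowed without VPN. DNS resolution and reachability are injected callables so the example runs offline.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional

# Hypothetical model of VPN On Demand rule evaluation (added example, not
# MobileIron or Apple code). Assumed semantics: first fully matching rule
# wins; every DNS Server Address pattern must match a current DNS server;
# a host with no covering Action Parameter is allowed without VPN.

@dataclass
class NetworkState:
    interface: str                    # "Wifi" or "Cellular"
    ssid: Optional[str]               # None when not on a Wi-Fi network
    dns_servers: List[str]            # device's current DNS servers
    resolves: Callable[[str], bool]   # injected stand-in: does DNS resolution succeed?
    reachable: Callable[[str], bool]  # injected stand-in: is this DNS server / probe URL reachable?

@dataclass
class MatchingRule:
    action: str                                                # Connect, Disconnect, Allow, Ignore, Evaluate Connection
    match: Dict[str, List[str]] = field(default_factory=dict)  # Type -> values
    params: List[dict] = field(default_factory=list)           # Action Parameters (Evaluate Connection)

def domain_matches(pattern: str, host: str) -> bool:
    """'*' prefix wildcard: *.example.com matches anything.example.com, not example.com."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern

def pair_matches(kind: str, values: List[str], state: NetworkState, host: str) -> bool:
    """Evaluate one Type/Value pair with the semantics from the Value row above."""
    if kind == "DNS Domain":
        return any(domain_matches(p, host) for p in values)
    if kind == "Interface Type":
        return state.interface in values
    if kind == "DNS Server Address":   # 1.2.3.* matches any server with the 1.2.3. prefix
        return all(any(fnmatchcase(s, p) for s in state.dns_servers) for p in values)
    if kind == "SSID":                 # fails when not on Wi-Fi or the SSID is not listed
        return state.interface == "Wifi" and state.ssid in values
    if kind == "URL String Probe":     # the trusted HTTPS server must be reachable
        return all(state.reachable(url) for url in values)
    raise ValueError(f"unknown match type: {kind}")

def select_rule(rules, default_action, state, host):
    """First rule whose pairs all match wins; otherwise the Default Rule applies."""
    for rule in rules:
        if all(pair_matches(k, v, state, host) for k, v in rule.match.items()):
            return rule.action, rule
    return default_action, None

def evaluate_connection(rule: MatchingRule, state: NetworkState, host: str) -> str:
    """Apply the Evaluate Connection Action Parameters to one host."""
    for p in rule.params:
        if not any(domain_matches(d, host) for d in p["Domain"]):
            continue
        if p["DomainAction"] == "Never connect":
            return "Never connect"
        # Connect if needed: VPN is triggered when resolution fails, a Required
        # DNS Server is unreachable, or the Required URL Probe fails.
        if not state.resolves(host):
            return "Connect"
        if any(not state.reachable(s) for s in p.get("Required DNS Server", [])):
            return "Connect"
        probe = p.get("Required URL Probe")
        if probe and not state.reachable(probe):
            return "Connect"
        return "Allow"
    return "Allow"

# Constructed rule set: the Disconnect rule requires both the corporate SSID and
# the corporate DNS prefix, so a network that merely copies the SSID does not match.
RULES = [
    MatchingRule("Disconnect", {"SSID": ["CorpWiFi"], "DNS Server Address": ["10.1.1.*"]}),
    MatchingRule("Ignore", {"Interface Type": ["Cellular"],
                            "URL String Probe": ["https://probe.example.com/"]}),
    MatchingRule("Evaluate Connection", {"Interface Type": ["Wifi"]}, params=[
        {"Domain": ["*.example.com"], "DomainAction": "Connect if needed",
         "Required DNS Server": ["10.1.1.53"],
         "Required URL Probe": "https://intranet.example.com/probe"},
        {"Domain": ["public.example.org"], "DomainAction": "Never connect"},
    ]),
]
DEFAULT_RULE = "Connect"

def demo() -> Dict[str, str]:
    """Run the constructed rules against constructed network states."""
    corp = NetworkState("Wifi", "CorpWiFi", ["10.1.1.53", "10.1.1.54"], lambda h: True, lambda u: True)
    cafe = NetworkState("Wifi", "CafeNet", ["192.0.2.1"], lambda h: False, lambda u: False)
    cell_up = NetworkState("Cellular", None, ["198.51.100.1"], lambda h: True, lambda u: True)
    cell_down = NetworkState("Cellular", None, ["198.51.100.1"], lambda h: True, lambda u: False)
    out = {
        "corp": select_rule(RULES, DEFAULT_RULE, corp, "mail.example.com")[0],
        "cellular": select_rule(RULES, DEFAULT_RULE, cell_up, "mail.example.com")[0],
        "default": select_rule(RULES, DEFAULT_RULE, cell_down, "mail.example.com")[0],
    }
    action, rule = select_rule(RULES, DEFAULT_RULE, cafe, "mail.example.com")
    out["cafe"] = action
    out["cafe_intranet"] = evaluate_connection(rule, cafe, "mail.example.com")
    out["cafe_public"] = evaluate_connection(rule, cafe, "public.example.org")
    return out
```

The ordering matters for a defender: a Disconnect rule keyed on SSID alone would drop the VPN on any network that reuses that SSID, which is why the constructed rule also requires the corporate DNS server prefix, and why the Default Rule in this example is Connect rather than Allow.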

Supported variables
You can use the following variables in fields that support variables:
$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
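The variables above are substituted into fields such as the VPN User Name and Password formats ($PASSWORD$_$USERID$) and, with $USER_DN$ and $DEVICE_CLIENT_ID$, into the SCEP Subject described later in this chapter. The following Python expander is an added example, not MobileIron code; the set of variable names is assembled from this guide's lists (which fields accept which variable is decided by Core per field, and is not modelled here), and the user record is constructed sample data. The one behaviour worth noting is that an unknown or unset variable is rejected rather than sent to the device as a literal placeholder.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical expander for the guide's $NAME$ variables (added example, not
# MobileIron code). SUPPORTED is assembled from the lists in this chapter.
VARIABLE = re.compile(r"\$([A-Z0-9_]+)\$")
CUSTOM = {f"USER_CUSTOM{i}" for i in range(1, 5)}
SUPPORTED = {"USERID", "EMAIL", "PASSWORD", "NULL", "USER_DN", "USER_UPN",
             "DEVICE_CLIENT_ID"} | CUSTOM

def expand(template: str, record: Dict[str, str]) -> str:
    """Replace each $NAME$ with the record value; $NULL$ expands to the empty string.
    A name that is not a supported variable, or has no value for this user, raises
    instead of being pushed to the device as a literal placeholder, so a typo in a
    format string cannot end up inside a credential or a certificate subject."""
    def substitute(m) -> str:
        name = m.group(1)
        if name == "NULL":
            return ""
        if name not in SUPPORTED:
            raise ValueError(f"${name}$ is not a supported variable")
        if name not in record:
            raise KeyError(f"no value for ${name}$ in the user record")
        return record[name]
    return VARIABLE.sub(substitute, template)

def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a comma-separated X.509 name such as C=US,DC=com,OU=InfoTech into
    (attribute, value) pairs, rejecting any component that lacks '='."""
    pairs = []
    for rdn in subject.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed subject component: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

# Constructed sample user record (not real data).
USER = {
    "USERID": "jdoe",
    "EMAIL": "jdoe@example.com",
    "PASSWORD": "example-password",
    "USER_CUSTOM1": "InfoTech",
    "USER_DN": "CN=Jane Doe,OU=InfoTech,DC=example,DC=com",
    "DEVICE_CLIENT_ID": "device0001",
}

def demo() -> dict:
    """Expand the formats shown in this chapter against the constructed record."""
    return {
        "user_name": expand("$USERID$", USER),                    # jdoe
        "password": expand("$PASSWORD$_$USERID$", USER),          # example-password_jdoe
        "blank": expand("$NULL$", USER),                          # ""
        "subject": parse_subject(
            expand("CN=www.mobileiron.com-$DEVICE_CLIENT_ID$,OU=$USER_CUSTOM1$", USER)),
        "user_dn": parse_subject(expand("$USER_DN$", USER)),
    }
```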

iOS VPN profiles and password caching

To facilitate iOS deployments, MobileIron offers the option of caching a user's VPN password. This option is turned off by default. Cached passwords are encrypted, stored on the appliance, and used only for authentication. Note that the password must match the LDAP password in order for this feature to be of use.

MobileIron Tunnel
Use this setting to configure per app VPN with MobileIron Tunnel.

Use the following guidelines to configure MobileIron Tunnel:

Item Description
Name Enter a name for the MobileIron Tunnel VPN profile.
Description Enter a description for the profile.
Connection Type Select MobileIron Tunnel.
Only fields relevant to MobileIron Tunnel are displayed.
Sentry Select the Sentry on which you created the TCP tunnel
service.
Sentry Service Select the TCP service that the Safari domain or managed
app will use.

Identity Certificate Select the SCEP setting you created.

Custom Data (optional)

Enter a Key/Value pair to configure the MobileIron Tunnel VPN disconnect behavior.
Key Enter disconnectTimeoutInSeconds.
The VPN is disconnected after the number of seconds
entered in the Value field. The default is 60 seconds.
Value Enter 0 or a number greater than 0.
If the value is 0, then the MobileIron Tunnel VPN is never
disconnected. You have to manually disconnect the VPN in
the MobileIron Tunnel.
If the value is > 0, the MobileIron Tunnel VPN is disconnected after the number of seconds entered.
Add New Click to add a key-value pair.
Key Enter debugInfoRecipient.
Value Enter an email address to forward the debug information.

Safari Domains
The device user can access servers ending with these domains in Safari.
Safari Domain Enter a domain name.
Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.

AppConnect settings
Configuring an AppConnect app can involve the following configurations:
AppConnect configuration
This configuration is necessary if the AppConnect app requires app tunneling or
app-specific configurations.
See Configuring an AppConnect app configuration on page 614.
AppConnect container policy
The presence of an AppConnect container policy for a device is what authorizes the
app on the device. You also set whether certain features, such as copy/paste or
Open In, are enabled.
See Configuring AppConnect container policies on page 603.

AppConnect Configuration settings

See Configuring an AppConnect app configuration on page 614.

AppConnect Container policy settings

See Configuring AppConnect container policies on page 603.

Bookmarks settings
No longer supported. See Web@Work on page 653 for information on creating bookmarks in Web@Work.

Certificates settings

Android   iOS   OS X   Win 7   WP8
yes       yes   yes    -       yes (a)

a. Only root certificates.

Select Policies & Configs > Configurations > Add New > Certificates to configure the
necessary identity certificates for your organization.

The following table describes the Certificate settings you can specify:

Item Description
Name Enter brief text that identifies this group of certificate settings.
Description Enter additional text that clarifies the purpose of this
group of certificate settings.
File Name Click the Browse button to select the certificate to be
uploaded to the MobileIron Server. Note that the certificate
will also appear in the File Management page.
Password Specify any password required for decrypting the certificate.
Confirm Password Enter the password again to match and confirm.

SCEP settings

Android   iOS   OS X   Win 7   WP8   WP8.1     Win 8.1 RT/Pro
yes       yes   yes    -       yes   yes (b)   yes

b. Identity certificates can be distributed via Mobile@Work.

Select Policies & Configs > Configurations > Add New > SCEP to specify settings that
allow the device to obtain certificates from a CA using Simple Certificate Enrollment
Protocol (SCEP).
Creating a SCEP entry is part of a larger process of setting up a SCEP server to support authentication for VPN on demand, Wi-Fi, Exchange ActiveSync, and so on. A default SCEP setting is included for the built-in SCEP server, which supports iOS and OS X enrollment.

We recommend using a separate SCEP setting for each configuration.

Item Description
Name Enter brief text that identifies this group of SCEP settings.
Description Enter additional text that clarifies the purpose of this
group of SCEP settings.
Enable Proxy Indicate whether to enable proxy functions. See Why
proxy? on page 304.
Cache locally generated keys Specifies whether MobileIron Core stores the private keys sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.
User Certificate Specifies that the certificate is distributed to multiple
devices assigned to a single user.
Device Certificate Specifies that the certificate is bound to the given device.

Setting Type Select SCEP for standard certificate-based authentication using a separate CA.
Select Local if you are using MobileIron Core as the CA.
Select Symantec Managed PKI if you are using Symantec's SCEP solution. See Using Symantec Managed PKI on page 305 for more information.
Select User Provided if device users will upload their personal certificates, as they would for S/MIME apps. The MyPhone@Work user portal includes a certificate upload section for this purpose.
Select OpenTrust if you are using the OpenTrust integration. See Using the OpenTrust integration on page 305.
Select Symantec Web Services Managed PKI if you are using the Symantec Web Services Managed PKI solution. See Using Symantec Web Services Managed PKI on page 308 for more information.

URL Enter the URL for the server that corresponds to the
selected setting type.
For example, if you selected SCEP in the Setting Type field,
enter the URL for the SCEP server.
For iOS and OSX: Note that iOS and OSX do not support
https with self-signed certificates. Therefore, should you
choose to use https, you must have a trusted certificate
installed for the portal certificate in order for provisioning
to function properly.
Certificate See Using the OpenTrust integration on page 305.
MPS Mobile Profiles See Using the OpenTrust integration on page 305.
Description See Using the OpenTrust integration on page 305.
Application Description See Using the OpenTrust integration on page 305.
Subject Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user's fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com.
You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.
Refer to X.509 Codes for information about X.509 OIDs.
For ease of configuration, you can also use the $USER_DN$ variable to populate the Subject with the user's FQDN.


Subject Common Name Type: Select the CN type specified in the certificate template. If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.

Subject Alternative Name Type: Select NT Principal Name, RFC 822 Name, or None, based on the attributes of the certificate template. You can enter four alternative name types.
Note: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate:
Select NT Principal Name.
Select Distinguished Name for a second Subject Alternative Name Type field, if you are using Kerberos server authentication.

Subject Alternative Name Value: Select from the drop-down list of supported variables. Only values valid for the selected Subject Alternative Name Type are shown in the drop-down list.
Note: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate:
Enter $USER_UPN$ for the value corresponding to NT Principal Name.
Enter $USER_DN$ for the value corresponding to Distinguished Name.

Key Size: Select a key size (1024, 2048, or 4096).

CSR Signature Algorithm: Select the signature algorithm for the certificate signing request (CSR).

Key Usage: Specify acceptable use of the key (signing and/or encryption).

Finger Print: If your Certificate Authority uses HTTP, use this field to provide the fingerprint of the CA's certificate. You can enter a SHA1 or MD5 fingerprint.

Challenge Type: Select None, Microsoft SCEP, or Manual to specify the type of challenge to use.

Challenge: For a Manual challenge type, enter a pre-shared secret the SCEP server can use to identify the request or user.

Challenge URL: For a Microsoft SCEP challenge type, enter the URL of the trustpoint defined for your Microsoft CA.

User Name: Enter the user name for the Microsoft SCEP CA.


Password: Enter the password for the Microsoft SCEP CA.

Issue Test Certificate: Click to verify the SCEP settings. A test certificate is generated only if there are no errors in the SCEP setting. A real certificate is not generated.
You can save the SCEP setting without having to generate a test certificate. The SCEP setting will be saved even if there are errors in the setting.
Any errors in the SCEP settings are reported in Settings > Diagnostics.

X.509 Codes
The Subject field uses an X.509 distinguished name. You can use one or more X.509 codes, separated by commas. This table describes the valid X.509 codes:

Code  Name                  Type     Max Size  Example
C     Country/Region        ASCII    2         C=US
DC    Domain Component      ASCII    255       DC=company, DC=com
S     State or Province     Unicode  128       S=California
L     Locality              Unicode  128       L=Mountain View
O     Organization          Unicode  64        O=Company Name, Inc.
OU    Organizational Unit   Unicode  64        OU=Support
CN    Common Name           Unicode  64        CN=www.company.com

Note: If the SCEP entry is not valid, then you will be prompted to correct it; partial and invalid entries cannot be saved.

Why proxy?
Choosing to enable SCEP proxy functions has the following benefits:
A single certificate verifies Exchange ActiveSync, Wi-Fi, and VPN configurations.
There is no need to expose a SCEP listener to the internet.
MobileIron can detect and address revoked and expired certificates.

Supported variables
You can use the following variables in fields that support variables:
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$EMAIL$
$USER_DN$
$USER_UPN$


$USER_LOCALE$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
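To make the Subject rules above concrete, the following is an added example in Go; it is not MobileIron code. It expands a Subject template for one enrolment using $NAME$ variables of the kind listed above, then checks every RDN against the X.509 codes table (code, ASCII or Unicode, maximum size) before the value would be used as a CSR Subject. The variable values are constructed sample data, and the $DEVICE_CLIENT_ID$ and $USER_DN$ templates are the ones given in the Subject description. A value that itself contains a comma is expected in RFC 4514 form, escaped as "\,", so that it is not split into two RDNs; this is an assumption the page does not state, and its "O=Company Name, Inc." example does not show the escape.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// rdnRule mirrors one row of the X.509 codes table: ASCII-only and max length.
type rdnRule struct {
	ascii   bool
	maxSize int
}

var x509Codes = map[string]rdnRule{
	"C": {true, 2}, "DC": {true, 255}, "S": {false, 128}, "L": {false, 128},
	"O": {false, 64}, "OU": {false, 64}, "CN": {false, 64},
}

// Variables have the $NAME$ shape used throughout this chapter.
var varPattern = regexp.MustCompile(`\$([A-Z0-9_]+)\$`)

// expandVariables replaces each $NAME$ token with its value from vars. Unknown
// tokens are reported so a mistyped variable is not sent to the CA literally.
func expandVariables(template string, vars map[string]string) (string, error) {
	var unresolved []string
	out := varPattern.ReplaceAllStringFunc(template, func(tok string) string {
		name := tok[1 : len(tok)-1]
		v, ok := vars[name]
		if !ok {
			unresolved = append(unresolved, name)
			return tok
		}
		return v
	})
	if len(unresolved) > 0 {
		return out, fmt.Errorf("unresolved variables: %v", unresolved)
	}
	return out, nil
}

// splitRDNs splits a DN on unescaped commas, so a value written as
// "O=Company Name\, Inc." (RFC 4514 escaping) stays in one RDN.
func splitRDNs(dn string) []string {
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(dn); i++ {
		switch {
		case dn[i] == '\\' && i+1 < len(dn):
			cur.WriteByte(dn[i])
			i++
			cur.WriteByte(dn[i])
		case dn[i] == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(dn[i])
		}
	}
	return append(parts, cur.String())
}

// validateSubject checks that every RDN uses a code from the table and that
// its value respects that code's character type and maximum size.
func validateSubject(dn string) error {
	for _, rdn := range splitRDNs(dn) {
		code, value, found := strings.Cut(rdn, "=")
		if !found {
			return fmt.Errorf("RDN %q is not in CODE=value form", rdn)
		}
		code = strings.TrimSpace(code)
		rule, ok := x509Codes[code]
		if !ok {
			return fmt.Errorf("unknown X.509 code %q", code)
		}
		if n := utf8.RuneCountInString(value); n > rule.maxSize {
			return fmt.Errorf("%s value is %d characters, max is %d", code, n, rule.maxSize)
		}
		for i := 0; rule.ascii && i < len(value); i++ {
			if value[i] > 127 {
				return fmt.Errorf("%s value must be ASCII: %q", code, value)
			}
		}
	}
	return nil
}

// BuildSubject expands the template for one user/device and validates the
// result, producing the string that would become the CSR Subject.
func BuildSubject(template string, vars map[string]string) (string, error) {
	dn, err := expandVariables(template, vars)
	if err != nil {
		return "", err
	}
	return dn, validateSubject(dn)
}

func main() {
	// Constructed sample values for one enrolment, not real directory data.
	vars := map[string]string{"DEVICE_CLIENT_ID": "A1B2C3",
		"USER_DN": "CN=jdoe,OU=InfoTech,DC=MobileIron,DC=com"}
	dn, err := BuildSubject("CN=www.mobileiron.com-$DEVICE_CLIENT_ID$,OU=InfoTech,DC=MobileIron,DC=com", vars)
	fmt.Println(dn, err)
}
```

The device-specific variable is what binds a Device Certificate to one device; a template that leaves a variable unresolved, or that violates a size limit such as the two-character C code, is rejected before any request reaches the CA, matching the "partial and invalid entries cannot be saved" note above.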

If SCEP integration is not an option
If SCEP integration is not an option for your organization, consider configuring MobileIron Core as an intermediate or root CA. See Local Certificate Authorities: Using the VSP as a CA for more information.

Using Symantec Managed PKI


Symantec Managed PKI support enables you to configure certificate-based authentication. Symantec Managed PKI is a source for certificates that you can reference in a variety of configurations, such as for Exchange, VPN, and AppConnect.

Prerequisites
A valid Symantec VeriSign Managed PKI account is required.
To configure SCEP settings for Symantec Managed PKI, select the Symantec Managed
PKI option in the New SCEP Setting dialog (Policies & Configs > Configurations > Add
New > SCEP).

Selecting this option displays the following Symantec-specific settings:


URL Mode: Specifies the mode and the corresponding URL supplied by Symantec.
CA-Identifier: Required information supplied by Symantec.
Upload Certificate: Used to upload the certificate supplied by Symantec.

Using the OpenTrust integration


MobileIron Core supports integration with the OpenTrust Mobile Provisioning Server (MPS). This integration enables OpenTrust to perform the proxy tasks that would normally be performed by Core.

Compatibility notes
This integration does not involve or support OpenTrust SCEP (decentralized) implementations. It is intended for those who want to deploy a non-SCEP implementation.
This integration does not support pushing Certificate Authority bundles to devices, which is offered by OpenTrust.


MobileIron Core supports one certificate per OpenTrust configuration. OpenTrust supports creating profiles having multiple credentials (called an application in the OpenTrust context). Therefore, the SCEP settings dialog automatically omits OpenTrust profiles that specify multiple credentials.

Pre-requisites
The information in this section assumes the following:
You have the URL for your OpenTrust cloud instance.
You have the client-side JSON connector identity certificate MobileIron Core will use to authenticate to the MPS.
You have implemented a centralized (non-SCEP) OpenTrust cloud.
You have created a Mobile Management Profile on MPS containing a single centralized credential.

Configuring the integration with OpenTrust


Configuring the integration with OpenTrust requires creating a new SCEP configuration. Though SCEP is not supported with this integration, you still specify the integration data as part of a SCEP configuration.

To specify OpenTrust settings:


1. Select Policies & Configs > Configurations > Add New > SCEP.
2. Select Setting Type > OpenTrust.
3. In the URL field, enter the URL for your OpenTrust MPS server (received from OpenTrust).
4. Click Upload Certificate.
5. Click Browse.
6. Select the certificate you created for the integration.
7. Click Upload Certificate.
8. Enter the password for the certificate when prompted.
9. Select the MPS Mobile Profile to use for the integration.
If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that MobileIron Core does not currently support.
The Description and Application Description fields are populated automatically with the corresponding OpenTrust content associated with the selected profile. In addition, Required Fields and Optional Fields for the certificate (as defined in the selected MPS profile) are displayed. (MPS stands for the Mobile Provisioning Service in OpenTrust.)


10. Enter supported variables for each field.
See Supported variables on page 307.
Note: Though Optional Fields are not required by OpenTrust, they are still used if present. Therefore, you must still specify the appropriate variable for each optional field. For example, the phone number might be an optional field because the tablets in your organization do not have phone numbers. However, MPS might still use this information to request a certificate from the PKI server if it is present.
11. Click Save.
Note: You can save the configuration before you have completed all required fields, enabling you to enter and save the information in stages.

Supported variables
The following variables are supported for the required and optional fields in a SCEP configuration for OpenTrust:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$


$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$

Using Symantec Web Services Managed PKI


Integration with Symantec Web Services Managed PKI version 8.x enables you to configure certificate-based authentication.

Before you begin


Set up your account for Symantec Web Services Managed PKI with Symantec.
Create an MDM (Web Service Client) profile in the Symantec PKI manager that you will use for the MobileIron integration.
SeatID
Be sure to include the Symantec SeatID as a required certificate profile field. In a Symantec Web Services Managed PKI environment, Symantec uses the SeatID to track the number of seats for billing purposes.
To correctly track the number of seats, the SeatID value in the MobileIron Core SCEP settings must map to the value you created for the SeatID in the Symantec PKI Manager. For example, if the user's email address is used as the SeatID in Symantec PKI Manager, the Core SCEP settings should map the Core email address attribute to the Symantec SeatID.
Core associates each issued Symantec certificate to a SeatID in the Symantec PKI Manager. If the SeatID does not exist, a new Symantec user account and SeatID is automatically created for the user at the time the certificate is requested.
Gather the following items:
The server address for the Symantec Web Services Managed PKI. On MobileIron Core the default is set to pki-ws.symauth.com.
The Registration Authority (RA) certificate MobileIron Core will use to authenticate to the Symantec CA.


Configuring the Symantec Web Services Managed PKI settings


To specify the Symantec Web Services PKI settings in the Admin Portal:
1. Select Policies & Configurations > Configurations > Add New > SCEP.

2. Use the following guidelines to specify the settings:

Name: Enter brief text that identifies this group of settings.

Description: Enter additional text that clarifies the purpose of this group of settings.

Enable Proxy: Indicate whether to enable proxy functions.

Cache locally generated keys: Specifies whether MobileIron Core stores the private key sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.

User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

Device Certificate: Specifies that the certificate is bound to the given device.


Setting Type: Select Symantec Web Services Managed PKI.

Server: Enter the server address for the Symantec Web Services Managed PKI (received from Symantec). The default is set to pki-ws.symauth.com.
Note: Do not add https:// before the server name, and do not add path information after the server name. Only the hostname of the Symantec CA server should be provided.

Certificate: Upload Certificate: Click Upload Certificate to navigate and select the RA certificate you received from Symantec. This is usually a .p12 file. Enter the password for the certificate when prompted.

Mobile Profiles: Select the MDM (Web Services Client) profile to use for this setting. Only the object ID (OID) for each profile is listed. The OID is a series of numbers. Before selecting the profile, you may want to check the Symantec Web Services PKI manager for the correct OID.

Description: The description is populated automatically with the corresponding content associated with the selected profile.

Application Description: The application description is populated automatically with the corresponding content associated with the selected profile.

The Required Fields and Optional Fields for the certificate are displayed based on how the MDM (Web Service Client) profile was set up in the Symantec PKI manager.

Required Fields: Enter supported variables for each field. See Supported variables on page 307.
Note: The SeatID value in the SCEP settings must map to the value you created for the SeatID in the Symantec PKI Manager.


Optional Fields: Enter supported variables for each field. See Supported variables on page 307.
Note: Though Optional Fields are not required by Symantec, they are still used if present. Therefore, you must still specify the appropriate variable for each optional field. For example, the phone number might be an optional field because the tablets in your organization do not have phone numbers. However, the Symantec Web Services server might still use this information to request a certificate from the PKI server if it is present.

Issue Test Certificate: Click to verify the SCEP settings. A test certificate is generated only if there are no errors in the SCEP setting. A real certificate is not generated.
You can save the SCEP setting without having to generate a test certificate. The SCEP setting will be saved even if there are errors in the setting.
Any errors in the SCEP settings are reported in Settings > Diagnostics.

3. Click Save.
Note: You can save the setting before you have completed all required fields, enabling you to enter and save the information in stages.

Supported variables
The following variables are supported for the required and optional fields:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$


$NULL$

Revoking the certificate


You can revoke a Symantec Web Services Managed PKI certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Symantec Web Services Managed PKI manager. When a device authenticates with MobileIron Core, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.


MobileIron Core as a SCEP reverse proxy for WP8.1 devices
If you are using identity certificates for Exchange, VPN, and Wi-Fi, you must set up SCEP reverse proxy.

Unlike iOS and Android devices, WP8.1 devices originate the certificate request. When the WP8.1 device requests a certificate, the MobileIron Core acts as a SCEP reverse proxy and communicates with the SCEP server to deliver the certificate to the device.

Before you begin


The MobileIron Core must be set up to use a root certificate from a trusted certificate authority.

Setting up SCEP proxy for WP8.1 devices
To set up the MobileIron Core as the SCEP proxy for WP8.1 devices:
1. In the Admin Portal, configure a SCEP setting.
2. In the Core System Manager, configure SCEP Reverse Proxies.

Configuring SCEP Settings for WP8.1 devices


(Admin Portal > Policies & Configs > Configurations > Add New > SCEP)

To configure SCEP settings:


1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > SCEP.
3. Enter the information requested in the SCEP Settings.
The following fields are required when you configure a SCEP setting for WP8.1 devices:
For Setting Type, select SCEP.
URL
Subject
Subject Common Name Type
Finger Print
For Challenge Type, select Microsoft SCEP.
Challenge URL
Username
Password


Configuring SCEP Reverse Proxies (WP8.1)


(Core System Manager > Security > SCEP Reverse Proxies)

Before you configure SCEP Reverse Proxies, you must have configured a SCEP setting.

To configure SCEP Reverse Proxies:


1. Go to the Core System Manager > Security.
2. Click SCEP Reverse Proxies in the left navigation panel.
3. Click Generate.
The URL that will be exposed to the device and the internal URL that Core communicates with are displayed.
In the Admin Portal > Policies & Configs > Configurations page, a new SCEP setting with the prefix WIN is created. You will reference the WIN*SCEP setting in the Exchange, VPN, or Wi-Fi configuration you create for WP8.1 devices.

Note the following:
The Exposed/Internal URLs are generated and displayed in the SCEP Reverse Proxies page. However, the URLs are no longer displayed when you refresh the page.
Do not edit the URL field in a SCEP setting with the WIN prefix. If the URL is changed, the reverse proxy configuration will be out of sync.
Exchange configuration is not re-pushed to the device when the WIN*SCEP setting referenced in the configuration is changed.
If a WIN*SCEP setting with incorrect details (Subject, Challenge URL) is referenced in a VPN configuration, the configuration is not pushed to the device. The configuration will not be pushed even after a WIN*SCEP setting with correct details is generated. To re-push the VPN profile to WP8.1 devices, edit and save the VPN configuration.
Only SCEP NDES server 2008 or greater supports reverse proxy for WP8.1 devices. SCEP Server 2008 requires additional patches to support reverse proxy.


Docs@Work settings

Android  iOS  Win 7  WP8  Win 8.1 RT/Pro
yes      yes  -      -    -

Select Policies & Configs > Configurations > Add New > Docs@Work to configure access to content servers.

For information about setting up the Docs@Work configuration, see Set up Docs@Work configurations on page 567.


Web@Work settings
For the Web@Work app, use the Web@Work app setting (select Policies & Configs > Configurations > Add New > Web@Work) to specify bookmarks and AppTunnel settings for the Web@Work app. See Configure a Web@Work setting on page 672.


iOS and OS X settings


The following iOS- and OS X-specific settings are available:
General
CalDAV
CardDAV
Web Clips
Configuration Profile
LDAP

General settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > General to specify the basic information for interactions with the iOS and OS X configuration profiles.

Note: General settings can be set once; if you want to use this screen to change these settings, then the user must manually delete the profile.

Name: Enter brief text that identifies this group of iOS and OS X general settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.

Identifier: Specify the profile identifier. It must uniquely identify this profile. Use the format com.companyname.identifier, where identifier describes the profile, as in com.mycompany.work.

Organization: Specify the issuing organization of the profile, as it will be shown to the user.

Control when the profile can be removed: Not for iOS with MDM. Specify when configuration profiles should be removed:
Always: always removable.
With Authentication: removable with authentication.
Never: never removable. Select this option to prevent users from removing the profile.

CalDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CalDAV to specify parameters for connecting to CalDAV-compliant calendar servers. CalDAV (or Calendaring Extensions to WebDAV) is a remote calendar access standard supported by iOS and OS X.
The user may be prompted for any settings you do not specify.

Name: Enter brief text that identifies this group of iOS and OS X CalDAV settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.

HostName: Enter the host name of the calendar server.

Port: Enter the port for the calendar server.

Principal URL: Enter the URL for accessing calendar services.

Use SSL: Select to use SSL for data transfer.

User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported Variables on page 318.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_US.
See Supported Variables on page 318.

iOS 4 supports only a single CalDAV setting. Therefore, only the first CalDAV configuration applied to an iOS 4 device will take effect.

Supported Variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

CardDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CardDAV to configure access to subscription address books compatible with this protocol.


Note: This configuration is supported on iOS and OS X v10.8. OS X v10.7 Lion is not supported.

Name: Enter brief text that identifies this group of iOS and OS X subscribed address book settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X subscribed address book settings.

HostName: Enter the hostname or IP address of the CardDAV account.

Port: Enter the port number of the CardDAV account.

Principal URL: Enter the Principal URL for the CardDAV account.

Use SSL: Select to use SSL for data transfer.

User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 319.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 319.

Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

Web Clips settings


Select Policies & Configs > Configurations > Add New > iOS and OS X > Web Clips to add web clips to the Home screen of the user's device.
Web clips provide fast access to favorite web pages. Make sure the URL you enter includes the prefix http:// or https://.

Web Clips Set Name: Enter brief text that identifies this group of iOS and OS X web clips settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X web clips settings.


When you click Add New, a popup displays.

Use the following guidelines to complete the web clip entry:

Name: Enter brief text to describe the web clip. This is the text that users will see.

Address/URL: Enter the address or URL for the target of the web clip.

Removable: iOS only. Clear the Removable checkbox to prevent users from removing the web clip once it is pushed out to their phones.

Full Screen: iOS only. By default, Full Screen is selected. When selected, the web clip is displayed as a full-screen application.

Precomposed: iOS only. By default, Precomposed is selected. When selected, iOS will not add the bezel shading effect to the icon.

Icon: Select an icon to display for the web clip.

Configuration profile settings


Occasionally, you may find it necessary to upload an iOS or OS X configuration profile generated from outside of MobileIron (e.g., from Profile Manager). In this case, you can select Policies & Configs > Configurations > iOS and OS X > Configuration Profile to upload the file.

LDAP settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > LDAP to configure an LDAP profile for iOS and OS X devices.


Use the following guidelines to complete this form. The iOS 5 Configuration Reference may also be useful.

Name: Descriptive name to use when referencing this configuration.

Account Description: Optional. Description of the LDAP account.

Account Username: Optional. Username for accessing the LDAP account.

Account Password: Optional. Password that corresponds to the Account Username value. The password applies to encrypted accounts.

Account Confirm Password: Optional. Confirms the password entered in the Account Password field.

Account Hostname: The hostname for the LDAP server.

Use SSL: Whether to use SSL.

Search Settings: Should have at least one entry for the account. Each entry represents a node in the LDAP tree from which to start searching. Click the + button to add a new entry, then edit the entry.
An entry consists of the following values:
Description: Explains the purpose of the search setting.
Scope: Select Base, Subtree, or One Level to indicate the scope of the search. Base indicates just the node level, Subtree indicates the node and all children, One Level indicates the node and one level of children.
Search Base: The conceptual path to the specified node (e.g., ou=people, o=mycorp).


iOS settings
The following iOS-specific settings are available:
AirPlay (starting with iOS 7)
AirPrint (starting with iOS 7)
Restrictions
Subscribed Calendars
APN
Provisioning Profile
Web Content Filter (starting with iOS 7)
Managed App Config (starting with iOS 7)
Enterprise single sign-on (starting with iOS 7)

AirPlay settings
This feature is only supported for iOS 7 and iOS 7.1 devices.

AirPlay is an iOS feature that allows you to mirror the content displayed on your iOS device on to a destination device, for example, an HDTV.

For iOS 7 and iOS 7.1 devices, you can now configure your MobileIron Core to control the AirPlay resources that supervised devices can access. You can configure the following settings:
Specify the passcode for the AirPlay destination device so that devices can connect seamlessly.
Specify a whitelist of destination devices to which you can mirror the content that is displayed on the screen of your supervised iOS 7 device.

To configure AirPlay:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPlay.
The New AirPlay Configuration screen displays.
3. Enter a name for the AirPlay Configuration.
4. Enter additional information that describes the AirPlay Configuration.
5. In the AirPlay Destination Devices section, click + to add a new destination device.
6. For each destination device, enter the following information:

Device Name: Enter the name of the destination device.
Password: Enter the password for the destination device.


Description: Enter additional information that describes this destination device.
-: Click if you want to delete this device.

7. In the AirPlay Whitelist Devices section, click + to add a new destination device to the whitelist.
Note: Whitelists are only supported on supervised devices.
8. For each destination device in the whitelist, enter the following information:

Device MAC Address: Enter the Bonjour Device ID.
Description: Enter additional information that describes this destination device.
-: Click if you want to delete this device.

9. Click Save.

AirPrint settings
This feature is only supported for iOS 7 and iOS 7.1 devices.

AirPrint is an iOS feature that allows you to print to an AirPrint printer from your iOS device without the need to install drivers or download software.

For iOS 7 and iOS 7.1 devices, you can configure your MobileIron Core to control the printing resources that devices can access. You can specify a whitelist of AirPrint printers that devices can access.

To configure AirPrint:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPrint.
The New AirPrint Configuration screen displays.
3. Enter a name for the AirPrint Configuration.
4. Enter additional information that describes the AirPrint Configuration.
5. In the AirPrint Destination Whitelist section, click + to add a new destination printer.


6. For each destination printer, enter the following information:

IP Address: Enter the IP address of the AirPrint printer.
Path: Enter the Resource Path associated with the AirPrint printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:
printers/Canon_MG5300_series
printers/Xerox_Phaser_7600
ipp/print
Epson_IPP_Printer
Note: The resource path is case sensitive.
Description: Enter additional information that describes this destination device.
-: Click if you want to delete this device.

7. Click Save.

Restrictions settings
Select Policies & Configs > Configurations > Add New > iOS > Restrictions to specify lockdown capabilities for iOS.
The following table summarizes the settings.

Name: Enter brief text that identifies this group of iOS restriction settings.

Description: Enter additional text that clarifies the purpose of this group of iOS restriction settings.

Device Functionality

Allow Installing Apps: Select to enable the user to install applications. Unselect to disable the App Store and remove its icon from the Home Screen. As a result, users will be unable to install App Store applications on the device. This setting does not impact installation of in-house apps.

Allow removing apps: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, end users cannot remove non-native apps on the device.

Allow use of Camera: Select to enable the user to operate the camera. Unselect to disable the camera and remove its icon from the Home screen. As a result, users will be unable to take photographs.


Allow FaceTime: Select to allow the user to run FaceTime if the camera is enabled.

Allow Screen Capture: Select to allow the user to operate the native screen capture function.

Allow automatic sync while roaming: Select to allow synchronization of mail accounts while the device is outside of its home country.

Allow Siri: Select to allow the personal assistant app on supported devices.

Allow Siri while device locked: Select to allow the personal assistant app to perform tasks even when the device is locked.

Show user-generated content in Siri: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, prevents Siri from querying user-generated content on the web.

Allow voice dialing: Select to allow users to access voice dialing features.

Allow in app purchases: Select to allow users to make purchases through apps running on the device.

Force users to enter store password for all purchases (iOS 5 and later): Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.

Allow multiplayer gaming: Select to allow users to play games that include other users.

Allow adding Game Center friends: Select to allow device users to add friends to their gaming social network in the Apple Game Center.

Allow interactive installation of configuration profiles and certificates: iOS 6.0 and iOS 7. Supervised devices only. Select to allow users to install configuration profiles and certificates interactively.

Allow Passbook notifications while locked: iOS 6.0 and iOS 7. Select to allow Passbook notifications to be shown on the lock screen.

Allow AirDrop: For supervised iOS 7 devices, select to allow use of AirDrop for iOS on the device (iOS 7 or iOS 7.1). AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices.

Allow modifying Find My Friends settings: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, changes to the Find My Friends app are disabled.

Allow Touch ID to unlock device: iOS 7.0 and iOS 7.1. If disabled, prevents Touch ID from unlocking a device.
Show Control Center in lock screen: iOS 7.0 and iOS 7.1. If disabled, prevents Control Center from appearing on the Lock screen.
Show Notification Center in lock screen: iOS 7.0 and iOS 7.1. If disabled, prevents the Notification Center from appearing on the lock screen.
Show Today view in lock screen: iOS 7.0 and iOS 7.1. If disabled, the Today view in Notification Center on the lock screen is disabled.
Allow changes to cellular data usage for apps: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, changes to cellular data usage for apps are disabled.

Applications

Allow Use of YouTube: Select to allow use of the YouTube site. Unselect to disable YouTube and remove its icon from the Home screen.
Allow Use of iTunes Music Store: Select to allow use of the iTunes Music Store. Unselect to disable the iTunes Music Store and remove its icon from the Home screen. As a result, users will not be able to preview, purchase or download content.
Allow use of Safari: Select to allow use of the Safari web browser. Unselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.
Enable autofill: Select to turn on the autofill feature for fields displayed in Safari.
Force fraud warning: Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.
Enable JavaScript: Select to turn on JavaScript support for Safari.
Block pop-ups: Select to block pop-ups for Safari.
Accept cookies: Select to allow cookies.

iCloud (iOS 5 and later)

Allow backup: Select to allow the device to back up data via Apple's iCloud service.
Allow document sync: Select to allow documents to be synchronized via Apple's iCloud service.
Allow Photo Stream: Select to allow photos to be synchronized to your other iOS devices via Apple's iCloud.
Allow shared photo streams: iOS 6.0 and iOS 7. Select to allow synchronization of shared photos.
Allow use of iBookstore: iOS 6.0 and iOS 7. Supervised devices only. Select to allow access to the iBookstore.
Allow Game Center: iOS 6.0 and iOS 7. Supervised devices only. Select to allow access to Game Center.
Allow iMessage: iOS 6.0 and iOS 7. Supervised devices only. Select to allow use of iMessage.
Allow ability to modify account settings: Select to allow users with supervised iOS 7 devices to add email accounts and make changes to email accounts that have already been configured.

Security and Privacy

Allow diagnostic data to be sent to Apple: iOS 6.0 and later. Select to allow automatic submission of diagnostic data to Apple.
Force limited ad tracking: iOS 7.0 and iOS 7.1. If enabled, limits ad tracking. It is disabled by default.
Allow user to accept untrusted TLS certificates: Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, the device automatically rejects untrusted HTTPS certificates without prompting the device user. Leaving it unselected is the safer choice: an interception proxy or a misconfigured server then fails outright instead of asking the user to click through. Distribute the certificates your servers actually present through Core rather than relying on users to accept them.
Allow automatic updates to certificate trust settings: iOS 7.0 and iOS 7.1. If disabled, over-the-air PKI updates are disabled.
Force encrypted backups: Requires encrypted backups via iTunes. Automatically selected due to SCEP requirements.
Allow pairing with non-Configurator hosts: For supervised iOS 7 devices, select to allow host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.
Allow open documents from managed apps and accounts to unmanaged apps and accounts: Additional license required to disallow this action. Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps.
Allow open documents from unmanaged apps and accounts to managed apps and accounts: Additional license required to disallow this action. Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email.

Content Ratings

Allow explicit music & podcasts: Select to allow music and podcasts that carry an explicit rating. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
Allow iBookstore media that has been tagged as erotica: iOS 6.0 and iOS 7. Supervised devices only. Select to allow users to download iBookstore material that has been tagged as erotica.
Ratings region: Select a region from the dropdown list to change the region associated with the rating selections for applications, TV shows, and movies.
Allowed content ratings: Select the allowed rating for each type of medium: movies, TV shows, and apps.
Movies: Select a rating limit for movies stored on the device:
    Don't Allow Movies
    G
    PG
    PG-13
    R
    NC-17
TV Shows: Select a rating limit for TV shows stored on the device:
    Don't Allow TV Shows
    TV-Y
    TV-Y7
    TV-G
    TV-PG
    TV-14
    TV-MA
    Allow All TV Shows
Apps: Select a rating limit for applications on the device:
    Don't Allow Apps
    4+
    9+
    12+
    17+
    Allow All Apps
App whitelist for Single App Mode: Specify a list of apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies only to supervised iOS devices and only to apps developed for autonomous single app mode. Supervision is established with Apple Configurator.
    Use the following guidelines to complete each entry:
    Enter the app name defined in the app's bundle.
    Enter the bundle identifier for this app. One way to find the bundle identifier is to add the app to the app distribution library on MobileIron Core. After you add the app, edit the app entry to see the Inventory Apps field, which lists the bundle ID for the app.
    Enter an optional description for the app.
    Note that this feature is separate from the single app mode policy feature, which enables an administrator to define and invoke single app mode.
Subscribed Calendars settings

Select Policies & Configs > Configurations > Add New > iOS > Subscribed Calendars to configure read-only calendar subscriptions for the device's Calendar application. A list of public calendars you can subscribe to is available at www.apple.com/downloads/macosx/calendars/.

Name: Enter brief text that identifies this group of iOS subscribed calendar settings.
Description: Enter additional text that clarifies the purpose of this group of iOS subscribed calendar settings.
URL: Enter the URL for accessing the subscribed calendar.
Use SSL: Select to use SSL for data transfer. Leave this selected whenever the calendar server supports it; otherwise the user name and password below are sent over the network in the clear with every refresh.
User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported Variables on page 330.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported Variables on page 330.

iOS devices accept settings for up to four subscribed calendars. Therefore, any additional calendar settings applied to an iOS device will be ignored.

Supported Variables
You can use the following variables in fields that support variables.
    $USERID$
    $EMAIL$
    $NULL$
    $USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
APN settings
Select Policies & Configs > Configurations > Add New > iOS > APN to define parameters for access point interactions, which define how the device accesses the operator's network.

Access Point Name: Identifier available from the operator.
Description: Enter additional text that clarifies the purpose of this group of iOS APN settings.
User Name: Enter a user name authorized for this access point.
Password: Enter the password corresponding to the user name entered.
Proxy Server: Enter the IP address or URL of the APN proxy.
Port: Enter the port number of the APN proxy.
Provisioning Profile settings

Occasionally, you may find it necessary to upload an iOS provisioning profile generated from outside of MobileIron. In this case, you can select Policies & Configs > Configurations > Add New > iOS > Provisioning Profile to upload the file.

Web content filter settings

Starting with iOS 7, supervised iOS devices support web content filtering. Web content filtering restricts the web sites that any browser on a supervised device can access. This feature is useful, for example, in fleet-based lock down environments, such as retail stores or schools.

MobileIron Core supports configuring the web content filter on the Admin Portal. You can do one of the following:
    Block access to sites containing adult content.
    Configure the device's set of accessible sites.

Configuring the web content filter

To configure the web content filter:
1. Go to Policies and Configs > Configurations on the Admin Portal.
2. Select Add New > iOS And OS X > Web Content Filter.
   The New Web Content Configuration page displays.
3. Use the following guidelines to create or edit a web content configuration:
Name: Enter brief text that identifies this web content configuration.
Description: Enter additional text that clarifies the purpose of this web content configuration.
Allowed Websites: Choose one of the following:
    Limit Adult Content: Select this option if you want to block access to web sites based on iOS automatic filters. These filters attempt, with a high degree of accuracy, to block websites with inappropriate content.
    Specific Web Sites Only: Select this option if you want to manually list the accessible web sites.
Permitted URLs: Available only if you selected Limit Adult Content. These URLs are accessible even if the iOS automatic filters block them. To add a permitted URL, click +. To delete a permitted URL, click -. You can add up to 50 permitted URLs.
URL: Enter the permitted URL. The URL must begin with either http:// or https://. Note: If you want to permit both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given permitted URL are accessible. Example: http://www.someCompanySite.com permits access to the following:
    http://www.someCompanySite.com
    http://www.someCompanySite.com/jobs
    http://www.someCompanySite.com/products
    Because only the initial characters are compared, an entry without a trailing slash also matches any host whose name merely begins with the same string (for example, a host named www.someCompanySite.com.example.net). End the entry with a slash, as in http://www.someCompanySite.com/, when you intend to permit exactly one host.
Description: Enter additional text that clarifies the purpose of this permitted URL.
Blacklisted URLs: Available only if you selected Limit Adult Content. These URLs are blocked even if the iOS automatic filters allow them. To add a blacklisted URL, click +. To delete a blacklisted URL, click -. You can add up to 50 blacklisted URLs.
URL: Enter the blacklisted URL. The URL must begin with either http:// or https://. Note: If you want to block both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given blacklisted URL are blocked. Example: http://www.someCompanySite.com blocks access to the following:
    http://www.someCompanySite.com
    http://www.someCompanySite.com/jobs
    http://www.someCompanySite.com/products
Description: Enter additional text that clarifies the purpose of this blacklisted URL.
Specific Websites: Available only if you selected Specific Web Sites Only. These URLs are the only accessible sites. On Safari, they are added as bookmarks. Any existing bookmarks on Safari are disabled. To add an accessible URL, click +. To delete an accessible URL, click -.
URL: Enter the URL of a website you want to make accessible. The URL must begin with either http:// or https://. Note: If you want to make both http:// and https:// for the same site accessible, include a row for each URL. If you are using the Apps@Work or Secure Sign-in web clips, include an entry for the URL of MobileIron Core. Otherwise, these web clips cannot work.
Name: The title of the bookmark in Safari.
Bookmark: Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/. If absent, the bookmark is added to the default bookmarks directory.
Description: Optionally enter additional text that clarifies the purpose of this URL.

4. Click Save.
5. Select the web content configuration you just created.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this web content configuration.
8. Click Apply.
Browser impact
The web content filter feature impacts all browsers and web views on the device, including:
    Safari
    When using the option Specific Web Sites Only, only Safari displays the bookmarks that you specify. Other browsers do not.
    Web@Work
    Apps@Work
    the Secure Sign-in web clip
    other browsers and web views

Therefore, if you use the option Specific Web Sites Only, be sure to include the URL for your MobileIron Core so that the Apps@Work and Secure Sign-in web clips work.

Removing a Web content configuration from a device

A web content configuration is removed from a device when:
    You remove the label associated with the device from the setting, and the device checks in.
    You remove the web content configuration, and the device checks in.
    You retire the device.

Multiple web content configurations on a device

If you apply multiple web content configurations to a device, web access works as follows:
    The URL is accessible only if all of the web content configurations on the device allow it and none of the web content configurations block it.
    The URL is blocked if any of the web content configurations block it.
Managed app configuration settings

An additional license is required for this feature.

Managed app configuration requires iOS 7 or iOS 7.1. Select Policies & Configs > Configurations > Add New > iOS and OS X > Managed App Config to provide app configuration to a managed app.

When a managed app gets its configuration from MobileIron Core, the device user does not have to manually enter the configuration. This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user.

Managed app configuration overview

Providing a managed app with an app configuration involves these high-level steps:
1. You get a file containing the app configuration from the app vendor or developer. The file is a property list (plist). It is a text file in XML format.
2. Edit the file as directed by the app's managed app configuration documentation. For example, documentation can instruct you to replace a default server value in the plist with a URL for one of your enterprise servers.
3. You create a managed app config setting on MobileIron Core.
4. When you create the setting, you upload the plist file to Core.
5. You apply labels to the setting to indicate which devices the setting applies to.
6. MobileIron Core sends the setting to the device when the device checks in.
7. The managed app installed on the device accesses the configuration using iOS 7 programming interfaces.
Note: You can apply a managed app config setting to a device before the app is installed on the device. When the app is installed, it accesses the configuration. Until then, the configuration has no impact on the device.

Configuring the managed app config setting

Before you begin: Edit the provided plist with values specific to your enterprise, as directed by the app documentation. You can use any text editor or plist editor. Put the edited plist file into a folder accessible from your Admin Portal.

To configure the managed app config setting:
1. On the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > iOS And OS X > Managed App Config.
3. Use the following guidelines to create or edit a managed app config setting:

Name: Enter brief text that identifies this managed app config setting.
Description: Enter additional text that clarifies the purpose of this managed app config setting.
BundleId: Enter the bundle ID of the managed app.
File: Click Choose File. Select the plist file that contains the app configuration for the app. Note: MobileIron Core does not validate the plist file's type or contents, so check the file yourself before uploading; a malformed plist is sent to devices as-is.

4. Click Save.
5. Select the managed app config setting you just created.
   MobileIron Core assigns the setting the type MDM APP CONFIG.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this managed app config setting.
8. Click Apply.

Note:
    You cannot edit the managed app config setting, including uploading a different plist file. If changes are necessary, delete the managed app config setting and create a new one. Be sure to re-apply labels.
    You can apply only one managed app config setting for each app to each device, including when more than one version of the app is installed on a device.
    The configuration information is not encrypted on the device. The configuration should therefore not contain any sensitive information, such as passwords, API keys or other secrets.
Viewing the plist file

To view the contents of the plist file:
1. On the Admin Portal, go to Policies & Configs > Configurations.
2. Select a managed app setting.
3. Select View File Data in the App Settings Detail pane.
   A pop-up displays the file contents.
4. Close the pop-up when you are done viewing the file contents.

Removing a managed app config setting from a device

A managed app config setting is removed from a device when:
    You remove the label associated with the device from the setting, and the device checks in.
    You remove the managed app config setting, and the device checks in.
    You retire the device.

When the managed app config setting is removed, the managed app automatically removes its use of the configuration.

Supported variables
The plist can use the following MobileIron Core variables:

$DEVICE_MAC$: The Wi-Fi MAC (Media Access Control) address of the device.
$DEVICE_UDID$: The unique device identifier of the device.
$DISPLAY_NAME$: The display name of the device user.
$EMAIL$: The email address of the device user.
$FIRST_NAME$: The first name of the device user.
$LAST_NAME$: The last name of the device user.
$USERID$: The user ID of the device user.

When MobileIron Core sends the configuration to a device, it substitutes the appropriate values for the variables.

Sample plist
A plist is a text file in XML format. The XML contents vary for each app and are validated by the app developer, not by Core. The following is a sample plist, included here only to illustrate the format you can expect:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Server</key>
    <string>http://www.somecompanyserver.com</string>
    <key>Some Dict</key>
    <dict>
        <key>A</key>
        <string>$DISPLAY_NAME$</string>
        <key>C</key>
        <string>$DEVICE_UDID$</string>
    </dict>
    <key>Some Array</key>
    <array>
        <string>abc</string>
        <string>val</string>
        <string>$DEVICE_MAC$</string>
    </array>
</dict>
</plist>
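Because Core does not validate the uploaded plist, the configuration is stored unencrypted on the device, and a setting cannot be edited once saved, it pays to check the file before upload. The following added example (not MobileIron code) lints a managed app config plist using Python's standard plistlib: it must parse, its top-level object must be a dictionary, every $VAR$ it uses must be one of the seven variables Core substitutes, and no key name should look like a secret. render() shows the substitution Core performs at check-in. The sample plist is the one above; the device and user values, and the pattern used to spot secret-looking keys, are constructed assumptions.

```python
"""Lint and render a managed app config plist before uploading it to Core."""
import plistlib
import re

# The variables Core substitutes in a managed app config (from the table above).
SUPPORTED = {"$DEVICE_MAC$", "$DEVICE_UDID$", "$DISPLAY_NAME$", "$EMAIL$",
             "$FIRST_NAME$", "$LAST_NAME$", "$USERID$"}
VAR_RE = re.compile(r"\$[A-Za-z0-9_]+\$")
# Assumption: key names matching this pattern hold material that must not be
# shipped in an unencrypted configuration.
SECRET_KEY = re.compile(r"passw|secret|token|api.?key|private", re.IGNORECASE)

# The guide's sample plist, as bytes (plistlib.loads wants bytes).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Server</key><string>http://www.somecompanyserver.com</string>
  <key>Some Dict</key>
  <dict><key>A</key><string>$DISPLAY_NAME$</string>
        <key>C</key><string>$DEVICE_UDID$</string></dict>
  <key>Some Array</key>
  <array><string>abc</string><string>val</string><string>$DEVICE_MAC$</string></array>
</dict>
</plist>"""


def string_leaves(node, path=()):
    """Yield (key path, value) for every string anywhere in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from string_leaves(value, path + (str(index),))
    elif isinstance(node, str):
        yield path, node


def lint(plist_bytes: bytes) -> list:
    """Return findings; an empty list means the file is safe to upload."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib raises several exception types for bad input
        return [f"not a parseable plist: {exc.__class__.__name__}"]
    if not isinstance(data, dict):
        return ["top-level object must be a dictionary"]
    findings = []
    for path, value in string_leaves(data):
        where = "/".join(path)
        for var in VAR_RE.findall(value):
            if var not in SUPPORTED:
                findings.append(f"{where}: {var} is not substituted by Core and reaches the app literally")
        if any(SECRET_KEY.search(part) for part in path):
            findings.append(f"{where}: looks like a secret; managed app config is not encrypted on the device")
    return findings


def render(plist_bytes: bytes, values: dict):
    """Substitute supported variables the way Core does when it sends the setting."""
    def sub(node):
        if isinstance(node, dict):
            return {key: sub(value) for key, value in node.items()}
        if isinstance(node, list):
            return [sub(value) for value in node]
        if isinstance(node, str):
            return VAR_RE.sub(lambda m: values.get(m.group(0), m.group(0)), node)
        return node
    return sub(plistlib.loads(plist_bytes))


if __name__ == "__main__":
    print("findings:", lint(SAMPLE) or "none")
    # Constructed device and user values standing in for what Core knows at check-in.
    print(render(SAMPLE, {"$DISPLAY_NAME$": "Jane Doe", "$DEVICE_UDID$": "udid-0001",
                          "$DEVICE_MAC$": "00:11:22:33:44:55"}))
```

Run lint() on the edited file from step 2 of the overview; anything it reports has to be fixed in the file, because after step 4 the only remedy is to delete the setting, create a new one and re-apply labels.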
Enterprise single sign-on settings

This feature is only supported for iOS 7 and iOS 7.1 devices. With Enterprise Single Sign-On, device users can log into apps and websites without having to re-enter their credentials.

For iOS 7 and iOS 7.1 devices, you can configure your MobileIron Core to manage the enterprise apps and resources that device users can access without having to enter their enterprise credentials.

Consider the following:
    This feature requires that you have Kerberos configured in your environment.
    Devices must have access to a Kerberos Domain Controller (KDC) and the websites or resources specified in this configuration.
    An additional license may be required for this feature.

To configure single sign-on:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > Single Sign-On Account.
   The New Single Sign-On (SSO) Configuration screen displays.
3. Complete the form using the following guidelines:

Name: Enter a name for this configuration.
Description: Enter additional information that describes this configuration.
Principal Name: (Required) Enter the Kerberos principal name. You can also specify a variable. See Supported variables on page 339.
Realm: (Required) The default is $Realm$. This is the only valid variable. $Realm$ is supported for LDAP users only. The realm is calculated by extracting the base DN (e.g. DC=auto, DC=MyCompany, DC=com) and converting it to a domain. Example: AUTO.MYCOMPANY.COM. You can also enter a domain name. The domain name you enter is automatically capitalized. Example: AUTO.MYCOMPANY.COM.

URL Prefix Matches (Required)

Add the URLs or resources that the device user can access using SSO. At least one URL is required. You can add up to twenty URLs per configuration.
If a bundle ID (application ID) is configured, SSO is enabled for the specified apps only when the apps access the URLs that match the configured URL prefixes. If a bundle ID (application ID) is not configured, SSO is applicable to all apps that support SSO when they access the URLs that match the configured URL prefixes.

+: Click to add a URL.
URL: Enter the URL that the user can access using SSO. Consider the following:
    The website or resource must support Kerberos based authentication.
    URLs must have either an HTTP or an HTTPS prefix.
    You can enter only the prefix. In this case the device user can access any website or resource with that prefix.
Description: Enter additional information describing this resource.
-: Click to delete the URL.

Application Identifier Matches (Optional)

Add the apps that the device user can use to access the URLs or resources listed in URL Prefix Matches without having to enter their enterprise credentials. You can add up to twenty bundle IDs (application IDs) per configuration. If no apps are entered, the device user can access the URLs or resources from any app without having to enter their enterprise credentials.

+: Click to add an app.
BundleID: Enter the bundle ID (application ID) for the app.
Description: Enter additional information describing the app.
-: Click to delete the app.

4. Click Save.
5. In the Configurations page, select the configuration.
6. Click More Actions > Apply To Label.
7. Select a label to apply, and click Apply.
The configuration is pushed to the devices to which the label is applied.

Supported variables
The following variables are supported:
    $EMAIL$
    $USERID$
    $FIRST_NAME$
    $LAST_NAME$
    $DISPLAY_NAME$
    $USER_DN$
    $USER_UPN$
    $USER_CUSTOM1$
    $USER_CUSTOM2$
    $USER_CUSTOM3$
    $USER_CUSTOM4$
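The $Realm$ rule, the Principal Name variables and the URL prefix / bundle ID matching described for the Single Sign-On Account configuration, as an added example. This is not MobileIron code: realm_from_dn() reproduces the documented derivation (DC components of the DN, joined and upper-cased), SsoConfig enforces the limits the guide states (1 to 20 URL prefixes, at most 20 bundle IDs, http:// or https:// only), and applies() answers whether a given app may attempt SSO for a given URL. The class and function names, the assumption that the DN contains no escaped commas, and the sample hosts and bundle IDs are mine.

```python
"""Realm derivation and SSO prefix matching for the Single Sign-On Account configuration."""
import re

# Variables accepted in the Principal Name field (from the list above).
SUPPORTED_VARIABLES = {"$EMAIL$", "$USERID$", "$FIRST_NAME$", "$LAST_NAME$",
                       "$DISPLAY_NAME$", "$USER_DN$", "$USER_UPN$",
                       "$USER_CUSTOM1$", "$USER_CUSTOM2$", "$USER_CUSTOM3$", "$USER_CUSTOM4$"}
MAX_ENTRIES = 20  # URL prefixes and bundle IDs are each capped at twenty


def realm_from_dn(dn: str) -> str:
    """DC=auto,DC=MyCompany,DC=com -> AUTO.MYCOMPANY.COM (the $Realm$ rule for LDAP users)."""
    parts = [p.strip() for p in dn.split(",")]  # assumption: no escaped commas in the DN
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    if not dcs:
        raise ValueError("DN has no DC components; enter the realm as a domain name instead")
    return ".".join(dcs).upper()


def normalize_realm(value: str, user_dn: str = "") -> str:
    """$Realm$ is the only variable the Realm field accepts; a typed domain is capitalized."""
    if value == "$Realm$":
        return realm_from_dn(user_dn)
    return value.upper()


def render_principal(template: str, user: dict) -> str:
    """Expand a Principal Name such as $USERID$; unknown variables are rejected."""
    def sub(match):
        var = match.group(0)
        if var not in SUPPORTED_VARIABLES:
            raise ValueError(f"{var} is not a supported variable")
        return user[var]
    return re.sub(r"\$[A-Z0-9_]+\$", sub, template)


class SsoConfig:
    def __init__(self, principal: str, realm: str, url_prefixes, bundle_ids=()):
        url_prefixes = list(url_prefixes)
        bundle_ids = list(bundle_ids)
        if not 1 <= len(url_prefixes) <= MAX_ENTRIES:
            raise ValueError(f"between 1 and {MAX_ENTRIES} URL prefixes are required")
        if len(bundle_ids) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} bundle IDs are allowed")
        for prefix in url_prefixes:
            if not prefix.startswith(("http://", "https://")):
                raise ValueError(f"URL prefix must start with http:// or https://: {prefix!r}")
        self.principal = principal
        self.realm = realm
        self.url_prefixes = url_prefixes
        self.bundle_ids = set(bundle_ids)

    def applies(self, bundle_id: str, url: str) -> bool:
        """SSO is attempted only for a matching URL prefix; with no bundle IDs, any app qualifies."""
        if not any(url.startswith(prefix) for prefix in self.url_prefixes):
            return False
        return not self.bundle_ids or bundle_id in self.bundle_ids


if __name__ == "__main__":
    # Constructed sample values; the DN and hosts are not from any real directory.
    user = {"$USERID$": "jdoe"}
    dn = "CN=jdoe,OU=Sales,DC=auto,DC=MyCompany,DC=com"
    cfg = SsoConfig(render_principal("$USERID$", user), normalize_realm("$Realm$", dn),
                    ["https://intranet.mycompany.com/", "https://mail.mycompany.com"],
                    ["com.mycompany.portal"])
    print(cfg.principal + "@" + cfg.realm)
    for app, url in [("com.mycompany.portal", "https://intranet.mycompany.com/wiki"),
                     ("com.other.browser", "https://intranet.mycompany.com/wiki"),
                     ("com.mycompany.portal", "https://mail.mycompany.com.example.net/")]:
        print(app, url, "->", cfg.applies(app, url))
```

The last sample line is the point to take away: a prefix entered without a trailing slash, such as https://mail.mycompany.com, also matches https://mail.mycompany.com.example.net/, so the device will attempt Kerberos SSO against a host you did not intend. End each prefix with a slash unless you deliberately want to cover every host that starts with that string.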
iOS and OS X differences

The following table outlines important differences in feature support between OS X and iOS.

CalDAV
    Mac OS X: MDM authenticates the account before pushing profiles. Therefore, if MobileIron Core does not have valid credentials, it will not push the profile. "Save user password" (Settings > Preferences > Save User Password Preferences) must be enabled.
    iOS: MDM does not authenticate the account before pushing profiles. The device user is prompted to enter a password.
CardDAV
    Mac OS X: MDM does not authenticate the account. If no credentials are available, the contacts will not be synchronized and the device user will not be prompted for a password.
    iOS: MDM does not authenticate the account before pushing profiles. The device user is prompted to enter a password.
Exchange
    Mac OS X: Only Contacts are synchronized. SSL is required.
    iOS: Email, contacts, tasks, and appointments are synchronized.
Web clip
    Mac OS X: Profiles will not be pushed if the size of the web clip image is greater than 20K.
    iOS: Profiles will be pushed, regardless of the size of the web clip image.
Samsung KNOX support

The Samsung KNOX Container enables BYOD initiatives by creating a zone for corporate apps within each device. This zone secures access to corporate apps and data.

To configure support for the Samsung KNOX Container:
1. Create a Samsung Browser configuration.
   If you do not intend to specify browser behavior in the container, you can skip this step.
   See Android Samsung browser settings on page 236.
2. Create an Exchange configuration for the container.
   If you do not intend to specify email client behavior in the container, you can skip this step.
3. Create a Samsung KNOX Container configuration.
   The Samsung KNOX Container configuration will specify the Samsung Browser configuration and the Exchange configuration you created for the container.
   See Android Samsung KNOX Container settings on page 239.
4. Create one or more labels to identify the devices that will receive the Samsung KNOX Container configuration.
5. Assign the Samsung KNOX Container configuration to the appropriate labels.
   Once the configuration is present on the device, the device begins creating the container as specified.

Disabling the container

To manually disable the Samsung KNOX container:
1. In the Devices page, select the devices that have received the Samsung KNOX Container configuration.
2. Select Actions > Android Only > Disable Samsung KNOX Container.
3. Choose the container you want to disable and click Disable Samsung KNOX Container.

The container remains disabled until you manually re-enable it.

Re-enabling the container

A Samsung KNOX container can be automatically disabled by policy, such as when the device user enters the container password incorrectly too many times. You can also manually disable the container using the Disable Samsung KNOX Container action.

To manually re-enable the Samsung KNOX container:
1. In the Devices page, select the devices on which the container has been disabled.
2. Select Actions > Android Only > Enable Samsung KNOX Container.
3. Choose the container you want to enable and click Enable Samsung KNOX Container.
Chapter 7

Managing Certificates
    Overview of certificates
    Supported certificate scenarios

Overview of certificates
MobileIron is capable of distributing and managing certificates.

Certificates are mainly used for the following purposes:
    Establishing secure communications
    Encrypting payloads
    Authenticating users

Certificates establish user identity while eliminating the need for users to enter user names and passwords on their mobile devices. Certificates streamline authentication to key enterprise resources, such as email, Wi-Fi, and VPN. Some applications require the use of certificates for authentication.

The following diagram compares a certificate to a passport: the certificate includes information that identifies the user, device, or server that holds the certificate.

The MobileIron solution provides the flexibility to use MobileIron Core as a local certificate authority, an intermediate certificate authority, or as a proxy for a trusted certificate authority.
Types of certificates
MobileIron uses the following types of certificates:

Client TLS: Secures communication between a client device and MobileIron Core, over port 9997.
Portal: Secures HTTPS communication, over port 443, between a web browser and Core. Can be the same certificate as the client TLS certificate.
MobileIron Core server SSL: Can be either self-signed or third-party certificates. By default, Core generates self-signed certificates. You can use trusted certificates from third-party certificate providers such as Verisign, Thawte, or Go Daddy. Kerberos and Entrust certificates are also supported.
Sentry server SSL: Identifies the Sentry to the client and secures communication, over port 443, between devices and the Sentry.
iOS MDM: Validates profile authenticity for iOS. Enables the MDM feature set for iOS devices. Uses port 2195 to communicate with Apple APNS.
iOS enrollment: Verifies the identity of the iOS configuration profile. We recommend using the same certificate for the client TLS, portal, and iOS enrollment certificates.
Windows Phone 8 (WP8) enrollment: Issued by Core to authenticate the device. This is the local CA certificate.
Client identity: Verifies the identity of users and devices and can be distributed through SCEP/NDES.

The following diagram illustrates where each certificate type is used in the MobileIron architecture:
Android SAFE devices and certificates managed by MobileIron Core
Certificates managed by MobileIron Core are automatically removed from a Samsung SAFE device when the device is retired and when the label that applied the certificate to the device is removed from the certificate.
Supported certificate scenarios


MobileIron supports the following certificate scenarios:
Using MobileIron Core as a Certificate Authority
Using MobileIron Core as a certificate proxy
Using Kerberos constrained delegation
Using AppConnect app configuration
More information

Using MobileIron Core as a Certificate Authority


Standard SCEP integration requires SCEP enrollment with a certificate server. If SCEP integration is not an option for your organization, you can configure MobileIron Core as an intermediate Certificate Authority (CA) or independent root CA instead, eliminating the need for an additional server.

You can configure MobileIron Core as a local certificate authority for the following
scenarios:
Core as an Independent Root CA (self-signed): Configure Core as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Core as the certificate authority.
Core as an Intermediate CA: Use this option when your company already has its own certificate authority. Using Core as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

Using MobileIron Core as a certificate proxy


MobileIron Core can act as a proxy to a third-party CA by using SCEP or APIs exposed by the third-party CA. This enables you to configure certificate-based authentication for iOS, WP8, and Android devices.

Using Core as a certificate proxy has the following benefits:
Certificate verifies Exchange ActiveSync, Wi-Fi, and/or VPN connections, eliminating the need for passwords that are complex to manage.
MobileIron can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
Simplified enrollment with the following:
  MS SCEP
  Entrust
  Local CA
  Symantec Managed PKI
  User provided certificates
  Open Trust
  Symantec Web Services Managed PKI

The following applications are supported:

Application | Android | iOS | WP8 (e) | Win 8.1 RT/Pro
ActiveSync | yes (a) | yes (b) | yes | -
VPN | yes (c) | yes (d) | - | -
Wi-Fi | yes | yes | - | yes

a. Android with Email+ and TouchDown
b. Mail+, iOS native mail client
c. Cisco AnyConnect
d. IPSec, Cisco AnyConnect, and JunOS Pulse
e. Only root and intermediate CA are supported

The following certificates are supported:

Certificate | Android | iOS | WP8 | Win 8.1 RT/Pro
MS SCEP | yes | yes | yes | yes
Entrust | yes | yes | - |
Local CA | yes | yes | yes | yes
Symantec Managed PKI | yes | yes | - |
User provided certificates | yes | yes | - |
Open Trust | yes | yes | - |
Symantec Web Services Managed PKI | yes | yes | - |

For information about how to create SCEP settings in MobileIron Core, see SCEP settings on page 301.

Using Kerberos constrained delegation


You can use Kerberos constrained delegation (KCD) for authenticating the device to
the ActiveSync server and the app server.

For detailed information about how to configure MobileIron to use Kerberos authentication, see:
Device and server authentication support for Standalone Sentry on page 408.
the Authentication Using Kerberos Constrained Delegation tech note, available on the MobileIron Support site.


Using AppConnect app configuration


An AppConnect app can authenticate to an app server using a certificate. You pass the certificate to the app on the device by using a key-value pair in the app's AppConnect app configuration. After configuring a SCEP or Certificate setting, you specify that setting as the key's value.

For details, see Configuring an AppConnect app configuration on page 614.

More information
For detailed information about how to set up MobileIron Core as a SCEP proxy in a managed PKI environment, see the Setting up Symantec VeriSign Managed PKI Integration tech note, available on the MobileIron Support site.

For detailed information about how to set up certificate-based authentication for iOS,
see the Certificate-based Authentication for iOS tech note, available on the MobileIron
Support site.

For detailed information about how to set up MobileIron to use Entrust, see the
Authentication Using Entrust Certificate Types tech note, available on the MobileIron
Support site.

Chapter 8

Troubleshooting Devices
Overview of troubleshooting devices
Force Device Check-In
Using logs
Service Diagnostic screen


Overview of troubleshooting devices


MobileIron provides troubleshooting features that help you support your device users
and diagnose problems:
Troubleshooting page
Force Device Check-In
Using logs
Service Diagnostic screen

To troubleshoot issues involving MobileIron Server operation, see Section III: System
Management.


Force Device Check-In

Android | iOS | OS X | Win 7 | WP8 | Win 8.1 RT/Pro
yes | yes | yes | - | - | -

You can use the Force Device Check-in feature to force the device to connect to the MobileIron Server. You might use this feature if the MobileIron Client has not connected for some time, or you want to override a long sync interval to download updates.

You can use this feature to troubleshoot MobileIron operations.

Note regarding AppConnect policies and settings:


On iOS devices, the Force Device Check-in feature on the Admin Portal does not
sync the policies and settings related to AppConnect. The app check-in interval on
the AppConnect global policy controls updates to those policies and settings. See
Configuring the AppConnect global policy on page 590. However, in the
Mobile@Work for iOS app on the device, the Force Device Check-in option does
sync the policies and settings related to AppConnect.
On Android devices, both the Force Device Check-in on the Admin Portal and the
Connect Now option in Mobile@Work for Android update the policies and settings
related to AppConnect. The app check-in interval on the AppConnect global policy
does not apply to Android devices.

To force registered devices to check in:


1. Display the Users & Devices > Devices page.
2. Select the checkbox for the device.
3. Select Force Device Check-in from the Actions menu. The Force Device Check-In
dialog appears.

4. In the dialog, confirm the user and device information and enter a note.
5. Click Force Device Check-in.

Note that the device user may have a Connect Now option that forces the MobileIron
Client to attempt to connect to the MobileIron Server.


Using logs
The following Log pages in the Admin Portal under Logs & Events enable you to easily
navigate through the MobileIron log entries to find the information you need.
MDM Log: for iOS MDM entries
Certificate Log: for certificate-related entries
Browse All: for MobileIron device management entries

MDM Log
The MDM Log displays MDM-specific log entries.

Filter the log entries using the following criteria:


Actions
States
User
Device
Error text
Detail text
Date range

Viewing Errors
Errors result in the display of a View Error link in the Error column. Click the link to
display error details.

Certificate Log
The Certificate Log displays certificate-related log entries. You can remove selected
certificates from the log and revoke selected certificates.

Filter the log entries using the following criteria:


User name
Setting name
Expiration date range


SCEP | Displays the name of the SCEP setting.
Setting Name | Displays the configuration using the SCEP. The configuration is displayed only for a non-cached SCEP. Configuration names are not available for certificates created in VSP Version 6.0 or earlier. For a cached SCEP certificate, you will always see - in the Setting Name, regardless of whether it was created prior to version 7.0 or created in version 7.0. For iOS devices, - is displayed in the Setting Name for certificates generated by the Default Docs@Work Policy. For Android devices, the Setting Name is displayed only for APPCONFIG, APPPOLICY, and WEB@WORK settings; otherwise a - is displayed.

Removing a Certificate From the Certificate Log


To remove a certificate from the Certificate Log:
1. Go to Logs & Events > Certificate Logs.
2. Select the certificate that you want to remove.
3. Click Remove.

Revoking a Certificate
You can revoke certificates created using a Local Certificate Authority. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with MobileIron Core, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.

The certificate will be added immediately to the CRL so the next time the device
attempts to authenticate, authentication will fail.
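The check order described above (CRL first, then the certificate chain), as an added example that is not part of this guide or of MobileIron's code: a constructed Go lab in which a local CA issues a device certificate, publishes a CRL, revokes the serial and republishes, and an authenticate routine refuses a listed certificate before it ever reaches chain validation. The CA name, device ID, serials and 24-hour CRL lifetime are constructed assumptions; the code uses only the standard library's crypto/x509 (Go 1.19 or later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the device certificate's serial is on the CRL.
var ErrRevoked = errors.New("certificate is revoked")

// must panics on error; the PKI setup below is a constructed lab fixture,
// the logic of interest is in authenticate.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent/signer and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newLocalCA builds a self-signed root that may sign certificates and CRLs,
// standing in for Core configured as an independent root CA.
func newLocalCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab Local CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// enroll issues a one-year client-authentication certificate to a device;
// the caller supplies a serial that is unique within this CA.
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) *x509.Certificate {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &devKey.PublicKey, caKey)
}

// publishCRL signs a CRL listing the given serials. Revoking adds the serial
// to the CRL immediately, so callers republish with a higher CRL number.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked ...*big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// authenticate keeps the order the guide gives: consult the CRL first, and only
// a certificate that is not listed goes on to chain validation. A CRL that is
// not signed by the CA or is past its NextUpdate is rejected, not trusted.
func authenticate(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the local CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale; refusing to authenticate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := newLocalCA()
	dev := enroll(ca, caKey, "device-0001", 2) // constructed device ID
	crl := publishCRL(ca, caKey, 1)
	fmt.Println("before revoke:", authenticate(dev, ca, crl)) // <nil>
	crl = publishCRL(ca, caKey, 2, dev.SerialNumber)
	fmt.Println("after revoke:", authenticate(dev, ca, crl)) // certificate is revoked
}
```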

Browse All Logs (General Log)


The Admin Portal tracks status and operations for each managed device using log
entries. You can use log entries to confirm that your actions have been completed and
to investigate problems.
Browsing all log entries
Displaying related log entries
Searching log entries


Browsing all log entries


The All Logs screen enables you to work with all log entries, regardless of whether the
corresponding action has been completed.

Displaying related log entries


Once you find a log entry of interest, you can filter the display to show only that entry
and related entries:
1. Select the entry of interest.
2. Click Show Related.

Searching log entries


To search the log entries for specific information:
1. Click the Search button.

2. Use the following guidelines to enter criteria for your search:

Item | Description
Subject Related To | If you are looking for log entries related to a specific phone number, enter the phone number.
Actions | Select the types of actions you want to see log entries for.
Requested | Specify a range of time during which the action was requested.
Completed | Specify a range of time during which the action was completed.
Status | Specify whether you want to see log entries having a specific status.

3. Click Search.


Service Diagnostic screen


The Service Diagnostic screen in Admin Portal provides a health check for the following services:
LDAP
Sentry
Connector

To display the Service Diagnostic screen, select Settings > Service Diagnostics.

Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.

Chapter 9

Working with Events


About events
Managing events
Event types
Customizing Event Center messages
Events


About events
The Event Center enables MobileIron administrators to connect events to specific alerts. For example, you can specify an SMS to be sent each time a user enters a different country, informing the user that different rates may apply.

The Event Center currently recognizes the following events:


International Roaming Event
SIM Changed Event
Memory (Storage) Size Exceeded Event
System Event
Policy Violations Event

Events page
Use the Events (Admin Portal > Logs & Events > Event Settings) page to manage the
events you are interested in and the corresponding actions you want to automate.

Required role
Users must have the Manage logs and events role to access the Event Settings page.


Managing events
Each event type recognized by the Event Center has settings specific to the event
type. See Event types on page 363 for information on specific settings. This section
explains tasks related to all event types:
Creating an event
Editing an event
Deleting an event
Setting alert preferences

Creating an event
To create an event:
1. Click Logs & Events > Event Settings in the Admin Portal.
2. Click Add New.
3. Select the type of event from the dropdown.
4. Complete the information for the selected event.
5. Click Save.
6. Refresh the screen to display the new event.

Making sure the alert is sent to the correct recipients


When you create an event, you have the opportunity to designate recipients for the
resulting alert. Each event type includes the alert configuration section shown in the
following figure.

For each type of alert (SMS, email, and push notification via APNs or C2DM), you can select one of the following:
User only
User + Admin
Admin only


If you select one of the Admin options, then a CC to Admins section displays in the
dialog.

Use this section to select those users, other than the device user, who should be notified. Only users having registered devices display in this list.

Applying the event to a label


To specify the devices to which the event should apply, you select one or more labels
when you create the event. The amount of time it takes to apply an event to a label
depends on the number of devices identified by the label. Therefore, it may take some
time for the label name to display as selected for the event.

Editing an event
To edit an event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Select the event you want to edit.
3. Click the Edit button.
4. Make your changes.
5. Click Save.

Deleting an event
To delete an event:
1. Click the Events Center tab in Admin Portal.
2. Select the event you want to delete.
3. Click the Delete button.

Setting alert preferences


You can specify the number of times that MobileIron repeats an attempt to send an
email or SMS alert:
1. Click the Settings tab in the Admin Portal.
2. Click the Preferences link.
3. In the Alert Preferences section, enter the number of retries for SMS and email.
4. Click Save.


Event types
Each event type has specific settings that need to be configured. This section
describes the settings for each type.

The current event types are:


International roaming event
SIM changed event
Memory size exceeded event
System event
Policy violations event

International roaming event

Android | iOS | Win 7 | WP8 | Win 8.1 RT/Pro
yes | yes | - | - | -

Note that international roaming detection is not supported for dual-mode devices (i.e.,
devices that switch between GSM and CDMA).

To create an international roaming event:


1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select International Roaming Event from the dropdown menu.


4. Use the following guidelines to create an international roaming event:

Field | Description
Name | Identifier for this notification.
Description | Additional text to clarify the purpose of this notification.
Generate Alert | Turns on/off the alert defined for this event. Not currently implemented.
Alert for Every Country Visited in the Trip | Generates an alert for each country visited after the user leaves the home country.
Maximum Alerts | Specifies whether there is a limit on the number of alerts generated for a given trip. If you select Limited, then you can specify the number of alerts to allow. Once the user returns to the home country, the count is returned to 0.
Severity | Specifies the severity defined for the alert: Critical, Warning, and Information.
Template | Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Customizing Event Center messages on page 380 for information on creating a new template.
Send SMS | Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email | Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification | Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels | Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices to which you want to apply this event.
Apply to Users | Associate this group of settings with the selected users.
Exclude Labels | Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices that should not have this event applied.
Exclude Users | Do not apply this event to the selected users.
CC to Admins | If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Note: If more than one international roaming event applies to a device, only the last
one you edited and saved is triggered.

SIM changed event

Android | iOS | Win 7 | WP8 | Win 8.1 RT/Pro
yes | yes | - | - | -

For iOS devices that are not MDM-managed, the device user must start the MobileIron
app on the device to trigger this event.
To create a SIM changed event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select SIM Changed Event from the dropdown menu.


4. Use the following guidelines for creating a SIM changed event.

Field | Description
Name | Identifier for this event.
Description | Additional text to clarify the purpose of this event.
Generate Alert | Turns on/off the alert defined for this event. Not currently implemented.
Severity | Specifies the severity defined for the alert: Critical, Warning, and Information.
Template | Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Customizing Event Center messages on page 380 for information on creating a new template.
Send SMS | Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email | Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification | Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels | Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices to which you want to apply this event.
Apply to Users | Associate this group of settings with the selected users.
Exclude Labels | Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices that should not have this event applied.
Exclude Users | Do not apply this event to the selected users.
CC to Admins | If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.


Note: If more than one SIM changed event applies to a device, only the last one you
edited and saved is triggered.

Memory size exceeded event

Android | iOS | Win 7 | WP8 | Win 8.1 RT/Pro
yes | yes | - | - | -

To create a memory size exceeded event:


1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select Memory Size Exceeded Event from the dropdown menu.

4. Use the following guidelines to create a memory size exceeded event:

Field | Description
Name | Identifier for this event.
Description | Additional text to clarify the purpose of this notification.
Used Memory Size Exceeds | Specifies the percentage of total memory that triggers the alert.
Generate Alert | Turns on/off the alert defined for this event. Not currently implemented.
Alert every | Specifies the interval for generating the alert. Select 1, 2, 3 or 4 weeks.
Severity | Specifies the severity defined for the alert: Critical, Warning, and Information.
Template | Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Customizing Event Center messages on page 380 for information on creating a new template.
Send SMS | Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email | Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification | Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels | Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices to which you want to apply this event.
Apply to Users | Associate this group of settings with the selected users.
Exclude Labels | Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users | Enter the user ID to find devices that should not have this event applied.
Exclude Users | Do not apply this event to the selected users.
CC to Admins | If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Notes:
Memory exceeded events are sent only once per week when the configured memory limit is reached.
If more than one memory size exceeded event applies to a device, only the last one you edited and saved is triggered.

System event
A system event generates an alert when a component of a MobileIron implementation is not working. To create a system event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.


3. Select System Event from the dropdown menu.


4. Use the following guidelines to complete the form:

Field Description
Name Identifier for this event.
Description Additional text to clarify the purpose of this noti-
fication.
Sentry (standalone and inte- Generates an alert if MobileIron Core is unable
grated) is unreachable to contact the MobileIron Sentry.
Sentry (standalone and inte- Generates an alert if the MobileIron Sentry is
grated) cannot reach EAS unable to contact the ActiveSync server.
server
MobileIron gateway is Select this option to send an alert if Core cannot
unreachable connect to the MobileIron gateway.
BES is unreachable Select this option to send an alert if Core cannot
connect to an integrated BES server.
LDAP server is unreachable Select this option to send an alert if Core cannot
connect to any of the configured LDAP servers.
DNS server is unreachable Select this option to send an alert if Core and
one of the configured DNS servers.
Mail server is unreachable Select this option to send an alert if Core cannot
connect to the configured SMTP server.
NTP server is unreachable Select this option to send an alert if Core con-
nect to the configured NTP server.
Certificate Expired Select this option to send an alert for certificate
expiration. An alert is sent 30 days before expi-
ration and on the expiration date. Certificates
supported include MDM APNS/Client (iOS only),
Admin Portal, and device certificates.
Provisioning Profile Expired Generates an alert if an iOS provisioning profile
distributed via MobileIron has expired. In gen-
eral, this profile will be associated with an in-
house app.
SMTP Relay server is Generates an alert if the configured SMTP relay
unreachable (for SMS archive) does not respond to a ping or
SMTP ping.
See Settings > Preferences in Admin Portal for
the configured SMTP relay.
SMTP Relay server error Generates an alert if the configured SMTP relay
(for SMS archive) returns an error. The alert
includes available details to enable troubleshoot-
ing.
See Settings > Preferences in Admin Portal for
the configured SMTP relay.

Company Confidential
372
Working with Events

Field Description
SMS Message archive queue Generates an alert if the queue of messages to
is full be archived exceeds 100. This indicates a possi-
ble problem with the service, causing a backlog
in the queue.
In response to this alert, you should check the
health of the SMTP relay server and confirm that
it is correctly configured under Settings > Pref-
erences in Admin Portal.
System storage threshold Generates an alert if the system storage thresh-
has been reached old has been reached. See Manually purging
data (system storage) on page 742 for infor-
mation on setting this threshold.
Connector state events Generates an alert if the health of the Connector
changes. MobileIron defines a healthy connector
as one that connects to the server at expected
intervals and syncs successfully with the LDAP
server. An alert is generated if a Connector
changes from healthy to unhealthy, or from
unhealthy to healthy.
Connector requires upgrade Generates an alert if the automated upgrade of
the Connector fails. This alert prompts you to
manually upgrade the Connector.
Connector can not connect Generates an alert if a configured LDAP server is
to LDAP server no longer reachable.
Connector is unreachable Generates an alert if the MobileIron server does
not receive the expected response to the sched-
uled probe of the Connector. This alert generally
indicates network problems.
VPP Percent Used Threshold Generates an alert if the percentage of VPP
tokens for an iOS app purchased via VPP
reaches the specified level. The default thresh-
old is 99 percent, meaning an alert is generated
when 99 percent of the tokens for any VPP-pur-
chased app have been redeemed.
Generate Alert Turns on/off the alert defined for this event. Not
currently implemented.
Maximum Alerts Specifies whether there is a limit on the number
of alerts generated for a given event. If you
select Limited, then you can specify the number
of alerts to allow.
Alert Every Specifies the interval for generating alerts for a
given event. Select the number of hours from
the dropdown.
Severity Specifies the severity defined for the alert.
Select Critical, Warning, or Information.

Company Confidential
373
Working with Events

Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Customizing Event Center messages on page 380 for information on creating a new template.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Send the alert to users in the selected labels. See Using labels to establish groups on page 143 for information on labels.
Note: In most cases, if you do select a label, it should not be a label with broad coverage. System event alerts are usually not appropriate for device users.

Search Users: Enter the user ID to find users to which you want to send the alert.
Apply to Users: Send the alert to the selected users.
Exclude Labels: Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users who should not receive this alert.
Exclude Users: Do not send the alert to the selected users.
Search Users: Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Policy violations event

Supported platforms: Android: yes; iOS: yes; Win 7: -; WP8: yes (1); WP8.1: yes (1); Win 8.1 RT/Pro: yes (1)

(1) Only out of contact and out of policy violations are supported. Alerts are only sent by email.

To create a policy violation event:


1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select Policy Violation Event from the dropdown menu.


4. Use the following guidelines to complete the form:

Field Description
Name: Identifier for this event.
Description: Additional text to clarify the purpose of this notification.
Connectivity
Out-of-contact with Server for X number of days: Select this option to send an alert when a device has been out of contact for the number of days specified in the Security policy assigned to it.
Out-of-policy for X number of days: Select this option to send an alert when a policy has been out of date for the number of days specified in the Security policy assigned to it.
Device Settings
Passcode is not compliant: Generates an alert if a device is detected having a passcode that does not meet the requirements specified in the associated security policy.
App Control

Disallowed app found: Generates an alert if an app that is specified as Disallowed is detected on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
App found that is not in Allowed Apps list: Generates an alert if an app that does not appear on the list of allowed apps has been detected on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
Required app not found: Generates an alert if an app that is specified as Required is not installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
Data Protection/Encryption - iOS - Android
Data Protection/Encryption is disabled: Generates an alert if an iOS device has its Data Protection feature turned off, or an Android device has its Data Encryption feature turned off.
iOS
Disallowed iOS model found: Select this option to send an alert when a restricted iOS model is registered.
Disallowed iOS version found: Select this option to send an alert when a restricted iOS version is registered.
Compromised iOS device: Select this option to send an alert when a compromised iOS device is registered or connects to the server. That is, an iOS device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.
iOS Configuration not compliant: Generates an alert if an iOS device does not have the expected security policy or app settings. This state may indicate that a setting was changed or was not applied successfully.
Restored Device connected to server: Generates an alert if a previously wiped device has been restored and attempts to connect through the MobileIron deployment.
MobileIron iOS App Multitasking disabled by user: Generates an alert if the device user disables multitasking for the MobileIron iOS app. Disabling multitasking increases the likelihood that a compromised device will go undetected for a significant period of time.
Device MDM deactivated (iOS 5 and later): Generates an alert when the MDM profile on a managed iOS 5 device is removed.
Android

Disallowed Android OS version found: Generates an alert if an Android device having a disallowed OS version is detected. You can specify disallowed versions in the security policy.
Compromised Android device detected: Generates an alert if a modified Android device is detected. That is, an Android device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.
Device administrator not activated for DM client or agent: Generates an alert when a managed Android device is found to have no device administrator privilege activated for the MobileIron app or the Samsung DM Agent.
Note: The Samsung DM Agent is not required on Samsung MDM 4.x, starting with Mobile@Work for Android version 5.9.
Actions
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Maximum Alerts: Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.
Alert Every: Specifies the interval for generating alerts for a given event. Select the number of days from the dropdown.
Severity: Specifies the severity defined for the alert. Select Critical, Warning, or Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Customizing Event Center messages on page 380 for information on creating a new template.

Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Send the alert to users in the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users to which you want to send the alert.
Apply to Users: Send the alert to the selected users.
Exclude Labels: Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users who should not receive this alert.
Exclude Users: Do not send the alert to the selected users.

Search Users: Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Note: If more than one policy violations event applies to a device, only the last one you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation. Instead, apply only one policy violations event to each device. In that one event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy violation that triggered the event.

Customizing Event Center messages

The MobileIron Event Center sends emails, SMSes, and push notification messages based on triggering events. When you configure events, you can use the default message template or create a new one. Event Center templates enable you to specify content and basic formatting using HTML markup.

Displaying Event Center templates


To display Event Center templates:
1. In Admin Portal, select Settings > Templates.
2. Select Event Center Templates.
This list includes the default template for each Event Center type. These are not editable.
3. Click the View link for the message template you want to view.


Adding custom Event Center messages


To add a custom Event Center message:
1. Either click the Create button in the event dialog or select the event type from Settings > Templates > Event Center Templates > Add New.
The following figure shows the event dialog.


The dialog for the corresponding event type displays.


Event Center messages are displayed with the HTML markup that provides the
basic formatting for the content.
2. In the Name field, enter a name for the template.
The name must be unique for events of the same type.
3. In the Edit Template for field, select the language this template will be used for.
Note that only those languages that have been enabled for the system will be displayed in this list.
4. Make changes to the displayed messages.
5. Click Save.

Using variables in Event Center messages


Supported and required variables for Event Center messages vary by the type of message. The following table summarizes these variables. You can also click the Variables Supported link to display this information. Note that, unlike registration variables, Event Center variables do not end with $.

You can remove the variables that you do not want to use from a field in the Event
Center template. This allows you to further customize the Event Center messages.

Template Type: Required Variables
International Roaming: $CURRENT_COUNTRY, $HOME_COUNTRY, $PHONE_NUMBER, $SEVERITY, $USER_NAME
Threshold Reached: $PHONE_NUMBER, $SEVERITY, $THRESHOLD_ON, $THRESHOLD_TYPE, $THRESHOLD_UNIT, $THRESHOLD_VALUE, $USED_VALUE, $USER_NAME
SIM Changed: $CURRENT_PHONE_NUMBER, $NEW_PHONE_NUMBER, $SEVERITY, $USER_NAME

Memory Size Exceeded: $FREE_MEMORY_SIZE, $MEMORY_SIZE_LIMIT, $PHONE_NUMBER, $SEVERITY, $TOTAL_MEMORY_SIZE, $USER_NAME
System Event: $DEFAULT_SYSTEM_MESSAGE, $SERVER_IP, $SERVER_NAME, $SEVERITY
Policy Violation: $DEFAULT_POLICY_VIOLATION_MESSAGE, $PHONE_NUMBER, $SEVERITY, $USER_NAME

Variable descriptions
The following table describes the variables used in Event Center messages.

Variable: Description
$CURRENT_COUNTRY: The country in which the device is currently located.
$CURRENT_PHONE_NUMBER: The phone number currently associated with the device in MobileIron Core, but not matching the phone number currently used by the device.
$DEFAULT_POLICY_VIOLATION_MESSAGE: The hardcoded message associated with the policy violation that triggered the alert.
Note: Due to the length limits of SMS, C2DM, and APNs, the text might be truncated.
$DEFAULT_SYSTEM_MESSAGE: The third-party system message or error that triggered the alert.
$FREE_MEMORY_SIZE: The amount of free memory currently available on the device.
$HOME_COUNTRY: The home country of the device.
$MEMORY_SIZE_LIMIT: The threshold set for the device memory.

$NEW_PHONE_NUMBER: The phone number replacing the $CURRENT_PHONE_NUMBER as a result of a SIM change.
$PHONE_NUMBER: The phone number used by the device.
$SERVER_IP: The IP address of the server triggering a system event alert.
$SERVER_NAME: The hostname of the server triggering the system event alert.
$SEVERITY: The defined severity of the system event, i.e., Information, Warning, or Critical.
$THRESHOLD_ON: The total used for calculations, i.e., International Roaming or Total Usage.
$THRESHOLD_TYPE: The type of usage measured, i.e., SMS, Data, or Voice.
$THRESHOLD_UNIT: The unit associated with the type of usage, i.e., minutes, messages, or MB.
$THRESHOLD_VALUE: The defined threshold value for this event, e.g., 1000 (voice minutes).
$TOTAL_MEMORY_SIZE: The total memory reported by the device.
$USED_VALUE: The amount of memory currently used on the device.
$USER_NAME: The display name of the user associated with the device.
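To make the variable rules above concrete, the following Python is an added example (not MobileIron code) that checks a template against the required-variable table for its type, flags a stray trailing $ (the registration-variable style that Event Center does not use), renders the message, and trims the result to the 255-character push limit stated in the event forms. The template text, user values and the "..." truncation marker are constructed for illustration and are not product behaviour.

```python
# Added example (not MobileIron code): validate and render Event Center
# message templates against the variable table above. The sample template and
# values are constructed; the "..." truncation marker is this example's choice.
import re

# Required variables per template type, copied from the table in this section.
REQUIRED_VARIABLES = {
    "International Roaming": {"$CURRENT_COUNTRY", "$HOME_COUNTRY",
                              "$PHONE_NUMBER", "$SEVERITY", "$USER_NAME"},
    "Threshold Reached": {"$PHONE_NUMBER", "$SEVERITY", "$THRESHOLD_ON",
                          "$THRESHOLD_TYPE", "$THRESHOLD_UNIT",
                          "$THRESHOLD_VALUE", "$USED_VALUE", "$USER_NAME"},
    "SIM Changed": {"$CURRENT_PHONE_NUMBER", "$NEW_PHONE_NUMBER",
                    "$SEVERITY", "$USER_NAME"},
    "Memory Size Exceeded": {"$FREE_MEMORY_SIZE", "$MEMORY_SIZE_LIMIT",
                             "$PHONE_NUMBER", "$SEVERITY",
                             "$TOTAL_MEMORY_SIZE", "$USER_NAME"},
    "System Event": {"$DEFAULT_SYSTEM_MESSAGE", "$SERVER_IP",
                     "$SERVER_NAME", "$SEVERITY"},
    "Policy Violation": {"$DEFAULT_POLICY_VIOLATION_MESSAGE",
                         "$PHONE_NUMBER", "$SEVERITY", "$USER_NAME"},
}

# Push notification bodies are limited to 255 characters (event form tables).
PUSH_MAX_CHARS = 255

# Event Center variables are "$NAME" with no trailing "$" (unlike
# registration variables), so a trailing "$" is never part of a name.
_VAR_RE = re.compile(r"\$[A-Z][A-Z0-9_]*")


def check_template(template_type, text):
    """Return (missing, unknown): required variables the text omits, and
    $-tokens it uses that are not supported for this template type."""
    used = set(_VAR_RE.findall(text))
    required = REQUIRED_VARIABLES[template_type]
    return sorted(required - used), sorted(used - required)


def has_stray_dollar(text):
    """True if a '$' remains once every variable token is removed, which
    usually means a registration-style '$NAME$' crept into the template."""
    return "$" in _VAR_RE.sub("", text)


def render(template_type, text, values):
    """Substitute variables; refuse templates with unsupported tokens or a
    stray '$'. Values are looked up by full token name (e.g. '$USER_NAME')."""
    _, unknown = check_template(template_type, text)
    if unknown:
        raise ValueError(f"unsupported variables for {template_type}: {unknown}")
    if has_stray_dollar(text):
        raise ValueError("stray '$' in template: Event Center variables do not end with '$'")
    return _VAR_RE.sub(lambda m: str(values[m.group(0)]), text)


def push_body(message):
    """Trim a rendered message to the 255-character push limit; the '...'
    marker is this example's choice, not documented product behaviour."""
    if len(message) <= PUSH_MAX_CHARS:
        return message
    return message[:PUSH_MAX_CHARS - 3] + "..."


# Constructed sample template (HTML markup is allowed in Event Center templates).
SAMPLE_POLICY_TEMPLATE = ("<p><b>$SEVERITY</b>: $USER_NAME ($PHONE_NUMBER)<br/>"
                          "$DEFAULT_POLICY_VIOLATION_MESSAGE</p>")
SAMPLE_VALUES = {
    "$SEVERITY": "Warning",
    "$USER_NAME": "Ada Lovelace",
    "$PHONE_NUMBER": "+15555550100",
    "$DEFAULT_POLICY_VIOLATION_MESSAGE": "Passcode is not compliant",
}

if __name__ == "__main__":
    print(check_template("Policy Violation", SAMPLE_POLICY_TEMPLATE))
    print(render("Policy Violation", SAMPLE_POLICY_TEMPLATE, SAMPLE_VALUES))
```

Run check_template on a custom template before saving it: an unknown token is silently left unexpanded by a real sender, so a typo such as $USERNAME would reach device users as literal text, and a trailing $ copied from a registration template has the same effect.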

Specifying which template to use


When you create or edit an event, you specify which template to use for resulting
alerts. To select a template:
1. Create or edit an event.
2. Select a template from the dropdown or click the Create button to create a new
template.

Filtering Event Center messages


In the Event Center Templates page, you can filter messages by event type. Just
select the preferred event type from the Event Type dropdown.


Editing Event Center messages


You can edit your custom Event Center templates. However, default Event Center templates are not editable.

To edit a custom Event Center template:


1. In Admin Portal, select Settings > Templates > Event Center Templates.
2. Click the edit icon for the custom template you want to edit.
3. Make your changes.
4. Click Save.

Deleting Event Center messages


You can delete any of the Event Center messages you have created:
1. In Admin Portal, select Settings > Templates > Event Center Templates.
2. Select the items you want to delete.
3. Click Delete.

Events
Use the Events screen to track the events that have triggered alerts. To display the
Events screen, go to Logs & Events > Events.

Marking as Read or Unread


To enable tracking of which events have been noted and/or addressed by an administrator, you can mark an event as Read. Likewise, you can switch this flag back to Unread.

To set the Read/Unread flag:


1. Select one or more events.
2. Select Read or Unread from the Actions menu.

Filtering events
You can filter the displayed events using the following criteria:
Read/Unread
Labels
User
Start Date/End Date
Event Type
Event Status

The following table summarizes these filters.

Filter: Description
Read/Unread: Select Read or Unread from the Show dropdown list. To resume displaying all events, select All.
Labels: Select the preferred label from the Labels dropdown to filter based on the label specified in the event.
User: Enter a user ID and click the search icon to filter based on the user IDs specified in the event.
Start Date/End Date: Select dates in the Start Date and End Date fields to filter events by date range.
Event Type: Select an event type from the Type dropdown to filter by event type.
Event Status: Select an event status from the status dropdown to filter based on the event's lifecycle state.


Event lifecycle and status


Events go through the following lifecycle:

Created -> Dispatch Pending -> Dispatching -> Dispatched

The following two failure states may also occur:

Dispatch Failed: The process of generating the alert failed. This is usually the result of an SMTP problem. Check the SMTP configuration in System Manager, as well as the health of your SMTP server.
Expired: Another event occurred that makes the alert obsolete, resulting in expiration before dispatch.

Exporting event history


To export a CSV file containing the currently displayed events, click the Export button.

Adding a note
You can add a note to one or more events to help track the work that has been done
in response. Each event can hold one note; adding another note replaces the existing
note. To add a note:
1. Select one or more events.
2. Select Actions > Add Note.
3. Enter the text of the note.
4. Click Add.
5. Press F5 to refresh the screen and confirm that the note displays in the Note field for the selected events.

Chapter 10

Working with MobileIron Sentry


MobileIron Sentry
Adding, editing, and deleting a Sentry on MobileIron Core
451 redirect processing
Device and server authentication support for Standalone Sentry
Managing certificates for Standalone Sentry
Email attachment control support for Standalone Sentry
Configuring email attachment control
ActiveSync server background health check
Setting Sentry preferences


MobileIron Sentry
MobileIron Sentry is a component of a MobileIron deployment that interacts with your company's ActiveSync server. The ActiveSync server provides employees access to their email, contacts, calendar, and tasks. Sentry, with input from MobileIron Core, protects the ActiveSync server from wrongful access from the devices.

The Sentry is either a Standalone Sentry or an Integrated Sentry. Standalone Sentry is a separate appliance, whereas Integrated Sentry is a software module on the Microsoft Exchange Server.

You perform Sentry-related configuration as follows:


On MobileIron Core, use the Admin Portal for configuration pertaining to connectivity, devices, policies, and security.
On Standalone Sentry, use the Sentry System Manager for Standalone Sentry system management.

Before continuing with Sentry configuration using the Admin Portal, see the following:
For details about Sentry and an overview of the configuration tasks that you do, see
the MobileIron Sentry Administration Guide.
For information on Sentry installation if you are using an on-premise MobileIron
Core, see the MobileIron Installation Guide.
For information on Sentry installation if you are using Connected Cloud, see Getting
Started with the MobileIron Connected Cloud.

In the Admin Portal, you configure the following information pertaining to Sentry configuration:
Standalone or Integrated Sentry connectivity.
See Adding, editing, and deleting a Sentry on MobileIron Core on page 397.
Certificate management for the certificate that Standalone Sentry presents to
devices.
See Managing certificates for Standalone Sentry on page 417.
Device authentication (how the device authenticates to the Standalone Sentry) and
server authentication (how the Standalone Sentry authenticates the device to the
server).
See Device and server authentication support for Standalone Sentry on
page 408.
Email attachment control.
See Email attachment control support for Standalone Sentry on page 422.
Sentry preferences.
See Setting Sentry preferences on page 435.

You also use the Admin Portal to manage ActiveSync associations. See Working with
ActiveSync Phones via MobileIron Sentry on page 439.


Adding, editing, and deleting a Sentry on MobileIron Core
Use the Admin Portal to add and edit a Sentry to work with MobileIron Core. You can
also delete a Sentry.

Adding an entry for MobileIron Integrated Sentry


To create an entry for a MobileIron Integrated Sentry on MobileIron Core:
1. Select Settings > Sentry in the Admin Portal.

2. Select Add New > Integrated Sentry.

For information about filling in this form, see Installing Integrated Sentry in the
MobileIron Installation Guide.


Adding a MobileIron Standalone Sentry entry


Ensure the following if you are configuring ActiveSync and AppTunnel on the same Sentry:
The Exchange profile matches the device authentication options.
The Sentry Version is 4.7 or above.
Note: Sentry versions 4.6 and 4.5 do not support configuring ActiveSync and AppTunnel on the same Sentry. Versions prior to 4.5 do not support AppTunnel. A misconfiguration can result in disruption of traffic. This could be a temporary interruption or a complete mailbox resync.
To create a MobileIron Standalone Sentry entry:
1. In the Admin Portal, go to Settings > Sentry.
2. Select Add New > Standalone Sentry.
3. Use the following guidelines to complete the form.

Item: Description
Sentry Host / IP: Enter the host name or IP address of the server on which the Standalone Sentry is installed.
Sentry Port: Enter the port that MobileIron Core will use to access the Standalone Sentry. The default is 9090.
Enable ActiveSync: Select Enable ActiveSync to configure the Standalone Sentry for ActiveSync. The ActiveSync Configuration section displays.
Enable App Tunneling: Select Enable App Tunneling to configure the Standalone Sentry for AppTunnel. The AppTunnel Configuration section displays.
Enable Kerberos Proxy: Select Enable Kerberos Proxy to configure the Standalone Sentry as a Kerberos Key Distribution Center Proxy (KKDCP) server. The Kerberos Proxy Configuration section displays.

Device Authentication Configuration (ActiveSync and AppTunnel)


Device Authentication: Select how users attempting to connect to the ActiveSync or app server authenticate with the Sentry. If you configure the Sentry for AppTunnel you can only choose either Group Certificate or Identity Certificate. Depending on the method of device authentication, additional fields display. See Device and server authentication support for Standalone Sentry on page 408 for information on selecting and configuring a method of device authentication.


ActiveSync Configuration
This section of the form displays only if you choose Enable ActiveSync.

Server Authentication: Select how the Sentry authenticates the user to the ActiveSync server. Select Pass Through or Kerberos. The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
ActiveSync Servers: Enter the ActiveSync server hostnames or IP addresses, separated by semicolons (;). The ActiveSync servers in this list provide failover support for each other. The maximum number of characters accepted is 4000 characters. For Microsoft Office 365, enter outlook.office365.com. For Gmail, enter m.google.com.
Enable Server TLS: Specify whether the ActiveSync servers require SSL (i.e., port 443).

Enable Redirect Processing (451): To disable redirect processing, clear the check box. If Enable Redirect Processing (451) is disabled, the Standalone Sentry does not handle redirection, and passes the redirect URL to the device.
Limit Protocol Version: Check this option to choose the ActiveSync protocol version that the device and Microsoft Exchange use to communicate with the Standalone Sentry. If the device is already registered, you have to push the exchange profile to the device to force the device to use the new protocol.
Attachment Control: Specify whether to enable email attachment control, and then specify the type of email attachment control. For more information, see Email attachment control support for Standalone Sentry on page 422.

ActiveSync Server Configuration


This section of the form displays only if Enable ActiveSync is checked.
Enable Client TLS: Specify whether the client must use TLS.
Note: Though the field label reads TLS, the intended requirement is SSL.
Enable Background Health Check: The default setting is enabled. Clear the check box to disable the ActiveSync server health check. If enabled, when the ActiveSync server fails for the number of times configured in the Dead Threshold setting and within the number configured in the Failure Window, then the ActiveSync server status shows Unreachable. When the background health check determines that the server is live for the number configured for Live Threshold, the ActiveSync server status shows Reachable.
Interval: Specify the time interval, in seconds, that Sentry performs a background health check. The valid range is 10 through 600. The default is 60.
Live Threshold: Specify the number of times the ActiveSync server background health check is successful before the server is marked as live. The valid range is 1 through 10. The default is 3.
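As an added illustration (not MobileIron code), the following Python models how the thresholds described above move an ActiveSync server between Reachable and Unreachable. The Interval and Live Threshold ranges are taken from the form; the Dead Threshold default, treating Failure Window as a count of recent probes, counting Live Threshold successes consecutively, and starting in the Reachable state are assumptions made for this example.

```python
# Added example (not MobileIron code): a model of the ActiveSync background
# health check. Interval and Live Threshold ranges come from the form; the
# Dead Threshold default, the Failure Window being a count of recent probes,
# consecutive counting of successes, and the initial status are assumptions.
from collections import deque

REACHABLE, UNREACHABLE = "Reachable", "Unreachable"


class HealthCheck:
    def __init__(self, live_threshold=3, dead_threshold=3, failure_window=5, interval=60):
        if not 1 <= live_threshold <= 10:
            raise ValueError("Live Threshold must be 1 through 10")
        if not 10 <= interval <= 600:
            raise ValueError("Interval must be 10 through 600 seconds")
        self.live_threshold = live_threshold
        self.dead_threshold = dead_threshold      # assumed default
        self.failure_window = failure_window      # assumed: number of recent probes
        self.interval = interval
        self.status = REACHABLE                   # assumed initial status
        self.recent = deque(maxlen=failure_window)  # outcomes of the last N probes
        self.consecutive_ok = 0

    def record(self, probe_ok):
        """Feed one probe result (one probe every `interval` seconds) and
        return the status after applying the thresholds."""
        self.recent.append(probe_ok)
        if probe_ok:
            self.consecutive_ok += 1
            # Live Threshold successes in a row mark the server Reachable again.
            if self.status == UNREACHABLE and self.consecutive_ok >= self.live_threshold:
                self.status = REACHABLE
        else:
            self.consecutive_ok = 0
            # Dead Threshold failures inside the Failure Window mark it Unreachable.
            if self.status == REACHABLE and self.recent.count(False) >= self.dead_threshold:
                self.status = UNREACHABLE
        return self.status


def simulate(results, **kwargs):
    """Return the status after each probe in `results` (True = server answered)."""
    hc = HealthCheck(**kwargs)
    return [hc.record(r) for r in results]


if __name__ == "__main__":
    # Constructed probe history: three failures within a five-probe window,
    # then three consecutive successes.
    print(simulate([True, False, False, True, False, True, True, True]))
```

The second assertion in the accompanying check shows why the window matters: failures that are spread out so that fewer than Dead Threshold of them fall inside the window never flip the status, so a flapping server can stay Reachable while still failing intermittently.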


App Tunneling Configuration


This section of the form displays only if Enable App Tunneling is checked.

To add a new AppTunnel or Advanced AppTunnel (TCP) service, click +.

See Configuring an AppTunnel service on page 608 for information on configuring an AppTunnel service. The Configuring an AppTunnel service section also contains information about Context Headers, Advanced Traffic Control, and Server-side Proxy.

Configuring a TCP tunnel service

A TCP tunnel service is a secure tunnel that Safari domains, iOS managed apps or iOS AppConnect apps use to access the backend resource. Also, on Android devices starting with Android Secure Apps 6.0, AppConnect-enabled hybrid web apps can use a TCP tunnel service to secure data in motion to a backend resource.
Note the following for TCP tunnel:
For device authentication with Trusted Front-End, only F5 supports TCP Tunnels.
Context headers are not supported for TCP tunnel.
Service Name: The TCP tunnel Service Name is used in the MobileIron Tunnel VPN configuration. Enter one of the following:
A unique name for the service that the Safari domain or the app accesses. The name must begin with TCP. TCP is not case sensitive. Example: tcp-mail. The service name cannot contain these characters: 'space' \ ; * ? < > " |.
<TCP_ANY>. Select <TCP_ANY> to allow tunneling to any URL that the app or Safari browser requests.
Server Auth: The Server Auth is always Pass Through. The Sentry passes through all TCP packets to the app server.

Server List: Enter the app server's host name or IP address (usually an
internal host name or IP address), including the port number on the app server
that the Sentry can access. Example: resource1.companyname.com:443
You can enter multiple servers, separated by semicolons. The Sentry uses
round-robin distribution to load balance across them: it sets up the first
tunnel with the first app server, the next with the next app server, and so on.
Example: resource1.companyname.com:443;resource2.companyname.com:443
Note: The Server List field is not applicable when the service name is
<TCP_ANY>.

TLS Enabled: Not applicable to TCP tunnel services.

Proxy Enabled/ATC: Select to direct the TCP tunnel service traffic through the
proxy server. You must also have configured Server-side Proxy or Advanced
Traffic Control (ATC).

Server SPN List: Not applicable to TCP tunnel services.
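The following is an added example, not MobileIron code: it applies the Service
Name and Server List rules described above to candidate values and shows the
round-robin order in which new tunnels are assigned to the listed servers. Host
names are matched loosely (letters, digits, dots, hyphens, or an IPv4 address);
IPv6 literals are not handled, and the sample values are constructed.

```python
"""Added example, not MobileIron's code: checks for the Service Name and
Server List fields of a TCP tunnel service, and the round-robin order in
which new tunnels are assigned to the listed servers."""
import re

TCP_ANY = "<TCP_ANY>"
FORBIDDEN = set(' \\;*?<>"|')          # characters the form rejects
_ENTRY = re.compile(r"([A-Za-z0-9.\-]+):(\d{1,5})")   # host:port, IPv4 or name


def validate_service_name(name):
    """Accept <TCP_ANY>, or a name that starts with TCP (any case) and has
    none of the forbidden characters; raise ValueError otherwise."""
    if name == TCP_ANY:
        return name
    if not name.lower().startswith("tcp"):
        raise ValueError(f"TCP tunnel service name must begin with TCP: {name!r}")
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        raise ValueError(f"service name {name!r} contains forbidden characters {bad}")
    return name


def parse_server_list(server_list, service_name):
    """Split 'host:port;host:port' into [(host, port)].  Every entry needs the
    port Sentry connects to; the field is ignored for <TCP_ANY>."""
    if service_name == TCP_ANY:
        return []
    servers = []
    for entry in server_list.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = _ENTRY.fullmatch(entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError(f"expected host:port, got {entry!r}")
        servers.append((m.group(1), int(m.group(2))))
    if not servers:
        raise ValueError("Server List must name at least one server")
    return servers


def tunnel_assignments(servers, count):
    """Round-robin: tunnel 1 goes to server 1, tunnel 2 to server 2, and so
    on, wrapping back to the first server."""
    return [servers[i % len(servers)] for i in range(count)]


if __name__ == "__main__":
    name = validate_service_name("tcp-mail")
    servers = parse_server_list(
        "resource1.companyname.com:443;resource2.companyname.com:443", name)
    for i, (host, port) in enumerate(tunnel_assignments(servers, 3), 1):
        print(f"tunnel {i} -> {host}:{port}")
```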

Kerberos Authentication Configuration


This section only displays if the Kerberos option is specified for server
authentication, either for the ActiveSync configuration or for an AppTunnel
service.

See Device and server authentication support for Standalone Sentry on page 408
for information on configuring Kerberos for server authentication.

Kerberos Proxy Configuration

This section displays only if Enable Kerberos Proxy is selected.
Note: A separate Standalone Sentry is required for Kerberos proxy. Enabling
Kerberos proxy disables the ActiveSync and AppTunnel options, and the Kerberos
proxy option is disabled on a Standalone Sentry enabled for ActiveSync or
AppTunnel.

+: Click to add a realm-to-KDC mapping.

Realm name: Enter the Kerberos realm name served by the KDC.

KDC server list: Specify the KDC servers from which to request Kerberos tickets,
including the port number for each KDC server (typically 88). Separate the KDC
servers with semicolons (;); the servers in the list provide failover for each
other.
Example: kdc1.example.com:88;kdc2.example.com:88
You must specify at least one KDC server.

Global Server Configuration

Scheduling: Specify Priority or Round Robin scheduling when multiple servers
are specified.
Priority means that the first available server in the specified list is used,
with the first server in the list having the highest priority. If the first
server in the list is never unavailable, the other servers are never used.
Round Robin means that each server in the list is used in turn.

Dead Threshold: Specify the number of times that a server connection can fail
before the server is marked dead. The valid range is 1 through 1000.

Failure Window: Specify the time interval, in milliseconds, within which the
specified number of server connection failures must occur for the server to
be marked dead. The valid range is 1 through 86400000 milliseconds (24 hours).

Dead Time: Specify the amount of time, in milliseconds, that the server stays
marked dead after the specified number of connection failures. The valid range
is 1 through 172800000 milliseconds (48 hours).
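The following is an added example, not MobileIron code: a small model of the
background health check and the Global Server Configuration settings described
above (Dead Threshold, Failure Window, Dead Time, Live Threshold, and Priority
versus Round Robin scheduling), driven by constructed health-check results. The
page does not spell out how Dead Time and Live Threshold combine; this model
assumes that successful checks count toward Live Threshold only after Dead
Time has elapsed, that a failed check during that recovery resets the count,
and that a success while the server is reachable does not clear earlier
failures from the window.

```python
"""Added example, not MobileIron's code: a model of Sentry's server health
check (Dead Threshold / Failure Window / Dead Time / Live Threshold) and of
Priority vs Round Robin scheduling.  The way Dead Time and Live Threshold are
combined here is an assumption, see the lead-in."""
from collections import deque


class BackendServer:
    """Reachability state of one ActiveSync or app server behind Sentry."""

    def __init__(self, name, dead_threshold=3, failure_window_ms=60_000,
                 dead_time_ms=120_000, live_threshold=3):
        self.name = name
        self.dead_threshold = dead_threshold
        self.failure_window_ms = failure_window_ms
        self.dead_time_ms = dead_time_ms
        self.live_threshold = live_threshold
        self.reachable = True
        self.failures = deque()          # timestamps (ms) of recent failures
        self.dead_until_ms = None
        self.successes = 0

    def record(self, ok, now_ms):
        """Feed one health-check result; return the resulting reachability."""
        if not self.reachable:
            if now_ms < self.dead_until_ms:
                return False                 # still inside Dead Time
            if ok:
                self.successes += 1          # counting toward Live Threshold
                if self.successes >= self.live_threshold:
                    self.reachable = True    # status: Reachable
                    self.successes = 0
            else:
                self.successes = 0           # assumption: recovery starts over
            return self.reachable
        if ok:
            return True
        self.failures.append(now_ms)
        # keep only the failures that fall inside the Failure Window
        while self.failures and now_ms - self.failures[0] > self.failure_window_ms:
            self.failures.popleft()
        if len(self.failures) >= self.dead_threshold:
            self.reachable = False           # status: Unreachable
            self.dead_until_ms = now_ms + self.dead_time_ms
            self.failures.clear()
        return self.reachable


class Scheduler:
    """Chooses the server for a new connection: Priority or Round Robin."""

    def __init__(self, servers, mode="priority"):
        if mode not in ("priority", "round_robin"):
            raise ValueError("mode must be 'priority' or 'round_robin'")
        self.servers = list(servers)
        self.mode = mode
        self._next = 0

    def pick(self):
        n = len(self.servers)
        start = 0 if self.mode == "priority" else self._next
        for i in range(n):
            idx = (start + i) % n
            srv = self.servers[idx]
            if srv.reachable:
                if self.mode == "round_robin":
                    self._next = (idx + 1) % n
                return srv
        return None                          # every listed server is dead


def demo():
    """Three failures inside a 60 s window take resource1 down; it comes back
    only after Dead Time (120 s) plus two good checks (Live Threshold 2)."""
    a = BackendServer("resource1", dead_threshold=3, failure_window_ms=60_000,
                      dead_time_ms=120_000, live_threshold=2)
    b = BackendServer("resource2")
    sched = Scheduler([a, b], mode="priority")
    timeline = []
    for t, ok in [(0, False), (30_000, False), (59_000, False),  # 3 in window
                  (120_000, True),                                # inside Dead Time
                  (200_000, True), (260_000, True)]:             # 2 live checks
        a.record(ok, t)
        timeline.append((t, a.reachable, sched.pick().name))
    return timeline


if __name__ == "__main__":
    for t, reachable, chosen in demo():
        print(f"t={t/1000:>5.0f}s resource1 reachable={reachable} -> {chosen}")
```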


Advanced Configuration

This feature gives you additional flexibility to configure Standalone Sentry
session timeouts. You may want to configure the session timeouts to manage
server resources. For example, you may want to configure larger timeouts when
using a Lotus Notes Traveler server with Standalone Sentry.
Note: Do not change these settings unless specifically instructed in the
documentation or by MobileIron Professional Services.

Socket read/write timeout: Specify the time, in milliseconds, after which
Sentry times out a socket read or write to either the device or the server.
Enter a valid integer. The default setting is 10000, and the minimum is 1.

Server connection timeout: Specify the time, in milliseconds, after which
Sentry times out when connecting to the server.
Enter a valid integer. The default setting is 10000, and the minimum is 1.

Server response timeout: Specify the time, in milliseconds, after which Sentry
times out while waiting for an HTTP response from the server.
Enter a valid integer. The default setting is 60000, and the minimum is 1.
If the Sentry is dedicated to AppTunnel support for the IBM Notes Traveler
client, set this value to 900000 milliseconds. See Using AppTunnel with the IBM
Notes Traveler client app on page 632.

Device request timeout: Specify the time, in milliseconds, after which Sentry
times out while waiting for an HTTP request from the device on a new or
existing connection.
Enter a valid integer. The default setting is 10000, and the minimum is 1.
If the Sentry is dedicated to AppTunnel support for the IBM Notes Traveler
client, set this value to 900000 milliseconds. See Using AppTunnel with the IBM
Notes Traveler client app on page 632.

4. Click Save.
5. If you configured the Sentry for app tunneling and the Sentry uses a
self-signed certificate, go to the Settings > Sentry page and, for the Sentry
configured for app tunneling, click the View Certificate link.
This makes the Sentry's certificate known to MobileIron Core.


Editing MobileIron Sentry settings


Ensure the following if you are configuring ActiveSync and AppTunnel on the same
Sentry:
- The Exchange profile matches the device authentication options.
- The Sentry version is 4.7 or later.
Note: Sentry versions 4.5 and 4.6 do not support configuring ActiveSync and
AppTunnel on the same Sentry, and versions prior to 4.5 do not support AppTunnel.
A misconfiguration can disrupt traffic, from a temporary interruption up to a
complete mailbox resync.
To edit settings for a MobileIron Sentry:
1. Select Settings > Sentry in the Admin Portal.
2. Select the entry to be edited.
3. Click the edit icon next to the entry.
4. Make the necessary changes.
5. Click Save.
To verify that the changes have been pushed to the Sentry, check that the Status
shows Success.

For information about editing Integrated Sentry configuration, see Installing Inte-
grated Sentry in the MobileIron Installation Guide.

Deleting a Sentry entry


To delete a Sentry entry:
1. Select Settings > Sentry in the Admin Portal.
2. Select the entry to be deleted.
3. Click Delete.
4. Click Yes to the verification prompt.

Caution: Do not remove a Standalone Sentry entry without first making sure that no
devices are using Exchange app settings that use that Standalone Sentry. Devices
with such Exchange app settings are still accessing the Standalone Sentry. These
devices can continue to access the ActiveSync server even if they violate their security
policy or if you manually attempt to block them. See Exchange settings on
page 243.


Disabling a Sentry entry


If a Sentry is not reachable, processes like retiring a device, pin registration, or delet-
ing a record from the Devices page may be blocked. A Sentry may be unreachable
when you are performing maintenance tasks or the connection is down. The Enable
and Disable options allow you to actively enable or disable any updates or notification
from MobileIron Core to the Sentry.

When you disable the Sentry, the notifications from MobileIron Core to the Sentry are
disabled. This allows Core processes to continue without any disruption, and it keeps
the Sentry configuration. The disabled Sentry continues to process traffic from clients
and continues to communicate with Core.

When you re-enable the Sentry, notifications from MobileIron Core to the Sentry are
re-established.

To disable a Sentry:
1. In the Admin portal, go to Settings > Sentry.
2. Select the Sentry.
3. Click Disable.
The Disable option is only available if the Sentry is enabled.
4. In the pop-up dialog, click Yes.
The State for the Sentry in Settings > Sentry will show Disabled.
The message for the Sentry in Settings > Service Diagnostics will show that the
Sentry has been disabled.
You can change the Sentry setting when it is disabled.

To enable a Sentry:
1. In the Admin portal, go to Settings > Sentry.
2. Select the Sentry.
3. Click Enable.
The Enable option is only available if the Sentry is disabled.
4. In the pop-up dialog, click Yes.
The State for the Sentry in Settings > Sentry will show Enabled.
The message for the Sentry in Settings > Service Diagnostics will show that the
Sentry is reachable.
Any changes made to the Sentry settings will be pushed to the Sentry.

Note: When you disable or enable a Sentry, the warning message indicates that Sen-
try is restarted. Only Standalone Sentry is restarted. Integrated Sentry is not
restarted when it is disabled or enabled.


451 redirect processing


If a 451 redirect URL is set up on your ActiveSync server (the server answers a
sync request with HTTP status 451 and the URL of another ActiveSync endpoint),
the Standalone Sentry follows the redirection itself when a device tries to
sync. The redirect URL is not forwarded to the device, so the device keeps
talking only to Sentry and the redirect target stays behind Sentry's controls.

You configure 451 redirect processing on the Standalone Sentry by enabling or dis-
abling the Enable Redirect Processing (451) field in the Edit Standalone Sentry page.
From the Admin Portal, go to Settings > Sentry, and click on the edit icon for the Sen-
try.

Redirect processing is enabled by default.

Disabling redirect processing


To disable 451 redirect processing:
1. From the Admin Portal, go to Settings > Sentry.
2. Select the Sentry to edit, and click the edit icon next to the entry.
3. Clear the checkbox next to Enable Redirect Processing (451).

4. Click Save.


Device and server authentication support for Standalone Sentry

Standalone Sentry supports device authentication using user name and password,
certificate-based authentication, or Kerberos Constrained Delegation.
Authentication involves configuring:
- device authentication (how the device authenticates to the Standalone Sentry)
- server authentication (how the Standalone Sentry authenticates the device to
  the server).

Device authentication
Device authentication specifies how the device authenticates to the Standalone Sen-
try.
Standalone Sentry supports the following types of device authentication:

Pass Through: Only available if you are using the Sentry for ActiveSync only.
The Sentry passes through the authentication provided by the device, for
example, user name and password or NTLM.
Note: This is the only authentication option you can use with Microsoft Office
365.

Group Certificate: Available for ActiveSync and AppTunnel. Requires the
following:
- A trusted group certificate for device authentication.
- An authentication method such as user name and password or NTLM for
  authenticating the device to the server.
Note: KCD is not supported with group certificates. Because every device
presents the same certificate, a group certificate proves membership in the
group, not the identity of a user; the user is identified only by the
credentials passed through to the server.

Identity Certificate: Available for ActiveSync and AppTunnel. Requires the
following:
- A certificate issued by a trusted root authority for device authentication.
- A user name and password, or a properly configured Kerberos implementation,
  for authenticating the device to the server.

Trusted Front-End: Available for ActiveSync and AppTunnel. Requires the
following:
- Setting up an Apache or F5 proxy to front-end the Standalone Sentry.
- Additional minor changes to references to the hostname in some profiles.


Server authentication
Server authentication specifies how the Sentry authenticates the device to the
backend server, which can be the ActiveSync server or the app server.
Standalone Sentry supports the following types of server authentication, for
both ActiveSync and AppTunnel:

Pass Through: The Sentry passes through the authentication provided by the
device, for example, user name and password or NTLM.

Kerberos: Only available if you choose Identity Certificate for device
authentication. Requires a properly configured Kerberos implementation. Sentry
uses Kerberos Constrained Delegation to obtain a service ticket for the user
identified by the device certificate and presents it to the server, so the
device itself never sends the user's password.

Configuring device and server authentication


You specify the device and server authentication in the Sentry configuration under
Settings > Sentry in the Admin Portal. Click Add New > Standalone Sentry or click the
edit icon for an existing Sentry.
Device authentication is configured in the Device Authentication Configuration sec-
tion.
Server authentication is configured:
in the ActiveSync Configuration section for the ActiveSync server.
in the App Tunneling Configuration section for each AppTunnel service.

If you do device authentication with Identity certificates, you can specify different
server authentication types for the ActiveSync configuration and for each AppTunnel
service. For example, you can specify Pass Through for the ActiveSync server and Ker-
beros Constrained Delegation (KCD) for the servers listed for an AppTunnel service.
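The following is an added example, not MobileIron code: a pre-flight check that
applies the device and server authentication rules stated in this chapter to a
proposed Standalone Sentry entry before it is saved. The dictionary layout and
key names (device_auth, activesync, apptunnel, front_end, and so on) are this
example's own; the rules it encodes are the ones the text gives.

```python
"""Added example, not MobileIron's code: consistency check for a proposed
Standalone Sentry entry against the authentication rules in this chapter.
Field names are this example's own."""

DEVICE_AUTH = {"pass_through", "group_certificate", "identity_certificate",
               "trusted_front_end"}
SERVER_AUTH = {"pass_through", "kerberos"}


def validate_sentry(cfg):
    """Return a list of rule violations (an empty list means consistent).

    cfg keys (all optional except device_auth):
      device_auth     one of DEVICE_AUTH
      version         Sentry version tuple, e.g. (6, 0)
      kerberos_proxy  True when Enable Kerberos Proxy is selected
      activesync      {'server_auth': ..., 'exchange': bool, 'office365': bool}
      apptunnel       [{'name': ..., 'type': 'http'|'tcp', 'server_auth': ...,
                        'cifs': bool, 'context_headers': bool,
                        'front_end': 'f5'|'apache'}]
    """
    problems = []
    da = cfg.get("device_auth")
    eas = cfg.get("activesync")
    tunnels = cfg.get("apptunnel") or []

    if da not in DEVICE_AUTH:
        problems.append(f"unknown device authentication {da!r}")
    if cfg.get("kerberos_proxy") and (eas or tunnels):
        problems.append("Kerberos proxy needs a separate Sentry; it cannot be "
                        "combined with ActiveSync or AppTunnel")
    if da == "pass_through" and tunnels:
        problems.append("Pass Through device authentication is available only "
                        "when the Sentry is used for ActiveSync only")
    if eas and tunnels and tuple(cfg.get("version", (0,))) < (4, 7):
        problems.append("ActiveSync and AppTunnel on one Sentry need version "
                        "4.7 or later")
    if eas and eas.get("office365") and da != "pass_through":
        problems.append("Office 365 supports only Pass Through device "
                        "authentication")

    targets = [("ActiveSync", eas)] if eas else []
    targets += [(f"AppTunnel {t.get('name', '?')}", t) for t in tunnels]
    for label, t in targets:
        sa = t.get("server_auth", "pass_through")
        if sa not in SERVER_AUTH:
            problems.append(f"{label}: unknown server authentication {sa!r}")
        if sa == "kerberos":
            if da != "identity_certificate":
                problems.append(f"{label}: Kerberos server authentication "
                                "requires Identity Certificate device "
                                "authentication")
            if label == "ActiveSync" and not t.get("exchange"):
                problems.append("ActiveSync: Kerberos is supported only with "
                                "Microsoft Exchange")
            if t.get("cifs"):
                problems.append(f"{label}: Kerberos is not supported for "
                                "CIFS-enabled content servers")
        if t.get("type") == "tcp":
            if sa != "pass_through":
                problems.append(f"{label}: Server Auth for a TCP tunnel is "
                                "always Pass Through")
            if t.get("context_headers"):
                problems.append(f"{label}: context headers are not supported "
                                "for TCP tunnels")
            if da == "trusted_front_end" and t.get("front_end") != "f5":
                problems.append(f"{label}: with Trusted Front-End, only F5 "
                                "supports TCP tunnels")
    return problems


if __name__ == "__main__":
    # constructed entry: identity certificates, KCD to Exchange and SharePoint,
    # plus a pass-through TCP tunnel for mail
    entry = {"device_auth": "identity_certificate", "version": (6, 0),
             "activesync": {"server_auth": "kerberos", "exchange": True},
             "apptunnel": [{"name": "tcp-mail", "type": "tcp"},
                           {"name": "sharepoint", "type": "http",
                            "server_auth": "kerberos"}]}
    print(validate_sentry(entry) or "entry is consistent")
```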

To configure authentication:
1. Complete the necessary infrastructure changes.
See Adding a MobileIron Standalone Sentry entry on page 398.
2. Obtain the certificates required for your implementation.
3. In the Admin Portal, select Settings > Sentry.


4. Click the edit icon for the existing Standalone Sentry.
5. In the Device Authentication Configuration section, select one of the
following authentication options, depending on your implementation:
- Pass Through: see Authentication using Pass Through on page 410 for next
  steps.
- Group Certificate: see Authentication using a group certificate on page 410
  for next steps.
- Identity Certificate: see Authentication using an identity certificate and
  Pass Through on page 411, or Authentication using an identity certificate and
  Kerberos constrained delegation on page 412, for next steps.

Authentication using Pass Through

If you select Pass Through for device authentication, then Pass Through is the
only option available for server authentication for the ActiveSync server.

Click Save to save your configuration.

Authentication using a group certificate

If you select Group Certificate for device authentication, additional
configuration fields display in the Device Authentication Configuration section.

For device authentication with a group certificate, Pass Through is the only
option available for server authentication.


To complete the configuration:
1. In the Device Authentication Configuration section, click Upload Certificate.
2. Select the certificate (usually a .cer file) you trust.
3. Click Upload.
Note: The certificate is uploaded at this time, but does not persist until you
click Save.
4. If you want to validate the certificates presented by the device against the
Certificate Revocation List (CRL) published by the CA, select Check Certificate
Revocation List (CRL).
Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs
by default; those do not work with Sentry. Before enabling the option, inspect
the CRL Distribution Points extension of a device certificate and confirm that
it lists an http:// or https:// URL.
For CRL validation to work, Sentry requires network connectivity to the CRL
Distribution Point (CDP), usually the CA that issued the certificate, through
an HTTP or HTTPS port.
5. If you are configuring the Sentry for ActiveSync, in the ActiveSync Server
Configuration section, Server Authentication defaults to Pass Through.
If you are configuring the Sentry for AppTunnel, in the App Tunneling
Configuration section, select Pass Through for Server Auth for the AppTunnel
service.
6. Click Save.
Note: The Sentry restarts when you click Save.

Authentication using an identity certificate and Pass Through


This section describes the configuration when you choose Identity Certificate to
authenticate the device to the Sentry and Pass Through for how Sentry authenticates
the device to the ActiveSync or app server.
If you select Identity Certificate for device authentication, additional configuration
fields display in the Device Authentication Configuration section.


To complete the form:
1. In the Device Authentication section, click Upload Certificate.
2. Select the root certificate (this may be a root certificate chain) that you
received from the CA you trust. The CA may be a root authority or an
intermediate authority.
3. Click Upload.
Note that the certificate is uploaded at this time, but does not persist until
you click Save.
4. If you want to validate the certificates presented by the device against the
Certificate Revocation List (CRL) published by the CA, select Check Certificate
Revocation List (CRL).
Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs
by default; those do not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL
Distribution Point (CDP), usually the CA that issued the certificate, through
an HTTP or HTTPS port.

Note: The Certificate Field Mapping fields are used only if the server authentication is
done with Kerberos.
5. If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configu-
ration section, Server Authentication defaults to Pass Through.
If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration
section, select Pass Through for Server Auth for the AppTunnel Service.
6. Click Save.
Note: The Sentry restarts when you click Save after uploading the certificate.

Authentication using an identity certificate and Kerberos constrained delegation

Before you configure Kerberos authentication for Sentry, you must set up your
environment. See Authentication Using Kerberos Constrained Delegation on the
MobileIron Support site.

This section describes the configuration when you choose Identity Certificate to
authenticate the device to the Sentry and Kerberos for how Sentry authenticates
the device to the ActiveSync or app server.

Note the following:
- For ActiveSync, Sentry supports Kerberos authentication only with Microsoft
  Exchange servers.
- For AppTunnel, Sentry does not support Kerberos with CIFS-enabled content
  servers.

If you select Identity Certificate for device authentication, additional
configuration fields display in the Device Authentication Configuration section.

To complete the form:

Device Authentication Configuration section
1. Click Upload Certificate.
2. Select the root certificate (this may be a root certificate chain) that you
received from the CA you trust. The CA may be a root authority or an
intermediate authority.
3. Click Upload.
Note that the certificate is uploaded at this time, but does not persist until
you click Save.
4. If you want to validate the certificates presented by the device against the
Certificate Revocation List (CRL) published by the CA, select Check Certificate
Revocation List (CRL).
Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs
by default; those do not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL
Distribution Point (CDP), usually the CA that issued the certificate, through
an HTTP or HTTPS port.


5. Use the Subject Alternate Name Type list to select the field in the client
certificate that identifies the user for Kerberos Constrained Delegation.
The type is the same type that you specified when generating the client
certificate. This is often the NT Principal Name.
6. Use the Value list to select the value used in the Subject Alternate Name
field. Usually, the User UPN (user principal name) identifies the user.
Sentry uses this field to decide which user to request a Kerberos ticket for,
so any CA whose certificate you upload here must be trusted to issue device
certificates only with the correct user's UPN.

ActiveSync Configuration section

If you are configuring Kerberos for ActiveSync, in the ActiveSync Server
Configuration section, configure the following:
1. For Server Authentication, select Kerberos.
2. Configure the ActiveSync Server SPNs:
- If you used the fully qualified domain name of the ActiveSync server as the
  basis for the Service Principal Name of the server in the ActiveSync Server(s)
  field above, select Derive SPN From FQDN Of ActiveSync Server.
- If you configured the IP address or an alternate DNS name of the ActiveSync
  server in the ActiveSync Server(s) field above, deselect Derive SPN From FQDN
  Of ActiveSync Server, and enter the SPNs for each of your ActiveSync servers,
  separated by semicolons, in the field that appears when the option is
  deselected. Typically, SPNs are in the form http/<FQDN>. For example:
  http/CAS.ironmobile.com.
  Note that the SPN is case-sensitive. The name of the CAS node that uses KCD
  must exactly match the name of the node.
  To view the CAS node:
  - Log on to the Active Directory server as an administrator.
  - From Start > All Programs, select Administrative Tools > Active Directory
    Users and Computers.
  - Navigate to the Computers folder for the Kerberos realm (Kerberos refers to
    a domain as a realm).
  - Note the exact host name of the CAS.

App Tunneling Configuration section

If you are configuring Kerberos for AppTunnel, in the App Tunneling
Configuration section, for an AppTunnel service configure the following:
1. For Server Auth, select Kerberos.
2. Enter the Service Principal Name (SPN) for each server listed in the Server
List, separated by semicolons.
Example: sharepoint1.company.com;sharepoint2.company.com
- The Server SPN List applies only when the Service Name is not <ANY> and the
  Server Auth is Kerberos.
- If each server in the Server List has the same name as its SPN, you can leave
  the Server SPN List empty. However, if you include a Server SPN List, the
  number of SPNs listed must equal the number of servers in the Server List.
  The first server in the Server List corresponds to the first SPN in the
  Server SPN List, the second server to the second SPN, and so on.
Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the
Standalone Sentry assumes that the SPN is the same as the server name received
from the device.
For details on configuring AppTunnel, see Adding AppTunnel or Advanced AppTunnel
support on page 588.
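The following is an added example, not MobileIron code: it builds the
server-to-SPN mapping that the Kerberos settings above call for, both for the
ActiveSync server list (Derive SPN From FQDN Of ActiveSync Server versus an
explicit SPN list) and for an AppTunnel service's Server SPN List. It assumes
server entries are host[:port] separated by semicolons, as in the Server List
field, and keeps host and SPN strings exactly as entered because SPNs are
case-sensitive. The sample values are constructed.

```python
"""Added example, not MobileIron's code: server-to-SPN mapping rules for the
ActiveSync Server SPNs and the AppTunnel Server SPN List described above."""
import ipaddress

ANY = "<ANY>"


def _split(field):
    return [e.strip() for e in field.split(";") if e.strip()]


def _host(entry):
    """Strip a trailing :port from a server entry."""
    host, sep, port = entry.rpartition(":")
    return host if sep and port.isdigit() else entry


def _is_fqdn(host):
    """True for a dotted host name; False for an IP address or a short name."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host


def activesync_spns(servers_field, derive_from_fqdn, explicit_spns=""):
    """Map each ActiveSync server entry to its SPN.  With derive_from_fqdn the
    SPN is http/<FQDN> and every entry must be an FQDN (an IP address or
    alias cannot be turned into the server's SPN); otherwise explicit_spns
    supplies one SPN per server, in the same order."""
    servers = _split(servers_field)
    if derive_from_fqdn:
        mapping = {}
        for entry in servers:
            host = _host(entry)
            if not _is_fqdn(host):
                raise ValueError(f"{entry!r} is not an FQDN; deselect the "
                                 "option and enter the SPN explicitly")
            mapping[entry] = "http/" + host        # case preserved
        return mapping
    spns = _split(explicit_spns)
    if len(spns) != len(servers):
        raise ValueError(f"{len(servers)} servers but {len(spns)} SPNs")
    return dict(zip(servers, spns))


def apptunnel_spns(service_name, server_list, server_spn_list=""):
    """Server SPN List rules for an AppTunnel service with Server Auth set to
    Kerberos: None for <ANY> (Sentry uses the server name the device asked
    for); an empty list means each server's own name is its SPN; otherwise
    the two lists pair up one-to-one and must be the same length."""
    if service_name == ANY:
        return None
    servers = _split(server_list)
    spns = _split(server_spn_list)
    if not spns:
        return {entry: _host(entry) for entry in servers}
    if len(spns) != len(servers):
        raise ValueError(f"Server SPN List has {len(spns)} entries for "
                         f"{len(servers)} servers")
    return dict(zip(servers, spns))


if __name__ == "__main__":
    print(activesync_spns("cas1.ironmobile.com:443;cas2.ironmobile.com:443", True))
    print(apptunnel_spns("sharepoint",
                         "sharepoint1.company.com:443;sharepoint2.company.com:443"))
```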

Kerberos Authentication Configuration section

If you intend to use a Kerberos-generated keytab file:
1. Select Use Keytab File.
2. Click Upload File.
3. Select the keytab file.
4. Click Upload.
The keytab file provides the required Kerberos authentication information. For
information about generating a keytab, see Authentication Using Kerberos
Constrained Delegation on the MobileIron Support site. The keytab contains the
Sentry service account's long-term key, so handle it like a password: protect
the file at rest and in transit, and generate a new keytab whenever the service
account's password changes.
5. Optionally, configure one or more Key Distribution Centers.
The Key Distribution Center is the network service that supplies session tickets
and temporary session keys. This is generally the Active Directory domain
controller host name. Enter either the IP address or the FQDN of the domain
controller.
You can enter multiple KDCs. Separate each KDC with a semicolon.
For example: KDCdomainname1.com;KDCdomainname2.com
If you do not configure a KDC, the system auto-detects the KDC.
6. Click Save.
Note: The Sentry restarts when you click Save.

If you did not upload a keytab file:
1. Complete the Kerberos configuration fields. Use the following guidelines:
- Realm: The Kerberos administrative domain. The realm is usually the company
  domain name, in all uppercase characters.
- Sentry Service Principal: The service principal for the Sentry service
  account, preceded by HTTP/. For example, if the user name of the service
  account is sentry1_eas_kcd, the service principal would be
  HTTP/sentry1_eas_kcd.


- Password: Password for the Sentry service account.
2. Optionally, configure one or more Key Distribution Centers.
The Key Distribution Center is the network service that supplies session tickets
and temporary session keys. This is generally the Active Directory domain
controller host name.
If you do not configure a KDC, the system auto-detects the KDC.
3. Click Save.
Note: The Sentry restarts when you click Save.

Authentication using Trusted Front-End

You can configure the Standalone Sentry to be deployed behind a proxy, for
example, an Apache or an F5 server. This allows TLS termination to occur in
front of the Sentry even when using certificate-based authentication.

By terminating TLS in the DMZ, Standalone Sentry adds a layer of security and
accommodates DMZ firewall policies. Because the front end, not Sentry,
terminates the device's TLS session and validates the device certificate,
Sentry trusts the identity the front end passes to it; restrict network access
to Sentry on that path to the proxy itself, or any host that can reach Sentry
directly could assert a device identity.

Leveraging this configuration requires:
- Setting up an Apache or F5 proxy to front-end the Standalone Sentry.
- Additional minor changes to references to the hostname in some profiles.

Contact MobileIron Professional Services or a MobileIron certified partner to
set up this deployment.


Managing certificates for Standalone Sentry


You can generate, upload, and view certificates for Standalone Sentry from the Set-
tings > Sentry page on the Admin Portal.

Standalone Sentry presents this certificate to devices so that devices can
verify they are talking to the genuine Sentry server. Sentry also presents its
certificate to other servers connecting to it, such as a server that performs
health checks on Sentry.

This certificate is not the same as:
- The certificate that devices use to authenticate themselves to Sentry. For
  information about device certificates, see Device and server authentication
  support for Standalone Sentry on page 408.
- The portal certificate that Sentry presents to browsers to identify itself as
  a trusted server. For more information, see Certificate Management in the
  MobileIron Sentry Administration Guide.

The Standalone Sentry certificate can be one of the following:
- A certificate from a trusted Certificate Authority (CA), such as VeriSign or
  Entrust.
- A self-signed certificate.

If you use a self-signed certificate, a device or server that is connecting to
Sentry is warned that the Sentry's certificate is not from a trusted source,
and users who are trained to click through that warning can no longer tell a
genuine Sentry from an impostor. Therefore, we recommend that you use a
certificate from a trusted Certificate Authority.

To get a certificate from a trusted Certificate Authority, use the Sentry page
on the Admin Portal to generate a certificate signing request (CSR) to the CA.
Once you receive the signed certificate, you can use the same page to upload it
to MobileIron Core, which sends it to Sentry.

Generating a self-signed certificate for Sentry


To generate a self-signed certificate for Sentry:
1. Select Settings > Sentry in the Admin Portal.
2. Click the Manage Certificate link for the Standalone Sentry.
3. Select Generate Self-Signed Certificate from the drop-down list.
4. Click Generate Self-Signed Certificate.

Generating a CSR for Sentry


You can use the Admin Portal to generate a certificate signing request (CSR) to a Cer-
tificate Authority.

To generate a CSR for Sentry:
1. Select Settings > Sentry in the Admin Portal.
2. Click the Manage Certificate link.
3. Select Generate CSR.
4. Use the following guidelines to complete the form:
- Common Name: Enter the fully qualified host name that devices use to reach
  the Sentry. The name must match, or devices will see certificate warnings.
- E-Mail: Enter the email address of the contact person in your organization
  who should receive the resulting certificate.
- Company: Enter the name of the company requesting the certificate.
- Department: Enter the department requesting the certificate.
- City: Enter the city in which the company is located.
- State: Enter the state in which the company is located.
- Country: Enter the two-character abbreviation for the country in which the
  company is located.
- Key Length: Select 1024 or 2048 to specify the length of the RSA key pair.
  Choose 2048: 1024-bit RSA keys are considered weak, and public CAs no longer
  sign certificates for them.

5. Click Generate.


A message similar to the following displays, containing the CSR and the
private key that belongs to it.
6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file. You will need this file when you upload the signed
certificate; store it where only the administrators who will upload it can
read it, and never send it to the CA.
8. Click OK.
9. Submit the CSR file you created in step 6 to the certifying authority.

Uploading Sentry certificates


When you receive the signed certificate from the certifying authority, upload
the certificate files to Standalone Sentry as follows:
1. Select Settings > Sentry in the Admin Portal.
2. Click the Manage Certificate link.
3. Click the Browse button and select a file to be uploaded. If there are
additional files, click the Add another file link.
Select the files as indicated in the following table:
- Key file: The private key file you saved in step 7 of Generating a CSR for
  Sentry on page 418.
- Server certificate: The signed certificate for the Sentry that you received
  from the certifying authority. It must correspond to that private key.
- CA certificate: The certificate (or chain) of the CA that issued the server
  certificate, so that Sentry can present the full chain to devices.
4. Click Upload Certificate.

Viewing a Sentry certificate


To view the current Sentry certificate:
1. Select Settings > Sentry in the Admin Portal.
2. Click the View Certificate link.


Email attachment control support for Standalone Sentry

Email attachment control is part of the Docs@Work feature. It determines if and how
mobile devices view email attachments. For an overview of Docs@Work, see
Docs@Work for email attachment control on page 556.

Up to four levels of emails embedded within an email are supported. All
attachment control options are supported for each of the embedded emails. If an
email contains five or more levels of embedded emails, Sentry encrypts or
converts all attachments, including text and image files.

Supported devices and email apps


The devices that Standalone Sentry supports for email attachment control are listed in
the Docs@Work chapter in Supported devices on page 560.

Note: Attachment control for iOS 7 devices requires Standalone Sentry Version 4.7.1
or later.

iOS email apps


On iOS devices, Sentry supports email attachment control only for the iOS native
email client and the secure, AppConnect-enabled email apps in the following table:

- Divide iOS: supported starting with Standalone Sentry 4.9
- NitroDesk TouchDown for iOS: supported starting with Standalone Sentry 5.0
- Mail+ for iOS: supported starting with Standalone Sentry 5.0

If you are using attachment control, and some iOS devices use other third-party iOS
email clients, configure a separate Sentry for those devices. On that Sentry, do not
enable attachment control.

Android email apps


Android devices using unsecured email apps have limited email attachment control
support. You can configure the Standalone Sentry to remove the attachment or to
deliver the attachment as is, without added security. However, for secure,
AppConnect-enabled email apps on Android devices, you can configure the Standalone Sentry
to deliver the attachment for the secure app to open in the secure container.

The Android AppConnect-enabled email apps that Standalone Sentry supports for
attachment control are:
NitroDesk TouchDown for Android
Email+
Divide PIM (starting with Standalone Sentry version 4.9)


Email attachment control options


For each Standalone Sentry, you configure the type of email attachment control
you want to use in the Admin Portal. For configuration steps, see Configuring
email attachment control on page 427.

The following table summarizes the email attachment control options that are
supported on different devices. The device classes are: iOS devices using the iOS
native email client; iOS devices using supported AppConnect-enabled email apps;
Android devices using supported AppConnect-enabled email apps; and other platforms,
including Android devices using unsecured email apps.

Remove attachment (page 423)
  iOS native email client: supported, but typically not used
  iOS AppConnect-enabled email apps: supported, but typically not used
  Android AppConnect-enabled email apps: supported, but typically not used
  Other platforms: supported
Open Only with Docs@Work and Protect with Encryption (page 424)
  iOS native email client: supported
  iOS AppConnect-enabled email apps: not supported
  Android AppConnect-enabled email apps: not supported
  Other platforms: not supported
Deliver as is (page 425)
  iOS native email client: supported, but typically not used
  iOS AppConnect-enabled email apps: not supported
  Android AppConnect-enabled email apps: not supported
  Other platforms: supported
Open with Secure Email App (page 425)
  iOS native email client: not supported
  iOS AppConnect-enabled email apps: supported
  Android AppConnect-enabled email apps: supported
  Other platforms: not supported

Remove attachment
The Remove attachment option causes the Standalone Sentry to remove attach-
ments from emails, replacing each attachment with another file. The name of the
replacement file is the original attachment file name appended with removed.html.
For example, myDocument.pdf is replaced with myDocument.pdf.removed.html.

The replacement file contains the following text message:

"The original attachment was removed as required by the security policies of your
administrator."

On iOS devices, the message is translated according to the language setting of the
device. The language defaults to United States English if the language setting is not
one of the supported languages.

Supported devices: This option is available on all platforms for all email clients.

Note: Typically, you won't use this option on iOS devices with native email or
supported AppConnect-enabled email apps, or on Android devices that use secure apps.
Other options are available on these devices that are less intrusive but still keep the
attachments secure.

Open Only with Docs@Work and Protect with Encryption


The Open only with Docs@Work, and protect with encryption option means that
attachments open only in Mobile@Work. The user cannot open the attachment using
any other apps on the device. The user also cannot cut and paste content from the
attachment into any other app. Furthermore, the Standalone Sentry encrypts the
attachment, and only Mobile@Work is able to decrypt it, and therefore, display it.

The Standalone Sentry appends the file name of the attachment with .secure. For
example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the
only app that can open files with the .secure file extension.

Mobile@Work is unable to display the file in the following cases:

It does not support the file type. In this case, it presents an error message when
the user tries to view the attachment.
See Supported files in the Mobile@Work for iOS app on page 580.
Its encryption key does not match the attachment's encryption key.
For more information about this case and how to avoid it, see Regenerate the
encryption key if it is compromised on page 431.

Note: When the device user saves a local copy of an email attachment, the saved copy
is protected by the device's data encryption.

When the device user sends Docs@Work documents as email attachments, the docu-
ments are also encrypted. See Encryption for iOS Docs@Work documents sent as
email attachments on page 557.

When to use encryption

The encryption protection provides additional access control for the attachment, making
it prohibitively difficult for a malicious app to view the content. However, encryption
protection has an impact on Standalone Sentry performance.

Therefore, use the encryption option only if the following statements are true:
You are operating in a high security environment.
For Standalone Sentry versions prior to 4.9, you are using a physical appliance for
your Standalone Sentry or you are using the Virtual Standalone Sentry large
configuration. Starting with Standalone Sentry 4.9, the physical appliance and any size
virtual configuration support the encryption option.
Note: Attempts to configure the encryption option fail for other Standalone Sentry
configurations.

Configuration considerations
Changing to or from this option requires you to re-push the Exchange app setting to
the Standalone Sentry's devices. For more information, see Changing the encryption
option on page 429.


Supported devices: This option is available only on iOS devices using the native email
client.

Deliver as is
The Deliver as is option delivers all email attachments in their original form. The
device user views attachments with any available apps that work with the type of
attachment.

Supported devices: This option is available on iOS devices using the native email
client, on Android devices using unsecured email apps, and on other platforms.

Typically, you won't use this option on iOS devices using the native email client
because other options that keep the attachments secure are available.

Open with Secure Email App


Typically, you use this option on:
Android devices for which you have enabled secure apps and are using a supported
AppConnect-enabled secure email app. This option delivers attachments to the
secure AppConnect container. Only AppConnect apps can open the attachment.
For more information, see Using AppConnect for Android.
iOS devices using a supported AppConnect-enabled email app. This option delivers
attachments to the email app.

Supported devices: This option is available on Android devices that are using secure
apps and iOS devices using a supported AppConnect-enabled email app.

Forwarding emails with attachments


When a device user forwards an email that has an attachment, the attachment in the
forwarded email is the original attachment. However, if the ActiveSync server delivers
the email to another device that Standalone Sentry manages, Standalone Sentry
applies the email attachment control to the forwarded email's attachment.

Note: The exception to this behavior involves the iOS native email client. If the
email attachment control option is Remove Attachment, the iOS native email client
forwards the replacement file, that is, the file that contains the replacement text and
has the .removed.html file extension. The original attachment is not forwarded.
However, you typically do not use the Remove Attachment option on iOS devices.

Standalone Sentry handling of S/MIME signed or encrypted emails

Digitally signed emails

Most email apps can use S/MIME (Secure/Multipurpose Internet Mail Extensions) to
digitally sign an email if the email user requests it. The receiving email app processes
this signature to validate the following:
The sender's identity
Whether the email has been tampered with

The Standalone Sentry does some processing on each email that is directed to an
ActiveSync device when the email attachment control option is one of the following:
Open only with Docs@Work and protect with encryption
Remove attachment

This processing changes the signed content, so the signature no longer verifies.
Therefore, when an email app receives a signed email in these cases, the app always
indicates to the user that it cannot validate the sender's identity and that the email
has been tampered with. On such a Sentry the signature indicator therefore cannot
distinguish Sentry's rewriting from actual tampering.

For example, the iOS native email client displays the email's From field in red if:
an iOS device user has enabled S/MIME in the iOS Mail app
the iOS native email client receives an S/MIME email through Standalone Sentry
the email attachment control option is one of the options mentioned above

Encrypted emails
S/MIME can also be used to encrypt emails, although this use of S/MIME is not com-
mon. Standalone Sentry passes along an S/MIME encrypted email with no impact to
the email.
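The following Python model shows why the two S/MIME cases above behave differently. It is an added example, not code from this guide or from MobileIron. Real S/MIME signatures are CMS/PKCS#7 structures over the signed MIME entity; here the signature is stood in for by an HMAC-SHA256 over the serialised signed part using a constructed key, which is enough to show that any rewrite of the signed bytes (such as replacing an attachment with its .removed.html substitute) fails verification, while an application/pkcs7-mime enveloped message is passed through untouched. The message contents and names are constructed.

```python
"""Model of Standalone Sentry attachment rewriting against S/MIME mail.

Added illustration, not MobileIron code. The HMAC stands in for the CMS
signature; the point is that the signature covers the serialised signed
entity, so changing an attachment inside it breaks verification.
"""
import hashlib
import hmac
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the sender's private signing key.
SIGNING_KEY = b"constructed-demo-signing-key"

REMOVED_TEXT = ("The original attachment was removed as required by the "
                "security policies of your administrator.")


def _signature_over(part) -> str:
    """Stand-in for the CMS signature: a MAC over the serialised signed entity."""
    return hmac.new(SIGNING_KEY, part.as_bytes(), hashlib.sha256).hexdigest()


def build_signed(sender: str, attachment_name: str, attachment_bytes: bytes):
    """multipart/signed message: signed body (text + attachment) + signature part."""
    body = MIMEMultipart("mixed", boundary="signed-body-boundary")
    body.attach(MIMEText("See the attached file.", "plain"))
    att = MIMEApplication(attachment_bytes, "pdf")
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    body.attach(att)
    outer = MIMEMultipart("signed", boundary="smime-outer-boundary",
                          protocol="application/pkcs7-signature", micalg="sha-256")
    outer["From"] = sender
    outer.attach(body)
    outer.attach(MIMEApplication(_signature_over(body).encode(), "pkcs7-signature"))
    return outer


def build_encrypted(sender: str, ciphertext: bytes):
    """application/pkcs7-mime enveloped-data: the whole body is opaque to Sentry."""
    msg = MIMEApplication(ciphertext, "pkcs7-mime", name="smime.p7m")
    msg.set_param("smime-type", "enveloped-data")
    msg["From"] = sender
    return msg


def verify(msg) -> bool:
    """Receiving client's check: the signature must match the signed bytes."""
    if msg.get_content_type() != "multipart/signed":
        return False
    body, sig = msg.get_payload()
    presented = sig.get_payload(decode=True).decode()
    return hmac.compare_digest(_signature_over(body), presented)


def _rewrite(part):
    """Replace every attachment part with the .removed.html substitute."""
    if part.is_multipart():
        part.set_payload([_rewrite(p) for p in part.get_payload()])
        return part
    if part.get_content_disposition() == "attachment":
        name = part.get_filename() or "attachment"
        repl = MIMEText(REMOVED_TEXT, "html")
        repl.add_header("Content-Disposition", "attachment",
                        filename=name + ".removed.html")
        return repl
    return part


def sentry_remove_attachments(msg):
    """Model of the Remove attachment option. S/MIME encrypted bodies are
    passed along untouched; any other message has its attachments replaced,
    which changes the signed bytes of a multipart/signed message."""
    if msg.get_content_type() == "application/pkcs7-mime":
        return msg
    return _rewrite(msg)
```

Running build_signed, then sentry_remove_attachments, then verify reproduces the red From field the guide describes: verification is true before the rewrite and false after it, while the enveloped message comes back byte-for-byte unchanged.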


Configuring email attachment control


Use the Admin Portal to configure email attachment control.

Do the following high-level steps:


1. Enable the Docs@Work preference setting.
See Enable Docs@Work on page 566.
2. Configure each Standalone Sentry's attachment control options.
See Configure the Standalone Sentry on page 427.
3. Regenerate the encryption key if the key is compromised.
See Regenerate the encryption key if it is compromised on page 431.

Configure the Standalone Sentry


You configure each Standalone Sentry with an email attachment control option for:
iOS devices using the native email client
iOS and Android devices using secure email apps.
The list of supported secure email apps is in Supported devices and email apps on
page 422.
Other platforms, including Android devices using unsecured email apps.

If you require different options for different users, use a different Standalone Sentry
for each set of users.

Before you configure Open only with Docs@Work and protect with encryption
options for iOS devices, make sure you have enabled Docs@Work as described in
Enable Docs@Work on page 566. The default setting for Attachment Control is dis-
abled. If Attachment Control is set to disabled, Standalone Sentry delivers attach-
ments as is to all devices.

To configure email attachment control options:


1. Go to Settings -> Sentry in the Admin Portal.
2. Click Edit next to the Standalone Sentry entry, and then select Enable Attachment
Control. This option is available only if you selected Enable ActiveSync.
Note: If you do not select this option, the Standalone Sentry delivers attachments
as is to all devices.
3. For iOS Using Native Email, select the type of attachment control that you want to
use.
For a description of the options, see Email attachment control options on
page 423.
Note: Make sure you have enabled Docs@Work as described in Enable
Docs@Work on page 566 if you choose Open only with Docs@Work and protect
with encryption.


4. For iOS And Android Using Secure Apps, select the type of attachment control that
you want to use. The list of supported secure email apps is in Supported devices
and email apps on page 422.
For a description of the options, see Email attachment control options on
page 423.
5. For Other Platforms (Including Android Using Unsecured Apps), select the type of
attachment control that you want to use.
Note: This option does not affect iOS devices.
For a description of the options, see Email attachment control options on
page 423.
6. For File Name Exclusion List, enter any file extensions that you always want
Standalone Sentry to deliver as is when the selected option is Open only with
Docs@Work and protect with encryption. Specify a comma-separated list. The other
attachment control options are applied regardless of this list.
If you make no entry in the text box, the default file name extension list is
applied. See Default file name exclusion list on page 430.
7. Click Save.
The Standalone Sentry restarts when you click Save. A restart can cause a brief
interruption in email service to device users.
8. If you changed to or from the option Open only with Docs@Work and protect with
encryption, a confirmation dialog warns you that the Exchange setting must be
re-pushed to devices. Click Yes if you understand and agree to the impact.


For more information about re-pushing the Exchange app setting, see Changing
the encryption option on page 429.

Checking for configuration errors


If the Standalone Sentry is not available when you click Save, it does not receive the
new settings. When the Standalone Sentry is available again, open the Edit Stand-
alone Sentry view and click Save to send the new settings.

To find out if the Standalone Sentry failed to apply the changes, go to Settings ->
Sentry. Click View Errors on the Standalone Sentry's setting for the detailed error
message.


Changing the encryption option


Changing the option Open only with Docs@Work, and protect with encryption
requires you to re-push the Exchange setting to the iOS devices using the iOS native
email client that the Standalone Sentry works with. Otherwise, those users will be
unable to read or forward previously received attachments.

Important: The re-push sends the Exchange setting to all devices with the appropriate
label, not just the iOS devices.

On each affected device, the re-push causes the email app that uses the Exchange
setting to:
resync its emails, calendar items, tasks, and contacts. For example, the email app
removes all emails from its email folders and then re-fetches the emails from the
ActiveSync server.
in some cases, prompt the device user to re-enter their password for accessing email.

The easiest way to re-push an Exchange setting to a device is to make a simple
change, such as adding a space at the end of the Description field. The next time each
device checks in, MobileIron Core will send the Exchange setting to the device.

Therefore, change to or from the encryption option only if:
you can make the change during a planned maintenance period or non-peak operating
hours.
you have notified users about what to expect.

To re-push the Exchange setting after changing the encryption option:


1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select an Exchange setting that uses the Standalone Sentry with the changed
attachment control option.
3. Click Edit.
The Modify Exchange Setting screen displays.
4. Add a space to the end of the Description field.
5. Click Save.
6. Repeat steps 2 through 5 for each Exchange setting that uses the Standalone Sen-
try with the changed attachment control option.

Attachment control recommendation for multiple Sentries

The attachment control encryption key, once it is generated, is persistent on MobileIron
Core (formerly VSP). The encryption key is pushed to the iOS device when it syncs. Devices
that have the encryption key encrypt documents emailed from Mobile@Work and can view
encrypted documents in Mobile@Work.

If your deployment has multiple Sentries and only some of them have Open only with
Docs@Work and protect with Encryption enabled, attachment control may fail. A Sentry
that is not configured to protect with encryption forwards an already encrypted document
as is. Mobile devices that do not have the encryption key cannot view the document, and
because it remains encrypted it also cannot be viewed on non-mobile devices or in
non-iOS email clients.

If you are using attachment control, we recommend that all Sentries have Open only
with Docs@Work and protect with Encryption enabled for iOS using Native Email.

Default file name exclusion list


The File Name Exclusion text box specifies the file extensions that you always want
Standalone Sentry to deliver as is, even though the attachment control option
selected is Open only with Docs@Work and protect with encryption.

If the text box specifies no file extensions, the Standalone Sentry uses the following
file extensions by default for the exclusion list:
txt
html
htm
jpg
jpeg
gif
png
eml
rpms
rpmsg
bmp
tiff
tif
sdtid
log
ics


The following table summarizes how the exclusion list affects whether the Standalone
Sentry applies each attachment control option. For each option, the first line covers
attachments whose file extension is in the exclusion list and the second line covers
attachments whose extension is not.

Open only with Docs@Work and protect with encryption
  In exclusion list: not applied. Sentry delivers the file as is, and any appropriate
  app can open it.
  Not in exclusion list: applied. Files open only with Docs@Work and are protected
  with encryption.
Remove Attachment
  In exclusion list: applied. Sentry removes the attachment.
  Not in exclusion list: applied. Sentry removes the attachment.
Deliver as is
  In exclusion list: applied. Sentry delivers the attachment as is.
  Not in exclusion list: applied. Sentry delivers the attachment as is.
Open with Secure Email App
  In exclusion list: applied. Only secure email apps can open the attachment.
  Not in exclusion list: applied. Only secure email apps can open the attachment.
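The decision rules spread across Email attachment control options and the exclusion-list table above can be checked end to end with a small model. This is an added example, not MobileIron code: it encodes the option table, the file-name rewriting (.removed.html and .secure), the default exclusion list and the rule that the list only bypasses the encryption option. The device class names, the way the nesting depth of embedded emails is counted, and the original_viewable helper are assumptions made for the model.

```python
"""Model of Standalone Sentry email attachment control decisions.

Added illustration, not MobileIron code. It reproduces the option table and
the File Name Exclusion List rules from this chapter: the exclusion list only
bypasses the encryption option, the other options apply to every attachment,
and a blank exclusion list means the default list. The device class keys and
the way nesting depth is counted are assumptions made for the model.
"""
from dataclasses import dataclass
from enum import Enum


class Option(Enum):
    REMOVE = "Remove attachment"
    ENCRYPT = "Open only with Docs@Work and protect with encryption"
    DELIVER = "Deliver as is"
    SECURE_APP = "Open with Secure Email App"


# Default File Name Exclusion List from this chapter.
DEFAULT_EXCLUSIONS = frozenset(
    "txt html htm jpg jpeg gif png eml rpms rpmsg bmp tiff tif sdtid log ics".split()
)

# Options the Admin Portal accepts for each device class (from the option
# table in this chapter). The keys are illustrative, not portal field names.
SUPPORTED = {
    "ios_native": {Option.REMOVE, Option.ENCRYPT, Option.DELIVER},
    "secure_app": {Option.REMOVE, Option.SECURE_APP},   # iOS/Android AppConnect apps
    "other": {Option.REMOVE, Option.DELIVER},           # incl. unsecured Android apps
}


@dataclass(frozen=True)
class Delivery:
    filename: str   # name the device receives
    action: str     # "removed", "encrypted", "as_is" or "secure_app"


def parse_exclusion_list(text: str) -> frozenset:
    """Comma-separated extensions; a blank box means the default list."""
    exts = {e.strip().lstrip(".").lower() for e in text.split(",") if e.strip()}
    return frozenset(exts) if exts else DEFAULT_EXCLUSIONS


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def decide(option: Option, device_class: str, filename: str,
           exclusion_text: str = "", embedded_depth: int = 0) -> Delivery:
    """What Sentry does with one attachment under the configured option."""
    if option not in SUPPORTED[device_class]:
        raise ValueError(f"{option.value!r} is not available for {device_class}")
    excluded = extension(filename) in parse_exclusion_list(exclusion_text)
    # Assumption: embedded_depth is the number of nested emails above this
    # attachment; at five or more, everything is converted, text and images too.
    if option is Option.ENCRYPT and excluded and embedded_depth < 5:
        return Delivery(filename, "as_is")
    if option is Option.REMOVE:
        return Delivery(filename + ".removed.html", "removed")
    if option is Option.ENCRYPT:
        return Delivery(filename + ".secure", "encrypted")
    if option is Option.SECURE_APP:
        return Delivery(filename, "secure_app")
    return Delivery(filename, "as_is")


def original_viewable(filename: str, device_class: str, has_key: bool) -> bool:
    """Can the original content be viewed after delivery or forwarding?
    A .secure file stays encrypted wherever it is forwarded, so only an iOS
    device whose Mobile@Work holds the current key can display it; a
    .removed.html file never carries the original."""
    if filename.endswith(".secure"):
        return device_class == "ios_native" and has_key
    return not filename.endswith(".removed.html")
```

The original_viewable check is the multi-Sentry recommendation from page 429 in code: once an attachment has been turned into a .secure file, a Sentry that delivers it as is does not make it readable anywhere that lacks the key.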

Regenerate the encryption key if it is compromised


Standalone Sentry uses an encryption key to encrypt email attachments when the
attachment control option is Open only with Docs@Work, and protect with encryp-
tion. MobileIron Core provides one encryption key to all Standalone Sentries using
the encryption option. Core generates the encryption key the first time you select the
encryption option. The encryption key is compromised if malicious third-party apps
are using it to view email attachments.

If you think the key is compromised, you can generate a new key. However, before
generating a new key, consider the following:
Key regeneration causes a restart for all Standalone Sentries that are using encryption
for attachment control. A restart can cause a brief interruption in email service to
device users.
Key regeneration prevents iOS device users who use the iOS native email client
from reading previously received attachments, unless you subsequently re-push
the Exchange setting to the devices. Previously received attachments are encrypted
with the old key, but Mobile@Work uses the new key after key regeneration.
Therefore, Mobile@Work cannot display the old attachments.
Furthermore, consider the scenario in which a device user forwards an email with an
attachment encrypted with the old key. The Standalone Sentry is unable to decrypt
the attachment because it is using the new key. In this case, the Standalone Sentry
replaces the attachment with a text file containing an explanatory message.
Therefore, key regeneration requires you to re-push the Exchange setting to the
iOS devices using the iOS native email client that the Standalone Sentry works
with. The re-push causes the email app to remove all emails from its email folders
and then re-fetch them from the ActiveSync server, so the Standalone Sentry encrypts
the email attachments with the new key.
Important: The re-push sends the Exchange setting to all devices with the
appropriate label, not just the iOS devices.
The re-push causes the email app on each affected device to:
resync its emails, calendar items, tasks, and contacts with the ActiveSync
server. For example, the email app removes all emails from its email folders and
then re-fetches the emails from the ActiveSync server.
in some cases, prompt the device user to re-enter their password for accessing
email.
The easiest way to re-push an Exchange setting to a device is to make a simple
modification, such as adding a space at the end of the Description field. The next
time each device checks in, MobileIron Core will send the Exchange setting to the
device.

Therefore, regenerate the key only if:


the key has been compromised.
you can regenerate the key during a planned maintenance period or non-peak
operating hours.
you have notified users about what to expect.

To regenerate the key, do the following.


1. In the Admin Portal, go to Settings -> Sentry -> Preferences.
2. Click Regenerate Key.

3. Click Yes if you are sure you want to regenerate the key.
4. Go to Policies & Configs > Configurations.
5. Select an Exchange setting that uses a Standalone Sentry configured with the
attachment control encryption option.
6. Click Edit.
The Modify Exchange Setting screen displays.
7. Add a space to the end of the Description field.
8. Click Save.
9. Repeat steps 5 through 8 for each Exchange setting that uses a Standalone Sentry
configured with the attachment control encryption option.


Note: If a Standalone Sentry is not available when you regenerate the key, its entry in
Settings > Sentry displays an error.

To send the new encryption key when the Standalone Sentry is available again:
1. Go to Settings > Sentry in the Admin Portal.
2. Click Edit next to the Standalone Sentry entry.
3. Click Save in the Edit Standalone Sentry screen.
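The two failure modes described in this section (Mobile@Work holding the new key cannot open an attachment encrypted under the old key, and a Sentry forwarding such an attachment substitutes an explanatory text file) can be made concrete with a toy model. This is an added example and not MobileIron code: the real Sentry and Mobile@Work file format is not documented in this guide, so the blob layout (key id, nonce, ciphertext, HMAC tag), the HMAC-SHA256 counter-mode keystream, the wording of the replacement text and the function names are all assumptions chosen so that a key mismatch is reported as such rather than as corrupt data.

```python
"""Toy model of the attachment encryption key lifecycle in this chapter.

Added illustration, not MobileIron code. Blob layout and cipher are
assumptions: key id || nonce || ciphertext || tag, with an HMAC-SHA256
counter-mode keystream and an HMAC tag over header and ciphertext.
"""
import hashlib
import hmac
import os

KEY_ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32

# Text of the substitute file; the real wording is not given in this chapter.
REPLACEMENT_TEXT = (b"The original attachment could not be forwarded because it "
                    b"was encrypted with a key that is no longer in use.")


class KeyMismatch(Exception):
    """The attachment was encrypted with a different key than ours."""


def generate_key() -> bytes:
    """Core generates one key and hands it to every Sentry using encryption."""
    return os.urandom(32)


def key_id(key: bytes) -> bytes:
    """Short fingerprint stored with each blob so a mismatch is reported as
    such instead of as corrupt data (assumed design, not documented)."""
    return hashlib.sha256(b"attachment-key-id:" + key).digest()[:KEY_ID_LEN]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_attachment(key: bytes, plaintext: bytes) -> bytes:
    """Sentry side: produce the .secure blob for one attachment."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = key_id(key) + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt_attachment(key: bytes, blob: bytes) -> bytes:
    """Mobile@Work side (and Sentry on forward): open a .secure blob."""
    if len(blob) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated attachment")
    header = blob[:KEY_ID_LEN + NONCE_LEN]
    ct, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if header[:KEY_ID_LEN] != key_id(key):
        raise KeyMismatch("encrypted with a different attachment control key")
    if not hmac.compare_digest(tag, hmac.new(key, header + ct, hashlib.sha256).digest()):
        raise ValueError("attachment tag does not verify")
    nonce = header[KEY_ID_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def forward_through_sentry(current_key: bytes, blob: bytes) -> tuple:
    """Sentry re-applies attachment control to a forwarded .secure file: it
    decrypts with its current key and re-encrypts; if the key no longer
    matches, the attachment is replaced by a text file with an explanation."""
    try:
        plaintext = decrypt_attachment(current_key, blob)
    except KeyMismatch:
        return ("text", REPLACEMENT_TEXT)
    return ("secure", encrypt_attachment(current_key, plaintext))


def mobile_at_work_open(device_key: bytes, blob: bytes) -> str:
    """Outcome on the device: the plaintext, or the error the user would see."""
    try:
        return decrypt_attachment(device_key, blob).decode()
    except KeyMismatch:
        return "ERROR: key mismatch, re-push the Exchange setting"
    except ValueError as exc:
        return f"ERROR: {exc}"
```

Re-pushing the Exchange setting is what makes the device re-fetch mail, so after regeneration every attachment is produced by encrypt_attachment under the new key and mobile_at_work_open succeeds again; until then the old blobs yield the key-mismatch error, and any forward of them through a Sentry yields the text substitute.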


ActiveSync server background health check


Standalone Sentry performs periodic background health checks to determine if the
ActiveSync server is up. Background health check is enabled by default.

Note: Disable Background health check if you are using only one ActiveSync server or
if you are using Lotus Notes Traveler 8.5.3.

Perform the following steps to change the Background health check settings for the
ActiveSync server:
1. In the Admin Portal, go to Settings > Sentry.
2. Click on the edit icon for the Sentry.
3. In the Edit Standalone Sentry page, under ActiveSync Configuration, expand
ActiveSync Server Configuration.
Use the following guidelines to configure background health check for ActiveSync
servers:

Enable Background Health Check
Clear the check box to disable the ActiveSync server health check. If enabled, when
the ActiveSync server fails for the number of times configured in the Dead Threshold
setting and within the number configured in the Failure Window, the ActiveSync server
status shows Unreachable. When the background health check determines that the
server is live for the number configured for Live Threshold, the ActiveSync server
status shows Reachable.

Interval
Specify the time interval, in seconds, at which Sentry performs a background health
check. The valid range is 10 through 600. The default is 60.

Live Threshold
Specify the number of times the ActiveSync server background health check must be
successful before the server is marked as live. The valid range is 1 through 10. The
default is 3.
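The following Python model replays a sequence of probe results through the health check settings above so you can see when the status flips. It is an added example, not MobileIron code. How the four settings combine is an assumption based on the descriptions here: the server is marked Unreachable once at least Dead Threshold of the last Failure Window checks have failed, and Reachable again after Live Threshold consecutive successes. The ranges for Dead Threshold and Failure Window are not shown in this excerpt, so only the documented Interval and Live Threshold ranges are enforced, and the initial Reachable state is also assumed.

```python
"""Model of the Standalone Sentry ActiveSync server background health check.

Added illustration, not MobileIron code. Threshold semantics are assumed:
Unreachable when >= dead_threshold of the last failure_window checks failed;
Reachable again after live_threshold consecutive successes.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HealthCheckSettings:
    interval_s: int = 60        # documented range 10..600, default 60
    live_threshold: int = 3     # documented range 1..10, default 3
    dead_threshold: int = 3     # assumed default; range not shown in this excerpt
    failure_window: int = 5     # assumed: counted in checks, not seconds

    def __post_init__(self):
        if not 10 <= self.interval_s <= 600:
            raise ValueError("Interval must be 10..600 seconds")
        if not 1 <= self.live_threshold <= 10:
            raise ValueError("Live Threshold must be 1..10")
        if not 1 <= self.dead_threshold <= self.failure_window:
            raise ValueError("Failure Window must be >= Dead Threshold >= 1")


@dataclass
class ServerHealth:
    settings: HealthCheckSettings
    status: str = "Reachable"        # assumed initial state: up until proven down
    _recent: deque = field(default_factory=deque)
    _consecutive_ok: int = 0

    def record(self, ok: bool) -> str:
        """Feed one probe result; return the status Sentry would display."""
        s = self.settings
        self._recent.append(ok)
        if len(self._recent) > s.failure_window:
            self._recent.popleft()
        self._consecutive_ok = self._consecutive_ok + 1 if ok else 0
        if self.status == "Reachable":
            if sum(1 for r in self._recent if not r) >= s.dead_threshold:
                self.status = "Unreachable"
        elif self._consecutive_ok >= s.live_threshold:
            self.status = "Reachable"
            self._recent.clear()   # old failures must not flip it straight back
        return self.status


def replay(results, settings=None):
    """Status after each check in `results`, taken Interval seconds apart."""
    health = ServerHealth(settings or HealthCheckSettings())
    return [health.record(r) for r in results]


def seconds_to_report_outage(settings: HealthCheckSettings) -> int:
    """Worst case for a hard outage: Dead Threshold consecutive failed probes."""
    return settings.dead_threshold * settings.interval_s
```

With the defaults a single failed probe never changes the status, which is the flap suppression you want; lowering Interval shortens detection time but multiplies the probe load on the ActiveSync server by every Sentry in the deployment, which is why the note above recommends disabling the check for a single-server deployment.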

Viewing the ActiveSync server status


To view the status for the ActiveSync server go to any of the following:
In the Admin Portal, go to Settings > Service Diagnostic.
In the Standalone Sentry System Manager, go to Troubleshooting > Service Diagnosis.


Setting Sentry preferences


Using Settings > Sentry > Preferences in the Admin Portal, you can set the following
preferences for the MobileIron integration with ActiveSync:
Auto Block Unregistered Devices
See Auto blocking unregistered devices on page 435.
Sentry Sync Interval
See Setting the Sentry Sync Interval on page 435.
Service Account Notification Email
See Setting the Service Account Notification Email on page 436
Default ActiveSync Policy behavior
See Default ActiveSync Policy behavior on page 436.
Using Settings > Sentry > Preferences, you can also regenerate the encryption key
that Standalone Sentries use when they encrypt email attachments.
See Regenerate the encryption key if it is compromised on page 431.

Auto blocking unregistered devices


By default, Sentry allows unregistered devices to access the ActiveSync server. Use
this setting to change Sentry's behavior to block unregistered devices from access.

Note: When you change this setting, Standalone Sentry immediately changes its
behavior to reflect the setting. Integrated Sentry informs the Microsoft Exchange
Server to change its behavior the next time Integrated Sentry syncs with MobileIron
Core.
To automatically block ActiveSync phones that are not registered with MobileIron:
1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. Select Auto Block Unregistered Devices.

For other methods for blocking devices from accessing the ActiveSync server, see the
following:
Block on page 453
Working with security policies on page 182

Setting the Sentry Sync Interval


The Sentry Sync Interval is only applicable to Integrated Sentry. This setting tells how
often MobileIron Core and Integrated Sentry sync their data. For example:
Core gets the Microsoft Exchange server's ActiveSync policies and devices from
Integrated Sentry.
Core gives its ActiveSync policies to Integrated Sentry to give to the Microsoft
Exchange server.


To change the Sentry Sync Interval value:


1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. Set the Sentry Sync Interval to the preferred interval.

Setting the Service Account Notification Email


Configure this setting if you use a Standalone Sentry that uses Kerberos for device
authentication. This setting specifies the email addresses to notify if the Kerberos ser-
vice account is locked, disabled, or about to expire.

To change the Service Account Notification Email:


1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. In the Service Account Notification Email field, enter one or more email addresses.
Separate the email addresses with commas.

For more information, see Authentication Using Kerberos Constrained Delegation.

Default ActiveSync Policy behavior


The Default ActiveSync Policy behavior applies when no ActiveSync policy is applied
to the device.

This behavior determines whether the Sentry applies the ActiveSync server's policy to
the device syncing with the ActiveSync server.

To change the settings:

Note: It may take up to twenty-four hours for any changes to the Default ActiveSync
Policy behavior to take effect.
1. In the Admin Portal, go to Settings > Sentry > Preferences.
2. Set the default behavior. The settings are described in the following table.

Remove AS Server policy
The ActiveSync server's policy is not applied to the device.

Pass-through AS Server policy
The ActiveSync server's policy is applied to the device.

3. Click Save.

Chapter 11

Working with ActiveSync Phones via MobileIron Sentry

ActiveSync devices and MobileIron Sentry
Working with ActiveSync policies
Adding multiple ActiveSync accounts to a registered device
Viewing ActiveSync associations
Taking Actions on ActiveSync associations
Allowing Windows 7 devices to sync


ActiveSync devices and MobileIron Sentry


ActiveSync devices use the ActiveSync protocol to access a user's email, contacts,
calendar, tasks, and notes. The Standalone Sentry associates the user with the device
accessing the ActiveSync server, and allows you to manage these associations.

Note: The terms ActiveSync devices, ActiveSync phones, and ActiveSync associations
are used interchangeably and refer to the user and device accessing the ActiveSync
server. Actions which specifically impact only the user or the device are called out.

Before working with ActiveSync devices on the Admin Portal, see the MobileIron
Sentry Administration Guide for information about the following:
ActiveSync protocol versions
ActiveSync devices
ActiveSync policies, including how they compare to the security policies
MobileIron Core, Standalone Sentry, and ActiveSync device interaction

Use the Admin Portal to configure information relating to the Sentries that MobileIron
Core works with. See Working with MobileIron Sentry on page 395.

Once you have configured your Sentries and understand ActiveSync devices in a
MobileIron deployment, use the Admin Portal to manage the ActiveSync devices. You can
do the following tasks:
Create and assign Exchange App Settings to devices.
See Exchange settings on page 243.
Create and assign Security policies to devices.
See Working with security policies on page 182.
Create and assign ActiveSync policies to mailboxes.
See Working with ActiveSync policies on page 442.
Add multiple ActiveSync accounts to a registered device.
See Adding multiple ActiveSync accounts to a registered device on page 448.
View information about ActiveSync devices.
See Viewing ActiveSync associations on page 449.
Block an ActiveSync device from accessing the ActiveSync server.
See Block on page 453.
Allow an ActiveSync device to access the ActiveSync server.
See Allow on page 452.
Wipe an ActiveSync device.
See Wipe on page 455.
Register an ActiveSync device.
See Registering ActiveSync phones on page 456.
Remove an ActiveSync device.
See Removing ActiveSync phones on page 456.


Associate an ActiveSync device with a registered device.
See Linking an ActiveSync device to a managed device on page 457.
Re-establish Core management of a device.
See Overriding and re-establishing MobileIron Core management of a device on
page 457.
Assign an ActiveSync policy to a device.
See Assigning an ActiveSync policy on page 458.
Revert the ActiveSync policy on a device.
See Reverting an ActiveSync policy on page 458.


Working with ActiveSync policies

Supported platforms: Android: yes; iOS: yes; Win 7: yes; WP8: yes; WP8.1: yes;
Win 8.1 RT/Pro: yes

ActiveSync policies specify settings to apply to selected ActiveSync devices.


ActiveSync devices use the ActiveSync protocol to connect to an ActiveSync server to
access a user's email, calendar, tasks, and contacts.

Note: We recommend assigning a MobileIron ActiveSync policy to devices other than
iOS, Android, and WP8 devices.

Before you configure ActiveSync policies, see The ActiveSync Policy in the MobileIron
Sentry Administration Guide.

Also, see the following information:
Working with security policies on page 182 for detailed information about security
policies.
Working with policies on page 176 for information on general procedures for
creating, editing, and applying policies.

To work with ActiveSync policies, from the Admin Portal go to Policies & Configs >
ActiveSync Policies.


Use the following guidelines to create or edit ActiveSync policies:

Item Description Default Policy Setting


Name Required. Enter a descriptive Default ActiveSync Policy
name for this policy. This is the
text that will be displayed to
identify this policy throughout
the Admin Portal. This name
must be unique within this pol-
icy type.
Tip: Though using the same
name for different policy types
is allowed (e.g., Executive),
consider keeping the names
unique to ensure clearer log
entries.
Status Select Active to turn on this Active
policy. Select Inactive to turn
off this policy.
Description Enter an explanation of the
purpose of this policy.

Company Confidential
443
Working with ActiveSync Phones via MobileIron Sentry

Password

Password (default: Optional)
  Select Mandatory to specify that the user must enter a password before being able to
  access the device. Otherwise, select Optional, which allows the user to determine
  whether the password will be set.
  Note: If you intend to use the Lock feature in case the phone is lost or stolen, then
  a password must be set on the phone. Therefore, specifying a mandatory password is
  strongly advised.
Password Type (default: Simple)
  Specify whether the password should be simple numeric input, be restricted to
  alphanumeric characters, or have no restrictions (that is, Don't Care).
Minimum Password Length
  Enter a number between 1 and 10 to specify the minimum length for the password.
  Leave this setting blank to specify no minimum.
Maximum Password Inactivity Timeout
  Select the maximum amount of time to allow as an inactivity timeout. The user can
  then specify up to this value as the interval after which the password must be
  re-entered.
Minimum Number of Complex Characters
  Specify the minimum number of special characters that must be included in a
  password.
Maximum Password Age
  Select Unlimited or Limited to indicate whether to enforce limits on password age.
  If you select Limited, specify the number of days after which the password will
  expire.
Maximum Number of Failed Attempts
  Specify the maximum number of times the user can enter an incorrect password before
  all access is denied. Select a number between 4 and 16.
Password History
  Specify the number of passwords remembered to ensure that users define a different
  password.
  For example, if you want to prevent users from repeating a password for the next
  four password changes, enter 4.

Lockdown

Text Messaging (default: Enable)
  Specify whether to enable text messaging on the phone via ActiveSync.
POP/IMAP Email (default: Enable)
  Specify whether to enable email forwarding access on the phone via ActiveSync.
DesktopSync (default: Enable)
  Specify whether to enable DesktopSync on the phone.
HTML Email (default: Enable)
  Specify whether to enable HTML Email access on the phone.
Browser (default: Enable)
  Specify whether to enable browser access on the phone.

Security

Policy Refresh Interval (default: Limited: 0 Days, 0 Hours)
  Specify the time that should elapse between attempts to synchronize policy settings
  with the ActiveSync server.
Block ActiveSync connection for smartphone when
  Select Per-Mailbox smartphone count exceeds to block ActiveSync connections if too
  many devices have the same mailbox. Specify the number of devices to set as the
  limit. When the limit is exceeded, the last device that attempts to access the
  ActiveSync server is blocked.
  Blocking an iOS device also includes blocking its access to the Docs@Work features.
  See Block impact on documents on page 578.

Data Encryption

Require Device Encryption (default: Off)
  Specifies whether the device should be blocked from accessing the ActiveSync server
  if the device does not support encryption.
  Blocking an iOS device also includes blocking its access to the Docs@Work features.
  See Block impact on documents on page 578.
Enable Device Encryption (default: Off)
  Specifies whether to automatically turn on encryption if the phone supports it.
Search Mailboxes (default: None)
  Enter a portion of the mailbox ID to find a mailbox.
  Note: This field is not available for the default ActiveSync policy for Standalone
  Sentry.
Apply to Mailboxes (default: not applicable)
  Apply the policy to the selected mailboxes.
  Starting with Standalone Sentry version 4.5, mailboxes configured in an ActiveSync
  policy only enforce the number of devices set in the Per-Mailbox smartphone count
  exceeds field. To manage devices with the ActiveSync policy, you must manually
  apply the ActiveSync policy to each device.
  In earlier versions of the Sentry, the ActiveSync policy is automatically applied to
  devices with mailboxes configured in the policy. The Default ActiveSync Policy is
  automatically applied to devices that do not have mailboxes configured in an
  ActiveSync policy.
  Note: This field is not available for the default ActiveSync policy for Standalone
  Sentry.


In the ActiveSync Policies page, the # Phones for an ActiveSync Policy displays the
number of devices to which the policy is applied. Since we don't recommend assigning
an ActiveSync policy to iOS, Android, and WP8 devices, you may only see devices
other than iOS, Android, WP8.

The ActiveSync policy is assigned to a device in the ActiveSync Association page.
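The Password rows of the table above are settings that the device enforces once the policy has been provisioned. The following Python model is added here as an illustration and is not MobileIron's code: it shows how those settings combine when a user sets a new password or fails to unlock the device. The field names, the set of characters counted as complex, and the reading of Alphanumeric as requiring both letters and digits are assumptions made for the example; Maximum Password Age and Maximum Password Inactivity Timeout are left out because they depend on clock time rather than on the password itself.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed set of characters counted as "complex" for the example.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass
class PasswordPolicy:
    """The Password rows of the ActiveSync policy table, as plain fields (names assumed)."""
    password: str = "Optional"        # "Mandatory" or "Optional"
    password_type: str = "Simple"     # "Simple", "Alphanumeric" or "Don't Care"
    min_length: Optional[int] = None  # 1-10, or None for no minimum
    min_complex_chars: int = 0        # special characters that must be present
    max_failed_attempts: int = 4      # 4-16; all access is denied once reached
    password_history: int = 0         # previous passwords that may not be reused


@dataclass
class DeviceState:
    """What the device keeps between password changes and unlock attempts."""
    history: List[str] = field(default_factory=list)   # most recent password last
    failed_attempts: int = 0
    access_denied: bool = False


def check_new_password(policy: PasswordPolicy, candidate: str, state: DeviceState) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    if candidate == "":
        # An Optional policy lets the user decide whether to set a password at all.
        return ["password is mandatory"] if policy.password == "Mandatory" else []
    problems: List[str] = []
    if policy.password_type == "Simple" and not candidate.isdigit():
        problems.append("Simple type allows numeric input only")
    elif policy.password_type == "Alphanumeric":
        # Assumption for this example: Alphanumeric means letters and digits both appear.
        has_alpha = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        if not (has_alpha and has_digit):
            problems.append("Alphanumeric type needs both letters and digits")
    # "Don't Care" imposes no character-class rule.
    if policy.min_length is not None and len(candidate) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if sum(1 for c in candidate if c in SPECIAL_CHARS) < policy.min_complex_chars:
        problems.append(f"needs at least {policy.min_complex_chars} special characters")
    remembered = state.history[-policy.password_history:] if policy.password_history else []
    if candidate in remembered:
        problems.append(f"matches one of the last {policy.password_history} passwords")
    return problems


def set_password(policy: PasswordPolicy, candidate: str, state: DeviceState) -> bool:
    """Accept the password if it passes every rule, remembering it for the history check."""
    if check_new_password(policy, candidate, state):
        return False
    state.history.append(candidate)
    state.failed_attempts = 0
    return True


def unlock_attempt(policy: PasswordPolicy, state: DeviceState, entered: str) -> bool:
    """Maximum Number of Failed Attempts: deny all access once the limit is reached."""
    if state.access_denied:
        return False
    # A real device compares a key derived from the password, never the plaintext.
    current = state.history[-1] if state.history else ""
    if entered == current:
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        state.access_denied = True
    return False
```

The model makes the interaction between the rows visible: with Password set to Optional an empty password is accepted and nothing else is checked, while a Mandatory policy with a Simple type and a minimum length rejects short or non-numeric input, Password History rejects a reused value, and the failed-attempt counter turns into a permanent denial (the device-side equivalent of the lock) once the limit is hit.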


Adding multiple ActiveSync accounts to a registered device

Android iOS OS X Win 7 WP8

yes

Standalone Sentry and Integrated Sentry support multiple email accounts on the
same device for the following use cases:
The device user requires access to another user's email account.
The device user is a member of a group and requires access to the group's email
account.

Add additional ActiveSync email accounts in one of the following ways:


The admin creates a new Exchange setting and pushes it to the device.
Before creating the Exchange setting, set a custom attribute, $User_Custom$, for
the user on the ActiveSync Server. In the Exchange setting, in the ActiveSync User
Name field, enter $USER_CUSTOM1$.
For information on how to create an Exchange setting, see Exchange settings on
page 243.
No actions are required by the device user. To access the email account, the device
user requires the password for the email account.
The device user manually adds the ActiveSync email account to the device.
To add the email account, the device user requires the following information:
The user name and password for the ActiveSync email account.
The Sentry FQDN.

Note: If multiple mailboxes are registered on a device and each uses a different
Exchange profile, in the ActiveSync Association page:
The second mailbox displays as the same User as the first mailbox.
The Mailbox ID for the second mailbox displays correctly.


Viewing ActiveSync associations

Android: - | iOS: yes | Win 7: yes | WP8: yes | Win 8.1 RT/Pro: yes

To display the users and the devices that connect via ActiveSync:
1. In the Admin Portal, click the Users & Devices tab.

2. Click the ActiveSync Associations link.

Information displayed for ActiveSync associations

The information displayed for ActiveSync associations includes the following:

Column: Description

DeviceID: The DeviceID for the device.
User: The device user.
Number: The device number.
Phone: The device model.
OS: The device platform.
Status: Indicates whether the device is registered with MobileIron.
  When a record is associated with a registered device on MobileIron Core, the status
  displays as Registered (Linked).
  When a record is not associated with a registered device on MobileIron Core, the
  status displays as Unregistered (Unlinked).
  Use the Link To feature to link the record to the corresponding registered device.
Sync Status: Indicates whether ActiveSync access for the device is Allowed or Blocked.
  If an iOS device is blocked, it also cannot access the Docs@Work features. See Block
  impact on documents on page 578.
First Sync Time: For Integrated Sentry, the First Sync Time displays the time stamp for
  the first successful synchronization of data from the Exchange server.
  For Standalone Sentry, the First Sync Time displays the time stamp when the device is
  first reported by Sentry to MobileIron Core as a new device.
Mailbox ID: Displays the ID for the synchronized mailbox as defined in ActiveSync.
Domain: Indicates whether the device connects via Integrated Sentry or Standalone
  Sentry.

Filtering the ActiveSync associations list


To filter the devices displayed in the ActiveSync Devices page, select one of the crite-
ria in the drop-down list for Show.

You can filter the ActiveSync Devices list by these additional criteria:

Item: Description

Registered(linked): Displays records that are associated with a registered device on
  MobileIron Core.
Unregistered(unlinked): Displays records that are not associated with a registered
  device on Core.
ActiveSync Policy Assigned: Displays associations with devices to which an ActiveSync
  policy is manually assigned.
ActiveSync Action Applied in CY: Displays associations with devices on which an
  ActiveSync action is applied in the calendar year.

Displaying more information for an ActiveSync association


In the ActiveSync Association page, select an ActiveSync record.
The ActiveSync Details pane on the right displays additional information about the
record. Click the arrow for a category to display additional details.

The following table summarizes the information available in the ActiveSync Details
pane.

Label: Description

User: The user (email account) accessing the ActiveSync server.
Phone: The device number and model.
Device Details: Additional details received from the device.
Mailbox Details: The ActiveSync policy applied to the mailbox. Redirect URL, if there
  is a redirect URL, to which the device is redirected.
Comment: Comments you may have added to this record.


Taking Actions on ActiveSync associations


Each ActiveSync user (email account) on the device displays as a separate record in
the ActiveSync Association page.
Actions applied on a record in the ActiveSync Association page only impact the user
associated with the device in that record. If the user is also available on another
device, the user on that device is not impacted.
Note the following:
The wipe behavior differs depending on the platform. For example, for any Android
device, the Email+ client does not support ActiveSync Wipe.
The Apply Policy and Revert Policy actions are applied to the device, not to the user.
Additional users on the Samsung native client display as unregistered in the
ActiveSync Associations page. To register the user, select the record, then click Link
To to link to the corresponding device.

You can take the following actions on ActiveSync associations:


Allow
Block
Wipe
Register
Remove
Link To
Assign Policy
Revert Policy

Note: Allow, Block, and Wipe actions override MobileIron Core's automatic decision-
making about a device's ability to access the ActiveSync server. For more information,
see Overriding and re-establishing MobileIron Core management of a device on
page 457.
Note: We recommend applying ActiveSync actions to devices other than iOS, Android,
and WP8 devices. Wipe, Assign Policy, and Revert Policy are ActiveSync actions.

Allow

Android: yes | iOS: yes | Win 7: yes | WP8: yes | WP8.1: yes | Win 8.1 RT/Pro: yes

Use the Allow button to allow blocked ActiveSync devices to access the ActiveSync
server. The Allow button also allows blocked iOS devices to access the Docs@Work
features as described in Block impact on documents on page 578.

Do the following:


1. In the Admin Portal, click the ActiveSync Associations link under the Users &
Devices tab.
2. Select the entry for the blocked ActiveSync phone.
3. Click the Allow button.
4. Enter a note in the Allow ActiveSync dialog.
5. Click Allow ActiveSync.

Note: When you select Allow, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.

Block

Android: yes | iOS: yes | Win 7: yes | WP8: yes | WP8.1: yes | Win 8.1 RT/Pro: yes


Use the Block button to block selected ActiveSync devices from accessing the
ActiveSync server.

For iOS devices, the Block button also keeps the selected ActiveSync devices from
accessing the Docs@Work features as described in Block impact on documents on
page 578.

The behavior when blocking access to the ActiveSync server is different depending on
whether you are using Standalone Sentry or Integrated Sentry (available only with
on-premise MobileIron Core), as given in the following table.

Sentry type: Block action behavior

Standalone Sentry: Block the user on the device.
  The Block action means that the selected ActiveSync devices are blocked. However, if
  another ActiveSync device uses the same mailbox, it is not blocked.
Integrated Sentry with Microsoft Exchange 2007: Block by mailbox.
  The Block action means that the mailboxes of the selected ActiveSync devices are
  blocked. All other ActiveSync devices using those mailboxes are also blocked. If you
  later use the Allow action on a device, all the devices using the same mailbox are
  allowed.
Integrated Sentry with Microsoft Exchange Server 2010 SP1 and Microsoft Office 365:
  Block by device.
  The Block action means that the selected ActiveSync devices are blocked. However, if
  another ActiveSync device uses the same mailbox, it is not blocked.

For Integrated Sentry, once a single phone has been blocked, you need to use the
Allow command to grant connections to future phones.

Complete the following steps to block an ActiveSync phone:


1. In the Admin Portal, click the ActiveSync Associations link under the Users &
Devices tab.


2. Select the entry for the ActiveSync phone.
3. Click the Block button.
4. Enter a note in the Block ActiveSync dialog.
5. Click Block ActiveSync.

Note: When you click Block, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.

Wipe

Android: yes | iOS: yes | Win 7: yes | WP8: yes | WP8.1: yes | Win 8.1 RT/Pro: yes

Wiping an ActiveSync phone sends an ActiveSync Wipe command to the phone, which
removes all data from the phone, returning the phone to factory defaults. Once you
wipe a phone, its status changes to Wiped, and the only valid action you can apply is
Remove.

Warning
Returning the phone to factory defaults removes all data. Once a wipe has started, do
not restart your phone. Interfering with the wipe process can render your phone non-
functional.

Note: Apply this action only to devices other than iOS, Android, and WP8 devices.

To wipe an ActiveSync phone:


1. Select the ActiveSync Devices view under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be wiped.
3. Click the Wipe button.

Note: The device is wiped only when it attempts to sync, or the user takes an action.
For example, the device is wiped when the device user attempts to send an email.

Note: When you click Wipe, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.

Registering ActiveSync phones

Android: yes | iOS: yes | Win 7: - | WP8: - | WP8.1: yes | Win 8.1 RT/Pro: -

Registering an ActiveSync phone with MobileIron enables device management and
intelligence functions for the phone. See ActiveSync device registration on page 98
for information.

Removing ActiveSync phones


Removing an ActiveSync device removes the association between the phone and the
ActiveSync mailbox. All information about the phone is removed, including any previ-
ously configured Allow, Block or Wipe commands.
To remove an ActiveSync phone:
1. Select the ActiveSync Devices view under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be removed.
3. Click the Remove button.
4. Enter a note in the Remove dialog.
5. Click ActiveSync Remove.


For more information about using Remove, see Overriding and re-establishing
MobileIron Core management of a device on page 457.

Linking an ActiveSync device to a managed device


In most cases, MobileIron automatically matches the device record on the ActiveSync
server to the corresponding device record on MobileIron Core. If this link does not
happen automatically, you can use the Link To feature to establish this match.

To link a device in the ActiveSync Associations page to a device in the Devices page:
1. Select the device in the ActiveSync Devices page.
2. Click the Link to button.
3. Select the corresponding device from the popup.
4. Click Link To.

Overriding and re-establishing MobileIron Core management of a device

Unless you use the Allow, Block, or Wipe button for a device on the ActiveSync
Devices view, MobileIron Core automatically makes decisions to perform allow, block,
or wipe actions based on the following:
the device's security policy
whether the maximum number of devices per mailbox has been exceeded
whether you specified to auto block unregistered devices

However, once you select the Allow, Block, or Wipe button for the device, MobileIron
Core no longer automatically makes these decisions. You can only manually make
these decisions using the Allow, Block, or Wipe buttons. To cause Core to once more
automatically make these decisions, click the Remove button. The next time the
device attempts to access its email, Core and Sentry resync information about the
device, and Core again makes these decisions automatically.

For example, consider the scenario where an executive's device is being blocked from
accessing email due to the device's security policy. Take the following steps:
1. Select the Allow button on the ActiveSync Devices view for the executive's device.
This action immediately allows the executive to access email, without waiting for
your further actions.
2. Use the Admin Portal to update the device's security policy.
For example, exclude the device from using the existing security policy, and create
a new security policy for executives.
3. Click the Remove button on the ActiveSync Devices view.
MobileIron Core removes the device from the ActiveSync Devices view. The next
time the device accesses its email, Core adds the device back to the view, and once
again manages the device based on its security policy.


You can determine if a device was recently blocked or allowed, and if it was a manual
or automatic action. Using the Admin Portal, do the following:
1. Select Log > Browse All.
2. Look for Block or Reinstate (which means allowed) in the Action column.

The message column indicates if the action was due to the security policy. If the action
was manual, the message column is either empty, or contains a note added by the
administrator who performed the manual action.
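The per-mailbox limit from the policy table, the three Block behaviors in the Block section, the override lifecycle described above (Allow, Block and Wipe stay in force until Remove), and the Log > Browse All check are easier to see together as code. The following Python model is an added illustration and not MobileIron's implementation: a small in-memory ActiveSyncModel that makes the automatic decision, applies manual actions with the per-device or per-mailbox scope the Block table describes, and writes log rows whose Message column tells a manual action from an automatic one. The class and method names, the constructed reason strings, and the assumption that every device beyond the per-mailbox limit is blocked (the text says only that the last one is) are mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed reason strings for automatic actions. A real Core words its Message column
# differently; the point is that automatic actions cite the policy while manual ones carry
# the administrator's note (or nothing).
AUTOMATIC_REASONS = ("security policy", "per-mailbox device limit", "unregistered device")


@dataclass
class Assoc:
    """One row of the ActiveSync Associations page: a user (mailbox) on a device."""
    device_id: str
    mailbox: str
    registered: bool
    compliant: bool                 # whether the device satisfies its security policy
    first_sync: int                 # order in which Sentry first reported the device
    manual: Optional[str] = None    # "Allow", "Block" or "Wipe" once an admin overrides
    last: Optional[str] = None      # previous decision, so only transitions are logged


class ActiveSyncModel:
    """Constructed model of Core's automatic allow/block logic and the manual overrides."""

    def __init__(self, sentry_type: str, per_mailbox_limit: Optional[int] = None,
                 auto_block_unregistered: bool = False) -> None:
        # sentry_type: "standalone", "integrated_exchange2007" or "integrated_exchange2010"
        self.sentry_type = sentry_type
        self.limit = per_mailbox_limit
        self.auto_block_unregistered = auto_block_unregistered
        self.records: Dict[str, Assoc] = {}
        self.log: List[dict] = []   # rows like Log > Browse All: Action and Message columns
        self._clock = 0

    def automatic(self, rec: Assoc) -> Tuple[str, str]:
        """Core's own decision for a record, plus the reason the log would show."""
        if not rec.compliant:
            return "Block", "security policy"
        if self.auto_block_unregistered and not rec.registered:
            return "Block", "unregistered device"
        if self.limit is not None:
            peers = sorted((r for r in self.records.values() if r.mailbox == rec.mailbox),
                           key=lambda r: r.first_sync)
            # Assumption: every device beyond the limit, in order of first access, is blocked.
            if peers.index(rec) >= self.limit:
                return "Block", "per-mailbox device limit"
        return "Allow", "security policy"

    def decision(self, rec: Assoc) -> str:
        """A manual action stays in force until the record is removed."""
        return rec.manual if rec.manual is not None else self.automatic(rec)[0]

    def sync(self, device_id: str, mailbox: str, registered: bool = True,
             compliant: bool = True) -> str:
        """A device connects through Sentry: Core adds or refreshes the record and decides."""
        rec = self.records.get(device_id)
        if rec is None:
            self._clock += 1
            rec = Assoc(device_id, mailbox, registered, compliant, self._clock)
            self.records[device_id] = rec
        else:
            rec.registered, rec.compliant = registered, compliant
        decision = self.decision(rec)
        if rec.manual is None:
            reason = self.automatic(rec)[1]
            if decision == "Block" and rec.last != "Block":
                self._log(device_id, "Block", reason)
            elif decision == "Allow" and rec.last == "Block":
                self._log(device_id, "Reinstate", reason)   # Reinstate means allowed again
        rec.last = decision
        return decision

    def _log(self, device_id: str, action: str, message: str) -> None:
        self.log.append({"device": device_id, "action": action, "message": message})

    def _targets(self, rec: Assoc) -> List[Assoc]:
        # Integrated Sentry with Exchange 2007 blocks and allows by mailbox; the others by device.
        if self.sentry_type == "integrated_exchange2007":
            return [r for r in self.records.values() if r.mailbox == rec.mailbox]
        return [rec]

    def block(self, device_id: str, note: str = "") -> None:
        for r in self._targets(self.records[device_id]):
            r.manual = r.last = "Block"
            self._log(r.device_id, "Block", note)

    def allow(self, device_id: str, note: str = "") -> None:
        for r in self._targets(self.records[device_id]):
            r.manual = r.last = "Allow"
            self._log(r.device_id, "Reinstate", note)

    def wipe(self, device_id: str) -> None:
        self.records[device_id].manual = "Wipe"   # afterwards only Remove is valid

    def remove(self, device_id: str) -> None:
        """Forget the record; the next sync re-adds it under automatic management."""
        del self.records[device_id]


def is_manual(row: dict) -> bool:
    """Log > Browse All: automatic actions cite the policy; manual ones carry the admin note."""
    return row["message"] not in AUTOMATIC_REASONS
```

Run through the executive scenario from the text: a non-compliant device syncs and is blocked automatically, allow() makes it Allowed regardless of the policy, remove() drops the record, and the next sync is once again decided by the policy. The same model shows why, on Integrated Sentry with Exchange 2007, blocking one device also blocks its mailbox peers, whereas on Standalone Sentry and Exchange 2010 the peers are untouched.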

Assigning an ActiveSync policy


Starting with Sentry Version 4.5, you have to manually apply an ActiveSync policy to a
device. If an ActiveSync policy is not applied to a device, the Default ActiveSync Policy
behavior configured in Settings >Sentry > Preferences is applied to the Sentry inter-
action with the ActiveSync server.

Note: Apply this action only to devices other than iOS, Android, and WP8 devices.

Note: Manually assigning an ActiveSync policy with earlier versions of Standalone
Sentry or with Integrated Sentry has no impact. In earlier versions of Standalone
Sentry, the default ActiveSync policy is automatically applied to a device if the
mailbox is not configured in an ActiveSync policy on the Sentry.

Follow these steps to assign an ActiveSync policy to a device:


1. In the Admin Portal, go to User & Devices > ActiveSync Devices.
2. Select the device to apply the policy to.
You may select multiple devices.
3. Click the Assign Policy button.
4. Select the policy to assign.
5. Click Assign Policy.

Reverting an ActiveSync policy


Reverting an ActiveSync policy reverts the device to the Default ActiveSync Policy
behavior configured in Settings > Sentry > Preferences. The default behavior is
applied only when the device engages in an ActiveSync Provision.

Follow these steps to Revert to the Default ActiveSync Policy behavior:


1. In the Admin Portal, go to User & Devices > ActiveSync Associations.
2. Select the device or devices.
3. Enter a note in the Revert Policy dialog box.


4. Click Revert Policy.


Allowing Windows 7 devices to sync


Windows 7 devices cannot register with MobileIron Core, because Windows 7 does not
have device management features. However, these devices sync using Exchange
ActiveSync and are managed using ActiveSync policies. The following setup is required
to allow Windows 7 devices to sync.
1. On MobileIron Core, set Auto Block Unregistered Devices to No.
In the Admin Portal, click Settings.
Navigate to Sentry > Preferences.
For Auto Block Unregistered Devices, select No.
Note: The default setting for Auto Block Unregistered Devices is set to No.
2. (Optional) Download the self-signed certificate and its signing certificate, the CA
certificate.

Perform this step if your Sentry uses a self-signed certificate. If your Sentry has a cer-
tificate signed by a third-party CA, go to step 4.

The specific steps differ slightly for each browser type. The following steps detail how
to download the certificates using the Chrome browser.

On Mac OSX
Navigate to https://sentryhostname, where sentryhostname is the Sentry's
fully-qualified domain name.
Click on the Https padlock icon in the address bar.
Click Certificate Information.
Click the signing certificate (CA), then drag the certificate icon from the panel to
your desktop.
Click the self-signed certificate, then drag the certificate icon from the panel to
your desktop.
Go to step 3.

On Windows
Navigate to https://sentryhostname, where sentryhostname is the Sentry's
fully-qualified domain name.
Click on the Https padlock icon in the address bar.
Click Certificate information.
Click the Details tab.
Click Copy to File...
The Certificate Export Wizard appears.
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), click
Next.
Click Browse to navigate to the Desktop to save the file.


Enter a name for the file and click Save, then Next, then Finish.
Note: Other formats are recognized by Windows Phone 7 as valid certificates, but
other formats will not work with an Exchange ActiveSync account.
Click the Certification Path tab.
Select the signing certificate (CA certificate).
Click the Details tab.
Click Copy to File...
The Certificate Export Wizard appears.
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), then click
Next.
Click Browse to navigate to the Desktop to save the file.
Enter a name for the file and click Save, then Next, then Finish.
Go to step 3.
3. Install the self-signed certificate and its signing certificate, the CA certificate.
Perform this step after performing step 2. If your Sentry has a certificate signed by a
third-party CA, go to step 4.
Email the two certificates (self-signed and CA) to an email account on the
device, for example, a GMail or a Yahoo account.
On the device, tap on the attachments to download.
Tap the shield icons to install the certificates.
Go to step 4.
4. Configure the Exchange ActiveSync account on the device.
On the device, tap Settings > email + accounts > add an account > advanced
setup.
Enter your email address and Password, then tap Next.
Tap Exchange ActiveSync as the email account type.
In the Domain field, enter the domain of the email server.
In the Server field, enter sentryhostname, where sentryhostname is the Sen-
try's fully-qualified domain name.
Check Server requires encrypted (SSL) connection.
Tap sign in. The device begins to sync.

Chapter 12

Using the SMS Archive Feature


About the SMS Archive feature
Monitoring SMS archival


About the SMS Archive feature


The optional SMS Archive feature enables organizations to address regulatory require-
ments for archiving inbound and outbound SMSes. Because most archival systems are
designed for archiving email (and, therefore, parsing SMTP content), the MobileIron
SMS Archive feature forwards SMS content and other data via email. MMS data is not
captured as part of this feature.

Supported devices
The SMS archival feature is supported on Samsung SAFE devices running MDM 2.0
through MDM 4.x.

Setting Up the SMS Archive feature

Android: yes | BlackBerry 10: - | iOS: - | Win 7: - | WP8: -

Complete the following steps to set up the SMS Archive feature.


1. In the Admin Portal, select Settings > Preferences.
2. Scroll down to the SMS Archive Preferences section.
3. Use the following guidelines to complete the settings:

Setting: Description

Forward SMS as Email: Select On to enable the SMS Archive feature.
Default From Address: Enter the email address to include in the From field of the
  emails generated for archiving the SMSes.
Destination Email Addresses: Enter the email addresses for the archival systems to
  which the generated emails are being sent. Separate the email addresses with commas
  (,).
Host/IP Addresses: Enter the host name or IP address of each SMTP server to use for
  relaying the email to the SMS archival destinations. You may specify the same SMTP
  server that you specified when you configured MobileIron Core. If you specify
  multiple addresses, then MobileIron attempts to connect to each in the order
  specified until a successful connection is established.
TLS Enabled: Select Yes if you want to enable TLS for communication with the SMTP
  relay server.
STARTTLS Required: If you selected Yes for the TLS Enabled option, indicate whether
  the STARTTLS protocol is required for the specified SMTP servers.
SMS Delivery Interval: Enter the number of hours that MobileIron Core should wait
  before forwarding collected SMSes to their archival destinations. The default value
  is 4.

4. Click the Check SMTP Connection button to confirm SMTP access.


5. Click Save at the bottom of the Preferences screen.
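The settings above describe Core relaying each SMS as an email through one of several SMTP servers, optionally over TLS. The following Python example is added here and is not MobileIron's own code: it shows the shape of that relay, wrapping one SMS record in an RFC 5322 message and offering it to the configured hosts in order until one accepts it, with STARTTLS negotiated (and, when required, refused if the relay does not offer it) before any message data is sent. The X-SMS-* header names, the SAMPLE_SMS record and the RecordingSMTP stand-in, which replaces smtplib.SMTP so the code runs offline, are constructed for the example.

```python
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import formatdate
from typing import Callable, Dict, List, Optional, Sequence


def build_archive_email(sms: Dict[str, str], from_addr: str,
                        destinations: Sequence[str]) -> EmailMessage:
    """Wrap one SMS record in an RFC 5322 message that an email archiver can ingest."""
    msg = EmailMessage()
    msg["From"] = from_addr                     # the Default From Address setting
    msg["To"] = ", ".join(destinations)         # the Destination Email Addresses setting
    msg["Date"] = formatdate(localtime=False)
    msg["Subject"] = f"SMS {sms['direction']}: {sms['device_number']} / {sms['peer_number']}"
    # Constructed header names: archivers usually index per-message metadata from headers.
    msg["X-SMS-Device"] = sms["device_number"]
    msg["X-SMS-Peer"] = sms["peer_number"]
    msg["X-SMS-Direction"] = sms["direction"]
    msg["X-SMS-Timestamp"] = sms["timestamp"]
    msg.set_content(sms["body"])
    return msg


@dataclass
class DeliveryResult:
    host: Optional[str]       # relay that accepted the message, or None (keep it queued)
    errors: List[str]


class ArchiveRelay:
    """Try each SMTP relay in the configured order until one accepts the message."""

    def __init__(self, hosts: Sequence[str], tls_enabled: bool = True,
                 starttls_required: bool = True, port: int = 25,
                 smtp_factory: Callable = smtplib.SMTP) -> None:
        self.hosts, self.port = list(hosts), port
        self.tls_enabled, self.starttls_required = tls_enabled, starttls_required
        self.smtp_factory = smtp_factory      # smtplib.SMTP, or a stand-in for offline runs

    def send(self, msg: EmailMessage) -> DeliveryResult:
        errors: List[str] = []
        for host in self.hosts:
            try:
                conn = self.smtp_factory(host, self.port, timeout=10)
            except OSError as exc:
                errors.append(f"{host}: {exc}")
                continue                      # unreachable: move on to the next host
            try:
                conn.ehlo()
                if self.tls_enabled:
                    if conn.has_extn("starttls"):
                        # The relay's certificate is verified against the system CA store.
                        conn.starttls(context=ssl.create_default_context())
                        conn.ehlo()           # capabilities can change after TLS
                    elif self.starttls_required:
                        raise smtplib.SMTPException("STARTTLS required but not offered")
                conn.send_message(msg)
                return DeliveryResult(host, errors)
            except (smtplib.SMTPException, OSError) as exc:
                errors.append(f"{host}: {exc}")
            finally:
                try:
                    conn.quit()
                except Exception:
                    pass
        return DeliveryResult(None, errors)   # nothing accepted it; the SMS stays queued


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    unreachable: set = set()
    offers_starttls: bool = True
    delivered: list = []                     # (host, tls_negotiated, message)

    def __init__(self, host: str, port: int, timeout: Optional[float] = None) -> None:
        if host in self.unreachable:
            raise OSError(f"connection to {host}:{port} refused")
        self.host, self.tls = host, False

    def ehlo(self): return (250, b"ok")
    def has_extn(self, name: str) -> bool: return name == "starttls" and self.offers_starttls
    def starttls(self, context=None): self.tls = True
    def send_message(self, msg): self.delivered.append((self.host, self.tls, msg))
    def quit(self): pass


# Constructed sample SMS record, as Core would have collected it from a device.
SAMPLE_SMS = {"device_number": "+15550100", "peer_number": "+15550199",
              "direction": "inbound", "timestamp": "2014-06-29T10:15:00Z",
              "body": "Meeting moved to 3pm"}
```

A DeliveryResult with host None is the situation behind a growing Number of SMS in Queue: every relay was unreachable or refused STARTTLS while it was required, so the message must stay queued. With starttls_required False the relay falls back to a cleartext session when STARTTLS is not offered, which is exactly what the STARTTLS Required setting is there to prevent.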

SMS archival and privacy policies


MobileIron privacy policies specify whether SMS content is synchronized. These poli-
cies impact whether SMS content will be archived, as well. To configure a privacy pol-
icy to support SMS archival:
1. Select Policies & Configs > Policies in the Admin Portal.
2. Select the privacy policy entry intended for supported SMS archive devices.
3. Click Edit.
4. Set the SMS option to Sync Content.
5. Click Save.
6. If the policy has not already been applied to the SMS archive devices, apply the
policy to the proper labels (More Actions > Apply To Label).


Monitoring SMS archival


The following monitoring options are available to track:
the number of SMSes queued for delivery
the total number of SMSes delivered

Checking the SMS archive queue


You can display the number of SMSes currently waiting to be forwarded from MobileIron
Core to the configured archival destinations:
1. In the Admin Portal, select Settings > Preferences.
2. Scroll down to the SMS Archive Preferences section.
3. Note the Number of SMS in Queue statistic at the bottom of the section.
A large number of queued SMSes can mean high activity or a problem with SMTP
connectivity. Click Check SMTP Connection to confirm connectivity. See Overriding
the SMS delivery interval on page 466 for information on attempting to deliver
SMSes by overriding the delivery interval.

Overriding the SMS delivery interval


When you set up the SMS Archival feature, you specify the SMS Delivery Interval,
which determines how often MobileIron Core forwards the collected SMSes to the
archival destinations. To override this interval and send the SMSes immediately:
1. In the Admin Portal, select Settings > Preferences.
2. Scroll down to the SMS Archive Preferences section.
3. Click the Send Now button.
Note that the Send Now button is enabled only if there are queued SMSes.

Checking the number of delivered SMSes


MobileIron keeps a perpetual count of the SMSes delivered to archival destinations. To
view this number:
1. In the Admin Portal, select Settings > Preferences.
2. Scroll down to the SMS Archive Preferences section.
3. Note the Number of SMS in Queue statistic at the bottom of the section.

Event Center options


The following Event Center options are available to help manage the health of the SMS
Archive feature:
SMTP Relay server is unreachable
SMTP Relay server error
SMS Message archive queue is full


See System event on page 371 for information on these events.

Chapter 13

Using Enterprise Connector


Enterprise Connector for MobileIron Core
Working with the Connector


Enterprise Connector for MobileIron Core


Enterprise Connector is a component that connects MobileIron Core to corporate
directories, such as Microsoft Active Directory or LDAP, by means of secure HTTPS
connections. Enterprise Connector helps to secure LDAP communication by eliminating
the need for Core LDAP requests to be initiated from the DMZ directly to your local
LAN LDAP directory source. Inbound firewall rules from the DMZ to the LAN are no
longer required to support LDAP connections.

Installation and configuration tasks


Installation and configuration tasks for Enterprise Connector are included as optional
steps in the Installation Guide. If you are about to install a new MobileIron system,
then incorporate these optional steps. If you want to add Enterprise Connector to an
existing MobileIron implementation, then you will need to complete the following
tasks:
1. Configure the Enterprise Connector on MobileIron Core.
Assign the Connector role to a new or existing local user.
Add Connector entries on Core.
2. Install the Enterprise Connector.
3. Configure the Enterprise Connector to access Core.
4. Verify the Core connection from the Enterprise Connector.
5. Verify LDAP connectivity from Core.
6. Remove the firewall rules that are no longer necessary for LDAP integration with
Core.

See the Installation Guide for details on steps 1 through 5.

Viewing Enterprise Connector status


Once Enterprise Connector is installed and configured, you can view status and other
details from MobileIron Core. Complete the following steps:
1. Log in to the Admin Portal:
https://<fully-qualified_domain_name>.
2. Select the Users & Devices tab.
3. Click the Settings tab.
4. Select Connector.

5. Select the Connector of interest to display additional details in the pane on the
right.


Working with the Connector

Viewing the Connector detailed information


1. Log on to the Admin Portal:
https://<fully-qualified_domain_name>.
2. Click the Settings tab.
3. Select Connector to open the Connector.

4. Select the Connector of interest


The detailed information appears on the right-side pane.
5. View the Connector detailed information.
Package version: The Connector software version.
Protocol version: The Connector protocol version.
Host platform: The platform that is used by this Connector.
Host platform release: The build for the Connector.
Host name: The host name.
Host address: The host IP address.
Host OS: The host operating system.
URL: The URL to MobileIron Core.
uptime: The length of time the Connector has been up since the last restart of
the Connector service.
Last upgraded: The time when the last upgrade occurred.
Compatibility mode: Options are NO or YES.
-- NO indicates that the auto upgrade was successful.
-- YES indicates that the auto upgrade failed.

Note: A failed auto upgrade does not affect your system operations. Your system
always maintains the previous working version. If you want to upgrade to a newer
version after the auto upgrade failed, perform a manual upgrade.
Services/Backend status: The name and status of the backend services.
Session id: An internal generated session ID.
User id: The user account for this Connector.
Last Error: The last error message.


Changing user passwords


The administrator can change the user password periodically for security purposes.
These passwords must be changed in MobileIron Core and Connector, respectively.

Changing a users password on MobileIron Core


1. Log on to the Admin Portal:
https://<fully-qualified_domain_name>.
2. Select the Users & Devices tab.
3. Select Users to open the User management page.
4. Select the user whose password you want to change.
5. Click Edit to display the Edit User page.
6. Enter the new password in the Password field.
7. Re-type the new password in the Confirm Password field.
8. Click Save.
9. Click OK.

Changing a users password on the Connector


1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics) to
open the Physical Interfaces page.
2. Select Connector from the left panel to open the Connector Settings page.
3. Click Update Password.
4. Enter the new password.
5. Re-enter to confirm the password.
6. Click Apply.

Note: Apply saves the configuration in the current session only. It is not
persistent after the machine reboots.
7. Click Yes.
A dialog appears informing the status.
8. Click OK.
9. Click Save on the upper right corner.

Note: Make sure to click Save to make the configuration persistent after
the machine reboots.

Changing the status reporting interval


The status reporting interval defines how often the Connected Cloud generates a
report on the Connector's health status. MobileIron Core also uses this interval to
monitor Connector health. The default interval is 15 minutes. Once defined, the
interval applies to all Connectors.

To change the status reporting interval:


1. Log on to the Admin Portal:


https://<fully-qualified_domain_name>.
2. Go to Settings > Connector.
3. Click Preferences. The preferences panel is displayed.

4. For Status Reporting Interval, enter a value between 1 and 59 minutes.
5. Click Save.

Configuring connector LDAP timeout


You can specify the duration after which the LDAP request from MobileIron Core to the
Connector will time out. The default is set at 25 seconds.

Caution: Do not make changes to these settings without explicit direction from either
MobileIron support or a knowledge base article.

To specify the Connector response timeout:


1. In the Admin Portal, go to Settings > Connector > Preferences.
2. Enter the following information:

LDAP Timeout: Specify the time in seconds after which the LDAP request to the
Connector will time out.

LDAP Request Retries: Specify the number of times that MobileIron Core will retry
the LDAP request to the Connector before reporting an error.
Note: Increasing the number of retries will increase the cumulative timeout.

LDAP Test Timeout: Specify the time in seconds after which a test request (for
example, when you modify the LDAP settings) will time out.
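The note on retries is easy to underestimate: every retry can itself run for the full LDAP Timeout, so an unreachable Connector holds up an authentication for the timeout multiplied by one plus the retry count. The following Python model is an added example, not MobileIron code; it assumes each attempt uses the same per-request timeout and uses a constructed stand-in for the Connector that times out a given number of times before answering.

```python
from typing import Callable, Dict, Tuple


class ConnectorTimeout(Exception):
    """Raised when a single LDAP request to the Connector gets no reply in time."""


def cumulative_timeout(ldap_timeout_s: float, ldap_retries: int) -> float:
    """Worst-case wait before Core reports an error.

    The initial request plus each retry can run for the full LDAP Timeout,
    which is why raising LDAP Request Retries also raises the cumulative
    timeout (assumption: every attempt uses the same per-request timeout).
    """
    return ldap_timeout_s * (1 + ldap_retries)


def ldap_request_with_retries(
    do_request: Callable[[float], Dict[str, str]],
    ldap_timeout_s: float = 25.0,
    ldap_retries: int = 0,
) -> Tuple[Dict[str, str], int]:
    """Retry the request up to `ldap_retries` times before giving up.

    Returns the reply together with the number of attempts made. Raises
    ConnectorTimeout once the initial request and all retries have timed out.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return do_request(ldap_timeout_s), attempts
        except ConnectorTimeout:
            if attempts > ldap_retries:
                raise


class FakeConnector:
    """Constructed stand-in for the Connector's LDAP proxy: it times out on
    the first `fail_first` requests and answers the next one."""

    def __init__(self, fail_first: int):
        self.fail_first = fail_first
        self.calls = 0

    def __call__(self, timeout_s: float) -> Dict[str, str]:
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectorTimeout(f"no reply within {timeout_s}s")
        # Constructed sample directory entry.
        return {"dn": "cn=jdoe,ou=users,dc=example,dc=com", "mail": "jdoe@example.com"}


def reports_error(fail_first: int, ldap_retries: int) -> bool:
    """True when Core would report an error for a Connector that times out
    `fail_first` times in a row under the given LDAP Request Retries value."""
    try:
        ldap_request_with_retries(FakeConnector(fail_first), 25.0, ldap_retries)
    except ConnectorTimeout:
        return True
    return False


if __name__ == "__main__":
    print(cumulative_timeout(25.0, 2))                   # 75.0 seconds worst case
    print(reports_error(fail_first=2, ldap_retries=2))   # False: third attempt succeeds
    print(reports_error(fail_first=2, ldap_retries=1))   # True: retries exhausted
```

With the default 25-second timeout, two retries already mean a 75-second worst case for one lookup, which is the cost the Caution above is warning about.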

Section II: Apps and Data Management
Managing Mobile Apps with Apps@Work
Docs@Work
AppConnect
Web@Work

Chapter 14 Managing Mobile Apps with Apps@Work
About managing mobile apps
Working with apps for iOS devices
Managing iOS Volume Purchase Program (VPP) apps with redemption codes
Apple's Volume Purchase Plan (VPP) license management
Working with apps for Android devices
Working with apps for Windows Phone 8 devices
Working with apps for Windows 8.1 RT and Pro devices
Working with Web Application
Setting up app control
Viewing app inventory
Managing app inventory
Upgrading the MobileIron client application
Override for in-house app URLs
Malware prevention: App reputation


About managing mobile apps


Apps@Work provides the tools for distributing and managing mobile apps. You can use
Apps@Work tools to facilitate installation of standard corporate apps, as well as to
help regulate the apps that your users are bringing into the enterprise. These tools
consist of:
app distribution library
app access control
app inventory

What is the app distribution library?


The app distribution library provides a centralized location for the apps you want to
manage for your users. App distribution is customized for each supported platform.

For iOS and Android, you can provide users with links to recommended apps on the
Apple App Store or Google Play (formerly Android Market), or links to internally
developed apps they can download from the MobileIron app distribution library.

For Windows Phone 8 (WP8), you can provide users with links to recommended apps
on the Windows Store, or links to internally-developed apps they can download from
the MobileIron app distribution library.

What is app control?


The app control feature enables you to exert control over which apps are installed on
managed devices. Using app control rules, you can define which apps are required,
allowed, or disallowed. You can then associate these rules with a security policy that
specifies the consequences of being out of policy. Consequences include blocking
ActiveSync access, including blocking access to Docs@Work features on iOS devices,
and sending an alert (configured in Event Center) to the specified administrator and
user.

What is app inventory?


The app inventory feature presents a snapshot of the apps installed across your
managed devices. The App Inventory screen displays the apps that have been
reported as installed by the Mobile@Work app on each device. You can use this list to
track new apps coming into the enterprise, determine the popularity of apps, and so
on. In addition, if you choose to link the entries in the app inventory with the apps you
have configured in the app distribution library, you can track the progress and impact
of your app management tasks.

Privacy policy settings determine whether app inventory information is reported.


Working with apps for iOS devices


If MobileIron Core has Apps@Work configured, then Core installs an Apps@Work web
clip on the user's device after registration is complete. The user will see the default
Apps@Work web clip, or the custom icon if the app storefront is customized.

The device user can tap this web clip to access the Apps@Work enterprise app
storefront. Apps@Work displays lists of apps that you have configured for download
from the Apple App Store or MobileIron Core. The apps appear in these tabbed
sections:

Featured: The featured page lists all apps that the administrator designates as
featured. These apps can include in-house, recommended, web apps, and prepaid
apps.

Categories: An app can be listed under multiple categories, as well as be featured.
Uncategorized apps are displayed under the Uncategorized category. Only categories
that have at least one app will appear on the user's device.

Updates: The updates page displays all apps that have an available update. The
Update All button allows the device user to update all apps at the same time.


The Categories page is the default page for Apps@Work. If the administrator has
designated any featured apps, then Featured is the default page.

For comprehensive information on in-house app development, see the Apple website.
The device user must have an iTunes account to download these apps.

Customizing the App Storefront


This feature is available only for iOS devices.

You can upload a custom image to replace the MobileIron logo in the App Storefront.
This allows you to re-brand the App Storefront to reflect your organization's branding.

To customize the App Storefront:


1. In the Admin Portal, go to Apps > Apps@Work Settings.
2. In the App Storefront Branding section, select Custom Branding.
3. Click Browse to navigate to and select the custom image.
The image must be 280 x 68 pixels. Only png and jpeg images are supported.
4. Click Save.

The App Storefront displays the new image when the user accesses the storefront.

Prerequisites
Complete app functionality, including updates to badges resulting from inventory data,
requires:


iOS MDM certificate (See Enabling iOS MDM support on page 36.)
iOS MDM profile enabled (Settings > Preferences)

If you intend to develop and manage in-house apps, then participation in Apple's iDEP
program is required. See the materials posted on the MobileIron Support site.

iOS managed apps


Starting with iOS 5, apps are managed, meaning the administrator can control
whether the app is backed up and whether the app is deleted when the MDM profile is
removed or the device is quarantined. Note that existing apps installed on a device do
not automatically become managed apps. Device users must delete existing apps and
reinstall them as managed apps.

Starting with iOS 7, you can also restrict document interaction between managed
apps and unmanaged apps. See Restrictions settings on page 324.

Registration PIN and managed apps


Registration PINs are not supported for use with managed apps.

iOS managed app configuration


This feature requires a MobileIron license.

Starting with iOS 7, a managed app can get its configuration from MobileIron Core.
The device user does not have to manually enter the configuration. This feature
results in easier app deployment and fewer support calls for you, and a better user
experience for the device user.
For more information, see Managed app configuration settings on page 334.

AppConnect apps
For information about AppConnect apps, see AppConnect on page 581.

You upload iOS AppConnect apps created with the AppConnect wrapping technology to
the app distribution library as in-house apps. AppConnect apps created with the SDK
can be distributed as either in-house apps or recommended apps. The process for
adding an AppConnect app to the app distribution library is the same as for any iOS
app.

When you upload an iOS AppConnect app as an in-house app to the app distribution
library, in some cases MobileIron Core automatically creates an AppConnect container
policy and AppConnect app configuration. Core takes this action when the app has
specified its desired default values for the policy and configuration in its IPA file. You
can override these values by editing the app's AppConnect container policy or
AppConnect app configuration. Core keeps in sync the labels that you apply to the app
and the labels that you apply to the AppConnect container policy and AppConnect app
configuration.


Apps@Work container for iOS


An unsigned Apps@Work container is available for iOS. You can download, rebrand,
and sign this container if you want device users to see badges for app updates. The
package will be available as a separate file in the Apps@Work Container App article in
the Customer Support knowledge base. You will need to click through a separate
license agreement before being able to download the file. See the Apps@Work
Container for iOS tech note for information on implementing and distributing this app.

Authentication options and iOS versions


The authentication options supported and the resulting user experience depend on the
iOS version being used:
Certificate-based app authentication
-- App downloads proceed without routing end-users to the app page in iTunes
(assuming an iTunes account has been properly configured on the device).
HTTP basic authentication
-- App downloads proceed without routing end-users to the app page in iTunes
(assuming an iTunes account has been properly configured on the device).
-- Requires end-users to enter their MobileIron username and password to
download apps.

Setting up Apps@Work for iOS


iOS device users do not receive access to Apps@Work by default. You must first set up
access by completing the following tasks:
1. Set authentication options.
See Setting authentication options on page 485.
2. Assign the iOS label to the Apps@Work web clip.
See Assigning the iOS label to the Apps@Work web clip on page 485.
If you do not complete this step, then iOS devices will not have access to your
enterprise app storefront.
3. Populate Apps@Work with iOS apps.
See Populating Apps@Work for iOS on page 485.
4. Publish apps to iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 496.

Because the Apps@Work web clip is deployed like any other configuration, there might
be considerable lag between device registration and the appearance of the web clip.

Note: As a web clip, Apps@Work is impacted by web content filters, available in
supervised devices starting with iOS 7. Make sure your web content filters do not
block access to MobileIron Core. If Core access is blocked, Apps@Work cannot work.
For more information, see Web content filter settings on page 331.


Setting authentication options


By default, both certificate-based app authentication and HTTP basic authentication
are enabled. To change the selected authentication options:
1. Select Apps > Apps@Work Settings.
2. Clear the authentication options you do not intend to support.
3. Select the authentication options you intend to support.
4. Click Save.
If neither authentication option is selected, then iOS devices will not have access to
your enterprise app storefront.

Assigning the iOS label to the Apps@Work web clip


MobileIron Core does not send the Apps@Work web clip to iOS devices until you
assign the iOS label to the web clip:
1. Select Policies & Configs > Configurations.
2. Select the System - iOS Enterprise AppStore setting.
3. Select More Actions > Apply to Label.
4. Select the iOS label.
5. Click Apply.

Populating Apps@Work for iOS


Shortly after you install MobileIron Core, Apps@Work is automatically populated with
default iOS apps. (There is a brief delay.) You can also add your own app selections
using any of the following methods:
Importing app store apps for iOS: App Store import
Manually adding App Store apps for iOS
Adding in-house apps for iOS

Importing app store apps for iOS: App Store import


App Store apps (i.e., recommended apps) are the commercial apps available from the
Apple App Store and displayed in Apps@Work. You can configure App Store apps by
importing the necessary information directly from the Apple App Store.

To import app information:


1. In Admin Portal, select Apps > App Distribution Library.
2. In the Select Platform list, select iOS.
3. Click the App Store Import button.
4. In the App Name field, enter text to search on.
The search is handled by the iTunes search engine, so enter the text you would
normally enter when looking for an app in iTunes. iTunes matches the text against
app names, app IDs, app authors, and app descriptions.
5. In the App Store list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.


To improve search performance, the default is set to 20. You can enter a number
between 20 and 200.
7. Click the Search button.
The matching apps are displayed.
8. Click the Import or Update link for an app to import the relevant information.
Import indicates an app that does not yet exist in the app distribution library.
Update indicates an app that exists in the app distribution library, but has an
update available for download.
9. Close the dialog.
The app is displayed in the App Distribution Library screen with an icon that
identifies the app as a recommended app.
10. Click the edit icon for the app.
11. Make any necessary changes to the default settings.
12. Click Save.
13. Select Actions > Apply To Label to specify the device groups that should see this
app.

Manually adding App Store apps for iOS


App Store apps (i.e., recommended apps) are the Apple App Store apps displayed in
the MobileIron app. You can configure these apps manually using the MobileIron App
Wizard.

Important: To ensure that MobileIron Core is able to track the devices that have an
App Store app installed, you must associate the official app name with the displayed
app name. We recommend that you test an app installation to determine the official
name and create the association prior to distributing the app to users. See Linking
app store apps to inventory apps on page 498 for information on establishing this
association.

To manually set up an App Store app for iOS devices:


1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the Add App button.
The iOS Add App Wizard starts.
4. Click Next.
5. Select Recommended App.


6. Use the following guidelines to complete this screen:

iTunes ID: Enter the iTunes ID for the app. See Getting the iTunes app ID on
page 490 for detailed steps for getting the ID.
Note: The app ID is not editable later, so be sure to enter the correct ID.

App Name: Enter the name to display on the App Store Apps list on devices. Only
alphanumerics, underscores, dashes and spaces are allowed in this field. App names
longer than 25 characters will be truncated when displayed on the device.
Note that the App Inventory page in the Admin Portal will display the name reported
by the installed app, not the app name entered here. You can create a link between
these app names. See Linking app store apps to inventory apps on page 498 for
information on creating this link.

iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the app
is not displayed in Apps@Work for other iOS devices.

Managed App Settings

Prevent backup of the app data: Ensures that iTunes will not attempt to back up
possibly sensitive data associated with the given app. No further action is necessary
to apply this restriction.

Remove app when MDM profile is removed: Set to Yes to ensure that the app will not
remain on the device if device management is disabled. No further action is
necessary to apply this restriction.
Note: If you change the setting after the app is added, the changed setting will not
be applied to the app.

Remove app when device is quarantined or signed out: Set to Yes to enable
configured compliance actions to remove the app if a policy violation results in a
quarantined device or the device signs out in multi-user mode. This option does not
apply unless the corresponding option has been specified in a compliance action, and
that compliance action has been selected for one or more policy options in the
security policy for a device. Once the device is no longer quarantined, the app can be
downloaded again.
Note: If you change the setting after the app is added, the changed setting will not
be applied to the app.

This App Store app is free: Set to Yes for free recommended apps. iOS allows
Managed App features to be applied to free apps and apps purchased with VPP
credits, but not to apps paid for by the user. Specifying whether the app is free
ensures successful download of apps that require user payment.

Send installation request on device registration or sign-in: Set to Yes to prompt
device users to install this app once device registration is complete or a user signs in
on a multi-user device.

Per App VPN (iOS 7 or later): iOS 7 and iOS 7.1: Select the VPN setting you created
for per app VPN in the Available column, and click the right arrow to move it to the
Selected column. If the app will use MobileIron Tunnel, select the MobileIron Tunnel
VPN setting you created. You can select multiple per app VPN settings.
To reorder the per app VPN configurations in the Selected column, drag the
configuration names to the correct positions in the list.
See VPN settings on page 268 for information on creating a per app VPN or
MobileIron Tunnel VPN setting. See Per app VPN priority on page 492.

7. Click Next.
8. Use the following guidelines to complete this screen:

App Name: Displays the app name you entered in the previous screen. This field is
not editable.

Display Version: Enter the version number you want to display to users. You may
enter numerals and periods (.) in this field.

Description: Enter any additional text that helps describe what the app is for.

Featured: Select No if you do not want to highlight this app in the Featured apps list.
Note that the Message feature for iOS apps applies only to featured apps. See
Informing users of new apps and upgrades for featured apps on page 501 for
information.

App Updates: Select Update managed app only to update previous versions of the app
only if they were installed as managed apps.
Select Update managed or unmanaged app to update a previous version of the app,
regardless of whether it was installed as managed. The update is then applied as an
unmanaged update. This option is useful if you want to support existing unmanaged
installations of the app without forcing users to uninstall and reinstall as a managed
app. (Apple prohibits installation of updates over unmanaged apps.)
Note: This option applies only to apps that were installed by means of a device
user-initiated request on the app storefront.

Hide in App Storefront: Select Hide to prevent this app from displaying in the app
storefront. For example, you might want to hide apps that will be installed upon
registration anyway. Hiding a mandatory app reduces clutter in the app storefront,
leaving device users with a concise menu of the approved apps they might find useful.
Select Show to display an app that is normally always hidden, such as the Apps@Work
Container.

Category: Select one or more categories if you would like this app to be displayed in
a specific group of apps on the device. Click Add New Category to define new
categories.

9. Click Next.
10. Use the following guidelines to complete this page:

App Icon: Select the icon to be used to represent this app. The file must be in JPG,
PNG, or GIF format. PNG is recommended for best resizing results. Acceptable
dimensions are 57x57 pixels, 72x72 pixels, or 114x114 pixels. If you do not select an
icon, then a default icon will be displayed next to this app in Apps@Work.

iPhone and iPod touch screenshots: Select up to 4 optional screenshots to display for
the app. Screenshots must be in JPG, PNG, or GIF format. Acceptable dimensions are
320x480 pixels, 480x320 pixels, 640x960 pixels, and 960x640 pixels. Note that the
display of rotated screenshots in the Admin Portal might not be consistent with the
display on the devices.

iPad screenshots: Select up to 4 optional screenshots to display for the app.
Screenshots must be in JPG, PNG, or GIF format. Acceptable dimensions are 768x1024
pixels and 1024x768 pixels.


11. Click Next.


If the graphics you specified are accepted, the Congratulations screen displays.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that
identifies the app as a recommended app.
13. Associate the app with a label to have that app listed on iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 496.

Getting the iTunes app ID


To configure a recommended app in the Add App Wizard, you must supply the ID for
the app as defined on the iTunes website. However, IDs are not always readily
available.

To determine the iOS application ID:


1. Open iTunes.
2. Browse to the iTunes Store.
3. Browse to the App Store.

4. Locate the app you want to configure.


5. Open a text editor, like Notepad.


6. Copy the link for the app icon.
For example, using Firefox, you can right-click on the icon and select Copy Link.
7. Paste the link into the text editor.

8. Note the numbers following id and ending before ?mt=8.


These numbers are the application ID.
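Because the iTunes ID cannot be edited once the app is added, it is worth extracting it from the copied link programmatically rather than by eye. The following Python helper is an added example, not MobileIron code. It assumes the copied link has the form shown in the steps above (an apple.com host with an id<digits> path segment followed by the ?mt=8 query); the sample link in the usage is constructed.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Last path segment of the form /id<digits>, with an optional trailing slash.
_APP_ID_SEGMENT = re.compile(r"/id(\d+)/?$")


def itunes_app_id(link: str) -> Optional[str]:
    """Return the numeric App Store id carried by an iTunes link, or None.

    Only http(s) links on an apple.com host are accepted, and the id is read
    from the path only, so the query string (for example ?mt=8) is never part
    of the result.  Assumption: the link shape matches the procedure above.
    """
    parsed = urlparse(link.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    host = parsed.hostname or ""
    if host != "apple.com" and not host.endswith(".apple.com"):
        return None
    match = _APP_ID_SEGMENT.search(parsed.path)
    return match.group(1) if match else None


def is_valid_app_id(value: str) -> bool:
    """The iTunes ID field takes digits only; since the id cannot be changed
    after the app is added, reject anything else before saving."""
    return value.isdigit()


if __name__ == "__main__":
    # Constructed sample link in the shape produced by the copy-link step.
    sample = "https://itunes.apple.com/us/app/example-app/id123456789?mt=8"
    app_id = itunes_app_id(sample)
    print(app_id, is_valid_app_id(app_id or ""))
```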


Per app VPN priority


The per app VPN configuration the app uses depends on:
- The label to which the per app VPN configuration is applied (if the per app VPN is
applied to a label).
- The assigned priority of the per app VPN configuration in the Per App VPN field of
the app. The first per app VPN listed has the highest priority; the last per app VPN
has the lowest priority.
Note: To rearrange the per app VPN configurations (and their priority), drag the
configuration names listed in the Selected list in Per App VPN to the correct positions
in the list.

The priority of per app VPN configurations applied to labels is higher than that of per
app VPN configurations that are not applied to labels. For example, suppose the app
lists VPN1, VPN2 and VPN3 as the possible per app VPN configurations in the Selected
list.
- If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is assigned to
the app when the per app VPN list order is:
-- VPN1 (applied to label)
-- VPN2 (applied to label)
-- VPN3
- If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is still assigned
to the app if the per app VPN list is:
-- VPN3
-- VPN1 (applied to label)
-- VPN2 (applied to label)

The Apps tab in device details (Users & Devices > Devices > select the up arrow to see
the device details) lists the activated per app VPN for the device so that users and
administrators can easily view which VPN the app is using on that device.

Note: If you are upgrading to MobileIron Core 7.0, existing per app VPN assignments
become the highest-priority per app VPN for the app.
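The two rules above (label-applied configurations outrank unlabelled ones, then Selected-list order decides) are worth checking before you rely on a particular VPN carrying an app's traffic. The following Python function is an added example, not MobileIron code, that applies those rules to the VPN1/VPN2/VPN3 scenario in the text and generalises it to any list. It assumes that an unlabelled configuration is only the fallback when no labelled one is in the list, as the ordering rule implies.

```python
from typing import Iterable, List, Optional, Sequence


def rank_per_app_vpns(selected: Sequence[str], applied_to_label: Iterable[str]) -> List[str]:
    """Order an app's Selected per app VPN configurations by effective priority.

    Configurations applied to a label outrank those that are not; within each
    of those two groups the Selected-list order decides (first = highest).
    """
    labeled = set(applied_to_label)
    with_label = [name for name in selected if name in labeled]
    without_label = [name for name in selected if name not in labeled]
    return with_label + without_label


def select_per_app_vpn(selected: Sequence[str], applied_to_label: Iterable[str]) -> Optional[str]:
    """The configuration the app will use: the highest-ranked one, or None
    when the app has no per app VPN configured at all."""
    ranked = rank_per_app_vpns(selected, applied_to_label)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    labeled = {"VPN1", "VPN2"}   # VPN3 is not applied to any label
    # Both list orders from the text resolve to VPN1.
    print(select_per_app_vpn(["VPN1", "VPN2", "VPN3"], labeled))
    print(select_per_app_vpn(["VPN3", "VPN1", "VPN2"], labeled))
    # Swapping VPN1 and VPN2 in the Selected list changes the answer to VPN2.
    print(select_per_app_vpn(["VPN3", "VPN2", "VPN1"], labeled))
```

The third call shows the case the text does not spell out: once more than one configuration is applied to a label, only their relative order in the Selected list decides, so review that order whenever you add a new label-applied VPN setting to an app.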

Adding in-house apps for iOS


To add an iOS in-house app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the Add App button.
The iOS Add App Wizard starts.
4. Click Next.
In-house App is selected by default.


5. Use the following guidelines to complete this screen:

App Upload: Click Browse and navigate to the in-house app (.ipa) you want to upload.
Note: For iOS, MobileIron Core supports uploading apps that are up to 5 GB.

iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the app
is not displayed in Apps@Work for other iOS devices.

Managed App Settings

Prevent backup of the app data: Ensures that iTunes will not attempt to back up
possibly sensitive data associated with the given app. No further action is necessary
to apply this restriction.

Remove app when MDM profile is removed: Set to Yes to ensure that the app will not
remain on the device if device management is disabled. No further action is
necessary to apply this restriction.
Note: If you change the setting after the app is added, the changed setting is not
applied to the app.

Allow app removal when device is quarantined or signed out: Set to Yes to enable
configured compliance actions to remove the app if a policy violation results in a
quarantined device or the device signs out in multi-user mode. This option does not
apply unless the corresponding option has been specified in a compliance action, and
that compliance action has been selected for one or more policy options in the
security policy for a device. Once the device is no longer quarantined, the app can be
downloaded again.
Note: If you change the setting after the app is added, the changed setting is not
applied to the app.

Send installation request on device registration or sign-in: Set to Yes to prompt
device users to install this app once device registration is complete or a user signs in
on a multi-user device.

Per App VPN (iOS 7 or later): iOS 7 and iOS 7.1: Select the VPN setting you created
for per app VPN in the Available column, and click the right arrow to move it to the
Selected column. If the app will use MobileIron Tunnel, select the MobileIron Tunnel
VPN setting you created. You can select multiple per app VPN settings.
To reorder the per app VPN configurations in the Selected column, drag the
configuration names to the correct positions in the list.
See VPN settings on page 268 for information on creating a per app VPN or
MobileIron Tunnel VPN setting. See Per app VPN priority on page 492.


6. Click Next.
The Add App Wizard examines the selected bundle to ensure that it meets
requirements for in-house apps distributed for iOS devices. If the bundle is
acceptable, the following screen displays.
Note: Downloads of iOS in-house apps over 3G should be limited to 20 MB. Use
Wi-Fi for downloading larger in-house apps.
7. Use the following guidelines to complete the items in this screen:

App Name: Displays the App Name defined for the app bundle. You can edit this text
to display a different name to users. Note that app names longer than 25 characters
will be truncated when displayed on the device.
Note: An iOS app is packaged as a bundle. A bundle is a directory in the file system
that groups related resources together in one place. An iOS app bundle contains the
app executable file and supporting resource files such as app icons, image files, and
localized content.

Display Version: Enter the version number to be displayed to users. You may enter
numerals and periods (.) in this field.

Bundle Version: Displays the version defined for the bundle. This item is not editable.

Description: Enter any additional text that helps describe what the app is for.

Override URL: If you are implementing an alternate URL for downloading in-house
apps, enter that URL here. The URL must point to the in-house app in its alternate
location. See Override for in-house app URLs on page 549 for the requirements for
this configuration.

Featured: Select No if you do not want to highlight this app in the Featured apps list.
On the device, the user can see a subset of featured apps. Note that the Message
feature for iOS apps applies only to featured apps. See Informing users of new apps
and upgrades for featured apps on page 501 for information.

Data Protection Required: Select Yes to require that data protection be enabled in
order to install this app.
Note: Devices without data protection enabled will not see the app at all in the
In-house Apps list on the device and will not know that data protection compliance is
required. Therefore, you may want to communicate the requirement to users.

App Updates: Select Update managed app only to update previous versions of the app
only if they were installed as managed apps.
Select Update managed or unmanaged app to update a previous version of the app,
regardless of whether it was installed as managed. The update is then applied as an
unmanaged update. This option is useful if you want to support existing unmanaged
installations of the app without forcing users to uninstall and reinstall as a managed
app. (Apple prohibits installation of updates over unmanaged apps.)
Note: This option applies only to apps that were installed by means of a device
user-initiated request on the app storefront.

Hide in App Storefront: Select Hide to prevent this app from displaying in the app
storefront. For example, you might want to hide apps that will be installed upon
registration anyway. Hiding a mandatory app reduces clutter in the app storefront,
leaving device users with a concise menu of the approved apps they might find useful.
Select Show to display an app that is normally always hidden, such as the Apps@Work
Container.

Provisioning Profile: Displays the identifier for the provisioning profile incorporated
in the bundle.
Note: The provisioning profile is a text document containing verification information
for the app. Apps are not usable on iOS without a current provisioning profile.

Category: Select one or more categories if you would like this app to be displayed in
a specific group of apps on the device. Click Add New Category to define a new
category.

8. Click Next.

9. Use the following guidelines to complete this page:

Item Description
App Icon Required. The app icon is automatically extracted from the
IPA file. The file must be in PNG format.
If an icon cannot be automatically extracted from the IPA file, then
it must be added manually.
Acceptable dimensions are 57x57, 72x72, 114x114, 120x120, 144x144,
or 152x152 pixels.
iPhone and iPod touch screenshots Select up to 4 optional screenshots
to display for the app. Screenshots must be in JPG, PNG, or GIF
format and one of the following dimensions:
320x480 pixels
640x960 pixels
480x320 pixels
960x640 pixels
iPad screenshots Select up to 4 optional screenshots to display for
the app. Screenshots must be in JPG, PNG, or GIF format and one of
the following dimensions:
1024x768 pixels
768x1024 pixels
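The dimension rules above are easy to check before upload. The following is an added example, not MobileIron code and not anything Core exposes: it reads the width and height straight from the PNG header, verifying the signature and the IHDR CRC so that a renamed JPEG or a truncated file is rejected rather than trusted, and compares the result with the accepted icon and screenshot sizes. The make_png_header helper only builds constructed test input (a header with no image data); JPG and GIF screenshots are not parsed here.

```python
"""Check an app icon or screenshot against the sizes the App Wizard accepts.

Added example, not MobileIron code. The PNG header is parsed directly
(signature + IHDR chunk with CRC check) instead of trusting the file name.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Accepted square icon sides, from the App Wizard table.
ICON_SIDES = {57, 72, 114, 120, 144, 152}
# Accepted screenshot sizes as (width, height).
IPHONE_SCREENSHOTS = {(320, 480), (640, 960), (480, 320), (960, 640)}
IPAD_SCREENSHOTS = {(1024, 768), (768, 1024)}


def png_dimensions(data: bytes) -> tuple:
    """Return (width, height) from PNG bytes, or raise ValueError.

    Requires the PNG signature, an IHDR first chunk with a 13-byte payload,
    and a matching IHDR CRC, so renamed or truncated uploads are rejected."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    if len(data) < 8 + 4 + 4 + 13 + 4:
        raise ValueError("truncated PNG header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    payload = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != crc:
        raise ValueError("IHDR CRC mismatch (corrupt or tampered header)")
    width, height = struct.unpack(">II", payload[:8])
    if width == 0 or height == 0:
        raise ValueError("zero dimension in IHDR")
    return width, height


def check_icon(data: bytes) -> tuple:
    """Validate an app icon: PNG and one of the accepted square sizes."""
    try:
        w, h = png_dimensions(data)
    except ValueError as exc:
        return False, str(exc)
    if w != h or w not in ICON_SIDES:
        allowed = ", ".join(f"{s}x{s}" for s in sorted(ICON_SIDES))
        return False, f"icon is {w}x{h}; expected one of {allowed}"
    return True, f"ok: {w}x{h}"


def check_screenshot(data: bytes, device: str) -> tuple:
    """Validate a PNG screenshot for 'iphone' (incl. iPod touch) or 'ipad'."""
    allowed = {"iphone": IPHONE_SCREENSHOTS, "ipad": IPAD_SCREENSHOTS}[device]
    try:
        w, h = png_dimensions(data)
    except ValueError as exc:
        return False, str(exc)
    if (w, h) not in allowed:
        return False, f"screenshot is {w}x{h}; not an accepted {device} size"
    return True, f"ok: {w}x{h}"


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature + IHDR for a PNG of the given size.
    The image data chunks that would follow in a real file are omitted."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr
            + struct.pack(">I", crc))


if __name__ == "__main__":
    print(check_icon(make_png_header(120, 120)))           # accepted
    print(check_icon(make_png_header(100, 100)))           # wrong size
    print(check_icon(b"\xff\xd8\xff\xe0" + b"\0" * 40))     # JPEG bytes
    print(check_screenshot(make_png_header(640, 960), "iphone"))
```

The CRC check matters more than it looks: Core extracts the icon from the IPA automatically, and a file that claims to be PNG but has a damaged or hand-edited header is exactly the kind of input that should fail loudly at the admin's desk rather than on devices.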

10. Click Next.

11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identi-
fies the app as an in-house app.
The provisioning profile for the app is also stored on MobileIron Core and is dis-
played in the App Settings page. It is displayed for viewing only, and is automati-
cally deleted from Core if the app is deleted from Core.
12. Associate the app with a label to have that app listed on iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 496.

Publishing apps in Apps@Work for iOS devices

Once you have added an iOS app (App Store or in-house) to the app distribution
library, you need to select one or more labels to specify which iOS devices the
app is published to. Until a label is applied, the app is not visible on any iOS
device.

To publish an app for iOS devices:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to work with.
4. Select Actions > Apply to Label.
5. Select the label that represents the iOS devices on which you want the selected
app to be displayed.
6. Click Apply.
7. If you have not done so already, consider linking any App Store app to the corre-
sponding entry in the app inventory.
This step will help with app tracking because the name you assign to the app is not
likely to be the same as the name reported by the app once it is installed. You
should also consider testing the first installation of each App Store app so that you
can record the corresponding reported app name. See Linking app store apps to
inventory apps on page 498.

User notification of newly-published apps

When a featured app or an update to an installed app is published to device users,
those users receive a notification in the form of a badge that appears on the
corresponding tab in Apps@Work. The number on the badge is the number of apps or
updates available. (An update is available when the version number of the
newly-published app is higher than that of the installed app.)

If the user deletes a published app, that app does not become available for
reinstalling until the next check-in updates the device's app inventory on
MobileIron Core. If a user asks about it, use the Force Device Check-in command
to make the MobileIron app update Core immediately.

Removing apps from the app distribution library

Removing an app from the app distribution library removes the listing for the app from
Apps@Work on iOS devices, and removes the app itself from devices running iOS 5 or
later. It does not uninstall the app from iOS 4 devices. However, for in-house apps on
iOS 4 devices, it does remove the provisioning profile from the devices. This eventually
prevents those devices from running the app, though it may take a couple of days to
take effect.

To remove an iOS app from the app distribution library:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to remove.
4. Click Delete.
A message displays warning that deleting the app from MobileIron Core will delete
it from devices running iOS 5 or later.
5. Click Yes to proceed.
For in-house apps, the app bundle and the provisioning profile are removed from
Core.

Linking app store apps to inventory apps

An App Store app is displayed in Apps@Work using the app name you specified when
you manually added it to the app distribution library. However, the App Inventory page
displays the name reported by the app. This name can often be quite different.
Therefore, to facilitate tracking of installed apps, you might want to create a link
between the two names.

To link the App Store app name to the reported app name:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
4. Select the corresponding inventory app name from the Inventory Apps list.
5. Click Save.
Once the link is established, the # of Devices Installed column in the App Distribu-
tion screen displays the correct number. You should consider changing the app
name as specified in any app control rules to ensure it matches the official name.

Upgrading apps
When an upgrade for an app becomes available, you can just add it to the app
distribution library and assign it to appropriate labels like any other app. MobileIron
Core detects that it is an update and indicates its availability in the form of a badge
that appears on the corresponding tab in Apps@Work. Core also replaces the app
entry displayed in the apps lists on the devices.

Tapping the entry for the app having an update displays an UPDATE tag instead of an
INSTALL tag.

Updates to featured apps are published in the same way to all devices in the labels
assigned to the apps. You can also send a message to devices to announce the
availability of updates to featured apps.
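Both the badge described under User notification of newly-published apps and the UPDATE tag described here rest on a version comparison between the installed app and the library entry. The block below is an added example, not MobileIron code: it assumes a numeric, component-wise comparison of dotted version strings (the guide says only that version numbers are compared) and shows why a plain string comparison would miss an update from 1.2.9 to 1.2.10. PublishedApp, badge_counts and the bundle ids are illustrative names.

```python
"""Model of how Apps@Work sizes its badge: new featured apps plus updates.

Added example, not MobileIron code. The comparison rule (numeric,
component-wise, missing components treated as 0) is an assumption.
"""
import re
from dataclasses import dataclass

_NUM = re.compile(r"^(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10). Components are compared as integers, so
    1.2.10 is newer than 1.2.9 even though it sorts lower as a string. A
    non-numeric component such as '0b' contributes its leading digits, or 0."""
    parts = []
    for comp in version.strip().split("."):
        m = _NUM.match(comp)
        parts.append(int(m.group(1)) if m else 0)
    return tuple(parts)


def is_newer(published: str, installed: str) -> bool:
    """True if published > installed; '1.2' and '1.2.0' count as equal."""
    a, b = parse_version(published), parse_version(installed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a > b


@dataclass(frozen=True)
class PublishedApp:
    bundle_id: str
    version: str
    featured: bool


def badge_counts(published: list, installed: dict) -> dict:
    """installed maps bundle id -> version reported by the device.

    Counts new featured apps (not installed) and updates (installed, and the
    library version is newer). A non-featured app that is not installed does
    not count, matching the notification rule in the guide."""
    new = updates = 0
    for app in published:
        current = installed.get(app.bundle_id)
        if current is None:
            if app.featured:
                new += 1
        elif is_newer(app.version, current):
            updates += 1
    return {"new": new, "updates": updates, "badge": new + updates}


if __name__ == "__main__":
    library = [
        PublishedApp("com.example.expenses", "1.2.10", featured=True),
        PublishedApp("com.example.crm", "3.0", featured=True),
        PublishedApp("com.example.tools", "0.9", featured=False),
    ]
    device = {"com.example.expenses": "1.2.9", "com.example.crm": "3.0.0"}
    print(badge_counts(library, device))  # {'new': 0, 'updates': 1, 'badge': 1}
```

When you publish an upgrade, make sure the version string in the library entry is genuinely higher under this kind of comparison; an entry whose version is equal to or lower than what devices report produces no badge and no UPDATE tag.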

Changing iOS app information

iOS app information includes:
name
version
description
featured option

Note: The iTunes ID is not editable. If you entered the wrong ID when you added this
app to the app distribution library, then you need to delete the app entry and create a
new one.

To change app information:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
4. Make your changes.
5. Click Save.

Changing the iOS app icon and screenshots

When you add an iOS app to the app distribution library, you have the option to
upload an app icon and several screenshots. If you skipped these steps or just want to
change the files you uploaded, you can edit the entry:
1. Obtain the icon or screenshot you want to use.
See Manually adding App Store apps for iOS on page 486 for information on sup-
ported formats and dimensions.
2. In the Admin Portal, select Apps > App Distribution Library.
3. Select iOS from the Select Platform list.
4. Click the edit icon next to the app you want to work with.
5. Click the edit icon under the icon or screenshot.
6. Select the file to use from the file browser.
7. Click Save.

Creating a category for iOS apps

You can create categories for organizing the apps displayed on managed iOS devices.
The categories appear as dividers in the app lists. To create a new category:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to any app.
4. Click Add New Category.
5. Enter a category name (up to 64 characters) and description (up to 255 charac-
ters).
6. Click Save.
7. Click Cancel to close the Edit App for iOS dialog.

Note that categories cannot be deleted.

Changing or adding a category for an iOS app

To change or add a category for an iOS app:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app.
4. Move the desired category from the Available column to the Selected column to add
the app to the category, or vice versa to remove the app from the category. Click
the left or right arrows to move the category between columns.
The app will appear in all the categories in the Selected column.
5. Click Save.

Turning user-paid apps into managed apps

Upgrading an existing app does not automatically make it a managed app. Therefore,
if a device user has already installed an app directly from the Apple App Store, then
the user must uninstall that app and install a recommended or prepaid app from
Apps@Work. For example, if a new employee already has installed a paid app that
your organization ordinarily manages through the Apple VPP program, then the
employee must delete the app and reinstall it from the Prepaid tab in Apps@Work.
Otherwise, the app will remain unmanaged.

Informing users of new apps and upgrades for featured apps

You can send out a mass APNs message informing iOS users about the availability of a
new featured app or an update for an installed app. As with badge notifications,
updates are determined by comparing the version number of the installed app with
that of the update. This feature applies only to apps designated as Featured apps.

To send a message about an available app:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the featured app you want to work with.
4. Click Message.

5. Use the following guidelines to select the app installation option:

Option Description
Send request for new installations Prompts the device user to install the app,
if it is not already installed.
Send request for updates Prompts the device user to update the app, if it is
not already updated.
Send request for both new installations and updates Prompts the device user to
install or update the app.
Use iOS managed app install/update action Skips the Apps@Work display and
immediately installs or updates the app.

6. To check the content of the message prior to sending:
a. Select the Push Notification template from the list.
b. Click View Messages.
7. Click Send.
Again, the message is sent only for apps configured as featured apps in the app
distribution library.

Editing app distribution messages

To edit an app distribution message:
1. In the Admin Portal, select Settings > Templates > Others.
2. Click the edit icon for the template you want to edit.
The app distribution message is displayed.
3. Make changes to the displayed message.
4. Click Save.

Using variables in app distribution messages

App distribution messages must include the $APPNAME$ variable, which indicates the
application name of the app being distributed.

Customizing the Apps@Work icon on iOS

You can customize the Apps@Work icon to the needs of your organization. For
example, you can upload a different graphic or change the displayed name from
Apps@Work to something else.

To customize the Apps@Work icon:

1. Select Policies & Configs > Configurations.
2. Select the web clip for the iOS Enterprise AppStore.
3. Click Edit.
4. Click the Apps@Work link.
5. To display a different name with the web clip, enter your preferred name in the
Name field.
6. To select an alternate icon, click Browse.
In general, you should not edit the URL: it points the web clip at the Apps@Work
storefront on MobileIron Core, and devices that receive a changed URL would no
longer reach the storefront.
7. Click Save.

Unpublishing iOS apps (removing from labels)

Unpublishing an iOS app removes it from the lists of apps displayed on managed iOS
devices. To do this, you need to remove the app from the label that initiated the
distribution. If no other label associates the app with a device running iOS 5 or
later, the app is also removed from that device.

To remove an iOS app from a label:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to work with.
4. Select Actions > Remove from Label.
5. Select the labels from which you want to remove the app.
6. Click Remove.
The app is immediately removed from the apps list on the devices associated with
the given label.

Managing iOS Volume Purchase Program (VPP) apps with redemption codes

Apple provides a Volume Purchase Program (VPP) to facilitate app purchase and
distribution within an organization. The App Store Volume Purchase Program allows
participating organizations to purchase iOS apps in volume and distribute the apps to
their users. By participating in this program, organizations can buy iOS apps in
volume using a Volume Voucher, credit card, or PCard, and then distribute the apps to
multiple devices.

How Apple's program works

Apple's program involves the following basic steps:
1. Your Program Facilitator searches for and purchases apps at the App Store Volume
Purchase Portal.
2. The Program Facilitator receives app purchase codes (also called tokens or credits)
in the form of a payment file and distributes these codes to device users.
3. Device users redeem codes and download apps.

Where MobileIron comes in

MobileIron provides a way for Program Facilitators to distribute, track, and reconcile
the app purchase codes obtained from the App Store Volume Purchase Portal:
1. Program Facilitators can upload each payment file into the MobileIron app distribu-
tion library.
2. End users having a device managed by MobileIron can select a recommended app
from the list of Prepaid apps displayed in the MobileIron app on the device. The app
can be purchased using one of the uploaded purchase codes.
3. MobileIron Core records the use of the purchase code and updates the count of
remaining codes.
4. An optional alert warns the Program Facilitator (or other designated person) when
the number of remaining codes falls below a specified threshold.

What device users see

To support the Apple VPP, the MobileIron app on iOS devices now includes a Prepaid
filter for apps.

Setup tasks
Setup for VPP support requires the following tasks:
1. Upload the payment file to MobileIron Core.
2. Configure the optional alert.

Uploading the payment file to MobileIron Core

If you are participating in Apple's Volume Purchase Program (VPP), download the
payment files from the Apple VPP portal, one for each app. Each payment file
enables you to add and reconcile the codes purchased and used for the
corresponding app. The payment file must be in XLS format; XLSX and any other
derivatives are not supported.

Note: Some versions of Excel will attempt to save an XLS file as XLSX by default. If
you open the file in Excel, be sure not to save the file when you close it.
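Because Excel may re-save the file as XLSX without warning, it is worth checking the file by content rather than by name before uploading it. The following added example (not MobileIron code) does that: a legacy XLS workbook is an OLE2 compound document with a fixed 8-byte signature, while XLSX is a ZIP archive that carries [Content_Types].xml and xl/workbook.xml. The sample_xls and sample_xlsx inputs are constructed stand-ins, not real Apple payment files.

```python
"""Verify that a VPP payment file really is a legacy XLS workbook.

Added example, not MobileIron code. XLS is an OLE2 compound document and
XLSX is a ZIP archive, so the extension alone proves nothing.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"


def payment_file_type(data: bytes) -> str:
    """Return 'xls', 'xlsx', 'zip' (an archive that is not an Office
    workbook) or 'unknown', judged from content rather than extension."""
    if data.startswith(OLE2_MAGIC):
        return "xls"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # Every OOXML workbook carries these two members.
        if "[Content_Types].xml" in names and "xl/workbook.xml" in names:
            return "xlsx"
        return "zip"
    return "unknown"


def check_payment_file(file_name: str, data: bytes) -> tuple:
    """Accept only XLS content and explain the common failure modes."""
    kind = payment_file_type(data)
    if kind == "xls":
        return True, "legacy XLS workbook, ok to upload"
    if kind == "xlsx":
        return False, (f"{file_name} is XLSX (Excel re-saved it?); re-download it "
                       "from the VPP portal or Save As 'Excel 97-2003 Workbook'")
    return False, f"{file_name} is not an Excel workbook ({kind})"


# --- constructed sample inputs (not real Apple payment files) ---
def sample_xls() -> bytes:
    """OLE2 header followed by padding; enough to exercise the magic check."""
    return OLE2_MAGIC + b"\x00" * 504


def sample_xlsx() -> bytes:
    """Minimal ZIP with the two members every OOXML workbook contains."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_payment_file("codes.xls", sample_xls()))
    print(check_payment_file("codes.xls", sample_xlsx()))   # wrong format despite the name
    print(check_payment_file("codes.xls", b"app,codes\r\n"))
```

Run it over the downloaded file (for example, read the bytes and call check_payment_file) before step 6 below; a file that reports xlsx should be re-downloaded from the portal rather than renamed.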

To upload a payment file:

1. If the app to which the payment file applies is not already present in the MobileIron
app distribution library, then add it now.
If the app is an iOS 5 Managed App, be sure to select No for This App Store app is
free in the App Wizard.
2. Once the app is present in the app distribution library, select Apps > App Distribu-
tion Library.
3. Select iOS from the Select Platform list.
4. Select the app associated with the payment file.
5. Click the VPP button.
6. Click the Browse button and select the payment XLS file.
7. Click Upload Payment File.
8. Click OK.
The entry for the app now displays the number of codes (or tokens) purchased and
the percentage that have been used (i.e., redeemed for apps).

Applying VPP labels

There may be cases in which you want to recommend an app to one group of users,
and provide VPP payment to a different group of users. In this case, you can use the
Actions > Manage VPP Labels option to apply the VPP availability to that select group
of users.

Example: Recommend an app to all iOS users, pay for executives

For example, suppose you want to recommend an app to all iOS users, but only
executives will have it paid for via VPP. Other users will need to provide their own
payment. You would apply the iOS label using Actions > Apply To Label. You would
apply the Executives label using Actions > Manage VPP Labels.

You can use the Actions > Remove From Label command to remove either or both
labels.

Configuring a VPP alert

You can configure alerts to inform appropriate personnel when the remaining VPP
tokens for an app have fallen below a specified threshold.

To configure a VPP alert:

1. In the Admin Portal, select Logs & Events > Event Settings.
2. Select Add New > System Event or select an existing system event entry.
3. Scroll down to the VPP Percent Used Threshold option.
4. Make sure the option is selected and specify the percentage threshold.
5. Configure the associated alert.
6. Select the labels and/or users to which the alert should be applied.
7. Clear any unwanted options in the event.
8. Click Save.

Apple's Volume Purchase Program (VPP) license management

The VPP license management feature is only applicable to iOS 7 and iOS 7.1 devices.

The Apple Volume Purchase Program (VPP) allows you to purchase multiple copies of
an app to redistribute to your employees. With iOS 7, the program was updated to
provide additional benefits. On MobileIron Core, the new VPP license management is
available in parallel with the old redemption codes (purchase codes).

We strongly recommend that you purchase app licenses rather than redemption codes
through your Apple VPP.

Note: Open HTTPS port 443 for iOS VPP support. Port 443 is required for access to
https://vpp.itunes.apple.com from Core.

New VPP features

The VPP license management feature provides the following benefits:
Reclaim VPP licenses
Sync VPP license usage with Apple
Manage multiple VPP accounts

Reclaim VPP licenses

VPP licenses are reclaimed in the following instances:
An employee leaves the company or group applied to a VPP label.
A VPP account is deleted from MobileIron Core.
A device is retired.
The device user removes the app from the device.

Note: If the user has another registered device on which the app is installed, the app
license is not reclaimed.

Sync VPP license usage with Apple

The licenses associated with your VPP account are not specific to your MobileIron
Core; they are specific to the VPP account. Core syncs with the Apple servers once
every 15 minutes to reconcile each VPP account. The information reconciled includes:
Number of licenses purchased
Number of licenses redeemed
Inventory of purchased apps
The user and the device to which the license is applied

This gives the organization up-to-date visibility into app and license inventory for each
VPP account.

Manage multiple VPP accounts

You can manage multiple VPP accounts on MobileIron Core. This allows you to support
multiple buying centers that can purchase and distribute apps. For the same app, each
license pool is segmented and managed separately.

Using redemption codes and licenses

Consider the following:
Previously, the VPP only used redemption codes (also referred to as purchase codes
or tokens). With iOS 7, the VPP supports both redemption codes and license man-
agement.
Redemption codes and licenses can coexist for an app on MobileIron Core.
There are no changes to how redemption codes are used and managed.
Redemption codes are applicable to all iOS devices. VPP licenses are applicable only
to iOS 7 and iOS 7.1 devices.
If both redemption codes and licenses are available for an app, then the redemp-
tion codes are used first. After the redemption codes are exhausted, licenses are
used.
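The rules above (codes first, then licenses; a license reclaimed only when the user's last device gives the app up, as described under Reclaim VPP licenses) and the VPP Percent Used Threshold alert described under Configuring a VPP alert can be captured in a small model. The following is an added example, not MobileIron code, and it makes two assumptions the guide does not state: a used redemption code is never returned to the pool, and the alert fires when the percentage used is at or above the threshold. VppPool and walk_through are illustrative names.

```python
"""Model of one app's VPP pool: redemption codes, licenses, reclaim, alert.

Added example, not MobileIron code. Assumptions: a redeemed code is consumed
for good; a license belongs to the user and covers all of that user's
registered devices; the alert fires at or above the threshold.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VppPool:
    app: str
    codes_total: int
    licenses_total: int
    codes_used: int = 0
    # user -> devices on which that user currently holds the app via a license
    license_holders: dict = field(default_factory=dict)

    @property
    def licenses_used(self) -> int:
        return len(self.license_holders)

    def assign(self, user: str, device: str) -> Optional[str]:
        """Entitle a device: a redemption code while any remain, then a
        license. Returns 'code', 'license', or None when the pool is
        exhausted (the device is sent to the App Store to buy the app)."""
        if user in self.license_holders:
            self.license_holders[user].add(device)
            return "license"          # a user's license covers all their devices
        if self.codes_used < self.codes_total:
            self.codes_used += 1
            return "code"
        if self.licenses_used < self.licenses_total:
            self.license_holders[user] = {device}
            return "license"
        return None

    def reclaim(self, user: str, device: str) -> bool:
        """Called when the device is retired, the user removes the app, or the
        user leaves the VPP label. The license returns to the pool only if the
        user has no other registered device that still holds it."""
        devices = self.license_holders.get(user)
        if not devices:
            return False              # held a code or nothing: nothing to reclaim
        devices.discard(device)
        if devices:
            return False              # still installed on another device
        del self.license_holders[user]
        return True

    def reclaim_all(self) -> int:
        """Deleting the VPP account from Core reclaims every license."""
        n = self.licenses_used
        self.license_holders.clear()
        return n

    @property
    def percent_used(self) -> float:
        total = self.codes_total + self.licenses_total
        if total == 0:
            return 0.0
        return 100.0 * (self.codes_used + self.licenses_used) / total

    def alert(self, threshold_percent: float) -> bool:
        """True when the VPP Percent Used Threshold event should fire."""
        return self.percent_used >= threshold_percent


def walk_through() -> list:
    """Scenario: 1 code + 2 licenses, four users; shows ordering and reclaim."""
    pool = VppPool("com.example.expenses", codes_total=1, licenses_total=2)
    return [
        pool.assign("alice", "ipad-1"),     # 'code'    (codes are used first)
        pool.assign("bob", "iphone-1"),     # 'license'
        pool.assign("bob", "ipad-2"),       # 'license' (same user: no new license)
        pool.assign("carol", "iphone-3"),   # 'license'
        pool.assign("dave", "iphone-4"),    # None      (exhausted: App Store)
        pool.alert(80),                     # True      (100% used)
        pool.reclaim("bob", "iphone-1"),    # False     (bob still has ipad-2)
        pool.reclaim("bob", "ipad-2"),      # True      (license returned)
        pool.assign("dave", "iphone-4"),    # 'license' (reclaimed license reused)
        round(pool.percent_used, 1),        # 100.0
    ]


if __name__ == "__main__":
    print(walk_through())
```

The per-user license is the point to notice when sizing a purchase: a user with an iPhone and an iPad consumes one license, not two, and retiring only one of those devices frees nothing.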

Differences between redemption codes and licenses

How they reach Core
Redemption codes: You have to manually upload redemption codes to MobileIron Core
from Admin Portal > Apps > App Distribution Library > Actions > Upload VPP
Redemption Codes.
Licenses: Licenses are automatically available when you add a VPP account from
the Admin Portal > Apps > App Licenses page. Licenses are updated each time Core
syncs with Apple's servers.

Which devices can use them
Redemption codes: If an app is not applied to a VPP label, redemption codes are
used by all devices in the labels to which the app is applied. If an app is
applied to a VPP label, then the redemption codes are used only by the devices in
the VPP label.
Licenses: Licenses can be used only by devices that are applied to a VPP label.
Devices that are only applied to non-VPP labels cannot redeem a VPP license;
these devices are redirected to the Apple App Store to purchase the app.

What the device user must do
Redemption codes: Once a redemption code is applied to a device, no additional
action is required by the device user to be able to install the prepaid app.
Licenses: To take advantage of the prepaid app licenses, the device user must
enroll in the company's volume purchase program. The user is prompted to enroll
when the app is accessed in Apps@Work.

App Licenses page

Use the App Licenses page (Admin Portal > Apps > App Licenses) to view, add, and
manage your VPP accounts.

The following information is displayed for each VPP account:

Field Description
VPP Account Name The account name entered when adding the VPP account.
Description Additional information that describes this account.
Service Token The credential used to link the VPP account to MobileIron
Core. Treat it as a secret: anyone holding the token can manage the
account's licenses through Apple's VPP service.
Expires In Days Number of days before the service token expires.
Before the service token expires, you must download a new service
token from Apple's VPP portal.
Uploaded Date when the service token was last added to MobileIron Core.
Click the inverted V icon to display the apps and associated license information.
App Name of the app purchased with the VPP account.
Added in App Distribution Indicates whether you imported the app into Core
for distribution. When you import an app, it is also displayed in the App
Distribution page.
Licenses Used Number of licenses redeemed for the app.
This is a total for the account. This number includes
licenses that were redeemed by other MobileIron Core
instances.
Licenses Purchased Number of licenses purchased for the app.

Adding a VPP account

You add a VPP account in the Admin Portal > Apps > App Licenses page.

Before you begin

1. You must have created a VPP account with Apple.
2. You must have downloaded the service token for the VPP account.
A service token is required to set up the VPP account on MobileIron Core.
3. Open HTTPS port 443 for iOS VPP support. Port 443 is required for access to
https://vpp.itunes.apple.com from the Core.

To add a VPP account:

1. Go to the Admin Portal > Apps > App Licenses.
2. Click +Add VPP Account.

3. Enter the following information:

Field Description
Account Name Enter an account name.
This could be the department or business unit to which
the app is applied.
Apple ID (Optional) Enter the Apple ID for the VPP account.
Description (Optional) Enter additional information that describes this
account.
Service Token Copy and paste the service token you received from
Apple.

4. Click Save.
A list of apps that were purchased with this VPP account is displayed.
Note: You do not have to import the apps at this point. See also, Importing VPP
apps from the VPP account and Importing VPP apps from the App Distribution
Library.
5. Click Done.

Importing VPP apps from the VPP account

To import VPP apps:
1. Select the VPP account name from the Admin Portal > Apps > App Licenses page.
2. Click Actions > Update VPP Account.
3. Click Save.
4. In the Import Apps page, select the apps to import.
If an app is already available in the App Distribution Library, the app is grayed out;
you will not be able to select the app.
5. Click Done.
6. Click OK.
The apps and associated licenses are now available and managed through Mobile-
Iron Core.

Importing VPP apps from the App Distribution Library

You can also import VPP apps from the App Distribution Library.

See Importing app store apps for iOS: App Store import and Manually adding App
Store apps for iOS elsewhere in this guide.

For an app already listed in the App Distribution Library, the VPP Purchased / Used
column now displays the license information.

Note: For iOS 7 and iOS 7.1, when you import recommended apps that use licenses or
redemption codes, set the This App Store App is Free option to No. This allows the
device user to successfully download the app using licenses or redemption codes.

Applying VPP labels

You must apply the app to a VPP label. This assigns the licenses to the devices in the
VPP label.

To apply a VPP label:

1. Go to Admin Portal > Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the VPP app to which you want to apply the VPP label.
4. Click Actions > Manage VPP Labels.
5. In the Manage VPP Labels pop-up, select the label to apply.
6. Select the VPP account from the drop-down list for that label.
Note: If the app had no available licenses when you imported it, the VPP
account is not listed. The VPP account becomes available in the drop-down
list after you add licenses for the app.
7. Click Save.

Viewing VPP account information

To view VPP account information:
1. Go to Admin Portal > Apps > App Licenses.
2. For the VPP account, click the inverted V icon.
The following information displays:
Apps purchased with the VPP account
Whether the app was imported to MobileIron Core
Number of licenses purchased and used

Viewing VPP app information

The App Distribution Library (Admin Portal > Apps > App Distribution Library)
provides the following app related information:
The app version.
Labels to which the app is applied.
Devices to which the app is downloaded.
Number of licenses purchased and used for the app.

The VPP purchased and used information includes both redemption codes and licenses
purchased and used for the VPP account.

To view the devices on which the app is installed, for the app, click the number in the
device installed column. The popup displays all devices on which the app is installed
and the associated VPP account.

Taking actions on a VPP account

To take an action on a VPP account:
1. Go to the Admin Portal > Apps > App Licenses.
2. Click Actions.

You can take the following actions on a VPP account:

Action Description
Update VPP Account Click to edit the VPP account information or
import apps.
Delete VPP Account Click to delete the VPP account from MobileIron
Core.
When you delete a VPP account:
All licenses for the apps purchased through
the VPP account are reclaimed.
Users have a grace period of 30 days to pur-
chase the apps.

What the user sees

When a user taps a VPP app in Apps@Work, the user is prompted to enroll in the
company's volume purchase program.

To install an app with a prepaid license (only for iOS 7 devices):

Note: The procedure for installing apps on previous iOS versions is not changed.
1. Tap the prepaid app.
The app details page shows a banner to enroll in your company's Volume Purchase
Program (VPP).
2. Follow the prompts to enroll in your company's VPP.
3. After you successfully enroll in the program, tap on the app in Apps@Work.
The app details page now displays the PREPAID status.
4. Tap Request and follow the prompts to install the app.

Once you have enrolled in your company's VPP, prepaid apps available to you through
the VPP display the PREPAID status. Tap Request to install these apps as you
would a free app.

If you did not enroll in the program, tap View to purchase the app from the Apple
App Store.

Working with apps for Android devices

You can add the following kinds of apps for Android devices:
Google Play apps
In-house apps
Secure apps
Secure apps are available only if you have configured the device to support
AppConnect.

What are Google Play apps?

Google Play apps are apps available for download from Google Play (formerly Android
Market). The MobileIron administrator adds recommendations (i.e., recommended
apps) to the app distribution library and determines on which Android devices these
recommendations are listed. When a device user selects a Google Play app, a Google
Play download is started.

What are in-house apps?

In-house apps are mobile apps that you develop and distribute internally. MobileIron
enables you to distribute and track in-house apps. Distributed in-house apps appear in
the In-house Apps list on managed Android devices for devices running
Mobile@Work versions prior to 6.0. Starting with 6.0, both Google Play apps and in-
house apps appear in the Apps@Work list on the device.

What are secure apps?

Access to secure apps and their data on Android devices is protected by AppConnect
for Android. Secure apps, also known as AppConnect apps, are developed internally or
by third-party developers. You distribute secure apps internally like in-house apps.
Device users log in with a single sign-on secure apps passcode to access these apps,
and the data associated with the apps is encrypted. Secure apps can share data only
with other secure apps.

Distributed secure apps appear in the Secure Apps list on managed Android devices.

For detailed information about AppConnect for Android and secure apps, see Using
AppConnect for Android on page 625.

Silent install and uninstall on Samsung SAFE devices

You can silently install and uninstall in-house apps on Samsung Approved for
Enterprise (SAFE) devices running Android 2.2 through 4.x.

The advantages that this feature provides are:

It eliminates any dependency on the device user for app install and uninstall.

You can protect in-house apps and associated data by using the Admin Portal to
uninstall in-house apps if a device is lost or stolen.
Some devices prevent the user from uninstalling the app. On other devices, if the
device user uninstalls the in-house app, it is automatically reinstalled.

This feature automatically uninstalls an in-house app when:

No label maps the in-house app to the device.
You apply labels to in-house apps to set up which devices can use the app. By
removing the appropriate label from a device or app, MobileIron Core notifies the
Mobile@Work app to uninstall the in-house app.
You retire the device.
You remove the in-house app from Core.

Because installing and uninstalling apps is controlled administratively, in-house apps
using this feature are also known as managed apps.

This feature is not supported for:

Recommended Apps or AppConnect Apps.
Devices that are not Samsung SAFE devices.

Adding Google Play apps for Android

Google Play apps (i.e., recommended apps) are the Google Play (formerly Android
Market) apps displayed in the MobileIron app.

To set up a Google Play app for Android devices:

1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click the Add App button.
The Android Add App Wizard starts.
4. Click Next.
5. Select Recommended App.

6. Use the following guidelines to complete this screen:

App Name: Enter the name that the device reports if the app is installed. Only
alphanumerics, underscores, dashes and spaces are allowed in this field.
It is important to enter the reported name to ensure that app inventory will correctly
reflect the presence of this app.
If you do not know the reported name, enter a temporary name in this field, then
distribute the app to a test device and check the App Inventory page for the reported
name. You can then edit this field to reflect the reported name.

Package Name: Enter the unique, fully-qualified identifier for this app. The package
name for an Android app is included in the Google Play (formerly Android Market) URL
as the value of the id parameter. In the following example, the package name is
com.dataviz.docstogo:

https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free

Note that the package name provides the basis for matching recommended apps with
entries in the App Inventory screen. Therefore, the requirement that the package name
be unique impacts the app inventory display.

Min. OS Version: Select the minimum version required for this app. Devices that do not
meet the minimum version requirement will not display this app in the Google Play Apps
list.

7. Click Next.
8. Use the following guidelines to complete this screen:

App Name: Displays the app name you entered in the previous screen. This field is not
editable here.

Description: Enter any additional text that helps describe what the app is for. This
text appears on the target devices under the app name in the Google Play Apps list.

Featured: Select No if you do not want to highlight this app in the Featured apps list.
On the device, the user can tap a button to display all recommended (i.e., Google Play)
and in-house apps or a subset of featured apps.

Category: Select a category if you would like this app to be displayed in a specific
group of apps in the Google Play Apps list on the device. Click the here link to define
new categories.

9. Click Next.
10. Use the following guidelines to complete this page:

App Icon: Select the icon to be used to represent this app. The file must be 144 x 144
pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. If
you do not select an icon, then a default icon will be displayed next to this app in
the Google Play Apps list.
To clear the field, such as if you select the wrong file, click the - button next to
the Browse button.

Android Screenshots: Click the Browse button to select and upload optional screenshot
files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and
PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload
additional screenshots.
To clear the field, such as if you select the wrong file, click the - button next to
the Browse button.

11. Click Next.
If the graphics you specified are accepted, the Congratulations screen displays.
12. Click Finish.
The app is displayed in the App Distribution Library page with an icon that identifies
the app as a recommended app.
Note that the App Version field will remain blank until the app is installed on a
device.
13. Associate the app with a label to have that app listed on Android devices.
See Publishing apps in Apps@Work for iOS devices on page 496.
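An added example (not MobileIron's code) for the Package Name and App Name fields described in step 6: it extracts the package name from a Google Play URL's id parameter, checks that it is well formed, and matches it against constructed App Inventory rows exactly, as Core does, flagging a case-only mismatch as the likely reason an app shows as absent. The play.google.com host form is an assumption; the page shows only market.android.com.

```python
import re
from urllib.parse import parse_qs, urlparse

# An Android package name is two or more dot-separated Java identifiers.
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*"
_PACKAGE_RE = re.compile(rf"{_SEGMENT}(?:\.{_SEGMENT})+")

# The page shows the market.android.com form; play.google.com is an assumption.
_STORE_HOSTS = {"market.android.com", "play.google.com"}

# App Name field rule from the page: alphanumerics, underscores, dashes and spaces.
_APP_NAME_RE = re.compile(r"[A-Za-z0-9_\- ]+")


def validate_package(name: str) -> str:
    """Return the name unchanged if it is a well-formed package name, else raise."""
    if not _PACKAGE_RE.fullmatch(name):
        raise ValueError(f"malformed package name: {name!r}")
    return name


def package_from_url(url: str) -> str:
    """Extract the package name from a store URL's id parameter and validate it."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in _STORE_HOSTS:
        raise ValueError(f"not a Google Play URL: {url}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        raise ValueError(f"expected exactly one id parameter in: {url}")
    return validate_package(ids[0])


def valid_app_name(name: str) -> bool:
    """True if the name satisfies the App Name field's character rule."""
    return _APP_NAME_RE.fullmatch(name) is not None


def match_inventory(package: str, inventory):
    """Match the way Core does: on the package name, exactly.

    inventory rows are (package, reported_app_name, version). Rows that differ
    only in case are returned separately: Android package names are case-sensitive,
    so such a row usually means a typo in the Package Name field, and the app will
    show as absent in App Inventory until the field is corrected."""
    exact = [row for row in inventory if row[0] == package]
    case_only = [row for row in inventory
                 if row[0] != package and row[0].lower() == package.lower()]
    return exact, case_only


# Constructed inventory rows, as a test device might report them.
INVENTORY = [
    ("com.dataviz.docstogo", "Documents To Go", "1.0"),
    ("com.example.crm", "Example CRM", "1.0"),
]


def demo():
    """Walk the page's URL example through to the reported name for App Name."""
    url = "https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free"
    pkg = package_from_url(url)
    exact, _ = match_inventory(pkg, INVENTORY)
    reported_name = exact[0][1]   # this is what belongs in the App Name field
    return pkg, reported_name, valid_app_name(reported_name)


if __name__ == "__main__":
    print(demo())
```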

Android app versions and device counts


The App Version field displays the latest version found in the app inventory. Until a
managed device reports a version number, this field contains a dash. The # of
Installed Devices field displays the number of devices associated with the latest
version of the app. To see collective information on all installed versions of the app, go
to the App Inventory page.

Adding in-house apps for Android


In-house apps are the internally-developed mobile apps that are displayed in the
In-house Apps list.

To add an in-house app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click Add App.
The Android Add App Wizard starts.
4. Click Next.
In-house App is selected by default.
5. Select Yes for Silently Install if you want Samsung SAFE devices to silently install
and uninstall the app.
For more information, see Silent install and uninstall on Samsung SAFE devices
on page 513.
6. Click Browse and navigate to the in-house app (.apk) you want to upload.
Note: You cannot upload an in-house app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets
requirements for in-house apps distributed for Android devices. If the package is
acceptable, the following screen displays.
8. Use the following guidelines to complete the items in this screen:

App Name: Displays the app name defined by the app developer. This is the name that
displays to device users. This field is not editable.

Display Version: Displays the version number defined by the app developer. This is the
version that displays to device users. This field is not editable.

Code Version: Displays the version defined for the package. This item is not editable.

Description: Enter any additional text that helps describe what the app is for. This
text appears on the target devices under the app name in the In-house Apps list.

Override URL: If you are implementing an alternate URL for downloading in-house apps,
enter that URL here. The URL must point to the in-house app in its alternate location.
See Override for in-house app URLs on page 549 for the requirements for this
configuration.

Featured: Select No if you do not want to highlight this app in the Featured apps list.
On the device, the user can tap a button to display all recommended and in-house apps
or a subset of featured apps.

Category: Select a category if you would like this app to be displayed in a specific
group of apps on the device. Click the here link to define new categories.

9. Click Next.
Note: The icon for Android in-house apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and
select the files. The supported dimensions are 480x800 pixels and 480x854 pixels.
GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload
additional screenshots.
11. Click Next when you are finished uploading screenshots.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that
identifies the app as an in-house app.

Adding secure apps for Android


You upload all secure apps and the Secure Apps Manager to MobileIron Core as in-
house apps. Core distributes the apps to Android devices based on labels that you
assign to the apps and devices.

The apps that you upload include:

- the Secure Apps Manager that MobileIron provides.
  The Secure Apps Manager is required for AppConnect to work. See The Mobile@Work app
  and the Secure Apps Manager on page 585.
- the AppConnect apps that MobileIron provides.
  See AppConnect apps that MobileIron provides for Android on page 625 and Third-party
  AppConnect apps that MobileIron provides for Android on page 626.
- the AppConnect apps that your enterprise wrapped.
  See AppConnect and third-party/in-house secure apps on page 582.

Before you begin: Get the Secure Apps Manager and the other AppConnect apps that
MobileIron provides from the support.mobileiron.com site. Save them to a location
accessible from your MobileIron Core.
To add a secure app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click Add App.
The Android Add App Wizard starts.
4. Click Next.
In-house App is selected by default.
5. Ignore the Silently Install option.
The Silently Install option is not applicable to AppConnect apps. No is selected by
default.
6. Click Browse and navigate to the AppConnect app (.apk) you want to upload.
Note: You cannot upload an AppConnect app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets
requirements for in-house apps distributed for Android devices. It also recognizes
that the app is an AppConnect app. If the package is acceptable, the following
screen displays.
8. Use the following guidelines to complete the items in this screen:

App Name: Displays the app name defined by the app developer. This is the name that
displays to device users. This field is not editable.

Display Version: Displays the version number defined by the app developer. This is the
version that displays to device users. This field is not editable.
Note: The version number for AppConnect apps includes:
- the version number defined by the app developer
- additional numbers provided by the wrapping process

Code Version: Displays the version defined for the package. This item is not editable.

Description: Enter any additional text that helps describe what the app is for. This
text appears on the target devices under the app name in the Secure Apps list.
MobileIron recommends that you add the following descriptions for the AppConnect apps
that MobileIron provides:
- the Secure Apps Manager: The Secure Apps Manager works with the Mobile@Work app to
  secure and manage secure apps on your device.
- NitroDesk TouchDown: NitroDesk TouchDown provides secure access to your company
  email, contacts, calendar, and tasks.
- ThinkFree Document Viewer: ThinkFree Document Viewer provides secure access to your
  company documents and email attachments.
- File Manager: File Manager allows you to securely navigate and manage your company
  files.
- Android Email+: Android Email+ provides the native email client experience with
  ease of setup and other important features.
- Web@Work: Web@Work is a secure browser that allows your device users to easily and
  securely access your organization's web content.
- IBM Notes Traveler: IBM Notes Traveler is the client for the IBM Notes Traveler
  server. It provides access to email, contacts, calendar, and tasks.
- Divide PIM: Divide PIM (Personal Information Manager) for Android provides secure
  email, calendar, contacts, and tasks on corporate-owned and BYOD Android devices
  running Android 4.0 or higher.

Override URL: If you are implementing an alternate URL for downloading secure apps,
enter that URL here. The URL must point to the secure app in its alternate location.
See Override for in-house app URLs on page 549 for the requirements for this
configuration.

Featured: This field is not applicable for AppConnect apps.

Category: This field is not applicable for AppConnect apps.

9. Click Next.
Note: The icon for Android secure apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and
select the files. The supported dimensions are 480x800 pixels and 480x854 pixels.
GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload
additional screenshots.
11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that
identifies the app as an in-house app.
Note: You know the app is an AppConnect app by looking at its version number. The
version number for an AppConnect app is a concatenation of the original app's version
number and a version number from wrapping the app.

Adding apps to the app storefront for Android devices


Once you have added an Android app (Google Play, in-house, or secure) to the app
distribution library, you need to select one or more labels to specify which Android
devices should have the app displayed in the app storefront.
1. In Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Select the app you want to work with.
4. Select Actions > Apply to Label.
5. Select the label that represents the Android devices on which you want the selected
app to be listed.
6. Click Apply.

User notification of newly-published apps


When a featured app or an update to an installed app is published to users, those
users receive a notification in the form of a badge that appears next to the appropriate
app list. The number on the badge indicates the number of apps available.

If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes MobileIron Core to be updated. You can
address user concerns by using the Force Device Check-In command to force the
MobileIron Client to update Core.

Enhanced Apps@Work
Enhanced Apps@Work is available on devices running Mobile@Work for Android
version 6.0 or later and Android OS versions 4.0-4.4.

The Google Play Apps and In-house Apps items in Mobile@Work are replaced by the
single Apps@Work item, to provide a consolidated and enhanced app store. Within
Apps@Work, apps are organized into the Featured and category tabs.

Apps@Work enables users to view, install, update, reinstall, and search for the apps
made available to them by the MobileIron Core administrator. If the administrator
enables ratings and reviews, the user sees reviews, and can rate apps and write
reviews.

Apps@Work displays the apps that the Core administrator makes available to the
device through labels. In the Admin Portal, the administrator assigns an app to one or
more labels. A device that is assigned to the same label as the app will have access to
that app in Apps@Work.

Using Apps@Work on an Android device


Tap Apps@Work on the main screen in Mobile@Work to access the app store. A badge
appears in line to indicate the number of new or updated apps available.

Apps@Work organizes the apps under three main tabs:

Featured tab
The featured screen lists all apps that are designated as featured apps by the
administrator.
In the Admin Portal, the administrator sets featured apps in Apps > App
Distribution Library > Add App dialog.

Categories tab
An app can be listed under Featured as well as under multiple categories.
Uncategorized apps are displayed under Uncategorized in the Categories tab.
Only categories that have at least one app are displayed.
In the Admin Portal, the administrator defines categories in the Apps > App
Distribution Library > Add App dialog.

Updates tab
The Updates tab displays all apps that have updates available.
Tap the Update button to install a new version of the existing app.

Apps are listed in alphabetical order.

App details

Tap the app to view its details screen. If the administrator enabled ratings and
reviews, tap the Reviews tab to read reviews or write a review.

One of the following buttons appears on the details screen:


View: takes you to view or install the app in the Google Play store.
Install: installs the app.
Reinstall: downloads and reinstalls the app.

Searching for an app


Tap the search icon on the title bar to initiate a search within Apps@Work. Type any
part of an app's name and tap the return key. The search results are displayed. Tap
Cancel next to the search text entry box to exit search mode.

Localized Apps@Work

Apps@Work is available translated to the languages supported by Mobile@Work. The
text and messages in Apps@Work will appear in the device's local language when the
language is enabled in the MobileIron Core's Language Preferences.

To enable languages in the Admin Portal:

1. Go to Settings > Preferences.
2. In the Language Preferences section, select the desired languages.
3. Click the right arrow to move the selection to Enabled Languages.

Troubleshooting: Android apps


A newly-added app does not display in the Google Play Apps (recommended apps) list
on the device.
1. Confirm that you have applied the app to a label to which the device has been
added.
2. Confirm that the device meets the minimum OS requirement you specified when
you added the app.
3. If the MobileIron app is running, select Refresh from the app menu.

A newly-added app does not display in the in-house apps list on the device.
1. Confirm that you have applied the app to a label to which the device has been
added.
2. Confirm that the device meets the minimum OS requirement you specified when
you added the app.
3. Confirm that the device has been configured to accept apps from outside Google
Play (formerly Android Market). (On the device, select Settings > Applications >
Unknown sources.)
4. If the MobileIron app is running, select Refresh from the app menu.

Working with apps for Windows Phone 8 devices


App management for Windows Phone 8 (WP8) devices enables you to:
- import recommended apps from the Windows Store
- distribute in-house apps

Note: After registration, the WP8 device is in Verified state. The device state changes
to Active after the first successful MDM session. This may take approximately ten
seconds and up to one minute after registration. If the device user logs into the
Mobile@Work app before the device changes to Active state, the device user will not
see any recommended apps because MobileIron Core is not yet associated with the
device.

Importing recommended apps for WP8 devices


Follow these steps to import recommended apps from the Windows Store:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. From the Select Platform drop-down list, select Windows Phone 8.
The Windows Store Import button appears.
3. Click Windows Store Import.
4. Enter an app name in the Search box.
5. In the App Store list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 20. You can enter a number
between 20 and 50.
7. Click the Search button.
The matching apps are displayed.
8. Click the Import link for the app you want to import.
The app information is imported into the App Distribution Library page.
9. Select the app in the App Distribution Library page.
10. Click Actions > Apply To Label.
11. Select a label to apply.
12. Click Apply.
The app is pushed to the devices to which the label is applied. The app is now
available to device users to download from the Mobile@Work client on their WP8
device.

In-house and third-party apps for WP8 devices


MobileIron enables you to distribute and track in-house and third-party apps to your
managed WP8 devices. These apps appear in the In-house Apps list on managed
WP8 devices.

The following sections provide information about developing and managing in-house
and third-party apps:
- Before you develop in-house apps for WP8 devices on page 526
- Adding the AET and applying a label on page 527
- Adding in-house and third-party apps for distribution to WP8 devices on page 527
- Upgrading to a new version of an app on WP8 devices on page 529
- Editing WP8 app information on page 529
- Deleting a Windows Phone 8 app from MobileIron Core on page 529

Before you develop in-house apps for WP8 devices


This section describes the certificates and tokens required for distributing in-house
apps for WP8 devices and the file specifications for the WP8 in-house apps for
distribution through MobileIron Core.

Certificates and tokens for in-house apps for WP8 devices


Before you develop in-house apps for WP8 devices, you must do the following:
1. Review the certificates and tokens required for in-house apps for WP8 devices at:
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943.aspx
2. Create a Windows Phone Dev Center account at
http://msdn.microsoft.com/en-us/library/windowsphone/help/jj206719.aspx
The next step requires the Publisher ID for your company that is provided when you
created the Dev Center account.
3. Get an enterprise mobile code signing certificate from Symantec at
https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do
Export the certificate in PFX format and be sure to export the private key with the
certificate. Because the exported PFX file then contains your code signing private
key, restrict access to it.
You will sign your in-house app with the Symantec Enterprise Certificate. This is
required for WP8 devices.
4. Generate the application enrollment token (AET) using the AETGenerator tool
provided by the Windows Phone SDK 8.0.
For more information see
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj735576.aspx
You upload the AET (.aetx file) to MobileIron Core. See Adding the AET and applying a
label on page 527.

Third-party apps for WP8 devices


If you are uploading third-party apps for distribution through MobileIron Core, you
must also upload the AET (.aetx file) associated with the Symantec Enterprise
Certificate used to sign the app. See Adding the AET and applying a label on
page 527.

WP8 app file specifications for upload to MobileIron Core


The following file specifications apply to in-house and third-party apps for WP8
devices:

- App: XAP format, 100 MB maximum.
- Icon: PNG format, 99x99 pixels maximum, one per app.
- Screen shots: PNG format, 480x800 pixels or 480x854 pixels, up to four per app.

Adding the AET and applying a label


Follow these steps to add the AET to MobileIron Core and apply a label:
1. From the Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > Windows Phone 8 > Enrollment Token (AET).
The New Application Enrollment Token window displays.
3. Enter a Name and Description for the AET.
4. Click Browse to navigate and select the AET file.
This is a .aetx file.
5. Click Save.
6. In the Configurations page, select the AET.
7. From the Labels drop-down list, select a label to apply.
The AET is pushed to the devices to which the label is applied.

Adding in-house and third-party apps for distribution to WP8 devices


Follow these steps to add in-house and third-party apps for WP8 devices:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. From the Select Platform drop-down list, select Windows Phone 8.
3. Click the Add App button.
The Add App Wizard starts.
4. Click Next.
5. Click Browse to navigate to and select the app.
This is a .xap file.
6. For Application Enrollment Token, select the token associated with the Symantec
Enterprise Certificate used to sign the app.
7. Click Next.
The app information, extracted from the .xap file, displays.

8. Use the following guidelines to edit the app information:

App Name: The name of the app as defined by the developer. This field is not editable.

Version: The version of the app. This field is not editable.

Author: The author of the app as defined by the developer. This field is not editable.

Description: Enter a description for the app.

Featured: Select Yes to display the app in the Featured list on the device. Select No
if you do not want to list the app in the Featured list on the device.

Category: Select the category from the drop-down list. The app appears under that
category on the device. To add a new category, click the provided link.

Silent Upgrade: Specify how the app is upgraded on the WP8 device. Only the latest
version of the app is listed in the Mobile@Work app. The setting is only available
when adding a new version of the app.
Select Yes to update to the new version without any user actions. This is the default
setting. The app is upgraded when the device checks in with MobileIron Core.
Select No to only allow a manual update of the app. The app is not automatically
updated when the device checks in with MobileIron Core, and the user is not prompted
or notified to update the app. The device user manually installs the latest version
of the app from the Mobile@Work app on the device.

9. Click Next.
10. (Optional) Click Browse to navigate and select the icon and screenshots for the app.
You can upload one icon and up to 4 screenshots per app.
11. Click Finish.
The app information appears in the App Distribution page.
12. In the App Distribution page, select the app.
13. Click Actions > Apply To Label and select a label to apply.
The app is pushed to the devices to which the label is applied.
Note: Only the latest version of the app is displayed in the Mobile@Work app.

When you remove the label, the app is no longer pushed to devices associated with
that label. The app is not deleted from MobileIron Core or from the devices on which it
is already installed.

Upgrading to a new version of an app on WP8 devices


1. When a new version of an app becomes available, follow the steps described in
Adding in-house and third-party apps for distribution to WP8 devices on page 527
to add the app to the App Distribution list for Windows Phone 8 devices.

Editing WP8 app information


Follow these steps to edit the app information, icons, and screenshots:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. Select Windows Phone 8 from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
You can edit the following information:

App Name: Edit the name of the app.

Description: Edit the description for the app.

Featured App: Change whether the app is a Featured App or not. On the device, the
featured apps display in a separate Featured list. The app also displays in the
In-house apps list or the Recommended apps list.

Category: Edit the category under which the app appears on the device. To add a new
category, click the provided link.

App Icon: Click the edit icon under the graphic to navigate to and select a new
graphic. Click OK to replace the existing graphic.

Windows Phone 8 Screenshots: Click the edit icon under the screenshot to navigate to
and select a new screenshot. Click OK to replace the existing screenshot.

4. Click Save.

Deleting a Windows Phone 8 app from MobileIron Core


Follow these steps to delete an app:
1. In Admin Portal, go to Apps > App Distribution Library.
2. Select Windows Phone 8 from the Select Platform list.
3. Select the app to delete.
4. Click Delete.

This action deletes the app from MobileIron Core, but does not delete it from the
device.

Setting up your WP8 device


For the following information about setting up your WP8 device, see Getting Started
with Windows Phone 8:
- Registering your WP8 device with MobileIron and installing the Mobile@Work app.
- Installing certificates on your WP8 device.
- Downloading apps to your WP8 device.

Working with apps for Windows 8.1 RT and Pro devices


App management for Windows 8.1 RT and Pro devices enables you to:
- Import recommended apps from the Windows Store.
- Add in-house and third-party apps.

Importing recommended apps


To import recommended apps from the Windows Store:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. From the Select Platform drop-down list, select Windows Pro/RT.
The Windows Store Import button appears.
3. Click Windows Store Import.
4. Enter an app name in the Search box.
5. In the App Store list, select the country for the App Store you want to search.
Only the United States Windows Store is supported.
6. In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 20. You can enter a number
between 20 and 50.
7. Click the Search button.
The matching apps are displayed.
8. Click the Import link for the app you want to import.
The app information is imported into the App Distribution Library page.
9. Select the app in the App Distribution Library page.
10. Click Actions > Apply To Label.
11. Select a label to apply, and click Apply.
The app is pushed to the devices in the label. The device user can download the
app from the Mobile@Work client.

In-house and third-party apps for Windows 8.1 Pro and RT devices


The following sections provide information about distributing in-house and third-party
apps:
- Certificates and sideloading keys on page 532.
- App file specifications on page 532.
- Adding and updating in-house and third-party apps for distribution on page 532.
- Editing the app information on page 533.
- Deleting an app from MobileIron Core on page 534.

Certificates and sideloading keys


Before you distribute in-house or third-party apps for Windows 8.1 RT and Pro
devices, ensure the following:
- apps are signed with a publicly trusted certificate issued by a CA.
- the Windows RT and Pro devices are sideload enabled.

Certificates
We strongly recommend that in-house or third-party apps for Windows 8.1 RT and Pro
devices are signed with a publicly trusted certificate issued by a Certificate Authority
(CA). The CA's root certificate must be supported by the Windows 8.1 OS. Signing
with a publicly trusted certificate eliminates any additional steps by the device user.

We do not recommend signing apps with a self-signed certificate, as this will require
the device user to perform additional steps before you can distribute the apps.

Sideloading keys
Typically, apps for Windows RT and Pro devices are signed and available only through
the Windows Store. However, in-house and third-party apps can be made available
through a process called sideloading. Each Windows RT and Pro device must be
sideload enabled. You sideload enable a device with sideload activation keys that you
get directly from Microsoft.
For information about sideloading product activation keys, see
http://www.microsoft.com/licensing/activation/existing-customers/product-activation.aspx
For information about sideload enabling devices, see
http://technet.microsoft.com/en-us/library/hh852635.aspx

App file specifications


The following file specifications apply to in-house and third-party apps for Windows
8.1 RT and Pro devices:

- App: APPX format.
- Icon: PNG format, 150x150 pixels maximum, one per app.
- Screen shots: PNG format, 1920x1200 pixels, up to four per app.
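The WP8 and Windows 8.1 file specification tables can be checked before an upload is attempted. The following added example (not MobileIron's code) reads image dimensions straight from a PNG's IHDR header and compares package size, file extension, image dimensions and screenshot count against the limits from both tables; the PNG inputs it uses are constructed header stubs, not real images.

```python
import struct
import zlib

# Limits transcribed from the WP8 and Windows 8.1 file specification tables on this page.
SPECS = {
    "wp8": {
        "app": {"ext": {".xap"}, "max_bytes": 100 * 1024 * 1024},
        "icon": {"ext": {".png"}, "max_dims": (99, 99)},
        "screenshot": {"ext": {".png"}, "exact": {(480, 800), (480, 854)}, "max_count": 4},
    },
    "win81": {
        "app": {"ext": {".appx"}},                      # no size limit stated on the page
        "icon": {"ext": {".png"}, "max_dims": (150, 150)},
        "screenshot": {"ext": {".png"}, "exact": {(1920, 1200)}, "max_count": 4},
    },
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk, which PNG places first in the file.
    Returns None if the data does not start with a PNG signature followed by IHDR."""
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def _extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_file(platform: str, role: str, name: str, data: bytes):
    """Return a list of violations for one file; an empty list means it passes."""
    spec = SPECS[platform][role]
    problems = []
    ext = _extension(name)
    if ext not in spec["ext"]:
        problems.append(f"{name}: extension {ext or '(none)'} not in {sorted(spec['ext'])}")
    if "max_bytes" in spec and len(data) > spec["max_bytes"]:
        problems.append(f"{name}: {len(data)} bytes exceeds {spec['max_bytes']}")
    if role in ("icon", "screenshot"):
        dims = png_dimensions(data)
        if dims is None:
            problems.append(f"{name}: not a PNG, or header truncated")
        else:
            w, h = dims
            if "exact" in spec and dims not in spec["exact"]:
                problems.append(f"{name}: {w}x{h} is not one of {sorted(spec['exact'])}")
            if "max_dims" in spec and (w > spec["max_dims"][0] or h > spec["max_dims"][1]):
                problems.append(f"{name}: {w}x{h} exceeds {spec['max_dims']}")
    return problems


def check_screenshots(platform: str, files):
    """files is a list of (name, data); enforces the per-app count and each file."""
    spec = SPECS[platform]["screenshot"]
    problems = []
    if "max_count" in spec and len(files) > spec["max_count"]:
        problems.append(f"{len(files)} screenshots exceeds the limit of {spec['max_count']}")
    for name, data in files:
        problems.extend(check_file(platform, "screenshot", name, data))
    return problems


def png_stub(width: int, height: int) -> bytes:
    """Constructed test input: PNG signature plus a valid IHDR chunk and nothing else.
    Enough for the header check above; it is not a displayable image."""
    body = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIGNATURE + struct.pack(">I", 13) + body + struct.pack(">I", zlib.crc32(body))


if __name__ == "__main__":
    print(check_file("wp8", "icon", "icon.png", png_stub(120, 99)))
    print(check_screenshots("win81", [("shot.png", png_stub(480, 800))]))
```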

Adding and updating in-house and third-party apps for distribution


To add in-house or third-party apps or update existing apps to a newer version:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. From the Select Platform drop-down list, select Windows Pro/RT.
3. Click the Add App button.
The Add App Wizard starts.
4. Click Next.
5. Click Browse to navigate to and select the app.
This is a .appx file.
6. Click Next.
The app information, extracted from the .appx file, displays.
7. Use the following guidelines to update the app information:

App Name: The name of the app as defined by the developer. This field is not editable
when you add the app.

Version: The version of the app. This field is not editable.

Author: The author of the app as defined by the developer. This field is not editable.

Description: Enter a description for the app.

Featured: Select Yes to display the app in the Featured list on the device. Select No
if you do not want to list the app in the Featured list on the device.

Category: Select the category from the drop-down list. The app appears under that
category on the device. To add a new category, click the provided link.

8. Click Next.
9. (Optional) Click Browse to navigate to and select the icon and screenshots for the app.
You can upload one icon and up to four screenshots per app.
10. Click Finish.
The app information appears in the App Distribution page.
11. In the App Distribution page, select the app.
12. Click Actions > Apply To Label and select a label to apply.
The app is pushed to the devices in the label.
Note: Apps are pushed silently to the device. No action is required by the device
user.
Only the latest version of the app is displayed in the Mobile@Work app.

Editing the app information


To edit the app information, icons, and screenshots:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. Select Windows RT/Pro from the Select Platform dropdown list.
3. Click the edit icon next to the app you want to work with.


You can edit the following information:

App Name: Edit the name of the app.
Description: Edit the description for the app.
Featured App: Change whether the app is a Featured App or not. On the device, the
featured apps display in a separate Featured list. The app also displays in the
In-house apps list or the Recommended apps list.
Category: Edit the category under which the app appears on the device. To add a
new category, click the provided link.
App Icon: Click the edit icon under the graphic to navigate to and select a new
graphic. Click OK to replace the existing graphic.
Windows Phone 8 Screenshots: Click the edit icon under the screenshot to navigate
to and select a new screenshot. Click OK to replace the existing screenshot.
4. Click Save.

Deleting an app from MobileIron Core


To delete an app for Windows 8.1 RT and Pro devices:
1. In Admin Portal, go to Apps > App Distribution Library.
2. Select Windows RT/Pro from the Select Platform dropdown list.
The apps specific to Windows RT/Pro devices display.
3. Select the app to delete.
4. Click Delete.
This action deletes the app from MobileIron Core, but does not delete it from the
device.

Setting up your Windows 8.1 RT or Pro device


For the following information about setting up your Windows 8.1 device, see Getting
started with Windows 8.1 RT and Pro devices:
Registering your Windows 8.1 RT or Pro device with MobileIron.
Installing the Mobile@Work app.
Downloading company-approved apps.


Working with Web Applications

A web application is essentially a link to a web page. You can only launch the web
application from Apps@Work. Unlike a web clip, the web application icon is not
installed on the device.

Select the Web Application platform in the Admin Portal under Apps > App Distribution
Library to add and deploy web applications through Apps@Work.

The Web Application feature is supported on iOS devices.

To add a web application:


1. In the Admin Portal, go to Apps > App Distribution Library.
2. Select Web Application from the Select Platform drop-down list.
3. Click Add App.
The Add New Web Application pop-up screen displays.
4. Enter the following information:

Name: Enter a name, no more than 127 characters, for the web application. This
name is displayed on the device.
App Logo: Click Browse to navigate to and select a graphic for the web clip. If
you do not select a graphic, the default graphic is used. Click Use Default to
clear the selected graphic and use the default graphic. The graphic should be in
PNG format and no more than 512 x 152 pixels.
Description: Enter additional information to describe the app.
Developer: Enter the name of the developer for this web application.
App URL: Enter the address or URL for the target of the web clip. The URL must
include the prefix http://, https://, or mibrowser://. You can enter up to 255
characters. If you enter the prefix mibrowser://, the URL opens in Web@Work.
Web@Work must be installed on the device.
Category: Select a category if you would like this app to be displayed in a
specific group of apps on the device. Select a category in the Available column
and click the -> arrow to move it to the Selected column. Click Add New Category
to define new categories.
Featured App: Select Yes to display the app in the Featured List on the device.
The app will also display in all the categories you selected.
Hide in App Storefront: Select Hide to prevent this app from displaying in the
app storefront. For example, you might want to hide apps that will be installed
upon registration. Hiding a mandatory app reduces clutter in the app storefront,
leaving device users with a concise menu of the approved apps they might find
useful. Select Show to display an app that is normally hidden, such as the
Apps@Work Container.

5. Click Save.
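The file and field limits given above (the Windows RT/Pro package, icon and screenshot
specifications, and the web application name, URL prefix and logo limits) can be checked
before anything is uploaded to the App Distribution Library. The following Python is an
added example written for this guide, not MobileIron code: it reads only the PNG IHDR
header to get image dimensions, treats the 1920x1200 screenshot size as a maximum (the
guide lists the size without saying so), and the sample images are constructed PNG
headers with no pixel data.

```python
import struct

# Limits from this guide. Treating 1920x1200 as a maximum for screenshots is an
# assumption; the guide lists the size without calling it a maximum.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
WIN_ICON_MAX = (150, 150)
WIN_SCREENSHOT_MAX = (1920, 1200)
WIN_SCREENSHOT_COUNT_MAX = 4
WEBAPP_LOGO_MAX = (512, 152)
WEBAPP_NAME_MAX = 127
WEBAPP_URL_MAX = 255
WEBAPP_URL_PREFIXES = ("http://", "https://", "mibrowser://")


def png_dimensions(data):
    """Return (width, height) from a PNG's IHDR chunk, or None if data is not a PNG.

    Layout: 8-byte signature, then the first chunk, which must be IHDR:
    4-byte length (always 13), 4-byte type, 4-byte width, 4-byte height, ...
    """
    if len(data) < 24 or not data.startswith(PNG_SIGNATURE):
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    return struct.unpack(">II", data[16:24])


def check_image(data, limit):
    """Problems found when a PNG exceeds the (width, height) limit or is not a PNG."""
    dims = png_dimensions(data)
    if dims is None:
        return ["not a valid PNG file"]
    width, height = dims
    if width > limit[0] or height > limit[1]:
        return ["%dx%d exceeds maximum %dx%d" % (width, height, limit[0], limit[1])]
    return []


def validate_windows_app(package_name, icon, screenshots):
    """Check an in-house Windows RT/Pro submission: .appx, one icon, up to four shots."""
    problems = []
    if not package_name.lower().endswith(".appx"):
        problems.append("app package must be an .appx file")
    problems += ["icon: " + p for p in check_image(icon, WIN_ICON_MAX)]
    if len(screenshots) > WIN_SCREENSHOT_COUNT_MAX:
        problems.append("at most %d screenshots per app" % WIN_SCREENSHOT_COUNT_MAX)
    for i, shot in enumerate(screenshots, start=1):
        problems += ["screenshot %d: %s" % (i, p)
                     for p in check_image(shot, WIN_SCREENSHOT_MAX)]
    return problems


def validate_web_application(name, url, logo=None):
    """Check a web application entry; logo=None means the default graphic is used."""
    problems = []
    if not name or len(name) > WEBAPP_NAME_MAX:
        problems.append("name must be 1 to %d characters" % WEBAPP_NAME_MAX)
    if len(url) > WEBAPP_URL_MAX:
        problems.append("URL must be at most %d characters" % WEBAPP_URL_MAX)
    if not url.startswith(WEBAPP_URL_PREFIXES):
        problems.append("URL must start with http://, https:// or mibrowser://")
    if logo is not None:
        problems += ["logo: " + p for p in check_image(logo, WEBAPP_LOGO_MAX)]
    return problems


def make_png_header(width, height):
    """Constructed sample input: signature plus a minimal IHDR chunk, no image data."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    crc_placeholder = b"\x00\x00\x00\x00"  # png_dimensions does not verify the CRC
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + crc_placeholder


if __name__ == "__main__":
    print(validate_windows_app("sales.appx", make_png_header(150, 150),
                               [make_png_header(1920, 1200)]))
    print(validate_web_application("Intranet", "mibrowser://intranet.example.com",
                                   make_png_header(600, 152)))
```

Only the header is parsed, so a truncated or corrupt image body is not detected here; that
is acceptable for a pre-upload size check but not a substitute for validating the file
with an image library.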

Taking actions on web applications


You can take the following actions on a selected web application:

Delete: Click Delete to delete the web application from MobileIron Core and
remove it from Apps@Work.
Apply To Label: Click Actions > Apply to Label to select the label to apply. The
web application will be available in Apps@Work for the devices associated with
the label.
Remove From Label: Click Actions > Remove From Label to deselect the labels. The
web application will be removed from Apps@Work for the devices associated with
the label.

Installing web applications


The Enable Installation of Web Applications on iOS option allows the device user to
install the web application to the device. The option is enabled by default.

To enable or disable installing web applications:


1. In the Admin Portal, go to Apps > Apps@Work Settings.
2. Under Web Applications, check or uncheck Enable Installation of Web Applications.
The feature is enabled by default.

Viewing the number of devices with the web application installed

To view the devices on which the web application is installed:
1. In the Admin Portal, go to Apps > App Distribution Library.
2. For Select Platform, select Web Application from the drop-down list.
The web applications in the App Distribution Library are displayed.
The number in the Devices column indicates the number of devices on which the
web application is installed.
Note: The number in the Devices column will display as 0 if the feature is disabled.
3. Click on the number to see a list of devices.

What the device user sees


The web application icon displays in Apps@Work.

Enable Installation of Web Applications on iOS is not checked


When you tap on the icon, the details page displays the Launch button. Tapping on the
Launch button brings up the web page in a browser.

If the web application points to a mibrowser:// URL, the web page opens in
Web@Work. You must have Web@Work installed on your device to view a web page
with the mibrowser:// prefix.

Enable Installation of Web Applications on iOS is checked


If the feature is enabled, when you tap on the web application in Apps@Work, the
details page displays the Request button.

Note: The details page will display the Launch button if Enable Installation of Web
Applications is disabled.

Tapping on the Request button installs the web clip to the device. The status of the
button changes to Installed after the web application is installed on the device.

The device user can tap on the web clip to access the link. You do not have to go to
Apps@Work to access the link.


Setting up app control

Android  iOS  Win 7  WP8  WP8.1
yes      yes  -      -    yes

You can set up app control to enhance visibility into the apps being installed on
managed devices and help enforce corporate app policy. Setting up app control
involves the following tasks:
1. Configure alerts for when a device violates the app control rules in its security
policy.
2. Define app control rules.
3. Select app control rules for the Access Control settings in the security policies
assigned to target devices.

This order of tasks is strongly recommended to ensure that alerts are generated if
devices are already in violation when they receive the corresponding policy from
MobileIron. Otherwise, these devices will not generate an alert until one of the
following actions occurs:
the administrator changes the security policy
the administrator edits the app control rule
the device updates app inventory
the device updates device detail

The app control rule defines which apps you want to control. Security policies specify
which devices the rules are applied to and the actions to associate with a rule
violation. The alert determines the information that is sent as the result of rule
violation, as well as the recipients of the information.

App control alerts


The app control rule specifies whether violating devices should just trigger an alert or
also be blocked from ActiveSync access and Docs@Work access. However, the
associated event must also be configured in Event Center, or no alert will be
generated.

Important: To ensure that the alert is generated in a timely fashion for devices that
are already in violation when the policy is created, you should create the event first.
Otherwise, the alert will not be generated until after one of the following:
change in security policy
edit of app control rule
device updates app inventory
device updates device detail


App control rule types


Each app control rule specifies that the apps meeting the given criteria be designated
as either Required, Allowed, or Disallowed:
Use Required rules (iOS and Android only) to ensure that certain apps are installed
on designated devices. The absence of one of these apps is considered a policy
violation. For example, since MDM-enabled iOS devices report inventory even if the
MobileIron Client has been uninstalled, you can create a Required rule to ensure
that the removal of the MobileIron Client results in the appropriate response. Note
that Required rules take precedence over Disallowed rules in the case of a conflict.
Use Allowed rules to specify a small set of apps that are allowed on designated
devices. The presence of an app not on this list is considered a policy violation. For
example, you might create a set of Allowed rules for use by temporary employees
to ensure that they are not installing personal apps on a corporate device.
Use Disallowed rules to specify a small set of apps that are forbidden on designated
devices. The presence of a disallowed app is considered a policy violation. For
example, you might use a set of Disallowed rules to help lower exposure to apps
with known security issues. Note that Required rules take precedence over
Disallowed rules in the case of a conflict.

App control rule criteria


App criteria match a specified string against the app name. (In this case, app name
refers to the uneditable app name defined by the author of the app. It does not refer
to an app name you may have specified when adding the app to the app distribution
library.) You can also restrict criteria to a specific platform. The following figure shows
an example of an app control rule with criteria for disallowed.

App control rules applied in security policies


The following figure shows app control rules applied in a security policy. In this case,
the selected compliance actions are applied if the specified apps are detected on a
device to which the security policy is applied.


Configuring app control alerts


To enable app control alerts:
1. In the Admin Portal, select Logs & Events > Event Settings.
2. Select Add New > Policy Violations Event.
3. Enter a name for the event.
4. Confirm that the app control alerts you want to generate have been selected.
The following table summarizes these alerts:

Disallowed app found: Generate an alert if a disallowed app is found on a
designated device.
App found that is not in Allowed Apps list: Generate an alert if an app is found
that is not on the Allowed Apps list for the designated device.
Required app not found: Generate an alert if a required app is not found on a
designated device.

5. Clear any other alerts that you do not want to generate.
6. Click Save.

Adding an app control rule


To add an app control rule:
1. In the Admin Portal, select Apps > App Control.
2. Click Add.
3. In the Name field, specify an identifier for this rule.
4. For the Type option, select the type of rule you want to define:


Required: (iOS and Android only) This rule specifies criteria for apps that MUST
be installed. WP8.1 devices ignore this option.
Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of
all other apps.
Disallowed: This rule specifies criteria for apps that MUST NOT be installed.
5. Under Rule Entries, specify one or more criteria to match the name of the app you
want to control:
For AppID, select IS or CONTAINS (iOS and Android only) to indicate whether to
use an exact match. Note that if you selected Required, then you must select
IS.
For WP8.1, select IS MS Store GUID. WP8.1 devices do not support IS
or CONTAINS.
In the App ID String, for iOS or Android, enter the app name text you want to
match. Do not enter wildcards. If you know the official name for the app, enter
it here. If you do not, enter text you will be able to identify with this app. Once
you have installed the app once, the App Inventory screen will display the
official name. You can then change this field to match.
For WP8.1 enter the GUID of the app.
In the Device Platform list, select the platform to which you want to apply this
entry.
In the optional Comment field, you can enter a note about the purpose of the
entry.
6. To add an additional entry, click the + icon.
7. Click Save when you are finished.
8. Specify the rule in the appropriate security policies to apply the rule to managed
devices.

Editing app control rules


To edit an app control rule, click the edit icon next to the rule in the App Control page.
Note that you cannot change the type of an app control rule if that rule has been
applied to a security policy.

Identifying the GUID for the Windows Phone app


The GUID is a unique number that identifies the app in the Microsoft ecosystem. In
the Windows Phone Store, select the app. The URL for the app includes the GUID. The
GUID is the alphanumeric section at the end of the URL.

Example:
http://www.windowsphone.com/en-us/store/app/netflix/c3a509cd-61d6-df11-a844-00237de2db9e

In the example, the GUID is c3a509cd-61d6-df11-a844-00237de2db9e.
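The rule types, the IS/CONTAINS/GUID match options and the Required-over-Disallowed
precedence described in the sections above combine into a small evaluation that is worth
seeing end to end. The following Python is an added example, not MobileIron Core's own
matching code: rule and entry names mirror the Admin Portal fields, inventory names are
compared without regard to case (as the inventory section says they are stored), the GUID
extraction follows the Windows Phone Store URL shape shown above, and the assumption that
a WP8.1 device reports its apps as store GUIDs is this example's, not the guide's.

```python
import re
from dataclasses import dataclass, field
from typing import List

# A Windows Phone Store app URL ends in the app's GUID (the Netflix URL above).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def guid_from_store_url(url):
    """Return the GUID that ends a Windows Phone Store app URL, lower-cased, or None."""
    last = url.rstrip("/").rsplit("/", 1)[-1]
    return last.lower() if GUID_RE.match(last) else None


@dataclass
class RuleEntry:
    match: str       # "IS" or "CONTAINS" (iOS/Android), "IS_MS_STORE_GUID" (WP8.1)
    value: str       # app name text, or the store GUID for WP8.1
    platform: str    # "iOS", "Android" or "WP8.1"
    comment: str = ""

    def matches(self, app_id, platform):
        if platform != self.platform:
            return False
        app_id, value = app_id.lower(), self.value.lower()   # case-insensitive names
        if self.match == "CONTAINS":
            return value in app_id
        return app_id == value   # IS and IS_MS_STORE_GUID are exact matches


@dataclass
class Rule:
    name: str
    rule_type: str   # "Required", "Allowed" or "Disallowed"
    entries: List[RuleEntry] = field(default_factory=list)

    def __post_init__(self):
        if self.rule_type == "Required" and any(e.match != "IS" for e in self.entries):
            raise ValueError("Required rules must use IS")


def evaluate_policy(rules, platform, installed):
    """Violations for one device. `installed` holds app names (iOS/Android) or
    store GUIDs (WP8.1; that the device reports GUIDs is an assumption here)."""
    types = {r.rule_type for r in rules}
    if "Allowed" in types and "Disallowed" in types:
        raise ValueError("a security policy may not carry both Allowed and Disallowed rules")
    if platform == "WP8.1":
        rules = [r for r in rules if r.rule_type != "Required"]   # WP8.1 ignores Required

    def entries(rule_type):
        return [e for r in rules if r.rule_type == rule_type
                for e in r.entries if e.platform == platform]

    required, allowed, disallowed = entries("Required"), entries("Allowed"), entries("Disallowed")
    result = {"required_missing": [], "not_allowed": [], "disallowed": []}

    for e in required:
        if not any(e.matches(app, platform) for app in installed):
            result["required_missing"].append(e.value)
    for app in installed:
        is_required = any(e.matches(app, platform) for e in required)
        if allowed and not any(e.matches(app, platform) for e in allowed):
            result["not_allowed"].append(app)
        # Required takes precedence over Disallowed when both match the same app.
        if not is_required and any(e.matches(app, platform) for e in disallowed):
            result["disallowed"].append(app)
    return result


def is_compliant(result):
    return not any(result.values())


if __name__ == "__main__":
    rules = [Rule("client-present", "Required", [RuleEntry("IS", "Mobile@Work", "iOS")]),
             Rule("blocked", "Disallowed", [RuleEntry("CONTAINS", "torrent", "iOS")])]
    print(evaluate_policy(rules, "iOS", ["Mobile@Work", "uTorrent Remote"]))
```

Each of the three result lists corresponds to one of the Policy Violations Event alerts
(Required app not found, App found that is not in Allowed Apps list, Disallowed app
found), so the same structure can drive whichever compliance action the policy selects.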


Applying an app control rule to a security policy


To apply an app control rule to a security policy:
1. In Admin Portal, select Policies & Configs > Policies.
2. Select the security policy you want to work with.
3. Click the Edit button.
4. Scroll down to the Access Control section of the Edit Security Policy screen.
5. Select the checkbox for the App Control rules option.
6. In the dropdown list, select the action you want to perform if the rule is violated.
You can select from:
Block Email, AppConnect apps, and Send Alert: Prevents the device from
accessing email via ActiveSync and generates a policy violation alert, if
configured. This selection also unauthorizes AppConnect apps, blocks app tunnels,
and blocks access to Docs@Work features in Mobile@Work on iOS devices.
Send Alert: Generates a policy violation alert if configured in Event Center.
any custom compliance actions you have created.
7. Under Rule Type: Required, select the rules you want to apply, if any, and click the
arrow button to move them to the Enabled list.
8. To apply allowed-type or disallowed-type rules, select either Rule Types: Allowed or
Rule Types: Disallowed. You may not select both in the same security policy.
9. Select the allowed-type or disallowed-type rules you want to apply and click the
arrow button to move them to the Enabled list.
10. Click Save.
11. Configure App Control alerts.

Viewing app control status


In addition to the alerts you can configure, MobileIron displays app control status for
devices in the Devices page.

The following icons relate to app control:
App control violation
Required app violation
Allowed app violation
Disallowed app violation

Select the entry for a device in violation to see details in the device details pane.


Viewing app inventory

Android  iOS  OS X  Win 7  WP8
yes      yes  yes   -      yes (a)

(a) In-house and third-party apps only.

The Device App Inventory page displays the apps that MobileIron has detected on
managed devices. Only apps that were installed after the manufacturer's image was
loaded are listed.

To display the app inventory, in the Admin Portal, select Apps > Device App Inventory.

What's in an app name?


The app names displayed in the App Inventory page are the names reported by the
apps installed on managed devices, not the name you assigned when you added an
app to the app distribution library. Therefore, if you are looking for an app you know is
installed, but you cannot find it in the inventory list, make sure you are looking for the
correct name. Note that any control characters found in the reported app name are
converted to spaces in MobileIron, and app names are stored in the database without
regard to case.

Synchronizing app inventory


The privacy policy assigned to a device determines whether that device reports data
associated with app inventory. If the Apps option in the privacy policy is set to None,
then inventory data for the device will not appear in this screen.

Note that inventory data is updated based on the Sync Interval specified in the Sync
policy. Therefore, inventory changes on the device are not reflected immediately on
the App Inventory page. During testing, you can use one of the following methods to
decrease the amount of time it will take to update the inventory:
decrease the Sync Interval in the Sync policy
use the Force Device Check-in feature in Admin Portal (for supported platforms)
use the Connect Now/Refresh feature in the MobileIron client (for supported
platforms)
check for updated configurations (for iOS)

Also note that setting Apps to None in the Sync policy drops the current inventory
data. Setting Apps back to Sync Inventory re-enables inventory reporting for iOS
(with timing governed by the Sync Interval specified in the sync policy). For all other
platforms, you must make an app distribution change or reboot the device in order to
restart the inventory process.


App filters
The App filters feature allows you to control which apps are reported in the Device App
Inventory page. You can configure App filters so that the device reports only managed
apps or a list of apps that the administrator specifies. All other apps on the user's
device are not visible in the Device App Inventory page, providing additional privacy on
the device.

You configure app filters in the privacy policy.

Filtering the inventory display


You can filter the inventory display by:
Platform
Label
App name

For example, to display iOS apps that are on company-owned devices and contain the
letter A, you would select iOS from the Platforms list, select Company-Owned from
the Labels list, and enter A in the Search by App field. Clicking the search icon in the
Search by App field applies the search.

Displaying the devices on which an app is installed


The entry for each app in the Device App Inventory page includes the number of
devices on which the app has been installed. The displayed number is a link. Click the
link to display a list of the devices on which the app is installed.


Managing app inventory

Android  iOS  OS X  Win 7  WP8
yes      yes  yes   -      -

You can use the Device App Inventory page to help manage the apps that are
appearing in your enterprise. We recommend the following approach:
determine which apps are new
determine when an app was first reported by a managed device
launch a web search for a selected app
display permissions for Android apps
move directly to the App Control screen

Determining which apps are new


The Status column in the Device App Inventory screen flags an app as New when it is
first detected on a managed device. Use the Status filter to display only those apps
flagged as New.

If a new version of an app flagged as OK appears, then the default status is New
Version.

Exception: If you have changed the status for an app to Bad, then a new version of it
will retain the Bad flag. See Deciding whether an app is OK on page 546 for
information on changing the flag.
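The name handling described under "What's in an app name?" (control characters become
spaces, names are stored without regard to case) and the New / New Version / OK / Bad
status rules above are easy to get wrong when reconciling inventory exports, so here is a
small model of both. This is an added example, not MobileIron Core's database logic: the
record layout, the `visible()` filter and the decision that an app still flagged New keeps
that flag when a new version appears are this example's assumptions; the sample names and
dates are constructed.

```python
import re

# Control characters (C0 range and DEL) found in a reported app name become spaces.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_app_name(reported):
    """Display form of a reported app name: control characters replaced by spaces."""
    return CONTROL_CHARS.sub(" ", reported)


def inventory_key(name):
    """Lookup key: the display form without regard to case."""
    return normalize_app_name(name).lower()


class AppInventory:
    """Minimal model of the Device App Inventory: one record per app name, tracking
    the first report date, versions, reporting devices and the status flag."""

    def __init__(self):
        self.apps = {}   # inventory_key -> record

    def report(self, device_id, reported_name, version, seen):
        """Record that device_id reported the app (seen is an ISO date string).
        Returns the status flag after the report."""
        key = inventory_key(reported_name)
        rec = self.apps.get(key)
        if rec is None:
            rec = {"name": normalize_app_name(reported_name), "first_reported": seen,
                   "status": "New", "versions": {}}
            self.apps[key] = rec
        elif version not in rec["versions"] and rec["status"] == "OK":
            rec["status"] = "New Version"   # an app flagged Bad keeps that flag
        rec["versions"].setdefault(version, set()).add(device_id)
        return rec["status"]

    def set_status(self, name, status):
        """Result of the administrator's research: OK or Bad."""
        if status not in ("OK", "Bad"):
            raise ValueError("status must be OK or Bad")
        self.apps[inventory_key(name)]["status"] = status

    def remove(self, device_id, name):
        """The device no longer reports the app; the record itself is retained."""
        for devices in self.apps[inventory_key(name)]["versions"].values():
            devices.discard(device_id)

    def device_count(self, name):
        rec = self.apps[inventory_key(name)]
        return len(set().union(*rec["versions"].values()))

    def first_reported(self, name):
        return self.apps[inventory_key(name)]["first_reported"]

    def visible(self, status=None, contains=""):
        """Apps listed on the page: reported by at least one device, optionally
        filtered by status flag and by a case-insensitive substring of the name."""
        return [rec["name"] for rec in self.apps.values()
                if self.device_count(rec["name"]) > 0
                and (status is None or rec["status"] == status)
                and contains.lower() in rec["name"].lower()]


if __name__ == "__main__":
    inv = AppInventory()
    inv.report("device-1", "Evil\x07App", "1.0", "2014-06-01")   # constructed sample
    print(inv.visible(status="New"), inv.first_reported("evil app"))
```

The retained record is what makes the "bad app removed, then rediscovered" behaviour
work: after every device drops the app it disappears from `visible()`, but the next report
returns the Bad flag rather than New.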

Determining when an app was first reported


The date an app was first reported by a managed device can be an important piece of
information when investigating possible issues with the app. MobileIron tracks this
information for each app displayed in the Device App Inventory page.

Launching a web search for a selected app


When a new app appears in the Device App Inventory page, you may want to
investigate. Who develops and distributes the app? Is this a reputable vendor? Does
the app pose any security considerations? To start your research, click the link for the
app in the App Inventory page.

MobileIron launches a web search to get your research started.


Displaying permissions for Android apps


Android's unique approach to app permissions can pose a challenge to administrators,
as each app may have dozens of permissions associated with it. To provide easier
access to this information, MobileIron displays the permissions granted to each
Android app in the Device App Inventory page.

Just click the link in the Permissions column to display the list of Android permissions.

If multiple versions of an app have been detected, then the displayed permissions are
for the latest version of the app.

Deciding whether an app is OK


Once you have researched an app, you can change the New flag (or New Version flag)
to indicate the result of your research. To change the flag:
1. Double-click the New link to change the field to a dropdown list.
2. Select OK or Bad from the dropdown.
3. Click elsewhere on the page to save the selection.

What happens when a bad app is removed?


Once a bad app is removed from managed devices, the entry for that app no longer
appears in the App Inventory screen. However, the information about that app is
retained in the MobileIron database. If the app is again discovered on a managed
device, an entry will appear with the Bad flag displayed.

If you want to be able to track which apps you have determined to be bad, consider
adding the information in the Comment field for an app control rule.


Moving directly to the App Control screen


To move quickly from an app in the Device App Inventory screen to the App Control
screen, you can click the App Control Rules link for the app.


Upgrading the MobileIron client application


No longer supported.


Override for in-house app URLs


MobileIron supports an alternative for off-loading distribution of in-house apps to
alternate HTTP servers. This option is intended only for those customers who meet all
of the following criteria:
numerous internally-developed apps for distribution to thousands of devices
a trusted and secure internal network
available HTTP servers
concerns about performance impact on MobileIron Core
ability to manually synchronize apps between Core and an alternate location

This alternative enables you to specify an override URL, per app, to be used for in-
house app distribution. MobileIron Core routes download requests to this alternate
location. The following diagram illustrates a typical deployment.

This feature uses unauthenticated URLs. Therefore, a trusted and secure internal
network is an absolute requirement. This feature is intended for use behind the
firewall.

Implementing app source override on MobileIron Core


If you have the supporting infrastructure in place, complete the following steps to
implement app source override:
1. In Admin Portal on MobileIron Core, select Apps > App Distribution Library.
2. Select Android or iOS from the Platforms list.
3. As you complete the forms in the Add App Wizard, include an appropriate URL in
the Override URL field.
The URL must point to the in-house app in its alternate location.


4. When you complete the Add App Wizard, assign an appropriate label to the app.
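Because the override feature serves in-house apps over unauthenticated URLs, the value
typed into the Override URL field deserves a review step before the label is applied. The
following Python is an added example of such a pre-check, not a MobileIron Core setting:
the internal DNS zone is a placeholder, the package suffixes per platform and the decision
to flag plain http are this example's assumptions, and the private-address test uses the
standard library's RFC 1918 classification.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy assumed for this example (not a MobileIron setting): override URLs may point
# only at hosts inside the enterprise and only at the package type for the platform.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example.com",)      # placeholder internal DNS zone
PACKAGE_SUFFIX = {"iOS": ".ipa", "Android": ".apk"}     # assumption: in-house package types


def is_internal_host(host):
    """True for private (RFC 1918) or loopback addresses, or hosts in the internal zone."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                       # not an IP literal, so treat as a hostname
        return host.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)


def check_override_url(url, platform):
    """Problems that would make an Override URL unsuitable for app source override."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif parts.scheme == "http":
        problems.append("plain http: the download is unauthenticated and unencrypted")
    if not parts.hostname:
        problems.append("URL has no host")
    elif not is_internal_host(parts.hostname):
        problems.append("host %s is not on the internal network" % parts.hostname)
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL are handed to every device")
    suffix = PACKAGE_SUFFIX.get(platform)
    if suffix is None:
        problems.append("override is supported for Android and iOS only")
    elif not parts.path.lower().endswith(suffix):
        problems.append("path does not end with %s" % suffix)
    return problems


if __name__ == "__main__":
    print(check_override_url("https://apps.corp.example.com/ios/sales.ipa", "iOS"))
    print(check_override_url("http://downloads.example.org/sales.ipa", "iOS"))
```

The hostname check is string-based and does not resolve DNS, so it cannot notice an
internal name that has been pointed at an external address; it is a sanity check on the
administrator's input, not a network control.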

Manual synchronization of apps


MobileIron Core does not synchronize the apps configured in Apps@Work with those
stored on the HTTP server in this configuration. The administrator must perform this
maintenance manually and develop a process for ensuring proper synchronization.


Malware prevention: App reputation


Integration with Appthority provides app reputation data for apps detected on
managed devices. This information helps you protect your organization from malware.

Enabling app reputation


Before using an app reputation service:
Find out whether or not the service supports the MobileIron APIs and can be used
with MobileIron Core
Get a URL for the service
Determine the service's rating range (for example, 0 to 50)
Determine what the low and high numbers in the service's rating range indicate (do
low numbers indicate a high or low threat?)

To enable the app reputation feature:


1. Consider configuring debug mode for MIFS logs (in System Manager).
Debug logs will capture successful configuration. Otherwise, you will have no
indication if you mistype the license key for the reputation service.
2. Select Settings > Preferences.
3. Scroll down to the App Reputation section.
4. Select the Enable App Reputation option.
5. Use the following guidelines to complete the displayed fields:

Reputation Service URL: Enter the URL your app reputation service provided.
Authentication Type: Select Basic or Token Authentication.
Name/Password: Specify a username and password when you select Basic
Authentication.
Authentication Key: Provide an authentication key when you select Token
Authentication.
Rating Range Low Value: Enter the low number of the service's range.
Rating Range High Value: Enter the high number of the service's range.
Rating Scale: Click Low to indicate that apps with ratings lower than the Rating
Threshold have the highest threat level (for example, if the range is 0 to 100,
and the Rating Threshold is 60, apps with a rating of 60 or below have a high
threat rating). Click High to indicate that apps with ratings higher than the
Rating Threshold have the highest threat level (for example, if the range is 0 to
100, and the Rating Threshold is 65, apps with a rating of 65 or more have a high
threat rating).
Rating Threshold: Specify the rating you select as the limit for determining
whether an app has a high or low threat rating. It is used in combination with
Rating Scale to determine the app threat risk.
Check Interval: Select an interval for contacting the reputation service to
retrieve updated reputation data:
Daily: Update occurs at midnight each day.
Weekly: Update occurs at midnight between Saturday and Sunday.
Monthly: Update occurs at midnight before the first of the month.
The reputation data is stored on MobileIron Core.
Note: The day of the week and time of the update are not configurable.

6. Click Save.
An initial sync begins shortly after initial configuration. Thereafter, the Check
Interval setting determines when Core contacts the reputation service.

Confirming configuration of the app reputation service


You can use the following keywords to check the logs for successful configuration of
the reputation service:
appReputationEnabled=true
Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?
appReputationServiceOption=Appthority
appRatingThreshold
appReputationIntervalOption
Rescheduling Appthority-Sync-Job with schedule


AppthoritySyncJob.execute
Done with sync job
scores.length
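Rather than reading the MIFS debug log by eye for the keywords listed above, the check can
be scripted so that a missing marker is reported explicitly. The following Python is an
added example, not a MobileIron tool: the marker strings are the ones the guide lists, but
the key=value line shape used to read back settings, and the sample log lines themselves,
are constructed, and "Rescheduling Appthority-Sync-Job with schedule" is left out of the
required set on the assumption that it appears only after a later settings change.

```python
import re

# Log markers the guide lists as evidence of a successful configuration.
EXPECTED_MARKERS = (
    "appReputationEnabled=true",
    "Enabling Appthority-Sync-Job with schedule",
    "appReputationServiceOption=Appthority",
    "appRatingThreshold",
    "appReputationIntervalOption",
    "AppthoritySyncJob.execute",
    "Done with sync job",
    "scores.length",
)

# Settings worth reading back. The key=value shape is an assumption; the guide lists
# only the keywords, not the exact line format of MIFS logs.
SETTING_RE = re.compile(
    r"\b(appRatingThreshold|appReputationIntervalOption|scores\.length)\s*=\s*([^\s,;]+)")


def check_reputation_log(lines):
    """Report which expected markers were seen, which are missing, and any setting
    values that could be read from the lines."""
    found = set()
    values = {}
    for line in lines:
        for marker in EXPECTED_MARKERS:
            if marker in line:
                found.add(marker)
        for key, val in SETTING_RE.findall(line):
            values[key] = val
    missing = [m for m in EXPECTED_MARKERS if m not in found]
    return {"configured": not missing, "missing": missing, "values": values}


# Constructed sample lines (not real MIFS output) in the shape a debug log might take.
SAMPLE_LOG = [
    "2014-06-29 22:30:00 DEBUG Preferences: appReputationEnabled=true, "
    "appReputationServiceOption=Appthority",
    "2014-06-29 22:30:00 DEBUG Preferences: appRatingThreshold=60, "
    "appReputationIntervalOption=DAILY",
    "2014-06-29 22:30:00 INFO  Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?",
    "2014-06-29 22:30:01 DEBUG AppthoritySyncJob.execute",
    "2014-06-29 22:30:04 DEBUG scores.length=137",
    "2014-06-29 22:30:04 INFO  Done with sync job",
]

if __name__ == "__main__":
    print(check_reputation_log(SAMPLE_LOG))
```

Run against the real log after the initial sync; a result with "Done with sync job" or
"scores.length" missing usually means the service URL or key is wrong, since the guide
notes that a mistyped key gives no other indication.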

Viewing app reputation data


The Device App Inventory page (Apps > App Inventory) displays the information
about apps detected on managed devices.

The following table summarizes the values that can display in the App Rating field:

Not Rated: With a score of 0, indicates that MobileIron Core has not processed
the app yet. With a blank score, indicates that the app is not currently in the
designated service's database. The app might be new or the service might provide
app data only for specific operating systems.
OK: Indicates that the app's score exceeds the threshold specified in the App
Reputation settings.
Risky: Indicates that the app's score does not exceed the threshold specified in
the App Reputation settings.
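How Rating Range, Rating Scale and Rating Threshold (from the App Reputation settings
table) turn a raw score into the Not Rated / OK / Risky value shown in the App Rating
field is easier to see as code. The following Python is an added example, not MobileIron
Core's implementation: the Low-scale case follows both tables literally (scores at or below
the threshold are Risky), the High-scale case follows the Rating Scale description (scores
at or above the threshold are Risky), a score of 0 or a blank score is Not Rated as the
table states, and the sample scores are constructed.

```python
class AppReputationSettings:
    """Rating Range, Rating Scale and Rating Threshold as set under Settings >
    Preferences > App Reputation."""

    def __init__(self, range_low, range_high, rating_scale, rating_threshold):
        if range_low >= range_high:
            raise ValueError("Rating Range Low Value must be below the High Value")
        if rating_scale not in ("Low", "High"):
            raise ValueError("Rating Scale is Low or High")
        if not range_low <= rating_threshold <= range_high:
            raise ValueError("Rating Threshold must lie within the Rating Range")
        self.range_low = range_low
        self.range_high = range_high
        self.rating_scale = rating_scale
        self.rating_threshold = rating_threshold

    def high_threat(self, score):
        """Scale Low: scores at or below the threshold are the highest threat.
        Scale High: scores at or above the threshold are the highest threat."""
        if self.rating_scale == "Low":
            return score <= self.rating_threshold
        return score >= self.rating_threshold

    def app_rating(self, score):
        """Value shown in the App Rating field: Not Rated, OK or Risky."""
        if score is None:          # blank score: app not in the service's database
            return "Not Rated"
        if score == 0:             # score 0: Core has not processed the app yet
            return "Not Rated"
        if not self.range_low <= score <= self.range_high:
            raise ValueError("score %r is outside the configured range" % (score,))
        return "Risky" if self.high_threat(score) else "OK"

    def summarize(self, scores):
        """Group app names by rating for a {name: score} mapping."""
        groups = {"Not Rated": [], "OK": [], "Risky": []}
        for name, score in scores.items():
            groups[self.app_rating(score)].append(name)
        return groups


if __name__ == "__main__":
    settings = AppReputationSettings(0, 100, "Low", 60)
    # Constructed sample scores, not data from any reputation service.
    print(settings.summarize({"Sales Tracker": 88, "Flashlight Pro": 12, "NewApp": None}))
```

The range check in `app_rating` is deliberate: a score outside the configured Rating
Range usually means the Low/High values were entered for a different service scale, and
silently classifying it would hide that misconfiguration.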

Chapter 15

Docs@Work
About Docs@Work
Configuring email attachment control
Configuring Docs@Work for content servers (Android)
Configuring Docs@Work for content servers (iOS)
Docs@Work setup tasks
Impacts of other MobileIron features (iOS)
Impacts of other MobileIron features (Android)
Supported files in the Mobile@Work for iOS app


About Docs@Work
The Docs@Work feature gives device users an intuitive way to access, store, and view
attachments (from email) and documents from content servers, such as Microsoft
SharePoint sites. It also lets administrators establish data loss prevention controls to
protect these documents from unauthorized distribution. Docs@Work uses certain
aspects of AppConnect, including passcode access and app tunneling; however, you do
not require an AppConnect license for Docs@Work.

Docs@Work for content servers


Device users can view folders and documents that are shared on content servers, such
as a Microsoft SharePoint site, for which they have a valid user ID and password.

Device users can:


Log in to the content server.
Navigate through the folders.
Preview documents on the content server site.
These documents are known as remote files or file shares.
Save local copies of the documents.
These local copies are known as local files.
View local files.

For iOS
Docs@Work for iOS is a feature contained within the Mobile@Work app. Implementing
Docs@Work on an iOS device (as explained in this document) displays the
Docs@Work-related tabs in Mobile@Work. See Docs@Work for iOS on page 843 for
information on using Docs@Work once it is configured on an iOS device.

For Android
Docs@Work for Android is a solution involving separate AppConnect-enabled apps that
work together. See The SharePoint Client App for Android on page 883 for
information on using Docs@Work once it is configured on an Android device.

Docs@Work for email attachment control


Standalone Sentry controls email access between the ActiveSync server and devices.
You can configure Docs@Work and the email attachment control settings for Standalone
Sentry to determine if and how mobile devices view email attachments.

For detailed information, see Email attachment control support for Standalone Sentry
on page 422.

Attachment handling for iOS


Email attachment control works with the iOS native email client and supported
AppConnect-enabled email apps.


When using the iOS native email client:


The 20 most recently viewed email attachments are available in Mobile@Work without
requiring the user to reopen the attachment from its email. The user can also save an
attachment as a local file. Like the attachments, the local files are available for
viewing only in Mobile@Work.
Without attachment control, the device user can view email attachments using any
app that works with the attachment type. Configuring attachment control allows
you to restrict viewing email attachments to Mobile@Work. This containerization
secures the attachment from applications which could leak the attachment outside
of the device. For additional access control, you can encrypt the email attachments.

When using AppConnect-enabled email apps:


the AppConnect-enabled email app can receive the attachment.
attachments can be shared with other apps only according to the AppConnect Open
In rules that you specify. See Configuring AppConnect container policies on
page 603.
Starting with iOS 7, you can also restrict document interaction between managed
apps and unmanaged apps. See Restrictions settings on page 324.

Attachment handling for Android


For Android devices using an AppConnect-enabled email app, configuring attachment
control allows you to restrict viewing to AppConnect-enabled apps.

Encryption for iOS Docs@Work documents sent as email attachments

On iOS devices, starting with Mobile@Work 5.8, work-related attachments of emails
that the device sends are encrypted. These work-related attachments are Docs@Work
documents, which are documents in the File Shares or Local Files tabs of
Mobile@Work, including the Recent Attachments stored under Local Files. This feature
helps prevent the leaking of sensitive content to unsecured email accounts while
supporting the emailing of documents to work colleagues.

This feature requires all of the following:


You have configured the Standalone Sentry with the email attachment control
option Open only with Docs@Work and protect with encryption.
The device user is using the iOS native email app account that you configured using
an Exchange setting on MobileIron Core. Any other email account is considered a
non-work account.
The email attachment comes from the File Shares or Local Files tabs of
Mobile@Work, including the Recent Attachments stored under Local Files.
You have configured an AppConnect container policy for Mobile@Work (bundle ID
com.mobileiron.builtin.docsatwork) and specified the bundle ID for the iOS native
email app (com.apple.mobilemail) in the Open In whitelist. Without this step, the
Email option is not available when viewing Docs@Work documents.


Mobile@Work encrypts the document when the device user selects it to send as an
attachment. Mobile@Work also appends .secure to the attachment's file name.

The recipient of the email can read the attachment if:


The recipient is a work colleague who is also using Mobile@Work. The received
attachment is encrypted.
The recipient is a non-work contact.
In this case, the attachment that the non-work contact receives is not encrypted.
When Standalone Sentry receives the email from the sending device, it decrypts
the attachment when the email is addressed to a non-work contact. However,
because the email goes through the Sentry, you have a record of the email and the
attachment being sent.

Note: Attachments in emails sent from a non-work account to a non-work recipient
are not readable by the recipient. The reason is that when the user sends the email,
the attachment is encrypted. Since emails from non-work accounts do not go through
the Sentry, Sentry does not decrypt the attachment.

The following table summarizes when the recipient receives an encrypted attachment
and whether the attachment is readable.

                        To work colleague    To non-work colleague
From work account       Encrypted            Not encrypted
                        Readable             Readable
From non-work account   Encrypted            Not encrypted
                        Readable             Not readable

iOS 7 considerations
In iOS 7, the native email client recognizes if a device user is emailing someone in a
domain that matches any of the email accounts. In this case, the email client
automatically changes the from email address to match the recipient's domain.

For example, consider the case when gmail is the default account in the email client,
and the device user emails a work colleague's Exchange account. The email client
automatically changes the from email address to be the device user's Exchange
account. Therefore, in this example, the email is from a work account to a work
account. The attachment is encrypted and the recipient, a work colleague, can read it.

Limitations
Consider the case where you change attachment control handling on MobileIron Core
to no longer be Open only with Docs@Work and protect with encryption. When
Standalone Sentry sends subsequent emails to devices, it no longer encrypts the
emails. However, the devices continue to encrypt Docs@Work attachments in emails
that the user sends. If the recipient is a work colleague, the recipient can still read the
attachment in Mobile@Work. However, non-work recipients cannot read the
attachment. The reason is that the Standalone Sentry no longer decrypts the
attachment in the sent email.


Annotating documents with Docs@Work for iOS


Mobile@Work v5.8 introduces Docs@Work document annotation. You can mark up
documents downloaded from document repositories, such as SharePoint, as well as
mark up documents from email and securely return your feedback to the sender.

Docs@Work supports PDF annotation for the document types supported by the native
iOS PDF viewer, including CSV files and Microsoft Office files such as TXT, DOC, DOCX,
RTF, XLS, XLSX, PPT, and PPTX. When you initiate annotation on a non-PDF file, the
file is exported to PDF and saved to the Local Files folder, where you can annotate it.

Annotations created in Docs@Work can be viewed in other PDF viewers such as Adobe
Acrobat Reader, and Preview in OS X. PDF annotations created in other apps can be
viewed in Docs@Work.

For details on how to initiate annotation on files from different sources, see
Annotating documents in Docs@Work for iOS on page 866.

For details on how to tap and hold to use the annotation feature within Docs@Work,
see Annotating PDFs in Docs@Work on page 871.

See Mobile@Work for iOS Release Upgrade Guide, Version 5.8 for further details.

Single Sign On for Docs@Work


Single Sign On (SSO) for Docs@Work is supported. The device user registers
Mobile@Work with MobileIron Core by entering his MobileIron credentials. Then, the
device user can use the Docs@Work feature to access content servers without having
to enter any further credentials.

To use SSO:
The content server must support authentication using Kerberos Constrained
Delegation (KCD).
Docs@Work must use the AppTunnel feature, configured so that the Standalone
Sentry uses KCD to authenticate the user to the content server.
The content server must be either a Microsoft SharePoint server or IIS-based
WebDAV content repository or Apache-based content repository. MobileIron does not
support KCD with CIFS-based content repositories.

Supported content servers


Docs@Work supports the following content servers:
Microsoft SharePoint 2007
Microsoft SharePoint 2010
Microsoft SharePoint 2013
IIS-based WebDAV content repositories
CIFS Windows 2008 R2 SP1
CIFS Samba CentOS 6.2
Apache-based WebDAV content repositories

To determine whether a specific content repository will function with Docs@Work,
contact the vendor for information on the basis for the WebDAV or CIFS implementation.

Note: Android Secure Apps 5.7 and later versions of the SharePoint Client app support
IIS-based WebDAV content repositories, Microsoft SharePoint 2013, and CIFS-based
content repositories. The SharePoint Client app supports Apache-based WebDAV
content repositories starting with Android Secure Apps 5.9.

Content Server Port Requirements


See the MobileIron Installation Guide for information on required ports and firewall
rules associated with different content servers.

Supported authentication to content servers


Docs@Work supports the following authentication types from the client to the content
server.

Docs@Work for iOS:


Basic
Digest
NTLM
KCD

Docs@Work for Android (the Android SharePoint Client app):


Basic
NTLM
KCD

Supported ActiveSync servers for attachment control


The list of ActiveSync servers that Standalone Sentry supports is in the MobileIron
Sentry Administration Guide. Email attachment control works with all the listed
ActiveSync servers.

Supported devices

iOS devices
To support Docs@Work, including full email attachment control, an iOS device must
have:
iOS 5, iOS 6, or iOS 7
the Mobile@Work for iOS app


Note: Email attachment control works only with the iOS native email client and
supported AppConnect-enabled email apps. For the list of apps, see Supported devices
and email apps on page 422.

Android devices with AppConnect enabled


Android devices running Android Secure Apps 5.7 or later support the Docs@Work
features using the AppConnect technology. See Using AppConnect for Android on
page 625.

Note: Email attachment control can deliver attachments only to supported
AppConnect-enabled apps. For the list of apps, see Supported devices and email apps
on page 422.

Other platform devices


Devices that do not support the Docs@Work feature can support the email attachment
control option to remove attachments from email before delivery to a managed
device. However, because the device user's experience can vary by device, MobileIron
has verified the remove attachments option on the following non-iOS devices:
Android devices and associated email apps as specified in Exchange settings on
page 243.
Windows Phone 7
Windows Phone 8

Docs@Work requirements
The Docs@Work feature requires the following versions of MobileIron products:
VSP 5.0 or later (5.7 or later for CIFS-based content servers)
Standalone Sentry 4.0 or later to support email attachment control (4.7 or later for
CIFS-based content servers)

File viewers
On iOS devices, when Mobile@Work displays files, it uses the native file viewer to
display the contents of different file types. See Supported files in the Mobile@Work
for iOS app on page 580.
On Android devices, the ThinkFree Viewer displays the contents of different file
types. See Document types supported by ThinkFree Document Viewer on
page 631.

SharePoint Prerequisites
To access a SharePoint site from Mobile@Work for iOS or from the SharePoint Client
app on Android devices, a device user must have the correct SharePoint permission
level. The permission level must include the following SharePoint site permission:


Browse Directories - Enumerate files and folders in a Web site using SharePoint
Designer and Web DAV interfaces.

The contribute permission level includes this site permission by default. Therefore,
device users with this permission level or higher can access the SharePoint site. The
read permission level does not include this site permission by default. However, you
can change the read permission level to include this site permission. Another option
is that you can create another read permission level that includes this site
permission.

For more information about SharePoint permission levels, see SharePoint
documentation.

File synchronization (iOS)


Each time the device user views the remote files of a content server, Mobile@Work
syncs the folders and files so that the user sees the latest contents.
Each time the device user views local copies of files on the content server,
Mobile@Work syncs the local files so that their contents reflect the latest
corresponding file on the content server.

Data security (iOS)


When the device user saves local copies of documents or email attachments, the
saved copies are protected by the device's native data encryption.
Note: To enable data encryption on an iOS device, apply a security policy that
requires a password/passcode on the device.
The device user cannot cut and paste data from documents or email attachments
that they view in Mobile@Work into any other app.
Docs@Work is integrated with these features:
quarantining devices
wiping devices
retiring devices
blocking devices from accessing the ActiveSync server
jailbreak detection
When any of these situations occur, the secured documents are no longer available
to the device user. See Impacts of other MobileIron features (iOS) on page 577.


Configuring email attachment control


See Configuring email attachment control on page 427.

Note: For Android devices, a supported AppConnect-enabled email app is required.
For the list of apps, see Supported devices and email apps on page 422.


Configuring Docs@Work for content servers (Android)

Configuring Docs@Work for content server access from Android devices requires the
following tasks:
1. Enable the Docs@Work feature.
See Enable Docs@Work on page 566.
2. Obtain and configure the AppConnect-enabled apps required for Docs@Work.
See For Android, obtain and configure apps on page 566.
This task includes configuring AppConnect and, if preferred, AppTunnel, including
the Single Sign On feature. The AppConnect instructions explain how to configure
the AppConnect configuration and container settings.
Note: Be sure to set up requirements for an AppConnect passcode as part of
configuring the AppConnect global policy.
3. Configure a Docs@Work configuration for each content server.
Be sure to apply labels to each Docs@Work configuration. Applying labels is how
you specify which devices can access the content server.
See Set up Docs@Work configurations on page 567.
4. Configure the option to save passwords on MobileIron Core.
Skip this step if you chose not to use $PASSWORD$ in the password field for the
Docs@Work configuration.
See Set up your preference for saving passwords on MobileIron Core on
page 576.


Configuring Docs@Work for content servers (iOS)

Configuring Docs@Work for content server access from iOS devices requires the
following tasks:
1. Enable the Docs@Work feature.
See Enable Docs@Work on page 566.
2. Set up requirements for an AppConnect passcode, if you require one.
Docs@Work uses certain aspects of the AppConnect feature, including the ability to
require the device user to enter an AppConnect passcode to access the Docs@Work
feature. Set up the passcode requirements in an AppConnect global policy. See
Configuring the AppConnect global policy on page 590.
3. Configure a Docs@Work configuration for each content server.
Be sure to apply labels to each configuration. Applying labels is how you specify
which devices can access the content server.
See Set up Docs@Work configurations on page 567.
4. Configure a Docs@Work policy, if necessary.
A Docs@Work policy is necessary if you want to specify settings that change the
behavior of Mobile@Work for iOS, such as the ability to open documents in apps
other than Mobile@Work. It is also necessary if you want to use AppTunnel for iOS
and if you want to use the Single Sign On feature. Be sure to apply labels to the
policy. Applying labels is how you specify which devices use the policy.
Note: App tunneling is required for CIFS-based content servers.
See For iOS: Set up Docs@Work policies on page 571.
5. Configure the option to save passwords on MobileIron Core.
Skip this step if you chose not to use $PASSWORD$ in the password field for the
Docs@Work configuration.
See Set up your preference for saving passwords on MobileIron Core on
page 576.


Docs@Work setup tasks

Enable Docs@Work
Enable Docs@Work if:
you are supporting viewing documents from content servers.
you are using email attachment control, even if you are not supporting viewing
documents from content servers.

To enable the Docs@Work feature:


1. In the Admin Portal, go to Settings > Preferences.
2. Under Additional Products, select Enable Docs@Work.
Do not select Enable AppConnect For Third-Party And In-House Apps unless you are
also using third-party or in-house AppConnect apps.
3. Click Save.

Caution: For iOS devices, if you disable Docs@Work after it has been enabled, the
Mobile@Work app on each registered iOS device does the following:
Removes all content server configurations, whether the device user added them
manually or you configured them with Docs@Work app settings on MobileIron Core
Removes all local copies of content server files and email attachments
Removes the list of recent attachments

For Android, obtain and configure apps


The apps required for the Docs@Work solution for Android are:
Secure Apps Manager
ThinkFree Document Viewer
File Manager (including the SharePoint client)
An AppConnect-enabled email app

Note: For a description of all the AppConnect apps that MobileIron provides, see:
AppConnect apps that MobileIron provides for Android on page 625
Third-party AppConnect apps that MobileIron provides for Android on page 626

1. Download these apps from:
https://support.mobileiron.com/mi/android-secureapks/current/
Note: Android Email+ is available at:
https://support.mobileiron.com/mi/android-email+/current/
2. Complete the steps for configuring AppConnect for these in-house apps.
See How to configure AppConnect on page 588.


Note: Some of the apps might be duplicates of apps you have already uploaded to
support another MobileIron product. If the app upload fails with a message stating
that the app is already uploaded, skip to the next app.

Set up Docs@Work configurations


Use Docs@Work configurations to specify the content servers that devices can access.
After you create a Docs@Work configuration, apply it to the labels for the appropriate
devices. Device users can also configure access to content servers on the device. For
iOS, they use Mobile@Work. For Android, they use the SharePoint Client app, which is
provided with the File Manager app.

For general information about app settings, see Managing Device Settings with
Configurations on page 229.
To create a Docs@Work configuration:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select Add New > Docs@Work.
3. Use the following guidelines to create or edit a Docs@Work configuration:

Name
Enter brief text that identifies this Docs@Work configuration.

Description
Enter additional text that clarifies the purpose of this Docs@Work configuration.

URL
Enter the URL of a content server site, subsite, library, or folder. The URL may include the port number.
The format of the SharePoint URL is described in Specify the URL of the Docs@Work configuration (SharePoint) on page 570.
For CIFS-based content servers, specify http or https instead of smb for the server URL; this is necessary because Docs@Work currently tunnels only http/https. Also specify the port number. Example: https://cifs1.mycompany.com:445/docs.
Variables are supported, including the following:
$USERID$
$EMAIL$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$

User Name
Specify the user name that the device user uses to access the content server.
Enter one of the following variables: $EMAIL$, $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.
You can also enter a combination of one or more variables and text, such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$.
When the device user attempts to access the content server, the app on the device that handles content server access fills a user name field with the user's information based on the variables you specify in this field. On iOS devices, the app is Mobile@Work for iOS. On Android devices, the app is the SharePoint Client app.
Enter $NULL$ if you want the app on the device that handles SharePoint access to leave the user name field empty, requiring the device user to manually enter the user name.

Password
Specify the password that the device user uses to access the content server.
Enter one of the following variables: $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.
You can also enter a combination of one or more variables and text.
When the device user attempts to access the content server, the app on the device that handles content server access fills a password field with the user's information based on the variables you specify in this field. However, the text is hidden with asterisks.
Enter $NULL$ if you want the app on the device that handles content server access to leave the password field empty, requiring the device user to manually enter the password.
On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices the app is the SharePoint Client app.
Note: If you include $PASSWORD$, enable Save User Password. See Set up your preference for saving passwords on MobileIron Core on page 576.

Priority Folders
Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: Select to automatically download the latest version of files in a specified folder. See Implementing priority folders on page 569 for more information on priority folders.

Update Interval
Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: Specify the period of time that Docs@Work should wait before checking for changes in the priority folder.
Enter a number greater than zero in the text box. Select Minutes, Hours, or Days from the dropdown list.

Update Method
Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: If you want to restrict downloading of folder updates to Wi-Fi, then select Wi-Fi only. If you want to permit downloading of folder updates by means of Wi-Fi or cellular network, then select Wi-Fi or Cellular.
Restricting downloads to Wi-Fi can help ensure optimized billing, but will delay downloads until the update interval coincides with Wi-Fi access.

Allow Users to Save Password
Select this field to give the device user the option to save content server passwords on the device. If the user chooses to save a content server password, the app on the device that handles content server access does not present a login screen to the user when the user next accesses the content server.
On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices the app is the SharePoint Client app.
If this option and the Save User Passwords option (Settings > Preferences) are enabled, then the Remember Password option is automatically selected in the Remote Shares screen on the device.

4. Click Save.
5. Select the new Docs@Work configuration.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this configuration.

Implementing priority folders


The Priority Folder feature enables iOS device users to automatically download the
latest version of files in a specified folder in the Docs@Work content repository. This
gives device users offline access to these files. Priority folders display separately from
remote folders.

Note the following:


This feature requires VSP version 5.9.1.
Only the files in the folder specified in the Docs@Work configuration are downloaded; subfolders and their files are not downloaded.
Use multiple Docs@Work configurations to define multiple priority folders.
Use separate Docs@Work configurations to specify remote folders.
New and changed files are automatically downloaded to the device after the specified interval. If Docs@Work is unable to access the content repository when the interval has elapsed, the download will start as soon as access is restored.
The device user can tap on an unsynchronized file while the priority folder is downloading to move that file to the top of the priority list for download.
Any changes made to the file on the device will not be updated to the target folder.
The first time a device user launches Docs@Work after receiving the priority folder configuration, the folder displays as Never Updated until the downloading of files has completed.
If the Docs@Work configuration does not specify the credentials necessary for accessing the content repository, then the device user must enter valid credentials to continue the download.
Documents that are pending download or in the process of downloading have a blue icon.
Documents that have been downloaded or updated display with a green icon to indicate that they have been synchronized with the content repository.
When a cellular or Wi-Fi connection is not available, the documents display with a gray icon, indicating offline access.

Specify the URL of the Docs@Work configuration (SharePoint)


For SharePoint, the URL that you enter in the URL field of the Docs@Work
configuration specifies one of the following:
A SharePoint site
A SharePoint subsite
A SharePoint library
A SharePoint folder

The URL includes a hierarchical list of names that drills down to the site, subsite,
library, or document you want the device user to access. This URL is not the same as
the URL that you see in a web browser open to the same site, subsite, library, or
document.

For example, use:
https://companySharePointSite.com
This example specifies the root SharePoint site.
https://companySharePointSite.com/Marketing
This example specifies the Marketing subsite in the root SharePoint site.
https://companySharePointSite.com/Marketing/Demo
This example specifies the Demo subsite within the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments
This example specifies the NewProductDocuments library in the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures
This example specifies the TopFeatures folder in the NewProductDocuments library.


Note:
Do not copy the URL you see in a browser's URL address bar into this field. The URL
in this field is not the same as the browser's URL. For example, for the root site on
Microsoft SharePoint 2010, the browser's URL field appears as:
https://companySharePointSite.com/SitePages/Home.aspx
In this field, you specify:
https://companySharePointSite.com
A valid URL does not contain spaces or certain special characters. For example, a
space is entered in a valid URL as %20. That is, instead of entering:
https://companySharePointSite/Shared Documents
Enter:
https://companySharePointSite/Shared%20Documents
Such substitutions are known as URL encoding.
The URL can include these variables: $USERID$, $EMAIL$, $USER_CUSTOM1$,
$USER_CUSTOM2$, $USER_CUSTOM3$, and $USER_CUSTOM4$.
Combinations of text and variables are supported, as shown in the following
example:
https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$
When using these variables, make sure the URL still specifies a SharePoint site,
subsite, library, or folder.
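The URL rules above (variable substitution, http/https only, no browser page URLs, %20 encoding), as an added Python example that is not MobileIron's code: it renders a Docs@Work URL template from a constructed user record and rejects templates that can never be a valid content server URL. The SAMPLE_USER record, the function names and the .aspx check are assumptions of the example, not checks that MobileIron Core performs.

```python
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Variables this page lists as valid in the URL field of a Docs@Work configuration.
URL_VARIABLES = {
    "$USERID$", "$EMAIL$",
    "$USER_CUSTOM1$", "$USER_CUSTOM2$", "$USER_CUSTOM3$", "$USER_CUSTOM4$",
}
_VAR_RE = re.compile(r"\$[A-Z0-9_]+\$")

# Constructed stand-in for the user attributes MobileIron Core would supply (assumption).
SAMPLE_USER = {
    "$USERID$": "jdoe",
    "$EMAIL$": "jdoe@example.com",
    "$USER_CUSTOM1$": "Marketing",
    "$USER_CUSTOM2$": "", "$USER_CUSTOM3$": "", "$USER_CUSTOM4$": "",
}


def render_docs_at_work_url(template, user):
    """Substitute Core user variables into a URL template and normalize it.

    Raises ValueError when the template can never be a valid content server URL
    under the rules on this page (wrong scheme, browser page URL, bad variable).
    """
    def substitute(match):
        name = match.group(0)
        if name not in URL_VARIABLES:
            # $PASSWORD$ and $NULL$ belong in other fields, never in the URL.
            raise ValueError(f"variable {name} is not supported in the URL field")
        return user[name]

    rendered = _VAR_RE.sub(substitute, template)
    parts = urlsplit(rendered)

    # Docs@Work tunnels only http/https; a CIFS share is entered as https://host:445/...
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} is not allowed; use http or https")
    if not parts.hostname:
        raise ValueError("URL has no hostname")

    # .../SitePages/Home.aspx is what a browser shows for the root site; the field
    # wants the site itself. Heuristic added by this example, not a Core check.
    if parts.path.lower().endswith(".aspx"):
        raise ValueError("browser page URL; enter the site, subsite, library, or folder")

    # URL-encode every path segment so "Shared Documents" becomes "Shared%20Documents".
    # Decoding first keeps an already-encoded %20 from becoming %2520.
    segments = [quote(unquote(seg), safe="") for seg in parts.path.split("/")]
    path = "/".join(segments).rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def rejected_reason(template, user=SAMPLE_USER):
    """Return why a template is rejected, or None when it renders cleanly."""
    try:
        render_docs_at_work_url(template, user)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for tmpl in (
        "https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$",
        "https://companySharePointSite/Shared Documents",
        "https://cifs1.mycompany.com:445/docs",
        "smb://cifs1.mycompany.com/docs",
        "https://companySharePointSite.com/SitePages/Home.aspx",
    ):
        print(tmpl, "->", rejected_reason(tmpl) or render_docs_at_work_url(tmpl, SAMPLE_USER))
```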

For iOS: Set up Docs@Work policies


Docs@Work policies specify settings that change the behavior of Mobile@Work for
iOS. You can also specify AppTunnel settings. Use AppTunnel if you want a secure
network connection to your content servers or if you need to support a CIFS-based
content server. You also use AppTunnel to provide the Single Sign On feature using
Kerberos Constrained Delegation.

Note: For Android devices, you address these requirements as part of the AppConnect
configuration. The AppConnect instructions explain how to configure the AppConnect
app configuration and container settings.

For general information about policies, see Managing Policies on page 173.
To configure a Docs@Work policy:
1. If you intend to use AppTunnel with Docs@Work for iOS, set up AppTunnel.
Note: App tunneling is required for CIFS-based content servers.
See Adding AppTunnel or Advanced AppTunnel support on page 588. Note that
steps that apply to separate AppConnect apps do not apply to Docs@Work for iOS.
For example, you do not create an AppConnect container policy for Docs@Work for
iOS.
2. In the Admin Portal, select Policies & Configs > Policies.
3. Edit the default Docs@Work policy, or select Add New > Docs@Work to create a
new one.


4. Use the following guidelines to configure the Docs@Work policy:

Item Description Default Policy Setting


Name Required. Enter a descriptive name for Default Docs@Work
this policy. This is the text that will be Policy
displayed to identify this policy through-
out the Admin Portal. This name must be
unique within this policy type.
Tip: Though using the same name for
different policy types is allowed (e.g.,
Executive), consider keeping the names
unique to ensure clearer log entries.
Status Select Active to turn on this policy. Active
Select Inactive to turn off this policy.
Priority Specifies the priority of this custom pol-
icy relative to the other custom policies
of the same type. This priority deter-
mines which policy is applied if more
than one policy is associated with a spe-
cific device. Select Higher than or
Lower than, then select an existing
policy from the dropdown list. For exam-
ple, to give Policy A a higher priority
than Policy B, you would select Higher
than and Policy B. See Prioritizing
Policies.
Because this priority applies only to cus-
tom policies, this field is not enabled
when you create the first custom policy
of a given type.
Description Enter an explanation of the purpose of Default
this policy.

Company Confidential
572
Docs@Work

Item Description Default Policy Setting


Allow Open In Select this field if you want to allow Not selected
device users to:
Open documents that they are view-
ing in Mobile@Work in other apps.
Email documents that they are view-
ing in Mobile@Work.

This option applies to all the documents


that they view in Mobile@Work:
Remote files on a content server
Email attachments
Note: Consider the case when the
Standalone Sentrys attachment con-
trol settings restrict attachment view-
ing to Mobile@Work. In this case,
when the device user opens the
attachment from the email, it opens
in Mobile@Work. From there, the user
has the option to open the document
in other applications.
Local copies you made of content
server files and email attachments.
Note: You can use the AppConnect
global policy to specify which apps can
be used to open documents.
AppTunnel Configure AppTunnel settings, if necessary, for the Docs@Work
feature of Mobile@Work. These settings specify the URLs that
Docs@Work should direct to the AppTunnel Sentry.
When Mobile@Work tries to connect to the URL configured
here, the Sentry creates a tunnel to the content server.

Company Confidential
573
Docs@Work

Item Description Default Policy Setting


URL Wildcard (default: None): Enter one of the following:
a content server's hostname. Example: finance.yourcompany.com
a hostname with wildcards. The wildcard character is *. Example: *.yourcompanyname.com
If Mobile@Work requests to access this hostname, the Sentry tunnels the data to the content server. The Sentry and Service fields that you specify in this AppTunnel row determine the target content server.
Note:
The Docs@Work policy applies only to iOS devices, for which only the hostname, not the port number, determines whether the data is tunneled.
A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>. Unlike services with specific service names, these services do not have associated content servers. The Sentry tunnels the data to the content server that has the URL that Mobile@Work specified.
The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname that Mobile@Work requested is chosen. That row determines the Sentry and Service to use for tunneling. Place rows with specific hostnames before any wildcard row that would also match them; otherwise the wildcard row is chosen and the specific row, with its named Sentry service, is never used.
Do not include a URI scheme, such as http:// or https://, in this field.

Port (default: None): Enter the port number that Mobile@Work requests to access. The Docs@Work policy applies only to iOS devices, for which only the hostname, not the port number, determines whether the data is tunneled. Nevertheless, entering a port number in this field is required when both of the following are true:
The hostname in the URL Wildcard field does not contain a wildcard.
The service is not <ANY> or <CIFS_ANY>.
Sentry (default: None): Select a Sentry configured for app tunneling from the drop-down list.
Service (default: None): Select a service name from the drop-down list.
Note: If you entered a URL with wildcards in the URL Wildcard field, you can only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY> service must be configured in the App Tunneling Configuration section of the Sentry configured for app tunneling.
If the service on the Sentry is configured with its Server Auth set to Kerberos, Docs@Work uses Single Sign On. That is, the device user does not enter any further credentials when Docs@Work accesses the content server.
Identity Certificate (default: None): Select the Certificate or the SCEP profile that you created for app tunneling. For more information, see SCEP settings on page 301 and Certificates settings on page 300.

5. Click Save.
6. Select the new Docs@Work policy.
7. Select More Actions > Apply To Label.
8. Select the labels to which you want to apply this policy.
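The following Python model is an added worked example, not code from the MobileIron guide or product. It shows how the AppTunnel rows described above are evaluated: only the hostname of the requested URL is compared (scheme, port and path are ignored, as the guide states for iOS), the first matching row wins, a wildcard hostname is accepted only with <ANY> or <CIFS_ANY>, Port is required only for a non-wildcard hostname with a named service, and a URI scheme in URL Wildcard is rejected. The shadowing check in validate_rows is this example's own addition, derived from the first-match rule. Wildcard matching is modelled as a case-insensitive glob, which is an assumption about Sentry's matching; the hostnames, Sentry name and service names are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Service names that the guide allows with a wildcard hostname.
SPECIAL_SERVICES = {"<ANY>", "<CIFS_ANY>"}


@dataclass
class AppTunnelRow:
    """One AppTunnel row of a Docs@Work policy, with the field names used in the guide."""
    url_wildcard: str
    sentry: str
    service: str
    port: Optional[int] = None


def validate_row(row: AppTunnelRow) -> List[str]:
    """Return the per-row rule violations described in the guide (empty list if the row is valid)."""
    problems = []
    host = row.url_wildcard
    if "://" in host:
        problems.append(f"{host!r}: do not include a URI scheme in URL Wildcard")
    has_wildcard = "*" in host
    if has_wildcard and row.service not in SPECIAL_SERVICES:
        problems.append(f"{host!r}: a wildcard hostname works only with <ANY> or <CIFS_ANY>, not {row.service}")
    if not has_wildcard and row.service not in SPECIAL_SERVICES and row.port is None:
        problems.append(f"{host!r}: Port is required for a non-wildcard hostname with a named service")
    return problems


def validate_rows(rows: List[AppTunnelRow]) -> List[str]:
    """Per-row checks plus an ordering check that is this example's own addition, not a guide rule:
    a wildcard row placed before a row it also matches makes the later, more specific row unreachable."""
    problems = []
    for row in rows:
        problems.extend(validate_row(row))
    for i, earlier in enumerate(rows):
        if "*" not in earlier.url_wildcard:
            continue
        for later in rows[i + 1:]:
            if fnmatch.fnmatchcase(later.url_wildcard.lower(), earlier.url_wildcard.lower()):
                problems.append(f"{later.url_wildcard!r} is shadowed by the earlier wildcard row {earlier.url_wildcard!r}")
    return problems


def resolve(rows: List[AppTunnelRow], requested_url: str) -> Optional[AppTunnelRow]:
    """First row whose URL Wildcard matches the requested hostname.
    Only the hostname is compared (the guide's iOS behaviour); scheme, port and path are ignored.
    Wildcard matching is modelled as a case-insensitive glob (assumption about Sentry's matching)."""
    host = (urlsplit(requested_url).hostname or "").lower()
    for row in rows:
        if fnmatch.fnmatchcase(host, row.url_wildcard.lower()):
            return row
    return None


# Constructed sample rows: hostnames, Sentry and service names are hypothetical.
GOOD_ROWS = [
    AppTunnelRow("finance.yourcompany.com", "sentry1.yourcompany.com", "FINANCE_SHARE", port=445),
    AppTunnelRow("*.yourcompany.com", "sentry1.yourcompany.com", "<CIFS_ANY>"),
]
BAD_ROWS = [
    AppTunnelRow("*.yourcompany.com", "sentry1.yourcompany.com", "<CIFS_ANY>"),
    AppTunnelRow("https://finance.yourcompany.com", "sentry1.yourcompany.com", "FINANCE_SHARE"),
]

if __name__ == "__main__":
    for url in ("https://finance.yourcompany.com:8443/docs", "http://hr.yourcompany.com/", "https://example.org/"):
        row = resolve(GOOD_ROWS, url)
        print(url, "->", row.service if row else "not tunneled")
    for problem in validate_rows(BAD_ROWS):
        print("BAD_ROWS:", problem)
```

In GOOD_ROWS the specific finance row precedes the wildcard row, so finance traffic reaches its named service while everything else under the domain falls through to <CIFS_ANY>. BAD_ROWS reverses the order and also carries a scheme and a missing port, and validate_rows reports all three problems.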

Set up your preference for saving passwords on MobileIron Core
If you use the $PASSWORD$ variable in your Docs@Work configurations (or other
configurations such as the Exchange configuration), do the following:
1. Go to Settings > Preferences in the Admin Portal.
2. Select Yes for Save User Password.
Selecting Yes means that MobileIron Core keeps the user password and can pass it
to the device. For example, when Mobile@Work displays the screen for logging into
a remote share, the password field is filled in.
3. Click Save.

Caution: If you plan to use the $PASSWORD$ field in any configurations, be sure to set Save User Password to Yes before any device users register. Device users who registered before you set Save User Password to Yes will have to log in to the MyPhone@Work web portal. Logging in to the MyPhone@Work web portal provides the user's password to MobileIron Core.

Impacts of other MobileIron features (iOS)

Quarantine impact on documents


MobileIron Core takes a compliance action on a device if the device violates a security
policy that you specify. One compliance action that you can configure is to quarantine
the device. Quarantine means that the device user no longer has access to corporate
resources, such as email and WiFi.

Regarding the Docs@Work feature, if a device is quarantined, Mobile@Work does the following:
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and File Shares tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
Removes the content server entries that you created with Docs@Work configura-
tions on MobileIron Core, depending on the compliance action that you configured.
When you create a compliance action that specifies quarantine, you can choose
whether to remove the configurations from the device. Removing the configurations
includes removing any Docs@Work configurations. Since the Docs@Work configu-
rations specify content servers, Mobile@Work removes the content server entries.
If the user had saved the content server password, Mobile@Work removes it, too.
See Set up Docs@Work configurations on page 567.

When the device is no longer quarantined, Mobile@Work makes the Local Files and
Files Shares tabs available again. Docs@Work configurations are restored, and the
user can once again access the content servers that you configured. However, if the
user had saved the content server password, Mobile@Work no longer has it. The user
will have to re-enter it.

You can also create a quarantine action that retires AppConnect apps on iOS devices.
Retiring an AppConnect app makes it unauthorized and deletes (wipes) all its secure
data. This compliance action also blocks and wipes the data of the Docs@Work fea-
tures in Mobile@Work.

Retire and wipe impact on documents


When you retire or wipe a device, Mobile@Work does the following regarding the
Docs@Work feature:
Removes all content server configurations, whether the device user added them
manually or you created them with Docs@Work configurations on MobileIron Core
Removes all local copies of content server files and email attachments
Removes the list of recent attachments

Block impact on documents


Devices can be blocked from accessing the ActiveSync server and AppConnect apps.
You can cause a device to be blocked by doing the following:
Configure a security policy to automatically block a device if it violates certain set-
tings in the policy. This action blocks email and AppConnect apps.
Configure an ActiveSync policy to automatically block a device from accessing email
if it violates certain settings in the policy.
Manually block the device from accessing email.

Blocking a device impacts the Docs@Work features. Specifically, Mobile@Work does the following:
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and File Shares tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments

When the device is no longer blocked, Mobile@Work makes the Local Files and File
Shares tabs available again.

Jailbreak impact on documents


If the device user jailbreaks the device, Mobile@Work does the following regarding the
Docs@Work feature:
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and File Shares tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments

Mobile@Work notifies MobileIron Core that the device is jailbroken. Core takes further
actions depending on the security policy that you configured.

When the device is no longer jailbroken, Mobile@Work makes the Local Files and File
Shares tabs available again.

Impacts of other MobileIron features (Android)


See Lock, unlock, and retire impact on AppConnect for Android on page 633.

Supported files in the Mobile@Work for iOS app


Mobile@Work uses the native file viewer that iOS provides to display the contents of
different file types. The following list shows the types of documents that Mobile@Work
can display:

Microsoft Word documents (.doc, .docx)
Microsoft Excel documents (.xls, .xlsx)
Microsoft PowerPoint documents (.ppt, .pptx)
Adobe Acrobat documents (.pdf)
Rich Text Format files (.rtf)
Rich Text Format directory (.rtfd.zip)
Image files (.png, .bmp, .jpg, .jpeg, .gif, .tiff)
CSS stylesheet files (.css)
Plain text files (.txt)
Apple Pages documents (.pages, .pages.zip)
Apple Numbers spreadsheet files (.numbers, .numbers.zip)
Apple Keynote presentation files (.key, .key.zip)
AVI video files (.avi)
QuickTime video files (.mov)
MPEG4 audio/video files (.mp4)
MPEG2 audio/video files (.mpeg)
WAV files (.wav)
MP3 audio files (.mp3)

If a user tries to open a file that Mobile@Work does not support, Mobile@Work dis-
plays an error message.

Some files that the device user cannot view in Mobile@Work are:
executable files (for example, .exe, .msi, or .ipa files)
archive files (for example, .zip, .rar, or .tar files)
system files (for example, .dll or .sys files)

Note: For information about default file types that Standalone Sentry does not apply
email attachment control to, see Default file name exclusion list on page 430.

Chapter 16

AppConnect
About AppConnect
How to configure AppConnect
AppConnect configuration tasks
Managing AppTunnel
Using AppConnect for Android
Using AppConnect for iOS

About AppConnect
AppConnect is a MobileIron feature that containerizes apps to protect data on the
device. Each AppConnect-enabled app becomes a secure container whose data is
encrypted, protected from unauthorized access, and removable. Because each user
has multiple business apps, each app container is also connected to other secure app
containers. This connection allows the AppConnect-enabled apps to share data, like
documents. MobileIron Core uses policies to manage the AppConnect-enabled apps.

What are AppConnect-enabled apps?


AppConnect-enabled apps are apps that have been containerized using one of the fol-
lowing methods:
wrapping (iOS and Android)
AppConnect SDK (iOS)

You configure the set of AppConnect-enabled apps by using the Admin Portal. You also
configure which AppConnect-enabled apps are available to which devices. Once
installed and configured on the device, AppConnect-enabled apps are called secure
apps. Secure apps can share data only with other secure apps. Unsecured apps can-
not access the data.

With a single sign-on, the device user can access all the secure apps. On the Admin
Portal, you configure the rules for the single sign-on passcode. This passcode is called
the AppConnect passcode or the secure apps passcode. The AppConnect passcode is
not the same as the passcode used to unlock the device.

Secure apps from MobileIron


Web@Work is an example of a MobileIron app that is a secure app using AppConnect.
The apps that comprise the Docs@Work solution (Mobile@Work on iOS, and a suite of
apps on Android) are also secure apps using AppConnect. Configuring these secure
apps as part of your AppConnect offering does not require a separate AppConnect
license.

AppConnect and third-party/in-house secure apps


Third-party providers can work with MobileIron to wrap their apps. For iOS apps, they
can use the AppConnect SDK to develop secure apps. These apps are called third-
party secure apps. Likewise, your organization can develop an in-house secure app
and submit it to MobileIron for wrapping or use the AppConnect SDK for iOS. These
apps are called in-house secure apps.

Configuring these apps as part of your AppConnect offering requires the purchase of a
separate AppConnect license.

Note: You cannot wrap an app that you get from Google Play or the Apple App Store.

See the following for details about how to wrap an app or how to develop an app using
the AppConnect for iOS SDK:

MobileIron AppConnect for iOS App Wrapping Developer's Guide
MobileIron AppConnect for iOS SDK App Developer's Guide
MobileIron AppConnect for Android App Wrapping Developer's Guide

AppConnect and AppTunnel


MobileIron AppTunnel provides secure tunneling and access control to protect app
data as it moves between the device and corporate data sources. App-by-app session
security protects the connection between each app container and the corporate net-
work. AppTunnel is particularly useful when an organization does not want to open up
VPN access to all apps on the device. This feature requires a Standalone Sentry con-
figured to support app tunneling.

Standard AppTunnel
Standard AppTunnel tunnels HTTP/S connections between an iOS or Android AppCon-
nect-enabled app and a corporate data source. Contact the application vendor or
developer to find out if the app works with standard AppTunnel.

Advanced AppTunnel
Advanced AppTunnel tunnels TCP connections between an app and a corporate data
source.

On iOS devices, one use case of Advanced AppTunnel is to support TCP tunneling for
iOS managed apps. Since AppConnect apps are iOS managed apps, Advanced
AppTunnel also supports TCP tunneling for iOS AppConnect apps. The MobileIron Tun-
nel app must be installed on the iOS device.

On Android devices, Advanced AppTunnel supports AppConnect-enabled hybrid web apps starting with Android Secure Apps 6.0. Contact the application vendor or developer to find out if the app works with Advanced AppTunnel.

AppConnect apps and Single Sign On


Single Sign On (SSO) for AppConnect apps provides a better user experience for
device users. A device user registers Mobile@Work with MobileIron Core by entering
his MobileIron credentials. Then, the device user can use an AppConnect app to
access an enterprise app server without having to enter any further credentials.

To use this feature, the app must do the following:
Use the AppTunnel feature, configured for authenticating the user to the enterprise server using Kerberos Constrained Delegation (KCD).
Interact with an enterprise server that supports authentication using KCD.

All AppConnect apps can use this feature, including:
Android third-party AppConnect apps
iOS third-party AppConnect apps built with the AppConnect for iOS SDK 1.5 or later
Web@Work for iOS, version 1.1.1 and later
Web@Work for Android, version 1.1 and later
The Docs@Work feature in Mobile@Work for iOS
The Android SharePoint client app

Note: MobileIron does not support KCD with CIFS-based content servers.

App-specific configuration from MobileIron Core


On the Admin Portal, you can configure settings that are specific to an AppConnect app. Because MobileIron Core provides these settings to the app, device users do not have to manually enter configuration details that an AppConnect app requires. Automating the configuration gives each user a better experience when installing and setting up apps, reduces support calls for the enterprise, and protects the app against misconfiguration. This feature is also useful for apps that, for security reasons, must not let device users supply certain configuration settings themselves.

Each AppConnect app's documentation should specify the necessary configuration for the app.

What operating systems support AppConnect?


AppConnect is currently available for iOS and Android. Due to the fundamental differ-
ences in these two operating systems, there are some differences in the way AppCon-
nect works and the way in which you configure AppConnect for each operating
system.

AppConnect for Android


MobileIron supports AppConnect for Android by wrapping Android apps written in Java. Details are in the MobileIron AppConnect for Android App Wrapping Developer's Guide.

Supported Android devices


AppConnect on Android is supported on devices with 32-bit ARM processors that are
running Android 2.3 through 4.4.

Some AppConnect for Android features require one of the more recent Android ver-
sions. These exceptions are noted in specific feature descriptions.

Note: AppConnect and AppConnect with AppTunnel are not supported with Samsung
KNOX. AppConnect apps can run outside of the KNOX container.

Component compatibility
To run Android secure apps, the device must be running the following:
Version 5.7 or later of the Mobile@Work for Android app
Version 5.7 or later of the Secure Apps Manager

The following table summarizes which Secure Apps Manager versions are compatible with specific Mobile@Work versions:

                            Mobile@Work 5.7.x   Mobile@Work 5.9.x   Mobile@Work 6.0
Secure Apps Manager 5.7.x   Supported           Not supported       Not supported
Secure Apps Manager 5.9.x   Not supported       Supported           Supported
Secure Apps Manager 6.0     Not supported       Supported           Supported

The following table summarizes which Secure Apps Manager versions are compatible with apps wrapped with specific wrapper versions:

                            Wrapper 5.7.x       Wrapper 5.9.x       Wrapper 6.0
Secure Apps Manager 5.7.x   Supported           Not supported       Not supported
Secure Apps Manager 5.9.x   Not supported       Supported           Not supported
Secure Apps Manager 6.0     Not supported       Supported           Supported

The Mobile@Work app and the Secure Apps Manager


Two MobileIron apps work together on the Android device to support AppConnect.
Together, they provide the security and management of all the AppConnect apps.

These MobileIron apps are:


the Mobile@Work for Android app
the Secure Apps Manager

The Mobile@Work for Android app is the next version of the MyPhone@Work app. This
app provides all the features that MyPhone@Work provided, plus support of AppCon-
nect apps.

The Secure Apps Manager works with the Mobile@Work for Android app to support
AppConnect apps. For example, the Secure Apps Manager provides a list of all
AppConnect apps on the device. The device user can launch an AppConnect app from
this list, from the device app list, or from a shortcut on the home screen. On the
device, the apps are called secure apps.

Data loss prevention for secure apps for Android


You determine whether device users can take screen captures of protected data. You
also determine whether AppConnect apps can access camera photos or gallery
images, and whether they can stream media to media players. Starting with Secure
Apps 5.9 for Android, you can also specify copy/paste restrictions and a web browser
policy.
Note: Document interaction (Open In) is always restricted to all AppConnect apps for
Android.

Data encryption for secure apps for Android


Application data on the device is encrypted. Prior to Android Secure Apps 5.9, AES-128 encryption (which uses a key size of 128 bits) is used. Starting with 5.9, AES-256 encryption (which uses a key size of 256 bits) is used. The encryption key is not stored on the device. It is programmatically derived, in part from the device user's AppConnect passcode. Therefore, the application data remains protected even on a device that becomes compromised, to the extent that the AppConnect passcode resists guessing: because the key is derived from the passcode, the Passcode Type and Minimum Passcode Length that you set in the AppConnect global policy bound the work an attacker who copies the encrypted data must do to recover it.

Special badging for secure apps for Android


An Android device user recognizes that an app is a secure app because its icon is overlaid with a special badge.

AppConnect for iOS


AppConnect for iOS is built into the Mobile@Work for iOS app. No separate Secure
Apps Manager is required.

Note:
AppConnect for iOS works on devices running iOS 7 and iOS 7.1 only if:
The app is built with AppConnect for iOS SDK version 1.6 or later or the app is
wrapped with the AppConnect for iOS Wrapper version 1.8 or later.
Mobile@Work 5.7.4 through 5.10 for iOS is running on the device.
AppConnect for iOS apps wrapped with AppConnect for iOS Wrapper Library 2.1 are
not supported on iOS 5.x devices.

Data loss prevention for secure apps for iOS


You determine whether an app can use the iOS pasteboard, the document interaction
feature (Open In), or print. AppConnect for iOS uses this information to limit the apps
functionality to prevent data loss through these features.

Data encryption for secure apps for iOS


AppConnect-related data, such as app configuration and policies, is encrypted on the
device.

The data of AppConnect apps also is encrypted on the device as follows.


For devices running a Mobile@Work for iOS release prior to 5.7:
AppConnect app data stored in the iOS file system is encrypted only when both of
the following are true:
the app uses iOS data protection APIs.
the device has a device passcode.
Note: Wrapped AppConnect for iOS apps use this encryption mechanism regardless
of the Mobile@Work release.
For devices running a Mobile@Work for iOS release starting with 5.7:
AppConnect apps built starting with the AppConnect for iOS SDK version 1.5 support encryption without dependencies on a device passcode. For these apps, the app determines which files are secure. The app encrypts the data in those files, but file names and paths are not encrypted.
This data encryption is supported when Mobile@Work for iOS is registered with VSP 5.5 through 6.0.
The encryption key is not stored on the device. It is programmatically derived, in part from the device user's AppConnect passcode. Encrypted files cannot be decrypted without the AppConnect passcode or the user's full MobileIron login credentials.
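Both encryption descriptions above (Android and iOS) state that the key is derived in part from the AppConnect passcode rather than stored on the device. The following Python example is added here and is not MobileIron code; it shows what that design means for an attacker who copies encrypted app data off a compromised device: the derived key is only as strong as the passcode behind it. MobileIron does not publish its derivation function, so PBKDF2-HMAC-SHA256 with a per-device salt is an assumed stand-in, and the iteration count is set far below anything a real deployment would use so that the demonstration runs in seconds. The passcode, salt and key-check value are constructed.

```python
import hashlib
import hmac
import itertools
import math
import string

# Illustrative parameters only: MobileIron's KDF and iteration count are not documented.
ITERATIONS = 100
KEY_LEN = 32  # AES-256 key size in bytes, as the guide states for Secure Apps 5.9 and later


def derive_key(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Assumed stand-in for a passcode-derived key: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Short verifier an app could store to confirm a derived key without storing the key itself."""
    return hmac.new(key, b"appconnect-key-check", "sha256").digest()[:8]


def recover_numeric_passcode(salt: bytes, check: bytes, length: int):
    """Offline guess of a numeric passcode from the stored verifier.
    Returns (passcode, guesses) on success or (None, guesses) if the space is exhausted."""
    guesses = 0
    for digits in itertools.product("0123456789", repeat=length):
        guesses += 1
        candidate = "".join(digits)
        if hmac.compare_digest(key_check_value(derive_key(candidate, salt)), check):
            return candidate, guesses
    return None, guesses


def keyspace_bits(passcode_type: str, length: int) -> float:
    """Upper bound on passcode entropy for the types selectable in the AppConnect global policy."""
    alphabet = {"numeric": 10, "alphanumeric": len(string.ascii_letters + string.digits)}[passcode_type]
    return length * math.log2(alphabet)


# Constructed scenario: a 4-digit numeric AppConnect passcode (4 is the policy's default minimum length).
SALT = bytes.fromhex("8f1a3c5e7b9d0246a1b2c3d4e5f60718")
USER_PASSCODE = "7391"
STORED_CHECK = key_check_value(derive_key(USER_PASSCODE, SALT))

if __name__ == "__main__":
    found, tries = recover_numeric_passcode(SALT, STORED_CHECK, 4)
    print(f"recovered {found} after {tries} guesses")
    print(f"4-digit numeric: {keyspace_bits('numeric', 4):.1f} bits; "
          f"8-char alphanumeric: {keyspace_bits('alphanumeric', 8):.1f} bits")
```

With a 4-digit numeric passcode the whole space is a few thousand derivations, so a real iteration count slows the attack by a constant factor but cannot rescue it; the policy fields Passcode Type and Minimum Passcode Length are what move the keyspace from about 13 bits to the 47 bits of an 8-character alphanumeric passcode.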

How to configure AppConnect


The steps required to configure AppConnect depend on which aspects you intend to
enable and deploy.

Basic configuration
Complete the following steps to implement a basic AppConnect configuration:
1. Add the MobileIron secure apps you intend to deploy.
These are AppConnect apps provided by MobileIron.
See Adding secure apps for deployment on page 590.
2. Configure the AppConnect Global policy.
See Configuring the AppConnect global policy on page 590.
3. Configure the AppConnect Container policy.
See Configuring AppConnect container policies on page 603.
4. Enable any MobileIron secure apps you intend to deploy.
See Enabling MobileIron secure apps on page 607.

Adding third-party and in-house secure apps


If you intend to deploy secure apps developed by your organization or a third-party
provider, complete the following steps:
1. Complete the steps in Basic configuration on page 588.
2. Enable AppConnect third-party and in-house apps.
See Enabling AppConnect third-party and in-house apps on page 607.

Adding AppTunnel or Advanced AppTunnel support


If you intend to secure the data that moves between your secure apps and your cor-
porate data sources, complete the following steps:
1. Complete the steps in Basic configuration on page 588.
2. Complete the steps in Adding third-party and in-house secure apps on page 588,
if applicable.
3. Set up a SCEP setting or certificates setting for authenticating devices to the Sen-
try.
See Certificates settings on page 300 or SCEP settings on page 301.
Note: Do not assign labels to the setting to distribute it to the appropriate devices.
You will configure an AppConnect app configuration to refer to the setting. That
action distributes the setting to the appropriate devices.
4. Configure an AppTunnel service.
See Configuring an AppTunnel service on page 608
This step includes setting up the Standalone Sentry for AppTunnel support and
specifying the device and server authentication type. For an app to use Single Sign
On, you use Kerberos Constrained Delegation for authentication.

Company Confidential
588
AppConnect

5. Configure an AppConnect app configuration.
See Configuring an AppConnect app configuration on page 614.
6. Enable AppTunnel, if you are deploying third-party or in-house apps.
See Enabling AppTunnel on page 621.
7. Configure the Open With Secure Email App option.
See Configuring the Open With Secure Email App option on page 621.

Adding compliance actions


You have the option of specifying AppConnect compliance actions as part of a security
policy. To specify these compliance actions:
1. Complete the steps in Basic configuration on page 588.
2. Complete the steps in Adding third-party and in-house secure apps on page 588,
if applicable.
3. Complete the steps in Adding AppTunnel or Advanced AppTunnel support on
page 588, if applicable.
4. Configure compliance actions.
See Configuring compliance actions on page 621.

Company Confidential
589
AppConnect

AppConnect configuration tasks


This section details the configuration tasks related to AppConnect configuration. See
How to configure AppConnect on page 588 to determine which tasks you need to
complete and in what order.
Adding secure apps for deployment
Configuring the AppConnect global policy
Configuring AppConnect container policies
Enabling MobileIron secure apps
Enabling AppConnect third-party and in-house apps
Configuring an AppTunnel service
Configuring an AppConnect app configuration
Enabling AppTunnel
Configuring the Open With Secure Email App option
Configuring compliance actions

Adding secure apps for deployment


You use the app distribution library on the Admin Portal to deploy secure apps. The
app distribution library has two kinds of apps for both iOS and Android: in-house apps
and recommended apps. Whether you choose in-house or recommended when adding
a secure app depends on the operating system and source for the app.

OS        In-house app                                                 Recommended app
Android   All secure apps                                              Not supported
iOS       Secure apps from MobileIron                                  Third-party secure apps available in the Apple App Store
          Secure apps developed by your organization
          Secure apps developed by and received from a third party

For details on using the App Wizard to add AppConnect apps to the app distribution
library, see:
Working with apps for iOS devices on page 481
Working with apps for Android devices on page 513

Configuring the AppConnect global policy


The AppConnect global policy applies to all AppConnect apps on devices. These
AppConnect apps include third-party and in-house AppConnect apps, as well as the
Docs@Work solution and Web@Work.

Company Confidential
590
AppConnect

MobileIron Core applies a default AppConnect global policy automatically to all devices. You can modify the default AppConnect global policy. You can also create custom AppConnect global policies and apply those to specific devices.

Note: If you are using AppConnect on iOS devices but not on Android devices, do not
apply the same AppConnect global policy to both Android and iOS devices. For Android
devices that do not use AppConnect apps, make sure the AppConnect field of the
AppConnect global policy is disabled.

In the AppConnect global policy, you configure:


Whether AppConnect is enabled for the devices
AppConnect passcode requirements
out-of-contact timeouts
the app checkin interval
the default end-user message for when an app is not authorized
whether AppConnect apps with no AppConnect container policy are authorized by
default
See Configuring AppConnect container policies on page 603.
default policies for these data loss prevention features: copy/paste, print, docu-
ment interaction, screen capture, accessing camera photos, accessing gallery
images, and streaming media to media players.

AppConnect passcode requirements


Several fields of the AppConnect global policy relate to the AppConnect passcode. By
entering the AppConnect passcode, also called the secure apps passcode, the device
user can access all the AppConnect-enabled apps on the device. On Android devices,
an AppConnect passcode is always required. On iOS devices, use the Passcode
Enabled field in the AppConnect global policy to require an AppConnect passcode.

The other fields for configuring the AppConnect passcode are:


Passcode Type
Minimum Passcode Length
Minimum Number of Complex Characters
Maximum Passcode Age
Auto-Lock Time (formerly called Inactivity Timeout)
Passcode history
Maximum Number of Failed Attempts

If the device user fails to correctly enter the AppConnect passcode after a certain
number of attempts, the user cannot access AppConnect-enabled apps. Specifically:
On iOS devices, the device user must enter his user credentials and then create a
new AppConnect passcode.
On Android devices, send an unlock command to the device from the Admin Portal.
The unlock command removes both the device passcode and the secure apps pass-
code. The user can then create both passcodes again.

Company Confidential
591
AppConnect

Detailed behavior on a device registered with Core 7.0 depends on the version of
Mobile@Work as given in the following table:

Device and software version: Failed attempt behavior

iOS: Mobile@Work 6.0.X: After the maximum number of failed attempts, the device user must enter his user credentials and then create a new AppConnect passcode. If the maximum is greater than 5, after the 5th attempt, the user can attempt to reenter the secure apps passcode only after waiting longer and longer time periods. Specifically, after the 5th, 6th, 7th, 8th, and 9th attempts, the user must wait 1, 5, 15, 60, and 60 minutes respectively.

iOS: Mobile@Work 5.10 and prior: After the maximum number of failed attempts, the device user must enter his user credentials and then create a new AppConnect passcode.

Android: Secure Apps Manager 6.0 and 5.9.0.1: Uses a fixed value of 5 regardless of the setting you specify in Maximum Number of Failed Attempts. After 5 attempts, the device user can no longer access secure apps until you send an unlock command to the device.

Android: Secure Apps Manager 5.9: Uses a fixed value of 10 regardless of the setting you specify in Maximum Number of Failed Attempts. After 10 attempts, the device user can no longer access secure apps until you send an unlock command to the device. After the 5th attempt, the user can attempt to reenter the secure apps passcode only after waiting longer and longer time periods. Specifically, after the 5th, 6th, 7th, 8th, and 9th attempts, the user must wait 1, 5, 15, 60, and 60 minutes respectively.

Android: Secure Apps Manager 5.7.X: After the maximum number of failed attempts, the device user can no longer access secure apps until you send an unlock command to the device. If the maximum is greater than 6, after the 6th, 7th, 8th, and 9th failed attempt, the user cannot attempt to enter the secure apps passcode for 1, 5, 15, and 60 minutes respectively.
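To make the Mobile@Work 6.0.X row of the table concrete, the following Python model is an added example (not MobileIron code). It implements the documented online behaviour: no delay before the 5th failure, escalating waits after the 5th through 9th failures, and a forced credential re-entry with a new passcode once Maximum Number of Failed Attempts is reached. It also totals the waiting time an online guesser incurs before the maximum is hit, which is why offline attacks on the passcode-derived key, rather than online guessing, are the concern. The clock is simulated rather than slept on; the wait applied after the 10th and later failures is not stated in the guide and is assumed to stay at 60 minutes.

```python
from dataclasses import dataclass

# Waits (minutes) after the 5th, 6th, 7th, 8th and 9th failed attempts, per the table.
ESCALATING_WAITS_MIN = {5: 1, 6: 5, 7: 15, 8: 60, 9: 60}


@dataclass
class AppConnectLock:
    """Failed-attempt state for the AppConnect (secure apps) passcode, Mobile@Work 6.0.X style."""
    max_failed_attempts: int
    secret_passcode: str          # constructed for the simulation; never stored like this in a real app
    failed: int = 0
    locked_until: float = 0.0     # simulated clock, in minutes
    reset_required: bool = False  # user must re-enter credentials and create a new passcode

    def wait_after(self, nth_failure: int) -> int:
        """Minutes the user must wait after the given failed attempt (0 before the 5th)."""
        if nth_failure < 5:
            return 0
        return ESCALATING_WAITS_MIN.get(nth_failure, 60)  # 10th and later: assumed to stay at 60

    def attempt(self, passcode: str, now_min: float) -> str:
        """One passcode entry at simulated time now_min; returns the outcome as a short string."""
        if self.reset_required:
            return "reset-required"
        if now_min < self.locked_until:
            return "throttled"
        if passcode == self.secret_passcode:
            self.failed = 0
            self.locked_until = 0.0
            return "ok"
        self.failed += 1
        if self.failed >= self.max_failed_attempts:
            self.reset_required = True
            return "reset-required"
        self.locked_until = now_min + self.wait_after(self.failed)
        return "wrong"

    def reset_with_credentials(self, new_passcode: str) -> None:
        """Successful user-credential login: clears the lock and sets a new AppConnect passcode."""
        self.secret_passcode = new_passcode
        self.failed = 0
        self.locked_until = 0.0
        self.reset_required = False


def minutes_to_exhaust(max_failed_attempts: int) -> int:
    """Total waiting time an online guesser incurs before the maximum is reached."""
    lock = AppConnectLock(max_failed_attempts, "never")
    return sum(lock.wait_after(n) for n in range(1, max_failed_attempts))


def simulate_online_guessing(max_failed_attempts: int):
    """Drive the lock with wrong guesses, advancing the clock only as far as the throttle demands."""
    lock = AppConnectLock(max_failed_attempts, "7391")
    now = 0.0
    outcomes = []
    for guess in range(max_failed_attempts + 1):
        outcomes.append(lock.attempt(f"{guess:04d}", now))
        now = max(now, lock.locked_until)
    return outcomes, now


def throttle_demo():
    """Five wrong guesses at t=0, then the right passcode too early and again after the 1-minute wait."""
    lock = AppConnectLock(10, "7391")
    for _ in range(5):
        lock.attempt("0000", 0.0)
    return lock.attempt("7391", 0.5), lock.attempt("7391", 1.0)


if __name__ == "__main__":
    outcomes, elapsed = simulate_online_guessing(10)
    print(outcomes, f"after {elapsed:.0f} simulated minutes")
    print("throttle demo:", throttle_demo())
```

With Maximum Number of Failed Attempts set to 10, an attacker typing guesses into the device gets nine wrong tries spread over 141 minutes before the user is forced to re-authenticate, so online guessing yields a handful of tries per day; this is the opposite of the offline situation, where every derivation of the key from a candidate passcode is free.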

Configuration steps
To configure an AppConnect global policy:
1. In the Admin Portal, select Policies & Configs > Policies.
2. Edit the default AppConnect global policy, or select Add New > AppConnect to cre-
ate a new one.

Company Confidential
592
AppConnect

Use the following guidelines to create or edit an AppConnect global policy:

Item (default value): Description

Name (default: Default AppConnect Global Policy): Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
Status (default: Active): Select Active to turn on this policy. Select Inactive to turn off this policy.
Priority: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 178. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.
Description (default: Default AppConnect Global Policy): Enter an explanation of the purpose of this policy.
AppConnect (default: Disabled): Select Enabled to enable AppConnect on the device. Select Disabled to disable AppConnect on the device. When you select Enabled, the screen displays the rest of its fields.

AppConnect Passcode

Passcode Type (default: Alphanumeric): Specify whether the passcode can contain only simple numeric input, or can contain alphanumeric and special characters. When the type is complex, the passcode must contain at least one digit and one letter.

Minimum Passcode Length (default: 4): Select a number between 1 and 16 to specify the minimum length for the passcode.
Note for iOS: A device running a Mobile@Work for iOS version prior to 6.0 requires a length of 4 for numeric AppConnect passcodes. An alphanumeric passcode length can be between 1 and 16.
Minimum Number of Complex Characters (default: 1): Select a number between 1 and 10 to specify the minimum number of special characters that must be included in the passcode. Select - to require no special characters in the passcode.
Maximum Passcode Age (default: None; iOS starting with Mobile@Work 5.9 and Android starting with Secure Apps 5.9): Enter a value between 1 and 730. This value is the number of days until the device user must change the secure apps passcode. The value is updated on a device when the next device check-in occurs. After the passcode age is exceeded (that is, the passcode expires), the device user is prompted for a new passcode the next time the device user attempts to log in to secure apps. The device user must create a new passcode before he can access secure apps. If you do not want the passcode to expire, leave the field blank, which is the default. For previous versions of Mobile@Work for iOS or Android Secure Apps, no passcode age is enforced. The passcode never expires regardless of this setting.
Auto-Lock Time (default: 15 minutes): Select the maximum amount of time to allow as an inactivity timeout. After this period of inactivity in AppConnect apps, the device user is locked out of the apps. The device user must reenter the AppConnect passcode to access AppConnect apps.
Note: This field was formerly called Inactivity Timeout.

Company Confidential
594
AppConnect

Item Description Default Value


Passcode history iOS starting with Mobile@Work 5.9 and 1
Android starting with Secure Apps 5.9:
Select a value from 1 to 10, or -.
This value specifies the number of most
recently used secure apps passcodes
that the device user cannot use when
changing his passcode.
The default value is 1, which means that
when the user creates a new passcode,
the only restriction is that he cannot
reuse his current passcode.
If you do not want a passcode history,
select -. In this case, the user can
reuse any previous passcode, including
the current passcode.
If you change this field value from none
to a value between 1 and 10:
On iOS devices, the next time that
the user changes the passcode,
Mobile@Work puts the new passcode
in the history. Therefore, after this
policy change, a user can reuse the
current passcode the first time he
changes the passcode.
On Android devices, the Secure Apps
Manager puts the current passcode in
the history the next time that the
user logs in. Therefore, after this pol-
icy change, a user who is already
logged in can reuse the current pass-
code the first time he changes the
passcode.

For previous versions of Mobile@Work


for iOS or Android Secure Apps, no pass-
code history is enforced. The device user
can reuse passcodes regardless of this
setting.

Company Confidential
595
AppConnect

Item Description Default Value


Maximum Num- Select a value between 2 and 10. Select 10
ber of Failed -- if you do not want to limit failed
Attempts attempts.

If the device user fails to correctly enter


the AppConnect passcode after a certain
number of attempts, the user cannot
access AppConnect-enabled apps. Spe-
cifically:
On iOS devices, the device user must
enter his user credentials and then
create a new AppConnect passcode.
On Android devices, send an unlock
command to the device from the
Admin Portal. The unlock command
removes both the device passcode
and the secure apps passcode. The
user can then create both passcodes
again.

Detailed behavior depends on the


Mobile@Work app as described in
AppConnect passcode requirements on
page 591.
Passcode iOS only: Enabled
Enabled Select this field if you require device
users to enter an AppConnect passcode
to use any AppConnect apps or the
Docs@Work features in Mobile@Work.
Important: For Android devices, an
AppConnect passcode is always required
so no similar checkbox is necessary for
Android.
AppConnect Security Controls On Device:

Device Out Of Contact:

Wipe AppConnect Apps After (default: 30 days)
  Specify a value from 1 through 90 days. Leave the field empty if you do not
  want to wipe AppConnect apps when the device is out of contact with
  MobileIron Core.

Android:

Device Compromised
  This feature is under construction.

USB Debug Enabled
  This feature is under construction.

App Authorization:

App Check-in Interval (default: 60 minutes)
  iOS only: Select the maximum number of minutes until devices running
  AppConnect apps receive updates of their AppConnect global policy, their
  AppConnect app configuration, and their AppConnect container policies.
  Note: These policies and settings are not updated on the device when:
  - the device checks in at its regular sync interval.
  - you force a device check-in from the Users & Devices screen.
  However, in the Mobile@Work for iOS app on the device, the Force Device
  Check-in option does sync the policies and settings related to AppConnect.
  Regarding Android: The app check-in interval does not apply to Android.
  However, the AppConnect-related policies and settings are updated on the
  device when the device checks in. Device check-in occurs:
  - according to the sync interval specified on the device's sync policy.
  - when you force a device check-in from the Users & Devices screen.
  - when the device user uses the Connect Now feature in Mobile@Work on the
    device.

Unauthorized Message (default: None)
  Enter the default message that Mobile@Work displays if the app is not
  authorized on the device. If you do not enter a default message, the system
  provides one.

Data Loss Prevention Policies:

Apps without an AppConnect container policy (default: Not selected)
  Select Authorize if you want AppConnect apps to be authorized by default. If
  you do not select this option, app authorization is determined by the labels
  on the AppConnect container policy and on the device user.
  If you select this option, then you can also select:
  - the iOS data loss prevention policies
  - the Android screen capture policy

iOS:

Copy/Paste To (default: Not selected)
  iOS only: Select Allow if you want the device user to be able to copy
  content from AppConnect apps to other apps by default. You can override this
  option in each app's individual AppConnect container policy.
  When you select this option, then select either:
  - All Apps
    Select All Apps if you want the device user to be able to copy content
    from the AppConnect app and paste it into any other app.
  - AppConnect Apps
    This feature is under construction. Do not select.
  For more information, see Comparison with AppConnect for iOS copy/paste
  policy on page 635.

Print (default: Not selected)
  iOS only: Select Allow if you want AppConnect apps to be allowed to use
  print capabilities by default. You can override this option in each app's
  individual AppConnect container policy.

Open In (default: Not selected)
  iOS only: Select Allow if you want AppConnect apps to be allowed to use the
  Open In (document interaction) feature by default. You can override this
  option in each app's AppConnect container policy.
  When you select this option, then select either:
  - All Apps
    Select All Apps if you want the app to be able to send documents to any
    other app.
  - AppConnect Apps
    Starting with Mobile@Work for iOS version 5.7: Select AppConnect Apps to
    allow an AppConnect app to send documents to only other AppConnect apps.
  - Whitelist
    Select Whitelist if you want the app to be able to send documents only to
    the apps that you specify. Enter the bundle ID of each app, one per line,
    or in a semi-colon delimited list. For example:
      com.myAppCo.myApp1
      com.myAppCo.myApp2;com.myAppCo.myApp3
    The bundle IDs that you enter are case sensitive.
  Note for Android: For AppConnect for Android apps, Open In is restricted to
  all AppConnect apps, regardless of this setting.

Android:

Copy/Paste (default: No restrictions)
  Android 4.0 through 4.4 only, starting with Android Secure Apps 5.9: Specify
  one of the following options:
  - No restrictions
    The device user can copy and paste between any apps, whether the apps are
    AppConnect apps or unsecured apps. The device exhibits standard copy/paste
    behavior. This option is the default.
    Clipboard use: The device uses the standard Android clipboard for all
    copy/paste activity. That is, AppConnect apps and unsecured apps all use
    the same clipboard.
  - Among AppConnect apps
    Copy and paste is not possible between AppConnect apps and unsecured apps.
    The device user can copy and paste among AppConnect apps, and within an
    AppConnect app. The user can also copy and paste among unsecured apps and
    within an unsecured app. This option prevents data leaks into or out of
    the secure container.
    Clipboard use: AppConnect apps share a clipboard, and unsecured apps share
    a separate clipboard.
  - Within an AppConnect app
    The device user can copy and paste within each AppConnect app. However,
    the user cannot copy and paste among AppConnect apps, or between
    AppConnect apps and unsecured apps. The user can also copy and paste among
    unsecured apps and within an unsecured app. This option is the most
    restrictive.
    Clipboard use: Each AppConnect app has its own clipboard. Unsecured apps
    share one clipboard among all unsecured apps.
  For more information, see Copy/Paste for AppConnect for Android on page 634.

Camera (default: Not selected)
  Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7:
  Select Allow to allow camera photo access for all the AppConnect apps on an
  Android device. When you select this setting, an AppConnect app can, for
  example, use a camera app to take a photo with the camera and allow the
  device user to save the photo.
  For more information, see Interaction with the lockdown policy on page 602.

Gallery (default: Not selected)
  Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7:
  Select Allow to allow all the AppConnect apps on an Android device to access
  images from the gallery. When you select this setting, an AppConnect app
  can, for example, allow a device user to attach images from the gallery to
  an email.

Media Player (default: Not selected)
  Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7:
  Select Allow to allow all the AppConnect apps to stream media to media
  players. For example, consider an AppConnect email app which has an email
  with a voice recording attached. When you select this setting, the email app
  can play the recording by using a media player on the device.
  When you select Allow, AppConnect apps can stream the following file types
  to media players:
  - MP3 audio files
  - WAV audio files
  - MP4 video files
  The files must be smaller than 3MB.
  Note: An encrypted copy of the media file is temporarily stored on the
  device's SD card to enable streaming.

Screen Capture (default: Not selected)
  Android only, starting with Android 3.0 and Mobile@Work 5.6: Select Allow if
  you want AppConnect apps to allow screen capture by default. You can
  override this option in each app's AppConnect container policy.

Web (default: Not selected)
  Starting with Android Secure Apps 5.9: Select Allow to allow an unsecured
  browser to attempt to display a web page when a device user taps the page's
  URL in a secure app. If you do not select Allow, only Web@Work can display
  the page.
  For more information, see DLP policy for browser launching on page 636.

3. Click Save.
4. If you created a new policy, apply the appropriate labels to the AppConnect global
policy.
If you are using the default AppConnect global policy, it automatically applies to all
devices.
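The passcode rules in the AppConnect global policy table above (passcode type, minimum length, minimum complex characters, maximum age, history, failed attempts and auto-lock) can be checked mechanically, which is useful when reviewing what a given policy actually enforces. The following is an added example, not MobileIron code: the PasscodePolicy field names, the definition of a special character as any non-alphanumeric character, the use of elapsed days and minutes as plain numbers, and the sample passcodes are assumptions made for illustration.

```python
# Added example (not MobileIron code): a model of the AppConnect passcode
# rules from the global policy table. Field names, the definition of a
# "special" character and the sample passcodes are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasscodePolicy:
    passcode_type: str = "alphanumeric"   # "numeric" or "alphanumeric" (complex)
    min_length: int = 4                   # 1..16
    min_complex: Optional[int] = 1        # 1..10, or None for the "-" choice
    max_age_days: Optional[int] = None    # 1..730, or None (blank) = never expires
    history: Optional[int] = 1            # 1..10, or None for the "-" choice
    max_failed: Optional[int] = 10        # 2..10, or None for the "--" choice
    auto_lock_minutes: int = 15           # inactivity timeout


def validate_new_passcode(policy: PasscodePolicy, candidate: str,
                          previous: List[str]) -> List[str]:
    """Return the rules a proposed passcode violates (empty list = OK).
    `previous` holds earlier passcodes, oldest first, current one last."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("shorter than minimum length")
    if policy.passcode_type == "numeric":
        if not candidate.isdigit():
            problems.append("numeric passcode must contain only digits")
    else:
        # A complex passcode needs at least one digit and one letter.
        if not (any(c.isdigit() for c in candidate)
                and any(c.isalpha() for c in candidate)):
            problems.append("must contain at least one digit and one letter")
        # Special characters = anything that is not a letter or digit
        # (assumption: the page does not define "special" more precisely).
        specials = sum(1 for c in candidate if not c.isalnum())
        if policy.min_complex is not None and specials < policy.min_complex:
            problems.append("too few special characters")
    # Passcode history: the most recent N passcodes may not be reused.
    if policy.history is not None and candidate in previous[-policy.history:]:
        problems.append("reuses a recent passcode")
    return problems


def passcode_expired(policy: PasscodePolicy, age_days: float) -> bool:
    """Maximum Passcode Age: a blank field (None) means it never expires."""
    if policy.max_age_days is None:
        return False
    return age_days > policy.max_age_days


def auto_locked(policy: PasscodePolicy, idle_minutes: float) -> bool:
    """Auto-Lock Time: locked out once the inactivity period has elapsed."""
    return idle_minutes >= policy.auto_lock_minutes


def failed_attempts_exhausted(policy: PasscodePolicy, failed: int) -> bool:
    """Maximum Number of Failed Attempts: "--" (None) means no limit."""
    return policy.max_failed is not None and failed >= policy.max_failed


if __name__ == "__main__":
    policy = PasscodePolicy()
    # Current passcode "xy7!" being reused: rejected by the history of 1.
    print(validate_new_passcode(policy, "xy7!", ["old9#", "xy7!"]))
    print(validate_new_passcode(policy, "ab1", []))
```

Run with the table's defaults, a history of 1 rejects only the current passcode; setting `history=None` models the "-" choice, under which any earlier passcode may be reused.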

Interaction with the lockdown policy


The lockdown policy for the device has an option to enable or disable the
camera. The lockdown policy applies to all apps on the device, not just
AppConnect apps. The interactions between the lockdown policy and the
AppConnect global policy are:
- If the lockdown policy prohibits camera use, AppConnect apps cannot use the
  camera. Camera use is prohibited even if you allow camera access on the
  AppConnect global policy.
- If the lockdown policy allows camera use, AppConnect apps can access photos
  from the camera only if you allow camera access on the AppConnect global
  policy.

The following table summarizes this interaction of the lockdown policy and the
AppConnect global policy:

                                   AppConnect global policy:   AppConnect global policy:
                                   Camera access allowed       Camera access prohibited
Lockdown policy: Camera enabled    AppConnect apps can use     AppConnect apps cannot
                                   the camera.                 use the camera.
Lockdown policy: Camera disabled   AppConnect apps cannot      AppConnect apps cannot
                                   use the camera.             use the camera.


Configuring AppConnect container policies


An AppConnect container policy is applicable for iOS AppConnect apps, and for
Android AppConnect apps starting with Mobile@Work 5.6 for Android.

The AppConnect container policy:
- authorizes an AppConnect app.
- specifies the data loss prevention settings for an AppConnect app.
- can be automatically created by MobileIron Core.

Note: For each AppConnect app, make sure only one AppConnect container policy
applies to each device.

AppConnect app authorization


Each AppConnect app requires an AppConnect container policy. The presence of an
AppConnect container policy for a device is what authorizes the app on the device. You
apply a label to the AppConnect container policy to apply it to a device.

If you later remove the AppConnect container policy, or remove the device's
label from the policy:
- an iOS AppConnect app becomes retired. A retired app becomes unauthorized on
  the device and the app deletes (wipes) all its sensitive data.
  Note: For information on other cases when an iOS AppConnect app becomes
  retired, see Situations that wipe AppConnect for iOS app data on page 643.
- an Android AppConnect app becomes unauthorized. If the app is unauthorized,
  when the device user tries to run it, the Secure Apps Manager displays a
  message that the app is unauthorized.
  Note: For information on when an Android AppConnect app becomes retired, see
  Situations that wipe Android AppConnect app data on page 638.

Data loss prevention settings


In the AppConnect container policy, you also configure data loss prevention
(DLP) settings. Specifically, you configure whether you want the app to be
allowed to use these features:
- Copy / paste (iOS only)
- Print (iOS only)
- Open In (document interaction) (iOS only)
- Screen capture (Android only)

An app's AppConnect container policy overrides the corresponding settings on
the AppConnect global policy.
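Working out what a single app may actually do therefore means layering the container policy over the global policy, and, for the Android camera setting, applying the lockdown policy interaction described under Interaction with the lockdown policy. The following added example (not MobileIron code) does that for one app: it parses an Open In whitelist in the one-per-line or semi-colon delimited form from the global policy table, matches bundle IDs case-sensitively, and lets a container policy value override the global one. The dictionary keys, the tuple used to represent the Open In setting, and the bundle IDs are constructed for illustration.

```python
# Added example (not MobileIron code): resolving the effective DLP settings
# for one AppConnect app. Policy dictionaries, key names, the Open In
# representation and all bundle IDs are constructed assumptions.
from typing import Dict, List, Optional, Set, Tuple

# Open In setting: None = not allowed, otherwise (target, whitelist_text)
# where target is "all", "appconnect" or "whitelist".
OpenIn = Optional[Tuple[str, str]]


def parse_whitelist(text: str) -> List[str]:
    """Split a whitelist entered one bundle ID per line or as a semi-colon
    delimited list. Bundle IDs are case sensitive, so entries are kept
    exactly as typed; only surrounding whitespace is removed."""
    ids = []
    for line in text.splitlines():
        for part in line.split(";"):
            part = part.strip()
            if part:
                ids.append(part)
    return ids


def effective_setting(global_policy: Dict, container_policy: Optional[Dict],
                      key: str):
    """A value set in the container policy overrides the global policy; a key
    the container policy leaves unset falls back to the global value."""
    if container_policy is not None and key in container_policy:
        return container_policy[key]
    return global_policy.get(key)


def open_in_allowed(global_policy: Dict, container_policy: Optional[Dict],
                    target_bundle_id: str, appconnect_apps: Set[str]) -> bool:
    """May the app hand a document to target_bundle_id under the effective
    Open In setting?"""
    setting: OpenIn = effective_setting(global_policy, container_policy, "open_in")
    if setting is None:
        return False
    target, whitelist_text = setting
    if target == "all":
        return True
    if target == "appconnect":
        return target_bundle_id in appconnect_apps
    if target == "whitelist":
        return target_bundle_id in parse_whitelist(whitelist_text)
    return False


def camera_allowed(lockdown_camera_enabled: bool,
                   global_camera_allowed: bool) -> bool:
    """Android camera access: a lockdown policy that disables the camera wins;
    otherwise the AppConnect global policy decides."""
    return lockdown_camera_enabled and global_camera_allowed


# Constructed sample: the global policy allows nothing; one app's container
# policy allows Open In to a whitelist and leaves Print unset.
GLOBAL_POLICY = {"print": False, "copy_paste": False, "open_in": None,
                 "screen_capture": False, "camera": False}
CONTAINER_POLICY = {
    "open_in": ("whitelist",
                "com.myAppCo.myApp1\ncom.myAppCo.myApp2;com.myAppCo.myApp3"),
}

if __name__ == "__main__":
    print(open_in_allowed(GLOBAL_POLICY, CONTAINER_POLICY,
                          "com.myAppCo.myApp3", set()))   # whitelisted
    print(open_in_allowed(GLOBAL_POLICY, CONTAINER_POLICY,
                          "com.myappco.myapp3", set()))   # wrong case
```

The second call in the demo fails because the whitelist comparison is case sensitive, which is exactly the behaviour the table warns about when entering bundle IDs.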

Automatically created AppConnect container policies


When you upload an AppConnect app to MobileIron Core's app distribution
library, Core creates an AppConnect container policy automatically as follows:
- For Android AppConnect apps:
  MobileIron Core always takes this automatic action. If the app has specified
  DLP settings, Core uses those settings. Otherwise, Core creates an
  AppConnect container policy with all the values set to not allowed.
- For iOS AppConnect apps built with the AppConnect for iOS SDK:
  Core takes this automatic action only if the app has specified its desired
  default values for the policy in its IPA file. Also, this automatic action
  does not occur when you specify an Apple App Store AppConnect app as a
  recommended app.
- For wrapped iOS AppConnect apps:
  Core always takes this automatic action, setting all the DLP values to not
  allowed.

The name of the AppConnect container policy is:
- For iOS AppConnect apps: Default <bundle ID of app> Container Policy
- For Android AppConnect apps: Default <package ID of app> Container Policy

Note: In the Admin Portal, on Policies & Configs > Configurations, the name of
the app, not the name of the AppConnect container policy, displays in the name
column.

You can override these values by editing the app's AppConnect container
policy. MobileIron Core keeps in sync the labels that you apply to the app and
the labels that you apply to the AppConnect container policy that Core
automatically created.

Configuration tasks
To configure an AppConnect container policy:
1. In the Admin Portal, select Policy & Configs > Configurations.
2. Select the existing container policy for the app, or select Add New > AppConnect >
Container Policy to create a new one.

Use the following guidelines to create or edit an AppConnect container policy:

Name
  Enter brief text that identifies this AppConnect container policy.
  Note: If MobileIron Core automatically created this policy:
  - You cannot edit the name.
  - The name is not the same as the name that appears in the name column in
    Policy & Configs > Configurations.

Description
  Enter additional text that clarifies the purpose of this AppConnect
  container policy.

Application
  Android, starting with Mobile@Work 5.6: Select an Android AppConnect app
  from the MobileIron Core app distribution library.
  iOS: Select an iOS AppConnect app from the MobileIron Core app distribution
  library or enter the bundle ID of an iOS AppConnect app. A bundle ID that
  you enter is case sensitive.
  Note: The dropdown selection includes an iOS AppConnect app only if both of
  the following statements are true:
  - The app was added to the Core app distribution library as an in-house app.
  - The app specifies default feature policies (copy/paste, document
    interaction, print).

Exempt from AppConnect passcode policy
  iOS only: Select this option if you want to allow the device user to use the
  app without entering the AppConnect passcode.

Data Loss Prevention Policies:

Print
  iOS only: Select Allow if you want AppConnect apps to be allowed to use
  print capabilities.

Copy/Paste To
  iOS only: Select Allow if you want the device user to be able to copy
  content from the AppConnect app to other apps.
  When you select this option, then select either:
  - All Apps
    Select All Apps if you want the device user to be able to copy content
    from the AppConnect app and paste it into any other app.
  - AppConnect Apps
    This feature is under construction. Do not select.

Open In
  iOS only: Select Allow if you want AppConnect apps to be allowed to use the
  Open In (document interaction) feature.
  When you select this option, then select either:
  - All Apps
    Select All Apps if you want the app to be able to send documents to any
    other app.
  - AppConnect Apps
    Starting with Mobile@Work for iOS version 5.7: Select AppConnect Apps to
    allow an AppConnect app to send documents to only other AppConnect apps.
  - Whitelist
    Select Whitelist if you want the app to be able to send documents only to
    the apps that you specify. Enter the bundle ID of each app, one per line,
    or in a semi-colon delimited list. For example:
      com.myAppCo.myApp1
      com.myAppCo.myApp2;com.myAppCo.myApp3
    The bundle IDs that you enter are case sensitive.
  Note for Android: For AppConnect for Android apps, Open In is restricted to
  all AppConnect apps, regardless of this setting.

Allow Screen Capture
  Android only, starting with Android 3.0 and Mobile@Work 5.6: Select Allow if
  you want the app to allow screen capture.

3. Click Save.
4. Select the new app policy.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this AppConnect container policy.
7. Click Apply.

Be sure to apply one of the labels that you selected to the device. To check
the device's labels:
1. Go to Users and Devices > Devices.
2. Expand the device details panel by clicking the up arrow for the desired
   device.
3. In the Device Details panel, select Label Membership.

To add a label to the device:
1. Select the device.
2. Select Apply To Label in the Actions menu.
3. Select the labels to apply to the device.
4. Click Apply.

Enabling MobileIron secure apps


If you are deploying secure apps developed by MobileIron, you need to enable
those products:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select the option for each product.
   For example, if you are deploying Web@Work, select Enable Web@Work.
4. Click Save.

Also see Enabling MobileIron Core licensing options for Android secure apps on
page 630.

Enabling AppConnect third-party and in-house apps


If you are deploying secure apps developed by your organization or a third
party, you need to enable an additional product:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select Enable AppConnect For Third-party And In-house Apps.
   Select this option only if your organization has purchased it. Enabling
   AppConnect means that MobileIron Core supports third-party and in-house
   AppConnect apps.
4. Click Save.

Also see Enabling MobileIron Core licensing options for Android secure apps on
page 630.

Configuring an AppTunnel service


Follow these steps to configure an AppTunnel service:
1. In the Admin Portal, go to Settings > Sentry.
2. Edit the entry for the Standalone Sentry you intend to use for app tunneling.
3. Use the following guidelines to configure app tunnels:
   Note: Do not configure AppTunnel for email client AppConnect apps that are
   sending ActiveSync traffic to an email server through a Standalone Sentry.

Host / IP
  Enter the external host name or IP address of the server on which the
  Standalone Sentry is installed. The host name or IP address must be external
  because AppConnect apps on devices that are tunneling data must be able to
  access the Sentry.
  MobileIron Core also needs to connect to this same host name or IP address.
  If the host name or IP address is not accessible by Core and devices, use
  the name or IP address that the devices use. Then, using the System Manager,
  add a static host entry to Core.

Port
  Enter the port that the Standalone Sentry is listening on. The default is
  9090.

Enable ActiveSync
  Clear the check box to disable ActiveSync support on the Sentry.

Enable App Tunneling
  Click the check box to enable AppTunnel support on the Sentry.

Device Authentication Configuration:
  Note: See Device and server authentication support for Standalone Sentry on
  page 408 for authentication information for both ActiveSync and AppTunnel.

Device Authentication
  Select how devices attempting to connect to the app server authenticate with
  the Standalone Sentry. Choose Identity Certificate, Group Certificate or
  Trusted Front-End.
  Note:
  - If you are using Kerberos Constrained Delegation to authenticate the user
    to the app server, choose Identity Certificate.
  - For the Trusted Front-End option, MobileIron supports only F5 servers as
    the trusted front-end server for TCP tunneling.

Upload Certificate
  If you chose Group Certificate, upload the certificate (generally a .cer
  file) you trust.
  If you chose Identity Certificate, upload the Root certificate (this may be
  a root certificate chain) from the CA you trust. The CA may be a Root
  Authority or an Intermediate Authority.

Check certificate revocation list (CRL)
  Select Check Certificate Revocation List (CRL) if you want to validate the
  certificates presented by the device against the Certificate Revocation List
  (CRL) published by the CA.
  Note that only HTTP and HTTPS based CRLs are supported. Some CAs create
  LDAP-based CRLs by default that will not work with Sentry.
  For CRL validation to work, Sentry requires network connectivity to the CRL
  Distribution Point (CDP), usually the CA that issued the certificate,
  through an HTTP or HTTPS port.

Subject Alternative Name Type
  Use the Subject Alternate Name Type list to select the field in the client
  certificate that will be used to identify the user for Kerberos Constrained
  Delegation. The Type is the same type that you specified when generating
  the client certificate. This type is often the NT Principal Name.

Value
  Use the Value list to select the value used in the Subject Alternate Name
  field. Usually, the User UPN (user principal name) is used to identify the
  user.

AppTunnel Configuration:

Add Context Headers
  Select the check box to forward additional device context information to
  your corporate backend resource. This allows your corporate backend
  resources to further validate the device.
  This feature is available only with Standalone Sentry Version 4.9 through
  5.0.
  Note: Context headers are not supported for Advanced AppTunnel (TCP
  tunneling).

Advanced Traffic Control
  Select the checkbox to enable advanced traffic control. The Server-side
  Proxy section is replaced with the Advanced Traffic Control (ATC) section.

Server-side Proxy List:
  Traffic is directed to the proxy servers listed here based on the backend
  resource and action defined in Traffic Control Rules.

Name
  Enter a unique name for the proxy server. The name for the proxy server will
  be available for selection in the Proxy field.

Hostname
  Enter the IP address or FQDN for the proxy server.

Port
  Enter the port number for the proxy server.

+
  Click to add a proxy server.

Traffic control rules:
  Specify whether traffic to the backend resource is through a proxy server,
  allowed direct access, or blocked.
  Note: Rules are matched based on the order in which they are listed. This is
  especially important for domain names with wildcards. For example, if the
  Block action is selected for *.company.com, and the Proxy action is selected
  for *.internal.company.com, and the rule for *.company.com is listed first,
  then all company.com domains will be blocked. Use the up and down arrows to
  order the rules.

Destination Host
  Enter the IP address or domain name of the backend resource. Port numbers
  are not supported. Wildcards are supported. Only the suffix after the *
  wildcard is matched.
  Example: *.acme.com.

Action
  Select Proxy, Allow, or Block.

Proxy
  If you selected Proxy for Action, then select the proxy server for the
  backend resource.

+
  Click to add a backend resource.

Default Action
  The default action is applied if no traffic control rule is defined for a
  backend resource.

Proxy
  If you choose Proxy as the default action, select the proxy server for
  traffic to the backend resource.

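The ordering pitfall in the note above (a broad Block rule listed before a narrower Proxy rule) is easy to reproduce with a small first-match evaluator, and such an evaluator is a convenient way to review a rule list before applying it. The following is an added example, not Sentry code: the Rule representation, the case-insensitive host comparison, the handling of a ":port" suffix on the requested host, and the sample host and proxy names are assumptions made for illustration.

```python
# Added example (not MobileIron or Sentry code): an ordered evaluator for the
# Advanced Traffic Control rules described in the table. Rules are tried in
# list order, a Destination Host is an exact host or a "*"-prefixed suffix
# pattern, and the Default Action applies when nothing matches. The Rule
# type, the case handling and all host and proxy names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    destination: str             # e.g. "*.internal.company.com" or "hr.company.com"
    action: str                  # "Proxy", "Allow" or "Block"
    proxy: Optional[str] = None  # proxy server name, used when action == "Proxy"


def host_matches(pattern: str, host: str) -> bool:
    """Only the suffix after the "*" wildcard is matched. Port numbers are not
    supported in rules, so any ":port" on the requested host is ignored.
    The comparison is case-insensitive (assumption: DNS names are)."""
    host = host.split(":", 1)[0].lower()
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def decide(rules: List[Rule], host: str, default_action: str,
           default_proxy: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (action, proxy) from the first rule whose Destination Host
    matches, otherwise the Default Action (with its proxy when that is Proxy)."""
    for rule in rules:
        if host_matches(rule.destination, host):
            proxy = rule.proxy if rule.action == "Proxy" else None
            return rule.action, proxy
    if default_action == "Proxy":
        return "Proxy", default_proxy
    return default_action, None


# Constructed sample: the ordering pitfall the table warns about.
MISORDERED = [
    Rule("*.company.com", "Block"),
    Rule("*.internal.company.com", "Proxy", "global"),
]
CORRECTED = [
    Rule("*.internal.company.com", "Proxy", "global"),
    Rule("*.company.com", "Block"),
]

if __name__ == "__main__":
    for rules in (MISORDERED, CORRECTED):
        # Misordered: ("Block", None). Corrected: ("Proxy", "global").
        print(decide(rules, "hr.internal.company.com", "Allow"))
```

Note that `*.acme.com` does not match the bare host `acme.com`, because only the text after the wildcard is compared as a suffix; an apex host needs its own exact rule.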

Server-side Proxy:
  If Advanced Traffic Control (ATC) is enabled, the Server-side Proxy section
  is no longer available. If you had configured a proxy server, and you enable
  advanced traffic control, the proxy server will be listed in the Server-side
  Proxy List as global. The Default Action is selected as Proxy and the
  default Proxy server is selected as global.
  To configure Server-side Proxy, enter the HTTP proxy server information.
  Configuring an HTTP proxy server provides access to corporate resources
  without having to open the ports that Standalone Sentry would otherwise
  require.
  This feature is available only with Standalone Sentry Version 4.9 through
  6.0.

Proxy Host Name / IP
  Enter the FQDN of the proxy server. Do not include a URI scheme, such as
  http:// or https://, in this field.

Proxy Port
  Enter the port number for the proxy server.

To add a new AppTunnel service, click +.

Service Name
  The Service Name is used in the AppConnect app configuration. The app
  configuration uses the service name to restrict the app to accessing servers
  in the Server List field. It is similarly used in the Web@Work setting and
  Docs@Work policy, for setting up tunneling for Web@Work for Android or iOS,
  and for the Docs@Work feature of Mobile@Work for iOS, respectively.
  Enter one of the following:
  - A unique name for the service that the AppConnect app on the device
    accesses. One or more of your internal app servers provide the service.
    You list the servers in the Server List field.
    For example, some possible service names are:
      SharePoint
      Human Resources
    A service name cannot contain these characters: 'space' \ ; * ? < > " |.
    Special prefixes:
    - For app tunnels that point to CIFS-based content servers, the service
      name must begin with CIFS_.
    - For Advanced AppTunnel (TCP tunneling), the name must begin with TCP
      (case-insensitive). Example: TCP_Finance
  - <ANY>
    Select <ANY> to allow tunneling to any URL that the app requests.
    Typically, you select <ANY> if an AppConnect app's app configuration
    specifies a URL with wildcards for tunneling, such as *.myCompany.com. The
    Sentry tunnels the data for any URL request that the app makes that
    matches the URL with wildcards.
    The Sentry tunnels the data to the app server that has the URL that the
    app specified. The Server List field is therefore not applicable when the
    Service Name is <ANY>.
    For example, consider when the app requests URL
    myAppServer.mycompany.com, which matches *.mycompany.com in the app
    configuration. The Sentry tunnels the data to myAppServer.myCompany.com.
    Web@Work typically uses the <ANY> service, so that it can browse to any of
    your internal servers.
    Note: Do not select this option for tunneling to CIFS-based content
    servers. Select <CIFS_ANY> instead.

  - <TCP_ANY>
    Select <TCP_ANY> to allow Advanced AppTunnel (TCP tunneling) to any
    backend server that the app requests.
  - <CIFS_ANY>
    Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content
    server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based
    content server contains wildcards for tunneling, such as *.myCompany.com.
  Note: The order of the Service Name entries does not matter.

Server Auth
  Select the authentication scheme for the Standalone Sentry to use to
  authenticate the user to the app server:
  - Pass Through
    The Sentry passes through the authentication credentials, such as the user
    ID and password (basic authentication) or NTLM, to the app server.
    Note: For TCP tunneling, select Pass Through, which is the only option
    available when the service name begins with TCP. The Sentry passes through
    all TCP packets to the app server.
  - Kerberos
    The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single
    Sign On (SSO). SSO means that the device user does not have to enter any
    credentials when the AppConnect app accesses the app server.
    The Kerberos option is only available if you selected Identity Certificate
    for Device Authentication.
    MobileIron does not support Kerberos for CIFS-based content servers.

Server List
  Enter the app server's host name or IP address (usually an internal host
  name or IP address). Include the port number on the app server that the
  Sentry can access. For example:
    sharepoint1.companyname.com:443
  You can enter multiple servers. The Sentry uses a round-robin distribution
  to load balance the servers. That is, it sets up the first tunnel with the
  first app server, the next with the next app server, and so on. Separate
  each server name with a semicolon. For example:
    sharepoint1.companyname.com:443;sharepoint2.companyname.com:443
  Note: The Server List field is not applicable when the service name is
  <ANY>, <TCP_ANY>, or <CIFS_ANY>.

Company Confidential
612
AppConnect
TLS Enabled: Select TLS Enabled if the app servers listed in the Server List field require SSL. This option is not applicable when the service name is <ANY>, <TCP_ANY>, or <CIFS_ANY>.
Note: Although port 443 is typically used for https and requires SSL, the app server can use other port numbers requiring SSL.
Proxy/ATC: Select if you want to direct the AppTunnel service traffic through the proxy server. You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).
Server SPN List: Enter the Service Principal Name (SPN) for each server, separated by semicolons. For example:
sharepoint1.company.com;sharepoint2.company.com
The Server SPN List applies only when the Service Name is not <ANY> and the Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN, you can leave the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List. The first server in the Server List corresponds to the first SPN in the Server SPN List, the second server in the Server List corresponds to the second SPN in the Server SPN List, and so on.
Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the Standalone Sentry assumes that the SPN is the same as the server name received from the device.
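The Server List and Server SPN List rules above (host:port entries separated by semicolons, one SPN per server when an SPN list is given, the host name as default SPN, and round-robin tunnel assignment), worked through as an added Python example that is not MobileIron code; the function names and the sample host names and addresses are the example's own.

```python
"""Validate an AppTunnel service's Server List and Server SPN List and show the
round-robin order in which the Sentry assigns tunnels to app servers.

Added example; not MobileIron code. The rules are the ones documented above:
entries are host:port separated by semicolons, the Server List does not apply
to <ANY>/<TCP_ANY>/<CIFS_ANY>, an SPN is only needed when Server Auth is
Kerberos, an empty SPN list means each SPN equals its server's name, and a
non-empty SPN list must have exactly one SPN per server, paired by position.
Function names and the sample host names are the example's own."""
import re
from typing import List, Optional, Tuple

# Services that have no associated app servers, so the Server List is not used.
ANY_SERVICES = {"<ANY>", "<TCP_ANY>", "<CIFS_ANY>"}

# Host names or IPv4 addresses: letters, digits, dots and hyphens.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_server_list(server_list: str) -> List[Tuple[str, int]]:
    """Split 'host:port;host:port' into (host, port) pairs, rejecting malformed entries."""
    servers = []
    for entry in (e.strip() for e in server_list.split(";")):
        if not entry:
            continue                      # tolerate a trailing semicolon
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"server entry {entry!r} must be host:port")
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host name {host!r} in {entry!r}")
        servers.append((host, int(port)))
    return servers


def pair_servers_with_spns(service_name: str, server_auth: str,
                           server_list: str, spn_list: str = ""
                           ) -> List[Tuple[str, int, Optional[str]]]:
    """Return [(host, port, spn)] as the Sentry would pair them.

    For Pass Through no SPN is involved, so spn is None. For Kerberos (KCD) the
    SPN defaults to the server's host name when the SPN list is empty; otherwise
    the i-th server is paired with the i-th SPN and the counts must match."""
    if service_name in ANY_SERVICES:
        raise ValueError(f"the Server List is not applicable to {service_name}")
    servers = parse_server_list(server_list)
    if not servers:
        raise ValueError("the Server List needs at least one host:port entry")
    if server_auth != "Kerberos":
        return [(host, port, None) for host, port in servers]
    spns = [s.strip() for s in spn_list.split(";") if s.strip()]
    if not spns:
        return [(host, port, host) for host, port in servers]
    if len(spns) != len(servers):
        raise ValueError(f"{len(servers)} servers but {len(spns)} SPNs: "
                         "the Server SPN List must list one SPN per server")
    return [(host, port, spn) for (host, port), spn in zip(servers, spns)]


def validation_error(*args, **kwargs) -> Optional[str]:
    """Return the validation message for a service definition, or None if it is valid."""
    try:
        pair_servers_with_spns(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def round_robin_assignment(servers: List, tunnel_count: int) -> List:
    """Server chosen for each successive tunnel: first tunnel to the first
    server, second to the second, wrapping around to the first again."""
    return [servers[i % len(servers)] for i in range(tunnel_count)]


if __name__ == "__main__":
    # Constructed sample: two SharePoint servers addressed by IP, each with its own SPN.
    mapping = pair_servers_with_spns(
        "SharePoint", "Kerberos",
        "10.0.1.21:443;10.0.1.22:443",
        "sharepoint1.company.com;sharepoint2.company.com")
    for host, port, spn in mapping:
        print(f"{host}:{port} -> SPN {spn}")
    for n, server in enumerate(round_robin_assignment(mapping, 3), 1):
        print(f"tunnel {n} -> {server[0]}")
    print(validation_error("SharePoint", "Kerberos",
                           "a.company.com:443;b.company.com:443", "only-one.company.com"))
```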
Kerberos Authentication Configuration
If you select Kerberos for the Server Auth field for an AppTunnel service, this section appears. For Kerberos authentication information for both ActiveSync and AppTunnel, see Authentication using an identity certificate and Kerberos constrained delegation on page 412.
Use keytab file: Select this field to upload a Kerberos-generated keytab file. Click Upload File to upload the keytab file. Uploading the keytab file populates the Realm and Sentry Service Principal fields.
Realm: If you do not upload a keytab file, enter the Kerberos administrative domain. The realm is usually the company domain name, in all uppercase characters.
Sentry Service Principal: If you do not upload a keytab file, enter the service principal for the Sentry service account, preceded by HTTP/. For example, if the user name of the service account is sentry1_kcd, the service principal would be HTTP/sentry1_kcd.
Password: If you do not upload a keytab file, enter the password for the Sentry service account.
Key distribution center: Optionally enter the key distribution center, which is the network service that supplies session tickets and temporary session keys. This field is generally the Active Directory domain controller hostname. If you do not enter a key distribution center, the system auto-detects it.

4. Click Save.
5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the Sentry configured for app tunneling, click the View Certificate link. This makes the Sentry's certificate known to MobileIron Core.
Configuring an AppConnect app configuration

An AppConnect app configuration is applicable for iOS AppConnect apps, and for
Android AppConnect apps starting with Mobile@Work 5.6 for Android.

An AppConnect app configuration:
• specifies AppTunnel settings for the app.
• specifies app-specific configuration for the app.
• can be automatically created by MobileIron Core.

Note: For each AppConnect app, make sure only one AppConnect app configuration
applies to each device.

Automatically created AppConnect app configuration

When you upload an AppConnect app to MobileIron Core's app distribution library, Core creates an AppConnect app configuration automatically as follows:
• For Android AppConnect apps: Core always takes this automatic action. If the app has specified configuration requirements, Core uses that configuration. Otherwise, Core creates an AppConnect app configuration with no configuration values.
• For iOS AppConnect apps built using the AppConnect for iOS SDK: Core takes this automatic action only if the app has specified configuration requirements in its IPA file. Also, this automatic action does not occur when you specify an Apple App Store AppConnect app as a recommended app.
• For wrapped iOS AppConnect apps: Core does not take this automatic action.
The name of the automatically created AppConnect app configuration is:
• For iOS AppConnect apps: Default <bundle ID of app> Configuration
• For Android AppConnect apps: Default <package ID of app> Configuration

Note: In the Admin Portal, on Policies & Configs > Configurations, the name of the
app, not the name of the AppConnect app configuration, displays in the name column.

MobileIron Core keeps in sync the labels that you apply to the app and the labels that
you apply to the AppConnect app configuration that Core automatically created.

Important: Use the automatically created app configuration only as a reference. The reason is that if you modify the key-value pairs in an automatically created AppConnect app configuration, your modified settings are lost when you upload a new version of the app. They will be replaced with the key-value pairs specified in the uploaded app. This replacement can result in device users losing previously configured settings. Therefore, manually create an AppConnect app configuration, copying into it the keys from the automatically created app configuration. Then enter appropriate values for the keys you copied.

Automatically provided key-value pairs

MobileIron Core takes a special action for some iOS AppConnect apps in the Apple App Store that you specify as recommended apps. When you enter the bundle ID of one of these apps in the Application field of an app configuration and then save the app configuration, Core automatically populates the key-value pairs for the recommended app. Core does not overwrite any key-value pairs that you manually added. You can then edit the app configuration to change the provided key-value pairs, if necessary.

Configuration tasks
To configure an AppConnect app configuration:
1. In the Admin Portal, select Policy & Configs > Configurations.
2. Select Add New > AppConnect > Configuration to create an AppConnect app configuration.

Use the following guidelines to create or edit an AppConnect app configuration:

Item Description
Name: Enter brief text that identifies this AppConnect app configuration.
Note: If MobileIron Core automatically created this AppConnect app configuration:
• You cannot edit the name.
• The name is not the same as the name that appears in the name column in Policy & Configs > Configurations.
Description: Enter additional text that clarifies the purpose of this AppConnect app configuration.

Application: Android, starting with Mobile@Work 5.6: Select an Android AppConnect app from the MobileIron Core app distribution library.
iOS: Select an iOS AppConnect app from the MobileIron Core app distribution library or enter the bundle ID of an iOS AppConnect app. A bundle ID that you enter is case sensitive.
Note: The dropdown selection includes an iOS AppConnect app only if both of the following statements are true:
• The app was added to the Core app distribution library as an in-house app.
• The app specifies default app-specific configurations.

AppTunnel: Configure AppTunnel settings for this app. First, configure the Standalone Sentry to support AppTunnel. See Configuring an AppTunnel service on page 608. When the app tries to connect to the URL (and port, for Android) configured here, the Sentry creates a tunnel to the app server.

URL Wildcard: Enter one of the following:
• an app server's hostname. Example: finance.yourcompany.com
• a hostname with wildcards. The wildcard character is *. Example: *.yourcompanyname.com
If the app requests to access this hostname, the Sentry tunnels the app data to an app server. The Sentry and Service fields that you specify in this AppTunnel row determine the target app server.
Note:
• On Android devices, the app data is tunneled only if the app's request matches this hostname and the port number specified in the Port field of this AppTunnel row.
• On iOS devices, only the hostname, not the port number, determines whether the app data is tunneled.
• A hostname with wildcards works only with the service <ANY>, <TCP_ANY>, or <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Sentry tunnels the data to the app server that has the URL that the app specified.
• The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname (and port, for Android) that the app requested is chosen. That row determines the Sentry and Service to use for tunneling.
• Do not include a URI scheme, such as http:// or https://, in this field.
Port: Enter the port number that the app requests to access.
On Android devices: The app data is tunneled only if the app's request matches the hostname in the URL Wildcard field and this port number. If you do not enter a port number, the port in the app's request is not used to determine whether data is tunneled.
On iOS devices: Only the hostname, not the port number, determines whether the app data is tunneled.
Note: Entering a port number in this field is required when both of the following are true:
• The hostname in the URL Wildcard field does not contain a wildcard.
• The service is not <ANY> or <CIFS_ANY>.

Sentry: Select a Sentry configured for app tunneling from the drop-down list.
Service: Select a service name from the drop-down list. This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.
Note: If you entered a URL with wildcards in the URL Wildcard field, you can only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY> service must be configured in the App Tunneling Configuration section of the Sentry configured for App Tunneling.
If the service on the Sentry is configured with its Server Auth set to Kerberos, the AppConnect app uses Single Sign On. That is, the device user does not enter any further credentials when the app accesses its enterprise app server.
Identity Certificate: Select the Certificate or the SCEP profile that you created for app tunneling. For more information, see SCEP settings on page 301 and Certificates settings on page 300.
Configurations: Specify app-specific configuration settings as key-value pairs.
• To add a key-value pair, click +.
• To delete a key-value pair, click -.

Key: Enter the key. The key is any string that the app recognizes as a configurable item. For example: userid, appURL
Value: Enter the value. The value is either:
• a string. The string can have any value that is meaningful to the app. It can also include one or more of these MobileIron Core variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$. If you do not want to provide a value, enter $NULL$. The $NULL$ value tells the app that the app user will need to provide the value. For example:
$USERID$
https://someEnterpriseURL.com
• a SCEP or Certificate setting. SCEP and Certificate settings that you configured in Policy & Configs > Configurations appear in the dropdown list. When you choose a SCEP or Certificate setting, MobileIron Core sends the contents of the certificate as the value. If the certificate is password-encoded, Core automatically sends another key-value pair. The key's name is the string <name of key for certificate>_MI_CERT_PW. The value is the certificate's password.

3. Click Save.
4. Select the new AppConnect app configuration.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this AppConnect app configuration.
7. Click Apply.
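The URL Wildcard, Port and Service matching rules from the table above (first matching row wins, Android matches hostname and port while iOS matches hostname only, wildcards only with the <ANY>-style services, no URI scheme, port required for a specific hostname with a specific service), implemented as an added Python example that is not MobileIron code; AppTunnelRow, the function names and the sample rows are the example's own.

```python
"""Resolve which AppTunnel row handles an app's connection, applying the
URL Wildcard, Port and Service rules from the AppConnect app configuration.

Added example; not MobileIron code. AppTunnelRow and the function names are
the example's own, and the sample rows are constructed. The rules implemented
are the documented ones: rows are tried in order and the first match wins,
'*' is the only wildcard, Android matches hostname and (when the row has a
port) port while iOS matches hostname only, a wildcard hostname is valid only
with <ANY>/<TCP_ANY>/<CIFS_ANY>, the field takes no URI scheme, and a port is
required when the hostname has no wildcard and the service is neither <ANY>
nor <CIFS_ANY>."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

WILDCARD_SERVICES = {"<ANY>", "<TCP_ANY>", "<CIFS_ANY>"}
PORT_OPTIONAL_SERVICES = {"<ANY>", "<CIFS_ANY>"}


@dataclass(frozen=True)
class AppTunnelRow:
    url_wildcard: str      # hostname, optionally with '*' wildcards
    port: Optional[int]    # None when the Port field is left empty
    sentry: str            # Sentry configured for app tunneling
    service: str           # AppTunnel service name configured on that Sentry


def validate_row(row: AppTunnelRow) -> List[str]:
    """Return the configuration problems with one row (empty list if it is valid)."""
    problems = []
    if "://" in row.url_wildcard:
        problems.append("URL Wildcard must not include a URI scheme such as https://")
    has_wildcard = "*" in row.url_wildcard
    if has_wildcard and row.service not in WILDCARD_SERVICES:
        problems.append("a wildcard hostname works only with <ANY>, <TCP_ANY> or "
                        f"<CIFS_ANY>, not {row.service}")
    if not has_wildcard and row.port is None and row.service not in PORT_OPTIONAL_SERVICES:
        problems.append(f"Port is required for {row.url_wildcard} with service {row.service}")
    return problems


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match in which '*' matches any run of characters and
    every other character is literal (so '.' is not a regex metacharacter)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, hostname.lower()) is not None


def select_row(rows: Sequence[AppTunnelRow], platform: str,
               hostname: str, port: int) -> Optional[AppTunnelRow]:
    """First row matching the app's request, or None if the data is not tunneled.

    platform is 'android' or 'ios'. On Android a row with a Port also requires
    the requested port to match; on iOS the hostname alone decides."""
    for row in rows:
        if not hostname_matches(row.url_wildcard, hostname):
            continue
        if platform == "android" and row.port is not None and row.port != port:
            continue
        return row
    return None


# Constructed sample configuration: a specific service for the finance server,
# then a wildcard catch-all that relies on the <ANY> service.
ROWS = [
    AppTunnelRow("finance.yourcompany.com", 443, "sentry-dmz-1", "Finance"),
    AppTunnelRow("*.yourcompanyname.com", None, "sentry-dmz-1", "<ANY>"),
]

if __name__ == "__main__":
    for platform, host, port in [("android", "finance.yourcompany.com", 443),
                                 ("android", "finance.yourcompany.com", 8443),
                                 ("ios", "finance.yourcompany.com", 8443),
                                 ("android", "wiki.yourcompanyname.com", 80)]:
        row = select_row(ROWS, platform, host, port)
        target = f"{row.sentry} / {row.service}" if row else "not tunneled"
        print(f"{platform:7} {host}:{port} -> {target}")
    bad_row = AppTunnelRow("*.yourcompany.com", None, "sentry-dmz-1", "Finance")
    for problem in validate_row(bad_row):
        print("invalid row:", problem)
```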

Be sure to apply one of the labels that you selected to the device. To check the device's labels:
1. Go to Users and Devices > Devices.
2. Select the device.
3. In the Device Details Pane, select Label Membership.

To add a label to the device:

1. Select the device.
2. Select More Actions > Apply To Label.
3. Select the labels to apply to the device.

4. Click Apply.
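How the Configurations key-value pairs described above reach the app for one device user (Core variable substitution, $NULL$ passed through so the app prompts the user, and the automatic <key>_MI_CERT_PW pair for a password-encoded certificate), as an added Python example that is not MobileIron code; the CoreUser and CertSetting types and all sample values are constructed.

```python
"""Render the Configurations key-value pairs of an AppConnect app configuration
as one device user would receive them: Core variables substituted, $NULL$
passed through so the app prompts the user, and a certificate value joined by
the automatic <key>_MI_CERT_PW pair when the certificate is password-encoded.

Added example; not MobileIron code. The CoreUser and CertSetting types, the
sample user and the sample certificate text are constructed; the variable
names, $NULL$ and the _MI_CERT_PW suffix are the ones documented above.
Assumption: an unset USER_CUSTOMn attribute is substituted as an empty string."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

NULL = "$NULL$"
VARIABLE_RE = re.compile(r"\$(USERID|EMAIL|USER_CUSTOM[1-4])\$")


@dataclass
class CoreUser:
    userid: str
    email: str
    custom: Dict[int, str] = field(default_factory=dict)  # USER_CUSTOM1..4 values

    def variable(self, name: str) -> str:
        """Value of one Core variable (USERID, EMAIL, USER_CUSTOMn) for this user."""
        if name == "USERID":
            return self.userid
        if name == "EMAIL":
            return self.email
        return self.custom.get(int(name[-1]), "")  # assumption: unset -> empty string


@dataclass(frozen=True)
class CertSetting:
    """A SCEP or Certificate setting chosen from the Value dropdown."""
    certificate: str                # what Core sends as the value
    password: Optional[str] = None  # set when the certificate is password-encoded


def render_config(pairs: Dict[str, Union[str, CertSetting]], user: CoreUser) -> Dict[str, str]:
    """Key-value pairs as delivered to the app for one user.

    Keys keep their order; a certificate pair adds a <key>_MI_CERT_PW entry
    directly after the certificate itself when a password is set."""
    delivered: Dict[str, str] = {}
    for key, value in pairs.items():
        if isinstance(value, CertSetting):
            delivered[key] = value.certificate
            if value.password is not None:
                delivered[f"{key}_MI_CERT_PW"] = value.password
        elif value == NULL:
            delivered[key] = NULL  # the app must ask the user for this value
        else:
            delivered[key] = VARIABLE_RE.sub(lambda m: user.variable(m.group(1)), value)
    return delivered


def keys_needing_user_input(delivered: Dict[str, str]) -> List[str]:
    """Keys the app must prompt for, i.e. those whose value is $NULL$."""
    return [key for key, value in delivered.items() if value == NULL]


# Constructed sample data (not a real certificate or password).
SAMPLE_USER = CoreUser("jdoe", "jdoe@yourcompany.com", {1: "Finance"})
SAMPLE_PAIRS = {
    "userid": "$USERID$",
    "appURL": "https://someEnterpriseURL.com/$USER_CUSTOM1$/home",
    "mailbox": "$EMAIL$",
    "region": "$USER_CUSTOM2$",
    "apiToken": NULL,
    "clientCert": CertSetting(
        "-----BEGIN CERTIFICATE-----\nSAMPLE-CERT-BODY-NOT-A-REAL-CERTIFICATE\n"
        "-----END CERTIFICATE-----",
        password="example-p12-password"),
}

if __name__ == "__main__":
    rendered = render_config(SAMPLE_PAIRS, SAMPLE_USER)
    for key, value in rendered.items():
        first_line = value.split("\n")[0]
        print(f"{key} = {first_line}")
    print("prompt user for:", keys_needing_user_input(rendered))
```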

Enabling AppTunnel
If you are deploying secure apps developed by your organization or a third party, you
need to enable an additional product to use app tunnels with these apps:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.

3. Select Enable AppTunnel for third-party and in-house apps.


4. Click Save.

Note: Do not select this option if you are using AppTunnel only for Docs@Work.

Configuring the Open With Secure Email App option

When you use AppConnect for Android, device users use a secure email app so that,
when Standalone Sentry delivers emails with attachments to these Android devices,
the attachments remain in the secure container. Therefore, you typically configure
Standalone Sentry to use the email attachment control setting called Open With
Secure Email App for Android devices that support AppConnect.

Do the following:
1. In the Admin Portal, go to Settings > Sentry.
2. Select the Standalone Sentry.
3. Click the Edit icon.
4. Select Enable Attachment Control, which is in the Attachment Control Configuration
section of the ActiveSync Configuration section.
5. For Android Using Secure Apps, select Open With Secure Email App.

Configuring compliance actions

The security policy that is applied to a device determines what situations make a device non-compliant. For each situation, the security policy specifies a compliance action. These actions can be either default compliance actions or custom compliance actions.

Some compliance actions impact AppConnect apps as follows:

• Immediately block access to the web sites configured to use the AppTunnel feature.
• Unauthorize AppConnect apps.
• Delete (wipe) the secure data of AppConnect apps.

For details about compliance actions that impact AppConnect apps, see Compliance
actions for security policy violations on page 192.

To specify a compliance action:
1. Go to Policies & Configs > Policies on the Admin Portal.
2. Select a security policy.
3. Click Edit.
4. Select an access control setting. For example, select When A Compromised iOS Device Is Detected.
5. Select a default or custom compliance action from the dropdown list.
6. Click Save.

Managing AppTunnel
• Manually blocking the AppTunnel feature on a device on page 623: You can block all the AppConnect apps of a particular device from using the AppTunnel feature.
• Viewing App Tunnels on page 623: View all the tunnels for every app and device.
• Taking actions on app tunnels on page 624: You can direct the Standalone Sentry to block a particular app on a particular device from using an AppTunnel.

Manually blocking the AppTunnel feature on a device

You can manually block the AppTunnel feature on a device for all AppConnect apps.
The authorized AppConnect apps remain authorized, but the apps will no longer be
able to access the web sites configured to use the AppTunnel feature.

AppConnect apps provided by MobileIron, as well as apps developed in-house or by third parties, are all impacted.

Note: On iOS devices, the set of impacted apps includes the Docs@Work features in
Mobile@Work for iOS.

To manually block the AppTunnel feature in AppConnect apps on a device:

1. Go to Users & Devices > Devices.
2. Select a device.
3. Select Actions > More Actions > Block App Tunnels.
4. Add a note.
5. Click Block AppTunnels.

Later, you can unblock the AppTunnel feature:
1. Go to Users & Devices > Devices.
2. Select a device.
3. Select Actions > More Actions > Allow App Tunnels.
4. Add a note.
5. Click Allow AppTunnels.

Viewing App Tunnels

Once an app tunnel is established, you can view the AppTunnel details in the App Tunnels page.
To view app tunnels, in the Admin Portal, go to Apps > App Tunnels.

The following information is displayed:

Column Description
Application: The app bundle ID. For Docs@Work, the app name is displayed.
User: The AppConnect app user.
Status: The status of the device.
State: The app tunnel state. The state can be Allow or Block.
Version: The app tunnel headers version that the device uses to talk to the Sentry.
Service: Service name of the app tunnel. If your Standalone Sentry is not Version 5.0, the Service field will be empty for new Version 1 tunnels.
Creation Time: The time when the app tunnel was created.
App Bundle: The app bundle ID for iOS AppConnect apps, and the package ID for Android AppConnect apps.

Taking actions on app tunnels

Follow these steps to take action on an app tunnel:
1. In the Admin Portal, go to Apps > App Tunnels.
2. Select the app tunnel you wish to take action on.
3. Click on one of the actions described in the following table.

Action Description
Allow: Permits the AppConnect app on the device to access the app server(s) through a Sentry.
Block: Prohibits the AppConnect app on the device from accessing the app server(s) through a Sentry.
Remove: Deletes the app tunnel information. After a Remove, Sentry will not have any memory of the app tunnel. When the user on the device uses the app, a new app tunnel is established. Remove is generally used for troubleshooting purposes.

Using AppConnect for Android

An Android device user can use an AppConnect app only if:
• The device user has been authenticated through MobileIron Core. The user must use the Mobile@Work for Android app to register a device with MobileIron Core. Registration authenticates the device user.
• You have authorized the app to run on the device. If the app is not authorized, the app does not allow the device user to access any secure data or functionality. If a device user launches an unauthorized wrapped app, the app displays a message and exits. To authorize an AppConnect app for a device, you apply the appropriate labels to the app's AppConnect container policy.
• No situation has caused an authorized AppConnect app to become unauthorized for a device. These situations include, for example, when the device has been out of contact with Core for a period of time that you configure.
• The device user has entered the AppConnect passcode. You configure the rules about the complexity of the passcode.

Why a Secure Apps Manager?

The Secure Apps Manager performs the following tasks to support AppConnect-enabled apps on Android devices:
• manages the data encryption key.
• handles the single sign-on for all AppConnect apps.
• provides a list of all the AppConnect apps on the device.

AppConnect apps that MobileIron provides for Android

MobileIron provides the following AppConnect apps:
• ThinkFree Document Viewer
This secure ThinkFree Document Viewer is part of the MobileIron Docs@Work solution. It allows the device user to securely view documents from other AppConnect apps. For example, ThinkFree Document Viewer displays email attachments opened with secure email client apps. It also displays documents opened with the secure SharePoint Client app.
The ThinkFree Document Viewer has no shortcut on the homescreen. It launches automatically when the device user selects a document for viewing from an AppConnect app, if the document is a type that ThinkFree Document Viewer supports.
• File Manager
This secure File Manager app is part of the Docs@Work solution. It allows a user to save, browse, and manage files in the secure container. For example, the user can browse saved email attachments. The user can also save documents from any other AppConnect app.

• File Manager with SharePoint Client
The secure File Manager app is also available with the secure SharePoint Client app included. The SharePoint Client app is part of the Docs@Work solution. It allows a device user to view folders and documents that are shared on a content server, such as Microsoft SharePoint. The device user needs to have a valid user ID and password to access the content server.
In Android Secure Apps 5.7 and later, the SharePoint Client app supports Microsoft SharePoint 2007, 2010, and 2013. It also supports IIS-based WebDAV and CIFS-based content repositories. Android Secure Apps 5.9 adds support for Apache-based WebDAV content repositories. The Android SharePoint Client app supports both basic and NTLM authentication from the client to the content server. It also supports Kerberos Constrained Delegation.
Working with the AppConnect versions of ThinkFree Document Viewer and File Manager, the SharePoint Client app provides the document viewing and storage capability of the Docs@Work solution.
Note: The .apk file for the File Manager also contains the SharePoint Client app. Therefore, the SharePoint Client does not appear as a separate app in the list of secure apps that the device user installs. The File Manager installation includes installing the SharePoint Client.
• Android Email+
Android Email+ provides the native email client experience with ease of setup and other important features. You can deploy it as part of your Docs@Work solution along with Secure Apps Manager, ThinkFree Viewer, and File Manager. However, this app is provided under different MobileIron licensing.
See the Android Email+ Release Upgrade Guide for details on obtaining and deploying Android Email+.
• Web@Work
Web@Work is a secure browser that allows your device users to easily and securely access your organization's web content. It is not part of the Docs@Work solution; it is provided under different MobileIron licensing.
See Web@Work on page 653 for details on obtaining and deploying Web@Work.

Third-party AppConnect apps that MobileIron provides for Android
MobileIron provides the following third-party AppConnect apps:
• Divide PIM
Divide PIM (Personal Information Manager) for Android provides secure email, calendar, contacts, and tasks on corporate-owned and BYOD Android devices running Android 4.0 through Android 4.4. Divide PIM is not part of the Docs@Work solution. It is a third-party AppConnect app. To use it, you must have a MobileIron license for third-party AppConnect apps.
Working with the AppConnect versions of ThinkFree Document Viewer and File Manager, emails and their attachments are available only in the AppConnect container.

For more information about Divide PIM, including how to deploy it, see the Divide PIM Release Upgrade Guide. The version that MobileIron supports is at https://support.mobileiron.com/support/CDL.html.
• IBM Notes Traveler
IBM Notes Traveler is the client for the IBM Notes Traveler server. It provides access to email, contacts, calendar, and tasks. Contact IBM for licensing for IBM Notes Traveler.
IBM Notes Traveler is not part of the Docs@Work solution. It is a third-party AppConnect app. To use it, you must have a MobileIron license for third-party AppConnect apps.
Working with the AppConnect versions of ThinkFree Document Viewer and File Manager, emails and their attachments are available only in the AppConnect container. You can secure data-in-motion using the AppTunnel feature. See Using AppTunnel with the IBM Notes Traveler client app on page 632.
The automatically generated AppConnect app configuration includes configuration settings, such as the IBM Notes Traveler server. You can edit these settings so that the device user does not have to enter them manually. You do not configure an Exchange app setting when using IBM Notes Traveler.
Note: Standalone Sentry email attachment control does not support the IBM Notes Traveler client. When you configure attachment control on the Standalone Sentry, the settings you select have no impact on email attachment delivery to IBM Notes Traveler. The attachment control settings apply only to ActiveSync servers and email clients.
Starting with Secure Apps 5.9.0.1, MobileIron provides a secure version of IBM Notes Traveler version 9.0.1.0_201404021602. The version that MobileIron supports is at https://support.mobileiron.com/support/CDL.html.
• Polaris Office
Polaris Office for Android provides secure document viewing and editing on Android devices. Using it requires an additional license. Polaris Office is not part of the Docs@Work solution. It is a third-party AppConnect app. To use it, you must have a MobileIron license for third-party AppConnect apps.
Polaris Office also requires a license key. The license key allows MobileIron to track how many devices in your company are using the app. You provide the license key to the devices that use the app by including it in the AppConnect app configuration for the app. For more information, see License key support on page 631.
• NitroDesk TouchDown
The AppConnect version of the NitroDesk TouchDown email app provides a consistent user experience across a broad range of Android devices. Working with the AppConnect versions of ThinkFree Document Viewer and File Manager, emails and their attachments are available only in the AppConnect container. This combination of secure apps can provide the secure email attachment capability of the Docs@Work solution.
Starting with Secure Apps 5.7, MobileIron provides a secure version of NitroDesk TouchDown 8.1.00052. The version that MobileIron supports is at https://support.mobileiron.com/support/CDL.html.

Hybrid web app support

Android Secure Apps 6.0 adds full containerization support for AppConnect-enabled hybrid web apps on devices running Android 4.0 through 4.4. A hybrid web app is an Android app (APK file) that the device user installs on the device, unlike a pure web app that the user accesses through a web browser.

Note: Web@Work for Android, the secure browser that MobileIron provides, allows you to run pure web apps in the AppConnect secure container.

In a hybrid web app, business logic and content presentation occur using Android WebView and WebKit technologies, specifically within an object of the Java class android.webkit.WebView. The WebView object locally renders content using web technologies such as HTML, CSS, and JavaScript. The WebView object can access the web content from a network resource or from embedded web content.

Starting with Android Secure Apps 6.0, like other app data, data related to the android.webkit.WebView class is encrypted. This web-related data can include cookies, the web cache, and web databases.

The following diagram illustrates a hybrid web app on an Android device.

PhoneGap apps
Android Secure Apps 6.0 adds support for AppConnect-enabled PhoneGap apps on
devices running Android 4.0 through 4.4. That is, you can now wrap an APK file that
was created using the PhoneGap mobile development framework. The wrapped
PhoneGap app is a type of AppConnect-enabled hybrid web app.

See phonegap.com for information about creating PhoneGap apps.

Hybrid web apps using Advanced AppTunnel

Hybrid web apps, including PhoneGap apps, use Android WebView and WebKit technologies to access and display web content. Wrapped hybrid web apps typically access the content on app servers that are behind the enterprise firewall. Advanced AppTunnel supports securing this data in motion starting with Android Secure Apps 6.0. Advanced AppTunnel is supported only on devices running Android 4.0 through 4.4.

Note: Advanced AppTunnel supports TCP tunneling from the app to enterprise servers behind the firewall. Standard AppTunnel supports only HTTP/S tunneling. Because WebView does not use one of the HTTP/S APIs that Android AppConnect wrapping supports, Advanced AppTunnel is required for AppConnect-enabled hybrid web apps.

When a hybrid web app uses Advanced AppTunnel, the traffic between the device and the Standalone Sentry is secured using a Secure Sockets Layer (SSL) session, as shown in the following diagram:

Note:
• Advanced AppTunnel does not support wrapped hybrid web apps using UDP.
• Only hybrid web apps can use Advanced AppTunnel. An app written in Java without using Android WebView and WebKit technologies can use only standard AppTunnel to tunnel HTTP/S connections. MobileIron supports standard AppTunnel in Java apps only if the app uses the HTTP/S APIs specified in the MobileIron AppConnect for Android App Developers Guide.
• Contact the application vendor or developer to find out whether to configure Advanced AppTunnel or standard AppTunnel.
• The procedure to configure Advanced AppTunnel is mostly the same as the procedure to configure standard AppTunnel (HTTP/S tunneling). The difference involves the AppTunnel service that you configure on the Standalone Sentry. See Configuring a TCP tunnel service on page 401.

Enabling MobileIron Core licensing options for Android secure apps
On the Admin Portal, in Settings > Preferences, you specify whether you have a license for:
• Docs@Work
• AppConnect for third-party and in-house apps
• AppTunnel for third-party and in-house apps
• Web@Work

The following table shows which Android secure apps you can deploy for the options
Docs@Work, AppConnect for third-party and in-house apps, and Web@Work. Select
each option only if your organization has purchased it.

If you enable Docs@Work, you can deploy:
• Secure Android Email+
• NitroDesk TouchDown*
• FileManager
• ThinkFree Document Viewer
• SharePoint Client

If you enable AppConnect for third-party and in-house apps, you can deploy:
• Secure Android Email+
• NitroDesk TouchDown*
• FileManager
• ThinkFree Document Viewer
• IBM Notes Traveler
• Divide PIM*
• Polaris Office*
• Other third-party AppConnect apps*
• In-house AppConnect apps

If you enable Web@Work, you can deploy:
• Web@Work

*In addition to purchasing the Additional Products option, these apps have an additional cost.

Enable AppTunnel for third-party and in-house apps for the following apps if your organization has purchased AppTunnel:
• IBM Notes Traveler, if you are securing data-in-motion with AppTunnel.
Note: The data-in-motion for the email apps Secure NitroDesk TouchDown, Android Email+, and Divide PIM is secure without using AppTunnel.
• Any third-party or in-house apps, if you are securing data-in-motion with AppTunnel.

Note: When using AppTunnel only to tunnel data from the SharePoint client app to content servers, you do not need to select the option to enable AppTunnel for third-party and in-house apps.

To enable the appropriate licensing options:

1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select the appropriate option.
4. Click Save.

License key support

Starting with Android Secure Apps 5.9, third-party AppConnect apps that MobileIron provides can require a license key to run. Currently, only Polaris Office requires a license key. The license key allows MobileIron to track how many devices in your company are using the app. When your company purchased the app, MobileIron provided a license key with the order.

An example of a license key is 1adadecd357456c123456.

You provide the license key to the devices that use the app by including it in the AppConnect app configuration for the app. When the app first runs on a device, the Secure Apps Manager validates the license key and passes it to a MobileIron activation server. The MobileIron activation server logs the use of the app on that device.

If this process fails, the app does not run. Possible failure reasons are configuring an invalid license key, configuring no license key, or no network connectivity on the device.

Note: The Secure Apps Manager communicates with the MobileIron activation server using HTTPS. Therefore, devices are required to have access to the public Internet the first time the app launches for this feature to work.

To provide the license key to the app, add a key-value pair to the app's AppConnect app configuration:
• Key: MI_APP_LICENSE
• Value: The license key that you received with your order. For example: 1adadecd357456c123456

Document types supported by ThinkFree Document Viewer

AppConnect apps can display documents using the secure ThinkFree Document Viewer. The ThinkFree Document Viewer supports the following types of documents:
• .doc (MS Word 97/2000/XP/2003)
• .docx (MS Word 2007/2010)
• .rtf (Rich Text Format)
• .dot/.dotx (MS Word template)
• .xls (MS Excel 97/2000/XP/2003)
• .xlsx (MS Excel 2007/2010)
• .csv (Comma Separated Value)
• .xlt/.xltx (MS Excel template)
• .ppt (MS PowerPoint 97/2000/XP/2003)
• .pptx (MS PowerPoint 2007/2010)
• .pot/.potx (MS PowerPoint template)
• .pps/.ppsx (MS PowerPoint slide show)
• .pdf (Portable Document Format, supports version 1.6 or above)

If the device user tries to view a document type that is not in this list, the Android OS
indicates that no app is available to open the selected file.

Note: AppConnect apps can use other secure file viewers if they are also AppConnect
apps.

Using AppTunnel with the SharePoint Client app

Starting with Mobile@Work 5.6, you can use AppTunnel capabilities to provide a
unique secure connection from the SharePoint Client app on the device to a content
server, such as the SharePoint service. A Standalone Sentry is necessary to support
tunneling. You can also set up the AppTunnel capabilities for Single Sign On if your
environment and the content server support Kerberos Constrained Delegation.

The SharePoint Client is part of the secure File Manager. Therefore, the SharePoint
Client does not appear as a separate app in the list of secure apps that the device user
installs. It also does not appear as a separate app in the app distribution library on
MobileIron Core. When a device user installs the secure File Manager, they also install
the SharePoint Client.

Set up the AppTunnel as described in Adding AppTunnel or Advanced AppTunnel
support on page 588. Part of that process is to set up the tunneling section of the
AppConnect app configuration. Because the SharePoint Client app is part of the secure
File Manager, you set up SharePoint tunneling in the AppConnect app configuration for
the File Manager app.

Using AppTunnel with the IBM Notes Traveler client app

Starting with Android Secure Apps 5.7, you can use AppTunnel capabilities to provide
a unique secure connection from the IBM Notes Traveler client on the Android device
to the IBM Notes Traveler server. A Standalone Sentry is necessary to support
tunneling.

Set up the AppTunnel as described in Adding AppTunnel or Advanced AppTunnel
support on page 588. Part of that process is to set up the tunneling section of the
AppConnect app configuration. You set up tunneling in the AppConnect app
configuration for the IBM Notes Traveler app.

Additional Standalone Sentry requirements exist for using the AppTunnel feature for
the IBM Notes Traveler client. Do one of the following:
- Use VSP 5.7 through 6.0 and Standalone Sentry 4.7 through 4.9.
  No special configuration is necessary for IBM Notes Traveler with these versions of
  VSP and Sentry.
- Dedicate a Standalone Sentry to tunneling for IBM Notes Traveler if you are using a
  Standalone Sentry version prior to 4.7.
  This option requires you to configure session timeout values for the Sentry.

To configure session timeout values, do the following steps in the Admin Portal:
1. Go to Settings > Sentry.
2. Select the entry to edit.
3. Click the edit icon next to the entry.
4. Scroll down to Advanced Configuration.
5. Click to expand.
6. Click Yes when prompted.
7. Enter the following values:

Setting                     Value
Socket read/write timeout   10000 milliseconds, which is the default value
Server connection timeout   10000 milliseconds, which is the default value
Server response timeout     900000 milliseconds
Device request timeout      900000 milliseconds

8. Click Save.

For more information, see Adding a MobileIron Standalone Sentry entry on page 398.

Lock, unlock, and retire impact on AppConnect for Android

Locking, unlocking, or retiring an Android device impacts access to AppConnect apps
and their associated data.

Lock impact
Locking a device causes the device user to be locked out of AppConnect apps. The
user must reenter the secure apps passcode to access AppConnect apps. The Secure
Apps Manager prompts the user to reenter the passcode when the user launches:
- the Secure Apps Manager
- any AppConnect app

If the device also uses a device passcode, the user must first reenter the device
passcode.

Unlock impact
Unlocking a device removes the device passcode and also removes the secure apps
passcode. The Secure Apps Manager notifies the device user to create a new secure
apps passcode when the user launches:
- the Mobile@Work app
- the Secure Apps Manager
- any AppConnect app

No data relating to AppConnect apps is removed when a device is unlocked. Once the
device user creates a new secure apps passcode, the data becomes accessible again.

Issuing an Unlock command is useful in the following scenarios:

- You enabled secure apps in an AppConnect global policy and applied it to a device.
  The device user installed the secure apps and created the secure apps passcode.
  Later, you disable secure apps and repush the policy to the device. Finally, you
  reenable secure apps and repush the policy to the device. The device user cannot
  access the secure apps until you send an Unlock command to the device. Then, the
  device user creates a new secure apps passcode and can access the secure apps.
- You change the secure apps passcode requirements in an AppConnect global policy,
  and repush the policy to the device. The device user does not have to update his
  secure apps passcode to meet the new requirements. However, you can send an
  Unlock command to the device, which results in prompting the device user to
  create a new secure apps passcode. The new passcode must adhere to the new
  policy requirements.

Retire impact
Retiring a device unregisters the device from MobileIron Core.

Retiring a device impacts AppConnect apps as follows:

- The device user cannot open any AppConnect apps or the Secure Apps Manager.
- Data that the AppConnect apps saved to device storage is deleted.

However, the device user must manually uninstall the AppConnect apps and the
Secure Apps Manager.

Retiring a device, therefore, retires the AppConnect apps on the device. For more
information about retiring AppConnect apps, see AppConnect app authorization on
page 603.

Copy/Paste for AppConnect for Android

You configure the copy/paste DLP policy for AppConnect for Android in the
AppConnect global policy. You can choose no restrictions for copy/paste, copy/paste
only among AppConnect apps, or copy/paste only within each AppConnect app.

Each row of the following table summarizes whether copy/paste is allowed for a set of
apps depending on the copy/paste setting:

                                    Copy/Paste setting in AppConnect global policy
                                    No restrictions  Among AppConnect apps  Within an AppConnect app
Between an AppConnect app and       Allowed          Not allowed            Not allowed
an unsecured app
Between different AppConnect apps   Allowed          Allowed                Not allowed
Within each AppConnect app          Allowed          Allowed                Allowed
Between different unsecured apps    Allowed          Allowed                Allowed
Within each unsecured app           Allowed          Allowed                Allowed

Comparison with AppConnect for iOS copy/paste policy

Symmetrical versus one-way
- AppConnect for Android: Copy/paste restrictions are symmetrical. For example, if
  you restrict copy/paste to among AppConnect apps, you cannot copy out of an
  AppConnect app into an unsecured app, and you cannot copy out of an unsecured
  app into an AppConnect app.
- AppConnect for iOS: The iOS Copy/Paste To DLP setting prohibits copying out of an
  AppConnect app into an unsecured app, but you can copy from an unsecured app
  into an AppConnect app.

Restriction levels
- AppConnect for Android: The copy/paste policy provides three restriction levels:
  - No copy/paste restrictions.
  - Allow copy/paste only among AppConnect apps.
  - Allow copy/paste only within an AppConnect app.
- AppConnect for iOS: The iOS Copy/Paste To DLP setting provides only two
  restriction levels:
  - Do not allow copying from an AppConnect app.
  - Allow copying from an AppConnect app to any other app.

Default setting
- AppConnect for Android: The default copy/paste option is no restrictions. This
  behavior is consistent with the behavior of your AppConnect for Android
  installed base.
- AppConnect for iOS: The default option is to not allow the user to copy data
  from AppConnect apps to unsecured apps.

Interaction with Exchange setting

The Exchange setting for a device has a copy/paste option for NitroDesk TouchDown
and Android Email+. This option allows or disables the use of copy/paste commands in
these apps. The option applies to both the AppConnect-enabled version and the
unsecured version of these apps.

If the Exchange setting disables copy/paste commands, then no copy/paste use is
possible in these apps. In this case, the copy/paste DLP setting in the AppConnect
global policy has no impact on these apps.

If the Exchange setting allows copy/paste commands, the copy/paste DLP setting in
the AppConnect global policy determines the extent of copy/paste use in these apps,
just as it does with other apps.

The following table summarizes the copy/paste behavior for secure and unsecured
TouchDown and Email+, depending on the Exchange setting and the AppConnect
global policy setting:

Copy/Paste DLP setting on AppConnect global policy, when the Exchange setting
disables copy/paste:
  No restrictions:           Not allowed for secure and unsecured TouchDown and Email+.
  Among AppConnect apps:     Not allowed for secure and unsecured TouchDown and Email+.
  Within an AppConnect app:  Not allowed for secure and unsecured TouchDown and Email+.

Copy/Paste DLP setting on AppConnect global policy, when the Exchange setting
allows copy/paste:
  No restrictions:           Allowed for secure and unsecured TouchDown and Email+.
  Among AppConnect apps:     Allowed among AppConnect apps for secure TouchDown and
                             Email+. Allowed among unsecured apps for unsecured
                             TouchDown and Email+.
  Within an AppConnect app:  Allowed within each of secure TouchDown and Email+.
                             Allowed among unsecured apps for unsecured TouchDown
                             and Email+.
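
The copy/paste rules of the three tables above in code, as an added example that is
not part of this guide: it encodes the symmetrical Android levels, the one-way iOS
Copy/Paste To setting and the Exchange-setting override for TouchDown and Email+,
and recomputes the columns of the Android table so they can be checked against the
page. App names are constructed; treating secure-to-secure pastes as allowed under
the iOS "do not allow" level is an assumption, since the text only describes the
secure-to-unsecured direction.

```python
"""Copy/paste DLP decisions for AppConnect, modelled from this section.

Added example, not MobileIron code. It encodes the rules the text states:
the Android policy has three levels and is symmetrical, the iOS Copy/Paste To
setting has two levels and is one-way, and the Exchange setting for
NitroDesk TouchDown and Android Email+ overrides the Android policy when it
disables copy/paste. App names below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class AndroidDLP(Enum):
    """The three Copy/Paste settings in the AppConnect global policy."""
    NO_RESTRICTIONS = "no restrictions"          # default
    AMONG_APPCONNECT = "among AppConnect apps"
    WITHIN_APP = "within an AppConnect app"


class IOSCopyPasteTo(Enum):
    """The two levels of the iOS Copy/Paste To DLP setting."""
    DISALLOW = "do not allow copying from an AppConnect app"   # default
    ALLOW_ANY = "allow copying from an AppConnect app to any other app"


@dataclass(frozen=True)
class App:
    name: str
    secure: bool                   # True for an AppConnect (secure) app
    exchange_client: bool = False  # TouchDown or Email+, secure or unsecured


def android_allowed(policy, src, dst, exchange_copy_paste_enabled=True):
    """True if content copied in `src` may be pasted into `dst` on Android."""
    # The Exchange setting wins for TouchDown/Email+ in either role, and for
    # both the AppConnect-enabled and the unsecured version of the app.
    if not exchange_copy_paste_enabled and (src.exchange_client or dst.exchange_client):
        return False
    if policy is AndroidDLP.NO_RESTRICTIONS:
        return True
    # The policy never restricts unsecured apps among themselves.
    if not src.secure and not dst.secure:
        return True
    # Symmetrical: crossing the secure/unsecured boundary is blocked in
    # both directions, unlike iOS.
    if src.secure != dst.secure:
        return False
    # Both apps are AppConnect apps.
    if policy is AndroidDLP.AMONG_APPCONNECT:
        return True
    return src == dst              # WITHIN_APP: same app only


def ios_allowed(setting, src, dst):
    """True if the iOS Copy/Paste To setting permits the paste.

    iOS is one-way: only copying out of an AppConnect app into an unsecured
    app is controlled, and pasting into an AppConnect app is always allowed.
    Assumption: the section says nothing about secure-to-secure pastes under
    DISALLOW, so this model leaves them allowed.
    """
    if setting is IOSCopyPasteTo.ALLOW_ANY:
        return True
    return not (src.secure and not dst.secure)


def android_table_column(policy):
    """Recompute one column of the section's copy/paste table for `policy`."""
    a, b = App("Secure A", True), App("Secure B", True)
    u, v = App("Plain U", False), App("Plain V", False)
    return {
        "between an AppConnect app and an unsecured app": android_allowed(policy, a, u),
        "between different AppConnect apps": android_allowed(policy, a, b),
        "within each AppConnect app": android_allowed(policy, a, a),
        "between different unsecured apps": android_allowed(policy, u, v),
        "within each unsecured app": android_allowed(policy, u, u),
    }


if __name__ == "__main__":
    for policy in AndroidDLP:
        print(policy.value, android_table_column(policy))
```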

DLP policy for browser launching

You configure the DLP policy for browser launching in the AppConnect global policy.
This Web DLP policy specifies whether an unsecured browser can attempt to display a
web page when a device user taps the page's URL in a secure app.

Company Confidential
636
AppConnect

For example, consider a device user who is viewing an email in a secure email app,
and the email body contains a URL. The user taps on the URL to view the web page in
a browser. The following table describes the behavior for opening browsers from
secure apps:

Web DLP policy: allowed
  Web@Work installed:      The user is prompted to choose between Web@Work and
                           available unsecured browsers to attempt to display the
                           web page.
  Web@Work not installed:  Unsecured browser attempts to display the web page.

Web DLP policy: not allowed
  Web@Work installed:      Web@Work displays the web page.
  Web@Work not installed:  Web page does not display. An error message is displayed
                           that indicates that a secure browser is required but not
                           installed.

Note: If the URL points to a server behind the enterprise's firewall, an unsecured
browser's attempt to display the web page fails.

Secure File Manager features

The Secure File Manager allows a user to save, browse, and manage files in the secure
container. For example, the user can browse saved email attachments or SharePoint
documents. The user can also save documents from any other AppConnect app.

The secure File Manager app also supports the following:

- Unzipping files from a secure app (starting with Android Secure Apps 5.7.1)
  When the device user taps a ZIP file in a secure app, such as when a ZIP file is an
  email attachment, the File Manager app opens. The files in the ZIP file are stored in
  the folder sdcard/UnzippedFiles. If the device user subsequently unzips a ZIP file
  containing files with the same name as previously stored files, the files are
  overwritten.
- File download using the Android DownloadManager API (starting with Android
  Secure Apps 5.9)
  Some secure apps use the Android DownloadManager API to download files securely
  to the device. For such downloads to be successful, the FileManager that MobileIron
  provides must also be installed on the device. The FileManager ensures downloaded
  files remain in the secure container. Only secure apps in the container can access
  the files.

Secure folder access

Starting with Android Secure Apps 5.9, AppConnect apps have read-only access to the
device's system folder. The system folder contains, for example, ringtone files and
font files. System folder access means that:
- An AppConnect app such as NitroDesk TouchDown can allow a device user to select
  one of the system folder's ringtones.
- An AppConnect app such as Polaris Office can now access the system folder's font
  files.
- The secure File Manager can display the system folder.

Situations that wipe Android AppConnect app data

When an AppConnect app is retired, it becomes unauthorized (blocked), and its data
is deleted (wiped). The following situations retire an AppConnect app:
- You disable AppConnect in the AppConnect global policy for the device (starting
  with Android Secure Apps 5.7).
- The device user uninstalls Mobile@Work or the Secure Apps Manager on the device.
- You retire the device.
- The number of days specified in the Wipe AppConnect Data After field of the
  device's AppConnect global policy has passed.
- You remove the Secure Apps Manager in Apps > App Distribution Library (starting
  with Android Secure Apps 5.7).
- You remove the label for a device from the Secure Apps Manager on Apps > App
  Distribution Library (starting with Android Secure Apps 5.7).
- You quarantine the device due to a compliance action (starting with Android Secure
  Apps 5.7).

Accessible Android apps to preserve the user experience

AppConnect apps can share data only with other AppConnect apps.

However, some exceptions exist to this rule to:
- Preserve the device user experience.
- Enable the use of system services, such as making voice calls.

The exceptions are:
- Browsers
  Tapping a link in an AppConnect app launches a browser.
- Maps
  Tapping a meeting location in an AppConnect email app launches a maps app.
- Phone calls
  Tapping a phone number in any AppConnect app will make a phone call.
- SMS
  An AppConnect app such as TouchDown can allow the device user to send an SMS
  to a corporate contact.

Company Confidential
638
AppConnect

Device details for AppConnect apps for Android

The Admin Portal shows the status of AppConnect apps on Android devices.

To see these device details:

1. On the Admin Portal, go to Users & Devices > Devices.
2. Expand the device details panel of an Android device, by clicking the up arrow next
   to the checkbox.
3. Select the Device Details tab.

The following details relate to AppConnect apps on the device:

Item: Secure Apps Encryption Mode
Description: Indicates one of the following values:
  Unavailable
    A version of Secure Apps Manager prior to 5.9 is installed on the device, or
    Secure Apps Manager is not installed on the device.
  AES-128
    The device user upgraded to Secure Apps Manager 5.9 from a prior version.
  AES-256
    The device user installed Secure Apps Manager 5.9 on a device that had no prior
    version, or the device user upgraded to Secure Apps Manager 5.9 from a prior
    version and then you disabled and re-enabled AppConnect on the device. This
    procedure wiped all the AppConnect data and changed the encryption mode to
    AES-256.

Item: Secure Apps Encryption State
Description: The value is Enabled if the device user has created a secure apps
  passcode. Otherwise, the value is Disabled.

Item: Secure Apps State
Description: Indicates the state of secure apps on the device:
  not installed
    The device user has not yet installed all the secure apps.
  installed
    The device user has installed all the secure apps. However, he has not yet
    created the secure apps passcode.
  ready
    The device user has installed the secure apps, and created the secure apps
    passcode.

Company Confidential
639
AppConnect

Secure Apps Manager Android permission

The following table shows the Android permissions that Secure Apps Manager uses,
and why.

Permission: Your personal information (read contact data)
  Reason needed: Accessing contacts from secure IBM Notes Traveler
Permission: Network communication (full Internet access)
  Reason needed: Application activation tracking
Permission: Network communication (view network state)
  Reason needed: Application activation tracking
Permission: Your accounts (manage the accounts list, discover known accounts)
  Reason needed: Removing secure accounts when the device is retired or AppConnect
  apps are retired.
Permission: Hardware controls (take pictures and videos)
  Reason needed: Accessing the camera from secure apps
Permission: Services that cost you money (directly call phone numbers)
  Reason needed: Allows Secure Apps Manager to place phone calls on behalf of a
  secure app
Permission: System tools (automatically start at boot, kill background processes)
  Reason needed: Allows Secure Apps Manager to start automatically when the device
  starts. Allows Secure Apps Manager to close secure apps when the device is
  retired or AppConnect apps are retired.
Permission: Storage (modify/delete SD card contents)
  Reason needed: Encryption of secure content on the SD card

Company Confidential
640
AppConnect

Using AppConnect for iOS

An iOS device user can use an AppConnect app only if:
- The device user has been authenticated through MobileIron Core.
  The user must use the Mobile@Work for iOS app to register the device with
  MobileIron Core. Registration authenticates the device user.
- You have authorized the app to run on the device.
  If the app is not authorized, the app does not allow the device user to access any
  secure data or functionality. If a device user launches an unauthorized wrapped
  app, the app displays a message and exits. An SDK app should have the same
  behavior if the app handles only secure data and functionality. Otherwise, an SDK
  app runs but restricts the user to only unsecured functionality and data.
  To authorize an AppConnect app for a device, you apply the appropriate labels to
  the app's AppConnect container policy.
- No situation has caused an authorized AppConnect app to become unauthorized for
  a device.
  These situations include, for example, when the device OS is compromised.
  Mobile@Work reports device information to MobileIron Core. Core then determines
  whether to change the AppConnect apps on the device to unauthorized based on
  security policies and associated compliance actions that you configure.
- The device user has entered the AppConnect passcode.
  You configure whether the AppConnect passcode is enabled, and also configure
  rules about its complexity.

AppConnect apps that MobileIron provides for iOS

Besides using third-party or in-house AppConnect apps created with app wrapping or
the SDK, you can use AppConnect apps that MobileIron provides. These AppConnect
apps are:
- the Mobile@Work capabilities to view and store documents from content servers
  and email attachments. These Docs@Work features of Mobile@Work for iOS are
  essentially an AppConnect app within Mobile@Work.
- Web@Work, which is a MobileIron iOS app that allows your users to easily and
  securely access your organization's web content.

Note: You do not have to purchase the AppConnect feature that supports third-party
and in-house apps to use Web@Work or the Docs@Work features of Mobile@Work.

Mobile@Work and AppConnect apps

Mobile@Work for iOS supports AppConnect apps in the following ways:
- It communicates with MobileIron Core to get management and security-related
  information and passes the information to the AppConnect apps.
  Mobile@Work periodically does an app checkin with Core to get this information.
  You configure the app checkin interval in the AppConnect global policy. It is the
  maximum time between app checkins while an AppConnect app is running. See
  Configuring the AppConnect global policy on page 590.
- It enforces the AppConnect passcode.
  Mobile@Work prompts the device user to create an AppConnect passcode when
  first launching any AppConnect app. You configure a passcode inactivity timeout in
  the AppConnect global policy. When this timeout expires, Mobile@Work prompts
  the device user to reenter his AppConnect passcode.

App checkin and Mobile@Work

On each app checkin, Mobile@Work gets AppConnect policy updates for all the
AppConnect apps that have already run on the device. These updates include changes
to:
- the AppConnect global policy for the device.
- AppConnect container policies for each of the AppConnect apps that have run on
  the device.
- AppConnect app configurations for each of the AppConnect apps that have run on
  the device.
- the current authorization status for each of the AppConnect apps that have run on
  the device.

Mobile@Work does an app checkin in the following situations:

- The device user launches an AppConnect app for the first time.
  In this situation, Mobile@Work finds out about the app for the first time, and adds it
  to the set of AppConnect apps for which it gets updates.
- The app checkin interval expires while an AppConnect app is running.
- The app checkin interval expired while no AppConnect apps were running and then
  the device user launches an AppConnect app.

In each of these situations, Mobile@Work launches, and the device user sees the
Mobile@Work app momentarily. Once Mobile@Work has completed the app checkin,
the device user automatically returns to the AppConnect app.

Note: The Force Device Check-in feature on the Admin Portal does not sync the poli-
cies and settings related to AppConnect for iOS. The app check-in interval on the
AppConnect global policy controls these updates. However, in the Mobile@Work for
iOS app on the device, the Force Device Check-in option does sync the policies and
settings related to AppConnect.

The AppConnect passcode inactivity timeout and Mobile@Work

Mobile@Work launches to prompt the device user for the AppConnect passcode in the
following situations:
- The AppConnect passcode inactivity timeout expires while the device is running an
  AppConnect app.
  Note: If the device user is interacting with the app, the inactivity timeout does not
  expire. This case occurs only when the device user has not touched the device for
  the duration of the timeout interval.
- The device user used Mobile@Work to log out of AppConnect apps, and then
  launches an AppConnect app.
- The MobileIron Core administrator has changed the complexity rules of the
  AppConnect passcode, and an app checkin occurs.

In each of these situations, Mobile@Work launches, and presents the device user with
a screen for entering his AppConnect passcode. After the device user enters the
passcode, the device user automatically returns to the AppConnect app.

Situations that wipe AppConnect for iOS app data

When an iOS AppConnect app is retired, it becomes unauthorized (blocked), and its
data is deleted (wiped). The following situations retire an AppConnect app:
- In Settings > Preferences, you disable AppConnect for third-party and in-house
  apps.
  Note: If you disable Web@Work, Web@Work is retired. If you disable Docs@Work,
  Docs@Work is retired by blocking access to the Docs@Work features in
  Mobile@Work, and wiping Docs@Work data.
- You disable AppConnect in the AppConnect global policy for the device.
- You set the AppConnect global policy for the device to inactive.
- The device's AppConnect global policy does not have Apps without an AppConnect
  container policy checked, and you remove the app's AppConnect container policy
  from the device. To remove the policy from the device, you can delete it, or remove
  the device's label from it.
- The device has not completed an AppConnect checkin in the number of days
  specified in the Wipe AppConnect Data After field of the device's AppConnect global
  policy.
- You retire the device.
- You quarantine the device due to a compliance action.
- Mobile@Work is not present on the device, or present but not registered to
  MobileIron Core.
- The app has retired itself. This action can occur in some apps that behave as either
  AppConnect apps or regular, unsecured apps.

Dual-mode apps
Some apps can behave as either an AppConnect-enabled app, or a regular, unsecured,
standalone app. These apps are called dual-mode apps. For example, Divide iOS is a
dual-mode app. As a dual-mode app, the same app can behave as a secure,
enterprise app for enterprise users, or as a regular app for general consumers.

A dual-mode app behaves as an AppConnect-enabled app on a device when:

- Mobile@Work is installed on the device and registered to MobileIron Core.
- You have configured Core to support AppConnect.
- You have configured an AppConnect container policy for the app (or have
  configured the AppConnect global policy to authorize apps that have no AppConnect
  container policy).

Otherwise, the app behaves as a regular, unsecured, standalone app.

Some dual-mode apps allow the device user to change the app into an
AppConnect-enabled app or regular app after having already run it the other way.
Other dual-mode apps require the user to uninstall and reinstall the app to make this
change.

Detailed logging for AppConnect apps for iOS

Starting with Mobile@Work 5.9, you can collect detailed log data for AppConnect for
iOS apps. This capability directs the AppConnect app and the AppConnect library
contained in the app to log detailed data to the device's console. The log data provides
information to help you troubleshoot issues with the apps.

Component compatibility
This feature requires:
- Mobile@Work 5.9
- Apps built with the AppConnect for iOS SDK version 1.7 or apps wrapped with iOS
  AppConnect Wrapper version 1.9.

Log levels
You choose one of four log levels for an AppConnect app. The two highest levels can
log sensitive data. To prohibit unauthorized users from accessing sensitive data, the
two highest levels require the device user to enter a debug code that you specify.

Exactly what sensitive data is logged depends on the app, but can include, for
example:
- Device user data, including document names and contents, contact lists, notes, and
  bookmarks
- Encryption keys, passwords, certificates, signing identities, and cookies
- Complete URLs and URL POST data
- Data that reveals the contents of encrypted data

Company Confidential
644
AppConnect

The following table describes the log levels from lowest (least verbose) to highest
(most verbose):

Log level: Error
  Description: Provides error, warning, and status messages. This level is the
    default. It is always turned on.
    Error messages are for events that block access to part or all of the app.
    Example: Corrupt or missing data
    Warning messages are for events that are suspicious, but not quite failures
    like errors. Example: Unexpected data that is ignored
    Status messages indicate major changes in the state of the app.
    Example: User successfully logged in
  Contains sensitive data? No
  Requires the user to enter the debug code? No

Log level: Info
  Description: Provides error, warning, and status messages, plus more
    information. Info messages indicate minor changes in the state of the app.
    Example: AppConnect app check-in times
  Contains sensitive data? No
  Requires the user to enter the debug code? No

Log level: Verbose
  Description: Provides error, warning, status, and info messages, plus more,
    possibly sensitive, information. Verbose messages provide more extensive
    information, possibly including sensitive details.
    Example: Server URLs
  Contains sensitive data? Yes
  Requires the user to enter the debug code? Yes

Log level: Debug
  Description: Provides error, warning, status, info, and verbose messages, plus
    further information, which is possibly sensitive. Debug messages have the most
    information, possibly including sensitive details.
    Example: URL request details
  Contains sensitive data? Yes
  Requires the user to enter the debug code? Yes

Log data collection overview

To collect log data, you do the following high-level steps:

1. Modify an AppConnect app's app configuration to increase the log level for the app.
   You create a key-value pair that specifies one of four log levels. For the two highest
   log levels, verbose and debug, you create a key-value pair that is the debug code
   that activates logging.
   See Configuring the log level and debug code on page 646.
2. If you chose one of the two highest log levels, ask the device user to turn on
   logging for the app on the device, and to enter the debug code.
   See Activating verbose or debug logging on the device on page 648.
3. Collect the data from the device.
   See Collecting the logs on page 649.
4. View the logs.
   See Viewing the logs on page 650.
5. Revert to the default log level.
   See Remove log level configuration when no longer needed on page 651.

Configuring the log level and debug code

To configure the log level and debug code for an app, do the following:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the app configuration for the app and click Edit.
   If the app does not already have an app configuration, select Add New >
   AppConnect > Configuration. Enter a name and description for the new app
   configuration and the app's bundle ID.
3. In App-specific Configurations, click + to add a key-value pair.
4. Enter MI_AC_LOG_LEVEL in the key field.
   The key name is case-sensitive.
5. Enter one of the following in the value field: error, info, verbose, or debug.
   This value is not case-sensitive.
6. If you entered verbose or debug, click + to add another key-value pair.
7. Enter MI_AC_LOG_LEVEL_CODE in the key field.
   The key name is case-sensitive.
8. Enter a string for the value.
   The device user will enter this string to activate the verbose or debug log level. You
   can make up any string. For example, enter 37!8D. For the most security, use a
   code that is difficult to guess.
   The string is case-sensitive.
9. Click Save.

Apply labels if necessary

If this is a new AppConnect app configuration, apply labels that correspond to the
appropriate devices. For an existing app configuration, verify the labels are for the
appropriate devices.

Consider that the debug level impacts all devices with the applied labels. The same
debug code works for all impacted devices. Although you have to tell a device user the
debug code for the app to log sensitive data, the user can share the debug code with
other users. Therefore, carefully consider which labels are applied to an existing app
configuration to which you add the verbose or debug log levels.

If the app had no app configuration, you can easily narrow down the set of devices
that can log sensitive data. Create a new label and apply it to the app configuration
that you create for assigning log levels. Then add the same label to the devices of
interest.

To apply a label to a new AppConnect app configuration:

1. Select the new AppConnect app configuration.
2. Select More Actions > Apply To Label.
3. Select the labels to which you want to apply the new AppConnect app
   configuration.
4. Click Apply.

Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
1. Go to Users and Devices > Devices.
2. Select the device.
3. In the Device Details Pane, select Label Membership.

To add a label to the device:

1. Select the device.
2. Select More Actions > Apply To Label.
3. Select the labels to apply to the device.
4. Click Apply.

Log level configuration impact on the device

Error level logging is always on, regardless of whether you have configured the
MI_AC_LOG_LEVEL key-value pair, and it requires no actions from the device user.
Info level logging also does not require device user interaction. However, verbose or
debug level logging does not begin until the device user activates debug mode in
Mobile@Work.

The status details for an AppConnect app include a Debug Mode switch only when you
have configured both of the following in the app's AppConnect app configuration:
- a log level of verbose or debug
- a debug code

In this case, the status details for an AppConnect app show the Debug Mode switch.

Note: The keys MI_AC_LOG_LEVEL and MI_AC_LOG_LEVEL_CODE are not included in
the configuration count on an app's detailed status display.

Activating verbose or debug logging on the device

To activate verbose or debug level logging, instruct the device user to do the
following:
1. Open Mobile@Work on the device.
2. Tap Settings.
3. Tap Check For Updates.
4. Tap Force Device Check-In to make sure that Mobile@Work has received the
   updated log level.
5. Tap Settings.
6. Tap Secure Apps Manager.
7. Tap the app for which you want verbose or debug level logging.
8. Tap Debug Mode.
9. Enter the debug code.
10. Tap Next.

Verbose or debug level logging is activated for 24 hours, after which it is automatically
deactivated the next time that the device user launches or switches to the app.
However, the device user can deactivate it any time by tapping Debug Mode again.

Collecting the logs

The log data is sent to the device's console. The iPhone Configuration Utility (IPCU),
available for free from Apple for both Mac OS X and Windows computers, provides the
capability to view a device's console. However, iOS limits the amount of data in the
console. Once the maximum size is reached, iOS removes the oldest data when new
data is logged. The amount of time until iOS removes old data depends on activity on
the device. Typically, it is less than 15 minutes.

Therefore, after the device user has activated debug mode on the device and can
reproduce the issue, instruct the device user to do the following:
1. Download IPCU from Apple's web site and install it on a Mac OS X or Windows computer.
See http://support.apple.com/downloads/#iphone configuration utility.
2. Connect the device to the computer using a USB cable.
3. Open IPCU on the computer.
4. Select the device in the left pane.
5. Select the Console tab.
6. When the issue occurs on the device, click Save Console As...
7. Save the data to a file.
8. Email the file to you.

Viewing the logs

Typically, you work with MobileIron Tech Support to diagnose a problem with AppConnect
apps. When you set the log level for an app, messages logged by the following
components are impacted:
- the AppConnect app
- the MobileIron AppConnect library contained in the AppConnect apps
- the AppConnect wrapper (only applicable for wrapped AppConnect apps)

The messages logged by AppConnect apps, the AppConnect library, and the
AppConnect wrapper include the log level as shown in the following table:

Component: An AppConnect app
App name in log message: The app's name
How the log level appears in messages: [Error], [Warning], [Status], [Info],
[Verbose], [Debug]
Note: The value error for the MI_AC_LOG_LEVEL key in an app's AppConnect app
configuration can result in messages with [Error], [Warning], and [Status].

Component: AppConnect library contained in an AppConnect app
App name in log message: The app's name
How the log level appears in messages: [AppConnect:Error], [AppConnect:Warning],
[AppConnect:Status], [AppConnect:Info], [AppConnect:Verbose], [AppConnect:Debug]
Note: The value error for the MI_AC_LOG_LEVEL key in an app's AppConnect app
configuration can result in messages with [AppConnect:Error], [AppConnect:Warning],
and [AppConnect:Status].

Component: The AppConnect wrapper (only applicable for wrapped AppConnect apps)
App name in log message: The app's name
How the log level appears in messages: [AppConnectWrapper:Error],
[AppConnectWrapper:Warning], [AppConnectWrapper:Status], [AppConnectWrapper:Info],
[AppConnectWrapper:Verbose], [AppConnectWrapper:Debug]
Note: The value error for the MI_AC_LOG_LEVEL key in an app's AppConnect app
configuration can result in messages with [AppConnectWrapper:Error],
[AppConnectWrapper:Warning], and [AppConnectWrapper:Status].
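The following Python script is an added example, not part of this guide or of the MobileIron product. It parses a console capture using only the bracketed level tags from the table above, counts messages per component and level, and flags the verbose and debug lines that may carry sensitive data. The console lines are constructed samples: the tags follow the table, but the timestamp, process and app-name layout around them is an assumption. The mapping from an MI_AC_LOG_LEVEL value to the tags it can produce is taken from the "Note" rows for the error value; treating info, verbose and debug as cumulative steps above it is an assumption.

```python
import re
from collections import Counter

# Constructed sample of an iOS console capture (layout around the tags is assumed).
SAMPLE_CONSOLE = """\
Jun 29 10:15:01 iPad SecureNotes[412] <Notice>: SecureNotes [Error] request to https://intranet.example.com failed
Jun 29 10:15:02 iPad SecureNotes[412] <Notice>: SecureNotes [AppConnect:Status] policy check complete
Jun 29 10:15:02 iPad SecureNotes[412] <Notice>: SecureNotes [AppConnect:Debug] container key derived
Jun 29 10:15:03 iPad SecureNotes[412] <Notice>: SecureNotes [AppConnectWrapper:Verbose] hooked NSURLConnection
Jun 29 10:15:03 iPad SecureNotes[412] <Notice>: SecureNotes [Warning] slow response (2.1s)
Jun 29 10:15:04 iPad SpringBoard[55] <Notice>: unrelated system message
"""

LEVEL_TAGS = ("Error", "Warning", "Status", "Info", "Verbose", "Debug")
# Tags each MI_AC_LOG_LEVEL value admits: "error" is from the table's Note rows,
# the higher values are assumed to add one tag each.
ALLOWED_TAGS = {
    "error": {"Error", "Warning", "Status"},
    "info": {"Error", "Warning", "Status", "Info"},
    "verbose": {"Error", "Warning", "Status", "Info", "Verbose"},
    "debug": set(LEVEL_TAGS),
}
COMPONENTS = {None: "app", "AppConnect": "library", "AppConnectWrapper": "wrapper"}
TAG_RE = re.compile(
    r"\[(?:(AppConnect|AppConnectWrapper):)?(" + "|".join(LEVEL_TAGS) + r")\]"
)


def parse_line(line):
    """Return {component, level, message} for an AppConnect-tagged line, else None."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    return {
        "component": COMPONENTS[m.group(1)],
        "level": m.group(2),
        "message": line[m.end():].strip(),
    }


def summarize(console_text):
    """Count messages per (component, level) and collect the verbose/debug
    lines, which are the ones that may contain sensitive data."""
    counts = Counter()
    sensitive = []
    for line in console_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["component"], rec["level"])] += 1
        if rec["level"] in ("Verbose", "Debug"):
            sensitive.append(rec)
    return counts, sensitive


def unexpected_levels(console_text, configured_level):
    """Levels present in the capture that the configured MI_AC_LOG_LEVEL value
    should not produce. A non-empty result after you removed the key-value
    pairs means the app is still logging at the old level (for example, the
    device has not checked in yet or debug mode is still active)."""
    allowed = ALLOWED_TAGS[configured_level.lower()]
    seen = {rec["level"] for rec in map(parse_line, console_text.splitlines()) if rec}
    return sorted(seen - allowed)


if __name__ == "__main__":
    counts, sensitive = summarize(SAMPLE_CONSOLE)
    for (component, level), n in sorted(counts.items()):
        print(f"{component:8s} {level:8s} {n}")
    print("possibly sensitive lines:", len(sensitive))
    print("levels above 'error':", unexpected_levels(SAMPLE_CONSOLE, "error"))
```

Run it against the console file the device user emailed you; unexpected_levels with the value you expect after cleanup is a quick check that the app has really stopped logging at verbose or debug.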

Remove log level configuration when no longer needed

Once you have collected the logs from the device user, remove the MI_AC_LOG_LEVEL
and MI_AC_LOG_LEVEL_CODE key-value pairs from the app's AppConnect app
configuration. This best practice ensures the app does not continue logging sensitive data
unnecessarily.

Do the following:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the app configuration for the app and click Edit.
3. In App-specific Configurations, click - to remove the key-value pairs.
4. Click Save.

Upgrade considerations
Consider the case when the AppConnect app configuration on MobileIron Core contains
the log-related key-value pairs before a device user upgrades to Mobile@Work
5.9. When the device user upgrades, the configured log levels are not automatically
applied. The log level defaults to error.

To apply the configured log levels:
1. Modify the AppConnect app configuration.
For example, modify its description field. When you save the modification, the
device will receive the log-related key-value pairs when the device next checks in.
2. To apply immediately, do a Force Device Check-in on the device.
On Users & Devices > Devices, select the device, and then select Actions > Force
Device Check-in.

Chapter 17

Web@Work
Overview
Secure enterprise web site access using AppTunnel
Web@Work user agent string
Configuring Web@Work on the Admin Portal


Overview
Web@Work is an AppConnect app provided by MobileIron that allows your users to
securely access your organization's web content on iOS and Android devices using
AppTunnel technology rather than requiring VPN configuration. The way you configure
Web@Work on MobileIron Core is essentially the same for both iOS and Android
devices, except for how each app is distributed. iOS and Android versions of
Web@Work support the same core functionality. However, some features of
Web@Work are specific to only one or the other operating system. Where the feature
set is not commonly shared, this chapter denotes features specific to only one
operating system as iOS or Android, as applicable.

AppConnect and non-AppConnect modes: Web@Work for iOS

Starting with version 1.1.3, Web@Work for iOS operates as a standalone, non-
AppConnect web browser if it is installed from the Apple App Store and launched for
the first time on a device where Mobile@Work is not installed. Web@Work installed in
this manner always remains in non-AppConnect mode (unmanaged by MobileIron),
even if you later install Mobile@Work on the device.

For Web@Work to be in AppConnect mode (managed by MobileIron), the following
conditions must be met:
- The device must have Mobile@Work installed and must be registered to MobileIron
Core when Web@Work is launched for the first time.
- On Core, the Authorize Apps without an AppConnect container policy option must
be selected (checked) in the AppConnect Global Policy, or there must be a valid
AppConnect container policy.

If Mobile@Work is already installed on the device and registered to MobileIron Core,
an install or update of Web@Work from the App Store puts Web@Work into
AppConnect mode when Web@Work is launched for the first time.

To view whether Web@Work is operating as a standalone or AppConnect-enabled app,
check the AppConnect setting under Settings > Web@Work on the iOS device.

Note: If you have installed Web@Work in non-AppConnect mode on a device, the
only way to change it to AppConnect mode is to remove it from the device, install
Mobile@Work, register the device to Core, then re-install and launch Web@Work.

See MobileIron Web@Work for iOS Release Upgrade Guide, Version 1.1.3 for
additional details.

Web@Work overview
Web@Work has the following features.

Feature: Secure access to web sites hosted on servers behind your firewall, without
requiring the device user to use VPN
Platform support: iOS, Android
Description: Web@Work uses AppConnect and AppTunnel capabilities to provide this
secure access.
Note: You can use Web@Work without purchasing AppConnect for third-party or
in-house apps and without purchasing AppTunnel.
See Secure enterprise web site access using AppTunnel on page 660.
Configuration: See Configure a Web@Work setting on page 672.

Feature: Support for Single Sign On using Kerberos Constrained Delegation (KCD)
Platform support: iOS, Android
Description: The device user registers Mobile@Work with MobileIron Core by entering
his MobileIron credentials. Then, the device user can use Web@Work to access an
enterprise app server without having to enter any further credentials. This support
depends on your environment being set up to use KCD, plus the necessary AppTunnel
configuration.
See Authentication using an identity certificate and Kerberos constrained delegation
on page 412.

Feature: Admin-specified bookmarks
Platform support: iOS, Android
Description: Web@Work supports bookmarks that you specify on the Admin Portal.
Configuration: See Configure a Web@Work setting on page 672.

Feature: Ability to provide different Web@Work-related settings to different devices
and users
Platform support: iOS, Android
Description: You can provide different Web@Work-related settings to different devices
and users, depending on, for example, device attributes and user membership in the
enterprise directory. MobileIron Core provides this capability through labeling.
See Using labels to establish groups on page 143.

Feature: Web content presentation and interaction similar to Safari
Platform support: iOS
Description: Because Web@Work uses iOS web technologies, Web@Work automatically
inherits any related iOS security updates that are installed on the device.

Feature: Web content presentation and interaction similar to Google Chrome
Platform support: Android
Description: Web@Work for Android uses the Chromium engine.

Feature: Browser data is encrypted while the device is locked with a passcode
Platform support: iOS
Description: This data includes the browser cache, HTML5 local storage, cookies, URL
history, and bookmarks.
Note: The security policy must require a device passcode on the iOS device to enable
browser data encryption.

Feature: Prevent device user from opening a downloaded document in another app
Platform support: iOS
Description: This behavior protects secure documents from leaking to unsecured apps.

Feature: Prevent the device user from pasting into other apps any data that the user
copied from Web@Work
Platform support: iOS
Description: See Pasteboard data loss prevention handling (iOS) on page 658.
To enable or disable the Allow Copy/Paste To data loss prevention policy, see
Configure an AppConnect container policy for Web@Work on page 671.

Feature: User-specified bookmarks
Platform support: iOS
Description: The device user names, organizes, and removes bookmarks that he
creates. However, the device user cannot name, organize, or remove bookmarks that
you specify in the Admin Portal. The device user can organize bookmarks that he
creates so that they display between bookmarks that you specified.
See Configure a Web@Work setting on page 672.

Feature: URL schemes that open web pages automatically, and only, in Web@Work
Platform support: iOS
Description: See Web@Work URL schemes (iOS) on page 658.

Feature: User can open downloaded documents in other secure apps, such as
ThinkFree Viewer or File Manager.
Platform support: Android

Feature: Encrypt downloaded documents and prevent sharing them outside of the
secure container
Platform support: Android
Description: Screen capture can be disabled, as well. These behaviors protect
documents from leaking to unsecure apps.

Feature: Delete downloaded documents based on device compliance status
Platform support: Android
Description: For example, automatic wipe of downloaded documents can occur in the
following cases:
- The device has been out of contact for the specified amount of time.
- The device is retired.

Multi-factor authentication and authorization for device users

A device user can use Web@Work only if the device user is:
- using a device that is registered with MobileIron Core
Registering a device with Core authenticates the device user.
- authorized to use Web@Work
Using the Admin Portal, you authorize a device to use Web@Work. You use Core's
labeling mechanism to indicate which devices are authorized to use Web@Work.
Note: If the device is not authorized to use Web@Work, the device user cannot use
it even for accessing public web sites.
- in compliance with the security policy applied to the device
Using the Admin Portal, you can set up security policies to block access to
Web@Work if the device fails to meet conditions that you specify. When access is
blocked, the device becomes unauthorized to use Web@Work. Also, all AppTunnel
access is blocked, which blocks access to enterprise web sites.
Note: On iOS devices, be sure to require a device passcode on the security policy,
since a device passcode enables iOS data encryption capabilities. Web@Work uses
iOS data encryption capabilities to encrypt browser data.
- logged in with his or her secure apps passcode
Web@Work is an AppConnect app, and therefore, you can optionally require the
iOS device user to enter a secure apps passcode to use it. For Android device users,
the secure apps passcode is mandatory. The device user uses one secure apps
passcode to access all AppConnect apps. The secure apps passcode is managed by
the Mobile@Work app.
When the device user first launches Web@Work, Mobile@Work prompts the user to
create a secure apps passcode if he had not already created one to use some other
AppConnect app. On subsequent launches of Web@Work, Mobile@Work prompts
the user to enter the secure apps passcode, unless he had recently entered it to
use some other AppConnect app.
Note: On Android, the AppConnect implementation uses its own encryption
implementation and does not require a device passcode. Instead, the secure apps
passcode is required.

Once a device user has registered the device with MobileIron Core and, if required,
entered his secure apps passcode, he has no further Web@Work setup to do.

Note: A device user cannot specify Web@Work as the default browser on the device.
This prohibition ensures that the device user always has easy access to a browser for
non-enterprise browsing, even if the device becomes unauthorized to use Web@Work.

Web@Work URL schemes (iOS)

You can use the following URL schemes to make sure URLs are opened automatically
in Web@Work for iOS:
- mibrowser:// for HTTP connections
- mibrowsers:// for HTTPS connections

For example, a web page opens automatically in Web@Work when the device user:
- taps a link in Safari that uses one of these URL schemes.
- taps a web clip that uses one of these URL schemes.
Note: These URL schemes work in web clips only on devices running iOS 6.0
through iOS 7.1.

Because iOS otherwise automatically opens HTTP and HTTPS URLs only in Mobile
Safari, the native web browser, using these URL schemes in web clips and web pages
for mobile devices can improve the user experience when Web@Work is used for
tunneling.
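The following Python helper is an added example, not part of this guide or of the Web@Work product. It rewrites ordinary http and https URLs to the mibrowser:// and mibrowsers:// schemes above so that links on an intranet landing page or in web clips open in Web@Work, preserving the host, path, query and fragment and refusing any other scheme instead of passing it through unchanged. The host names and labels in the usage are constructed.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Scheme mapping from the section above: scheme of the original URL -> Web@Work scheme.
WEBATWORK_SCHEMES = {"http": "mibrowser", "https": "mibrowsers"}
NATIVE_SCHEMES = {v: k for k, v in WEBATWORK_SCHEMES.items()}


def to_webatwork_url(url):
    """Rewrite an http(s) URL so iOS hands it to Web@Work instead of Safari.

    Authority, path, query and fragment are kept intact; a URL with any other
    scheme (or with no host) raises instead of being emitted as-is.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in WEBATWORK_SCHEMES:
        raise ValueError(f"only http/https URLs can be routed to Web@Work, got {url!r}")
    if not parts.netloc:
        raise ValueError(f"URL has no host: {url!r}")
    return urlunsplit((WEBATWORK_SCHEMES[scheme], parts.netloc, parts.path,
                       parts.query, parts.fragment))


def from_webatwork_url(url):
    """Inverse mapping, useful when auditing or logging the links you publish."""
    parts = urlsplit(url)
    native = NATIVE_SCHEMES.get(parts.scheme.lower())
    if native is None:
        raise ValueError(f"not a Web@Work URL: {url!r}")
    return urlunsplit((native, parts.netloc, parts.path, parts.query, parts.fragment))


def intranet_links_html(links):
    """Render (label, url) pairs as an HTML list for a landing page served to
    devices; every href is rewritten to a Web@Work scheme and escaped."""
    items = []
    for label, url in links:
        href = html.escape(to_webatwork_url(url), quote=True)
        items.append(f'<li><a href="{href}">{html.escape(label)}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    # Constructed sample links for an intranet landing page.
    print(intranet_links_html([
        ("HR portal", "https://intranet.example.com/hr?lang=en#top"),
        ("Build status", "http://ci.example.com/"),
    ]))
```

The rewritten links only help device users who are authorized for Web@Work; on a device where Web@Work is not installed or not authorized, the custom scheme has no handler, so keep the plain https:// version of each link available as well.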

Pasteboard data loss prevention handling (iOS)

Web@Work for iOS supports the copy/paste data loss prevention policy. This policy
determines whether to prevent the device user from pasting secure data from
Web@Work into an unsecured app. You configure it on MobileIron Core in the Allow
Copy/Paste To field of the AppConnect global policy or in the AppConnect container
policy for Web@Work.

When Allow Copy/Paste To is not selected, the device user is not allowed to paste
secure data from Web@Work into an unsecured app. Therefore, Web@Work clears the
pasteboard when it exits only if the device user copied content from inside
Web@Work.

Note: Similarly, when Mobile@Work exits, it clears data copied from inside
Mobile@Work because the Docs@Work content of Mobile@Work is also secure data.

This behavior means that the device user's copy/paste experience for other apps is
not impacted. For example, consider the following scenario:
1. Allow Copy/Paste To is not selected.
2. The device user copies a URL from an unsecured app.
3. The device user launches Web@Work.
4. Mobile@Work launches to prompt the device user for his AppConnect passcode.
At this point, although Web@Work exited, it did not clear the URL from the
pasteboard, since the URL was not copied from inside Web@Work. The device user
can still paste the content into any app, secured or not.
5. When the device user returns to Web@Work, the URL is still available on the
pasteboard.
6. The device user pastes the URL into the Web@Work address bar.

Situations when Web@Work deletes its sensitive data (iOS)

Web@Work for iOS deletes (wipes) website data and closes its tabs in the following
cases:
- The device is not in compliance and you have specified in the compliance action for
the particular non-compliance case to delete data.
- The device user is no longer authenticated with MobileIron Core.

Web@Work for iOS distribution

Make Web@Work for iOS available to device users as a recommended app in the app
distribution library in the Admin Portal (under Apps > App Distribution Library > Add
App). The device user uses the Apps@Work web clip or the Apps@Work web container
app to discover and install Web@Work from the Apple App Store.

See Add Web@Work for iOS to the app distribution library on page 676 for further
details.

Web@Work for Android distribution

You make Web@Work for Android available to device users as an in-house app in the
app distribution library in the Admin Portal (under Apps > App Distribution Library >
Add App). The device user launches Mobile@Work for Android to discover and install
Web@Work, where it will appear under Secure Apps within the Mobile@Work app.
Once installed, the Android device user can open Web@Work from the Secure Apps
Manager or from a shortcut to the app on the home page.

See Upload Web@Work for Android to MobileIron Core and apply labels on page 676
for further details.


Secure enterprise web site access using AppTunnel

Web@Work uses MobileIron's AppTunnel technology to securely access web sites
behind your enterprise's firewall. This technology allows you to:
- Set up Web@Work to access enterprise web sites without requiring the device user
to set up VPN.
- Support Single Sign On using Kerberos Constrained Delegation (KCD).
The device user registers Mobile@Work with MobileIron Core by entering his
MobileIron credentials. Then, the device user can use Web@Work to access an
enterprise app server without having to enter any further credentials. This support
depends on your environment being set up to use KCD, plus the necessary
AppTunnel configuration.
- Limit enterprise access to Web@Work.
Other apps, such as mobile email and calendar synchronization, are not impacted
by Web@Work's enterprise access. Therefore, unlike when you use VPN for
enterprise access, you do not have to retest the behavior of these existing apps.
- Limit the enterprise sites that a device user can access.
You can specify accessible sites in the tunneling configuration. Specifically, as long
as the device stays on the external network, internal sites that are not specified in
the tunneling configuration remain inaccessible. Furthermore, you can vary the
accessible sites according to device and user attributes, such as user membership
in the enterprise directory.
- Terminate enterprise website access based on compliance policies.
Using the security policy for a device, you can specify which non-compliance
situations block AppTunnel access.
- Perform URL filtering to audit and enforce web use policies.
If you direct all outgoing traffic through a filtering proxy, you can direct traffic that
you tunnel through the proxy, too. For example, by setting up Web@Work to tunnel
all requests to www.SomeExternalWebSite.com, you can set the URL rules in your
filtering proxy to block access to that site.
- Benefit from split-tunneling.
You can allow device users to access some public web sites without tunneling, while
enforcing tunneling for other external as well as enterprise web sites. By setting up
this split-tunneling, your device users can access public sites without incurring
additional load on enterprise network infrastructure. In addition, split-tunneling
allows users to access public websites without visibility to the enterprise. Regional
privacy regulations sometimes require this for personally-owned devices.
- Secure tunneled web traffic using multi-factor authentication and authorization.
To use Web@Work, a device must be registered with MobileIron Core and
authorized to use Web@Work.
For iOS, you can optionally require a secure apps passcode to access
Web@Work, in addition to the device passcode.
For Android, it is mandatory to require a secure apps passcode to access
Web@Work.
Furthermore, establishing an AppTunnel requires a unique client-side certificate,
ensuring that only managed and authorized devices can access enterprise web
sites. You can get certificates from a third-party certificate authority (CA) or from
the CA built into MobileIron Core.


Web@Work user agent string

The user agent for a browser identifies the browser to web server applications,
allowing the applications to make choices about the pages and content that they
serve. For example:
- For iOS, the user agent string for Web@Work on an iPad running iOS 7.0.4 is:
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a MobileIron/1.3.0 Version/7.0.4 Safari/537.51.1
- For Android, the user agent string for Web@Work on a Nexus 10 tablet running
Android 4.2.2 is:
Mozilla/5.0 (Linux; Android 4.2.2; Nexus 10 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/537.36

Make sure your web server applications handle Web@Work requests just as they
would handle native browser requests on the iOS or Android device.
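The following Python snippet is an added example for the server side, not part of this guide or of the Web@Work product. It shows what a web application can and cannot learn from the two user agent strings quoted above: the iOS string carries a MobileIron/x.y.z token, the Android string is indistinguishable from Chrome, and in both cases removing the token yields exactly the native browser string, which is how the guide says Web@Work requests should be handled. The Mobile Safari string used for comparison is constructed.

```python
import re

# The two Web@Work user agent strings quoted above.
WEBATWORK_IOS_UA = ("Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
                    "(KHTML, like Gecko) Mobile/11B554a MobileIron/1.3.0 Version/7.0.4 Safari/537.51.1")
WEBATWORK_ANDROID_UA = ("Mozilla/5.0 (Linux; Android 4.2.2; Nexus 10 Build/JDQ39) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/28.0.1500.94 Safari/537.36")
# Constructed Mobile Safari string for comparison (not from the guide).
SAFARI_UA = ("Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
             "(KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53")

MOBILEIRON_TOKEN = re.compile(r" ?\bMobileIron/(\d+(?:\.\d+)*)")
IOS_VERSION = re.compile(r"\bCPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")
ANDROID_VERSION = re.compile(r"\bAndroid (\d+(?:\.\d+)*)")


def classify_user_agent(ua):
    """Describe what a request's User-Agent reveals: platform, OS version and,
    on iOS only, the MobileIron token version. The token is informational;
    it is not an authorization signal (AppTunnel's client certificate is)."""
    info = {"platform": "other", "os_version": None, "webatwork_token": None}
    m = IOS_VERSION.search(ua)
    if m:
        info["platform"] = "ios"
        info["os_version"] = m.group(1).replace("_", ".")
    else:
        m = ANDROID_VERSION.search(ua)
        if m:
            info["platform"] = "android"
            info["os_version"] = m.group(1)
    m = MOBILEIRON_TOKEN.search(ua)
    if m:
        info["webatwork_token"] = m.group(1)
    return info


def native_equivalent(ua):
    """Strip the MobileIron/x.y.z token so UA-sniffing code downstream sees the
    same string it would get from the native browser on that device."""
    return MOBILEIRON_TOKEN.sub("", ua)


if __name__ == "__main__":
    for ua in (WEBATWORK_IOS_UA, WEBATWORK_ANDROID_UA, SAFARI_UA):
        print(classify_user_agent(ua))
        print("  serve as:", native_equivalent(ua))
```

Because the Android string carries no distinguishing token and any client can send any User-Agent, decisions about which devices may reach an internal site belong in the Sentry's device authentication and the security policy, not in user agent checks.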


Configuring Web@Work on the Admin Portal

The following steps are a high level overview of what to configure on the Admin Portal
to provide Web@Work to device users. You can also refer to the how-to guide, Setting
up Docs@Work and Secure Browser with App Tunneling, from the Support site.

Note: To understand when AppConnect-related policies and settings are updated on
the device, see Force Device Check-In on page 353.

Action 1: Enable Web@Work
Configuration: Settings > Preferences > Additional Products > Enable Web@Work.
See Enabling Web@Work on page 665.
Description: The Web@Work license is required on MobileIron Core. This setting
enables support by indicating that you have the required license to deploy Web@Work.
Do not select Enable AppConnect For Third-Party And In-house Apps under Settings,
unless you also purchased that license.

Action 2: Set up a SCEP setting or certificates setting for authenticating devices to
the Sentry.
Configuration: See Certificates settings on page 300 or SCEP settings on page 301.
Description: Do not assign labels to the setting to distribute it to the appropriate
devices. You will configure a Web@Work setting to refer to the SCEP or certificates
setting. That action distributes the SCEP or certificates setting to the appropriate
devices.

Action 3: Set up a Standalone Sentry to support AppTunnel for Web@Work
Configuration: Settings > Sentry > Edit.
See Set up a Standalone Sentry to support AppTunnel for Web@Work on page 665.
Description: Web@Work requires AppTunnel to be configured on a Standalone Sentry.

Action 4: iOS only: Set up a device passcode
Configuration: Policies & Configs > Policies.
See Set up a device passcode (iOS only) on page 670.
Description: Web@Work for iOS requires a device passcode.

Action 5: Configure an AppConnect global policy
Configuration: Policies & Configs > Policies > Default AppConnect Global Policy > Edit,
OR Add New > AppConnect.
See Configure an AppConnect global policy on page 670.
Description: The AppConnect global policy is required because Web@Work is an
AppConnect app. It specifies, for example, secure apps passcode rules and data loss
prevention policies.

Action 6: Configure an AppConnect container policy for Web@Work
Configuration: Policies & Configs > Configurations > Add New > AppConnect >
Container Policy, OR edit the existing policy.
See Configure an AppConnect container policy for Web@Work on page 671.
Description: The AppConnect container policy for Web@Work is used to authorize the
device user to use Web@Work. This policy also configures data loss prevention policies
for the device.

Action 7: Configure a Web@Work setting
Configuration: Policies & Configs > Configurations > Add New > Web@Work.
See Configure a Web@Work setting on page 672.
Description: A Web@Work setting configures:
- AppTunnel settings for Web@Work
- admin-specified browser bookmarks
- key-value pairs for custom configuration

Action 8: iOS only: Add Web@Work as a recommended app
Configuration: Apps & Configs > App Distribution.
See Add Web@Work for iOS to the app distribution library on page 676.
Description: For iOS device users, add Web@Work for iOS to the app distribution
library as a recommended app.

Action 9: Android only: Add Web@Work as an in-house app
Configuration: Apps & Configs > App Distribution.
See Upload Web@Work for Android to MobileIron Core and apply labels on page 676.
Description: Web@Work for Android can only be added to the app distribution library
as an in-house app.

Action 10: Define the situations that mean the device is not in compliance.
Configuration: See Working with security policies on page 182.
Description: You configure these situations in the security policy that you apply to
the device. For each situation, you specify a compliance action. The compliance action
blocks Web@Work from accessing the web sites configured to use AppTunnel. The
compliance action also blocks the device from using AppConnect apps, which include
Web@Work. The action can also delete (wipe) all of Web@Work's sensitive data and
close its tabs.

Action 11: iOS only: Make sure the web content filters block and allow web sites
according to your enterprise requirements.
Configuration: See Web content filter settings on page 331.
Description: Starting with iOS 7, supervised iOS devices support web content filtering.

Enabling Web@Work
A Web@Work license is required on MobileIron Core to enable support. This setting
indicates that you have the required license to deploy Web@Work.
Note: Although Web@Work uses AppConnect capabilities, do not select Enable
AppConnect For Third-party and In-house Apps under Settings, unless you also
purchased that license.

To enable Web@Work:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select Enable Web@Work.
4. Click Save.

Set up a Standalone Sentry to support AppTunnel for Web@Work

Web@Work requires the AppTunnel feature to be configured on a Standalone Sentry.

On the Admin Portal, do the following:

1. In the Admin Portal, go to Settings > Sentry.
2. Click Add New and choose Standalone Sentry.
If you already have a Standalone Sentry that supports AppTunnel, click its edit
icon.
3. Use the following guidelines to configure the AppTunnel for Web@Work.

Item Description
Sentry Host / Enter the external host name or IP address of the server on
IP which the Standalone Sentry is installed.
The host name or IP address must be external because
Web@Work on devices must be able to access the Sentry.
MobileIron Core also needs to connect to this same host name
or IP address. If the host name or IP address is not accessible
by Core and devices, use the name or IP address that the
devices use. Then, using the System Manager, add a static host
entry to Core.
Sentry Port Enter the port that the Standalone Sentry is listening on. The
default is 9090.
Enable App Click the check box to enable AppTunnel support on the Sentry.
Tunneling

Device Authentication Configuration


Note: See Device and server authentication support for Standalone Sentry on
page 408 for authentication information for both ActiveSync and AppTunnel.
Device Select how devices attempting to connect to internal servers
Authentication authenticate with the Standalone Sentry.
Choose Identity Certificate or Group Certificate. If you are using
Kerberos Constrained Delegation to authenticate the user to the
app server, choose Identity Certificate.
Upload If you chose Group Certificate, upload your existing certificate
Certificate (.cer) file.
If you chose Identity Certificate, upload the Root certificate (this
may be a root certificate chain) from the CA you trust. The CA
may be a Root Authority or an Intermediate Authority.
Check Select Check Certificate Revocation List (CRL) if you want to
certificate validate the certificates presented by the device against the
revocation list Certificate Revocation List (CRL) published by the CA.
(CRL) Note that only HTTP and HTTPS based CRLs are supported.
Some CAs create LDAP-based CRLs by default that will not work
with Sentry.
For CRL validation to work, Sentry requires network connectivity
to the CRL Distribution Point (CDP), usually the CA that issued
the certificate, through an HTTP or HTTPS port.

Company Confidential
666
Web@Work

Item Description
Subject Use the Subject Alternate Name Type list to select the field in
Alternative the client certificate that will be used to identify the user for
Name Type Kerberos Constrained Delegation.
The Type is the same type that you specified when generating
the client certificate. This type is often the NT Principal Name.
Value Use the Value list to select the value used in the Subject
Alternate Name field.
Usually, the User UPN (user principal name) is used to identify
the user.

App Tunneling Configuration


Add Context Select the check box to forward additional device context infor-
Headers mation to your corporate backend resource.
This allows your corporate backend resources to further validate
the device.
This feature is available only with Standalone Sentry Version 4.9
or later.

Server-side Proxy
Enter the HTTP proxy server information. Configuring an HTTP proxy server pro-
vides access to corporate resources without having to open the ports that Stand-
alone Sentry would otherwise require.
This feature is available only with Standalone Sentry Version 4.9 or later.
Proxy Host Enter the FQDN of the proxy server.
Name / IP Do not include a URI scheme, such as http:// or https://, in this
field.
Proxy Port Enter the port number for the proxy server.
To add a new service for Web@Work, click +.
Service Name Use the dropdown to select <ANY>
Note: <CIFS_ANY> is not relevant to Web@Work.
Selecting <ANY> means that the Web@Work user can reach any
of your internal servers. Typically, you do not want to restrict
users access. However, if you do want to restrict their access to
internal servers, you can list the services here instead of
selecting <ANY>. The service name is any unique identifier for
the internal servers.
For example, some possible service names are:
SharePoint
Human Resources

The following characters are invalid: 'space' \ ; * ? < > " |.


The Service Name is used in the Web@Work setting.

Company Confidential
667
Web@Work

Server Auth: Select the authentication scheme for the Standalone Sentry to use
to authenticate the user to the enterprise server:
Pass Through: The Sentry passes through the authentication credentials, such
as the user ID and password (basic, digest, or NTLM authentication), to the
enterprise server.
Kerberos: The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports
Single Sign On (SSO). SSO means that the device user does not have to enter
any credentials when Web@Work accesses the enterprise server.
The Kerberos option is only available if you selected Identity Certificate
for Device Authentication.

Server List: Since you typically select <ANY> for the service name for
Web@Work, the server list is not applicable.
Note: <CIFS_ANY> is not relevant to Web@Work.
If you do specify service names, enter each internal server's host name or IP
address (usually an internal host name or IP address). Include the port number
on the internal server that the Sentry can access.
For example:
sharepoint1.companyname.com:443
You can enter multiple servers. The Sentry uses a round-robin distribution to
load balance the servers. That is, it sets up the first tunnel with the first
internal server, the next with the next internal server, and so on. Separate
each server name with a semicolon.
For example:
sharepoint1.companyname.com:443;sharepoint2.companyname.com:443

TLS Enabled: Since you typically select <ANY> for the service name for
Web@Work, TLS Enabled is not applicable.
If you do specify service names, select TLS Enabled if the enterprise servers
listed in the Server List field require SSL.
Note: Although port 443 is typically used for HTTPS and requires SSL, the
enterprise server can use other port numbers requiring SSL.

Proxy Enabled: Select this option to direct the AppTunnel service traffic
through the proxy server. You must also have configured Server-side Proxy.
Server SPN List: Since you typically select <ANY> for the service name for
Web@Work, Server SPN List is not applicable.
Note: <CIFS_ANY> is not relevant to Web@Work.
Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the
Standalone Sentry assumes that the SPN is the same as the server name
received from the device.
If you do specify service names, enter the Service Principal Name (SPN) for
each server, separated by semicolons. For example:
sharepoint1.company.com;sharepoint2.company.com
The Server SPN List applies only when the Service Name is not <ANY> and the
Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN, you can leave
the Server SPN List empty. However, if you include a Server SPN List, the
number of SPNs listed must equal the number of servers listed in the Server
List. The first server in the Server List corresponds to the first SPN in the
Server SPN List, the second server in the Server List corresponds to the
second SPN in the Server SPN List, and so on.
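The Server List and Server SPN List rules above (semicolon-separated host:port entries, round-robin use of the servers, and an SPN list that must pair one-to-one with the server list or be left empty so that each SPN defaults to its server name), together with the invalid-character rule for service names, as an added Python example. This is illustrative code written for this guide, not MobileIron's own validation; the sample values are constructed from the examples in the text, and the sharepoint host names are placeholders.

```python
r"""Validate an AppTunnel service definition (added example, not MobileIron code).

Rules taken from the configuration text:
  * a service name may not contain: space \ ; * ? < > " |
  * Server List: host:port entries separated by semicolons
  * Server SPN List: either empty (each SPN then equals its server's host
    name) or exactly one SPN per server, paired by position
  * tunnels are spread over the servers round-robin
"""
import itertools
import re

INVALID_SERVICE_NAME_CHARS = set(' \\;*?<>"|')
SERVER_RE = re.compile(r"([A-Za-z0-9.-]+):(\d{1,5})")


def service_name_problems(name: str):
    """Return the disallowed characters present in a service name (sorted; empty = OK)."""
    return sorted(c for c in set(name) if c in INVALID_SERVICE_NAME_CHARS)


def parse_server_list(server_list: str):
    """Split 'host:port;host:port' into (host, port) tuples, validating each entry."""
    servers = []
    for entry in server_list.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = SERVER_RE.fullmatch(entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError(f"bad Server List entry {entry!r}: expected host:port")
        servers.append((m.group(1), int(m.group(2))))
    if not servers:
        raise ValueError("Server List is empty")
    return servers


def pair_servers_with_spns(server_list: str, spn_list: str = ""):
    """Map each server to the SPN the Sentry requests a service ticket for."""
    servers = parse_server_list(server_list)
    spns = [s.strip() for s in spn_list.split(";") if s.strip()]
    if spns and len(spns) != len(servers):
        raise ValueError(f"Server SPN List has {len(spns)} entries, "
                         f"Server List has {len(servers)}; they must be equal")
    if not spns:
        spns = [host for host, _ in servers]      # SPN assumed equal to the server name
    return {f"{host}:{port}": spn for (host, port), spn in zip(servers, spns)}


def round_robin(server_list: str, tunnels: int):
    """Which backend each of the next `tunnels` tunnels is set up with."""
    servers = [f"{h}:{p}" for h, p in parse_server_list(server_list)]
    return list(itertools.islice(itertools.cycle(servers), tunnels))


if __name__ == "__main__":
    # Constructed values, based on the examples in the text.
    servers = "sharepoint1.companyname.com:443;sharepoint2.companyname.com:443"
    print(service_name_problems("SharePoint"))          # []
    print(service_name_problems("Share Point"))         # [' ']
    print(pair_servers_with_spns(servers))              # SPN defaults to host name
    print(pair_servers_with_spns(servers, "sharepoint1.company.com;sharepoint2.company.com"))
    print(round_robin(servers, 5))
```

A mismatch between the two list lengths is reported before anything is saved, which is the failure that otherwise shows up only as a Kerberos ticket request for the wrong SPN at tunnel time.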
Kerberos Authentication Configuration
If you select Kerberos for the Server Auth field for an AppTunnel service, this
section appears. For Kerberos authentication information for both ActiveSync and
AppTunnel, see Authentication using an identity certificate and Kerberos
constrained delegation on page 412.

Use keytab file: Select this field to upload a Kerberos-generated keytab file.
Click Upload File to upload the keytab file. Uploading the keytab file
populates the Realm and Sentry Service Principal fields.
Realm: If you do not upload a keytab file, enter the Kerberos administrative
domain. The realm is usually the company domain name, in all uppercase
characters.
Sentry Service Principal: If you do not upload a keytab file, enter the
service principal for the Sentry service account, preceded by HTTP/. For
example, if the user name of the service account is sentry1_kcd, the service
principal would be HTTP/sentry1_kcd.
Password: If you do not upload a keytab file, enter the password for the
Sentry service account.
Key distribution center: Optionally enter the key distribution center, which is
the network service that supplies session tickets and temporary session keys.
This field is generally the Active Directory domain controller hostname.
If you do not enter a key distribution center, the system auto-detects it.

4. Click Save.

5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the
Sentry configured for AppTunneling, click the View Certificate link. This makes the
Sentry's certificate known to MobileIron Core.
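Added example, not MobileIron code: the Kerberos section above says that uploading a keytab populates the Realm and Sentry Service Principal fields. The script below reads the standard MIT keytab layout (file version 0x0502) and reports those two values plus the key version number and encryption type of each entry, so you can confirm that a keytab belongs to the intended service account (the text's HTTP/sentry1_kcd) before it is uploaded. The realm COMPANYNAME.COM, the zero key bytes and the build_keytab helper that produces the sample file are constructed for this example; a real keytab comes from ktpass or ktutil.

```python
"""Inspect a Kerberos keytab before uploading it to the Sentry.

Added example for this guide, not MobileIron code. Parses the MIT keytab
file format (version 0x0502): a 2-byte header followed by entries, each a
signed 32-bit length and then principal components, realm, name type,
timestamp, 8-bit kvno, key block and an optional 32-bit kvno.
"""
import struct
import time
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"


@dataclass
class KeytabEntry:
    realm: str
    principal: str      # components joined with "/", e.g. HTTP/sentry1_kcd
    name_type: int
    timestamp: int
    kvno: int
    enctype: int        # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    key: bytes          # secret material: never log or print it


def _counted(buf: bytes, pos: int):
    """Read a uint16 length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes):
    """Return all live entries in a keytab (deleted slots are skipped)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                    # optional 32-bit kvno, overrides vno8 if non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry(realm.decode(), "/".join(comps),
                                   name_type, ts, kvno, enctype, key))
    return entries


def sentry_fields(data: bytes):
    """The two values the Sentry fills in from the upload: Realm and Sentry Service Principal."""
    first = parse_keytab(data)[0]
    return {"realm": first.realm, "service_principal": first.principal}


def all_entries_for(data: bytes, expected_principal: str) -> bool:
    """True when every entry names the expected service principal (e.g. HTTP/sentry1_kcd)."""
    entries = parse_keytab(data)
    return bool(entries) and all(e.principal == expected_principal for e in entries)


def _cs(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (realm, principal, kvno, enctype, key) tuples; used here only
    to construct sample input offline."""
    out = KEYTAB_MAGIC
    for realm, principal, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        for comp in comps:
            body += _cs(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">H", enctype) + _cs(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: two AES entries for the text's HTTP/sentry1_kcd account.
SAMPLE_KEYTAB = build_keytab([
    ("COMPANYNAME.COM", "HTTP/sentry1_kcd", 3, 18, bytes(32)),
    ("COMPANYNAME.COM", "HTTP/sentry1_kcd", 3, 17, bytes(16)),
])

if __name__ == "__main__":
    print(sentry_fields(SAMPLE_KEYTAB))
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}@{e.realm} kvno={e.kvno} enctype={e.enctype} "
              f"created={time.strftime('%Y-%m-%d', time.gmtime(e.timestamp))}")
```

The kvno reported here is the value to compare against the service account's current key version in Active Directory: a keytab generated before a password reset carries a stale kvno and KCD will fail even though the principal and realm look right.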

Set up a device passcode (iOS only)


In the security policy that you apply to the iOS device, require a device passcode. A
device passcode enables iOS data protection, which is necessary for Web@Work to
encrypt browser data.

To set up a device passcode on iOS devices:


1. On the Admin Portal, go to Policies & Configs > Policies.
2. Select the security policy that applies to the devices that you want to run
Web@Work.
3. Click Edit.
4. For the Password option, select Mandatory.
5. Fill in the remaining options relating to passwords.
6. Click Save.
7. Repeat steps 2 through 6 for all security policies that apply to devices that you
want to run Web@Work.

For detailed information about security policies, see Working with security policies
on page 182.

Configure an AppConnect global policy


Because Web@Work is an AppConnect app, configure an AppConnect global policy. On
this policy, you configure AppConnect global settings, which are settings that are not
specific to an AppConnect app. For example, you configure the AppConnect passcode
requirements.

You also configure default data loss prevention policies. Note that:
Web@Work for iOS supports only the Allow Copy/Paste To option. Enabling the
other options has no impact on Web@Work.
Web@Work for Android supports only the Screen Capture data loss prevention
policy option in the AppConnect global policy.

To configure an AppConnect global policy:


1. In the Admin Portal, select Policies & Configs > Policies.
2. Select Add New > AppConnect.
If you already have an AppConnect global policy, select it, and click Edit.
3. Fill in the fields as described in Configuring the AppConnect global policy on
page 590.
Most fields default to suitable values, but make sure that you select Enabled to
enable AppConnect on the device.
4. Click Save.

5. Apply the appropriate labels to the AppConnect global policy. If you are using the
default AppConnect global policy, it automatically applies to all devices.

Configure an AppConnect container policy for Web@Work


An AppConnect container policy is typically necessary to authorize a device user to
use Web@Work. It also allows you to define app-specific data loss prevention policies.

When you upload Android AppConnect apps to MobileIron Core, it automatically
creates a container policy and an app configuration policy. You can use this container
policy, or create a new one.

Note: You can also authorize device users to use Web@Work on the AppConnect
global policy by selecting the option to authorize apps without an AppConnect
container policy.

Note: Make sure only one AppConnect container policy for Web@Work applies to each
device.

To configure an AppConnect container policy for Web@Work:


1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select Add New > AppConnect > Container Policy.
3. Enter a name for the policy. For example, enter Web@Work container policy.
4. Enter a description for the policy.
5. In the Application field, enter com.mobileiron.securebrowser.
6. Select the data loss prevention settings you want for Web@Work.
Note: Web@Work supports only the Allow Copy/Paste To option. Enabling the other
options has no impact on Web@Work. Regarding the open in feature, Web@Work
does not allow the device user to open a downloaded document in another app.
7. Select Save.
8. Select the Web@Work container policy.
9. Select More Actions > Apply To Label.
10. Select the labels to which you want to apply this policy.
11. Click Apply.

Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
1. Go to Users & Devices > Devices.
2. Expand the device details for the desired device, by clicking the up arrow next to
the checkbox.
3. Select Label Membership.

To add a label to the device:


1. Select the device.
2. Select Actions > Apply To Label.
3. Select the labels to apply to the device.
4. Click Apply.

Configure a Web@Work setting


A Web@Work setting configures:
AppTunnel settings for Web@Work
admin-specified browser bookmarks
key-value pairs for custom configuration

AppTunnel
Web@Work uses the AppTunnel feature to provide secure access to web sites behind
your firewall. A device user can use Web@Work only if you have set up AppTunnel for
Web@Work.

Setting up AppTunnel for Web@Work requires:


A Standalone Sentry configured to support AppTunnel for Web@Work.
See Set up a Standalone Sentry to support AppTunnel for Web@Work on
page 665.
A Web@Work setting applied to the devices that use Web@Work.

Browser bookmarks
You can configure a list of secure web sites that Web@Work automatically sets up as
browser bookmarks for the device user.

Custom configurations
You can specify key-value pairs that provide configurable data that impact Web@Work
behavior. These key-value pairs are analogous to the key-value pairs that an
AppConnect app configuration provides in its App-specific Configurations section. The
only currently supported key-value pairs for both Web@Work for iOS and Web@Work
for Android are for use by MobileIron Technical Support for troubleshooting.

Note: Make sure only one Web@Work setting applies to each device.

To configure a Web@Work setting:


1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > Web@Work.

Use the following guidelines to create or edit a Web@Work setting:

Name: Enter brief text that identifies this Web@Work setting.
Description: Enter additional text that clarifies the purpose of this Web@Work
setting.
Application: The application is set to Web@Work for you.
AppTunnel: Configure AppTunnel settings for Web@Work.
First, configure the Standalone Sentry to support AppTunnel. See Set up a
Standalone Sentry to support AppTunnel for Web@Work on page 665.
When Web@Work tries to connect to the URL (and port, for Android) configured
here, the Sentry creates a tunnel to the Service.
To add an AppTunnel entry, click +.
To delete an AppTunnel entry, click -.

URL Wildcard: Typically, for the Web@Work AppTunnel, enter a hostname with
wildcards. The wildcard character is *.
Example:
*.yourcompanyname.com
If you want finer granularity regarding what requests the Standalone Sentry
tunnels, configure multiple AppTunnel rows.
If Web@Work requests access to this hostname, the Sentry tunnels the Web@Work
data to an app server. The Sentry and Service fields that you specify in this
AppTunnel row determine the target app server.
Note:
On Android devices, the Web@Work data is tunneled only if Web@Work's request
matches this hostname and the port number specified in the Port field of this
AppTunnel row. On iOS devices, only the hostname, not the port number,
determines whether the Web@Work data is tunneled.
If Web@Work requests a hostname that does not match the value of any of the
AppTunnel entries in the Web@Work setting, tunneling does not occur. In this
case, if the requested hostname is behind your firewall, Web@Work informs the
device user that it cannot access the requested hostname.
A hostname with wildcards works only with the service <ANY>. Unlike services
with specific service names, these services do not have associated app
servers. The Sentry tunnels the data to the app server that has the URL that
Web@Work specified.
Note: <CIFS_ANY> is not relevant to Web@Work.
The order of these AppTunnel rows matters. If you specify more than one
AppTunnel row, the first row that matches the hostname (and port, for Android)
that Web@Work requested is chosen. That row determines the Sentry and Service
to use for tunneling.
Do not include a URI scheme, such as http:// or https://, in this field.

Port: Enter the port number that Web@Work requests to access.
On Android devices: The Web@Work data is tunneled only if Web@Work's request
matches the hostname in the URL Wildcard field and this port number. If you do
not enter a port number, the port in Web@Work's request is not used to
determine whether data is tunneled.
On iOS devices: Only the hostname, not the port number, determines whether
Web@Work data is tunneled.
Note: Entering a port number in this field is required when both of the
following are true:
The hostname in the URL Wildcard field does not contain a wildcard.
The service is not <ANY> or <CIFS_ANY>.
Sentry: Select the Standalone Sentry that you want to tunnel the URLs listed in
this AppTunnel entry. The drop-down list contains all Standalone Sentrys that
are configured to support AppTunnel.
Service: Select a Service Name from the drop-down list. Typically, for
Web@Work, the service is <ANY>.
Note: <CIFS_ANY> is not relevant to Web@Work.
This service name specifies an AppTunnel service configured in the App
Tunneling Configuration section of the specified Sentry.
If the service on the Sentry is configured with its Server Auth set to
Kerberos, Web@Work uses Single Sign On for the enterprise server. That is, the
device user does not enter any further credentials when Web@Work accesses the
enterprise app server.
Identity Certificate: Select the Certificate or the SCEP profile that you
created for devices to present to the Standalone Sentry that supports app
tunneling.
For more information, see SCEP settings on page 301 and Certificates settings
on page 300.
Bookmarks: Specify the bookmarks that you want to appear automatically in the
Bookmarks screen of Web@Work.
To add a bookmark, click +.
To delete a bookmark, click -.
The bookmarks appear in the Bookmarks screen of Web@Work in the same order
that they appear in the Web@Work setting. To change the ordering, drag the
bookmarks in the Web@Work setting.

Bookmark: Enter the name of the bookmark. The name is any string that
describes the URL that the bookmark points to.
For example:
Sales information
Address: Enter the URL for the bookmark.
For example:
https://sales.mySecureCompany.com
Custom Configurations: Specify Web@Work custom configuration settings as
key-value pairs.
To add a key-value pair, click +.
To delete a key-value pair, click -.
Key: Enter the key. The key is any string that Web@Work recognizes as a
configurable item.
The only currently supported key-value pairs for both Web@Work for iOS and
Web@Work for Android are for use by MobileIron Technical Support for
troubleshooting.
Value: Enter the value.

3. Click Save.
4. Select the new Web@Work setting.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this Web@Work setting.
7. Click Apply.

Be sure to apply one of the labels that you selected to the appropriate devices.
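The AppTunnel row matching described in the URL Wildcard and Port entries above (ordered rows, first match wins, '*' as the only wildcard, port compared on Android but not on iOS, and the two validity rules for wildcard hostnames and named services), as an added Python example. This is illustrative code written for this guide, not MobileIron's own matching logic; the rows, Sentry name sentry-east, service name IntranetSvc and request URLs are constructed, and the default ports assumed for a request without an explicit port (443 for https, 80 for http) are this example's assumption.

```python
"""Resolve which AppTunnel row a Web@Work request uses.

Added example for this guide, not MobileIron code. It encodes the matching
rules from the Web@Work setting description:
  * URL Wildcard is a hostname pattern with '*' as the only wildcard; no scheme
  * rows are tried in order; the first match fixes the Sentry and Service
  * Android also compares the port when the row has one; iOS compares only
    the hostname
  * a wildcard hostname may only be used with the <ANY> service
  * a port is required for an exact hostname with a service other than
    <ANY> or <CIFS_ANY>
  * no matching row means no tunnel
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AppTunnelRow:
    url_wildcard: str
    sentry: str
    service: str = "<ANY>"
    port: Optional[int] = None


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, host.lower()) is not None


def validate_row(row: AppTunnelRow) -> List[str]:
    """Configuration problems for one row (empty list = acceptable)."""
    problems = []
    if "://" in row.url_wildcard:
        problems.append("URL Wildcard must not include a URI scheme")
    has_wildcard = "*" in row.url_wildcard
    if has_wildcard and row.service != "<ANY>":
        problems.append("a wildcard hostname works only with the <ANY> service")
    if (not has_wildcard and row.service not in ("<ANY>", "<CIFS_ANY>")
            and row.port is None):
        problems.append("Port is required for an exact hostname with a named service")
    return problems


def select_row(rows: List[AppTunnelRow], requested_url: str,
               platform: str) -> Optional[AppTunnelRow]:
    """First row matching the request, or None when the request is not tunneled."""
    parts = urlsplit(requested_url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)   # assumed defaults
    for row in rows:
        if not hostname_matches(row.url_wildcard, host):
            continue
        if platform == "android" and row.port is not None and row.port != port:
            continue            # Android compares the port too; iOS ignores it
        return row
    return None


# Constructed sample: an exact-host row with a named service first, then the
# catch-all wildcard row the text recommends. Sentry and service names are
# placeholders.
ROWS = [
    AppTunnelRow("intranet.yourcompanyname.com", "sentry-east", "IntranetSvc", 8443),
    AppTunnelRow("*.yourcompanyname.com", "sentry-east"),
]

if __name__ == "__main__":
    for row in ROWS:
        print(row.url_wildcard, validate_row(row) or "ok")
    for url, platform in [("https://intranet.yourcompanyname.com:8443/", "android"),
                          ("https://intranet.yourcompanyname.com/", "android"),
                          ("https://intranet.yourcompanyname.com/", "ios"),
                          ("https://sales.mySecureCompany.com/", "ios")]:
        chosen = select_row(ROWS, url, platform)
        print(platform, url, "->",
              f"{chosen.sentry}/{chosen.service}" if chosen else "not tunneled")
```

The second and third requests show the platform difference that matters when you order rows: the same URL without an explicit port falls through to the wildcard row on Android (port 443 does not match 8443) but is caught by the exact-host row on iOS.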

Add Web@Work for iOS to the app distribution library


Make Web@Work for iOS available to iOS device users as a recommended app in the
app distribution library in the Admin Portal. This installs Web@Work onto iOS devices
via the Apple App Store. For information about adding iOS apps to the app distribution
library, see Working with apps for iOS devices on page 481.

Upload Web@Work for Android to MobileIron Core and apply labels

Web@Work for Android can only be obtained from the MobileIron support site and
needs to be distributed as an in-house app. Use the Admin Portal to upload the
Web@Work for Android APK file to MobileIron Core just as you would any in-house
app. Device users will download Web@Work from Secure Apps within the
Mobile@Work for Android app.

Devices running Web@Work for Android must also have Secure Apps Manager
installed. Optionally, they can have other AppConnect apps installed that interact with
Web@Work.

For details about uploading in-house Android apps, see Adding in-house apps for
Android on page 517.

Obtaining the Web@Work for Android app


The Web@Work for Android app is available from the following location:

https://support.mobileiron.com/mi/android-browser/current/

Use your credentials for MobileIron software downloads to access Web@Work for
Android. Contact Customer Support if your account does not have access to this
software.
Obtaining the Secure Apps Manager
Web@Work for Android requires that you also install the Secure Apps Manager on the
device. It is available at:

https://support.mobileiron.com/mi/android-secureapks/current

Obtaining other Android AppConnect apps that interact with Web@Work for
Android
You can also use the following AppConnect apps that interact with Web@Work for
additional secure functionality:
ThinkFree Document Viewer
File Manager (the File Manager with the SharePoint client app is sufficient)

These apps are available at:

https://support.mobileiron.com/mi/android-secureapks/current

Section III: System Management
Overview of System Manager
Configuring MobileIron Core System Settings
Configuring MobileIron Core Security Settings
Configuring MobileIron Core Maintenance Settings
Troubleshooting

Chapter 18

Overview of System Manager


Introduction to System Manager
Getting started

Introduction to System Manager


After installation, most configuration tasks are performed in the System Manager
portion of the MobileIron Admin Portal. The System Manager enables you to:
complete the configuration steps necessary to implement MobileIron Core
manage basic network settings established during installation
manage how MobileIron fits into your infrastructure
upgrade Core
troubleshoot Core issues
perform basic maintenance tasks

Getting started

Starting System Manager


To start System Manager:

1. Enter the following URL:

https://<fully_qualified_hostname>:8443/mics

2. Enter the user ID and password of a System Manager user.

The user created during setup is valid, as well as any users created in the System
Manager under Security > Local Users. The user ID is case sensitive.
3. Click SIGN IN.

Starting System Manager from Admin Portal


If you have logged into Admin Portal, you can click the System Mgr link at the top of
the screen to start System Manager.

Logging out
Select the Sign Out link in the upper right corner to exit.

Saving a configuration
If you want to save configuration settings in the System Manager, click the Save link in
the upper right corner of the System console.

Why: System Manager does not automatically save changes you make to system
settings. Though these settings are retained if you log out, rebooting MobileIron Core
without saving these settings would return Core to its previously-saved configuration.

Chapter 19

Configuring MobileIron Core System Settings

Overview
Interfaces
Routes
DNS and Hostname
Static Hosts
Date and Time (NTP)
CLI
Syslog
Splunk Forwarder
SNMP
Email Settings
Port Settings
Data Purge
Reporting Database Exporter
Services

Overview
The Settings page in System Manager contains links for configuring MobileIron Core.
The following table summarizes the tasks associated with each link.

Network: Interfaces
  Change physical interface settings
  Add VLAN interfaces
  Change VLAN interfaces
Network: Routes
  Change the default gateway
  Route through different gateways
DNS and Hostname
  Change DNS servers
Static Hosts
  Edit the host list for MobileIron Core
Date and Time (NTP)
  Change the time source used by Core
CLI
  Change the Enable Secret set during installation
  Enable/Disable ssh and telnet access
  Change ssh/telnet settings
Syslog
  Configure Syslog servers
Splunk Forwarder
  Configure a Splunk indexer
SNMP
  Configure SNMP servers
Email Settings
  Configure SMTP settings for communication between Core and devices
Port Settings
  Change default port configuration for Core
Data Purge
  Configure automated data purging
Reporting Database Exporter
  Configure the authentication token for the Reporting Database
Services
  Enable/Disable Core services

Interfaces
The Settings > Interfaces screen enables you to change parameters for the network
interface points for MobileIron Core:
physical and VLAN interfaces
static routes

Managing network interfaces


You configure a physical network interface as part of the installation process. You can
use the Interfaces screen to:
Edit the physical interface settings specified during installation
Add physical interfaces
Add VLAN interfaces
Change VLAN interfaces

Changing physical interfaces


To change a physical interface:
1. Click the interface name.

2. Change any or all of the following fields:

IP: Enter the IP address of the physical network interface.
Unless you are configuring a standalone implementation for a small trial, you
should specify at least one physical interface.
Mask: Enter the netmask of the physical network interface.
ACL Name: Select an Access Control List for this interface. See Access Control
Lists on page 724.
Admin State: To enable this interface for use with the MobileIron system, click
Enable. To temporarily prevent use of this interface with the MobileIron
system, click Disable.

3. Click Save.

Adding VLAN interfaces


Virtual Local Area Network (VLAN) interfaces are optional interfaces you can configure
on MobileIron Core to manage bandwidth and load balancing.

To add a VLAN interface:


1. Click Add VLAN.

2. Use the following guidelines to complete the configuration:

VLAN ID: Specify a number between 2 and 4094.
IP Address: Enter the IP address for this VLAN interface.
Mask: Enter the netmask for this VLAN interface.
Physical Interface: Select the physical interface that corresponds to this VLAN
interface.
ACL Name: Select an Access Control List for this interface. See Access Control
Lists on page 724.
Admin State: To enable this interface, click Enable. To temporarily suspend use
of this VLAN, click Disable.

3. Click Save.

Deleting a VLAN interface


To delete a Virtual Local Area Network (VLAN) interface:
1. Select the VLAN you want to remove.
2. Click Delete VLAN.

Routes
The Settings > Network > Routes screen enables you to create and maintain static
network routes within the enterprise.

Adding network routes


To add a route:
1. Click Add.

2. Use the following guidelines to complete the fields:

Network: Enter the network IP address.
Mask: Enter the subnet mask.
Gateway: Enter the IP address for the gateway.

3. Click Save.
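The values entered on the Interfaces, Add VLAN and Routes screens above, checked in Python before they are saved. This is an added example written for this guide, not MobileIron code: it applies the limits the text states (VLAN ID 2 through 4094, an IP address plus netmask per interface, network/mask/gateway per route) and adds one check the text does not spell out but a working static route depends on, namely that the gateway lies on the subnet of a configured interface. The interface 192.0.2.10/255.255.255.0 and the route values are constructed sample data from the documentation address ranges.

```python
"""Sanity-check Interfaces, VLAN and Routes entries before saving them.

Added example for this guide, not MobileIron code. It applies the limits the
text states (VLAN ID 2..4094, IP plus netmask per interface, network/mask/
gateway per route) plus one check the text does not spell out but a working
route needs: the gateway must sit on the subnet of a configured interface.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample interface: the Core's physical interface (documentation range).
INTERFACES: List[Tuple[str, str]] = [("192.0.2.10", "255.255.255.0")]


def check_vlan_id(vlan_id: int) -> bool:
    """VLAN IDs accepted by the Add VLAN screen are 2 through 4094."""
    return 2 <= vlan_id <= 4094


def interface_subnet(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet an interface lives on, from its IP address and dotted netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_route(network: str, mask: str, gateway: str,
                interfaces: List[Tuple[str, str]] = INTERFACES) -> List[str]:
    """Problems with a static route entry (empty list = acceptable)."""
    problems = []
    try:
        # strict=True rejects a Network field with host bits set, e.g. 10.0.0.5/255.0.0.0
        ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError as exc:
        problems.append(f"network/mask invalid: {exc}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return problems + [f"gateway invalid: {exc}"]
    # The added on-link check: a gateway no interface can reach is never used.
    if not any(gw in interface_subnet(ip, m) for ip, m in interfaces):
        problems.append(f"gateway {gateway} is not on any configured interface subnet")
    return problems


if __name__ == "__main__":
    print(check_vlan_id(1), check_vlan_id(100))
    print(check_route("10.0.0.0", "255.0.0.0", "192.0.2.1"))        # []
    print(check_route("10.0.0.5", "255.0.0.0", "192.0.2.1"))        # host bits set
    print(check_route("0.0.0.0", "0.0.0.0", "203.0.113.1"))         # gateway off-link
```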

Deleting network routes


To delete a route:
1. Select the entry.

2. Click Delete.

DNS and Hostname


The DNS and Hostname screen displays the hostname, default domain, and DNS
information entered during installation. Use this screen to:
Change the hostname
Change the default domain
Change or add DNS servers

1. Use the following guidelines to complete the fields:

Host name: Specify the fully-qualified host name for the appliance.
Default Domain: Specify the default domain for the appliance.
Preferred DNS Server: Specify the IP address of the primary DNS server to use.
Alternate DNS Server 1: Specify the IP address of an optional alternate DNS
server.
Alternate DNS Server 2: Specify the IP address of an optional alternate DNS
server.

2. Click Save.

Static Hosts
The Static Hosts page enables you to edit the hosts file. Use this feature in the
following cases:
DNS is not available or does not resolve the necessary names
DNS resolves the hostname to the external IP, but you want the traffic to go via the
internal IP

Adding hosts
To add a host:
1. Click the Add button.

2. Use the following guidelines to complete the displayed fields:

IP Address: The IP address for the host you are adding.
FQDN: The fully-qualified domain name for this host, as in appdoc1.mycompany.com.
Alias: The alias for this host.

3. Click Save.

Editing hosts
To edit a host, click the IP address for the host displayed in the Static Hosts screen.

Deleting hosts
To delete a host:
1. In the Static Hosts screen, select the host to be deleted.
2. Click the Delete button.

Date and Time (NTP)


The Date and Time screen displays any NTP information specified during installation.
This is an optional portion of the configuration, but it is highly recommended because
database timestamps affect the behavior of the system as well as the quality of
reporting. Currently, only UTC time display is supported. If you choose to use a
local time source instead, you can specify the date in this screen.

To change your date and time configuration:


1. Use the following guidelines to complete the fields:

Time Source: Select NTP if you intend to specify one or more NTP servers. Select
Local if you intend to set the system time for the MobileIron Server.
If you select NTP:
Primary Server: Specify the IP address or fully-qualified host name for the NTP
server to use.
Secondary Server: Specify the IP address or fully-qualified host name for the
first failover NTP server to use.
Tertiary Server: Specify the IP address or fully-qualified host name for the
second failover NTP server to use.
If you select Local:
Date: Enter the current date.
Time: Enter the current time.

2. Click Save.

CLI
The CLI screen displays the command line interface access settings specified during
configuration. Use this screen to alter these settings.
1. Use the following guidelines to complete the fields:

Enable Secret: Click the Change Enable Secret link to specify the password
required to access important functions in the CLI.
Confirm Enable Secret: Re-enter the specified password to confirm. This field
displays only if you click the Change Enable Secret link.
CLI Session Timeout: Specify the duration of inactivity on the Telnet or SSH
connection that should cause the session to time out.
SSH: Select Enable if you want to allow SSH access to the MobileIron
Administration tool.
Max SSH Sessions: Specify the maximum number of simultaneous SSH sessions to
allow.
Telnet: Select Enable if you want to allow Telnet access to the MobileIron
Administration tool.
Max Telnet Sessions: Specify the maximum number of simultaneous Telnet sessions
to allow.

2. Click Save.

Syslog
Use the Syslog screen to configure any remote log servers you have set up on your
network. Logs are then written to both the syslog location and the local log location.

To add a syslog entry:


1. Click Add.

Server: Enter the IP address or host name for the remote log server.
Log Level: Select the log level from the displayed list.
Admin State: Select Enable from the dropdown list to apply these settings to
your current configuration. Select Disable to suspend use of the configured log
server.

Splunk Forwarder
The Splunk Forwarder is a service on MobileIron Core that forwards information about
Core, including device information and system health logs to a Splunk indexer for
indexing.

System statistics for the following are provided:


MobileIron Core Java Virtual Machine (JVM)
CPU: Includes overview and breakdown by host, process, user, stat, and source.
Memory: Includes overview, and breakdown by host, process, user, and source.
Disk: Includes usage by host, source, and files opened by command, type, and
user.
Network: Includes interfaces, interface throughput, connection details, and
network sources.

For information on the device fields that are provided, see the Data Dictionary
section in the MobileIron Core Reporting Database Guide.

Before you configure a Splunk indexer on MobileIron Core, you must enable the
Splunk Forwarder service in Settings > Services. The Core data is forwarded to the
configured Splunk indexer.

Adding the Splunk indexer on MobileIron Core


To configure the Splunk indexer:
1. In the System Manager, go to Settings > Splunk Forwarder.
2. Click Add.
3. In the pop-up dialog, enter the following information:

Splunk Indexer: IP address for the Splunk indexer.
You can enter only one IP address. If you have multiple Splunk indexers,
configure a separate instance for each Splunk indexer.
Port: Port number on which the Splunk indexer is listening.
Enable SSL: Secures the connection between MobileIron Core and the Splunk
indexer.
SSL requires the appropriate configuration on the Splunk indexer.

4. Click OK.
5. Restart the Splunk Forwarder service to connect to the indexer.
To restart the Splunk Forwarder service, disable then enable the service.

After you restart the Splunk Forwarder service, the Status for the Splunk Indexer
shows as Connected.
If the status is Not Connected, check the IP address and the Port for the Splunk
Indexer.

Note: The Splunk Forwarder service forwards the MobileIron Core system health logs
at an interval set on the Splunk indexer.

Editing the Splunk indexer


To edit the Splunk indexer:
1. In the System Manager, go to Settings > Splunk Forwarder.
2. Click on the IP address for the Splunk indexer.
The Modify Splunk Indexer dialog pops up.
You can edit the Port and the Enable SSL option.
3. After making your changes, click Apply.
The status changes to Not Connected.
4. Restart the Splunk Forwarder service to connect to the indexer.
After you restart the Splunk Forwarder service, the Status for the Splunk indexer
shows as Connected.
If the status is Not Connected, check the IP address and the Port for the Splunk
indexer.

Deleting the Splunk indexer


To delete the Splunk indexer:
1. In the System Manager, go to Settings > Splunk Forwarder.
2. Select the Splunk indexer to delete.
3. Click Delete.
4. Restart the Splunk Forwarder service for the changes to take effect.

SNMP
Use the SNMP screen to manage SNMP trap receivers. MobileIron currently supports
link up/down traps and the host-resources MIB file.

Enabling the SNMP service


The SNMP service is turned off by default. To turn it on:
1. Select Enable in the SNMP Control section.
2. Click Apply.

Editing the Read only community string


The default community string for the SNMP is set to public. To change this string:
1. Edit the default string.
2. Click Apply.

Adding a trap receiver


To add an SNMP trap receiver:
1. In the SNMP screen, click Add.

2. Complete the form.


3. Click Save.

Editing a trap receiver


To edit an SNMP trap receiver:
1. In the SNMP screen, select the link for the trap receiver you want to edit.
2. Make your changes.
3. Click Save.

Deleting a trap receiver


To delete an SNMP trap receiver:
1. In the SNMP screen, select the link for the trap receiver you want to delete.
2. Click Delete.

Email Settings
Use the Email Settings screen in the System Manager portion of the portal to set up
the SMTP server access required for MobileIron email alerts, such as policy violation
alerts. In the US and certain other countries, the SMTP server settings are also
required for alerts sent via SMS. In a few cases, the SMTP server may be used to
transmit a control command to certain devices.
1. From the Settings screen, click the Email Settings link in the navigation pane.

2. Use the following guidelines to complete the form.

From Email: Specify the email address to use in the From field for all
administrative email notifications.
SMTP Server: Specify the IP address or fully-qualified host name for the SMTP
server the MobileIron Server will use.
SMTP Server Port: Specify the port configured for the SMTP server.
Protocol: If the SMTP server you are configuring is a secured server, that is,
it uses the SMTPS protocol, then select the SMTPS button. Otherwise, leave
SMTP selected.
Authentication Required: Specify whether this SMTP server requires
authentication. In most cases, this field will be set to Yes.
User Name: If you select Yes for Authentication Required, then this field
displays. Enter the user name required for SMTP authentication.
Password: If you select Yes for Authentication Required, then this field
displays. Enter the password required for SMTP authentication.
Confirm Password: If you select Yes for Authentication Required, then this
field displays. Confirm the password required for SMTP authentication.

3. Click the Test button.

4. Enter an email address and body for the test email.


5. Click OK.
6. Confirm that the email arrives as expected.
7. Click Save.


Port Settings
Use the Port Settings screen to change settings, if necessary, for the following
MobileIron services:
Sync Service
Sync TLS
Help Desk
Provisioning

Each must have a unique port. Changes to the default settings are seldom necessary.
Making changes to these settings requires re-registering phones, so use caution when
making changes.

Provision protocol (http/https) is also specified in this screen. Port 443 is entered
automatically for https and cannot be changed. Note that changing this protocol does
not automatically change the associated port. You must manually specify 443 for the
https provisioning port, or 8080 for the http provisioning port.

Modifying the values for the Provision Protocol or Provisioning Port fields updates the
Local CA URLs for the CRL distribution point and the CA certificate access location for
newly issued certificates. Previously generated certificates will continue to reference
the old location.

To use the new values for these fields, remove the previously issued certificates from
MIFS > Log > Certificate Log. MobileIron Core pushes the updated setting to the
device(s) on the next device check-in.

If you change the provisioning port after generating a certificate signing request, you
must generate a new CSR and replace the old certificate with the newly returned
certificate in Admin Portal in Settings > Local Certificate Authorities.

Note: Port 9999 is unnecessary in most instances, as the sync service is
generally configured to use TLS (over 9997). Therefore, 9999 is not listed in
the ports that must be opened before installation. Should you configure the sync
service to use 9999, then you must open port 9999.

Note: The Provisioning Protocol and Provisioning Port settings do not apply to
Windows Phone 8 (WP8) devices. WP8 devices use https and port 443.


Data Purge
MobileIron Core stores significant amounts of data, such as:
call records
SMS records
data records
backup snapshots
log files
client logs
notification tables

Every four hours, MobileIron Core automatically purges client logs and notification
tables. You can automatically or manually purge the remaining stored data. Purging
enables you to:
manage system storage
fulfill corporate or legal requirements for data disposal

For example, a production system managing thousands of phones can exhaust
available system storage. In addition, certain industries and countries must
adhere to legal mandates requiring purging of data after a number of years.

MobileIron provides a data purging feature that enables you to:


turn auto-purging on/off
configure auto-purging based on system storage usage or the age of the data
specify what gets purged
set up a system storage alert if space falls below a defined level
manually purge data

You can configure auto-purging based on either the amount of system storage used or
the age of the data stored. To configure auto-purging:
1. In System Manager, go to Settings > Data Purge.


2. Set Auto Purge to ON or OFF.


3. To purge data based on the amount of remaining system storage:
a. Select Delete data older than.
b. Specify the number of days to use as a baseline for the age of the data to be
purged.
c. Specify the percentage of system storage capacity that should trigger the
purge.
4. To purge data based on the age of the data:
a. Select Keep data no more than.
b. Specify the number of days to keep data before auto-purging.
5. Use Purge Daily at to specify the time of day at which the purge should happen.
Note that the selected time is based on the MobileIron Core system time.
6. Click Apply.
7. See Specifying what gets purged on page 708 for information on selecting the
types of data to be purged.

Specifying what gets purged


Use the Data to Purge section to specify the types of data to be removed.


Select or clear checkboxes to indicate whether the following types of data should be
purged:

Call Records: Voice call information
SMS Records: Text message information
Data Records: Data transfer information
Log Files: System log files (archived logs only)
Device File Snapshots: Backup snapshots of device files

Checking actual system storage


To determine the actual space used and available for system storage:
1. In System Manager, go to Settings > Data Purge or Maintenance > System
Storage.
2. Hover over the System Storage bar to see a popup indicating the actual storage
usage and capacity.

Setting up the system storage alert


You can set up a System Event to alert you when system storage reaches the level
specified. You can use this alert, for example, to indicate the need for manual purging
or to prompt personnel to confirm successful auto-purging.

To set up the system storage alert:


1. In Admin Portal, click Event Center > All Events.
2. Click Add New > System Event.
3. Select System storage threshold has been reached.

Manual purging
You can perform ad hoc data purging. See Manually purging data (system storage)
on page 742 for information.


Reporting Database Exporter


MobileIron RDB (Reporting Database) is a reporting database for MobileIron Core that
provides a source you can query for creating reports. Use the Reporting Database
Exporter page to:
generate the authentication token for the reporting database
configure the database export options

See the Reporting Database Guide for information on configuring and using the
Reporting Database.

Generating the authentication token


To generate the authentication token for the Reporting Database:
1. In System Manager, go to Settings > Reporting Database Exporter.
2. Click Generate.
3. Copy the displayed token to the clipboard.
You will use the authentication token when you configure the Reporting Database.

Configuring the Reporting Database Exporter


To configure the Reporting Database Exporter:
1. In the Admin Portal, click the System Manager link in the upper right corner.
2. Log into System Manager.
3. Select Reporting Database Exporter.

4. Under Data to Export, select or clear data categories to specify the data to export
or omit.
The Device option is required and cannot be cleared.
5. Select a frequency from the Run RDB Export Every drop-down.
6. Select a retention time from the Retain Export Data For drop-down.
7. Click Apply.


Services
Use the Settings > Services screen to enable or disable the following MobileIron
services:
Core: Core MobileIron service.
Atlas: Atlas reporting console. See the Atlas Administration Guide for more
information.
Splunk Forwarder: Splunk Forwarder service.
Running is not a live link to the SplunkForwarder service.
When you disable the SplunkForwarder service, you also disable the connection to
the Splunk indexers configured in Settings > Splunk Forwarder.
If you re-enable the Splunk Forwarder service, MobileIron Core connects to the
indexers configured in Settings > Splunk Forwarder.
Reporting Database Exporter: MobileIron RDB (Reporting Database).
Enabling the Reporting Database Exporter allows the Reporting Database to extract
the relevant MobileIron Core data.

Chapter 20

Configuring MobileIron Core Security


Settings
Overview
Identity Source > Local Users
Certificate Mgmt
Access Control Lists
Networks and Hosts
Network Services
Access Control Lists: ACLs
Portal ACLs


Overview
The Security page in System Manager contains links for configuring aspects of
MobileIron Core access. The following table summarizes the tasks associated with
each link.

Identity Source > Local Users: Create, delete, and manage local users for System
Manager.
Certificate Mgmt: View and manage certificates for Portal HTTPS, Client TLS, and
iOS Enrollment.
Access Control Lists > Networks & Hosts: Create and manage entries for networks
and hosts.
Access Control Lists > Network Services: Create and manage entries for network
services.
Access Control Lists > ACLs: Compile access control lists.
Access Control Lists > Portal ACLs: Compile access control lists for specific
MobileIron Core components.


Identity Source > Local Users


The System Manager has a separate user database from the Admin Portal. The user
you specify when you install MobileIron Core is created as a separate user in each
database. All users in the System Manager database are local users having the
following privileges, which cannot be changed:
Command Line Interface (CLI)
System Manager access

Adding local users for System Manager


To add a local user for System Manager:
1. With the Security page displayed, click Local Users.

2. Click the Add button.


3. Use the following guidelines to complete the form:

User ID: Enter the unique identifier to assign to this user. The user ID is
case sensitive.
First Name: Enter the user's first name.
Last Name: Enter the user's last name.
Password: Enter a password for the user.
  Passwords must have at least 8 characters.
  Passwords must contain at least 1 alphabetic character.
  Passwords must contain at least 1 numeric character.
  Passwords cannot have 4 or more repeating characters.
  Passwords cannot be the same as the user ID.
  Passwords may contain Unicode characters, except for CLI access.
  Users cannot change a password more than once during a 24 hour period.
Confirm Password: Confirm the password for the user.
Group: This field is not configurable.
Email: Enter the user's email address.

4. Click Apply.
5. Click Save.
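The following is an added example, not MobileIron's own code: it applies the password rules listed in the form above to a candidate password before an administrator enters it (for example from a provisioning script), and checks the once-per-24-hours change rule. It assumes that "4 or more repeating characters" means four identical characters in a row.

```python
import re
from datetime import datetime, timedelta

# Added example, not MobileIron's own code: a pre-check for System Manager
# local-user passwords against the rules listed in the Local Users form.
# Assumption: "4 or more repeating characters" means four identical
# characters in a row, such as "aaaa".

MIN_LENGTH = 8
REPEAT_RE = re.compile(r"(.)\1{3,}")  # four or more identical characters in a row


def check_password(user_id: str, password: str, cli_access: bool = True) -> list:
    """Return the list of rules the password violates (empty means acceptable).

    cli_access defaults to True because every System Manager local user also
    has CLI access, and Unicode passwords are not usable for CLI access.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must have at least 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("must contain at least 1 alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least 1 numeric character")
    if REPEAT_RE.search(password):
        problems.append("cannot have 4 or more repeating characters")
    if password == user_id:  # the user ID is case sensitive, so compare exactly
        problems.append("cannot be the same as the user ID")
    if cli_access and not password.isascii():
        problems.append("must be ASCII for CLI access")
    return problems


def change_allowed(last_changed_iso: str, now_iso: str) -> bool:
    """True when at least 24 hours have passed since the previous change."""
    last = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last >= timedelta(hours=24)


if __name__ == "__main__":
    for uid, pw in [("admin1", "Secur3pass"), ("admin1", "admin1"), ("u", "paaaassw0rd")]:
        print(uid, pw, check_password(uid, pw) or "ok")
```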

Editing local users for System Manager


To edit a local user:
1. With the Security page displayed, click Local Users.
2. Select the user ID of the entry to display the information for that user.
3. Make your changes.
Note: You cannot change the user ID.
4. Click Apply.
5. Click Save.


Deleting local users for System Manager


To delete a local user:
1. With the Security page displayed, click Local Users.
2. Select the checkbox for the user you want to delete.
3. Click Delete.
Note: You cannot delete the user ID you logged in with.
4. Click Save.


Certificate Mgmt
Use the Certificate Mgmt feature to fulfill certificate requirements your organization
may have for the MobileIron appliances or the TLS client. You can:
Generate a self-signed certificate
Generate a CSR for a certificate authority

You should also use this page to upload the required certificates.

Note: When you update a certificate, you are prompted to confirm that you want to
proceed because the HTTP service needs to be restarted, resulting in service
disruption.

To generate a self-signed certificate


You can generate a self-signed certificate for:
the MobileIron iOS Mobility Management Best Practices
MobileIron Sentry configurations
the MobileIron Client for use with TLS

To generate a self-signed certificate:


1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.


2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.

3. Select Generate Self-Signed Certificate from the dropdown list.

4. Click the Generate Self Signed Certificate button.

To generate a certificate signing request (CSR)


The following table summarizes the requirements and related information for each
component of a MobileIron deployment.

Appliance: Private key file, certificate file, root CA certificate file; without
password.
Sentry Standalone: Private key file, certificate file, root CA certificate file;
without password.
Sentry Integrated: Without password.
Client: Private key file, certificate file, root CA certificate file; without
password.

To generate a CSR:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.

2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.

3. Select Generate CSR from the dropdown list.


4. Use the following guidelines to complete the displayed form:

Field Description
Common Name Enter the server host name.
E-Mail Enter the email address of the contact
person in your organization who
should receive the resulting certificate.
Company Enter the name of the company
requesting the certificate.
Department Enter the department requesting the
certificate.
City Enter the city in which the company is
located.
State Enter the state in which the company
is located.
Country Enter the two-character abbreviation
for the country in which the company
is located.
Key Length Select 1024 or 2048 to specify the
length of each key in the pair. Longer
keys provide stronger security, but
may impact performance.

5. Click Generate.
A message similar to the following displays.


6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file.
8. Click Close.
9. Submit the file you created in step 6 to the certifying authority.
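Steps 6 and 7 can be done with a script rather than by hand. The following is an added example, not MobileIron's own code: it splits the text displayed after Generate into one file per PEM block and writes the private key file with owner-only permissions, since that key is never sent to the CA and is needed again at the Upload Certificate step. The sample text is constructed; its base64 bodies are placeholders, not a real request or key.

```python
import os
import re
import stat
import tempfile

# Added example, not MobileIron's own code: separates the CSR and the private
# key from the displayed text (steps 6 and 7) and saves each to its own file.

_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
REQUIRED = ["CERTIFICATE REQUEST", "RSA PRIVATE KEY"]


def split_pem_blocks(text: str) -> dict:
    """Return {label: complete PEM block} for every BEGIN/END pair in text."""
    blocks = {}
    for match in _BLOCK_RE.finditer(text):
        blocks[match.group(1)] = match.group(0) + "\n"
    return blocks


def missing_blocks(text: str) -> list:
    """Labels from REQUIRED that do not appear in text."""
    found = split_pem_blocks(text)
    return [label for label in REQUIRED if label not in found]


def save_csr_and_key(text: str, directory: str) -> dict:
    """Write request.csr and private.key into directory; return their paths."""
    missing = missing_blocks(text)
    if missing:
        raise ValueError("displayed text lacks: " + ", ".join(missing))
    blocks = split_pem_blocks(text)
    paths = {}

    csr_path = os.path.join(directory, "request.csr")  # file from step 6
    with open(csr_path, "w") as fh:
        fh.write(blocks["CERTIFICATE REQUEST"])
    paths["csr"] = csr_path

    # File from step 7. Create it with mode 0600 rather than relying on the
    # umask, so that only the owner can read the private key.
    key_path = os.path.join(directory, "private.key")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(blocks["RSA PRIVATE KEY"])
    paths["key"] = key_path
    return paths


def write_to_temp_dir(text: str) -> dict:
    """Save into a fresh temporary directory (handy for a quick check)."""
    return save_csr_and_key(text, tempfile.mkdtemp(prefix="mi-csr-"))


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def read_text(path: str) -> str:
    with open(path) as fh:
        return fh.read()


# Constructed sample of the displayed text (placeholder bodies, not real data).
SAMPLE_OUTPUT = """Copy the following to a text file and submit it to your CA:
-----BEGIN CERTIFICATE REQUEST-----
MIIBexampleCSRbody0000
-----END CERTIFICATE REQUEST-----
Keep the private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEexampleKEYbody0000
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    paths = write_to_temp_dir(SAMPLE_OUTPUT)
    print(paths, oct(file_mode(paths["key"])))
```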

Uploading certificates
When you receive the CA certificate from the certifying authority:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.

2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.


3. Make sure Upload Certificate is selected in the dropdown list.


4. Select the certificates as indicated in the following table:

Key file: The file created in step 7.
Server certificate: The CA certificate file you received from the certifying
authority.
CA certificate: The generic CA certificate file.

5. Click Upload Certificate.

Viewing certificates
To view a Portal HTTPS or Client-TLS certificate:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.

2. Click the View Certificate link for the certificate type you want to view.


Access Control Lists


Use the Access Control Lists screen to compile and manage the rules that define
inbound and outbound access for network hosts and services.

Each ACL consists of one or more access control entries (ACEs). Configuring ACLs
requires the following tasks:
1. Configure entries for each network and host requiring an ACL.
2. Configure entries for any network services requiring an ACL.
3. Create an ACL.

To add an ACL:
1. Click Add.

2. In the Name field, enter a name to identify the ACL.


3. In the Description field, enter text to clarify the purpose of the ACL.
4. Click Save.
The lower portion of the screen is now enabled.


5. Click Add to add an access control entry (ACE) to the ACL.


Each ACE consists of a combination of the network hosts and services you
configured for use in ACLs.


6. Use the following guidelines to complete the form:

Source Network: Select the network from which access will originate. This list
is populated with the networks and hosts you created for use with ACLs. See
Networks and Hosts on page 728.
Destination Network: Select the network being accessed. This list is populated
with the networks and hosts you created for use with ACLs. See Networks and
Hosts on page 728.
Service: Select the network service to which this entry permits or denies
access. This list is populated with the services you created for use with ACLs.
See Network Services on page 730.
Action: Select Permit or Deny from the dropdown list.
Connections Per Minute: Enter the number of connections to allow per minute.
Description: Enter text to describe the purpose of this entry.

7. Click Save.

Editing an ACL
To edit an existing ACL:
1. Click the name in the ACLs list.
2. To delete an ACE, click its checkbox and click Delete.
3. To add an ACE, click Add.
4. To insert an ACE, select the ACE above which you want to insert a new ACE and
click Insert.
5. Click Save.

Copying an ACL
To start a new ACL based on an existing one:
1. Select the ACL to be copied.
2. Click the Copy button.


3. Enter a name for the new ACL.


4. Click OK.

Deleting an ACL
To delete an ACL:
1. Select the ACL to be deleted.
2. Click Delete.


Networks and Hosts


Use the Networks and Hosts screen to manage the servers and subnets you will use to
compile Access Control Lists (ACLs) for MobileIron Clients.

To add a host or subnet for compiling ACLs:


1. Click Add.

2. Use the following guidelines for completing the displayed form:

Name: Enter a name to use to identify this host or network.
Description: Enter additional text to provide supporting information about this
host or network.
Type: Select Subnet or Host from the dropdown menu.
Network/Host: Enter the IP address for this network or host.

3. Click Save.


This host or network will now be available for ACLs configured in the ACLs screen.


Network Services
Use the Network Services screen to manage available services. MobileIron
prepopulates this screen with common services.

To add a service:
1. Click Add.

2. Use the following guidelines to complete the form:

Name: Enter a name to use to identify this service.
Description: Enter additional text to provide supporting information about this
service.
Type: Select TCP, UDP, or IP from the dropdown menu.
Source Port: Enter the number of the source port for this service. Enter 0 to
allow any source port.
Destination Port: Enter the number of the destination port for this service.
Enter 0 to allow any destination port.


3. Click Save.


Access Control Lists: ACLs


See Access Control Lists on page 724.


Portal ACLs
Use Portal ACLs to further restrict access to various portals within MobileIron Core.

To enable an ACL:
1. Select the checkbox for the component you want to work with. The following table
describes each component.

MyPhone@Work User Portal: The MyPhone@Work portal that enables device users to
access a website, download apps, manage contacts, and so on.
Admin Portal Portal: The Admin Portal portion of the Admin Portal.
System Manager Portal: The System Manager portion of the Admin Portal.
Sentry Connection: The MobileIron Sentry installed for ActiveSync access control.
API Connection: The MobileIron Web Services API.
iOS MDM: The iOS MDM service for profile management.
iOS iReg URL: The iReg service that enables provisioning iOS devices without
installing the MobileIron iOS app.
App Storefront Connection: The app management service for iOS.

2. Enter the IP address or network/mask pair to specify servers or networks that may
access this component. Separate the entries with spaces.
Examples:
100.0.0.0 150.0.0.0
101.0.0.0 10.0.0.0/255.255.255.0
You must use the expanded form of the mask. Do not specify an entry similar to
10.0.0.0/24.
If your MobileIron Core is behind a NAT, enter the IP of the NAT network.
Note: Remember that the Sentry must be able to access Core. If it does not have
access, then the ActiveSync Devices page will not display devices.
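A way to validate Portal ACL entries before pasting them into the field, as an added example that is not MobileIron's own code: it parses the space-separated entries in the two forms shown above, rejects a prefix-length mask such as 10.0.0.0/24, and reports whether a given client address (for example the Sentry's or the NAT's address) would be permitted. Tolerating host bits in the address part of a pair is this example's assumption, not documented Core behaviour.

```python
import ipaddress

# Added example, not MobileIron's own code: parse and check the contents of a
# Portal ACL field (space-separated IPs and address/expanded-mask pairs).


def parse_portal_acl(entry_text: str) -> list:
    """Return a list of ip_network objects for the entries in entry_text.

    Each entry is a single IP address (one host) or an address/mask pair with
    the expanded mask, e.g. 10.0.0.0/255.255.255.0. Raises ValueError for a
    prefix-length mask such as 10.0.0.0/24 or for an unparsable entry.
    """
    networks = []
    for token in entry_text.split():
        if "/" in token:
            addr, mask = token.split("/", 1)
            if "." not in mask:
                raise ValueError(
                    f"{token}: use the expanded mask form, e.g. {addr}/255.255.255.0"
                )
            # strict=False tolerates host bits set in the address part
            # (an assumption about how Core treats such entries).
            networks.append(ipaddress.ip_network((addr, mask), strict=False))
        else:
            networks.append(ipaddress.ip_network(token))  # single host
    return networks


def acl_error(entry_text: str):
    """None if the field contents parse, otherwise the error message."""
    try:
        parse_portal_acl(entry_text)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowed(networks, client_ip: str) -> bool:
    """True when client_ip falls inside any entry of the ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def to_portal_acl(networks) -> str:
    """Render networks back in the form the field expects (expanded masks)."""
    parts = []
    for net in networks:
        if net.prefixlen == net.max_prefixlen:
            parts.append(str(net.network_address))
        else:
            parts.append(f"{net.network_address}/{net.netmask}")
    return " ".join(parts)


if __name__ == "__main__":
    # The two example entries from the page, plus the rejected form.
    for field in ("100.0.0.0 150.0.0.0", "101.0.0.0 10.0.0.0/255.255.255.0", "10.0.0.0/24"):
        err = acl_error(field)
        print(field, "->", err or to_portal_acl(parse_portal_acl(field)))
```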

Chapter 21

Configuring MobileIron Core


Maintenance Settings
Overview
Getting MobileIron server software updates
Exporting the configuration
Importing a configuration
Clearing the configuration
Rebooting
Manually purging data (system storage)
Backing up and restoring MobileIron Core


Overview

Getting MobileIron server software updates


Exporting the configuration
Importing a configuration
Clearing the configuration
Rebooting
Managing System Storage


Getting MobileIron server software updates


The following figure shows the Software Updates screen.

See the upgrade documentation for a specific release for instructions on when and
how to use this screen.


Exporting the configuration


To back up the system configuration, you can export the MobileIron Server
configuration settings to XML format:
1. Click Export Configuration.

2. Click Export.


Importing a configuration
You can import a MobileIron Server configuration from a local XML file or FTP site:
1. Click Import Configuration.

2. Click Browse to select an import file.


3. Click Import.


Clearing the configuration


To clear unsaved configuration settings and return to the default configuration:
1. Click Clear Configuration.

2. Click the Clear Configuration button.


Rebooting
You can reboot the MobileIron Server to clear the current configuration settings and
restart all server modules:
1. Click Reboot in the navigation pane.

2. Click the Reboot button.


Manually purging data (system storage)


You can manage system storage by purging old data. You can configure auto-purging
to perform this task regularly, as explained in Data Purge on page 707. You can also
perform one-time manual purges as needed.
To manually purge data:
1. In System Manager, go to Maintenance > System Storage.

2. Specify the age of the data to be purged in the Delete data older than field.
3. Click Purge Now.

See Specifying what gets purged on page 708 for information on selecting the data
to purge.


Backing up and restoring MobileIron Core


The system backup and restore feature includes the following:
view of backup logs
configuration of the host and protocol to use
scheduled backups
immediate backups
restore from backup

Configuring system backups

Pre-requisites
Sufficient disk space at the destination to store the archive
Protocol-specific requirements described in the following table

NFS: Port 2049 open from MobileIron Core to the NFS server.
Note: The NFS option assumes that user authentication is not required for the
specified server. Therefore, we recommend using IP ACLs to restrict NFS mounts
to MobileIron Core.
SCP: Port 22 open from Core to the backup location.
FTP: Port 21 open from Core to the FTP server.
CIFS: Ports 137 (UDP), 138 (UDP), 139 (TCP), and 445 (TCP) open from Core to
the Windows share server.

Backup settings
Complete the following steps to configure the destination and schedule for backups:
1. In System Manager, select Maintenance > System Backup.


2. Use the following guidelines to complete the System Backup Configuration section.

Notification Email: Enter the email address that should receive backup/restore
notifications. By default, notifications are sent if the backup fails.
Send email on successful: Select this option to include notifications for
backup success and failure.
Start backup at: Select the time (GMT) at which a daily backup should occur,
based on the system time set in the System Manager.
Backup using: Select from the following protocols: FTP, SCP, NFS, CIFS. The
selected protocol determines which of the following fields display.
Server: Enter the domain name or IP address for the server to be used.
User: Enter the user name for the account to be used. Note: For CIFS, you might
also need to specify the domain (e.g., MYDOMAIN\myuserid).
Password: Enter the password for the account to be used.
Password Confirmation: Confirm the password for the account to be used.
Server Path: Enter any additional path necessary to specify the location on the
host server. For example, if you want to write backups to the Backups/Core
folder on the specified server, you would enter /Backups/Core in this field.
Note: Be sure to include the leading forward slash (/), or the backup will fail.

3. Click Save.

Enabling backups
To enable the configured backup schedule, select Enabled in the System Backup
Control section.

Running an immediate system backup


To start an immediate system backup:
1. Scroll down to the Run System Backup Now section.
2. Click Run.

Backup file
The name of the resulting file has the following format:

<Core_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz

where <Core_FQDN> is the fully-qualified domain for Core.
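A parser for this file name format, as an added example that is not MobileIron's own code: it extracts the Core FQDN and timestamp from archive names on the backup server and lists the archives for one Core that are older than a retention period, ignoring unrelated or malformed names. The listing is constructed, and treating the timestamp as GMT (the Start backup at setting) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Added example, not MobileIron's own code: parse backup archive names of the
# form <Core_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz and find stale ones.
# Assumption: the timestamp is GMT, matching the Start backup at setting.

_NAME_RE = re.compile(
    r"^(?P<fqdn>[A-Za-z0-9.-]+)-backup-"
    r"(?P<ts>\d{4}-\d{2}-\d{2}--\d{2}-\d{2}-\d{2})\.tgz$"
)
_TS_FORMAT = "%Y-%m-%d--%H-%M-%S"


def parse_backup_name(name: str):
    """Return (fqdn, 'YYYY-MM-DDTHH:MM:SS') or None if name is not a backup."""
    match = _NAME_RE.match(name)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), _TS_FORMAT)
    return match.group("fqdn"), ts.isoformat()


def older_than(names, core_fqdn: str, now_iso: str, keep_days: int) -> list:
    """Archive names for core_fqdn taken more than keep_days before now_iso.

    Names that do not match the format, or belong to another Core, are left
    alone rather than treated as candidates for deletion.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=keep_days)
    stale = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None or parsed[0] != core_fqdn:
            continue
        if datetime.fromisoformat(parsed[1]) < cutoff:
            stale.append(name)
    return sorted(stale)


# Constructed directory listing of a backup server (hypothetical host names).
SAMPLE_LISTING = [
    "core.example.com-backup-2014-06-29--01-00-00.tgz",
    "core.example.com-backup-2014-06-01--01-00-00.tgz",
    "core.example.com-backup-2014-05-01--01-00-00.tgz",
    "lab.example.com-backup-2014-01-01--01-00-00.tgz",
    "notes.txt",
]

if __name__ == "__main__":
    print(older_than(SAMPLE_LISTING, "core.example.com", "2014-06-29T12:00:00", 30))
```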

Viewing backup status


When a backup starts, the Backup is running indicator displays in the System
Backup Logs/Status section. When it completes, a brief status message displays the
following information:
date and time of the backup
transfer mode (i.e., FTP, NFS, CIFS, or SCP)
whether the backup was scheduled (automatic) or manual (run now)


Viewing backup logs


The system backup logs are available on the Troubleshooting page in System Manager.
You can view them on demand and download them like other system logs.


Restoring from a system backup

Requirements
The MobileIron Core version used to create the backup must be used to restore the
backup.
Confirm that the location of the backup file is easily accessible to ensure that the
upload process does not time out. Uploading the file should complete within 15
minutes.

Procedure
Complete the following steps to restore your MobileIron Core from a backup:
1. Configure a new MobileIron Core or reset the existing Core to the factory default
state.
2. Move the backup file to a location that is reachable from System Manager.
3. In System Manager, select Maintenance > System Backup.
4. Scroll down to the Restore System section.
5. Click Browse.
6. Select the backup file.
7. Click Restore.
When the process is complete, a message displays prompting you to reboot.
8. If prompted to save the configuration, click Yes.
9. If you chose to configure a second MobileIron Core instead of resetting the original,
power down the original to prevent IP conflicts.
10. Select Maintenance > Reboot.


Restoring data only


Some situations call for restoring the data from a backup without restoring the system
configuration. These situations include:
confirming that expected data is included in backups
disaster recovery

To address these situations, use the Exclude System Configs on Restore option.

Restoring a system in this manner does not provide a replacement MobileIron Core.
You can use this restored system to view data or as the basis for a replacement
system.

Chapter 22

Troubleshooting
Overview
Working with logs
Network monitor
Service diagnosis


Overview
Use the Troubleshooting page in the System console to investigate possible problems
with MobileIron operation. In most cases, you will use this page under the direction of
MobileIron Customer Support.


Working with logs


The Logs screen under the Troubleshooting page enables you to:
Enable debugging for MobileIron modules
Disable debugging for MobileIron modules
Clear logs
View logs
Export logs
Work with remote (Sentry) logs

Enabling debugging for MobileIron modules


You can specify which MobileIron modules you want to place in debug mode. Placing a
module in debug mode causes more detailed messages to be recorded in the
corresponding log.

To enable debugging for MobileIron modules:


1. Under Troubleshooting > Logs, select the checkboxes for the modules you want to
place in debug mode:

MICS: MobileIron Configuration Service (i.e., the service that supports System
Manager)
Employee: MyPhone@Work Portal (employee portal)

2. For MIFS (MobileIron File Service), which represents the rest of MobileIron Core,
select:
a. In the MIFS Debugging section, use the Package drop-down to select an area to
include in the log.
b. Use the Log level drop-down to select the level of detail you want to include.
c. Click the + icon to add additional packages and log levels.
3. Click Apply.

Disabling debugging
You can disable all debugging or you can select the modules for which you want
to disable debugging.

Disabling all debugging


To disable all debugging, which stops MobileIron Core from writing detailed
information to all logs, click Stop All Debugging under Troubleshooting > Logs.
For MIFS packages, clicking this button sets the log level to Info for all
selected packages.


Disabling debugging for MICS or the employee portal


To disable debugging for the MICS or employee portal modules:
1. Under Troubleshooting > Logs, clear the checkbox next to each module you want to
remove from debug mode.
2. Click Apply.

Disabling debugging for MIFS packages


To disable debugging for MIFS packages under Troubleshooting > Logs:
Remove the package from the list (sets lowest level of logging)
Set the log level to OFF (turns off all logging for the selected package)

Clearing logs
Clearing logs enables you to discard information for previous events, making it easier
to isolate the information you need. To clear all logs, click Clear All Logs
under Troubleshooting > Logs.

Viewing logs
The Troubleshooting screen enables you to view the contents of debug logs directly
from the console. Debugging must be enabled. The following table lists the available
logs:

Log Name           Description
MICS               MobileIron Configuration Service (i.e., the service that
                   supports System Manager)
MIFS               MobileIron File Service
Employee           MyPhone@Work (employee portal)
System             Core status logs
Device             Searchable device logs (search by mobile number or user)
MI
Catalina           MobileIron application loading status
Catalina2          MobileIron application loading status
SystemBackup       MobileIron System Backup process (see Backing up and
                   restoring MobileIron Core on page 743)
High Availability  HA service, if configured
LDAP               LDAP integration

To view a log:
1. In the View Module Logs section, click the link for the log you want to view.
The displayed window shows the most recent log entries. The window scrolls
dynamically as MobileIron Core adds entries to the log.
2. Click x to close the log view.
Note: If you close the log view window and then re-open it, the displayed window
shows only log entries made since you closed the window.

Viewing only new log entries


To remove existing log entries from the log view window and view only new log
entries, click the Clear Window button.

Viewing logs by device or user


To view logs by device or user:
1. Click the Device link in the View Module Logs section.

2. Select User or Phone to specify whether you want to view logs by user or device.
3. Enter the user name or phone number.
4. Click View Log.

Exporting logs
You can upload logs directly to the default support site or a designated alternate site.

To upload logs:
1. Select Troubleshooting > Logs.
2. Scroll down to the Export Logs section.
3. Select the log to download.
4. Select a database option.
Show tech logs can include database information that some companies consider too
sensitive to send to MobileIron Customer Support. Therefore, you can use the
Database Options to specify whether to include data and whether to remove
potentially sensitive information from the output.
The following options are available:
Sanitize: Remove sensitive information. This is the default selection.
Standard: Sensitive information included.
No Database: All database information omitted.
5. Select SFTP Upload, HTTPS Upload or Download from the Type drop-down list,
depending on the method you want to use.
6. If you received a MobileIron support ticket number associated with this export,
enter it in the Support Ticket Number field.
7. If you selected SFTP Upload or HTTPS Upload, select the Alternate Location check
box and configure a backup location or user authentication in case transmission to
the primary server or user fails.
If you receive technical support from a MobileIron partner instead of directly from
MobileIron, then you will need to obtain an alternate location from your vendor.
The following additional fields for the alternate location are displayed:
Host/IP or URL (e.g., https://support.mobileiron.com)
User Name
Password
Confirm Password
8. Click SFTP Upload, HTTPS Upload or Download.


Working with remote (Sentry) logs


If your system includes Sentries, you can configure and view the logs for each Sentry
from the Remote Logs section of the Troubleshooting page.

Note that changing the debug mode (log verbosity) here overrides the settings
configured in the Sentry user interface.

Enabling remote logs


To start collecting Sentry log data, you need to specify the debug mode:
1. Select Troubleshooting > Logs.
2. Select the Change Debug Mode link for the Sentry you want to troubleshoot.
The Change Debug Status dialog appears.
3. Select Sentry or Sentry HTTP Packet Trace.

Field                     Sentry 3.3                           Sentry 3.2 and older
Sentry                    Provides Level 1 verbosity HTTP      Provides Debug-level logs.
                          request/response information.
Sentry HTTP Packet Trace  Provides Level 2 verbosity HTTP      Provides complete logs
                          request/response information and     including backup level
                          detailed log messages with headers.  details.

4. Click Submit.

The updated debug status is communicated to the Sentry and reflected in the Sentry
user interface the next time you refresh the Sentry Logs page.
If you selected Sentry, the Sentry is set to log at Level 1 and becomes enabled.
If you selected Sentry HTTP Packet Trace, the Sentry is set to log at Level 2 and
becomes enabled.


Viewing remote logs


To view the Sentry logs:
1. Select Troubleshooting > Logs.
2. Click the View Logs link for the Sentry you want to troubleshoot.
The log window appears.


Network monitor
The Network Monitor screen enables you to produce a TCP dump for one of the
MobileIron Server physical interfaces. The information provided might assist in
troubleshooting device connectivity problems. Click Download to store the results in
a pcap file.

Use the following guidelines to complete this screen:

Option              Description
Interface           Select the physical interface for which you want to produce a
                    tcp dump.
Filter              Not implemented.
Snap Length         Not implemented.
Max no. of Packets  Specifies the number of packets after which the capture should
                    stop. The default value is 1000. Acceptable range of values is
                    1 to 1000000.


Service diagnosis
You can use the Service Diagnosis page under Troubleshooting to check the health of
the following services:
NTP
BES
Sentry
Email
DNS
MobileIron Gateway
SCEP
MapQuest
APNs
MobileIron support site

Click Verify All to recheck the listed services, or click the Verify button next to a
specific service to verify just that service.

LDAP sync history


To confirm that LDAP synchronization has been performed as expected, click LDAP
Sync History.

Section IV: Command Line Interface (CLI)
Chapter 23

Command Line Interface


About CLI
EXEC mode commands
EXEC PRIVILEGED commands
CONFIG commands
INTERFACE mode commands

About CLI
The CLI, or command line interface, enables authorized administrators to access
certain functions from the command line in a terminal window.

Logging in
1. Use ssh or telnet to log in to the server.
2. Log in as the administrator user established during installation.
3. Enter the corresponding password.

Logging out
Use Ctrl-d to terminate the CLI session and close the terminal window. You can also
enter one of the following commands:
logout
exit

Help commands
Two commands are available to help you use the CLI:
help
?

Enter help to display a description of the interactive help system, including:


Auto-complete keys
Movement keys
Deletion keys

Enter ? to list available commands in the current mode or details for the current
command.

For example, the following command lists all commands in the current mode:
>?

The following command lists details about the show command:
>show ?

The following command lists details about the show ip command:
>show ip ?

Note that the list of available commands varies according to the mode you are in. See
Modes on page 763.

Auto-complete keys
The following keys provide auto-completion capabilities:
Enter
Auto-completes the command line, performs syntax checking, and executes the
command if no syntax error exists. If a syntax error exists, help text is displayed.
Spacebar
Auto-completes the command.

Movement keys
[CTRL-A] Move to the start of the line
[CTRL-E] Move to the end of the line.
[up] Move to the previous command line held in history.
[down] Move to the next command line held in history.
[left] Move the insertion point left one character.
[right] Move the insertion point right one character.

Deletion keys
[CTRL-C] Delete and abort the current line.
[CTRL-D] Delete the character to the right on the insertion point.
[CTRL-K] Delete all the characters to the right of the insertion point.
[CTRL-U] Delete the whole line.
[backspace] Delete the character to the left of the insertion point.


[CTRL-Z] Quits the session.

Modes
The CLI uses the following modes:
EXEC
Default mode established when you log in successfully.
EXEC PRIVILEGED
Privileged mode, enabling commands that affect device management.
CONFIG
Configuration mode, enabling commands that affect network management. In this
mode, you can use the Tab key to cycle through the available commands and
subcommands.
INTERFACE
Mode for configuring physical and VLAN interfaces.

Entry to each mode is sequential: EXEC, EXEC PRIVILEGED, CONFIG, INTERFACE. To
access each mode, enter the mode from the previous mode. For example, to access
the CONFIG mode, you must be in the EXEC PRIVILEGED mode.

To access the different modes:

Mode             Accessible through...  Command to access            Return to the previous mode
EXEC             The default mode       Not applicable               exit (exits the CLI session)
EXEC PRIVILEGED  EXEC mode              enable                       disable
CONFIG           EXEC PRIVILEGED mode   configure terminal           end
INTERFACE        CONFIG mode            interface GigabitEthernet n  end
                                        interface vlan n


EXEC mode commands

The commands specific to the EXEC mode are summarized in the following table, and
then listed in detail in alphabetical order.

Command     Description
enable      Accesses privileged commands.
exit        Closes the terminal window.
help        Describes the interactive help system.
host        Performs a DNS lookup for a specified IP address or host name.
logout      Closes the terminal window.
ping        Sends echo messages.
show        Shows running system information:
            show banner
            show clock
            show hostname
            show interfaces
            show ip
            show log
            show logging
            show logtail
            show memory
            show ntp status
            show processes
            show service
            show software repository
            show tcp
            show timeout
            show version
timeout     Sets the idle timeout for the CLI.
traceroute  Traces route to destination.

enable
Enables EXEC PRIVILEGED mode for access to advanced commands.


Prompts for the enable-secret password, which is the system password initially set
during installation. Entering the correct password changes the command line prompt
from > to #.

See enable secret on page 790.

Example:
> enable
Password:
#

exit
Exits the EXEC mode and closes the terminal window.

help
Displays a description of the interactive help system, including:
Auto-completion keys
Movement keys
Deletion keys

See Help commands on page 761.

host
Queries Internet name servers to perform a DNS lookup. Specify one of the following
parameters:

Parameter Description
hostname The host name of the destination server
to look up.
IP address The IP address of the destination server
to look up.

This command returns the hostname of the server if you specify an IP address, and it
returns the IP address if you specify the hostname.

Note: This command executes the Linux command nslookup. See Linux man pages for
more information.

Example:
>host yahoo.com
Server: 172.16.0.1
Address: 172.16.0.1#53


Non-authoritative answer:
Name: yahoo.com
Address: 98.137.149.56
Name: yahoo.com
Address: 98.139.180.149
Name: yahoo.com
Address: 209.191.122.70
Name: yahoo.com
Address: 72.30.2.43

logout
Exits from the EXEC mode and closes the terminal window.

ping
Sends echo messages. This command pings the destination server that the parameter
specifies.

Specify one of the following parameters:

Parameter   Description
hostname    The destination's host name.
IP address  The destination's IP address.

Example:
>ping yahoo.com

show banner
Displays the banner that was displayed when you logged on to the command line
interface.

Example:
>show banner
************************************************************
* MobileIron Core CLI *
* *
* *
************************************************************
Welcome user it is Tue Dec 13 21:27:03 UTC 2011

show clock
Displays the current system date, time, and time zone.


Example:
> show clock
Displaying system clock details
Tue Dec 13 21:25:12 UTC 2011

show hostname
Displays the hostname for MobileIron Core.

Example:
>show hostname
appname.domain.com

show interfaces
Displays the configuration of the network interfaces configured for MobileIron Core.

Example:
>show interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:6b:c6:23 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:2d brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:37 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:41 brd ff:ff:ff:ff:ff:ff

show ip
Displays IP information.

Specify one of the following parameters:

Parameter        Description
arp              Displays the physical network address that corresponds to the IP
                 address of MobileIron Core. ARP is Address Resolution Protocol, a
                 low-level network protocol.
domain-name      Displays the domain name of MobileIron Core.
interface brief  Displays IP interface status and configuration. Add the following
                 parameters to the command:
                 <ifacename> <interfaceid>
                 The <ifacename> is either GigabitEthernet or VLAN.
                 The <interfaceid> has the value 1 to 4 for GigabitEthernet and
                 1 - 4094 for VLAN.
                 These interfaces are configured using the System Manager in the
                 Admin Portal. See Managing network interfaces on page 687.
name-server      Displays the IP address of the Internet name servers that
                 MobileIron Core uses.
                 These name servers are configured using the System Manager in the
                 Admin Portal. See DNS and Hostname on page 692.
route            Displays the routing table of Core. These static network routes
                 are configured using the System Manager in the Admin Portal. See
                 Routes on page 690.

Example:
>show ip domain-name
+------------------
Domain Name
+------------------
mydomain.com

>show ip interface brief GigabitEthernet 1


+----------------+-----------+--------------+-------------+-------------------
Interface IP Address Mask Hw Addr Admin State
+----------------+-----------+--------------+-------------+-------------------
GigabitEthernet1 10.10.17.152 255.255.0.0 00:50:56:91:22:7e up

>show ip route
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
default via 10.10.1.1 dev eth0

Note: In the show ip route output, default means that the network and mask are
both 0.0.0.0.

show log
Displays the log file that the parameter specifies.

Consider the following when viewing log files:
To navigate within the log, use standard vi commands.
To exit the log, enter q to quit.

Note: The log files are in the Linux directory /var/log.

The command takes one parameter that is the name of the log file. The following table
lists the log file names you can use:

Log file name  Description
mi.log         A superset of the information in the mics, mifs, and employee logs.
startup.log    Information logged during startup.
cron           All cron jobs run since last reboot.
rpmpkgs        A listing of all the deployed rpm packages on the system.
boot.log       Information collected during boot up.
suspend.log    Not used.
mysqld.log     Information collected during MySQL startup.
messages       All system messages since last restart.
dmesg          Hardware status messages collected during startup.
secure         List of executed commands since last restart.
mivmstat.log   Running log of information about the virtual machine, including,
               but not limited to, processes, free, buffered, and cached memory,
               swap, i/o, system, and CPU.
mics.log       WARN, INFO, and ERROR messages from the System Manager.
employee.log   WARN, INFO, and ERROR messages about employee device registration
               activity.
mifs.log       WARN, INFO, and ERROR messages from the Admin Portal.
mai.log        MAI information, if MAI is enabled.
catalina.out   Stdout for the tomcat1 server. Includes verbose Employee and MIFS
               logs.
catalina2.out  Stdout for the tomcat2 server. A verbose MIFS log.
catalina3.out  Stdout for the tomcat3 server. A verbose MAI log, if MAI is enabled.
catalina4.out  Stdout for the tomcat4 server. A verbose Atlas log, if Atlas is
               enabled.

Example:
> show log mifs.log
> --log 'tomcat/mifs.log' --


show logging
Displays the configured syslog server information:
IP address
log level
state

This information is configured in the System Manager, in Settings > Syslog. See
Syslog on page 698.

The log level values displayed by this command correspond to the configured log
levels as follows:

Log level value  Log level description
0                Emergency
1                Alert
2                Critical
3                Error
4                Warning
5                Notice
6                Info
7                Debug

Example:
>show logging
+--------------+--------------+---------------
IP Address + Loglevel + State
+--------------+--------------+---------------
myLogserver.com 5 enable
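As an added example (Python, not MobileIron code), the following script parses the show logging output above and decides which syslog messages the configured server would receive. It assumes the displayed log level is a severity threshold in the usual syslog sense (messages at that severity number or lower, i.e. more severe, are forwarded) and that messages carry a standard <PRI> prefix; the show logging text and syslog lines are constructed.

```python
"""Syslog severity filtering against the level shown by 'show logging'.

Assumption (not stated by the manual): the Loglevel column is a threshold and
a message is forwarded when its severity number <= the configured level.
"""
import re

# Severity numbers as listed in the manual's log level table.
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Info", 7: "Debug",
}

# Constructed copy of the 'show logging' output shown in the manual.
SHOW_LOGGING_OUTPUT = """\
+--------------+--------------+---------------
IP Address + Loglevel + State
+--------------+--------------+---------------
myLogserver.com 5 enable
"""

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_show_logging(text):
    """Return [(server, loglevel, enabled), ...] from 'show logging' output."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the +---- rule lines and the column header.
        if not line or line.startswith("+") or line.startswith("IP Address"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("unexpected show logging line: %r" % line)
        host, level, state = parts
        level = int(level)
        if level not in SEVERITIES:
            raise ValueError("log level out of range: %d" % level)
        servers.append((host, level, state == "enable"))
    return servers


def split_priority(pri):
    """Decode a syslog PRI value: PRI = facility * 8 + severity (RFC 5424)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)  # (facility, severity)


def severity_name(syslog_line):
    """Human-readable severity of a '<PRI>...' syslog line, e.g. 'Notice'."""
    m = _PRI_RE.match(syslog_line)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % syslog_line)
    _facility, severity = split_priority(int(m.group(1)))
    return SEVERITIES[severity]


def forwarded_to(servers, syslog_line):
    """Names of the configured, enabled servers that would receive this line."""
    m = _PRI_RE.match(syslog_line)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % syslog_line)
    _facility, severity = split_priority(int(m.group(1)))
    return [host for host, level, enabled in servers
            if enabled and severity <= level]


if __name__ == "__main__":
    cfg = parse_show_logging(SHOW_LOGGING_OUTPUT)
    # Constructed sample messages: facility 1 (user) at Notice and Info.
    for msg in ("<13>Dec 13 21:27:03 core mifs: admin login",
                "<14>Dec 13 21:27:04 core mifs: device check-in"):
        print(severity_name(msg), "->", forwarded_to(cfg, msg) or "dropped")
```

With the level 5 (Notice) configuration above, Info and Debug messages never leave the box, so a detection rule that depends on them must raise the configured level or read mifs.log directly.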

show logtail
Displays the last ten lines (the tail) of the specified log. The command takes one
parameter that is the name of the log file. See show log on page 768 for the list of
available log files.

To exit from the show logtail command, enter Ctrl-C.

Example:
>show logtail mifs.log
--log 'tomcat/mifs.log' --tail --
/mi/tomcat2/webapps/mics/WEB-INF/pages/include.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/index.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles/mobir.css


/mi/tomcat2/webapps/mics/WEB-INF/pages/listRadius.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/micsLogin.jsp
/mi/tomcat2/webapps/mics/WEB-INF/remoting-servlet.xml
/mi/tomcat-properties/license.properties
/mi/tomcat-properties/datapurge.properties
/mi/tomcat-properties/mifs.properties

show memory
Displays information about free and used memory on MobileIron Core.

This command executes the Linux command free. See Linux man pages for more
information.

Example:
> show memory
total used free shared buffers cached
Mem: 2135892 2065440 70452 0 146848 456292
-/+ buffers/cache: 1462300 673592
Swap: 4192956 12 4192944

show ntp status
Displays the currently configured time sources. The time sources are Network Time
Protocol (NTP) servers. An NTP server figures out how much the system clock drifts
and smoothly corrects it.

You can configure the NTP servers using the System Manager in the Admin Portal. See
Date and Time (NTP) on page 695.

Example:
>show ntp status
+-----------+--------------------+
Index + NTP Server +
+-----------+--------------------+
0 172.16.0.1

show processes
Displays the processes running on MobileIron Core.

Note: This command executes the Linux command ps auxwww. See Linux man pages
for more information.

Example:
>show processes


show service
Displays the status for configured services such as Telnet, SSH, and NTP. You can
enable these services and set the maximum number of sessions using the System
Manager in the Admin Portal. See CLI on page 697.

Example:
>show service
+------------+-----------+---------------
Servicename + Enabled + Max.Sessions
+------------+-----------+---------------
ssh yes 5
telnet yes 5
ntp yes

show software repository
Displays the currently configured location for MobileIron software updates. This
location is configured using the System Manager in the Admin Portal. See Getting
MobileIron server software updates on page 737.

Example:
>show software repository
+------------------------------------------+---------------+-----------
Software repository Username Password
+------------------------------------------+---------------+-----------
myRepositoryServer.com RepositoryUserId

show tcp
Lists information about all active TCP ports. This information provides traffic statistics
and can help identify network problems.

Note: This command executes the Linux command netstat -nat. See Linux man
pages for more information.

Example:
>show tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
.
.
.


The following table describes the information displayed:

Column heading   Description
Proto            The protocol. Always tcp.
Recv-Q           The number of bytes not copied by the user program connected to
                 this socket.
Send-Q           The number of bytes not acknowledged by the remote host.
Local Address    The IP address of the local computer and the port number being
                 used. If the port is not yet established, the port number is
                 shown as an asterisk (*).
Foreign Address  The IP address and port number of the remote computer to which
                 the socket is connected. If the port is not yet established, the
                 port number is shown as an asterisk (*).
State            The state of the connection. Possible states are:
                 LISTEN
                 SYN-SENT
                 SYN-RECEIVED
                 ESTABLISHED
                 FIN-WAIT-1
                 FIN-WAIT-2
                 CLOSE-WAIT
                 CLOSING
                 LAST-ACK
                 TIME-WAIT
                 These states are further described in
                 http://tools.ietf.org/html/rfc793.
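The following Python script is added here as an example and is not MobileIron code. It applies the column layout described above to show tcp (netstat -nat) output: it lists the listening ports bound to a non-loopback address (reachable from other hosts), compares them with an allow list, and counts sockets per state. The sample output is constructed (only the first three LISTEN lines mirror the manual's example); note that netstat prints states with underscores (TIME_WAIT) rather than the hyphenated RFC names in the table.

```python
"""Triage of 'show tcp' output: which listeners are exposed off-box?"""
from collections import Counter

# Constructed sample of 'show tcp' output. 8005 (Tomcat shutdown port),
# 199 (SNMP smux) and 3306 (MySQL) are loopback-only as in the manual;
# 443 and 22 listen on all interfaces. Remaining lines are made up.
SAMPLE_SHOW_TCP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.10.17.80:443         10.10.5.23:51234        ESTABLISHED
tcp        0      0 10.10.17.80:443         10.10.5.23:51235        TIME_WAIT
tcp        0    512 10.10.17.80:22          10.10.9.9:40001         ESTABLISHED
"""

# Address prefixes that are only reachable from the box itself.
LOOPBACK_PREFIXES = ("127.", "::1")


def split_addr(addr):
    """Split 'host:port' (IPv4 or IPv6) into (host, port); '*' port -> None."""
    host, _sep, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_show_tcp(text):
    """Parse the six-column netstat -nat layout into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The banner and the header line do not start with 'tcp'; the header
        # also splits into more than six fields ('Local Address').
        if len(parts) != 6 or parts[0] != "tcp":
            continue
        _proto, recvq, sendq, local, foreign, state = parts
        rows.append({
            "recv_q": int(recvq),
            "send_q": int(sendq),
            "local": split_addr(local),
            "foreign": split_addr(foreign),
            "state": state,
        })
    return rows


def exposed_listeners(rows):
    """Sorted ports in LISTEN state bound to a non-loopback local address."""
    ports = []
    for row in rows:
        host, port = row["local"]
        if row["state"] == "LISTEN" and not host.startswith(LOOPBACK_PREFIXES):
            ports.append(port)
    return sorted(ports)


def unexpected_exposure(rows, allowed_ports):
    """Exposed listeners missing from the allow list, e.g. a DB port on 0.0.0.0."""
    return [p for p in exposed_listeners(rows) if p not in allowed_ports]


def state_counts(rows):
    """Count of sockets per TCP state (a TIME_WAIT pile-up is worth a look)."""
    return Counter(row["state"] for row in rows)


if __name__ == "__main__":
    parsed = parse_show_tcp(SAMPLE_SHOW_TCP)
    print("exposed listeners:", exposed_listeners(parsed))
    print("unexpected:", unexpected_exposure(parsed, {22, 443}))
    print("states:", dict(state_counts(parsed)))
```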

show timeout
Displays the currently configured idle timeout for the CLI in minutes. The value 0
indicates no timeout. The timeout value is configured using the System Manager in
the Admin Portal. See CLI on page 697.

Example:
>show timeout
+---------------------------
Cli Idle Timeout in Minute(s)
+---------------------------


show version
Displays the currently installed version of MobileIron Core software.

Example:

>show version
VSP 4.5.0 Build 47

timeout
Sets the idle timeout for the CLI. Enter the number of minutes between 0 and 9999.

Example:
>timeout 150

You can also set the CLI idle timeout using the System Manager in the Admin Portal.
See CLI on page 697.

traceroute
Displays the network route to the specified destination.

Specify one of the following parameters:

Parameter   Description
hostname    The destination's host name.
IP address  The destination's IP address.

Examples:
>traceroute 173.194.33.43
traceroute to 173.194.33.43 (173.194.33.43), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 4.808 ms 5.481 ms 6.112 ms
2 * * *
.
.
.
>traceroute google.com
traceroute to google.com (173.194.33.45), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 5.268 ms 5.933 ms 6.564 ms
2 * * *
.
.
.


EXEC PRIVILEGED commands

The commands specific to the EXEC PRIVILEGED mode are summarized in the following
table, and then listed in detail in alphabetical order.

Note: All EXEC mode commands, except enable and logout, are also available in EXEC
PRIVILEGED mode.

Command                  Description
clear arp-cache          Clears the ARP cache on MobileIron Core.
configure terminal       Enters configuration mode.
dbcleanup app_inventory  Deletes duplicate and unused rows from app inventory
                         tables.
disable                  Returns to EXEC mode.
diskcleanup              Removes retired devices data and deleted apps from the
                         disk:
                         diskcleanup retired_devices
                         diskcleanup trashed_apps
end                      Returns to EXEC mode.
failover                 Manages Core failover.
grubupdate               Updates the grub configuration. Requires a reload.
install rpm              Installs VMware Tools.
no install rpm           Deletes, resets, and disables various system
                         configurations.
poweroff                 Turns off Core.
reload                   Halts Core and performs a cold restart.
service                  Performs operations on the Tomcat and iptables services.
setup                    Runs the setup wizard to reconfigure an installation.
show                     Shows running system information:
                         show portalacl
                         show running-config
                         show statichost
                         show system
                         show tech
                         show kparams
                         Note: In addition to the above commands, all EXEC mode
                         show commands are also available in EXEC PRIVILEGED mode.
software checkupdate     Checks the configured software repository for available
                         updates to Core.
software update          Installs the updates located using software checkupdate.
ssh                      Opens an ssh connection.
telnet                   Opens a telnet connection.
write                    Saves configuration changes.

clear arp-cache
Clears the ARP cache on MobileIron Core, listing each cleared ARP entry. The ARP
cache stores a mapping of IP addresses with link layer addresses, which are also
known as Ethernet addresses and MAC addresses. If the mapping in the cache is stale,
use this command to clear the cache. A mapping can become stale, if, for example, an
IP address has moved to a new host.

Example:
#clear arp-cache
Deleting Arp Entry for 100.10.10.10
Deleting Arp Entry for 10.10.19.21

configure terminal
Enters configuration mode. See CONFIG commands on page 787 for the commands
you can enter in configuration mode.

Example:
#configure terminal
Enter configuration commands, one per line.
/config#


dbcleanup app_inventory
Deletes duplicate and unused rows from app inventory tables. Requires portal service
restart.

Example:
#dbcleanup app_inventory
Requires portal service restart. Proceed? (y/n)y
Stopping tomcat: [ OK ]
AppInventry cleanup...

disable
Returns to EXEC mode.

Example:
#disable
>

diskcleanup retired_devices
Removes retired devices data from the disk.

Example:
#diskcleanup retired_devices
diskCleanup.pl - VSP disk cleanup script
[2] Finding device resources to delete...
=========================================

Searching and removing device files...

-----------------------
Found 0 devices with devices data, removed 0 devices' data.
0 bytes freed up
-----------------------

diskcleanup trashed_apps
Removes deleted apps from the disk.

Example:
#diskcleanup trashed_apps
diskCleanup.pl - VSP disk cleanup script
[1] Finding app-catalog resources to delete...
==============================================


Searching and removing app files...

-----------------------
Found 0 files, removed 0 files
0 bytes freed up
-----------------------


end
Returns to EXEC mode.

Example:
#end
>

exit
Terminates the CLI session and closes the terminal window.

failover
Commands to assist with managing MobileIron Core failover. Failover allows a
secondary Core to take over if the primary Core fails when your installation requires
high availability. For more information about implementing a high availability
solution, contact MobileIron Technical Support.

Note: High availability is a non-standard Core feature.

grubupdate
Updates the grub configuration. Requires a reload.
Note: This command should not be used on VMs. It should be used only for the
physical box.

Example:

#grubupdate

install rpm
Installs VMware Tools. If your MobileIron Core runs in VMware, use this command to
install the VMware Tools installation package. The installation package is an RPM file or
a .tar.gz. The parameter specifies where to find the file.


Warning: Use this command only to install third-party RPM or tar files that MobileIron
has approved, such as VMware Tools.

Parameter  Description
cdrom      Installs the RPM from a CDROM.
file       Unused.
url        Installs the RPM from a URL. Specify the URL as the final parameter.
info       Displays a list of installed third-party RPMs.

To uninstall a third-party RPM, use no install rpm. See no install rpm on page 780.

Examples:
The following example shows the initial output when installing VMwareTools from CD
ROM. Although not shown here, the installation continues with VMwareTools
configuration.
#install rpm cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
Select rpm/tar file to install
0. None - Do not install any thing
1 /mnt/VMwareTools-4.0.0-171294.tar.gz
Enter your selection: 1

Installing /mnt/VMwareTools-4.0.0-171294.tar.gz

Creating a new VMware Tools installer database using the tar4 format.

Installing VMware Tools.

In which directory do you want to install the binary files?
[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc/rc.d]

What is the directory that contains the init scripts?
[/etc/rc.d/init.d]

In which directory do you want to install the daemon files?
[/usr/sbin]

In which directory do you want to install the library files?
[/usr/lib/vmware-tools]

The path "/usr/lib/vmware-tools" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]

In which directory do you want to install the documentation files?
[/usr/share/doc/vmware-tools]

The path "/usr/share/doc/vmware-tools" does not exist currently. This program
is going to create it, including needed parent directories. Is this what you
want? [yes]

The installation of VMware Tools 4.0.0 build-171294 for Linux completed
successfully. You can decide to remove this software from your system at any time
by invoking the following command: "/usr/bin/vmware-uninstall-tools.pl".

Before running VMware Tools for the first time, you need to configure it by
invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want
this program to invoke the command for you now? [yes]

....

no install rpm
Uninstalls a MobileIron-approved third-party RPM. See install rpm on page 778.

For the list of no commands possible in CONFIG mode, see no on page 794.

poweroff
Turns off MobileIron Core. This command not only logs you out of the CLI, but shuts
down the operating system and powers off Core.

Example:

#poweroff

System configuration may have been modified. Save? [yes/no]: yes

Configuration saved.

Proceed with power-off? [yes/no]

reload
Halts MobileIron Core and performs a cold restart.

Example:

#reload

System configuration may have been modified. Save? [yes/no]: yes

Configuration saved.

Proceed with reload?

service
Performs operations on the Tomcat and iptables services. You can start and stop these
services, and check their status.


The parameters are:

Parameter     Description
service name  The name of the Linux service. Possible values are:
              tomcat
              iptables
operation     The operation to perform on the specified service. Possible values
              are:
              start
              stop
              status

Example:
#service tomcat start
Starting tomcat: Using TOMCAT_ALLOCATION_MB=11235
.
.
.
[OK]
#service iptables start
Applying iptables firewall rules: [OK]

#service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
.
.
.

#service iptables stop
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: filter nat[OK]
Unloading iptables modules: [OK]

setup
Runs the setup wizard to reconfigure an installation. This command takes you through
the initial configuration of MobileIron Core.

Example:
#setup

VSP 4.5.2 Build 32 (Branch r4.5.2)


Welcome to the Mobile Iron Configuration Wizard

Use the - character to move back to the previous field

Continue with configuration dialog? [yes/no]:

show portalacl
Displays the configured portal Access Control Lists (ACLs), which restrict access to
various portals of MobileIron Core. The access is restricted to certain servers or
networks by specifying their IP addresses or network/mask pairs.

For more information, see Portal ACLs on page 733, which describes how you
configure the portal ACLs in the System Manager, Security > Access Control List >
Portal ACLs.

Example:
#show portalacl
+-----------------------------------------------------------------------
Module + Access Allowed From
+-----------------------------------------------------------------------
MyPhoneAtWork 10.10.17.12

show running-config
Displays the configuration under which MobileIron Core is currently running.

The following table lists the configuration information that this command displays. It
also shows where in the System Manager of the Admin Portal to configure this
information, and a reference to the corresponding documentation.

Configuration Displayed          System Manager User Interface                    More Information
Network interfaces               Settings > Network > Interfaces                  Managing network interfaces on page 687
DB config                        Not used.
Network routes                   Settings > Network > Routes                      Routes on page 690
Telnet, ssh, and ntp status      Settings > CLI                                   CLI on page 697
DNS servers                      Settings > DNS and Hostname                      DNS and Hostname on page 692
Core host name and domain name   Settings > DNS and Hostname                      DNS and Hostname on page 692
NTP servers                      Settings > Date and Time (NTP)                   Date and Time (NTP) on page 695
CLI session timeout              Settings > CLI                                   CLI on page 697
System Manager user names        Security > Identity Source > Local Users         Identity Source > Local Users on page 715
Portal Access Control Lists      Security > Access Control Lists > Portal ACLs    Portal ACLs on page 733

Example:
#show running-config

show statichost
Displays the configured static hosts. The static hosts are configured using the System
Manager, in Settings > Static Hosts or with the CLI command statichost. See Static
Hosts on page 693 and statichost on page 797.

Example:
#show statichost
+------------------+-------------------------------------
IP Address FQDN
+------------------+-------------------------------------
172.16.80.2 mysentry.mycompany.com

show system
Displays system information as specified by the parameter. Most parameters result in
displaying output from Linux commands. For more information about Linux command
output, see the Linux man page description available on the Web.

Specify one of the following parameters:

Parameter   Description
disk        Displays disk usage information for each mounted file system. Linux command: df -h
top         Displays a snapshot of the running tasks and threads, including their command-line parameters. Enter h for help on navigating the output. Enter q to quit. Linux command: top -bcHss -n 1
toprt       Displays the running tasks, memory usage, and the uptime status, updating the display in real time. Enter h for help. Enter q to quit. Linux command: top
uptime      Displays the current time, the system status (up), how long the system has been running, how many users are currently logged on, and the system load averages for the last 1, 5, and 15 minutes. Linux command: uptime
user        Displays the list of System Manager users. See Introduction to user management on page 58.

Examples:
#show system disk
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 80G 3.0G 73G 4% /
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 7.9G 8.0K 7.9G 1% /dev/shm

#show system user


+------------------------+
Users
+------------------------+
miadmin

#show system uptime


18:23:11 up 23:15, 2 users, load average: 0.00 0.00 0.00

#show system toprt


top - 18:25:57 up 23:15, 2 users, load average: 0.00 0.00 0.00
Mem: 1643612k total, 3412864k used, 13023136k free, 148648k buffers
Swap:1849804k total, 0k used, 18490804k free, 14869890k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19186 root 20 0 67088 2732 1292 S 0.0 0.0 0:00.62 -bash
.
.
.

show tech
Gets MobileIron Core logs and database dumps for diagnostics. This command
transfers the diagnostic files to a server that you specify, using either HTTP(S) or SFTP.

Specify the following parameters:

Parameter              Description
http | sftp            Select the transport method for the files.
URL                    When using HTTP, enter the URL for the destination server. For example: https://support.mobileiron.com/uploads
host                   When using SFTP, enter the host name or IP address of the destination server. For example: support.mobileiron.com
alllogs                Enter No. Enter Yes only if MobileIron Core has restarted since the issue occurred.
username               Enter the user name for logging in to the server that you specified. The command prompts you for the corresponding password.
support-ticket-number  Enter the support ticket number, if you have one. This parameter is optional.

For more information about the logs, see Working with logs on page 751.

Example:
#show tech http https://support.mobileiron.com/uploads No mysupportusername
Enter Password for user mysupportusername:

software checkupdate
Checks the configured software repository for available updates to MobileIron Core.
The repository information is configured using the System Manager, in Maintenance >
Software Updates. See Getting MobileIron server software updates on page 737.

Example:
#software checkupdate

software update
Installs the updates located using software checkupdate. Use the reload command
after using the software update command. See Getting MobileIron server software
updates on page 737.

Example:
#software update
...
#reload

ssh
Opens an ssh connection.

Specify the following parameters:

Parameter   Description
user        The ID of the user making the connection.
server      The IP address or hostname of the target server.

Example:
#ssh miadmin 100.10.10.10
miadmin@100.10.10.10's password:

telnet
Opens a telnet connection.

Specify the following parameters:

Parameter   Description
server      The IP address or hostname of the target server.

Example:
#telnet 100.10.10.10
login: miadmin
password:

write
Saves configuration changes.

The changes you make in your CLI session are not saved across reboots of MobileIron
Core, although they are remembered between CLI sessions. Therefore, to ensure your
changes are not lost, use the write command to save your changes.

If you do not save your changes, a reboot will return Core to its previously-saved
configuration.

Example:

#write

CONFIG commands
The commands specific to the CONFIG mode are summarized in the following table,
and then listed in detail in alphabetical order.

In addition, the EXEC mode commands exit, help, and timeout are also available in
CONFIG mode.

Command                    Description
banner                     Defines the text to appear in the CLI login banner.
certificate client         Generates a self-signed certificate for the MobileIron client for use with TLS.
certificate portal         Generates a self-signed certificate for MobileIron Sentry configurations.
clock set                  Sets the date and time on MobileIron Core.
do                         Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.
enable secret              Changes the enable-secret password.
end                        Returns to EXEC PRIVILEGED mode.
eula                       Sets the End User License Agreement information.
hostname                   Configures Core's fully-qualified host name.
interface GigabitEthernet  Switches to INTERFACE mode to configure a physical interface.
interface VLAN             Switches to INTERFACE mode to configure a VLAN interface.
ip arp                     Updates the ARP cache on Core.
ip domain-name             Sets the default domain name.
ip name-server             Sets the preferred DNS server.
ip route                   Configures a static network route.
kparam                     Configures kernel parameters.
no                         Deletes, resets, and disables various system configurations.
ntp                        Configures the time sources.
portalacl                  Configures the portal Access Control Lists (ACLs), which restrict access to various portals of Core.
service                    Enables the service ssh, telnet, or ntp.
service support            Unlocks and resets the password for the support account.
software repository        Configures the software repository URL.
statichost                 Maps a fully-qualified domain name to an IP address.
syslog                     Configures syslog server information.
system user                Creates a System Manager user account.

banner
Defines the text to appear in the CLI login banner. You can specify two strings. The
strings cannot include spaces.

Specify the following parameter:

Parameter    Description
bannername   Multi-word string enclosed in quotes.

Example:

/config#banner Welcome MyCompany

certificate client
Generates a self-signed certificate for the MobileIron client for use with TLS.

For more information, see Certificate Mgmt on page 718, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.

Example:
/config#certificate client
Tlsproxy service will be disrupted.
Would you like to proceed? [y/n]:
/config#

Note: The CLI does not provide a confirmation that the certificate was generated.

certificate portal
Generates a self-signed certificate for MobileIron Sentry configurations.

For more information, see Certificate Mgmt on page 718, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.

Example:
/config#certificate portal
Services will be disrupted.
Would you like to proceed? [y/n]: y
/config#

Note: The CLI does not provide a confirmation that the certificate was generated.

clock set
Sets the date and time on MobileIron Core.

Specify the following parameters:

Parameter   Description
time        Current time using the format HH:MM:SS. Specify the hours as a value between 00 and 23.
day         Day of the month as a value between 1 and 31.
month       Month of the year. Specify one of the following: January, February, March, April, May, June, July, August, September, October, November, December.
year        Specify as a 4 digit string. For example: 2012

Example:
/config#clock set 10:34:59 23 February 2012
/config#

do
Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.

Use the do command when you are in CONFIGURE mode and want to run a command
from EXEC PRIVILEGED mode, but don't want to have to exit and reenter CONFIGURE
mode. After the keyword do, enter the command. For example:
config#do ping someWebSite.com

The following table lists the commands you can run using do:

Command          Description
clear arp-cache  Clears the ARP cache on MobileIron Core.
clock set        Sets the date and time on Core.
disable          Returns to EXEC mode.
help             Describes the interactive help system.
host             Performs a DNS lookup for a specified IP address or host name.
logout           Closes the terminal window.
ping             Sends echo messages.
poweroff         Turns off MobileIron Core.
reload           Halts Core and performs a cold restart.
show             Executes show commands specified in EXEC mode commands on page 764 and EXEC PRIVILEGED commands on page 775.
telnet           Opens a telnet session.
timeout          Sets the idle timeout for the CLI.
traceroute       Traces route to destination.
write            Saves configuration changes.

Example:
/config#do show banner

enable secret
Changes the enable-secret password. This password allows you to change from EXEC
mode to EXEC PRIVILEGED mode in the CLI.

For more information, see CLI on page 697, which describes how to do this task in
the System Manager, in Settings > CLI.

Example:
/config#enable secret NewPwd123

end
Returns to EXEC PRIVILEGED mode.

Example:
/config#end

eula
Sets the End User License Agreement (EULA) information.

Specify the following parameters:

Parameter     Description
companyname   The name of the company accepting the EULA. Enclose the name in double quotes if it contains spaces.
contactname   The name of the contact at the company. Enclose the name in double quotes if it contains spaces.
contactemail  Email address of the contact.

Example:
/config#eula "My Company" "Joe Doe" jdoe@mycompany.com

hostname
Configures MobileIron Core's fully-qualified host name.

Specify the following parameter:

Parameter Description
hostname The fully-qualified hostname for MobileIron Core.

For more information, see DNS and Hostname on page 692, which describes how to
do this task in the System Manager, in Settings > DNS and Hostname.

Example:
/config#hostname myhost123
Please reload the system for the changes to be effective.
/config#

interface GigabitEthernet
Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, or 4 to
specify which interface.

For more information, see Managing network interfaces on page 687, which
describes configuring the physical interfaces in System Manager, in Settings > Interfaces.

Example:
/config#interface GigabitEthernet 2
/config-if#

See INTERFACE mode commands on page 799 for available commands.

interface VLAN
Switches to INTERFACE mode to configure virtual Local Area Network (VLAN)
interfaces. Specify a number between 1 and 4094 for the VLAN ID.

For more information, see Managing network interfaces on page 687, which
describes configuring the VLAN interfaces in System Manager, in Settings > Interfaces.

Example:
/config#interface vlan 2
/config-vlan#

See INTERFACE mode commands on page 799 for available commands.

ip arp
Updates the ARP cache on MobileIron Core. The ARP cache stores a mapping of IP
addresses with link layer addresses, which are also known as Ethernet addresses and
MAC addresses.

Typically, the ARP cache is updated automatically, making this command unnecessary.

Specify the following parameters:

Parameter        Description
IP address       IP address of MobileIron Core.
MAC address      Corresponding MAC address, using format: xx:xx:xx:xx:xx:xx
Interface type   Specify GigabitEthernet or VLAN.
Interface ID     Specify 1 to 4 for GigabitEthernet. Specify 1 - 4094 for VLAN.

Example:
/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1

ip domain-name
Sets the default domain name. This value is shown in the System Manager, in
Settings > DNS and Hostname.

For more information, see DNS and Hostname on page 692.

Example:
/config# ip domain-name mycompany.com
/config#

ip name-server
Sets the preferred DNS server.

For more information, see DNS and Hostname on page 692, which describes config-
uring the DNS servers in System Manager, in Settings > DNS and Hostname.

Example:
/config# ip name-server 10.10.15.6
/config#

ip route
Configures a static network route. This command specifies the subnet mask and
gateway to use for routing from a network IP address.

Specify the following parameters:

Parameter    Description
IP address   Network IP address.
mask         Subnet mask.
gateway      IP address for the gateway.

For more information, see Routes on page 690, which describes configuring the
static network routes in System Manager, in Settings > Network > Routes.

Example:
/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1

kparam
Configures kernel parameters.

Specify the following parameter:

Parameter   Description
name        The name of the kernel parameter. Enter rp_filter or log_martians.

Example:

/config#kparam rp_filter

no
Deletes, resets, and disables various system configurations, as described in the
following table.

Command                                   Description
no banner                                 Reverts to the original login banner.
no hostname                               Reverts the system's fully qualified domain name to localhost.localdomain. Requires a system reload for the change to take effect.
no interface vlan <vlan number 1 - 4094>  Deletes the specified VLAN interface.
no ip arp <IP address>                    Deletes the specified IP address from the ARP cache.
no ip domain-name                         Deletes the domain-name of MobileIron Core.
no ip name-server <IP address>            Deletes the specified Internet name server from the list of Internet name servers that Core uses for DNS lookup.
no ip route <IP address> <mask>           Deletes the specified static network route from Core's routing table.
no kparam <name>                          Disables the kernel parameter.
no ntp <IP address or hostname>           Deletes the specified NTP server from Core's list of NTP servers.
no portalacls                             Deletes portal ACLs.
no service <service name>                 Disables the specified service (ssh, telnet, or ntp).
no service support                        Disables the password for the misupport account.
no statichost <IP address>                Deletes the static host entry.
no syslog <IP address or hostname>        Deletes the syslog server specified by the parameter.
no system user <username>                 Deletes the system user specified by the parameter.

ntp
Configures the time sources. The time sources are Network Time Protocol (NTP)
servers. Core's NTP client measures how far the system clock has drifted from these
servers and corrects it smoothly.

You can configure the NTP servers in the System Manager, in Settings > Date and
Time (NTP). See Date and Time (NTP) on page 695.

Specify the following parameters:

Parameter   Description
server      Hostname or IP address of the NTP server.
index       The order this NTP server appears in the configuration (0-2).

Example:
/config# ntp 172.16.0.1 0

portalacl
Configures the portal Access Control Lists (ACLs), which restrict access to various
portals of MobileIron Core. Access is restricted to servers or networks by specifying their
IP addresses, network and mask pairs, or hostname.

Parameter   Description
module      Enter one of the following options: MyPhoneAtWork, SmartphoneManagerPortal, SystemManagerPortal, SentryConnection, APIConnection, iOSMDM, iOSiRegURL, AppStorefrontConnection
host        The IP address, network, or hostname from which access is allowed. Only one host configuration is supported from CLI. Use the System Manager portal to configure multiple hosts or networks.

Example:
/config#portalacl MyPhoneAtWork 10.101.1.119
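Both ip route (earlier in this CONFIG command list) and portalacl take IPv4 addresses and masks, and a mistyped mask in either can blackhole a route or cut every client off from a portal before you notice. The following POSIX shell script is an added example, not MobileIron's code and not something that runs on Core: it validates the network, mask and gateway arguments of an ip route command, and it evaluates a portal ACL against a client address the way a packet filter would. The ACL table, the client addresses, and the accepted entry forms (a bare address, address/prefix, or address/dotted-mask) are constructed for the example; the CLI itself accepts one host per module, and hostname entries are not handled here.

```shell
#!/bin/sh
# Added example; not MobileIron code and not run on Core. Checks the IPv4
# arguments you are about to type into "ip route" and "portalacl", and
# evaluates a portal ACL the way a filter would, so a typo does not
# blackhole a route or lock clients out of a portal.
# Assumptions: IPv4 only; ACL entries are an address, addr/prefix, or
# addr/dotted-mask (hostnames are out of scope here).

# Dotted quad -> 32-bit integer. Prints nothing and returns 1 on bad input
# (wrong field count, non-digits, octet > 255, leading zeros).
ip2int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] && [ "$1" -le 255 ] && [ "$2" -le 255 ] &&
        [ "$3" -le 255 ] && [ "$4" -le 255 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0-32) -> mask integer.
prefix2mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then echo 0; return 0; fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# A dotted-quad mask is valid only if its 1 bits are contiguous from the top.
mask_is_contiguous() {
    m=$(ip2int "$1") || return 1
    inv=$(( ~m & 4294967295 ))        # the 0 bits, as a number
    [ $(( inv & (inv + 1) )) -eq 0 ]  # valid iff of the form 2^k - 1
}

# Prefix length of a contiguous dotted-quad mask.
mask_prefixlen() {
    mask_is_contiguous "$1" || return 1
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Check "ip route <network> <mask> <gateway>" arguments. Prints "ok" or the
# problem, and returns nonzero on a problem.
route_check() {
    net=$(ip2int "$1") || { echo "bad network address: $1"; return 1; }
    mask_is_contiguous "$2" || { echo "bad netmask: $2"; return 1; }
    ip2int "$3" >/dev/null || { echo "bad gateway address: $3"; return 1; }
    m=$(ip2int "$2")
    if [ $(( net & m )) -ne "$net" ]; then
        echo "$1 is a host address, not the network address for mask $2"
        return 1
    fi
    echo ok
}

# Is client $1 inside ACL entry $2 (addr, addr/prefix, or addr/dotted-mask)?
ip_in_entry() {
    client=$(ip2int "$1") || return 1
    case $2 in */*) base=${2%%/*}; spec=${2#*/} ;; *) base=$2; spec=32 ;; esac
    baseint=$(ip2int "$base") || return 1
    case $spec in
        *.*) maskint=$(ip2int "$spec") || return 1 ;;
        *)   maskint=$(prefix2mask "$spec") || return 1 ;;
    esac
    [ $(( client & maskint )) -eq $(( baseint & maskint )) ]
}

# Constructed ACL in the shape "show portalacl" prints (module, allowed from).
ACL='MyPhoneAtWork 10.10.17.12
SystemManagerPortal 10.10.0.0/16
SentryConnection 192.168.57.0/255.255.255.0'

# Decide whether a client at $2 may reach portal module $1. Prints allow or
# deny; no matching entry (or an unparsable client address) means deny.
portal_acl_check() {
    printf '%s\n' "$ACL" | {
        while read -r module src; do
            [ "$module" = "$1" ] || continue
            if ip_in_entry "$2" "$src"; then echo allow; exit 0; fi
        done
        echo deny
    }
}
```

portal_acl_check treats a missing module entry or an unparsable client address as deny, which is the fail-closed behaviour an ACL should have; route_check refuses a host address where ip route expects a network address, a mistake that is easy to make when copying an interface address from show running-config.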

service
Enables the service ssh, telnet, or ntp. For telnet and ntp, this command also sets the
number of instances allowed for the service.

Parameter   Description
name        The name of the service. Enter either ssh, telnet, or ntp.
instances   Maximum sessions allowed for ssh or telnet.

Example:
/config#service telnet 4

service support
Unlocks and resets the password for the support account. This command allows
one-time access to the misupport Linux user account, using the displayed account
password.

Warning: Do not access the Linux misupport account unless you are working closely
with MobileIron Technical Support. MobileIron cannot help you recover if you damage
your system when working on your own in the Linux command shell.

Example:
/config#service support
One-time-password for account misupport set to XRXFHT1str

software repository
Configures the software repository URL. This URL specifies the location of software
updates for MobileIron Core. You can also configure the software repository in the
System Manager, in Maintenance > Software Updates. See Getting MobileIron server
software updates on page 737.

Specify the following parameters:

Parameter   Description
urlstring   URL for the software repository.
username    The username portion of the credentials for accessing the repository.
password    The password portion of the credentials for accessing the repository.

statichost
A static host configuration maps a fully-qualified domain name to an IP address. This
static mapping is useful in the following cases:
- A DNS server is not available.
- The DNS server entry for a fully-qualified domain name points to an external IP
address, outside of your firewall, although the ultimate destination is inside your
firewall. You can use this static mapping if you want to associate the fully-qualified
domain name with an internal IP address, inside your firewall.

The static hosts are also configured using the System Manager, in Settings > Static
Hosts. See Static Hosts on page 693.

Specify the following parameters:

Parameter   Description
ip          IP address of the fully-qualified domain name.
fqdn        The fully-qualified domain name.

Example:
/config#statichost 172.16.80.2 mysentry.mycompany.com

syslog
Configures syslog server information.

Parameter   Description
server      Hostname or IP address of the syslog server
loglevel    Specify the log level to be enabled (0-7)

The log level value you specify in this command corresponds to the log levels as
follows:

Log level value   Log level description
0                 Emergency
1                 Alert
2                 Critical
3                 Error
4                 Warning
5                 Notice
6                 Info
7                 Debug

For more information, see Syslog on page 698, which describes configuring the
syslog servers in System Manager, in Settings > Syslog.
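Every syslog message Core forwards carries its facility and severity in the PRI prefix on the wire, and the severity is the same 0-7 scale as the log level table above. The following POSIX shell script is an added example, not MobileIron code: it decodes the PRI field of constructed sample lines and counts how many a receiver keeps at a given level. It assumes, as syslog conventionally does, that a configured level N forwards severities 0 through N (Emergency down to the chosen level); confirm how Core applies the value before relying on it.

```shell
#!/bin/sh
# Added example; not MobileIron's code. Decodes the PRI field that prefixes a
# syslog message on the wire (PRI = facility * 8 + severity, RFC 3164) and
# counts which constructed sample lines a receiver at a given log level
# would keep. Assumption: a configured level N means severities 0..N are
# forwarded, the usual syslog reading of "level"; verify against your Core.

# Severity number (0-7) -> name, matching the table in the text.
severity_name() {
    case $1 in
        0) echo Emergency ;; 1) echo Alert ;;  2) echo Critical ;; 3) echo Error ;;
        4) echo Warning ;;   5) echo Notice ;; 6) echo Info ;;     7) echo Debug ;;
        *) return 1 ;;
    esac
}

# Print "<facility> <severity>" for a line starting with <PRI>; fail otherwise.
decode_pri() {
    case $1 in '<'*'>'*) ;; *) return 1 ;; esac
    pri=${1#'<'}; pri=${pri%%'>'*}
    case $pri in ''|*[!0-9]*) return 1 ;; esac
    [ "$pri" -le 191 ] || return 1          # max facility 23, severity 7
    echo "$(( pri / 8 )) $(( pri % 8 ))"
}

# Constructed sample lines in the shape a Linux syslog daemon emits.
SAMPLE='<34>Jun 29 10:15:02 core sshd[2314]: Failed password for invalid user test from 10.10.15.99 port 51822 ssh2
<13>Jun 29 10:15:05 core tomcat: Server startup in 18201 ms
<86>Jun 29 10:15:07 core sshd[2320]: Accepted password for miadmin from 10.10.17.12 port 51830 ssh2
<30>Jun 29 10:15:09 core ntpd[911]: synchronized to 172.16.0.1, stratum 2
<38>Jun 29 10:15:11 core CROND[2330]: pam_unix(crond:session): session opened for user root'

# Count the sample lines whose severity is at or above the given level
# (numerically <= level: 0 is the most severe). Lines without a valid PRI
# are skipped rather than guessed at.
forwarded_count() {
    level=$1
    case $level in [0-7]) ;; *) return 1 ;; esac
    printf '%s\n' "$SAMPLE" | {
        n=0
        while read -r line; do
            fs=$(decode_pri "$line") || continue
            sev=${fs#* }
            if [ "$sev" -le "$level" ]; then n=$(( n + 1 )); fi
        done
        echo "$n"
    }
}

# Show each sample line tagged with its decoded severity name.
annotate_sample() {
    printf '%s\n' "$SAMPLE" | while read -r line; do
        fs=$(decode_pri "$line") || { echo "?? $line"; continue; }
        printf '%-9s %s\n' "$(severity_name "${fs#* }")" "${line#*'>'}"
    done
}
```

forwarded_count 4, for instance, keeps only the <34> sshd line (severity 2, Critical) from the sample set. That is the practical effect of a low log level: the Info-level authentication successes and daemon messages that an incident review often needs never reach the collector, so choose the level with the receiver's retention and your detection needs in mind rather than only its volume.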

system user
Creates a System Manager user account. Specify the following parameters:

Parameter   Description
username    User name
password    The unencrypted (cleartext) user password

For more information, see Identity Source > Local Users on page 715.

INTERFACE mode commands

INTERFACE mode comes in two flavors:
- GigabitEthernet: configures the physical Ethernet interfaces.
- VLAN: configures the virtual Local Area Network (VLAN) interfaces.

You enter each INTERFACE mode from the CONFIG mode using the commands interface
GigabitEthernet on page 791 or interface VLAN on page 792. For example:
/config# interface GigabitEthernet 2
/config-if#

Each INTERFACE mode has its own set of commands that are applied to the specified
interface, such as GigabitEthernet 2 in the above example. Most commands are
shared by both modes.

The commands specific to the INTERFACE modes are summarized in the following
table, and then listed in detail in alphabetical order.

Command                              Description
do                                   Runs EXEC or EXEC PRIVILEGED commands.
end                                  Returns to CONFIGURE mode.
exit                                 Exits the EXEC mode and closes the terminal window.
ip address                           Configures the IP address of a physical or VLAN interface.
no                                   no ip address - Resets the IP address of a physical or VLAN interface. no shutdown - Enables a physical or VLAN interface.
physical interface GigabitEthernet   (Available in INTERFACE VLAN mode only.) Creates a VLAN interface on the specified physical interface.
shutdown                             Disables the current VLAN or physical interface.

end
Returns to CONFIGURE mode.

Example:

/config-if#end
/config#

/config-vlan#end
/config#

ip address
Configures the IP address and mask of the interface you specified in the interface
command. The interface is one of the following:
- a physical interface when in INTERFACE GigabitEthernet mode.
- a VLAN interface when in INTERFACE VLAN mode. Before you can configure the IP
address of a VLAN interface, create the VLAN interface, using the command physical
interface GigabitEthernet on page 801.

Specify the following parameters:

Parameter    Description
IP address   IP address of the physical network interface when in INTERFACE GigabitEthernet mode. IP address of the VLAN interface when in INTERFACE VLAN mode.
mask         The netmask of the interface.

Example:
/config#interface GigabitEthernet 2
/config-if#ip address 10.10.17.27 255.255.255.0

no
Use the no command in INTERFACE mode as described in the following table.

Command         Description
no ip address   Resets the IP address and mask of the interface that you specified in the interface command. The interface can be a physical or VLAN interface. This command sets both the IP address and the mask to 0.0.0.0.
no shutdown     Enables the GigabitEthernet or VLAN interface that you specified in the interface command.

physical interface GigabitEthernet
Creates a VLAN interface on the specified physical interface. This command is
available only in INTERFACE VLAN mode.

Specify the following parameter:

Parameter                          Description
GigabitEthernet interface number   A value between 1 and 4 that specifies the GigabitEthernet interface on which to create the VLAN interface.

Example:
/config#interface vlan 1
/config-vlan#
/config-vlan#physical interface GigabitEthernet 1

shutdown
Disables the VLAN or physical interface that you specified in the interface command.
To enable the interface, use no shutdown. See no on page 800.

Examples:
The following command disables a physical interface:
/config#interface GigabitEthernet 1
/config-if#shutdown
/config-if#

The following command disables a VLAN interface:
/config#interface vlan 1
/config-vlan#shutdown
/config-vlan#

Section V: Appendixes
Web-based Registration for iOS and OS X Devices
Distributing iOS MDM Profiles with Apple Configurator
Secure Apps on Android Devices
Secure apps on iOS Devices
Docs@Work for iOS
The SharePoint Client App for Android
Working with the MobileIron App and Related Agents for Android
Multi-User Support for iOS
Android Kiosk Support
The User Portal: MyPhone@Work
Physical Appliance Hardware Specification
Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates

Appendix A

Web-based Registration for iOS and OS X Devices

What is web-based registration?
Implementing web-based registration for iOS and OS X devices

What is web-based registration?
Web-based registration is a process of registering iOS and OS X devices in bulk for
large deployments. The benefits of this style of registration include:
- iTunes accounts are not required
- No end-user interaction is required

However, because a MobileIron app is not downloaded to the device, the management
features provided by the app, such as in-house app distribution, are not available.

Preparation
Because users will be informed of the registration via email before they receive the
device, you should consider turning off user notification when you bulk register the
devices. As an alternative, consider editing the registration template or informing
users that they should ignore the email. See Customizing registration messages on
page 105 for information on editing the template.

Supported browsers for iOS and OS X devices

Web-based registration requires a Safari browser on the device.

Installing the Mobile@Work app for iOS

The Mobile@Work app for iOS can be installed after web-based registration via in-app
registration. After the user or administrator installs the Mobile@Work app and initiates
a new registration, MobileIron detects that the device already exists in the database
and updates the existing record. See In-app registration for iOS and Android on
page 96 for information on performing in-app registration.

Implementing web-based registration for iOS and OS X devices
To implement web-based registration for iOS and OS X devices:
1. In Admin Portal, select Settings > Preferences.
2. Scroll down to find the iOS/Android/Windows Phone 8 Registration Preferences
section, and set the iOS Web-based Registration Requires option to the preferred
option.
3. Set the In-App Registration Requires option to Password.
4. Bulk register the devices on MobileIron Core.
See Registration by administrator: multiple devices (bulk registration) on page 90
for information on using bulk registration.
Once these devices are registered, they will appear in the Users & Devices >
Devices page with a status of Pending.
5. Create a pending device report. See Create a pending device report on page 808.
6. On each device, point the browser to the following URL:
https://<fully-qualified domain name for Core>/ireg
The registration screen appears.
7. Enter the requested information for the user who will receive the device.
8. Click Register.
9. Instruct iOS device users to download the Mobile@Work app from the Apple App
Store and complete the in-app registration process.
MobileIron will detect that the device is already registered and match the new
Mobile@Work app to the existing entry for the device.

Create a pending device report
A pending device report is used to list the username and the PIN and/or password you
will need in order to complete the registration process on each user's behalf. To create
this report, do the following:
1. Go to Users & Devices > Devices.
2. Open Advanced Search by clicking the advanced search icon.
3. Using the query builder, select the following:
- Select Status for Field
- Select Equals for Operator
- Select Pending for Value
4. Click Search. The devices in the pending state are shown in the table.
5. To download this report in CSV format, click Export To CSV. The report includes the
PIN and/or password required to complete registration, as appropriate.

Appendix B

Distributing iOS MDM Profiles with Apple Configurator

MobileIron supports distribution of iOS MDM profiles by means of Apple Configurator.
In addition, you can use bulk registration in the Admin Portal to automatically match
users to devices based on serial number.

Note: Administrators who are experimenting or troubleshooting individual devices can
also use the iPhone Configuration Utility to deploy a registration profile to a device.

Notes on using Apple Configurator

- Do not assign user-specific configurations to the iOS label. Devices registered
through the Configurator are initially registered as anonymous users, so pushing
user-specific configurations (e.g., Exchange configurations) introduces unnecessary
processing that must be repeated after MobileIron Core matches the device to the
user.
- If you are using the Configurator to register devices that display the iOS Setup
Assistant, then enable supervision of the devices in the Configurator. The Setup
Assistant is the wizard-like interface you see when starting the device for the first
time. The Setup Assistant prevents display of the registration dialogs, causing
deployment of configuration profiles to fail, unless supervision is enabled.
- Consider installing the Wi-Fi profile in a separate operation prior to installing the
MDM profile. This approach prevents the MDM profile installation from failing if the device
does not acquire an IP address (required for MobileIron Core connectivity) in a timely manner.
Just complete the steps in How to use Apple Configurator for MobileIron registration for the
Wi-Fi profile.

How to use Apple Configurator for MobileIron registration

Complete the following tasks to use Apple Configurator for registering devices with
your MobileIron Core:
1. Acquire serial numbers.
This step is necessary only if you want to match devices with serial numbers
automatically.
2. Bulk register the devices.
This step is necessary only if you want to match devices with serial numbers
automatically.
3. Export the MDM profile from MobileIron Core.
4. Import the MDM profile into the Configurator.
5. Apply the MDM profile to tethered devices.

Acquiring serial numbers

To automatically associate users to Configurator-registered devices, you must
bulk-register the devices on MobileIron Core and specify the device serial numbers in the
registration spreadsheet. Check the following sources for serial numbers:
- the back of the device
- in iOS (Settings > General > About)
- on the retail and bulk device packaging (both in readable and barcode form)
For large roll-outs of devices, we recommend using a barcode scanner and the
iPhone Configuration Utility to quickly import serial numbers for tethered devices.
This is particularly useful since the serial number can be copied from IPCU and pasted into the
spreadsheet. This practice is also useful if you intend to recycle and re-register devices.

Bulk-registering the devices


To bulk-register the devices:
1. In the Admin Portal, select Users & Devices > Devices > Add > Multiple Devices.
2. Click Sample CSV File.
3. Save the sample file to your local drive.
4. Add an entry for each device, including the serial number.
See Registration by administrator: multiple devices (bulk registration) on page 90
for more information on completing the bulk registration CSV file.
5. In the Adding Multiple Devices dialog, click Browse to select the edited CSV file.
6. Click Import File.

Exporting the MDM profile from MobileIron Core


To export the iOS MDM profile:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the System - iOS MDM setting.
3. Click Export MDM Profile.
4. Save the file to your local drive.
The file will have a .mobileconfig extension.
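Before importing the exported profile into Apple Configurator, it is worth confirming that the file really is an MDM enrollment profile and that its enrollment URLs point at your own Core over HTTPS, since a device enrolled against the wrong server is managed by whoever runs that server. The following Python is an added example, not part of this guide or of MobileIron's tooling; it assumes the export is an unsigned XML plist, and the hostname, identifiers and UUIDs in the embedded sample are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample in the shape of an Apple MDM enrollment profile
# (a Configuration profile carrying one com.apple.mdm payload). The host,
# identifiers and UUIDs are placeholders, not values from a real Core export.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example MDM Profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>ServerURL</key><string>https://core.example.com/mdm</string>
      <key>CheckInURL</key><string>https://core.example.com/mdm</string>
      <key>Topic</key><string>com.apple.mgmt.External.00000000-0000-4000-8000-000000000003</string>
    </dict>
  </array>
</dict>
</plist>
"""


def inspect_mdm_profile(data: bytes, expected_host: str) -> dict:
    """Parse an unsigned .mobileconfig and report whether its MDM payload
    enrolls devices against expected_host over HTTPS.

    Returns a summary dict; "problems" is empty when the profile looks right.
    Raises ValueError when the file is not an MDM enrollment profile at all.
    """
    plist = plistlib.loads(data)
    if plist.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")

    mdm_payloads = [p for p in plist.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        raise ValueError(f"expected one com.apple.mdm payload, found {len(mdm_payloads)}")
    mdm = mdm_payloads[0]

    problems = []
    # Both enrollment endpoints must be HTTPS and must point at our Core, so
    # that the device cannot be enrolled against an imposter or over plaintext.
    for key in ("ServerURL", "CheckInURL"):
        url = mdm.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parts.hostname != expected_host:
            problems.append(f"{key} host {parts.hostname!r} is not {expected_host!r}")
    # The push topic is how Core wakes the device; it is always an APNs MDM topic.
    if not str(mdm.get("Topic", "")).startswith("com.apple.mgmt."):
        problems.append("Topic is not an APNs MDM topic")

    return {
        "display_name": plist.get("PayloadDisplayName"),
        "server_url": mdm.get("ServerURL"),
        "topic": mdm.get("Topic"),
        "problems": problems,
    }


if __name__ == "__main__":
    print(inspect_mdm_profile(SAMPLE_MOBILECONFIG, "core.example.com"))
```

Run it against the real export with the hostname of your Core; any entry in "problems" means the file should not be imported into Configurator until the cause is understood.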

Importing the MDM profile into the Configurator


To import the iOS MDM profile into the Configurator:
1. If you plan to configure supervised devices, complete that process in Apple Configurator.
2. In Apple Configurator, click Prepare at the top of the screen.

3. In the Name field, enter a name for the configuration.
4. Click the + under Profiles.

5. Select Import Profile.
6. Select the MDM profile you exported.
7. Click Open.

Applying the MDM profile to the tethered device
To apply the imported MDM profile using the Configurator:
1. Tether a device.
2. Select the checkbox next to the profile you just added.

3. Click the Prepare button at the bottom of the screen.
4. If prompted to confirm, click Apply.
5. For unsupervised devices, respond to the profile installation prompts displayed on
the device.
Prompts do not display on supervised devices.
6. Confirm that the registration has been completed on MobileIron Core.
If you did not bulk-register the devices, they will be displayed in the Admin Portal
with the "<Anonymous>" user account. When a device user installs and signs in to
Mobile@Work, Core switches the device to that user's account.

Importing the iOS MDM profile using Apple Configurator 1.4.2


To import the iOS MDM profile using Apple Configurator 1.4.2:
1. Open Apple Configurator.

2. Click Install Profiles...

3. Click Import to navigate to the iOS MDM profile you exported from MobileIron Core.
4. Select the iOS MDM profile and click Open.
You are returned to the Choose or create a profile screen, and the iOS MDM profile
displays.

5. Select the iOS MDM profile and click Next.
The Profile Installation Complete screen appears.

6. Click Close.

Follow the steps in Importing the iOS MDM profile using Apple Configurator 1.4.2 to
also import a Wi-Fi profile.

Appendix C

Secure Apps on Android Devices


Your administrator configures whether your device uses secure apps, and determines
which secure apps are downloaded and installed on your device.

A secure app:
- keeps its data secure.
  A secure app can share its data and files only with other secure apps.
- requires you to log in with a secure apps passcode.
  Logging in one time with your secure apps passcode allows you to access all the secure apps.
- overlays its icon with a special badge that indicates it is a secure app.

The Mobile@Work app works with another MobileIron app to download, install, and manage your secure apps. The other MobileIron app is called the Secure Apps Manager. The Secure Apps Manager is downloaded and installed along with the secure apps.

Setting up your device to use secure apps requires you to do the following:
1. Download and install the secure apps on page 818
2. Create the secure apps passcode on page 819

Also related to secure apps, see:
- Secure apps notifications on page 820
- Secure apps status bar icons on page 821
- Camera, gallery, and media player warning messages on page 822

Download and install the secure apps
To download and install the secure apps on Android devices:
1. Start the Mobile@Work app.
If you do not see the Secure Apps tab on your Mobile@Work home screen, your
administrator has not configured your device to use secure apps.
2. Follow the instructions to install secure apps, including the Secure Apps Manager.
3. Continue to Create the secure apps passcode on page 819.

Create the secure apps passcode
After you download and install all your secure apps, you create a passcode for the
secure apps. Logging in one time provides access to all the secure apps.

Note: The secure apps passcode is not the same passcode as your device password, if
you have one. You can choose the same values for both the secure apps passcode and
the device password, or choose a different value for each of them.

To create your secure apps passcode:


1. Complete the steps in Download and install the secure apps on page 818.
2. Tap Continue on the Create Secure Apps Passcode screen.
3. Enter a passcode, and then enter it again.
Adhere to the passcode requirements that are stated under the Enter Passcode
field.
4. Tap Done.
After creating the secure apps passcode, note the lock icon in the status bar.

Secure apps notifications
Throughout the steps for setting up secure apps on your device, and after the steps
are completed, you receive notifications about the status of Mobile@Work and secure
apps. For example, a notification indicates whether you have logged in with the secure
apps passcode.

When you power on the device, a notification indicates that you have not logged in
with your secure apps passcode, and that you have no email connection. Be sure to
log in.

To log in:
1. Open any secure app or the Secure Apps Manager.
2. Enter your secure apps passcode.

Some secure apps, such as the email app, are active even when you are not using
them. For example, the email app syncs your email and calendar items. Until you log
in with your secure apps passcode, these apps cannot do their jobs.

Secure apps status bar icons
A secure apps icon appears in the status bar of the device.

When you have entered your secure apps passcode, the icon looks like the following:

When you are logged out of secure apps, the icon looks like the following:

For example, you are logged out when you have not used a secure app for five minutes.

The secure apps icon turns into a warning icon in some situations:

The warning icon appears when you need to reenter your secure apps passcode, such
as when you power on the device.

Camera, gallery, and media player warning messages
The administrator can allow or prohibit secure apps on your device to do the following:
- access camera photos from the app
- access gallery images from the app
- stream media from the app to a media player
If a capability is prohibited and an app attempts to use it, a message displays indicating that the administrator has disabled the capability.

If the administrator allows accessing camera photos from secure apps, when an app
accesses the camera, the app displays a warning. The warning indicates that the
photo will not be secured, and that a photo from an unsecured camera app may compromise secure data.

If the administrator allows accessing gallery images from secure apps, when an app
accesses an image, the app displays a warning. The warning indicates that the image
will not be secured and that an image from an unsecured app may compromise secure
data.

If the administrator allows media streaming from secure apps, when an app is about
to stream media, the app displays a warning. The warning indicates that media will be
streamed outside the secure container.

The warnings also provide the option to turn off future warnings.

Appendix D

Secure apps on iOS Devices


Secure apps on iOS devices allow the device user to securely access sensitive work
documents and data on the device. You configure secure apps for a device as
described in How to configure AppConnect on page 588.

Mobile@Work provides the following features relating to secure apps:
- Secure apps passcode management on page 824
- Secure apps status display on page 839

Secure apps passcode management
Typically, you configure AppConnect to require the device user to use a secure apps passcode to use secure apps. The device user creates and uses a secure apps passcode as follows:
- Creating a secure apps passcode on page 824
- Logging in with the secure apps passcode on page 826
- Logging out of secure apps on page 827
- Resetting the secure apps passcode - user initiated on page 828
- Resetting the secure apps passcode - administrator initiated on page 832
- Handling a forgotten secure apps passcode on page 834

The workflow and screenshots that follow use Mobile@Work 6.0.

Creating a secure apps passcode


When you have configured a device so that a secure apps passcode is required, the
Mobile@Work home screen looks like the following:

Mobile@Work prompts the device user to create a secure apps passcode the first time
the user does one of the following:

- taps Log In
- launches any secure app
- taps the Local Files tab or File Shares tab in Mobile@Work.
  If Docs@Work is enabled, the Local Files and File Shares tabs allow the user to access file share documents and email attachments. Like secure apps, these Mobile@Work capabilities require the secure apps passcode.

To create a secure apps passcode, the device user does the following:
1. Taps Log In.

2. Enters a passcode according to the specified instructions.


3. Taps Done.

4. Reenters the passcode.
5. Taps Done.

6. Taps Done.

Logging in with the secure apps passcode


After a period of time in which the device user uses no secure apps, Mobile@Work
automatically logs the device user out of secure apps. When the user once again
launches a secure app, or taps Log In, or taps the Local Files or File Shares tab in Mobile@Work, Mobile@Work prompts the user to log in with the secure apps passcode:

The device user does the following:


1. Enters the secure apps passcode.
2. Taps Done.

The device user can now continue with the secure app.

Logging out of secure apps


The device user can log out of secure apps. Logging out is useful, for example, if the
user is lending the mobile device to a family member for a few minutes.

Note: The user is automatically logged out after a period of inactivity.

To log out of secure apps, the device user does the following:
1. Goes to the Mobile@Work home screen.

2. Taps Log Out.

Mobile@Work will prompt the device user for the secure apps passcode the next time
the user launches a secure app, taps Log In, or taps the Local Files or File Shares tab
in Mobile@Work.

Resetting the secure apps passcode - user initiated


The device user can choose to reset the secure apps passcode at any time. The user
does the following:
1. Taps the Settings tab on the Mobile@Work home screen.

2. Taps Secure Apps.

3. Taps Passcode.

4. Taps Change Passcode.

5. Enters the old secure apps passcode.


6. Taps Done.

7. Enters a new passcode according to the specified instructions.
8. Taps Done.

9. Reenters the passcode.


10. Taps Done.

11. Taps Done.

Resetting the secure apps passcode - administrator initiated


You can change the secure apps passcode requirements on MobileIron Core by modifying the AppConnect global policy. When Mobile@Work checks in with Core, Mobile@Work prompts the device user as follows:

The device user does the following:

1. Taps OK.

2. Enters the old secure apps passcode.


3. Taps Done.

4. Enters a new passcode according to the specified instructions.


5. Taps Done.

6. Reenters the passcode.
7. Taps Done.

8. Taps Done.

Handling a forgotten secure apps passcode


If a device user has forgotten the secure apps passcode, the user can reset the secure
apps passcode by providing his MobileIron credentials.

The device user either:
- realizes that he has forgotten the passcode.
- exceeds the maximum number of attempts to enter the passcode.
  You configure this value in the AppConnect global policy.

Note: Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered with a VSP 5.5. See Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5 on page 838.

When the device user realizes that he has forgotten the passcode
The device user does the following:
1. Launches a secure app, or taps Log In or taps the Local Files or File Shares tab in
Mobile@Work. Mobile@Work prompts the user to login with the secure apps pass-
code:

2. Taps Forgot Passcode.

3. Enters the User Name and Password for registering with MobileIron Core.

4. Enters a new passcode according to the specified instructions.


5. Taps Done.

6. Reenters the passcode.
7. Taps Done.

8. Taps Done.

When the device user exceeds the maximum number of attempts


The maximum number of attempts to correctly enter the secure apps passcode is configurable. If it is greater than 5, after the device user makes five attempts to correctly enter the secure apps passcode, Mobile@Work displays the following:

The user can attempt to reenter the secure apps passcode only after waiting longer
and longer time periods. Specifically, after the 5th, 6th, 7th, 8th, and 9th attempts,
the user must wait 1, 5, 15, 60, and 60 minutes respectively. After the 10th attempt, the maximum, the user can no longer access secure apps. To regain access, he must enter his user credentials and then create a new secure apps passcode.
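The escalating waits above amount to a throttled-then-locked passcode gate, which is what limits an attacker who has the unlocked device from guessing the secure apps passcode by hand. The following Python is an added example, not Mobile@Work's code: it models the wait schedule, the configurable maximum capped at 10, the hard lock after the final attempt, and recovery only by presenting MobileIron credentials and creating a new passcode. It stores only a salted PBKDF2 hash of the passcode; the clock values and iteration count are choices made for the example.

```python
import hashlib
import hmac
import os

# Wait (in minutes) imposed after the Nth consecutive failed attempt, as
# described in the guide: attempts 5 through 9 wait 1, 5, 15, 60, 60 minutes.
WAIT_MINUTES_AFTER_ATTEMPT = {5: 1, 6: 5, 7: 15, 8: 60, 9: 60}
# The guide states that the 10th attempt is the maximum, whatever is configured.
MAX_ATTEMPTS_CEILING = 10
PBKDF2_ITERATIONS = 50_000  # lowered for the example; use more in production


class SecureAppsPasscodeGate:
    """Tracks failed secure apps passcode attempts for one device."""

    def __init__(self, passcode: str, max_attempts: int = MAX_ATTEMPTS_CEILING):
        self.max_attempts = min(max_attempts, MAX_ATTEMPTS_CEILING)
        self.failures = 0
        self.wait_until = 0   # earliest time (seconds) the next attempt is accepted
        self.locked = False   # True once the maximum has been reached
        self._set_passcode(passcode)

    @staticmethod
    def _hash(passcode: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)

    def _set_passcode(self, passcode: str) -> None:
        # Only a salted hash is kept; the passcode itself is never stored.
        self.salt = os.urandom(16)
        self.digest = self._hash(passcode, self.salt)

    def try_passcode(self, passcode: str, now: int) -> tuple:
        """Attempt to log in at time `now` (seconds).

        Returns (status, seconds_to_wait) where status is one of
        "ok", "bad", "wait" (still inside an imposed wait) or "locked".
        """
        if self.locked:
            return ("locked", 0)
        if now < self.wait_until:
            # Even a correct passcode is refused until the wait has elapsed.
            return ("wait", int(self.wait_until - now))
        if hmac.compare_digest(self._hash(passcode, self.salt), self.digest):
            self.failures = 0
            self.wait_until = 0
            return ("ok", 0)

        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return ("locked", 0)
        wait = WAIT_MINUTES_AFTER_ATTEMPT.get(self.failures, 0) * 60
        self.wait_until = now + wait
        return ("bad", wait)

    def reset_with_credentials(self, credentials_ok: bool, new_passcode: str) -> bool:
        """Recovery path: a verified MobileIron login lets the user set a new
        secure apps passcode and clears the lock. `credentials_ok` stands in
        for the real credential check against Core."""
        if not credentials_ok:
            return False
        self._set_passcode(new_passcode)
        self.failures = 0
        self.wait_until = 0
        self.locked = False
        return True


if __name__ == "__main__":
    gate = SecureAppsPasscodeGate("2468")
    clock = 0
    for attempt in range(1, 11):
        status, wait = gate.try_passcode("0000", now=clock)
        print(f"attempt {attempt}: {status}, wait {wait // 60} min")
        clock += wait
```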

Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5
Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered
with a VSP 5.5. Mobile@Work displays a message to the device user describing the
steps to take if the user has forgotten the passcode. Executing these steps means that
the device user cannot recover any secure data that the AppConnect apps had saved.

The steps are:


1. Uninstall Mobile@Work.
2. Reinstall Mobile@Work.
3. Re-register with the VSP.
4. Create a new secure apps passcode.

Secure apps status display
Starting with Mobile@Work 5.9 for iOS, a secure apps status display is available on
the device. This display provides detailed information about each secure app, allowing
you to troubleshoot issues more easily.

Navigating to the secure apps status display


To see the secure apps status display:
1. Open Mobile@Work on the device.
2. Tap Settings.
3. Tap Secure Apps.

4. All installed secure apps that have been opened at least once appear under the
heading Secure Apps.
If no secure apps have been opened at least once, then this list does not appear.

The secure apps status display contents


The secure apps status display shows the following information for each secure app:
- The icon of the secure app
  If the app uses an AppConnect for iOS SDK version prior to 1.7, or was wrapped with an iOS AppConnect wrapper version prior to 1.9, the icon is a default icon.
- The name of the secure app
- The version number of the secure app

  For apps built starting with AppConnect for iOS SDK 1.7 or wrapped with iOS AppConnect wrapper 1.9, you see the short version number, followed by the long version number in parentheses. Apps built with a previous SDK version or wrapped with a previous wrapper version show only the long version number.
- An icon that indicates whether the app is authorized

Status details for a specific secure app


To see status details for one of the secure apps in the secure apps status display, tap the app's entry.

The following table describes the status details for a secure app:

Field                 Description
App Version           The version number of the secure app.
                      For apps built starting with AppConnect for iOS SDK 1.7 or
                      wrapped with iOS AppConnect wrapper 1.9, you see the short
                      version number, followed by the long version number in
                      parentheses. Apps built with a previous SDK version or wrapped
                      with a previous wrapper version show only the long version
                      number.
AppConnect Version    The version of the AppConnect for iOS SDK for apps built with
                      the SDK.
                      The AppConnect for iOS Wrapper version for wrapped apps. This
                      version includes the SDK version used in the Wrapper.
Last Check-in         The date and time when Mobile@Work last fetched the AppConnect
                      policies from MobileIron Core.
Authorization Status  Whether the device is authorized to use the app. Possible
                      values are:
                      - Authorized
                      - Unauthorized
                      - Retired
Policies and Configurations
                      For more information, see Configuring AppConnect container
                      policies on page 603 and Configuring an AppConnect app
                      configuration on page 614.
Open In               Whether Open In is allowed for the app. Possible values are:
                      - Not Allowed
                      - Allowed (All Apps)
                      - Allowed (Secure Apps Only)
                      - Allowed (Whitelisted Apps)
Print                 Whether print capabilities are allowed for the app. Possible
                      values are:
                      - Not Allowed
                      - Allowed
Copy/Paste            Whether the device user can copy from the app to other apps.
                      Possible values are:
                      - Not Allowed
                      - Allowed
                      - Encrypted
                      Note: The value Encrypted is not supported. It corresponds to
                      the unsupported MobileIron Core policy value Copy/Paste To
                      AppConnect Apps.
Configuration Count   The number of key-value pairs that the Core sent to the app.
                      This value corresponds to the number of key-value pairs in the
                      AppConnect app configuration for the app.
                      Note:
                      - If one of the key-value pairs in the AppConnect app
                        configuration is a SCEP or certificate setting and the
                        certificate is password-encoded, Core automatically sends
                        another key-value pair for the password. The configuration
                        count includes that key-value pair.
                      - The keys that you use to turn on debug level logging for an
                        AppConnect app are not included in the configuration count.
                        These keys are MI_AC_LOG_LEVEL and MI_AC_LOG_LEVEL_CODE.

If an app has not applied a policy or configuration, the corresponding field in the display also indicates one of the following:
- Pending
  The app has not yet applied the policy or configuration. The pending status shows until the next time the device user launches the app.
- Unsupported
  The app does not support the policy or configuration.
- Error
  The app had an error when applying the policy or configuration.

When you change the policies or configuration on MobileIron Core, Mobile@Work displays the updated status the next time it fetches the policies from Core. This occurs the next time any app checks in, or when a forced device check-in occurs.

Appendix E

Docs@Work for iOS


The Docs@Work feature, which includes email attachment control, gives iOS device
users an intuitive way to access, store, view and annotate documents from email and
content servers, such as SharePoint. It lets administrators establish data loss prevention controls to protect these documents from unauthorized distribution. The
Docs@Work feature requires iOS users to have the Mobile@Work for iOS app on their
devices.

This chapter provides the iOS device user perspective of using Mobile@Work. For the
administrator perspective of the Docs@Work feature, see Docs@Work on page 555.
Using the Mobile@Work for iOS app, your iOS device has secure access to:
- content server documents
  You can securely access content server documents and save copies to your device.
  See Accessing content server documents on page 844.
- email attachments
  Your administrator determines how you view email attachments based on your company's security policies.
  See Accessing email attachments on page 849.

Using Mobile@Work, you can also:
- Save local copies of content server documents and email attachments for later viewing.
  See Managing local files on page 852.
- View the email attachments that you most recently opened.
  See Managing recently opened email attachments on page 859.
- Open documents you are viewing in other apps, if your administrator has configured your device with this capability.
  See Opening documents in other apps on page 864.
- View and create PDF annotations in documents.
  See Annotating documents in Docs@Work for iOS on page 866.

For information about the types of files that Mobile@Work can display, see Supported
files in the Mobile@Work for iOS app on page 880.

The instructions that follow are based on using Mobile@Work on an iPhone running
iOS 5.1.1. Mobile@Work works a little differently on an iPad to take advantage of the
larger screen. See Mobile@Work on an iPad on page 880.

Note: These features are available only if your administrator has enabled the
Docs@Work feature on MobileIron Core.

Accessing content server documents


You can access content server documents from Mobile@Work in these cases:
- Your administrator has set up access for you to a content server.
- You set up access to a content server yourself using Mobile@Work, if you have credentials to log in to the content server.

Setting up access to a content server yourself


To set up access to a content server:
1. In Mobile@Work, tap File Shares.
2. Tap the + sign.

3. Enter the following information:

Field                 Description
Server                The URL of a content server.
                      For SharePoint
                      Enter the URL of a SharePoint site, subsite, library, or folder.
                      The URL includes a hierarchical list of names that drills down
                      to where you want to access. This URL is not the same as the
                      URL that you see in a Web browser open to the same site,
                      subsite, library, or document.
                      For example, use:
                      - http://companySharePointSite.com to specify the top of the
                        SharePoint site.
                      - http://companySharePointSite.com/Marketing to specify the
                        Marketing subsite in the SharePoint site.
                      - http://companySharePointSite.com/Marketing/Demo to specify
                        the Demo subsite within the Marketing site.
                      - http://companySharePointSite.com/Marketing/NewProductDocuments
                        to specify the NewProductDocuments library in the Marketing
                        site.
                      - http://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures
                        to specify the TopFeatures folder in the NewProductDocuments
                        library.
                      Note: A valid URL does not contain spaces or certain special
                      characters. For example, a space is entered in a valid URL as
                      %20, as in https://companySharePointSite/Shared%20Documents.
Name                  A descriptive name for the content server.
                      For example: Marketing documents
User name             Your user name for logging in to the content server.
Password              Your password for logging in to the content server.
Remember Password     Tap to change the value to ON if you want Mobile@Work to
                      remember the password.

4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders. Mobile@Work displays one of the following for each folder:
- the number of items in the folder
- Empty if no items are in the folder
- Unauthorized if you do not have the authority to access the folder

Logging in to a content server that an administrator set up


To log in to a content server that an administrator set up:
1. In Mobile@Work, tap File Shares.
2. Tap the remote file share (content server) that you want to log in to.
3. Enter the following information:

Field                 Description
User name             Your user name for logging in to the content server.
                      When setting up your access to a content server, your
                      administrator can choose whether the user name is filled in.
                      In that case, you cannot edit the field.
Password              Your password for logging in to the content server.
Remember Password     Tap to change the value to ON if you want Mobile@Work to
                      remember the password.
                      Note: Your administrator can choose whether remembering the
                      password is allowed.

4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders.

Viewing a content server document


After you have logged in to a content server, to view a content server document:
1. Tap File Shares.
2. Tap the remote file share (content server) that contains the document that you
want to view.
3. Tap the folder containing the document that you want to view.
Navigate to the appropriate folder by tapping successive folder names.
4. Tap the document that you want to view.
Mobile@Work loads and displays the selected document.
Note: Loading a large document can take some time. Mobile@Work shows the loading progress. To cancel loading, navigate back to the folder view by tapping the folder name.
5. To view the document in full screen mode, tap the document.
6. Tap the document again to exit full screen mode.

Accessing priority folder documents
The Priority Folder feature enables you to automatically download the latest version of
files in a specified folder in the Docs@Work content repository. This gives you offline
access to these files. Priority folders display separately from remote folders.

Note the following:
- Only the files in the priority folder are downloaded; subfolders and their files are not downloaded.
- Changed files are synchronized according to an interval set by the administrator.
- Tap on an unsynchronized file while the priority folder is downloading to move that file to the top of the priority list for download.
- Any changes made to the file on the device will not be updated to the target folder.

The first time a device user launches Docs@Work after receiving the priority folder
configuration, the folder displays as Never Updated until the downloading of files has
completed.

If the administrator has not set the credentials necessary for accessing the content
repository, then the following form displays.

Enter valid credentials to continue the download.

Documents that are pending download or in the process of downloading have a blue
icon.

Documents that have been downloaded or updated display with a green icon to indicate that they have been synchronized with the content repository.

When a cellular or Wi-Fi connection is not available, the documents display with a gray
icon, indicating offline access.

Accessing email attachments
Your administrator determines how you access email attachments when you are using the Mail app on your device. The choice enforces the security policies of your company.

The administrator chooses one of the following:
- You can open email attachments using any app appropriate for the attachment's file type.
  This behavior is the normal behavior of the Mail app.
- You can open email attachments only in Mobile@Work.
  Each email attachment has .secure appended to its filename. When you tap the filename, the file opens in Mobile@Work. You cannot open the file in any other app. This behavior applies to all types of files except image and text files. You can open image and text files using any appropriate app.
  See Opening an email attachment in Mobile@Work on page 849.
- You do not receive email attachments.
  All email attachments are replaced. The name of the replacement file is the original filename appended with .removed.html. The file contains the following text:
  The original attachment was removed as required by the security policies of your administrator.

Opening an email attachment in Mobile@Work


When your administrator has chosen that you can open email attachments only in
Mobile@Work, do the following:
1. In the Mail app Inbox, tap on the email.

2. Tap the attachment to fully download it, if it is surrounded by a dashed box. To fully
download one or more attachments, you can also scroll down the screen and tap
Download Full Message.
For smaller attachments that are already fully downloaded, skip to step 3.

3. Tap the fully downloaded attachment.

4. Tap Open in MobileIron.

You are now viewing the attachment in Recent Attachments in Local Files in
Mobile@Work.

Viewing the replacement file for an email attachment


When your administrator has chosen that you cannot receive email attachments, all
email attachments are replaced with a text file.

To view the text file:


1. In the Mail app Inbox, tap on the email.

2. Tap on the attachment.

The attachment contains text that says The original attachment was removed as
required by the security policies of your administrator.

Managing local files


You can save content server documents and email attachments as local files for convenient viewing at a later time. Also, saving content server documents allows you to view the documents when connectivity to the content server is not available.

Saving a content server document as a local file


While viewing a content server document, you can save it as a local file.
1. View a content server document. See Viewing a content server document on
page 846.

2. Tap the folder icon.

3. Tap Save To Local Files.

The document is now available for viewing under Local Files. See Viewing a local
file on page 855.

Saving an email attachment as a local file


While viewing an email attachment in Mobile@Work, you can save it as a local file.
1. View the email attachment in Mobile@Work. See Accessing email attachments on
page 849.

2. Tap the folder icon.

3. Tap Save To Local Files.

The document is now available for viewing under Local Files. It is no longer available under Recent Attachments.

Viewing a local file


To view a local file saved from a content server document or an email attachment:
1. In Mobile@Work, tap Local Files.

The files display in alphabetical order.
2. Tap the file that you want to view.

Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.

Viewing a local file that has changed on the content server


When you view a local file from a content server document, if the file has changed on
the content server, you are prompted as follows:

1. In Mobile@Work, tap Local Files.

2. Tap the file that you want to view.

Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.
3. Tap Update Now to sync your local file to the updated remote file.
Mobile@Work updates the local file and displays it.

Deleting a local file
To delete a local file:
1. In Mobile@Work, tap Local Files.

2. Swipe right or left on the file that you want to delete.

3. Tap Delete.
Mobile@Work deletes the file from the Local Files list.

Managing recently opened email attachments
Mobile@Work automatically saves to a special folder the 20 most recent email attachments that you opened.

Viewing a recent attachment


To view a recently opened email attachment:
1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.

Mobile@Work displays the files, most recent first.

3. Tap the file that you want to view.

Saving a recent attachment to a local file


While viewing a recent attachment, you can save it to a local file to keep it permanently.

To save a recent attachment:


1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.

3. Tap the file that you want to save.

4. Tap the folder icon.

5. Tap Save To Local Files.

Mobile@Work removes the file from the Recent Attachments folder and adds it to
the Local Files folder.

Deleting a recent attachment


To delete a recent attachment:
1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.

3. Tap Edit.

4. Tap the Delete icon on the file that you want to delete.

5. Tap Delete.
Mobile@Work removes the file from the Recent Attachments folder.

Opening documents in other apps


Your administrator can configure your device so that when viewing documents in
Mobile@Work, you can open the documents in other apps. If you have this capability,
you can also email documents that you are viewing. This capability applies to local
files, recent attachments, and remote files. A copy handed to another app or attached
to an email is no longer under Mobile@Work's control, which is why your administrator
controls this capability.

To open a document in another app or to email it:


1. Open the file for viewing in Mobile@Work.

2. Tap the Open In icon.
If you do not see the Open In icon, your administrator has not given you permission
to use this capability.

3. Tap Email or Open In...


If you tap Email, the iOS Mail app opens. It displays a new email with the document
as an attachment.
If you tap Open In..., Mobile@Work displays a list of appropriate apps for you to
choose from.

Annotating documents in Docs@Work for iOS
Starting from Mobile@Work iOS v5.8.0, Docs@Work for iOS supports viewing and
creating PDF annotations in documents. You can open a secure email attachment,
annotate it as a PDF file, and securely email the annotated version back to a colleague,
all in Docs@Work. You can annotate attachments you receive from email, files you
view on a remote server, or files you have saved locally.

Saving files for annotation


You can initiate annotation on files on a remote server, in Recent Files or in Local Files
in Mobile@Work. If you start annotation on a file in Recent Files, on a remote server,
or one that you saved to Local Files from a remote server, you are always prompted to
save a copy for annotation in Local Files with the - Annotated.pdf filename suffix.
Microsoft Office or non-PDF documents are exported to PDF first when they are saved
for annotation.
1. In Mobile@Work, tap the file you want to annotate.

2. Tap the Annotate icon (for iPads, this is in the top-left of the screen, for iPhones,
this is at the bottom of the screen).

3. Tap Create in the Creating a PDF to Annotate prompt to export a Microsoft Office
or non-PDF document to PDF and save it to Local Files for annotation.
4. Tap Create in the Annotating a Copy prompt to save a copy of a PDF file to Local
Files for annotation.
A filename suffix of - Annotated.pdf is appended to the annotation copy by
default. You can optionally edit this when saving the annotation copy; however, it is
recommended to preserve the - Annotated.pdf filename suffix.

5. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.

Saving PDF annotations in the same local file

You have the option to save annotations in either the source file or an annotation copy
for PDF documents that are in Local Files and not associated to remote servers. These
files are typically those that you received as email attachments, downloaded from a
web browser, or saved from another app using Open In. You have to move or save
these documents from Recent Files to Local Files for the Save to this document
option to appear when you start the annotation. Note that you cannot save to the
source file if the source file is not a PDF.
1. In Mobile@Work, tap Local Files.
2. Tap the file you want to annotate.
3. Tap the Annotate icon (for iPads, this is in the top-left of the screen, for iPhones,
this is at the bottom of the screen).

4. Tap Save to this document to keep all annotations in this same file in Local Files,
or
Tap Create an annotated copy to create a separate annotation copy (- Annotated.pdf)
in Local Files.
5. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.

Saving a remote SharePoint file for annotation


When annotating a file on a remote server or a local file synced with a remote server,
the annotation copy (- Annotated.pdf) is not synced with the remote server.
1. In Mobile@Work, tap Remote Files.
2. Tap the name of the remote SharePoint corporate server.
3. Navigate to the file you want to annotate.
4. Tap the Annotate icon (for iPads, this is in the top-left of the screen, for iPhones,
this is at the bottom of the screen).

5. Tap the Create button in the Annotating a Copy dialog that appears.

This saves the annotation copy of the file ( - Annotated.pdf) to your Local Files
folder, and lets you continue annotating the file from there. If the source file is a
Microsoft Office or non-PDF document, the document is first exported to PDF. Note
that the annotation copy is not synced with the remote server.

You can optionally edit the name of the file when saving the annotation copy;
however, it is recommended to preserve the - Annotated.pdf filename suffix.
6. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.

Annotating PDFs in Docs@Work


You can make the following types of PDF annotations in Docs@Work:
Highlight text
Underline text
Strike-through text
Add notes to a page
Change the color and icon style of notes added to a page
Add notes to a text annotation
Change the color of highlights

Adding a note
1. In your annotation file, tap and hold a non-text area of the document to bring up
the comment menu.

2. Tap the comment icon.

3. Type your comment in the Note dialog.


4. Tap outside the dialog to close it.

Editing text in a note


1. Tap the note icon to bring up the Note dialog.
2. Tap inside the dialog to edit text. You can type text or paste text that you selected
and copied previously.
3. Tap outside the dialog to collapse it.

Removing a note
1. Tap the note icon to bring up the Note dialog.
2. Tap the trash icon.

Copying and pasting a note


1. Tap the note icon to bring up the Note dialog.
2. Tap the Copy button.

3. Tap elsewhere in the document.
4. Tap Paste to paste the note and its icon in the new location.

Note: If you want to copy only some of the text within the Note dialog (rather than the
entire note), you can tap within the dialog, select, then copy text. You can then paste
the text into another note dialog later.

Editing the color or style of a note


You can change the color of the note and the style of the note icon. Notes that you
previously inserted preserve their original color and style. When you edit the note
color and style, these changes persist in the document until you change them again.
1. In your annotation file, tap the note icon to bring up the Note dialog.
2. Tap the Edit button.

3. Tap a new icon style (from the top two rows of the menu options).
4. Tap a new color (from the bottom row of the menu options).
5. Tap outside the dialog to close it.

Adding an annotation (highlight, underline, strike-through)


You can highlight, underline, or strike-through text that you select.
1. In your annotation file, tap and hold on text anywhere in the document to bring up
the top-level annotation menu (Copy, Highlight, Underline, Strike-through, Define,
Search).

2. Drag the selection handles to select the text you want.

3. Tap one of the T icons to highlight, underline, or strike-through text. (The
example shows an underline annotation.)

Note: Define and Search are iOS options that are only available when you select a
small portion of text. Larger text selections do not present the Define and Search
options.

Editing an annotation
For underline and strike-through annotations, you can attach a note, remove the
annotation, or copy the text selected for the annotation. For highlight annotations,
you can additionally change the color of the highlight.

1. In your annotation file, tap highlighted, underlined or strike-through text to bring
up the available edit options.
2. Tap Note to add a note to this annotation. See Adding a note to an annotation on
page 875.
3. Tap Remove to delete this annotation. See Removing an annotation on page 875.
4. Tap Copy to copy the selected text to the clipboard. You can then paste this text in
a note dialog later. See Copying an annotation on page 876.
5. For highlights only, tap Color to change the highlight color. See Editing the color of
an annotation on page 876.

Adding a note to an annotation


1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.

2. Tap Note to add a note to this annotation.

When you add a note to a text annotation:


The dialog title is Text rather than Note (see Adding a note on page 872 for
how to add a general note).
For highlight annotations, a border appears around the highlighted text to indicate
there is a note attached (shown in the example).
For underline or strike-through annotations, a red highlight appears on the
annotated text to indicate there is a note attached.

Removing an annotation
1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.
2. Tap Remove to delete the annotation and any associated note.

Note: If you have multiple annotations applied to the same selected text, tapping
Remove deletes one annotation style at a time, plus any note attached to that
style.

Removing a note attached to an annotation


1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.
2. Tap Note to bring up the associated note.
3. Tap the trash icon to remove the note and the annotation.

Copying an annotation
1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.
2. Tap Copy to copy the selected text to the clipboard. You can then paste this text in
a note dialog later.

Editing the color of an annotation


1. Tap the highlighted text to bring up the available edit options.
2. Tap Color.

3. Tap one of the four standard colors (yellow (default), green, blue, pink) to change
the highlight color.
4. Or, tap Custom to choose from a custom color palette.

5. Tap the page navigation dots at the bottom of the Choose Color dialog to bring up
different color swatches.
6. Tap a rectangle to choose that color for highlights.
7. Tap outside the dialog to close it.

Changing Docs@Work Settings


Starting with Mobile@Work for iOS 5.8, you can change the user name associated with
PDF annotations and the page scrolling behavior for annotated PDFs.

1. From Mobile@Work, tap Settings.

2. Tap Docs@Work Settings.

3. Optionally change the User Name associated with PDF Annotations:
Tap the User Name field to enter a new name. This changes the reviewer name
associated with any comments subsequently inserted into the Docs@Work
document. (The user name associated with previous comments is preserved.) By
default, this field is the full name of the user that is registered to MobileIron
Core. The reviewer name entered here is visible when an annotated file is
opened by other recipients.
4. Optionally change the PDF Page Scrolling behavior:
Tap Scroll pages continuously (default) if you want pages to scroll
continuously when you swipe the document.
Tap View page-at-a-time if you want the document pages to advance one at a
time when you swipe the document. This option is useful, for example, if you
want to present a PowerPoint document from Docs@Work.

Supported files in the Mobile@Work for iOS app
You can view most common file types in Mobile@Work. If you try to open a file that
Mobile@Work does not support, Mobile@Work displays an error message.

Some files that you cannot view in Mobile@Work are:
executable files (for example, .exe, .msi, or .ipa files)
archive files (for example, .zip, .rar, or .tar files)
system files (for example, .dll or .sys files)

Mobile@Work on an iPad
The behavior of the Mobile@Work for iOS app is slightly different on an iPad than it is
on an iPhone.

The master pane and the detail pane


Mobile@Work uses two panes to display information on the iPad:
The left pane, which is the master pane
The right pane, which is the detail pane

The left (master) pane contains:
information about what you are currently doing, such as looking at the home
screen, or navigating through content server folders.
the tabs for accessing the Mobile@Work home screen, Local Files, Remote Files,
and settings.

The right (detail) pane contains information depending on what the master pane is
displaying. For example, the detail pane displays:
a file's content
About information for Mobile@Work
the Mobile Activity Map

In Portrait mode, you can tap on the detail pane to hide the master pane:

Swipe left to once again show the master pane.

Note: When viewing the Mobile Activity Map, to once again show the master pane, tap
the MobileIron button.

Placement of file handling icons


When viewing files, the Folder icon and the Open In icon are in the upper right corner.

The icons behave the same as they do in Mobile@Work on an iPhone. For example,
see:
Saving a content server document as a local file on page 852
Opening documents in other apps on page 864

Appendix F

The SharePoint Client App for Android


Your administrator can configure your Android device to use secure apps. The
SharePoint Client app is a secure app for Android that the administrator may have
provided to your device.

Using the SharePoint Client, you can:


Set up access to a remote file share for which you have login credentials.
A remote file share is a repository of documents located on a network content
server, such as a Microsoft SharePoint site.
View the repository's documents.
Refresh your view of the repository, in case files on the repository have changed.
Save repository documents to your device's storage for offline viewing.

Note: The SharePoint Client app works with content servers other than SharePoint.
See Supported content servers on page 559.

Accessing a content server


If your administrator configured access to a content server, you should be able to
connect to the content server without making any changes on your device.
Mobile@Work automatically sets up access.

Set up content server access


If automatic configuration of content server access has not been implemented on your
system, complete the following steps to set up a content server on your device:
1. Open the SharePoint Client app.

2. Select the menu.

3. Tap Add Remote File Share in the menu.

4. Enter the following information:

Name: A descriptive name for the content server repository. For example,
Marketing documents.

URL: The URL of a repository site, subsite, library, or folder. The URL is a
hierarchical list of names that drills down to the location you want to access.
This URL is not the same as the URL that you see in a Web browser open to the
same site, subsite, library, or document. For example, for a SharePoint site, use:
https://companySharePointSite.com to specify the top of the SharePoint site. Do
not use, for example, https://companySharePointSite.com/SitePages/Home.aspx.
https://companySharePointSite.com/Marketing to specify the Marketing subsite in
the SharePoint site.
https://companySharePointSite.com/Marketing/Demo to specify the Demo subsite
within the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments to specify
the NewProductDocuments library in the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures
to specify the TopFeatures folder in the NewProductDocuments library.

Username: Your user name for logging in to the content server.

Password: Your password for logging in to the content server.

Remember Password: Select this option if you want the SharePoint Client to
remember the password. If you do not select this option, you must reenter your
content server password each time you access the site.

5. Tap OK.
The SharePoint Client verifies your credentials and displays the entry for the
content server repository.

Note: To delete a content server repository, long press the entry and tap Delete.
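The URL rule above trips up users who paste what the browser shows. The following Python function is an added example, not part of the SharePoint Client or of this guide: it turns a browser URL into a repository URL by stripping a trailing .aspx page (the guide's Home.aspx case) together with the browser-only folder that holds it, and it rejects anything that is not https, because the client sends the Username and Password entered above to that host. The Forms folder rule, the check_repository_url helper and the sample URLs other than the guide's own are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Browser-only folders whose page URL (Home.aspx, AllItems.aspx, ...) a user is
# likely to copy. SitePages comes from the guide's own example; Forms (the
# folder behind a document library's AllItems.aspx view) is an assumption made
# for this example.
PAGE_FOLDERS = {"sitepages", "forms"}


class RepositoryUrlError(ValueError):
    """The URL cannot be used as a SharePoint Client repository URL."""


def normalize_repository_url(url: str) -> str:
    """Convert a URL copied from a browser into a repository URL.

    Only https is accepted: the SharePoint Client sends the user's content
    server credentials to this host, so a plain http URL would expose them.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise RepositoryUrlError("repository URL must use https, got %r" % parts.scheme)
    if not parts.hostname:
        raise RepositoryUrlError("repository URL has no host")
    if parts.username is not None or parts.password is not None:
        raise RepositoryUrlError(
            "do not embed credentials in the URL; use the Username and Password fields")
    segments = [s for s in parts.path.split("/") if s]
    # Drop a trailing .aspx page and the browser-only folder that holds it so
    # the path ends at the site, subsite, library or folder.
    if segments and segments[-1].lower().endswith(".aspx"):
        segments.pop()
        if segments and segments[-1].lower() in PAGE_FOLDERS:
            segments.pop()
    # Query string and fragment carry view state, not the repository location,
    # so they are dropped.
    path = "/" + "/".join(segments) if segments else ""
    return urlunsplit(("https", parts.netloc, path, "", ""))


def check_repository_url(url: str):
    """Return (True, normalized_url) or (False, reason) without raising."""
    try:
        return True, normalize_repository_url(url)
    except RepositoryUrlError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample input: the guide's own Home.aspx example plus three
    # URLs invented for this example.
    for candidate in (
        "https://companySharePointSite.com/SitePages/Home.aspx",
        "https://companySharePointSite.com/Marketing/NewProductDocuments/Forms/AllItems.aspx?View=1",
        "http://companySharePointSite.com/Marketing",
        "https://user:pw@companySharePointSite.com/Marketing/Demo/",
    ):
        print("%-95s -> %s" % (candidate, check_repository_url(candidate)))
```

Run it to see the guide's Home.aspx URL reduced to the site root and the http URL refused; any URL the function rejects should be corrected before credentials are entered on the device.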

View the content server repository's documents


After you have set up a content server, to view a document:
1. Tap the content server that contains the document that you want to view.
For example, tap Marketing Docs to display the files and folders in the Marketing
Docs content server.

2. Navigate to the appropriate folder by tapping successive folder names. This
example shows the file list after navigating to the following folder:
subteamsite1/Shared Documents

3. Tap the document that you want to view. The secure ThinkFree Document Viewer,
or other secure app, loads and displays the selected document. If the ThinkFree
Document Viewer does not support the type of document, an error message
displays.

Consider the following when viewing documents:


Loading a large document can take some time. You can tap Cancel to cancel
loading.
If ThinkFree Document Viewer does not support the document type, the SharePoint
Client displays a list of secure apps to try to view the document with.
If no secure app supports viewing the document type, the Android OS indicates
that no app is available to open the selected file.
Attempting to open the document with an app that does not support the document
type results in an error message or erroneous behavior, depending on the app.
If the SharePoint Client does not support a document type, it displays a special icon
for the document:

Refresh the content server


When viewing a content server, you can refresh the folder you are viewing. Refreshing
the folder updates the set of documents in the folder to match the content server.

Use one of the following methods to refresh a folder:


Navigate to the folder.
Every time you navigate to a folder, the SharePoint Client refreshes the folder. You
can navigate away from the folder and back again to refresh the folder.
Tap Refresh on the menu while viewing a folder.

Save documents locally
You can save documents locally to your device's SD card.

To save a document:
1. In the SharePoint Client, navigate to the folder containing the document:

2. Long press (touch and hold the same position) the document you want to save:

3. Tap Save.

4. Navigate to the folder in which you want to save the document.


You can also tap the folder icon in the upper right corner to create a new folder.
5. Tap Copy Here.

You can now use the secure File Manager to view the local copy of the document.

Email a document
To email a document as an attachment:
1. In the SharePoint Client, navigate to the folder containing the document:

2. Long press (touch and hold the same position) the document you want to email:

3. Tap Send.

4. Tap Send Email.
The secure TouchDown email app opens with the document as an attachment.

5. Add the recipients, subject, and message body, and send the email.

Automatically saved documents
Whenever you open a document using the SharePoint Client, the SharePoint Client
saves the document on device storage. It saves the document in a folder structure
equivalent to the folder structure of the content server. The SharePoint Client opens
this local copy if the document has not changed on the content server.

You can use the secure File Manager to navigate to these automatically saved docu-
ments and open them.

Appendix G

Working with the MobileIron App and Related Agents for Android
Uninstalling the MobileIron app for Android
Uninstalling the Samsung DM Agent
Troubleshooting email setup on Android devices
Troubleshooting Wi-Fi setup on Android devices
Certificate configuration support on the MobileIron for Android app

Uninstalling the MobileIron app for Android
The MobileIron app for Android requires Device Administrator privileges on the device.
An app having these privileges applied cannot be uninstalled. Therefore, you must
first remove the Device Administrator privilege if you want to uninstall the app.

Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that
uninstalling the app is not allowed. In this case, you need to change the policy before
uninstalling.

To uninstall the MobileIron app for Android:


1. On the device, go to Settings > Location & security > Select device administrators.

2. Uncheck MobileIron to remove it from the list of device administrators.

3. Tap Deactivate.
4. Go to Settings > Applications > Manage applications.

5. Select Downloaded > MobileIron.

6. Click Uninstall.

Uninstalling the Samsung DM Agent
For devices running versions of Mobile@Work prior to 5.9, access to Samsung's
extended features, which are provided in the Samsung Enterprise APIs, requires
installation of the Samsung DM Agent. The MobileIron app detects whether your
device supports the extended features when you start it the first time and prompts
you to install the agent if it is supported. Uninstalling the MobileIron app does not
uninstall the Samsung DM Agent.

Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that
uninstalling the agent is not allowed. In this case, you need to change the policy
before uninstalling.

Complete the following steps to uninstall the Samsung DM agent:


1. On the device, go to Settings > Location & security > Select device administrators.
2. Uncheck the Samsung DM agent to remove it from the list of device administrators.
3. Tap Deactivate.
4. Go to Settings > Applications > Manage applications.
5. Select Downloaded.
6. Select the entry for the Samsung DM agent.
7. Click Uninstall.

For Mobile@Work 5.9, Samsung MDM 4.0


The Samsung DM Agent is no longer required for Mobile@Work on Samsung MDM 4.0
devices. This change simplifies the installation and registration process for these
devices. It has the following effects:
New installations on Samsung MDM 4.0 devices do not install the Samsung DM
Agent, and the Unknown Sources option does not need to be enabled during
installation, so sideloading of apps from outside the app store can stay disabled.
Upgrades of Mobile@Work on Samsung MDM 4.0 devices will silently uninstall and
delete the Samsung DM Agent.
Upgrades of Mobile@Work on Samsung MDM 4.0 devices on which the Samsung
KNOX Container has been implemented will result in removal of the container.
Users will automatically be prompted to redeploy the Samsung KNOX Container on
these devices.

Troubleshooting email setup on Android devices
If email is not set up or there is a configuration problem, the following screen displays.

The device user can access this screen by selecting Options > Email Setup from the
MobileIron app menu.

How the Email Setup screen works
The Email Setup screen displays a checklist of tests for email connectivity. The
MobileIron app completes each test in the checklist until it finds an issue. A green
check displays next to an item that has passed the test. A red X displays next to the
first item that does not pass the test. The MobileIron app does not proceed with the
remaining items on the checklist until the detected issue has been resolved.

The following table describes each item that appears in the list.

Passcode Compliant: Indicates whether the device screen unlock passcode complies
with the security policy. If this test fails, then a Set Passcode button displays at the
bottom of the screen. The device user can tap the button to set a compliant passcode.

Encryption Compliant: Indicates whether the device encryption status complies with
the security policy. If this test fails, then a Set Encryption button displays at the
bottom of the screen. The device user can tap the button to turn on encryption.

Configuration Received: Indicates whether the email settings have been successfully
delivered to the device. If this test fails, then there are no details to examine. The
View Details button displays, but the content is a configuration with no values. The
lack of a configuration might be due to label management issues on MobileIron Core.
For example, the labels to which the device has been applied might specify multiple
Exchange app settings, which would result in no configuration being applied.

Email App Installed, Email App (TouchDown), or Email App (Samsung): Indicates
whether a compatible email app has been located on the device. If a compatible
email app is not found, then this item displays with a red X. If a compatible email
app is found, then a green check and the name of the app display. The supported
email apps are TouchDown (from NitroDesk) and Samsung. The device user can tap
the displayed View Details button to display details and email them to the
administrator.

Profile Complete: Indicates whether the email password was included in the profile.
TouchDown manages its own password, so this test always passes for TouchDown. For
the supported native email apps, if the profile does not include a password, then the
test fails and a button labeled Enter Password displays at the bottom of the screen.
The device user can tap the button to provide the password.

Email App Setup: Indicates whether the MobileIron app can communicate with the
email app.
If the device is using TouchDown, then TouchDown launches and prompts the user to
accept the license agreement and enter the password.
If the device is using the Samsung native email client, then the Go to Email button
displays. When the device user taps the button, the MobileIron app displays an alert
stating that the configuration will take some time to complete, and that a notification
will prompt the user to activate the Device Administrator privileges for the email
client.
If an error occurs, an error message displays. The device user can tap the View
Details button and email details to the administrator.
If the device is using the HTC native email app, the app launches after setup is
completed.
If the device is using the Motorola native email app, the app is configured
successfully, but the user must launch it manually. The user follows the steps in the
app. The app exits after each step and the user must relaunch it. After one time
through this process, the app is completely set up.

Device Administrator privileges for the Samsung email app


If the Samsung email app does not have Device Administrator privileges, then it will
prompt you to update security settings. To activate these privileges for the email app:
1. Tap the notification.
The security setting screen displays.
2. Activate Device Administrator privileges.
Note: Email will not sync until Device Administrator privileges have been activated.
If the device user does not receive the notification, then the Samsung email app
was not configured properly. Confirm that the Exchange app setting is correct.
If certificates are being used, make sure that the certificate meets the following
criteria:
It is from a source that the Android OS trusts (that is, it can be checked against
the trusted CA certificates installed on the device).
The CN attribute in the certificate must match the email address in the email
profile.

Troubleshooting based on results


Tap the View Details button to display key/value pairs that provide information about
the current settings. If a second email account has already been configured on the
device, then the device user can tap Email Detail to IT to send this data to an admin-
istrator.

Troubleshooting Wi-Fi setup on Android devices
Certain Wi-Fi configurations require user input. For example, WPA2 Enterprise
configurations require the device user to enter the password. When input is required,
the device user receives an Android notification, as shown in the following screen.

The device user can tap the notification to begin the Wi-Fi setup process.

Displaying the Wi-Fi Setup page
If the device fails to access Wi-Fi, then the administrator can direct the device user to
the Wi-Fi Setup page:
1. Start the MobileIron for Android app.
2. Tap the menu button on the device.

3. Tap Options.

4. Tap Wi-Fi Setup.

Understanding and using the Wi-Fi Setup page


The screen that displays depends on how many Wi-Fi networks that MobileIron Core
has configured on the device. If Core has not provisioned any Wi-Fi networks, then
the Wi-Fi setup screen displays the following message:

No Wi-Fi networks configured.

If only one Wi-Fi network has been configured, then the setup screen for that network
is displayed.

If multiple networks have been configured, then a list of those networks is displayed,
as shown in the following figure.

Networks that are properly configured display with a green check. Networks that are
not properly configured or require input from the device user display with a red X. Tap
an entry to display the details for that network's configuration.

The following table describes the entries in the Wi-Fi Setup screen.

Passcode Compliant: Indicates whether the device screen unlock passcode complies
with the specifications in the security policy. If this test fails, then a Set Passcode
button displays at the bottom of the screen. The device user can tap the button to set
a compliant passcode.

Encryption Compliant: Indicates whether the device encryption status complies with
the security policy. If this test fails, then a Set Encryption button displays at the
bottom of the screen. The device user can tap the button to turn on encryption.

Profile Valid: Indicates whether the Wi-Fi settings provided by MobileIron Core are
valid for the device. For example, only one EAP type may be configured for an Android
device, but the MobileIron Core configuration permits multiple types to be defined. If
this test fails, then a View Details button displays at the bottom of the screen. The
device user can tap the button to view details and email them to the administrator.

Profile Complete: Indicates whether a required password is missing from the profile.
For example, certain Wi-Fi configurations require a password, so a missing password
would cause this test to fail for those configurations. If this test fails, then an Enter
Password button displays at the bottom of the screen. The device user can tap the
button and provide the password as specified by the administrator.

Wi-Fi Setup Complete: Indicates that all tests have passed and setup is complete.

To view the completed Wi-Fi configuration, tap Go to Android Wi-Fi.

If the device user enters the wrong password


If the device user enters the wrong password when prompted, then the user must
clear the incorrect password. Tell the user to navigate to the Android Wi-Fi setup
screen, tap the Wi-Fi network entry, and tap Forget. Specific steps for this task vary
by device. The device user can then return to the MobileIron app and repeat the Wi-Fi
setup steps.

Troubleshooting based on results


Tap the View Details button to display key/value pairs that provide information about
the current settings. Tap Email Detail to IT to send this data to an administrator.

Profile invalid: Configuration Error


This error message in the View Details screen indicates an invalid configuration
associated with WPA Enterprise or WPA2 Enterprise settings. For example, this
message occurs if no EAP type is selected or multiple EAP types are selected.
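The Email Setup and Wi-Fi Setup screens share one rule: the checks run in a fixed order and stop at the first failure, so everything after the red X is unevaluated rather than passed. The following Python script is an added example, not MobileIron code, that models that rule for the Wi-Fi checklist and the two profile tests described above (Profile Valid fails on zero or several EAP types; Profile Complete fails on a missing required password). The profile field names, the sample device states and the sample profiles are constructed for this example, and treating EAP-TLS as needing a client certificate instead of a password is an assumption that the guide does not state.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data for this example. The field names are an assumption
# made here, not the format MobileIron Core uses to deliver a Wi-Fi profile.
DEVICE_COMPLIANT = {"passcode_compliant": True, "encrypted": True}
DEVICE_NO_PASSCODE = {"passcode_compliant": False, "encrypted": True}

WIFI_GOOD = {"ssid": "corp-wlan", "security": "WPA2 Enterprise",
             "eap_types": ["PEAP"], "password": "s3cret"}
WIFI_TWO_EAP = {"ssid": "corp-wlan", "security": "WPA2 Enterprise",
                "eap_types": ["PEAP", "TTLS"], "password": "s3cret"}
WIFI_NO_PASSWORD = {"ssid": "corp-wlan", "security": "WPA2 Enterprise",
                    "eap_types": ["PEAP"], "password": None}
WIFI_EAP_TLS = {"ssid": "corp-wlan", "security": "WPA2 Enterprise",
                "eap_types": ["TLS"], "password": None}
WIFI_OPEN = {"ssid": "guest", "security": "None", "eap_types": [], "password": None}

ENTERPRISE = {"WPA Enterprise", "WPA2 Enterprise"}
CheckResult = Tuple[bool, str]              # (passed, detail or button hint)
Check = Tuple[str, Callable[[], CheckResult]]


def profile_valid(wifi: Dict) -> CheckResult:
    """Profile Valid: an Android device accepts exactly one EAP type for a
    WPA/WPA2 Enterprise network, although Core lets the admin select several."""
    if wifi["security"] in ENTERPRISE and len(wifi["eap_types"]) != 1:
        return False, ("Profile invalid: Configuration Error (%d EAP types selected)"
                       % len(wifi["eap_types"]))
    return True, ""


def profile_complete(wifi: Dict) -> CheckResult:
    """Profile Complete: a required password is present. Open networks need
    none; EAP-TLS authenticates with a client certificate (assumption for this
    example; the guide only says certain configurations require a password)."""
    if wifi["security"] == "None":
        return True, ""
    if wifi["security"] in ENTERPRISE and wifi["eap_types"] == ["TLS"]:
        return True, ""
    if not wifi["password"]:
        return False, "Enter Password"
    return True, ""


def wifi_setup_checks(device: Dict, wifi: Dict) -> List[Check]:
    """The checklist in the order the Wi-Fi Setup screen evaluates it."""
    return [
        ("Passcode Compliant", lambda: (device["passcode_compliant"],
                                        "" if device["passcode_compliant"] else "Set Passcode")),
        ("Encryption Compliant", lambda: (device["encrypted"],
                                          "" if device["encrypted"] else "Set Encryption")),
        ("Profile Valid", lambda: profile_valid(wifi)),
        ("Profile Complete", lambda: profile_complete(wifi)),
    ]


def run_checklist(checks: List[Check]) -> List[Tuple[str, str, str]]:
    """Run checks in order and stop at the first failure, as the Email Setup and
    Wi-Fi Setup screens do. Returns (name, status, detail) per item, where status
    is 'pass', 'fail' or 'skipped'; every item after the first failure is skipped."""
    results = []
    failed = False
    for name, check in checks:
        if failed:
            results.append((name, "skipped", ""))
            continue
        ok, detail = check()
        results.append((name, "pass" if ok else "fail", detail))
        failed = not ok
    return results


def wifi_setup(device: Dict, wifi: Dict) -> List[Tuple[str, str, str]]:
    """Full Wi-Fi Setup screen, including the final Wi-Fi Setup Complete row."""
    results = run_checklist(wifi_setup_checks(device, wifi))
    all_passed = all(status == "pass" for _, status, _ in results)
    results.append(("Wi-Fi Setup Complete", "pass" if all_passed else "skipped", ""))
    return results


def first_failure(results) -> Optional[Tuple[str, str]]:
    """The item that gets the red X, with its detail, or None if all passed."""
    for name, status, detail in results:
        if status == "fail":
            return name, detail
    return None


def status_of(results, name: str) -> str:
    return next(status for item, status, _ in results if item == name)


if __name__ == "__main__":
    for label, device, wifi in (("good profile", DEVICE_COMPLIANT, WIFI_GOOD),
                                ("two EAP types", DEVICE_COMPLIANT, WIFI_TWO_EAP),
                                ("no passcode", DEVICE_NO_PASSCODE, WIFI_GOOD)):
        print(label)
        for name, status, detail in wifi_setup(device, wifi):
            print("  %-22s %-8s %s" % (name, status, detail))
```

Running the script prints one checklist per scenario; the skipped rows are what the screen leaves unmarked after the first red X, and the detail column is the button the user sees (Set Passcode, Enter Password) or the Configuration Error text that View Details would show.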

Certificate configuration support on the MobileIron for Android app
The MobileIron app includes the following certificate setup support:
Certificate Setup screen available from the Options menu
certificate provisioning triggered by Wi-Fi setup
certificate alerts

Certificate Setup screen


A Certificate Setup screen is available under Options.

Tap Certificate Setup to display all certificates currently installed.

Select a certificate and tap View Details to display certificate information. Tap Reprovision Certificates to retrieve new or updated certificates.

Certificate support for Wi-Fi setup


The Wi-Fi Setup screen includes a Certificates Setup test if certificates have been defined for the Wi-Fi configuration. If certificates do not pass or have not been provisioned, then a red X displays next to the Certificates Setup test.

Tap View Details to display more information. If certificates are present, but do not
meet requirements, then a Reprovision Certificates button displays, as well.
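The Wi-Fi Setup tests described in the troubleshooting section above (Profile Valid, Profile Complete, Wi-Fi Setup Complete) together with the Certificates Setup test, reproduced as an added Python example that is not MobileIron code: it runs the same checks on a Core-supplied profile and returns the pass/fail results and detail text a user would see under View Details. The profile keys, the EAP type names and the installed-certificate list are assumptions made for illustration.

```python
"""Added example, not MobileIron code: reproduces the Wi-Fi Setup tests
(Profile Valid, Profile Complete, Certificates Setup, Wi-Fi Setup Complete)
for a Core-supplied Wi-Fi profile. Profile keys, EAP type names and the
installed-certificate list are assumptions for illustration."""

# Security types the text says must select exactly one EAP type (assumed names).
ENTERPRISE_TYPES = {"WPA Enterprise", "WPA2 Enterprise"}
# Security types assumed to require a pre-shared password.
PASSWORD_TYPES = {"WEP", "WPA Personal", "WPA2 Personal"}


def profile_valid(profile):
    """Profile Valid: an enterprise profile must select exactly one EAP type."""
    if profile.get("security") not in ENTERPRISE_TYPES:
        return True, "no EAP selection required"
    eap = profile.get("eap_types", [])
    if not eap:
        return False, "Configuration Error: no EAP type selected"
    if len(eap) > 1:
        return False, "Configuration Error: multiple EAP types selected: " + ", ".join(eap)
    return True, "EAP type " + eap[0]


def profile_complete(profile):
    """Profile Complete: a password must be present where the security type needs one."""
    if profile.get("security") in PASSWORD_TYPES and not profile.get("password"):
        return False, "password missing; user must tap Enter Password"
    return True, "no password missing"


def certificates_setup(profile, installed_certs):
    """Certificates Setup: only shown when the profile names certificates; every
    named certificate must be provisioned on the device (red X otherwise)."""
    required = profile.get("certificates", [])
    if not required:
        return None  # test is not displayed for this profile
    missing = [c for c in required if c not in installed_certs]
    if missing:
        return False, "not provisioned: " + ", ".join(missing) + "; tap Reprovision Certificates"
    return True, "all certificates present"


def run_wifi_setup_tests(profile, installed_certs=()):
    """Runs the tests in order; Wi-Fi Setup Complete passes only if all others pass.
    The returned dict doubles as the key/value data shown under View Details."""
    results = {
        "Profile Valid": profile_valid(profile),
        "Profile Complete": profile_complete(profile),
    }
    cert_result = certificates_setup(profile, set(installed_certs))
    if cert_result is not None:
        results["Certificates Setup"] = cert_result
    all_passed = all(passed for passed, _ in results.values())
    results["Wi-Fi Setup Complete"] = (
        all_passed, "setup is complete" if all_passed else "fix the failed test above")
    return results


def failed_tests(results):
    """Names of the tests that would show a red X on the Wi-Fi Setup screen."""
    return [name for name, (passed, _) in results.items() if not passed]


if __name__ == "__main__":
    # Constructed sample: WPA2 Enterprise profile with two EAP types selected
    # and one of its two certificates not yet provisioned on the device.
    sample = {"ssid": "corp-wifi", "security": "WPA2 Enterprise",
              "eap_types": ["PEAP", "TLS"], "certificates": ["corp-root", "user-cert"]}
    for name, (passed, detail) in run_wifi_setup_tests(sample, ["corp-root"]).items():
        print(("PASS " if passed else "FAIL ") + name + ": " + detail)
```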

Certificate alerts
When the administrator pushes certificates to supported Android devices, the device
receives a system notification, provided the device is compliant with existing passcode
and encryption policies. Tap the notification to begin the provisioning process.

Appendix H

Multi-User Support for iOS


MobileIron supports multi-user access for iOS devices. This feature enables multiple employees to use the same device. The Secure Sign-In feature ensures that the profiles and apps are removed when the device user signs out and reinstalled when the next user signs in. Options enable you to specify whether Wi-Fi settings and passcodes are removed. Each app is handled based on how that app is configured for quarantine.

Using Secure Sign-In
Devices configured for multi-user support receive a Secure Sign-In web clip.

Tapping the Secure Sign-In web clip displays the following page.

Entering a valid username and password prompts MobileIron Core to apply the profiles
configured for the device.

When the device user is ready to sign out, tapping the web clip displays the following
page:

Tapping Sign Out removes the managed apps and profiles.

Note: The Secure Sign-in web clip is impacted by web content filters, available in
supervised devices starting with iOS 7. Make sure your web content filters do not
block access to MobileIron Core. If Core access is blocked, the secure sign-in web clip
cannot work. For more information, see Web content filter settings on page 331.

Setting Secure Sign-In preferences
Before you enable Secure Sign-In, you should review the default global preferences to
ensure that they meet your needs:
1. Select Settings > Preferences.
2. Under Multi-User Preferences, select one of the following settings to specify how to
handle Wi-Fi settings when device users sign out:
Keep Wi-Fi settings
Remove Wi-Fi settings for cellular-enabled devices
Remove Wi-Fi settings for cellular-enabled and Wi-Fi-only devices
3. If you want to clear the passcode on the device when the device user signs out,
select the Clear passcode option.
4. Click Save.

Setting unique restrictions for signed-out devices
The "Signed-Out" label enables you to specify more stringent restrictions for multi-user devices when a user signs out. This is a dynamic label that applies automatically to any multi-user iOS device that does not have a signed-in user.

To specify restrictions:
1. Create the restrictions that you want applied when a user signs out.
For example, you might want to disable access to YouTube when an authorized user
is not signed in.
2. Apply each policy and configuration to the Signed-Out label.

Example
Suppose you want iPads to be restricted to basic web use when an authorized user is
not signed in. You would need to create a Restrictions configuration to lock down the
camera, inappropriate content, screen captures, app installation, and so on.

To implement these restrictions, you would complete the following steps:


1. Select Policies & Configs > Configurations > iOS > Restrictions.
2. Assign a name to the configuration.
3. Clear the checkboxes for the items you want to restrict.
4. Click Save.
5. Select the new configuration.
6. Select More Actions > Apply To Label.
7. Select Signed-Out.
8. Click Apply.

From this point on, all multi-user devices will receive the new restriction settings upon
sign-out.

Enabling Secure Sign-In
To enable Secure Sign-In:
1. Select Policies & Configs > Configurations.
2. Select the System - Multi-User Secure Sign-In configuration.
3. Select More Actions > Apply To Label.
4. Select the label or labels that represent the devices to be configured for multi-user
sign-in.
5. Click Apply.

User certificates and device certificates


If you intend to distribute certificates to multi-user devices, we recommend using user
certificates instead of device certificates. This practice ensures that email is configured
for the correct user.

Remote sign-out
To sign out a user on a multi-user device from the Admin Portal:
1. Select the device in the Devices page.
2. Select More Actions > iOS Only > Sign out.

What gets removed on sign-out

Item Remove on sign-out?


Apps@Work access Yes
Docs@Work access Yes
Passcode Optional
Restrictions No
Wi-Fi Optional
VPN, Per-app VPN, VPN on Demand Yes
Email Yes
Exchange Yes
LDAP Yes
CalDAV Yes
CardDAV Yes
Subscribed Calendars Yes
Web Clips No
Credentials (Certificates) Yes
SCEP Yes
Mobile Device Management No
APN No
Single-App Mode Yes
Global HTTP Proxy Yes
Generic Configuration Profiles No
Provisioning Profiles (Configurations) No
Provisioning Profiles (App Distribution) No
General No
AirPlay No
AirPrint No
Web Content Filter No
Managed App Config Yes
Single Sign-on Account Yes

Appendix I

Android Kiosk Support


The Android kiosk feature enables you to configure supported Samsung Android devices to use only specified apps. It is intended for devices that will serve very specific functions for an organization.

Examples include:
A retail store might want to use tablets to provide one or two custom apps for customers to use while shopping.
A school might want to distribute tablets that present only appropriate apps for the
user who signs in.

Note: Though the Android kiosk feature allows multiple users to log in on a given
device, it does not represent full multi-user support. It is intended as a view filter for
apps. The profiles on the device do not change when different users log in. Instead, a
different list of apps displays based on the current user.

The kiosk feature supports two modes of operation:


single app
multiple apps

Requirements
Android kiosk mode is supported for Samsung SAFE 3.0 devices.

Setup steps
To set up an Android kiosk device:
1. Create an Android kiosk policy.
2. For multiple-app mode, create an Android kiosk configuration for each combination of LDAP group and accessible apps. Do not complete this step for single-app mode.
Note: The device user who logs in must belong to a specified LDAP group.

The policy specifies the kiosk type. The configuration specifies which apps to display to
which users in multiple-app mode.

These instructions assume that the apps are already installed on the devices. If any app specified in the kiosk setup is not installed on the device, that app is represented by a blank icon.

Finding the package name for an Android app


For public apps available on the Google Play Store:
1. Use a web browser to locate the app in Google Play Store.
2. Select the app.
3. Examine the URL displayed in the browser.

The package name is included in the URL, as shown in the figure above.

For in-house apps:


1. Open the .apk as a zip file.
2. Use a text editor to open AndroidManifest.xml.
3. Locate the package manifest entry.
This entry is set to the package name.

Creating an Android Kiosk policy
The Android Kiosk policy specifies the behavior of a kiosk device. The behavior options
vary based on whether the policy specifies a single-app kiosk or multiple-app kiosk.

Single-app kiosk policy


A single-app kiosk policy specifies one app for use on the designated devices. For example, if the device is intended to run an in-house app for staff in a hospital recovery room, you can define a single-app kiosk policy to prevent users from accessing other apps and device resources.

To specify a single-app kiosk policy:


1. Select Policies & Configs > Policies > Add New > Android Kiosk.
Single App is selected by default.
2. Use the following guidelines to complete remaining options:

Single App package name: Enter the package name for the app. The typical package name has the following format: com.company.app

Enable Android functions:

System bar: System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.

Task manager: The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.

Notification bar expansion: The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.

Navigation bar: For Android 4.0, the navigation bar is present only on devices that don't have the traditional hardware keys. It contains the Back, Home, and Recents controls. Select this option if you want device users to be able to access the navigation bar. Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.

Status bar: The status bar displays pending notifications on the left and status, such as time, battery level, or signal strength, on the right. Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.

3. Click Save.
4. Assign the policy to the appropriate label to push it to the target devices.

Multiple-apps kiosk policy


A multiple-app kiosk policy specifies behavior for a device that will run multiple apps. This type of kiosk policy depends on an Android kiosk configuration to specify the permitted apps. This policy includes several additional options for specifying the following behavior:
multiple user login support
inactivity logout interval
access to exit kiosk mode
branding for the kiosk launcher/desktop

To specify a multiple-app kiosk policy:


1. Select Policies & Configs > Policies > Add New > Android Kiosk.
2. Select Multiple Apps.

3. Use the following guidelines to complete the remaining options:

Kiosk multi-user login: Enable this option to allow different users to log in. Device users enter their MobileIron credentials to access the kiosk. The credentials entered determine who is recorded as the current user, the apps to display, and whether that user has permission to exit kiosk mode from the device. Note: The credentials entered do not affect the profiles installed on the device.

Inactivity logout: Select the duration of inactivity after which the user will be signed out. This option applies to multi-user kiosks only.

Administrative access to exit Kiosk mode: If you want to specify users who have permission to disable kiosk mode from the device, specify the corresponding LDAP groups for those users. You can choose from the LDAP groups that you specified in Settings > LDAP for each LDAP server.

Branding:

Background Color: Enter the hex triplet for the color you want to apply to the kiosk display background.

Banner Color: Enter the hex triplet for the color you want to apply to the banner at the top of the kiosk display.

Banner Text Color: Enter the hex triplet for the color you want to apply to the text in the banner at the top of the kiosk display.

Banner Text: Enter the text you want to display in the banner at the top of the kiosk display.

Banner Logo: Click Browse to select a logo. The logo must be a JPEG or PNG graphic. Image sizes vary for different devices. 120x120 pixels is appropriate for most phones. 180x180 pixels is appropriate for most tablets. The image must be smaller than 100 KB.

Enable Android functions:

System bar: System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.

Task manager: The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.

Notification bar expansion: The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.

4. Click Save.
5. Assign the policy to the appropriate label to push it to the target devices.
6. Create an Android kiosk configuration to specify the apps to be used.

Creating an Android Kiosk configuration
The Android kiosk configuration has the following functions:
specifies the apps to be displayed for multiple-app devices
specifies which LDAP groups (and, therefore, which users) have access to those apps

You can apply multiple kiosk configurations. The union of the configurations determines which apps to display.

Note: Do not assign a kiosk configuration to a device configured for single-app mode.
The LDAP group access specified in the configuration would effectively disable the
specified apps on a single-app mode device.

To create an Android kiosk configuration:


1. Select Policies & Configs > Configurations > Add New > Android > Samsung Kiosk.
The New Android Kiosk Configuration dialog appears.
2. If you intend to use LDAP groups to restrict access to apps on kiosk devices, then
select the LDAP groups you want to use. You can choose from the LDAP groups that
you specified in Settings > LDAP for each LDAP server.
These users will have access to the specified apps on kiosk devices, that is, those
devices that have a kiosk policy applied.
If all kiosk users should have access to all specified apps, then do not select LDAP
groups.
Note: The LDAP groups that are available, and the corresponding attributes, are
based on the last sync between MobileIron Core and the LDAP server. If you made
a recent change to LDAP data, it will not be reflected on the next sync (scheduled
or manual).
3. Select the apps you want to make accessible for kiosk devices that receive this configuration.
Note that the name displayed is the common name for the app. The package name
is the unique identifier determined by the app developer.
4. Click Save.
5. Assign the configuration to the appropriate label to push it to the target devices.

Enabling/Disabling Android kiosk mode
The first time the necessary policy and configuration are pushed to the device, a kiosk
item displays in the Apps@Work screen on the device. Tap Kiosk Mode to initiate kiosk
mode.

Afterwards, you can enable and disable Android kiosk mode from the Admin Portal.
Users with assigned privileges can also disable kiosk mode on a kiosk device.

From the Admin Portal


To enable Android kiosk mode from the Admin Portal:
1. Select the device in the Users & Devices > Devices page.
2. Select Actions > Android Only > Enable Samsung Kiosk.

To disable Android kiosk mode from the Admin Portal:


1. Select the device in the Devices page.
2. Select Actions > Android Only > Disable Samsung Kiosk.

From the kiosk device


To enable Android kiosk mode from the device:
1. Start the Mobile@Work app.
2. Tap Kiosk Mode.
Note: Kiosk Mode displays only if the kiosk policy has been configured and sent to
the device.

Only users configured for administrative access in the kiosk policy can disable kiosk
mode from the device. The kiosk must be configured to support multiple apps and
multiple users. To disable Android kiosk mode from the device:
1. Log in as a kiosk administrator.
2. Tap the Exit Kiosk icon at the top of the screen.

Example
Consider a school that wants to install the following apps on several tablets. Though all the apps will be installed on each tablet, the apps that are displayed depend on which user has logged in.

The following table shows the apps and the LDAP groups that should have access to
them.

LDAP Groups   View   Update   Send 2 Parents   Send 2 Teachers
Teachers      yes    yes      yes              yes
Tutors        yes    yes      yes
Students      yes

The following table shows one way to implement this scenario.

Android Kiosk configuration   LDAP Group   View   Update   Send 2 Parents   Send 2 Teachers
KioskTeachers                 Teachers     yes    yes      yes              yes
KioskTutors                   Tutors       yes    yes      yes
KioskStudents                 Students     yes

Device details
The Device Details pane in the Admin Portal displays the following information about
kiosk mode:
whether kiosk mode has been enabled
the device user currently logged in on the device.

To view device details:


1. Go to Users & Devices > Devices
2. Expand device details by clicking the up arrow next to the checkbox for the device
of interest.
3. Look for the kiosk attributes in the Device Details tab.

Deployment notes
Kiosk mode is a viewing filter only
    Kiosk mode is NOT an App Blocking feature. It only restricts the viewing of apps which can be launched.
    Apps must be installed on the device for them to launch from the kiosk.
Distribute apps with the silent install option enabled.
    Eases the deployment process.
Configuring which apps to run
    Single App mode uses the Android kiosk policy.
    Multiple Apps mode uses kiosk configurations.
    Apps defined in kiosk configurations with no LDAP groups defined apply to ALL kiosk users.
    The union of all kiosk configurations applicable for a kiosk user determines the list of apps to display.
If the device loses its connection to MobileIron Core, then kiosk mode cannot be disabled. You must do a factory reset.
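The app-visibility rules in these deployment notes, applied to the school example above, as an added Python example that is not MobileIron code: a configuration with no LDAP groups applies to all kiosk users, the union of all applicable configurations is what the kiosk displays, and an app that was never installed shows as a blank icon. Package names are constructed, and because the flattened example table does not show which three apps tutors get, the example assumes View, Update and Send 2 Parents.

```python
"""Added example, not MobileIron code: computes which apps a kiosk user
sees under the rules in the deployment notes (no LDAP groups on a
configuration = applies to ALL kiosk users; union of applicable
configurations = displayed list; an app not installed on the device shows
as a blank icon). Package names are constructed; the tutor app set is an
assumption, since the flattened example table does not show it."""

from collections import namedtuple

# An Android kiosk configuration: the LDAP groups it applies to (empty set
# means every kiosk user) and the apps, by package name, it makes accessible.
KioskConfig = namedtuple("KioskConfig", ["name", "ldap_groups", "apps"])

# Constructed package names for the four apps in the school example.
VIEW = "com.example.school.view"
UPDATE = "com.example.school.update"
SEND_PARENTS = "com.example.school.send2parents"
SEND_TEACHERS = "com.example.school.send2teachers"
ALL_APPS = {VIEW, UPDATE, SEND_PARENTS, SEND_TEACHERS}

# One configuration per LDAP group, as in the example table above.
SCHOOL_CONFIGS = [
    KioskConfig("KioskTeachers", {"Teachers"}, ALL_APPS),
    KioskConfig("KioskTutors", {"Tutors"}, {VIEW, UPDATE, SEND_PARENTS}),  # assumed set
    KioskConfig("KioskStudents", {"Students"}, {VIEW}),
]


def apps_for_user(user_groups, configs, installed):
    """Returns (launchable, blank_icon): the apps displayed to a user in
    user_groups, split into those installed on the device and those that are
    not. Kiosk mode is a viewing filter only, so an app outside the list is
    hidden rather than blocked, and a listed but uninstalled app is a blank icon."""
    user_groups = set(user_groups)
    visible = set()
    for cfg in configs:
        # No LDAP groups on the configuration means it applies to every kiosk user.
        if not cfg.ldap_groups or cfg.ldap_groups & user_groups:
            visible |= set(cfg.apps)  # union of all applicable configurations
    installed = set(installed)
    return visible & installed, visible - installed


def may_exit_kiosk(user_groups, admin_groups):
    """True only for members of the LDAP groups named under 'Administrative
    access to exit Kiosk mode' in a multiple-app, multi-user kiosk policy."""
    return bool(set(user_groups) & set(admin_groups))


if __name__ == "__main__":
    # Constructed device: the Send 2 Teachers app was never silently installed.
    device_apps = ALL_APPS - {SEND_TEACHERS}
    for groups in ({"Teachers"}, {"Tutors"}, {"Students"}, {"Tutors", "Students"}):
        launchable, blank = apps_for_user(groups, SCHOOL_CONFIGS, device_apps)
        print(sorted(groups), "launchable:", sorted(launchable), "blank icon:", sorted(blank))
```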

Appendix J

The User Portal: MyPhone@Work


What is MyPhone@Work?
Getting started
Home
Contacts
Calls & Texts
Activity
Apps
Preferences

What is MyPhone@Work?
MyPhone@Work is a self-service web application that enables MobileIron users to participate in the management of their devices. Registered users can do tasks like:
Track their activity
Manage contact information
Set privacy options
Remotely lock a phone

Note: Feature availability varies by operating system.

Browser Settings
Your browser needs to be configured to display mixed content to ensure full access to
all tabs in MyPhone@Work.

Adobe Flash Player


Adobe Flash Player 10 is required for display of some MyPhone@Work graphics.

Supported platforms
The following table lists the platforms supported for MyPhone@Work and its features.

MyPhone@Work              Android   iOS   Win 7   WP8
Register                  yes       yes   -       yes
Lock                      yes       yes   -       -
Wipe                      yes       yes   -       yes
Find It                   yes       -     -       -
Communications History    -         -     -       -
Voice / SMS / Data Usage  -         -     -       -
SMS Log/Search            -         -     -       -
App Management            -         -     -       -

Getting started
MyPhone@Work gives device users the ability to perform basic tasks without administrative intervention.

Logging in
Users who did not self-register will need the MobileIron administrator to provide the URL to the MobileIron Server, as well as the user ID and password for their account. As with the Admin Portal, the user ID and password are case sensitive.

The URL for accessing MyPhone@Work is:

https://<MobileIron_server>

To log in:
1. Enter the user ID.
2. Enter the password.
3. Click Sign In.
The following page displays.

Note: The following tabs will be disabled if you have default settings applied:
Contacts

Calls & Texts
Activity

To enable these tabs, click Settings and enable the displayed options. Note that it may
take some time for the data associated with these tabs to display.

Registering phones
If you have been assigned the MyPhone@Work Registration role, then you can register your own phones without help from your MobileIron administrator.
To register a phone from MyPhone@Work:
1. Click the Add a Phone link.

2. Use the following guidelines to complete the form.

My device has no phone number: Select this option if your device has no phone number. MobileIron will handle this device as a WiFi-only device.

Country: Select the home country for this device. The country you select determines the content of the Country Code field. This option is available only if you have a cellular device; it is grayed out if you selected My device has no phone number.

Mobile: Enter the prefix and number, if any, for this device. Enter numbers only, with no leading zeros or spaces. The Country Code is filled in automatically based on your selection from the Country list.

Operator: Select the name of the mobile service provider for this phone. Why: The name of the operator is required for proper transmission of SMS messages.

Platform: Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled for registration. Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.

Device Language: Select a language from the dropdown list. Your administrator must enable supported languages to enable this feature. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.

I own this device: Select this option if this phone is your property, and not provided by your company. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 143 for information on labels. Why: Administrators may want to assign different policies to phones based on ownership.

3. Click Register.

Searching
You can search MyPhone@Work for specific content. Select one of the following content types from the dropdown list in the upper right corner:
Calls & Texts
Contacts
Applications

Enter the text to search for in the field to the right and click the icon.

Logging out
Click Log Out in the upper right corner to end your MyPhone@Work session.

Home
The Home page gives you an initial snapshot of your phone and your usage.

Communication Graph
The Communication Graph gives you a graphic snapshot of your communications. Contacts that are matched are indicated in the node labels. Non-contacts are identified by number.

The lengths of the lines joining the nodes indicate the relative rank of the corresponding contacts. In other words, those contacts you communicate with more frequently are displayed with shorter lines. Click the arrow under the Communication Graph title bar to display the underlying data for the graph.

Click a node in the graph to show the data for your interactions with just the corresponding phone.

Turning nodes into contacts


For non-contacts, an Add Contact button displays with the data. Click the Add Contact
button to add the selected node as a contact.

My Usage
The My Usage section in the Home page provides a quick snapshot of your usage,
updated daily.

Click the My Usage link to move to the Activity page.

Storage
The Storage section provides a rough chart of internal and removable storage currently available on the phone.

Lost Phone
The Lost Phone section enables you to act in the event that your phone is lost or stolen. Select from the following options:
Find It
Lock It
Wipe It

Note: Your administrator must give you the required roles for access to these buttons.

Finding the last known location


1. Click Find It to display a map with the last known location of the phone. This feature is available only if you have been assigned the MyPhone@Work Locate role.

2. If the last known location may be out of date, click the Update Location button to remotely enable GPS and obtain a lat/long reading.

3. Click OK to continue, despite the possibility that contacting the phone might take
some time.

A Cancel button is available in case the process takes longer than expected.

Locking your phone


You can remotely enable the locking mechanism for your phone. Just click Lock It.
This feature is available only if you have been assigned the MyPhone@Work Locate
role.

Wipe It
Click Wipe It to return your phone to factory defaults. This feature is available only if
you have been assigned the MyPhone@Work Wipe role.

Restoring your phone


You can restore data to your phone using a backup snapshot created by MobileIron:
1. Select Add a Phone.
2. Enter the registration information for the phone. See Registering phones on
page 938.
The following message displays.

3. Click Restore.

4. Select the device whose backup snapshots you want to select from.
5. Select the snapshot to use.

6. Select the resources to restore (i.e., User Files and/or Storage Card).
7. Click Apply.

If you have more than one phone


If you have more than one phone registered with MobileIron, use the dropdown list
under the phone thumbnail to select the phone you want to work with. This feature is
available only if you have been assigned the MyPhone@Work Registration role.

My Apps
The My Apps section lists newly added apps available for your phone.

Click the My Apps link to display the Applications screen, or click the link for a displayed app to go directly to that page.

Contacts
Click the Contacts tab to display the list of contacts synchronized between your phone and MyPhone@Work. If the Contacts tab is not enabled, then your MobileIron administrator did not enable contact synchronization. See Preferences on page 960.

Note: Contacts stored on the SIM card are not synchronized at this time.

Displaying contacts
Click a contact to display the information for that contact.

Searching contacts
To search your contact list, enter text in the Search Contacts field. You can search
your contacts list based on any name or number fields, such as First Name, Last
Name, Home Phone, and so on.

Adding contacts
To add a contact:
1. Click New Contact.

2. Enter information for this contact.
Note: The contact name is limited to 32 characters. If you enter more than 32 characters, then the contact name will be shortened to the first 32 characters when you save your changes.
3. Click Save.
The next time your phone connects to MobileIron, this new contact will be added to
the list of contacts on your phone.

Editing contacts
To edit a contact:
1. Select the contact from the list in the Contacts page.
2. Click Edit.

3. Make the necessary changes.
4. Click Save.
Your changes will be copied to your phone the next time it connects to MobileIron.

Deleting contacts
To delete a contact:
1. Select the contact from the list in the Contacts page.
2. Click Delete.

Calls & Texts
Click the Calls & Texts tab to view your phone activity.

Click the heading for any column to sort the displayed list based on that column. Displayed contact names are links to the information for the corresponding contacts. If you click an unknown contact, you are invited to add the contact to your address book.

Showing/Hiding content
By default, the content of texts is hidden for privacy purposes. You can display the
content by clearing the Hide Text Content checkbox.

Filtering calls and text


You can filter calls and text messages by several criteria:
Keywords
Calls versus texts
Call types
Date range

Using keywords
Enter text in the Keywords field to restrict the display to those entries containing the
specified text. For texts, the keywords will be matched against the content as well as
the contact information.

Displaying calls and/or texts
Select Calls, Texts, or both to specify which to include in the display. If you select
Calls, all calls are included by default. Select Missed or Dropped to include only these
call types.

Note: Specifying Missed or Dropped excludes Texts from the filter criteria.

Restricting the display to a date range


To focus on calls and/or texts in a given date range, click in the From and To fields and select the dates from the displayed calendars.

Activity
The Activity page displays your statistics for calls, SMS, and data, and compares them
to the average calculated for your MobileIron implementation.

Filtering activity
To filter display activity:
1. Select Call, SMS, or Data from the Select Activity list.
2. Click the From field to select a start date.
3. Click the To field to select an end date.
4. Select the Refresh link.

Displaying underlying data


To display the activity reflected in the Summary chart, click the View Log link.

Apps
Click the My Apps icon to display the Applications page.

Browsing apps
The Applications page lists the applications recommended by your organization. The
MobileIron administrator can group these applications into custom categories. Click a
category to browse the applications available for download.

To determine which applications are currently installed on your phone, click Apps On
My Phone.

Installing apps
You can install apps that are displayed in the My Apps page. To install an app:
1. Click the icon for the app.

2. Click Get App.


3. Click OK to confirm that you want to install the selected app.
The status of the app changes to Pending, indicating that it has been scheduled for
installation on your phone.

Uninstalling apps
To uninstall apps that are currently installed on your phone:
1. Click Apps On My Phone
2. Select the app from the displayed list.

3. Click Delete App.


The app will be removed the next time the device connects to the server.

Preferences
Use the Preferences page to change customizable settings.

Note: iOS users will see a subset of these options.

Privacy settings
Use the following guidelines for your privacy settings:

Sync contacts: Specify whether you want to copy contact information between your phone and MyPhone@Work. If you choose not to synchronize contacts, then the Contacts tab will be disabled. Note that contacts stored on your SIM card are not currently synchronized.

Sync text content: Specify whether to maintain a record of SMS text content on MyPhone@Work. Administrators do not have access to this content, regardless of your preference for this setting. However, note that choosing not to sync content does not prevent activity data from being synced.

Account settings

Change Password
To change your MobileIron password, click the Change Password link. This option does
not apply to users whose accounts are managed through LDAP.

Certificate
To upload a personal certificate:
1. Click Upload Certificate.
2. Click Browse to select the certificate.
3. Enter the password for the certificate.
4. Confirm the password.
5. Click Upload Certificate.

Appendix K

Physical Appliance Hardware Specification

This appendix covers the following appliances:
MobileIron Standard Appliance (M2100 3rd Generation)
MobileIron Standard Appliance (M2100 2nd Generation)
MobileIron M2500 Series Appliance

MobileIron Standard Appliance (M2100 3rd Generation)
The MobileIron appliance is a tightly integrated hardware, OS, application, and data-
base solution that is built, optimized, and certified by MobileIron. This section provides
the specs for the next generation appliance. If you received an earlier appliance, see
MobileIron Standard Appliance (M2100 2nd Generation) on page 966.

System
Processor: 3.5 GHz Quadcore Xeon CPU
Memory: 32 GB
Drives: 2x 500 GB Hot-swap SATA 6.0 GB Hard Disk Drives (RAID 1); 1x Slim DVD drive

Chassis
Form Factor: 19" 1U Rackmount
Dimensions (D x H x W): 22.6" x 1.7" x 16.8" (574 mm x 43 mm x 426 mm)
Weight: 32 lbs (16.5 kg)

Front Panel
Buttons: Power On/Off; System Reset
LEDs: Power LED; Hard drive activity LED; 2x Network activity LEDs; System Overheat LED
USB: 2x USB Ports
Drives: 2x 500 GB Hot-swap SATA 6.0 GB Hard Disk Drives (RAID 1); 1x Slim DVD Drive

Back Panel
IPMI: Intelligent Platform Management Interface (IPMI) 2.0 with virtual media over LAN
and KVM-over-LAN support; 1x 10/100BASE-T (RJ45)
Ethernet: 2x 10/100/1000BASE-T (RJ45)
VGA: 1x VGA (DB15)
PS/2: PS/2 keyboard and mouse ports
USB: 2x USB rear ports
Serial: 1x Serial port (DB9)

Power Supply
Power: 350 W AC power supply w/ PFC AC
Voltage: 100 - 240 V, 50 - 60 Hz, 4.2 - 1.8 Amp Max
+5 V: 18 Amp
+5 V standby: 3 Amp
+12 V: 29 Amp
+3.3 V: 15 Amp
Connector: IEC 60320-C13

Operating Environment
Operating: Temperature 50 to 95°F (10 to 35°C); Relative Humidity 8% to 90%
(non-condensing)
Non-Operating: Temperature -40 to 158°F (-40 to 70°C); Relative Humidity 5% to 95%
(non-condensing)
Heat Output: 682 BTU/hr (3.412 BTU/hr/W * 200 W)

MobileIron Standard Appliance (M2100 2nd Generation)
The MobileIron appliance is a tightly integrated hardware, OS, application, and data-
base solution that is built, optimized, and certified by MobileIron. This section provides
the specs for the 2nd generation appliance.

System
Processor: 2.53 GHz Quadcore Xeon CPU
Memory: 16 GB
Drives: 2x 250 GB Enterprise Hard Disk Drives (RAID 1); 1x DVD drive

Chassis
Form Factor: 19" 1U Rackmount
Dimensions (D x H x W): 15.75" x 1.7" x 16.8" (400 mm x 43 mm x 426 mm)
Weight: 17 lbs (7.7 kg)

Front Panel
Buttons: Power On/Off
LEDs: Power LED; System Overheat LED
USB: 2x USB Ports
Serial: 1x Serial Console (RJ45)

Back Panel
IPMI: Intelligent Platform Management Interface (IPMI) 2.0 with virtual media over LAN
and KVM-over-LAN support; 1x 10/100BASE-T (RJ45)
Ethernet: 2x 10/100/1000BASE-T (RJ45)
VGA: 1x VGA (DB15)
PS/2: 2x PS/2 keyboard and mouse ports
USB: 2x USB Ports
Serial: 1x Serial port (DB9)

Power Supply
Power: 200 W maximum
Voltage: 100 - 240 V, 50 - 60 Hz, 4 - 2 Amp Max
Connector: IEC 60320-C13

Operating Environment
Operating: Temperature 50 to 95°F (10 to 35°C); Relative Humidity 8% to 90%
(non-condensing)
Non-Operating: Temperature -40 to 158°F (-40 to 70°C); Relative Humidity 5% to 95%
(non-condensing)
Heat Output: 682 BTU/hr (3.412 BTU/hr/W * 200 W)

MobileIron M2500 Series Appliance
The M2500 Series large-scale deployment appliance provides the tightly integrated
solution of the standard appliance, with the resources necessary for larger deploy-
ments.

Form Factor
1U Rackmount Chassis, 27.75" Depth

Processors
2 x Intel Xeon E5-2670 2600 MHz, 8 Cores/16 Threads, 20 MB Cache (16 Cores total)

Memory
64 GB, 1600 MHz

USB
2 x Front, 3x Back

LAN
Quad Intel I350 GbE connections

Storage
4 x 600 GB SAS 3Gb/s ports, RAID 10
1 SATA DVD-ROM

Drive Bays
4 x 3.5" hot swap drive bays + one Optical Drive support

VGA
Integrated 2D Video Controller
16MB DDR3 Memory

Expansion Slots
2 x PCI-E Gen3 x16 FHHL via two risers (1 each)

Power
1+1 Redundant 750W Power Supply, Platinum level efficiency

Management
Integrated Baseboard Management Controller, IPMI 2.0 compliant
Full RMM4 (Key and NIC)
Support for Intel Server Management Software

Cooling
Six dual rotor managed system fans
One power supply fan for each installed power supply module

Appendix L

Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates

You can configure an outbound HTTP proxy for MobileIron Core. This proxy is intended
primarily for organizations that require an HTTP proxy for communications with the
MobileIron Gateway. To configure the proxy:
1. In Admin Portal, select Settings > Preferences.
2. Scroll down to Outbound HTTP Proxy for Gateway Transactions and System
Updates.
3. Use the following guidelines to complete the fields in this section:

HTTP Proxy URL: Enter the URL for the outbound HTTP proxy.
HTTP Proxy Auth Name: Enter the authentication name for the HTTP proxy.
HTTP Proxy Auth Password: Enter the authentication password for the HTTP proxy.
HTTP Client Connect Timeout: Specify the amount of time to wait for the connection
setup to complete.
HTTP Client Socket Timeout: Specify the amount of time to wait for a response from the
proxy server.

4. Click Save.
At this point, the settings are saved, but not applied.
5. To apply these changes, you need to restart the tomcat server for MobileIron Core.
Enter the following commands using the CLI:

    enable
    service tomcat stop
    service tomcat start
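Because the settings only take effect after the tomcat restart, it is worth checking the five field values before saving them. The following Python is an added example, not MobileIron's own code: it validates the values (URL shape, credentials kept out of the URL, positive timeouts) and can send a single CONNECT through the proxy using the connect timeout and the socket timeout separately, as the two fields describe. The dict layout, the proxy address and the probe target are assumptions.

```python
# Added example, not MobileIron code: sanity-check the Outbound HTTP Proxy
# fields before saving them and restarting tomcat. Field names mirror the
# Admin Portal; the dict layout and the probe are this example's assumptions.
import base64
import socket
import ssl
from urllib.parse import urlsplit


def validate_proxy_settings(cfg):
    """Return the problems found in the five fields ([] means consistent)."""
    problems = []
    url = urlsplit(cfg.get("HTTP Proxy URL", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("proxy URL needs an http(s):// scheme and a host")
    if url.username or url.password:
        # Credentials belong in the Auth Name/Password fields, not in the URL,
        # where they end up in logs, screenshots and support bundles.
        problems.append("do not embed credentials in the proxy URL")
    if bool(cfg.get("HTTP Proxy Auth Name")) != bool(cfg.get("HTTP Proxy Auth Password")):
        problems.append("auth name and auth password must be set together")
    for field in ("HTTP Client Connect Timeout", "HTTP Client Socket Timeout"):
        if not isinstance(cfg.get(field), int) or cfg[field] <= 0:
            problems.append(f"{field} must be a positive number of seconds")
    return problems


def probe_proxy(cfg, target="www.example.com:443"):
    """Send one CONNECT through the proxy; return its status code, or None.

    The connect timeout bounds the TCP handshake to the proxy; the socket
    timeout bounds the wait for the proxy's reply, matching the two fields.
    """
    url = urlsplit(cfg["HTTP Proxy URL"])
    port = url.port or (443 if url.scheme == "https" else 80)
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n"
    if cfg.get("HTTP Proxy Auth Name"):
        creds = f"{cfg['HTTP Proxy Auth Name']}:{cfg['HTTP Proxy Auth Password']}"
        request += f"Proxy-Authorization: Basic {base64.b64encode(creds.encode()).decode()}\r\n"
    try:
        with socket.create_connection((url.hostname, port),
                                      timeout=cfg["HTTP Client Connect Timeout"]) as sock:
            if url.scheme == "https":  # the proxy endpoint itself speaks TLS
                sock = ssl.create_default_context().wrap_socket(sock, server_hostname=url.hostname)
            sock.settimeout(cfg["HTTP Client Socket Timeout"])
            sock.sendall((request + "\r\n").encode())
            status_line = sock.recv(1024).split(b"\r\n", 1)[0]
            return int(status_line.split()[1])
    except (OSError, ValueError, IndexError):
        return None
```

A 200 from probe_proxy means the proxy accepted the tunnel with the given credentials; a 407 points at the auth fields, and None means the connect or socket timeout expired or the proxy was unreachable.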

What the HTTP outbound proxy does not apply to
The HTTP outbound proxy does not apply to the following areas:
APNS for MDM or the MobileIron Client
MobileIron Sentry
BES integration
SCEP-to-CA connections
