Administration Guide
Local Users Created During Setup .................................................................. 58
Users and roles ................................................................................... 59
LDAP groups and roles ................................................................................. 59
Enforce Single Session role and concurrent session control ............................... 59
User management page ....................................................................... 60
Required role .............................................................................................. 60
Level of end-user interaction ........................................................................ 80
Prerequisites .............................................................................................. 80
See ........................................................................................................... 80
Users register additional devices ........................................................... 80
Best for ..................................................................................................... 80
Level of end-user interaction ........................................................................ 80
Prerequisites .............................................................................................. 81
See ........................................................................................................... 81
Admin registers ActiveSync devices ....................................................... 81
Best for ..................................................................................................... 81
Level of end-user interaction ........................................................................ 81
Prerequisites .............................................................................................. 81
See ........................................................................................................... 81
Registering an Apple TV ....................................................................... 81
Registration via web portal ................................................................... 82
Registering Android devices via web portal (MIRP) ........................................... 82
Usage notes ............................................................................................... 83
Enabling additional countries for registration .........................................100
Disabling operators ............................................................................100
Filtering operators ..............................................................................101
Searching for an operator ........................................................................... 101
Displaying operators by country .................................................................. 101
Displaying operators by status .................................................................... 101
Creating a label based on custom LDAP user attributes ...........................126
Using the Users & Devices dashboard ..................................................126
Devices dashboard charts ........................................................................... 127
Arranging the dashboard charts ...........................................................127
Changing the charts included in the device dashboard .............................127
Reporting on managed devices ............................................................128
Registration-related features and tasks ................................................ 129
Reprovision device .............................................................................129
Retire ...............................................................................................129
Resend provision message ..................................................................130
Security-related features and tasks ..................................................... 131
Lock .................................................................................................131
Unlock ..............................................................................................132
Wipe ................................................................................................133
Selective Wipe ...................................................................................133
Block AppTunnels ...............................................................................134
Lost .................................................................................................134
Found ...............................................................................................135
Locate ..............................................................................................135
Reset device PIN (WP8.1 devices only) .................................................137
Maintenance features and tasks .......................................................... 138
Send Message ...................................................................................138
Update Roaming Settings ....................................................................139
Enabling roaming for iOS devices .........................................................140
Disabling roaming for iOS Devices ........................................................140
Viewing roaming settings for iOS devices ..............................................141
Change Ownership .............................................................................141
Apply To Label ...................................................................................141
Remove From Label ...........................................................................142
Using labels to establish groups .......................................................... 143
Default labels ....................................................................................143
Filter and manual type labels ...............................................................144
Creating labels ..................................................................................144
Editing Labels ....................................................................................145
Viewing devices currently associated with a label ...................................145
Associating a filter with a label: dynamic labels ......................................145
Example: Creating a label for devices by operator ......................................... 145
Example: Creating a label for devices by LDAP group .................................... 145
Deleting labels ...................................................................................146
Delegated administration ................................................................... 147
Administrator types ............................................................................147
Designing MobileIron Core to use delegated administration ......................149
Creating device spaces and assigning administrators ..............................150
Updating device spaces .............................................................................. 152
Specifying devices for device spaces ............................................................ 152
Searchable fields ....................................................................................... 153
Switching device spaces ......................................................................154
Managing device spaces ......................................................................154
Managing device space priority ................................................................... 154
Deleting device spaces ............................................................................... 155
Assigning administrators to spaces .......................................................156
Removing administrators from Device Spaces ............................................... 156
Editing administrator roles .......................................................................... 157
Labels and delegated administration ............................................................ 160
Role correspondences .........................................................................161
Working with Apple DEP devices .......................................................... 163
Adding Your MobileIron Core to the DEP Portal .......................................163
Assigning Apple DEP device to MobileIron Core ......................................163
Associating DEP Devices with MobileIron Core ........................................164
Viewing DEP accounts .........................................................................164
Managing DEP accounts ......................................................................165
Adding DEP Enrollment Profiles ................................................................... 166
Assigning devices to DEP enrollment profiles ................................................. 167
Removing DEP device enrollment profile assignments ..................................... 168
Deleting DEP enrollment profiles ................................................................. 168
Editing DEP Account Information ................................................................. 169
Deleting DEP Accounts ............................................................................... 169
Checking for Apple DEP Account Updates ...................................................... 169
Disowning DEP devices .............................................................................. 169
Creating DEP device file for assigning devices to enrollment profiles ................. 170
Windows 8.1 RT and Pro password specifications ............................................ 191
If you change password specifications ...................................................192
Compliance actions for security policy violations .....................................192
Default compliance actions ......................................................................... 193
Custom compliance actions ......................................................................... 194
Creating a custom compliance action ........................................................... 194
When the compliance action takes effect ...................................................... 198
Confirming removal of configurations for iOS ................................................ 198
Restoring configurations ............................................................................. 199
Viewing quarantine information ............................................................199
Devices page: quarantined devices .............................................................. 199
Configurations page: configurations removed due to quarantine ...................... 199
Adding new configurations ..................................................................234
Editing configurations .........................................................................235
Deleting configurations .......................................................................235
Android Samsung browser settings ...................................................... 236
Configuring SmartCard browser authentication ......................................236
Step-by-step ............................................................................................ 236
SmartCard browser behavior on the device ................................................... 237
AppConnect Configuration settings ...................................................... 297
AppConnect Container policy settings ................................................... 298
Bookmarks settings ........................................................................... 299
Certificates settings ........................................................................... 300
SCEP settings ................................................................................... 301
Why proxy? .......................................................................................304
Supported variables ................................................................................... 304
If SCEP integration is not an option ............................................................. 305
Using Symantec Managed PKI ..............................................................305
Prerequisites ............................................................................................ 305
Using the OpenTrust integration ...........................................................305
Compatibility notes .................................................................................... 305
Pre-requisites ........................................................................................... 306
Configuring the integration with OpenTrust ................................................... 306
Supported variables ................................................................................... 307
Using Symantec Web Services Managed PKI ..........................................308
Before you begin ....................................................................................... 308
Configuring the Symantec Web Services Managed PKI settings ........................ 309
Supported variables ................................................................................... 311
Revoking the certificate .............................................................................. 312
MobileIron Core as a SCEP reverse proxy for WP8.1 devices ................... 313
Before you begin ...............................................................................313
Setting up SCEP proxy for WP8.1 devices ..............................................313
Configuring SCEP Settings for WP8.1 devices .........................................313
Configuring SCEP Reverse Proxies (WP8.1) ............................................314
Docs@Work settings .......................................................................... 315
Web@Work settings .......................................................................... 316
iOS and OS X settings ........................................................................ 317
General settings ................................................................................317
CalDAV settings .................................................................................317
Supported Variables .................................................................................. 318
CardDAV settings ...............................................................................318
Supported variables ................................................................................... 319
Web Clips settings ..............................................................................319
Configuration profile settings ...............................................................320
LDAP settings ....................................................................................320
iOS settings ..................................................................................... 322
AirPlay settings ..................................................................................322
AirPrint settings .................................................................................323
Restrictions settings ...........................................................................324
Subscribed Calendars settings .............................................................329
Supported Variables .................................................................................. 330
APN settings ......................................................................................330
Provisioning Profile settings .................................................................331
Web content filter settings ..................................................................331
Configuring the web content filter ................................................................ 331
Browser impact ......................................................................................... 333
Removing a Web content configuration from a device ..................................... 334
Multiple web content configurations on a device ............................................ 334
Managed app configuration settings ......................................................334
Managed app configuration overview ........................................................... 334
Configuring the managed app config setting ................................................. 335
Viewing the plist file .................................................................................. 336
Removing a managed app config setting from a device ................................... 336
Supported variables ................................................................................... 336
Sample plist ............................................................................................. 336
Enterprise single sign-on settings .........................................................337
Supported variables ................................................................................... 339
Events page ......................................................................................360
Required role ............................................................................................ 360
Editing MobileIron Sentry settings ........................................................405
Deleting a Sentry entry .......................................................................405
Disabling a Sentry entry .....................................................................406
451 redirect processing ...................................................................... 407
Disabling redirect processing ...............................................................407
Device and server authentication support for Standalone Sentry .............. 408
Device authentication .........................................................................408
Server authentication .........................................................................409
Configuring device and server authentication .........................................409
Authentication using Pass Through .......................................................410
Authentication using a group certificate ................................................410
Authentication using an identity certificate and Pass Through ...................411
Authentication using an identity certificate and Kerberos constrained delegation ....412
Device Authentication Configuration section .................................................. 413
ActiveSync Configuration section ................................................................. 414
App Tunneling Configuration section ............................................................ 414
Kerberos Authentication Configuration section ............................................... 415
Authentication using Trusted Front-End .................................................416
Managing certificates for Standalone Sentry ......................................... 417
Generating a self-signed certificate for Sentry ........................................417
Generating a CSR for Sentry ................................................................418
Uploading Sentry certificates ...............................................................420
Viewing a Sentry certificate .................................................................421
Email attachment control support for Standalone Sentry ........................ 422
Supported devices and email apps .......................................................422
iOS email apps .......................................................................................... 422
Android email apps .................................................................................... 422
Email attachment control options .........................................................423
Remove attachment .................................................................................. 423
Open Only with Docs@Work and Protect with Encryption ................................ 424
Deliver as is ............................................................................................. 425
Open with Secure Email App ....................................................................... 425
Forwarding emails with attachments .....................................................425
Standalone Sentry S/MIME handling to sign or encrypt emails ..................425
Digitally signed emails ............................................................................... 425
Encrypted emails ...................................................................................... 426
Viewing the ActiveSync server status ....................................................434
Setting Sentry preferences ................................................................. 435
Auto blocking unregistered devices .......................................................435
Setting the Sentry Sync Interval ..........................................................435
Setting the Service Account Notification Email .......................................436
Default ActiveSync Policy behavior .......................................................436
Chapter 11 Working with ActiveSync Phones via MobileIron Sentry.................. 439
ActiveSync devices and MobileIron Sentry ............................................ 440
Working with ActiveSync policies ......................................................... 442
Adding multiple ActiveSync accounts to a registered device .................... 448
Viewing ActiveSync associations .......................................................... 449
Click the ActiveSync Associations link. Information displayed for ActiveSync associations ......449
Filtering the ActiveSync associations list ................................................450
Displaying more information for an ActiveSync association ......................450
Taking Actions on ActiveSync associations ............................................ 452
Allow ................................................................................................452
Block ................................................................................................453
Wipe ................................................................................................455
Registering ActiveSync phones ............................................................456
Removing ActiveSync phones ..............................................................456
Linking an ActiveSync device to a managed device .................................457
Overriding and re-establishing MobileIron Core management of a device ...457
Assigning an ActiveSync policy ............................................................458
Reverting an ActiveSync policy ............................................................458
Allowing Windows 7 devices to sync ..................................................... 460
Chapter 12 Using the SMS Archive Feature................................................... 463
About the SMS Archive feature ........................................................... 464
Supported devices .............................................................................464
Setting Up the SMS Archive feature ......................................................464
SMS archival and privacy policies .........................................................465
Monitoring SMS archival ..................................................................... 466
Checking the SMS archive queue ..........................................................466
Overriding the SMS delivery interval .....................................................466
Checking the number of delivered SMSes ..............................................466
Event Center options ..........................................................................466
Chapter 13 Using Enterprise Connector........................................................ 469
Enterprise Connector for MobileIron Core ............................................. 470
Installation and configuration tasks ......................................................470
Viewing Enterprise Connector status .....................................................470
Working with the Connector ............................................................... 471
Viewing the Connector detailed information ...........................................471
Changing user passwords ....................................................................472
Changing a user's password on MobileIron Core ............................................ 472
Changing a user's password on the Connector ............................................... 472
Changing the status reporting interval ..................................................472
Configuring connector LDAP timeout .....................................................473
Unpublishing iOS apps (removing from labels) .......................................503
Managing iOS Volume Purchase Program (VPP) apps with redemption codes ......504
How Apple's program works ................................................................504
Where MobileIron comes in .................................................................504
What device users see ........................................................................504
Setup tasks .......................................................................................504
Uploading the payment file to MobileIron Core .......................................505
Applying VPP labels ............................................................................505
Example: Recommend an app to all iOS users, pay for executives ................... 505
Configuring a VPP alert .......................................................................505
Apple's Volume Purchase Plan (VPP) license management ....................... 507
New VPP features ...............................................................................507
Reclaim VPP licenses ................................................................................. 507
Sync VPP license usage with Apple .............................................................. 507
Manage multiple VPP accounts .................................................................... 508
Using redemption codes and licenses ....................................................508
Differences between redemption codes and licenses ...............................508
App Licenses page .............................................................................509
Adding a VPP account .........................................................................509
Before you begin ....................................................................................... 509
To add a VPP account: ............................................................................... 509
Importing VPP apps from the VPP account .............................................510
Importing VPP apps from the App Distribution Library .............................510
Applying VPP labels ............................................................................511
Viewing VPP account information ..........................................................511
Viewing VPP app information ...............................................................511
Taking actions on a VPP account ..........................................................512
What the user sees ............................................................................512
Working with apps for Android devices ................................................. 513
What are Google Play apps? ................................................................513
What are in-house apps? ....................................................................513
What are secure apps? .......................................................................513
Silent install and uninstall on Samsung SAFE devices ..............................513
Adding Google Play apps for Android ....................................................514
Android app versions and device counts ....................................................... 516
Adding in-house apps for Android .........................................................517
Adding secure apps for Android ............................................................518
Adding apps to the app storefront for Android devices .............................521
User notification of newly-published apps ..................................................... 521
Enhanced Apps@Work ........................................................................522
Using Apps@Work on an Android device ................................................522
Featured tab ............................................................................................. 523
Categories tab .......................................................................................... 523
Updates tab .............................................................................................. 523
App details ............................................................................................... 523
Searching for an app ................................................................................. 523
Localized Apps@Work ................................................................................ 523
Troubleshooting: Android apps ............................................................524
Working with apps for Windows Phone 8 devices ................................... 525
Importing recommended apps for WP8 devices ......................................525
In-house and third-party apps for WP8 devices ......................................525
Before you develop in-house apps for WP8 devices .................................526
Certificates and tokens for in-house apps for WP8 devices .............................. 526
Third-party apps for WP8 devices ................................................................ 526
WP8 app file specifications for upload to MobileIron Core ................................ 527
Adding the AET and applying a label .....................................................527
Adding in-house and third-party apps for distribution to WP8 devices ........527
Upgrading to a new version of an app on WP8 devices ............................529
Editing WP8 app information ...............................................................529
Deleting a Windows Phone 8 app from MobileIron Core ...........................529
Setting up your WP8 device .................................................................530
Working with apps for Windows 8.1 RT and Pro devices .......................... 531
Importing recommended apps .............................................................531
In-house and third-party apps for Windows 8.1 Pro and RT devices ..........531
Certificates and sideloading keys ..........................................................532
Certificates ............................................................................................... 532
Sideloading keys ....................................................................................... 532
App file specifications .........................................................................532
Adding and updating in-house and third-party apps for distribution ...........532
Editing the app information .................................................................533
Deleting an app from MobileIron Core ...................................................534
Setting up your Windows 8.1 RT or Pro device .......................................534
Working with Web Application ............................................................. 535
Taking actions on web applications .......................................................536
Installing web applications ..................................................................536
View number of devices installed ..........................................................536
What the device user sees ...................................................................537
Enable Installation of Web Applications on iOS is not checked .............. 537
Enable Installation of Web Applications on iOS is checked ................... 537
Setting up app control ....................................................................... 538
App control alerts ..............................................................................538
App control rule types ........................................................................539
App control rule criteria ......................................................................539
App control rules applied in security policies ..........................................539
Configuring app control alerts ..............................................................540
Adding an app control rule ..................................................................540
Editing app control rules ............................................................................. 541
Identifying the GUID for the Windows Phone app ........................................... 541
Applying an app control rule to a security policy .....................................542
Viewing app control status ..................................................................542
Viewing app inventory ....................................................................... 543
What's in an app name? ......................................................................543
Synchronizing app inventory ...............................................................543
App filters .........................................................................................544
Filtering the inventory display ..............................................................544
Displaying the devices on which an app is installed .................................544
Managing app inventory ..................................................................... 545
Determining which apps are new ..........................................................545
Determining when an app was first reported ..........................................545
Launching a web search for a selected app ............................................545
Displaying permissions for Android apps ...............................................546
Deciding whether an app is OK ............................................................546
What happens when a bad app is removed? .................................................. 546
Moving directly to the App Control screen ..............................................547
Upgrading the MobileIron client application ........................................... 548
Override for in-house app URLs ........................................................... 549
Implementing app source override on MobileIron Core ............................549
Manual synchronization of apps ...........................................................550
Malware prevention: App reputation .................................................... 551
Enabling app reputation ......................................................................551
Confirming configuration of the app reputation service ................................... 552
Viewing app reputation data ................................................................553
Chapter 15 Docs@Work ............................................................................ 555
About Docs@Work ............................................................................ 556
Docs@Work for content servers ...........................................................556
For iOS .................................................................................................... 556
For Android .............................................................................................. 556
Docs@Work for email attachment control ..............................................556
Attachment handling for iOS ....................................................................... 556
Attachment handling for Android ................................................................. 557
Encryption for iOS Docs@Work documents sent as email attachments .......557
iOS 7 considerations .................................................................................. 558
Limitations ............................................................................................... 558
Annotating documents with Docs@Work for iOS .....................................559
Single Sign On for Docs@Work ............................................................559
Supported content servers ..................................................................559
Content Server Port Requirements ............................................................... 560
Supported authentication to content servers ..........................................560
Supported ActiveSync servers for attachment control ..............................560
Supported devices .............................................................................560
iOS devices .............................................................................................. 560
Android devices with AppConnect enabled .................................................... 561
Other platform devices ............................................................................... 561
Docs@Work requirements ...................................................................561
File viewers .......................................................................................561
SharePoint Prerequisites .....................................................................561
File synchronization (iOS) ...................................................................562
Data security (iOS) ............................................................................562
Configuring email attachment control ................................................... 563
Configuring Docs@Work for content servers (Android) ........................... 564
Configuring Docs@Work for content servers (iOS) ................................. 565
Docs@Work setup tasks ..................................................................... 566
Enable Docs@Work ............................................................................566
For Android, obtain and configure apps .................................................566
Set up Docs@Work configurations ........................................................567
Implementing priority folders ...................................................................... 569
Specify the URL of the Docs@Work configuration (SharePoint) ........................ 570
For iOS: Set up Docs@Work policies .....................................................571
Set up your preference for saving passwords on MobileIron Core ..............576
Impacts of other MobileIron features (iOS) ........................................... 577
Quarantine impact on documents .........................................................577
Retire and wipe impact on documents ...................................................577
Block impact on documents .................................................................578
Jailbreak impact on documents ............................................................578
Impacts of other MobileIron features (Android) ..................................... 579
Supported files in the Mobile@Work for iOS app .................................... 580
Chapter 16 AppConnect ............................................................................ 581
About AppConnect ............................................................................. 582
What are AppConnect-enabled apps? ....................................................582
Secure apps from MobileIron ...................................................................... 582
AppConnect and third-party/in-house secure apps ......................................... 582
AppConnect and AppTunnel .................................................................583
Standard AppTunnel .................................................................................. 583
Advanced AppTunnel ................................................................................. 583
AppConnect apps and Single Sign On ....................................................583
App-specific configuration from MobileIron Core .....................................584
What operating systems support AppConnect? .......................................584
AppConnect for Android ......................................................................584
Supported Android devices ......................................................................... 584
Component compatibility ............................................................................ 584
The Mobile@Work app and the Secure Apps Manager ..................................... 585
Data loss prevention for secure apps for Android ........................................... 585
Data encryption for secure apps for Android .................................................. 586
Special badging for secure apps for Android .................................................. 586
AppConnect for iOS ............................................................................586
Data loss prevention for secure apps for iOS ................................................. 586
Data encryption for secure apps for iOS ....................................................... 586
Adding AppTunnel or Advanced AppTunnel support .................................588
Adding compliance actions ..................................................................589
AppConnect configuration tasks .......................................................... 590
Adding secure apps for deployment ......................................................590
Configuring the AppConnect global policy ..............................................590
AppConnect passcode requirements ............................................................. 591
Configuration steps ................................................................................... 592
Interaction with the lockdown policy ............................................................ 602
Configuring AppConnect container policies .............................................603
AppConnect app authorization ..................................................................... 603
Data loss prevention settings ...................................................................... 603
Automatically created AppConnect container policies ...................................... 603
Configuration tasks ................................................................................... 604
Enabling MobileIron secure apps ..........................................................607
Enabling AppConnect third-party and in-house apps ...............................607
Configuring an AppTunnel service ........................................................608
Configuring an AppConnect app configuration ........................................614
Automatically created AppConnect app configuration ...................................... 614
Automatically provided key-value pairs ........................................................ 615
Configuration tasks ................................................................................... 615
Enabling AppTunnel ............................................................................621
Configuring the Open With Secure Email App option ...............................621
Configuring compliance actions ............................................................621
Managing AppTunnel ......................................................................... 623
Manually blocking the AppTunnel feature on a device ..............................623
Viewing App Tunnels ..........................................................................623
Taking actions on app tunnels ..............................................................624
Using AppConnect for Android ............................................................. 625
Why a Secure Apps Manager? ..............................................................625
AppConnect apps that MobileIron provides for Android ............................625
Third-party AppConnect apps that MobileIron provides for Android ...........626
Hybrid web app support ......................................................................628
PhoneGap apps ..................................................................................628
Hybrid web apps using Advanced AppTunnel ..........................................629
Enabling MobileIron Core licensing options for Android secure apps ..........630
License key support ...........................................................................631
Document types supported by ThinkFree Document Viewer .....................631
Using AppTunnel with the SharePoint Client app .....................................632
Using AppTunnel with the IBM Notes Traveler client app ..........................632
Lock, unlock, and retire impact on AppConnect for Android ......................633
Lock impact .............................................................................................. 633
Unlock impact ........................................................................................... 633
Retire impact ............................................................................................ 634
Copy/Paste for AppConnect for Android .................................................634
Comparison with AppConnect for iOS copy/paste policy .................................. 635
Interaction with Exchange setting ................................................................ 636
DLP policy for browser launching ..........................................................636
Secure File Manager features ...............................................................637
Secure folder access ...........................................................................637
Situations that wipe Android AppConnect app data .................................638
Accessible Android apps to preserve the user experience .........................638
Device details for AppConnect apps for Android ......................................639
Secure Apps Manager Android permission .............................................640
Using AppConnect for iOS .................................................................. 641
AppConnect apps that MobileIron provides for iOS ..................................641
Mobile@Work and AppConnect apps .....................................................641
App checkin and Mobile@Work .................................................................... 642
The AppConnect passcode inactivity timeout and Mobile@Work ....................... 642
Situations that wipe AppConnect for iOS app data ..................................643
Dual-mode apps ................................................................................643
Detailed logging for AppConnect apps for iOS ........................................644
Component compatibility ............................................................................ 644
Log levels ................................................................................................ 644
Log data collection overview ....................................................................... 645
Configuring the log level and debug code ..................................................... 646
Apply labels if necessary ............................................................................ 646
Log level configuration impact on the device ................................................. 647
Activating verbose or debug logging on the device ......................................... 648
Collecting the logs ..................................................................................... 649
Viewing the logs ........................................................................................ 650
Remove log level configuration when no longer needed .................................. 651
Upgrade considerations .............................................................................. 651
Obtaining the Web@Work for Android app .................................................... 677
Obtaining other Android AppConnect apps that interact with Web@Work for Android ... 677
Port Settings .................................................................................... 705
Data Purge ....................................................................................... 707
Specifying what gets purged ....................................................................... 708
Checking actual system storage .................................................................. 709
Setting up the system storage alert ............................................................. 709
Manual purging ......................................................................................... 709
Configuring system backups ................................................................743
Prerequisites ................................................................................. 743
Backup settings ........................................................................................ 743
Enabling backups ...................................................................................... 745
Running an immediate system backup ......................................................... 745
Backup file ............................................................................................... 745
Viewing backup status ........................................................................745
Viewing backup logs ...........................................................................746
Restoring from a system backup ..........................................................747
Requirements ........................................................................................... 747
Procedure ................................................................................................ 747
Restoring data only ............................................................................748
Chapter 22 Troubleshooting ....................................................................... 749
Overview ......................................................................................... 750
Working with logs ............................................................................. 751
Enabling debugging for MobileIron modules ...........................................751
Disabling debugging ...........................................................................751
Disabling all debugging .............................................................................. 751
Disabling debugging for MICS or the employee portal ..................................... 752
Disabling debugging for MIFS packages ........................................................ 752
Clearing logs .....................................................................................752
Viewing logs ......................................................................................752
Viewing only new log entries ....................................................................... 753
Viewing logs by device or user .................................................................... 753
Exporting logs ...................................................................................753
Working with remote (Sentry) logs .......................................................755
Enabling remote logs ................................................................................. 755
Viewing remote logs .................................................................................. 756
help .................................................................................................765
host .................................................................................................765
logout ..............................................................................................766
ping .................................................................................................766
show banner .....................................................................................766
show clock ........................................................................................766
show hostname .................................................................................767
show interfaces .................................................................................767
show ip ............................................................................................767
show log ...........................................................................................768
show logging .....................................................................................770
show logtail .......................................................................................770
show memory ...................................................................................771
show ntp status .................................................................................771
show processes .................................................................................771
show service .....................................................................................772
show software repository ....................................................................772
show tcp ...........................................................................................772
show timeout ....................................................................................773
show version .....................................................................................774
timeout ............................................................................................774
traceroute .........................................................................................774
EXEC PRIVILEGED commands ............................................................. 775
clear arp-cache ..................................................................................776
configure terminal ..............................................................................776
dbcleanup app_inventory ....................................................................777
disable .............................................................................................777
diskcleanup retired_devices .................................................................777
diskcleanup trashed_apps ...................................................................777
end ..................................................................................................778
exit ..................................................................................................778
failover .............................................................................................778
grubupdate .......................................................................................778
install rpm ........................................................................................778
no install rpm ....................................................................................780
poweroff ...........................................................................................780
reload ..............................................................................................780
service .............................................................................................780
setup ...............................................................................................781
show portalacl ...................................................................................782
show running-config ...........................................................................782
show statichost ..................................................................................783
show system .....................................................................................783
show tech .........................................................................................785
software checkupdate .........................................................................785
software update .................................................................................785
ssh ..................................................................................................786
telnet ...............................................................................................786
write ................................................................................................786
CONFIG commands ........................................................................... 787
banner .............................................................................................788
certificate client .................................................................................788
certificate portal ................................................................................789
clock set ...........................................................................................789
do ....................................................................................................789
enable secret ....................................................................................790
end ..................................................................................................790
eula .................................................................................................791
hostname .........................................................................................791
interface GigabitEthernet ....................................................................791
interface VLAN ...................................................................................792
ip arp ...............................................................................................792
ip domain-name ................................................................................793
ip name-server ..................................................................................793
ip route ............................................................................................793
kparam ............................................................................................793
no ....................................................................................................794
ntp ..................................................................................................795
portalacl ...........................................................................................796
service .............................................................................................796
service support ..................................................................................796
software repository ............................................................................797
statichost ..........................................................................................797
syslog ..............................................................................................798
system user ......................................................................................798
INTERFACE mode commands .............................................................. 799
end ..................................................................................................799
ip address .........................................................................................800
no ....................................................................................................800
physical interface GigabitEthernet ........................................................801
shutdown ..........................................................................................801
Implementing web-based registration for iOS and OS X devices .............. 807
Create a pending device report ............................................................808
Appendix B Distributing iOS MDM Profiles with Apple Configurator ...................... 809
Notes on using Apple Configurator .......................................................809
How to use Apple Configurator for MobileIron registration .......................809
Acquiring serial numbers ............................................................................ 810
Bulk-registering the devices ........................................................................ 810
Exporting the MDM profile from MobileIron Core ............................................ 810
Importing the MDM profile into the Configurator ............................................ 810
Applying the MDM profile to the tethered device ............................................ 813
Importing the iOS MDM profile using Apple Configurator 1.4.2 ......................... 814
Saving an email attachment as a local file .................................................... 854
Viewing a local file ..................................................................................... 855
Viewing a local file that has changed on the content server ............................. 856
Deleting a local file .................................................................................... 858
Managing recently opened email attachments ........................................859
Viewing a recent attachment ...................................................................... 859
Saving a recent attachment to a local file ..................................................... 860
Deleting a recent attachment ...................................................................... 862
Opening documents in other apps ........................................................864
Annotating documents in Docs@Work for iOS ........................................866
Saving files for annotation .......................................................................... 866
Saving PDF annotations in the same local file ................................................ 869
Saving a remote SharePoint file for annotation .............................................. 870
Annotating PDFs in Docs@Work ...........................................................871
Adding a note ........................................................................................... 872
Editing text in a note ................................................................................. 872
Removing a note ....................................................................................... 872
Copying and pasting a note ........................................................................ 872
Editing the color or style of a note ............................................................... 873
Adding an annotation (highlight, underline, strike-through) ............................. 873
Editing an annotation ................................................................................. 874
Adding a note to an annotation ................................................................... 875
Removing an annotation ............................................................................ 875
Removing a note attached to an annotation .................................................. 876
Copying an annotation ............................................................................... 876
Editing the color of an annotation ................................................................ 876
Changing Docs@Work Settings ............................................................877
Supported files in the Mobile@Work for iOS app .....................................880
Mobile@Work on an iPad .....................................................................880
The master pane and the detail pane ........................................................... 880
Placement of file handling icons ................................................................... 881
Troubleshooting Wi-Fi setup on Android devices .................................... 904
Displaying the Wi-Fi Setup page ...........................................................905
Understanding and using the Wi-Fi Setup page ......................................907
If the device user enters the wrong password ............................................... 909
Troubleshooting based on results .........................................................909
Profile invalid: Configuration Error ............................................................... 909
Certificate configuration support on the MobileIron for Android app .......... 910
Certificate Setup screen ......................................................................910
Certificate support for Wi-Fi setup ........................................................911
Certificate alerts ................................................................................911
Appendix H Multi-User Support for iOS 913
Using Secure Sign-In ......................................................................... 914
Setting Secure Sign-In preferences ..................................................... 917
Setting unique restrictions for signed-out devices .................................. 918
Example ...........................................................................................918
Enabling Secure Sign-In ..................................................................... 919
User certificates and device certificates .................................................919
Remote sign-out ............................................................................... 920
What gets removed on sign-out .......................................................... 921
Appendix I Android Kiosk Support 923
Requirements ....................................................................................923
Setup steps ...................................................................................... 924
Finding the package name for an Android app ........................................924
Creating an Android Kiosk policy ......................................................... 925
Single-app kiosk policy .......................................................................925
Multiple-apps kiosk policy ...................................................................926
Creating an Android Kiosk configuration ............................................... 929
Enabling/Disabling Android kiosk mode ................................................ 930
From the Admin Portal ........................................................................930
From the kiosk device .........................................................................930
Example .......................................................................................... 931
Device details ................................................................................... 932
Deployment notes ............................................................................. 933
Appendix J The User Portal: MyPhone@Work 935
What is MyPhone@Work? ................................................................... 936
Browser Settings ....................................................................................... 936
Adobe Flash Player .................................................................................... 936
Supported platforms ...........................................................................936
Getting started ................................................................................. 937
Logging in .........................................................................................937
Registering phones .............................................................................938
Searching .........................................................................................939
Logging out .......................................................................................940
Home .............................................................................................. 941
Communication Graph ........................................................................941
Turning nodes into contacts ........................................................................ 943
My Usage ..........................................................................................944
Storage ............................................................................................944
Lost Phone ........................................................................................945
Finding the last known location ................................................................... 945
Locking your phone ................................................................................... 947
Wipe It .................................................................................................... 947
Restoring your phone ................................................................................ 947
If you have more than one phone ........................................................948
My Apps ...........................................................................................948
Contacts .......................................................................................... 949
Displaying contacts ............................................................................949
Searching contacts .............................................................................950
Adding contacts .................................................................................950
Editing contacts .................................................................................951
Deleting contacts ...............................................................................952
Calls & Texts .................................................................................... 953
Showing/Hiding content ......................................................................953
Filtering calls and text ........................................................................953
Using keywords ........................................................................................ 953
Displaying calls and/or texts ....................................................................... 954
Restricting the display to a date range ......................................................... 954
MobileIron Standard Appliance (M2100 2nd Generation) ......................... 964
MobileIron M2500 Series Appliance ...................................................... 966
Appendix L Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates 969
What the HTTP outbound proxy does not apply to ..................................970
Section I: Device Management
Getting Started
Managing Users
Registering Devices
Managing Devices
Managing Policies
Managing Device Settings with Configurations
Managing Certificates
Troubleshooting Devices
Working with Events
Working with MobileIron Sentry
Working with ActiveSync Phones via MobileIron Sentry
Using the SMS Archive Feature
Using Enterprise Connector
Company Confidential
Chapter 1
Getting Started
Administration tools
Setup tasks
Using the Admin Portal
Supported features by OS
Administration tools
MobileIron Core has the following administration tools:
Admin Portal
System Manager
System Manager handles Core configuration and system troubleshooting. See Section III:
System Management for information on using System Manager.
Installation
The Admin Portal is installed as part of the system setup. See the Installation Guide
for installation details.
https://<fully_qualified_hostname>/mifs
Logging out
To log out of the MobileIron Admin Portal, click the Log Out link in the upper right
corner. If you do not log out, your session will expire after a period of inactivity.
Setup tasks
Note: The MobileIron Core CLI command banner, available in CLI CONFIG mode, also
sets this text.
http://www.apple.com/ipad/business/integration/mdm/
MobileIron uses Apple's enhanced MDM certificate infrastructure to streamline the
process of acquiring and uploading an MDM certificate. You can now complete the
following tasks from a single screen within the Admin Portal:
generate a Certificate Signing Request (CSR)
upload the CSR
If you already have an MDM certificate, but have not uploaded it, you can upload it
from the same screen.
5. Click Create a CSR to generate the required property list in Apple's .PLIST XML
format.
This may take a few minutes. Click the Refresh icon to update the status of this
task.
6. Once the plist has been generated, click Download plist.
7. Select a location for the plist when prompted.
The downloaded file is req-plist.txt.
8. Click the Apple Push Certificates Portal link to start the process of requesting the
MDM certificate.
9. When you receive the MDM certificate from Apple, click Upload MDM Certificate.
The Upload MDM Certificate dialog appears.
10. Click Browse to select the MDM certificate.
11. Click Upload Certificate.
6. Click Display Upload Certificate Form. The Upload MDM Certificate dialog appears.
7. Click Choose File to select the MDM certificate.
8. Click Upload Certificate.
To switch from the Admin Portal to the System Manager, select the System Manager
link at the top of any page in the Admin Portal.
You will be prompted to enter a user ID and password. Enter the user ID and
password for the local user created during setup or a local user created in the System
Manager under Security > Local Users.
Note: During setup, two local users having the same credentials are created, one for
Admin Portal and one for System Manager. If you have made changes to the roles or
password for the Admin Portal user, these changes will not affect the System Manager
user.
To switch from the System Manager to the Admin Portal, select the Admin Portal link
at the top right of any page in the System Manager. Note that certain actions
performed in the System Manager may require you to log in again when you switch to
Admin Portal.
To display the panel and leave it open, click the double arrow button in the upper right
portion of the screen. To display the panel and have it close automatically when you
move the cursor away from the panel, click the ? button.
Supported features by OS
Each operating system has features and limitations that differentiate it from the other
operating systems. Depending on the device's operating system and native API, some
of the MobileIron features are available and some are not.
Below is information about the features available for each supported operating
system:
Common feature set on page 43
Android on page 46
BlackBerry 10 on page 48
iOS on page 48
Mac OS X on page 50
Windows Phone 7 on page 50
Windows Phone 8 on page 51
Windows Phone 8.1 on page 52
Windows RT/Pro on page 53
Windows 8.1 RT/Pro on page 53
Supported platforms on page 54
All features in this table are common to both Android and iOS devices. If a feature is
available on only iOS or Android, but not on both, it will not be listed in this table.
Other operating systems are included in this table to provide quick access to
information about the availability of features in comparison with Android and iOS.
See the remaining sections for the full feature set of each operating system.
                        Android  iOS  BlackBerry 10  OS X  WP7  WP8          WP8.1        Win RT/Pro  Win 8.1 RT/Pro
Designate Found Device  yes      yes  -              yes   -    -            -            -           -
Retire Device           yes      yes  -              yes   -    yes          yes          -           yes
Send Message            yes      yes  -              -     -    partial (q)  partial (q)  -           -
Force Check-In          yes      yes  -              yes   -    -            yes          -           yes
Reprovision Client      yes      yes  -              -     -    -            -            -           -
Sync Policy             yes      yes  -              -     -    partial (r)  partial (r)  -           -
Group Actions (Labels)  yes      yes  -              yes   -    yes          yes          -           yes
App Management             Android  iOS (a)  BlackBerry 10  OS X (a)  WP7  WP8      WP8.1    Win RT/Pro  Win 8.1 RT/Pro
Enterprise App Storefront  yes      yes      -              -         -    yes      yes      -           yes
App Distribution Library   yes      yes      -              -         -    yes      yes      -           yes
App Control Policy         yes      yes      -              -         -    -        yes      -           -
App Inventory              yes      yes      -              yes       -    yes (u)  yes (u)  -           -
Install                    yes (i)  yes      -              -         -    yes      yes      -           yes
App Tunneling              yes      yes      -              -         -    -        -        -           -
l SD cards only.
m Device location and app inventory collection can be disabled on iOS and Android devices. App inventory collection
can be disabled on OS X. SMS can be disabled for Android.
n Through Docs@Work.
p Through integration with selected devices and email apps.
q Via email only.
r Push notifications are not supported; therefore, initial sync is supported at registration only, and subsequent changes are
not recognized.
s Only contacts are supported for OS X 10.7 and 10.8. For 10.9 Mavericks, contacts, mail, notes, reminders, and calendar
are supported.
t Via iOS Data Protection.
u In-house and third-party apps only.
v Identity certificates can be distributed via Mobile@Work.
w Only for Wi-Fi settings.
x User registers the device using the native MDM client. An invitation is not sent to the user.
y MobileIron Core only reports the device posture, whether the device is encrypted or not. Encryption policy settings are
not enforced. Device encryption is enabled by default on Windows 8.1 RT devices.
z For Windows 8.1 Pro and RT devices, only PPTP, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect VPN types
are supported.
Android
Bold text indicates that the feature is available on Android and not available on iOS.
Device Inventory | Secure Web Browsing | Exchange (d)
Device Details | Content Server Access | Wi-Fi
Allow / Block | VPN (h)
Wipe | Kiosk (d)
Register
ActiveSync Policy
BlackBerry 10
iOS
Bold text indicates that the feature is available on iOS and not available on Android.
Compliance Actions           Provisioning                       Alerting
Alert via Event Center       Per Device                         International Roaming
Quarantine                   Bulk                               Service Quality Monitoring (e)
Block ActiveSync via Sentry  User Self-Service (By Invitation)  Event Center (f)
Block AppConnect Apps
a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; the Selective Wipe command is not supported.
b Via iOS Restrictions settings.
c Only Location and Apps privacy settings currently apply.
d Through Docs@Work.
e Speed-test and user-reported dropped calls only.
f One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
g Via iOS Data Protection.
Mac OS X
Application Settings
Exchange (b)
Wi-Fi
VPN
Provisioning
Per Device
Bulk
Windows Phone 7
Windows Phone 8
Register
ActiveSync Policy
Windows Phone 8.1
Register
ActiveSync Policy
Compliance Actions
Alert via Event Center (e)
Block ActiveSync via Sentry
a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; the Selective Wipe command is not supported.
b Identity certificates can be distributed via Mobile@Work.
c Enabled by default; cannot be disabled.
d Initial sync is supported at registration only, and subsequent changes are not recognized.
e Only out of contact and out of policy violations are supported. Alerts are only sent by email.
Windows RT/Pro
Supported platforms
The following platforms are supported:
Android 2.3 through 4.4
BlackBerry 10
iOS versions 5.0 through 7.1 (4.x for web-based registrations)
OS X Lion, Mountain Lion
Windows Phone 7, 8, 8.1
Windows RT/Pro
Windows 8.1 RT/Pro
Supported OS X devices
Note: Mac Mini models are not included in the following list. There are no known
issues that would prevent use of the Mac Mini, but this model is currently not covered
by the MobileIron product warranty.
Model ID Model Name
MacBookPro7,1 MacBook Pro (13-inch, Mid 2010)
MacBookPro6,2 MacBook Pro (15-inch, Mid 2010)
MacBookPro6,1 MacBook Pro (17-inch, Mid 2010)
MacBookPro5,5 MacBook Pro (13-inch, Mid 2009)
MacBookPro5,4 MacBook Pro (15-inch, Mid 2009)
MacBookPro5,3 MacBook Pro (15-inch, Mid 2009)
MacBookPro5,2 MacBook Pro (17-inch, Early/Mid 2009)
MacBookPro5,1 MacBook Pro (15-inch, Late 2008)
MacBookPro4,1 MacBook Pro (15/17-inch, Early/Late 2008)
MacBookPro3,1 MacBook Pro (15/17-inch, Mid/Late 2007)
MacBookPro2,2 MacBook Pro (15-inch, Late 2006)
MacBookPro2,1 MacBook Pro (17-inch, Late 2006)
Chapter 2
Managing Users
Introduction to user management
Managing LDAP users
Assigning and removing device user roles
Managing local users in Admin Portal
Language support
User sources
MobileIron supports local users and LDAP users. Local users are entities created in the
local MobileIron database. They are not known to the network or other corporate
services. LDAP users are imported from your organization's LDAP server.
In most cases, you will configure an LDAP server and import LDAP users.
Local users created in the Admin Portal can be used for registering devices and
accessing Admin Portal and MyPhone@Work. Local users created in the System
Manager can be used in the System Manager and the CLI.
misystem user
misystem is a default MobileIron Core user used for the following tasks:
creates the default rules and policies
executes system maintenance tasks
This user is not listed in the Admin Portal, and it has no roles assigned to it.
Though these two users start with the same name and password, they are separate
users stored in separate databases. Changes made to one do not affect the other. For
example, if you change the password for the Admin Portal user, the password for the
System Manager user does not change.
Note that an administrator can use multiple tabs of a single browser without being
logged off. An administrator can also use multiple windows of the same browser on
the same machine without being logged off.
By default, the user management screen displays the Authorized Users view. This
view includes LDAP and local users. Select LDAP Entities from the To dropdown list to
display only LDAP entities.
Required role
The Manage user role is required for access to the user management screen.
For each LDAP server you configured according to the Installation Guide, you specified
the set of LDAP groups that MobileIron Core gets from the LDAP server. Specifying this
set improves Core performance when you use the Admin Portal to access LDAP
groups. Because Core has already stored all necessary LDAP group information, no
immediate communication with the LDAP server is necessary to complete a task
involving LDAP groups.
Note: If you want an LDAP user to have access to MyPhone@Work, then you must
assign the User Portal role. Likewise, access to features in the Admin Portal requires
the appropriate roles.
4. In the Search by Name field, enter text that will match an LDAP user entry in the
selected category, based on first name, last name, or account name.
You may use % as a wildcard. For example, to search for all users having smith at
the end of the user ID, you would enter %smith.
5. Click the search icon.
The matching user records are displayed.
LDAP does not report members for a group that is also the Primary Group for those
members. If you do not see the users you expect, examine your LDAP configuration.
Consider using OUs, instead.
Click the link next to an authorized LDAP entity to display the associated entities.
3. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting.
4. In the text box labeled Search By LDAP Groups, enter the first characters of an
LDAP Group that you want to select.
5. Click the search icon.
The LDAP Groups in the LDAP server that match the search request appear in the
Available section.
6. Click the right arrow to move one or more LDAP groups to the Selected section.
7. Repeat steps 4 through 6 for other LDAP Groups.
8. Click Save.
Note: For LDAP groups, each synchronization syncs only the LDAP groups that you
specified in the LDAP Setting page at Settings > LDAP.
This option is enabled by default and set to 25%. This default ensures that abnormal
behavior on the part of the LDAP system will not result in unnecessary, disruptive
updates in MobileIron Core and removal of configurations from registered devices.
Consider changing or disabling this setting if you are going to make major changes to
your LDAP system. Be sure to confirm that the changes are acceptable before
disabling this feature.
When a sync is discarded, a message appears under Settings > Service Diagnostic. The
message contains the LDAP counts before and after the sync and the percentage
configured in the Enable Sync Discard setting.
Consider the following steps when the sync fails for this reason:
1. Did the issue first start at about the same time as a major change to the LDAP
environment?
This would suggest that a valid change in the LDAP environment triggered the
discard.
2. Has the sync failed once or multiple times?
If sync has failed once, try a manual sync. If sync has failed multiple times, determine
whether a change was made to the LDAP environment. If you are unable to find a
major change, consider changing the percentage for the Enable Sync Discard setting.
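A model of the Enable Sync Discard safeguard and of the troubleshooting decision above, added here as an example and not part of the MobileIron guide or product. It assumes a sync is discarded when the LDAP count after the sync differs from the count before it by more than the configured percentage (default 25%); the guide does not spell out the exact comparison, so that rule is an assumption.

```python
"""Added example (not MobileIron's code): model the Enable Sync Discard check
and the two troubleshooting questions the guide asks after a discarded sync.
Assumption: a sync is discarded when the post-sync LDAP count differs from the
pre-sync count by more than the configured percentage, in either direction."""
from dataclasses import dataclass


@dataclass
class SyncDecision:
    discarded: bool
    before: int          # LDAP count before the sync
    after: int           # LDAP count reported by the sync
    change_pct: float    # relative change, in percent
    message: str         # text in the style of the Service Diagnostic message


def evaluate_sync(before: int, after: int,
                  threshold_pct: float = 25.0, enabled: bool = True) -> SyncDecision:
    """Decide whether an LDAP sync result is applied or discarded."""
    if before == 0:
        # Nothing to compare against: any non-empty result counts as a full change.
        change_pct = 0.0 if after == 0 else 100.0
    else:
        change_pct = abs(after - before) / before * 100.0
    discarded = enabled and change_pct > threshold_pct
    if discarded:
        message = (f"LDAP sync discarded: {before} entries before sync, {after} after "
                   f"({change_pct:.1f}% change exceeds the Enable Sync Discard "
                   f"setting of {threshold_pct:g}%)")
    else:
        message = f"LDAP sync applied: {before} entries before sync, {after} after"
    return SyncDecision(discarded, before, after, change_pct, message)


def next_step(consecutive_failures: int, major_ldap_change_found: bool) -> str:
    """Recommendation that follows the guide's troubleshooting steps."""
    if consecutive_failures <= 1:
        return "Try a manual sync"
    if major_ldap_change_found:
        return ("A valid change in the LDAP environment triggered the discard; "
                "confirm the change is acceptable before disabling the check")
    return "No major LDAP change found; consider changing the Enable Sync Discard percentage"


if __name__ == "__main__":
    # Constructed sample: an LDAP outage returns only 600 of 1000 known users.
    print(evaluate_sync(1000, 600).message)
    print(next_step(3, major_ldap_change_found=False))
```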
Moving between the LDAP user display and the local user view
To move back to the local user view, select Authorized Users from the To dropdown
list.
The MobileIron Server recognizes the following roles for device users:
Role Description
User Portal: Allows access to the User Portal (MyPhone@Work). For iOS and Android,
this role is required for registration unless PIN-based registration is configured. For
WP8, this role is required for registration. With User Portal selected, you can choose
to enable or disable the following roles:
    MyPhone@Work Locate
    MyPhone@Work Lock
    MyPhone@Work Wipe
    MyPhone@Work Registration
Local users receive User Portal access by default, but LDAP users do not.
MyPhone@Work Locate: Enables end users to locate their phones from MyPhone@Work.
MyPhone@Work Lock: Enables end users to lock their phones from MyPhone@Work.
MyPhone@Work Wipe: Enables end users to wipe their phones from MyPhone@Work.
MyPhone@Work Registration: Enables end users to register phones from the
MyPhone@Work user portal. If this role is not applied, then the Add a Phone link does
not appear in the MyPhone@Work portal. However, iOS and Android users can still
register devices from within the MobileIron app. If you want to prevent additional
registrations from within the app, consider requiring a Registration PIN (Settings >
Preferences).
The new roles take effect the next time an affected user logs in. A user who is logged
in when the change is made must log out and log back in to see the effects of the
change.
Field Description
User ID: Enter the unique identifier to assign to this user.
Note: If you are using local users and LDAP users, the user ID cannot match that of
an LDAP user.
First Name: Enter the user's first name.
Last Name: Enter the user's last name.
Display Name: Optional name used to identify the device user. If you leave this field
blank, then the display name will have the following format:
Firstname Lastname
Password: Enter a password for the user. The password has the following
requirements:
    Passwords must have at least 8 characters.
    Passwords must contain at least 1 alphabetic character.
    Passwords must contain at least 1 numeric character.
    Passwords cannot have 4 or more repeating characters.
    Passwords cannot be the same as the user ID.
    Passwords may contain Unicode characters, except for CLI access.
    Users cannot change a password more than once during a 24 hour period.
4. Click Save.
5. Assign the necessary roles. See Assigning and removing device user roles on
page 67.
Note: The Manage user role is required for completing this task.
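A checker for the local user password requirements listed in the Password field above, added here as an example; it is not MobileIron's code. It assumes that "4 or more repeating characters" means four or more identical characters in a row, and it takes the time since the last change as a number of hours rather than looking it up anywhere.

```python
"""Added example (not MobileIron's code): validate a candidate local-user
password against the requirements in the Add User dialog.
Assumptions: "4 or more repeating characters" is read as 4+ identical characters
in a row; the 24-hour rule is checked from hours elapsed since the last change."""
import re
from typing import List, Optional

MIN_LENGTH = 8
REPEAT_PATTERN = re.compile(r"(.)\1{3,}")   # same character 4 or more times in a row
CHANGE_INTERVAL_HOURS = 24


def password_violations(password: str, user_id: str, cli_access: bool = False,
                        hours_since_last_change: Optional[float] = None) -> List[str]:
    """Return the rules the candidate password breaks; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("must have at least 8 characters")
    if not any(ch.isalpha() for ch in password):
        violations.append("must contain at least 1 alphabetic character")
    if not any(ch.isdigit() for ch in password):
        violations.append("must contain at least 1 numeric character")
    if REPEAT_PATTERN.search(password):
        violations.append("cannot have 4 or more repeating characters")
    if password == user_id:
        violations.append("cannot be the same as the user ID")
    # Unicode is permitted in general but not for an account that needs CLI access.
    if cli_access and not password.isascii():
        violations.append("Unicode characters are not allowed for CLI access")
    if (hours_since_last_change is not None
            and hours_since_last_change < CHANGE_INTERVAL_HOURS):
        violations.append("cannot be changed more than once in a 24 hour period")
    return violations


def is_acceptable(password: str, user_id: str, **kwargs) -> bool:
    """True when the candidate password satisfies every requirement."""
    return not password_violations(password, user_id, **kwargs)


if __name__ == "__main__":
    # Constructed samples: one acceptable password and one that breaks two rules.
    print(password_violations("Passw0rd", "alice"))       # []
    print(password_violations("aaaa1234", "aaaa1234"))    # repeats, equals user ID
```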
3. Click the Edit icon for the user entry to display the Edit User dialog.
4. Make the changes to the displayed information.
See Adding local users in Admin Portal on page 69 for information on completing
each field.
5. To change the user password, click the Change Password link.
6. Click Save.
2. Click the checkbox for the local user you want to match.
3. Click Link to LDAP.
Note: Existing roles for the local user are removed. The next time the user
authenticates, roles will be applied based on the LDAP group of the corresponding LDAP user.
Language support
MobileIron currently provides the following language support features:
Translated versions of clients
Selection of supported languages
Default language selection
Changing language selection from Admin Portal
Selecting languages
You may choose to enable or disable languages for the messages sent from MobileIron
Core to devices. For example, if you have only Japanese-speaking users, you may
prefer to remove the other message templates from the Admin Portal.
2. Under Language Preferences, move the supported languages to the preferred list:
Disabled Languages or Enabled Languages.
3. Click Save.
Chapter 3
Registering Devices
Overview of registration methods
Registration considerations by OS
Registration by administrator: individual devices
Registration by administrator: multiple devices (bulk registration)
Invite users to register
In-app registration for iOS and Android
ActiveSync device registration
Tracking registration status
Managing operators and countries
Specifying eligible platforms for registration
Configuring user authentication requirements for registration (iOS, Android, Windows Phone)
Customizing registration messages
Registration notes
The process resulting from these methods may vary by device OS.
Best for
This method is best for the following scenarios:
adding the first few devices to a new system
adding a few new devices to an existing system
Prerequisites
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, WP8.1, and Android, the User Portal role must be assigned to the
user.
The following information must be available for the device:
phone number (if any)
country
platform
See
Registration by administrator: individual devices on page 87
Best for
This method is best for the following scenarios:
adding a significant number of devices
rolling out multiple devices into a production environment
registering devices managed by BES 4.x
using web-based registration with iOS devices (see Web-based Registration for iOS
and OS X Devices on page 805)
Prerequisites
LDAP users specified in the CSV file must be available for selection. Local users that
have not been created already will be created as part of the Bulk Registration
process.
For iOS, WP8, and Android, the User Portal role must be assigned to the users.
The following information must be available for the device:
phone number (if any)
country
platform
See
Registration by administrator: multiple devices (bulk registration) on page 90
See
Invite users to register on page 94
Best for
adding iOS or Android devices for users who do not require assistance
Prerequisites
This feature depends on access to the MobileIron Gateway; therefore, the
corresponding port must be properly configured. See the Pre-Deployment Checklist in
the Installation Guide for details. The User Portal role must be assigned to the user.
To auto-populate the MobileIron Core server name during registration, the following
setup is required:
The user associated with the device must be known as an LDAP user or defined
as a local user.
To auto-populate based on the device phone number, for details.
To auto-populate based on the email address, you must register your VSP with
MobileIron.
See
In-app registration for iOS and Android on page 96
Best for
adding devices for users who do not require assistance
Prerequisites
Users must have the User Portal role assigned, with the MyPhone@Work Registration
option enabled.
The user needs to know the following information for the device:
phone number (if any)
country
platform
See
MyPhone@Work User Guide
Best for
devices accessing email via ActiveSync
Prerequisites
MobileIron Sentry must be installed and configured.
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, and Android, the User Portal role must be assigned to the user.
You need to know the following information for the device:
phone number (if any)
country code
platform
See
ActiveSync device registration on page 98
Registering an Apple TV
You can register an Apple TV to MobileIron Core only through the Apple Configurator
1.4.2 or 1.5.
Before you begin:
The Apple TV must be running Apple TV software update 6.0.1 through 6.1.
The Apple TV must be connected to your corporate network. You can do this by
configuring Wi-Fi on the Apple TV or connecting the Apple TV to Ethernet.
You can do the following when you manage an Apple TV running iOS 7 with MobileIron
Core:
View device information.
Distribute Wi-Fi profiles to the Apple TV.
Retire the device.
The URL is based on the MobileIron Registration Protocol (MIRP). The link you provide
on the web portal must have the following format:
Usage notes
The ampersand character is reserved. If you require an ampersand in a field value,
it must be URL-escaped to a character code (i.e., %26).
Unsupported keys will be ignored.
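An added example, not code from the guide or from MobileIron, that shows the two usage notes in practice: a builder that percent-encodes every field value so an ampersand becomes %26, and a parser that drops keys it does not recognize. The key names server, user and passcode and the base URL are placeholders chosen for the example; the extract above does not list the real MIRP keys.

```python
from urllib.parse import quote, urlsplit, parse_qsl

# The MIRP key names are not reproduced in this extract of the guide; these
# three are placeholders chosen for the demonstration, not real MIRP keys.
SUPPORTED_KEYS = {"server", "user", "passcode"}


def build_registration_link(base_url, fields):
    """Join field values into a query string, percent-encoding each value.

    An unescaped ampersand inside a value would be read as the separator
    between fields; quote() turns it into %26 so the value arrives intact."""
    query = "&".join(
        f"{key}={quote(str(value), safe='')}" for key, value in fields.items()
    )
    return f"{base_url}?{query}"


def parse_registration_link(url):
    """Return the supported fields of a link; unsupported keys are dropped,
    matching the guide's note that they are ignored."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {key: value for key, value in pairs if key in SUPPORTED_KEYS}
```

The second assertion in the test shows what goes wrong without escaping: a raw "ops&sec" is split at the ampersand, the user value is truncated to "ops", and the remainder is discarded as an unknown key.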
Registration considerations by OS
Before you begin registering devices, you should be aware of OS-specific features and
dependencies.
iOS
iOS registration currently depends on acquiring the MobileIron Client from the
iTunes App Store. Therefore, an iTunes account is required. You do not need a
credit card in order to establish an iTunes account; just start downloading the
MobileIron app to a PC or Mac, click Create New Account, and select None as your
payment method.
If you have configured a MobileIron Sentry to support iOS devices connecting via
ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone) on page 103 for information on specifying behavior for this feature. Note that registration PINs are not supported for iOS managed apps.
For MDM-enabled iOS devices, MDM features are not dependent on the MobileIron Client after registration. Therefore, if a user uninstalls the MobileIron Client, features like app inventory will continue to function.
If you need to register many iOS devices on behalf of users, as when iPhones are
purchased by the corporation and rolled out in bulk, depot-style registration may be
preferable. See Web-based Registration for iOS and OS X Devices on page 805.
You can register an Apple TV to MobileIron Core only through the Apple Configurator. See Registering an Apple TV on page 81.
Android
Android registration currently depends on acquiring the MobileIron Client from Google Play (formerly Android Market).
For devices that cannot access Google Play, provide another way for the device
users to get the Mobile@Work for Android app. For example, email the app to the
device users. You can also place the app on a website and provide the URL to the
device users.
Configuring the Server Name Lookup preference (in Admin Portal under Settings > Preferences) makes registration easier by automatically filling in the server address for the user (US only). Note that the administrator must initiate registration or invite the user to register. Contact Customer Support to register your server.
If you have configured a MobileIron Sentry to support Android devices connecting
via ActiveSync, then you can initiate registration from the ActiveSync Devices
screen.
By default, the user is required to enter a password to register the device. If you
prefer, you can change this behavior to require a MobileIron-generated Registration
PIN instead, or to require both a password and a Registration PIN. See Configuring
Note: These devices do not have device management features. However, these devices can sync using Exchange ActiveSync and be managed using ActiveSync policies.
Windows Phone 8
Single device registration, bulk registration, and invitations to register are supported for Windows Phone 8 (WP8) devices.
Registration of the WP8 device is done through the WP8 native client.
The Mobile@Work app is installed as part of the registration process.
The User Portal role is required for WP8 device registration whether PIN-based registration is required or not.
If PIN registration is enabled on MobileIron Core (in the Admin Portal, Settings > Preferences) the device user must first verify the PIN before registering the device.
The device user is required to enter a username (email) and password to register
the WP8 device even when PIN registration is enabled.
Device registration fails if the device user enters a password that contains UTF-8
characters.
If auto discovery is not set up, the registration process requires the device user to
enter the VSP server address (FQDN). The device user will also have to enter the
VSP server address when logging into Mobile@Work for the first time.
If auto discovery is not set up, the registration process requires the device user to
enter the VSP server address (FQDN). The device user will also have to enter the
VSP server address when logging into Mobile@Work for the first time.
Device registration fails if the device user enters a password that contains special
characters.
Item / Description

User
Enter user information to locate the user account. For example, you might enter the user ID, first name, last name, or email address. Select the user you want to work with from the dropdown list of matching accounts.

This device has no phone number.
If you do not have a cellular operator for the device or a data plan with your current operator, select This device has no number.
Why: MobileIron Core will communicate with the MobileIron Client that will be installed on the phone. For devices that have cellular service, cellular is used. For devices that do not have cellular service, such as iPods and PDAs, Wi-Fi can be used.

Device Platform
Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled. See Specifying eligible platforms for registration on page 102.
Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.

Country
Select one of the supported countries from the dropdown list. Selecting the correct country populates the Country Code field. If the country you need is not displayed, you may need to alter the default country list. Select Settings > Preferences.

Mobile
Enter the phone number for the device. Your selection from the Country list will populate the Country Code field. Enter the prefix and number without spaces, dashes, leading zeros, or parentheses. For example, you would enter a typical US phone number as 4085555555. You would enter a typical UK phone number as 7889524526.
Why: This is the number that MobileIron will use as the target for the registration SMS message.

Operator
Select the name of the mobile service operator for this phone. If you selected a country having a country code other than 1, then this field is hidden.
Why: The name of the operator is required for proper transmission of SMS messages used for communication between MobileIron Core and the device. For devices having a country code other than 1, the operator is automatically identified and need not be specified.
Note: You can determine whether an operator is displayed in the list by selecting Operators under the Settings tab in the Admin Portal.

Device Owner
Select Company if this phone is owned by the enterprise. Select Employee if this phone is owned by the user. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 143 for information on labels.
Why: Administrators may want to assign different policies to phones based on ownership.

Device Language
To communicate with the device user in a language other than the default language, select a language from the dropdown list. Languages must first be enabled under Settings > Preferences. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.

Email User
Clear this check box if you do not want the user to receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then clear this option. Select this option if the device is in the owner's possession.
Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.
4. Click Register.
After a brief pause, a popup displays listing instructions for the next step. The content of this popup varies based on the OS and type of the device. Consider leaving this message displayed until the registration has been completed. Note that the instructions also appear in the log.
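The Country, Mobile and Operator rules from the registration form above as input validation, added here as an example and not code from the guide or the product: the normalizer strips spaces, dashes, parentheses and leading zeros, and the operator is required only when the country code is 1. The country-to-code table is constructed for the example; the sample numbers are the ones the guide uses.

```python
import re

# Constructed country table. The guide says the Country choice populates the
# Country Code field but does not list the codes; these three are examples.
COUNTRY_CODES = {"United States": "1", "United Kingdom": "44", "Germany": "49"}


def normalize_mobile_number(raw):
    """Return the number in the form the Mobile field expects: digits only,
    with spaces, dashes, dots, parentheses and leading zeros removed."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if not digits.isdigit():
        # A '+' or letters mean the caller passed a dialling prefix or junk;
        # the country code is a separate field, so reject rather than guess.
        raise ValueError(f"unexpected characters in phone number: {raw!r}")
    digits = digits.lstrip("0")
    if not digits:
        raise ValueError("phone number has no significant digits")
    return digits


def registration_target(country, raw_number, operator=None):
    """Return (country_code, number, operator) for the registration SMS.

    The Operator field is hidden for any country code other than 1 because
    the operator is identified automatically there; for code 1 it is required."""
    code = COUNTRY_CODES[country]
    number = normalize_mobile_number(raw_number)
    if code == "1":
        if not operator:
            raise ValueError("operator is required for country code 1")
        return code, number, operator
    return code, number, None
```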
device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.
If the user does not respond within 24 hours, MobileIron sends a reminder. After 120
hours, the registration expires. This expiration interval is configurable (Settings >
Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).
For BES 4.x devices deployed via BES, the user does not receive the SMS or email and
does not enter any input.
See Overview of registration methods on page 78 for points to consider before using
this registration method.
If the user does not respond within 24 hours, MobileIron sends a reminder. After 120
hours, the registration expires. This expiration interval is configurable (Settings >
Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).
See Overview of registration methods on page 78 for points to consider before using
this registration method.
To send invitations:
1. Click the Users Management link in the Users & Devices page.
2. Select the type of user accounts you want to work with:
Select Authorized Users from the To dropdown list to select from local user
accounts.
Select LDAP Entities from the To dropdown list to select users from the configured LDAP server.
3. Click the checkbox next to each user you want to invite.
4. Click the Send Invitation button.
5. Review the default text for the invitation and make any changes.
The text is displayed here with HTML markup. The user will receive the formatted
version.
6. Click Send.
See Overview of registration methods on page 78 for points to consider before using
this registration method.
Users must enter their full email address when prompted to enter their user name in
the registration screen. MobileIron matches the email domain to the appropriate
MobileIron Core and populates the registration screen with the correct server name.
See Overview of registration methods on page 78 for points to consider before using
this registration method.
To register an ActiveSync phone with MobileIron:
1. Select the ActiveSync Associations link under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be registered.
3. Click the Register button.
4. See Registration by administrator: individual devices on page 87 for instructions
on completing the registration process.
Note: If a BES-managed device does not change from the Verified state to the Active
state, consider resending the provision message.
For non-US devices, country selection is an important part of the registration process.
MobileIron also provides a default list of countries enabled for registration purposes.
You may need to adjust this list to enable additional countries.
Enabling operators
Enabling an operator displays it in the list of operators presented to users during registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the Operators screen.
By default, the Operators screen shows only Enabled operators.
2. Select Disabled or All from the Status dropdown.
3. Click the checkbox next to each operator you want to enable.
4. Click Enable.
Disabling operators
Disabling an operator removes it from the list of operators presented to users during
registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the
Operators screen.
By default, the Operators screen shows only Enabled operators.
2. Click the checkbox next to each operator you want to disable.
3. Click Disable.
Filtering operators
You can use filters to display only those operators you want to work with in the Operators screen. You can:
Search for a specific operator
Display operators by country
Display operators by status
3. In the Enabled Platforms list, select the platform you want to exclude.
Shift-click platforms to select more than one.
4. Click the left arrow button to move the selected platforms to the Disabled Platforms
list.
5. Click Save.
All methods of registration now exclude the selected platforms.
At this point, the device Status in the Users & Devices > Devices page shows as Pending.
The device user must verify the PIN before completing the registration process on the WP8 device. If the PIN is not verified before continuing the registration process on the device, the device registration fails.
After the PIN is verified, the device Status in the Users & Devices > Devices page shows as Verified.
Once the PIN is verified, the device user is ready to complete the registration on the device. See Getting started with Windows Phone 8 for instructions on how to register the WP8 device. After registration on the device is completed, the device Status in the Users & Devices > All Devices page shows as Active.
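The Pending, Verified and Active states described here, together with the 24-hour reminder and the configurable registration expiry (default 120 hours, maximum 4320) described earlier in this chapter, as a small state machine. This is an added example, not the product's code; the Registration class, the Expired state, the constant-time PIN comparison and the constructed start time are assumptions made for it.

```python
import hmac
from datetime import datetime, timedelta, timezone

MAX_PASSCODE_EXPIRY_HOURS = 4320      # 6 months, the largest Passcode Expiry value
DEFAULT_PASSCODE_EXPIRY_HOURS = 120   # registration expires after 120 hours by default
REMINDER_AFTER = timedelta(hours=24)  # reminder goes out after 24 hours without a response


class RegistrationError(Exception):
    pass


def example_start():
    """Constructed start time for the example (UTC); not a real timestamp."""
    return datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


class Registration:
    """Pending -> Verified -> Active, with the PIN expiring on the Passcode
    Expiry clock. A model written for this example, not the product's code."""

    def __init__(self, user_id, pin, started_at,
                 expiry_hours=DEFAULT_PASSCODE_EXPIRY_HOURS):
        if not 1 <= expiry_hours <= MAX_PASSCODE_EXPIRY_HOURS:
            raise ValueError(
                f"Passcode Expiry must be between 1 and {MAX_PASSCODE_EXPIRY_HOURS} hours")
        self.user_id = user_id
        self._pin = pin
        self.started_at = started_at
        self.expires_at = started_at + timedelta(hours=expiry_hours)
        self.status = "Pending"

    def reminder_due(self, now):
        """True once 24 hours have passed with the PIN still unverified."""
        return self.status == "Pending" and now >= self.started_at + REMINDER_AFTER

    def is_expired(self, now):
        return now >= self.expires_at

    def verify_pin(self, pin, now):
        """Admin-side PIN check; succeeds only from Pending and before expiry.
        An expired PIN cannot be renewed in place: the device is retired and
        re-registered, which issues a new PIN."""
        if self.is_expired(now):
            self.status = "Expired"
            raise RegistrationError(
                "PIN expired: retire the device and re-register it to get a new PIN")
        if self.status != "Pending":
            raise RegistrationError(f"PIN cannot be verified in state {self.status}")
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        if not hmac.compare_digest(pin, self._pin):
            raise RegistrationError("PIN does not match")
        self.status = "Verified"
        return self.status

    def register_on_device(self):
        """The device-side step; it fails unless the PIN was verified first."""
        if self.status != "Verified":
            raise RegistrationError(
                "device registration fails: PIN was not verified before registering")
        self.status = "Active"
        return self.status
```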
When a WP8 device is in Verified state, the device user can successfully register
another device using the same username.
If the user removes the MobileIron account from the WP8.1 device, a new PIN is
required to re-register the device.
If the PIN expires you must first Retire the device in the Admin Portal, then re-register
the device. This generates a new PIN. Re-provisioning is not supported (Users &
Devices > Devices > Action > More Actions > Re-provision Device).
Variable descriptions
The following table describes the variables used in registration messages.
Variable / Description

$BRAND_COMPANY_NAME$
An internal variable.

$ENT_NAME$
The name of the organization using MobileIron Core to secure the device. See Settings > Preferences > Enterprise Name.

$INAPP_REG_STEPS$
Combines $SERVER_URL$, the user's LDAP password, $PASSCODE$, and $USER_ID$.

$PASSCODE$
The registration PIN generated for the device by Core.

$PASSCODE_TTL$
The number of hours that the registration PIN remains valid. See Settings > Preferences > Passcode Expiry.

$PHONE$
The phone number associated with the device.

$REG_LINK$
The URL that users access to complete the registration process (i.e., https://server name:port/i for iOS, https://server name:port/a/ for Android, and https://server name:port/v/passcode for others).

$SERVER_URL$
The MobileIron Core server address used for iOS/Android registration.

$USER$
The name of the user associated with the device, as displayed in MobileIron Core.

$USER_ID$
The user ID for the user associated with the device, as defined in the user account on Core.
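The variables above as a message template expander, added here as an example and not code from the MobileIron guide or product. The $REG_LINK$ paths follow the table (/i, /a/, /v/passcode); the template text, server name, port, user values and the wording composed for $INAPP_REG_STEPS$ are constructed for the demonstration.

```python
import re

# Placeholder pattern: $NAME$, as in the variables table.
_VAR = re.compile(r"\$([A-Z0-9_]+)\$")


def registration_link(server, port, platform, passcode):
    """Build $REG_LINK$ for a platform: /i for iOS, /a/ for Android,
    /v/<passcode> for all others, as listed in the table."""
    base = f"https://{server}:{port}"
    if platform == "iOS":
        return f"{base}/i"
    if platform == "Android":
        return f"{base}/a/"
    return f"{base}/v/{passcode}"


def message_variables(server, port, platform, passcode, passcode_ttl,
                      phone, user, user_id, enterprise):
    """Assemble the variable map for one registration message.

    $INAPP_REG_STEPS$ is composed from the other variables; the product's
    exact wording is not given in the guide, so this text is an assumption."""
    server_url = f"https://{server}:{port}"
    variables = {
        "ENT_NAME": enterprise,
        "PASSCODE": passcode,
        "PASSCODE_TTL": passcode_ttl,
        "PHONE": phone,
        "REG_LINK": registration_link(server, port, platform, passcode),
        "SERVER_URL": server_url,
        "USER": user,
        "USER_ID": user_id,
    }
    variables["INAPP_REG_STEPS"] = (
        f"Open Mobile@Work, enter server {server_url}, user ID {user_id}, "
        f"your LDAP password, and the PIN {passcode}."
    )
    return variables


def expand_message(template, variables):
    """Replace every $NAME$ in the template. An unknown name raises instead
    of being sent to a user with the placeholder left in place."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown registration variable ${name}$")
        return str(variables[name])
    return _VAR.sub(substitute, template)
```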
Registration notes
Chapter 4
Managing Devices
Overview of managing devices and users
Displaying device assets
Registration-related features and tasks
Security-related features and tasks
Maintenance features and tasks
Using labels to establish groups
Delegated administration
Working with Apple DEP devices
Company Confidential
111
Managing Devices
The Users & Devices page in the Admin Portal provides access to these features.
Column / Description

User
Displays the full name of the user registered with this phone.

Number
Displays the phone number.

Device
Displays the make and model of the device. If you have MDM for iOS enabled and the View MDM Alerts option selected under Settings > Preferences > MDM Preferences, then entries for iOS devices that need attention will include alert icons. See Alerts displayed in the Devices page on page 115 for information on alerts and what they mean.

OS
Displays the operating system running on the phone as reported by the MobileIron Client running on the phone.

Country
Displays the home country for the device.

Status
Displays the state for each device:
Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
Active means that the MobileIron Client has been successfully downloaded and connected back to MobileIron Core at least once.
Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
Infected means that MobileIron Core detected a virus attached to a document on the device and attempted to remove the virus.
Wiped means that the phone has been restored to factory defaults.

Registration Date
Date the device registered.

Last Check-In
Displays the elapsed time since the device was able to update profiles and configurations from MobileIron Core.

E/C
Indicates whether the phone has been registered as employee owned (E) or company owned (C).

Operator
Displays the name of the service provider specified when the phone was registered with MobileIron.

Language
Displays the language currently used for messages sent to the device. If the device reports a locale, then the language associated with that locale is used. If the device has not reported a locale, then the default language is used, or you can set a specific language by selecting More Actions > Change Language.
Alert Icon / Alert Name / Description / Action

Alert: Data Protection Disabled (iOS only); MobileIron iOS Multitasking is Disabled
Description: Data Protection: one of the following MDM-mandated security requirements is not being met: the passcode is not set, or encryption is not fully enabled. Multitasking: the MobileIron multitasking feature for iOS is not enabled, most likely because Location Services has not been enabled on the device.
Action: Display the tooltip for the alert icon. For tooltip Passcode Required, inform the user that MDM mandates setting a passcode on the device. For tooltip Restore Required, inform the user that the device must undergo a complete restore after upgrade from iOS 3.x to fully enable encryption features. For tooltip MobileIron iOS Multitasking is Disabled, confirm that Location Services is enabled on the device. For iOS 4.2, go to Settings > General > Location Services. For iOS 4.3 and higher, go to Settings > Location Services. For iOS 7.0 and higher, go to Settings > Privacy > Location Services > MobileIron and enable.

Alert: Unlocked Device (iOS and Android only)
Description: The OS has been compromised. On iOS devices, Mobile@Work prevents the user from accessing Docs@Work features. See Jailbreak impact on documents on page 578.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Association page. Inform the user that the device must be restored.

Alert: App Control Violation
Description: An app control rule has been violated.
Action: Expand the device's Device Details panel to see specific information on the violation. See App control alerts on page 538.

Alert: Quarantined (iOS only)
Description: Configurations have been removed from the device due to a security violation.
Action: See Viewing quarantine information on page 199.

Alert: Device Administrator Not Activated (Android); MDM Profile Removed (iOS)
Description: Device Administrator Not Activated: the device administrator privilege is not activated for the MobileIron app or the Samsung DM Agent. (See Uninstalling the Samsung DM Agent on page 899 for information on this agent.) The device administrator privilege is required for most of the device management features that MobileIron provides.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Association page. Inform the user that the privilege must be restored.
To close device details, click the X in the top right of the panel, or click the down arrow
next to the checkbox.
Additional information is found in the tabs on the right side of the panel.
The categories and information available on the right side of the Device Details panel
are:
For information about details displayed relating to AppConnect for Android, see
Device details for AppConnect apps for Android on page 639.
For WP8 devices, the device capacity, RAM, and storage used information is not available. The phone number and the country information are available only if the Admin or the device user provides the information when registering the device on the Admin Portal or on MyPhone@Work (User Portal).
For Windows 8.1 RT and Pro devices, the phone number, country, and operator information is not available.
In addition, for WP8.1 devices, the following information is also displayed for dual SIM
phones:
IMEI2
IMSI2
WP Roaming2
Export to CSV
Click on Export to CSV to download the records shown on the Admin Portal > Users &
Devices > Devices page as a CSV file.
The enhanced Export to CSV feature provides access to numerous additional device attributes that were previously unavailable. The attributes are organized into platform-specific groups to make it easy to report on the relevant attributes for the devices you're working with.
You can also apply advanced search criteria to a new or existing label.
Basic searching
You can quickly search for devices based on the following criteria:
label
iOS MAC Address
iOS Serial Number
iOS UDID
User Principal/ID
User Email Address
User First/Last Name
To search by label, select the appropriate label name from the Labels list.
To search by the other criteria, select any automatic label in the Labels list, and then
use the following syntax in the Search By User Or Device field:
mac:<iOS MAC Address>
sn:<iOS Serial Number>
udid:<iOS UDID>
uid:<User Principal/ID>
mail:<User Email Address>
name:<User First/Last Name>
Note that the prefixes mail: and name: are optional. All others are required. For example, to find the devices registered with the email address jdoe@mobileiron.com, you can enter the following:
mail:jdoe@mobileiron.com
or just
jdoe@mobileiron.com
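The basic search syntax above, implemented against a constructed inventory; this is an added example and not code from the guide or the product. The device records, the addresses other than the guide's own jdoe@mobileiron.com, and the rule that unprefixed input containing an @ is an email address (and anything else a name) are assumptions made for the example.

```python
import re

# Constructed inventory used only for this example; no real devices or users.
DEVICES = [
    {"uid": "jdoe", "mail": "jdoe@mobileiron.com", "name": "Jane Doe",
     "mac": "00:11:22:33:44:55", "sn": "C02ABC1234", "udid": "0" * 40},
    {"uid": "rroe", "mail": "rroe@example.com", "name": "Richard Roe",
     "mac": "66:77:88:99:aa:bb", "sn": "C02XYZ7890", "udid": "1" * 40},
]

# Prefixes from the guide; mail: and name: may be omitted, the rest are required.
_PREFIXED = re.compile(r"^(mac|sn|udid|uid|mail|name):(.+)$", re.IGNORECASE)


def parse_search(text):
    """Return (field, value) for a Search By User Or Device entry.

    Unprefixed input is treated as an email address when it contains '@'
    and as a first/last name otherwise. That split is an assumption of this
    example; the guide only says those two prefixes are optional."""
    text = text.strip()
    match = _PREFIXED.match(text)
    if match:
        return match.group(1).lower(), match.group(2).strip()
    if "@" in text:
        return "mail", text
    return "name", text


def search_devices(text, devices=DEVICES):
    """Exact, case-insensitive match on identifiers; substring match on name.
    A serial number typed without sn: is read as a name and finds nothing,
    which is why the guide says the other prefixes are required."""
    field, value = parse_search(text)
    value = value.lower()
    if field == "name":
        return [d for d in devices if value in d["name"].lower()]
    return [d for d in devices if d[field].lower() == value]
```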
Advanced searching
As data sets get larger, it is increasingly important to have a powerful search. You can
use advanced search to build complex queries using the full set of available criteria.
You can also create a new label using the advanced search criteria, or apply the criteria to an existing label.
2. Click the Advanced Search icon located at the top right, above the table.
The query builder appears.
You can enter search criteria using the query builder, or type the search expression
directly.
Searchable fields
To see the complete list of searchable fields in the query builder:
Note: To include retired devices in the results, uncheck the check box to the left of the
Search button.
Advanced search using both the query builder and manual editing
Use the query builder to start an expression, look up field syntax, and select predetermined values. Then, edit the expression directly to meet your needs.
1. Select fields and criteria as needed.
2. Click the All button to combine multiple criteria with a logical AND, or the Any button to combine them with OR. You can manually edit individual logical operators in the expression field, as needed.
3. In the expression field, edit the expression directly.
For example, you can add parentheses, change logical operators, or manually edit field names or values.
The automatic syntax check displays a status icon next to the expression field. A green icon indicates that the syntax is correct; a red icon indicates that it is incorrect.
4. When the syntax is correct, click Search to display the matching devices and their owners.
Once you manually edit the expression, the query builder is covered with a gray box
to indicate it no longer represents the current state of the expression. Click the Reset
link to remove your manual edits and continue using the query builder.
Example: Find all iOS or Android devices that use AT&T as their service operator.
Click the Advanced Search icon, and then build the expression to match the above
image:
1. Select Platform for the field; select Equals for the operator; iOS for the value.
2. Click the plus icon two times to add two more rows for criteria.
3. In the second row, select Platform, Equals, and Android for the field, operator, and
value.
4. In the next row, select Home Operator Name for the field, and Equals for the operator.
Notice that the value field adjusts automatically to display service operator values by country. Select AT&T in the second value field, leaving the first field as is.
Your advanced search should look the same as the image above. To revert to the original expression without your manual edits, click the Reset link to the right of the expression.
7. Click Search to display the matching devices and their owners.
Closing the advanced search query builder does not clear the search.
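The All/Any combination and the worked example above (iOS or Android devices on AT&T), as an added example and not the product's code: query-builder rows as criteria, All and Any groups evaluated as AND and OR, and a syntax check standing in for the green/red icon. The searchable-field list, the rendered expression notation and the device records are assumptions constructed for the example.

```python
# Searchable fields assumed for this example; the guide's full list lives in
# the query builder and is not reproduced here.
SEARCHABLE_FIELDS = {"Platform", "Home Operator Name", "Status", "Country"}
OPERATORS = {"Equals", "Not Equals"}

# Constructed device records; values are examples only.
DEVICES = [
    {"Platform": "iOS", "Home Operator Name": "AT&T", "Status": "Active"},
    {"Platform": "Android", "Home Operator Name": "AT&T", "Status": "Active"},
    {"Platform": "iOS", "Home Operator Name": "Verizon", "Status": "Active"},
    {"Platform": "WP8", "Home Operator Name": "AT&T", "Status": "Pending"},
]


def criterion(field, op, value):
    """One query-builder row: field, operator, value."""
    return ("crit", field, op, value)


def all_of(*terms):
    """The All button: combine rows with a logical AND."""
    return ("All", terms)


def any_of(*terms):
    """The Any button: combine rows with a logical OR."""
    return ("Any", terms)


def syntax_ok(expr):
    """Analogue of the status icon: every field and operator must be known."""
    if expr[0] == "crit":
        _, field, op, _ = expr
        return field in SEARCHABLE_FIELDS and op in OPERATORS
    return all(syntax_ok(term) for term in expr[1])


def matches(expr, device):
    """Evaluate an expression against one device record."""
    if expr[0] == "crit":
        _, field, op, value = expr
        equal = device.get(field) == value
        return equal if op == "Equals" else not equal
    if expr[0] == "All":
        return all(matches(term, device) for term in expr[1])
    return any(matches(term, device) for term in expr[1])


def render(expr):
    """Textual form of the expression in an assumed notation, so it can be
    hand-edited (parentheses, operators) the way the guide describes."""
    if expr[0] == "crit":
        _, field, op, value = expr
        symbol = "=" if op == "Equals" else "!="
        return f"{field} {symbol} {value}"
    joiner = " AND " if expr[0] == "All" else " OR "
    return "(" + joiner.join(render(term) for term in expr[1]) + ")"


def run_search(expr, devices=DEVICES):
    """Refuse to run an expression the syntax check would flag red."""
    if not syntax_ok(expr):
        raise ValueError("expression uses an unknown field or operator")
    return [d for d in devices if matches(expr, d)]


def ios_or_android_on_att():
    """The guide's example after the manual edit that groups the two
    Platform rows: (iOS OR Android) AND operator AT&T."""
    return all_of(
        any_of(criterion("Platform", "Equals", "iOS"),
               criterion("Platform", "Equals", "Android")),
        criterion("Home Operator Name", "Equals", "AT&T"),
    )
```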
Save to label
Click the Save To Label button in advanced search to create a new label using the search criteria, or to apply the criteria to an existing label.
To create a new label, type a new label name in the Label field and type a description. The new filter label is created with the advanced search criteria applied.
To apply the criteria to an existing label, choose a label from the Label selections. Only labels that have no members and no criteria are shown.
There are two types of custom LDAP attributes available in advanced search.
Custom 1 through Custom 4 are always available in the field list in advanced search, and appear as custom1 through custom4.
Custom Attribute 1, Custom Attribute 2, and so on, are available in advanced search only if they are assigned in LDAP settings. These custom attributes appear in the field list as the value they were assigned in the setting. For example, if Custom Attribute 1 is set to Manager in LDAP settings, it appears in the advanced search field list as Manager, under User Fields > LDAP > User Attributes.
To view the custom attributes in the LDAP settings, go to Settings > LDAP. Click the
LDAP instance to open the LDAP details. If you make changes to LDAP settings, LDAP
is synced automatically.
To switch among the chart choices, select the chart-type icon at the bottom of the chart. Note that the New Device Registrations chart and the Pending Device Registrations chart are displayed only as tables.
Chart / Description

Device By Status
Displays the percentage of phones having each registration status (for example, Pending).

Device By Compliance
Displays the percentage of devices that are in compliance with the assigned policy.

Device By OS Type
Displays the percentage of devices running each supported operating system.

Device By OS Version
Displays the percentage of devices running each version of the supported operating systems.

Device Roaming By Country
Displays the percentage of devices that are roaming for each country.

Device By Ownership
Displays the percentage of devices that are company-owned and the percentage of devices that are user-owned.

Device By Operator
Displays the percentage of devices each service provider reported, including Wi-Fi.

New Device Registrations
Displays the latest phones to begin the registration process.

Pending Device Registrations
Displays the phones that have a status of Pending.
2. Click Add, select a chart from the list, and then click Add Chart to add a closed
chart to the device dashboard.
The chart is added as the last chart on your display.
Reprovision device
Supported platforms: Android (yes), iOS (yes), Win 7 (-), WP8 (-), WP8.1 (-), Win 8.1 RT/Pro (-)
Note
This action applies only to devices in the Pending or Verified state. To reinstall the
MobileIron Client for devices in the Active state, you can either restore from a backup
snapshot or retire the device and re-register it. To reinstall the MobileIron Client for
devices in the Wiped state, you must re-register the device.
To re-provision devices:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Actions > More Actions > Re-provision Device.
The same registration settings are used.
Retire
Platform columns: Android, iOS, OS X, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Retiring a device archives the data for that device and removes the configurations and settings applied by MobileIron Core. The entry for the device no longer appears in the Users & Devices page (unless you specifically search for retired devices), and the user is notified that the software has been removed.
If the retired device is also in the ActiveSync Association view, it remains there. However, because the device is retired, it can no longer access the ActiveSync server. You can manually remove the device from the ActiveSync Association page. See Removing ActiveSync phones on page 456.
Also note:
Retiring an iOS device also removes from the device the documents and configurations related to Docs@Work. See Retire and wipe impact on documents on page 577.
Retiring an Android device means the device user cannot access any AppConnect apps or data. For details, see Lock, unlock, and retire impact on AppConnect for Android on page 633.
Retiring a Windows 8.1 RT or Pro device from MobileIron Core removes the VPN profiles. The Retire action also partially removes the Security policies.
To retire a device:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device.
3. Select Retire from the Actions menu.
The Retire dialog appears.
4. In the Retire dialog, confirm the user and device information and enter a note.
5. Click Retire.
The user receives notification of the action.
To see a list of retired devices, see Searching for retired devices on page 125.
Lock
Platform columns: Android, iOS, OS X, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Locking a device forces the user to enter a password to access the phone and prevents the user from reversing this restriction. The user is informed of this action via email. If the user has set a password for the device, then that password must be entered. Locking an Android device also causes the device user to be locked out of AppConnect apps. For details, see Lock, unlock, and retire impact on AppConnect for Android on page 633.
To lock a device:
Note: If the MobileIron Client on the selected device is currently connected, then this
action is applied immediately. If the MobileIron Client is not currently connected,
then MobileIron Core attempts to complete the operation by means of the operator's
SMTP service. If SMTP is used, the operation may take more time to execute, and the
time required may vary by operator.
To remove the lock, create a new Security policy that specifies that passwords are
optional and assign it to the device. This task enables the user to remove the restric-
tion on their phone. The phone will continue to request a password until the user turns
off the restriction on the phone. Also, because only one active policy of the same type
can be applied to a phone, you may choose to remove this policy from the phone once
the user has successfully turned off the lock. You can do this by applying the previous
policy or removing the phone from the policy used to remove the lock. See Using
labels to establish groups on page 143 for information on working with labels.
For iOS 7 devices, the Lock Action dialog displays additional options to enter a contact
number and a message. The Lock Message field allows you to enter up to 500 characters.
The contact number and the message appear on the screen of the device you locked. The
device user can call the number displayed on the locked device.
For WP8.1 devices, the device can be unlocked with a new device PIN. The administra-
tor performs a Reset PIN action in the Admin Portal, and provides the new device PIN
to the device user.
Unlock
Platforms: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Notes:
This function does not apply to Android devices locked using face or pattern locks.
Because the MobileIron app cannot remove the passcode on an encrypted Android
device, the Unlock command sets the passcode to "un!ockm3!" on encrypted devices.
Because this value is fixed and documented, have the user set a new passcode as soon
as the device is unlocked.
On Android devices using AppConnect apps, unlock also removes the secure apps
passcode.
For details, see Lock, unlock, and retire impact on AppConnect for Android on
page 633.
Wipe
Platforms: Android, iOS, OS X, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Warning
Wiping a device returns it to factory defaults, which can result in loss of data.
Wiping a device returns its settings to the factory defaults and informs the user of this
action via email. The Wipe task differs considerably by OS due to the limitations of
each OS.
Required Role: The Wipe device role is required to use this feature.
To wipe a device:
1. Go to Users & Devices > Devices.
2. Select the checkbox for the device to be wiped.
3. Select Wipe from the Actions menu.
Note: For Mac computers, the wipe command applies only if the computer has FileVault 2
(full-disk encryption) enabled.
Note: If the MobileIron Client on the selected device is currently connected, then this
action is applied immediately. If the MobileIron Client is not currently connected,
then MobileIron Core attempts to complete the operation by means of the SMTP
configuration. If SMTP is used, the operation may take more time to execute, and the
time required may vary by operator.
Selective Wipe
Platform   Android   iOS    Win 7   WP8   WP8.1   Win 8.1 RT/Pro (h)
Files      -         -      -       -     -       -
Email      f, g      e, g   -       -     g       g
SMS        -         -      -       -     -       -
- = not supported; letters refer to the notes below.
e: Using MobileIron Sentry and ActiveSync.
f: For Exchange, through integration with selected devices and email apps.
g: Selective wipe of email for this operating system is accomplished through security
compliance actions, removing the device from the associated label, or retiring the
device.
h: For Win 8.1 RT/Pro devices, retiring the device from MobileIron Core removes the
VPN settings and partially removes the Security policies.
Block AppTunnels
Platform    Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
Supported   -         yes   -       -     -
You can manually block the AppTunnel feature (standard and Advanced) in AppConnect
apps on a device. The authorized AppConnect apps remain authorized, but the apps can
no longer access the websites configured to use the AppTunnel feature.
Note: For the Docs@Work features in Mobile@Work, blocking the AppTunnel feature
blocks access to all the Docs@Work features.
Lost
Platform    Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
Supported   yes       yes   -       -     -
When a user reports a lost device, you can set its status to Lost. Setting this status
does not have a functional effect on the phone. It just flags the phone as lost for
tracking purposes and to ensure that it appears in the Lost Phones screen.
To designate a device as lost:
Found
Platform    Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
Supported   yes       yes   -       -     -
If a user reports that a lost phone has been found, you can use the Found action to
remove the Lost indicator from the entry for the phone. Setting this status does not
have a functional effect on the phone.
Locate
Platform         Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
via Cell Tower   yes       yes   -       -     -
via GPS          yes       -     -       -     -
Most registered phones can be located on a map using cell tower IDs. The MobileIron
Client records tower data until the next time data is synchronized between the Mobile-
Iron Client and MobileIron Core. See Working with security policies on page 182 for
information on changing the Sync Interval setting. Using the Connect Now feature on
the device will result in immediate synchronization.
Exceptions currently include certain GSM phones, which do not provide the necessary
location data.
Required Role
The Locate device role is required to use this feature.
4. Click the phone icon on the map to display the date on which the location informa-
tion was collected.
Send Message
Platform    Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
Supported   yes       yes   -       -     -
You can send an SMS text, email or Push Notification (i.e., APNs or C2DM) to selected
devices.
Email
Push Notification (i.e., APNs for iOS or C2DM for Android)
Note: The character limit for SMS is 125. The character limit for Email and Push
Notification is 200. If you select SMS and another option, then the 125 character
limit applies.
5. If you are sending email, enter a subject in the Subject field. (The Subject field is
applicable to email only.)
6. Enter your message in the Message area.
7. Click Send Message.
Update Roaming Settings
Platform    Android   iOS   Win 7   WP8   Win 8.1 RT/Pro
Supported   -         yes   -       -     -
The Update Roaming Settings action allows you to enable or disable roaming for voice
and data on iOS devices. Support for this feature varies by operator.
Note: The Apply settings option in the iOS MDM app setting must be selected, or this
feature will not work. This setting is selected in the default iOS MDM app setting. If
you have edited this setting or created your own iOS MDM app setting, make sure this
option is selected.
Note: The check boxes remain unselected, regardless of whether roaming had previously
been enabled for the selected devices.
Note: N/A indicates that the operator for the selected device does not support this
feature. Also note that data roaming might display as enabled, but is effectively dis-
abled if voice roaming is disabled.
Change Ownership
Platforms: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
When you register a device, you specify whether the phone is owned by the company
or the employee. Specifying ownership is important if you want to assign different pol-
icies or take actions based on whether a phone is company property or the property of
an employee.
Apply To Label
Platforms: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Applying a device to a label tags the phone as part of the associated group. When you
specify a label for an action, you perform the action on all devices having the label.
See Using labels to establish groups on page 143 for more information on labels.
Remove From Label
Platforms: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Removing a device from a label removes the tag that makes it a part of the associated
group. See Using labels to establish groups on page 143 for more information on
labels.
Default labels
The following system labels are always available, by default:
Label            Description
All-Smartphones  Automatically applied to all devices at registration.
Android          Automatically applied to registered devices that have the Android
                 platform selected during registration.
Company-Owned    Automatically applied to registered devices that have the Company
                 checkbox selected during registration.
Employee-Owned   Automatically applied to registered devices that have the Employee
                 checkbox selected during registration.
iOS              Automatically applied to registered devices that have the iOS
                 platform selected during registration.
OS X             Automatically applied to registered Apple devices that have OS X
                 selected during registration.
Signed-Out       Automatically applied to any multi-user iOS device that does not
                 have a signed-in user.
Windows Phone    Automatically applied to Windows Phone devices.
Windows Pro/RT   Automatically applied to Windows 8.1 Pro and RT devices.
Filter labels use specific criteria to specify a group of devices. Manual labels have no
criteria associated with them; you select each device associated with a manual label.
When you initially create a label, it is stored as a filter label. If you use the Advanced
Search feature to specify the criteria for a label, then it remains a filter label. If you
select phones in an Admin Portal screen and apply a label to them, then the label
becomes a manual label.
Creating labels
There are two ways to create a label:
Use Advanced Search and save the criteria to a new label, as described in Save to
label on page 125, or
Create a new label with no associated criteria.
4. Click Save.
You can now apply this label to devices, policies, and configurations. See Apply To
Label on page 141.
Editing Labels
You can edit the name or description of any existing label. A label's criteria cannot be
edited.
To edit a label:
1. Go to Users & Devices > Labels.
2. Click the edit control next to the label.
The Edit Label dialog appears.
3. Edit the name and/or description.
The label name must be unique.
4. Click Save.
For another example, see Creating a label based on custom LDAP user attributes on
page 126.
Deleting labels
To delete a label:
1. Go to Users & Devices > Labels.
2. Select the label you want to work with.
3. Click Delete.
Note
Default labels cannot be deleted. See Default labels on page 143.
Delegated administration
Delegated administration enables you to decentralize managing MobileIron Core
devices. Dividing a MobileIron Core system into several areas of influence enables the
main Core administrators to maintain control over all critical areas of system manage-
ment and also give limited control of specific areas of the system to other administra-
tors.
Using delegated administration with MobileIron Core 7.0 and later, administrators are
assigned areas of influence called device spaces. Device spaces can represent depart-
ments, offices other than headquarters or any other portion of your company that you
choose. To delegate administration tasks, administrators are assigned roles that
define what tasks they can perform for the devices and users assigned to the device
spaces they manage.
The original device space in MobileIron Core is called the global space. If you do not
use delegated administration, this is the only device space in your Core system.
Administrators assigned to the global space can be assigned any roles. Administrators
assigned to other device spaces can be assigned most, but not all, roles. For example,
only administrators assigned to the global space can be assigned the Manage configu-
ration role, which enables them to create and manage configurations for all the device
spaces.
Note: In MobileIron Core 7.0 and later, role assignment is divided between the Users
& Devices tab and the Admin tab:
User roles are assigned and edited using the Devices page (Users & Devices >
Devices)
Administrator roles can be assigned when defining device spaces (Admin > Device
Spaces > Add)
Administrator roles can be assigned and edited using the Admins tab (Admin >
Admins > Actions > Edit Roles)
Administrator types
For delegated administration, MobileIron Core is managed by three types of adminis-
trators.
Super Administrators, who manage devices and users throughout your MobileIron
Core system. These administrators are assigned to the global space. The role that
sets these administrators apart is Manage administrators and device spaces. Only
administrators with this role can create and manage device spaces and assign roles
and device spaces to administrators. A MobileIron Core system can have one or more
Super Administrators.
Global Administrators also manage devices throughout your MobileIron Core sys-
tem. These administrators are assigned to the global space and can be assigned
any roles other than Manage administrators and device spaces.
Device Space Administrators manage only the devices and users assigned to the
device spaces to which they are assigned. For example, an administrator assigned
to the Dallas Help Desk device space can only manage devices assigned to that
device space. The roles that can be assigned to Device Space Administrators are
limited. For example, Device Space Administrators, if assigned the correct role, can
view configurations or apply and remove configurations from a label. However, they
cannot create or edit configurations.
For complete information about roles and actions available to each type of administra-
tor, see Editing administrator roles on page 157.
When MobileIron Core is installed, one Super Administrator is created. The default
roles for this administrator are listed in the following table.
Device Space Administrators are created from the list of local users and LDAP users
and groups available when you go to Admin > Admins.
Note: Device Space Administrators cannot create, delete or edit configurations and
policies.
For details about Device Space Administrator management tasks and available roles
and permissions, see Editing administrator roles on page 157.
When you design a MobileIron Core system that uses delegated administration, there
are questions you need to answer about your Core system. The first task is to decide
how you want to divide your system into device spaces. For example, you could create
a device space for:
Help desk groups in your company (Help Desk France, Help Desk Germany)
Business units (West Coast Sales, HQ Finance)
Countries where your company has offices (England Office, Holland Office)
Your Core system can support any combination of these device space types and more.
After you decide what device spaces to create, plan what tasks the administrators
assigned to each device space will perform. For example:
Do you want to give administrators in the Toronto office the ability to view the
devices and users assigned to that office, or should they be able to perform addi-
tional tasks, like wiping all corporate apps from the devices they manage?
Do you want to give your front-line help desk workers in Texas the ability to view
application details for their callers' devices?
Should administrators in the Sydney office be able to assign labels and policies to
the devices they manage?
Once you answer these and other questions about your MobileIron Core system, study
the available roles and permissions presented in Editing administrator roles on
page 157 to determine which roles to assign each group of administrators in each
device space.
Using roles, you can create administrative tiers within a device space. Suppose you
set up device spaces for different countries (for example, the United States, Germany
and France). You could then create two help desk administrator groups for each device
space, one for front-line workers, who have minimal permissions and one for back-line
workers, who have additional permissions. To this scenario, you could also add the
ability for a local administrator to assign policies and configurations.
You need to think about the reasons why you would segment your user population.
These needs will guide how you set up your device spaces.
Note: Although Super Administrators and Global Administrators have roles that enable
them to perform specific tasks, they can perform these tasks only in device spaces to
which they are assigned. By default, these administrator types are assigned to the
global space, but not to individual device spaces.
Creating device spaces is a two-step process. First, you name the device space (for
example, France Android) and define criteria that determine which devices belong to
the device space (for example, all Android devices used in the France help desk
group).
In step two, you select the administrators for the device space and assign them the
roles they need to perform the management actions you have chosen for administra-
tors in this device space.
After deciding how to use delegated administration in your MobileIron Core system,
create the device spaces, assign administrators to the device spaces, and then assign
roles to the administrators using the following procedure:
1. In the Admin Portal, select Admin > Device Spaces.
2. Click the Add+ button to add a device space.
3. Enter the name for the device space in Space Name.
4. To specify which devices are assigned to the device space, create a query using the
All and Any buttons and the Fields, Operators and Values fields displayed (see
Specifying devices for device spaces on page 152 for details).
5. Click Save to create the device space and move to assigning administrators to the
device space.
6. To assign administrators to the device space, complete one of the following actions
Click LDAP Entities, select LDAP OU, LDAP Groups or LDAP Users, and then
enter one or more characters in the search box below LDAP Entities to display a
list of LDAP users that meet the search criteria.
Click Individual Admins, and then enter one or more characters in the search
box next to Individual Admins to display a list of local users that meet the
search criteria.
7. Select the device space administrators from the list.
8. Select roles for the device space administrators from the lists of roles in the dialog
(see Editing administrator roles on page 157 for information about the available
roles and permissions).
When you select a role from one of the categories, Device Management for exam-
ple, the permissions for the selected role move from the Available Permissions col-
umn to the Selected Permissions column. If the permissions associated with a role
are included in a previously selected role, no permissions are added to the Selected
Permissions column.
Note: The new device space status is Pending after you click Save. Until the status
of all device spaces is Active rather than Pending, the device counts for the device
spaces are not reliable and devices may not be listed in the correct device space.
You update device spaces after creating spaces or changing device space priority.
MobileIron recommends that you wait until you finish creating all your device spaces,
including assigning administrators and roles, or complete changing device space prior-
ity before you update device spaces. This saves system resources.
When specifying the criteria for selecting devices for a device space, follow these
instructions to use the search tool provided in the New Admin Space dialog:
Note: This procedure assumes that you are already defining a device space using the
New Admin Space dialog.
1. Click Any or All to specify whether the search result includes devices that meet one
or more of the conditions (Any), or must meet all the specified conditions (All).
2. Click the Field dropdown, navigate to the search field and select it (see Searchable
fields on page 153 for the list of available fields).
Hint: Type a few letters of the field name to display a list of matching fields, or
press the Expand All button within the field list to display all possible fields.
3. In Operator, select one of the possible operators for the selected field.
4. In Value, select or enter the value for the selected search field.
Note: A green icon indicates that the query syntax is correct; a red icon indicates
that the syntax is incomplete or incorrect.
5. (Optional) Click the plus sign to the right of the query condition you just created to
add another condition.
6. (Optional) Repeat Step 2 through Step 5 for each additional query.
7. (Optional) To remove a condition from the search criteria, click the minus sign to
the right of that condition.
A sample listing of the devices that meet the query criteria is displayed below the
query as you complete each condition.
8. Check the sample device list to ensure that the query results are returning the
types of devices you intended. The sample list contains up to twenty devices. To
test that the search criteria returns all the devices to be included, run the same
query using MobileIron Core advanced search in the Devices tab.
Searchable fields
The fields available as search criteria for devices assigned to a device space are
divided into two categories: User Fields and Common Fields. User Fields specify which
users are connected with the devices. Common Fields specify information, like plat-
form, that the devices have in common.
Device space information for your MobileIron Core system is displayed when you go to
Admin > Device Spaces. The information displayed includes:
Column          Description
Space Name      Name given to the device space.
Criteria        Query that defines which devices are assigned to the device space.
Admins          Administrators assigned to the device space.
Status          Current status of the device space.
Num of Devices  Number of devices currently assigned to the device space.
Priority        Device space priority.
Go to Admin > Device Spaces to view the priorities of device spaces. The priority of
each device space is listed in the Priority column.
Note: The global space is always assigned the lowest priority among the device
spaces.
You can change device space priority at any time. To change device space priority:
1. In Admin Portal, go to Admin > Device Spaces.
The device spaces are listed in priority order. The device space with the highest pri-
ority is listed first.
2. Select the device space to change.
3. Drag the device space entry to the new priority position in the list. For example, to
move HQ Space from the highest priority to the third-highest priority, select HQ
Space from the list of device spaces and drag it to the third position in the list.
Note: Until MobileIron Core completes the device space priority change, the num-
ber of devices in each device space is unreliable. When the status of all device
spaces is Active, the update is complete and the device counts are correct for each
device space.
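The two procedures above (building Any/All criteria from Field, Operator and Value rows, then ordering device spaces by priority) determine which space a device lands in. The following Python is an added example written for this guide, not MobileIron code: it evaluates such criteria against device records, assigns each device to the highest-priority matching space with the global space as the lowest-priority catch-all, and shows how dragging a space to a new priority changes the per-space device counts. The operator names, the device field names in the sample records, the sample spaces and all function names are assumptions.

```python
"""Added example, not MobileIron code: evaluate device-space criteria of the
Any/All + Field/Operator/Value form against device records and assign each
device to the highest-priority matching space.  Operator names, the device
field names, the sample data and the function names are assumptions."""

# Operators a criteria row can use (assumption; the guide does not list them).
OPERATORS = {
    "equals": lambda have, want: have == want,
    "not equals": lambda have, want: have != want,
    "contains": lambda have, want: want in (have or ""),
    "starts with": lambda have, want: (have or "").startswith(want),
}


def condition_matches(device, condition):
    """One Field / Operator / Value row against one device record."""
    field, operator, value = condition
    return OPERATORS[operator](device.get(field), value)


def criteria_match(device, criteria):
    """criteria = ("Any" | "All", [(field, operator, value), ...]).
    Any: at least one row matches.  All: every row matches.
    A space with no rows matches nothing; only the global space is a catch-all."""
    mode, rows = criteria
    if not rows:
        return False
    combine = any if mode == "Any" else all
    return combine(condition_matches(device, row) for row in rows)


def preview(devices, criteria, limit=20):
    """The sample list shown under the query builder: the first `limit` matches."""
    return [d["serial"] for d in devices if criteria_match(d, criteria)][:limit]


def assign_spaces(devices, spaces, global_name="Global"):
    """`spaces` is ordered highest priority first.  A device lands in the first
    space whose criteria match; the global space is implicit and always last."""
    return {
        d["serial"]: next((s["name"] for s in spaces if criteria_match(d, s["criteria"])),
                          global_name)
        for d in devices
    }


def space_counts(assignment, spaces, global_name="Global"):
    """The 'Num of Devices' column for every space, including empty ones."""
    counts = {s["name"]: 0 for s in spaces}
    counts[global_name] = 0
    for space in assignment.values():
        counts[space] += 1
    return counts


def reprioritize(spaces, name, new_position):
    """Drag `name` to 0-based `new_position`, as on the Device Spaces page."""
    moved = [s for s in spaces if s["name"] == name]
    if not moved:
        raise KeyError(name)
    reordered = [s for s in spaces if s["name"] != name]
    reordered.insert(new_position, moved[0])
    return reordered


# Constructed sample data (not real devices or spaces).
SAMPLE_DEVICES = [
    {"serial": "D1", "platform": "Android", "ldap_group": "HelpDesk-France", "user_country": "FR"},
    {"serial": "D2", "platform": "iOS", "ldap_group": "HelpDesk-France", "user_country": "FR"},
    {"serial": "D3", "platform": "Android", "ldap_group": "Sales-West", "user_country": "US"},
    {"serial": "D4", "platform": "iOS", "ldap_group": "HQ-Finance", "user_country": "US"},
    {"serial": "D5", "platform": "Windows Phone", "ldap_group": "HQ-Finance", "user_country": "DE"},
]
SAMPLE_SPACES = [  # highest priority first
    {"name": "France Android", "criteria": ("All", [("platform", "equals", "Android"),
                                                    ("ldap_group", "contains", "France")])},
    {"name": "Help Desk France", "criteria": ("All", [("ldap_group", "contains", "France")])},
    {"name": "West Coast Sales", "criteria": ("Any", [("ldap_group", "equals", "Sales-West"),
                                                     ("user_country", "equals", "US")])},
]

if __name__ == "__main__":
    before = assign_spaces(SAMPLE_DEVICES, SAMPLE_SPACES)
    after = assign_spaces(SAMPLE_DEVICES, reprioritize(SAMPLE_SPACES, "Help Desk France", 0))
    for serial in before:
        print(serial, before[serial], "->", after[serial])
```

Moving Help Desk France above France Android empties the narrower space, which is why the guide warns that device counts are unreliable until every space is Active again after a priority change; running the same criteria through Advanced Search on the Devices tab is the check that the preview of twenty devices cannot give you.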
While the Delete Space action is processed, actions such as Force Device Check-in,
Change Language and Change Ownership cause devices assigned to the deleted
device space to change device spaces immediately.
Therefore, while the status of devices assigned to the deleted device space is Pend-
ing and various device actions are occurring, device counts for all device spaces are
unreliable.
Roles sometimes share permissions with other roles. For example, the View apps in
device details and Wipe device roles both include the permissions View dashboard,
View device and View device details.
The roles within each category and the permissions associated with each role are
listed in the following table.
Note: These roles are different from the roles defined in previous MobileIron Core
releases. For installations that used previous MobileIron releases, the roles assigned
current administrators are mapped to the new roles when the system is upgraded to
MobileIron Core 7.0 so that administrators have the same permissions they had in the
previous release.
Category                         Roles                                      Available to
(preceding category, continued)  Locate device; Add device; Wipe device
Privacy Control                  View apps in device details; Locate device  Super Administrator;
                                                                             Global Administrator;
                                                                             Device Space Administrator
Label Management                 View label; Manage label                    Super Administrator;
                                                                             Global Administrator;
                                                                             Device Space Administrator
User Management                  Manage user, which includes creating,       Super Administrator;
                                 editing and viewing users                   Global Administrator;
                                                                             Device Space Administrator
Note: The Connector, API, and Mobile app roles are not management roles. These
roles are used by some applications to access certain APIs. MobileIron suggests that
you create a dedicated user for each of these three roles so that the account is only
used for the specific purpose and does not provide access to the Admin Portal.
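The administrator types described earlier in this chapter, the way Selected Permissions accumulate when roles are picked for a device space, the shared permissions between roles, and the note above on dedicated accounts for the Connector, API and Mobile app roles all amount to rules that a role assignment either satisfies or not. The following Python is an added example written for this guide, not MobileIron code: it models those rules and checks a list of administrator assignments against them. The facts it encodes are the ones stated on this page (the global space; Manage administrators and device spaces marking a Super Administrator; Manage configuration being global-space only; the permissions shared by View apps in device details and Wipe device; the three service roles). The remaining permission sets, the account record layout, the sample accounts and the function names are assumptions.

```python
"""Added example, not MobileIron code: model the role rules stated in this
chapter and check administrator assignments against them.  Only the rules and
the two quoted permission sets come from the guide; everything else is an
assumption for illustration."""

GLOBAL_SPACE = "Global"
SUPER_ROLE = "Manage administrators and device spaces"
GLOBAL_ONLY_ROLES = {"Manage configuration"}
SERVICE_ROLES = {"Connector", "API", "Mobile app"}

# Role -> permissions it carries.  The first two entries are as stated in the
# guide; the rest are placeholders (assumption) so the union logic has inputs.
ROLE_PERMISSIONS = {
    "View apps in device details": {"View dashboard", "View device", "View device details",
                                    "View apps in device details"},
    "Wipe device": {"View dashboard", "View device", "View device details", "Wipe device"},
    "Locate device": {"View dashboard", "View device", "Locate device"},
    "Manage configuration": {"View configuration", "Manage configuration"},
    SUPER_ROLE: {"Manage administrators", "Manage device spaces"},
    "Connector": {"Connector API"},
    "API": {"Web service API"},
    "Mobile app": {"Mobile app API"},
}


def effective_permissions(roles):
    """Union of the selected roles' permissions, as the Selected Permissions
    column accumulates them; a role already covered contributes nothing."""
    selected = set()
    for role in roles:
        selected |= ROLE_PERMISSIONS.get(role, {role})
    return selected


def permissions_added_by(role, already_selected):
    """What selecting `role` moves into Selected Permissions given the roles
    already chosen; an empty set means the role is fully covered."""
    return ROLE_PERMISSIONS.get(role, {role}) - effective_permissions(already_selected)


def admin_type(admin):
    """Super, Global or Device Space Administrator, from space and roles."""
    roles, spaces = set(admin["roles"]), set(admin["spaces"])
    if SUPER_ROLE in roles and GLOBAL_SPACE in spaces:
        return "Super Administrator"
    if GLOBAL_SPACE in spaces:
        return "Global Administrator"
    return "Device Space Administrator"


def find_violations(admins):
    """(account, problem) pairs for assignments this chapter does not allow
    or advises against."""
    findings = []
    for admin in admins:
        name, spaces, roles = admin["name"], set(admin["spaces"]), set(admin["roles"])
        if not spaces:
            # Roles only work inside spaces the administrator is assigned to.
            findings.append((name, "no device space assigned; roles grant nothing"))
        if SUPER_ROLE in roles and GLOBAL_SPACE not in spaces:
            findings.append((name, f"{SUPER_ROLE!r} requires the global space"))
        if GLOBAL_SPACE not in spaces:
            for role in sorted(roles & GLOBAL_ONLY_ROLES):
                findings.append((name, f"{role!r} is limited to global-space administrators"))
        service = roles & SERVICE_ROLES
        if service and (len(service) > 1 or roles - SERVICE_ROLES):
            findings.append((name, f"service role(s) {sorted(service)} belong on a dedicated account"))
    return findings


# Constructed sample accounts (not real users).
SAMPLE_ADMINS = [
    {"name": "alice", "spaces": ["Global"], "roles": [SUPER_ROLE, "Manage configuration"]},
    {"name": "bob", "spaces": ["Global"], "roles": ["Manage configuration", "Wipe device"]},
    {"name": "dallas-helpdesk", "spaces": ["Dallas Help Desk"],
     "roles": ["View apps in device details", "Locate device"]},
    {"name": "carol", "spaces": ["Dallas Help Desk"], "roles": ["Manage configuration"]},
    {"name": "dave", "spaces": ["Paris"], "roles": [SUPER_ROLE]},
    {"name": "svc-connector", "spaces": ["Global"], "roles": ["Connector"]},
    {"name": "erin", "spaces": ["Global"], "roles": ["API", "Wipe device"]},
]

if __name__ == "__main__":
    for admin in SAMPLE_ADMINS:
        print(admin["name"], admin_type(admin), sorted(effective_permissions(admin["roles"])))
    for account, problem in find_violations(SAMPLE_ADMINS):
        print("VIOLATION", account, problem)
```

The last check is the one worth automating against an export of Admin > Admins: a service account that also carries a management role is an Admin Portal login waiting to be reused by whatever integration holds its credentials.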
Role correspondences
MobileIron Core 7.0 adds delegated administration. Due to delegated administration,
roles assigned to administrators in MobileIron VSP releases earlier than 7.0 differ from
the ones assigned in MobileIron Core 7.0.
When you update from MobileIron Core 6.02 or earlier, the roles that are assigned to
users and administrators in your current system are translated into the new roles, but
provide your users and administrators with the same permissions as before.
The table in this section presents the correspondences between the old roles and the
new ones.
Using the Apple DEP program with MobileIron Core, you can streamline device
deployment: DEP devices can be assigned to MDM during activation and can skip basic
setup steps, getting users up and running quickly.
Adding your Apple DEP account devices to your MobileIron Core is a three-step pro-
cess:
1. Add your MobileIron Core to the Apple DEP Portal
2. Assign the Apple DEP devices to MobileIron Core DEP server
3. Add the Apple DEP account to Core
Note: MobileIron Core 7.0 supports Apple DEP devices for Apple iOS 7.1.
Navigate to the Manage Servers page on the Apple DEP Portal and add Core as an
MDM server. After registering the MobileIron Core instance with the Apple DEP Portal,
Core can communicate with the Apple DEP server to manage the devices in the DEP
program.
The information available for each Apple DEP account is listed in the following table:
Item                      Description
Account Name              Name assigned to the account.
Admin Apple ID            Administrator ID received from Apple.
Organization Name         Name that you provide to Apple for the organization associated
                          with the DEP account. Apple uses this name when displaying
                          messages about the account.
Organization Description  Description that you provide to Apple for the organization
                          associated with the DEP account.
Status                    Account status can be one of three states:
                          Active: the MobileIron Core instance is associated with one or
                          more active DEP accounts.
                          Invalid Token: the Apple server token is either expired or
                          invalid.
                          Inactive: the MobileIron Core instance is associated with a
                          deleted Apple DEP account.
Expires                   Date the server token expires.
Devices                   Number of devices in the DEP account. Click the number to view
                          the devices in the Devices page.
Enrollment Profile        Number of enrollment profiles defined for the DEP account
                          devices. Click the number to list the enrollment profiles (see
                          Adding DEP Enrollment Profiles on page 166).
Note: MobileIron Core waits ten minutes after DEP devices are associated with Core
before pushing apps to those devices, allowing the user to complete the DEP assign-
ment process and finish device setup.
Note: Create the .csv file containing the devices to assign to the profile before begin-
ning this procedure.
1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Select the number in the Profiles column for the Apple DEP account.
3. Select a profile.
4. Go to Actions > Assign Devices to Profile.
5. Click Upload to browse for the .csv file containing the devices that you want to
assign to this profile.
6. Click Assign.
To assign devices to a DEP enrollment profile from the Apple DEP Devices page:
1. In Admin Portal, go to Users & Devices > Apple DEP.
2. Click the number in the Devices column for the enrollment profile.
3. (Optional) Select All Enrollment Profiles or a specific enrollment profile from the All
Enrollment Profiles field.
4. (Optional) Specify a device status to use as a filter:
Any Status, indicates that status is not considered when filtering the devices
assigned to the enrollment profile.
Unassigned, specifies devices that are not currently assigned to an enrollment
profile.
Assigned, specifies devices assigned to an enrollment profile.
Pushed, specifies devices assigned to pushed enrollment profiles.
5. (Optional) In Search by device fields, specify a value for one of the device fields,
like color or model, that further defines the devices to assign to the enrollment pro-
file. For example, enter Blue to assign devices to the enrollment profile only if
they are blue.
Note: In Search by device fields, you can specify a value for:
serial_number
asset_tag
description
model
color
6. Run the query and then click the checkbox next to Serial Number at the top of the
device results list to select the devices the query returned.
7. Go to Actions > Assign enrollment profile.
Note: After DEP device enrollment profile assignments are pushed to devices and the
devices complete setup, removing DEP device enrollment profile assignments or
changing DEP device profiles has no effect.
If you delete a MobileIron Core DEP account, the account is no longer associated with
Core. Deleting a DEP account from Core does not have any effect on the Apple DEP
account.
Note: Disowning a device cannot be reversed. Once a DEP device is disowned from the
Device Enrollment Program it cannot be added back to the program.
The Disown action is disabled by default and is not included in the list of actions for
DEP devices. To add Disown to Actions in the Apple DEP device page, call Customer
Support.
To disown a device:
1. If prompted, restart MobileIron Core.
2. Go to Users & Devices > Apple DEP.
3. Select the number in the Devices column for the correct Apple DEP account.
4. Select the DEP device or devices to disown.
5. Go to Actions and then select Disown.
Note: The .csv files that you create for MobileIron DEP devices can contain no more
than 5,000 devices.
Note: If the .csv file contains UTF-8 characters (for example, values for the descrip-
tion column), Microsoft Excel does not recognize the encoding of the text in the file,
and will display the characters incorrectly. However, the .csv file is encoded correctly
and does not cause any problems.
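The two notes above give the only hard constraints on the device .csv: at most 5,000 devices per file, and UTF-8 content that Excel displays incorrectly but Core accepts. The following Python is an added example written for this guide, not MobileIron code: it checks a file against those two rules before you upload it with Assign Devices to Profile, rejects non-UTF-8 bytes instead of letting a re-saved "ANSI" file mangle a description, and splits an oversized file into upload-sized pieces. The column layout it expects (a header row with serial_number plus the optional asset_tag, description, model and color fields named in the search-field list above), the duplicate-serial check and the function names are assumptions.

```python
"""Added example, not MobileIron code: pre-check a DEP device .csv against the
5,000-device limit and strict UTF-8 before uploading it.  The column layout,
the duplicate-serial check and the function names are assumptions."""
import csv
import io

MAX_DEVICES = 5000
REQUIRED_COLUMNS = ["serial_number"]
OPTIONAL_COLUMNS = ["asset_tag", "description", "model", "color"]


def validate_dep_csv(raw: bytes):
    """Return (ok, problems, device_count) for the file's bytes.

    Decoding is strict: a file re-saved as Latin-1 ('ANSI' in Excel) fails
    here rather than silently corrupting a description on upload."""
    problems = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as err:
        return False, [f"not valid UTF-8 at byte offset {err.start}"], 0
    if text.startswith("\ufeff"):
        # Excel's "CSV UTF-8" writes a byte-order mark; drop it so the first
        # header cell reads 'serial_number' and not '\ufeffserial_number'.
        text = text[1:]

    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    for column in REQUIRED_COLUMNS:
        if column not in header:
            problems.append(f"missing required column {column!r}")
    unknown = [c for c in header if c not in REQUIRED_COLUMNS + OPTIONAL_COLUMNS]
    if unknown:
        problems.append(f"unknown column(s) {unknown}")

    seen = set()
    count = 0
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        count += 1
        serial = (row.get("serial_number") or "").strip()
        if not serial:
            problems.append(f"line {line_no}: empty serial_number")
        elif serial in seen:
            problems.append(f"line {line_no}: duplicate serial_number {serial!r}")
        seen.add(serial)
    if count > MAX_DEVICES:
        problems.append(f"{count} devices exceeds the {MAX_DEVICES} per-file limit; split the file")
    return not problems, problems, count


def excel_preview_copy(raw: bytes) -> bytes:
    """A copy with a UTF-8 byte-order mark so Excel renders accented text.
    For viewing only: upload the original file to Core."""
    return raw if raw.startswith(b"\xef\xbb\xbf") else b"\xef\xbb\xbf" + raw


def split_for_upload(raw: bytes, chunk=MAX_DEVICES):
    """Split an oversized file into upload-sized files, repeating the header."""
    lines = raw.decode("utf-8").lstrip("\ufeff").splitlines()
    header, rows = lines[0], [line for line in lines[1:] if line.strip()]
    return [("\n".join([header] + rows[i:i + chunk]) + "\n").encode("utf-8")
            for i in range(0, len(rows), chunk)]


if __name__ == "__main__":
    sample = "serial_number,description\nC02ABC123,Bleu clé\nC02ABC124,plain\n".encode("utf-8")
    ok, problems, count = validate_dep_csv(sample)  # constructed sample file
    print(ok, count, problems)
```

Keep the preview copy out of the upload path: the guide says the BOM-less file is what Core expects, and the preview copy exists only to stop someone "fixing" the characters by hand in Excel and saving the file in a different encoding.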
Chapter 5
Managing Policies
Overview of managing policies
Working with policies
Working with default policies
Working with security policies
Working with privacy policies
Working with lockdown policies
Working with sync policies
Working with Docs@Work policies
Working with single-app mode policies for iOS
Working with global HTTP proxy policies
Working with Android kiosk policies
Working with Android Quick Setup policies
Working with Samsung general policies
Troubleshooting policies
You can create multiple policies for each policy type, but only one active policy of each
type can be applied to a specific device.
Policies page
Use the Policies page at Policies & Configs > Policies to specify and control aspects of
enterprise device behavior.
Each policy page displays the following information about the policies belonging to
the corresponding policy type:
Policy Name: Identifier for this policy. The policy name must be unique for policies of the same type.
Priority: Priority set for this policy in relation to other policies of the same type.
Status: Current status of this policy. The status can be Active or Inactive.
Description: Additional information about the policy, such as its purpose.
Type: Which policy category this policy belongs to. See Overview of managing policies on page 174 for a list of types.
Last Modified: The date and time of the last change made to this policy.
# Phones: The number of phones affected by this policy. Click the link to display a list of the devices.
Labels: The labels applied to this policy. See Using labels to establish groups on page 136 for information on labels.
Watchlist: Displays the number of devices for which the policy is queued. Click the link to display a list of the devices. Exception: Backup & Restore policies are not distributed to the MobileIron Clients. In this case, the Watchlist column indicates the devices that are awaiting backup.
Required role
Users must have one of the following roles to access the Policies page:
View policies
Apply and remove policy label
Manage policy
Displaying policies
To display policies:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with:
Policies: the standard MobileIron policies, including default and custom policies
Default Policies: the standard MobileIron policies automatically assigned to
most devices
ActiveSync Policies: the specialized policies for devices that connect to the
enterprise via ActiveSync
2. If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy Type list.
3. Select a policy to display the details of that policy in the right pane.
Editing policies
To edit an existing policy:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2. If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy type list.
3. Select a policy to display the details of that policy in the right pane.
4. Click the Edit button in the right pane to display editable settings for the policy.
5. Make the changes to the displayed settings.
6. Click Save.
Note: Policy changes may cause devices to which that policy is applied to prompt the user to
restart the device.
Applying policies to labels
To apply a policy to a label:
1. Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2. Select the checkbox next to the policy.
3. Select More Actions > Apply To Label.
4. Select the label.
5. Click Apply.
Deleting policies
To delete a policy from the Admin Portal:
1. Click one of the filters under the Policies & Configs tab to display the policy you
want to delete.
Note: Default policies are included. See Working with default policies on page 181.
Prioritizing policies
When you create a custom policy, you can assign a priority relative to the other
custom policies of the same type. This priority determines which policy is applied if
more than one policy is associated with a specific device. For example, if you create a
security policy for executives and a security policy for iOS devices, then an executive
with an iPhone would have two different possible policies applied. Because only one
policy of a given type can be applied to a device, the priority defined for the policies
determines which is applied.
You can manage priorities for individual policies, or you can use the Modify Priority
screen to manage priorities for a policy type in a single screen. To manage priorities in
a single screen:
1. Go to Policies & Configs > Policies.
2. Select a type from the Policy Type dropdown.
3. Select Modify Priority. The Modify Policy Priorities dialog appears.
4. Drag and drop policies until they reflect the priorities you want to set, with highest
priority of 1 appearing at the top of the list.
5. Click Save.
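The priority rule described above, shown as an added example that is not MobileIron's code: given the policies of one type and the labels on a device, pick the single policy the device receives. The Policy record, the label-matching rule (a policy reaches a device when any of its labels is on the device), and the sample policies are assumptions made for illustration; the guide only states the outcome (one active policy per type, priority 1 wins, default policies are outside prioritization).

```python
# Added example (not MobileIron code): resolve which policy of one type
# applies to a device, following the rules stated in the guide.
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str                 # e.g. "security", "privacy", "lockdown"
    status: str                      # "Active" or "Inactive"
    priority: Optional[int] = None   # 1 is highest; None for the default policy
    labels: FrozenSet[str] = field(default_factory=frozenset)  # assumed label model
    is_default: bool = False


def matching_custom_policies(policies: Iterable[Policy], policy_type: str,
                             device_labels: Iterable[str]) -> List[Policy]:
    """All Active custom policies of this type whose labels reach the device,
    ordered best-first (priority 1 first). More than one entry means the
    device had conflicting policies and priority decided between them."""
    wanted = set(device_labels)
    hits = [p for p in policies
            if p.policy_type == policy_type
            and p.status == "Active"
            and not p.is_default
            and p.labels & wanted]
    # Priority numbers are unique per type once set in Modify Priority; the
    # name is only a deterministic tie-breaker for inconsistent data.
    return sorted(hits, key=lambda p: (p.priority if p.priority is not None else 10**9, p.name))


def select_policy(policies: Iterable[Policy], policy_type: str,
                  device_labels: Iterable[str]) -> Optional[Policy]:
    """Return the one policy of policy_type the device receives: the highest-
    priority matching custom policy, else the Active default policy of that
    type (default policies take no part in prioritization), else None."""
    policies = list(policies)
    ranked = matching_custom_policies(policies, policy_type, device_labels)
    if ranked:
        return ranked[0]
    for p in policies:
        if p.policy_type == policy_type and p.is_default and p.status == "Active":
            return p
    return None


def sample_policies() -> List[Policy]:
    """Constructed sample data mirroring the guide's example: one security
    policy for executives and one for iOS devices, plus the default."""
    return [
        Policy("Default Security Policy", "security", "Active", is_default=True),
        Policy("Executive Security", "security", "Active", priority=2,
               labels=frozenset({"Executives"})),
        Policy("iOS Security", "security", "Active", priority=1,
               labels=frozenset({"iOS"})),
        Policy("Old Android Security", "security", "Inactive", priority=3,
               labels=frozenset({"Android"})),
    ]


if __name__ == "__main__":
    chosen = select_policy(sample_policies(), "security", {"Executives", "iOS"})
    print(f"Executive with an iPhone gets: {chosen.name}")
```

The executive with an iPhone matches both custom security policies; the iOS policy wins because it holds priority 1, which is the situation the paragraph describes. An Inactive policy is never a candidate, and a device no custom policy reaches falls back to the default policy for that type.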
Each link displays a table outlining the platform support for each policy feature.
Note: If you disable profile encryption, backup to iTunes continues to be encrypted for
devices that are already registered. The backup to iTunes will be unencrypted for
devices that registered after the setting change.
The default settings for each policy type are listed in the section for each type.
Platform support for security policy features:

Feature                               Android    iOS   OS X   Win 7   WP8   WP8.1   Win 8.1 RT/Pro
Encryption Policy (Internal Storage)  yes (j,h)  yes   -      -       yes   yes     yes
Encryption Policy (SD Card)           yes (h)    -     -      -       -     -       -
Password Policy                       yes        yes   yes    -       yes   yes     yes
App Control                           yes        yes   -      -       -     yes     -

(Footnotes j and h are referenced here but their text is not on this page.)
Note: To create the custom compliance actions, see Custom compliance actions on
page 194.
Once you create a set of these actions, you can select that set from the dropdowns in
the Access Control section of security policies.
Name: Enter an identifier for this set of compliance actions. Consider specifying the resulting action so that the option will be more readable in the context of the security policy settings.
Alert via Event Center: Select if you want to trigger a message indicating that the violation has occurred. To configure the alert, see Policy violations event on page 335.
Block email access and AppConnect apps: Selecting this option has the following impact on the device:
- Restricts access to email via ActiveSync if you are using a Standalone Sentry for email access. Note: If you manually block, allow, or wipe a device on the ActiveSync Associations page, blocking email access in a compliance action has no impact. The manual action overrides MobileIron Core's automatic decision-making about access to email via ActiveSync. See Overriding and re-establishing VSP management of a device on page 412.
- Immediately blocks access to the web sites configured to use the AppTunnel feature. This action blocks tunnels that AppConnect apps and iOS managed apps use.
- Unauthorizes AppConnect apps. iOS: AppConnect apps become unauthorized when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions that involve only unsecured functionality can allow the user to use only those portions. Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager 5.7: AppConnect apps become unauthorized when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This action impacts AppConnect apps that are part of the Docs@Work for Android solution, as well as third-party AppConnect for Android apps. iOS: Docs@Work for iOS: Blocks the use of Docs@Work features in Mobile@Work for iOS.
Quarantine: Selecting this option has the following impact on the device:
- Immediately blocks access to the web sites configured to use the AppTunnel feature. This action blocks tunnels that AppConnect apps and iOS managed apps use.
- AppConnect apps are retired, which means they become unauthorized and their secure data is deleted (wiped). iOS: AppConnect apps become unauthorized and their secure data is wiped when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions that involve only unsecured functionality can allow the user to use only those portions. Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager 5.7: AppConnect apps become unauthorized and their data is wiped when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This action impacts AppConnect apps that are part of the Docs@Work for Android solution, as well as third-party AppConnect for Android apps. iOS: Docs@Work for iOS: Blocks the use of Docs@Work features in Mobile@Work for iOS and wipes its data.
Remove All Configurations: iOS: Select if you want to remove the configurations (i.e., profiles) that provide access to corporate resources. Android: Select to remove the following configurations: Exchange, VPN, Wi-Fi, Docs@Work.
4. If you have selected Show for the Android Custom ROM features in Settings >
Preferences, then the wipe action is available. To enable wipe, first read and select
the caution statement. You can then select Wipe the device.
Note: Wipe applies only to Android devices. It applies to all Android devices.
5. Click Save.
This new compliance action now appears in the drop down list of compliance
actions in the Access Control section of security policies, on the Policies & Configs >
Policies page.
Once the change reaches the device, MobileIron Core checks the device for
compliance. If the device is out of compliance, then the action is performed.
Restoring configurations
MobileIron automatically restores the configurations once the device user addresses
the policy violation. For example, if the policy violation resulted from an old version of
iOS, then upgrading resolves the issue. The same factors that apply to establishing
the quarantine affect the amount of time required to release the device from
quarantine.
Exception: If the WiFi configuration has been removed from a WiFi-only device, then
configurations must be restored manually.
Working with privacy policies
Platform note: Only Location and Apps privacy settings currently apply to iOS and Android. Only Apps privacy settings apply to OS X.
Privacy policies specify which files to synchronize with MobileIron Core and whether
activity or content should be synchronized for each type of data. Privacy policies also
specify which information the MobileIron Client should include in its log. Use the
following guidelines to create or edit Privacy policies:
Name: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. Default setting: Default Privacy Policy.
Status: Select Active to turn on this policy. Select Inactive to turn off this policy. Default setting: Active.
Priority: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 178 for more information. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.
Description: Enter an explanation of the purpose of this policy. Default setting: Default Privacy Policy.
SMS: Specify synchronization for SMS. Sync Activity: Collect SMS statistics. Sync Content: Collect SMS statistics and store SMS data on the MobileIron Server. None: Do not collect SMS statistics or store SMS data. Note that, except in the case of the SMS archiving feature, if the user's privacy settings in MyPhone@Work specify that SMS content shall not be synced, then the Sync Content option here results in syncing of SMS activity data only. Default setting: Sync Activity.
Apps: Specify synchronization for apps. Sync Inventory: Obtain identifying information (i.e., metadata) for the apps installed on the device. None: Do not obtain app information. If you select this option, then app data for the device will not be reflected in the App Inventory page. Exception: Identifying information on iOS managed apps is stored, regardless of the setting you select. See iOS managed apps on page 435 for information on managed apps. Default setting: Sync Inventory.
MobileIron iOS App Multitasking: Specify whether to enable or disable multitasking for the MobileIron iOS app. This feature governs whether the OS can bring the MobileIron app into memory periodically. No data is transmitted to the app by the OS when this occurs. Default setting: Disabled.
Location: Specify which location data, if any, is stored on MobileIron Core. None: No location data is stored. Sync Cell Tower: Cell tower data is stored. Sync GPS if available: GPS data is stored. Default setting: Sync Cell Tower.
iOS Installed App Inventory: Specify the app type, if installed on the device, that will be displayed in the Device App Inventory page. All Apps: All apps installed on the device are displayed. Managed Apps Only (iOS 7, iOS 7.1): Only managed apps installed on the device are displayed. Managed + Specified Apps Only (iOS 7, iOS 7.1): Only managed apps and apps with the bundle IDs entered here are displayed. If you have app control rules, add the app bundle IDs here; otherwise, the app will not be displayed in the Device App Inventory page. You do not have to enter the bundle IDs for managed apps. Default setting: All Apps.
Working with lockdown policies
Platform support: Android yes (m); iOS -; Win 7 -; WP8 partial (n); WP8.1 partial; Win 8.1 RT/Pro -.
m: Camera lockdown is supported for Android 4.x and also on devices on which the Samsung SAFE APIs are present. Bluetooth and Wi-Fi lockdown are supported on devices on which Samsung SAFE APIs are present. Extended lockdown policies are supported with Android 4.x if the device has Samsung SAFE APIs present and is running Mobile@Work version 5.1.
(Footnote n is referenced here but its text is not on this page.)
Note: To lock down features on iOS devices, go to Policies & Configs > Configurations.
Click Add New > iOS and OS X > Restrictions.
Lockdown policies specify which features should be disabled in the event that device
access must be restricted. To create a lockdown policy, go to Policies & Configs >
Policies. Click Add New > Lockdown.
Name: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. Default setting: Default Lockdown Policy.
Status: Select Active to turn on this policy. Select Inactive to turn off this policy. Default setting: Active.
Priority: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 178 for more information. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.
Description: Enter an explanation of the purpose of this policy. Default setting: Default Lockdown Policy.
Bluetooth: Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio. Caution: MobileIron recommends against disabling audio because hands-free Bluetooth access is then disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread. Default setting: Enable Audio & Data.
Camera: Enable or disable camera access. Default setting: Enable.
NFC: Enable or disable NFC (Near-field Communication) data exchange when the device touches another device. Default setting: Enable.
USB Mass Storage: Enable or disable access to the device's USB storage from a computer. Default setting: Enable.
SD Card: Not for Android unless Samsung Enterprise APIs are present on the device. Enable or disable access to the secure data card. Default setting: Enable.
Wi-Fi: Enable or disable access to wireless LANs. Default setting: Enable.
Roaming Data: Enable or disable access to data services while roaming. Default setting: Enable.
Copy / Paste: Enable or disable access to copy / paste functionality. Default setting: Enable.
Screen Capture: Enable or disable screen capture. Default setting: Enable.
GPS User Control: Enable or disable the device user's ability to turn GPS on and off. Default setting: Enable.
GPS: If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device. Default setting: Enable.
Android
Lockscreen Widgets: Android 4.2, 4.3, 4.4: Enable or disable the ability to add widgets to the lockscreen. Placing widgets on the lockscreen means device users can perform tasks without unlocking the device. Note: Though Samsung SAFE devices have a feature that is very similar, it is not the Android lockscreen widgets feature, which is what MobileIron Core controls. This option has no effect on SAFE devices. Default setting: Enable.
Microphone: Enable or disable access by apps to the microphone. This feature does not impact voice calls. Default setting: Enable.
USB Debug: Enable or disable the device user's ability to enable USB debugging. Default setting: Enable.
Samsung SAFE
Android 4.x with Samsung Enterprise APIs and running version 5.6 through 5.9
of the Mobile@Work for Android app:
Android Browser: Enable or disable access to the Android browser. Default setting: Enable.
Email Account Creation: Enable or disable the device user's ability to configure an email account on the device. Default setting: Enable.
Factory Reset: Enable or disable the ability to reset the device to factory defaults. Default setting: Enable.
Google Backup: Enable or disable backup to Google servers. Default setting: Enable.
Google Play: Enable or disable access to Google Play. Default setting: Enable.
Make Passwords Visible: Enable to allow users to change the Make Passwords Visible setting on their device. Disable to prevent users from changing this setting and make password characters not visible. Default setting: Enable.
Management Removal: Enable or disable the device user's ability to remove the Mobile@Work app and the Samsung DM Agent. Default setting: Enable.
OTA Upgrade: Enable or disable over-the-air upgrades of the device firmware. Warning: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade. Default setting: Enable.
Roaming Voice Calls: Enable or disable voice calls while roaming. Default setting: Enable.
Setting Changes: Enable or disable the device user's access to the settings app. Warning: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade. Default setting: Enable.
Tethering - Bluetooth: Enable or disable Bluetooth tethering. Default setting: Enable.
Tethering - USB: Enable or disable USB tethering. Default setting: Enable.
Tethering - Wi-Fi: Enable or disable Wi-Fi tethering. Default setting: Enable.
Unknown Sources: Enable or disable installation of apps from sources other than Google Play. Default setting: Enable.
USB Media Player: Enable or disable the USB media player. Default setting: Enable.
YouTube: Enable or disable access to YouTube. Default setting: Enable.
Windows Phone
Options for WP8.1
Internet Sharing: Enable or disable Internet sharing. Default setting: Enable.
Microsoft Store: Enable or disable access to the Windows Phone Store. Default setting: Enable.
Manual Email Set-up: Enable or disable the ability to manually add an email account on the device. Default setting: Enable.
VPN while Roaming: Enable or disable VPN when the device is out of network. Default setting: Enable.
Hotspot Discovery: Enable or disable Hotspot Discovery. Default setting: Enable.
Microsoft Account: Enable or disable Microsoft SkyDrive or Live Account. Default setting: Enable.
Save as of MS-Office: Enable or disable the Save As operation for an MS-Office document. Default setting: Enable.
Browser: Enable or disable Internet Explorer. The option does not have any impact on other browsers installed from the Windows Store. Default setting: Enable.
Manual Wi-Fi Setup: Enable or disable the ability to manually add a Wi-Fi setup. Default setting: Enable.
Wi-Fi Sense Hotspots: Enable or disable the device automatically connecting to Wi-Fi hotspots and to networks shared through friends' social networks. Default setting: Enable.
MS Error Reporting: Enable or disable Error Reporting. Default setting: Enable.
Sharing Of MS-Office Files: Enable or disable sharing MS-Office files. Default setting: Enable.
Profile Roaming: Enable or disable cellular data roaming. Default setting: Enable.
Action Center Notifications: Enable or disable Action Center notifications. Default setting: Enable.
Developer Unlock: Enable or disable Developer Unlock. Default setting: Enable.
Search to Use Location: Enable or disable the Access to my location feature on the device. Disabling this feature impacts Cortana and Bing. Default setting: Enable.
Manual Root Certificate Installation: Enable or disable the ability to manually install a root certificate on the device. If disabled, the device user cannot install a root certificate on the device, and so cannot add a trust anchor that could be used to intercept the device's TLS traffic. Default setting: Enable.
Store Images From Visual Search: Enable or disable the Visual Search option in Bing. Default setting: Enable.
Voice Recording: Enable or disable voice recording in Cortana. Default setting: Enable.
Return Without Password: Enable or disable the device user's ability to set the grace period for locking. If enabled, the device user can set the grace period for locking the device. If disabled, the Security policy sets the grace period, and the option is not available to the device user. Default setting: Enable.
Cortana: Enable or disable Cortana. Default setting: Enable.
Note: Policy changes may cause devices to which that policy is applied to prompt the
user to restart the device.
Working with sync policies
Sync policies specify how the MobileIron Client behaves on the device and interacts
with MobileIron Core. These interactions include synchronization of profiles,
configurations, and app inventory.
Windows 8.1 RT and Pro devices sync only every 24 hours. The sync interval cannot
be set through the Sync settings. Force Device Check-In is supported: the admin can
force the device to check in at any time.
For Windows Phone 8.1 devices, only Sync Interval is applied. The sync interval is
applied when the device registers with MobileIron Core. Any changes to the sync
interval after the device has registered are not applied to the device.
Name: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. Default setting: Default Sync Policy.
Status: Select Active to turn on this policy. Select Inactive to turn off this policy. Default setting: Active.
Priority: Specify a priority for this policy in relation to other custom policies of this type. Priority determines which policy is applied in the case of a conflict. For example, if a device has two labels assigned to it, and each label has a different sync policy, then the priority determines which policy is applied. Select Higher than or Lower than and select the relative policy from the dropdown list. Because priority applies only to custom policies, this setting is not available when you create the first custom policy of this type. Default policies are not included in prioritization.
Description: Enter an explanation of the purpose of this policy. Default setting: Default Sync Policy.
Server IP/Host Name: Displays the IP address or host name of the MobileIron Core instance that the MobileIron Client will communicate with. This setting is completed automatically when the first phone registration is requested.
Use TLS: Specify whether to use Transport Layer Security for interactions between MobileIron Core and the MobileIron Client installed on devices. If this option is cleared, the client and Core exchange management traffic without transport encryption, so leave it selected. Default setting: selected.
Sync While Roaming: Specifies which data, if any, should be synchronized with Core while the device is roaming. Default setting: Only Activity and SMS Content.
- All Activity and Content: Causes all activity and content to be synchronized while the device is roaming.
- Only Activity and SMS Content: Restricts synchronized data to activity and SMS content while the device is roaming. Eliminates synchronization of some data to reduce the cost of data transfer when additional charges may apply. This option is selected by default.
- Only Roaming Status: Restricts synchronized data to roaming status while the device is roaming. Eliminates synchronization of most data to minimize the cost of data transfer when additional charges may apply. Synchronizing roaming status ensures that location data is communicated to the server and that roaming alerts can be generated in a timely fashion. International roaming alerts are not generated.
- No Sync: Prevents all data from being synchronized while the device is roaming. Roaming alerts may not be generated by Event Center in a timely fashion because the device cannot communicate its roaming status. Therefore, if international roaming alerts have been configured, the MobileIron Client on the device will generate a local roaming alert.
Heartbeat Interval: Not for iOS. Specify the maximum amount of time that the MobileIron Client will wait before sending a request to the MobileIron Server to confirm that the client and server are connected. Note that the MobileIron Client does not connect to the server according to this interval unless the Client is Always Connected option is selected. Default setting: 14.
MobileIron Core uses C2DM to immediately send lock, unlock, retire, and wipe
commands to devices. With this field enabled, Core can send these commands to the
device at any time without using C2DM.
Working with Docs@Work policies
Platform support: Android -; iOS yes; Win 7 -; WP8 -; Win 8.1 RT/Pro -.
Docs@Work policies specify settings that change the behavior of the Mobile@Work for
iOS app.
For information on configuring a Docs@Work policy, see For iOS: Set up Docs@Work
policies on page 571.
This policy applies only to supervised iOS 6 devices, that is, devices that have been
deployed using the Apple Configurator.
3. Click Save.
4. Apply the policy to the appropriate labels.
Important: Confirm that you have specified the correct proxy information and that
the proxy is reachable. Because this proxy applies to all HTTP traffic on the device,
an invalid or unreachable proxy server cuts the device off from the network, including
MobileIron Core, so the policy cannot be corrected or removed remotely. In this case,
physical access is required to reset the device.
Proxy Type: Select Manual or Auto. If you select Manual, then you must specify the proxy server address and port. A username and password for the server are optional input. If you select the Auto proxy type, then you have the option of entering a proxy autoconfiguration (PAC) URL.
Proxy Server: If you selected the Manual proxy type, enter the network address for the proxy server.
Proxy Server Port: If you selected the Manual proxy type, enter the port number for the proxy server.
User Name: Optional. Enter the user name for authenticating to the proxy server.
Password: Optional. Enter the password for authenticating to the proxy server.
Proxy PAC URL: Optional. If you selected the Auto proxy type, enter the proxy autoconfiguration (PAC) URL. If you leave this field blank, the device will use the web proxy autodiscovery protocol (WPAD) to determine the location of the PAC file.
4. Click Save.
5. Apply the policy to the appropriate labels.
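The proxy settings above, as an added example that is not MobileIron's code: validate the Manual and Auto inputs before they reach a device (the Important note explains why a bad value is expensive), optionally pre-flight the proxy with a TCP connect, and emit the iOS Global HTTP Proxy payload that carries the settings. The payload keys follow Apple's com.apple.proxy.http.global profile payload; the payload identifier prefix, the host name rules, and the sample values are assumptions. One caveat the table does not spell out: the proxy password travels in the profile as a plain string, so treat the exported profile as sensitive.

```python
# Added example (not MobileIron code): validate Global HTTP Proxy settings
# and emit the iOS payload that carries them.
import ipaddress
import plistlib
import socket
import uuid
from typing import Dict, Optional
from urllib.parse import urlsplit

# Keys follow Apple's Global HTTP Proxy payload; the identifier prefix is assumed.
PAYLOAD_TYPE = "com.apple.proxy.http.global"
PAYLOAD_ID_PREFIX = "com.example.mdm.globalproxy"


def _check_server(server: Optional[str]) -> str:
    """Accept a bare host name or IP literal only. An admin who pastes
    'http://proxy:8080' into the Proxy Server field would otherwise push a
    value the device cannot use, which is the lock-out the guide warns about."""
    s = (server or "").strip()
    if not s or "://" in s or "/" in s or any(c.isspace() for c in s):
        raise ValueError(f"proxy server must be a bare host name or IP literal: {server!r}")
    try:
        ipaddress.ip_address(s)          # IPv4 or IPv6 literal
        return s
    except ValueError:
        pass
    if not all(lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in s.split(".")):
        raise ValueError(f"invalid host name: {server!r}")
    return s


def _check_port(port) -> int:
    try:
        p = int(port)
    except (TypeError, ValueError):
        raise ValueError(f"proxy port must be an integer: {port!r}")
    if not 1 <= p <= 65535:
        raise ValueError(f"proxy port out of range: {p}")
    return p


def _check_pac_url(url: str) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"PAC URL must be an http(s) URL: {url!r}")
    return url


def build_global_http_proxy_payload(proxy_type: str, server: Optional[str] = None,
                                    port=None, username: Optional[str] = None,
                                    password: Optional[str] = None,
                                    pac_url: Optional[str] = None) -> Dict[str, object]:
    """Return the payload dictionary for one Global HTTP Proxy setting."""
    payload: Dict[str, object] = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_ID_PREFIX}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Global HTTP Proxy",
        "ProxyType": proxy_type,
    }
    if proxy_type == "Manual":
        payload["ProxyServer"] = _check_server(server)
        payload["ProxyServerPort"] = _check_port(port)
        if username:
            payload["ProxyUsername"] = username
        if password:
            # Carried as a plain string inside the profile: the profile itself
            # must be handled as a secret once this is set.
            payload["ProxyPassword"] = password
    elif proxy_type == "Auto":
        if pac_url:
            payload["ProxyPACURL"] = _check_pac_url(pac_url)
        # With no PAC URL the device falls back to WPAD discovery; no key needed.
    else:
        raise ValueError("proxy_type must be 'Manual' or 'Auto'")
    return payload


def proxy_reachable(server: str, port: int, timeout: float = 3.0) -> bool:
    """Pre-flight for the guide's warning: confirm the proxy accepts TCP
    connections before the policy is applied to a label."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


def to_plist(payload: Dict[str, object]) -> bytes:
    return plistlib.dumps(payload)


def from_plist(data: bytes) -> Dict[str, object]:
    return plistlib.loads(data)
```

Run proxy_reachable against the Manual server and port from the same network the devices will use before applying the label; a proxy reachable only from the admin's subnet still locks the devices out.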
See Android Kiosk Support on page 859 for information on configuring this policy.
4. Click Save.
5. Apply the policy to the appropriate labels (More Actions > Apply to Labels).
Upgrade Note: The Samsung KNOX license key for Samsung KNOX activation has
been moved from the Samsung (KNOX) Container policy (Policies & Configs >
Configurations) to the Samsung General policy (Policies & Configs > Policies). If a
license key is configured in the Container policy, then a new Samsung general policy is
automatically created.
Name: Enter a unique name for the policy.
Status: Select Active to turn on this policy. Select Inactive to turn off this policy.
Priority: Select Higher than or Lower than, then select an existing policy from the dropdown list. If you have multiple policies, use the Priority setting to select which policy gets applied. See Prioritizing policies in the MobileIron Core Administration Guide.
Description: Enter a description for the policy.
KNOX License Key: Enter the Samsung KNOX license key.
KNOX Device Attestation Enabled: To enable attestation, first select the I understand checkbox, then select KNOX Device Attestation Enabled. See also: Attestation support for Samsung KNOX on page 222. The attestation feature is supported starting in VSP version 6.0 and Mobile@Work for Android version 6.0.
4. Click Save.
The attestation feature requires Samsung Android devices that are attestation
capable.
Attestation works by sending a challenge to the device to test its integrity. The device responds, and MobileIron Core verifies the response and records the result. A device responds to the challenge in one of three ways:
Correctly, resulting in an attestation state of PASS
Incorrectly, resulting in an attestation state of FAIL
No response, resulting in an attestation state of UNKNOWN
A device without attestation support does not respond. A device that supports attestation may also not respond, for example, if it has no network connectivity, or if it was compromised and sends no response. Because UNKNOWN covers both cases, an UNKNOWN state is not by itself evidence that a device is intact.
An attestation challenge is sent to a device when the device checks in with MobileIron Core, but not more frequently than once per hour. The attestation result determines whether a Samsung KNOX container is removed, installed, or left unchanged. Additional compliance actions triggered by an attestation FAIL can be defined in a security policy.
Important Note: For all Samsung Android devices, whether or not they are
attestation-capable, enabling attestation for the device removes a pre-existing
Samsung KNOX container from the device.
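The challenge, the three outcomes and the once-per-hour throttle described above, as an added example in Python that is not MobileIron's or Samsung's code: a simulated Core-side verifier that challenges a device at most once per hour at check-in, classifies the reply as PASS, FAIL or UNKNOWN, and installs, removes or leaves the KNOX container accordingly. The HMAC over a random nonce stands in for the real KNOX attestation mechanism, which the page does not describe; the mapping of UNKNOWN to "leave the container unchanged" is an assumption; the device names and timestamps are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from enum import Enum


class AttestationState(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    UNKNOWN = "UNKNOWN"


# Core challenges a device when it checks in, but not more often than once per hour.
CHALLENGE_INTERVAL = timedelta(hours=1)


class SimulatedDevice:
    """Constructed stand-in for a Samsung Android device.

    `key` is a per-device secret shared with the verifier. It replaces the real
    KNOX attestation mechanism, which this example does not model (assumption).
    """

    def __init__(self, name, capable=True, online=True, compromised=False, container=False):
        self.name = name
        self.capable = capable          # attestation-capable hardware/firmware
        self.online = online            # has network connectivity right now
        self.compromised = compromised  # cannot produce a correct answer
        self.container = container      # a KNOX container currently exists
        self.key = os.urandom(16)

    def answer(self, nonce):
        # Unsupported or unreachable devices send nothing at all.
        if not self.capable or not self.online:
            return None
        # A compromised device answers, but not with the expected value.
        if self.compromised:
            return os.urandom(32)
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class AttestationVerifier:
    """Core-side logic: throttle challenges, classify the reply, act on the container."""

    def __init__(self):
        self.last_challenge = {}  # device name -> datetime of the last challenge
        self.state = {}           # device name -> AttestationState

    def enable_attestation(self, device):
        # Enabling attestation removes any pre-existing container, capable or not.
        device.container = False

    def check_in(self, device, now):
        last = self.last_challenge.get(device.name)
        if last is not None and now - last < CHALLENGE_INTERVAL:
            return None  # throttled: no challenge sent at this check-in
        self.last_challenge[device.name] = now

        nonce = os.urandom(16)
        reply = device.answer(nonce)
        expected = hmac.new(device.key, nonce, hashlib.sha256).digest()

        if reply is None:
            state = AttestationState.UNKNOWN
        elif hmac.compare_digest(reply, expected):
            state = AttestationState.PASS
        else:
            state = AttestationState.FAIL

        self.state[device.name] = state
        self._apply(device, state)
        return state

    @staticmethod
    def _apply(device, state):
        # PASS installs (or keeps) the container, FAIL removes it,
        # UNKNOWN leaves it unchanged (assumed mapping; adjust to your policy).
        if state is AttestationState.PASS:
            device.container = True
        elif state is AttestationState.FAIL:
            device.container = False


def run_demo():
    """Walk three device types through enabling attestation and two check-ins."""
    verifier = AttestationVerifier()
    t0 = datetime(2014, 6, 1, 9, 0)
    good = SimulatedDevice("good", container=True)
    compromised = SimulatedDevice("compromised", compromised=True, container=True)
    legacy = SimulatedDevice("legacy", capable=False, container=True)
    fleet = (good, compromised, legacy)
    for device in fleet:
        verifier.enable_attestation(device)
    first = {d.name: verifier.check_in(d, t0) for d in fleet}
    throttled = verifier.check_in(good, t0 + timedelta(minutes=30))
    return {
        "first": first,
        "throttled": throttled,
        "containers": {d.name: d.container for d in fleet},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note what the simulation makes visible: the legacy device and the compromised device both lose their container the moment attestation is enabled, and only the device that answers correctly gets it back. That is the reason for the recommendation below to enable attestation only for a homogeneous, attestation-capable group.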
Prerequisites
You must have a Samsung KNOX License Key to enable attestation.
Samsung Android devices that support attestation are required to take
advantage of this feature.
Recommendations
For the best user experience, apply attestation to a new device deployment. If
you enable attestation on a previously deployed device, any existing Samsung
KNOX container will be removed, and replaced only if the device passes the
attestation challenge.
We recommend enabling attestation in a homogeneous environment where all
the devices are known to support attestation. For example, where all
attestation-capable Samsung devices are corporate owned and assigned to an
LDAP group.
We strongly recommend against enabling attestation to groups of devices
where attestation support is unknown or mixed.
Follow these steps to enable attestation, create a related security policy with optional
custom compliance actions, and assign the policy to devices.
7.4 Select the label with attestation policies (for example, Attestation Label).
7.5 Click Apply.
Warning: For all Samsung Android devices, KNOX containers that were created before attestation is enabled are removed when the attestation policy is applied.
Once a label that includes a Samsung General policy with the attestation feature enabled is applied to a device, MobileIron Core sends attestation challenges to the device periodically. The behavior of each device type is detailed below.
Troubleshooting policies
The user has addressed the security policy violation, but the device is still
quarantined.
1. Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
2. Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.
Chapter 6
Managing Device Settings with Configurations
The following table summarizes the device settings managed by MobileIron Core.
Category: Types
Android Samsung: Samsung Browser, Samsung Kiosk, Samsung KNOX Container
Infrastructure: Exchange, Email, Wi-Fi, VPN, Bookmarks, Certificates, SCEP
MobileIron AppConnect: Configuration, Container Policy
MobileIron Features: Docs@Work, Web@Work
iOS and OS X (Mac): General, CalDAV, CardDAV, Web Clips, Configuration Profile, LDAP
iOS Only: AirPlay (starting with iOS 7), AirPrint (starting with iOS 7), APN, Provisioning Profile, Restrictions, Subscribed Calendars, Web Content Filter (starting with iOS 7), Managed App Config (starting with iOS 7), Single Sign-On Account (starting with iOS 7)
Windows Phone 8: Enrollment Token (AET)
Configurations page
Use the Policies & Configs > Configurations page to create and manage configurations.
It displays the following information for each configuration.
Name: Indicates a name for this group of settings.
Setting Type: Indicates the kind of configuration.
Description: Displays additional information about this group of settings.
# Phones: Indicates the number of phones to which this group of settings has been applied. Click the link to display a list of the devices.
Labels: Indicates the labels to which this group of settings has been applied.
WatchList: Displays the number of devices for which this group of settings is queued. Click the link to display a list of the devices.
Quarantined: Displays the number of devices that have had configurations removed due to policy violations. Click the link to display a list of the devices. See Creating a custom compliance action on page 194 for information on quarantining devices.
Required role
Users must have the View configuration role to access the Configurations page.
Default configurations
The following table summarizes the default configurations packaged with MobileIron
Core:
Note: System SCEP and Certificate settings are no longer available for selection as Identity Certificates in custom configurations (Policies & Configs > Configurations). They remain available in configurations that already used them as Identity Certificates before Core version 7.0.
4. If changing an access right is necessary, select an access right and click the appropriate arrow to move the access right to the Available list. The following table summarizes these access rights.
5. If you want MobileIron Core to indicate that the MDM profile has been removed
from iOS devices, select Check out when MDM profile is removed.
Note: Receipt of this alert is not guaranteed. Therefore, this setting does not
ensure notification upon removal of the profile.
6. If you want to automatically alert iOS users when a new iOS MDM configuration is
available, select Send an APNs message to iOS 5 and later devices...
7. Click Save.
Click the View Details button for Android devices to see information on each configuration.
Platforms: Android, iOS, WP8, Win 8.1 RT/Pro
Editing configurations
Platforms: Android, iOS, Win 7, WP8, Win 8.1 RT/Pro
To edit configurations:
1. In the Configurations screen, select the configuration you want to edit.
2. Click Edit.
Deleting configurations
Platforms: Android, iOS, Win 7, WP8, Win 8.1 RT/Pro
To delete configurations:
1. In the Configurations screen, select the settings you want to delete.
2. Click Delete.
Auto Fill: Select to enable automatic completion of web forms.
Cookies: Select to allow use of cookies.
Javascript: Select to enable Javascript.
Pop-ups: Select to allow pop-ups.
Show Security Warning: Select to display browser security warnings. Note: Not supported for Samsung Galaxy S4.
SmartCard Authentication: Select to enable SmartCard authentication. To use SmartCard authentication, also select Pop-ups and Show Security Warning. See Configuring SmartCard browser authentication on page 236.
Prerequisites:
Samsung KNOX license
Access to websites that require SmartCard authentication
Refer to the SmartCard reader's instructions to install and pair the SmartCard reader with the Samsung device.
Step-by-step
The following steps create a policy that enables KNOX, configure the Samsung
browser to enable SmartCard authentication, and configure the KNOX container to use
the browser configuration. (Note: In each step, you can edit an existing configuration
or policy instead of creating a new one.)
Start with a device that has the SmartCard-related policies and configurations applied
as described in the previous section.
See Samsung KNOX support on page 341 for information on configuring Samsung
KNOX support.
Note: Make sure only one Samsung KNOX container setting applies to each device.
Authentication
Password Type: Select the kind of password to require:
Alphanumeric: Must include at least one alphabetic and one numeric character.
Complex: Must include at least one alphabetic, one numeric, and one special character (i.e., a symbol).
Min Password Length: Specify a minimum length for the password. The accepted range is 6-16.
Min Number of Complex Characters: Specify the minimum number of complex characters for the passcode. Valid entries are 0-10. For example, to require at least two complex characters in the passcode, enter 2.
Max Character Occurrences: Specify a limit for the number of times a specific character can occur in the passcode. For example, to prevent a specific character from occurring 3 or more times, enter 2.
Max Character Sequence Length: Specify a limit for the number of characters that can appear in sequence in a passcode. For example, to prevent abc from occurring in a passcode, enter 2.
Max Numeric Sequence Length: Specify a limit for the number of numeric characters that can appear in sequence in a passcode. For example, to prevent 123 from occurring in a passcode, enter 2.
Min Character Change Length: Specify a minimum number of characters that must change when the passcode is reset. For example, to ensure that at least 2 characters change, enter 2.
Forbidden Strings: Specify any strings that must not be present in the passcode. To add a string: click + to add an entry, click the Name placeholder in the new entry, then replace Name with the string you want to add. For example, to prevent the passcode from including the user's email address or last name, enter $EMAIL$ and $LAST_NAME$. See Supported variables on page 242 for a list of supported variables.
Max Inactivity Timeout: Specify the idle time duration after which the lock should be enabled. If a password is set, the user will be prompted for it when unlocking the container.
Max Password Age: Specify the number of days after which the password will expire.
Stored Password History: Specify the number of previous passwords that are stored and cannot be reused when setting a new password.
Max Number of Failed Attempts: Specify the maximum number of failed password attempts to allow. When this number is exceeded, the container will be disabled.
Password Visible Option: Select Off to disable the Make password visible option.
Apps
Select the in-house apps to be installed in the container: click the + button, then select an app from the Name list. The Version and Package Name fields are filled in automatically.
Restrictions
Allow Camera: Select to allow the device user or third-party apps to use the photo camera, video camera, and video telephony features.
Allow Content Sharing (i.e., Share Via): Select to allow use of the Share Via list, which is displayed in certain apps that share content with other apps.
Allow Email Account Creation: Select to allow the user to create email accounts. By default, this is unselected and end users cannot create email accounts in the KNOX container.
Allow Non-Secure Keypad: Select to allow keyboards inside the container, regardless of whether they are pre-loaded or third-party keyboards.
Allow Samsung KNOX App Store: Select to allow device users to download apps from the Samsung KNOX app store (www.samsungknox.com).
App Settings
Browser: Specifies the Android Samsung Browser configuration to use in the container. You need to create the Samsung Browser configuration separately. Otherwise, this list will be empty.
Exchange: Specifies the Exchange configuration to use in the container. You need to create the Exchange configuration separately. Otherwise, this list will be empty.
VPN: Specifies the VPN configuration to use for Samsung KNOX IPsec in the container. You need to create the configuration separately. Otherwise, this list will be empty.
Note: The KNOX VPN client must be installed on the device before you push the KNOX VPN configuration.
1. Download the KNOX VPN client from the Samsung KNOX portal: https://www.samsungknox.com/en/resources/sdk/download-knox-vpn-client (go to Resources -> Tools (at the bottom) -> Download KNOX VPN Client). To create a user ID in the Samsung KNOX portal, an active KNOX license key (trial or product) is required.
2. Upload the KNOX VPN client to the App Distribution Library.
3. Create a new VPN configuration with Samsung KNOX IPsec specified as the connection type (Policies & Configs > Configurations > Add New > VPN).
4. Select the new VPN configuration in the Samsung KNOX container (Policies & Configs > Configurations > Add New > Android > Samsung KNOX Container).
Supported variables
The following variables are supported for Android Samsung KNOX Containers:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
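The passcode rules in the Authentication section of the container table above, as an added example in Python that is not MobileIron's or Samsung's code: a validator that applies each rule to a candidate passcode and expands the $EMAIL$ and $LAST_NAME$ forbidden strings from a constructed user record. The page gives one example per rule, so two details are assumptions: a "sequence" is taken to be adjacent characters whose code points step up by one (letters compared case-insensitively), and Min Character Change Length is counted as the number of characters in the new passcode that did not appear in the previous one.

```python
import re
import string
from collections import Counter
from dataclasses import dataclass, field

# Constructed user record standing in for the LDAP attributes behind Core's variables.
SAMPLE_USER = {
    "$EMAIL$": "jane.doe@example.com",
    "$USERID$": "jdoe",
    "$FIRST_NAME$": "Jane",
    "$LAST_NAME$": "Doe",
    "$DISPLAY_NAME$": "Jane Doe",
    "$NULL$": "",
}


def expand(template, user=SAMPLE_USER):
    """Replace $VAR$ tokens with the user's values; unknown tokens are left as-is."""
    return re.sub(r"\$[A-Z0-9_]+\$", lambda m: user.get(m.group(0), m.group(0)), template)


@dataclass
class ContainerPasscodePolicy:
    password_type: str = "Complex"   # "Alphanumeric" or "Complex"
    min_length: int = 8              # accepted range 6-16
    min_complex_chars: int = 1       # 0-10 special characters
    max_char_occurrences: int = 2    # 2 blocks a character occurring 3 or more times
    max_char_sequence: int = 2       # 2 blocks "abc"
    max_numeric_sequence: int = 2    # 2 blocks "123"
    min_change_length: int = 2       # characters that must change on reset
    forbidden: list = field(default_factory=lambda: ["$EMAIL$", "$LAST_NAME$"])


def longest_sequence(text, alphabet):
    """Length of the longest run of adjacent `alphabet` characters stepping up by one (assumed semantics)."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        if prev in alphabet and cur in alphabet and ord(cur) - ord(prev) == 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def check_passcode(passcode, policy, previous=None, user=SAMPLE_USER):
    """Return the policy rules the passcode violates; an empty list means it is accepted."""
    problems = []
    specials = [c for c in passcode if not c.isalnum()]
    if not (any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)):
        problems.append("needs at least one letter and one digit")
    if policy.password_type == "Complex" and not specials:
        problems.append("Complex type needs at least one special character")
    if len(specials) < policy.min_complex_chars:
        problems.append(f"needs at least {policy.min_complex_chars} complex characters")
    if len(passcode) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if passcode and max(Counter(passcode).values()) > policy.max_char_occurrences:
        problems.append(f"a character occurs more than {policy.max_char_occurrences} times")
    if longest_sequence(passcode.lower(), string.ascii_lowercase) > policy.max_char_sequence:
        problems.append(f"letter sequence longer than {policy.max_char_sequence}")
    if longest_sequence(passcode, string.digits) > policy.max_numeric_sequence:
        problems.append(f"digit sequence longer than {policy.max_numeric_sequence}")
    for template in policy.forbidden:
        value = expand(template, user)
        if value and value.lower() in passcode.lower():
            problems.append(f"contains forbidden string from {template}")
    if previous is not None:
        # Assumed interpretation: characters of the new passcode absent from the old one.
        changed = len(set(passcode) - set(previous))
        if changed < policy.min_change_length:
            problems.append(f"fewer than {policy.min_change_length} characters changed")
    return problems


if __name__ == "__main__":
    policy = ContainerPasscodePolicy()
    for candidate in ("Tr0ub4d0r!", "Doe12345!", "password"):
        print(candidate, check_passcode(candidate, policy) or "accepted")
```

Running the module shows "Doe12345!" rejected both for the digit run and for containing the user's last name, which is the point of expanding variables before matching: the forbidden string is per user, not a fixed list.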
Exchange settings
Platforms: Android, iOS, OS X, Win 7, WP8, Win 8.1 RT/Pro
Select Policies & Configs > Configurations > Add New > Exchange to specify the settings for the ActiveSync server that devices use. The ActiveSync server can be a Microsoft Exchange server, an IBM Lotus Notes Traveler server, Microsoft Office 365, or another server.
For OS X 10.7 and 10.8: Only contacts are synchronized. ActiveSync is not supported.
For OS X 10.9 Mavericks: Contacts, mail, notes, reminders, and calendar are synchro-
nized. ActiveSync is not supported.
For iOS:
If an Exchange profile already exists on the device, then attempts to distribute new
ActiveSync settings using MobileIron will fail.
For Android:
The Exchange configuration works with:
Android devices using the NitroDesk TouchDown email app and Android version 2.2 through 4.4
Android devices using the Android Email+ email app and Android version 4.0 through 4.4
Samsung SAFE devices running the Samsung native email app and Android version 2.2 through 4.4
HTC devices using HTC Sense 4.0 or later using the HTC native email app
Note: The HTC native email app does not work with Lotus Notes Traveler.
Motorola devices with Enterprise Device Management APIs and running Android 4.0, and using the Motorola native email app
For a more detailed list of Motorola devices, see http://developer.motorola.com/products/?filters=1425#filter
Note: The Motorola native email app does not work with Lotus Notes Traveler.
On some Motorola devices, the native email app exits after each setup step. On
these devices, the device user must relaunch the native email app to continue with
the next setup step.
After setup is completed, the Mobile@Work homescreen displays. On all other
devices, the email app starts after setup is completed.
The Exchange server or Sentry must use a trusted certificate. Motorola devices will
not configure an Exchange account to servers using untrusted certificates.
Exchange settings
The following table describes the Exchange settings you can specify.
General
Name: Enter brief text that identifies this group of Exchange settings.
Description: Enter additional text that clarifies the purpose of this group of Exchange settings.
Server Address: Enter the address of the ActiveSync server.
If you are using Standalone Sentry, enter the Standalone Sentry's address as follows:
If you are using Lotus Domino server 8.5.3.1 Upgrade Pack 1 for your ActiveSync server, set the server address to <Standalone Sentry's fully qualified domain name>/traveler.
If you are using a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1, set the address to <Standalone Sentry's fully qualified domain name>/servlet/traveler.
If you are using load balancers, contact MobileIron Professional Services.
ActiveSync User Email: Specify the variable for the email address to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US. Typically, you use $EMAIL$ in this field.
ActiveSync User Password: Specify the variable for the password to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US. Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.
Note: All variables and text up to the last valid variable will be visible. Anything after the last valid variable will not be visible. The valid variable may appear in either of the password fields. Valid variables are the variables in the dropdown list.
Identity Certificate: Select the SCEP entry you created for supporting Exchange ActiveSync, if you are implementing certificate-based authentication.
Password is also required: Specify whether to prompt device users for a password when certificate authentication is implemented. The password prompt is turned off by default. Once you specify an Identity Certificate, this option is enabled. Select the option if you want to retain the password prompt.
Items to Synchronize: Not for iOS, OS X or Android. Select the Outlook items to be synchronized: Contacts, Calendar, Email, Tasks.
Past Days of Email to Sync: Specify the maximum amount of email to synchronize each time by selecting an option from the dropdown list. On Android devices, this setting works only with these email apps: NitroDesk TouchDown (although the TouchDown app does not display this information in its settings screen), the native email app on Samsung SAFE devices, and Email+.
Move/Forward Messages to Other Email Accounts: Starting with iOS 5: Specifies whether device users can move or forward email from the originating email account. This feature is not supported for WP8 devices or for Android devices.
Enable S/MIME: Enables support for S/MIME encryption. This feature is not supported for WP8 devices.
S/MIME Signing identity: Select a certificate as a signing identity. This feature is not supported for WP8 devices.
S/MIME Encryption identity: Select a certificate as an encryption identity. This feature is not supported for WP8 devices.
ActiveSync: Not for iOS or OS X. Limited support for Android.
Sync during Peak Time: Select the preferred synchronization approach for peak times. This field is applicable to only some Android devices. On those devices, the synchronization approach that you choose applies at all times, not just peak times. The other ActiveSync settings, such as Off-peak times, do not apply to Android devices. The only Android devices that this field applies to are: Android devices using the NitroDesk TouchDown email app, Samsung SAFE devices using their native email app, and Android devices using Email+. For WP8 devices, the following Peak times are not supported: Every 5 minutes, Every 10 minutes, Every 2 hours, Every 4 hours.
Off-peak Time: Select the preferred synchronization approach for off-peak times. This feature is not supported for WP8 devices.
Use above settings when roaming: Specify whether to apply synchronization preferences while roaming. This feature is not supported for WP8 devices.
Send/receive when send: Specify whether queued messages should be sent and received whenever the user sends a message. This feature is not supported for WP8 devices.
Peak Time
Peak Days: Specify which days should be considered peak days. This feature is not supported for WP8 devices.
Start Time: Specify the beginning of the peak period for all peak days. This feature is not supported for WP8 devices.
End Time: Specify the end of the peak period for all peak days. This feature is not supported for WP8 devices.
iOS 5 and Later Settings
Email access to Third-Party apps: Specifies whether third-party apps can use the account for email access.
Recent Address syncing: iOS 6 and iOS 7. Specifies whether recently-used email addresses can be synchronized.
Android
Exchange App Priority: Drag and drop email configurations to specify which are allowed. Change the order of selected configurations to specify priority. If there are no email apps specified in the Selected column, then Mobile@Work uses the following provisioning priority:
1. Android Email+
2. NitroDesk TouchDown
3. Native email app
General
Accept all SSL certificates: Enables device users to set Android devices to accept all SSL certificates. This setting applies to Android Email+, Samsung SAFE Email, and TouchDown and is intended for use when the MobileIron Sentry uses self-signed certificates. Note: Use caution when enabling this setting. With certificate validation switched off, the email client cannot tell the Sentry apart from any other host presenting a certificate, so device users might unknowingly expose the device and their credentials to attack. Installing a certificate from a trusted CA on the Sentry avoids the need for this setting.
Copy/Paste: Prevents use of the copy and paste commands in the NitroDesk TouchDown email app and in Android Email+.
Allow access to secure info from outside container: Specify whether to publish contacts and calendar items to non-secure email clients running on the same device. For Secure Android Email+, you can allow access to both contacts and calendar. For Secure NitroDesk TouchDown, you can allow access to contacts.
NitroDesk TouchDown: If you are using NitroDesk's TouchDown to manage Exchange on Android devices, enter the license key you received from NitroDesk. The license key will be provisioned with the other Exchange settings in this profile.
Samsung SAFE (Samsung SAFE 4.x)
Email Account Creation By User: Select this option to allow Samsung SAFE device users to create an email account on the device. Otherwise, email accounts can be created only as part of Core-initiated provisioning of supported email clients.
HTML Email: Select this option to allow viewing of HTML email. This option is not enabled by default, which prevents rendering of HTML-based email.
SmartCard Authentication: Select this option to enable SmartCard authentication. SmartCard authentication is generally reserved for high-security environments using multi-factor authentication.
The MobileIron Core administrator can configure and apply up to two Exchange settings for each device. Exchange settings are found in the Admin Portal under Policies & Configs > Configurations. The device must be running Mobile@Work version 6.0 when it receives the configuration.
On the device, both mailboxes appear in a single email app. The email app is determined by 1) the email app's priority as specified in the Exchange Settings Exchange App Priority, and 2) the email app's availability on the device. For example, if both Samsung Native Email and Email+ are available on the device, the app with the highest priority is used.
Note that Mobile@Work's Options > Email Status is not supported for multiple Exchange accounts.
Email settings
Platforms: iOS, OS X (not Android, Win 7, WP8, or Win 8.1 RT/Pro)
Select Policies & Configs > Configurations > Add New > Email to set up POP or IMAP
email.
The following table describes the email settings you can specify:
Name: Enter brief text that identifies this group of email settings.
Description: Enter additional text that clarifies the purpose of this group of email settings.
Account Type: Select POP or IMAP to indicate the type of email account you are configuring. The internet service provider (ISP) can give you information on which type of account is available.
User Email: Specify the email address to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your email standard might be $EMAIL$_US for users in the United States. See Supported variables on page 252.
Incoming Mail Server Settings
Path Prefix: Specify the IMAP path prefix for the email client. A prefix is generally required when all IMAP folders are listed under the Inbox. ISPs that require prefixes usually provide information on the specific prefix to configure.
Server Address: Specify the address for the server handling incoming mail. The internet service provider (ISP) can give you this address.
Server Port: Specify the port number for the server handling incoming mail. The internet service provider (ISP) can give you this information.
Require SSL: Specify whether secure sockets layer (SSL) is required for incoming email transport. This is determined by the way in which the user mailboxes are set up. Your internet service provider (ISP) can give you this information.
User Name: Specify the email address to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 252.
Use Password Authentication: iOS and OS X only: Specify whether to authenticate the password for email access.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 252.
Outgoing (SMTP) Mail Server Settings
Server Address: Specify the address for the SMTP server handling outgoing mail.
Server Port: Specify the port number for the SMTP server handling outgoing mail.
Require SSL: Specify whether to use secure sockets layer (SSL) for outgoing email transport.
Require Authentication: Specify whether the SMTP server requires the client to authenticate before it accepts outgoing mail.
Use Same User Name and Password for Sending Email: Specify whether to use the same user name and password used for incoming email. If you select this option, then the Server User Name option is disabled.
Server User Name: Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 252.
Use Password Authentication: iOS and OS X only: Specify whether to authenticate the password for email access.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 252.
Advanced Settings: Not for iOS, OS X
Automatic Send/Receive: Specify how new email should be sent and retrieved. You can set an automatic time interval or select Manual to configure no automatic email exchange.
Download Messages: Specify the number of messages to download to the device during send/receive.
Message Format: Indicate whether messages should be formatted in plain text or HTML.
Message Download Limit: Specify a size limit for a single message to be downloaded.
Download Attachment: Specify a size limit for an attachment to be downloaded, or specify that attachments are not to be downloaded.
iOS 5 Settings
Block move/forward messages to other email accounts: Enables the iOS 5 feature that prevents users from moving email messages to other email accounts or forwarding email from accounts other than the originating account.
Block email access to 3rd party apps: Prevents third-party apps from using the account for email access.
Enable S/MIME: Enables support for S/MIME encryption.
S/MIME Signing identity: Enables selection of a certificate as the signing identity. If you do not select a certificate, then the device user will be prompted to select from the certificates that are already on the device.
S/MIME Encryption identity: Enables selection of a certificate as the encryption identity. If you do not select a certificate, then the device user will be prompted to select from the certificates that are already on the device.
Allow Recent Address syncing: iOS 6 and iOS 7. Enables synchronization of recently-used email addresses.
Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$PASSWORD$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
Wi-Fi settings
Platforms: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Select Policies & Configs > Configurations > Add New > Wi-Fi to configure wireless
network access.
Authentication types
The fields that appear in the New Wifi Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the Authentication field:
Open authentication
Shared authentication
WPA Enterprise authentication
Open authentication
Use the following guidelines to set up Open authentication.
Name: Enter the name to use to reference this configuration in MobileIron.
Network Name (SSID): Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description: Enter additional text to clarify the purpose of this group of Wi-Fi settings.
Hidden Network: Select this option if the SSID is not broadcast.
Authentication: Select Open.
Data Encryption: Not Applicable for iOS. Select the data encryption method associated with the selected authentication type. The selection affects which of the following fields are displayed. For Open authentication, the following encryption options are available: Disabled, WEP, WEP Enterprise (Not Applicable for Android).
Network Key: WEP encryption. Not Applicable for iOS. Enter the network key necessary for accessing this network. The network key should be 5 or 13 ASCII characters or 10 or 26 hexadecimal digits.
Key Index: WEP encryption. If using multiple network keys, select a number indicating the memory position of the correct encryption key.
Confirm Network Key: Not Applicable for iOS. Re-enter the network key to confirm.
User Name: WEP Enterprise encryption. Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.
Password: WEP Enterprise encryption. Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$. Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.
Note the following:
If you specify $PASSWORD$, also enable Save User Password under Settings > Preferences.
All variables and text up to the last valid variable will be visible. Anything after the last valid variable will not be visible. The valid variable may appear in either of the password fields.
EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Proxy User Name For manual proxies, specifies the optional user name for
server access.
Proxy Password For manual proxies, specifies the optional password for
server access.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
Shared authentication
Use the following guidelines to set up shared authentication:
Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name (SSID) Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select Shared.
Data Encryption Not Applicable for iOS. Select the data encryption method associated with the selected authentication type. The selection affects which of the following fields are displayed. For Shared authentication, the following encryption options are available:
Disabled
WEP
WEP Enterprise (Not Applicable for Android)
Network Key WEP encryption
Not Applicable for iOS. Enter the network key necessary
for accessing this network. The network key should be 5 or
13 ASCII characters or 10 or 26 hexadecimal digits.
Key Index WEP encryption
If using multiple network keys, select a number indicating
the memory position of the correct encryption key.
Confirm Network Key Not Applicable for iOS. Re-enter the network key to confirm.
User Name WEP Enterprise encryption
Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.
Password WEP Enterprise encryption
Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.
Note the following:
If you specify $PASSWORD$, also enable Save User
Password under Settings > Preferences.
All variables and text up to the last valid variable will be
visible. Anything after the last valid variable will not be
visible. The valid variable may appear in either of the
password fields.
EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
WPA Enterprise authentication
Use the following guidelines to set up WPA Enterprise authentication:
Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name (SSID) Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA Enterprise.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For WPA
Enterprise authentication, the following encryption options
are available:
AES
TKIP
User Name Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.
Password Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.
Note the following:
If you specify $PASSWORD$, also enable Save User
Password under Settings > Preferences.
All variables and text up to the last valid variable will be
visible. Anything after the last valid variable will not be
visible. The valid variable may appear in either of the
password fields.
Apply to Certificates Configure this field with the CA certificate needed to validate the Identity Certificate presented by the Wi-Fi Access Point (that is, by the RADIUS/EAP authentication server behind it). It is not the CA certificate needed to validate the Identity Certificate sent to the device in the Wi-Fi config.
Android only: Though this section allows multiple certificates to be configured, Android supports only one entry in this field. If more than one is configured, only one of them will be installed on the device. If more than one CA certificate is required to validate the Access Point Identity Certificate, they must be installed using separate Wi-Fi profiles.
Trusted Certificate Names Not applicable for Android. If you did not specify trusted certificates in the Apply to Certificates list, then enter the names of the authentication servers to be trusted. You can specify a particular server, such as server.mycompany.com, or a partial name such as *.mycompany.com.
Allow Trust Exceptions Not applicable for Android. Select this option to let users decide to trust a server when the chain of trust can't be established. Leaving it enabled means a rogue access point presenting an untrusted certificate can prompt the user and, if the user accepts, receive the user's EAP credentials. To avoid these prompts, and to permit connections only to trusted services, turn off this option and upload all necessary certificates.
Use Per-connection Password Not applicable for Android. Select this option to prompt the user to enter a password each time the device connects to the Wi-Fi network.
EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
WPA2 Enterprise authentication
Use the following guidelines to set up WPA2 Enterprise authentication:
Item Description
Name Enter the name to use to reference this configuration in MobileIron.
Network Name (SSID) Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA2 Enterprise.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For
WPA2 Enterprise authentication, the following encryption
options are available:
AES
TKIP
User Name Specify the variable to use as the user name when establishing the Wi-Fi connection. See Supported variables on page 267.
Password Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$.
Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.
Note the following:
If you specify $PASSWORD$, also enable Save User
Password under Settings > Preferences.
All variables and text up to the last valid variable will be
visible. Anything after the last valid variable will not be
visible. The valid variable may appear in either of the
password fields. Valid variables are variables in the
dropdown list.
Apply to Certificates Configure this field with the CA certificate needed to validate the Identity Certificate presented by the Wi-Fi Access Point (that is, by the RADIUS/EAP authentication server behind it). It is not the CA certificate needed to validate the Identity Certificate sent to the device in the Wi-Fi config.
Android only: Though this section allows multiple certificates to be configured, Android supports only one entry in this field. If more than one is configured, only one of them will be installed on the device. If more than one CA certificate is required to validate the Access Point Identity Certificate, they must be installed using separate Wi-Fi profiles.
Trusted Certificate Names Not applicable for Android. If you did not specify trusted certificates in the Apply to Certificates list, then enter the names of the authentication servers to be trusted. You can specify a particular server, such as server.mycompany.com, or a partial name such as *.mycompany.com.
Allow Trust Exceptions Not applicable for Android. Select this option to let users decide to trust a server when the chain of trust can't be established. Leaving it enabled means a rogue access point presenting an untrusted certificate can prompt the user and, if the user accepts, receive the user's EAP credentials. To avoid these prompts, and to permit connections only to trusted services, turn off this option and upload all necessary certificates.
Use Per-connection Password Not applicable for Android. Select this option to prompt the user to enter a password each time the device connects to the Wi-Fi network.
EAP Type Select the authentication protocol used:
EAP-FAST (Does not apply for Android)
EAP-SIM (Does not apply for Android)
LEAP (Does not apply for Android)
PEAP
TLS
TTLS
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
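The three trust fields in the WPA Enterprise and WPA2 Enterprise tables above (Apply to Certificates, Trusted Certificate Names, Allow Trust Exceptions) together decide whether a device will authenticate to the server behind an access point. The following Python is an added example, not MobileIron or Apple code, that models that decision. Certificates and CAs are plain records identified by name rather than parsed X.509; the one-label wildcard rule for partial names and the fallback to the device's built-in roots when no CA is configured are assumptions; the policies and certificates are constructed samples. It shows why a pinned CA with Allow Trust Exceptions turned off is the combination that stops an evil-twin access point.

```python
"""Trust decision for the authentication server behind an enterprise Wi-Fi
network, modelled on the profile fields Apply to Certificates, Trusted
Certificate Names and Allow Trust Exceptions. Added example; not MobileIron
or Apple code. Certificates are plain records, not parsed X.509 (assumption)."""
from dataclasses import dataclass
from typing import Sequence

TRUST = "trust"              # connect silently
PROMPT_USER = "prompt-user"  # let the user accept an unverified server
REJECT = "reject"            # refuse to authenticate; no credentials are sent

# Constructed stand-in for the roots the OS ships with (assumption).
DEVICE_ROOT_CAS = ("Public Root CA 1", "Public Root CA 2")


@dataclass(frozen=True)
class ServerCert:
    """The identity certificate the access point's authentication server presents."""
    subject_cn: str
    san_dns: Sequence[str]
    issuer: str  # CA that signed it; a name here, not a real chain


@dataclass(frozen=True)
class WifiTrustPolicy:
    apply_to_certificates: Sequence[str]      # CAs uploaded under Apply to Certificates
    trusted_certificate_names: Sequence[str]  # Trusted Certificate Names entries
    allow_trust_exceptions: bool = False


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a Trusted Certificate Names entry against a presented name.
    Exact entries compare case-insensitively; a "*." prefix covers exactly one
    label, as in TLS hostname matching (assumption: the guide only states that
    a partial name such as *.mycompany.com is accepted)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mycompany.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def evaluate_server_trust(policy: WifiTrustPolicy, cert: ServerCert,
                          device_roots: Sequence[str] = DEVICE_ROOT_CAS) -> str:
    """Return TRUST, PROMPT_USER or REJECT for the presented server certificate.
    With CAs configured, the chain must anchor at one of them; without any, the
    device roots are used and the name list is the only pin. With Allow Trust
    Exceptions off, any failure is a hard reject."""
    anchors = policy.apply_to_certificates or device_roots
    chain_ok = cert.issuer in anchors
    presented = [cert.subject_cn, *cert.san_dns]
    names = policy.trusted_certificate_names
    name_ok = not names or any(name_matches(p, n) for p in names for n in presented)
    if chain_ok and name_ok:
        return TRUST
    return PROMPT_USER if policy.allow_trust_exceptions else REJECT


# Constructed policies and certificates.
CORP_CA = "Corp Internal Issuing CA"
STRICT = WifiTrustPolicy([CORP_CA], ["*.mycompany.com"], allow_trust_exceptions=False)
LENIENT = WifiTrustPolicy([], ["radius.mycompany.com"], allow_trust_exceptions=True)

GENUINE = ServerCert("radius.mycompany.com", ["radius.mycompany.com"], CORP_CA)
# Evil twin: same SSID and server name, but a certificate the device cannot chain.
EVIL_TWIN = ServerCert("radius.mycompany.com", ["radius.mycompany.com"], "Rogue CA")
# Legitimate CA, but a name two labels deep that the wildcard does not cover.
DEEP_NAME = ServerCert("nps.corp.mycompany.com", [], CORP_CA)

if __name__ == "__main__":
    for label, policy, cert in [("strict/genuine", STRICT, GENUINE),
                                ("strict/evil twin", STRICT, EVIL_TWIN),
                                ("lenient/evil twin", LENIENT, EVIL_TWIN),
                                ("strict/deep name", STRICT, DEEP_NAME)]:
        print(f"{label:18s} -> {evaluate_server_trust(policy, cert)}")
```

The lenient policy is the one to avoid: with no CA pinned and trust exceptions on, the rogue server is not refused but handed to the user to decide, which on a PEAP or TTLS network is exactly the prompt a credential-harvesting access point relies on.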
WPA Personal authentication
Use the following guidelines to set up WPA Personal authentication:
Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name (SSID) Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA Personal.
Data Encryption Not Applicable for iOS. Select the data encryption method
associated with the selected authentication type. For WPA
Personal authentication, the following encryption options
are available:
AES
TKIP
Network Key Not Applicable for iOS. Enter the network key necessary for accessing this network. The key should be at least 8 characters long. Use a long, random passphrase: a short or guessable one can be recovered offline from a single captured four-way handshake.
Confirm Network Key Not Applicable for iOS. Re-enter the network key to confirm.
EAP Type Not applicable.
Connects To Select Internet or Work.
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
WPA2 Personal authentication
Use the following guidelines to set up WPA2 Personal authentication:
Item Description
Name Enter the name to use to reference this configuration in
MobileIron.
Network Name (SSID) Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description Enter additional text to clarify the purpose of this group of
Wi-Fi settings.
Hidden Network Select this option if the SSID is not broadcast.
Authentication Select WPA2 Personal.
Data Encryption Not Applicable for iOS. Select the data encryption method associated with the selected authentication type. For WPA2 Personal authentication, the following encryption options are available:
AES
TKIP
Network Key Not Applicable for iOS. Enter the network key necessary for accessing this network. The key should be at least 8 characters long.
Confirm Network Key Not Applicable for iOS. Re-enter the network key to confirm.
EAP Type Not applicable.
Connects To Select Internet or Work.
iOS 5 Settings
Auto Join Specifies whether devices should automatically join the
corresponding Wi-Fi network. If this option is not selected,
device users must tap the network name on the device to
join the network.
Proxy Type Specifies whether a proxy is configured, and which type.
Available types are Manual and Auto.
Proxy PAC URL Specifies the URL for the proxy auto-configuration (PAC)
file.
Proxy Server Specifies the proxy server's IP address.
Priority For iOS 7 and iOS 7.1 only.
Enter a number between -100 and +100 to set the priority
for the Wi-Fi setting.
If multiple Wi-Fi settings are applied, the device selects
the Wi-Fi setting with the higher priority. The lower the
number the higher the priority.
Supported variables
You can use the following variables in fields that support variables.
$PASSWORD$ (only supported in the password field)
$EMAIL$
$USERID$
$DEVICE_MAC$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
VPN settings
Applies to: Android, iOS, OS X, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Select Policies & Configs > Configurations > Add New > VPN to configure VPN access.
The fields that appear in the New VPN Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the Connection
Type field.
Note the following for Windows 8.1 for RT and Pro devices:
If you change the name of a VPN profile, it is pushed as a new profile to the device.
Under Settings > Preferences, the Save User Password Preferences setting is not supported. If a VPN setting with Username as $USERID$ and Password as $PASSWORD$ is pushed to the device, the user is still prompted for a password.
Only PPTP, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect VPN types are supported.
PPTP
Use the following guidelines to configure PPTP VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select PPTP (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Authentication Select the authentication method to use: Password or RSA
SecureID.
Encryption Level Select None, Automatic or Maximum (128 bit). This sets the MPPE (RC4) encryption PPTP uses. Because PPTP's MS-CHAPv2 authentication and MPPE are considered broken, prefer one of the IPsec or SSL connection types wherever the VPN server supports them.
Domain Specify the network domain.
Send all Traffic Routes all of the device's traffic through the VPN tunnel instead of only traffic destined for the VPN's networks (no split tunneling). Selecting this option protects data from being compromised, particularly on public networks.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.
L2TP
Use the following guidelines to configure L2TP VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select L2TP (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. This field does not display if you selected RSA SecureID for authentication.
See Supported variables on page 294.
Authentication Select the authentication method to use: Password or RSA
SecureID.
Shared Secret The shared secret passcode. This is not the user's password; the shared secret must be specified to initiate a connection.
Confirm Shared Secret Re-enter the shared secret to confirm.
Send all Traffic Routes all of the device's traffic through the VPN tunnel instead of only traffic destined for the VPN's networks (no split tunneling). Selecting this option protects data from being compromised, particularly on public networks.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.
IPSec (Cisco)
Use the following guidelines to configure IPSec (Cisco) VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select IPSec (Cisco).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
XAuth Enabled Specifies that IPsec XAuth (extended authentication) is enabled, so the user is authenticated with a user name and password in addition to the group shared secret or certificate. Select this option if your VPN requires this second factor; the device then prompts for the password. This option is enabled by default.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Authentication Select the authentication method to use: Shared Secret/
Group Name or Certificate.
Group Name Shared Secret/Group Name authentication.
Specify the name of the group to use. If Hybrid Authenti-
cation is used, the string must end with [hybrid].
Shared Secret Shared Secret/Group Name authentication.
The shared secret passcode. This is not the user's password; the shared secret must be specified to initiate a connection.
Confirm Shared Secret Shared Secret/Group Name authentication.
Re-enter the shared secret to confirm.
Use Hybrid Authentication Shared Secret/Group Name authentication.
Select to specify hybrid authentication, i.e., the server provides a certificate and the client provides a pre-shared key.
Prompt for Password Shared Secret/Group Name authentication.
Specify whether the user should be prompted for a pass-
word when connecting.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
Include User PIN Certificate authentication.
Select to prompt the user for a PIN.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and
Changing iOS app information on page 499 for informa-
tion on how to add or edit iOS apps.
Proxy Select Manual or Automatic to configure a proxy. If you
select Manual, you must specify the proxy server name
and port number. If you select Automatic, you must spec-
ify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Click to add a new On Demand matching rule.
Rule
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.
Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: the DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.
Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.
Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to: Select the action for the Default Rule.
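To make the matching semantics of this table concrete (rules checked in order on an interface change, every Type/Value pair in a rule required, first match wins, the Default Rule otherwise, and the per-domain "Connect if needed" behaviour of Evaluate Connection), the following Python is an added example. It is not MobileIron or Apple code, and the same logic applies to the identical On Demand Rules section under Cisco AnyConnect later in this chapter. Assumptions: '*' wildcards follow fnmatch semantics; the DNS Domain key is represented as the list of domains the current network reports; the URL String Probe is a callable; and the rules, device states and resolver are constructed samples. The spoofed-SSID state shows why pairing an SSID rule with a DNS Server Address rule is stronger than the SSID alone.

```python
"""VPN On Demand rule evaluation as described in the On Demand Rules table:
rules are checked in order when the primary interface changes, every
Type/Value pair in a rule must match, the first matching rule's Action wins,
otherwise the Default Rule applies. Added example; not MobileIron or Apple code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional

CONNECT = "Connect"
DISCONNECT = "Disconnect"
ALLOW = "Allow"
IGNORE = "Ignore"
EVALUATE = "Evaluate Connection"


@dataclass
class NetworkState:
    """What the device sees after an interface change (constructed sample input)."""
    interface: str                    # "Wifi" or "Cellular"
    ssid: Optional[str]               # None when not on Wi-Fi
    dns_servers: List[str]
    dns_domains: List[str]            # stands in for "the domain being accessed"
    reachable: Callable[[str], bool]  # URL String Probe stand-in


@dataclass
class MatchingRule:
    action: str
    criteria: Dict[str, List[str]]    # Type -> Values, e.g. {"SSID": ["CorpWiFi"]}
    description: str = ""


def _glob_any(patterns: List[str], value: str) -> bool:
    # '*' is a wildcard: "*.example.com" matches anything.example.com and
    # "1.2.3.*" matches any server in 1.2.3.0/24 (fnmatch semantics; assumption).
    return any(fnmatchcase(value, p) for p in patterns)


def criterion_matches(key: str, values: List[str], state: NetworkState) -> bool:
    """One Type/Value pair against the current network state."""
    if key == "DNS Domain":
        return any(_glob_any(values, d) for d in state.dns_domains)
    if key == "Interface Type":
        return state.interface in values
    if key == "DNS Server Address":
        # Every current DNS server must match an entry, or the criterion fails.
        return bool(state.dns_servers) and all(_glob_any(values, s) for s in state.dns_servers)
    if key == "SSID":
        # Fails when not on Wi-Fi or when the SSID is not in the list.
        return state.interface == "Wifi" and state.ssid in values
    if key == "URL String Probe":
        return all(state.reachable(url) for url in values)
    raise ValueError(f"unknown key type: {key}")


def select_action(rules, default_action, state):
    """First rule whose criteria all match wins; the Default Rule otherwise."""
    for rule in rules:
        if all(criterion_matches(k, v, state) for k, v in rule.criteria.items()):
            return rule.action, rule
    return default_action, None


def evaluate_connection(hostname, connect_if_needed, never_connect, resolve):
    """Per-connection decision for an Evaluate Connection rule: 'Never connect'
    domains never trigger VPN; 'Connect if needed' domains trigger it only when
    name resolution fails (resolve() returns None)."""
    if _glob_any(never_connect, hostname):
        return False
    if _glob_any(connect_if_needed, hostname):
        return resolve(hostname) is None
    return False


# Constructed policy: on the corporate SSID *with* corporate DNS servers stay off
# VPN; on any other Wi-Fi connect; on cellular decide per domain; otherwise ignore.
CORP_WIFI = MatchingRule(DISCONNECT, {"SSID": ["CorpWiFi", "CorpWiFi-5G"],
                                      "DNS Server Address": ["10.1.0.*"]}, "on-prem")
OTHER_WIFI = MatchingRule(CONNECT, {"Interface Type": ["Wifi"]}, "untrusted Wi-Fi")
CELLULAR = MatchingRule(EVALUATE, {"Interface Type": ["Cellular"]}, "cellular")
RULES = [CORP_WIFI, OTHER_WIFI, CELLULAR]
DEFAULT_ACTION = IGNORE


def always_up(url: str) -> bool:
    """Constructed probe: every URL is reachable."""
    return True


# Constructed device states.
OFFICE = NetworkState("Wifi", "CorpWiFi", ["10.1.0.53", "10.1.0.54"], ["corp.mycompany.com"], always_up)
CAFE = NetworkState("Wifi", "FreeCafe", ["192.168.0.1"], [], always_up)
# An evil twin can copy the SSID but not the corporate DNS servers, so rule 1 fails.
SPOOFED = NetworkState("Wifi", "CorpWiFi", ["192.168.0.1"], [], always_up)
MOBILE = NetworkState("Cellular", None, ["8.8.8.8"], [], always_up)
WIRED = NetworkState("Wired", None, ["10.1.0.53"], ["corp.mycompany.com"], always_up)


def corp_resolver(hostname: str) -> Optional[str]:
    """Constructed resolver: only the public web host resolves off-VPN."""
    return "203.0.113.10" if hostname == "www.mycompany.com" else None


if __name__ == "__main__":
    for name, state in [("office", OFFICE), ("cafe", CAFE), ("spoofed", SPOOFED),
                        ("mobile", MOBILE), ("wired", WIRED)]:
        action, rule = select_action(RULES, DEFAULT_ACTION, state)
        print(f"{name:8s} -> {action} ({rule.description if rule else 'default'})")
    print(evaluate_connection("intranet.corp.mycompany.com", ["*.corp.mycompany.com"],
                              ["*.public.mycompany.com"], corp_resolver))
```

Because rules are applied only when the interface changes, the Evaluate Connection path is what decides per destination afterwards; the resolver callable stands in for the device's DNS lookup so the "Connect if needed" trigger can be exercised without network access.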
IKEv2
Use the following guidelines to configure IKEv2 VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select IKEv2 (WP8.1 only).
Server Enter the IP address, hostname, or URL for the VPN server.
Proxy Select None, Manual or Automatic to configure a proxy. If
you select Manual, you must specify the proxy server
name and port number. If you select Automatic, you must
specify the proxy server URL.
Note: WP8.1 devices do not currently support Automatic
Proxy.
Proxy Server URL Automatic Proxy
Enter the URL for the proxy server.
Proxy Server Manual Proxy
Enter the name for the proxy server.
Proxy Server Port Manual Proxy
Enter the port for the proxy server.
Type Manual Proxy
Select Static or Variable.
Proxy Server User Name Manual Proxy
If the type is Static, enter the username for the proxy server.
If the type is Variable, the default variable selected is $USERID$.
Note: WP8.1 devices do not support Proxy Server User Name.
Proxy Server Password Manual Proxy
If the type is Static, enter the password for the proxy server.
If the type is Variable, the default variable selected is $PASSWORD$.
Note: WP8.1 devices do not support Proxy Server Password.
Username Specify the user name to use. The default value is
$USERID$. Use this field to specify an alternate format.
For example, your standard might be $EMAIL$.
Why: Some enterprises have a strong preference
concerning which identifier is exposed.
Custom variables are not supported. See Supported
variables.
User Authentication Select the authentication method to use: Password or
Certificate.
Password Specify the password to use. The default value is
$PASSWORD$. Use this field to specify a custom format,
such as $PASSWORD$_$USERID$.
Custom variables are not supported. See Supported
variables.
Identity Certificate Certificate User Authentication
Select the WIN*SCEP setting generated using reverse
proxy.
Supported variables
You can use the following variables in fields that support variables:
$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
Enter $NULL$ if you want the field presented to the user to be blank.
Samsung KNOX IPsec
Use the following guidelines to configure Samsung KNOX IPsec VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Samsung KNOX IPsec.
Server Enter the IP address, hostname, or URL for the VPN server.
Backup Server Enter the IP address, hostname, or URL for the fallback
server to use in the event that the primary server is not
available.
Authentication Type Select the authentication method to use: Pre-Shared Key
or Certificate.
Shared Secret Pre-Shared Key authentication.
The shared secret passcode. This is not the user's password; the shared secret must be specified to initiate a connection.
Confirm Shared Secret Pre-Shared Key authentication.
Re-enter the shared secret to confirm.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
CA Certificate Certificate authentication.
Select the certificate entry that provides the CA certificate used to validate the VPN server's certificate, if you are implementing certificate-based authentication.
User Authentication Select to enable user authentication as an additional factor.
Username If User Authentication is selected, review the default variable to determine if it meets your needs. If it does not meet your needs, enter a different variable. See Supported variables on page 294.
Password If User Authentication is selected, review the default variable to determine if it meets your needs. If it does not meet your needs, enter a different variable. See Supported variables on page 294.
IKE Version Enter the Internet Key Exchange (IKE) version in use by your IPsec VPN server. IPsec uses IKE to negotiate the protocols and algorithms used for the connection and to generate the encryption and authentication keys.
Phase 1 Mode If you entered IKE version 1, select the Phase 1 mode of operation in use by your IPsec VPN server:
Main: Has three two-way exchanges between the initiator and the receiver, and protects the peers' identities.
Aggressive: Fewer exchanges are made, and with fewer packets; identities are sent in the clear, and with a pre-shared key the responder's hash can be captured for offline cracking, so prefer Main mode where the server allows it.
Group ID Type Select the Group ID type your IPsec VPN server uses to
authenticate to IKE peers.
Group Name Enter the group name for your IPsec VPN server. This
name corresponds to the value selected in Group ID Type.
Cisco AnyConnect
Use the following guidelines to configure Cisco AnyConnect VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Cisco AnyConnect (iOS, OSX, and Android only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Group Specify the name of the group to use.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.
Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.
Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.
Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to: Select the action for the Default Rule.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Juniper SSL.
Server Enter the IP address, hostname, or URL for the VPN server.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
User Name Specify the user name to use for authentication. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
User Authentication Select Password or Certificate.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Role Specify the Juniper user role to use as a restriction.
Realm Specify the Juniper realm to use as a restriction.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
iOS only. Select to enable the VPN on Demand section.
Click Add New to specify a domain or hostname and the
preferred connection option.
Per app VPN Certificate authentication.
iOS 7 and iOS 7.1 only. Select Yes to create a per app VPN
setting.
Note the following:
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.
Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.
Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.
Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to: Select the action for the Default Rule.
F5 SSL
Use the following guidelines to configure F5 SSL VPN.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select F5 SSL (iOS and OSX only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.
Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.
Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.
Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to: Select the action for the Default Rule.
Item Description
Name Enter brief text that identifies this group of VPN settings.
Description Enter additional text that clarifies the purpose of this
group of VPN settings.
Connection Type Select Custom SSL (iOS and OSX only).
Server Enter the IP address, hostname, or URL for the VPN server.
User Name Specify the user name to use. The default value is
$EMAIL$. Use this field to specify an alternate format. For
example, your standard might be $USERID$.
Why: Some enterprises have a strong preference concerning which identifier is exposed.
See Supported variables on page 294.
Password Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.
See Supported variables on page 294.
Identifier App Store identifier for the VPN app being configured. The
app creator should provide this information.
User Authentication Select Password or Certificate.
Identity Certificate Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Per app VPN Certificate authentication.
Select Yes to create a per app VPN setting.
Note the following:
This feature is only supported for iOS 7 and iOS 7.1.
You must update your VPN software to a version that
supports iOS 7 features.
An additional license may be required for this feature.
You cannot delete a per app VPN setting that is being
used by an app. Remove the per app VPN setting from
the app before you delete the setting.
You can enable per app VPN for an app when you:
add the app using the Add App Wizard.
edit an in-house app or an App Store app in the App
Distribution Library.
See Adding in-house apps for iOS on page 492 and Changing iOS app information on page 499 for information on how to add or edit iOS apps.
Custom Data Key/value pairs necessary to configure the app. Click Add
New to display a popup for entering each pair. The app
creator should provide the necessary key/value pairs.
Proxy Not for Android. Select Manual or Automatic to configure a
proxy. If you select Manual, you must specify the proxy
server name and port number. If you select Automatic,
you must specify the proxy server URL.
On Demand Rules (VPN on Demand, iOS 7 and iOS 7.1)
VPN On Demand rules are applied when the device's primary network interface
changes, for example when the device switches to a different Wi-Fi network.
Note the following:
A matching rule is not required. The Default Rule is applied if a matching rule is
not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.
Add New Matching Rule Click to add a new On Demand matching rule.
Action Select one of the following actions to apply to the matching rule:
Connect
Disconnect
Allow
Ignore
Evaluate Connection
Add New Click to add a new Type Value pair.
- Click to delete either an On Demand rule, or a matching
rule.
Matching Rules:
For each matching rule to which the action is applied enter the type and value
pair.
Type Select from one of the following key types:
DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe
Value For each key selected, enter a value.
DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.
Interface Type: Enter either Wifi or Cellular.
DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with the 1.2.3. prefix.
SSID: Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.
URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.
Description Enter additional information about this matching rule.
Domain Action Only appears if the Action is Evaluate Connection.
Select one of the following Actions for the domain:
Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect: The specified domains do not trigger a VPN connection attempt.
Action Parameters:
Only appears if the Action is Evaluate Connection. Define the Evaluation Type and
Value pair.
Evaluation Type Select the Evaluation type as one of the following:
Domain (Required)
Required DNS Server (only available with Connect if
needed)
Required URL Probe (only available with Connect if
needed)
Value Enter the value for the evaluation type selected.
Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or a trusted external DNS server.
Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.
Description Enter additional information about this Evaluation Type
and Value pair.
Default Rule:
The default rule (action) is applied to a connection that does not match any of the
matching rules.
If none of the rules above match or if there is no rule defined, choose VPN connection to: Select the action for the Default Rule.
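The matching-rule, Evaluate Connection and Default Rule logic described in the On Demand Rules tables above (the Cisco AnyConnect, Juniper SSL, F5 SSL and Custom SSL tables share it), as an added Python example; this is illustrative code, not MobileIron's or Apple's implementation. It assumes that every Type and Value pair of a rule must match, that a DNS Server Address entry requires each of the device's current DNS servers to match a listed pattern, and it replaces the network probes with an injected `reachable` callback; the rules and network states are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class NetworkState:
    """What the device sees after its primary network interface changes."""
    interface: str                    # "Wifi" or "Cellular" (the Interface Type values)
    ssid: Optional[str]               # None when the active network is not Wi-Fi
    dns_servers: list[str]            # the device's current DNS servers
    reachable: Callable[[str], bool]  # stand-in for the DNS-server and URL reachability probes


@dataclass
class MatchingRule:
    action: str                         # Connect, Disconnect, Allow, Ignore, Evaluate Connection
    pairs: list[tuple[str, list[str]]]  # (Type, Values) pairs; all must match (assumption)
    params: list[dict] = field(default_factory=list)  # Action Parameters for Evaluate Connection


def domain_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches anything.example.com; otherwise an exact match."""
    pattern, host = pattern.lower(), host.lower()
    return host.endswith(pattern[1:]) if pattern.startswith("*") else host == pattern


def dns_server_matches(pattern: str, address: str) -> bool:
    """'1.2.3.*' matches any server with the 1.2.3. prefix; otherwise an exact match."""
    return address.startswith(pattern[:-1]) if pattern.endswith("*") else address == pattern


def pair_matches(kind: str, values: list[str], net: NetworkState, host: str) -> bool:
    if kind == "DNS Domain":
        return any(domain_matches(p, host) for p in values)
    if kind == "Interface Type":
        return net.interface in values
    if kind == "DNS Server Address":
        # Assumed reading of "all DNS servers have to match the device's current
        # DNS servers": every current server must match one of the listed entries.
        return bool(net.dns_servers) and all(
            any(dns_server_matches(p, s) for p in values) for s in net.dns_servers)
    if kind == "SSID":
        # Fails when the network is not Wi-Fi or its SSID is not in the list.
        return net.interface == "Wifi" and net.ssid in values
    if kind == "URL String Probe":
        return all(net.reachable(url) for url in values)
    raise ValueError(f"unknown key type: {kind}")


def evaluate_connection(rule: MatchingRule, host: str, net: NetworkState,
                        dns_resolves: bool) -> str:
    """Evaluate Connection: per accessed domain, decide whether VPN is triggered."""
    for p in rule.params:
        if not any(domain_matches(d, host) for d in p["domains"]):
            continue
        if p["domain_action"] == "Never connect":
            return "no VPN"
        # Connect if needed: VPN is triggered when name resolution fails, when a
        # Required DNS Server is unreachable, or when the Required URL Probe fails.
        if not dns_resolves:
            return "VPN"
        if any(not net.reachable(s) for s in p.get("required_dns", [])):
            return "VPN"
        probe = p.get("required_url_probe")
        if probe and not net.reachable(probe):
            return "VPN"
        return "no VPN"
    return "no VPN"  # assumption: a domain covered by no Action Parameter stays off VPN


def on_demand_action(rules: list[MatchingRule], default_action: str, net: NetworkState,
                     host: str, dns_resolves: bool = True) -> str:
    """Return the action of the first matching rule, else the Default Rule action."""
    if len(rules) > 10:
        raise ValueError("at most 10 On Demand matching rules")
    for rule in rules:
        if len(rule.pairs) > 50:
            raise ValueError("at most 50 Type and Value pairs per rule")
        if all(pair_matches(k, v, net, host) for k, v in rule.pairs):
            if rule.action == "Evaluate Connection":
                return evaluate_connection(rule, host, net, dns_resolves)
            return rule.action
    return default_action


# Constructed sample rules: stay off VPN on the corporate Wi-Fi (recognised by SSID
# and internal resolvers), evaluate per domain on cellular, connect everywhere else.
RULES = [
    MatchingRule("Disconnect", [("SSID", ["CorpWiFi"]),
                                ("DNS Server Address", ["10.0.0.*"])]),
    MatchingRule("Evaluate Connection", [("Interface Type", ["Cellular"])],
                 params=[{"domains": ["*.corp.example.com"],
                          "domain_action": "Connect if needed",
                          "required_dns": ["10.0.0.53"]},
                         {"domains": ["*.example.com"],
                          "domain_action": "Never connect"}]),
]
DEFAULT_RULE = "Connect"
```

A public Wi-Fi whose SSID is not listed falls through both rules and gets the Default Rule, which is why the default deserves as much thought as the explicit rules.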
Supported variables
You can use the following variables in fields that support variables:
$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
MobileIron Tunnel
Use this setting to configure per app VPN with MobileIron Tunnel.
Item Description
Name Enter a name for the MobileIron Tunnel VPN profile.
Description Enter a description for the profile.
Connection Type Select MobileIron Tunnel.
Only fields relevant to MobileIron Tunnel are displayed.
Sentry Select the Sentry on which you created the TCP tunnel
service.
Sentry Service Select the TCP service that the Safari domain or managed
app will use.
Identity Certificate Select the SCEP setting you created.
Safari Domains
The device user can access servers ending with these domains in Safari.
Safari Domain Enter a domain name.
Only alphanumeric characters and periods (.) are supported.
Description Enter a description for the domain.
Add New Click to add a domain.
AppConnect settings
Configuring an AppConnect app can involve the following configurations:
AppConnect configuration
This configuration is necessary if the AppConnect app requires app tunneling or
app-specific configurations.
See Configuring an AppConnect app configuration on page 614.
AppConnect container policy
The presence of an AppConnect container policy for a device is what authorizes the
app on the device. You also set whether certain features, such as copy/paste or
Open In, are enabled.
See Configuring AppConnect container policies on page 603.
Bookmarks settings
No longer supported. See Web@Work on page 653 for information on creating bookmarks in Web@Work.
Certificates settings
Select Policies & Configs > Configurations > Add New > Certificates to configure the
necessary identity certificates for your organization.
The following table describes the Certificate settings you can specify:
Item Description
Name Enter brief text that identifies this group of certificate settings.
Description Enter additional text that clarifies the purpose of this
group of certificate settings.
File Name Click the Browse button to select the certificate to be
uploaded to the MobileIron Server. Note that the certificate
will also appear in the File Management page.
Password Specify any password required for decrypting the certificate.
Confirm Password Enter the password again to match and confirm.
SCEP settings
Supported platforms: Android, iOS, OS X, Win 7, WP8, WP8.1, Win 8.1 RT/Pro
Select Policies & Configs > Configurations > Add New > SCEP to specify settings that
allow the device to obtain certificates from a CA using Simple Certificate Enrollment
Protocol (SCEP).
Creating a SCEP entry is part of a larger process of setting up a SCEP server to support authentication for VPN on demand, Wi-Fi, Exchange ActiveSync, and so on. A
default SCEP setting is included for the built-in SCEP server, which supports iOS and
OS X enrollment.
Item Description
Name Enter brief text that identifies this group of SCEP settings.
Description Enter additional text that clarifies the purpose of this
group of SCEP settings.
Enable Proxy Indicate whether to enable proxy functions. See Why proxy? on page 304.
Cache locally generated keys Specifies whether MobileIron Core stores the private key sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.
User Certificate Specifies that the certificate is distributed to multiple
devices assigned to a single user.
Device Certificate Specifies that the certificate is bound to the given device.
URL Enter the URL for the server that corresponds to the
selected setting type.
For example, if you selected SCEP in the Setting Type field,
enter the URL for the SCEP server.
For iOS and OSX: Note that iOS and OSX do not support
https with self-signed certificates. Therefore, should you
choose to use https, you must have a trusted certificate
installed for the portal certificate in order for provisioning
to function properly.
Certificate See Using the OpenTrust integration on page 305.
MPS Mobile Profiles See Using the OpenTrust integration on page 305.
Description See Using the OpenTrust integration on page 305.
Application Description See Using the OpenTrust integration on page 305.
Subject Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user's fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com.
You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.
Refer to X.509 Codes for information about X.509 OIDs.
For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user's FQDN.
X.509 Codes
The Subject field uses an X.509 distinguished name. You can use one or more
X.509 codes, separated by commas. This table describes the valid X.509 codes:
Note: If the SCEP entry is not valid, then you will be prompted to correct it; partial
and invalid entries cannot be saved.
Why proxy?
Choosing to enable SCEP proxy functions has the following benefits:
A single certificate verifies Exchange ActiveSync, Wi-Fi, and VPN configurations
There is no need to expose a SCEP listener to the internet.
MobileIron can detect and address revoked and expired certificates.
Supported variables
You can use the following variables in fields that support variables:
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$EMAIL$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
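Added example, not MobileIron's code: expanding the supported variables in a SCEP Subject template (and, with the page-294 variable set, in the VPN User Name and Password fields such as $PASSWORD$_$USERID$) and parsing the result into X.509 RDNs, so that an invalid entry can be rejected before it is saved, as the note under X.509 Codes requires. The attribute types beyond C, DC, OU and CN, the inclusion of $DEVICE_CLIENT_ID$ (taken from the Subject example rather than the list) and the sample user/device record are assumptions.

```python
import re

# Variable sets from the two "Supported variables" lists: the VPN one (page 294)
# and the SCEP one above. $DEVICE_CLIENT_ID$ is added because the Subject example
# uses it (assumption); any other name is rejected rather than passed through.
VPN_VARIABLES = {"USERID", "EMAIL", "PASSWORD", "NULL",
                 "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4"}
SCEP_VARIABLES = {"USERID", "FIRST_NAME", "LAST_NAME", "DISPLAY_NAME", "EMAIL",
                  "USER_DN", "USER_UPN", "USER_LOCALE", "NULL",
                  "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4",
                  "DEVICE_UUID", "DEVICE_UDID", "DEVICE_IMSI", "DEVICE_IMEI",
                  "DEVICE_SN", "DEVICE_CLIENT_ID"}
# X.509 attribute types accepted in the Subject. The page names C, DC, OU and CN;
# the others are common RFC 4519 short names and are an assumption.
KNOWN_TYPES = {"C", "ST", "L", "O", "OU", "CN", "DC", "UID", "SN", "GN", "SERIALNUMBER"}

VAR_RE = re.compile(r"\$([A-Z0-9_]+)\$")


def expand(template: str, record: dict, allowed: set) -> str:
    """Replace $NAME$ tokens with values from record; $NULL$ expands to nothing."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"variable ${name}$ is not supported in this field")
        if name == "NULL":
            return ""
        if name not in record:
            raise ValueError(f"no value for ${name}$ in the user/device record")
        return record[name]
    return VAR_RE.sub(substitute, template)


def split_rdns(subject: str) -> list:
    """Split on commas, honouring backslash escapes (a DN such as 'CN=Doe\\, Jane')."""
    parts, buf, i = [], [], 0
    while i < len(subject):
        if subject[i] == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if subject[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(subject[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_subject(subject: str) -> list:
    """Validate an expanded Subject and return its (type, value) pairs in order."""
    if not subject.strip():
        raise ValueError("empty subject")
    rdns = []
    for part in split_rdns(subject):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}: expected TYPE=value")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if attr not in KNOWN_TYPES:
            raise ValueError(f"unknown attribute type {attr!r}")
        if not value:
            raise ValueError(f"empty value for {attr}")
        rdns.append((attr, value))
    return rdns


def validate_scep_subject(template: str, record: dict) -> list:
    """Expand a SCEP Subject template and parse it; raises ValueError for an entry
    that should not be saved (unsupported variable, missing value, bad RDN)."""
    return parse_subject(expand(template, record, SCEP_VARIABLES))


# Constructed sample record standing in for the LDAP user and the enrolled device.
SAMPLE = {"USERID": "jdoe", "PASSWORD": "s3cret-example", "DEVICE_CLIENT_ID": "dev-0042",
          "USER_DN": "CN=Doe\\, Jane,OU=InfoTech,DC=MobileIron,DC=com"}
```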
Prerequisites
A valid Symantec VeriSign Managed PKI account is required.
To configure SCEP settings for Symantec Managed PKI, select the Symantec Managed
PKI option in the New SCEP Setting dialog (Policies & Configs > Configurations > Add
New > SCEP).
Compatibility notes
This integration does not involve or support OpenTrust SCEP (decentralized) implementations. It is intended for those who want to deploy a non-SCEP implementation.
This integration does not support pushing Certificate Authority bundles to devices, which is offered by OpenTrust.
Pre-requisites
The information in this section assumes the following:
You have the URL for your OpenTrust cloud instance.
You have the client-side JSON connector identity certificate MobileIron Core will use
to authenticate to the MPS.
You have implemented a centralized (non-SCEP) OpenTrust cloud.
You have created a Mobile Management Profile on MPS containing a single centralized credential.
Supported variables
The following variables are supported for the required and optional fields in a SCEP
configuration for OpenTrust:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
Name: Enter brief text that identifies this group of settings.
Description: Enter additional text that clarifies the purpose of this group of settings.
Enable Proxy: Indicate whether to enable proxy functions.
Cache locally generated keys: Specifies whether MobileIron Core stores the private key sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.
User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.
Device Certificate: Specifies that the certificate is bound to the given device.
3. Click Save.
Note: You can save the setting before you have completed all required fields,
enabling you to enter and save the information in stages.
Supported variables
The following variables are supported for the required and optional fields:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Symantec Web Services Managed PKI manager. When a device authenticates with MobileIron Core, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.
Unlike iOS and Android devices, WP8.1 devices originate the certificate request. When the WP8.1 device requests a certificate, MobileIron Core acts as a SCEP reverse proxy and communicates with the SCEP server to deliver the certificate to the device.
Before you configure SCEP Reverse Proxies, you must have configured a SCEP setting.
Docs@Work settings
Supported platforms: Android: yes; iOS: yes; Win 7: -; WP8: -; Win 8.1 RT/Pro: -.
Select Policies & Configs > Configurations > Add New > Docs@Work to configure
access to content servers.
Web@Work settings
For the Web@Work app, use the Web@Work app setting (select Policies & Configs > Configurations > Add New > Web@Work) to specify bookmarks and AppTunnel settings for the Web@Work app. See Configure a Web@Work setting on page 672.
General settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > General to specify the basic information for interactions with the iOS and OS X configuration profiles.
Note: General settings can be set once; if you want to use this screen to change these settings, then the user must manually delete the profile.
Name: Enter brief text that identifies this group of iOS and OS X general settings.
Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.
Identifier: Specify the profile identifier. It must uniquely identify this profile. Use the format com.companyname.identifier, where identifier describes the profile, as in com.mycompany.work.
Organization: Specify the issuing organization of the profile, as it will be shown to the user.
Control when the profile can be removed: Not for iOS with MDM: Specify when configuration profiles should be removed:
  Always: always removable.
  With Authentication: removable with authentication.
  Never: never removable. Select this option to prevent users from removing the profile.
CalDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CalDAV to
specify parameters for connecting to CalDAV-compliant calendar servers. CalDAV (or
Name: Enter brief text that identifies this group of iOS and OS X CalDAV settings.
Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.
HostName: Enter the host name of the calendar server.
Port: Enter the port for the calendar server.
Principal URL: Enter the URL for accessing calendar services.
Use SSL: Select to use SSL for data transfer.
User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported Variables on page 318.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_US. See Supported Variables on page 318.
iOS 4 supports only a single CalDAV setting. Therefore, only the first CalDAV configuration applied to an iOS 4 device will take effect.
Supported Variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
CardDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CardDAV to
configure access to subscription address books compatible with this protocol.
Note: This configuration is supported on iOS and OS X v10.8. OS X v10.7 Lion is not
supported.
Name: Enter brief text that identifies this group of iOS and OS X subscribed address book settings.
Description: Enter additional text that clarifies the purpose of this group of iOS and OS X subscribed address book settings.
HostName: Enter the hostname or IP address of the CardDAV account.
Port: Enter the port number of the CardDAV account.
Principal URL: Enter the Principal URL for the CardDAV account.
Use SSL: Select to use SSL for data transfer.
User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 319.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 319.
Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
Web Clips settings
Web Clips Set Name: Enter brief text that identifies this group of iOS and OS X web clips settings.
Description: Enter additional text that clarifies the purpose of this group of iOS and OS X web clips settings.
For each web clip:
Name: Enter brief text to describe the web clip. This is the text that users will see.
Address/URL: Enter the address or URL for the target of the web clip.
Removable: iOS only: Clear the Removable checkbox to prevent users from removing the web clip once it is pushed out to their phones.
Full Screen: iOS only: By default, Full Screen is selected. When selected, the web clip is displayed as a full-screen application.
Precomposed: iOS only: By default, Precomposed is selected. When selected, iOS will not add the bezel shading effect to the icon.
Icon: Select an icon to display for the web clip.
LDAP settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > LDAP to configure an LDAP profile for iOS and OS X devices.
Use the following guidelines to complete this form. The iOS 5 Configuration Reference may also be useful.
Name: Descriptive name to use when referencing this configuration.
Account Description: Optional. Description of the LDAP account.
Account Username: Optional. Username for accessing the LDAP account.
Account Password: Optional. Password that corresponds to the Account Username value. The password applies to encrypted accounts.
Account Confirm Password: Optional. Confirms the password entered in the Account Password field.
Account Hostname: The hostname for the LDAP server.
Use SSL: Whether to use SSL.
Search Settings: Should have at least one entry for the account. Each entry represents a node in the LDAP tree from which to start searching. Click the + button to add a new entry, then edit the entry. An entry consists of the following values:
  Description: Explains the purpose of the search setting.
  Scope: Select Base, Subtree, or One Level to indicate the scope of the search. Base indicates just the node level, Subtree indicates the node and all children, One Level indicates the node and one level of children.
  Search Base: The conceptual path to the specified node (e.g., ou=people, o=mycorp).
iOS settings
The following iOS-specific settings are available:
AirPlay (starting with iOS 7)
AirPrint (starting with iOS 7)
Restrictions
Subscribed Calendars
APN
Provisioning Profile
Web Content Filter (starting with iOS 7)
Managed App Config (starting with iOS 7)
Enterprise single sign-on (starting with iOS 7)
AirPlay settings
This feature is only supported for iOS 7 and iOS 7.1 devices.
AirPlay is an iOS feature that allows you to mirror the content displayed on your iOS device onto a destination device, for example, an HDTV.
For iOS 7 and iOS 7.1 devices, you can now configure your MobileIron Core to control the AirPlay resources that supervised devices can access. You can configure the following settings:
Specify the passcode for the AirPlay destination device so that devices can connect seamlessly.
Specify a whitelist of destination devices to which you can mirror the content that is displayed on the screen of your supervised iOS 7 device.
To configure AirPlay:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPlay.
The New AirPlay Configuration screen displays.
3. Enter a name for the AirPlay Configuration.
4. Enter additional information that describes the AirPlay Configuration.
5. In the AirPlay Destination Devices section, click + to add a new destination device.
6. For each destination device, enter the following information:
Device Name: Enter the name of the destination device.
Password: Enter the password for the destination device.
Description: Enter additional information that describes this destination device.
-: Click if you want to delete this device.
7. In the AirPlay Whitelist Devices section, click + to add a new destination device to
the whitelist.
Note: Whitelists are only supported on supervised devices.
8. For each destination device in the whitelist, enter the following information:
Device MAC Address: Enter the Bonjour Device ID.
Description: Enter additional information that describes this destination device.
-: Click if you want to delete this device.
9. Click Save.
AirPrint settings
This feature is only supported for iOS 7 and iOS 7.1 devices.
AirPrint is an iOS feature that allows you to print to an AirPrint printer from your iOS
device without the need to install drivers or download software.
For iOS 7 and iOS 7.1 devices, you can configure your MobileIron Core to control the printing resources that devices can access. You can specify a whitelist of AirPrint printers that devices can access.
To configure AirPrint:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPrint.
The New AirPrint Configuration screen displays.
3. Enter a name for the AirPrint Configuration.
4. Enter additional information that describes the AirPrint Configuration.
5. In the AirPrint Destination Whitelist section, click + to add a new destination
printer.
IP Address: Enter the IP address of the AirPrint printer.
Path: Enter the Resource Path associated with the AirPrint printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:
  printers/Canon_MG5300_series
  printers/Xerox_Phaser_7600
  ipp/print
  Epson_IPP_Printer
7. Click Save.
Restrictions settings
Select Policies & Configs > Configurations > Add New > iOS > Restrictions to specify
lockdown capabilities for iOS.
The following table summarizes the settings.
Name: Enter brief text that identifies this group of iOS restriction settings.
Description: Enter additional text that clarifies the purpose of this group of iOS restriction settings.
Device Functionality
Allow Installing Apps: Select to enable the user to install applications. Unselect to disable the App Store and remove its icon from the Home Screen. As a result, users will be unable to install App Store applications on the device. This setting does not impact installation of in-house apps.
Allow removing apps: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, end-users cannot remove non-native apps on the device.
Allow use of Camera: Select to enable the user to operate the camera. Unselect to disable the camera and remove its icon from the Home screen. As a result, users will be unable to take photographs.
Allow FaceTime: Select to allow the user to run FaceTime if the camera is enabled.
Allow Screen Capture: Select to allow the user to operate the native screen capture function.
Allow automatic sync while roaming: Select to allow synchronization of mail accounts while the device is outside of its home country.
Allow Siri: Select to allow the personal assistant app on supported devices.
Allow Siri while device locked: Select to allow the personal assistant app to perform tasks even when the device is locked.
Show user-generated content in Siri: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, prevents Siri from querying user-generated content on the web.
Allow voice dialing: Select to allow users to access voice dialing features.
Allow in app purchases: Select to allow users to make purchases through apps running on the device.
Force users to enter store password for all purchases (iOS 5 and later): Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.
Allow multiplayer gaming: Select to allow users to play games that include other users.
Allow adding Game Center friends: Select to allow device users to add friends to their gaming social network in the Apple Game Center.
Allow interactive installation of configuration profiles and certificates: iOS 6.0 and iOS 7. Supervised devices only. Select to allow users to install configuration profiles and certificates interactively.
Allow Passbook notifications while locked: iOS 6.0 and iOS 7. Select to allow Passbook notifications to be shown on the lock screen.
Allow AirDrop: For supervised iOS 7 devices, select to allow use of AirDrop for iOS on the device (iOS 7 or iOS 7.1). AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices.
Allow modifying Find my Friends settings: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, changes to the Find My Friends app are disabled.
Allow Touch ID to unlock device: iOS 7.0 and iOS 7.1. If disabled, prevents Touch ID from unlocking a device.
Show Control Center in lock screen: iOS 7.0 and iOS 7.1. If disabled, prevents Control Center from appearing on the Lock screen.
Show Notification Center in lock screen: iOS 7.0 and iOS 7.1. If disabled, prevents the Notification Center from appearing on the lock screen.
Show Today view in lock screen: iOS 7.0 and iOS 7.1. If disabled, the Today view in Notification Center on the lock screen is disabled.
Allow changes to cellular data usage for apps: iOS 7.0 and iOS 7.1. Supervised devices only. If disabled, changes to cellular data usage for apps are disabled.
Applications
Allow Use of YouTube: Select to allow use of the YouTube site. Unselect to disable YouTube and remove its icon from the Home screen.
Allow Use of iTunes Music Store: Select to allow use of the iTunes Music Store. Unselect to disable iTunes Music store and remove its icon from the Home screen. As a result, users will not be able to preview, purchase or download content.
Allow use of Safari: Select to allow use of the Safari web browser. Unselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.
Enable autofill: Select to turn on the autofill feature for fields displayed in Safari.
Force fraud warning: Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.
Enable Javascript: Select to turn on Javascript support for Safari.
Block pop-ups: Select to block pop-ups for Safari.
Accept cookies: Select to allow cookies.
iCloud (iOS 5 and later)
Allow backup: Select to allow the device to back up data via Apple's iCloud service.
Allow document sync: Select to allow documents to be synchronized via Apple's iCloud service.
Allow Photo Stream: Select to allow photos to be synchronized to your other iOS devices via Apple's iCloud.
Allow shared photo streams: iOS 6.0 and iOS 7. Select to allow synchronization of shared photos.
Allow use of iBookStore: iOS 6.0 and iOS 7. Supervised devices only. Select to allow access to iBookstore.
Allow Game Center: iOS 6.0 and iOS 7. Supervised devices only. Select to allow access to Game Center.
Allow iMessage: iOS 6.0 and iOS 7. Supervised devices only. Select to allow use of iMessage.
Allow ability to modify account settings: Select to allow users with supervised iOS 7 devices to add email accounts and make changes to email accounts that have already been configured.
Security and Privacy
Allow diagnostic data to be sent to Apple: iOS 6.0 and later. Select to allow automatic submission of diagnostic data to Apple.
Force limited ad tracking: iOS 7.0 and iOS 7.1. If enabled, limits ad tracking. It is disabled by default.
Allow user to accept untrusted TLS certificates: Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.
Allow automatic updates to certificate trust settings: iOS 7.0 and iOS 7.1. If disabled, over-the-air PKI updates are disabled.
Force encrypted backups: Requires encrypted backups via iTunes. Automatically selected due to SCEP requirements.
Allow pairing with non-Configurator hosts: For supervised iOS 7 devices, select to allow host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.
Allow open documents from managed apps and accounts to unmanaged apps and accounts: Additional license required to disallow this action. Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps.
Allow open documents from unmanaged apps and accounts to managed apps and accounts: Additional license required to disallow this action. Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email.
Content Ratings
Allow explicit music & podcasts: Select to allow access to websites having adult ratings. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
Allow iBookstore media that has been tagged as erotica: iOS 6.0 and iOS 7. Supervised devices only. Select to allow users to download iBookstore material that has been tagged as erotica.
Ratings region: Select a region from the dropdown list to change the region associated with the rating selections for applications, TV shows, and movies.
Allowed content ratings: Select the allowed rating for each type of medium: movies, TV shows, and apps.
Movies: Select a rating limit for movies stored on the device: Don't Allow Movies, G, PG, PG-13, R, NC-17.
TV Shows: Select a rating limit for TV shows stored on the device: Don't Allow TV Shows, TV-Y, TV-Y7, TV-G, TV-PG, TV-14, TV-MA, Allow All TV Shows.
Apps: Select a rating limit for applications on the device: Don't Allow Apps, 4+, 9+, 12+, 17+, Allow All Apps.
App whitelist for Single App Mode: Specify a list of apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies only to supervised iOS devices and only to apps developed for autonomous single app mode. Supervision is established with Apple Configurator.
Subscribed Calendars settings
Name: Enter brief text that identifies this group of iOS subscribed calendar settings.
Description: Enter additional text that clarifies the purpose of this group of iOS subscribed calendar settings.
URL: Enter the URL for accessing the subscribed calendar.
Use SSL: Select to use SSL for data transfer.
User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported Variables on page 330.
Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported Variables on page 330.
iOS devices accept settings for up to four subscribed calendars. Therefore, any additional calendar settings applied to an iOS device will be ignored.
Supported Variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
APN settings
Select Policies & Configs > Configurations > Add New > iOS > APN to define parameters for access point interactions, which define how the device accesses the operator's network.
Access Point Name: Identifier available from the operator.
Description: Enter additional text that clarifies the purpose of this group of iOS APN settings.
User Name: Enter a user name authorized for this access point.
Password: Enter the password corresponding to the user name entered.
Proxy Server: Enter the IP address or URL of the APN proxy.
Port: Enter the port number of the APN proxy.
Web Content Filter settings
MobileIron Core supports configuring the web content filter on the Admin Portal. You can do one of the following:
Block access to sites containing adult content.
Configure the device's set of accessible sites.
Name: Enter brief text that identifies this web content configuration.
Description: Enter additional text that clarifies the purpose of this web content configuration.
Allowed Websites: Select one of the following options:
  Limit Adult Content: Select this option if you want to block access to web sites based on iOS automatic filters. These filters attempt, with a high degree of accuracy, to block websites with inappropriate content.
  Specific Web Sites Only: Select this option if you want to manually list the accessible web sites.
Permitted URLs: Available only if you selected Limit Adult Content. These URLs are accessible even if the iOS automatic filters block them. To add a permitted URL, click +. To delete a permitted URL, click -. You can add up to 50 permitted URLs.
  URL: Enter the permitted URL. The URL must begin with either http:// or https://. Note: If you want to permit both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given permitted URL are accessible. Example: http://www.someCompanySite.com permits access to the following:
    http://www.someCompanySite.com
    http://www.someCompanySite.com/jobs
    http://www.someCompanySite.com/products
  Description: Enter additional text that clarifies the purpose of this permitted URL.
Blacklisted URLs: Available only if you selected Limit Adult Content. These URLs are blocked even if the iOS automatic filters allow them. To add a blacklisted URL, click +. To delete a blacklisted URL, click -. You can add up to 50 blacklisted URLs.
  URL: Enter the blacklisted URL. The URL must begin with either http:// or https://. Note: If you want to block both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given blacklisted URL are blocked. Example: http://www.someCompanySite.com blocks access to the following:
    http://www.someCompanySite.com
    http://www.someCompanySite.com/jobs
    http://www.someCompanySite.com/products
  Description: Enter additional text that clarifies the purpose of this blacklisted URL.
Specific Websites: Available only if you selected Specific Web Sites Only. These URLs are the only accessible sites. On Safari, they are added as bookmarks. Any existing bookmarks on Safari are disabled. To add an accessible URL, click +. To delete an accessible URL, click -.
  URL: Enter the URL of a website you want to make accessible. The URL must begin with either http:// or https://. Note: If you want to make both http:// and https:// for the same site accessible, include a row for each URL. If you are using the Apps@Work or Secure Sign-in web clips, include an entry for the URL of MobileIron Core. Otherwise, these web clips cannot work.
  Name: The title of the bookmark in Safari.
  Bookmark: Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/. If absent, the bookmark is added to the default bookmarks directory.
  Description: Optionally enter additional text that clarifies the purpose of this URL.
4. Click Save.
5. Select the web content configuration you just created.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this web content configuration.
8. Click Apply.
Browser impact
The web content filter feature impacts all browsers and web views on the device, including:
Safari. When using the option Specific Web Sites Only, only Safari displays the bookmarks that you specify. Other browsers do not.
Web@Work
Apps@Work
the Secure Sign-in web clip
other browsers and web views
Therefore, if you use the option Specific Web Sites Only, be sure to include the URL for your MobileIron Core so that the Apps@Work and Secure Sign-in web clips work.
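The prefix-matching and list-limit rules from the web content filter table above, modelled as an added example that is not part of the original guide. It assumes a constructed placeholder for the MobileIron Core URL, treats the iOS automatic adult-content filter as a flag supplied by the caller, and assumes (the guide does not say) that a blacklisted entry wins when a URL matches both a permitted and a blacklisted entry.

```python
"""Added example (not MobileIron's code): model the iOS web content filter
decision rules described in the guide and validate a configuration before
applying it to a label.

Assumptions (mine, not the guide's): a blacklisted entry takes precedence
over a permitted entry when both match; CORE_URL is a constructed placeholder;
the iOS automatic filter is represented by the flagged_by_ios argument."""
from dataclasses import dataclass, field
from typing import List

MAX_LIST_ENTRIES = 50                      # guide: up to 50 permitted / 50 blacklisted URLs
VALID_PREFIXES = ("http://", "https://")   # guide: every URL must begin with one of these

# Constructed placeholder for the MobileIron Core URL (not a real host).
CORE_URL = "https://core.example.invalid"


@dataclass
class WebContentFilter:
    mode: str                                               # "limit_adult" or "specific_only"
    permitted: List[str] = field(default_factory=list)      # Limit Adult Content only
    blacklisted: List[str] = field(default_factory=list)    # Limit Adult Content only
    specific: List[str] = field(default_factory=list)       # Specific Web Sites Only


def both_schemes(site: str) -> List[str]:
    """The guide says http:// and https:// each need their own row; build both."""
    return [prefix + site for prefix in VALID_PREFIXES]


def matches(url: str, entries: List[str]) -> bool:
    """Guide rule: a URL matches an entry when its initial characters equal the entry.
    Because the scheme is part of the prefix, an http:// entry never matches https://."""
    return any(url.startswith(entry) for entry in entries)


def validate(cfg: WebContentFilter, core_url: str = CORE_URL) -> List[str]:
    """Return the configuration problems the Admin Portal rules imply."""
    problems = []
    lists = (("permitted", cfg.permitted), ("blacklisted", cfg.blacklisted),
             ("specific", cfg.specific))
    for name, entries in lists:
        for entry in entries:
            if not entry.startswith(VALID_PREFIXES):
                problems.append(f"{name} entry {entry!r} must begin with http:// or https://")
    if cfg.mode == "limit_adult":
        for name, entries in lists[:2]:
            if len(entries) > MAX_LIST_ENTRIES:
                problems.append(f"too many {name} URLs ({len(entries)} > {MAX_LIST_ENTRIES})")
        if cfg.specific:
            problems.append("specific list is ignored in Limit Adult Content mode")
    elif cfg.mode == "specific_only":
        if cfg.permitted or cfg.blacklisted:
            problems.append("permitted/blacklisted lists are ignored in Specific Web Sites Only mode")
        # Guide: without the MobileIron Core URL the Apps@Work and Secure Sign-in web clips cannot work.
        if not matches(core_url, cfg.specific):
            problems.append("Specific Web Sites Only: add the MobileIron Core URL, otherwise the "
                            "Apps@Work and Secure Sign-in web clips cannot work")
    else:
        problems.append(f"unknown mode {cfg.mode!r}")
    return problems


def decide(cfg: WebContentFilter, url: str, flagged_by_ios: bool = False) -> str:
    """Return "allowed" or "blocked" for url under cfg.

    flagged_by_ios stands in for the iOS automatic adult-content filter, which
    only matters in Limit Adult Content mode and is overridden by the lists."""
    if cfg.mode == "specific_only":
        return "allowed" if matches(url, cfg.specific) else "blocked"
    if cfg.mode == "limit_adult":
        if matches(url, cfg.blacklisted):      # blocked even if iOS would allow it
            return "blocked"
        if matches(url, cfg.permitted):        # accessible even if iOS would block it
            return "allowed"
        return "blocked" if flagged_by_ios else "allowed"
    raise ValueError(f"unknown mode {cfg.mode!r}")


if __name__ == "__main__":
    cfg = WebContentFilter(mode="limit_adult",
                           permitted=["http://www.someCompanySite.com"],
                           blacklisted=["http://www.someCompanySite.com/jobs"])
    for test_url in ("http://www.someCompanySite.com/products",
                     "https://www.someCompanySite.com/products",
                     "http://www.someCompanySite.com/jobs"):
        print(test_url, "->", decide(cfg, test_url, flagged_by_ios=True))
```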
Managed App Config settings
Managed app configuration requires iOS 7 or iOS 7.1. Select Policies & Configs > Configurations > Add New > iOS and OS X > Managed App Config to provide app configuration to a managed app.
When a managed app gets its configuration from MobileIron Core, the device user does not have to manually enter the configuration. This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user.
6. MobileIron Core sends the setting to the device when the device checks in.
7. The managed app installed on the device accesses the configuration using iOS 7 programming interfaces.
Note: You can apply a managed app config setting to a device before the app is installed on the device. When the app is installed, it accesses the configuration. Until then, the configuration has no impact on the device.
Name: Enter brief text that identifies this managed app config setting.
Description: Enter additional text that clarifies the purpose of this managed app config setting.
BundleId: Enter the bundle ID of the managed app.
File: Click Choose File. Select the plist file that contains the app configuration for the app. Note: MobileIron Core does not validate the plist file's type or contents.
4. Click Save.
5. Select the managed app config setting you just created. MobileIron Core assigns the setting the type MDM APP CONFIG.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this managed app config setting.
8. Click Apply.
Note:
You cannot edit the managed app config setting, including uploading a different plist file. If changes are necessary, delete the managed app config setting and create a new one. Be sure to re-apply labels.
You can apply only one managed app config setting for each app to each device, including when more than one version of the app is installed on a device.
The configuration information is not encrypted on the device. The configuration should therefore not contain any sensitive information.
When the managed app config setting is removed, the managed app automatically
removes its use of the configuration.
Supported variables
The plist can use the following MobileIron Core variables:
$DEVICE_MAC$: The Wi-Fi MAC (Media Access Control) address of the device.
$DEVICE_UDID$: The unique device identifier of the device.
$DISPLAY_NAME$: The display name of the device user.
$EMAIL$: The email address of the device user.
$FIRST_NAME$: The first name of the device user.
$LAST_NAME$: The last name of the device user.
$USERID$: The user ID of the device user.
When MobileIron Core sends the configuration to a device, it substitutes the appropriate values for the variables.
Sample plist
A plist is a text file in XML format. The XML content varies for each app, and the contents have been validated by the app developer. The following is a sample plist, included here only to illustrate the format you can expect:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Server</key>
    <string>http://www.somecompanyserver.com</string>
    <key>Some Dict</key>
    <dict>
      <key>A</key>
      <string>$DISPLAY_NAME$</string>
      <key>C</key>
      <string>$DEVICE_UDID$</string>
    </dict>
    <key>Some Array</key>
    <array>
      <string>abc</string>
      <string>val</string>
      <string>$DEVICE_MAC$</string>
    </array>
  </dict>
</plist>
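The following example, added here and not part of the MobileIron guide, substitutes the supported variables into a plist like the one above and lints the file before upload, since Core validates neither the file type nor its contents and does not encrypt the configuration on the device. The sample plists, the function names render_managed_app_config and lint_managed_app_config, the rule that unsupported tokens pass through unchanged, and the sensitive-key patterns are assumptions of the example, not Core behaviour documented here.

```python
"""Managed app config helper (added example, not MobileIron's code).
Substitutes the Core variables into a plist and lints the file before
upload. Assumptions: sample plists are constructed, function names are
hypothetical, unsupported $TOKENS$ are assumed to pass through untouched."""
import plistlib
import re

# Variables the guide lists as substituted by MobileIron Core.
SUPPORTED_VARIABLES = {
    "$DEVICE_MAC$", "$DEVICE_UDID$", "$DISPLAY_NAME$", "$EMAIL$",
    "$FIRST_NAME$", "$LAST_NAME$", "$USERID$",
}
VARIABLE_RE = re.compile(r"\$[A-Za-z0-9_]+\$")
# Key names that suggest a secret is being shipped in clear text (assumed list).
SENSITIVE_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private", re.I)

# Constructed sample, mirroring the guide's plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Server</key><string>http://www.somecompanyserver.com</string>
  <key>Some Dict</key>
  <dict><key>A</key><string>$DISPLAY_NAME$</string><key>C</key><string>$DEVICE_UDID$</string></dict>
  <key>Some Array</key>
  <array><string>abc</string><string>val</string><string>$DEVICE_MAC$</string></array>
</dict>
</plist>
"""

# Constructed sample of what should NOT be uploaded: an unsupported token and
# keys that look like credentials (the config is stored unencrypted on the device).
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Password</key><string>$PASSWORD$</string>
  <key>Nested</key><dict><key>apiKey</key><string>hunter2</string></dict>
  <key>User</key><string>$USERID$</string>
</dict>
</plist>
"""


def _map_strings(node, fn):
    """Apply fn to every string value, recursing through dicts and arrays."""
    if isinstance(node, dict):
        return {k: _map_strings(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_map_strings(v, fn) for v in node]
    return fn(node) if isinstance(node, str) else node


def render_managed_app_config(plist_bytes, context):
    """Return the plist as a dict with supported $VAR$ tokens replaced from
    context (e.g. {"$EMAIL$": "jane@example.com"}). Tokens that are not
    supported, or missing from context, are left in place."""
    def substitute(text):
        return VARIABLE_RE.sub(
            lambda m: context.get(m.group(0), m.group(0))
            if m.group(0) in SUPPORTED_VARIABLES else m.group(0), text)
    return _map_strings(plistlib.loads(plist_bytes), substitute)


def lint_managed_app_config(plist_bytes):
    """Pre-upload checks Core does not perform. Returns the unsupported
    variable tokens found and the key paths whose names suggest clear-text
    secrets; raises if the bytes are not a well-formed XML plist."""
    doc = plistlib.loads(plist_bytes)  # raises on malformed XML/plist
    unknown, sensitive = set(), []

    def note_tokens(text):
        unknown.update(t for t in VARIABLE_RE.findall(text)
                       if t not in SUPPORTED_VARIABLES)
        return text

    def walk_keys(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if SENSITIVE_KEY_RE.search(key):
                    sensitive.append(child)
                walk_keys(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk_keys(value, f"{path}[{i}]")

    _map_strings(doc, note_tokens)
    walk_keys(doc, "")
    return {"unknown_variables": sorted(unknown), "sensitive_keys": sorted(sensitive)}


if __name__ == "__main__":
    device = {"$DISPLAY_NAME$": "Jane Doe", "$DEVICE_UDID$": "UDID-0001",
              "$DEVICE_MAC$": "00:11:22:33:44:55"}
    print(render_managed_app_config(SAMPLE_PLIST, device))
    print(lint_managed_app_config(BAD_PLIST))
```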
For iOS 7 and iOS 7.1 devices, you can now configure your MobileIron Core to manage
the enterprise apps and resources that device users can access without having to
enter their enterprise credentials.
Name: Enter a name for this configuration.
Description: Enter additional information that describes this configuration.
Principal Name: (Required) Enter the Kerberos principal name. You can also specify a variable. See Supported variables on page 339.
Realm: (Required) The default is $Realm$. This is the only valid variable. $Realm$ is supported for LDAP users only. The realm is calculated by extracting the base DN (e.g. DC=auto, DC=MyCompany, DC=com) and converting it to a domain. Example: AUTO.MYCOMPANY.COM. You can also enter a domain name. The domain name you enter is automatically capitalized. Example: AUTO.MYCOMPANY.COM.
4. Click Save.
5. In the Configurations page, select the configuration.
6. Click More Actions > Apply To Label.
7. Select a label to apply, and click Apply.
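The realm rule from the Realm field above, worked in code as an added example that is not MobileIron's code: the DC components of the LDAP user's DN are joined and upper-cased, and a domain name typed in directly is capitalized. The function names and the simple DN splitter (it handles backslash-escaped commas but is not a full RFC 4514 parser) are assumptions of the example.

```python
"""Kerberos realm derivation for the Realm field (added example, not
MobileIron's code). Function names are hypothetical; the DN splitter is
deliberately simple."""
import re

# Split a DN on commas that are not escaped with a backslash.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def dc_components(dn):
    """Return the values of the DC= RDNs of a DN, in order, e.g.
    'CN=Jane Doe,OU=Users,DC=auto,DC=MyCompany,DC=com' -> ['auto', 'MyCompany', 'com']."""
    dcs = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "DC":
            dcs.append(value.strip())
    return dcs


def realm_from_dn(dn):
    """$Realm$ as the guide describes it: the base DN converted to a domain
    and upper-cased, e.g. DC=auto, DC=MyCompany, DC=com -> AUTO.MYCOMPANY.COM."""
    dcs = dc_components(dn)
    if not dcs:
        raise ValueError(f"no DC components in DN, cannot derive a realm: {dn!r}")
    return ".".join(dcs).upper()


def resolve_realm_field(field_value, user_dn=None):
    """Resolve the Realm field for one user. '$Realm$' needs an LDAP DN (the
    guide says it is supported for LDAP users only); any other value is
    treated as a domain name and capitalized, as the guide says Core does."""
    value = field_value.strip()
    if value == "$Realm$":
        if not user_dn:
            raise ValueError("$Realm$ requires an LDAP user DN (local users have none)")
        return realm_from_dn(user_dn)
    if not value:
        raise ValueError("Realm is required")
    return value.upper()


if __name__ == "__main__":
    # Constructed sample DN; the DC part matches the guide's example.
    print(resolve_realm_field("$Realm$", "CN=Jane Doe,OU=Users,DC=auto,DC=MyCompany,DC=com"))
    print(resolve_realm_field("auto.mycompany.com"))
```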
Supported variables
The following variables are supported:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
Chapter 7
Managing Certificates
Overview of certificates
Supported certificate scenarios
Overview of certificates
MobileIron is capable of distributing and managing certificates.
Certificates establish user identity while eliminating the need for users to enter user
names and passwords on their mobile devices. Certificates streamline authentication
to key enterprise resources, such as email, Wi-Fi, and VPN. Some applications require the use of certificates for authentication.
The certificate includes information that identifies the user, device, or server that
holds the certificate.
The MobileIron solution provides the flexibility to use MobileIron Core as a local certificate authority, an intermediate certificate authority, or as a proxy for a trusted certificate authority.
Types of certificates
MobileIron uses the following types of certificates:
The following diagram illustrates where each certificate type is used in the MobileIron
architecture:
You can configure MobileIron Core as a local certificate authority for the following
scenarios:
Core as an Independent Root CA (self-signed)
Configure Core as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using Core as the certificate authority.
Core as an Intermediate CA
Use this option when your company already has its own certificate authority. Using Core as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.
Open Trust
Symantec Web Services Managed PKI
Certificate usage by platform:
                 Android   iOS      WP8(e)   Win 8.1 RT/Pro
ActiveSync       yes(a)    yes(b)   yes      -
VPN              yes(c)    yes(d)   -        -
Wi-Fi            yes       yes      -        yes
Certificate types by platform:
Certificate                         Android   iOS   WP8   Win 8.1 RT/Pro
MS SCEP                             yes       yes   yes   yes
Entrust                             yes       yes   -
Local CA                            yes       yes   yes   yes
Symantec Managed PKI                yes       yes   -
User provided certificates          yes       yes   -
Open Trust                          yes       yes   -
Symantec Web Services Managed PKI   yes       yes   -
For information about how to create SCEP settings in MobileIron Core, see SCEP settings on page 301.
More information
For detailed information about how to set up MobileIron Core as a SCEP proxy in a managed PKI environment, see the Setting up Symantec VeriSign Managed PKI Integration tech note, available on the MobileIron Support site.
For detailed information about how to set up certificate-based authentication for iOS,
see the Certificate-based Authentication for iOS tech note, available on the MobileIron
Support site.
For detailed information about how to set up MobileIron to use Entrust, see the
Authentication Using Entrust Certificate Types tech note, available on the MobileIron
Support site.
Chapter 8
Troubleshooting Devices
Overview of troubleshooting devices
Force Device Check-In
Using logs
Service Diagnostic screen
To troubleshoot issues involving MobileIron Server operation, see Section III: System
Management.
[Platform support table: Android, iOS, OS X, Win 7, WP8, Win 8.1 RT/Pro]
You can use the Force Device Check-in feature to force the device to connect to the MobileIron Server. You might use this feature if the MobileIron Client has not connected for some time, or you want to override a long sync interval to download updates.
4. In the dialog, confirm the user and device information and enter a note.
5. Click Force Device Check-in.
Note that the device user may have a Connect Now option that forces the MobileIron
Client to attempt to connect to the MobileIron Server.
Using logs
The following Log pages in the Admin Portal under Logs & Events enable you to easily
navigate through the MobileIron log entries to find the information you need.
MDM Log: for iOS MDM entries
Certificate Log: for certificate-related entries
Browse All: for MobileIron device management entries
MDM Log
The MDM Log displays MDM-specific log entries.
Viewing Errors
Errors result in the display of a View Error link in the Error column. Click the link to
display error details.
Certificate Log
The Certificate Log displays certificate-related log entries. You can remove selected
certificates from the log and revoke selected certificates.
Revoking a Certificate
You can revoke certificates created using a Local Certificate Authority. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with MobileIron Core, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.
The certificate will be added immediately to the CRL so the next time the device
attempts to authenticate, authentication will fail.
Subject Related To: If you are looking for log entries related to a specific phone number, enter the phone number.
Actions: Select the types of actions you want to see log entries for.
Requested: Specify a range of time during which the action was requested.
Completed: Specify a range of time during which the action was completed.
Status: Specify whether you want to see log entries having a specific status.
3. Click Search.
To display the Service Diagnostic screen, select Settings > Service Diagnostics.
Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.
Chapter 9
Working with Events
About events
The Event Center enables MobileIron administrators to connect events to specific alerts. For example, you can specify an SMS to be sent each time a user enters a different country, informing the user that different rates may apply.
Events page
Use the Events (Admin Portal > Logs & Events > Event Settings) page to manage the
events you are interested in and the corresponding actions you want to automate.
Required role
Users must have the Manage logs and events role to access the Event Settings page.
Managing events
Each event type recognized by the Event Center has settings specific to the event
type. See Event types on page 363 for information on specific settings. This section
explains tasks related to all event types:
Creating an event
Editing an event
Deleting an event
Setting alert preferences
Creating an event
To create an event:
1. Click Logs & Events > Event Settings in the Admin Portal.
2. Click Add New.
3. Select the type of event from the dropdown.
4. Complete the information for the selected event.
5. Click Save.
6. Refresh the screen to display the new event.
For each type of alert (SMS, email, and push notification, i.e., APNs or C2DM), you can select one of the following:
User only
User + Admin
Admin only
If you select one of the Admin options, then a CC to Admins section displays in the
dialog.
Use this section to select those users, other than the device user, who should be notified. Only users having registered devices display in this list.
Editing an event
To edit an event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Select the event you want to edit.
3. Click the Edit button.
4. Make your changes.
5. Click Save.
Deleting an event
To delete an event:
1. Click the Events Center tab in Admin Portal.
2. Select the event you want to delete.
3. Click the Delete button.
Event types
Each event type has specific settings that need to be configured. This section
describes the settings for each type.
Platform support: Android yes, iOS yes, Win 7 -, WP8 -, Win 8.1 RT/Pro -
Note that international roaming detection is not supported for dual-mode devices (i.e.,
devices that switch between GSM and CDMA).
Name: Identifier for this notification.
Description: Additional text to clarify the purpose of this notification.
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Alert for Every Country Visited in the Trip: Generates an alert for each country visited after the user leaves the home country.
Maximum Alerts: Specifies whether there is a limit on the number of alerts generated for a given trip. If you select Limited, then you can specify the number of alerts to allow. Once the user returns to the home country, the count is returned to 0.
Severity: Specifies the severity defined for the alert: Critical, Warning, and Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See page 380 for information on creating a new template; Event Center templates enable you to specify content and basic formatting using HTML markup.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices to which you want to apply this event.
Apply to Users: Associate this group of settings with the selected users.
Exclude Labels: Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices that should not have this event applied.
Exclude Users: Do not apply this event to the selected users.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
5. Click Save.
Note: If more than one international roaming event applies to a device, only the last
one you edited and saved is triggered.
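The alert controls described for this event (Maximum Alerts per trip, the count returning to 0 when the user returns home, and Alert for Every Country Visited), together with the weekly interval of the memory size exceeded event and the Alert Every setting of system events described later in this chapter, modelled as an added example that is not MobileIron's code. The class names, the replay helper with its constructed reference time, and the order in which the limits are checked are assumptions; the guide does not specify them.

```python
"""Model of the Event Center alert controls described in this chapter.
Added example, not MobileIron's code; names, the replay helper and the order
in which the limits are checked are assumptions."""
from datetime import datetime, timedelta
from typing import Optional

START = datetime(2014, 1, 1, 9, 0)  # constructed reference time for replay()


class AlertThrottle:
    """Maximum Alerts (None = Unlimited) plus Alert Every (hours; 0 = none)."""

    def __init__(self, max_alerts: Optional[int], alert_every_hours: float = 0):
        self.max_alerts = max_alerts
        self.alert_every = timedelta(hours=alert_every_hours)
        self.sent = 0
        self.last_sent: Optional[datetime] = None

    def reset(self) -> None:
        """Start a fresh count (the guide: back home, the count returns to 0)."""
        self.sent, self.last_sent = 0, None

    def try_send(self, now: datetime) -> bool:
        """Allow and record an alert unless Maximum Alerts or Alert Every suppresses it."""
        if self.max_alerts is not None and self.sent >= self.max_alerts:
            return False
        if self.last_sent is not None and now - self.last_sent < self.alert_every:
            return False
        self.sent, self.last_sent = self.sent + 1, now
        return True


class InternationalRoamingEvent:
    """Alerts when a device reports a country other than the home country."""

    def __init__(self, home_country: str, throttle: AlertThrottle,
                 alert_every_country: bool = True):
        self.home_country = home_country
        self.throttle = throttle
        self.alert_every_country = alert_every_country   # "Alert for Every Country Visited"
        self.last_country = home_country

    def observe(self, country: str, now: datetime) -> bool:
        """Return True if this check-in should generate an alert."""
        previous, self.last_country = self.last_country, country
        if country == self.home_country:
            self.throttle.reset()        # trip over: count returns to 0
            return False
        if country == previous:
            return False                 # still in the same country
        if previous != self.home_country and not self.alert_every_country:
            return False                 # only the first foreign country alerts
        return self.throttle.try_send(now)


class MemorySizeExceededEvent:
    """Alerts when used memory reaches the configured percentage, at most
    once per Alert every interval of 1, 2, 3 or 4 weeks."""

    def __init__(self, threshold_percent: float, alert_every_weeks: int = 1):
        if alert_every_weeks not in (1, 2, 3, 4):
            raise ValueError("Alert every: select 1, 2, 3 or 4 weeks")
        self.threshold = threshold_percent
        self.throttle = AlertThrottle(None, alert_every_hours=24 * 7 * alert_every_weeks)

    def observe(self, used_percent: float, now: datetime) -> bool:
        if used_percent < self.threshold:
            return False
        return self.throttle.try_send(now)


class SystemEvent:
    """E.g. 'LDAP server is unreachable': alerts while the condition holds,
    subject to Maximum Alerts and Alert Every (hours)."""

    def __init__(self, throttle: AlertThrottle):
        self.throttle = throttle

    def observe(self, unreachable: bool, now: datetime) -> bool:
        return bool(unreachable) and self.throttle.try_send(now)


def replay(event, timeline):
    """Feed (value, hours after START) pairs to event.observe; return the decisions."""
    return [event.observe(value, START + timedelta(hours=h)) for value, h in timeline]


if __name__ == "__main__":
    trip = InternationalRoamingEvent("US", AlertThrottle(max_alerts=2))
    print(replay(trip, [("US", 0), ("FR", 1), ("FR", 2), ("DE", 3), ("IT", 4), ("US", 24), ("MX", 48)]))
```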
Platform support: Android yes, iOS yes, Win 7 -, WP8 -, Win 8.1 RT/Pro -
For iOS devices that are not MDM-managed, the device user must start the MobileIron
app on the device to trigger this event.
To create a SIM changed event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select SIM Changed Event from the dropdown menu.
Name: Identifier for this event.
Description: Additional text to clarify the purpose of this event.
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Severity: Specifies the severity defined for the alert: Critical, Warning, and Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See page 380 for information on creating a new template; Event Center templates enable you to specify content and basic formatting using HTML markup.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices to which you want to apply this event.
Apply to Users: Associate this group of settings with the selected users.
Exclude Labels: Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices that should not have this event applied.
Exclude Users: Do not apply this event to the selected users.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
5. Click Save.
Note: If more than one SIM changed event applies to a device, only the last one you
edited and saved is triggered.
Platform support: Android yes, iOS yes, Win 7 -, WP8 -, Win 8.1 RT/Pro -
Name: Identifier for this event.
Description: Additional text to clarify the purpose of this notification.
Used Memory Size Exceeds: Specifies the percentage of total memory that triggers the alert.
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Alert every: Specifies the interval for generating the alert. Select 1, 2, 3 or 4 weeks.
Severity: Specifies the severity defined for the alert: Critical, Warning, and Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See page 380 for information on creating a new template; Event Center templates enable you to specify content and basic formatting using HTML markup.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Associate this event with the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices to which you want to apply this event.
Apply to Users: Associate this group of settings with the selected users.
Exclude Labels: Do not apply this event to selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find devices that should not have this event applied.
Exclude Users: Do not apply this event to the selected users.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
5. Click Save.
Notes:
Memory exceeded events are sent only once per week when the configured memory limit is reached. If more than one memory size exceeded event applies to a device, only the last one you edited and saved is triggered.
System event
A system event generates an alert when a component of a MobileIron implementation is not working. To create a system event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
Name: Identifier for this event.
Description: Additional text to clarify the purpose of this notification.
Sentry (standalone and integrated) is unreachable: Generates an alert if MobileIron Core is unable to contact the MobileIron Sentry.
Sentry (standalone and integrated) cannot reach EAS server: Generates an alert if the MobileIron Sentry is unable to contact the ActiveSync server.
MobileIron gateway is unreachable: Select this option to send an alert if Core cannot connect to the MobileIron gateway.
BES is unreachable: Select this option to send an alert if Core cannot connect to an integrated BES server.
LDAP server is unreachable: Select this option to send an alert if Core cannot connect to any of the configured LDAP servers.
DNS server is unreachable: Select this option to send an alert if Core cannot connect to one of the configured DNS servers.
Mail server is unreachable: Select this option to send an alert if Core cannot connect to the configured SMTP server.
NTP server is unreachable: Select this option to send an alert if Core cannot connect to the configured NTP server.
Certificate Expired: Select this option to send an alert for certificate expiration. An alert is sent 30 days before expiration and on the expiration date. Certificates supported include MDM APNS/Client (iOS only), Admin Portal, and device certificates.
Provisioning Profile Expired: Generates an alert if an iOS provisioning profile distributed via MobileIron has expired. In general, this profile will be associated with an in-house app.
SMTP Relay server is unreachable: Generates an alert if the configured SMTP relay (for SMS archive) does not respond to a ping or SMTP ping. See Settings > Preferences in Admin Portal for the configured SMTP relay.
SMTP Relay server error: Generates an alert if the configured SMTP relay (for SMS archive) returns an error. The alert includes available details to enable troubleshooting. See Settings > Preferences in Admin Portal for the configured SMTP relay.
SMS Message archive queue is full: Generates an alert if the queue of messages to be archived exceeds 100. This indicates a possible problem with the service, causing a backlog in the queue. In response to this alert, you should check the health of the SMTP relay server and confirm that it is correctly configured under Settings > Preferences in Admin Portal.
System storage threshold has been reached: Generates an alert if the system storage threshold has been reached. See Manually purging data (system storage) on page 742 for information on setting this threshold.
Connector state events: Generates an alert if the health of the Connector changes. MobileIron defines a healthy connector as one that connects to the server at expected intervals and syncs successfully with the LDAP server. An alert is generated if a Connector changes from healthy to unhealthy, or from unhealthy to healthy.
Connector requires upgrade: Generates an alert if the automated upgrade of the Connector fails. This alert prompts you to manually upgrade the Connector.
Connector can not connect to LDAP server: Generates an alert if a configured LDAP server is no longer reachable.
Connector is unreachable: Generates an alert if the MobileIron server does not receive the expected response to the scheduled probe of the Connector. This alert generally indicates network problems.
VPP Percent Used Threshold: Generates an alert if the percentage of VPP tokens for an iOS app purchased via VPP reaches the specified level. The default threshold is 99 percent, meaning an alert is generated when 99 percent of the tokens for any VPP-purchased app have been redeemed.
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Maximum Alerts: Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.
Alert Every: Specifies the interval for generating alerts for a given event. Select the number of hours from the dropdown.
Severity: Specifies the severity defined for the alert. Select Critical, Warning, or Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See page 380 for information on creating a new template; Event Center templates enable you to specify content and basic formatting using HTML markup.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.
Apply to Labels: Send the alert to users in the selected labels. See Using labels to establish groups on page 143 for information on labels. Note: In most cases, if you do select a label, it should not be a label with broad coverage. System event alerts are usually not appropriate for device users.
Search Users: Enter the user ID to find users to which you want to send the alert.
Apply to Users: Send the alert to the selected users.
Exclude Labels: Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users who should not receive this alert.
Exclude Users: Do not send the alert to the selected users.
Search Users: Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
5. Click Save.
[Platform support table: Android, iOS, Win 7, WP8, WP8.1, Win 8.1 RT/Pro]
1 Only out of contact and out of policy violations are supported. Alerts are only sent by email.
Name: Identifier for this event.
Description: Additional text to clarify the purpose of this notification.
Connectivity
Out-of-contact with Server for X number of days: Select this option to send an alert when a device has been out of contact for the number of days specified in the Security policy assigned to it.
Out-of-policy for X number of days: Select this option to send an alert when a policy has been out of date for the number of days specified in the Security policy assigned to it.
Device Settings
Passcode is not compliant: Generates an alert if a device is detected having a passcode that does not meet the requirements specified in the associated security policy.
App Control
Disallowed app found: Generates an alert if an app that is specified as Disallowed is installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
App found that is not in Allowed Apps list: Generates an alert if an app that does not appear on the list of allowed apps has been detected on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
Required app not found: Generates an alert if an app that is specified as Required is not installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.
Data Protection/Encryption - iOS - Android
Data Protection/Encryption is disabled: Generates an alert if an iOS device has its Data Protection feature turned off, or an Android device has its Data Encryption feature turned off.
iOS
Disallowed iOS model found: Select this option to send an alert when a restricted iOS model is registered.
Disallowed iOS version found: Select this option to send an alert when a restricted iOS version is registered.
Compromised iOS device: Select this option to send an alert when a compromised iOS device is registered or connects to the server. That is, an iOS device that has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.
iOS Configuration not compliant: Generates an alert if an iOS device does not have the expected security policy or app settings. This state may indicate that a setting was changed or was not applied successfully.
Restored Device connected to server: Generates an alert if a previously wiped device has been restored and attempts to connect through the MobileIron deployment.
MobileIron iOS App Multitasking disabled by user: Generates an alert if the device user disables multitasking for the MobileIron iOS app. Disabling multitasking increases the likelihood that a compromised device will go undetected for a significant period of time.
Device MDM deactivated (iOS 5 and later): Generates an alert when the MDM profile on a managed iOS 5 device is removed.
Android
Disallowed Android OS version found: Generates an alert if an Android device having a disallowed OS version is detected. You can specify disallowed versions in the security policy.
Compromised Android device detected: Generates an alert if a modified Android device is detected. That is, an Android device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.
Device administrator not activated for DM client or agent: Generates an alert when a managed Android device is found to have no device administrator privilege activated for the MobileIron app or the Samsung DM Agent.
Note: The Samsung DM Agent is not required on Samsung MDM 4.x, starting with Mobile@Work for Android version 5.9.
Actions
Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.
Maximum Alerts: Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.
Alert Every: Specifies the interval for generating alerts for a given event. Select the number of days from the dropdown.
Severity: Specifies the severity defined for the alert. Select Critical, Warning, or Information.
Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See the Event Center template description on page 380 for information on creating a new template.
Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
The length of the message is limited to 255 characters.
Apply to Labels: Send the alert to users in the selected labels. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users to which you want to send the alert.
Apply to Users: Send the alert to the selected users.
Exclude Labels: Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 143 for information on labels.
Search Users: Enter the user ID to find users who should not receive this alert.
Exclude Users: Do not send the alert to the selected users.
Search Users: Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins: If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
5. Click Save.
The MobileIron Event Center sends emails, SMSes, and push notification messages based on triggering events. When you configure events, you can use the default message template or create a new one. Event Center templates enable you to specify content and basic formatting using HTML markup.
Note: If more than one policy violations event applies to a device, only the last one you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation. Instead, apply only one policy violations event to each device. In that one event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy violation that triggered the event.
Event Center messages are displayed with the HTML markup that provides the basic formatting for the content.
2. In the Name field, enter a name for the template.
The name must be unique for events of the same type.
3. In the Edit Template for field, select the language this template will be used for.
Note that only those languages that have been enabled for the system will be displayed in this list.
4. Make changes to the displayed messages.
5. Click Save.
You can remove the variables that you do not want to use from a field in the Event Center template. This allows you to further customize the Event Center messages.
Variable descriptions
The following table describes the variables used in Event Center messages.
Variable Description
$CURRENT_COUNTRY: The country in which the device is currently located.
$CURRENT_PHONE_NUMBER: The phone number currently associated with the device in MobileIron Core, but not matching the phone number currently used by the device.
$DEFAULT_POLICY_VIOLATION_MESSAGE: The hardcoded message associated with the policy violation that triggered the alert.
Note: Due to the length limits of SMS, C2DM, and APNs, the text might be truncated.
$DEFAULT_SYSTEM_MESSAGE: The third-party system message or error that triggered the alert.
$FREE_MEMORY_SIZE: The amount of free memory currently available on the device.
$HOME_COUNTRY: The home country of the device.
$MEMORY_SIZE_LIMIT: The threshold set for the device memory.
$NEW_PHONE_NUMBER: The phone number replacing the $CURRENT_PHONE_NUMBER$ as a result of a SIM change.
$PHONE_NUMBER: The phone number used by the device.
$SERVER_IP: The IP address of the server triggering a system event alert.
$SERVER_NAME: The hostname of the server triggering the system event alert.
$SEVERITY: The defined severity of the system event, i.e., Information, Warning, or Critical.
$THRESHOLD_ON: The total used for calculations, i.e., International Roaming or Total Usage.
$THRESHOLD_TYPE: The type of usage measured, i.e., SMS, Data, or Voice.
$THRESHOLD_UNIT: The unit associated with the type of usage, i.e., minutes, messages, or MB.
$THRESHOLD_VALUE: The defined threshold value for this event, e.g., 1000 (voice minutes).
$TOTAL_MEMORY_SIZE: The total memory reported by the device.
$USED_VALUE: The amount of memory currently used on the device.
$USER_NAME: The display name of the user associated with the device.
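As an added example that is not code from MobileIron, the following Python models how these template variables are substituted into an Event Center message and how the 255-character limit of the push and SMS channels can truncate $DEFAULT_POLICY_VIOLATION_MESSAGE; the channel names, the sample values, and the plain-text handling for SMS and push are assumptions made here.

```python
"""Render a MobileIron Event Center message template (added example).

Models the behaviour the guide describes: templates carry $VARIABLE
placeholders, HTML markup provides formatting, and push messages are capped at
255 characters, so $DEFAULT_POLICY_VIOLATION_MESSAGE may be truncated. The
variable names are the documented ones; channel names, sample values and the
plain-text treatment of SMS/push are assumptions of this example.
"""
import re
from html.parser import HTMLParser

# Variables the guide documents for Event Center templates.
KNOWN_VARIABLES = {
    "CURRENT_COUNTRY", "CURRENT_PHONE_NUMBER", "DEFAULT_POLICY_VIOLATION_MESSAGE",
    "DEFAULT_SYSTEM_MESSAGE", "FREE_MEMORY_SIZE", "HOME_COUNTRY", "MEMORY_SIZE_LIMIT",
    "NEW_PHONE_NUMBER", "PHONE_NUMBER", "SERVER_IP", "SERVER_NAME", "SEVERITY",
    "THRESHOLD_ON", "THRESHOLD_TYPE", "THRESHOLD_UNIT", "THRESHOLD_VALUE",
    "TOTAL_MEMORY_SIZE", "USED_VALUE", "USER_NAME",
}

# Push notifications are limited to 255 characters per the guide. The same
# limit is assumed for SMS (the guide mentions SMS length limits but gives no
# number); email is treated as unlimited in this model.
CHANNEL_LIMITS = {"sms": 255, "push": 255, "email": None}

# Accepts both the $NAME and the $NAME$ spelling seen in the variable table.
_VAR_RE = re.compile(r"\$([A-Z_]+)\$?")


class _TextOnly(HTMLParser):
    """Collects text content and drops tags, for plain-text channels."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html(markup: str) -> str:
    parser = _TextOnly()
    parser.feed(markup)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.parts)


def substitute(template: str, values: dict) -> str:
    """Replace documented $VARIABLES that have a value; anything else is left
    untouched so a typo in a template stays visible instead of being blanked."""
    def repl(match):
        name = match.group(1)
        if name in KNOWN_VARIABLES and name in values:
            return str(values[name])
        return match.group(0)
    return _VAR_RE.sub(repl, template)


def render(template: str, values: dict, channel: str) -> tuple:
    """Return (message, truncated) for the given delivery channel."""
    if channel not in CHANNEL_LIMITS:
        raise ValueError(f"unknown channel {channel!r}")
    text = substitute(template, values)
    if channel != "email":
        text = strip_html(text)  # assumption: SMS and push carry plain text
    limit = CHANNEL_LIMITS[channel]
    if limit is not None and len(text) > limit:
        return text[:limit], True
    return text, False


def unresolved_variables(template: str) -> set:
    """Names used in the template that the guide does not document."""
    return {m.group(1) for m in _VAR_RE.finditer(template)} - KNOWN_VARIABLES


def demo() -> dict:
    """Constructed sample: one policy-violation template rendered per channel."""
    template = ("<b>$SEVERITY</b>: $USER_NAME ($PHONE_NUMBER) in $CURRENT_COUNTRY. "
                "$DEFAULT_POLICY_VIOLATION_MESSAGE")
    values = {                                   # all values are constructed
        "SEVERITY": "Critical",
        "USER_NAME": "Jane Doe",
        "PHONE_NUMBER": "+1 555 0100",
        "CURRENT_COUNTRY": "US",
        "DEFAULT_POLICY_VIOLATION_MESSAGE": "Device is compromised. " * 15,
    }
    return {channel: render(template, values, channel) for channel in CHANNEL_LIMITS}


if __name__ == "__main__":
    for channel, (message, truncated) in demo().items():
        print(f"{channel}: truncated={truncated} len={len(message)}")
```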
This list includes the default template for each Event Center type. These are not editable.
3. Click the View link for the message template you want to view.
Events
Use the Events screen to track the events that have triggered alerts. To display the
Events screen, go to Logs & Events > Events.
Filtering events
You can filter the displayed events using the following criteria:
Read/Unread
Labels
User
Start Date/End Date
Event Type
Event Status
Filter Description
Read/Unread: Select Read or Unread from the Show dropdown list. To resume displaying all events, select All.
Labels: Select the preferred label from the Labels dropdown to filter based on the label specified in the event.
User: Enter a user ID and click the search icon to filter based on the user IDs specified in the event.
Start Date/End Date: Select dates in the Start Date and End Date fields to filter events by date range.
Event Type: Select an event type from the Type dropdown to filter by event type.
Event Status: Select an event status from the status dropdown to filter based on the event's lifecycle state.
Adding a note
You can add a note to one or more events to help track the work that has been done
in response. Each event can hold one note; adding another note replaces the existing
note. To add a note:
1. Select one or more events.
2. Select Actions > Add Note.
Chapter 10
Working with MobileIron Sentry
MobileIron Sentry
MobileIron Sentry is a component of a MobileIron deployment that interacts with your company's ActiveSync server. The ActiveSync server provides employees access to their email, contacts, calendar, and tasks. Sentry, with input from MobileIron Core, protects the ActiveSync server from wrongful access from the devices.
Before continuing with Sentry configuration using the Admin Portal, see the following:
For details about Sentry and an overview of the configuration tasks that you do, see the MobileIron Sentry Administration Guide.
For information on Sentry installation if you are using an on-premise MobileIron Core, see the MobileIron Installation Guide.
For information on Sentry installation if you are using Connected Cloud, see Getting Started with the MobileIron Connected Cloud.
In the Admin Portal, you configure the following information pertaining to Sentry configuration:
Standalone or Integrated Sentry connectivity.
See Adding, editing, and deleting a Sentry on MobileIron Core on page 397.
Certificate management for the certificate that Standalone Sentry presents to devices.
See Managing certificates for Standalone Sentry on page 417.
Device authentication (how the device authenticates to the Standalone Sentry) and server authentication (how the Standalone Sentry authenticates the device to the server).
See Device and server authentication support for Standalone Sentry on page 408.
Email attachment control.
See Email attachment control support for Standalone Sentry on page 422.
Sentry preferences.
See Setting Sentry preferences on page 435.
You also use the Admin Portal to manage ActiveSync associations. See Working with ActiveSync Phones via MobileIron Sentry on page 439.
For information about filling in this form, see Installing Integrated Sentry in the MobileIron Installation Guide.
Item Description
Sentry Host / IP: Enter the host name or IP address of the server on which the Standalone Sentry is installed.
Sentry Port: Enter the port that MobileIron Core will use to access the Standalone Sentry. The default is 9090.
Enable ActiveSync: Select Enable ActiveSync to configure the Standalone Sentry for ActiveSync. The ActiveSync Configuration section displays.
Enable App Tunneling: Select Enable App Tunneling to configure the Standalone Sentry for AppTunnel. The AppTunnel Configuration section displays.
Enable Kerberos Proxy: Select Enable Kerberos Proxy to configure the Standalone Sentry as a Kerberos Key Distribution Center Proxy (KKDCP) server. The Kerberos Proxy Configuration section displays.
ActiveSync Configuration
This section of the form displays only if you choose Enable ActiveSync.
Server Authentication: Select how the Sentry authenticates the user to the ActiveSync server. Select Pass Through or Kerberos. The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
ActiveSync Servers: Enter the ActiveSync server hostnames or IP addresses, separated by semicolons (;). The ActiveSync servers in this list provide failover support for each other. The maximum number of characters accepted is 4000 characters. For Microsoft Office 365, enter outlook.office365.com. For Gmail, enter m.google.com.
Enable Server TLS: Specify whether the ActiveSync servers require SSL (i.e., port 443).
Enable Redirect Processing (451): To disable redirect processing, clear the check box. If Enable Redirect Processing (451) is disabled, the Standalone Sentry does not handle redirection, and passes the redirect URL to the device.
Limit Protocol Version: Check this option to choose the ActiveSync protocol version that the device and Microsoft Exchange use to communicate with the Standalone Sentry. If the device is already registered, you have to push the exchange profile to the device to force the device to use the new protocol.
Attachment Control: Specify whether to enable email attachment control, and then specify the type of email attachment control. For more information, see Email attachment control support for Standalone Sentry on page 422.
Server List: Enter the app server's host name or IP address (usually an internal host name or IP address). Include the port number on the app server that the Sentry can access.
Example: resource1.companyname.com:443
You can enter multiple servers. The Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first app server, the next with the next app server, and so on. Separate each server name with a semicolon.
Example: resource1.companyname.com:443;resource2.companyname.com:443
Note: The Server List field is not applicable when the service name is <TCP_ANY>.
TLS Enabled: NA
Proxy Enabled/ATC: Select if you want to direct the TCP Tunnel service traffic through the proxy server. You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).
Server SPN List: NA
KDC server list: Specify the KDC servers to request the Kerberos ticket. Include the port number for the KDC server. Typically, the port number is 88. Enter the KDC servers separated by semicolon (;). The KDC servers in the list provide failover support for each other.
Example: kdc1.example.com:88;kdc2.example.com:88
You must specify at least one KDC server.
Advanced Configuration
This feature provides you the additional flexibility to configure Standalone Sentry session timeouts. You may want to configure the session timeouts to manage server resources. For example, you may want to configure larger timeouts when using a Lotus Notes Traveler server with Standalone Sentry.
Note: Do not make changes to the settings unless specifically instructed in the documentation or by MobileIron Professional Services.
Socket read/write timeout: Specify the time in milliseconds after which the Sentry times out a socket read or write from either the device or the server. Enter a valid integer. The default setting is 10000, and the minimum is 1.
Server connection timeout: Specify the time in milliseconds after which the Sentry will time out when connecting to the server. Enter a valid integer. The default setting is 10000, and the minimum is 1.
Server response timeout: Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP response from the server. Enter a valid integer. The default setting is 60000, and the minimum is 1. If the Sentry is dedicated to AppTunnel support for the IBM Notes Traveler client, set this value to 900,000 milliseconds. See Using AppTunnel with the IBM Notes Traveler client app on page 632.
Device request timeout: Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP request from the device on a new or existing connection. Enter a valid integer. The default setting is 10000, and the minimum is 1. If the Sentry is dedicated to AppTunnel support for the IBM Notes Traveler client, set this value to 900,000 milliseconds. See Using AppTunnel with the IBM Notes Traveler client app on page 632.
4. Click Save.
5. Perform this step if you configured the Sentry for app tunneling and the Sentry uses a self-signed certificate:
In the Settings > Sentry page, for the Sentry configured for app tunneling, click the View Certificate link.
This makes the Sentry's certificate known to MobileIron Core.
For information about editing Integrated Sentry configuration, see Installing Integrated Sentry in the MobileIron Installation Guide.
Caution: Do not remove a Standalone Sentry entry without first making sure that no
devices are using Exchange app settings that use that Standalone Sentry. Devices
with such Exchange app settings are still accessing the Standalone Sentry. These
devices can continue to access the ActiveSync server even if they violate their security
policy or if you manually attempt to block them. See Exchange settings on
page 243.
When you disable the Sentry, the notifications from MobileIron Core to the Sentry are
disabled. This allows Core processes to continue without any disruption, and it keeps
the Sentry configuration. The disabled Sentry continues to process traffic from clients
and continues to communicate with Core.
When you re-enable the Sentry, notifications from MobileIron Core to the Sentry are
re-established.
To disable a Sentry:
1. In the Admin portal, go to Settings > Sentry.
2. Select the Sentry.
3. Click Disable.
The Disable option is only available if the Sentry is enabled.
4. In the pop-up dialog, click Yes.
The State for the Sentry in Settings > Sentry will show Disabled.
The message for the Sentry in Settings > Service Diagnostics will show that the
Sentry has been disabled.
You can change the Sentry setting when it is disabled.
To enable a Sentry:
1. In the Admin portal, go to Settings > Sentry.
2. Select the Sentry.
3. Click Enable.
The Enable option is only available if the Sentry is disabled.
4. In the pop-up dialog, click Yes.
The State for the Sentry in Settings > Sentry will show Enabled.
The message for the Sentry in Settings > Service Diagnostics will show that the
Sentry is reachable.
Any changes made to the Sentry settings will be pushed to the Sentry.
Note: When you disable or enable a Sentry, the warning message indicates that Sentry is restarted. Only Standalone Sentry is restarted. Integrated Sentry is not restarted when it is disabled or enabled.
You configure 451 redirect processing on the Standalone Sentry by enabling or disabling the Enable Redirect Processing (451) field in the Edit Standalone Sentry page. From the Admin Portal, go to Settings > Sentry, and click on the edit icon for the Sentry.
4. Click Save.
Device authentication
Device authentication specifies how the device authenticates to the Standalone Sentry.
Standalone Sentry supports the following types of device authentication:
Server authentication
Server authentication specifies how the Sentry authenticates the device to the back-end server. This can be the ActiveSync server or the app server.
Standalone Sentry supports the following types of server authentication. These are supported for both ActiveSync and AppTunnel.
If you do device authentication with Identity certificates, you can specify different server authentication types for the ActiveSync configuration and for each AppTunnel service. For example, you can specify Pass Through for the ActiveSync server and Kerberos Constrained Delegation (KCD) for the servers listed for an AppTunnel service.
To configure authentication:
1. Complete the necessary infrastructure changes.
See Adding a MobileIron Standalone Sentry entry on page 398.
2. Obtain the certificates required for your implementation.
3. In the Admin Portal, select Settings > Sentry.
For device authentication with group certificate, Pass Through is the only option available for server authentication.
Note: The Certificate Field Mapping fields are used only if the server authentication is
done with Kerberos.
5. If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configuration section, Server Authentication defaults to Pass Through.
If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration section, select Pass Through for Server Auth for the AppTunnel Service.
6. Click Save.
Note: The Sentry restarts when you click Save after uploading the certificate.
This section describes the configuration when you choose Identity Certificate to
authenticate the device to the Sentry and Kerberos for how Sentry authenticates the
device to the ActiveSync or app server.
5. Use the Subject Alternate Name Type list to select the field in the client certificate
that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating the client certificate.
This is often the NT Principal Name.
6. Use the Value list to select the value used in the Subject Alternate Name field.
Usually, the User UPN (user principal name) is used to identify the user.
Password
Password for the Sentry service account.
2. Optionally, configure one or more Key Distribution Centers.
The Key Distribution Center is the network service that supplies session tickets and
temporary session keys. This is generally the Active Directory domain controller
host name.
If you do not configure a KDC, the system auto-detects the KDC.
3. Click Save.
Note: The Sentry restarts when you click Save.
By terminating SSL in the DMZ, Standalone Sentry enables an added layer of security,
as well as accommodates the DMZ firewall policies.
Standalone Sentry presents this certificate to devices so that the devices know that the Sentry server is a trusted server. Sentry also presents its certificate to other servers connecting to it, such as a server that performs health checks on Sentry.
To get a certificate from a trusted Certificate Authority, use the Sentry page on the Admin Portal to generate a certificate signing request (CSR) to the CA. Once you receive the signed certificate, you can use the same page to upload it to MobileIron Core, which sends it to Sentry.
Field Description
Common Name: Enter the server host name.
E-Mail: Enter the email address of the contact person in your organization who should receive the resulting certificate.
Company: Enter the name of the company requesting the certificate.
Department: Enter the department requesting the certificate.
City: Enter the city in which the company is located.
State: Enter the state in which the company is located.
Country: Enter the two-character abbreviation for the country in which the company is located.
Key Length: Select 1024 or 2048 to specify the length of each key in the pair.
5. Click Generate.
6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file.
8. Click OK.
9. Submit the file you created in step 6 to the certifying authority.
3. Click the Browse button and select a file to be uploaded. If there are additional
files, click the Add another file link.
Select the certificates as indicated in the following table:
Up to four emails embedded within the email are supported. All attachment control options are supported for each of the embedded emails. If an email contains five or more levels of embedded emails, Sentry encrypts/converts all attachments, including text and image files.
Note: Attachment control for iOS 7 devices requires Standalone Sentry Version 4.7.1
or later.
If you are using attachment control, and some iOS devices use other third-party iOS
email clients, configure a separate Sentry for those devices. On that Sentry, do not
enable attachment control.
The following table summarizes the email attachment control options that are supported on different devices:
Remove attachment
The Remove attachment option causes the Standalone Sentry to remove attachments from emails, replacing each attachment with another file. The name of the replacement file is the original attachment file name appended with .removed.html. For example, myDocument.pdf is replaced with myDocument.pdf.removed.html.
"The original attachment was removed as required by the security policies of your administrator."
On iOS devices, the message is translated according to the language setting of the device. The language defaults to United States English if the language setting is not one of the supported languages.
Supported devices: This option is available on all platforms for all email clients.
Note: Typically, you won't use this option on iOS devices with native email or supported AppConnect-enabled email apps or on Android devices that use secure apps.
Other options are available on these devices that are less intrusive, but still keep the attachments secure.
The Standalone Sentry appends the file name of the attachment with .secure. For example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the only app that can open files with the .secure file extension.
Note: When the device user saves a local copy of an email attachment, the saved copy is protected by the device's data encryption.
When the device user sends Docs@Work documents as email attachments, the documents are also encrypted. See Encryption for iOS Docs@Work documents sent as email attachments on page 557.
Therefore, use the encryption option only if the following statements are true:
You are operating in a high security environment.
For Standalone Sentry versions prior to 4.9, you are using a physical appliance for your Standalone Sentry or you are using the Virtual Standalone Sentry large configuration. Starting with Standalone Sentry 4.9, the physical appliance and any size virtual configuration supports the encryption option.
Note: Attempts to configure the encryption option fail for other Standalone Sentry configurations.
Configuration considerations
Changing to or from this option requires you to re-push the Exchange app setting to the Standalone Sentry's devices. For more information, see Changing the encryption option on page 429.
Supported devices: This option is available only on iOS devices using the native email client.
Deliver as is
The Deliver as is option delivers all email attachments in their original form. The device user views attachments with any available apps that work with the type of attachment.
Supported devices: This option is available on iOS devices using the native email client, on Android devices using unsecured email apps, and on other platforms.
Typically, you won't use this option on iOS devices using the native email client because other options that keep the attachments secure are available.
Supported devices: This option is available on Android devices that are using secure apps and iOS devices using a supported AppConnect-enabled email app.
Note: The exception to this behavior involves the behavior of the iOS native email client. If the email attachment control option is Remove Attachment, the iOS native email client forwards the replacement file, that is, the file that contains the replacement text and has the .removed.html file extension. The original attachment is not forwarded. However, you typically do not use the "Remove Attachment" option on iOS devices.
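As an added example that is not MobileIron's code, the following Python applies the attachment control rules described above (the .removed.html replacement, the .secure renaming, Deliver as is, and the four supported embedded-email levels) together with the comma-separated File Name Exclusion List that the configuration steps in this chapter describe; the message structure, the sample attachment names, and the treatment of the exclusion list at five or more embedded levels are assumptions made here.

```python
"""Model of Standalone Sentry email attachment control (added example).

Applies the rules the guide states: "Remove attachment" replaces a file with
<name>.removed.html carrying the notice text, the encryption option renames it
<name>.secure (only Mobile@Work can open it), "Deliver as is" leaves it
untouched, extensions on the File Name Exclusion List are always delivered as
is, and embedded emails are handled up to four levels deep; at five or more
levels every attachment is converted, including text and image files. The
message structure, the sample names, and the assumption that the exclusion
list no longer applies past the fourth embedded level are constructed here.
"""
from dataclasses import dataclass, field

REMOVED_NOTICE = ("The original attachment was removed as required by the "
                  "security policies of your administrator.")
REMOVE, ENCRYPT, AS_IS = "remove", "encrypt", "as_is"  # the three options
MAX_EMBEDDED_LEVELS = 4  # embedded-email depth the guide says is supported


@dataclass
class Attachment:
    name: str
    body: bytes = b""


@dataclass
class Email:
    attachments: list = field(default_factory=list)
    embedded: list = field(default_factory=list)  # nested Email objects


def parse_exclusion_list(text: str) -> set:
    """Comma-separated extensions from the File Name Exclusion List field."""
    return {e.strip().lstrip(".").lower() for e in text.split(",") if e.strip()}


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def apply_option(att: Attachment, option: str) -> Attachment:
    """Rename or replace one attachment according to the selected option."""
    if option == REMOVE:
        return Attachment(att.name + ".removed.html", REMOVED_NOTICE.encode())
    if option == ENCRYPT:
        # Only the naming rule is modelled; the real Sentry encrypts the body.
        return Attachment(att.name + ".secure", b"<encrypted>" + att.body)
    if option == AS_IS:
        return att
    raise ValueError(f"unknown attachment control option {option!r}")


def process(email: Email, option: str, excluded: set, depth: int = 0) -> Email:
    """Return a copy of `email` with attachment control applied recursively."""
    too_deep = depth > MAX_EMBEDDED_LEVELS  # fifth embedded level or deeper
    out = Email()
    for att in email.attachments:
        # Exclusion list honoured only within the supported depth (assumption:
        # the guide says everything is converted at five or more levels).
        keep = option == AS_IS or (not too_deep and _extension(att.name) in excluded)
        out.attachments.append(att if keep else apply_option(att, option))
    for inner in email.embedded:
        out.embedded.append(process(inner, option, excluded, depth + 1))
    return out


def attachment_names(email: Email, depth: int = 0) -> list:
    """Flatten to (depth, name) pairs so the outcome is easy to inspect."""
    names = [(depth, a.name) for a in email.attachments]
    for inner in email.embedded:
        names.extend(attachment_names(inner, depth + 1))
    return names


def sample_email() -> Email:
    """Constructed message: two top-level attachments and a photo nested five
    embedded emails deep, one level beyond the supported four."""
    deepest = Email(attachments=[Attachment("photo.jpg")])
    wrapped = deepest
    for _ in range(5):
        wrapped = Email(embedded=[wrapped])
    wrapped.attachments = [Attachment("myDocument.pdf"), Attachment("photo.jpg")]
    return wrapped


if __name__ == "__main__":
    exclusions = parse_exclusion_list("jpg, .png")
    for opt in (REMOVE, ENCRYPT, AS_IS):
        print(opt, attachment_names(process(sample_email(), opt, exclusions)))
```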
The Standalone Sentry does some processing on each email that is directed to an
ActiveSync device when the email attachment control option is one of the following:
Open only with Docs@Work and protect with encryption
Remove attachment
This processing alters the signed content, so the email signature no longer verifies.
Therefore, when an email app receives a signed email in these cases, the app always
indicates to the user that it cannot validate the sender's identity and that the email
has been tampered with.
For example, the iOS native email client displays the email's From field in red if:
an iOS device user has enabled S/MIME in the iOS Mail app
the iOS native email client receives an S/MIME email through Standalone Sentry
the email attachment control option is one of the options mentioned above
Encrypted emails
S/MIME can also be used to encrypt emails, although this use of S/MIME is not com-
mon. Standalone Sentry passes along an S/MIME encrypted email with no impact to
the email.
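The following added example (not MobileIron code, and not part of the original guide) shows why the processing described above breaks a signed message while an S/MIME-encrypted or as-is delivery survives. S/MIME commits a signature to the exact bytes of the signed MIME entity; here a plain RSA PKCS#1 v1.5 signature over the canonical CRLF bytes stands in for the CMS SignedData blob that real S/MIME carries, which is enough to show the effect. The message content, key, boundary string and all function names are this example's own assumptions, and it needs the `cryptography` package.

```python
"""Why Standalone Sentry attachment processing breaks a signed email.

Added illustration, not MobileIron code. A plain RSA signature over the
canonical bytes of the signed MIME entity stands in for the CMS SignedData
that real S/MIME carries; the content, key and names below are assumptions."""

from email.message import EmailMessage
from email.policy import SMTP

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def build_signed_entity(attachment: bytes, filename: str) -> EmailMessage:
    """Constructed sample: the MIME entity a sender signs, a short text body
    plus one attachment. A fixed boundary keeps as_bytes() stable."""
    entity = EmailMessage(policy=SMTP)  # SMTP policy -> CRLF line endings
    entity.set_content("Figures attached.")
    entity.make_mixed(boundary="demo-boundary")
    entity.add_attachment(attachment, maintype="application",
                          subtype="vnd.ms-excel", filename=filename)
    return entity


def canonical_bytes(entity: EmailMessage) -> bytes:
    """RFC 5751 signs the entity in canonical form (CRLF line endings)."""
    return entity.as_bytes()


def sign_entity(entity: EmailMessage, private_key) -> bytes:
    return private_key.sign(canonical_bytes(entity), padding.PKCS1v15(),
                            hashes.SHA256())


def verify_entity(entity: EmailMessage, signature: bytes, public_key) -> bool:
    """What the mail client's S/MIME check boils down to: True means the
    received bytes are exactly what the sender signed."""
    try:
        public_key.verify(signature, canonical_bytes(entity),
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def sentry_deliver_as_is(entity: EmailMessage) -> EmailMessage:
    """Deliver as is (and S/MIME-encrypted mail): the entity is forwarded untouched."""
    return entity


def sentry_remove_attachment(entity: EmailMessage) -> EmailMessage:
    """Model of Remove Attachment: every attachment is replaced by a small
    HTML note named <original>.removed.html (naming pattern assumed)."""
    rewritten = EmailMessage(policy=SMTP)
    rewritten.set_content(entity.get_body(preferencelist=("plain",)).get_content())
    rewritten.make_mixed(boundary="demo-boundary")
    for part in entity.iter_attachments():
        name = part.get_filename() or "attachment"
        note = f"<html><body>{name} was removed by policy.</body></html>"
        rewritten.add_attachment(note, subtype="html", filename=f"{name}.removed.html")
    return rewritten


def demo() -> dict:
    """Sign a constructed message, pass it through both Sentry behaviours
    and report whether the signature still verifies on the far side."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = key.public_key()
    entity = build_signed_entity(b"Q3 revenue: constructed sample bytes", "q3.xls")
    signature = sign_entity(entity, key)
    return {
        "deliver_as_is": verify_entity(sentry_deliver_as_is(entity), signature, public_key),
        "remove_attachment": verify_entity(sentry_remove_attachment(entity), signature, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

The encryption option has the same effect as Remove Attachment here: the attachment bytes the signer committed to are no longer the bytes the client receives, so no client can distinguish Sentry's policy rewrite from an attacker's tampering. Only options that leave the signed entity byte-for-byte intact keep the signature valid.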
If you require different options for different users, use a different Standalone Sentry
for each set of users.
Before you configure Open only with Docs@Work and protect with encryption
options for iOS devices, make sure you have enabled Docs@Work as described in
Enable Docs@Work on page 566. The default setting for Attachment Control is dis-
abled. If Attachment Control is set to disabled, Standalone Sentry delivers attach-
ments as is to all devices.
4. For iOS And Android Using Secure Apps, select the type of attachment control that
you want to use. The list of supported secure email apps is in Supported devices
and email apps on page 422.
For a description of the options, see Email attachment control options on
page 423.
5. For Other Platforms (Including Android Using Unsecured Apps), select the type of
attachment control that you want to use.
Note: This option does not impact iOS devices at all.
For a description of the options, see Email attachment control options on
page 423.
6. For File Name Exclusion List, enter any file extensions that you always want Stand-
alone Sentry to deliver as is, regardless of the attachment control option selected.
Specify a comma-separated list.
If you make no entry into the text box, the default file name extension list is
applied. See Default file name exclusion list on page 430.
7. Click Save.
The Standalone Sentry restarts when you click Save. A restart can cause a brief
interruption in email service to device users.
8. If you changed to or from the option Open only with Docs@Work and protect with
encryption, you see the following:
To find out if the Standalone Sentry failed to apply the changes, go to Settings >
Sentry. Click View Errors on the Standalone Sentry's setting for the detailed error
message.
Important: The re-push sends the Exchange setting to all devices with the appropriate
label, not just the iOS devices.
On each affected device, the re-push causes the email app that uses the Exchange
setting to:
resync its emails, calendar items, tasks, and contacts. For example, the email app
removes all emails from its email folders and then re-fetches the emails from the
ActiveSync server.
in some cases, prompt the device user to re-enter their password for accessing email.
If your deployment has multiple Sentries and some have Open only with Docs@Work
and protect with Encryption enabled and others do not, attachment control may fail.
An encrypted document is forwarded as is by a Sentry not configured to protect with
encryption. In this case, you will not be able to view the encrypted document on
mobile devices that do not have an encryption key. Since the document remains
encrypted, you will also not be able to view it on non-mobile devices or on non-iOS
email clients.
If you are using attachment control, we recommend that all Sentries have Open only
with Docs@Work and protect with Encryption enabled for iOS using Native Email.
If the text box specifies no file extensions, the Standalone Sentry uses the following
file extensions by default for the exclusion list:
txt
html
htm
jpg
jpeg
gif
png
eml
rpms
rpmsg
bmp
tiff
tif
sdtid
log
ics
The following table summarizes how the exclusion list impacts whether the Standalone
Sentry applies each attachment control option:
Open only with Docs@Work and protect with encryption
  File extension in the exclusion list: Not applied. Any appropriate app can open the
  file, which the Sentry delivers as is.
  File extension not in the exclusion list: Applied. Files open only with Docs@Work
  and are protected with encryption.
Remove Attachment
  File extension in the exclusion list: Applied. Sentry removes the attachment.
  File extension not in the exclusion list: Applied. Sentry removes the attachment.
Deliver as is
  File extension in the exclusion list: Applied. Sentry delivers the attachment as is.
  File extension not in the exclusion list: Applied. Sentry delivers the attachment as is.
Open with Secure Email App
  File extension in the exclusion list: Applied. Only secure email apps can open the
  attachment.
  File extension not in the exclusion list: Applied. Only secure email apps can open
  the attachment.
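The following added example (not MobileIron code, and not part of the original guide) models the attachment control decision above together with the default exclusion list, so an administrator can dry-run a proposed exclusion list and see which attachments would leave Sentry unencrypted. It follows the table: only the encryption option is bypassed for listed extensions, while the other options act regardless. Case-insensitive matching on the last dot-separated suffix and the exact name of the replacement file are assumptions, since the page does not specify how Sentry matches or names them; all function names are this example's own.

```python
"""Model of Standalone Sentry attachment control and the file name exclusion list.

Added illustration, not MobileIron code. Follows the table above; extension
matching rules and the replacement file name are assumptions."""

from dataclasses import dataclass

# Default list from the guide, used when the File Name Exclusion List box is empty.
DEFAULT_EXCLUSION_LIST = (
    "txt,html,htm,jpg,jpeg,gif,png,eml,rpms,rpmsg,bmp,tiff,tif,sdtid,log,ics"
)

ENCRYPT = "Open only with Docs@Work and protect with encryption"
REMOVE = "Remove Attachment"
AS_IS = "Deliver as is"
SECURE_APP = "Open with Secure Email App"


def parse_exclusion_list(configured: str) -> frozenset:
    """Normalise the comma-separated admin entry ('.PDF, docx ' -> {'pdf', 'docx'});
    an empty entry falls back to the default list, as the guide states."""
    source = configured if configured.strip() else DEFAULT_EXCLUSION_LIST
    exts = (e.strip().lower().lstrip(".") for e in source.split(","))
    return frozenset(e for e in exts if e)


def extension_of(filename: str) -> str:
    """Lowercased last suffix ('Q3.Report.PDF' -> 'pdf'); a name without a dot
    has no extension and can never match the exclusion list (assumed rule)."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name or name.endswith("."):
        return ""
    return name.rsplit(".", 1)[1].lower()


@dataclass(frozen=True)
class Decision:
    delivered_name: str    # file name the device receives
    action: str            # 'as-is', 'encrypt', 'remove' or 'secure-app'
    control_applied: bool  # False only when the exclusion list bypassed the option


def evaluate(filename: str, option: str, exclusion_list: frozenset) -> Decision:
    """Apply one attachment control option to one attachment."""
    if option == ENCRYPT:
        if extension_of(filename) in exclusion_list:
            return Decision(filename, "as-is", False)
        return Decision(filename, "encrypt", True)
    if option == REMOVE:
        # Replacement text file with the .removed.html extension; the iOS native
        # Mail client forwards this file, not the original. Name pattern assumed.
        return Decision(f"{filename}.removed.html", "remove", True)
    if option == AS_IS:
        return Decision(filename, "as-is", True)
    if option == SECURE_APP:
        return Decision(filename, "secure-app", True)
    raise ValueError(f"unknown attachment control option: {option!r}")


def evaluate_batch(filenames, option, configured_list=""):
    """Dry-run a set of attachment names against one option and exclusion list;
    useful for spotting what a proposed list would let through unencrypted."""
    exclusion_list = parse_exclusion_list(configured_list)
    return {name: evaluate(name, option, exclusion_list) for name in filenames}


if __name__ == "__main__":
    for name, decision in evaluate_batch(
            ["budget.xlsx", "token.sdtid", "notes.TXT", "README"], ENCRYPT).items():
        print(f"{name:14} -> {decision.action:8} applied={decision.control_applied}")
```

Note what the default list implies: html, htm, eml and sdtid files bypass the encryption option, so a review of the exclusion list is part of reviewing the attachment control policy itself.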
If you think the key is compromised, you can generate a new key. However, before
generating a new key, consider the following:
Key regeneration causes a restart for all Standalone Sentries that are using encryp-
tion for attachment control.
A restart can cause a brief interruption in email service to device users.
Key regeneration prevents iOS device users who use the iOS native email client
from reading previously received attachments, unless you subsequently re-push
the Exchange setting to the devices.
Previously received attachments are encrypted with the old key, but Mobile@Work
uses the new key after key regeneration. Therefore, Mobile@Work cannot display
the old attachment.
Furthermore, consider the scenario when a device user forwards an email with an
attachment encrypted with the old key. The Standalone Sentry is unable to decrypt
the attachment because it is using the new key. In this case, the Standalone Sentry
replaces the attachment with a text file with an explanatory message.
Therefore, key regeneration requires you to re-push the Exchange setting to the
iOS devices using the iOS native email client that the Standalone Sentry works
with. The re-push causes the email app to remove all emails from its email folders
and then re-fetch the emails from the ActiveSync server. Re-fetching the emails
means that the Standalone Sentry encrypts the email attachments with the new
key.
Important: The re-push sends the Exchange setting to all devices with the appro-
priate label, not just the iOS devices.
The re-push causes the email app on each affected device to:
resynch its emails, calendar items, tasks, and contacts with the ActiveSync
server. For example, the email app removes all emails from its email folders and
then re-fetches the emails from the ActiveSync server.
in some cases, prompt the device user to re-enter their password for accessing
email.
The easiest way to re-push an Exchange setting to a device is to make a simple
modification, such as adding a space at the end of the Description field. The next
time each device checks in, MobileIron Core will send the Exchange setting to the
device.
3. Click Yes if you are sure you want to regenerate the key.
4. Go to Policies & Configs > Configurations.
5. Select an Exchange setting that uses a Standalone Sentry configured with the
attachment control encryption option.
6. Click Edit.
The Modify Exchange Setting screen displays.
7. Add a space to the end of the Description field.
8. Click Save.
9. Repeat steps 5 through 8 for each Exchange setting that uses a Standalone Sentry
configured with the attachment control encryption option.
Note: If a Standalone Sentry is not available when you regenerate the key, its entry in
Settings > Sentry displays an error.
To send the new encryption key when the Standalone Sentry is available again:
1. Go to Settings > Sentry in the Admin Portal.
2. Click Edit next to the Standalone Sentry entry.
3. Click Save in the Edit Standalone Sentry screen.
Note: Disable Background health check if you are using only one ActiveSync server or
if you are using Lotus Notes Traveler 8.5.3.
Perform the following steps to change the Background health check settings for the
ActiveSync server:
1. In the Admin Portal, go to Settings > Sentry.
2. Click on the edit icon for the Sentry.
3. In the Edit Standalone Sentry page, under ActiveSync Configuration, expand
ActiveSync Server Configuration.
Use the following guidelines to configure background health check for ActiveSync
servers:
Enable Background Health Check: Clear the check box to disable the ActiveSync server
health check. If enabled, when the ActiveSync server fails the number of times
configured in the Dead Threshold setting within the Failure Window, the ActiveSync
server status shows Unreachable. When the background health check determines that
the server is live the number of times configured for Live Threshold, the ActiveSync
server status shows Reachable.
Interval: Specify the time interval, in seconds, at which Sentry performs a background
health check. The valid range is 10 through 600. The default is 60.
Live Threshold: Specify the number of times the ActiveSync server background health
check must succeed before the server is marked as live. The valid range is 1 through
10. The default is 3.
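The following added example (not MobileIron code, and not part of the original guide) implements the reachability state machine the guidelines above describe, so the interaction of Interval, Dead Threshold, Failure Window and Live Threshold can be replayed against a sequence of probe results. Interval and Live Threshold use the documented ranges and defaults; the page names Dead Threshold and Failure Window but does not show their ranges, so the defaults used for them here are assumptions, as are the validation rules and all names.

```python
"""Model of the Standalone Sentry ActiveSync background health check.

Added illustration, not MobileIron code. Dead Threshold and Failure Window
defaults, the validation rules and all names are this example's assumptions."""

from collections import deque
from dataclasses import dataclass, field

REACHABLE = "Reachable"
UNREACHABLE = "Unreachable"


@dataclass(frozen=True)
class HealthCheckConfig:
    interval_s: int = 60         # documented: 10..600, default 60
    live_threshold: int = 3      # documented: 1..10, default 3
    dead_threshold: int = 3      # assumption: range not shown on the page
    failure_window_s: int = 300  # assumption: range not shown on the page

    def __post_init__(self) -> None:
        if not 10 <= self.interval_s <= 600:
            raise ValueError("Interval must be between 10 and 600 seconds")
        if not 1 <= self.live_threshold <= 10:
            raise ValueError("Live Threshold must be between 1 and 10")
        if self.dead_threshold < 1:
            raise ValueError("Dead Threshold must be at least 1")
        # With probes every Interval, the Nth consecutive failure lands at
        # (N-1)*Interval; a shorter window could never reach Dead Threshold.
        if self.failure_window_s < self.interval_s * (self.dead_threshold - 1):
            raise ValueError("Failure Window is too short to ever reach Dead Threshold")


@dataclass
class ServerHealth:
    """Tracks one ActiveSync server's status from successive probe results."""
    cfg: HealthCheckConfig
    status: str = REACHABLE
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    live_streak: int = 0

    def record(self, ok: bool, now_s: float) -> str:
        """Feed one probe result taken at time now_s; return the new status."""
        if ok:
            self.live_streak += 1
            if self.status == UNREACHABLE and self.live_streak >= self.cfg.live_threshold:
                self.status = REACHABLE
                self.failures.clear()
            return self.status
        self.live_streak = 0  # successes must be consecutive to recover
        self.failures.append(now_s)
        # Failures older than the window no longer count toward Dead Threshold.
        while self.failures and now_s - self.failures[0] > self.cfg.failure_window_s:
            self.failures.popleft()
        if len(self.failures) >= self.cfg.dead_threshold:
            self.status = UNREACHABLE
        return self.status


def simulate(probes, cfg=HealthCheckConfig()):
    """Replay (time_s, ok) probe results and return the status after each one."""
    server = ServerHealth(cfg)
    return [server.record(ok, t) for t, ok in probes]


if __name__ == "__main__":
    # Three failures a minute apart mark the server dead; three successes revive it.
    print(simulate([(0, False), (60, False), (120, False),
                    (180, True), (240, True), (300, True)]))
```

Two behaviours worth noticing: failures do not have to be consecutive, only inside the window, so an intermittently failing server can still be marked Unreachable; and two old failures followed by a third outside the window do not trip the threshold, which is why a Failure Window shorter than the probe spacing makes the check meaningless.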
Note: When you change this setting, Standalone Sentry immediately changes its
behavior to reflect the setting. Integrated Sentry informs the Microsoft Exchange
Server to change its behavior the next time Integrated Sentry syncs with MobileIron
Core.
To automatically block ActiveSync phones that are not registered with MobileIron:
1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. Select Auto Block Unregistered Devices.
For other methods for blocking devices from accessing the ActiveSync server, see the
following:
Block on page 453
Working with security policies on page 182
This behavior determines whether the Sentry applies the ActiveSync server's policy to
the device syncing with the ActiveSync server.
Note: It may take up to twenty-four hours for any changes to the Default ActiveSync
Policy behavior to take effect.
1. In the Admin Portal, go to Sentry > Preferences.
2. Set the default behavior. The settings are described in the following table.
Remove AS Server policy: The ActiveSync server's policy is not applied to the device.
Pass-through AS Server policy: The ActiveSync server's policy is applied to the device.
3. Click Save.
Chapter 11
Working with ActiveSync Phones via MobileIron Sentry
Note: The terms ActiveSync devices, ActiveSync phones, and ActiveSync associations
are used interchangeably and refer to the user and device accessing the ActiveSync
server. Actions which specifically impact only the user or the device are called out.
Before working with ActiveSync devices on the Admin Portal, see the MobileIron Sen-
try Administration Guide for information about the following:
ActiveSync protocol versions
ActiveSync devices
ActiveSync policies, including how they compare to the security policies
MobileIron Core, Standalone Sentry, and ActiveSync device interaction
Use the Admin Portal to configure information relating to the Sentries that MobileIron
Core works with. See Working with MobileIron Sentry on page 395.
Once you have configured your Sentries and understand ActiveSync devices in a
MobileIron deployment, use the Admin Portal to manage the ActiveSync devices. You
can do the following tasks:
Create and assign Exchange App Settings to devices.
See Exchange settings on page 243.
Create and assign Security policies to devices.
See Working with security policies on page 182.
Create and assign ActiveSync policies to mailboxes.
See Working with ActiveSync policies on page 442.
Add multiple ActiveSync accounts to a registered device.
See Adding multiple ActiveSync accounts to a registered device on page 448.
View information about ActiveSync devices.
See Viewing ActiveSync associations on page 449.
Block an ActiveSync device from accessing the ActiveSync server.
See Block on page 453.
Allow an ActiveSync device to access the ActiveSync server.
See Allow on page 452.
Wipe an ActiveSync device.
See Wipe on page 455.
Register an ActiveSync device.
See Registering ActiveSync phones on page 456.
Remove an ActiveSync device.
See Removing ActiveSync phones on page 456.
Before you configure ActiveSync policies, see The ActiveSync Policy in the Mobile-
Iron Sentry Administration Guide.
To work with ActiveSync policies, from the Admin Portal go to Policies & Configs >
ActiveSync Policies.
In the ActiveSync Policies page, the # Phones column for an ActiveSync Policy displays
the number of devices to which the policy is applied. Since we don't recommend
assigning an ActiveSync policy to iOS, Android, and WP8 devices, you may only see
devices other than iOS, Android, and WP8.
Standalone Sentry and Integrated Sentry support multiple email accounts on the
same device for the following use cases:
The device user requires access to another user's email account.
The device user is a member of a group and requires access to the group's email
account.
Note: If multiple mailboxes are registered on a device and each uses a different
Exchange profile, in the ActiveSync Association page:
The second mailbox displays as the same User as the first mailbox.
The Mailbox ID for the second mailbox displays correctly.
Supported on iOS, Win 7, WP8, and Win 8.1 RT/Pro; not supported on Android.
To display the users and the devices that connect via ActiveSync:
1. In the Admin Portal, click the Users & Devices tab.
DeviceID: The DeviceID for the device.
User: The device user.
Number: The device number.
Phone: The device model.
OS: The device platform.
Status: Indicates whether the device is registered with MobileIron. When a record is
associated with a registered device on MobileIron Core, the status displays as
Registered (Linked). When a record is not associated with a registered device on
MobileIron Core, the status displays as Unregistered (Unlinked). Use the Link To
feature to link the record to the corresponding registered device.
Sync Status: Indicates whether ActiveSync access for the device is Allowed or
Blocked. If an iOS device is blocked, it also cannot access the Docs@Work features.
See Block impact on documents on page 578.
First Sync Time: For Integrated Sentry, the time stamp of the first successful
synchronization of data from the Exchange server. For Standalone Sentry, the time
stamp when the device is first reported by Sentry to MobileIron Core as a new device.
Mailbox ID: Displays the ID for the synchronized mailbox as defined in ActiveSync.
Domain: Indicates whether the device connects via Integrated Sentry or Standalone
Sentry.
You can filter the ActiveSync Devices list by these additional criteria:
Registered (linked): Displays records that are associated with a registered device on
MobileIron Core.
Unregistered (unlinked): Displays records that are not associated with a registered
device on Core.
ActiveSync Policy Assigned: Displays associations with a device to which an
ActiveSync policy is manually assigned.
ActiveSync Action Applied in CY: Displays associations with a device on which an
ActiveSync action is applied in the calendar year.
The following table summarizes the information available in the ActiveSync Details
pane.
User: The user (email account) accessing the ActiveSync server.
Phone: The device number and model.
Device Details: Additional details received from the device.
Mailbox Details: The ActiveSync policy applied to the mailbox, and the redirect URL,
if there is one, to which the device is redirected.
Comment: Comments you may have added to this record.
Note: Allow, Block, and Wipe actions override MobileIron Core's automatic decision-
making about a device's ability to access the ActiveSync server. For more information,
see Overriding and re-establishing MobileIron Core management of a device on
page 457.
Note: We recommend applying ActiveSync actions only to devices other than iOS,
Android, and WP8 devices. Wipe, Assign Policy, and Revert Policy are ActiveSync actions.
Allow
Supported on Android, iOS, Win 7, WP8, WP8.1, and Win 8.1 RT/Pro.
Use the Allow button to allow blocked ActiveSync devices to access the ActiveSync
server. The Allow button also allows blocked iOS devices to access the Docs@Work
features as described in Block impact on documents on page 578.
Do the following:
1. In the Admin Portal, click the ActiveSync Associations link under the Users &
Devices tab.
Note: When you select Allow, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.
Block
Use the Block button to block selected ActiveSync devices from accessing the
ActiveSync server.
For iOS devices, the Block button also keeps the selected ActiveSync devices from
accessing the Docs@Work features as described in Block impact on documents on
page 578.
The behavior when blocking access to the ActiveSync server differs depending on
whether you are using Standalone Sentry or Integrated Sentry (available only with
on-premise MobileIron Core), as given in the following table.
For Integrated Sentry, once a single phone has been blocked, you need to use the
Allow command to grant connections to future phones.
Note: When you click Block, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.
Wipe
Wiping an ActiveSync phone sends an ActiveSync Wipe command to the phone, which
removes all data from the phone, returning the phone to factory defaults. Once you
wipe a phone, its status changes to Wiped, and the only valid action you can apply is
Remove.
Warning
Returning the phone to factory defaults removes all data. Once a wipe has started, do
not restart your phone. Interfering with the wipe process can render your phone non-
functional.
Note: Apply this action only to devices other than iOS, Android, and WP8 devices.
Note: The device is wiped only when it attempts to sync, or the user takes an action.
For example, the device is wiped when the device user attempts to send an email.
Note: When you click Wipe, you are overriding any MobileIron Core logic that wipes
the device or allows or blocks the device's access to the ActiveSync server. For more
information, see Overriding and re-establishing MobileIron Core management of a
device on page 457.
For more information about using Remove, see Overriding and re-establishing Mobil-
eIron Core management of a device on page 457.
To link a device in the ActiveSync Associations page to a device in the Devices page:
1. Select the device in the ActiveSync Devices page.
2. Click the Link to button.
3. Select the corresponding device from the popup.
4. Click Link To.
However, once you select the Allow, Block, or Wipe button for the device, MobileIron
Core no longer automatically makes these decisions. You can only manually make
these decisions using the Allow, Block, or Wipe buttons. To cause Core to once more
automatically make these decisions, click the Remove button. The next time the
device attempts to access its email, Core and Sentry resync information about the
device, and Core again makes these decisions automatically.
For example, consider the scenario where an executive's device is being blocked from
accessing email due to the device's security policy. Take the following steps:
1. Select the Allow button on the ActiveSync Devices view for the executive's device.
This action immediately allows the executive to access email, without waiting for
your further actions.
2. Use the Admin Portal to update the device's security policy.
For example, exclude the device from using the existing security policy, and create
a new security policy for executives.
3. Click the Remove Button on the ActiveSync Devices view.
MobileIron Core removes the device from the ActiveSync Devices view. The next
time the device accesses its email, Core adds the device back to the view, and once
again manages the device based on its security policy.
You can determine whether a device was recently blocked or allowed, and whether it
was a manual or automatic action. Using the Admin Portal, do the following:
1. Select Log > Browse All.
2. Look for Block or Reinstate (which means allowed) in the Action column.
The message column indicates if the action was due to the security policy. If the action
was manual, the message column is either empty, or contains a note added by the
administrator who performed the manual action.
Note: Apply this action only to devices other than iOS, Android, and WP8 devices.
Perform this step if your Sentry uses a self-signed certificate. If your Sentry has a cer-
tificate signed by a third-party CA, go to step 4.
The specific steps differ slightly for each browser type. The following steps detail how
to download the certificates using the Chrome browser.
On Mac OSX
Navigate to https://sentryhostname, where sentryhostname is the Sentry's
fully-qualified domain name.
Click on the HTTPS padlock icon in the address bar.
Click Certificate Information.
Click the signing certificate (CA), then drag the certificate icon from the panel to
your desktop.
Click the self-signed certificate, then drag the certificate icon from the panel to
your desktop.
Go to step 3.
On Windows
Navigate to https://sentryhostname, where sentryhostname is the Sentry's
fully-qualified domain name.
Click on the HTTPS padlock icon in the address bar.
Click Certificate information.
Click the Details tab.
Click Copy to File...
The Certificate Export Wizard appears.
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), click
Next.
Click Browse to navigate to the Desktop to save the file.
Enter a name for the file and click Save, then Next, then Finish.
Note: Windows Phone 7 recognizes other formats as valid certificates, but only the
Base-64 encoded X.509 (.CER) format works with an Exchange ActiveSync account.
Click the Certification Path tab.
Select the signing certificate (CA certificate).
Click the Details tab.
Click Copy to File...
The Certificate Export Wizard appears.
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), then click
Next.
Click Browse to navigate to the Desktop to save the file.
Enter a name for the file and click Save, then Next, then Finish.
Go to step 3.
3. Install the self-signed certificate and its signing certificate, the CA certificate.
Perform this step after performing step 2. If your Sentry has a certificate signed by a
third-party CA, go to step 4.
Email the two certificates (self-signed and CA) to an email account on the
device, for example, a Gmail or a Yahoo account.
On the device, tap on the attachments to download.
Tap the shield icons to install the certificates.
Go to step 4.
4. Configure the Exchange ActiveSync account on the device.
On the device, tap Settings > email + accounts > add an account > advanced
setup.
Enter your email address and Password, then tap Next.
Tap Exchange ActiveSync as the email account type.
In the Domain field, enter the domain of the email server.
In the Server field, enter sentryhostname, where sentryhostname is the Sen-
try's fully-qualified domain name.
Check Server requires encrypted (SSL) connection.
Tap sign in. The device begins to sync.
Chapter 12
Using the SMS Archive Feature
Supported devices
The SMS archival feature is supported on Samsung SAFE devices running MDM 2.0
through MDM 4.x.
Forward SMS as Email: Select On to enable the SMS Archive feature.
Default From Address: Enter the email address to include in the From field of the
emails generated for archiving the SMSes.
Destination Email Addresses: Enter the email addresses of the archival systems to
which the generated emails are sent. Separate the email addresses with commas (,).
Host/IP Addresses: Enter the host name or IP address of each SMTP server to use for
relaying the email to the SMS archival destinations. You may specify the same SMTP
server that you specified when you configured MobileIron Core. If you specify
multiple addresses, then MobileIron attempts to connect to each in the order
specified until a successful connection is established.
TLS Enabled: Select Yes if you want to enable TLS for communication with the SMTP
relay server.
STARTTLS Required: If you selected Yes for the TLS Enabled option, indicate whether
the STARTTLS protocol is required for the specified SMTP servers.
SMS Delivery Interval: Enter the number of hours that MobileIron Core should wait
before forwarding collected SMSes to their archival destinations. The default value
is 4.
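The following added example (not MobileIron code, and not part of the original guide) shows the relay behaviour the Host/IP Addresses, TLS Enabled and STARTTLS Required settings above imply: hosts are tried in the configured order until one accepts the message, and when STARTTLS is required the archive is never handed to a server that does not offer it, whereas TLS Enabled alone is opportunistic and silently sends in clear to such a server. The SMTP class is injectable so the function can be exercised offline with the constructed stand-in included below; the hosts, addresses, SMS records and all names are this example's own assumptions.

```python
"""Relay behaviour implied by the SMS Archive SMTP settings.

Added illustration, not MobileIron code. Hosts, addresses, the sample SMS
record and every name below are this example's assumptions."""

import smtplib
import ssl
from email.message import EmailMessage


class RelayError(Exception):
    """No configured host accepted the message under the TLS policy."""


def build_archive_email(default_from: str, destinations: list, sms_records: list) -> EmailMessage:
    """One archival email per delivery interval, built from collected SMSes
    (constructed records: dicts with when, direction, peer, text)."""
    msg = EmailMessage()
    msg["From"] = default_from
    msg["To"] = ", ".join(destinations)
    msg["Subject"] = f"SMS archive: {len(sms_records)} message(s)"
    msg.set_content("\n".join(
        f"{r['when']} {r['direction']} {r['peer']}: {r['text']}" for r in sms_records))
    return msg


def relay(msg: EmailMessage, hosts: list, tls_enabled: bool, starttls_required: bool,
          smtp_class=smtplib.SMTP, timeout: float = 10) -> str:
    """Try each host in order; return the host that accepted the message."""
    problems = []
    for host in hosts:
        try:
            server = smtp_class(host, 25, timeout=timeout)
        except OSError as exc:
            problems.append(f"{host}: connect failed ({exc})")
            continue
        try:
            server.ehlo()
            if tls_enabled:
                if server.has_extn("starttls"):
                    server.starttls(context=ssl.create_default_context())
                    server.ehlo()  # re-issue EHLO after the TLS handshake
                elif starttls_required:
                    # The relay does not offer STARTTLS: refuse rather than downgrade.
                    raise RelayError(f"{host}: STARTTLS required but not offered")
                # TLS Enabled without STARTTLS Required is opportunistic: a relay
                # without STARTTLS still receives the archive in cleartext.
            server.send_message(msg)
            return host
        except (smtplib.SMTPException, RelayError) as exc:
            problems.append(str(exc))
        finally:
            server.quit()
    raise RelayError("no SMTP host accepted the message: " + "; ".join(problems))


def make_fake_smtp(servers: dict, sent: list):
    """Constructed stand-in for smtplib.SMTP so relay() runs offline. servers maps
    host -> {'down': bool, 'starttls': bool}; deliveries append (host, over_tls)."""
    class FakeSMTP:
        def __init__(self, host, port=25, timeout=None):
            spec = servers.get(host)
            if spec is None or spec.get("down"):
                raise ConnectionRefusedError(f"{host}:{port} refused")
            self.host, self.spec, self.tls = host, spec, False

        def ehlo(self):
            return 250, b"ok"

        def has_extn(self, name):
            return name.lower() == "starttls" and bool(self.spec.get("starttls"))

        def starttls(self, context=None):
            self.tls = True

        def send_message(self, msg):
            sent.append((self.host, self.tls))

        def quit(self):
            pass
    return FakeSMTP


def demo():
    """Required STARTTLS skips the cleartext-only relay; opportunistic TLS does
    not. Returns (host chosen under 'required', list of deliveries made)."""
    sent = []
    fake = make_fake_smtp({
        "relay1.example.com": {"down": True},
        "relay2.example.com": {"starttls": False},
        "relay3.example.com": {"starttls": True},
    }, sent)
    msg = build_archive_email("sms-archive@example.com", ["archive@example.com"],
                              [{"when": "2014-03-01T09:00Z", "direction": "out",
                                "peer": "+15555550123", "text": "constructed sample"}])
    hosts = ["relay1.example.com", "relay2.example.com", "relay3.example.com"]
    chosen = relay(msg, hosts, tls_enabled=True, starttls_required=True, smtp_class=fake)
    relay(msg, hosts, tls_enabled=True, starttls_required=False, smtp_class=fake)
    return chosen, sent


if __name__ == "__main__":
    print(demo())
```

Because archived SMS content is exactly the kind of data an attacker on the path to the relay would want, set STARTTLS Required whenever TLS Enabled is set; the opportunistic mode exists for compatibility, not for protection.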
Chapter 13
Using Enterprise Connector
5. Select the Connector of interest to display additional details in the pane on the
right.
Note: A failed auto upgrade does not affect your system operations.
Your system always maintains the previous working version.
If you want to upgrade to a newer version after the auto upgrade failed, perform a
manual upgrade.
Services/Backend status: The name and status of the backend services.
Session id: An internal generated session ID.
User id: The user account for this Connector.
Last Error: The last error message.
Note: Apply saves the configuration in the current session only. It is not
persistent after the machine reboots.
7. Click Yes.
A dialog appears informing the status.
8. Click OK.
9. Click Save on the upper right corner.
Note: Make sure to click Save to make the configuration persistent after
the machine reboots.
https://<fully-qualified_domain_name>.
2. Go to Settings > Connector.
3. Click Preferences. The preferences panel is displayed.
Caution: Do not make changes to these settings without explicit direction from either
MobileIron support or a knowledge base article.
LDAP Timeout: Specify the time in seconds after which the LDAP request to the
Connector times out.
LDAP Request Retries: Specify the number of times that MobileIron Core retries the
LDAP request to the Connector before reporting an error. Note: Increasing the
number of retries increases the cumulative timeout.
LDAP Test Timeout: Specify the time in seconds after which a test request times out,
for example, when you modify the LDAP settings.
Section II: Apps and Data Management
Managing Mobile Apps with Apps@Work
Docs@Work
AppConnect
Web@Work
Chapter 14
Managing Mobile Apps with Apps@Work
For iOS and Android, you can provide users with links to recommended apps on the
Apple App Store or Google Play (formerly Android Market), or links to internally-
developed apps they can download from the MobileIron app distribution library.
For Windows Phone 8 (WP8), you can provide users with links to recommended apps
on the Windows Store, or links to internally-developed apps they can download from
the MobileIron app distribution library.
The device user can tap this web clip to access the Apps@Work enterprise app
storefront. Apps@Work displays lists of apps that you have configured for download
from the Apple App Store or MobileIron Core. The apps appear in these tabbed
sections:
Featured: The featured page lists all apps that the administrator designates as
featured. These apps can include in-house, recommended, web apps, and prepaid
apps.
Updates: The updates page displays all apps that have an available update. The
Update All button allows the device user to update all apps at the same time.
The Categories page is the default page for Apps@Work. If the administrator has
designated any featured apps, then Featured is the default page.
For comprehensive information on in-house app development, see the Apple website.
The device user must have an iTunes account to download these apps.
You can upload a custom image to replace the MobileIron logo in the App Storefront.
This allows you to re-brand the App Storefront to reflect your organization's branding.
The App Storefront displays the new image when the user accesses the storefront.
Prerequisites
Complete app functionality, including updates to badges resulting from inventory data,
requires:
iOS MDM certificate (See Enabling iOS MDM support on page 36.)
iOS MDM profile enabled (Settings > Preferences)
If you intend to develop and manage in-house apps, then participation in Apple's iDEP
program is required. See the materials posted on the MobileIron Support site.
Starting with iOS 7, you can also restrict document interaction between managed
apps and unmanaged apps. See Restrictions settings on page 324.
Starting with iOS 7, a managed app can get its configuration from MobileIron Core.
The device user does not have to manually enter the configuration. This feature
results in easier app deployment and fewer support calls for you, and a better user
experience for the device user.
For more information, see Managed app configuration settings on page 334.
AppConnect apps
For information about AppConnect apps, see AppConnect on page 581.
You upload iOS AppConnect apps created with the AppConnect wrapping technology to
the app distribution library as in-house apps. AppConnect apps created with the SDK
can be distributed as either in-house apps or recommended apps. The process for
adding an AppConnect app to the app distribution library is the same as for any iOS
app.
When you upload an iOS AppConnect app as an in-house app to the app distribution library, in some cases MobileIron Core automatically creates an AppConnect container policy and AppConnect app configuration. Core takes this action when the app has specified its desired default values for the policy and configuration in its IPA file. You can override these values by editing the app's AppConnect container policy or AppConnect app configuration. Core keeps in sync the labels that you apply to the app and the labels that you apply to the AppConnect container policy and AppConnect app configuration.
Because the Apps@Work web clip is deployed like any other configuration, there might
be considerable lag between device registration and the appearance of the web clip.
To improve search performance, the default is set to 20. You can enter a number
between 20 and 200.
7. Click the Search button.
The matching apps are displayed.
8. Click the Import or Update link for an app to import the relevant information.
Import indicates an app that does not yet exist in the app distribution library.
Update indicates an app that exists in the app distribution library, but has an
update available for download.
9. Close the dialog.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as a recommended app.
10. Click the edit icon for the app.
11. Make any necessary changes to the default settings.
12. Click Save.
13. Select Actions > Apply To Label to specify the device groups that should see this
app.
Important: To ensure that MobileIron Core is able to track the devices that have an
App Store app installed, you must associate the official app name with the displayed
app name. We recommend that you test an app installation to determine the official
name and create the association prior to distributing the app to users. See Linking
app store apps to inventory apps on page 498 for information on establishing this
association.
iTunes ID: Enter the iTunes ID for the app. See Getting the iTunes app ID on page 490 for detailed steps for getting the ID.
Note: The app ID is not editable later, so be sure to enter the correct ID.
App Name: Enter the name to display on the App Store Apps list on devices. Only alphanumerics, underscores, dashes and spaces are allowed in this field. App names longer than 25 characters will be truncated when displayed on the device. Note that the App Inventory page in the Admin Portal will display the name reported by the installed app, not the app name entered here. You can create a link between these app names. See Linking app store apps to inventory apps on page 498 for information on creating this link.
iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the app is not displayed in Apps@Work for other iOS devices.
Managed App Settings
Prevent backup of the app data: Ensures that iTunes will not attempt to back up possibly sensitive data associated with the given app. No further action is necessary to apply this restriction.
Remove app when MDM profile is removed: Set to Yes to ensure that the app will not remain on the device if device management is disabled. No further action is necessary to apply this restriction.
Note: If you change the setting after the app is added, the changed setting will not be applied to the app.
Remove app when device is quarantined or signed out: Set to Yes to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode. This option does not apply unless the corresponding option has been specified in a compliance action, and that compliance action has been selected for one or more policy options in the security policy for a device. Once the device is no longer quarantined, the app can be downloaded again.
Note: If you change the setting after the app is added, the changed setting will not be applied to the app.
This App Store app is free: Set to Yes for free recommended apps. iOS allows Managed App features to be applied to free apps and apps purchased with VPP credits, but not to apps paid for by the user. Specifying whether the app is free ensures successful download of apps that require user payment.
Send installation request on device registration or sign-in: Set to Yes to prompt device users to install this app once device registration is complete or a user signs in on a multi-user device.
Per App VPN (iOS 7 or later): iOS 7 and iOS 7.1: Select the VPN setting you created for per app VPN in the Available column, and click the right arrow to move it to the Selected column. If the app will use MobileIron Tunnel, select the MobileIron Tunnel VPN setting you created. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected column, drag the configuration names to the correct positions in the list. See VPN settings on page 268 for information on creating a per app VPN or MobileIron Tunnel VPN setting. See Per app VPN priority on page 492.
7. Click Next.
8. Use the following guidelines to complete this screen:
App Name: Displays the app name you entered in the previous screen. This field is not editable.
Display Version: Enter the version number you want to display to users. You may enter numerals and periods (.) in this field.
Description: Enter any additional text that helps describe what the app is for.
Featured: Select No if you do not want to highlight this app in the Featured apps list. Note that the Message feature for iOS apps applies only to featured apps. See Informing users of new apps and upgrades for featured apps on page 501 for information.
App Updates: Select Update managed app only to update previous versions of the app only if they were installed as managed apps. Select Update managed or unmanaged app to update a previous version of the app, regardless of whether it was installed as managed. The update is then applied as an unmanaged update. This option is useful if you want to support existing unmanaged installations of the app without forcing users to uninstall and reinstall as a managed app. (Apple prohibits installation of updates over unmanaged apps.)
Note: This option applies only to apps that were installed by means of a device user-initiated request on the app storefront.
Hide in App Storefront: Select Hide to prevent this app from displaying in the app storefront. For example, you might want to hide apps that will be installed upon registration anyway. Hiding a mandatory app reduces clutter in the app storefront, leaving device users with a concise menu of the approved apps they might find useful. Select Show to display an app that is normally hidden, such as the Apps@Work Container.
Category: Select one or more categories if you would like this app to be displayed in a specific group of apps on the device. Click Add New Category to define new categories.
9. Click Next.
10. Use the following guidelines to complete this page:
App Icon: Select the icon to be used to represent this app. The file must be in JPG, PNG, or GIF format. PNG is recommended for best resizing results. Acceptable dimensions are 57x57 pixels, 72x72 pixels, or 114x114 pixels. If you do not select an icon, then a default icon will be displayed next to this app in Apps@Work.
iPhone and iPod touch screenshots: Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format. Acceptable dimensions are 320x480 pixels, 480x320 pixels, 640x960 pixels, and 960x640 pixels. Note that the display of rotated screenshots in the Admin Portal might not be consistent with the display on the devices.
iPad screenshots: Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format. Acceptable dimensions are 768x1024 pixels and 1024x768 pixels.
The priority of per app VPN configurations applied to labels is higher than that of per app VPN configurations that are not applied to labels. For example, suppose the app lists VPN1, VPN2 and VPN3 as the possible per app VPN configurations in the Selected list.
If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is assigned to the app when the per app VPN list order is:
VPN1 (applied to label)
VPN2 (applied to label)
VPN3
If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is still assigned to the app if the per app VPN list is:
VPN3
VPN1 (applied to label)
VPN2 (applied to label)
The Apps tab in device details (Users & Devices > Devices > select the up arrow to see the device details) lists the activated per app VPN for the device, so that users and administrators can easily view which VPN the app is using on that device.
Note: If you are upgrading to MobileIron Core 7.0, existing per app VPN assignments become the highest-priority per app VPN for the app.
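The two cases above follow one rule: configurations applied to labels outrank those that are not, and Selected-list order breaks ties. The following Python models that rule so the assignment can be checked for any Selected list. It is an added example, not MobileIron Core code. It assumes each Selected entry is a name plus a flag saying whether that VPN setting is applied to a label, and the existing_assignment parameter is a hypothetical stand-in for the Core 7.0 upgrade note, not a Core setting.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PerAppVpn:
    """One entry of an app's Selected per app VPN list (constructed model)."""
    name: str
    applied_to_label: bool  # True if the VPN setting itself is applied to a label


def priority_order(selected: List[PerAppVpn],
                   existing_assignment: Optional[str] = None) -> List[str]:
    """Return the VPN names from highest to lowest priority.

    Ranking, from most to least significant:
      1. the pre-upgrade assignment (Core 7.0 upgrade note), if one is given;
      2. configurations applied to labels before those that are not;
      3. the order of the Selected list (sorted() is stable, so ties keep it).
    """
    def rank(item):
        index, vpn = item
        return (vpn.name != existing_assignment, not vpn.applied_to_label, index)

    return [vpn.name for _, vpn in sorted(enumerate(selected), key=rank)]


def assigned_vpn(selected: List[PerAppVpn],
                 existing_assignment: Optional[str] = None) -> Optional[str]:
    """The configuration Core assigns: the head of the priority order."""
    order = priority_order(selected, existing_assignment)
    return order[0] if order else None


# The two cases from the text: VPN1 and VPN2 are applied to labels, VPN3 is not.
CASE_LABELED_FIRST = [PerAppVpn("VPN1", True), PerAppVpn("VPN2", True),
                      PerAppVpn("VPN3", False)]
CASE_UNLABELED_FIRST = [PerAppVpn("VPN3", False), PerAppVpn("VPN1", True),
                        PerAppVpn("VPN2", True)]

if __name__ == "__main__":
    for case in (CASE_LABELED_FIRST, CASE_UNLABELED_FIRST):
        print([v.name for v in case], "->", assigned_vpn(case))
```

Both constructed cases resolve to VPN1, matching the text; VPN3 is only chosen when it is passed as the pre-upgrade assignment.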
App Upload: Click Browse and navigate to the in-house app (.ipa) you want to upload.
Note: For iOS, MobileIron Core supports uploading apps that are up to 5 GB.
iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the app is not displayed in Apps@Work for other iOS devices.
Managed App Settings
Prevent backup of the app data: Ensures that iTunes will not attempt to back up possibly sensitive data associated with the given app. No further action is necessary to apply this restriction.
Remove app when MDM profile is removed: Set to Yes to ensure that the app will not remain on the device if device management is disabled. No further action is necessary to apply this restriction.
Note: If you change the setting after the app is added, the changed setting is not applied to the app.
Allow app removal when device is quarantined or signed out: Set to Yes to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode. This option does not apply unless the corresponding option has been specified in a compliance action, and that compliance action has been selected for one or more policy options in the security policy for a device. Once the device is no longer quarantined, the app can be downloaded again.
Note: If you change the setting after the app is added, the changed setting is not applied to the app.
Send installation request on device registration or sign-in: Set to Yes to prompt device users to install this app once device registration is complete or a user signs in on a multi-user device.
Per App VPN (iOS 7 or later): iOS 7 and iOS 7.1: Select the VPN setting you created for per app VPN in the Available column, and click the right arrow to move it to the Selected column. If the app will use MobileIron Tunnel, select the MobileIron Tunnel VPN setting you created. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected column, drag the configuration names to the correct positions in the list. See VPN settings on page 268 for information on creating a per app VPN or MobileIron Tunnel VPN setting. See Per app VPN priority on page 492.
6. Click Next.
The Add App Wizard examines the selected bundle to ensure that it meets requirements for in-house apps distributed for iOS devices. If the bundle is acceptable, the following screen displays.
Note: Downloads of iOS in-house apps over 3G should be limited to 20 MB. Use Wi-Fi for downloading larger in-house apps.
7. Use the following guidelines to complete the items in this screen:
App Name: Displays the App Name defined for the app bundle. You can edit this text to display a different name to users. Note that app names longer than 25 characters will be truncated when displayed on the device.
Note: An iOS app is packaged as a bundle. A bundle is a directory in the file system that groups related resources together in one place. An iOS app bundle contains the app executable file and supporting resource files such as app icons, image files, and localized content.
Display Version: Enter the version number to be displayed to users. You may enter numerals and periods (.) in this field.
Bundle Version: Displays the version defined for the bundle. This item is not editable.
Description: Enter any additional text that helps describe what the app is for.
Override URL: If you are implementing an alternate URL for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. See Override for in-house app URLs on page 549 for the requirements for this configuration.
Featured: Select No if you do not want to highlight this app in the Featured apps list. On the device, the user can display a subset of featured apps. Note that the Message feature for iOS apps applies only to featured apps. See Informing users of new apps and upgrades for featured apps on page 501 for information.
Data Protection Required: Select Yes to require that data protection be enabled in order to install this app.
Note: Devices without data protection enabled will not see the app at all in the In-house Apps list on the device and will not know that data protection compliance is required. Therefore, you may want to communicate the requirement to users.
App Updates: Select Update managed app only to update previous versions of the app only if they were installed as managed apps. Select Update managed or unmanaged app to update a previous version of the app, regardless of whether it was installed as managed. The update is then applied as an unmanaged update. This option is useful if you want to support existing unmanaged installations of the app without forcing users to uninstall and reinstall as a managed app. (Apple prohibits installation of updates over unmanaged apps.)
Note: This option applies only to apps that were installed by means of a device user-initiated request on the app storefront.
Hide in App Storefront: Select Hide to prevent this app from displaying in the app storefront. For example, you might want to hide apps that will be installed upon registration anyway. Hiding a mandatory app reduces clutter in the app storefront, leaving device users with a concise menu of the approved apps they might find useful. Select Show to display an app that is normally hidden, such as the Apps@Work Container.
Provisioning Profile: Displays the identifier for the provisioning profile incorporated in the bundle.
Note: The provisioning profile is a text document containing verification information for the app. Apps are not usable on iOS without a current provisioning profile.
Category: Select one or more categories if you would like this app to be displayed in a specific group of apps on the device. Click Add New Category to define a new category.
8. Click Next.
App Icon: Required. The app icon is automatically extracted from the IPA file. The file must be in PNG format. If an icon cannot be automatically extracted from the IPA file, then it must be added manually. Acceptable dimensions are 57x57, 72x72, 114x114, 120x120, 144x144, or 152x152 pixels.
iPhone and iPod touch screenshots: Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format and in one of the following dimensions: 320x480 pixels, 640x960 pixels, 480x320 pixels, or 960x640 pixels.
iPad screenshots: Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format and in one of the following dimensions: 1024x768 pixels or 768x1024 pixels.
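Before uploading, an administrator can confirm that an icon or screenshot file has one of the accepted sizes without opening it in an image editor. The following Python is an added example, not part of this guide or of Core. It reads only the PNG IHDR header, so it covers the PNG icons the wizard requires (not JPG or GIF screenshots), and the make_png_header helper builds constructed, header-only test input rather than a real image.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Accepted sizes (width x height) from the Add App Wizard tables above.
ICON_SIZES = {(57, 57), (72, 72), (114, 114), (120, 120), (144, 144), (152, 152)}
IPHONE_SCREENSHOT_SIZES = {(320, 480), (640, 960), (480, 320), (960, 640)}
IPAD_SCREENSHOT_SIZES = {(1024, 768), (768, 1024)}


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from a PNG's IHDR chunk.

    The PNG format requires IHDR to be the first chunk, right after the 8-byte
    signature: 4-byte length (always 13), 4-byte type, 13 bytes of data, then a
    4-byte CRC over type + data. Only this header is parsed; pixel data is
    never decoded, so a malformed image cannot reach an image library here.
    """
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("malformed PNG: IHDR is not the first chunk")
    ihdr = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(chunk_type + ihdr) & 0xFFFFFFFF != crc:
        raise ValueError("malformed PNG: IHDR CRC mismatch")
    width, height = struct.unpack(">II", ihdr[:8])
    if width == 0 or height == 0:
        raise ValueError("malformed PNG: zero dimension")
    return width, height


def classify_asset(data: bytes) -> str:
    """Say which wizard field a PNG fits, or 'unsupported' if no size matches."""
    size = png_dimensions(data)
    if size in ICON_SIZES:
        return "icon"
    if size in IPHONE_SCREENSHOT_SIZES:
        return "iphone-screenshot"
    if size in IPAD_SCREENSHOT_SIZES:
        return "ipad-screenshot"
    return "unsupported"


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature plus a valid IHDR chunk (8-bit RGBA).

    This is not a complete image, only enough bytes for png_dimensions().
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr
            + struct.pack(">I", crc))


if __name__ == "__main__":
    for w, h in ((114, 114), (640, 960), (1024, 768), (100, 100)):
        print(f"{w}x{h}: {classify_asset(make_png_header(w, h))}")
```

To check a real file, pass the first few dozen bytes of it to classify_asset; the CRC check rejects a header that has been truncated or edited by hand.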
5. Select the label that represents the iOS devices for which you want the selected app to be displayed.
6. Click Apply.
7. If you have not done so already, consider linking any App Store app to the corresponding entry in the app inventory.
This step will help with app tracking because the name you assign to the app is not likely to be the same as the name reported by the app once it is installed. You should also consider testing the first installation of each App Store app so that you can record the corresponding reported app name. See Linking app store apps to inventory apps on page 498.
If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes MobileIron Core to be updated. You can
address user concerns by using the Force Device Check-in command to force the
MobileIron app to update Core.
To link the App Store app name to the reported app name:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
4. Select the corresponding inventory app name from the Inventory Apps list.
5. Click Save.
Once the link is established, the # of Devices Installed column in the App Distribution screen displays the correct number. You should consider changing the app name as specified in any app control rules to ensure it matches the official name.
Upgrading apps
When an upgrade for an app becomes available, you can just add it to the app
distribution library and assign it to appropriate labels like any other app. MobileIron
Core detects that it is an update and indicates its availability in the form of a badge
that appears on the corresponding tab in Apps@Work. Core also replaces the app
entry displayed in the apps lists on the devices.
Tapping the entry for the app having an update displays an UPDATE tag instead of an
INSTALL tag.
Updates to featured apps are published in the same way to all devices in the labels
assigned to the apps. You can also send a message to devices to announce the
availability of updates to featured apps.
Note: The iTunes ID is not editable. If you entered the wrong ID when you added this
app to the app distribution library, then you need to delete the app entry and create a
new one.
Setup tasks
Setup for VPP support requires the following tasks:
1. Upload the payment file to MobileIron Core.
2. Configure the optional alert.
Note: Some versions of Excel will attempt to save an XLS file as XLSX by default. If
you open the file in Excel, be sure not to save the file when you close it.
You can use the Actions > Remove From Label command to remove either or both
labels.
The Apple Volume Purchase Program (VPP) allows you to purchase multiple copies of
an app to redistribute to your employees. With iOS 7, the program was updated to
provide additional benefits. On MobileIron Core, the new VPP license management is
available in parallel with the old redemption codes (purchase codes).
We strongly recommend that you purchase app licenses rather than redemption codes
through your Apple VPP.
Note: Open HTTPS port 443 for iOS VPP support. Port 443 is required for access to
https://vpp.itunes.apple.com from Core.
Note: If the user has another registered device on which the app is installed, the app
license is not reclaimed.
This gives the organization up-to-date visibility into app and license inventory for each
VPP account.
VPP Account Name: The account name entered when adding the VPP account.
Description: Additional information that describes this account.
Service Token: The credential used to link the VPP account to MobileIron Core.
Expires In Days: Number of days before the service token expires. Before the service token expires, you must download a new service token from Apple's VPP portal.
Uploaded: Date when the service token was last added to MobileIron Core.
Click the inverted V icon to display the apps and associated license information.
App: Name of the app purchased with the VPP account.
Added in App Distribution: Indicates whether you imported the app into Core for distribution. When you import an app, it is also displayed in the App Distribution page.
Licenses Used: Number of licenses redeemed for the app. This is a total for the account. This number includes licenses that were redeemed by other MobileIron Core instances.
Licenses Purchased: Number of licenses purchased for the app.
Account Name: Enter an account name. This could be the department or business unit to which the app is applied.
Apple ID: (Optional) Enter the Apple ID for the VPP account.
Description: (Optional) Enter additional information that describes this account.
Service Token: Copy and paste the service token you received from Apple.
4. Click Save.
A list of apps that were purchased with this VPP account is displayed.
Note: You do not have to import the apps at this point. See also Importing VPP apps from the VPP account and Importing VPP apps from the App Distribution Library.
5. Click Done.
See Importing app store apps for iOS: App Store import and Manually adding App
Store apps for iOS in the MobileIron Core Administration Guide.
For an app already listed in the App Distribution Library, the VPP Purchased / Used
column now displays the license information.
Note: For iOS 7 and iOS 7.1, when you import recommended apps that use licenses or
redemption codes, set the This App Store App is Free option to No. This allows the
device user to successfully download the app using licenses or redemption codes.
The VPP purchased and used information includes both redemption codes and licenses
purchased and used for the VPP account.
To view the devices on which the app is installed, click the number in the devices installed column for that app. The popup displays all devices on which the app is installed and the associated VPP account.
Update VPP Account: Click to edit the VPP account information or import apps.
Delete VPP Account: Click to delete the VPP account from MobileIron Core. When you delete a VPP account, all licenses for the apps purchased through the VPP account are reclaimed, and users have a grace period of 30 days to purchase the apps.
Once you have enrolled in your company's VPP, prepaid apps available to you through the VPP will display the PREPAID status. Tap Request to install these apps like you would a free app.
If you did not enroll in the program, tap View to purchase the app from the Apple App Store.
Distributed secure apps appear in the Secure Apps list on managed Android devices.
For detailed information about AppConnect for Android and secure apps, see Using
AppConnect for Android on page 625.
You can protect in-house apps and associated data by using the Admin Portal to
uninstall in-house apps if a device is lost or stolen.
Some devices prevent the user from uninstalling the app. On other devices, if the
device user uninstalls the in-house app, it is automatically reinstalled.
App Name: Enter the name that the device reports if the app is installed. Only alphanumerics, underscores, dashes and spaces are allowed in this field. It is important to enter the reported name to ensure that app inventory will correctly reflect the presence of this app. If you do not know the reported name, enter a temporary name in this field, then distribute the app to a test device and check the App Inventory page for the reported name. You can then edit this field to reflect the reported name.
Package Name: Enter the unique, fully-qualified identifier for this app. The package name for an Android app is included in the Google Play (formerly Android Market) URL. The following example highlights the package name:
https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free
Note that the package name provides the basis for matching recommended apps with entries in the App Inventory screen. Therefore, the requirement that the package name be unique impacts the app inventory display.
Min. OS Version: Select the minimum version required for this app. Devices that do not meet the minimum version requirement will not display this app in the Google Play Apps list.
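The App Name and Package Name rules above, and the package name's role as the key that matches a recommended app to its inventory entry, can be checked before the entry is saved. The following Python is an added example, not part of this guide or of Core: package_from_play_url pulls the id parameter out of a Google Play URL such as the one shown, validate_recommended_app applies the field rules against a constructed stand-in for the library's existing entries, and device_sees_app applies the Min. OS Version rule. All function names and the sample inventory are this example's own.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# Field rules from the table above.
APP_NAME_ALLOWED = re.compile(r"^[A-Za-z0-9_\- ]+$")
# Android package names are dot-separated Java identifiers with at least two segments.
PACKAGE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")

# The URL from the table (the id= parameter carries the package name).
EXAMPLE_PLAY_URL = "https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free"


def package_from_play_url(url: str) -> str:
    """Extract and validate the package name in a Google Play URL's id= parameter."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("expected an https Google Play URL")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1:
        raise ValueError("URL must carry exactly one id= parameter")
    package = ids[0]
    if not PACKAGE_NAME.match(package):
        raise ValueError(f"not a valid Android package name: {package!r}")
    return package


def validate_recommended_app(app_name: str, play_url: str,
                             inventory: Dict[str, str]) -> List[str]:
    """Return the problems an admin should fix before saving the entry.

    `inventory` maps package names already in the App Distribution Library to
    the app name each was entered under (constructed stand-in for that screen).
    """
    problems: List[str] = []
    if not APP_NAME_ALLOWED.match(app_name):
        problems.append("app name: only alphanumerics, underscores, dashes "
                        "and spaces are allowed")
    try:
        package = package_from_play_url(play_url)
    except ValueError as err:
        problems.append(f"package name: {err}")
        return problems
    if package in inventory:
        # Inventory matching is keyed on the package name, so a duplicate
        # would make two library entries claim the same installed app.
        problems.append(f"package name: {package} is already used by "
                        f"{inventory[package]!r}; package names must be unique")
    return problems


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.0.3' -> (4, 0, 3), so dotted versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def device_sees_app(device_os: str, min_os: str) -> bool:
    """Min. OS Version rule: devices below the minimum do not list the app."""
    return version_tuple(device_os) >= version_tuple(min_os)


if __name__ == "__main__":
    existing = {"com.example.expenses": "Expenses"}  # constructed library contents
    print(package_from_play_url(EXAMPLE_PLAY_URL))
    print(validate_recommended_app("Documents To Go", EXAMPLE_PLAY_URL, existing))
    print(validate_recommended_app("Docs To Go!", EXAMPLE_PLAY_URL,
                                   {"com.dataviz.docstogo": "DocsToGo"}))
    print(device_sees_app("4.0.3", "4.0"), device_sees_app("2.3.6", "4.0"))
```

The uniqueness check is the one worth automating: a duplicate package name is accepted by the form but silently breaks the inventory count described under Linking app store apps to inventory apps.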
7. Click Next.
8. Use the following guidelines to complete this screen:
App Name: Displays the app name you entered in the previous screen. This field is not editable here.
Description: Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the Google Play Apps list.
Featured: Select No if you do not want to highlight this app in the Featured apps list. On the device, the user can tap a button to display all recommended (i.e., Google Play) and in-house apps or a subset of featured apps.
Category: Select a category if you would like this app to be displayed in a specific group of apps in the Google Play Apps list on the device. Click the here link to define new categories.
9. Click Next.
10. Use the following guidelines to complete this page:
App Icon: Select the icon to be used to represent this app. The file must be 144 x 144 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. If you do not select an icon, then a default icon will be displayed next to this app in the Google Play Apps list. To clear the field, such as if you select the wrong file, click the - button next to the Browse button.
Android Screenshots: Click the Browse button to select and upload optional screenshot files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing. Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots. To clear the field, such as if you select the wrong file, click the - button next to the Browse button.
App Name: Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Display Version: Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Code Version: Displays the version defined for the package. This item is not editable.
Description: Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the In-house Apps list.
Override URL: If you are implementing an alternate URL for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. See Override for in-house app URLs on page 549 for the requirements for this configuration.
Featured: Select No if you do not want to highlight this app in the Featured apps list. On the device, the user can tap a button to display all recommended and in-house apps or a subset of featured apps.
Category: Select a category if you would like this app to be displayed in a specific group of apps on the device. Click the here link to define new categories.
9. Click Next.
Note: The icon for Android in-house apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and
select the files. The supported dimensions are 480x800 pixels and 480x854 pixels.
GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload
additional screenshots.
11. Click Next when you are finished uploading screenshots.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
See AppConnect apps that MobileIron provides for Android on page 625 and Third-party AppConnect apps that MobileIron provides for Android on page 626.
For the AppConnect apps that your enterprise wrapped, see AppConnect and third-party/in-house secure apps on page 582.
Before you begin: Get the Secure Apps Manager and the other AppConnect apps that
MobileIron provides from the support.mobileiron.com site. Save them to a location
accessible from your MobileIron Core.
To add a secure app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
App Name: Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Display Version: Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Note: The version number for AppConnect apps includes:
- the version number defined by the app developer
- additional numbers provided by the wrapping process
Code Version: Displays the version defined for the package. This item is not editable.
Description: Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the Secure Apps list. MobileIron recommends that you add the following descriptions for the AppConnect apps that MobileIron provides:
- Secure Apps Manager: The Secure Apps Manager works with the Mobile@Work app to secure and manage secure apps on your device.
- NitroDesk TouchDown: NitroDesk TouchDown provides secure access to your company email, contacts, calendar, and tasks.
- ThinkFree Document Viewer: ThinkFree Document Viewer provides secure access to your company documents and email attachments.
- File Manager: File Manager allows you to securely navigate and manage your company files.
- Android Email+: Android Email+ provides the native email client experience with ease of setup and other important features.
- Web@Work: Web@Work is a secure browser that allows your device users to easily and securely access your organization's web content.
- IBM Notes Traveler: IBM Notes Traveler is the client for the IBM Notes Traveler server. It provides access to email, contacts, calendar, and tasks.
- Divide PIM: Divide PIM (Personal Information Manager) for Android provides secure email, calendar, contacts, and tasks on corporate-owned and BYOD Android devices running Android 4.0 or higher.
Override URL: If you are implementing an alternate URL for downloading secure apps, enter that URL here. The URL must point to the secure app in its alternate location. See Override for in-house app URLs on page 549 for the requirements for this configuration.
Featured: This field is not applicable for AppConnect apps.
Category: This field is not applicable for AppConnect apps.
9. Click Next.
Note: The icon for Android secure apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and
select the files. The supported dimensions are 480x800 pixels and 480x854 pixels.
GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload
additional screenshots.
11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
Note: You can tell that an app is an AppConnect app by looking at its version number. The version number for an AppConnect app is a concatenation of the original app's version number and a version number from wrapping the app.
If the user deletes a published app, that app does not become available for reinstallation until the next sync interval updates MobileIron Core. You can address user concerns by using the Force Device Check-In command to force the MobileIron Client to update Core.
Enhanced Apps@Work
Enhanced Apps@Work is available on devices running Mobile@Work for Android
version 6.0 or later and Android OS versions 4.0-4.4.
The Google Play Apps and In-house Apps items in Mobile@Work are replaced by the
single Apps@Work item, to provide a consolidated and enhanced app store. Within
Apps@Work, apps are organized into the Featured and category tabs.
Apps@Work enables users to view, install, update, reinstall, and search for the apps
made available to them by the MobileIron Core administrator. If the administrator
enables ratings and reviews, the user sees reviews, and can rate apps and write
reviews.
Apps@Work displays the apps that the Core administrator makes available to the
device through labels. In the Admin Portal, the administrator assigns an app to one or
more labels. A device that is assigned to the same label as the app will have access to
that app in Apps@Work.
Featured tab
The featured screen lists all apps that are designated as featured apps by the
administrator.
In the Admin Portal, the administrator sets featured apps in Apps > App
Distribution Library > Add App dialog.
Categories tab
An app can be listed under Featured as well as under multiple categories.
Uncategorized apps are displayed under Uncategorized in the Categories tab.
Only categories that have at least one app are displayed.
In the Admin Portal, the administrator defines categories in the Apps > App
Distribution Library > Add App dialog.
Updates tab
The Updates tab displays all apps that have updates available.
Tap the Update button to install a new version of the existing app.
App details
Tap the app to view its details screen. If the administrator enabled ratings and
reviews, tap the Reviews tab to read reviews or write a review.
Localized Apps@Work
A newly-added app does not display in the in-house apps list on the device.
1. Confirm that you have applied the app to a label to which the device has been
added.
2. Confirm that the device meets the minimum OS requirement you specified when
you added the app.
3. Confirm that the device has been configured to accept apps from outside Google Play (formerly Android Market). (On the device, select Settings > Applications > Unknown sources.)
4. If the MobileIron app is running, select Refresh from the app menu.
Note: After registration, the WP8 device is in the Verified state. The device state changes to Active after the first successful MDM session, which may take from approximately ten seconds up to one minute after registration. If the device user logs into the Mobile@Work app before the device changes to the Active state, the device user will not see any recommended apps because MobileIron Core is not yet associated with the device.
The following sections provide information about developing and managing in-house
and third-party apps:
Before you develop in-house apps for WP8 devices on page 526
Adding the AET and applying a label on page 527
Adding in-house and third-party apps for distribution to WP8 devices on page 527
Upgrading to a new version of an app on WP8 devices on page 529
Editing WP8 app information on page 529
Deleting a Windows Phone 8 app from MobileIron Core on page 529
Item Description
App Name: The name of the app as defined by the developer. This field is not editable.
Version: The version of the app. This field is not editable.
Author: The author of the app as defined by the developer. This field is not editable.
Description: Enter a description for the app.
Featured: Select Yes to display the app in the Featured list on the device. Select No if you do not want to list the app in the Featured list on the device.
Category: Select the category from the drop-down list. The app appears under that category on the device. To add a new category, click the provided link.
Silent Upgrade: Specify how the app is upgraded on the WP8 device. Only the latest version of the app is listed in the Mobile@Work app. The setting is only available when adding a new version of the app.
  Select Yes to update to the new version without any user actions. This is the default setting. The app is upgraded when the device checks in with MobileIron Core.
  Select No to only allow a manual update of the app. The app is not automatically updated when the device checks in with MobileIron Core, and the user is not prompted or notified to update the app. The device user manually installs the latest version of the app from the Mobile@Work app on the device.
9. Click Next.
10. (Optional) Click Browse to navigate and select the icon and screenshots for the app.
You can upload one icon and up to 4 screenshots per app.
11. Click Finish.
The app information appears in the App Distribution page.
12. In the App Distribution page, select the app.
13. Click Actions > Apply To Label and select a label to apply.
The app is pushed to the devices to which the label is applied.
Note: Only the latest version of the app is displayed in the Mobile@Work app.
When you remove the label, the app is no longer pushed to devices associated with
that label. The app is not deleted from MobileIron Core or from the devices on which it
is already installed.
Item Description
App Name: Edit the name of the app.
Description: Edit the description for the app.
Featured App: Change whether the app is a Featured App or not. On the device, the featured apps display in a separate Featured list. The app also displays in the In-house apps list or the Recommended apps list.
Category: Edit the category under which the app appears on the device. To add a new category, click the provided link.
App Icon: Click the edit icon under the graphic to navigate to and select a new graphic. Click OK to replace the existing graphic.
Windows Phone 8 Screenshots: Click the edit icon under the screenshot to navigate to and select a new screenshot. Click OK to replace the existing screenshot.
4. Click Save.
This action deletes the app from MobileIron Core, but does not delete it from the
device.
Certificates
We strongly recommend that in-house or third-party apps for Windows 8.1 RT and Pro devices are signed with a publicly trusted certificate issued by a Certificate Authority (CA). The CA's root certificate must be supported by the Windows 8.1 OS. Signing with a publicly trusted certificate eliminates any additional steps by the device user.
We do not recommend signing apps with a self-signed certificate, as this will require the device user to perform additional steps before you can distribute the apps.
Sideloading keys
Typically, apps for Windows RT and Pro devices are signed and available only through the Windows Store. However, in-house and third-party apps can be made available through a process called sideloading. Each Windows RT and Pro device must be sideload-enabled. You sideload-enable a device with sideload activation keys that you get directly from Microsoft.
For information about sideloading product activation keys, see http://www.microsoft.com/licensing/activation/existing-customers/product-activation.aspx
For information about sideload-enabling devices, see http://technet.microsoft.com/en-us/library/hh852635.aspx
Item Description
App Name: The name of the app as defined by the developer. This field is not editable when you add the app.
Version: The version of the app. This field is not editable.
Author: The author of the app as defined by the developer. This field is not editable.
Description: Enter a description for the app.
Featured: Select Yes to display the app in the Featured list on the device. Select No if you do not want to list the app in the Featured list on the device.
Category: Select the category from the drop-down list. The app appears under that category on the device. To add a new category, click the provided link.
8. Click Next.
9. (Optional) Click Browse to navigate and select the icon and screenshots for the app.
You can upload one icon and up to 4 screenshots per app.
10. Click Finish.
The app information appears in the App Distribution page.
11. In the App Distribution page, select the app.
12. Click Actions > Apply To Label and select a label to apply.
The app is pushed to the devices in the label.
Note: Apps are pushed silently to the device. No action is required by the device
user.
Only the latest version of the app is displayed in the Mobile@Work app.
Item Description
App Name: Edit the name of the app.
Description: Edit the description for the app.
Featured App: Change whether the app is a Featured App or not. On the device, the featured apps display in a separate Featured list. The app also displays in the In-house apps list or the Recommended apps list.
Category: Edit the category under which the app appears on the device. To add a new category, click the provided link.
App Icon: Click the edit icon under the graphic to navigate to and select a new graphic. Click OK to replace the existing graphic.
Windows Phone 8 Screenshots: Click the edit icon under the screenshot to navigate to and select a new screenshot. Click OK to replace the existing screenshot.
4. Click Save.
Select the Web Application platform in the Admin Portal > Apps > App Distribution
Library, to add and deploy web applications through Apps@Work.
Item Description
Name: Enter a name, no more than 127 characters, for the web application. This name is displayed on the device.
App Logo: Click Browse to navigate and select a graphic for the web clip. If you do not select a graphic, the default graphic is used. Click Use Default to clear the selected graphic and use the default graphic. The graphic should be in PNG format and no more than 512 x 152 pixels.
Description: Enter additional information to describe the app.
Developer: Enter the name of the developer for this web application.
App URL: Enter the address or URL for the target of the web clip. The URL must include the prefix http://, https://, or mibrowser://. You can enter up to 255 characters. If you enter the prefix mibrowser://, the URL opens in Web@Work. Web@Work must be installed on the device.
Category: Select a category if you would like this app to be displayed in a specific group of apps on the device. Select a category in the Available column and click the -> arrow to move it to the Selected column. Click Add New Category to define new categories.
Featured App: Select Yes to display the app in the Featured List on the device. The app will also display in all the categories you selected.
Hide in App Storefront: Select Hide to prevent this app from displaying in the app storefront. For example, you might want to hide apps that will be installed upon registration. Hiding a mandatory app reduces clutter in the app storefront, leaving device users with a concise menu of the approved apps they might find useful. Select Show to display an app that is normally always hidden, such as the Apps@Work Container.
5. Click Save.
Action Description
Delete: Click Delete to delete the web application from MobileIron Core and remove it from Apps@Work.
Apply To Label: Click Actions > Apply to Label to select the label to apply. The web application will be available in Apps@Work for the devices associated with the label.
Remove From Label: Click Actions > Remove From Label to deselect the labels. The web application will be removed from Apps@Work for the devices associated with the label.
The number in the Devices column indicates the number of devices on which the
web application is installed.
Note: The number in the Devices column will display as 0 if the feature is disabled.
3. Click on the number to see a list of devices.
If the web application points to a mibrowser:// URL, the web page opens in
Web@Work. You must have Web@Work installed on your device to view a web page
with the mibrowser:// prefix.
Note: The details page will display the Launch button if Enable Installation of Web
Applications is disabled.
Tapping on the Request button installs the web clip to the device. The status of the
button changes to Installed after the web application is installed on the device.
The device user can tap on the web clip to access the link. You do not have to go to Apps@Work to access the link.
You can set up app control to enhance visibility into the apps being installed on
managed devices and help enforce corporate app policy. Setting up app control
involves the following tasks:
1. Configure alerts for when a device violates the app control rules in its security policy.
2. Define app control rules.
3. Select app control rules for the Access Control settings in the security policies assigned to target devices.
This order of tasks is strongly recommended to ensure that alerts are generated if devices are already in violation when they receive the corresponding policy from MobileIron. Otherwise, these devices will not generate an alert until one of the following actions occurs:
- the administrator changes the security policy
- the administrator edits the app control rule
- the device updates app inventory
- the device updates device detail
The app control rule defines which apps you want to control. Security policies specify
which devices the rules are applied to and the actions to associate with a rule
violation. The alert determines the information that is sent as the result of rule
violation, as well as the recipients of the information.
Important: To ensure that the alert is generated in a timely fashion for devices that are already in violation when the policy is created, you should create the event first. Otherwise, the alert will not be generated until after one of the following:
- change in security policy
- edit of app control rule
- device updates app inventory
- device updates device detail
Item Description
Disallowed app found: Generate an alert if a disallowed app is found on a designated device.
App found that is not in Allowed Apps list: Generate an alert if an app is found that is not on the Allowed Apps list for the designated device.
Required app not found: Generate an alert if a required app is not found on a designated device.
- Required: (iOS and Android only) This rule specifies criteria for apps that MUST be installed. WP8.1 devices ignore this option.
- Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of all other apps.
- Disallowed: This rule specifies criteria for apps that MUST NOT be installed.
5. Under Rule Entries, specify one or more criteria to match the name of the app you want to control:
- For AppID, select IS or CONTAINS (iOS and Android only) to indicate whether to use an exact match. Note that if you selected Required, then you must select IS.
- For WP8.1, select IS MS Store GUID. WP8.1 devices do not support IS or CONTAINS.
- In the App ID String, for iOS or Android, enter the app name text you want to match. Do not enter wildcards. If you know the official name for the app, enter it here. If you do not, enter text you will be able to identify with this app. After the app has been installed once, the App Inventory screen will display the official name. You can then change this field to match.
- For WP8.1, enter the GUID of the app.
- In the Device Platform list, select the platform to which you want to apply this entry.
- In the optional Comment field, you can enter a note about the purpose of the entry.
6. To add an additional entry, click the + icon.
7. Click Save when you are finished.
8. Specify the rule in the appropriate security policies to apply the rule to managed devices.
Example:
http://www.windowsphone.com/en-us/store/app/netflix/c3a509cd-61d6-df11-a844-00237de2db9e
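To make the Required, Allowed and Disallowed semantics and the three alert types concrete, here is an added example (not MobileIron's own code) that evaluates rules of the form described in this procedure against one device's app inventory and reports which alerts would fire. The rule-entry constraints are taken from this page; case-insensitive name matching, the sample rule names and the WP8.1 GUID are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# The three alert types from the app control event table.
ALERT_DISALLOWED = "Disallowed app found"
ALERT_NOT_ALLOWED = "App found that is not in Allowed Apps list"
ALERT_REQUIRED_MISSING = "Required app not found"


@dataclass
class RuleEntry:
    app_id: str        # app name text (iOS/Android) or MS Store GUID (WP8.1)
    platform: str      # "iOS", "Android" or "WP8.1"
    match: str         # "IS", "CONTAINS" or "IS MS Store GUID"
    comment: str = ""  # optional note about the purpose of the entry


@dataclass
class AppControlRule:
    name: str
    rule_type: str     # "Required", "Allowed" or "Disallowed"
    entries: List[RuleEntry] = field(default_factory=list)


def validate_rule(rule: AppControlRule) -> None:
    """Reject combinations the rule dialog described above does not allow."""
    if rule.rule_type not in ("Required", "Allowed", "Disallowed"):
        raise ValueError(f"unknown rule type {rule.rule_type!r}")
    for e in rule.entries:
        if any(ch in e.app_id for ch in "*?"):  # "Do not enter wildcards"
            raise ValueError(f"wildcards are not supported: {e.app_id!r}")
        if e.platform == "WP8.1":
            if e.match != "IS MS Store GUID":  # WP8.1 has no IS or CONTAINS
                raise ValueError("WP8.1 entries must use IS MS Store GUID")
        elif e.platform in ("iOS", "Android"):
            if e.match not in ("IS", "CONTAINS"):
                raise ValueError(f"{e.platform} entries use IS or CONTAINS")
            if rule.rule_type == "Required" and e.match != "IS":
                raise ValueError("Required rules must use IS")
        else:
            raise ValueError(f"unknown platform {e.platform!r}")


def entry_matches(entry: RuleEntry, installed_app: str, platform: str) -> bool:
    """Case-insensitive comparison is an assumption of this example."""
    if entry.platform != platform:
        return False
    have, want = installed_app.lower(), entry.app_id.lower()
    if entry.match == "CONTAINS":
        return want in have
    return have == want  # IS and IS MS Store GUID are exact matches


def evaluate(rules: Iterable[AppControlRule], platform: str,
             inventory: Iterable[str]) -> List[str]:
    """Return alerts for one device as '<alert type>: <app>' strings."""
    rules, apps = list(rules), list(inventory)
    for r in rules:
        validate_rule(r)
    alerts: List[str] = []

    # Required (iOS and Android only): each entry for this platform must
    # match an installed app. WP8.1 devices ignore Required rules.
    if platform != "WP8.1":
        for r in rules:
            if r.rule_type != "Required":
                continue
            for e in r.entries:
                if e.platform == platform and not any(
                        entry_matches(e, a, platform) for a in apps):
                    alerts.append(f"{ALERT_REQUIRED_MISSING}: {e.app_id}")

    # Disallowed: any installed app matching an entry is a violation.
    disallowed = [e for r in rules if r.rule_type == "Disallowed"
                  for e in r.entries]
    for a in apps:
        if any(entry_matches(e, a, platform) for e in disallowed):
            alerts.append(f"{ALERT_DISALLOWED}: {a}")

    # Allowed: apps that MAY be installed, exclusive of all other apps.
    # Only enforced when some Allowed entry targets this platform.
    allowed = [e for r in rules if r.rule_type == "Allowed"
               for e in r.entries if e.platform == platform]
    if allowed:
        for a in apps:
            if not any(entry_matches(e, a, platform) for e in allowed):
                alerts.append(f"{ALERT_NOT_ALLOWED}: {a}")
    return alerts


# Constructed sample rules (rule names and the GUID are made up).
SAMPLE_RULES = [
    AppControlRule("Corporate baseline", "Required", [
        RuleEntry("Mobile@Work", "Android", "IS"),
        RuleEntry("Secure Apps Manager", "Android", "IS"),
    ]),
    AppControlRule("Blocked", "Disallowed", [
        RuleEntry("torrent", "Android", "CONTAINS", "P2P clients"),
        RuleEntry("00000000-0000-0000-0000-000000000000", "WP8.1",
                  "IS MS Store GUID"),
    ]),
]
```

Running `evaluate(SAMPLE_RULES, "Android", ["Mobile@Work", "uTorrent Pro", "Web@Work"])` reports the missing required app and the disallowed match, while the same rules applied to a WP8.1 inventory skip the Required rule entirely.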
Icon Description
App control violation
Select the entry for a device in violation to see details in the device details pane.
The Device App Inventory page displays the apps that MobileIron has detected on managed devices. Only apps that were installed after the manufacturer's image was loaded are listed.
To display the app inventory, in the Admin Portal, select Apps > Device App Inventory.
Note that inventory data is updated based on the Sync Interval specified in the Sync policy. Therefore, inventory changes on the device are not reflected immediately on the App Inventory page. During testing, you can use one of the following methods to decrease the amount of time it will take to update the inventory:
- decrease the Sync Interval in the Sync policy
- use the Force Device Check-in feature in the Admin Portal (for supported platforms)
- use the Connect Now/Refresh feature in the MobileIron client (for supported platforms)
- check for updated configurations (for iOS)
Also note that setting Apps to None in the Sync policy drops the current inventory data. Setting Apps back to Sync Inventory re-enables inventory reporting for iOS (with timing governed by the Sync Interval specified in the Sync policy). For all other platforms, you must make an app distribution change or reboot the device in order to restart the inventory process.
App filters
The App filters feature allows you to control which apps are reported in the Device App Inventory page. You can configure App filters so that the device reports only managed apps or a list of apps that the administrator specifies. All other apps on the user's device are not visible in the Device App Inventory page, providing additional privacy on the device.
For example, to display iOS apps that are on company-owned devices and contain the
letter A, you would select iOS from the Platforms list, select Company-Owned from
the Labels list, and enter A in the Search by App field. Clicking the search icon in the
Search by App field applies the search.
You can use the Device App Inventory page to help manage the apps that are appearing in your enterprise. We recommend the following approach:
- determine which apps are new
- determine when an app was first reported by a managed device
- launch a web search for a selected app
- display permissions for Android apps
- move directly to the App Control screen
If a new version of an app flagged as OK appears, then the default status is New
Version.
Exception: If you have changed the status for an app to Bad, then a new version of it
will retain the Bad flag. See Deciding whether an app is OK on page 546 for
information on changing the flag.
Click the link in the Permissions column to display the list of Android permissions. If multiple versions of an app have been detected, then the displayed permissions are for the latest version of the app.
If you want to be able to track which apps you have determined to be bad, consider
adding the information in the Comment field for an app control rule.
This alternative enables you to specify an override URL, per app, to be used for in-house app distribution. MobileIron Core routes download requests to this alternate location. The following diagram illustrates a typical deployment.
This feature uses unauthenticated URLs. Therefore, a trusted and secure internal
network is an absolute requirement. This feature is intended for use behind the
firewall.
4. When you complete the Add App Wizard, assign an appropriate label to the app.
Item Description
Reputation Service URL: Enter the URL your app reputation service provided.
Authentication Type: Select Basic or Token Authentication.
Name/Password: Specify a username and password when you select Basic Authentication.
Authentication Key: Provide an authentication key when you select Token Authentication.
Rating Range Low Value: Enter the low number of the service's range.
Rating Range High Value: Enter the high number of the service's range.
Rating Scale: Click Low to indicate that apps with ratings lower than the Rating Threshold have the highest threat level (for example, if the range is 0 to 100, and the Rating Threshold is 60, apps with a rating of 60 or below have a high threat rating). Click High to indicate that apps with ratings higher than the Rating Threshold have the highest threat level (for example, if the range is 0 to 100, and the Rating Threshold is 65, apps with a rating of 65 or more have a high threat rating).
Rating Threshold: Specify the rating you select as the limit for determining whether an app has a high or low threat rating. It is used in combination with Rating Scale to determine the app threat risk.
Check Interval: Select an interval for contacting the reputation service to retrieve updated reputation data:
- Daily: Update occurs at midnight each day.
- Weekly: Update occurs at midnight between Saturday and Sunday.
- Monthly: Update occurs at midnight before the first of the month.
6. Click Save.
An initial sync begins shortly after initial configuration. Thereafter, the Check Interval setting determines when Core contacts the reputation service.
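The Rating Scale and Rating Threshold settings interact in a way that is easy to get backwards, so here is an added example (not MobileIron's own code) that derives the App Rating value (Not Rated, OK or Risky) from a service score and the settings described in this table, using the two worked thresholds from the Rating Scale row. The range and threshold sanity checks are assumptions of the example, not documented Core behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ReputationSettings:
    range_low: int    # Rating Range Low Value
    range_high: int   # Rating Range High Value
    threshold: int    # Rating Threshold
    scale: str        # Rating Scale: "Low" or "High"

    def __post_init__(self) -> None:
        # Sanity checks assumed by this example (not documented Core checks).
        if self.scale not in ("Low", "High"):
            raise ValueError("Rating Scale must be Low or High")
        if self.range_low >= self.range_high:
            raise ValueError("Rating Range Low Value must be below High Value")
        if not self.range_low <= self.threshold <= self.range_high:
            raise ValueError("Rating Threshold must lie within the range")


def app_rating(score: Optional[int], settings: ReputationSettings) -> str:
    """Return the App Rating value for one app: 'Not Rated', 'OK' or 'Risky'.

    score is None for a blank score (the app is not in the service's
    database) and 0 when Core has not processed the app yet; both display
    as Not Rated, so a genuine score of 0 can never be shown as Risky.
    """
    if score is None or score == 0:
        return "Not Rated"
    if not settings.range_low <= score <= settings.range_high:
        raise ValueError(f"score {score} is outside the configured range")
    if settings.scale == "Low":
        # Low: ratings at or below the threshold carry the highest threat
        # (range 0 to 100, threshold 60: 60 or below is Risky).
        high_threat = score <= settings.threshold
    else:
        # High: ratings at or above the threshold carry the highest threat
        # (range 0 to 100, threshold 65: 65 or more is Risky).
        high_threat = score >= settings.threshold
    return "Risky" if high_threat else "OK"
```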
AppthoritySyncJob.execute
Done with sync job
scores.length
The following table summarizes the values that can display in the App Rating field:
Rating Description
Not Rated: With a score of 0, indicates that MobileIron Core has not processed the app yet. With a blank score, indicates that the app is not currently in the designated service's database. The app might be new or the service might provide app data only for specific operating systems.
OK: Indicates that the app's score exceeds the threshold specified in the App Reputation settings.
Risky: Indicates that the app's score does not exceed the threshold specified in the App Reputation settings.
Chapter 15
Docs@Work
About Docs@Work
Configuring email attachment control
Configuring Docs@Work for content servers (Android)
Configuring Docs@Work for content servers (iOS)
Docs@Work setup tasks
Impacts of other MobileIron features (iOS)
Impacts of other MobileIron features (Android)
Supported files in the Mobile@Work for iOS app
About Docs@Work
The Docs@Work feature gives device users an intuitive way to access, store, and view
attachments (from email) and documents from content servers, such as Microsoft
SharePoint sites. It also lets administrators establish data loss prevention controls to
protect these documents from unauthorized distribution. Docs@Work uses certain
aspects of AppConnect, including passcode access and app tunneling; however, you do
not require an AppConnect license for Docs@Work.
For iOS
Docs@Work for iOS is a feature contained within the Mobile@Work app. Implementing
Docs@Work on an iOS device (as explained in this document) displays the
Docs@Work-related tabs in Mobile@Work. See Docs@Work for iOS on page 843 for
information on using Docs@Work once it is configured on an iOS device.
For Android
Docs@Work for Android is a solution involving separate AppConnect-enabled apps that work together. See The SharePoint Client App for Android on page 883 for information on using Docs@Work once it is configured on an Android device.
For detailed information, see Email attachment control support for Standalone Sentry on page 422.
Mobile@Work encrypts the document when the device user selects it to send as an attachment. Mobile@Work also appends .secure to the attachment's file name.
The following table summarizes when the recipient receives an encrypted attachment and whether the attachment is readable.
iOS 7 considerations
In iOS 7, the native email client recognizes if a device user is emailing someone in a domain that matches any of the email accounts. In this case, the email client automatically changes the from email address to match the recipient's domain.
For example, consider the case when gmail is the default account in the email client, and the device user emails a work colleague's Exchange account. The email client automatically changes the from email address to be the device user's Exchange account. Therefore, in this example, the email is from a work account to a work account. The attachment is encrypted and the recipient, a work colleague, can read it.
Limitations
Consider the case where you change attachment control handling on MobileIron Core to no longer be Open only with Docs@Work and protect with encryption. When Standalone Sentry sends subsequent emails to devices, it no longer encrypts the emails. However, the devices continue to encrypt Docs@Work attachments in emails that the user sends. If the recipient is a work colleague, the recipient can still read the attachment in Mobile@Work. However, non-work recipients cannot read the attachment. The reason is that the Standalone Sentry no longer decrypts the attachment in the sent email.
Docs@Work supports PDF annotation for the document types supported by the native iOS PDF viewer, including CSV files and Microsoft Office files such as TXT, DOC, DOCX, RTF, XLS, XLSX, PPT, and PPTX. When you initiate annotation on a non-PDF file, the file is exported to PDF and saved to the Local Files folder, where you can annotate it.
Annotations created in Docs@Work can be viewed in other PDF viewers such as Adobe Acrobat Reader, and Preview in OS X. PDF annotations created in other apps can be viewed in Docs@Work.
For details on how to initiate annotation on files from different sources, see Annotating documents in Docs@Work for iOS on page 866.
For details on how to tap and hold to use the annotation feature within Docs@Work, see Annotating PDFs in Docs@Work on page 871.
See Mobile@Work for iOS Release Upgrade Guide, Version 5.8 for further details.
To use SSO:
- The content server must support authentication using Kerberos Constrained Delegation (KCD).
- Docs@Work must use the AppTunnel feature, configured so that the Standalone Sentry uses KCD to authenticate the user to the content server.
- The content server must be a Microsoft SharePoint server, an IIS-based WebDAV content repository, or an Apache-based content repository. MobileIron does not support KCD with CIFS-based content repositories.
To determine whether a specific content repository will function with Docs@Work, contact the vendor for information on the basis for the WebDAV or CIFS implementation.
Note: Android Secure Apps 5.7 and later versions of the SharePoint Client app support IIS-based WebDAV content repositories, Microsoft SharePoint 2013, and CIFS-based content repositories. The SharePoint Client app supports Apache-based WebDAV content repositories starting with Android Secure Apps 5.9.
Supported devices
iOS devices
To support Docs@Work, including full email attachment control, an iOS device must have:
- iOS 5, iOS 6, or iOS 7
- the Mobile@Work for iOS app
Note: Email attachment control works only with the iOS native email client and supported AppConnect-enabled email apps. For the list of apps, see Supported devices and email apps on page 422.
Note: Email attachment control can deliver attachments only to supported AppConnect-enabled apps. For the list of apps, see Supported devices and email apps on page 422.
Docs@Work requirements
The Docs@Work feature requires the following versions of MobileIron products:
- VSP 5.0 or later (5.7 or later for CIFS-based content servers)
- Standalone Sentry 4.0 or later to support email attachment control (4.7 or later for CIFS-based content servers)
File viewers
On iOS devices, when Mobile@Work displays files, it uses the native file viewer to
display the contents of different file types. See Supported files in the Mobile@Work
for iOS app on page 580.
On Android devices, the ThinkFree Viewer displays the contents of different file
types. See Document types supported by ThinkFree Document Viewer on
page 631.
SharePoint Prerequisites
To access a SharePoint site from Mobile@Work for iOS or from the SharePoint Client
app on Android devices, a device user must have the correct SharePoint permission
level. The permission level must include the following SharePoint site permission:
Browse Directories - Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.
The contribute permission level includes this site permission by default. Therefore, device users with this permission level or higher can access the SharePoint site. The read permission level does not include this site permission by default. However, you can change the read permission level to include this site permission. Another option is that you can create another read permission level that includes this site permission.
For more information about SharePoint permission levels, see SharePoint documentation.
Enable Docs@Work
Enable Docs@Work if:
you are supporting viewing documents from content servers.
you are using email attachment control, even if you are not supporting viewing
documents from content servers.
Caution: For iOS devices, if you disable Docs@Work after it has been enabled, the
Mobile@Work app on each registered iOS device does the following:
Removes all content server configurations, whether the device user added them
manually or you configured them with Docs@Work app settings on MobileIron Core
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
Note: For a description of all the AppConnect apps that MobileIron provides, see:
AppConnect apps that MobileIron provides for Android on page 625
Third-party AppConnect apps that MobileIron provides for Android on page 626
Note: Some of the apps might be duplicates of apps you have already uploaded to
support another MobileIron product. If the app upload fails with a message stating
that the app is already uploaded, skip to the next app.
For general information about app settings, see Managing Device Settings with Configurations on page 229.
To create a Docs@Work configuration:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select Add New > Docs@Work.
3. Use the following guidelines to create or edit a Docs@Work configuration:
Item Description
Name: Enter brief text that identifies this Docs@Work configuration.
Description: Enter additional text that clarifies the purpose of this Docs@Work configuration.
URL: Enter the URL of a content server site, subsite, library, or folder. The URL may include the port number.
The format of the SharePoint URL is described in Specify the URL of the Docs@Work configuration (SharePoint) on page 570.
For CIFS-based content servers, specify http or https instead of smb for the server URL; this is necessary because Docs@Work currently tunnels only http/https. Also specify the port number. Example: https://cifs1.mycompany.com:445/docs.
Variables are supported, including the following:
$USERID$
$EMAIL$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
User Name: Specify the user name that the device user uses to access the content server.
Enter one of the following variables: $EMAIL$, $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.
You can also enter a combination of one or more variables and text, such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$.
When the device user attempts to access the content server, the app on the device that handles content server access fills a user name field with the user's information based on the variables you specify in this field. On iOS devices, the app is Mobile@Work for iOS. On Android devices, the app is the SharePoint Client app.
Enter $NULL$ if you want the app on the device that handles SharePoint access to leave the user name field empty, requiring the device user to manually enter the user name.
Password: Specify the password that the device user uses to access the content server.
Enter one of the following variables: $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.
You can also enter a combination of one or more variables and text.
When the device user attempts to access the content server, the app on the device that handles content server access fills a password field with the user's information based on the variables you specify in this field. However, the text is hidden with asterisks.
Enter $NULL$ if you want the app on the device that handles content server access to leave the password field empty, requiring the device user to manually enter the password.
On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices, the app is the SharePoint Client app.
Note: If you include $PASSWORD$, enable Save User Password. See Set up your preference for saving passwords on MobileIron Core on page 576.
Priority Folders: Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: Select to automatically download the latest version of files in a specified folder. See Implementing priority folders on page 569 for more information on priority folders.
Update Interval: Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: Specify the period of time that Docs@Work should wait before checking for changes in the priority folder.
Enter a number greater than zero in the text box. Select Minutes, Hours, or Days from the dropdown list.
Update Method: Mobile@Work for iOS 5.10 or later, VSP 5.9.1 or later: If you want to restrict downloading of folder updates to Wi-Fi, then select Wi-Fi only. If you want to permit downloading of folder updates by means of Wi-Fi or cellular network, then select Wi-Fi or Cellular.
Restricting downloads to Wi-Fi can help ensure optimized billing, but will delay downloads until the update interval coincides with Wi-Fi access.
Allow Users to Save Password: Select this field to give the device user the option to save content server passwords on the device. If the user chooses to save a content server password, the app on the device that handles content server access does not present a login screen to the user when the user next accesses the content server.
On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices, the app is the SharePoint Client app.
If this option and the Save User Passwords option (Settings > Preferences) are enabled, then the Remember Password option is automatically selected in the Remote Shares screen on the device.
4. Click Save.
5. Select the new Docs@Work configuration.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this configuration.
New and changed files are automatically downloaded to the device after the specified interval. If Docs@Work is unable to access the content repository when the interval has elapsed, the download will start as soon as access is restored.
The device user can tap on an unsynchronized file while the priority folder is downloading to move that file to the top of the priority list for download.
Any changes made to the file on the device will not be updated to the target folder.
The first time a device user launches Docs@Work after receiving the priority folder configuration, the folder displays as Never Updated until the downloading of files has completed.
If the Docs@Work configuration does not specify the credentials necessary for
accessing the content repository, then the device user must enter valid credentials
to continue the download.
Documents that are pending download or in the process of downloading have a blue
icon.
Documents that have been downloaded or updated display with a green icon to
indicate that they have been synchronized with the content repository.
When a cellular or Wi-Fi connection is not available, the documents display with a
gray icon, indicating offline access.
The URL includes a hierarchical list of names that drills down to the site, subsite, library, or document you want the device user to access. This URL is not the same as the URL that you see in a web browser open to the same site, subsite, library, or document.
Note:
Do not copy the URL you see in a browser's URL address bar into this field. The URL in this field is not the same as the browser's URL. For example, for the root site on Microsoft SharePoint 2010, the browser's URL field appears as:
https://companySharePointSite.com/SitePages/Home.aspx
In this field, you specify:
https://companySharePointSite.com
A valid URL does not contain spaces or certain special characters. For example, a space is entered in a valid URL as %20. That is, instead of entering:
https://companySharePointSite/Shared Documents
Enter:
https://companySharePointSite/Shared%20Documents
Such substitutions are known as URL encoding.
The URL can include these variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, and $USER_CUSTOM4$.
Combinations of text and variables are supported, as shown in the following example:
https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$
When using these variables, make sure the URL still specifies a SharePoint site, subsite, library, or folder.
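The variable substitution and URL rules described for the URL, User Name, and Password fields, as an added example that is not MobileIron's code. The user attribute values, the helper names, and the .aspx check for browser page URLs are this example's own assumptions; the variable names and the http/https, port, and %20 rules are the ones the configuration table states.

```python
"""Added example (not MobileIron's code): expand the $VARIABLE$ tokens of a
Docs@Work configuration and check the resulting content server URL against
the rules above (http/https only, explicit port for CIFS, no spaces, not a
browser page URL). The user attributes below are constructed sample data."""
import re
from urllib.parse import quote, urlsplit

# Constructed sample of the attributes MobileIron Core would substitute for
# one device user; the variable names are the ones the configuration table lists.
SAMPLE_USER = {
    "USERID": "jsmith",
    "EMAIL": "jsmith@mycompany.com",
    "PASSWORD": "s3cret-sample",
    "USER_CUSTOM1": "engineering",
    "USER_CUSTOM2": "",
    "USER_CUSTOM3": "",
    "USER_CUSTOM4": "",
}

CUSTOM_VARS = {"USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4"}
URL_VARS = {"USERID", "EMAIL"} | CUSTOM_VARS       # allowed in the URL field
USERNAME_VARS = URL_VARS                           # User Name field (plus $NULL$)
PASSWORD_VARS = {"PASSWORD"} | CUSTOM_VARS         # Password field (plus $NULL$)

VAR_RE = re.compile(r"\$([A-Z0-9_]+)\$")


def expand(template, user, allowed):
    """Replace each $VAR$ with the user's attribute.

    A template that is exactly $NULL$ returns None: the guide says this
    leaves the field empty so the device user types the value. A variable
    that the field does not allow raises instead of being sent as a literal.
    """
    if template.strip() == "$NULL$":
        return None

    def replace(match):
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"${name}$ is not a valid variable for this field")
        return user[name]

    return VAR_RE.sub(replace, template)


def username_field(template, user):
    return expand(template, user, USERNAME_VARS)


def password_field(template, user):
    return expand(template, user, PASSWORD_VARS)


def build_content_url(template, user, cifs=False):
    """Expand variables in the URL field and apply the URL rules.

    Returns the URL-encoded URL, or raises ValueError naming the rule that
    was broken. Set cifs=True for CIFS-based content servers.
    """
    expanded = expand(template, user, URL_VARS)
    if expanded is None:
        raise ValueError("the URL field cannot be $NULL$")
    parts = urlsplit(expanded)
    if parts.scheme not in ("http", "https"):
        # smb:// is rejected: Docs@Work currently tunnels only http/https.
        raise ValueError(f"scheme {parts.scheme!r} not supported; use http or https")
    if cifs and parts.port is None:
        raise ValueError("CIFS-based servers need an explicit port, for example :445")
    if parts.path.lower().endswith(".aspx"):
        # Hypothetical check: a page such as /SitePages/Home.aspx is a browser
        # URL, not a site, subsite, library, or folder.
        raise ValueError("looks like a browser page URL; specify the site, subsite, library, or folder")
    # URL encoding: a space becomes %20. Existing %xx escapes and the
    # path separators are kept as they are.
    path = quote(parts.path, safe="/%")
    url = f"{parts.scheme}://{parts.netloc}{path}"
    if parts.query:
        url += "?" + parts.query
    return url


def url_problem(template, user, cifs=False):
    """Return the rule violation as text, or None when the URL is acceptable."""
    try:
        build_content_url(template, user, cifs)
    except ValueError as exc:
        return str(exc)
    return None
```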
Note: For Android devices, you address these requirements as part of the AppConnect
configuration. The AppConnect instructions explain how to configure the AppConnect
app configuration and container settings.
For general information about policies, see Managing Policies on page 173.
To configure a Docs@Work policy:
1. If you intend to use AppTunnel with Docs@Work for iOS, set up AppTunnel.
Note: App tunneling is required for CIFS-based content servers.
See Adding AppTunnel or Advanced AppTunnel support on page 588. Note that
steps that apply to separate AppConnect apps do not apply to Docs@Work for iOS.
For example, you do not create an AppConnect container policy for Docs@Work for
iOS.
2. In the Admin Portal, select Policies & Configs > Policies.
3. Edit the default Docs@Work policy, or select Add New > Docs@Work to create a
new one.
5. Click Save.
6. Select the new Docs@Work policy.
7. Select More Actions > Apply To Label.
8. Select the labels to which you want to apply this policy.
Caution: If you plan to use the $PASSWORD$ field in any configurations, be sure to set Save User Password to Yes before any device users register. Device users who registered before you set Save User Password to Yes will have to log in to the MyPhone@Work web portal. Logging in to the MyPhone@Work web portal provides the user's password to MobileIron Core.
When the device is no longer quarantined, Mobile@Work makes the Local Files and File Shares tabs available again. Docs@Work configurations are restored, and the user can once again access the content servers that you configured. However, if the user had saved the content server password, Mobile@Work no longer has it. The user will have to re-enter it.
You can also create a quarantine action that retires AppConnect apps on iOS devices. Retiring an AppConnect app makes it unauthorized and deletes (wipes) all its secure data. This compliance action also blocks and wipes the data of the Docs@Work features in Mobile@Work.
When the device is no longer blocked, Mobile@Work makes the Local Files and File
Shares tabs available again.
Mobile@Work notifies MobileIron Core that the device is jailbroken. Core takes further
actions depending on the security policy that you configured.
When the device is no longer jailbroken, Mobile@Work makes the Local Files and File
Shares tabs available again.
If a user tries to open a file that Mobile@Work does not support, Mobile@Work displays an error message.
Some files that the device user cannot view in Mobile@Work are:
executable files (for example, .exe, .msi, or .ipa files)
archive files (for example, .zip, .rar, or .tar files)
system files (for example, .dll or .sys files)
Note: For information about default file types that Standalone Sentry does not apply
email attachment control to, see Default file name exclusion list on page 430.
Chapter 16
AppConnect
About AppConnect
How to configure AppConnect
AppConnect configuration tasks
Managing AppTunnel
Using AppConnect for Android
Using AppConnect for iOS
About AppConnect
AppConnect is a MobileIron feature that containerizes apps to protect data on the
device. Each AppConnect-enabled app becomes a secure container whose data is
encrypted, protected from unauthorized access, and removable. Because each user
has multiple business apps, each app container is also connected to other secure app
containers. This connection allows the AppConnect-enabled apps to share data, like
documents. MobileIron Core uses policies to manage the AppConnect-enabled apps.
You configure the set of AppConnect-enabled apps by using the Admin Portal. You also
configure which AppConnect-enabled apps are available to which devices. Once
installed and configured on the device, AppConnect-enabled apps are called secure
apps. Secure apps can share data only with other secure apps. Unsecured apps cannot access the data.
With a single sign-on, the device user can access all the secure apps. On the Admin
Portal, you configure the rules for the single sign-on passcode. This passcode is called
the AppConnect passcode or the secure apps passcode. The AppConnect passcode is
not the same as the passcode used to unlock the device.
Configuring these apps as part of your AppConnect offering requires the purchase of a
separate AppConnect license.
Note: You cannot wrap an app that you get from Google Play or the Apple App Store.
See the following for details about how to wrap an app or how to develop an app using
the AppConnect for iOS SDK:
Standard AppTunnel
Standard AppTunnel tunnels HTTP/S connections between an iOS or Android AppConnect-enabled app and a corporate data source. Contact the application vendor or developer to find out if the app works with standard AppTunnel.
Advanced AppTunnel
Advanced AppTunnel tunnels TCP connections between an app and a corporate data
source.
On iOS devices, one use case of Advanced AppTunnel is to support TCP tunneling for iOS managed apps. Since AppConnect apps are iOS managed apps, Advanced AppTunnel also supports TCP tunneling for iOS AppConnect apps. The MobileIron Tunnel app must be installed on the iOS device.
Note: MobileIron does not support KCD with CIFS-based content servers.
Each AppConnect app's documentation should specify the necessary configuration for the app.
Some AppConnect for Android features require one of the more recent Android versions. These exceptions are noted in specific feature descriptions.
Note: AppConnect and AppConnect with AppTunnel are not supported with Samsung
KNOX. AppConnect apps can run outside of the KNOX container.
Component compatibility
To run Android secure apps, the device must be running the following:
Version 5.7 or later of the Mobile@Work for Android app
Version 5.7 or later of the Secure Apps Manager
The following table summarizes which Secure Apps Manager versions are compatible
with specific Mobile@Work versions:
                            Mobile@Work 5.7.x   Mobile@Work 5.9.x   Mobile@Work 6.0
Secure Apps Manager 5.7.x   Supported           Not supported       Not supported
Secure Apps Manager 5.9.x   Not supported       Supported           Supported
Secure Apps Manager 6.0     Not supported       Supported           Supported
The following table summarizes which Secure Apps Manager versions are compatible
with apps wrapped with specific wrapper versions:
The Mobile@Work for Android app is the next version of the MyPhone@Work app. This app provides all the features that MyPhone@Work provided, plus support of AppConnect apps.
The Secure Apps Manager works with the Mobile@Work for Android app to support
AppConnect apps. For example, the Secure Apps Manager provides a list of all
AppConnect apps on the device. The device user can launch an AppConnect app from
this list, from the device app list, or from a shortcut on the home screen. On the
device, the apps are called secure apps.
Note:
AppConnect for iOS works on devices running iOS 7 and iOS 7.1 only if:
The app is built with AppConnect for iOS SDK version 1.6 or later or the app is
wrapped with the AppConnect for iOS Wrapper version 1.8 or later.
Mobile@Work 5.7.4 through 5.10 for iOS is running on the device.
AppConnect for iOS apps wrapped with AppConnect for iOS Wrapper Library 2.1 are
not supported on iOS 5.x devices.
app determines which files are secure. The app encrypts the data in those files, but
file names and paths are not encrypted.
This data encryption is supported when Mobile@Work for iOS is registered with VSP
5.5 through 6.0.
The encryption key is not stored on the device. It is programmatically derived, in part from the device user's AppConnect passcode. Encrypted files cannot be decrypted without the AppConnect passcode or the user's full MobileIron login credentials.
Basic configuration
Complete the following steps to implement a basic AppConnect configuration:
1. Add the MobileIron secure apps you intend to deploy.
These are AppConnect apps provided by MobileIron.
See Adding secure apps for deployment on page 590.
2. Configure the AppConnect Global policy.
See Configuring the AppConnect global policy on page 590.
3. Configure the AppConnect Container policy.
See Configuring AppConnect container policies on page 603.
4. Enable any MobileIron secure apps you intend to deploy.
See Enabling MobileIron secure apps on page 607.
For details on using the App Wizard to add AppConnect apps to the app distribution
library, see:
Working with apps for iOS devices on page 481
Working with apps for Android devices on page 513
Note: If you are using AppConnect on iOS devices but not on Android devices, do not
apply the same AppConnect global policy to both Android and iOS devices. For Android
devices that do not use AppConnect apps, make sure the AppConnect field of the
AppConnect global policy is disabled.
If the device user fails to correctly enter the AppConnect passcode after a certain
number of attempts, the user cannot access AppConnect-enabled apps. Specifically:
On iOS devices, the device user must enter his user credentials and then create a
new AppConnect passcode.
On Android devices, send an unlock command to the device from the Admin Portal. The unlock command removes both the device passcode and the secure apps passcode. The user can then create both passcodes again.
Detailed behavior on a device registered with Core 7.0 depends on the version of
Mobile@Work as given in the following table:
Configuration steps
To configure an AppConnect global policy:
1. In the Admin Portal, select Policies & Configs > Policies.
2. Edit the default AppConnect global policy, or select Add New > AppConnect to create a new one.
Regarding Android: The app checkin interval does not apply to Android. However, the AppConnect-related policies and settings are updated on the device when the device checks in. Device checkin occurs:
according to the sync interval specified on the device's sync policy.
when you force a device checkin from the Users & Devices screen.
when the device user uses the Connect Now feature in Mobile@Work on the device.
Unauthorized Message: Enter the default message that Mobile@Work displays if the app is not authorized on the device. If you do not enter a default message, the system provides one. Default: None
Data Loss Prevention Policies
3. Click Save.
4. If you created a new policy, apply the appropriate labels to the AppConnect global
policy.
If you are using the default AppConnect global policy, it automatically applies to all
devices.
The following table summarizes this interaction of the lockdown policy and the
AppConnect global policy:
Note: For each AppConnect app, make sure only one AppConnect container policy
applies to each device.
If you later remove the AppConnect container policy, or remove the device's label from the policy:
an iOS AppConnect app becomes retired. A retired app becomes unauthorized on
the device and the app deletes (wipes) all its sensitive data.
Note: For information on other cases when an iOS AppConnect app becomes
retired, see Situations that wipe AppConnect for iOS app data on page 643.
an Android AppConnect app becomes unauthorized. If the app is unauthorized,
when the device user tries to run it, the Secure Apps Manager displays a message
that the app is unauthorized.
Note: For information on when an Android AppConnect app becomes retired, see
Situations that wipe Android AppConnect app data on page 638.
Note: In the Admin Portal, on Policies & Configs > Configurations, the name of the
app, not the name of the AppConnect container policy, displays in the name column.
You can override these values by editing the app's AppConnect container policy. MobileIron Core keeps in sync the labels that you apply to the app and the labels that you apply to the AppConnect container policy that Core automatically created.
Configuration tasks
To configure an AppConnect container policy:
1. In the Admin Portal, select Policy & Configs > Configurations.
2. Select the existing container policy for the app, or select Add New > AppConnect >
Container Policy to create a new one.
Item Description
Name: Enter brief text that identifies this AppConnect container policy.
Note: If MobileIron Core automatically created this policy:
You cannot edit the name.
The name is not the same as the name that appears in the name column in Policy & Configs > Configurations.
Description: Enter additional text that clarifies the purpose of this AppConnect container policy.
Application: Android, starting with Mobile@Work 5.6:
Select an Android AppConnect app from the MobileIron Core app distribution library.
iOS:
Select an iOS AppConnect app from the MobileIron Core app distribution library or enter the bundle ID of an iOS AppConnect app. A bundle ID that you enter is case sensitive.
Note: The dropdown selection includes an iOS AppConnect app only if both of the following statements are true:
The app was added to the Core app distribution library as an in-house app.
The app specifies default feature policies (copy/paste, document interaction, print).
Exempt from AppConnect passcode policy: iOS only:
Select this option if you want to allow the device user to use the app without entering the AppConnect passcode.
Data Loss Prevention Policies
Print: iOS only:
Select Allow if you want AppConnect apps to be allowed to use print capabilities.
Copy/Paste To: iOS only:
Select Allow if you want the device user to be able to copy content from the AppConnect app to other apps.
When you select this option, then select either:
All Apps
Select All Apps if you want the device user to be able to copy content from the AppConnect app and paste it into any other app.
AppConnect Apps
This feature is under construction. Do not select.
Open In: iOS only:
Select Allow if you want AppConnect apps to be allowed to use the Open In (document interaction) feature.
When you select this option, then select either:
All Apps
Select All Apps if you want the app to be able to send documents to any other app.
AppConnect Apps
Starting with Mobile@Work for iOS version 5.7:
Select AppConnect Apps to allow an AppConnect app to send documents to only other AppConnect apps.
Whitelist
Select Whitelist if you want the app to be able to send documents only to the apps that you specify.
Enter the bundle ID of each app, one per line, or in a semicolon-delimited list. For example:
com.myAppCo.myApp1
com.myAppCo.myApp2;com.myAppCo.myApp3
The bundle IDs that you enter are case sensitive.
3. Click Save.
4. Select the new app policy.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this AppConnect container policy.
7. Click Apply.
Be sure to apply one of the labels that you selected to the device. To check the
devices labels:
1. Go to Users and Devices > Devices.
2. Expand the device details panel by clicking the up arrow for the desired device.
3. In the Device Details panel, select Label Membership.
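How the Open In setting of a container policy decides a document hand-off, as an added example that is not MobileIron's code. The policy dictionary shape, the bundle IDs, and the case-mismatch check are this example's own assumptions; the three modes, the whitelist syntax, and case-sensitive matching are as the table describes.

```python
"""Added example (not MobileIron's code): evaluate the Open In setting of an
AppConnect container policy for a document hand-off on iOS, including the
Whitelist syntax (one bundle ID per line or semicolon-delimited) and its
case-sensitive matching. Bundle IDs and the app set are constructed sample data."""


def parse_whitelist(text):
    """Split the Whitelist field into bundle IDs.

    Accepts one entry per line, a semicolon-delimited list, or a mix, e.g.
        com.myAppCo.myApp1
        com.myAppCo.myApp2;com.myAppCo.myApp3
    Surrounding whitespace is dropped; letter case is preserved.
    """
    ids = []
    for line in text.splitlines():
        for entry in line.split(";"):
            entry = entry.strip()
            if entry:
                ids.append(entry)
    return ids


def open_in_allowed(policy, target_bundle_id, appconnect_apps):
    """Decide whether the app may send a document to target_bundle_id.

    policy mirrors the container policy fields (assumed dictionary shape):
        {"open_in": "Allow" or "Disallow",
         "mode": "All Apps" | "AppConnect Apps" | "Whitelist",
         "whitelist": text of the Whitelist field}
    appconnect_apps is the set of bundle IDs of AppConnect apps on the device.
    """
    if policy.get("open_in") != "Allow":
        return False
    mode = policy.get("mode")
    if mode == "All Apps":
        return True
    if mode == "AppConnect Apps":
        return target_bundle_id in appconnect_apps
    if mode == "Whitelist":
        # Exact comparison: com.myappco.myapp1 does not match com.myAppCo.myApp1.
        return target_bundle_id in parse_whitelist(policy.get("whitelist", ""))
    raise ValueError(f"unknown Open In mode {mode!r}")


def case_mismatches(whitelist_text, known_bundle_ids):
    """Flag whitelist entries that match a known bundle ID only when case is ignored.

    Because matching is case sensitive, such an entry silently allows nothing.
    Returns (entered, known) pairs so the entries can be corrected before the
    policy is applied to a label.
    """
    by_lower = {b.lower(): b for b in known_bundle_ids}
    mismatches = []
    for entry in parse_whitelist(whitelist_text):
        known = by_lower.get(entry.lower())
        if known is not None and known != entry:
            mismatches.append((entry, known))
    return mismatches
```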
Also see Enabling MobileIron Core licensing options for Android secure apps on
page 630.
4. Click Save.
Also see Enabling MobileIron Core licensing options for Android secure apps on
page 630.
Item Description
Host / IP: Enter the external host name or IP address of the server on which the Standalone Sentry is installed.
The host name or IP address must be external because AppConnect apps on devices that are tunneling data must be able to access the Sentry.
MobileIron Core also needs to connect to this same host name or IP address. If the host name or IP address is not accessible by Core and devices, use the name or IP address that the devices use. Then, using the System Manager, add a static host entry to Core.
Port: Enter the port that the Standalone Sentry is listening on. The default is 9090.
Enable ActiveSync: Clear the check box to disable ActiveSync support on the Sentry.
Enable App Tunneling: Click the check box to enable AppTunnel support on the Sentry.
Upload Certificate: If you chose Group Certificate, upload the certificate (generally a .cer file) you trust.
If you chose Identity Certificate, upload the Root certificate (this may be a root certificate chain) from the CA you trust. The CA may be a Root Authority or an Intermediate Authority.
Check certificate revocation list (CRL): Select Check Certificate Revocation List (CRL) if you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA.
Note that only HTTP and HTTPS based CRLs are supported. Some CAs create LDAP-based CRLs by default that will not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
Subject Alternative Name Type: Use the Subject Alternate Name Type list to select the field in the client certificate that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating the client certificate. This type is often the NT Principal Name.
Value: Use the Value list to select the value used in the Subject Alternate Name field.
Usually, the User UPN (user principal name) is used to identify the user.
AppTunnel Configuration
Add Context Headers: Select the check box to forward additional device context information to your corporate backend resource.
This allows your corporate backend resources to further validate the device.
This feature is available only with Standalone Sentry Version 4.9 through 5.0.
Note: Context headers are not supported for Advanced AppTunnel (TCP tunneling).
Advanced Traffic Control: Select the checkbox to enable advanced traffic control.
The Server-side Proxy section is replaced with the Advanced Traffic Control (ATC) section.
Port: Enter the port number for the proxy server.
+: Click to add a proxy server.
Server-side Proxy
If Advanced Traffic Control (ATC) is enabled, the Server-side Proxy section is no longer available. If you had configured a proxy server, and you enable advanced traffic control, the proxy server will be listed in the Server-side Proxy List as global. The Default Action is selected as Proxy and the default Proxy server is selected as global.
To configure Server-side Proxy, enter the HTTP proxy server information. Configuring an HTTP proxy server provides access to corporate resources without having to open the ports that Standalone Sentry would otherwise require.
This feature is available only with Standalone Sentry Version 4.9 through 6.0.
Proxy Host Name / IP: Enter the FQDN of the proxy server. Do not include a URI scheme, such as http:// or https://, in this field.
Proxy Port: Enter the port number for the proxy server.
To add a new AppTunnel service, click +.
Service Name: The Service Name is used in the AppConnect app configuration. The app configuration uses the service name to restrict the app to accessing servers in the Server List field. It is similarly used in the Web@Work setting and Docs@Work policy, for setting up tunneling for Web@Work for Android or iOS, and for the Docs@Work feature of Mobile@Work for iOS, respectively.
Enter one of the following:
A unique name for the service that the AppConnect app on the device accesses. One or more of your internal app servers provide the service. You list the servers in the Server List field.
For example, some possible service names are:
SharePoint
Human Resources
A service name cannot contain these characters: 'space' \ ; * ? < > " |.
Special prefixes:
For app tunnels that point to CIFS-based content servers, the service name must begin with CIFS_.
For Advanced AppTunnel (TCP tunneling), the name must begin with TCP (case-insensitive).
Example: TCP_Finance
<ANY>
Select <ANY> to allow tunneling to any URL that the app requests. Typically, you select <ANY> if an AppConnect app's app configuration specifies a URL with wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels the data for any URL request that the app makes that matches the URL with wildcards.
The Sentry tunnels the data to the app server that has the URL that the app specified. The Server List field is therefore not applicable when the Service Name is <ANY>.
For example, consider when the app requests URL myAppServer.mycompany.com, which matches *.mycompany.com in the app configuration. The Sentry tunnels the data to myAppServer.myCompany.com.
Web@Work typically uses the <ANY> service, so that it can browse to any of your internal servers.
Note: Do not select this option for tunneling to CIFS-based content servers. Select <CIFS_ANY> instead.
<TCP_ANY>
Select <TCP_ANY> to allow Advanced AppTunnel (TCP tunneling) to any backend server that the app requests.
<CIFS_ANY>
Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based content server contains wildcards for tunneling, such as *.myCompany.com.
Note: The order of the Service Name entries does not matter.
Server Auth: Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the app server:
Pass Through
The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the app server.
Note: For TCP tunneling, select Pass Through, which is the only option available when the service name begins with TCP. The Sentry passes through all TCP packets to the app server.
Kerberos
The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when the AppConnect app accesses the app server.
The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
MobileIron does not support Kerberos for CIFS-based content servers.
Server List: Enter the app server's host name or IP address (usually an internal host name or IP address). Include the port number on the app server that the Sentry can access.
For example:
sharepoint1.companyname.com:443
You can enter multiple servers. The Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first app server, the next with the next app server, and so on. Separate each server name with a semicolon.
For example:
sharepoint1.companyname.com:443;sharepoint2.companyname.com:443
Note: The Server List field is not applicable when the service name is <ANY>, <TCP_ANY>, or <CIFS_ANY>.
TLS Enabled
    Select TLS Enabled if the app servers listed in the Server List field require
    SSL.
    This option is not applicable when the service name is <ANY>, <TCP_ANY>, or
    <CIFS_ANY>.
    Note: Although port 443 is typically used for https and requires SSL, the app
    server can use other port numbers requiring SSL.
Proxy/ATC
    Select if you want to direct the AppTunnel service traffic through the proxy
    server. You must also have configured Server-side Proxy or Advanced Traffic
    Control (ATC).
Server SPN List
    Enter the Service Principal Name (SPN) for each server, separated by
    semicolons. For example:
    sharepoint1.company.com;sharepoint2.company.com
    The Server SPN List applies only when the Service Name is not <ANY> and the
    Server Auth is Kerberos.
    If each server in the Server List has the same name as its SPN, you can leave
    the Server SPN List empty. However, if you include a Server SPN List, the
    number of SPNs listed must equal the number of servers listed in the Server
    List. The first server in the Server List corresponds to the first SPN in the
    Server SPN List, the second server in the Server List corresponds to the
    second SPN in the Server SPN List, and so on.
    Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the
    Standalone Sentry assumes that the SPN is the same as the server name
    received from the device.
Kerberos Authentication Configuration
If you select Kerberos for the Server Auth field for an AppTunnel service, this
section appears. For Kerberos authentication information for both ActiveSync and
AppTunnel, see Authentication using an identity certificate and Kerberos
constrained delegation on page 412.
Use keytab file
    Select this field to upload a Kerberos-generated keytab file. Click Upload
    File to upload the keytab file. Uploading the keytab file populates the Realm
    and Sentry Service Principal fields.
Realm
    If you do not upload a keytab file, enter the Kerberos administrative domain.
    The realm is usually the company domain name, in all uppercase characters.
Sentry Service Principal
    If you do not upload a keytab file, enter the service principal for the
    Sentry service account, preceded by HTTP/. For example, if the user name of
    the service account is sentry1_kcd, the service principal would be
    HTTP/sentry1_kcd.
Password
    If you do not upload a keytab file, enter the password for the Sentry service
    account.
Key distribution center
    Optionally enter the key distribution center, which is the network service
    that supplies session tickets and temporary session keys. This field is
    generally the Active Directory domain controller hostname.
    If you do not enter a key distribution center, the system auto-detects it.
4. Click Save.
5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for
   the Sentry configured for app tunneling, click the View Certificate link.
   This makes the Sentry's certificate known to MobileIron Core.
Note: For each AppConnect app, make sure only one AppConnect app configuration
applies to each device.
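The field rules in the AppTunnel service table above lend themselves to a pre-check before a service is saved. The following Python is an added example, not MobileIron code and not an API of MobileIron Core or Standalone Sentry: it models one service row as a dataclass (the field names are this example's assumptions) and applies the rules stated above: the forbidden service-name characters, the CIFS_ and TCP prefixes, the <ANY>/<TCP_ANY>/<CIFS_ANY> selections for which Server List and TLS Enabled do not apply, Pass Through as the only Server Auth for TCP tunnels, the Identity Certificate prerequisite for Kerberos, no Kerberos for CIFS servers, and the positional pairing between Server List and Server SPN List.

```python
from dataclasses import dataclass, field
import re

# Characters the guide forbids in a service name: space \ ; * ? < > " |
FORBIDDEN_NAME_CHARS = set(' \\;*?<>"|')
# Special selections that tunnel to whatever URL/server the app requests
SPECIAL_SERVICES = {"<ANY>", "<TCP_ANY>", "<CIFS_ANY>"}
HOSTPORT_RE = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")


@dataclass
class AppTunnelService:
    """One row of the Sentry App Tunneling Configuration (field names assumed)."""
    service_name: str
    server_auth: str = "Pass Through"                     # or "Kerberos"
    server_list: list = field(default_factory=list)       # "host:port" entries
    server_spn_list: list = field(default_factory=list)   # one SPN per server, same order
    tls_enabled: bool = False
    identity_cert_device_auth: bool = False               # Device Authentication = Identity Certificate


def parse_semicolon_list(text):
    """Split a semicolon-separated field as typed in the Admin Portal."""
    return [item.strip() for item in text.split(";") if item.strip()]


def service_kind(name):
    """Classify by prefix: 'tcp' (Advanced AppTunnel), 'cifs', or 'http' (standard)."""
    if name == "<TCP_ANY>":
        return "tcp"
    if name == "<CIFS_ANY>":
        return "cifs"
    if name == "<ANY>":
        return "http"
    if name.upper().startswith("TCP"):    # the TCP prefix is case-insensitive
        return "tcp"
    if name.startswith("CIFS_"):
        return "cifs"
    return "http"


def validate_service(svc):
    """Return (errors, warnings) for one service definition."""
    errors, warnings = [], []
    name = svc.service_name
    special = name in SPECIAL_SERVICES
    kind = service_kind(name)

    if not special:
        if not name:
            errors.append("service name is empty")
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            errors.append("service name contains forbidden characters: %r" % "".join(bad))

    # TCP tunnels pass raw packets through, so only Pass Through is possible
    if kind == "tcp" and svc.server_auth != "Pass Through":
        errors.append("TCP tunneling supports only Pass Through server auth")

    if svc.server_auth == "Kerberos":
        if not svc.identity_cert_device_auth:
            errors.append("Kerberos requires Identity Certificate device authentication")
        if kind == "cifs":
            errors.append("Kerberos is not supported for CIFS-based content servers")

    if special:
        # Server List, TLS Enabled and (for <ANY>) the SPN list do not apply
        if svc.server_list:
            warnings.append("Server List is ignored for %s" % name)
        if svc.tls_enabled:
            warnings.append("TLS Enabled is ignored for %s" % name)
        if svc.server_spn_list and name == "<ANY>":
            warnings.append("Server SPN List is ignored for <ANY>; the SPN is the requested server name")
    else:
        if not svc.server_list:
            errors.append("Server List must contain at least one host:port")
        for entry in svc.server_list:
            m = HOSTPORT_RE.match(entry)
            if not m or not 1 <= int(m.group(2)) <= 65535:
                errors.append("bad Server List entry %r (expected host:port)" % entry)
        if (svc.server_auth == "Kerberos" and svc.server_spn_list
                and len(svc.server_spn_list) != len(svc.server_list)):
            errors.append("Server SPN List has %d entries but Server List has %d"
                          % (len(svc.server_spn_list), len(svc.server_list)))
    return errors, warnings


def server_spn_pairs(svc):
    """Map each Server List entry to the SPN the Sentry will use for KCD.

    With an empty SPN list the SPN defaults to the server's host name (port
    stripped), as the guide allows; otherwise entries pair up by position.
    """
    pairs = {}
    for i, entry in enumerate(svc.server_list):
        host = entry.split(":")[0]
        pairs[entry] = svc.server_spn_list[i] if svc.server_spn_list else host
    return pairs
```

server_spn_pairs shows which SPN the Sentry will present for each server, which is the first thing to confirm when Kerberos delegation succeeds for one server of a round-robin group but not another.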
Note: In the Admin Portal, on Policies & Configs > Configurations, the name of the
app, not the name of the AppConnect app configuration, displays in the name column.
MobileIron Core keeps in sync the labels that you apply to the app and the labels that
you apply to the AppConnect app configuration that Core automatically created.
Important: Use the automatically created app configuration only as a reference. The
reason is that if you modify the key-value pairs in an automatically created
AppConnect app configuration, your modified settings are lost when you upload a new
version of the app. They will be replaced with the key-value pairs specified in the
uploaded app. This replacement can result in device users losing previously
configured settings. Therefore, manually create an AppConnect app configuration,
copying into it the keys from the automatically created app configuration. Then
enter appropriate values for the keys you copied.
Configuration tasks
To configure an AppConnect app configuration:
1. In the Admin Portal, select Policy & Configs > Configurations.
2. Select Add New > AppConnect > Configuration to create an AppConnect app
   configuration.
Name
    Enter brief text that identifies this AppConnect app configuration.
    Note: If MobileIron Core automatically created this AppConnect app
    configuration:
    - You cannot edit the name.
    - The name is not the same as the name that appears in the name column in
      Policy & Configs > Configurations.
Description
    Enter additional text that clarifies the purpose of this AppConnect app
    configuration.
Application
    Android, starting with Mobile@Work 5.6:
    Select an Android AppConnect app from the MobileIron Core app distribution
    library.
    iOS:
    Select an iOS AppConnect app from the MobileIron Core app distribution library
    or enter the bundle ID of an iOS AppConnect app. A bundle ID that you enter is
    case sensitive.
URL Wildcard
    Enter one of the following:
    - an app server's hostname
      Example: finance.yourcompany.com
    - a hostname with wildcards. The wildcard character is *.
      Example: *.yourcompanyname.com
Sentry
    Select a Sentry configured for app tunneling from the drop-down list.
Service
    Select a service name from the drop-down list.
    This service name specifies an AppTunnel service configured in the App
    Tunneling Configuration section of the specified Sentry.
    Note: If you entered a URL with wildcards in the URL Wildcard field, you can
    only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY>
    service must be configured in the App Tunneling Configuration section of the
    Sentry configured for App Tunneling.
    If the service on the Sentry is configured with its Server Auth set to
    Kerberos, the AppConnect app uses Single Sign On. That is, the device user
    does not enter any further credentials when the app accesses its enterprise
    app server.
Identity Certificate
    Select the Certificate or the SCEP profile that you created for app
    tunneling.
    For more information, see SCEP settings on page 301 and Certificates settings
    on page 300.
Configurations
    Specify app-specific configuration settings as key-value pairs.
    To add a key-value pair, click +.
    To delete a key-value pair, click -.
Key
    Enter the key. The key is any string that the app recognizes as a
    configurable item.
    For example: userid, appURL
Value
    Enter the value. The value is either:
    - a string
      The string can have any value that is meaningful to the app. It can also
      include one or more of these MobileIron Core variables: $USERID$, $EMAIL$,
      $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
      If you do not want to provide a value, enter $NULL$. The $NULL$ value tells
      the app that the app user will need to provide the value.
      For example:
      $USERID$
      https://someEnterpriseURL.com
    - a SCEP or Certificate setting
      SCEP and Certificate settings that you configured in Policy & Configs >
      Configurations appear in the dropdown list. When you choose a SCEP or
      Certificate setting, MobileIron Core sends the contents of the certificate
      as the value.
      If the certificate is password-encoded, Core automatically sends another
      key-value pair. The key's name is the string
      <name of key for certificate>_MI_CERT_PW. The value is the certificate's
      password.
3. Click Save.
4. Select the new AppConnect app configuration.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this AppConnect app configuration.
7. Click Apply.
Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
1. Go to Users and Devices > Devices.
2. Select the device.
3. In the Device Details Pane, select Label Membership.
4. Click Apply.
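The URL Wildcard, Service, and key-value rules in the app configuration table above can be modelled to see what a device will actually receive. The following Python is an added example, not code from MobileIron Core: hostname_matches implements the wildcard match the guide describes (* matches any run of characters, compared case-insensitively); check_service_selection enforces that a wildcard URL may only use <ANY> or <CIFS_ANY> and that the chosen service exists on the selected Sentry; resolve_config expands the $USERID$, $EMAIL$ and $USER_CUSTOM1$ to $USER_CUSTOM4$ variables, treats $NULL$ as "the user must supply this", and emits the <key>_MI_CERT_PW pair for a password-encoded certificate. The CertificateSetting class, the user dictionary layout and the certificate bytes are this example's own constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

NULL_VALUE = "$NULL$"                 # tells the app that the user must supply the value
CERT_PASSWORD_SUFFIX = "_MI_CERT_PW"  # Core appends this to the key of a password-encoded cert
WILDCARD_ONLY_SERVICES = {"<ANY>", "<CIFS_ANY>"}


@dataclass
class CertificateSetting:
    """A SCEP or Certificate setting chosen as a value (constructed stand-in)."""
    name: str
    contents: bytes
    password: Optional[str] = None    # set when the certificate is password-encoded


def hostname_matches(url_wildcard, hostname):
    """Match a requested hostname against the URL Wildcard field.

    '*' matches any run of characters and the comparison is case-insensitive,
    as in the guide's example of *.myCompany.com matching myAppServer.mycompany.com.
    """
    pattern = re.escape(url_wildcard.lower()).replace(r"\*", ".*")
    return re.fullmatch(pattern, hostname.lower()) is not None


def check_service_selection(url_wildcard, service, sentry_services):
    """Validate the Service field against the URL Wildcard and the Sentry's services."""
    errors = []
    if service not in sentry_services:
        errors.append("service %s is not configured on the selected Sentry" % service)
    if "*" in url_wildcard and service not in WILDCARD_ONLY_SERVICES:
        errors.append("a URL with wildcards can only use <ANY> or <CIFS_ANY>")
    return errors


def resolve_config(pairs, user):
    """Expand the key-value pairs into what one user's device receives.

    pairs: key -> string value or CertificateSetting
    user:  dict with 'userid', 'email' and optional 'custom1' .. 'custom4'
    """
    substitutions = {
        "$USERID$": user["userid"],
        "$EMAIL$": user["email"],
        "$USER_CUSTOM1$": user.get("custom1", ""),
        "$USER_CUSTOM2$": user.get("custom2", ""),
        "$USER_CUSTOM3$": user.get("custom3", ""),
        "$USER_CUSTOM4$": user.get("custom4", ""),
    }
    resolved = {}
    for key, value in pairs.items():
        if isinstance(value, CertificateSetting):
            # Core sends the certificate contents as the value, plus the
            # password under <key>_MI_CERT_PW when the certificate is encoded
            resolved[key] = value.contents
            if value.password is not None:
                resolved[key + CERT_PASSWORD_SUFFIX] = value.password
        elif value == NULL_VALUE:
            resolved[key] = None      # the app prompts the user for this value
        else:
            for variable, actual in substitutions.items():
                value = value.replace(variable, actual)
            resolved[key] = value
    return resolved
```

Running check_service_selection before applying a label catches the two configuration mistakes the table warns about: a wildcard URL paired with a named service, and a service that was never defined on the Sentry chosen in the Sentry field.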
Enabling AppTunnel
If you are deploying secure apps developed by your organization or a third party, you
need to enable an additional product to use app tunnels with these apps:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
Note: Do not select this option if you are using AppTunnel only for Docs@Work.
Do the following:
1. In the Admin Portal, go to Settings > Sentry.
2. Select the Standalone Sentry.
3. Click the Edit icon.
4. Select Enable Attachment Control, which is in the Attachment Control Configuration
section of the ActiveSync Configuration section.
5. For Android Using Secure Apps, select Open With Secure Email App.
action. These actions can be either default compliance actions or custom compliance
actions.
For details about compliance actions that impact AppConnect apps, see Compliance
actions for security policy violations on page 192.
Managing AppTunnel
Manually blocking the AppTunnel feature on a device on page 623
You can block all the AppConnect apps of a particular device from using the
AppTunnel feature.
Viewing App Tunnels on page 623
View all the tunnels for every app and device.
Taking actions on app tunnels on page 624
You can direct the Standalone Sentry to block a particular app on a particular
device from using an AppTunnel.
Note: On iOS devices, the set of impacted apps includes the Docs@Work features in
Mobile@Work for iOS.
Column Description
Application: The app bundle ID. For Docs@Work, the app name is displayed.
User: The AppConnect app user.
Status: The status of the device.
State: The app tunnel state. The state can be Allow or Block.
Version: The app tunnel headers version that the device uses to talk to the Sentry.
Service: Service name of the app tunnel. If your Standalone Sentry is not Version
    5.0, the Service field will be empty for new Version 1 tunnels.
Creation Time: The time when the app tunnel was created.
App Bundle: The app bundle ID for iOS AppConnect apps, and the package ID for
    Android AppConnect apps.
Action Description
Allow: Permits the AppConnect app on the device to access the app server(s) through
    a Sentry.
Block: Prohibits the AppConnect app on the device from accessing the app server(s)
    through a Sentry.
Remove: Deletes the app tunnel information. After a Remove, Sentry will not have any
    memory of the app tunnel. When the user on the device uses the app, a new app
    tunnel is established. Remove is generally used for troubleshooting purposes.
For more information about Divide PIM, including how to deploy it, see the Divide
PIM Release Upgrade Guide. The version that MobileIron supports is at
https://support.mobileiron.com/support/CDL.html.
IBM Notes Traveler
IBM Notes Traveler is the client for the IBM Notes Traveler server. It provides access
to email, contacts, calendar, and tasks. Contact IBM for licensing for IBM Notes
Traveler.
IBM Notes Traveler is not part of the Docs@Work solution. It is a third-party
AppConnect app. To use it, you must have a MobileIron license for third-party
AppConnect apps.
Working with the AppConnect versions of ThinkFree Document Viewer and File
Manager, emails and their attachments are available only in the AppConnect
container. You can secure data-in-motion using the AppTunnel feature. See Using
AppTunnel with the IBM Notes Traveler client app on page 632.
The automatically generated AppConnect app configuration includes configuration
settings, such as the IBM Notes Traveler server. You can edit these settings so that
the device user does not have to enter them manually. You do not configure an
Exchange app setting when using IBM Notes Traveler.
Note: Standalone Sentry email attachment control does not support the IBM Notes
Traveler client. When you configure attachment control on the Standalone Sentry,
the settings you select have no impact on email attachment delivery to IBM Notes
Traveler. The attachment control settings apply only to ActiveSync servers and
email clients.
Starting with Secure Apps 5.9.0.1, MobileIron provides a secure version of IBM
Notes Traveler version 9.0.1.0_201404021602. The version that MobileIron supports
is at https://support.mobileiron.com/support/CDL.html.
Polaris Office
Polaris Office for Android provides secure document viewing and editing on Android
devices. Using it requires an additional license. Polaris Office is not part of the
Docs@Work solution. It is a third-party AppConnect app. To use it, you must have a
MobileIron license for third-party AppConnect apps.
Polaris Office also requires a license key. The license key allows MobileIron to track
how many devices in your company are using the app. You provide the license key
to the devices that use the app by including it in the AppConnect app configuration
for the app. For more information, see License key support on page 631.
NitroDesk TouchDown
The AppConnect version of the NitroDesk TouchDown email app provides a consistent
user experience across a broad range of Android devices. Working with the
AppConnect versions of ThinkFree Document Viewer and File Manager, emails and
their attachments are available only in the AppConnect container. This combination
of secure apps can provide the secure email attachment capability of the
Docs@Work solution.
Starting with Secure Apps 5.7, MobileIron provides a secure version of NitroDesk
TouchDown 8.1.00052. The version that MobileIron supports is at
https://support.mobileiron.com/support/CDL.html.
Note: Web@Work for Android, the secure browser that MobileIron provides, allows
you to run pure web apps in the AppConnect secure container.
In a hybrid web app, business logic and content presentation occurs using Android
WebView and WebKit technologies, specifically within an object of the Java class
android.webkit.WebView. The WebView object locally renders content using web
technologies such as HTML, CSS, and JavaScript. The WebView object can access the
web content from a network resource or from embedded web content.
Starting with Android Secure Apps 6.0, like other app data, data related to the
android.webkit.WebView class is encrypted. This web-related data can include
cookies, the web cache, and web databases.
PhoneGap apps
Android Secure Apps 6.0 adds support for AppConnect-enabled PhoneGap apps on
devices running Android 4.0 through 4.4. That is, you can now wrap an APK file that
was created using the PhoneGap mobile development framework. The wrapped
PhoneGap app is a type of AppConnect-enabled hybrid web app.
Note: Advanced AppTunnel supports TCP tunneling from the app to enterprise servers
behind the firewall. Standard AppTunnel supports only HTTP/S tunneling. Because
WebView does not use one of the HTTP/S APIs that Android AppConnect wrapping
supports, Advanced AppTunnel is required for AppConnect-enabled hybrid web apps.
When a hybrid web app uses Advanced AppTunnel, the traffic between the device and
the Standalone Sentry is secured using a Secure Sockets Layer (SSL) session, as
shown in the following diagram:
Note:
- Advanced AppTunnel does not support wrapped hybrid web apps using UDP.
- Only hybrid web apps can use Advanced AppTunnel. An app written in Java without
  using Android WebView and WebKit technologies can use only standard AppTunnel
  to tunnel HTTP/S connections. MobileIron supports standard AppTunnel in Java
  apps only if the app uses the HTTP/S APIs specified in the MobileIron
  AppConnect for Android App Developers Guide.
- Contact the application vendor or developer to find out whether to configure
  Advanced AppTunnel or standard AppTunnel.
The procedure to configure Advanced AppTunnel is mostly the same as the procedure
to configure standard AppTunnel (HTTP/S tunneling). The difference involves the
AppTunnel service that you configure on the Standalone Sentry. See Configuring a
TCP tunnel service on page 401.
The following table shows which Android secure apps you can deploy for the options
Docs@Work, AppConnect for third-party and in-house apps, and Web@Work. Select
each option only if your organization has purchased it.
*In addition to purchasing the Additional Products option, these apps have an additional cost.
Enable AppTunnel for third-party and in-house apps for the following apps if your
organization has purchased AppTunnel:
- IBM Notes Traveler if you are securing data-in-motion with AppTunnel.
  Note: The data-in-motion for the email apps Secure NitroDesk TouchDown, Android
  Email+, and Divide PIM is secure without using AppTunnel.
- Any third-party or in-house apps if you are securing data-in-motion with
  AppTunnel.
Note: When using AppTunnel only to tunnel data from the SharePoint client app to
content servers, you do not need to select the option to enable AppTunnel for
third-party and in-house apps.
You provide the license key to the devices that use the app by including it in the
AppConnect app configuration for the app. When the app first runs on a device, the
Secure Apps Manager validates the license key and passes it to a MobileIron activation
server. The MobileIron activation server logs the use of the app on that device.
If this process fails, the app does not run. Possible failure reasons are configuring an
invalid license key, configuring no license key, or no network connectivity on the
device.
Note: The Secure Apps Manager communicates with the MobileIron activation server
using HTTPS. Therefore, devices are required to have access to the public Internet the
first time the app launches for this feature to work.
To provide the license key to the app, add a key-value pair to the app's AppConnect
app configuration:
Key: MI_APP_LICENSE
Value: The license key that you received with your order. For example:
1adadecd357456c123456
If the device user tries to view a document type that is not in this list, the Android OS
indicates that no app is available to open the selected file.
Note: AppConnect apps can use other secure file viewers if they are also AppConnect
apps.
The SharePoint Client is part of the secure File Manager. Therefore, the SharePoint
Client does not appear as a separate app in the list of secure apps that the device
user installs. It also does not appear as a separate app in the app distribution
library on MobileIron Core. When a device user installs the secure File Manager, they
also install the SharePoint Client.
Additional Standalone Sentry requirements exist for using the AppTunnel feature for
the IBM Notes Traveler client. Do one of the following:
- Use VSP 5.7 through 6.0 and Standalone Sentry 4.7 through 4.9.
  No special configuration is necessary for IBM Notes Traveler with these versions
  of VSP and Sentry.
- Dedicate a Standalone Sentry to tunneling for IBM Notes Traveler if you are using
  a Standalone Sentry version prior to 4.7.
  This option requires you to configure session timeout values for the Sentry.
To configure session timeout values, do the following steps in the Admin Portal:
1. Go to Settings > Sentry.
2. Select the entry to edit.
3. Click the edit icon next to the entry.
4. Scroll down to Advanced Configuration.
5. Click to expand.
6. Click Yes when prompted.
7. Enter the following values:
   Setting                     Value
   Socket read/write timeout   10000 milliseconds, which is the default value
   Server connection timeout   10000 milliseconds, which is the default value
   Server response timeout     900000 milliseconds
   Device request timeout      900000 milliseconds
8. Click Save.
Lock impact
Locking a device causes the device user to be locked out of AppConnect apps. The
user must reenter the secure apps passcode to access AppConnect apps. The Secure
Apps Manager prompts the user to reenter the passcode when the user launches:
- the Secure Apps Manager
- any AppConnect app
If the device also uses a device passcode, the user must first reenter the device
passcode.
Unlock impact
Unlocking a device removes the device passcode and also removes the secure apps
passcode. The Secure Apps Manager notifies the device user to create a new secure
apps passcode when the user launches:
- the Mobile@Work app
No data relating to AppConnect apps is removed when a device is unlocked. Once the
device user creates a new secure apps passcode, the data becomes accessible again.
Retire impact
Retiring a device unregisters the device from MobileIron Core.
However, the device user must manually uninstall the AppConnect apps and the
Secure Apps Manager.
Retiring a device, therefore, retires the AppConnect apps on the device. For more
information about retiring AppConnect apps, see AppConnect app authorization on
page 603.
Each row of the following table summarizes whether copy/paste is allowed for a set of
apps depending on the copy/paste setting:
If the Exchange setting allows copy/paste commands, the copy/paste DLP setting in
the AppConnect global policy determines the extent of copy/paste use in these apps,
just as it does with other apps.
The following table summarizes the copy/paste behavior for secure and unsecured
TouchDown and Email+, depending on the Exchange setting and the AppConnect
global policy setting:
For example, consider a device user who is viewing an email in a secure email app,
and the email body contains a URL. The user taps on the URL to view the web page in
a browser. The following table describes the behavior for opening browsers from
secure apps:
Note: If the URL points to a server behind the enterprise's firewall, an unsecured
browser's attempt to display the web page fails.
- An AppConnect app such as NitroDesk TouchDown can allow a device user to select
  one of the system folder's ringtones.
- An AppConnect app such as Polaris Office can now access the system folder's font
  files.
- The secure File Manager can display the system folder.
Secure Apps Encryption Mode
    Indicates one of the following values:
    Unavailable
        - A version of Secure Apps Manager prior to 5.9 is installed on the
          device.
        - Secure Apps Manager is not installed on the device.
    AES-128
        The device user upgraded to Secure Apps Manager 5.9 from a prior version.
    AES-256
        - The device user installed Secure Apps Manager 5.9 on a device that had
          no prior version.
        - The device user upgraded to Secure Apps Manager 5.9 from a prior
          version. Then you disabled and re-enabled AppConnect on the device.
          This procedure wiped all the AppConnect data and changed the encryption
          mode to AES-256.
Secure Apps Encryption State
    The value is Enabled if the device user has created a secure apps passcode.
    Otherwise, the value is Disabled.
Secure Apps State
    Indicates the state of secure apps on the device:
    not installed
        The device user has not yet installed all the secure apps.
    installed
        The device user has installed all the secure apps but has not yet created
        the secure apps passcode.
    ready
        The device user has installed the secure apps and created the secure
        apps passcode.
Note: You do not have to purchase the AppConnect feature that supports third-party
and in-house apps to use Web@Work or the Docs@Work features of Mobile@Work.
maximum time between app checkins while an AppConnect app is running. See
Configuring the AppConnect global policy on page 590.
It enforces the AppConnect passcode.
Mobile@Work prompts the device user to create an AppConnect passcode when
first launching any AppConnect app. You configure a passcode inactivity timeout in
the AppConnect global policy. When this timeout expires, Mobile@Work prompts
the device user to reenter his AppConnect passcode.
In each of these situations, Mobile@Work launches, and the device user sees the
Mobile@Work app momentarily. Once Mobile@Work has completed the app checkin,
the device user automatically returns to the AppConnect app.
Note: The Force Device Check-in feature on the Admin Portal does not sync the
policies and settings related to AppConnect for iOS. The app check-in interval on
the AppConnect global policy controls these updates. However, in the Mobile@Work
for iOS app on the device, the Force Device Check-in option does sync the policies
and settings related to AppConnect.
The device user used Mobile@Work to log out of AppConnect apps, and then
launches an AppConnect app.
The MobileIron Core administrator has changed the complexity rules of the
AppConnect passcode, and an app checkin occurs.
In each of these situations, Mobile@Work launches, and presents the device user with
a screen for entering his AppConnect passcode. After the device user enters the pass-
code, the device user automatically returns to the AppConnect app.
Dual-mode apps
Some apps can behave as either an AppConnect-enabled app, or a regular, unsecured,
standalone app. These apps are called dual-mode apps. For example, Divide iOS is a
dual-mode app. As a dual-mode app, the same app can behave as a secure, enterprise
app for enterprise users, or as a regular app for general consumers.
You have configured an AppConnect container policy for the app (or have configured
the AppConnect global policy to authorize apps that have no AppConnect container
policy).
Some dual-mode apps allow the device user to change the app into an
AppConnect-enabled app or regular app after having already run it the other way.
Other dual-mode apps require the user to uninstall and reinstall the app to make
this change.
Component compatibility
This feature requires:
Mobile@Work 5.9
Apps built with the AppConnect for iOS SDK version 1.7 or apps wrapped with iOS
AppConnect Wrapper version 1.9.
Log levels
You choose one of four log levels for an AppConnect app. The two highest levels can
log sensitive data. To prohibit unauthorized users from accessing sensitive data, the
two highest levels require the device user to enter a debug code that you specify.
Exactly what sensitive data is logged depends on the app, but can include, for
example:
Device user data, including document names and contents, contact lists, notes, and
bookmarks
Encryption keys, passwords, certificates, signing identities, and cookies
Complete URLs and URL POST data
Data that reveals the contents of encrypted data
The following table describes the log levels from lowest (least verbose) to highest
(most verbose). For each level it states whether the logs contain sensitive data and
whether the level requires the user to enter the debug code.
Error (contains sensitive data: No; requires the user to enter the debug code: No)
    Provides error, warning, and status messages.
    This level is the default. It is always turned on.
    Error messages are for events that block access to part or all of the app.
    Example: Corrupt or missing data
    Warning messages are for events that are suspicious, but not quite failures
    like errors.
    Example: Unexpected data that is ignored
    Status messages indicate major changes in the state of the app.
    Example: User successfully logged in
Info (contains sensitive data: No; requires the user to enter the debug code: No)
    Provides error, warning, and status messages, plus more information.
    Info messages indicate minor changes in the state of the app.
    Example: AppConnect app check-in times
Verbose (contains sensitive data: Yes; requires the user to enter the debug code: Yes)
    Provides error, warning, status, and info messages, plus more, possibly
    sensitive, information.
    Verbose messages provide more extensive information, possibly including
    sensitive details.
    Example: Server URLs
Debug (contains sensitive data: Yes; requires the user to enter the debug code: Yes)
    Provides error, warning, status, info, and verbose messages, plus further
    information, which is possibly sensitive.
    Debug messages have the most information, possibly including sensitive
    details.
    Example: URL request details
1. Modify an AppConnect app's app configuration to increase the log level for the
   app.
   You create a key-value pair that specifies one of four log levels. For the two
   highest log levels, verbose and debug, you create a key-value pair that is the
   debug code that activates logging.
   See Configuring the log level and debug code on page 646.
2. If you chose one of the two highest log levels, ask the device user to turn on
   logging for the app on the device, and to enter the debug code.
   See Activating verbose or debug logging on the device on page 648.
3. Collect the data from the device.
   See Collecting the logs on page 649.
4. View the logs.
   See Viewing the logs on page 650.
5. Revert to the default log level.
   See Remove log level configuration when no longer needed on page 651.
Consider that the debug level impacts all devices with the applied labels. The same
debug code works for all impacted devices. Although you have to tell a device user the
debug code for the app to log sensitive data, the user can share the debug code with
other users. Therefore, carefully consider which labels are applied to an existing app
configuration to which you add the verbose or debug log levels.
If the app had no app configuration, you can easily narrow down the set of devices
that can log sensitive data. Create a new label and apply it to the app configuration
that you create for assigning log levels. Then add the same label to the devices of
interest.
Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
1. Go to Users and Devices > Devices.
2. Select the device.
3. In the Device Details Pane, select Label Membership.
The status details for an AppConnect app include a Debug Mode switch only when you
have configured both of the following in the app's AppConnect app configuration:
- a log level of verbose or debug
- a debug code
In this case, the status details for an AppConnect app show the Debug Mode switch:
Verbose or debug level logging is activated for 24 hours, after which it is automatically
deactivated the next time that the device user launches or switches to the app.
However, the device user can deactivate it any time by tapping Debug Mode again.
Therefore, after the device user has activated debug mode on the device, and can
reproduce the issue, instruct the device user to do the following:
1. Download IPCU from Apple's web site and install it on a Mac OS X or Windows computer.
See http://support.apple.com/downloads/#iphone configuration utility.
2. Connect the device to the computer using a USB cable.
3. Open IPCU on the computer.
4. Select the device in the left pane.
5. Select the Console tab.
6. When the issue occurs on the device, click Save Console As...
7. Save the data to a file.
8. Email the file to you.
The messages logged by AppConnect apps, the AppConnect library, and the
AppConnect wrapper include the log level as shown in the following table:
Do the following:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the app configuration for the app and click Edit.
3. In App-specific Configurations, click - to remove the key-value pairs.
4. Click Save.
Upgrade considerations
Consider the case when the AppConnect app configuration on MobileIron Core contains the log-related key-value pairs before a device user upgrades to Mobile@Work 5.9. When the device user upgrades, the configured log levels are not automatically applied. The log level defaults to error.
Chapter 17
Web@Work
Overview
Secure enterprise web site access using AppTunnel
Web@Work user agent string
Configuring Web@Work on the Admin Portal
Overview
Web@Work is an AppConnect app provided by MobileIron that allows your users to
securely access your organization's web content on iOS and Android devices using
AppTunnel technology rather than requiring VPN configuration. The way you configure
Web@Work on MobileIron Core is essentially the same for both iOS and Android
devices, except for how each app is distributed. iOS and Android versions of
Web@Work support the same core functionality. However, some features of
Web@Work are specific to only one or the other operating system. Where the feature
set is not commonly shared, this chapter denotes features specific to only one
operating system as iOS or Android, as applicable.
See MobileIron Web@Work for iOS Release Upgrade Guide, Version 1.1.3 for
additional details.
Web@Work overview
Web@Work has the following features.

Feature: Secure access to web sites hosted on servers behind your firewall, without requiring the device user to use VPN
Platform support: iOS, Android
Description: Web@Work uses AppConnect and AppTunnel capabilities to provide this secure access.
Note: You can use Web@Work without purchasing AppConnect for third-party or in-house apps and without purchasing AppTunnel.
See Secure enterprise web site access using AppTunnel on page 660.
Configuration: See Configure a Web@Work setting on page 672.

Feature: Support for Single Sign On using Kerberos Constrained Delegation (KCD)
Platform support: iOS, Android
Description: The device user registers Mobile@Work with MobileIron Core by entering his MobileIron credentials. Then, the device user can use Web@Work to access an enterprise app server without having to enter any further credentials. This support depends on your environment being set up to use KCD, plus the necessary AppTunnel configuration.
See Authentication using an identity certificate and Kerberos constrained delegation on page 412.

Feature: Admin-specified bookmarks
Platform support: iOS, Android
Description: Web@Work supports bookmarks that you specify on the Admin Portal.
Configuration: See Configure a Web@Work setting on page 672.

Feature: Ability to provide different Web@Work-related settings to different devices and users
Platform support: iOS, Android
Description: You can provide different Web@Work-related settings to different devices and users, depending on, for example, device attributes and user membership in the enterprise directory. MobileIron Core provides this capability through labeling.

Feature: URL schemes that open web pages automatically, and only, in Web@Work
Platform support: iOS
Description: See Web@Work URL schemes (iOS) on page 658.

Feature: User can open downloaded documents in other secure apps, such as ThinkFree Viewer or File Manager.
Platform support: Android

Feature: Encrypt downloaded documents and prevent sharing them outside of the secure container
Platform support: Android
Description: Screen capture can be disabled, as well. These behaviors protect documents from leaking to unsecure apps.

Feature: Delete downloaded documents based on device compliance status
Platform support: Android
Description: For example, automatic wipe of downloaded documents can occur in the following cases:
- The device has been out of contact for the specified amount of time.
- The device is retired.
When the device user first launches Web@Work, Mobile@Work prompts the user to
create a secure apps passcode if he had not already created one to use some other
AppConnect app. On subsequent launches of Web@Work, Mobile@Work prompts
the user to enter the secure apps passcode, unless he had recently entered it to
use some other AppConnect app.
Note: On Android the AppConnect implementation uses its own encryption
implementation and does not require a device passcode. Instead, the secure apps
passcode is required.
Once a device user has registered the device with MobileIron Core and, if required,
entered his secure apps passcode, he has no further Web@Work setup to do.
Note: A device user cannot specify Web@Work as the default browser on the device.
This prohibition ensures that the device user always has easy access to a browser for
non-enterprise browsing, even if the device becomes unauthorized to use Web@Work.
For example, a web page opens automatically in Web@Work when the device user:
- taps a link in Safari that uses one of these URL schemes.
- taps a web clip that uses one of these URL schemes.
Note: These URL schemes work in web clips only on devices running iOS 6.0 through iOS 7.1.
Because iOS otherwise automatically opens HTTP and HTTPS URLs only in Mobile
Safari, the native web browser, using these URL schemes in web clips and web pages
for mobile devices can improve the user experience when Web@Work is used for
tunneling.
When Allow Copy/Paste To is not selected, the device user is not allowed to paste
secure data from Web@Work into an unsecured app. Therefore, Web@Work clears the
pasteboard when it exits only if the device user copied content from inside
Web@Work.
Note: Similarly, when Mobile@Work exits, it clears data copied from inside
Mobile@Work because the Docs@Work content of Mobile@Work is also secure data.
This behavior means that the device user's copy/paste experience for other apps is not impacted. For example, consider the following scenario:
1. Allow Copy/Paste To is not selected.
2. The device user copies a URL from an unsecured app.
3. The device user launches Web@Work.
4. Mobile@Work launches to prompt the device user for his AppConnect passcode.
At this point, although Web@Work exited, it did not clear the URL from the pasteboard, since the URL was not copied from inside Web@Work. The device user can still paste the content into any app, secured or not.
5. When the device user returns to Web@Work, the URL is still available on the pasteboard.
6. The device user pastes the URL into the Web@Work address bar.
See Add Web@Work for iOS to the app distribution library on page 676 for further
details.
See Upload Web@Work for Android to MobileIron Core and apply labels on page 676
for further details.
Make sure your web server applications handle Web@Work requests just as they
would handle native browser requests on the iOS or Android device.
See Configure an AppConnect global policy on page 670.
6. Configure an AppConnect container policy for Web@Work
Where: Policies & Configs > Configurations > Add New > AppConnect > Container Policy, or edit an existing policy
Description: The AppConnect container policy for Web@Work is used to authorize the device user to use Web@Work. This policy also configures data loss prevention policies for the device.
See Configure an AppConnect container policy for Web@Work on page 671.
7. Configure a Web@Work setting
Where: Policies & Configs > Configurations > Add New > Web@Work
Description: A Web@Work setting configures:
- AppTunnel settings for Web@Work
- admin-specified browser bookmarks
- key-value pairs for custom configuration
See Configure a Web@Work setting on page 672.
8. iOS only: Add Web@Work as a recommended app
Where: Apps & Configs > App Distribution
Description: For iOS device users, add Web@Work for iOS to the app distribution library as a recommended app.
See Add Web@Work for iOS to the app distribution library on page 676.
9. Android only: Add Web@Work as an in-house app
Where: Apps & Configs > App Distribution
Description: Web@Work for Android can only be added to the app distribution library as an in-house app.
See Upload Web@Work for Android to MobileIron Core and apply labels on page 676.
Enabling Web@Work
A Web@Work license is required on MobileIron Core to enable support. This setting
indicates that you have the required license to deploy Web@Work.
Note: Although Web@Work uses AppConnect capabilities, do not select Enable
AppConnect For Third-party and In-house Apps under Settings, unless you also
purchased that license.
To enable Web@Work:
1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select Enable Web@Work.
4. Click Save.
Sentry Host / IP: Enter the external host name or IP address of the server on which the Standalone Sentry is installed.
The host name or IP address must be external because Web@Work on devices must be able to access the Sentry. MobileIron Core also needs to connect to this same host name or IP address. If the host name or IP address is not accessible by both Core and devices, use the name or IP address that the devices use. Then, using the System Manager, add a static host entry to Core.
Sentry Port: Enter the port that the Standalone Sentry is listening on. The default is 9090.
Enable App Tunneling: Click the check box to enable AppTunnel support on the Sentry.
Subject Alternative Name Type: Use the Subject Alternate Name Type list to select the field in the client certificate that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating the client certificate. This type is often the NT Principal Name.
Value: Use the Value list to select the value used in the Subject Alternate Name field.
Usually, the User UPN (user principal name) is used to identify the user.
Server-side Proxy
Enter the HTTP proxy server information. Configuring an HTTP proxy server provides access to corporate resources without having to open the ports that Standalone Sentry would otherwise require.
This feature is available only with Standalone Sentry Version 4.9 or later.
Proxy Host Name / IP: Enter the FQDN of the proxy server. Do not include a URI scheme, such as http:// or https://, in this field.
Proxy Port: Enter the port number for the proxy server.
To add a new service for Web@Work, click +.
Service Name: Use the dropdown to select <ANY>.
Note: <CIFS_ANY> is not relevant to Web@Work.
Selecting <ANY> means that the Web@Work user can reach any of your internal servers. Typically, you do not want to restrict users' access. However, if you do want to restrict their access to internal servers, you can list the services here instead of selecting <ANY>. The service name is any unique identifier for the internal servers.
For example, some possible service names are:
- SharePoint
- Human Resources
Server Auth: Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the enterprise server:
- Pass Through: The Sentry passes through the authentication credentials, such as the user ID and password (basic, digest or NTLM authentication), to the enterprise server.
- Kerberos: The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when Web@Work accesses the enterprise server.
The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
Server List: Since you typically select <ANY> for the service name for Web@Work, the server list is not applicable.
Note: <CIFS_ANY> is not relevant to Web@Work.
If you do specify service names, enter the internal server's host name or IP address (usually an internal host name or IP address). Include the port number on the internal server that the Sentry can access.
For example:
sharepoint1.companyname.com:443
You can enter multiple servers. The Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first internal server, the next with the next internal server, and so on. Separate each server name with a semicolon.
For example:
sharepoint1.companyname.com:443;sharepoint2.companyname.com:443
TLS Enabled: Since you typically select <ANY> for the service name for Web@Work, TLS Enabled is not applicable.
If you do specify service names, select TLS Enabled if the enterprise servers listed in the Server List field require SSL.
Note: Although port 443 is typically used for https and requires SSL, the enterprise server can use other port numbers requiring SSL.
Proxy Enabled: Select if you want to direct the AppTunnel service traffic through the proxy server. You must also have configured Server-side Proxy.
Server SPN List: Since you typically select <ANY> for the service name for Web@Work, Server SPN List is not applicable.
Note: <CIFS_ANY> is not relevant to Web@Work.
Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the Standalone Sentry assumes that the SPN is the same as the server name received from the device.
If you do specify service names, enter the Service Principal Name (SPN) for each server, separated by semicolons. For example:
sharepoint1.company.com;sharepoint2.company.com
The Server SPN List applies only when the Service Name is not <ANY> and the Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN, you can leave the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List. The first server in the Server List corresponds to the first SPN in the Server SPN List, the second server in the Server List corresponds to the second SPN in the Server SPN List, and so on.
Kerberos Authentication Configuration
If you select Kerberos for the Server Auth field for an AppTunnel service, this section appears. For Kerberos authentication information for both ActiveSync and AppTunnel, see Authentication using an identity certificate and Kerberos constrained delegation on page 412.
Use keytab file: Select this field to upload a Kerberos-generated keytab file. Click Upload File to upload the keytab file. Uploading the keytab file populates the Realm and Sentry Service Principal fields.
Realm: If you do not upload a keytab file, enter the Kerberos administrative domain. The realm is usually the company domain name, in all uppercase characters.
Sentry Service Principal: If you do not upload a keytab file, enter the service principal for the Sentry service account, preceded by HTTP/. For example, if the user name of the service account is sentry1_kcd, the service principal would be HTTP/sentry1_kcd.
Password: If you do not upload a keytab file, enter the password for the Sentry service account.
Key distribution center: Optionally enter the key distribution center, which is the network service that supplies session tickets and temporary session keys. This field is generally the Active Directory domain controller hostname. If you do not enter a key distribution center, the system auto-detects it.
4. Click Save.
5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the Sentry configured for AppTunneling, click the View Certificate link. This makes the Sentry's certificate known to MobileIron Core.
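The Server List and Server SPN List rules described above (semicolon-separated entries, a port on every server, an SPN count equal to the server count with positional pairing, and round-robin tunnel distribution) are easy to get wrong when typed by hand. The Python helper below is an added example written for this guide's reader; it is not MobileIron or Standalone Sentry code. It reuses the guide's own sample server and SPN values as constructed input, and it treats a trailing period on a field value as punctuation to be ignored, which is an assumption rather than documented Sentry behaviour.

```python
"""Check the Server List / Server SPN List fields of an AppTunnel service
and model the Sentry's round-robin tunnel distribution.

Added illustration for this guide, not MobileIron or Standalone Sentry code.
Rules taken from the Server List and Server SPN List descriptions:
  * entries are separated by semicolons and every server carries a port;
  * an empty SPN list means each server's SPN equals its host name;
  * otherwise the SPN count must equal the server count, pairing by position;
  * tunnels are assigned to servers in round-robin order.
Assumption (not on the page): a trailing '.' on a field value is ignored.
"""
from itertools import cycle
from typing import List, Tuple


def _split_field(value: str) -> List[str]:
    """Split a semicolon-separated field, dropping blanks and a trailing period."""
    return [e.strip() for e in value.strip().rstrip(".").split(";") if e.strip()]


def parse_server_list(value: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs; reject entries without a numeric port."""
    servers = []
    for entry in _split_field(value):
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"server entry must be host:port, got {entry!r}")
        servers.append((host, int(port)))
    if not servers:
        raise ValueError("Server List is empty")
    return servers


def pair_servers_with_spns(server_list: str, spn_list: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, spn) triples following the positional rule."""
    servers = parse_server_list(server_list)
    spns = _split_field(spn_list)
    if not spns:
        # SPN list left empty: each server's SPN is the same as its name.
        return [(host, port, host) for host, port in servers]
    if len(spns) != len(servers):
        raise ValueError(
            f"Server SPN List has {len(spns)} entries but Server List has {len(servers)}"
        )
    return [(host, port, spn) for (host, port), spn in zip(servers, spns)]


def round_robin_targets(servers: List[Tuple[str, int]], tunnels: int) -> List[str]:
    """Host that each of the first `tunnels` tunnels is set up with."""
    return [host for (host, _), _ in zip(cycle(servers), range(tunnels))]


# Constructed input, reusing the guide's example values.
SAMPLE_SERVER_LIST = "sharepoint1.companyname.com:443;sharepoint2.companyname.com:443"
SAMPLE_SPN_LIST = "sharepoint1.company.com;sharepoint2.company.com"

if __name__ == "__main__":
    for host, port, spn in pair_servers_with_spns(SAMPLE_SERVER_LIST, SAMPLE_SPN_LIST):
        print(f"{host}:{port} -> SPN {spn}")
    print(round_robin_targets(parse_server_list(SAMPLE_SERVER_LIST), 5))
```

A count mismatch between the two fields is reported before anything is saved, which is the failure the guide warns about: with a mismatch the positional pairing silently assigns the wrong SPN to a server and Kerberos delegation to that server fails.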
For detailed information about security policies, see Working with security policies
on page 182.
You also configure default data loss prevention policies. Note that:
- Web@Work for iOS supports only the Allow Copy/Paste To option. Enabling the other options has no impact on Web@Work.
- Web@Work for Android supports only the Screen Capture data loss prevention policy option in the AppConnect global policy.
5. Apply the appropriate labels to the AppConnect global policy. If you are using the
default AppConnect global policy, it automatically applies to all devices.
Note: You can also authorize device users to use Web@Work on the AppConnect
global policy by selecting the option to authorize apps without an AppConnect
container policy.
Note: Make sure only one AppConnect container policy for Web@Work applies to each
device.
Be sure to apply one of the labels that you selected to the device. To check the device's labels:
1. Go to Users & Devices > Devices.
2. Expand the device details for the desired device, by clicking the up arrow next to
the checkbox.
3. Select Label Membership.
AppTunnel
Web@Work uses the AppTunnel feature to provide secure access to web sites behind
your firewall. A device user can use Web@Work only if you have set up AppTunnel for
Web@Work.
Browser bookmarks
You can configure a list of secure web sites that Web@Work automatically sets up as
browser bookmarks for the device user.
Custom configurations
You can specify key-value pairs that provide configurable data that impact Web@Work
behavior. These key-value pairs are analogous to the key-value pairs that an
AppConnect app configuration provides in its App-specific Configurations section. The
only currently supported key-value pairs for both Web@Work for iOS and Web@Work
for Android are for use by MobileIron Technical Support for troubleshooting.
Note: Make sure only one Web@Work setting applies to each device.
Name: Enter brief text that identifies this Web@Work setting.
Description: Enter additional text that clarifies the purpose of this Web@Work setting.
Application: The application is set to Web@Work for you.
AppTunnel: Configure AppTunnel settings for Web@Work.
First, configure the Standalone Sentry to support AppTunnel. See Set up a Standalone Sentry to support AppTunnel for Web@Work on page 665.
When Web@Work tries to connect to the URL (and port, for Android) configured here, the Sentry creates a tunnel to the Service.
URL Wildcard: Typically, for the Web@Work AppTunnel, enter a hostname with wildcards. The wildcard character is *.
Example:
*.yourcompanyname.com
If you want finer granularity regarding what requests the Standalone Sentry tunnels, configure multiple AppTunnel rows.
If Web@Work requests to access this hostname, the Sentry tunnels the Web@Work data to an app server. The Sentry and Service fields that you specify in this AppTunnel row determine the target app server.
Note:
- On Android devices, the Web@Work data is tunneled only if Web@Work's request matches this hostname and the port number specified in the Port field of this AppTunnel row. On iOS devices, only the hostname, not the port number, determines whether the Web@Work data is tunneled.
- If Web@Work requests a hostname that does not match the value of any of the AppTunnel entries in the Web@Work setting, tunneling does not occur. In this case, if the requested hostname is behind your firewall, Web@Work informs the device user that it cannot access the requested hostname.
- A hostname with wildcards works only with the service <ANY>. Unlike services with specific service names, these services do not have associated app servers. The Sentry tunnels the data to the app server that has the URL that Web@Work specified. (<CIFS_ANY> is not relevant to Web@Work.)
- The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname (and port, for Android) that Web@Work requested is chosen. That row determines the Sentry and Service to use for tunneling.
- Do not include a URI scheme, such as http:// or https://, in this field.
Port: Enter the port number that Web@Work requests to access.
On Android devices: The Web@Work data is tunneled only if Web@Work's request matches the hostname in the URL Wildcard field and this port number. If you do not enter a port number, the port in Web@Work's request is not used to determine whether data is tunneled.
On iOS devices: Only the hostname, not the port number, determines whether Web@Work data is tunneled.
Note: Entering a port number in this field is required when both of the following are true:
- The hostname in the URL Wildcard field does not contain a wildcard.
- The service is not <ANY> or <CIFS_ANY>.
Sentry: Select the Standalone Sentry that you want to tunnel the URLs listed in this AppTunnel entry. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.
Service: Select a Service Name from the drop-down list. Typically, for Web@Work, the service is <ANY>.
Note: <CIFS_ANY> is not relevant to Web@Work.
This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.
If the service on the Sentry is configured with its Server Auth set to Kerberos, Web@Work uses Single Sign On for the enterprise server. That is, the device user does not enter any further credentials when Web@Work accesses the enterprise app server.
Identity Certificate: Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling.
For more information, see SCEP settings on page 301 and Certificates settings on page 300.
Bookmarks: Specify the bookmarks that you want to appear automatically in the Bookmarks screen of Web@Work.
To add a bookmark, click +.
To delete a bookmark, click -.
The bookmarks appear in the Bookmarks screen of Web@Work in the same order that they appear in the Web@Work setting. To change the ordering, drag the bookmarks in the Web@Work setting.
Bookmark: Enter the name of the bookmark. The name is any string that describes the URL that the bookmark points to.
For example:
Sales information
Address: Enter the URL for the bookmark.
For example:
https://sales.mySecureCompany.com
Custom Configurations: Specify Web@Work custom configuration settings as key-value pairs.
To add a key-value pair, click +.
To delete a key-value pair, click -.
Key: Enter the key. The key is any string that Web@Work recognizes as a configurable item.
The only currently supported key-value pairs for both Web@Work for iOS and Web@Work for Android are for use by MobileIron Technical Support for troubleshooting.
Value: Enter the value.
3. Click Save.
4. Select the new Web@Work setting.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this Web@Work setting.
7. Click Apply.
Be sure to apply one of the labels that you selected to the appropriate devices.
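The URL Wildcard, Port, and Service rules in the Web@Work setting are easiest to reason about against concrete rows. The following Python model is an added example written for this guide's reader, not MobileIron or Web@Work code: it encodes the first-match ordering, the Android hostname-plus-port versus iOS hostname-only rule, and the validation notes from the table, and checks them against constructed sample rows (the example.com names are placeholders). Two assumptions are not stated on the page: the wildcard is treated as a shell-style glob, so *.example.com matches www.example.com but not example.com itself, and a request URL without an explicit port is taken as the scheme default (443 for https, 80 for http).

```python
"""Model of how the AppTunnel rows in a Web@Work setting are evaluated.

Added illustration for this guide, not MobileIron or Web@Work code.
Rules taken from the URL Wildcard and Port descriptions:
  * rows are evaluated in order; the first match wins;
  * on Android a row matches only if the hostname and, when the row has
    a Port, the port match; on iOS only the hostname counts;
  * no matching row means no tunneling.
Assumptions (not on the page): '*' behaves like a shell glob, and a URL
without an explicit port uses the scheme default (443 for https, 80 for http).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AppTunnelRow:
    url_wildcard: str            # hostname pattern, may contain '*'; no scheme
    sentry: str                  # Standalone Sentry selected for this row
    service: str                 # AppTunnel service on that Sentry, usually "<ANY>"
    port: Optional[int] = None   # Port field; only consulted on Android


def validate_row(row: AppTunnelRow) -> None:
    """Raise ValueError for combinations the setting description rules out."""
    if "://" in row.url_wildcard:
        raise ValueError("URL Wildcard must not include a URI scheme")
    has_wildcard = "*" in row.url_wildcard
    if has_wildcard and row.service != "<ANY>":
        raise ValueError("a wildcard hostname works only with the <ANY> service")
    named_service = row.service not in ("<ANY>", "<CIFS_ANY>")
    if not has_wildcard and named_service and row.port is None:
        raise ValueError("Port is required for a literal hostname with a named service")


def select_row(rows: List[AppTunnelRow], url: str, platform: str) -> Optional[AppTunnelRow]:
    """Return the first row that the request matches, or None (no tunnel)."""
    if platform not in ("ios", "android"):
        raise ValueError(f"unknown platform {platform!r}")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Assumption: an implicit port follows the scheme (not stated on the page).
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for row in rows:
        if not fnmatchcase(host, row.url_wildcard.lower()):
            continue
        if platform == "android" and row.port is not None and row.port != port:
            continue
        return row          # first match wins; later rows are never consulted
    return None


def sample_rows() -> List[AppTunnelRow]:
    """Constructed sample rows (hostnames are placeholders, not real systems)."""
    rows = [
        # A literal host on a non-default port, routed through one Sentry.
        AppTunnelRow("intranet.example.com", "sentry-a.example.com", "<ANY>", 8443),
        # Catch-all for the rest of the internal domain, through another Sentry.
        AppTunnelRow("*.example.com", "sentry-b.example.com", "<ANY>"),
    ]
    for row in rows:
        validate_row(row)
    return rows


if __name__ == "__main__":
    rows = sample_rows()
    for url, platform in [
        ("https://intranet.example.com:8443/", "android"),
        ("https://intranet.example.com/", "android"),   # port 443, not 8443
        ("https://intranet.example.com/", "ios"),       # port ignored on iOS
        ("https://example.com/", "ios"),                # no row matches
    ]:
        row = select_row(rows, url, platform)
        print(platform, url, "->", row.sentry if row else "not tunneled")
```

The second and third requests in the demo are the same URL on the two platforms and land on different Sentrys, which is the ordering subtlety the table warns about: on Android the port mismatch makes the first row fall through to the catch-all row, while on iOS the first row wins on hostname alone.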
Devices running Web@Work for Android must also have Secure Apps Manager
installed. Optionally, they can have other AppConnect apps installed that interact with
Web@Work.
For details about uploading in-house Android apps, see Adding in-house apps for
Android on page 517.
https://support.mobileiron.com/mi/android-browser/current/
Use your credentials for MobileIron software downloads to access Web@Work for
Android. Contact Customer Support if your account does not have access to this
software.
Obtaining the Secure Apps Manager
Web@Work for Android requires that you also install the Secure Apps Manager on the
device. It is available at:
https://support.mobileiron.com/mi/android-secureapks/current
Obtaining other Android AppConnect apps that interact with Web@Work for
Android
You can also use the following AppConnect apps that interact with Web@Work for
additional secure functionality:
ThinkFree Document Viewer
File Manager (the File Manager with the SharePoint client app is sufficient)
https://support.mobileiron.com/mi/android-secureapks/current
Section III: System Management
Overview of System Manager
Configuring MobileIron Core System Settings
Configuring MobileIron Core Security Settings
Configuring MobileIron Core Maintenance Settings
Troubleshooting
Chapter 18
Overview of System Manager
Getting started
Logging out
Select the Sign Out link in the upper right corner to exit.
Saving a configuration
If you want to save configuration settings in the System Manager, click the Save link in
the upper right corner of the System console.
Why: System Manager does not automatically save changes you make to system settings. Though these settings are retained if you log out, rebooting MobileIron Core without saving these settings would return Core to its previously-saved configuration.
Chapter 19
Configuring MobileIron Core System Settings
Overview
The Settings page in System Manager contains links for configuring MobileIron Core.
The following table summarizes the tasks associated with each link.
Interfaces
The Settings > Interfaces screen enables you to change parameters for the network interface points for MobileIron Core:
- physical and VLAN interfaces
- static routes
IP: Enter the IP address of the physical network interface.
Unless you are configuring a standalone implementation for a small trial, you should specify at least one physical interface.
Mask: Enter the netmask of the physical network interface.
ACL Name: Select an Access Control List for this interface. See Access Control Lists on page 724.
Admin State: To enable this interface for use with the MobileIron system, click Enable. To temporarily prevent use of this interface with the MobileIron system, click Disable.
3. Click Save.
VLAN ID: Specify a number between 2 and 4094.
IP Address: Enter the IP address for this VLAN interface.
Mask: Enter the netmask for this VLAN interface.
Physical Interface: Select the physical interface that corresponds to this VLAN interface.
ACL Name: Select an Access Control List for this interface. See Access Control Lists on page 724.
Admin State: To enable this interface, click Enable. To temporarily suspend use of this VLAN, click Disable.
3. Click Save.
Routes
The Settings > Network > Routes screen enables you to create and maintain static
network routes within the enterprise.
Network: Enter the network IP address.
Mask: Enter the subnet mask.
Gateway: Enter the IP address for the gateway.
3. Click Save.
2. Click Delete.
Host name: Specify the fully-qualified host name for the appliance.
Default Domain: Specify the default domain for the appliance.
Preferred DNS Server: Specify the IP address of the primary DNS server to use.
Alternate DNS Server 1: Specify the IP address of an optional alternate DNS server.
Alternate DNS Server 2: Specify the IP address of an optional alternate DNS server.
2. Click Save.
Static Hosts
The Static Hosts page enables you to edit the hosts file. Use this feature in the following cases:
- DNS is not available or does not resolve the necessary names
- DNS resolves the hostname to the external IP, but you want the traffic to go via the internal IP
Adding hosts
To add a host:
1. Click the Add button.
IP Address: The IP address for the host you are adding.
FQDN: The fully-qualified domain name for this host, as in appdoc1.mycompany.com.
Alias: The alias for this host.
3. Click Save.
Editing hosts
To edit a host, click the IP address for the host displayed in the Static Hosts screen.
Deleting hosts
To delete a host:
1. In the Static Hosts screen, select the host to be deleted.
2. Click the Delete button.
Time Source: Select NTP if you intend to specify one or more NTP servers. Select Local if you intend to set the system time for the MobileIron Server.
If you select NTP:
Primary Server: Specify the IP address or fully-qualified host name for the NTP server to use.
Secondary Server: Specify the IP address or fully-qualified host name for the first failover NTP server to use.
Tertiary Server: Specify the IP address or fully-qualified host name for the second failover NTP server to use.
If you select Local:
Date: Enter the current date.
Time: Enter the current time.
2. Click Save.
CLI
The CLI screen displays the command line interface access settings specified during configuration. Use this screen to alter these settings.
1. Use the following guidelines to complete the fields:
Enable Secret: Click the Change Enable Secret link to specify the password required to access important functions in the CLI.
Confirm Enable Secret: Re-enter the specified password to confirm. This field displays only if you click the Change Enable Secret link.
CLI Session Timeout: Specify the duration of inactivity on the Telnet or SSH connection that should cause the session to time out.
SSH: Select Enable if you want to allow SSH access to the MobileIron Administration tool.
Max SSH Sessions: Specify the maximum number of simultaneous SSH sessions to allow.
Telnet: Select Enable if you want to allow Telnet access to the MobileIron Administration tool.
Max Telnet Sessions: Specify the maximum number of simultaneous Telnet sessions to allow.
2. Click Save.
Syslog
Use the Syslog screen to configure any remote log servers you have set up on your network. Logs are then written to both the syslog location and the local log location.
Server: Enter the IP address or host name for the remote log server.
Log Level: Select the log level from the displayed list.
Admin State: Select Enable from the dropdown list to apply these settings to your current configuration. Select Disable to suspend use of the configured log server.
Splunk Forwarder
The Splunk Forwarder is a service on MobileIron Core that forwards information about Core, including device information and system health logs, to a Splunk indexer for indexing.
For information on the device fields that are provided, see the Data Dictionary section in the MobileIron Core Reporting Database Guide.
Before you configure a Splunk indexer on MobileIron Core, you must enable the Splunk Forwarder service in Settings > Services. The Core data is forwarded to the configured Splunk indexer.
Field Description
Splunk Indexer: IP address for the Splunk indexer. You can enter only one IP address. If you have multiple Splunk indexers, configure a separate instance for each Splunk indexer.
Port: Port number on which the Splunk indexer is listening.
Enable SSL: Secures the connection between MobileIron Core and the Splunk indexer. SSL requires the appropriate configuration on the Splunk indexer.
4. Click OK.
5. Restart the Splunk Forwarder service to connect to the indexer.
To restart the Splunk Forwarder service, disable then enable the service.
After you restart the Splunk Forwarder service, the Status for the Splunk Indexer
shows as Connected.
If the status is Not Connected, check the IP address and the Port for the Splunk
Indexer.
Note: The Splunk Forwarder service forwards the MobileIron Core system health logs
at an interval set on the Splunk indexer.
SNMP
Use the SNMP screen to manage SNMP trap receivers. MobileIron currently supports
link up/down traps and the host-resources MIB file.
Email Settings
Use the Email Settings screen in the System Manager portion of the portal to set up
the SMTP server access required for MobileIron email alerts, such as policy violation
alerts. In the US and certain other countries, the SMTP server settings are also
required for alerts sent via SMS. In a few cases, the SMTP server may be used to
transmit a control command to certain devices.
1. From the Settings screen, click the Email Settings link in the navigation pane.
Field Description
From Email: Specify the email address to use in the From field for all administrative email notifications.
SMTP Server: Specify the IP address or fully-qualified host name for the SMTP server the MobileIron Server will use.
SMTP Server Port: Specify the port configured for the SMTP server.
Protocol: If the SMTP server you are configuring is a secured server, that is, it uses the SMTPS protocol, then select the SMTPS button. Otherwise, leave SMTP selected.
Authentication Required: Specify whether this SMTP server requires authentication. In most cases, this field will be set to Yes.
User Name: If you select Yes for Authentication Required, then this field displays. Enter the user name required for SMTP authentication.
Password: If you select Yes for Authentication Required, then this field displays. Enter the password required for SMTP authentication.
Confirm Password: If you select Yes for Authentication Required, then this field displays. Confirm the password required for SMTP authentication.
Port Settings
Use the Port Settings screen to change settings, if necessary, for the following MobileIron services:
Sync Service
Sync TLS
Help Desk
Provisioning
Each must have a unique port. Changes to the default settings are seldom necessary.
Making changes to these settings requires re-registering phones, so use caution when
making changes.
Provision protocol (http/https) is also specified in this screen. Port 443 is entered
automatically for https and cannot be changed. Note that changing this protocol does
not automatically change the associated port. You must manually specify 443 for the
https provisioning port, or 8080 for the http provisioning port.
Modifying the values for the Provision Protocol or Provisioning Port fields updates the
Local CA URLs for the CRL distribution point and the CA certificate access location for
newly issued certificates. Previously generated certificates will continue to reference
the old location.
To use the new values for these fields, remove the previously issued certificates from
MIFS > Log > Certificate Log. MobileIron Core pushes the updated setting to the
device(s) on the next device check-in.
If you change the provisioning port after generating a certificate signing request, you
must generate a new CSR and replace the old certificate with the newly returned
certificate in Admin Portal in Settings > Local Certificate Authorities.
configure the sync service to use 9999, then you must open port 9999.
Note: The Provisioning Protocol and Provisioning Port settings do not apply to Windows Phone 8 (WP8) devices. WP8 devices use https and port 443.
Data Purge
MobileIron Core stores significant amounts of data, such as:
call records
SMS records
data records
backup snapshots
log files
client logs
notification tables
Every four hours, MobileIron Core automatically purges client logs and notification
tables. You can automatically or manually purge the remaining stored data. Purging
enables you to:
manage system storage
fulfill corporate or legal requirements for data disposal
For example, a production system managing thousands of phones can exhaust available system storage. In addition, certain industries and countries must adhere to legal mandates requiring purging of data after a number of years.
You can configure auto-purging based on either the amount of system storage used or
the age of the data stored. To configure auto-purging:
1. In System Manager, go to Settings > Data Purge.
Select or clear checkboxes to indicate whether the following types of data should be
purged:
Manual purging
You can perform ad hoc data purging. See Manually purging data (system storage)
on page 742 for information.
See the Reporting Database Guide for information on configuring and using the
Reporting Database.
4. Under Data to Export, select or clear data categories to specify the data to export
or omit.
The Device option is required and cannot be cleared.
5. Select a frequency from the Run RDB Export Every drop-down.
6. Select a retention time from the Retain Export Data For drop-down.
7. Click Apply.
Services
Use the Settings > Services screen to enable or disable the following MobileIron services:
Core: Core MobileIron service.
Atlas: Atlas reporting console. See the Atlas Administration Guide for more information.
Splunk Forwarder: Splunk Forwarder service.
Running is not a live link to the Splunk Forwarder service.
When you disable the Splunk Forwarder service, you also disable the connection to the Splunk indexers configured in Settings > Splunk Forwarder.
If you re-enable the Splunk Forwarder service, MobileIron Core connects to the indexers configured in Settings > Splunk Forwarder.
Reporting Database Exporter: MobileIron RDB (Reporting Database).
Enabling the Reporting Database Exporter allows the Reporting Database to extract
the relevant MobileIron Core data.
Chapter 20
Configuring MobileIron Core Security Settings
Overview
The Security page in System Manager contains links for configuring aspects of MobileIron Core access. The following table summarizes the tasks associated with each link.
Field Description
User ID: Enter the unique identifier to assign to this user. The user ID is case sensitive.
First Name: Enter the user's first name.
Last Name: Enter the user's last name.
Password: Enter a password for the user.
Passwords must have at least 8 characters.
Passwords must contain at least 1 alphabetic character.
Passwords must contain at least 1 numeric character.
Passwords cannot have 4 or more repeating characters.
Passwords cannot be the same as the user ID.
Passwords may contain Unicode characters, except for CLI access.
Users cannot change a password more than once during a 24 hour period.
4. Click Apply.
5. Click Save.
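As an added example (not MobileIron's code), the following Python applies the password rules from the table above to a candidate password before it is submitted; the repeating-character rule is read as four or more identical characters in a row (an assumption), and the CLI-only Unicode restriction is driven by an assumed cli_access flag.

```python
"""Local-user password policy check.

Added example, not MobileIron's code: it applies the rules listed in the
Password field description above. The "4 or more repeating characters" rule is
read here as the same character four or more times in a row (an assumption),
and the Unicode restriction is applied only when cli_access is set.
"""
import re
from datetime import datetime, timedelta
from typing import List

MIN_LENGTH = 8
REPEAT_RUN = re.compile(r"(.)\1{3,}")        # one character repeated 4+ times in a row
CHANGE_INTERVAL = timedelta(hours=24)        # at most one password change per 24 hours


def password_violations(password: str, user_id: str, cli_access: bool = False) -> List[str]:
    """Return the rules the candidate password breaks; an empty list means it is acceptable."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        violations.append("no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        violations.append("no numeric character")
    if REPEAT_RUN.search(password):
        violations.append("4 or more repeating characters")
    if password == user_id:
        violations.append("same as the user ID")
    # Unicode is allowed in portal passwords but not for CLI access (assumed flag).
    if cli_access and not password.isascii():
        violations.append("Unicode characters are not allowed for CLI access")
    return violations


def change_allowed(last_changed_iso: str, now_iso: str) -> bool:
    """Users may change a password at most once in a 24 hour period.

    Both arguments are ISO 8601 timestamps, e.g. '2024-01-01T09:00:00'.
    """
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= CHANGE_INTERVAL


if __name__ == "__main__":
    # Constructed sample candidates checked for a CLI-capable user "jsmith99".
    for candidate in ("Summer2024", "Ab1", "paaaas1word", "jsmith99", "pässwort1"):
        result = password_violations(candidate, "jsmith99", cli_access=True)
        print(f"{candidate!r}: {', '.join(result) if result else 'ok'}")
    print("change allowed after 11h:", change_allowed("2024-01-01T09:00:00", "2024-01-01T20:00:00"))
```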
Certificate Mgmt
Use the Certificate Mgmt feature to fulfill certificate requirements your organization
may have for the MobileIron appliances or the TLS client. You can:
Generate a self-signed certificate
Generate a CSR for a certificate authority
You should also use this page to upload the required certificates.
Note: When you update a certificate, you are prompted to confirm that you want to proceed because the HTTP service needs to be restarted, resulting in service disruption.
2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.
Component Requirements
Appliance: Private key file, certificate file, and root CA certificate file (without password).
To generate a CSR:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.
Field Description
Common Name: Enter the server host name.
E-Mail: Enter the email address of the contact person in your organization who should receive the resulting certificate.
Company: Enter the name of the company requesting the certificate.
Department: Enter the department requesting the certificate.
City: Enter the city in which the company is located.
State: Enter the state in which the company is located.
Country: Enter the two-character abbreviation for the country in which the company is located.
Key Length: Select 1024 or 2048 to specify the length of each key in the pair. Longer keys provide stronger security, but may impact performance.
5. Click Generate.
A message similar to the following displays.
6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file.
8. Click Close.
9. Submit the file you created in step 6 to the certifying authority.
Uploading certificates
When you receive the CA certificate from the certifying authority:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For MobileIron Core, click the Manage Certificate link for Portal HTTPS. For the
MobileIron Client, click the Manage Certificate link for Client TLS.
Viewing certificates
To view a Portal HTTPS or Client-TLS certificate:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. Click the View Certificate link for the certificate type you want to view.
Each ACL consists of one or more access control entries (ACEs). Configuring ACLs
requires the following tasks:
1. Configure entries for each network and host requiring an ACL.
2. Configure entries for any network services requiring an ACL.
3. Create an ACL.
To add an ACL:
1. Click Add.
Field Description
Source Network: Select the network from which access will originate. This list is populated with the networks and hosts you created for use with ACLs. See Networks and Hosts on page 728.
Destination Network: Select the network being accessed. This list is populated with the networks and hosts you created for use with ACLs. See Networks and Hosts on page 728.
Service: Select the network service to which this entry permits or denies access. This list is populated with the services you created for use with ACLs. See Network Services on page 730.
Action: Select Permit or Deny from the dropdown list.
Connections Per Minute: Enter the number of connections to allow per minute.
Description: Enter text to describe the purpose of this entry.
7. Click Save.
Editing an ACL
To edit an existing ACL:
1. Click the name in the ACLs list.
2. To delete an ACE, click its checkbox and click Delete.
3. To add an ACE, click Add.
4. To insert an ACE, select the ACE above which you want to insert a new ACE and click Insert.
5. Click Save.
Copying an ACL
To start a new ACL based on an existing one:
1. Select the ACL to be copied.
2. Click the Copy button.
Deleting an ACL
To delete an ACL:
1. Select the ACL to be deleted.
2. Click Delete.
Field Description
Name: Enter a name to use to identify this host or network.
Description: Enter additional text to provide supporting information about this host or network.
Type: Select Subnet or Host from the dropdown menu.
Network/Host: Enter the IP address for this network or host.
3. Click Save.
This host or network will now be available for ACLs configured in the ACLs screen.
Network Services
Use the Network Services screen to manage available services. MobileIron prepopulates this screen with common services.
To add a service:
1. Click Add.
Field Description
Name: Enter a name to use to identify this service.
Description: Enter additional text to provide supporting information about this service.
Type: Select TCP, UDP, or IP from the dropdown menu.
Source Port: Enter the number of the source port for this service. Enter 0 to allow any source port.
Destination Port: Enter the number of the destination port for this service. Enter 0 to allow any destination port.
3. Click Save.
Portal ACLs
Use Portal ACLs to further restrict access to various portals within MobileIron Core.
To enable an ACL:
1. Select the checkbox for the component you want to work with. The following table
describes each component.
Component Description
MyPhone@Work User Portal: The MyPhone@Work portal that enables device users to access a website, download apps, manage contacts, and so on.
Admin Portal Portal: The Admin Portal portion of the Admin Portal.
System Manager Portal: The System Manager portion of the Admin Portal.
Sentry Connection: The MobileIron Sentry installed for ActiveSync access control.
API Connection: The MobileIron Web Services API.
iOS MDM: The iOS MDM service for profile management.
iOS iReg URL: The iReg service that enables provisioning iOS devices without installing the MobileIron iOS app.
App Storefront Connection: The app management service for iOS.
2. Enter the IP address or network/mask pair to specify servers or networks that may
access this component. Separate the entries with spaces.
Examples:
100.0.0.0 150.0.0.0
101.0.0.0 10.0.0.0/255.255.255.0
You must use the expanded form of the mask. Do not specify an entry similar to
10.0.0.0/24.
If your MobileIron Core is behind a NAT, enter the IP of the NAT network.
Note: Remember that the Sentry must be able to access Core. If it does not have
access, then the ActiveSync Devices page will not display devices.
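As an added example (not MobileIron's code), the following Python checks a Portal ACL entry string in the format described above: it flags prefix-length masks such as 10.0.0.0/24, accepts the expanded form, and reports whether a given client address is covered; the missing_sources helper is an added check for the Sentry note, not a Core feature.

```python
"""Portal ACL entry check.

Added example, not MobileIron's code: it parses an entry string in the format
described above (hosts and network/mask pairs separated by spaces, masks in
expanded dotted-decimal form only), reports entries that would be rejected,
and checks which client addresses the list allows. missing_sources is an added
use for the Sentry note above, not a Core function.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_portal_acl(entry_string: str) -> Tuple[List[IPv4Net], List[str]]:
    """Return (networks, errors).

    A bare address becomes a /32 host entry; 'addr/mask' requires a dotted-decimal
    mask. Prefix lengths such as /24 are reported as errors, as the page says they
    are not accepted. Non-contiguous masks and malformed addresses are errors too.
    """
    networks: List[IPv4Net] = []
    errors: List[str] = []
    for token in entry_string.split():
        try:
            if "/" in token:
                addr, mask = token.split("/", 1)
                if "." not in mask:
                    raise ValueError("use the expanded mask form (e.g. /255.255.255.0), not a prefix length")
                # strict=False lets an address inside the subnet stand for the subnet.
                networks.append(IPv4Net((addr, mask), strict=False))
            else:
                networks.append(IPv4Net(token))  # single host, i.e. /32
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return networks, errors


def client_allowed(entry_string: str, client_ip: str) -> bool:
    """True if client_ip falls inside any host or network entry in the list."""
    networks, _ = parse_portal_acl(entry_string)
    client = ipaddress.IPv4Address(client_ip)
    return any(client in net for net in networks)


def missing_sources(entry_string: str, required_ips: List[str]) -> List[str]:
    """Addresses that must reach this component (for example the Sentry's address
    for the Sentry Connection component) but that the entry list does not cover."""
    return [ip for ip in required_ips if not client_allowed(entry_string, ip)]


if __name__ == "__main__":
    # Constructed sample entries in the format the page shows.
    acl = "101.0.0.0 10.0.0.0/255.255.255.0"
    print(parse_portal_acl(acl))
    print(parse_portal_acl("10.0.0.0/24"))                   # rejected: prefix length
    print(client_allowed(acl, "10.0.0.77"))                   # True
    print(missing_sources(acl, ["10.0.0.5", "192.168.1.9"]))  # ['192.168.1.9']
```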
Chapter 21
Configuring MobileIron Core Maintenance Settings
Overview
See the upgrade documentation for a specific release for instructions on when and
how to use this screen.
2. Click Export.
Importing a configuration
You can import a MobileIron Server configuration from a local XML file or FTP site:
1. Click Import Configuration.
Rebooting
You can reboot the MobileIron Server to clear the current configuration settings and
restart all server modules:
1. Click Reboot in the navigation pane.
2. Specify the age of the data to be purged in the Delete data older than field.
3. Click Purge Now.
See Specifying what gets purged on page 708 for information on selecting the data
to purge.
Pre-requisites
Sufficient disk space at the destination to store the archive
Protocol-specific requirements described in the following table
Protocol Pre-requisites
NFS: Port 2049 open from MobileIron Core to the NFS server. Note: The NFS option assumes that user authentication is not required for the specified server. Therefore, we recommend using IP ACLs to restrict NFS mounts to MobileIron Core.
SCP: Port 22 open from Core to the backup location.
FTP: Port 21 open from Core to the FTP server.
CIFS: Ports 137 (UDP), 138 (UDP), 139 (TCP), and 445 (TCP) open from Core to the Windows share server.
Backup settings
Complete the following steps to configure the destination and schedule for backups:
1. In System Manager, select Maintenance > System Backup.
2. Use the following guidelines to complete the System Backup Configuration section.
3. Click Save.
Enabling backups
To enable the configured backup schedule, select Enabled in the System Backup Control section.
Backup file
The name of the resulting file has the following format:
<Core_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz
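As an added example (not MobileIron's code), the following Python parses backup file names of this format so a retention script can pick the newest archive or list those past a cutoff; the retention helpers are an added use, since the page only defines the name format.

```python
"""Backup file name parser.

Added example, not MobileIron's code: it parses names in the format shown above,
<Core_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz, so a retention script can pick the
newest archive and list the ones taken before a cutoff. Retention handling is
an added use; the page only defines the name format.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# The FQDN may itself contain hyphens, so anchor on the literal "-backup-" and
# the fixed-width timestamp that follows it.
BACKUP_NAME = re.compile(
    r"^(?P<fqdn>.+)-backup-(?P<stamp>\d{4}-\d{2}-\d{2}--\d{2}-\d{2}-\d{2})\.tgz$"
)
STAMP_FORMAT = "%Y-%m-%d--%H-%M-%S"


def parse_backup_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (fqdn, ISO 8601 timestamp), or None if the name is not a Core backup
    (wrong shape, or a timestamp such as month 13 that does not parse)."""
    match = BACKUP_NAME.match(name)
    if not match:
        return None
    try:
        taken = datetime.strptime(match.group("stamp"), STAMP_FORMAT)
    except ValueError:
        return None
    return match.group("fqdn"), taken.isoformat()


def newest_backup(names: List[str]) -> Optional[str]:
    """Name of the most recent valid backup in the list, or None if there is none."""
    valid = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is not None:
            valid.append((parsed[1], name))   # ISO timestamps of this shape sort as strings
    return max(valid)[1] if valid else None


def backups_older_than(names: List[str], cutoff_iso: str) -> List[str]:
    """Valid backup names taken strictly before cutoff_iso (e.g. '2024-03-01T00:00:00')."""
    cutoff = datetime.fromisoformat(cutoff_iso).isoformat()
    older = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is not None and parsed[1] < cutoff:
            older.append(name)
    return older


if __name__ == "__main__":
    # Constructed sample directory listing; only the .tgz names follow the format.
    listing = [
        "core-01.example.com-backup-2024-02-01--02-30-00.tgz",
        "core-01.example.com-backup-2024-03-06--02-30-00.tgz",
        "notes.txt",
    ]
    print(parse_backup_name(listing[0]))
    print("newest:", newest_backup(listing))
    print("older than 2024-03-01:", backups_older_than(listing, "2024-03-01T00:00:00"))
```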
Requirements
The MobileIron Core version used to create the backup must be used to restore the
backup.
Confirm that the location of the backup file is easily accessible to ensure that the
upload process does not time out. Uploading the file should complete within 15
minutes.
Procedure
Complete the following steps to restore your MobileIron Core from a backup:
1. Configure a new MobileIron Core or reset the existing Core to the factory default
state.
2. Move the backup file to a location that is reachable from System Manager.
3. In System Manager, select Maintenance > System Backup.
4. Scroll down to the Restore System section.
5. Click Browse.
6. Select the backup file.
7. Click Restore.
When the process is complete, a message displays prompting you to reboot.
8. If prompted to save the configuration, click Yes.
9. If you chose to configure a second MobileIron Core instead of resetting the original,
power down the original to prevent IP conflicts.
10. Select Maintenance > Reboot.
To address these situations, use the Exclude System Configs on Restore option.
Restoring a system in this manner does not provide a replacement MobileIron Core.
You can use this restored system to view data or as the basis for a replacement system.
Chapter 22
Troubleshooting
Overview
Working with logs
Network monitor
Service diagnosis
Overview
Use the Troubleshooting page in the System console to investigate possible problems
with MobileIron operation. In most cases, you will use this page under the direction of
MobileIron Customer Support.
Module Description
MICS: MobileIron Configuration Service (i.e., the service that supports System Manager)
Employee: MyPhone@Work Portal (employee portal)
2. For MIFS (MobileIron File Service), which represents the rest of MobileIron Core,
select:
a. In the MIFS Debugging section, use the Package drop-down to select an area to
include in the log.
b. Use the Log level drop-down to select the level of detail you want to include.
c. Click the + icon to add additional packages and log levels.
3. Click Apply.
Disabling debugging
You can disable all debugging or you can select the modules for which you want to disable debugging.
Clearing logs
Clearing logs enables you to discard information for previous events, making it easier
to isolate the information you need. To clear all logs, click Clear All Logs under Troubleshooting > Logs.
Viewing logs
The Troubleshooting screen enables you to view the contents of debug logs directly
from the console. Debugging must be enabled. The following table lists the available
logs:
To view a log:
1. In the View Module Logs section, click the link for the log you want to view.
The displayed window shows the most recent log entries. The window scrolls
dynamically as MobileIron Core adds entries to the log.
2. Click x to close the log view.
Note: If you close the log view window and then re-open it, the displayed window
shows only log entries made since you closed the window.
2. Select User or Phone to specify whether you want to view logs by user or device.
3. Enter the user name or phone number.
4. Click View Log.
Exporting logs
You can upload logs directly to the default support site or a designated alternate site.
To upload logs:
1. Select Troubleshooting > Logs.
2. Scroll down to the Export Logs section.
3. Select the log to download.
4. Select a database option.
Show tech logs can include database information that some companies consider too
sensitive to send to MobileIron Customer Support. Therefore, you can use the
Database Options to specify whether to include data and whether to remove potentially sensitive information from the output.
The following options are available:
Sanitize: Remove sensitive information. This is the default selection.
Standard: Sensitive information included.
No Database: All database information omitted.
5. Select SFTP Upload, HTTPS Upload or Download from the Type drop-down list,
depending on the method you want to use.
6. If you received a MobileIron support ticket number associated with this export,
enter it in the Support Ticket Number field.
7. If you selected SFTP Upload or HTTPS Upload, select the Alternate Location check
box and configure a backup location or user authentication in case transmission to
the primary server or user fails.
If you receive technical support from a MobileIron partner instead of directly from
MobileIron, then you will need to obtain an alternate location from your vendor.
The following additional fields for the alternate location are displayed:
Host/IP or URL (e.g., https://support.mobileiron.com)
User Name
Password
Confirm Password
8. Click SFTP Upload, HTTPS Upload or Download.
Note that changing the debug mode (log verbosity) here overrides the settings configured in the Sentry user interface.
4. Click Submit.
The updated debug status is communicated to the Sentry and reflected in the Sentry
user interface the next time you refresh the Sentry Logs page.
If you selected Sentry, the Sentry is set to log at Level 1 and becomes enabled.
If you selected Sentry HTTP Packet Trace, the Sentry is set to log at Level 2 and
becomes enabled.
Network monitor
The Network Monitor screen enables you to produce a TCP dump for one of the MobileIron Server physical interfaces. The information provided might assist in troubleshooting device connectivity problems. Click Download to store the results in a pcap file.
Option Description
Interface: Select the physical interface for which you want to produce a tcp dump.
Filter: Not implemented.
Snap Length: Not implemented.
Max no. of Packets: Specifies the number of packets after which the capture should stop. The default value is 1000. Acceptable range of values is 1 to 1000000.
Service diagnosis
You can use the Service Diagnosis page under Troubleshooting to check the health of
the following services:
NTP
BES
Sentry
Email
DNS
MobileIron Gateway
SCEP
MapQuest
APNs
MobileIron support site
Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.
Section IV: Command Line Interface (CLI)
Chapter 23
About CLI
The CLI, or command line interface, enables authorized administrators to access certain functions from the command line in a terminal window.
Logging in
1. Use ssh or telnet to log in to the server.
2. Log in as the administrator user established during installation.
3. Enter the corresponding password.
Logging out
Use Ctrl-d to terminate the CLI session and close the terminal window. You can also
enter one of the following commands:
logout
exit
Help commands
Two commands are available to help you use the CLI:
help
?
Auto-complete keys
Movement keys
Deletion keys
Enter ? to list available commands in the current mode or details for the current command.
For example, the following command lists all commands in the current mode:
>?
Note that the list of available commands varies according to the mode you are in. See
Modes on page 763.
Auto-complete keys
The following keys provide auto-completion capabilities:
Enter
Auto-completes the command line, performs syntax checking, and executes the
command if no syntax error exists. If a syntax error exists, help text is displayed.
Spacebar
Auto-completes the command.
Movement keys
[CTRL-A] Move to the start of the line
[CTRL-E] Move to the end of the line.
[up] Move to the previous command line held in history.
[down] Move to the next command line held in history.
[left] Move the insertion point left one character.
[right] Move the insertion point right one character.
Deletion keys
[CTRL-C] Delete and abort the current line.
[CTRL-D] Delete the character to the right on the insertion point.
[CTRL-K] Delete all the characters to the right of the insertion point.
[CTRL-U] Delete the whole line.
[backspace] Delete the character to the left of the insertion point.
Modes
The CLI uses the following modes:
EXEC
Default mode established when you log in successfully.
EXEC PRIVILEGED
Privileged mode, enabling commands that affect device management.
CONFIG
Configuration mode, enabling commands that affect network management. In this mode, you can use the Tab key to cycle through the available commands and subcommands.
INTERFACE
Mode for configuring physical and VLAN interfaces.
Mode | Accessible through... | Command to access | Return to the previous mode
EXEC | The default mode | Not applicable | exit (exits the CLI session)
EXEC PRIVILEGED | EXEC mode | enable | disable
CONFIG | EXEC PRIVILEGED mode | configure terminal | end
INTERFACE | CONFIG mode | interface GigabitEthernet n, or interface vlan n | end
Command Description
enable: Accesses privileged commands.
exit: Closes the terminal window.
help: Describes the interactive help system.
host: Performs a DNS lookup for a specified IP address or host name.
logout: Closes the terminal window.
ping: Sends echo messages.
show: Shows running system information:
show banner
show clock
show hostname
show interfaces
show ip
show log
show logging
show logtail
show memory
show ntp status
show processes
show service
show software repository
show tcp
show timeout
show version
timeout: Sets the idle timeout for the CLI.
traceroute: Traces the route to a destination.
enable
Enables EXEC PRIVILEGED mode for access to advanced commands.
Prompts for the enable-secret password, which is the system password initially set
during installation. Entering the correct password changes the command line prompt
from > to #.
Example:
> enable
Password:
#
exit
Exits the EXEC mode and closes the terminal window.
help
Displays a description of the interactive help system, including:
Auto-completion keys
Movement keys
Deletion keys
host
Queries Internet name servers to perform a DNS lookup. Specify one of the following
parameters:
Parameter Description
hostname: The host name of the destination server to look up.
IP address: The IP address of the destination server to look up.
This command returns the hostname of the server if you specify an IP address, and it
returns the IP address if you specify the hostname.
Note: This command executes the Linux command nslookup. See Linux man pages for
more information.
Example:
>host yahoo.com
Server: 172.16.0.1
Address: 172.16.0.1#53
Non-authoritative answer:
Name: yahoo.com
Address: 98.137.149.56
Name: yahoo.com
Address: 98.139.180.149
Name: yahoo.com
Address: 209.191.122.70
Name: yahoo.com
Address: 72.30.2.43
logout
Exits from the EXEC mode and closes the terminal window.
ping
Sends echo messages. This command pings the destination server that the parameter
specifies.
Parameter Description
hostname: The destination's host name.
IP address: The destination's IP address.
Example:
>ping yahoo.com
show banner
Displays the banner that was displayed when you logged on to the command line
interface.
Example:
>show banner
************************************************************
* MobileIron Core CLI *
* *
* *
************************************************************
Welcome user it is Tue Dec 13 21:27:03 UTC 2011
show clock
Displays the current system date, time, and time zone.
Example:
> show clock
Displaying system clock details
Tue Dec 13 21:25:12 UTC 2011
show hostname
Displays the hostname for MobileIron Core.
Example:
>show hostname
appname.domain.com
show interfaces
Displays the configuration of the network interfaces configured for MobileIron Core.
Example:
>show interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:6b:c6:23 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:2d brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:37 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:41 brd ff:ff:ff:ff:ff:ff
show ip
Displays IP information.
Parameter Description
arp Displays the physical network address that corresponds to the IP address of MobileIron Core. ARP is Address Resolution Protocol, a low-level network protocol.
domain-name Displays the domain name of MobileIron Core.
interface brief Displays IP interface status and configuration. Add the following parameters to the command:
<ifacename> <interfaceid>
The <ifacename> is either GigabitEthernet or VLAN.
The <interfaceid> has the value 1 to 4 for GigabitEthernet and 1 - 4094 for VLAN.
These interfaces are configured using the System Manager in the Admin Portal. See Managing network interfaces on page 687.
name-server Displays the IP addresses of the Internet name servers that MobileIron Core uses.
The name servers are configured using the System Manager in the Admin Portal. See DNS and Hostname on page 692.
route Displays the routing table of Core. These static network
routes are configured using the System Manager in the
Admin Portal. See Routes on page 690.
Example:
>show ip domain-name
+------------------
Domain Name
+------------------
mydomain.com
>show ip route
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
default via 10.10.1.1 dev eth0
Note: In the show ip route output, default means that the network and mask are
both 0.0.0.0.
show log
Displays the log file that the parameter specifies.
The command takes one parameter that is the name of the log file. The following table
lists the log file names you can use:
Example:
> show log mifs.log
> --log 'tomcat/mifs.log' --
show logging
Displays the configured syslog server information:
IP address
log level
state
This information is configured in the System Manager, in Settings > Syslog. See Syslog on page 698.
The log level values displayed by this command correspond to the configured log levels as follows:
Example:
>show logging
+--------------+--------------+---------------
IP Address + Loglevel + State
+--------------+--------------+---------------
myLogserver.com 5 enable
show logtail
Displays the last ten lines (the tail) of the specified log. The command takes one
parameter that is the name of the log file. See show log on page 768 for the list of
available log files.
Example:
>show logtail mifs.log
--log 'tomcat/mifs.log' --tail --
/mi/tomcat2/webapps/mics/WEB-INF/pages/include.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/index.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles/mobir.css
/mi/tomcat2/webapps/mics/WEB-INF/pages/listRadius.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/micsLogin.jsp
/mi/tomcat2/webapps/mics/WEB-INF/remoting-servlet.xml
/mi/tomcat-properties/license.properties
/mi/tomcat-properties/datapurge.properties
/mi/tomcat-properties/mifs.properties
show memory
Displays information about free and used memory on MobileIron Core.
This command executes the Linux command free. See Linux man pages for more
information.
Example:
> show memory
total used free shared buffers cached
Mem: 2135892 2065440 70452 0 146848 456292
-/+ buffers/cache: 1462300 673592
Swap: 4192956 12 4192944
You can configure the NTP servers using the System Manager in the Admin Portal. See
Date and Time (NTP) on page 695.
Example:
>show ntp status
+-----------+--------------------+
Index + NTP Server +
+-----------+--------------------+
0 172.16.0.1
show processes
Displays the processes running on MobileIron Core.
Note: This command executes the Linux command ps auxwww. See Linux man pages
for more information.
Example:
>show processes
show service
Displays the status for configured services such as Telnet, SSH, and NTP. You can
enable these services and set the maximum number of sessions using the System
Manager in the Admin Portal. See CLI on page 697.
Example:
>show service
+------------+-----------+---------------
Servicename + Enabled + Max.Sessions
+------------+-----------+---------------
ssh yes 5
telnet yes 5
ntp yes
Example:
>show software repository
+------------------------------------------+---------------+-----------
Software repository Username Password
+------------------------------------------+---------------+-----------
myRepositoryServer.com RepositoryUserId
show tcp
Lists information about all active TCP ports. This information provides traffic statistics
and can help identify network problems.
Note: This command executes the Linux command netstat -nat. See Linux man
pages for more information.
Example:
>show tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
.
.
.
show timeout
Displays the currently configured idle timeout for the CLI in minutes. The value 0 indicates no timeout. The timeout value is configured using the System Manager in the Admin Portal. See CLI on page 697.
Example:
>show timeout
+---------------------------
Cli Idle Timeout in Minute(s)
+---------------------------
show version
Displays the currently installed version of MobileIron Core software.
Example:
>show version
VSP 4.5.0 Build 47
timeout
Sets the idle timeout for the CLI. Enter the number of minutes between 0 and 9999.
Example:
>timeout 150
You can also set the CLI idle timeout using the System Manager in the Admin Portal.
See CLI on page 697.
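Captured output from show service, show timeout and show tcp can be checked mechanically for the settings a reviewer looks for first: telnet enabled, no CLI idle timeout, and services listening beyond loopback. The script below is an added example, not MobileIron's code; its captured outputs are constructed to match the layouts shown above, and the 15-minute idle limit is an assumed local policy.

```python
"""Audit captured MobileIron Core CLI output for weak management settings.

Added example, not part of the guide: it parses text in the layouts that
`show service`, `show timeout` and `show tcp` print and reports what a
reviewer would flag. All captured output below is constructed to match
those layouts; nothing here connects to an appliance.
"""

# Constructed sample: output of `>show service`
SHOW_SERVICE = """\
+------------+-----------+---------------
Servicename + Enabled + Max.Sessions
+------------+-----------+---------------
ssh yes 5
telnet yes 5
ntp yes
"""

# Constructed sample: output of `>show timeout` (0 means the CLI never times out)
SHOW_TIMEOUT = """\
+---------------------------
Cli Idle Timeout in Minute(s)
+---------------------------
0
"""

# Constructed sample: output of `>show tcp` (netstat -nat), trimmed
SHOW_TCP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 10.10.17.80:443 10.10.5.7:51234 ESTABLISHED
"""


def parse_services(text):
    """Map service name -> (enabled, max_sessions); max_sessions is None when absent."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the box-drawing rules and the column header.
        if not parts or parts[0].startswith("+") or parts[0] == "Servicename":
            continue
        enabled = len(parts) > 1 and parts[1].lower() == "yes"
        max_sessions = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None
        services[parts[0]] = (enabled, max_sessions)
    return services


def parse_timeout(text):
    """Return the CLI idle timeout in minutes, or None if no value line is present."""
    for line in text.splitlines():
        if line.strip().isdigit():
            return int(line.strip())
    return None


def parse_listeners(text):
    """Return [(local_ip, port)] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            ip, _, port = parts[3].rpartition(":")  # rpartition keeps IPv6 ':::' intact
            listeners.append((ip, int(port)))
    return listeners


def audit(service_text, timeout_text, tcp_text, max_idle_minutes=15):
    """Return a list of finding strings; an empty list means nothing was flagged.

    max_idle_minutes is an assumed local policy, not a value from the guide.
    """
    findings = []
    services = parse_services(service_text)
    if services.get("telnet", (False, None))[0]:
        findings.append("telnet is enabled: management logins cross the network in cleartext")
    timeout = parse_timeout(timeout_text)
    if timeout == 0:
        findings.append("CLI idle timeout is 0: abandoned sessions never expire")
    elif timeout is not None and timeout > max_idle_minutes:
        findings.append(f"CLI idle timeout {timeout} min exceeds the {max_idle_minutes} min limit")
    for ip, port in parse_listeners(tcp_text):
        if not ip.startswith("127."):
            findings.append(f"port {port} listens on {ip}: reachable beyond the appliance")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_SERVICE, SHOW_TIMEOUT, SHOW_TCP):
        print("FINDING:", finding)
```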
traceroute
Displays the network route to the specified destination.
Parameter Description
hostname The destination's host name.
IP address The destination's IP address.
Examples:
>traceroute 173.194.33.43
traceroute to 173.194.33.43 (173.194.33.43), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 4.808 ms 5.481 ms 6.112 ms
2 * * *
.
.
.
>traceroute google.com
traceroute to google.com (173.194.33.45), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 5.268 ms 5.933 ms 6.564 ms
2 * * *
.
.
.
Note: All EXEC mode commands, except enable and logout, are also available in EXEC
PRIVILEGED mode.
Command Description
clear arp-cache Clears the ARP cache on MobileIron Core.
configure terminal Enters configuration mode.
dbcleanup app_inventory Deletes duplicate and unused rows from
app inventory tables.
disable Returns to EXEC mode.
diskcleanup Removes retired devices' data and deleted apps from the disk.
diskcleanup retired_devices
diskcleanup trashed_apps
end Returns to EXEC mode.
failover Manages Core failover.
grubupdate Updates the grub configuration. Requires a
reload.
install rpm Installs VMware Tools.
no install rpm Deletes, resets, and disables various system configurations.
poweroff Turns off Core.
reload Halts Core and performs a cold restart.
service Performs operations on the Tomcat and
iptables services.
setup Runs the setup wizard to reconfigure an
installation.
show Shows running system information:
show portalacl
show running-config
show statichost
show system
show tech
show kparams
clear arp-cache
Clears the ARP cache on MobileIron Core, listing each cleared ARP entry. The ARP
cache stores a mapping of IP addresses with link layer addresses, which are also
known as Ethernet addresses and MAC addresses. If the mapping in the cache is stale,
use this command to clear the cache. A mapping can become stale, if, for example, an
IP address has moved to a new host.
Example:
#clear arp-cache
Deleting Arp Entry for 100.10.10.10
Deleting Arp Entry for 10.10.19.21
configure terminal
Enters configuration mode. See CONFIG commands on page 787 for the commands
you can enter in configuration mode.
Example:
#configure terminal
Enter configuration commands, one per line.
/config#
dbcleanup app_inventory
Deletes duplicate and unused rows from app inventory tables. Requires portal service
restart.
Example:
#dbcleanup app_inventory
Stopping tomcat: [ OK ]
AppInventry cleanup...
disable
Returns to EXEC mode.
Example:
#disable
>
diskcleanup retired_devices
Removes retired devices data from the disk.
Example:
#diskcleanup retired_devices
diskCleanup.pl - VSP disk cleanup script
-----------------------
Found 0 devices with devices data, removed 0 devices' data.
0 bytes freed up
-----------------------
diskcleanup trashed_apps
Removes deleted apps from the disk.
Example:
#diskcleanup trashed_apps
diskCleanup.pl - VSP disk cleanup script
[1] Finding app-catalog resources to delete...
==============================================
-----------------------
Found 0 files, removed 0 files
0 bytes freed up
-----------------------
end
Returns to EXEC mode.
Example:
#end
>
exit
Terminates the CLI session and closes the terminal window.
failover
Commands to assist with managing MobileIron Core failover. Failover allows a secondary Core to take over if the primary Core fails when your installation requires high availability. For more information about implementing a high availability solution, contact MobileIron Technical Support.
grubupdate
Updates the grub configuration. Requires a reload.
Note: This command should not be used on VMs. It should be used only for the physical box.
Example:
#grubupdate
install rpm
Installs VMware Tools. If your MobileIron Core runs in VMware, use this command to
install the VMware Tools installation package. The installation package is an RPM file or
a .tar.gz. The parameter specifies where to find the file.
Warning: Use this command only to install third-party RPM or tar files that MobileIron
has approved, such as VMware Tools.
Parameter Description
cdrom Installs the RPM from a CDROM.
file Unused.
url Installs the RPM from a URL.
Specify the URL as the final parameter.
info Displays a list of installed third-party RPMs.
Examples:
The following example shows the initial output when installing VMware Tools from CD-ROM. Although not shown here, the installation continues with VMware Tools configuration.
#install rpm cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
Select rpm/tar file to install
0. None - Do not install any thing
1 /mnt/VMwareTools-4.0.0-171294.tar.gz
Enter your selection: 1
Installing /mnt/VMwareTools-4.0.0-171294.tar.gz
Creating a new VMware Tools installer database using the tar4 format.
What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc/rc.d]
The path "/usr/lib/vmware-tools" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]
The installation of VMware Tools 4.0.0 build-171294 for Linux completed successfully. You can decide to remove this software from your system at any time by invoking the following command: "/usr/bin/vmware-uninstall-tools.pl".
Before running VMware Tools for the first time, you need to configure it by
invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want
this program to invoke the command for you now? [yes]
....
no install rpm
Uninstalls a MobileIron-approved third-party RPM. See install rpm on page 778.
For the list of no commands possible in CONFIG mode, see no on page 794.
poweroff
Turns off MobileIron Core. This command not only logs you out of the CLI, but shuts
down the operating system and powers off Core.
Example:
#poweroff
Configuration saved.
reload
Halts MobileIron Core and performs a cold restart.
Example:
#reload
Configuration saved.
service
Performs operations on the Tomcat and iptables services. You can start and stop these
services, and check their status.
Parameter Description
service name The name of the Linux service. Possible
values are:
tomcat
iptables
operation The operation to perform on the specified
service. Possible values are:
start
stop
status
Example:
#service tomcat start
Starting tomcat: Using TOMCAT_ALLOCATION_MB=11235
.
.
.
[OK]
#service iptables start
Applying iptables firewall rules: [OK]
setup
Runs the setup wizard to reconfigure an installation. This command takes you through
the initial configuration of MobileIron Core.
Example:
#setup
show portalacl
Displays the configured portal Access Control Lists (ACLs), which restrict access to various portals of MobileIron Core. The access is restricted to certain servers or networks by specifying their IP addresses or network/mask pairs.
For more information, see Portal ACLs on page 733, which describes how you configure the portal ACLs in the System Manager, Security > Access Control List > Portal ACLs.
Example:
#show portalacl
+-----------------------------------------------------------------------
Module + Access Allowed From
+-----------------------------------------------------------------------
MyPhoneAtWork 10.10.17.12
show running-config
Displays the configuration under which MobileIron Core is currently running.
The following table lists the configuration information that this command displays. It also shows where in the System Manager of the Admin Portal to configure this information, and a reference to the corresponding documentation.
Example:
#show running-config
show statichost
Displays the configured static hosts. The static hosts are configured using the System
Manager, in Settings > Static Hosts or with the CLI command statichost. See Static
Hosts on page 693 and statichost on page 797.
Example:
#show statichost
+------------------+-------------------------------------
IP Address FQDN
+------------------+-------------------------------------
172.16.80.2 mysentry.mycompany.com
show system
Displays system information as specified by the parameter. Most parameters result in
displaying output from Linux commands. For more information about Linux command
output, see the Linux man page description available on the Web.
Parameter Description
disk Displays disk usage information for each
mounted file system.
Linux command: df -h
top Displays a snapshot of the running tasks and
threads, including their command-line
parameters.
Enter h for help on navigating the output.
Enter q to quit.
Linux command: top -bcHss -n 1
toprt Displays the running tasks, memory usage,
and the uptime status, updating the display
in real-time.
Enter h for help.
Enter q to quit.
Linux command: top
uptime Displays the following information:
the current time
the system status (up)
how long the system has been running
how many users are currently logged on
the system load averages for the last 1, 5,
and 15 minutes
Examples:
#show system disk
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 80G 3.0G 73G 4% /
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 7.9G 8.0K 7.9G 1% /dev/shm
show tech
Gets MobileIron Core logs and database dumps for diagnostics. This command transfers the diagnostic files to a server that you specify, using either HTTP(S) or SFTP.
Parameter Description
http or sftp Select the transport method for the files.
URL When using HTTP, enter the URL for the destination
server. For example:
https://support.mobileiron.com/uploads
host When using SFTP, enter the host name or IP address of
the destination server. For example:
support.mobileiron.com
alllogs Enter No. Enter Yes only if MobileIron Core had
restarted since the issue occurred.
username Enter the user name for logging in to the server that
you specified. The command will prompt you for the
corresponding password.
support-ticket-number Enter the support ticket number, if you have one. This
parameter is optional.
For more information about the logs, see Working with logs on page 751.
Example:
#show tech http https://support.mobileiron.com/uploads No mysupportusername
Enter Password for user mysupportusername:
software checkupdate
Checks the configured software repository for available updates to MobileIron Core.
The repository information is configured using the System Manager, in Maintenance >
Software Updates. See Getting MobileIron server software updates on page 737.
Example:
#software checkupdate
software update
Installs the updates located using software checkupdate. Use the reload command
after using the software update command. See Getting MobileIron server software
updates on page 737.
Example:
#software update
...
#reload
ssh
Opens an ssh connection.
Parameter Description
user The ID of the user making the connection.
server The IP address or hostname of the target
server.
Example:
#ssh miadmin 100.10.10.10
miadmin@100.10.10.10's password:
telnet
Opens a telnet connection.
Parameter Description
server The IP address or hostname of the target
server.
Example:
#telnet 100.10.10.10
login: miadmin
password:
write
Saves configuration changes.
The changes you make in your CLI session are not saved across reboots of MobileIron
Core, although they are remembered between CLI sessions. Therefore, to ensure your
changes are not lost, use the write command to save your changes.
If you do not save your changes, a reboot will return Core to its previously-saved configuration.
Example:
#write
CONFIG commands
The commands specific to the CONFIG mode are summarized in the following table,
and then listed in detail in alphabetical order.
In addition, the EXEC mode commands exit, help, and timeout are also available in CONFIG mode.
Command Description
banner Defines the text to appear in the CLI login
banner.
certificate client Generates a self-signed certificate for the
MobileIron client for use with TLS.
certificate portal Generates a self-signed certificate for
MobileIron Sentry configurations.
clock set Sets the date and time on MobileIron Core.
do Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.
enable secret Changes the enable-secret password.
end Returns to EXEC PRIVILEGED mode.
eula Sets the End User License Agreement information.
hostname Configures Core's fully-qualified host name.
interface GigabitEthernet Switches to INTERFACE mode to configure
a physical interface.
interface VLAN Switches to INTERFACE mode to configure
a VLAN interface.
ip arp Updates the ARP cache on Core.
ip domain-name Sets the default domain name.
ip name-server Sets the preferred DNS server.
ip route Configures a static network route.
kparam Configures kernel parameters.
no Deletes, resets, and disables various system configurations.
ntp Configures the time sources.
portalacl Configures the portal Access Control Lists
(ACLs), which restrict access to various
portals of Core.
service Enables the service ssh, telnet, or ntp.
service support Unlocks and resets the password for the
support account.
software repository Configures the software repository URL.
statichost Maps a fully-qualified domain name to an IP
address.
syslog Configures syslog server information.
system user Creates a System Manager user account.
banner
Defines the text to appear in the CLI login banner. You can specify two strings. The
strings cannot include spaces.
Specify the following parameters:
Parameter Description
bannername Multi-word string enclosed in quotes.
Example:
certificate client
Generates a self-signed certificate for the MobileIron client for use with TLS.
For more information, see Certificate Mgmt on page 718, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.
Example:
/config#certificate client
Tlsproxy service will be disrupted.
Would you like to proceed? [y/n]:
/config#
Note: The CLI does not provide a confirmation that the certificate was generated.
certificate portal
Generates a self-signed certificate for MobileIron Sentry configurations.
For more information, see Certificate Mgmt on page 718, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.
Example:
/config#certificate portal
Services will be disrupted.
Would you like to proceed? [y/n]: y
/config#
Note: The CLI does not provide a confirmation that the certificate was generated.
clock set
Sets the date and time on MobileIron Core.
Parameter Description
time Current time using the format HH:MM:SS. Specify the
hours as a value between 00 and 23.
day Day of the month as a value between 1 and 31.
month Month of the year. Specify one of the following: January,
February, March, April, May, June, July, August,
September, October, November, December.
year Specify as a 4 digit string. For example: 2012
Example:
/config#clock set 10:34:59 23 February 2012
/config#
do
Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.
Use the do command when you are in CONFIGURE mode and want to run a command from EXEC PRIVILEGED mode, but don't want to have to exit and reenter CONFIGURE mode. After the keyword do, enter the command. For example:
config#do ping someWebSite.com
The following table lists the commands you can run using do:
Command Description
clear arp-cache Clears the ARP cache on MobileIron Core.
clock set Sets the date and time on Core.
disable Returns to EXEC mode.
help Describes the interactive help system.
host Performs a DNS lookup for a specified IP address or
host name.
logout Closes the terminal window.
ping Sends echo messages.
poweroff Turns off MobileIron Core.
reload Halts Core and performs a cold restart.
show Executes show commands specified in EXEC mode
commands on page 764 and EXEC PRIVILEGED
commands on page 775.
telnet Opens a telnet session.
timeout Sets the idle timeout for the CLI.
traceroute Traces route to destination.
write Saves configuration changes.
Example:
/config#do show banner
enable secret
Changes the enable-secret password. This password allows you to change from EXEC
mode to EXEC PRIVILEGED mode in the CLI.
For more information, see CLI on page 697, which describes how to do this task in
the System Manager, in Settings > CLI.
Example:
/config#enable secret NewPwd123
end
Returns to EXEC PRIVILEGED mode.
Example:
/config#end
eula
Sets the End User License Agreement (EULA) information.
Parameter Description
companyname The name of the company accepting the EULA. Enclose
the name in double quotes if it contains spaces.
contactname The name of the contact at the company. Enclose the
name in double quotes if it contains spaces.
contactemail Email address of the contact.
Example:
/config#eula "My Company" "Joe Doe" jdoe@mycompany.com
hostname
Configures MobileIron Core's fully-qualified host name.
Parameter Description
hostname The fully-qualified hostname for MobileIron Core.
For more information, see DNS and Hostname on page 692, which describes how to
do this task in the System Manager, in Settings > DNS and Hostname.
Example:
/config#hostname myhost123
Please reload the system for the changes to be effective.
/config#
interface GigabitEthernet
Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, or 4 to
specify which interface.
For more information, see Managing network interfaces on page 687, which describes configuring the physical interfaces in System Manager, in Settings > Interfaces.
Example:
/config#interface GigabitEthernet 2
/config-if#
interface VLAN
Switches to INTERFACE mode to configure virtual Local Area Network (VLAN) interfaces. Specify a number between 1 and 4094 for the VLAN ID.
For more information, see Managing network interfaces on page 687, which describes configuring the VLAN interfaces in System Manager, in Settings > Interfaces.
Example:
/config#interface vlan 2
/config-vlan#
ip arp
Updates the ARP cache on MobileIron Core. The ARP cache stores a mapping of IP
addresses with link layer addresses, which are also known as Ethernet addresses and
MAC addresses.
Typically, the ARP cache is updated automatically, making this command unnecessary.
Parameter Description
IP address IP address of MobileIron Core.
Mac address Corresponding Mac address, using format:
xx:xx:xx:xx:xx:xx
Interface type Specify GigabitEthernet or VLAN.
Interface ID Specify 1 to 4 for GigabitEthernet.
Example:
/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1
ip domain-name
Sets the default domain name. This value is shown in the System Manager, in
Settings > DNS and Hostname.
Example:
/config# ip domain-name mycompany.com
/config#
ip name-server
Sets the preferred DNS server.
For more information, see DNS and Hostname on page 692, which describes config-
uring the DNS servers in System Manager, in Settings > DNS and Hostname.
Example:
/config# ip name-server 10.10.15.6
/config#
ip route
Configures a static network route. This command specifies the subnet mask and gateway to use for routing from a network IP address.
Parameter Description
IP address Network IP address.
mask Subnet mask.
gateway IP address for the gateway.
For more information, see Routes on page 690, which describes configuring the
static network routes in System Manager, in Settings > Network > Routes.
Example:
/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1
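The ip route operands (network address, dotted mask, gateway) are reported by show ip route in prefix form, with default standing for the all-zeros network and mask. The script below is an added example, not MobileIron's code: it converts the operands, parses show ip route text constructed in the guide's layout, and verifies that the route is present and that its gateway lies on a directly connected network.

```python
"""Check a static route the way `show ip route` will report it.

Added example, not part of the guide. The routing-table text below is
constructed to match the layout shown under show ip; nothing here talks
to an appliance.
"""
import ipaddress

# Constructed sample: output of `>show ip route`
SHOW_IP_ROUTE = """\
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
default via 10.10.1.1 dev eth0
"""


def static_route_network(ip, mask):
    """Return the network for `ip route <ip> <mask> ...`, e.g. 192.168.57.0/24.

    Raises ValueError for a non-contiguous mask or for host bits set in `ip`
    (192.168.57.1 with 255.255.255.0), since those operands name a host, not
    a network.
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=True)


def is_valid_static_route(ip, mask):
    """True when ip/mask names a network rather than a host inside one."""
    try:
        static_route_network(ip, mask)
        return True
    except ValueError:
        return False


def parse_show_ip_route(text):
    """Return one dict per route line: network, via (None when directly connected), dev."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # `default` is the all-zeros network and mask, i.e. 0.0.0.0/0.
        network = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        via = ipaddress.ip_address(parts[parts.index("via") + 1]) if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append({"network": network, "via": via, "dev": dev})
    return routes


def check_static_route(ip, mask, gateway, show_ip_route_text):
    """Return (present, gateway_on_link).

    present: the exact network/gateway pair appears in the routing table.
    gateway_on_link: a directly connected route (no `via`) contains the gateway,
    so the kernel can actually reach the next hop.
    """
    network = static_route_network(ip, mask)
    gw = ipaddress.ip_address(gateway)
    routes = parse_show_ip_route(show_ip_route_text)
    present = any(r["network"] == network and r["via"] == gw for r in routes)
    on_link = any(r["via"] is None and gw in r["network"] for r in routes)
    return present, on_link


if __name__ == "__main__":
    print(check_static_route("192.168.57.0", "255.255.255.0", "10.10.1.1", SHOW_IP_ROUTE))
```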
kparam
Configures kernel parameters.
Parameter Description
name The name of the kernel parameter. Enter rp_filter or
log_martians.
Example:
/config#kparam rp_filter
no
Deletes, resets, and disables various system configurations, as described in the following table.
Command Description
no banner Reverts to the original login banner.
no hostname Reverts the system's fully qualified domain
name to localhost.localdomain. Requires
a system reload for the change to take
effect.
no interface vlan <vlan number 1 - 4094> Deletes the specified VLAN interface.
no ip arp <IP address> Deletes the specified IP address from the
ARP cache.
no ip domain-name Deletes the domain-name of MobileIron
Core.
no ip name-server <IP address> Deletes the specified Internet name server
from the list of Internet name servers that
Core uses for DNS lookup.
no ip route <IP address> <mask> Deletes the specified static network route from Core's routing table.
no kparam <name> Disables the kernel parameter.
no ntp <IP address or hostname> Deletes the specified NTP server from Core's list of NTP servers.
no portalacls Deletes portal ACLs.
no service <service name> Disables the specified service (ssh, telnet,
or ntp).
no service support Disables the password for the misupport
account.
no statichost <IP address> Deletes the static host entry.
no syslog <IP address or hostname> Deletes the syslog server specified by the
parameter.
no system user <username> Deletes the system user specified by the
parameter.
ntp
Configures the time sources. The time sources are Network Time Protocol (NTP) servers. An NTP server figures out how much the system clock drifts and smoothly corrects it.
You can configure the NTP servers in the System Manager, in Settings > Date and
Time (NTP). See Date and Time (NTP) on page 695.
Parameter Description
server Hostname or IP address of the NTP server.
index The order this NTP server appears in the configuration (0-2).
Example:
/config# ntp 172.16.0.1 0
portalacl
Configures the portal Access Control Lists (ACLs), which restrict access to various portals of MobileIron Core. Access is restricted to servers or networks by specifying their IP addresses, network and mask pairs, or hostname.
Parameter Description
module Enter one of the following options:
MyPhoneAtWork
SmartphoneManagerPortal
SystemManagerPortal
SentryConnection
APIConnection
iOSMDM
iOSiRegURL
AppStorefrontConnection
host The IP address, network, or hostname from which access is allowed. Only one host configuration is supported from CLI. Use the System Manager portal to configure multiple hosts or networks.
Example:
/config#portalacl MyPhoneAtWork 10.101.1.119
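Because a portal ACL entry narrows access for the module it names, it is worth confirming which sources an entry actually admits before relying on it. The script below is an added example, not MobileIron's code: it parses show portalacl text constructed in the guide's layout (IP address, network/mask, or hostname entries) and evaluates a source address against it; hostname entries are compared literally since no DNS lookup is done, and a module with no entry is assumed unrestricted.

```python
"""Evaluate portal ACL entries against a connecting source.

Added example, not part of the guide. The `show portalacl` text below is
constructed to match the guide's layout; the module names come from the
portalacl parameter table.
"""
import ipaddress

# Constructed sample: output of `#show portalacl` with one entry per module
SHOW_PORTALACL = """\
+-----------------------------------------------------------------------
Module + Access Allowed From
+-----------------------------------------------------------------------
MyPhoneAtWork 10.10.17.12
SystemManagerPortal 10.10.17.0/255.255.255.0
SentryConnection 172.16.80.0/24
APIConnection api-client.mycompany.com
"""

# Module names accepted by the portalacl command, per the parameter table above.
PORTAL_MODULES = {
    "MyPhoneAtWork", "SmartphoneManagerPortal", "SystemManagerPortal",
    "SentryConnection", "APIConnection", "iOSMDM", "iOSiRegURL",
    "AppStorefrontConnection",
}


def parse_portalacl(text):
    """Return {module: [entries]}; an entry is an ip_network or a lower-cased hostname."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the box-drawing rules and the column header.
        if len(parts) < 2 or parts[0].startswith("+") or parts[0] == "Module":
            continue
        module, source = parts[0], parts[1]
        if module not in PORTAL_MODULES:
            raise ValueError(f"unknown portal module: {module}")
        try:
            # A bare address becomes a /32; "net/mask" and "net/prefix" both parse.
            entry = ipaddress.ip_network(source, strict=False)
        except ValueError:
            entry = source.lower()  # hostname: compared literally, never resolved
        acl.setdefault(module, []).append(entry)
    return acl


def is_allowed(acl, module, source):
    """True when `source` (an IP string or hostname) matches an entry for `module`.

    Assumption for this example: a module with no ACL entry is unrestricted,
    since an entry only narrows access where one exists.
    """
    entries = acl.get(module)
    if not entries:
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source.lower() in entries  # hostname source vs hostname entries
    return any(not isinstance(e, str) and addr in e for e in entries)


if __name__ == "__main__":
    acl = parse_portalacl(SHOW_PORTALACL)
    for module, src in [("MyPhoneAtWork", "10.10.17.12"), ("MyPhoneAtWork", "10.10.17.13"),
                        ("SystemManagerPortal", "10.10.17.200")]:
        print(module, src, "allowed" if is_allowed(acl, module, src) else "denied")
```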
service
Enables the service ssh, telnet, or ntp. For telnet and ntp, this command also sets the
number of instances allowed for the service.
Parameter Description
name The name of the service. Enter either ssh, telnet, or ntp.
instances Maximum sessions allowed for ssh or telnet.
Example:
/config#service telnet 4
service support
Unlocks and resets the password for the support account. This command allows one-time access to the misupport Linux user account, using the displayed account password.
Warning: Do not access the Linux misupport account unless you are working closely
with MobileIron Technical Support. MobileIron cannot help you recover if you damage
your system when working on your own in the Linux command shell.
Example:
/config#service support
One-time-password for account misupport set to XRXFHT1str
software repository
Configures the software repository URL. This URL specifies the location of software
updates for MobileIron Core. You can also configure the software repository in the
System Manager, in Maintenance > Software Updates. See Getting MobileIron server
software updates on page 737.
Parameter Description
urlstring URL for the software repository.
username The username portion of the credentials for
accessing the repository.
password The password portion of the credentials for
accessing the repository.
statichost
A static host configuration maps a fully-qualified domain name to an IP address. This
static mapping is useful in the following cases:
A DNS server is not available.
The DNS server entry for a fully-qualified domain name points to an external IP
address, outside of your firewall, although the ultimate destination is inside your
firewall. You can use this static mapping if you want to associate the fully-qualified
domain name with an internal IP address, inside your firewall.
The static hosts are also configured using the System Manager, in Settings > Static
Hosts. See Static Hosts on page 693.
Parameter Description
ip IP address of the fully-qualified domain name.
fqdn The fully-qualified domain name.
Example:
/config#statichost 172.16.80.2 mysentry.mycompany.com
syslog
Configures syslog server information.
Parameter Description
server Hostname or IP address of the syslog server
loglevel Specify the log level to be enabled (0-7)
The log level value you specify in this command corresponds to the log levels as follows:
For more information, see Syslog on page 698, which describes configuring the syslog servers in System Manager, in Settings > Syslog.
system user
Creates a System Manager user account. Specify the following parameters:
Parameter Description
username User name
password The unencrypted (cleartext) user password
For more information, see Identity Source > Local Users on page 715.
You enter each INTERFACE mode from the CONFIG mode using the commands interface GigabitEthernet on page 791 or interface VLAN on page 792. For example:
/config# interface GigabitEthernet 2
/config-if#
Each INTERFACE mode has its own set of commands that are applied to the specified
interface, such as GigabitEthernet 2 in the above example. Most commands are
shared by both modes.
The commands specific to the INTERFACE modes are summarized in the following
table, and then listed in detail in alphabetical order.
Command                              Description
do                                   Runs EXEC or EXEC PRIVILEGED commands.
end                                  Returns to CONFIGURE mode.
exit                                 Exits the EXEC mode and closes the terminal window.
ip address                           Configures the IP address of a physical or VLAN interface.
no                                   no ip address - Resets the IP address of a physical or VLAN interface.
                                     no shutdown - Enables a physical or VLAN interface.
physical interface GigabitEthernet   (Available in INTERFACE VLAN mode only.) Creates a VLAN interface on the specified physical interface.
shutdown                             Disables the current VLAN or physical interface.
end
Returns to CONFIGURE mode.
Example:
/config-if#end
/config#
/config-vlan#end
/config#
ip address
Configures the IP address and mask of the interface you specified in the interface
command. The interface is one of the following:
a physical interface when in INTERFACE GigabitEthernet mode.
a VLAN interface when in INTERFACE VLAN mode. Before you can configure the IP address of a VLAN interface, create the VLAN interface, using the command physical interface GigabitEthernet on page 801.
Parameter    Description
IP address   IP address of the physical network interface when in INTERFACE GigabitEthernet mode.
             IP address of the VLAN interface when in INTERFACE VLAN mode.
mask         The netmask of the interface.
Example:
/config#interface GigabitEthernet 2
/config-if#ip address 10.10.17.27 255.255.255.0
no
Use the no command in INTERFACE mode as described in the following table.
Command         Description
no ip address   Resets the IP address and mask of the interface that you specified in the interface command. The interface can be a physical or VLAN interface. This command sets both the IP address and the mask to 0.0.0.0.
no shutdown     Enables the GigabitEthernet or VLAN interface that you specified in the interface command.
Parameter                          Description
GigabitEthernet interface number   A value between 1 and 4 that specifies the GigabitEthernet interface on which to create the VLAN interface.
Example:
/config#interface vlan 1
/config-vlan#
/config-vlan#physical interface GigabitEthernet 1
shutdown
Disables the VLAN or physical interface that you specified in the interface command.
To enable the interface, use no shutdown. See no on page 800.
Examples:
The following command disables a physical interface:
/config#interface GigabitEthernet 1
/config-if#shutdown
/config-if#
Section V: Appendixes
Web-based Registration for iOS and OS X Devices
Distributing iOS MDM Profiles with Apple Configurator
Secure Apps on Android Devices
Secure apps on iOS Devices
Docs@Work for iOS
The SharePoint Client App for Android
Working with the MobileIron App and Related Agents for Android
Multi-User Support for iOS
Android Kiosk Support
The User Portal: MyPhone@Work
Physical Appliance Hardware Specification
Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates
Appendix A
What is web-based registration?
Web-based registration is a process of registering iOS and OS X devices in bulk for
large deployments. The benefits of this style of registration include:
iTunes accounts are not required
No end-user interaction is required
However, because a MobileIron app is not downloaded to the device, the management
features provided by the app, such as in-house app distribution, are not available.
Preparation
Because users will be informed of the registration via email before they receive the
device, you should consider turning off user notification when you bulk register the
devices. As an alternative, consider editing the registration template or informing
users that they should ignore the email. See Customizing registration messages on
page 105 for information on editing the template.
Implementing web-based registration for iOS
and OS X devices
To implement web-based registration for iOS and OS X devices:
1. In Admin Portal, select Settings > Preferences.
Create a pending device report
A pending device report lists the username and the PIN and/or password you will need in order to complete the registration process on each user's behalf. To create this report, do the following:
1. Go to Users & Devices > Devices.
2. Open Advanced Search by clicking the advanced search icon.
3. Using the query builder, select the following:
Select Status for Field
Select Equals for Operator
Select Pending for Value
4. Click Search. The devices in the pending state are shown in the table.
5. To download this report in CSV format, click Export To CSV. The report includes the
PIN and/or password required to complete registration, as appropriate.
Appendix B
This step is necessary only if you want to match devices with serial numbers automatically.
3. Export the MDM profile from MobileIron Core.
4. Import the MDM profile into the Configurator.
5. Apply the MDM profile to tethered devices.
3. In the Name field, enter a name for the configuration.
4. Click the + under Profiles.
5. Select Import Profile.
6. Select the MDM profile you exported.
7. Click Open.
Applying the MDM profile to the tethered device
To apply the imported MDM profile using the Configurator:
1. Tether a device.
2. Select the checkbox next to the profile you just added.
3. Click the Prepare button at the bottom of the screen.
4. If prompted to confirm, click Apply.
5. For unsupervised devices, respond to the profile installation prompts displayed on
the device.
Prompts do not display on supervised devices.
6. Confirm that the registration has been completed on MobileIron Core.
If you did not bulk-register the devices, they will be displayed in the Admin Portal
with the "<Anonymous>" user account. When a device user installs and signs in to
Mobile@Work, Core switches the device to that user's account.
2. Click Install Profiles...
3. Click Import to navigate to the iOS MDM profile you exported from MobileIron Core.
4. Select the iOS MDM profile and click Open.
You are returned to the Choose or create a profile screen, and the iOS MDM profile
displays.
5. Select the iOS MDM profile and click Next.
The Profile Installation Complete screen appears.
6. Click Close.
Follow the steps in Importing the iOS MDM profile using Apple Configurator 1.4.2 to
also import a Wi-Fi profile.
Appendix C
A secure app:
keeps its data secure.
A secure app can share its data and files only with other secure apps.
requires you to log in with a secure apps passcode.
Logging in one time with your secure apps passcode allows you to access all the secure apps.
overlays its icon with a special badge that indicates it is a secure app.
The Mobile@Work app works with another MobileIron app to download, install, and manage your secure apps. The other MobileIron app is called the Secure Apps Manager. The Secure Apps Manager is downloaded and installed along with the secure apps.
Setting up your device to use secure apps requires you to do the following:
1. Download and install the secure apps on page 818
2. Create the secure apps passcode on page 819
Download and install the secure apps
To download and install the secure apps on Android devices:
1. Start the Mobile@Work app.
If you do not see the Secure Apps tab on your Mobile@Work home screen, your
administrator has not configured your device to use secure apps.
2. Follow the instructions to install secure apps, including the Secure Apps Manager
3. Continue to Create the secure apps passcode on page 819.
Create the secure apps passcode
After you download and install all your secure apps, you create a passcode for the
secure apps. Logging in one time provides access to all the secure apps.
Note: The secure apps passcode is not the same passcode as your device password, if
you have one. You can choose the same values for both the secure apps passcode and
the device password, or choose a different value for each of them.
Secure apps notifications
Throughout the steps for setting up secure apps on your device, and after the steps
are completed, you receive notifications about the status of Mobile@Work and secure
apps. For example, a notification indicates whether you have logged in with the secure
apps passcode.
When you power on the device, a notification indicates that you have not logged in
with your secure apps passcode, and that you have no email connection. Be sure to
log in.
To log in:
1. Open any secure app or the Secure Apps Manager.
2. Enter your secure apps passcode.
Some secure apps, such as the email app, are active even when you are not using
them. For example, the email app syncs your email and calendar items. Until you log
in with your secure apps passcode, these apps cannot do their jobs.
Secure apps status bar icons
A secure apps icon appears in the status bar of the device.
When you have entered your secure apps passcode, the icon looks like the following:
When you are logged out of secure apps, the icon looks like the following:
For example, you are logged out when you have not used a secure app for five minutes.
The secure apps icon turns into a warning icon in some situations:
The warning icon appears when you need to reenter your secure apps passcode, such
as when you power on the device.
Camera, gallery, and media player warning messages
The administrator can allow or prohibit secure apps on your device to do the following:
access camera photos from the app
access gallery images from the app
stream media from the app to a media player
If a capability is prohibited and an app attempts to use it, a message displays indicating that the administrator has disabled the capability.
If the administrator allows accessing camera photos from secure apps, when an app accesses the camera, the app displays a warning. The warning indicates that the photo will not be secured, and that a photo from an unsecured camera app may compromise secure data.
If the administrator allows accessing gallery images from secure apps, when an app
accesses an image, the app displays a warning. The warning indicates that the image
will not be secured and that an image from an unsecured app may compromise secure
data.
If the administrator allows media streaming from secure apps, when an app is about
to stream media, the app displays a warning. The warning indicates that media will be
streamed outside the secure container.
The warnings also provide the option to turn off future warnings.
Appendix D
Secure apps passcode management
Typically, you configure AppConnect to require the device user to use a secure apps passcode to use secure apps. The device user creates and uses a secure apps passcode as follows:
Creating a secure apps passcode on page 824
Logging in with the secure apps passcode on page 826
Logging out of secure apps on page 827
Resetting the secure apps passcode - user initiated on page 828
Resetting the secure apps passcode - administrator initiated on page 832
Mobile@Work prompts the device user to create a secure apps passcode the first time
the user does one of the following:
taps Log In
launches any secure app
taps the Local Files tab or File Shares tab in Mobile@Work.
If Docs@Work is enabled, the Local Files and File Shares tabs allow the user to
access file share documents and email attachments. Like secure apps, these
Mobile@Work capabilities require the secure apps passcode.
To create a secure apps passcode, the device user does the following:
1. Taps Log In.
4. Reenters the passcode.
5. Taps Done.
6. Taps Done.
Mobile@Work, Mobile@Work prompts the user to log in with the secure apps passcode:
The device user can now continue with the secure app.
To log out of secure apps, the device user does the following:
1. Goes to the Mobile@Work home screen.
2. Taps Log Out.
Mobile@Work will prompt the device user for the secure apps passcode the next time
the user launches a secure app, taps Log In, or taps the Local Files or File Shares tab
in Mobile@Work.
2. Taps Secure Apps .
3. Taps Passcode.
4. Taps Change Passcode.
7. Enters a new passcode according to the specified instructions.
8. Taps Done.
11. Taps Done.
1. Taps OK.
6. Reenters the passcode.
7. Taps Done.
8. Taps Done.
The device user either:
realizes that he has forgotten the passcode.
exceeds the maximum number of attempts to enter the passcode.
You configure this value in the AppConnect global policy.
Note: Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered with a VSP 5.5. See Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5 on page 838.
When the device user realizes that he has forgotten the passcode
The device user does the following:
1. Launches a secure app, or taps Log In or taps the Local Files or File Shares tab in Mobile@Work. Mobile@Work prompts the user to log in with the secure apps passcode:
3. Enters the User Name and Password for registering with MobileIron Core.
6. Reenters the passcode.
7. Taps Done.
8. Taps Done.
The user can attempt to reenter the secure apps passcode only after waiting longer and longer time periods. Specifically, after the 5th, 6th, 7th, 8th, and 9th attempts, the user must wait 1, 5, 15, 60, and 60 minutes respectively. After the 10th attempt, which is the maximum, the user can no longer access secure apps. To regain access, he must enter his user credentials and then create a new secure apps passcode.
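The escalating wait and final lockout described above, modelled as an added example (this is not MobileIron's own code). The wait table and the maximum of 10 attempts are the figures from the text; the salted PBKDF2 storage of the passcode, the minute-based clock passed by the caller, and the recover() step that stands in for entering user credentials are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Wait, in minutes, imposed after the Nth consecutive failed attempt
# (attempts 1-4 carry no wait), as described in the text above.
WAIT_AFTER_ATTEMPT = {5: 1, 6: 5, 7: 15, 8: 60, 9: 60}


def _derive(passcode: str, salt: bytes) -> bytes:
    # Assumed: a salted PBKDF2 digest so the passcode itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, 50_000)


@dataclass
class SecureAppsPasscode:
    """Tracks consecutive failures, the enforced wait, and the final lockout."""

    max_attempts: int = 10  # the AppConnect global policy value (assumed: 10)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    failures: int = 0
    wait_until: float = 0.0  # minutes on the caller's clock; 0 = no wait pending
    locked_out: bool = False

    def set_passcode(self, passcode: str) -> None:
        """Creating (or recreating) the passcode clears all lockout state."""
        self.salt = os.urandom(16)
        self.digest = _derive(passcode, self.salt)
        self.failures = 0
        self.wait_until = 0.0
        self.locked_out = False

    def log_in(self, passcode: str, now_minutes: float) -> str:
        """Returns 'ok', 'wrong', 'wait' or 'locked_out'."""
        if self.locked_out:
            return "locked_out"
        if now_minutes < self.wait_until:
            # The enforced wait has not elapsed; even a correct passcode is not accepted.
            return "wait"
        if hmac.compare_digest(_derive(passcode, self.salt), self.digest):
            self.failures = 0
            self.wait_until = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            # 10th failure: secure apps stay inaccessible until recover() succeeds.
            self.locked_out = True
            return "locked_out"
        self.wait_until = now_minutes + WAIT_AFTER_ATTEMPT.get(self.failures, 0)
        return "wrong"

    def recover(self, user_credentials_ok: bool, new_passcode: str) -> bool:
        """Regaining access: valid user credentials, then a new secure apps passcode."""
        if not user_credentials_ok:
            return False
        self.set_passcode(new_passcode)
        return True
```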
Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5
Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered
with a VSP 5.5. Mobile@Work displays a message to the device user describing the
steps to take if the user has forgotten the passcode. Executing these steps means that
the device user cannot recover any secure data that the AppConnect apps had saved.
Secure apps status display
Starting with Mobile@Work 5.9 for iOS, a secure apps status display is available on
the device. This display provides detailed information about each secure app, allowing
you to troubleshoot issues more easily.
4. All installed secure apps that have been opened at least once appear under the
heading Secure Apps.
If no secure apps have been opened at least once, then this list does not appear.
For apps built starting with AppConnect for iOS SDK 1.7 or wrapped with iOS AppConnect wrapper 1.9, you see the short version number, followed by the long version number in parentheses. Apps built with a previous SDK version or wrapped with a previous wrapper version show only the long version number.
An icon that indicates whether the app is authorized
The following table describes the status details for a secure app:
Field                  Description
App Version            The version number of the secure app. For apps built starting with AppConnect for iOS SDK 1.7 or wrapped with iOS AppConnect wrapper 1.9, you see the short version number, followed by the long version number in parentheses. Apps built with a previous SDK version or wrapped with a previous wrapper version show only the long version number.
AppConnect Version     The version of the AppConnect for iOS SDK for apps built with the SDK. The AppConnect for iOS Wrapper version for wrapped apps. This version includes the SDK version used in the Wrapper.
Last Check-in          The date and time when Mobile@Work last fetched the AppConnect policies from MobileIron Core.
Authorization Status   Whether the device is authorized to use the app. Possible values are:
                       Authorized
                       Unauthorized
                       Retired
Policies and Configurations
For more information, see Configuring AppConnect container policies on page 603 and Configuring an AppConnect app configuration on page 614.
Open In                Whether Open In is allowed for the app. Possible values are:
                       Not Allowed
                       Allowed (All Apps)
                       Allowed (Secure Apps Only)
                       Allowed (Whitelisted Apps)
Print                  Whether print capabilities are allowed for the app. Possible values are:
                       Not Allowed
                       Allowed
Copy/Paste             Whether the device user can copy from the app to other apps. Possible values are:
                       Not Allowed
                       Allowed
                       Encrypted
                       Note: The value Encrypted is not supported. It corresponds to the unsupported MobileIron Core policy value Copy/Paste To AppConnect Apps.
Configuration Count    The number of key-value pairs that the Core sent to the app. This value corresponds to the number of key-value pairs in the AppConnect app configuration for the app.
                       Note:
                       If one of the key-value pairs in the AppConnect app configuration is a SCEP or certificate setting and the certificate is password-encoded, Core automatically sends another key-value pair for the password. The configuration count includes that key-value pair.
                       The keys that you use to turn on debug level logging for an AppConnect app are not included in the configuration count. These keys are MI_AC_LOG_LEVEL and MI_AC_LOG_LEVEL_CODE.
If an app has not applied a policy or configuration, the corresponding field in the
display also indicates one of the following:
Pending
The app has not yet applied the policy or configuration. The pending status shows
until the next time the device user launches the app.
Unsupported
The app does not support the policy or configuration.
Error
The app had an error when applying the policy or configuration.
Appendix E
This chapter provides the iOS device user perspective of using Mobile@Work. For the
administrator perspective of the Docs@Work feature, see Docs@Work on page 555.
Using the Mobile@Work for iOS app, your iOS device has secure access to:
content server documents
You can securely access content server documents and save copies to your device.
See Accessing content server documents on page 844.
Email attachments
Your administrator determines how you view email attachments based on your company's security policies.
See Accessing email attachments on page 849.
For information about the types of files that Mobile@Work can display, see Supported
files in the Mobile@Work for iOS app on page 880.
The instructions that follow are based on using Mobile@Work on an iPhone running
iOS 5.1.1. Mobile@Work works a little differently on an iPad to take advantage of the
larger screen. See Mobile@Work on an iPad on page 880.
Note: These features are available only if your administrator has enabled the
Docs@Work feature on MobileIron Core.
3. Enter the following information:
Field    Description
Server   The URL of a content server.
         For SharePoint: Enter the URL of a SharePoint site, subsite, library, or folder.
4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders.
Mobile@Work displays one of the following for each folder:
the number of items in the folder
Empty if no items are in the folder
Unauthorized if you do not have the authority to access the folder
Field               Description
User name           Your user name for logging in to the content server. When setting up your access to a content server, your administrator can choose whether the user name is filled in. In that case, you cannot edit the field.
Password            Your password for logging in to the content server.
Remember Password   Tap to change the value to ON if you want Mobile@Work to remember the password.
                    Note: Your administrator can choose whether remembering the password is allowed.
4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders.
Accessing priority folder documents
The Priority Folder feature enables you to automatically download the latest version of
files in a specified folder in the Docs@Work content repository. This gives you offline
access to these files. Priority folders display separately from remote folders.
The first time a device user launches Docs@Work after receiving the priority folder
configuration, the folder displays as Never Updated until the downloading of files has
completed.
If the administrator has not set the credentials necessary for accessing the content
repository, then the following form displays.
Documents that are pending download or in the process of downloading have a blue
icon.
Documents that have been downloaded or updated display with a green icon to indicate that they have been synchronized with the content repository.
When a cellular or Wi-Fi connection is not available, the documents display with a gray
icon, indicating offline access.
Accessing email attachments
Your administrator determines how you access email attachments when you are using the Mail app on your device. The choice enforces the security policies of your company.
2. Tap the attachment to fully download it, if it is surrounded by a dashed box. To fully
download one or more attachments, you can also scroll down the screen and tap
Download Full Message.
For smaller attachments that are already fully downloaded, skip to step 3.
4. Tap Open in MobileIron.
You are now viewing the attachment in Recent Attachments in Local Files in
Mobile@Work.
2. Tap on the attachment.
The attachment contains text that says The original attachment was removed as
required by the security policies of your administrator.
2. Tap the folder icon.
The document is now available for viewing under Local Files. See Viewing a local
file on page 855.
3. Tap Save To Local Files.
The document is now available for viewing under Local Files. It is no longer available under Recent Attachments.
The files display in alphabetical order.
2. Tap the file that you want to view.
Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.
1. In Mobile@Work, tap Local Files.
Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.
3. Tap Update Now to sync your local file to the updated remote file.
Mobile@Work updates the local file and displays it.
Deleting a local file
To delete a local file:
1. In Mobile@Work, tap Local Files.
3. Tap Delete.
Mobile@Work deletes the file from the Local Files list.
Managing recently opened email attachments
Mobile@Work automatically saves to a special folder the 20 most recent email attachments that you opened.
3. Tap the file that you want to view.
4. Tap the folder icon.
Mobile@Work removes the file from the Recent Attachments folder and adds it to
the Local Files folder.
3. Tap Edit.
4. Tap the Delete icon on the file that you want to delete.
5. Tap Delete.
Mobile@Work removes the file from the Recent Attachments folder.
2. Tap the Open In icon.
If you do not see the Open In icon, your administrator has not given you permission
to use this capability.
Annotating documents in Docs@Work for iOS
Starting from Mobile@Work iOS v5.8.0, Docs@Work for iOS supports viewing and creating PDF annotations in documents. You can open a secure email attachment, annotate it as a PDF file, and securely email the annotated version back to a colleague, all in Docs@Work. You can annotate attachments you receive from email, files you view on a remote server, or files you have saved locally.
2. Tap the Annotate icon (for iPads, this is in the top-left of the screen, for iPhones,
this is at the bottom of the screen).
3. Tap Create in the Creating a PDF to Annotate prompt to export a Microsoft Office
or non-PDF document to PDF and save it to Local Files for annotation.
4. Tap Create in the Annotating a Copy prompt to save a copy of a PDF file to Local
Files for annotation.
A filename suffix of - Annotated.pdf is appended to the annotation copy by
default. You can optionally edit this when saving the annotation copy; however, it is
recommended to preserve the - Annotated.pdf filename suffix.
5. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.
You have the option to save annotations in either the source file or an annotation copy
for PDF documents that are in Local Files and not associated to remote servers. These
files are typically those that you received as email attachments, downloaded from a
web browser, or saved from another app using Open In. You have to move or save
these documents from Recent Files to Local Files for the Save to this document
option to appear when you start the annotation. Note that you cannot save to the
source file if the source file is not a PDF.
1. In Mobile@Work, tap Local Files.
2. Tap the file you want to annotate.
3. Tap the Annotate icon (for iPads, this is in the top-left of the screen, for iPhones,
this is at the bottom of the screen).
4. Tap Save to this document to keep all annotations in this same file in Local Files,
or
Tap Create an annotated copy to create a separate annotation copy ( - Annotated.pdf) in Local Files.
5. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.
5. Tap the Create button in the Annotating a Copy dialog that appears.
This saves the annotation copy of the file ( - Annotated.pdf) to your Local Files
folder, and lets you continue annotating the file from there. If the source file is a
Microsoft Office or non-PDF document, the document is first exported to PDF. Note
that the annotation copy is not synced with the remote server.
You can optionally edit the name of the file when saving the annotation copy; however, it is recommended to preserve the - Annotated.pdf filename suffix.
6. Tap and hold anywhere in the document to start an annotation. See Annotating
PDFs in Docs@Work on page 871 for details.
Change the color of highlights
Adding a note
1. In your annotation file, tap and hold a non-text area of the document to bring up
the comment menu.
Removing a note
1. Tap the note icon to bring up the Note dialog.
2. Tap the trash icon.
3. Tap elsewhere in the document.
4. Tap Paste to paste the note and its icon in the new location.
Note: If you want to copy only some of the text within the Note dialog (rather than the
entire note), you can tap within the dialog, select, then copy text. You can then paste
the text into another note dialog later.
3. Tap a new icon style (from the top two rows of the menu options).
4. Tap a new color (from the bottom row of the menu options).
5. Tap outside the dialog to close it.
2. Drag the selection handles to select the text you want.
3. Tap one of the T icons to highlight, underline, or strike-through text. (The example shows an underline annotation).
Note: Define and Search are iOS options that are only available when you select a
small portion of text. Larger text selections do not present the Define and Search
options.
Editing an annotation
For underline and strike-through annotations, you can attach a note, remove the
annotation, or copy the text selected for the annotation:
For highlight annotations, you can additionally change the color of the highlight:
5. For highlights only, tap Color to change the highlight color. See Editing the color of
an annotation on page 876.
Removing an annotation
1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.
2. Tap Remove to delete the annotation and any associated note.
Note: If you have multiple annotations applied to the same selected text, tapping
Remove deletes one annotation style at a time, plus any note attached to that
style.
Copying an annotation
1. Tap highlighted, underlined or strike-through text to bring up the available edit
options.
2. Tap Copy to copy the selected text to the clipboard. You can then paste this text in
a note dialog later.
3. Tap one of the four standard colors (yellow (default), green, blue, pink) to change
the highlight color.
4. Or, tap Custom to choose from a custom color palette.
5. Tap the page navigation dots at the bottom of the Choose Color dialog to bring up
different color swatches.
6. Tap a rectangle to choose that color for highlights.
7. Tap outside the dialog to close it.
1. From Mobile@Work, tap Settings.
2. Tap Docs@Work Settings.
Supported files in the Mobile@Work for iOS app
You can view most common file types in Mobile@Work. If you try to open a file that
Mobile@Work does not support, Mobile@Work displays an error message.
Mobile@Work on an iPad
The behavior of the Mobile@Work for iOS app is slightly different on an iPad than it is
on an iPhone.
The left (master) pane contains:
information about what you are currently doing, such as looking at the home
screen, or navigating through content server folders.
the tabs for accessing the Mobile@Work home screen, Local Files, Remote Files,
and settings.
The right (detail) pane contains information depending on what the master pane is
displaying. For example, the detail pane displays:
a file's content
About information for Mobile@Work
the Mobile Activity Map
In Portrait mode, you can tap on the detail pane to hide the master pane:
Note: When viewing the Mobile Activity Map, to once again show the master pane, tap
the MobileIron button.
The icons behave the same as they do in Mobile@Work on an iPhone. For example,
see:
Saving a content server document as a local file on page 852
Opening documents in other apps on page 864
Appendix F
Note: The SharePoint Client app works with content servers other than SharePoint.
See Supported content servers on page 559.
2. Select the menu.
4. Enter the following information:
Field   Description
Name    A descriptive name for the content server repository. For example: Marketing documents
URL     The URL of a repository site, subsite, library, or folder.
5. Tap OK.
The SharePoint Client verifies your credentials and displays the entry for the content server repository.
Note: To delete a content server repository, long press the entry and tap Delete.
2. Navigate to the appropriate folder by tapping successive folder names. This example shows the file list after navigating to the following folder:
subteamsite1/Shared Documents
3. Tap the document that you want to view. The secure ThinkFree Document Viewer,
or other secure app, loads and displays the selected document. If the ThinkFree
Document Viewer does not support the type of document, an error message displays.
If ThinkFree Document Viewer does not support the document type, the SharePoint
Client displays a list of secure apps to try to view the document with.
If no secure app supports viewing the document type, the Android OS indicates
that no app is available to open the selected file.
Attempting to open the document with an app that does not support the document
type results in an error message or erroneous behavior, depending on the app.
If the SharePoint Client does not support a document type, it displays a special icon
for the document:
Save documents locally
You can save documents locally to your device's SD card.
To save a document:
1. In the SharePoint Client, navigate to the folder containing the document:
2. Long press (touch and hold the same position) the document you want to save:
3. Tap Save.
You can now use the secure File Manager to view the local copy of the document.
Email a document
To email a document as an attachment:
1. In the SharePoint Client, navigate to the folder containing the document:
2. Long press (touch and hold the same position) the document you want to email:
3. Tap Send.
4. Tap Send Email.
The secure TouchDown email app opens with the document as an attachment.
5. Add the recipients, subject, and message body, and send the email.
Automatically saved documents
Whenever you open a document using the SharePoint Client, the SharePoint Client
saves the document on device storage. It saves the document in a folder structure
equivalent to the folder structure of the content server. The SharePoint Client opens
this local copy if the document has not changed on the content server.
You can use the secure File Manager to navigate to these automatically saved documents and open them.
Appendix G
Uninstalling the MobileIron app for Android
The MobileIron app for Android requires Device Administrator privileges on the device.
An app having these privileges applied cannot be uninstalled. Therefore, you must
first remove the Device Administrator privilege if you want to uninstall the app.
Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that
uninstalling the app is not allowed. In this case, you need to change the policy before
uninstalling.
3. Tap Deactivate.
4. Go to Settings > Applications > Manage applications.
6. Click Uninstall.
Uninstalling the Samsung DM Agent
For devices running versions of Mobile@Work prior to 5.9, access to Samsung's
extended features, which are provided in the Samsung Enterprise APIs, requires
installation of the Samsung DM Agent. The MobileIron app will detect whether your
device supports the extended features when you start it the first time and prompt you
to install the agent if it is supported. Uninstalling the MobileIron app does not uninstall
the Samsung DM Agent.
Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that
uninstalling the agent is not allowed. In this case, you need to change the policy
before uninstalling.
Troubleshooting email setup on Android devices
If email is not set up or there is a configuration problem, the following screen displays.
The device user can access this screen by selecting Options > Email Setup from the
MobileIron app menu.
How the Email Setup screen works
The Email Setup screen displays a checklist of tests for email connectivity. The MobileIron app completes each test in the checklist until it finds an issue. A green check displays next to an item that has passed the test. A red X displays next to the first item that does not pass the test. The MobileIron app does not proceed with the remaining items on the checklist until the detected issue has been resolved.
The following table describes each item that appears in the list.
Profile Complete: Indicates whether the email password was included in the profile. TouchDown manages its password, so this test always passes for TouchDown. For the supported native email apps, if the profile does not include a password, then the test fails and a button labeled Enter Password displays at the bottom of the screen. The device user can tap the button to provide the password.
Email App Setup: Indicates whether the MobileIron app can communicate with the email app.
If the device is using TouchDown, then TouchDown will launch and prompt the user to accept the license agreement and enter the password.
If the device is using the Samsung native email client, then the Go to Email button displays. When the device user taps the button, the MobileIron app displays an alert stating that the configuration will take some time to complete, and that a notification will prompt the user to activate the Device Administrator privileges for the email client.
If an error occurs, an error message displays. The device user can tap the View Details button and email details to the administrator.
If the device is using the HTC native email app, the app launches after setup is completed.
If the device is using the Motorola native email app, the app is configured successfully, but the user must launch it manually. The user follows the steps in the app. The app exits after each step and the user must relaunch it. After one time through this process, the app is completely set up.
It is from a source that the Android OS trusts (that is, it can be checked against the trusted CA certificates installed on the device).
The CN attribute in the certificate must match the email address in the email profile.
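The checklist behaviour described under How the Email Setup screen works (run the tests in order, stop at the first failure, leave the rest untested) together with the two certificate requirements listed just above, as an added Python illustration that is not MobileIron code. The profile dict and its field names, the trusted issuer set, and the test names Certificate Trusted and Certificate CN are constructed assumptions; the certificate record uses the subject/issuer tuple layout that Python's ssl.getpeercert() returns, so the name parsing is realistic.

```python
"""Email Setup checklist: run tests in order and stop at the first failure.

Added illustration, not MobileIron code. Profile layout, field names and the
trusted issuer list are constructed assumptions.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed profile: what an email configuration might carry to the device.
EXAMPLE_PROFILE: Dict = {
    "email_address": "jane.doe@example.com",
    "password": "",  # missing, so the Profile Complete test fails first
    "certificate": {  # same subject/issuer layout as ssl.getpeercert()
        "subject": ((("commonName", "jane.doe@example.com"),),),
        "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    },
}

# Constructed stand-in for the device's trusted CA store, keyed by issuer CN.
TRUSTED_ISSUER_CNS: Set[str] = {"Example Corp Issuing CA"}


def rdn_value(name: tuple, attr: str) -> str:
    """Return one attribute (e.g. commonName) from an ssl-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def check_profile_complete(profile: Dict) -> Tuple[bool, str]:
    """Profile Complete: the native email apps need the password in the profile."""
    if profile.get("password"):
        return True, "password present in profile"
    return False, "password missing: show the Enter Password button"


def check_certificate_trusted(profile: Dict, trusted: Set[str]) -> Tuple[bool, str]:
    """The certificate must come from a source the device trusts (issuer CN here)."""
    issuer_cn = rdn_value(profile["certificate"]["issuer"], "commonName")
    if issuer_cn in trusted:
        return True, f"issuer '{issuer_cn}' is in the device trust store"
    return False, f"issuer '{issuer_cn}' is not trusted by the device"


def check_certificate_cn(profile: Dict) -> Tuple[bool, str]:
    """The certificate CN must match the email address in the profile."""
    cn = rdn_value(profile["certificate"]["subject"], "commonName")
    email = profile["email_address"]
    if cn.lower() == email.lower():
        return True, "certificate CN matches the profile email address"
    return False, f"certificate CN '{cn}' does not match '{email}'"


def run_checklist(profile: Dict, trusted: Set[str]) -> List[Tuple[str, str, str]]:
    """Run the tests in order; after the first failure the rest are skipped.

    Each result is (test name, 'pass' | 'fail' | 'skipped', detail), one per
    row of the screen, so a caller can draw the green check or the red X.
    """
    tests: List[Tuple[str, Callable[[], Tuple[bool, str]]]] = [
        ("Profile Complete", lambda: check_profile_complete(profile)),
        ("Certificate Trusted", lambda: check_certificate_trusted(profile, trusted)),
        ("Certificate CN", lambda: check_certificate_cn(profile)),
    ]
    results: List[Tuple[str, str, str]] = []
    blocked = False
    for name, test in tests:
        if blocked:
            results.append((name, "skipped", "not run until the earlier issue is resolved"))
            continue
        ok, detail = test()
        results.append((name, "pass" if ok else "fail", detail))
        blocked = not ok
    return results


if __name__ == "__main__":
    marks = {"pass": "[check]", "fail": "[X]", "skipped": "[ ]"}
    for name, status, detail in run_checklist(EXAMPLE_PROFILE, TRUSTED_ISSUER_CNS):
        print(f"{marks[status]} {name}: {detail}")
```

Run as a script it prints one row per test. Because the constructed profile has no password, only Profile Complete runs and the two certificate tests stay untested until the password is supplied, which is the stop-at-first-issue behaviour the screen shows with its red X.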
Troubleshooting Wi-Fi setup on Android devices
Certain Wi-Fi configurations require user input. For example, WPA2 Enterprise configurations require the device user to enter the password. When input is required, the device user receives an Android notification, as shown in the following screen.
The device user can tap the notification to begin the Wi-Fi setup process.
Displaying the Wi-Fi Setup page
If the device fails to access Wi-Fi, then the administrator can direct the device user to
the Wi-Fi Setup page:
1. Start the MobileIron for Android app.
2. Tap the menu button on the device.
3. Tap Options.
4. Tap Wi-Fi Setup.
If only one Wi-Fi network has been configured, then the setup screen for that network
is displayed.
If multiple networks have been configured, then a list of those networks is displayed,
as shown in the following figure.
Networks that are properly configured display with a green check. Networks that are
not properly configured or require input from the device user display with a red X. Tap
an entry to display the details for that network's configuration.
The following table describes the entries in the Wi-Fi Setup screen.
Profile Complete: Indicates whether a required password is missing from the profile. For example, certain Wi-Fi configurations require a password, so a missing password would cause this test to fail for those configurations. If this test fails, then an Enter Password button displays at the bottom of the screen. The device user can tap the button and provide the password as specified by the administrator.
Wi-Fi Setup Complete: Indicates that all tests have passed and setup is complete.
Certificate configuration support on the
MobileIron for Android app
The MobileIron app includes the following certificate setup support:
Certificate Setup screen available from the Options menu
certificate provisioning triggered by Wi-Fi setup
certificate alerts
Select a certificate and tap View Details to display certificate information. Tap Reprovision Certificates to retrieve new or updated certificates.
Tap View Details to display more information. If certificates are present, but do not
meet requirements, then a Reprovision Certificates button displays, as well.
Certificate alerts
When the administrator pushes certificates to supported Android devices, the device
receives a system notification, provided the device is compliant with existing passcode
and encryption policies. Tap the notification to begin the provisioning process.
Appendix H
Using Secure Sign-In
Devices configured for multi-user support receive a Secure Sign-In web clip.
Tapping the Secure Sign-In web clip displays the following page.
Entering a valid username and password prompts MobileIron Core to apply the profiles
configured for the device.
When the device user is ready to sign out, tapping the web clip displays the following
page:
Tapping Sign Out removes the managed apps and profiles.
Note: The Secure Sign-in web clip is impacted by web content filters, available in
supervised devices starting with iOS 7. Make sure your web content filters do not
block access to MobileIron Core. If Core access is blocked, the secure sign-in web clip
cannot work. For more information, see Web content filter settings on page 331.
Setting Secure Sign-In preferences
Before you enable Secure Sign-In, you should review the default global preferences to
ensure that they meet your needs:
1. Select Settings > Preferences.
2. Under Multi-User Preferences, select one of the following settings to specify how to
handle Wi-Fi settings when device users sign out:
Keep Wi-Fi settings
Remove Wi-Fi settings for cellular-enabled devices
Remove Wi-Fi settings for cellular-enabled and Wi-Fi-only devices
3. If you want to clear the passcode on the device when the device user signs out,
select the Clear passcode option.
4. Click Save.
Setting unique restrictions for signed-out
devices
The "Signed-Out" label enables you to specify more-stringent restrictions for multi-user
devices when a user signs out. This is a dynamic label that applies automatically to
any multi-user iOS device that does not have a signed-in user.
To specify restrictions:
1. Create the restrictions that you want applied when a user signs out.
For example, you might want to disable access to YouTube when an authorized user
is not signed in.
2. Apply each policy and configuration to the Signed-Out label.
Example
Suppose you want iPads to be restricted to basic web use when an authorized user is
not signed in. You would need to create a Restrictions configuration to lock down the
camera, inappropriate content, screen captures, app installation, and so on.
From this point on, all multi-user devices will receive the new restriction settings upon
sign-out.
Enabling Secure Sign-In
To enable Secure Sign-In:
1. Select Policies & Configs > Configurations.
2. Select the System - Multi-User Secure Sign-In configuration.
3. Select More Actions > Apply To Label.
4. Select the label or labels that represent the devices to be configured for multi-user
sign-in.
5. Click Apply.
Remote sign-out
To sign out a user on a multi-user device from the Admin Portal:
1. Select the device in the Devices page.
2. Select More Actions > iOS Only > Sign out.
What gets removed on sign-out
Appendix I
Examples include:
A retail store might want to use tablets to provide one or two custom apps for customers to use while shopping.
A school might want to distribute tablets that present only appropriate apps for the
user who signs in.
Note: Though the Android kiosk feature allows multiple users to log in on a given
device, it does not represent full multi-user support. It is intended as a view filter for
apps. The profiles on the device do not change when different users log in. Instead, a
different list of apps displays based on the current user.
Requirements
Android kiosk mode is supported for Samsung SAFE 3.0 devices.
Setup steps
To set up an Android kiosk device:
1. Create an Android kiosk policy.
2. For multiple-app mode, create an Android kiosk configuration for each combination
of LDAP group and accessible apps. Do not complete this step for single-app mode.
Note: The device user who logs in must belong to a specified LDAP group.
The policy specifies the kiosk type. The configuration specifies which apps to display to
which users in multiple-app mode.
These instructions assume that the apps are already installed on the devices. If any apps specified in the kiosk setup are not installed on the device, that app will be represented by a blank icon.
The package name is included in the URL, as shown in the figure above.
Creating an Android Kiosk policy
The Android Kiosk policy specifies the behavior of a kiosk device. The behavior options
vary based on whether the policy specifies a single-app kiosk or multiple-app kiosk.
Single App package name: Enter the package name for the app. The typical package name has the following format:
com.company.app
Enable Android functions
System bar: System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.
Task manager: The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.
Notification bar expansion: The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.
Navigation bar: For Android 4.0, the navigation bar is present only on devices that don't have the traditional hardware keys. It contains the Back, Home, and Recents controls. Select this option if you want device users to be able to access the navigation bar.
Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.
Status bar: The status bar displays pending notifications on the left and status, such as time, battery level, or signal strength, on the right.
Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.
3. Click Save.
4. Assign the policy to the appropriate label to push it to the target devices.
3. Use the following guidelines to complete the remaining options:
Kiosk multi-user login: Enable this option to allow different users to log in. Device users enter their MobileIron credentials to access the kiosk. The credentials entered determine who is recorded as the current user, the apps to display, and whether that user has permission to exit kiosk mode from the device.
Note: The credentials entered do not affect the profiles installed on the device.
Inactivity logout: Select the duration of inactivity after which the user will be signed out. This option applies to multi-user kiosks only.
Administrative access to exit Kiosk mode: If you want to specify users who have permission to disable kiosk mode from the device, specify the corresponding LDAP groups for those users. You can choose from the LDAP groups that you specified in Settings > LDAP for each LDAP server.
Branding
Background Color: Enter the hex triplet for the color you want to apply to the kiosk display background.
Banner Color: Enter the hex triplet for the color you want to apply to the banner at the top of the kiosk display.
Banner Text Color: Enter the hex triplet for the color you want to apply to the text in the banner at the top of the kiosk display.
Banner Text: Enter the text you want to display in the banner at the top of the kiosk display.
Banner Logo: Click Browse to select a logo. The logo must be a JPEG or PNG graphic. Image sizes vary for different devices. 120x120 pixels is appropriate for most phones. 180x180 pixels is appropriate for most tablets. The image must be smaller than 100 KB.
Enable Android functions
System bar: System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.
Task manager: The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.
Notification bar expansion: The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.
4. Click Save.
5. Assign the policy to the appropriate label to push it to the target devices.
6. Create an Android kiosk configuration to specify the apps to be used.
Creating an Android Kiosk configuration
The Android kiosk configuration has the following functions:
specifies the apps to be displayed for multiple-app devices
specifies which LDAP groups (and, therefore, which users) have access to those apps
You can apply multiple kiosk configurations. The union of the configurations determines which apps to display.
Note: Do not assign a kiosk configuration to a device configured for single-app mode. The LDAP group access specified in the configuration would effectively disable the specified apps on a single-app mode device.
Enabling/Disabling Android kiosk mode
The first time the necessary policy and configuration are pushed to the device, a kiosk
item displays in the Apps@Work screen on the device. Tap Kiosk Mode to initiate kiosk
mode.
Afterwards, you can enable and disable Android kiosk mode from the Admin Portal.
Users with assigned privileges can also disable kiosk mode on a kiosk device.
Only users configured for administrative access in the kiosk policy can disable kiosk
mode from the device. The kiosk must be configured to support multiple apps and
multiple users. To disable Android kiosk mode from the device:
1. Log in as a kiosk administrator.
2. Tap the Exit Kiosk icon at the top of the screen.
Example
Consider a school that wants to install the following apps on several tablets. Though
all the apps will be installed on each tablet, the apps that are displayed depend on
which user has logged in.
The following table shows the apps and the LDAP groups that should have access to
them.
LDAP Groups / Apps: View, Update, Send 2 Parents, Send 2 Teachers
Teachers: yes, yes, yes, yes
Tutors: yes, yes, yes
Students: yes
Device details
The Device Details pane in the Admin Portal displays the following information about
kiosk mode:
whether kiosk mode has been enabled
the device user currently logged in on the device.
Deployment notes
Kiosk mode is a viewing filter only
Kiosk mode is NOT an App Blocking feature. It only restricts the viewing of apps
which can be launched.
Apps must be installed on the device for them to launch from the kiosk.
Distribute apps with the silent install option enabled.
Eases the deployment process
Configuring which apps to run
Single App mode uses the Android kiosk policy.
Multiple Apps mode uses kiosk configurations
Apps defined in kiosk configurations with no LDAP groups defined apply to ALL
kiosk users.
The union of all kiosk configurations applicable for a kiosk user determines the
list of apps to display.
If the device loses its connection to MobileIron Core, then kiosk mode cannot be
disabled. You must do a factory reset.
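The union rule and the no-LDAP-groups rule from the deployment notes above, plus the blank-icon note under Setup steps, applied to the school example from the Example section, as an added Python illustration that is not MobileIron code. The configuration names, the split into one configuration per app, the Campus Map configuration and the Tutors row (View, Update, Send 2 Parents) are constructed assumptions; the Tutors row is assumed because the extracted table lost its column alignment.

```python
"""Resolve the app list a multiple-app kiosk user sees from the applied
kiosk configurations.

Added illustration of the rules in the deployment notes; not MobileIron code.
Configurations, group memberships and the Tutors row are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class KioskConfig:
    """One Android kiosk configuration: apps plus the LDAP groups that may see them.

    An empty ldap_groups set means the apps apply to ALL kiosk users.
    """
    name: str
    apps: FrozenSet[str]
    ldap_groups: FrozenSet[str] = field(default_factory=frozenset)

    def applies_to(self, user_groups: Set[str]) -> bool:
        return not self.ldap_groups or bool(self.ldap_groups & user_groups)


def visible_apps(user_groups: Set[str], configs: List[KioskConfig]) -> Set[str]:
    """Union of the apps from every configuration that applies to the user.

    This is a viewing filter only: it decides which icons the kiosk shows,
    not whether an app can run on the device.
    """
    apps: Set[str] = set()
    for cfg in configs:
        if cfg.applies_to(user_groups):
            apps |= cfg.apps
    return apps


def blank_icons(visible: Set[str], installed: Set[str]) -> Set[str]:
    """Apps the kiosk would show as blank icons because they are not installed."""
    return visible - installed


# Constructed configurations reproducing the school example, one per app.
SCHOOL_CONFIGS: List[KioskConfig] = [
    KioskConfig("view", frozenset({"View"}),
                frozenset({"Teachers", "Tutors", "Students"})),
    KioskConfig("update", frozenset({"Update"}), frozenset({"Teachers", "Tutors"})),
    KioskConfig("send-parents", frozenset({"Send 2 Parents"}),
                frozenset({"Teachers", "Tutors"})),  # Tutors row assumed
    KioskConfig("send-teachers", frozenset({"Send 2 Teachers"}), frozenset({"Teachers"})),
]

# Constructed: a configuration with no LDAP groups is shown to every kiosk user.
CAMPUS_MAP_CONFIG = KioskConfig("campus-map", frozenset({"Campus Map"}))


if __name__ == "__main__":
    installed = {"View", "Update", "Send 2 Parents"}  # constructed device state
    for group in ("Teachers", "Tutors", "Students", "Visitors"):
        shown = visible_apps({group}, SCHOOL_CONFIGS + [CAMPUS_MAP_CONFIG])
        print(f"{group}: {sorted(shown)}; blank icons: {sorted(blank_icons(shown, installed))}")
```

Running it lists the apps each LDAP group sees once both the school configurations and the group-less Campus Map configuration are applied, and which of those would appear as blank icons on a device that has only some of them installed.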
Appendix J
What is MyPhone@Work?
MyPhone@Work is a self-service web application that enables MobileIron users to participate in the management of their devices. Registered users can do tasks like:
Track their activity
Manage contact information
Set privacy options
Remotely lock a phone
Browser Settings
Your browser needs to be configured to display mixed content to ensure full access to
all tabs in MyPhone@Work.
Supported platforms
The following table lists the platforms supported for MyPhone@Work and its features.
Getting started
MyPhone@Work gives device users the ability to perform basic tasks without administrative intervention.
Logging in
Users who did not self register will need the MobileIron administrator to provide the
URL to the MobileIron Server, as well as the user ID and password for their account.
As with the Admin Portal, the user ID and password are case sensitive.
https://<MobileIron_server>
To log in:
1. Enter the user ID.
2. Enter the password.
3. Click Sign In.
The following page displays.
Note: The following tabs will be disabled if you have default settings applied:
Contacts
Calls & Texts
Activity
To enable these tabs, click Settings and enable the displayed options. Note that it may
take some time for the data associated with these tabs to display.
Registering phones
If you have been assigned the MyPhone@Work Registration role, then you can register
your own phones without help from your MobileIron administrator.
To register a phone from MyPhone@Work:
1. Click the Add a Phone link.
My device has no phone number: Select this option if your device has no phone number. MobileIron will handle this device as a WiFi-only device.
Country: Select the home country for this device. The country you select determines the content of the Country Code field. This option is available only if you have a cellular device; it is grayed out if you selected My device has no phone number.
Mobile: Enter the prefix and number, if any, for this device. Enter numbers only, with no leading zeros or spaces. The Country Code is filled in automatically based on your selection from the Country list.
Operator: Select the name of the mobile service provider for this phone.
Why: The name of the operator is required for proper transmission of SMS messages.
Platform: Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled for registration.
Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.
Device Language: Select a language from the dropdown list. Your administrator must enable supported languages to enable this feature. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.
I own this device: Select this option if this phone is your property, and not provided by your company. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 143 for information on labels.
Why: Administrators may want to assign different policies to phones based on ownership.
3. Click Register.
Searching
You can search MyPhone@Work for specific content. Select one of the following content types from the dropdown list in the upper right corner:
Calls & Texts
Contacts
Applications
Enter the text to search for in the field to the right and click the icon.
Logging out
Click Log Out in the upper right corner to end your MyPhone@Work session.
Home
The Home page gives you an initial snapshot of your phone and your usage.
Communication Graph
The Communication Graph gives you a graphic snapshot of your communications.
Matched contacts are indicated in the node labels. Non-contacts are identified by
number.
The lengths of the lines joining the nodes indicate the relative rank of the corresponding contacts. In other words, those contacts you communicate with more frequently are displayed with shorter lines. Click the arrow under the Communication Graph title bar to display the underlying data for the graph.
Click a node in the graph to show the data for your interactions with just the corresponding phone.
My Usage
The My Usage section in the Home page provides a quick snapshot of your usage,
updated daily.
Storage
The Storage section provides a rough chart of internal and removable storage currently available on the phone.
Lost Phone
The Lost Phone section enables you to act in the event that your phone is lost or stolen. Select from the following options:
Find It
Lock It
Wipe It
Note: Your administrator must give you the required roles for access to these buttons.
2. If the last known location may be out of date, click the Update Location button to
remotely enable GPS and obtain a lat/long reading.
3. Click OK to continue, despite the possibility that contacting the phone might take
some time.
A Cancel button is available in case the process takes longer than expected.
Wipe It
Click Wipe It to return your phone to factory defaults. This feature is available only if
you have been assigned the MyPhone@Work Wipe role.
3. Click Restore.
4. Select the device whose backup snapshots you want to select from.
5. Select the snapshot to use.
6. Select the resources to restore (i.e., User Files and/or Storage Card).
7. Click Apply.
My Apps
The My Apps section lists newly added apps available for your phone.
Click the My Apps link to display the Applications screen, or click the link for a displayed app to go directly to that page.
Contacts
Click the Contacts tab to display the list of contacts synchronized between your phone and MyPhone@Work. If the Contacts tab is not enabled, then your MobileIron administrator did not enable contact synchronization. See Preferences on page 960.
Note: Contacts stored on the SIM card are not synchronized at this time.
Displaying contacts
Click a contact to display the information for that contact.
Searching contacts
To search your contact list, enter text in the Search Contacts field. You can search
your contacts list based on any name or number fields, such as First Name, Last
Name, Home Phone, and so on.
Adding contacts
To add a contact:
1. Click New Contact.
2. Enter information for this contact.
Note: The contact name is limited to 32 characters. If you enter more than 32 characters, the contact name will be shortened to the first 32 characters when you save your changes.
3. Click Save.
The next time your phone connects to MobileIron, this new contact will be added to
the list of contacts on your phone.
Editing contacts
To edit a contact:
1. Select the contact from the list in the Contacts page.
2. Click Edit.
3. Make the necessary changes.
4. Click Save.
Your changes will be copied to your phone the next time it connects to MobileIron.
Deleting contacts
To delete a contact:
1. Select the contact from the list in the Contacts page.
2. Click Delete.
Calls & Texts
Click the Calls & Texts tab to view your phone activity.
Click the heading for any column to sort the displayed list based on that column. Displayed contact names are links to the information for the corresponding contacts. If you click an unknown contact, you are invited to add the contact to your address book.
Showing/Hiding content
By default, the content of texts is hidden for privacy purposes. You can display the
content by clearing the Hide Text Content checkbox.
Using keywords
Enter text in the Keywords field to restrict the display to those entries containing the
specified text. For texts, the keywords will be matched against the content as well as
the contact information.
Displaying calls and/or texts
Select Calls, Texts, or both to specify which to include in the display. If you select
Calls, all calls are included by default. Select Missed or Dropped to include only these
call types.
Note: Specifying Missed or Dropped excludes Texts from the filter criteria.
Activity
The Activity page displays your statistics for calls, SMS, and data, and compares them
to the average calculated for your MobileIron implementation.
Filtering activity
To filter display activity:
1. Select Call, SMS, or Data from the Select Activity list.
2. Click the From field to select a start date.
3. Click the To field to select an end date.
4. Select the Refresh link.
Apps
Click the My Apps icon to display the Applications page.
Browsing apps
The Applications page lists the applications recommended by your organization. The
MobileIron administrator can group these applications into custom categories. Click a
category to browse the applications available for download.
To determine which applications are currently installed on your phone, click Apps On
My Phone.
Installing apps
You can install apps that are displayed in the My Apps page. To install an app:
1. Click the icon for the app.
Uninstalling apps
To uninstall apps that are currently installed on your phone:
1. Click Apps On My Phone
2. Select the app from the displayed list.
Preferences
Use the Preferences page to change customizable settings.
Privacy settings
Use the following guidelines for your privacy settings:
Sync contacts: Specify whether you want to copy contact information between your phone and MyPhone@Work. If you choose not to synchronize contacts, then the Contacts tab will be disabled. Note that contacts stored on your SIM card are not currently synchronized.
Sync text content: Specify whether to maintain a record of SMS text content on MyPhone@Work. Administrators do not have access to this content, regardless of your preference for this setting. However, note that choosing not to sync content does not prevent activity data from being synced.
Account settings
Change Password
To change your MobileIron password, click the Change Password link. This option does
not apply to users whose accounts are managed through LDAP.
Certificate
To upload a personal certificate:
1. Click Upload Certificate.
2. Click Browse to select the certificate.
3. Enter the password for the certificate.
4. Confirm the password.
5. Click Upload Certificate.
Appendix K
MobileIron Standard Appliance (M2100 3rd
Generation)
The MobileIron appliance is a tightly integrated hardware, OS, application, and database solution that is built, optimized, and certified by MobileIron. This section provides the specs for the next generation appliance. If you received an earlier appliance, see MobileIron Standard Appliance (M2100 2nd Generation) on page 966.
System
Processor 3.5 GHz Quadcore Xeon CPU
Memory 32 GB
Drives 2x 500 GB Hot-swap SATA
6.0 GB Hard Disk Drives (RAID 1)
1x Slim DVD drive
Chassis
Form Factor 19 1U Rackmount
Dimensions (D x H x W) 22.6 x 1.7 x 16.8 (574mm x 43mm
x 426 mm)
Weight 32 lbs (16.5 kg)
Front Panel
Buttons Power On/Off
System Reset
LEDs Power LED
Hard drive activity LED
2x Network activity LEDs
System Overheat LED
USB 2x USB Ports
Drives 2x 500 GB Hot-swap SATA
6.0 GB Hard Disk Drives (RAID1)
1x Slim DVD Drive
Back Panel
IPMI Intelligent Platform Management Inter-
face (IPMI) 2.0 with virtual media over
LAN and KVM-over-LAN support
1x 10/100BASE-T (RJ45)
Ethernet 2x 10/100/1000BASE-T (RJ45)
VGA 1x VGA (DB15)
PS/2 PS/2 keyboard and mouse ports
USB 2x USB rear ports
Serial 1x Serial port (DB9)
Power Supply
Power: 350 W AC power supply w/ PFC
AC Voltage: 100 - 240V, 50 - 60Hz, 4.2 - 1.8 Amp Max
+5 V: 18 Amp
+5 V standby: 3 Amp
+12 V: 29 Amp
+3.3 V: 15 Amp
Connector: IEC 60320-C13
Operating Environment
Operating: Temperature 50 to 95°F (10 to 35°C); Relative Humidity 8% to 90% (non-condensing)
Non-Operating: Temperature -40 to 158°F (-40 to 70°C); Relative Humidity 5% to 95% (non-condensing)
Heat Output: 682 BTU/hr (3.412 BTU/hr/W * 200 W)
MobileIron Standard Appliance (M2100 2nd Generation)
The MobileIron appliance is a tightly integrated hardware, OS, application, and database solution that is built, optimized, and certified by MobileIron. This section provides the specs for the 2nd generation appliance.
System
Processor: 2.53 GHz Quadcore Xeon CPU
Memory: 16 GB
Drives: 2x 250 GB Enterprise Hard Disk Drives (RAID 1); 1x DVD drive
Chassis
Form Factor: 19" 1U Rackmount
Dimensions (D x H x W): 15.75" x 1.7" x 16.8" (400 mm x 43 mm x 426 mm)
Weight: 17 lbs (7.7 kg)
Front Panel
Buttons: Power On/Off
LEDs: Power LED; System Overheat LED
USB: 2x USB Ports
Serial: 1x Serial Console (RJ45)
Back Panel
IPMI: Intelligent Platform Management Interface (IPMI) 2.0 with virtual media over LAN and KVM-over-LAN support; 1x 10/100BASE-T (RJ45)
Ethernet: 2x 10/100/1000BASE-T (RJ45)
VGA: 1x VGA (DB15)
PS/2: 2x PS/2 keyboard and mouse ports
USB: 2x USB Ports
Serial: 1x Serial port (DB9)
Power Supply
Power: 200 W maximum
Voltage: 100 - 240V, 50-60Hz, 4 - 2 Amp Max
Connector: IEC 60320-C13
Operating Environment
Operating: Temperature 50 to 95°F (10 to 35°C); Relative Humidity 8% to 90% (non-condensing)
Non-Operating: Temperature -40 to 158°F (-40 to 70°C); Relative Humidity 5% to 95% (non-condensing)
Heat Output: 682 BTU/hr (3.412 BTU/hr/W * 200 W)
MobileIron M2500 Series Appliance
The M2500 Series large-scale deployment appliance provides the tightly integrated solution of the standard appliance, with the resources necessary for larger deployments.
Form Factor
1U Rackmount Chassis, 27.75" Depth
Processors
2 x Intel Xeon E5-2670 2600 MHz, 8 Cores/16 Threads, 20MB Cache (16 Cores total)
Memory
64 GB, 1600 MHz
USB
2 x Front, 3x Back
LAN
Quad Intel I350 GbE connections
Storage
4 x 600 GB SAS 3Gb/s ports, RAID 10
1 SATA DVD-ROM
Drive Bays
4 x 3.5" hot swap drive bays + one Optical Drive support
VGA
Integrated 2D Video Controller
16MB DDR3 Memory
Expansion Slots
2 x PCI-E Gen3 x16 FHHL via two risers (1 each)
Power
1+1 Redundant 750W Power Supply, Platinum level efficiency
Management
Integrated Baseboard Management Controller, IPMI 2.0 compliant
Full RMM4 (Key and NIC)
Support for Intel Server Management Software
Cooling
Six dual rotor managed system fans
One power supply fan for each installed power supply module
Appendix L
Field Description
HTTP Proxy URL: Enter the URL for the outbound HTTP proxy.
HTTP Proxy Auth Name: Enter the authentication name for the HTTP proxy.
HTTP Proxy Auth Password: Enter the authentication password for the HTTP proxy.
HTTP Client Connect Timeout: Specify the amount of time to wait for the connection setup to complete.
HTTP Client Socket Timeout: Specify the amount of time to wait for a response from the proxy server.
4. Click Save.
At this point, the settings are saved, but not applied.
5. To apply these changes, restart the Tomcat server for MobileIron Core by entering the following commands in the CLI:
enable
service tomcat stop
service tomcat start
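The following is an added example, not code from MobileIron or from this guide: it models the five outbound-proxy fields in the table above (proxy URL, auth name, auth password, connect timeout, socket timeout) and shows how a client applies them, so the difference between the connect timeout (TCP setup to the proxy) and the socket timeout (waiting for a response) is visible in code, and so the proxy credentials travel in a Proxy-Authorization header rather than in the URL or in logs. All hostnames, ports and credentials are constructed placeholders.

```python
"""
Added example (not MobileIron's code): model of the outbound HTTP proxy
settings and a client that applies them. Every host, port and credential
below is a constructed placeholder.
"""
import base64
import http.client
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProxySettings:
    proxy_url: str          # HTTP Proxy URL, e.g. http://proxy.example.internal:3128
    auth_name: str          # HTTP Proxy Auth Name ("" if the proxy needs no auth)
    auth_password: str      # HTTP Proxy Auth Password
    connect_timeout: float  # HTTP Client Connect Timeout, in seconds
    socket_timeout: float   # HTTP Client Socket Timeout, in seconds


def validate(settings: ProxySettings) -> list:
    """Return the problems found; an empty list means the settings are usable."""
    problems = []
    parsed = urlparse(settings.proxy_url)
    if parsed.scheme not in ("http", "https"):
        problems.append("proxy URL must start with http:// or https://")
    if not parsed.hostname:
        problems.append("proxy URL has no hostname")
    if parsed.username is not None or parsed.password is not None:
        problems.append("put credentials in the auth fields, not in the proxy URL")
    if settings.connect_timeout <= 0 or settings.socket_timeout <= 0:
        problems.append("both timeouts must be positive")
    if bool(settings.auth_name) != bool(settings.auth_password):
        problems.append("auth name and auth password must be set together")
    return problems


def proxy_auth_header(settings: ProxySettings) -> dict:
    """HTTP Basic Proxy-Authorization header, or {} when no auth name is set."""
    if not settings.auth_name:
        return {}
    raw = f"{settings.auth_name}:{settings.auth_password}".encode("utf-8")
    return {"Proxy-Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def describe(settings: ProxySettings) -> str:
    """Loggable summary with the password masked, so logs never carry the secret."""
    masked = "***" if settings.auth_password else "(none)"
    return (f"proxy={settings.proxy_url} user={settings.auth_name or '(none)'} "
            f"password={masked} connect_timeout={settings.connect_timeout}s "
            f"socket_timeout={settings.socket_timeout}s")


def fetch_via_proxy(settings: ProxySettings, target_host: str, path: str = "/") -> int:
    """GET https://target_host/path through the proxy and return the HTTP status.

    This opens a live connection, so it is only invoked from __main__ below.
    """
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    parsed = urlparse(settings.proxy_url)
    proxy_port = parsed.port or (443 if parsed.scheme == "https" else 80)
    # The connect timeout bounds only connection setup: the TCP handshake to the
    # proxy and the CONNECT tunnel that connect() establishes through it.
    conn = http.client.HTTPSConnection(parsed.hostname, proxy_port,
                                       timeout=settings.connect_timeout)
    conn.set_tunnel(target_host, 443, headers=proxy_auth_header(settings))
    conn.connect()
    # Once the tunnel is up, the socket timeout bounds each wait for a response.
    conn.sock.settimeout(settings.socket_timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed placeholder settings; no such proxy exists.
    cfg = ProxySettings("http://proxy.example.internal:3128", "svc-core", "s3cret", 10, 30)
    print(describe(cfg))
    try:
        print("status:", fetch_via_proxy(cfg, "www.example.com"))
    except OSError as exc:  # expected when run offline
        print("connection failed:", exc)
```

Running `validate()` before saving is the check worth keeping: a password pasted into the URL field, or a zero timeout, is caught before the Tomcat restart rather than after it, and `describe()` is the form that is safe to write to a log.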
What the HTTP outbound proxy does not apply to
The HTTP outbound proxy does not apply to the following areas; their connections leave MobileIron Core directly rather than through the proxy:
APNS for MDM or the MobileIron Client
MobileIron Sentry
BES integration
SCEP-to-CA connections