MobileIron Cloud R45. Administrator Guide



Table of Contents

Welcome
  What's new
    Apple iOS and macOS
    Android and Android for Work
    Windows
    Security
    Other features
Getting Started
  If you need to change something
  If you did not finish the Startup Wizard
Dashboard
  To add a widget
  To arrange widgets
  To edit a widget
  Reviewing notifications
  Reviewing user password expiration and ID change notifications
  Reports
  Can't see the Dashboard page?
  See Also
Users
  Users > Users
    To add a user
    To add several users
    To add users by uploading a file
    To add an administrator
    The nobody user
    Viewing the device registration PIN information
    Can't do tasks on the Users page?
    See Also
  Users > User Groups
    To create a dynamically managed user group
    To create a manually managed user group
    Can't do tasks on the User Groups page?
    See Also
  Users > User Settings
    Editing the default setting
    Adding a custom setting
    Deleting a custom setting
    Configuring the settings for new device registrations
    Configuring the device limit per user
    Defining the Terms of Service
  Users > User Branding
    License: Gold
    Before you start

    Steps
  Managing Users
    Users > Users
      To add a user
      To add several users
      To add users by uploading a file
      To add an administrator
      The nobody user
      Viewing the device registration PIN information
      Can't do tasks on the Users page?
      See Also
    Adding an API user for Cisco ISE operations
      Can't do tasks on the Users page?
      See Also
    Assigning Roles to Users
      How to give helpdesk staff permission to use basic device actions
      User Roles
      See Also
    Finding and Filtering Users
      To search for a user
      To filter users
    Assigning Users to User Groups
      From the Users page
      From the User Groups page
    Inviting Users
      To invite users
      See Also
    Managing Multiple Administrator Logins
      To view the last administrator login
    Changing a Password
      Changing another user's password
    Extending Password Expiration
      Extending password expiration for other users
    Changing the Tenant Administrator Username
      To change the Tenant Administrator username
    Sending a Message
      To send a message to users
      To send a message to devices
    Removing Users from User Groups
      From the Users > Users page
      From the Users > User Groups page
    Deleting a User
      To delete a user
      What happens when you delete a local user
      What about LDAP users?
    Exporting Users

    Assigning Custom Attributes to Users
    Removing Custom Attributes from Users
    Changing the User Locale
Devices
  Devices
    Managing the devices
    Listing the devices by criteria
    Bulk assign/change users and custom attributes to devices
    Displaying detailed device information
    To search device logs
    Can't see the Devices page?
    See Also
  Devices > Device Groups
    Adding a device group
    Removing a device group
    Can't see the Device Groups page?
    See Also
  Devices > Unmanaged Devices
    License: Silver
    To block a device
    To allow a device that has been blocked
    To clear a device from the list
  Devices > App Inventory
    To display only certain apps
    To display the installed devices for an app
    To display the installed Win32 apps on a device
    To save app inventory to a file
    Can't see the App Inventory page?
    See Also
  Managing Devices
    Device Registration (iOS, macOS, and Android)
      Sending an invitation (iOS, macOS, and Android)
      Instructing end users to download the app (iOS and Android)
      What the end user sees
      If the user does not install the MDM profile
    Device Registration (Windows Phone 8.1 and Windows 10 Mobile)
      Sending an invitation
      What device users do
    Changing Passcode Settings
      To change the assigned Passcode configuration
      To assign a different Passcode configuration
    Finding Device Entries
      To search for a device
      To filter devices
    Using Device Owner
      Important

      Provisioning the device
      See also
    Assigning a Device to a new user
    Forcing a Check-in
      To force a device to check in
    Locating a Device
    Locking a Device
      To lock a device
    Managing devices in Apple lost mode
      Enabling lost mode
      Performing lost mode actions
      Disabling lost mode
    Retiring a Device
      To retire a device
    Wiping a Device
      To wipe a device
    Deleting a Device
    Unlocking a Device
      To unlock a device
      Unlocking Android devices
      Unlocking AppConnect for Android apps
      Unlocking an iOS device
    Restarting or shutting down devices
      Restarting a device
      Shutting down a device
    Clearing the Restrictions Password (iOS only)
      To clear the Restrictions password
    Assigning Custom Attributes to Devices
    Removing Custom Attributes from Devices
    Resetting the PIN
Apps
  Apps > App Catalog
    Licensing for app features
    If an Android device is in Kiosk Mode
    Switching between list and grid view
    Viewing app reputation information
    Adding an app from a public store
    Adding an In-house app
    Deploying in-house apps to Google Play
    Viewing VPP license usage (iOS)
    Revoking a VPP license (iOS)
    Can't do tasks on the App Catalog page?
    See Also
  Viewing App Details
  App Configuration
    App Configuration

    Licensing for app features
    Configuration steps common to multiple apps
    Configuring MobileIron apps
      Configuring the MobileIron app
      Configuring the MobileIron app
      Configuring the MobileIron Tunnel app
      Configuring the MobileIron + for iOS app
      Configuring the MobileIron + for Android app
      Configuring the MobileIron Dataview app
    Using iOS Managed App Configuration
    Choosing Windows 10 apps for your in-house catalog
    Editing Windows 10 app configuration settings
    Using
    Using the Android for Work App Configuration
      To use the Android for Work configuration
    How to create a custom configuration for MobileIron Tunnel for Windows
  Apps > Categories
    To add a category
    To remove a category
    Can't do tasks on the App Categories page?
  Apps > Reviews
    To view ratings and reviews
    To disable ratings and reviews
    To delete a review
    Can't do tasks in the Reviews page?
    See Also
  Apps > Licenses
    License: Gold
    Device-based and User-based license distribution
      Device-based license option
      User-based license option
    To add a VPP app to the catalog
    To distribute licenses for a VPP app in the catalog
    View app licenses per user
    VPP license usage notifications
    Revoking a VPP License
    Can't do tasks on the App Categories page?
  Apps > Catalog Settings
    Changing iOS/macOS app management settings
    Enabling/disabling iOS app updates
    Enabling/disabling application ratings and reviews
    Uploading or updating an iOS/macOS VPP sToken (License: Gold)
    Removing an iOS/macOS VPP sToken from your MobileIron Cloud service
    Can't do tasks in the Catalog Settings page?
  MobileIron Bridge
    MobileIron Bridge supported file types

    MobileIron Bridge setup
    Procuring and activating MobileIron Bridge licenses
    Installing the MobileIron Bridge mobile application
    Uploading scripts to the devices
    Uploading scripts to the devices for one-time use
Content
  Content > Content
    To add content
    To upload a new version
    To delete content
    Can't do tasks on the Content page?
    See Also
  Content > Categories
    To add a category
    To remove a category
    Can't do tasks on the Categories (Content) page?
Configurations
  Configurations
    To add a configuration
    To delete a configuration
    To exclude a configuration
    To push a configuration
    To prioritize configurations
    Can't see the Configurations page?
    See Also
  Custom Configuration
    License: Gold
    Eligible Devices
    Description
    To define a Custom configuration
    Custom Configuration settings
  Home Screen Layout Configuration
    License
    Eligible Devices
    Description
    To define a Home Screen Layout configuration
    Home Screen Layout Configuration settings
  App Control Configuration: Control Which Apps Are Installed Per Device
    Supported Devices
    Steps to define whitelist or blacklist apps
    iOS 9.3 supervised devices
  App Notifications Configuration
    To create an App Notifications configuration
  Managing Configurations
    Configuration Types
      Security

      User Resources
      Enterprise Network Access
      Cellular Network
      More Configurations
    Device Sync Configuration
    See Also
  Variables
    Summary of supported account variables
    Summary of supported device variables
  AppConnect Configuration
    AppConnect Overview
    AppTunnel Overview
    AppConnect-enabled Apps
      Secure apps from MobileIron
      AppConnect and third-party/in-house secure apps
      Status of Secure Apps
    App-specific configuration from MobileIron Cloud
    AppConnect Passcode
      Changing/Resetting the passcode
    Setting Up AppConnect
      License: Gold
      Before you start
      Steps
    Configuring AppConnect Devices
      License: Gold
      AppConnect iOS device settings
      AppConnect Android device settings
    Configuring AppConnect Apps
      Bookmarks settings for app
    Troubleshooting AppConnect Setup
  Security Configurations
    Android for Work Configuration
      License: Gold
      Android for Work settings
    Android Work Challenge
      License: Silver
      To create the Android Work Challenge configuration:
      Configuration Setup settings
    Certificate
      Certificate settings
    Android Encryption
      Encryption settings
    FileVault
      FileVault Recovery Key Redirection
    Identity Certificate Configuration
      Identity certificate settings

    iOS Activation Lock Configuration
      License: Silver
      To enable the iOS Activation Lock
      To use the iOS Activation Lock bypass code
      To clear the iOS Activation Lock bypass code
    iOS Custom Configuration
      iOS Custom settings
    iOS Restrictions
      iOS Restrictions settings
    Lockdown & Kiosk: Android
    Lockdown & Kiosk: Android for Work
      Lockdown settings
      Android for Work lockdown settings
      Device Owner with kiosk mode lockdown settings
    Lockdown & Kiosk: Samsung SAFE
      Lockdown settings
    macOS Firewall
    macOS Restrictions
    Apple App Catalog
    Managed Domains
      License: Silver
      Managed domains settings
    Passcode Configuration
      Passcode settings
    Privacy
      Privacy settings
    Software Updates
      Configuring software updates for iOS devices
      Configuring software updates for Windows devices
        Software updates for Windows 10+ devices
        Software updates for pre Windows devices
        Software updates for Windows devices
    Web Content Filter
      License: Silver
      Web content filter settings
    Windows Information Protection
      License: Gold
      Applicable to: Windows
      To set up Windows Information Protection for Windows:
    Windows Restrictions
      Windows Restrictions settings
  User Resource Configurations
    CalDAV Configuration
      CalDAV settings
    CardDAV Configuration
      CardDAV settings

    Google Configuration
      Google settings
    Email Configuration
      Email settings
      Incoming Mail
      Outgoing Mail
    Exchange Configuration
      Exchange settings
    Font Configuration
      Font settings
    Subscribed Calendar Configuration
      Subscribed calendar configuration
    Web Clip Configuration
      Web clip settings
  Enterprise Network Access Configurations
    AirPlay Configuration
      License: Silver
      AirPlay settings
    AirPrint Configuration
      License: Silver
      AirPrint settings
    Always On VPN Configuration
      Always On VPN settings for Android
      Always On VPN settings for iOS
    Default App Runtime Permissions
      Setting global runtime permissions
      Setting app-specific runtime permissions
    Education
      License: Gold
      Education settings
    Global Proxy Configuration
      License: Silver
      Global proxy settings
    LDAP Configuration
      LDAP settings
    macOS Server Configuration
      To configure macOS Server:
    MobileIron Tunnel Per-app VPN Configuration
      License: Silver
      Per-app VPN settings
        IPsec (Cisco)
        Cisco AnyConnect
        Juniper SSL
        F5 SSL
        SonicWALL Mobile Connect

        Aruba VIA
        Custom SSL
        Palo Alto Networks GlobalProtect
    Single Sign-On Configuration
      Single sign-on settings
    Multi-user Secure Sign-in for iOS
    VPN Configuration
      VPN settings
        L2TP
        PPTP
        IPsec (Cisco)
        Cisco AnyConnect
        Juniper SSL
        F5 SSL
        Aruba VIA
        Custom SSL
        Palo Alto Networks GlobalProtect
        Note: Not applicable to Windows Phone and Android devices
        IKEv2 (Windows Only)
          IKEv2
    VPN On Demand Configuration
      VPN On Demand settings
        IPsec (Cisco)
        Cisco AnyConnect
        Juniper SSL
        F5 SSL
        SonicWALL Mobile Connect
        Aruba VIA
        Custom SSL
        Palo Alto Networks GlobalProtect
    Wi-Fi
      Wi-Fi settings
        WEP, WPA/WPA2, Any (Personal) settings
        WEP Enterprise, WPA/WPA2 Enterprise, Any (Enterprise) settings
  iOS Cellular Network Configurations
    APN Configuration
      APN settings
    Cellular
      Cellular settings for Default APN
      Cellular settings for Data APNs
      Controlling cellular access while roaming
      Controlling cellular access
    iOS Telecom Presets Configuration
      iOS Telecom Presets settings
  Other Configurations

    Apple TV Configuration
      License: Silver
      Apple TV settings
    Lock Screen Message Configuration
      To create a Lock Screen Message configuration
      Lock Screen Message Configuration settings
    Default Device Name Configuration
      License: Silver
      Default device name settings
    iOS Wallpaper Configuration
      License: Silver
      iOS wallpaper settings
    Single App Mode Configuration
      License: Silver
      Single app mode configuration
Policies
  Policies
    To add a policy
    To change a policy
    To delete a policy
    Can't see the Policies page?
    See Also
  Custom policy
    License: Platinum
    Eligible Devices
    Description
    To add a custom policy
    Understanding the conditions settings
    Can't see the Policy page?
  Monitoring and Controlling Allowed Apps
    License: Silver
    Supported Devices
    Before You Start
    Creating an Allowed Apps policy
    See Also:
Admin
  Admin > Certificate Authority
    License: Silver
    Connecting to an external certificate authority
    Creating an intermediate certificate authority
      Generate a CSR (certificate signing request)
      Uploading the signed certificate
      Uploading an existing certificate
    Creating a standalone certificate authority
    Creating a cloud certificate authority
  Admin > Device Partition

    License: Silver
    To create a device partition
    To create rules
    To prioritize partitions
    To assign an administrator to a partition
    See Also
  Admin > Attributes
    To create custom user attributes
    To create custom device attributes
    To view the standard attributes
    See Also
  Admin > Support Administrators
    To create a support administrator
    To end access for a support administrator
    To suspend access for a support administrator
  Admin > System Use Notification
    License: Silver
    To create a system use notification
  Admin > Connector
    License: Silver
    To download a Connector
    To install a Connector
    To access the Connector logs
    Can't see the Connector page?
  Admin > LDAP
    License: Silver
    To add an LDAP server
    Editing the LDAP server information
    Importing LDAP users
    Updating the users, groups, or organizational units selected
    To enable LDAP Sync Discard Notification
    To synchronize changes from the LDAP server
    Troubleshooting Connectivity to the LDAPS Server
    Can't see the LDAP page?
  Admin > Sentry
    License: Silver
    Supported platforms
    To download a Sentry
    To install and register a Sentry
    To set up a Sentry profile
      ActiveSync with basic auth
    To assign a profile to a Sentry
    To set up the Exchange configuration
    See also
    Can't see the Sentry page?
  Identity

  Admin > Identity
    License: Silver
    Overview
    IdP Set Up Types
    To configure an identity provider
    Set up tasks you may need to complete
    Can't see the Identity page?
  Admin > Install MDM Certificate
    To renew the MDM certificate
    Can't see the Install MDM Certificate page?
  Admin > Apple Configurator
    Defining a default user for devices
    Installing apps using Apple Configurator
    Installing apps using EMM server
    What the end user needs to do
    Can't see the Install Apple Configurator page?
  Admin > Device Enrollment Program
    Visit deploy.apple.com
    Connecting MobileIron Cloud to DEP
    Editing the DEP profile
    Editing the DEP authentication setting
    Setting up managed macOS admin account using DEP
  Admin > Education
    License: Gold
    Configuring Education
    Pushing the Classroom app to the teachers
    Disabling Education
  Admin > End User Portal (Branding)
    To brand the Self-Service Portal
  Admin > Apple App Catalog (Branding)
    To brand the Apple app catalog:
  Using Microsoft Azure
    Setting up Azure AD
    Creating Users on Azure AD
    Microsoft Azure AD Enrollment Requirements
    To set up Microsoft Azure with EMM
    Microsoft Azure AD Enrollments with Microsoft Passport for Work Support
  Android for Work
    Configure Android for Work
    Configure Android for Work profile
    Android for Work Accounts
    Configure Android for Work
  Admin > App Reputation
    License: Platinum
    Prerequisites

    Enabling App Reputation
    Can't see the App Reputation page?
  Admin > App Lists
    License: Silver
    To create app lists
    Can't see the App Lists page?
  Admin > Unmanaged Devices
    License: Silver
    Enabling and disabling unmanaged devices
    Distributing apps to unmanaged devices
    Managing unmanaged device users
    Disabling unmanaged devices
  Admin > Infrastructure >
    License: Platinum
    To set up for Android
    To set up for iOS
  Admin > Android App Catalog (Branding)
    To brand the Android app catalog:
  Admin > Android Kiosk Branding
    To brand the Android kiosk screen:
  Using Scheduled Reports
    License: Silver
    Generating a Report
  Using Custom Reports
    License: Gold
    Generating a Report
  Admin > GOOGLE/ANDROID > Google Apps API
    Prerequisites
    To enable the Google Apps API feature:
    Can't see the Google Apps API page?
  Tenant Suspension
  End User Invitation Branding
    Admin > End User Invitation (Branding)
      Previewing and testing an email template
      Customizing the message headers
      Customizing the end user invitation subject and body
      Supported variables
        Recommended variables
        Other supported variables
        Custom user attribute variables
Upgrading
  Upgrading a license
    How do I request an upgrade?
  Upgrading from a previous release
  See also
Packages

  Silver
  Gold
  Platinum
File a Support Ticket
  To access the Support portal
User Licenses
  To see the number of devices/licenses for a user
Device Licenses
How To
  How to use Bulk Enrollment for Android
  How to use Samsung Knox Mobile Enrollment
    Requirements
  How to use AirPlay Mirroring
  Edit an iOS MDM Configuration
    To edit an iOS MDM configuration
  Edit a macOS MDM Configuration
    To edit a macOS MDM configuration
  How to Delete Apps from the App Catalog
  How to Create an Android Shortcut
  How to Deploy Divide Productivity with Android for Work
  How to Deploy Windows Phone 8.1 and Windows 10 Mobile Devices
    How to register Windows Phone 8.1 and Windows 10 Devices
    How to configure updates to your Windows installation
    How to configure the device passcode
    How to configure Exchange
    How to view device details
    How to retire a device
  How to Find the Package ID for an Android App
  How to Export Configurations
  Monitoring and Controlling Allowed Apps
    License: Silver
    Supported Devices
    Before You Start
    Creating an Allowed Apps policy
    See Also:
  Prioritize Configurations
    To prioritize configurations
  Prioritize Policies
    To prioritize policies
  How to Set Up Android for Work
    Supported Devices
    Before You Start
    Connecting MobileIron Cloud with Android for Work
      Getting Your Android for Work Credentials
      Adding your Android for Work MDM Token to MobileIron Cloud
    Synchronizing users between MobileIron Cloud and Google

      Active Directory/LDAP Users
      Local Users
    Deploying Android for Work to Supported devices
      Retiring Registered Devices
      To deploy the device
      Confirming Deployment
    Deploying Android for Work Apps
    Configuring Business Apps
  How to set up the Provisioner app
    Provisioning Requirements
    Enable Android beam to use NFC bump
    Provision a corporate-owned device
    Register the device
    Verify the device registration status
  Setting Up AppTunnel
    Before you start
    Setting up Sentry to use AppTunnel with certificates
    Setting up apps to use AppTunnel
  How to Set Up Docs@Work
    Before you start
    Steps
    Supported content repositories
    Supported authentication to content repositories
    Supported file types
    Annotation
    Viewing
    Editing and annotating documents
    User-added sites
  How To Set Up Kiosk Mode for Android
    License: Silver
    Before you start
    Steps
    Launching Kiosk Mode Remotely
    Disabling Quick Settings in Kiosk Mode
    Exiting Kiosk Mode
  Set Up Single App Mode for iOS
    License: Silver
    Steps
    Using the Phone dialer as the app
  How to Troubleshoot Sentry Issues
  How to Upgrade In-House Apps
    To display a list of app versions
  How to use Help@Work with TeamViewer
    License: Platinum
    Installing TeamViewer
    Requesting a TeamViewer account

    Enabling TeamViewer
    Confirming TeamViewer session ID
    Starting a TeamViewer session
    Accessing a user device with TeamViewer
  How to add management of non-iOS devices
    License: Gold
  Configure MobileIron Tunnel for Android for Work
  Configure VPN Tunnel for Windows and Android
  SCEP Configuration for External Certificate Authorities
  How to Push SyncML to Devices Using Custom Configurations
  How to configure Distribution Filters
  How to use the httpproxy command for Connector
More Details
  Displaying and Hiding Columns
    To display or hide columns
  When to Edit a Username
    If a username conflict happens
  Self-Service Portal
    See Also
  Device Partition Examples
    Administrator per location
    Administrator per OS per location
    Administrator for executives
    Administrator for all other devices
  Android Requirements
    Supported servers
  System Notifications
    To show system notifications
    To investigate a notification
  How to use MobileIron Access
  Sentry Installation Instructions
  Sentry Upgrade Instructions
  Connector Installation Instructions
  Opting Out of Location Data Collection
    For iOS devices
    For Android devices
  MobileIron Cloud Timeout Information
Glossary
Index


Welcome

...to a cloud-based service that you can use to manage devices, including the apps and content on those devices. With MobileIron Cloud, your users can access their apps and data on the device of their choice while you manage and secure the devices, apps, and content on your network.

Note: A third-party vendor translates this Extended Help into many languages. The accelerated release cadence of MobileIron Cloud means that sometimes there is a delay in publishing translated content. If your non-English Extended Help is out of date, access the latest content in English at <base extended help URL>/xx/all/en/desktop/Welcome.htm, where <base extended help URL> is the part of the address that precedes the MobileIron Cloud version number, and xx is the latest MobileIron Cloud version number. For example, to access the release 45 online help, the URL would be <base extended help URL>/45/all/en/desktop/Welcome.htm.

What's new

Apple iOS and macOS
- Enhancements to the Update apps during device checkin option for iOS/macOS app updates on the Apps > Catalog Settings page.
- Select Palo Alto Networks GlobalProtect as a new connection type for VPN, VPN on Demand, and Per-App VPN configurations.

Android and Android for Work
- MobileIron Cloud creates a new default device group called Android Enterprise Devices.
- Administrators can select the list of dangerous permissions that apply to a specific application, instead of having to manage many individual permissions.
- Create and distribute additional Default App Runtime Permissions configurations in addition to modifying the default system configuration.
- Enable the "any lock method" option to let the user choose any lock method, including pattern unlock. This setting overrides all other passcode settings.
- Additional settings are available in the Lockdown & Kiosk: Samsung SAFE configuration: Allow Bluetooth Audio-only, Disable Unknown Sources, and Disable Device Admin Privileges Removal.

Windows

- PowerShell scripts pushed to devices using MobileIron Bridge now support named arguments.
- 64-bit PowerShell scripts are now supported on 64-bit Windows 10 desktop devices.
- Select one of four telemetry levels to control the diagnostic and usage telemetry data that Windows 10 devices send.
- The administrator can reset the PIN for a Windows mobile device from the device details page. A new PIN is generated for the device and can be viewed by clicking the View link.
- View the location of a Windows 10 device on a Google map on the device details page, if location is enabled in the Privacy configuration. The current longitude and latitude are displayed in the left pane.

Security
- PingOne is now supported as a cloud identity provider (IdP).
- SHA-1 is deprecated as the signature hash for new identity certificates; choose one of the other available algorithms. When updating an existing certificate, SHA-1 may be kept only if the current certificate already uses SHA-1. If the current certificate uses an algorithm stronger than SHA-1, switching it back to SHA-1 is not allowed.

Other features
- If Device Owner Settings is turned on and the administrator has marked the device as User Owned, the user is offered the choice of marking the device as User Owned or Company Owned during device enrollment and from the self-service portal.
- Use the Bulk Assign via Upload feature on the Devices page to upload a CSV file that assigns or changes the users and/or custom attributes of devices in bulk.
- Use new conditions when creating a Custom Policy: Android for Work Capable, Custom Attributes (user, device, LDAP), and User Group.
- By default, the user locale is set to the tenant's locale. The administrator can now change the locale for a single user from the user details page.
- View the used (except on Windows) and available internal storage on the device details page.
- For compromised devices, check the violation reason in the Violation columns on the Device Details page (Policies tab) and on the Policies > Compromised Devices page (Active Violations tab, Android only).

Copyright MobileIron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. MobileIron, Inc. does not warrant the use of this publication. For some phone images, a third-party database and image library, Copyright Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separately from the MobileIron product. MobileIron, the MobileIron logos and other trade names, trademarks or service marks of MobileIron, Inc.

appearing in this documentation are the property of MobileIron, Inc. This documentation contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. We do not intend our use or display of other companies' trade names, trademarks or service marks to imply a relationship with, or endorsement or sponsorship of us by, these other companies.
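The SHA-1 rule listed under Security in What's new is easy to get wrong in a renewal workflow, so here is an added example (not MobileIron code, and not how MobileIron Cloud itself implements the check) that reads the signature hash straight out of a DER-encoded certificate with a minimal ASN.1 walker and then applies the three cases: a new certificate, a renewal that keeps SHA-1, and a forbidden move from a stronger hash back to SHA-1. The certificates in the block are constructed DER skeletons with an empty tbsCertificate, and the OID table is an assumed subset of common signature algorithms.

```python
"""Extract the signature hash from a DER certificate and apply the R45 rule:
SHA-1 is deprecated for new identity certificates, a renewal may keep SHA-1
only when the certificate being replaced already uses it, and a certificate
signed with a stronger hash must never be moved back to SHA-1.

Added example; not MobileIron code. Certificates below are constructed."""

# OID -> hash used by the signature. Assumption: a subset covering the
# RSA and ECDSA algorithms an admin is likely to meet on identity certs.
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(cert_der):
    """Hash named by the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Only the outer structure is walked; nothing else is validated."""
    tag, start, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, after_tbs = _read_tlv(cert_der, start)        # skip tbsCertificate
    tag, alg_start, _, _ = _read_tlv(cert_der, after_tbs)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(cert_der[oid_start:oid_end])
    return SIGNATURE_HASH.get(oid, oid)     # unknown algorithm: return the OID


def hash_change_allowed(current_hash, requested_hash):
    """Apply the R45 rule. current_hash is None when creating a new certificate."""
    if requested_hash != "SHA-1":
        return True, "ok"
    if current_hash is None:
        return False, "SHA-1 is deprecated for new identity certificates"
    if current_hash == "SHA-1":
        return True, "existing certificate already uses SHA-1; renewal may keep it"
    return False, f"cannot switch from {current_hash} back to SHA-1"


def _fake_cert(alg_oid_tlv):
    """Constructed DER: SEQUENCE { SEQUENCE {}, SEQUENCE { OID, NULL }, BIT STRING }."""
    alg = b"\x30" + bytes([len(alg_oid_tlv) + 2]) + alg_oid_tlv + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


SHA256_RSA_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
SHA1_RSA_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")

if __name__ == "__main__":
    for name, cert in (("sha256 cert", SHA256_RSA_CERT), ("sha1 cert", SHA1_RSA_CERT)):
        current = signature_hash(cert)
        print(name, current, "-> request SHA-1:", hash_change_allowed(current, "SHA-1"))
```

For a real certificate, pass the bytes of a .der file (or the base64-decoded body of a PEM file) to signature_hash(). The walker reads only the outer signatureAlgorithm and validates nothing else, so treat it as a pre-check on the renewal request, not as a substitute for a full X.509 library.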


Getting Started

When you accessed MobileIron Cloud for the first time, the Startup Wizard was displayed. If you completed the Startup Wizard, you should now have:
- an iOS MDM certificate installed (if completed)
- passcode settings for all devices
- email settings for at least some devices (ActiveSync, IMAP/POP)
- any apps you chose to set up in the app catalog
- users who have been invited to enroll

If you need to change something
Click one of the above links to get information on how to change the things you just set up.

If you did not finish the Startup Wizard
Click each of the above links for information on completing the basics. Note that skipping the iOS MDM certificate installation means iOS devices will not be able to register. Users will see a message stating that iOS device enrollment has not been enabled.


Dashboard

The dashboard shows important statistics about registered devices and users. Each section on the dashboard is called a widget. For each widget, you define:
- the category of data displayed (such as devices or users)
- how the data is grouped (such as by OS version or model)
- how the data is filtered (such as displaying only iOS devices)
- how the data is displayed (such as pie chart or bar chart)

To add a widget
1. Click Add (upper right).
2. Assign a name to the widget.
3. Select a data category.
4. Complete the filtering options as they display.
5. Select the default display type (pie chart, bar chart, line graph).
6. Click Done.

To arrange widgets
Widgets always display three to a row. However, you can change the order in which the widgets are displayed:
1. Click Arrange (upper right).
2. Drag the boxes into the order in which the widgets should appear.
3. Click OK.

To edit a widget
1. Click the settings icon for the widget (upper right).
2. Select Edit.
3. Make your changes.
4. Click Done.

Reviewing notifications

Click the bell icon (top right) or go to the Dashboard > Notifications page to review notifications and take action where necessary. Notifications are classified by the following criteria:

Component Type: APP, LDAP, VPP, iOS, Tenant, Connector, DEP Server Token
Notification Type: Expiration, Data Sync, Usage Limit, Admin Action, Server Authentication Error, Status Change
Severity: Cleared, Information, Critical, Warning

Admins can select the APP component to quickly review all app-specific notifications on the Notifications page and in the bell notification section. If there are new permissions to be accepted for Google Play apps, admins can accept them by clicking the notification rather than visiting each app page to review and accept the permissions.

Reviewing user password expiration and ID change notifications
Admins can review upcoming password expirations on the Notifications page. They are also notified of password expirations from two weeks to one day in advance, with links to CSV report files listing the affected users. Admins can also review a notification that lists the users whose IDs (UIDs) were detected to have changed during the last LDAP sync.

Reports
On the Dashboard > Reports page, you can access the data in your Enterprise Mobility Management (EMM) system. The workflow of a report is:

1. Choose - select from a predefined report template.
2. Define Scope - set the period of time for report data.
3. Set Details - name and customize your report.
4. Run or schedule - run the report immediately or create a schedule.
5. Share - specify who will receive your report.

For more details, see the following topics:
- Dashboard > Reports (Scheduled)
- Dashboard > Reports (Custom)

Can't see the Dashboard page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

See Also
Displaying and Hiding Columns


Users

Users > Users

Before you invite someone to register mobile devices, you need to create a user entry for that person. You also need to create a user for anyone who will use MobileIron Cloud to help manage devices or publish content (administrators). You can add a single user or several users at a time. Once you have added many users, you might want to filter the display to show only the ones you are interested in.

Other things you can do with users on this page include:
- assign to/remove from a user group
- send a message
- invite to register
- assign roles
- change a password
- delete

To add a user
1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information: Email Address, First Name, Last Name. The Username field displays the email address you entered. In most cases, you should not edit this default. See When to Edit a Username.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. If you want to assign a password, enter it in the Password and Confirm Password fields. If you assign a password, you need to communicate it to the user for device registration. If you don't assign a password, the user will need to create a password during device registration.
6. If you want to set up other features before inviting this user, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done.
7. Click Done to add the user.

To add several users
1. Click Add (top right).

2. Select Multiple Users.
3. Type or paste the email addresses of the users, separated by commas.
4. If you want to set up other features before inviting these users, clear the Send this invitation now option. Otherwise, the invitations will be sent when you click Done.
5. Click Done to add the users.

To add users by uploading a file
1. Click Add (top right).
2. Select Multiple Users.
3. Select Upload CSV.
4. Click Download CSV Template.
5. Edit the template with the following information for each user:
   - user ID (required)
   - email address (required)
   - password
   - first name
   - last name
   - display name
   - user groups
   - custom attributes
   This is the same information you enter when adding a single user. Do not exceed 10,000 entries in the file.
6. Save the file.
7. Drag it to the upload area or select Upload CSV to select the file.
8. Once the uploaded user information is displayed, make any necessary edits.
9. Click Next (lower right).
10. If you do not want to send invitations right away, select Do not send invitations.
11. Click Done.

To add an administrator
1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information: Email Address, First Name, Last Name. The Username field displays the email address you entered.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. Assign a password in the Password field.
6. Enter the password again in the Confirm Password field.

7. Click Done to add the user.
8. Communicate the password to the person who will help manage devices.

The nobody user

The nobody user is a default user that cannot be deleted. The service applies this user to devices that do not have associated users, such as retired devices.

Viewing the device registration PIN information

While adding new users, the generated registration PIN information is displayed to admins if the Device Registration Authentication Type is set to PIN Only. This information can be useful to assist users with device enrollments.

For single users, the PIN is displayed via the Users > Invite User to Register action and also in the PIN Info section of the User Details page. For multiple users, the PINs are displayed as a column in the User List page in addition to the PIN Status (Valid or Expired), PIN Issued, and PIN Expires columns.

Can't do tasks on the Users page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- User Management

See Also

Displaying and Hiding Columns

Users > User Groups

Create a user group so that you can assign apps and roles to multiple users. For example, you might create a Managers group if you want all department managers to be administrators for apps and content.

You can create a user group to be managed in one of the following methods:
- Dynamically Managed: Local and LDAP users are added to or removed from the group dynamically based on rules and/or attributes.
- Manually Managed: You add users to or remove users from the group manually. Manually Managed groups are recommended only for testing purposes that require 100 or fewer users.

To create a dynamically managed user group

1. Click Add (top right).
2. Enter a group name (mandatory).
3. (Optional) Click Add Description to add a description.
4. Select the Dynamically Managed option.
5. Set custom rules and/or attributes as per your requirements:
   - For each rule, select between local and LDAP users.
   - You can include or exclude a sub-group by using the User Group filter criteria.
   - Set ANY or ALL conditional filters for rules.
   - Add more rules by clicking the plus character.
   - Create a group of rules by clicking the hierarchical icon next to the plus sign.
   - Review the user group's rules and attributes in the text query below the rules construct.
   - Review the Results for users that match the configured criteria. As you add or modify a rule or an attribute, the matching users are found and displayed if they exist.
6. Click Save.

To create a manually managed user group

1. Click Add (top right).
2. Enter a group name (mandatory).
3. (Optional) Click Add Description to add a description.
4. Select the Manually Managed option.
5. In the Search Users field, type the email address of each user to be included in the group. As you type, the matching users are found and displayed if they exist.
6. Select the users you want to add to the group. You may search and add more users as required.
7. Click Save.

Can't do tasks on the User Groups page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- User Management

See Also

Displaying and Hiding Columns

Users > User Settings

User settings define device registration options. There are several types:

- Device Registration Setting: Sets authentication by password, PIN, or both; and device ownership.
- Device Limit Setting: Sets the number of devices a user can register.
- Terms of Service Setting: Sets the terms of service displayed to the user for each device registration.

You can edit the default settings for the All Users group or add custom settings and assign them to other user groups.

Editing the default setting

Click the Edit link for the setting that has the lock icon. You cannot delete a default setting.

Adding a custom setting

Click the Add setting for specific user groups link.

Deleting a custom setting

Click the x icon.

Configuring the settings for new device registrations

You can configure minimum OS version, authentication type, and device ownership for new device registrations.

The device enrollment URL generated in earlier versions of MobileIron Cloud will cease to work with the current version. The administrator will need to regenerate the device enrollment URL for device registration.

1. Edit the default Device Registration Authentication Type setting or add a new one.
2. Edit or assign a name to identify the setting.
3. Type an optional description of the setting.
4. In the OS Minimum Version Blocking section, define the minimum OS version for iOS, macOS, Android, and Windows:
   a. Select the Enable Minimum Version option.
   b. Select an OS version from the drop-down.
5. In the Device Registration Authentication Type section, select a registration type from the drop-down (note that this setting affects both normal registration and DEP registration. If you use DEP, make sure that your DEP configuration matches your choice here):
   - Password Only

   - PIN Only
   - Password and PIN
   Note: Users may still receive a PIN to complete account activation.
6. For PINs, include the following:
   - PIN lifetime: How long the PIN remains valid (1-30 days)
   - PIN length: The number of characters (4-12)
   - Allow user to request a new PIN (when forgotten or expired)
7. Optionally, turn on Device Owner Settings, and then click User Owned or Company Owned. This setting changes how the device is classified during the registration process. If Device Owner Settings is turned ON and the administrator has marked the device as User Owned, the user will be presented with the option to mark the device as User Owned or Company Owned during device enrollment and also from the self-service portal. For Supervised devices, the device owner setting will be "Company Owned."
8. Click +Add for at least one user group to which you want to distribute the setting.
9. Click Save.

Configuring the device limit per user

1. Edit the default Device Limit setting or add a new one.
2. Edit or assign a name to identify the setting.

3. Type an optional description of the setting.
4. Select a limit from the drop-down.
5. Click +Add for at least one user group to which you want to distribute the setting.
6. Click Save.

Defining the Terms of Service

1. Create a new Terms of Service setting.
2. Assign a name to identify the setting.
3. Type an optional description of the setting.
4. Select the Prompt the user... option.
5. Type a title and text to display.
6. Click +Add for at least one user group to which you want to distribute the setting.
7. Click Save.

Note: Once accepted, the terms of service cannot be deleted. However, you can turn off the prompts for new registrations by clearing the Prompt the user... option.

Users > User Branding

User branding enables you to customize the device registration process with names and logos that your users will recognize. You can customize the user-facing branding in the following ways:
- Set a custom host name for the registration URL
- Display your logo in the registration email and registration screen
- Display a custom favicon during registration activities

License: Gold

Before you start

Decide on the host name you want to use in your custom URL. It must meet the following requirements:
- Contains no spaces
- Contains no special characters
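The checks below are an added example, not MobileIron code: a pre-flight script for the User Branding inputs, covering the host name rule just stated and the logo (PNG, 580 px x 80 px) and favicon (PNG, 64 px x 64 px) file requirements that follow. The PNG dimensions are read directly from the file's IHDR header so the check works without an image library; treating "special characters" as anything other than ASCII letters and digits, and the bytes of the constructed sample PNG header, are assumptions made for this example.

```python
# Added example (not MobileIron code): pre-flight checks for Users > User Branding inputs.
# Assumptions: "no special characters" means ASCII letters and digits only; the sample PNG
# header built by make_png_header() is constructed here and carries no image data.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
LOGO_SIZE = (580, 80)      # logo requirement: PNG, 580 px x 80 px
FAVICON_SIZE = (64, 64)    # favicon requirement: PNG, 64 px x 64 px


def hostname_ok(name):
    """Host name rule: not empty, no spaces, no special characters (assumed: ASCII letters/digits)."""
    return bool(name) and name.isascii() and name.isalnum()


def png_size(data):
    """Return (width, height) from the PNG IHDR chunk; raise ValueError if the header is not valid."""
    # Layout: 8-byte signature, then the IHDR chunk: 4-byte length, 4-byte type,
    # 13 bytes of data (width, height, bit depth, colour type, ...) and a 4-byte CRC.
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("malformed PNG: first chunk is not IHDR")
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:   # CRC covers chunk type + data
        raise ValueError("malformed PNG: IHDR CRC mismatch")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def check_asset(data, expected):
    """True when data is a PNG whose dimensions equal expected (LOGO_SIZE or FAVICON_SIZE)."""
    try:
        return png_size(data) == expected
    except ValueError:
        return False


def make_png_header(width, height):
    """Constructed sample: PNG signature plus a valid IHDR chunk, enough for png_size()."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA, not interlaced
    chunk = b"IHDR" + ihdr
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + chunk + struct.pack(">I", crc)


if __name__ == "__main__":
    for name in ("acme", "acme corp", "acme.corp"):
        print(f"host name {name!r}: {'ok' if hostname_ok(name) else 'rejected'}")
    print("580x80 logo accepted:", check_asset(make_png_header(580, 80), LOGO_SIZE))
    print("600x80 logo accepted:", check_asset(make_png_header(600, 80), LOGO_SIZE))
```

To check a real file, pass `open("logo.png", "rb").read()` to `check_asset`; only the first 33 bytes are inspected, so the CRC check guards against a file whose header has been truncated or edited rather than against a corrupt image body.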

Obtain a logo file that meets the following requirements:
- PNG format
- 580 px x 80 px

Obtain a favicon file that meets the following requirements:
- PNG format
- 64 px x 64 px

Steps

1. Go to Users > User Branding.
2. Click Customize (upper right).
3. In the Hostname field, type a short name to use as the host name in your URL.
4. Click Check Availability to confirm that the host name you entered has not been used by someone else.
5. If the host name is not available, enter a different name.
6. Note the resulting registration URL under URL Preview.
7. Click Next.
8. Under Logo, click Choose File to upload the logo to be used in the registration email and registration screen.
9. Click Next.
10. Under Favicon, click Choose File to upload the favicon to be displayed in place of the MobileIron Cloud favicon during registration activities.
11. Click Done.

Managing Users

Users > Users

Before you invite someone to register mobile devices, you need to create a user entry for that person. You also need to create a user for anyone who will use MobileIron Cloud to help manage devices or publish content (administrators).

You can add a single user or several users at a time. Once you have added many users, you might want to filter the display to show only the ones you are interested in.

Other things you can do with users in this page include:
- assign to/remove from a user group
- send a message
- invite to register
- assign roles
- change a password
- delete

To add a user

1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information:
   - Email Address
   - First Name
   - Last Name
   The Username field displays the email address you entered. In most cases, you should not edit this default. See When to Edit a Username.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. If you want to assign a password, enter it in the Password and Confirm Password fields. If you assign a password, you need to communicate it to the user for device registration. If you don't assign a password, the user will need to create a password during device registration.
6. If you want to set up other features before inviting this user, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done.
7. Click Done to add the user.

To add several users

1. Click Add (top right).
2. Select Multiple Users.
3. Type or paste the email addresses of the users, separated by commas. Example: jdoe@mycompany.com, jsmith@mycompany.com, tjones@mycompany.com
4. If you want to set up other features before inviting these users, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done.
5. Click Done to add the users.

To add users by uploading a file

1. Click Add (top right).
2. Select Multiple Users.
3. Select Upload CSV.
4. Click Download CSV Template.
5. Edit the template with the following information for each user:
   - user ID (required)
   - email address (required)
   - password
   - first name
   - last name

   - display name
   - user groups
   - custom attributes
   This is the same information you enter when adding a single user. Do not exceed 10,000 entries in the file.
6. Save the file.
7. Drag it to the upload area or select Upload CSV to select the file.
8. Once the uploaded user information is displayed, make any necessary edits.
9. Click Next (lower right).
10. If you do not want to send invitations right away, select Do not send invitations.
11. Click Done.

To add an administrator

1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information:
   - Email Address
   - First Name
   - Last Name
   The Username field displays the email address you entered.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. Assign a password in the Password field.
6. Enter the password again in the Confirm Password field.
7. Click Done to add the user.
8. Communicate the password to the person who will help manage devices.

The nobody user

The nobody user is a default user that cannot be deleted. The service applies this user to devices that do not have associated users, such as retired devices.

Viewing the device registration PIN information

While adding new users, the generated registration PIN information is displayed to admins if the Device Registration Authentication Type is set to PIN Only. This information can be useful to assist users with device enrollments.

For single users, the PIN is displayed via the Users > Invite User to Register action and also in the PIN Info section of the User Details page. For multiple users, the PINs are displayed as a column in the User List page in addition to the PIN Status (Valid or Expired), PIN Issued, and PIN Expires columns.

Can't do tasks on the Users page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- User Management

See Also

Displaying and Hiding Columns

Adding an API user for Cisco ISE operations

You can add an API user with the role "Cisco ISE Operations" that allows Cisco ISE to interact with the Cisco ISE APIs in MobileIron Cloud. After you create this user, you use this user's credentials from Cisco ISE to authenticate API calls into MobileIron Cloud. These APIs allow Cisco ISE to get device information; take actions on devices, for example, full wipe, corporate wipe, and PIN lock; and send messages to devices.

Note: Only the Super Admin of a tenant is assigned the Cisco ISE Operations role by default. The Super Admin must explicitly choose the other users in the system who must possess this role and assign it to them. Users that are assigned the Cisco ISE Operations role can, in turn, assign the role to other appropriate users in the system.

To add an API user:

1. Click the Users tab.
2. Click Add.
3. Select API User.
4. Complete the resultant form with the user's information:

   - Email Address
   - First Name
   - Last Name
   The Username field displays the email address you entered. In most cases, you should not edit this default. See When to Edit a Username.
5. If you want to change the display name for this user, edit the default text in the Display Name field.
6. Assign a password by entering it in the Password and Confirm Password fields.
7. Leave the API Management Cisco ISE Operations role selected in the Assign Roles section.
8. Click Done to add the user.

Can't do tasks on the Users page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- User Management

See Also

Displaying and Hiding Columns

Assigning Roles to Users

You can give users access to MobileIron Cloud data and features by assigning roles. You can assign roles directly to users or to user groups. Assigning a role to a user group gives that role to all users in that group.

1. Go to Users > Users or Users > User Groups.
2. Select the link for a user or user group.
3. Click Actions.
4. Select Assign Roles.
5. Select the roles you want to assign.
6. Click Done.

How to give helpdesk staff permission to use basic device actions

The helpdesk roles generally allow staff to view data. However, some organizations prefer to include the basic device actions:
- Force Check-in
- Lock

- Unlock
- Send Message
- Retire
- Wipe

To provide permission to these actions:

1. Go to Users > Users or Users > User Groups.
2. Select the link for a user or user group.
3. Click Actions.
4. Select Assign Roles.
5. Select Device Read Only.
6. Select Device Actions.
7. Click Done.

Note: You must select Device Read Only before selecting Device Actions. Otherwise, users will not have the expected permissions.

User Roles

User roles determine the pages users can see in MobileIron Cloud and the things users can do. The following table lists the roles you can assign and what they mean.

Role: System Management
  Can See: Dashboard, Users, Apps, Content, Admin
  Can Do: All tasks in these pages

Role: System Read Only
  Can See: Dashboard, Users, Apps, Content, Admin
  Can Do: View data in these pages

Role: User Management
  Can See: Users, Apps, Content
  Can Do: All tasks in Users; view data in Apps, Content

Role: User Read Only
  Can See: Users, Apps, Content
  Can Do: View data in these pages

Role: Device Management
  Can See: Users, Devices, Apps, Content, Policies
  Can Do: All tasks in Users, Devices, Policies; view data in Content, Apps

Role: Device Read Only
  Can See: Users, Devices, Apps, Content, Policies
  Can Do: View data in these pages

Role: App & Content Management
  Can See: Users, Apps, Content
  Can Do: All tasks in Users, Apps, Content, including AppConnect tasks

Role: App & Content Read Only
  Can See: Users, Apps, Content
  Can Do: View data in these pages, including AppConnect tasks

Role: Device Actions
  Can See: Users, Devices, Apps, Content, Policies
  Can Do: View data in these pages. Only the following device actions: Force Checkin, Lock, Unlock, Send Message, Retire, Wipe.
  Note: You must select Device Read Only before selecting Device Actions. Otherwise, users will not have the expected permissions.

Role: LDAP User Registration And Invite
  Can See: Users, Apps, Content
  Can Do: Allows a user to register LDAP Users and send invitation(s) to register device(s)

See Also

Assigning Roles

Finding and Filtering Users

Once you have added many users, it can be helpful to use filters or searches to quickly locate a user entry.

To search for a user

1. Go to Users > Users.

2. Type characters in the Find users box (left pane).

To filter users

1. Use the check boxes in the Users > Users page to filter the users, displaying only the ones you are interested in. You can filter based on:
   - User (Enter an existing user.)
   - User Group (Select the user groups of interest.)
   - Invite Status (Select the status check boxes.)
2. In the Users > Users page, you can filter users based on Custom Attributes and other attributes by clicking the settings icon (upper right).
3. The Invite Status filters are:
   - Completed (The user received it and responded.)
   - Expired (The user did not respond in time.)
   - Not Invited (You have not invited this user.)

Assigning Users to User Groups

Assigning users to user groups is a great way to minimize the number of times you need to repeat tasks like:
- distributing apps
- assigning roles

From the Users page

1. Go to Users.
2. Select the users you want to work with.
3. Click Actions (upper right).
4. Select Assign to Group.
5. Select the groups or click Create New to start a new group.
6. Click Save.

From the User Groups page

1. Go to Users > User Groups.
2. Select the user groups you want to work with.
3. Click Actions (upper right).
4. Select Assign Users.
5. Type the email address of each user.
6. Click Assign Users.

Inviting Users

When you add a user, you have an opportunity to invite that user to enroll devices. In fact, this option is selected by default. The invited user receives an email message containing the information needed to enroll. You can also invite (or re-invite) a user from the Users > Users page.

To invite users

1. Go to Users.
2. Select the users you want to invite.
3. Select Actions > Send Invite. The Invitation Preview appears, along with an option to set device ownership to User Owned or Company Owned.

4. Optionally, turn on Device Owner Settings, and then click User Owned or Company Owned. This setting changes how the device is classified during the registration process. This is only applicable for PIN Only or Password + PIN registration types. If Device Owner Settings is turned off, devices will be registered as "Not Set." For Supervised devices, the device owner setting will be "Company Owned."
5. Click Send.

See Also

Importing LDAP users
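The invitation flow above is where a registration PIN is shown for the PIN Only and Password + PIN registration types. The following is an added example, not MobileIron code, that models the PIN settings from Users > User Settings (PIN lifetime 1-30 days, PIN length 4-12 characters, the optional "Allow user to request a new PIN") and derives the PIN Status, PIN Issued and PIN Expires values the user list shows. Digit-only PINs, the record layout and the function names are assumptions made for this example.

```python
# Added example (not MobileIron code): registration-PIN policy model.
# Assumptions: PINs are digits only; a PIN is a dict with "pin", "issued" and "expires".
import secrets
import string
from datetime import datetime, timedelta, timezone

PIN_LENGTH_RANGE = (4, 12)     # "PIN length: The number of characters (4-12)"
PIN_LIFETIME_RANGE = (1, 30)   # "PIN lifetime: How long the PIN remains valid (1-30 days)"


def validate_pin_setting(length, lifetime_days):
    """Reject values outside the ranges the Device Registration setting allows."""
    lo, hi = PIN_LENGTH_RANGE
    if not lo <= length <= hi:
        raise ValueError(f"PIN length must be {lo}-{hi}, got {length}")
    lo, hi = PIN_LIFETIME_RANGE
    if not lo <= lifetime_days <= hi:
        raise ValueError(f"PIN lifetime must be {lo}-{hi} days, got {lifetime_days}")


def issue_pin(length, lifetime_days, now=None):
    """Generate a PIN with the secrets module (not random) and record issue and expiry times."""
    validate_pin_setting(length, lifetime_days)
    if now is None:
        now = datetime.now(timezone.utc)
    pin = "".join(secrets.choice(string.digits) for _ in range(length))
    return {"pin": pin, "issued": now, "expires": now + timedelta(days=lifetime_days)}


def pin_status(record, now=None):
    """The PIN Status column: Valid until the expiry time, Expired from then on."""
    if now is None:
        now = datetime.now(timezone.utc)
    return "Valid" if now < record["expires"] else "Expired"


def renew_pin(record, length, lifetime_days, allow_user_request, now=None):
    """Self-service renewal for a forgotten or expired PIN; allowed only when the setting permits it.
    The returned record notes the status of the PIN it replaces."""
    if not allow_user_request:
        raise PermissionError("this setting does not allow users to request a new PIN")
    new = issue_pin(length, lifetime_days, now)
    new["previous_status"] = pin_status(record, now)
    return new


if __name__ == "__main__":
    rec = issue_pin(6, 7)
    print("PIN", rec["pin"], "issued", rec["issued"].isoformat(), "expires", rec["expires"].isoformat())
    print("status now:", pin_status(rec))
    print("status at expiry:", pin_status(rec, rec["expires"]))
```

The expiry comparison is strict (`now < expires`), so a PIN is reported Expired at the exact expiry instant; keep that convention consistent with whatever records the PIN Expires column, or a PIN can look Valid in one place and Expired in another.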

Managing Multiple Administrator Logins

MobileIron supports multiple MobileIron Cloud admin portal sessions so the administrator can view different pages of the portal at the same time. If you are an administrator, you can view your last login date to help you keep track of multiple logins.

To view the last administrator login

1. Click the Account icon (upper right).
2. View the Last logged in: entry.

Changing a Password

You can change your MobileIron Cloud password. You can also change the password for another user if you have permission.

1. Click the Account icon (upper right).
2. Select Change Password from the pull-down menu.
3. Enter your current password.
4. Enter your new password.
5. Enter your new password again.
6. Click Done.

Changing another user's password

1. Go to Users.
2. Click the display name for the user.
3. Click Edit (upper left).
4. Enter the new password in the Change Password field.
5. Confirm the new password.
6. Click Save (upper left).

Extending Password Expiration

You can extend the expiration of a MobileIron Cloud user password:

1. Go to Users.
2. Click the display name for the user.
3. Click Edit (upper left).
4. Under Password Expiration, enter a number in the Extend by...days field.
5. Click Save (upper left).

Extending password expiration for other users

You can also extend the password expiration for other users if you have permission:

1. Go to Users.
2. Select the users.
3. Click Actions > Extend Password Expiration.
4. On the Extend Password Expiration page, under Password Expiration, enter a number in the Extend by...days field.
5. Click Save.

Changing the Tenant Administrator Username

You can change the Tenant Administrator's username to facilitate the introduction of a new Tenant Administrator. Because the Tenant Administrator can never be deleted, this is a way to change the Tenant Administrator to another username. This feature supports the following scenarios:

User with all roles changes Tenant Administrator username
1. Tenant Admin leaves company.
2. User with User Management role changes Tenant Admin username, email address, first name, last name, and password for the new Tenant Administrator.

See Assigning Roles and Changing a Password for information on assigning roles and changing the password.

Tenant Administrator changes username to new Tenant Administrator before leaving company
1. Before leaving the company, the departing Tenant Administrator changes the username and password.
2. The departing Tenant Administrator passes this information on to the new Tenant Administrator.

To change the Tenant Administrator username

1. Select Users.
2. Select the Users sub-tab.
3. Click the Tenant Administrator's display name.
4. Click Change Username.
5. Enter the new username.

6. Click the check box adjacent to Yes, I want to change the Tenant Admin's Username until a check mark appears in it.
7. Click Save.

Sending a Message

You can send a message to any known user. Messages can be email or push notifications. Only users having enrolled devices can receive push notifications.

To send a message to users

1. Go to Users > Users.
2. Select the users you want to message.
3. Click Actions (upper right).
4. Select Send Message.
5. If you do not want to send email, clear the Send an email message check box.
6. If sending email, enter a subject and message text.
7. If sending a push notification, select the Send a Push Notification check box and enter message text.
8. Click Send.

To send a message to devices

1. Go to Devices > Devices.
2. Select the devices you want to message.
3. Click Actions (upper right).
4. Select Send Message.
5. Optionally, click the device name link to go to the Device details page and click the Send Message icon.
6. If you do not want to send email, clear the Send an email message check box.
7. If sending email, enter a subject and message text.
8. If sending a push notification, select the Send a Push Notification check box and enter message text.
9. Click Send.

Removing Users from User Groups

Removing a user from a user group means:
- any roles assigned to that group are removed from the user
- any apps assigned to that group are no longer available in the user's app catalog
- apps that were configured to be removable are removed from the user's devices

From the Users > Users page

1. Select the user you want to work with.
2. Click Actions (upper right).
3. Select Remove from Group.
4. Select the groups.
5. Click Remove.

From the Users > User Groups page

1. Click the user group to display its details.
2. Click Edit (upper right).
3. Click the Remove link next to the user you want to remove.
4. Click Save (upper right).

Deleting a User

To delete a user

1. Go to Users > Users.
2. Select the entry for the user.
3. Click Actions (upper right).
4. Select Delete.

What happens when you delete a local user

- All information related to a deleted user is deleted from the system.
- Devices associated with the user are retired.
- Content uploaded by the user remains.
- No further device registrations are allowed for the user's account.

What about LDAP users?

- If the LDAP server has been disabled, an LDAP user cannot be permanently deleted. The next sync of LDAP data will restore a deleted LDAP user.
- If the LDAP server or group has been deleted, the LDAP users become local users and can be deleted.
- If a user is deleted on the LDAP server, the user is automatically removed from the service during the next LDAP sync.

Exporting Users

To export a list of users:

1. Go to Users > Users.
2. Filter the list of users as necessary.
3. Click Export to CSV (lower right).

All publishable data for the displayed users is exported to a CSV file, which you can save or open in your default program for CSV files.

Assigning Custom Attributes to Users

You can assign custom user attributes such as Department to one or more users. Each attribute has a corresponding value that you can use for tasks like creating configurations and user groups.

To assign custom attributes to one or more users:

1. Go to Admin > Attributes to create new custom attributes if required.
2. Go to Users.
3. Select one or more users.
4. Click Actions.
5. Select Assign Custom Attributes.
6. Select one of the following options:
   - Force assign (overwrite) all attributes even if any existing values are found.
   - Overwrite only if value is empty, and skip attributes with existing values.
7. Select the attributes you want to assign and enter their values (empty values are not allowed).
8. Click Assign.

Removing Custom Attributes from Users

Proceed with caution as this action is not reversible.

To remove custom attributes from one or more users:

1. Go to Users.
2. Select one or more users.
3. Click Actions.
4. Select Remove Custom Attributes.
5. Select the attributes you want to remove.
6. Click Remove.
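User data enters MobileIron Cloud through the CSV template described under "To add users by uploading a file" (user ID and email address required, at most 10,000 entries) and leaves it through Export to CSV above. The script below is an added example, not MobileIron code, that validates a bulk-user file before it is uploaded, reporting missing required fields, malformed email addresses, duplicate user IDs and the entry limit, so that a bad row is caught before the console's review step. The column header names and the sample rows are assumptions constructed for this example; use the headers from the template you download with Download CSV Template.

```python
# Added example (not MobileIron code): validate a bulk-user CSV before uploading it.
# Assumptions: the column header names below (take the real ones from the downloaded
# template) and the constructed SAMPLE file.
import csv
import io
import re

MAX_ENTRIES = 10_000                  # "Do not exceed 10,000 entries in the file."
REQUIRED = ("user_id", "email")       # user ID (required), email address (required)
COLUMNS = ("user_id", "email", "password", "first_name", "last_name",
           "display_name", "user_groups", "custom_attributes")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple shape check


def validate_user_csv(text):
    """Return (rows, errors): the parsed records and a list of human-readable problems."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing columns: {', '.join(missing)}"]
    rows, errors, seen_ids = [], [], set()
    for line_no, row in enumerate(reader, start=2):       # line 1 is the header
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                errors.append(f"line {line_no}: {col} is required")
        email = (row.get("email") or "").strip()
        if email and not EMAIL_RE.match(email):
            errors.append(f"line {line_no}: invalid email address {email!r}")
        uid = (row.get("user_id") or "").strip()
        if uid:
            if uid in seen_ids:
                errors.append(f"line {line_no}: duplicate user ID {uid!r}")
            seen_ids.add(uid)
        rows.append(row)
    if len(rows) > MAX_ENTRIES:
        errors.append(f"{len(rows)} entries exceed the limit of {MAX_ENTRIES}")
    return rows, errors


# Constructed sample: one good row, one bad email, one missing user ID, one duplicate user ID.
SAMPLE = """user_id,email,password,first_name,last_name,display_name,user_groups,custom_attributes
jdoe@mycompany.com,jdoe@mycompany.com,,Jane,Doe,Jane Doe,Managers,Department=Sales
jsmith@mycompany.com,not-an-email,,John,Smith,,,
,tjones@mycompany.com,,Tom,Jones,,,
jdoe@mycompany.com,jdoe2@mycompany.com,,Jane,Doe,,,
"""

if __name__ == "__main__":
    parsed, problems = validate_user_csv(SAMPLE)
    print(f"{len(parsed)} rows parsed, {len(problems)} problems")
    for problem in problems:
        print(" -", problem)
```

Because the validator only reads the file, it can be run against the template before every upload; the same function applied to an Export to CSV result gives a quick consistency check of what the tenant currently holds, provided the exported headers match the template.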

Changing the User Locale

By default, the user locale is set to the tenant's locale. If required, the administrator can change the locale for a single user as follows:

1. Go to Users.
2. Click the display name for the user.
3. Click Edit (upper left).
4. Under the Locale field, click Change.
5. In the Change User Locale window, select the required locale from the Change user locale to: dropdown list.
6. Click Done.
7. Click Save (upper left).
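Dynamically managed user groups (Users > User Groups, earlier in this chapter) and dynamically managed device groups (Devices > Device Groups, in the next chapter) are both built from the same kind of rule tree: individual rules, ANY/ALL filters, nested rule groups, inclusion or exclusion of a sub-group, and a text query rendered below the rules. The following evaluator is an added example, not MobileIron code, that applies such a tree to user and device records and renders the query text. Field names, operators, the rule layout and the sample users and devices are assumptions constructed for this example; the two device rules reuse the guide's own "OS is iOS" and "Device is iPhone 5S".

```python
# Added example (not MobileIron code): evaluator for ANY/ALL rule trees of the kind used by
# dynamically managed user groups and device groups. Field names, operators and records are
# assumptions constructed for this example.

def _version(value):
    """'12.1' -> (12, 1) so OS versions compare numerically rather than as strings."""
    return tuple(int(part) for part in str(value).split("."))


def _match(op, actual, wanted):
    """Apply one operator to one attribute; the attribute may be multi-valued (e.g. user groups)."""
    if op == "is not":                       # exclusion: true only if no value matches
        return not _match("is", actual, wanted)
    values = list(actual) if isinstance(actual, (list, tuple, set)) else [actual]
    if op == "is":
        return wanted in values
    if op == "contains":
        return any(wanted in str(v) for v in values if v is not None)
    if op == "version >=":
        return any(_version(v) >= _version(wanted) for v in values if v)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(node, record):
    """A node is a rule {"field", "op", "value"} or a group {"match": "any"|"all", "rules": [...]}."""
    if "rules" in node:
        results = [evaluate(child, record) for child in node["rules"]]
        return any(results) if node["match"] == "any" else all(results)
    return _match(node["op"], record.get(node["field"]), node["value"])


def to_query(node):
    """Render the tree as text, the way the console shows the query below the rules."""
    if "rules" in node:
        joiner = " OR " if node["match"] == "any" else " AND "
        return "(" + joiner.join(to_query(child) for child in node["rules"]) + ")"
    return f'{node["field"]} {node["op"]} {node["value"]}'


def members(group, records):
    """Names of the records the rules select, i.e. the Results list in the console."""
    return [r["name"] for r in records if evaluate(group, r)]


# Constructed sample users; "source" is the local/LDAP choice made per rule in the editor.
USERS = [
    {"name": "jdoe", "source": "LDAP", "department": "Sales", "user_groups": ["Managers", "Sales"]},
    {"name": "jsmith", "source": "LDAP", "department": "Sales", "user_groups": ["Sales"]},
    {"name": "tjones", "source": "local", "department": "IT", "user_groups": ["Managers"]},
]
# LDAP users in Sales, excluding the Managers sub-group (User Group filter used as an exclusion).
SALES_NON_MANAGERS = {"match": "all", "rules": [
    {"field": "source", "op": "is", "value": "LDAP"},
    {"field": "department", "op": "is", "value": "Sales"},
    {"field": "user_groups", "op": "is not", "value": "Managers"},
]}

# Constructed sample devices with attributes a device-group rule can use.
DEVICES = [
    {"name": "ipad-01", "os": "iOS", "os_version": "12.1", "device_type": "iPad", "ownership": "Company Owned"},
    {"name": "iphone-02", "os": "iOS", "os_version": "11.4", "device_type": "iPhone 5S", "ownership": "User Owned"},
    {"name": "pixel-03", "os": "Android", "os_version": "9", "device_type": "Pixel", "ownership": "User Owned"},
]
# The guide's two example rules combined with All.
IOS_5S_ALL = {"match": "all", "rules": [
    {"field": "os", "op": "is", "value": "iOS"},
    {"field": "device_type", "op": "is", "value": "iPhone 5S"},
]}
# A nested group: iOS devices that are either up to date or company owned.
CURRENT_IOS = {"match": "all", "rules": [
    {"field": "os", "op": "is", "value": "iOS"},
    {"match": "any", "rules": [
        {"field": "os_version", "op": "version >=", "value": "12.0"},
        {"field": "ownership", "op": "is", "value": "Company Owned"},
    ]},
]}

if __name__ == "__main__":
    for label, group, records in (("sales non-managers", SALES_NON_MANAGERS, USERS),
                                  ("iOS iPhone 5S", IOS_5S_ALL, DEVICES),
                                  ("current iOS", CURRENT_IOS, DEVICES)):
        print(f"{label}: {to_query(group)} -> {members(group, records)}")
```

Note how "is not" on a multi-valued attribute such as user groups is defined as "no value matches"; defining it as "some value does not match" would silently include users who are in the excluded group as well as another one, which is the usual source of surprise when an exclusion rule appears not to work.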

Devices

Devices

Each entry in the Devices page represents a mobile device that has been registered with MobileIron Cloud and lists important information about the device. Use this page to do basic device management, including:
- Assign to User
- Send a message
- Lock
- Unlock
- Force Check-in
- Retire
- Wipe
- Reset PIN (Windows 10 mobile devices only)

Note: The MobileIron Cloud server cannot handle processing the same device with different client identifiers and registered across different tenants. The server can only handle the instance where it is the same device with different client identifiers and registered to the same tenant.

Managing the devices

1. Select one or more devices.
2. Select an action from the Actions list (upper right).

Listing the devices by criteria

When you have many devices registered, you can use the criteria (also called filters) on the left to display only the devices you are interested in.

Bulk assign/change users and custom attributes to devices

You can use this feature to upload a CSV file to assign or change users and/or custom attributes to devices in bulk.

1. From the Devices page, click the Bulk Assign via Upload icon (next to the Actions button).
2. (Optional) Click Download template to save a CSV template file that you can edit and upload.
3. After the CSV file is ready, click Choose File to browse to the CSV file location or drag and drop the CSV file to the File data section.
4. Select one of the following options:

   - Force assign (overwrite) all attributes even if any existing values are found.
   - Overwrite only if value is empty, and skip attributes with existing values.
5. Click Upload.

Displaying detailed device information

Click the link in the Name column of an entry to display the Device Details page. The Device Details page contains several tabs organizing the following information:

Overview
- Manufacturer
- Wi-Fi MAC Address
- Network Tethered - (iOS devices)
- Serial number
- Storage Usage - Used (except Windows) and available internal storage on devices
- OS/version
- Device Name
- Device Identifier
- Device Groups
- Device Encryption Status - (macOS devices)
- Language
- Client App Version
- Client App BundleID
- EAS Device Identifiers
- Ownership
- Last backup to iCloud - (iOS devices)
- Supervised Mode - (iOS devices)
- Windows Device Type - (Windows devices)
- Channel URL - (Windows devices)
- Azure AD Device ID - (Windows devices)
- Encrypted
- Windows Information Protection - (Windows devices)
  - WIP App Locker Configured
  - EDP Mandatory Settings
- Phone number
- Cellular Technology
- IMSI
- ICCID
- IMEI
- MEID

Device Location

- Carrier
- Home MCC
- Home MNC
- Roaming
- Current Operator
- Current MCC
- Current MNC
- Data roaming
- Voice roaming

Configurations - applied configurations

Installed Apps

AppConnect Apps - installed AppConnect apps

Policies - applied policies. For compromised devices, check the violation reason in the Violation column. If the device has been rooted, the system displays the reason shown in the Violation column:

Priority (1 = highest)   Violation
1   Plugin compromised
2   Client tampered
3   Unknown device manufacturer: unknown
4   Suspicious folder detected: <path>
5   Suspicious binary found at: <path>
6   Folder /data is browsable OR Folder /data/data is browsable
7   Found /system/app/superuser.apk
8   Package manager compromised
9   Suspicious app found: <package>

Certificates - installed certificates

Sentry information (ActiveSync associations)

Attributes - Custom Attributes and Device attributes

Logs - View and customize device filters:
- status
- last check-in
- device groups

- terms of service accepted date
- terms of service accepted

To search device logs

1. Under Devices > Devices, click the link in the Name column of an entry.
2. Click the Logs tab.
3. Use the Action, Status, Start Date, and End Date filters to narrow the displayed messages.

Can't see the Devices page?

Maybe you don't have permission. You need one of the following roles:
- Device Management
- Device Read Only

See Also

Displaying and Hiding Columns

Devices > Device Groups

Use device groups to create lists of devices that you want to treat in the same way. You can assign policies and configurations to device groups. The following are the default device groups created by MobileIron Cloud:
- All Devices
- Android Devices
- Android Enterprise Devices
- iOS Devices
- macOS Devices
- Windows Devices

Adding a device group

You can add a new device group based on rules to identify the devices with the following criteria:

Bronze license: Rules can identify devices by:
- Device Type
- OS - operating system (pre-populated)
- OS Version
- User Group

Silver license: Rules can identify devices by:
- Android Device Owner Mode Enabled
- Android Work Enabled
- Carrier
- Device Type
- Kiosk Mode - whether the device is in Kiosk Mode or kiosk-enabled (yes/no/not applicable)
- OS - operating system (Android, iOS, macOS, Windows)
- OS Version
- Ownership
- Roaming - whether the device is roaming (yes/no)
- Supervised App Status - whether the device is supervised (yes/no)
- User Group
- Custom Device Attribute
- Custom User Attribute
- Custom LDAP Attribute

Perform the following tasks to add a device group:

1. Click Add (upper right).
2. Enter a name for this group.
3. Enter an optional description for this group.
4. Select the type of device group you want to create:
   - Dynamically Managed: Use rules to define which devices are in the group.
   - Manually Managed: Enter each user whose devices are to be included in the group.
5. For dynamically-managed groups:
   a. Create a rule that defines the group. Example: OS is iOS
   b. Click + to create additional rules, if needed. Example: Device is iPhone 5S
   c. Click Any if the devices need to match at least one of the rules.
   d. Click All if the devices need to match all the rules.
6. For manually-managed groups:
   a. Type the name of a user whose device you want to add.
   b. Select the device from the displayed list.
   c. Repeat steps a and b until all devices are displayed in the list.
7. Click Save.

Removing a device group

1. Go to Devices > Device Groups.
2. Click the checkbox for the device group you want to remove.

3. Click the Actions pull-down menu.
4. Click Delete Device Group.

Can't see the Device Groups page?
Maybe you don't have permission. You need one of the following roles:
- Device Management
- Device Read Only

See Also
Displaying and Hiding Columns

Devices > Unmanaged Devices
License: Silver
If you have set up Sentry access control, any unregistered devices that access your system are called unmanaged devices. You define whether unmanaged devices should have access to email by default when you set up a Sentry. You can then manually allow or block access for these devices.
Note: The Unmanaged Devices page is updated every 5 minutes. Therefore, changes in management are not immediately reflected.

To block a device
1. Select the device.
2. Select Actions > Block.
The device remains blocked until you select Actions > Allow or Actions > Delete.

To allow a device that has been blocked
1. Select the device.
2. Select Actions > Allow.
The device continues to have access to email until you select Actions > Block or Actions > Delete.

To clear a device from the list
1. Select the device.
2. Select Actions > Delete.

The next time the device attempts to access your system, it will reappear on this list, and you will need to repeat any Block or Allow action you previously applied to the device.

Devices > App Inventory
The app inventory is the list of apps detected on enrolled devices. Use this page to get information on the apps being used by enrolled devices. You can answer questions like:
- Which apps are most popular?
- Do iOS devices get their apps directly from the App Store?
- How many Android users have downloaded an optional in-house app?
- How many devices are using an outdated version of an app?
App Reputation (only if enabled)
- Which apps have an app reputation score?
- What is an app's app reputation rating?
- On which app reputation lists is an app?
App reputation information appears in the area below:

To display only certain apps
When you display the App Inventory page, all apps are listed. To narrow this list to certain apps, use the filters (left pane). For example, to show only in-house apps on iOS devices, you would select iOS and In-House.

To display the installed devices for an app
Click the number listed in the # Installed column.

To display the installed Win32 apps on a device
The app inventory displays Win32 apps on a device if the privacy configuration for that device allows for the collection of information for all apps on that device. To configure the privacy policy for the device:
1. Determine which privacy configuration applies to the desired device by following the directions in Devices.
2. Go to Configurations.
3. For the privacy configuration you noted in step 1:
   a. Select the configuration.
   b. Click Edit.
   c. Under Collect App Inventory, select For All Apps on the Device.
   d. Click Done.

To save app inventory to a file
Click Export.

Can't see the App Inventory page?
Maybe you don't have permission. You need one of the following roles:
- Device Management
- Device Read Only

See Also
Displaying and Hiding Columns

Managing Devices

Device Registration (iOS, macOS, and Android)
Most users start by registering a device. You can use any of the following approaches to start the registration process:
- Send an invitation to one or more end users
- Instruct end users to download the MobileIron Go app
Note: The end user must have an account in MobileIron Cloud before you can start the device registration process. For LDAP users, that means a Connector and an LDAP server must be set up, and the user must be imported from the LDAP server. For local users, that means adding a user.
The device enrollment URL generated in earlier versions of MobileIron Cloud will cease to work with the current version. The administrator will need to regenerate the device enrollment URL for device registration.

Sending an invitation (iOS, macOS, and Android)
In most cases, you will start the registration process by sending an invitation. MobileIron Cloud provides the following ways to send end users an invitation to register a device:
- in the Startup Wizard
- when you add one or more users
- in the Users page (Actions > Send Invite)
If end users misplace the invite, receive it on a desktop or laptop, or fail to receive it for some reason, you can send them to the URL that was listed in the invitation. Add /go to the end of your service URL.
End users who have a MobileIron Cloud account with a password set do not need an invitation to start the registration process. You can send them to the URL that would have been listed in an invitation.

Instructing end users to download the app (iOS and Android)
The MobileIron Go app is available for Android and iOS devices. You can send end users instructions on how to download the app from a public app store and start the registration process from the app. Include the information that the end user will need to enter to complete registration:
- username: usually the end user's email address
- password: if required by your User Settings and a temporary password was defined by an administrator
If a password has not been set for the end user's account, then you must send an invitation to generate the necessary one-time use PIN, which will automatically be emailed to the end user.

What the end user sees
The invitation is an email containing:
- a link to the registration page
- a one-time use PIN, if necessary
- basic instructions on what to do next

If the end user receives the email on the mobile device, then tapping the link starts the registration process. If the end user receives the email on a laptop or desktop, then the end user can enter the displayed URL in the browser on the mobile device.
The one-time use PIN is included if the end user's account does not yet have a password defined for the MobileIron Cloud user account, or if your User Settings require a registration PIN. After entering the PIN, the end user will be prompted to set a password for the account if the password does not exist.
If you have already set a password for the account, then you will need to communicate it to the end user using an external channel, such as corporate email. If you are using LDAP for authentication, consider informing the end user that network credentials are required.

If the user does not install the MDM profile
If the user does not complete installation of the MDM profile during registration, then MobileIron Cloud periodically sends push notifications to the device to prompt the user to complete the registration process.

Device Registration (Windows Phone 8.1 and Windows 10 Mobile)
Most users start by registering a device. You can use any of the following approaches to start the registration process:
- email invitation
- Direct users to the URL for your implementation
Note: The end user must have an account in MobileIron Cloud before you can start the device registration process. For LDAP users, that means a Connector and an LDAP server must be set up, and the user must be imported from the LDAP server. For local users, that means adding a user.
The device enrollment URL generated in earlier versions of MobileIron Cloud will cease to work with the current version. The administrator will need to regenerate the device enrollment URL for device registration.

Sending an invitation
In most cases, you will start the registration process by sending an invitation. MobileIron Cloud provides the following ways to send end users an invitation to register a device:
- in the Startup Wizard
- when you add one or more users
- in the Users page (Actions > Send Invite)
If end users misplace the invite, receive it on a desktop or laptop, or fail to receive it for some reason, you can send them to the URL that was listed in the invitation. Just add /go to the end of your service URL.
End users who have a MobileIron Cloud account with a password set do not need an invitation to start the registration process. You can send them to the URL that would have been listed in an invitation.

What device users do
Tell your device users how to complete the registration process. You can use the following instructions as a template and make any necessary changes:
1. Open a browser on your Windows Phone 8.1 or Windows 10 mobile device.
2. Navigate to mobileiron.com/go. You are redirected to a new page containing an enrollment URL.
3. Copy the enrollment URL to the clipboard.
4. Tap Open Settings > Workplace to open the Workplace app.
5. Tap add account at the bottom of the Settings page.
6. Enter the email address associated with the invitation you received.
   Note to administrators: If the user's MobileIron Cloud username does not match the user's email address as entered in MobileIron Cloud, tell the user to enter the username when prompted for the email address.
7. Paste the Workplace server URL you copied into the next text field.
8. Tap sign in.
9. Enter your password in the next field.
10. Leave the other fields blank.
11. Tap sign in.
12. Click done in the ACCOUNT ADDED screen. The Workplace start screen shows that an account has been added.

Changing Passcode Settings
Use the Passcode configuration assigned to a device to change the passcode settings. You can either:
- change the settings for the assigned configuration, OR
- assign a different Passcode configuration
Changes you make to the configuration will affect all devices that configuration is assigned to.

To change the assigned Passcode configuration
1. Go to Devices > Devices.
2. Find the entry for the device in the list.
3. Click the link in the Name column. If a Passcode configuration has been assigned, it will display in the Configurations tab.
4. In the Configurations tab, click the Passcode Config link.
5. Click Edit (upper right).
6. Make the changes.

To assign a different Passcode configuration
1. Make sure someone has created the configuration you need.
2. Go to Devices > Devices.
3. Find the entry for the device in the list.
4. Click the link in the Name column.

Finding Device Entries
Once you have added many devices, it can be helpful to use filters or searches to quickly locate a device entry. You can also skip ahead to display a page of devices or search for a device using the Find Devices search box near the top left corner.

To search for a device
1. Go to Devices > Devices.
2. Type characters in the 'Find devices' box.

To filter devices
1. Go to Devices > Devices.
2. Select the filters (left pane) to narrow the device entries displayed. If you have assigned custom attributes to devices, you can filter devices based on those attributes by clicking the settings icon (upper right). For example, select Retired and Android to display only retired Android devices.

Using Device Owner
License: Gold
You can designate devices as company-owned or employee-owned after the devices have been registered. This designation helps manage policies that are based on whether a user has a personal device or a company-owned device. With the proper license, you can then use ownership in rules for creating device groups.

Use the Provisioner app to configure the device. Before the device is provisioned it must be factory-reset with an NFC (Near Field Communication) bump. An NFC bump involves tapping the master or template device against a new or factory-reset device to configure it. Then the MobileIron Go client will control the device once it's in Device Owner mode.
Device Owner mode also supports Kiosk mode on Android for Work devices running Android 5.0 through the most recently released version as supported by MobileIron. For configuration information go to: Lockdown & Kiosk Configuration.

Important
- If you retire a device in Device Owner mode, the device will factory reset.
- A device can only have one active device owner at a time.
- The phone dialer is not supported in Device Owner mode.
- The camera is not supported in Device Owner mode.
- Only devices that are Android for Work capable are able to start in Device Owner mode.

Provisioning the device
To provision the device:
1. Enable NFC (Near Field Communication) on the provisioning device by launching the Provisioner app and entering the Wi-Fi security type and password.
2. Navigate to the Welcome page on a new device or a factory-reset device.
3. Bump the new device back-to-back with the provisioning device. Wi-Fi is configured and the client is downloaded. The device is now in Device Owner mode.

To enable Reset Protection (for devices running Android 5.1+ only)
1. In the MobileIron Cloud portal, go to Configurations.
2. Click Android for Work Device Owner.
3. Click Edit. The Edit Device Owner Configuration page is displayed.
4. Enter a configuration name and description.
5. Optionally select Enable Reset Protection. Select this option to prompt the user to enter their Google account credentials when the device is factory reset.
6. Click Next.
7. Select a distribution option.
8. Click Done.

To configure:
1. In the MobileIron Cloud portal, go to Configurations.
2. Click +Add.
3. Select Lockdown & Kiosk: Android for Work Configuration. The Create Lockdown & Kiosk: Android for Work Configuration page is displayed.
4. Enter a configuration name and description. Choose a Lockdown type.
5. Click Lockdown - Device Owner with Kiosk mode. Android Device Owner Lockdown settings options are displayed.
6. Optionally, choose to:
   - Disable WI-FI or WI-FI settings
   - Disable Camera
   - Disable Bluetooth
   - Disallow Bluetooth Settings
   - Disable Screen Capture
   - Mute Master Volume
   - Disallow Apps Control
   - Disallow Credentials
   - Disallow Emergency Broadcasts
   - Disallow Mobile Networks (cannot be disabled if Wi-Fi is disabled)
   - Disallow Tethering
   - Disallow VPN
   - Disallow Factory Reset
   - Disallow Modify Accounts
   - Disallow Outgoing Beam
   - Disallow Outgoing Calls
   - Disallow Safe Boot
   - Disallow Share Location
   - Disallow SMS
   - Disallow Unmute Microphone
   - Disable Auto Time
   - Disable Auto Time Zone
   - Disable Data Roaming
   - Disable Wi-Fi Sleep
7. Optionally choose to enable Kiosk Mode. The following settings are displayed:
   - Disable Quick settings
   - Allow User to Access WiFi Settings
   - Allow User to Access Bluetooth Settings
   - Allow User to Access Location Settings
   - Allow User to Delay Application Updates
8. Optionally create a Kiosk Exit Pin to use to exit Kiosk mode.
9. Optionally create a whitelist of apps that will be available to users in Kiosk Mode.
10. Optionally choose to add these apps from the App catalog.

See also
- Work Chrome
- Work Slides
- Work Docs
- Work PDF Viewer
- Work Sheets
- Divide Productivity for Work
- Device Groups

Assigning a Device to a new user
An existing registered device may need to be re-provisioned for a new user, if there has been a role change for the user, or if the previous user's relationship to the company has changed. These steps help to avoid retiring and re-registering the device.
To assign a device to a user:
1. Navigate to the device in the Devices page.
2. Click the device name to display the Device details page.
3. Click the Assign to user icon.
4. Start to enter the user's name in the Search User... field.
5. Select the desired user.
6. Click Assign to user. The device will be provisioned for that user.
Note: You may notice that in user-based and license-based scenarios, you can assign a device to a user who has exceeded the assigned device limit. This is because the intent of the device limit feature is to limit the registration of devices in support of Bring Your Own Device (BYOD) scenarios. In both device-based and user-based licenses, enforcing the device limit is inconsequential. For device-based licenses, the cost to the end customer does not change because the total number of devices in the system does not change. For user-based licenses, the lack of this check actually benefits the customer. For example, consider five users, U1 through U5, with 5 devices each. With user-based licensing, this would consume five licenses. If instead the devices from two of the users, U4 and U5, are moved to U1 and U2, then license consumption goes DOWN, from five to three.

Forcing a Check-in
Devices need to contact MobileIron Cloud (check in) to provide and receive information. Check-ins are scheduled at regular intervals. You can also prompt a device to check in on demand. Forcing a device to check in can speed up the process of applying configurations, updating policies, etc.
To force a device to check in
1. Go to Devices > Devices.
2. Select the devices.
3. Click Actions.
4. Select Force Check-in.
5. Optionally, click the device name link to go to the Device details page, click the Force Check-in icon, and click OK.

Locating a Device
If you have enabled the Locate feature for a device, you can display the last known location for that device. You must apply a privacy configuration to the device to enable this feature. The device must also support this feature, and the user must agree to share their location data.
To locate a device:
1. Navigate to the device in the Devices page.
2. Click the link in the Name column.
3. Click the link under Device Location (bottom of left pane). A Device Location map displays.

Locking a Device
You can trigger the screen lock on a device. Locking works somewhat differently on different devices.
To lock a device
1. Go to Devices > Devices.
2. Select the device.
3. Click Actions.
4. Select Lock.
5. Optionally, click the device name link to go to the Device details page, click the Lock icon, and click OK.
6. For AppConnect Android apps, the Lock command locks the user out of the container and also locks the device. The users can log back in to the device and the AppConnect app using the device passcode and the AppConnect passcode respectively.
7. For iOS 7 devices, you can enter a display message and phone number (optional). These options can give device users information about why the device has been locked and the number to call to get it unlocked.
8. For macOS devices, the user is prompted to enter a 6-digit PIN as passcode to access the device. To proceed with the screen lock, the device user needs to:
   1. Enter the PIN.
   2. Select the check box to confirm locking the device.
   3. Click Yes, send lock command.
Alternate Methods of Locking a Device:
- A device user can perform the lock action from the Self Service Portal.
- An Administrator can perform the lock action from the Administrator Portal.

Managing devices in Apple lost mode
Applicable to: iOS Supervised devices
You can place a supervised device in lost mode through MobileIron Cloud. This means you report the device as lost to Apple servers, allowing you to retrieve the last recorded location of the device, as well as disable lost mode if the device is found.

Enabling lost mode
You can report a lost device to Apple servers by placing the device in lost mode. After you have placed a device in lost mode:
- If the device is retired, you cannot disable lost mode.
- If the device is wiped, you cannot locate or track the device.
To enable lost mode:
1. Go to Devices.
2. Select the checkbox for the device.
3. Select Actions > iOS Only > Lost Mode.
4. In the Lost Device Mode section, select the Enable Lost Mode option to place the iOS device in lost mode.

Performing lost mode actions
After lost mode is enabled, you can perform the following actions from the Lost Device Mode section:
- Push Message/Phone Number to iPhone: Enter a message to be displayed on the locked screen of the lost device. Enter a contact number to be displayed on the locked screen of the lost device. If someone finds the device, they can call the number to report it.
- Lock Device
- Refresh Device Location. Note: If the device is wiped, you will not be able to locate the device.
- Play Lost Mode Sound. Note: Sound will play until the device is removed from lost mode or a user disables the sound on the device.

Disabling lost mode
If a device in lost mode is retrieved, or the lost mode was enabled in error, you can disable lost mode.
Note: If the lost device is retired from MobileIron Cloud, disabling lost mode will not work.
To disable lost mode:
1. Go to Devices.
2. Select the checkbox for the device.
3. Select Actions > iOS Only > Lost Mode.
4. In the Lost Device Mode section, deselect the Lost Mode is enabled for device option.

Retiring a Device
Retiring a device ends its relationship with MobileIron Cloud. You might retire a device if:
- the user left the company
- the user has replaced the device
- you need to undo the management tasks you have completed (start over)
To retire a device
1. Go to Devices > Devices.
2. Select the device.
3. Click Actions (upper right).
4. Select Retire.
5. Optionally, click the device name link to go to the Device details page and click the icon.
6. Select Retire and click OK.

Wiping a Device
Wiping a device removes all data and returns the device to factory default settings.
To wipe a device
1. Go to Devices > Devices.
2. Select the device.
3. Click Actions (upper right).
4. Select Wipe.
5. Optionally, click the device name link to go to the Device details page and click the icon. Select Wipe and click OK.
6. For macOS devices, you can send a 6-digit PIN to the device as passcode. On the device, the user is prompted to enter the PIN to access the device. To proceed with the wipe action, the device user needs to:
   1. Enter the PIN.
   2. Select the check box to confirm the device wipe action.
   3. Click Yes, wipe this device.

Deleting a Device
After you retire a device, you can delete it. Deleting it removes it from all pages. You can delete a device only if its status is Retired or Retire Pending.
To delete a device:
1. Go to Devices > Devices.
2. Navigate to the device.
3. Click the link in the Name column.
4. Click the Delete Device link (left pane).
5. Read the displayed warning.
6. If you still want to delete the device, select the check box to confirm.
7. Click Delete.

Unlocking a Device
You can clear the screen lock on a device. Unlocking works somewhat differently on different devices.
To unlock a device
1. Go to Devices > Devices.
2. Select the devices.
3. Click Actions.
4. Select Unlock.
5. Optionally, click the device name link to go to the Device details page, click the Unlock icon, and click OK.

Unlocking Android devices
When an Unlock command is received, the Android app attempts to turn off the passcode policy and resets the passcode. If encryption is enabled on the device, the passcode is set to unlock. If encryption is disabled on the device, the passcode is set to empty.
On Android 6.0 devices, the unlock command for Android Enterprise devices (Device Owner mode) sets the PIN to unlock, which unlocks the device and prompts for a new password. However, when the administrator performs the unlock command on Android 7.0 devices, MobileIron Go sets the passcode to "un!ockm3!".

Unlocking AppConnect for Android apps
For AppConnect apps, the AppConnect Unlock command helps unlock containers that have been locked due to users trying to log in multiple times with incorrect passcodes. This unlock does not unlock the device.

Unlocking an iOS device
When an Unlock command is received, the iOS app removes the passcode from the device. If the passcode configuration specifies that a new passcode is required, then the device user will be prompted to set a new passcode that complies with the rules defined in the passcode configuration. The user must make this change within 60 minutes or the app will force the user to set the new passcode.

Restarting or shutting down devices
Applicable to: iOS (iOS and tvOS) supervised devices
Administrators can restart or shut down an iOS or tvOS supervised device individually from the device details page or in bulk from the devices list page.

Restarting a device
1. Go to Devices.
2. Navigate to the device.
3. Click the link in the Name column.
4. Click the Actions button.
5. Click Restart/Shutdown device. Note: Unsupported devices cannot be restarted.
6. Read the displayed warning.
7. (Optional) Select the option to clear the passcode of the device on restart. If the passcode is not cleared, the device will require a passcode and will not be connected to Wi-Fi after the restart.
8. Select Restart Device if not already selected.
9. If you still want to restart the device, click Send to Device. Otherwise, click Cancel.
You can restart multiple supported devices from the Devices list page. To do so, select the devices, click Actions > Restart/Shutdown Device, and follow the instructions on the screen.

Shutting down a device
1. Go to Devices.
2. Navigate to the device.
3. Click the link in the Name column.
4. Click the Actions button.
5. Click Restart/Shutdown device. Note: Unsupported devices cannot be restarted.
6. Read the displayed warning.
7. Select Shutdown Device.
8. If you still want to shut down the device, click Send to Device. Otherwise, click Cancel.
You can shut down multiple supported devices from the Devices list page. To do so, select the devices, click Actions > Restart/Shutdown Device, and follow the instructions on the screen.

Clearing the Restrictions Password (iOS only)
You can clear a Restrictions password set by users on supervised iOS 8 devices. This action is available for active devices only.
To clear the Restrictions password
1. Go to Devices > Devices.
2. Select the entry for the device.
3. Select Actions > Clear Restrictions Password.
4. Confirm the action when prompted.

Assigning Custom Attributes to Devices
You can assign custom device attributes such as internal ID to one or more devices. Each attribute has a corresponding value that you can use for tasks like creating configurations and device groups.
To assign a custom attribute to one or more devices:
1. Go to Admin > Attributes to create new custom attributes if required.
2. Go to Devices.
3. Select one or more devices.
4. Click Actions.
5. Select Assign Custom Attributes.
6. Select one of the following options:
   - Force assign (overwrite) all attributes even if any existing values are found.
   - Overwrite only if value is empty, and skip attributes with existing values.
7. Select the attributes you want to assign and enter their values (empty values are not allowed).
8. Click Assign.

Removing Custom Attributes from Devices
Proceed with caution as this action is not reversible.
To remove custom attributes from one or more devices:
1. Go to Devices.
2. Select one or more devices.
3. Click Actions.
4. Select Remove Custom Attributes.
5. Select the attributes you want to remove.
6. Click Remove.

Resetting the PIN
Applicable to: Windows 8 and 10 mobile devices
The administrator can reset the PIN for a Windows mobile device. A new PIN will be generated for the device. This feature may be useful in situations such as when the user leaves the organization without resetting the PIN of a company-owned device.
1. Go to Devices.
2. Click the user name the device is associated with to view the device details page.
3. In the General section, in the PIN row, click Reset.
4. In the PIN Reset window, select the checkbox to confirm the PIN reset.
5. Click Yes, proceed.
This process may take several minutes. Ensure the device is turned ON. From the device details page, click View to view the newly assigned PIN after reset.


Apps

Apps > App Catalog
Use the App Catalog page to manage your app catalog. The app catalog lists the mobile apps you have made available for your users. These include apps that users can download from public app stores and apps you intend to distribute using MobileIron Cloud (in-house apps). AppConnect-enabled apps are also available as business apps on the app catalog page, thereby simplifying the process of importing them for configuration and distribution.
Note: App Catalog is not supported for macOS apps. The macOS apps are deployed through the Volume Purchase Program (VPP) via device-based licenses and through the Silent App Install method on enrollments.
Android does not allow apps with active admin privileges to be uninstalled. To uninstall such an app, go to Device Settings > Security > Device Administrators and disable the Device Administrator privileges. Then, uninstall the app.

Licensing for app features
The following App Catalog features require additional licensing:
- Silent app install/uninstall: Silver license
- Per-app configuration: Gold license
- AppConnect custom configuration: Gold license
- Android for Work custom configuration: Silver license

If an Android device is in Kiosk Mode
Only in-house apps can be installed while the device is in Kiosk Mode. You can install public apps, but the device must exit Kiosk Mode before those apps can be installed. Also, you can limit the apps available for use on devices in Kiosk Mode to only the apps that are approved or whitelisted by your company. On devices using Android 4.1, if an approved app launches an app not included on the whitelist, that app will launch and then be quickly minimized. On devices using Android 5.0, the unapproved app launched from a whitelisted app will remain available.

Switching between list and grid view
Click the List or Grid icon on the right side of the App Catalog screen.

Viewing app reputation information
The App Catalog provides the following app reputation information, if app reputation is enabled:
- Which apps have an app reputation score?
- What is an app's app reputation rating?
- On which app reputation lists is an app?
App reputation information appears in the area below:

Adding an app from a public store
1. Click Add (top left).
2. Choose the app you want:
   a. Select the public app store.
   b. Enter the name of the app.
   c. Select the app from the list.
   d. Click Next.
3. Describe the app for users:
   a. Add or remove categories.
   b. Enter an optional description.
   c. Click Next.
4. Define app distribution:
   a. Select a distribution option.
   b. Expand the Advanced Options & App Configuration section.
   c. Use the following guidelines to complete the options (Setting: What To Do):
      - Install on Device: Select this option to start installation immediately after registration. The user will be prompted to confirm installation of the app except under the following conditions: the device is a supervised iOS device, or the device is a Samsung SAFE device and the silent installation option below has been selected.
      - Do not show app in end user App Catalog: Select this option if you do not want the user to see the app in the app catalog on the device.
      - (Android only) Silently install on Samsung SAFE devices: This option does not apply to public apps.
      - (iOS only) Enable Per-App VPN for this app: Select this option to use a Per-App VPN configuration with this app. Select the Per App VPN configuration to be used from the drop-down list.
      - (iOS only) Prevent backup to iCloud and iTunes: Select this option to keep data related to this app from being backed up to iCloud and iTunes.
      - (iOS only) Remove apps on unenrollment: Select this option to remove this app once the device is no longer managed by MobileIron Cloud.
      - (iOS only) AppConnect Custom Configuration: For an AppConnect-enabled app, enter the keys and values that specify your custom configuration preferences. See the documentation for the app for available keys.
      - iOS 7+ Managed App Settings: Enter keys and values defined for this app as an iOS 7+ managed app. See the documentation for the app for information on supported keys.
      Note: Android for Work apps will have different options.
   d. Click Next.
5. Select a promotion option:
   - Not Featured
   - Featured List
   - Banner
6. Click Done.

Adding an In-house app
1. Click Add (top left).
2. Drag the app file to the dotted box, or click Choose File to select it from your file system and click Confirm.
3. Click Upload (lower right).
4. Describe the app for users:
   a. Add categories.
   b. Enter an optional description.
   c. (Windows 32-bit MSI apps only) Enter an optional App Source URL Override to allow obtaining large files, such as Microsoft Office installation media, from a local network (SMB, FTP, HTTP).
   d. (Windows 32-bit MSI apps only) Enter an optional Command Line switch to specify additional information that is not part of the package while deploying the MSI files. For example, to write installation logs to an output file, you can enter "/log output.txt" in this field. This creates the output.txt file in the C:\Windows\System32 folder.
   e. Click Next.
5. (Optional) Add screenshots of the app.
6. Click Next.
7. Define app distribution:
   a. Select a distribution option.
   b. Expand the Advanced Options & App Configuration section.
   c. Use the following guidelines to complete the options (Setting: What To Do):
      - Install on Device: Select this option to start installation immediately after registration. The user will be prompted to confirm installation of the app except under the following conditions: the device is a supervised iOS device, or the device is a Samsung SAFE device and the silent installation option below has been selected.
      - Do not show app in end user App Catalog: Select this option if you do not want the user to see the app in the app catalog on the device.
      - (Android only) Silently install on Samsung SAFE devices: Select this option if you do not want the user prompted to confirm installation on Samsung SAFE devices.
      - (iOS only) Enable Per-App VPN for this app: Select this option to use a Per-App VPN configuration with this app. Select the Per App VPN configuration to be used from the drop-down list.
      - (iOS only) Prevent backup to iCloud and iTunes: Select this option to keep data related to this app from being backed up to iCloud and iTunes.
      - (iOS only) Remove apps on unenrollment: Select this option to remove this app once the device is no longer managed by MobileIron Cloud.
      - (iOS only) AppConnect Custom Configuration: For an AppConnect-enabled app, enter the keys and values that specify your custom configuration preferences. See the documentation for the app for available keys.
      - iOS 7+ Managed App Settings: Enter keys and values defined for this app as an iOS 7+ managed app. See the documentation for the app for information on supported keys.
   d. Click Next.
8. Select a promotion option:
   - Not Featured
   - Featured List
   - Banner
9. Click Done.

Deploying in-house apps to Google Play
Upload your in-house apps to the Google Play Private channel and import them into MobileIron Cloud for deployment to Android for Work enabled devices.
1. Log into the Google private apps console:
2. Click All Applications in the left menu.
3. Click Create new application and enter a name for the application.
4. Click Upload APK to upload the .apk file you generated.
5. Click Store Listing:
   - Enter a short description and a full description.
   - Upload screenshots for all tabs.
   - Upload a high resolution icon.
   - Upload a feature graphic icon (graphic.png).
   - Enter the required information for Categorization, Contact details, and Privacy policy.
   - Complete the questionnaire for an app rating.
6. Click Pricing & Distribution. If all the required information has been entered, Ready to Publish is displayed at the top of the page.
7. Go to the Apps tab in MobileIron Cloud.
8. Click Refresh Available Catalogs to sync your private apps.
Note: It may take several hours to publish your app.

Viewing VPP license usage (iOS)

The license usage details specific to a user are displayed in the License column of the license usage table.

1. Click an app.
2. Click the License Usage tab.
3. Enter a user name in the search field.

Revoking a VPP license (iOS)

1. Click an app.
2. Click the License Usage tab.
3. Click the Revoke License link for the user whose access to the license should be removed.

Note: VPP licenses are automatically revoked if the user is deleted or the user removes the MDM profile from the device.

Can't do tasks on the App Catalog page?

Maybe you don't have permission. You need the following role: App & Content Management

See Also
- Displaying and Hiding Columns
- How to Delete Apps from the App Catalog

Viewing App Details

You can drill down from the App Catalog to app details about any of the apps in the catalog.

To view app details:
1. Click Apps.
2. Click App Catalog.
3. Select the app whose details you wish to view. The App Details window appears.

Note that App Reputation information only appears if App Reputation is enabled and if you have previously requested it on this screen by clicking the Request Analysis button.

Note: For iOS in-house apps, you can check the Provisioning Profile Expiration Date on the app details page.

App Configuration

App configuration enables you to customize the installation, promotion, and distribution of each app you deploy to your users' devices. The apps can be your own in-house apps, apps from a public store, or MobileIron apps. You have the flexibility to deploy the apps to many different users and groups with unique names and configurations specifically tailored to each recipient.

Licensing for app features

The following features require additional licensing:
- Silent app install/uninstall: Silver license
- Per-app configuration: Gold license
- AppConnect custom configuration: Gold license

Configuration steps common to multiple apps

Do these steps first and then proceed with the configuration steps for each app you want to deploy. You can design multiple configurations of the same app and give each configuration a unique name. Each configuration can have its own distribution and promotion levels to fit your deployment strategy.

Select an app to add to the App catalog:
1. Go to Apps > Apps Catalog and click +Add.
2. Use the pull-down menu to select either the App Store, Google Play or your In-House app store and choose an app to add to the catalog. Depending on your licensing agreement, you might also have MobileIron apps available to add to your catalog.
3. Optionally, edit the Category of the app.
4. Optionally, add a brief description of the app in the Description field.
5. Click Next.
6. Choose a distribution level for this configuration of the app:
   - To everyone - The app is added to all compatible devices of all users.
   - To no one - The app is staged for distribution at a later date.
   - Custom Distribution - The app is distributed only to the users or user groups you choose.
7. Click Next.

Configuring installation options

To select the installation configuration options:
1. Click Install Application configuration settings, or click the + icon to add another configuration, to view the Configuration Setup page.
2. Enter a name for the configuration in the Name field.

3. Optionally, enter a brief description of the installation configuration in the Description field.
4. Optionally, select Install on Device. This prompts for, and requires, installation of the app on the device, and lets you select these options:
   - Silently install on Samsung SAFE devices
   - Silently install on Samsung KNOX workspace and Zebra devices
   - Do not show app in end user App Catalog
   - Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
5. You may encounter additional configuration options, depending on the chosen app. These options may include the ability to add multiple Key and Value pairs. In such cases, click + Add to enter Key and Value pairs.

Select iOS App Management settings

To select iOS App Management settings:
1. Click iOS Managed Apps Application configuration settings, or click the + icon to add another configuration, to view the Configuration Setup page.
2. Enter a name for the configuration in the Name field.
3. Enter a brief description of the configuration in the Description field.
4. Select whether to prevent backup to iCloud and iTunes.
5. Select whether to remove apps when the device is unenrolled.

Select App Promotion levels

To set the level of promotion for the app:
1. Click Promotion distribution configuration settings, or click the + icon to add another configuration, to view the Promotion configuration page.
2. Enter a name for the promotion distribution configuration settings in the Name field.
3. Optionally, enter a brief description of the configuration in the Description field.
4. Select the level of promotion you want the app to receive: Not Featured, Featured List, or Feature Banner. If Not Featured is selected, the app will not be listed.
5. Click + Add Description to enter a brief description of the configuration.
6. Optionally, change the distribution of the configuration.
7. Click Done to save the app configuration.

Enter values for an AppConnect Custom configuration

To enter values for an AppConnect Custom configuration:

1. Click the + icon to open the configuration page.
2. Click + Add Description to enter a brief description of the configuration.
3. Click + Add to enter Key and Value pairs.
4. Choose a distribution level for the configuration.
5. Click Next.

Configuring AppTunnel traffic rules

Use AppTunnel to define traffic rules that allow access to services through Sentry:
1. Click Apps.
2. Click App Catalog.
3. Click the app for which to create an AppTunnel configuration.

4. Click App Configurations.
5. Click the + icon to open the configuration page.

6. Provide a helpful name for the configuration.
7. Choose a Sentry Profile from the pull-down menu.
8. Enter the domain wildcards for the traffic that should be tunneled and the service to which that traffic should be sent. Multiple wildcards are evaluated in the order in which they appear. Optionally, you can specify a port number in the fields to the far right (the fields showing 23 and 26 in the illustration above). You can also drag the domain wildcard fields up or down to change their order.
9. Choose a distribution level for the configuration.
10. Click Save.

Configuring an iOS Managed app

To configure an iOS Managed app:
1. Click the + icon to open the configuration page.
2. Click + Add Description to enter a brief description of the configuration.
3. Click + Add to enter a Key and Value.
4. Choose a distribution level.
5. Click Next.
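The ordered evaluation in step 8 of the AppTunnel procedure (the first matching wildcard wins) is easy to get wrong when a broad wildcard sits above a more specific one, because the specific rule then never fires. The following Python is an added illustration, not code from this guide or from MobileIron: it resolves a host and port against an ordered rule list and flags rules that an earlier rule shadows. The rule and service names are constructed, and the matching semantics (fnmatch-style '*', first match wins, a rule without a port matches any port, no match means the traffic is not tunneled) are assumptions the guide does not spell out.

```python
"""Added example (not MobileIron's code): how an ordered list of AppTunnel
domain-wildcard rules resolves a destination to a Sentry service.

Assumptions the guide does not spell out: '*' matches any run of characters
(fnmatch style), the first matching rule wins, a rule without a port matches
any port, and a destination matching no rule is not sent through the tunnel.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TunnelRule:
    domain_wildcard: str        # e.g. "*.example.com"
    service: str                # Sentry service the matching traffic is sent to
    port: Optional[int] = None  # optional port, as in the far-right field


def resolve_service(rules: Sequence[TunnelRule], host: str, port: int) -> Optional[str]:
    """Return the service of the first rule matching host and port, else None."""
    host = host.lower().rstrip(".")
    for rule in rules:
        if rule.port is not None and rule.port != port:
            continue
        if fnmatchcase(host, rule.domain_wildcard.lower()):
            return rule.service
    return None


def shadowed_rules(rules: Sequence[TunnelRule]) -> List[TunnelRule]:
    """Rules that can never match because an earlier rule already covers them.

    Conservative check for '*'-style wildcards: a later rule is shadowed when
    its own pattern string matches an earlier pattern and the earlier rule has
    no port restriction (or the same port).
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            port_ok = earlier.port is None or earlier.port == later.port
            if port_ok and fnmatchcase(later.domain_wildcard.lower(),
                                       earlier.domain_wildcard.lower()):
                shadowed.append(later)
                break
    return shadowed


# Constructed sample rule set: specific rule first, broad wildcard second.
SAMPLE_RULES = [
    TunnelRule("intranet.example.com", "sharepoint-service", 443),
    TunnelRule("*.example.com", "default-service"),
]

# The same two rules with the broad wildcard first: the specific rule is shadowed.
SHADOWED_RULES = [SAMPLE_RULES[1], SAMPLE_RULES[0]]

if __name__ == "__main__":
    print(resolve_service(SAMPLE_RULES, "intranet.example.com", 443))    # sharepoint-service
    print(resolve_service(SHADOWED_RULES, "intranet.example.com", 443))  # default-service
    print([r.domain_wildcard for r in shadowed_rules(SHADOWED_RULES)])   # ['intranet.example.com']
```

Note that with these semantics "*.example.com" does not cover the bare "example.com"; add a separate rule for the apex name if that traffic should be tunneled too. Running the shadow check before saving a configuration is a cheap way to catch a rule that was dragged below a broader one.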

Configuring a VPN for each app using Per App VPN

1. Click the + icon to open the configuration page.
2. Enter a name for the VPN for this app in the Name field.
3. Click + Add Description to enter a brief description of the configuration.
4. Select the Enable Per-App VPN for this app checkbox and select a Per-App VPN Config from the pull-down menu.
5. Choose how to distribute this App Config.
6. Click Next.

Configuring MobileIron apps

As you configure MobileIron apps, you have the opportunity to name and design unique configurations to assign to different users or groups. Access to and use of MobileIron apps and other software requires a licensing agreement. Verify that you have the proper licensing to use MobileIron software.

Important: Each configuration has a priority indicated by its position in the list displayed for the app. The priority can be changed by dragging and dropping the configuration: the higher a configuration is in the list, the higher its priority.

Configuring the MobileIron Docs@Work app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Docs@Work to add it to the Apps catalog.
3. Edit the Category if needed.
4. Optionally, enter a brief description of the configuration.
5. Select a distribution level.
6. Click Next.
7. AppConnect Custom Configuration: click +Add to add Key and Value pairs.
8. Select a distribution level and click Next.
9. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation, or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings, or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings, or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Docs@Work configuration:
      - Enter a name for the configuration.
      - Optionally, click +Add Description to enter a description of the configuration.
      - Click +Add in the Content Sites section to enter site details: Name, URL, Domain, Subdomain, Authentication, Published, Web View, Actions.
      - Use the Publish site options pull-down menus to set these site options: Update Mode, Update Interval, Max Auto download size, Max documents per update.
      - Select the distribution level for this configuration.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   g. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configuring the MobileIron app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron to add it to the Apps catalog.
3. Edit the Category if needed.
4. Enter a brief description of the configuration if needed.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation, or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings, or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings, or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Web@Work configuration: add Bookmarks. AppConnect Custom Configuration: click +Add to enter Key and Value pairs.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   g. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configuring the MobileIron Tunnel app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Tunnel to add it to the Apps catalog.
3. Edit the Category if needed.
4. Click +Add Description to add a brief description of the configuration.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation, or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings, or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Select a level of distribution.
   d. Click the + icon to add AppConnect Custom Configuration settings. Name this configuration. Enter the key and value pairs for the AppConnect Custom Configuration settings. Choose a distribution level.
   e. AppConnect Custom Configuration: click +Add to enter Key and Value pairs.
   f. Choose a Sentry profile for the App Tunnel.
   g. Enter the domain wildcards for the tunnel traffic. Multiple wildcards are evaluated in the order in which they are listed.
   h. Click the + icon to add iOS Managed App Configuration settings. Name this configuration. Enter the key and value pairs for iOS 7+ Managed App settings. Choose a distribution level.

Configuring the MobileIron Email+ for iOS app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Email+ to add the app to the Apps catalog.
3. Edit the Category if needed.
4. Enter a description of the app if needed.
5. Click Next.
6. Click the Distribution tab and click Edit to begin making changes to the distribution level.
7. Click Save.
8. Click the App Configurations tab to view a summary of the current configuration.
9. Enter a description of the app if needed.
   a. Click Install Application configuration settings to configure the installation, or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings, or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Enter a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings, or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Click the + icon to add Email+ for iOS Configuration settings. Enter a name for the configuration. Optionally add a description for the configuration.
   e. Enter the email address of the device user.
   f. Password: enter the user's password for the ActiveSync server.
   g. Exchange Host: enter the fully qualified domain name of the ActiveSync server.
   h. Exchange Username. Check the box to require SSL.

   i. Minimum Characters for Global Address List (GAL) Search.
   j. Choose a certificate to use for the Email+ App Identity Certificate and select from these options:
      - Trust All Certificates
      - Prompt for Password Before Connecting to Server
      - IBM Lotus Notes Traveler
      - Allow Safari Browser
      - Allow Detailed Notifications
      - Show Pictures by Default
      - Allow Exporting Contacts
      - Allow Logging
      - Default Signature
      - Allow Send Feedback
      Set AppConnect Custom Configuration settings: click +Add to enter Key and Value pairs.
      Set AppConnect Certificate Configuration settings: click +Add to enter a Key and select a Certificate from the drop-down list. This is useful for S/MIME support in Email+. You can specify the keys and corresponding certificates for encryption (email_encryption_certificate) and signing (email_signing_certificate).
      Select a distribution level for this configuration.
   k. Click the + icon to add App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   l. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   m. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configuring the MobileIron Email+ for Android app

The license you purchased determines whether or not you have access to the Email+ for Android app. The Email+ for Android app will already be added to your App catalog.

To configure Email+ for Android:
1. Click the Email+ link in the catalog to view the Details tab.
2. Use the Actions pull-down menu button to add a new version of the app or delete the app from your catalog.

3. Click Edit to begin making changes to the details. Edit the Category if needed. Enter a description if needed. Add screenshots if needed.
4. Click Save.
5. Click the Distribution tab and click Edit to begin making changes to the distribution level.
6. Click Save.
7. Click the App Configurations tab to view a summary of the current configuration.
8. Enter a description of the app if needed.
9. Click Install on Device in the left navigation pane, then click Install Application configuration settings. Click Edit to begin making changes to the installation configuration settings.
   - Enter a name for the configuration.
   - Enter a description for the configuration.
   - Select Install on Device to prompt the user and require installation.
   - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   - Click Update to save your changes.
10. Click Promotion in the left navigation pane, then click Promotion distribution configuration settings to change the promotion level. Click Edit to begin making changes to the promotion level settings.
   - Enter a name for the configuration.
   - Enter a description for the configuration.
   - Select a promotion level.
   - Click Update to save your changes.
11. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Configuring the MobileIron Dataview app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Dataview to add it to the Apps catalog.
3. Edit the Category if needed.
4. Enter a description of the app if needed.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation, or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If the app is already installed, this converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently; the user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings, or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings, or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Click the + icon to set AppConnect Custom Configuration settings. Click +Add to enter Key and Value pairs.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to set more Dataview Configuration options.
      - Enter a Billing date. This is the day of the month on which the billing cycle starts.
      - Choose how you want to cap data usage: set a regular monthly usage cap, or set the plan as unlimited and use only the roaming cap and alerts.
      - Set a Daily data usage cap and set an alert.
      - Set a Roaming usage cap and set an alert.
   g. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   h. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Using iOS Managed App Configuration

An application might have some configuration parameters implemented or restricted by the developer. For applications with such restrictions, your configuration options might be limited.

1. Go to Apps > App Catalog.
2. Select a configuration.
3. Click the App Configurations tab.
4. Click iOS Managed App Configuration, or click the + button. The iOS Managed App Configuration has some default configuration settings in place.
5. Click Add to add another configuration, if needed.
6. Optionally, click the name of the configuration to edit the current configuration. The configuration setup details and options are displayed.
7. Click Edit. The configuration options present may vary depending on what the app developer chose to provide initially. You can still enter key and value pairs.
8. Click Update to save your entries.

Choosing Windows 10 apps for your in-house catalog

Choose the apps to add to your in-house app catalog. Only in-house apps are supported for Windows 10. Windows 10 enforces compliance directly on the device based on the apps you choose to allow or disallow.

Note: The Windows 10 check-in interval is once every 60 minutes by default. You may want to perform a forced device check-in to get an update of the device and app status.

These actions are supported:
- Uploading new apps
- Silent installation
- Adding a new version of the app
- Deleting an app

These formats are supported:
- APPX
- APPXBUNDLE
- MSI
- Wrapped Win32 - pre-bundled Win32 app

To configure Windows 10 apps:

1. Click Devices on the main navigation bar.
2. Select a Windows 10 device that you have enrolled in MobileIron Cloud.
3. Click Apps > App Catalog.
4. Select an app.
5. Use the Actions pull-down menu to add the app or delete the app from your catalog. Optionally, add a new version of the app: click the Actions pull-down menu, select Add New Version, go to the catalog and select a new version of the app, then click Update and Save to view the App information screen.
6. Use the Version pull-down menu to choose which version to use.
7. Click Edit to begin making changes to the details. Edit the Category if needed. Enter a Description if needed. Add screenshots if needed.
8. Click Save.
9. Click the Distribution tab and click Edit to begin making changes to the distribution level.
10. Click Save.
11. Click the App Configurations tab to view a summary of the current configuration.
12. Enter a description of the app if needed.
13. Click Install on Device in the App Configurations summary page. Silent installation is the default and cannot be changed.
14. Click Promotion in the left navigation pane, then click Promotion distribution configuration settings to change the promotion level. Click Edit to make changes to the promotion level settings. Enter a name for the configuration. Enter a description for the configuration. Select a promotion level. Click Update to save your changes.
15. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Editing Windows 10 app configuration settings

To edit an app configuration:
1. Click Policies > Configuration.
2. Click +Add.
3. Select Windows App Control to view the Create Windows App Control Configuration screen.
4. Enter a Name and Description for the configuration.

5. Define the app type as:
   - Allowed (Whitelisted) - Only these apps are allowed. These apps are installed silently if not already present on the device.
   - Disallowed (Blacklisted) - If present on the device, these apps will be blocked if launched.
6. Specify the Rule definitions for the App Type and App Identifier.
7. Click Lookup Apps to view the Search Windows 10 Apps screen.
8. Enter the name of the app to search the Windows Store.
9. Select the app from the choices displayed to add it to the App Identifier.
10. Optionally, use the App Type pull-down menu with a path defined in the App Identifier to allow or disallow apps using the specified path, or to block all apps installed in that path. App Type options:
   - Publisher/PFN Equals applies to Windows 10 Mobile and to Windows 10 Desktop, which supports PFN.
   - EXE/Win32 Equals applies to Windows desktop only.
11. Click Next.
12. Select a distribution level:
   - All Devices
   - No Devices
   - Custom - to enter the users or groups to receive the app
13. Click Done.
14. You can edit the Rule definitions to select an App Type and specify an App Identifier. Click the Actions pull-down menu, select Add New Version, select a new version of the app, and click Update and Save to view the App information screen.

Using Apps@Work

Apps@Work enables the use of Windows public and in-house apps on Windows 10 devices in MobileIron Cloud. Apps@Work is installed silently on supported Windows 10 mobile devices.

To configure an app for Apps@Work:
1. Select a Windows app.
2. Click the App Configuration tab.
3. Click Install on Device. A Windows in-house app configuration can be set to the silent install flag or to install using Apps@Work. Public apps cannot be set to silent install.
4. Optionally, choose to display or hide apps in the Apps@Work catalog. This option applies to in-house apps only.

5. Click Promotion. Apps@Work currently does not support the banner promotion, so the available options are Featured and Not Featured.

Note: Only the Promotion option is displayed for public apps.

To install an app using Apps@Work:
1. Click the app. Your administrator email address and server URL are pre-filled in the login dialog.
2. Enter your password and click Sign In to display the apps page. There are three tabs: featured apps, in-house apps, and store apps.
3. Select the in-house apps tab.
4. Select an app to install. A message is displayed stating that a request has been sent to the server to install the app. Click Close.
5. Optionally, select an app from the store apps tab to display the Windows app store.
6. If prompted, enter your username and password for the Windows app store.
7. Click Update and Save to view the App information screen.

Using the Android for Work App Configuration

If MobileIron Cloud is Android for Work enabled, then the Android for Work configuration is available to use per app.

To use the Android for Work configuration:
1. Click Apps.

105 MobileIron Cloud Administrator Guide R45 2. Use App Catalog. 3. Select an app for which to configure the Anroid for Work configuration. 4. Click App Configurations. 5. Click +. 85

6. Provide a name for the configuration.
7. Optionally, provide a description.
8. Use the Managed Configurations fields to configure managed configuration behaviors:

   Blocks apps from sharing widgets across profiles
      Enable to block apps from sharing widgets across profiles only if the app is not silently installed. Leave disabled to allow trusted apps deployed in the Android for Work profile to display widgets on the home screen, so users can access information without having to log in.
   Blocks the user from uninstalling the app
      Enable to block the user from uninstalling the app after MobileIron Cloud silently installs it.

9. Click Manage Permissions to select and configure runtime permissions for applications that target API level 23 (Android 6.0) or higher. Only the dangerous permissions that apply to the specific application are listed for selection. The complete list of dangerous permissions (such as read your contacts, find accounts on the device, write call log, and so on) is published in the Android developer documentation. The permissions are applied only when the application requests them; they are not applied if the user has previously accepted or denied the permission. The rights you can assign to each permission are:
   Auto grant
   Auto deny. Use this setting with caution.
   Default/Global
10. Configure the distribution options, selecting from Everyone with App, No One, or Custom.
11. Click Save.

How to create a custom configuration for MobileIron Tunnel for Windows

Use these steps to create a custom configuration for MobileIron Tunnel on Windows devices.
1. Go to Configuration > +Add.
2. Select the MobileIron Tunnel policy to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.

4. Enter a description.
5. Click the Windows icon to create a Tunnel service for Windows and display the Profile Settings section.
6. Enter the settings in the Define Profile Settings section.
7. Choose a Sentry profile from the Sentry Profile pull-down menu.
8. Choose a Sentry service from the Sentry Service pull-down menu.
9. Enter an email address to receive debugging information.
10. If you select the Advanced option in Sentry Profile Settings: enter Key/Value pairs, then click Next.
11. If you select the Standard option in Sentry Profile Settings:
   Select the Always On position. Note: On is the default setting. This is a Windows 10 feature that connects the active VPN profile automatically on these triggers: the user signs in, or the network changes.
   In the App Groups section, enter the App Format and the file path settings using the pull-down menus. If needed, click +Create New Group in the Apps Group section to create a new list of apps whose traffic all flows through the VPN. Enter a path for the app in the App Type pull-down menu. Click Lookup Apps to search for Windows 10 apps in the Windows App Store, enter the name of the app in the search field, and select an app to add to the App Identifier.
   In the Traffic Filters section, click +Add to add a filter. Enter an IP address range in the Traffic Filter screen to limit the traffic allowed through the tunnel to those IP addresses. All traffic is sent through the tunnel if no filters are configured.
   In the DNS section, click +Add to add a Domain and DNS Server IP.
   Click Next.

Apps > Categories

Categories describe types of apps and help organize apps when users browse the app catalog. Every app must have at least one category assigned. A list of common app categories is available when you start using MobileIron Cloud. Use this page to manage app categories.

To add a category
You can add new categories here, or when you add an app to the app catalog.

1. Click Add (bottom left).
2. Type the category name. Categories are not case sensitive, so MINE is the same as Mine.
3. Click Save.

To remove a category
Click the X next to the category.

Can't do tasks on the App Categories page?
Maybe you don't have permission. You need the following role: App & Content Management

Apps > Reviews

Reviews are the comments and ratings (stars) your users provide about apps in the app catalog. Reviews provide valuable information to you and to users who are considering installing an app. Use the Reviews page to view or delete ratings and reviews. You might delete a review or rating if it is old or inappropriate.

Note that:
   Only device users can create and edit app ratings and reviews.
   Device users can edit, but not delete, their own ratings and reviews.
   Only administrators can delete app reviews. App ratings cannot be deleted.
   Ratings (stars) given to apps remain on the Apps > App Catalog page, even if you later disable the ratings and reviews feature for your users.

To view ratings and reviews
Go to Apps > Reviews to read full user review comments and ratings (stars) for the apps you have distributed.
Go to Apps > App Catalog and see the Avg. Rating column for the total number of reviews and the average rating.
Go to Apps > App Catalog, click the App Name, and see the Reviews tab for ratings and reviews for a specific app.

To disable ratings and reviews
1. Go to Apps > Catalog Settings.
2. Uncheck Enable Ratings and Reviews in the end user app catalog.
3. Click Save.

To delete a review
1. Go to Apps > Reviews.
2. Select the review.
3. Click the Actions button at the top right of the page.
4. Select Delete.
5. Click Yes in the Delete Review confirmation dialog.

Can't do tasks on the Reviews page?
Maybe you don't have permission. You need the following role: App & Content Management

See Also
Displaying and Hiding Columns

Apps > Licenses

License: Gold

The Licenses screen is available only if you have set up Apple's Volume Purchase Program (VPP) in your app catalog settings. This screen shows the app licenses you have purchased for iOS devices and how many have been used. Use this screen to:
   select the VPP apps that will be included in your catalog
   distribute licenses for VPP apps

Device-based and User-based license distribution

Whether the license for an app is device-based or user-based depends on how you assign it. A license assigned to a device becomes a device-based license; a license assigned to a user becomes a user-based license. A license is consumed when a VPP app is installed on a device, or when a token is issued for that app. If no licenses are available for the app, the user has the option of installing and paying for the app themselves. If a user has already been assigned a user-based license for the requested VPP app, the app is installed using that existing user-based license rather than consuming another VPP license.

Device-based license option

With device-based licenses, users do not need to enroll in VPP. Required apps install automatically, and corporate supervised devices do not need an IT-owned Apple ID. During device check-in, the device is identified by its serial number and the required app is installed if a license is available. If no licenses are available, the app is not installed. If a license for an app is reserved, a device-based license assignment does not occur at app installation.

Note: Updates for apps deployed with device-based VPP licensing are controlled by the administrator. To control how an app is updated, go to Apps > App Catalog and open the App Configurations / Install On Device tab. You can select an immediate update that occurs at the next device check-in, or have the app update automatically when new versions become available.

Important: Before assigning a device-based license to a business-to-business (B2B) or productivity app, confirm with the app developer that the app is eligible for device-based licensing.

User-based license option

A user-based license remains valid for that user if they move from one device to another, for example because the device is lost or stolen or the user upgrades to a new device. With user-based licenses, the user must first enroll in the Volume Purchase Program. Enrolling is a manual action that the end user completes in the App Catalog. Required VPP apps are not installed on the device until the user enrolls in the Volume Purchase Program.

If the app is a required VPP app and the license distribution is user-based:
   The required app is not installed if the user is not enrolled in the VPP program.
   The required app is installed if the user is enrolled in the VPP program and a license is available.
   If the user is enrolled in VPP but no licenses are available, the app is not installed.

To add a VPP app to the catalog

1. Go to Apps > Catalog Settings.
2. Upload or update a VPP sToken.
3. Optionally, check Automatically distribute VPP apps to all users. The All Users group is used to distribute the first-come, first-served (FCFS) licenses.
4. Click Update.
5. Go to Apps > Licenses.
6. Select an app and click Add to Catalog. Click Next.
7. Optionally, add a description of the app. Click Next.
8. Select a distribution option. Click Next.
9. Click the App Configuration tab.
10. Optionally, select Install on device. This configuration option installs the app without prompting the user on supervised iOS devices.
11. Select other configuration options if needed.

To distribute licenses for a VPP app in the catalog
1. Select Apps > Licenses from the main menu. A list of apps purchased through the VPP program is displayed.
2. Select an app and click Distribute Licenses.
3. Choose a distribution option in the VPP Licenses section: First-come, first-served, Reserved, or Disallowed.

View app licenses per user

You can designate license preference for your users by using the License Usage tab.
1. Click the Users tab.
2. Select a user.
3. Click the License Usage tab. A list of apps is displayed with their VPP license type and license assignment details.

To view the license usage for each app per user:
1. Go to Users in the MobileIron Cloud main menu.
2. Select a user. The Devices tab is displayed by default.
3. Click the License Usage tab. A list of all the apps installed on the user's devices is displayed, including the license status. For device-based licenses, the device serial number is listed in the VPP License Type column. The columns are:
   App name
   Version of the app
   Cost of the app
   Date the app was assigned
   VPP license type
   Actions (license status)

You can also view the VPP license usage for each app:
1. Go to Apps > App Catalog in the MobileIron Cloud main menu.
2. Select an app.
3. Click the VPP Licenses tab, if present. Only apps purchased through the VPP program display this tab. A separate tab is displayed for each VPP license type:

   First Come First Served (FCFS)
      You can select which user groups receive this type of license.
      User Requested Apps - apps the user chooses to install. A user-based license is the default.
      Required Apps - apps that are required and are installed by admin configuration using the Install on Device setting. These apps use device-based licenses by default.
   Reserved
      Reserved licenses have priority over FCFS licenses. Here you select the users or devices that have a reserved license for the app.
   Disallowed
      Enter the users who are not allowed to have a license for this app. The user can still install the app, but must purchase it.
   Activity Log
      Displays the user, the type of VPP license assigned to them, the date it was assigned, and the latest action taken on the license.

To view the detailed license usage for each app per device:
1. Go to Devices > Devices in the MobileIron Cloud main menu.
2. Select a device.
3. Click the Installed Apps tab. A list of all the managed apps installed on the selected device is displayed, including the license status. The columns are:
   App Name
   Version of the app
   Platforms supported
   Source of the app
   Size of the app
   VPP license type

VPP license usage notifications

VPP notifications help you track VPP license usage. The notification thresholds are:
   An Information notification is issued when more than 50% of the licenses have been used.
   A Warning notification is issued when 70% to 80% of the licenses have been used.
   A Critical notification is issued when 90% to 100% of the licenses have been used.
   Notifications are cleared when usage drops below 50%.

To view license information for each app:
1. Click Apps > Licenses. License information is displayed, including:
   Name of the app
   Cost of the license
   Number of licenses available
   Number of redeemed licenses
2. Go to Dashboard > Notifications to view the details of a license notification. The Notifications page is displayed.
3. Click the notification title to see the details. Notifications are classified by component type, notification type, and severity:
   Component Type: LDAP, VPP, iOS, Tenant, DEP Server, Connector
   Notification Type: Expiration, Data Sync, Usage Limit, Admin Action, Token Status Change
   Severity: Cleared, Information, Warning, Critical

VPP license usage notifications

   VPP License Usage Trigger   Severity   Notification Type   Component Type
   50% Redeemed                Info       License Usage       VPP
   70% Redeemed                Warn       License Usage       VPP
   80% Redeemed                Warn       License Usage       VPP
   90% Redeemed                Alert      License Usage       VPP
   100% Redeemed               Alert      License Usage       VPP

Revoking a VPP License

VPP licenses are revoked when:
   a device becomes inactive (retired or wiped)
   a VPP app is deleted
   a device is retired (this revokes its device-based licenses)
   the VPP token is deleted

To revoke a VPP license for an app:
1. Select the app under Apps > App Catalog.
2. Click the VPP Licenses tab.
3. Click Revoke All Licenses.

Note: For iOS devices, Apple allows a 30-day grace period for VPP apps after the VPP license is revoked, so the VPP app remains installable during that period. For macOS devices, the app remains on the device after the VPP license is revoked.

VPP Authentication Error Notifications

Some authentication errors might occur when using the Apple VPP service. The VPP authentication error notifications are:

   Error Notification              Action
   Invalid Authentication Token    Upload a valid VPP sToken.
   Expired Token                   Generate a new token online using your company's account.
   The sToken has been revoked     Upload a valid VPP sToken.
   Login required                  Log into the VPP service.

Can't do tasks on the Licenses page?
Maybe you don't have permission. You need the following role: App & Content Management

Apps > Catalog Settings

Catalog settings are preferences you apply across all apps in your app catalog. You can:
   Include app updates during device check-in
   Prevent backup to iCloud and iTunes (iOS only)
   Remove iOS apps when the device is un-enrolled
   Enable MobileIron Cloud "Ratings and Reviews"
   Upload iOS and macOS Volume Purchase Program (VPP) tokens (requires Gold license)

Changing iOS/macOS app management settings

These settings apply to all apps unless an app management configuration has been created for individual apps.
1. Select or clear one or more of the following check boxes:
   Update apps during device checkin (selected by default)
   Prevent backup to iCloud and iTunes
   Remove apps on un-enrollment
2. Click Save.

Enabling/disabling iOS app updates
1. Select or clear Update apps during device checkin. By default, this option is selected. When cleared, device check-ins (including a forced check-in by the admin) do not include app updates; the user can still trigger them with the Force checkin action in the device app catalog. New app installations and all other configurations and settings are still updated during device check-in.
2. Click Save.

For a managed app, the admin can click the Update button on the app details page to manually update the app to the latest version from the App Store. On a user's device, the user can click the Force Checkin button on the App Catalog menu to check the device in and apply app updates along with other configurations and updates. Together, these settings let end users choose when their apps get updated:
   Wait until connected to Wi-Fi to avoid data charges.
   Avoid being locked out, at the wrong time, while the app updates.

Enabling/disabling application ratings and reviews

This allows users to rate and review the applications, and other users to read those reviews.
1. Select or clear Enable Ratings and Reviews in the end user app catalog.
2. Click Save.

Note: The format of the VPP sToken has changed. Instead of a character string, as in previous releases, it is now a character string stored in a text file in the .vpptoken file format. Upload this file directly to the admin console for processing. The VPP account page now displays the VPP organization name and expiration dates.

Uploading or updating an iOS/macOS VPP sToken (License: Gold)
1. Select Add VPP sToken.
2. Enter a name for the sToken file in the Alias Name field.
3. Drag and drop the sToken file to the specified area, or click Choose File to navigate to the sToken file.
4. Click Save, or if you are updating an sToken file, click Update.
5. Go to the Licenses page to view the apps associated with this token.

Important: If VPP tokens were reserved for individual users before the upgrade to R29, verify that the tokens are still reserved for those users and reserve them again if needed.

Removing an iOS/macOS VPP sToken from your MobileIron Cloud service

You can revoke an app that is no longer needed by a user and reassign it as needed. If the app was deployed as a managed app with MDM for iOS/macOS, you have the option of removing the app and all its data immediately.
1. Select an app to remove.
2. Click Delete. A warning dialog appears.
3. Optionally, give the user a 30-day grace period to:
   Save their data.
   Buy a personal copy of the app.
   Transfer apps they installed through this VPP account to their personal accounts to continue using them.

Can't do tasks on the Catalog Settings page?
Maybe you don't have permission. You need the following role: App & Content Management

MobileIron Bridge

MobileIron Bridge unifies mobile and desktop operations for Windows 10 using a single console and communications channel. It extends EMM capabilities to managing PCs and allows organizations to reduce costs and increase efficiency while keeping security consistent across PCs and mobile devices. With MobileIron Bridge, enterprises use the same protocol for Windows 10 Desktop devices as for supported Windows mobile devices to send information to legacy applications on the OS. MobileIron Bridge lets IT modernize Windows operations on EMM without giving up critical functionality: IT can apply policies and scripts already in place without requiring a system image, domain join, or multiple channels of communication to the device.

With MobileIron Bridge, organizations can:
   Have complete control over PCs with EMM
   Manage PCs remotely, over the air
   Reduce the need for imaging desktops
   Leverage GPO-based commands with PowerShell scripts deployed by EMM
   Easily edit and manage the Registry
   Deploy Win32 apps that are not MSI-wrapped
   Gain file system visibility

Note: MobileIron Bridge is used only with Windows 10 desktop devices.

MobileIron Bridge supported file types

MobileIron Bridge supports the following file types:
   PowerShell. PowerShell scripts pushed to devices using MobileIron Bridge support named arguments. 64-bit PowerShell scripts are supported on 64-bit Windows 10 desktop devices.
   Registry
   VB Scripts
   .EXE for Win32 application deployment

Note: If admins need to push Win32 (.EXE) files to a device (for example, as a Windows in-house app), MobileIron Bridge is used automatically if it is available. An argument that runs the file silently (for example, /SILENT or /VERYSILENT) is mandatory.

Using MobileIron Bridge, the device can be managed in the following key areas:
   Registry: reading, writing, and updating registry values.
   Files: verifying, reading, and updating the contents of a file.
   Application deployment: installing .exe-based applications on the desktop device. These applications can reside either on the Cloud servers or on a CDN in the cloud.

MobileIron Bridge setup

Setting up MobileIron Bridge requires that admins complete the following steps in this order:
1. Procure and activate MobileIron Bridge licenses.
2. Install the MobileIron Bridge mobile application.
3. Upload scripts for permanent or one-time use to the devices.

Procuring and activating MobileIron Bridge licenses

Separate licenses are required to use MobileIron Bridge on MobileIron Cloud, apart from the regular Silver/Gold/Platinum licenses. For more information, contact MobileIron.

Installing the MobileIron Bridge mobile application

After the MobileIron Bridge licenses have been activated, install the MobileIron Bridge mobile application as follows:
1. Go to Apps > App Catalog.
2. Click +Add.
3. Click MobileIron Bridge in the Business Apps section.
4. Add details, customize, and distribute the MobileIron Bridge mobile application to the required devices according to the procured licenses. If you have enabled the Silently install on Windows devices option, the MobileIron Bridge mobile application is installed silently and the MobileIron Bridge service starts running on the devices.

Uploading scripts to the devices

Administrators can upload scripts to the devices for permanent use by creating a new MobileIron Bridge configuration:
1. Go to Configuration > +Add.
2. Select the MobileIron Bridge configuration.
3. Enter a name for the configuration.
4. Enter a description.
5. In the Configuration Setup section, specify the remaining settings as described in the following table:
   a. Enter the Script File settings to specify an installation script to be pushed to or executed on the devices.
   b. (Optional) Enter the Undo Script File settings to specify an uninstallation script to be pushed to or executed on the devices. This is useful in scenarios such as device retirement or configuration deletion.
6. Click Next.
7. Select a distribution for this configuration. A force check-in is done automatically for these device actions.

   Name: Enter a name that identifies this configuration.
   Description: Enter a description that clarifies the purpose of this configuration.
   Script File (All Versions, Windows 10+ Desktop)
      Script File: Select a valid script or executable file (.ps1, .reg, .exe). The specified script or executable file is executed automatically. Other file types are only copied to the target folder.
      Script Arguments: Specify the list of arguments for the script file. Note: For Win32 (.exe) files, an argument that runs the file silently (for example, /SILENT or /VERYSILENT) is mandatory.
      Target Folder: Specify the target folder for the script file. If the target folder is not specified, the value of the %TEMP% system environment variable is used.
   Undo Script File (All Versions, Windows 10+ Desktop)
      Script File: Select a valid script or executable file (.ps1, .reg, .exe). The specified script or executable file is executed automatically. Other file types are only copied to the target folder.
      Script Arguments: Specify the list of arguments for the script file. Note: For Win32 (.exe) files, an argument that runs the file silently (for example, /SILENT or /VERYSILENT) is mandatory.
      Target Folder: Specify the target folder for the script file. If the target folder is not specified, the value of the %TEMP% system environment variable is used by default.

Uploading scripts to the devices for one-time use

Administrators can upload a script to the devices for one-time (ad hoc) use.
1. Go to Devices > Devices.
2. Click the device name link to go to the Device details page. This is the Windows 10 desktop device to which the one-time script is pushed or on which it is executed.
3. Click the actions icon and click MobileIron Bridge.
4. Enter a name.
5. In the Script File section, specify a script to be pushed to or executed on the device, as described in the preceding table.
6. Click Apply. The script execution is queued and may take a while to complete. Go to the Logs tab to check the status (output or failure messages). A force check-in is done automatically for these device actions.
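The Bridge configuration above tells you only that a .ps1 is executed with the Script Arguments you supply and that its output appears in the device's Logs tab. The script below is an added example, not MobileIron's code, of what a Bridge-friendly PowerShell script looks like: named parameters, an idempotent apply path, a read-back check so the log reports the effective value rather than the intent, a non-zero exit code on failure, and an -Undo switch so the same file can be uploaded a second time as the Undo Script File with different Script Arguments. The default values disable LLMNR name resolution, a common Windows hardening step. The script name, the assumption that Bridge runs it in a 64-bit host with permission to write HKLM, and the assumption that exit codes and Write-Output text surface in the Logs tab are not documented on this page.

```powershell
<#
  Set-RegistryPolicyValue.ps1  (hypothetical name; added example)

  Apply mode sets one registry value idempotently; -Undo removes it so the
  same file can serve as the Undo Script File.

  Example Script Arguments:
    -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Value 0 -Type DWord
  Undo Script Arguments: the same, plus -Undo
#>
[CmdletBinding()]
param(
    [string]$Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
    [string]$Name  = 'EnableMulticast',   # 0 disables LLMNR
    [string]$Value = '0',
    [ValidateSet('String', 'ExpandString', 'DWord', 'QWord')]
    [string]$Type  = 'DWord',
    [switch]$Undo
)

$ErrorActionPreference = 'Stop'

# On 64-bit Windows a 32-bit PowerShell host silently redirects HKLM\SOFTWARE
# writes to WOW6432Node: the script would "succeed" and the policy never apply.
# Assumption: Bridge runs scripts in a 64-bit host; fail loudly if it does not.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Output "ERROR: 32-bit PowerShell host on 64-bit Windows; registry writes would be redirected."
    exit 2
}

try {
    if ($Undo) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "Nothing to undo: $Path\$Name is not present."
        } else {
            Remove-ItemProperty -Path $Path -Name $Name
            Write-Output "Removed $Path\$Name."
        }
        exit 0
    }

    # DWORD/QWORD values are numbers; everything else is kept as a string.
    $desired = if ($Type -in @('DWord', 'QWord')) { [int64]$Value } else { $Value }

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null   # -Force creates missing parent keys
    }

    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $current -and "$current" -eq "$desired") {
        Write-Output "Already compliant: $Path\$Name = $current"
        exit 0
    }

    New-ItemProperty -Path $Path -Name $Name -Value $desired -PropertyType $Type -Force | Out-Null

    # Verify by reading back rather than trusting the write.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ("$after" -ne "$desired") {
        Write-Output "ERROR: wrote $desired to $Path\$Name but read back $after."
        exit 1
    }
    Write-Output "Set $Path\$Name = $after ($Type)."
    exit 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The read-back check matters because Bridge reports the script's output, not the registry's state: a script that only writes and prints "done" can show success in the Logs tab while the value was redirected, blocked by a policy, or typed wrongly. Keep the script idempotent too, since a permanent Bridge configuration is re-applied on the devices it is distributed to.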

Content

Content > Content

The content catalog contains files that users can download. A typical catalog might include sales presentations, images, spreadsheets, and documents. Use the Content page to manage the content catalog.

iBooks and EPUB content can be distributed to iOS 8+ iPad devices (Gold license). (These formats are restricted to iPad because Apple supports in-house distribution of these formats only to iPad. This restriction does not apply to iOS 9 devices.) Also note that content previews are not available for these formats. For PDF content, you have the option of pushing the document to the iBooks app on iOS 8+ devices.

To add content
1. Click +Add.
2. Drag the content file to the dotted box, or click Choose File to select it from your file system.
3. Describe the file for users:
   a. Edit the default title, if needed.
   b. Enter the name of the document author.
   c. Enter one or more categories. Be sure to press Enter after typing the name of a category.
   d. (Optional) Enter a description of the file.
   e. Click Next.
4. Define content distribution.
5. Click Done.

To upload a new version
1. Click the link to the document in the Name column.
2. Select Actions > Upload New Version.
3. Drag the content file to the dotted box, or click Choose File to select it from your file system.
4. Enter a description of the changes in the What's New field.
5. Click Next.
6. Make any necessary changes to the distribution.
7. Click Done.

To delete content
1. Click the link to the document in the Name column.
2. Select Actions > Delete This Document.
3. Click the check box to confirm.
4. Click Delete Document.

When you delete a document:
   It is removed from the system.
   It is no longer available in the content catalog.
   It is removed from devices that have downloaded it.

Can't do tasks on the Content page?
Maybe you don't have permission. You need the following role: App & Content Management

See Also
Displaying and Hiding Columns

Content > Categories

Categories describe the types of content in the content catalog. Categories help organize content so that users can easily find what they need. Each item added to the content catalog must have at least one category assigned.

To add a category
1. Click Add (bottom left).
2. Type the category name. Categories are not case sensitive, so MINE is the same as Mine.
3. Click Save.

To remove a category
Click the X next to the category.

Can't do tasks on the Categories (Content) page?
Maybe you don't have permission. You need the following role: App & Content Management

Configurations

Configurations are collections of settings that you send to devices. For example, you can use configurations to automatically set up VPN settings and passcode requirements on those devices. The existing configurations for your system are listed on the Configurations page.

There are many types of configurations available. They fall into the following basic categories:
   security
   user resources
   enterprise network access
   cellular network
   other (more configurations)

You can perform the following actions for most configurations:
   add
   edit
   clone
   delete
   exclude one or more configurations from a specific device
   push one or more excluded configurations to a specific device

Certain configurations have restricted actions:
   Some configurations cannot be added or cloned. iOS Activation Lock is an example of this type of configuration. These configurations do not appear among the tiles listed when you add a configuration; they are listed only on the Configurations page.
   System-defined configurations cannot be edited or deleted. SCEP for iOS Enrollment is an example of this type of configuration.
   Some configurations are marked as not removable from or reinstallable on a device. These configurations cannot be excluded from or pushed to the device.

To add a configuration
1. Click Add (upper left).
2. Select the type of configuration you want to create.
3. Complete the form in the configuration wizard.
4. Click Next.
5. If you do not want this configuration enabled immediately, clear the Enable this configuration option.
6. Select device groups for the configuration. If your service has device partitions defined, you need to specify whether the configuration should be applied to the other partitions, and with what priority.

For configurations that issue a command to the device instead of installing a profile on the device, the configuration details do not list the configuration as applied to any devices.

To delete a configuration
1. Select the configuration.
2. Select Actions > Delete.

To exclude a configuration
Some previously distributed configurations can be manually removed from a device by excluding them as follows:
1. Go to Devices > Devices.
2. Click a device name to view the details page.
3. Go to Configurations.
4. Select one or more configurations to be excluded.
5. Click Exclude Profiles. To exclude a single configuration, you can also click Exclude under the Actions column.

To push a configuration
If you want to reinstall any of the excluded configurations on a device, push the configurations as follows:
1. Go to Devices > Devices.
2. Click a device name to view the details page.
3. Go to Configurations > Excluded Configurations.
4. Select one or more configurations to be pushed to the device.
5. Click Push Profiles. To push a single configuration, you can also click Push under the Actions column.

To prioritize configurations

When configurations of the same type are applied to the same device, the defined priority determines which configuration is applied. The configuration with the highest priority has the lowest number; for example, a configuration with priority 1001 takes precedence over one with a larger priority number. The service assigns the numbers automatically. To change the priority of configurations:
1. With no configuration selected, select Actions > Prioritize configs. This option is available only if the page contains two or more configurations of the same type.
2. Use the arrows to move the configurations so that the one that should have the highest priority appears at the top.
3. Click Save.

Can't see the Configurations page?
Maybe you don't have permission. You need one of the following roles: Device Management, Device Read Only

See Also
Displaying and Hiding Columns
Device Partition
Prioritize Configurations

Custom Configuration

Configurations
License: Gold
Eligible Devices: iOS, macOS, Android, Windows
Description: Allows you to import and distribute a predefined configuration file. The file is pushed as you supply it, so review it before distribution. The valid formats are:

   OS        Valid Configuration File Formats
   iOS       .plist, .mobileconfig, .xml
   macOS     .plist, .mobileconfig, .xml
   Android   .xml (currently, this feature supports only .xml configuration files for Zebra devices)
   Windows   SyncML

To define a Custom configuration
1. Select Configurations.
2. Click + Add.
3. Type "custom" in the search field, and then click the Custom configuration. The Custom Configuration details page appears.
4. Configure the settings on this page. Refer to the table in the section Custom Configuration settings for guidance on the values.
5. Click Next to configure the distribution settings.
6. (macOS devices) Select an additional option for the Who does this configuration apply to setting, depending on the behavior you want for this configuration:
   Device Wide (commonly used)
   User Specific (current registered user)
7. Click Done.

Custom Configuration settings
   Name: Enter a name that identifies this configuration.
   Description: Enter a description that clarifies the purpose of this configuration.
   Choose OS: Click an OS icon to upload a configuration file that corresponds to the selected icon.
   Choose File: This option appears after you have selected an OS. Drag a configuration file into the Drag and Drop box, or click the Choose File button to select a configuration file.

See Also
How to create a configuration

Home Screen Layout Configuration

Configurations
License: Gold
Eligible Devices: iOS 9.3+ Supervised Only
Description: Defines a layout of apps, folders, and web clips for the Home screen.

To define a Home Screen Layout configuration
1. Select Configurations.
2. Click + Add.
3. Type "home" in the search field, and then click the Home Screen Layout configuration.

130 Home Screen Layout Configuration The Home Screen Layout Configuration details page appears. 4. Configure the settings on this page. Refer to the table in the section Home_Screen_Layout_Configuration_Settings for guidance on the values. 5. Click Next to configure the distribution settings, and then click Done. Home Screen Layout Configuration settings Setting What To Do Name Enter a name that identifies this configuration. Description Enter a description that clarifies the purpose of this configuration. Dock Click the to add an app or webclip to the dock of the home screen, shown highlighted here, and then follow the directions on the subsequent screens: Page 1 Click the to add an app or webclip to the page area of the home screen, shown highlighted here, and then 110

131 MobileIron Cloud Administrator Guide R45 follow the directions on the subsequent screens: You can click to add another page to the phone display. See Also How to create a configuration App Control Configuration: Control Which Apps Are Installed Per Device For ios 9.3 Supervised devices, this configuration allows apps to be whitelisted or blacklisted at the device level. Apps that are already installed will not be visible and cannot be launched. Apps will still be visible in the App Store, but they cannot be downloaded or launched. Any device to which this configuration is distributed will use this configuration and ignore any Allowed Apps Policy settings. This configuration supersedes any app-related policies that reference the same applications on the target devices. For Windows 10 devices, restrictions happen at the device level, therefore a configuration is the only way to enforce app rules. The App Control configuration allows you to create a: Whitelist: Only allow Apps that are explicitly added to this list. No other apps will be able to be installed on devices. Blacklist: Disallow specific apps from being installed on devices. 111
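The whitelist/blacklist semantics and the precedence rule above (an App Control configuration supersedes the Allowed Apps Policy on the devices that receive it), modelled as an added example. This is not MobileIron's code; the class and function names, the "com.example" bundle IDs and the treatment of the Allowed Apps Policy as a plain whitelist are my own assumptions, and the list syntax accepted by parse_bundle_list is the one-per-line or semicolon-delimited form the guide uses for app lists elsewhere.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


# Constructed model of an App Control configuration as this guide describes it:
# a whitelist or a blacklist of bundle IDs. Names are my own, not MobileIron's.
@dataclass(frozen=True)
class AppControlConfig:
    mode: str                   # "whitelist" or "blacklist"
    bundle_ids: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown App Control mode: {self.mode}")

    def permits(self, bundle_id: str) -> bool:
        """Whitelist: only listed apps are allowed (installed or launched).
        Blacklist: listed apps are disallowed, everything else is allowed."""
        listed = bundle_id in self.bundle_ids
        return listed if self.mode == "whitelist" else not listed


def parse_bundle_list(text: str) -> FrozenSet[str]:
    """Parse bundle IDs given one per line and/or separated by semicolons."""
    ids = set()
    for line in text.splitlines():
        for item in line.split(";"):
            item = item.strip()
            if item:
                ids.add(item)
    return frozenset(ids)


def evaluate_device(installed: Iterable[str],
                    app_control: Optional[AppControlConfig],
                    allowed_apps_policy: Optional[FrozenSet[str]] = None
                    ) -> Dict[str, object]:
    """Work out which installed apps become hidden and unlaunchable on a device.

    Precedence follows the guide: a device that receives an App Control
    configuration uses it and ignores any Allowed Apps Policy. Assumption: when
    no App Control configuration is present, the Allowed Apps Policy is applied
    as a plain whitelist (the guide does not spell out its semantics here).
    """
    if app_control is not None:
        source = "app-control"

        def permitted(bundle_id: str) -> bool:
            return app_control.permits(bundle_id)
    elif allowed_apps_policy is not None:
        source = "allowed-apps-policy"

        def permitted(bundle_id: str) -> bool:
            return bundle_id in allowed_apps_policy
    else:
        return {"source": "none", "hidden": []}

    hidden: List[str] = sorted(b for b in installed if not permitted(b))
    return {"source": source, "hidden": hidden}


if __name__ == "__main__":
    # Constructed sample: a blacklist distributed to a device that also has an
    # Allowed Apps Policy. The policy is ignored because App Control is present.
    blacklist = AppControlConfig(
        "blacklist",
        parse_bundle_list("com.apple.Music\ncom.example.game;com.example.chat"))
    on_device = ["com.apple.Music", "com.example.mail", "com.example.game"]
    print(evaluate_device(on_device, blacklist, frozenset({"com.example.mail"})))
    print("install com.example.chat allowed:", blacklist.permits("com.example.chat"))
```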

Supported Devices: iOS 9.3+ Supervised only; Windows

Steps to define whitelist or blacklist apps
1. Select Configurations.
2. Click + Add.
3. Enter "app control" in the resultant Choose Configuration field, and then select the App Control configuration.
4. Enter a name and description for the configuration.
5. Select an OS and then continue below at the section that applies to your OS.

iOS 9.3 supervised devices
1. Choose whether to create a whitelist or blacklist.
2. Click Add Apps.
3. Choose the apps to whitelist or blacklist by clicking one or both of the following tabs:
Click Add by Lookup to choose apps from the app catalog or system apps.
Click Add Manually to choose apps by entering the Apple bundle ID (starts with "com.apple"), for Apple System apps only.
4. Click the Whitelist or Blacklist tab to review the list of chosen apps to be whitelisted or blacklisted.
5. Click Next and then choose a distribution option.
6. Click Done.

App Notifications Configuration
Configurations
Choose how users receive notifications from selected apps. This configuration is for iOS 9.3 Supervised devices only.

To create an App Notifications configuration
1. Select Configurations.
2. Click + Add.
3. Type "notifications" in the search field, and then click the App Notifications configuration. The App Notifications Configuration Setup page appears.
4. Name and describe the configuration.
5. Choose an app to which to apply the app notification settings.
6. Configure the notification settings.
7. Click Next to configure the distribution settings, and then click Done.

See Also
How to create a configuration

Managing Configurations

Configuration Types
Use the search and filter capability on the Choose Configurations page to find the configuration you want to apply.
1. Choose Configurations.
2. Choose one of the configurations listed or click the +Add button. The Choose Configuration page is displayed.
3. Click one of the configurations listed, or:
o Enter the name of the configuration in the search box.
o Click a filter icon on the right of the search box to display the configuration types compatible with a platform.
4. Click a configuration button to access the configuration setting options.
Use the Configurations page to create and edit all configuration types.

Security
Type: What It Does. For These Devices. Needs This License.
Android for Work: specifies Android for Work options. Devices: Android for Work. License: Gold.
AppConnect Device: specifies security settings for AppConnect-enabled apps on devices. Devices: Android, iOS. License: Gold.
Certificate: establishes trust with servers. Devices: Android, iOS, macOS.
Android Encryption: prompts users to start encryption. Devices: Android.
FileVault 2: provides the ability to perform full XTS-AES 128 disk encryption on the contents of a volume. Devices: macOS.
FileVault Recovery Key Redirection: determines settings for redirecting the FileVault recovery keys to a corporate server. Devices: macOS.
Identity Certificate: authenticates the device to servers and to network resources. Devices: Android, iOS, macOS.
iOS Activation Lock: enables the Apple Activation Lock feature on supervised devices. Devices: iOS. License: Silver.
iOS Custom Configuration: distributes an iOS configuration profile that was created by a different app. Devices: iOS.
iOS Restrictions: locks down device features; enables device features. Devices: iOS.
Lockdown & Kiosk: Android: locks down device features; re-enables device features; applies the kiosk feature. Devices: Android.
Lockdown & Kiosk: Android for Work: defines features and apps that are restricted on Android for Work devices; applies the kiosk feature. Devices: Android.
Lockdown & Kiosk: Samsung SAFE: defines features and apps that are restricted on Samsung SAFE devices; applies the kiosk feature. Devices: Samsung SAFE.
macOS Firewall: manages the Application Firewall settings that are accessible in the Security Preferences pane on macOS devices. Note: The administrator can enable stealth mode, so that the device cannot be discovered by the ping command. Devices: macOS.
macOS Restrictions: determines which features are enabled on macOS devices. Devices: macOS.
Apple App Catalog: manages access to the Apple App Catalog via a web clip. Devices: iOS, macOS.
Managed Domains: specifies trusted email and web domains. Devices: iOS 8+. License: Silver.
Passcode: makes a passcode mandatory; specifies passcode length and content; changes passcode requirements. Devices: Android, iOS, macOS.
Privacy: specifies whether location data is collected. Devices: Android, iOS, Windows.
Software Updates: creates and distributes rules for OS updates. Devices: iOS, Windows.
Web Content Filter: controls Safari content. Devices: supervised iOS 7. License: Silver.
Windows Information Protection: defines Windows Information Protection (WIP) settings to protect enterprise data. Devices: Windows 10+. License: Gold.
Windows Restrictions: determines which features are available on Windows Phone devices. Devices: Windows Phone.

User Resources
Type: What It Does. For These Devices. Needs This License.
CalDAV: sets up access to a CalDAV server (like Google Calendar). Devices: iOS.
CardDAV: sets up access to a CardDAV server (like Google Contacts). Devices: iOS.
Email: sets up access for POP/IMAP email (like Gmail). Devices: iOS.
Exchange: sets up access for ActiveSync-based email (like Outlook) for Android and iOS mobile devices; sets up Exchange Web Services (EWS)-based email for macOS devices; defines how much email to sync to the device; defines security for email. Devices: Android, iOS, macOS. Note: Exchange via Sentry is not supported on macOS. The Sync Past days email flag is not applicable for macOS.
Google: creates Google account configurations that connect iOS devices to Google accounts; specifies which app to use to make calls to contacts in the Google system. Devices: iOS.
Font: installs nonstandard fonts necessary for proper display of documents. Devices: iOS.
Subscribed Calendar: sets up a subscription to an internet calendar. Devices: iOS.
Web Clip: displays a shortcut (icon) to a web page. Devices: iOS, macOS.

Enterprise Network Access
Type: What It Does. For These Devices. Needs This License.
AirPlay: sets up access to alternate devices for media display. Devices: iOS. License: Silver.
AirPrint: sets up wireless printing. Devices: iOS, macOS. License: Silver.
Always On VPN: sets up access to a VPN server without user interaction. Devices: Android, iOS 8+. License: Gold for Android for Work, Silver for iOS.
Default App Runtime Permissions: sets the runtime permission configuration for apps deployed to Android for Work devices. Devices: apps built targeting Android API 23+ and running on Android 6.0+ Android for Work devices.
Education: configures the Apple Education payload and the Classroom app for Leaders and Members. Devices: supervised iOS 9.3+. License: Gold.
Global Proxy: sets up devices to forward HTTP traffic to a proxy server. Devices: supervised iOS 7.
LDAP: sets up access to a corporate directory. Devices: iOS.
MobileIron Tunnel: defines a per-app VPN connection between a client and Sentry using MobileIron Tunnel. Devices: iOS 7+. License: Silver.
MobileIron Bridge: allows IT to modernize Windows operations on EMM without giving up critical functionality. Devices: Windows 10+ desktop. License: MobileIron Bridge license.
macOS Server: defines a macOS Server account with the configured account types and relevant settings; allows the user to activate File Sharing on the server. Devices: macOS.
Per-app VPN: sets up connections between specific apps and a VPN server. Devices: iOS 10+.
Single Sign-On: sets up single sign-on for specified managed apps. Devices: iOS. License: Silver.
Multi-user Secure Sign-in: sets up secure multi-user login via a web clip. Devices: iOS.
VPN: sets up access to a VPN server. Devices: Android, iOS, macOS.
VPN On Demand: sets up access to a VPN server based on domains, host names, and so on. Devices: iOS.
Wi-Fi: sets up access to a wireless network. Devices: Android, iOS, macOS.

Cellular Network
Type: What It Does. For These Devices. Needs This License.
APN: sets up the cellular Access Point Name for the device. Devices: iOS.
Cellular: sets up cellular network access. Devices: iOS.
iOS Telecom Presets: sets default values for roaming restrictions; sets default values for personal hotspot restrictions. Devices: iOS.

More Configurations
Type: What It Does. For These Devices. Needs This License.
Apple TV: defines language and locale for Apple TV. Devices: supervised iOS 7. License: Silver.
Default Device Name: defines a default device name using variables. Devices: supervised iOS 8. License: Silver.
iOS Wallpaper: installs a home screen and lock screen background. Devices: supervised iOS 7. License: Silver.
Single App Mode: restricts the device to use of the specified app. Devices: supervised iOS 7. License: Silver.

Device Sync Configuration
Device Sync settings provide a list of data points you can monitor on devices. Device Sync configurations cannot be edited. To view a list of the settings checked:
1. Go to Configurations.
2. Click Device Sync Config. The Details tab of the Device Sync Config page is displayed with a list of the items checked.

Settings: Time between readings in seconds
Certificate List: 60
Device Information: 60
Installed App List: 60
Managed App List: 60
Profile List: 60
Provisioning Profile List: 60
Restrictions: 60
Security Information: 60
iOS 9+ Check for Updates: 1440

See Also
Variables

Variables
You can use variables in certain configuration fields to represent values specific to a given user. Any field that supports variables displays a list of the supported variables if you type $ in the field.

Summary of supported account variables
Use account variables to substitute information about an account, such as an Exchange account.
Variable: Description
${samaccountname}: The logon name used in LDAP to support clients and servers running older versions of the Windows operating system.
${userdisplayname}: The text displayed to identify the account.
${userdn}: The value that uniquely identifies the user in the LDAP directory (i.e., the distinguished name).
${useremailaddress}: The email address associated with the user account.
${userfirstname}: The user's given name.
${userlastname}: The user's surname.
${userlocale}: The home geographic location/language for the user.
${useruid}: The unique identifier used internally by LDAP.
${username}: The string used to identify the user.
${userupn}: The Internet-style login name for a user. (The UPN is shorter than the distinguished name.)

Summary of supported device variables
Use device variables to substitute information about a mobile device.
Variable: Description
${deviceclientdeviceidentifier}: The unique device identifier generated by the device management app.
${deviceimei}: The International Mobile Equipment Identity assigned to the device. This number uniquely identifies the mobile device.
${deviceimsi}: The International Mobile Subscriber Identity assigned to the home cellular network for the device.
${devicepk}: The unique device identifier generated by the device management service.
${devicesn}: The serial number assigned to the device.
${deviceudid}: The unique identifier assigned to the device by the manufacturer.
${devicewifimacaddress}: The Media Access Control address that uniquely identifies the network interface on the device.
${devicemdmdeviceidentifier}: The unique device identifier generated by the Apple MDM function.

AppConnect Configuration

AppConnect Overview
AppConnect is a MobileIron feature that containerizes apps to protect data on iOS and Android devices. Each AppConnect-enabled app becomes a secure container whose data is encrypted, protected from unauthorized access, and removable. Because each user has multiple business apps, each app container is also connected to other secure app containers. This connection allows the AppConnect-enabled apps to share data, like documents.
MobileIron Cloud uses policies to manage the AppConnect-enabled apps. With AppConnect, you can:
Require an additional passcode for accessing AppConnect-enabled apps.
Automatically wipe app data for out-of-contact iOS devices.
Apply data loss prevention policies, restricting actions such as copy/paste and open-in.
Set AppConnect custom configuration settings built into the apps.
Create custom app configurations.
Provide an additional layer of encryption for app data.

AppTunnel Overview
AppConnect protects data on the device (data-at-rest). MobileIron AppTunnel provides secure tunneling and access control to protect app data as it moves between the device and corporate data sources (data-in-motion). App-by-app session security protects the connection between each app container and the corporate network. AppTunnel is particularly useful when an organization does not want to open up VPN access to all apps on the device. This feature requires a Standalone Sentry configured to support app tunneling.

AppConnect-enabled Apps
AppConnect-enabled apps, also known as AppConnect apps, are apps that have been containerized using one of the following methods:
wrapping (iOS and Android)
AppConnect SDK (iOS)
AppConnect Cordova Plugin (iOS)
You configure the set of AppConnect apps by using the Admin Portal. You also configure which AppConnect apps are available to which devices. From the device user's perspective, AppConnect apps are called secure apps. Secure apps can share data only with other secure apps. Unsecured apps cannot access the data.

Secure apps from MobileIron
MobileIron provides a number of AppConnect apps. For example, Web@Work and Docs@Work are AppConnect apps.

AppConnect and third-party/in-house secure apps
Third-party providers can create third-party secure apps by either:
wrapping the apps (Android and iOS)
developing iOS apps by using the AppConnect for iOS SDK or the AppConnect for iOS Cordova Plugin
Likewise, your organization can develop an in-house secure app and wrap it, or use the AppConnect for iOS SDK or Cordova Plugin.

Status of Secure Apps
From the Devices > Devices page, click a device to view the Overview page. On this page, users can check the status of secure apps with the following information:
Secure Apps Status: Indicates whether AppConnect is enabled or disabled.
Secure Apps Encryption Status: Indicates whether the AppConnect passcode is enabled or disabled.
Secure Apps Encryption Mode: Indicates the encryption mode (such as AES 256).
In addition, these fields can be used:
As filters (left pane) to narrow the device entries displayed when users are trying to find or filter devices.
As rules while creating a dynamically managed device group.
As distribution filters, which refine the devices that apps are distributed to, based on defined rules.
For each secure app, administrators can review the Container Policy and Configuration statuses (Installed, Applied, Sent, or Pending Install) in the Configurations tab of the device details page.

App-specific configuration from MobileIron Cloud
On the Admin Portal, you can configure settings that are specific to an AppConnect app. Because MobileIron Cloud provides these settings to the app, device users do not have to manually enter configuration details that an AppConnect app requires. By automating the configuration for the device users, each user has a better experience when installing and setting up apps. Also, the enterprise has fewer support calls, and the app is secured from misuse due to misconfiguration. This feature is also useful for apps that, for security reasons, should not allow device users to provide certain configuration settings themselves.

AppConnect Passcode
You can require an AppConnect passcode, also known as the secure apps passcode. With a single login with the AppConnect passcode, the device user can access all the secure apps. On the Admin Portal, you configure the rules for the AppConnect passcode. The AppConnect passcode is not the same as the passcode used to unlock the device.
For the highest possible security when using AppConnect, MobileIron recommends that each device use both of the following:
a device passcode
an AppConnect passcode

In some environments, however, using both passcodes is not feasible due to usability and other requirements. For these reasons, you have the option to not require an AppConnect passcode. The user is then not encumbered with entering a second authentication to access secure apps. Note that only access to the secure apps changes. The app is still AppConnect-enabled, secured with AppConnect features such as data loss prevention policies. Also, the secure apps data is still protected with encryption. However, with no AppConnect passcode, data encryption does not use the AppConnect passcode in creating the encryption key. Your organization's security requirements determine whether accessing secure apps without an AppConnect passcode is an acceptable trade-off for an improved user experience.

Changing/Resetting the passcode
Users can change or reset the secure apps passcode in the Secure Apps Manager app by selecting Change Passcode in the options menu. Users can select the Forgot Password link to reset the passcode, provided it has been allowed in the AppConnect configuration.

Setting Up AppConnect
License: Gold

Before you start
Before you can start to use AppConnect with MobileIron Cloud, you need to add AppConnect-enabled apps to your app catalog. For information on AppConnect-enabled apps available in public app stores, see [URL omitted].
For each AppConnect-enabled app you add, check the details in the app catalog to make sure the app is compatible with MobileIron Cloud. If the app uses an older version of AppConnect that is incompatible with MobileIron Cloud, a warning message is displayed in the app details. On Android, the app cannot be uploaded if its container version is lower than the minimum supported container version.
If you plan to use any custom configuration settings available for an app, you need to provide the keys and values when you add the app to the app catalog. See the documentation for a given app for information on available settings.
If an Android AppConnect app contains information about its configuration requirements, MobileIron Cloud automatically creates the key-value pairs that the app specifies. For in-house iOS SDK apps, MobileIron Cloud automatically creates the key-value pairs that the app specifies.

149 MobileIron Cloud Administrator Guide R45 Steps 1. Go to Configurations. 2. Edit the default AppConnect Device configuration or add a new one (+Add > AppConnect Device). Note: The default configuration applies to all devices. You cannot change the distribution option. 3. Complete the form to define your AppConnect device configuration. Configuring AppConnect Devices Configurations License: Gold An AppConnect device configuration defines AppConnect security settings. A default configuration is applied to all devices. You can create alternate configurations for different groups of devices or just edit the default configuration. 1. Go to Configurations > +Add > AppConnect Device. 2. Click ios or Android. 3. Enter the settings applicable for the chosen OS as listed in one of following tables. AppConnect ios device settings Setting What To Do Name Enter a name that identifies this configuration. Description Enter a description that clarifies the purpose of this configuration. AppConnect Passcode Enable Secure Apps Passcode Select to require users to enter their secure apps passcode before accessing AppConnect apps. 4-digit numeric Select to allow the passcode to have only 4 digits in it. Alphanumeric Select to require the passcode to contain at least one digit and one letter. Select an age from the list or select Custom to Maximum enter a specific number of days after which the Password Age user must change the secure apps passcode. 129

150 Configuring AppConnect Devices Auto-Lock Passcode history (1-50 passcodes) Maximum number of failed attempts App Authorization App check-in interval Unauthorized message Device Out of Contact Wipe AppConnect device after Data Loss Prevention Settings Allow copy/paste to Allow printing Select the maximum amount of time to allow as an inactivity timeout. After this period of inactivity in AppConnect apps, the device user is locked out of the apps if an AppConnect passcode is required. The device user must reenter the AppConnect passcode to access AppConnect apps. Select a value from 1 to 50. This value specifies the number of most recently used secure apps passcodes that the device user cannot use when changing his passcode. By default, no value is set. In this case, the user can reuse any previous passcode, including the current passcode. Select a value between 4 and 10. Select -- if you do not want to limit failed attempts. If the device user fails to correctly enter the AppConnect passcode after a certain number of attempts, the user cannot access AppConnect apps. Enter the number of minutes the app should wait before checking in with MobileIron Cloud to receive AppConnect-related configuration updates. Note that app authorization is an automatic result of adding an app to the app catalog. Enter the default message that is displayed to the user if the app is not authorized on the device. If you do not enter a default message, the system provides one. Enter the number days (1-90) that the device can remain out of contact before having its AppConnect data wiped. Enter 0 to disable this option. Once the AppConnect global policy is applied to the device, wiping the AppConnect apps occurs on the device after the specified time without reconnecting to MobileIron Cloud. Select to if you want the device user to be able to copy content from AppConnect apps to other apps. You can override this option in each app s individual AppConnect container policy. 
Select if you want AppConnect apps to be allowed to use print capabilities by default. You can override this option in each app s individual 130

151 MobileIron Cloud Administrator Guide R45 AppConnect container policy. Select if you want AppConnect apps to be allowed to use the Open In (document interaction) feature by default. You can override this option in each app s AppConnect container policy. When you select this option, then select either: Allow open-in All Apps Whitelist Apps only All apps Select if you want the app to be able to send documents to any other app. Whitelist Apps only Select if you want the app to be able to send documents only to the apps that you specify. Enter the name of each app in your App catalog to Whitelist, one per line, or in a semi-colon delimited list. For example: com.myappco.myapp1 com.myappco.myapp2;com.myappco.mya pp3 AppConnect Android device settings Setting What To Do Enter a name that identifies this Name configuration. Enter a description that clarifies the Description purpose of this configuration. AppConnect Passcode Select to require users to enter their Enable Secure Apps secure apps passcode before Passcode accessing AppConnect apps. Select to allow the passcode to have only digits in it. However, the user can Numeric choose to create an alphanumeric passcode. Select to require the passcode to Alphanumeric contain at least one digit and one letter. Select to allow the passcode to have Don't specify characters of any type. Minimum passcode Select the minimum number of 131

152 Configuring AppConnect Devices length Minimum number of complex characters Maximum Password Age Auto-Lock Passcode history characters required. For alphanumeric passcodes, select the minimum number of complex characters required. Note: A complex character is any character which is not 0-9, a-z, or A-Z. For example, $, \, and ä are special characters. Select an age from the list or select Custom to enter a specific number of days after which the user must change the secure apps passcode. Select the amount of time that passes before the AppConnect auto-lock feature requires the user to re-enter the secure apps passcode. Enter the number of unique secure apps passcodes that the user must enter before repeating a passcode. For example, if you set this option to 3, then the user must use 3 different passcodes when resetting the secure apps passcode before being able to reuse the first passcode. Select a value between 1 and 10. Select None if you do not want to limit failed attempts. If the device user Maximum number of fails to correctly enter the AppConnect failed attempts passcode after a certain number of attempts, the user cannot access AppConnect apps. Allow user to Select to allow the user to recover recover passcode passcode. App Authorization Unauthorized message Data Loss Prevention Settings Copy/Paste No restrictions Enter the default message that is displayed to the user if the app is not authorized on the device. If you do not enter a default message, the system provides one. Select if you want the device user to be able to copy content from AppConnect apps to other apps. You can override this option in each app s 132

153 MobileIron Cloud Administrator Guide R45 Among AppConnect apps Within an AppConnect app individual AppConnect container policy. When you select this option, then select either: No restrictions Select if you want the device user to be able to copy content from the AppConnect app and paste it into any other app. Among AppConnect apps Select AppConnect apps if you want the device user to be able to copy content from the AppConnect app and paste it only into other AppConnect apps. Within an AppConnect app Select if you want the device user to be able to copy content from the AppConnect app and paste it only into the same AppConnect app. Allow Camera Allow Gallery Allow Media Player Allow Screen Capture Allow web Select to allow camera photo access for all the AppConnect apps on an Android device. Select to allow all the AppConnect apps on an Android device to access images from the gallery. Select to allow all the AppConnect apps to stream media to media players. Select if you want AppConnect apps to allow screen capture by default. Select to allow an unsecured browser to attempt to display a web page when a device user taps the page s URL in a secure app. If you do not select Allow web, only Web@Work can display the page. Allow Non- Select to allow device users to choose AppConnect apps to to view a web page in Web@Work or open URLs in other AppConnect-enabled browser Web@Work when they tap a link (URL) in an app 133

154 Configuring AppConnect Apps that is not AppConnect-enabled. Note: If AppConnect is enabled after the device has already been registered, there will be a prompt on the user's device to set up the AppConnect container. If a device receives a Retire command from MobileIron Cloud, the AppConnect container is removed and all data is wiped from the container. Secure Apps Manager is uninstalled automatically on SAFE devices and remains on non- SAFE devices. All secure apps will be uninstalled as are the regular apps on SAFE devices. On non-safe devices, the secure apps will not be uninstalled. Configuring AppConnect Apps You can specify app-specific settings for AppConnect-enabled apps such as: Docs@Work (ios and Android) + (ios and Android) Web@Work (ios and Android) In-house apps Third-party apps To specify the settings for an AppConnect app such as +: 1. Go to Apps > App Catalog. 2. Click +Add > Enter app settings until you reach the App Configurations page. 4. Click the plus icon next to + Configuration. 5. On this page, you can specify AppConnect Custom Configuration as Key-Value pairs among other settings. In the AppConnect Certificate Configuration section, you can choose a certificate for the app as Key-Value pair. 6. Proceed with the remaining app configuration. Bookmarks settings for Web@Work app For the Web@Work app, use the Web@Work app setting. If you are adding the Web@Work app from the App Catalog: 1. Go to Apps > App Catalog. 2. Click +Add > Web@Work. 134

155 MobileIron Cloud Administrator Guide R45 3. Enter app settings until you reach App Configurations. 4. Click the plus icon next to Configuration. 5. Enter Bookmarks and AppTunnel settings for the app. 6. Proceed with the remaining app configuration. Troubleshooting AppConnect Setup Perform the following steps to verify the configurations of AppConnect-enabled apps: 1. Go to Devices > Devices. 2. Select a device that should be AppConnect ready. 3. Check the Configurations tab for the expected device configuration. 4. Check the AppConnect Apps tab to ensure that expected apps have been installed as AppConnect-enabled apps. 5. Check the app's custom configuration. Security Configurations Android for Work Configuration Configurations License: Gold An Android for Work configuration defines the Android for Work options enabled for supported devices. You can create alternate configurations for different groups of devices or just edit the default configuration. For a list of devices that support Android for Work go here. Android for Work settings Setting Name Description Disable Screen Capture (Android 5.0 +) Disallow Apps What To Do Enter a name that identifies this configuration. Enter a description that clarifies the purpose of this configuration. Select to prevent devices from using the native screen capture feature. Select to prevent users from modifying 135

156 Android Work Challenge Control (Android 5.0 apps in Settings or launchers. +) Disallow Config Select to prevent users from setting up Credentials (Android user credentials ) Disallow Cross Select to prevent devices from Profile copying and pasting to other Android Copy/Paste (Android for Work profiles ) Disallow Modify Accounts (Android 5.0 +) Disallow Outgoing Beam (Android 5.0 +) Disallow Share Location (Android 5.0 +) Restrict Input Methods (Android 5.0 +) Restrict Accessibility Services (Android 5.0 +) Disable Caller ID (Android 6.0 +) Select to prevent users from adding and removing accounts. Select to prevent a user from using NFC to transfer app data. Select to prevent websites and apps from prompting the device user to share device location. Select to restrict input methods by designating a list of whitelisted package names. If there are no whitelisted packages, then only system input methods will be allowed. The input methods are not just restricted to Work Apps, but to the entire device. Select to restrict accessibility services by designating a list of whitelisted package names. If there are no whitelisted packages, then only system accessibility services will be allowed. The accessibility services are not just restricted to Work Apps, but to the entire device. Select to prevent the device from identifying itself to other devices when initiating a call. Android Work Challenge Configurations 136

License: Silver

An Android Work Challenge configuration defines secure passwords for users to access the Work Profile data and apps. Requires the Profile Owner.

Implementation notes:
Administrators can apply a device password policy and a work profile password policy independently.
MobileIron Cloud does not send this configuration to clients earlier than Android 7.0, because such clients do not support this feature.
MobileIron Cloud only sends this configuration to devices with an AfW Work Profile.

To create the Android Work Challenge configuration:
1. Click Configurations.
2. Click +Add.
3. Type "work" in the search field.
4. Select the Android Work Challenge configuration.
5. Enter a name for the configuration, and, optionally, a description.
6. Use the Configuration Setup fields to create the configuration. Refer to Configuration Setup settings for details on the settings.
7. Click Next ->.

8. Enable the configuration if desired.
9. Configure distribution settings: to all devices, no devices, or to a custom set of devices.
10. Click Done.

Configuration Setup settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Enable any lock method: Allow user choice of any lock method, including pattern unlock. Overrides all other passcode settings.
Minimum passcode length: Select a minimum passcode length, from 4 to 16 characters.
Allow simple values: Enable to allow the passcode to contain repeating, ascending, or descending character sequences.
Require alphanumeric value: Enable to require the passcode to contain at least one letter and one number.
Complex character and element type characteristics: Configure complex character and element type requirements, ranging from: None; Minimum of 1 non-alphanumeric character; Minimum of 2 non-alphanumeric characters; Minimum of 3 non-alphanumeric characters; Minimum of 4 non-alphanumeric characters.
Fingerprint unlock: Enable to allow users to unlock their devices with their fingerprint.
Maximum passcode age: Configure a maximum password age, from none to 730 days.
Auto-lock: Select a time period after which the device auto-locks. Times range from never to fifteen minutes.
Passcode history: Specify the number of unique passcodes required before passcode reuse is allowed, ranging from none to 50 passcodes.
Maximum number of failed attempts: Select the maximum number of failed attempts. WARNING: MobileIron Cloud wipes devices for which the user exceeds the maximum number of password attempts!

Certificate Configurations

A certificate configuration identifies a certificate to be distributed to devices. Certificates enable devices to establish trust with server and network resources.

Certificate settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Certificate data: Drag the certificate file to the dotted box, or click Choose File to select it from your file system.
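As an added illustration (not MobileIron Cloud's own code), the following Python checker applies the Android Work Challenge Configuration Setup settings listed above to candidate passcodes and models the failed-attempt wipe threshold. The policy field names, the digest-based passcode history and the "wipe once the count exceeds the maximum" rule are assumptions made for this example.

```python
"""Added example: evaluate a work passcode against an Android Work Challenge
policy as described in the Configuration Setup settings. Illustrative code,
not MobileIron Cloud's implementation; field names and the wipe rule are
assumptions."""
from dataclasses import dataclass
from hashlib import sha256
from typing import List, Sequence, Tuple


@dataclass
class WorkChallengePolicy:
    """One Android Work Challenge configuration (console values, assumed names)."""
    enable_any_lock_method: bool = False   # overrides all other passcode settings
    minimum_passcode_length: int = 4       # console range is 4 to 16
    allow_simple_values: bool = False      # repeating / ascending / descending runs
    require_alphanumeric_value: bool = False
    min_non_alphanumeric: int = 0          # "Complex character" setting: 0 (None) to 4
    passcode_history: int = 0              # 0 = none, up to 50 previous passcodes
    max_failed_attempts: int = 0           # 0 = unlimited (assumed); exceeding it wipes


def is_simple_value(passcode: str) -> bool:
    """True for a repeating (1111), ascending (1234, abcd) or descending (4321) run."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def passcode_digest(passcode: str) -> str:
    """History is kept as digests so old passcodes are never stored in clear."""
    return sha256(passcode.encode("utf-8")).hexdigest()


def check_passcode(passcode: str, policy: WorkChallengePolicy,
                   history_digests: Sequence[str] = ()) -> List[str]:
    """Return the policy violations; an empty list means the passcode is acceptable.

    history_digests holds digests of previous passcodes, oldest first.
    """
    if policy.enable_any_lock_method:
        return []   # any lock method, including pattern unlock, is acceptable
    problems: List[str] = []
    if len(passcode) < policy.minimum_passcode_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_passcode_length}")
    if not policy.allow_simple_values and is_simple_value(passcode):
        problems.append("repeating, ascending or descending sequence")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.require_alphanumeric_value and not (has_letter and has_digit):
        problems.append("must contain at least one letter and one number")
    non_alnum = sum(1 for c in passcode if not c.isalnum())
    if non_alnum < policy.min_non_alphanumeric:
        problems.append(f"needs at least {policy.min_non_alphanumeric} non-alphanumeric character(s)")
    if policy.passcode_history:
        recent = history_digests[-policy.passcode_history:]
        if passcode_digest(passcode) in recent:
            problems.append(f"reused within the last {policy.passcode_history} passcodes")
    return problems


def record_failed_attempt(policy: WorkChallengePolicy,
                          failures_so_far: int) -> Tuple[int, bool]:
    """Count one more failed unlock; the second value is True when the device is wiped.

    Models the console WARNING: exceeding the maximum number of failed attempts
    wipes the device (threshold semantics assumed for this example).
    """
    failures = failures_so_far + 1
    wipe = policy.max_failed_attempts > 0 and failures > policy.max_failed_attempts
    return failures, wipe


if __name__ == "__main__":
    # Constructed sample policy: 6+ characters, no simple runs, letters and digits,
    # one symbol, remember the last 3 passcodes, wipe after 5 failed attempts.
    policy = WorkChallengePolicy(minimum_passcode_length=6,
                                 require_alphanumeric_value=True,
                                 min_non_alphanumeric=1,
                                 passcode_history=3,
                                 max_failed_attempts=5)
    history = [passcode_digest(p) for p in ("Old1!pw", "Old2!pw")]   # constructed
    for candidate in ("123456", "Ab3!xy", "Old2!pw"):
        print(candidate, "->", check_passcode(candidate, policy, history) or "OK")
```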

See Also

How to create a configuration

Android Encryption Configurations

An encryption configuration turns on encryption for Android devices. Encryption stores the device's data in an unreadable form so that anyone who might steal the device cannot access the data. Enabling encryption prompts the device user to encrypt the device and requires setting a device passcode. The passcode is what decrypts the data so that you can read it. The device cannot be used while it is being encrypted. Once encryption is on, turning it off requires a factory reset of the device.

Encryption settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Enable Device Encryption: Select the setting to turn on encryption for all encryption-capable Android devices that receive this configuration.

See Also

How to create a configuration

FileVault 2 Configurations

FileVault 2 provides the ability to perform full XTS-AES 128 disk encryption on the contents of a volume. When you Enable FileVault 2, the following settings are available for configuration:

Category: Settings
FileVault User Settings: Defer enabling FileVault until the designated user logs out; Always prompt user to enable FileVault; Maximum number of times a user can bypass enabling FileVault; Do not request enabling FileVault at user logout time.
Output Path: Enter the path to the location where the recovery key and computer information plist will be stored.
Personal Recovery Key: Create a personal recovery key.
Institutional Recovery Key: Enable Institutional Recovery Key: Using Keychain - if no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used. Certificate: select one of the following options: Upload Certificate; Use keychain on the Users System.

FileVault Recovery Key Redirection Configurations

FileVault Recovery Key Redirection determines settings for redirecting the FileVault recovery keys to a corporate server. You can set the following options:
Name: Name for the configuration setup.
Description: (Optional) Add a description.
Recovery Key Redirect: Enter the Redirect URL to which FDE recovery keys should be sent instead of Apple. The URL must begin with
Certificate: Select a Certificate from the dropdown list. Only the PKCS1 format certificate is supported.

Identity Certificate Configuration

An identity certificate configuration defines a certificate authentication mechanism for mobile devices. Identity certificates are X.509 certificates (.p12 or .pfx). The identity certificates can also be generated dynamically using the Certificate Authority as a source. Before beginning, you should already know how you plan to distribute certificates to your mobile devices. You should also have configured any necessary certificate authority.

Note: SHA-1 is deprecated when creating identity certificates; you can choose other algorithms. When updating certificates, if the older certificates use SHA-1, the same SHA-1 algorithm can be used. If the older certificates use an algorithm above SHA-1, then switching to SHA-1 is not allowed.

After configuring an identity certificate, you can click Test Configuration and continue to issue and verify the validity of the test certificate. While editing an existing identity certificate configuration or the App Identity Certificate configuration under the Certificate Authority page (which are in turn used in a Sentry profile for Tunnel or app tunnel), from the Actions menu you can select the Clear cached certificates and issue new ones with recent updates option if required. Non-cached certificates will be re-issued automatically.

Identity certificate settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Certificate Distribution: Select the type of certificate distribution to set up. Single File: Upload an existing certificate for distribution to devices. SCEP Config (iOS Only): Specify how to request a certificate from a SCEP server. Dynamically Generated: Create certificates on request using a local or external certificate authority. Your selection determines which options display in the rest of the form.
Identity Certificate data: Single File: Drag the certificate file to the dotted box, or click Choose File to select it from your file system.
Password: Single File: Enter the password that was defined to protect the bundle containing the certificate.
Identity Certificate (SCEP): SCEP Config: Select to specify a SCEP server.
Local Certificate Authority: SCEP Config: Select to specify a local certificate authority that you have already created under Admin > Certificate Authority. Select the local certificate authority from the drop-down that appears when you select this option.
URL: SCEP Config: Enter the URL for the SCEP server.
CA Identifier: SCEP Config: Enter the identifier provided by the certificate authority.
Subject: SCEP Config/Dynamically Generated: Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user's fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=
You can also customize the Subject by appending a variable to the OID. For example, CN=$DEVICE_CLIENT_ID$. For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user's FQDN.
Subject Alternate Name Type: SCEP Config: Select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template. Dynamically Generated: Click Add to specify one of the above types. Click Add again to specify additional types.
Subject Alternate Name Value: SCEP Config/Dynamically Generated: Enter the value for the corresponding type.
NT Principal Name: SCEP Config: Enter a subject alt name for a Microsoft environment. This would usually be configured to include the user's UPN (user principal name).
Retries: SCEP Config: Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.
Retry delay: SCEP Config: Select from the list to set the number of seconds to wait before a retry.

Key size: SCEP Config/Dynamically Generated: Select 1024 bits or 2048 bits.
Use as digital signature: SCEP Config/Dynamically Generated: Select if the certificate can be used for signing.
Use as key encipherment: SCEP Config/Dynamically Generated: Select if the certificate can be used for encryption.
CA Fingerprint: SCEP Config: If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA's certificate. MD5 fingerprints are supported. If you prefer, you can create a fingerprint from the certificate: drag and drop the certificate to the designated area, or click Create from Certificate to select the certificate from your file system.
Source: Dynamically Generated: Select the local certificate authority from the drop-down. You should have already created this CA under Admin > Certificate Authority.
Signature Algorithm: Dynamically Generated: Select the method to use for signing the certificate: SHA256 with RSA, SHA384 with RSA, SHA512 with RSA.

iOS Activation Lock Configuration

Activation Lock is an Apple feature designed to prevent anyone from using a lost or stolen device. As soon as Find My iPhone is turned on, a mapping between this iCloud account and a hardware identifier for this device is saved to Apple's activation servers. From that point, no one can turn off Find My iPhone, erase the device, or reactivate it without entering the existing Apple ID and password. If someone other than the user wipes the device and then tries to re-activate and use it, they will be prompted for the Apple ID and password in Setup Assistant.

Activation Lock provides administrators with more options for deterring theft of supervised devices. However, most corporate administrators are likely to leave Activation Lock disabled because it is primarily a consumer feature. The following table summarizes the options for corporate-liable deployments:

Device Type: Result
Corporate-liable and supervised: Activation Lock is disabled for supervised devices by default. Device users cannot turn on Activation Lock.
Corporate-liable and unsupervised: Activation Lock will be enabled as soon as the end user signs in to iCloud with their Apple ID and turns on Find My Device. MDM servers, including MobileIron Cloud, cannot control Activation Lock on unsupervised devices. Device users can lock activation with their personal credentials, leaving you no recourse should they leave the company.

License: Silver

To enable the iOS Activation Lock

Should you decide to enable the iOS Activation Lock feature on supervised devices:
1. Turn on Find My iPhone.
2. Go to Policies > Configurations.
3. Select the iOS Activation Lock configuration from the list of existing configurations.
4. Click Edit.
5. Click Enable Activation Lock.
6. Click Done.
7. Register the device.

To use the iOS Activation Lock bypass code

When the device is wiped with the iOS Activation Lock enabled, the bypass code is retained on the Apple Activation server and in the MobileIron Cloud Admin interface.
1. Go to Devices.
2. Select the device.
3. Click Actions > Wipe. It may take a few minutes before the device restarts.
4. When the device prompts you for the Apple ID and password, leave the Apple ID empty.
5. Enter the bypass code in the password field.
6. Click Next.
7. Proceed with setup.

To clear the iOS Activation Lock bypass code

When the iOS Activation Lock is cleared in the MobileIron Cloud Admin interface, the bypass code is removed from the Apple Activation server, but it is still present in the device details in the MobileIron Cloud Admin interface.
1. Go to Devices.
2. Select the device.
3. Select Policies > Configurations.
4. Select iOS Activation Lock.
5. Click Edit.
6. Uncheck iOS Activation Lock.
7. Click Done.
8. Go to Devices.
9. Select the device.
10. Click Actions > Wipe. It may take a few minutes before the device restarts. The device can now be set up with the new user's Apple ID and password.
11. Proceed with setup.

The status of the clear iOS Activation Lock request is displayed on the interface as follows:

State: Result
Pending: Server is sending the Clear Activation Lock code to Apple.
Sent: Apple acknowledges receipt of the Clear Activation Lock code.
Failed: The server was unable to send the code to Apple. Apple has reported an error.

iOS Custom Configuration

An iOS custom configuration enables you to upload and distribute an iOS configuration profile that was created by a different app, such as Apple's iPhone Configuration Utility.

iOS Custom settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
File data: Drag and drop the configuration file, or click Choose File to select it from your file system.

See Also

How to create a configuration

iOS Restrictions Configurations

iOS restrictions are settings that help the primary user of the device control what other users are allowed to do with an iOS device. These settings are defined by Apple and managed by MobileIron Cloud.

iOS Restrictions settings

Category / Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Category: Device functionality
Allow screen capture: Select to allow the device user to take screen captures using the built-in iOS screen capture feature.
Allow automatic sync while roaming: Select to allow synchronization of mail accounts while the device is outside of its home country.
Allow Siri: Select to allow the personal assistant app on supported devices.
Allow Siri while device is locked: Select to allow the personal assistant app to perform tasks even when the device is locked.

Allow voice dialing: Select to allow users to dial a contact or number by talking to the device.
Allow In-App Purchase: Select to allow users to make purchases through apps running on the device.
Allow passbook while locked: Select to allow Passbook notifications to display while the device is locked.

iOS 7+
Allow lock screen Control Center: Select to allow access to Control Center from the lock screen.
Allow lock screen Notifications view: Select to allow notifications to be displayed on the lock screen.
Allow lock screen Today view: Select to allow access to the Today view from the lock screen.
Allow Open In from managed to unmanaged apps: Requires Gold license. Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. You can also use this option (disabled) together with a managed domains configuration to ensure that data downloaded from managed domains can only be opened in a managed app.
Allow Open In from unmanaged to managed apps: Requires Gold license. Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company . You can also use this option (turned off) together with a managed domains configuration to ensure that data downloaded from unmanaged domains cannot be opened in a managed app.
Require passcode on first AirPlay pairing: Select to require the Apple TV to display a passcode that the user must enter on the iOS device to authorize the initial pairing of the devices.

iOS 7+ Supervised
Allow Bookstore access: Select to allow access to iBookstore.
Allow Bookstore Erotica: Select to allow users to download iBookstore material that has been tagged as erotica.
Allow account modification: Select to allow users with supervised iOS 7 devices to add accounts and make changes to accounts that have already been configured.
Allow app cellular data modification: Select to allow users to make changes to cellular data settings for apps.
Allow Find My Friends modification: Select to allow users to make changes to the Find My Friends app settings.
Allow pairing with non-configurator hosts: Select to allow host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.
Allow AirDrop: Select to allow use of AirDrop on the device. AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices.
Allow finger print for unlock: Select to allow users to unlock the device using the fingerprint feature.
Allow app in single app mode: Enter a list of bundle IDs for apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to apps developed for autonomous single app mode. Supervision is established with Apple Configurator.

iOS 8+
Allow Enterprise books to be backed up: Select to allow personal backup of iBooks, ePub, and PDF documents that were pushed to the device using MDM.
Allow Enterprise books notes and highlights to be synced: Select to allow the notes and highlights added to Enterprise books to be synchronized to iTunes.
Force Apple Watch wrist detection: Select to hide on-screen notifications unless someone is wearing the Apple Watch.

iOS 8+ Supervised
Allow Spotlight search to return Internet search results: Select to allow the Spotlight search to include internet sources.
Allow predictive keyboard: Select to allow users to enable iOS prediction of the word being typed, enabling users to tap one of three predictions to complete the word.
Allow keyboard autocorrection: Select to allow use of auto-correction with Bluetooth keyboards.
Allow keyboard spell check: Select to allow use of spell check with Bluetooth keyboards.
Allow keyboard definition lookup: Select to allow definition lookup with Bluetooth keyboards.
Allow modifying Touch ID fingerprints: Select to allow Touch ID settings to be changed.

iOS 9+ Supervised
Allow keyboard shortcuts on iPads: Select to allow use of keyboard shortcuts on the iPad.
Allow modification of wallpaper: Select to allow users to change wallpaper images.
Allow pairing with Apple Watch: Select to allow pairing of the iPhone with the Apple Watch.
Allow modification of device name: Select to allow the user to change the name of the device.

iOS 10+ Supervised
Allow Bluetooth modification: Select to allow the user to modify the Bluetooth setting on supervised devices. Useful in such cases as shared iPads used for the Classroom app for Education, where Bluetooth is required to run the app.

iOS Supervised
Allow dictation: Select to allow the user to talk to the iPhone or iPad instead of typing.
Allow force unprompted managed classroom screen observation: (Applicable for iPads only) Select to allow an unprompted message on the screen when a supervised iPad is configured with managed classes.

Category: Applications
Allow installing apps: Select to enable the user to install applications from the Apple App Store. Unselect to disable the App Store and remove its icon from the Home Screen.
Allow use of camera: Select to enable the user to operate the camera. Unselect to disable the camera and remove its icon from the Home screen.
Allow FaceTime: Select to allow the user to run FaceTime if the camera is enabled.
Allow use of iTunes Store: Select to allow use of the iTunes Music Store. Unselect to disable the iTunes Music Store and remove its icon from the Home screen.
Allow use of Safari: Select to allow use of the Safari web browser. Unselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.
Enable autofill: Select to turn on the autofill feature for fields displayed in Safari.
Force fraud warning: Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.
Enable JavaScript: Select to turn on JavaScript support for Safari.

Block pop-ups: Select to block pop-ups for Safari.
Accept cookies: Select Never, Always, or From Visited sites.

iOS 7+ Supervised
Allow removing apps: Select to allow users to remove apps from the device.
Allow use of Game Center: Select to allow access to Game Center.
Allow adding Game Center friends: Select to allow users to add friends to Game Center.
Allow multiplayer gaming: Select to allow users to play games that include other users.
Allow iMessage: Select to allow use of iMessage.

iOS 8+
Allow managed applications to use cloud sync: Select to allow managed apps to use cloud sync.
Allow Activity Continuation: Select to allow activity continuation in apps supporting Handoff.

iOS 8+ Supervised
Allow use of Podcasts: Not currently supported.

iOS 9+ Supervised
Allow trusting of new enterprise app authors: Select to allow the user to access new enterprise apps.
Allow App Store: Select to allow the user access to the Apple App Store.
Allow automatic app downloads: Select to allow the app to download files, data and updates without prompting the user.
Allow News app: Select to allow use of the News app.

Category: iCloud
Allow backup: Select to allow the device to back up data via Apple's iCloud service.
Allow document sync: Select to allow documents to be synchronized via Apple's iCloud service.
Allow Photo Stream: Select to allow photos to be synchronized to your other iOS devices via Apple's iCloud.
Allow shared Photo Streams: Select to allow synchronization of shared photos. Note: Deselecting this option can result in loss of photos.

iOS 7+
Allow keychain sync: Select to allow synchronization of your keychain.

iOS 9+
Allow iCloud Photo Library: Select to allow access to the iCloud Photo Library.

Category: Security and Privacy
Allow diagnostic data to be sent to Apple: Select to allow automatic submission of diagnostic data to Apple.
Allow user to accept untrusted TLS certificates: Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.
Force encrypted backups: Select to require encrypted backups via iTunes. Automatically selected due to SCEP requirements.
Force user to enter iTunes Store password for all transactions: Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.

iOS 7+
Allow over-the-air certificate updates: Select to allow over-the-air updates of root certificates.
Force limit ad tracking: Select to require use of the limit ad tracking feature.

iOS 7+ Supervised
Allow configuration profile installation: Select to allow users to install configuration profiles and certificates interactively.
Allow assistant user generated content: Select to allow Siri to query user-generated content from the web.

iOS 8+ Supervised
Allow user to erase all content and settings in Reset UI: Select to enable the "Erase All Content And Settings" option in the iOS Reset UI on the device.
Allow user to enable restrictions in Settings UI: Select to enable the "Enable Restrictions" option in the Restrictions UI on the device.

iOS 9+
Treat AirDrop as unmanaged destination: Allow access to AirDrop file sharing.

iOS 9+ Supervised
Allow modification of device passcode: Select to allow the user to change the passcode for the device.

Category: Content Ratings
Allow explicit music & podcasts: Select to allow access to websites having adult ratings. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
Ratings region: Select a region from the dropdown list to change the region associated with the rating selections for applications, TV shows, and movies.
Movies: Select a rating limit for movies stored on the device: Don't Allow Movies; G; PG; PG-13; R; NC-17.
TV Shows: Select a rating limit for TV shows stored on the device: Don't Allow TV Shows; TV-Y; TV-Y7; TV-G; TV-PG; TV-14; TV-MA; Allow All TV Shows.
Apps: Select a rating limit for applications on the device: Don't Allow Apps ... Allow All Apps.

See Also

How to create a configuration

Lockdown & Kiosk: Android Configurations

A Lockdown & Kiosk: Android configuration disables certain features of Android devices and creates a whitelist of apps that will be available to users in Kiosk mode. You can restrict the option to modify settings or apps when an Android device is in Kiosk mode. Add apps and select settings in the Create Lockdown & Kiosk: Android Configuration page. The option to change the settings using the Settings icon will then be available in Kiosk mode. If you select apps without choosing any settings configuration options, the settings icon will not be displayed in Kiosk mode. If you choose not to include any apps in the configuration, then the settings icon will be displayed.

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Lockdown Settings: Disable features for all Android devices.
Disable Wi-Fi: Select to turn off access to wireless LANs.
Disable Camera: Select to turn off camera access.
Disable Bluetooth: Select to turn off Bluetooth features. Note: Use caution when using this option. MobileIron recommends against disabling audio, because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.

Kiosk Mode Settings: Enables the device to be used as a kiosk, with operation restricted to a few specific apps.
Enable Kiosk Mode: Select to configure Kiosk Mode on Android devices.
Disable Quick Settings: Select to disable Quick Settings in Kiosk mode.
Allow User to Access Wi-Fi Settings: Select to allow a user to change Wi-Fi settings and access preferred wireless networks.
Allow User to Access Bluetooth Settings: Select to allow a user to change the Bluetooth settings and pair additional Bluetooth devices.
Allow User to Access Location Settings: Select to allow a user access to the location settings.
Allow User to Delay Application Updates: Select to allow a user to delay application updates.
Kiosk Exit PIN: Enter the four-digit code that the end user must type in order to exit Kiosk Mode.

Create a whitelist of apps: These apps will be available to users in Kiosk Mode by adding apps to the allowed apps list. Drag and drop to arrange the apps in the order they should appear in the Kiosk Mode launcher. Note: Adding an application to the list of allowed apps will not install the app on the device. Be sure to distribute each app to the appropriate users and user groups in the App Catalog.
Built-In Apps: Click Add+ to include listed native apps in the group of apps allowed in Kiosk Mode. Note: If you have disabled Dialer or Camera in the Lockdown settings above, they cannot be added to the Allowed Apps list.
App Catalog: Click Add+ to include listed apps from the app catalog in the group of apps allowed in Kiosk Mode.
Other Apps: Click Add+ to include the package ID of an app that is not available on the Google Play Store.
Kiosk Mode Allowed Apps: Click X to remove an app from the group of apps allowed in Kiosk Mode. Drag and drop to change the order in which apps appear on kiosk devices.

Note: When using Kiosk mode on Android 4.3 through the most recently released version supported by MobileIron, Samsung devices that support multiple users will automatically lock down the multi-user feature while in Kiosk mode.

See Also

How to create a configuration

Lockdown & Kiosk: Android for Work Configurations

A Lockdown & Kiosk: Android for Work configuration disables certain features of Android for Work devices and creates a whitelist of apps that will be available to users in Kiosk mode.

Lockdown settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Choose Lockdown Type: Select the type of lockdown settings you want to configure: Android for Work profile; Device Owner with Kiosk Mode - Device Owner. Only one type is allowed per configuration. The options displayed depend on the type you select.

Android for Work lockdown settings

Disable certain features on Android for Work devices.

Setting: What To Do (For Devices)
Disable Screen Capture: Select to turn off the ability to use the device's built-in screen capture feature. (Android 5.0+)
Disallow Apps Control: Select to prevent a user from modifying applications in Settings or launchers. (Android 5.0+)
Disallow Config Credentials: Select to prevent a user from configuring user credentials. (Android 5.0+)
Disallow Cross Profile Copy Paste: Select to prevent copy/paste of information between profiles. (Android)

Disallow Modify Accounts: Select to prevent a user from adding or removing accounts. (Android 5.0+)
Disallow Outgoing Beam: Select to prevent a user from using NFC to transfer app data. (Android 5.0+)
Disallow Share Location: Select to prevent a user from revealing the device location to apps. (Android 5.0+)
Restrict Input Methods: Select to restrict input methods for work apps by designating a list of whitelisted package names via the Package Name field. If there are no whitelisted packages, then only system input methods will be allowed. (Android 5.0+)
Restrict Accessibility Services: Select to restrict accessibility services for work apps by designating a list of whitelisted package names via the Package Name field. If there are no whitelisted packages, then only system accessibility services will be allowed. (Android 5.0+)
Disable Caller ID: Select to prevent the device from identifying itself to other devices when initiating a call. (Android 6.0+)

Device Owner with kiosk mode lockdown settings

Disable certain features on Android for Work Device Owner devices for Android

Setting: What To Do
Disable Wi-Fi: Select to turn off access to wireless LANs.
Disable Wi-Fi Settings: Select to turn off access to wireless settings.
Disable Camera: Select to turn off camera access.
Disable Bluetooth: Select to turn off Bluetooth features. Note: Use caution when using this option. MobileIron recommends against disabling audio, because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.
Disallow Bluetooth Settings: Select to turn off access to Bluetooth settings.
Disable Screen Capture: Select to turn off the ability to use the device's built-in screen capture feature.
Mute Master Volume: Select to mute the master volume.
Disallow Apps Control: Select to prevent a user from modifying applications in Settings or launchers.
Disallow Credentials: Select to prevent a user from configuring user credentials.
Disallow Emergency Broadcasts: Select to prevent emergency broadcasts.
Disallow Mobile Networks: Select to turn off access to mobile networks. Note: This cannot be disabled if Wi-Fi is disabled.
Disallow Tethering: Select to turn off tethering as an option for using the internet connection of one device to provide internet access to another device.
Disallow VPN: Select to turn off VPN connections.
Disable Factory Reset: Select to prevent users from returning the device to factory defaults.
Disallow Modify Accounts: Select to prevent a user from adding or removing accounts.
Disallow Outgoing Beam: Select to prevent a user from using NFC to transfer app data.
Disallow Outgoing Calls: Select to prevent a user from making outgoing calls.
Disallow Safe Boot: Select to prevent a user from booting the device into safe mode.
Disallow Share Location: Select to prevent a user from revealing the device location to apps.
Disallow SMS: Select to prevent a user from sending and receiving SMS messages.
Disallow Unmute Microphone: Select to prevent a user from unmuting the device's microphone.
Disallow Auto Time: Select to prevent a user from enabling automatic time changes.
Disallow Auto Time Zone: Select to prevent a user from enabling automatic device time adjustment with time zone changes.
Disable Data Roaming: Select to turn off data exchange while the device is roaming.
Disable Wi-Fi Sleep: Select to keep Wi-Fi on while the device is in Sleep mode.
Restrict Input Methods: Select to restrict input methods for work apps by designating a list of whitelisted package names via the Package Name field. If there are no whitelisted packages, then only system input methods will be allowed.

182 Lockdown & Kiosk: Android for Work Select to restrict accessibility services for work apps by designating a list of whitelisted package names via the Restrict Accessibility Package Name field. If there are no whitelisted Services packages, then only system accessibility services will be allowed. Kiosk Mode Settings: Kiosk Mode applies additional restrictions to the devices including limited access to apps via a customized launcher. Enable Kiosk Mode Select to configure Kiosk Mode on Android devices. Disable Quick Settings Select to disable Quick Settings in Kiosk mode. Allow User to Access Select to allow a user to change Wi-Fi settings and Wi-Fi Settings access preferred wireless networks. Allow User to Access Select to allow a user to change the Bluetooth settings Bluetooth Settings and pair additional Bluetooth devices. Allow User to Access Select to allow a user access to the location settings. Location Settings Allow User to Delay Select to allow a user to delay application updates. Application Updates Enter the four-digit code that the end user must type in Kiosk Exit PIN order to exit Kiosk Mode. Create a whitelist of apps: These apps will be available to users in Kiosk Mode by adding apps to the allowed apps list. Drag and Drop to arrange the apps in the order they should appear in the Kiosk Mode launcher. Note: Adding an application to the list of allowed apps will not install the app on device. Be sure to distribute each app to the appropriate users and user groups in the App Catalog. Click Add+ to include listed native apps in the group of apps allowed in Kiosk Mode. Built-In Apps Note: If you have disabled Dialer or Camera in Lockdown settings above, they cannot be added to the Allowed Apps list. Click Add+ to included listed apps from the app catalog App Catalog in the group of apps allowed in Kiosk Mode. Click Add+ to include the package ID of an app that is Other Apps not available on the Google Play Store. 
Kiosk Mode Allowed Apps Click X to remove an app from the group of apps allowed in Kiosk Mode. Drag and drop to change the order in which apps appear on kiosk devices. Note: Using Kiosk mode on Android 4.3 through the most recently released version as supported by MobileIron,Samsung devices that support multiple users, will automatically lock down the multi-user feature while in Kiosk mode. See Also How to create a configuration 162
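The lockdown and kiosk settings above carry several dependencies that the console only enforces at save time (mobile networks versus Wi-Fi, disabled built-in apps versus the Kiosk allowed-apps list, the four-digit exit PIN, and for the Samsung SAFE variant below, Disable Setting Changes versus OTA upgrades). The following checker is an added example, not MobileIron code: it models a configuration as a plain dict whose key names are hypothetical stand-ins for the check boxes in the guide, and reports each documented conflict so a profile can be linted before it is distributed.

```python
"""Consistency checks for a Lockdown & Kiosk configuration.

Added illustration, not MobileIron code. The configuration is a plain dict
whose keys (hypothetical names chosen here) mirror the check boxes in the
guide; a missing key means "not selected". The checker reports the
dependencies the guide documents for both the Android for Work and the
Samsung SAFE variants.
"""
import re

# Lockdown switch -> built-in app it removes from the Kiosk allowed-apps list.
_LOCKDOWN_TO_BUILTIN = {
    "disable_camera": "Camera",
    "disable_dialer": "Dialer",
}


def validate_lockdown_kiosk(cfg):
    """Return a list of (severity, message) findings; empty means consistent."""
    findings = []

    def on(key):
        return bool(cfg.get(key, False))

    # Disallow Mobile Networks / Disable Mobile Data cannot be combined with
    # Disable Wi-Fi: the device would have no network path left.
    if on("disable_wifi") and on("disable_mobile_networks"):
        findings.append(("error", "mobile networks cannot be disabled when Wi-Fi is disabled"))

    # Disabling Bluetooth also removes hands-free audio (warning, not an error).
    if on("disable_bluetooth"):
        findings.append(("warning", "Disable Bluetooth also disables hands-free Bluetooth audio"))

    # Samsung SAFE only: an OTA upgrade needs access to Settings.
    if on("disable_setting_changes") and not on("disable_ota_upgrade"):
        findings.append(("error", "Disable Setting Changes requires Disable OTA Upgrade, "
                                  "otherwise an OTA upgrade can leave the device nonfunctional"))

    if on("enable_kiosk_mode"):
        pin = str(cfg.get("kiosk_exit_pin", ""))
        if not re.fullmatch(r"[0-9]{4}", pin):
            findings.append(("error", "Kiosk Exit PIN must be exactly four digits"))

        built_in = set(cfg.get("allowed_built_in_apps", []))
        for key, app in _LOCKDOWN_TO_BUILTIN.items():
            if on(key) and app in built_in:
                findings.append(("error", f"{app} is disabled in Lockdown settings and "
                                          f"cannot be a Kiosk allowed app"))

        if not (built_in or cfg.get("allowed_catalog_apps") or cfg.get("allowed_other_apps")):
            findings.append(("warning", "Kiosk Mode is enabled with an empty allowed-apps list"))

    return findings


def errors(cfg):
    """Only the findings that should block saving the configuration."""
    return [msg for severity, msg in validate_lockdown_kiosk(cfg) if severity == "error"]


if __name__ == "__main__":
    # Constructed sample: a SAFE kiosk profile containing several mistakes.
    sample = {
        "disable_wifi": True, "disable_mobile_networks": True,
        "disable_camera": True, "disable_bluetooth": True,
        "disable_setting_changes": True, "disable_ota_upgrade": False,
        "enable_kiosk_mode": True, "kiosk_exit_pin": "12a4",
        "allowed_built_in_apps": ["Camera", "Messages"],
    }
    for severity, msg in validate_lockdown_kiosk(sample):
        print(f"{severity.upper():8}{msg}")
```

Unknown keys are ignored, so the same function serves both configuration types; the Bluetooth finding is deliberately a warning because the guide discourages rather than forbids that setting.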

Lockdown & Kiosk: Samsung SAFE Configurations

A Lockdown & Kiosk: Samsung SAFE configuration disables certain features of Samsung SAFE devices and creates a whitelist of apps that will be available to users in Kiosk mode.

Lockdown settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Samsung SAFE Lockdown Settings

Disable certain features on Samsung SAFE devices only.

Disable Wi-Fi: Select to turn off access to wireless LANs.
Disable Camera: Select to turn off camera access.
Disable Bluetooth: Select to turn off Bluetooth features.
Allow Bluetooth Audio-only: Select to turn on Bluetooth audio features only.
Disable Mobile Data: Select to turn off mobile (cellular) data. Note: This cannot be selected if Wi-Fi is disabled; the device would be left without any network connection.
Disable GPS: Select to turn off GPS.
Disable Phone Dialer: Select to turn off the phone app.
Disable SD Card: Select to turn off SD card access.
Disable Google Backup: Select to turn off backups to Google servers.
Disable Copy/Paste: Select to turn off access to copy/paste functions.
Disable NFC: Select to turn off NFC (Near-field Communication) data exchange when the device touches another device.
Disable Microphone: Select to turn off app access to the device microphone.
Disable Screen Capture: Select to turn off the ability to use the device's built-in screen capture feature. Note: Screen captures of MobileIron Go are disallowed regardless of this setting.
Disable Bluetooth Tethering: Select to turn off Bluetooth tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable USB Debug: Select to turn off the USB debugging feature.
Disable USB Mass Storage: Select to turn off support for copying files to a mass storage device connected to the mobile device on a USB port.
Disable USB Tethering: Select to turn off USB tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable Wi-Fi Tethering: Select to turn off Wi-Fi tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable Native Browser: Select to prevent users from accessing the Android browser.
Disable YouTube: Select to prevent users from accessing YouTube.
Disable Factory Reset: Select to prevent users from returning the device to factory defaults.
Disable OTA Upgrade: Select to turn off over-the-air upgrades of the device firmware. Warning: Do not select Disable Setting Changes while OTA upgrades remain enabled (that is, while Disable OTA Upgrade is not selected). An upgrade requires setting changes, so blocking them can leave the device nonfunctional.
Disable Voice Roaming: Select to turn off access to voice calls while the device is roaming.
Disable USB Media Player: Select to turn off the USB media player.
Disable Google Play: Select to turn off access to Google Play.
Disable Data Roaming: Select to turn off data exchange while the device is roaming.
Disable Unknown Sources: Select to disable installing apps from anywhere but the Google Play Store, except for the MobileIron Go app.
Disable Device Admin Privileges Removal: Select to prohibit users from turning off device admin privileges for MobileIron Go.
Disable Setting Changes: Select to turn off access to the device Settings app. Warning: Do not select Disable Setting Changes while OTA upgrades remain enabled. An upgrade requires setting changes, so blocking them can leave the device nonfunctional.

Kiosk Mode Settings

Kiosk Mode applies additional restrictions to the devices, including limited access to apps via a customized launcher.

Enable Kiosk Mode: Select to configure Kiosk Mode on Android devices.
Allow User to Access Wi-Fi Settings: Select to allow a user to change Wi-Fi settings and access preferred wireless networks.
Allow User to Access Bluetooth Settings: Select to allow a user to change the Bluetooth settings and pair additional Bluetooth devices.
Allow User to Delay Application Updates: Select to allow a user to delay application updates.
GPS Location Settings: Select one of the following: Disable Location, Enable Location, or Allow User to Select.
Kiosk Exit PIN: Enter the four-digit code that the end user must type in order to exit Kiosk Mode.

Create a whitelist of apps

These apps will be available to users in Kiosk Mode. Add apps to the allowed apps list, then drag and drop to arrange them in the order they should appear in the Kiosk Mode launcher.

Note: Adding an application to the list of allowed apps does not install the app on the device. Be sure to distribute each app to the appropriate users and user groups in the App Catalog.

Built-In Apps: Click Add+ to include listed native apps in the group of apps allowed in Kiosk Mode. Note: If you have disabled Dialer or Camera in the Lockdown settings above, they cannot be added to the Allowed Apps list.
App Catalog: Click Add+ to include listed apps from the app catalog in the group of apps allowed in Kiosk Mode.
Other Apps: Click Add+ to include the package ID of an app that is not available on the Google Play Store.
Kiosk Mode Allowed Apps: Click X to remove an app from the group of apps allowed in Kiosk Mode. Drag and drop to change the order in which apps appear on kiosk devices.

Note: When Kiosk mode is used on Samsung devices that support multiple users (Android 4.3 through the most recently released version supported by MobileIron), the multi-user feature is automatically locked down while the device is in Kiosk mode.

See Also: How to create a configuration

macOS Firewall Configurations

Applicable to: macOS

macOS Firewall manages the Application Firewall settings that are accessible in the Security preferences pane on macOS devices.

When you select Enable Firewall, you can select one or more of the following options:
Block All Incoming
Enable Stealth Mode
Applications - the list of applications

Note: The configuration must exist in a system-scoped profile. If more than one profile contains this configuration, the most restrictive union of the settings is used. The Automatically allow signed downloaded software and Automatically allow built-in software options are not supported; both are forced ON whenever this configuration is present. Enable Stealth Mode stops the device from responding to network probes such as the ping command, so it cannot be discovered that way.
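The firewall configuration above is delivered to the Mac as a system-scoped profile carrying Apple's com.apple.security.firewall payload, and the guide notes that overlapping profiles are merged into the "most restrictive union". The following is an added example, not MobileIron or Apple code: it builds that payload with the standard library's plistlib, wraps it in a profile, and merges several payloads using one reading of the merge rule (any profile that turns a restriction on wins, and an application blocked by any profile stays blocked). The payload key names are Apple's; the identifiers and bundle IDs are hypothetical.

```python
"""Build the macOS Application Firewall payload and merge overlapping profiles.

Added illustration, not MobileIron or Apple code. Payload keys follow Apple's
com.apple.security.firewall payload (EnableFirewall, BlockAllIncoming,
EnableStealthMode, Applications[{BundleID, Allowed}]). The merge rule is an
interpretation of the guide's "most restrictive union": any profile that
enables a restriction wins, and an application blocked by any profile stays
blocked. Identifiers and bundle IDs below are hypothetical.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.security.firewall"


def firewall_payload(enable=True, block_all_incoming=False, stealth=False,
                     applications=None, identifier="com.example.firewall"):
    """Return one firewall payload dict ready to be placed in a profile."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,            # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Application Firewall",
        "EnableFirewall": bool(enable),
        "BlockAllIncoming": bool(block_all_incoming),
        "EnableStealthMode": bool(stealth),
        # Each entry: {"BundleID": "<bundle id>", "Allowed": <bool>}
        "Applications": list(applications or []),
    }


def most_restrictive_union(payloads):
    """Combine several firewall payloads into the effective settings."""
    if not payloads:
        raise ValueError("no payloads to merge")
    apps = {}
    for p in payloads:
        for app in p.get("Applications", []):
            bid = app["BundleID"]
            # Allowed only if every profile that mentions the bundle allows it.
            apps[bid] = apps.get(bid, True) and bool(app.get("Allowed", False))
    return {
        "EnableFirewall": any(p.get("EnableFirewall") for p in payloads),
        "BlockAllIncoming": any(p.get("BlockAllIncoming") for p in payloads),
        "EnableStealthMode": any(p.get("EnableStealthMode") for p in payloads),
        "Applications": [{"BundleID": b, "Allowed": a} for b, a in sorted(apps.items())],
    }


def profile_xml(payload, scope="System"):
    """Wrap the payload in a configuration profile and return the plist as bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": payload["PayloadIdentifier"] + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS Firewall",
        "PayloadScope": scope,   # the guide requires a system-scoped profile
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Read a profile back into a dict (round-trip check)."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    a = firewall_payload(enable=True, stealth=True,
                         applications=[{"BundleID": "com.example.sync", "Allowed": True}])
    b = firewall_payload(enable=True, block_all_incoming=True,
                         applications=[{"BundleID": "com.example.sync", "Allowed": False}],
                         identifier="com.example.firewall2")
    print(most_restrictive_union([a, b]))
    print(profile_xml(a).decode())
```

The merge helper is useful when auditing a fleet where several teams push firewall profiles: it shows the settings a Mac will actually end up with rather than the settings any one profile claims.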

macOS Restrictions Configurations

macOS restrictions determine which features are enabled on macOS devices. You can set the following features to be enabled or disabled on macOS devices:

Allow Camera
Allow Cloud document sync
Supervised only: Allow Spotlight Internet Results
Allow Definition Lookup
Allow iCloud Keychain sync
Allow Back to My Mac
Allow Find My Mac
Allow sharing to Notes, Reminders, or LinkedIn
Allow Bookmark sync
Allow macOS Mail iCloud service
Allow macOS iCloud Calendar service
Allow macOS iCloud Address Book service
Allow iCloud Reminder service

Apple App Catalog Configurations

Applicable to: iOS and macOS

The Apple App Catalog configuration manages access to the Apple App Catalog via a web clip. Admins can edit the distribution of this system-defined configuration as follows:

1. Go to Configurations.
2. Click Apple App Catalog.
3. Click Edit Distribution.
4. Select one of the following distribution options:
   All Devices - all compatible devices will have this configuration sent to them.
   No Devices - disable access to the Apple App Catalog, or stage this configuration for later distribution.
   Custom - define specific device groups that will have this configuration sent to them.
5. Click Save.

Managed Domains Configurations

License: Silver

A managed domains configuration enables you to specify which domains are trusted for Mail and Safari on iOS 8+ devices. Once the configuration is applied to the device, domains that are not specified in the configuration are highlighted as untrusted in Mail and Safari. Use this configuration combined with a restrictions configuration to control the data downloads allowed in Safari.

Managed domains settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Managed Domains: Click +Add to enter a domain, as in mycompany.com.
Managed Web Domains: Click +Add to enter a domain, as in mycompany.com.

See Also: How to create a configuration

Passcode Configurations

One of the first things you set up in MobileIron Cloud (using the startup wizard) is a passcode configuration. This configuration defines settings for the screen lock feature on devices.

Passcode settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allow simple values: For iOS and Android: Select to allow PINs or passcodes that are less secure because they contain repeated, ascending, or descending character sequences. Examples: 1111, 1234, abcd. Note: Deselecting this option for Android devices enforces complex PINs; users cannot configure repeated, ascending, or descending character sequences. For Windows Phone 8.1: Select to allow passcodes that are less secure because they contain repeated or ascending numeric sequences. Examples: 1111, 1234.
Require alphanumeric value: For iOS and Android: Select to ensure that passcodes include both letters and numbers. For Windows Phone 8.1: Select to ensure a strong password based on Microsoft's standard.
Minimum passcode length: Select a number from the list to set a minimum passcode length.
Minimum number of complex characters: For iOS and Android: Select a number from the list to set a minimum number of characters that are neither numbers nor letters. For Windows Phone 8.1: Not compatible.
Maximum passcode age: Enter the number of days after which the device user must reset the passcode. If you do not want to set a passcode age, leave this field blank.
Auto-Lock: Select an interval from the list to define how long the device can stay idle before it automatically sets the screen lock.
Any Lock Method: Android only. Allows the user to choose any lock method, including pattern unlock. The passcode settings above are then not applied to the device.
SmartLock: For Android 5.0 devices except in Android for Work profiles; for Android 6.0 or later: Allows or disallows the user to choose the SmartLock feature to unlock a device. SmartLock automatically unlocks a device in certain circumstances, such as the user's proximity to the device, the device being at a trusted location, or the device being paired with a trusted device.
Fingerprint Unlock: For Android 5.0 devices except in Android for Work profiles; for Android 6.0 or later: Allows or disallows the user to choose Fingerprint to unlock a device.
Passcode history: Enter a number to set the number of unique passcodes a user must enter before reusing a passcode. For example, if you set this field to 4, the user must set 4 passcodes before being able to reuse the first passcode.
Grace period for device lock: Select an interval from the list to set the amount of time between the appearance of the lock screen and the point at which the device user must enter a passcode to unlock the device. Windows Phone 8.1 not supported.
Maximum number of failed attempts: Select a number from the list to set the number of times the device user can consecutively enter the wrong passcode before the device is reset and wiped. Use caution with this option.

See Also: How to create a configuration

Privacy Configurations

A privacy configuration defines whether:
location data is collected on the device and sent to the device management system
administrators are allowed to wipe the device
app inventory is collected for all apps or only for those that appear in the app catalog

Privacy settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Collect Location Data: Select to enable collection of location data. View device location on the Devices page. For iOS devices, the location displayed for a device is based on the network location only. For Android devices, the location is based on both network location and GPS location (if available). For Windows devices, the location is based on the latitude and longitude values (also displayed on the device details page with a Google map) obtained during a device check-in. When location collection is enabled on a device, the current location is updated every 4 hours. Location data is removed from the device management system when the device is retired or the privacy configuration is disabled or removed. Note: Device users can turn off collection of location data on the device.
Disable Device Wipe Action: Select to prevent administrators from wiping the device. Consider selecting this option for devices that are owned by the user (employee owned).
Collect App Inventory: Select Collect App Inventory to collect information on all apps installed on the device, regardless of whether an app is present in the app catalog. Select For Apps on the Device that are in the App Catalog to collect information only on those apps that are installed on the device and present in the app catalog.

See Also: How to create a configuration
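The passcode configuration described above (Allow simple values, Require alphanumeric value, Minimum passcode length, Minimum number of complex characters, Passcode history) is enforced by the device, so an administrator cannot easily see which passcodes a given profile would accept before rolling it out. The following is an added example, not MobileIron code: it reproduces those rules in Python using the guide's definition of a simple value (a repeated, ascending or descending character sequence such as 1111, 1234 or abcd), with the Windows Phone 8.1 variant that treats only repeated and ascending numeric sequences as simple. The policy field names and the "wp81" platform tag are hypothetical.

```python
"""Evaluate a candidate passcode against the passcode configuration settings.

Added illustration, not MobileIron code. Field names on PasscodePolicy are
hypothetical stand-ins for the settings in the guide. A "simple value" is a
repeated, ascending or descending character sequence (1111, 1234, abcd); on
Windows Phone 8.1 (platform "wp81") only repeated and ascending numeric
sequences count, as the guide states.
"""
from dataclasses import dataclass


@dataclass
class PasscodePolicy:
    allow_simple_values: bool = False
    require_alphanumeric: bool = True
    minimum_length: int = 6
    minimum_complex_chars: int = 0   # characters that are neither letters nor digits
    history: int = 0                 # unique passcodes before reuse (0 = no history)


def is_simple_value(passcode, platform="ios"):
    """True for repeated or ascending sequences, and (outside wp81) descending ones."""
    if len(passcode) < 2:
        return True
    # Set of differences between consecutive characters' code points.
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    if steps == {0} or steps == {1}:         # 1111 / 1234 / abcd
        return True
    return steps == {-1} and platform != "wp81"   # 4321 / dcba


def evaluate_passcode(passcode, policy, previous=(), platform="ios"):
    """Return the rules the passcode violates; an empty list means it is accepted."""
    problems = []
    if len(passcode) < policy.minimum_length:
        problems.append(f"shorter than minimum length {policy.minimum_length}")
    if not policy.allow_simple_values and is_simple_value(passcode, platform):
        problems.append("simple value (repeated, ascending or descending sequence)")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)):
        problems.append("must contain both letters and numbers")
    complex_chars = sum(1 for c in passcode if not c.isalnum())
    if complex_chars < policy.minimum_complex_chars:
        problems.append(f"needs at least {policy.minimum_complex_chars} complex characters")
    # Passcode history: the last `history` passcodes may not be reused.
    if policy.history and passcode in list(previous)[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passcodes")
    return problems


if __name__ == "__main__":
    policy = PasscodePolicy(minimum_length=6, minimum_complex_chars=1, history=4)
    for candidate in ("1234", "abcdef", "Tr0ub4dor&3"):   # constructed samples
        print(candidate, "->", evaluate_passcode(candidate, policy) or "accepted")
```

Note that the sequence test looks at code-point steps, so "abcd" and "1234" are caught by the same rule, while a passcode such as "1357" is not a simple value under the guide's definition even though it is weak by other measures.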

Software Updates Configurations

Applicable to: iOS Supervised and Windows 10+ devices

Create and distribute rules for OS updates.

Configuring software updates for iOS devices

To allow supervised iOS devices to have OS updates sent to them:

1. Go to Configurations.
2. Click Software Updates.
3. Click iOS to view the Configuration Setup section.
4. Select the Allow OS updates to be automatically installed on supervised devices option.
5. Select the time window in which updates happen: Start Time, End Time, and Timezone.
6. Click Next.
7. Select the Enable this configuration option.
8. Select one of the following distribution options: All Devices, No Devices (default), or Custom.
9. Click Done.

Configuring software updates for Windows devices

To configure the update schedule for your Windows installations:

1. Go to Configurations.
2. Click Software Updates.
3. Click Windows to view the Configuration Setup section.
4. Enter the options described below, depending on the version of your Windows devices.
5. Click Next.
6. Select the Enable this configuration option.
7. Select one of the following distribution options: All Devices, No Devices (default), or Custom.
8. Click Done.

Software updates for Windows 10+ devices

Update Sources - Select one of the following sources: Enterprise WSUS; Microsoft Update and/or Enterprise WSUS; URL to Enterprise WSUS Server.
Allow Updates from 'Trusted Publishers' - Limit sources for updates to trusted publishers only.
Auto Update Strategy - Select one of the options from the pull-down menu.
Scheduled Installation Day - Set the frequency of updates.
Scheduled Installation Time - Select an installation time for updates.

Software updates for earlier Windows 10 builds

Note: These settings will not work if Telemetry Restriction is disabled on a device.

Pause Upgrade/Updates - Turn on to delay changes to a later date.
Defer Updates for - Choose to delay up to 4 weeks.
Defer Upgrades / Defer Upgrades for - Choose to delay up to 8 months.

Software updates for later Windows 10 builds

Branch to install updates from - Allows the IT admin to set which branch a device receives its updates from: Current Branch or Current Branch for Business.
Feature Updates (upgrades) - Supported only in Windows 10 Professional, Windows 10 Enterprise, and Windows 10 Education. Pause updates; Defer for - Choose to delay up to 180 days.
Quality Updates (updates) - Supported only in Windows 10 Professional, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise. Pause updates; Defer for - Choose to delay up to 30 days.

Web Content Filter Configurations

License: Silver

A web content filter configuration limits web access for iOS 7+ devices.

Web content filter settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allowed websites: Select one of the following:
   Limit Adult Content: Select this option if you want to block access to web sites based on the iOS automatic filters. These filters attempt, with a high degree of accuracy, to block websites with inappropriate content.
   Specific Web Sites Only: Select this option if you want to manually list the accessible web sites.
   Plug-in (iOS 8 Supervised Only): Select this option to use a third-party filtering plug-in.
Permitted URLs: This option is available only if you selected Limit Adult Content. Enter the permitted URLs. Each URL must begin with http:// or https://. Note: If you want to permit both the http:// and the https:// version of a site, include two separate URLs. All URLs whose initial characters match a permitted URL are accessible, even if the iOS automatic filters would block them.
Blacklisted URLs: This option is available only if you selected Limit Adult Content. Enter the blacklisted URLs. Each URL must begin with http:// or https://. Note: If you want to block both the http:// and the https:// version of a site, include a row for each URL. All URLs whose initial characters match a blacklisted URL are blocked, even if the iOS automatic filters would allow them.
Whitelisted bookmarks: This option is available only if you selected Specific Websites Only. Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/. If absent, the bookmark is added to the default bookmarks directory.
Filter Name: This option is available only if you selected Plug-in. Enter text that will be displayed to identify this filter.
Identifier: This option is available only if you selected Plug-in. Enter the bundle ID of the plug-in providing the filtering service.
Service Address: This option is available only if you selected Plug-in. Optional: Enter any server address necessary for use by the plug-in. Consult the documentation for the plug-in to determine if this value is necessary.
Organization: This option is available only if you selected Plug-in. Optional: Enter any organization string required by the plug-in. Consult the documentation for the plug-in to determine if this value is necessary.
Username: This option is available only if you selected Plug-in. Optional: Enter any username required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.
Password: This option is available only if you selected Plug-in. Optional: Enter any password required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.
Certificate: This option is available only if you selected Plug-in. Optional: Enter any certificate required by the plug-in service to authenticate the user. Consult the documentation for the plug-in to determine if this value is necessary.
Filter WebKit Traffic: This option is available only if you selected Plug-in. Select to include WebKit traffic in the filter.
Filter Socket Traffic: This option is available only if you selected Plug-in. Select to include socket traffic in the filter.
Custom Data: This option is available only if you selected Plug-in. Optional: Add any key/value pairs required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.

See Also: How to create a configuration

Windows Information Protection Configurations

License: Gold

Applicable to: Windows 10+

A Windows Information Protection (WIP) configuration defines WIP settings to protect enterprise data. This configuration can be applied to devices enrolled under management. You can also view WIP details for a configured device on that device's overview page.

To set up Windows Information Protection for Windows:

1. Go to Configuration > +Add.
2. Select the Windows Information Protection configuration.
3. Enter a name for the configuration.
4. Enter a description.
5. In the Configuration Setup section, specify the remaining settings as described in the following table.
6. Click Next.
7. Select a distribution for this configuration.
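Returning to the Web Content Filter configuration: the Permitted URLs and Blacklisted URLs lists work by matching the initial characters of the requested URL, with http:// and https:// entries kept separate and the two lists overriding the iOS automatic filter in opposite directions. The following is an added example, not MobileIron or Apple code: it implements that matching in Python so the effect of a list can be checked before the profile ships. The iOS automatic filter lives inside the OS, so it is stood in for by a caller-supplied callable; the guide does not say which list wins when a URL matches both, and this example assumes the blacklist does. All URLs used are constructed.

```python
"""Prefix matching used by the iOS web content filter's URL lists.

Added illustration, not MobileIron or Apple code. Implements the rules the
guide states for the Limit Adult Content mode: a URL is allowed when its
initial characters match a Permitted URL (even if the automatic filter would
block it), blocked when they match a Blacklisted URL (even if the automatic
filter would allow it), and otherwise decided by the automatic filter.
Assumptions: the blacklist wins when both lists match (the guide does not
say), and the automatic filter is modelled as a callable supplied by the
caller. Specific Web Sites Only mode allows only the whitelisted bookmarks.
"""
from urllib.parse import urlsplit


def is_valid_entry(entry):
    """Each list entry must begin with http:// or https://."""
    return entry.startswith("http://") or entry.startswith("https://")


def normalise(url):
    """Lower-case scheme and host so prefix matching is case-insensitive there."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    netloc = host + (f":{parts.port}" if parts.port else "")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{netloc}{parts.path}{query}"


def matches_any(url, entries):
    """True when the URL's initial characters match one of the entries."""
    target = normalise(url)
    return any(target.startswith(normalise(e)) for e in entries)


def filter_decision(url, permitted=(), blacklisted=(), auto_filter_blocks=None,
                    mode="limit_adult", bookmarks=()):
    """Return "allowed" or "blocked" for ``url`` under the configured lists."""
    for entry in list(permitted) + list(blacklisted) + list(bookmarks):
        if not is_valid_entry(entry):
            raise ValueError(f"list entry {entry!r} must begin with http:// or https://")

    if mode == "specific":                    # Specific Web Sites Only
        return "allowed" if matches_any(url, bookmarks) else "blocked"

    if matches_any(url, blacklisted):         # assumption: blacklist wins on overlap
        return "blocked"
    if matches_any(url, permitted):
        return "allowed"
    if auto_filter_blocks is not None and auto_filter_blocks(url):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample lists and a toy stand-in for the iOS automatic filter.
    permitted = ["https://intranet.example.com/"]
    blacklisted = ["http://news.example.net/", "https://news.example.net/"]
    auto = lambda u: "casino" in u
    for u in ("https://intranet.example.com/wiki", "https://news.example.net/story",
              "https://shop.example.org/casino", "https://intranet.example.com.evil.test/"):
        print(u, "->", filter_decision(u, permitted, blacklisted, auto))
```

Because the match is on characters rather than on host boundaries, an entry such as https://intranet.example.com (no trailing slash) also permits https://intranet.example.com.evil.test/; end each entry with a "/" to limit it to the intended host.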

Windows Information Protection settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Enterprise Information - All Versions (Windows 10+ Desktop and Mobile)

Protected Domain Names: Specify the list of identities for which Data Protection policies are configured. Email and other data associated with these identities are considered enterprise data and protected. This is a list of domains; the first domain in the list is considered the primary identity for the purposes of the Windows UI. For example: "domain1.com domain2.co.uk".
Network Domain Names: Specify the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device is considered enterprise data and protected. These locations are considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains. For example: "mail.domain3.com, domain4.com".
Cloud Resources: Contains a list of enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. Specify one or more domain names, each with an optional proxy address in brackets. If a proxy is paired with a cloud resource, traffic to that resource is routed through the enterprise network via the specified proxy server (on port 80). All proxy addresses specified in this field should also be entered in the Internal Proxy Servers field below.
IP Range: Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers is considered part of the enterprise and protected. These locations are considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. Select the IP Ranges are authoritative option when the client must accept the configured list and not use heuristics to attempt to find other subnets.
Neutral Resources: Specifies the list of domain names that can be used for either work or personal resources.
Proxy Servers: Specifies the comma-separated list of proxy servers. Any server on this list is considered non-enterprise. Select the Proxy Servers are authoritative option when the client must accept the configured list of proxies and not try to detect other work proxies.
Internal Proxy Servers: Specifies the comma-separated list of internal proxy servers. These proxies have been configured by the admin to connect to specific resources on the Internet and are considered enterprise network locations. They are used only when configuring the EnterpriseCloudResources policy, to force traffic to the matched Cloud Resources through these proxies.

Data Protection - All Versions (Windows 10+ Desktop and Mobile)

Enforcement Level: Choose one of the following enforcement levels:
   Off - No protection (previously encrypted data is decrypted).
   Silent - Encrypt the data and audit activities on the device once the data is protected. The user is not prompted about any inappropriate data or app use.
   Override - Like Silent. In addition, if an app or data is being used inappropriately, the user is prompted to either proceed with or cancel the current operation.
   Block - Like Silent. In addition, if an app or data is being used inappropriately, the current operation is blocked and the user is warned with the reason for blocking it.
   Note: Except in Off mode, any data or app that was not supposed to use enterprise data or resources is logged on the device. That data can be removed from the device using another configuration service provider (CSP).
Data Recovery Certificate: Specify a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for the Encrypting File System (EFS), except that this certificate is delivered through MDM instead of through Group Policy.
You can also select one or more of the following options: Allow User Decryption; Revoke On Unenroll; Show EDP Icons; Require Protection Under Lock (Windows 10 Mobile only).

RMS - All Versions (Windows 10+ Desktop and Mobile)

Allow Azure RMS: Specify whether to allow Azure Rights Management (Azure RMS) encryption for WIP.
RMS Template ID: Specify the TemplateID GUID to use for RMS encryption. The RMS template allows admins to configure who has access to an RMS-protected file and for how long.

App Control - All Versions (Windows 10+ Desktop and Mobile)

Specify a collection of apps that are built under the Apps > App Catalog page with a value of WIP. Specify the rule definitions for the apps using the following parameters:
App Type: Select one of the following app types:
   Publisher/PFN Equals - applies to Windows 10 Mobile and Windows 10 Desktop supporting PFN.
   EXE/Win32 Equals - applies to Windows desktop only.
App Identifier: Select the app from the choices displayed to add it to the App Identifier. You can also click Lookup Apps.
App Description: Enter a description for the app.

Windows Restrictions Configurations

Windows restrictions determine which features are enabled on Windows desktops and mobile devices.

Windows Restrictions settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Device Capabilities

All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable WiFi offloading: Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.
Disable internet sharing: Select to prevent the device from accessing the internet by means of another wireless device.

Telemetry: Allow the device to send diagnostic and usage telemetry data.
Disable location: Select to disable location services.
Disable cellular data roaming: Select to disable data roaming when the device is in cellular mode.
Disable bluetooth: Select to prevent the device from establishing Bluetooth connections.
Disable VPN when roaming or on a cellular network: Select to prevent the device from establishing VPN connections when not on WiFi.

Windows Phone 8.1 only
Disable WiFi Hotspot reporting: Select to prevent the device from automatically reporting hotspot information to Microsoft.

Windows Phone 8.1 & Windows 10 Mobile
Disable WiFi: Select to prevent the device from accessing wireless networks.
Disable manual configuration of WiFi: Select to prevent the device from accessing wireless networks other than those defined by MobileIron Cloud.
Disable NFC: Select to prevent the device from establishing radio communication with another device by getting close to or touching it.

Windows 10 only
Disable manual root certificate installation: Select to prevent the end user from manually installing root and intermediate certificates.
Telemetry level: Select one of the following levels of data reporting:
   Security - Send information about the Connected User Experience, Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
   Basic - Send basic device information that includes quality-related data, app compatibility, app usage data, and data from the Security level.
   Enhanced - Send more information that includes usage and performance of Windows, Windows Server, System Center, and apps. Also includes advanced reliability data, and data from both the Basic and the Security levels.
   Full (Default) - Send all data needed to identify and help fix problems, plus data from the Security, Basic, and Enhanced levels.

Data Loss Prevention (DLP)

All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable camera: Select to prevent the end user from using the camera app.
Disable access to storage (SD) card: Select to prevent the device from accessing a storage card.

Windows Phone 8.1 only
Disable offline "Save As": Select to prevent the end user from using the Save As command with Office Hub files.
Disable offline sharing: Select to prevent the end user from sharing Office Hub files.

Windows Phone 8.1 & Windows 10 Mobile
Disable copy and paste: Select to prevent the end user from copying and pasting data between apps.
Disable screen capture: Select to prevent the end user from using the screen capture feature on the device.
Disable voice recording: Select to prevent the end user from using the voice recording feature.
Disable USB mass storage: Select to prevent the end user from accessing device storage from a desktop by means of USB.

Windows and Application

All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable Microsoft accounts for service other than non-: Select to prevent the end user from using Microsoft accounts for authenticating to services.
Disable non-Microsoft accounts: Select to prevent the end user from configuring or using non-Microsoft accounts.
Disable Cortana personal assistant: Select to prevent the end user from accessing Microsoft's personal assistant.
Disable location-based search: Select to prevent searches from leveraging the device location.
Disable developer unlock: Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.

Windows Phone 8.1 only
Disable storing images from Visual Search feature: Select to prevent the end user from saving images from Bing Vision searches.

Windows Phone 8.1 & Windows 10 Mobile
Disable Microsoft Store: Select to prevent the end user from accessing the Microsoft app store.
Disable Internet Explorer: Select to prevent the end user from accessing Internet Explorer.
Disable alerts from Action Center: Select to prevent display of Action Center alerts above the lock screen.

Secure Browser Settings

Windows 10 Desktop and Mobile
Disable Browser Popups on desktops: (Desktop devices only) Select to disable pop-up browser windows in the Microsoft Edge browser.
Disable Password Manager: Select to disable saving and managing passwords locally on the devices.

Other Restrictions

All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable ability to unenroll from EMM and delete the workplace account: Select to prevent the end user from unenrolling from EMM and deleting the company account.

Windows Phone 8.1 & Windows 10 Mobile
Require device encryption: Select to turn on internal storage encryption. Once turned on, this option cannot be changed by the EMM server.
Disable user from setting the device lock grace period: Select to prevent the end user from setting the device lock grace period.

Note: Windows 8.1 devices do not report their serial number.

User Resource Configurations

CalDAV Configuration

A CalDAV configuration defines access to a web calendar using the CalDAV internet standard.

CalDAV settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname and Port: Enter the host name and port for the calendar server.
Principal URL: Enter the URL for accessing calendar services.
User: Enter the user name to use for access.
Password: Enter the password to use for access.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server. Without it, the credentials above are sent in cleartext.

See Also
How to create a configuration

CardDAV Configuration

A CardDAV configuration defines access to a web address book using the CardDAV internet standard.

CardDAV settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname and Port: Enter the host name and port for the address book server.
Principal URL: Enter the URL for accessing address book services.
Username: Enter the user name to use for access.
Password: Enter the password to use for access.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server.
Communication Service Rules (iOS 10+): Choose a default app to use to make audio calls to contacts within the CardDAV system.

See Also
How to create a configuration

Google Configuration

Create Google account configurations that connect iOS devices, through the most recently released version supported by MobileIron, to Google accounts. The configuration can set up multiple Google email addresses and any other Google services the user enables after authentication.

Google settings

Specify the Google account by specifying a com.apple.google-oauth value.

Name (iOS): Enter a name that identifies this configuration.
Account description: Enter the display name of the account.
Account name: Enter the full name of the user for the account.
Email address: Enter the Google email address of the account.
Communication Service Rules (iOS 10+): Choose a default app to use to make audio calls to contacts within the Google system.

See Also
How to create a configuration

Email Configuration

An email configuration sets up POP or IMAP email on devices.

Email settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Account Description: Enter the text you want to use to identify this account.
Account Type: Select IMAP or POP. If you select IMAP, you can also enter the path prefix. The internet service provider (ISP) can tell you which type of account is available. A prefix is generally required when all IMAP folders are listed under the Inbox; ISPs that require prefixes usually provide the specific prefix to configure.
User Display Name: Enter the text you want to use to identify the account user. The user can also set this value on the device.
Email Address: Enter a variable to specify the email address for the account.
Allow Move: Select to allow email to be moved out of this account into another account. Leave it cleared to keep messages inside this managed account.
Enable S/MIME: Select to turn on support for S/MIME encryption. Then, you can select signing and encryption certificates.
  Note: Requires certificate caching. Make sure that caching is enabled in the Certificate Authority used by the Identity Certificate configuration.
  iOS 10.3+: Select one of the following options for the S/MIME signing and S/MIME encryption fields: Off, On, or User Select. User Select lets the user enable S/MIME signing and encryption per message if required.
Allow Mail Drop: Select to allow Mail Drop for this account. Mail Drop enables the user to send email with large attachments by storing the attachment in iCloud and placing a link to it in the email. See Apple's documentation for more information on Mail Drop.

Incoming Mail

Mail Server and Port: The internet service provider (ISP) can give you this address.
User Name: Enter the user name for accessing the incoming mail server. This is often the same as the email address. Your ISP can provide the format.
Authentication Type: Select the authentication type defined by the ISP.
Password: Enter the password for accessing the incoming mail server.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server.

Outgoing Mail

Mail Server and Port: The internet service provider (ISP) can give you this address.
User Name: Enter the user name for accessing the outgoing mail server. This is often the same as the email address. Your ISP can provide the format.
Authentication Type: Select the authentication type defined by the ISP.
Password: Enter the password for accessing the outgoing mail server.
Outgoing password same as incoming: Select if SMTP authentication uses the same password as POP/IMAP.
Use Only in Mail: Select if you want this configuration used only by the email client. Other apps that send email, including apps that send content using the native email client, are not able to use this configuration.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server.

See Also
How to create a configuration

Exchange Configuration

An Exchange configuration sets up ActiveSync-based email on Android and iOS devices and Exchange Web Services (EWS)-based email for macOS devices.

Exchange settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Exchange Host: If you are using Sentry to control access, enter the Sentry server host name. Otherwise, enter the address of the ActiveSync server.*
Allow Move: For iOS and Android: Select to allow email to be moved out of this account into another account. For Windows Phone 8.1 and Windows 10: Not applicable.
Enable S/MIME: Select to turn on support for S/MIME encryption. Then, you can select signing and encryption certificates.
  Note: Requires certificate caching. Make sure that caching is enabled in the Certificate Authority used by the Identity Certificate configuration.
  iOS 10.3+: Select one of the following options for the S/MIME signing and S/MIME encryption fields: Off, On, or User Select. User Select lets the user enable S/MIME signing and encryption per message if required.
Sync Recent Addresses: Select if you want to sync recently contacted addresses between the device and the server.
Use Only in Mail: Select if you want this configuration used only by the email client. Other apps that send email, including apps that send content using the native email client, are not able to use this configuration.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server.
Domain: Enter the domain for this account, unless you want the user to be prompted for it.
User: Enter a variable representing the email address for this account.*
Account Password: Enter the password for this account, unless you want the user to be prompted for it.
Email Address: Enter a variable representing the email address for this account.*
Past Days of Mail to Sync: Select the number of days of email to sync between the device and the server.
Sync Calendar: For Android and Windows Phone 8.1 and Windows 10: Select to sync calendar items between the device and the server. For iOS: Not applicable. For Samsung devices: This setting is not used (it is ON by default). For the Android Email+ app: This setting is used.
Sync Contacts: For Android and Windows Phone 8.1 and Windows 10: Select to sync contacts between the device and the server. For iOS: Not applicable. For Samsung devices: This setting is not used (it is ON by default). For the Android Email+ app: This setting is used.
Sync Email: For Android and Windows Phone 8.1 and Windows 10: Select to sync email between the device and the server. For iOS: Not applicable. For Samsung devices: This setting is not used (it is ON by default). For the Android Email+ app: This setting is not used (it is ON by default).
Sync Tasks: For Android and Windows Phone 8.1 and Windows 10: Select to sync tasks between the device and the server. For iOS: Not applicable. For Samsung devices: This setting is not used (it is ON by default). For the Android Email+ app: Not applicable.
Identity Certificate: Select an identity certificate from the list if you want the device to authenticate to the server using a certificate. Certificates appear in this list only if already configured using an identity certificate configuration.
Make Identity Certificate Compatible with iOS 4: Not supported.
Android Use Certificate Based Authentication Only: Use the selected identity certificate as the only means of authenticating to the Exchange server.
Accept all SSL Certificates: Select to allow device users to set Android devices to accept all SSL certificates. This setting applies to the Android Email+ app and Samsung SAFE email.
  Note: Use caution when enabling this setting. It turns off server certificate validation, so device users might unknowingly expose the device to a man-in-the-middle attack. This option needs to be enabled if the Sentry certificate is self-signed or issued by a CA the device does not trust; issuing Sentry a certificate from a trusted CA is the safer alternative.
Exchange App Priority: Select the email client to be configured by default on Android devices.
Communication Service Rules (iOS 10+): Choose a default app to use to make audio calls to contacts within the Exchange system.

*Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Font Configuration

A font configuration enables you to provide additional TrueType or OpenType font files to iOS 7+ devices.

Font settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Upload Fonts: Drag the font file to the dotted box, or click Choose File to select it from your file system. Font files must be .otf or .ttf files.

See Also
How to create a configuration

Subscribed Calendar Configuration

A subscribed calendar configuration defines access to a public web calendar.

Subscribed calendar settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
URL: Enter the URL for accessing the calendar.*
User: Enter the user name to use for access.*
Password: Enter the password to use for access.
Use SSL: Select to use only TLS (SSL) for communications between the device and the server.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Web Clip Configuration

A web clip is a shortcut to a website or web page on an iOS device. Use a web clip configuration to create standard web clips on devices.

Web clip settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Label: Enter the text that you want to display below the shortcut on the device screen.*
URL: Enter the URL that the web clip will access.*
Removable: Select to allow the device user to delete the web clip.
Icon: Drag the icon file to the dotted box, or click Choose File to select it from your file system.
Precomposed Icon: Select to eliminate the special effects added by more recent versions of Safari.
Full Screen: Select to display the web clip in full-screen mode instead of as content in a browser.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
Multi-user Secure Sign-in for iOS
How to create a configuration

Enterprise Network Access Configurations

AirPlay Configuration

License: Silver

An AirPlay configuration sets up access to alternate devices for media display.

AirPlay settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
White list: Enter the device ID of each permitted AirPlay destination. If you do not list an ID, AirPlay destinations are not restricted.
Device Settings: Enter the device name and password for each known AirPlay destination.

See Also
How to create a configuration

AirPrint Configuration

License: Silver

An AirPrint configuration sets up wireless printing.

AirPrint settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
AirPrint Settings:
  IP Address: Enter the IP address of the AirPrint printer.
  Resource Path: Enter the resource path associated with the AirPrint printer. This corresponds to the rp parameter of the printer's _ipps._tcp Bonjour record. Examples: printers/canon_mg5300_series, printers/xerox_phaser_7600, ipp/print, Epson_IPP_Printer.

Note: The resource path is case sensitive.

See Also
How to create a configuration

Always On VPN Configuration

License: Gold for Android for Work; Silver for iOS

An Always On VPN configuration ensures that users are automatically connected to VPN (when available) without needing to take any action. This feature requires Android for Work or iOS 8+, as well as a VPN provider that supports the IKEv2 protocol.

Always On VPN settings for Android

The Always On VPN configuration is sent to Android for Work devices. To enable this configuration, select an app from the App Catalog or enter a package name.

Always On VPN settings for iOS

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Use same tunnel configuration for Cellular and Wi-Fi: Select to define one server-identifier pair for VPN connections, regardless of whether the connection is established over a cellular or a Wi-Fi network.
Server: Enter the host name or IP address of the VPN server.
Local Identifier: Identifier of the IKEv2 client, in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Remote Identifier: Identifier of the IKEv2 server, in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Enable EAP: Select to enable extended authentication.
Machine Authentication: Available only if Enable EAP is not selected. Select Certificate or Shared Secret.
EAP Authentication: Available only if Enable EAP is selected. Select Certificate or Username/Password.
Shared Secret: Available only if Shared Secret was selected for Machine Authentication. Enter the shared secret for the connection. Note that the same secret is distributed to every device that receives this configuration.
Credential: Available only if Certificate was selected for Machine Authentication. Select the certificate to use. This certificate is sent for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS.
Account: Available only if Username/Password was selected for EAP Authentication. Enter the account ID for the VPN server.
Password: Available only if Username/Password was selected for EAP Authentication. Enter the password for the VPN server.
Dead Peer Detection Interval: Select one of the following: None (disabled), Low (keepalive sent every 1 hour), Medium (keepalive sent every 30 minutes), High (keepalive sent every 10 minutes).
Encryption Algorithm: Select one of the following: DES, 3DES, AES-128, AES-256. DES and 3DES are obsolete; select AES.
Integrity Algorithm: Select one of the following: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512. Prefer a SHA2 option.
Diffie Hellman Group: Select the D-H key exchange group.
Lifetime In Minutes: Enter the SA lifetime (re-key interval) in minutes. The minimum valid value is 10.
Voice Mail: Select Allow traffic via tunnel to let voice mail traffic pass through the Always On VPN tunnel rather than being dropped.
AirPrint: Select Allow traffic via tunnel to let AirPrint traffic pass through the Always On VPN tunnel rather than being dropped.
Allow traffic from captive websheet outside the VPN tunnel: Select to allow traffic from captive web sheets outside the VPN tunnel.
Allow traffic from all captive networking apps outside the VPN tunnel: Select to allow traffic from all captive networking apps outside the VPN tunnel so that they can perform captive network handling.
Captive Networking App Bundle Identifiers: List the bundle IDs for captive networking apps whose traffic will be allowed outside the VPN tunnel to perform captive network handling. Captive networking apps may require additional entitlements to operate in a captive environment. Every app listed here is an exemption from Always On, so keep the list to apps that genuinely need it.

See Also
How to create a configuration
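As an added example, not part of the guide or of any MobileIron code, the following Python check audits the IKEv2 choices from the Always On VPN settings table above against a hardening baseline and checks that the mutually exclusive authentication fields are filled in consistently. The option strings are the ones the table lists; the baseline thresholds (no DES or 3DES, no SHA-1 integrity, Diffie-Hellman group 14 or higher, a re-key interval no longer than an assumed 1440 minutes because the table's upper bound is cut off on this page) are this example's assumptions, not MobileIron requirements.

```python
"""Audit an Always On VPN (IKEv2) configuration against a hardening baseline.

Added example, not MobileIron code.  Field names and option strings mirror the
Always On VPN settings table; the thresholds below are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

VALID_ENCRYPTION = ("DES", "3DES", "AES-128", "AES-256")
VALID_INTEGRITY = ("SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512")
VALID_DPD = ("None", "Low", "Medium", "High")

# Baseline thresholds (assumptions of this example, not MobileIron defaults).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14                # 2048-bit MODP
MIN_LIFETIME_MINUTES = 10        # lower bound stated in the settings table
MAX_LIFETIME_MINUTES = 1440      # assumed 24 h; the table's upper bound is cut off on this page


@dataclass
class AlwaysOnVpn:
    encryption: str
    integrity: str
    dh_group: int
    lifetime_minutes: int
    dead_peer_detection: str = "Medium"
    enable_eap: bool = False
    machine_auth: Optional[str] = None   # "Certificate" | "Shared Secret"; only when enable_eap is False
    eap_auth: Optional[str] = None       # "Certificate" | "Username/Password"; only when enable_eap is True


def audit(cfg: AlwaysOnVpn) -> List[str]:
    """Return a list of findings; an empty list means the configuration meets the baseline."""
    findings = []

    if cfg.encryption not in VALID_ENCRYPTION:
        findings.append(f"encryption: {cfg.encryption!r} is not a selectable option")
    elif cfg.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption: {cfg.encryption} is obsolete; select AES-128 or AES-256")

    if cfg.integrity not in VALID_INTEGRITY:
        findings.append(f"integrity: {cfg.integrity!r} is not a selectable option")
    elif cfg.integrity in WEAK_INTEGRITY:
        findings.append(f"integrity: {cfg.integrity} uses SHA-1; select SHA2-256 or stronger")

    if cfg.dh_group < MIN_DH_GROUP:
        findings.append(f"dh_group: group {cfg.dh_group} is below the group {MIN_DH_GROUP} baseline")

    if not MIN_LIFETIME_MINUTES <= cfg.lifetime_minutes <= MAX_LIFETIME_MINUTES:
        findings.append(f"lifetime: {cfg.lifetime_minutes} minutes is outside "
                        f"{MIN_LIFETIME_MINUTES}..{MAX_LIFETIME_MINUTES}")

    if cfg.dead_peer_detection not in VALID_DPD:
        findings.append(f"dead_peer_detection: {cfg.dead_peer_detection!r} is not a selectable option")
    elif cfg.dead_peer_detection == "None":
        findings.append("dead_peer_detection: disabled; a dead gateway leaves the device believing it is tunnelled")

    # The authentication fields are mutually exclusive, exactly as the settings table describes.
    if cfg.enable_eap:
        if cfg.machine_auth is not None:
            findings.append("machine_auth: not applicable when Enable EAP is selected")
        if cfg.eap_auth not in ("Certificate", "Username/Password"):
            findings.append("eap_auth: choose Certificate or Username/Password when Enable EAP is selected")
        elif cfg.eap_auth == "Username/Password":
            findings.append("eap_auth: the account password is embedded in the profile; prefer Certificate (EAP-TLS)")
    else:
        if cfg.eap_auth is not None:
            findings.append("eap_auth: only applies when Enable EAP is selected")
        if cfg.machine_auth not in ("Certificate", "Shared Secret"):
            findings.append("machine_auth: choose Certificate or Shared Secret when Enable EAP is not selected")
        elif cfg.machine_auth == "Shared Secret":
            findings.append("machine_auth: one shared secret goes to every device; prefer Certificate")

    return findings


if __name__ == "__main__":
    weak = AlwaysOnVpn("3DES", "SHA1-96", 2, 5, "None", machine_auth="Shared Secret")
    for line in audit(weak):
        print(line)
```

Run it against each Always On VPN configuration you export; a clean run returns an empty list, and every finding names the settings-table field to change.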

Default App Runtime Permissions Configuration

Applicable to: Apps built targeting Android API 23+ and running on Android 6.0+ Android for Work devices.

Administrators can set the runtime permission configuration for apps deployed to Android for Work devices. Apps built targeting API 23 (or higher) and running on Android 6.0 or later prompt users for permissions at runtime. The Default App Runtime Permissions configuration sets the default for these app runtime permissions. MobileIron Cloud creates this configuration by default. You can edit this default system configuration or create a new configuration based on your requirements.

App-specific permissions take precedence over the general app permission configuration. In-house apps are subject to the global permissions; setting per-app permissions for in-house apps is not supported.

Setting global runtime permissions

Administrators can edit the default app runtime permissions and the distribution of this configuration as follows:

1. Go to Configurations.
2. Perform one of the following actions:
   To edit the default system configuration, click Default App Runtime Permissions and click Edit.
   To add a new configuration, click Add > Default App Runtime Permissions.
3. Enter a name for the configuration.
4. Enter a description.
5. In the Configuration Setup section, set one of the following default runtime permissions:
   User Prompt (default option)
   Auto Grant
   Auto Deny (use with caution)
   Auto Grant silently approves every dangerous permission an app asks for (contacts, location, microphone, and so on), so reserve it for apps you have vetted; Auto Deny can break apps that need the permission.
6. Click Next.
7. Select the Enable this configuration option.
   Note: If you deselect this option, this configuration will not be applied to any devices. It will be removed from all devices if it was previously applied.
8. Select one of the following distribution options:
   All Devices
   No Devices (default)
   Custom
9. Click Done.

Setting app-specific runtime permissions

Administrators can set the default runtime permissions for an individual application as follows:

1. Go to Apps.
2. Click the name of the app.
3. Click App Configurations > Android for Work.
4. Click Add, or click the configuration name to edit an existing configuration.
5. Set the configuration options such as name, description, and restrictions.
6. In the Runtime Permissions section, click Manage Permissions.
7. Select the permissions in the displayed window and click Select. Only the dangerous permissions that apply to the specific application are listed for selection. The complete list of dangerous permissions (such as read your contacts, find accounts on the device, write call log, and so on) is published in Android's permission documentation. The permissions are applied only when the application requests them; they are not applied if the user has previously accepted or denied the permissions.
8. In the Runtime Permissions section, select one of the following default runtime permissions:
   Default/Global (default option)
   Auto Grant
   Auto Deny (use with caution)
9. In the Distribute this App Config section, select one of the following distribution options:
   Everyone with App
   No One
   Custom
10. Click Save at the top of the page.

Education Configuration

License: Gold

Applicable to: Supervised iOS 9.3+

Configures the Apple Education payload and the Classroom app for Leaders and Members.

Education settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Configuration Type: Select Leader or Member.
Enable this configuration: Select this option to apply this configuration to the selected devices. Deselect it to remove this configuration from all the devices if it was previously applied.
Distribute: Select one of the following distribution options: All Devices, No Devices, Custom.

See Also
How to create a configuration

Global Proxy Configuration

License: Silver

A global proxy configuration sets up devices to forward HTTP traffic to a proxy server.

Global proxy settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Type: Select Manual or Auto. If you select Manual, you need the proxy server host name and port, and optionally a username and password for the proxy server. If you select Auto, you can enter a proxy autoconfiguration (PAC) URL.
Hostname and Port: If you selected Manual, enter the host name and port number for the proxy server.
User: (Optional) Username for accessing the proxy server.*
Password: (Optional) Password for accessing the proxy server.
PAC URL: (Optional) If you selected Auto, you can enter the URL of the PAC file that defines the proxy configuration. If you leave this setting blank, the device uses the Web Proxy Autodiscovery Protocol (WPAD) to discover proxies. WPAD trusts whatever the local network's DHCP and DNS answer, so on an untrusted network an attacker can steer the device to a proxy of their choosing; set the PAC URL explicitly rather than relying on discovery.
Allow direct connection if PAC is unreachable: (iOS 7 and later) Select to allow a direct connection if the device is unable to access the PAC file for any reason. This fails open: while the PAC file is unreachable, traffic bypasses the proxy and any filtering it provides.
Allow bypassing proxy to access captive networks: (iOS 7 and later) Select to allow bypassing the proxy to display the login page for a captive network.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

LDAP Configuration

An LDAP configuration sets up access to a corporate directory.

LDAP settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname: Enter the host name for the LDAP server.*
User: Enter the username for accessing the LDAP account.*
Password: Enter the password for accessing the LDAP account.
Use SSL: Select if you want to use SSL for the connection to the LDAP server. Without it, the bind credentials and directory queries are sent in cleartext.
Search Settings: Enter at least one entry for the account. Each entry represents a node in the LDAP tree from which to start searching. Click the + button to add a new entry, then edit the entry. An entry consists of the following values:
  Description: Explains the purpose of the search setting.
  Scope: Select Base, Subtree, or One Level to indicate the scope of the search. Base indicates just the node level, Subtree indicates the node and all children, and One Level indicates the node and one level of children.
  Search Base: The conceptual path to the specified node (for example, ou=people, o=mycorp).
Communication Service Rules (iOS 10+): Choose a default app to use to make audio calls to contacts within the LDAP system.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration
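The CalDAV, CardDAV, Email, Exchange, Subscribed Calendar and LDAP configurations above all end up on an iOS device as account payloads in an Apple configuration profile, and all share the same two easy mistakes: Use SSL left off, and a static password typed into the configuration instead of a per-user variable, a user prompt, or an identity certificate. As an added example, not part of the guide and not MobileIron code, the following Python linter reads a profile and reports both. The payload types and key names are Apple's configuration-profile keys as the author recalls them and should be confirmed against Apple's Configuration Profile Reference; the sample profile embedded in the block is constructed for this example.

```python
"""Lint account payloads in an Apple configuration profile for missing TLS and
embedded static passwords.  Added example, not MobileIron code.

Payload types and key names are Apple's (quoted from memory; verify against the
Configuration Profile Reference).  SAMPLE_PROFILE is constructed for this example.
"""
import plistlib
from typing import List

# payload type -> (keys that must be explicitly true, keys that must not carry a secret)
ACCOUNT_PAYLOADS = {
    "com.apple.caldav.account": (("CalDAVUseSSL",), ("CalDAVPassword",)),
    "com.apple.carddav.account": (("CardDAVUseSSL",), ("CardDAVPassword",)),
    "com.apple.subscribedcalendar.account": (("SubCalAccountUseSSL",), ("SubCalAccountPassword",)),
    "com.apple.ldap.account": (("LDAPAccountUseSSL",), ("LDAPAccountPassword",)),
    "com.apple.mail.managed": (
        ("IncomingMailServerUseSSL", "OutgoingMailServerUseSSL"),
        ("IncomingPassword", "OutgoingPassword"),
    ),
    "com.apple.eas.account": (("SSL",), ("Password",)),
}


def audit_payload(payload: dict) -> List[str]:
    """Return findings for one payload; payload types this linter does not know are skipped."""
    ptype = payload.get("PayloadType")
    if ptype not in ACCOUNT_PAYLOADS:
        return []
    ident = payload.get("PayloadIdentifier", ptype)
    tls_keys, secret_keys = ACCOUNT_PAYLOADS[ptype]
    findings = []
    for key in tls_keys:
        # Insist on an explicit true instead of relying on each payload type's default.
        if payload.get(key) is not True:
            findings.append(f"{ident}: {key} is not set to true; credentials travel in cleartext")
    for key in secret_keys:
        if payload.get(key):
            findings.append(f"{ident}: {key} embeds a static password; use a variable, a user prompt, "
                            f"or an identity certificate")
    return findings


def audit_profile(profile: dict) -> List[str]:
    """Audit every payload in a parsed profile (the top-level plist dictionary)."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        findings.extend(audit_payload(payload))
    return findings


# Constructed sample: one bad CalDAV payload, one clean LDAP payload, one
# certificate-authenticated Exchange payload pointed at a Sentry host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.caldav.account</string>
      <key>PayloadIdentifier</key><string>example.caldav</string>
      <key>CalDAVHostName</key><string>calendar.example.test</string>
      <key>CalDAVPort</key><integer>8008</integer>
      <key>CalDAVUseSSL</key><false/>
      <key>CalDAVUsername</key><string>jdoe</string>
      <key>CalDAVPassword</key><string>hunter2</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.ldap.account</string>
      <key>PayloadIdentifier</key><string>example.ldap</string>
      <key>LDAPAccountHostName</key><string>ldap.example.test</string>
      <key>LDAPAccountUseSSL</key><true/>
      <key>LDAPAccountUserName</key><string>jdoe</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadIdentifier</key><string>example.eas</string>
      <key>Host</key><string>sentry.example.test</string>
      <key>SSL</key><true/>
      <key>PayloadCertificateUUID</key><string>11111111-2222-3333-4444-555555555555</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_sample() -> List[str]:
    """Parse the constructed sample profile and audit it."""
    return audit_profile(plistlib.loads(SAMPLE_PROFILE))


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Point audit_profile at plistlib.load() of a .mobileconfig exported from your MDM (or pulled from a test device) before it is distributed; a MobileIron variable reference would be substituted per user before delivery, so a literal password found at this stage is one that every recipient of the configuration shares.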

macOS Server Configuration

A macOS Server configuration defines a macOS Server account with the configured account types and settings. This configuration allows the user to activate File Sharing on the server.

Applicable to: iOS 10+

To configure macOS Server:

1. Go to Configuration > +Add.
2. Select the macOS Server configuration to display the Create macOS Server Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Enter Host Name to specify the server address.
6. Enter User Name to specify the user's login name.
7. (Optional) Enter Password for the user.
8. (Optional) Enter Description for the account.
9. (Optional) Under Configured Accounts, enter the Port number to use when contacting the server for the Documents dictionary account. If no port number is specified, the default port number is used.
10. Click Next.
11. Select a distribution for this configuration.

MobileIron Tunnel Configuration

A MobileIron Tunnel configuration defines a per-app VPN connection between an iOS client or a Windows client and Sentry using MobileIron Tunnel.

Applicable to: iOS 7+ and Windows 10+

To create a MobileIron Tunnel configuration for iOS:

1. Go to Configuration > +Add.
2. Select the MobileIron Tunnel configuration to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Click the iOS icon. The Configuration Setup section is displayed.
6. In the Sentry Settings section:
   1. Choose a Sentry profile from the Sentry Profile pull-down menu.
   2. Choose a Sentry service from the Sentry Service pull-down menu.
   3. Enter an email address to receive debugging information.
7. In the MobileIron Tunnel section, choose one of the following options for Legacy App Support:
   Enabled: Use the Tunnel Legacy app for all iOS versions.
   Enabled for iOS 7 & 8 only: Use the Tunnel Legacy app for iOS 7 and 8 and the Tunnel app for later iOS versions.
8. In the Custom Data section, choose or specify values for the following settings for MobileIron Tunnel apps:
   Custom Data: Keys and string values for custom data.
   Safari Domains: Allow Safari to tunnel only to the specified domains.
   Disconnection Timeout: Specify the idle time after which the VPN disconnects. Set to 0 if the connection should stay open indefinitely.
   Network Rules: Specify rules that match on DNS Domain, DNS Server Address, SSID, URL String Probe, and Interface Type.
   Action: Specify whether the VPN connection should Connect, Disconnect, or Ignore based on the specified network rules.
   Connection Rules: Specify Domains, Action (Connect or Disconnect), DNS Server, and URL Probe.
9. Click Next.
10. Select a distribution for this configuration.

To create a MobileIron Tunnel configuration for Windows:

1. Go to Configuration > +Add.
2. Select the MobileIron Tunnel configuration to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Click the Windows icon. The Configuration Setup section is displayed.
6. Choose a Sentry profile from the Sentry Profile pull-down menu.
7. Choose a Sentry service from the Sentry Service pull-down menu.
8. Enter an email address to receive debugging information.
9. Select the Standard or Advanced option for Tunnel App settings. In the Advanced option, you can enter key-value pairs only.
10. In the Standard option, select an Always On position. ON is the default setting. This is a Windows 10 feature that enables the active VPN profile to connect automatically on these triggers: user signs in, network change.
    Note: The Always On setting works for Force Tunnel only.
11. If needed, click +Create New Group to create a new list of apps whose traffic will all flow through the VPN. Enter a path for the app in the App Type pull-down menu. Click Lookup Apps to search for Windows 10 apps in the Windows App Store: enter the name of the app in the search field, then select an app to add it to the App Identifier. In the Traffic Filters section, click +Add to add a filter. All traffic is sent through the tunnel if no filters are configured. Enter an IP address range in the Traffic Filter screen to limit the traffic allowed through the tunnel to those IP addresses.
12. In the DNS section, click +Add to add a Domain and DNS Server IP.
13. Click Next.
14. Select a distribution for this configuration.
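The Network Rules, Action and Connection Rules of the MobileIron Tunnel configuration above, and the same network and connection rule types listed under the Per-app VPN configuration that follows, are ordered rules whose first match decides what the VPN does. As an added example, not part of the guide and not MobileIron code, the following Python evaluator implements that first-match logic over a small constructed rule set, using the key names of Apple's VPN payload on-demand rules and Apple's first-match semantics for them; whether MobileIron Tunnel applies every key identically should be confirmed against its own documentation. The sample rules, network states and probe URL are constructed for this example. The design point it shows: an SSID match alone is trivially spoofed by a rogue access point, so a rule that disconnects the tunnel on the corporate network should also require the DNS server, search domain and a URL probe to agree.

```python
"""Evaluate VPN on-demand rules (first match wins).  Added example, not MobileIron code.

Rule keys follow Apple's VPN payload OnDemandRules (DNSDomainMatch, DNSServerAddressMatch,
SSIDMatch, URLStringProbe, InterfaceTypeMatch, Action, ActionParameters); the sample
rules and network states below are constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, List, Optional


@dataclass
class NetworkState:
    interface: str                      # "WiFi", "Cellular" or "Ethernet"
    ssid: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)
    search_domains: List[str] = field(default_factory=list)


def _any_match(patterns, values) -> bool:
    """Case-insensitive glob match; '*.corp.example' matches any subdomain."""
    return any(fnmatch(v.lower(), p.lower()) for p in patterns for v in values)


def rule_matches(rule: dict, state: NetworkState, probe: Callable[[str], bool]) -> bool:
    """A rule matches only when every criterion it carries matches; a rule with no criteria is the catch-all."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state.interface:
        return False
    if "SSIDMatch" in rule and (state.ssid is None or state.ssid not in rule["SSIDMatch"]):
        return False
    if "DNSServerAddressMatch" in rule and not _any_match(rule["DNSServerAddressMatch"], state.dns_servers):
        return False
    if "DNSDomainMatch" in rule and not _any_match(rule["DNSDomainMatch"], state.search_domains):
        return False
    if "URLStringProbe" in rule and not probe(rule["URLStringProbe"]):
        return False
    return True


def first_matching_rule(rules: List[dict], state: NetworkState, probe=lambda url: False):
    for rule in rules:
        if rule_matches(rule, state, probe):
            return rule
    return None


def evaluate(rules: List[dict], state: NetworkState, probe=lambda url: False) -> str:
    """Network-level action: Connect, Disconnect, Ignore or EvaluateConnection.
    No matching rule is treated as Ignore (this example's assumption; end the list with a catch-all)."""
    rule = first_matching_rule(rules, state, probe)
    return rule["Action"] if rule else "Ignore"


def evaluate_for_host(rules: List[dict], state: NetworkState, host: str, probe=lambda url: False) -> str:
    """Per-connection decision.  Under an EvaluateConnection rule the host is checked against each
    Domains list; a host matching none is not tunnelled (NeverConnect, this example's assumption)."""
    rule = first_matching_rule(rules, state, probe)
    if rule is None:
        return "Ignore"
    if rule["Action"] != "EvaluateConnection":
        return rule["Action"]
    for params in rule.get("ActionParameters", []):
        if _any_match(params["Domains"], [host]):
            return params["DomainAction"]
    return "NeverConnect"


# Constructed sample: drop the tunnel on corporate Wi-Fi only when SSID, DNS server,
# search domain AND a reachability probe all agree; always tunnel on cellular;
# otherwise tunnel corporate domains on demand.
SAMPLE_RULES = [
    {
        "InterfaceTypeMatch": "WiFi",
        "SSIDMatch": ["CorpWiFi"],
        "DNSServerAddressMatch": ["10.10.0.*"],
        "DNSDomainMatch": ["*.corp.example"],
        "URLStringProbe": "https://probe.corp.example/ok",   # hypothetical probe URL
        "Action": "Disconnect",
    },
    {"InterfaceTypeMatch": "Cellular", "Action": "Connect"},
    {
        "Action": "EvaluateConnection",                      # catch-all
        "ActionParameters": [{"Domains": ["*.corp.example"], "DomainAction": "ConnectIfNeeded"}],
    },
]


if __name__ == "__main__":
    corp = NetworkState("WiFi", "CorpWiFi", ["10.10.0.53"], ["sfo.corp.example"])
    rogue = NetworkState("WiFi", "CorpWiFi", ["192.168.1.1"], ["home.lan"])
    print("corporate Wi-Fi:", evaluate(SAMPLE_RULES, corp, probe=lambda url: True))
    print("rogue AP with same SSID:", evaluate(SAMPLE_RULES, rogue, probe=lambda url: False))
    print("intranet host on rogue AP:", evaluate_for_host(SAMPLE_RULES, rogue, "intranet.corp.example"))
```

Reorder SAMPLE_RULES and the outcomes change, which is the property to keep in mind when editing Network Rules in the console: the most specific rule goes first and the catch-all goes last.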
Per-app VPN Configuration Configurations 207

Per-app VPN Configuration

License: Silver
Applicable to: iOS devices

A Per-app VPN configuration defines the settings for virtual private network access for specific apps.

Per-app VPN settings (Setting - What To Do)

Name - Enter a name that identifies this configuration.
Description - Enter a description that clarifies the purpose of this configuration.
Connection Type - Select the type of VPN to configure. The remaining settings depend on this selection.
Enable VPN On Demand - Select to use this configuration for domains and host names that establish a VPN on demand. For iOS and macOS, you can set up:
  Network rules, which allow, connect, disconnect, or ignore the VPN for the networks whose match criteria evaluate as true.
  Connection rules, which connect when needed, or never connect, for the domains whose match criteria evaluate as true.
Enable iOS Rules (applicable if Enable VPN On Demand is selected) - For network rules, you can specify the following types of parameters: DNS Domain Match, DNS Server Address Match, SSID Match, URL String Probe, Interface Type Match. For connection rules, you can specify the following types of parameters: DNS Domain Match, DNS Server Address Match, SSID Match, URL String Probe, Interface Type Match.
Domains, DNS Server, URL Probe - The match values for a connection rule.
On demand match app enabled - Select to enable the per-app VPN on demand.
Safari Domains (iOS) - Allow Safari to tunnel only to the specified domains.
Provider Type (iOS 9+) - Select one of the following tunnel providers: app-proxy (tunnels traffic at the app layer) or packet-tunnel (tunnels traffic at the IP layer).

IPsec (Cisco)

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Machine Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Include User PIN - Select to prompt the user for a PIN.
Proxy Setup - Select Manual or Automatic to configure a proxy. If you select Manual, the following additional fields are available: Server and Port (enter the network address and port number for the proxy server*), Authentication (enter a valid user name if one is required for connecting to the proxy*), and Password (enter a valid password if one is required for connecting to the proxy). If you select Automatic, the following additional field is available: Proxy Server URL (enter the fully-qualified URL for the proxy).

Cisco AnyConnect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Group - Enter the group to use to authenticate the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Juniper SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Realm - Enter the authentication realm to be used for authenticating the connection.
Role - Enter the authentication role to be used for authenticating the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

F5 SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

SonicWALL Mobile Connect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Login Group or Domain - Enter the login group or domain to be used for authenticating the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Aruba VIA

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Custom SSL

Identifier - Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Palo Alto Networks GlobalProtect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Certificate is the user authentication method. Select an identity certificate to use in the Credential field.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also: How to create a configuration

Single Sign-On Configuration

A single sign-on configuration sets up access to multiple managed apps on iOS 7+ devices with a single authentication using Kerberos.

Single sign-on settings (Setting - What To Do)

Name - Enter a name that identifies this configuration.
Description - Enter a description that clarifies the purpose of this configuration.
Kerberos principal name - Enter the name of the Kerberos principal.
Certificate - For iOS 8 with a Gold license: select the certificate to use to renew the Kerberos credential.
Kerberos realm name - Enter the name of the Kerberos realm.
URL prefixes matches - List of URL prefixes that must be matched in order to use this account for Kerberos authentication over HTTP.
Applications - (Optional) List of app identifiers that are allowed to use this login. If you do not specify app identifiers, this login matches all app identifiers, so restrict the list to the apps that actually need the Kerberos credential.

See Also: How to create a configuration

Multi-user Secure Sign-in for iOS

Applicable to: iOS

The Multi-user Secure Sign-in for iOS configuration enables secure multi-user login on iOS devices via a web clip. Admins can edit the distribution of this system-defined configuration as follows:
1. Go to Configurations.
2. Click Multi-user Secure Sign-in for iOS.
3. Click Edit Distribution.
4. Select one of the following distribution options: All Devices, No Devices (default), or Custom.
5. Click Save.

Signing in to a device
A user can sign in to an iOS device and assign the device to self. After logging in, all relevant applications, policies, configurations, and certificates are pushed to the device.

Signing out of a device
A user can sign out of the iOS device after use. After signing out, the applications, policies, configurations, and certificates are removed from the device, leaving the device in the state it was in before the user signed in. The device is then available for sign-in by another user.

VPN Configuration

A VPN configuration defines the settings for virtual private network access.

VPN settings (Setting - What To Do)

Name - Enter a name that identifies this configuration. Note: Windows Phone 8.1 devices do not support changing the name. Delete the configuration and create a new one if you need to change the name of a VPN profile for Windows Phone 8.1 devices.
Description - Enter a description that clarifies the purpose of this configuration.
Connection Type - Select the type of VPN to configure. The remaining settings depend on this selection.

L2TP

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Select the authentication method to use: Password or RSA SecurID.
Shared Secret - Enter the shared secret passcode if one is necessary for initiating the connection.
Send All Traffic - Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks.
Proxy Setup - Select Manual or Automatic to configure a proxy. If you select Manual, the following additional fields are available: Server and Port (enter the network address and port number for the proxy server*), Authentication (enter a valid user name if one is required for connecting to the proxy*), and Password (enter a valid password if one is required for connecting to the proxy). If you select Automatic, the following additional field is available: Proxy Server URL (enter the fully-qualified URL for the proxy).

PPTP

Note: The PPTP configuration type is not supported on the MobileIron Go Android Client. PPTP and its MS-CHAPv2 authentication are cryptographically broken and Apple dropped PPTP from iOS 10 and macOS Sierra; keep it only for legacy gateways and prefer IKEv2 or one of the SSL VPN types elsewhere.

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Select the authentication method to use: Password or RSA SecurID.
Encryption Level - Select a level of data encryption for the connection: None, Automatic, or Maximum (128-bit).
Send All Traffic - Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

IPsec (Cisco)

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Machine Authentication - Select the authentication method to use: Shared Secret/Group Name or Certificate.
Group Name - Shared Secret/Group Name authentication. Specify the name of the group to use. If Hybrid Authentication is used, the string must end with [hybrid].
Shared Secret - Shared Secret/Group Name authentication. Enter the shared secret passcode.
Use Hybrid Authentication - Shared Secret/Group Name authentication. Select to specify hybrid authentication, that is, the server provides a certificate and the client provides a pre-shared key.
Prompt for Password - Shared Secret/Group Name authentication. Specify whether the user should be prompted for a password when connecting.
Credential - Certificate authentication. Select the identity certificate to use.
Include User PIN - Certificate authentication. Select to prompt the user for a PIN.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Cisco AnyConnect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Group - Enter the group to use to authenticate the connection.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Juniper SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Realm - Enter the authentication realm to be used for authenticating the connection.
Role - Enter the authentication role to be used for authenticating the connection.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

F5 SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

SonicWALL Mobile Connect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Login Group or Domain - Enter the login group or domain to be used for authenticating the connection.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Aruba VIA

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Custom SSL

Identifier - Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Palo Alto Networks GlobalProtect

Note: Not applicable to Windows Phone and Android devices.

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Select the user authentication method to use: Password or Certificate. If you select Certificate, the following field is available: Credential (select the identity certificate to use).
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

IKEv2 (Windows Only)

Server - Enter the host name or IP address of the VPN server.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

IKEv2

Server - Enter the host name or IP address of the VPN server.
Local Identifier - Identifier of the IKEv2 client, in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Remote Identifier - Identifier of the remote peer, in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Machine Authentication - Available only if Enable EAP is not selected. Select one of the following: Certificate, Shared Secret.
EAP Authentication - Available only if Enable EAP is selected. Select one of the following: Certificate, Username/Password.
Shared Secret - Available only if Shared Secret was selected for Machine Authentication. Enter the shared secret for the connection.
Credential - Available only if Certificate was selected for Machine Authentication. Select the certificate to use. This certificate is sent for IKE client authentication; if extended authentication is used, it can also be used for EAP-TLS.
Enable EAP - Select to enable extended authentication.
Account - Available only if Username/Password was selected for EAP Authentication. Enter the account ID for the VPN server.
Password - Available only if Username/Password was selected for EAP Authentication. Enter the password for the VPN server.
Dead Peer Detection Interval - Select one of the following: None (disabled), Low (keepalive sent every 1 hour), Medium (keepalive sent every 30 minutes), High (keepalive sent every 10 minutes).
Server Certificate Issuer Common Name - (Optional) Common name of the issuer of the server certificate. If set, IKE sends the server a certificate request naming this issuer.
Server Certificate Common Name - (Optional) Common name of the server certificate, used to validate the certificate sent by the IKEv2 server.
Use IP4 and IP6 subnets attributes - (Optional) Select to use the IPv4 and IPv6 subnet attributes.
Enable IKEv2 Mobility and Multihoming Protocol (MOBIKE) - (Optional) The default setting is 0. MOBIKE (support for multihomed mobile devices that hold multiple IP addresses while connected to both Wi-Fi and cellular links) is enabled by default. Set to 1 to disable MOBIKE.
Enable Perfect Forward Secrecy (PFS) - (Optional) The default setting is 0. Set to 1 to enable PFS for IKEv2 connections.
Enable IKEv2 redirect - (Optional) The default setting is 0. The IKEv2 connection is redirected if a redirect request is received from the server; this is enabled by default. Set to 1 to disable IKEv2 redirect.
Enable NAT keepalive - Enables the Network Address Translation keepalive that prevents the deletion of NAT entries in the absence of traffic when there is NAT between the IKE peers.
NAT keepalive interval - If NAT keepalive is enabled, the interval in seconds at which the device sends keepalive packets.
Encryption Algorithm - Select one of the following: DES, 3DES, AES-128, AES-256.
Integrity Algorithm - Select one of the following: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512.
Diffie Hellman Group - Select the D-H key exchange group.
Lifetime In Minutes - Enter the SA lifetime (re-key interval) in minutes. Valid values are 10 through
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for L2TP above.

Note on the IKEv2 choices: DES, 3DES and the two SHA1 integrity options are offered for older gateways only. For a new profile choose AES-128 or AES-256 with a SHA2 integrity algorithm, set Enable Perfect Forward Secrecy (PFS) to 1, and prefer Certificate over Shared Secret for Machine Authentication, since a shared secret is the same credential on every device that receives the profile. Note also that the MOBIKE and IKEv2 redirect fields are inverted despite their names: 0 leaves the feature enabled and 1 disables it.

*Type $ to see a list of supported variables, if available, for this field.

See Also: How to create a configuration
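The IKEv2 table above lists the options but not which combinations are safe to ship. The following Python is an added example, not MobileIron's code: it lints a settings dict keyed by the table's own field names (flagging DES and 3DES, the SHA1 integrity options, PFS left at its default of 0, a lifetime below the table's minimum of 10, and shared-secret machine authentication) and then maps the same fields onto an Apple VPN payload with plistlib. The Apple key names (RemoteAddress, DisableMOBIKE, EnablePFS, IKESecurityAssociationParameters and the rest), the hypothetical PayloadIdentifier com.example.vpn.ikev2, the sample gateway vpn.example.com and both sample settings dicts are assumptions for illustration; check the mapping against a profile MobileIron Cloud actually pushes before relying on it.

```python
"""Lint the IKEv2 settings from the VPN Configuration table and export them as
an Apple VPN payload. Added example, not MobileIron's code. Field names are the
table's; the com.apple.vpn.managed key names are an assumption taken from
Apple's configuration-profile reference."""
import plistlib
import uuid

# Option sets exactly as the IKEv2 table lists them.
ENCRYPTION = ("DES", "3DES", "AES-128", "AES-256")
INTEGRITY = ("SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512")
DPD_LEVELS = ("None", "Low", "Medium", "High")
MIN_LIFETIME_MINUTES = 10  # the table gives 10 as the lower bound
# Assumption: what to reject for new deployments.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}


def lint_ikev2(s):
    """Return a list of findings for a settings dict; an empty list means OK."""
    findings = []
    enc, integ = s.get("Encryption Algorithm"), s.get("Integrity Algorithm")
    if enc not in ENCRYPTION:
        findings.append(f"unknown Encryption Algorithm {enc!r}")
    elif enc in WEAK_ENCRYPTION:
        findings.append(f"{enc} is a legacy cipher; choose AES-128 or AES-256")
    if integ not in INTEGRITY:
        findings.append(f"unknown Integrity Algorithm {integ!r}")
    elif integ in WEAK_INTEGRITY:
        findings.append(f"{integ} is a legacy integrity algorithm; choose a SHA2 option")
    # PFS defaults to 0 in the table, so an untouched profile has no PFS.
    if s.get("Enable Perfect Forward Secrecy (PFS)", 0) != 1:
        findings.append("Enable Perfect Forward Secrecy (PFS) is 0; set it to 1")
    if int(s.get("Lifetime In Minutes", 0)) < MIN_LIFETIME_MINUTES:
        findings.append("Lifetime In Minutes is below the table's minimum of 10")
    if s.get("Dead Peer Detection Interval", "None") not in DPD_LEVELS:
        findings.append("unknown Dead Peer Detection Interval")
    if not s.get("Enable EAP") and s.get("Machine Authentication") != "Certificate":
        findings.append("Machine Authentication is not Certificate; a shared secret is one "
                        "credential shared by every device that gets the profile")
    # Assumption: without Server Certificate Common Name the client can only match
    # the gateway certificate against Remote Identifier.
    if not (s.get("Server Certificate Common Name") or s.get("Remote Identifier")):
        findings.append("set Server Certificate Common Name or Remote Identifier to pin the gateway")
    return findings


def build_ikev2_payload(s, cert_uuid=None):
    """Map the table's fields onto an Apple VPN payload dict (assumed key names)."""
    ike = {
        "RemoteAddress": s["Server"],
        "LocalIdentifier": s["Local Identifier"],
        "RemoteIdentifier": s["Remote Identifier"],
        "DeadPeerDetectionRate": s.get("Dead Peer Detection Interval", "None"),
        # The table's "Enable MOBIKE" and "Enable IKEv2 redirect" values are
        # inverted: 0 keeps the feature on, 1 turns it off, hence Disable* keys.
        "DisableMOBIKE": int(s.get("Enable IKEv2 Mobility and Multihoming Protocol (MOBIKE)", 0)),
        "DisableRedirect": int(s.get("Enable IKEv2 redirect", 0)),
        "EnablePFS": int(s.get("Enable Perfect Forward Secrecy (PFS)", 0)),
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": s["Encryption Algorithm"],
            "IntegrityAlgorithm": s["Integrity Algorithm"],
            "DiffieHellmanGroup": int(s["Diffie Hellman Group"]),
            "LifeTimeInMinutes": int(s["Lifetime In Minutes"]),
        },
    }
    if s.get("Server Certificate Common Name"):
        ike["ServerCertificateCommonName"] = s["Server Certificate Common Name"]
    uses_cert = (s.get("EAP Authentication") == "Certificate" if s.get("Enable EAP")
                 else s["Machine Authentication"] == "Certificate")
    if s.get("Enable EAP"):
        ike["ExtendedAuthEnabled"] = 1
        if not uses_cert:  # Username/Password EAP
            ike["AuthName"], ike["AuthPassword"] = s["Account"], s["Password"]
    if uses_cert:
        if cert_uuid is None:
            raise ValueError("certificate authentication needs the identity certificate's PayloadUUID")
        ike["AuthenticationMethod"] = "Certificate"
        ike["PayloadCertificateUUID"] = cert_uuid
    elif not s.get("Enable EAP"):
        ike["AuthenticationMethod"] = "SharedSecret"
        ike["SharedSecret"] = s["Shared Secret"]
    return {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": s["Name"], "VPNType": "IKEv2", "IKEv2": ike,
    }


def to_plist(payload):
    """Serialize as XML plist bytes, the form a .mobileconfig carries."""
    return plistlib.dumps(payload)


# Constructed sample settings: a default-heavy profile and a hardened one.
WEAK_EXAMPLE = {
    "Name": "corp-vpn-legacy", "Server": "vpn.example.com",
    "Local Identifier": "device@example.com", "Remote Identifier": "vpn.example.com",
    "Machine Authentication": "Shared Secret", "Shared Secret": "hunter2",
    "Encryption Algorithm": "3DES", "Integrity Algorithm": "SHA1-96",
    "Diffie Hellman Group": 2, "Lifetime In Minutes": 5,
}
HARDENED_EXAMPLE = {
    "Name": "corp-vpn", "Server": "vpn.example.com",
    "Local Identifier": "device@example.com", "Remote Identifier": "vpn.example.com",
    "Machine Authentication": "Certificate", "Server Certificate Common Name": "vpn.example.com",
    "Dead Peer Detection Interval": "Medium", "Enable Perfect Forward Secrecy (PFS)": 1,
    "Encryption Algorithm": "AES-256", "Integrity Algorithm": "SHA2-256",
    "Diffie Hellman Group": 14, "Lifetime In Minutes": 60,
}

if __name__ == "__main__":
    for label, settings in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        print(label, lint_ikev2(settings) or "OK")
    print(to_plist(build_ikev2_payload(HARDENED_EXAMPLE, cert_uuid="CERT-PAYLOAD-UUID")).decode())
```

Running the script lints both sample dicts and prints the plist for the hardened one; wire lint_ikev2 into whatever review step gates a configuration before it is distributed, since the UI accepts every combination in the table.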

VPN On Demand Configuration

Applicable to: iOS devices

A VPN On Demand configuration sets up access to a VPN server based on domains, host names, and similar match criteria.

VPN On Demand settings (Setting - What To Do)

Name - Enter a name that identifies this configuration.
Description - Enter a description that clarifies the purpose of this configuration.
Connection Type - Select the type of VPN to configure. The remaining settings depend on this selection.
Enable VPN On Demand - Select to use this configuration for domains and host names that establish a VPN on demand. For iOS and macOS, you can set up:
  Network rules, which allow, connect, disconnect, or ignore the VPN for the networks whose match criteria evaluate as true.
  Connection rules, which connect when needed, or never connect, for the domains whose match criteria evaluate as true.
Enable iOS Rules (applicable if Enable VPN On Demand is selected) - For network rules, you can specify the following types of parameters: DNS Domain Match, DNS Server Address Match, SSID Match, URL String Probe, Interface Type Match. For connection rules, you can specify the following types of parameters: DNS Domain Match, DNS Server Address Match, SSID Match, URL String Probe, Interface Type Match.
Domain Name, DNS Server, URL Probe - The match values for a connection rule.
Provider Type (iOS 9+) - Select one of the following tunnel providers: app-proxy (tunnels traffic at the app layer) or packet-tunnel (tunnels traffic at the IP layer).

Rules are evaluated in the order listed and the first rule whose criteria all match decides, so list the most specific rule first. An SSID alone does not prove a trusted network, because any access point can advertise it; pair SSID Match with DNS Server Address Match or a URL String Probe before a rule disconnects the VPN.

IPsec (Cisco)

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Machine Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Include User PIN - Select to prompt the user for a PIN.
Proxy Setup - Select Manual or Automatic to configure a proxy. If you select Manual, the following additional fields are available: Server and Port (enter the network address and port number for the proxy server*), Authentication (enter a valid user name if one is required for connecting to the proxy*), and Password (enter a valid password if one is required for connecting to the proxy). If you select Automatic, the following additional field is available: Proxy Server URL (enter the fully-qualified URL for the proxy).
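The Enable VPN On Demand and Enable iOS Rules settings (here and in the Per-app VPN Configuration section above) list the rule parameters but not how the rules interact once several are defined. The following Python is an added example, not MobileIron's code: it builds network rules and a connection rule from those parameters, then dry-runs them against three constructed network states to show that the first matching rule wins and that a Disconnect rule keyed on SSID alone is satisfied by a rogue access point, while one that also requires the corporate DNS server and a reachable probe URL is not. The Apple key spellings (DNSDomainMatch, SSIDMatch, EvaluateConnection, ActionParameters and the rest) are my assumption from Apple's profile reference, the evaluator is a simplified model of iOS behaviour rather than iOS itself, and the SSID CorpWiFi, the probe URL and all addresses are constructed.

```python
"""Build VPN On Demand rules from the Enable iOS Rules parameters and dry-run
them. Added example, not MobileIron's code; Apple key names are assumed and the
matching below is a simplified model of first-match rule walking."""
import fnmatch


def network_rule(action, dns_domains=None, dns_servers=None, ssids=None,
                 url_probe=None, interface=None):
    """One network rule; every criterion given must hold for the rule to match."""
    rule = {"Action": action}  # Allow, Connect, Disconnect or Ignore
    if dns_domains:
        rule["DNSDomainMatch"] = list(dns_domains)
    if dns_servers:
        rule["DNSServerAddressMatch"] = list(dns_servers)
    if ssids:
        rule["SSIDMatch"] = list(ssids)
    if url_probe:
        rule["URLStringProbe"] = url_probe
    if interface:
        rule["InterfaceTypeMatch"] = interface  # WiFi, Cellular or Ethernet
    return rule


def connection_rule(domain_actions):
    """One connection rule from (domains, ConnectIfNeeded|NeverConnect, dns_servers, url_probe) tuples."""
    params = []
    for domains, action, dns_servers, url_probe in domain_actions:
        p = {"Domains": list(domains), "DomainAction": action}
        if dns_servers:
            p["RequiredDNSServers"] = list(dns_servers)
        if url_probe:
            p["RequiredURLStringProbe"] = url_probe
        params.append(p)
    return {"Action": "EvaluateConnection", "ActionParameters": params}


def _any_match(values, patterns):
    return any(fnmatch.fnmatch(v, pat) for v in values for pat in patterns)


def rule_matches(rule, state):
    """state keys: interface, ssid, dns_servers, search_domains, reachable (probe URLs that answer)."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state["interface"]:
        return False
    if "SSIDMatch" in rule and state.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule and not _any_match(state["search_domains"], rule["DNSDomainMatch"]):
        return False
    if "DNSServerAddressMatch" in rule and not _any_match(state["dns_servers"], rule["DNSServerAddressMatch"]):
        return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in state["reachable"]:
        return False
    return True


def evaluate(rules, state):
    """The first rule whose criteria all match decides; returns (Action, index) or (None, None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, state):
            return rule["Action"], i
    return None, None


def decide_for_host(rule, host, state):
    """Apply an EvaluateConnection rule's ActionParameters to one destination host."""
    for p in rule["ActionParameters"]:
        if not _any_match([host], p["Domains"]):
            continue
        if p["DomainAction"] == "NeverConnect":
            return "NeverConnect"
        # ConnectIfNeeded, modelled as: bring the VPN up when the required DNS
        # servers are not the ones in use or the required probe URL does not answer.
        needs_vpn = ("RequiredDNSServers" in p and not set(p["RequiredDNSServers"]) & set(state["dns_servers"])) or (
            "RequiredURLStringProbe" in p and p["RequiredURLStringProbe"] not in state["reachable"])
        return "Connect" if needs_vpn else "NoVPN"
    return "NoMatch"


def to_payload(rules):
    """The keys that carry the rules inside an Apple VPN payload (assumed)."""
    return {"OnDemandEnabled": 1, "OnDemandRules": list(rules)}


# Constructed rules: only a network that proves itself (SSID and corporate DNS
# and a reachable probe) tears the VPN down; cellular always connects; otherwise
# decide per destination, and never tunnel the public example.com domain.
PROBE = "https://probe.corp.example/ok"
RULES = [
    network_rule("Disconnect", ssids=["CorpWiFi"], dns_servers=["10.0.0.*"], url_probe=PROBE),
    network_rule("Connect", interface="Cellular"),
    connection_rule([(["*.corp.example"], "ConnectIfNeeded", ["10.0.0.53"], None),
                     (["*.example.com"], "NeverConnect", None, None)]),
]
# The weak variant trusts the SSID alone, which any rogue access point can advertise.
SSID_ONLY_RULES = [network_rule("Disconnect", ssids=["CorpWiFi"]), network_rule("Connect")]

# Constructed network states.
OFFICE = {"interface": "WiFi", "ssid": "CorpWiFi", "dns_servers": ["10.0.0.53"],
          "search_domains": ["corp.example"], "reachable": {PROBE}}
ROGUE = {"interface": "WiFi", "ssid": "CorpWiFi", "dns_servers": ["192.168.1.1"],
         "search_domains": [], "reachable": set()}
CELLULAR = {"interface": "Cellular", "ssid": None, "dns_servers": ["203.0.113.9"],
            "search_domains": [], "reachable": set()}

if __name__ == "__main__":
    for label, state in (("office", OFFICE), ("rogue", ROGUE), ("cellular", CELLULAR)):
        print(label, evaluate(RULES, state), "ssid-only:", evaluate(SSID_ONLY_RULES, state))
```

Run directly, the script prints the decision for each state under both rule sets; the ssid-only column is the one a rogue access point steers, because the rule that disconnects the VPN asks the network for nothing it cannot fake.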

Cisco AnyConnect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Group - Enter the group to use to authenticate the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Juniper SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Realm - Enter the authentication realm to be used for authenticating the connection.
Role - Enter the authentication role to be used for authenticating the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

F5 SSL

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

SonicWALL Mobile Connect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Login Group or Domain - Enter the login group or domain to be used for authenticating the connection.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Aruba VIA

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Custom SSL

Identifier - Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.*
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Only Certificate authentication is supported.
Credential - Select the identity certificate to use.
Proxy Setup - Select Manual or Automatic to configure a proxy; the Manual and Automatic fields are the same as for IPsec (Cisco) above.

Palo Alto Networks GlobalProtect

Server - Enter the IP address or host name for the VPN server.
Account - Enter the user account to be used for authenticating the connection.
Custom Data - Enter the key-value pairs that define the custom data for this VPN.
User Authentication - Certificate is the user authentication method. Select an identity certificate to use in the Credential field.
Proxy Setup - Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:

257 MobileIron Cloud Administrator Guide R45 Server and Port: Enter the network address and port number for the proxy server.* Authentication: Enter a valid user name if one is required for connecting to the proxy.* Password: Enter a valid password if one is required for connecting to the proxy. If you select Automatic, then the following additional fields are available: Proxy Server URL: Enter the fully-qualified URL for the proxy. Note: Type $ to see a list of supported variables, if available, for this field. See Also How to create a configuration Wi-Fi Configurations A Wi-Fi configuration sets up access to a wireless network. Wi-Fi settings Setting Name Description Service Set Identifier (SSID) Auto Join Hidden Network What To Do Enter a name that identifies this configuration. Enter a description that clarifies the purpose of this configuration. Enter the name of the wireless network these settings apply to. This field is case sensitive. Select if devices should automatically join the corresponding Wi-Fi network. If this option is not selected, device users must tap the network name on the device to join the network. Select this option if the network 237

258 Wi-Fi Disable Captive Network Detection (ios 10+) Disable Captive Network Detection (ios 10+) Proxy Setup access is not broadcast. Administrators can enable or disable Wi-Fi Captive bypass mode. When Apple detects the presence of a captive portal, it opens a login screen to request access. You can disable the detection of captive portals, requiring the user to manually launch a web browser which triggers the portal login of the captive network. This new setting is useful when an ISE captive portal prevents the login screen from popping up, leading users to believe that their unconnected devices are actually connected to the Internet. Administrators can enable or disable Wi-Fi Captive bypass mode. When Apple detects the presence of a captive portal, it opens a login screen to request access. You can disable the detection of captive portals, requiring the user to manually launch a web browser which triggers the portal login of the captive network. This new setting is useful when an ISE captive portal prevents the login screen from popping up, leading users to believe that their unconnected devices are actually connected to the Internet. Select Manual or Automatic to configure a proxy. For Windows Phone 8.1, Automatic does not apply. If you select Manual, then the following additional fields are available: Server and Port: Enter the network address and port number for the proxy server.* Authentication: Enter a valid user name if one is required for connecting to the proxy.* Password: Enter a valid password if one is required for connecting to the proxy. If you select Automatic, then the 238

259 MobileIron Cloud Administrator Guide R45 Security Type following additional fields are available: Proxy Server URL: Enter the fully-qualified URL for the proxy. Select the security method required for accessing the network: WEP WPA/WPA2 Any (Personal) WEP Enterprise WPA/WPA2 Enterprise Any (Enterprise) For Windows Phone 8.1: only WPA2 and WPA2 Enterprise apply. WEP, WPA/WPA2, Any (Personal) settings Setting Password What To Do (Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network. WEP Enterprise, WPA/WPA2 Enterprise, Any (Enterprise) settings Setting Protocols Accepted EAP Types EAP-FAST What To Do Select the EAP types that can be used for accessing this network: Select the EAP-FAST option that define authentication methods: Use PAC:Select to use a proxy auto-config (PAC).. Provision PAC: Select to allow a PAC to be provisioned. Otherwise, only a PAC already provisioned on the device can be used. This option is available only if you selected Use PAC. Provision PAC Anonymously: 239

260 Wi-Fi Authentication Username Use Per-Connection Password Password Identity Certificate Outer Identity Select to allow a PAC to be provisioned without authenticating the server. This option is available only if you selected Provision PAC. For Windows Phone 8.1, select only one authentication method. Specify the username required for network access. If you leave this blank, the device user will be prompted for it.* Select to prompt the device user for a password for each connection. When the device rejoins the same network, the device user will be prompted to reauthenticate to join the network. (Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network. (Optional) Select the certificate to use for the identity credential. The Identity Certificate configuration defines each available identity certificate. (Optional) For TTLS, PEAP, and EAP- FAST, select to allow device users to hide their identity. The user's actual name appears only inside the encrypted tunnel. This option can increase security because an attacker can't see the authenticating user's name in the clear. ios Setting All Versions Network Type What To Do Select if this network should be treated as: standard 240

261 MobileIron Cloud Administrator Guide R45 Proxy PAC fallback allowed Passpoint Settings Domain Name Connect to roaming partner Passpoint networks Roaming Consortium Organization Identifiers Network Access Identifier Realm Names MCC and MNC pair legacy hotspot Passpoint (Optional) Allows the device to connect directly to the destination if the PAC file is unreachable. The settings in this section appear if you selected Passpoint for the Network Type. Enter the domain name to be used for Passpoint negotiation. (Optional) Select to allow connections to roaming service providers. (Optional) Enter the identifiers assigned by IEEE to the entities supported by this Wi-Fi profile. (Optional) Enter the Network Access Identifier Realm names to be used for Passpoint negotiation. (Optional) Enter the Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs to be used for Passpoint negotiation. Each string must contain exactly six digits. Displayed (Optional) Enter the network operator operator name name to display. Cisco QoS fast lane Restrict QoS marking The settings in this section apply to Cisco fast lane configuration. Settings include whitelisting apps for L2 and L3 marking, and whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling. If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps 241

262 Wi-Fi Enable QoS marking that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings. Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network. Specifies whether to whitelist the Whitelist Apple audio and video traffic of built-in audio/video audio/video services such as calling FaceTime and Wi-Fi Calling. Use to add the apps that you would like included for L2 and L3 marking. All Choose Apps apps not selected will not use L2 and L3 marking. ios 10+ Cisco QoS fast lane Restrict QoS marking Enable QoS marking The settings in this section apply to Cisco fast lane configuration. Settings include whitelisting apps for L2 and L3 marking, and whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling. If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings. Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network. Specifies whether to whitelist the Whitelist Apple audio and video traffic of built-in audio/video audio/video services such as calling FaceTime and Wi-Fi Calling. Use to add the apps that you would like included for L2 and L3 marking. All Choose Apps apps not selected will not use L2 and L3 marking. 242

iOS Supervised
Enable Wi-Fi whitelisting: Determines which Wi-Fi networks the device is allowed to connect to. If multiple Wi-Fi configurations exist, the most restrictive is applied.

*Type $ to see a list of supported variables, if available, for this field.

See Also: How to create a configuration

Cellular Network Configurations

APN Configuration
Policies > Configurations

An APN configuration sets up the cellular Access Point Name for the device. For iOS 7.0 or later, use the Cellular configuration instead.

APN settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Access Point Name: Enter the name for the corresponding access point. The name is generally defined by the operator providing service.
Access Point User Name: Enter a user name authorized for this access point.*
Access Point Password: Enter the password corresponding to the user name entered.
Proxy Server and Port: Enter the IP address or URL and the port number of the APN proxy.

*Type $ to see a list of supported variables, if available, for this field.

See Also: How to create a configuration; Cellular
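Returning to the enterprise Wi-Fi settings above: Accepted EAP Types, the EAP-FAST PAC options, Username and Password, Identity Certificate and Outer Identity all correspond to keys in Apple's Wi-Fi configuration payload, which is what an iOS device finally receives. The following Python is an added example and not MobileIron's code: it builds such a payload with the standard library's plistlib and lints it for the choices the table warns about. Key names follow Apple's Configuration Profile Reference; the SSIDs, RADIUS host name, UUIDs and credentials are constructed placeholders, and the lint rules are this editor's, not checks that the MobileIron console performs.

```python
"""Added example (not MobileIron code): build the iOS Wi-Fi payload that the
enterprise settings above correspond to, and lint it for weak choices.  Key
names follow Apple's Configuration Profile Reference; every SSID, host name,
UUID and credential below is a constructed placeholder, and the lint rules
are the editor's, not checks the MobileIron UI performs."""
import plistlib
import uuid

# AcceptEAPTypes uses the IANA EAP method numbers.
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43
TUNNELED = {EAP_TTLS, EAP_PEAP, EAP_FAST}   # methods that can hide the real identity


def wifi_payload(ssid, eap_types, *, outer_identity=None, trusted_servers=(),
                 anchor_uuid=None, identity_cert_uuid=None, username=None,
                 password=None, per_connection_password=False,
                 provision_pac_anonymously=False, encryption="WPA2",
                 hidden=False, captive_bypass=False):
    """Return a com.apple.wifi.managed payload for a WPA/WPA2 Enterprise network."""
    eap = {"AcceptEAPTypes": list(eap_types)}          # "Accepted EAP Types"
    if username:
        eap["UserName"] = username                     # "Username"
    if password:
        eap["UserPassword"] = password                 # "Password": stored in the profile
    if per_connection_password:
        eap["OneTimeUserPassword"] = True              # "Use Per-Connection Password"
    if outer_identity:
        eap["OuterIdentity"] = outer_identity          # "Outer Identity": real name only in the tunnel
    if trusted_servers:
        eap["TLSTrustedServerNames"] = list(trusted_servers)
    if anchor_uuid:
        eap["PayloadCertificateAnchorUUID"] = [anchor_uuid]
    if EAP_FAST in eap_types:
        eap["EAPFASTUsePAC"] = True                    # "Use PAC" (Protected Access Credential)
        eap["EAPFASTProvisionPAC"] = True              # "Provision PAC"
        eap["EAPFASTProvisionPACAnonymously"] = provision_pac_anonymously
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + ssid.lower(),
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid,                              # case sensitive, as the table says
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": encryption,
        "CaptiveBypass": captive_bypass,               # "Disable Captive Network Detection"
        "EAPClientConfiguration": eap,
    }
    if identity_cert_uuid:
        payload["PayloadCertificateUUID"] = identity_cert_uuid   # "Identity Certificate"
    return payload


def lint(payload):
    """Return a list of weak choices found in a Wi-Fi payload (editor's rules)."""
    eap = payload.get("EAPClientConfiguration", {})
    types = set(eap.get("AcceptEAPTypes", []))
    findings = []
    if payload.get("EncryptionType") == "WEP":
        findings.append("WEP provides no real confidentiality")
    if types & TUNNELED and not eap.get("OuterIdentity"):
        findings.append("no Outer Identity: the username crosses the air in the clear before the tunnel is up")
    if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no trusted server names or anchor certificate: a rogue AP can impersonate the RADIUS server")
    if eap.get("EAPFASTProvisionPACAnonymously"):
        findings.append("anonymous PAC provisioning: the server is not authenticated while the PAC is issued")
    if "UserPassword" in eap:
        findings.append("network password embedded in the profile")
    return findings


def to_mobileconfig(*payloads):
    """Wrap payloads in a top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corporate Wi-Fi (example)",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def payloads_in(mobileconfig):
    """Parse a profile produced by to_mobileconfig and return its payload list."""
    return plistlib.loads(mobileconfig)["PayloadContent"]


if __name__ == "__main__":
    weak = wifi_payload("Guest-8021X", [EAP_PEAP], username="alice", password="hunter2")
    hardened = wifi_payload("Corp", [EAP_TLS, EAP_PEAP], outer_identity="anonymous",
                            trusted_servers=["radius.example.com"],
                            anchor_uuid="11111111-2222-3333-4444-555555555555",
                            identity_cert_uuid="66666666-7777-8888-9999-000000000000")
    for name, p in (("weak", weak), ("hardened", hardened)):
        print(name + ":", lint(p) or "no findings")
    print(to_mobileconfig(hardened).decode()[:160])
```

Two of the findings matter beyond what the table says. Without trusted server names or an anchor certificate the device accepts any RADIUS server certificate, so an access point advertising the same SSID can terminate the tunnel itself and capture the inner authentication exchange. And a password typed into the Password field is carried in the profile as plain text, readable by anyone who can export the profile from the device or the console.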

Cellular Configurations

Applicable to: iOS 7.0+

A cellular configuration sets up the cellular profile for a device. Configure the cellular network settings on devices running iOS 7.0 or later. Some companies have contracts with their cellular operators that grant them access to a unique Access Point Name (APN) for remote network access or for special billing plans. Consult your cellular operator for configuration parameters.

Note: No more than one cellular profile can be installed at any time. A cellular profile cannot be installed if an APN profile is already installed.

You can configure cellular settings for the following APN types from the Configured APN Types dropdown box:
  Default & Data APNs
  Default APNs
  Data APNs

For all the configurations, enter a name that identifies the configuration and an optional description.

Cellular settings for Default APN
Default APN Settings: What To Do
APN Name: Enter the name for the corresponding access point. The name is generally defined by the operator providing service.
APN Authentication Type: (Optional) Select one of the following: CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol). PAP sends the password unprotected to the operator's network; prefer CHAP where the operator supports it.
User Name: (Optional) Enter a user name to be used for authentication.
Password: (Optional) Enter a password to be used for authentication.

Cellular settings for Data APNs
Data APN Settings: What To Do
APN Name: Enter the name for the corresponding access point. The name is generally defined by the operator providing service.
APN Authentication Type: (Optional) Select one of the following: CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol).
User Name: (Optional) Enter a user name to be used for authentication.
Password: (Optional) Enter a password to be used for authentication.
Proxy Server: Specify the proxy server.
Proxy Server Port: Specify the proxy server port.
Allowed Protocol Mask: Select IPv4, IPv6, or Both.
Allowed Protocol Mask in Domestic Roaming: Select IPv4, IPv6, or Both.
Allowed Protocol Mask in Roaming: Select IPv4, IPv6, or Both.

Controlling cellular access while roaming

You can limit the access of some or all managed apps to cellular data while the device is in a roaming state.
1. Go to the Policies tab in the MobileIron Cloud main navigation menu.
2. Click +Add.
3. Click Network Usage Configuration. The Create Network Usage configuration page is displayed.
4. Select the Disallow for all managed apps checkbox to block managed apps from accessing cellular data when roaming or at all times.
5. Leave the checkbox unselected to specify, by name or package ID, the managed apps to block from receiving cellular data.
6. Use the pulldown menus in the Apps field to search for an app by name or by package ID.

Controlling cellular access

You can limit the access of some or all managed apps to cellular data at any time. The apps can still be used on a limited basis, but they will not have access to cellular data.
1. Go to the Policies tab in the MobileIron Cloud main navigation menu.
2. Click +Add.
3. Click Network Usage Configuration. The Create Network Usage configuration page is displayed.
4. Select the Disallow for all managed apps checkbox to block managed apps from accessing cellular data at any time.
5. Optionally, leave the checkbox unselected to specify the managed apps to block from receiving cellular data.
6. Use the pulldown menus in the Apps field to search for an app by name or by package ID.

See Also: How to create a configuration

iOS Telecom Presets Configuration
Policies > Configurations

An iOS Telecom Presets configuration sets default values for roaming restrictions and hotspot restrictions.

iOS Telecom Presets settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allow devices to use voice service while roaming: Select to enable voice roaming. Availability of voice roaming depends on the operator.

Allow devices to use data service while roaming: Select to enable data roaming. Note that enabling data roaming also enables voice roaming on the device.
Allow users to enable personal hotspot: Select to enable the personal hotspot feature. Availability of this feature depends on the operator.

See Also: How to create a configuration

Other Configurations

Apple TV Configuration
Configurations
License: Silver

An Apple TV configuration defines the language and locale for Apple TV.

Apple TV settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Language: Enter the two-character language code to specify the UI language.
Locale: Enter the locale ID to specify the country/language combination for the UI.

See Also: How to create a configuration

Lock Screen Message Configuration
Configurations

Displays a message and asset tag information on the login and lock screens. This is for supervised devices running iOS 9.3 through the most recently released version supported by MobileIron.

To create a Lock Screen Message configuration
1. Select Policies > Configurations.
2. Click + Add.
3. Type lock in the search field, and then click the Lock Screen Message configuration. The Lock Screen Message Configuration details page appears.
4. Configure the settings on this page. Refer to the Lock Screen Message Configuration settings table below for guidance on the values.
5. Click Next to configure the distribution settings, and then click Done.

Lock Screen Message Configuration settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Lock Screen Footnote: This text appears on the login window and lock screen.
Asset Tag Information: This text appears at the bottom of the login window and lock screen.

See Also: How to create a configuration

Default Device Name Configuration
Configurations
License: Silver

A default device name configuration enables you to define default device names for supervised iOS 8 devices. You can use the following variables to construct the device name:
  Device Serial Number
  Device IMEI
  Device Model
  MobileIron Cloud Username (local users only)
  LDAP Organizational Unit (OU)
  LDAP Common Name (CN)
For example, enter ${devicesn}-${userou} for device names that begin with the device serial number and end with the user's organizational unit as defined in LDAP.

Default device name settings

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Device Name: Enter the format for the default device name, including available device and LDAP attributes.* Note: If the resulting device name exceeds 63 characters, it is shortened to make sure it displays correctly on the device.

*Type $ to see a list of supported variables, if available, for this field.

See Also: How to create a configuration

iOS Wallpaper Configuration
Configurations
License: Silver

An iOS wallpaper configuration defines a default wallpaper image for the Home screen and Lock screen of iOS devices. Device users are free to change the distributed wallpaper on the device (Settings > Wallpapers & Brightness). Removing the configuration does not remove the wallpaper.

Note: Images must be 1164 (H) x 640 (W) pixels and in .jpg or .png format.

iOS wallpaper settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Upload iPhone Wallpaper
  Use the same image for Home Screen and Lock Screen: Select to upload a single image for iPhone.
  Home Screen: Drag and drop the image file or click Choose File to select it.
  Lock Screen: Drag and drop the image file or click Choose File to select it.
Upload iPad Wallpaper
  Use the same image for Home Screen and Lock Screen: Select to upload a single image for iPad.
  Home Screen: Drag and drop the image file or click Choose File to select it.
  Lock Screen: Drag and drop the image file or click Choose File to select it.

See Also: How to create a configuration

Single App Mode Configuration
Configurations
License: Silver

Single app mode restricts iOS devices to the use of the specified app. For example, you might want to set up devices that can use only a custom app your organization has developed. Note: The underlying Apple app lock payload takes effect only on supervised devices.

Single app mode configuration
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Choose App: Select the method to use for selecting the app:
  From App Catalog & System Apps: Select to search the MobileIron Cloud app catalog and system apps (pre-installed on Apple devices by default). Enter the name of the app and select it when it displays in the apps list.
  Enter Bundle ID: Select to enter the unique identifier for the system app you want to select. Use this option if you cannot find the system app using the From App Catalog & System Apps option.
Disable Touch: Select to disable the touch screen.
Disable device rotation: Select to disable device rotation sensing.
Disable volume buttons: Select to disable the device's volume buttons.
Disable ringer switch: Select to disable the device's ringer switch.
Disable sleep wake button: Select to disable the device's Sleep/Wake button (top right of the device rim).
Disable auto lock: Select to prevent the device from going to sleep after an idle period.
Enable voice over: Select to enable the VoiceOver screen reader (accessibility feature).
Enable zoom: Select to enable Zoom (accessibility feature).
Enable invert colors: Select to enable the Invert Colors adjustment (accessibility feature).
Enable assistive touch: Select to enable AssistiveTouch (accessibility feature).
Enable speak selection: Select to enable Speak Selection (accessibility feature).
Enable mono audio: Select to switch from stereo to mono audio (accessibility feature).
Voice over adjustments: Select to allow device users to make VoiceOver adjustments.
Zoom adjustments: Select to allow device users to make Zoom adjustments.
Invert colors adjustments: Select to allow device users to invert colors.
Assistive touch adjustments: Select to allow users to make AssistiveTouch adjustments.

See Also: How to create a configuration

Policies

Policies define requirements for devices, as well as what will happen if a device does not comply with requirements. Each policy consists of a rule and a compliance action (what happens if the rule is violated). Use the Policies page to select, set up, and distribute policies.

Available policy types are:

Type: What It Does

Compromised Devices: Flags devices that have been jailbroken (iOS) or rooted (Android).
  To view the reason why the system flagged an Android device as compromised due to rooting:
  1. Click the Policies tab.
  2. Click the Compromised Devices link.
  3. Click the Active Violations tab.
  4. Check the violation reason in the Violation column. It will be one of the following reasons (priority 1 = highest):
    1  Plugin compromised
    2  Client tampered
    3  Unknown device manufacturer: unknown
    4  Suspicious folder detected: <path>
    5  Suspicious binary found at: <path>
    6  Folder /data is browsable OR Folder /data/data is browsable
    7  Found /system/app/superuser.apk
    8  Package manager compromised
    9  Suspicious app found: <package>

Data Protection/Encryption Disabled (macOS): Flags macOS devices that do not have a passcode or encryption enabled.

International Roaming: Flags devices that might be incurring international roaming charges. Status is refreshed when the device checks in. For iOS, the service uses the roaming flag as set and reported by iOS. The compliance action is triggered by the first violation only.

MDM/Device Administration Disabled: Flags devices that have MDM (iOS) or Device Administration (Android) disabled, which severely limits management of these devices.

Out of Contact: Flags devices that have not checked in with the MobileIron Cloud service for the defined number of days.

Allowed Apps: Flags devices that violate rules about which apps are allowed or required.

Custom Policy: Creates a custom policy based on conditions and related actions you specify.
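The Violation column records only the first matching indicator in the priority order above, so a single reason does not mean a single indicator. The following Python is an added example and not MobileIron's client code: it applies that priority order to a constructed device report, and also lists every indicator present, which is what an incident responder wants when a device shows up with one reason. The report fields, the file paths and the package names are assumptions made for the example.

```python
"""Added example (not MobileIron code): apply the Compromised Devices priority
table above to a device report.  The report layout, the paths and the package
names are assumptions about what a management client could collect; they are
not MobileIron's actual checks, and the sample reports below are constructed."""

# Indicators a client might look for on Android (assumed, illustrative lists).
SUSPICIOUS_DIRS = ("/sbin/.magisk", "/data/adb/modules")
SUSPICIOUS_BINARIES = ("/system/bin/su", "/system/xbin/su", "/sbin/su")
SUPERUSER_APK = "/system/app/superuser.apk"
SUSPICIOUS_PACKAGES = ("eu.chainfire.supersu", "com.topjohnwu.magisk",
                       "com.koushikdutta.superuser")


def root_indicators(report):
    """Yield (priority, reason) for every indicator present, in table order (1 = highest)."""
    files = {f.lower() for f in report.get("files", ())}        # paths that exist on the device
    browsable = set(report.get("browsable", ()))                 # dirs listable without root
    packages = set(report.get("packages", ()))
    if report.get("plugin_compromised"):
        yield 1, "Plugin compromised"
    if report.get("client_tampered"):
        yield 2, "Client tampered"
    if report.get("manufacturer", "").lower() == "unknown":
        yield 3, "Unknown device manufacturer: unknown"
    for d in SUSPICIOUS_DIRS:
        if d in files:
            yield 4, f"Suspicious folder detected: {d}"
            break
    for b in SUSPICIOUS_BINARIES:
        if b in files:
            yield 5, f"Suspicious binary found at: {b}"
            break
    for d in ("/data", "/data/data"):
        if d in browsable:
            yield 6, f"Folder {d} is browsable"
            break
    if SUPERUSER_APK in files:
        yield 7, "Found /system/app/superuser.apk"
    if report.get("pm_integrity_ok") is False:
        yield 8, "Package manager compromised"
    for p in SUSPICIOUS_PACKAGES:
        if p in packages:
            yield 9, f"Suspicious app found: {p}"
            break


def compromised_reason(report):
    """The one reason the Active Violations tab would show: the highest-priority hit, or None."""
    return next(root_indicators(report), None)


def all_reasons(report):
    """Every indicator present.  The recorded reason is only the first match, so a
    phone reported as 'Suspicious binary' may also have a browsable /data
    directory and a root-manager app installed; check for all of them."""
    return list(root_indicators(report))


# Constructed sample reports.
CLEAN = {"manufacturer": "samsung", "files": ["/system/bin/sh"],
         "browsable": [], "packages": ["com.android.chrome"], "pm_integrity_ok": True}
ROOTED = {"manufacturer": "samsung",
          "files": ["/system/xbin/su", "/system/app/Superuser.apk"],
          "browsable": ["/data"], "packages": ["eu.chainfire.supersu"],
          "pm_integrity_ok": True}

if __name__ == "__main__":
    for name, r in (("clean", CLEAN), ("rooted", ROOTED)):
        print(name, "->", compromised_reason(r), "| all:", all_reasons(r))
```

The ordering is the point: integrity failures of the client and its plugin (priorities 1 and 2) are reported ahead of every file-system indicator, because a tampered client cannot be trusted to report the rest accurately.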

Available compliance actions are:

Compliance Action: What It Does
Monitor: Flags the device in the MobileIron Cloud Devices page.
Block via Sentry: Prevents the device from accessing email. Flags the device in the MobileIron Cloud Devices page.
Send message to user: Sends an email to the device owner. Sends a push notification to the device.
Quarantine: Removes most configurations from the device. Exceptions: passcode configurations, Wi-Fi configurations for Wi-Fi-only devices, Restriction configurations (iOS). Removes all apps installed by MobileIron Cloud. Removes all content distributed by MobileIron Cloud, including iBook and ePub files. Blocks access to MobileIron Cloud catalogs. Suspends prompts for installing additional apps. Blocks access to AppConnect-enabled apps (quarantine applies to AppConnect-enabled apps as well).

To add a policy
1. Go to Policies.
2. Click +Add (upper right).
3. Select a policy type.
4. Complete the settings.
5. Select the device groups you want to receive this policy.
6. Click Done.

To change a policy
1. Go to Policies.
2. Select the policy.
3. Click Edit (upper right).

To delete a policy
1. Go to Policies.
2. Select the policy.
3. Click Actions (upper right).
4. Select Delete.

Can't see the Policies page?
Maybe you don't have permission. You need one of the following roles:
  Device Management
  Device Read Only

See Also: Displaying and Hiding Columns; Prioritize Policies

Custom policy
Policies
License: Platinum

Eligible Devices: Android, iOS, macOS, Windows.

Description: Allows you to create a custom policy based on conditions and related actions you specify.

To add a custom policy
1. Go to Policies.
2. Click + Add.
3. Select Custom Policy.
4. Provide a name for the custom policy.
5. Click + Add Description to add a description if desired.
6. Use the Rule Builder to define conditions that trigger actions when the conditions evaluate as true. See Understanding the conditions settings, below, for guidance on creating the conditions.
7. Click the Monitor check box if desired. A best practice is to give a new policy only the Monitor compliance action for an evaluation period. The policy can then be checked over a few days to be sure it is not matching devices in an unintended way. When a policy has only the Monitor action you see how many devices match it, but no action that affects the user or device is taken. This is especially useful for Custom Policy types, where an operator set by mistake can mark every device as violating the policy.
8. Select the compliance actions to take when the specified conditions evaluate as true. Actions are what the policy does to bring a violating device back into compliance. You can add actions now, or after you have evaluated any violations. Adding the action Wait between other actions gives device users time to fix their device and get it back into compliance before further actions are taken. For example, you might send a warning message and wait 24 hours before applying a quarantine action.
  Do Nothing
  Send Email: Sends an email to the user regarding their device.
  Send Push Notification: Sends a push notification to the user regarding their device.
  Send Email and Push Notification: Sends an email and a push notification to the user regarding their device.
  Wait: Gives users time to fix their device before further action against the device occurs.
  Quarantine: Removes access to apps and content distributed to the user and prevents users from downloading new apps and content. Applies to AppConnect-enabled apps as well.
  Block: Prevents the device from accessing email; applicable only to registered/managed devices.
  Note: A minimum Sentry version (omitted in the source text) is required to use the tiered compliance actions.
9. Click the Yes check box to affirm that you realize that editing the conditions and/or the actions for this policy will release any previously actioned devices into a reset state.
10. Click Next.
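The following Python is an added example and not MobileIron's policy engine: it evaluates a rule built from the conditions table below (Compromised, OS, OS Version) over constructed device records, first in Monitor-only mode as step 7 recommends, then with the tiered actions of step 8, where Wait delays the steps after it by the given number of hours and a device that returns to compliance has its clock reset. It also shows the mistake step 7 warns about, a threshold that every device satisfies, caught by a dry run. Device records, timestamps and the rule layout are assumptions made for the example.

```python
"""Added example (not MobileIron code): a custom-policy evaluator that follows
the steps above: a rule built from the conditions table, a Monitor-only
evaluation period, and tiered actions separated by Wait.  The device records,
timestamps and rule layout are constructed for the example."""
from datetime import datetime, timedelta


def version(v):
    """'10.3.3' -> (10, 3, 3): compare OS Version numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


# Conditions from the table: field name -> predicate(device, value).
CONDITIONS = {
    "Compromised":        lambda d, v: d["compromised"] == v,
    "Encryption Enabled": lambda d, v: d["encryption_enabled"] == v,
    "OS":                 lambda d, v: d["os"] == v,
    "OS Version below":   lambda d, v: version(d["os_version"]) < version(v),
    "Ownership":          lambda d, v: d["ownership"] == v,
}


def matches(rule, device):
    """rule is ('all', [rules]), ('any', [rules]) or (field, value)."""
    kind, arg = rule
    if kind == "all":
        return all(matches(r, device) for r in arg)
    if kind == "any":
        return any(matches(r, device) for r in arg)
    return CONDITIONS[kind](device, arg)


def evaluate(policy, devices, now, state):
    """Run one check-in cycle.

    state maps device id -> {"first_seen": datetime, "done": set of action
    indexes already taken}; it is updated in place.  Returns (matched_ids,
    actions_now).  With monitor_only=True only the match list is produced,
    which is how a new policy should run for its first few days.
    """
    matched, actions = [], []
    for dev in devices:
        if not matches(policy["rule"], dev):
            state.pop(dev["id"], None)       # back in compliance: the tier clock resets
            continue
        matched.append(dev["id"])
        if policy.get("monitor_only"):
            continue
        rec = state.setdefault(dev["id"], {"first_seen": now, "done": set()})
        due = rec["first_seen"]
        for i, step in enumerate(policy.get("actions", [])):
            if step[0] == "Wait":
                due += timedelta(hours=step[1])   # later steps become due after the wait
            elif due <= now and i not in rec["done"]:
                rec["done"].add(i)
                actions.append((dev["id"], step[0]))
    return matched, actions


def hours_after(t, hours):
    return t + timedelta(hours=hours)


# Constructed sample data.
T0 = datetime(2018, 1, 1, 9, 0)
SAMPLE_DEVICES = [
    {"id": "A", "os": "iOS", "os_version": "10.3.3", "compromised": False,
     "encryption_enabled": True, "ownership": "Company Owned"},
    {"id": "B", "os": "iOS", "os_version": "11.2", "compromised": True,
     "encryption_enabled": True, "ownership": "User Owned"},
    {"id": "C", "os": "Android", "os_version": "7.0", "compromised": False,
     "encryption_enabled": True, "ownership": "Company Owned"},
]
# Compromised, or an iOS release older than 11.0: warn, wait a day, then quarantine.
SAMPLE_POLICY = {
    "rule": ("any", [("Compromised", True),
                     ("all", [("OS", "iOS"), ("OS Version below", "11.0")])]),
    "actions": [("Send Push Notification",), ("Wait", 24), ("Quarantine",)],
    "monitor_only": True,
}
# The mistake step 7 warns about: a threshold that every device satisfies.
BAD_POLICY = {"rule": ("OS Version below", "99"), "actions": [("Quarantine",)],
              "monitor_only": True}

if __name__ == "__main__":
    print("dry run, bad policy matches:", evaluate(BAD_POLICY, SAMPLE_DEVICES, T0, {})[0])
    state = {}
    print("monitor:", evaluate(SAMPLE_POLICY, SAMPLE_DEVICES, T0, state))
    live = dict(SAMPLE_POLICY, monitor_only=False)
    print("day 0:", evaluate(live, SAMPLE_DEVICES, T0, state)[1])
    print("day 1:", evaluate(live, SAMPLE_DEVICES, hours_after(T0, 25), state)[1])
```

The state dictionary is what makes Wait meaningful: each step fires once, at the first check-in on or after its due time, and a device that drops out of the match set loses its record, so a later violation starts the warning-then-quarantine sequence from the beginning. A dry run of BAD_POLICY matches all three sample devices, which is the signal to fix the operator before attaching Quarantine.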
Understanding the conditions settings UI Field Description Possible values Supported Platforms Android for Work Capable This field indicates Yes - If the device is Android Android for Work Android for Work Enabled whether the device is natively capable of running Android for Work. This field indicates whether Android for Work is enabled on the device. capable. No - If the device is not Android for Work capable. Yes - If Android for Work is enabled on the device. No - If Android for Work is not enabled Android 259

... custom policy on the device. (row continued from the previous page)

Field | Description | Values | Platforms
Compromised | This field indicates whether the device is rooted/compromised. | Yes - Device is rooted/compromised. No - Device is not rooted/compromised. | iOS/Android
Custom Device Attribute | This field enables adding an existing custom device attribute as a rule to verify its value. | Enter the attribute's value to be verified. | iOS/macOS/Android/Windows
Custom LDAP Attribute | This field enables adding an existing custom LDAP attribute as a rule to verify its value. | Enter the attribute's value to be verified. | iOS/macOS/Android/Windows
Custom User Attribute | This field enables adding an existing custom user attribute as a rule to verify its value. | Enter the attribute's value to be verified. | iOS/macOS/Android/Windows
Data Roaming | This field indicates whether data roaming is enabled on the device. | Yes - Data roaming is enabled on the device. No - Data roaming is not enabled on the device. Default value is No if the supported device does not report info about this field. | iOS/Android
Device Type | This field represents the device model. | Text value. | iOS/macOS/Android/Windows
Encryption Enabled | This field determines whether the device is encryption/data protection enabled. | Yes - Device is encryption/data protection enabled. No - Device is not encryption/data protection enabled. | iOS/Android/Windows
Locator Services Enabled | This field indicates whether the device has a device locator service (such as Find My iPhone) enabled. | Yes - Device locator service is enabled. No - Device locator service is not enabled. | iOS
Manufacturer | This field represents the device manufacturer. | Text value. | iOS/macOS/Android/Windows
MDM Managed | This field determines whether the device is MDM/Device admin enabled. | Yes - The device is enabled for Mobile Device Management (MDM). No - The device is not enabled for MDM. | iOS/macOS/Android
OS | This field represents the OS type of the device. | iOS, macOS, Android, Windows. | iOS/macOS/Android/Windows
OS Version | This field represents the OS version of the device. | Version number. | iOS/macOS/Android/Windows
Ownership | This field indicates the ownership type of the device. | User Owned - The device is owned by the user. Company Owned - The device is owned by the company. Not set - The ownership information is not set/available. | iOS/macOS/Android/Windows
Passcode Compliant With Profiles | This field indicates whether the device is passcode compliant with profiles. | Yes - The user's passcode is compliant with requirements from profiles. No - Otherwise. | iOS/macOS/Android
Personal Hotspot Enabled | This field indicates whether the Personal Hotspot feature is enabled on the device. | Yes - Personal Hotspot feature is enabled. No - Personal Hotspot feature is not enabled. The Personal Hotspot setting is only available on certain carriers. Default value is No if the supported device does not report info about this field. | iOS
Roaming | This field indicates the roaming status of the device. | Yes - The device is currently roaming. No - The device is currently not roaming. Default value is No if the supported device does not report info about this field. | iOS/Android/Windows
Supervised | This field indicates whether the device is supervised. | Yes - Device is supervised. No - Device is not supervised. | iOS/macOS
User Group | This field represents the user group. | Select an existing static user group. | iOS/macOS/Android/Windows
Voice Roaming | This field indicates whether voice roaming is enabled on the device. | Yes - Voice roaming is enabled on the device. No - Voice roaming is not enabled on the device. The voice roaming setting is only available on certain carriers. Disabling voice roaming also disables data roaming. Default value is No if the supported device does not report info about this field. | iOS

Can't see the Policy page? Maybe you don't have permission. You need one of the following roles:
Device Management
Device Read Only

Monitoring and Controlling Allowed Apps

To control which apps are installed on devices, you create an Allowed Apps policy. The policy contains the following information:

whitelist apps
blacklist apps
required apps
compliance actions

If an app is both required and blacklisted, the evaluation of the app against the required list takes precedence. For example, if an app A1 is present both in the required list and in the blacklist, the apps policy evaluation for the device behaves as follows:
The device is compliant if A1 is installed on the device.
The device is non-compliant if A1 is not installed on the device.

License: Silver

Supported Devices
Android 4.2 through the most recently released version as supported by MobileIron
iOS 8.0 through the most recently released version as supported by MobileIron
macOS through the most recently released version as supported by MobileIron

Before You Start
The privacy configuration assigned to a device must allow collection of app information in order for an Allowed Apps policy to work correctly: if no app inventory is collected, the service has nothing to evaluate the policy against. Check the privacy configurations assigned to the devices to which you will apply the Allowed Apps policy. If you are not sure which configurations are affected:
1. Go to Policies.

2. Click Allowed Apps.
3. Under Privacy Configurations, note the configurations that need to be edited.
4. Go to Configurations.
5. For each privacy configuration you noted:
   a. Select the configuration.
   b. Click Edit.
   c. Under Collect App Inventory, select For All Apps on the Device.
   d. Click Done.

Creating an Allowed Apps policy
1. Go to Policies.
2. Click Allowed Apps.
3. In the Name field, type a name for this policy.
4. In the Description field, type optional text that explains the purpose of the policy.

5. Use the Required Apps and App Lists section to select required apps. For example, you can select the Add App Lists tab and then select the desired required apps lists.
6. Use the resultant fields to select the required apps or app lists. Note: Click the View Required List tab for a list of apps you have selected so far.
7. Click Next.
8. Select whether to create a whitelist or a blacklist. Note: You cannot have both a whitelist and a blacklist for a device. Creating a whitelist means all other apps are blacklisted.
9. Use the Whitelist/Blacklist Apps and App Lists section to select apps. For example, you can select the Add App Lists tab and then select the desired app lists.
10. Use the resultant fields to select the whitelisted or blacklisted apps or app lists. Note: Click the View Whitelist or View Blacklist tab for a list of apps you have selected so far.
11. Click Next.
12. Select the actions to take when a device is out of compliance:

Setting | What To Do
Monitor | Currently always selected.
Do Nothing | Select to take no action if the device is out of compliance.
Send Email | Select to notify the user that the device is out of compliance in an email.
Send Push Notification | Select to notify the user that the device is out of compliance in a push notification.
Send Email and Push Notification | Select to notify the user that the device is out of compliance in an email and a push notification.
Wait | Select to wait for a specified passage of time before taking action.
Block | Select to: Block app tunnel; Block active sync.

Note: The Allowed Apps policy supports tiered compliance actions if you have a Platinum license.

13. Click Next.
14. Configure the distribution.
15. Click Done.

See Also: Prioritize Policies to set higher or lower priorities to an Allowed Apps policy.
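The evaluation rules stated above (the required list wins over the blacklist, a whitelist blacklists every other app, a policy carries either a whitelist or a blacklist but never both, and a device without collected app inventory cannot be evaluated) are easy to get wrong when reasoning about a policy. The following is an added example that models them in Python; it is not MobileIron code, and the policy and inventory data shapes, the function names and the sample app names are assumptions made for the illustration. It also reports the unknown-inventory case from Before You Start, which the steps above describe only as a prerequisite.

```python
"""Allowed Apps policy evaluation, modelled on the rules in this section.
Added illustration, not MobileIron code; data shapes are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AllowedAppsPolicy:
    required: Set[str] = field(default_factory=set)
    whitelist: Optional[Set[str]] = None  # exactly one of whitelist/blacklist may be set
    blacklist: Optional[Set[str]] = None

    def __post_init__(self) -> None:
        if self.whitelist is not None and self.blacklist is not None:
            raise ValueError("a policy cannot have both a whitelist and a blacklist")


def evaluate(policy: AllowedAppsPolicy, installed: Optional[Set[str]]) -> Dict:
    """Evaluate one device's app inventory against the policy.

    installed=None models a device whose privacy configuration does not
    collect app inventory: the verdict is then unknown rather than compliant.
    """
    if installed is None:
        return {"compliant": None,
                "reason": "no app inventory; check Collect App Inventory in the privacy configuration"}

    missing_required = policy.required - installed
    forbidden: Set[str] = set()
    for app in installed:
        if app in policy.required:
            continue  # required takes precedence over blacklist / whitelist omission
        if policy.blacklist is not None and app in policy.blacklist:
            forbidden.add(app)
        elif policy.whitelist is not None and app not in policy.whitelist:
            forbidden.add(app)  # whitelist: everything not listed is blacklisted

    return {
        "compliant": not missing_required and not forbidden,
        "missing_required": sorted(missing_required),
        "forbidden": sorted(forbidden),
    }


if __name__ == "__main__":
    # Constructed sample: A1 is both required and blacklisted (the guide's case).
    policy = AllowedAppsPolicy(required={"A1"}, blacklist={"A1", "Game"})
    print(evaluate(policy, {"A1", "Mail"}))   # compliant
    print(evaluate(policy, {"Mail"}))         # non-compliant: A1 missing
    print(evaluate(policy, {"A1", "Game"}))   # non-compliant: Game is blacklisted
```

The verdict only says whether the device is compliant; which compliance action (email, push, wait, block) then fires is the policy's separate configuration from step 12 and is not modelled here.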


Admin

Admin > Certificate Authority
License: Silver

Using certificate authentication is an effective way to secure your mobile devices. Certificates are more secure than passwords, and they enable you to use a single credential to protect VPNs, wireless networks, email, etc.

If your organization has access to an external certificate authority, you can use a Connector to access it. If your organization does not have access to a certificate authority, you can use MobileIron Cloud as a certificate authority. You can also use it as an intermediate certificate authority to other certificate authorities. The certificates generated by MobileIron Cloud are referred to as self-signed certificates.

Note: SHA-1 is deprecated when creating identity certificates; choose another algorithm. When updating existing certificates, SHA-1 may be kept only if the older certificates already use SHA-1. If the older certificates use an algorithm stronger than SHA-1, switching down to SHA-1 is not allowed.

During the configuration of an external, local, or cloud certificate authority, select the Cache Identities on MobileIron Cloud option to store identities with the MobileIron Cloud service. Clear it to generate identities each time as needed. While editing an existing certificate from the Actions menu, you can select the Clear cached certificates and issue new ones with recent updates option if required. Non-cached certificates will be re-issued automatically.

Connecting to an external certificate authority
1. Install and configure a Connector (Admin > Connector).
2. In the Certificate Authority page, click Add.
3. Under Add an External Certificate Authority, click Continue.
4. Enter a name that identifies this configuration.
5. Select one of the following Certificate Authority Types:
Microsoft
EJBCA
Generic SCEP Server
The Generic SCEP Server option can be used with most SCEP servers that use a static challenge password. A static challenge password is a shared secret: anyone who holds it can request certificates from that CA, so restrict who can read this configuration and rotate the password if it is exposed.
6. Complete the displayed form.
7. Click Done.
Creating an intermediate certificate authority

If you need a certificate, generate a CSR and submit it to the signing authority. Once you receive the certificate from the signing authority, upload the certificate. If you already have the necessary certificate, upload the existing identity.

Generate a CSR (certificate signing request)
1. In the Certificate Authority page, click Add.
2. In the Add Certificate Authority page, under Create an Intermediate Certificate Authority, click Generate CSR.
3. Complete the displayed form.
4. Click Generate.
5. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST to a text file (most signing authorities expect the complete PEM block, so include the BEGIN and END lines themselves).
6. Click Done.
7. Submit the file you created to the certifying authority.

Uploading the signed certificate
Once you receive the signed certificate from the certifying authority:
1. In the Certificate Authority page, find the entry for the CSR you generated.
2. Select Actions > Upload New Signed Certificate.
3. Click Choose File.
4. Select the new signed certificate.
5. Click Done.

Uploading an existing certificate
If you already have a certificate, upload it:
1. In the Certificate Authority page, click Add.
2. In the Add Certificate Authority page, under Create an Intermediate Certificate Authority, click Upload Existing Identity.
3. In the Name field, enter a name for this certificate that distinguishes it from others.
4. Click Upload.
5. Select the certificate.
6. Enter the password for the certificate.
7. Click Upload.

Creating a standalone certificate authority
Choose this option if you want to create a new, completely standalone Certificate Authority.
1. In the Certificate Authority page, click Add.

2. In the Add Certificate Authority page, under Create a Standalone Certificate Authority, click Continue.
3. Complete the displayed form.
4. Click Generate.

Creating a cloud certificate authority
Choose this option if you want to use a third-party hosted Certificate Authority.
1. In the Certificate Authority page, click Add.
2. In the Add Certificate Authority page, under Create a Cloud Certificate Authority, click Continue.
3. Select GlobalSign or Symantec Managed PKI web services as the cloud Certificate Authority.
4. Complete the remaining fields on the displayed form.
5. Click Done.

Admin > Device Partition
License: Silver

Device partitions enable you to designate devices for management by different administrators (delegated administration). The administrator for a device partition can define the configurations and policies applied to the devices in the partition. The rules you define for a partition determine which devices belong to the partition. A device can belong to only one partition. Devices that don't match the rules for the partitions you create automatically belong to the default partition. After you create the partitions, you can assign each partition to the proper administrator. You cannot edit or delete the default partition.

To create a device partition
1. In the Device Partition screen, click Manage.
2. Click Create New Partition.
3. Create the rules that define which devices are in the partition.
4. Click Preview to see which devices will be assigned to the partition.
5. Click Save when you are satisfied with the devices in the partition.

The partitions you create inherit all configurations from the Default partition. Therefore, any configurations you create later in the Default partition are eligible to be applied to the other partitions. However, changes made to an existing configuration are not inherited.

The partitions you create receive copies of only those policies that exist in the Default partition at that time. Any policies you create later in the Default partition apply only to the Default partition.

To create rules
1. Select Any if you want devices to be included in this definition if they meet any of the rules.
2. Select All if you want devices to be included in this definition only if they meet all of the rules.
3. Select one of the following rule types from the dropdown:
Custom LDAP Attribute: For rules based on LDAP attributes.
OS: For rules based on the device's operating system.
User Group: For rules based on the device's user group (as defined in the device management service).
Username: For rules based on the username associated with the device.
4. Define the criteria for the selected rule type:
Custom LDAP Attribute: Enter the name of the custom LDAP attribute that was configured in the LDAP settings.
OS: Select Android, iOS, macOS, or Windows.
User Group: Select one of the user groups displayed in the dropdown. These are the user groups defined under Users > User Groups.
Username: Type in a username.
5. To add another rule for this partition, click the + next to the previous rule.
6. Click Preview to see which devices will be assigned to the partition.
7. Click Save when you are satisfied with the devices in the partition.

Devices that no longer match the rules for a partition are automatically moved to the next matching partition. If the device does not match the rules of any existing partition, the device moves to the Default partition. For example, removing a user from a user group can cause that user's devices to move to a different partition. Moves to a different partition can result in changes in policies and configurations, and also change which delegated administrator can see and manage the device, so use Preview before saving rule changes.

To prioritize partitions
MobileIron Cloud assesses partitions in order of appearance. To change the order, click the arrows in the upper right corner of the partition definition.
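Because partition order, the Any/All choice and the Default fallback together decide which administrator ends up managing a device, it helps to see the evaluation spelled out. The following is an added example in Python, not MobileIron code: it assigns constructed sample devices to partitions using the rule semantics described above (first partition in priority order whose rules match; Any means at least one rule, All means every rule; no match means Default) and shows a device moving when its user leaves a group. The device record layout, the way a Custom LDAP Attribute rule carries both an attribute name and a value, and all names are assumptions for the illustration.

```python
"""Device partition assignment modelled on Admin > Device Partition rules.
Added illustration, not MobileIron code; data shapes are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    kind: str            # "OS", "User Group", "Username" or "Custom LDAP Attribute"
    value: str           # value to compare against
    attribute: str = ""  # LDAP attribute name, used only by Custom LDAP Attribute (assumption)


@dataclass
class Partition:
    name: str
    match: str           # "Any" or "All"
    rules: List[Rule]


def rule_matches(rule: Rule, device: Dict) -> bool:
    if rule.kind == "OS":
        return device["os"] == rule.value
    if rule.kind == "Username":
        return device["username"] == rule.value
    if rule.kind == "User Group":
        return rule.value in device["groups"]
    if rule.kind == "Custom LDAP Attribute":
        return device.get("ldap", {}).get(rule.attribute) == rule.value
    raise ValueError(f"unsupported rule type {rule.kind!r}")


def assign_partition(partitions: List[Partition], device: Dict) -> str:
    """First partition (list order = priority) whose rules match, else Default."""
    for part in partitions:
        if part.match not in ("Any", "All"):
            raise ValueError(f"partition {part.name!r}: match must be Any or All")
        results = [rule_matches(r, device) for r in part.rules]
        if not results:
            continue  # a partition without rules matches nothing
        if any(results) if part.match == "Any" else all(results):
            return part.name
    return "Default"


def preview(partitions: List[Partition], devices: List[Dict]) -> Dict[str, List[str]]:
    """What the Preview button shows: device ids grouped by the partition they would land in."""
    result: Dict[str, List[str]] = {}
    for dev in devices:
        result.setdefault(assign_partition(partitions, dev), []).append(dev["id"])
    return result


# Constructed sample data (not from the guide).
PARTITIONS = [
    Partition("Finance iOS", "All", [Rule("OS", "iOS"), Rule("User Group", "Finance")]),
    Partition("Contractors", "Any", [Rule("Username", "bob"),
                                     Rule("Custom LDAP Attribute", "contractor", attribute="employeeType")]),
]
DEVICES = [
    {"id": "d1", "os": "iOS", "username": "alice", "groups": {"Finance"}, "ldap": {}},
    {"id": "d2", "os": "Android", "username": "alice", "groups": {"Finance"}, "ldap": {}},
    {"id": "d3", "os": "Android", "username": "carol", "groups": set(), "ldap": {"employeeType": "contractor"}},
    {"id": "d4", "os": "iOS", "username": "bob", "groups": {"Finance"}, "ldap": {}},
]

if __name__ == "__main__":
    print(preview(PARTITIONS, DEVICES))
    # alice removed from Finance: her iOS device falls back to Default
    print(assign_partition(PARTITIONS, dict(DEVICES[0], groups=set())))
```

Device d4 matches both partitions; it lands in Finance iOS only because that partition is listed first, which is exactly what the arrows under To prioritize partitions change.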
To assign an administrator to a partition
1. Go to Users > Users.

2. Search for the user who will be the administrator.
3. Click the link for the user to display detail.
4. Select Actions > Assign Roles.
5. Select Device Management.
6. Under Device Management, select the partition for this administrator.
7. Click Done.
When this administrator logs in, only devices, configurations, and policies in the assigned partition will be visible.

See Also
Device Partition Examples

Admin > Attributes
Use the Attributes page to:
manage the types of information you can record for users and devices
view the standard types of information tracked by MobileIron Cloud

Custom user attributes might include information like Department. Custom device attributes might include information like an internal ID. Each attribute has a corresponding variable that you can use for tasks like creating configurations and device groups.

To create custom user attributes
1. Under Custom Attributes, click +Add New.
2. In the Attribute Name field, enter text that will represent the attribute. Note that the text you enter will be used to create the corresponding variable in the Usage field.
3. Select User from the Attribute Type list.
4. Click Save (far right).

To create custom device attributes

1. Under Custom Attributes, click +Add New.
2. In the Attribute Name field, enter text that will represent the attribute. Note that the text you enter will be used to create the corresponding variable in the Usage field.
3. Select Device from the Attribute Type list.
4. Click Save (far right).

To view the standard attributes
Scroll to the System Attributes section of the page.

See Also
Assigning Custom Attributes to Users
Removing Custom Attributes from Users
Assigning Custom Attributes to Devices
Removing Custom Attributes from Devices

Admin > Support Administrators
Create a temporary support administrator to enable the service support team to log in with your roles and permissions. This user expires automatically in 7 days, or you can end access at any time. Creating a support administrator makes it easier for the support team to troubleshoot issues. Because the account carries your full roles and permissions, remove it as soon as the support case is closed rather than waiting for the automatic expiry.

To create a support administrator
1. In the Support Administrators page, click Add Support User.
2. Click Create User to confirm. This step sends an email to the device management service support team. Note that the Display Name field shows "(disabled)" until a support team member activates the new account. The resulting display name will have the following format: support-<random_id>-<your_username>@<your_company>.com

Once you create a support administrator, selecting Admin > Support Administrators takes you directly to the list of existing support administrators. Therefore, if you need to create additional support users, go directly to step 2 above.

To end access for a support administrator
1. In the Support Administrators page, click the Delete link to the right of the account you want to remove.
2. When prompted, click Remove User to confirm.

To suspend access for a support administrator
In the Support Administrators page, click the Disable link to the right of the account you want to suspend.

Admin > System Use Notification
License: Silver
Use the System Use Notification feature to create a customized system use notification that appears to administrators at the time of login and requires administrators to accept the terms of use before accessing the system.

To create a system use notification
1. Select Admin > System Use Notification.
2. Click Create Notification. The System Use Notification Details page appears.

3. Enter a title in the Title field.
4. Enter a summary or instructions in the Summary field.
5. Choose a logo if desired.
6. Enter terms of use text in the Terms of Use Text field. This is the text that the administrator will have to accept at login.
7. Select the Enable the System Use Notification check box to turn on the notification.

8. Click Preview to invoke a preview of the system use notification.
9. Click Save when you are satisfied with the system use notification.

Admin > Connector
The Connector is a component that adds on-premise corporate directories (like Microsoft Active Directory), external CAs, and certificates to the MobileIron Cloud service by means of secure HTTPS connections. The Connector is available to download as an ISO file that you can install on a virtual machine.
License: Silver

To download a Connector
Click Download the Connector to get the ISO you need.

To install a Connector
See the instructions included with the download.

To access the Connector logs
You can access the Connector logs from the kocab service to help troubleshoot Connector-related problems. You must have the System Manager or System Read Only role.
1. Go to Admin > Connector to view the Connector page. The Connectors interface displays the Connector status (Enabled or Disabled), Connector Name, Connection (Connected or Not Connected), Version number, Logging Level, and Actions (Disable or Remove the Connector).
2. Use the Logging Level pulldown menu to choose a level. The available logging levels are displayed in the pulldown menu in order from the lowest logging level to the highest logging level:
Error

Warn
Info
Debug
Trace
The Info level is the default logging level setting. If you choose another logging level, a rotating Sync icon appears, indicating that information is being collected at the level of logging that you selected. The logging level resets to the Info level after an hour. The Trace level is the highest logging level setting; use it to collect all the messages at all the other levels. The Sync icon is displayed for the duration of the request.
3. If needed, hover over the Sync icon to see the Cancel icon. Click the Cancel icon to cancel the logging level change.
4. Hover over the Request icon to display the request information. Click the Request icon to request the files from the current log folder in a .zip file. The log files are added to a .zip file when a request is made. When a new request is made, the .zip file from the previous request is deleted.
5. If needed, hover over the Request icon and it becomes the Cancel icon. Click the Cancel icon to stop the request. When a request is canceled before completion, the Download icon is not displayed because the previous log .zip file was deleted from the server. The original log files on the Connector are still available to request.
6. Click the Download icon when the request is completed to download the log .zip file containing the log files collected during the latest request. The current log file is named kocab.log. The name of the downloaded .zip file consists of the Connector host name, the Connector version, and a time stamp including day, month, year, and time of day, in the format <Connector_Hostname>_<Connector_Version>_<TimeStamp>.zip. Rotated (archived) log files inside the .zip are named in the format kocab.yyyy-mm-dd.0.log.gz.
7. Optionally, use the Actions pulldown menu to Disable or Remove the Connector.

Can't see the Connector page? Maybe you don't have permission. You need one of the following roles:
System Management
System Read Only

Admin > LDAP

License: Silver

Configuring an LDAP server and a Connector enables you to import users and groups from your corporate directory. After you have installed at least one Connector, you can add one or more LDAP servers. Adding an LDAP server means configuring:
the connection to the LDAP server
the search terms necessary to view the target directory data
the portion of the directory to import
whether to automatically invite users in the selected portion of the directory

After you have added an LDAP server, you can return to this page to edit the LDAP server information or change the LDAP users selected.

Note: LDAP users must be imported after configuring an LDAP server. See Importing LDAP users.

LDAP usernames, just like local usernames, must be globally unique. Verify that users do not already have a local account with the same username, or, for organizations with more than one tenant, that the username has not already been associated with another tenant.

To add an LDAP server
1. Click Add Server.
2. Provide the following information:

Setting | What To Do
Name | Enter a name that identifies this server.
Description | Enter a description that clarifies the purpose of this server.
Directory URL | Enter the URL for the directory. Use one of the following formats: ldap://<ip address or hostname>:<port> or ldaps://<ip address or hostname>:<port>. Example: ldap://myserver1.mycompany.com:389. Prefer ldaps:// where your directory supports it: with plain ldap:// the bind password and the directory data cross the network unencrypted (see Troubleshooting Connectivity to the LDAPS Server below for the certificate requirements).
User ID | Enter the user ID for an account having the following characteristics: managed by the LDAP server; can bind to the LDAP server and search the subtrees for users, groups, and organizational units. This is generally an account with Directory Administrator credentials (DN or Distinguished Name and password). A dedicated read-only service account that can bind and search the required subtrees is sufficient; avoid using a full directory administrator account where a less privileged one will do.
Password | Enter the password for the account.
Confirm Password | Re-enter the password for the account.
Directory Type | Select the type of directory from the list of supported directories: Active Directory, Open LDAP, Redhat Directory, IBM Domino Directory, Oracle Directory, Sun One Directory, Other.

3. Click Test Connection and Continue. This step validates the information you have provided so far. If the information proves valid, the service retrieves the LDAP naming context, which it uses to fill in some of the fields on the next page. If the LDAP URL fails to connect, you may proceed with the next steps. However, this may result in limited functionality until the connection is resolved.

4. Complete the remaining settings:

Setting | What To Do
Directory Failover URL | Enter the URL for the secondary directory. Use the following format: ldap://<ip address or hostname>:<port>. Example: ldap://myserver2.mycompany.com:389
Sync Interval | Enter the period of time between each attempted synchronization of LDAP data from the LDAP server. The default value is 15 minutes. Consider increasing the interval once you have successfully synchronized all target LDAP data and confirmed that your LDAP setup meets your needs.
Enable Sync Discard | Select to automatically discard the LDAP sync data if the reloaded data set declines significantly. This option ensures that abnormal behavior on the part of the LDAP system will not result in unnecessary, disruptive updates on the service and removal of configurations from registered devices. Make sure this option is not selected if you plan to make major changes in your LDAP setup or on the LDAP server.
Enable this LDAP Server | Select to use this LDAP server with your service. Clear this setting if you want to retire this LDAP server or take it out of service. Though a configured failover to a second LDAP server would automatically replace this server, using this option enables you to plan ahead and avoid a brief lack of connectivity during failover.
Automatically invite users whenever they are imported | Select to automatically send invites to the users when they are imported from the LDAP server.
Chase Referrals | Applies only if you are using a multi-forested domain. This option indicates whether you want to use alternate domain controllers when the targeted domain controller does not have a copy of the requested object. Select Follow if you want to use referrals. Select Ignore if you do not want to use alternate domain controllers. Throw currently has the same effect as Ignore. Note: Selecting Follow delays LDAP authentication.
Search Results Timeout | Increase this timeout if you observe performance issues or incomplete results when browsing the data synchronized from the LDAP server. In general, this timeout should never be set to less than 10 seconds.
Search Results Count | Set to the maximum number of records that should be returned from the LDAP server at one time. Scenarios that might require changing this setting to improve performance include: (a) The LDAP server is located far away or behind a high-latency link. In this case, large search results take longer to retrieve than small ones, so defining a smaller set enables you to see subsets of updated data more quickly. (b) The LDAP directory is massive, and every search returns a huge result set. In this case, if performance is not an issue, defining a larger result set makes it possible to return all of the data with fewer searches.

5. Click Next.
6. Use the following guidelines to configure the integration with the LDAP server:

Setting | What To Do
Group Member Format | Select DN or UID to indicate whether to use the distinguished name or the user ID in your search.

OU Search Attributes: Specify criteria for searching at the organizational unit level.

Base DN | Enter the distinguished name for the starting level at which you want your search to be rooted or begin. Your selection determines defaults for several other fields, which you can change if necessary.
Object GUID Attribute | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies an organizational unit across time and across OU name changes.
Name | If necessary, change the default value to match your LDAP environment.
Description | If necessary, change the default value to match your LDAP environment.
Attribute DN | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN).

User Search Attributes: Specify criteria for searching users in a given directory level.
Base DN | Enter the distinguished name for the starting level you want to search.
Attribute UID | If necessary, change the default value to match your LDAP environment.
Object GUID Attribute | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies a user across time and across user name changes.
DN | If necessary, change the default value to match your LDAP environment.
First Name | If necessary, change the default value to match your LDAP environment.
Last Name | If necessary, change the default value to match your LDAP environment.
Display Name | If necessary, change the default value to match your LDAP environment.
Email Address | If necessary, change the default value to match your LDAP environment.
Principal Name | If necessary, change the default value to match your LDAP environment.
Locale | If necessary, change the default value to match your LDAP environment.
Member Of | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN).
+Add Custom Attribute | (Optional) Specify up to 7 custom user attributes from your directory service that you want to apply to device management. Each attribute can then be referenced by ${attributename} in configuration fields that support variables. Important: Use of this option requires consistent implementation of custom attributes across LDAP servers. If an LDAP server included in your implementation does not use this attribute, then features dependent on this attribute might not work as expected.

Group Search Attributes:
Base DN | Enter the distinguished name for the starting level you want to search.
Object GUID Attribute | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies a group across time and across group name changes.
DN | If necessary, change the default value to match your LDAP environment.
Attribute Name | If necessary, change the default value to match your LDAP environment.
Description | If necessary, change the default value to match your LDAP environment.
Member | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN).

7. Click Browse or Search.
8. Confirm that your configuration returns the expected data. You can do this by browsing or searching for a known item in the directory.
9. Click Next.

Editing the LDAP server information
1. Go to Admin > LDAP.
2. In the LDAP server entry, select the Edit icon from the Actions column to view the Connect LDAP Server page.
3. Make the necessary changes.
4. Click Test Connection and Continue. If the LDAP URL fails to connect, you may proceed with the next steps. However, this may result in limited functionality until the connection is resolved.
5. Click Browse or Search.
6. Confirm that your configuration returns the expected data. You can do this by browsing or searching for a known item in the directory.
7. Click Done.

Importing LDAP users
1. Go to Users.
2. Click +Add > Invite Users from LDAP.
3. Click Select Users in the LDAP server entry.
4. In the Add LDAP Users page, enter the name of the user, group, or OU in the search field.
5. To add new users or groups, click +Add next to the entry you want to add.
6. Click Next.
7. Choose whether or not to send the invitation:
Invite None: To send the invites later, go to Users > Users and select Actions > Send Invite to send the invitations.
Invite All
8. Click Done.

Updating the users, groups, or organizational units selected
1. Go to Admin > LDAP.
2. In the LDAP server entry, select the Manage Users icon from the Actions column to view the Add LDAP Users page.
3. To add new users or groups, enter the name of the user or group in the search field.

4. Click +Add next to the entry you want to add.
5. To remove a user, group, or OU, click the remove icon next to the entry you want to delete.
6. Click Done.

To enable LDAP Sync Discard Notification
1. Go to Admin > LDAP.
2. In the LDAP server entry, select the Edit icon from the Actions column to view the Connect LDAP Server page.
3. Check the Enable Sync Discard checkbox.
4. Enter a value for the percentage of reloaded LDAP data to trigger sync discard.
5. Click Test Connection and Continue. If the LDAP URL fails to connect, you may proceed with the next steps. However, this may result in limited functionality until the connection is resolved.
6. Click Done.
7. Click the Sync Now icon in the LDAP server entry.

When the change diff to be synced from LDAP to MobileIron Cloud is above the set discard percentage, a WARNING notification is generated. When the changes fall back below the set percentage, the notification is CLEARED.

Trigger | Severity | Notification Type | Component Type | Component
LDAP Sync Discard | Warn | Data Sync | LDAP | LDAP server name
LDAP Sync Restored | Info | Data Sync | LDAP | LDAP server name

To synchronize changes from the LDAP server
In the LDAP page, click the Sync Now icon in the LDAP server entry.

Troubleshooting Connectivity to the LDAPS Server
If you encounter issues connecting to the LDAPS (LDAP over SSL) server, you may be experiencing an issue with the certificate. To resolve the issue:

- Verify that you are not using a self-signed certificate on the LDAPS server.
- Verify that the LDAPS certificate has not expired or been revoked. Also check for a hostname mismatch.

After verifying, wait for the automatic LDAP sync, or manually sync using the Admin > LDAP > Sync Now icon in the LDAP server entry.

Can't see the LDAP page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Sentry

Sentry is a component that acts as a gateway between mobile devices and your ActiveSync-enabled email system. Use Sentry to control which devices are allowed to access email. It is available to download as an ISO file that you can install on a virtual machine. Organizations should consider using a load balancer to maintain multiple (redundant) Sentrys.

License: Silver

Supported platforms
- Exchange 2007
- Exchange 2010 SP3
- Exchange 2013

To download a Sentry

Click Download installer to get the ISO you need.

To install and register a Sentry

See the instructions included with the download or Sentry Installation.

To set up a Sentry profile

You need to set up at least one Sentry profile and assign it to one or more registered Sentrys to specify the services provided by the Sentrys:

1. Click Set Up Profile or + Add Sentry Profile.
2. Select the type of Sentry profile to create:
   - ActiveSync with basic auth
   - ActiveSync and/or AppTunnel with certificates
   - ActiveSync and/or AppTunnel with Kerberos
3. Complete the steps for the selected profile type.
4. Click Assign in the Actions column for the Sentry that should receive the profile.
5. Select the profile.

ActiveSync with basic auth

1. Select ActiveSync with basic auth.
2. Click Next.
3. Enter the global settings for this Sentry:

   Setting / What To Do
   Name: Enter a name that identifies this Sentry or group of Sentrys.
   Description: Enter optional text to further identify this Sentry profile.
   External Hostname and Port: If you are using multiple Sentrys, enter the external host name and port number for the load balancer configured for accessing the Sentrys. If you are using a single Sentry, enter the external host name and port number for the Sentry.

   Default Unmanaged Devices Behavior
   Allow unmanaged devices to receive email and data: Select the checkbox if you want to allow devices that are not managed by the service to access email. Otherwise, unmanaged devices will be blocked from email access. See Unmanaged Devices for information on unblocking (allowing) devices.

   Advanced Options
   Dead Threshold: Enter the number of failed communication attempts that must occur before a server is flagged as dead.
   Failure Windows: Enter the number of milliseconds during which the failures need to occur.
   Dead Time: The duration of time during which the server will be recorded as dead.

   Active health check
   Scheduling: If you specified the ActiveSync servers in priority order, then select Priority. If you would like each server to be serviced in turn, select Round Robin.
   Socket read/write timeout: Enter the interval between Sentry checks for socket read/write timeouts from devices or servers.
   Server connection timeout: Enter the interval between Sentry attempts to connect to an ActiveSync server.
   Server response timeout: Enter the amount of time that the Sentry will wait for an HTTP response from the ActiveSync server.
   Device request timeout: Enter the amount of time that the Sentry will wait for an HTTP response from a device on a new or existing connection.

4. Click Next.
5. Enter the Sentry server configuration settings, which apply to access between the devices and the Sentry:

   Setting / What To Do
   Listener Protocol: Select the protocol to use for communication between the Sentry and the service. HTTPS is recommended.
   Https/Http Port: Enter the port to use for each supported protocol. 443 is typical for HTTPS. 80 is typical for HTTP.
   Certificate/Key: Select Use Sentry's self-signed cert if you intend to use Sentry's self-signed certificate to authenticate communication between Sentry and mobile devices. If you want to use your own certificates, click Upload New Certificate.

   Advanced Traffic Controls (ATC)
   Enable/Disable Advanced Traffic Controls: When enabled, Advanced Traffic Control allows traffic to be blocked or sent via proxies or directly to destinations. ATC Configuration is not supported with Sentry versions earlier than
   Server-side Proxy List: Click + Add Proxy to add a proxy or several.
   Traffic Control Rules: Provide a list of destination hosts, application bundle IDs and an action (block/proxy/allow direct access). You may create multiple Rule Sets. A Rule Set can be associated with the services based on Rule Type. MobileIron Cloud evaluates these rules in the order they appear in the list. For "*", use the Default Action. Each Rule Set should have a unique name and should contain the same Rule Type. Modifying the ATC Rule Set Name will disassociate the ATC Rule from the Services that are linked to this Sentry profile.

   Advanced Options
   Protocols: Select the protocols required by your ActiveSync servers.
   Cipher suites: Ciphers are used in the SSL-encrypted communication with the Sentry. Strong ciphers are generally preferred. Weak ciphers might be required for older devices. Strong ciphers are selected by default. Select any additional ciphers you want to use. At least one cipher must be selected. Note: Verify that any load balancers, VIPs, and proxies in the Sentry's path support the OpenSSL cipher suite.

6. Click Next.
7. Select the Exchange service.
8. Use the following guidelines to complete the service settings:

   Setting / What To Do
   Service Name: Enter a name to identify this service.
   ActiveSync Options: If you want to limit the ActiveSync protocol version supported, select a version from the drop-down.

   Server Configuration
   Server Authentication: Pass through (Basic Authentication) is the supported authentication method.
   ActiveSync Servers: Enter the hostname and port for each ActiveSync server that this Sentry will access. If you want to specify certain servers with higher priority, enter the servers in order from highest to lowest priority. If the ActiveSync servers require SSL, then the Enable Server TLS check box must be selected.
   Enable Server TLS: Select to use TLS for communication with the Exchange server.
   Enable Active Health Check

9. Click Next.
10. Click Save.

To assign a profile to a Sentry

Once a Sentry is registered, it displays in the Sentry page in the Unconfigured Sentry Servers section. To assign a profile for the Sentry, click Assign in the Actions column.

To set up the Exchange configuration

Create a new Exchange configuration that specifies the Sentry instead of the ActiveSync server. Note that existing Exchange configurations will be removed from registered devices. Once the new configuration is installed, device users will be prompted to enter the ActiveSync password.

See also
- Unmanaged Devices (for managing access for devices not managed by Sentry)
- Policies (Block via Sentry compliance action)
- Troubleshooting Sentry issues

Can't see the Sentry page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only
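The Traffic Control Rules setting above says that MobileIron Cloud evaluates ATC rules in list order and that "*" falls through to the Default Action. As an added example (not MobileIron's code), this Python models that first-match evaluation and flags rules that an earlier rule has already shadowed; the wildcard matching of hosts and bundle IDs, the sample Rule Set and the shadowing heuristic are assumptions of the example, not documented Sentry behaviour.

```python
"""Added example, not MobileIron's code: ordered evaluation of an ATC
(Advanced Traffic Control) Rule Set as described for the Sentry profile.
Assumptions of this example: destination hosts and application bundle IDs are
matched with shell-style wildcards ("*" meaning any); the real Sentry matcher
and the shadowing heuristic below are not taken from MobileIron documentation."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ACTIONS = ("block", "proxy", "allow")  # block / send via proxy / allow direct access


@dataclass(frozen=True)
class AtcRule:
    destination: str  # destination host pattern, e.g. "*.example.com" or "*"
    bundle_id: str    # application bundle ID pattern, e.g. "com.example.mail" or "*"
    action: str       # one of ACTIONS

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, host: str, bundle_id: str) -> bool:
        # Hostnames are case-insensitive; bundle IDs are compared as written.
        return (fnmatchcase(host.lower(), self.destination.lower())
                and fnmatchcase(bundle_id, self.bundle_id))


@dataclass
class AtcRuleSet:
    name: str
    rules: List[AtcRule] = field(default_factory=list)
    default_action: str = "block"  # the Default Action used for "*" (no explicit match)

    def decide(self, host: str, bundle_id: str) -> Tuple[str, Optional[int]]:
        """Return (action, index of the winning rule) for one request.
        Rules are evaluated in list order and the first match wins; when no
        rule matches, the Default Action applies and the index is None."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(host, bundle_id):
                return rule.action, idx
        return self.default_action, None

    def shadowed_rules(self) -> List[int]:
        """Indexes of rules that can never win because an earlier rule already
        covers them. Heuristic: the earlier rule's patterns match the later
        rule's patterns taken literally, so every request the later rule would
        match has already been decided by the earlier one."""
        shadowed: List[int] = []
        for j, later in enumerate(self.rules):
            for earlier in self.rules[:j]:
                if (fnmatchcase(later.destination.lower(), earlier.destination.lower())
                        and fnmatchcase(later.bundle_id, earlier.bundle_id)):
                    shadowed.append(j)
                    break
        return shadowed


# Constructed sample Rule Set (hosts and bundle IDs are made up for illustration).
SAMPLE_RULE_SET = AtcRuleSet(
    name="corp-mail",
    rules=[
        AtcRule("mail.example.com", "com.example.mail", "proxy"),  # mail app via proxy
        AtcRule("*.example.com", "*", "allow"),                    # other corp hosts: direct
        AtcRule("*", "com.untrusted.app", "block"),                # this app goes nowhere else
    ],
    default_action="block",
)

# Constructed requests: (destination host, application bundle ID).
SAMPLE_REQUESTS = [
    ("mail.example.com", "com.example.mail"),
    ("intranet.example.com", "com.untrusted.app"),  # allowed: rule 1 wins before rule 2
    ("evil.test", "com.untrusted.app"),
    ("other.test", "com.example.mail"),             # nothing matches: Default Action
]


def demo() -> List[Tuple[str, Optional[int]]]:
    """Decisions for SAMPLE_REQUESTS, in order."""
    return [SAMPLE_RULE_SET.decide(host, bid) for host, bid in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (host, bid), (action, idx) in zip(SAMPLE_REQUESTS, demo()):
        where = "default" if idx is None else f"rule {idx}"
        print(f"{host:22} {bid:20} -> {action:5} ({where})")
    print("shadowed rules:", SAMPLE_RULE_SET.shadowed_rules())
```

The second request shows why order matters: the broad "*.example.com" allow rule decides before the app-specific block rule is ever reached.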
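Returning to the Enable Sync Discard setting described under Admin > LDAP above: as an added example (not MobileIron's code), the following Python models the guard, including the Warn and Info notifications from the table in that section. How the "percentage of reloaded LDAP data" is computed (entries added plus removed, relative to the current snapshot) and the sample directory are assumptions of this example.

```python
"""Added example, not MobileIron's code: a model of the LDAP Sync Discard guard.
Assumption of this example: the "percentage of reloaded LDAP data" is the
share of the current snapshot that a reload would add or remove."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Notification:
    trigger: str            # "LDAP Sync Discard" or "LDAP Sync Restored"
    severity: str           # "Warn" or "Info", as in the notification table
    notification_type: str  # "Data Sync"
    component_type: str     # "LDAP"
    component: str          # the LDAP server name


@dataclass
class LdapSyncState:
    server_name: str
    discard_percent: float                          # threshold from the Connect LDAP Server page
    users: Set[str] = field(default_factory=set)    # currently imported snapshot
    discarded: bool = False                         # True while a sync is being withheld
    notifications: List[Notification] = field(default_factory=list)

    def change_percent(self, reloaded: Set[str]) -> float:
        """Percentage of the current snapshot that the reload would change."""
        if not self.users:
            return 100.0 if reloaded else 0.0
        delta = (reloaded - self.users) | (self.users - reloaded)
        return 100.0 * len(delta) / len(self.users)

    def sync(self, reloaded: Set[str]) -> bool:
        """Apply one reload. Returns True if the snapshot was updated, False if
        the change was above the threshold and the sync was discarded."""
        pct = self.change_percent(reloaded)
        if pct > self.discard_percent:
            if not self.discarded:       # raise the WARNING once, not on every retry
                self.notifications.append(Notification(
                    "LDAP Sync Discard", "Warn", "Data Sync", "LDAP", self.server_name))
            self.discarded = True
            return False
        if self.discarded:               # change is back under the threshold: clear it
            self.notifications.append(Notification(
                "LDAP Sync Restored", "Info", "Data Sync", "LDAP", self.server_name))
            self.discarded = False
        self.users = set(reloaded)
        return True


def demo() -> LdapSyncState:
    """Constructed scenario: a directory of 100 users, one reload that returns
    only 40 of them (for example a partial result from an overloaded server),
    then a normal reload with two joiners and one leaver."""
    state = LdapSyncState("ldap.example.test", discard_percent=20.0)
    state.users = {f"user{i:03d}" for i in range(100)}
    partial = {f"user{i:03d}" for i in range(40)}        # 60% of users would vanish
    state.sync(partial)                                  # discarded, WARNING raised
    normal = (state.users - {"user099"}) | {"user100", "user101"}   # 3% change
    state.sync(normal)                                   # applied, notification cleared
    return state


if __name__ == "__main__":
    final = demo()
    for n in final.notifications:
        print(f"{n.trigger:20} {n.severity:5} {n.notification_type} {n.component_type} {n.component}")
    print("users after sync:", len(final.users), "discarded:", final.discarded)
```

Without the guard, the partial reload would have silently removed 60 users (and their device assignments); with it, the snapshot is kept and an administrator sees the Warn notification first.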

Admin > Identity

License: Silver

Configure an identity provider (IdP) to authenticate users who wish to register devices with MobileIron Cloud, access this Admin Portal, or access the Self-Service Portal. An on-prem LDAP compatible user directory is required. MobileIron Cloud works with any SAML 2.0 compatible IdP. Microsoft ADFS (Active Directory Federation Services), Okta, OneLogin, PingOne, and Ping Identity's PingFederate have been verified to work with MobileIron Cloud.

Overview

- If you are using Microsoft AD, or another on-premise LDAP directory, you will need to set up Connector to connect to and import users to MobileIron Cloud. Set up Connector or LDAP if you have not done so already.
- When an IdP is added, user authentication automatically switches from LDAP to IdP. Only one IdP provider is allowed.
- In case your IdP becomes inaccessible, use the MobileIron Cloud Tenant Admin (TA) account to access this Admin Portal and troubleshoot. The TA is a local account and does not require external authentication. The TA account is created when your MobileIron Cloud is provisioned, and its information is provided to the technical contact of your organization, or equivalent. If you do not have your TA account information, contact your support representative.
- MobileIron Cloud supports Microsoft Azure Active Directory (AAD) for authenticating users during registration of Windows 10 devices. Note: AAD cannot be used for authenticating Admin Portal or Self Service Portal access. Provision Azure services if necessary.
- Set the authentication type for your LDAP users using the tools provided by your IdP vendor. The authentication scheme of your IdP will take precedence over the MobileIron Cloud settings. Note: MobileIron Cloud Authentication settings can be found here: Users > User Settings > Device Registration Setting > Device Registration Authentication Type.
- Apple DEP and Configurator device enrollments do not use IdP for user authentication.

IdP Set Up Types

The MobileIron Cloud Identity page guides you through the set up of the following types of IdP providers:

- Cloud IdP Setup: Supported Cloud IdP providers are OneLogin, Okta, and PingOne.
- On-Prem IdP Setup: Supported on-prem IdP providers are ADFS 3.0 and PingFederate.
- Generic IdP Setup: This is a generic set up path you can use if you are not using Microsoft ADFS, Okta, OneLogin, or PingFederate.

To configure an identity provider

1. Click Admin.
2. Click Identity.
3. Click an identity provider set up type: Cloud IDP Setup, On-Prem IDP Setup, or Generic IDP Setup.
4. Select a corresponding IdP. If you selected Generic IDP Setup in step 3, then skip this step and continue at step 5.
5. Follow the instructions on the screen that appear for your chosen IdP. See Set up tasks you may need to complete for more information.
6. Click Done.

Set up tasks you may need to complete

Depending on your chosen IdP, you may be guided through:

IdP: Okta, OneLogin, PingOne
Procedure:
1. Generating a key to upload to your IdP.
2. Logging into your IdP and uploading the generated key.
3. Exporting a metadata file from your IdP and importing it into MobileIron Cloud.

IdP: ADFS 3.0, PingFederate
Procedure:
1. Downloading the metadata file from MobileIron Cloud.
2. Setting up a "Relying Party Trust" on ADFS or an SP Connection on PingFederate, and importing the MobileIron Cloud metadata file.
3. Exporting the metadata file from your IdP and importing it into MobileIron Cloud.

IdP: Generic IdP
Procedure:
1. Downloading the metadata file from MobileIron Cloud.
2. Following the instructions provided by your IdP vendor to configure your IdP server or service to communicate with the MobileIron Cloud service as "Service Provider." This can include:
   a. Uploading the metadata file from Step 1 above to your IdP. This configuration file contains the essential information that enables MobileIron Cloud, as a SAML 2.0 Service Provider, to communicate with your SAML 2.0 Identity Provider. The standard SAML 2.0 URLs, certificates and settings are included in the metadata file. NOTE: MobileIron Cloud expects a SAML 2.0 compatible IdP to have the ability to import and process an XML metadata file exported from a Service Provider.
   b. Configuring your IdP to use RSA-SHA1 for signing SAML authentication requests. Information about the Signing Certificate used to verify the authentication requests is included in the metadata file downloaded in Step 1.
   c. Configuring your IdP to include a username in the SAML responses sent to MobileIron Cloud. MobileIron expects the username in the <NameID> element of the SAML Response from the IdP.
3. Exporting a metadata file from your IdP and importing it into MobileIron Cloud.

Can't see the Identity page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Install MDM Certificate

You must request and install an Apple MDM certificate to manage iOS devices. You also need to renew this certificate once a year. (The Apple account used for creating the certificate receives a notification from the Apple site when the expiration date approaches.) Use the MDM Certificate page to add or renew this certificate.

To acquire and install the MDM certificate

1. Use the MDM Certificate page to download a certificate signing request (CSR) from your MobileIron Cloud tenant.
2. Upload the CSR to Apple to create a new certificate. On the Apple site, add a note indicating what the certificate is for. This note will help you when it is time to renew the certificate.
3. Save the resulting certificate.
4. Install the certificate for your MobileIron Cloud tenant.

To renew the MDM certificate

1. Click Renew Certificate.
2. Download a certificate signing request (CSR) from your MobileIron Cloud tenant.
3. Upload the CSR to Apple to renew the corresponding certificate. On the Apple site, make sure you are renewing the correct certificate. Uploading a different certificate to MobileIron Cloud will automatically retire all registered iOS devices.
4. Install the certificate for your MobileIron Cloud tenant. You will receive a warning if you attempt to upload the wrong certificate.

Can't see the Install MDM Certificate page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Apple Configurator

You can use this page to prepare Apple Configurator for setting up MobileIron Cloud device management on iOS devices. Apple Configurator makes it easy to deploy iOS devices in large quantities. Additionally, Configurator lets administrators make iOS devices Supervised, which allows for greater levels of configuration and management capabilities. For more information about Apple Configurator, please see the Mac App Store.

The basic steps are:
1. Export the MDM profile from your MobileIron Cloud tenant.
2. Import the MDM profile into the Configurator.
3. Use the Configurator to apply the MDM profile to tethered devices.

Defining a default user for devices

Devices configured through the Apple Configurator are assigned to the nobody user in MobileIron Cloud unless you pick a different user:

1. Click in the Assign configured devices to field.
2. Start typing the username of the MobileIron Cloud user you want to select.
3. Select the username when it displays in the drop-down list.
4. Click Save.

Installing apps using Apple Configurator

Before using the Apple Configurator to install apps:
- Access to the Apple app store is restricted by the device configuration.
- App installation is permitted by the device configuration.
- Apple Configurator must be installed on the computer used to configure the devices.

To install apps using the Apple Configurator:

1. In MobileIron Cloud, go to Admin > Apple Configurator.
2. Switch the enroll devices toggle switch to On.
3. Click one of the following:
   - Default User's plist.
   - Specific User's plist: Enter the specific user's username or ID.
4. In the Apple Configurator, go to Prepare > Apps.
5. Go to Prepare > Setting and disable Supervision.
6. Select the Never update device option in Update iOS.
7. Click Prepare (bottom of the Apple Configurator).

The apps will be visible in the list of Installed apps on the device after a device check-in.

Installing apps using EMM server

To install apps using the EMM server:

1. Upload an app from the in house store in the Apps tab.
2. Select the app.
3. Click the App Configurations tab.
4. Select Install on Device. Complete configuration settings.

5. Select Actions > Force Check-in.

What the end user needs to do

Apple requires that the end user launch the MobileIron Go app at least once, or the Cloud Location feature will not function properly. This is to ensure that the end user is aware that their location is being tracked.

Caution: If devices are deployed in single app mode using Configurator, then this approach will not be possible.

Can't see the Install Apple Configurator page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Device Enrollment Program

Apple's Device Enrollment Program (DEP) enables customers to purchase devices in bulk and automatically enroll these devices in MDM during activation. If you choose to participate, you can use MobileIron Cloud as the MDM server for managing these devices. For more information about DEP, visit deploy.apple.com.

Before you can use MobileIron Cloud with DEP, you need to sign up with Apple at deploy.apple.com.

Connecting MobileIron Cloud to DEP

1. Go to Admin > Device Enrollment Program.
2. Click Download Key.
3. Save your MobileIron Cloud key.
4. Click deploy.apple.com.
5. Sign in using your DEP-eligible Apple credentials.
6. On Apple's DEP site:
   a. Click Get Started.
   b. Select the trusted phone to use for authenticating to Apple's service.
   c. Enter the verification code sent to the selected phone.
   d. Click Add MDM Server.
   e. Enter a name to identify the virtual MDM server to be used with the service.
   f. Click Next.
   g. Upload the public key you downloaded earlier.
   h. Click Next.
   i. Click Your Server Token to download the token.
   j. Click Done.
7. In MobileIron Cloud, click Upload.
8. Click Next.
9. Select an authentication option:
   - Prompt user for registration/login. Note: Users will be prompted for a username and password. Users can enter either a password or a PIN for the password field. Password and PIN preferences can be configured in Users > User Settings related to authentication.
   - Skip user login. Note: Devices assigned to the nobody user (anonymous) or a defined user can be reassigned to specific users at a later time from the Devices page. Choose either the Define one user to assign all devices to or the Assign all devices to an anonymous user option. The selected option overrides selections under User Settings.
10. Click Upload to install the key you received in step 6.
11. Complete the displayed form to define the profile for your DEP devices:

   Setting / What To Do
   Name: Enter a name that identifies this DEP profile.
   Department: Enter the department in your organization that is associated with this profile.
   Supervised Mode: Indicate whether you will be deploying devices in supervised mode (using Apple Configurator).
   MDM Removable: Indicate whether the device user should be able to remove the MDM profile.
   MDM Mandatory: Indicate whether MDM should be mandatory.
   Allow Pairing: Indicate whether host pairing functions will be allowed. Select to allow pairing with any Mac. Deselect to allow pairing only to a DEP-managed iOS device with a certificate uploaded to facilitate this pairing.
   Support Phone Number: Provide a phone number that device users can contact for help.
   Skip entering passcode, Skip location services, Skip restore from backup, Skip "Move to iOS" from Android, Skip Terms of Service, Skip signing in to Apple ID and iCloud, Skip Touch ID setup, Skip Apple Pay setup, Skip zoom setup, Skip Siri, Skip automatically sending diagnostic information, Skip DisplayTone setup, Skip the Home button screen, Skip iCloud setup: Select to skip and accept the default for this portion of the Setup Assistant process.
   Skip Apple FileVault setup: Select to skip the FileVault 2 encryption portion of the macOS Setup Assistant process. macOS encryption can be administered via a FileVault 2 configuration.

   Note: You can create different DEP profiles with the same DEP account so that different sets of devices can receive different configurations.

12. Click Save.

Note: When new devices are added to Apple's Device Enrollment Program, it might take up to 15 minutes for MobileIron Cloud to discover those new devices. The new devices are then assigned an enrollment profile. If you cannot add new devices to the Device Enrollment Program, go to Dashboard > Notifications to check for notifications from Apple for DEP. If there are any updates to the EULA, you will be notified by email with steps to accept the new EULA.

You can view all the custom device attributes that exist in your tenant and assign them to the devices during their enrollment via Apple DEP.

Editing the DEP profile

1. Go to Admin > Device Enrollment Program.
2. Find the name of the server you created on the Apple site.
3. Select Actions > Edit DEP Profile.

Note: If you refresh the server token on Apple's site, then the existing token will become invalid. However, the display in the Device Enrollment Program page, including the token expiration date, will remain until you upload the new token.

Editing the DEP authentication setting

1. Go to Admin > Device Enrollment Program.
2. Find the name of the server you created on the Apple site.
3. Select Actions > Edit Authentication.

Setting up a managed macOS admin account using DEP

MobileIron Cloud supports DEP registration on devices that have been reset to factory default or are being activated for the first time. Using DEP, an admin account can be created on the macOS device. MobileIron Cloud supports only optional enrollment for macOS and, therefore, MobileIron Cloud ignores the MDM Mandatory field in the DEP profile because it only applies to iOS devices.

1. Go to Admin > Device Enrollment Program.
2. Find the name of the server you created on the Apple site.
3. Select Actions > Edit DEP Profile.
4. Select one of the following options from the macOS account setup assistant options:
   - Skip primary setup account creation: In this option, the UI for setting up the primary accounts on the macOS device is skipped. No user account is created besides an admin account. An additional section, Set up Managed macOS Admin Account, will be displayed (described below) to create the managed macOS admin account. The account can also be hidden from Users & Groups.
   - Create primary accounts as regular users: In this option, the macOS user will create a non-admin Standard account as part of the enrollment. An admin account can still be created by the MobileIron Admin and pushed to the device. An additional section, Set up Managed macOS Admin Account, will be displayed (described below) to create the managed macOS admin account. The account can also be hidden from Users & Groups.
5. After selecting one of the above options, enter the following details in the Set up Managed macOS Admin Account section if you want to create a managed macOS admin account:
   - Full Name
   - Account Name
   - Password
   - Confirm Password
   - (Optional) Hide managed administrator account in Users & Groups
6. Click Save.

Admin > Education

License: Gold

Applicable to: Supervised iOS 9.3+

Apple School Manager is an Apple cloud service dedicated to education institutions to provide services including purchasing apps in the Volume Purchase Program, enrolling iPads through the Device Enrollment Program, and creating managed Apple IDs. With full integration with Apple School Manager, the MobileIron EMM solution provides a seamless way to fully manage the iPads designated for teachers and students in order to leverage the Education ecosystem and apps such as Classroom.

Configuring Education

1. Go to Admin > Education.
2. Click the Setup Education option if it is turned off.
3. Select one of the following options:
   - Sync with the Apple School Manager account to import school information. If the account is not already configured:

     1. Go to Admin > Device Enrollment Program to download your organization's key files.
     2. Upload the key files to your Apple School Manager account to generate encryption keys.
     3. Download the encryption keys from Apple School Manager and upload the keys into MobileIron Cloud (Admin > Device Enrollment Program).
        Note: Existing Apple DEP accounts can be reused for Apple Education. Apple will give you the option to upgrade your DEP account to include Education capabilities when you access the Apple School Manager. For the upgrade instructions, visit Apple's site.
     4. When the encryption keys are accepted, the Sync Now button appears.
     5. Click Sync Now to start the data sync with Apple School Manager.
   - Import data from CSV files. To do so:
     1. (Optional) Click Download CSV templates ZIP file to download a zip file that contains templates of all the data types.
     2. Click Select files.
     3. Add the following six CSV files:
        - Students data file (students.csv)
        - Roster data file (roster.csv)
        - Staff data file (staff.csv)
        - Classes data file (classes.csv)
        - Courses data file (courses.csv)
        - Locations data file (locations.csv)
        Note: You must select all six CSV files together, every time, before uploading them.
     4. Click Upload.
     5. (Optional) If the CSV files need to be modified, please retain all necessary data in all six files that had been previously uploaded. Make the required edits and upload them together once again.
4. Data is now available in the Classes and Individuals tab. The individuals (students and staff) also appear in the Users page of MobileIron Cloud.
5. Create two device groups for devices that will be used for Education by students and staff. To do so:
   1. Go to Admin > Custom Attributes.
   2. Create custom attributes for students and staff that will be used to create dynamically managed device groups.
   3. Go to Devices > Device Groups.
   4. Click Add+.
   5. Create one dynamically managed device group each for students and staff, using the custom attributes created previously as filters.
6. Assign registered devices to students and staff from the Devices page using the Actions > Assign to user option.
7. Create a Leader (staff) configuration and a Member (students) configuration by adding the Configurations > Education payloads.
8. Distribute the Leader (staff) and Member (students) configurations to the staff and student device groups. This distribution will push these configurations and install certificates on the respective devices.

Note: On the Admin > Education page, if there is no value present for the Class Name, the value is derived from the class system source identifier and the course identifier fields. These fields are optional in the Apple School Manager or the CSV file. However, it is recommended to enter a value at all times, as their combination is used as the default identifier in the absence of a Class Name.

Pushing the Classroom app to the teachers

Using the Classroom app, the teachers (Leader) can manage the following scenarios:
- Classroom management: ability to control iPads and apps remotely.
- Ability to create a class group.
- Ability for a teacher to view the student members of that group.
- Ability for a teacher to send content to the students in that group.
- Restrict what apps and content the students can view.

Push the Classroom app from the Apple App Store as follows:

1. Go to the Apps > App Catalog page.
2. Click the +Add button.
3. Search for and select the Classroom app by Apple.
4. Click Next.
5. Enter the category and description.
6. Click Next.
7. Distribute the app to the teachers device group created previously.
8. Configure the app settings in the App Configurations page.
9. Click Done.

Disabling Education

Disabling Education will wipe all the current data. Please exercise caution while doing so.

1. Go to Admin > Education.
2. Click the Setup Education option if it is turned on.

3. Click Yes.

Admin > End User Portal (Branding)

License: Silver

You can customize the Self-Service Portal with your organization's logo. If you do not add your logo, the Self-Service Portal displays the default service logo.

To brand the Self-Service Portal

1. In the Self-Service Portal Branding screen, click Customize (upper right).
2. Drag the logo file (PNG, 182x34) to the dotted box, or click Choose File to select it from your file system.
3. Click Save Changes.

Admin > Apple App Catalog (Branding)

You can brand the Apple app catalog to make its appearance more familiar to your end users for iPhone, iPad, and Mac devices. You can customize the following items in the Apple app catalog:
- catalog logo (PNG, 360x64)
- catalog name
- webclip icon (PNG, 1024x1024)
- webclip name

To brand the Apple app catalog:

1. In the Apple App Catalog Branding screen, click Customize (upper right).
2. Drag the logo file to the dotted box, or click Choose File to select it from your file system.
3. Edit the App Catalog Name text to change the label shown at the top of the catalog. Note: The app catalog name you enter applies to Android, iOS, and macOS.
4. Drag and drop the webclip file to the dotted box, or click Choose File to select it from your file system.
5. Edit the Webclip Name text to change the label shown under the app catalog webclip icon.
6. Click Save Changes.

Using Microsoft Azure

Setting up Azure AD

To set up Azure AD:

1. Go to the Microsoft Azure site to purchase your Azure account.
2. Use your existing Hotmail or Outlook.com account, or create a new account and register as a new user.
3. Buy an Azure account by using one of the payment options and following the verification steps.
4. Ask Microsoft to whitelist the MobileIron Cloud tenant.
5. Use the same Hotmail or Outlook.com account you used in step 2 to log in to AAD as an admin.
6. Go to the Domain tab. A default domain, TestMiBGLRoutlook.onmicrosoft.com, is created for your account, and any users created will belong to this domain. If needed, you can create a custom domain.
7. Go to the Applications tab and click Add Application to map the MobileIron Cloud MDM.
8. Select the option Add an application from the gallery.
9. Select the Mobile Device Management category.
10. Select the MobileIron MDM from the App gallery.
11. Click Configure. Add the MDM end points (Enrollment discovery and Terms of Use End point) and save the configurations.

Creating Users on Azure AD

To create users on Azure AD:

1. Go to Active Directory -> Default Directory -> Users.
2. Select the Add user option -> Select New user in your organization.
3. Enter the username. Click next (->). The User Profile page is displayed.
4. Add the user information, such as first and last name and the display name.
5. Use the dropdown menu to assign the appropriate role to the user.
6. Generate the temporary password. The user will be required to change this password at the first login.

Microsoft Azure AD Enrollment

Requirements
- Users must be registered in MobileIron Cloud.
- Connect your domain to enroll users on their Windows 10 Mobile devices.

1. Click Join Azure AD.
2. Enter username and password.
3. Click Sign in.
4. Accept the EULA.
5. Click Create PIN. If you have enabled Microsoft Passport for Work PIN complexity, you are prompted to set up a complex PIN as per the configured policy. Azure AD authenticates the user and downloads a JWT (JSON Web Token) to the device. The device is now enrolled. The user is contacted through the device for verification.
6. Enter and confirm a PIN.
7. Click OK.

To set up Microsoft Azure with EMM

Setting up users
1. Go to Admin > Microsoft Azure.
2. Click Setup Microsoft Azure with EMM service.
3. Go to Accounts settings in the Microsoft Azure.
4. Go to the Applications section.
5. Select Add EMM application from gallery.
6. Select MobileIron Cloud EMM.

Assigning Users
7. Go to Azure Account Configuration.
8. In manage device for these users, verify the setting is for All Users.
9. Enter the Azure AD Domain.
10. Click Connect Account.

Enabling Microsoft Passport for Work for Windows 10 Devices
11. Click Edit under the Passport for Work section.
12. Select Enable Passport for Work for Windows 10 Devices.
13. Set the PIN complexity options, including the minimum and maximum lengths. You must enable at least one of the following options:
    1. Digits

   2. Special characters
   3. Uppercase letters
   4. Lowercase letters
14. Click Save.

Disabling Microsoft Passport for Work for Windows 10 devices

1. Click Edit under the Passport for Work section.
2. Deselect Enable Passport for Work for Windows 10 Devices.
   Note: Disabling this option does not remove the PIN from the device.
3. Click Save.

Note: The first time a tenant is built, or is upgraded to version R39 or later from an earlier version of MobileIron Cloud, and Microsoft Azure is enabled, Passport for Work is enabled by default. The PIN constraints are set to digits with a minimum length of 4. If the administrator wants to disable Passport for Work, the feature should be disabled before registering any users or devices. Otherwise, the default PIN constraints take effect unless modified on the Administrator Portal.

Microsoft Azure AD Enrollments with Microsoft Passport for Work Support

Windows 10 devices can join Microsoft Azure AD through the out-of-box experience (OOBE), post-OOBE, and the Bring Your Own Device (BYOD) flow. After enabling Microsoft Passport for Work in MobileIron Cloud, users on these devices can create complex PINs as per the configured policy and use the PINs to sign in to the devices.

Here is an example of the BYOD enrollment:

1. On your Windows 10 device, go to Windows Settings > Accounts > Access work or school.
2. On the Connect to work or school page, click Connect.
3. Follow the instructions to enter your account details. You are prompted to set up a complex PIN as per the policy configured on MobileIron Cloud for your organization.
4. Sign out of Windows and sign in again using the PIN.

Note: Devices that are already enrolled receive the Microsoft Passport for Work policy configuration after the devices check in with MobileIron Cloud.
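To make the PIN complexity settings above concrete, here is an added example that models the policy the way this guide describes it: a minimum and maximum length plus at least one enabled character class, with the post-R39 default of digits only and minimum length 4. It is not MobileIron code and does not call any Windows or Azure API; the PinPolicy type, the field names and the check_pin function are this example's own, and it assumes that enabling a character class means the PIN may contain characters of that class (so a class that is not enabled may not appear at all).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    """Passport for Work PIN constraints as listed in the Admin portal.

    Field names are this example's own; they mirror the options in the guide
    (minimum/maximum length, digits, special characters, uppercase, lowercase).
    """
    min_length: int = 4
    max_length: int = 127  # placeholder upper bound chosen for the example
    digits: bool = True
    special: bool = False
    uppercase: bool = False
    lowercase: bool = False

    def __post_init__(self) -> None:
        # The portal requires at least one character class to be enabled.
        if not (self.digits or self.special or self.uppercase or self.lowercase):
            raise ValueError("at least one character class must be enabled")
        if self.min_length < 1 or self.max_length < self.min_length:
            raise ValueError("invalid length bounds")


# Default applied when a tenant is built or upgraded to R39+ with Azure enabled:
# digits only, minimum length 4.
DEFAULT_POLICY = PinPolicy()


def _char_class(ch: str) -> str:
    """Map one character to the policy class it belongs to."""
    if ch.isdigit():
        return "digits"
    if ch.isupper():
        return "uppercase"
    if ch.islower():
        return "lowercase"
    # Anything else (punctuation, symbols, spaces) counts as a special character.
    return "special"


def check_pin(pin: str, policy: PinPolicy = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN complies.

    Assumption (see lead-in): an enabled class is permitted in the PIN, and a
    class that is not enabled must not appear at all.
    """
    problems: list[str] = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(pin) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    allowed = {
        name
        for name, enabled in (("digits", policy.digits), ("special", policy.special),
                              ("uppercase", policy.uppercase), ("lowercase", policy.lowercase))
        if enabled
    }
    # Report each disallowed class once, in a stable order.
    for cls in sorted({_char_class(ch) for ch in pin} - allowed):
        problems.append(f"character class '{cls}' is not enabled")
    return problems


if __name__ == "__main__":
    print(check_pin("1234"))   # complies with the default policy
    print(check_pin("123"))    # too short for the default policy
    print(check_pin("12ab"))   # lowercase is not enabled by default
    strict = PinPolicy(min_length=6, max_length=8, digits=True, uppercase=True, special=True)
    print(check_pin("12Ab#x", strict))  # lowercase is not enabled in 'strict'
```

Running the check against the default policy shows why the guide's note matters: a tenant that never adjusts the defaults will accept any all-digit PIN of four or more characters, so an organization that wants length or character-class requirements must set them before devices enroll.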
Android for Work

License: Silver

Note: Android for Work-enabled MobileIron productivity apps like Email+, Docs@Work, and Web@Work require a Gold license.

Tunnel for Android for Work requires a Platinum license.

Android for Work enables use and configuration of Android for Work apps. Android for Work users can view and install apps from the MobileIron app catalog as well as from Google Play.

Configure Android for Work

1. In the MobileIron Cloud portal, click Admin.
2. Select Android for Work.
3. Select Authorize Google or Use Managed Google Account Setup, as described below:
   a. For enterprises that are NOT G Suite subscribers: click Authorize Google to initiate a process that enables Google to provision users with Android for Work accounts. This method allows users to be enrolled with Android enterprise (Android for Work) WITHOUT sending any personal information (email addresses) to Google. You will be asked to authorize Android enterprise with an admin Google account.
   b. For enterprises that are G Suite subscribers: click Use Managed Google Account Setup. This method allows your users to enroll in Android enterprise (Android for Work) with their Google accounts. Each user is required to have a Google account to enroll with Android enterprise (Android for Work).

4. Follow the directions on the screen to complete the configuration process.
   For the automatic method, this includes:
   a. Enabling your EMM API and creating your Enterprise Credentials.
   b. Enrolling in Google by authorizing the owner of the integration. This should be an IT account rather than a personal account.
   c. Setting your credential by dragging and dropping your Service Account JSON Client ID.
   For the alternate method, this includes:
   a. Looking up your Android for Work token and service account in the Google Developers Console and Admin Console.
   b. In MobileIron Cloud, entering your MDM token and Google domain to connect to the Google service.
   c. In MobileIron Cloud, dragging and dropping your Service Account JSON Client ID.
   d. Authorizing MobileIron Cloud to view and/or manage your Google users by clicking Authorize in MobileIron Cloud, and selecting Accept in the Google authorization dialog.
   The MobileIron Cloud user interface guides you through these steps.

Configure Android for Work profile

1. In the MobileIron Cloud portal, go to Configurations.
2. Click +Add.
3. Select Lockdown & Kiosk: Android for Work configuration. The Create Lockdown & Kiosk: Android for Work configuration page is displayed.
4. Enter a configuration name and description. Choose a Lockdown type.
5. Click Lockdown - Android for Work Profile. The Android for Work Lockdown settings options are displayed.
6. Select the lockdown settings you want to apply to the target devices:

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
Disable Screen Capture (Android 5.0 +) | Select to prevent devices from using the native screen capture feature.
Disallow Apps Control (Android 5.0 +) | Select to prevent users from modifying apps in Settings or launchers.

Disallow Config Credentials | Select to prevent users from setting up user credentials.
Disallow Cross Profile Copy/Paste | Select to prevent devices from copying and pasting to other Android for Work profiles.
Disallow Modify Accounts (Android 5.0 +) | Select to prevent users from adding and removing accounts.
Disallow Outgoing Beam (Android 5.0 +) | Select to prevent a user from using NFC to transfer app data.
Disallow Share Location (Android 5.0 +) | Select to prevent websites and apps from prompting the device user to share the device location.
Restrict Input Methods (Android 5.0 +) | Select to restrict input methods by designating a list of whitelisted package names. If there are no whitelisted packages, only system input methods are allowed. The restriction applies not just to work apps but to the entire device.
Restrict Accessibility Services (Android 5.0 +) | Select to restrict accessibility services by designating a list of whitelisted package names. If there are no whitelisted packages, only system accessibility services are allowed. The restriction applies not just to work apps but to the entire device.
Disable Caller ID (Android 6.0 +) | Select to prevent the device from identifying itself to other devices when initiating a call.

Important: When the user adds a Google Account using Add account in Settings, the Google authentication server checks whether the domain of the account is registered as an EMM-managed domain. Verify that Enforce EMM policies on Android devices is checked. If so, the MobileIron Go client is automatically installed or updated (if it is not already installed on the device) and launched. Once the user goes through the registration process, the user is prompted to

create a work profile, and the Google Account is automatically migrated to the work profile.

Android for Work Accounts

License: Gold

Android for Work accounts enable use and configuration of Android for Work without having to sync Active Directory information directly to Google. You no longer have to use Google Apps Directory Sync (GADS) or have your users log into a Google account.

Important: If you have already set up Android for Work, you must first unregister and retire those devices to be able to use this feature.

Configure Android for Work

1. In the MobileIron Cloud portal, go to Admin > Android for Work. If Android for Work is already set up, the Android for Work Setup screen is displayed. New Android for Work customers who don't have a Google Apps account use the Recommended Setup Method. If there is an existing Android for Work configuration that was created at an earlier date, the new Android for Work screen is not shown; the existing Android for Work configuration must be removed to use the Recommended Setup Method.
2. Click Begin to display the first Android for Work screen.
3. Click Google Developers Console to display the Google Developers Console page with directions on how to:
   - Create a Google Project and enable the EMM API
   - Create your EMM Credentials
4. Go to Enroll with Google and enter an arbitrary string for the username.
5. Click Authorize to display the Google Play for Work screen.
6. Click Get Started. Enter your company name on the Organization details page. Accept the Android for Work agreement.
7. Click Confirm.
8. Drag and drop your JSON Client ID file, or click Choose File to navigate to the JSON Client ID file and select it.
9. Click Set Credentials.
10. Click Authorize. Verify that the Connected to Google status is displayed.

Note:

Any user logged into the account can register a device; the user does not have to be a Google user. Once you enroll an account, it currently cannot be unenrolled.

Admin > App Reputation

License: Platinum

Integrate MobileIron Cloud with an app reputation vendor to access app threat scores and lists of apps with specified behaviors.

Prerequisites

Enabling app reputation requires an account with a supported app reputation vendor. When enabling app reputation, you will need to have set up on your app reputation vendor site some or all of the following items, depending on your vendor:
- org id
- username
- password
- auth token

You need to have the associated information handy when enabling app reputation on MobileIron Cloud.

Enabling App Reputation

To enable app reputation:

1. Click Admin.

2. Click App Reputation.
3. Click Setup App Reputation.

4. Select a vendor from the Please Select a Vendor drop-down list, and then supply the information requested by the resulting fields. See Prerequisites for the kinds of information you may be asked to supply.
5. Drag the red score settings tab to the desired value. Your app reputation vendor rates as risky any app with a score over the threshold you set. Consult your app reputation vendor for the recommended setting.
6. Use the Add Exceptions controls to add apps with scores exceeding the threshold value that you would like marked as safe, preventing them from being flagged as part of compliance checks. This is sometimes useful for in-house apps or apps already deemed appropriate for use on managed devices.
7. Select the Enable App Reputation on Save check box.
8. Click Save.

Note: The reputation scores are refreshed daily for tenants with vendors supporting per-tenant reputation scoring.

Can't see the App Reputation page?

Maybe you do not have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > App Lists

License: Silver

You can create lists of required, whitelisted, and blacklisted apps for use with the Allowed Apps policy, where you can use these lists to help specify actions to take if a device's installed apps do not meet the requirements implied by the app lists. You cannot edit app lists once created, because app lists can be referred to in Allowed Apps policies. Similarly, you cannot delete app lists referred to by any Allowed Apps policies.

To create app lists

1. Click Admin.


2. Click App Lists.

3. Click Create New List.
4. Configure a name for the list.
5. Select the type of list: Whitelist, Blacklist, or Required.
6. Select the app type: iOS Store, OS X Store, Google Play, or App Catalog.
7. Enter search criteria to narrow your choices.
8. Use the check boxes to select apps. You can use multiple searches and select more than one check box.

   Note: Click the View Apps tab for a list of apps you have selected so far.
9. Click Save.

Now you can use this list when you configure the Allowed Apps policy.

Can't see the App Lists page?

Maybe you do not have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Unmanaged Devices

License: Silver

You can allow Mobile Application Management (MAM) for user devices without a Mobile Device Management (MDM) profile, to distribute apps to the unmanaged devices and add unmanaged device users.

Enabling and disabling unmanaged devices

1. Go to Admin > Unmanaged Devices.
2. Turn on the Unmanaged Devices Settings option if it is turned off.

Distributing apps to unmanaged devices

Note: Unmanaged devices will not receive any app configurations, as these can only be delivered to devices under management. All apps for unmanaged devices must be installed manually by the user and cannot be removed from unmanaged devices by the administrator (the user would need to remove those apps manually).

1. Go to Admin > Unmanaged Devices.
2. Turn on the Unmanaged Devices Settings option if it is turned off.
3. Click Add Apps. The App Catalog page is displayed.
4. Click +Add.
5. Search for an app from a public store, upload an in-house app, or select one of the listed business apps to distribute to the unmanaged devices.

6. Under App Settings, turn on the Allow this App to be distributed to Unmanaged Devices option.
7. Complete the remaining app settings and distribution options.
8. Click Done.

Managing unmanaged device users

1. Go to Admin > Unmanaged Devices.
2. Turn on the Unmanaged Devices Settings option if it is turned off.
3. Click Add LDAP or Local Users. The Users page is displayed.
4. You can perform one or more of the following actions:

Add one or more unmanaged device users

1. Click +Add to add single or multiple users from the corresponding menu options.
2. Enter the details in the Email Address, First Name, Last Name, Password, and Confirm Password fields.
3. In the Unmanaged Devices option, select the Add as Unmanaged Devices User check box.
4. Complete the remaining user settings and click Done.

Add unmanaged device LDAP users

1. Click +Add > Invite Users from LDAP.
2. Complete the remaining user settings and click Done.
3. From the Users page, select the LDAP users.
4. Click Actions > Assign as Unmanaged.
5. In the pop-up window, select the mark confirmation option and click Continue.

Tag or un-tag existing users as unmanaged device users

1. Go to the Users page.
2. Select the existing users to be tagged or un-tagged as unmanaged device users.
3. To tag the selected users as unmanaged device users, click Actions > Assign as Unmanaged.
4. To un-tag the selected users as unmanaged device users, click Actions > Remove Unmanaged Status.
5. In the pop-up window, select the mark or remove confirmation option and click Continue.

Note: Half-account users cannot be tagged as unmanaged device users.

Disabling unmanaged devices

Disabling unmanaged devices results in data loss, including but not limited to:
- All Unmanaged Devices users will be converted back to MDM users.
- Any apps that have been enabled as Unmanaged Devices apps will be reset.

- Apps that have been distributed to users may still exist on their devices.
- Unmanaged Devices App Catalog settings will be reset to default.

Perform the following steps to disable unmanaged devices:

1. Go to Admin > Unmanaged Devices.
2. Turn off the Unmanaged Devices Settings option if it is turned on.
3. Select the I understand that turning OFF the Unmanaged Devices feature cannot be reversed option.
4. Click Turn Off Unmanaged Devices.

Admin > Infrastructure > Help@Work

License: Platinum

Help@Work transforms the help desk experience for iOS and Android devices by allowing users to ask for help with a click of a button and to share their screen with a help desk agent. Users no longer waste valuable time trying to verbalize the issue, and IT staff are more efficient when troubleshooting device issues.

To set up Help@Work for Android

1. Go to the Admin tab.

2. Click Admin > Infrastructure > Help@Work.
3. Click the Android tab.
4. Click the Enable TeamViewer link, and then follow the instructions on the resulting pages and dialog boxes.
5. Distribute the TeamViewer app. See App Configuration for instructions.

To set up Help@Work for iOS

1. Go to the Admin tab.

2. Click Admin > Infrastructure > Help@Work.
3. Click the iOS tab.
4. Click the Download SDK link. The Help@Work for iOS SDK includes the Help@Work for iOS client application, which is required for establishing remote sessions with devices. The SDK also includes browser plug-ins that provide the network information you will need for establishing support sessions.
5. Optionally, follow the instructions in the SDK to customize the app branding. The Help@Work for iOS client app is provided without branding.
6. Upload the Help@Work for iOS app as an In-House app to your App Catalog. See the section "To add an In-House app" in App Catalog.
7. Install the browser plug-in. Staff providing remote support will need to set up their browsers to extract network information about the device used by Help@Work for iOS. This information is needed before each session and is sent to the user's device when a session is initiated. The SDK includes a MobileIron-signed plug-in for Firefox browsers. A Python script for extracting this information is also provided.
8. Set up VPN and/or Sentry with Tunnel configured on your system to reach remote users and devices. See VPN Configuration, Sentry, and Set Up AppTunnel.

Admin > Android App Catalog (Branding)

You can brand the Android app catalog to make its appearance more familiar to your end users. You can customize the following items in the Android app catalog:
- Catalog logo (PNG, 360x64)
- Catalog name
- Action bar color
- Shortcut icon
- Shortcut name

To brand the Android app catalog:

1. In the Android App Catalog Branding screen, click Customize (upper right).
2. To change the App Catalog Logo, drag the logo file to the dotted box, or click Choose File to select it from your file system.
3. Click the Action Bar Color field to display a color palette to select from, or enter the hex number for the color you prefer.
4. Edit the App Catalog Name text to change the label for the catalog.
   Note: The app catalog name you enter applies to Android, iOS, and macOS.
5. To change the Shortcut Icon, drag the icon file to the dotted box, or click Choose File to select it from your file system.
6. Edit the Shortcut Name text to change the label for the app shortcut.
7. Click Save Changes.

Admin > Android Kiosk Branding

License: Silver

You can brand the Android kiosk page to make its appearance more familiar to your end users. You can customize the following items:
- banner logo (PNG, 840x114) or text
- banner border color
- banner background color
- screen background color
- screen background image (1280x800)

- screen background format

To brand the Android kiosk screen:

1. In the Kiosk Mode Branding screen, click Customize (upper right).
2. If you want to turn off the banner, uncheck Enable Top Banner.
3. Click the Banner Background Color field to display a color palette to select from, or enter the hex number for the color you prefer.
4. Click the Banner Border Color field to display a color palette to select from, or enter the hex number for the color you prefer.
5. Select Image/Logo or Text to set the banner content.
6. If you selected Image/Logo, drag and drop the image file or click Choose File to select one.
7. If you selected Text, type the text you want to display in the banner.
8. Click the Background tab.
9. Click the Background Color field to display a color palette to select from, or enter the hex number for the color you prefer.
10. To change the background image:
   a. Delete the default image.
   b. Drag and drop the preferred image, or click Choose File to select one.
   c. Select the preferred layout.
11. Click Save Changes.

Using Scheduled Reports

License: Silver

The Scheduled Reports feature enables you to schedule and generate reports on various metrics with pre-packaged templates ready to use. You must have the System Administrator or the System Read Only role to access this feature. A maximum of 50 recurring reports of each type may be created.

Generating a Report

To schedule and generate a report:

1. Go to Dashboard > Reports.
2. Click Create a report to display the Choose a Report Template page.
3. Choose a template for your report from the options you have configured:
   - Blocked Devices
   - Devices

   - Policy Violations
   - Users
   - User Password Expiry Status
   - Most Used Apps
   - Unmanaged Apps
4. Click Next. The Scope page is displayed. Choose from these scope options:
   - All
   - Since Date - defaults to the current date. Click the date field to specify a different date.
   - In the last - Choose a range from 4 hours to 52 weeks to specify the scope of data over a specific period of time.
5. Click Next. The Details page is displayed.
   - Enter a Report Name.
   - (Optional) Enter a Description for the report.
   - (Optional) Select the Make this report permanent check box. Permanent reports cannot be modified or deleted, or have bulk actions applied to them. In the Reports list view, any existing permanent reports appear pinned at the top of the list.
6. Click Next. The Run or Schedule page is displayed.
7. Click Run Now to run the report in the next few hours, or click Schedule to specify how often the report will be run. The Run Now option generates a one-time report. You can use the same template to generate scheduled reports. On the Dashboard > Reports page, the Frequency and Next Scheduled columns display Unscheduled status for these reports.
8. Select one of the following formats for downloading the report:
   - CSV
   - PDF
   - CSV and PDF
   For PDF report files, up to 10 columns are allowed. In the Report Charts section, the two types of charts that will be included in the PDF reports are displayed.
9. Click Next. The Share this Report page appears.
10. Choose the recipients of this report. Optionally, add external email IDs.
11. Click Done. The Summary page is displayed.
12. Optionally, click Edit to modify your report.
13. Optionally, click the Actions pull-down menu to:
   - Disable Report
   - View the Last Report

   - View Report History
   - Delete Report
14. Click Save.
15. Click the download icon to select the format of the report. An email containing a Download Report button to download the report is sent to the recipients of the report.

Using Custom Reports

License: Gold

The custom reports feature enables you to customize and generate reports on various metrics with pre-packaged templates ready to use. You must have the System Administrator or the System Read Only role to access this feature. A maximum of 50 recurring reports of each type may be created.

Generating a Report

To schedule and generate a report:

1. Go to Dashboard > Reports.
2. Click Create a report to display the Choose a Report Template page.
3. Choose a template for your report from the options you have configured:
   - Blocked Devices
   - Devices
   - Policy Violations
   - Users
   - User Password Expiry Status

   - Most Used Apps
   - Unmanaged Apps
4. Click Next. The Scope page is displayed. Choose from these scope options:
   - All
   - Since Date - defaults to the current date. Click the date field to specify a different date.
   - In the last - Choose a range from 4 hours to 52 weeks to specify how often the report will be run.
5. Click Next. The Details page is displayed.
   - Enter a Report Name.
   - (Optional) Enter a Description for the report.
   - (Optional) Select the Make this report permanent check box. Permanent reports cannot be modified or deleted, or have bulk actions applied to them. In the Reports list view, any existing permanent reports appear pinned at the top of the list.
6. Click Customize to generate a custom report:
   - Add, remove, or reorder headers in the Report Columns section. Click Restore Defaults to revert to the previously generated headers. To revert to the headers without any customizations, you can choose one of the templates from the Choose a Report Template page.
   - Create filters based on specific rules in the Filter Conditions section.
   On the Dashboard > Reports page, the Template Name column displays "custom" in brackets to indicate that the report has been customized.
7. Click Next. The Run or Schedule page is displayed.
8. Click Run Now to run the report in the next few hours, or click Schedule to specify how often the report will be run over a specified time span. The Run Now option generates a one-time report. You can use the same template to generate scheduled reports. On the Dashboard > Reports page, the Frequency and Next Scheduled columns display Unscheduled status for these reports.
9. Select one of the following formats for downloading the report:
   - CSV
   - PDF
   - CSV and PDF
   For PDF report files, up to 10 columns are allowed. In the Report Charts section, the two types of charts that will be included in the PDF reports are displayed.
10. Click Next. The Share this Report page is displayed.
11. Choose the recipients of this report.
   Optionally, add external email IDs.

12. Click Done. The Summary page is displayed.
13. Optionally, click Edit to modify your report.
14. Optionally, click the Actions pull-down menu to:
   - Disable Report
   - View the Last Report
   - View Report History
   - Delete Report
15. Click Save.
16. Click the download icon to select the format of the report. An email containing a Download Report button to download the report is sent to the recipients of the report.

Admin > GOOGLE/ANDROID > Google Apps API

Google customers who use Single Sign-On (SSO) to authenticate user access to Google Apps services may not be able to use Exchange to connect users to email, contacts, and calendar, due to limitations in the protocol that prevent devices from supporting SSO-triggered redirects to external authentication services. This service addresses this condition by creating and managing account passwords for ActiveSync connectivity.

Prerequisites

Before attempting to configure the Google Apps API feature, you need:
- Admin access to an account on the Google Developers console
- Admin access to an account on the Google Admin console

To enable the Google Apps API feature:

1. Select Admin > GOOGLE/ANDROID > Google Apps API.
2. Click Step 1: Google Dev at the bottom of the rectangle on the left labeled 1. The Step 1: Google Dev page appears.
3. Follow the instructions that appear on the Step 1: Google Dev page, and then click Done.
4. Click Step 2: Google Admin at the bottom of the middle rectangle labeled 2. The Step 2: Google Admin page appears.
5. Follow the instructions that appear on the Step 2: Google Admin page, and then click Done.

6. Enter the Google Admin user name in the Enter the Google Admin user name field in the rectangle on the right labeled 3.
7. In the same rectangle, click Choose File to upload the JSON file you downloaded earlier.
8. Click Save.

Can't see the Google Apps API page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Tenant Suspension

Access to a tenant used with an evaluation license or a production license might be suspended by MobileIron Cloud. An Evaluation License might be suspended when the evaluation period expires or when the usage allowance has been exceeded. A Production License might be suspended when the subscription period expires or when the usage allowance has been exceeded. MobileIron Cloud will restore a suspended tenant when the license has been renewed or, in case of an overage, when additional licenses have been purchased.

When a tenant license is suspended:
- Existing registered devices continue to function normally.
- Administrators cannot log in to the Admin portal.
- New devices cannot be registered.
- API access to the tenant is blocked.
- End users can continue to access the Self-Service portal.

Tenant Suspension Action and Error Messages

Suspension Action | Error | Error message displayed | Location
API access is blocked. | API call fails (API error 401). | Access denied. Your Evaluation License has expired. Please renew your license to re-enable API access. Contact your System Administrator for details. | End Customer integration
New devices are blocked from registering. | An error message is displayed on the enrollment screen. | Unable to register your device. The license for your system has expired. Please contact your system administrator for details. Previously enrolled devices will continue to operate normally. | Following password verification.
Administrator is blocked from logging in to the Admin portal. | An error message is displayed on the login screen. | Unable to login. Your License has expired. Please renew your license to regain access to the Admin Portal and to enroll new devices. Devices that have been previously enrolled devices will continue to operate normally. Contact your sales representative to renew your licenses. | Following password verification.

Note that the Admin password expires after one year (365 days).

End User Invitation Branding

Admin > End User Invitation (Branding)

You can brand the end user invitation email to make its appearance more familiar to your end users. Click Revert to Default Settings to clear the customizations.

You can customize the following header fields:
- Display Name
- From Address
- Reply-to Address

You can also customize the following templates in all of your supported languages:
- Invitation with a PIN
- Invitation without a PIN
- Invitation for IDP (SAML)

Previewing and testing an email template

You can preview and test the templates. The test allows you to send an email based on the template to an email address you specify.

To preview and test an email template:

1. Click Admin.
2. Click End User Invitation Email.
3. Click the Preview and Test link associated with the template you wish to preview and test.
4. View the rendered template in the rendered template pane.

5. Specify a test email address to which to send the test email. If the address you specify belongs to a current user, the test substitutes values for most of the template variables, giving a very accurate idea of the user experience of the email. However, the test does not substitute values for variables MobileIron Cloud generates at the time it generates an actual invitation.
6. Click Send Test Email.

Customizing the message headers

1. Click Admin.
2. Click End User Invitation Email.
3. Click Edit.
4. Provide new settings as desired for Display Name, From Address, and Reply-to Address.
5. Click Save.

Customizing the end user invitation subject and body

1. Click Admin.

2. Click End User Invitation Email.
3. Click the edit pen icon adjacent to the template you wish to customize.

4. Edit the subject line if desired.
5. Edit the source code in the body pane. You can use the variables displayed on the right in the body of the email. See Supported variables.
6. Click Preview to preview the template as you iterate on it to your satisfaction.

7. When you are ready to save the template, click Preview. This renders the preview and provides a save function.
8. Click Save if you are satisfied with the preview.

Supported variables

MobileIron Cloud offers several variables you can use to customize your templates.

Recommended variables

These variables are recommended because they contain important registration information typically included in end user invitation emails.

Variable
${useractivationurl}
${clusterregistrationurl}

${registrationpin}
${registrationpinexpiration}
${enduserportalleourl}

Other supported variables

The following variables are also supported.

Variable
${productbrandname}
${companylogourl}
${message:${ .invitation.title}}
${message:${ .invitation.pg1}}
${message:${ .invitation.get.started}}
${message:${ .invitation.pg2}}
${message:${ .invitation.pg3}}
${message:${ .footer}}

${companywebsitelabel}

Custom user attribute variables

An admin can use custom user attributes as variables in the customized template under the following conditions:
- The custom user attributes exist on the Admin > Attributes page.
- An admin has assigned the custom user attributes to users, with a value given for each custom user attribute for each user.
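Because the template body is HTML source and the variables above are expanded straight into it, it is worth seeing what a substitution pass has to get right. The following Python is an added example, not MobileIron's template engine, written from the behaviour this section describes: ${name} placeholders are replaced, ${message:KEY} is looked up in a message catalog with nested placeholders resolved innermost first, and unknown placeholders (such as the registration-time values the test send leaves unfilled) are left in place. Two choices are this example's own and are not documented product behaviour: substituted values are HTML-escaped, and substituted text is never rescanned, so a custom user attribute whose value contains ${...} cannot expand a second variable. The sample values, catalog and template are constructed, and the assumed meaning of the inner variable in ${message:${email.footer}} is that it names a catalog key.

```python
"""Render an End User Invitation template. Added example, not MobileIron's renderer.

Assumed semantics: ${name} is replaced by the value of name; ${message:KEY} looks KEY
up in a message catalog; nested ${...} resolve innermost first, so
${message:${email.footer}} first resolves ${email.footer} (whose value is a catalog key).
Unknown variables are left in place, as the guide says the test send does for values
generated only at invitation time. Values are HTML-escaped because the body is HTML
source; that is this example's choice, not documented product behaviour.
"""
import html


def _closing_brace(text, start):
    """Index of the '}' closing the '${' at start, honouring nesting; None if unterminated."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return None


def _lookup(name, values, messages):
    """Resolve a placeholder name: catalog lookup for message:KEY, otherwise a value."""
    if name.startswith("message:"):
        return messages.get(name[len("message:"):])
    return values.get(name)


def render(template, values, messages, _escape=True):
    out, i = [], 0
    while i < len(template):
        if not template.startswith("${", i):
            out.append(template[i])
            i += 1
            continue
        end = _closing_brace(template, i)
        if end is None:                      # unterminated placeholder: emit literally
            out.append(template[i:])
            break
        # Resolve the name itself first so nested ${...} inside it are expanded.
        name = render(template[i + 2:end], values, messages, _escape=False)
        value = _lookup(name, values, messages)
        if value is None:
            out.append("${" + name + "}")    # unknown: leave the placeholder for later
        else:
            # Substituted text is never rescanned, so a value like "${registrationpin}"
            # supplied through a user attribute cannot trigger a second expansion.
            out.append(html.escape(value, quote=True) if _escape else value)
        i = end + 1
    return "".join(out)


# Constructed sample values and message catalog (not from the guide).
SAMPLE_VALUES = {
    "productbrandname": "MobileIron Cloud",
    "useractivationurl": "https://example.test/activate?u=1&t=2",
    "department": "R&D <Eng>",           # custom user attribute with HTML-significant characters
    "email.footer": "footer.standard",   # resolves to a catalog key
}
SAMPLE_MESSAGES = {"footer.standard": "Sent by the IT service desk"}
SAMPLE_TEMPLATE = (
    "<p>Welcome to ${productbrandname}, ${department}.</p>"
    '<p><a href="${useractivationurl}">Activate</a> with PIN ${registrationpin}</p>'
    "<p>${message:${email.footer}}</p>"
)

if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, SAMPLE_VALUES, SAMPLE_MESSAGES))
```

In the sample output the department value arrives as `R&amp;D &lt;Eng&gt;`, the activation link's `&` becomes `&amp;` (correct inside an href attribute), and `${registrationpin}` is left for the real invitation to fill, which is the same thing the test send does.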

Upgrading

Upgrading a license

The basic features are provided in the Bronze package. You can expand the Bronze package by:
- adding more devices
- adding Silver
- adding Gold
- adding Platinum
These additions expand your mobile solution beyond basic device configuration.

How do I request an upgrade?

To request an upgrade:
1. Select Upgrade Options from the admin drop-down menu.
2. Click Request Upgrade / Add Devices (upper right).
3. Select the items you want to add and enter your phone number. A representative will contact you in about 24 hours with details.

Upgrading from a previous release

When upgrading from a previous release, the settings on the Edit DEP Profile page are not preserved. Note your option settings before upgrading. If Skip signing in to Apple ID and iCloud is enabled before upgrading, then Skip Apple Pay setup will be enabled after upgrading. If Skip entering passcode is enabled before the upgrade, then Skip Touch ID and Skip Apple Pay setup will be enabled after the upgrade.
1. After the upgrade is complete, return to the Edit DEP Profile page and edit the DEP profile to restore the desired settings.
2. Click Save.

After upgrading, several configuration settings are affected. Note that:

- Promotion options are set to Off.
- Installation settings are set to No.
- The Don't Show in App Catalog option is no longer selected.
- Silent Install on Android Samsung SAFE is set to False.
- iOS Management Flags are set to Back up to iCloud and Remove on unenrollment. Note: These iOS Management Flag settings can be selected for each app individually.
- App settings: App settings are now called Configurations.
All other app settings remain as they were prior to the upgrade. Because the silent-install and management-flag settings are reset, review each app's settings after the upgrade before relying on them: an app that was silently pushed to Samsung SAFE devices before the upgrade will not install silently again until the option is re-enabled.

See also Packages

Packages

MobileIron Cloud basic features are provided in the Bronze package. You can expand the Bronze package by:
- adding more devices
- adding Silver
- adding Gold
- adding Platinum
These additions expand your mobile solution beyond basic device configuration.

Silver

Upgrading to Silver adds the following features:
- LDAP and Connector: Support for adding corporate directories and certificate authorities to MobileIron Cloud.
- Sentry: Support for access control.
- Device partitions: Support for designating devices for management by different administrators (delegated administration).
- Supervised mode: Device-level support for fine-grained configuration, including single-app mode.
- Self-Service Portal branding: Use your logo in the Self-Service Portal.
- Certificate Authorities: Use MobileIron Cloud as a certificate authority.
- Silent app install/uninstall: Automatically deploy and remove apps from a mobile device.
- App whitelist/blacklist/required apps: Monitor and control which apps are installed on devices.
- Web content filter: Apply website whitelist/blacklist policies to all web browsers.
- Per app VPN: VPN protection that is immediate, invisible, and specific to the mobile app.
- Apple-specific functionality: Enable/restrict AirPlay, AirDrop, iOS wallpaper distribution, and Apple TV.
- Android Kiosk mode: Support for configuring Android devices to operate in kiosk mode.
- Android Kiosk branding: Change the background and banner of the kiosk screen displayed when devices operate in kiosk mode.

Gold

Upgrading to Gold adds the features provided by Silver as well as the following features:
- Android for Work: Provide Android users with access to Google's container solution.

- Single sign on: Users authenticate once and are automatically logged in to other enterprise mobile apps.
- Open-in management: Control which mobile apps can open which enterprise content.
- Per app configuration: Deploy configured mobile apps at scale, with little to no action required by the end user.
- Apple Volume Purchase Program (VPP): Distribute mobile app licenses to devices, and reclaim and reassign those licenses when a device is retired.
- iOS App Catalog branding: Display your company logo in the app catalog.
- Increased content limit: 50 files, 25 MB each.
- AppConnect for iOS: Secure and configure AppConnect-enabled apps.
- AppTunnel for iOS: Secure app access to enterprise resources.
- Docs@Work for iOS: Enable users to view, store, and share documents.
- iOS 8 certificate-based single sign on.
- iOS 8 iBook/ePub management.
- User branding.

Platinum

Upgrading to Platinum adds the features provided by Gold as well as the following features:
- MobileIron Tunnel: Configure app-specific access to enterprise data.
- Dataview for iOS: Define settings for the data monitoring app.

File a Support Ticket

You can use the Support option to access the Support portal.

To access the Support portal:
1. Click the user icon (upper right).
2. Select Support.
3. Enter your support credentials.
4. Click Login.


User Licenses

MobileIron Cloud user-based licenses define the number of users you can register, the number of devices allowed per user license, the amount of content you can configure for distribution to devices, and which features are available. If you reach your limit for users, a red triangle displays on the Admin page. If you reach your limit for content, the service prevents you from adding more and displays a message indicating that you have reached your limit.

To determine how many user licenses to plan for, consider the following points:
- Each user license allows registration of up to three devices. Once a user registers more than three devices, another user license is claimed.
- There is no enforced limit to the number of user licenses that a user can claim.
- Licenses are released when devices are retired or wiped.

For example, when User1 registers her work phone on the first day of work, she claims a user license. The following week, she registers her personal phone and a tablet under that same license. When she registers another tablet, she now has four devices, so she claims a second user license. When her personal phone is stolen, she wipes the device, which releases the second user license.

To see the number of devices/licenses for a user:
1. Go to Users > Users.
2. Click the link for the user. The left pane lists user details, including license usage.


Device Licenses

MobileIron Cloud device-based licenses define the number of devices you can register, the amount of content you can configure for distribution to devices, and which features are available. If you reach your limit for devices, a red triangle displays on the Admin page. If you reach your limit for content, the service prevents you from adding more and displays a message indicating that you have reached your limit.


How To

How to use Bulk Enrollment for Android

The bulk enrollment feature enables you to quickly register multiple Android devices with MobileIron Cloud.

License: Silver

These tasks must be done before using bulk enrollment:
1. Install the Android SDK, which includes the Android Debug Bridge (adb), on the computer used to register the devices. For more information, see the Android Debug Bridge documentation.
2. Enable USB debugging. The procedure for enabling USB debugging on Android devices varies depending on the Android release; see the Android developer documentation for your release.
3. Install the MobileIron Go client on each device.
4. Connect the devices via USB cable to the provisioning computer that will register them.

The MobileIron Go app can be started and registered to a server using the Android Debug Bridge (adb) shell. The Android Debug Bridge is a command-line tool (run from a command prompt on Windows, or from the Terminal utility on macOS) that lets you communicate with a connected Android device. From the adb shell, the command format is:

> adb shell
$ am start -a android.intent.action.main -d "mirp://na1.mobileiron.com?key=value&key=value" -n com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity

Note: The MobileIron Registration Protocol (mirp) is used to encode the data relevant to registration with MobileIron. Valid keys and values are:

user: The user's email address, as would be typed into the username field when using iReg.

Required.
password: The user's password.
pin: Registration PIN for the user.
quickstart: When set to TRUE, the splash screen shows, but not for as long. On the Welcome screen, when the spinner changes to the Continue button, the screen moves on automatically without the user tapping Continue. This streamlined provisioning flow also applies on all devices: the privacy and shortcut prompts for the user are skipped, and on Zebra devices the client grants admin privileges to itself without a user prompt (requires Zebra MX 4.3 or later). When set to FALSE, the splash screen shows as usual and the user must tap Continue on the Welcome screen. Optional; defaults to FALSE.

Note: A password, pin, or token is required to use bulk enrollment.

This example command specifies a server, user, password, pin, and quickstart:

am start -a android.intent.action.main -d "mirp://ppp183.auto.mobileiron.com?user=miadmin@auto0001.mobileiron.com&password=p@$$w0r3&pin=12345&quickstart=true" -n com.mobileiron.anyware.android.qa/com.mobileiron.polaris.manager.ui.startactivity

Sample bulk enrollment script

You can use this script as a starting point for your own bulk enrollment script. It registers all devices attached to the provisioning machine with the same user and password.

for i in `adb devices | grep -v devices | grep device | cut -f 1`
do
  echo "Registering $i"
  adb -s $i shell "am start -a android.intent.action.main -d \"mirp://<servername>?user=<user email address>&password=<password>&quickstart=true\" -n com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity"
done

Two cautions when adapting this script. The URL sits inside double quotes, first for the host shell and then (via the escaped inner quotes) for the shell on the device that runs am, and both expand $ sequences inside double quotes, so a password such as the p@$$w0r3 in the example above would be mangled before it reached the Go client; prefer a registration PIN, or single-quote the URL for the device shell and escape it for the host. Also, whatever credential you use travels on the command line, so it is visible in the provisioning host's process list and shell history and in the device's am invocation; use a short-lived PIN rather than a user's real password where you can, and clear the history when the batch is done.
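The shell script above and the error table that follows come down to the same two steps: build a well-formed mirp:// data string and hand it to am start on each attached device. The following Python is an added example, not MobileIron's code, that does this with the quoting problems handled: the command is passed to adb as an argument list, so the host shell never parses it, and the URL is single-quoted for the device-side shell that adb shell runs, so a $ in a password survives. validate_mirp reproduces the checks behind the error table. The component name and the na1.mobileiron.com host are taken from the guide's command format; the example.com addresses, the SAMPLE_ADB_DEVICES text (a constructed adb devices -l listing), the upper-case ACTION_MAIN constant, and the refusal of &, =, #, ? in values (the guide does not say whether the Go client percent-decodes, so the code refuses rather than encodes) are assumptions of this example.

```python
"""Build, validate and dispatch MobileIron mirp:// registration intents with adb.

Added example, not MobileIron code. Assumptions: the Go client parses the query
string as plain key=value pairs (as the guide's examples show), and the device-side
shell that `adb shell` invokes is POSIX-like, so single quotes protect the URL.
"""
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

# Component from the guide's command format (the .qa suffix in one example is a test build).
GO_COMPONENT = "com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity"
# Intent.ACTION_MAIN; the explicit -n component is what selects the activity.
ACTION_MAIN = "android.intent.action.MAIN"

# Characters that would break the key=value parse of the query string. Whether the
# client percent-decodes values is not stated in the guide, so refuse them instead.
_RESERVED = set("&=#? \t\n")


def build_mirp_url(server, user, password=None, pin=None, quickstart=False):
    """Return a mirp:// URL for one user; a password or a pin is mandatory."""
    if not server or not user:
        raise ValueError("server and user are required")
    if password is None and pin is None:
        raise ValueError("a password or a registration pin is required")
    params = [("user", user), ("password", password), ("pin", pin)]
    if quickstart:
        params.append(("quickstart", "true"))
    parts = []
    for key, value in params:
        if value is None:
            continue
        value = str(value)
        if _RESERVED & set(value):
            raise ValueError(f"{key} contains a character reserved by the mirp query string")
        parts.append(f"{key}={value}")
    return f"mirp://{server}?" + "&".join(parts)


def validate_mirp(url):
    """Return None if url is usable, else a message modelled on the guide's error table."""
    if not url:
        return "URL is invalid"
    split = urlsplit(url)
    if split.scheme != "mirp":
        return "mirp scheme not found"
    if not split.netloc:
        return "No server information found"
    query = parse_qs(split.query)
    if "user" not in query:
        return "No user information found"
    if "password" not in query and "pin" not in query:
        return "No password/pin information found"
    return None


def parse_adb_devices(output):
    """Serials in state 'device' from `adb devices [-l]` output; skips unauthorized/offline."""
    serials = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or line.startswith(("List of", "*")):
            continue
        if fields[1] == "device":
            serials.append(fields[0])
    return serials


def enrollment_argv(serial, url, component=GO_COMPONENT):
    """argv for one device. Passed as a list, the host shell never sees the URL;
    shlex.quote wraps it in single quotes so the device shell does not expand $ either."""
    return ["adb", "-s", serial, "shell", "am", "start", "-a", ACTION_MAIN,
            "-d", shlex.quote(url), "-n", component]


def build_commands(devices_output, url, component=GO_COMPONENT):
    """One argv per usable device, after rejecting a URL the client would refuse."""
    problem = validate_mirp(url)
    if problem:
        raise ValueError(problem)
    return [enrollment_argv(s, url, component) for s in parse_adb_devices(devices_output)]


# Constructed sample of `adb devices -l` output: one usable device, one not yet authorized.
SAMPLE_ADB_DEVICES = """List of devices attached
ZY22ABCD123            device usb:1-2 product:sample model:Sample device:sample transport_id:1
0123456789ABCDEF       unauthorized usb:1-3 transport_id:2
"""

if __name__ == "__main__":
    live = subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True, check=True).stdout
    url = build_mirp_url("na1.mobileiron.com", "user@example.com", pin="12345", quickstart=True)
    for argv in build_commands(live, url):
        print("Registering", argv[2])
        subprocess.run(argv, check=True)
```

Devices still listed as unauthorized (the USB debugging prompt has not been accepted) are skipped rather than failed, which is the usual state of a fresh batch on first connection; re-run once each unit shows as device.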

Potential error messages

Here are some potential errors that you may encounter using bulk enrollment.

- mirp scheme not found: The data string does not begin with the mirp:// scheme. For example, the following command uses the invalid scheme xxxmirp: am start -a android.intent.action.main -d "xxxmirp://?user=miadmin@auto0001.mobileiron.com&password=p@$$w0r3&pin=12345&t -n com.mobileiron.anyware.android.qa/com.mobileiron.polaris.manager.ui.startac
- URL is invalid: Occurs if no data string is sent at all. Verify that the URL is correct.
- No server information found: Server information is missing or improperly entered.
- No user information found: Verify that the user key was entered.
- No password/pin information found: Verify that a pin or password key was entered.

How to use Samsung Knox Mobile Enrollment

Samsung KNOX Mobile Enrollment enables administrators to register qualified Samsung devices to MobileIron Cloud. Using KNOX Mobile Enrollment, a device can be shipped directly from an approved reseller to an end user, and the MobileIron Go Android client automatically downloads with enrollment data pre-populated. For details, see the Samsung KNOX Mobile Enrollment with MobileIron Quick Start Guide.

Requirements
- Device list: a CSV file listing the devices by IMEI or serial number, and optionally a username and enrollment password for each. Because this file can contain enrollment passwords, treat it as a secret: restrict who can read it and delete it once the devices have been uploaded.
- MobileIron Cloud (current release).
- Samsung KNOX account approved for mobile enrollment.
- Samsung supported devices. Samsung publishes the list of supported devices.

How to use AirPlay Mirroring

License: Gold

AirPlay Mirroring gives you the ability to display the screen of an iOS device on a monitor using Apple TV. The Apple TV and the iOS device must be connected to the same Wi-Fi network.

This feature requires the following:
- iOS 7 and later devices, supervised
- Apple TV, supervised
- AirPlay

Important: Switching to include management of non-iOS devices cannot be reversed.

Configure Apple AirPlay

For more information on AirPlay configuration settings, see AirPlay Configuration.

To configure Apple AirPlay:
1. Go to Configurations.
2. Click +Add.
3. Click AirPlay.
4. Enter a Name and Description of the configuration in the appropriate fields.
5. For all supported iOS versions, enter a Device Name and Password.
6. Click + Add to add another device, if needed.
7. Optionally, for supervised iOS 7 and later devices, add device IDs to a whitelist.
8. Click Next.
9. Choose a distribution level.
10. Click Done.

Set up AirPlay on the mobile device
1. Set up Apple Configurator.
2. Go to Devices > Devices.
3. Click the name of an iOS device to display the Details page for that device.
4. Click the icon.
5. Select AirPlay Mirroring to display the AirPlay Mirroring dialog.

6. Select an Apple TV device from the pulldown menu.
7. Enter a scan time in seconds to specify a time limit for searching for the device you selected.
8. Enter the password for the Apple TV device.
9. Click Send Request.

Set up a monitor to work with Apple TV
1. On a monitor connected to the Apple TV, go to Settings > Profile.
2. Select MobileIron Cloud Apple Configurator.
3. Click Add Profile.
4. Click the icon.
5. Select AirPlay Mirroring to display the AirPlay Mirroring dialog.
6. Select an Apple TV device from the pulldown menu.
7. Enter a scan time in seconds to specify a time limit for searching for the device you selected.
8. Enter the password for the Apple TV device.
9. Click Send Request.

Connect your iOS device to Apple TV
1. Connect the Apple TV device to a monitor.
2. Using the Apple TV remote, go to Settings > Accounts > Home Sharing and turn on Home Sharing.
3. Connect the iOS device to the same Wi-Fi network as your Apple TV device.
4. Open the Remote app on your iOS device.
5. Enable Home Sharing from the Remote Settings screen.

Edit an iOS MDM Configuration

The iOS MDM configuration defines which management actions MobileIron Cloud is permitted to perform on a device. There are two types of iOS MDM configurations:
- iOS MDM - Bulk Provisioned: For devices purchased by the enterprise and provisioned as part of a mass distribution.
- iOS MDM - Individually Provisioned: For devices provisioned one by one.
Only one of each type is provided and allowed across all device partitions.

To edit an iOS MDM configuration:
1. Go to Configurations.
2. Select the iOS MDM configuration you want to edit.
3. Use the following guidelines to make changes:
- Allow device lock and passcode removal: Uncheck to prevent enforcement of a passcode compliance configuration.
- Allow device erase: Uncheck to prevent enforcement of a device wipe action. Weigh this carefully: a device enrolled without this right cannot be remotely wiped if it is lost or stolen.
- Allow query of Network information (phone/SIM numbers, MAC addresses): Uncheck to exclude the device from network information reporting. Note: If this option is unchecked, the device list view and device detail view show N/A for the network information that is no longer reported. Also, the roaming policy cannot be enforced for affected devices.
4. Click Done.
Your changes apply only to devices provisioned after you make the change; devices already enrolled keep the rights they were provisioned with.

Edit a macOS MDM Configuration

The macOS MDM configuration defines which management actions MobileIron Cloud is permitted to perform on a device. macOS MDM configurations are individually provisioned, for devices provisioned one by one.

To edit a macOS MDM configuration:
1. Go to Configurations.
2. Select the macOS MDM configuration you want to edit.
3. Use the following guidelines to make changes:
- Allow device lock and passcode removal: Uncheck to prevent enforcement of a passcode compliance configuration.

- Allow device erase: Uncheck to prevent enforcement of a device wipe action.
- Allow query of Network information (phone/SIM numbers, MAC addresses): Uncheck to exclude the device from network information reporting. Note: If this option is unchecked, the device list view and device detail view show N/A for the network information that is no longer reported. Also, the roaming policy cannot be enforced for affected devices.
4. Click Done.
Your changes apply only to devices provisioned after you make the change.

How to Delete Apps from the App Catalog

You can delete public and in-house apps from the App Catalog. If the app is installed on devices, it is removed the next time those devices check in.
1. Go to Apps > App Catalog.
2. Click the link for the app.
3. Select Actions > Delete from Catalog.
4. Read the warning that explains what happens when you delete an app. The warning explains that VPP licenses (iOS) and app reviews (all OSes) are also deleted.
5. Select the check box to confirm.
6. Click Delete App.

How to Create an Android Shortcut

Shortcuts are only available in Kiosk Mode using a whitelisted browser. The browser must be whitelisted in the Lockdown and Kiosk configuration. The shortcuts appear in the MobileIron Cloud Kiosk launcher.

To create an Android shortcut:
1. Go to Configurations > +Add.
2. Click Android Shortcut to display the Create Android Shortcut Configuration page.

3. Enter a name for the configuration in the Name field.
4. Enter a description of the configuration in the Description field.
5. Enter a unique label for the shortcut in the Label field.
6. Enter the URL of the shortcut's target in the URL field.
7. Optionally, drag and drop a file into the icon field, or click Choose File to navigate to the file, to choose an icon for the shortcut.
8. Click Next.

How to Deploy Divide Productivity with Android for Work

Divide Productivity is a PIM app you can deploy to Android for Work devices.
1. Go to Apps > App Catalog.
2. Under Business Apps, click Divide Productivity.
3. Enter additional categories or a description.
4. Click Next.
5. Accept the displayed permissions.
6. Click Next.
7. Select a distribution option.
8. Expand Advanced Options & App Configuration.
9. Use the following guidelines to enable options:
- Blocks the user from uninstalling the app: Select to prevent the end user from uninstalling the app when it has been silently installed.
- Mail Address: Use variables to define the email address to associate with the app.
- Password: Use a variable to define the password for the account. If you leave this field empty, the user is prompted for the password; leaving it empty also avoids distributing the mail password through the app configuration.
- Host: Enter the host name of the mail server to use: the fully qualified domain name of the ActiveSync server, or, if you are using a Standalone Sentry, the Sentry's fully qualified domain name (FQDN) instead.

  Example: mysentry.mycompany.com
- Server Type: Select the type of mail server.
- Username: Use variables to define the username for the account.
- Is SSL Required: Select if you want secure communication using HTTPS to the server that you specified in the Host field.
- Trust All Certificates: Select only if you want the app to automatically accept untrusted certificates. This disables server certificate validation, so anyone on the network path can impersonate the mail server; select it only in a test environment, never in production.
- Default Signature: Enter the default signature for all emails. Note that the end user can change this at any time. Once the device user changes it, later changes to this field have no effect.
- Max Attachment Size: Enter the maximum size allowed for attached files.
- Enable Task: Select to synchronize tasks.
- Login Certificate Alias: Enter the alias for the login certificate.
- Smime Signing Certificate Alias: Not currently supported.
- Smime Encryption Certificate Alias: Not currently supported.
Advanced Options
- Install on Device: Select to prompt the user to install the app.
- Silently install on Samsung SAFE devices: Select to install the app automatically on Samsung SAFE devices.
- Do not show app in end user App Catalog: Select if you do not want the app to appear in the app catalog on the device.
10. Select a promotion option.
11. Click Done.

How to Deploy Windows Phone 8.1 and Windows 10 Mobile Devices

Support for Windows Phone 8.1 and Windows 10 devices includes the following abilities:
- Device registration
- Configuration of the device passcode
- Configuration of Exchange
- View device details
- Retiring the device

MobileIron Cloud currently uses the native Windows Phone 8.1 client for device management, so there is no app to download.

How to register Windows Phone 8.1 and Windows 10 devices
See Device Registration (Windows Phone 8.1 and Windows 10 Mobile).

How to configure updates to your Windows installation
To configure your Windows installation update schedule, go to Configurations > Software Updates.

How to configure the device passcode
1. Create a passcode configuration.
2. Complete the options as applicable to Windows Phone 8.1 or Windows 10 devices.
3. Assign the configuration to the Windows Phone 8.1 device group or another device group you have created.

How to configure Exchange
1. Create an Exchange configuration.
2. Complete the options as applicable to Windows Phone 8.1 or Windows 10 devices.
3. Assign the configuration to the Windows Phone 8.1 or Windows 10 device group or another device group you have created.

How to view device details
1. Go to Devices > Devices.
2. Click the link for the device to view the details.

How to retire a device
See Retiring a Device.

How to Find the Package ID for an Android App

For public apps available on the Google Play Store:
1. Use a web browser to locate the app in the Google Play Store.
2. Select the app.
3. Examine the URL displayed in the browser. The package ID is the value after id= in the URL, for example https://play.google.com/store/apps/details?id=<Package ID>.

For in-house apps and other apps not available on the Play Store, try downloading Package Name Viewer or a similar app from the Google Play Store.

How to Export Configurations

Export your configuration files to send to support as a diagnostic aid. You can export a single configuration to a YAML file, or export all your configurations into a .zip file. Review an export before sending it: configurations can carry credentials (for example a mail account password or a Wi-Fi passphrase), and those should be removed or the file handled as confidential.

Export Configuration

You can export files from different areas of the Configurations page, depending on which configurations you want to export.

Export all the configurations:
1. Go to Configurations.
2. Click the Actions pulldown menu and click Export All Configs with Details. A file named Polices_yyyymmdd.zip is downloaded to your device.

Export a customized configuration:
1. Go to Configurations.
2. Click + Add to select a configuration.
3. Follow the steps to customize the configuration.
4. Click Next.
5. Choose a distribution level.
6. Click Done.
7. Select the configuration you just created from the list on the Configurations page.

8. Click the Actions pulldown menu and click Export. A file named after the configuration with a timestamp suffix (_yyyymmdd.yaml) is downloaded to your device.

Export an existing configuration:
1. Go to Configurations.
2. Select an existing configuration.
3. Click the Actions pulldown menu and click Export. A file named after the configuration with a timestamp suffix (_yyyymmdd.yaml) is downloaded.

Monitoring and Controlling Allowed Apps

To control which apps are installed on devices, you create an Allowed Apps policy. The policy contains the following information:
- whitelist apps
- blacklist apps
- required apps
- compliance actions

If an app is both required and blacklisted, the evaluation of the app against the required list takes precedence. For example, if an app A1 is present in both the required list and the blacklist, the apps policy evaluation for the device behaves as follows:
- The device is compliant if A1 is installed on the device.
- The device is non-compliant if A1 is not installed on the device.

License: Silver

Supported Devices
- Android 4.2 through the most recently released version as supported by MobileIron
- iOS 8.0 through the most recently released version as supported by MobileIron
- macOS through the most recently released version as supported by MobileIron

Before You Start

The privacy configuration assigned to a device must allow collection of app information for an Allowed Apps policy to work correctly. Check the privacy configurations assigned to the devices to which you will apply the Allowed Apps policy. If you are not sure which configurations are affected:
1. Go to Policies.
2. Click Allowed Apps.
3. Under Privacy Configurations, note the configurations that need to be edited.
4. Go to Configurations.

5. For each privacy configuration you noted:
   a. Select the configuration.
   b. Click Edit.
   c. Under Collect App Inventory, select For All Apps on the Device.
   d. Click Done.

Creating an Allowed Apps policy
1. Go to Policies.

2. Click Allowed Apps.
3. In the Name field, type a name for this policy.
4. In the Description field, optionally type text that explains the purpose of the policy.
5. Use the Required Apps and App Lists section to select required apps. For example, you can select the Add App Lists tab and then select the desired required app lists.
6. Use the resulting fields to select the required apps or app lists. Note: Click the View Required List tab for a list of the apps you have selected so far.
7. Click Next.

8. Select whether to create a whitelist or a blacklist. Note: You cannot have both a whitelist and a blacklist for a device. Creating a whitelist means all other apps are blacklisted.
9. Use the Whitelist/Blacklist Apps and App Lists section to select apps. For example, you can select the Add App Lists tab and then select the desired app lists.
10. Use the resulting fields to select the apps or app lists. Note: Click the View Whitelist or View Blacklist tab for a list of the apps you have selected so far.
11. Click Next.
12. Select the actions to take when a device is out of compliance:
- Monitor: Currently always selected.
- Do Nothing: Select to take no action if the device is out of compliance.
- Send Email: Select to notify the user by email that the device is out of compliance.
- Send Push Notification: Select to notify the user by push notification that the device is out of compliance.
- Send Email and Push Notification: Select to notify the user by both email and push notification that the device is out of compliance.
- Wait: Select to wait for a specified period of time before taking action.
- Block: Select to block the app tunnel and/or block ActiveSync.
Note: The Allowed Apps policy supports tiered compliance actions if you have a Platinum license.
13. Click Next.
14. Configure the distribution.
15. Click Done.

See Also: Prioritize Policies, to set a higher or lower priority for an Allowed Apps policy.

Prioritize Configurations

If you select multiple device groups for a configuration, multiple configurations of the same type might be assigned to a given device. For some configuration types, assigning multiple configurations makes sense; for example, you would assign multiple Wi-Fi configurations to provide access to multiple wireless networks. For other configuration types, only one configuration may be assigned to a device; for example, it does not make sense to assign multiple privacy or passcode configurations. In these cases, MobileIron Cloud uses priorities to decide which configuration is applied.

To prioritize configurations:
1. Go to Configurations.

2. Select Actions > Prioritize configs. If Actions is not displayed, you do not have multiple configurations of a type that requires priorities.
3. Use the arrows to order the configurations from highest priority (top) to lowest (bottom).
Note: A lock icon means the configuration's priority cannot be changed without editing the All Devices distribution setting within the configuration.
4. Click Save.

Because only the highest-priority configuration of such a type reaches a device, re-check this order whenever you add a passcode or privacy configuration: a permissive configuration placed above a strict one silently wins.

Prioritize Policies

If you select multiple device groups for a policy, multiple policies of the same type might be assigned to a given device. For Allowed Apps policies, only one policy may be assigned to a device, so MobileIron Cloud uses priorities to decide which policy is applied.

To prioritize policies:
1. Go to Policies > Policy & Compliance.
2. Select Actions > Prioritize policies. If Actions is not displayed, you do not have multiple policies requiring priorities.
3. Use the arrows to order the policies from highest priority (top) to lowest (bottom).
Note: A lock icon means the policy's priority cannot be changed without editing the All Devices distribution setting within the policy.
4. Click Save.

How to Set Up Android for Work

License: Silver

Android for Work is a program offered by Google that enables mobility administrators to:
- Separate work and personal data
- Secure and manage enterprise apps
- Control system apps (such as Camera and Gallery)

- Centrally provision and configure apps in the Android for Work container
- Prevent data loss (screen capture)

You can configure MobileIron Cloud as the EMM server that manages Android for Work. Android for Work requires MobileIron Go for Android 3.0 or later. There are two supported configurations of Android for Work: Device Owner and Managed Profile (Employee Owned).

Supported Devices

MobileIron Cloud currently supports Android for Work only on devices that are running Android 5.0 and have Android for Work enabled by the manufacturer. Android for Work is required for Kiosk mode on devices running Android 5.0. Google publishes a list of supported Android for Work devices.

Before You Start

If you have not already registered your domain with Google, you must first sign up for the program on the Google website. During the process you will:
- Claim a domain (must match the domain of the users' email addresses)
- Receive a token
- Download a JSON client ID
Both the token and the JSON file are required when you set up Android for Work on MobileIron Cloud. After the process, you receive an email containing instructions for verifying that you own the domain you claimed. If the company has already used its domain name to sign up for Google Apps for Work, see Google's documentation on enabling Android for Work for that case.

Connecting MobileIron Cloud with Android for Work

Once you have signed up for Android for Work, set up MobileIron Cloud as the EMM server for Google's program.

Getting Your Android for Work Credentials

To get your Android for Work credentials:
1. Go to Admin > Android for Work.

2. Click Google Developers Console.
3. Click the first displayed link to go to the Google Developers Console.
4. Select Create a project from the drop-down menu.
5. Enter a name for the project.
6. Accept the terms of service.
7. Click Create.
8. Click API & auth.
9. Select APIs.
10. Type emm in the Search field to find the Google Play EMM API.
11. Click the Google Play EMM API link.
12. Click Enable API.
13. Click Credentials.
14. Select Service account.
15. Click Create to save the JSON file. This file contains the service account's private key, so store it as you would any other credential and restrict who can read it.

Adding your Android for Work MDM Token to MobileIron Cloud
1. Log into the Google Admin console (admin.google.com).
2. Click Security.
3. If you do not see Android for Work Settings, click Show More.
4. Select Android for Work Settings.
5. Under Manage enterprise mobility management provider, copy the MDM token.
6. Return to the MobileIron Cloud portal.
7. Click Done.
8. In box 2, paste the MDM token you just copied.
9. In the Domain field, enter the domain you claimed with Google.
10. Click Choose File and upload the JSON file you downloaded.
11. Click Connect. The message Connected to Google displays when the connection is successful.
12. In box 3, click Authorize to indicate that you want to give MobileIron Cloud access to your Google user data.
13. Click Accept. The message Connected to Users displays in the MobileIron Cloud portal.

Synchronizing users between MobileIron Cloud and Google

Before you deploy Android for Work to Android users managed by MobileIron Cloud, each user must have a corresponding record in the Google Admin Portal. The steps required to synchronize user information between MobileIron Cloud and the Google Admin Portal depend on whether you have set up an integration with your organization's directory service (AD/LDAP).

Active Directory/LDAP Users

If you have set up an AD/LDAP integration with MobileIron Cloud, then you must also use Google Apps Directory Sync to set up an AD/LDAP integration with the Google Admin Portal. See the Google Apps Directory Sync documentation for more information.

Local Users

If you created only local users in MobileIron Cloud and do not intend to integrate it with a directory service, then complete the following steps to synchronize those users with the Google Admin Portal:

1. Log into the Google Admin Portal at admin.google.com.
2. Click Users.
3. Click the Add user or Add multiple users icon in the lower right corner.
4. For each MobileIron Cloud user that will use Android for Work, add a Google user with the same username and email address as the MobileIron Cloud user.
5. In the MobileIron Cloud portal, for each MobileIron Cloud user that was just added to the Google Admin Portal:
a. Click the username link in the Users tab to display the user's details.
b. Select Sync the User with Google User Directory.
c. Click Sync with Google User Directory.
d. Confirm that Google Status is listed as Enabled.

Deploying Android for Work to Supported Devices

Two configurations are required for deploying Android for Work:

The Android for Work configuration enables Android for Work.
A Lockdown & Kiosk configuration defines the Android for Work restrictions to apply.

Retiring Registered Devices

Before you deploy Android for Work to devices that are already registered with MobileIron Cloud, you must retire those devices.

To deploy Android for Work

1. In the MobileIron Cloud portal, go to Configurations.
2. Select Android for Work.
3. Click Edit.
4. Click Next.
5. Select All Devices or Custom.
6. If you selected Custom, search for and select the device groups that should receive the Android for Work settings.
7. Click Done.
8. Click Back to list (upper left corner).
9. Click +Add.

10. Click Lockdown & Kiosk: Android for Work.
11. In the Name field, enter text that identifies the configuration.
12. Under Choose Lockdown Type, select Android for Work Profile.
13. Select the lockdown settings you want to apply to the target devices:

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Disable Screen Capture (Android 5.0+): Select to prevent devices from using the native screen capture feature.
Disallow Apps Control (Android 5.0+): Select to prevent users from modifying apps in Settings or launchers.
Disallow Config Credentials (Android 5.0+): Select to prevent users from setting up user credentials.
Disallow Cross Profile Copy/Paste (Android 5.0+): Select to prevent copying and pasting from the Android for Work profile to other profiles on the device.
Disallow Modify Accounts (Android 5.0+): Select to prevent users from adding and removing accounts.
Disallow Outgoing Beam (Android 5.0+): Select to prevent a user from using NFC to transfer app data.
Disallow Share Location (Android 5.0+): Select to prevent websites and apps from prompting the device user to share device location.
Restrict Input Methods (Android 5.0+): Select to restrict input methods to a whitelist of package names. If the whitelist is empty, only system input methods are allowed. The restriction applies to the entire device, not just to work apps.
Restrict Accessibility Services (Android 5.0+): Select to restrict accessibility services to a whitelist of package names. If the whitelist is empty, only system accessibility services are allowed. The restriction applies to the entire device, not just to work apps.
Disable Caller ID (Android 6.0+): Select to prevent the device from identifying itself to other devices when initiating a call.

A third-party keyboard or accessibility service can observe everything typed or displayed on the device, including inside work apps, so the two Restrict settings are the controls that keep such apps out. Whitelist only packages you have vetted, and note that an empty whitelist is the most restrictive setting, not an unrestricted one.

14. Click Next.
15. Select All Devices or Custom.
16. If you selected Custom, search for and select the device groups that should receive the Android for Work settings.
17. Click Done.

Note: You cannot make changes to the resulting profile once it has been deployed. Instead, create a new Android for Work configuration and deploy it.

Confirming Deployment

You can confirm that Android for Work has been deployed in the following ways:

Under Users > Users, find the entry for a user, and then check that the Google Status is Enabled.
Under Devices > Devices, click the link for a device, and then check that the status for Android for Work is Enabled.

Google Status for a user should be listed as Enabled. If it is not Enabled, the user will not be able to register devices.

Note: If Android for Work was set up with Android for Work Accounts, the user is not shown as Google Status: Enabled until after an Android for Work device is registered. See Android for Work Accounts for more information.

Deploying Android for Work Apps

Any app developed for Android for Work may include options that you can configure through MobileIron Cloud. To configure the options:

1. In the MobileIron Cloud portal, go to Apps > App Catalog.
2. Find the app in the Google Play Store.
3. Click the app entry.
4. Accept permissions on behalf of Android for Work users.
5. Click Next.

6. Select a distribution option.
7. Expand Advanced Options & App Configuration.
8. Select the options you want to apply.
9. Select a promotion option.
10. Click Done.

Configuring Business Apps

Android for Work apps are available in the Business Apps section of the app catalog, including the following apps:

Divide Productivity
Tunnel
Gmail

How to set up the Provisioner app

Provisioner is a MobileIron Cloud app used to provision corporate-owned devices so that they can be registered as work managed devices and placed in Device Owner mode. A company-managed device has a corporate profile only and no personal profile. The administrator can apply over twenty lockdowns to the device, restricting functions such as the camera, phone calls, SMS, networking, and more.

The Provisioner app runs on the device that initiates the configuration of the Android for Work target device with an NFC bump. To provision corporate-owned devices, install the Provisioner app on a master device and use the NFC (near field communication) bump to provision new devices. The bump is tapping the two devices together. The devices can be provisioned to use one of these MobileIron client apps:

MobileIron Go app, to use with MobileIron Cloud
At Work EMM, an unbranded client app, to use with MobileIron Cloud

Provisioning Requirements

To provision a corporate-owned Android for Work device to be a work managed device, you need:

Corporate-owned, native Android for Work-capable devices, factory reset prior to provisioning.
An Android for Work configuration defined and applied to the Android device group.
An NFC-capable Android device designated to serve as the master (template) device, with the Provisioner app installed.
Android for Work-capable devices to provision.
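The NFC bump described above works by having the master device write one NFC record that the target reads while it sits on its Welcome screen. Provisioner's own payload is not shown in this guide, so the following Python is an added example, not MobileIron code, that builds and audits such a record in the Android platform format: the MIME type, the PROVISIONING_* extra names and the checksum encoding are Android's, while the DPC package name, download URL, APK bytes and Wi-Fi values are constructed placeholders. The audit covers the two things a practitioner most wants checked before bumping devices: that a download location never travels without a checksum, and that the Wi-Fi network whose password the record carries is not a production SSID.

```python
"""Build and audit an Android NFC managed-provisioning record.

Added example, not MobileIron code. The Provisioner app's own payload is not
shown in this guide; this is the Android platform format an NFC "bump" app
emits: an NDEF record of MIME type application/com.android.managedprovisioning
whose payload is a java.util.Properties text serialization of PROVISIONING_*
extras. Package name, URL, APK bytes and Wi-Fi values are constructed.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

MIME_TYPE = "application/com.android.managedprovisioning"
P = "android.app.extra.PROVISIONING_"
PACKAGE, DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_NAME", P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
PKG_CHECKSUM, SIG_CHECKSUM = P + "DEVICE_ADMIN_PACKAGE_CHECKSUM", P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
WIFI_SSID, WIFI_SECURITY, WIFI_PASSWORD = P + "WIFI_SSID", P + "WIFI_SECURITY_TYPE", P + "WIFI_PASSWORD"
TIME_ZONE, LOCALE = P + "TIME_ZONE", P + "LOCALE"

# Characters java.util.Properties.store() escapes in keys and values.
_ESCAPES = {"\\": "\\\\", "=": "\\=", ":": "\\:", "#": "\\#", "!": "\\!",
            "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def _escape(text: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

def _unescape(text: str) -> str:
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def _split(line: str) -> Tuple[str, str]:
    """Split a Properties line at the first unescaped '=' or ':'."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=:":
            return line[:i], line[i + 1:]
        i += 1
    return line, ""

def apk_checksum(apk: bytes) -> str:
    """URL-safe, unpadded base64 SHA-256 of the DPC APK, as Android expects."""
    return base64.urlsafe_b64encode(hashlib.sha256(apk).digest()).rstrip(b"=").decode("ascii")

def build_payload(extras: Dict[str, str]) -> bytes:
    """Serialize like Properties.store(): a comment line, then key=value lines."""
    lines = ["#Managed provisioning extras"]
    lines += [f"{_escape(k)}={_escape(v)}" for k, v in sorted(extras.items())]
    return ("\n".join(lines) + "\n").encode("utf-8")

def parse_payload(payload: bytes) -> Dict[str, str]:
    """Read the record back the way the target device's provisioning code does."""
    extras: Dict[str, str] = {}
    for raw in payload.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split(line)
        extras[_unescape(key.strip())] = _unescape(value.lstrip())
    return extras

def audit(extras: Dict[str, str]) -> List[str]:
    """Reasons a record would be rejected by Android or is unsafe to bump."""
    problems: List[str] = []
    if PACKAGE not in extras:
        problems.append("no DPC package name")
    if DOWNLOAD in extras:
        if not extras[DOWNLOAD].lower().startswith("https://"):
            problems.append("DPC download location is not https")
        # Android requires one of the two checksums when a download location is set;
        # without it the target would install whatever the URL happened to serve.
        if not (extras.get(PKG_CHECKSUM) or extras.get(SIG_CHECKSUM)):
            problems.append("DPC download location without package or signature checksum")
    if WIFI_SSID in extras and extras.get(WIFI_SECURITY, "NONE").upper() in ("NONE", "WEP"):
        problems.append("provisioning Wi-Fi is open or WEP")
    return problems

def example_record() -> Tuple[str, bytes, List[str]]:
    """A complete work-managed provisioning record built from constructed values."""
    apk = b"constructed stand-in for the MobileIron Go APK bytes"
    extras = {PACKAGE: "com.example.dpc", DOWNLOAD: "https://mdm.example.com/dpc.apk",
              PKG_CHECKSUM: apk_checksum(apk), WIFI_SSID: "CorpProvisioning",
              WIFI_SECURITY: "WPA", WIFI_PASSWORD: "s3cret-pass",
              TIME_ZONE: "America/Los_Angeles", LOCALE: "en_US"}
    payload = build_payload(extras)
    return MIME_TYPE, payload, audit(parse_payload(payload))
```

Everything in the record, including the Wi-Fi password, is plain text that any NFC reader the master is bumped against can capture, so provision over a dedicated provisioning SSID rather than the corporate network, and keep the master device under physical control while the Bump the devices screen is showing.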

Provisioner app

Download the Provisioner app from Google Play. It is available on Google Play after the MobileIron Go client is released.

Enable Android Beam to use NFC bump

To enable Android Beam:

1. Go to Settings on the device.
2. Go to Wireless & networks and click More.
3. Select the NFC checkbox.
4. Click Android Beam and slide the switch to On.

Note: The exact steps may differ slightly for your device.

Provision a corporate-owned device

To provision Android for Work devices to become work managed devices:

1. Install the Provisioner app on the device to be used as the Android master device.
2. Launch Provisioner on the master device.
3. Select an app from the drop-down menu:
At Work EMM
MDM Mobile@Work
MobileIron Go app
Vodafone Mobile@Work
4. Enter the information requested by the Provisioner app. Some fields may autopopulate if a supported Wi-Fi type is present. Use these guidelines:

Select app for provisioning: MobileIron Go (select for use with MobileIron Cloud) or At Work EMM (unbranded client app; select for use with branded Cloud).
Wi-Fi Network SSID: Enter the SSID of the Wi-Fi network the target device is to join during provisioning; the master device's current network may be prefilled.
Wi-Fi Security Type: Enter the Wi-Fi security type.
Wi-Fi Password: Enter the password for the Wi-Fi network.
Time Zone: Enter the current local time zone.
Locale: Enter the locale.

5. Click Continue. The Bump the devices screen is displayed on the master device.
6. With the target device turned on and displaying the Android Welcome screen, press the master device back-to-back with the target device to initiate an NFC transfer. If the NFC transfer is successful, the target device may make a sound and then proceeds to download the chosen client app. If the device is not encrypted, it starts the encryption process before continuing.
7. Continue to provision additional devices by bumping them. The target device must display the Welcome screen, and the master device must display the Bump the devices screen.

Any factory-reset device that is bumped while the master shows the Bump the devices screen is provisioned, so keep the master device under the administrator's physical control during provisioning.

Register the device

Once the corporate-owned device has been provisioned using the NFC bump, it has the selected MobileIron client app installed. Launch the MobileIron client app and register the device.

Verify the device registration status

To check the registration status of the device in the Admin Portal:

1. Go to Devices > Devices.
2. Click the link for a device to view the details.
3. The status of the device is listed in the left pane.

Setting Up AppTunnel

AppTunnel protects app data by providing app-by-app session security between each app container and the corporate network.

Before you start

AppTunnel depends on the latest supported version of Sentry. Complete the Sentry installation before starting the AppTunnel setup tasks.

If you intend to use a SCEP identity:

Add a local or external certificate authority. A Connector installation is required.
Add an App Identity Certificate Configuration. This is the SCEP identity you will use when you configure AppTunnel.

Setting up Sentry to use AppTunnel with certificates

1. Go to Admin > Sentry.
2. Click + Add Sentry Profile.
3. Click ActiveSync and/or AppTunnel with certificates.
4. Click Next.
5. Use the following guidelines to complete the Global Settings page:

Name: Enter a name that identifies this profile.
Description: Enter a description that clarifies the purpose of this profile.
External Hostname and Port: Enter the hostname and port for the Sentry.
Device Authentication Mode, Use a single certificate for 2-factor auth: Select to use a single certificate for authentication. If you do not already have a certificate uploaded, you can do so in the area displayed below the selected option.
Device Authentication Mode, Use SCEP Identity: Select the app identity certificate configuration you created for your certificate authority.
Enable certificate revocation list: Select to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA. Without this check, a device certificate the CA has revoked, for example after the device was lost, is still accepted by Sentry until it expires.
Default Unmanaged Devices Behavior, Allow unmanaged devices to receive email and data: Select only if you do not want to block data access for devices that are not managed by MobileIron Cloud. Leaving it unselected is what makes Sentry a gate on device management status.

6. Click Next.
7. In the Sentry Server Configuration page, upload a server certificate.
8. Click Next.
9. Add at least one of the displayed services.
10. Save the profile.
11. Register the Sentry.
12. Go to Admin > Sentry.
13. Assign the profile you just created.

Setting up apps to use AppTunnel

1. After Sentry is configured to use AppTunnel, go to Apps > App Catalog.
2. For each app that supports AppTunnel:
a. Add the app to the app catalog.
b. Under Advanced Options & App Configuration, scroll to the AppTunnel section.
c. Select the Sentry profile you created for AppTunnel.
d. Enter the domain wildcards for the traffic to be tunneled.
e. Select distribution and promotion options for the app.
f. Click Done.

How to Set Up Docs@Work

The Docs@Work app enables iOS users to access, store, view, edit, and annotate documents from content repositories, such as Microsoft SharePoint. MobileIron Cloud administrators can set up Docs@Work so that:

users see all available content repositories
documents are protected from unauthorized distribution

Users can also configure access to content repositories.

Note: Device users must have a valid user ID and password to access content sites.

Before you start

Decide which repositories you want to make available. All repositories you configure for Docs@Work are visible to all users. You can provide select users with instructions for accessing restricted repositories.

Decide whether you want to make each repository a published site. Content on published sites is automatically downloaded and mirrored on devices, so publish only document libraries whose contents are appropriate to hold offline on every device that receives the configuration.

Collect the following information for each repository:

URL for the site
type of repository (SharePoint, WebDAV)
subtype of repository (Office 365, NetworkDrive, etc.)

Steps

1. Edit the Default AppConnect device configuration or create a new one.

If the same settings apply to all user groups and all AppConnect-enabled apps, you can edit the default configuration. Only one AppConnect device configuration can be applied to a given device, and it applies to all AppConnect-enabled apps on that device.

2. Add the Docs@Work app to the app catalog. Under Advanced Options and App Configuration, provide the following information for each content site you want to display in Docs@Work:

URL: Enter a URL for the content site. The URL must include http:// or https://. Both domain names and IP addresses are supported.
Domain: Select the type of content site you are configuring: SharePoint (select SharePoint for OneDrive for Business) or WebDAV.
Subdomain: Select the subdomain type for the content site. SharePoint: Office 365 or Corporate (select Office 365 if you are configuring OneDrive for Business). WebDAV: NetworkDrive or CloudStorage.
Authentication: Select if you want the device to authenticate to the server.
Published Site: Select to designate the site as a published site. All content in a published site is automatically downloaded and mirrored locally on the device when the device syncs. If the option is not selected, the user must manually download the content. A Web View site cannot be configured as a published site, and a published site cannot be configured as a Web View site.
Note: Published sites for SharePoint are not supported at the root, site, and subsite levels. Published sites are supported at the document library and folder levels. We recommend that published sites be used for publishing documents.
Web View: Only for SharePoint domains. Select to allow users to view and navigate SharePoint folders in browser view.

Provide the following information for the published sites:

Update Interval (Minutes): Specify the update interval for published sites. The default setting is every 60 minutes.
Max auto download size (MB): Specify the maximum file size for automatic download. Files above this size are not automatically downloaded. The default setting is 500 MB.
Max documents per update: Specify the maximum number of documents to update for each updated site. Only the number of files specified is updated. The default setting is 100 files.
Update Mode: Specify the method devices can use to update published sites. Select either Wi-Fi Only or Wi-Fi and Cellular. MobileIron recommends Wi-Fi Only if you publish a large number of documents.

Remember to select a device group for app distribution.

Supported content repositories

SharePoint:
Microsoft SharePoint 2007
Microsoft SharePoint 2010
Microsoft SharePoint 2013
Microsoft SharePoint Office 365

OneDrive for Business: Only OneDrive for Business (with SharePoint and Office 365) is supported. OneDrive (personal online storage for consumers) is not supported.

Box

Dropbox

WebDAV:
Apache-based WebDAV content repositories
IIS-based WebDAV content repositories

Cloud Storage:
WebDAV
Box
Apache-based WebDAV content repositories
IIS-based WebDAV content repositories

Supported authentication to content repositories

Basic: SharePoint, WebDAV
NTLM: SharePoint, WebDAV
OAuth2: Box, Dropbox

Basic authentication sends the user's credentials with every request protected only by Base64 encoding, so a site that uses Basic authentication must be configured with an https:// URL. The same applies to NTLM: its challenge-response protects the password itself, but not the session contents that follow.

Note: Users on SharePoint must have at least Contribute permissions.

Supported file types

Annotation:
PDF

Viewing:
Microsoft Word documents (.doc, .docx)
Microsoft Excel documents (.xls, .xlsx, .xla, .xlt, .xltx, .xlsm)
Microsoft PowerPoint documents (.ppt, .pptx, .pot, .potx, .pps, .ppsx)
Adobe Acrobat documents (.pdf)
Rich Text Format files (.rtf)
Plain text files (.txt)
Comma separated values files (.csv)
Image files (.png, .bmp, .jpg, .jpeg, .gif, .tiff, .ico)
Web files (.htm, .xml, .js)
Apple Pages documents (.pages)
Apple Numbers spreadsheet files (.numbers)
Apple Keynote presentation files (.key)
QuickTime video files (.mov)
MPEG-4 audio/video files (.mp4)
WAV files (.wav)
MP3 audio files (.mp3)

Some files that are not supported:
executable files (for example, .exe, .msi, or .ipa files)
archive files (for example, .zip, .rar, or .tar files)
system files (for example, .dll or .sys files)

Supported file types for editing

The following file types are supported for editing:
Microsoft Word documents (.doc, .docx)
Microsoft Excel documents (.xls, .xlsx, .xlsm)
Microsoft PowerPoint documents (.ppt, .pptx)
Plain text files (.txt)
Web files (.xml)
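The content site settings and authentication types above carry several constraints that are easy to get wrong when many sites are configured at once. The following Python is an added example, not MobileIron's own tooling, that checks a site entry against them before it is pushed in the app configuration: the dictionary keys mirror the configuration labels in this section, the sample sites are constructed, and the certificate check for https URLs that name an IP address is a general TLS requirement rather than something the guide states.

```python
"""Validate Docs@Work content site entries before pushing the app configuration.

Added example, not MobileIron code. It encodes the constraints listed above
(URL scheme, Domain/Subdomain pairs, Web View only for SharePoint, Published
Site and Web View being mutually exclusive) plus two transport checks. The
dictionary keys mirror the configuration labels; the sample sites are constructed.
"""
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

SUBDOMAINS = {"SharePoint": {"Office 365", "Corporate"},
              "WebDAV": {"NetworkDrive", "CloudStorage"}}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def validate_site(site: Dict[str, object]) -> List[str]:
    """Problems with one content site; an empty list means it is safe to deploy."""
    problems: List[str] = []
    parts = urlsplit(str(site.get("URL", "")))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("URL must start with http:// or https:// and include a host")
    domain, subdomain = str(site.get("Domain", "")), str(site.get("Subdomain", ""))
    if domain not in SUBDOMAINS:
        problems.append(f"Domain must be SharePoint or WebDAV, not {domain!r}")
    elif subdomain not in SUBDOMAINS[domain]:
        problems.append(f"Subdomain {subdomain!r} is not valid for {domain}")
    if site.get("Web View") and domain != "SharePoint":
        problems.append("Web View is only available for SharePoint sites")
    if site.get("Web View") and site.get("Published Site"):
        problems.append("a site cannot be both Published and Web View")
    # Basic sends the password Base64-encoded on every request and NTLM leaves the
    # session itself unprotected, so a site that authenticates must use https.
    if site.get("Authentication") and parts.scheme == "http":
        problems.append("Authentication enabled over http exposes user credentials")
    # General TLS rule, not from the guide: an https URL that names an IP address
    # only validates if the server certificate lists that IP as a SAN.
    if parts.scheme == "https" and _is_ip(parts.hostname or ""):
        problems.append("https to a bare IP address needs the IP in the certificate's SANs")
    return problems

def validate_sites(sites: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each site URL to its problems, for a whole app configuration."""
    return {str(s.get("URL", "")): validate_site(s) for s in sites}

def example_sites() -> List[Dict[str, object]]:
    """Constructed entries: one correct SharePoint site and one with several faults."""
    return [
        {"URL": "https://sharepoint.example.com/sites/hr/Shared%20Documents",
         "Domain": "SharePoint", "Subdomain": "Corporate", "Authentication": True,
         "Published Site": True, "Web View": False},
        {"URL": "http://10.0.0.5/dav", "Domain": "WebDAV", "Subdomain": "Office 365",
         "Authentication": True, "Published Site": True, "Web View": True},
    ]
```

Run validate_sites over the full list before distributing the configuration; a non-empty result for any URL is a reason not to push, because Docs@Work shows every configured site to every user.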

Editing and annotating documents

To edit or annotate, users must download the document to My Files. If the file type is not supported for editing, the edit icon is not available.

Online editing is only available with Office Web Apps. Since Office Web Apps are only supported with SharePoint, Docs@Work supports online editing only with SharePoint folders. Office Web Apps must be enabled on the SharePoint server. If Office Web Apps are not enabled, the edit icon is not available when you tap to view documents.

User-added sites

Users can add the following types of sites:

Box
Cloud Storage
Dropbox
Network Drive
SharePoint

To add corporate sites, the user needs the following information:

The site's URL. The URL must include http:// or https://. Both domain names and IP addresses are supported.
Type of authentication for Network Drives. The authentication setting is labeled No Authentication. Device users should enable this setting if the site does not require authentication.
Type of authentication for SharePoint servers:
Corporate: The user authenticates with on-premise SharePoint using either Windows NTLM or forms-based authentication with corporate credentials. User credentials can be domain\username or just username, depending on how SharePoint is set up with Windows domain authentication.
Office365: The user authenticates with Office 365 SharePoint using the authentication mechanism supported by Office 365. User credentials map to the user's account on Office 365 or to the user's AD credentials. If Office 365 has been integrated with corporate AD, the user's SharePoint credentials map to AD credentials.
NoAuthn: The user does not need to provide credentials for authentication. The SharePoint server supports anonymous access.
Web View. For SharePoint sites, the user can turn on Web View to be able to view and navigate SharePoint folders in browser view.

How To Set Up Kiosk Mode for Android

License: Silver

Kiosk Mode for Android devices enables you to restrict use of a device to specific apps. You might use Kiosk Mode to set up devices for employees who will use only work-specific apps.

When preparing Android devices for Kiosk mode or Device Owner with Kiosk mode, you need to create a whitelist of apps that you want to be available to users in Kiosk Mode. For devices using Device Owner, you can add apps to the allowed apps list and drag and drop them to arrange the order in which they appear in the Kiosk Mode launcher when configuring the app. See Lockdown & Kiosk configuration for more information.

Before you start

Before you configure Kiosk Mode for Android devices, make sure you have done the following tasks:

Installed the MobileIron Go app on the devices.
Configured the app catalog with the apps that your kiosk configuration will need.
Distributed the app catalog to the devices that will run in Kiosk Mode.
Installed the apps that your kiosk configuration will need.
Optional: Set up Android kiosk branding.

Note: Kiosk mode is supported on Android 5.1 and 6.0. Non-Samsung SAFE devices must be placed in Device Owner mode to prevent the use of undesired applications; without Device Owner (or the Samsung SAFE APIs), MobileIron Go can act only as the default launcher and cannot block other ways of starting apps.

Important: Some devices have features that can draw over the screen or otherwise create an escape from Kiosk mode. The People Edge feature of the Samsung Galaxy S6 Edge is an example of such a feature. We recommend that an administrator turn off these types of features before the device is deployed.

Steps

1. Go to Configurations.
2. Click Add+.
3. Click Lockdown & Kiosk: Android.
4. In the Create Settings screen of the Lockdown & Kiosk configuration, complete at least the Kiosk Mode Settings section.
5. In the Distribution screen, select the device groups to receive this configuration.
6. Click Done.
7. For non-Samsung devices, continue with the following steps:
a. Go to Devices > Devices.
b. Select the devices you want to enable for kiosk mode.
c. Select Actions > Force Check-in.

d. On the devices, launch the MobileIron Go app.
e. Tap the Kiosk Mode button.
f. Press the Home button on the device.
g. If a Choose Launcher dialog appears, tap MobileIron Go Kiosk Launcher and select Always. This step ensures that the proper launcher is used for this feature. Otherwise, the user is prompted to select a launcher.

Launching Kiosk Mode Remotely

1. Go to Devices > Devices.
2. Add the Kiosk Mode column to the display.
3. Select devices that have Kiosk mode enabled but are not currently in Kiosk mode.
4. Select Actions > Enter Kiosk Mode.

Disabling Quick Settings in Kiosk Mode

The Quick Settings feature is enabled on Android devices by default. You can enable or disable the Quick Settings feature for a single device or for a group of devices:

1. Go to Policies > Configurations.
2. Click the +Add button.
3. Click Lockdown & Kiosk.
4. Select a Lockdown type.
5. Enable Kiosk mode. When you enable Kiosk mode, you have the following options:
Disable Quick Settings
Allow User to Access Wi-Fi Settings
Allow User to Access Bluetooth Settings
Allow User to Access Location Settings
Allow User to Delay Application Updates
6. Optionally, create a PIN for exiting Kiosk Mode.

Quick Settings and the Settings shortcuts are the usual way out of a kiosk, so allow only the shortcuts the kiosk's purpose actually requires. The exit PIN is a shared secret that works on every device that received the configuration, so treat it as a shared credential and change it if it is disclosed.

Exiting Kiosk Mode

You can exit Kiosk Mode on the device if you set a PIN in the configuration:

1. Tap the Settings icon.
2. Select Exit Kiosk Mode.
3. Tap in the Kiosk PIN field when prompted.
4. Enter the kiosk PIN.

You can exit Kiosk Mode for a specific device from the portal:

1. Go to Devices > Devices.
2. Display the details for the device.
3. Select Actions > Exit Kiosk Mode.

You can also use the following methods to exit Kiosk Mode:

Delete the configuration
Disable the configuration
Remove the device group from the configuration

Set Up Single App Mode for iOS

License: Silver

Single app mode restricts iOS devices to the use of the specified app. For example, you might want to set up devices that can use only a custom app your organization has developed.

Steps

1. Go to Policies > Configurations > Add > Single App Mode.
2. Use the following guidelines to define the app and related settings:

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Choose App: Select the method to use for selecting the app. From App Catalog & System Apps: Select to search the MobileIron Cloud app catalog and system apps (preinstalled on Apple devices by default). Enter the name of the app and select it when it displays in the apps list. Enter Bundle ID: Select to enter the unique identifier for the system app you want to select. Use this option if you cannot find the system app using the From App Catalog & System Apps option.
Disable Touch: Select to disable the touch screen.
Disable device rotation: Select to disable device rotation sensing.
Disable volume buttons: Select to disable the device's volume buttons.
Disable ringer switch: Select to disable the device's ringer switch.
Disable sleep wake button: Select to disable the device's sleep/wake button (the top or right button on the device rim).
Disable auto lock: Select to prevent the device from going to sleep after an idle period.
Enable voice over: Select to enable the VoiceOver screen reader (accessibility feature).
Enable zoom: Select to enable Zoom (accessibility feature).
Enable invert colors: Select to enable the invert colors adjustment (accessibility feature).
Enable assistive touch: Select to enable AssistiveTouch (accessibility feature).
Enable speak selection: Select to enable Speak Selection (accessibility feature).
Enable mono audio: Select to switch from stereo to mono audio (accessibility feature).
Voice over adjustments: Select to allow device users to make VoiceOver adjustments.
Zoom adjustments: Select to allow device users to make Zoom adjustments.
Invert colors adjustments: Select to allow device users to invert colors.
Assistive touch adjustments: Select to allow users to make AssistiveTouch adjustments.

3. Click Next.
4. In the Distribution screen, select the device groups to receive this configuration.
5. Click Done.

Using the Phone dialer as the app

If you have configured the Phone dialer as the app to be used, the Home button works once after the device enters single app mode.

How to Troubleshoot Sentry Issues

Typical Sentry issues include:

A device is not getting email. Is Sentry blocking access for this device?
A device is getting email but should not. Why is Sentry not blocking access for this device?

To determine whether Sentry has blocked email for a device:

1. Go to Devices > Devices.
2. Click the link for the device.
3. Click the Sentry tab. The following information is displayed:
user
Sentry host name
user-agent (the email client used on the device)
status (whether the device's email has been blocked)

How to Upgrade In-House Apps

1. Go to Apps > App Catalog.
2. Select the app to be upgraded.
3. Select Actions > Add New Version.
4. Drag and drop the app to the Upload App area, or click Choose File to select it from your file system.
5. Select one of the following options based on what you want to do with the previous version of the app:
Keep the description, screenshots, and distribution the same: replaces the previous version in the app catalog.
Change the description, screenshots, or distribution: includes both versions in the app catalog.
6. Under What's New, enter text that explains to users what is different in the new version. This text is displayed on the device when the user selects the app for installation.
7. If you chose to change descriptions, screenshots, or distribution options, complete those changes.
8. Click Done.

If you chose to keep older versions of the app in the catalog, only one entry displays under Apps > App Catalog. The pane on the far left indicates the number of apps accounted for by the entry. If you later delete the newer version, the older version automatically replaces it on installed devices.

To display a list of app versions

1. Click the link for the app under Apps > App Catalog.
2. Click the Version tab.

3. If there are multiple versions of the app in the catalog, a drop-down displays the versions.

How to use Apps@Work

Apps@Work enables the use of Windows public and in-house apps on Windows 10 devices in MobileIron Cloud. Apps@Work is already configured and is installed silently on supported Windows 10 devices.

To configure an app for Apps@Work:

1. Select a Windows app.
2. Click the App Configuration tab.
3. Click Install on Device. Windows in-house app configuration can be set to the silent install flag or to install using Apps@Work. Public apps cannot be set to silent install.
4. Optionally, choose to display or hide apps in the Apps@Work catalog. This option applies to in-house apps only.

To install an app using Apps@Work:

1. Click the Apps@Work app. Your administrator email address and server URL are pre-filled in the Apps@Work login dialog.
2. Enter your password and click Sign In to display the apps page. There are three tabs: featured apps, in-house apps, and store apps.
3. Select the in-house apps tab.
4. Select an app to install. A message is displayed stating that a request has been sent to the server to install the app. Click Close.
5. Optionally, select an app from the store apps tab to display the Windows app store.
6. If prompted, enter your username and password for the Windows app store.
7. Click Update and Save to view the App information screen.

How to use Help@Work with TeamViewer

License: Platinum

Help@Work is implemented using TeamViewer. TeamViewer is a third-party app from TeamViewer.com that enables remote support for Android, iOS, and Windows devices. MobileIron Cloud uses TeamViewer to provide remote support for Android devices only. Once installed and configured, it gives a support administrator the ability to access and diagnose problems with users' mobile devices remotely.

Note: TeamViewer is not supported when a device is in Kiosk mode or retired.

Installing TeamViewer

Install the TeamViewer app on the desktop to access and provide support for your users' remote devices.

To install TeamViewer:

1. Download the installation package for the TeamViewer full version for Mac, Windows, or Android from the TeamViewer website.
2. Launch the TeamViewer installation program.
3. Select Basic Installation.
4. Select Company / Commercial use.
5. Click Accept - finish.

Requesting a TeamViewer account

You must have a TeamViewer account to provide support using TeamViewer.

To obtain a TeamViewer account:

1. Go to the TeamViewer account sign-up page.
2. Enter your email, name, and password.
3. Click Sign Up.
4. A TeamViewer account activation email is sent to the address you entered in step 2. Complete the instructions in the email to activate your TeamViewer account.

Enabling TeamViewer

When a user requests support, select the device and activate TeamViewer:

1. Select the Admin tab in the MobileIron Cloud navigation bar.
2. Select Help@Work on the left navigation pane.

3. In the Setting up for Android section, under step 1, click Enable TeamViewer.
4. Read the TeamViewer license agreement.
5. Click Agree.

Confirming the TeamViewer session ID

TeamViewer generates a session ID when a connection is established between the administrator's computer and the user's mobile device.

1. When the session ID is generated, MobileIron Cloud passes it to the MobileIron Go app (client), which in turn uses this session ID to invoke the TeamViewer client on the device.
2. Your Enterprise License is now activated. This identifies MobileIron customers to TeamViewer so that access is granted.
3. The user is prompted to accept the TeamViewer EULA.

Starting a TeamViewer session

To start a TeamViewer session for a device:

1. Select Devices in the MobileIron Cloud navigation bar.
2. Click the device that needs support.
3. Click the Actions pull-down menu and select Start TeamViewer remote control. If the administrator has a valid TeamViewer token, the desktop client starts with a support session to the device; otherwise the administrator is required to log in to TeamViewer and grant permissions.

Accessing a user device with TeamViewer

If the TeamViewer QuickSupport app is installed on the device:

1. The Set Up Help@Work screen is displayed and the user is notified that the IT administrator is requesting access to their device.
2. The user clicks Continue to begin the TeamViewer session. The remote session starts only after the user gives this consent.

If the TeamViewer QuickSupport app is not installed on the device:

1. The Set Up Help@Work screen is displayed and the user is prompted to install the TeamViewer QuickSupport app. The TeamViewer QuickSupport app may be available from the app catalog, or it can be downloaded from Google Play.
2. If access to Google Play is restricted or unavailable, the user is instructed to contact their IT administrator for help obtaining the TeamViewer QuickSupport app.

For more information, see How to Set Up Help@Work for Android.

How to add management of non-iOS devices

License: Gold

You are currently using a version of MobileIron Cloud that is optimized for iOS devices. This section describes how to switch to allow management of non-iOS devices. After switching, you will also be able to manage the following devices:
- Android 5.0 through the most recently released version as supported by MobileIron
- Windows Phone 8.1
- Windows 10 mobile and desktop

Important: Switching to include management of non-iOS devices cannot be reversed.

To switch to include non-iOS devices:
1. Click Admin > Allowed Platforms.
2. Click the Allow All Platforms button.
3. Check I understand that this cannot be undone to confirm that you know and understand that this operation cannot be undone.
4. Click the Allow All Platforms button.

Configure MobileIron Tunnel for Android for Work

Tunnel for Android for Work enables you to allow business apps, in-house apps, or Google Play Store apps on Android for Work devices to have access to resources behind your firewall. For Android for Work Tunnel, the tenant should already have Android for Work settings configured. Follow the steps in Configure VPN Tunnel for Windows and Android to set up a Sentry profile.

To configure Tunnel for Android for Work:
1. Navigate to Apps > +Add to go to the App catalog.
2. Select the Google Play Store.
3. Search for MobileIron Tunnel or click Tunnel (Android) in the Business apps section to add the app.
4. Click Next to begin configuration. Optionally, add a description. Choose a distribution level. Add screenshots if needed.
5. Click the Distribution tab and click Edit to make changes to the distribution level if needed.
6. Click the App Configurations tab to view a summary of the current configuration.
7. Select the Android for Work + icon to display the Configuration Setup. Enter a name for the configuration. Enter the appropriate restrictions your company requires.
8. Select the Restrictions you want to apply:
   - Choose Sentry Server from the drop-down list.
   - Enter a list of applications allowed to access the VPN connection in the AllowedAppList field.
   - Enter a list of applications denied access to the VPN connection in the DisallowedAppList field.
   - Optionally, check AllowBypass to allow all apps to bypass the VPN connection.
   - Use the SentryService pull-down menu to select an IP Tunnel service that is defined on Sentry.
   - Use the ClientCertAlias pull-down menu to select a client certificate alias.
   - Use the UINotificationLevel pull-down menu to set the level of UI notifications from the VPN.
   - Use the Debuglog pull-down menu to select a level of detail for the logs.
   - Enter a value for the idle timeout in milliseconds in the TcpIdleTmoMs field.
   - Enter a value for the Tunnel MTU in the MTU field.
   - Enter an email address for the person who will receive the VPN plugin logs in the DebugInfoRecipient field.
9. In the Distribute this App Config section, select a distribution option for the configuration that you designed. Your distribution options are:
   - Everyone with App
   - No One
   - Custom
10. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Configure VPN Tunnel for Windows and Android

Set up a VPN connection between a Windows 10 client or Android client and Sentry using MobileIron Tunnel.

Set up a Sentry Profile
1. Go to Admin > Certificate Authority.
2. Click +Add to add a Certificate Authority; the Add Certificate Authority dialog is displayed.
3. Select a Certificate Authority type to add or create:
   - Add an External Certificate Authority.
   - Create an Intermediate Certificate Authority.
   - Create a Standalone Certificate Authority.
4. Click + Add Description to enter a brief description of the configuration.
5. Set up a Sentry Profile.
6. Go to Admin > Certificate Authority > App Identity Certificate Configuration.
7. To add an External CA, click Continue in the Add an External Certificate Authority box.
   - Enter a name for the Certificate Authority.
   - Use the pull-down menu to select Microsoft as the Certificate Authority Type.
   - Enter the SCEP URL.
   - Enter the Username and Password.
   - Enter the Challenge URL.
   - Click Save.
8. To add an App Identity Certificate Configuration, click the +Add button or click the Actions pull-down menu and select Edit.
   - Enter a name.
   - Select a source from the Source pull-down menu.
   - Select a signature algorithm from the Signature Algorithm pull-down menu.
   - Enter a Subject.
   - Optionally, click +Add to choose a Subject Alternate Name Type.
   - Choose a Key Size from the pull-down menu.
   - Optionally, select Use as digital signature.
   - Optionally, select Use as key encipherment.
9. Click Done.

Create a Sentry Profile
1. Go to Admin > Sentry > Add Sentry Profile.
2. Choose ActiveSync and/or AppTunnel with certificate as the authentication.
3. Click Next to display the Global Settings page.
4. Enter a Name and description for the profile in the appropriate fields.

5. Enter the External Hostname using Sentry's Fully Qualified Domain Name (FQDN) and the Port using a port accessible by a managed device.
6. In the Device Authentication Mode section:
   - Select Use a Single Pfx file: all Windows clients use the same certificate.
   - Select Use SCEP Identity: use the Certificate Authority set up in the previous steps.
   - Optionally, select Enable Certificate Revocation List (CRL).
7. Click Next to display the Sentry Server Configuration page.
8. Select Use Sentry Self-signed certificate or select Upload New Certificate.
9. Click Next to display the Add Services page.
10. Select the MobileIron Tunnel Service for Windows and enter a service name.

Sentry Server Configuration
1. Verify the Https Port. The default value is
2. Choose whether or not to use the Sentry's self-signed certificate. This is selected by default.
3. Uncheck it to display the Upload New Certificate link.
4. Click Next.

Add a MobileIron Tunnel Service
1. Choose the Windows/Android icon to add the MobileIron Tunnel service for Android.
2. Fill in the service name.
3. Click Save. Click Save and Continue.
4. Use the pull-down menu to choose a Sentry profile and click Assign.

Assign a Sentry Profile
1. Go to Admin > Sentry > Actions and click Assign.
2. Use the pull-down menu to choose a Sentry profile and click Assign.

Set up a client certificate using
1. Go to Policies > Configurations and click Assign.
2. Click Identity Certificate to display the Edit Identity Certificate (Dynamically Generated) Configuration page.
3. Enter configuration details. See Identity Certificate Configuration for more information.

Set up a MobileIron Tunnel Policy for Android for Work

Use these steps to set up a MobileIron Tunnel policy for Android for Work.

Note: If you are not setting up a Tunnel policy for Android for Work, go to the next section, Set up a MobileIron Tunnel Policy for Windows.
1. Go to Apps and click +Add.
2. Select Google Play Store.
3. Search for MobileIron Tunnel.
4. Select the app and click Next.
5. Go to Admin > Sentry > Actions.
6. Click Assign -> Choose a Sentry Profile to assign to a Sentry instance.
7. Use the pull-down menu to choose a Sentry profile and click Assign.
8. Select the distribution level. Click Next.
9. In the App Configuration page, select the Android for Work (+) icon. Select the Sentry setting already defined for the tenant.
10. Save the App configuration. The Tunnel app should be installed from the App catalog when the device is enrolled.

Set up a MobileIron Tunnel Policy for Windows

Use these steps to set up a MobileIron Tunnel policy for Windows devices.
1. Go to Policies > +Add.
2. Select the MobileIron Tunnel policy to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Click the Windows icon to create a Tunnel service for Windows or Android. The Profile Settings section is displayed.
6. Choose a Sentry profile from the Sentry Profile pull-down menu.
7. Choose a Sentry service from the Sentry Service pull-down menu.
8. Enter an email address to receive debugging information.
9. Select an Always On position. ON is the default setting. This is a Windows 10 feature that enables the active VPN profile to connect automatically on these triggers: user signs in, network change. Note: The Always On setting works for Force Tunnel only.
10. If needed, click +Create New Group to create a new list of apps that will have all their traffic flow through the VPN. Enter a path for the app in the App Type pull-down menu. Click Lookup Apps to search for Windows 10 apps in the Windows App Store. Enter the name of the app in the search field. Select an app to add it to the App Identifier.

    In the Traffic Filters section, click +Add to add a filter. All traffic is sent through the tunnel if no filters are configured. Enter an IP address range in the Traffic Filter screen to limit traffic allowed through the tunnel to these IP addresses.
11. In the DNS section, click +Add to add a Domain and DNS Server IP.
12. Click Next.
13. Select a distribution for this configuration.

SCEP Configuration for External Certificate Authorities

This feature enables support for Simple Certificate Enrollment Protocol (SCEP) configuration for external certificate authorities for Windows 10 devices.

Set up an External Certificate Authority

You must first set up an External CA. You can skip to the next section if you already have an External CA.
1. Go to Admin -> Certificate Authority to create an External CA.
2. Enter a name for the Certificate Authority.
3. Use the pull-down menu to select Microsoft as the Certificate Authority Type.
4. Enter the SCEP URL.
5. Enter the Username and Password.
6. Enter the Challenge URL.
7. Click Save.

SCEP Configuration

Now you can proceed with the SCEP configuration.
1. Go to Configuration > +Add.
2. Select the Windows icon.
3. Select Identity Certificate to go to the Create Identity Certificate Configuration page.
4. Enter a name for the configuration.
5. Select Windows Config from the list of SCEP configurations in the Certificate Distribution pull-down menu.
6. Select the External CA.
7. Enter the Certificate Distribution details:
   - Enter the subject. For example: CN=${userEmailAddress}
   - Select the number of Retries from the Retry pull-down menu.
   - Select the number of seconds to wait before each retry from the Retry delay pull-down menu.
   - Select a key size from the Key Length pull-down menu.
   - Select at least one certificate usage option.
   - Enter the length of time in the Validity field and pull-down menu.
   - Enter the CA Thumbprint. Go to the SCEP challenge URL, copy the CA Thumbprint and paste it here, or click Create from Certificate... to upload the certificate from which the CA Thumbprint can be created.
   - Select at least one hashing algorithm from the Hash Algorithm Family options.
8. Click Next.

How to Push SyncML to Devices Using Custom Configurations

You can create your own Synchronization Markup Language (SyncML) configuration files, or get them from a third-party source, to implement custom features by adding them to a custom configuration.

Supported platforms:
- Windows 10 Phone
- Windows 10 Desktop
- Windows 8.1 devices

To enter values for a custom configuration:
1. Go to Policies > Configurations.
2. Click +Add.
3. Click Custom Configuration to display the Create Custom Configuration page.
4. Enter a name for the configuration.
5. Click the Windows OS icon.
6. Drag and drop the SyncML file in the interface, or click Choose File to navigate to the file to select for uploading to the device. Note: MobileIron Cloud does not perform any validation checks on the code in the file.
7. Click Next.
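Because MobileIron Cloud performs no validation on the uploaded SyncML file, whatever is in it reaches every targeted device as-is, so it is worth linting the file before step 6. The following Python script is an added example, not code from the MobileIron guide or product; the SyncML it inspects is constructed for this example and uses Windows Policy CSP DeviceLock node paths.

```python
"""Pre-upload lint for a Windows SyncML custom configuration (added example,
not code from the MobileIron guide or product). MobileIron Cloud pushes the
uploaded file to devices unvalidated, so this parses the OMA-DM SyncBody and
reports malformed commands before anything reaches a device."""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_COMMANDS = {"Add", "Replace", "Delete", "Exec", "Get"}  # SyncBody verbs an MDM client accepts
FORMATS = {"int", "chr", "bool", "b64", "node", "xml"}  # valid <Meta><Format> values
LOCURI_RE = re.compile(r"^\./\S+$")  # OMA-DM node URIs are relative to the tree root

# Constructed sample: CmdID 1 is valid, CmdID 2 gives a non-integer value to an
# int node, CmdID 3 targets a path that is not a valid OMA-DM URI.
SAMPLE_SYNCML = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
  <Replace><CmdID>1</CmdID><Item>
    <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>8</Data>
  </Item></Replace>
  <Replace><CmdID>2</CmdID><Item>
    <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>zero</Data>
  </Item></Replace>
  <Delete><CmdID>3</CmdID><Item>
    <Target><LocURI>Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI></Target>
  </Item></Delete>
  <Final/>
</SyncBody></SyncML>"""


def _local(tag: str) -> str:
    """Drop the namespace: '{SYNCML:SYNCML1.2}Replace' -> 'Replace'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First element in elem's subtree (elem included) with local tag `name`."""
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def _text(elem, name) -> Optional[str]:
    """Stripped text of the first `name` element under elem, or None if absent."""
    found = None if elem is None else _find(elem, name)
    return None if found is None else (found.text or "").strip()


@dataclass
class Command:
    verb: str
    cmd_id: str
    loc_uri: str
    fmt: Optional[str]
    data: Optional[str]


def lint_syncml(text: str) -> Tuple[List[Command], List[str]]:
    """Parse a SyncML document; return (commands found, problems found)."""
    commands: List[Command] = []
    errors: List[str] = []
    try:
        body = _find(ET.fromstring(text), "SyncBody")
    except ET.ParseError as exc:
        return commands, [f"not well-formed XML: {exc}"]
    if body is None:
        return commands, ["no <SyncBody> element"]
    seen_ids = set()
    for cmd in body:  # direct children of SyncBody are the commands
        verb = _local(cmd.tag)
        if verb == "Final":
            continue
        if verb not in ALLOWED_COMMANDS:
            errors.append(f"unsupported command <{verb}>")
            continue
        cmd_id = _text(cmd, "CmdID") or "?"
        if not cmd_id.isdigit():
            errors.append(f"<{verb}> has a missing or non-numeric CmdID")
        elif cmd_id in seen_ids:
            errors.append(f"duplicate CmdID {cmd_id}")
        seen_ids.add(cmd_id)
        for item in (e for e in cmd.iter() if _local(e.tag) == "Item"):
            loc_uri = _text(_find(item, "Target"), "LocURI")
            fmt, data = _text(item, "Format"), _text(item, "Data")
            if not loc_uri or not LOCURI_RE.match(loc_uri):
                errors.append(f"CmdID {cmd_id}: invalid LocURI {loc_uri!r}")
            if fmt is not None and fmt not in FORMATS:
                errors.append(f"CmdID {cmd_id}: unknown Format {fmt!r}")
            if verb in ("Add", "Replace", "Exec"):  # verbs that must carry a value
                if data is None:
                    errors.append(f"CmdID {cmd_id}: <{verb}> without <Data>")
                elif fmt == "int" and not re.fullmatch(r"-?\d+", data):
                    errors.append(f"CmdID {cmd_id}: Data {data!r} is not an int")
            commands.append(Command(verb, cmd_id, loc_uri or "", fmt, data))
    return commands, errors


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SYNCML
    found, problems = lint_syncml(src)
    for c in found:
        print(f"{c.verb:8}CmdID={c.cmd_id} {c.loc_uri} format={c.fmt} data={c.data!r}")
    for err in problems:
        print("ERROR:", err)
    sys.exit(1 if problems else 0)
```

Run it with the path of the SyncML file as the only argument; a non-zero exit means the file should not be uploaded yet.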

How to configure Distribution Filters

Use Distribution Filters to limit the apps available for installation. Distribution filters enable you to display only the apps in the app catalog that are applicable to the device.

License: Gold

These filters are available by default:
- AfW Enabled Apps - limits app distribution to Android for Work enabled devices only.
- iPad Only Apps - limits app distribution to iPad devices only.
- iPhone Only Apps - limits app distribution to iPhone devices only.

1. Go to Apps > Distribution Filter. The default app filters and any created app filters are listed here.
2. Click +Add to access the Create Distribution Filter dialog.
3. Enter a name and description in the appropriate fields.
4. Select rule definitions for the filter.
5. Click Create Distribution Filter.
6. If needed, select a custom filter to update.
   a. Click Edit to display the Update Distribution Filter page.
   b. Enter a name and description in the appropriate fields.
   c. Use the pull-down menus to define rules for the filter.
   d. Click Update Distribution Filter.
7. Select an app.
8. On the App Detail page, select the Distribution tab.
9. Click Edit.
10. Choose an App Distribution option:
   - Everyone
   - No one
   - Custom
   Note: The Distribution Filter section is visible only if the Everyone or Custom distribution option is selected.
11. Choose a distribution filter option:
   a. Enter a filter name in the Search the existing distribution filters... field to locate a filter that has already been created.
   b. Click +Add Distribution filter to add a new filter.

Note: Distribution filters can be created or assigned to an app before it's added to the catalog.

How to use the httpproxy command for Connector

A new klish shell command has been created to help edit the Connector configuration for your MobileIron Cloud installation. Use this command to change login information and other parameters to configure the Connector. The httpproxy command is now available in this release with these requirements:
- klish shell

To configure your Connector:
1. Log in to the klish shell.
2. Enter a ? for a list of available klish shell commands.
3. Enter httpproxy to show the current value of these parameters:
   a. enabled
   b. scheme
   c. server
   d. authtype
   e. username
   f. password
4. Enter httpproxy ? to see a list of commands available for use with httpproxy:
   a. authtype - Set the authentication type of the http proxy to NONE, BASIC, or NTLM
   b. disable - Disable the http proxy
   c. enable - Enable the http proxy
   d. host - Set the host of the http proxy; must be an FQDN or an IP
   e. password - Set the authentication password of the http proxy
   f. port - Set the port of the http proxy
   g. scheme - Set the scheme of the http proxy; must be either http or https
   h. show - Show the current http proxy settings
   i. username - Set the authentication username of the http proxy
5. Use the commands listed above to set up your Connector instance.


More Details

Displaying and Hiding Columns

Most pages that display information in a table let you select which columns to display or hide.

To display or hide columns:
1. Click the settings icon (upper right).
2. Select the columns to display.
3. Clear check boxes to hide columns.

When to Edit a Username

When you add a user, the text you enter for the email address is automatically used as the username as well. In most cases, you should leave the default username in place because:
- A username in the format of an email address is required.
- It is convenient to use the username variable in configurations, though the email address can also be used.

The only time to edit a username is in the rare event of a conflict with an existing username, because usernames must be unique across the entire device management


More information

AirWatch Express. VMware Workspace ONE UEM 1902

AirWatch Express. VMware Workspace ONE UEM 1902 VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

ipad in Business Mobile Device Management

ipad in Business Mobile Device Management ipad in Business Mobile Device Management ipad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of ipad across their organizations. These Mobile Device Management

More information

Sophos Mobile super administrator guide. Product version: 7.1

Sophos Mobile super administrator guide. Product version: 7.1 Sophos Mobile super administrator guide Product version: 7.1 Contents 1 About this guide...4 1.1 Document conventions...4 2 Super administrator...5 2.1 Super administrator tasks...5 2.2 Super administrator

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Strengths of Knox Manage Kiosk

Strengths of Knox Manage Kiosk 16 Kiosk Applications A kiosk application is an application that is installed on a stand-alone device, featuring a touchscreen interface that displays information, and used in public spaces or workplaces.

More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware AirWatch Express Guide Managing your organization's mobile devices

VMware AirWatch Express Guide Managing your organization's mobile devices VMware AirWatch Express Guide Managing your organization's mobile devices AirWatch Express v1.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of June 2017. Vodafone Ready Business Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

Workspace ONE UEM Mobile Device Management Guide. VMware Workspace ONE UEM 1810

Workspace ONE UEM Mobile Device Management Guide. VMware Workspace ONE UEM 1810 Workspace ONE UEM Mobile Device Management Guide VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

VMware AirWatch ios Platform Guide Deploying and managing ios devices. Workspace ONE UEM v9.4

VMware AirWatch ios Platform Guide Deploying and managing ios devices. Workspace ONE UEM v9.4 VMware AirWatch ios Platform Guide Deploying and managing ios devices Workspace ONE UEM v9.4 H a v e d o c u m e n t a t io n f e e d b a c k? S u b m it a D o c u m e n t a t io n F e e d b a c k s u

More information

Release Notes and Advisories Guide. BlackBerry UEM Version 12.7 and all maintenance releases

Release Notes and Advisories Guide. BlackBerry UEM Version 12.7 and all maintenance releases Release Notes and Advisories Guide BlackBerry UEM Version 12.7 and all maintenance releases Published: 2018-02-07 SWD-20180207105136916 Contents Installing or upgrading the software...4 What's new in BlackBerry

More information

Sophos Mobile. super administrator guide. product version: 8.6

Sophos Mobile. super administrator guide. product version: 8.6 Sophos Mobile super administrator guide product version: 8.6 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

McAfee Enterprise Mobility Management 12.0 Software

McAfee Enterprise Mobility Management 12.0 Software Product Guide McAfee Enterprise Mobility Management 12.0 Software For use with epolicy Orchestrator 4.6.7-5.1 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

VMware Workspace ONE UEM ios Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch

VMware Workspace ONE UEM ios Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch VMware Workspace ONE UEM ios Device Management VMware Workspace ONE UEM 1811 VMware AirWatch You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown

NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown NotifyMDM for ios Devices, Version 3.x NotifyMDM for ios with TouchDown 1 Table of Contents NotifyMDM for ios

More information

VMware AirWatch Express Guide Managing your organization's mobile devices

VMware AirWatch Express Guide Managing your organization's mobile devices VMware AirWatch Express Guide Managing your organization's mobile devices AirWatch Express v1.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Sophos Mobile SaaS startup guide. Product version: 7.1

Sophos Mobile SaaS startup guide. Product version: 7.1 Sophos Mobile SaaS startup guide Product version: 7.1 Contents 1 About this guide...4 2 What are the key steps?...5 3 Change your password...6 4 Change your login name...7 5 Activate SMC Advanced licenses...8

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

VMware AirWatch Android Platform Guide

VMware AirWatch Android Platform Guide VMware AirWatch Android Platform Guide Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

Link to other configuration guides for information on...

Link to other configuration guides for information on... Configuration Guide: Adding Users and Enrolling Devices This guide provides information on...... Adding users manually or via batch import using the Add New User Wizard... Setting up an Organization for

More information

Sophos Mobile Control SaaS startup guide. Product version: 7

Sophos Mobile Control SaaS startup guide. Product version: 7 Sophos Mobile Control SaaS startup guide Product version: 7 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8 5 Change your login

More information

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Table of Contents Lab Overview - HOL-1857-03-UEM - Workspace ONE UEM with App & Access Management... 2 Lab Guidance... 3 Module 1 - Workspace

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware AirWatch Tizen Guide

VMware AirWatch Tizen Guide VMware AirWatch Tizen Guide AirWatch v8.4 and higher Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected

More information

VMware AirWatch ios Platform Guide Deploying and managing ios devices

VMware AirWatch ios Platform Guide Deploying and managing ios devices VMware AirWatch ios Platform Guide Deploying and managing ios devices Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Windows 8/RT Features Matrix

Windows 8/RT Features Matrix Windows 8/RT Features Matrix The following matrix shows what AirWatch features are available to the Windows 8.0/RT and the Windows 8.1/RT platforms. Feature Windows 8.0/RT Windows 8.1/RT Activation & Enrollment

More information

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2 VMware Identity Manager Administration MAY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

VMware AirWatch ios Platform Guide Deploying and managing ios devices

VMware AirWatch ios Platform Guide Deploying and managing ios devices VMware AirWatch ios Platform Guide Deploying and managing ios devices AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

This guide provides information on...

This guide provides information on... Managing Users and User Resources This guide provides information on...... The User/Device Grid... The User/Device Profile... Categorizing Users into Local Groups... Managing Applications... Managing Corporate

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware Workspace ONE UEM Mobile Device Management Documentation. VMware Workspace ONE UEM 1811

VMware Workspace ONE UEM Mobile Device Management Documentation. VMware Workspace ONE UEM 1811 VMware Workspace ONE UEM Mobile Device Management Documentation VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

GRS Enterprise Synchronization Tool

GRS Enterprise Synchronization Tool GRS Enterprise Synchronization Tool Last Revised: Thursday, April 05, 2018 Page i TABLE OF CONTENTS Anchor End User Guide... Error! Bookmark not defined. Last Revised: Monday, March 12, 2018... 1 Table

More information

QuickStart Guide for Managing Mobile Devices. Version

QuickStart Guide for Managing Mobile Devices. Version QuickStart Guide for Managing Mobile Devices Version 10.1.0 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite

More information

Application / Document Management. MaaS360 e-learning Portal Course 3

Application / Document Management. MaaS360 e-learning Portal Course 3 Application / Document Management MaaS360 e-learning Portal Course 3 Agenda > Application Management Overview MaaS360 Workflows Device Workflows > Document Management Overview MaaS360 Workflows Document

More information

VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices

VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices AirWatch v8.1 and higher Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

ios Supervised Devices

ios Supervised Devices www.novell.com/documentation ios Supervised Devices ZENworks Mobile Management 3.2.x October 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

Table of Contents HOL-1757-MBL-5

Table of Contents HOL-1757-MBL-5 Table of Contents Lab Overview - - VMware AirWatch: Mobile App Management and App Development... 2 Lab Guidance... 3 Module 1 - Introduction to AppConfig (30 minutes)... 8 Login to the AirWatch Console...

More information

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6

Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information