MobileIron Cloud R39



Welcome...

...to a cloud-based service that you can use to manage mobile devices, including the apps and content on those devices. With MobileIron Cloud, your users can access their apps and data on the device of their choice while you manage and secure the devices, apps, and content on your network.

Note: A third-party vendor translates this Extended Help into many languages. The accelerated release cadence of MobileIron Cloud means that sometimes there is a delay in publishing translated content. If your non-English Extended Help is out of date, please access the latest content in the English language by accessing the URL, where xx is the latest version number of MobileIron Cloud. For example, to access release 39 online help, the URL would be

What's new

- App Reputation support
- macOS support
- Create dynamically managed User Groups based on custom attributes
- Android Fingerprint and SmartLock device restrictions
- Complex PIN on Android (5.0 or later)
- Push and Exclude configurations to individual iOS, Android, macOS, and Windows 10 devices
- Microsoft Passport for Work PIN for Windows 10 devices
- Deploy MSI files with command-line switches for Windows 10 devices

Copyright MobileIron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. MobileIron, Inc. does not warrant the use of this publication. For some phone images, a third-party database and image library, Copyright Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the MobileIron product. MobileIron, the MobileIron logos and other trade names, trademarks or service marks of MobileIron, Inc. appearing in this documentation are the property of MobileIron, Inc. This documentation contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. We do not intend our use or display of other companies' trade names, trademarks or service marks to imply a relationship with, or endorsement or sponsorship of us by, these other companies.

Getting Started

When you accessed MobileIron Cloud the first time, the Startup Wizard was displayed. If you completed the Startup Wizard, you should now have:

- an iOS MDM certificate installed (if completed)
- passcode settings for all devices
- settings for at least some devices (ActiveSync, IMAP/POP)
- any apps you chose to set up in the app catalog
- users who have been invited to enroll

If you need to change something

Click one of the above links to get information on how to change the things you just set up.

If you did not finish the Startup Wizard

Click each of the above links for information on completing the basics. Note that skipping the iOS MDM certificate installation means iOS devices will not be able to register. Users will see a message stating that iOS device enrollment has not been enabled.

Dashboard

The dashboard shows important statistics about registered devices and users. Each section on the dashboard is called a widget. For each widget, you define:

- the category of data displayed (such as devices or users)
- how the data is grouped (such as by OS version or model)
- how the data is filtered (such as displaying only iOS devices)
- how the data is displayed (such as pie chart or bar chart)

To add a widget

1. Click Add (upper right).
2. Assign a name to the widget.
3. Select a data category.
4. Complete the filtering options as they display.
5. Select the default display type (pie chart, bar chart, line graph).
6. Click Done.

To arrange widgets

Widgets always display three to a row. However, you can change the order in which the widgets are displayed:

1. Click Arrange (upper right).
2. Drag the boxes into the order in which the widgets should appear.
3. Click OK.

To edit a widget

1. Click the settings icon for the widget (upper right).
2. Select Edit.
3. Make your changes.
4. Click Done.

Can't see the Dashboard page?

Maybe you don't have permission. You need one of the following roles:

- System Management
- System Read Only

See Also

- Displaying and Hiding Columns

Users

Users > Users

Before you invite someone to register mobile devices, you need to create a user entry for that person. You also need to create a user for anyone who will use MobileIron Cloud to help manage devices or publish content (administrators). You can add a single user or several users at a time. Once you have added many users, you might want to filter the display to show only the ones you are interested in.

Other things you can do with users in this page include:

- assign to/remove from a user group
- send a message
- invite to register
- assign roles
- change a password
- delete

To add a user

1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information:
   - Address
   - First Name
   - Last Name
   The Username field displays the address you entered. In most cases, you should not edit this default. See When to Edit a Username.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. If you want to assign a password, enter it in the Password and Confirm Password fields. If you assign a password, you need to communicate it to the user for device registration. If you don't assign a password, the user will need to create a password during device registration.
6. If you want to set up other features before inviting this user, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done.
7. Click Done to add the user.

To add several users

1. Click Add (top right).
2. Select Multiple Users.

3. Type or paste the addresses of the users, separated by commas. Example:
4. If you want to set up other features before inviting this user, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done.
5. Click Done to add the users.

To add users by uploading a file

1. Click Add (top right).
2. Select Multiple Users.
3. Select Upload CSV.
4. Click Download CSV Template.
5. Edit the template with the following information for each user:
   - user ID (required)
   - address (required)
   - password
   - first name
   - last name
   - display name
   - user groups
   - custom attributes
   This is the same information you enter when adding a single user. Do not exceed 10,000 entries in the file.
6. Save the file.
7. Drag it to the upload area or select Upload CSV to select the file.
8. Once the uploaded user information is displayed, make any necessary edits.
9. Click Next (lower right).
10. If you do not want to send invitations right away, select Do not send invitations.
11. Click Done.

To add an administrator

1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information:
   - Address
   - First Name
   - Last Name
   The Username field displays the address you entered.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. Assign a password in the Password field.
6. Enter the password again in the Confirm Password field.
7. Click Done to add the user.

8. Communicate the password to the person who will help manage devices.

The nobody user

The nobody user is a default user that cannot be deleted. The service applies this user to devices that do not have associated users, such as retired devices.

Can't do tasks on the Users page?

Maybe you don't have permission. You need one of the following roles:

- System Management
- User Management

See Also

- Displaying and Hiding Columns

Users > User Groups

Create a user group so that you can assign apps and roles to multiple users. For example, you might create a Managers group if you want all department managers to be administrators for apps and content.

You can manage a user group in one of the following ways:

- Dynamically Managed: Local and LDAP users are added to or removed from a group dynamically based on certain rules and/or attributes.
- Manually Managed: Add users to or remove users from a group manually. Manually Managed groups are recommended only for testing purposes that require 100 or fewer users.

To create a dynamically managed user group

1. Click Add (top right).
2. Enter a group name (mandatory).
3. (Optional) Click Add Description to add a description.
4. Select the Dynamically Managed option.
5. Set custom rules and/or attributes as per your requirements.
   - For each rule, select between local and LDAP users.
   - Set ANY or ALL conditional filters for rules.
   - Add more rules by clicking the plus character.
   - Create a group of rules by clicking the hierarchical icon next to the plus sign.
   - Review the user group's rules and attributes in the text query below the rules construct.

   - Review the Results for users that match the configured criteria. As you add or modify a rule or an attribute, the matching users are found and displayed if they exist.
6. Click Save.

To create a manually managed user group

1. Click Add (top right).
2. Enter a group name (mandatory).
3. (Optional) Click Add Description to add a description.
4. Select the Manually Managed option.
5. In the Search Users field, type the address of each user to be included in the group. As you type, the matching users are found and displayed if they exist.
6. Select the users you want to add to the group. You may search and add more users as required.
7. Click Save.

Can't do tasks on the User Groups page?

Maybe you don't have permission. You need one of the following roles:

- System Management
- User Management

See Also

- Displaying and Hiding Columns

Users > User Settings

User settings define device registration options. There are several types:

- Device Registration Setting: Sets authentication by password, PIN, or both; and device ownership.
- Device Limit Setting: Sets the number of devices a user can register.
- Terms of Service Setting: Sets the terms of service displayed to the user for each device registration.

You can edit the default settings for the All Users group or add custom settings and assign them to other user groups.

To edit the default setting

Click the Edit link for the setting that has the lock icon. You cannot delete a default setting.

To add a custom setting

Click the Add setting for specific user groups link.

To delete a custom setting

Click the x icon.

To require a password, PIN, or both, and set device ownership

1. Edit the default Device Registration setting or add a new one.
2. Edit or assign a name to identify the setting.
3. Type an optional description of the setting.
4. Select a registration type from the drop-down:
   - Password Only
   - PIN Only
   - Password and PIN
5. For PINs, include the following:
   - PIN lifetime: How long the PIN remains valid
   - PIN length: The number of characters
   - Allow user to request a new PIN (when forgotten or expired)
6. Optionally, turn on Device Owner Settings, and then click User Owned or Company Owned. This setting changes how the device is classified during the registration process. This is only applicable for PIN Only or Password + PIN registration types. If Device Owner Settings is turned off, devices will be registered as "Not Set." For Supervised devices, device owner setting will be "Company Owned."

7. Click +Add for at least one user group to which you want to distribute the setting.
8. Click Save.

To limit the number of devices per user

1. Edit the default Device Limit setting or add a new one.
2. Edit or assign a name to identify the setting.
3. Type an optional description of the setting.
4. Select a limit from the drop-down.
5. Click +Add for at least one user group to which you want to distribute the setting.
6. Click Save.

To define the terms of service displayed

1. Create a new Terms of Service setting.
2. Assign a name to identify the setting.
3. Type an optional description of the setting.
4. Select the Prompt the user... option.
5. Type a title and text to display.
6. Click +Add for at least one user group to which you want to distribute the setting.
7. Click Save.

Note: Once accepted, the terms of service cannot be deleted. However, you can turn off the prompts for new registration by clearing the Prompt the user... option.

Users > User Branding

User branding enables you to customize the device registration process with names and logos that your users will recognize. You can customize the user-facing branding in the following ways:

- Set a custom hostname for the registration URL
- Display your logo in the registration and registration screen
- Display a custom favicon during registration activities

License: Gold

Before you start

Decide on the hostname you want to use in your custom URL. It must meet the following requirements:

- Contains no spaces
- Contains no special characters

Obtain a logo file that meets the following requirements:

- PNG format
- 580 px x 80 px

Obtain a favicon file that meets the following requirements:

- PNG format
- 64 px x 64 px

Steps

1. Go to Users > User Branding.
2. Click Customize (upper right).
3. In the Hostname field, type a short name to use as the hostname in your URL.
4. Click Check Availability to confirm that the hostname you entered has not been used by someone else.
5. If the hostname is not available, enter a different name.
6. Note the resulting registration URL under URL Preview.
7. Click Next.

8. Under Logo, click Choose File to upload the logo to be used in the registration and registration screen.
9. Click Next.
10. Under Favicon, click Choose File to upload the favicon to be displayed in place of the MobileIron Cloud favicon during registration activities.
11. Click Done.

Managing Users

Users > Users

Before you invite someone to register mobile devices, you need to create a user entry for that person. You also need to create a user for anyone who will use MobileIron Cloud to help manage devices or publish content (administrators). You can add a single user or several users at a time. Once you have added many users, you might want to filter the display to show only the ones you are interested in.

Other things you can do with users in this page include:

- assign to/remove from a user group
- send a message
- invite to register
- assign roles
- change a password
- delete

To add a user

1. Click Add (top right).
2. Select Single User.
3. Complete the form with the user's information:
   - Address
   - First Name
   - Last Name
   The Username field displays the address you entered. In most cases, you should not edit this default. See When to Edit a Username.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. If you want to assign a password, enter it in the Password and Confirm Password fields. If you assign a password, you need to communicate it to the user for device registration. If you don't assign a password, the user will need to create a password during device registration.
6. If you want to set up other features before inviting this user, clear the Send this invitation now option.

34 Otherwise, the invitation will be sent when you click Done. 7. Click Done to add the user. To add several users 1. Click Add (top right). 2. Select Multiple Users. 3. Type or paste the addresses of the users, separated by commas. Example: 4. If you want to set up other features before inviting this user, clear the Send this invitation now option. Otherwise, the invitation will be sent when you click Done. 5. Click Done to add the users. To add users by uploading a file 1. Click Add (top right). 2. Select Multiple Users. 3. Select Upload CSV. 4. Click Download CSV Template. 5. Edit the template with the following information for each user: user ID (required) address (required) password first name last name display name user groups custom attributes This is the same information you enter when adding a single user. Do not exceed 10,000 entries in the file. 6. Save the file. 7. Drag it to the upload area or select Upload CSV to select the file. 8. Once the uploaded user information is displayed, make any necessary edits. 9. Click Next (lower right). 10. If you do not want to send invitations right away, select Do not send invitations. 11. Click Done. To add an administrator 1. Click Add (top right). 2. Select Single User. 3. Complete the form with the user's information: Address First Name 13

Last Name
The Username field displays the address you entered.
4. If you want to change the display name for this user, edit the default text in the Display Name field.
5. Assign a password in the Password field.
6. Enter the password again in the Confirm Password field.
7. Click Done to add the user.
8. Communicate the password to the person who will help manage devices.

The nobody user
The nobody user is a default user that cannot be deleted. The service applies this user to devices that do not have associated users, such as retired devices.

Can't do tasks on the Users page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- User Management

See Also
Displaying and Hiding Columns

Adding an API user for Cisco ISE operations
You can add an API user with the "Cisco ISE Operations" role, which allows Cisco ISE to interact with the Cisco ISE APIs in MobileIron Cloud. After you create this user, you use this user's credentials from Cisco ISE to authenticate API calls into MobileIron Cloud. These APIs allow Cisco ISE to get device information; take actions on devices (for example, full wipe, corporate wipe, and PIN lock); and send messages to devices.

To add an API user:
1. Click the Users tab.

36 2. Click Add. 3. Select API User. 4. Complete the resultant form with the user's information: Address First Name Last Name The Username field displays the address you entered. In most cases, you should not edit this default. See When to Edit a Username. 4. If you want to change the display name for this user, edit the default text in the Display Name field. 5. Assign a password by entering it in the Password and Confirm Password fields. 6. Leave the API Management Cisco ISE Operations role selected in the Assign Roles section. 7. Click Done to add the user. Can't do tasks on the Users page? Maybe you don't have permission. You need one of the following roles: System Management User Management See Also Displaying and Hiding Columns Assigning Roles to Users 15

You can give users access to MobileIron Cloud data and features by assigning roles. You can assign roles directly to users or to user groups. Assigning a role to a user group gives that role to all users in that group.
1. Go to Users > Users or Users > User Groups.
2. Select the link for a user or user group.
3. Click Actions.
4. Select Assign Roles.
5. Select the roles you want to assign.
6. Click Done.

How to give helpdesk staff permission to use basic device actions
The helpdesk roles generally allow staff to view data. However, some organizations prefer to include the basic device actions:
- Force Check-in
- Lock
- Unlock
- Send Message
- Retire
- Wipe
To provide permission to these actions:
1. Go to Users > Users or Users > User Groups.
2. Select the link for a user or user group.
3. Click Actions.
4. Select Assign Roles.
5. Select Device Read Only.
6. Select Device Actions.
7. Click Done.
Note: You must select Device Read Only before selecting Device Actions. Otherwise, users will not have the expected permissions.

User Roles
User roles determine the pages users can see in MobileIron Cloud and the things users can do. The following table lists the roles you can assign and what they mean.

Role | Can See | Can Do
System Management | Dashboard, Users, Apps, Content, Admin | All tasks in these pages
System Read Only | Dashboard, Users, Apps, Content, Admin | View data in these pages
User Management | Users, Apps, Content | All tasks in Users; view data in Apps, Content
User Read Only | Users, Apps, Content | View data in these pages
Device Management | Users, Devices, Apps, Content, Policies | All tasks in Users, Devices, Policies; view data in Content, Apps
Device Read Only | Users, Devices, Apps, Content, Policies | View data in these pages
App & Content Management | Users, Apps, Content | All tasks in Users, Apps, Content, including AppConnect tasks
App & Content Read Only | Users, Apps, Content | View data in these pages, including AppConnect tasks
Device Actions | Users, Devices, Apps, Content, Policies | View data in these pages; only the following device actions: Force Check-in, Lock, Unlock, Send Message, Retire, Wipe

Note: You must select Device Read Only before selecting Device Actions. Otherwise, users will not have the expected permissions.
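The role table and the Note above lend themselves to a periodic review of who can retire or wipe devices, and through which assignment. The following Python sketch is an added example, not MobileIron code: the input dictionaries, sample users and groups, and finding codes are constructed for illustration, and it assumes that Device Management's "All tasks in ... Devices" includes the device actions.

```python
"""Review role assignments against the User Roles table (added example)."""
from collections import namedtuple

Finding = namedtuple("Finding", "subject code detail")


def _role(all_pages=(), view_pages=()):
    """Build {page: 'all' | 'view'} for one row of the role table."""
    access = {page: "view" for page in view_pages}
    access.update({page: "all" for page in all_pages})
    return access


SYSTEM_PAGES = ["Dashboard", "Users", "Apps", "Content", "Admin"]
DEVICE_PAGES = ["Users", "Devices", "Apps", "Content", "Policies"]

# Transcribed from the User Roles table on this page.
ROLE_TABLE = {
    "System Management": _role(all_pages=SYSTEM_PAGES),
    "System Read Only": _role(view_pages=SYSTEM_PAGES),
    "User Management": _role(all_pages=["Users"], view_pages=["Apps", "Content"]),
    "User Read Only": _role(view_pages=["Users", "Apps", "Content"]),
    "Device Management": _role(all_pages=["Users", "Devices", "Policies"],
                               view_pages=["Content", "Apps"]),
    "Device Read Only": _role(view_pages=DEVICE_PAGES),
    "App & Content Management": _role(all_pages=["Users", "Apps", "Content"]),
    "App & Content Read Only": _role(view_pages=["Users", "Apps", "Content"]),
    "Device Actions": _role(view_pages=DEVICE_PAGES),
}


def effective_roles(user, direct, memberships, group_roles):
    """Direct roles plus every role inherited from the user's groups."""
    roles = set(direct.get(user, ()))
    for group in memberships.get(user, ()):
        roles |= set(group_roles.get(group, ()))
    return roles


def effective_access(roles):
    """Merge page access across roles; 'all' wins over 'view'."""
    access = {}
    for role in roles:
        for page, level in ROLE_TABLE.get(role, {}).items():
            if level == "all" or page not in access:
                access[page] = level
    return access


def can_run_device_actions(roles):
    """True if the role set allows Retire/Wipe and the other device actions.

    Assumption: Device Management covers device actions; otherwise the
    Device Read Only + Device Actions pair from the Note is required.
    """
    roles = set(roles)
    return "Device Management" in roles or {"Device Read Only", "Device Actions"} <= roles


def audit(direct, memberships, group_roles):
    findings = []
    # 1. Per-assignment checks: unknown roles and the pairing from the Note.
    assignments = [("user:" + u, r) for u, r in direct.items()]
    assignments += [("group:" + g, r) for g, r in group_roles.items()]
    for subject, roles in sorted(assignments, key=lambda a: a[0]):
        roles = set(roles)
        for unknown in sorted(roles - set(ROLE_TABLE)):
            findings.append(Finding(subject, "UNKNOWN_ROLE", unknown))
        if "Device Actions" in roles and "Device Read Only" not in roles:
            findings.append(Finding(subject, "DEVICE_ACTIONS_WITHOUT_READ_ONLY",
                                    "assign Device Read Only first"))
    # 2. Who can retire or wipe, and whether that comes from a group.
    for user in sorted(set(direct) | set(memberships)):
        roles = effective_roles(user, direct, memberships, group_roles)
        if not can_run_device_actions(roles):
            continue
        via = sorted(g for g in memberships.get(user, ())
                     if can_run_device_actions(group_roles.get(g, ())))
        if can_run_device_actions(direct.get(user, ())):
            path = "direct"
        elif via:
            path = "group:" + ",".join(via)
        else:
            path = "combined"  # pair split across direct and group assignments
        findings.append(Finding("user:" + user, "CAN_RETIRE_AND_WIPE", path))
    return findings


# Constructed sample data (not a MobileIron export format).
DIRECT = {
    "alice@example.com": ["System Read Only"],
    "bob@example.com": ["Device Actions"],
    "carol@example.com": ["Device Read Only", "Device Actions"],
    "dave@example.com": [],
}
MEMBERSHIPS = {"alice@example.com": ["Helpdesk"], "dave@example.com": ["Mobility Admins"]}
GROUP_ROLES = {
    "Helpdesk": ["Device Read Only", "Device Actions"],
    "Mobility Admins": ["Device Management"],
    "Contractors": ["Device Actions", "Helpdesk Tier 1"],
}

if __name__ == "__main__":
    for finding in audit(DIRECT, MEMBERSHIPS, GROUP_ROLES):
        print(finding)
```

Users whose path is a group lose the capability when they are removed from that group, so the group membership list is what needs review for those entries.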

39 See Also Assigning Roles Finding Users Once you have added many users, it can be helpful to use filters or searches to quickly locate a user entry. To search for a user 1. Go to Users > Users. 2. Type characters in the Find users box (left pane). To filter users 1. Go to Users > Users. 2. Select the filters (left pane) to narrow the user entries displayed. For example, select Not Invited to display all users you have yet to invite to enroll. Assigning Users to User Groups Assigning users to user groups is a great way to minimize the number of times you need to repeat tasks like: distributing apps assigning roles From the Users page 1. Go to Users > Users. 2. Select the users you want to work with. 3. Click Actions (upper right). 4. Select Assign to Group. 5. Select the groups or click Create New to start a new group. 6. Click Save. From the User Groups page 1. Go to Users > User Groups. 2. Select the user groups you want to work with. 3. Click Actions (upper right). 4. Select Assign Users. 5. Type the address of each user. 18

40 6. Click Assign Users. Inviting Users When you add a user, you have an opportunity to invite that user to enroll devices. In fact, this option is selected by default. The invited user receives an message containing the information needed to enroll. You can also invite (or re-invite) a user from the Users > Users page. To invite users 1. Go to Users > Users. 2. Select the users you want to invite. 3. Select Actions > Send Invite. The Invitation Preview appears, along with an option to set device ownership to User Owned or Company Owned. 19

41 4. Optionally, turn on Device Owner Settings, and then click User Owned or Company Owned. This setting changes how the device is classified during the registration process. This is only applicable for PIN Only or Password + PIN registration types. If Device Owner Settings is turned off, devices will be registered as "Not Set." For Supervised devices, device owner setting will be "Company Owned." 5. Click Send. Changing a Password 20

42 You can change your MobileIron Cloud password. You can also change the password for another user if you have permission. To change your password 1. Click the Account icon (upper right). 2. Select Change Password from the pull-down menu. 3. Enter your current password. 4. Enter your new password. 5. Enter your new password again. 6. Click Done. To change another user's password 1. Go to Users > Users. 2. Click the display name for the user. 3. Click Edit (upper right). 4. Enter the new password in the Change Password field. 5. Confirm the new password. 6. Click Save (upper right). Filtering Users Use the check boxes in the Users > Users page to filter the users, displaying only the ones you are interested in. You can filter based on User (Enter an existing user.) User Group (Select the user groups of interest.) Invite Status (Select the status check boxes.) The Invite Status filters are: Completed (The user received it and responded.) Expired (The user did not respond in time.) Not Invited (You have not invited this user.) Sending a Message You can send a message to any known user. Messages can be or push notifications. Only users having enrolled devices can receive push notifications. To send a message to users 1. Go to Users > Users. 2. Select the users you want to message. 3. Click Actions (upper right). 21

43 4. Select Send Message. 5. If you do not want to send , clear the Send an message check box. 6. If sending , enter a subject and message text. 7. If sending a push notification, select the Send a Push Notification check box and enter message text. 8. Click Send. To send a message to devices 1. Go to Devices > Devices. 2. Select the devices you want to message. 3. Click Actions (upper right). 4. Select Send Message. 5. Optionally, click the device name link to go to the Device details page and click the Send Message icon. 6. If you do not want to send , clear the Send an message check box. 7. If sending , enter a subject and message text. 8. If sending a push notification, select the Send a Push Notification check box and enter message text. 9. Click Send. Removing Users from User Groups Removing a user from a user group means: any roles assigned to that group are removed from the user any apps assigned to that group are no longer available in the user's app catalog apps that were configured to be removable are removed from the user's devices From the Users > Users page 1. Select the user you want to work with. 2. Click Actions (upper right). 3. Select Remove from Group. 4. Select the groups. 5. Click Remove. From the Users > User Groups page 1. Click the user group to display its details. 2. Click Edit (upper right). 3. Click the Remove link next to the user you want to remove. 4. Click Save (upper right). 22

Deleting a User

To delete a user
1. Go to Users > Users.
2. Select the entry for the user.
3. Click Actions (upper right).
4. Select Delete.

What happens when you delete a local user
- All information related to a deleted user is deleted from the system.
- Devices associated with the user are retired.
- Content uploaded by the user remains.
- No further device registrations are allowed for the user's account.

What about LDAP users?
- If the LDAP server has been disabled, an LDAP user cannot be permanently deleted. The next sync of LDAP data will restore a deleted LDAP user.
- If the LDAP server or group has been deleted, the LDAP users become local users and can be deleted.
- If a user is deleted on the LDAP server, the user is automatically removed from the service during the next LDAP sync.

Exporting Users
To export a list of users:
1. Go to Users > Users.
2. Filter the list of users as necessary.
3. Click Export to CSV (lower right).
All publishable data for the displayed users is exported to a CSV file, which you can save or open in your default program for CSV files.

45 Devices Devices > Devices Each entry in the Devices page represents a mobile device that has been registered with MobileIron Cloud and lists important information about the device. Use this page to do basic device management, including: Assign to User Send a message Lock Unlock Force Check-in Retire Wipe To manage devices 1. Select one or more devices. 2. Select an action from the Actions list (upper right). To list devices by criteria When you have many devices registered, you can use the criteria (also called filters) on the left to display only the devices you are interested in. To show detailed device information Click the link in the Name column of an entry to display the Device Details page. The Device Details page contains several tabs organizing the following information: Overview Manufacturer Wi-Fi MAC Address Serial number OS/version Device Name Device Identifier Device Groups 24

46 Language Client App Version Client App BundleID EAS Device Identifiers Ownership Last backup to icloud - (ios devices) Supervised Mode - (ios devices) Windows Device Type - (Windows devices) Channel URL - (Windows devices) Azure AD Device ID - (Windows devices) Phone number Cellular Technology IMSI ICCID IMEI MEID Device Location Carrier Home MCC Home MNC Roaming Current Operator Current MCC Current MNC Data roaming Voice roaming Configurations - applied configurations Installed Apps AppConnect Apps - installed AppConnect apps Policies - applied policies Certificates - installed certificates Sentry information (ActiveSync associations) Attributes - Custom Attributes and Device attributes Logs - View and customize device filters status last check-in device groups terms of service accepted date terms of service accepted To search device logs 1. Under Devices > Devices, click the link in the Name column of an entry. 2. Click the Logs tab. 25

47 3. Use the Action, Status, Start Date, and End Date filters to narrow the displayed messages. Can't see the Devices page? Maybe you don't have permission. You need one of the following roles: Device Management Device Read Only See Also Displaying and Hiding Columns Devices > Device Groups Use device groups to create lists of devices that you want to treat in the same way. You can assign policies and configurations to device groups. Bronze license: Rules can identify devices by: device type operating system (pre-populated) operating system version user group Silver license: Rules can identify devices by: device type operating system (Android, ios) operating system version ownership user group carrier whether the device is supervised (yes/no) whether the device is roaming (yes/no) whether the device is in Kiosk Mode or kiosk-enabled (yes/no/not applicable) custom device attributes via API custom LDAP attributes To add a device group 1. Click Add (upper right). 2. Enter a name for this group. 3. Enter an optional description for this group. 4. Select the type of device group you want to create: Dynamically Managed: Use rules to define which devices are in the group. Manually Managed: Enter each user whose devices are to be included in the group. 5. For dynamically-managed groups: 26

a. Create a rule that defines the group. Example: OS is iOS
b. Click + to create additional rules, if needed. Example: Device is iPhone 5S
c. Click Any if the devices need to match at least one of the rules.
d. Click All if the devices need to match all the rules.
6. For manually-managed groups:
a. Type the name of a user whose device you want to add.
b. Select the device from the displayed list.
c. Repeat steps a and b until all devices are displayed in the list.
7. Click Save.

To remove a device group
1. Go to Devices > Device Groups.
2. Click the checkbox for the device group you want to remove.
3. Click the Actions pulldown menu.
4. Click Delete Device Group.

Can't see the Device Groups page?
Maybe you don't have permission. You need one of the following roles:
- Device Management
- Device Read Only

See Also
Displaying and Hiding Columns

Devices > Unmanaged Devices
License: Silver
If you have set up Sentry access control, any unregistered devices that access your system are called unmanaged devices. You define whether unmanaged devices should have access to email by default when you set up a Sentry. You can then manually allow or block access for these devices.
Note: The Unmanaged Devices page is updated every 5 minutes. Therefore, changes in management are not immediately reflected.

To block a device
1. Select the device.

49 2. Select Actions > Block. The device remains blocked until you select Actions > Allow or Actions > Delete. To allow a device that has been blocked 1. Select the device. 2. Select Actions > Allow. The device continues to have access to until you select Actions > Block or Actions > Delete. To clear a device from the list 1. Select the device. 2. Select Actions > Delete. The next time the device attempts to access your system, it will reappear on this list, and you will need to repeat any Block or Allow action you previously applied to the device. Devices > App Inventory The app inventory is the list of apps detected on enrolled devices. Use this page to get information on the apps being used by enrolled devices. You can answer questions like: Which apps are most popular? Do ios devices get their apps directly from the App Store? How many Android users have downloaded an optional in-house app? How many devices are using an outdated version of an app? App Reputation (only if enabled) Which apps have an app reputation score? What is an app's app reputation rating? On which app reputation lists is an app? App reputation information appears in the area below: 28

50 To display only certain apps When you display the App Inventory page, all apps are listed. To narrow this list to certain apps, use the filters (left pane). For example, to show only in-house apps on ios devices, you would select ios and In-House. To display the installed devices for an app Click the number listed in the # Installed column. To display the installed Win32 apps on a device The app inventory displays Win32 apps on a device if the privacy configuration for that device allows for the collection of information for all apps on that device. To configure the privacy policy for the device: 1. Determine which privacy configuration applies to the desired device by following the directions in Devices. 2. Go to Configurations. 3. For the privacy configuration you noted in step 1: a. Select the configuration. b. Click Edit. c. Under Collect App Inventory, select For All Apps on the Device. d. Click Done. To save app inventory to a file Click Export. Can't see the App Inventory page? Maybe you don't have permission. You need one of the following roles: Device Management 29

51 Device Read Only See Also Displaying and Hiding Columns Managing Devices Device Registration (ios, macos, and Android) Most users start by registering a device. You can use any of the following approaches to start the registration process: Send an invitation to one or more end users Instruct end users to download the MobileIron Go app Note: The end user must have an account in MobileIron Cloud before you can start the device registration process. For LDAP users, that means a Connector and an LDAP server must be set up, and the user must be imported from the LDAP server. For local users, that means adding a user. Sending an invitation (ios, macos, and Android) In most cases, you will start the registration process by sending an invitation. MobileIron Cloud provides the following ways to send end users an invitation to register a device: in the Startup Wizard when you add one or more users in the Users page (Actions > Send Invite) If end users misplace the invite, receive it on a desktop or laptop, or fail to receive it for some reason, you can send them to the URL that was listed in the invitation. Add /go to the end of your service URL. End users who have an MobileIron Cloud account with a password set do not need an invitation to start the registration process. You can send them to the URL that would have been listed in an invitation. Instructing end users to download the app (ios and Android) The MobileIron Go app is available for Android and ios devices. You can send end users instructions on how to download the app from a public app store and start the 30

registration process from the app. Include the information that the end user will need to enter to complete registration:
- username: usually the end user's email address
- password: if required by your User Settings and a temporary password was defined by an administrator
If a password has not been set for the end user's account, then you must send an invitation to generate the necessary one-time use PIN, which will automatically be emailed to the end user.

What the end user sees
The invitation is an email containing:
- a link to the registration page
- a one-time use PIN, if necessary
- basic instructions on what to do next
If the end user receives the email on the mobile device, then tapping the link starts the registration process. If the end user receives the email on a laptop or desktop, then the end user can enter the displayed URL in the browser on the mobile device.
The one-time use PIN is included if the end user's account does not yet have a password defined for the MobileIron Cloud user account, or if your User Settings require a registration PIN. After entering the PIN, the end user will be prompted to set a password for the account if the password does not exist.
If you have already set a password for the account, then you will need to communicate it to the end user using an external channel, such as corporate email. If you are using LDAP for authentication, consider informing the end user that network credentials are required.

If the user does not install the MDM profile
If the user does not complete installation of the MDM profile during registration, then MobileIron Cloud periodically sends push notifications to the device to prompt the user to complete the registration process.

Device Registration (Windows Phone 8.1 and Windows 10 Mobile)
Most users start by registering a device. You can use any of the following approaches to start the registration process:

- Email invitation
- Direct users to the URL for your implementation
Note: The end user must have an account in MobileIron Cloud before you can start the device registration process. For LDAP users, that means a Connector and an LDAP server must be set up, and the user must be imported from the LDAP server. For local users, that means adding a user.

Sending an invitation
In most cases, you will start the registration process by sending an invitation. MobileIron Cloud provides the following ways to send end users an invitation to register a device:
- in the Startup Wizard
- when you add one or more users
- in the Users page (Actions > Send Invite)
If end users misplace the invite, receive it on a desktop or laptop, or fail to receive it for some reason, you can send them to the URL that was listed in the invitation. Just add /go to the end of your service URL.
End users who have a MobileIron Cloud account with a password set do not need an invitation to start the registration process. You can send them to the URL that would have been listed in an invitation.

What device users do
Tell your device users how to complete the registration process. You can use the following instructions as a template and make any necessary changes:
1. Open a browser on your Windows Phone 8.1 or Windows 10 Mobile device.
2. Navigate to mobileiron.com/go. You are redirected to a new page containing an enrollment URL.
3. Copy the enrollment URL to the clipboard.
4. Tap Open Settings > Workplace to open the Workplace app.
5. Tap add account at the bottom of the Settings page.
6. Enter the email address associated with the invitation you received.
Note to administrators: If the user's MobileIron Cloud username does not match the user's email address as entered in MobileIron Cloud, tell the user to enter the username when prompted for the email address.
7. Paste the Workplace server URL you copied into the next text field.
8. Tap sign in.
9. Enter your password in the next field.
10. Leave the other fields blank.
11. Tap sign in.
12. Click done in the ACCOUNT ADDED screen. The Workplace start screen shows that an account has been added.

54 Changing Passcode Settings Use the Passcode configuration assigned to a device to change the passcode settings. You can either: change the settings for the assigned configuration OR assign a different Passcode configuration Changes you make to the configuration will affect all devices that configuration is assigned to. To change the assigned Passcode configuration 1. Go to Devices > Devices. 2. Find the entry for the device in the list. 3. Click the link in the Name column. If a Passcode configuration has been assigned, it will display in the Configurations tab. 4. In the Configurations tab, click the Passcode Config link. 5. Click Edit (upper right). 6. Make the changes. To assign a different Passcode configuration 1. Make sure someone has created the configuration you need. 2. Go to Devices > Devices. 3. Find the entry for the device in the list. 4. Click the link in the Name column. Finding Device Entries Once you have added many devices, it can be helpful to use filters or searches to quickly locate a device entry. You can also skip ahead to display a page of devices or search for a device using the Find Devices search box near the top left corner. To search for a device 1. Go to Devices > Devices. 2. Type characters in the 'Find devices' box. To filter devices 1. Go to Devices > Devices. 2. Select the filters (left pane) to narrow the device entries displayed. 33

For example, select Retired and Android to display only retired Android devices.

Using Device Owner
License: Gold
You can designate devices as company-owned or employee-owned after the devices have been registered. This designation helps manage policies that are based on whether a user has a personal device or a company-owned device. With the proper license, you can then use ownership in rules for creating device groups.
Use the Provisioner app to configure the device. Before the device is provisioned, it must be factory-reset with an NFC (Near Field Communication) bump. An NFC bump involves tapping the master or template device against a new or factory-reset device to configure it. The MobileIron Go client then controls the device once it's in Device Owner mode.
Device Owner mode also supports Kiosk mode on Android for Work devices running Android 5.0 through the most recently released version as supported by MobileIron. For configuration information go to: Lockdown & Kiosk Configuration.

Important
- If you retire a device in Device Owner mode, the device will factory reset.
- A device can only have one active device owner at a time.
- The phone dialer is not supported in Device Owner mode.
- The camera is not supported in Device Owner mode.
- Only devices that are Android for Work capable are able to start devices in Device Owner mode.

Provisioning the device
To provision the device:
1. Enable NFC (Near Field Communication) on the provisioning device by launching the Provisioner app and entering the Wi-Fi security type and password.
2. Navigate to the Welcome page on a new device or a factory-reset device.
3. Bump the new device back-to-back with the provisioning device. Wi-Fi is configured and the client is downloaded. The device is now in Device Owner mode.

To Enable Reset Protection (for devices running Android 5.1+ only)
1. In the MobileIron Cloud portal, go to Configurations.

56 2. Click Android for Work Device Owner. 3. Click Edit. The Edit Device Owner Configuration page is displayed. 4. Enter a configuration name and description. 5. Optionally select Enable Reset Protection. Select this option to prompt the user to enter their Google account credentials when the device is factory reset. 6. Click Next. 7. Select a distribution option. 8. Click Done. To configure: 1. In the MobileIron Cloud portal, Go to Configurations. 2. Click +Add. 3. Select Lockdown & Kiosk: Android for Work Configuration. The Create Lockdown & Kiosk: Android for Work Configuration page is displayed. 4. Enter a configuration name and description. Choose a Lockdown type. 5. Click Lockdown - Device Owner with Kiosk mode. Android Device Owner Lockdown settings options are displayed. 6. Optionally, choose to Disable WI-FI or WI-FI settings Disable Camera Disable Bluetooth Disallow Bluetooth Settings Disable Screen Capture Disable Screen Capture Mute Master Volume Disallow Apps Control Disallow Credentials Disallow Emergency Broadcasts Disallow Mobile Networks Can not be disabled if Wi-Fi is disabled Disallow Tethering Disallow VPN Disallow Factory Reset Disallow Modify Accounts Disallow Outgoing Beam Disallow Outgoing Calls Disallow Safe Boot Disallow Share Location Disallow SMS Disallow Unmute Microphone Disable Auto Time Disable Auto Time Zone 35

57 Disable Data Roaming Disable Wi-Fi Sleep 7. Optionally choose to enable Kiosk Mode. The following settings are displayed. Disable Quick settings Allow User to Access WiFi Settings Allow User to Access Bluetooth Settings Allow User to Access Location Settings Allow User to Delay Application Updates 8. Optionally create a Kiosk Exit Pin to use to exit Kiosk mode. 9. Optionally create a whitelist of apps that will be available to users in Kiosk Mode. 10. Optionally choose to add these apps from the App catalog. Work Chrome Work Slides Work Docs Work PDF Viewer Work Sheets Divide Productivity for Work See also Device Groups Assigning a Device to a new user An existing registered device may need to be re-provisioned for a new user, if there has been a role change for the user, or if the previous user's relationship to the company has changed. These steps help to avoid retiring and re-registering the device. To assign a device to a user: 1. Navigate to the device in the Devices page. 2. Click the device name to display the Device details page. 3. Click Assign to user icon. 4. Start to enter the users name in the Search User... field. 5. Select the desired user. 6. Click Assign to user. The device will be provisioned for that user. Note: You may notice that in user-based and license-based scenarios, you can assign a device to a user who has exceeded the assigned device limit. This is because the 36

58 intent of the device limit feature is to limit the registration of devices in support of Bring Your Own Device (BYOD) scenarios. In both device-based and user-based licenses, enforcing the device limit is inconsequential. For device-based licenses, the cost to the end customer does not change because the total number of devices in the system does not change. For Userbased licenses, the lack of this check actually benefits the customer. For example, consider five users, U1 through U5 with 5 devices each. With user-based licensing, this would consume five licenses. If instead, two of the devices from U4 and U5 are moved to U1 and U2, then license consumption goes DOWN, from five to three. Forcing a Check-in Devices need to contact MobileIron Cloud (check in) to provide and receive information. Check-ins are scheduled at regular intervals. You can also prompt a device to check in on demand. Forcing a device to check in can speed up the process of applying configurations, updating policies, etc. To force a device to check in 1. Go to Devices > Devices. 2. Select the devices. 3. Click Actions. 4. Select Force Check-in. 5. Optionally, click the device name link to go to the Device details page and click the Force Check-in icon and click OK. Locating a Device If you have enabled the Locate feature for a device, you can display the last known location for that device. You must apply a privacy configuration to the device to enable this feature. The device must also support this feature, and the user must agree to share their location data. To locate a device: 1. Navigate to the device in the Devices page. 2. Click the link in the Name column. 3. Click the link under Device Location (bottom of left pane). 37

59 A Device Location map displays. Locking a Device You can trigger the screen lock on a device. Locking works somewhat differently on different devices. To lock a device 1. Go to Devices > Devices. 2. Select the device. 3. Click Actions. 4. Select Lock. 5. Optionally, click the device name link to go to the Device details page and click the Lock icon and click OK. 6. For ios 7 devices, you can enter a display message and phone number (optional). These options can give device users information about why the device has been locked and the number to call to get it unlocked. 7. For macos devices, the user is prompted to enter a 6-digit PIN as passcode to access the device. To proceed with the screen lock, the device user needs to: 1. Enter the PIN. 2. Select the check box to confirm locking the device. 3. Click Yes, send lock command. Alternate Methods of Locking a Device: A device user can perform the lock action from the Self Service Portal. An Administrator can perform the lock action from the Administrator Portal. Retiring a Device Retiring a device ends its relationship with MobileIron Cloud. You might retire a device if: the user left the company the user has replaced the device you need to undo the management tasks you have completed (start over) To retire a device 1. Go to Devices > Devices. 2. Select the device. 3. Click Actions (upper right). 38

4. Select Retire.
5. Optionally, click the device name link to go to the Device details page and click the icon.
6. Select Retire and click OK.

Wiping a Device

Wiping a device removes all data and returns the device to factory default settings.

To wipe a device

1. Go to Devices > Devices.
2. Select the device.
3. Click Actions (upper right).
4. Select Wipe.
5. Optionally, click the device name link to go to the Device details page and click the icon. Select Wipe and click OK.
6. For macOS devices, you can send a 6-digit PIN to the device as passcode. On the device, the user is prompted to enter the PIN to access the device. To proceed with the wipe action, the device user needs to:
   1. Enter the PIN.
   2. Select the check box to confirm the device wipe action.
   3. Click Yes, wipe this device.

Deleting a Device

After you retire a device, you can delete it. Deleting it removes it from all pages. You can delete a device only if its status is Retired or Retire Pending.

To delete a device:

1. Go to Devices > Devices.
2. Navigate to the device.
3. Click the link in the Name column.
4. Click the Delete Device link (left pane).
5. Read the displayed warning.
6. If you still want to delete the device, select the check box to confirm.
7. Click Delete.

Unlocking a Device

You can clear the screen lock on a device. Unlocking works somewhat differently on different devices.

To unlock a device

1. Go to Devices > Devices.
2. Select the devices.
3. Click Actions.
4. Select Unlock.
5. Optionally, click the device name link to go to the Device details page and click the Unlock icon and click OK.

Unlocking Android devices

When an Unlock command is received, the Android app attempts to turn off the passcode policy and resets the passcode.

- If encryption is enabled on the device, the passcode is set to un!ockm3!
- If encryption is disabled on the device, the passcode is set to empty.

Unlocking an iOS device

When an Unlock command is received, the iOS app removes the passcode from the device. If the passcode configuration specifies that a new passcode is required, then the device user will be prompted to set a new passcode that complies with the rules defined in the passcode configuration. The user must make this change within 60 minutes or the app will force the user to set the new passcode.

Clearing the Restrictions Password (iOS only)

You can clear a Restrictions password set by users on supervised iOS 8 devices. This action is available for active devices only.

To clear the Restrictions password

1. Go to Devices > Devices.
2. Select the entry for the device.
3. Select Actions > Clear Restrictions Password.
4. Confirm the action when prompted.


Apps

Apps > App Catalog

The app catalog lists the mobile apps you have made available for your users. These include apps that users can download from public app stores and apps you intend to distribute using MobileIron Cloud (in-house apps). Use the App Catalog page to manage your app catalog.

Note: App Catalog is not supported for macOS apps. The macOS apps are deployed through the Volume Purchase Program (VPP) via device-based licenses and through the Silent App Install method on enrollments.

Licensing for app features

The following App Catalog features require additional licensing:

- Silent app install/uninstall: Silver license
- Per-app configuration: Gold license
- AppConnect custom configuration: Gold license
- Android for Work custom configuration: Gold license

If an Android device is in Kiosk Mode

Only in-house apps can be installed while the device is in Kiosk Mode. You can install public apps, but the device must exit Kiosk Mode before those apps can be installed. Also, you can limit the apps available for use on devices in kiosk mode to only the apps that are approved or whitelisted by your company. On devices using Android 4.1, if an approved app launches an app not included on the whitelist, that app will launch and then be quickly minimized. On devices using Android 5.0, the unapproved app launched from a whitelisted app will remain available.

To switch between list and grid view

Click the List or Grid icon on the right side of the App Catalog screen.

To view app reputation information

The App Catalog provides the following app reputation information, if app reputation is enabled:

- Which apps have an app reputation score?

- What is an app's app reputation rating?
- On which app reputation lists is an app?

App reputation information appears in the area below:

To add an app from a public store

1. Click Add (top left).
2. Choose the app you want:
   a. Select the public app store.
   b. Enter the name of the app.
   c. Select the app from the list.
   d. Click Next.
3. Describe the app for users:
   a. Add or remove categories.
   b. Enter an optional description.
   c. Click Next.
4. Define app distribution:
   a. Select a distribution option.
   b. Expand the Advanced Options & App Configuration section.
   c. Use the following guidelines to complete the options:

      Setting: Install on Device
      What To Do: Select this option to start installation immediately after registration. The user will be prompted to confirm installation of the app except under the following conditions:
      - The device is a supervised iOS device.
      - The device is a Samsung SAFE device and the silent installation option below has been selected.

      Setting: Do not show app in end user App Catalog
      What To Do: Select this option if you do not want the user to see the app in the app catalog on the device.

      Setting: (Android only) Silently install on Samsung SAFE devices
      What To Do: This option does not apply to public apps.

      Setting: (iOS only) Enable Per-App VPN for this app
      What To Do: Select this option to use a Per-App VPN configuration with this app. Select the Per App VPN configuration to be used from the drop-down list.

      Setting: (iOS only) Prevent backup to iCloud and iTunes
      What To Do: Select this option to keep data related to this app from being backed up to iCloud and iTunes.

      Setting: (iOS only) Remove apps on unenrollment
      What To Do: Select this option to remove this app once the device is no longer managed by MobileIron Cloud.

      Setting: (iOS only) AppConnect Custom Configuration
      What To Do: For AppConnect-enabled app, enter the keys and values that specify your custom configuration preferences. See the documentation for the app for available keys.

      Setting: iOS 7+ Managed App Settings
      What To Do: Enter keys and values defined for this app as an iOS 7+ managed app. See the documentation for the app for information on supported keys.

      Note: Android for Work apps will have different options.
   d. Click Next.
5. Select a promotion option:

   - Not Featured
   - Featured List
   - Banner
6. Click Done.

To add an In-House app

1. Click Add (top left).
2. Drag the app file to the dotted box, or click Choose File to select it from your file system and click Confirm.
3. Click Upload (lower right).
4. Describe the app for users:
   a. Add categories.
   b. Enter an optional description.
   c. (Windows 32-bit MSI apps only) Enter an optional Command Line switch to specify additional information that is not part of the package while deploying the MSI files. For example, to write installation logs to an output file, you can enter "/log output.txt" in this field. This creates the output.txt file in the C:\Windows\System32 folder.
   d. Click Next.
5. (Optional) Add screenshots of the app.
6. Click Next.
7. Define app distribution:
   a. Select a distribution option.
   b. Expand the Advanced Options & App Configuration section.
   c. Use the following guidelines to complete the options:

      Setting: Install on Device
      What To Do: Select this option to start installation immediately after registration. The user will be prompted to confirm installation of the app except under the following conditions:
      - The device is a supervised iOS device.
      - The device is a Samsung SAFE device and the silent installation option below has been selected.

      Setting: Do not show app in end user App Catalog
      What To Do: Select this option if you do not want the user to see the app in the app catalog on the device.

      Setting: (Android only) Silently install on Samsung SAFE devices
      What To Do: Select this option if you do not want the user prompted to confirm installation on Samsung SAFE devices.

      Setting: (iOS only) Enable Per-App VPN for this app
      What To Do: Select this option to use a Per-App VPN configuration with this app. Select the Per App VPN configuration to be used from the drop-down list.

      Setting: (iOS only) Prevent backup to iCloud and iTunes
      What To Do: Select this option to keep data related to this app from being backed up to iCloud and iTunes.

      Setting: (iOS only) Remove apps on unenrollment
      What To Do: Select this option to remove this app once the device is no longer managed by MobileIron Cloud.

      Setting: (iOS only) AppConnect Custom Configuration
      What To Do: For AppConnect-enabled app, enter the keys and values that specify your custom configuration preferences. See the documentation for the app for available keys.

      Setting: iOS 7+ Managed App Settings
      What To Do: Enter keys and values defined for this app as an iOS 7+ managed app. See the documentation for the app for information on supported keys.
   d. Click Next.
8. Select a promotion option:
   - Not Featured
   - Featured List
   - Banner
9. Click Done.

Viewing VPP license usage (iOS)

The license usage details specific to a user are displayed in the license usage table in the license column.

1. Click an app.
2. Click the License Usage tab.
3. Enter a user name in the search field.

Revoking a VPP license (iOS)

1. Click an app.
2. Click the License Usage tab.
3. Click the Revoke License link for the user whose access to the license should be removed.

Note: VPP licenses are automatically revoked if the user is deleted or the user removes the MDM profile from the device.

Can't do tasks on the App Catalog page?

Maybe you don't have permission. You need the following role:

- App & Content Management

See Also

- Displaying and Hiding Columns
- How to Delete Apps from the App Catalog

Viewing App Details

You can drill down from the App Catalog to app details about any of the apps in the catalog.

To view app details:

1. Click Apps.
2. Click App Catalog.

3. Select the app whose details you wish to view. The App Details window appears:

Note that App Reputation information only appears if App Reputation is enabled, and if you have requested it on this screen previously by clicking the Request Analysis button.

App Configuration

App configuration enables you to customize the installation, promotion, and distribution of each app you deploy to your users' devices. The apps can be your own in-house apps, apps from a public store, or MobileIron apps. You have the flexibility to deploy the apps to many different users and groups with unique names and configurations specifically tailored to each recipient.

Licensing for app features

The following features require additional licensing:

- Silent app install/uninstall: Silver license
- Per-app configuration: Gold license
- AppConnect custom configuration: Gold license

Configuration steps common to multiple apps

Do these steps first and then proceed with configuration steps for each app you want to deploy. You can design multiple configurations of the same app and give each configuration a unique name. Each configuration can have its own distribution and promotion levels to fit your deployment strategy.

Select an app to add to the App catalog:

1. Go to Apps > Apps Catalog and click +Add.
2. Use the pulldown menu to select either the App Store, Google Play or your In-House app store and choose an app to add to the catalog. Depending on your licensing agreement, you might also have MobileIron apps available to add to your catalog.
3. Optionally, edit the Category of the app.
4. Optionally, add a brief description of the app in the Description field.
5. Click Next.
6. Choose a distribution level for this configuration of the app:
   - To everyone - The app is added to all the user compatible devices.
   - To no one - The app is staged for distribution at a later date.
   - Custom Distribution - The app is distributed to only the users or user groups you choose.
7. Click Next.

Configure installation options

To select the installation configuration options:

1. Click Install Application configuration settings or click the + icon to add another configuration to view the Configuration Setup page.
2. Enter a name for the configuration in the Name field.
3. Optionally, enter a brief description of the installation configuration in the Description field.

4. Optionally, select Install on Device. This prompts and requires the app to be installed on the device and allows you to select these options:
   - Silently install on Samsung SAFE devices
   - Silently install on Samsung KNOX workspace and Zebra devices
   - Do not show app in end user App Catalog.
   - Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
5. You may encounter additional configuration options, depending on the chosen app. These options may include the ability to add multiple Key and Value pairs. In such cases, click + Add to enter Key and Value pairs.

Select iOS App Management settings

To select iOS App Management settings:

1. Click iOS Managed Apps Application configuration settings or click the + icon to add another configuration to view the Configuration Setup page.
2. Enter a name for the configuration in the Name field.
3. Enter a brief description of the configuration in the Description field.
4. Select to prevent backup to iCloud and iTunes.
5. Select to remove apps when the device is unenrolled.

Select App Promotion levels

To set the level of promotion for the app:

1. Click Promotion distribution configuration settings or click the + icon to add another configuration to view the Promotion configuration page.
2. Enter a name for promotion distribution configuration settings in the Name field.
3. Optionally, enter a brief description of the configuration in the Description field.
4. Select the level of promotion you want the app to receive, Not Featured, Featured List, or use Feature Banner. If Not Featured is selected the app will not be listed.
5. Click + Add Description to enter a brief description of the configuration.
6. Optionally, change the distribution of the configuration.
7. Click Done to save the app configuration.

Enter values for an AppConnect Custom configuration

To enter values for an AppConnect Custom configuration:

1. Click the + icon to open the configuration page.
2. Click + Add Description to enter a brief description of the configuration.
3. Click + Add to enter Key and Value pairs.
4. Choose a distribution level for the configuration.
5. Click Next.

Configure the AppTunnel

Use the AppTunnel to define traffic rules to allow access to services using Sentry:

1. Click the + icon to open the configuration page.
2. Choose a Sentry Profile from the pulldown menu.
3. Choose a distribution level for the configuration.
4. Click Next.

Configure an iOS Managed app

To configure an iOS Managed app:

1. Click the + icon to open the configuration page.
2. Click + Add Description to enter a brief description of the configuration.
3. Click + Add to enter a Key and Value.
4. Choose a distribution level.
5. Click Next.

Configure a VPN for each app using Per App VPN

1. Click the + icon to open the configuration page.
2. Enter a name for the VPN for this app in the Name field.
3. Click + Add Description to enter a brief description of the configuration.
4. Click the Enable Per-App VPN for this app checkbox and select a Per-App VPN Config from the pulldown menu.
5. Choose how to Distribute this App Config.
6. Click Next.

Configuring MobileIron apps

As you configure MobileIron apps, you have the opportunity to name and design unique configurations to assign to different users or groups. Access and use of MobileIron apps and other software requires a licensing agreement. Please verify that you have the proper licensing to use MobileIron software.

Important: Each configuration has a priority indicated by its order in the list displayed for the app. This priority can be changed by dragging and dropping the configuration. The higher on the list, the higher the priority.

Configure the MobileIron Docs@Work app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Docs@Work to add to the Apps catalog.
3. Edit the Category if needed.
4. Optionally enter a brief description of the configuration.
5. Select a distribution level.
6. Click Next.
7. AppConnect Custom Configuration. Click +Add to add Key and Value pairs.
8. Select a Distribution level. Click Next.
9. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Docs@Work configuration:

      - Enter a name for the configuration.
      - Optionally, click +Add Description to enter a description of the configuration.
      - Click +Add in the Content Sites section to enter site details: Name URL Domain Subdomain Authentication Published Web View Actions
      - Use the Publish site options pulldown menus to set these site options: Update Mode. Update Interval. Max Auto download size. Max documents per update.
      - Select the distribution level for this configuration.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   g. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configure the MobileIron Web@Work app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Web@Work to add to the Apps catalog.
3. Edit the Category if needed.
4. Enter a brief description of the configuration if needed.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.

      - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Web@Work configuration.
      - Add Bookmarks.
      - AppConnect Custom Configuration. Click +Add to enter Key and Value pairs.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   g. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configure the MobileIron Tunnel app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Tunnel to add to the Apps catalog.
3. Edit the Category if needed.
4. Click +Add Description to add a brief description of the configuration.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation or click the + icon to add another configuration.

      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Select a level of distribution.
   d. Click the + icon to add AppConnect Custom Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for AppConnect Custom Configuration settings.
      - Choose a distribution level.
   e. AppConnect Custom Configuration. Click +Add to enter Key and Value pairs.
   f. Choose a Sentry profile for the App Tunnel.
   g. Enter the domain wildcards for the tunnel traffic. Multiple wildcards will be evaluated in the order in which they are listed.
   h. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.

Configure the MobileIron + for iOS app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron + to add the app to the Apps catalog.
3. Edit the Category if needed.
4. Enter a description of the app if needed.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation or click the + icon to add another configuration.

      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Enter a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Click the + icon to add an + for iOS Configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
   e. Enter the address of the device user.
   f. password - Enter the user's password for the ActiveSync server.
   g. Exchange Host - Enter the fully qualified domain name of the ActiveSync server.
   h. Exchange Username Check to require SSL.
   i. Minimum Characters for Global Address List (GAL) Search.
   j. Choose a certificate to use for + App Identity Certificate and select from these options:
      - Trust All Certificates.
      - Prompt for Password Before Connecting to Server.
      - IBM Lotus Notes Traveler.
      - Allow Safari Browser.
      - Allow Detailed Notifications.
      - Show Pictures by Default.
      - Allow Exporting Contacts.
      - Allow Logging.
      - Default Signature.
      - Allow Send Feedback.
      - Set AppConnect Custom Configuration settings. Click +Add to enter Key and Value pairs.
      - Select a distribution level for this configuration.
   k. Click the + icon to add App Tunnel options.

      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   l. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   m. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Configure the MobileIron + for Android app

The license you purchased determines whether or not you have access to the + for Android app. The + for Android app will already be added to your App catalog.

To configure + for Android:

1. Click the + link in the catalog to view the Details tab.
2. Use the Actions pulldown menu button to add a new version of the app or delete the app from your catalog.
3. Click Edit to begin making changes to the details.
   - Edit the Category if needed.
   - Enter a description if needed.
   - Add screenshots if needed.
4. Click Save.
5. Click the Distribution tab and click Edit to begin making changes to the distribution level.
6. Click Save.
7. Click the App Configurations tab to view a summary of the current configuration.
8. Enter a description of the app if needed.
9. Click Install on Device in the left navigation pane then click Install Application configuration settings.
   - Click Edit to begin making changes to the installation configuration settings.
   - Enter a name for the configuration.
   - Enter a description for the configuration.
   - Select Install on Device to prompt the user and require installation.
   - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   - Click Update to save your changes.

10. Click Promotion in the left navigation pane then click Promotion distribution configuration settings to change the promotion level.
   - Click Edit to begin making changes to the promotion level settings.
   - Enter a name for the configuration.
   - Enter a description for the configuration.
   - Select a promotion level.
   - Click Update to save your changes.
11. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Configure the MobileIron Dataview app

1. Go to Apps > Apps Catalog and click +Add.
2. Select MobileIron Dataview to add to the Apps catalog.
3. Edit the Category if needed.
4. Enter a description of the app if needed.
5. Click Next.
6. Select a distribution level.
7. Click Next.
8. Create app configurations using these options:
   a. Click Install Application configuration settings to configure the installation or click the + icon to add another configuration.
      - Select Install on Device to prompt the user and require installation. This setting uses a silent installation on supervised iOS devices.
      - Select Install as a Managed App. If already installed, it converts the app and its data to a managed app. Converting already installed apps on supervised devices is done silently. The user will be prompted to allow conversion if the device is unsupervised.
   b. Click iOS Application Management configuration settings to configure iOS App Settings or click the + icon to add another configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Select Prevent backup to iCloud and iTunes.
      - Select Remove app on unenrollment.
   c. Click Promotion distribution configuration settings to configure Promotion settings or click the + icon to add another promotion configuration.
      - Enter a name for the configuration.
      - Optionally add a description for the configuration.
      - Choose a promotion level for this configuration.
   d. Click the + icon to set AppConnect Custom Configuration settings.

      - Click +Add to enter Key and Value pairs.
   e. Click the + icon to set App Tunnel options.
      - Enter a name for the configuration.
      - Optionally add a description for this configuration.
      - Enter the domain wildcards for the App Tunnel.
      - Choose a distribution level for this configuration.
   f. Click the + icon to set more Dataview Configuration options.
      - Enter a Billing date. This is the day of the month the billing cycle starts.
      - Choose how you want to cap data usage. Set a regular usage monthly cap or set as unlimited data plan and just use roaming cap and alerts.
      - Set a Daily data usage cap and set an alert.
      - Set a Roaming usage cap and set an alert.
   g. Click the + icon to add iOS Managed App Configuration settings.
      - Name this configuration.
      - Enter the key and value pairs for iOS 7+ Managed App settings.
      - Choose a distribution level.
   h. Choose whether to enable Per App VPN.
      - Name this configuration.
      - Choose a distribution level.

Using iOS Managed App Configuration

An application might have some configuration parameters implemented or restricted by the developer. For applications with such restrictions your configuration options might be limited.

1. Go to Apps > App Catalog.
2. Select a configuration.
3. Click the App Configurations tab.
4. Click iOS Managed App Configuration or click the + button. In the iOS Managed App Configuration there are some default configuration settings in place.
5. Click Add to add another configuration, if needed.
6. Optionally, click the name of the configuration to edit the current configuration. The configuration setup details and options are displayed.
7. Click Edit. The configuration options present may vary depending on what the app developer chooses to provide initially. You still have the option to enter key value pairs.
8. Click Update to save your entries.

Choosing Windows 10 apps for your in-house catalog

Choose the apps to add to your in-house app catalog. Only in-house apps are supported for Windows 10. Windows 10 enforces compliance directly on the device based on the apps you choose to allow or disallow.

Note: The Windows 10 check-in interval is once every 60 minutes by default. You may want to perform a forced device check-in to get an update of the device and app status.

These actions are supported:

- Uploading new apps
- Silent installation
- Adding a new version of the app
- Deleting an app

These formats are supported:

- APPX
- APPXBUNDLE
- MSI wrapped Win32 - pre-bundled Win32 app

To configure Windows 10 apps:

1. Click Devices on the main navigation bar.
2. Select a Windows 10 device that you have enrolled in MobileIron Cloud.
3. Click Apps > App Catalog.
4. Select an app.
5. Use the Actions pulldown menu to add the app or delete the app from your catalog. Optionally add a new version of the app.
   - Click the Actions pulldown menu.
   - Select Add New Version.
   - Go to the catalog and select a new version of the app.
   - Click Update and Save to view the App information screen.
6. Use the Version pulldown menu to choose which version to use.
7. Click Edit to begin making changes to the details.
   - Edit the Category if needed.
   - Enter a Description if needed.
   - Add screenshots if needed.
8. Click Save.
9. Click the Distribution tab and click Edit to begin making changes to the distribution level.
10. Click Save.
11. Click the App Configurations tab to view a summary of the current configuration.
12. Enter a description of the app if needed.

13. Click Install on Device in the App Configurations summary page. Silent installation is the default and cannot be changed.
14. Click Promotion in the left navigation pane, then click Promotion distribution configuration settings to change the promotion level.
   - Click Edit to make changes to the promotion level settings.
   - Enter a name for the configuration.
   - Enter a description for the configuration.
   - Select a promotion level.
   - Click Update to save your changes.
15. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Editing Windows 10 app configuration settings

To edit an app configuration:

1. Click Policies > Configuration.
2. Click +Add.
3. Select Windows App Control to view the Create Windows App Control Configuration screen.
4. Enter a Name and Description for the configuration.
5. Define the app type as:
   - Allowed (Whitelisted) - Only these apps are allowed. These apps are installed silently if not already present on the device.
   - Disallowed (Blacklisted) - If present on the device, these apps will be blocked if launched.
6. Specify the Rule definitions for the App Type and App Identifier.
7. Click Lookup Apps to view the Search Windows 10 Apps screen.
8. Enter the name of the app to search the Windows Store.
9. Select the app from the choices displayed to add it to the App Identifier.
10. Optionally use the App Type pulldown menu to set a path defined in the App Identifier to allow or disallow apps using the specified path or block all apps installed in that path.
   - App Type Publisher/PFN Equals applies to Windows 10 Mobile and Windows 10 Desktop supports PFN.
   - EXE/Win32 Equals applies to Windows desktop only.
11. Click Next.
12. Select a distribution level.
   - All Devices.
   - No Devices.
   - Custom - to enter the users or groups to receive the app.
13. Click Done.
14. You can edit the Rule definitions to select an App Type and specify an App Identifier. Click the Actions pulldown menu.

Select Add New Version. Select a new version of the app. Click Update and Save to view the App information screen.

Using Apps@Work

Apps@Work enables use of Windows public and in-house apps on Windows 10 devices in MobileIron Cloud. Apps@Work is installed silently on supported Windows 10 mobile devices.

To configure an app for Apps@Work:

1. Select a Windows app.
2. Click the App Configuration tab.
3. Click Install on Device. Windows In-house app configuration can be set to the silent install flag or install using Apps@Work. Public apps cannot be set to silent install.
4. Optionally, choose to display or hide apps in the Apps@Work catalog. This option applies to in-house apps only.
5. Click the Promotion tab. Apps@Work currently does not support the banner promotion, so the available options are Featured and Not Featured.

Note: Only the Promotion option is displayed for public apps.

To install an app using Apps@Work:

1. Click the Apps@Work app. Your administrator address and server URL are pre-filled in the Apps@Work login dialog.
2. Enter your password and click Sign In to display the apps page. There are three tabs:
   - featured apps
   - in-house apps
   - store apps
3. Select the in-house apps tab.
4. Select an app to install. A message is displayed stating that a request has been sent to the server to install the app. Click Close.
5. Optionally, select an app from the store apps tab to display the Windows app store.
6. If prompted, enter your username and password for the Windows app store.
7. Click Update and Save to view the App information screen.

How to create a custom configuration for MobileIron Tunnel for Windows

Use these steps to create a custom configuration for MobileIron Tunnel for Windows devices.

1. Go to Configuration > +Add.
2. Select the MobileIron Tunnel policy to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Click the Windows icon to create a Tunnel service for Windows and to display the Profile Settings section.
6. Enter the settings in the Define Profile Settings section.
7. Choose a sentry profile from the Sentry Profile pulldown menu.
8. Choose a sentry service from the Sentry Service pulldown menu.
9. Enter an address to receive debugging information.
10. If you select the Advanced option in Sentry Profile Settings:
   - Enter Key Value pairs.
   - Click Next.
11. If you select the Standard option in Sentry Profile Settings:
   - Select the Always On position. Note: On is the default setting. This is a Windows 10 feature that enables the active VPN profile to connect automatically on these triggers: User Signs In, Network change.
   - In the App Groups section, enter the App Format and the file path settings using the pulldown menus.
   - If needed, click +Create New Group in the Apps Group section to create a new list of apps which will have all traffic flow through VPN.
   - Enter a path for the app in the App Type pulldown menu.
   - Click Lookup Apps to search for Windows 10 apps in the Windows App Store.
   - Enter the name of the app in the search field.
   - Select an app to add to the App Identifier.
   - In the Traffic Filters section, click +Add to add a filter.
   - Enter an IP address range in the Traffic Filter screen to limit traffic allowed through the tunnel to these IP addresses. All traffic is sent through the tunnel if no filters are configured.
   - Enter the DNS filters.
   - In the DNS section, click +Add to add a Domain and DNS Server IP.
   - Click Next.

Apps > Categories

Categories describe types of apps and help organize apps when users browse the app catalog. Every app must have at least one category assigned. A list of common app categories is available when you start using MobileIron Cloud. Use this page to manage app categories.

To add a category

You can add new categories here, or when you add an app to the app catalog.

1. Click Add (bottom left).
2. Type the category name. Categories are not case sensitive, so MINE is the same as Mine.
3. Click Save.

To remove a category

Click the X next to the category.

Can't do tasks on the App Categories page?

Maybe you don't have permission. You need the following role:
- App & Content Management

Apps > Reviews

Reviews are the comments and ratings (stars) your users provide about apps in the app catalog. Reviews provide valuable information to you and to users who are considering installing an app. Use the Reviews page to view or delete ratings and reviews. You might delete a review or rating if it is old or inappropriate.

Note that:
- Only device users can create and edit app ratings and reviews.
- Device users can edit, but not delete, their own ratings and reviews.
- Only administrators can delete app reviews. App ratings cannot be deleted.
- Ratings (stars) given to apps remain on the Apps > App Catalog page, even if you later disable the ratings and reviews feature for your users.

To view ratings and reviews

- Go to Apps > Reviews to read full user review comments and ratings (stars) for the apps you have distributed.

- Go to Apps > App Catalog and see the Avg. Rating column for the total number of reviews and the average rating.
- Go to Apps > App Catalog, click the App Name, and see the Reviews tab for ratings and reviews for a specific app.

To disable ratings and reviews

1. Go to Apps > Catalog Settings.
2. Uncheck Enable Ratings and Reviews in the end user app catalog.
3. Click Save.

To delete a review

1. Go to Apps > Reviews.
2. Select the review.
3. Click the Actions button at the top right of the page.
4. Select Delete.
5. Click Yes in the Delete Review confirmation dialog.

Can't do tasks in the Reviews page?

Maybe you don't have permission. You need the following role:
- Apps & Content Management

See Also
- Displaying and Hiding Columns

Apps > Licenses

License: Gold

The Licenses screen is available only if you have set up Apple's Volume Purchase Program (VPP) in your app catalog settings. This screen shows the app licenses you have purchased for iOS devices and how many have been used.

Use this screen to:
- select the VPP apps that will be included in your catalog

- distribute licenses for VPP apps

Device-based and User-based license distribution

Whether the license for an app is Device-based or User-based depends on how you assign it. When you assign an app license to a device, it becomes a device-based license. When you assign an app license to a user, it becomes a user-based license. A license is consumed when installing a VPP app to a device, or when a token is issued for that app. If no licenses are available for the app, the user has the option of installing and paying for the app themselves. If a user has already been assigned a user-based license for the requested VPP app, the app is installed using the existing user-based license, rather than the VPP license.

Device-based license option

With device-based licenses, users do not need to enroll in VPP. The required apps will install automatically. Corporate supervised devices don't need to deal with an IT owned Apple ID. During device check-in, the device is identified by the serial number and the required app is installed if there are licenses available. If no licenses are available, the app is not installed. If a license for an app is reserved, then a device based license assignment will not occur at app installation.

Note: Application updates for apps deployed using Device based VPP licensing are controlled by the administrator. To control how an app will be updated, in Apps > App Catalog navigate to the App Configurations/Install On Device tab. You will be able to select an immediate update that will occur at the next device check-in, or you can choose to have the app update automatically when new versions become available.

Important: Before assigning a device-based license to a business to business (B2B) or productivity app, confirm with the app developer that the app is eligible for device-based licensing.

User-based license option

A user-based license remains valid for that user if they have to move from one device to another in case the device is lost or stolen or the user upgrades to a new device. With user-based licenses, the user must first enroll into the Volume Purchase Program. Enrolling is a manual action that the end user must complete in the App Catalog. Required VPP apps won't be installed on the device until the user enrolls in the Volume Purchase Program.

If the app is a required VPP app and the license distribution is user-based:
- Required app install will not occur if the user is not enrolled in the VPP program.
- Required apps may be installed if the user is enrolled in the VPP program and a license is available.
- If the user is enrolled in VPP, but there are no licenses available, then the app will not be installed.

To add a VPP app to the catalog

1. Go to Apps > Catalog Settings.
2. Update a VPP secure token.
3. Optionally, check Automatically distribute VPP apps to all users. The All Users group is used to distribute the FCFS licenses.
4. Click Update.
5. Go to Apps > Licenses.
6. Select an app and click Add to Catalog. Click Next.
7. Optionally, add a description of the app. Click Next.
8. Select a distribution option. Click Next.
9. Click the App Configuration tab.
10. Optionally, select Install on device. This configuration option installs the app without prompting the user on supervised iOS devices.
11. Select other configuration options if needed.

To distribute licenses for a VPP app in the catalog

1. Select Apps > Licenses from the main menu. A list of apps purchased through the VPP program is displayed.
2. Select an app and click Distribute Licenses.
3. Choose a distribution option (First-come, first-served; Reserved; or Disallowed) in the VPP Licenses section.

View app licenses per user

You can designate license preference for your users by using the License Usage tab.

1. Click the Users tab.
2. Select a user.

3. Click the License Usage tab. A list of apps is displayed with their VPP License type and license assignment details.

To view the license usage for each app per user:

1. Go to Users in the MobileIron Cloud main menu.
2. Select a user. The Devices tab is displayed by default.
3. Click on the License Usage tab. A list of all the apps installed on the user's device is displayed, including the license status. The serial number for the device is listed in the VPP License Type column for device based licenses.
   - App name
   - Version of the app
   - Cost of the app
   - Date the app was assigned
   - VPP license type
   - Actions (License status)

You can also view the VPP license usage for each app:

1. Go to App > App catalog in the MobileIron Cloud main menu.
2. Select an app.
3. Click on the VPP Licenses tab if present. Only apps purchased through the VPP program will display this tab. A separate tab for each VPP license type is displayed.

License type and log, with description:

First Come First Served (FCFS): You have the option to select which user groups will receive this type of license.
   - User Requested Apps - Apps the user chooses to install. A User based License is the default.
   - Required Apps - Apps that are required and are installed by Admin configuration using the Install on Device setting. These apps use Device based licenses by default.
Reserved: Reserved licenses have priority over FCFS licenses. Here you can select the users or devices to have a Reserved license for the app.
Disallowed: Enter the users who are not allowed to have a license for this app. The user can still install the app, but they must purchase it.
Activity Log: Displays the user, the type of VPP license assigned to them, the date it was assigned, and the latest action taken on the license.

To view the detailed license usage for each app per device:

1. Go to Devices > Devices in the MobileIron Cloud main menu.
2. Select a device.
3. Click on the Installed Apps tab. A list of all the managed apps installed to the selected device is displayed, including the license status.
   - App Name
   - Version of the app
   - Platforms supported
   - Source of the app
   - Size of the app
   - VPP license type

VPP license usage notifications

VPP notifications help you track VPP license usage. The notification thresholds are defined as:
- An information notification is issued when over 50% of the licenses have been used.
- A warning notification is issued when 70 to 80% of the licenses have been used.
- A Critical notification is issued when 90 to 100% of the licenses have been used.
- Notifications are cleared when the usage drops below 50%.

To view license information for each app:

1. Click Apps > Licenses. License Information is displayed including:
   - Name of the app.
   - Cost of the license.
   - Number of licenses available.
   - Number of redeemed licenses.
2. Go to Dashboard > Notifications to view details of a license notification. The Notifications page is displayed.
3. Click on the notification title to see the details.

These notifications are available:

Notifications (columns: Component Type, Notification Type, Severity)
LDAP Expiration Cleared
VPP Data Sync Information
iOS Usage Limit Warning
Tenant Admin Action Critical
DEP Server Token Status Change
Connector

VPP license usage notifications

| VPP License Usage Trigger | Severity | Notification Type | Component Type |
|---|---|---|---|
| 50% Redeemed | Info | License Usage | VPP |
| 70% Redeemed | Warn | License Usage | VPP |
| 80% Redeemed | Warn | License Usage | VPP |
| 90% Redeemed | Alert | License Usage | VPP |
| 100% Redeemed | Alert | License Usage | VPP |

Revoking a VPP License

VPP Licenses are revoked when a:
- Device is inactive (retired or wiped).
- VPP app is deleted.
- Device based license is revoked when the device is retired.
- VPP token is deleted.

To revoke a VPP license for an app:

1. Select the app under Apps > App Catalog.
2. Click the VPP Licenses tab.
3. Click Revoke All Licenses.

Note: Apple allows a 30-day grace period for VPP apps after the VPP license is revoked. Therefore, the VPP app remains installable.

VPP Authentication Error Notifications

Some authentication errors might occur when using the Apple VPP service. These VPP authentication error notifications are:

| Error Notification | Action |
|---|---|
| Invalid Authentication Token | Upload a valid VPP stoken |
| Expired Token | Generate a new token online using your company's account |
| The stoken has been revoked | Upload a valid VPP |
| Login required | Log into the VPP service |

Can't do tasks on the App Categories page?

Maybe you don't have permission. You need the following role:
- App & Content Management

Apps > Catalog Settings

Catalog settings are preferences you apply across all apps in your app catalog. You can:
- Prevent backup to iCloud and iTunes (iOS only)
- Remove iOS apps when the device is un-enrolled
- Enable MobileIron Cloud "Ratings and Reviews"
- Upload iOS volume purchase plan (VPP) tokens (requires Gold license)

To change iOS app management settings

1. Select or clear check boxes.
2. Click Save.

To enable/disable app ratings and reviews

1. Select or clear Enable Ratings and Reviews in the end user app catalog.
2. Click Save.

Note: The format of the VPP stoken has changed. Instead of a character string as in previous releases, it is now a character string stored in a text file in the vpptoken file format. Upload this file directly to the admin console for processing. The VPP account page has been updated to display the VPP organization name and expiration dates.

To upload or update an iOS VPP stoken (License: Gold)

1. Select Add VPP stoken.
2. Enter a name for the stoken file in the Alias Name field.
3. Drag and drop the stoken file to the specified area or click Choose File to navigate to the stoken file.
4. Click Save, or if you are updating an stoken file click Update.
5. Go to the Licenses page to view the apps associated with this token.

Important: If VPP tokens were reserved for individual users before the upgrade to r29, you must verify that the tokens are still reserved for those users and reserve them again if needed.

To remove an iOS VPP stoken from your MobileIron Cloud service

You can revoke an app that is no longer needed by a user, and reassign it as needed. If the app was deployed as a managed app with MDM for iOS, then you have the option of removing the app and all data immediately.

1. Select an app to remove.
2. Click Delete. A warning dialog appears.
3. Optionally, you can give the user a 30-day grace period to:
   - Save their data.
   - Buy a personal copy of the app.
   - Transfer apps they installed by this VPP account to their personal accounts to continue use.

Can't do tasks in the Catalog Settings page?

Maybe you don't have permission. You need the following role:
- App & Content Management

Content

Content > Content

The content catalog contains files that users can download. A typical catalog might include sales presentations, images, spreadsheets, and documents. Use the Content page to manage the content catalog.

iBook and EPUB content can be distributed to iOS 8+ iPad devices (Gold license). (These formats are restricted to iPad because Apple supports in-house distribution of these formats only to iPad. This restriction does not apply to iOS 9 devices.) Also note that content previews are not available for these formats. For PDF content, you have the option of pushing the document to the iBook app on iOS 8+ devices.

To add content

1. Click +Add.
2. Drag the content file to the dotted box, or click Choose File to select it from your file system.
3. Describe the file for users.
   a. Edit the default title, if needed.
   b. Enter the name of the document author.
   c. Enter one or more categories. Be sure to press Enter after typing the name of a category.
   d. (Optional) Enter a description of the file.
   e. Click Next.
4. Define content distribution.
5. Click Done.

To upload a new version

1. Click the link to the document in the Name column.
2. Select Actions > Upload New Version.
3. Drag the content file to the dotted box, or click Choose File to select it from your file system.
4. Enter a description of the changes in the What's New field.
5. Click Next. Make any necessary changes to the distribution.

6. Click Done.

To delete content

1. Click the link to the document in the Name column.
2. Select Actions > Delete This Document.
3. Click the check box to confirm.
4. Click Delete Document.

When you delete a document:
- It is removed from the system.
- It is no longer available in the content catalog.
- It is removed from devices that have downloaded it.

Can't do tasks on the Content page?

Maybe you don't have permission. You need the following role:
- App & Content Management

See Also
- Displaying and Hiding Columns

Content > Categories

Categories describe the types of content in the content catalog. Categories help organize content so that users can easily find what they need. Each item added to the content catalog must have at least one category assigned.

To add a category

1. Click Add (bottom left).
2. Type the category name. Categories are not case sensitive, so MINE is the same as Mine.
3. Click Save.

To remove a category

- Click the X next to the category.

Can't do tasks on the Categories (Content) page?

Maybe you don't have permission. You need the following role:
- App & Content Management


Policies

Configurations

Configurations are collections of settings that you send to devices. For example, you can use configurations to automatically set up VPN settings and passcode requirements on these devices. The existing configurations for your system are listed in the Configurations page.

There are many types of configurations available. They fall into the following basic categories:
- security
- user resources
- enterprise network access
- cellular network
- other (more configurations)

You can perform the following actions for most configurations:
- add
- edit
- clone
- delete
- exclude one or more configurations from a specific device
- push one or more excluded configurations to a specific device

Certain configurations have restricted actions:
- Some configurations cannot be added or cloned. iOS Activation Lock is an example of this type of configuration. Therefore, these configurations do not appear among the tiles listed when you add a configuration. These configurations are listed only in the Configurations page.
- System-defined configurations cannot be edited or deleted. SCEP for iOS Enrollment is an example of this type of configuration.
- Some configurations can be marked as cannot be deleted or reinstalled from a device. These configurations cannot be excluded or pushed to the device.

To add a configuration

1. Click Add (upper left).
2. Select the type of configuration you want to create.
3. Complete the form in the configuration wizard.
4. Click Next.

5. If you do not want this configuration enabled immediately, clear the Enable this configuration option.
6. Select device groups for the configuration. If your service has device partitions defined, you will need to specify whether the configuration should be applied to the other partitions, and with what priority.

For configurations that issue a command to the device instead of installing a profile on the device, the configuration details will not list the configuration as applied to any devices.

To delete a configuration

1. Select the configuration.
2. Select Actions > Delete.

To exclude a configuration

Some previously distributed configurations can be manually removed from a device by excluding them as follows:

1. Go to Devices > Devices.
2. Click a device name to view the details page.
3. Go to Configurations.
4. Select one or more configurations to be excluded.
5. Click Exclude Profiles. To exclude a single configuration, you may also click Exclude under the Actions column.

To push a configuration

If you want to reinstall any of the excluded configurations on a device, push the configurations as follows:

1. Go to Devices > Devices.
2. Click a device name to view the details page.
3. Go to Configurations > Excluded Configurations.
4. Select one or more configurations to be pushed to the device.
5. Click Push Profiles. To push a single configuration, you may also click Push under the Actions column.

To prioritize configurations

When configurations of the same type are applied to the same device, the defined priority determines which configuration is applied. The configuration with the highest priority has the lowest number. For example, the configuration with priority 1001 has a higher priority than the configuration with priority The service assigns numbers automatically.

To change the priority of configurations:

1. With no configuration selected, select Actions > Prioritize configs. This option is available only if the page contains two or more configurations of the same type.
2. Use the arrows to move the configurations so that the one that should have the highest priority appears at the top.
3. Click Save.

Can't see the Configurations page?

Maybe you don't have permission. You need one of the following roles:
- Device Management
- Device Read Only

See Also
- Displaying and Hiding Columns
- Device Partition
- Prioritize Configurations

Custom Configuration

Policies > Configurations

License: Gold

Eligible Devices: Android, iOS, Windows.

Description: Allows you to import and distribute a predefined configuration file. The valid formats are:

| OS | Valid Configuration File Formats |
|---|---|
| iOS | .plist, .mobileconfig, .xml |
| Android | .xml. Currently, this feature only supports .xml Android configuration files for Zebra devices. |
| Windows | SyncML. |

To define a Custom configuration

1. Select Policies > Configurations.
2. Click + Add.
3. Type "custom" in the search field, and then click the Custom configuration. The Custom Configuration details page appears.
4. Configure the settings on this page. Refer to the table in the section Custom Configuration settings for guidance on the values.
5. Click Next to configure the distribution settings, and then click Done.
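Because a Custom configuration imports and distributes a predefined file, it helps to list what an iOS profile actually contains before uploading it. The following pre-upload check is an added example, not MobileIron code: the sample profile is constructed, and the `audit_profile` name, the approved-type list and the choice of which Apple payload types count as sensitive are assumptions made for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple payload types that change what a device trusts or where its traffic
# goes. Treating them as "sensitive" is this example's review policy
# (an assumption), not a MobileIron setting.
SENSITIVE_TYPES = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.proxy.http.global": "sends HTTP traffic through a proxy",
}
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Constructed sample profile: three payloads, the last one deliberately broken
# (reused PayloadUUID, no PayloadVersion).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.baseline</string>
  <key>PayloadUUID</key><string>A0000000-0000-0000-0000-000000000000</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.baseline.wifi</string>
      <key>PayloadUUID</key><string>B0000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.baseline.ca</string>
      <key>PayloadUUID</key><string>B0000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>com.example.baseline.proxy</string>
      <key>PayloadUUID</key><string>B0000000-0000-0000-0000-000000000001</string>
    </dict>
  </array>
</dict></plist>
"""


def audit_profile(data, approved_types):
    """Return (payload_types, findings) for a .mobileconfig/.plist byte string."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError):
        # Signed profiles are CMS-wrapped and must be unwrapped before review.
        return [], ["file is not a parseable plist (signed or corrupt?)"]
    if not isinstance(profile, dict):
        return [], ["top-level object is not a dictionary"]

    findings = [f"profile: missing {k}" for k in REQUIRED_KEYS if k not in profile]
    if profile.get("PayloadType") != "Configuration":
        findings.append("profile: PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        return [], findings + ["profile: PayloadContent is not an array"]

    types, seen_uuids = [], set()
    for index, payload in enumerate(payloads):
        if not isinstance(payload, dict):
            findings.append(f"payload {index}: not a dictionary")
            continue
        ptype = payload.get("PayloadType")
        if not isinstance(ptype, str):
            ptype = "<missing>"
        types.append(ptype)
        label = f"payload {index} ({ptype})"
        for key in REQUIRED_KEYS:
            if key not in payload:
                findings.append(f"{label}: missing {key}")
        uuid = payload.get("PayloadUUID")
        if isinstance(uuid, str):
            if uuid in seen_uuids:
                findings.append(f"{label}: PayloadUUID duplicates an earlier payload")
            seen_uuids.add(uuid)
        if ptype in SENSITIVE_TYPES:
            findings.append(f"{label}: {SENSITIVE_TYPES[ptype]}")
        if ptype not in approved_types:
            findings.append(f"{label}: type not on the approved list")
    return types, findings


if __name__ == "__main__":
    approved = {"com.apple.wifi.managed", "com.apple.security.root"}
    payload_types, problems = audit_profile(SAMPLE_PROFILE, approved)
    print("payloads:", payload_types)
    for line in problems:
        print("review:", line)
```

A profile that produces no findings still needs a human look at the payload settings themselves; this check only surfaces which payload types are present and whether the required identifiers are intact.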

Custom Configuration settings

| Setting | What To Do |
|---|---|
| Name | Enter a name that identifies this configuration. |
| Description | Enter a description that clarifies the purpose of this configuration. |
| Choose OS | Click an OS icon to upload a configuration file that corresponds to the selected icon. |
| Choose File | This option appears after you have selected an OS. Drag a configuration file into the Drag and Drop box, or click the Choose File button to select a configuration file. |

See Also
- How to create a configuration

Home Screen Layout Configuration

Configurations

License: Gold

Eligible Devices: iOS 9.3+ Supervised Only

Description: Defines a layout of apps, folders, and web clips for the Home screen.

To define a Home Screen Layout configuration

1. Select Configurations.
2. Click + Add.

3. Type "home" in the search field, and then click the Home Screen Layout configuration. The Home Screen Layout Configuration details page appears.
4. Configure the settings on this page. Refer to the table in the section Home Screen Layout Configuration settings for guidance on the values.
5. Click Next to configure the distribution settings, and then click Done.

Home Screen Layout Configuration settings

Setting: What To Do

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Dock: Click the to add an app or webclip to the dock of the home screen, shown highlighted here, and then follow the directions on the subsequent screens:

Page 1: Click the to add an app or webclip to the page area of the home screen, shown highlighted here, and then follow the directions on the subsequent screens: You can click to add another page to the phone display.

See Also
- How to create a configuration

App Control Configuration: Control Which Apps Are Installed Per Device

For iOS 9.3 Supervised devices, this config allows apps to be whitelisted or blacklisted at the device level. Apps that are already installed will not be visible and cannot be launched. Apps will still be visible in the App Store, but they cannot be downloaded or launched. Any device to which this config is distributed will use this config and ignore any Allowed Apps Policy settings. This config supersedes any app-related policies that reference the same applications on the target devices.

For Windows 10 devices, restrictions happen at the device level; therefore a config is the only way to enforce app rules.

The App Control config allows you to create a:
- Whitelist: Only allow apps that are explicitly added to this list. No other apps will be able to be installed on devices.
- Blacklist: Disallow specific apps from being installed on devices.

Supported Devices
- iOS 9.3+ Supervised only
- Windows

Steps to define whitelist or blacklist apps

1. Select Configurations.
2. Click + Add.
3. Enter app control in the resultant Choose Configuration field, and then select the App Control config.
4. Enter name and description for the config.
5. Select an OS and then continue below at the section that applies to your OS.

iOS 9.3 supervised devices

1. Choose whether to create a whitelist or blacklist.
2. Choose the apps to whitelist or blacklist, either from the app catalog or system apps, or by entering the Apple bundle ID for Apple System apps only.
3. Click Next and then choose a distribution option.
4. Click Done.

App Notifications Configuration

Configurations

Choose how users receive notifications from selected apps. This configuration is for iOS 9.3 Supervised devices only.

To create an App Notifications configuration

1. Select Configurations.
2. Click + Add.
3. Type notifications in the search field, and then click the App Notifications configuration. The App Notifications Configuration Setup page appears.

4. Name and describe the configuration.
5. Choose an app to which to apply the app notification settings.
6. Configure the notification settings.
7. Click Next to configure the distribution settings, and then click Done.

See Also
- How to create a configuration

Policies > Policy & Compliance

Policies define requirements for devices, as well as what will happen if a device does not comply with requirements. Each policy consists of a rule and a compliance action (what happens if the rule is violated). Use the Policy & Compliance page to select, set up, and distribute policies.

Available policy types are:

| Type | What It Does |
|---|---|
| Compromised Devices | Flags devices that have been jailbroken (iOS) or rooted (Android). |
| International Roaming Devices | Flags devices that might be incurring international roaming charges. Status is refreshed when the device checks in. For iOS, the service uses the roaming flag as set and reported by iOS. The compliance action is triggered by the first violation only. |
| MDM/Device Administration Disabled | Flags devices that have MDM (iOS) or Device Administration (Android) disabled, which severely limits management of these devices. |
| Out of Contact | Flags devices that have not checked in with the MobileIron Cloud service for the defined number of days. |
| Allowed Apps | Flags devices that violate rules about which apps are allowed or required. |

Available compliance actions are:

Compliance Action: What It Does

Monitor: Flags the device in the MobileIron Cloud Devices page.
Block via Sentry: Prevents the device from accessing . Flags the device in the MobileIron Cloud Devices page.
Send message to user: Sends an to the device owner. Sends a push notification to the device.
Quarantine:
- Removes most configurations from the device. Exceptions: passcode configurations, Wi-Fi configurations for Wi-Fi-only devices, Restriction configurations (iOS).
- Removes all apps installed by MobileIron Cloud.
- Removes all content distributed by MobileIron Cloud, including iBook and EPUB files.
- Blocks access to MobileIron Cloud catalogs.
- Suspends prompts for installing additional apps.
- Blocks access to AppConnect-enabled apps.

To add a policy

1. Go to Policies > Policy & Compliance.
2. Click Add (upper right).
3. Select a policy type.
4. Complete the settings.
5. Select the device groups you want to receive this policy.
6. Click Done.

To change a policy

1. Go to Policies > Policy & Compliance.
2. Select the policy.
3. Click Edit (upper right).

To delete a policy

1. Go to Policies > Policy & Compliance.
2. Select the policy.

112 3. Click Actions (upper right). 4. Select Delete. Can't see the Policy & Compliance page? Maybe you don't have permission. You need one of the following roles: Device Management Device Read Only See Also Displaying and Hiding Columns Prioritize Policies Managing Configurations Configuration Types Use the search and filter capability on the Choose Configurations page to find the configuration you want to apply. 1. Choose Configurations. 2. Choose one of the configurations listed or click the +Add button. The Choose Configuration page is displayed 3. Click one of the configurations listed or : o Enter the name of the configuration in the search box o Click a filter icon on the right of the search box to display configuration types compatible with platform. 4. Click a configuration button to access configuration setting options. Use the Configurations page to create and edit all configuration types. Security Type What It Does For These Devices Android for Work specifies Android for Work options Android for Work Needs This License Gold AppConnect Device specifies whether location data is collected ios Gold 91

Certificate | establishes trust with servers | Android, iOS, macOS
Encryption | prompts users to start encryption | Android
FileVault 2 | provides ability to perform full XTS-AES 128 disk encryption on the contents of a volume | macOS
FileVault Recovery Key Redirection | determines settings for redirecting the FileVault recovery keys to a corporate server | macOS
Identity Certificate | authenticates the device to servers; authenticates the device to network resources | Android, iOS, macOS
iOS Activation Lock | enables the Apple Activation Lock feature on supervised devices | iOS | Silver
iOS Custom Configuration | distributes an iOS configuration profile that was created by a different app | iOS
iOS Restrictions | locks down device features; enables device features | iOS
Lockdown & Kiosk | locks down device features; re-enables device features; applies the kiosk feature | Android
Managed Domains | specifies trusted email and web domains | iOS 8+ | Silver
OS X Firewall | manages the Application Firewall settings that are accessible in the Security Preferences pane on macOS devices. Note: The Administrator can enable the stealth mode by specifying a device that cannot be discovered by the ping command. | macOS
OS X Restrictions | determine which features are enabled on macOS devices | macOS
Passcode | makes a passcode mandatory; specifies passcode length and content; changes passcode requirements | Android, iOS, macOS
Privacy | specifies whether location data is collected | Android, iOS

115 Web Content Filter Windows Restrictions controls Safari content determines which features are available on Windows Phone devices supervised ios 7 Windows Phone Silver User Resources Type CalDAV CardDAV What It Does sets up access to a CalDAV server (like Google Calendar) sets up access to a CardDAV server (like Google Contacts) For These Devices ios ios Needs This License Exchange sets up access for POP/IMAP (like Gmail) sets up access for ActiveSyncbased (like Outlook) for Android and ios mobile devices sets up Exchange Web Services ios Android ios macos Note: Exchange via sentry is not supported on macos The Sync Past days s flag is not applicable for macos 94

116 Google Font Subscribed Calendar Web Clip (EWS)-based for macos devices defines how much to sync to the device defines security for Creates Google account configuration s that connect ios devices to Google accounts. Specifies which app to use to make calls to contacts in the Google system. installs nonstandard fonts necessary for proper display of documents sets up a subscription to an internet calendar displays a shortcut (icon) to a web page ios ios ios ios macos 95

117 Enterprise Network Access Type What It Does For These Devices AirPlay AirPrint sets up access to alternate devices for media display sets up wireless printing ios Needs This License Silver ios macos Silver Always On VPN Global Proxy LDAP Per-App VPN Single Sign-On VPN VPN On Demand Wi-Fi sets up access to a VPN server without user interaction sets up devices to forward HTTP traffic to a proxy server sets up access to a corporate directory sets up connections between specific apps and a VPN server sets up single signon for specified managed apps sets up access to a VPN server sets up access to a VPN server based on domains, host names, etc. sets up access to a wireless network ios 8 Silver supervised ios 7 ios Silver ios Silver ios Android ios macos ios Android ios macos Cellular Network Type APN What It Does sets up the cellular Access Point Name for the device For These Devices ios Needs This License 96

Cellular | sets up cellular network access | iOS
iOS Telecom Presets | sets default values for roaming restrictions; sets default values for personal hotspot restrictions | iOS

More Configurations

Type | What It Does | For These Devices | Needs This License
Apple TV | defines language and locale for Apple TV | supervised iOS 7 | Silver
Default Device Name | defines a default device name using variables | supervised iOS 8 | Silver
iOS Wallpaper | installs a home screen and lock screen background | supervised iOS 7 | Silver
Single App Mode | restricts the device to use of the specified app | supervised iOS 7 | Silver

Device Sync Configuration

Device Sync settings provide a list of data points you can monitor on devices. Device Sync configurations cannot be edited.

To view a list of the settings checked:
1. Go to Configurations.
2. Click Device Sync Config. The Details tab of the Device Sync Config page is displayed with a list of items checked.

Settings | Time between readings in seconds
Certificate List | 60
Device Information | 60

Installed App List | 60
Managed App List | 60
Profile List | 60
Provisioning Profile List | 60
Restrictions | 60
Security Information | 60
iOS 9+ Check for Updates | 1440

See Also
Variables

Variables

You can use variables in certain configuration fields to represent values specific to a given user. Any field that supports variables displays a list of supported variables if you type $ in the field.

Summary of supported account variables

Use account variables to substitute information about an account, such as an Exchange account.

Variable | Description
${samaccountname} | The logon name used in LDAP to support clients and servers running older versions of the Windows operating system.
${userdisplayname} | The text displayed to identify the account.
${userdn} | The value that uniquely identifies the user in the LDAP directory (i.e., distinguished name).
${user address} | The address associated with the user account.
${userfirstname} | The user's given name.
${userlastname} | The user's surname.
${userlocale} | The home geographic location/language for the user.
${useruid} | The unique identifier used internally by LDAP.
${username} | The string used to identify the user.
${userupn} | The Internet-style login name for a user. (The UPN is shorter than the distinguished name.)

Summary of supported device variables

Use device variables to substitute information about a mobile device.

Variable | Description
${deviceclientdeviceidentifier} | The unique device identifier generated by the device management app.
${deviceimei} | The International Mobile Equipment Identity assigned to the device. This number uniquely identifies the mobile device.
${deviceimsi} | The International Mobile Subscriber Identity assigned to the home cellular network for the device.
${devicepk} | The unique device identifier generated by the device management service.
${devicesn} | The serial number assigned to the device.
${deviceudid} | The unique identifier assigned to the device by the manufacturer.
${devicewifimacaddress} | The Media Access Control address that uniquely identifies the network interface on the device.
${devicemdmdeviceidentifier} | The unique device identifier generated by the Apple MDM function.

Security Configurations

Android for Work Configuration

Configurations

License: Gold

An Android for Work configuration defines the Android for Work options enabled for supported devices. You can create alternate configurations for different groups of devices or just edit the default configuration. For a list of devices that support Android for Work go here.

Android for Work settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
Disable Screen Capture | Select to prevent devices from using the native screen capture feature.
Disallow Apps Control | Select to prevent users from modifying apps in Settings or launchers.
Disallow Config Credentials | Select to prevent users from setting up user credentials.
Disallow Cross Profile Copy/Paste | Select to prevent devices from copying and pasting to other Android for Work profiles.
Disallow Modify Accounts | Select to prevent users from adding and removing accounts.
Disallow Share Location | Select to prevent websites and apps from prompting the device user to share device location.
Disable Caller ID | Select to prevent the device from identifying itself to other devices when initiating a call.

AppConnect Device Configuration

Configurations

License: Gold

An AppConnect device configuration defines AppConnect security settings. A default configuration is applied to all devices. You can create alternate configurations for different groups of devices or just edit the default configuration.

AppConnect device settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.

AppConnect Passcode
Enable Secure Apps Passcode | Select to require users to enter their secure apps passcode before accessing AppConnect apps.
4-digit numeric | Select to require a 4-digit secure apps passcode.
Alphanumeric | Select to require a secure apps passcode containing numbers and letters.
Minimum passcode length | For alphanumeric passcodes, select the minimum number of characters required.
Minimum number of complex characters | For alphanumeric passcodes, select the minimum number of complex characters required.
Maximum Password Age | Select an age from the list or select Custom to enter a specific number of days after which the user must change the secure apps passcode.
Auto-Lock | Select the amount of time that passes before the AppConnect auto-lock feature requires the user to re-enter the secure apps passcode.
Passcode history | Enter the number of unique secure apps passcodes that the user must enter before repeating a passcode. For example, if you set this option to 3, then the user must use 3 different passcodes when resetting the secure apps passcode before being able to reuse the first passcode.
Maximum number of failed attempts | Enter the number of times the user may provide an incorrect secure apps passcode before being locked out of the AppConnect apps on the device.

App Authorization
App check-in interval | Enter the number of minutes the app should wait before checking in with AppConnect. Note that app authorization is an automatic result of adding an app to the app catalog.
Unauthorized message | Enter the text to be displayed to the user if the app is not authorized to check in with AppConnect.

Device Out of Contact
Wipe AppConnect device after | Enter the number of days that the device can remain out of contact before having its AppConnect data wiped. Enter 0 to disable this option.

Data Loss Prevention Settings
Allow copy/paste to | Select to allow users to copy and paste data to apps.
Allow printing | Select to allow users to print data in apps.
Allow open-in | Select to allow users to open files in apps.
All Apps | Select to allow users to perform above selected actions for all apps.
Whitelist Apps only | Select to allow users to perform above selected actions for specified apps from your app catalog only. When you select this option, a new box displays. Type the first letter of the app in the box for a drop-down of available apps from your app catalog.

Changing/Resetting the passcode

Users can change or reset the secure apps passcode in the MobileIron Go app by selecting Change Password under Settings. Users can select the Forgot Password link to reset the passcode.

See also
How to Set Up AppConnect
How to create a configuration

Certificate Configuration

Configurations

A certificate configuration identifies a certificate to be distributed to devices. Certificates enable devices to establish trust with server and network resources.

Certificate settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
Certificate data | Drag the certificate file to the dotted box, or click Choose File to select it from your file system.

See Also
How to create a configuration

Encryption Configuration (Android Only)

Configurations

An encryption configuration turns on encryption for Android devices. Encryption stores the device's data in an unreadable form so that anyone who might steal the device cannot access the data. Enabling encryption prompts the device user to encrypt the device and requires setting a device passcode. The passcode is what decrypts the data so that you can read it. The device cannot be used while it is being encrypted. Once encryption is on, turning it off requires a factory reset of the device.

Encryption settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
Enable Device Encryption | Select the setting to turn on encryption for all encryption-capable Android devices that receive this configuration.

See Also
How to create a configuration

Identity Certificate Configuration

Configurations

An identity certificate configuration defines a certificate authentication mechanism for mobile devices. Identity certificates are X.509 certificates (.p12 or .pfx). Before beginning, you should already know how you plan to distribute certificates to your mobile devices. You should also have configured any necessary certificate authority.

Identity certificate settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
Certificate Distribution | Select the type of certificate distribution to set up. Single File: Upload an existing certificate for distribution to devices. SCEP Config (iOS Only): Specify how to request a certificate from a SCEP server. Dynamically Generated: Create certificates on request using a local or external certificate authority. Your selection determines which options display in the rest of the form.
Identity Certificate data | Single File: Drag the certificate file to the dotted box, or click Choose File to select it from your file system.
Password | Single File: Enter the password that was defined to protect the bundle containing the certificate.
Identity Certificate (SCEP) | SCEP Config: Select to specify a SCEP server.
Local Certificate Authority | SCEP Config: Select to specify a local certificate authority that you have already created under Policies > Certificate Authority. Select the local certificate authority from the drop-down that appears when you select this option.
URL | SCEP Config: Enter the URL for the SCEP server.
CA Identifier | SCEP Config: Enter the identifier provided by the certificate authority.
Subject | SCEP Config/Dynamically Generated: Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user's fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN= You can also customize the Subject by appending a variable to the OID. For example, CN= $DEVICE_CLIENT_ID$. For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user's FQDN.
Subject Alternate Name Type | SCEP Config: Select RFC 822 Name, DNS Name, Uniform Resource Identifier or None, based on the attributes of the certificate template. Dynamically Generated: Click Add to specify one of the above types. Click Add again to specify additional types.
Subject Alternate Name Value | SCEP Config/Dynamically Generated: Enter the value for the corresponding type.
NT Principal Name | SCEP Config: Enter a subject alt name for Microsoft environment. This would usually be configured to include the user's UPN (user principal name).
Retries | SCEP Config: Select from the list to set the number of times that authentication will be attempted after the first time a status of 'pending' is returned.
Retry delay | SCEP Config: Select from the list to set the number of seconds to wait before a retry.
Key size | SCEP Config/Dynamically Generated: Select 1024 bits or 2048 bits.
Use as digital signature | SCEP Config/Dynamically Generated: Select if the certificate can be used for signing.
Use as key encipherment | SCEP Config/Dynamically Generated: Select if the certificate can be used for encryption.
CA Fingerprint | SCEP Config: If your certificate authority uses HTTP, enter the hex string to be used as the fingerprint of the CA's certificate. SHA1 and MD5 fingerprints are supported. If you prefer, you can create a fingerprint from the certificate. Just drag and drop the certificate to the designated area or click Create from Certificate to select the certificate from your file system.
Source | Dynamically Generated: Select the local certificate authority from the drop-down. You should have already created this CA under Policies > Certificate Authority.
Signature Algorithm | Dynamically Generated: Select the method to use for signing the certificate: SHA1 with RSA, SHA256 with RSA, SHA384 with RSA, SHA512 with RSA,

iOS Activation Lock Configuration

Configurations

Activation Lock is an Apple feature designed to prevent anyone from using a lost or stolen device. As soon as Find My iPhone is turned on, a mapping between this iCloud account and a hardware identifier for this device is saved to Apple's activation servers. From that point, no one can turn off Find My iPhone, erase the device, or reactivate it without entering the existing Apple ID and password. If someone other than the user wipes the device and then tries to re-activate and use it, they will be prompted for the Apple ID and password in Setup Assistant.

Activation Lock provides administrators with more options for deterring theft of supervised devices. However, most corporate administrators are likely to leave Activation Lock disabled because it is primarily a consumer feature. The following table summarizes the options for corporate-liable deployments:

Device Type | Result
Corporate-liable and supervised | Activation Lock is disabled for supervised devices by default. Device users cannot turn on Activation Lock.
Corporate-liable and unsupervised | Activation Lock will be enabled as soon as the end-user signs in to iCloud with their Apple ID and turns on Find My Device. MDM servers, including MobileIron Cloud, cannot control Activation Lock on unsupervised devices. Device users can lock activation with their personal credentials, leaving you no recourse should they leave the company.

License: Silver

To enable the iOS Activation Lock

Should you decide to enable the iOS Activation Lock feature on supervised devices:
1. Turn on Find My iPhone.
2. Go to Policies > Configurations.
3. Select the iOS Activation Lock configuration from the list of existing configurations.
4. Click Edit.
5. Click Enable Activation Lock.
6. Click Done.
7. Register the device.

To use the iOS Activation Lock bypass code

When the device is wiped with the iOS Activation Lock enabled, the bypass code is retained on the Apple Activation server and in the MobileIron Cloud Admin interface.
1. Go to Devices
2. Select the device
3. Click Actions > Wipe. It may take a few minutes before the device restarts

4. When the device prompts you for the Apple ID and password, leave the Apple ID empty
5. Enter the bypass code in the password field
6. Click Next.
7. Proceed with setup

To clear the iOS Activation Lock bypass code

When the iOS Activation Lock is cleared in the MobileIron Cloud Admin interface, the bypass code is removed from the Apple Activation server, but it is still present in the device details in the MobileIron Cloud Admin interface.
1. Go to Devices
2. Select the device
3. Select Policies > Configurations
4. Select iOS Activation Lock
5. Click Edit
6. Uncheck iOS Activation Lock
7. Click Done
8. Go to Devices
9. Select the device
10. Click Actions > Wipe. It may take a few minutes before the device restarts. The device can now be set up with the new user's Apple ID and password.
11. Proceed with setup.

The status of the clear iOS Activation Lock is displayed on the interface in this manner:

State | Result
Pending | Server is sending the Clear Activation Lock code to Apple.
Sent | Apple acknowledges receipt of the Clear Activation Lock code.
Failed | The server was unable to send the code to Apple. Apple has reported an error.

iOS Custom Configuration

Configurations

An iOS custom configuration enables you to upload and distribute an iOS configuration profile that was created by a different app, such as Apple's iPhone Configuration Utility.

iOS Custom settings

Setting | What To Do
Name | Enter a name that identifies this configuration.
Description | Enter a description that clarifies the purpose of this configuration.
File data | Drag and drop the configuration file or click Choose File to select it from your file system.

See Also
How to create a configuration

iOS Restrictions Configuration

Configurations

iOS restrictions are settings that help the primary user of the device control what other users are allowed to do with an iOS device. These settings are defined by Apple and managed by MobileIron Cloud.

iOS Restrictions settings

Category | Setting | What To Do
| Name | Enter a name that identifies this configuration.
| Description | Enter a description that clarifies the purpose of this configuration.
Device functionality | Allow screen capture | Select to allow the device user to take screen captures using the built-in iOS screen capture feature.
| Allow automatic sync while roaming | Select to allow synchronization of mail accounts while the device is outside of its home country.
| Allow Siri | Select to allow the personal assistant app on supported devices.

| Allow Siri while device is locked | Select to allow the personal assistant app to perform tasks even when the device is locked.
| Allow voice dialing | Select to allow users to dial a contact or number by talking to the device.
| Allow In-App Purchase | Select to allow users to make purchases through apps running on the device.
| Allow passbook while locked | Select to allow Passbook notifications to display while the device is locked.
iOS 7+
| Allow lock screen Control Center | Select to allow access to Control Center from the lock screen.
| Allow lock screen Notifications view | Select to allow notifications to be displayed on the lock screen.
| Allow lock screen Today view | Select to allow access to the Today view from the lock screen.
| Allow Open In from managed to unmanaged apps | Requires Gold license. Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. You can also use this option (disable) together with a managed domains configuration to ensure that data downloaded from managed domains can only be opened in a managed app.
| Allow Open In from unmanaged to managed apps | Requires Gold license. Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email. You can also use this option (turn off) together with a managed domains configuration to ensure that data downloaded from unmanaged domains cannot be opened in a managed app.
| Require passcode on first AirPlay pairing | Select to require the Apple TV to display a passcode that the user must enter on the iOS device to authorize the initial pairing of the devices.
iOS 7+ Supervised
| Allow Bookstore access | Select to allow access to iBookstore.
| Allow Bookstore Erotica | Select to allow users to download iBookstore material that has been tagged as erotica.
| Allow account modification | Select to allow users with supervised iOS 7 devices to add accounts and make changes to accounts that have already been configured.
| Allow app cellular data modification | Select to allow users to make changes to cellular data settings for apps.
| Allow Find My Friends modification | Select to allow users to make changes to the Find My Friends app settings.
| Allow pairing with non-configurator hosts | Select to allow host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.
| Allow AirDrop | Select to allow use of AirDrop on the device. AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices.
| Allow finger print for unlock | Select to allow users to unlock the device using the finger print feature.
| Allow app in single app mode | Enter a list of bundle IDs for apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to apps developed for autonomous single app mode. Supervision is established with Apple Configurator.
iOS 8+
| Allow Enterprise books to be backed up | Select to allow personal backup of iBooks, ePub, and PDF documents that were pushed to the device using MDM.
| Allow Enterprise books notes and highlights to be synced | Select to allow the notes and highlights added to Enterprise books to be synchronized to iTunes.
| Force Apple Watch wrist detection | Select to hide on-screen notifications unless someone is wearing the Apple Watch.
iOS 8+ Supervised
| Allow Spotlight search to return Internet search results | Select to allow the Spotlight search to include internet sources.
| Allow predictive keyboard | Select to allow users to enable iOS prediction of the word being typed, enabling users to tap one of three predictions to complete the word.
| Allow keyboard autocorrection | Select to allow use of auto-correction with Bluetooth keyboards.
| Allow keyboard spell check | Select to allow use of spell check with Bluetooth keyboards.
| Allow keyboard definition lookup | Select to allow definition lookup with Bluetooth keyboards.
| Allow modifying Touch ID fingerprints | Select to allow Touch ID settings to be changed.
iOS 9+ Supervised
| Allow keyboard shortcuts on iPads | Select to allow use of keyboard shortcuts on the iPad.
| Allow modification of wallpaper | Select to allow users to change wallpaper images.
| Allow pairing with Apple watch | Select to allow pairing of the iPhone with the Apple watch.
| Allow modification of device name | Select to allow user to change the name of the device.

Category | Setting | What To Do
Applications | Allow installing apps | Select to enable the user to install applications from the Apple App Store. Unselect to disable the App Store and remove its icon from the Home Screen.
| All use of camera | Select to enable the user to operate the camera. Unselect to disable the camera and remove its icon from the Home screen.
| Allow FaceTime | Select to allow the user to run FaceTime if the camera is enabled.
| Allow use of iTunes Store | Select to allow use of the iTunes Music Store. Unselect to disable iTunes Music store and remove its icon from the Home screen.
| Allow use of Safari | Select to allow use of the Safari web browser. Unselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.
| Enable autofill | Select to turn on the autofill feature for fields displayed in Safari.
| Force fraud warning | Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.
| Enable JavaScript | Select to turn on JavaScript support for Safari.
| Block pop-ups | Select to block pop-ups for Safari.
| Accept cookies | Select Never, Always, or From Visited sites.
iOS 7+ Supervised
| Allow removing apps | Select to allow users to remove apps from the device.
| Allow use of Game Center | Select to allow access to Game Center.
| Allow adding Game Center friends | Select to allow users to add friends to Game Center.
| Allow multiplayer gaming | Select to allow users to play games that include other users.
| Allow iMessage | Select to allow use of iMessage.
iOS 8+
| Allow managed applications to use cloud sync | Select to allow managed apps to use cloud sync.
| Allow Activity Continuation | Select to allow activity continuation in apps supporting Handoff.
iOS 8+ Supervised
| Allow use of Podcasts | Not currently supported.
iOS 9+ Supervised
| Allow trusting of new enterprise app authors | Select to allow user to access new enterprise apps.
| Allow App Store | Select to allow user access to the Apple App store.
| Allow automatic app downloads | Select to allow the app to download files, data, updates with prompting the user.
| Allow News app | Select to allow use of the News app.
iOS 10+ Supervised
| Allow Bluetooth modification | Select to allow the user to modify the Bluetooth setting on supervised devices. Useful in such cases as shared iPads used for the Classroom app for Education where Bluetooth is required to run the app.

Category | Setting | What To Do
iCloud | Allow backup | Select to allow the device to back up data via Apple's iCloud service.
| Allow document sync | Select to allow documents to be synchronized via Apple's iCloud service.
| Allow Photo Stream | Select to allow photos to be synchronized to your other iOS devices via Apple's iCloud.
| Allowed shared Photo Streams | Select to allow synchronization of shared photos. Note: Deselecting this option can result in loss of photos.
iOS 7+
| Allow keychain sync | Select to allow synchronization of your keychain.
iOS 9+
| Allow iCloud Photo Library | Select to allow access to iCloud photo library.

Category | Setting | What To Do
Security and Privacy | Allow diagnostic data to be sent to Apple | Select to allow automatic submission of diagnostic data to Apple.
| Allow user to accept untrusted TLS certificates | Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.
| Force encrypted backups | Select to require encrypted backups via iTunes. Automatically selected due to SCEP requirements.
| Force user to enter iTunes Store password for all transactions | Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.
iOS 7+
| Allow over-the-air certificate updates | Select to allow over-the-air updates of root certificates.
| Force limit ad tracking | Select to require use of the limit ad tracking feature.
iOS 7+ Supervised
| Allow configuration profile installation | Select to allow users to install configuration profiles and certificates interactively.
| Allow assistant user generated content | Select to allow Siri to query user-generated content from the web.
iOS 8+ Supervised
| Allow user to erase all content and settings in Reset UI | Select to enable the "Erase All Content And Settings" option in the iOS Reset UI on the device.
| Allow user to enable restrictions in Settings UI | Select to enable the "Enable Restrictions" option in the Restrictions UI on the device.

137 ios 9+ Treat AirDrop as unmanaged Allow access to AirDrop file sharing. destination ios 9+ Supervised Allow modification of Select to allow user to change the device passcode passcode for the device. Category Setting What To Do Content Ratings Allow explicit music & podcasts Ratings region Movies TV Shows Apps Select to allow access to websites having adult ratings. Explicit content is marked as such by content providers, such as record labels, when sold through the itunes Store. Select a region from the dropdown list to change the region associated with the rating selections for applications, tv shows, and movies. Select a rating limit for movies stored on the device: Don t Allow Movies G PG PG-13 R NC-17 Select a rating limit for TV shows stored on the device: Don t Allow TV Shows TV-Y TV-Y7 TV-G TV-PG TV-14 TV-MA Allow All TV Shows Select a rating limit for applications on the device: Don t Allow Apps Allow All Apps 116
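An added example (not part of the MobileIron documentation): a Python check that reads an exported iOS configuration profile and reports where the Security and Privacy restrictions above differ from a chosen baseline. The key names are Apple's Restrictions payload keys, which this page does not list; their mapping to the console labels, the baseline values and the sample profile are assumptions made for the example.

```python
import plistlib

# Apple's payload type for the Restrictions payload.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Console label -> (Apple restriction key, Apple's default when the key is
# absent, value wanted by this example's baseline).
# Assumption: the label-to-key mapping and the baseline are this example's own,
# not a MobileIron or Apple recommendation.
BASELINE = {
    "Allow user to accept untrusted TLS certificates":
        ("allowUntrustedTLSPrompt", True, False),
    "Force encrypted backups":
        ("forceEncryptedBackup", False, True),
    "Allow configuration profile installation":
        ("allowUIConfigurationProfileInstallation", True, False),
    "Treat AirDrop as unmanaged destination":
        ("forceAirDropUnmanaged", False, True),
}


def restriction_payloads(profile_bytes):
    """Return every Restrictions payload found in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == RESTRICTIONS_TYPE]


def audit(profile_bytes):
    """List baseline deviations, one dict per deviating setting."""
    findings = []
    for index, payload in enumerate(restriction_payloads(profile_bytes)):
        for label, (key, default, wanted) in BASELINE.items():
            explicit = key in payload
            # A key that is absent takes Apple's default, which may be the
            # permissive value, so absence is audited too.
            effective = payload[key] if explicit else default
            if effective != wanted:
                findings.append({
                    "payload": index,
                    "label": label,
                    "key": key,
                    "effective": effective,
                    "explicit": explicit,
                })
    return findings


# Constructed sample profile (identifiers and UUIDs are placeholders).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowUntrustedTLSPrompt": False,                 # hardened
        "forceEncryptedBackup": True,                     # hardened
        "allowUIConfigurationProfileInstallation": True,  # explicitly permissive
        # forceAirDropUnmanaged is absent, so Apple's default (False) applies
    }],
})

if __name__ == "__main__":
    for f in audit(SAMPLE_PROFILE):
        source = "set in profile" if f["explicit"] else "default, key absent"
        print(f'{f["label"]}: {f["key"]}={f["effective"]} ({source})')
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.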

See Also: How to create a configuration

Lockdown & Kiosk Configuration (Android Only)

A lockdown & kiosk configuration disables certain features of Android devices. You can restrict the option to modify settings or apps when an Android device is in Kiosk mode. Add apps and select settings in the Create Lockdown & Kiosk Configuration page and the option to change the settings using the Settings icon will be available in Kiosk mode. Select apps without choosing any settings configuration options and the settings icon will not be displayed in Kiosk mode. If you choose not to include any apps in the configuration, then the settings icon will be displayed.

Lockdown settings
Setting (For Lockdown Types): What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Choose Lockdown Type: Select the type of lockdown settings you want to configure:
  - Android
  - Android for Work (requires MobileIron Go app version 3.1)
  - Samsung SAFE
  Only one type is allowed per configuration. The options displayed depend on the type you select.
Disable Wi-Fi (Android, Samsung SAFE, Device Owner): Select to turn off access to wireless LANs.
Disable Wi-Fi Sleep (Android for Work, Device Owner): Select to keep Wi-Fi on while the device is in Sleep mode.
Disable Camera (Android, Android for Work, Samsung SAFE, Device Owner): Select to turn off camera access.
Disable Bluetooth (Android, Android for Work, Samsung SAFE, Device Owner): Select to turn off Bluetooth features. Note: Use caution when using this option. MobileIron recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.
Disable Mobile Data (Samsung SAFE): Select to turn off exchange of data when one device touches another.
Disable GPS (Samsung SAFE): Select to turn off GPS.
Disable Phone Dialer (Android for Work, Samsung SAFE): Select to turn off the phone app.
Disable SD Card (Samsung SAFE): Select to turn off SD card access.
Disable Google Backup (Samsung SAFE): Select to turn off backups to Google servers.
Disable Copy/Paste (Samsung SAFE): Select to turn off access to copy/paste functions.
Disable NFC (Samsung SAFE): Select to turn off NFC (Near-field Communication) data exchange when the device touches another device.
Disable Microphone (Samsung SAFE): Select to turn off app access to the device microphone.
Disable Screen Capture (Android for Work, Samsung SAFE, Device Owner): Select to turn off the ability to use the device's built-in screen capture feature.
Disable Bluetooth Tethering (Samsung SAFE): Select to turn off Bluetooth tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable USB Debug (Samsung SAFE): Select to turn off the USB debugging feature.
Disable USB Mass Storage (Samsung SAFE): Select to turn off support for copying files to a mass storage device connected to the mobile device on a USB port.
Disable USB Tethering (Samsung SAFE): Select to turn off USB tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable Wi-Fi Tethering (Samsung SAFE): Select to turn off Wi-Fi tethering as an option for using the internet connection of one device to provide internet access to another device.
Disable Native Browser (Samsung SAFE): Select to prevent users from accessing the Android browser.
Disable YouTube (Samsung SAFE): Select to prevent users from accessing YouTube.
Disable Factory Reset (Samsung SAFE): Select to prevent users from returning the device to factory defaults.
Disable OTA Upgrade (Samsung SAFE): Select to turn off over-the-air upgrades of the device firmware. Warning: Do not disable Disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.
Disable Voice Roaming (Samsung SAFE): Select to turn off access to voice calls while the device is roaming.
Disable USB Media Player (Samsung SAFE): Select to turn off the USB media player.
Disable Google Play (Samsung SAFE): Select to turn off access to Google Play.
Disable Data Roaming (Samsung SAFE, Device Owner): Select to turn off data exchange while the device is roaming.
Disable Setting Changes (Samsung SAFE): Select to turn off access to the device Settings app. Warning: Do not disable Disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.
Disallow Apps Control (Android for Work, Device Owner): Select to prevent a user from modifying applications in Settings or launchers.
Disallow Config Credentials (Android for Work, Device Owner): Select to prevent a user from configuring user credentials.
Disallow Cross Profile Copy Paste (Android for Work): Select to prevent copy/paste of information between profiles.
Disallow Modify Accounts (Android for Work, Device Owner): Select to prevent a user from adding or removing accounts.
Disallow Outgoing Beam (Android for Work, Device Owner): Select to prevent a user from using NFC to transfer app data.
Disallow Outgoing Calls (Device Owner): Select to prevent a user from making outgoing calls.
Disallow Safe Boot (Device Owner): Select to prevent a user from making outgoing calls.
Disallow Share Location (Android for Work, Device Owner): Select to prevent a user from revealing the device location to apps.
Disallow SMS (Device Owner): Select to prevent a user from sending and receiving SMS messages.
Disallow Unmute Microphone (Device Owner): Select to prevent a user from unmuting the device's microphone.
Disallow Auto Time (Device Owner): Select to prevent a user from enabling automatic time changes.
Disallow Auto Time Zone (Device Owner): Select to prevent a user from enabling automatic device time adjustment with timezone changes.
Disallow Data Roaming (Device Owner): Select to prevent a user from enabling data roaming.
Disable Caller ID (Android for Work): Select to prevent the device from identifying itself to other devices when initiating a call.
Kiosk Mode Settings (Android, Samsung SAFE): Enables the device to be used as a kiosk, with operation restricted to a few specific apps.
Enable Kiosk Mode (Android, Android for Work, Samsung SAFE, Device Owner): Select to configure Kiosk Mode on Android devices.
Enable Access to Location Settings in Kiosk Mode (Android, Android for Work, Samsung SAFE, Device Owner): Select to allow a user access to the location settings.
Enable/Disable Quick Settings in Kiosk Mode (Android, Android for Work, Device Owner): Toggle Quick Settings on and off in Kiosk mode.
Allow User to Access Wi-Fi Settings (Android, Android for Work, Samsung SAFE, Device Owner): Select to allow a user to change Wi-Fi settings and access preferred wireless networks.
Allow User to Access Bluetooth Settings (Android, Android for Work, Samsung SAFE, Device Owner): Select to allow a user to change the Bluetooth settings and pair additional Bluetooth devices.
Allow User to Delay Application Updates (Android, Android for Work, Samsung SAFE, Device Owner): Select to allow a user to delay application updates.
Kiosk Exit PIN (Android, Android for Work, Samsung SAFE, Device Owner): Enter the four-digit code that the end user must type in order to exit Kiosk Mode.
Built-In Apps (Android, Samsung SAFE): Click Add+ to include listed native apps in the group of apps allowed in Kiosk Mode.
App Catalog (Android, Android for Work, Samsung SAFE): Click Add+ to include listed apps from the app catalog in the group of apps allowed in Kiosk Mode.
Other Apps (Android, Android for Work, Samsung SAFE): Click Add+ to include the package ID of an app that is not available on the Google Play Store.
Kiosk Mode Allowed Apps (Android, Android for Work, Samsung SAFE): Click X to remove an app from the group of apps allowed in Kiosk Mode. Drag and drop to change the order in which apps appear on kiosk devices.

Note: Using Kiosk mode on Android 4.3 through the most recently released version as supported by MobileIron, Samsung devices that support multiple users will automatically lock down the multi-user feature while in Kiosk mode.

See Also: How to create a configuration

Managed Domains Configuration

License: Silver

A managed domain configuration enables you to specify which domains are trusted for Mail and Safari on iOS 8+ devices. Once the configuration is applied to the device, domains that are not specified in the configuration will be highlighted (untrusted) in Mail and Safari on the device. Use this configuration combined with a restrictions configuration to control the data downloads allowed in Safari.

Managed domains settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Managed Domains: Click +Add to enter a domain, as in mycompany.com.
Managed Web Domains: Click +Add to enter a domain, as in mycompany.com.

See Also

How to create a configuration

Passcode Configuration

One of the first things you set up in MobileIron Cloud (using the startup wizard) is a passcode configuration. This configuration defines settings for the screen lock feature on devices.

Passcode settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allow simple values:
  For iOS and Android: Select to allow passcodes that are less secure because they contain repeated, ascending, or descending character sequences. Examples: 1111, 1234, abcd. Note: Deselecting this option for Android devices will enforce passcodes with complex PINs. For example, users cannot configure repeated, ascending, or descending character sequences.
  For Windows Phone 8.1: Select to allow passcodes that are less secure because they contain repeated or ascending numeric sequences. Examples: 1111, 1234
Require alphanumeric value:
  For iOS and Android: Select to ensure that passcodes include letters and numbers.
  For Windows Phone 8.1: Select to ensure a strong password based on Microsoft's standard.
Minimum passcode length: Select a number from the list to set a minimum passcode length.
Minimum number of complex characters:
  For iOS and Android: Select a number from the list to set a minimum number of characters that are not numbers or letters.
  For Windows Phone 8.1: Not compatible.
Maximum passcode age: Enter a number to set the number of days after which the device user must reset the passcode. If you do not want to set a passcode age, then leave this field blank.
Auto-Lock: Select an interval from the list to define how long the device can stay idle before it automatically sets the screen lock.
SmartLock: For Android 5.0 devices except in Android for Work profiles: For Android 6.0 or later: Allows or disallows a user to choose the SmartLock feature to unlock a device. The SmartLock feature automatically unlocks a device in certain circumstances such as the user's proximity to the device, device at a location, or when the device is paired with a trusted device.
Fingerprint Unlock: For Android 5.0 devices except in Android for Work profiles: For Android 6.0 or later: Allows or disallows the user to choose Fingerprint to unlock a device.
Passcode history: Enter a number to set the number of unique passcodes a user must enter before reusing a passcode. For example, if you set this field to 4, then the user must set 4 passcodes before being able to reuse the first passcode.
Grace period for device lock: Select an interval from the list to set the amount of time between the appearance of the lock screen and the point at which the device user needs to enter a passcode to unlock the device. Windows Phone 8.1 not supported.
Maximum number of failed attempts: Select a number from the list to set the number of times the device user can consecutively enter the wrong passcode before the device is reset and wiped. Use caution with this option.

See Also: How to create a configuration

Privacy Configuration

A privacy configuration defines whether:
  - location data is collected on the device and sent to the device management system
  - administrators are allowed to wipe the device
  - app inventory is collected for all apps or just those that appear in the app catalog

Privacy settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Collect Location Data: Select to enable collection of location data. View device location in the Devices page. The location displayed for a device is based on the network location only for iOS. It is based on both network location and GPS location (if available) for Android. When location collection is enabled on a device, the current location is updated every 4 hours. Location data is removed from the device management system when the device is retired or the privacy configuration is disabled or removed. Note: Device users can turn off collection of location data on the device.
Disable Device Wipe Action: Select to prevent administrators from wiping the device. Consider selecting this option for devices that are owned by the user (employee owned).
Collect App Inventory:
  - Select Collect App Inventory to collect information on all apps installed on the device, regardless of whether an app is present in the app catalog.
  - Select For Apps on the Device that are in the App Catalog to collect information on only those apps installed on the device and present in the app catalog.

See Also: How to create a configuration

Web Content Filter Configuration

License: Silver

A web content filter configuration limits web access for iOS 7+ devices.

Web content filter settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allowed websites:
  - Limited Adult Content: Select this option if you want to block access to web sites based on iOS automatic filters. These filters attempt, with a high degree of accuracy, to block websites with inappropriate content.
  - Specific Web Sites Only: Select this option if you want to manually list the accessible web sites.
  - Plug-in (iOS 8 Supervised Only): Select this option to use a third-party plug-in.
Permitted URLs: This option is available only if you selected Limit Adult Content. Enter the permitted URLs. Each URL must begin with either: Note: If you want to permit both and for the same site, include two separate URLs. All URLs for which the initial characters match the given permitted URL are accessible. Example: permits access to the following: These URLs are accessible even if the iOS automatic filters block them.
Blacklisted URLs: This option is available only if you selected Limit Adult Content. Enter the blacklisted URLs. Each URL must begin with either: Note: If you want to block both and for the same site, include a row for each URL. All URLs for which the initial characters match the given blacklisted URL are blocked. Example: blocks access to the following: These URLs are blocked even if the iOS automatic filters allow them.
Whitelisted bookmarks: This option is available only if you selected Specific Websites Only. Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/ If absent, the bookmark is added to the default bookmarks directory.
Filter Name: This option is available only if you selected Plug-in. Enter text that will be displayed to identify this filter.
Identifier: This option is available only if you selected Plug-in. Enter the bundle ID of the plug-in providing the filtering service.
Service Address: This option is available only if you selected Plug-in. Optional: Enter any server address necessary for use by the plug-in. Consult the documentation for the plug-in to determine if this value is necessary.
Organization: This option is available only if you selected Plug-in. Optional: Enter any organization string required by the plug-in. Consult the documentation for the plug-in to determine if this value is necessary.
Username: This option is available only if you selected Plug-in. Optional: Enter any username required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.
Password: This option is available only if you selected Plug-in. Optional: Enter any password required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.
Certificate: This option is available only if you selected Plug-in. Optional: Enter any certificate required by the plug-in service to authenticate the user. Consult the documentation for the plug-in to determine if this value is necessary.
Filter Webkit Traffic: This option is available only if you selected Plug-in. Select to include Webkit traffic in the filter.
Filter Socket Traffic: This option is available only if you selected Plug-in. Select to include socket traffic in the filter.
Custom Data: This option is available only if you selected Plug-in. Optional: Add any key/value pairs required by the plug-in service. Consult the documentation for the plug-in to determine if this value is necessary.

See Also: How to create a configuration

Windows Restrictions Configuration
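An added example (not part of the MobileIron documentation) for the Permitted URLs and Blacklisted URLs rows of the web content filter settings above: the "initial characters match" rule written as a Python check, with a lint for list entries that match more than intended. The function names and sample URLs are constructed, and letting the blacklist win when both lists match is an assumption, since the page does not state the precedence.

```python
from urllib.parse import urlsplit


def decide(url, permitted, blacklisted, auto_filter_allows):
    """Apply the page's rules for the automatic-filter mode.

    A URL is matched when its initial characters equal a list entry.
    Blacklisted entries block even if the automatic filter allows the URL;
    permitted entries allow even if the automatic filter blocks it.
    """
    # Assumption: the blacklist is checked first when both lists match.
    for entry in blacklisted:
        if url.startswith(entry):
            return False, "blacklisted: " + entry
    for entry in permitted:
        if url.startswith(entry):
            return True, "permitted: " + entry
    return auto_filter_allows, "automatic filter"


def lint_entry(entry):
    """Report why a list entry may not match what the administrator intended."""
    parts = urlsplit(entry)
    problems = []
    if not parts.scheme or not parts.netloc:
        problems.append("no scheme and host, so it cannot match a full URL")
    elif parts.path == "":
        # Character-prefix matching stops at the end of the entry, so a host
        # with nothing after it is also a prefix of longer host names.
        problems.append(
            "no '/' after the host, so longer host names starting with "
            + parts.netloc + " also match"
        )
    return problems


# Constructed sample lists and URLs.
PERMITTED_LOOSE = ["https://intranet.example.com"]
PERMITTED_TIGHT = ["https://intranet.example.com/"]
BLACKLISTED = ["https://intranet.example.com/private/"]

CASES = [
    # (url, automatic filter verdict)
    ("https://intranet.example.com/wiki/page", False),
    ("http://intranet.example.com/wiki/page", False),     # other scheme
    ("https://intranet.example.com/private/hr", True),    # blacklisted path
    ("https://intranet.example.com.other.example/", False),  # lookalike host
]

if __name__ == "__main__":
    for name, permitted in (("loose", PERMITTED_LOOSE), ("tight", PERMITTED_TIGHT)):
        print("permitted list:", name, permitted, lint_entry(permitted[0]))
        for url, auto in CASES:
            allowed, reason = decide(url, permitted, BLACKLISTED, auto)
            print("  ", "ALLOW" if allowed else "BLOCK", url, "<-", reason)
```

The loose entry permits the lookalike host while the entry ending in "/" leaves it to the automatic filter, which is why each entry is worth linting before it is saved.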

Windows restrictions determine which features are enabled on Windows desktops and mobile devices.

Windows Restrictions settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Category: Device Capabilities
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable WiFi offloading: Select to prevent the device from accessing compatible networks to carry data intended for authorized wireless networks.
Disable internet sharing: Select to prevent the device from accessing the internet by means of another wireless device.
Disable location: Select to disable location services.
Disable cellular data roaming: Select to disable data roaming when the device is in cellular mode.
Disable bluetooth: Select to prevent the device from establishing bluetooth connections.
Disable VPN when roaming or on a cellular network: Select to prevent the device from establishing VPN connections when not on WiFi.
Disable telemetry (e.g. IBM Watson): Select to prevent the device from transmitting error reports.
8.1 Windows Phone 8.1 only
Disable WiFi Hotspot reporting: Select to prevent the device from automatically reporting HotSpot information to Microsoft.
Windows Phone 8.1 & Windows 10 Mobile
Disable WiFi: Select to prevent the device from accessing wireless networks.
Disable manual configuration of WiFi: Select to prevent the device from accessing wireless networks outside of those defined by MobileIron Cloud.
Disable NFC: Select to prevent the device from establishing radio communication with another device by getting close to or touching another device.
Disable manual root certificate installation: Select to prevent the end user from manually installing root and intermediate certificates.

Category: Data Loss Prevention (DLP)
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable camera: Select to prevent the end user from using the camera app.
Disable access to storage (SD) card: Select to prevent the device from accessing a storage card.
8.1 Windows Phone 8.1 only
Disable offline "Save As": Select to prevent the end user from using the Save As command with Office Hub files.
Disable offline sharing: Select to prevent the end user from sharing Office Hub files.
Windows Phone 8.1 & Windows 10 Mobile
Disable copy and paste: Select to prevent the end user from copying and pasting data between apps.
Disable screen capture: Select to prevent the end user from using the screen capture feature on the device.
Disable voice recording: Select to prevent the end user from using the voice recording feature.
Disable USB mass storage: Select to prevent the end user from accessing device storage from a desktop by means of a USB.

Category: Windows and Application
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable Microsoft accounts for service other than email: Select to prevent the end user from using Microsoft accounts for authenticating to non-email services.
Disable non-Microsoft accounts: Select to prevent the end user from configuring using non-Microsoft accounts.
Disable Cortana personal assistant: Select to prevent the end user from accessing Microsoft's personal assistant.
Disable location-based search: Select to prevent searches from leveraging the device location.
Disable developer unlock: Select to prevent the end user from enabling sideloading of apps. The default mode when a device is enrolled in MDM is SideLoad enabled.
8.1 Windows Phone 8.1 only
Disable storing images from Visual Search feature: Select to prevent the end user from saving images from Bing Vision searches.
8.1+ Windows Phone 8.1 & Windows 10 Mobile
Disable Microsoft Store: Select to prevent the end user from accessing the Microsoft app store.
Disable Internet Explorer: Select to prevent the end user from accessing Internet Explorer.
Disable alerts from Actions Center: Select to prevent display of Action Center alerts above the lock screen.

Category: Other Restrictions
All Versions (Windows 10 Desktop and Mobile, Windows 8.1 Desktop and Mobile)
Disable ability to unenroll from EMM and delete the workplace account: Select to prevent the end user from unenrolling from EMM and deleting the company account image.
Windows Phone 8.1 & Windows 10 Mobile
Require device encryption: Select to turn on internal storage encryption. Once turned on, this option cannot be changed by the EMM server.
Disable user from setting the device lock grace period

Note: Windows 8.1 devices do not report their serial number.

OS X Restrictions

OS X restrictions determine which features are enabled on macOS devices. You can set the following features to be enabled or disabled on macOS devices:

macOS Version: Features
  - Allow Camera
  - Allow Cloud document sync
  - Supervised only: Allow Spotlight Internet Results
  - Allow Definition Lookup
  - Allow iCloud key chain sync
  - Allow Back to my Mac
  - Allow Find my Mac
  - Allow sharing to Notes, Reminders, or LinkedIn
  - Allow Bookmark sync
  - Allow macOS mail iCloud service
  - Allow macOS iCloud calendar service
  - Allow macOS iCloud address book service
  - Allow iCloud reminder service

FileVault 2

FileVault 2 provides the ability to perform full XTS-AES 128 disk encryption on the contents of a volume. When you Enable FileVault 2, the following settings are available for configuration:

Category: Settings
FileVault User Settings:
  - Defer enabling FileVault until the designated user logs out
  - Always prompt user to enable FileVault
  - Maximum number of times a user can bypass enabling FileVault
  - Do not request enabling FileVault at user logout time
Output Path: Enter the path to the location where the recovery key and computer information plist will be stored.
Personal Recovery Key:
  - Create a personal recovery key
  - Enable Institutional Recovery Key: Using Keychain - if no certificate information is provided in this payload the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used.
Certificate: Select one of the following options:
  - Upload Certificate
  - Use keychain on the Users System

FileVault Recovery Key Redirection

FileVault Recovery Key Redirection determines settings for redirecting the FileVault recovery keys to a corporate server. You can set the following options:
  - Name for the configuration setup
  - (Optional) Add a description.
  - Recovery Key Redirect: Enter Redirect URL to which FDE recovery keys should be sent instead of Apple. The URL must begin with
  - Select a Certificate from the dropdown list. Only PKCS1 format certificate is supported.

OS X Firewall

OS X Firewall manages the Application Firewall settings that are accessible in the Security Preferences pane on macOS devices.

Applicable to: macOS

When you Enable Firewall, you can select one or more of the following options:
  - Block All Incoming
  - Enable Stealth Mode
  - Applications - The list of applications

Note: The configuration must exist in a system-scoped profile. If more than one profile contains this configuration, then the most restrictive union of settings will be used. The Automatically allow signed downloaded software and the Automatically allow built-in-software options are not supported. However, both the options will be forced ON when this configuration is available. The Administrator can enable the stealth mode by specifying a device that cannot be discovered by the ping command.

User Resource Configurations

CalDAV Configuration

A CalDAV configuration defines access to a web calendar using the CalDAV internet standard.

CalDAV settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname and Port: Enter the host name and port for the calendar server.
Principal URL: Enter the URL for accessing calendar services.
User: Enter the user name to use for access.
Password: Enter the password to use for access.
Use SSL: Select to use only the secure socket layer for communications between the device and the server.

See Also: How to create a configuration

CardDAV Configuration

A CardDAV configuration defines access to a web address book using the CardDAV internet standard.

CardDAV settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname and Port: Enter the host name and port for the address book server.
Principal URL: Enter the URL for accessing address book services.
Username: Enter the user name to use for access.
Password: Enter the password to use for access.
Use SSL: Select to use only the secure socket layer for communications between the device and the server.
iOS 10+
Communication Service Rules: Choose a default app to use to make audio calls to contacts within the CardDAV system.

See Also: How to create a configuration

Google Configuration

Create Google account configurations that connect iOS devices, through the most recently released version as supported by MobileIron, to Google accounts. The configuration can set up multiple Google addresses and any other Google services the user enables after authentication.

Google settings
Specify the Google account by specifying a com.apple.google-oauth value.
Setting: What To Do
iOS
Name: Enter a name that identifies this configuration.
Account description: Enter the display name of the account.
Account name: Enter the full name of the user for the account.
Email address: Enter the Google email address of the account.
iOS 10+
Communication Service Rules: Choose a default app to use to make audio calls to contacts within the Google system.

See Also: How to create a configuration

Email Configuration

An email configuration sets up POP or IMAP on devices.

Email settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Account Description: Enter the text you want to use to identify this account.
Account Type: Select IMAP or POP. If you select IMAP, you can also enter the path prefix. The internet service provider (ISP) can give you information on which type of account is available. A prefix is generally required when all IMAP folders are listed under the Inbox. ISPs that require prefixes usually provide information on the specific prefix to configure.
User Display Name: Enter the text you want to use to identify the account user. Note that the user can set this value on the device, as well.
Email Address: Enter a variable to specify the email address for the account.
Allow Move: Select if you do not want to prevent email from being moved from this account.
Enable S/MIME: Select to turn on support for S/MIME encryption.
Allow Mail Drop: Select to allow Mail Drop for this account. Mail Drop enables the user to send email with large attachments by storing the attachment in iCloud and placing a link to it in the email. For more information on Mail Drop go to:

Incoming Mail
Setting: What To Do
Mail Server and Port: The internet service provider (ISP) can give you this address.
User Name: Enter the user name for accessing the incoming mail server. This is often the same as the email address. Your ISP can provide the format.
Authentication Type: Select the authentication type defined by the ISP.
Password: Enter the password for accessing the incoming mail server.
Use SSL: Select to use only the secure socket layer for communications between the device and the server.

Outgoing Mail
Setting: What To Do
Mail Server and Port: The internet service provider (ISP) can give you this address.
User Name: Enter the user name for accessing the outgoing mail server. This is often the same as the email address. Your ISP can provide the format.
Authentication Type: Select the authentication type defined by the ISP.
Password: Enter the password for accessing the outgoing mail server.
Outgoing password same as incoming: Select if SMTP authentication uses the same password as POP/IMAP.
Use Only in Mail: Select if you want this configuration used only by the client. Other apps that send email, including apps that send content using the native client, are not able to use this configuration.
Use SSL: Select to use only the secure socket layer for communications between the device and the server.

See Also: How to create a configuration

Exchange Configuration

An Exchange configuration sets up ActiveSync-based email on Android and iOS devices and Exchange Web Services (EWS)-based email for macOS devices.

161 Exchange settings Setting Name Description Exchange Host Allow Move Sync Recent Addresses Use Only in Mail Use SSL Domain User Account Password Address Past Days of Mail to Sync Sync Calendar What To Do Enter a name that identifies this configuration. Enter a description that clarifies the purpose of this configuration. If you are using Sentry to control access, enter the Sentry server hostname. Otherwise, enter the address of the ActiveSync server.* For ios and Android: Select if you do not want to prevent from being moved from this account. For Windows Phone 8.1 and Windows 10: Not applicable. Select if you want to sync recentlycontacted addresses between the device and the server. Select if you want this configuration used only by the client. Other apps that send , including apps that send content using the native client, are not able to use this configuration. Select to use only the secure socket layer for communications between the device and the server. Enter the domain for this account, unless you want the user to be prompted for it. Enter a variable representing the address for this account.* Enter the password for this account, unless you want the user to be prompted for it. Enter a variable representing the address for this account.* Select the number of days of to sync between the device and the server. For Android and Windows Phone 8.1 and Windows 10: Select to sync calendar items between the device and the server. 140

162
Sync Calendar (continued): For iOS: Not applicable.
Sync Contacts: For Android and Windows Phone 8.1 and Windows 10: Select to sync contacts between the device and the server. For iOS: Not applicable.
Sync Email: For Android and Windows Phone 8.1 and Windows 10: Select to sync email between the device and the server. For iOS: Not applicable.
Sync Tasks: For Android and Windows Phone 8.1 and Windows 10: Select to sync tasks between the device and the server. For iOS: Not applicable.
Identity Certificate: Select an identity certificate from the list if you want the device to authenticate to the server using a certificate. Certificates appear in this list only if already configured using an identity certificate configuration.
Make Identity Certificate Compatible with iOS 4: Not supported.

Android
Use Certificate Based Authentication Only: Use the selected identity certificate as the only means of authenticating to the Exchange server.
Accept all SSL Certificates: Select to allow device users to set Android devices to accept all SSL certificates. This setting applies to Android + and Samsung SAFE . Note: Use caution when enabling this setting, as device users might unknowingly expose the device to attack. This option needs to be enabled if the Sentry certificate is a self-signed or unknown

163
Accept all SSL Certificates (continued): certificate.
Exchange App Priority: Select the client to be configured by default on Android devices.

iOS 10+
Communication Service Rules: Choose a default app to use to make audio calls to contacts within the CardDAV system.

*Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Font Configuration
Configurations
A font configuration enables you to provide additional TrueType or OpenType font files to iOS 7 devices.

Font settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Upload Fonts: Drag the font file to the dotted box, or click Choose File to select it from your file system. Font files must be .otf or .ttf files.

See Also
How to create a configuration

Subscribed Calendar Configuration
Configurations
A subscribed calendar configuration defines access to a public web calendar.

Subscribed calendar configuration

164
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
URL: Enter the URL for accessing the calendar.*
User: Enter the user name to use for access.*
Password: Enter the password to use for access.
Use SSL: Select to use only the secure socket layer for communications between the device and the server.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Web Clip Configuration
Configurations
A web clip is a shortcut to a website or web page from an iOS device. Use a web clip configuration to create standard web clips on devices.

Web clip settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Label: Enter the text that you want to display below the shortcut on the device screen.*
URL: Enter the URL that the web clip will access.*
Removable: Select to allow the device user to delete the web clip.
Icon: Drag the icon file to the dotted box, or click Choose File to select it from your file system.
Precomposed Icon: Select to eliminate the special effects

165
Precomposed Icon (continued): added by more recent versions of Safari.
Full Screen: Select to display the web clip in fullscreen mode instead of as content in a browser.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Enterprise Network Access Configurations

AirPlay Configuration
Configurations
License: Silver
An AirPlay configuration sets up access to alternate devices for media display.

AirPlay settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
White list: Enter the device ID of each permitted AirPlay destination. If you do not list an ID, then AirPlay destinations are not restricted.
Device Settings: Enter the device name and password for each known AirPlay destination.

See Also
How to create a configuration

AirPrint Configuration

166
Configurations
License: Silver
An AirPrint configuration sets up wireless printing.

AirPrint settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
AirPrint Settings:
  IP Address: Enter the IP address of the AirPrint printer.
  Resource Path: Enter the Resource Path associated with the AirPrint printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. Examples:
    printers/canon_mg5300_series
    printers/xerox_phaser_7600
    ipp/print
    Epson_IPP_Printer
  Note: The resource path is case sensitive.

See Also
How to create a configuration

Always On VPN Configuration
Configurations
License: Silver
An always on VPN configuration ensures that users are automatically connected to VPN (when available) without needing to take any action. This feature requires iOS 8, as well as a VPN provider that supports the IKEv2 protocol.

Always On VPN settings
Setting: What To Do
Name: Enter a name that identifies this

167
Name (continued): configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Use same tunnel configuration for Cellular and Wi-Fi: Select to define one server-identifier pair for VPN connections, regardless of whether the connection is established over a cellular or a Wi-Fi network.
Server: Enter the hostname or IP address of the VPN server.
Local Identifier: Identifier of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Remote Identifier: Remote identifier in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Enable EAP: Select to enable extended authentication.
Machine Authentication: Available only if Enable EAP is not selected. Select one of the following: Certificate, Shared Secret.
EAP Authentication: Available only if Enable EAP is selected. Select one of the following: Certificate, Username/Password.
Shared Secret: Available only if Shared Secret was selected for Machine Authentication. Enter the shared secret for the connection.
Credential: Available only if Certificate was selected for Machine Authentication. Select the certificate to use. This certificate will be sent out for IKE client authentication. If extended

168
Credential (continued): authentication is used, this certificate can be used for EAP-TLS.
Account: Available only if Username/Password was selected for EAP Authentication. Enter the account ID for the VPN server.
Password: Available only if Username/Password was selected for EAP Authentication. Enter the password for the VPN server.
Dead Peer Detection Interval: Select one of the following:
  None (Disable)
  Low (keepalive sent every 1 hour)
  Medium (keepalive sent every 30 minutes)
  High (keepalive sent every 10 minutes)
Encryption Algorithm: Select one of the following: DES, 3DES, AES-128, AES-256.
Integrity Algorithm: Select one of the following: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512.
Diffie Hellman Group: Select the D-H key exchange group.
Lifetime In Minutes: Enter the SA lifetime (re-key interval) in minutes. Valid values are 10 through
Voice Mail: Select Allow traffic via tunnel to make voice mail exempt for Always On VPN.
Airprint: Select Allow traffic via tunnel to make Airprint traffic exempt for Always On VPN.
Allow traffic from captive websheet outside the VPN tunnel: Select to allow traffic from captive web sheets outside the VPN tunnel.
Allow traffic from all captive networking: Select to allow traffic from all captive networking apps outside the VPN

169
Allow traffic from all captive networking apps outside the VPN tunnel (continued): tunnel to perform captive network handling.
Captive Networking App Bundle Identifiers: List the bundle IDs for captive networking apps whose traffic will be allowed outside the VPN tunnel to perform captive network handling. Captive networking apps may require additional entitlements to operate in a captive environment.

See Also
How to create a configuration

Global Proxy Configuration
Policies > Configurations
License: Silver
A global proxy configuration sets up devices to forward HTTP traffic to a proxy server.

Global proxy settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Type: Select Manual or Auto. If you select Manual, you need the proxy server hostname and port, and optionally a username and password into the proxy server. If you select Auto, you can enter a proxy autoconfiguration (PAC) URL.
Hostname and Port: If you selected Manual, enter the hostname and port number for the proxy server.
User: (Optional) Username for accessing the proxy server.*
Password: (Optional) Password for accessing the proxy server.

170
PAC URL: (Optional) If you selected Auto, you can enter the URL of the PAC file that defines the proxy configuration. If you leave this setting blank, the device uses the web proxy autodiscovery protocol (WPAD) to discover proxies.
Allow direct connection if PAC is unreachable: (iOS 7 and later) Select to allow a direct connection if the device is unable to access the PAC file for any reason.
Allow bypassing proxy to access captive networks: (iOS 7 and later) Select to allow bypassing the proxy to display the login page for a captive network.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

LDAP Configuration
Policies > Configurations
An LDAP configuration sets up access to a corporate directory.

LDAP settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Hostname: Enter the hostname for the LDAP server.*
User: Enter the username for accessing the LDAP account.*
Password: Enter the password for accessing the LDAP account.
Use SSL: Select if you want to use SSL for the connection to the LDAP server.
Search Settings: Enter at least one entry for the account. Each entry represents a node in the LDAP tree from which to start searching. Click the + button to add a new entry, then edit the entry.

171
Search Settings (continued): An entry consists of the following values:
  Description: Explains the purpose of the search setting.
  Scope: Select Base, Subtree, or One Level to indicate the scope of the search. Base indicates just the node level, Subtree indicates the node and all children, One Level indicates the node and one level of children.
  Search Base: The conceptual path to the specified node (e.g., ou=people, o=mycorp).

iOS 10+
Communication Service Rules: Choose a default app to use to make audio calls to contacts within the LDAP system.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Per-App VPN Configuration
Policies > Configurations
License: Silver
A Per-App VPN configuration defines the settings for virtual private network access for specific apps.

Per-App VPN settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Connection Type: Select the type of VPN to configure. The remaining settings depend on this selection.

IPsec (Cisco)

172
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Machine Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Include User PIN: Select to prompt the user for a PIN.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.
Enable VPN On Demand: Select to use this configuration for domains and host names that establish a VPN on demand.

Cisco AnyConnect
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Group: Enter the group to use to authenticate the connection.
User Authentication: Only Certificate authentication is supported.

173
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Juniper SSL
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Realm: Enter the authentication realm to be used for authenticating the connection.
Role: Enter the authentication role to be used for authenticating the connection.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*

174
Proxy Setup (continued):
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

F5 SSL
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

SonicWALL Mobile Connect

175
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Login Group or Domain: Enter the login group or domain to be used for authenticating the connection.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Aruba VIA
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy. If you select Manual, then the

176
Proxy Setup (continued): following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Custom SSL
Setting: What To Do
Identifier: Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Custom Data: Enter the key-value pairs that define the custom data for this VPN.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid

177
Proxy Setup (continued): password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Single Sign-On Configuration
Policies > Configurations
A single sign-on configuration sets up access to multiple managed apps on iOS 7 devices with a single authentication using Kerberos.

Single sign-on settings
Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Kerberos principal name: Enter the name of the Kerberos principal.
Certificate: For iOS 8 with Gold license: Select the certificate to use to renew the Kerberos credential.
Kerberos realm name: Enter the name of the Kerberos realm.
URL prefixes matches: List of URL prefixes that must be matched in order to use this account for Kerberos authentication over HTTP.
Applications: (Optional) List of app identifiers that are allowed to use this login. If you do not specify app identifiers, this login matches all app identifiers.

See Also

178
How to create a configuration

VPN Configuration
Configurations
A VPN configuration defines the settings for virtual private network access.

VPN settings
Setting: What To Do
Name: Enter a name that identifies this configuration. Note: Windows Phone 8.1 devices do not support changing the name. Delete the configuration and create a new one if you need to change the name of a VPN profile for Windows Phone 8.1 devices.
Description: Enter a description that clarifies the purpose of this configuration.
Connection Type: Select the type of VPN to configure. The remaining settings depend on this selection.

L2TP
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Select the authentication method to use: Password or RSA SecurID.
Shared Secret: Enter the shared secret passcode if one is necessary for initiating the connection.
Send All Traffic: Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks.
Proxy Setup: Select Manual or Automatic to

179
Proxy Setup (continued): configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

PPTP
Note: The PPTP configuration type is not supported on the MobileIron Go Android Client.
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Select the authentication method to use: Password or RSA SecurID.
Encryption Level: Select a level of data encryption for the connection: None, Automatic, or Maximum (128-bit).
Send All Traffic: Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks.
Proxy Setup: Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are

180
Proxy Setup (continued): available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

IPsec (Cisco)
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Machine Authentication: Select the authentication method to use: Shared Secret/Group Name or Certificate.
Group Name: Shared Secret/Group Name authentication. Specify the name of the group to use. If Hybrid Authentication is used, the string must end with [hybrid].
Shared Secret: Shared Secret/Group Name authentication. Enter the shared secret passcode.
Use Hybrid Authentication: Shared Secret/Group Name authentication. Select to specify hybrid authentication, i.e., server provides a certificate and the client provides a pre-shared key.
Prompt for Password: Shared Secret/Group Name authentication. Specify whether the user should be prompted for a password when connecting.

181
Credential: Certificate authentication. Select the identity certificate to use.
Include User PIN: Certificate authentication. Select to prompt the user for a PIN.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Cisco AnyConnect
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Group: Enter the group to use to authenticate the connection.
User Authentication: Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:

182
Proxy Setup (continued):
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Juniper SSL
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Realm: Enter the authentication realm to be used for authenticating the connection.
Role: Enter the authentication role to be used for authenticating the connection.
User Authentication: Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid

183
Proxy Setup (continued): password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

F5 SSL
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.
User Authentication: Enter the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

SonicWALL Mobile Connect

184
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Login Group or Domain: Enter the login group or domain to be used for authenticating the connection.
User Authentication: Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Aruba VIA
Setting: What To Do
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Select the user authentication method to use: Password or Certificate. If

185
User Authentication (continued): you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

Custom SSL
Setting: What To Do
Identifier: Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Custom Data: Enter the key-value pairs that define the custom data for this VPN.
User Authentication: Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available:
    Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.

186
Proxy Setup (continued):
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

IKEv2 (Windows Only)
Setting: What To Do
Server: Enter the hostname or IP address of the VPN server.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
    Server and Port: Enter the network address and port number for the proxy server.*
    Authentication: Enter a valid user name if one is required for connecting to the proxy.*
    Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
    Proxy Server URL: Enter the fully-qualified URL for the proxy.

187
IKEv2
Setting: What To Do
Server: Enter the hostname or IP address of the VPN server.
Local Identifier: Identifier of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Remote Identifier: Remote identifier in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.
Machine Authentication: Available only if Enable EAP is not selected. Select one of the following: Certificate, Shared Secret.
EAP Authentication: Available only if Enable EAP is selected. Select one of the following: Certificate, Username/Password.
Shared Secret: Available only if Shared Secret was selected for Machine Authentication. Enter the shared secret for the connection.
Credential: Available only if Certificate was selected for Machine Authentication. Select the certificate to use. This certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS.
Enable EAP: Select to enable extended authentication.
Account: Available only if Username/Password was selected for EAP Authentication. Enter the account ID for the VPN

188
Account (continued): server.
Password: Available only if Username/Password was selected for EAP Authentication. Enter the password for the VPN server.
Dead Peer Detection Interval: Select one of the following:
  None (Disable)
  Low (keepalive sent every 1 hour)
  Medium (keepalive sent every 30 minutes)
  High (keepalive sent every 10 minutes)
Server Certificate Issuer Common Name: (optional) Common name of a server certificate issuer, causes the IKE server to send a certificate request based on the certificate issuer to the server.
Server Certificate Common Name: (optional) Common name of a server certificate used to validate the certificate sent by the IKEv2 server.
Use IP4 and IP6 subnets attributes: (optional) Select to use IP4 and IP6 subnets attributes.
Enable IKEv2 Mobility and Multihoming Protocol (MOBIKE): (optional) The default setting is 0. MOBIKE (the ability to support multi-homed mobile devices when connected to both Wi-Fi and cellular links with multiple IP addresses) is enabled. It is enabled by default. Set to 1 to disable MOBIKE.
Enable Perfect Forward Secrecy (PFS): (optional) When set to 1 it enables PFS for IKEv2 connections. The default setting is 0.
Enable IKEv2 redirect: (optional) The default setting is 0. The IKEv2 connection is redirected if a redirect request is received from the server. It is enabled by default. Set to 1 to disable IKEv2 redirect.
Enable NAT keepalive: Enables the Network Address Translation keepalive that prevents the deletion of NAT entries in the absence of any traffic when there is NAT between IKE peers.
NAT keepalive: If NAT keepalive is enabled, this is the

189 interval Encryption Algorithm Integrity Algorithm Diffie Hellman Group Lifetime In Minutes Proxy Setup time in seconds that keepalive packets will be sent for the device. Select one of the following: DES 3DES AES-128 AES-256 Select one of the following: SHA1-96 SHA1-160 SHA2-256 SHA2-384 SHA2-512 Select the D-H key exchange group. Enter the SA lifetime (re-key interval) in minutes. Valid values are 10 through Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available: Server and Port: Enter the network address and port number for the proxy server.* Authentication: Enter a valid user name if one is required for connecting to the proxy.* Password: Enter a valid password if one is required for connecting to the proxy. If you select Automatic, then the following additional fields are available: Proxy Server URL: Enter the fully-qualified URL for the proxy. *Type $ to see a list of supported variables, if available, for this field. See Also How to create a configuration 168
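The IKEv2 table offers legacy choices (DES, 3DES, SHA1) next to current ones, leaves PFS off by default, and ties Machine Authentication to the state of Enable EAP. The following added example, which is not MobileIron code, audits one configuration against a baseline; the dictionary layout keyed by the table's setting labels, the sample values, and the baseline itself (including the integer Diffie-Hellman group numbers) are assumptions of this example.

```python
from dataclasses import dataclass

# Baseline below is this example's assumption, not MobileIron guidance.
WEAK_ENCRYPTION = {"DES", "3DES"}         # short key or 64-bit block size
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}  # SHA-1 based integrity options
WEAK_DH_GROUPS = {1, 2, 5}                # MODP groups smaller than 2048 bits
MIN_LIFETIME_MINUTES = 10                 # lower bound given in the table


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    message: str


def audit_ikev2(cfg):
    """Return a list of Finding objects for one IKEv2 configuration.

    cfg is a dict keyed by the setting labels from the table (hypothetical
    layout); settings that are absent are treated as left at their default.
    """
    findings = []

    def add(setting, severity, message):
        findings.append(Finding(setting, severity, message))

    enc = cfg.get("Encryption Algorithm")
    if enc in WEAK_ENCRYPTION:
        add("Encryption Algorithm", "high", f"{enc} selected; use AES-128 or AES-256")

    integ = cfg.get("Integrity Algorithm")
    if integ in WEAK_INTEGRITY:
        add("Integrity Algorithm", "medium", f"{integ} selected; use a SHA2 option")

    dh = cfg.get("Diffie Hellman Group")
    if dh in WEAK_DH_GROUPS:
        add("Diffie Hellman Group", "high", f"group {dh} is below 2048-bit MODP")

    # Per the table, PFS is enabled only when set to 1; the default is 0.
    if cfg.get("Enable Perfect Forward Secrecy (PFS)", 0) != 1:
        add("Enable Perfect Forward Secrecy (PFS)", "medium",
            "PFS is off (default 0); set to 1")

    # Machine Authentication is available only when Enable EAP is not
    # selected, so a leftover value is ignored once EAP is on.
    if not cfg.get("Enable EAP", False):
        if cfg.get("Machine Authentication") == "Shared Secret":
            add("Machine Authentication", "medium",
                "the same secret goes to every device that receives this "
                "configuration; prefer Certificate")
    elif cfg.get("EAP Authentication") == "Username/Password":
        add("EAP Authentication", "low",
            "password-based EAP; Certificate allows EAP-TLS")

    lifetime = cfg.get("Lifetime In Minutes")
    if lifetime is not None and lifetime < MIN_LIFETIME_MINUTES:
        add("Lifetime In Minutes", "low",
            f"{lifetime} is below the minimum of {MIN_LIFETIME_MINUTES}")

    return findings


# Constructed sample configurations (not exported from a real tenant).
WEAK_CFG = {
    "Server": "vpn.example.com",
    "Enable EAP": False,
    "Machine Authentication": "Shared Secret",
    "Encryption Algorithm": "3DES",
    "Integrity Algorithm": "SHA1-96",
    "Diffie Hellman Group": 2,
    "Lifetime In Minutes": 5,
}

HARDENED_CFG = {
    "Server": "vpn.example.com",
    "Enable EAP": False,
    "Machine Authentication": "Certificate",
    "Encryption Algorithm": "AES-256",
    "Integrity Algorithm": "SHA2-256",
    "Diffie Hellman Group": 14,
    "Enable Perfect Forward Secrecy (PFS)": 1,
    "Lifetime In Minutes": 60,
}

if __name__ == "__main__":
    for finding in audit_ikev2(WEAK_CFG):
        print(f"[{finding.severity}] {finding.setting}: {finding.message}")
```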

VPN On Demand Configuration

Policies > Configurations

A VPN On Demand configuration sets up access to a VPN server based on domains, host names, etc.

VPN On Demand settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Connection Type: Select the type of VPN to configure. The remaining settings depend on this selection.

IPsec (Cisco)

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Machine Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Include User PIN: Select to prompt the user for a PIN.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.
Enable VPN On Demand: Select to use this configuration for domains and host names that establish a VPN on demand.

Cisco AnyConnect

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Group: Enter the group to use to authenticate the connection.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

Juniper SSL

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Realm: Enter the authentication realm to be used for authenticating the connection.
Role: Enter the authentication role to be used for authenticating the connection.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

F5 SSL

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

SonicWALL Mobile Connect

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Login Group or Domain: Enter the login group or domain to be used for authenticating the connection.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

Aruba VIA

Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

Custom SSL

Identifier: Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver).
Server: Enter the IP address or hostname for the VPN server.
Account: Enter the user account to be used for authenticating the connection.*
Custom Data: Enter the key-value pairs that define the custom data for this VPN.
User Authentication: Only Certificate authentication is supported.
Credential: Select the identity certificate to use.
Proxy Setup: Select Manual or Automatic to configure a proxy.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.

Note: Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Wi-Fi Configuration

Configurations

A Wi-Fi configuration sets up access to a wireless network.

Wi-Fi settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Service Set Identifier (SSID): Enter the name of the wireless network these settings apply to. This field is case sensitive.
Auto Join: Select if devices should automatically join the corresponding Wi-Fi network. If this option is not selected, device users must tap the network name on the device to join the network.
Hidden Network: Select this option if the network access is not broadcast.
Disable Captive Network Detection (iOS 10+): Administrators can enable or disable Wi-Fi Captive bypass mode. When Apple detects the presence of a captive portal, it opens a login screen to request access. You can disable the detection of captive portals, requiring the user to manually launch a web browser which triggers the portal login of the captive network. This new setting is useful when an ISE captive portal prevents the login screen from popping up, leading users to believe that their unconnected devices are actually connected to the Internet.
Proxy Setup: Select Manual or Automatic to configure a proxy. For Windows Phone 8.1, Automatic does not apply.
  If you select Manual, then the following additional fields are available:
  - Server and Port: Enter the network address and port number for the proxy server.*
  - Authentication: Enter a valid user name if one is required for connecting to the proxy.*
  - Password: Enter a valid password if one is required for connecting to the proxy.
  If you select Automatic, then the following additional fields are available:
  - Proxy Server URL: Enter the fully-qualified URL for the proxy.
Security Type: Select the security method required for accessing the network:
  - WEP
  - WPA/WPA2
  - Any (Personal)
  - WEP Enterprise
  - WPA/WPA2 Enterprise
  - Any (Enterprise)
  For Windows Phone 8.1: only WPA2 and WPA2 Enterprise apply.

WEP, WPA/WPA2, Any (Personal) settings

Password: (Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network.

WEP Enterprise, WPA/WPA2 Enterprise, Any (Enterprise) settings

Protocols

Accepted EAP Types: Select the EAP types that can be used for accessing this network:
EAP-FAST: Select the EAP-FAST options that define authentication methods:
  - Use PAC: Select to use a proxy auto-config (PAC).
  - Provision PAC: Select to allow a PAC to be provisioned. Otherwise, only a PAC already provisioned on the device can be used. This option is available only if you selected Use PAC.
  - Provision PAC Anonymously: Select to allow a PAC to be provisioned without authenticating the server. This option is available only if you selected Provision PAC.
  For Windows Phone 8.1, select only one authentication method.

Authentication

Username: Specify the username required for network access. If you leave this blank, the device user will be prompted for it.*
Use Per-Connection Password: Select to prompt the device user for a password for each connection. When the device rejoins the same network, the device user will be prompted to reauthenticate to join the network.
Password: (Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network.
Identity Certificate: (Optional) Select the certificate to use for the identity credential. The Identity Certificate configuration defines each available identity certificate.
Outer Identity: (Optional) For TTLS, PEAP, and EAP-FAST, select to allow device users to hide their identity. The user's actual name appears only inside the encrypted tunnel. This option can increase security because an attacker can't see the authenticating user's name in the clear.

iOS

All Versions

Network Type: Select if this network should be treated as:
  - standard
  - legacy hotspot
  - Passpoint
Proxy PAC fallback allowed: (Optional) Allows the device to connect directly to the destination if the PAC file is unreachable.
Passpoint Settings: The settings in this section appear if you selected Passpoint for the Network Type.
Domain Name: Enter the domain name to be used for Passpoint negotiation.
Connect to roaming partner Passpoint networks: (Optional) Select to allow connections to roaming service providers.
Roaming Consortium Organization Identifiers: (Optional) Enter the identifiers assigned by IEEE to the entities supported by this Wi-Fi profile.
Network Access Identifier Realm Names: (Optional) Enter the Network Access Identifier Realm names to be used for Passpoint negotiation.
MCC and MNC pair: (Optional) Enter the Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs to be used for Passpoint negotiation. Each string must contain exactly six digits.

Displayed operator name: (Optional) Enter the network operator name to display.
Cisco QoS fast lane: The settings in this section apply to Cisco fast lane configuration. Settings include whitelisting apps for L2 and L3 marking, and whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.
Restrict QoS marking: If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings.
Enable QoS marking: Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network.
Whitelist Apple audio/video calling: Specifies whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.
Choose Apps: Use to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 marking.

iOS 10+

Cisco QoS fast lane: The settings in this section apply to Cisco fast lane configuration. Settings include whitelisting apps for L2 and L3 marking, and whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.
Restrict QoS marking: If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings.
Enable QoS marking: Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network.
Whitelist Apple audio/video calling: Specifies whether to whitelist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.
Choose Apps: Use to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 marking.

*Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Cellular Network Configurations

APN Configuration

Policies > Configurations

An APN configuration sets up the cellular Access Point Name for the device. For iOS 7, use the Cellular configuration instead.

APN settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Access Point Name: Enter the name for the corresponding access point. The name is generally defined by the operator providing service.
Access Point User Name: Enter a user name authorized for this access point.*
Access Point Password: Enter the password corresponding to the user name entered.

Proxy Server and Port: Enter the IP address or URL and the port number of the APN proxy.

*Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

Cellular Configuration

Policies > Configurations

A cellular configuration sets up the cellular profile for a device. Note that:
- No more than one cellular profile can be installed at any time.
- A cellular profile cannot be installed if an APN profile is already installed.

Cellular settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
APN Name: Enter the name for the corresponding access point. The name is generally defined by the operator providing service.
Authentication Type: (Optional) Select CHAP (challenge handshake authentication protocol) or PAP (password authentication protocol).
User: (Optional) Enter a user name to be used for authentication.*
Password: (Optional) Enter a password to be used for authentication.
APNs: Not currently supported.

*Type $ to see a list of supported variables, if available, for this field.

Controlling cellular access while roaming

You can limit the access of some or all of the managed apps to cellular data while the device is in a roaming state.

1. Go to the Policies tab in the MobileIron Cloud main navigation menu.
2. Click +Add.
3. Click Network Usage Configuration. The Create Network Usage configuration page is displayed.
4. Select the Disallow for all managed apps checkbox to block managed apps from accessing cellular data when roaming or at all times.
5. Leave the checkbox unselected to be able to specify the managed apps by name or package ID to block from receiving cellular data.
6. Use the pulldown menus in the Apps field to search for an app by name or by package ID.

Controlling cellular access

You can limit the access of some or all of the managed apps to cellular data at any time. The apps can still be used on a limited basis, but they will not have access to cellular data.

1. Go to the Policies tab in the MobileIron Cloud main navigation menu.
2. Click +Add.
3. Click Network Usage Configuration. The Create Network Usage configuration page is displayed.
4. Select the Disallow for all managed apps checkbox to block managed apps from accessing cellular data at any time.
5. Optionally, leave the checkbox unselected to specify the managed apps to block from receiving cellular data.
6. Use the pulldown menus in the Apps field to search for an app by name or by package ID.

See Also
How to create a configuration

iOS Telecom Presets Configuration

Policies > Configurations

An iOS Telecom Presets configuration sets default values for roaming restrictions and hotspot restrictions.

iOS Telecom Presets settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Allow devices to use voice service while roaming: Select to enable voice roaming. Availability of voice roaming depends on the operator.
Allow devices to use data service while roaming: Select to enable data roaming. Note that enabling data roaming also enables voice roaming on the device.
Allow users to enable personal hotspot: Select to enable the personal hotspot feature. Availability of this feature depends on the operator.

See Also
How to create a configuration

Other Configurations

Apple TV Configuration

Configurations

License: Silver

An Apple TV configuration defines the language and locale for Apple TV.

Apple TV settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Language: Enter the two-character language code to specify the UI language.
Locale: Enter the locale ID to specify the country/language combination for the UI.

See Also
How to create a configuration

Lock Screen Message Configuration

Configurations

Displays a message and asset tag info on the login and lock screens. This is for supervised devices using iOS 9.3 through the most recently released version as supported by MobileIron.

To create a Lock Screen Message configuration

1. Select Policies > Configurations.
2. Click + Add.
3. Type lock in the search field, and then click the Lock Screen Message configuration. The Lock Screen Message Configuration details page appears.
4. Configure the settings on this page. Refer to the table in the section Lock Screen Message Configuration settings for guidance on the values.
5. Click Next to configure the distribution settings, and then click Done.

Lock Screen Message Configuration settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Lock Screen Footnote: This text appears on the login window and lock screen.
Asset Tag Information: This text appears at the bottom of the login window and lock screen.

See Also
How to create a configuration

Default Device Name Configuration

Configurations

License: Silver

A default device name configuration enables you to define default device names for supervised iOS 8 devices. You can use the following variables to construct the device name:
- Device Serial Number
- Device IMEI
- Device Model
- MobileIron Cloud Username (local users only)
- LDAP Organizational Unit (OU)
- LDAP Common Name (CN)

For example, you would enter ${devicesn}-${userou} for device names that begin with the device serial number and end with the user's organization as defined in LDAP.

Default device name settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Device Name: Enter the format for the default device name, including available device and LDAP attributes.* Note: If the resulting device name exceeds 63 characters, it will be shortened to make sure it displays correctly on the device.

*Type $ to see a list of supported variables, if available, for this field.

See Also
How to create a configuration

iOS Wallpaper Configuration

Configurations

License: Silver

An iOS wallpaper configuration defines a default wallpaper image for the Home screen and Lock screen of iOS devices. Device users are free to change the distributed wallpaper on the device (Settings > Wallpapers & Brightness). Removing the configuration does not remove the wallpaper.

Note: Images must be 1164H x 640W and in .jpg or .png format.

iOS wallpaper settings

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.

Upload iPhone Wallpaper

Use the same image for Home Screen and Lock Screen: Select to upload a single image for iPhone.
Home Screen: Drag and drop the image file or click Choose File to select it.
Lock Screen: Drag and drop the image file or click Choose File to select it.

Upload iPad Wallpaper

Use the same image for Home Screen and Lock Screen: Select to upload a single image for iPad.
Home Screen: Drag and drop the image file or click Choose File to select it.
Lock Screen: Drag and drop the image file or click Choose File to select it.

See Also
How to create a configuration

Single App Mode Configuration

Configurations

License: Silver

Single app mode restricts iOS devices to the use of the specified app. For example, you might want to set up devices that can use only a custom app your organization has developed.

Single app mode configuration

Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Choose App: Select the method to use for selecting the app:
  - From App Catalog & System Apps: Select to search the MobileIron Cloud app catalog and system apps (preinstalled on Apple devices by default). Enter the name of the app and select it when it displays in the apps list.
  - Enter Bundle ID: Select to enter the unique identifier for the system app you want to select. Use this option if you cannot find the system app using the From App Catalog & System Apps option.
Disable Touch: Select to disable the touch screen.
Disable device rotation: Select to disable device rotation sensing.
Disable volume buttons: Select to disable the device's volume buttons.
Disable ringer switch: Select to disable the device's ringer switch.
Disable sleep wake button: Select to disable the device's sleep/wake button (top right on device rim).
Disable auto lock: Select to prevent the device from going to sleep after an idle period.
Enable voice over: Select to enable the VoiceOver screen reader (accessibility feature).
Enable zoom: Select to enable Zoom (accessibility feature).
Enable invert colors: Select to enable the invert colors adjustment (accessibility feature).
Enable assistive touch: Select to enable AssistiveTouch (accessibility feature).
Enable speak selection: Select to enable Speak Selection (accessibility feature).
Enable mono audio: Select to switch from stereo to mono audio (accessibility feature).
Voice over adjustments: Select to allow device users to make VoiceOver adjustments.
Zoom adjustments: Select to allow device users to make Zoom adjustments.
Invert colors adjustments: Select to allow device users to invert colors.
Assistive touch adjustments: Select to allow users to make AssistiveTouch adjustments.

See Also
How to create a configuration


Admin

Admin > Certificate Authority

License: Silver

Using certificate authentication is an effective way to secure your mobile devices. Certificates are more secure than passwords, and they enable you to use a single credential to protect VPNs, wireless networks, etc.

If your organization has access to an external certificate authority, you can use a Connector to access it. If your organization does not have access to a certificate authority, you can use MobileIron Cloud as a certificate authority. You can also use it as an intermediate certificate authority to other certificate authorities. The certificates generated by MobileIron Cloud are called self-signed certificates.

Supported certificate authorities

Microsoft Server (NDES) 2008

To connect to an external certificate authority

1. Install and configure a Connector (Admin > Connector).
2. In the Certificate Authority page, click Add.
3. Under Add an External Certificate Authority, click Continue.
4. Use the following guidelines to complete the information for the external certificate authority:

Name: Enter a name that identifies this configuration.
Certificate Authority Type: Select the type of certificate authority you are using:
  - Microsoft
  - Generic SCEP Server
  The Generic SCEP Server option can be used with most SCEP servers having a static challenge password.
Cache Identities on MobileIron Cloud: Select to store identities with the MobileIron Cloud service. Clear to generate identities as needed.
SCEP URL: Enter the base URL for the SCEP server you intend to use.
Username: Microsoft SCEP: Enter the username for the certificate authority.
Password: Microsoft SCEP: Enter the password for the certificate authority.
Challenge URL: Microsoft SCEP: Enter the URL of the trustpoint defined for your Microsoft CA.
Challenge Password: Generic SCEP: Enter a pre-shared secret the SCEP server can use to identify the request or user. This password must be static, that is, it must not expire.

To create an intermediate certificate authority

If you need a certificate, then generate a CSR and submit it to the signing authority. Once you receive the certificate from the signing authority, upload the certificate. If you already have the necessary certificate, then upload the existing identity.

Generate a CSR (certificate signing request)

1. In the Certificate Authority page, click Add.
2. Click Generate CSR.
3. Complete the displayed form.
4. Click Generate.
5. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST to a text file.
6. Click Done.
7. Submit the file you created to the certifying authority.

Upload the signed certificate

Once you receive the signed certificate from the certifying authority:

1. In the Certificate Authority page, find the entry for the CSR you generated.
2. Select Actions > Upload New Signed Certificate.
3. Click Choose File.
4. Select the new signed certificate.
5. Click Done.

Upload an existing certificate

If you already have a certificate, upload it:

1. In the Certificate Authority page, click Upload Existing Identity.
2. In the Name field, enter a name for this certificate that distinguishes it from others.
3. Click Upload.
4. Select the certificate.
5. Enter the password for the certificate.
6. Click Upload.

To create a standalone certificate authority

1. In the Certificate Authority page, click Continue.
2. Complete the displayed form.
3. Click Generate.

Admin > Device Partition

License: Silver

Device partitions enable you to designate devices for management by different administrators (delegated administration). The administrator for a device partition can define the configurations and policies applied to the devices in the partition.

The rules you define for a partition determine which devices belong to the partition. A device can belong to only one partition. Devices that don't match the rules for the partitions you create automatically belong to the default partition. After you create the partitions, you can assign each partition to the proper administrator. You cannot edit or delete the default partition.

To create a device partition

1. In the Device Partition screen, click Edit Partitions.
2. Click Create New Partition.
3. Create the rules that define which devices are in the partition.
4. Click Preview to see which devices will be assigned to the partition.
5. Click Save when you are satisfied with the devices in the partition.

The partitions you create inherit all configurations from the Default partition. Therefore, any configurations you create later in the Default partition are eligible to be applied to the other partitions. However, changes made to an existing configuration are not inherited.

The partitions you create receive copies of only those policies that exist in the Default partition at that time. Any policies you create later in the Default partition apply only to the Default partition.

To create rules

1. Select Any if you want devices to be included in this definition if they meet any of the rules.
2. Select All if you want devices to be included in this definition only if they meet all of the rules.
3. Select one of the following rule types from the dropdown:
   - OS: For rules based on the device's operating system.
   - User Group: For rules based on the device's user group (as defined in the device management service).
   - Username: For rules based on the username associated with the device.
4. Define the criteria for the selected rule type:
   - OS: Select Android, iOS, or OSX.
   - User Group: Select one of the user groups displayed in the dropdown. These are the user groups defined under Users > User Groups.
   - Username: Type in a username.
5. To add another rule for this partition, click the + next to the previous rule.
6. Click Preview to see which devices will be assigned to the partition.
7. Click Save when you are satisfied with the devices in the partition.

Devices that no longer match the rules for a partition are automatically moved to the next matching partition. If the device does not match the rules of an existing partition, then the device moves to the Default partition. For example, removing a user from a user group can cause that user's devices to move to a different partition. Moves to a different partition can result in changes in policies and configurations.

To prioritize partitions

MobileIron Cloud assesses partitions in order of appearance. To change the order, click the arrows in the upper right corner of the partition definition.

To assign an administrator to a partition

1. Go to Users > Users.
2. Search for the user who will be the administrator.
3. Click the link for the user to display detail.
4. Select Actions > Assign Roles.
5. Select Device Management.
6. Under Device Management, select the partition for this administrator.
7. Click Done.
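The partition assignment described above (Any/All rule matching, partitions assessed in order of appearance, fallback to the Default partition) can be modeled to predict which devices change partition, and therefore administrator scope and policies, when group membership or partition order changes. This is an added example, not MobileIron code; the class names, partition names and sample devices are hypothetical, and treating a partition without rules as matching nothing is an assumption of this example.

```python
from dataclasses import dataclass

DEFAULT_PARTITION = "Default"


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    username: str
    user_groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    rule_type: str  # "OS", "User Group" or "Username", as in step 3
    value: str

    def matches(self, device):
        if self.rule_type == "OS":
            return device.os == self.value
        if self.rule_type == "User Group":
            return self.value in device.user_groups
        if self.rule_type == "Username":
            return device.username == self.value
        raise ValueError(f"unknown rule type: {self.rule_type}")


@dataclass(frozen=True)
class Partition:
    name: str
    mode: str     # "Any" or "All", as in steps 1 and 2
    rules: tuple

    def contains(self, device):
        if self.mode not in ("Any", "All"):
            raise ValueError(f"unknown mode: {self.mode}")
        if not self.rules:
            return False  # assumption: no rules means no devices
        hits = [rule.matches(device) for rule in self.rules]
        return any(hits) if self.mode == "Any" else all(hits)


def assign(device, partitions):
    """Return the first partition, in order of appearance, that the device matches."""
    for partition in partitions:
        if partition.contains(device):
            return partition.name
    return DEFAULT_PARTITION


def preview_moves(before, after, partitions):
    """Map device name -> (old partition, new partition) for devices that move."""
    old = {d.name: assign(d, partitions) for d in before}
    moves = {}
    for device in after:
        new = assign(device, partitions)
        if device.name in old and old[device.name] != new:
            moves[device.name] = (old[device.name], new)
    return moves


# Constructed sample data.
PARTITIONS = (
    Partition("Sales iOS", "All", (Rule("OS", "iOS"), Rule("User Group", "Sales"))),
    Partition("Contractors", "Any",
              (Rule("User Group", "Contractors"), Rule("Username", "jdoe"))),
)
ALICE_PHONE = Device("alice-iphone", "iOS", "alice", frozenset({"Sales", "Contractors"}))
BOB_TABLET = Device("bob-tablet", "Android", "bob", frozenset({"Sales"}))
JDOE_MAC = Device("jdoe-mac", "OSX", "jdoe")
# The same phone after alice is removed from the Sales user group.
ALICE_AFTER = Device("alice-iphone", "iOS", "alice", frozenset({"Contractors"}))

if __name__ == "__main__":
    for dev in (ALICE_PHONE, BOB_TABLET, JDOE_MAC):
        print(dev.name, "->", assign(dev, PARTITIONS))
    print(preview_moves([ALICE_PHONE, BOB_TABLET], [ALICE_AFTER, BOB_TABLET], PARTITIONS))
```

Running the preview before a user group change shows which devices would pass to a different partition administrator.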

When this administrator logs in, only devices, configurations, and policies in the assigned partition will be visible.

See Also
Device Partition Examples

Admin > Attributes

Use the Attributes page to:
- manage the types of information you can record for users and devices
- view the standard types of information tracked by MobileIron Cloud

Custom user attributes might include information like Department. Custom device attributes might include information like an internal ID. Each attribute has a corresponding variable that you can use for tasks like creating configurations and device groups.

To create custom user attributes
1. Under Custom Attributes, click +Add New.
2. In the Attribute Name field, enter text that will represent the attribute. Note that the text you enter will be used to create the corresponding variable in the Usage field.
3. Select User from the Attribute Type list.
4. Click Save (far right).

To create custom device attributes
1. Under Custom Attributes, click +Add New.
2. In the Attribute Name field, enter text that will represent the attribute. Note that the text you enter will be used to create the corresponding variable in the Usage field.
3. Select Device from the Attribute Type list.
4. Click Save (far right).

To view the standard attributes
Scroll to the System Attributes section of the page.

Admin > Support Administrators

Create a temporary support administrator to enable the service support team to log in with your roles and permissions. This user expires automatically in 7 days, or you can end access at any time. Creating a support administrator makes it easier for the support team to troubleshoot issues.

To create a support administrator
1. In the Support Administrators page, click Add Support User.
2. Click Create User to confirm. This step sends an email to the device management service support team. Note that the Display Name field shows "(disabled)" until a support team member activates the new account. The resulting display name will have the following format: support-<random_id>-<your_username>@<your_company>.com

Once you create a support administrator, selecting Admin > Support Administrators takes you directly to the list of existing support administrators. Therefore, if you need to create additional support users, go directly to step 2 above.

To end access for a support administrator
1. In the Support Administrators page, click the Delete link to the right of the account you want to remove.
2. When prompted, click Remove User to confirm.

To suspend access for a support administrator
In the Support Administrators page, click the Disable link to the right of the account you want to suspend.

Admin > System Use Notification

License: Silver

Use the System Use Notification feature to create a customized system use notification that appears to administrators at the time of login, and requires administrators to accept terms of use before accessing the system.

To create a system use notification
1. Select Admin > System Use Notification.
2. Click Create Notification. The System Use Notification Details page appears.

3. Enter a title in the Title field.
4. Enter a summary or instructions in the Summary field.
5. Choose a logo if desired.
6. Enter terms of use text in the Terms of Use Text field. This is the text that the administrator will have to accept at login.
7. Place a check mark in the Enable the System Use Notification check box to turn on the notification.

8. Click Preview to invoke a preview of the system use notification.
9. Click Save when you are satisfied with the system use notification.

Admin > Connector

The Connector is a component that adds on-premises corporate directories (like Microsoft Active Directory), external CAs, and certificates to MobileIron Cloud by means of secure HTTPS connections. The Connector is available to download as an ISO file that you can install on a virtual machine.

License: Silver

To download a Connector
Click Download the Connector to get the ISO you need.

To install a Connector
See the instructions included with the download.

To access the Connector logs
You can access the Connector logs from the kocab service to help troubleshoot Connector-related problems. You must have the System Manager or System Read Only role.
1. Go to Admin > Connector to view the Connector page. The Connectors interface displays the Connector status (Enabled or Disabled), Connector Name, Connection (Connected or Not Connected), Version number, Logging Level, and Actions (Disable or Remove the Connector).
2. Use the Logging Level pulldown menu to choose a level. The available logging levels are displayed in the pulldown menu in order from the lowest logging level to the highest logging level:
   - Error
   - Warn
   - Info
   - Debug
   - Trace
   The Info level is the default logging level setting. If you choose another logging level, a rotating Sync icon appears, indicating that information is being collected at the level of logging that you selected. The logging level will reset to the Info level after an hour. The Trace level is the highest logging level setting. Use this level to collect all the messages at all the other levels. The Sync icon is displayed for the duration of the request.
3. If needed, hover over the Sync icon to see the Cancel icon. Click the Cancel icon to cancel the logging level change.
4. Hover over the Request icon to display the Request information. Click the Request icon to request the files from the current log folder in a .zip file. The log files are added to a .zip file when a request is made. When a new request is made, the .zip file from the previous request is deleted.
5. If needed, hover over the Request icon and it becomes the Cancel icon. Click the Cancel icon to stop the request. When a request is canceled before completion, the Download icon is not displayed because the previous log .zip file was deleted from the server. The original log files on the Connector are still available to request.
6. Click the Download icon when the request is completed to download the log .zip file containing log files collected during the latest request. The log file name is in the format: kocab.log. The name of the zip file that is downloaded consists of the server name, connection version, and a time stamp including day, month, year, and the time of the day in the format: <Connector_Hostname>_<Connector_Version>_<TimeStamp>.zip. The archived .zip file name is in the format: kocab.yyyy-mm-dd.0.log.gz.
7. Optionally, use the Actions pulldown menu to Disable or Remove the Connector.

Can't see the Connector page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > LDAP

License: Silver

Configuring an LDAP server and a Connector enables you to import users and groups from your corporate directory. After you have installed at least one Connector, you can add one or more LDAP servers. Adding an LDAP server means configuring:
- the connection to the LDAP server
- the search terms necessary to view the target directory data
- the portion of the directory to import
- whether to automatically invite users in the selected portion of the directory

After you have added an LDAP server, you can return to this page to edit the LDAP server information or change the LDAP users selected.

Note: LDAP users must be imported. Simply configuring an LDAP user is not sufficient. See To import LDAP users.

LDAP usernames, just like local usernames, must be globally unique. Please verify that users do not already have a local account with the same username, or, for organizations with more than one tenant, that the username has not already been associated with another tenant.

To add an LDAP server
1. Click Add Server.
2. Provide the following information:

Setting | What To Do
Name | Enter a name that identifies this server.
Description | Enter a description that clarifies the purpose of this server.
Directory URL | Enter the URL for the directory. Use one of the following formats: ldap://<ip address or hostname>:<port> or ldaps://<ip address or hostname>:<port>. Example: ldap://myserver1.mycompany.com:389
User ID | Enter the user ID for an account having the following characteristics: managed by the LDAP server; can bind to the LDAP server and search the subtrees for user, group, and organizational unit. This is generally an account with Directory Administrator Credentials (DN or Distinguished Name and password).
Password | Enter the password for the account.
Confirm Password | Re-enter the password for the account.

Directory Type | Select the type of directory from the list of supported directories: Active Directory; Open LDAP; Redhat directory; IBM Domino Directory; Oracle Directory; Sun One Directory; Other

3. Click Test Connection. This step validates the information you have provided so far. If the information proves valid, then the service retrieves the LDAP naming context, which it uses to fill in some of the fields on the next page.
4. If the connection test is successful, complete the remaining settings:

Setting | What To Do
Sync Interval | Enter the period of time between each attempted synchronization of LDAP data from the LDAP server. The default value is 15 minutes. Consider increasing the interval once you have successfully synchronized all target LDAP data and confirmed that your LDAP setup meets your needs.
Enable Sync Discard | Select to automatically discard the LDAP sync data if the reloaded data set declines significantly. This option ensures that abnormal behavior on the part of the LDAP system will not result in unnecessary, disruptive updates on the service and removal of configurations from registered devices. Make sure this option is not selected if you plan to make major changes in your LDAP setup or on the LDAP server.
Enable this LDAP Server | Select to use this LDAP server with your service. Clear this setting if you want to retire this LDAP server or take it out of service. Though a configured failover to a second LDAP server would automatically replace this server, using this option enables you to plan ahead and avoid a brief lack of connectivity during failover.
Directory Failover URL | Enter the URL for the secondary directory. Use the following format: ldap://<ip address or hostname>:<port>. Example: ldap://myserver2.mycompany.com:389
Chase Referrals | Applies only if you are using a multi-forested domain. This option indicates whether you want to use alternate domain controllers when the targeted domain controller does not have a copy of the requested object. Select Follow if you want to use referrals. Select Ignore if you do not want to use alternate domain controllers. Throw currently has the same effect as Ignore. Note: Selecting Follow delays LDAP authentication.
Search Results Timeout | Increase this timeout if you observe performance issues or incomplete results when browsing the data synchronized from the LDAP server. In general, this timeout should never be set to less than 10 seconds.
Search Results Count | Set to the maximum number of records that should be returned from the LDAP server at one time. Scenarios that might require changing this setting to improve performance include: (a) The LDAP server is located far away or behind a high latency link. In this case, large search results will take longer to retrieve than small ones, so defining a smaller set enables you to see subsets of updated data more quickly. (b) The LDAP is massive, and every search returns a huge results set. In this case, if performance is not an issue, defining a larger results set would make it possible to return all of the data with fewer searches.

5. Click Next.
6. Use the following guidelines to configure the integration with the LDAP server:

Setting | What To Do
Group Member Format | Select DN or UID to indicate whether to use the distinguished name or the user ID in your search.
OU Search Attributes | Specify criteria for searching at the organizational unit level.
Base DN | Enter the distinguished name for the starting level at which you want your search to be rooted or begin. Your selection determines defaults for several other fields, which you can change, if necessary.
Object GUID | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies an organizational unit across time and across OU name changes.
Attribute Name | If necessary, change the default value to match your LDAP environment.
Description | If necessary, change the default value to match your LDAP environment.
Attribute DN | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN)
User Search Attributes | Specify criteria for searching users in a given directory level.
Base DN | Enter the distinguished name for the starting level you want to search.
Attribute UID | If necessary, change the default value to match your LDAP environment.
Object GUID | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies a user across time and across user name changes.
Attribute DN | If necessary, change the default value to match your LDAP environment.
First Name | If necessary, change the default value to match your LDAP environment.
Last Name | If necessary, change the default value to match your LDAP environment.
Display Name | If necessary, change the default value to match your LDAP environment.
Address | If necessary, change the default value to match your LDAP environment.
Principal Name | If necessary, change the default value to match your LDAP environment.
Locale | If necessary, change the default value to match your LDAP environment.
Member Of | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN)

+Add Custom Attribute | (Optional) Specify up to 7 custom user attributes from your directory service that you want to apply to device management. Each attribute can then be referenced by ${attributename} in configuration fields that support variables. Important: Use of this option requires consistent implementation of custom attributes across LDAP servers. If an LDAP server included in your implementation does not use this attribute, then features dependent on this attribute might not work as expected.
Group Search Attributes |
Base DN | Enter the distinguished name for the starting level you want to search.
Object GUID | If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies a group across time and across group name changes.
Attribute DN | If necessary, change the default value to match your LDAP environment.
Attribute Name | If necessary, change the default value to match your LDAP environment.
Description | If necessary, change the default value to match your LDAP environment.
Member | If necessary, change the default value to match your LDAP environment.
Search Filter | If necessary, change the default value to match your LDAP environment.
Search Scope | Select the portion of the LDAP hierarchy to target: Base (only the level of the search base entry); One Level (the level beneath the search base); Subtree (the subtree in the directory information tree beneath the search base DN)

7. Click Browse or Search.
8. Confirm that your configuration returns the expected data. You can do this by browsing or searching for a known item in the directory.
9. Click Next.

To import LDAP users
1. Go to Admin > LDAP.

2. In the LDAP page, choose an LDAP server.
3. Select Manage Users from the Actions pulldown menu to view the Manage Users dialog.
4. Enter the name of a user or group in the search field.
5. Click +Add next to the entry you want to add.
6. Click Next.
7. Click Done.
8. Choose whether or not to send an invitation.
9. Click Next.
10. Click Done.
11. Click Sync Now in the LDAP server entry.
12. Go to Users > Users to confirm that the users have been imported.

The users that are selected or are members of a selected group are imported into the Users page. If you selected Invite None during the LDAP server configuration, go to Users > Users and select Actions > Send Invite to send invitations.

Note: Performing an LDAP Sync might result in errors due to a connector time out error. Click the bell icon or go to Dashboard > Notifications to check for any error messages.

To edit the LDAP server information
1. In the LDAP page, click Edit in the LDAP server entry.
2. Make the necessary changes.

To change the users, groups, or organizational units selected
1. Go to Admin > LDAP.
2. Select an LDAP server on the LDAP page.
3. Select Manage Users from the Actions pulldown menu to view the Manage Users dialog.
4. To add new users or groups, enter the name of the user or group in the search field.
5. Click +Add next to the entry you want to add.
6. To remove the user or group, click the remove icon next to the entry you want to delete.
7. Click Next.
8. Click Done.
9. Choose whether or not to send an invitation.
10. Click Next.
11. Click Done.
12. Click Sync Now in the LDAP server entry.

13. Optionally, select Edit from the Actions pulldown menu to change LDAP server settings.

To enable LDAP Sync Discard Notification
1. Go to Admin > LDAP.
2. In the LDAP page, choose an LDAP server.
3. Select Edit from the Actions pulldown menu to view the Edit LDAP Server dialog.
4. Check the Enable Sync Discard checkbox.
5. Enter a value for the percentage of reloaded LDAP data to trigger sync discard.
6. Click Next.
7. Click Next.
8. Click Done.
9. Click Sync Now in the LDAP server entry.

When the change diff to be synced from LDAP to Polaris exceeds the set discard percentage, a WARNING notification is generated. When the changes are reverted to a value below the set percentage, the notification is CLEARED.

Trigger | Severity | Notification Type | Component Type | Component
LDAP Sync Discard | Warn | Data Sync | LDAP | LDAP server name
LDAP Sync Restored | Info | Data Sync | LDAP | LDAP server name

To synchronize changes from the LDAP server
In the LDAP page, click Sync Now in the LDAP server entry.

Troubleshooting Connectivity to the LDAPS Server
If you encounter issues connecting to the LDAPS (LDAP over SSL) server, you may be experiencing an issue with the certificate. To resolve the issue:
- Verify that you are not using a self-signed certificate on the LDAPS server.
- Verify that the LDAPS certificate has not expired or been revoked. Also check for a hostname mismatch.

After verifying, wait for the automatic LDAP sync, or manually sync using Admin > LDAP > Sync Now.

Can't see the LDAP page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Sentry

Sentry is a component that acts as a gateway between mobile devices and your ActiveSync-enabled system. Use Sentry to control which devices are allowed to access email. It is available to download as an ISO file that you can install on a virtual machine. Organizations should consider using a load balancer to maintain multiple (redundant) Sentrys.

License: Silver

Supported platforms
- Exchange 2007
- Exchange 2010 SP3
- Exchange 2013

To download a Sentry
Click Download installer to get the ISO you need.

To install and register a Sentry
See the instructions included with the download or Sentry Installation.

To set up a Sentry profile
You need to set up at least one Sentry profile and assign it to one or more registered Sentrys to specify the services provided by the Sentrys:
1. Click Set Up Profile or + Add Sentry Profile.
2. Select the type of Sentry profile to create:
   - ActiveSync with basic auth
   - ActiveSync and/or AppTunnel with certificates
   - ActiveSync and/or AppTunnel with Kerberos
3. Complete the steps for the selected profile type.
4. Click Assign in the Actions column for the Sentry that should receive the profile.
5. Select the profile.

ActiveSync with basic auth
1. Select ActiveSync with basic auth.
2. Click Next.
3. Enter the global settings for this Sentry:

Setting | What To Do
Name | Enter a name that identifies this Sentry or group of Sentrys.
Description | Enter optional text to further identify this Sentry profile.
External Hostname and Port | If you are using multiple Sentrys, enter the external hostname and port number for the load balancer configured for accessing the Sentrys. If you are using a single Sentry, enter the external hostname and port number for the Sentry.
Default Unmanaged Devices Behavior |
Allow unmanaged devices to receive email and data | Select the checkbox if you want to allow devices that are not managed by the service to access email. Otherwise, unmanaged devices will be blocked from access. See Unmanaged Devices for information on unblocking (allowing) devices.
Advanced Options |
Dead Threshold | Enter the number of failed communication attempts that must occur before a server is flagged as dead.
Failure Windows | Enter the number of milliseconds during which the failures need to occur.
Dead Time | The duration of time during which the server will be recorded as dead.
Active health check |
Scheduling | If you specified the ActiveSync servers in priority order, then select Priority. If you would like each server to be serviced in turn, select Round Robin.
Socket read/write timeout | Enter the interval between Sentry checks for socket read/write timeouts from devices or servers.
Server connection timeout | Enter the interval between Sentry attempts to connect to an ActiveSync server.
Server response timeout | Enter the amount of time that the Sentry will wait for an HTTP response from the ActiveSync server.
Device request timeout | Enter the amount of time that the Sentry will wait for an HTTP response from a device on a new or existing connection.

3. Click Next.
4. Enter the Sentry server configuration settings, which apply to access between the devices and the Sentry:

Setting | What To Do
Listener Protocol | Select the protocol to use for communication between the Sentry and the service. HTTPS is recommended.
Https/Http Port | Enter the port to use for each supported protocol. 443 is typical for HTTPS. 80 is typical for HTTP.
Certificate/Key | Select Use Sentry's self-signed cert if you intend to use Sentry's self-signed certificate to authenticate communication between Sentry and mobile devices. If you want to use your own certificates, click Upload New Certificate.
Advanced Options |
Protocols | Select the protocols required by your ActiveSync servers.
Cipher suites | Ciphers are used in the SSL-encrypted communication with the Sentry. Strong ciphers are generally preferred. Weak ciphers might be required for older devices. Strong ciphers are selected by default. Select any additional ciphers you want to use. At least one cipher must be selected. Note: Verify that any load balancers, VIPS, and proxies in the Sentry's path support the OpenSSL cipher suite.

4. Click Next.
5. Select the Exchange service.
6. Use the following guidelines to complete the service settings:

Setting | What To Do
Service Name | Enter a name to identify this service.
ActiveSync Options | If you want to limit the ActiveSync protocol version supported, select a version from the drop-down.
Server Configuration |
Server Authentication | Pass through (Basic Authentication) is the supported authentication method.
ActiveSync Servers | Enter the hostname and port for each ActiveSync server that this Sentry will access. If you want to specify certain servers with higher priority, enter the servers in order from highest to lowest priority. If the ActiveSync servers require SSL, then the Enable Server TLS check box must be selected.
Enable Server TLS | Select to use TLS for communication with the Exchange server.
Enable Active Health Check |

7. Click Next.
8. Click Save.

To assign a profile to a Sentry
Once a Sentry is registered, it displays in the Sentry page in the Unconfigured Sentry Servers section. To assign a profile for the Sentry, click Assign in the Actions column.

To set up the Exchange configuration
Create a new Exchange configuration that specifies the Sentry instead of the ActiveSync server. Note that existing Exchange configurations will be removed from registered devices. Once the new configuration is installed, device users will be prompted to enter the ActiveSync password.

See also
- Unmanaged Devices (for managing access for devices not managed by Sentry)
- Policies (Block via Sentry compliance action)
- Troubleshooting Sentry issues

Can't see the Sentry page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Identity
License: Silver

Configure an identity provider (IdP) to authenticate users who wish to register devices with MobileIron Cloud, access the Admin Portal, or access the Self Service Portal. MobileIron Cloud works with any SAML 2.0 compatible IdP. OKTA and ONELOGIN have been verified to work with MobileIron Cloud.

Implementation notes
- If you are using Microsoft AD, or another on-premises LDAP directory, you will need to set up Connector to connect to and import users to MobileIron Cloud. Set up Connector or LDAP if you have not done so already.
- When an IdP is added, user authentication automatically switches from LDAP to IdP.
- Only one IdP provider is allowed.
- In case your IdP becomes inaccessible, use the MobileIron Cloud Tenant Admin (TA) account to access this Admin Portal and troubleshoot. The TA is a Local account and does not require external authentication. The TA account is created when your MobileIron Cloud is provisioned and login information is provided to the technical contact of your organization, or equivalent. If you do not have your TA account information, contact your support representative.
- MobileIron Cloud supports Microsoft Azure Active Directory (AAD) for authenticating users during registration of Windows 10 devices.

- AAD currently cannot be used for authenticating Admin Portal or Self Service Portal access. Provision Azure services if necessary.
- Set the authentication type for your LDAP users using the tools provided by your IdP vendor. The authentication settings on MobileIron Cloud will not apply to LDAP users. Authentication settings will still apply to Local users. MobileIron Cloud Authentication settings can be found here: Users > User Settings > Device Registration Setting > Device Registration Authentication Type.
- Apple DEP and Configurator device enrollments do not use IdP for user authentication.

To configure an identity provider
1. Click Admin.
2. Click Identity.
3. Click Set Up An Identity Provider.
4. Click the control that generates a key for uploading to your IdP.
5. Log in to your IdP and connect your IdP instance with MobileIron Cloud. See the documentation provided by your IdP. At the end of this process, you should have an XML file from your IdP to upload to MobileIron Cloud.

6. Upload the XML file from your IdP to MobileIron Cloud.
7. Click Done.

Can't see the Identity page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Install MDM Certificate

You must request and install an Apple MDM certificate to manage iOS devices. You also need to renew this certificate once a year. (The Apple account used for creating the certificate receives a notification from the Apple site when the expiration date approaches.) Use the MDM Certificate page to add or renew this certificate.

To acquire and install the MDM certificate
1. Use the MDM Certificate page to download a certificate signing request (CSR) from your MobileIron Cloud tenant.
2. Upload the CSR to Apple to create a new certificate. On the Apple site, add a note indicating what the certificate is for. This note will help you when it is time to renew the certificate.
3. Save the resulting certificate.
4. Install the certificate for your MobileIron Cloud tenant.

To renew the MDM certificate
1. Click Renew Certificate.
2. Download a certificate signing request (CSR) from your MobileIron Cloud tenant.
3. Upload the CSR to Apple to renew the corresponding certificate. On the Apple site, make sure you are renewing the correct certificate. Uploading a different certificate to MobileIron Cloud will automatically retire all registered iOS devices.
4. Install the certificate for your MobileIron Cloud tenant. You will receive a warning if you attempt to upload the wrong certificate.

Can't see the Install MDM Certificate page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Apple Configurator

You can use this page to prepare Apple Configurator for setting up MobileIron Cloud device management on iOS devices. Enrolling devices this way results in device entries that have no user recorded. You can manually add user information after the device is enrolled. Apple Configurator also enables you to configure supervised devices, which provides increased configuration and management options.

The basic steps are:
1. Export the MDM profile from your MobileIron Cloud tenant.
2. Import the MDM profile into the Configurator.
3. Use the Configurator to apply the MDM profile to tethered devices.

To define a default user for devices
Devices configured through the Apple Configurator are assigned to the nobody user in MobileIron Cloud unless you pick a different user:
1. Click in the Assign configured devices to field.
2. Start typing the username of the MobileIron Cloud user you want to select.
3. Select the username when it displays in the drop-down list.
4. Click Save.

Install apps using Apple Configurator
Before using the Apple Configurator to install apps:
- Access to the Apple app store is restricted by the device configuration.
- Apps installation is permitted by the device configuration.
- Apple Configurator must be installed on the computer used to configure the devices.

To install apps using the Apple Configurator:
1. Go to Admin > Apple Configurator in MobileIron Cloud.
2. Switch the enroll devices toggle switch to On.
3. Click Download plist.
4. Go to Prepare > Apps. Add the apps in the Apple Configurator.
5. Go to Prepare > Setting and disable Supervision.
6. Select the Never update device option in Update iOS.
7. Click Prepare (bottom of the Apple Configurator).

The apps will be visible in the list of Installed apps on the device after a device check-in.

Install apps using EMM server
To install apps using the EMM server:
1. Upload an app from the in-house store in the Apps tab.
2. Select the app.
3. Click the App Configurations tab.
4. Select Install on Device. Complete configuration settings.
5. Select Actions > Force Check-in.

What the end user needs to do
Apple requires that the end user launch the MobileIron Go app at least once, or the Cloud Location feature will not function properly. This is to ensure that the end user is aware that their location is being tracked.

Caution: If devices are deployed in single app mode using Configurator, then this approach will not be possible.

Can't see the Install Apple Configurator page?
Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Admin > Device Enrollment Program

Apple's Device Enrollment Program (DEP) enables customers to purchase devices in bulk and automatically enroll these devices in MDM during activation. If you choose to participate, you can use MobileIron Cloud as the MDM server for managing these devices. For more information about DEP, see:

Visit deploy.apple.com
Before you can use MobileIron Cloud with DEP, you need to sign up with Apple at deploy.apple.com.

Connect MobileIron Cloud to DEP

1. Go to Admin > Device Enrollment Program.
2. Click Download Key.
3. Save your MobileIron Cloud key.
4. Click deploy.apple.com.
5. Sign in using your DEP-eligible Apple credentials.
6. On Apple's DEP site:
   a. Click Get Started.
   b. Select the trusted phone to use for authenticating to Apple's service.
   c. Enter the verification code sent to the selected phone.
   d. Click Add MDM Server.
   e. Enter a name to identify the virtual MDM server to be used with the service.
   f. Click Next.
   g. Upload the public key you downloaded earlier.
   h. Click Next.
   i. Click Your Server Token to download the token.
   j. Click Done.
7. In MobileIron Cloud, click Upload.
8. Click Next.
9. Select an authentication option:
   - Prompt user to login with their corporate username and password during device activation.
   - Skip user login. (Assign all devices to the specified user.)
   The selected option overrides selections under User Settings.
10. Click Upload to install the key you received in step
11. Complete the displayed form to define the profile for your DEP devices:

Setting Name: What To Do
- Name: Enter a name that identifies this DEP profile.
- Department: Enter the department in your organization that is associated with this profile.
- Supervised Mode: Indicate whether you will be deploying devices in supervised mode (using Apple Configurator).
- MDM Removable: Indicate whether the device user should be able to remove the MDM profile.
- MDM Mandatory: Indicate whether MDM should be mandatory.
- Allow Pairing: Indicate whether host pairing functions will be allowed. Select to allow pairing with any Mac. Deselect to allow pairing only to a DEP-managed iOS device with a certificate uploaded to facilitate this pairing.
- Support Phone Number: Provide a phone number that device users can contact for help.
- Skip entering passcode: Select to allow users to skip this portion of the standard device activation process.
- Skip location services: Select to allow users to skip this portion of the standard device activation process.
- Skip restore from backup: Select to allow users to skip this portion of the standard device activation process.
- Skip "Move to iOS" from Android: Select to allow users to skip this portion of the standard device activation process.
- Skip Terms of Service: Select to allow users to skip this portion of the standard device activation process.
- Skip signing in to AppleID and iCloud: Select to allow users to skip this portion of the standard device activation process.
- Skip Touch ID setup: Select to allow users to skip this portion of the standard device activation process.
- Skip Apple Pay setup: Select to allow users to skip this portion of the standard device activation process.
- Skip zoom setup: Select to allow users to skip this portion of the standard device activation process.
- Skip Siri: Select to allow users to skip this portion of the standard device activation process.
- Skip Apple FileVault setup: Select to allow users to skip this portion of the standard device activation process. You must also disable from the iOS restrictions configuration.
- Skip automatically sending diagnostic information: Select to allow users to skip this portion of the standard device activation process.

12. Click Save.

Note: When new devices are added to Apple's Device Enrollment Program, it might take up to 15 minutes for MobileIron Cloud to discover those new devices. The new devices are then assigned an enrollment profile. If you cannot add new devices to the Device Enrollment Program, go to Dashboard > Notifications to check for notifications from Apple for DEP. If there are any updates to the EULA, you will be notified by email with steps to accept the new EULA.

To edit the DEP profile

1. Go to Admin > Device Enrollment Program.
2. Find the name of the server you created on the Apple site.
3. Select Actions > Edit DEP Profile.

Note: If you refresh the server token on Apple's site, then the existing token will become invalid. However, the display in the Device Enrollment Program page, including the token expiration date, will remain until you upload the new token.

To edit the DEP authentication setting

1. Go to Admin > Device Enrollment Program.
2. Find the name of the server you created on the Apple site.
3. Select Actions > Edit Authentication.

Admin > End User Portal (Branding)

License: Silver

You can customize the Self-Service Portal with your organization's logo. If you do not add your logo, the Self-Service Portal displays the default service logo.

To brand the Self-Service Portal

1. In the Self-Service Portal Branding screen, click Customize (upper right).
2. Drag the logo file (PNG, 182x34) to the dotted box, or click Choose File to select it from your file system.
3. Click Save Changes.

Admin > iOS App Catalog (Branding)

You can brand the iOS app catalog to make its appearance more familiar to your end users. You can customize the following items in the iOS app catalog:
- catalog name
- catalog logo (PNG, 360x64)
- webclip icon (PNG, 1024x1024)
- webclip name

To brand the iOS app catalog

1. In the iOS App Catalog Branding screen, click Customize (upper right).
2. Drag the logo file to the dotted box, or click Choose File to select it from your file system.
3. Edit the App Catalog Name text to change the label shown at the top of the catalog.
   Note: The app catalog name you enter applies to both Android and iOS.
4. Drag and drop the webclip file to the dotted box, or click Choose File to select it from your file system.
5. Edit the Webclip Name text to change the label shown under the app catalog webclip icon.
6. Click Save Changes.

Using Microsoft Azure

Setting up Azure AD

To set up Azure AD:

1. Go to to purchase your Azure account.
2. Use your existing Hotmail or Outlook.com account, or create a new account and register as a new user.
3. Buy an Azure account by using one of the payment options and following the verification steps.
4. Ask Microsoft to whitelist the MobileIron Cloud tenant.
5. Use the same Hotmail or Outlook.com account you used in step 2 to login to AAD at as an admin.
6. Go to the Domain tab. A default domain, TestMiBGLRoutlook.onmicrosoft.com, is created for your account, and any users created will belong to this domain. If needed, you can recreate a custom domain.
7. Go to the Applications tab and click Add Application to map the MobileIron Cloud MDM.
8. Select the option Add an application from the gallery.
9. Select the Mobile Device Management category.
10. Select the MobileIron MDM from the App gallery.
11. Click Configure. Add the MDM end points (Enrollment discovery and Terms of Use End point) and save the configurations.

Creating Users on Azure AD

To create users on Azure AD:
1. Go to active directory -> Default Directory -> Users.
2. Select the Add user option -> Select New user in your organization.
3. Enter the username. Click next (->). The User Profile page is displayed.
4. Add the user information, such as first and last name and the display name.
5. Use the dropdown menu to assign the appropriate role to the user.
6. Generate the temporary password. The user will be required to change this password at the first login.

Microsoft Azure AD Enrollment Requirements

Users must be registered in MobileIron Cloud.

Connect your domain to enroll users on their Windows 10 Mobile devices.

1. Click Join Azure AD.
2. Enter username and password.
3. Click Sign in.
4. Accept the EULA.
5. Click Create PIN. Azure AD authenticates the user and downloads a JWT (JSON Web Token) to the device. The device is now enrolled. User is contacted through the device for verification.
6. Enter and confirm a PIN.
7. Click OK.

To set up Microsoft Azure with EMM

Setting up users
1. Go to Admin > Microsoft Azure.
2. Click Setup Microsoft Azure with EMM service.
3. Go to Accounts settings in the Microsoft Azure.
4. Go to Applications section.
5. Select Add EMM application from gallery.
6. Select MobileIron Cloud EMM.

Assigning Users
7. Go to Azure Account Configuration.
8. In manage device for these users, verify the setting is for All Users.
9. Enter the Azure AD Domain.
10. Click Connect Account.

Enabling Microsoft Passport for Work for Windows 10 Devices
11. Click Edit under the Passport for Work section.
12. Select Enable Passport for Work for Windows 10 Devices.
13. Set the PIN complexity options, including the minimum and maximum lengths. You must enable at least one of the following options:
    1. Digits
    2. Special characters

    3. Uppercase letters
    4. Lowercase letters
14. Click Save.

Disabling Microsoft Passport for Work for Windows 10 Devices

1. Click Edit under the Passport for Work section.
2. Deselect Enable Passport for Work for Windows 10 Devices.
   Note: Disabling this option does not remove the PIN from the device.
3. Click Save.

Note: The first time a tenant is built or is upgraded to version R39 or later from an earlier version of MobileIron Cloud and when Microsoft Azure is enabled, Passport for Work is enabled by default. The PIN constraints are set to be digits with a minimum length of 4. If the Administrator wants to disable Passport for Work, then the feature should be disabled before registering any users or devices. If this is not done, then the default PIN constraints will take effect unless otherwise modified on the Administrator Portal.

Android for Work

Android for Work enables use and configuration of Android for Work apps.

Configure Android for Work

1. In the MobileIron Cloud portal, go to Admin > Android for Work.
2. Click Google Developers Console.
3. Follow the steps to look up your Android for Work token and service account. Click Done.
4. Enter your MDM token and Google domain in the fields provided.
5. Drag and drop your JSON Client ID file or click Choose File to navigate to the JSON Client ID file and select it.
6. Click Connect.
7. Click Authorize.

Configure Android for Work profile

1. In the MobileIron Cloud portal, go to Configurations.
2. Click +Add.

3. Select Lockdown & Kiosk: Android for Work Configuration. The Create Lockdown & Kiosk: Android for Work Configuration page is displayed.
4. Enter a configuration name and description. Choose a Lockdown type.
5. Click Lockdown - Android for Work Profile. Android for Work Lockdown settings options are displayed.
6. For Android 5+ devices, optionally choose to:
   - Disable Screen Capture
   - Disallow Apps Control
   - Disallow Config Credentials
   - Disallow Cross Profile Copy Paste
   - Disallow Modify Accounts
   - Disallow Outgoing Beam
   - Disallow Share Location
7. For Android 6+ devices, optionally choose to:
   - Disable Caller ID

Important: When the user adds a Google Account using Add account in Settings, the Google authentication server checks if the domain of the account is registered as an EMM-managed domain. Verify that Enforce EMM policies on Android devices is checked. If so, the MobileIron Go client is automatically installed or updated (if it is not already installed on the device) and launched. Once the user goes through the registration process, the user is prompted to create a work profile and the Google Account is automatically migrated to the work profile.

Deploy In-House Apps to Google Play

Upload your in-house apps to the Google Play Private channel and import them into MobileIron Cloud for deployment to Android for Work enabled devices.

1. Log into the Google private apps console:
2. Click All Applications in the left menu.
3. Click Create new application and enter a name for the application.
4. Click Upload APK to upload the .apk file you generated.
5. Click Store Listing:
   - Enter a short description and a full description.
   - Upload screenshots for all tabs.
   - Upload a high resolution icon.
   - Upload a feature graphic icon (graphic.png).
   - Enter the required information for Categorization, Contact details, and Privacy policy.

   - Complete the questionnaire for an app rating.
6. Click Pricing & Distribution. If all the required information has been entered, Ready to Publish is displayed at the top of the page.
7. Go to the Apps tab in MobileIron Cloud.
8. Click Refresh Available Catalogs to sync your private apps.

Note: It may take several hours to publish your app.

Android for Work Accounts

License: Gold

Android for Work accounts enable use and configuration of Android for Work without having to sync Active Directory information directly to Google. You no longer have to use Google Apps Directory Sync (GADS) or have your users log into a Google account.

Important: If you already set up Android for Work, you must first unregister and retire those devices to be able to use this feature. Work Managed Devices, also known as Device Owner mode, is not supported at this time.

Configure Android for Work

1. In the MobileIron Cloud portal, go to Admin > Android for Work.
   - If the user has AFW already set up, they will see the Android for Work Setup screen.
   - New AFW customers who don't have a Google apps account use the Recommended Setup Method.
   - If there is an existing AFW configuration that was created at an earlier date, the users will not see the new Android for Work screen. They must remove the existing AFW configuration to use the Recommended Setup Method.
2. Click Begin to display the first Android for Work screen.
3. Click Google Developers Console to display the Google Developers Console page with directions on how to:
   - Create a Google Project and enable the EMM API
   - Create your EMM Credentials
4. Go to Enroll with Google and enter an arbitrary string for the username.
5. Click Authorize to display the Google Play for Work screen.
6. Click Get Started.

   - Enter your company name in the Organization details page.
   - Accept the Android for Work agreement.
7. Click Confirm.
8. Drag and drop your JSON Client ID file or click Choose File to navigate to the JSON Client ID file and select it.
9. Click Set Credentials.
10. Click Authorize. Verify that the Connected to Google status is displayed.

Note: Any user logged into the account can register a device. It doesn't have to be a Google user to register a device. Once you enroll an account, it cannot be unenrolled currently.

Admin > App Reputation

License: Platinum

Integrate MobileIron Cloud with an app reputation vendor to access app threat scores and lists of apps with specified behaviors.

Prerequisites

Enabling app reputation requires an account with a supported app reputation vendor. When enabling app reputation, you will need to have set up on your app reputation vendor site some or all of the following items, depending on your app reputation vendor:
- org id
- username
- password
- auth token

You need to have the associated information handy when enabling app reputation on MobileIron Cloud.

Enabling App Reputation

To enable app reputation:
1. Click Admin.
2. Click App Reputation.
3. Click Setup App Reputation.

4. Select a vendor from the Please Select a Vendor drop-down list, and then supply the information requested by the resultant fields. See Prerequisites for the kinds of information you may be asked to supply.
5. Drag the red score settings tab to the desired value. Your app reputation vendor rates as risky apps with a score over the threshold you set. Consult your app reputation vendor for the recommended setting.
6. Use the Add Exceptions controls to add apps with scores exceeding the threshold value that you would like marked as safe, preventing them from being flagged as part of compliance checks. This is sometimes useful for in-house apps or apps already deemed appropriate for use on managed devices.
7. Click the Enable App Reputation on Save check box to place a check mark in it.
8. Click Save.

Can't see the App Reputation page?

Maybe you do not have permission. You need one of the following roles:

- System Management
- System Read Only

Admin > Infrastructure > Help@Work

License: Platinum

Help@Work transforms the help desk experience for iOS and Android devices by allowing users to ask for help with a click of a button and to share their screen with a help desk agent. Users no longer waste valuable time trying to verbalize the issue, and IT staff is more efficient when troubleshooting device issues.

To set up Help@Work for Android

1. Go to the Admin tab.

2. Click Admin > Infrastructure > Help@Work.
3. Click the Android tab.
4. Click the Enable TeamViewer link, and then follow the instructions on the resultant pages and dialog boxes.
5. Distribute the TeamViewer app. See App Configuration for instructions.

To set up Help@Work for iOS

1. Go to the Admin tab.
2. Click Admin > Infrastructure > Help@Work.
3. Click the iOS tab.
4. Click the Download SDK link. The Help@Work for iOS SDK includes the Help@Work for iOS client application, which is required for establishing remote sessions with devices. The SDK also includes browser plug-ins that provide network information that you will need for establishing support sessions.
5. Optionally, follow the instructions in the SDK to customize the app branding. The Help@Work for iOS client app is provided without branding.
6. Upload the Help@Work for iOS app as an In-House app to your App Catalog. See the section, "To add an In-House app," in App Catalog.

7. Install the browser plug-in. Staff providing remote support will need to set up their browsers to extract network information about the device used by Help@Work for iOS. This information will be needed before each session. The information will be sent to the user's device when a session is initiated. The SDK includes a MobileIron signed plug-in for Firefox browsers. There is also a Python script provided for extracting this information.
8. Set up VPN and/or Sentry with Tunnel configured on your system to reach remote users and devices. See VPN Configuration, Sentry, and Set Up AppTunnel.

Admin > Android App Catalog (Branding)

You can brand the Android app catalog to make its appearance more familiar to your end users. You can customize the following items in the Android app catalog:
- catalog logo (PNG, 360x64)
- catalog name
- action bar color

To brand the Android app catalog

1. In the Android App Catalog Branding screen, click Customize (upper right).
2. Drag the logo file to the dotted box, or click Choose File to select it from your file system.
3. Edit the App Catalog Name text to change the label for the catalog.
   Note: The app catalog name you enter applies to both Android and iOS.
4. Click the Action Bar field to display a color palette to select from or enter the hex number for the color you prefer.
5. Click Save Changes.

Admin > Android Kiosk Branding

License: Silver

You can brand the Android kiosk page to make its appearance more familiar to your end users. You can customize the following items:
- banner logo (PNG, 840x114) or text
- banner border color
- banner background color
- screen background color
- screen background image (1280x800)
- screen background format

To brand the Android kiosk screen

1. In the Android Kiosk screen, click Customize (upper right).
2. If you want to turn off the banner, uncheck Enable Top Banner.
3. Click the Banner Background Color field to display a color palette to select from or enter the hex number for the color you prefer.
4. Click the Banner Border Color field to display a color palette to select from or enter the hex number for the color you prefer.
5. Select Image/Logo or Text to set the banner content.
6. If you selected Image/Logo, drag and drop the image file or click Choose File to select one.
7. If you selected Text, type the text you want to display in the banner.
8. Click the Background tab.
9. Click the Background Color field to display a color palette to select from or enter the hex number for the color you prefer.
10. To change the background image:
    a. Delete the default image.
    b. Drag and drop the preferred image or click Choose File to select one.
    c. Select the preferred layout.
11. Click Save Changes.

Using Scheduled Reports

License: Silver

The Schedule Reports feature enables you to schedule and generate reports on various metrics with pre-packaged templates ready to use. You must have the System Administrator or the System Read Only role to access this feature.

Generating a Report

To schedule and generate a report:
1. Go to Dashboard > Reports.
2. Click Create a report to display the Choose a Report Template page.
3. Choose a template for your report from the options you have configured.
   - Blocked Devices
   - Devices
   - Policy Violations
   - Users
   - Most Used Apps
4. Click Next. The Report Details page is displayed. Choose from these scope options:
   - All
   - Since Date - defaults to the current date. Click in the date field to specify a different date.
   - In the last - Choose a range from 4 hours to 52 weeks to specify how often the report will be run over a specified time span.
5. Click Next.
6. Click Schedule to specify how often the report will be run over a specified time span.
7. Click Next. The Share this Report page appears.
8. Choose who will receive the report. Optionally, add external IDs.
9. Click Done. The summary page is displayed.
10. Optionally, click Edit to change any of the options you selected.
11. Optionally, click the Actions pulldown menu to:
    - Disable Report
    - View the Last Report
    - Report History
    - Delete Report
12. Click Save.
13. Click the download icon to select the format of the report as shown below:

An email containing a Download Report button to download the report is sent to the recipients of the report.

Admin > GOOGLE/ANDROID > Google Apps API

Google customers who use Single Sign On (SSO) to authenticate user access to Google Apps services may not be able to use Exchange to connect users to email, contacts, and calendar due to limitations in the protocol that prevent devices from supporting SSO-triggered redirects to external authentication services. This service addresses this condition by creating and managing account passwords for ActiveSync connectivity.

Prerequisites

Before attempting to configure the Google Apps API feature, you need:
- Admin access to an account on
- Admin access to an account on

To enable the Google Apps API feature:
1. Select Admin > GOOGLE/ANDROID > Google Apps API.
2. Click Step 1: Google Dev at the bottom of the rectangle on the left labeled 1. The Step 1: Google Dev page appears.
3. Follow the instructions that appear on the Step 1: Google Dev page, and then click Done.
4. Click Step 2: Google Admin at the bottom of the middle rectangle labeled

The Step 2: Google Admin page appears.
5. Follow the instructions that appear on the Step 2: Google Admin page, and then click Done.
6. Enter the Google Admin user name in the Enter the Google Admin user name field in the rectangle on the right labeled
7. In the same rectangle, click Choose File to upload the JSON file you downloaded in Step
8. Click Save.

Can't see the Google Apps API page?

Maybe you don't have permission. You need one of the following roles:
- System Management
- System Read Only

Tenant Suspension

Access to a tenant used with an evaluation license or a production license might be suspended by MobileIron Cloud.
- An Evaluation License might be suspended when the evaluation period expires or when the usage allowance has been exceeded.
- A Production License might be suspended when the subscription period expires or when the usage allowance has been exceeded.

MobileIron Cloud will restore a suspended tenant when the license has been renewed or when additional licenses have been purchased, in case of an overage.

When a tenant license is suspended:
- Existing registered devices continue to function normally.
- Administrators cannot log in to the Admin portal.
- New devices cannot be registered.
- API access to the tenant is blocked.
- End users can continue to access the Self-Service portal.

Tenant Suspension Action and Error Messages

Suspension Action: End Customer integration API access is blocked.
  Error: API Call fails.
  Error message displayed: Access denied. Your Evaluation License has expired. Please renew your license to re-enable API access. Contact your System Administrator for details.
  Location: API error

Suspension Action: New devices are blocked from registering.
  Error: An error message is displayed on the enrollment screen.
  Error message displayed: Unable to register your device. The license for your system has expired. Please contact your system administrator for details. Previously enrolled devices will continue to operate normally.
  Location: Following password verification.

Suspension Action: Administrator is blocked from logging in to the Admin portal.
  Error: An error message is displayed on the login screen.
  Error message displayed: Unable to login to MobileIron Cloud. Your License has expired. Please renew your license to regain access to the Admin Portal and to enroll new devices. Devices that have been previously enrolled devices will continue to operate normally. Contact your sales representative to renew your licenses. Note that the Admin password expires after one year (365 days).
  Location: Following password verification.

Upgrading

Upgrading a license

The basic features are provided in the Bronze package. You can expand the Bronze package by:
- adding more devices
- adding Silver
- adding Gold
- adding Platinum

These additions expand your mobile solution beyond basic device configuration.

How do I request an upgrade?

To request an upgrade:
1. Select Upgrade Options from the admin drop-down menu.
2. Click Request Upgrade / Add Devices (upper right).
3. Select the items you want to add and enter your phone number.

An representative will contact you in about 24 hours with details.

Upgrading from a previous release

When upgrading from a previous release, the settings on the Edit DEP Profile page are not preserved. Please note your option settings before upgrading.
- If Skip signing in to AppleID and iCloud is enabled before upgrading, then Skip Apple Pay setup will be enabled after upgrading.
- If Skip entering passcode is enabled before the upgrade, then Skip Touch ID and Skip Apple Pay setup will be enabled after the upgrade.

1. After the upgrade is complete, return to the Edit DEP Profile page to edit the DEP profile to restore the desired settings.
2. Click Save.

After upgrading, several configuration settings are affected. Please note that:

- Promotion options are set to Off.
- Installation settings are set to No.
- Don't Show in App Catalog option is no longer selected.
- Silent Install on Android Samsung SAFE is set to False.
- iOS Management Flags are set to:
  - Backup to iCloud.
  - Remove on unenrollment.
  Note: These iOS Management flag settings can be selected for each app individually.
- App settings: App settings are now called Configurations. All other app settings remain as they were prior to the upgrade.

See also

Packages

Packages

MobileIron Cloud basic features are provided in the Bronze package. You can expand the Bronze package by:
- adding more devices
- adding Silver
- adding Gold
- adding Platinum

These additions expand your mobile solution beyond basic device configuration.

Silver

Upgrading to Silver adds the following features:
- LDAP and Connector: Support for adding corporate directories and certificate authorities to the MobileIron Cloud.
- Sentry: Support for access control.
- Device partitions: Support for designating devices for management by different administrators (delegated administration).
- Supervised mode: Device-level support for fine-grained configuration, including single-app mode.
- Self-Service Portal branding: Use your logo in the Self-Service Portal.
- Certificate Authorities: Use MobileIron Cloud as a certificate authority.
- Silent app install/uninstall: Automatically deploy and remove apps from a mobile device.
- App whitelist/blacklist/required apps: Monitor and control which apps are installed on devices.
- Web content filter: Apply website whitelist/blacklist policies to all web browsers.
- Per app VPN: VPN security is now immediate, invisible, and specific to the mobile app.
- Apple-specific functionality: Enable/restrict AirPlay, AirDrop, iOS wallpaper distribution, and Apple TV.
- Android Kiosk mode: Support for configuring Android devices to operate in kiosk mode.
- Android Kiosk branding: Change the background and banner of the kiosk screen displayed when devices operate in kiosk mode.

Gold

Upgrading to Gold adds the features provided by Silver as well as the following features:
- Android for Work: Provide Android users with access to Google's container solution.

- Single sign on: Users authenticate once and are automatically logged in to other enterprise mobile apps.
- Open-in management: Control which mobile apps can open what enterprise content.
- Per app configuration: Deploy configured mobile apps at scale, with little to no required action by the end user.
- Apple Volume Purchase Program (VPP): Distribute mobile app licenses to devices, and reclaim and reassign those licenses when a device is retired.
- iOS App Catalog branding: Display your company logo in the app catalog.
- Increased content limit: 50 files, 25 MB each
- AppConnect for iOS: Secure and configure AppConnect-enabled apps.
- AppTunnel for iOS: Secure app access to enterprise resources.
- Docs@Work for iOS: Enable users to view, store, and share documents.
- iOS 8 certificate-based single sign on
- iOS 8 iBook/ePub management
- User branding

Platinum

Upgrading to Platinum adds the features provided by Gold as well as the following features:
- MobileIron Tunnel: Configure app-specific access to enterprise data.
- Dataview for iOS: Define settings for the data monitoring app.

File a Support Ticket

You can use the Support option to access the Support portal.

To access the Support portal

1. Click the user icon (upper right).
2. Select Support.
3. Enter your support credentials.
4. Click Login.

User Licenses

MobileIron Cloud user-based licenses define the number of users you can register, the number of devices allowed per user license, the amount of content you can configure for distribution to devices, and which features are available. If you reach your limit for users, a red triangle displays in the Admin page. If you reach your limit for content, the service will prevent you from adding more and display a message to indicate that you have reached your limit.

To determine how many user licenses you should plan for, consider the following points:
- Each user license allows registration of up to three devices.
- Once a user registers more than three devices, another user license is claimed.
- There is no enforced limit to the number of user licenses that a user can claim.
- Licenses are released when devices are retired or wiped.

For example, when User1 registers her work phone on the first day of work, she claims a user license. The following week, she registers her personal phone and a tablet under that same license. When she registers another tablet, she now has four devices, so she claims a second user license. When her personal phone is stolen, she wipes the device, which releases the second user license.

To see the number of devices/licenses for a user

1. Go to Users > Users.
2. Click the link for the user. The left pane lists user details, including license usage.

Device Licenses

MobileIron Cloud device-based licenses define the number of devices you can register, the amount of content you can configure for distribution to devices, and which features are available. If you reach your limit for devices, a red triangle displays in the Admin page. If you reach your limit for content, the service will prevent you from adding more and display a message to indicate that you have reached your limit.

How To

How to use Bulk Enrollment for Android

The bulk enrollment feature enables you to quickly register multiple Android devices with MobileIron Cloud.

License: Silver

These tasks must be done before using bulk enrollment:
1. Install Android SDK, which includes the Android Debug Bridge (adb), on the computer used to register the devices. For more information about the Android Debug Bridge, see:
2. Enable USB debugging. The procedure to enable USB debugging on Android devices varies depending on the Android release. See: for information on enabling USB debugging.
3. Install the MobileIron Go client on each device.
4. Connect the devices via USB cable to the provisioning computer to be used to register them.

The MobileIron Go app can be started and registered to a server using the Android Debug Bridge (adb) shell. The Android Debug Bridge is a tool that can be used from the command line in Windows, or in the Terminal utility in iOS. It enables you to communicate with a connected Android device. From the adb shell the command format is:

    > adb shell
    $ am start -a android.intent.action.MAIN -d "mirp://na1.mobileiron.com?key=value&key=value" -n com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity

Note: The MobileIron Registration Protocol (mirp) is used to encode relevant data for registration with MobileIron.

Valid keys and values are:

Key: Value
user: User's address that would have been typed into the username field if using ireg. Required.
password: User's password
pin: Registration pin for the user
quickstart: When set to TRUE: the splash screen will show, but not as long. On the Welcome screen, when the spinner changes to the Continue button, the screen will automatically move on without having to tap Continue. When set to FALSE: the splash screen will show as usual and the user will need to tap Continue on the Welcome screen. Optional, defaults to FALSE.

Note: Use of a password, pin, or token is required to use bulk enrollment.

This example command specifies a server, user, password, pin, and quickstart:

    am start -a android.intent.action.MAIN -d 'mirp://ppp183.auto.mobileiron.com?user=miadmin@auto0001.mobileiron.com&password=p@$$w0r3&pin=12345&quickstart=true' -n com.mobileiron.anyware.android.qa/com.mobileiron.polaris.manager.ui.startactivity

Sample bulk enrollment script

You can use this script as an example when designing your own bulk enrollment script. This sample script registers all devices attached to the provisioning machine with the same user and password.

    # List attached devices, drop the "List of devices attached" header,
    # keep lines that report a device, and take the serial number column.
    for i in `adb devices | grep -v devices | grep device | cut -f 1`
    do
        echo "Registering $i"
        # Start the MobileIron Go client on device $i with the registration data.
        adb -s "$i" shell "am start -a android.intent.action.MAIN -d \"mirp://<servername>?user=<user address>&password=<password>&quickstart=true\" -n com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity"
    done
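A hardened variant of the bulk enrollment loop above, added here as an example and not MobileIron's own script: it checks the keys the way the key table requires, single-quotes the mirp URI so a password such as p@$$w0r3 reaches the device unchanged, and sends the command on adb's standard input so the credential is not in adb's argument list on the provisioning computer. The MI_* variables and all function names are hypothetical; the component name is copied from this page.

```shell
#!/bin/sh
# Added example, not MobileIron's script. MI_SERVER, MI_USER, MI_PASSWORD, MI_PIN
# and all function names are hypothetical; COMPONENT is copied from this page.
COMPONENT='com.mobileiron.anyware.android/com.mobileiron.polaris.manager.ui.startactivity'
TAB=$(printf '\t')
NL='
'

# Read `adb devices` output on stdin and print only serials whose state is
# exactly "device", skipping the header and unauthorized/offline units.
ready_devices() {
    awk -F '\t' '$2 == "device" { print $1 }'
}

# Reject characters that would split the key=value&key=value query or break
# the single-quoting used for the device shell. $1 = key name, $2 = value.
check_value() {
    case $2 in
        *'&'* | *'#'* | *"'"* | *'"'* | *' '* | *"$TAB"* | *"$NL"*)
            echo "invalid character in $1 value" >&2
            return 1 ;;
    esac
    return 0
}

# build_mirp_uri SERVER USER PASSWORD PIN [QUICKSTART]
# Enforces the rules from the key table: server and user are required, and at
# least one of password or pin must be present. Prints the URI on success.
build_mirp_uri() {
    server=$1 user=$2 password=$3 pin=$4 quickstart=${5:-false}
    [ -n "$server" ] || { echo "no server information" >&2; return 1; }
    [ -n "$user" ] || { echo "no user information" >&2; return 1; }
    [ -n "$password$pin" ] || { echo "no password/pin information" >&2; return 1; }
    case $quickstart in
        true | false | TRUE | FALSE) ;;
        *) echo "quickstart must be true or false" >&2; return 1 ;;
    esac
    check_value server "$server" && check_value user "$user" &&
        check_value password "$password" && check_value pin "$pin" || return 1
    uri="mirp://$server?user=$user"
    [ -z "$password" ] || uri="$uri&password=$password"
    [ -z "$pin" ] || uri="$uri&pin=$pin"
    printf '%s&quickstart=%s\n' "$uri" "$quickstart"
}

# Print the command line for the device shell. Single quotes keep $$ and other
# shell metacharacters in the password literal; check_value has already
# ruled out a single quote inside the URI.
remote_command() {
    printf "am start -a android.intent.action.MAIN -d '%s' -n %s\n" "$1" "$COMPONENT"
}

# Register every ready device with the same user. The password is prompted for
# (no echo) when neither MI_PASSWORD nor MI_PIN is set, so it never has to be
# written into the script or typed on a command line.
enroll_all() {
    if [ -z "${MI_PASSWORD:-}" ] && [ -z "${MI_PIN:-}" ]; then
        printf 'Password for %s: ' "$MI_USER" >&2
        stty -echo; IFS= read -r MI_PASSWORD; stty echo; echo >&2
    fi
    uri=$(build_mirp_uri "$MI_SERVER" "$MI_USER" "${MI_PASSWORD:-}" "${MI_PIN:-}" true) || return 1
    adb devices | ready_devices | while IFS= read -r serial; do
        echo "Registering $serial"
        # The command travels on adb's stdin, so the local adb process is
        # started as `adb -s SERIAL shell` with no credential in its arguments.
        remote_command "$uri" | adb -s "$serial" shell
    done
}

# Only touch adb when explicitly asked to: sh enroll.sh --run
[ "${1:-}" != "--run" ] || enroll_all
```

The credential is still part of the `am` command line on the device itself, so treat an enrollment password or pin used this way as short-lived.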

Potential Error messages

Here are some potential errors that you may encounter using bulk enrollment.

Error: Resolution
mirp scheme not found: Example command using a mirp scheme: am start -a android.intent.action.main -d "xxxmirp://?user=miadmin@auto0001.mobileiron.com&password=p@$$w0r3&pin=12345&t -n com.mobileiron.anyware.android.qa/com.mobileiron.polaris.manager.ui.startac
URL is invalid: Occurs if no data string is sent at all. Verify that the URL is correct.
No server information found: Server information missing or improperly entered.
No user information found: Verify that user key was entered.
No password/pin information found: Verify that a pin OR password key was entered.

How to use Samsung Knox Mobile Enrollment

Samsung KNOX Mobile Enrollment enables administrators to register qualified Samsung devices to MobileIron Cloud. Using KNOX Mobile Enrollment, a device can be shipped directly from an approved reseller to an end user and the MobileIron Go Android client will automatically download with enrollment data pre-populated. For details see the Samsung KNOX Mobile Enrollment with MobileIron Quick Start Guide.

Requirements

- Device list by IMEI: CSV file containing a list of devices containing an IMEI or serial number, and optionally a username and enrollment password.
- MobileIron Cloud (current release).
- Samsung KNOX account approved for mobile enrollment

- Samsung supported devices. A list of Samsung supported devices is available here.

How to use AirPlay Mirroring

License: Gold

AirPlay Mirroring is a feature that gives you the ability to display the screen from an iOS device on a monitor using Apple TV. Apple TV and the iOS device must be connected to the same Wi-Fi network.

This feature requires the following:

- iOS 7 and later devices - Supervised
- Apple TV version - Supervised AirPlay

Important: Switching to include management of non-iOS devices cannot be reversed.

Configure Apple AirPlay

For more information on AirPlay configuration settings see AirPlay Configuration.

To configure Apple AirPlay:

1. Go to Configurations.
2. Click +Add.
3. Click AirPlay.
4. Enter a Name and Description of the configuration in the appropriate fields.
5. For all supported iOS versions, enter a Device Name and Password.
6. Click + Add to add another device, if needed.
7. Optionally, for Supervised iOS 7 devices and later add device IDs to a White list.
8. Click Next.
9. Choose a distribution level.
10. Click Done.

Setup AirPlay on the mobile device

1. Setup Apple Configurator.
2. Go to Devices > Devices.
3. Click the name of an iOS device to display the Details page for that device.

4. Click the icon.
5. Select AirPlay Mirroring to display the AirPlay mirroring dialog.
6. Select an Apple TV device from the pulldown menu.
7. Enter a scan time in seconds to specify a time limit to search for the device you selected.
8. Enter the password for the Apple TV device.
9. Click Send Request.

Setup a monitor to work with Apple TV

1. On a monitor connected to Apple TV, go to Settings > Profile.
2. Select MobileIron Cloud Apple Configurator.
3. Click Add Profile.
4. Click the icon.
5. Select AirPlay Mirroring to display the AirPlay mirroring dialog.
6. Select an Apple TV device from the pulldown menu.
7. Enter a scan time in seconds to specify a time limit to search for the device you selected.
8. Enter the password for the Apple TV device.
9. Click Send Request.

Connect your iOS device to Apple TV

1. Connect the Apple TV device to a monitor.
2. Using the Apple TV remote, go to Settings > Accounts > Home Sharing to turn on Home Sharing.
3. Connect iOS device to the same Wi-Fi network as your Apple TV device.
4. Open the Remote app on your iOS device.
5. Enable Home Sharing from the Remote Settings screen.

Edit an iOS MDM Configuration

The iOS MDM configuration defines access limits for MobileIron Cloud. There are two types of iOS MDM configurations:

- iOS MDM - Bulk Provisioned: For devices purchased by the enterprise and provisioned as part of a mass distribution.
- iOS MDM - Individually Provisioned: For devices provisioned one by one.

Only one of each type is provided and allowed across all device partitions.

To edit an iOS MDM configuration

1. Go to Configurations.
2. Select the iOS MDM configuration you want to edit.
3. Use the following guidelines to make changes:

Setting: What To Do
Allow device lock and passcode removal: Uncheck to prevent enforcement of a passcode compliance configuration.
Allow device erase: Uncheck to prevent enforcement of a device wipe action.
Allow query of Network information (phone/sim numbers, MAC addresses): Uncheck to exclude the device from networking information reporting. Note: If this option is unchecked, then the device list view and device detail view will show N/A for the network information that is no longer reported. Also, the roaming policy will not be enforceable for affected devices.

4. Click Done.

Your changes apply only to devices provisioned after you make the change.

Edit a macOS MDM Configuration

The macOS MDM configuration defines access limits for MobileIron Cloud. macOS MDM configurations are individually provisioned, for devices provisioned one by one.

To edit a macOS MDM configuration

1. Go to Configurations.
2. Select the macOS MDM configuration you want to edit.
3. Use the following guidelines to make changes:

Setting: What To Do

Allow device lock and passcode removal: Uncheck to prevent enforcement of a passcode compliance configuration.
Allow device erase: Uncheck to prevent enforcement of a device wipe action.
Allow query of Network information (phone/sim numbers, MAC addresses): Uncheck to exclude the device from networking information reporting. Note: If this option is unchecked, then the device list view and device detail view will show N/A for the network information that is no longer reported. Also, the roaming policy will not be enforceable for affected devices.

4. Click Done.

Your changes apply only to devices provisioned after you make the change.

How to Delete Apps from the App Catalog

You can delete public and in-house apps from the App Catalog. If the app is installed on devices, it will be removed the next time those devices check in.

1. Go to Apps > App Catalog.
2. Click the link for the app.
3. Select Actions > Delete from Catalog.
4. Read the warning that explains what happens when you delete an app. The warning explains that VPP licenses (iOS) and app reviews (all OSes) are also deleted.
5. Select the check box to confirm.
6. Click Delete App.

How to Create an Android Shortcut

Shortcuts are only available in Kiosk Mode using a whitelisted browser. The browser must be whitelisted in the Lockdown and Kiosk configuration. The shortcuts will appear in the MobileIron Cloud Kiosk launcher.

To create an Android shortcut:

1. Go to Configurations > +Add.
2. Click Android Shortcut to display the Create Android Shortcut Configuration page.
3. Enter a name for the Configuration in the Name field.
4. Enter a description of the configuration in the Description field.
5. Enter a unique label for the shortcut in the Label field.
6. Enter a URL for the target of the shortcut in the URL field.
7. Optionally, drag and drop a file in the icon field or click Choose File to navigate to the file to choose an icon for the shortcut.
8. Click Next.

How to Deploy Divide Productivity with Android for Work

Divide Productivity is a PIM app you can deploy to Android for Work devices.

1. Go to Apps > App Catalog.
2. Under Business Apps, click Divide Productivity.
3. Enter additional categories or a description.
4. Click Next.
5. Accept the displayed permissions.
6. Click Next.
7. Select a distribution option.
8. Expand Advanced Options & App Configuration.
9. Use the following guidelines to enable options:

Setting: What To Do
Blocks the user from uninstalling the app: Select to prevent the end user from uninstalling the app when it has been silently installed.
Mail Address: Use variables to define the email address to associate with the app.
Password: Use variable to define the password for the account. If you leave this field empty, the user will be prompted for the password.
Host: Enter the host name of the mail server to use. Enter the fully qualified domain name

of the ActiveSync server. If you are using a Standalone Sentry, enter its fully qualified domain name (FQDN) instead. Example: mysentry.mycompany.com
Server Type: Select the type of mail server.
Username: Use variables to define the username for the account.
Is SSL Required: Select if you want secure communication using https to the server that you specified in the Host field.
Trust All Certificates: Select only if you want the app to automatically accept untrusted certificates. Typically, you select this option only when working in a test environment.
Default Signature: Enter the default signature for all emails. Note that the end user can change this at any time. Once the device user changes it, later changes to this field have no effect.
Max Attachment Size: Enter the maximum size to be allowed for attached files.
Enable Task: Select to synchronize tasks.
Login Certificate Alias: Enter the alias for the login certificate.
Smime Signing Certificate Alias: Not currently supported.
Smime Encryption Certificate Alias: Not currently supported.

Advanced Options
Install on Device: Select to prompt the user to install the app.
Silently install on Samsung SAFE devices: Select to install the app automatically on Samsung SAFE devices.
Do not show app in end user App Catalog: Select if you do not want the app to appear in the app catalog on the device.

10. Select a promotion option.
11. Click Done.

How to Deploy Windows Phone 8.1 and Windows 10 Mobile Devices

Support for Windows Phone 8.1 and Windows 10 devices includes the following abilities:

- Device registration
- Configuration of the device passcode
- Configuration of Exchange
- View device details
- Retiring the device

MobileIron Cloud currently uses the native Windows Phone 8.1 client for device management, so there is no app to download.

How to register Windows Phone 8.1 and Windows 10 Devices

Go to Device Registration (Windows Phone 8.1 and Windows 10 Mobile).

How to configure updates to your Windows installation

To configure your Windows installation update schedule:

1. Go to Configurations.
2. Click Windows Update Configuration to view the Create Windows Update Configuration page.
3. Choose an Auto Update Strategy in the pulldown menu.
4. Set the frequency of updates in the Schedule Installation Day pulldown menu.
5. Select an installation time using the Schedule installation time pulldown menu.
6. Check the Allow Updates from Trusted Publishers checkbox to limit sources for updates to trusted publishers only.
7. Choose an update source from the Update Sources pulldown menu.
8. Enter the URL for the Enterprise WSUS Server you want to supply the update or upgrade.
9. Select the Defer non-security upgrades checkbox to delay upgrades that do not address security issues.
10. Select the Pause Upgrade/Updates checkbox to delay changes to a later date.
11. Use the appropriate pulldown menu to specify a number of weeks or months to delay the update or upgrade.
12. Click Save.

How to configure the device passcode

1. Create a passcode configuration.

2. Complete the options as applicable to Windows Phone 8.1 or Windows 10 devices.
3. Assign the configuration to the Windows Phone 8.1 device group or another device group you have created.

How to configure Exchange

1. Create an Exchange configuration.
2. Complete the options as applicable to Windows Phone 8.1 or Windows 10 devices.
3. Assign the configuration to the Windows Phone 8.1 or Windows 10 device group or another device group you have created.

How to view device details

1. Go to Devices > Devices.
2. Click the link for the device to view the details.

How to retire a device

Go to Retiring a Device.

How to Find the Package ID for an Android App

For public apps available on the Google Play Store:

1. Use a web browser to locate the app in Google Play Store.
2. Select the app.
3. Examine the URL displayed in the browser. The package ID is included in the URL after id= as shown below: ID>

For in-house apps and other apps not available on the Play Store, try downloading Package Name Viewer ( or a similar app on the Google Play Store.

How to Export Configurations

Export your configuration files to send to support for use as a diagnostic aid. You can export a single configuration file to a YAML format file or export all your configurations into a .zip file.

Export Configuration

You can export files from different areas of the Configuration page depending on which configurations you want to export.

Export all the configurations:

1. Go to Configurations.
2. Click the Actions pulldown menu and click Export All Configs with Details. A file with the name Polices _yyyymmdd.zip is downloaded to your device.

Export a customized configuration:

1. Go to Configurations.
2. Click + Add to select a configuration.
3. Follow the steps to customize the configuration.
4. Click Next.
5. Choose a distribution level.
6. Click Done.
7. Select the configuration you just created from the list on the Configuration page.
8. Click the Actions pulldown menu and click Export. A file with the name of the configuration and a timestamp _yyyymmdd.yaml is downloaded to your device.

Export an existing configuration:

1. Go to Configurations.
2. Select an existing configuration.
3. Click the Actions pulldown menu and click Export. A file with the name of the configuration and a timestamp _yyyymmdd.yaml is downloaded.

How to Monitor and Control Which Apps Are Installed

To control which apps are installed on devices, you create an Allowed Apps policy. The policy contains the following information:

- whitelist apps
- blacklist apps

- required apps
- compliance actions

License: Silver

Supported Devices

- Android 5.0 through the most recently released version as supported by MobileIron
- iOS 7 through the most recently released version as supported by MobileIron

Before You Start

The privacy configuration assigned to a device must allow collection of app information in order for an Allowed Apps policy to work correctly. Check the privacy configurations assigned to the devices to which you will apply the Allowed Apps policy. If you are not sure which configurations are affected:

1. Go to Policies > Policy & Compliance.
2. Click +Add.
3. Click Allowed Apps.
4. Under Privacy Configurations, note the configurations that need to be edited.
5. Go to Policies > Configurations.
6. For each privacy configuration you noted:
   a. Select the configuration.
   b. Click Edit.
   c. Under Collect App Inventory, select For All Apps on the Device.
   d. Click Done.

Steps to create an Allowed Apps policy

1. Go to Policies > Policy & Compliance.
2. Click +Add.
3. Click Allowed Apps.
4. In the Name field, type a name for this policy.
5. In the Description field, type optional text that explains the purpose of the policy.
6. Define the whitelist or blacklist apps. Note: You cannot have a whitelist and a blacklist for a device. Creating a whitelist means all other apps are blacklisted.
7. Define the required apps.
8. Select the actions to take when a device is out of compliance.
9. Click Next.
10. Select the device groups that will receive this policy.
11. Click Done.

Steps to define whitelist or blacklist apps

1. In the Allowed Apps policy, select Create a Whitelist or Create a Blacklist.
2. Under Choose Apps, select an app source to search:
   - App Catalog: For any apps listed in your app catalog.
   - Apple Store: For iOS apps not listed in your app catalog.
   - Google Play: For Android apps not listed in your app catalog.
3. Enter text to search for the app you want to add to the list.
4. For the Apple Store, click the flag if you want to search the app store for a different country.
5. Select the app you want to add.
6. Click +Add.
7. Repeat steps 2 through 6 until you have selected all apps for the list.

Steps to define required apps

1. In the Allowed Apps policy, scroll down to Required Apps Rules.
2. Under Choose Apps, select an app source to search:
   - App Catalog: For any apps listed in your app catalog.
   - Apple Store: For iOS apps not listed in your app catalog.
   - Google Play: For Android apps not listed in your app catalog.
3. Enter text to search for the app you want to add to the list.
4. For the Apple Store, click the flag if you want to search the app store for a different country.
5. Select the app you want to add.
6. Click +Add.
7. Repeat steps 2 through 6 until you have selected all apps for the list.

Steps to select compliance actions

1. In the Allowed Apps policy, scroll down to Compliance Action.
2. Use the following guidelines to define the actions to take on devices that violate whitelist, blacklist, or required app rules:

Setting: What To Do
Monitor: Currently always selected.
Blocked via Sentry: Select to remove access to email for registered devices that are out of compliance.
Send message to user: Select to notify the user that the device is out of compliance. Select the types of messages to send: Send an email message, Send a Push Notification. Enter the text required for each type of message.
Quarantine: Not available for Allowed Apps

policies.

Prioritize Configurations

If you select multiple device groups for a configuration, then multiple configurations of the same type might be assigned to a given device. For some configuration types, assigning multiple configurations makes sense. For example, you would assign multiple Wi-Fi configurations to provide access to multiple wireless networks. For other configuration types, only one configuration may be assigned to a device. For example, it does not make sense to assign multiple privacy or passcode configurations. In these cases, MobileIron Cloud uses priorities to decide which configuration is applied.

To prioritize configurations

1. Go to Configurations.
2. Select Actions > Prioritize configs. If Actions is not displayed, then you do not have multiple configurations of a type that requires priorities.
3. Use the arrows to list configurations from highest (top) to lowest (bottom). Note: A lock icon means the configuration's priority cannot be changed without editing the All Devices distribution setting within the configuration.
4. Click Save.

Prioritize Policies

If you select multiple device groups for a policy, then multiple policies of the same type might be assigned to a given device. For other Allowed Apps policies, only one policy may be assigned to a device. Therefore, MobileIron Cloud uses priorities to decide which policy is applied.

To prioritize configurations

1. Go to Policies > Policy & Compliance.

2. Select Actions > Prioritize policies. If Actions is not displayed, then you do not have multiple policies requiring priorities.
3. Use the arrows to list priorities from highest (top) to lowest (bottom). Note: A lock icon means the policy's priority cannot be changed without editing the All Devices distribution setting within the policy.
4. Click Save.

How to Set Up Android for Work

License: Gold

Android for Work is a program offered by Google that enables mobility administrators to:

- Separate work and personal data
- Secure and manage enterprise apps
- Control system apps (such as Camera and Gallery)
- Centrally provision and configure apps in the Android for Work container
- Prevent data loss (screen capture)

You can configure MobileIron Cloud as the EMM server that manages Android for Work. Android for Work requires at least MobileIron Go app for Android 3.0. There are two supported configurations of Android for Work, Device Owner and Managed Profile Employee Owned.

Supported Devices

MobileIron Cloud currently supports Android for Work only on devices that are running Android 5.0 and have Android for Work enabled by the manufacturer. Android for Work is required for Kiosk mode on devices running Android 5.0. Here is a list of supported Android for Work devices.

Before You Start

If you have not already registered your domain with Google, you must first sign up for the program on the Google website:

During the process you will:

- Claim a domain (must match the domain for user addresses)

- Receive a token
- Download a JSON client ID

Both items are required when you set up Android for Work on MobileIron Cloud. After the process, you will receive an email containing instructions for verifying that you own the domain you claimed. If the company has already used its domain name to sign up for Google Apps for Work, see for information on enabling Android for Work.

Connecting MobileIron Cloud with Android for Work

Once you have signed up for Android for Work, set up MobileIron Cloud as the EMM server for Google's program.

Getting Your Android for Work Credentials

To get your Android for Work credentials

1. Go to Admin > Android for Work.
2. Click Google Developers Console.
3. Click the first displayed link to go to the Google Developers Console.
4. Select Create a project from the drop-down menu.
5. Enter a name for the project.
6. Accept the terms of service.
7. Click Create.
8. Click API & auth.
9. Select APIs.
10. Type emm in the Search field to find the Google Play EMM API.
11. Click the Google Play EMM API link.
12. Click Enable API.
13. Click Credentials.
14. Select Service account.
15. Click Create to save the JSON file.

Adding your Android for Work MDM Token to MobileIron Cloud

1. Log into
2. Click Security.
3. If you do not see Android for Work Settings click Show More.
4. Select Android for Work Settings.

5. Under Manage enterprise mobility management provider, copy the MDM token.
6. Return to the MobileIron Cloud portal.
7. Click Done.
8. In box 2, paste the MDM token you just copied.
9. In the Domain field, enter the domain you claimed with Google.
10. Click Choose File and upload the JSON file you downloaded.
11. Click Connect. The message Connected to Google displays when the connection is successful.
12. In box 3 click Authorize to indicate that you want to give MobileIron Cloud access to your Google user data.
13. Click Accept. The message Connected to Users displays in the MobileIron Cloud portal.

Synchronizing users between MobileIron Cloud and Google

Before you deploy Android for Work to Android users managed by MobileIron Cloud, each user must have a corresponding record on the Google Admin Portal. The steps required for synchronizing the user information between MobileIron Cloud and the Google Admin Portal depend on whether you have set up an integration with your organization's directory services (AD/LDAP).

Active Directory/LDAP Users

If you have set up an AD/LDAP integration with MobileIron Cloud, then you must use Google Apps Directory Sync to set up an AD/LDAP integration with the Google Admin Portal. See for more information.

Local Users

If you created only local users in MobileIron Cloud and do not intend to integrate it with a directory service, then complete the following steps to synchronize those users with the Google Admin Portal:

1. Log into the Google Admin Portal at: admin.google.com.
2. Click Users.
3. Click the Add user or Add multiple users icon in the lower right corner.
4. For each MobileIron Cloud user that will use Android for Work, add a Google user with the same username and address as the MobileIron Cloud user.
5. In the MobileIron Cloud portal for each MobileIron Cloud user that was just added to the Google Admin Portal:
   a. Click the username link in the Users tab to display the user's details.
   b. Select Sync the User with Google User Directory.
   c. Click Sync with Google User Directory.
   d. Confirm that Google Status is listed as Enabled.

Deploying Android for Work to Supported devices

Two configurations are required for deploying Android for Work:

- The Android for Work configuration enables Android for Work.
- A Lockdown & Kiosk configuration defines the Android for Work restrictions to apply.

Retiring Registered Devices

Before you deploy Android for Work to devices that are already registered with MobileIron Cloud, you must retire those devices.

To deploy the device

1. In the MobileIron Cloud portal, go to Configurations.
2. Select Android for Work.
3. Click Edit.
4. Click Next.
5. Select All Devices or Custom.
6. If you selected Custom, search for and select the device groups that should receive the Android for Work settings.
7. Click Done.
8. Click Back to list (upper left corner).
9. Click +Add.
10. Click Lockdown & Kiosk.
11. In the Name field, enter text that identifies the configuration.
12. Under Choose Lockdown Type, select Android for Work.
13. Click Next.
14. Click Edit.
15. Select the lockdown settings you want to apply to the target devices.

Setting: What To Do
Name: Enter a name that identifies this configuration.
Description: Enter a description that clarifies the purpose of this configuration.
Disable Screen Capture: Select to prevent devices from using the native screen capture feature.
Disallow Apps Control: Select to prevent users from modifying apps in Settings or launchers.
Disallow Config Credentials: Select to prevent users from setting up user credentials.
Disallow Cross Profile Copy/Paste: Select to prevent devices from copying and pasting to other Android for Work profiles.

16.

Disallow Modify Accounts: Select to prevent users from adding and removing accounts.
Disallow Share Location: Select to prevent websites and apps from prompting the device user to share device location.
Disable Caller ID: Select to prevent the device from identifying itself to other devices when initiating a call.

17. Click Next.
18. Select All Devices or Custom.
19. If you selected Custom, search for and select the device groups that should receive the Android for Work settings.
20. Click Done.

Note: You cannot make changes to the resulting profile once it has been deployed. Instead, you need to create a new Android for Work configuration and deploy it.

Confirming Deployment

You can confirm that Android for Work has been deployed in the following ways:

- Under Users > Users, find the entry for a user, and then check that the Google Status is Enabled.
- Under Devices > Devices, click the link for a device, and then check that status for Android for Work is Enabled.

Google Status for a user should be listed as Enabled. If it is not Enabled, then the user will not be able to register devices.

Note: If Android for Work was set up as Android for Work Accounts, then the user is not shown as Google Status: Enabled until after an Android for Work device is registered. See Android for Work Accounts for more information about Android for Work Accounts.

Deploying Android for Work Apps

Any app developed for Android for Work may include options that you can configure through MobileIron Cloud. To configure the options:

1. In the MobileIron Cloud portal, go to Apps > App Catalog.
2. Find the app in the Google Play Store.
3. Click the app entry.
4. Accept permissions on behalf of Android for Work users.
5. Click Next.

6. Select a distribution option.
7. Expand Advanced Options & App Configuration.
8. Select the options you want to apply.
9. Select a promotion option.
10. Click Done.

Configuring Business Apps

The following Android for Work apps are included in the Business Apps section of the app catalog:

- Divide Productivity

How to set up the Provisioner app

Provisioner is a MobileIron Cloud app used to provision corporate-owned devices so that they can be registered as work managed devices and placed in Device Owner mode. A company-managed device has a corporate profile only and no personal profile. The administrator is able to set over twenty lockdowns on the device that can restrict device functions such as the camera, phone calls, SMS, networking, and more.

The Provisioner app is needed by the device that will initiate the configuration of the Android for Work target device with an NFC bump. To provision corporate-owned devices, install the Provisioner app onto a master device, and use the NFC (near field communication) bump to provision new devices. The bump is tapping the two devices together.

The devices can be provisioned to use one of these MobileIron client apps:

- MobileIron Go app to use with MobileIron Cloud
- At Work EMM, an unbranded client app, to use with MobileIron Cloud.

Provisioning Requirements

To provision a corporate-owned Android for Work device to be a work managed device:

- Corporate-owned native Android for Work-capable devices must be factory reset prior to provisioning.
- Android for Work configuration must be defined and applied to the Android device group.
- An NFC-capable Android device designated to serve as the master or as the template, with the Provisioner app installed.
- Android for Work-capable devices to provision.

Provisioner app

Download the Provisioner app here. Available on Google Play after the MobileIron Go client is released.

Enable Android beam to use NFC bump

To enable the Android beam:

1. Go to Settings on the device.
2. Go to Wireless & networks and click More.
3. Select the NFC checkbox.
4. Click Android Beam and slide the switch to On.

Note: The exact steps may differ slightly for your device.

Provision a corporate-owned device

To provision Android for Work devices to become work managed devices:

1. Install the Provisioner app on the device to be used as the Android master device.
2. Launch Provisioner on the master device.
3. Select an app from the dropdown menu. At Work EMM MDM Mobile@Work MobileIron Go app Vodafone Mobile@Work
4. Enter the information requested by the Provisioner app. Some fields may autopopulate if a supported Wi-Fi type is present. Use these guidelines:

Field: Value
Select app for provisioning: MobileIron Go (select for use with MobileIron Cloud). At Work EMM (unbranded client app; select for use with branded Cloud).
Wi-Fi Network SSID: Enter the Wi-Fi SSID the master device is to use.
Wi-Fi Security Type: Enter the Wi-Fi security type.
Wi-Fi Password: Enter the password for the Wi-Fi.
Time Zone: Enter the local current time zone.
Locale: Enter the locale.

5. Click Continue. The Bump the devices screen is displayed on the master device.
6. With the target device turned on and displaying the Android Welcome screen, press the master device back-to-back with the target device to initiate an NFC

transfer. If the NFC transfer is successful, the target device may make a sound, and then proceed to downloading the chosen client app. If the device is not encrypted, it will start the encryption process before continuing.
7. Continue to provision additional devices by bumping the devices. The target device must display the Welcome screen, and the master device must display the Bump the devices screen.

Register the device

Once the corporate-owned device has been provisioned using NFC bump, it will have the selected MobileIron client app installed. Launch the MobileIron client app and register the device.

Verify the device registration status

To check the registration status of the device go to the Admin Portal:

1. Go to Devices > Devices.
2. Click the link for a device to view the details.
3. The status of the device is listed in the left pane.

How to Set Up AppConnect

AppConnect is a feature that enables you to configure and secure the apps on the devices you manage. Most of the AppConnect functions apply to AppConnect-enabled apps, which include apps available on public app stores and in-house apps developed by your organization. With AppConnect, you can:

- require an additional passcode for accessing AppConnect-enabled apps
- automatically wipe app data for out-of-contact devices
- restrict copy/paste, printing, and open-in actions
- set AppConnect custom configuration settings built into the apps

AppConnect is currently supported for iOS only.

License: Gold

Before you start

Before you can start to use AppConnect with MobileIron Cloud, you need to add AppConnect-enabled apps to your app catalog. For information on AppConnect-enabled apps available in public app stores, see

For each AppConnect-enabled app you add, check the details in the app catalog to make sure the app is compatible with MobileIron Cloud. If the app has the wrong version of AppConnect, a warning message will display in the app details. If you plan to use any custom configuration settings available for an app, you need to provide the keys and values when you add the app to the app catalog. See the documentation for a given app for information on available settings.

Steps

1. Go to Policies > Configurations.
2. Edit the Default AppConnect Device Configuration or add a new one (+Add > AppConnect Device Configuration). Note: The default configuration applies to all devices. You cannot change the distribution option.
3. Complete the form to define your AppConnect device configuration.

How to troubleshoot AppConnect setup

1. Go to Devices > Devices.
2. Select a device that should be AppConnect ready.
3. Check the Configurations tab for the expected device configuration.
4. Check the AppConnect Apps tab to ensure that expected apps have been installed as AppConnect-enabled apps.

Set Up AppTunnel

AppTunnel protects app data by providing app-by-app session security between each app container and the corporate network.

Before you start

AppTunnel depends on Sentry to Complete the Sentry installation before starting the AppTunnel setup tasks.

If you intend to use a SCEP identity:

- Add a local or external certificate authority. A Connector installation is required.

- Add an App Identity Certificate Configuration. This is the SCEP identity you will use when you configure AppTunnel.

To set up Sentry to use AppTunnel with certificates

1. Go to Admin > Sentry.
2. Click + Add Sentry Profile.
3. Click ActiveSync and/or AppTunnel with certificates.
4. Click Next.
5. Use the following guidelines to complete the Global Settings page.

   Setting: What To Do
   Name: Enter a name that identifies this profile.
   Description: Enter a description that clarifies the purpose of this profile.
   External Hostname and Port: Enter the hostname and port for the Sentry.

   Device Authentication Mode
   Use a single certificate for 2-factor auth: Select to use a single certificate for authentication. If you do not already have a certificate uploaded, you can do so in the area displayed below the selected option.
   Use SCEP Identity: Select the app identity certificate configuration you created for your certificate authority.
   Enable certificate revocation list: Select to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA.

   Default Unmanaged Devices Behavior
   Allow unmanaged devices to receive and data: Select if you do not want to block data access for devices that are not managed by MobileIron Cloud.

6. Click Next.
7. In the Sentry Server Configuration page, upload a server certificate.
8. Click Next.
9. Add at least one of the displayed services.
10. Save the profile.

11. Register the Sentry.
12. Go to Admin > Sentry.
13. Assign the profile you just created.

To set up apps to use AppTunnel

1. After Sentry is configured to use AppTunnel, go to Apps > App Catalog.
2. For each app that supports AppTunnel:
   a. Add the app to the app catalog.
   b. Under Advanced Options & App Configuration, scroll to the AppTunnel section.
   c. Select the Sentry profile you created for AppTunnel.
   d. Enter the domain wildcards for the traffic to be tunneled.
   e. Select distribution and promotion options for the app.
   f. Click Done.

How to Set Up Docs@Work

The Docs@Work app enables iOS users to access, store, view, edit, and annotate documents from content repositories, such as Microsoft SharePoint. MobileIron Cloud administrators can set up Docs@Work so that:
- users see all available content repositories
- documents are protected from unauthorized distribution

Users can also configure access to content repositories.

Note: Device users must have a valid user ID and password to access content sites.

Before you start

- Decide which repositories you want to make available. All repositories you configure for Docs@Work are visible to all users. You can provide select users with instructions for accessing restricted repositories.
- Decide whether you want to make each repository a published site. Content on published sites is automatically downloaded and mirrored on devices.
- Collect the following information for each repository:
  - URL for the site
  - type of repository (SharePoint, WebDAV)
  - subtype of repository (Office 365, NetworkDrive, etc.)

Steps

1. Edit the Default AppConnect device configuration or create a new one. If the same settings will apply to all user groups and all AppConnect-enabled apps, then you can edit the default configuration. Only one AppConnect device configuration can be applied to a given device and all AppConnect-enabled apps on that device.
2. Add the Docs@Work app to the app catalog. Under Advanced Options and App Configuration, provide the following information for each content site you want to display in Docs@Work:

   URL: Enter a URL for the content site. The URL must include or Both domain name and IP address are supported.
   Domain: Select the type of content site you are configuring:
     - SharePoint (Select SharePoint for OneDrive for Business.)
     - WebDAV
   Subdomain: Select the subdomain type for the content site:
     - SharePoint: Office 365, Corporate. Select Office 365 if you are configuring OneDrive for Business.
     - WebDAV: NetworkDrive, CloudStorage
   Authentication: Select if you want the device to authenticate to the server.

   Published Site: Select to designate the site as a published site. All content in a published site is automatically downloaded and mirrored locally on the device when the device syncs. If the option is not selected, the user must manually download the content. A Web View site cannot be configured as a published site, and a published site cannot be configured as a Web View site.
     Note: Published sites for SharePoint are not supported at root, site, and subsite levels. Published sites are supported at document library and folder levels. We recommend that published sites be set for publishing documents.
   Web View: Only for SharePoint domains. Select to allow users to view and navigate SharePoint folders in browser view.

   Provide the following information for the published sites:

   Update Interval (Minutes): Specify the update interval for published sites. The default setting is every 60 minutes.
   Max auto download size (MB): Specify the maximum file size for automatic download. Files above this size will not be automatically downloaded. The default setting is 500 MB.
   Max documents per update: Specify the maximum number of documents to update for each updated site. Only the number of files specified will be updated. The default setting is 100 files.
   Update Mode: Specify the method devices can use to update published sites. Select either Wi-Fi Only or Wi-Fi and Cellular. MobileIron recommends using Wi-Fi Only if you support a large number of documents.

   Remember to select a device group for app distribution.

Supported content repositories

SharePoint:
- Microsoft SharePoint 2007
- Microsoft SharePoint

- Microsoft SharePoint 2013
- Microsoft SharePoint Office 365
- OneDrive for Business
  Only OneDrive for Business (with SharePoint and Office 365) is supported. OneDrive (personal online storage for consumers) is not supported.
- Box
- Dropbox
- WebDAV
  - Apache-based WebDAV content repositories
  - IIS-based WebDAV content repositories

Cloud Storage:
- WebDAV
- Box
- Apache-based WebDAV content repositories
- IIS-based WebDAV content repositories

Supported authentication to content repositories

- Basic: SharePoint, WebDAV
- NTLM: SharePoint, WebDAV
- OAuth2: Box, Dropbox

Note: Users on SharePoint must have at least Contribute permissions.

Supported file types

Annotation:
- PDF

Viewing:
- Microsoft Word documents (.doc, .docx)
- Microsoft Excel documents (.xls, .xlsx, .xla, .xlt, .xltx, .xlsm)
- Microsoft PowerPoint documents (.ppt, .pptx, .pot, .potx, .pps, .ppsx)
- Adobe Acrobat documents (.pdf)
- Rich Text Format files (.rtf)
- Plain text files (.txt)
- Comma separated values files (.csv)
- Image files (.png, .bmp, .jpg, .jpeg, .gif, .tiff, .ico)
- Web files (.htm, .xml, .js)
- Apple Pages documents (.pages)
- Apple Numbers spreadsheet files (.numbers)
- Apple Keynote presentation files (.key)
- Quicktime video files (.mov)
- MPEG4 audio/video files (.mp4)

- WAV files (.wav)
- MP3 audio files (.mp3)

Some files that are not supported:
- executable files (for example, .exe, .msi, or .ipa files)
- archive files (for example, .zip, .rar, or .tar files)
- system files (for example, .dll or .sys files)

Supported file types for editing

The following file types are supported for editing:
- Microsoft Word documents (.doc, .docx)
- Microsoft Excel documents (.xls, .xlsx, .xlsm)
- Microsoft PowerPoint documents (.ppt, .pptx)
- Plain text files (.txt)
- Web files (.xml)

Editing and annotating documents

To edit or annotate, users must download the document to My Files. If the file type is not supported for editing, the edit icon will not be available.

Online editing is only available with Office Web Apps. Since Office Web Apps are only supported with SharePoint, Docs@Work supports online editing only with SharePoint folders. Office Web Apps must be enabled on the SharePoint server. If Office Web Apps are not enabled, the edit icon will not be available when you tap to view documents.

User-added sites

Users can add the following types of sites:
- Box
- Cloud Storage
- Dropbox
- Network Drive
- SharePoint

To add corporate sites, the user will need the following information:
- The site's URL. The URL must include or Both domain name and IP address are supported.
- Type of authentication for Network drives. The authentication setting is labeled No Authentication. Device users should enable this setting if the site does not require authentication.
- Type of authentication for SharePoint servers:
  - Corporate: User authenticates with on-premise SharePoint using either Windows NTLM or Forms-based authentication with corporate credentials.

    User credentials can be domain\username or just username, depending on how SharePoint is set up with Windows domain authentication.
  - Office365: User authenticates with Office365 SharePoint using the authentication mechanism supported by Office365. User credentials map to the user's account on Office365 or to the user's AD credentials. If Office365 has been integrated with corporate AD, then the user's SharePoint credentials map to AD credentials.
  - NoAuthn: User doesn't need to provide credentials for authentication. The SharePoint server supports anonymous access.
- Web View. For SharePoint sites, the user can turn on Web View to be able to view and navigate SharePoint folders in browser view.

How To Set Up Kiosk Mode for Android

License: Silver

Kiosk Mode for Android devices enables you to restrict use of a device to specific apps. You might use Kiosk Mode to set up devices for employees who will use only work-specific apps.

When preparing Android devices for Kiosk mode or Device Owner with Kiosk mode, you will need to create a whitelist of apps that you want to be available to users in Kiosk Mode. For devices using Device Owner, you can add apps to the allowed apps list by dragging and dropping to arrange the apps in the order they should appear in the Kiosk Mode launcher when configuring the app. See Lockdown & Kiosk configuration for more information.

Before you start

Before you configure Kiosk Mode for Android devices, make sure you have done the following tasks:
- Installed the MobileIron Go app on the devices.
- Configured the app catalog with the apps that your kiosk configuration will need.
- Distributed the app catalog to the devices that will run in Kiosk Mode.
- Installed the apps that your kiosk configuration will need.
- Optional: Set up Android kiosk branding.

Note: Kiosk mode is supported on Android 5.1 and 6.0. Non-Samsung SAFE must be placed in Device Owner mode to prevent the use of undesired applications.

Important: Some devices have features which can cause the device to draw over the screen or otherwise create an escape from Kiosk mode. The People Edge feature of the Samsung Galaxy S6 Edge is an example of such a feature. We recommend that these types of features be turned off by an administrator before the device is deployed.

Steps

1. Go to Configurations.
2. Click Add+.
3. Click Lockdown & Kiosk.
4. In the Create Settings screen of the Lockdown & Kiosk configuration, complete at least the Kiosk Mode Settings section.
5. In the Distribution screen, select the device groups to receive this configuration.
6. Click Done.
7. For non-Samsung devices, continue with the following steps:
   a. Go to Devices > Devices.
   b. Select the devices you want to enable for kiosk mode.
   c. Select Actions > Force Check-in.
   d. On the devices, launch the MobileIron Go app.
   e. Tap the Kiosk Mode button.
   f. Press the Home button on the device.
   g. If a Choose Launcher dialog appears, tap MobileIron Go Kiosk Launcher and select Always. This step is necessary to ensure that the proper launcher will be used for this feature. Otherwise, the user would be prompted to select a launcher.

Launching Kiosk Mode Remotely

1. Go to Devices > Devices.
2. Add the Kiosk Mode column to the display.
3. Select devices that have Kiosk mode enabled, but are not currently in Kiosk mode.
4. Select Actions > Enter Kiosk Mode.

Disabling Quick Settings in Kiosk Mode

The Quick Settings feature is enabled on Android devices by default. You are now able to enable or disable the Quick Settings feature for a single device or for a group of devices.

1. Go to Policies > Configurations.
2. Click the +Add button.
3. Click Lockdown & Kiosk.
4. Select a Lockdown type.
5. Enable Kiosk mode. When you enable Kiosk mode you now have the following options:
   - Disable Quick Settings
   - Allow User to Access Wi-Fi Settings
   - Allow User to Access Bluetooth Settings
   - Allow User to Access Location Settings

   - Allow User to Delay Application Updates
6. Optionally, you can create a PIN for exiting Kiosk Mode.

Exiting Kiosk Mode

You can exit Kiosk Mode on the device if you set a PIN in the configuration:
1. Tap the Settings icon.
2. Select Exit Kiosk Mode.
3. Tap in the Kiosk PIN field when prompted.
4. Enter the kiosk PIN.

You can exit Kiosk Mode for a specific device from the portal:
1. Go to Devices > Devices.
2. Display the details for the device.
3. Select Actions > Exit Kiosk Mode.

You can also use the following methods to exit Kiosk Mode:
- Delete the configuration
- Disable the configuration
- Remove the device group from the configuration

Set Up Single App Mode for iOS

License: Silver

Single app mode restricts iOS devices to the use of the specified app. For example, you might want to set up devices that can use only a custom app your organization has developed.

Steps

1. Go to Policies > Configurations > Add > Single App Mode.
2. Use the following guidelines to define the app and related settings.

   Setting: What To Do
   Name: Enter a name that identifies this configuration.
   Description: Enter a description that clarifies the purpose of this configuration.

   Choose App: Select the method to use for selecting the app:
     - From App Catalog & System Apps: Select to search the MobileIron Cloud app catalog and system apps (preinstalled on Apple devices by default). Enter the name of the app and select it when it displays in the apps list.
     - Enter Bundle ID: Select to enter the unique identifier for the system app you want to select. Use this option if you cannot find the system app using the From App Catalog & System Apps option.
   Disable Touch: Select to disable the touch screen.
   Disable device rotation: Select to disable device rotation sensing.
   Disable volume buttons: Select to disable the device's volume buttons.
   Disable ringer switch: Select to disable the device's ringer switch.
   Disable sleep wake button: Select to disable the device's sleep/wake button (top right on device rim).
   Disable auto lock: Select to prevent the device from going to sleep after an idle period.
   Enable voice over: Select to enable the VoiceOver screen reader (accessibility feature).
   Enable zoom: Select to enable Zoom (accessibility feature).
   Enable invert colors: Select to enable the invert colors adjustment (accessibility feature).
   Enable assistive touch: Select to enable AssistiveTouch (accessibility feature).
   Enable speak selection: Select to enable Speak Selection (accessibility feature).
   Enable mono audio: Select to switch from stereo to mono audio (accessibility feature).
   Voice over adjustments: Select to allow device users to make VoiceOver adjustments.
   Zoom adjustments: Select to allow device users to make Zoom adjustments.
   Invert colors adjustments: Select to allow device users to invert colors.
   Assistive touch adjustments: Select to allow users to make AssistiveTouch adjustments.

3. Click Next.
4. In the Distribution screen, select the device groups to receive this configuration.
5. Click Done.

Using the Phone dialer as the app

If you have configured the Phone dialer as the app to be used, then the Home button works once after the device enters single app mode.

How to Troubleshoot Sentry Issues

Typical Sentry issues include:
- A device is not getting . Is Sentry blocking access for this device?
- A device is getting , but should not. Why is Sentry not blocking access for this device?

To determine whether Sentry has blocked for a device:
1. Go to Devices > Devices.
2. Click the link for the device.
3. Click the Sentry tab. The following information is displayed:
   - user
   - Sentry hostname
   - user-agent (the client used on the device)
   - status (whether the device's has been blocked)

How to Upgrade In-House Apps

1. Go to Apps > App Catalog.
2. Select the app to be upgraded.
3. Select Actions > Add New Version.
4. Drag and drop the app to the Upload App area or click Choose File to select it from your file system.
5. Select one of the following options based on what you want to do with the previous version of the app:
   - Keep the description, screenshots, and distribution the same: replaces the previous version in the app catalog.
   - Change the description, screenshots, or distribution: includes both versions in the app catalog.
6. Under What's New, enter text that explains to users what is different in the new version.

   This text will be displayed on the device when the user selects the app for installation.
7. If you chose to change descriptions, screenshots, or distribution options, complete those changes.
8. Click Done.

If you chose to keep older versions of the app in the catalog, only one entry will display under Apps > App Catalog. The pane on the far left will indicate the number of apps accounted for by the entry. If you later decide to delete the newer version, the older version will automatically replace it on installed devices.

To display a list of app versions

1. Click the link for the app under Apps > App Catalog.
2. Click the Version tab.
3. If there are multiple versions of the app in the catalog, a drop-down displays the versions.

How to use Apps@Work

Apps@Work enables the use of Windows public and in-house apps on Windows 10 devices in MobileIron Cloud. Apps@Work is already configured and is installed silently on supported Windows 10 devices.

To configure an app for Apps@Work:
1. Select a Windows app.
2. Click the App Configuration tab.
3. Click Install on Device. Windows in-house app configuration can be set to the silent install flag or install using Apps@Work. Public apps cannot be set to silent install.
4. Optionally, choose to display or hide apps in the Apps@Work catalog. This option applies to in-house apps only.

To install an app using Apps@Work:
1. Click the Apps@Work app. Your administrator address and server URL are pre-filled in the Apps@Work login dialog.
2. Enter your password and click Sign In to display the apps page. There are three tabs:
   - featured apps
   - in-house apps
   - store apps
3. Select the in-house apps tab.

4. Select an app to install. A message is displayed stating that a request has been sent to the server to install the app. Click Close.
5. Optionally, select an app from the store apps tab to display the Windows app store.
6. If prompted, enter your username and password for the Windows app store.
7. Click Update and Save to view the App information screen.

How to use Help@Work with TeamViewer

License: Platinum

Help@Work is implemented using TeamViewer. TeamViewer is a third-party app from TeamViewer.com that enables remote support for Android, iOS, and Windows devices. MobileIron Cloud uses TeamViewer to provide remote support for Android devices only. Once installed and configured, it gives a support administrator the ability to access and diagnose problems with users' mobile devices remotely.

Note: TeamViewer is not supported when a device is in Kiosk mode or retired.

Installing TeamViewer

Install the TeamViewer app on the desktop to access and provide support for your users' remote devices.

To install TeamViewer:
1. Download the installation package for the TeamViewer full version for Mac, Windows, or Android from here:
2. Launch the TeamViewer installation program.
3. Select Basic Installation.
4. Select Company / Commercial use.
5. Click Accept - finish.

Requesting a TeamViewer account

You must have a TeamViewer account to provide support using TeamViewer.

To obtain a TeamViewer account:

1. Go to
2. Enter your , name, and password.
3. Click Sign Up.
4. Use the account you entered in step 2 to receive an TeamViewer account activation Complete the instructions in the to activate your TeamViewer account.

Enabling TeamViewer

When a user requests support, select the device and activate TeamViewer:
1. Select the Admin tab in the MobileIron Cloud navigation bar.
2. Select Help@Work on the left navigation pane.
3. In the Setting up Help@Work for Android section, step 1, click EnableTeamViewer.
4. Read the TeamViewer license agreement.
5. Click Agree.

Confirming TeamViewer session ID

TeamViewer generates a session ID when a connection is established between the administrator's computer and the user's mobile device.
1. When the session ID is generated, MobileIron Cloud passes it to the MobileIron Go app (client), which in turn uses this session ID to invoke the TeamViewer client on the device.
2. Your Enterprise License is now activated. This identifies MobileIron customers to TeamViewer so that access is granted.
3. The user is prompted to accept the TeamViewer EULA.

Starting a TeamViewer session

To start a TeamViewer session for a device:
1. Select Devices in the MobileIron Cloud navigation bar.
2. Click on the device that needs support.
3. Click on the Actions pulldown menu and select Start TeamViewer remote control.

If the administrator has a valid TeamViewer token, the desktop client starts with a support session to the device; otherwise the administrator will be required to log in with TeamViewer and grant permissions.

Accessing a user device with TeamViewer

If the TeamViewer QuickSupport app is installed on the device:
1. The Set Up Help@Work screen is displayed and the user is notified that the IT administrator is requesting access to their device.
2. The user clicks Continue to begin the TeamViewer session.

If the TeamViewer QuickSupport app is not installed on the device:
1. The Set Up Help@Work screen is displayed and the user is prompted to install the TeamViewer QuickSupport app. The TeamViewer QuickSupport app may be available from the app catalog or it can be downloaded from Google Play.
2. If access to Google Play is restricted or unavailable, the user is instructed to contact their IT administrator for help obtaining the TeamViewer QuickSupport app.

For more information, see How to Set Up Help@Work for Android.

How to add management of non-iOS devices

License: Gold

You are currently using a version of MobileIron Cloud that is optimized for iOS devices. This section describes how to switch to allow management of non-iOS devices. After switching you will also be able to manage the following devices:
- Android 5.0 through the most recently released version as supported by MobileIron
- Windows Phone 8.1
- Windows 10 mobile and desktop

Important: Switching to include management of non-iOS devices cannot be reversed.

To switch to include non-iOS devices:
1. Click Admin > Allowed Platforms.
2. Click the Allow All Platforms button.
3. Check I understand that this cannot be undone to confirm that you know and understand that this operation cannot be undone.

4. Click the Allow All Platforms button.

Configure MobileIron Tunnel for Android for Work

Tunnel for Android for Work enables you to allow business apps, in-house apps or Google Play Store apps on Android for Work devices to have access to resources behind your firewall. For Android for Work tunnel, the tenant should already have Android for Work settings configured. Follow the steps in Configure VPN Tunnel for Windows and Android to set up a Sentry profile.

To configure Tunnel for Android for Work:
1. Navigate to Apps > +Add to go to the App catalog.
2. Select the Google Play Store.
3. Search for MobileIron Tunnel or click Tunnel (Android) in the Business apps section to add the app.
4. Click Next to begin configuration.
   - Optionally, add a description.
   - Choose a distribution level.
   - Add screenshots if needed.
5. Click the Distribution tab and click Edit to make changes to the distribution level if needed.
6. Click the App Configurations tab to view a summary of the current configuration.
7. Select the Android for Work + icon to display the Configuration Setup.
   - Enter a name for the configuration.
   - Enter the appropriate restrictions your company requires.
8. Select the Restrictions you want to apply.
   - Choose Sentry Server from the drop-down list.
   - Enter a list of applications allowed to access the VPN connection in the AllowedAppList field.
   - Enter a list of applications denied access to the VPN connection in the DisallowedAppList field.
   - Optionally check AllowBypass to allow all apps to bypass the VPN connection.
   - Use the SentryService pulldown menu to select an IP Tunnel service that is defined on Sentry.
   - Use the ClientCertAlias pulldown menu to select a client certificate alias.
   - Use the UINotificationLevel pulldown menu to set the level of UI notifications from VPN.
   - Use the Debuglog pulldown menu to select a level of detail for the logs.

   - Enter a value for the idle timeout time in milliseconds in the TcpIdleTmoMs field.
   - Enter a value for the Tunnel MTU in the MTU field.
   - Enter an address for the person who will receive the VPN plugin logs in the DebugInfoRecipient field.
9. In the Distribute this App Config section, select a distribution option for the configuration that you designed. Your distribution options are:
   - Everyone with App
   - No One
   - Custom
10. Click the Reviews tab to view information on reviews. Export the review data to a spreadsheet if needed.

Configure VPN Tunnel for Windows and Android

Set up a VPN connection between a Windows 10 client or Android client and Sentry using MobileIron Tunnel.

Set up a Sentry Profile

1. Go to Admin > Certificate Authority.
2. Click +Add to add a Certificate Authority to display the Add Certificate Authority dialog.
3. Select a Certificate Authority type to add or create.
   - Add an External Certificate Authority.
   - Create an Intermediate Certificate Authority.
   - Create a Standalone Certificate Authority.
4. Click + Add Description to enter a brief description of the configuration.
5. Set up a Sentry Profile.
6. Go to Admin > Certificate Authority > App Identity Certificate Configuration.
7. To add an External CA, click Continue in the Add an External Certificate Authority box.
   - Enter a name for the Certificate Authority.
   - Use the pulldown menu to select Microsoft as the Certificate Authority Type.
   - Enter the SCEP URL.
   - Enter the Username and Password.
   - Enter the Challenge URL.
   - Click Save.
8. To add an App Identity Certificate Configuration, click the +Add button or click the Actions pulldown menu and select Edit.
   - Enter a name.
   - Select a source from the Source pulldown menu.

   - Select a signature algorithm from the Signature Algorithm pulldown menu.
   - Enter a Subject.
   - Optionally click +Add to choose a Subject Alternate Name Type.
   - Choose a Key Size from the pulldown menu.
   - Optionally, select Use as digital signature.
   - Optionally, select Use as key encipherment.
9. Click Done.

Create a Sentry Profile

1. Go to Admin > Sentry > Add Sentry Profile.
2. Choose ActiveSync and/or AppTunnel with certificate as the authentication.
3. Click Next to display the Global Settings page.
4. Enter a Name and description for the profile in the appropriate fields.
5. Enter the External Hostname using Sentry's Fully Qualified Domain Name (FQDN) and the Port using a port accessible by a managed device.
6. In the Device Authentication Mode section:
   - Select Use a Single Pfx file - all Windows clients use the same certificate
   - Select Use SCEP Identity - use the Certificate Authority set up in the previous steps
   - Optionally, select Enable Certificate Revocation List (CRL).
7. Click Next to display the Sentry Server Configuration page.
8. Select Use Sentry Self-signed certificate or select Upload New Certificate.
9. Click Next to display the Add Services page.
10. Select the MobileIron Tunnel Service for Windows and enter a service name.

Sentry Server Configuration

1. Verify the Https Port. The default value is
2. Choose whether or not to use the Sentry's self-signed certificate. This is selected by default.
3. Uncheck to display the Upload New Certificate link.
4. Click Next.

Add a MobileIron Tunnel Service

1. Choose the Windows/Android icon to add MobileIron Tunnel service for Android.
2. Fill in the service name.
3. Click Save. Click Save and Continue.
4. Use the pulldown menu to choose a Sentry profile and click Assign.

Assign a Sentry Profile

1. Go to Admin > Sentry > Actions and click Assign.
2. Use the pulldown menu to choose a Sentry profile and click Assign.

Set up a client certificate using

1. Go to Policies > Configurations and click Assign.
2. Click Identity Certificate to display the Edit Identity Certificate (Dynamically Generated) Configuration page.
3. Enter configuration details. See Identity Certificate Configuration for more information.

Set up a MobileIron Tunnel Policy for Android for Work

Use these steps to set up a MobileIron Tunnel policy for Android for Work.

Note: If you are not setting up a Tunnel policy for Android for Work, go to the next section, Set up a MobileIron Tunnel Policy.

1. Go to Apps and click +Add.
2. Select Google Play Store.
3. Search for MobileIron Tunnel.
4. Select the app and click Next.
5. Go to Admin > Sentry > Actions.
6. Click Assign -> Choose a Sentry Profile to assign to a Sentry instance.
7. Use the pulldown menu to choose a Sentry profile and click Assign.
8. Select the distribution level. Click Next.
9. In the App Configuration page, select the Android for Work (+) icon. Select the Sentry setting already defined for the tenant.
10. Save the App configuration.

The Tunnel app should be installed from the App catalog when the device is enrolled.

Set up a MobileIron Tunnel Policy

Use these steps to set up a MobileIron Tunnel policy for Windows or iOS devices.

1. Go to Policies > +Add.
2. Select the MobileIron Tunnel policy to display the Create MobileIron Tunnel Configuration page.
3. Enter a name for the configuration.
4. Enter a description.
5. Click the Windows icon to create a Tunnel service for Windows or Android. The Profile Settings section is displayed.

6. Choose a Sentry profile from the Sentry Profile pulldown menu.
7. Choose a Sentry service from the Sentry Service pulldown menu.
8. Enter an address to receive debugging information.
9. Select an Always On position. ON is the default setting. This is a Windows 10 feature that enables the active VPN profile to connect automatically on these triggers: User Signs In, Network change.
   Note: The Always On setting works for Force Tunnel only.
10. If needed, click +Create New Group to create a new list of apps that will have all the traffic flow through VPN.
    - Enter a path for the app in the App Type pulldown menu.
    - Click Lookup Apps to search for Windows 10 apps in the Windows App Store.
    - Enter the name of the app in the search field.
    - Select an app to add it to the App Identifier.
    - In the Traffic Filters section, click +Add to add a filter. All traffic is sent through the tunnel if no filters are configured.
    - Enter an IP address range in the Traffic Filter screen to limit traffic allowed through the tunnel to these IP addresses.
11. In the DNS section, click +Add to add a Domain and DNS Server IP.
12. Click Next.
13. Select a distribution for this configuration.

SCEP Configuration for External Certificate Authorities

This feature enables support for Simple Certificate Enrollment Protocol (SCEP) configuration for external certificate authorities for Windows 10 devices.

Set up an External Certificate Authority

You must first set up an External CA. You can skip to the next section if you already have an External CA.

1. Go to Admin -> Certificate Authority to create an External CA.
2. Enter a name for the Certificate Authority.
3. Use the pulldown menu to select Microsoft as the Certificate Authority Type.
4. Enter the SCEP URL.
5. Enter the Username and Password.
6. Enter the Challenge URL.
7. Click Save.

SCEP Configuration

Now you can proceed with the SCEP configuration.

1. Go to Configuration > +Add.
2. Select the Windows icon.
3. Select Identity Certificate to go to the Create Identity Certificate Configuration page.
4. Enter a name for the configuration.
5. Select Windows Config from the list of SCEP configurations in the Certificate Distribution pulldown menu.
6. Select the External CA.
7. Enter the Certificate Distribution details.
   - Enter the subject. For example: CN=${user Address}
   - Select the number of Retries from the Retry pulldown menu.
   - Select the number of seconds to wait before each entry from the Retry delay pulldown menu.
   - Select a key size from the Key Length pulldown menu.
   - Select at least one certificate usage option.
   - Enter the length of time in the Validity field and pulldown menu.
   - Enter the CA Thumbprint. Go to the SCEP challenge URL, copy the CA Thumbprint, and paste it here, or click Create from Certificate... to upload the certificate from which the CA Thumbprint can be created.
   - Select at least one hashing algorithm from the Hash Algorithm Family options.
8. Click Next.

How to Push SyncML to Devices Using Custom Configurations

You can create your own Synchronization Markup Language (SyncML) configuration files, or get them from a third-party source, and implement custom features by adding them to a custom configuration.

Supported platforms:
- Windows 10 Phone
- Windows 10 Desktop
- Windows 8.1 devices

To enter values for an AppConnect Custom configuration:

1. Go to Policies > Configurations.
2. Click +Add.
3. Click Custom Configuration to display the Create Custom Configuration page.
4. Enter a name for the configuration.
5. Click the Windows OS icon.
6. Drag and drop the SyncML file in the interface or click Choose File to navigate to the file to select for uploading to the device.
   Note: MobileIron Cloud does not perform any validation checks on the code in the file.
7. Click Next.

How to configure Distribution Filters

Use Distribution Filters to limit the apps available for installation. Distribution filters enable you to display only the apps in the app catalog that are applicable to the device.

License: Gold

These filters are available by default:
- AfW Enabled Apps - limits app distribution to Android for Work enabled devices only.
- iPad Only Apps - limits app distribution to iPad devices only.
- iPhone Only Apps - limits app distribution to iPhone devices only.

1. Go to Apps > Distribution Filter. The default app filters and any created app filters are listed here.
2. Click +Add to access the Create Distribution Filter dialog.
3. Enter a name and description in the appropriate fields.
4. Select rule definitions for the filter.
5. Click Create Distribution Filter.
6. If needed, select a custom filter to update.
   a. Click Edit to display the Update Distribution Filter page.
   b. Enter a name and description in the appropriate fields.
   c. Use the pulldown menus to define rules for the filter.
   d. Click Update Distribution Filter.
7. Select an app.
8. On the App Detail page, select the Distribution tab.
9. Click Edit.
10. Choose an App Distribution option:

   - Everyone
   - No one
   - Custom
   Note: The Distribution Filter section is visible only if Everyone or the Custom distribution option is selected.
11. Choose a distribution filter option:
   a. Enter a filter name in the Search the existing distribution filters... field to locate a filter that has already been created.
   b. Click +Add Distribution filter to add a new filter.

Note: Distribution filters can be created or assigned to an app before it's added to the catalog.

How to use the httpproxy command for Connector

A new klish shell command has been created to help edit Connector configuration for your MobileIron Cloud installation. Use this command to change login information and other parameters to configure the connector. The httpproxy command is now available in this release with these requirements:
- klish shell

To configure your connector

1. Log in to klish shell.
2. Enter a ? for a list of available klish shell commands.
3. Enter httpproxy to show the current value of these parameters:
   a. enabled
   b. scheme
   c. server
   d. authtype
   e. username
   f. password
4. Enter httpproxy ? to see a list of commands available for use with httpproxy.
   - authtype - Set the authentication type of the http proxy to NONE, BASIC, or NTLM
   - disable - Disable the http proxy
   - enable - Enable the http proxy

   - host - Set the host of the http proxy - must be an FQDN or an IP either http or https
   - password - Set the Authentication password of the http proxy
   - port - Set the port of the http proxy
   - scheme - Set the scheme of the http proxy - must be either http or https
   - show - Show the current http proxy settings
   - username - Set the authentication username of the http proxy
5. Use the commands listed above to set up your connector instance.
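The custom configuration procedure (How to Push SyncML to Devices Using Custom Configurations, step 6) notes that MobileIron Cloud does not validate the uploaded SyncML file. The following pre-upload check is an added example, not MobileIron code: the sample documents are constructed, and the requirement that every LocURI begins with ./ and the marking of Delete and Exec commands for manual review are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ITEM_COMMANDS = {"Add", "Replace", "Delete", "Exec", "Get"}
CONTAINERS = {"Atomic"}            # groups other commands, carries no Item itself
REVIEW_FIRST = {"Delete", "Exec"}  # assumption: local policy wants a human look


def local(tag):
    """Strip an XML namespace such as {SYNCML:SYNCML1.2} from a tag name."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def review_syncml(text):
    """Return (errors, targets); targets are (command, LocURI, needs_review)."""
    errors, targets = [], []
    upper = text.upper()
    # A configuration payload has no need for a DTD; refuse instead of expanding entities.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return ["DTD or entity declaration present; refusing to parse"], targets
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], targets

    seen_ids = set()
    for elem in root.iter():
        name = local(elem.tag)
        if name not in ITEM_COMMANDS | CONTAINERS:
            continue
        cmd_id = child_text(elem, "CmdID")
        if not cmd_id:
            errors.append(f"<{name}> has no CmdID")
        elif cmd_id in seen_ids:
            errors.append(f"duplicate CmdID {cmd_id} on <{name}>")
        else:
            seen_ids.add(cmd_id)
        if name in CONTAINERS:
            continue
        items = [c for c in elem if local(c.tag) == "Item"]
        if not items:
            errors.append(f"<{name}> CmdID={cmd_id} has no Item")
        for item in items:
            uri = None
            for c in item:
                if local(c.tag) == "Target":
                    uri = child_text(c, "LocURI")
            if not uri:
                errors.append(f"<{name}> CmdID={cmd_id} has an Item without Target/LocURI")
            elif not uri.startswith("./"):
                errors.append(f"<{name}> CmdID={cmd_id} LocURI {uri!r} does not start with ./")
            else:
                targets.append((name, uri, name in REVIEW_FIRST))
    if not seen_ids and not errors:
        errors.append("no SyncML commands found")
    return errors, targets


# Constructed sample: one policy change plus a delete that should be reviewed.
SAMPLE_OK = """<SyncBody>
  <Replace>
    <CmdID>1</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>0</Data>
    </Item>
  </Replace>
  <Delete>
    <CmdID>2</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/Policy/Config/Example/Placeholder</LocURI></Target>
    </Item>
  </Delete>
</SyncBody>"""

# Constructed sample with three defects: relative LocURI, reused CmdID, missing Target.
SAMPLE_BAD = """<SyncBody>
  <Add><CmdID>1</CmdID><Item><Target><LocURI>Vendor/MSFT/Placeholder</LocURI></Target></Item></Add>
  <Replace><CmdID>1</CmdID><Item><Data>1</Data></Item></Replace>
</SyncBody>"""

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, tgts = review_syncml(doc)
        print(label, "errors:", errs)
        for cmd, uri, review in tgts:
            print(f"  {cmd:8} {uri}{'  <-- review before upload' if review else ''}")
```

The target list doubles as a change record: it shows which device settings the file touches before the file is assigned to a distribution.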

More Details

Displaying and Hiding Columns

Most pages that display information in a table let you select which columns to display or hide.

To display or hide columns

1. Click the settings icon (upper right).
2. Select the columns to display.
3. Clear check boxes to hide columns.

When to Edit a Username

When you add a user, the text you enter for the address is automatically listed for the username, as well. In most cases, you should leave the default username in place because:
- A username in the format of an address is required.


More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

This guide provides information on...

This guide provides information on... Managing Users and User Resources This guide provides information on...... The User/Device Grid... The User/Device Profile... Categorizing Users into Local Groups... Managing Applications... Managing Corporate

More information

QuickStart Guide for Managing Mobile Devices. Version

QuickStart Guide for Managing Mobile Devices. Version QuickStart Guide for Managing Mobile Devices Version 10.1.0 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

GRS Enterprise Synchronization Tool

GRS Enterprise Synchronization Tool GRS Enterprise Synchronization Tool Last Revised: Thursday, April 05, 2018 Page i TABLE OF CONTENTS Anchor End User Guide... Error! Bookmark not defined. Last Revised: Monday, March 12, 2018... 1 Table

More information

The following device commands are used most frequently: Lock/Unlock device O - O O. Reset screen password O - O - Factory reset + Initialize SD Card

The following device commands are used most frequently: Lock/Unlock device O - O O. Reset screen password O - O - Factory reset + Initialize SD Card 10 Device management Administrators can install apps on an activated device using device commands and check the profiles settings. Moreover, they can update, delete, or re-install apps installed on users'

More information

Sophos Mobile Control 6.1

Sophos Mobile Control 6.1 Sophos Control 6.1 Feature Matrix, June 2016 Server Admin User Interface Easy-to-use web interface Flexible Dashboard with 22 different widgets Flexible filter mechanism Role-based access Multitenancy

More information

NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown

NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown NotifyMDM for ios Devices, Version 3.x NotifyMDM for ios with TouchDown 1 Table of Contents NotifyMDM for ios

More information

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1 Administering Workspace ONE in VMware Identity Manager Services with AirWatch VMware AirWatch 9.1.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Comodo IT and Security Manager Software Version 6.5

Comodo IT and Security Manager Software Version 6.5 Comodo IT and Security Manager Software Version 6.5 Quick Start Guide Guide Version 6.5.051117 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo IT and Security Manager - Quick Start

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

AT&T Work. Mobility Management Enterprise Admin Guide v.2.0

AT&T Work. Mobility Management Enterprise Admin Guide v.2.0 AT&T Work Mobility Management v.2.0 Table of Contents 1. Introduction... 5 2. Getting Started... 6 Gaining Enterprise Admin Access to MMP... 6 Logging in... 7 Forgot Password... 7 Reset Password... 7 Navigating

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information