MindLink Mobile - Airwatch MDM for iOS


1 Setting Up

Before the MindLink application can be deployed to your users it must be added to the management console and set up with the correct configurations and profiles.

Where to begin

Start by heading over to the AirWatch console. To add the MindLink for AirWatch application, go to Apps & Books > Native > Public.

Add the application

In the Public section click the 'Add application' button. Applications can be added from an app installer file, or by searching for them on the App Store or Google Play store. For your deployment you will want to find our latest release by searching the App Store or Google Play store (depending on which device OS you are targeting; we want Apple iOS for this guide).

After selecting Apple iOS and using 'MindLink' or 'MindLink for AirWatch' as the Name, click Next to browse search results. With the search term 'MindLink' you can see the Vanilla application, the MindLink for MobileIron application and the one we want: MindLink for AirWatch.

Press + Select for the MindLink for AirWatch application. This will open the App details page. Fill out this page as applicable.

Now click Save & Assign

Assigning the application

The next screen will request an assignment. If one does not already exist then click the 'Add assignment' button.

In this window, provide an assignment group to determine the device(s) that the application will be assigned to.

Scroll down to enable/disable various functionality - the configuration of these will depend on your deployment requirements, though 'Managed Access' and 'Make app MDM Managed if user installed' are likely to be options you enable regardless.

Once you have configured your assignment click Add. Back on the update assignment page an assignment is now shown. Click Save and Publish to assign the application to the device assignment group and apply the configuration settings.

Before completing the publish process a preview of the devices that will be impacted is shown. Use this view to ensure the desired devices are within the assignment, revising your assignment group(s) if something is not right. If the devices are correct, complete the process by clicking Publish.


To successfully administer the MindLink for AirWatch application you will need to create a MindLink-related SDK.

Add a new profile

In the console header click 'Add'.

This will present the drop down. From here choose the 'Profile' option.

Choosing platform

Once you have chosen to create a profile you will have a selection of platforms to choose from - for this guide we will be using Apple iOS.

Configure the SDK Profile

From here you will be able to configure how the MindLink for AirWatch app is controlled.

This Profile should be created to reflect your company's administrative infrastructure. You will also be able to specify whether or not you want to enforce Data Loss Prevention policies which will then be reflected on the MindLink for AirWatch app.


3 Enabling the App Tunnel at the SDK profile level

Configuring the integrated tunnel

During creation of the MindLink for AirWatch SDK there is an option to configure an integrated tunnel provided by AirWatch. Assuming this is applicable to your organisation, the following will run through how this can be leveraged by the MindLink for AirWatch app.

Enabling the AW integrated tunnel

In order to enable the AW integrated tunnel, and thus have it applied to MLM for AW, you will want to navigate to the MindLink SDK that was created. From here, you will want to navigate down to the 'Proxy' tab. Tick Enable App Tunnel. Once this has been done (by clicking 'Save'), the MindLink for AirWatch app will be leveraging the AirWatch integrated tunnel.


4. Per-app VPN Profile

The VPN Profile will alter how you connect. As the name suggests, it is applied on a per-app basis and will alter the behaviour of your application(s) to utilise the AirWatch VPN Connectivity.

4.1 Creating the per-app VPN profile

Setting up the app specific VPN profile

To set up an app specific VPN you will want to click on the 'Devices' tab; once this has been opened you will want to view the 'Profiles' section. As shown in the screenshot above you will want to click 'Add' in order to set up the VPN.

Configure the VPN

Once you have successfully started the process to set up the profile you will be greeted with the screen as shown in the above screenshot. From here you will want to configure the VPN specific settings as per your administrative infrastructure.

Turn the per-app VPN on or off

Once you have created the VPN profile, you can turn it on or off (depending on your administrative preferences) by going to the profile and then to the 'VPN' section, where you will want to tick the Per-App VPN rules so that by default MindLink Mobile for AirWatch will use the Per-App VPN as its means of connection.

4.2 Applying the per-app VPN profile

Apply the per-app VPN

To apply the per-app VPN to the app you will want to navigate to the Apps & Books section of the AirWatch console. From here you will want to select the MindLink app that you added earlier (section 5.5). To do this use the radio button to select the MindLink for AirWatch app that you would have selected during the deployment stage.

Assign the application

To assign the application you will want to navigate to the top of the Apps & Books section, where you will find the 'Assign' button. This is what you will want to press in order to begin the application of the per-app VPN.

Choose assignment group

From here you will want to select the assignment groups that you wish the VPN to be applied to - this will of course depend on the administrative infrastructure present in your organisation. From here you will want to click 'Add Assignment'.

Add assignment

Once you have clicked on 'Add Assignment' you will be brought to the screen above. From here you will notice the 'Advanced' tab - this is where you will need to apply the app specific VPN profile that you created.

Select the per-app VPN Profile

The following is done by selecting from a drop down. Assuming that you have configured your app specific VPN correctly this will 'Push' the assignment down to the groups that were selected beforehand.

View device assignments

Once you have selected the per-app VPN you will be brought to a screen similar to the one above, where you will be shown the list of devices affected by the assignment. This will be dependent on the assignment group you selected at the beginning of this process. However, this is a chance for you to review the potential changes that will be made and ensure the desired devices are on the list - if your intended device(s) are not shown then ensure you are using the correct assignment group.


6. Managing Data Loss Prevention Policies

Data Loss Prevention (DLP) controls what data to record, how data is recorded and how this data is distributed. Restrictions on what data can be accessed by external applications can be applied, such as: browser apps for URL links, email apps for email addresses and the mobile number dialer for phone numbers. The level of detail at which devices log information and how those logs are then distributed can also be configured.

The AirWatch management console allows many restrictions, controls and policies to be applied that can micro-manage your deployment. However, we will only cover the ones that have a significant impact on the MindLink experience, as more information on the details of AirWatch DLP policies (and the other sections of the administrator console) can be found in AirWatch's own documentation resources.


6.1. Logging & Exporting Logs

When enabled, device logs are recorded on a user's mobile device. The level of detail that a log records can also be configured, along with several factors to determine what process, if any, the logs are exported with.


6.1.1 Managed Logging

The logging process can be configured to suit your requirements.

Manage Globally

If you wish to control logging on a global scale (meaning this will apply to all AirWatch apps, including MindLink) go to Groups & Settings > All Settings > Apps > Settings and policies > Settings.
This is where the options to enable/disable logging can be found. For the user there will be no indication of whether the admin has enabled or disabled logging, and this change will also NOT be dynamic (changes will need to be synced with the devices, rather than applying as soon as you save changes).

Logging Level (Global)
If logging is enabled using the method above there will be two additional options for the admin:

  1. Logging level
  2. Send logs over WiFi only

The logging level can be configured here, and will also apply to all AirWatch apps.

The second option is entirely up to your deployment requirements.

Manage Per-app

To manage logging on a per-app basis you need to navigate to the specific application. In this case, MindLink for AirWatch.

Go to Apps & Books > (Your MindLink App), click 'Assign' and edit the assignment. There will be a list of options, which set what device(s) it applies to. Currently there is only one which applies to all devices.

Set Application Configuration to Enabled. This will add two configuration keys:
- mlmDisableLogging
- mlmDisableVerboseLogging

Set both of these to boolean and, to enable them, write 'true' in the value field. Changes made here will be applied dynamically.


6.1.2 Exporting Logs

When logging is enabled the device will record logs. The second half of the Logging DLP configuration will be focused on how to get the logs from the device to the administrator.

Exporting with Email applications enabled
The MDM Console contains restrictions that can limit the user's ability to export their logs.

  1. User is not permitted to export logs. Depending on your policies and configurations you may have set a restriction preventing a user from seeing the export logs button in the MindLink App.
  2. Email applications are restricted. When a user exports logs an email application is used to send the file(s).

Exporting with email applications disabled
If your DLP Policies restrict the usage of Email applications then the user will not be able to use email apps for sending logs. Depending on what other applications are enabled there may be significant restrictions on the ability to export the logs. In some cases this may even prevent users from exporting logs from the MindLink Application.

Disable the user's ability to export
If logging is disabled then the user will not be able to export any logs. From the user's perspective they will still see the send logs button, but pressing it will do nothing.

6.2 URL Browser Invocation

Within the AirWatch management console go to Devices > Profiles & Resources > Profiles. Here you will be able to change restrictions in the relevant device profile (this will depend on your specific configuration, so make sure you know which profile will apply to the device(s) you want to change).

Here you will find your profiles. Yours will be different to the screenshots based on your own deployment, but the concept stays the same. Select the profile that applies to your target device(s). Simply clicking the name will open it. Now you must click Add version to start making changes. Navigate to the Restrictions tab.

Disable Safari

Once you have made your changes click Save and publish.

View device assignment to preview the devices that will be impacted by the changes. Ensure your desired device(s) show up here. Click Publish once you are ready.

Now the changes will be applied in the console, and the device must Sync in order to receive the latest changes.

6.3 Email Invocation

In order to disable composing email and opening links make sure to do the following:

Go to Groups & Settings -> All settings

Apps -> Settings & Policies

Profiles

Select the MindLink profile that applies to your desired device

Navigate to Restrictions and find the Enable Data Loss Prevention option

Tick the box to enable DLP and find the Enable Composing Email entry.

Then ensure Enable Composing Email is disabled AND ensure Restrict documents to be opened in the following apps is enabled with no apps specified, and save the profile.

Lastly, Save to apply your changes.



If this does not work, double check that these settings are not being overridden from Groups & Settings -> All settings -> Apps -> Settings & Policies -> Security Policies

Scroll down and check the DLP section to ensure the Enable Composing Email setting does not conflict.

Note: Child Permissions are what decide whether the profile settings override these settings or vice versa. They are found at the bottom of the page.


6.4 Mobile Dialer Invocation

To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.

Beginning the assignment

From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.

Edit the assignment

After clicking Assign you will be met with the assignments window.

Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply).

Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:

Application Configuration

Scroll down to find the Application Configuration section. Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.

Once enabled, the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:

  • mlmDisableBrowserInvocation : Disables the use of web browser applications to handle URL links and files in the MindLink application
  • mlmDisableEmailInvocation : Disables the use of email applications to handle email addresses in the MindLink application
  • mlmDisableDialerInvocation : Disables the use of the mobile phone dialer to handle phone numbers in the MindLink application

Save the configuration

Once you have entered the preconfigured data it is time to save and push changes to the device.

On the next screen you will see the Save And Publish button. You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.

Once published the configuration is ready for the device to receive.

DLP Policies on the device
Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and the DLP restriction(s) will be in place.


7 Pre-configuring the username and server details

To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.

Beginning the assignment

From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.

Edit the assignment

After clicking Assign you will be met with the assignments window.

Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply).

Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:

Application Configuration

Scroll down to find the Application Configuration section. Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.

Once enabled, the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:

  • mlmServerUrl : The server address that the device will connect to.
  • mlmLogOnUrl : The name to preauthenticate the username field with.

Save the configuration

Once you have entered the preconfigured data it is time to save and push changes to the device.

On the next screen you will see the Save And Publish button. You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.

Once published the configuration is ready for the device to receive.

Preconfigured values on the device

Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and preconfigure the server URL and/or Username field.
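
The configuration keys in sections 6.1.1, 6.4 and 7 are typed by hand into the Application Configuration section, so a mistyped key name or a wrong value type can be published without any error. The following Python check is an added example, not MindLink or AirWatch code: it lints a list of key/type/value rows before they are published. The key names come from this guide; the row layout, the sample rows, the Boolean type for the three invocation keys, the DLP baseline and the http:// check are assumptions.

```python
# Added example: lint an Application Configuration before publishing.
# Key names are the guide's; everything else here is an assumption.
BOOLEAN_KEYS = {
    "mlmDisableLogging", "mlmDisableVerboseLogging",
    "mlmDisableBrowserInvocation", "mlmDisableEmailInvocation",
    "mlmDisableDialerInvocation",
}
STRING_KEYS = {"mlmServerUrl", "mlmLogOnUrl"}
KNOWN = BOOLEAN_KEYS | STRING_KEYS
# Assumed DLP baseline: all three invocation restrictions switched on.
DLP_BASELINE = ("mlmDisableBrowserInvocation", "mlmDisableEmailInvocation",
                "mlmDisableDialerInvocation")


def lint_app_config(rows, required_true=DLP_BASELINE):
    """rows: (key, value_type, value) tuples as entered in the console.
    Returns a sorted list of findings; an empty list means clean."""
    findings, seen = [], {}
    for key, vtype, value in rows:
        if key in seen:
            findings.append(f"{key}: duplicate entry")
        seen[key] = (vtype, str(value))
        if key not in KNOWN:
            # Catch capitalisation slips and stray spaces in key names.
            near = sorted(k for k in KNOWN if k.lower() == key.strip().lower())
            hint = f" (did you mean {near[0]}?)" if near else ""
            findings.append(f"{key}: unknown key{hint}")
        elif key in BOOLEAN_KEYS and vtype != "Boolean":
            findings.append(f"{key}: value type {vtype}, expected Boolean")
        elif key in BOOLEAN_KEYS and str(value).lower() not in ("true", "false"):
            findings.append(f"{key}: value {value!r} is not true/false")
        elif key == "mlmServerUrl" and str(value).lower().startswith("http://"):
            findings.append(f"{key}: cleartext http:// server address")
    # A baseline key counts only if present with the exact name, as Boolean true.
    for key in required_true:
        vtype, value = seen.get(key, ("", ""))
        if vtype != "Boolean" or value.lower() != "true":
            findings.append(f"{key}: baseline requires Boolean true")
    return sorted(findings)


# Constructed sample rows, not taken from a real console.
SAMPLE_ROWS = [
    ("mlmDisableBrowserInvocation", "Boolean", "true"),
    ("mlmDisableEmailInvocation", "String", "true"),    # wrong value type
    ("mlmdisabledialerinvocation", "Boolean", "true"),  # wrong capitalisation
    ("mlmServerUrl", "String", "http://mindlink.example.com"),
    ("mlmLogOnUrl", "String", "jane.doe"),
]

if __name__ == "__main__":
    for finding in lint_app_config(SAMPLE_ROWS):
        print(finding)
```

Running it on the constructed rows reports the wrong value type, the miscapitalised key, the cleartext server address and the two baseline restrictions that would therefore not be in force.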
