MindLink Mobile - MobileIron MDM for iOS
The MindLink Mobile iOS client is available for the MobileIron AppConnect container and leverages MobileIron Tunnel per-app VPN for connectivity.
1. Enable AppConnect
Before enabling AppConnect on your admin portal, confirm that your organization has purchased the required AppConnect licenses. Contact your MobileIron representative if you require additional details on AppConnect license purchases.
- To enable AppConnect and MobileIron Tunnel functionality on the admin portal, navigate to the Settings page
Figure 50 – Navigation menu bar, MobileIron Admin Portal
Check the boxes as shown below.
Figure 51 – Settings for additional products, MobileIron Admin Portal
- Select the option for “Enable AppConnect for third-party and in-house apps”
2. Configure an AppConnect global policy
To modify an existing AppConnect global policy:
On the MobileIron Admin Portal, go to Policies & Configs > Policies
Select an AppConnect global policy
Edit the AppConnect global policy based on your requirements. Please refer to the AppConnect chapter of the VSP Administration Guide for details about each field.
An AppConnect global policy configures the security settings for all AppConnect apps, including whether AppConnect is enabled for the devices the policy is applied to, and the AppConnect passcode requirements.
Figure 52 – Modify AppConnect Global Policy, MobileIron Admin Portal
Note: The AppConnect passcode is not the same as the device passcode.
Figure 53 - AppConnect Passcode settings, MobileIron Admin Portal
- You may opt to modify AppConnect security controls such as out-of-contact timeouts
Figure 54 - AppConnect Security, MobileIron Admin Portal
- Specify the app check-in interval and the default end-user message for when an app is not authorized by default
Note: The app check-in interval is independent of the MDM check-in timer and controls, and apps cannot be forced to check-in before the interval expires. The recommended configuration for the app check-in interval is 60 minutes.
Figure 55 – App Authorization, MobileIron Admin Portal
- You can configure whether AppConnect apps with no AppConnect container policy are authorized by default in addition to other data loss prevention settings.
Figure 56 – Data Loss Prevention policies, MobileIron Admin Portal
3. Configure a new AppConnect container policy
An AppConnect container policy specifies data loss protection policies for the app. The AppConnect container policy is required for an application to be authorized unless the AppConnect global policy allows apps without a container policy to be authorized. Such apps get their data loss protection policies from the AppConnect global policy.
Details about each field are in the AppConnect chapter of the MobileIron Core Administration Guide.
To configure an AppConnect container policy:
- On the MobileIron Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > Container Policy.
Figure 57 – Creating a new configuration, MobileIron Admin Portal
- Enter the Name, Description, and Application.
Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID (com.mindlinksoft.mindlinkmobile.mobileiron). You can find the bundle ID by going to Apps > App Distribution Library and clicking to edit the app. The Inventory Apps field displays the bundle ID in parentheses.
Figure 58 – Creating a new AppConnect Container Policy, MobileIron Admin Portal
- Configure the data loss protection policies according to your requirements.
Figure 59 – Data Loss Prevention policies, MobileIron Admin Portal
4. Configuring MobileIron Tunnel
To ensure the MindLink Mobile for MobileIron app can function within your AppConnect enterprise workspace, you must create a MobileIron Tunnel configuration.
In order to create a MobileIron Tunnel configuration, the following prerequisites must be met:
· MobileIron Sentry (license required) must be deployed within the relevant environment and configured using the MobileIron Administration Portal.
· Configuration can be done by navigating to: Settings > Sentry (Configuration depends on the deployment environment and any potential associated restrictions)
· Please consult the MobileIron Administration guide/manual for deployment and configuration instructions for MobileIron Sentry.
To start configuring MobileIron Tunnel, log into the MobileIron Administration Portal.
- Using the menu bar, navigate to: ‘Policies & Configs’
Figure 60 – Policies & Configs, MobileIron Admin Portal
- Create a VPN setting by selecting: Add New > VPN
Figure 61 - Add New VPN Configuration, MobileIron Admin Portal
- For the fields displayed below to appear you must first select MobileIron Tunnel as your connection type.
Figure 62 - Configure VPN, MobileIron Admin Portal
Next, select the Sentry to be used in this VPN configuration from the drop-down menu. Please Note: A license is required to do this.
Select the Sentry Service (options will be displayed once a Sentry has been selected).
Select an Identity Certificate (the choice of certificate type depends on the deployment environment and any potential restrictions). You may have to create a new Identity Certificate configuration specific to VPN; this process is described in the following section.
Additional (optional) configuration options include Custom Data and, on iOS 10.3 only, the option to specify Safari domains.
The MobileIron Tunnel configuration must now be applied to the application; navigate to: Apps using the navigation bar.
Find the App you wish to apply the configuration to and click the edit icon.
Scroll down to find the option: ‘Per App VPN’
Figure 63 – Apply VPN configuration to App, MobileIron Admin Portal
Ensure that your configuration is in the ‘Selected’ column and click ‘Save’.
Ensure that you apply your newly created VPN configuration to all relevant labels.
On the device, the next time the user checks in:
· The user will receive the latest MDM profile with the updated per App VPN settings
· The next time the app attempts to make a TCP connection or an HTTP request, the VPN is triggered; users can see this in the status bar of their device.
5. Configuring MobileIron AppTunnel
In order to configure the AppTunnel for iOS, you need to complete the following tasks:
1. Enable the AppTunnel on Core through the MobileIron Admin Portal
2. Enable the AppTunnel on the Standalone Sentry
3. Configure device and server authentication on the Standalone Sentry
4. Configure the Sentry with an AppTunnel service
5. Upload the app to MobileIron Core
6. Configure the AppTunnel service in the AppConnect app configuration
For detailed instructions on steps 1-5, refer to the ‘AppConnect and AppTunnel Guide’ on MobileIron’s Support Community website.
For step 6, follow the instructions below:
- Using the menu bar, navigate to Policies & Configs > Configurations
Figure 1.4.5a - Policies & Configs, MobileIron Admin Portal
- Select Add New > AppConnect > App Configuration
Figure 1.4.5b - Add new App Configuration
Enter a name for the AppConnect app configuration, for example MLM AppConnect.
In the Application field, fill in the bundle ID for the MindLink public app: com.mindlinksoft.mindlinkmobile.mobileiron.
In the AppTunnel Rules section, click Add+ to add a new AppTunnel rule.
Figure 1.4.5c - Configure the AppTunnel rule
- SENTRY: Select the Sentry number from the drop-down list.
- SERVICE: Select the service that you configured in the AppTunnel Configuration section of the specified Sentry.
- URL WILDCARD: Enter a URL wildcard that matches the host name of the MindLink server, or the load balancer and each MindLink server if deployed as a pool.
- PORT: Enter the port number that the app requests to access. This should be the same as the configured port for the session service on the MindLink Management Tool.
- IDENTITY CERTIFICATE: Select the Certificate or the Certificate Enrollment setting that you created for app tunneling.
Click Save.
Select the new AppConnect app configuration from the list.
Select More Actions > Apply To Label > iOS > Apply
6. Installing certificates through MobileIron Administration Portal
If the MindLink Mobile server is secured with a certificate issued by an internal CA authority, the CA’s root certificate must be installed as a trusted root certificate on the device.
Installing certificates on devices that use the MobileIron version of MindLink Mobile must be done through the MobileIron Administration Portal.
- Log on to your MobileIron Administration Portal
Figure 64 – MobileIron Admin Portal; Policies & Configs
- Using the top navigation bar, click ‘Policies & Configs’
Figure 65 – Add certificate profile, MobileIron Admin Portal
- Click ‘Add New’ and select ‘Certificates’
Figure 66 – Creating a new certificate setting, MobileIron Admin Portal
Fill in the fields of the New Certificate Setting and browse to the file location of the CA certificate.
Save the New Certificate Setting.
Figure 67 – Apply CA Certificate profile to label
- Apply the newly created Certificate Setting to the desired label(s).
7. Pre-configuring the username and server details
Figure 68 – MobileIron Console
Start by navigating to the MobileIron console; this is where you can make the changes that directly affect the MindLink Mobile for MobileIron app.
Figure 69 – Policies and Configs
Once you have clicked on 'Policies and Configs' you will be brought to a summary page of all the configurations currently set up on your console. For the purpose of this guide you will want to select the configuration that you have already created beforehand. Note that this is the configuration that will be pushed to the device, so make sure that it is applied to the correct label for your fleet of devices.
Figure 70 – Configuration details
Once you've selected the appropriate configuration you will be presented with a summary of its details. In this case the details relate to the app tunnel configuration. When you are ready to make changes, click on 'Edit'.
Figure 71 – Editing configuration details
When you have clicked 'Edit' you will be brought to the above screen. Here you will notice the section 'App-Specific Configurations', which relates directly to the MindLink Mobile for MobileIron app. Here you can match specific key-value pairs (specific to your infrastructure) to the MindLink Mobile app. In the example above the key 'mlmServerUrl' is pointed towards a server running the MindLink Mobile service. You are also able to pre-configure the MLM log on name, which can be seen in the screenshot below.
Figure 72 – Device pre-configured username
As can be seen above, the key set on the console has been pushed to the device, resulting in the pre-configured log on name. Note: the value can be any of the variables that MobileIron Core is capable of understanding (please refer to the AppConnect documentation). These variables are defined in the LDAP configuration for the Core server, which can be found under 'Services > LDAP'. For example, you could use the 'user ID' variable with the samAccountName field attached to it; in that case, test1 is pulled from the samAccountName field and is matched via the $USERID$ variable, as can be seen in Figure 71.
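The following added example (not MindLink's or MobileIron's code) models the app-specific configuration from this section: it resolves a `$USERID$`-style variable from a constructed LDAP record the way the console does before pushing, and then checks that the resolved `mlmServerUrl` is HTTPS and falls within an AppTunnel rule's URL wildcard and port from section 5, so that a mistyped host or port that would bypass the tunnel is caught before the configuration is applied to a label. The key `mlmUserName` is an assumed placeholder for the log-on name key, which the guide does not name, and treating unknown variables as unresolved is an assumption, not documented Core behaviour.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed sample of the "App-Specific Configurations" key-value pairs.
# 'mlmServerUrl' is the key named in the guide; 'mlmUserName' is an assumed
# placeholder for the log-on name key (the guide does not name it).
APP_CONFIG = {
    "mlmServerUrl": "https://mindlink.example.com:8443",
    "mlmUserName": "$USERID$",
}

# Constructed sample AppTunnel rules (URL WILDCARD and PORT fields from section 5).
APPTUNNEL_RULES = [
    {"url_wildcard": "*.example.com", "port": 8443},
]

# Constructed sample of what Core would resolve from LDAP for one user
# (the 'user ID' variable mapped to samAccountName, as in the guide's example).
LDAP_USER = {"USERID": "test1"}

VARIABLE_RE = re.compile(r"\$([A-Z_]+)\$")


def substitute_variables(config, user):
    """Replace $VAR$ tokens with the user's LDAP-backed values.
    Unknown variables are left in place (assumption) so they can be reported."""
    return {
        key: VARIABLE_RE.sub(lambda m: user.get(m.group(1), m.group(0)), value)
        for key, value in config.items()
    }


def tunnel_covers(url, rules):
    """True if the URL is HTTPS and its host/port match at least one AppTunnel rule.
    A host outside every rule's wildcard never enters the tunnel."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    port = parts.port or 443
    return any(
        fnmatch.fnmatchcase(parts.hostname, r["url_wildcard"]) and r["port"] == port
        for r in rules
    )


def validate(config, rules, user):
    """Resolve variables, then return (resolved_config, list_of_problems)."""
    resolved = substitute_variables(config, user)
    problems = []
    if not tunnel_covers(resolved["mlmServerUrl"], rules):
        problems.append("mlmServerUrl is not covered by any AppTunnel rule")
    problems += [f"{k} still contains an unresolved variable" for k, v in resolved.items() if "$" in v]
    return resolved, problems
```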