iOS AirWatch

1 Setting Up

Before the MindLink application can be deployed to your users, it must be added to the management console and set up with the correct configurations and profiles. It is assumed that the foundations of a standard AirWatch deployment, such as assignment groups and accounts, have already been set up. This documentation site focuses on the MindLink-specific elements of the deployment process.

Where to begin
Add New

Start by heading over to the AirWatch console. To add the MindLink for AirWatch application, go to Apps & Books > Native > Public.

Add New

Add the application
In the public section click the 'Add application' button. Applications can be added from an app installer file, or by searching for them on the App Store / Google Play store (depending on which device OS you are targeting: Apple or Android).
You will want to find our latest app release by searching the App Store or Google Play store. We will use Apple iOS for this guide.

Add app

After selecting Apple iOS and using 'MindLink' or 'MindLink for AirWatch' as the Name, click Next to browse search results. With the search term 'MindLink' you can see the vanilla application and the one we want: MindLink for AirWatch.

Search app store

Press + Select for the MindLink for AirWatch application. This will open the App details page. Fill out this page as applicable.

App info

Now click Save & Assign

Assigning the application
The next screen will request an assignment. If one does not already exist, then click the 'Add assignment' button.

Apps & books

In this window, provide an assignment group to determine the device(s) that the application will be assigned to.

Add assignment

Scroll down to enable/disable various functionality. The configuration of these will depend on your deployment requirements, though Managed Access and Make app MDM Managed if user installed are likely to be options you enable regardless.

Add assignment

Once you have configured your assignment click Add. Back on the update assignment page, an assignment is now shown. Save and Publish to assign the application to the device assignment group and apply the configuration settings.

Add assignment

Before completing the publishing process a preview of the devices that will be impacted is shown. Use this view to ensure the desired devices are within the assignment, revising your assignment group(s) if something is not right.

Add assignment

If the devices are correct, complete the process by clicking Publish.


2. Creating the MindLink SDK Profile

To successfully administer the MindLink for AirWatch application you will need to create a MindLink-related SDK profile.

Add a new profile
In the console header click Add.

Add New

This will present the drop down. From here choose the Profile option.

Add profile

Choosing platform
Once you have chosen to create a profile you will have a selection of platforms to choose from - for this guide we will be using Apple iOS

General

Configure the SDK Profile
From here you will be able to configure how the MindLink for AirWatch app is controlled.

Proxy

This Profile should be created to reflect your company's administrative infrastructure. You will also be able to specify whether or not you want to enforce Data Loss Prevention policies, which will then be reflected on the MindLink for AirWatch app.

Save And Publish will then create the SDK Profile, or save changes if you are editing an existing one.


2.1 Enabling the AppTunnel at the SDK level

Configuring the integrated tunnel
Within the MindLink for AirWatch SDK profile there is an option to configure an Integrated Tunnel provided by AirWatch.

Enabling the AW integrated tunnel
In order to enable the AW integrated tunnel, and thus have it applied to MLM for AirWatch, you will want to navigate to the MindLink SDK that was created (or the tab of the one you are creating). From here, you will want to navigate down to the Proxy tab. Tick Enable App Tunnel and select the VMWare Tunnel - Proxy dropdown option.

Proxy

The rest of this page is up to your deployment, and can be left blank or filled out depending on your requirements. Once this has been done, click Save.

The MindLink for AirWatch app will begin leveraging the AirWatch integrated tunnel.


3. Integrated AppTunnel Device Profile

The AppTunnel is leveraged through the SDK (Section 2, above), so this device profile simply accompanies it and sets the device configurations.

The VMWare App Tunnel will alter how you connect. The AppTunnel is compiled with the deployed application, meaning it does not require a VPN app or profile of its own to leverage the connection.


3.1 Create the Integrated AppTunnel Profile

Navigate to Devices > Profiles & Resources > Profiles

Device Profiles

On this page you will either see an existing AppTunnel profile, or need to create one. We assume one has not been created yet.
Click Add > Add Profile

Add - Add Profile

Now select the OS platform - in this case we will use iOS

Select OS Platform

Configure the Profile
Now the iOS profile must be configured. Much of this will be dependent on your specific deployment.

Configure AppTunnel Profile

Because the Integrated AppTunnel is leveraged through the SDK, the device profile just needs to establish the accompanying device configuration. Much of this will depend on your deployment environment and requirements.


3.2 Applying the Integrated Tunnel Device Profile

Add the assignment group to the profile
Once you have a device profile configured, its assignment to devices is achieved through the Assignment Group(s). Open the Integrated App Tunnel Device Profile and it should open on the General page.

Configure AppTunnel Profile

To begin editing, press the Add Version button (or, if you are creating the profile for the first time, you should already be able to edit). In the Smart Groups field add the group you want to assign. One of these should already have been created during your initial, pre-MindLink AirWatch setup.

Configure AppTunnel Profile

After assigning the group, Save And Publish the Profile. If you use other Profiles for connectivity, namely the Per-app VPN profile, be aware of any conflicts. In the case of switching from the VPN Tunnel, you should remove the group(s) you want to assign to the Integrated Tunnel Profile from the VPN Profile to ensure devices know which connection to make.


4. Per-app VPN Profile

The VPN Profile will alter how you connect. As the name suggests, it is applied on a per-app basis and will alter the behaviour of your application(s) to utilise the AirWatch VPN Connectivity.


4.1 Creating the per-app VPN profile

The VPN and Integrated tunnel profiles are very similar. The process will mostly be the same, with the exception of the VPN tab.

Setting up the app specific VPN profile
Navigate to Devices > Profiles & Resources > Profiles

Device Profiles

On this page you will either see an existing AppTunnel profile, or need to create one. We assume one has not been created yet.
Click Add > Add Profile

Add - Add Profile

Now select the OS platform - in this case we will use iOS

Select OS Platform

Configure the baseline Profile settings
These settings will be dependent on your specific deployment. Configure them accordingly.

Configure the VPN

VPN 2

After configuring the other settings you will want to configure the VPN specific settings, as per your administrative infrastructure.


4.2 Apply the VPN Device Profile

VPN 3

If you use other Profiles for connectivity, namely the Integrated Tunnel Profile, be aware of any conflicts. In the case of the Integrated Tunnel, you should remove the group(s) you want to assign to the VPN Profile from the Integrated Tunnel Profile to ensure devices know which connection to make.

To turn it on or off (depending on your administrative preferences), go to the profile and then to the 'VPN' section, where you will want to tick the Per-App VPN rules so that by default MindLink Mobile for AirWatch will use the Per-App VPN as its means of connection.


4.3 Applying the per-app VPN profile to the App

Apply the per-app VPN
Apply VPN

To apply the per-app VPN to the app you will want to navigate to the Apps & Books section of the AirWatch console. From here you will want to select the MindLink app that you added earlier (section 5.5). To do this, use the radio button to select the MindLink for AirWatch app that you would have selected during the deployment stage.

Assign the application
Assign

To assign the application, navigate to the top of the Apps & Books section, where you will find the 'Assign' button. Press this to begin applying the per-app VPN.

Choose assignment group
Update assignment

From here, select the assignment groups that you wish the VPN to be applied to. This will of course depend on your organisation's administrative infrastructure. Then click 'Add Assignment'.

Add assignment
Add assignment

Once you have clicked on 'Add Assignment' you will be brought to the screen above. From here you will notice the 'Advanced' tab. This is where you will need to apply the app-specific VPN profile that you created.

Select the per-app VPN Profile
Select assignment

The following is done by selecting from a drop-down. Assuming that you have configured your app-specific VPN correctly, this will 'push' the assignment down to the groups that were selected beforehand.

View device assignments
Assign device

Once you have selected the per-app VPN you will be brought to a screen similar to the one above, where you will be shown the list of devices affected by the assignment. This will depend on the assignment group you selected at the beginning of this process. However, this is a chance for you to review the potential changes that will be made and ensure the desired devices are on the list. If your intended device(s) are not shown, then ensure you are using the correct assignment group.


5. Managing Data Loss Prevention Policies

Data Loss Prevention (DLP) controls what data to record, how data is recorded and how this data is distributed. Restrictions on what data can be accessed by external applications can be applied, such as: browser apps for URL links, email apps for email addresses and the mobile number dialler for phone numbers. The level of detail at which devices log information, and how those logs are then distributed, can also be configured.

The AirWatch management console allows many restrictions, controls and policies to be applied that can micro-manage your deployment. However, we will only cover the ones that have a significant impact on the MindLink experience; more information on the details of AirWatch DLP policies (and the other sections of the administrator console) can be found in AirWatch's own documentation resources.


5.1. Logging & Exporting Logs

When enabled, device logs are recorded on a user's mobile device. The level of detail that a log records can also be configured, along with several factors to determine what process, if any, the logs are exported with.


5.1.1 Managed Logging

The logging process can be configured to suit your requirements.

Manage Globally
If you wish to control logging on a global scale (meaning this will apply to all AirWatch apps, including MindLink) go to Groups & Settings > All Settings > Apps > Settings and policies > Settings.
This is where the options to enable/disable logging can be found. For the user there will be no indication of whether the admin has enabled or disabled logging, and this change will also NOT be dynamic (changes will need to be synced with the devices, rather than applying as soon as you save changes).

Logging Level (Global)
If logging is enabled using the method above there will be two additional options for the admin:

  1. Logging level
  2. Send logs over WiFi only

The logging level can be configured here, and will also apply to all AirWatch apps.

The second option is entirely up to your deployment requirements.

Manage Per-app
To manage logging on a per-app basis you need to navigate to the specific application. In this case, MindLink for AirWatch.

Go to Apps & Books > (Your MindLink App). Click 'Assign' and edit the assignment. There will be a list of options, which set what device(s) it applies to. Currently there is only one, which applies to all devices.

Set Application Configuration to Enabled. This will add two configuration keys:
- mlmDisableLogging
- mlmDisableVerboseLogging

Set both of these to boolean and, to enable them, set the Configuration Value to 'true'. Changes made here will be applied dynamically.

Assign device


5.1.2 Exporting Logs

When logging is enabled the device will record logs. The second half of the Logging DLP configuration will be focused on how to get the logs from the device to the administrator.

Exporting with Email applications enabled
The MDM Console contains restrictions that can limit the user's ability to export their logs.

  1. The user is not permitted to export logs. Depending on your policies and configurations you may have set a restriction preventing a user from seeing the export logs button in the MindLink App.
  2. Email applications are restricted. When a user exports logs an email application is used to send the file(s).

Assign device

Exporting with email applications disabled
If your DLP Policies restrict the usage of Email applications then the user will not be able to use email apps for sending logs. Depending on what other applications are enabled there may be significant restrictions on the ability to export the logs. In some cases this may even prevent users from exporting logs from the MindLink Application.

Disable the user's ability to export
If logging is disabled then the user will not be able to export any logs. From the user's perspective they will still see the send logs button, but pressing it will do nothing.

5.2 URL Browser Invocation

Within the AirWatch management console go to Devices > Profiles & Resources > Profiles. Here you will be able to change restrictions in the relevant device profile (this will depend on your specific configuration, so make sure you know which profile will apply to the device(s) you want to change).

Devices > Profile

Here you will find your profiles. Yours will be different to the screenshots based on your own deployment, but the concept stays the same.

Device Profile

Select the profile that applies to your target device(s). Simply clicking the name will open it.

Profiles : general

Now you must click Add version to start making changes. Navigate to the Restrictions tab.

Disable Safari

Once you have made your changes click Save and publish.

View device assignment to preview the devices that will be impacted by the changes. Ensure your desired device(s) show up here. Click Publish once you are ready.

Now the changes will be applied in the console, and the device must Sync in order to receive the latest changes.

5.3 Email Invocation

In order to disable composing email and opening links make sure to do the following:

Go to Groups & Settings -> All settings
Groups And Settings > All Settings

Apps -> Settings & Policies
Settings And Policies

Profiles
Settings And Policies : Profiles

Select the MindLink profile that applies to your desired device
Profiles

Navigate to Restrictions and find the Enable Data Loss Prevention option

Restrictions : Data Loss Prevention

Tick the box to enable DLP and find the Enable Composing Email entry.

Disable Composing Email

Then ensure Enable Composing Email is disabled AND ensure Restrict documents to be opened in the following apps is enabled with no apps specified.

Restrict apps

And Save the profile.

Lastly, Save to apply your changes.


If this does not work, double-check that these settings are not being overridden from Groups & Settings -> All settings -> Apps -> Settings & Policies -> Security Policies.

Settings And Policies > Security Policies

Security Policies

Scroll down and check the DLP section to ensure the Enable Composing Email setting does not conflict.

Security Policies : DLP

Note: Child Permissions are what decide whether the profile settings override these settings or vice versa.

Child Permissions

They are found at the bottom of the page.


5.4 Mobile Dialler Invocation

To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.

Assign

Beginning the assignment
Apply VPN

From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.

Apply VPN

Edit the assignment
After clicking Assign you will be met with the assignments window.

Update assignment

Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply.)

Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:

Add assignment

Application Configuration
Scroll down to find the Application Configuration section.

Application Configuration Disabled

Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.

Application Configuration

Once enabled, the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:

  • mlmDisableBrowserInvocation : Disables the use of web browser applications to handle URL links and files in the MindLink application
  • mlmDisableEmailInvocation : Disables the use of email applications to handle email addresses in the MindLink application
  • mlmDisableDiallerInvocation : Disables the use of the mobile phone dialler to handle phone numbers in the MindLink application

Configuration Keys

Save the configuration
Once you have entered the preconfigured data it is time to save and push changes to the device.

Add Application Configuration

On the next screen you will see the Save And Publish button.

Save And Publish

You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.

Once published the configuration is ready for the device to receive.

DLP Policies on the device
Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and the DLP restriction(s) will be in place.


6 Pre-configuring the username and server details

To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.

Assign

Beginning the assignment
Apply VPN

From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.

Apply VPN

Edit the assignment
After clicking Assign you will be met with the assignments window.

Update assignment

Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply.)

Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:

Update assignment

Application Configuration
Scroll down to find the Application Configuration section.

Update assignment

Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.

Update assignment

Once enabled, the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:

  • mlmServerUrl : The server address that the device will connect to.
  • mlmLogOnUrl : The name to pre-authenticate the username field with.

Update assignment

Save the configuration
Once you have entered the preconfigured data it is time to save and push changes to the device.

Update assignment

On the next screen you will see the Save And Publish button.

Update assignment

You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.

Once published the configuration is ready for the device to receive.

Preconfigured values on the device
Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and preconfigure the server URL and/or Username field.

MLM Login Page
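
The configuration keys in sections 5.1.1, 5.4 and 6 are typed into the console by hand, so a misspelled key or a string 'true' where a boolean is expected is easy to miss in review. The check below is an added example, not MindLink or AirWatch code: it assumes the Application Configuration has been transcribed into a plist dictionary, the `required_true` baseline and the https-only rule are assumed local policy, and the sample configuration is constructed.

```python
import difflib
import plistlib
from urllib.parse import urlsplit

# Configuration keys documented on this page and the value type each takes.
KNOWN_KEYS = {
    "mlmDisableLogging": bool,
    "mlmDisableVerboseLogging": bool,
    "mlmDisableBrowserInvocation": bool,
    "mlmDisableEmailInvocation": bool,
    "mlmDisableDiallerInvocation": bool,
    "mlmServerUrl": str,
    "mlmLogOnUrl": str,
}

# Constructed sample: one string-typed boolean, one misspelled key, one http URL.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mlmDisableBrowserInvocation</key><true/>
  <key>mlmDisableEmailInvocation</key><string>true</string>
  <key>mlmDisableDialerInvocation</key><true/>
  <key>mlmServerUrl</key><string>http://mindlink.example.com</string>
</dict></plist>"""


def audit_app_config(plist_bytes, required_true=()):
    """Return sorted findings for one Application Configuration dictionary.

    required_true is the assumed local DLP baseline: keys that must be
    present with the boolean value true.
    """
    config = plistlib.loads(plist_bytes)
    findings = []
    for key, value in config.items():
        expected = KNOWN_KEYS.get(key)
        if expected is None:
            # Suggest the documented key when the name is a near miss.
            near = difflib.get_close_matches(key, list(KNOWN_KEYS), n=1, cutoff=0.8)
            hint = f" (did you mean {near[0]}?)" if near else ""
            findings.append(f"unknown key {key}{hint}")
        elif not isinstance(value, expected):
            findings.append(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    for key in required_true:
        if config.get(key) is not True:
            findings.append(f"{key}: required restriction is not set to true")
    url = config.get("mlmServerUrl")
    if isinstance(url, str):
        parts = urlsplit(url)
        # Assumed policy, not a requirement stated on this page: https only.
        if parts.scheme != "https" or not parts.hostname:
            findings.append("mlmServerUrl: not an https URL with a host")
    return sorted(findings)


if __name__ == "__main__":
    baseline = ("mlmDisableBrowserInvocation", "mlmDisableEmailInvocation",
                "mlmDisableDiallerInvocation")
    for finding in audit_app_config(SAMPLE_CONFIG, baseline):
        print(finding)
```

Run it against the configuration before Save And Publish; an empty result means every key is a documented name with the expected type and the baseline restrictions are set.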