iOS AirWatch
1. Setting Up
Before the MindLink application can be deployed to your users it must be added to the management console and set up with the correct configurations and profiles. It is assumed the foundations of a standard AirWatch deployment, such as assignment groups and accounts, have already been set up. This documentation site focuses on the MindLink-specific elements of the deployment process.
Where to begin
Start by heading over to the AirWatch console. To add the MindLink for AirWatch application, go to Apps & Books > Native > Public.
Add the application
In the Public section click the 'Add application' button. Applications can be added from an app installer file, or by searching for them on the App Store or Google Play store (depending on which device OS you are targeting, Apple or Android).
You will want to find our latest app release by searching the App Store or Google Play store - we will use Apple iOS for this guide.
After selecting Apple iOS and using 'MindLink' or 'MindLink for AirWatch' as the Name, click Next to browse search results. With the search term 'MindLink' you can see the Vanilla application, and the one we want: MindLink for AirWatch.
Press + Select for the MindLink for AirWatch application. This will open the App details page. Fill out this page as applicable.
Now click Save & Assign.
Assigning the application
The next screen will request an assignment. If one does not already exist then click the 'Add assignment' button.
In this window, provide an assignment group to determine the device(s) that the application will be assigned to.
Scroll down to enable/disable various functionality. The configuration of these will depend on your deployment requirements, though Managed Access and Make app MDM Managed if user installed are likely to be options you enable regardless.
Once you have configured your assignment click Add. Back on the update assignment page, an assignment is now shown. Save and Publish to assign the application to the device assignment group and apply the configuration settings.
Before completing the publishing process a preview of the devices that will be impacted is shown. Use this view to ensure the desired devices are within the assignment, revising your assignment group(s) if something is not right.
If the devices are correct, complete the process by clicking Publish.
2. Creating the MindLink SDK Profile
To successfully administer the MindLink for AirWatch application you will need to create a MindLink-related SDK profile.
Add a new profile
In the console header click Add.
This will present the drop down. From here choose the Profile option.
Choosing platform
Once you have chosen to create a profile you will have a selection of platforms to choose from - for this guide we will be using Apple iOS.
Configure the SDK Profile
From here you will be able to configure how the MindLink for AirWatch app is controlled.
This Profile should be created to reflect your company's administrative infrastructure. You will also be able to specify whether or not you want to enforce Data Loss Prevention policies, which will then be reflected on the MindLink for AirWatch app.
Save And Publish will then create the SDK Profile, or save changes if you are editing an existing one.
2.1 Enabling the AppTunnel at the SDK level
Configuring the integrated tunnel
Within the MindLink for AirWatch SDK profile there is an option to configure an Integrated Tunnel provided by AirWatch.
Enabling the AW integrated tunnel
In order to enable the AW integrated tunnel, and thus have it applied to MLM for AirWatch, you will want to navigate to the MindLink SDK that was created (or the tab of the one you are creating). From here, you will want to navigate down to the Proxy tab. Tick Enable App Tunnel and select the VMWare Tunnel - Proxy dropdown option.
The rest of this page is up to your deployment, and can be left blank or filled out depending on your requirements. Once this has been done, click Save.
The MindLink for AirWatch app will begin leveraging the AirWatch integrated tunnel.
3. Integrated AppTunnel Device Profile
The AppTunnel is leveraged through the SDK (Section 2, above), so this device profile simply accompanies it and sets the device configurations.
The VMWare App Tunnel will alter how you connect. The AppTunnel is compiled with the deployed application, meaning it does not require a VPN app or profile of its own to leverage the connection.
3.1 Create the Integrated AppTunnel Profile
Navigate to Devices > Profiles & Resources > Profiles
On this page you will either see an existing AppTunnel profile, or need to create one. We assume one has not been created yet.
Click Add > Add Profile
Now select the OS platform - in this case we will use iOS
Configure the Profile
Now the iOS profile must be configured. Much of this will be dependent on your specific deployment.
Because the Integrated AppTunnel is leveraged through the SDK, the device profile just needs to establish the accompanying device configuration. Much of this will depend on your deployment environment and requirements.
3.2 Applying the Integrated Tunnel Device Profile
Add the assignment group to the profile
Once you have a device profile configured, its assignment to devices is achieved through the Assignment Group(s). Open the Integrated App Tunnel Device Profile and it should open on the General page.
To begin editing, press the Add Version button (or, if you are creating the profile for the first time, you should already be able to edit). In the Smart Groups field add the group you want to assign. One of these should already have been created during your initial AirWatch setup, pre-MindLink.
After assigning the group, Save And Publish the Profile. If you use other Profiles for connectivity, namely the Per-app VPN profile, be aware of any conflicts. In the case of switching from the VPN Tunnel, you should remove the group(s) you want to assign to the Integrated Tunnel Profile from the VPN Profile to ensure devices know which connection to make.
4. Per-app VPN Profile
The VPN Profile will alter how you connect. As the name suggests, it is applied on a per-app basis and will alter the behaviour of your application(s) to utilise the AirWatch VPN Connectivity.
4.1 Creating the per-app VPN profile
The VPN and Integrated tunnel profiles are very similar. The process will mostly be the same, with the exception of the VPN tab.
Setting up the app specific VPN profile
Navigate to Devices > Profiles & Resources > Profiles
On this page you will either see an existing AppTunnel profile, or need to create one. We assume one has not been created yet.
Click Add > Add Profile
Now select the OS platform - in this case we will use iOS
Configure the baseline Profile settings
These settings will be dependent on your specific deployment. Configure them accordingly.
Configure the VPN
After configuring the other settings you will want to configure the VPN specific settings, as per your administrative infrastructure.
4.2 Apply the VPN Device Profile
If you use other Profiles for connectivity, namely the Integrated Tunnel Profile, be aware of any conflicts. In the case of the Integrated Tunnel, you should remove the group(s) you want to assign to the VPN Profile from the Integrated Tunnel Profile to ensure devices know which connection to make.
In order to turn it on or off (depending on your administrative preferences), go to the profile and then to the 'VPN' section, where you will want to tick the Per-App VPN rules so that by default MindLink Mobile for AirWatch will use the Per-App VPN as its means of connection.
4.3 Applying the per-app VPN profile to the App
Apply the per-app VPN
To apply the per-app VPN to the app you will want to navigate to the Apps & Books section of the AirWatch console. From here you will want to select the MindLink app that you added earlier (section 5.5). To do this, use the radio button to select the MindLink for AirWatch app that you selected during the deployment stage.
Assign the application
To assign the application, navigate to the top of the Apps & Books section, where you will find the 'Assign' button. Press this button to begin applying the per-app VPN.
Choose assignment group
From here you will want to select the assignment groups that you wish the VPN to be applied to - this will of course depend on the administrative infrastructure of your organisation. From here you will want to click 'Add Assignment'.
Add assignment
Once you have clicked on 'Add Assignment' you will be brought to the screen above. From here you will notice the 'Advanced' tab - this is where you will need to apply the app specific VPN profile that you created.
Select the per-app VPN Profile
The following is done by selecting from a drop down. Assuming that you have configured your app specific VPN correctly, this will 'Push' the assignment down to the groups that were selected beforehand.
View device assignments
Once you have selected the per-app VPN you will be brought to a screen similar to the one above, where you will be shown the list of devices affected by the assignment. This will depend on the assignment group you selected at the beginning of this process. However, this is a chance for you to review the potential changes that will be made and ensure the desired devices are on the list - if your intended device(s) are not shown, then ensure you are using the correct assignment group.
5. Managing Data Loss Prevention Policies
Data Loss Prevention (DLP) controls what data to record, how data is recorded and how this data is distributed. Restrictions on what data can be accessed by external applications can be applied, such as: browser apps for URL links, email apps for email addresses and the mobile number dialler for phone numbers. The level of detail at which devices log information, and how those logs are then distributed, can also be configured.
The AirWatch management console allows many restrictions, controls and policies to be applied that can micro-manage your deployment. However, we will only cover the ones that have a significant impact on the MindLink experience, as more information on the details of AirWatch DLP policies (and the other sections of the administrator console) can be found in AirWatch's own documentation resources.
5.1 Logging & Exporting Logs
When enabled, device logs are recorded on a user's mobile device. The level of detail that a log records can also be configured, along with several factors to determine what process, if any, the logs are exported with.
5.1.1 Managed Logging
The logging process can be configured to suit your requirements.
Manage Globally
If you wish to control logging on a global scale (meaning this will apply to all AirWatch apps, including MindLink) go to Groups & Settings > All Settings > Apps > Settings and policies > Settings.
This is where the options to enable/disable logging can be found. For the user there will be no indication of whether the admin has enabled or disabled Logging, and this change will also NOT be Dynamic (changes will need to be synced with the devices, rather than applying as soon as you save changes).
Logging Level (Global)
If logging is enabled using the method above there will be two additional options for the admin:
- Logging level
- Send logs over WiFi only
The logging level can be configured here, and will also apply to all AirWatch apps.
The second option is entirely up to your deployment requirements.
Manage Per-app
To manage logging on a per-app basis you need to navigate to the specific application. In this case, MindLink for AirWatch.
Go to Apps & Books > (Your MindLink App). Click 'Assign' and edit the assignment. There will be a list of options, which set what device(s) it applies to. Currently there is only one, which applies to all devices.
Set Application Configuration to Enabled. This will add two configuration keys:
- mlmDisableLogging
- mlmDisableVerboseLogging
Set both of these to Boolean and, to enable them, set the Configuration Value to 'true'. Changes made here will be applied dynamically.
5.1.2 Exporting Logs
When logging is enabled the device will record logs. The second half of the Logging DLP configuration will be focused on how to get the logs from the device to the administrator.
Exporting with Email applications enabled
The MDM Console contains restrictions that can limit the user's ability to export their logs.
- The user is not permitted to export logs. Depending on your policies and configurations you may have set a restriction preventing a user from seeing the export logs button in the MindLink App.
- Email applications are restricted. When a user exports logs an email application is used to send the file(s).
Exporting with email applications disabled
If your DLP Policies restrict the usage of Email applications then the user will not be able to use email apps for sending logs. Depending on what other applications are enabled there may be significant restrictions on the ability to export the logs. In some cases this may even prevent users from exporting logs from the MindLink Application.
Disable the user's ability to export
If logging is disabled then the user will not be able to export any logs. From the user's perspective they will still see the send logs button, but pressing it will do nothing.
5.2 URL Browser Invocation
Within the AirWatch management console go to Devices > Profiles & Resources > Profiles. Here you will be able to change restrictions in the relevant device profile (this will depend on your specific configuration, so make sure you know which profile will apply to the device(s) you want to change).
Here you will find your profiles. Yours will be different to the screenshots based on your own deployment, but the concept stays the same.
Select the profile that applies to your target device(s). Simply clicking the name will open it.
Now you must click Add version to start making changes. Navigate to the Restrictions tab.
Once you have made your changes click Save and publish.
View device assignment to preview the devices that will be impacted by the changes. Ensure your desired device(s) show up here. Click Publish once you are ready.
Now the changes will be applied in the console, and the device must Sync in order to receive the latest changes.
5.3 Email Invocation
In order to disable composing email and opening links make sure to do the following:
Go to Groups & Settings -> All settings
Apps -> Settings & Policies
Profiles
Select the MindLink profile that applies to your desired device
Navigate to Restrictions and find the Enable Data Loss Prevention option
Tick the box to enable DLP and find the Enable Composing Email entry.
Then ensure Enable Composing Email is disabled AND ensure Restrict documents to be opened in the following apps is enabled with no apps specified.
Lastly, Save to apply your changes.
If this does not work, double check that these settings are not being overridden from Groups & Settings -> All settings -> Apps -> Settings & Policies -> Security Policies
Scroll down and check the DLP section to ensure the Enable Composing Email setting does not conflict.
Note: Child Permissions are what decide whether the profile settings override these settings or vice versa. They are found at the bottom of the page.
5.4 Mobile Dialler Invocation
To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.
Beginning the assignment
From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.
Edit the assignment
After clicking Assign you will be met with the assignments window.
Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply.)
Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:
Application Configuration
Scroll down to find the Application Configuration section.
Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.
Once enabled the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:
- mlmDisableBrowserInvocation : Disables the use of web browser applications to handle URL links and files in the MindLink application
- mlmDisableEmailInvocation : Disables the use of email applications to handle email addresses in the MindLink application
- mlmDisableDiallerInvocation : Disables the use of the mobile phone dialler to handle phone numbers in the MindLink application
Save the configuration
Once you have entered the preconfigured data it is time to save and push changes to the device.
On the next screen you will see the Save And Publish button.
You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.
Once published the configuration is ready for the device to receive.
DLP Policies on the device
Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and the DLP restriction(s) will be in place.
6. Pre-configuring the username and server details
To start you will want to navigate to Apps & Books > Applications > Native, where your applications should be available.
Beginning the assignment
From the list of applications you will want to select your MindLink app using the radio button (purple box). Then click the Assign button.
Edit the assignment
After clicking Assign you will be met with the assignments window.
Select the assignment group (in our case we simply use 'All devices' but you may have several of your own, so ensure you choose the one you wish to apply.)
Click 'Edit' to make your configuration changes. You will be met with a window similar to the following:
Application Configuration
Scroll down to find the Application Configuration section.
Begin by enabling application configuration. By default this is disabled, and the configuration key section is not shown.
Once enabled the section where configuration keys are added will be shown. The values for this may depend on your setup, but in this case the keys are:
- mlmServerUrl : The server address that the device will connect to.
- mlmLogOnUrl : The name to pre-authenticate the username field with.
Save the configuration
Once you have entered the preconfigured data it is time to save and push changes to the device.
On the next screen you will see the Save And Publish button.
You will then transition to a window to preview the assigned devices, from which you can publish the changes. It may be good to double-check the list of devices to ensure your target device(s) are there, after which you can publish.
Once published the configuration is ready for the device to receive.
Preconfigured values on the device
Once changes have been made to the configuration the device will need to Send Data through the AirWatch device application so that it will sync with the AirWatch console. After a successful sync the configuration changes should push to the device and preconfigure the server URL and/or Username field.
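
The configuration keys in sections 5.1.1, 5.4 and 6 are typed into the console by hand, so a check before publishing is useful. The following is an added example, not MindLink or AirWatch code: it lints a planned list of key / value type / value rows against the keys named in this guide. The row format, the 'Boolean' type label, the policy set and the https requirement for mlmServerUrl are assumptions of the example, and mindlink.example.com is a placeholder.

```python
from urllib.parse import urlsplit

# Configuration keys exactly as listed in sections 5.1.1, 5.4 and 6 of this guide.
BOOLEAN_KEYS = {
    "mlmDisableLogging", "mlmDisableVerboseLogging",
    "mlmDisableBrowserInvocation", "mlmDisableEmailInvocation",
    "mlmDisableDiallerInvocation",
}
STRING_KEYS = {"mlmServerUrl", "mlmLogOnUrl"}
KNOWN_KEYS = BOOLEAN_KEYS | STRING_KEYS


def lint_app_config(rows, required_true=()):
    """Check planned (key, value_type, value) rows; return a list of findings.

    required_true: keys local policy wants enforced (assumption of this example).
    """
    findings = []
    effective = {}  # correctly spelled key -> value as entered
    by_lower = {k.lower(): k for k in KNOWN_KEYS}
    for key, value_type, value in rows:
        if key not in KNOWN_KEYS:
            hint = by_lower.get(key.strip().lower())
            suffix = f" (did you mean {hint}?)" if hint else ""
            findings.append(f"{key}: not a key documented in this guide{suffix}")
            continue
        if key in effective:
            findings.append(f"{key}: entered more than once")
        effective[key] = value
        if key in BOOLEAN_KEYS:
            if value_type.lower() != "boolean":
                findings.append(f"{key}: value type {value_type}, expected Boolean")
            if value not in ("true", "false"):
                findings.append(f"{key}: value {value!r} is not 'true' or 'false'")
        elif not value.strip():
            findings.append(f"{key}: empty value")
        elif key == "mlmServerUrl":
            url = urlsplit(value)
            # Requiring https is this example's policy assumption, not a MindLink rule.
            if url.scheme != "https" or not url.hostname:
                findings.append(f"{key}: {value!r} is not an https URL with a host")
    for key in sorted(required_true):
        if effective.get(key) != "true":
            findings.append(f"{key}: required by policy but not set to 'true'")
    return findings


# Constructed sample input: what an administrator plans to type into the console.
SAMPLE_ROWS = [
    ("mlmDisableBrowserInvocation", "Boolean", "true"),
    ("mlmDisableEmailInvocation", "String", "true"),      # wrong value type
    ("mlmdisableDiallerInvocation", "Boolean", "true"),   # wrong letter case
    ("mlmServerUrl", "String", "http://mindlink.example.com"),  # placeholder host
]
SAMPLE_POLICY = {
    "mlmDisableBrowserInvocation", "mlmDisableEmailInvocation",
    "mlmDisableDiallerInvocation",
}

if __name__ == "__main__":
    for finding in lint_app_config(SAMPLE_ROWS, SAMPLE_POLICY):
        print(finding)
```

On the sample rows the check reports four findings, including the mis-cased dialler key that would otherwise leave that DLP restriction unset while appearing configured in the console.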