MindLink Mobile - MobileIron MDM for iOS
The MindLink Mobile iOS client is available for the MobileIron AppConnect container and leverages MobileIron Tunnel per-app VPN for connectivity.
1 Enable AppConnect
Before enabling AppConnect on the MobileIron admin portal, confirm that your organization has purchased the required AppConnect licenses. Contact your MobileIron representative if you require additional details on AppConnect license purchases.
To enable AppConnect and MobileIron Tunnel functionality on the admin portal, navigate to the Settings page.
From the Settings page, expand the 'Additional Products' section on the left menu and select 'Licensed Products'.
Select the option for “Enable AppConnect for third-party and in-house apps”.
2 Configure an AppConnect global policy
Modify an existing AppConnect global policy:
On the MobileIron Admin Portal, go to Policies & Configs > Policies
Select an AppConnect global policy
Edit the AppConnect global policy based on your requirements. Please refer to the AppConnect chapter of the VSP Administration Guide for details about each field.
An AppConnect global policy configures the security settings for all AppConnect apps, including whether AppConnect is enabled for the devices that the policy is applied to, and the AppConnect passcode requirements.
Note: The AppConnect passcode is not the same as the device passcode.
You may opt to modify AppConnect security controls, such as out-of-contact timeouts.
Specify the app check-in interval and the default end-user message for when an app is not authorized by default.
Note: The app check-in interval is independent of the MDM check-in timer and controls, and apps cannot be forced to check in before the interval expires. The recommended configuration for the app check-in interval is 60 minutes.
You can configure whether AppConnect apps with no AppConnect container policy are authorized by default in addition to other data loss prevention settings.
3 Configure a new AppConnect container policy
An AppConnect container policy specifies data loss protection policies for the app. The AppConnect container policy is required for an application to be authorized unless the AppConnect global policy allows apps without a container policy to be authorized. Such apps get their data loss protection policies from the AppConnect global policy.
Details about each field are in the AppConnect chapter of the MobileIron Core Administration Guide.
To configure an AppConnect container policy:
Create a new AppConnect Container Policy
- On the MobileIron Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > Container Policy.
Enter the details
- Enter the Name, Description, and Application.
Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID (com.mindlinksoft.mindlinkmobile.mobileiron). You can find the bundle ID by going to Apps > App Distribution Library and clicking to edit the app. The Inventory Apps field displays the bundle ID in parentheses.
Configure DLP Policies
- Configure the data loss protection policies according to your requirements.
4 Configuring MobileIron Tunnel
To ensure the MindLink Mobile for MobileIron app can function within your AppConnect enterprise workspace you must create a MobileIron Tunnel configuration.
In order to create a MobileIron Tunnel configuration the following prerequisites must be met.
MobileIron Sentry (license required) must be deployed within the relevant environment and configured using the MobileIron Administration Portal.
Configuration can be done by navigating to: Settings > Sentry (Configuration depends on the deployment environment and any potential associated restrictions)
Please consult the MobileIron Administration guide/manual for deployment and configuration instructions for MobileIron Sentry.
To start configuring MobileIron Tunnel log into the MobileIron Administration Portal.
Create a VPN Configuration
Using the menu bar, navigate to: ‘Policies & Configs’
Create a VPN setting by selecting: Add New > VPN
Configure the VPN
For the fields displayed below to appear you must first select MobileIron Tunnel as your connection type.
Next, select the Sentry to be used in this VPN configuration from the drop-down menu. Note: A license is required to do this.
Select the Sentry Service (options will be displayed once a Sentry has been selected).
Select an Identity Certificate (choice of certificate type is dependent on the deployment environment and any potential restrictions). You may have to create a new Identity Certificate configuration specific to VPN; this process is described in the following section.
Additional (optional) configuration options include Custom Data and, on iOS 10.3 only, an option to specify Safari domains.
Apply the VPN Configuration
The MobileIron Tunnel configuration must now be applied to the application; navigate to: Apps using the navigation bar.
Find the App you wish to apply the configuration to and click the edit icon.
Scroll down to find the option: ‘Per App VPN’
Ensure that your configuration is in the ‘Selected’ column and click ‘Save’
Ensure that you apply your newly created VPN configuration to all relevant labels.
Check-in on the device
- On the device, the next time the user checks in:
The user will receive the latest MDM profile with the updated per-app VPN settings.
The next time the app attempts to make a TCP connection or an HTTP request, the VPN is triggered. Users will be able to see this in the status bar of their device.
5 Configuring MobileIron AppTunnel
In order to configure the AppTunnel for iOS, you need to complete the following tasks:
1. Enable the AppTunnel on Core through the MobileIron Admin Portal
2. Enable the AppTunnel on the Standalone Sentry
3. Configure device and server authentication on the Standalone Sentry
4. Configure the Sentry with an AppTunnel service
5. Upload the app to MobileIron Core
6. Configure the AppTunnel service in the AppConnect app configuration
For detailed instructions on steps 1-5, refer to the ‘AppConnect and AppTunnel Guide’ on MobileIron’s Support Community website.
For step 6, follow the instructions below:
- Using the menu bar, navigate to Policies & Configs > Configurations
Add a new app configuration
- Select Add New > AppConnect > App Configuration
- Enter a name for the AppConnect app configuration, for example MLM AppConnect.
Configure the AppTunnel rule
- In the Application field, fill in the bundle ID for the MindLink public app: com.mindlinksoft.mindlinkmobile.mobileiron.
- In the AppTunnel Rules section, click Add+ to add a new AppTunnel rule.
SENTRY: Select the Sentry number from the drop-down list.
SERVICE: Select the service that you configured in the AppTunnel Configuration section of the specified Sentry.
URL WILDCARD: Enter a URL wildcard that matches the host name of the MindLink server, or the load balancer and each MindLink server if deployed as a pool.
PORT: Enter the port number that the app requests to access. This should be the same as the configured port for the session service on the MindLink Management Tool.
IDENTITY CERTIFICATE: Select the Certificate or the Certificate Enrolment setting that you created for app tunnelling.
Save and apply the configuration
- Click Save.
- Select the new AppConnect app configuration from the list.
- Select More Actions > Apply To Label > iOS > Apply
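A way to review a candidate URL WILDCARD value before saving the AppTunnel rule, so that it covers the load balancer and every pool member without also covering hosts that should not be tunnelled. This is an added example, not MindLink or MobileIron code; it assumes `*` matches any run of characters and everything else is literal (check the Sentry documentation for the exact matching rules), and all host names are constructed.

```python
import re

def wildcard_to_regex(pattern):
    # Assumption of this example: '*' matches any run of characters and
    # every other character is literal; host names compare case-insensitively.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)

def review_wildcard(pattern, required_hosts, out_of_scope_hosts):
    """Report hosts the rule fails to cover and hosts it should not cover."""
    rx = wildcard_to_regex(pattern)
    missing = [h for h in required_hosts if not rx.fullmatch(h)]
    overreach = [h for h in out_of_scope_hosts if rx.fullmatch(h)]
    return {"missing": missing, "overreach": overreach,
            "ok": not missing and not overreach}

# Constructed sample inventory: a load balancer plus two pool members.
POOL = ["mlm-lb.corp.example", "mlm01.corp.example", "mlm02.corp.example"]
# Constructed hosts that the MindLink rule should not match.
OUT_OF_SCOPE = ["hr.corp.example", "mlm01.corp.example.other.test"]

if __name__ == "__main__":
    for candidate in ("mlm*.corp.example", "mlm0*.corp.example",
                      "*.corp.example", "mlm*"):
        print(candidate, review_wildcard(candidate, POOL, OUT_OF_SCOPE))
```

A rule that reports anything under `missing` leaves part of the pool unreachable through the tunnel; anything under `overreach` means the rule is broader than the MindLink deployment needs.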
6 Installing certificates through MobileIron Administration Portal
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
Installing certificates on devices that use the MobileIron version of MindLink Mobile must be done through the MobileIron Administration Portal.
Go to Policies & Configs
- Log on to your MobileIron Administration Portal
- Using the top navigation bar, click ‘Policies & Configs’
Add a new certificate profile
- Click ‘Add New’ and select ‘Certificates’
- Fill in the fields of the New Certificate Setting and browse to the file location of the CA certificate.
Save and apply
- Save the New Certificate Setting.
- Apply the newly created Certificate Setting to the desired label(s).
7 Configuring Data Loss Prevention policies
Data Loss Prevention (DLP) policies manage the restrictions the device places on data.
By default, the policy allows most actions, such as copy-paste and opening content in any application. This includes the native apps and MobileIron AppConnect applications such as web@work or mail@work.
Some content may require external access to other applications, such as email addresses opening in a native device application, phone numbers opening the device dialler or links and documents opening in web browser applications.
The DLP Settings are adjusted in the AppPolicy configuration, under the Security Policies section. Go to Policies & Configs > Configurations > configuration name [AppPolicy] and click 'edit'.
The Open In setting will determine how other applications are utilised to handle scenarios such as opening files, email addresses or phone numbers:
- All Apps: Sets no restrictions on which applications can be used.
- AppConnect Apps: Only allow opening in the AppConnect applications. If they aren't installed, opening will not be possible.
- Whitelist: Only allow opening in the specifically provisioned applications. If the applications aren't installed, opening will not be possible.
- When all apps are permitted, the default browser will be the native browser (Safari, Chrome or other) on the device.
- If you set the policy to AppConnect apps only, then Web@work is the browser application provided by MobileIron.
- If you set it to whitelist, then a web app will need to be whitelisted to be allowed.
- When all apps are permitted, the default browser will be the native browser (Safari, Chrome or other) on the device.
- If you set the policy to AppConnect apps only, then email@work is the browser application provided by MobileIron.
- If you set it to whitelist, then an email app will need to be whitelisted to be allowed.
- When all apps are permitted, the dialler will be allowed.
- If you set the policy to AppConnect apps only, then the dialler will not be allowed.
- If you set it to whitelist, then the dialler will need to be whitelisted to be allowed.
The admin can 'enable logging' within MobileIron, which allows them to configure the logging settings. However, logging is always enabled to some level within MobileIron: the admin cannot disable it, but can manage the specific logging settings, including the logging level, from the admin console.
Go to Policies & Configs > MindLink Beta AppConnect > Edit. Go to the app-specific configurations; from here you can enable or disable logging. Use the key MI_AC_ENABLE_LOGGING_TO_FILE and set the value to 'Yes' or 'No'.
This determines the level of detail that the logs record.
Within the MobileIron console, go to Policies & Configs > MindLink Beta AppConnect > Edit (top right) and scroll down to the app-specific configuration.
Use the key MI_AC_LOG_LEVEL and set the value to one of the following:
While logging is enabled, the mobile device stores logs in files created locally. These logs can then be exported from the device to a recipient. Usually this is done by exporting the log file through the native email application or through whichever mail application is compatible with the MDM in use (see Email invocation for details on this).
If either the admin or the user enables logging the export option will be enabled in-app. If logging is disabled then there will be no export button.
Trying to export the log files using an app not managed by MobileIron will not be allowed.
- While logging is enabled the log button will be shown.
- When logging is disabled then the button will be disabled. It will return an error stating there is no file (if logging is not enabled then no log files will have been created)
Disable Safari (iOS)
Safari can be disabled outright.
To enable or disable Safari in MobileIron, go to Policies & Configs > Configurations > iOS Cloud Restrictions > Edit and scroll down to the Application Restrictions section. There will be a check box for Safari.
Once you have set it as required, click Save and make sure the configuration is pushed to your device. If Safari isn't working, also check the MindLink For MobileIron Beta AppPolicy, as this has restrictions for open-in app settings.
8 Pre-configuring the username and server details
Start by navigating to the Configurations tab. This is where you will be able to make the changes required to preconfigure the server URL and/or Logon name.
The list of configurations will be different in your deployment, depending which ones you have created. The preconfigured values are added to the AppConfig configuration.
Editing the AppConfig Configuration
Once you've selected the appropriate configuration you will be presented with a summary of the details. In this case the details relate to the app tunnel configuration. When you are ready to make changes click 'Edit'
This is the section of the selected configuration where the keys and values are added.
Here you can match specific key-value pairs (specific to your infrastructure) to the MindLink Mobile app. In the example the key 'mlmServerUrl' is pointed towards a server running the MindLink Mobile service and 'mlmLogOnName' specifies the username.
Note: the value can be any number of the variables that MobileIron Core is capable of understanding (please refer to the AppConnect documentation). These variables are defined in the LDAP configuration for the Core server, which can be found under Services > LDAP. For example, you could use the 'user ID' variable with the sAMAccountName field attached to it, so that test1 is pulled from the sAMAccountName field and matched via the $USERID$ variable.
As seen in the screenshot below, there are two keys:
- mlmServerUrl: The full server URL
- mlmLogOnName: The name that will populate the username field
These cannot be edited on the device, so ensure they are correctly formatted to allow successful connection and authentication.
Save the configuration
Once you have applied your keys, save the configuration with the save button.
Apply changes to device(s)
Once you have made your changes they will need to be pushed to the device(s). To do this, select the configuration you have made changes to and apply it to the relevant label. This part will depend entirely on how your MobileIron deployment is configured as you will be using your own labels.
Preconfigured values on the device
Once changes are applied to the correct label(s) the device should check for updates within the MobileIron application. When the new configuration changes are pushed to the device the keys should be applied and the URL and/or Username should be preconfigured with the values you gave.
Preconfigured values cannot be edited on the device, so if there is an issue it needs addressing in the MobileIron Admin Console.
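Because preconfigured values cannot be corrected on the device, a pre-flight check of the key-value pairs before applying them to a label catches formatting mistakes early. The following is an added example, not MindLink or MobileIron code: the key names come from this page, while the variable shape (modelled on $USERID$), the https requirement and the sample host name and port are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Well-formed substitution variable, shaped like the page's $USERID$ example.
VARIABLE = re.compile(r"\$[A-Za-z0-9_]+\$")

def check_app_config(cfg):
    """Return a list of problems found in an app configuration dict."""
    problems = []
    if "mlmServerUrl" in cfg:
        url = cfg["mlmServerUrl"]
        if not url or url != url.strip():
            problems.append("mlmServerUrl: empty or has surrounding whitespace")
        else:
            try:
                parts = urlsplit(url)
                host = parts.hostname
            except ValueError:
                parts, host = None, None
            if parts is None or parts.scheme not in ("http", "https") or not host:
                problems.append("mlmServerUrl: not a full URL (scheme and host)")
            else:
                if parts.scheme == "http":
                    # Policy assumption of this example: require TLS.
                    problems.append("mlmServerUrl: plain http, expected https")
                if parts.username or parts.password:
                    problems.append("mlmServerUrl: credentials embedded in URL")
    if "mlmLogOnName" in cfg:
        name = cfg["mlmLogOnName"]
        if not name.strip():
            problems.append("mlmLogOnName: empty")
        elif "$" in VARIABLE.sub("", name):
            # A stray '$' means a variable such as $USERID$ is incomplete.
            problems.append("mlmLogOnName: malformed substitution variable")
    flag = cfg.get("MI_AC_ENABLE_LOGGING_TO_FILE")
    if flag is not None and flag not in ("Yes", "No"):
        problems.append("MI_AC_ENABLE_LOGGING_TO_FILE: must be 'Yes' or 'No'")
    return problems

# Constructed sample configurations; host name and port are placeholders.
GOOD = {"mlmServerUrl": "https://mlm.corp.example:7074",
        "mlmLogOnName": "$USERID$", "MI_AC_ENABLE_LOGGING_TO_FILE": "No"}
BAD = {"mlmServerUrl": "mlm.corp.example:7074 ",
       "mlmLogOnName": "$USERID", "MI_AC_ENABLE_LOGGING_TO_FILE": "true"}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_app_config(cfg) or "ok")
```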