Mobile Secure Deployment

Depending on how your company manages corporate or personal mobile devices, Secure Mobile Device Management (MDM) solutions may be utilised.

The MindLink Mobile application is available in several 'flavours', some of which integrate with MDM solutions.

  • MindLink Vanilla : The unmodified application, typically utilised by environments that do not have MDM solutions deployed. This can be installed straight from the App Store / Play Store.
  • MindLink for AirWatch : a variant of the MindLink application designed for integration with the AirWatch MDM. Deployed / Managed through the MDM console.

MDM Consoles also allow the vanilla application to be uploaded and managed, though it is not recommended to use this method unless you are on another MDM solution that is not included above. Policy & Profile results may not be as effective in this case.


Your MDM Deployment#

If you wish to deploy MindLink using one of the MDM solutions there are two supposed scenarios :

  • you already have an active MDM deployment and wish to integrate MindLink
  • You are looking into a new MDM solution to deploy and manage MindLink with

If you already have a deployed MDM solution you can visit the App deployment section found under Install And Configure. This section will cover the process of adding the MindLink application and applying the MDM policies for further management. Core principles relating directly to the MindLink application will be covered, but the MindLink documentation site does not cover all aspects of the MDMs as they are 3rd party solutions with their own corresponding documentation sites.

If you find these MDM solutions suitable for your needs but do not have one deployed already then please refer to the corresponding MDMs' resources to get your core solution up and running. As MDMs are a 3rd party solution, this site will not cover the process of setting one up. However, once you are up and running you can visit the App deployment section found under Install And Configure to learn how to add and manage the MindLink application through your chosen MDM.


Overview of a secure deployment#

The following diagram shows the configuration necessary for a secure deployment. We make the following assumptions:

The Challenge Response Service and Host Identification Service listen on the same port.

Security on the File Transfer Service, Socket Service and MDS push communication is either globally enabled or disabled.

The same certificate is used to secure the Socket Service and the File Transfer Service.

The management center is used to configure the socket service port, the port of the file transfer web service, and the shared port of the Challenge Response Service and Host Location Service.

By default, the management center configures the socket service host name as the FQDN of the server. This value is customizable in the management center if the organization has its network infrastructure setup, so that clients can make connections to a different address.

If security is enabled, the certificate used to secure the file transfer service and socket service must also be configured. The subject must be the host name of the broker service, and it must be issued by an authority trusted by the device.

  • The relative paths of each HTTP service are hardcoded constants.

  • The Host Location Service returns the details of the socket service and Challenge Response Service to the device.

    File download links are sent in-band with the chat history as direct download links to the file transfer service. Hence, the client must only be configured with the load-balanced URL of the Host Identification Service.


HTTP Proxy#

Given that the client connects to the proxy and not directly to the hostname, port or even potentially the relative path of the actual broker service when using an HTTP proxy, the actual URLs to connect to must be made configurable.

Since the client connects to the URL in its own IT policy or local configuration for the Host Location Service, only the URLs of the Challenge Response Service and the File Transfer Service must be configured on the server via the management center/app config.

  • The Challenge Response Proxy URL and File Transfer Proxy URL are configured on the server via the management center/app config.

  • The proxy URL of the Challenge Response Service is sent to the client in the response from the Host Location Service.

  • The File Transfer Proxy URL is used to form file download links sent to the client in messages.

Note: the security protocol on the proxied URLs is not necessarily linked to whether security is enabled on the server, as the HTTP proxy may be configured to perform HTTPS communication and/or offloading between itself and the client, or itself and the Mobile Broker.

The client is configured with the proxied URL of the load balanced Host Location Service.