Professional Documents
Culture Documents
0
Revised: January 7, 2011
Overview
This release focuses on the following new features:
• Android Support
• In-house App Distribution for iOS
• Redesigned Apps Management UI
• App Control Feature
• BlackBerry 6.0 Support
• Windows Phone 7 Support
• Registration PIN and/or Password (Android/iOS)
• SMS Archive Package
• Expanded Events
• Outbound HTTP Proxy for Gateway Transactions and System Updates
• Specifying Eligible Platforms for Registration
• API Additions
See the MobileIron Release Notes for information on other changes, resolved issues,
and known issues.
Company Confidential
1
Android Support
Android 2.2 is now supported. The following table summarizes the feature support in
this first release of MobileIron for Android.
Provisioning Android
Lock yes
Wipe yes
Selective Wipe (Email) yes10, 13
Certificate Exchange
Distribution only10
Encryption Policy (Internal Stor- Exchange
age) only10
Password Policy yes
Privacy Policy yes
Block Registration by OS yes
Locate (via Cell Tower) yes
Locate (via GPS) yes
Sentry Access Control Android
Company Confidential
2
Mobile Activity Intelligence Android
International
Roaming yes
Event Center
Alerting partial12
MyPhone@Work Android
Register yes
Lock yes
Wipe yes
Find It yes
11 SMS archiving coverage is not complete for this platform. Also, there are certain devices for which the SMS data is not
currently available.
12 One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
13 Selective wipe of email for this platform is accomplished via retiring or wiping the device; it is not accomplished using
the Selective Wipe command.
Company Confidential
4
3. In the Registration Preferences section, enter the URL for the custom page in the
Landing Page URL After Device Registration field as follows:
http://<URL>Click Save.
Optional Syntax
If available, the following values are added to the end of the URL:
?email=<email_address>&name=<user_ID>
The email address and user ID are the values associated with the user’s MobileIron
account. Include these optional elements if you to design a page that is customized
based on this information. For example, you might want to use the <user_ID> to pro-
vide a personalized welcome on the page.
Note: If you intend to use these optional elements, be sure that the web server host-
ing the custom page will accept them.
Example: http://www.mycompany.com?name=jsmith
Company Confidential
5
In-house App Distribution for iOS
In previous releases, MobileIron enabled only a recommended list of public apps,
requiring users to initiate and complete a download process via the Apple Store.
MobileIron now also supports the distribution of in-house apps.
http://www.apple.com/iphone/business/apps/in-house/resources.html.
Prerequisites
Basic app distribution requires:
• iOS 4.1 or later
For the complete functionality, including updates to badging resulting from inventory
data, the following are also required:
• Participation in the Apple iDEP program
• iOS MDM features enabled (Settings | Preferences)
For details on implementing and enabling MDM support for MobileIron, see the mate-
rials posted on the MobileIron Support site.
Company Confidential
6
1. In Smartphone Manager, select Apps & Files | App Distribution.
4. Click Next.
Company Confidential
7
In-house App is selected by default.
5. Click Browse and navigate to the in-house app (.ipa) you want to upload.
6. If this app is designed only for iPads, set the iPad Only option to Yes.
7. Click Next.
The Add App Wizard examines the selected bundle to ensure that it meets require-
ments for in-house apps distributed for iOS devices. If the bundle is acceptable, the
following screen displays.
Company Confidential
8
8. Use the following guidelines to complete the items in this screen:
Item Description
App Name Displays the App Name defined for the bundle. You can
edit this text to display a different name to users. Note
that app names longer than 25 characters will be trun-
cated when displayed on the device.
Display Version Enter the version number to be displayed to users. You
may enter numerals and periods (.) in this field.
Bundle Version Displays the version defined for the bundle. This item is
not editable.
Description Enter any additional text that helps describe what the
app is for. This text appears on the in the MobileIron app
on target devices (under the app name in the In-House
Apps list).
Featured Select No if you do not want to highlight this app in the
Featured apps list. On the device, the user can tap a but-
ton to display all recommended and in-house apps or a
subset of featured apps. Note that the Message feature
for iOS apps applies only to featured apps and those
installed apps for which an update is available. See
“Informing Users of New Apps and Upgrades for Featured
Apps” on page 15 for information.
Company Confidential
9
Item Description
Data Protection Select Yes to require that data protection be enabled in
Required order to install this app.
Note: Devices without data protection enabled will not
see the app at all in the In-house Apps list on the device-
and will not know that data protection compliance is
required. Therefore, you may want to communicate the
requirement to users.
Provisioning Profile Displays the identifier for the provisioning profile incorpo-
rated in the bundle.
Category Select a category if you would like this app to be dis-
played in a specific group of apps on the device. Click the
here to define new categories.
9. Click Next.
Company Confidential
10
10. Use the following guidelines to complete this page:
Item Description
App Icon Required. Select the icon to be used to
represent this app. The file must be in
JPG, PNG, or GIF format. PNG is recom-
mended for best resizing results. Accept-
able dimensions are 57x57 pixels, 72x72
pixels, or 114x114 pixels.
iPhone and iPod Select up to 4 optional screenshots to dis-
touch screenshots play for the app. Screenshots must be in
JPG, PNG, or GIF format and one of the
following dimensions specifications:
320x480 pixels
640x960 pixels
480x320 pixels
960x640 pixels
iPad screenshots Select up to 4 optional screenshots to dis-
play for the app. Screenshots must be in
JPG, PNG, or GIF format and one of the
following dimensions specifications:
1024x768 pixels
768x1024 pixels
The provisioning profile for the app is also stored on the VSP and is displayed in the
App Settings page.
Company Confidential
11
Adding an App to an Apps List
Once you have added an iOS app (recommended or in-house) to the app distribution
library, you need to select one or more labels to specify which iOS devices should have
the app displayed in an apps list.
1. In Smartphone Manager, select Apps & Files | App Distribution.
Company Confidential
12
5. Select the label that represents the iOS devices on which you want the selected app
to be listed.
6. Click Publish.
7. If you have not done so already, consider linking any recommended app to the cor-
responding entry in the app inventory. This step will help with app tracking because
the name you assign to the app is not likely to be the same as the name reported
by the app once it is installed. You should also consider testing the first installation
of each recommended app so that you can record the corresponding reported app
name. See “Linking Recommended Apps to Inventory Apps” on page 14.
If the user starts the app on the device, the badge appears next to the appropriate
app list. The number on the badge indicates the number of apps available.
If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes the MobileIron VSP to be updated. You can
address user concerns by using the Wakeup Client command to force the MobileIron
Client to update the VSP.
Company Confidential
13
Linking Recommended Apps to Inventory Apps
Recommended apps display in the “App Store apps” list using the app name you spec-
ified when you added it to the app distribution library. However, the App Inventory
page displays the name reported by the app. This name can often be quite different.
Also, the # of Devices Installed list in the App Dist page does reflect installations.
Therefore, to facilitate tracking of installed apps, you may want to create a link
between the two names.
Company Confidential
14
4. Select the corresponding inventory app name from the Inventory Apps list.
5. Click Save.
Once the link is established, the # of Devices Installed column in the App Distribu-
tion screen displays the correct number. You should consider changing the app
name as specified in any app control rules to ensure it matches the official name.
Company Confidential
15
2. Select iOS from the Select Platform list.
3. Select the app you want to work with.
4. Click Message.
5. Click Send.
An APNS message is sent to the devices for whom the app was published. The mes-
sage includes buttons that enable the user to install or upgrade the app.
Company Confidential
16
Again, the message is sent only for apps configured as featured apps in the app
distribution library.
Company Confidential
17
Redesigned Apps Management UI
The apps management UI has been redesigned to accommodate new features and
streamline common procedures. The following figure shows the new Apps & Files tab.
App Settings
The Application Settings menu is now called App Settings. Also note that SCEP is now
available from the main menu and no longer appears under the iOS submenu. This
change reflects SCEP support for additional platforms.
App Distribution
The Application Catalog has been replaced with an App Distribution page, as shown in
the following figure.
Company Confidential
18
Pick a Platform First
The new procedure for preparing apps for distribution starts with selecting a platform
from the Select Platform list. The procedure, required information, and available
actions differ by platform. Picking a platform is also necessary for displaying the exist-
ing apps and managing them.
Add an App
Once you select a platform, you can click the Add App button to start entering the
required information.
For iOS, clicking Add App starts the Add App Wizard, which leads you through the rest
of the procedure, including the selection of recommended or in-house apps. Recom-
mended apps are the same as recommended apps available in previous versions of
MobileIron. In-house apps are apps developed by your organization for internal distri-
bution. The following figure shows an example of a screen from the Add App Wizard.
For all other supported platforms, clicking Add App displays a dialog specific to the
selected platform. These dialogs resemble those from previous versions of MobileIron,
except that they have been tailored for the selected platform. The following figure
shows an example.
Company Confidential
19
Manage Apps
For iOS devices, once you have added an app, you can perform the following tasks:
• Send a message about new or updated apps
• Delete an app
• Apply the app to a label to facilitate distribution
• Remove the app from a label
Note that deleting an iOS app also removes the provisioning profile from the devices
on which the app was installed. This prevents those devices from running the app.
For other supported platforms, once you have added an app, you can perform the fol-
lowing tasks:
• Delete an app
• Install an app
• Uninstall an app
• Publish an app
• Unpublish an app
Company Confidential
20
App Inventory
The App Inventory page displays detected apps that were installed after the produc-
tion image was applied to the device. These include apps that are not managed by
MobileIron. You can filter these apps by platform, label, and app name.
App Control
The App Control page enables you to define app control rules for use in security poli-
cies.
Each app control rule specifies that the apps meeting the specified criteria be desig-
nated as either Required, Allowed, or Disallowed. See “App Control Feature” on
page 22 for more information about using app control rules.
Company Confidential
21
App Control Feature
iOS4.x
App Management Android BlackBerry iOS + MDM7 Symbian webOS WinMo 5 WinMo 6.x Win 7
App Control
Policy yes yes yes yes yes - yes yes -
The app control feature enables you to exert control over which apps are installed on
managed devices. Using app control rules, you can define which apps are required,
allowed, or disallowed. You can then associate these rules with a security policy that
specifies the consequences of being out of policy. Consequences include blocking
ActiveSync access, sending an alert (configured in Event Center) to the specified
administrator and user, and displaying a warning icon in the All Smartphones page.
App control applies to all MobileIron-supported platforms except webOS and Win 7.
The app control rule defines which apps you want to control. Security policies specify
which devices the rules are applied to and the actions to associate with a rule viola-
tion. The alert determines the information that is sent as the result of rule violation,
as well as the recipients of the information.
Company Confidential
23
App Control Rules Applied in Security Policies
The following figure shows app control rules applied in a security policy. In this case,
ActiveSync access will be blocked and an alert will be generated if the specified apps
are detected on a device to which the security policy is applied.
Company Confidential
24
Adding an App Control Rule
To add an app control rule:
1. In Smartphone Manager, select Apps & Files | App Control.
2. Click Add.
Company Confidential
25
3. In the Name field, specify an identifier for this rule.
4. For the Type option, select the type of rule you want to define:
• Required: This rule specifies criteria for apps that MUST be installed.
• Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of
all other apps.
• Disallowed: This rule specifies criteria for apps that MUST NOT be installed.
5. Under Rule Entries, specify one or more criteria to match the name of the app you
want to control:
• Select IS or CONTAINS to indicate whether to use an exact match. Note that if
you selected Required, then you must select IS.
• In the App Search String, enter the app name text you want to match. Do not
enter wildcards.
• In the Device Platform list, select the platform to which you want to apply this
entry.
• In the optional Comment field, you can enter a note about the purpose of the
entry.
6. To add an additional entry, click the + icon.
7. Click Save when you are finished.
The following figure shows an example of an app control rule with criteria for disal-
lowed apps.
Company Confidential
26
8. Specify the rule in the appropriate security policies to apply the rule to managed
devices.
Company Confidential
27
5. Select the checkbox for the App Control rules option.
6. In the dropdown list, select the action you want to perform if the rule is violated.
You can select from:
• Block ActiveSync and Send Alert: Prevents the device from accessing email via
ActiveSync and generates a policy violation alert, if configured in Event Center.
• Send Alert: Generates a policy violation alert if configured in Event Center.
7. Under Rule Type: Required, select the rules you want to apply, if any, and click the
arrow button to move them to the Enabled list.
8. To apply allowed-type or disallowed-type rules, select either Rule Types: Allowed or
Rule Types: Disallowed. You may not select both in the same security policy.
9. Select the allowed-type or disallowed-type rules you want to apply and click the
arrow button to move them to the Enabled list.
10. Click Save.
11. Go to Event Center to configure App Control alerts.
Company Confidential
28
Configuring App Control Alerts
To enable app control alerts:
1. In Smartphone Manager, select Event Center | All Events.
2. Select Add New | Policy Violation Event.
Item Description
Disallowed app found Generate an alert if a disallowed app is
found on a designated device.
App found that is not in Generate an alert if an app is found that
Allowed Apps list is not on the Allowed Apps list for the
designated device.
Required app not found Generate an alert if a required app is not
found on a designated device.
Company Confidential
29
6. Click Save.
Icon Description
App control violation
Select the entry for a device in violation to see details in the device details pane, as
shown in the following figure.
Company Confidential
30
App Control, App Inventory, and Privacy Policies
App control and app inventory features are influenced by the new Apps setting in pri-
vacy policies. By default, it is set to Sync Inventory, which ensures that information
about installed apps is sent to the VSP. If you set Apps to None, then app control
rules, in-house app notifications, and any other features dependent on inventory data
will not function.
Company Confidential
31
BlackBerry 6.0 Support
This release includes support for BlackBerry 6 devices. MobileIron functionality is
much the same as with previous BlackBerry versions. The following differences should
be noted:
• The Lock feature does not lock the device if the user has not already set a passcode
for the device.
Company Confidential
32
Windows Phone 7 Support
This release includes base device management support for Windows Phone 7 via
ActiveSync:
• Password Policy
• Device Inventory
• Device Details
• Allow / Block
• Wipe
• ActiveSync Policy
Note: There is no MobileIron client for Windows Phone 7; therefore users do not reg-
ister their devices with MobileIron. Use the ActiveSync Smartphones page to view
Windows Phone 7 devices that are accessing enterprise email via ActiveSync. Use the
ActiveSync Policies page to manage these devices.
Company Confidential
33
Registration PIN and/or Password (Android/
iOS)
Previously, registration of iOS devices required only a user name, password, and
server name from the device user. This remains the default behavior. However, you
now have the option to require a MobileIron-generated Registration PIN in place of or
in addition to the password. This feature also applies to newly-supported Android
devices.
Note that the iOS registration procedure for the device user has changed slightly to
accommodate this change. Specifically, the Server Name field now displays first
instead of together with the other fields requiring input for registration.
Company Confidential
34
SMS Archive Package
iOS4.x +
Android BlackBerry iOS MDM Symbian webOS WinMo 5 WinMo 6.x WIn 7
SMS
Archive - yes - - -11 - -11 -11 -
11 SMS archiving coverage is not complete for this platform. Also, there are certain devices for which the SMS data is not
currently available.
Setting Description
Forward SMS as Select On to enable the SMS Archive package.
Email
Default From Enter the email address to display in the From
Address field of the emails generated for archiving the
SMSes.
Destination Email Enter the email addresses for the archival sys-
Addresses tems to which the generated emails are being
sent. Separate the email addresses with com-
mas (,).
Company Confidential
35
Setting Description
Host/IP Addresses Enter the host name or IP address of each SMTP
server to use for relaying the email to the SMS
archival destinations. You may specify the same
SMTP server that you specified when you config-
ured the VSP. If you specify multiple addresses,
then MobileIron attempts to connect to each in
the order specified until a successful connection
is established.
TLS Enabled Select Yes if you want to enable TLS for interac-
tions with the SMTP relay server.
STARTTLS Required If you selected Yes for the TLS Enabled option,
indicate whether the STARTTLS protocol is
required for the specified SMTP servers.
SMS Delivery Inter- Enter the number of hours that the VSP should
val wait before forwarding collected SMSes to their
archival destinations. The default value is 4.
Company Confidential
36
4. Set the SMS option to Sync Content.
Company Confidential
37
3. Note the Number of SMS in Queue statistic at the bottom of the section.
A large number of queued SMSes can mean high activity or a problem with SMTP
connectivity. Click the Check SMTP Connection to confirm connectivity. See “Over-
riding the SMS Delivery Interval” on page 38 for information on attempting to
deliver SMSes by overriding the delivery interval.
Company Confidential
38
Expanded Events
System events and policy violations events have been enhanced to include several
additional scenarios.
System Events
The following table lists the system events that have been added.
Event Description
Sentry (standalone and integrated) can- Generates an alert if the MobileIron
not reach EAS server Sentry is unable to contact the Active-
Sync server.
Sentry (standalone and integrated) is Generates an alert if the MobileIron
unreachable VSP is unable to contact the MobileIron
Sentry.
Provisioning Profile Expired Generates an alert if an iOS provision-
ing profile distributed via MobileIron
has expired. In general, this profile will
be associated with an in-house app.
SMTP Relay server is unreachable Generates an alert if the configured
SMTP relay does not respond to a ping
or SMTP ping.
See Settings | Preferences in Smart-
phone Manager for the configured
SMTP relay.
SMTP Relay server error Generates an alert if the configured
SMTP relay returns an error. The alert
includes available details to enable
troubleshooting.
See Settings | Preferences in Smart-
phone Manager for the configured
SMTP relay.
Company Confidential
39
Event Description
SMS Message archive queue is full Generates an alert if the queue of mes-
sages to be archived exceeds 100. This
indicates a possible problem with the
service, causing a backlog in the
queue.
In response to this alert, you should
check the health of the SMTP relay
server and confirm that it is correctly
configured under Settings | Prefer-
ences in Smartphone Manager.
MAI data processing has not succeeded Generates an alert when 24 hours has
for more than 24 hours elapsed since the last time the MAI
data processing task ran successfully.
If the task was initiated (automatically
or manually) during that 24 hour
period, but failed, then the alert will
still be generated. Contact MobileIron
Support for information on trouble-
shooting this issue.
You can schedule this service, check its
status, or launch it manually from
Mobile Activity Intelligence | Settings in
Smartphone Manager.
Event Description
App Control
Disallowed app found Generates an alert if an app that is
specified as Disallowed is not installed
on a device. Apps are specified as
Required, Allowed, or Disallowed under
Apps & Files | App Control.
App found that is not in Allowed Apps Generates an alert if an app that does
list not appear on the list of allowed apps
has been detected on a device. Apps
are specified as Required, Allowed, or
Disallowed under Apps & Files | App
Control.
Company Confidential
40
Event Description
Required app not found Generates an alert if an app that is
specified as Required is not installed on
a device. Apps are specified as
Required, Allowed, or Disallowed under
Apps & Files | App Control.
Device Settings
Passcode is not compliant Generates an alert if a device is
detected having a passcode that does
not meet the requirements specified in
the associated security policy.
iOS
iOS Configuration not compliant Generates an alert if an iOS device
does not have the expected security
policy or application settings. This state
may indicate that a setting was
changed or was not applied success-
fully.
Data Protection is disabled Generates an alert if an iOS device has
its Data Protection feature turned off.
Restored Device connected to server Generates an alert if a previously wiped
device has been restored and attempts
to connect through MobileIron.
Android
Disallowed Android OS version found Generates an alert if an Android device
having a disallowed OS version is
detected. You can specify disallowed
versions in the security policy.
Compromised Android device detected Generates an alert if a compromised
Android device is detected. That is, an
Android user has obtained or provided
an app with root access to the device.
Company Confidential
41
Outbound HTTP Proxy for Gateway Transactions
and System Updates
You can now configure an outbound HTTP proxy for the MobileIron VSP. This proxy is
intended primarily for organizations that require an HTTP proxy for communications
with the MobileIron Gateway and for system updates. MapQuest requests are also
routed through this proxy.
Company Confidential
42
3. Use the following guidelines to complete the fields in this section:
Field Description
HTTP Proxy URL Enter the URL for the outbound HTTP
proxy.
HTTP Proxy Auth Enter the authentication name for the
Name HTTP proxy.
HTTP Proxy Auth Enter the authentication password for the
Password HTTP proxy.
HTTP Client Connect Specify the amount of time to wait for the
Timeout connection setup to complete.
HTTP Client Socket Specify the amount of time to wait for a
Timeout response from the proxy server.
4. Click Save.
At this point, the settings are saved, but not applied. See MobileIron Support for
help with applying these settings.
Company Confidential
43
Specifying Eligible Platforms for Registration
In some cases, you may want to exclude from registration all devices of a particular
platform. For example, if corporate policy dictates that a particular device platform
will not be supported, you may want to prevent users from selecting the platform dur-
ing self registration. Likewise, you may want to prevent helpdesk personnel from mis-
takenly registering the unsupported platform in the Admin Portal.
3. In the Enabled Platforms list, select the platform you want to exclude.
Shift-click platforms to select more than one.
4. Click the left arrow button to move the selected platforms to the Disabled Platforms
list.
5. Click Save.
All methods of registration now exclude the selected platforms.
Company Confidential
44
API Additions
The following APIs have been added for this release:
• Get Devices by App Name
• Get Policies
• Get Policies by Device UUID
• Get All App Settings
• Get App Settings by Type
• Get App Settings by Device UUID
• Apply Policy to Label/Remove Policy fromLabel
Company Confidential
45