VSP Version 5.8 Revised: October 2, 2013 Proprietary and Confidential Do Not Distribute
2009-2013 Mobile Iron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. Mobile Iron, Inc. does not warrant the use of this publication. For some phone images, a third-party database and image library, 2007-2009 Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the Mobile Iron product. MobileIron, Connected Cloud, and MyPhone@Work are registered trademarks of Mobile Iron, Inc. BlackBerry is a registered trademark of RIM. Windows is a registered trademark of Microsoft, Inc. iPhone is a trademark of Apple, Inc. Android is a trademark of Google Inc.
Contents
Chapter 1 VSP 5.8 Release Notes
  New features summary
  Other changes
  Client OS compatibility
  Mobile@Work compatibility
  Supported browsers
  Sentry compatibility
  Upgrade notes
  Configure KCD for AppTunnel only after Sentry Upgrade
  Post-upgrade tasks
    Enable quarantine actions on Android devices
    Reenter case sensitive bundle IDs in whitelists
    Re-save policies to support new-line separated bundle IDs in whitelists
Chapter 2
  Single-app mode whitelist
  iOS restrictions
  Web content filter
  Configuring the web content filter
  Browser impact
  Removing a Web content configuration from a device
  LDAP group sync performance enhancement
  Configuring the set of LDAP groups
  Impact to LDAP Group selection in the Admin Portal
    LDAP Group list
    Advanced Search for users and devices
    Android multiple-apps kiosk policy
    Android kiosk configuration
  Sync impact
  Upgrade impact
  Enterprise single sign-on
Chapter 3
  Pre-upgrade procedure
  VM requirements
  Backup availability
  Upgrading from VSP 5.5.2
    Configure your update repo.
    Initiate the upgrade.
    Reboot the VSP.
    Verify that the upgrade is complete.
    Complete the post-upgrade tasks.
    Notes
  Upgrading from VSP 5.6.2
  Upgrading from VSP 5.7.X
Chapter 4
  Pre-upgrade procedure
  VM requirements
  Backup availability
  Upgrade procedure
    Configure your update repo.
    Initiate the upgrade.
    Reboot the VSP.
    Verify that the upgrade is complete.
    Complete the post-upgrade tasks.
    Notes
Company Confidential 5
AirPrint
AirPlay
AirDrop
Per-app VPN
VPN on Demand
Managed app configuration
Single-app mode whitelist
iOS restrictions
Web content filter
LDAP group sync performance enhancement
Enterprise single sign-on
Other changes
VSP-248: The iOS MDM enrollment CA key has been changed from a 4096-bit key to a 2048-bit key.
VSP-145: The VSP now maintains only the last known location for each device.
New boot-up message for MobileIron Enterprise Connector: After you boot the MobileIron Connector for the first time, the following message displays:

    Welcome to the MobileIron Enterprise Connector Installation Program
    - For virtual machine installation, type: vm-install<ENTER>
    - To standard physical appliance installation, type: hw-install<ENTER>
    - To boot from your local hard disk, type: <ENTER>
    Note: System will boot from the local hard disk in 30 seconds if no key is pressed.
    boot:
Client OS compatibility
Android OS Versions supported:
2.2, 2.3.x, 3.x, 4.0.x, 4.1.x, 4.2.x, and 4.3
Mobile@Work compatibility
Android: 5.5 and later
iOS: 5.6.2, 5.7.0, 5.7.3, 5.7.4, and later
Supported browsers
Browser                Supported    Should Work
Internet Explorer 6    No           No
Internet Explorer 7    No           No
Internet Explorer 8    Yes          Yes
Internet Explorer 9    No           Yes*
Internet Explorer 10   No           Yes*
Chrome                 No           Yes*
FireFox >=20           Yes          Yes
FireFox < 20           No           Yes*
Safari                 No           Yes*
Sentry compatibility
VSP 5.8 is supported with the following Standalone Sentry versions:
4.2
Upgrade notes
Configure KCD for AppTunnel only after Sentry Upgrade
VSP 5.7 added support to configure the Standalone Sentry to use Kerberos Constrained Delegation for server authentication when using the AppTunnel feature. Do not use the VSP Admin Portal to configure the Standalone Sentry for KCD for AppTunnel until you have upgraded the Standalone Sentry to version 4.7 or later.
Post-upgrade tasks
Enable quarantine actions on Android devices
Starting with VSP 5.7, Android devices support the quarantine compliance action. After upgrading from VSP 5.6.2 to VSP 5.8, if an existing security policy applies to both Android and iOS devices, the quarantine action is not automatically enforced on Android devices. To enable the quarantine action on Android devices for an existing security policy:
1. In the Admin Portal, in Policies & Configs > Policies, select the security policy.
2. Click Edit.
3. Click Save.

Open the AppConnect global policy or AppConnect container policy for editing.
Make a modification, such as adding a space to the description field.
Click Save.

Now the VSP applies all specified new-line separated bundle IDs to the Open In policy.
Resolved issues
VS-10180: In Integrated Sentry, a partial database update occurred if the number of characters for the device model field was greater than maximum length. This issue is now fixed. The limit is now increased to 255 characters.
VS-15203: Registering the device via API for an LDAP user may create the user as a local user. This issue is now fixed. The user is registered as an LDAP user.
VS-14783: After upgrading to VSP 5.6.2 the URL field in the Docs@Work setting did not allow the port number to be included. This is now fixed. You can include the port number in this field.
VS-11880: The Whitelist Policy in the App Control rules caused some devices to be listed as non compliant. This is now fixed.
VS-15393: In the LDAP settings, the Member of Attribute field under Groups may be blank in some cases. This is now fixed.
VS-15215: The View Groups link under Users > LDAP Entities is now working as expected. Previously the link showed an empty list.
VS-14986: The Link To function on the ActiveSync Association page now works as expected. Previously, when you clicked on Link To an error message was displayed.
VS-12471: The pagination for the ActiveSync Associations page when you filter the records is now fixed. Previously, when you filtered the ActiveSync Associations listed (example: Show > Unregistered) only one page was available.
VS-15265: The password for the Outbound HTTP Proxy for Gateway Transactions and System Updates was not encrypted. The password is now encrypted.
VSP-1725: When adding an Android app to the VSP, a UTF8 encoded string is rendered correctly. Previously, a UTF encoded string was rendered as a series of question marks. If this issue impacted apps in a previous release, an upgrade to Version 5.8 does not automatically fix the impacted apps. The workaround is to delete the impacted apps and add them again, or edit the app information and save.
VSP-1497: Push notifications with Japanese characters are now rendered correctly. In VSP Version 5.7, the Japanese characters were rendered as a series of question marks.
VSP-1458: The VSP Admin Portal is now compatible with IE 9 when the default Document Mode is set to IE7 Standards.
VSP-828: On iOS 7 devices, the user cannot enable photostream on the device if this feature is restricted from the VSP. In VSP Version 5.7.1, users could enable photostream on their device even if it was restricted on the VSP.
VSP-309: In IE10 browsers, previously, the Devices page did not display some submenu items. These items were displayed only after the page was refreshed. This issue is now fixed.
VSP-268: The Add App button in the App Distribution Library is now disabled when an app is selected and enabled when none of the apps are selected.
Known issues
VSP-349: The following SCEP configurations still have the "Cache locally generated keys" option selected by default:
  Auto-created SCEP setting for the iOS Enterprise AppStore CA
  Auto-created SCEP setting for the Windows Phone Enrollment CA
VSP-303, VSP-1269: If iOS 7 related settings are pushed to labels that have a mix of iOS 7 and earlier versions of iOS, the settings are pushed to all devices in the label. Non iOS 7 devices ignore the new setting. But, when the devices are updated to iOS 7, the new settings are not re-pushed to the devices. To push the settings to the upgraded devices, edit the settings and save.
VSP-1050: Atlas is not listed in the Admin Portal UI for System backup and restore.
VSP-1196: If you cancel installation for an app which uses a Per App VPN setting, the app is not installed but the Per App VPN setting is. The setting is removed when the device next syncs with the VSP.
VSP-1236: Validation for principal URL in the CardDav and CalDav add/edit screen is incorrect.
VSP-1291: The Managed App configuration is not removed from the managed app when the device is quarantined by a security policy. It also is not removed when a user signs out on a multi-user device.
VSP-1309: Managed App Config is not pushed to the device after the device is upgraded from iOS6 to iOS7. The workaround is to edit the setting, or remove then reapply to label.
VSP-1326: The tool tip disappears after a few seconds even though the mouse pointer is placed on the tool tip icon.
VSP-1415: When you edit an On Demand VPN setting with two identical domains but different connections, you only see one of the two entries in the VPN settings. The details pane correctly shows both settings.
VSP-1504: Even though the Identity Certificate field in the VPN Setting configuration is a required field, you can save the configuration without making a selection. In this case, when you save the configuration the selection defaults to None.
VSP-1512: The VSP fails to push the managed app configuration to iOS devices that received the MDM profile from Apple Configurator.
VSP-1522: Traffic continues to be tunneled after AppTunnel is disabled in Setting > Preferences.
VSP-1544: Custom attributes provided in a managed app configuration are not applied to iOS 7 devices.
VSP-1578: On native IE8 browsers on Windows XP and on IE9 and IE8 in compatibility mode, when you click on a VPN configuration, the following error message is seen: "A Script on this page is causing Internet explorer to run slowly." Clicking on Yes in the pop-up does not open the VPN configuration; clicking on No opens the VPN configuration.
VSP-1596: If you installed an app with Per App VPN configured, and the admin has selected "Yes" for "Remove app when MDM profile is removed" in the app, when you remove the MDM profile and re-enroll, the per-app VPN profile will be present on the device without the app.
VSP-1607: The presence of a null value for a variable in a managed app configuration causes the VSP to omit substitution of the other values.
VSP-1633: In a high availability deployment, if the ha_admin user for the primary and the secondary VSP have different user IDs, the initial sync works, but subsequent syncs fail due to permission errors.
VSP-1674: Android OS dot versions for 2.3.x, 4.1.x, 4.2.x are not displayed in PLATFORM NAME for Android in VSP Advanced Search.
VSP-1676: Apps grouped on iOS devices into Containers for usability ease lose the container when used with the multiuser webclip.
VSP-1689: Certificate Mapping Field values are not removed when the Kerberos configuration is removed from Sentry Settings.
VSP-1696: In a Sentry that is configured for both ActiveSync and AppTunnel and uses Kerberos for server authentication, if you disable the AppTunnel configuration and change the server authentication to pass through, the Keytab is not removed. If you remove the keytab values, you can't save the Sentry configuration. The workaround is to not remove the keytab values.
VSP-1730: When you update an App, which uses a Per App VPN setting, to a new version that uses a new Per App VPN setting, both Per App VPN settings are seen on the device.
VSP-1754: Once apps are imported from VPP page, if there is new version of the app available, it has to be imported from the app distribution page.
VSP-1755: Modifying the Key in the AppConnect App Configuration throws an error message. The workaround is to add a new Key-Value pair and then delete the old Key-Value pair.
VSP-1772: If the VSP regenerates the attachment encryption key when the Sentry is not reachable, devices get the new key while Sentry retains the old key. Due to this mismatch in the encryption keys, Docs@Work cannot display secured attachments. The workaround is to ensure that Sentry is reachable before regenerating the encryption keys.
VSP-1904: Specifying a SCEP setting as a configuration value on an AppConnect app configuration does not always work correctly. In some cases, the VSP does not pass the contents of the certificate as the value. It fails when you are using a Local CA, and the SCEP setting's key length is less than the key length you specified when you generated the self-signed certificate. Workaround: Change the SCEP setting's key length to be greater than or equal to the key length you specified for the self-signed certificate.
VSP-685: App does not enter single app mode even though it is configured in the single app mode whitelist.
VSP-988: When an app is installed from the appstore, it is reported in the Device App Inventory page, but the device installed counter is not increased.
AirPrint
This feature is only supported for iOS 7 and later devices. AirPrint is an iOS feature that allows you to print to an AirPrint printer from your iOS device without the need to install drivers or download software. For iOS 7 and later devices, you can now configure your VSP to control the printing resources that devices can access. You can specify a whitelist of AirPrint printers that devices can access.
To configure AirPrint:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPrint. The New AirPrint Configuration screen displays.
3. Enter a name for the AirPrint Configuration.
4. Enter additional information that describes the AirPrint Configuration.
5. In the AirPrint Destination Whitelist section, click + to add a new destination printer.
6. For each destination printer, enter the following information:

   Field          Description
   IP Address     Enter the IP address of the AirPrint printer.
   Path           Enter the Resource Path associated with the AirPrint printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:
   Description    Enter additional information that describes this destination device.
                  Click if you want to delete this device.

7. Click Save.
AirPlay
This feature is only supported for iOS 7 and later devices. AirPlay is an iOS feature that allows you to mirror the content displayed on your iOS device on to a destination device, for example, an HDTV. For iOS 7 and later devices, you can now configure your VSP to control the AirPlay resources that supervised devices can access. You can configure the following settings:
Specify the passcode for the AirPlay destination device so that devices can connect seamlessly.
Specify a whitelist of destination devices to which you can mirror the content that is displayed on the screen of your supervised iOS 7 device.
To configure AirPlay:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > AirPlay. The New AirPlay Configuration screen displays.
3. Enter a name for the AirPlay Configuration.
4. Enter additional information that describes the AirPlay Configuration.
5. In the AirPlay Destination Devices section, click + to add a new destination device.
6. For each destination device, enter the following information:

   Field Description
   Enter the name of the destination device.
   Enter the password for the destination device.
   Enter additional information that describes this destination device.
   Click if you want to delete this device.

7. In the AirPlay Whitelist Devices section, click + to add a new destination device to the whitelist. Note: Whitelists are only supported on supervised devices. For each destination device in the whitelist, enter the following information:

   Field Description
   Enter the Bonjour Device ID.
   Enter additional information that describes this destination device.
   Click if you want to delete this device.

8. Click Save.
AirDrop
This feature is only supported for iOS 7 and later devices that are supervised. AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. On the VSP, you can now enable or disable AirDrop on iOS 7 supervised devices. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices. You configure this feature in the Restrictions settings.
To enable or disable AirDrop:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > Restrictions. The New Restrictions Configuration screen displays.
   OR
   Click on an existing Restrictions profile and click Edit. The Modify Restrictions Setting screen displays.
3. Under Device Functionality, for the Allow AirDrop (iOS 7.0 and later. Supervised devices only.) setting,
Click Save.
Per-app VPN
By configuring Per-app VPN settings in the VSP, you can enable managed apps to automatically connect to VPN when the app is launched. Consider the following:
This feature is only supported for iOS 7 and later.
You must update your VPN software to a version that supports iOS 7 features.
Safari browsers are not supported.
An additional license may be required for this feature.

1. In the Admin Portal go to Policies & Configs > Configurations.
2. Click Add New > VPN.
3. Enter the information as described in the VPN settings section of the VSP Administration Guide.
4. For the Per-app VPN option, select Yes.
5. Click Save.

You cannot apply the Per-app VPN setting to a label. You can apply the Per-app VPN setting to an app when you either Add or Edit an app.
You cannot delete a Per-app VPN setting that is being used by an app. Remove the Per-app VPN setting from the app before you delete the setting.
A new Per-app VPN field is added to the Managed App Settings section in Add App Wizard.
edit an in-house app or an App Store app in the App Distribution Library.
Note: Before you enable Per-app VPN for an app on the VSP, you must create a Per-app VPN setting.
To enable Per-app VPN for an app:
1. In the Admin Portal go to Apps > App Distribution Library.
2. From the Select Platforms drop-down list, select iOS.
3. Click Add App or click the Edit icon for the app. The Add App Wizard or the Edit App for iOS page displays.
4. For the Per-app VPN field, select the VPN setting you created for Per-app VPN.
5. Click Save.
VPN on Demand
This feature is only supported for iOS 7 and later devices. VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wifi network. You configure the VPN On Demand rules in the VPN settings in the Admin Portal. To configure a VPN On Demand rule:
1. In the Admin Portal go to Policies & Configs > Configurations.
2. Click Add New > VPN.
3. Enter the information as described in the VPN settings section of the VSP Administration Guide.
4. Select Enable for VPN on Demand.
5. Enter the following information in the On Demand Rules section:

Field Description

Action
+ Matching Rules:
  Click to add either an On Demand rule, or a matching rule. Click to delete either an On Demand rule, or a matching rule.
  For each matching rule to which the action is applied enter the type and value pair.

Type
  Select from one of the following key types:
    DNS Domain
    Interface Type
    Server Address
    SSID
    URL String Probe

Value
  For each key selected, enter a value.
    DNS Domain: Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com
    Interface Type: Enter either Wifi or Cellular.
    DNS Server Address: Enter a list of DNS servers to match against. All DNS servers have to match the device's current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with 1.2.3. prefix.
    SSID: Enter a list of SSIDs to match against the current network. If the network is not a WiFi network or if its SSID does not appear in the list, the match will fail.
    URL String Probe: Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.

  Enter additional information about this matching rule.

  Only appears if the Action is Evaluate Connection. Select one of the following Actions for the domain:
    Connect if needed: The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).

  Only appears if the Action is Evaluate Connection. Define the Evaluation Type and Value pair.

Evaluation Type
  Select the Evaluation type as one of the following:
    Domain (Required)
    Required DNS Server (only available with Connect if needed)
    Required URL Probe (only available with Connect if needed)

Value
  Enter the value for the evaluation type selected.
    Domain: Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.
    Required DNS Server: Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device's current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or trusted external DNS server.
    Required URL Probe: Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.

Description
  Enter additional information about this Evaluation Type and Value pair.

Default Rule:
  The default rule (action) is applied to a connection that does not match any of the matching rules. If none of the rules above match or if there is no rule defined, choose VPN connection to:

6. Click Save.
You get a file containing the app configuration from the app vendor or developer. The file is a property list (plist). It is a text file in XML format.
Edit the file as directed by the app's managed app configuration documentation. For example, documentation can instruct you to replace a default server value in the plist with a URL for one of your enterprise servers.
You create a managed app config setting on the VSP. When you create the setting, you upload the plist file to the VSP.
You apply labels to the setting to indicate which devices the setting applies to.
The VSP sends the setting to the device when the device checks in.
The managed app installed on the device accesses the configuration using iOS 7 programming interfaces.
Note: You can apply a managed app config setting to a device before the app is installed on the device. When the app is installed, it accesses the configuration. Until then, the configuration has no impact on the device.
1. On the VSP Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > iOS And OS X > Managed App Config.
3. Use the following guidelines to create or edit a managed app config setting:

   Item           Description
   Name           Enter brief text that identifies this managed app config setting.
   Description    Enter additional text that clarifies the purpose of this managed app config setting.
   BundleId       Enter the bundle ID of the managed app.
   File           Click Choose File. Select the plist file that contains the app configuration for the app. Note: The VSP does not validate the plist file's type or contents.

4. Click Save.
5. Select the managed app config setting you just created. The VSP assigns the setting the type MDM APP CONFIG.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this managed app config setting.
8. Click Apply.
Note:
You cannot edit the managed app config setting, including uploading a different plist file. If changes are necessary, delete the managed app config setting and create a new one. Be sure to re-apply labels.
You can apply only one managed app config setting for each app to each device, including when more than one version of the app is installed on a device.

1. On the VSP Admin Portal, go to Policies & Configs > Configurations.
2. Select a managed app setting.
3. Select View File Data in App Settings Detail pane. A pop-up displays the file contents.
4. Close the pop-up when you are done viewing the file contents.

You remove the label associated with the device from the setting, and the device checks in.
You remove the managed app config setting, and the device checks in.
You retire the device.

When the managed app config setting is removed, the managed app automatically removes its use of the configuration.
The Wi-Fi MAC (Media Access Control) address of the device.
The unique device identifier of the device.
The display name of the device user.
The email address of the device user.
The first name of the device user.
The last name of the device user.
The user ID of the device user.
When the VSP sends the configuration to a device, it substitutes the appropriate values for the variables.
Sample plist
A plist is a text file in XML format. The XML contents vary for each app, and the contents have been validated by the app developer. The following is a sample plist, included here only to illustrate the format you can expect:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Server</key>
    <string>http://www.somecompanyserver.com</string>
    <key>Some Dict</key>
    <dict>
        <key>A</key>
        <string>$DISPLAY_NAME$</string>
        <key>C</key>
        <string>$DEVICE_UDID$</string>
    </dict>
    <key>Some Array</key>
    <array>
        <string>abc</string>
        <string>val</string>
        <string>$DEVICE_MAC$</string>
    </array>
</dict>
</plist>
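Because the VSP does not validate the uploaded plist, and a null variable suppresses substitution of the others (VSP-1607), it helps to check the file before upload. The following pre-upload check is an added example, not MobileIron code: the set of known variables holds only the three names visible in the sample above (an assumption to extend from the product documentation), the cleartext-URL warning is an added check, and the input is constructed from the sample with one variable misspelled.

```python
import plistlib
import re

# Variables that appear in this page's sample plist. The page describes more
# (email, first name, last name, user ID) without showing their names, so
# treat this set as an assumption and extend it from the VSP documentation.
KNOWN_VARIABLES = {"$DISPLAY_NAME$", "$DEVICE_UDID$", "$DEVICE_MAC$"}
PLACEHOLDER = re.compile(r"\$[A-Za-z0-9_]+\$")

# Constructed input: the page's sample plist with one misspelled variable.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Server</key>
  <string>http://www.somecompanyserver.com</string>
  <key>Some Dict</key>
  <dict>
    <key>A</key>
    <string>$DISPLAY_NAME$</string>
    <key>C</key>
    <string>$DEVICE_UUID$</string>
  </dict>
  <key>Some Array</key>
  <array>
    <string>abc</string>
    <string>$DEVICE_MAC$</string>
  </array>
</dict>
</plist>
"""


def walk_strings(node, path="root"):
    """Yield (path, text) for every string value in the plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def check_managed_app_config(data):
    """Return a report with 'findings' and the 'variables' the plist uses."""
    report = {"findings": [], "variables": []}
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # any parser failure means the file is unusable
        report["findings"].append(f"not a parseable plist: {exc}")
        return report
    if not isinstance(root, dict):
        report["findings"].append("top-level element is not a <dict>")
        return report
    seen = set()
    for path, text in walk_strings(root):
        for name in PLACEHOLDER.findall(text):
            seen.add(name)
            if name not in KNOWN_VARIABLES:
                report["findings"].append(f"{path}: unknown variable {name}")
        # A '$' left over after removing complete placeholders is unbalanced.
        if "$" in PLACEHOLDER.sub("", text):
            report["findings"].append(f"{path}: stray '$', placeholder not closed")
        if text.lower().startswith("http://"):
            report["findings"].append(f"{path}: cleartext URL {text}")
    # Every variable listed here must resolve to a non-null value for the
    # target users and devices, or the other substitutions are skipped too.
    report["variables"] = sorted(seen)
    return report


if __name__ == "__main__":
    result = check_managed_app_config(SAMPLE)
    for line in result["findings"]:
        print("FINDING", line)
    print("variables to confirm are populated:", ", ".join(result["variables"]))
```
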
Create a new restrictions configuration (Policies & Configs > Configurations > Add New > iOS and OSX > Restrictions). Scroll down to the bottom of the screen.
3.
4.
Enter the app name defined in the app's bundle. Enter the bundle identifier for this app. One way to find the bundle identifier is to add the app to the app distribution library on the VSP. After you add the app, edit the app entry to see the Inventory Apps field, which lists the bundle ID for the app.
Description
5. Click Save.
6. Assign the new configuration to a label that will apply it to the target devices (More Actions > Apply To Label).
iOS restrictions
With the release of iOS 7, the VSP will support the following iOS 7 settings in the iOS Restrictions configuration (Policies & Configs > Configurations > Add New > iOS and OSX > Restrictions):
Setting Description
Allow AirDrop
Enables AirDrop for iOS on the device (iOS 7 or later). AirDrop is Apple's ad hoc Wi-Fi system that enables file sharing with nearby users. Enables users with supervised iOS 7 devices to add email accounts and make changes to email accounts that have already been configured. For supervised iOS 7 devices, enables host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. Additional license required to disallow this action. Enables documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. Additional license required to disallow this action. Enables documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email. Specifies a list of apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to supervised iOS devices only apps developed for autonomous single app mode. Supervision is established with Apple Configurator.
Allow ability to modify account settings Allow pairing with non-Configurator hosts
Allow open documents from managed apps and accounts to unmanaged apps and accounts
Allow open documents from unmanaged apps and accounts to managed apps and accounts
Block access to sites containing adult content.
Configure the device's set of accessible sites.
1. Go to Policies and Configs > Configurations on the VSP Admin Portal.
2. Select Add New > iOS And OS X > Web Content Filter. The New Web Content Configuration page displays.
3. Use the following guidelines to create or edit a web content configuration:
Item: Description
Enter brief text that identifies this web content configuration.
Enter additional text that clarifies the purpose of this web content configuration.
Permitted URLs: Available only if you selected Limit Adult Content. These URLs are accessible even if the iOS automatic filters block them. To add a permitted URL, click + . To delete a permitted URL, click - . You can add up to 50 permitted URLs.
URL: Enter the permitted URL. The URL must begin with either http:// or https://.
Note: If you want to permit both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given permitted URL are accessible.
Example: http://www.someCompanySite.com permits access to the following:
http://www.someCompanySite.com
http://www.someCompanySite.com/jobs
http://www.someCompanySite.com/products
Description: Enter additional text that clarifies the purpose of this permitted URL.
Blacklisted URLs: Available only if you selected Limit Adult Content. These URLs are blocked even if the iOS automatic filters allow them. To add a blacklisted URL, click + . To delete a blacklisted URL, click - . You can add up to 50 blacklisted URLs.
URL: Enter the blacklisted URL. The URL must begin with either http:// or https://.
Note: If you want to block both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given blacklisted URL are blocked.
Example: http://www.someCompanySite.com blocks access to the following:
http://www.someCompanySite.com
http://www.someCompanySite.com/jobs
http://www.someCompanySite.com/products
Description: Enter additional text that clarifies the purpose of this blacklisted URL.
Specific Websites: Available only if you selected Specific Web Sites Only. These URLs are the only accessible sites. On Safari, they are added as bookmarks. Any existing bookmarks on Safari are disabled. To add an accessible URL, click + . To delete an accessible URL, click - .
URL: Enter the URL of a website you want to make accessible. The URL must begin with either http:// or https://.
Note: If you want to make both http:// and https:// for the same site accessible, include a row for each URL. If you are using the Apps@Work or Secure Sign-in web clips, include an entry for the URL of the VSP. Otherwise, these web clips cannot work.
Name: The title of the bookmark in Safari.
Bookmark: Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/ If absent, the bookmark is added to the default bookmarks directory.
Description: Optionally enter additional text that clarifies the purpose of this URL.
4. Click Save.
5. Select the web content configuration you just created.
6. Select More Actions > Apply To Label.
7. Select the labels to which you want to apply this web content configuration.
8. Click Apply.
Browser impact
The web content filter feature impacts all browsers and web views on the device including:
Safari
When using the option Specific Web Sites Only, only Safari displays the bookmarks that you specify. Other browsers do not.
You remove the label associated with the device from the setting, and the device checks in.
You remove the web content configuration, and the device checks in.
You retire the device.
The URL is accessible only if all of the web content configurations on the device allow it and none of the web content configurations block it. The URL is blocked if any of the web content configurations block it.
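The matching and combination rules described above can be checked offline before a configuration is applied to a label. The following Python model is an added example, not MobileIron code: the class, function and mode names are hypothetical, the iOS automatic filter is reduced to a boolean input, and it assumes that a blacklisted row wins over a permitted row and that Specific Websites entries match by prefix as well.

```python
from dataclasses import dataclass, field

MAX_URLS = 50  # the page's limit for permitted and for blacklisted URLs


@dataclass
class WebContentConfig:
    name: str
    mode: str  # "limit_adult" or "specific_sites" (labels assumed for this model)
    permitted: list = field(default_factory=list)
    blacklisted: list = field(default_factory=list)
    specific_sites: list = field(default_factory=list)


def matches(url, prefixes):
    # Initial-character match, so http:// and https:// need separate rows.
    return any(url.startswith(p) for p in prefixes)


def config_allows(cfg, url, auto_filter_allows):
    """Verdict of one configuration. auto_filter_allows stands in for the iOS
    automatic filter, whose decision this model takes as an input."""
    if cfg.mode == "specific_sites":
        return matches(url, cfg.specific_sites)  # assumption: prefix match here too
    if matches(url, cfg.blacklisted):  # assumption: a blacklisted row beats a permitted one
        return False
    if matches(url, cfg.permitted):
        return True
    return auto_filter_allows


def url_accessible(configs, url, auto_filter_allows=True):
    # Accessible only if every configuration on the device allows the URL.
    return all(config_allows(c, url, auto_filter_allows) for c in configs)


def audit(cfg):
    """List rows that break the stated rules or match more than intended."""
    findings = []
    for label, rows in (("permitted", cfg.permitted), ("blacklisted", cfg.blacklisted)):
        if len(rows) > MAX_URLS:
            findings.append(f"{label}: more than {MAX_URLS} URLs")
        for row in rows:
            if not row.startswith(("http://", "https://")):
                findings.append(f"{label}: {row} lacks http:// or https://")
            elif label == "permitted" and "/" not in row.split("://", 1)[1]:
                # A bare host prefix also matches longer host names that start with it.
                findings.append(f"{label}: {row} has no '/' after the host")
    return findings


# Constructed sample configurations (not from a real deployment).
CORP = WebContentConfig("corp", "limit_adult",
                        permitted=["http://www.someCompanySite.com"],
                        blacklisted=["https://games.example/"])
KIOSK = WebContentConfig("kiosk", "specific_sites",
                         specific_sites=["http://www.someCompanySite.com/jobs"])

if __name__ == "__main__":
    for u in ("http://www.someCompanySite.com/jobs", "http://www.someCompanySite.com/products"):
        print(u, url_accessible([CORP, KIOSK], u))
    print(audit(CORP))
```

The audit flags the bare-host permitted row because, read literally, the initial-characters rule also matches any longer host name that begins with the same characters; ending the row with / after the host avoids that.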
You now specify the set of LDAP groups that the VSP gets from each LDAP server. See Configuring the set of LDAP groups on page 34.
The user interfaces of some VSP Admin Portal pages that involve LDAP groups have changed. See Impact to LDAP Group selection in the Admin Portal on page 35.
1. Go to Settings > LDAP.
2. Select an LDAP server and click Edit.
3. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting.
4. In the text box labeled Search By LDAP Groups, enter the first characters of an LDAP Group that you want to select.
5. Click the search icon. The LDAP Groups in the LDAP server that match the search request appear in the Available section.
6. Click the right arrow to move one or more LDAP groups to the Selected section.
7. Repeat steps 4 through 6 for other LDAP Groups.
8. Click save.
Go to Users & Devices > Users. Select LDAP Entities in the To dropdown box. Select LDAP Groups in the Categories dropdown box. The page now displays only the groups you specified in the LDAP Setting page. Also, you can no longer limit the list displayed by searching for the initial characters of the names of LDAP groups.
Go to Users & Devices > Devices. Select Advanced Search. Select LDAP_GROUP in a Select Field dropdown box. The corresponding dropdown box for the list of groups shows only the groups you specified in the LDAP Setting page. Also, you can now only select the groups shown; you cannot type an LDAP group name.
Go to Policies & Configs > Policies. Click Add New > Android Kiosk. For Kiosk Mode, select Multiple Apps. For Administrative Access To Exit Kiosk Mode, click +. Select the LDAP Group Name field. The resulting dropdown list includes only the groups you specified in the LDAP Settings page.
Go to Policies & Configs > Configurations. Select Add New > Android > Samsung Kiosk. For Choose LDAP Groups, click +. Select the LDAP Group Name field. The resulting dropdown list includes only the groups you specified in the LDAP Settings page.
Sync impact
The VSP syncs with the LDAP server at a regularly scheduled interval that you configure. Syncs no longer occur every time you access a list of LDAP groups. You can also request a sync. Each sync now syncs only the LDAP groups that you specified in the LDAP Setting page. As in prior releases, a sync also syncs any other LDAP entities, such as LDAP users, that are in use on the VSP.
Upgrade impact
No additional steps are required to configure the set of LDAP groups when upgrading to VSP 5.8. Any groups that you referenced in the VSP are automatically included in the set. For example, if you have a custom label that used an LDAP group, that group is included in the set. After upgrading, to see the LDAP groups in the set, do the following steps for each LDAP server:
1. Go to Settings > LDAP.
2. Select an LDAP server and click Edit.
3. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting.
The LDAP groups that are available to use in the VSP Admin Portal are in the Selected column. If you want to change the set, follow the instructions in Config
This feature requires that you have Kerberos configured in your environment.
Devices must have access to a Kerberos Domain Controller (KDC) and the websites or resources specified in this configuration.
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. From the Add New drop-down menu, go to iOS and OS X > Single Sign-On Account. The New Single Sign-On (SSO) Configuration screen displays.
3. Complete the form using the following guidelines:
Field: Description
Enter a name for this configuration.
Enter additional information that describes this configuration.
(Required) Enter the Kerberos principal name. You can also specify a variable. See Supported variables on page 39.
Realm: (Required) The default is $Realm$. This is the only valid variable. $Realm$ is supported for LDAP users only. The realm is calculated by extracting the base DN (e.g. DC=auto, DC=MyCompany, DC=com) and converting to a domain. Example: AUTO.MYCOMPANY.COM. You can also enter a domain name. The domain name you enter is automatically capitalized. Example: AUTO.MYCOMPANY.COM.
Add the URLs or resources that the device user can access using SSO. At least one URL is required. You can add up to twenty URLs per configuration. If a bundle ID (application ID) is configured, SSO is enabled for the specified apps only when the apps access the URLs that match the configured URL prefixes. If a bundle ID (application ID) is not configured, SSO is applicable to all apps that support SSO when they access the URLs that match the configured URL prefixes.
+: Click to add a URL.
URL: Enter the URL that the user can access using SSO. Consider the following:
URLs must have either an HTTP or an HTTPS prefix.
You can enter only the prefix. In this case the device user can access any website or resource with that prefix.
Description: Enter additional information describing this resource.
-: Click to delete the URL.
Add the apps that the device user can use to access the URLs or resources listed in URL Prefix Matches without having to enter their enterprise credentials. You can add up to twenty bundle IDs (application IDs) per configuration. If no apps are entered, the device user can access the URLs or resources from any app without having to enter their enterprise credentials.
+: Click to add an app.
BundleID: Enter the bundle ID (application ID) for the app.
Description: Enter additional information describing the app.
-: Click to delete the app.
4. Click Save.
5. In the Configurations page, select the app.
6. Click More Actions > Apply To Label.
7. Select a label to apply, and click Apply. The app is pushed to the devices to which the label is applied.
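The realm derivation and the URL prefix and bundle ID scoping rules from the form guidelines, as an added Python example that is not part of the VSP: the function names are hypothetical, and exact, case-sensitive comparison of URL prefixes and bundle IDs is an assumption.

```python
import re

MAX_URLS = 20        # "up to twenty URLs per configuration"
MAX_BUNDLE_IDS = 20  # "up to twenty bundle IDs (application IDs) per configuration"


def realm_from_dn(dn):
    """Derive the value of $Realm$ from an LDAP DN: keep the DC components,
    join them with dots, and capitalise the result."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "DC" and value.strip():
            parts.append(value.strip())
    if not parts:
        raise ValueError("DN contains no DC components")
    return ".".join(parts).upper()


def validate_sso_config(url_prefixes, bundle_ids):
    """Return a list of problems under the limits stated in the form guidelines."""
    problems = []
    if not url_prefixes:
        problems.append("at least one URL is required")
    if len(url_prefixes) > MAX_URLS:
        problems.append("more than twenty URLs")
    if len(bundle_ids) > MAX_BUNDLE_IDS:
        problems.append("more than twenty bundle IDs")
    for prefix in url_prefixes:
        if not prefix.lower().startswith(("http://", "https://")):
            problems.append(f"{prefix}: URL must have an HTTP or HTTPS prefix")
        elif prefix.lower() in ("http://", "https://"):
            # Entering only the prefix puts every site with that prefix in scope.
            problems.append(f"{prefix}: scheme-only prefix matches every site")
    return problems


def sso_applies(url_prefixes, bundle_ids, app_bundle_id, url):
    """True when an app's request falls under the SSO configuration."""
    if not any(url.startswith(p) for p in url_prefixes):
        return False
    # No bundle IDs configured: every SSO-capable app is in scope.
    return not bundle_ids or app_bundle_id in bundle_ids


if __name__ == "__main__":
    # Constructed sample values.
    print(realm_from_dn("DC=auto, DC=MyCompany, DC=com"))
    print(validate_sso_config(["https://"], []))
    print(sso_applies(["https://intranet.example/"], ["com.example.mail"],
                      "com.example.browser", "https://intranet.example/wiki"))
```

A scheme-only prefix combined with an empty bundle ID list is the widest scope the form allows, which is why the validator reports it.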
Supported variables
The following variables are supported:
$EMAIL$
$USERID$
Prerequisites
The following upgrade paths are supported to upgrade to 5.8:
Important notes
Using the correct upgrade process
In VSP 5.6.0, we introduced a new upgrader. In VSP 5.7.0, we made minor changes to the Step Upgrader UI and to the status messages. Therefore, the upgrade process differs based on the version you are upgrading from. If you are upgrading from version 5.6.2, see Upgrading from VSP 5.6.2 on page 46. If you are upgrading from version 5.7.x, see Upgrading from VSP 5.7.X on page 47. If you are upgrading from version 5.5.2, see Upgrading from VSP 5.5.2 on page 44.
In VSP 5.5.2, you configured AppConnect for Android.
You used the Open In data loss prevention policy and specified case sensitive or new-line terminated bundle IDs for a whitelist.
Pre-upgrade procedure
VM requirements
Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.
Backup availability
It is always prudent to create backups prior to upgrading. You have different options for performing a backup:
If you are upgrading from 5.6.2, consider using the new Backup and Restore feature in System Manager.
If you are using a virtual VSP, consider creating a .vmdk backup.
If none of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).
Enter the following URL to start the System Manager: https://<FQDN>/mics/mics.html
Select Maintenance | Software Updates.
Update the Software Updates Repository Configuration Section:
URL: https://support.mobileiron.com/mi/vsp/5.7.1
OR
URL: https://support.mobileiron.com/mi/vsp/5.7.0
Username/Password: Enter the credentials assigned by MobileIron Support.
Click the Save button.
Click the Save link in the upper right corner to save the current configuration.
To list the updates available, click the Check Updates button.
Confirm that there are no errors displayed.
Click the Download button.
After all the listed updates are installed, select Reboot.
Click the displayed Reboot button.
Click Yes to confirm when prompted.
Click Yes when prompted about saving the configuration.
Click OK.
After one minute, refresh the browser. The reboot might take up to 15 minutes to complete.
To confirm that the upgrade is complete, make sure you can log into the Admin Portal: https://<FQDN>/mifs
The upgrade may take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.
The following error might display on the console and should be resolved after you complete the remaining upgrade steps:
modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory
Select Maintenance > Software Updates in System Manager. Confirm that the current version is 5.7.1 or 5.7.0.
Notes
The upgrade will take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.
Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.
As a result of upgrading, you may observe that CPU usage increases to 100% every 15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.
1. In System Manager, select Maintenance > Software Updates. The Software Version 5.6.2 is displayed. The default URL, https://support.mobileiron.com/, should be sufficient. Do not change it unless instructed to do so.
2. Enter the credentials assigned by MobileIron Support.
3. Click Apply.
4. Click OK to dismiss the success popup.
5. Click Check Updates.
6. Select the update.
7. Click Download Only or Download and Install.
8. Refresh the screen and click Check Updates until the status for your update indicates it is complete.
9. If you selected Download Only, click Download and Install when you are ready to install.
10. Select Maintenance > Reboot to reboot the VSP. A reboot is required to complete the installation.
1. In System Manager, select Maintenance > Software Updates. The Software Version 5.7.x is displayed. The default URL, https://support.mobileiron.com/, should be sufficient. Do not change it unless instructed to do so.
2. Enter the credentials assigned by MobileIron Support.
3. Click Apply.
4. Click OK to dismiss the success popup.
5. Click Check Updates. The available updates are listed.
6. Select the update.
7. Click Download if you want to download the update now and complete the installation at a later time. Refresh the screen and click Check Updates. After the download is complete, the status for the update changes to Downloaded.
8. Click Stage for Install when you are ready to install. If you had already downloaded the selected update, the system stages the update for installation. If you did not previously download the selected update, it is downloaded and staged for installation.
9. Refresh the screen and click Check Updates. After the software update has been staged for installation, the status for the update changes to Reboot to Install.
10. You can now install the update by rebooting the system. If the status of an update is not Reboot to Install, rebooting the system will not install the update.
Prerequisites
The following upgrade paths are supported to upgrade to 5.8:
Important notes
Mobile@Work 5.5 for Android compatibility
The kiosk feature in Mobile@Work 5.5 for Android is not compatible with VSP versions 5.6.2 or later. If you are using the Android kiosk feature with Mobile@Work 5.5, you should consider upgrading your VSP to version 5.7 before upgrading your Android devices to Mobile@Work 5.6.0.
In VSP 5.5.2, you configured AppConnect for Android.
You used the Open In data loss prevention policy and specified case sensitive or new-line terminated bundle IDs for a whitelist.
Pre-upgrade procedure
VM requirements
Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.
Backup availability
It is always prudent to create backups prior to upgrading. You have different options for performing a backup:
If you are upgrading from 5.6.2, consider using the new Backup and Restore feature in System Manager.
If you are using a virtual VSP, consider creating a .vmdk backup.
If none of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).
Upgrade procedure
Configure your update repo.
Log into the CLI using the administrator account you created during installation.
Enter the following command to switch to EXEC Privileged mode:
enable
Enter the password for enabling the EXEC Privileged mode. The command line prompt changes:
#
Enter the following command to enable CONFIG mode:
configure terminal
Enter the following command to specify the URL and credentials for the repo:
software repository https://support.mobileiron.com/mi/vsp/5.8.0/ <username> <password>
where <username> and <password> are your company's download/documentation credentials as provided by MobileIron Support.
Enter the following command to exit CONFIG mode:
end
To list the updates available, enter the following command:
software checkupdate
Confirm that there are no errors displayed.
Enter the following command to download the latest available updates:
software update
After all the listed updates are installed, enter the following command to reload the appliance:
reload
The following message displays:
System configuration may have been modified. Save? [yes/no]
Enter no. The following message displays:
Proceed with reload? [yes/no]
The following error might display on the console and should be resolved after you complete the remaining upgrade steps:
modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory
To confirm that the upgrade is complete, make sure you can log into the Admin Portal: https://<FQDN>/mifs
Enter the following URL to start the System Manager: https://<FQDN>/mics/mics.html
Select Maintenance | Software Updates.
Confirm that the current version is 5.8.0.
Notes
The upgrade will take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.
Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.
As a result of upgrading, you may observe that CPU usage increases to 100% every 15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.