You are on page 1of 56

MobileIron VSP Release Upgrade Guide

VSP Version 5.8 Revised: October 2, 2013 Proprietary and Confidential Do Not Distribute

2009-2013 Mobile Iron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. Mobile Iron, Inc. does not warrant the use of this publication. For some phone images, a third-party database and image library, 2007-2009 Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the Mobile Iron product. MobileIron, Connected Cloud, and MyPhone@Work are registered trademarks of Mobile Iron, Inc. BlackBerry is a registered trademark of RIM. Windows is a registered trademark of Microsoft, Inc. iPhone is a trademark of Apple, Inc. Android is a trademark of Google Inc.

Contents
Chapter 1 VSP 5.8 Release Notes .................................................................. 5
New features summary .......................................................................... 6 Other changes ...................................................................................... 6 Client OS compatibility .......................................................................... 7 Mobile@Work compatibility ..................................................................... 7 Supported browsers .............................................................................. 7 Sentry compatibility .............................................................................. 7 Upgrade notes ...................................................................................... 8 Configure KCD for AppTunnel only after Sentry Upgrade ............................ 8 Post-upgrade tasks ............................................................................... 8
Enable quarantine actions on Android devices ................................................... 8 Reenter case sensitive bundle IDs in whitelists .................................................. 8 Re-save policies to support new-line separated bundle IDs in whitelists ................ 8

Resolved issues .................................................................................... 9 Known issues ..................................................................................... 11

Chapter 2

New Features in VSP 5.8 ............................................................. 15


AirPrint .............................................................................................. 16 AirPlay ............................................................................................... 17 AirDrop .............................................................................................. 18 Per-app VPN ....................................................................................... 19 Configuring the Per-app VPN option in VPN settings ................................. 19 Enabling Per-app VPN for an app ........................................................... 19 VPN on Demand .................................................................................. 21 Managed app configuration ................................................................... 24 Managed app configuration overview ..................................................... Configuring the managed app config setting ........................................... Viewing the plist file ............................................................................ Removing a managed app config setting from a device ............................ VSP substitution variables supported in the plist ...................................... Sample plist ....................................................................................... 24 24 25 25 26 26

Single-app mode whitelist .................................................................... 27 iOS restrictions ................................................................................... 29 Web content filter ............................................................................... 30 Configuring the web content filter ......................................................... 30 Browser impact .................................................................................. 32 Removing a Web content configuration from a device .............................. 33 LDAP group sync performance enhancement ........................................... 34 1

Configuring the set of LDAP groups ....................................................... 34 Impact to LDAP Group selection in the Admin Portal ................................ 35
LDAP Group list ........................................................................................... 35 Advanced Search for users and devices .......................................................... 35 Android multiple-apps kiosk policy ................................................................. 35 Android kiosk configuration .......................................................................... 36

Sync impact ....................................................................................... 36 Upgrade impact .................................................................................. 36 Enterprise single sign-on ...................................................................... 38

Supported variables ............................................................................ 39

Chapter 3

Upgrading to MobileIron VSP 5.8 .................................................. 41


Prerequisites ...................................................................................... 41 Important notes .................................................................................. 42 Using the correct upgrade process ......................................................... Mobile@Work 5.5 for Android compatibility ............................................. Upgrade might take three hours or more ................................................ Database purge after upgrade .............................................................. Post-upgrade tasks required for AppConnect apps ................................... 42 42 42 42 42

Pre-upgrade procedure ........................................................................ 43 VM requirements ................................................................................ 43 Backup availability .............................................................................. 43 Upgrading from VSP 5.5.2 .................................................................... 44 Configure your update repo. ................................................................. Initiate the upgrade. ........................................................................... Reboot the VSP. ................................................................................. Verify that the upgrade is complete. ...................................................... Complete the post-upgrade tasks. ......................................................... Notes ................................................................................................ 44 44 44 45 45 45

Upgrading from VSP 5.6.2 .................................................................... 46 Upgrading from VSP 5.7.X .................................................................... 47

Chapter 4

Upgrading to MobileIron VSP 5.8: CLI Procedure............................. 49


Prerequisites ...................................................................................... 49 Important notes .................................................................................. 50 Mobile@Work 5.5 for Android compatibility ............................................. Upgrade might take three hours or more ................................................ Database Purge After Upgrade .............................................................. Post-upgrade tasks required for AppConnect apps ................................... 50 50 50 50

Pre-upgrade procedure ........................................................................ 51 VM requirements ................................................................................ 51 Backup availability .............................................................................. 51 Upgrade procedure .............................................................................. 52 2

Configure your update repo. ................................................................. Initiate the upgrade. ........................................................................... Reboot the VSP. ................................................................................. Verify that the upgrade is complete. ...................................................... Complete the post-upgrade tasks. ......................................................... Notes ................................................................................................

52 52 52 53 53 53

VSP 5.8 Release Notes


September 27, 2013 The Release Notes contain the following information:

New features summary Upgrade notes Resolved issues Known issues

Company Confidential 5

New features summary


This release includes the following new features:

AirPrint on page 16 AirPlay on page 17 AirDrop on page 18 Per-app VPN on page 19 VPN on Demand on page 21 Managed app configuration on page 24 Single-app mode whitelist on page 27 iOS restrictions on page 29 Web content filter on page 30 LDAP group sync performance enhancement on page 34 Enterprise single sign-on on page 38

Other changes
VSP-248: The iOS MDM enrollment CA key has been changed from a 4096-bit key
to a 2048-bit key.

VSP-145: The VSP now maintains only the last known location for each device. New boot-up message for MobileIron Enterprise Connector: After you boot the
MobileIron Connector for the first time, the following message displays:

Welcome to the MobileIron Enterprise Connector Installation Program - For virtual machine installation, type: vm-install<ENTER> - To standard physical appliance installation, type: hw-install<ENTER> - To boot from your local hard disk, type: <ENTER> Note: System will boot from the local hard disk in 30 seconds if no key is pressed. boot:

Company Confidential 6

Client OS compatibility
Android OS Versions supported:
2.2, 2.3.x, 3.x, 4.0.x, 4.1.x, 4.2.x, and 4.3

iOS versions supported:


5.0 and later (web-based registrations supported for 4.2.1)

Mobile@Work compatibility
Android: 5.5 and later iOS: 5.6.2, 5.7.0, 5.7.3, 5.7.4, and later

Supported browsers
Browser Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 Internet Explorer 10 Chrome FireFox >=20 FireFox < 20 Safari Supported No No Yes No No No Yes No No Should Work No No Yes Yes* Yes* Yes* Yes Yes* Yes*

* This configuration is not covered under MobileIrons product warranty.

Sentry compatibility
VSP 5.8 is supported with the following Standalone Sentry versions:

4.6 4.7 4.7.1 4.7.2 4.8

VSP 5.8 is supported with the following Integrated Sentry versions:

4.2

Company Confidential 7

Upgrade notes
Configure KCD for AppTunnel only after Sentry Upgrade
VSP 5.7 added support to configure the Standalone Sentry to use Kerberos Constrained Delegation for server authentication when using the AppTunnel feature. Do not use the VSP Admin Portal to configure the Standalone Sentry for KCD for AppTunnel until you have upgraded the Standalone Sentry to version 4.7 or later.

Post-upgrade tasks
Enable quarantine actions on Android devices
Starting with VSP 5.7, Android devices support the quarantine compliance action. After upgrading from VSP 5.6.2 to VSP 5.8, if an existing security policy applies to both Android and iOS devices, the quarantine action is not automatically enforced on Android devices. To enable the quarantine action on Android devices for an existing security policy:
1. 2. 3.

In the Admin Portal, in Policies & Configs > Policies, select the security policy. Click Edit. Click Save.

Reenter case sensitive bundle IDs in whitelists


On the AppConnect global policy and AppConnect container policy, you can enter a list of bundle IDs for the Open In whitelist. Prior to VSP 5.7, the VSP converted entered bundle IDs to lowercase. Starting in VSP 5.7, the bundle IDs that you enter are case sensitive. When upgrading from VSP 5.6.2 to VSP 5.8, re-enter any bundle IDs that are casesensitive.

Re-save policies to support new-line separated bundle IDs in whitelists


On the AppConnect global policy and AppConnect container policy, you can enter a list of bundle IDs for the Open In whitelist, one per line. However, prior to VSP 5.7, an issue caused the VSP to ignore all but the first bundle ID listed. When upgrading from VSP 5.6.2 to VSP 5.8, for each applicable AppConnect global policy and AppConnect container policy:
1. 2. 3.

Open the AppConnect global policy or AppConnect container policy for editing. Make a modification, such as adding a space to the description field. Click Save. icy.

Now the VSP applies all specified new-line separated bundle IDs to the Open In pol-

Company Confidential 8

Resolved issues
VS-10180: In Integrated Sentry, a partial database update occured if the number of characters for the device model field was greater than maximum length.This issue is now fixed. The limit is now increased to 255 characters. VS-15203: Registering the device via API for an LDAP user may create the user as a local user. This issue is now fixed. The user is registered as an LDAP user. VS-14783: After upgrading to VSP 5.6.2 the URL field in the Docs@Work setting did not allow the port number to be included. This is now fixed. You can include the port number in this field. VS-11880: The Whitelist Policy in the App Control rules caused some devices to be listed as non compliant. This is now fixed. VS-15393: In the LDAP settings, the Member of Attribute field under Groups may be blank in some cases. This is now fixed. VS-15215 - The View Groups link under Users > LDAP Entities is now working as expected. Previously the link showed an empty list. VS-14986: The Link To function on the ActiveSync Association page now works as expected. Previously, when you clicked on Link To an error message was displayed. VS-12471: The pagination for the ActiveSync Associations page when you filter the records is now fixed. Previously, when you filtered the ActiveSync Associations listed (example: Show > Unregistered) only one page was available. VS-15265: The password for the Outbound HTTP Proxy for Gateway Transactions and System Updates, was not encrypted. The password is now encrypted. VSP-1725: When adding an Android app to the VSP, a UTF8 encoded string is rendered correctly. Previously, a UTF encoded string was rendered as a series of question marks. If this issue impacted apps in a previous release, an upgrade to Version 5.8 does not automatically fix the impacted apps. The workaround is to delete the impacted apps and add them again, or edit the app information and save. VSP-1497: Push notifications with Japanese characters are now rendered correctly. In VSP Version 5.7, the Japanese characters were rendered as a series or question marks. VSP-1458: The VSP Admin Portal is now compatible with IE 9 when the default Document Mode is set to IE7 Standards. VSP-828: On iOS 7 devices, the user cannot enable photostream on the device if this feature is restricted from the VSP. In VSP Version 5.7.1, users could enable photostream on their device even if it was restricted on the VSP.

Company Confidential 9

VSP-309: In IE10 browsers, previously, the Devices page did not display some submenu items. These items were displayed only after the page was refreshed. This issue is now fixed. VSP-268: The Add App button in the App Distribution Library is now disabled when an app is selected and enabled when none of the apps are selected.

Company Confidential 10

Known issues
VSP-349: The following SCEP configurations still have the "Cache locally generated keys" option selected by default:

Auto-created SCEP setting for the iOS Enterprise AppStore CA Auto-created SCEP setting for the Windows Phone Enrollment CA
VSP-303, VSP-1269: If iOS 7 related settings are pushed to labels that have a mix of iOS 7 and earlier versions of iOS, the settings are pushed to all devices in the label. Non iOS 7 devices ignore the new setting. But, when the devices are updated to iOS 7, the new settings are not re-pushed to the devices. To push the settings to the upgraded devices, edit the settings and save. VSP-1050: Atlas is not listed in the Admin Portal UI for System backup and restore. VSP-1196: If you cancel installation for an app which uses a Per APP VPN setting, the app is not installed but the Per App VPN setting is. The setting is removed when the device next syncs with the VSP. VSP-1236: Validation for principal URL in the CardDav and CalDav add/edit screen is incorrect. VSP-1291: The Managed App configuration is not removed from the managed app when the device is quarantined by a security policy. It also is not removed when a user signs out on a multi-user device. VSP-1309: Managed App Config is not pushed to the device after the device is upgraded from iOS6 to iOS7. The workaround is to edit the setting, or remove then reapply to label. VSP-1326: The tool tip disappears after a few seconds even though the mouse pointer is placed on the tool tip icon. VSP-1415: When you edit an On Demand VPN setting with two identical domains but different connections, you only see one of the two entries in the VPN settings. The details pane correctly shows both settings. VSP-1504: Even though the Identity Certificate field in the VPN Setting configuration is a required field, you can save the configuration without making a selection. In this case, when you save the configuration the selection defaults to None. VSP-1512: The VSP fails to push the managed app configuration to iOS devices that received the MDM profile from Apple Configurator. VSP-1522: Traffic continues to be tunneled after AppTunnel is disabled in Setting > Preferences. VSP-1544: Custom attributes provided in a managed app configuration are not applied to iOS 7 devices.

Company Confidential 11

VSP-1578: On native IE8 browsers on Windows XP and on IE9 and IE8 in compatibility mode, when you click on a VPN configuration, the following error message is seen: "A Script on this page is causing Internet explorer to run slowly. Clicking on Yes in the pop-up, does not open the VPN configuration; clicking on No opens the VPN configuration." VSP-1596: If you installed an app with Per App VPN configured, and the admin has selected "Yes" for "Remove app when MDM profile is removed" in the app, when you remove the MDM profile and re-enroll, the per-app vpn profile will be present on the device without the app. VSP-1607: The presence of a null value for a variable in a managed app configuration causes the VSP to omit substitution of the other values. VSP-1633: In a high availability deployment, if the ha_admin user for the primary and the secondary VSP have different user IDs, the initial sync works, but subsequent syncs fail due to permission errors. VSP-1674: Android OS dot versions for 2.3.x, 4.1.x, 4.2.x are not displayed in PLATFORM NAME for Android in VSP Advanced Search. VSP-1676: Apps grouped on iOS devices into Containers for usability ease, loose the container when used with the multiuser webclip. VSP-1689: Certificate Mapping Field values are not removed, when the Kerberos configuration is removed from Sentry Settings. VSP-1696: In a Sentry configured for both ActiveSync and AppTunnel, and uses Kerberos for server authentication, if you disable the AppTunnel configuration, and change the server authentication to pass through, the Keytab is not removed. If you remove the keytab values, you can't save the Sentry configuration. The workaround is to not remove the keytab values. VSP-1730: When you update an App, which uses a Per App VPN setting, to a new version that uses a new Per App VPN setting, both Per App VPN settings are seen on the device. VSP-1754: Once apps are imported from VPP page, if there is new version of the app available, it has to be imported from the app distribution page. VSP-1755: Modifying the Key in the AppConnect App Configuration throws an error message. The workaround is to add a new Key-Value pair and then delete the old KeyValue pair. VSP-1772: If the VSP regenerates the attachment encryption key when the Sentry is not reachable, devices get the new key while Sentry retains the old key. Due to this mismatch in the encryption keys, Docs@Work cannot display secured attachments. The workaround is to ensure that Sentry is reachable before regenerating the encryption keys.

Company Confidential 12

VSP-1904: Specifying a SCEP setting as a configuration value on an AppConnect app configuration does not always work correctly. In some cases, the VSP does not pass the contents of the certificate as the value. It fails when you are using a Local CA, and the SCEP settings key length is less than the key length you specified when you generated the self-signed certificate. Workaround: Change the SCEP setting's key length to be greater than or equal to the key length you specified for the self-signed certificate. VSP-685: App does not enter single app mode even though it is configured in the single app mode whitelist. VSP-988: When an app is installed from the appstore, it is reported in the Device App Inventory page, but the device installed counter is not increased.

Company Confidential 13

Company Confidential 14

New Features in VSP 5.8


September 27, 2013 Proprietary and Confidential Do Not Distribute This document provides information on:

AirPrint on page 16 AirPlay on page 17 AirDrop on page 18 Per-app VPN on page 19 VPN on Demand on page 21 Managed app configuration on page 24 Single-app mode whitelist on page 27 iOS restrictions on page 29 Web content filter on page 30 LDAP group sync performance enhancement on page 34 Enterprise single sign-on on page 38

Company Confidential 15

AirPrint
This feature is only supported for iOS 7 and later devices. AirPrint is an iOS feature that allows you to print to an AirPrint printer from your iOS device without the need to install drivers or download software. For iOS 7 and later devices, you can now configure your VSP to control the printing resources that devices can access. You can specify a whitelist of AirPrint printers that devices can access. To configure AirPrint:
1. 2.

In the Admin Portal, go to Policies & Configs > Configurations. From the Add New drop-down menu, go to iOS and OS X > AirPrint. The New AirPrint Configuration screen displays. Enter a name for the AirPrint Configuration. Enter additional information that describes the AirPrint Configuration. In the AirPrint Destination Whitelist section, click + to add a new destination printer. For each destination printer, enter the following information:
Field Description

3. 4. 5. 6.

IP Address Path

Enter the IP address of the AirPrint printer. Enter the Resource Path associated with the AirPrint printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:


Description 7.

printers/Canon_MG5300_series printers/Xerox_Phaser_7600 ipp/print Epson_IPP_Printer.

Enter additional information that describes this destination device. Click if you want to delete this device.

Click Save.

Company Confidential 16

AirPlay
This feature is only supported for iOS 7 and later devices. AirPlay is an iOS feature that allows you to mirror the content displayed on your iOS device on to a destination device, for example, an HDTV. For iOS 7 and later devices, you can now configure your VSP to control the AirPlay resources that supervised devices can access. You can configure the following settings:

Specify the passcode for the AirPlay destination device so that devices can connect
seamlessly.

Specify a whitelist of destination devices to which you can mirror the content that is
displayed on the screen of your supervised iOS 7 device. To configure AirPlay:
1. 2.

In the Admin Portal, go to Policies & Configs > Configurations. From the Add New drop-down menu, go to iOS and OS X > AirPlay. The New AirPlay Configuration screen displays. Enter a name for the AirPlay Configuration. Enter additional information that describes the AirPlay Configuration. In the AirPlay Destination Devices section, click + to add a new destination device. For each destination device, enter the following information:
Field Description

3. 4. 5. 6.

Device Name Password Description 7.

Enter the name of the destination device. Enter the password for the destination device. Enter additional information that describes this destination device. Click if you want to delete this device.

In the AirPlay Whitelist Devices section, click + to add a new destination device to the whitelist. Note: Whitelists are only supported on supervised devices. For each destination device in the whitelist, enter the following information:
Field Description

8.

Device MAC Address Description 9.

Enter the Bonjour Device ID. Enter additional information that describes this destination device. Click if you want to delete this device.

Click Save.
Company Confidential 17

AirDrop
This feature is only supported for iOS 7 and later devices that are supervised. AirDrop is Apples ad hoc Wi-Fi system that enables file sharing with nearby users. On the VSP, you can now enable or disable AirDrop on iOS 7 supervised devices. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices. You configure this feature in the Restrictions settings. To enable or disable AirDrop:
1. 2.

In the Admin Portal, go to Policies & Configs > Configurations. From the Add New drop-down menu, go to iOS and OS X > Restrictions. The New Restrictions Configuration screen displays. OR Click on an existing Restrictions profile and click Edit. The Modify Restrictions Setting screen displays.

3.

Under Device Functionality, for the Allow AirDrop (iOS 7.0 and later. Supervised devices only.) setting,

select the checkbox to allow the AirDrop feature.


OR

de-select the checkbox to restrict the AirDrop feature.


4.

Click Save.

Company Confidential 18

Per-app VPN
By configuring Per-app VPN settings in the VSP, you can enable managed apps to automatically connect to VPN when the app is launched. Consider the following:

This feature is only supported for iOS 7 and later. You must update your VPN software to a version that supports iOS 7 features. Safari browsers are not supported. An additional license may be required for this feature.

Configuring the Per-app VPN option in VPN settings


A new Per-app VPN option is added to the VPN settings in the VSP. The Per-app VPN option is available for the following type of connections in the VPN settings:
Connection Type User Authentication

IPsec (Cisco) Cisco AnyConnect Juniper SSL F5 SSL Custom SSL

Certificate Certificate Certificate Certificate Certificate

To configure Per-app VPN settings:


1. 2. 3. 4. 5.

In the Admin Portal go to Policies & Configs > Configurations. Click Add New > VPN. Enter the information as described in the VPN settings section of the VSP Administration Guide. For the Per-app VPN option, select Yes. Click Save.

Note the following:

You cannot apply the Per-app VPN setting to a label. You can apply the Per-app VPN
setting to an app when you either Add or Edit an app.

You cannot delete a Per-app VPN setting that is being used by an app. Remove the
Per-app VPN setting from the app before you delete the setting.

Enabling Per-app VPN for an app


You can enable Per-app VPN for an app when you:

add the app using the Add App Wizard.

Company Confidential 19

A new Per-app VPN field is added to the Managed App Settings section in Add App Wizard.

edit an in-house app or an App Store app in the App Distribution Library.
Note: Before you enable Per-app VPN for an app on the VSP, you must create a Perapp VPN setting. To enable Per-app VPN for an app:
1. 2. 3.

In the Admin Portal go to Apps > App Distribution Library. From the Select Platforms drop-down list, select iOS. Click Add App or click the Edit icon for the app. The Add App Wizard or the Edit App for iOS page displays. For the Per-app VPN field, select the VPN setting you created for Per-app VPN. Click Save.

4. 5.

Company Confidential 20

VPN on Demand
This feature is only supported for iOS 7 and later devices. VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wifi network. You configure the VPN On Demand rules in the VPN settings in the Admin Portal. To configure a VPN On Demand rule:
1. 2. 3. 4. 5.

In the Admin Portal go to Policies & Configs > Configurations. Click Add New > VPN. Enter the information as described in the VPN settings section of the VSP Administration Guide. Select Enable for VPN on Demand. Enter the following information in the On Demand Rules section:
Field Description

Action

Select one of the following actions to apply to the matching rule:


+ Matching Rules:

Connect Disconnect Allow Ignore Evaluate Connection

Click to add either an On Demand rule, or a matching rule. Click to delete either an On Demand rule, or a matching rule.

For each matching rule to which the action is applied enter the type and value pair. Type Select from one of the following key types:

DNS Domain Interface Type Server Address SSID URL String Probe

Company Confidential 21

Field

Description

Value

For each key selected, enter a value. DNS DomainEnter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com Interface TypeEnter either Wifi or Cellular. DNS Server AddressEnter a list of DNS servers to match against. All DNS servers have to match the devices current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with 1.2.3. prefix. SSIDEnter a list of SSIDs to match against the current network. If the network is not a WiFi network or if its SSID does not appear in the list, the match will fail. URL String ProbeEnter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.

Description Domain Action

Enter additional information about this matching rule. Only appears if the Action is Evaluate Connection. Select one of the following Actions for the domain:

Connect if neededThe specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).

Never connectThe specified domains do not trigger a VPN


connection attempt.
Action Parameters:

Only appears if the Action is Evaluate Connection. Define the Evaluation Type and Value pair. Evaluation Type Select the Evaluation type as one of the following:

Domain (Required) Required DNS Server (only available with Connect if needed) Required URL Probe (only available with Connect if needed)

Company Confidential 22

Field

Description

Value

Enter the value for the evaluation type selected. DomainEnter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com. Required DNS ServerEnter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the devices current network configuration. If these DNS servers are not reachable, VPN is triggered. Either configure an internal DNS server or trusted external DNS server. Required URL ProbeEnter an HTTP or HTTPS (preferred) URL. The device to probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.

Description
Default Rule:

Enter additional information about this Evaluation Type and Value pair.

The default rule (action) is applied to a connection that does not match any of the matching rules. If none of the rules above match or if there is no rule defined, choose VPN connection to:
6.

Select the action for the Default Rule.

Click Save.

Company Confidential 23

Managed app configuration


Managed app configuration is a new feature in iOS 7. VSP 5.8 supports this feature by allowing managed apps on iOS 7 devices to get their configuration from the VSP. The device user does not have to manually enter the configuration. This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user. An additional MobileIron license may be required for this feature.

Managed app configuration overview


Providing a managed app with an app configuration involves these high-level steps:
1. 2.

You get a file containing the app configuration from the app vendor or developer. The file is a property list (plist). It is a text file in XML format. Edit the file as directed by the apps managed app configuration documentation. For example, documentation can instruct you to replace a default server value in the plist with a URL for one of your enterprise servers. You create a managed app config setting on the VSP. When you create the setting, you upload the plist file to the VSP. You apply labels to the setting to indicate which devices the setting applies to. The VSP sends the setting to the device when the device checks in. The managed app installed on the device accesses the configuration using iOS 7 programming interfaces. Note: You can apply a managed app config setting to a device before the app is installed on the device. When the app is installed, it accesses the configuration. Until then, the configuration has no impact on the device.

3. 4. 5. 6. 7.

Configuring the managed app config setting


Before you begin: Edit the provided plist with values specific to your enterprise, as directed by the app documentation. You can use any text editor or plist editor. Put the edited plist file into a folder accessible from your VSP Admin Portal. To configure the managed app config setting:
1. 2. 3.

On the VSP Admin Portal, go to Policies & Configs > Configurations. Select Add New > iOS And OS X > Managed App Config. Use the following guidelines to create or edit a managed app config setting:
Item Description

Name Description

Enter brief text that identifies this managed app config setting. Enter additional text that clarifies the purpose of this managed app config setting.

Company Confidential 24

Item

Description

BundleId File

Enter the bundle ID of the managed app. Click Choose File. Select the plist file that contains the app configuration for the app. Note: The VSP does not validate the plist files type or contents.

4. 5.

Click Save. Select the managed app config setting you just created. The VSP assigns the setting the type MDM APP CONFIG. Select More Actions > Apply To Label. Select the labels to which you want to apply this managed app config setting. Click Apply.

6. 7. 8.

Note:

You cannot edit the managed app config setting, including uploading a different
plist file. If changes are necessary, delete the managed app config setting and create a new one. Be sure to re-apply labels.

You can apply only one managed app config setting for each app to each device,
including when more than one version of the app is installed on a device.

The configuration information is not encrypted on the device. The configuration


should therefore not contain any sensitive information.

Viewing the plist file


To view the contents of the plist file:
1. 2. 3.

On the VSP Admin Portal, go to Policies & Configs > Configurations. Select a managed app setting. Select View File Data in App Settings Detail pane. A pop-up displays the file contents. Close the pop-up when you are done viewing the file contents.

4.

Removing a managed app config setting from a device


A managed app config setting is removed from a device when:

You remove the label associated with the device from the setting, and the device
checks in.

You remove the managed app config setting, and the device checks in. You retire the device.
When the managed app config setting is removed, the managed app automatically removes its use of the configuration.
Company Confidential 25

VSP substitution variables supported in the plist


The plist can use the following VSP variables:
Variable Description

$DEVICE_MAC$ $DEVICE_UDID$ $DISPLAY_NAME$ $EMAIL$ $FIRST_NAME$ $LAST_NAME$ $USERID$

The Wi-Fi MAC (Media Access Control) address of the device. The unique device identifier of the device. The display name of the device user. The email address of the device user. The first name of the device user. The last name of the device user. The user ID of the device user.

When the VSP sends the configuration to a device, it substitutes the appropriate values for the variables.

Sample plist
A plist is a text file in XML format. The XML content vary for each app, and the contents have been validated by the app developer. The following is a sample plist, included here only to illustrate the format you can expect:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Server</key> <string>http://www.somecompanyserver.com</string> <key>Some Dict</key> <dict> <key>A</key> <string>$DISPLAY_NAME$</string> <key>C</key> <string>$DEVICE_UDID$</string> </dict> <key>Some Array</key> <array> <string>abc</string> <string>val</string> <string>$DEVICE_MAC$</string> </array> </dict> </plist>

Company Confidential 26

Single-app mode whitelist


You can use the VSP to specify a list of apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to supervised iOS devices only apps developed for autonomous single app mode. Supervision is established with Apple Configurator. Note that this feature is separate from the single app mode policy feature, which enables an administrator to define and invoke single app mode. To specify a single app mode whitelist:
1. 2.

Create a new restrictions configuration (Policies & Configs > Configurations > Add New > iOS and OSX > Restrictions). Scroll down to the bottom of the screen.

3.

Click + under App whitelist for Single App Mode.

Company Confidential 27

4.

Use the following guidelines to add each whitelist entry:


Field Description

App Name Bundle ID

Enter the app name defined in the apps bundle. Enter the bundle identifier for this app. One way to find the bundle identifier is to add the app to the app distribution library on the VSP. After you add the app, edit the app entry to see the Inventory Apps field, which lists the bundle ID for the app.

Description
5. 6.

Enter an optional description of the app.

Click Save. Assign the new configuration to a label that will apply it to the target devices (More Actions > Apply To Label).

Company Confidential 28

iOS restrictions
With the release of iOS 7, the VSP will support the following iOS 7 settings in the iOS Restrictions configuration (Policies & Configs > Configurations > Add New > iOS and OSX > Restrictions):
Setting Description

Allow AirDrop

Enables AirDrop for iOS on the device (iOS 7 or later). AirDrop is Apples ad hoc Wi-Fi system that enables file sharing with nearby users. Enables users with supervised iOS 7 devices to add email accounts and make changes to email accounts that have already been configured. For supervised iOS 7 devices, enables host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. Additional license required to disallow this action. Enables documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. Additional license required to disallow this action. Enables documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email. Specifies a list of apps that can autonomously enter single app mode on iOS 7 supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to supervised iOS devices only apps developed for autonomous single app mode. Supervision is established with Apple Configurator.

Allow ability to modify account settings Allow pairing with non-Configurator hosts

Allow open documents from managed apps and accounts to unmanaged apps and accounts

Allow open documents from unmanaged apps and accounts to managed apps and accounts

App whitelist for Single App Mode

Company Confidential 29

Web content filter


Starting with iOS 7, supervised iOS devices support web content filtering. Web content filtering restricts the web sites that any browser on a supervised device can access. This feature is useful, for example, in fleet-based lock down environments, such as retail stores or schools. VSP 5.8 adds support to configure the web content filter on the VSP Admin Portal. You can do one of the following:

Block access to sites containing adult content. Configure the devices set of accessible sites.

Configuring the web content filter


To configure the web content filter:
1. 2.

Go to Policies and Configs > Configurations on the VSP Admin Portal. Select Add New > iOS And OS X > Web Content Filter. The New Web Content Configuration page displays. Use the following guidelines to create or edit a web content configuration:
Item Description

3.

Name Description Allowed Websites

Enter brief text that identifies this web content configuration. Enter additional text that clarifies the purpose of this web content configuration.

Limit Adult Content


Select this option if you want to block access to web sites based on iOS automatic filters. These filters attempt, with a high degree of accuracy, to block websites with inappropriate content.

Specific Web Sites Only


Select this option if you want to manually list the accessible web sites.

Permitted URLs

Available only if you selected Limit Adult Content. These URLs are accessible even if the iOS automatic filters block them. To add a permitted URL, click + . To delete a permitted URL, click - . You can add up to 50 permitted URLs.

Company Confidential 30

Item

Description

URL

Enter the permitted URL. The URL must begin with either:

http:// https://
Note: If you want to permit both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given permitted URL are accessible. Example: http://www.someCompanySite.com permits access to the following: http://www.someCompanySite.com http://www.someCompanySite.com/jobs http://www.someCompanySite.com/products Description Enter additional text that clarifies the purpose of this permitted URL. Available only if you selected Limit Adult Content. These URLs are blocked even if the iOS automatic filters allow them. To add a blacklisted URL, click + . To delete a blacklisted URL, click - . You can add up to 50 blacklisted URLs. URL Enter the blacklisted URL. The URL must begin with either:

Blacklisted URLs

http:// https://
Note: If you want to block both http:// and https:// for the same site, include a row for each URL. All URLs for which the initial characters match the given blacklisted URL are blocked. Example: http://www.someCompanySite.com blocks access to the following: http://www.someCompanySite.com http://www.someCompanySite.com/jobs http://www.someCompanySite.com/products Description Enter additional text that clarifies the purpose of this blacklisted URL.

Company Confidential 31

Item

Description

Specific Websites

Available only if you selected Specific Web Sites Only. These URLs are the only accessible sites. On Safari, they are added as bookmarks. Any existing bookmarks on Safari are disabled. To add an accessible URL, click + . To delete an accessible URL, click - .

URL

Enter the URL of a website you want to make accessible. The URL must begin with either:

http:// https://
Note: If you want to make both http:// and https:// for the same site accessible, include a row for each URL. If you are using the Apps@Work or Secure Sign-in web clips, include an entry for the URL of the VSP. Otherwise, these web clips cannot work. Name Bookmark The title of the bookmark in Safari. Optionally enter the folder into which the bookmark should be added in Safari. Example: /Sales/Products/ If absent, the bookmark is added to the default bookmarks directory. Description
4. 5. 6. 7. 8.

Optionally enter additional text that clarifies the purpose of this URL.

Click Save. Select the web content configuration you just created. Select More Actions > Apply To Label. Select the labels to which you want to apply this web content configuration. Click Apply.

Browser impact
The web content filter feature impacts all browsers and web views on the device including:

Safari
When using the option Specific Web Sites Only, only Safari displays the bookmarks that you specify. Other browsers do not.

Web@Work Apps@Work the Secure Sign-in web clip


Company Confidential 32

other browsers and web views


Therefore, if you use the option Specific Web Sites Only, be sure to include the URL for your VSP so that the Apps@Work and Secure Sign-in web clips work.

Removing a Web content configuration from a device


A web content configuration is removed from a device when:

You remove the label associated with the device from the setting, and the device
checks in.

You remove the web content configuration, and the device checks in. You retire the device.

Multiple Web content configurations on a device


If you apply multiple web content configurations to a device, web access works as follows:

The URL is accessible only if all of the web content configurations on the device allow it and none of the web content configurations block it. The URL is blocked if any of the web content configurations block it.

Company Confidential 33

LDAP group sync performance enhancement


The VSP interacts with LDAP servers to get LDAP information such as LDAP groups. VSP 5.8 now requires that you specify the set of LDAP groups that the VSP gets from each LDAP server. This feature improves VSP performance when you use the VSP Admin Portal to access LDAP groups. The performance improvement is because the VSP has already stored all LDAP group information for the set of groups that you selected. No additional communication with the LDAP server is necessary to complete your task. The feature has the following impact:

You now specify the set of LDAP groups that the VSP gets from each LDAP server.
See Configuring the set of LDAP groups on page 34.

The user interfaces of some VSP Admin Portal pages that involve LDAP groups have
changed. See Impact to LDAP Group selection in the Admin Portal on page 35.

The VSP only syncs the specified set of LDAP groups.


See Sync impact on page 36.

Upgrading to VSP 5.8 automatically populates the set of LDAP groups.


See Upgrade impact on page 36.

Configuring the set of LDAP groups


To configure the set of LDAP groups you can reference in the VSP, do the following steps for each LDAP server:
1. 2. 3.

Go to Settings > LDAP. Select an LDAP server and click Edit. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting.

Company Confidential 34

4. 5.

In the text box labeled Search By LDAP Groups, enter the first characters of an LDAP Group that you want to select. Click the search icon. The LDAP Groups in the LDAP server that match the search request appear in the Available section.

6. 7. 8.

Click the right arrow to move one or more LDAP groups to the Selected section. Repeat steps 4 through 6 for other LDAP Groups. Click save.

Impact to LDAP Group selection in the Admin Portal


Various places in the VSP Admin Portal that reference LDAP groups now show only the subset of all LDAP groups that you specified. The following places in the VSP Admin Portal are impacted.

LDAP Group list


The LDAP Group list now displays only the LDAP groups that you specified in the LDAP Setting page. To see this change:
1. 2. 3.

Go to Users & Devices > Users. Select LDAP Entities in the To dropdown box. Select LDAP Groups in the Categories dropdown box. The page now displays only the groups you specified in the LDAP Setting page. Also, you can no longer limit the list displayed by searching for the initial characters of the names of LDAP groups.

Advanced Search for users and devices


When you do an advanced search for users, you can specify LDAP groups. Now, you can select only the groups that you specified in the LDAP Setting page. To see this change:
1. 2. 3.

Go to Users & Devices > Devices. Select Advanced Search. Select LDAP_GROUP in a Select Field dropdown box. The corresponding dropdown box for the list of groups shows only the groups you specified in the LDAP Setting page. Also, you can now only select the groups shown; you cannot type an LDAP group name.

Android multiple-apps kiosk policy


On this policy, you specify users who have permission to disable kiosk mode from the device. To specify these users, you select LDAP Groups. Now, you can select only the groups that you specified in the LDAP Setting page. Also, you can no longer narrow the list of groups by starting to type a group name.
Company Confidential 35

To see this change:


1. 2. 3. 4. 5.

Go to Policies & Configs > Policies. Click Add New > Android Kiosk. For Kiosk Mode, select Multiple Apps. For Administrative Access To Exit Kiosk Mode, click +. Select the LDAP Group Name field. The resulting dropdown list includes only the groups you specified in the LDAP Settings page.

Android kiosk configuration


On this configuration, you specify which LDAP groups, (and, therefore, which users) have access to the apps to be displayed for multiple-app devices. Now, you can select only the groups that you specified in the LDAP Setting page. Also, you can no longer narrow the list of groups by starting to type a group name. To see this change:
1. 2. 3. 4.

Go to Policies & Configs > Configurations. Select Add New > Android > Samsung Kiosk. For Choose LDAP Groups, click +. Select the LDAP Group Name field. The resulting dropdown list includes only the groups you specified in the LDAP Settings page.

Sync impact
The VSP syncs with the LDAP server at a regularly scheduled interval that you configure. Syncs no longer occur every time you access a list of LDAP groups. You can also request a sync. Each sync now syncs only the LDAP groups that you specified in the LDAP Setting page. As in prior releases, a sync also syncs any other LDAP entities, such as LDAP users, that are in use on the VSP.

Upgrade impact
No additional steps are required to configure the set of LDAP groups when upgrading to VSP 5.8. Any groups that you referenced in the VSP are automatically included in the set. For example, if you have a custom label that used an LDAP group, that group is included in the set. After upgrading, to see the LDAP groups in the set, do the following steps for each LDAP server:
1. 2. 3.

Go to Settings > LDAP. Select an LDAP server and click Edit. In the Modifying LDAP Setting page, scroll down to the LDAP Groups setting. The LDAP groups that are available to use in the VSP Admin Portal are in the Selected column. If you want to change the set, follow the instructions in ConfigCompany Confidential 36

uring the set of LDAP groups on page 34.

Company Confidential 37

Enterprise single sign-on


This feature is only supported for iOS 7 and later devices. With Enterprise Single SignOn, device users can log into apps and websites without having to re-enter their credentials. For iOS 7 and later devices, you can now configure your VSP to manage the enterprise apps and resources that device users can access without having to enter their enterprise credentials. Consider the following:

This feature requires that you have Kerberos configured in your environment. Devices must have access to a Kerberos Domain Controller (KDC) and the websites
or resources specified in this configuration.

An additional MobileIron license may be required for this feature.


To configure single sign-on:
1. 2.

In the Admin Portal, go to Policies & Configs > Configurations. From the Add New drop-down menu, go to iOS and OS X > Single Sign-On Account. The New Single Sign-On (SSO) Configuration screen displays. Complete the form using the following guidelines:
Field Description

3.

Name Description Principal Name

Enter a name for this configuration. Enter additional information that describes this configuration. (Required) Enter the Kerberos principal name. You can also specify a variable. See Supported variables on page 39.

Realm

(Required) The default is $Realm$. This is the only valid variable. $Realm$ is supported for LDAP users only. The realm is calculated by extracting the base DN (e.g. DC=auto, DC=MyCompany, DC=com) and converting to a domain. Example: AUTO.MYCOMPANY.COM. You can also enter a domain name. The domain name you enter is automatically capitalized. Example: AUTO.MYCOMPANY.COM.

Company Confidential 38

Field

Description

URL Prefix Matches (Required)

Add the URLs or resources that the device user can access using SSO. Atleast one URL is required. You can add upto twenty URLs per configuration. If a bundle ID (application ID) is configured, SSO is enabled for the specified apps only when the apps access the URLs that match the configured URL prefixes. If a bundle ID (application ID) is not configured, SSO is applicable to all apps that support SSO when they access the URLs that match the configured URL prefixes. + URL Click to add an URL. Enter the URL that the user can access using SSO. Consider the following:

The website or resource must support Kerberos based


authentication.

URLs must have either an HTTP or an HTTPS prefix. You can enter only the prefix. In this case the device
user can access any website or resource with that prefix. Description Enter additional information describing this resource. Click to delete the URL.

Application Identifier Matches (Optional)

Add the apps that the device user can use to access the URLs or resources listed in URL Prefix Matches without having to enter their enterprise credentials. You can add upto twenty bundle IDs (application IDs) per configuration. If no apps are entered, the device user can access the URLs or resources from any app without having to enter their enterprise credentials. + BundleID Description _
4. 5. 6. 7.

Click to add an app. Enter the bundle ID (application ID) for the app. Enter additional information describing the app. Click to delete the app.

Click Save. In the Configurations page, select the app. Click More Actions > Apply To Label Select a label to apply, and click Apply. The app is pushed to the devices to which the label is applied.

Supported variables
The following variables are supported:

$EMAIL$ $USERID$
Company Confidential 39

$FIRST_NAME$ $LAST_NAME$ $DISPLAY_NAME$ $USER_DN$ $USER_UPN$ $USER_CUSTOM1$ $USER_CUSTOM2$ $USER_CUSTOM3$ $USER_CUSTOM4$

Company Confidential 40

Upgrading to MobileIron VSP 5.8


Revised: October 2, 2013 This document describes the upgrade process using the Software Updates feature in the System Manager. If you expect slow download times, you should consider using the CLI procedure documented in Upgrading to MobileIron VSP Version 5.8: CLI Procedure.

Prerequisites
The following upgrade paths are supported to upgrade to 5.8:

5.6.2 --> 5.8.0 5.7.0 --> 5.8.0 5.7.1 --> 5.8.0


If you are upgrading from a version not listed here, then you need to complete one or more previous upgrades first. See the 5.8.0 Upgrade paths Knowledge Base article on the MobileIron Support site for additional information.

41

Important notes
Using the correct upgrade process
In VSP 5.6.0, we introduced a new upgrader. In VSP 5.7.0, we made minor changes to the Step Upgrader UI and to the status messages. Therefore, the upgrade process differs based on the version you are upgrading from. If you are upgrading from version 5.6.2, see Upgrading from VSP 5.6.2 on page 46. If you are upgrading from version 5.7.x, see Upgrading from VSP 5.7.X on page 47. If you are upgrading from version5.5.2, see Upgrading from VSP 5.5.2 on page 44.

Mobile@Work 5.5 for Android compatibility


The kiosk feature in Mobile@Work 5.5 for Android is not compatible with VSP versions 5.6.2 or later. If you are using the Android kiosk feature with Mobile@Work 5.5, you should consider upgrading your VSP to version 5.7 before upgrading your Android devices to Mobile@Work 5.6.0.

Upgrade might take three hours or more


If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Database purge after upgrade


Four hours after you complete the upgrade, an automatic database purge will start. You may notice an increase in CPU usage at this time. This is normal and should not impact system performance.

Post-upgrade tasks required for AppConnect apps


You will need to do AppConnect configuration steps after this upgrade if:

In VSP 5.5.2, you configured AppConnect for Android. You used the Open In data loss prevention policy and specified case sensitive or
new-line terminated bundle IDs for a whitelist.

42

Pre-upgrade procedure
VM requirements
Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.

Backup availability
It is always prudent to create backups prior to upgrading. You have different options for performing a backup:

If you are upgrading from 5.6.2, consider using the new Backup and Restore feature in System Manager.

If MobileIron Professional Services has implemented backups for your system,


make sure you have a recent successful backup.

If you are using a virtual VSP, consider creating a .vmdk backup. If none of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).

43

Upgrading from VSP 5.5.2


Note: If you are upgrading from VSP 5.6.2, see Upgrading from VSP 5.6.2 on page 46. If you are upgrading from VSP 5.7.x, see Upgrading from VSP 5.7.X on page 47.

Configure your update repo.


1.

Enter the following URL to start the System Manager: https://<FQDN>/mics/mics.html Select Maintenance | Software Updates. Update the Software Updates Repository Configuration Section: URL: https://support.mobileiron.com/mi/vsp/5.7.1 OR URL: https://support.mobileiron.com/mi/vsp/5.7.0 Username/Password: Enter the credentials assigned by MobileIron Support.

2. 3.

4. 5.

Click the Save button. Click the Save link in the upper right corner to save the current configuration.

Initiate the upgrade.


1. 2. 3.

To list the updates available, click the Check Updates button. Confirm that there are no errors displayed. Click the Download button.

Reboot the VSP.


1. 2. 3. 4. 5. 6.

After all the listed updates are installed, select Reboot. Click the displayed Reboot button. Click Yes to confirm when prompted. Click Yes when prompted about saving the configuration. Click OK. After one minute, refresh the browser. The reboot might take up to 15 minutes to complete. To confirm that the upgrade is complete, make sure you can log into the Admin Portal: https://<FQDN>/mifs The upgrade may take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance. The following error might display on the console and should be resolved after you complete the remaining upgrade steps: modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory

7.

44

Verify that the upgrade is complete.


1. 2.

Select Maintenance > Software Updates in System Manager. Confirm that the current version is 5.7.1 or 5.7.0.

Complete the post-upgrade tasks.


See Post-upgrade tasks on page 13.

Notes
The upgrade will take three hours or more. If you think the upgrade has stalled, it
is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.

As a result of upgrading, you may observe that CPU usage increases to 100% every
15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.

45

Upgrading from VSP 5.6.2


If you are upgrading from VSP 5.6.2, complete the following steps:
1.

In System Manager, select Maintenance > Software Updates. The Software Version 5.6.2 is displayed. The default URL, https://support.mobileiron.com/, should be sufficient. Do not change it unless instructed to do so.

2. 3. 4.

Enter the credentials assigned by MobileIron Support. Click Apply. Click OK to dismiss the success popup.

5. 6. 7. 8. 9. 10.

Click Check Updates. Select the update. Click Download Only or Download and Install. Refresh the screen and click Check Updates until the status for your update indicates it is complete. If you selected Download Only, click Download and Install when you are ready to install. Select Maintenance > Reboot to reboot the VSP. A reboot is required to complete the installation.

46

Upgrading from VSP 5.7.X


To upgrade from VSP 5.7.x:
1.

In System Manager, select Maintenance > Software Updates. The Software Version 5.7.x is displayed. The default URL, https://support.mobileiron.com/, should be sufficient. Do not change it unless instructed to do so.

2. 3. 4. 5.

Enter the credentials assigned by MobileIron Support. Click Apply. Click OK to dismiss the success popup. Click Check Updates. The available updates are listed. Select the update. Click Download if you want to download the update now and complete the installation at a later time. Refresh the screen and click Check Updates. After the download is complete, the status for the update changes to Downloaded. Click Stage for Install when you are ready to install. If you had already downloaded the selected update, the system stages the update for installation. If you did not previously download the selected update, it is downloaded and staged for installation.

6. 7. 8.

9.

10.

Refresh the screen and click Check Updates. After the software update has been staged for installation, the status for the update changes to Reboot to Install. You can now install the update by rebooting the system. If the status of an update is not Reboot to Install, rebooting the system will not install the update.

47

Select Maintenance > Reboot to reboot the VSP.


To successfully install the update, you must reboot after the status is Reboot to install.

48

Upgrading to MobileIron VSP 5.8: CLI Procedure


Revised: October 2, 2013 This document describes the upgrade processing using the MobileIron CLI. If you expect reasonable download times, you can use the Software Updates feature, instead. See Upgrading to MobileIron VSP Version 5.8.0.

Prerequisites
The following upgrade paths are supported to upgrade to 5.8:

5.6.2 --> 5.8.0 5.7.0 --> 5.8.0 5.7.1 --> 5.8.0


If you are upgrading from a version not listed here, then you need to complete one or more previous upgrades first. See the 5.8.0 Upgrade paths Knowledge Base article on the MobileIron Support site for additional information.

49

Important notes
Mobile@Work 5.5 for Android compatibility
The kiosk feature in Mobile@Work 5.5 for Android is not compatible with VSP versions 5.6.2 or later. If you are using the Android kiosk feature with Mobile@Work 5.5, you should consider upgrading your VSP to version 5.7 before upgrading your Android devices to Mobile@Work 5.6.0.

Upgrade might take three hours or more


If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Database Purge After Upgrade


Four hours after you complete the upgrade, an automatic database purge will start. You may notice an increase in CPU usage at this time. This is normal and should not impact system performance.

Post-upgrade tasks required for AppConnect apps


You will need to do AppConnect configuration steps after this upgrade if:

In VSP 5.5.2, you configured AppConnect for Android. You used the Open In data loss prevention policy and specified case sensitive or
new-line terminated bundle IDs for a whitelist.

50

Pre-upgrade procedure
VM requirements
Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.

Backup availability
It is always prudent to create backups prior to upgrading. You have different options for performing a backup:

If you are upgrading from 5.6.2, consider using the new Backup and Restore feature in System Manager.

If MobileIron Professional Services has implemented backups for your system,


make sure you have a recent successful backup.

If you are using a virtual VSP, consider creating a .vmdk backup. If none of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).

51

Upgrade procedure
Configure your update repo.
1. 2.

Log into the CLI using the administrator account you created during installation. Enter the following command to switch to EXEC Privileged mode: enable Enter the password for enabling the EXEC Privileged mode. The command line prompt changes: #

3.

4.

Enter the following command to enable CONFIG mode: configure terminal Enter the following command to specify the URL and credentials for the repo: software repository https://support.mobileiron.com/mi/vsp/5.8.0/ <username> <password> where <username> and <password> are your company's download/documentation credentials as provided by MobileIron Support.

5.

Initiate the upgrade.


The upgrade may take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.
1.

Enter the following command to exit CONFIG mode: end To list the updates available, enter the following command: software checkupdate Confirm that there are no errors displayed Enter the following command to download the latest available updates: software update

2.

3. 4.

Reboot the VSP.


1.

After all the listed updates are installed, enter the following command to reload the appliance: reload The following message displays: System configuration may have been modified. Save? [yes/no]

2.

Enter no. The following message displays: Proceed with reload? [yes/no]

3.

Enter yes. The reboot might take up to 15 minutes to complete.

52

The following error might display on the console and should be resolved after you complete the remaining upgrade steps: modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory
4.

To confirm that the upgrade is complete, make sure you can log into the Admin Portal: https://<FQDN>/mifs

Verify that the upgrade is complete.


1.

Enter the following URL to start the System Manager: https://<FQDN>/mics/mics.html Select Maintenance | Software Updates. Confirm that the current version is 5.8.0.

2. 3.

Complete the post-upgrade tasks.


See Post-upgrade tasks on page 8.

Notes
The upgrade will take three hours or more. If you think the upgrade has stalled, it
is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.

As a result of upgrading, you may observe that CPU usage increases to 100% every
15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.

53

54

You might also like