Mobile iron is connected to the DM001 domain into which we have created a Group in Active Directory called "MobileIron_SW_Easypush". This group has a scope of "Domain local" and a Group type of "Security".
Into this group we have placed a group from each of the other domains, for example UK001\MobileIron_UK001_SW_EasyPush from UK users, US001\MobileIron_US001_SW_EasyPush for US users, etc.
This allows local IT groups in each Country to manage a local group in their AD Domain to add/remove their users rather than everything having to be done centrally (or with other people able to change AD groups in the admin domain).
The Problem: Users in all-but-one Country were picking up the software - no problem - while users in Switzerland weren't seeing this specific application in the Apps@Work folder but were able to download other applications they had been assigned permission to in other groups.
The problem is a little complicated by replication delays between the AD servers - but after waiting a few hours this could be ruled out.
The problem was eventually traced to this;
|Active Directory: Problem Group Properties|
Once the correct Group Scope was selected (and following an appropriate wait for replication) the problem was fixed.
This took a few hours of effort to work out, hopefully it will same someone else some time!