Deploying Carrier-Specific APN Settings using MobileIron

The first step is go into the policies and settings page in MobileIron. You'll need to login as an administrator and then go to the "Policies and Configs" tab and then into "Configurations";

Choose "Add New", then "iOS and OS X" and finally "APN". This will bring up the APN properties dialog to allow you to enter the APN details from the carrier;

We've added two APN's; one for Three and the other for Orange (both in the UK).

We primarily use AD groups to control who gets what but during a migration from one carrier to another this has not worked well. In the UK the switchover can happen anytime and the last thing you want is users to suddenly find themselves unable to access the network.

In order to fix this we've added some additional criteria to the label in MobileIron to ensure that users will only pickup the APN settings if they are on the right network.

The existing label criteria was;

"user.ldap.groups.name" =  "MobileIron_UK_APN"

We would simply put the user in the AD group they would pickup the APN information from our active provider.

This was changed to;

"user.ldap.groups.name" =  "MobileIron_UK_APN"  AND
"common.home_operator_name" =  "Three" AND "common.home_country_name" =  "United Kingdom"

In this way when users swap their sims and are migrated from the label should trigger the removal of the old APN even if the user is in the AD group which should be deploying it.

Similarly we create a another group to work in the other direction - to only apply the new APN for Orange if the user is in the right group AND on the Orange network (in the UK).

This actually had the happy side effect that users who were on Vodafone, O2, or any of the other virtual operators didn't pick up the APN if they'd be left in the group accidentally (or had two devices, one company the other private).

In this way we ensure disruption to the users (not to mention calls to ServiceDesk!) are minimised.