Deploying Carrier-Specific APN Settings using MobileIron

The first step is go into the policies and settings page in MobileIron. You'll need to login as an administrator and then go to the "Policies and Configs" tab and then into "Configurations";

Choose "Add New", then "iOS and OS X" and finally "APN". This will bring up the APN properties dialog to allow you to enter the APN details from the carrier;

We've added two APN's; one for Three and the other for Orange (both in the UK).

We primarily use AD groups to control who gets what but during a migration from one carrier to another this has not worked well. In the UK the switchover can happen anytime and the last thing you want is users to suddenly find themselves unable to access the network.

In order to fix this we've added some additional criteria to the label in MobileIron to ensure that users will only pickup the APN settings if they are on the right network.

The existing label criteria was;

"user.ldap.groups.name" =  "MobileIron_UK_APN"

We would simply put the user in the AD group they would pickup the APN information from our active provider.

This was changed to;

"user.ldap.groups.name" =  "MobileIron_UK_APN"  AND
"common.home_operator_name" =  "Three" AND "common.home_country_name" =  "United Kingdom"

In this way when users swap their sims and are migrated from the label should trigger the removal of the old APN even if the user is in the AD group which should be deploying it.

Similarly we create a another group to work in the other direction - to only apply the new APN for Orange if the user is in the right group AND on the Orange network (in the UK).

This actually had the happy side effect that users who were on Vodafone, O2, or any of the other virtual operators didn't pick up the APN if they'd be left in the group accidentally (or had two devices, one company the other private).

In this way we ensure disruption to the users (not to mention calls to ServiceDesk!) are minimised.

WIN8: Configuring A Workplace (MobileIron) Account on Windows Phone 8.1 (inc. Screenshots)

Here are a brief set of instructions (with lots of screen shots!) showing you how to configure a workplace account on Windows Phone 8.1. It might be slightly different for your configuration - I needed to enter a server address, it might be able to identify yours from your email - but should be good for everyone.

It isn't significantly different from Windows Phone 8.0, but is slightly different.

Start from the home screen;

Touch on the middle of the screen and pull your finger up (to move the screen down) to the very bottom;

The "All Applications" (or next) button will appear at the very bottom right of the screen. Touch here;

Touch any of the letters (C is highlighted, but it could be any letter);

We are after the "Settings" application so touch "s";

Touch "Settings";

Touch on the screen and pull upwards to scroll down. Unfortunately the list items aren't in Alphabetical order so stop when you see "workplace" appear;

Touch "workplace";

Touch "add account";

Touch on the "Email Address" box;

Enter your company email address (1) and then touch "sign in" at the bottom of the screen;

If Windows Phone can identify your server automatically it will just move on, if it can't a Server entry box will appear - touch it;

Enter the name of the Server (you don't need http or https, just something like my.server.com) (1) and then press "sign in";

As you can see here it's correctly identified that it's connected to a MobileIron server. Your email address should be populated from before, touch in the "Password" entry box to bring up the keyboard;

Enter your work password (1), and then touch "sign in" (2);

"We're looking for your settings ..." will appear at the top of the screen, a few seconds will pass and (providing all the details are correct and you're allowed to register new devices) you will see;

Make sure "Install company app" (1) is checked and then touch "done".

Go back to the main screen, back into All Applications (as shown at the start) but this time press "M" rather than "S";

Touch "Mobile@Work";

Touch on the "Email address" box and enter your email address (1) and password (2) and then touch the tick at the bottom the screen (3);

The "Server" box will appear (if it can't find it automatically), touch on the Server box (1), enter your server details exactly as you entered them when configuring the workplace account, and then touch the tick at the bottom (2);

Another few seconds will pass while the client updates from the server and then you will see your company apps;

That's it, you're done.

Safari Punch-out (And A Possible Solution!) with Web Applications in MobileIron 7.0.3

So about 4 hours after an enthusiastic post welcoming it I'm back to report the first (major) issue. Unfortunately it's a bit of a showstopper.

When you deploy a web application via MobileIron rather than opening that web application in Safari it instead opens the application in a browser of MobileIrons own making. For 90% of things this isn't an issue and the screen layout, not having a tonne of tabs visible, shortcuts, menu bar, etc is certainly a visual improvement that the somewhat cluttered view you get in Apps@Work which uses Safari.

This screenshot from within the MobileIron browser looking at the html5test.com website shows that it's basically wrapping Safari;

This is the same number Safari (iOS) scored when I ran the test. You'll notice how clean the top of the image is - maximum space for the web application.

However the issue is that as it's not Safari it's possible that links within the Web Apps will punch out into Safari when the users touch them. Where the system requires a login they will then have to authenticate again.

It's not easy to create a link which punches out ... I would suspect 99% of links will be unaffected. However when the users hit that 1% the effect - to say the least - is jarring.

So how do you solve this? Well the bad news is there is no real solution other than re-writing your application. We do, however, have a workaround: why not just punch out to Safari at the beginning?

Here's the code you'll need to host on a website to punch out (both in the body of a HTML page);

(div id="foz" data-href="http://www.google.com">

(script>
document.getElementById("foz").addEventListener("click", function(evt) {
    var a = document.createElement('a');
    a.setAttribute("href", this.getAttribute("data-href"));
    a.setAttribute("target", "_blank");

    var dispatch = document.createEvent("HTMLEvents");
    dispatch.initEvent("click", true, true);
    a.dispatchEvent(dispatch);
}, false);
(/script>

You'll need to replace ( with the proper bracket - I can't get Blogger to render the tags!

This code comes courtesy of stackoverflow.com (follow the link).

I tried a large number of ways to punch out from the MobileIron app and this was the first one I found that worked. There might be others but I tried all the common ones I could think of/ find!

Deploying A Web Application Using MobileIron 7.0.3

A fairly simple post to highlight how incredibly easy MobileIron have made it to deploy a web application with their latest update to the server.

The first step is to login as a user with permissions to add application;

Click on the "APPS" tab, then click on "App Distribution Library".

A drop down will then appear showing the available platforms for applications (in Alphabetical order, usually Android first). Using the drop down select "Web Application";

Click on the "Add App" button to bring up the popup window;

Now you can enter the details for your application. The most important point (obviously!) is the "App URL".

You can then pick your categories and whether or not the app appears in the store front - just as you do with other applications.

Unfortunately (in this version) what you can't do is choose the web browser that opens the application (for example Chrome) or apply a per-application VPN (which would just be incredibly useful!). And, while you can select a Windows 8 (note 8, not 8.1 - which I can't test) label it does not appear to rollout the application to the device which is a little frustrating.

On the device itself the application appears as a touchable icon to launch (in exactly the same way as other applications).

I'm sure you'll agree an incredibly useful new feature!

MobileIron: Changing Country-Specific Blocking

MobileIron allows you to designate "active" and "inactive" countries. Once you have designated a Country as inactive all attempts to setup devices in that country will be blocked with the user receiving a "Unable to Connect to the Server" error message like the one below in iOS;

To make changes to the country lists log into the MobileIron admin portal;

Click on the "Settings" page at the top and then scroll down to the registration preferences section;

In this section you have the list of Disabled and Enabled Countries. To change the configuration just select the country in which box and click the appropriate arrow to move it between the boxes.

Once you've made the changes click on the "Save" button at the very bottom of the page.

MobileIron: Resolving "MobileIron iOS App Multi-Tasking Is Disabled" error

This one took a few minutes to resolve so in order to save anyone else some time here is what you'll see in the MobileIron control panel;

MobileIron: Users and Devices

The warning is;

MobileIron iOS App Multitasking is Disabled
Verify Location Services is enabled on the device for the MobileIron app by going to Settings | Location Services, then launch the MobileIron app once.

If you have email notifications for your users turned on they'll have received a similar email message in their local language.

Unfortunately if you've been an iOS for quite some time the title of the message will confuse you - you can't switch of Multitasking anymore. As is probably the case for lots of people (like me) you'll reach for Google and not read the rest of the message which explains the problem and lets you know how to fix it.

The issue is, basically, that the MobileIron applicaiton cannot access Location Services. This will either be because Location Services has been compeltely turned off on the device or that the MobileIron application has been specifically denied access to it.

The first step to resolving it is to open the "Settings" application;

iOS7: Settings Application

 Touch the "Privacy" item on the left (at the bottom of the "General" group;

iOS7: Settings > Privacy

In this page you'll have details of how much information you are sharing. Touch "Location Services" at the top;

iOS7: Settings > Privacy > Location Services

As you can see from this screen shot MobileIron is explicitly denied access to Location Services. If you switch this back to green then the warning will go away.

Configuring MobileIron on Windows Phone 8 (Nokia Lumia 925)

This blog post is a quick guide to configuring MobileIron on Windows Mobile 8.0. The software is integrated into the OS and therefore you don't need to install anything from the Windows App Store (like you do with iOS and Android).

To start you need to click on the "settings" icon from either your start screen on the Application List;

Windows Mobile 8.0 "Settings" Application

Once you open this application you're presented with an array of text options;

Windows Mobile 8.0 "Settings" Application (Opened)

Scroll down through list until you find "Company Apps", touch that;

Windows Mobile 8.0 Settings > Company Apps

It's actually quite good to see these warnings. Although I did laugh a bit at the "What's a company policy?" being a hyperlink ... Touch "add account" to get started;

Windows Mobile 8.0 Settings - Company Apps - Add Account

You are now presented with two options; your email address and your password. Once you've entered these touch on "Sign in" and Microsoft will attempt to work out what configuration your IT Department/ Service Provider have put into place for you. I'm not 100% sure what this is doing - but for me anyway this didn't work. After a minute or two I was presented with a slightly more detailed option screen;

Windows Mobile 8.0 Settings - Company Apps - Add Account (More Detail)

The three new options are Username, Domain, and Server. For MobileIron (for my instance of it anyway) it wasn't necessary to enter the username and domain just the server.

Once that's done just touch "sign in".

And that was it, the Phone is now in the hands of your company administrators. In my case this meant the configuring of an Exchange account.

I had a lot of trouble getting this working. A lot of trouble, but it's not clear where the problem lay with this. It would be easy to blame the phone (and certainly the one-error-message-fits-all approach wasn't particularly helpful - i.e. can you find the server? is the login incorrect?) but I can't be 100% certain. I will say though that I've never had this problem on an iPad or an iPhone but that could just be down to luck ... Let me know if this works for you in the comments, or if it doesn't!!

Once you've configured "company apps" you'll see the familiar Apps@Work icon in the your installed application list.

MobileIron: Removing a Deployed Application From iPads

This is a simple quick guide to how to remove an application you are already deploying via MobileIron. This is useful if you need to remove an application urgently but don't want to delete it or if, like us, you are using Active Directory groups to control deploying the application but can't wait until AD replication has caught up to remove the application.

Log into MobileIron click on the APPS & CONFIGS tab, then “App Distribution”, select “iOS” in the Platform drop down, and then click on the “Add Name” column so that the applications are sorted in name order;

MobileIron: Deployed Applications

This gives you the list of all the application (both in-house and recommended applications from the iTunes store). It's probably easier to do a search for the application you're looking to remove. I'm going to remove the "Accellion" application you can see above. It's better to search for the exact application you want to remove as the last thing you want to do is just remove the *current* version of an application and roll all your users back to the previous version.

When you've done the search you will be presented with all the versions of the application you have in the system;

MobileIron: App Distribution - Multiple Versions

Select all the applications (click on the tick on the left), and then in the "Actions" menu select "Remove from Label";

MobileIron: Remove From Label dialog

The top item is labelled as "Partial" because the label is applied to one of the applications I've selected but not the other.

Select all the labels (check box at the top left) and then click "Remove".

You should now start to see the "Devices Installed" count decreasing as each device checks in and MobileIron does its stuff.

MobileIron: Problems Deploying iPad Applications To Active Directory Groups

Background: We have multiple AD domains but we configure and deploy the iPad from a single domain. Let's call it DM001. In Domain DM001 we don't have any end-users, they are in other domains each specific to the country of their users - for example UK001 for UK users, US001 for US users, etc.

Mobile iron is connected to the DM001 domain into which we have created a Group in Active Directory called "MobileIron_SW_Easypush". This group has a scope of "Domain local" and a Group type of "Security".

Into this group we have placed a group from each of the other domains, for example UK001\MobileIron_UK001_SW_EasyPush from UK users, US001\MobileIron_US001_SW_EasyPush for US users, etc.

This allows local IT groups in each Country to manage a local group in their AD Domain to add/remove their users rather than everything having to be done centrally (or with other people able to change AD groups in the admin domain).

The Problem: Users in all-but-one Country were picking up the software - no problem - while users in Switzerland weren't seeing this specific application in the Apps@Work folder but were able to download other applications they had been assigned permission to in other groups.

The problem is a little complicated by replication delays between the AD servers - but after waiting a few hours this could be ruled out.

The problem was eventually traced to this;

Active Directory: Problem Group Properties

AD groups which had a group scope of "Universal" were working, those with a scope of anything else were not.

Once the correct Group Scope was selected (and following an appropriate wait for replication) the problem was fixed.

This took a few hours of effort to work out, hopefully it will same someone else some time!

EasyPush: Installing EasyPush on an iPad (via MobileIron)

The EasyPush application is available via the “Apps@Work” icon on standard company iPads;

MobileIron: Apps@Work

When you start Apps@Work it will connect to your company App Store and show you all the applications you are eligible for;

MobileIron: Apps@Work Application List

To install EasyPush touch the “EasyPush” line and you’ll be taken to the application details screen;

MobileIron: EasyPush Application Details

On this screen touch the “Request” button, after a few seconds a popup will appear;

iOS: App Installation Dialog

Push “Install”. You’ll then be taken back to your home screen while the EasyPush application downloads and installs (this should only take a few seconds);

EasyPush: Application Installation

After the application has downloaded run it. A security dialog will appear;

iOS: "Are You Sure?" Dialog

Push “Continue” and the application will start;

EasyPush: Start Screen showing "Update" Button

After a few seconds an “Update” button will appear (highlighted above). Push it. EasyPush will now start downloading configuration files from the server;

EasyPush: Download Updates

Once the download is complete it will display whatever the users have permission to see.

Troubleshooting Installation/ First Run

I can’t find Apps@Work?

First of all swipe to the far-left and use the search to make sure it’s not hidden in one of the users folders. If you still can’t find it then check to see if MobileIron is installed (again use search). If it’s not then you need to install it, if it is open it and check to see it’s connecting correctly with the server. When you open MobileIron you should see something like;

MobileIron: Connection and Device Status

 If you do then go into Settings, and then select “Re-Enroll Device” (push “Re-Enroll” when prompted).

“No Certificate Installed” – error

You should only get this error when you are attempting to open the Apps@Work icon on a new iPad that has only just had MobileIron installed on it. The issue is caused by MobileIron not having installed all the profiles yet – if you open MobileIron, go into Settings, and then select “Re-Enroll Device” (push “Re-Enroll” when prompted).

Pushing “REQUEST” in Apps@Work Doesn’t Install the Application

There is no fix for this problem (that I have found) only doing a factory reset on the device. Go into Settings > General > Reset (at the bottom) > Erase All Content and Settings.

You have to pick “Erase All Content and Settings” just erasing settings does not work. You need to start again with the iPad and re-install MobileIron to fix the issue.

Pushing “UPDATE” in EasyPush just results in the same blank screen

The users settings in EasyPush are incorrect – in essence it’s showing them nothing because they don’t have permissions to see anything.

They need to be added as a Member and granted the appropriate permissions.