MobileIron Confidential
MobileIron Threat Defense Integration FAQ Phases 1 and 2a Releases
MobileIron Core
Q: What is the version of MobileIron Core required?
A: For Android OS, Core 9.6.0.0 is required because of the addition of the Zimperium Configuration Type menu
selection for the Android XML Configuration.
For iOS, since a PLIST is pushed to the integrated client to enable it, Core 9.3.0.0 through Core 9.6.0.0 is
supported.
MobileIron Cloud
Q: What is the version of MobileIron Cloud required?
A: Support for MobileIron Cloud is not here yet. The integrated MobileIron Go client bundled with Zimperium
is on the roadmap for Q2 2018.
Mobile@Work Integrated Client
Q: What is the version of Mobile@Work that has the integrated Zimperium SDK bundled?
A: For Android OS, the initial version of Mobile@Work is 9.6.0.0. For iOS, the initial version is 9.7.0.0.
Q: What will the integrated client do?
A: The Mobile@Work side of the client acts as the conduit that enables the Zimperium z9 engine to talk to the
Zimperium zConsole administrative portal.
Q: How is the Mobile@Work integrated client auto-activated when it is on the device?
A: On iOS, auto-activation is done by pushing a Managed App Configuration to the device from the
Mobile@Work > Managed App Configuration menu. For Android OS, an XML file is required; it is
uploaded to an Android XML Configuration and pushed to an Android Enterprise device.
On iOS devices, app inventory is provided by Core to zConsole via the MDM API. This means all apps installed
on the iOS device are scanned and analyzed for security and privacy risks. Device posture and network threats
are evaluated device-wide.
On Android OS, since the Mobile@Work app resides within the Android Enterprise work profile, only the apps
that are installed within the work profile are scanned and analyzed for security and privacy risks. Device
posture and network threats are evaluated device-wide.
MobileIron - 415 East Middlefield Road - Mountain View, CA 94043 USA - Tel. +1.650.919.8100 - Fax +1.650.919.8006
[email protected] | http://mobileiron.com
iOS Managed App Configurations
Q: How do you configure the iOS Managed App Configuration that enables the Zimperium client?
A: The first step is to add Mobile@Work version 9.7 to the App Catalog, either from the iOS App Store or by
uploading the IPA file. Within Apps > App Catalog, select Mobile@Work Version 9.7 and scroll down to the
Managed App Configuration section. There are two ways to configure the Managed App Configurations,
depending on the deployment scenario.
The first deployment scenario is to send the Managed App Configuration to all iOS devices registered to Core.
Under the Default Configuration for MobileIron section, expand all the MobileIron Threat Defense Settings.
Then copy and paste the token string, obtained from Zimperium or MobileIron, into the Activation Code field.
Place a checkmark on Activate, which will automatically activate the Zimperium client bundled with
Mobile@Work. Save the configuration and then apply the iOS label to it.
The second deployment scenario is to send the Managed App Configuration to a subset of registered iOS
devices based on device grouping. An example use case can be that the Core administrator wants to deploy
the new Mobile@Work with the Zimperium client activated to BYOD users only.
From the Managed App Configuration section, click the blue Add+ button. Enter an App Configuration
Name, and then expand all. Under the Mobile Threat Defense Settings, copy and paste the token string,
obtained from Zimperium or MobileIron, into the Activation Code field. Place a checkmark on Activate, which
will automatically activate the Zimperium client bundled with Mobile@Work. Save the configuration and then
select the Employee-Owned label within the Managed App Configuration. Create another Managed App
Configuration to deploy the Mobile@Work client that leaves the Activation Code empty and Activate unchecked,
so the Zimperium client is not activated. Then apply the Company-Owned label to that Managed App Configuration.
Note: On order of precedence, a Managed App Configuration created by using the blue Add+ button
(second method above) has the highest priority if another Managed App Configuration also exists within
the Mobile@Work app configuration itself (first method above). A Managed App Configuration using a PLIST is
not applicable to the Mobile@Work client.
Android XML Configuration
Q: How do you configure the Android XML Configuration that enables the Zimperium client?
A: Go to Policies & Config > Configurations > Add New > Android > Android XML Configuration. Provide a
friendly name, description, and select Zimperium for the Configuration Type. Upload the XML file created
previously. Place a checkmark for I Agree and then save the configuration. Apply the Android and Android
Enterprise labels to the configuration.
The contents of the XML file that must be uploaded into an Android XML Configuration are shown
below. Only the license key obtained directly from Zimperium or MobileIron is added between the <token> and
</token> delimiters.
<?xml version="1.0" encoding="UTF-8"?>
<zimperium>
<token> LICENSE KEY OBTAINED FROM ZIMPERIUM </token>
</zimperium>
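A pre-upload check for the file above, as an added example that is not part of the original FAQ or of any MobileIron or Zimperium tooling. The function name, the sample key and the list of checks are assumptions of this example; the expected layout is taken from the sample file in this FAQ.

```python
import xml.etree.ElementTree as ET

# Placeholder text from the FAQ's sample file; it must be replaced before upload.
PLACEHOLDER = "LICENSE KEY OBTAINED FROM ZIMPERIUM"

# Constructed sample files (the key value is made up for this example).
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<zimperium>
<token>EXAMPLE-KEY-0000</token>
</zimperium>
"""
UNEDITED = GOOD.replace("EXAMPLE-KEY-0000", " LICENSE KEY OBTAINED FROM ZIMPERIUM ")


def check_zimperium_xml(text):
    """Return a list of problems; an empty list means the layout matches the FAQ."""
    # The file needs no DTD, so refuse one outright rather than parse it.
    if "<!DOCTYPE" in text.upper():
        return ["DOCTYPE declaration present; the file should not contain one"]
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if root.tag != "zimperium":
        problems.append(f"root element is <{root.tag}>, expected <zimperium>")
    children = list(root)
    tokens = [c for c in children if c.tag == "token"]
    if len(tokens) != 1:
        problems.append(f"expected exactly one <token>, found {len(tokens)}")
    extra = sorted({c.tag for c in children if c.tag != "token"})
    if extra:
        problems.append(f"unexpected elements: {', '.join(extra)}")
    if len(tokens) == 1:
        key = (tokens[0].text or "").strip()
        if len(tokens[0]):
            problems.append("<token> contains child elements")
        elif not key:
            problems.append("<token> is empty")
        elif key.upper() == PLACEHOLDER:
            problems.append("<token> still holds the sample placeholder")
    return problems


if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("unedited", UNEDITED)):
        print(name, check_zimperium_xml(doc) or "ok")
```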
Core to zConsole Integration
Q: How do you configure MobileIron Core to integrate with the Zimperium zConsole?
A: Add a local user in Core and grant it the roles that allow zConsole to communicate with Core.
Assign the following roles:
Privacy Control
- View apps and iBooks in device details
- Locate device
Label Management
- View label
- Manage label
User Management
- View User
- Manage user
Other Roles
- API
Q: What’s required on the Zimperium zConsole to integrate with Core?
A: Create an MDM Setting using the local user that was created in Core. From the zConsole Dashboard, go to
Management > MDM Settings > Add MDM.
In Step 1, select MobileIron 9.x, which allows zConsole to use version 1 and 2 APIs to communicate with Core.
In Step 2, add the URL for Core. Then add the Username and Password of the local user added in Core.
In Step 3, Import Labels from Core for the device platforms supported. Normally All Smartphones is sufficient,
or you can specify Android, Android Enterprise, and iOS (devices). Order labels by priority. Select Finish.
Local Remediation
Coexistence and Migration
Q: If our enterprise has already deployed the Zimperium zIPS client, will it interfere with the Mobile@Work
integrated client?
A: No, the two clients can co-exist on the same iOS or Android device, and both clients can talk to the same
zConsole tenant. The only caveat would be the device will show up as two separate devices within zConsole.
For Android deployments, the zIPS product can protect the device (personal) side, while Mobile@Work can
protect the Android Enterprise work profile, if the device is Android Enterprise capable.
Q: If our enterprise was using another Enterprise Mobility Management (EMM) solution (not MobileIron),
what would I need to get started if we wanted to deploy the integrated Mobile@Work client?
A: Just follow all the steps outlined in this FAQ and the narrated videos to deploy the Mobile@Work
integrated client for iOS and Android devices.
Troubleshooting
Q: What do I need to capture to start troubleshooting any issues with the Mobile@Work integrated client?
A: For iOS, within Mobile@Work > Settings, enable Enhanced Logging, and then Send Mobile@Work Logs.
For Android, also within Mobile@Work > enable Debug Logging and Send Logs.
Statements in this document concerning future prospects, business outlook, and product availability and
plans are forward looking statements that involve a number of uncertainties and risks. Factors that could
cause actual events or results to differ materially include: sales productivity; possible disruptive effects of
organizational changes; shifts in customer demand; perceptions of MobileIron and its prospects;
technological changes; competitive factors; unanticipated delays in scheduled product availability dates;
general business conditions; delays and inabilities in negotiating third partner partnerships, and other
factors. The information in the document should not be relied upon in making purchasing decisions. The
information on any future shown is not a commitment, promise or legal obligation to deliver any material,
code or functionality. The development, release and timing of any features or functionality described for
our products in this document remains at MobileIron’s sole discretion. Future product will be priced
separately. This document does not constitute an offer to sell any product or technology.