MobileIron® VSP Release Upgrade Guide

VSP Version 5.0

Proprietary and Confidential. Do Not Distribute.

MobileIron VSP 5.0 release notes

©2009-2012 Mobile Iron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. Mobile Iron, Inc. does not warrant the use of this publication.

For some phone images, a third-party database and image library, © 2007-2009 Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the Mobile Iron product.

MobileIron, Connected Cloud, and MyPhone@Work are registered trademarks of Mobile Iron, Inc. BlackBerry is a registered trademark of RIM. Windows is a registered trademark of Microsoft, Inc. iPhone is a trademark of Apple, Inc. Android is a trademark of Google Inc.

Contents

Chapter 1 Connected Cloud 5.0 Release Notes ... 1
  New Features Summary ... 1
    Other Changes ... 1
    Client Compatibility ... 2
  Resolved Issues ... 3
  Known Issues ... 5

Chapter 2 New Features in VSP 5.0 ... 7
  Feature Overview of Docs@Work, including Email Attachment Control ... 8
    SharePoint Documents ... 9
    Email Attachment Control ... 10
    Quarantine, Wipe, Retire, Block and Jailbreak Impact on Documents ... 11
  Supported Document Servers, ActiveSync Servers, and Devices ... 13
    Supported Document Servers ... 13
    Supported ActiveSync Servers for Attachment Control ... 13
    Supported Devices ... 13
  Email Attachment Control Details ... 15
    Email Attachment Control Options ... 15
    Forwarding Emails with Attachments ... 17
    Files Types that Email Attachment Control Supports ... 17
  Configuring Docs@Work ... 20
    Enable Docs@Work ... 20
    Set up Docs@Work App Settings ... 21
    Set up Docs@Work Policies ... 24
    Set up Your Preference for Saving Passwords on the VSP ... 27
  Configuring Email Attachment Control ... 28
    Configure the Standalone Sentry ... 28
    Regenerate the Encryption Key if it is Compromised ... 32
  Prompting Device Users to Install iOS Apps ... 36
  Updating Roaming Settings for iOS Devices ... 38
    Enabling Roaming for iOS Devices ... 38
    Disabling Roaming for iOS Devices ... 39
    Viewing Roaming Settings for iOS Devices ... 40
  Enable Roaming Web Services API ... 42

Chapter 3 Upgrading to MobileIron VSP 5.0 ... 44
  Prerequisites ... 44
  Important Notes ... 45
    Upgrade May Take Three Hours or More ... 45
    Database Purge After Upgrade ... 45
  Pre-Upgrade Procedure ... 46
    VM Requirements ... 46
    Backup Availability ... 46
    MDM Certificates for iOS Devices ... 46
    Provisioning Port Change ... 46
  Upgrade Procedure: 4.5.3 to 5.0 ... 48
    Configure your update repo. ... 48
    Initiate the upgrade. ... 48
    Reboot the VSP. ... 48
    Reboot the VSP again. ... 48
    Verify that the upgrade is complete. ... 49
  Post-Upgrade Procedures ... 49
    Resetting the HTTPS Provisioning Port in System Manager ... 49
    Notes ... 50

Chapter 4 Upgrading to MobileIron VSP 5.0: CLI Procedure ... 52
  Prerequisites ... 52
  Important Notes ... 53
    Upgrade May Take Three Hours or More ... 53
    Database Purge After Upgrade ... 53
  Pre-Upgrade Procedure ... 54
    VM Requirements ... 54
    Backup Availability ... 54
    MDM Certificates for iOS Devices ... 54
    Provisioning Port Change ... 54
  Upgrade Procedure: 4.5.3 to 5.0 ... 56
    Configure your update repo. ... 56
    Initiate the upgrade. ... 56
    Reboot the VSP. ... 56
    Reboot the VSP again. ... 57
    Verify that the upgrade is complete. ... 57
  Post-Upgrade Procedures ... 57
    Resetting the HTTPS Provisioning Port in System Manager ... 57
    Notes ... 58

Connected Cloud 5.0 Release Notes

September 21, 2012

The Release Notes contain the following information:

• New Features Summary

• Resolved Issues

• Known Issues

New Features Summary

This release includes the following new features:

• Docs@Work (SharePoint document access and attachment control)

• app installation prompts for iOS

• Admin Portal support for enabling/disabling roaming for iOS

• Web Services support for enabling/disabling roaming for iOS

See “New Features in VSP 5.0” on page 7 for detailed information on these features.

Other Changes

• The MobileIron app is now called Mobile@Work.

• The MobileIron app storefront is now called Apps@Work.

• MobileIron now provides access to the app storefront by means of a separate web clip only. The App Storefront link has been removed from the main screen of the MobileIron app for iOS. Tap the web clip to display Apps@Work in the device web browser.
Note: If you customized the original web clip, the new web clip will not replace your customized version.

• App-based authentication is no longer available for iOS apps. After upgrading (or before), admins will need to enable the desired options

• The MobileIron app icon no longer displays a badge to indicate the availability of updated or featured apps on the App Storefront. Badges related to app updates and availability are now displayed on the tabs within the App Storefront.

• The Smartphone Manager now warns that deleting an in-house app from the VSP also deletes the app from devices running iOS 5 or later.

• A Force Password Change button has been added to the User Management screen in Smartphone Manager. This button enables administrators to force local users to change the password for access to the Smartphone Manager and MyPhone@Work portal.

• The Smartphone Manager now locks out administrative users who provide an incorrect password for 5 consecutive login attempts. The lockout lasts for 30 seconds.

• The Network Monitor in System Manager now has a default of 1000 for maximum number of packets. In addition, the output file is no longer rotated. These changes help ensure that the Network Monitor does not consume excessive amounts of disk space.

• Android device details now include a Secure Apps Encryption State field; however, the underlying feature is not implemented yet. Ignore the value displayed in this field.

• The New Security Policy dialog now includes options called “Enable Secure Apps” and “Secure Apps Password Mode”. These options are not currently implemented. Please ignore them.

• The VSP now purges client logs and notification tables every four hours.

• Bulk registration now includes a Notify User field that enables you to specify whether the user will receive email notification during the registration process.

• The VSP now recognizes and reports devices running Android 4.1.

Client Compatibility

• MobileIron for iOS version 4.5.12 and later are supported for use with VSP 5.0.

• Versions 4.5.0, 4.5.2, 4.5.3, 4.5.5 and 4.5.6 of MobileIron for Android are supported for use with VSP 5.0.

Resolved Issues

The following issues have been resolved in this release:

• VS-9276: The VSP no longer incorrectly reports a lack of tokens for certain VPP apps due to faulty matching of apps.

• VS-8988: In the VSP System Manager, in Maintenance -> Software Updates, you can now use an IP address in the Software Repository Configuration URL.

• VS-8976: The parameter isRead in the Update Alert Web Services API now works as expected. Specifically, setting isRead to true updates the alert as read, and setting it to false updates the alert as not read.

• VS-8912: The badging for featured apps is now updated correctly after the iOS device user installs one of the featured apps.

• VS-8642: In the Exchange app setting, in the field ActiveSync Password, the following values now work correctly: $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, and $USER_CUSTOM4$.

• VS-8505: A VSP upgrade no longer erroneously removes ActiveSync devices, such as those that are manually blocked or allowed.

• VS-8238: On an Integrated Sentry that connects with Office 365, use the VSP Smartphone Manager to create a new ActiveSync policy and apply it to a mailbox. The policy is correctly created on Office 365 and applied to the mailbox. However, when you use the VSP Smartphone Manager to modify the ActiveSync policy, the Selected list in the Apply To Mailbox field is blank. It should list the mailbox. Also, the Policy Details pane does not display the mailbox.

• VS-7994: Custom data entered for a Custom SSL VPN app setting is now saved correctly.

• VS-7146: The VSP no longer incorrectly reports Bermuda as the location of certain devices located in the US.

• VS-7138: Bulk registration no longer fails for LDAP user IDs that contain a space.

• VS-6601: The VSP can now push a Wi-Fi profile containing an SSID of "undefined."

• VS-6561: Obsolete settings no longer display in the Device Details pane.

• VS-6553: SMS messages and push notifications for a Policy Violation alert are now not too long for the message and are more readable. Also, the $DEFAULT_POLICY_VIOLATION_MESSAGE variable is optional when you create an Event Center template for a policy violation alert.

• VS-6538: In the VSP Smartphone Manager, in Event Center -> Event History, clicking Export now works correctly.

• VS-6484: In an ActiveSync policy, changing the Password Type to Simple from Alphanumeric works in all cases. The resulting ActiveSync policy no longer includes the minimum number of complex characters from the previous Alphanumeric setting.

• VS-6347: The VSP now accepts NTLMv2 as an authentication method for Microsoft PKI integration.

• VS-6147: Switching between a self-signed certificate and Microsoft CA no longer results in an incorrect issuer name.

• VS-6099: The Data Purge feature no longer runs overnight without completing.

• VS-6089: The Get ActiveSync Devices API no longer throws an exception.

• VS-6047: Auto registration via the BES integration no longer results in incorrect reporting of location for BlackBerry devices.

• VS-5825: iOS: The VSP no longer requires a proxy user name for WiFi settings.

• VS-5561: In the Web Services API, in the response for an iOS device’s device details, the <device_model> and <iPhone PRODUCT> keys now show values such as “iPad” and “iPhone 4” rather than values such as “iPad1,1” and “iPhone 3,1”.

• VS-5530: Searches in the All Smartphones page no longer result in display of incorrect device count.

• VS-4995: iOS: Searching the Apple App Store from the App Distribution page no longer fails to return information on certain apps.

• VS-4963: The CallLog API no longer incorrectly reports that the called party has a home country of Vietnam.

• VS-4738: The VSP no longer reports "Verizon" and "Verizon Wireless" as separate operators.

• VS-1374: Search by User now works as expected in Event Center.

Known Issues

This section contains known issues for the current release.

• VS-9514: Certificate issuance fails silently if the key length defined in the SCEP is less than the key length defined in the CA template.

• VS-9260: If the number of in-house app provisioning profiles exceeds 1100, the App Settings screen no longer displays content.

• VS-9177: The VSP Smartphone Manager should not allow the administrator to enable email attachment control unless Docs@Work is enabled.

• VS-9173: Applying two events to the same label results in display of the wrong event name in the Event History screen.

• VS-9163: The VSP incorrectly generates a system alert for the VPP tokens used if there is at least one VPP app configured and the VPP tokens threshold is not configured.

• VS-9148: This issue involves multiple devices that use the same ActiveSync mailbox. Some of those devices are possibly blocked from accessing the ActiveSync mailbox if the ActiveSync policy limits the number of devices with the same ActiveSync mailbox. This field in the ActiveSync policy is called "Per-Mailbox smartphone count exceeds". When a device is retired, and manually removed from the ActiveSync Smartphones page, another device that is blocked because of this setting does not become unblocked, even if the limit is no longer exceeded. Workaround: Restart the Standalone Sentry that controls the device that you want to unblock.

• VS-9145: If you edit or create an ActiveSync policy to apply to 5000 or more mailboxes, and click Save, the VSP SmartPhone Manager displays this error message: "There was an error communicating with the server." Performing this update can take some time, depending on the number of Sentries and network connectivity status. Therefore, the VSP SmartPhone Manager can time out waiting for the updates to complete. However, once the updates are complete, if you reopen the ActiveSync policy, you will see that the ActiveSync policy was correctly updated.

• VS-9136: Increasing the priority of a policy fails to cause the expected update to affected devices.

• VS-9003: Consider the case when your ActiveSync server returns an HTTP 451 response (a redirect error) to the Standalone Sentry when a device attempts to access the ActiveSync server. Standalone Sentry uses the returned redirect URL instead of the original ActiveSync server's URL in subsequent ActiveSync communications from that device. Standalone Sentry does not revert to the original ActiveSync server URL until it receives another HTTP 451 response. If necessary, you can also remove the redirection for the device by removing the device from Smartphones & Users -> ActiveSync Smartphones in the VSP Smartphone Manager. The next time the device attempts to access the ActiveSync server, the Standalone Sentry uses the original ActiveSync server URL as configured for the Standalone Sentry.

• VS-8987: Users assigned only the Troubleshooting role are unable to create a Homezone in the Troubleshooting tab of the Admin Portal.

• VS-8683: Android devices are not wiped when out of contact for the interval specified in the security policy.

• VS-8664: Editing a bookmark (Apps & Files > App Settings > Bookmarks) produces a page loading error.

• VS-8644: This issue only occurs if you are using Integrated Sentry. If more than one Android device uses the same user account in the Exchange Server (2007, 2010, or Office 365), the VSP can sometimes fail to associate one or more of the devices with the corresponding devices in the VSP’s list of registered devices. When this situation occurs, the VSP displays one or more of the devices as unregistered in the ActiveSync Smartphones view in the VSP Smartphone Manager. This situation occurs only when two or more devices using the same user account first access the Exchange Server during the same Integrated Sentry sync interval. Workaround: Use the Link To button on the ActiveSync Smartphones view to associate an ActiveSync device to the registered device.

• VS-8534: Editing a web clip (Apps & Files > App Settings > iOS > Web Clips) produces a page loading error.

• VS-8440: Five failed attempts to log in to the Admin Portal do not lock out the current user ID. An additional failed attempt is required.

• VS-8433: The App Store Import feature lists duplicate iOS apps without differentiating between iPad and iPhone apps.

• VS-8022: If the language for the device is set to Korean, the registration email will contain an invalid Get App link.

• VS-6401: iOS: The VSP continues to show the status of a provisioning profile as Pending when that profile has been removed as the result of a quarantine.

• VS-6390: The Web Services API does not indicate the type of app policy violation that triggered a quarantined status.

• VS-6261: Android: Changing the priority of a security policy from 2 to 1 does not result in the provisioning of the highest priority policy.

• VS-436: Once an in-house app has been installed on an iOS device, the corresponding provisioning profile cannot be deleted from the VSP, though the Admin Portal reports the deletion attempt as successful.

New Features in VSP 5.0

September 21, 2012

This document provides information on:

• the Docs@Work feature, which includes email attachment control.

The Docs@Work feature requires iOS users to have the Mobile@Work for iOS app on their devices.

• support for prompting iOS device users to install specific apps on device registration.
See “Prompting Device Users to Install iOS Apps” on page 36.

• support for enabling and disabling voice and data roaming on iOS devices (5 or higher).
See “Updating Roaming Settings for iOS Devices” on page 38.

• the new Web Services API to enable voice or data roaming on an iOS (5 or higher) device.
See “Enable Roaming Web Services API” on page 42.

Feature Overview of Docs@Work, including Email Attachment Control

Docs@Work is a new feature that allows you to secure the following documents on iOS devices:

• Documents shared on Microsoft SharePoint sites

For more information, see “SharePoint Documents” on page 9.

• Documents attached to an email

This part of the Docs@Work feature is called email attachment control. For general information, see “Email Attachment Control” on page 10. Also, see “Email Attachment Control Details” on page 15.

Docs@Work gives iOS device users an intuitive way to access, store, and view documents from email and Microsoft SharePoint sites. It lets administrators establish data loss prevention controls to protect these documents from unauthorized distribution.

The provided Docs@Work information includes:

• “Feature Overview of Docs@Work, including Email Attachment Control” on page 8, which provides general information about the feature and lists the MobileIron products that support it.

• “Supported Document Servers, ActiveSync Servers, and Devices” on page 13, which lists the servers and devices that Docs@Work works with.

• “Email Attachment Control Details” on page 15, which provides a deeper dive into email attachment control.

• “Configuring Docs@Work” on page 20, which steps through the VSP configuration necessary to support secure document sharing.

• “Configuring Email Attachment Control” on page 28, which steps through the VSP and Standalone Sentry configuration necessary to support email attachment control.

For information on how the Mobile@Work for iOS app provides the Docs@Work capabilities to the device user, see New Features in the Mobile@Work for iOS app.

Docs@Work is integrated with these existing features:

• quarantining devices

• wiping devices

• retiring devices

• blocking devices from accessing the ActiveSync server.

• jailbreak detection

When any of these situations occur, the secured documents are no longer available to the device user. See “Quarantine, Wipe, Retire, Block and Jailbreak Impact on Documents” on page 11.

The Docs@Work feature requires the following versions of MobileIron products:

• VSP 5.0

• Standalone Sentry 4.0 to support email attachment control

• the Mobile@Work for iOS app

SharePoint Documents

On their iOS devices, device users can view folders and documents that are shared on a Microsoft SharePoint site for which they have a valid user ID and password.

Using the Mobile@Work for iOS app, the user can:

• Log in to the SharePoint site.

• Navigate through the folders.

• Preview documents on the SharePoint site. These documents are known as remote files.

• Save local copies of the documents. These local copies are known as local files.

• View local files.

The device user can access a SharePoint site in Mobile@Work in the following cases:

• The administrator creates a Docs@Work app setting that specifies a SharePoint site, and applies the app setting to a label. Devices with that label receive the Docs@Work app setting when they register with the VSP.

• The device user uses Mobile@Work to specify a SharePoint site.

Note the following:

• A device user must have a permission level for a SharePoint site that is equivalent to or higher than the “contribute” SharePoint permission level. The “contribute” permission level allows the user to view, edit, update, and delete documents on the SharePoint site. Without at least this permission level, the user cannot use Mobile@Work to access the site.

• A device user can work with multiple SharePoint sites, as long as the user enters valid credentials for each one.

• Each time the device user views the remote files of a SharePoint site, Mobile@Work syncs the folders and files so that the user sees the latest contents.

• Each time the device user views local copies of SharePoint files, Mobile@Work syncs the local files so that their contents reflect the latest corresponding SharePoint file.

• When the device user saves local copies of documents or email attachments, the saved copies are protected by the device’s data encryption.
Note: To enable data encryption on an iOS device, apply a security policy that requires a password on the device.

• The device user cannot cut and paste data from documents that they view in Mobile@Work into any other app.

Mobile@Work uses the native file viewer that iOS provides to display the contents of different file types. The following list shows the types of SharePoint documents that Mobile@Work can display:

• Microsoft Word documents (.doc, .docx)

• Apple Pages documents (.pages, pages.zip)

• Microsoft Excel documents (.xls, .xlsx)

• Apple Numbers spreadsheet files (.numbers, .numbers.zip)

• Microsoft PowerPoint documents (.ppt, .pptx)

• Apple Keynote presentation files (.key, .key.zip)

• Adobe Acrobat documents (.pdf)

• AVI video files (.avi)

• Rich Text Format files (.rtf)

• Quicktime video files (.mov)

• Rich Text Format directory (.rtfd.zip)

• MPEG4 audio/video files (.mp4)

• Image files (.png, .bmp, .jpg, .jpeg, .gif, .tiff)

• MPEG2 audio/video files (.mpeg)

• CSS stylesheet files (.css)

• WAV files (.wav)

• Plain text files (.txt)

• MP3 audio files (.mp3)

For information about setting up the capability to view SharePoint documents from iOS devices, see “Configuring Docs@Work” on page 20.

Email Attachment Control

New Standalone Sentry configuration settings determine whether the iOS device user can view email attachments only in the Mobile@Work for iOS app.

Standalone Sentry controls email access between the ActiveSync server and devices. Normally, the iOS device user can view email attachments using any app that works with the attachment type. The new Standalone Sentry configuration settings allow you to restrict viewing email attachments to Mobile@Work. This containerization secures the attachment from applications which could leak the attachment outside of the device. For additional access control, you can use a Standalone Sentry configuration setting that encrypts the email attachments that are delivered to devices.

The other option for email attachment control is to remove attachments. This option is also available on non-iOS devices.

Note the following:

• The 20 most recently viewed email attachments are available in Mobile@Work without requiring the user to reopen the attachment from its email.

• The user can save an attachment as a local file. Like the attachments, the local files are available for viewing only in Mobile@Work.

• The device user cannot cut and paste data from the email attachments that they view in Mobile@Work into any other app.

• Device users can view email attachments in Mobile@Work regardless of whether they have access to any SharePoint site.

• Mobile@Work uses the native file viewer that iOS provides to display the contents of different file types. The commonly used file types are listed in “SharePoint Documents” on page 9.

For more information, see “Configuring Email Attachment Control” on page 28.

Quarantine, Wipe, Retire, Block and Jailbreak Impact on Documents

Quarantine Impact on Documents

The VSP takes a compliance action on a device if the device violates a security policy that you specify. One compliance action that you can configure is to quarantine the device. Quarantine means that the device user no longer has access to corporate resources, such as email and WiFi.

Regarding the Docs@Work feature, if a device is quarantined, Mobile@Work does the following:

• Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.

• Removes all local copies of SharePoint files and email attachments

• Removes the list of recent attachments

• Removes the SharePoint site configurations that you configured with Docs@Work app settings on the VSP, depending on the compliance action that you configured. When you create a compliance action that specifies quarantine, you can choose whether to remove the app settings from the device. Removing the app settings includes removing any Docs@Work app settings. Since the Docs@Work app settings specify SharePoint sites, Mobile@Work removes the SharePoint site configurations. If the user had saved his SharePoint site password, Mobile@Work removes it, too. See “Set up Docs@Work App Settings” on page 21.

When the device is no longer quarantined, Mobile@Work makes the Local Files and Remote Files tabs available again. Docs@Work app settings are restored, and the user can once again access the SharePoint sites that you configured. However, if the user had saved his SharePoint site password, Mobile@Work no longer has it. The user will have to reenter it.

Retire and Wipe Impact on Documents

When you retire or wipe a device, Mobile@Work does the following regarding the Docs@Work feature:

• Removes all SharePoint site configurations, whether the device user added them manually or you configured them with Docs@Work app settings on the VSP

• Removes all local copies of SharePoint files and email attachments

• Removes the list of recent attachments

Block Impact on Documents

Devices can be blocked from accessing the ActiveSync server. You can cause a device to be blocked by doing the following:

• Configure a security policy to automatically block a device if it violates certain settings in the policy.

• Configure an ActiveSync policy to automatically block a device if it violates certain settings in the policy.

• Manually block the device.

Blocking a device now also includes blocking its access to the Docs@Work features. Specifically, Mobile@Work does the following:

• Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.

• Removes all local copies of SharePoint files and email attachments

• Removes the list of recent attachments

When the device is no longer blocked, Mobile@Work makes the Local Files and Remote Files tabs available again.

Jailbreak Impact on Documents

If the device user jailbreaks the device, Mobile@Work does the following regarding the Docs@Work feature:

• Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.

• Removes all local copies of SharePoint files and email attachments

• Removes the list of recent attachments

Mobile@Work notifies the VSP that the device is jailbroken. The VSP takes further actions depending on the security policy that you configured.

When the device is no longer jailbroken, Mobile@Work makes the Local Files and Remote Files tabs available again.

Supported Document Servers, ActiveSync Servers, and Devices

Supported Document Servers

Docs@Work supports the following document servers:

• Microsoft SharePoint 2007

• Microsoft SharePoint 2010

Supported ActiveSync Servers for Attachment Control

Standalone Sentry 4.0 supports the following ActiveSync servers, including support for email attachment control:

• Microsoft Exchange Server 2007 SP1

• Microsoft Exchange Server 2007 SP2

• Microsoft Exchange Server 2010

• Microsoft Exchange Server 2010 SP1

• Microsoft Exchange Server 2010 SP2

• IBM Lotus Notes Traveler 8.5.2

• IBM Lotus Notes Traveler 8.5.2.1

• IBM Lotus Notes Traveler 8.5.3

• IBM Lotus Notes Traveler 8.5.3 Upgrade Pack 1

Supported Devices

iOS Devices

To support Docs@Work, including full email attachment control, an iOS device must have:

• iOS version 4.2.1 and higher

• the Mobile@Work for iOS app

The supported iOS devices include the following:

• iPhone 3G and later

• iPad 1 and above

• iPod touch 2 and above

Non-iOS Devices

Non-iOS devices do not support Docs@Work, but can support the email attachment control option to remove attachments. However, because the device user’s experience can vary by device, MobileIron has verified the remove attachments option on the following non-iOS devices:

• Samsung SAFE Android devices running the Samsung email app and Android version 2.2 and later

• Android devices using the NitroDesk TouchDown email app and Android version 2.2 and later

• Windows Phone 7


Email Attachment Control Details

Email Attachment Control Options

For each Standalone Sentry, you can use the VSP Smartphone Manager to configure the type of email attachment control you want. For configuration steps, see “Configuring Email Attachment Control” on page 28.

The following table summarizes the email attachment control options that are supported on iOS and non-iOS devices (see “Non-iOS Devices” on page 13):

Email attachment control option | iOS devices | Non-iOS devices
“Remove Attachment” on page 15 | Supported, but typically not used | Supported
“Open Only with Docs@Work” on page 16 | Supported | Not supported
“Open Only with Docs@Work, and Protect with Encryption” on page 16 | Supported | Not supported
“Deliver as is” on page 17 | Supported, but typically not used | Supported

Remove Attachment

The “Remove attachment” option causes the Standalone Sentry to remove attachments from emails, replacing each attachment with another file. The name of the replacement file is the original attachment file name with .removed.html appended. For example, myDocument.pdf is replaced with myDocument.pdf.removed.html.

The replacement file contains the following text message:

"The original attachment was removed as required by the security policies of your administrator."

On iOS devices, the message is translated according to the language setting of the device. The following languages are supported:

• United States English

• Simplified Chinese

• Korean

• Japanese

• French

• German

The language defaults to United States English if the language setting is not one of the supported languages.

Supported devices: This option is available on non-iOS and iOS devices.

Note: Typically, you won’t use this option on iOS devices. Other options are available for iOS devices that are less intrusive, but still keep the attachments secure.

Open Only with Docs@Work

The “Open only with Docs@Work” option means that attachments open only in Mobile@Work. The user cannot open the attachment using any other apps on the device. The user also cannot cut and paste content from the attachment into any other app.

The Standalone Sentry appends .secure to the file name of the attachment. For example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the only app that can open files with the .secure file extension.

If Mobile@Work does not support viewing a particular file type, it presents an error message when the user tries to view the attachment.

Note: Mobile@Work uses the native file viewer that iOS provides to display the contents of different file types.

Supported devices: This option is available only on iOS devices.

Open Only with Docs@Work, and Protect with Encryption

The “Open only with Docs@Work, and protect with encryption” option means that attachments open only in Mobile@Work. The user cannot open the attachment using any other apps on the device. The user also cannot cut and paste content from the attachment into any other app. Furthermore, the Standalone Sentry encrypts the attachment, and only Mobile@Work is able to decrypt it, and therefore, display it.

The Standalone Sentry appends .secure to the file name of the attachment. For example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the only app that can open files with the .secure file extension.

Mobile@Work is unable to display the file in the following cases:

• It does not support the file type. In this case, it presents an error message when the user tries to view the attachment.

Note: Mobile@Work uses the native file viewer that iOS provides to display the contents of different file types.

• Its encryption key does not match the attachment’s encryption key.

For more information about this case and how to avoid it, see “Regenerate the Encryption Key if it is Compromised” on page 32.

Note: When the device user saves a local copy of an email attachment, the saved copy is protected by the device’s data encryption.

When to Use Encryption

The encryption protection provides additional access control for the attachment, making it prohibitively difficult for a malicious app to view the content. However, encryption protection affects Standalone Sentry performance.

Therefore, use the encryption option only if the following statements are true:

• You are operating in a high security environment.

• You are using a physical appliance for your Standalone Sentry or you are using the Virtual Standalone Sentry large configuration.

Note: Attempts to configure the encryption option fail for other Standalone Sentry configurations.

Configuration Considerations

Changing to or from this option requires you to re-push the Exchange app setting to the Standalone Sentry’s devices. For more information, see “Configure the Standalone Sentry” on page 28.

Supported devices: This option is available only on iOS devices.

Deliver as is

The “Deliver as is” option delivers all email attachments in their original form. The device user views attachments with any available apps that work with the type of attachment.

Supported devices: This option is available on non-iOS and iOS devices.

Note: Typically, you won’t use this option on iOS devices, because other options that keep the attachments secure are available for iOS devices.

Forwarding Emails with Attachments

When a device user forwards an email that has an attachment, the attachment in the forwarded email is the original attachment. However, if the ActiveSync server delivers the email to another device that Standalone Sentry manages, Standalone Sentry applies the email attachment control to the forwarded email’s attachment.

Note: The exception to this behavior involves the behavior of the iOS Mail app. If the email attachment control option is “Remove Attachment”, the iOS Mail app forwards the replacement file -- the file that contains the replacement text and has the .removed.html file extension. The original attachment is not forwarded. However, you typically do not use the "Remove Attachment" option on iOS devices.

File Types that Email Attachment Control Supports

Each email attachment has a MIME type. MIME stands for Multipurpose Internet Mail Extensions. MIME is an Internet standard for describing the kind of content that a file contains. An email program, such as the iPhone Mail app or Microsoft Outlook on a Windows PC, sets the MIME type of an email attachment.

Standalone Sentry uses the MIME type to determine which attachments it should apply attachment control to. Although it does not make the decision based on file extension, a typical mapping exists between file extensions and MIME types.

Therefore, in most email environments, Standalone Sentry performs attachment control for files with commonly used file extensions. For example, some of these file types are:

• Microsoft Word documents (.doc, .docx)

• Adobe Acrobat documents (.pdf)

• Microsoft Excel documents (.xls, .xlsx)

• Microsoft PowerPoint documents (.ppt, .pptx)

• Rich Text Format files (.rtf)

• Rich Text Format directory (.rtf.zip)

• Archive files (.zip, .tar)

• Apple Pages documents (.pages)

• Apple Numbers spreadsheet files (.numbers)

• Apple Keynote presentation files (.key)

• Audio files (.mp3, .mp4 and others)

• Video files (.wmv, .mkv, and others)

• Certificate files (.cer, .p12, and others)

Image and Text Files

Image files and text files are a special case. Standalone Sentry performs attachment control only for .csv text files. For all other image and text files, Standalone Sentry does not perform attachment control when you use one of these options:

• Open only with Docs@Work

• Open only with Docs@Work, and protect with encryption

The device user can open image and text files using any appropriate app. This special case allows emails with embedded text or image attachments, such as signatures, to always be accessible.

Image files typically have one of the following file extensions:

• .png

• .jpeg, .jpg

• .gif

• .tiff

• .bmp

Text files typically have one of the following file extensions:

• .txt

• .html


• .log

File Type Support Summary

The following table summarizes when a Standalone Sentry applies attachment control for different file types:

File type | Open with Docs@Work | Open with Docs@Work and protect with encryption | Remove attachments
Image files | Not applied | Not applied | Applied
Text files | Not applied | Not applied | Applied
Other files | Applied | Applied | Applied
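
The file-type rules summarized above, applied to a constructed email so an administrator can see which attachments would reach a device unchanged. This is an added example, not MobileIron code: the option identifiers, helper names and sample message are assumptions, and the type test (`image/*`, and `text/*` except `text/csv`) models the summary table rather than the Standalone Sentry's actual implementation.

```python
"""Model of the attachment-control rules in the File Type Support Summary.

Added illustration, not MobileIron code. Option identifiers and helper
names are hypothetical; the sample message is constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical identifiers for the four options the guide describes.
REMOVE = "remove_attachment"
OPEN_ONLY = "open_only_with_docs_at_work"
OPEN_ONLY_ENCRYPT = "open_only_with_docs_at_work_and_encrypt"
DELIVER_AS_IS = "deliver_as_is"


def is_exempt_type(mime_type: str) -> bool:
    """Image and text types are exempt from the two 'Open only' options.

    The guide names .csv as the one text type that is still controlled;
    mapping that to the MIME type text/csv is an assumption of this model.
    """
    main, _, sub = mime_type.lower().partition("/")
    if main == "image":
        return True
    return main == "text" and sub != "csv"


def delivered_name(filename: str, mime_type: str, option: str) -> str:
    """Return the file name the device would receive under `option`."""
    if option == DELIVER_AS_IS:
        return filename
    if option == REMOVE:
        # Applied to every file type, image and text files included.
        return filename + ".removed.html"
    if option in (OPEN_ONLY, OPEN_ONLY_ENCRYPT):
        if is_exempt_type(mime_type):
            return filename
        return filename + ".secure"
    raise ValueError(f"unknown option: {option}")


def audit_message(raw: bytes, option: str) -> dict:
    """Map each attachment's original name to its delivered name."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        # The decision uses the declared MIME type, not the extension.
        result[name] = delivered_name(name, part.get_content_type(), option)
    return result


def uncontrolled(raw: bytes, option: str) -> list:
    """Names of attachments that reach the device unchanged."""
    return sorted(n for n, d in audit_message(raw, option).items() if n == d)


def build_sample() -> bytes:
    """Constructed message with five attachments of different MIME types."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q3 plan"
    msg.set_content("See attached.")
    samples = [
        ("plan.pdf", "application", "pdf"),
        ("figures.csv", "text", "csv"),
        ("notes.txt", "text", "plain"),
        ("logo.png", "image", "png"),
        # A .csv file that the sending mail program declared as text/plain.
        ("export.csv", "text", "plain"),
    ]
    for name, maintype, subtype in samples:
        msg.add_attachment(b"constructed bytes", maintype=maintype,
                           subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    for opt in (REMOVE, OPEN_ONLY, OPEN_ONLY_ENCRYPT, DELIVER_AS_IS):
        print(opt, audit_message(sample, opt))
        print("  unchanged:", uncontrolled(sample, opt))
```

Because the MIME type is set by the sending email program, the two .csv files in the sample are treated differently under the "Open only" options even though they share an extension.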


Configuring Docs@Work

You configure Docs@Work using the VSP Smartphone Manager.

Do the following high-level steps:

1. Enable the Docs@Work feature. See “Enable Docs@Work” on page 20.

2. Configure a Docs@Work app setting for each SharePoint site, and apply labels to each app setting. Applying labels is how you specify which devices can access the SharePoint site. See “Set up Docs@Work App Settings” on page 21.

3. Configure a Docs@Work policy to specify settings that change the behavior of Mobile@Work, and apply labels to the policy. Applying labels is how you specify which devices use the policy. See “Set up Docs@Work Policies” on page 24.

4. Configure the option to save passwords on the VSP if you use $PASSWORD$ in the password field for the Docs@Work app setting. See “Set up Your Preference for Saving Passwords on the VSP” on page 27.

Enable Docs@Work

Enable Docs@Work if:

• you are supporting viewing documents from SharePoint sites.

• you are using email attachment control, even if you are not supporting viewing documents from SharePoint sites.

To enable the Docs@Work feature:

1. In the VSP Smartphone Manager, go to Settings | Preferences.

2. Select Enable Docs@Work.

3. Click Save.

Caution: If you disable Docs@Work after it has been enabled, the Mobile@Work app on each registered iOS device does the following:


• Removes all SharePoint site configurations, whether the device user added them manually or you configured them with Docs@Work app settings on the VSP

• Removes all local copies of SharePoint files and email attachments

• Removes the list of recent attachments

Set up Docs@Work App Settings

Use Docs@Work app settings to specify the SharePoint sites that devices can access. After you configure a Docs@Work app setting, apply it to the labels for the appropriate devices.

Do the following:

1. In the VSP SmartPhones Manager, select Apps & Files -> App Settings.

2. Select Add New -> Docs@Work.

Use the following guidelines to create or edit a Docs@Work app setting:

Item: Name
Description: Enter brief text that identifies this Docs@Work app setting.

Item: Description
Description: Enter additional text that clarifies the purpose of this Docs@Work app setting.

Item: URL
Description: Enter the URL of a SharePoint site, subsite, library, or folder.

The format of the URL is described in “Specify the URL of the Docs@Work App Setting” on page 23.

Item: User Name
Description: Specify the user name that the device user uses to access the SharePoint site.

Enter one of the following variables: $EMAIL$, $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.

You can also enter a combination of one or more variables and text, such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$.

When the device user attempts to access the SharePoint site, Mobile@Work fills a user name field with the user’s information based on the variables you specify in this field.

Enter $NULL$ if you want Mobile@Work to leave the user name field empty, requiring the device user to manually enter the user name.

Item: Password
Description: Specify the password that the device user uses to access the SharePoint site.

Enter one of the following variables: $EMAIL$, $USERID$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.

You can also enter a combination of one or more variables and text, such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$.

When the device user attempts to access the SharePoint site, Mobile@Work fills a password field with the user’s information based on the variables you specify in this field. However, the text is hidden with asterisks.

Enter $NULL$ if you want Mobile@Work to leave the password field empty, requiring the device user to manually enter the password.

Note: If you include $PASSWORD$, enable “Save User Password” on the Settings -> Preferences page.

Item: Allow Users to Save Password
Description: Select this field to give the device user the option to save SharePoint site passwords on the device. If the user chooses to save a SharePoint site password, Mobile@Work does not present a login screen to the user when the user next accesses the SharePoint site.

3. Click Save.

4. Select the new Docs@Work app setting.

5. Select More Actions -> Apply To Label.

6. Select the labels to which you want to apply this app setting.

Specify the URL of the Docs@Work App Setting

The URL that you enter in the URL field of the Docs@Work App Setting specifies one of the following:

• A SharePoint site

• A SharePoint subsite

• A SharePoint library

• A SharePoint folder

The URL includes a hierarchical list of names that drills down to the site, subsite, library, or document you want the device user to access. This URL is not the same as the URL that you see in a Web browser open to the same site, subsite, library, or document.

For example:

• http://companySharePointSite.com

This example specifies the root SharePoint site.

• http://companySharePointSite.com/Marketing

This example specifies the Marketing subsite in the root SharePoint site.

• http://companySharePointSite.com/Marketing/Demo

This example specifies the Demo subsite within the Marketing site.

• http://companySharePointSite.com/Marketing/NewProductDocuments

This example specifies the NewProductDocuments library in the Marketing site.

• http://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures

This example specifies the TopFeatures folder in the NewProductDocuments library.

Note:

• Do not copy the URL you see in a browser’s URL address bar into this field. The URL in this field is not the same as the browser’s URL. For example, for the root site on Microsoft SharePoint 2010, the browser’s URL field appears as:
https://companySharePointSite.com/SitePages/Home.aspx
In this field, you specify:
https://companySharePointSite.com

• A valid URL does not contain spaces or certain special characters. For example, a space is entered in a valid URL as %20. That is, instead of entering:
https://companySharePointSite/Shared Documents
Enter:
https://companySharePointSite/Shared%20Documents
Such substitutions are known as URL encoding.

• The URL can include these variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, and $USER_CUSTOM4$. Combinations of text and variables are supported. For example:
http://companySharePointSite.com/$USER_CUSTOM1$/$USERID$
When using these variables, make sure the URL still specifies a SharePoint site, subsite, library, or folder.

Set up Docs@Work Policies

Docs@Work policies specify settings that change the behavior of Mobile@Work.

To configure a Docs@Work policy:

1. In the VSP SmartPhones Manager, select Security & Policies -> All Policies.

2. Select Add New -> Docs@Work.

Use the following guidelines to create or edit a Docs@Work policy:

Item: Name
Description: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Smartphone Manager. This name must be unique within this policy type.

Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
Default Policy Setting: Default Docs@Work Policy

Item: Status
Description: Select Active to turn on this policy. Select Inactive to turn off this policy.
Default Policy Setting: Active

Item: Priority
Description: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select “Higher than” or “Lower than”, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”. See “Prioritizing Policies” in the MobileIron VSP Administration Guide or the MobileIron Connected Cloud Administration Guide.

Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Description: Enter an explanation of the purpose of this policy.
Default Policy Setting: Default Docs@Work Policy

Item: Allow Open In
Description: Select this field if you want to allow device users to:

• Open documents that they are viewing in Mobile@Work in other apps.

• Email documents that they are viewing in Mobile@Work.

This option applies to all the documents that they view in Mobile@Work:

• Remote files on a SharePoint site

• Email attachments

Note: Consider the case when the Standalone Sentry’s attachment control settings restrict attachment viewing to Mobile@Work. In this case, when the device user opens the attachment from the email, it opens in Mobile@Work. From there, the user has the option to open the document in other applications.

• Local copies you made of SharePoint files and email attachments.

Default Policy Setting: Not selected

Set up Your Preference for Saving Passwords on the VSP

If you use the $PASSWORD$ variable in your Docs@Work app settings (or other app settings such as the Exchange app setting), do the following:

1. Go to Settings -> Preferences in the VSP Smartphones Manager.

2. Select Yes for Save User Password.

Selecting Yes means that the VSP keeps the user password and can pass it to the device. For example, when Mobile@Work displays the screen for logging into a remote share, the password field is filled in.

3. Click Save.

Caution: If you plan to use the $PASSWORD$ field in any app settings, be sure to set Save User Password to Yes before any device users register. Device users who registered before you set Save User Password to Yes will have to log in to the MyPhone@Work web portal. Logging in to the MyPhone@Work web portal provides the user’s password to the VSP.


Configuring Email Attachment Control

Use the VSP Smartphone Manager to configure email attachment control.

Do the following high-level steps:

1. Enable the Docs@Work preference setting. See “Enable Docs@Work” on page 20.

2. Configure each Standalone Sentry’s attachment control options. See “Configure the Standalone Sentry” on page 28.

3. Regenerate the encryption key if the key is compromised. See “Regenerate the Encryption Key if it is Compromised” on page 32.

Configure the Standalone Sentry

You configure each Standalone Sentry with an email attachment control option for:

• iOS devices

• non-iOS devices

If you require different options for different users, use a different Standalone Sentry for each set of users.

To configure email attachment control options:

1. Go to Settings -> Sentry in the VSP Smartphone Manager.

2. Click Edit next to the Standalone Sentry entry.

3. Select Enabled from the Attachment Control drop-down list. The Attachment Control Configuration section appears.

Be sure you have enabled Docs@Work. See “Enable Docs@Work” on page 20.

Note: Selecting Disabled means the Standalone Sentry uses the Deliver As Is option for iOS and non-iOS devices.

4. For iOS, select the type of attachment control that you want to use. For a description of the options, see “Email Attachment Control Options” on page 15. Make sure you have enabled Docs@Work as described in “Enable Docs@Work” on page 20 if you choose “Open only with Docs@Work” or “Open only with Docs@Work and protect with encryption”.

Note: Select “Open only with Docs@Work and protect with encryption” only if you are using the large configuration for the Standalone Sentry. For the small and medium configurations, configuring and saving this option results in an error. To check for this error, see “Checking for Configuration Errors” on page 30.

5. For Other Platforms, select the type of attachment control that you want to use. The only options are Remove Attachments and Deliver As Is. See “Email Attachment Control Options” on page 15.

6. Click Save. The Standalone Sentry restarts when you click Save. A restart can cause a brief interruption in email service to device users.

7. If you changed to or from the option “Open only with Docs@Work and protect with encryption”, you see the following:

Click Yes if you understand and agree to the impact. For more information about re-pushing the Exchange app setting, see “Changing the Encryption Option” on page 30.

Checking for Configuration Errors

If the Standalone Sentry is not available when you click Save, it does not receive the new settings. When the Standalone Sentry is available again, open the Edit Standalone Sentry view and click Save to send the new settings.

To find out if the Standalone Sentry failed to apply the changes, go to Settings -> Sentry. Click View Errors on Standalone Sentry’s setting for the detailed error message.

Changing the Encryption Option

Changing the option “Open only with Docs@Work, and protect with encryption” requires you to re-push the Exchange app setting to the iOS devices that the Standalone Sentry works with. Otherwise, users will be unable to read or forward previously received attachments. The re-push causes the email app to remove all emails from its email folders and then re-fetch the emails from the ActiveSync server.

The easiest way to re-push an Exchange app setting to a device is to make a simple change, such as adding a space at the end of the Description field. The next time each device checks in, the VSP will send the Exchange app setting to the device.

Therefore, change to or from the encryption option only if:

• you can make the change during a planned maintenance period or non-peak operating hours.

• you have notified users about what to expect.

To re-push the Exchange app setting after changing the encryption option:

1. Go to Apps & Files -> App Settings.

2. Select an Exchange app setting that uses the Standalone Sentry with the changed attachment control option.

3. Click Edit.

4. Add a space to the end of the Description field.

5. Click Save.

6. Repeat steps 2 through 5 for each Exchange app setting that uses the Standalone Sentry with the changed attachment control option.

Regenerate the Encryption Key if it is Compromised

Standalone Sentry uses an encryption key to encrypt email attachments when the attachment control option is “Open only with Docs@Work, and protect with encryption”. The VSP provides one encryption key to all Standalone Sentries using the encryption option. The VSP generates the encryption key the first time you select the encryption option. The encryption key is compromised if malicious third-party apps are using it to view email attachments.

If you think the key is compromised, you can generate a new key. However, before generating a new key, consider the following:

• Key regeneration causes a restart for all Standalone Sentries that are using encryption for attachment control. A restart can cause a brief interruption in email service to device users.

• Key regeneration prevents users from reading previously received attachments, unless you subsequently re-push the Exchange app setting to the devices.

Previously received attachments are encrypted with the old key, but Mobile@Work uses the new key after key regeneration. Therefore, Mobile@Work cannot display the old attachment. Furthermore, consider the scenario when a device user forwards an email with an attachment encrypted with the old key. The Standalone Sentry is unable to decrypt the attachment because it is using the new key. In this case, the Standalone Sentry replaces the attachment with a text file with an explanatory message.

Therefore, key regeneration requires you to re-push the Exchange app setting to devices. The re-push causes the email app to remove all emails from its email folders and then re-fetch the emails from the ActiveSync server. Re-fetching the emails means that the Standalone Sentry encrypts the email attachments with the new key.

The easiest way to re-push an Exchange app setting to a device is to make a simple modification, such as adding a space at the end of the Description field. The next time each device checks in, the VSP will send the Exchange app setting to the device.

Therefore, regenerate the key only if:

• the key has been compromised.

• you can regenerate the key during a planned maintenance period or non-peak operating hours.

• you have notified users about what to expect.

To regenerate the key, do the following.

1. In the VSP Smartphone Manager, go to Settings -> Sentry -> Preferences.

2. Click Regenerate Key.

3. Click Yes if you are sure you want to regenerate the key.

4. Go to Apps & Files -> App Settings.

5. Select an Exchange app setting that uses a Standalone Sentry configured with the attachment control encryption option.

6. Click Edit.

7. Add a space to the end of the Description field.

8. Click Save.

9. Repeat steps 5 through 8 for each Exchange app setting that uses a Standalone Sentry configured with the attachment control encryption option.

Note: If a Standalone Sentry is not available when you regenerate the key, its entry in Sentry -> Settings displays an error:

To send the new encryption key when the Standalone Sentry is available again:

1. Go to Settings -> Sentry in the VSP Smartphone Manager.

2. Click Edit next to the Standalone Sentry entry.

3. Click Save in the Edit Standalone Sentry screen.

Prompting Device Users to Install iOS Apps

The Add App Wizard for iOS now includes an option that causes device users to be prompted to install specific apps upon registration of the device (iOS 5 or later). Select the “Send installation request on device registration” option to enable this feature.

When the device user completes registration and the VSP sends the Apps@Work web clip to the device, a prompt similar to the following displays.

When the device user clicks Install, Apps@Work prompts for Apple account information.

Updating Roaming Settings for iOS Devices

The Update Roaming Settings action allows you to enable or disable roaming for voice and data on iOS devices (iOS 5 or later). Support for this feature varies by operator.

Note: The “Apply settings” option in the iOS MDM app setting must be selected, or this feature will not work. This setting is selected in the default iOS MDM app setting. If you have edited this setting or created your own iOS MDM app setting, make sure this option is selected.

Enabling Roaming for iOS Devices

To enable roaming for the selected iOS device:

1. In the All Smartphones page, select the iOS devices you want to work with.

2. Select Update Roaming Settings from the More Actions menu.

3. Select Enable Voice Roaming.

4. Select Enable Data Roaming if you want to enable data roaming, as well.

5. Click Send.

Disabling Roaming for iOS Devices

To disable roaming for the selected iOS devices:

1. In the All Smartphones page, select the iOS devices you want to work with.

2. Select Update Roaming Settings from the More Actions menu.

Note that the check boxes remain unselected, regardless of whether roaming has been enabled for the selected devices.

3. Click Send. Clicking Send without making changes in this dialog disables roaming on the selected devices.

Viewing Roaming Settings for iOS Devices

To view the existing roaming settings on the selected iOS device:

1. In the All Smartphones page, select the iOS device you want to work with.

2. Find the Disable Voice Roaming and Disable Data Roaming settings in the Device Details pane.

Note: N/A indicates that the operator for the selected device does not support this feature. Also note that data roaming might display as enabled, but is effectively disabled if voice roaming is disabled.

Company Confidential41

Page 46: Release Upgrade g Dvs p 50

e.

e, et

Enable Roaming Web Services APIThe MobileIron Web Services API contains a new API that enables or disables voice and data roaming on an iOS 5 or higher device.

Example:

https://myvsp.mobileiron.com/api/v1/dm/devices/enableroaming/ee8198d9-5d79-4961-94c4-e21bf04b2467?voice=true&data=false

URI: https://{host-name}/api/v1/dm/devices/enableroaming/{deviceuuid}

The specified deviceuuid indicates thedevice on which to change roaming settings.

Http Method: PUT

Format: xml, json

Request:

deviceuuid Required. Unique ID of the iOS devicThis ID can be retrieved in the response of other API calls.

voice Required. This parameter is a query parameter.

Set to true to enable voice roaming.

Set to false to disable voice roaming.

data Required. This parameter is a query parameter.

Set to true to enable data roaming.

Set to false to disable data roaming.

If you set the voice parameter to falsdata roaming is disabled even if you sthe data parameter to true.

Response Status Code:

‘404 – No Data Found’ There is no data.

‘200 – OK’ Data is present and the response is returned.

Response:

<deviceManagementWebServiceResponse>
  <deviceUuid>190eb32e-32e1-4fe2-baa1-06a4488aaa4c</deviceUuid>
  <messages>
    <message>Device voice roaming settings updated successfully. The voice roaming setting is available only on certain carriers. Disabling voice roaming also disables data roaming.</message>
    <message>Device data roaming settings updated successfully.</message>
  </messages>
</deviceManagementWebServiceResponse>

First <message>: Status message for voice roaming. Success is shown if the method execution is successful. A descriptive error message is shown if the method execution failed.

Second <message>: Status message for data roaming. Success is shown if the method execution is successful. A descriptive error message is shown if the method execution failed.

Note:

• Voice roaming is available only on certain carriers. If you use this API to enable voice roaming on a device, the API returns success regardless of whether voice roaming is available on that device’s carrier.

• If you disable voice roaming, you are also disabling data roaming, even if you specify true (enable) for the data roaming query parameter.

• The API returns success regardless of whether the device supports the setting. To see whether a device has data or voice roaming enabled, see the Voice Roaming Enabled and DataRoamingEnabled fields in the response to a Get Device API.
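The enableroaming request and response described above, as an added example (not MobileIron's code): it builds the PUT URL with the device UUID canonicalized before it reaches the URL path, reports the roaming state the guide says will take effect, and parses the XML response. The function names, the host-name pattern and the sample response are constructed for illustration; sending the request and authenticating are left to the caller, since this guide does not describe them.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample modelled on the response layout shown in this guide.
SAMPLE_RESPONSE = """<deviceManagementWebServiceResponse>
  <deviceUuid>190eb32e-32e1-4fe2-baa1-06a4488aaa4c</deviceUuid>
  <messages>
    <message>Device voice roaming settings updated successfully.</message>
    <message>Device data roaming settings updated successfully.</message>
  </messages>
</deviceManagementWebServiceResponse>"""

HOST_RE = re.compile(r"[A-Za-z0-9.-]+")  # assumed host-name character set


def build_roaming_request(host, device_uuid, voice, data):
    """Return (method, url, effective_state) for the enableroaming call."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("unexpected characters in host name")
    # Canonicalize the UUID so no other text can reach the URL path.
    canonical = str(uuid.UUID(device_uuid))
    if not (isinstance(voice, bool) and isinstance(data, bool)):
        raise TypeError("voice and data must be booleans")
    query = urlencode({"voice": str(voice).lower(), "data": str(data).lower()})
    url = f"https://{host}/api/v1/dm/devices/enableroaming/{canonical}?{query}"
    # Per the guide: disabling voice roaming also disables data roaming.
    effective = {"voice": voice, "data": voice and data}
    return "PUT", url, effective


def parse_roaming_response(xml_text):
    """Return (device_uuid, [status messages]) from the XML response body."""
    # The documented response carries no DTD, so refuse one outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not expected in API response")
    root = ET.fromstring(xml_text)
    if root.tag != "deviceManagementWebServiceResponse":
        raise ValueError("unexpected root element")
    dev = (root.findtext("deviceUuid") or "").strip()
    msgs = [" ".join((m.text or "").split()) for m in root.iter("message")]
    return dev, msgs
```

Because the API returns success whether or not the device or carrier supports the setting, treat the parsed messages as an acknowledgement only and confirm the resulting state through the Get Device API fields named in the note above.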


Upgrading to MobileIron VSP 5.0

Version 5.0

September 24, 2012

This document describes the upgrade process using the Software Updates feature in the System Manager. If you expect slow download times, you should consider using the CLI procedure documented in “Upgrading to MobileIron VSP Version 5.0: CLI Procedure.”

Prerequisites

4.5.3 is the minimum version required for upgrading to 5.0. If you currently have an earlier version of the VSP, you must upgrade to 4.5.3 or 4.5.4 before proceeding.


Important Notes

Upgrade May Take Three Hours or More

If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Database Purge After Upgrade

Four hours after you complete the upgrade, an automatic database purge will start. You may notice an increase in CPU usage at this time. This is normal and should not impact system performance.


Pre-Upgrade Procedure

VM Requirements

Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.

Backup Availability

It is always prudent to create backups prior to upgrading. If you are using a virtual VSP, consider creating a .vmdk backup. If MobileIron Professional Services has implemented backups for your system, make sure you have a recent successful backup. If neither of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).

MDM Certificates for iOS Devices

Before upgrading, confirm that your iOS MDM certificate is a production certificate, and not a temporary developer certificate. The ability to change this certificate was removed in the 4.5.2 release. Note that changing your certificate from the developer version to the production version will require that you retire and re-register all iOS devices.

Provisioning Port Change

Before upgrading, determine whether your current implementation meets all of the following criteria:

• uses signed certificates

• uses HTTPS/8443 for provisioning

If your implementation meets these criteria, complete the post-upgrade procedures, because port 443, not port 8443, is now used for provisioning over HTTPS. The ability to change the HTTPS provisioning port was removed in the 4.5.2 release.

To determine which port you are currently using, select Settings | Port Settings in System Manager.

Note that any outstanding enrollment messages will no longer be valid.


Note: To use HTTPS as the provisioning protocol for iOS devices, you must have a signed certificate; the default self-signed certificate will not be sufficient.


Upgrade Procedure: 4.5.3 to 5.0

Configure your update repo.

1. Enter the following URL to start the System Manager:
   https://<FQDN>/mics/mics.html
2. Select Maintenance | Software Updates.
3. Update the Software Updates Repository Configuration Section:
   URL: https://support.mobileiron.com/mi/vsp/5.0.0
   Username/Password: Enter the credentials assigned by MobileIron Support.
4. Click the Save button.
5. Click the Save link in the upper right corner to save the current configuration.

Initiate the upgrade.

1. To list the updates available, click the Check Updates button.
2. Confirm that there are no errors displayed.
3. Click the Download button.

Note: Slow download times can mean that the browser times out before the upgrade completes. If this happens, use the download procedure in “Upgrading to MobileIron VSP Version 5.0: CLI Procedure” to resume the process.

Reboot the VSP.

1. After all the listed updates are installed, select Reboot.
2. Click the displayed Reboot button.
3. Click Yes to confirm when prompted.
4. Click Yes when prompted about saving the configuration.
5. Click OK.
6. After one minute, refresh the browser.
   The reboot might take up to 15 minutes to complete.
7. To confirm that the upgrade is complete, make sure you can log into the Smartphone Manager portion of the Admin Portal:
   https://<FQDN>/mifs

The upgrade may take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

The following error might display on the console and should be resolved after you complete the remaining upgrade steps:

modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory

Reboot the VSP again.

1. After the initial reboot is complete, select Reboot again.
2. Click the displayed Reboot button.
3. Click Yes to confirm when prompted.
4. Click No when prompted about saving the configuration.
5. Click OK.
6. After one minute, refresh the browser.

Verify that the upgrade is complete.

1. Select Maintenance | Software Updates in System Manager.
2. Confirm that the current version is 5.0.0.

Post-Upgrade Procedures

If your provisioning port was set to something other than 443, you should make the following changes to avoid any confusion concerning the port that is actually being used:

• Reset the port setting in System Manager to reflect the new 443 assignment.

Note that the ability to change the HTTPS provisioning port was removed in the 4.5.2 release, so if you completed that upgrade, you should have completed this process already.

Resetting the HTTPS Provisioning Port in System Manager

To reset the HTTPS provisioning port in System Manager:

1. In System Manager, select Settings | Port Settings.
2. Change the Provision Protocol setting from https to http.
   This step clears the contents of the Provisioning Port field.
3. Change the Provision Protocol setting back to https.
   This step sets the Provisioning Port field to 443.
4. Click Apply.
5. Save the configuration.

Notes

• The upgrade will take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

• Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.

• As a result of upgrading, you may observe that CPU usage increases to 100% every 15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.


Upgrading to MobileIron VSP 5.0: CLI Procedure

Version 5.0

September 24, 2012

This document describes the upgrade process using the MobileIron CLI. If you expect reasonable download times, you can use the Software Updates feature instead. See “Upgrading to MobileIron VSP Version 5.0.”

Prerequisites

4.5.3 is the minimum version required for upgrading to 5.0. If you currently have an earlier version of the VSP, you must upgrade to 4.5.3 or 4.5.4 before proceeding.


Important Notes

Upgrade May Take Three Hours or More

If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

Database Purge After Upgrade

Four hours after you complete the upgrade, an automatic database purge will start. You may notice an increase in CPU usage at this time. This is normal and should not impact system performance.


Pre-Upgrade Procedure

VM Requirements

Before upgrading a virtual VSP, confirm that your VM instance meets newly increased requirements. See the latest Installation Guide for these requirements.

Backup Availability

It is always prudent to create backups prior to upgrading. If you are using a virtual VSP, consider creating a .vmdk backup. If MobileIron Professional Services has implemented backups for your system, make sure you have a recent successful backup. If neither of these options is available to you, consider running the Show Tech function in System Manager (Troubleshooting > Logs).

MDM Certificates for iOS Devices

Before upgrading, confirm that your iOS MDM certificate is a production certificate, and not a temporary developer certificate. The ability to change this certificate is no longer available, so you must upload the production certificate prior to upgrading. Note that changing your certificate from the developer version to the production version will require that you retire and re-register all iOS devices.

Provisioning Port Change

Before upgrading, determine whether your current implementation meets all of the following criteria:

• uses signed certificates

• uses HTTPS/8443 for provisioning

If your implementation meets these criteria, complete the post-upgrade procedures, because port 443, not port 8443, is now used for provisioning over HTTPS.

To determine which port you are currently using, select Settings | Port Settings in System Manager.

Note that any outstanding enrollment messages will no longer be valid.


Note: To use HTTPS as the provisioning protocol for iOS+MDM devices, you must have a signed certificate; the default self-signed certificate will not be sufficient.


Upgrade Procedure: 4.5.3 to 5.0

Configure your update repo.

1. Log into the CLI using the administrator account you created during installation.
2. Enter the following command to switch to EXEC Privileged mode:
   enable
3. Enter the password for enabling the EXEC Privileged mode.
   The command line prompt changes: #
4. Enter the following command to enable CONFIG mode:
   configure terminal
5. Enter the following command to specify the URL and credentials for the repo:
   software repository https://support.mobileiron.com/mi/vsp/5.0.0/ <username> <password>
   where <username> and <password> are your company's download/documentation credentials as provided by MobileIron Support.

Initiate the upgrade.

The upgrade may take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

1. Enter the following command to exit CONFIG mode:
   end
2. To list the updates available, enter the following command:
   software checkupdate
3. Confirm that there are no errors displayed.
4. Enter the following command to download the latest available updates:
   software update

Reboot the VSP.

1. After all the listed updates are installed, enter the following command to reload the appliance:
   reload
   The following message displays:
   System configuration may have been modified. Save? [yes/no]
2. Enter no.
   The following message displays:
   Proceed with reload? [yes/no]
3. Enter yes.
   The reboot might take up to 15 minutes to complete.
   The following error might display on the console and should be resolved after you complete the remaining upgrade steps:
   modprobe: FATAL: Could not load /lib/modules/2.6.18.c15/modules.dcp: No such file or directory
4. To confirm that the upgrade is complete, make sure you can log into the Smartphone Manager portion of the Admin Portal:
   https://<FQDN>/mifs

Reboot the VSP again.

1. After the initial reboot is complete, select Reboot again.
2. Click the displayed Reboot button.
3. Click Yes to confirm when prompted.
4. Click No when prompted about saving the configuration.
5. Click OK.
6. After one minute, refresh the browser.

Verify that the upgrade is complete.

1. Enter the following URL to start the System Manager:
   https://<FQDN>/mics/mics.html
2. Select Maintenance | Software Updates.
3. Confirm that the current version is 5.0.0.

Post-Upgrade Procedures

If your provisioning port was set to something other than 443, you should make the following changes to avoid any confusion concerning the port that is actually being used:

• Reset the port setting in System Manager to reflect the new 443 assignment.

Resetting the HTTPS Provisioning Port in System Manager

To reset the HTTPS provisioning port in System Manager:

1. In System Manager, select Settings | Port Settings.
2. Change the Provision Protocol setting from https to http.
   This step clears the contents of the Provisioning Port field.
3. Change the Provision Protocol setting back to https.
   This step sets the Provisioning Port field to 443.
4. Click Apply.
5. Save the configuration.

Notes

• The upgrade will take three hours or more. If you think the upgrade has stalled, it is probably still running. Under no circumstances should you restart the upgrade. Contact MobileIron Technical Support if you need assistance.

• Once this upgrade procedure is complete, it may take up to 5 minutes for MobileIron Client apps to display in the App Distribution page.

• As a result of upgrading, you may observe that CPU usage increases to 100% every 15 seconds. This behavior is expected as a result of the resolution for an issue with the contact sync feature.
