EMM Governing Tenants

Deployment Decisions







What is MobileIron?

MobileIron is software that companies use to secure and manage business apps, documents, and other business content on mobile phones and tablets. MobileIron software includes an administration console for the IT department and an app that employees download onto their devices from The App Store or Google Play. IT uses the MobileIron console to set security and management rules. The MobileIron app provides the IT department with information about the device and its security state. This includes things like carrier, country, device make and model, operating system (OS) version, phone number, and corporate email.

How does it work?

Your company’s IT department uses the MobileIron console to set policies, the rules that regulate the behavior of mobile devices and apps. For example, IT may set a policy that blocks a jailbroken or rooted device from getting company email.

When the MobileIron app is installed on your device you can:

  • Access your corporate email, calendar, and contacts
  • Connect to corporate WiFi and VPN networks
  • Find and install work related applications if your company is using them
  • Check compliance with corporate security policies
  • Locate lost or stolen devices


The exact functionality of MobileIron on your device depends on the policies and configuration determined by your employer. We encourage you to reach out to your employer for additional details about your organization’s policy on company- and personally-owned devices managed by MobileIron.


Why does my employer want me to install MobileIron on my phone/tablet?

Companies use MobileIron to protect company information from being stolen or lost. Data theft can happen in many ways but some of the more likely examples include (i) use of a jailbroken or rooted device, (ii) running an old version of the operating system that has known security vulnerabilities, (iii) installation of a malicious app that can steal information from other apps on the device or (iv) connecting to the corporate network via an unsecure network like the Wi-Fi in a coffee shop.


What does MobileIron do when it’s installed?

The technical term for what MobileIron does is “containerization”, which means separating personal apps and content from work apps and content. All of your work information and apps are kept together in a way that they can share information between themselves but can’t share it with your personal apps.


What can my employer do to my mobile device?

While it depends on the exact policies and configuration in your company, these are the types of actions an IT administrator could take:

  • Wipe enterprise content off of your phone, leaving your personal information untouched
  • Locate your device
  • Lock or unlock the device
  • Require that certain apps be installed
  • Block access to corporate email and internal resources if the device is out of compliance with company policies


What can my employer see on my phone/tablet when MobileIron is installed?

The answer varies by mobile operating system and company policy, but on iOS, as an example, employers could potentially see data such as carrier, country, device make and model, OS version, phone number, location, list of installed apps, and corporate email. But, even if they wanted to, employer could not see data such as personal email, voicemails, photos, videos, and web activity (unless going through the corporate network).

Texts are a different situation. On Android specifically, IT can relay SMS messages from the device to corporate email archival systems. In this scenario, your IT administrator responsible for MobileIron cannot view these messages, however your compliance or data security team would have access to these messages. Please check with your IT administrator for details on your company’s policies.

If your company is using MobileIron’s Visual Privacy you have a list of what your company can see and what actions can be taken on your device.


Can my employer see my location?

Your company can choose whether or not to track your location and, if they decide to track location, they use a setting in the administrative console. A typical reason companies decide to track location is to help locate a device that is lost or stolen. If your company is using MobileIron’s Visual Privacy it will say if your company is tracking location.


Can I keep my employer from seeing my location?

You can turn off sharing location data in settings. However, if your company requires that location services be turned on, you may receive a notification that you are out of compliance with your company rules or you may be blocked from being able to access your work information on your device including apps, email, calendar, and contacts. For assistance in this situation, please contact your IT department.


Can my employer read my personal emails?

Your employer cannot read emails sent and received from personal accounts such as Gmail. If you are sending personal emails using your work account, then yes, your employer has access to that information, the same way they do if you’re using a PC/laptop. However, they cannot read, or even see, your emails using the MobileIron console.


Can my employer see the apps I’ve installed?

If your employer distributes mobile apps to employees, it can see those apps because they are being secured using MobileIron. Your employer has the option to be able to see a list of all the apps that are installed on the device. However, not every company chooses to do this. When they do, it’s usually to understand whether there are potentially malicious apps on the device (such as apps that steal data) or whether there are apps that are against the company policies (such as gambling apps) that should not be permitted to operate on the company’s premises.


What’s wrong with a jailbroken or rooted device?

Because a jailbroken or rooted device bypasses some of the critical security features built into the device operating system (for example, application sandboxing), most malware (i.e., malicious apps) targets compromised devices, using the jailbroken or rooted device to gain unauthorized access to information from other apps on the device or to the corporate network.


Can MobileIron unlock my phone?

While MobileIron software may be used by your IT administrator to unlock your phone, we (i.e., MobileIron as a company) cannot take any direct actions on your phone. Only people at your company, usually the IT department, can take actions such as unlocking the device, wiping corporate data, etc. using the MobileIron console.


Why can my IT department lock or unlock my phone?

Your IT department can choose to set a policy that will allow it to lock or unlock your phone. Typically, when a phone is used for work email and apps, the security best practice is to make sure the phone is “locked” by means of a passcode. This protects against data loss if the phone is lost or stolen. With MobileIron software on the phone, the IT department can unlock the device if you have forgotten your passcode (assuming that they’ve confirmed your identity). In case of a lost or stolen device, the IT department can also quarantine the device (to prevent loss of corporate data) or, in extreme cases, remotely wipe the device.


What happens if I remove MobileIron?

Your device will be out of compliance. Depending upon the policy that your IT department has implemented, you will likely receive notice of non-compliance. In addition, you may lose access to all work-related apps and data, including your work email, work contacts, work calendar and apps.



Products BACK TO TOP


What is MobileIron Core?

MobileIron Core is a key component of the MobileIron Platform. It is the administrative console through which administrators can define security and management policies for devices, apps and content. Core also integrates with enterprise IT systems such as LDAP directories, email, content repositories and network access control systems. Core may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.

How many devices can you support on a single server?

MobileIron Core has been tested to manage up to 100,000 devices per server and up to 200 simultaneous device registrations. These numbers may vary based on the customer environment.

What is MobileIron Insight?

Insight is a native mobile application that allows IT administrators to view and manage policies on MobileIron Core. It is available for both, iOS and Android devices.

What reporting capabilities does Core support?

MobileIron Core collects over 200 fields of data with device, application, user metrics, and status which administrators can use to analyze, visualize, and get actionable insights into their mobile infrastructure. This data can be exported natively to Splunk, or other third party reporting tools like Tableau, Crystal Reports, and QlikView.

Does MobileIron support delegation of administrative roles and functions?

Yes. MobileIron Core now allows IT to establish data and task boundaries to protect user privacy and provide flexible delegation of IT responsibilities. Secure spaces with delegated administration and role based access enables the global IT lead to provide local IT or helpdesk admins with access to key systems based on their role within the organization. Global IT teams can also determine which devices local IT or helpdesk admins can see and what they can do on those devices. This enables global organizations to gain flexibility and create secure spaces for various functions within which they can complete key actions, while ensuring user privacy.

What is MobileIron Sentry?

MobileIron Sentry is the second component of the MobileIron enterprise mobility management platform. It is an in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems. Sentry may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.

What is MobileIron Client?

MobileIron Client, also known as Mobile@Work, is a mobile app that users download to register their devices to the corporate EMM server. Once a device is registered, Client downloads configuration, apps and other content from Core and enforces security policies established by IT.

What is MobileIron Connected Cloud?

MobileIron Connected Cloud solution is a subscription-based SaaS service. The MobileIron Connector, which sits on-premise in the customer's data center, ensures that Connected Cloud syncs with enterprise resources such as LDAP. MobileIron Sentry, which provides access control for email, is optional and not required.

What is Apps@Work?

Apps@Work is an enterprise app storefront. It is an application distribution library, using which IT can publish approved in-house and 3rd party mobile apps to end-users, based on their role and function within the organization. For end-users, Apps@Workis the single source to get enterprise-ready applications to help them be more productive on mobile.

What is AppConnect?

AppConnect is an app containerization technology. It creates a secure container through either an SDK and wrapper for iOS or a wrapper for Android. Apps secured using AppConnect become a secure container whose data is encrypted, protected from unauthorized access. IT can dynamically push app-specific configuration and policies to restrict open-in and copy/paste functions. A key component of AppConnect is AppTunnel which provides secure per app tunneling and access control to protect app data-in-motion.

What kind of apps does AppConnect work with? HTML5, etc.

AppConnect can secure both in-house and 3rd party applications. Security for HTML5 app is provided by the AppConnect enabled Web@Worksecure browser. A complete list of AppConnect enabled 3rd party apps is available here. In addition to device-at-rest encryption, AppConnect also leverages per-app VPN to secure data-in-transit.

What is MobileIron Tunnel?

Tunnel is an Apple iOS per app VPN solution. It allows organizations to authorize specific business apps, including internally built and App Store apps, to access corporate resources behind the firewall. Unapproved and personal apps are blocked so that only business data flows through Tunnel.

What is Docs@Work?

Docs@Work is a secure, on-device content repository. It gives the end user an intuitive way to access, store, and view documents from email and enterprise content shares such as SharePoint and lets the administrator establish data loss prevention controls to protect these documents from unauthorized distribution.

How is using Docs@Work different from using the VPN client on my device?

Docs@Work provides secure, VPN-less access to back-end repositories like SharePoint and other CIFS or WebDAV based file shares. This provides end-users seamless access to enterprise content behind the firewall. Docs@Work connects to the intranet via Sentry. As a result, intranet access is restricted to Docs@Work making it a more secure option than traditional VPNs. Traditional, device wide VPNs disrupt the user-experience by requiring users to manually establish a VPN connection every time they wants to access enterprise content. Additionally, device-wide VPNs allow any app on the device to access sensitive data.

Can you view documents offline with Docs@Work?

If enabled by the IT admin, end-users can save content locally, within the secure Docs@Work container for offline viewing.

What content management systems does Docs@Work support?

MobileIron Docs@Work works with all CMS systems that support IIS and Apache based WebDAV interfaces.

What is Web@Work?

Web@Work is an enterprise mobile browser that enables immediate, secure access to internal websites and web applications, while preserving a native and high-fidelity web browsing experience.

Does Web@Work secure cached data?

Yes. All cookies and cached data is encrypted as a part of the AppConnect container. This data can be wiped as a part of a selective wipe, should the device fall out of compliance.

What is MobileIron DataView?

DataView is a mobile application that provides mobile data usage monitoring. IT administrators can define data caps and notification settings to alert users when their mobile data use is nearing monthly caps.

Does MobileIron have APIs?

MobileIron has developed a set of Application Programming Interface (API) libraries allowing both customers and technology partners to leverage information on the mobile deployment from Core.

What operating systems does MobileIron support?

MobileIron supports three major mobile platforms: Apple's iOS, Google's Android, and Microsoft's Windows Phone. In addition, MobileIron also provides management capabilities for Windows 8 and Mac OS X.

Can you perform selective wipe and restore?

Yes. MobileIron can wipe and restore corporate data while keeping personal data intact.

Can you perform jailbreak/root detection?

Yes. MobileIron can detect if an iOS or Android device has been compromised and can block the device from accessing corporate resources.

Can you restrict voice, SMS, and data?

No, because most operating systems do not allow it. Restricting voice calls also introduces liability in an emergency situation. Instead, the MobileIron solution allows administrators to set thresholds and mobile data usage caps for any time period, and provides real-time notification using DataView.

Can you prevent or force OS upgrades?

No, because most operating systems do not allow it. Instead, the MobileIron solution allows for real-time insight into operating system version (and policy compliance, including whether a phone is jailbroken/rooted) and informs administrators of non-compliance. However, administrators can set policies based on OS version and block certain versions from accessing enterprise resources.

Can you prevent or force application installation or removal?

No, because most operating systems do not allow it. It is not in the interest of the OS vendor to restrict what applications can be installed on the device. Instead, MobileIron allows monitoring of applications that are installed on a device and inform administrators and users of non-compliance.

Please note that web-clips are not applications, though they appear similar; web-clips, in contrast to apps, may be forcibly removed or installed at will.

Is the MobileIron Platform certified for FIPS 140-2 compliance?

Yes. The MobileIron platform is certified for the use of FIPS 140-2 cryptographic modules. Our FIPS 140-2 certification letters are available here.



EMM Governing Tenants BACK TO TOP

Why is preserving the “native experience” important?

“Native experience” refers to the particular design choices, user interaction paradigms, and feature sets chosen by operating system developers to promote and enhance their respective platforms. It is these “native” features that end-users care about.

A crucial factor in the use and adoption of mobile technology are these individual design decisions and interfaces chosen by operating system developers and embraced by users. For example the native experience of the iPhone includes the Apple email app for communication, the Safari app for browsing, the iTunes app for media, and the ability to download a wide range of other apps to the device. If the user can’t use these features, they can’t take advantage of the full potential of the device and will generally be unhappy. There are mobile device management solutions that do not preserve the native experience because they create an artificial, closed environment on the device. Users are forced to use enterprise capabilities only within this closed environment -- email, browsing and apps are limited to what’s in this walled garden, detracting from the user experience.

Why is jailbreak and root detection important?

To jailbreak (or root) a phone circumvents the built-in security and protection of the operating system, opening up the phone to malware and unsupported uses. Jailbroken devices also allow any application to be installed on the phone and malicious applications to steal contacts and corporate data. This inherently makes the mobile device less secure.

Why is having an application (or agent) on the device important?

In order to detect jailbroken devices — and thus keep corporate data secure — devices must have an agent installed, and the agent must be part of the registration process to ensure that the agent and device is identified with a specific enterprise user.

The agent also can check the device and analyze its posture, monitoring for compliance with corporate policies. Without an agent, the device could be compliant during the initial registration process but non-compliant later. Based on the current state of the device, the agent can block the device from corporate resources and send alerts.

Why is having an enterprise app store important?

An enterprise app store is similar to other app stores, but tailor-made to the needs of a corporation by providing a centralized location for IT approved applications. These applications can be 3rd party apps, available in other app stores like the Apple app store or the Google Play store, or ones that have been developed in-house for internal use.

When the enterprise app store is on a registered device and tied to a specific user, not only can the user discover applications easily, but they can also be notified of the apps that are recommended based on their role and function within the organization.

What is the approach to Mobile Security?

Lockdown security approaches fail in mobile because they compromise the user experience. MobileIron introduces a less autocratic and more sustainable approach to mobile security: IT sets the central policy and then monitors devices for compliance. When a device falls out of compliance, IT can take several remediation actions including notifying the user, blocking access to the enterprise, or wiping the mobile device.

How does single sign on work for Apps?

MobileIron provides time-based app-level single sign-on across all applications secured using the AppConnect platform. In addition on iOS, MobileIron provides SSO for back-end resources that support Kerberos based authentication.

How do you make sure a rogue app does not capture corporate data?

MobileIron AppConnect encrypts and stores all AppConnect Enabled (ACe) app data in a virtual container on the device. Rogue applications cannot access the data stored in the virtual container. In addition IT administrators can also define policy on how data is shared between ACe applications.




Deployment Decisions BACK TO TOP

What is the difference between the virtual appliance and physical appliance?

MobileIron Core can be deployed as a virtual appliance or a physical appliance. The virtual appliance is a software image downloaded from the MobileIron Support website that can be installed on customer-owned servers. MobileIron supports VMware ESX and Microsoft Hyper-V. Core can also be deployed as a standalone hardware appliance.

What is the difference between the standalone and integrated Sentry?

Standalone Sentry sits inline between the mobile device and enterprise resources such as the email server. It may be deployed as either a virtual or physical appliance. Integrated Sentry, which only supports Exchange 2007 and 2010, does not sit inline and is instead installed on the ActiveSync server. For most customers, standalone Sentry is the preferred option because it provides greater access control for both email and apps accessing corporate resources.

What is the difference between MobileIron's on-premise and cloud solution?

The MobileIron Cloud solutions is a subscription-based SaaS offering that gives customers features and functionality, similar to Core, without the need to install the MobileIron solution in a data center. For an on-premise MobileIron Core installation, the appliance must reside at an in-house data center or third-party datacenter.

What is the difference between a perpetual license and subscription license?

MobileIron software can be purchased as either a perpetual license with an additional annual support fee, or as a monthly subscription that includes support.

What is the difference between professional services and independent installation?

MobileIron and its partners offers a variety of professional services for guided assistance in installing the MobileIron solution, including training and deployment services.

How do we migrate from a Blackberry environment to a multi-OS mobile environment?

The MobileIron solution is complementary to BES (BlackBerry Enterprise Server). The BES server is specifically designed to manage Blackberry devices. MobileIron provides EMM capabilities primarily for iOS, Android and Windows Phone devices. In addition, we have limited support for Blackberry devices. Detailed guidelines on migrating can be found here.

Do you replace ActiveSync?

No. The MobileIron solution is complementary to ActiveSync. ActiveSync mobilizes email and provides a handful of basic management settings. MobileIron provides advanced device management, security, and application management.




Implementation BACK TO TOP

What are policies and how do you use them?

Policies are a set of rules configured on Core, used to secure, manage and regulate the behavior of mobile devices. One example is a policy that blocks a device from enterprise resources if it is rooted or jailbroken. Policies can be applied.

What can you do over the air?

"Over the air" is remote configuration with no physical connection between the mobile device to a computer. All data transfer occurs over wireless (WiFi or 3G). In this mode MobileIron can provision, wipe, encrypt and lock phones.

What can MobileIron ‘push’ to mobile devices?

To "push" means to send data or configurations to an employee's device without the employee having to take an action. MobileIron pushes security settings, application configurations and profiles. Note that no management platform can push applications to iOS or Android devices without the user’s permission, though MobileIron does publish the catalog of available apps to the user and then provisions the app at the user’s request.