- Are there many mobile operating systems, evolving and adapting to user requirements?
- Which operating systems do you support?
- What is the Virtual Smartphone Platform (VSP)?
- How many devices can you support on one VSP?
- What is Sentry?
- What is the Connected Cloud?
- What is Docs@Work?
- How is using Docs@Work different from using the VPN client on my device?
- Can you view documents offline with Docs@Work?
- What CMS software does Docs@Work support?
- Does Docs@Work support editing?
- What is AppConnect?
- What kind of apps does AppConnect work with? HTML5, etc.
- Does an app developer need to do anything different to enable the app to be AppConnect ready?
- What is Web@Work?
- What is MyPhone@Work?
- What is the Enterprise App Storefront?
- Why is preserving the "native experience" important?
- Why is jailbreak/root detection important?
- Why is having an agent on the device important?
- Why is having an enterprise app store important?
The "Trust/Verify" model
- What is the Trust/Verify Model?
- Can you restrict voice, SMS, and data?
- Can you prevent or force OS upgrades?
- Can you prevent or force application installation or removal?
- Can you filter web access?
- How does single sign on work for Apps?
- How do you make sure a rogue app does not capture corporate data?
- What is the difference between the virtual and physical VSP?
- What is the difference between standalone and integrated Sentry?
- What is the difference between MobileIron's on-premise and cloud solution?
- What is the difference between a perpetual license and subscription?
- What is the difference between professional services and independent installation?
- Do you support delegated admin?
- Do you replace BES?
- Do you replace ActiveSync?
- Do you replace Good?
- How does the client-side application work?
- Which encryption methods are used and supported?
- Can you perform selective wipe and restore?
- Can you perform jailbreak/root detection?
- Can you provide a secure app store?
- What are policies and how do you use them?
- What is an alert?
- What can you do over the air?
- What can you push?
- Does MobileIron have APIs?
- How does MobileIron integrate with Office 365?
Products
Are there many mobile operating systems, evolving and adapting to user requirements?
There are many mobile operating systems, constantly evolving and adapting to user needs. Each operating system has different capabilities depending on how it was written and the APIs the operating system makes available to third parties. Most, if not all, were designed with the consumer in mind, and thus provide a limited but growing set of capabilities for the enterprise. As each operating system developer releases new enterprise functionality, MobileIron supports it as soon as possible. For example, MobileIron was the first to market with features such as SCEP certificate proxy, iOS jailbreak detection, and an enterprise app store.
Which operating systems do you support?
MobileIron supports seven major mobile platforms: Apple's iOS, Google's Android, RIM's BlackBerry, HP's webOS, The Symbian Foundation's Symbian, Microsoft's Windows Mobile, and Microsoft's Windows Phone. As new platforms and vendors emerge, MobileIron is often first to market with advanced management and security features.
What is the Virtual Smartphone Platform (VSP)?
The MobileIron Virtual Smartphone Platform ("VSP") is the central hub of the MobileIron solution. It may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX. The VSP interfaces with the MobileIron application and enterprise resources such as LDAP, Exchange ActiveSync, certificate authorities, and the BlackBerry Enterprise Server.
How many devices can you support on one VSP?
MobileIron VSP has been tested to manage up to 100,000 devices per server and up to 200 simultaneous device registrations.
What is Sentry?
MobileIron Sentry provides access control for email. Sentry connects to Microsoft ActiveSync-enabled email systems such as Microsoft Exchange, IBM Lotus Notes, Google Gmail, and Microsoft Office 365. Like the VSP, it may be deployed as a physical hardware appliance or a virtual appliance using VMware ESX. MobileIron Sentry is included in the MobileIron Advanced Management package, though the hardware appliance is sold separately.
What is the Connected Cloud?
The MobileIron Connected Cloud solution is a subscription-based SaaS service that allows the customer to administer the MobileIron solution using a web browser over the Internet. There is a Connector, which sits on-premise in the customer's data center and ensures that Connected Cloud syncs with enterprise resources such as LDAP. Sentry, which provides access control for email, is optional and not required.
What is Docs@Work?
Docs@Work is a solution for securely managing mobile access to enterprise content. It gives the end user an intuitive way to access, store, and view documents from email and SharePoint and lets the administrator establish data loss prevention controls to protect these documents from unauthorized distribution.
How is using Docs@Work different from using the VPN client on my device?
Docs@Work provides VPN-less access to corporate content repositories like SharePoint via the MobileIron Sentry. End-users have seamless connectivity to enterprise resources behind the firewall. Traditional VPN clients require end-users to manually establish a remote connection to the enterprise to access corporate resources. In addition to seamless access, Docs@Work also provides additional security. Since Docs@Work connects to the intranet via MobileIron Sentry, other applications on the device cannot access sensitive corporate information. Traditional device-level VPNs provide device-level access to corporate resources: once the VPN tunnel is established, any application on the device can access sensitive corporate resources.
Can you view documents offline with Docs@Work?
If enabled by the admin, end-users can save content locally, within the Docs@Work container, for offline viewing.
What CMS software does Docs@Work support?
MobileIron Docs@Work works with all CMS systems that support IIS- and Apache-based WebDAV interfaces.
Does Docs@Work support editing?
The current version of Docs@Work does not support document editing.
What is AppConnect?
MobileIron AppConnect creates a secure app container through either an SDK and wrapper for iOS or a wrapper for Android. This container is connected to other secure app containers and to the MobileIron console for ongoing management. Security features provided by the AppConnect platform include data-at-rest encryption, SSO, DLP controls, dynamic configuration/policy updates and selective wipe of app-specific data.
What kind of apps does AppConnect work with? HTML5, etc.
AppConnect can secure both in-house and third-party applications. Apps can be made AppConnect-enabled through either an SDK and wrapper for iOS or a wrapper for Android. Security for HTML5 apps is provided by the AppConnect-enabled Web@Work secure browser.
Does an app developer need to do anything different to enable the app to be AppConnect ready?
Mobile apps can be made AppConnect-enabled by using the AppConnect SDK or wrapper for iOS, or the AppConnect wrapper for Android.
What is Web@Work?
Web@Work is an Enterprise Mobile Browser that enables immediate, secure access to internal websites and web applications, while preserving a native and high-fidelity web browsing experience.
What is MyPhone@Work?
MyPhone@Work is the employee's interface to MobileIron, and operates in conjunction with the VSP and Sentry. It can be accessed in two ways: through a web browser or through the MobileIron application on the employee's smart device. With MyPhone@Work an employee can perform basic administrative tasks without contacting the IT department, such as registering new devices and wiping lost devices. On iOS and Android, MyPhone@Work provides an enterprise app storefront for the discovery and distribution of enterprise apps and the recommendation of external third-party apps.
What is the Enterprise App Storefront?
The MobileIron enterprise app storefront provides the employee a catalog of mobile applications tailored to the needs of the enterprise. These apps are either approved by IT and available in commercial app stores or created by IT for internal business use. When the enterprise app storefront is on a device registered with MobileIron, it is tied to a specific user so the user can discover applications easily and IT can secure the distribution of enterprise apps.
Importance
Why is preserving the “native experience” important?
“Native experience” refers to the particular design choices, user interaction paradigms, and feature sets chosen by operating system developers to promote and enhance their respective platforms. It is these “native” features that make a BlackBerry a BlackBerry and an iPhone an iPhone.
These individual design decisions and interfaces, chosen by operating system developers and embraced by users, are a crucial factor in the use and adoption of mobile technology.
For example, the native experience of the iPhone includes the Apple email app for communication, the Safari app for browsing, the iTunes app for media, and the ability to download a wide range of other apps to the device. If the user can’t use these features, they can’t take advantage of the full potential of the device and will generally be unhappy.
There are mobile device management solutions that do not preserve the native experience because they create an artificial, closed environment on the device. Users are forced to use enterprise capabilities only within this closed environment -- email, browsing and apps are limited to what’s in this walled garden, detracting from the user experience. In addition, these “container-based” solutions often don’t follow industry standards.
Why is jailbreak/root detection important?
Jailbreaking (or rooting) a phone circumvents the built-in security and protection of the operating system, opening up the phone to malware and unsupported uses. Jailbroken devices also allow any application to be installed on the phone and malicious applications to steal contacts and corporate data.
Why is having an agent on the device important?
An application (or agent) is a piece of software that is installed on a user’s device. In order to detect jailbroken devices, and thus keep corporate data secure, smart devices must have an agent on the device itself, and the agent must be part of the registration process to ensure that the agent and device are identified with a specific enterprise user.
The agent can also check the device and analyze its current state, monitoring for compliance with corporate policies. Without an agent, the device could be compliant during the initial registration process but non-compliant later. Based on the current state of the device, the agent can block the device from corporate resources and send alerts.
Why is having an enterprise app store important?
An enterprise app store is similar to other app stores, but tailor-made to the needs of a corporation by providing a centralized location for business applications. These applications can be ones that are already readily available in other app stores, or ones that have been created by the enterprise for internal use.
When the enterprise app store is on a registered device and tied to a specific user, the user can not only discover applications easily but also be notified of the apps that are appropriate, while inappropriate ones are kept from the user.
The "Trust/Verify" model
What is the Trust/Verify Model?
Lockdown security models fail in mobile because they damage the user experience. MobileIron introduces a less autocratic and more sustainable model of security: IT sets the central policy and then monitors devices for compliance. When a device falls out of compliance, IT can take several remediation actions including notifying the user, blocking access to the enterprise, or wiping the mobile device.
Can you restrict voice, SMS, and data?
No, because most operating systems do not allow it. Restricting voice calls also introduces liability in an emergency situation. Instead, the MobileIron solution allows administrators to set thresholds and usage caps for any time period, and provides real-time event monitoring and warning of non-compliance.
Can you prevent or force OS upgrades?
No, because most operating systems do not allow it. Instead, the MobileIron solution allows for real-time insight into operating system version (and policy compliance, including whether a phone is jailbroken/rooted) and informs administrators of non-compliance.
However, administrators can set policies based on OS version and block certain versions from accessing enterprise resources.
Can you prevent or force application installation or removal?
No, because most operating systems do not allow it. It is not in the interest of the OS vendor to restrict what applications can be installed on the device. Instead, MobileIron allows monitoring of applications that are installed on a device and informs administrators and users of non-compliance. The VSP comes pre-loaded with certain bad strings (like "porn") and disallows apps with those titles.
Please note that web-clips are not applications, though they appear similar; web-clips, in contrast to apps, may be forcibly removed or installed at will.
Can you filter web access?
No, because web traffic must first be routed to the enterprise via a VPN before it may be filtered using third-party web filtering software. Instead, MobileIron can notify an administrator if a user is not using the company VPN for web traffic and subsequently block access to corporate resources.
How does single sign on work for Apps?
MobileIron provides time-based app-level sign-on across all applications secured using the AppConnect platform.
How do you make sure a rogue app does not capture corporate data?
MobileIron AppConnect encrypts and stores all AppConnect Enabled (ACe) app data in a virtual container on the device. Rogue applications cannot access the data stored in the virtual container. In addition, IT administrators can define policy on how data is shared between ACe applications.
Installation Decisions
What is the difference between the virtual and physical VSP?
The virtual VSP is a software image downloaded from the MobileIron Support website that can be installed on customer-owned servers. MobileIron supports VMware ESX. The physical VSP is a standalone hardware appliance that ships with VSP software already installed.
What is the difference between standalone and integrated Sentry?
Standalone Sentry sits inline between the mobile device and the email server. It may be deployed as either a virtual or physical appliance. Integrated Sentry, which only supports Exchange 2007 and 2010, does not sit inline and is instead installed on the ActiveSync server. For most customers, standalone Sentry is the preferred option because it provides greater access control across a greater variety of email systems.
What is the difference between MobileIron's on-premise and cloud solution?
The MobileIron Connected Cloud solution is a subscription-based SaaS offering that gives customers all VSP features and functionality without the need to install the MobileIron solution in a data center. For an on-premise MobileIron VSP installation, the appliance must reside at an in-house data center or third-party data center.
What is the difference between a perpetual license and subscription?
MobileIron software can be purchased as either a perpetual license with an additional annual support fee, or as a monthly subscription that includes support.
What is the difference between professional services and independent installation?
MobileIron and its partners offer a variety of professional services for guided assistance in installing the MobileIron solution, including training and deployment services.
Do you support delegated admin?
Customers can use Atlas, MobileIron’s advanced management and reporting tool, for delegated admin features.
Implementation
Do you replace BES?
No. The MobileIron solution is complementary to BES (BlackBerry Enterprise Server), providing additional features such as real-time telecom expense monitoring.
Do you replace ActiveSync?
No. The MobileIron solution is complementary to ActiveSync. ActiveSync mobilizes email and provides a handful of basic management settings. MobileIron provides advanced device management, security, and application management.
Do you replace Good?
Some of Good's functionality (such as email) is deployed in a complementary fashion by many MobileIron customers.
How does the client-side application work?
On platforms like iOS and Android, MobileIron makes available a client application that resides on the employee's device. The application allows employee access to MyPhone@Work, enabling the employee to communicate with IT, but also provides real-time application, usage, and security insight into the phone.
Where possible, the application runs unobtrusively in the background. Battery impact, space and memory usage are nominal. Since many platforms do not prevent application removal, the MobileIron VSP automatically notifies an IT administrator if the client application has been removed from the employee's phone.
Which encryption methods are used and supported?
MobileIron does not provide encryption and is agnostic to native encryption methods. Depending on the operating system, MobileIron is able to create and enforce policies based on the encryption status.
Can you perform selective wipe and restore?
Yes. MobileIron can wipe and restore corporate data while keeping employee data intact.
Can you perform jailbreak/root detection?
Yes. MobileIron can detect if an iOS or Android device has been compromised and can block the device from accessing corporate resources.
Can you provide a secure app store?
Yes. MobileIron can determine whether or not the device is compliant with security policies at any given moment in time, ensuring that the app store and the apps only appear on devices that meet enterprise standards.
What are policies and how do you use them?
Policies are a set of rules the VSP uses to secure, manage and regulate the behavior of the smart devices. One example is a policy that blocks a device from enterprise resources if it is rooted or jailbroken.
What is an alert?
An alert is a notification that is sent to a device and is triggered by a policy rule. It can be a notification using native OS capabilities, a text message or a badge that appears on the MobileIron icon. One example of an alert would be a notification that the device has a banned app installed.
What can you do over the air?
"Over the air" is remote configuration with no physical connection from the employee device to a computer server. Any data transfer occurs over wireless (WiFi or 3G). In this mode MobileIron can provision, wipe, encrypt and lock phones, but cannot back up data or upgrade the OS. This limitation is in the process of being addressed by various OS vendors.
What can you push?
To "push" means to send data or configurations to an employee's device without the employee having to take an action. MobileIron pushes security settings, application configurations and profiles. Note that no management platform can push applications to iOS or Android devices without the user’s permission, though MobileIron does publish the catalog of available apps to the user and then provisions the app at the user’s request.
Does MobileIron have APIs?
MobileIron has developed a set of Application Programming Interface (API) libraries for partners and customers to extract data about telecom expense management (TEM) from the MobileIron VSP.
How does MobileIron integrate with Office 365?
MobileIron supports Office 365.