- What is MobileIron?
- How does it work?
- Why does my employer want me to install MobileIron on my phone/tablet?
- What does MobileIron do when it’s installed?
- What can my employer do to my mobile device?
- What can my employer see on my phone/tablet when MobileIron is installed?
- Can my employer see my location?
- Can I keep my employer from seeing my location?
- Can my employer read my personal emails?
- Can my employer see the apps I’ve installed?
- What’s wrong with a jailbroken or rooted device?
- Can MobileIron unlock my phone?
- Why can my IT department lock or unlock my phone?
- What happens if I remove MobileIron?
- What is MobileIron Core?
- How many devices can you support on a single server?
- What is MobileIron Insight?
- What reporting capabilities does Core support?
- Does MobileIron support delegation of administrative roles and functions?
- What is MobileIron Sentry?
- What is MobileIron Client?
- What is MobileIron Connected Cloud?
- What is MobileIron Apps@Work?
- What is AppConnect?
- What kind of apps does AppConnect work with? HTML5, etc.
- What is MobileIron Tunnel?
- What is Docs@Work?
- How is using Docs@Workdifferent from using the VPN client on my device?
- Can you view documents offline with Docs@Work?
- What content management systems does Docs@Worksupport?
- What is Web@Work?
- Does Web@Worksecure cached data?
- What is MobileIron DataView?
- Does MobileIron have APIs?
- What operating systems does MobileIron support?
- Can you perform selective wipe and restore?
- Can you perform jailbreak/root detection?
- Can you restrict voice, SMS and data?
- Can you prevent or force OS upgrades?
- Can you prevent or force application installation or removal?
- Is the MobileIron Platform certified for FIPS 140-2 compliance?
EMM Governing Tenants
- Why is preserving the “native experience” important?
- Why is jailbreak and root detection important?
- Why is having an application (or agent) on the device important?
- Why is having an enterprise app store important?
- What is the approach to Mobile Security?
- How does single sign on work for Apps?
- How do you make sure a rogue app does not capture corporate data?
- What is the difference between the virtual appliance and physical appliance?
- What is the difference between the standalone and integrated Sentry?
- What is the difference between MobileIron's on-premise and cloud solution?
- What is the difference between a perpetual license and subscription license?
- What is the difference between professional services and independent installation?
- How do we migrate from a Blackberry environment to a multi-OS mobile environment?
- Do you replace ActiveSync?
- What are policies and how do you use them?
- What can you do over the air?
- What can MobileIron ‘push’ to mobile devices?
Privacy BACK TO TOP
What is MobileIron?
MobileIron is software that companies use to secure and manage business apps, documents, and other business content on mobile phones and tablets. MobileIron software includes an administration console for the IT department and an app that employees download onto their devices from The App Store or Google Play. IT uses the MobileIron console to set security and management rules. The MobileIron app provides the IT department with information about the device and its security state. This includes things like carrier, country, device make and model, operating system (OS) version, phone number, and corporate email.
Your company’s IT department uses the MobileIron console to set policies, the rules that regulate the behavior of mobile devices and apps. For example, IT may set a policy that blocks a jailbroken or rooted device from getting company email.
When the MobileIron app is installed on your device you can:
- Access your corporate email, calendar, and contacts
- Connect to corporate WiFi and VPN networks
- Find and install work related applications if your company is using them
- Check compliance with corporate security policies
- Locate lost or stolen devices
The exact functionality of MobileIron on your device depends on the policies and configuration determined by your employer. We encourage you to reach out to your employer for additional details about your organization’s policy on company- and personally-owned devices managed by MobileIron.
Companies use MobileIron to protect company information from being stolen or lost. Data theft can happen in many ways but some of the more likely examples include (i) use of a jailbroken or rooted device, (ii) running an old version of the operating system that has known security vulnerabilities, (iii) installation of a malicious app that can steal information from other apps on the device or (iv) connecting to the corporate network via an unsecure network like the Wi-Fi in a coffee shop.
The technical term for what MobileIron does is “containerization”, which means separating personal apps and content from work apps and content. All of your work information and apps are kept together in a way that they can share information between themselves but can’t share it with your personal apps.
While it depends on the exact policies and configuration in your company, these are the types of actions an IT administrator could take:
- Wipe enterprise content off of your phone, leaving your personal information untouched
- Locate your device
- Lock or unlock the device
- Require that certain apps be installed
- Block access to corporate email and internal resources if the device is out of compliance with company policies
The answer varies by mobile operating system and company policy, but on iOS, as an example, employers could potentially see data such as carrier, country, device make and model, OS version, phone number, location, list of installed apps, and corporate email. But, even if they wanted to, employer could not see data such as personal email, voicemails, photos, videos, and web activity (unless going through the corporate network).
Texts are a different situation. On Android specifically, IT can relay SMS messages from the device to corporate email archival systems. In this scenario, your IT administrator responsible for MobileIron cannot view these messages, however your compliance or data security team would have access to these messages. Please check with your IT administrator for details on your company’s policies.
If your company is using MobileIron’s Visual Privacy you have a list of what your company can see and what actions can be taken on your device.
Your company can choose whether or not to track your location and, if they decide to track location, they use a setting in the administrative console. A typical reason companies decide to track location is to help locate a device that is lost or stolen. If your company is using MobileIron’s Visual Privacy it will say if your company is tracking location.
You can turn off sharing location data in settings. However, if your company requires that location services be turned on, you may receive a notification that you are out of compliance with your company rules or you may be blocked from being able to access your work information on your device including apps, email, calendar, and contacts. For assistance in this situation, please contact your IT department.
Your employer cannot read emails sent and received from personal accounts such as Gmail. If you are sending personal emails using your work account, then yes, your employer has access to that information, the same way they do if you’re using a PC/laptop. However, they cannot read, or even see, your emails using the MobileIron console.
If your employer distributes mobile apps to employees, it can see those apps because they are being secured using MobileIron. Your employer has the option to be able to see a list of all the apps that are installed on the device. However, not every company chooses to do this. When they do, it’s usually to understand whether there are potentially malicious apps on the device (such as apps that steal data) or whether there are apps that are against the company policies (such as gambling apps) that should not be permitted to operate on the company’s premises.
Because a jailbroken or rooted device bypasses some of the critical security features built into the device operating system (for example, application sandboxing), most malware (i.e., malicious apps) targets compromised devices, using the jailbroken or rooted device to gain unauthorized access to information from other apps on the device or to the corporate network.
While MobileIron software may be used by your IT administrator to unlock your phone, we (i.e., MobileIron as a company) cannot take any direct actions on your phone. Only people at your company, usually the IT department, can take actions such as unlocking the device, wiping corporate data, etc. using the MobileIron console.
Your IT department can choose to set a policy that will allow it to lock or unlock your phone. Typically, when a phone is used for work email and apps, the security best practice is to make sure the phone is “locked” by means of a passcode. This protects against data loss if the phone is lost or stolen. With MobileIron software on the phone, the IT department can unlock the device if you have forgotten your passcode (assuming that they’ve confirmed your identity). In case of a lost or stolen device, the IT department can also quarantine the device (to prevent loss of corporate data) or, in extreme cases, remotely wipe the device.
Your device will be out of compliance. Depending upon the policy that your IT department has implemented, you will likely receive notice of non-compliance. In addition, you may lose access to all work-related apps and data, including your work email, work contacts, work calendar and apps.
Products BACK TO TOP
What is MobileIron Core?
MobileIron Core is a key component of the MobileIron Platform. It is the administrative console through which administrators can define security and management policies for devices, apps and content. Core also integrates with enterprise IT systems such as LDAP directories, email, content repositories and network access control systems. Core may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.
MobileIron Core has been tested to manage up to 100,000 devices per server and up to 200 simultaneous device registrations. These numbers may vary based on the customer environment.
Insight is a native mobile application that allows IT administrators to view and manage policies on MobileIron Core. It is available for both, iOS and Android devices.
What reporting capabilities does Core support?
MobileIron Core collects over 200 fields of data with device, application, user metrics, and status which administrators can use to analyze, visualize, and get actionable insights into their mobile infrastructure. This data can be exported natively to Splunk, or other third party reporting tools like Tableau, Crystal Reports, and QlikView.
Does MobileIron support delegation of administrative roles and functions?
Yes. MobileIron Core now allows IT to establish data and task boundaries to protect user privacy and provide flexible delegation of IT responsibilities. Secure spaces with delegated administration and role based access enables the global IT lead to provide local IT or helpdesk admins with access to key systems based on their role within the organization. Global IT teams can also determine which devices local IT or helpdesk admins can see and what they can do on those devices. This enables global organizations to gain flexibility and create secure spaces for various functions within which they can complete key actions, while ensuring user privacy.
MobileIron Sentry is the second component of the MobileIron enterprise mobility management platform. It is an in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems. Sentry may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.
MobileIron Client, also known as Mobile@Work, is a mobile app that users download to register their devices to the corporate EMM server. Once a device is registered, Client downloads configuration, apps and other content from Core and enforces security policies established by IT.
MobileIron Connected Cloud solution is a subscription-based SaaS service. The MobileIron Connector, which sits on-premise in the customer's data center, ensures that Connected Cloud syncs with enterprise resources such as LDAP. MobileIron Sentry, which provides access control for email, is optional and not required.
Apps@Work is an enterprise app storefront. It is an application distribution library, using which IT can publish approved in-house and 3rd party mobile apps to end-users, based on their role and function within the organization. For end-users, Apps@Workis the single source to get enterprise-ready applications to help them be more productive on mobile.
AppConnect is an app containerization technology. It creates a secure container through either an SDK and wrapper for iOS or a wrapper for Android. Apps secured using AppConnect become a secure container whose data is encrypted, protected from unauthorized access. IT can dynamically push app-specific configuration and policies to restrict open-in and copy/paste functions. A key component of AppConnect is AppTunnel which provides secure per app tunneling and access control to protect app data-in-motion.
AppConnect can secure both in-house and 3rd party applications. Security for HTML5 app is provided by the AppConnect enabled Web@Worksecure browser. A complete list of AppConnect enabled 3rd party apps is available here. In addition to device-at-rest encryption, AppConnect also leverages per-app VPN to secure data-in-transit.
Tunnel is an Apple iOS per app VPN solution. It allows organizations to authorize specific business apps, including internally built and App Store apps, to access corporate resources behind the firewall. Unapproved and personal apps are blocked so that only business data flows through Tunnel.
Docs@Work is a secure, on-device content repository. It gives the end user an intuitive way to access, store, and view documents from email and enterprise content shares such as SharePoint and lets the administrator establish data loss prevention controls to protect these documents from unauthorized distribution.
Docs@Work provides secure, VPN-less access to back-end repositories like SharePoint and other CIFS or WebDAV based file shares. This provides end-users seamless access to enterprise content behind the firewall. Docs@Work connects to the intranet via Sentry. As a result, intranet access is restricted to Docs@Work making it a more secure option than traditional VPNs. Traditional, device wide VPNs disrupt the user-experience by requiring users to manually establish a VPN connection every time they wants to access enterprise content. Additionally, device-wide VPNs allow any app on the device to access sensitive data.
If enabled by the IT admin, end-users can save content locally, within the secure Docs@Work container for offline viewing.
MobileIron Docs@Work works with all CMS systems that support IIS and Apache based WebDAV interfaces.
Web@Work is an enterprise mobile browser that enables immediate, secure access to internal websites and web applications, while preserving a native and high-fidelity web browsing experience.
Yes. All cookies and cached data is encrypted as a part of the AppConnect container. This data can be wiped as a part of a selective wipe, should the device fall out of compliance.
DataView is a mobile application that provides mobile data usage monitoring. IT administrators can define data caps and notification settings to alert users when their mobile data use is nearing monthly caps.
MobileIron has developed a set of Application Programming Interface (API) libraries allowing both customers and technology partners to leverage information on the mobile deployment from Core.
MobileIron supports three major mobile platforms: Apple's iOS, Google's Android, and Microsoft's Windows Phone. In addition, MobileIron also provides management capabilities for Windows 8 and Mac OS X.
Yes. MobileIron can wipe and restore corporate data while keeping personal data intact.
Yes. MobileIron can detect if an iOS or Android device has been compromised and can block the device from accessing corporate resources.
No, because most operating systems do not allow it. Restricting voice calls also introduces liability in an emergency situation. Instead, the MobileIron solution allows administrators to set thresholds and mobile data usage caps for any time period, and provides real-time notification using DataView.
No, because most operating systems do not allow it. Instead, the MobileIron solution allows for real-time insight into operating system version (and policy compliance, including whether a phone is jailbroken/rooted) and informs administrators of non-compliance. However, administrators can set policies based on OS version and block certain versions from accessing enterprise resources.
No, because most operating systems do not allow it. It is not in the interest of the OS vendor to restrict what applications can be installed on the device. Instead, MobileIron allows monitoring of applications that are installed on a device and inform administrators and users of non-compliance.
Please note that web-clips are not applications, though they appear similar; web-clips, in contrast to apps, may be forcibly removed or installed at will.
Yes. The MobileIron platform is certified for the use of FIPS 140-2 cryptographic modules. Our FIPS 140-2 certification letters are available here.
EMM Governing Tenants BACK TO TOP
“Native experience” refers to the particular design choices, user interaction paradigms, and feature sets chosen by operating system developers to promote and enhance their respective platforms. It is these “native” features that end-users care about.
A crucial factor in the use and adoption of mobile technology are these individual design decisions and interfaces chosen by operating system developers and embraced by users. For example the native experience of the iPhone includes the Apple email app for communication, the Safari app for browsing, the iTunes app for media, and the ability to download a wide range of other apps to the device. If the user can’t use these features, they can’t take advantage of the full potential of the device and will generally be unhappy. There are mobile device management solutions that do not preserve the native experience because they create an artificial, closed environment on the device. Users are forced to use enterprise capabilities only within this closed environment -- email, browsing and apps are limited to what’s in this walled garden, detracting from the user experience.
To jailbreak (or root) a phone circumvents the built-in security and protection of the operating system, opening up the phone to malware and unsupported uses. Jailbroken devices also allow any application to be installed on the phone and malicious applications to steal contacts and corporate data. This inherently makes the mobile device less secure.
In order to detect jailbroken devices — and thus keep corporate data secure — devices must have an agent installed, and the agent must be part of the registration process to ensure that the agent and device is identified with a specific enterprise user.
The agent also can check the device and analyze its posture, monitoring for compliance with corporate policies. Without an agent, the device could be compliant during the initial registration process but non-compliant later. Based on the current state of the device, the agent can block the device from corporate resources and send alerts.
An enterprise app store is similar to other app stores, but tailor-made to the needs of a corporation by providing a centralized location for IT approved applications. These applications can be 3rd party apps, available in other app stores like the Apple app store or the Google Play store, or ones that have been developed in-house for internal use.
When the enterprise app store is on a registered device and tied to a specific user, not only can the user discover applications easily, but they can also be notified of the apps that are recommended based on their role and function within the organization.
Lockdown security approaches fail in mobile because they compromise the user experience. MobileIron introduces a less autocratic and more sustainable approach to mobile security: IT sets the central policy and then monitors devices for compliance. When a device falls out of compliance, IT can take several remediation actions including notifying the user, blocking access to the enterprise, or wiping the mobile device.
MobileIron provides time-based app-level single sign-on across all applications secured using the AppConnect platform. In addition on iOS, MobileIron provides SSO for back-end resources that support Kerberos based authentication.
MobileIron AppConnect encrypts and stores all AppConnect Enabled (ACe) app data in a virtual container on the device. Rogue applications cannot access the data stored in the virtual container. In addition IT administrators can also define policy on how data is shared between ACe applications.
Deployment Decisions BACK TO TOP
MobileIron Core can be deployed as a virtual appliance or a physical appliance. The virtual appliance is a software image downloaded from the MobileIron Support website that can be installed on customer-owned servers. MobileIron supports VMware ESX and Microsoft Hyper-V. Core can also be deployed as a standalone hardware appliance.
Standalone Sentry sits inline between the mobile device and enterprise resources such as the email server. It may be deployed as either a virtual or physical appliance. Integrated Sentry, which only supports Exchange 2007 and 2010, does not sit inline and is instead installed on the ActiveSync server. For most customers, standalone Sentry is the preferred option because it provides greater access control for both email and apps accessing corporate resources.
The MobileIron Cloud solutions is a subscription-based SaaS offering that gives customers features and functionality, similar to Core, without the need to install the MobileIron solution in a data center. For an on-premise MobileIron Core installation, the appliance must reside at an in-house data center or third-party datacenter.
MobileIron software can be purchased as either a perpetual license with an additional annual support fee, or as a monthly subscription that includes support.
MobileIron and its partners offers a variety of professional services for guided assistance in installing the MobileIron solution, including training and deployment services.
The MobileIron solution is complementary to BES (BlackBerry Enterprise Server). The BES server is specifically designed to manage Blackberry devices. MobileIron provides EMM capabilities primarily for iOS, Android and Windows Phone devices. In addition, we have limited support for Blackberry devices. Detailed guidelines on migrating can be found here.
No. The MobileIron solution is complementary to ActiveSync. ActiveSync mobilizes email and provides a handful of basic management settings. MobileIron provides advanced device management, security, and application management.
Implementation BACK TO TOP
Policies are a set of rules configured on Core, used to secure, manage and regulate the behavior of mobile devices. One example is a policy that blocks a device from enterprise resources if it is rooted or jailbroken. Policies can be applied.
"Over the air" is remote configuration with no physical connection between the mobile device to a computer. All data transfer occurs over wireless (WiFi or 3G). In this mode MobileIron can provision, wipe, encrypt and lock phones.
To "push" means to send data or configurations to an employee's device without the employee having to take an action. MobileIron pushes security settings, application configurations and profiles. Note that no management platform can push applications to iOS or Android devices without the user’s permission, though MobileIron does publish the catalog of available apps to the user and then provisions the app at the user’s request.