Products

What is MobileIron Core?

MobileIron Core is a key component of the MobileIron Platform. It is the administrative console through which administrators can define security and management policies for devices, apps and content. Core also integrates with enterprise IT systems such as LDAP directories, email, content repositories and network access control systems. Core may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.

How many devices can you support on a single server?

MobileIron Core has been tested to manage up to 100,000 devices per server and up to 200 simultaneous device registrations. These numbers may vary based on the customer environment.

What is MobileIron Insight?

Insight is a native mobile application that allows IT administrators to view and manage policies on MobileIron Core. It is available for both iOS and Android devices.

What reporting capabilities does Core support?

MobileIron Core collects over 200 fields of data covering device, application, and user metrics and status, which administrators can use to analyze, visualize, and gain actionable insight into their mobile infrastructure. This data can be exported natively to Splunk, or to other third-party reporting tools such as Tableau, Crystal Reports, and QlikView.

Does MobileIron support delegation of administrative roles and functions?

Yes. MobileIron Core now allows IT to establish data and task boundaries to protect user privacy and provide flexible delegation of IT responsibilities. Secure spaces with delegated administration and role-based access enable the global IT lead to give local IT or helpdesk admins access to key systems based on their role within the organization. Global IT teams can also determine which devices local IT or helpdesk admins can see and what they can do on those devices. This gives global organizations flexibility to create secure spaces for various functions, within which those functions can complete key actions while user privacy is preserved.

What is MobileIron Sentry?

MobileIron Sentry is the second component of the MobileIron enterprise mobility management platform. It is an in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems. Sentry may be deployed as a physical hardware appliance or as a virtual appliance using VMware ESX or Microsoft Hyper-V.

What is MobileIron Client?

MobileIron Client, also known as Mobile@Work, is a mobile app that users download to register their devices to the corporate EMM server. Once a device is registered, Client downloads configuration, apps and other content from Core and enforces security policies established by IT.

What is MobileIron Connected Cloud?

The MobileIron Connected Cloud solution is a subscription-based SaaS service. The MobileIron Connector, which sits on-premise in the customer's data center, ensures that Connected Cloud syncs with enterprise resources such as LDAP. MobileIron Sentry, which provides access control for email, is optional.

What is Apps@Work?

Apps@Work is an enterprise app storefront. It is an application distribution library through which IT can publish approved in-house and 3rd party mobile apps to end-users, based on their role and function within the organization. For end-users, Apps@Work is the single source for enterprise-ready applications that help them be more productive on mobile.

What is AppConnect?

AppConnect is an app containerization technology. It creates a secure container through either an SDK and wrapper for iOS or a wrapper for Android. Apps secured using AppConnect become a secure container whose data is encrypted and protected from unauthorized access. IT can dynamically push app-specific configuration and policies to restrict open-in and copy/paste functions. A key component of AppConnect is AppTunnel, which provides secure per-app tunneling and access control to protect app data-in-motion.

What kind of apps does AppConnect work with? HTML5, etc.

AppConnect can secure both in-house and 3rd party applications. Security for HTML5 apps is provided by the AppConnect-enabled Web@Work secure browser. A complete list of AppConnect-enabled 3rd party apps is available here. In addition to device-at-rest encryption, AppConnect also leverages per-app VPN to secure data-in-transit.

What is MobileIron Tunnel?

Tunnel is an Apple iOS per app VPN solution. It allows organizations to authorize specific business apps, including internally built and App Store apps, to access corporate resources behind the firewall. Unapproved and personal apps are blocked so that only business data flows through Tunnel.

What is Docs@Work?

Docs@Work is a secure, on-device content repository. It gives the end user an intuitive way to access, store, and view documents from email and enterprise content shares such as SharePoint and lets the administrator establish data loss prevention controls to protect these documents from unauthorized distribution.

How is using Docs@Work different from using the VPN client on my device?

Docs@Work provides secure, VPN-less access to back-end repositories like SharePoint and other CIFS or WebDAV based file shares. This provides end-users seamless access to enterprise content behind the firewall. Docs@Work connects to the intranet via Sentry. As a result, intranet access is restricted to Docs@Work, making it a more secure option than traditional VPNs. Traditional device-wide VPNs disrupt the user experience by requiring users to manually establish a VPN connection every time they want to access enterprise content. Additionally, device-wide VPNs allow any app on the device to access sensitive data.

Can you view documents offline with Docs@Work?

If enabled by the IT admin, end-users can save content locally, within the secure Docs@Work container for offline viewing.

What content management systems does Docs@Work support?

MobileIron Docs@Work works with all CMS systems that support IIS and Apache based WebDAV interfaces.

What is Web@Work?

Web@Work is an enterprise mobile browser that enables immediate, secure access to internal websites and web applications, while preserving a native and high-fidelity web browsing experience.

Does Web@Work secure cached data?

Yes. All cookies and cached data are encrypted as part of the AppConnect container. This data can be wiped as part of a selective wipe, should the device fall out of compliance.

What is MobileIron DataView?

DataView is a mobile application that provides mobile data usage monitoring. IT administrators can define data caps and notification settings to alert users when their mobile data use is nearing monthly caps.

Does MobileIron have APIs?

MobileIron has developed a set of Application Programming Interface (API) libraries allowing both customers and technology partners to leverage information on the mobile deployment from Core.

What operating systems does MobileIron support?

MobileIron supports three major mobile platforms: Apple's iOS, Google's Android, and Microsoft's Windows Phone. In addition, MobileIron also provides management capabilities for Windows 8 and Mac OS X.

Can you perform selective wipe and restore?

Yes. MobileIron can wipe and restore corporate data while keeping personal data intact.

Can you perform jailbreak/root detection?

Yes. MobileIron can detect if an iOS or Android device has been compromised and can block the device from accessing corporate resources.

Can you restrict voice, SMS, and data?

No, because most operating systems do not allow it. Restricting voice calls also introduces liability in an emergency situation. Instead, the MobileIron solution allows administrators to set thresholds and mobile data usage caps for any time period, and provides real-time notification using DataView.

Can you prevent or force OS upgrades?

No, because most operating systems do not allow it. Instead, the MobileIron solution allows for real-time insight into operating system version (and policy compliance, including whether a phone is jailbroken/rooted) and informs administrators of non-compliance. However, administrators can set policies based on OS version and block certain versions from accessing enterprise resources.

Can you prevent or force application installation or removal?

No, because most operating systems do not allow it. It is not in the interest of the OS vendor to restrict what applications can be installed on the device. Instead, MobileIron monitors the applications that are installed on a device and informs administrators and users of non-compliance.

Please note that web-clips are not applications, though they appear similar; web-clips, in contrast to apps, may be forcibly removed or installed at will.

Is the MobileIron Platform certified for FIPS 140-2 compliance?

Yes. The MobileIron platform is certified for the use of FIPS 140-2 cryptographic modules. Our FIPS 140-2 certification letters are available here.

EMM Governing Tenants

Why is preserving the “native experience” important?

“Native experience” refers to the particular design choices, user interaction paradigms, and feature sets chosen by operating system developers to promote and enhance their respective platforms. It is these “native” features that end-users care about.

A crucial factor in the use and adoption of mobile technology is the set of individual design decisions and interfaces chosen by operating system developers and embraced by users. For example, the native experience of the iPhone includes the Apple email app for communication, the Safari app for browsing, the iTunes app for media, and the ability to download a wide range of other apps to the device. If users can’t use these features, they can’t take advantage of the full potential of the device and will generally be unhappy. There are mobile device management solutions that do not preserve the native experience because they create an artificial, closed environment on the device. Users are forced to use enterprise capabilities only within this closed environment -- email, browsing and apps are limited to what’s in this walled garden, detracting from the user experience.

Why is jailbreak and root detection important?

Jailbreaking (or rooting) a phone circumvents the built-in security and protection of the operating system, opening up the phone to malware and unsupported uses. Jailbroken devices also allow any application to be installed on the phone and malicious applications to steal contacts and corporate data. This inherently makes the mobile device less secure.

Why is having an application (or agent) on the device important?

In order to detect jailbroken devices, and thus keep corporate data secure, devices must have an agent installed, and the agent must be part of the registration process to ensure that the agent and device are identified with a specific enterprise user.

The agent also can check the device and analyze its posture, monitoring for compliance with corporate policies. Without an agent, the device could be compliant during the initial registration process but non-compliant later. Based on the current state of the device, the agent can block the device from corporate resources and send alerts.

Why is having an enterprise app store important?

An enterprise app store is similar to other app stores, but tailor-made to the needs of a corporation by providing a centralized location for IT-approved applications. These applications can be 3rd party apps, available in other app stores like the Apple app store or the Google Play store, or ones that have been developed in-house for internal use.

When the enterprise app store is on a registered device and tied to a specific user, not only can the user discover applications easily, but they can also be notified of the apps that are recommended based on their role and function within the organization.

What is the approach to Mobile Security?

Lockdown security approaches fail in mobile because they compromise the user experience. MobileIron introduces a less autocratic and more sustainable approach to mobile security: IT sets the central policy and then monitors devices for compliance. When a device falls out of compliance, IT can take several remediation actions including notifying the user, blocking access to the enterprise, or wiping the mobile device.

How does single sign on work for Apps?

MobileIron provides time-based app-level single sign-on across all applications secured using the AppConnect platform. In addition, on iOS, MobileIron provides SSO for back-end resources that support Kerberos-based authentication.

How do you make sure a rogue app does not capture corporate data?

MobileIron AppConnect encrypts and stores all AppConnect Enabled (ACe) app data in a virtual container on the device. Rogue applications cannot access the data stored in the virtual container. In addition, IT administrators can define policy on how data is shared between ACe applications.


Deployment Decisions

What is the difference between the virtual appliance and physical appliance?

MobileIron Core can be deployed as a virtual appliance or a physical appliance. The virtual appliance is a software image downloaded from the MobileIron Support website that can be installed on customer-owned servers. MobileIron supports VMware ESX and Microsoft Hyper-V. Core can also be deployed as a standalone hardware appliance.

What is the difference between the standalone and integrated Sentry?

Standalone Sentry sits inline between the mobile device and enterprise resources such as the email server. It may be deployed as either a virtual or physical appliance. Integrated Sentry, which only supports Exchange 2007 and 2010, does not sit inline and is instead installed on the ActiveSync server. For most customers, standalone Sentry is the preferred option because it provides greater access control for both email and apps accessing corporate resources.

What is the difference between MobileIron's on-premise and cloud solution?

The MobileIron Cloud solution is a subscription-based SaaS offering that gives customers features and functionality similar to Core, without the need to install the MobileIron solution in a data center. For an on-premise MobileIron Core installation, the appliance must reside at an in-house data center or third-party data center.

What is the difference between a perpetual license and subscription license?

MobileIron software can be purchased as either a perpetual license with an additional annual support fee, or as a monthly subscription that includes support.

What is the difference between professional services and independent installation?

MobileIron and its partners offer a variety of professional services for guided assistance in installing the MobileIron solution, including training and deployment services.

How do we migrate from a Blackberry environment to a multi-OS mobile environment?

The MobileIron solution is complementary to BES (BlackBerry Enterprise Server). The BES server is specifically designed to manage BlackBerry devices. MobileIron provides EMM capabilities primarily for iOS, Android and Windows Phone devices. In addition, we have limited support for BlackBerry devices. Detailed guidelines on migrating can be found here.

Do you replace ActiveSync?

No. The MobileIron solution is complementary to ActiveSync. ActiveSync mobilizes email and provides a handful of basic management settings. MobileIron provides advanced device management, security, and application management.


Implementation

What are policies and how do you use them?

Policies are a set of rules configured on Core, used to secure, manage and regulate the behavior of mobile devices. One example is a policy that blocks a device from enterprise resources if it is rooted or jailbroken. Policies can be applied.

What can you do over the air?

"Over the air" is remote configuration with no physical connection between the mobile device and a computer. All data transfer occurs over wireless (WiFi or 3G). In this mode MobileIron can provision, wipe, encrypt and lock phones.

What can MobileIron ‘push’ to mobile devices?

To "push" means to send data or configurations to an employee's device without the employee having to take an action. MobileIron pushes security settings, application configurations and profiles. Note that no management platform can push applications to iOS or Android devices without the user’s permission, though MobileIron does publish the catalog of available apps to the user and then provisions the app at the user’s request.