Configuring Zero Sign-on

A Zero Sign-on setup requires an Access deployment with MobileIron UEM, as well as additional configurations forZero Sign-on in Access and in the MobileIron UEM. A Zero Sign-on configuration enables passwordless access to cloud resources by using the user identifying information in the Tunnel certificate for authentication.Zero Sign-on is part of a MobileIron Access deployment. Therefore, before configuring Zero Sign-on ensure that you have an Access deployment and that single sign-on is configured for cloud service providers.

Before you begin 

• Ensure that you have an Access deployment with MobileIron UEM.
  See Overview of configuration with Ivanti Neurons for MDM.
  OR
  See Overview of configuration with Ivanti EPMM

  A Tunnel setup is part of deploying Access with MobileIron UEM. Detailed steps and references for setting up Tunnel and required certificates for Tunnel are included in the instructions for deploying Access with MobileIron UEM.

• Ensure that mobile app single sign-on (SSO) is configured for the service provider (SP).
  For a federated pair, see Configuring Mobile App Single Sign-on (SSO).
  For delegated IdP, see Configuring Ivanti Access as the delegated IdP .

• MobileIron recommends, where available, that managed app configurations are deployed in MobileIron UEM for your cloud service provider apps, such as for Salesforce, Concur, Box, or Outlook. For a seamless end-user experience, deploy a managed app configuration to streamline the user and organization information input. For information about how to set up a managed app configuration, see the following:

  • For MobileIron Core: See "iOS managed app configuration" or "App configuration for Android enterprise apps" in the Ivanti EPMM Apps@Work Guide.

  • For MobileIron Cloud: See "Using iOS Managed App Configuration" or "Managed Configurations for Android" in the Ivanti Neurons for MDM Administrator Guide.

Procedure: Overview of steps

1. Configure Zero Sign-on in MobileIron Access.
   See Configuring Zero Sign-on in Ivanti Access.
   1. Enable Zero Sign-on and configure the user identifying information to use for authentication.
      See Step 1: Enabling Password-less Authentication on MobileIron Go and Mobile@Work
   2. Review or modify the registration settings used by clients to register users device with Access.
      see Step 2: Review Registration Settings
      
   3. Add a conditional rule in Access for enabling Zero Sign-on.
      See Step 3: Adding a Zero Sign-on Rule in the Policies.
   4. Configure your company branding. Users see the branding on the messages on the device from which they attempt to access cloud services and on MobileIron Go.
      See Configuring branding for Zero Sign-on.
   5. Publish the changes.
      See Publishing the changes.
2. Configure Zero Sign-on in MobileIron UEM.
   See Configuring Zero Sign-on in Ivanti Neurons for MDM.

   OR

   See Configuring Zero Sign-on in Ivanti EPMM

    

Related topics 

• About Zero Sign-on with MobileIron Access
• What users see for FIDO2