Registration considerations

This section describes features and dependencies to consider before registering devices, organized by operating system.

Registration considerations: Android

Following is a list of registration considerations for Android devices.

  • Administrators need to decide whether to support a password, a registration PIN, or both for device registration.
  • Registration currently depends on acquiring the MobileIron client app (Mobile@Work) from the Google Play store.
  • For devices that cannot access Google Play, provide another way for the device users to get the Mobile@Work for Android app. For example, email the app to the device users. You can also place the app on a website and provide the URL to the device users.
  • Configuring the Server Name Lookup preference (in the Admin Portal under Settings > System Settings, in the Users & Devices > Device Registration page) makes registration easier by automatically filling in the server address for the user. Note that the administrator must initiate registration or invite the user to register. Contact Customer Support to register your server.
  • If you have configured a MobileIron Sentry to support Android devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
  • By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See the section, “Configuring user authentication requirements for registration” in the Device Management Guide for information on specifying behavior for this feature.
  • Enroll with Android enterprise. Android enterprise enables devices to have separate private and work profiles in BYOD deployments, and enables administrators to have more control over enterprise-owned and provisioned devices. For details on enrolling in Android enterprise, see the MobileIron Core Device Management Guide for Android for Work.
  • When an app is hidden, it can be used by other apps but is not available to launch in the kiosk. For example, a browser can be added to the kiosk but hidden so that it can be used to open URLs from an email app.

Registration restrictions for Android

When performing bulk registration of Android devices, you can restrict the OS version as well as the minimum security patch level. You can also set a manufacturer whitelist or blacklist and set a minimum SafetyNet certification to enforce SafetyNet attestation. For more information about SafetyNet Attestation, see "Enabling SafetyNet Attestation on Android Devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.

NOTE: When placing registration restrictions on Android devices, use Mobile@Work for Android 10.3.0.0 through the most recently released versions as supported by MobileIron for the optimum user experience.

To access the registration restriction fields for Android, go to Settings > System Settings > Users & Devices > Device Registration and scroll down to the "Restrictions for Android" heading. The following fields restrict device registration on Android devices.

Table 1. Registration Restrictions for Android devices

Item: Minimum OS Version
Description: Use the pull-down menu to set the minimum Android OS version that can run on a registered Android device.
Default Policy Setting: No Setting

Item: Minimum Security Patch Level
Description: Specify the minimum number of days a security patch level is active by using the pull-down menu.
Default Policy Setting: No Setting

Item: Manufacturer Whitelist/Blacklist
Description: Restrict the Android manufacturers that can be configured as Android devices. Select from the following:
  • None: This is the default value. It sets neither whitelist nor blacklist registration restrictions.
  • Create a Whitelist: Allows only devices from specific manufacturers to register as Android devices. Select the check box and then the Manufacturer Name menu is displayed. Use the Add+ button to add the names of one or more manufacturers. Manufacturers that are not specified in this field are blocked from registering as Android devices.
  • Create a Blacklist: Prevents devices from specific manufacturers from registering as Android devices. Select the check box and then the Manufacturer Name menu is displayed. Use the Add+ button to add the names of one or more manufacturers.
NOTE: For both the Create a Whitelist and Create a Blacklist fields, the manufacturer names are case sensitive.
Default Policy Setting: None

Item: Minimum SafetyNet Certification
Description: Set a required minimum SafetyNet certification level for registering Android devices. If you enable this field, you must also enable SafetyNet Attestation in the default security policy for the devices.
  • None: Sets no minimum SafetyNet certification for registration. This is the default value.
  • basic: Select to allow only devices with a basic SafetyNet certification to register as Android devices.
  • certified: Select to allow only devices with a certified SafetyNet certification to register as Android devices.
Default Policy Setting: None
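
The following is an added example, not MobileIron Core code: it models how the Table 1 restrictions combine and shows what case-sensitive manufacturer names do to a whitelist or blacklist. The field names, the device records, and the assumption that "certified" also satisfies a "basic" minimum are illustrative assumptions.

```python
# Added illustration of the Table 1 restrictions; not MobileIron Core code.
# Field names, sample records and the SafetyNet ordering are assumptions.
SAFETYNET_RANK = {"none": 0, "basic": 1, "certified": 2}

def parse_version(text):
    """'8.1' -> (8, 1, 0): compare numerically and pad so '9' equals '9.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def registration_blocks(device, policy):
    """Return the reasons a device would be refused; an empty list means allowed."""
    reasons = []
    min_os = policy.get("min_os_version")
    if min_os and parse_version(device["os_version"]) < parse_version(min_os):
        reasons.append("os_version below minimum")
    mode = policy.get("manufacturer_mode", "none")
    names = policy.get("manufacturers", [])
    # Exact comparison on purpose: the table notes that names are case sensitive.
    if mode == "whitelist" and device["manufacturer"] not in names:
        reasons.append("manufacturer not on whitelist")
    if mode == "blacklist" and device["manufacturer"] in names:
        reasons.append("manufacturer on blacklist")
    required = SAFETYNET_RANK[policy.get("min_safetynet", "none")]
    if SAFETYNET_RANK[device["safetynet"]] < required:
        reasons.append("SafetyNet certification below minimum")
    return reasons

def case_mismatches(policy_names, reported_names):
    """Policy entries that match a reported manufacturer only if case is ignored."""
    reported = set(reported_names)
    folded = {name.casefold(): name for name in reported}
    return [(n, folded[n.casefold()]) for n in policy_names
            if n not in reported and n.casefold() in folded]

# Constructed sample data.
POLICY = {"min_os_version": "9.0", "manufacturer_mode": "whitelist",
          "manufacturers": ["Samsung", "Google"], "min_safetynet": "basic"}
DEVICES = [
    {"manufacturer": "samsung", "os_version": "10.0", "safetynet": "certified"},
    {"manufacturer": "Google", "os_version": "8.1", "safetynet": "basic"},
    {"manufacturer": "Google", "os_version": "11", "safetynet": "none"},
]

if __name__ == "__main__":
    print([registration_blocks(d, POLICY) for d in DEVICES])
    print(case_mismatches(POLICY["manufacturers"],
                          [d["manufacturer"] for d in DEVICES]))
```

Running `case_mismatches` against the manufacturer strings that devices actually report, before enabling a list, surfaces entries that would silently over-block (whitelist) or fail to block (blacklist).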

Registration considerations: iOS and macOS

Following is a list of registration considerations for iOS or macOS devices.

  • Administrators need to decide whether to support a password, a registration PIN, or both for device registration.
  • If you are registering a device with the MobileIron client app, Mobile@Work, you must use an iTunes account to download the app from the iTunes App Store. A credit card is not needed to establish an iTunes account. Simply download Mobile@Work, click Create New Account, and select None as your payment method.
  • If you have configured a MobileIron Sentry to support iOS devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
  • By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a Core-generated registration PIN instead, or both a password and a registration PIN. See the section, “Configuring user authentication requirements for registration” in the MobileIron Core Device Management Guide for iOS, to specify the behavior for this feature. Registration PINs are not supported for iOS managed apps.
  • For MDM-enabled iOS devices, MDM features are not dependent on Mobile@Work after registration. Therefore, if a user uninstalls Mobile@Work, features like app inventory will continue to function.
  • If you need to register many macOS or iOS devices on behalf of users, such as when Macs or iPhones are purchased by the corporation and rolled out in bulk, depot-style registration may be preferable. See “Web-based registration for iOS and macOS devices” in the MobileIron Core Device Management Guide for iOS.
  • Consider an extra security option if you are including Mobile@Work for iOS in the MobileIron Core App Catalog and sending an installation request to devices after device users complete registration, such as with web-based registration. In this case, users do not have to reenter their credentials when they launch Mobile@Work. However, you can limit this silent registration with Mobile@Work to one time only. In the Admin Portal, go to Settings > System Settings > Users & Devices > Device Registration and select Allow silent in-app registration only once. (iOS only).
  • In iOS 13, the option to "Allow Always" was removed from the iOS Settings app. Instead, a dialog box is displayed requesting that device users enable tracking when the Mobile@Work app is running. Mobile@Work opens iOS Settings, where device users can choose "Ask Next Time" or "Never". MobileIron recommends that device users enable tracking. This change applies to all versions of iOS 13 through the latest version as supported by MobileIron. Mobile@Work for iOS does not track device users' location without consent.
  • You can register an Apple TV to MobileIron Core only through the Apple Configurator. See “Registering an AppleTV” in the MobileIron Core Device Management Guide for iOS and macOS Devices.
  • For registering users and devices for Apple Education Manager and Apple Business Manager, see the MobileIron Core Device Management Guide for iOS and macOS Devices.

Registration considerations: Windows

Following is a list of registration considerations for Windows devices.

  • The Apps@Work app is installed for Windows Phone 8.1 as part of the registration process.
  • To register Windows 10 devices, open Settings > Accounts > Your Workplace > Connect to Workplace.
  • MobileIron Sentry is required for the available device management features.

    NOTE: These devices do not have device management features. However, these devices can sync using Exchange ActiveSync and be managed using ActiveSync policies.

  • Single device registration, bulk registration, and invitations to register are supported for all available Windows devices.
  • Registration of all available Windows devices is done through the Windows native client.
  • Device registration fails if the device user enters a password that contains UTF-8 characters. Only ASCII characters are supported in the password field.
  • If auto discovery is not set up, the registration process requires the device user to enter the VSP server address (FQDN). The device user will also have to enter the VSP server address when logging into Apps@Work for the first time.
  • A root or intermediate certificate from a trusted certificate authority (CA) is required.
  • The User Portal role is required for the user to register with MobileIron Core.
  • Single device registration, bulk registration, and invitations to register are supported.
  • Registering your Windows Phone 8.1 device in the User Portal is supported.
  • Select Windows as the device platform.
  • Re-provisioning the device is not supported. To re-provision the device, first retire the device, then re-register.
  • Device registration fails if the device user enters a password that contains special characters. Only ASCII characters are supported in the password field.
  • Force Device Check-In may not be available for a few minutes after the Windows Phone 8.1 device registers. If you try to retire the device during this time, it may take up to 24 hours to retire the device.
  • MobileIron certificates pushed to Windows Phone 8.1 devices are now always stored on the device TPM chip. This provides additional security to the certificate key.
  • Autodiscovery is not required. We recommend autodiscovery for a seamless registration experience.
  • A Subject Alternative Name (SAN) SSL certificate from a trusted Certificate Authority (CA), such as Verisign or GoDaddy, is required.
  • Device registration from the Admin Portal or User Portal is not supported. Users can register only from their device.
  • PIN-based registration is supported on Windows Phone 8.1 devices.
  • The following registration statuses are supported:
    • Verified: After the device registers and before the first check in.
    • Active: The device has successfully synced with Core.
    • Retired: The Retire action was successfully applied.
    • Pending: The user’s device has been registered on the MobileIron Server, but downloading Apps@Work has not yet been completed.