Setup overview for MobileIron Access
This section provides an overview of the setup required for implementing access control to cloud services using MobileIron Access and contains the following:
• Before you configure MobileIron Access
• Overview of steps to set up MobileIron Access
• Authentication options
Before you configure MobileIron Access
Before you start configuring MobileIron Access, the following infrastructure setup is required:
- Federated authentication
  MobileIron Access supports federated authentication using SAML and WS-Fed. Refer to the documentation provided by your SP and IdP for information on how to set up federated authentication using SAML or WS-Fed.
- Standalone Sentry enabled for AppTunnel
  By default, MobileIron Access trusts all AppTunnel traffic.
  NOTE: Required only for a MobileIron Access + Standalone Sentry deployment.
- MobileIron Tunnel or AppConnect
  Access control for managed apps requires MobileIron Tunnel. Access control for AppConnect apps requires either MobileIron Tunnel or AppTunnel.
  NOTE: AppTunnel is supported only with an Access + Standalone Sentry deployment.
- App distribution
  Managed apps are distributed through MobileIron Core or MobileIron Cloud.
For related documentation, see the following:
- MobileIron Core documentation
  For information on how to set up AppTunnel, AppConnect, Tunnel, and app distribution, see the following documents:
  - For information on how to set up AppTunnel, see the MobileIron Sentry Guide at MobileIron Sentry Product Documentation.
  - For information on how to configure MobileIron Tunnel, see the MobileIron Tunnel Guide for Administrators at:
    MobileIron Tunnel for Android Product Documentation
    MobileIron Tunnel for iOS Product Documentation
    MobileIron Tunnel for macOS Product Documentation
  - For information on how to set up an AppConnect app and how to distribute managed apps using MobileIron Core, see the following at MobileIron Core Product Documentation:
    AppConnect and AppTunnel Guide
    Apps@Work Guide
    Ensure that the MobileIron Tunnel (iOS) VPN setting is selected in the app configuration for non-AppConnect apps.
- MobileIron Cloud documentation
  For information on how to set up AppTunnel, AppConnect, Tunnel, and app distribution on MobileIron Cloud, see MobileIron Cloud Product Documentation or click Help in your MobileIron Cloud instance.
- MobileIron Connected Cloud
  Unless otherwise noted, the documentation for MobileIron Core generally applies to Connected Cloud as well. For the most recent documentation available for Connected Cloud, see Previous Versions from MobileIron Core Product Documentation.
Overview of steps to set up MobileIron Access
The setup for MobileIron Access is done in the MobileIron Access administrative portal.
Basic configuration
- Get started with the setup. See Getting Started with MobileIron Access.
- If your deployment uses Standalone Sentry, register and assign Standalone Sentry to MobileIron Access. See Set up Access + Standalone Sentry.
  OR
  If your deployment is Access (without Standalone Sentry), set up integration with MobileIron UEM. See Set up Access with MobileIron UEM.
- Set up a cloud service provider (SP) and identity provider (IdP) federated pair. See Federated Pairs.
- Upload Proxy metadata to the cloud service and identity provider. See Uploading proxy metadata.
- Publish the profile. See Publishing a profile.
- Verify traffic flow. See Verifying traffic flow.
Advanced configuration
- Set up conditional rules for access control. Conditional rules allow you to define which applications and IP network ranges can access a cloud resource. See Conditional Access.
- Set up session revocation, which allows you to terminate or revoke the session token if a device is out of compliance and the compliance action is blocked, or if a device is retired. See Session Revocation.
- Set up mobile app single sign-on (SSO) to allow users to access enterprise cloud services from their managed mobile devices without having to enter passwords. See Configuring Mobile App Single Sign-on (SSO).
- Set up Zero Sign-on to allow users to access enterprise cloud services from their unmanaged devices without having to enter passwords. See Fast Identity Online (FIDO2) or Zero Sign-on with MobileIron Access.
- Set up multi-factor authentication using the UEM client to allow users to access their enterprise cloud services from an unmanaged device using multi-factor authentication in addition to their enterprise credentials. See Multi-factor Authentication with MobileIron UEM Client.
- Set up the MobileIron Access desktop trust agent to verify and establish trust for unmanaged Windows 7 and Windows 10 desktops. See MobileIron Desktop Trust Agent Guide.
Split tunneling configuration
In a MobileIron Access deployment, all authentication traffic for the federated pairs configured in MobileIron Access goes through MobileIron Access using MobileIron Tunnel VPN. Depending on the type of MobileIron Access deployment, all other traffic through Tunnel VPN goes either directly to the destination server or through Standalone Sentry. Split tunneling allows you to control which traffic goes through Standalone Sentry to on-premises enterprise resources and which traffic goes directly to the destination.
For information about configuring split tunneling, see Split Tunneling.
Delegated IdP
In most cases, MobileIron Access is deployed as an intermediary between the service provider (SP) and the identity provider (IdP). In such a deployment, MobileIron Access acts as a proxy to the IdP and all federated SP traffic goes through MobileIron Access. In some cases, you may want to retain the existing SP-IdP federated setup but deploy MobileIron Access to federate only a subset of the traffic, such as traffic from mobile devices. In such cases, MobileIron Access can be deployed as a delegated IdP rather than as a proxy to the IdP.
For information about configuring Access as the delegated IdP, see Delegated IdP.
Authentication options
With a basic Access setup, when users initially attempt to log in to an enterprise cloud service from their managed device, they are prompted for their username and password. In addition, Access allows you to set up various authentication options to give your users ease of access to enterprise cloud services from both managed and unmanaged devices. The following table describes these options. See Advanced configuration for information on how to set up the various authentication options.

Feature | Purpose | Description
---|---|---
Mobile app single sign-on | |
Native mobile application single sign-on (SSO) | Passwordless access from a managed device. | Passwordless certificate-based single sign-on from managed devices. Users do not need to enter their username and password.
SaaS sign-on | |
Zero Sign-on | Passwordless access from a managed device. | Passwordless certificate-based single sign-on from managed devices. Users do not need to enter their username and password.
Zero Sign-on | Passwordless access from unmanaged devices. | A QR code is presented to users attempting to access a cloud service from their unmanaged device. Scanning the QR code with their managed device authenticates the user and allows access from the unmanaged device. Users have the option to enable push notifications or a one-time passcode (OTP). If enabled, a push notification is sent to the managed device on subsequent logins from the unmanaged device. Alternately, users can use OTP. Users do not need to enter their username and password.
Multi-factor authentication | Access from unmanaged devices. | Two-factor authentication allows users to access cloud services from unmanaged devices. Users enter their username and password on the unmanaged device. A push notification is sent to the user's managed device. If accepted, users can access the cloud service from their unmanaged device. Alternately, users can use OTP.
Desktop trust agent | |
Desktop trust agent | Access from unmanaged Windows 7 and Windows 10 desktops. | The MobileIron desktop trust agent verifies and establishes trust for unmanaged Windows 7 and Windows 10 desktops, thus allowing access to cloud services.