Setting up MobileIron Bridge
Setting up MobileIron Bridge includes the following steps:
Creating the MobileIron Bridge certificate
This step happens automatically, with no action required from administrators. With each new release or update, MobileIron Core creates a certificate for MobileIron Bridge to use. This certificate is available to administrators to authenticate and communicate with both devices and servers.
Figure 1. MobileIron Bridge set up
Core sends this certificate to all Windows 10 Desktop devices at the time the Core Server is created and the Windows 10 device is registered.
Enabling the MobileIron Bridge certificate
Before you can use MobileIron Bridge, you must select the authentication certificate.
Procedure
1. Log into the Admin Portal.
2. Go to Settings > System Settings > Windows > Certificate Authentication.
3. Click the box next to Enable certificate authentication for Windows 10 Bridge to assign your cert for MobileIron Bridge.
You can also choose the same Certificate Enrollment with Apps@Work.
If you use certificates for both Apps@Work and MobileIron Bridge (by checking the Enable certificate authentication for Windows 10 Apps@Work option), MobileIron Bridge uses the certificate in the device store and Apps@Work uses the certificate in the user store.
Deploying the MobileIron Bridge app
Once the certificate is on the device, you can deploy the MobileIron Bridge app to Windows 10 Desktop devices.
NOTE: Refer to the Apps@Work Guide for more information about managing applications for Windows devices.
Procedure
1. Log into the Admin Portal.
2. Go to Apps > App Catalog.
3. Select the MobileIron Bridge app you want to install on the devices.
   There could be one or more versions of the app. For details on deploying the MobileIron Bridge app, refer to the latest MobileIron Core Apps@Work Guide.
4. Sort the list, if necessary, to find the MobileIron Bridge app.
   Figure 2. Finding MobileIron Bridge apps
5. Select Actions > Apply to Labels.
6. Select the appropriate label(s) and click Apply.
The app silently installs after devices sync with the label to which the MobileIron Bridge app is associated.
Verifying MobileIron Bridge installation
Once the app is deployed, administrators can view the device as a part of the application list by turning on the Windows 10 Inventory for Win32 applications.
Procedure
1. Log into the Admin Portal.
2. Go to Policy & Configs > Policies.
3. Select Default Privacy Policy and click the Edit button in the Policy Details pane.
4. Go to the Windows 10 Inventory section.
5. Click Win 32 Inventory > Enabled > Save.
6. Force a check-in or wait for the next sync period.
7. Go to Devices & Users > Devices.
8. Double-click a Windows 10 Desktop device.
9. Click the Apps tab to view the installed apps for the selected device.
Uploading scripts
There are two ways to manage actions in MobileIron Bridge:
Uploading scripts using configurations
After applying a label to a device with the MobileIron Bridge app installed, the script is delivered the next time the device syncs with Core and the MobileIron Bridge app executes the action defined by the script.
1. Log into the Admin Portal.
2. Go to Policies & Configs > Configurations.
3. Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Script.
4. Enter a name, upload an existing script, and click Save.
5. Select the configuration then click Actions > Apply to Label.
6. Select the appropriate label(s) and click Apply.
When working with MobileIron Bridge scripts, make sure your labels are properly defined by the types of devices (by department, geography, etc.) that you want to receive the actions created by the scripts.
Pushing a single-use script to a device
The other option for managing actions is by pushing a single-use MobileIron Bridge script directly to a Windows 10 Desktop device. This is often useful for managing a single device for troubleshooting purposes.
Procedure
1. Log into the Admin Portal.
2. Go to Devices & Users > Devices.
3. Select a single device.
4. Select Actions > Windows Only > MobileIron Bridge (Windows 10 only).
5. Enter a name, upload an existing MobileIron Bridge Script, and click Execute.
MobileIron Bridge script reversal
This feature allows administrators to set up MobileIron Bridge action scripts (install scripts) as well as scripts to reverse those actions (uninstall scripts).
Not all actions have a corresponding undo action. Administrators need to be aware of these actions before attempting to upload uninstall scripts. In addition, Core cannot run an undo script if a user un-enrolls their device. To ensure that uninstall scripts can be activated, administrators need to restrict users from initiating MDM un-enrollment.
Administrators must complete the following prerequisites to successfully reverse script actions:
• Disable MDM un-enrollment in the lockdown policy for Windows devices. See the Disabling MDM un-enrollment section for details.
• Disable the phone reset feature in the lockdown policy.
NOTE: Although MobileIron Bridge is only available on Windows 10 Desktop devices, disabling the phone reset feature is still applicable to MobileIron Bridge script reversal actions.
Resetting Windows 10 devices
To make sure users cannot un-enroll a device from MDM before Core can issue the undo scripts, administrators will want to reset the Windows 10 devices.
To disable the lockdown policy:
1. Log into the Admin Portal.
2. Go to Policies & Configs > Policies.
3. Select the Default Lockdown Policy and then click Edit.
4. Scroll to the Windows Phone - Corporate Owned Devices Only section.
5. Select the Disable option for Reset Phone.
Disabling MDM un-enrollment
To disable the lockdown policy:
1. Log into the Admin Portal.
2. Go to Policies & Configs > Policies.
3. Select Default Lockdown Policies > Edit.
4. Scroll to the Windows Phone - Corporate Owned Devices Only section.
5. Select the Disable option for MDM Un-enrollment.
Configuring reversal scripts
You can set up install and uninstall scripts at the same time. If you do not upload an uninstall script, only the install script is used.
To set up MobileIron Bridge scripts and reversal scripts:
1. Log into the Admin Portal.
2. Go to Policies & Configs > Configurations.
3. Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Scripts.
4. Add a name for the configuration.
5. Enter a description and the target folder (optional).
6. Browse and select the action script in the MobileIron Bridge Script field.
   See Supported variables as script arguments for a list of arguments you can use.
7. Modify script arguments (optional).
8. Browse and select the reversal script in the MobileIron Bridge Uninstall Script field.
   See Supported variables as script arguments for a list of arguments you can use.
9. Modify script arguments (optional).
Supported variables as script arguments
• GOOGLE_AUTOGEN_PASSWORD
• DEVICE_PIVD_ACTIVATION_LINK