Setting up Bridge
Setting up Bridge includes the following steps:
•Step 1: Creating the Bridge certificate
•Step 2: Enabling the Bridge certificate
•Step 3: Deploying the Bridge app
•Step 4: Uploading scripts
Creating the Bridge certificate
This step happens automatically, with no actions taken by administrators. Core creates a certificate with each latest release or update to be used by Bridge. This certificate is available to administrators to authenticate and communicate with both devices and servers.
Figure 1. Bridge set up
Core sends this certificate to all Windows 10 Desktop devices at the time the Core Server is created and the Windows 10 device is registered.
Enabling the Bridge certificate
Before you can use Bridge, you must select the authentication certificate.
Procedure
| 1. | Log into the Admin Portal. |
| 2. | Go to Settings > System Settings > Windows > Certificate Authentication. |
| 3. | Click the box next to Enable certificate authentication for Windows 10 Bridge to assign your cert for Bridge. |
You can also choose the same Certificate Enrollment with Apps@Work.
If you use certificates for both Apps@Work and Bridge (by checking the Enable certificate authentication for Windows 10 Apps@Work option), Bridge uses the certificate in the device store and Apps@Work uses the certificate in the user store.
| 4. | Click Save. |
Deploying the Bridge app
Once the certificate is on the device you can deploy the Bridge app to Windows 10 Desktop devices.
Refer to the Apps@Work Guide for more information about managing applications for Windows devices.
Procedure
| 1. | Log into the Admin Portal. |
| 2. | Go to Apps > App Catalog. |
| 3. | Select the MobileIron Bridge app you want to install on the devices. |
There could be one or more versions of the app. For details on deploying the Bridge app, refer to the latest Core Apps@Work Guide.
| 4. | Sort the list, if necessary, to find the Bridge app. |
Figure 2. Finding Bridge apps
| 5. | Select Actions > Apply to Labels. |
| 6. | Select the appropriate label(s) and click Apply. |
The app silently installs after devices sync with the label to which the Bridge app is associated.
Verifying Bridge installation
Once the app is deployed, administrators can view the device as a part of the application list by turning on the Windows 10 Inventory for Win32 applications.
Procedure
| 1. | Log into the Admin Portal. |
| 2. | Go to Policy & Configs > Policies. |
| 3. | Select Default Privacy Policy and click the Edit button in the Policy Details pane. |
| 4. | Go to the Windows 10 Inventory section. |
| 5. | Click Win 32 Inventory > Enabled > Save. |
| 6. | Force a check-in or wait for the next sync period. |
| 7. | Go to Devices & Users > Devices. |
| 8. | Double-click a Windows 10 Desktop device. |
| 9. | Click the Apps tab to view the installed apps for the selected device. |
Uploading scripts
There are two ways to manage actions in Bridge:
•Uploading scripts using configurations
•Pushing a single-use script to a device
Uploading scripts using configurations
After applying a label to a device with the Bridge app installed, the script is delivered the next time the device syncs with Core and the Bridge app executes the action defined by the script.
| 1. | Log into the Admin Portal. |
| 2. | Go to Policies & Configs > Configurations. |
| 3. | Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Script. |
| 4. | Enter a name, upload an existing script, and click Save. |
| 5. | Select the configuration then click Actions > Apply to Label. |
| 6. | Select the appropriate label(s) and click Apply. |
When working with Bridge scripts make sure you have properly defined your labels by the types of devices (departments, geographically, etc.) you want to receive the actions created by the scripts.
Pushing a single-use script to a device
The other option for managing actions is by pushing a single-use Bridge script directly to a Windows 10 Desktop device. This is often useful for managing a single device for troubleshooting purposes.
Procedure
| 1. | Log into the Admin Portal. |
| 2. | Go to Devices & Users > Devices. |
| 3. | Select a single device. |
| 4. | Select Actions > Windows Only > MobileIron Bridge (Windows 10 only). |
| 5. | Enter a name, upload an existing Bridge Script, and click Execute. |
Bridge script reversal
This feature allows administrators to set up Bridge action scripts (install scripts) as well as scripts to reverse those actions (uninstall scripts).
Not all actions have a corresponding undo action. Administrators need to be aware of these actions before attempting to upload uninstall scripts. In addition, Core cannot run an undo script if a user un-enrolls their device. To ensure that uninstall scripts can be activated, administrators need to restrict users from initiating MDM un-enrollment.
Administrators must complete the following prerequisites to successfully reverse script actions:
•Disable MDM un-enrollment by changing the lockdown policy for Windows devices and disabling MDM un-enrollment. See Disabling MDM un-enrollment section for details.
•Disable the phone reset feature by disabling the reset phone feature in the lockdown policy.
| NOTE: | Although Bridge is only available on Windows 10 Desktop devices, the disabling phone reset feature is still applicable to Bridge script reversal actions. |
Resetting Windows 10 devices
To make sure users cannot un-enroll a device from MDM before Core can issue the undo scripts, administrators will want to reset the Windows 10 devices.
To disable the lockdown policy:
| 1. | Log into the Admin Portal. |
| 2. | Go to Policies & Configs > Policies. |
| 3. | Select the Default Lockdown Policy and then click Edit. |
| 4. | Scroll to the Windows Phone - Corporate Owned Devices Only section. |
| 5. | Select the Disable option for Reset Phone. |
Disabling MDM un-enrollment
To disable the lockdown policy:
| 1. | Log into the Admin Portal. |
| 2. | Go to Policies & Configs > Policies. |
| 3. | Select Default Lockdown Policies > Edit. |
| 4. | Scroll to the Windows Phone - Corporate Owned Devices Only section. |
| 5. | Select the Disable option for MDM Un-enrollment. |
Configuring reversal scripts
You can set up install and uninstall scripts at the same time. If you do not upload an uninstall script only the install script is used.
To set up Bridge scripts and reversal scripts:
| 1. | Log into the Admin Portal. |
| 2. | Go to Policies & Configs > Configurations. |
| 3. | Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Scripts. |
| 4. | Add a name for the configuration. |
| 5. | Enter a description and the target folder (optional). |
| 6. | Browse and select the action script in the MobileIron Bridge Script field. |
See Supported variables as script arguments for a list of arguments you can use.
| 7. | Modify script arguments (optional). |
| 8. | Browse and select the reversal script in the MobileIron Bridge Uninstall Script field. |
See Supported variables as script arguments for a list of arguments you can use.
| 9. | Modify script arguments (optional). |
| 10. | Click Save. |
Supported variables as script arguments
•USERID
•PASSWORD
•GOOGLE_AUTOGEN_PASSWORD
•FIRST_NAME
•LAST_NAME
•DISPLAY_NAME
•USER_DN
•USER_UPN
•USER_LOCALE
•DEVICE_UUID
•DEVICE_UUID_NO_DASHES
•DEVICE_UDID
•DEVICE_IMSI
•DEVICE_IMEI
•DEVICE_SN
•DEVICE_ID
•DEVICE_MAC
•DEVICE_CLIENT_ID
•USER_CUSTOM1
•USER_CUSTOM2
•USER_CUSTOM3
•USER_CUSTOM4
•MI_APPSTORE_URL
•REALM
•DEVICE_PIVD_ACTIVATION_LINK
•CN
•EMAIL_DOMAIN
•EMAIL_LOCAL
•OU
•SAM_ACCOUNT_NAME
•ICCID
•MODEL
•PHONE_NUMBER
•CONFIG_UUID
•TIMESTAMP_MS
•RANDOM_16
•RANDOM_32
•RANDOM_64