Setting up Bridge

Setting up Bridge includes the following steps:

Creating the Bridge certificate

This step happens automatically, with no actions taken by administrators. With each new release or update, Ivanti EPMM creates a certificate for Bridge to use. This certificate is available to administrators to authenticate and communicate with both devices and servers.

Figure 1. Bridge set up

Ivanti EPMM sends this certificate to all Windows 10 Desktop devices at the time the Ivanti EPMM Server is created and the Windows 10 device is registered.

Enabling the Bridge certificate

Before you can use Bridge, you must select the authentication certificate.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Settings > System Settings > Windows > Certificate Authentication.
  3. Select the box next to Enable certificate authentication for Windows 10 Bridge to assign your certificate for Bridge.

    You can also choose the same Certificate Enrollment with Apps@Work.

    If you use certificates for both Apps@Work and Bridge (by checking the Enable certificate authentication for Windows 10 Apps@Work option), Bridge uses the certificate in the device store and Apps@Work uses the certificate in the user store.

  4. Select Save.

Deploying the Bridge app

Once the certificate is on the device, you can deploy the Bridge app to Windows 10 Desktop devices.

Refer to the Ivanti EPMM Apps@Work Guide for more information about managing applications for Windows devices.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Apps > App Catalog.
  3. Select the MobileIron Bridge app you want to install on the devices. There could be one or more versions of the app. For details on deploying the Bridge app, refer to the latest Ivanti EPMM Apps@Work Guide.
  4. Sort the list, if necessary, to find the Bridge app.

    Figure 2. Finding Bridge apps

  5. Select Actions > Apply to Labels.
  6. Select the appropriate label(s) and select Apply.

    The app silently installs after devices sync with the label to which the Bridge app is associated.

Verifying Bridge installation

Once the app is deployed, administrators can view the device as a part of the application list by turning on the Windows 10 Inventory for Win32 applications.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Policies.
  3. Select Default Privacy Policy and select the Edit button in the Policy Details pane.
  4. Go to the Windows 10 Inventory section.
  5. Select Win 32 Inventory > Enabled > Save.
  6. Force a check-in or wait for the next sync period.
  7. Go to Devices & Users > Devices.
  8. Double-click a Windows 10 Desktop device.
  9. Select the Apps tab to view the installed apps for the selected device.

Uploading scripts

There are two ways to manage actions in Bridge:

Uploading scripts using configurations

After applying a label to a device with the Bridge app installed, the script is delivered the next time the device syncs with Ivanti EPMM and the Bridge app executes the action defined by the script.

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Configurations.
  3. Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Script.
  4. Enter a name, upload an existing script, and select Save.
  5. Select the configuration, then select Actions > Apply to Label.
  6. Select the appropriate label(s) and select Apply.

    When working with Bridge scripts, make sure you have properly defined your labels by the types of devices (departments, geographically, etc.) you want to receive the actions created by the scripts.

Pushing a single-use script to a device

The other option for managing actions is by pushing a single-use Bridge script directly to a Windows 10 Desktop device. This is often useful for managing a single device for troubleshooting purposes.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Devices & Users > Devices.
  3. Select a single device.
  4. Select Actions > Windows Only > MobileIron Bridge (Windows 10 only).
  5. Enter a name, upload an existing Bridge Script, and select Execute.

Bridge script reversal

This feature allows administrators to set up Bridge action scripts (install scripts) as well as scripts to reverse those actions (uninstall scripts).

Not all actions have a corresponding undo action. Administrators need to be aware of these actions before attempting to upload uninstall scripts. In addition, Ivanti EPMM cannot run an undo script if a user un-enrolls their device. To ensure that uninstall scripts can be activated, administrators need to restrict users from initiating MDM un-enrollment.

Administrators must complete the following prerequisites to successfully reverse script actions:

  • Disable MDM un-enrollment in the lockdown policy for Windows devices. See the Disabling MDM un-enrollment section for details.
  • Disable the Reset Phone feature in the lockdown policy.

    Although Bridge is only available on Windows 10 Desktop devices, disabling the phone reset feature still applies to Bridge script reversal actions.

Resetting Windows 10 devices

To make sure users cannot un-enroll a device from MDM before Ivanti EPMM can issue the undo scripts, administrators will want to reset the Windows 10 devices.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Policies.
  3. Select the Default Lockdown Policy and then select Edit.
  4. Scroll to the Windows Phone - Corporate Owned Devices Only section.
  5. Select the Disable option for Reset Phone.

Disabling MDM un-enrollment

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Policies.
  3. Select Default Lockdown Policies > Edit.
  4. Scroll to the Windows Phone - Corporate Owned Devices Only section.
  5. Select the Disable option for MDM Un-enrollment.

Configuring reversal scripts

You can set up install and uninstall scripts at the same time. If you do not upload an uninstall script, only the install script is used.

Setting up Bridge scripts and reversal scripts

  1. Log into the Admin Portal. Go to Policies & Configs > Configurations.
  2. Select Add New > Windows > MobileIron Bridge (Windows 10 Only) > Scripts.
  3. Add a name for the configuration.
  4. Enter a description and the target folder (optional).
  5. Browse and select the action script in the MobileIron Bridge Script field.

    See Supported variables as script arguments for a list of arguments you can use.

  6. Modify script arguments (optional).
  7. Browse and select the reversal script in the MobileIron Bridge Uninstall Script field.

    See Supported variables as script arguments for a list of arguments you can use.

  8. Modify script arguments (optional).
  9. Select Save.

Supported variables as script arguments

  • EMAIL
  • USERID
  • PASSWORD
  • GOOGLE_AUTOGEN_PASSWORD
  • FIRST_NAME
  • LAST_NAME
  • DISPLAY_NAME
  • USER_DN
  • USER_UPN
  • USER_LOCALE
  • DEVICE_UUID
  • DEVICE_UUID_NO_DASHES
  • DEVICE_UDID
  • DEVICE_IMSI
  • DEVICE_IMEI
  • DEVICE_SN
  • DEVICE_ID
  • DEVICE_MAC
  • DEVICE_CLIENT_ID
  • USER_CUSTOM1
  • USER_CUSTOM2
  • USER_CUSTOM3
  • USER_CUSTOM4
  • MI_APPSTORE_URL
  • REALM
  • DEVICE_PIVD_ACTIVATION_LINK
  • CN
  • EMAIL_DOMAIN
  • EMAIL_LOCAL
  • OU
  • SAM_ACCOUNT_NAME
  • ICCID
  • MODEL
  • PHONE_NUMBER
  • CONFIG_UUID
  • TIMESTAMP_MS
  • RANDOM_16
  • RANDOM_32
  • RANDOM_64
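
An added example (not Ivanti's code) of an action script paired with its reversal, as described under Bridge script reversal: the install branch records the prior value before changing it so the uninstall branch can restore it. It assumes the CONFIG_UUID variable is supplied as the -ConfigUuid argument and that the script runs with rights to write HKLM; the registry paths and value name are hypothetical, and the two branches are shown in one file selected by -Action but would be saved as the separate action and uninstall scripts.

```powershell
# Added example, not Ivanti code. Registry paths and the value name are hypothetical.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Install', 'Uninstall')][string]$Action,
    # Assumption: filled from the CONFIG_UUID script argument. The pattern check keeps
    # the value from introducing extra path segments into the registry path below.
    [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f-]{1,64}$')][string]$ConfigUuid
)
$ErrorActionPreference = 'Stop'

$target = 'HKLM:\SOFTWARE\ExampleCorp\Demo'                      # setting being managed
$name   = 'ExampleSetting'
$state  = "HKLM:\SOFTWARE\ExampleCorp\BridgeState\$ConfigUuid"   # per-configuration undo record

function Read-RegValue([string]$Path, [string]$ValueName) {
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$ValueName }
    return $null
}

if ($Action -eq 'Install') {
    if (-not (Test-Path $state)) {
        # First run only: remember the prior value so a re-run never overwrites
        # the undo record with the value this script itself wrote.
        New-Item -Path $state -Force | Out-Null
        $old = Read-RegValue $target $name
        if ($null -ne $old) {
            New-ItemProperty -Path $state -Name 'Previous' -Value $old -PropertyType DWord | Out-Null
        }
    }
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    New-ItemProperty -Path $target -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
}
else {
    if (-not (Test-Path $state)) { return }        # install never ran: nothing to undo
    $previous = Read-RegValue $state 'Previous'
    if ($null -ne $previous) {
        # The value existed before install: put it back.
        New-ItemProperty -Path $target -Name $name -Value $previous -PropertyType DWord -Force | Out-Null
    }
    else {
        # The value did not exist before install: remove what install created.
        Remove-ItemProperty -Path $target -Name $name -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $state -Recurse -Force        # clear the undo record
}
```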