MobileIron Cloud, Standalone Sentry, and device interaction

The following describes MobileIron Core, Standalone Sentry, and device interaction:

When an ActiveSync device accesses email
When an app accesses the backend resource
When MobileIron Cloud detects a security policy violation
When Sentry initializes
Periodic Standalone Sentry check in with MobileIron Cloud

When an ActiveSync device accesses email

The following illustrates the interaction between Standalone Sentry, UEM, and the device when the device first attempts to access the ActiveSync server.

Figure 1. Device first attempt to access the ActiveSync server

1. Device attempts to access the ActiveSync server.
2. Sentry queries Cloud for registered devices and unregistered tunnels that might match the device.

Sentry checks for unregistered tunnels to ensure that the device is not already allowed on a different Sentry registered to MobileIron Cloud.

3. Standalone Sentry correlates the list provided by Cloud and picks the best match based on the following criteria: ActiveSync ID, User ID. If a match is found, Sentry does additional checks to ensure that the device is in compliance before allowing or blocking the device's access to the ActiveSync server.
4. Standalone Sentry adds the device to its list of devices.
5. If access is allowed, device continues email processing.

If access is blocked, the device will not be able to process email through Standalone Sentry.

6. Standalone Sentry checks in with Cloud, at the next check-in interval, to update Cloud with the tunnel (ActiveSync and app) inventory in its list.

The next time a device attempts to access the ActiveSync server, the device is already in the Standalone Sentry’s list. Standalone Sentry periodically checks in with Cloud to update the compliance status for the device. The device is either allowed or blocked access based on the compliance status.

If Standalone Sentry cannot communicate with MobileIron Cloud

Whether Standalone Sentry allows or blocks new device access to the ActiveSync server while MobileIron Cloud is not accessible is configured on MobileIron Cloud.

1. Based on the setting in MobileIron Cloud, Standalone Sentry either allows or blocks access to the ActiveSync server.
2. When the connection is reestablished, Standalone Sentry evaluates the status of the device following the steps described in When an ActiveSync device accesses email.
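The first-access flow and the offline behaviour above, modelled as a small simulation. This is an added illustration, not MobileIron code: the class and field names (SentrySimulator, FakeCloud, DeviceRecord, served_by) are assumptions, the match ranking (a record matching both IDs beats one matching only the ActiveSync ID), the outcome when nothing matches (blocked) and the outcome when another Sentry already serves the tunnel (blocked) are assumed interpretations of the steps, and the device records are constructed.

```python
"""Simulation of Standalone Sentry's ActiveSync access decision on a device's first
attempt, and of what it does while MobileIron Cloud is unreachable.
Added illustration only, not MobileIron code; all names here are assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceRecord:
    """One registered device or unregistered tunnel as reported by Cloud (constructed)."""
    activesync_id: str
    user_id: str
    compliant: bool
    served_by: Optional[str] = None  # name of a Sentry already serving this tunnel, if any

class CloudUnavailable(Exception):
    """Raised by FakeCloud when the Sentry-to-Cloud connection is down."""

class FakeCloud:
    """Stand-in for MobileIron Cloud that answers Sentry's device/tunnel query."""
    def __init__(self, records, reachable=True):
        self.records = list(records)
        self.reachable = reachable

    def query(self):
        if not self.reachable:
            raise CloudUnavailable()
        return list(self.records)

class SentrySimulator:
    def __init__(self, name, cloud, allow_new_devices_when_cloud_unreachable):
        self.name = name
        self.cloud = cloud
        # The offline behaviour is a setting configured on Cloud; it is passed in here.
        self.allow_offline = allow_new_devices_when_cloud_unreachable
        self.devices = {}      # Sentry's local list: activesync_id -> "allowed" | "blocked"
        self.provisional = {}  # activesync_id -> user_id for decisions made while Cloud was down

    def _best_match(self, records, activesync_id, user_id):
        # Assumed ranking: matching both IDs beats matching only the ActiveSync ID.
        best, best_score = None, 0
        for r in records:
            score = (r.activesync_id == activesync_id) * 2 + (r.user_id == user_id)
            if score > best_score and r.activesync_id == activesync_id:
                best, best_score = r, score
        return best

    def _evaluate(self, records, activesync_id, user_id):
        match = self._best_match(records, activesync_id, user_id)
        if match is None:
            return "blocked"  # assumption: no registered device or unregistered tunnel matches
        if match.served_by not in (None, self.name):
            return "blocked"  # already allowed on a different Sentry registered to Cloud
        return "allowed" if match.compliant else "blocked"  # compliance check

    def access_request(self, activesync_id, user_id):
        """Steps 1-5 of the first-access flow; returns "allowed" or "blocked"."""
        if activesync_id in self.devices:
            return self.devices[activesync_id]  # already in the list: no Cloud query needed
        try:
            records = self.cloud.query()  # step 2: registered devices + unregistered tunnels
        except CloudUnavailable:
            decision = "allowed" if self.allow_offline else "blocked"
            self.provisional[activesync_id] = user_id
        else:
            decision = self._evaluate(records, activesync_id, user_id)  # step 3
        self.devices[activesync_id] = decision  # step 4: add the device to the list
        return decision

    def connection_restored(self):
        """Re-evaluate devices admitted or refused while Cloud was unreachable."""
        records = self.cloud.query()
        for activesync_id, user_id in list(self.provisional.items()):
            self.devices[activesync_id] = self._evaluate(records, activesync_id, user_id)
        self.provisional.clear()
        return dict(self.devices)

def demo():
    """Constructed scenario: three Cloud records, one Sentry, one Cloud outage."""
    cloud = FakeCloud([
        DeviceRecord("AS-1001", "alice", compliant=True),
        DeviceRecord("AS-1002", "bob", compliant=False),
        DeviceRecord("AS-1003", "carol", compliant=True, served_by="sentry-west"),
    ])
    sentry = SentrySimulator("sentry-east", cloud, allow_new_devices_when_cloud_unreachable=True)
    results = {
        "alice": sentry.access_request("AS-1001", "alice"),  # matched and compliant -> allowed
        "bob": sentry.access_request("AS-1002", "bob"),      # matched, non-compliant -> blocked
        "carol": sentry.access_request("AS-1003", "carol"),  # served by another Sentry -> blocked
    }
    cloud.reachable = False
    results["dave_offline"] = sentry.access_request("AS-1004", "dave")  # offline setting -> allowed
    cloud.reachable = True
    sentry.connection_restored()
    results["dave_after"] = sentry.devices["AS-1004"]  # unknown to Cloud -> blocked on re-evaluation
    return results
```

Run `demo()` to see the two halves of the flow: a device that was admitted under the fail-open setting during the outage is re-evaluated against Cloud's records as soon as the connection is back, which is the point of step 2 in the list above.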

When an app accesses the backend resource

When using Standalone Sentry for AppTunnel, when an app first attempts to access the backend resource, the following occurs:

1. MobileIron UEM tells Standalone Sentry whether to allow or block the app’s access to the backend resource based on:
- the device’s security policy and traffic control rules
- whether the app is an authorized app
2. Standalone Sentry creates an AppTunnel for the app to access the backend resource based on the AppTunnel status provided by the UEM.
3. The AppTunnel view on the UEM now includes the new AppTunnel.
4. The next time the app attempts to access the backend resource, the app uses the AppTunnel that was created to access the backend resource.

On the first attempt, if Standalone Sentry is temporarily unable to communicate with the UEM due to, for example, a network error, the following occurs:

1. Standalone Sentry allows the app to access the backend resource.
2. At the periodic Sentry check-in with MobileIron Cloud, the UEM sends Standalone Sentry the proper state of the device (allowed, blocked, or wiped).

When MobileIron Cloud detects a security policy violation

MobileIron Cloud detects a security policy violation when, for example, a device checks in. At the periodic Cloud-Sentry check-in, Standalone Sentry gets the updated status for the devices and blocks the device from accessing the ActiveSync server and backend resources if MobileIron Cloud is configured so that Sentry blocks the device.

When Sentry initializes

When Standalone Sentry starts or restarts, the following occurs:

1. When a device attempts to access the ActiveSync server it is as though it is the first time. See When an ActiveSync device accesses email.
2. Standalone Sentry retrieves a number of AppTunnels equal to the Sentry device cache size.

Periodic Standalone Sentry check in with MobileIron Cloud

Standalone Sentry periodically checks in with Cloud to do the following:

Get the updated compliance status for devices.
Get any administrator actions taken on tunnels. Example: If a tunnel is blocked, Standalone Sentry retrieves the blocked status when it periodically checks in with Cloud.
Update Cloud with the tunnel (ActiveSync and app) inventory in its list.

These are separate check-ins with Cloud and occur on different schedules.
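The AppTunnel first-access flow, the policy-violation case, the Sentry restart, and the three separate check-ins above, modelled together as a simulation. This is an added illustration, not MobileIron code: the names (FakeUem, SentryCheckIns, AppTunnel, tunnel_decision, checkin_compliance, checkin_admin_actions, checkin_inventory, restart) are assumptions, the order in which a restarted Sentry reloads tunnels up to the cache size is assumed, and the devices, apps and events are constructed.

```python
"""Simulation of the AppTunnel first-access flow and of the three periodic Standalone
Sentry check-ins with MobileIron Cloud (compliance pull, admin tunnel actions pull,
inventory push). Added illustration, not MobileIron code; all names are assumptions."""
from dataclasses import dataclass

@dataclass
class AppTunnel:
    device_id: str
    app_id: str
    state: str  # "allowed" | "blocked" | "wiped", as delivered by the UEM

class UemUnavailable(Exception): pass  # transient network error between Sentry and the UEM

class FakeUem:
    """Stand-in for MobileIron Cloud acting as the UEM (constructed state only)."""
    def __init__(self, authorized_apps, device_state, block_on_violation=True):
        self.reachable = True
        self.authorized_apps = set(authorized_apps)
        self.device_state = dict(device_state)   # device_id -> "allowed" | "blocked" | "wiped"
        self.tunnel_actions = {}                  # (device_id, app_id) -> administrator action
        self.block_on_violation = block_on_violation  # Cloud setting: Sentry blocks on violation
        self.inventory = {}                       # sentry name -> tunnel keys it reported

    def tunnel_decision(self, device_id, app_id):
        """Allow or block based on the device's policy state and app authorization."""
        if not self.reachable:
            raise UemUnavailable()
        if app_id not in self.authorized_apps:
            return "blocked"
        return self.device_state.get(device_id, "blocked")

    def record_violation(self, device_id):
        """Cloud detects a security policy violation, for example at device check-in."""
        if self.block_on_violation:
            self.device_state[device_id] = "blocked"

class SentryCheckIns:
    def __init__(self, name, uem, cache_size):
        self.name, self.uem, self.cache_size = name, uem, cache_size
        self.tunnels = {}  # (device_id, app_id) -> AppTunnel

    def app_access(self, device_id, app_id):
        key = (device_id, app_id)
        if key in self.tunnels:
            return self.tunnels[key].state  # later attempts reuse the existing AppTunnel
        try:
            state = self.uem.tunnel_decision(device_id, app_id)
        except UemUnavailable:
            state = "allowed"  # UEM temporarily unreachable: allowed until the next check-in
        self.tunnels[key] = AppTunnel(device_id, app_id, state)
        return state

    # The three check-ins below are separate and run on different schedules.
    def checkin_compliance(self):
        """Pull the UEM's current state for every device/app pair Sentry knows."""
        for key, tunnel in self.tunnels.items():
            tunnel.state = self.uem.tunnel_decision(*key)

    def checkin_admin_actions(self):
        """Pull administrator actions taken on tunnels (e.g. a tunnel blocked in the console)."""
        for key, action in self.uem.tunnel_actions.items():
            if key in self.tunnels:
                self.tunnels[key].state = action

    def checkin_inventory(self):
        """Push the tunnel inventory in Sentry's list up to Cloud."""
        self.uem.inventory[self.name] = sorted(self.tunnels)
        return self.uem.inventory[self.name]

    def restart(self):
        """On start/restart, retrieve AppTunnels up to the cache size (assumed: first reported)."""
        self.tunnels = {}
        for key in self.uem.inventory.get(self.name, [])[: self.cache_size]:
            self.tunnels[key] = AppTunnel(*key, self.uem.tunnel_decision(*key))
        return sorted(self.tunnels)

def demo():
    """Constructed scenario: one UEM outage, one policy violation, one admin block, one restart."""
    uem = FakeUem(authorized_apps={"mail", "crm"}, device_state={"dev-1": "allowed", "dev-2": "allowed"})
    sentry = SentryCheckIns("sentry-east", uem, cache_size=2)
    r = {"crm_first": sentry.app_access("dev-1", "crm")}        # UEM says allowed -> tunnel created
    uem.reachable = False
    r["mail_offline"] = sentry.app_access("dev-2", "mail")       # allowed: UEM could not be asked
    r["game_offline"] = sentry.app_access("dev-2", "game")       # also allowed, although unauthorized
    uem.reachable = True
    uem.record_violation("dev-2")                                 # Cloud: dev-2 violates policy
    uem.tunnel_actions[("dev-1", "crm")] = "blocked"              # administrator blocks one tunnel
    sentry.checkin_compliance()
    r["mail_after"] = sentry.tunnels[("dev-2", "mail")].state    # blocked: device non-compliant
    r["game_after"] = sentry.tunnels[("dev-2", "game")].state    # blocked: app not authorized
    r["crm_after_compliance"] = sentry.tunnels[("dev-1", "crm")].state  # still allowed: not pulled yet
    sentry.checkin_admin_actions()
    r["crm_after_admin"] = sentry.tunnels[("dev-1", "crm")].state  # blocked by the admin action
    r["inventory"] = sentry.checkin_inventory()
    r["after_restart"] = sentry.restart()                          # only cache_size tunnels reloaded
    return r
```

The scenario makes the window visible: between the outage and the next compliance check-in, an unauthorized app holds an AppTunnel, and a tunnel blocked by an administrator stays open until the admin-actions check-in runs on its own schedule. When reviewing check-in intervals, those two windows are what the settings are trading against.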