Date post: 28-Feb-2019
Upload: nguyenthien

MobileIron Confidential

MobileIron Threat Defense Integration FAQ Phases 1 and 2a Releases

MobileIron Core

Q: What is the version of MobileIron Core required?

A: For Android OS, Core 9.6.0.0 is required because of the addition of the Zimperium Configuration Type menu selection for the Android XML Configuration.

For iOS, since a PLIST is pushed to the integrated client to enable it, Core 9.3.0.0 through Core 9.6.0.0 is supported.

MobileIron Cloud

Q: What is the version of MobileIron Cloud required?

A: Support for MobileIron Cloud is not here yet. The integrated MobileIron Go client bundled with Zimperium is on the roadmap for Q2 2018.

Mobile@Work Integrated Client

Q: What is the version of Mobile@Work that has the integrated Zimperium SDK bundled?

A: For Android OS, the initial version of Mobile@Work is 9.6.0.0. For iOS, the initial version is 9.7.0.0.

Q: What will the integrated client do?

A: The Mobile@Work side of the client acts as the conduit that enables the Zimperium z9 engine to talk to the Zimperium zConsole administrative portal.

Q: How is the Mobile@Work integrated client auto-activated when it is on the device?

A: Auto-activation is done by pushing a Managed App Configuration to an iOS device from the Mobile@Work > Managed App Configuration menu shown below. For Android OS, an XML file is required; it is uploaded to an Android XML Configuration and pushed to an Android Enterprise device.

On iOS devices, app inventory is provided by Core to zConsole via the MDM API. This means all apps installed on the iOS device are scanned and analyzed for security and privacy risks. Device posture and network threats are evaluated device-wide.

On Android OS, since the Mobile@Work app resides within the Android Enterprise work profile, only the apps that are installed within the work profile are scanned and analyzed for security and privacy risks. Device posture and network threats are evaluated device-wide.


MobileIron - 415 East Middlefield Road - Mountain View, CA 94043 USA - Tel. +1.650.919.8100 - Fax +1.650.919.8006

[email protected] | http://mobileiron.com


iOS Managed App Configurations

Q: How do you configure the iOS Managed App Configuration that enables the Zimperium client?

A: The first step is to add Mobile@Work version 9.7 from the iOS App Store, or upload its IPA file, into the App Catalog. Go to Apps > App Catalog, select Mobile@Work Version 9.7, and scroll down to the Managed App Configuration section. There are two different ways to configure the Managed App Configurations depending on the deployment scenario.

The first deployment scenario is to send the Managed App Configuration to all iOS devices registered to Core. Under the Default Configuration for MobileIron section, expand all the MobileIron Threat Defense Settings. Then copy and paste the token string, obtained from Zimperium or MobileIron, into the Activation Code field. Place a checkmark next to Activate, which will automatically activate the Zimperium client bundled with Mobile@Work. Save the configuration and then apply the iOS label to it.

The second deployment scenario is to send the Managed App Configuration to a subset of registered iOS devices based on device grouping. An example use case is a Core administrator who wants to deploy the new Mobile@Work with the Zimperium client activated to BYOD users only.

From the Managed App Configuration section, click the blue Add+ button. Enter an App Configuration Name, and then expand all. Under the Mobile Threat Defense Settings, copy and paste the token string, obtained from Zimperium or MobileIron, into the Activation Code field. Place a checkmark next to Activate, which will automatically activate the Zimperium client bundled with Mobile@Work. Save the configuration and then select the Employee-Owned label within the Managed App Configuration. Create another Managed App Configuration to deploy the Mobile@Work client that does not add the Activation Code and Activate, so the Zimperium client is not activated. Then select the Company-Owned label for that Managed App Configuration.


Note: On order of precedence, a Managed App Configuration created with the blue Add+ button (second method above) has the highest priority if there is another Managed App Configuration created within the Mobile@Work app configuration itself (first method above). A Managed App Configuration using a PLIST is not applicable to the Mobile@Work client.

Android XML Configuration

Q: How do you configure the Android XML Configuration that enables the Zimperium client?

A: Go to Policies & Config > Configurations > Add New > Android > Android XML Configuration. Provide a friendly name, description, and select Zimperium for the Configuration Type. Upload the XML file created previously. Place a checkmark for I Agree and then save the configuration. Apply the Android and Android Enterprise labels to the configuration.

The contents of the XML file that must be uploaded into an Android XML Configuration are shown below. Only the license key, obtained directly from Zimperium or MobileIron, is added between the <token> and </token> delimiters.

<?xml version="1.0" encoding="UTF-8"?>
<zimperium>
  <token> LICENSE KEY OBTAINED FROM ZIMPERIUM </token>
</zimperium>
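A pre-upload check for the XML file above, as an added example that is not part of the original FAQ or of any MobileIron or Zimperium tooling. The sample key is constructed, and flagging whitespace in the key is an assumption, since the FAQ does not say whether the client trims it.

```python
import xml.etree.ElementTree as ET

# Placeholder text exactly as it appears in the FAQ's template.
PLACEHOLDER = "LICENSE KEY OBTAINED FROM ZIMPERIUM"

# Constructed samples: the key below is made up, not a real license key.
GOOD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b"<zimperium>\n<token>EXAMPLE-KEY-0000</token>\n</zimperium>\n")
TEMPLATE = GOOD.replace(b"EXAMPLE-KEY-0000", b" " + PLACEHOLDER.encode() + b" ")


def check_zimperium_xml(data: bytes) -> list:
    """Return the problems found; an empty list means the file matches the FAQ layout."""
    # The expected file has no DTD; refuse one rather than parse entity declarations.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DOCTYPE/ENTITY declarations are not expected in this file"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "zimperium":
        problems.append(f"root element is <{root.tag}>, expected <zimperium>")
    extra = sorted({child.tag for child in root if child.tag != "token"})
    if extra:
        problems.append(f"unexpected elements: {', '.join(extra)}")
    tokens = root.findall("token")
    if len(tokens) != 1:
        problems.append(f"expected exactly one <token>, found {len(tokens)}")
        return problems
    raw = tokens[0].text or ""
    key = raw.strip()
    if not key:
        problems.append("<token> is empty")
    elif key == PLACEHOLDER:
        problems.append("<token> still contains the placeholder text")
    elif raw != key or any(ch.isspace() for ch in key):
        # Assumption: whitespace handling by the client is not documented in the FAQ.
        problems.append("<token> contains whitespace (copy-and-paste artifact?)")
    return problems


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("template", TEMPLATE)):
        print(name, check_zimperium_xml(sample) or "OK")
```

The file carries the tenant's license key, so run the check locally and keep the file out of shared tickets and version control.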


Core to zConsole Integration

Q: How do you configure MobileIron Core to integrate with the Zimperium zConsole?

A: Add a local user in Core and grant it the roles that allow zConsole to communicate with Core.

Assign the following roles:

Privacy Control
- View apps and iBooks in device details
- Locate device

Label Management
- View label
- Manage label


User Management
- View User
- Manage user

Other Roles
- API


Q: What’s required on the Zimperium zConsole to integrate with Core?

A: Create an MDM Setting using the local user that was created in Core. From the zConsole Dashboard, go to Management > MDM Settings > Add MDM.

In Step 1, select MobileIron 9.x, which allows zConsole to use version 1 and 2 APIs to communicate with Core.


In Step 2, add the URL for Core. Then add the Username and Password of the local user added in Core.

In Step 3, Import Labels from Core for the device platforms supported. Normally All Smartphones is sufficient, or you can specify Android, Android Enterprise, and iOS (devices). Order labels by priority. Select Finish.


Local Remediation

Coexistence and Migration

Q: If our enterprise has already deployed the Zimperium zIPS client, will it interfere with the Mobile@Work integrated client?

A: No, the two clients can co-exist on the same iOS or Android device, and both clients can talk to the same zConsole tenant. The only caveat is that the device will show up as two separate devices within zConsole. For Android deployments, the zIPS product can protect the device (personal) side, while Mobile@Work can protect the Android Enterprise work profile, if the device is Android Enterprise capable.

Q: If our enterprise was using another Enterprise Mobility Management (EMM) solution (not MobileIron), what would I need to get started if we wanted to deploy the integrated Mobile@Work client?

A: Just follow all the steps outlined in this FAQ and the narrated videos to deploy the Mobile@Work integrated client for iOS and Android devices.

Troubleshooting

Q: What do I need to capture to start troubleshooting any issues with the Mobile@Work integrated client?

A: For iOS, within Mobile@Work > Settings, enable Enhanced Logging, and then Send Mobile@Work Logs.

For Android, also within Mobile@Work, enable Debug Logging and then Send Logs.


Statements in this document concerning future prospects, business outlook, and product availability and plans are forward looking statements that involve a number of uncertainties and risks. Factors that could cause actual events or results to differ materially include: sales productivity; possible disruptive effects of organizational changes; shifts in customer demand; perceptions of MobileIron and its prospects; technological changes; competitive factors; unanticipated delays in scheduled product availability dates; general business conditions; delays and inabilities in negotiating third partner partnerships, and other factors. The information in the document should not be relied upon in making purchasing decisions. The information on any future shown is not a commitment, promise or legal obligation to deliver any material, code or functionality. The development, release and timing of any features or functionality described for our products in this document remains at MobileIron’s sole discretion. Future product will be priced separately. This document does not constitute an offer to sell any product or technology.

