Skyhigh Security

Configuring the MobileIron MDM solution for Android devices

Before you begin, follow the steps below to deploy the Identity Certificates and Trusted Certificates.

  • Configuration of Root CA certificate in MobileIron
  • Configuration of Identity Certificate in MobileIron


To get Android devices configured and working with MobileIron, the MobileIron instance must be registered with Google EMM services. This is documented in the MobileIron help section "Setting up Android enterprise". Once this is complete, follow the steps below to configure the Android VPN Client.

How to configure MobileIron

Then proceed to edit or add the below configurations.

Android enterprise (Android for Work) Configuration

The key point is to make sure it is enabled and that it applies to devices in all spaces.

Managed Device with Work Profile Configuration

This is required for Android 8+ devices.

Ensure that it is enabled and set to distribute to the desired device classes (shown here as all devices, but it can be a custom list).

Android enterprise: Work Managed Device (Android for Work), Type: Work Managed Devices (Device Owner)

Enable this to test Work Managed Devices (this is what Supervised mode is called on Android).

Ensure that it is enabled and set to distribute to the desired device classes (shown here as all devices, but it can be a custom list).

Setting Default App Runtime Permissions

(As of this writing, it is unclear whether this is needed and whether it can help with auto-configuring the identity certificate in the VPN profile.)

Configure the App Catalog to include the Skyhigh Mobile Cloud Protection Client

Navigate to the Application Catalog by clicking on Apps in the top bar and then select Add to add the application. Change the dropdown for source to Google Play and search for the client as shown.

The test version of the app should be found by typing in the package ID com.Skyhigh.mcpmobile.test as shown.

In production, search by the app name, which will be "Skyhigh Mobile Cloud Protection".

Choose one or more categories and optionally enter a description. The description can be used to ensure you are seeing the version you intended on the device.

Ensure the App is delegated to all spaces.

Ensure the distribution is set to everyone or your target set of users by defining a custom distribution.

Click on the + button next to Managed Configurations for Android.

Enter the Skyhigh Secure Web Gateway Address: c49493498.vpn.mcafee-cloud.com (get this information from MVision Cloud -> Certificate Page).

Enter a name for the configuration and set the Gateway Address, User Certificate, Remote ID and Local ID as required.

To set the user certificate, first click on the icon next to the value shown above. This changes the control to a drop-down list. You can then change the value to the configuration name of the Identity Certificate you defined earlier.

Click on "Install Application configuration settings" and ensure that "Install on Device" is turned on. You can also use the optional silent install for KNOX and Zebra devices if you are using those.

Optionally, you can click on "Google Play Release" and set the desired release track (Production, Alpha or Beta). Leave this alone for most purposes.

Note that it takes MobileIron a few minutes to reflect the newly added app and it will eventually appear on the App catalog screen. It may take a few hours for the app to appear on the devices.

Configure Always On VPN

This must be done after the app has been added to the App Catalog.

Navigate to Configurations on the MobileIron top bar. Click Add and then choose Always On VPN.

Choose the Skyhigh app by typing into the name field, then ensure that the distribution is set correctly and that the configuration is enabled.

Configuration on the device

  1. Install the MobileIron Go app
  2. Enter user credentials as provided by the administrator
  3. The Skyhigh Mobile Cloud Protection client will show up after a while and be configured, and the profile will be visible on the main screen.
  4. If Always On was configured it will immediately connect and show connected status.