SkypeShield Application Installation Guide for MobileIron
In this guide, we are going to learn how to install SphereShield for SfB's dedicated app for MobileIron.
MDM integration has 2 types of behaviors:
- Conditional Registration - Limiting registration to devices managed by the MDM vendor.
- Conditional Access - Consistent validation that the device is managed and has not fallen out of compliance.
Regarding Conditional Access, SphereShield for SfB can function according to the following approaches:
- WiFi - Registration can only be done from a WiFi network that requires a certificate in order to connect. The certificate is managed by the MDM.
- SkypeShield Application - Registration can be performed only by using a specific SkypeShield (SkS) app, that is only available from the corporate store/catalog to the devices that are managed.
- VPN Redirection - Registration can only be done from a device that is configured to work with Split Tunnel VPN managed by the MDM.
Prerequisites
Before we begin the installation we need to make sure we have a SkypeShield app package containing:
- SkypeShield_MobileIron.ipa
- SkypeShield_MobileIron.apk
- AppConfig.txt
All of the package components will be provided to you by the AGAT administration team.
For internal use by AGAT: /wiki/spaces/SKYP/pages/625247362 /wiki/spaces/SKYP/pages/625247178
Important Notes:
Due to technology limitations, the implementations of the iOS and Android apps are different.
- For Android deployment, please send the lyncdiscover URL to support@agatsoftware.com.
- For iOS deployment, it is required to edit the AppConfig.txt file and change the company name and default host field with the appropriate values.
Create a Label for Testing your App (optional)
MobileIron Core utilizes labels in order to associate policies and apps with devices. It is possible to create a new label so that your policies will affect only specific devices.
- In MobileIron's Admin Portal go to Device & Users → Labels
- Click
- Enter a name for the Label
- Click
Upload SkypeShield App to MobileIron Core
For iOS
- In MobileIron's Admin Portal go to Apps → App Catalog
- Click
- Select 'In House' and browse to select 'SkypeShield_MobileIron.ipa':
- Click Next
- Click Next
- Click Finish
- Open the App Catalog in Apps → App Catalog
- Select the row listing your app and click Actions → Apply to Labels
- Select the iOS label or another custom label you've created for specific devices.
- Click
For Android
- In MobileIron's Admin Portal go to Apps → App Catalog
- Click
- Select 'In House' and browse to select 'SkypeShield_MobileIron.apk':
- Click Next
- Click Next
- Click Finish
- Open the App Catalog in Apps → App Catalog
- Select the row listing your app and click Actions → Apply to Labels
- Select an Android label or another custom label you've created for specific devices.
- Click
Enable AppConnect in MobileIron Core
- In the Admin Portal navigate to Settings → Additional Products → Licensed Products
- Enable 'AppConnect for Third-party and In-house Apps'
- Click
Edit the Default AppConnect Global Policy
In order for SphereShield for SfB to work properly, it is required to have a global policy configured.
- In MobileIron's Admin Portal go to Policies & Configs → Policies
- Select 'Default AppConnect Global Policy' and click
- Make sure 'Enabled' is selected
AppConnect Passcode
Regardless of whether the device's password is turned On or Off, the user will be required to create a secure apps passcode.
The user will then use that passcode to access all secured apps. It is up to your company's security preferences whether to create a secure apps passcode.
4. Select the types of devices to which the passcode will apply.
5. Under 'Security Policies' set the policy according to your needs and requirements.
6. Click
AppConnect Container Policy
Create a SkypeShield AppConnect Container Policy
An app is authorized only if an AppConnect container policy for that app can be found on the device.
For iOS
- In MobileIron's Admin Portal go to Policies & Configs → Configurations
- Select Add New → AppConnect → Container Policy
- Enter a name for AppConnect container policy
- In the Application field you can either enter the bundle ID of SphereShield for SfB manually or select it from the drop-down list and it will be added automatically.
- Click
- Select the SphereShield for SfB container policy you've created and go to Actions → Apply To Label
For Android
For Android, an AppConnect container policy is created automatically. You can find it under the name 'SkypeShield' and package ID 'foregepond.com.agat.skypeshield'.
You can configure the policy by selecting it and clicking
Note: Make sure you are selecting a policy with a 'Configuration Type' of APPPOLICY.
By default, the SkypeShield AppConnect policy is applied to the Android label. To change that, do the following:
- Select the SkypeShield app policy
- Click on Actions → Remove From Label.
- Select the Android label and click
- Select your label once more and click Actions → Apply To Label
- Select your required label and click
AppConnect App Configuration
The SkypeShield app retrieves its configuration settings from your MobileIron MDM environment.
For iOS
- In MobileIron's Admin Portal, select Policies & Configs → Configurations
- Click Add New → AppConnect → App Configuration
- Enter a name for the AppConnect app configuration.
- In the Application field you can either enter the bundle ID of SphereShield for SfB manually or select it from the drop-down list and it will be added automatically.
- Scroll down to 'App-Specific Configurations' and click on to add a new key/value pair
- The key should be 'AppConfig' and the value is the content of AppConfig.txt (provided by AGAT).
- Click
- Select the SkypeShield App Configuration you've created.
- Click Actions → Apply To Label
- Select the default iOS label or any other custom label you've created for specific devices.
For Android
Not required
Web Services Being Used by SphereShield for SfB
Authentication
Access to the web service is granted by using roles. Only administrators with the 'Manage administrators and device spaces' role can assign the 'API' role to a user.
- In MobileIron's Admin Portal go to Admin → Admins
- Select a user from the list.
- Click Actions → Edit Roles
- Select the API role which is listed under 'Other Roles'
- Click
Get Devices by Status
A device in MobileIron can exist in a variety of different states. Devices in each of them can be retrieved using an API request.
For example, devices in states such as the following can be retrieved:
- Enrollment in progress
- Active
- Retired
- Lost
- Wiped
Get Device Details
Device details such as the manufacturer, model, OS, status and registered email address can be retrieved in the following ways:
- Search by phone number
- Search by user ID - if the user has more than 1 device, multiple devices will be returned.
- Search by a label - the API will return all devices assigned to that label.
For example, the following request will query the API for all devices assigned to the Android label: