
Configuring the MobileIron MDM Service

This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the MobileIron MDM, refer to its documentation and support resources. This section focuses on the following elements of the MDM configuration that are important to this solution:

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee—attributes related to device identity, user identity, and posture assessment against MDM policies. Table 63 describes these attributes. In this solution, these attributes are used in the role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized Connect Secure attribute name.

Table 63: MobileIron Device Attributes

| MobileIron Attribute | Normalized Connect Secure Name | Description | Data Type |
|---|---|---|---|
| @id | deviceId | Device identifier. | String |
| blockedReason | blockedReason | Reason the MDM has blocked the device. Can be a multivalued string. Values: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance. | String |
| compliance | complianceReason | MDM policy compliance status. Can be a multivalued string. Values: the same set of reason codes listed for blockedReason. | String |
| compliance | isCompliant | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean |
| compliance | isCompromised | True if the device is compromised; false otherwise. | Boolean |
| countryName | countryName | Country name corresponding with the country code of the device. | String |
| currentPhoneNumber | phoneNumber | Phone number entered during registration. | String |
| emailAddress | userEmail | E-mail address of the device user. | String |
| employeeOwned | ownership | Values: Employee or Corporate. | String |
| homeOperator | homeOperator | The service operator for the device when it is not roaming. | String |
| iPhone IMEI (iOS), imei (Android) | Imei | IMEI number of the device. | String |
| iPhone UDID | UDID | Unique device identifier. | String |
| isBlocked | isBlocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean |
| isQuarantined | isQuarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean |
| lastConnectAt | lastSeen | Date and time the device last made successful contact with the MDM. | Timestamp |
| manufacturer | manufacturer | Manufacturer, automatically reported by the device during registration. | String |
| mdmManaged | mdmManaged | True if the MDM profile is enabled on the device; false otherwise. This field applies only to iOS devices; for other devices the value is always false. | Boolean |
| ModelName, model, device_model | model | Model, automatically reported by the device during registration. | String |
| name | deviceName | The concatenated name used to identify the device/user combination. | String |
| operator | operator | Service provider. The value PDA indicates no operator is associated with the device. | String |
| OSVersion (iOS), os_version (Android) | osVersion | OS version. | String |
| platform | platform | Platform specified during registration. | String |
| principal | userId | User ID. | String |
| quarantinedReason | quarantinedReason | MDM policy compliance status. Can be a multivalued string. Values: the same set of reason codes listed for blockedReason. | |
| SerialNumber | serialNumber | Serial number. | String |
| statusCode | isEnrolled | True if the device has completed enrollment or registration; false otherwise. | Boolean |
| uuid | UUID | Universal unique device identifier. | String |
| userDisplayName | userName | Name of the device user. | String |
| wifi_mac (iOS), wifi_mac_addr (Android) | macAdress | The Wi-Fi MAC address. | String |
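The following is an added example, not Pulse Connect Secure or MobileIron code, showing how a raw MobileIron device record is normalized onto the Connect Secure names in Table 63 and how a role-mapping rule can then be evaluated over the normalized attributes. It assumes the record arrives as a flat dictionary keyed by MobileIron attribute name, that multivalued strings are comma-separated, that a statusCode of ACTIVE means the device is enrolled, and that the role names, the sample records and the evaluation time are constructed for illustration.

```python
"""Normalize a MobileIron record into Table 63 names and evaluate a sample role rule.

Added example (not Pulse Connect Secure or MobileIron code). Assumptions:
flat dict keyed by MobileIron attribute name, comma-separated multivalued
strings, statusCode "ACTIVE" == enrolled, illustrative role names.
"""
from datetime import datetime, timedelta, timezone

# MobileIron attribute -> normalized Connect Secure name (Table 63).
# iOS/Android source names collapse onto one normalized name.
# "compliance" and "statusCode" produce derived attributes and are handled in normalize().
ATTRIBUTE_MAP = {
    "@id": "deviceId", "blockedReason": "blockedReason",
    "countryName": "countryName", "currentPhoneNumber": "phoneNumber",
    "emailAddress": "userEmail", "employeeOwned": "ownership",
    "homeOperator": "homeOperator", "iPhone IMEI": "Imei", "imei": "Imei",
    "iPhone UDID": "UDID", "isBlocked": "isBlocked",
    "isQuarantined": "isQuarantined", "lastConnectAt": "lastSeen",
    "manufacturer": "manufacturer", "mdmManaged": "mdmManaged",
    "ModelName": "model", "model": "model", "device_model": "model",
    "name": "deviceName", "operator": "operator",
    "OSVersion": "osVersion", "os_version": "osVersion",
    "platform": "platform", "principal": "userId",
    "quarantinedReason": "quarantinedReason", "SerialNumber": "serialNumber",
    "uuid": "UUID", "userDisplayName": "userName",
    "wifi_mac": "macAdress", "wifi_mac_addr": "macAdress",
}
MULTIVALUED = {"blockedReason", "quarantinedReason"}
BOOLEAN = {"isBlocked", "isQuarantined", "mdmManaged"}
ENROLLED_STATUS_CODES = {"ACTIVE"}  # assumption for this example


def split_multi(value):
    """Multivalued string (or list) -> list of reason codes, blanks dropped."""
    items = value if isinstance(value, list) else str(value).split(",")
    return [str(v).strip() for v in items if str(v).strip()]


def to_bool(value):
    """Accept real booleans or the strings true/false in any case; reject anything else."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"not a boolean: {value!r}")
    return text == "true"


def normalize(raw):
    """Return a dict keyed by the normalized Connect Secure attribute names."""
    out = {}
    for key, value in raw.items():
        if key == "compliance":
            reasons = split_multi(value)
            out["complianceReason"] = reasons
            out["isCompromised"] = "DeviceCompromised" in reasons
            # Compliant only when nothing other than DeviceCompliant is reported.
            out["isCompliant"] = all(r == "DeviceCompliant" for r in reasons)
        elif key == "statusCode":
            out["isEnrolled"] = str(value).upper() in ENROLLED_STATUS_CODES
        elif key in ATTRIBUTE_MAP:
            name = ATTRIBUTE_MAP[key]
            if name in MULTIVALUED:
                out[name] = split_multi(value)
            elif name in BOOLEAN:
                out[name] = to_bool(value)
            elif name == "lastSeen":
                out[name] = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            else:
                out[name] = str(value)
        # Attributes outside Table 63 are dropped, not passed through.
    return out


def assign_role(dev, now, max_age=timedelta(hours=24)):
    """Sample role-mapping rule (illustrative). Fails closed: a device must be
    positively enrolled, not compromised/blocked/quarantined, recently seen and
    compliant before it reaches an access role."""
    if (not dev.get("isEnrolled") or dev.get("isCompromised")
            or dev.get("isBlocked") or dev.get("isQuarantined")):
        return "Quarantine"
    last_seen = dev.get("lastSeen")
    if last_seen is None or now - last_seen > max_age or not dev.get("isCompliant"):
        return "Remediation"  # stale posture data is treated like non-compliance
    return "Full-Access" if dev.get("ownership") == "Corporate" else "BYOD-Limited"


EVAL_TIME = datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample records, not real devices.
SAMPLE_IOS = {
    "@id": "1001", "principal": "jdoe", "userDisplayName": "Jane Doe",
    "emailAddress": "jdoe@example.com", "employeeOwned": "Corporate",
    "platform": "iOS", "OSVersion": "12.4", "iPhone UDID": "UDID-EXAMPLE-0001",
    "uuid": "11111111-2222-3333-4444-555555555555", "compliance": "DeviceCompliant",
    "statusCode": "ACTIVE", "mdmManaged": "true", "isBlocked": "false",
    "isQuarantined": "false", "lastConnectAt": "2019-08-01T10:00:00Z",
    "wifi_mac": "00:11:22:33:44:55",
}
SAMPLE_ANDROID = {
    "@id": "1002", "principal": "asmith", "employeeOwned": "Employee",
    "platform": "Android", "os_version": "9", "imei": "000000000000001",
    "compliance": "DeviceCompromised,PolicyOutOfDate", "statusCode": "ACTIVE",
    "isBlocked": "false", "isQuarantined": "false",
    "lastConnectAt": "2019-08-01T11:30:00Z", "wifi_mac_addr": "66:77:88:99:aa:bb",
}

if __name__ == "__main__":
    for rec in (SAMPLE_IOS, SAMPLE_ANDROID):
        dev = normalize(rec)
        print(dev["userId"], dev["platform"], "->", assign_role(dev, EVAL_TIME))
```

The rule keys on the normalized names, which is what the Connect Secure role-mapping configuration sees, so platform differences in the source attribute names (OSVersion versus os_version, wifi_mac versus wifi_mac_addr) never leak into policy. The lastSeen check is the caveat worth carrying into a real rule: a record the MDM has not refreshed recently says nothing reliable about current posture.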

To configure the MDM:

  1. Enroll devices in the MDM using the methods supported by the MDM.
  2. Create a Simple Certificate Enrollment Protocol (SCEP) configuration that specifies the field and type of identifier for client device certificates. See Figure 60.
     The MDM configuration templates provide flexibility in how the device identifier can be placed in the device certificate's subject or subject alternative name. We recommend you include the user ID in the certificate, so the certificate can identify both the user and the device. For example:
     CN=<DEVICE_UUID>, uid=<USER_ID>, o=Company
  3. Create a VPN configuration that specifies the Juniper SSL connection type and the URL for the system sign-in page. See Figure 61. During the enrollment process, this profile is provisioned to the device. Select the SCEP configuration completed in Step 1.
  4. Select the VPN configuration and apply it to a group label you have provisioned to manage this group of devices. See Figure 62.
  5. Apply the group label to the devices when you add them to the MDM. See Figure 63. If they have already been added to the MDM, use the edit configuration utilities in the device inventory page to apply the group label.

    Figure 60: MobileIron SCEP Configuration

    Figure 61: MobileIron VPN Configuration

    Figure 62: Applying the VPN Configuration to a Label

    Figure 63: Adding a Device to the MDM
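The recommendation to carry both the device UUID and the user ID in the certificate subject is what lets a gateway confirm that the presenting device and the presenting user are the pair the MDM enrolled. The following added example, not Pulse Connect Secure or MobileIron code, parses a subject of the recommended form (CN=<DEVICE_UUID>, uid=<USER_ID>, o=Company) and checks it against an MDM record. It assumes the record carries the normalized names UUID and userId from Table 63, that the subject is rendered in RFC 4514 string form with backslash-escaped commas, and that the record and subjects below are constructed.

```python
"""Bind a device certificate subject to the enrolled device and user.

Added example (not Pulse Connect Secure or MobileIron code). Assumes the MDM
record uses the Table 63 names UUID and userId and the subject is an
RFC 4514 string with backslash-escaped commas.
"""
import re


def parse_subject(subject):
    """Parse 'CN=..., uid=..., o=...' into {attribute_type_lower: value}.

    Splits only on commas that are not backslash-escaped, and rejects a
    repeated attribute type so a second CN or uid cannot shadow the first.
    """
    rdn = {}
    for part in re.split(r"(?<!\\),", subject):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, _, value = part.partition("=")
        key = key.strip().lower()
        value = value.strip().replace("\\,", ",")
        if key in rdn:
            raise ValueError(f"duplicate attribute type: {key}")
        rdn[key] = value
    return rdn


def check_binding(subject, record):
    """Return (ok, reason). ok only when CN matches the record's device UUID
    and uid matches its user ID; a subject missing either field is refused."""
    try:
        rdn = parse_subject(subject)
    except ValueError as exc:
        return False, f"unparseable subject: {exc}"
    if "cn" not in rdn or "uid" not in rdn:
        return False, "subject must carry both CN (device) and uid (user)"
    if rdn["cn"].lower() != str(record.get("UUID", "")).lower():
        return False, "device UUID in certificate does not match MDM record"
    if rdn["uid"] != record.get("userId"):
        return False, "user ID in certificate does not match MDM record"
    return True, "certificate identifies the enrolled device and its user"


# Constructed MDM record (normalized names) and constructed subjects.
RECORD = {"UUID": "11111111-2222-3333-4444-555555555555", "userId": "jdoe"}
GOOD_SUBJECT = "CN=11111111-2222-3333-4444-555555555555, uid=jdoe, o=Company"
WRONG_USER = "CN=11111111-2222-3333-4444-555555555555, uid=asmith, o=Company"
NO_UID = "CN=11111111-2222-3333-4444-555555555555, o=Company"
ESCAPED = "CN=11111111-2222-3333-4444-555555555555, uid=jdoe, o=Company\\, Inc"

if __name__ == "__main__":
    for s in (GOOD_SUBJECT, WRONG_USER, NO_UID, ESCAPED):
        print(check_binding(s, RECORD))
```

A subject with only the device UUID would pass a device check while saying nothing about who is using it; the uid field is what turns the certificate into a statement about the user/device pair that the MDM record can be checked against.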