Gary McConnell


Co-founder of Clever Consulting, a professional services company based in Milan, Italy, specialising in providing strategic IT consulting to enterprises.
A sharp mind and quick thinker, with proven skills in executing complex IT projects over the years, with a particular focus on Mobile Device Management and Data Classification solutions. At the age of 20 he obtained a BSc from University College Dublin and has been working in the IT industry ever since.
Work Hard, play harder.

Six years have passed since we began guiding many Italian companies towards the realisation of their projects, strongly oriented to collaboration and communication and supported by mobility platforms whose indispensable characteristics were simplicity, scalability and security.

Through these experiences we have developed and refined a project and operational model which over time has become an indispensable tool. It allows our clients to explore and properly assess the path to be followed and the results obtainable against the planned investments.

The roadmap we have built is based on an operational matrix that takes into account the following fundamental elements:

  • Asset and Inventory Management
  • Standardisation of security and privacy
  • Email
  • WiFi
  • Corporate App Store
  • Certificates
  • Single Sign On (SSO)
  • Traffic management

Asset and Inventory Management.

We start here. This activity inventories and aggregates in the management platform all the registered corporate mobile devices. This step satisfies the main request from the ICT organisation, namely to have a single repository for Inventory Management that allows a simple correlation between the available devices and their users.

Standardisation of security and privacy.

Standardising processes allows companies to respond uniformly when applying the security and privacy policies needed to regulate business requirements and the company's own rules, so that they comply fully with current legislation. In this area the imminent obligations of the General Data Protection Regulation (GDPR) loom. Indeed, by means of audit log controls, the company is able to demonstrate irrefutably, to users and auditors, that there is a clear separation between personal and corporate data.

...
 
We have developed a series of bash scripts which can be used to monitor the MobileIron platform; we have used these scripts extensively with customers who run the Nagios platform in house.
We have decided to release these scripts into the public domain so that others can add functionality beyond what we currently have; the scripts can be found in my GitHub repository.
 
These scripts are divided into two distinct types:
  1. SNMP Monitoring
  2. MobileIron Application Level Monitoring.
The SNMP Monitoring scripts use standard nagios snmp checks to query the underlying operating system snmp objects providing information on CPU, storage and network interface usage.
 
The MobileIron application level monitoring scripts interact with the MobileIron application querying for specific metrics and values. The metrics are retrieved by interacting with the MICS and MIFS web consoles provided by the MobileIron application.  In order to access the MICS and MIFS interfaces application level users must be created on the MobileIron platform and configured in the nagios check scripts.
 
The SNMP Monitoring checks currently monitor the following metrics:
 
  • MobileIron Host Resources via the SNMP MIB:
    • CPU
    • DISK
    • Network use
 
The MobileIron Application level checks currently monitor the following metrics:
  • MobileIron Core
    • Application Status
    • System Backup Status
    • SSL Certificate Expiry
    • MDM Certificate Expiry
    • DNS Gateway health
    • EMAIL relay health
    • MapQuest health
    • NTP Health
    • SCEP Health
    • BES Health
    • MobileIron Support Site reachability
    • Ldap Connector Status
    • Ldap Sync Status

  • MobileIron Sentry
    • ActiveSync Backend Status
    • NTP Status
    • Core Status
    • DNS Status
    • number of open connections
    • cpu utilization
    • heap memory usage
    • number of connected devices
    • system memory usage 
    • thread pool utilization

  • MobileIron Connector
    • NTP Status
    • Core Status
    • DNS Status

All scripts can be found on GitHub at the following repository: https://github.com/garymcconnell/mobileiron-nagios

If you require assistance with the installation of the scripts and configuration of the Nagios platform, please contact us for a professional services engagement.

 


Revised for Core 9.x

Generate structured PDF reports for your MobileIron installations.

 

We have released version 1.2 of our MobileIron Configuration reporting tool.

This now supports Core 9.0.x and 9.1.x installs.

This is a java based command line tool and generates pdf files with the details of the MobileIron core application configurations.

An example of the output generated can be found here.

...
Edit 25/06/2017: Connected Cloud bug resolved.  Also tested on Core 9.4, 9.3
Edit 28/09/2016: We now support 9.0.x and 9.1.x versions of MobileIron core.

Edit 29/06/2016: The tool has now been updated to correct some minor bugs.

Tracking and documenting MobileIron Core installations is not that easy so we wrote a small tool for internal use a while back which exported MobileIron core configs to csv files.

We then took this a step further and made a web based version of the tool which produces structured pdfs allowing quick reporting of customer installs.

This did not fit some of our security conscious customers as the core was often unreachable to the outside world and so we had to go and find an alternative solution.

We have now developed a standalone version of our reporting tool which when run against a MobileIron core will create a pdf report of the configurations and profiles.  This provides detailed and extremely quick reporting of the MobileIron Configurations enabling historic archiving of the configurations for documentation purposes.

...

 

Deploying many hundreds or even thousands of devices to employees is by no means an easy feat. From the moment the device is unboxed to when the end user is operational can take significant effort, even with the latest EMM tools such as MobileIron driving the deployment.

One of the challenges facing enterprises is how to optimize and standardize the deployment process reducing the amount of human intervention to a minimum. We have engineered a process which resolves the following problems:

  1. how to install EMM agent, enroll device with EMM and preload applications on a device before shipping to end user
  2. how to complete the previous step without having prior knowledge as to which user will receive the device when shipped.

The automation process is illustrated in the below video where we take a Samsung Galaxy Note, place it in developer mode and then automatically complete all steps via our automation framework eliminating human intervention. We can execute this process on many devices concurrently.

 Android deployment Automation

...
 
[edit - 26/05/2016 - we've discontinued this script as it only supports up to version 7.x... see our new java reporting version here for 8.5.x support]
 
Given that we have installed many MobileIron deployments over the last three years, we have developed a few in-house utilities to help us document and verify our work in the field. One of the frequent requests we get is how to carry out change control and documentation. We have knocked together a few scripts which help us speed up this process, and you can download a PowerShell 4.0 script we use to export configurations and policies to CSV files. We use this data, along with the labels export (included in the script), to build Excel files which provide the customer documentation and a means to query the MobileIron configuration without having to access the MobileIron console.

You need to provide the following input (example input shown)

VSP Hostname  (https://testmdm.clever-consulting.com)
VSP Username (admin)
Output file directory  (c:\temp)

The script will write the values to environment variables so that you do not have to input each time.
 
PS C:\Users\mcconnellg> D:\Clever\Git\mi_documentor\mi_config_matrix.1.2.ps1
VSP Hostname? ( "https://...") [https://testmdm.clever-consulting.com]:
VSP Username? [admin]:
Output file directory? [c:\temp]:
[2015-01-05 03:36:52] Output File: c:\temp\testmdm.clever-consulting.com.20150105153652.LabelsToConfig.csv
[2015-01-05 03:36:52] Output File: c:\temp\testmdm.clever-consulting.com.20150105153652.Config.csv
[2015-01-05 03:36:52] Output File: c:\temp\testmdm.clever-consulting.com.20150105153652.Labels.csv
[2015-01-05 03:36:52] trying to login to https://testmdm.clever-consulting.com
[2015-01-05 03:36:54] ------------ Labels --------------
[2015-01-05 03:36:55] Labels,_app_agp,,,True
[2015-01-05 03:36:55] Labels,_Demo_1_Dataview,_Demo_1_Dataview,,True
.....
[2015-01-05 03:36:55] ------------ Policies --------------
[2015-01-05 03:36:55] Policy,Demo Samsung Lockdown,_Demo_Samsung_Lockdown
[2015-01-05 03:36:55] Policy,LOCKDOWN,Demo Samsung Lockdown,Action Center Notifications,Enabled

[2015-01-05 03:37:04] ------------ Configurations --------------
[2015-01-05 03:37:04] Configuration,APPCONFIG,_demo_1_email_divide,Application,forgepond.com.enterproid.divide.pim
....
[2015-01-05 03:37:11] Created CSV File, Label Map : c:\temp\testmdm.clever-consulting.com.20150105153652.LabelsToConfig.csv
[2015-01-05 03:37:11] Created CSV File, Config : c:\temp\testmdm.clever-consulting.com.20150105153652.Config.csv
[2015-01-05 03:37:11] Created CSV File, Labels : c:\temp\testmdm.clever-consulting.com.20150105153652.Labels.csv

PS C:\Users\mcconnellg>

We use this script with all of our deployments, but it is provided with absolutely no warranties; it has been tested with v6.x and v7.x Core installations.

I'm interested in having feedback, we've other scripts which also document most of the core and sentry settings but I'd rather not release them as they are a bit "raw".

The script can be accessed here (only supports 6.x and 7.x)
 
[Edit - please see our newer java version here for 8.5.x support]
 


If you are interested in our professional services, do not hesitate to contact us.

Following on from my previous posts regarding MobileIron Nagios monitoring and MobileIron snmp here are some details of how to configure Nagios to monitor MobileIron appliances.

The following instructions are valid for Nagios 3.51, I haven't tested this on any other version of Nagios for the moment.

 
SNMP monitoring of MobileIron appliances with Nagios applies to Core, Sentry and LDAP connector appliances. The first step is to enable the SNMP service on the MobileIron appliances:
  • Enable SNMP monitoring on the MobileIron Appliance:
    • Login to Mics https://appliancename:8443/mics/mics.html
    • Settings -> SNMP -> SNMP Control ->SNMP Service = Enable
    • Set the SNMP Community
    • Click on Apply

mobileiron enable snmp

On your Nagios installation, download and install the following Nagios check scripts into your Nagios plugins directory; this is "/usr/lib64/nagios/plugins" on my CentOS box.
 
cd /usr/lib64/nagios/plugins
wget http://nagios.manubulon.com/check_snmp_int.pl
wget http://nagios.manubulon.com/check_snmp_load.pl
wget http://nagios.manubulon.com/check_snmp_mem.pl
wget http://nagios.manubulon.com/check_snmp_storage.pl
 
Change the permissions on the downloaded scripts so that they can be executed
chmod 777 check_snmp_*.pl
 
Edit the check_snmp_mem.pl and check_snmp_storage.pl files to change the library location specific to your Nagios install.
For my installation on centos, change :
    use lib "/usr/local/nagios/libexec";
to
    use lib "/usr/lib64/nagios/plugins";
 
Check to make sure that the scripts can query the MobileIron appliance correctly by running the check script directly from the command line.
 
[root@byod plugins]# ./check_snmp_mem.pl -H testmdm.clever-consulting.com -C mipublic  -f -w 99,20 -c 100,85

Ram : 91%, Swap : 22% : > 99, 20 ; WARNING | ram_used=3635664;3938462;3978244;0;3978244 swap_used=911936;838858;3565148;0;4194292
 
You should get a response like the above indicating the RAM and swap used. The above query uses its parameters to return a warning if RAM usage exceeds 99% or swap exceeds 20%, and critical if RAM is 100% and swap 30%. For details of the specific parameters please see the http://nagios.manubulon.com website.
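To see exactly how Nagios (and nagiosgraph) will read that line, here is a small Python parser for the plugin output and its perfdata that re-derives the WARNING verdict from the warn/crit thresholds the plugin embedded after the "|". It is an added example, not code from the mobileiron-nagios repository; the sample line is the check_snmp_mem.pl output above, embedded so it runs offline, and it generalises to any plugin using the standard label=value;warn;crit;min;max perfdata form.

```python
"""Parse a Nagios plugin line and re-derive its state from the perfdata.

Added example (not code from the mobileiron-nagios repo). The sample line is
the check_snmp_mem.pl output shown above, embedded so this runs offline.
Thresholds use the plain "value above warn/crit" form produced by -w/-c here;
Nagios range syntax ("10:20", "@10:20") is not handled.
"""
import re
from typing import Dict, List, NamedTuple, Optional

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3          # Nagios plugin exit codes
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Output captured in the post: check_snmp_mem.pl ... -f -w 99,20 -c 100,85
SAMPLE_OUTPUT = (
    "Ram : 91%, Swap : 22% : > 99, 20 ; WARNING | "
    "ram_used=3635664;3938462;3978244;0;3978244 "
    "swap_used=911936;838858;3565148;0;4194292"
)

class Metric(NamedTuple):
    """One perfdata item: label=value[UOM];[warn];[crit];[min];[max]."""
    label: str
    value: float
    uom: str
    warn: Optional[float]
    crit: Optional[float]
    minimum: Optional[float]
    maximum: Optional[float]

    def percent(self) -> Optional[float]:
        """Value as a share of max; this is what the plugin printed as 'Ram : 91%'."""
        return None if not self.maximum else 100.0 * self.value / self.maximum

    def state(self) -> int:
        """Worst threshold exceeded; crit wins over warn."""
        if self.crit is not None and self.value > self.crit:
            return CRITICAL
        if self.warn is not None and self.value > self.warn:
            return WARNING
        return OK

# Labels may be single-quoted (e.g. 'C: drive'); the body runs to whitespace.
_PERF_RE = re.compile(r"(?P<label>'[^']+'|[^\s=']+)=(?P<body>\S+)")
_VALUE_RE = re.compile(r"([-+]?\d*\.?\d+)(.*)")

def _num(field: str) -> Optional[float]:
    return float(field) if field else None

def parse_perfdata(perf: str) -> List[Metric]:
    """Turn the text after '|' into Metric records; malformed items are skipped."""
    metrics: List[Metric] = []
    for m in _PERF_RE.finditer(perf):
        fields = (m.group("body").split(";") + [""] * 5)[:5]
        vm = _VALUE_RE.match(fields[0])
        if not vm:
            continue
        metrics.append(Metric(m.group("label").strip("'"), float(vm.group(1)),
                              vm.group(2), *(_num(f) for f in fields[1:])))
    return metrics

def evaluate(line: str) -> Dict[str, object]:
    """Re-derive the overall state from perfdata alone, as a cross-check of the
    plugin's own verdict (handy when tuning -w/-c before wiring up Nagios)."""
    text, _, perf = line.partition("|")
    metrics = parse_perfdata(perf.strip())
    worst = max((m.state() for m in metrics), default=UNKNOWN)
    per_metric = {}
    for m in metrics:
        pct = m.percent()
        per_metric[m.label] = {"pct": None if pct is None else round(pct),
                               "state": STATE_NAMES[m.state()]}
    return {"text": text.strip(), "state": STATE_NAMES[worst], "metrics": per_metric}

if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT))   # state: WARNING (swap 22% is above the 20% warn)
```

Running it on the captured line shows RAM at 91% (OK against the 99% warn) and swap at 22% (above the 20% warn), which is why the plugin exited WARNING.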
 
Now that we have verified the scripts we need to add them to Nagios as Nagios commands.
I put all of my MobileIron specific commands into a file mi_commands.cfg which I then place in the /etc/nagios/conf.d directory
 
/etc/nagios/conf.d/mi_commands.cfg

define command{
command_name check_snmp_int_v1
command_line /usr/bin/perl $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ -n $ARG2$ $ARG3$
}

define command{
command_name check_snmp_load_v1
command_line /usr/bin/perl $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$
}

define command{
command_name check_snmp_storage_v1
command_line /usr/bin/perl $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$
}

define command{
command_name check_snmp_mem_v1
command_line /usr/bin/perl $USER1$/check_snmp_mem.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$
}
 
 
Note:  In order to avoid any issues with miniperl in nagios I explicitly declare the /usr/bin/perl executable in the command_line
 
 
We now need to add these commands to the MobileIron host object we need to monitor, again I create a configuration file per host and place this in the /etc/nagios/conf.d directory.
/etc/nagios/conf.d/testmdm.cfg
 
###############################################################################
#
# HOST DEFINITION
#
###############################################################################

define host{
use linux-server
host_name testmdm
alias testmdm
address 192.168.1.12
}

###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################

# Define "ping" Service
define service{
use generic-service ; Name of service template to use
host_name testmdm
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}

# Define SNMP Services
define service {
use generic-service,nagiosgraph
host_name testmdm
service_description Snmp/Network
check_command check_snmp_int_v1!mipublic!eth0!-f -k -w 100,50 -c 0,0
}

define service {
use generic-service,nagiosgraph
host_name testmdm
service_description Snmp/Cpu
check_command check_snmp_load_v1!mipublic!-f -w 3,3,2 -c 4,4,3 -T netsl
}

define service {
use generic-service,nagiosgraph
host_name testmdm
service_description Snmp/Disk
check_command check_snmp_storage_v1!mipublic!-f -m / -r -w 80% -c 90%
}

define service {
use generic-service,nagiosgraph
host_name testmdm
service_description Snmp/Memory
check_command check_snmp_mem_v1!mipublic!-f -w 99,70 -c 100,85
}

 

In my configuration we are also using the nagiosgraph (http://nagiosgraph.sourceforge.net/) plugin to graph the performance data; this is optional and can be excluded.

...


I've been asked for more information on monitoring MobileIron after my previous post, especially regarding the use of snmp.
The MobileIron Core officially supports the HOST-RESOURCES MIB; however, if you do an snmpwalk of the Core, Sentry and LDAP connector you will see that the following MIBs are present:

snmpwalk -v 1 -c <core-snmp-community-name> <core-ip-address> | cut -f1 -d":" | sort | uniq
DISMAN-EVENT-MIB
EtherLike-MIB
HOST-RESOURCES-MIB
IF-MIB
IP-FORWARD-MIB
IP-MIB
IPV6-MIB
MTA-MIB
NOTIFICATION-LOG-MIB
RFC1213-MIB
RMON-MIB
SNMPv2-MIB
TCP-MIB
UDP-MIB

The most useful of these MIBs for monitoring are the HOST-RESOURCES-MIB and IF-MIB, which make it possible to monitor the following elements:

  • Disk
  • CPU 
  • Memory
  • Network

As these are standard MIBs, many people have already implemented Nagios checks for them; the following examples, even if quite old, work quite well:

The author of these plugins also provides the necessary information to create the associated Nagios commands and services. I will publish a complete Nagios MobileIron configuration once I get my documentation in order :)

If any further information is required, don't hesitate to contact us.


As the Italian distributor for MobileIron we are fortunate to work with top resellers and system integrators on some of the largest MDM deployments in Italy. Quite often we are required to implement monitoring solutions so that the MobileIron platform can be integrated with the enterprise operational framework in the customer environment. As we frequently find Nagios implemented, we have developed a series of Nagios plugins that allow customers to easily add Nagios-based monitoring of the MobileIron platform. The plugins we have developed enable both health checking and alarms; we also provide perfdata metrics which can be passed to Nagios backend graphing solutions like nagiosgraph.

We currently monitor the following metrics:

MobileIron Core

  • MobileIron Host Resources via the SNMP MIB:
    • CPU
    • DISK
  • MobileIron Application Monitors
    • Application Status
    • System Backup Status
    • SSL Certificate Expiry
    • MDM Certificate Expiry
    • DNS Gateway health
    • EMAIL relay health
    • MapQuest health
    • NTP Health
    • SCEP Health
    • BES Health
    • MobileIron Support Site reachability
    • Ldap Connector Status
    • Ldap Sync Status

This is an example of the Nagios checks on a MobileIron core server:

Mdm Monitoring

...

Gartner's recent advice to companies to develop and execute a plan to move from BlackBerry to other mobile devices and Enterprise Mobility Management platforms within the next six months has alarmed many companies that had remained loyal to BlackBerry despite the turmoil of recent years. Underlying these companies' decision to stay with BlackBerry were very good reasons, among the most cited being its security and lockdown features. Now those companies have to try to replicate these "necessary" security features on a range of devices designed and built so that consumers can do anything on them. They also have to decide whether they can make this transition before their current contract expires, or whether they must rely on a support contract, valid for another year, which they may not need.

In recent months, as BlackBerry's fate became ever more sealed, we have seen a growing number of customers asking us for help in leaving BlackBerry, once their preferred corporate device. Usually these customers fall into two categories: 1) those who accept that they cannot have the same level of control over iOS and Android devices and prefer to focus on enabling new features to offer employees (an improved user experience, more apps, content editing, etc.), and 2) those who insist on replicating the same high level of control. Many of those in the first category decide to move to BYOD. But what is really interesting is that many of the customers in the second category end up moving to the first.

Not because the options are lacking for control freaks. The most common concerns cited by these customers include the inability to prevent app downloads and to restrict the websites users can visit. Device supervision through Apple Configurator offers numerous lockdown features, including disabling AirDrop, which poses a serious risk to corporate security. Samsung SAFE and KNOX devices also offer substantial lockdown features for Android devices.

We see customers examine these options, weigh the administrative overhead needed to manage and enforce these restrictions, as well as the specific (and paid-for) device functionality that would be disabled, and, in the end, reconsider their assumptions about what is actually necessary to protect the company and what might simply be overkill.

They often end up deciding that the "rules and consequences" security model is acceptable, where employees are informed of the rules (e.g. downloading unauthorised cloud storage apps is forbidden) and of the consequences (if that ban is broken, all access to corporate resources is lost, making the device essentially useless), rather than blocking activities completely. This lets employees take greater advantage of these devices' capabilities.

...

Posted in Integration

Integrating systems in large enterprises requires a broad knowledge of the many technologies and systems that you will encounter. Over the years we have accumulated significant experience with complex challenges, and this certainly proved useful in a recent issue. One of our enterprise customers, a large global multinational, has a very complex LDAP environment with many directory services, ranging from over seventy Active Directory domains to several Critical Path directories, all of which require integration with our Mobile Device Management platform.

This specific customer also uses certificates extensively for authentication purposes. The challenge we faced is that they require their certificates to be constructed with the certificate subject name containing the Microsoft NetBIOS domain name and the user account name, i.e. <domain>\<samaccountname>.

The Challenge

The problem that we faced was that our MDM platform requests the creation of the certificates based on information we extract from Ldap, and Microsoft Active Directory does not provide the netbios domain name information in ldap.

The sequence is as follows:

...

Accellion, the leader in enterprise-grade Secure Mobile File Sharing, has recently launched kitepoint™, a new component of the Accellion Mobile File Sharing suite that makes corporate information usable on the move without the need for a VPN.

kitepoint™ lets users share files outside the company with secure, single mobile access to files stored in Enterprise Content Management (ECM) systems such as SharePoint, while ensuring security and compliance.

By removing the need for VPN connections, kitepoint™ is accessible on smartphones and tablets through the Accellion app for iOS and Android, and on laptops through the Accellion web interface.

How does kitepoint™ work? Watch this short video.

...