Version 17.4
1 iOS Client
1. 1 Standard (‘Vanilla’)
Deploying the Standard version of the MindLink Mobile App to an end-user device is simple: the user logs into the App Store, searches for MindLink and hits the “Get” button.
Figure 1 – MindLink in the App Store
1.1. 1 Mobile Autodiscovery
When Mobile Autodiscovery is set up, the user can use a domain email address to initialise the connection to the server hosting the MindLink Mobile application. This saves the user time and spares them from having to ask administrators for a server address.
Please note: This will not work in the event your MDM platform is set to automatically provision the MindLink Mobile server address.
2. 2 BlackBerry Secure Workspace
2.1. 1 Deployment through BlackBerry Enterprise Service 10
1. Using your browser, navigate to your BlackBerry Enterprise Service. Please note: When using BES10 please navigate to BES10 – Universal Device Service.
Figure 2 – BlackBerry Enterprise Server 10 (BES10) Universal Device Service
2. Add the ‘App store’ app to BES10
a. Navigate to ‘Library’ on the top navigation bar
b. Click the ‘+’ icon on ‘Application Definitions’
c. Below on the right of ‘Application sources’ click the ‘+’ icon again.
d. Select ‘App store app’
Figure 3 – Uploading an App Store app to BES10
e. You will now be prompted to fill in the following fields as depicted in the image below.
Figure 4 – Creating a new application source, BES10
f. For ‘Application name’ fill in a useful name like: MindLink for SECTOR
g. For ‘Application version’, make sure it corresponds with the version available on the App Store. Please Note: Do not use full stops, rather, if the version number is for example, 3.3.0.5 enter: 3030005 instead (replacing each full stop with a 0). MindLink will provide you with the current version number.
h. For ‘Application Identifier’ enter the following: com.mindlinksoft.mindlinkmobile.sector
i. For ‘Secure Application’, tick the box.
j. For ‘Application source’ please select ‘Application web address’ from the drop down menu.
k. For ‘Application web address’, fill in the entire App Store URL:
https://itunes.apple.com/us/app/mindlink-for-sector/id763628791
3. Create a new software configuration for the iOS version of the MindLink Mobile client for SECTOR. Assign the application to the software configuration.
Figure 5 – Creating a new software configuration, BES10
4. Apply the software configuration from Step 3 to the user by clicking the ‘+’ icon and selecting the profile from the drop-down menu.
Figure 6 – Adding a software configuration to a user, BES10
5. Send an activation email to the user. The user will receive the activation email including the activation password and further instructions.
6. Download & install the BES12 Client (mobile) on the iOS device from the ‘App Store’ or instruct the user to do so (as well as follow the instructions from the activation email).
7. Open the BES12 Client (mobile) and enter the activation details received in the activation email.
8. After activation is complete the user will be requested to enter a Secure Work Space password. Additionally the user will be prompted to download any applications that have been specified for the user/group. This includes MindLink Mobile for SECTOR. (Please Note: After each application is downloaded the user may need to press the back button to initiate the next download).
2.2. 2 Installing Certificates through BES10
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 7 – Management Console; Certificates snap-in
2. Using your web browser navigate to the BlackBerry Enterprise Service 10 Universal Device Service and logon.
Figure 8 – BlackBerry Enterprise Service 10 (BES10), Universal Device Service (UDS)
3. Using the navigation menu above, select: Library
Figure 9 - BES10 UDS Menu
4. On the left hand side of your browser you will see various options, choose: CA certificate by clicking the “ + ” icon
Figure 10 – CA Certificate profiles
5. Enter a name and, optionally, a description for the certificate profile then browse to the location of the exported CA certificate and choose: Open
Figure 11 - Creating a new CA Certificate Profile
6. After creating the new CA Certificate Profile it must be applied to the relevant users/groups for the BES10 to push the profile onto any applicable devices. This is done by navigating to Users & Devices using the menu bar.
7. Depending on whether you want to apply the CA Certificate Profile to a user or to an entire group; click ‘All Users’ or ‘Groups’
Figure 12 Applying a CA Certificate Profile to individual users or groups
8. Select the user or group you would like to apply the CA Certificate Profile by clicking on it
9. The browser will transition to a group/user configuration screen where you can add IT policies and profiles to a group/user.
10. To apply a policy or profile, click the “ + ” icon.
Figure 13 – Applying IT policies and profiles to groups/users
11. From the drop-down menu, select: CA Certificate
Figure 14 – Drop-down menu, adding IT policies and profiles
12. You can now choose which CA Certificate profile you would like to apply
Figure 15 – Choose a CA Certificate profile to apply
2.3. 3 Deployment through BlackBerry Enterprise Service 12
1. Using your web browser, navigate to your BES12
Figure 16 – Logging on BlackBerry Enterprise Service 12 Administration Portal (BES12)
2. Using the navigation bar click ‘Apps’
Figure 17 – Navigation bar, BES12
3. Click the ‘Add an app’ icon
Figure 18 – Adding an app, BES12
4. You will now see a selection of locations to add an app from, please select App Store (for iOS).
Figure 19 – Select App Store, BES12
5. A window titled ‘Add iOS apps’ will now appear as shown below.
Figure 20 – Search for App Store apps, BES12
6. Type in the name of the app; MindLink for SECTOR.
7. Press ‘Search’.
8. The MindLink for SECTOR iOS client should now appear below.
9. To finalize, press ‘Add’
10. The app should now appear in the ‘App Management’ screen in BES12
11. In order to deploy MindLink for Workspace to your mobile device you must assign the application to individual users or user groups.
12. To assign an app to individual users, proceed to the ‘Users and Devices’ tab.
13. To assign an app to groups, proceed to the ‘Groups’ tab.
14. For each user or group you wish to assign the application to find and click the ‘+’ icon in the corresponding ‘App’ table to assign an app.
Figure 21 – Assigning apps, BES12
Clicking ‘Next’ will bring up the following options illustrated in the image below:
Figure 22 – Select app disposition, BES12
Users can now download the MindLink for SECTOR app from the App Store.
2.4. 4 Installing Certificates through BES12
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 23 – Management Console; Certificates snap-in
2. Once the certificate has been exported it must be uploaded to the BlackBerry Enterprise Server (BES12). Navigate to the Administration Portal of the relevant BES.
Figure 24 – Navigation bar, BES12
Once logged on the BlackBerry Enterprise Server (BES12), navigate to the ‘Policies and Profiles’ tab. After navigating to ‘Policies and Profiles’ there is a menu bar visible on the left of the page. In the list of menu items click ‘+’ next to ‘CA certificate’.
Figure 25 – Adding a CA certificate profile, BES12
Ensure the certificate has the file suffix .der; if not, simply rename the file extension, e.g. FileName.der
Also ensure that the relevant device operating system and certificate store have been selected before clicking the ‘Add’ button.
The CA certificate profile should now be visible on the BES12 and you can now assign the profile to various user groups or specific users. To do so navigate to either the ‘Users and Devices’ tab or ‘Groups’ tab.
3. For specific users;
a. For specific users simply click on the user you wish to assign the CA certificate profile to and then click the ‘+’ icon next to ‘IT policy and profiles’.
b. Select ‘CA certificate’ and locate the appropriate ‘CA certificate profile’ from the drop-down menu (Please note: If the CA certificate has already been applied to a user, this certificate will no longer appear in the drop-down menu).
c. The selected CA certificate profile should now be visible in the overview of IT policies and profiles applied to the specified user.
4. For groups;
a. Click the group for which you wish to apply the CA certificate profile.
b. Click the ‘Settings’ tab for that group.
c. Click the ‘+’ icon next to ‘IT policy and profiles’ and select ‘CA certificate profile’.
d. Select the appropriate CA certificate profile and press ‘Assign’.
Please note, as with the deployment of the MindLink Mobile client, it may take some time before the BES12 pushes the CA certificate profile on to the device(s).
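An added example, not part of MindLink's or BlackBerry's documentation: renaming an exported file to .der changes only its name, so this Python script checks from the content whether the file exported in step 1 is DER or Base-64 (PEM), converts it to DER, and prints fingerprints to compare with the root CA's known thumbprint before the profile is pushed. The sample bytes are constructed placeholders rather than a real certificate, and the command-line file names are assumptions.

```python
"""Check what an exported CA certificate file really contains before uploading it."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----"
)


class CertFileError(ValueError):
    """The file is not one well-formed X.509 certificate."""


def _der_header(data):
    """Return (header_length, total_length) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise CertFileError("not DER: first byte is not a SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2, 2 + first
    count = first & 0x7F                  # long form: 'count' length bytes follow
    if count == 0 or count > 4 or len(data) < 2 + count:
        raise CertFileError("unsupported or truncated DER length field")
    return 2 + count, 2 + count + int.from_bytes(data[2:2 + count], "big")


def _check_der_certificate(data):
    """Structural checks only: exact length and certificate-shaped first element."""
    header, total = _der_header(data)
    if total != len(data):
        raise CertFileError(
            f"DER length says {total} bytes but file has {len(data)} "
            "(truncated or trailing data)")
    if total == header:
        raise CertFileError("empty SEQUENCE")
    if data[header] == 0x06:              # OID first: PKCS #7 (.p7b) ContentInfo
        raise CertFileError("PKCS #7 container, not a single certificate")
    if data[header] != 0x30:              # a certificate starts with tbsCertificate
        raise CertFileError("content does not start like an X.509 certificate")
    return data


def classify(data):
    """Return 'pem' or 'der' from the content, ignoring the file extension."""
    text = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # tolerate a BOM and blank lines
    return "pem" if text.startswith(b"-----BEGIN ") else "der"


def to_der(data):
    """Return validated DER bytes for a file holding exactly one certificate."""
    if classify(data) == "der":
        return _check_der_certificate(data)
    blocks = list(PEM_BLOCK.finditer(data))
    if len(blocks) != 1:
        raise CertFileError(f"expected one PEM block, found {len(blocks)}")
    label = blocks[0].group("label")
    if label != b"CERTIFICATE":
        raise CertFileError(f"PEM block is {label.decode()!r}, not CERTIFICATE")
    return _check_der_certificate(base64.b64decode(blocks[0].group("body")))


def fingerprint(der, algorithm="sha256"):
    """Colon-separated hex digest of the DER bytes (Windows thumbprints are SHA-1)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholders, NOT real certificates.
SAMPLE_DER = bytes.fromhex("30053003020102")   # SEQUENCE { SEQUENCE { INTEGER 2 } }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_P7B = bytes.fromhex("3003060100")       # SEQUENCE { OID ... }

if __name__ == "__main__":
    # Usage (file names are assumptions): python check_ca_cert.py exported.cer RootCA.der
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as src:
            raw = src.read()
        der = to_der(raw)
        with open(sys.argv[2], "wb") as dst:
            dst.write(der)
        print("input encoding:", classify(raw))
    else:
        der = to_der(SAMPLE_PEM)
        print("demo on constructed sample; input encoding:", classify(SAMPLE_PEM))
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der))
```

The checks are structural only; they do not verify the certificate's signature, validity period or CA flag.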
3. 3 BlackBerry Technology MDM
3.1. 1 Configuring the BlackBerry Dynamics Server (Formerly GOOD Dynamics)
1. Launch your web browser.
2. Go to https://community.good.com/marketplace.jspa and filter by Categories > Collaboration.
3. Click "Start a Trial" – you must ensure that this is requested from the BlackBerry Control (formerly Good Control Console) console’s Administrative user email address. After your trial license is converted to a full license, MindLink will publish the application to your BlackBerry Control console.
4. MindLink for BlackBerry can be found under APPS > Manage Apps in your BlackBerry Control console.
Figure 26 – Applications in BlackBerry Control
If your domain is trusted in Settings – Clusters – GC Clusters, proceed to step 9.
5. Click on MindLink for BlackBerry – This will transition to the configuration options.
6. Click the BlackBerry Dynamics tab.
7. We now need to whitelist the MindLink Servers/Ports. In Host Name type the FQDN of your MindLink Mobile Server and in the Port enter the port of the relevant MindLink Services (Web Services Port and Secure Socket Port – defaults are 7074 and 7072 respectively).
Figure 27 – Enter server details, BlackBerry Control
8. Alternatively you may decide to whitelist the server for multiple apps. This is done through the Policies menu by clicking Connectivity Profiles, moving to the APP Servers tab and adding the server domain as an allowed domain
9. Go to App Groups and click the “ + ” symbol.
Figure 28 – Adding a new group, BlackBerry Control
10. Specify a Group Name and click Create Group.
11. Click the “+” button.
12. In the dialogue box that pops out tick the tick box for the relevant users and click OK.
Figure 29 – Selecting users, BlackBerry Control
13. Click Add More (under Allowed Applications).
14. Select MindLink for BlackBerry (under Partner) and click OK.
Figure 30 – Add an allowed application, BlackBerry Control
3.2. 2 Provisioning
Provisioning the MindLink App can be done using one of two methods: either the administrator provisions users individually, or users can use BlackBerry Control’s Self Service.
3.2.1. 1 Administrator provisions users
1. Ensure you are logged onto BlackBerry Control as an administrator
2. Go to User tab > Users and Groups
Figure 31 - Manage Users, BlackBerry Control
3. Find and click the user you wish to provision an access key for
Figure 32 – Select a user to provision, BlackBerry Control
4. Now click: Edit
Figure 33 – Edit User, BlackBerry Control
5. Click the Access Keys tab
Figure 34 - Access Key provisioning, BlackBerry Control
6. Click: New Access Key
Figure 35 – Provisioned Access Key, BlackBerry Control
7. The access key has now been provisioned, you may opt to email it to the user by clicking the envelope icon.
3.2.2. 2 Self Service provisioning
As an alternative to the administrator provisioning individual users; administrators can encourage users to use Self Service provisioning in the BlackBerry Control Console.
1. Users should log onto BlackBerry Control using their BlackBerry Control credentials
2. Click the Access Keys tab
Figure 36 – Self Service Access Key provisioning, BlackBerry Control
3. Click Provision
4. The Access Key will appear under the header Provisioned Access Keys
Figure 37 – Provisioned Access Key, BlackBerry Control
5. Users may use the Access Key directly from the BlackBerry Control Console or they may choose to email it to themselves by clicking the envelope icon.
3.3. 3 Installing Certificates through BlackBerry Control
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device. This is done using the BlackBerry MDM platform which, once configured, will push the required certificate(s) to any applicable devices.
3.4. 4 Deploying the App to End-Users
The BlackBerry Dynamics version of the App is available from the App Store by searching “MindLink” (or “MindLink for BlackBerry”) and tapping “Get” next to the entry for MindLink for BlackBerry. Alternatively, the BlackBerry Dynamics version of the app is also available through the Google Play Store.
Figure 38 – MindLink for BlackBerry in the App Store & Play Store
3.5. 5 Authentication Delegation
BlackBerry Control allows you to configure authentication delegation. To start configuring, launch your web browser and navigate to BlackBerry Control.
1. From the Navigation menu on the left select: POLICY SETS
Figure 39 – Policy Sets, BlackBerry Control
2. Here you can select the BlackBerry Default Policy or any other applicable policies.
Figure 40 – BlackBerry Default Policy, BlackBerry Control
3. Click the SECURITY POLICIES tab.
Figure 41 – Security Policies
4. Scroll down to Authentication Delegation
Figure 42 – Authentication Delegation, BlackBerry Control
5. Using the arrows you may select a primary and secondary authentication delegate.
6. Optionally you can allow self-authentication by checking the relevant tick box.
7. There are some additional options available, such as the option to Prevent Data Leakage (disables copy/pasting into and out of the BlackBerry container) and the option to enable Federal Information Processing Standards (FIPS).
3.6. 6 Pre-configuring the username and server details - iOS and Android
Figure 43 – BlackBerry console
Start by navigating to the BlackBerry console, here is where you will be able to make the changes required to directly affect the MindLink Mobile for BlackBerry app.
Figure 44 – Policy Sets
To begin making changes you will want to navigate towards the 'Policies' section specifically under 'Policy Sets'. Once here you will be presented with the policy sets that exist within your infrastructure. For the purpose of this guide we will use the 'BlackBerry Default Policy'
Figure 45 – Manage Policy Set
Once you have clicked on the Policy Set you will be brought to the management section of the set. Here you will want to navigate to the 'Apps' section as shown above. From here you will be able to pre-configure MindLink Mobile for BlackBerry with server and log on credentials.
Figure 46 and 47 – Pre-Configurable options
The above screenshots are where you can pre-configure the MindLink Mobile for BlackBerry app. Within the 'Server URL' option you can enter the FQDN of the server running the MindLink Mobile service; BlackBerry will register this value and it will be applied automatically when the app is used. You can also enable 'Logon name', which will automatically log users on. When an AD-enabled user registers with BlackBerry during enrollment, this option enables those details to be pushed onto the MindLink Mobile for BlackBerry app. For example, if 'iphonetest1@DevResource.local' enrolls with BlackBerry, assuming those UPN credentials exist on AD, they will be pushed to the MindLink app, and you will see the username 'iphonetest1@DevResource.local' automatically filled out.
Figure 48 - Pre-configured log on - Android
As can be seen from the above screenshot the pre-configured log on name has been applied, this will occur if the option discussed previously has been enabled.
Figure 49 - Pre-configured log on - iOS
And the same applies for the iOS flavour of the MindLink for Mobile BlackBerry app.
3.7. 7 Data Loss Prevention
As part of your deployment it is possible to configure certain DLP policies that will subsequently be enforced on the MindLink for BlackBerry app on iOS and Android respectively. The following will run through how this is done.
To begin navigate to your BlackBerry policies and in particular the one that applies to your fleet of devices. Once this has been done you will be presented with a screen similar to the one above. The next step is to click on 'Security Policies'.
Once on the 'Security Policies' tab you will want to scroll down to 'Data Leakage Prevention' as shown in the screen above. Here is where you can configure the various DLP policies that will apply to your fleet of devices. Note: some of these policies are exclusive to Android and/or iOS. If you've made any changes make sure to click 'Update' to push this configuration down to the devices.
For example, if you enable 'Prevent copy from GD apps into non-GD apps', MindLink for BlackBerry will register this, and if a user attempts to copy content from MindLink for BlackBerry to a non-GD app, they will be unable to do so. As a result, all possible avenues for data leakage are prevented, and the policies are adhered to by the MindLink for BlackBerry app.
4. 4 MobileIron MDM
The MindLink Mobile iOS client is available for the MobileIron AppConnect container and leverages MobileIron Tunnel per-app VPN for connectivity.
4.1. 1 Enable AppConnect
Before enabling AppConnect on your admin portal, confirm that your organization has purchased the required AppConnect licenses. Contact your MobileIron representative if you require additional details on AppConnect license purchases.
1. To enable AppConnect and MobileIron Tunnel functionality on the admin portal, navigate to the Settings page
Figure 50 – Navigation menu bar, MobileIron Admin Portal
Check the boxes as shown below.
Figure 51 – Settings for additional products, MobileIron Admin Portal
2. Select the option for “Enable AppConnect for third-party and in-house apps”
4.2. 2 Configure an AppConnect global policy
To modify an existing AppConnect global policy:
1. On the MobileIron Admin Portal, go to Policies & Configs > Policies
2. Select an AppConnect global policy
3. Click Edit
4. Edit the AppConnect global policy based on your requirements. Please refer to the AppConnect chapter of the VSP Administration Guide for details about each field.
An AppConnect global policy configures the security settings for all AppConnect apps, including: Whether AppConnect is enabled for the devices that the policy is applied to and AppConnect passcode requirements.
Figure 52 – Modify AppConnect Global Policy, MobileIron Admin Portal
Note: The AppConnect passcode is not the same as the device passcode.
Figure 53 - AppConnect Passcode settings, MobileIron Admin Portal
5. You may opt to modify AppConnect security controls such as out-of-contact timeouts
Figure 54 - AppConnect Security, MobileIron Admin Portal
6. Specify the app check-in interval and the default end-user message for when an app is not authorized by default
Note: The app check-in interval is independent of the MDM check-in timer and controls, and apps cannot be forced to check-in before the interval expires. The recommended configuration for the app check-in interval is 60 minutes.
Figure 55 – App Authorization, MobileIron Admin Portal
7. You can configure whether AppConnect apps with no AppConnect container policy are authorized by default in addition to other data loss prevention settings.
Figure 56 – Data Loss Prevention policies, MobileIron Admin Portal
4.3. 3 Configure a new AppConnect container policy
An AppConnect container policy specifies data loss protection policies for the app. The AppConnect container policy is required for an application to be authorized unless the AppConnect global policy allows apps without a container policy to be authorized. Such apps get their data loss protection policies from the AppConnect global policy.
Details about each field are in the AppConnect chapter of the MobileIron Core Administration Guide.
To configure an AppConnect container policy:
1. On the MobileIron Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > Container Policy.
Figure 57 – Creating a new configuration, MobileIron Admin Portal
2. Enter the Name, Description, and Application.
Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID (com.mindlinksoft.mindlinkmobile.mobileiron). You can find the bundle ID by going to Apps > App Distribution Library, and clicking to edit the app. The field Inventory Apps displays the bundle ID in parentheses.
Figure 58 – Creating a new AppConnect Container Policy, MobileIron Admin Portal
3. Configure the data loss protection policies according to your requirements.
Figure 59 – Data Loss Prevention policies, MobileIron Admin Portal
4.4. 4 Configuring MobileIron Tunnel
To ensure the MindLink Mobile for MobileIron app can function within your AppConnect enterprise workspace you must create a MobileIron Tunnel configuration.
4.4.1. 1 Prerequisites
In order to create a MobileIron Tunnel configuration the following prerequisites must be met.
- MobileIron Sentry (license required) must be deployed within the relevant environment and configured using the MobileIron Administration Portal.
- Configuration can be done by navigating to: Settings > Sentry (Configuration depends on the deployment environment and any potential associated restrictions)
- Please consult the MobileIron Administration guide/manual for deployment and configuration instructions for MobileIron Sentry.
4.4.2. 2 Configuration
To start configuring MobileIron Tunnel log into the MobileIron Administration Portal.
1. Using the menu bar, navigate to: ‘Policies & Configs’
Figure 60 – Policies & Configs, MobileIron Admin Portal
2. Create a VPN setting by selecting: Add New > VPN
Figure 61 - Add New VPN Configuration, MobileIron Admin Portal
3. For the fields displayed below to appear you must first select MobileIron Tunnel as your connection type.
Figure 62 - Configure VPN, MobileIron Admin Portal
4. Next select the Sentry to be used in this VPN configuration from the drop down menu. Please Note: A license is required to do this.
5. Select the Sentry Service (options will be displayed once a Sentry has been selected).
6. Select an Identity Certificate (choice of certificate type is dependent on the deployment environment and any potential restrictions). You may have to create a new Identity Certificate configuration specific to VPN, this process is described in the following section.
7. Additional (optional) configuration options include: Custom Data and iOS7 only configuration option to specify Safari domains.
8. The MobileIron Tunnel configuration must now be applied to the application; navigate to: Apps using the navigation bar.
9. Find the App you wish to apply the configuration to and click the edit icon.
10. Scroll down to find the option: ‘Per App VPN’
Figure 63 – Apply VPN configuration to App, MobileIron Admin Portal
11. Ensure that your configuration is in the ‘Selected’ column and click ‘Save’
12. Ensure that you apply your newly created VPN configuration to all relevant labels.
13. On the device, the next time the user checks in:
- The user will receive the latest MDM profile with the updated per App VPN settings
- The next time the app attempts to make a TCP connection or an HTTP request, the VPN is triggered; users will be able to see this in the status bar of their device.
4.5. 5 Configuring MobileIron AppTunnel
In order to configure the AppTunnel for iOS, you need to complete the following tasks:
1. Enable the AppTunnel on Core through the MobileIron Admin Portal
2. Enable the AppTunnel on the Standalone Sentry
3. Configure device and server authentication on the Standalone Sentry
4. Configure the Sentry with an AppTunnel service
5. Upload the app to MobileIron Core
6. Configure the AppTunnel service in the AppConnect app configuration
For detailed instructions on steps 1-5, refer to the ‘AppConnect and AppTunnel Guide’ on MobileIron’s Support Community website.
For step 6, follow the instructions below:
1. Using the menu bar, navigate to Policies & Configs > Configurations
Figure 1.4.5a - Policies & Configs, MobileIron Admin Portal
2. Select Add New > AppConnect > App Configuration
Figure 1.4.5b - Add new App Configuration
3. Enter a name for the AppConnect app configuration, for example MLM AppConnect.
4. In the Application field, fill in the bundle ID for the MindLink public app: com.mindlinksoft.mindlinkmobile.mobileiron
5. In the AppTunnel Rules section, click Add+ to add a new AppTunnel rule.
Figure 1.4.5c - Configure the AppTunnel rule
- SENTRY: Select the Sentry number from the drop-down list.
- SERVICE: Select the service that you configured in the AppTunnel Configuration section of the specified Sentry.
- URL WILDCARD: Enter a URL wildcard that matches the host name of the MindLink server, or the load balancer and each MindLink server if deployed as a pool.
- PORT: Enter the port number that the app requests to access. This should be the same as the configured port for the session service on the MindLink Management Tool.
- IDENTITY CERTIFICATE: Select the Certificate or the Certificate Enrollment setting that you created for app tunneling.
6. Click Save.
7. Select the new AppConnect app configuration from the list.
8. Select More Actions > Apply To Label > iOS > Apply
4.6. 6 Installing certificates through MobileIron Administration Portal
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
Installing certificates on devices that use the MobileIron version of MindLink Mobile must be done through the MobileIron Administration Portal.
1. Logon to your MobileIron Administration Portal
Figure 64 – MobileIron Admin Portal; Policies & Configs
2. Using the top navigation bar, click ‘Policies & Configs’
Figure 65 – Add certificate profile, MobileIron Admin Portal
3. Click ‘Add New’ and select ‘Certificates’
Figure 66 – Creating a new certificate setting, MobileIron Admin Portal
4. Fill in the fields of the New Certificate Setting and browse to the file location of the CA certificate.
5. Save the New Certificate Setting.
Figure 67 – Apply CA Certificate profile to label
6. Apply the newly created Certificate Setting to the desired label(s).
4.7. 7 Pre-configuring the username and server details
Figure 68– MobileIron Console
Start by navigating to the MobileIron console, here is where you will be able to make the changes required to directly affect the MindLink Mobile for MobileIron app.
Figure 69– Policies and Configs
Once you have clicked on 'Policies and Configs' you will be brought to a summary page of all the configurations currently set up on your console. For the purpose of this guide you will want to select the configuration that you have already created beforehand. Note that this is the configuration that will be pushed to the device, so you will want to make sure that it is applied to the correct label for your fleet of devices.
Figure 70– Configuration details
Once you've selected the appropriate configuration you will be presented with a summary of the details surrounding said configuration. In this case the details relate to the app tunnel configuration.
When you are ready to make changes click on 'Edit'
Figure 71– Editing configuration details
When you have clicked 'Edit' you will be brought to the above screen. Here you will notice the section 'App-Specific Configurations' this relates directly to the MindLink Mobile for MobileIron app. Here you can match specific key-value pairs (specific to your infrastructure) to the MindLink Mobile app. In the example above the key 'mlmServerUrl' is pointed towards a server running the MindLink Mobile service. You are also able to pre-configure the MLM log on name which can be seen in the screenshot below.
Figure 72– Device pre-configured username
As can be seen above, the following key (set on the console) has been pushed to the device, resulting in the pre-configured log on name. Note: the value can be any number of variables that MobileIron Core is capable of understanding (please refer to the AppConnect documentation). These variables are defined in the LDAP configuration for the Core server. This can be found under 'Services > LDAP'. For example, you could use the 'user ID' variable and have the samaccountname field attached to it; test1 is then pulled from the samaccountname field and matched via the $USERID$ variable, as can be seen in Figure 71.
5. 7 Airwatch Deployment
Figure 73 – Where to begin deployment
The above screenshot indicates where to begin deployment of MLM for AirWatch. Start by heading over to the AirWatch console, then click 'Add'.
Figure 74 – Adding the application
Once you have clicked 'Add' you will be presented with the window shown in the screenshot above, where you will want to choose the platform of deployment. In this case you will want to choose Apple iOS.
Figure 75 – Sourcing the MindLink for AirWatch app
To continue the deployment of the MindLink for Airwatch app you will want to select 'Search App Store'. From here you will want to enter 'MindLink for AirWatch'. Upon successfully doing this, you will be brought to the screenshot presented in Figure 140
Figure 76 – Pointing towards the application
The above is the screen you will be greeted with once you have pointed towards the application pathway by name. From here you will be able to configure information about the app, assignment groups and specifics regarding deployment.
Figure 77 – Assigning the app
To assign the app to the devices you will want to navigate towards the 'Apps and Books' section of the AW console
Figure 78 – Deploying the app
Here is where you will want to choose the assignment groups that will have the app 'pushed' down to the associated devices in the assignment groups. You will then get a preview of all the devices that will be affected by the assignment. This is a chance for you to review the deployment of MindLink for AirWatch.
5.1. 1 Creating the MindLink SDK Profile
To successfully administer the MindLink for AirWatch application you will need to create a MindLink-related SDK profile.
The following will walk you through the steps required to do this.
Figure 79 – Airwatch Console Header
You will want to start by navigating to the console header.
Figure 80 – Adding a new profile
Following Figure 80, click 'Add'; this will present the drop-down shown in the screenshot above. From here choose the 'Profile' option.
Figure 81 – Choosing platform
Once you have chosen to create a profile you will have a selection of platforms to choose from. For this guide we will be using Apple iOS.
Figure 82 – Configuring SDK Profile
As shown above from here you will be able to configure how the MindLink for AirWatch app is controlled. For example, you will be able to specify whether or not you want to enforce Data Loss Prevention policies which will then be reflected on the MindLink for AirWatch app. This should be created to reflect your company's administrative infrastructure.
5.2. 2 Enabling the App Tunnel at the SDK profile level
Figure 83 – Configuring the integrated tunnel
During creation of the MindLink for AirWatch SDK profile there is an option to configure an integrated tunnel provided by AirWatch. Assuming this is applicable to your organisation, the following will run through how this can be leveraged by the MindLink for AirWatch app.
Figure 84 – Enabling the AW integrated tunnel
In order to enable the AW integrated tunnel and thus have it applied to MLM for AW, you will want to navigate to the MindLink SDK that was created. From here, you will want to navigate down to the 'Proxy' tab. Simply tick 'Enable App Tunnel'. Once this has been done (by clicking 'Save'), the MindLink for AirWatch app will be leveraging the AirWatch integrated tunnel.
5.3. 3 Creating the per-app VPN profile
Figure 85 – Setting up the app specific VPN profile
To set up an app-specific VPN, click on the 'Devices' tab and, once it has opened, view the 'Profiles' section. As shown in the screenshot above, click 'Add' to set up the VPN.
Figure 86 – VPN configuration
Once you have successfully started the process to setup the profile you will be greeted with the screen as shown in the above screenshot. From here you will want to configure the VPN specific settings as per your administrative infrastructure.
Figure 87 – Turning the per-app VPN on or off
Once you have created the VPN profile, you can turn it on or off (depending on your administrative preferences) by going to the profile and then to the 'VPN' section, where you will want to tick the Per-App VPN rules so that by default MLM for AW will use the Per-App VPN as its means of connection.
5.4. 4 Applying the per-app VPN profile
Figure 88 – Where to apply the per-app VPN
To apply the per-app VPN to the app you will want to navigate to the apps and books section of the AirWatch console. From here you will want to select the MindLink app that you added earlier (section 5.5.)
To do this use the radio button to select the MindLink for AirWatch app that you would have selected during the deployment stage.
Figure 89 – Where to apply the per-app VPN -2
To assign the application, navigate to the top of the apps & books section, where you will find the 'Assign' button. Press it to begin the application of the per-app VPN.
Figure 90 – Choosing an assignment group
From here you will want to select the assignment groups that you wish the VPN to be applied to. This will of course depend on the administrative infrastructure within your organisation. Then click 'Add Assignment'.
Figure 91 – Adding an assignment
Once you have clicked on 'Add Assignment' you will be brought to the screen above. From here you will notice the 'Advanced' tab - this is where you will need to apply the app specific VPN profile that you created.
Figure 92 – Choosing the drop down
This is done by selecting from a drop-down. Assuming that you have configured your app-specific VPN correctly, this will 'push' the assignment down to the groups that were selected beforehand.
Figure 93 – Devices affected by assignment
Once you have selected the per-app VPN you will be brought to a screen similar to the one above whereupon you will be greeted with the list of devices affected by the assignment. This will be dependent on the assignment group you selected during the beginning of this process. However, this is a chance for you to review the potential changes that will be made.
5.5. 5 Managing Data Loss Prevention Policies
Figure 94 – Devices affected by assignment
To manage data loss prevention policies on the MindLink for AirWatch app you will want to start by enabling the ability to do so on the AirWatch console.
This can be seen in the above screenshot, where under 'Restrictions' you need to tick 'Enable Data Loss Prevention'.
Figure 95 – Devices affected by assignment
Once you have enabled data loss prevention, a number of options will be available to you. For example, enabling copy and paste on the AirWatch console will enable users to copy and paste on the MindLink for AirWatch app. Conversely, the expected behaviour if this is disabled is that the user will not be able to copy and paste, i.e. from outside of the MindLink for AirWatch app to within the MindLink for AirWatch app.
Ensure that any changes to be made are reflective of your company's administrative infrastructure.
5.6. 6 Pre-configuring the username and server details
Figure 96 – Beginning the assignment
To start, select the MindLink for AirWatch app under 'apps & books', choosing the app version that you added earlier. To do this, select the app via its radio button.
Figure 97 – Beginning the assignment
To assign the application, navigate to the top of the apps & books section, where you will find the 'Assign' button. Press it to begin the application of the per-app VPN.
Figure 98 – Beginning the assignment -2
To assign the application, navigate to the top of the apps & books section, where you will find the 'Assign' button. Press it to begin the application of the per-app VPN.
Figure 99 – Choosing the assignment group
To set up the pre-configured URL and log on name, you will want to correctly choose the assignment group you wish this policy to be 'pushed' to.
Any users in this assignment group from here onwards will have a pre-configured server URL to point towards and, if chosen, a pre-configured username on the MindLink for AirWatch app.
Figure 100 – Pre configuring the server and log on values
Here you are able to pre-configure the server details for the MindLink for AirWatch app. The values for this will depend on your setup, but here, for example, they are 'mlmServerUrl' and 'mlmLogOnName'.
Figure 101 – Device side
The above indicates the successful 'push' of the pre-configured values to the MindLink for AirWatch app.
6. 8 Citrix
Citrix requirements can be provided by your account manager.
2 Android Client
1. 1 Standard (‘Vanilla’)
1.1. 1 Downloading the app
Users must download the application from the Google Play store. Search for “MindLink” and install the app.
1.2. 2 Providing server address
When the MindLink Mobile app is launched for the first time, users will be prompted to enter the server details into the device. These details include the server address which points to the Web Service Port specified on MindLink Management Centre, under the MindLink Mobile tab.
Figure 102 – Request URL screen, MindLink Mobile
1.3. 3 Deploying internal certificates
If a certificate is issued by an internal certificate authority, then the authority’s root certificate should be deployed to each device. The certificate itself can be delivered to devices by email or by hosting it for download via the web.
2. 2 BlackBerry Secure Workspace
2.1. 1 Deployment through BlackBerry Enterprise Service 10
1. Using your browser navigate to your BlackBerry Enterprise Service – Please note: When using BES10 please navigate to BES10 – Universal Device Service.
Figure 103 – BlackBerry Enterprise Service 10 (BES10) Universal Device Service
2. Add the Play store app to BES10
3. Navigate to ‘Library’ on the top navigation bar
4. Click the ‘+’ icon on ‘Application Definitions’
5. Below on the right of ‘Application sources’ click the ‘+’ icon again.
6. Select ‘App store app’
Figure 104 – Upload an App store app, BES10
7. You will now be prompted to fill in the following fields as depicted in the image below.
Figure 105 – Creating a new application source, BES10
8. For ‘Application name’ fill in a useful name like: MindLink for SECTOR
9. For ‘Application version’, make sure it corresponds with the version available on Google Play store. Please Note: Do not use full stops, rather if the version number is for example, 3.3.0.5 enter: 3030005 instead (replace each full stop with a 0).
10. For ‘Application Identifier’ enter:
com.mindlinksoft.mindlinkmobile.SEC_APP
11. For ‘Secure Application’, tick the box.
12. For ‘Application web address’, fill in the entire Play store URL.
13. Create a new software configuration for the Android version of the MindLink Mobile client for SECTOR. Assign the application to the software configuration.
Figure 106 – Creating a new software configuration, BES10
14. Apply the software configuration from Step 3 to the user by clicking the ‘+’ icon and selecting the profile from the drop-down menu.
Figure 107 – Adding a software configuration to a user, BES10
15. Send an activation email to the user. The user will receive the activation email including the activation password and further instructions.
16. Download & install the BES12 Client (mobile) on the Android device from the Google Play store or instruct the user to do so (as well as follow the instructions from the activation email).
17. Open the BES12 Client (mobile) and enter the activation details received in the activation email.
18. After activation is complete the user will be requested to enter a Secure Work Space password. Additionally the user will be prompted to download any applications that have been specified for the user/group. This includes MindLink Mobile for SECTOR. (Please Note: After each application is downloaded the user may need to press the back button to initiate the next download).
2.2. 2 Installing Certificates through BES10
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 108 – Management Console; Certificates snap-in
2. Using your web browser navigate to the BlackBerry Enterprise Service 10 Universal Device Service and logon.
Figure 109 – BlackBerry Enterprise Service 10 (BES10), Universal Device Service (UDS)
3. Using the navigation menu above, select: Library
Figure 110 - BES10 UDS Menu
4. On the left hand side of your browser you will see various options, choose: CA certificate by clicking the “ + ” icon
Figure 111 – CA Certificate profiles
5. Enter a name and, optionally, a description for the certificate profile then browse to the location of the exported CA certificate and choose: Open
Figure 112 - Creating a new CA Certificate Profile
6. After creating the new CA Certificate Profile it must be applied to the relevant users/groups for the BES10 to push the profile onto any applicable devices. This is done by navigating to Users & Devices using the menu bar.
7. Depending on whether you want to apply the CA Certificate Profile to a user or to an entire group; click ‘All Users’ or ‘Groups’
Figure 113 – Applying a CA Certificate Profile to individual users or groups
8. Select the user or group you would like to apply the CA Certificate Profile to by clicking on it
9. The browser will transition to a group/user configuration screen where you can add IT policies and profiles to a group/user.
10. To apply a policy or profile, click the “ + ” icon.
Figure 114 – Applying IT policies and profiles to groups/users
11. From the drop-down menu, select: CA Certificate
Figure 115 – Drop-down menu, adding IT policies and profiles
12. You can now choose which CA Certificate profile you would like to apply
Figure 116 – Choose a CA Certificate profile to apply
2.3. 3 Deployment through BlackBerry Enterprise Service 12
1. Using your web browser, navigate to your BES12
Figure 117 – Logging on BlackBerry Enterprise Service 12 Administration Portal (BES12)
2. Using the navigation bar click ‘Apps’
Figure 118 – Navigation bar, BES12
3. Click the ‘Add an app’ icon
Figure 119 – Adding an app, BES12
4. You will now see a selection of locations to add an app from, please select Google Play (for Android).
Figure 120 – Select Google Play store, BES12
5. A window titled ‘Add Android apps’ will now appear as shown below.
Figure 121 – Adding Android apps, BES12
6. Fill in all required fields:
a. App name; give the app a relevant/useful name like MindLink Mobile SECTOR for Android
b. App icon; choose an icon for the app.
c. Add the Google Play store URL of the app
7. To finalize, press ‘Add’
8. The app should now appear in the ‘App Management’ screen in BES12
9. In order to deploy MindLink for Workspace to your mobile device you must assign the application to individual users or user groups.
a. To assign an app to individual users, proceed to the ‘Users and Devices’ tab.
b. To assign an app to groups, proceed to the ‘Groups’ tab.
10. For each user or group you wish to assign the application to, find and click the ‘+’ icon in the corresponding ‘App’ table to assign an app.
Figure 122 – Assigning apps, BES12
Clicking ‘Next’ will bring up the following options illustrated in the image below:
Figure 123 – Select app disposition, BES12
Users can now download the App from Google Play Store.
2.4. 4 Installing Certificates through BES12
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 124 – Management Console; Certificates snap-in
2. Once the certificate has been exported it must be uploaded to the BlackBerry Enterprise Server (BES12). Navigate to the Administration Portal of the relevant BES.
Figure 125 – Navigation bar, BES12
3. Once logged on the BlackBerry Enterprise Server (BES12), navigate to the ‘Policies and Profiles’ tab. After navigating to ‘Policies and Profiles’ there is a menu bar visible on the left of the page. In the list of menu items click ‘+’ next to ‘CA certificate’.
Figure 126 – Adding a CA certificate profile, BES12
Ensure the certificate has the file suffix .der; if not, simply rename the file extension, e.g. FileName.der
Also ensure that the relevant device operating system and certificate store have been selected before clicking the ‘Add’ button.
The CA certificate profile should now be visible on the BES12 and you can now assign the profile to various user groups or specific users. To do so navigate to either the ‘Users and Devices’ tab or ‘Groups’ tab.
4. For specific users;
a. For specific users simply click on the user you wish to assign the CA certificate profile to and then click the ‘+’ icon next to ‘IT policy and profiles’.
b. Select ‘CA certificate’ and locate the appropriate ‘CA certificate profile’ from the drop-down menu (Please note: If the CA certificate has already been applied to a user, this certificate will no longer appear in the drop-down menu).
c. The selected CA certificate profile should now be visible in the overview of IT policies and profiles applied to the specified user.
5. For groups;
a. Click the group for which you wish to apply the CA certificate profile.
b. Click the ‘Settings’ tab for that group.
c. Click the ‘+’ icon next to ‘IT policy and profiles’ and select ‘CA certificate profile’.
d. Select the appropriate CA certificate profile and press ‘Assign’.
Please note, as with the deployment of the MindLink Mobile client, it may take some time before the BES12 pushes the CA certificate profile on to the device(s).
3. 3 Android for Work
MindLink Mobile supports Android for Work deployments.
3.1. 1 Android for Work - Deployment
As of 16.8 MindLink supports the deployment of our mobile app through Android for Work. Before beginning the deployment process ensure that Android for Work is enabled.
To enable Android for Work, AirWatch administrators can leverage token-based setup by visiting the Google portal, verifying their domain and obtaining an EMM token for Android for Work. Administrators will then upload and verify the token in AirWatch.
Figure 127 – Apps & Books
Assuming the above has been done, to begin deployment through Android for Work you will want to head to the 'Apps & Books' section of the AirWatch console.
Figure 128 – List View
Once you have opened the 'Apps & Books' tab you will want to open the 'List View'. From here you will want to navigate to the 'Public' tab.
Figure 129 – Adding the application -1
Once you are ready to add the application, you will want to press the 'Add application' button as shown above.
Figure 130 – Adding the application -2
Once you have pressed the 'Add Application' button you will be presented with the above screen. Here you will want to select the 'Search App Store' option, this will search the Google Play Store for the MindLink Mobile app. Ensure that the chosen platform is Android.
Figure 131 – Adding the application -3
When the search result for 'MindLink' appears, click the 'Select' button. This will allow you to configure the various options for the application, such as deployment.
Figure 132 – Adding the application -4
Once you are happy with the configuration of the application deployment, you will want to ensure that the option 'Device must be MDM managed to install this App' is ticked. When this is selected, enrollment using Agent leverages the Android for Work functionality thus allowing you to manage the app through the AirWatch console.
3.2. 2 Creating the per-app VPN
Figure 133 – Creating the per app VPN -1
In order to begin leveraging an app specific VPN to Android for Work enabled MindLink, you will need to create a profile specific to your Android for Work deployment. This guide will walk you through the VPN section so as to enable MindLink to utilize an app specific VPN.
Figure 134 - Creating the per app VPN -2
Once you have clicked 'Add' you will want to choose the platform which in this case is 'Android'.
Figure 135 - Creating the per app VPN -3
When you have chosen your platform, you will want to select 'Android for Work' as shown above.
Figure 136 - Creating the per app VPN -4
Once you have reached this stage you can begin configuring the app-specific VPN. Note: the settings here will depend on your existing IT infrastructure and are as such custom to your organisation.
3.3. 3 Applying the per-app VPN
Figure 137 – Applying the per-app VPN - 1
By utilizing the AirWatch console you are able to enable an app-specific VPN configuration which will be applied to your Android for Work enabled MindLink Mobile app. To begin this process head to the 'Apps & Books' section of the AirWatch console.
Figure 138 – Applying the per-app VPN - 2
Once you have completed the above step, navigate to the 'Public' tab and look for the 'MindLink' app; under 'app source' you will want to look for Android for Work.
Figure 139 – Applying the per-app VPN - 3
Once you have located the application, click on the 'Edit' button. From here you will be able to enable the app-specific VPN which will be leveraged by the MindLink Android for Work enabled app.
Figure 140 – Applying the per-app VPN - 4
Once you have clicked 'Edit' you will be brought to the screen above. Navigate to the 'Deployment' tab, enable the 'Use VPN' option and then select the VPN-specific profile that you created earlier. Note: the profile used will be entirely dependent on your setup and organisational standards. Once this is done, assuming everything is set up correctly, Android for Work enabled MindLink will be leveraging the VPN profile you have created.
3.4. 4 Pre-configured server URL and log on name
Figure 141 – Pre-Configuring the server name and server details - 1
To pre-configure the MLM server URL and log on name, start by navigating to the 'Public' section of the 'Apps & books' feature and select the Android for Work enabled MindLink app. Once you have done this, navigate to the 'Deployment' tab; the above is what you will see once this is complete.
Figure 142 – Pre-Configuring the server name and server details - 2
Here you will notice the 'Send Application Configuration' check box. This is where you will be required to add your key-value pairs in order to allow MindLink to utilise a pre-configured server URL and/or a pre-configured log on name. To begin the process, tick this box.
Figure 143 – Pre-Configuring the server name and server details - 3
Once you have ticked 'Send Application Configuration' you will be presented with the above image. Depending on your administrative settings, you can assign key-value pairs to allow the MindLink app to utilize a pre-configured URL and/or a pre-configured log on name. Note: these pairs are custom to your deployment.
Figure 144 – Pre-Configuring the server name and server details - 4
As can be seen from above the pre-configured value that was applied has been successfully picked up by the device and has been displayed as such.
4. 2 BES12 Deployment
Coming Soon.
5. 3 Configuration
This section provides detailed explanations for various configuration options.
Once the MindLink Mobile Client has been deployed on the device, several settings can be configured during the initial launching of the MindLink Mobile Client, whilst other configuration options are available through the MindLink Mobile Management Tool. The MindLink Mobile Management Tool can be found on your Lync/MindLink Mobile server. The configuration options of the Management Tool are discussed in further detail in our Administration guide.
5.1. 1 Initial launching of the MindLink Mobile client
When launching the application for the first time you will be prompted to grant certain permissions to the app, followed by a Welcome screen where you can enter your server URL and configure additional settings.
After the BlackBerry Administration/Enterprise Service has successfully deployed the MindLink Mobile client to the device(s) the application logo will appear as shown below.
Figure 145 – MindLink application on the home screen
Clicking and accessing the application for the first time will prompt the user to grant the application certain permissions which are required to use the MindLink Mobile client.
After allowing the application the requested permissions the application will transition to the initialisation screen, and after successful initialisation, the login screen appears where the user may configure additional options such as automatic login, remember password and disable IM mode.
Figure 146 – Login screen, MindLink Mobile
If initialisation is not successful the user will receive an error. For more information about various errors, please consult the troubleshooting guide.
4 BlackBerry 10 Client
1. 1 BES10 Deployment
To upload MindLink Mobile to your BlackBerry Enterprise Server 10 please use the following steps:
1. Using your internet browser, navigate to the BES10 Administration Portal and use your Administrator credentials to log in.
Figure 147 – BlackBerry Enterprise Service 10 (BES10) Login Screen
2. Using the navigation on the left side of the webpage, go to Software > Applications > Add or update applications.
Figure 148 – Adding/Updating an application, BES10
3. Browse to the file location, select the MindLinkWorkspace.bar file and click ‘Next’
Figure 149 – Locating and selecting client file, BES10
4. To finalize; click > Publish application
Figure 150 – Publishing the application, BES10
5. Once the file has been successfully uploaded you can add/update the application to an existing software configuration, or create a new software configuration for the application.
a. To create a new software configuration, click on Software > Create a software configuration.
i. After clicking ‘Create a new software configuration’ you can give your new software configuration a name and enter a brief description.
ii. Press ‘Save’ to continue.
b. After creating a new software configuration or to update an existing software configuration click on Software > Manage a software configuration and select your software configuration.
i. Select the software configuration you wish to add the application to and then click ‘Edit software configuration’.
ii. Click the ‘Applications’ tab next to the ‘Configuration Information’ tab, followed by clicking ‘Add applications to software configuration’.
6. Locate the application you wish to add to the software configuration and mark the checkbox. Additionally you may select whether the application is either ‘Required’ or ‘Optional’. After selecting the desired settings; click ‘Add to software configuration’.
Figure 151 – Add application to software configuration, BES10
7. If the application has been updated in an existing software configuration, the configuration may already be applied to existing users and groups. If this is the case the MindLink Mobile client will be deployed once the configuration has been updated. Depending on your settings for deployment jobs it may take some time for deployment to occur.
8. The ‘Disposition’ you have selected for your users/user groups will affect the way the MindLink Mobile Client is deployed on each of the users’ devices.
a. Choosing ‘Optional’ will result in each user having to individually download the app onto their device using BlackBerry App World (for Work). Additionally, by choosing ‘Optional’ the user may also remove the application at their own discretion.
b. Choosing ‘Required’ will push/force the application onto the device directly. Please allow some time for this to occur. Users cannot uninstall the application; this is done remotely on the BES12.
9. If the application has been added to a new software configuration; the software configuration must be applied to a user or groups for the MindLink Mobile Client to deploy on the devices.
1.1. 1 Installing certificates through BES10
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 152 – Management Console; Certificates snap-in
2. Log onto the server hosting the BlackBerry Enterprise Service 10 (BES10)
3. Navigate to the C:\Program Files (x86)\Common Files\Research in Motion\ApplicationStore\Shared\Certificates\ENTERPRISE folder.
4. Place the exported certificate in this folder.
5. The BlackBerry Enterprise Service will monitor this folder and push the certificate out to the relevant devices.
2. 2 BES12 Deployment
To upload MindLink Mobile to your BlackBerry Enterprise Server 12 please use the following steps:
1. Using your internet browser, navigate to the BES12 Administration Portal and use your Administrator credentials to log in.
Figure 153 – Logging on BlackBerry Enterprise Service 12 Administration Portal (BES12)
2. Using the navigation bar, click on the ‘Apps’ tab.
Figure 154 – Navigation bar, BES12
3. Find and click the ‘+’ icon to add an application.
Figure 156 – Adding an app, BES12
4. Browse and locate the ‘MindLink for Workspace.bar’ file to upload it to BES12.
Figure 157 – Adding an internal app, BES12
5. Once the upload has completed it will appear as a listed app in the ‘App Management’ page.
Figure 158 – Application management, BES12
6. In order to deploy MindLink for Workspace to your mobile device you must assign the application to individual users or user groups.
a. To assign an app to individual users, proceed to the ‘Users and Devices’ tab.
b. To assign an app to groups, proceed to the ‘Groups’ tab.
7. For each user or group you wish to assign the application to, find and click the ‘+’ icon in the corresponding ‘App’ table to assign an app.
Figure 159 – Assigning an application, BES12
Clicking ‘Next’ will bring up the following options illustrated in the image below:
Figure 160 – Specify application disposition, BES12
8. The ‘Disposition’ you have selected for your users/user groups will affect the way the MindLink Mobile Client is deployed on each of the users’ devices.
a. Choosing ‘Optional’ will result in each user having to individually download the app onto their device using BlackBerry App World (for Work). Additionally, by choosing ‘Optional’ the user may also remove the application at their own discretion.
b. Choosing ‘Required’ will push/force the application onto the device directly. Please allow some time for this to occur. Users cannot uninstall the application; this is done remotely on the BES12.
9. Once the application has been deployed, depending on whether you have selected either ‘Optional’ or ‘Required’, you may be prompted to restart the device. If so, please restart the device before attempting to log on to the MindLink Mobile client.
2.1. 1 Installing certificates through BES12
If the MindLink Mobile server is secured with a certificate issued by an internal certificate authority (CA), the CA’s root certificate must be installed as a trusted root certificate on the device.
1. Export the required certificates from your certificate store using the Management Console (MMC) and store the file in a known, accessible location.
Figure 161 – Management Console; Certificates snap-in
2. Once the certificate has been exported it must be uploaded to the BlackBerry Enterprise Server (BES12). Navigate to the Administration Portal of the relevant BES.
Figure 162 – Navigation bar, BES12
Once logged on the BlackBerry Enterprise Server (BES12), navigate to the ‘Policies and Profiles’ tab. After navigating to ‘Policies and Profiles’ there is a menu bar visible on the left of the page. In the list of menu items click ‘+’ next to ‘CA certificate’.
Figure 163 – Adding a CA certificate profile, BES12
Ensure the certificate has the file suffix .der; if not, simply rename the file extension, e.g. FileName.der
Also ensure that the relevant device operating system and certificate store have been selected before clicking the ‘Add’ button.
The CA certificate profile should now be visible on the BES12 and you can now assign the profile to various user groups or specific users. To do so navigate to either the ‘Users and Devices’ tab or ‘Groups’ tab.
3. For specific users;
a. For specific users simply click on the user you wish to assign the CA certificate profile to and then click the ‘+’ icon next to ‘IT policy and profiles’.
b. Select ‘CA certificate’ and locate the appropriate ‘CA certificate profile’ from the drop-down menu (Please note: If the CA certificate has already been applied to a user, this certificate will no longer appear in the drop-down menu).
c. The selected CA certificate profile should now be visible in the overview of IT policies and profiles applied to the specified user.
4. For groups:
a. Click the group for which you wish to apply the CA certificate profile.
b. Click the ‘Settings’ tab for that group.
c. Click the ‘+’ icon next to ‘IT policy and profiles’ and select ‘CA certificate profile’.
d. Select the appropriate CA certificate profile and press ‘Assign’.
Please note, as with the deployment of the MindLink Mobile client, it may take some time before the BES12 pushes the CA certificate profile on to the device(s).
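Renaming a file to .der changes only its name, not its encoding, and the uploaded file becomes a trust anchor on every assigned device. The following check is an added example, not part of the MindLink or BlackBerry tooling: it reports whether an exported file is binary DER or a Base-64 (PEM) export, verifies the outer DER framing, and returns the SHA-256 value to compare with the one your CA administrator publishes. The sample bytes and file names are constructed placeholders, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(data):
    """True if data is exactly one DER SEQUENCE, the outer frame of an X.509 certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        header, length = 2, data[1]
    else:                                   # long form: low bits give the byte count
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def inspect_cert_file(data):
    """Report the real encoding of an exported certificate file and its SHA-256."""
    match = PEM_BLOCK.search(data)
    encoding, der = "der", data
    if match:                               # Base-64 export, whatever the suffix says
        encoding = "pem"
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except binascii.Error:
            der = b""
    framed = is_single_der_sequence(der)
    return {
        "encoding": encoding,
        "well_framed": framed,
        "der": der if framed else None,     # binary DER bytes, ready to write out
        "sha256": hashlib.sha256(der).hexdigest() if framed else None,
    }

# Constructed placeholder bytes with valid DER framing; NOT a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("RootCA.der", SAMPLE_DER), ("Renamed.der", SAMPLE_PEM)):
        info = inspect_cert_file(blob)
        print(name, info["encoding"], info["well_framed"], info["sha256"])
```

For a real export, pass the file's bytes (read in binary mode) to `inspect_cert_file`; if the result is `pem`, write the returned `der` bytes to the .der file instead of renaming.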
3. 3 Configuration
This section provides detailed explanations for various configuration options.
Once the MindLink Mobile Client has been deployed on the device, several settings can be configured during the initial launch of the MindLink Mobile Client, whilst other configuration options are available through the MindLink Mobile Management Tool. The MindLink Mobile Management Tool can be found on your Lync/MindLink Mobile server. The configuration options of the Management Tool are discussed in further detail in our Administration guide.
3.1. 1 Initial launching of the MindLink Mobile client
When launching the application for the first time you will be prompted to grant certain permissions to the app, followed by a Welcome screen where you can enter your server URL and configure additional settings.
After BES10/BES12 has successfully deployed the MindLink Mobile client to the device(s) the application logo will appear as shown below.
Figure 164 – MindLink application on the home screen
Clicking and accessing the application for the first time will prompt the user to grant the application certain permissions which are required to make optimal use of the MindLink Mobile client.
Figure 165 – MindLink application permissions
After allowing the application the requested permissions the application will transition to the Welcome screen where the user may enter the server URL and configure additional options such as Enabling Logging, Push notifications and timestamps.
Figure 166 – Request URL screen, MindLink Mobile
Once the server URL has been entered the user can press ‘Save and continue to login screen’. Upon doing so the MindLink Mobile client will initialise with the server; this will take a few moments. When initialisation with the server has completed successfully the login screen will be visible and users can start using the application. If initialisation is not successful the user will receive an error. For more information about various errors, please consult the troubleshooting guide.
5 Logging
As of 17.7 it is possible to enable/disable logging and have this leveraged through your MDM console of choice. The following will walk you through this.
5.1 Manual enabling/disabling logging
Settings should be immediately applied when enabling/disabling logging from the server settings view in the MindLink app. MindLink Mobile will need to be relaunched for these settings to be applied.
Figure 167 – Enable logging for iOS and Android
5.2 Controlling logging using managed configuration
5.2.1 Vanilla
Administrators can use any MDM console to apply the settings. While the app will not be managed by that MDM, administrators can still leverage a managed configuration within the MDM console. For example, in the AirWatch console this can be done through: Apps & Books > MindLink > Assign > All devices > Edit. Scroll down to 'Application Configuration' and enable the configuration as shown below.
Figure 168 – Logging keys
Administrators will be provided with an additional option to configure MindLink Mobile using key value pairs. The applicable keys for the logging settings are 'mlmDisableLogging' and 'mlmDisableVerboseLogging'. The corresponding values for the key value pairs should be set to Boolean. To disable logging or verbose logging, both values must be set to 'True'.
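A value typed as the text "True" is a string, not a Boolean, and a misspelled key is simply a different key. The following audit is an added example, not MindLink's own tooling: it assumes the application configuration can be exported from the MDM console as an XML property list (the form iOS managed app configuration takes) and checks the two logging keys named above. The sample configurations are constructed.

```python
import plistlib

LOGGING_KEYS = ("mlmDisableLogging", "mlmDisableVerboseLogging")

def audit_logging_config(plist_bytes):
    """Return a list of findings; an empty list means both keys are Boolean true."""
    config = plistlib.loads(plist_bytes)
    lowered = {k.lower(): k for k in config}
    findings = []
    for key in LOGGING_KEYS:
        if key not in config:
            near = lowered.get(key.lower())          # same name, different case?
            hint = f" (found '{near}', check the spelling)" if near else ""
            findings.append(f"{key}: missing{hint}")
        elif not isinstance(config[key], bool):      # e.g. <string>True</string>
            kind = type(config[key]).__name__
            findings.append(f"{key}: {kind} {config[key]!r}, expected Boolean")
        elif config[key] is False:
            findings.append(f"{key}: set to false")
    return findings

# Constructed sample exports (assumed plist form of the managed configuration).
GOOD_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mlmDisableLogging</key><true/>
  <key>mlmDisableVerboseLogging</key><true/>
</dict></plist>"""

BAD_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mlmDisableLogging</key><string>True</string>
  <key>mlmdisableverboselogging</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_logging_config(blob) or "OK")
```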
5.2.2 Blackberry (Good Console)
The administrator can 'Enable Logging' within the Blackberry Console (formerly known as Good Console) which will allow for the configuration of logging settings. This can be done through: Policies > Policies Sets > 'Policy name here' > Apps > App specific policies > MindLink Mobile > Configure Logging.
Figure 169 – Logging keys in the Good console
5.2.3 MobileIron Console
The administrator can 'enable logging' within MobileIron (MI) which will allow them to configure the logging settings. However, logging will always be enabled to some level within MobileIron. This can be done through: Policies & Configs > 'MindLink application policy name goes here' > Edit > App Specific Configuration, from this view the administrator can enable or disable logging.
Figure 170 – Logging keys in the MobileIron console
5.2.4 AirWatch Console
The administrator can 'enable logging' through the following steps: Groups & Settings > All Settings > Apps > Settings and Policies > Settings.
Figure 171 – Enabling Logging in the AirWatch console
5.3 Exporting log files
When logging on mobile devices we log to sandbox files that are created on the device, as well as to the device console. Each log file is written up to a size of 1MB, after which a new log file is created. Whenever file logging is enabled, the log files are created on the device and the logs are written to them. Exporting log files means sending these files from the device's storage to a recipient. Usually this will be done by exporting the log file through the native email application or through whichever mail application is compatible with the MDM in use.
5.3.1 Vanilla
When logging is enabled the logs button will be visible on the server settings page and on the server connection failure page. Clicking the export logs button will open a menu from which users can select from a list of apps.
5.3.2 Blackberry
Exporting in BlackBerry should only be possible through the Good Work application. Trying to export using this app should open up the email interface and create a template with the log files. If the Good Work application is not installed on the device, exporting logs will fail.
5.3.3 MobileIron
Trying to export the log files using an app not managed by MI will not be allowed. While logging is enabled the log button will be shown; if logging is disabled the button will be disabled. It will return an error stating there is no file. If logging is not enabled, log files will not be generated.
5.3.4 AirWatch
This can be found on the server details page or the about screen for the Android devices. When successful, users will be presented with a list of eligible apps from which the logs can be exported. Users are only able to select AirWatch-managed applications.