MobileIron Support. Table of Contents. 1. Introduction. 2. Supported Features. Version 1.1 - November 2015




MobileIron Support
Version 1.1 - November 2015

Table of Contents

1. Introduction
2. Supported Features
3. Relevant Components
4. Testing a Trial Version with AppConnect
5. Creating a Configuration on the MobileIron CORE
6. Creating a Container Policy on the MobileIron CORE
7. Assigning Labels to the Configuration and Container Policy
8. Activating the Teamwire App with AppConnect
9. Setting up Teamwire with a Sentry Instance in the MobileIron CORE

1. Introduction

Security, privacy, compliance and management are important questions that enterprises and IT are challenged to address with the proliferation of mobile devices. How can enterprise IT provide secure messaging and sharing on mobile devices for employees and teams?

To address this, MobileIron has partnered with grouptime GmbH, maker of Teamwire, the secure enterprise messaging app. Teamwire enables IT to provide their users with secure and managed access to a company-wide messaging service. The user gets a fast, easy to use and secure app for all their enterprise messaging needs, and IT can implement the security and management capabilities required by their organization. Whether a company has a BYOD (bring your own device) strategy, provides employees with mobile devices, or a mix of both, Teamwire can ensure secure messaging for all colleagues and teams company-wide.

2. Supported Features

Teamwire is available for the MobileIron AppConnect platform. The Teamwire app can be auto-configured and managed, along with other AppConnect-enabled apps, by AppConnect defined authorizations and policies.

Teamwire supports the following features of the MobileIron AppConnect platform:

Authorization
- IT configures via AppConnect whether or not the user of a mobile device is authorized to use the Teamwire app. If the use is authorized, AppConnect allows access to the app.
- In situations that cause an authorized user to become unauthorized, AppConnect unauthorizes the use of the Teamwire app.
- In situations that retire the Teamwire app, AppConnect unauthorizes the use of the app, and removes all data.
- If IT decides that the Teamwire app should not be managed via AppConnect anymore, the app gets retired (with content deletion). If AppConnect allows the use of unmanaged apps, then Teamwire could still run in unmanaged mode. At any time, if IT decides that the Teamwire app should be managed again, it can become re-managed via AppConnect.
- IT can set a registration token via AppConnect, which prevents the use of the Teamwire app on unmanaged devices.

Configuration
- IT can specify various values via AppConnect which will be used to auto-complete the registration of users for Teamwire.
- IT can configure which users this configuration applies to.
- IT can restrict various sharing features of the Teamwire app (e.g. disable sharing of photos, videos, locations, calendar dates or voice messages).

Container Policies
- IT can configure if the user has to authenticate with the AppConnect passcode.

- IT can restrict various capabilities of the Teamwire app (Copy/Paste, Open In, etc.).

3. Relevant Components

The following components are required in order for Teamwire to work with the MobileIron AppConnect platform:

- MobileIron Administration Platform (CORE) - A server-based console that allows the enterprise to enable client access to AppConnect-enabled apps, auto-configure those apps, create policies that govern app capabilities, and revoke access to or wipe AppConnect-enabled apps on specific devices.
- MobileIron Mobile@Work App - This app brokers the authentication, configuration and policies of AppConnect-enabled apps. It must be installed on the mobile device before AppConnect-enabled apps can be configured and managed.
- Teamwire iOS or Android App - The standard version of Teamwire for iOS, which is available on the iTunes App Store, or for Android, which is available on Google Play. The Teamwire app includes the ability to be configured and managed by AppConnect.
- MobileIron Web@Work App (optional) - This app is an enterprise mobile browser that enables end users to access internal web resources quickly and easily, using familiar processes with minimal setup. The native and high-fidelity web browsing experience is preserved without sacrificing security, as Web@Work protects the data on the device, both at rest and in motion.

4. Testing a Trial Version with AppConnect

If you want to test Teamwire with AppConnect, the process is pretty much the same as the regular trial of Teamwire. The Teamwire app is available as a free download. Please download and install the app on the mobile test devices. You need to have an AppConnect configuration created on your MobileIron Administration Platform (CORE) for the Teamwire app, before it can be auto-configured for access.

The mobile test devices also need to have the MobileIron Mobile@Work app installed before any AppConnect-enabled apps can be activated. When you are ready to activate the Teamwire clients with AppConnect, please proceed to the following sections of this document.

5. Creating a Configuration on the MobileIron CORE

First, please log into your MobileIron CORE web console and select the POLICIES & CONFIGS tab. Within "Configurations", click "Add New" and in the drop down menu select "AppConnect" > "Configuration". Then, please enter the following information within this new AppConnect app configuration:

- Name - This can be any name you would like (e.g. Teamwire User Data Autofill).
- Description - This can be any description you would like (e.g. Auto-complete registration of Teamwire with user's data).
- Application - This must be set to the bundle identifier of the Teamwire app, which is: com.teamwire.messenger

In addition to iOS, for the Android wrapped app delivered through the MobileIron Mobile@Work app you will have to create an additional configuration. However, in the Application field please use forgepond.com.teamwire.messenger as the app identifier. This means we need a separate configuration for the iOS and Android app, but with the same values.

On-Premise Server or Private Cloud Instance Configuration

This section allows you to set the hostname of an on-premise backend or a private cloud instance that will be used for the app.

- backendserverurl - Set this value to the server's hostname.

IMPORTANT:
- If you don't have an on-premise deployment or a private cloud instance, don't set this key. Also if the backendserverurl is set by DNS or other means, this value is not required.
- You must use the hostname only, without http(s)://

For example: backend.teamwire.eu

App-specific Configurations

This section further down in the window allows you to specify values that will be used to auto-complete the Teamwire registration for the users who this configuration applies to. You can enter the following keys:

- registrationfirstname - The value of this key will be inserted into the first name field in the Teamwire registration form. You can use a MobileIron variable to autocomplete this value with the user's first name. You must enter $FIRST_NAME$ in the corresponding value field.
- registrationfamilyname - The value of this key will be inserted into the family name field in the Teamwire registration form. You can use a MobileIron variable to autocomplete this value with the user's family name. You must enter $LAST_NAME$ in the corresponding value field.
- registrationphonenumber - The value of this key will be inserted into the phone number field in the Teamwire registration form. You can use a MobileIron variable to autocomplete this value with the user's phone number. You must enter $NULL$ in the corresponding value field.
- registrationemail - The value of this key will be inserted into the email field in the Teamwire registration form. You can use a MobileIron variable to autocomplete this value with the user's email address. You must enter $EMAIL$ in the corresponding value field.
- registrationtoken - The token prevents the use of the Teamwire app on unmanaged devices. Very important: Only set this key if you have entered the key in the Teamwire Administrator Portal in the field Registration Token beforehand. You must enter exactly the same alphanumeric key which you have entered and saved in the Teamwire Administrator Portal in the field Registration Token. Please see our Administrator Portal documentation for more information.

Finally, please click "Save".

IMPORTANT: Please be aware that all values and keys are case sensitive (see screenshot below).

If you would like to restrict the sharing capabilities of the Teamwire app, please enter the following keys in the App-specific Configurations:

- DisableLocationSharing - Set this to YES if you want to disable the sending of locations. Any other value or the setting missing will make this enabled.
- DisableVoiceRecording - Set this to YES if you want to disable the sending of voice messages. Any other value or the setting missing will make this enabled.
- DisableVideoSharing - Set this to YES if you want to disable the sending of videos. Any other value or the setting missing will make this enabled.
- DisablePictureSharing - Set this to YES if you want to disable the sending of photos (both taken with the camera and selected from the device's photo album). Any other value or the setting missing will make this enabled.
- DisableCalendarSharing - Set this to YES if you want to disable the sending of dates from the device's calendar. Any other value or the setting missing will make this enabled.
- DisableFileSharing - Set this to YES if you want to disable the sending of any files (e.g. via Box). Any other value or the setting missing will make this enabled.

Finally, please click "Save".
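As an added example (not part of the original guide and not MobileIron or Teamwire tooling), the following Python script lints a set of App-specific Configuration key-value pairs against the rules stated in this chapter: case-sensitive keys, Disable* settings that only take effect when the value is exactly YES, a bare hostname for backendserverurl and an alphanumeric registrationtoken. Key names are spelled as printed on this page, the two DisableAndroid* keys come from chapter 6, and the dictionary input format and sample values are constructed for illustration.

```python
import re

# Key names and values are spelled as printed on this page; both are case sensitive.
EXPECTED_VARIABLES = {
    "registrationfirstname": "$FIRST_NAME$",
    "registrationfamilyname": "$LAST_NAME$",
    "registrationphonenumber": "$NULL$",
    "registrationemail": "$EMAIL$",
}
DISABLE_KEYS = {
    "DisableLocationSharing", "DisableVoiceRecording", "DisableVideoSharing",
    "DisablePictureSharing", "DisableCalendarSharing", "DisableFileSharing",
    "DisableAndroidCopyPaste", "DisableAndroidOpenIn",
}
KNOWN_KEYS = set(EXPECTED_VARIABLES) | DISABLE_KEYS | {"backendserverurl", "registrationtoken"}
CANONICAL = {k.lower(): k for k in KNOWN_KEYS}

# A bare DNS hostname: dot-separated labels, no scheme, port or path.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def lint_config(config):
    """Return (key, problem) pairs for one App-specific Configuration (dict of str -> str)."""
    findings = []
    for key, value in config.items():
        canonical = CANONICAL.get(key.lower())
        if canonical is None:
            findings.append((key, "key is not one of those listed on the page"))
        elif key != canonical:
            findings.append((key, f"keys are case sensitive, expected {canonical}"))
        elif key in DISABLE_KEYS and value != "YES":
            # Fail-open case: anything other than the exact string YES leaves the feature on.
            findings.append((key, f"value {value!r} is not exactly YES, feature stays enabled"))
        elif key in EXPECTED_VARIABLES and value != EXPECTED_VARIABLES[key]:
            findings.append((key, f"page specifies the variable {EXPECTED_VARIABLES[key]}"))
        elif key == "backendserverurl" and not HOSTNAME_RE.fullmatch(value):
            findings.append((key, "must be the hostname only, without http(s)://"))
        elif key == "registrationtoken" and not re.fullmatch(r"[A-Za-z0-9]+", value):
            # The token itself is never echoed into the finding.
            findings.append((key, "token must be alphanumeric and match the Administrator Portal"))
    return findings


def effective_restrictions(config):
    """Disable* settings that actually take effect: exact key spelling and the exact value YES."""
    return sorted(k for k in DISABLE_KEYS if config.get(k) == "YES")


# Constructed sample: four mistakes that would silently weaken the intended policy.
SAMPLE_CONFIG = {
    "backendserverurl": "https://backend.teamwire.eu",  # scheme included
    "registrationemail": "$EMAIL$",
    "DisableLocationSharing": "YES",
    "DisableVideoSharing": "yes",        # wrong case in the value
    "disablefilesharing": "YES",         # wrong case in the key
    "registrationtoken": "abc-123",      # not alphanumeric
}

if __name__ == "__main__":
    for key, problem in lint_config(SAMPLE_CONFIG):
        print(f"{key}: {problem}")
    print("restrictions in effect:", effective_restrictions(SAMPLE_CONFIG))
```

Of the three sharing restrictions the sample intends, only DisableLocationSharing is actually in effect; the other two fail open because of casing.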

6. Creating a Container Policy on the MobileIron CORE

Please log into your MobileIron CORE web console's POLICIES & CONFIGS tab. Within "Configurations", click "Add New" and in the drop down menu select "AppConnect" > "Container Policy". Within this new AppConnect Container Policy, please enter the following information:

- Name - This can be any name you would like (e.g. Teamwire Policies).
- Description - This can be any description you would like (e.g. Data loss prevention policies for the Teamwire app).
- Application - This must be set to the bundle identifier of the Teamwire app, which is: com.teamwire.messenger
- Exempt from AppConnect Passcode Policy - Please select this option, if you would like users to be able to open Teamwire without having to first authenticate with their AppConnect passcode.
- Print - Teamwire currently has no printing features, and thus messages and contents cannot be printed. Therefore this option is not selectable.
- Copy/Paste To - Please select this option, if you would like users to be allowed to copy and paste messages from Teamwire into other apps, which are not managed by AppConnect. If you allow copy and paste, you also enable the "Email Chat History" feature of the Teamwire app. (If you don't allow Copy/Paste To on iOS, you should add an App-specific Configuration - see chapter 5 above - to achieve the same compliance on Android: DisableAndroidCopyPaste - set this to YES if you would like users to be disallowed to copy and paste messages from Teamwire into other apps, and to be disallowed to use the "Email Chat History" feature. Any other value or the setting missing will make these enabled.)
- Open In - Please select this option, if you would like to allow Teamwire users to open documents into other applications on the device. If selected, this option will also allow you to specify a list of specific apps that are allowed. (If you don't allow Open In on iOS, you should add an App-specific Configuration - see chapter 5 above - to achieve the same compliance on Android: DisableAndroidOpenIn - set this to YES if you would like users to be disallowed to open web pages in an external browser. Any other value or the setting missing will make this enabled.)
- Screen Capture - For iOS this option is not yet supported in the AppConnect SDK. In Teamwire, users will be allowed to perform screen captures, unless they are disabled on a device-wide level by their MDM configuration. For Android, please select this option, if you would like to allow Teamwire users to take screenshots.

Finally, please click "Save".

7. Assigning Labels to the Configuration and Container Policy

In order for the new configuration and policies to be applied to mobile devices, ensure that you assign the MobileIron labels for any required users to both the Configuration and the Container Policy. Please log into your MobileIron CORE web console's POLICIES & CONFIGS tab. Within "Configurations", select your Configuration and Container Policy. Then click "More Actions" and in the drop down menu select "Apply to Label". In the pop-up window, please select "iOS" and/or "Android", and confirm with "Apply".
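Chapters 5 and 6 together require two configurations (one per platform) with the same values, plus Android-only keys that mirror the Copy/Paste To and Open In options of the Container Policy. The following Python check for drift between the two is an added example, not part of the original guide or of any MobileIron tooling; the dictionary layout, the option names copy_paste_to and open_in, and the sample data are constructed for illustration.

```python
IOS_APP_ID = "com.teamwire.messenger"
ANDROID_APP_ID = "forgepond.com.teamwire.messenger"

# Container Policy option (hypothetical name) -> App-specific key that mirrors it on Android.
ANDROID_MIRROR_KEYS = {
    "copy_paste_to": "DisableAndroidCopyPaste",
    "open_in": "DisableAndroidOpenIn",
}


def parity_gaps(ios, android, container_policy):
    """Compare the iOS and Android configurations against the Container Policy.

    ios / android: {"application": str, "settings": {key: value}}
    container_policy: option name -> bool, True meaning the option is selected (allowed).
    Returns a list of human-readable gaps; values are never echoed, since one may be a token.
    """
    gaps = []
    if ios["application"] != IOS_APP_ID:
        gaps.append(f"iOS configuration must target {IOS_APP_ID}")
    if android["application"] != ANDROID_APP_ID:
        gaps.append(f"Android configuration must target {ANDROID_APP_ID}")

    # Both configurations carry the same values, apart from the Android-only mirror keys.
    mirror = set(ANDROID_MIRROR_KEYS.values())
    shared = (set(ios["settings"]) | set(android["settings"])) - mirror
    for key in sorted(shared):
        if ios["settings"].get(key) != android["settings"].get(key):
            gaps.append(f"{key}: value differs between the iOS and Android configurations")

    # An option left unselected in the Container Policy needs its Android key set to exactly YES.
    for option, key in ANDROID_MIRROR_KEYS.items():
        allowed = container_policy.get(option, False)
        if not allowed and android["settings"].get(key) != "YES":
            gaps.append(f"{option} is not allowed by the Container Policy but {key} is not YES")
    return gaps


# Constructed sample: copy/paste and Open In are both disallowed by the Container Policy.
SAMPLE_POLICY = {"copy_paste_to": False, "open_in": False}
SAMPLE_IOS = {
    "application": "com.teamwire.messenger",
    "settings": {"registrationemail": "$EMAIL$", "DisableFileSharing": "YES"},
}
SAMPLE_ANDROID = {
    "application": "com.teamwire.messenger",  # iOS identifier reused by mistake
    "settings": {"registrationemail": "$EMAIL$", "DisableAndroidCopyPaste": "YES"},
}

if __name__ == "__main__":
    for gap in parity_gaps(SAMPLE_IOS, SAMPLE_ANDROID, SAMPLE_POLICY):
        print(gap)
```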

8. Activating the Teamwire App with AppConnect

Once the Configuration and Container Policies have been set up on the MobileIron CORE, you are ready to install and configure Teamwire on the mobile devices.

8.1. Ensure Mobile@Work Is Installed and Configured

Before installing or activating Teamwire, please ensure that you have installed the MobileIron Mobile@Work app on your mobile device. This app serves as the conduit through which Teamwire communicates with the MobileIron CORE and receives AppConnect configuration, policies and commands. After Mobile@Work is installed, you must configure it with your user account information and the address of your CORE server. Once Mobile@Work is installed and configured, you're ready to move forward with Teamwire.

8.2. Install and Start Teamwire

You will need to download and install the Teamwire app for the first time from the App Store or Google Play. Once installed, start Teamwire. Teamwire will check for the presence of a configured Mobile@Work app, temporarily switch over to the Mobile@Work app, and then switch back to Teamwire.

If a valid Teamwire AppConnect Configuration is found, Teamwire will automatically present the user with the first screen of the Teamwire registration. Any fields included in the AppConnect configuration will be automatically filled out during the registration. The user will typically just have to enter their confirmation PIN (delivered via SMS) on the last screen of the registration. Once this is completed, the user will be ready to begin using the app, and the specified Container Policies will be applied.

If a valid Configuration for Teamwire does not exist on the CORE, the user will receive an error message or, in the case Mobile@Work is not installed, Teamwire will simply start up in its standard mode without AppConnect enabled.

8.3. Ongoing AppConnect Management of Teamwire App

Once Teamwire is being actively managed by AppConnect, any changes to the applicable Container Policy will be received by Teamwire when it checks in with the Mobile@Work app on its device. Also any changes to the authorization, revocation of access to the Teamwire app, etc. will be applied to the app the next time it checks in with the Mobile@Work app.

8.4 MobileIron Web@Work App (optional)

The MobileIron Web@Work App is optional: You should have it installed, if you have enabled the Open In setting and Web@Work at the same time (VPS: Settings -> Preferences -> Additional Products -> Enable Web@Work checkbox).

9. Setting up Teamwire with a Sentry Instance in the MobileIron CORE

In case you have a Sentry instance (set up by MobileIron or self-hosted) the following steps are needed in the CORE, so the Teamwire app can use it when communicating with the Teamwire backend (cloud or on-premise).

9.1 Configure a Local Certificate (Local CA)

1. Click on the "Settings" tab, and then click on the "Local CA" submenu.
2. Under the "Add" drop-down click "Generate Self Signed Cert". Fill out the values as shown below:
   - Local CA Name - A meaningful name for your certificate that will help you identify it later, if you have multiple certificates in use.
   - Key Length - 2048
   - Signature Algorithm - SHA256
   - Key Lifetime - 10950 (or default value)
   - Issuer Name - This has to be in the following format: CN=any_name
3. Click Generate. The default values of the Client Certificate Template screen should be enough for the certificate to be generated, but it can be modified based on your specific needs.
4. Click Save.
5. You will be returned to the Local CA screen and the new certificate will show up in the list. Click on the View Certificate link that belongs to the newly generated certificate, copy the whole text (including the headers) and save it in a text file.

9.2 Configure the Local SCEP

1. In the "Policies & Configs" sub-menu, click on the "Configurations" sub-menu, and select "Add New" > "Certificate Enrollment" > "Local". The "New Local Certificate Enrollment Setting" dialog will appear.
2. Fill in the settings as below:
   - Name - The name for the Local SCEP (any text)
   - Local CAs - Select the certificate generated above
   - Subject - This needs to be in the format CN=any_text
   - Signing - Checked
   - Encryption - Unchecked
   - Key Size - 2048
   - Signature Algorithm - SHA256

3. Click on the "Issue Test Certificate" button. The certificate information will be displayed. (Optionally save this text to a file.)
4. Click on "Save".

9.3 Enable the Sentry for AppTunneling

1. In the "Settings" menu, select the "Sentry" submenu.
2. Click on "Add New", then on "Standalone Sentry". The "New Standalone Sentry" dialog will appear:
   - Sentry Host Name / IP - Please use the hostname or IP of the Sentry instance. This should be provided by MobileIron or your IT Department in case of an on-premise instance.
   - Port - Normally the default value (9090) should be fine, but it might change depending on the installation. This should also be provided by MobileIron or your IT Department in case of a change.
3. Check the "Enable AppTunnel" option. A "Device Authentication Configuration" options group will appear:
   - Device Authentication - Please select Identity Certificate. Click on the Upload Certificate button and select the file saved earlier in the Configure a Local Certificate section.
4. In the "AppTunnel Configuration" options group, click on the "+" sign to add a service:
   - Service Name - Teamwire
   - Server Auth - Select Pass Through
   - Server List - If you use Teamwire's public cloud enter backend.teamwire.eu:443. If you have an on-premise installation or private cloud of Teamwire, your IT department should provide you with the hostname and the port. The format of this field has to be hostname:port
   - TLS Enabled - Checked

5. Save the new settings.

9.4 Add the Sentry Instance to the App Policy Configuration

1. In the "Policies & Configs" menu, select the "Configurations" submenu.
2. Select the Teamwire app whose configuration you wish to enable with the Sentry, and click the "Edit" button on the far right of the screen. The "Edit AppConnect Configuration" dialog will appear.
3. Below the AppTunnel rules, click the "Add/+" button and enter the following data:
   - SENTRY - Select your Sentry instance from the Enable the Sentry for AppTunneling section
   - SERVICE - Select Teamwire
   - URL WILDCARD - For the Teamwire public cloud use backend.teamwire.eu. For an on-premise installation or a private cloud your IT department should provide you with the hostname and the port (used below).
   - PORT - 443
   - Identity Certificate - Select the Local SCEP which you set up in the Configure the Local SCEP section.

IMPORTANT: If iOS and Android are in use, the Add the Sentry Instance to the App Policy Configuration step needs to be carried out for the configuration policies of iOS and Android.

About Teamwire: Teamwire is a fast, easy to use and secure enterprise messaging app. Teamwire improves the internal communication with colleagues and teams, and increases the productivity of businesses and large corporations. Users can send 1:1 and group messages, post status updates, exchange video and voice messages, and share calendar dates, files and much more with colleagues. Teamwire fully complies with strong German and European data protection needs and is a completely encrypted solution. The service can be easily managed for the whole organization and ensures company-wide compliance. Teamwire is available as a private cloud or an on-premise solution.

More information: www.teamwire.eu