BYODPortal Product Guide

Transcription

BYODPortal.com Product GuideVersion 2020.08.011MobileIron Confidential

ContentsOverview and Features . 4Getting Help . 4Core Server Requirements . 4On-Premise CORE Requirements . 4Connected Cloud CORE Requirements . 5End-User Requirements . 6Creating A New BYODPortal.com Company Account . 6Configuration and End User Usage . 7Accessing the Portal . 7Portal Administration – BYODPortal.com (Cloud Service) . 7Logging In To the Admin Portal . 7Logging In To the Admin Portal For The First Time . 7Section: Portal Status & Reports . 8Section: Your Account Settings. 8Converting a Trial Portal Account to Your Subscription . 9Configuring a Custom Domain Name (CNAME) . 9Section: MobileIron CORE / Connected Cloud Settings. 10Section: Your Portal Preferences . 11Section: Terms of Service. 17Further Customizations . 19Section: Custom Branding / CSS. 20Section: Single Sign On Integration via SAML2 . 22Section: Integrations . 24End User Usage – Registering a Device . 25Accessing With an Unsupported Device . 25Registration Screen . 27Terms of Service Acknowledgment . 28Final Registration Steps . 29Pending Registrations . 32Too Many Devices (Limiting Number of Devices per user) . 32Registering via a QR Code . 33BYO.ME . 332MobileIron Confidential

End User Usage – Managing Your Own Devices . 34Logging In To the Portal. 34The Device Management Screen . 34Multi-User / Shared Device Scenarios . 39Customizing BYODPortal Workflow or Adding Your Own Logic . 39Embedding the BYOD Portal In Your Website . 39Running the BYOD Portal Update Set for ServiceNow. 39Downloading the Update Set for ServiceNow . 40For BYODPortal.com Customers: . 40For Onpremise BYOD Portal Customers: . 40Installing the Update Set for ServiceNow . 40Configuring the Update Set for ServiceNow . 42For BYODPortal.com Customers: . 43For Onpremise BYOD Portal Customers: . 43Configuring BYOD Portal . 44Using the BYOD Portal Update Set for ServiceNow . 44Managing Devices . 44Enrolling A New Device . 46Running BYODPortal On-Premise . 50System Requirements . 50Server OS and Software Requirements. 50Server Hardware Requirements . 50Installation . 50Portal Administration (On-Premise) . 52Setup and Preferences . 52Custom Workflow and Code Changes . 52Upgrading The On-Premise Code . 52Release Notes . 533MobileIron Confidential

Overview and FeaturesBYODPortal.com is a SAAS based solution meant to enhance and extend an organizations existing MDMinvestment. With the service a user can create a custom self-service device management experience fortheir end users, allowing users to easily register and manage their corporate connected devices, bothBYOD or corporate liable.The solution works with your existing MobileIron Mobile Device Management solution (both on-premiseand cloud based MobileIron deployments). There is nothing more to install to use BYODPortal.comThe solution provides many key features around: Registration ControlSelf ServiceBranding & WorkflowSingle Sign OnIntegrationFully Customizable Open Code On premise Option (fully customizable workflow, integrations, etc.)And moreGetting HelpBYODPortal is supported by MobileIron Support. If you need product assistance, please contactMobileIron support or your sales account manager.Core Server RequirementsBYODPortal.com supports integration with MobileIron’s CORE Platform (on-premise deployments), aswell as MobileIron’s Connected Cloud offering (SAAS Based MDM).BYODPortal.com is currently compatible with the following MobileIron versions: Minimum 4.5.2.On-Premise CORE RequirementsThe following is needed in order for BYODPortal.com to integrate with your MDM platformproperly: oNetwork Access to the MobileIron CORE’s My Phone@Work, Smartphone Manager, APIConnection, and iOS iReg URL portals. over port 443.Best practice is to create ACL’s on the MobileIron CORE that only allows access from theBYODPortal network to the MobileIron API and Employee portal and Admin Portal.4MobileIron Confidential

ooo Here is the list of BYOD Portal IP’s:54.164.10.146, 54.164.96.242. 54.84.11.118, 54.85.96.208, 54.88.124.155Also is best practice to disable self-registration rights on the MI Employee portal if youplan to allow users to still access the default employee portal. Otherwise only allowBYODPortal.com to access the employee portal via ACL.The picture below shows where in the CORE System portal to configure portal acl's.Recommended portals to restrict are the My Phone@Work, Smartphone Manager, APIConnection, and iOS iReg URL portals.A MobileIron account username/password that has API and FULL ADMIN rights toMobileIron.To be affective, your CORE must be set to PIN Only or PIN Username/Password. Do notuse Username/Password only registration to make sure in app registration is disabled.NOTE: PIN only based iReg/web based registration must be enabled to utilize SSOfeatures of BYOD Portal. Highly recommended to ensure PIN is turned on for iReg.Connected Cloud CORE RequirementsThe following is needed in order for BYODPortal.com to integrate with your Connected Cloudinstance: A MobileIron account username/password that has API and ADMIN rights toMobileIron.To be affective, your CORE must be set to PIN Only or PIN Username/Password. Do notuse Username/Password only registration to make sure in app registration is disabled.5MobileIron Confidential

NOTE: PIN only based iReg/web based registration must be enabled to utilize SSOfeatures of BYOD Portal. Highly recommended to ensure PIN is turned on for iReg.End-User RequirementsOnly thing an end user needs is a web browser. All major web browsers have been tested withBYODPortal.com. To register a device, an end user needs the USER PORTAL role assigned tohim/her in MobileIron. If USER PORTAL role is not applied, user can not register, but they canstill manage existing devices.Creating A New BYODPortal.com Company AccountTo use BYODPortal.com, you must first create an account for your organization. To do that, go to theBYODPortal.com home page and select the Create An New Account link. The most important part of theconfiguration is choosing your account name as it will be part of the URL that users use to register andmanage devices (i.e.: YOURCOMPANYNAME.byodportal.com).Account names and private URL’s are served on a first come, first serve basis. Follow the instructionsfrom that point forward. You will be asked to verify your email address. A BYODPortal.com staff membermay contact you to verify your information before your account is activated.Please note: If your organization has an active, licensed, subscription to byodportal.com, you areentitled to creating as many portal accounts as you wish during your subscription. When creating anaccount, be sure to enter in the Subscription Email address that was set up with your subscription.Your subscriber email address can be different than your administrator email address. When theaccount is created, the service will look to find a valid subscription under the subscriber email, andsend them a verification request.6MobileIron Confidential

Configuration and End User UsageAccessing the PortalThere are a few URL’s that will be used to access different parts of your portal: Admin Site URL:https:// YOUR ACCOUNT NAME .byodportal.com/adminThis is the address you as an administrator will use to configure and manage your portal.End User Self-Service Device Management:https:// YOUR ACCOUNT NAME .byodportal.com ORhttps:// YOUR ACCOUNT NAME .byodportal.com/manageThis is the address your users will use to login from their devices or desktops to manage theirdevices that are currently managed by your MDM.End User Self-Service Device Management:https:// YOUR ACCOUNT NAME .byodportal.com/regThis is the address your users will use to register a new device. This is accessed from the devicethey are trying to register.CNAME Support: If you configured a custom domain name to use with this service (see CNAMEsupport), your end users will access the service at http://yourdomain for the employee selfservice portal and http://yourdomain/reg for device registrations. The admin URL remains thesame as shown above.Portal Administration – BYODPortal.com (Cloud Service)Logging In To the Admin PortalThe admin will login to the admin URL (specified in the Accessing the Portal section of thisdocument). The username is the email address of the admin that was used when they createdthe account as well as the password.Logging In To the Admin Portal For The First TimeYour portal will be disabled until you finish configuring it. When you login for the first time, theportal will prompt you to finish configuring the items needed in order to enable it.7MobileIron Confidential

Section: Portal Status & ReportsIn this section you can see the status of your portal as well as run some reports including a 30day action/audit log, a Registration trend report over last 12 months, a device breakdown reportfrom your MDM solution, and a device info CSV export.Section: Your Account SettingsIn this section, you can manage your admin contact information as well as your company displayname. All your custom URL’s will show here as well.8MobileIron Confidential

Converting a Trial Portal Account to Your SubscriptionYou may convert a trial portal to production provided you have the subscriber email address foryour organization. Enter the email address in the Subscriber Email field and a verificationrequest will be sent to the company subscription contact. Once they verify the request via emailby clicking a link, the portal will be associated with your company account.Configuring a Custom Domain Name (CNAME)You may enter a custom domain name to be used with this portal. Requires you setup a CNAMErecord for that address to point to CNAME.BYODPORTAL.COM. Leave blank if no customdomain name will be used. If configured, your end users can use your custom domain to accessthe BYODPortal, and the BYODPortal.com domain will be replaced on all end user facing screenswith your custom domain (ie, "To register a new device go to http://companydomain/reg.")9MobileIron Confidential

Note: The address bar will redirect to a URL that still shows a byodportal.com address to avoidSSL certificate warnings.Section: MobileIron CORE / Connected Cloud SettingsIn this section, you specify specifics for your MDM server implementation. This includes yourimplementation type (onsite vs. cloud), your MDM URL and API user name and password.Connectivity will be tested upon saving the configuration.NOTE: The MDM Account entered MUST HAVE FULL ADMIN AND API rights to your CORE.Multiple/Conditional VSP/Cor/ Cloud ServersThe Core server entered above is the primary Core/VSP that is used for all end userauthentication and LDAP lookups. You have the ability to configure additional Core10MobileIron Confidential

servers and apply logic as to how you want devices spread across the cores by eitherround robin, device type (user agent), device ownership, or user LDAP group.Distribute which Core servers you want devices to enroll to by LDAP Group Name, byDevice User Agent Identifier (ie, entering 'contains' and 'iPad' would match the iPad'suser agent string), user ownership selection, or Random selection. If you choose the'Migrate' option, the portal will migrate users from that specified Core server by unenrolling all of their devices from the server specified to the proper new Core server.Setting Type and Logic only applies to device enrollment. Self service managementportal will automatically pull all devices for a user across all portals. Rules are run andmatched in the order they are entered. If a condition is not matched, then the defaultcore will be used to enroll the device. Admin username and password from the defaultCore server are used for all additional cores.Section: Your Portal PreferencesIn this section, you can customize your portal experience for your end users.11MobileIron Confidential

Enable and Disabling of Mange and Registration PortalsYou have the ability to use both the self service management portal and registration portal(default) or just one. Disabling the Manage Portal will redirect a user to the registration portal.Disabling the Registration portal will direct the user to the manage portal. Disabling both willshow a disabled message to the end user.Default Language and Language DetectionBYOD Portal supports 9 languages in both admin and end user portals. Languages supported areEnglish, Spanish, French, Italian, German, Japanese, Korean, Chinese Simplified, ChineseTraditional. By default, BYOD Portal will attempt to detect the default language of the end userdevice and display the appropriate language. Otherwise, the default Language will be chosen.If you wish to have everyone view the same language, regardless of the device language theyare accessing from, select the DETECT USER LANGUAGE option to OFF. This will force all users tothe default language selection.End User Helpdesk Contact InstructionsEnter in your IT helpdesk contact information so that end users can be directed what to do incase of any issues or questions they run into. This portion supports HTML. Videos can beembedded providing end users with video tutorials.12MobileIron Confidential

Max Number of DevicesChoose the maximum number of devices a user can have registered at any time. If the user isover that amount, they will be notified d

Network Access to the MobileIron CORE’s My Phone@Work, Smartphone Manager, API Connection, and iOS iReg URL portals. over port 443. o Best practice is to create ACL’s on the MobileIron CORE that only allows access from the BYODPortal network to the MobileIron API and Employee portal and Admin