Mobile Device Management Testing: Setting up a basic Mobile Iron lab

Mobile device security is a hot topic for 2012 and some current industry leaders are Mobile Iron, AirwatchGood Technologies and Zenprise. There are two approaches to addressing mobile device security, which are a “sandbox” or “application management” approach (more info can be found HERE). My team found the majority of our customers prefer the application management approach offered by Mobile Iron and Airwatch. For those interested in evaluating Mobile Iron, below are some steps to setup a basic lab for testing functions such as remote wipe, policy enforcement, flagging jailbroken devices and other features.

Mobile Iron has two parts to their solution. There is a Mobile Iron VSP (management system) and Sentry (policy enforcement) server that can be a physical appliance or virtual server. The Sentry piece isn’t required but used 95% of the time since it enforces policies built by the VSP. A basic Mobile Iron lab will need ESX4.0 or greater, around 4GB of memory and 40GB of disk space. You can download a Mobile Iron ISO from Mobile Iron will need some ports opened for communicating to devices and data synchronization. Plan to open outside ports 8080 or 8443, 9997, 9998, 443, 2195 / 2196 and inside ports 25, 389 / 636, 9090, 443, 22 and 8443 depending on what services you will be testing. Ports can be changed on the main dashboard if needed.

After booting the Mobile Iron VSP for the first time, you will be prompted to enter basic network information (subnet, gateway, etc.). Fill out the requested information and wait for the VSP to boot up. Access your Mobile Iron system via the domain name you provided plus /admin (IE. mydomain/admin) and you will see a login. Login with the username and password specified during the initial build and you will see the following dashboard.Mobile Iron

You can add local users by clicking “Smartphone and users” or a LDAP (under LDAP) for user database integration. At the very top, there is a system link to configure management settings. Make sure to configure SMTP under email settings so you can test alerting. Verify and update basic network info that configured during the initial setup. You can also check for software updates under the maintenance tab.

For those testing Apple products, Mobile Iron recently added an enhanced certificate option that doesn’t require a  Apple development license to generate a cert (we learned this the hard way and paid the $299 weeks before the update). For users looking to test custom built applications, a developer license is required however labs testing basic functions such as managing existing apps via the app store, mobile security, etc. won’t need this. Create a certificate and upload it under Smartphones, Settings and Local Certificate Authorities. To read more on generating IOS certificates, go HERE.

At this point, you have a working Mobile Iron VSP and can register a test device a few different ways. One way is to click the Register button in the VSP and fill in the request page. An email will be send to the user you created explaining how to download the Mobile Iron application, server name, user name and password. A second way is to go the user GUI, which is your domain without /admin at the end. Users can log in and register their devices based on accounts created in the Mobile Iron VSP. A third way is having users find the Mobie Iron app using their mobile devices and filling out the server information that is sent via email requests from the VSP. Below are some pictures me registering devices


Labels are used to group device types and policies together. The default labels and new ones can be built under Smartphones & Users, Managed Labels. Policies are checks that can be performed on devices part of Labels. Policies can be found at Security & Policies, All Polices. Compliance Actions are what can be done if a Policy is violated (IE blocking or sending a alert if somebody violates the policy “Downloading Angry Birds”. Test out building a label and apply some policies to that label. Create a few Compliance Actions for each policy such as sending out alerts. Place some users under your test label and register a device. Below is a screenshot of testing a policy against Angry Birds on IOS devices.

This is a very brief crash course on Mobile Iron. Check out for more information on their solution. I’ll probably do a simliar post for those looking to test AirWatch in the near future. Happy New Year! 

VN:F [1.9.22_1171]
Rating: 3.0/5 (8 votes cast)
Mobile Device Management Testing: Setting up a basic Mobile Iron lab, 3.0 out of 5 based on 8 ratings

11 thoughts on “Mobile Device Management Testing: Setting up a basic Mobile Iron lab”

  1. Pretty well discussion!! I’m planning to utilize Mobile Iron because it’s requirement match with my basic expectation. Thanks for the information; it’s very useful for me. 🙂

    VA:F [1.9.22_1171]
    Rating: 2.0/5 (4 votes cast)
  2. Thanks for the walk through on Mobile Iron’s MDM Solution. For those looking into MDM, there are many factors to evaluate. Make sure that the MDM vendor you choose fits well with your IT solutions. There are other industry leading MDM solutions such as Fiberlink’s MaaS360 that offer cloud based MDM. I noticed that they were not provided in the vendors listed.

    VA:F [1.9.22_1171]
    Rating: 5.0/5 (1 vote cast)
    1. Agreed there are others as well. Sorry to any vendor that I missed

      VN:F [1.9.22_1171]
      Rating: 5.0/5 (1 vote cast)
  3. if you have the lab still installed, can you tell me if when you set up a wifi profile to be pushed the devices, can you import the identity certificate for WPAEnterprise wifi network? we have one identity certificate for our wifi and our current MDM does not allow it to be used. thanks.

    VA:F [1.9.22_1171]
    Rating: 1.0/5 (1 vote cast)
    1. Hey C Ireland,

      From my teammate Aamir Lakhani “MobileIron does let you achieve that particular configuration.

      In MDMs such as MobileIron you can use SCEP to distribute certificates from a remote server. Essentially you will need the URL for the CA server. You can also load the certificate directly on the device and distribute it thru the MDMs built-in CA.

      In newer versions, many MDM providers can tie directly into a Microsoft CA or PKI infrastructure as well.”

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
  4. Hello,

    I was curious to know if maybe you can help me out as far as installing MobileIron. We do not have a dedicated server for it. So I loaded VirtualBox and installed VMWare ESXi 5 on there. From that point I am not sure what to do. We are waiting for AT&T status call to move forward but I wish to gain some foot ground and knowledge how to setup and use the software for a smooth transition.

    Anything you can help with will be very much appreciate it.


    VA:F [1.9.22_1171]
    Rating: 1.0/5 (2 votes cast)
    1. Hi Clark. Check Mobile Iron’s website regarding the lastest specs however this post gives you most of it. You should be fine with ESXI 5 (we are using that). Just download the ISO and create a new machine from ISO. Give that machine enough juice to support the specs listed above and follow my guide for the initial setup.

      Are you looking for details around lighting up the ISO in ESXI or Mobile Iron config help?

      VN:F [1.9.22_1171]
      Rating: 1.0/5 (2 votes cast)
  5. MobileIron is the worst MDM solution i tested and saw in the market today.
    Unsecure in DMZ deployment, wich is not flexible, internal DMZ firewall is made a swiss cheese with al the ports that need to be open. and even get more swiss cheesed when you add monitoring, backup, notifications and more mngttask. VSP intercepts EAS traffic , never intercept EAS traffic from the EMAIL flow only with a mail relay or antivirus/intrusion if necessary. CAS/EDGE is leading, if you want to manage the authorization let CAS/EDGE handle it by for example powershell commands. Also HA functionality is very poor with Mobileiron so when VSP gets in front of CAS/EDGE you make you email infrastructure weak and unreliable. I can go on and on, but i think my point is made. Look for much better solutions, like Citrix Xenmobile, BlackBerry Enterprise Service 10 or VMWare Airwatch. Leaf Mobileiron out of scope.

    VA:F [1.9.22_1171]
    Rating: 3.3/5 (7 votes cast)
    1. ??
      EAS proxy is a viable option

      VA:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.