Configure the Ivanti Neurons MDM for Android
Before you begin, follow the steps below to install the Identity Certificates and Trusted Certificates. Complete these steps in the user interface of the Ivanti Neurons Mobile Device Management (MDM, formerly MobileIron MDM) product.
- Configuration of the Root CA certificate
- Configuration of the Identity Certificate
To get Android devices configured and working with Ivanti Neurons, the Ivanti Neurons instance must be registered with Google EMM services. Once this is complete, follow the steps below to configure the Android VPN Client.
Configure the Android VPN Client
Then edit or add the configurations below.
Android enterprise (Android for Work) Configuration
The key point is to make sure it is enabled and ensure that it applies to devices in all spaces.
Managed Device with Work Profile Configuration
This is required for Android 8+ devices.
Ensure that it is enabled and set to distribute to the desired device classes (shown here as all devices, but it can be a custom list).
Android enterprise: Work Managed Device (Android for Work) Type: Work Managed Devices (Device Owner)
Enable this to test Work Managed Devices (this is what Supervised mode is called on Android).
Ensure that it is enabled and set to distribute to the desired device classes (shown here as all devices, but it can be a custom list).
Setting Default App Runtime Permissions
(As of this writing, it is unclear whether this is needed and whether it helps with automatically configuring the identity certificate in the VPN profile.)
Configure the App Catalog to include the Skyhigh Mobile Cloud Security Client
Navigate to the Application Catalog by clicking Apps in the top bar, then select Add to add the application. Change the source dropdown to Google Play and search for the client.
In production, search by the app name, which will be "Skyhigh Mobile Cloud Security".
Choose one or more categories and optionally enter a description. The description can be used to ensure you are seeing the version you intended on the device.
Ensure the app is delegated to all spaces.
Ensure the distribution is set to everyone or your target set of users by defining a custom distribution.
Click on the + button next to Managed Configurations for Android.
Enter the Skyhigh Secure Web Gateway Address: c<customer ID>.smcs.skyhigh.cloud
You can get this information from the certificate page.
The following information is required to configure an SMCS app in the MDM of your choice.
Enter a name for the configuration and set the Gateway Address, User Certificate, Remote ID, Local ID, and Excluded Subnets as required.
To set the user certificate, first click the icon next to the value shown above. This changes the control to a drop-down list. You can then change the value to the configuration name of the Identity Certificate you defined earlier.
Click on "Install Application configuration settings" and ensure that "Install on Device" is turned on. You can also use the optional silent install for KNOX and Zebra devices if you are using those.
Optionally, click on "Google Play Release" and set the desired release track (Production, Alpha or Beta). Leave this alone for most purposes.
Note that it takes Ivanti Neurons a few minutes to reflect the newly added app, after which it appears on the App Catalog screen. It may take a few hours for the app to appear on the devices.
Configure Always On VPN
This must be done after the app has been added to the App Catalog.
Navigate to Configurations on the MobileIron top bar. Click Add and then choose Always On VPN.
Choose the Skyhigh Mobile Cloud Security app by typing into the name field, then ensure that the distribution is set correctly and that the configuration is enabled.
Configure the Device
- Install the Ivanti Neurons GO app.
- Enter user credentials as provided by the administrator.
- The Skyhigh Mobile Cloud Security client will show up after a while, already configured, and the profile will be visible on the main screen.
- If Always On was configured, it will immediately connect and show connected status.