
Druva Documentation

inSync for MobileIron FAQs

Overview

This topic contains answers to frequently asked questions on the inSync for MobileIron app.

Answers

Device compatibility matrix

What are the OS platforms and OS versions and devices with which the inSync for MobileIron app is compatible?

The following table lists the OS platforms, OS versions, and devices with which the inSync for MobileIron app is compatible.

OS     Versions                Compatible with
iOS    iOS 5, iOS 6, iOS 7     iPhone, iPad, and iPod touch

Which MobileIron server versions are compatible with the inSync for MobileIron app?

The inSync for MobileIron app is compatible with MobileIron server 5.5 or later.

Which inSync versions are compatible with the inSync for MobileIron app?

The inSync for MobileIron app is compatible with inSync 5.4.1 or later.

inSync for MobileIron and MobileIron Integration

How is MobileIron integrated with inSync?

The following diagram illustrates the workflows involved in the inSync for MobileIron app integration.

[Figure Mobile-Iron-Flows.jpg: inSync for MobileIron integration workflows (image not included)]

Admin workflow

On the MobileIron ADMIN PORTAL, the administrator performs the following steps:

  1. Add users and devices. You will also import the inSync for MobileIron app from the App Store. For more information on how to import the inSync for MobileIron app, see Import inSync for MobileIron app from the App Store.
  2. Create configuration and container policies. In the configuration policy, you specify the key-value pair required by the inSync for MobileIron to authenticate inSync users. In the container policy, you allow or restrict inSync users from sending print requests from their iOS devices, from performing a copy-and-paste operation from files within the inSync for MobileIron app to any other application, and from opening files by using other applications. For more information on how to create configuration policies, see Create and manage AppConnect configuration policies. For more information on how to create container policies, see Create and manage AppConnect container policies.
  3. Create a label and assign your policies to that label and then apply this label to a device. This step is required to silently activate the inSync for MobileIron app on user devices and to push policy updates on the inSync for MobileIron app without user intervention. For more information, see Create and manage labels.

User workflow

On the iOS device, the inSync users perform the following steps:

  1. Install MobileIron (from the App Store) on the iOS device.
  2. After initial MobileIron configuration, install the inSync for MobileIron app from Apps@Work Store.
  3. Open the inSync for MobileIron app on the iOS device.

For more information, see Install and configure the Mobile@Work client on an iOS device.

User authentication workflow

After inSync users install the inSync for MobileIron on their iOS device, the following communication and authentication process occurs:

  1. MobileIron communicates with the MobileIron Virtual Smartphone Platform Server for the configuration policy. During this process, the $EMAIL$ and $USERID$ values in the configuration policy are replaced with the actual Email ID and the user names of the inSync users.
  2. MobileIron then sends the configuration policy to the inSync for MobileIron app.
  3. The inSync for MobileIron app sends the Email ID and the IMD token to the inSync Master for verification.
  4. The inSync Master searches for the email ID. If the inSync Master finds a match, the user authentication for the inSync for MobileIron app is successful. If the inSync Master does not find a match for the email ID or if the IMD token does not match, the user authentication fails and the inSync mobile app login window appears.
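The variable substitution and verification in steps 1 to 4 above, as an added Python example that is not Druva's or MobileIron's code. The policy key names, the sample users and the IMD token value are constructed assumptions; only the $EMAIL$ and $USERID$ variables and the email plus IMD-token check come from the page.

```python
import hmac

# Constructed AppConnect configuration policy as an administrator might enter it on the
# MobileIron admin portal. The key names and the token value are assumptions for this
# example; only the $EMAIL$ and $USERID$ variables are from the page.
CONFIG_POLICY = {
    "insync_email": "$EMAIL$",
    "insync_userid": "$USERID$",
    "insync_imd_token": "constructed-imd-token",
}
MOBILEIRON_USERS = {"alice": "alice@example.com"}                     # MobileIron: user -> email
INSYNC_MASTER_USERS = {"alice@example.com": "constructed-imd-token"}  # inSync Master: email -> token


def render_policy(policy, userid, email):
    """Step 1: MobileIron replaces $EMAIL$ and $USERID$ with the enrolled user's real values."""
    return {key: value.replace("$EMAIL$", email).replace("$USERID$", userid)
            for key, value in policy.items()}


def master_verify(email, imd_token):
    """Step 4: the inSync Master looks up the email and compares the IMD token.

    Returns "authenticated" (silent activation) or "login_window" (fall back to the normal
    inSync mobile app login). The comparison is constant-time so a mismatch leaks nothing
    about the expected token."""
    expected = INSYNC_MASTER_USERS.get(email)
    if expected is None or not hmac.compare_digest(expected, imd_token):
        return "login_window"
    return "authenticated"


def activate(userid):
    """Steps 1 to 4 for one user enrolled in MobileIron. The rendered policy is what step 2
    delivers to the app, and its email and token are what steps 3 and 4 verify."""
    rendered = render_policy(CONFIG_POLICY, userid, MOBILEIRON_USERS[userid])
    return rendered, master_verify(rendered["insync_email"], rendered["insync_imd_token"])


if __name__ == "__main__":
    print(activate("alice"))
    print(master_verify("unknown@example.com", "constructed-imd-token"))
```

Both failure branches of step 4 (unknown email, wrong token) return the same result, which is the behaviour the page describes: the app falls back to the login window rather than reporting which check failed.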

How does MobileIron integration help?

MobileIron integration with the inSync for MobileIron app helps in many ways. A few benefits are as follows:

  • You can distribute the inSync for MobileIron app on multiple iOS devices.
  • You have granular control over print, copy-paste, and share features.
  • You can ensure compliance of security policies for users.
  • You have complete control on how users install, activate, and use the inSync for MobileIron app on their iOS devices.

inSync for MobileIron app deployment

Can we distribute the inSync for MobileIron app on multiple iOS devices?

Yes. You can distribute the inSync for MobileIron app on multiple iOS devices. For more information, see Create and manage AppConnect configuration policies. If you want to silently activate the inSync for MobileIron app on user devices, see Can users silently activate the inSync for MobileIron app?

Can users silently activate the inSync for MobileIron app?

Yes. After inSync users install the inSync for MobileIron app on their iOS device, the following communication and authentication process occurs:

  1. MobileIron communicates with the MobileIron Server for the configuration policy. During this process, the $EMAIL$ and $USERID$ values in the configuration policy are replaced with the actual Email ID and the user names of the inSync users.
  2. MobileIron then sends the configuration policy to the inSync for MobileIron app.
  3. The inSync for MobileIron app sends the Email ID and the IMD token to the inSync Master for verification.
  4. The inSync Master searches for the email ID. If the inSync Master finds a match, the user authentication for the inSync for MobileIron app is successful. If the inSync Master does not find a match for the email ID or if the IMD token does not match, the user authentication fails and the inSync mobile app login window appears.


Communication with Edge Server

inSync Private Cloud Editions: Elite, Enterprise

With Edge Server being accessible from public networks, how does inSync secure or limit the Edge Server to listen only to organization’s official devices (laptops and mobiles) installed with inSync Clients?
The following methods are used to ensure that Edge Servers only listen to authorized inSync Clients:

  • Authentication on each connection: When a client connects, the client is first authenticated by using its credentials and unique Device Token. If authentication fails, the connection from the Edge Server to the inSync Client is dropped.
  • inSync Client registration (first connection): The first time a client connects to the Edge Server, it is authenticated against the inSync Server by using its credentials and a unique Mass Deployment Token (MDT). If authentication succeeds, the client is registered and provided a unique Device Token.

To control which devices are allowed to register, the Mass Deployment Token is securely pushed to the client by using the following tools:
  • Mobile devices: Currently, MobileIron is supported.
  • Laptops/Desktops: Use mass deployment tools such as System Center Configuration Manager (SCCM).

How does the Edge Server identify and reject queries from non-Druva clients, for all device types?

The inSync Edge Server sits in a demilitarized zone (DMZ), outside your organization's firewall, and facilitates communication between the inSync Client and the inSync Server, or between the inSync Client and the inSync Storage Node. The inSync Server and Storage Nodes maintain an outbound connection to the Edge Server.

inSync Clients verify the SSL certificate of the Edge Server before sending data to the Edge Server. inSync Clients then create a connection with the Edge Server. The Edge Server listens for specific SSL requests on the configured port (default: 443). When the Edge Server receives a request from a device, a parameter validation is performed. Only requests that carry the right parameters in the correct format are passed through and sent to the inSync Server and Storage Node for authentication. This applies to all endpoints on the Windows, Mac, Linux, iOS, Android, and Windows Phone 8/8.1 platforms.

Once the inSync Client or mobile app is authenticated successfully, the Edge Server creates a secure tunnel from the inSync Client or mobile app to the inSync Server or Storage Node. If a client or mobile app does not have valid credentials, the device cannot communicate directly with the inSync Server or Storage Node, because the Edge Server itself terminates the connection. The Edge Server never initiates a connection to the inSync Server or Storage Node. The inSync Server and Storage Node initiate this connection with the Edge Server, and a unique shared key is used for this communication. This prevents any other device from masquerading as the Edge Server.

In an inSync On-Premise setup with Edge Server and MobileIron, is it possible for a device to make a connection directly with the Edge Server and then further with the Storage node and access the backup data?

It is possible if the inSync Client (that is, the device) is authenticated as an authorized client.

Each time a client needs to connect to the storage, it must first be authenticated against the inSync Server, via the Edge Server, by using the user credentials and the unique Device Token. Only after this can backup or data access proceed.

In an inSync On-Premise setup with Edge Server and MobileIron, can any device use the Edge Server as the entry point to the corporate network and access or manipulate resources in the intranet? What are the preventive measures for such scenarios?

No. The inSync Server and Storage Nodes initiate and maintain a secure outbound connection to the Edge Server. The Edge Server has no connection to anything else in the network other than the ability to proxy requests from inSync Clients to the inSync Server and Storage Nodes.

Additional security measures include:

  • A unique shared key is used between the Edge Server and the inSync Server and Storage Node. This prevents any other device from impersonating the Edge Server.
  • SSL certificate: inSync Clients verify the SSL certificate of the Edge Server before sending data to the Edge Server.
  • TLS v1.2: All communication uses TLS v1.2 with AES 256-bit encryption.
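The client-side checks listed above (certificate verified against a CA before any data is sent, TLS v1.2, AES-256), as an added Python example that is not Druva's client code. The CA file path, the host name and the helper names are assumptions; the settings themselves follow the page.

```python
import socket
import ssl


def edge_client_context(ca_file=None):
    """TLS context an inSync-style client would use toward the Edge Server.

    ca_file is the CA bundle that issued the Edge Server certificate (a constructed path
    in a real deployment); with None, the OS trust store is used instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # page: all communication uses TLS v1.2
    ctx.check_hostname = True                      # server name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED            # certificate must chain to a trusted CA
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the CA behind the Edge cert
    else:
        ctx.load_default_certs()
    # page: AES 256-bit. Restrict the TLS 1.2 suites to forward-secret AES-256 ones;
    # TLS 1.3 suites are configured separately by OpenSSL and are not affected here.
    ctx.set_ciphers("ECDHE+AES256:DHE+AES256")
    return ctx


def describe(ctx):
    """Settings a reviewer would check on the context before trusting the client build."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "aes256_suites": sum("AES256" in c["name"] for c in ctx.get_ciphers()),
    }


def connect_edge(host, port=443, ca_file=None):
    """Open the connection and return the verified certificate subject, or raise ssl.SSLError.

    A client that follows the page's rule sends nothing to the Edge Server unless this
    handshake, including certificate verification, has succeeded."""
    ctx = edge_client_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dict(pair[0] for pair in tls.getpeercert()["subject"])


if __name__ == "__main__":
    print(describe(edge_client_context()))
```

connect_edge needs a reachable host and is not exercised offline; describe(edge_client_context()) runs anywhere and is the self-check to keep in a client's test suite, since a context that silently drops to CERT_NONE or check_hostname=False is the usual way the man-in-the-middle protection the page relies on gets lost.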

To what extent can the inSync mobile app be integrated with MobileIron?

Druva is a MobileIron AppConnect partner and, through its integration with MobileIron, provides the following capabilities for iOS devices:

  1. Ensures that inSync client can only be used on mobile devices authorized by ST Micro.

    The inSync App can only be used on the mobile device if the MobileIron App is installed and has been authorized. If the user installs the inSync app on their personal device that is not authorized by MobileIron, it will not be able to connect to the inSync Servers. 

    If the mobile device is de-authorized by MobileIron, then the inSync App can no longer be used on that device.

  2. Control the functionality that is permitted on the inSync Mobile App

    MobileIron can be used to configure the following capabilities on the inSync App:

    • Enable/Disable copy, paste & print functionality
    • Whitelist which apps can access inSync files.

How does the inSync Client connect and authenticate to the inSync Server and Storage Nodes from the public network through the Edge Server?

The following section provides details about how data flows through the Edge Server and how inSync prevents connections from unauthorized inSync Clients.

  • How the Edge Server in the DMZ connects to the inSync Server and Storage Nodes
    1. The inSync Server and Storage Nodes initiate and maintain a secure TLS 1.2/AES-256 outbound connection to the Edge Server, by using the following:
      • A unique shared key is used for communication between the Edge Server, inSync Server, and Storage Nodes. This unique key prevents any threat from impersonating the Edge Server.
      • The Edge Server cannot initiate a connection to the inSync Server and Storage Nodes.
    2. When the inSync Client connects to inSync, the client creates a TLS 1.2/AES-256 connection to the Edge Server only.
      • The Edge Server certificate is checked against the CA (certification authority), which prevents a man-in-the-middle attack.
    3. The inSync Client is authorized by verifying the device token and credentials against the inSync Server. The authorization includes the following checks:
      • The Edge Server checks the format of the authentication call parameters before sending them to the inSync Server. If the format is not correct and the request does not appear to be from an authentic Druva client, the connection to the inSync Client is dropped.
      • If the authentication fails, the connection from the inSync Client to the Edge Server is immediately dropped.
    4. After authentication, all communication between the inSync Client, inSync Server, and Storage Node is authorized through the Edge Server.
  • Mass deployment of the inSync Client
    1. The inSync administrator generates a Mass Deployment Token (MDT) from the inSync Server.
    2. The inSync administrator uses automated installation tools to install the inSync Client and the client configuration information (for example, the MDT, IP addresses, and so on). The automated installation tools for the different devices are as follows:
      • Mobile devices (phones/tablets): MobileIron is currently supported by Druva.
      • Laptops: Any standard computer management and software deployment tool, for example, Microsoft System Center Configuration Manager (SCCM), Casper, and so on.
  • inSync Client registration when the client connects for the first time
    1. The inSync Client creates a TLS connection to the Edge Server.
      • The inSync Client also verifies the certificate of the Edge Server.
    2. The Edge Server authenticates the inSync Client against the inSync Server by using the client credentials and the Mass Deployment Token (MDT).
      • If the authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    3. The inSync Client is registered. Additional information about the inSync Client, including a unique hardware identifier, is saved by the inSync Server.
    4. The inSync Server generates a unique device token and sends the token to the inSync Client.
    5. The device token is securely saved by the inSync Client in the keychain for future authentication.
    6. The session is completed.
  • inSync Client authentication on later connections, after the client is registered
    1. The inSync Client initiates a TLS connection to the Edge Server.
      • The inSync Client also verifies the certificate of the Edge Server.
    2. The Edge Server authenticates the inSync Client against the inSync Server by using the inSync Client credentials and device token.
      • If the authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    3. The inSync Server returns an encrypted token and a pointer to the Storage Node assigned to the inSync Client.
      • The token is encrypted by using a shared key that only the inSync Server and Storage Nodes behind the firewall have.
      • The token is valid only for a short period of time, less than 2 minutes. Each time a session is started, a new token must be fetched from the inSync Server.
    4. The inSync Client initiates a new TLS connection to the Edge Server at the location of the client's Storage Node. It might be the same Edge Server if it is the same location.
    5. The Edge Server authenticates the inSync Client against the Storage Node by using the encrypted token.
      • If the authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    6. Data is securely exchanged between the inSync Client and the Edge Server.
    7. The session is completed.
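The registration and later-session flows just described, and the per-connection authentication from the "Communication with Edge Server" answer earlier on this page, as one added Python simulation. This is not Druva's code: the message shape (an "action" field plus parameters), the 32-hex-character shape of the MDT and device token, the sample user and clock values, and the modelling of the page's "encrypted token" as an HMAC-sealed string checked with the shared key are all assumptions; the roles (Edge Server validates format and proxies, inSync Server issues tokens, Storage Node checks the short-lived token, shared key never leaves the firewall) follow the page.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values. Per the page, the shared key lives only on the inSync Server and
# Storage Nodes behind the firewall; the Edge Server in the DMZ never holds it.
SHARED_KEY = b"constructed-shared-key-known-only-behind-the-firewall"
TOKEN_LIFETIME = 120                      # page: storage token valid for under 2 minutes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed shape of the MDT and device tokens


class InSyncServer:
    """Behind the firewall: checks credentials, MDT and device token; issues storage tokens."""
    def __init__(self, mdt, users):
        self.mdt = mdt          # Mass Deployment Token generated by the administrator
        self.users = users      # email -> password (constructed sample directory)
        self.devices = {}       # device token -> (email, hardware identifier)

    def register(self, email, password, mdt, hardware_id):
        # First connection: credentials and MDT must both check out before a token is issued.
        if self.users.get(email) != password or not hmac.compare_digest(mdt, self.mdt):
            return None
        token = secrets.token_hex(16)
        self.devices[token] = (email, hardware_id)
        return token

    def issue_storage_token(self, email, password, device_token, now):
        # Later connections: credentials and device token, then a short-lived storage token.
        owner = self.devices.get(device_token)
        if self.users.get(email) != password or owner is None or owner[0] != email:
            return None
        # Assumption: the page's "encrypted token" is modelled as an HMAC-sealed string.
        body = f"{device_token}:{int(now) + TOKEN_LIFETIME}"
        return f"{body}:{hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()}"


class StorageNode:
    """Behind the firewall: accepts a session only with a valid, unexpired storage token."""
    @staticmethod
    def verify(storage_token, now):
        parts = storage_token.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            return False
        expected = hmac.new(SHARED_KEY, f"{parts[0]}:{parts[1]}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(parts[2], expected) and now < int(parts[1])


class EdgeServer:
    """In the DMZ: checks parameter format, proxies to the server or Storage Node, and drops
    the connection on any failure. Holds neither user credentials nor the shared key."""
    REQUIRED = {  # action -> required parameters and the format each must match (assumed)
        "register": {"email": EMAIL_RE, "password": None, "mdt": HEX32_RE, "hardware_id": None},
        "auth": {"email": EMAIL_RE, "password": None, "device_token": HEX32_RE},
        "data": {"storage_token": None},
    }

    def __init__(self, server, storage):
        self.server, self.storage = server, storage

    def handle(self, req, now):
        spec = self.REQUIRED.get(req.get("action"))
        if spec is None or not all(isinstance(req.get(k), str) and (p is None or p.match(req[k]))
                                   for k, p in spec.items()):
            return ("dropped", "malformed request")      # never forwarded to the inSync Server
        if req["action"] == "register":
            tok = self.server.register(req["email"], req["password"], req["mdt"], req["hardware_id"])
            return ("ok", tok) if tok else ("dropped", "registration failed")
        if req["action"] == "auth":
            tok = self.server.issue_storage_token(req["email"], req["password"], req["device_token"], now)
            return ("ok", tok) if tok else ("dropped", "authentication failed")
        if self.storage.verify(req["storage_token"], now):
            return ("ok", "session established")
        return ("dropped", "storage token rejected")


def demo():
    mdt = "0123456789abcdef0123456789abcdef"                 # constructed MDT
    edge = EdgeServer(InSyncServer(mdt, {"alice@example.com": "constructed-pw"}), StorageNode())
    creds = {"email": "alice@example.com", "password": "constructed-pw"}
    t0 = 1_700_000_000                                      # constructed clock value
    r = {}
    r["bad_format"] = edge.handle({"action": "register", "email": "not-an-email"}, t0)
    r["bad_mdt"] = edge.handle({"action": "register", "mdt": "f" * 32, "hardware_id": "hw-1", **creds}, t0)
    r["register"], device_token = edge.handle({"action": "register", "mdt": mdt, "hardware_id": "hw-1", **creds}, t0)
    r["auth"], storage_token = edge.handle({"action": "auth", "device_token": device_token, **creds}, t0 + 10)
    r["data_fresh"] = edge.handle({"action": "data", "storage_token": storage_token}, t0 + 30)
    r["data_expired"] = edge.handle({"action": "data", "storage_token": storage_token}, t0 + 200)
    tampered = storage_token[:-1] + ("0" if storage_token[-1] != "0" else "1")
    r["data_tampered"] = edge.handle({"action": "data", "storage_token": tampered}, t0 + 30)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Running demo() walks the three outcomes the page cares about: a request that fails the Edge Server's format check never reaches the inSync Server, a correct-looking MDT that does not match is refused at registration, and a storage token is accepted only while unexpired and unmodified, so a token captured from one session is useless for the next.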
