MobileIron Integration

  • Question
  • Updated 1 year ago
  • Doesn't Need an Answer
Hi,

Currently in the process of integrating MobileIron and wondering if anyone has any experience, guidance or any literature on the process.

What I currently have is the 'Install Guide Extreme Connect 2016.pdf' which is very helpful in guiding me how to configure the API integration, the elements in MobileIron I need to configure and some of the customisation I can introduce to on-board devices like the 'Register with MobileIron' button.

Where I'm a little at a loss is configuring the Guest Web Registration piece. I assume I configure this as normal, but it's how to tie it into the MobileIron piece I'm stuck.

Think all I perhaps have to do is associate the various MobileIron End-system groups to the various stages of registration?

It's possible I could work it out but wanted to throw this out to the community to see if there was anything out there to assist me further?

Also, any additional documentation I can grab my hands on, as it's useful to read and at least be aware of what all my options might be.

Many thanks in advance.
Martin Flammia

Posted 1 year ago

Darin Seiler

We currently use MobileIron as our MDM but are getting rid of it and switching to Microsoft Intune MDM. We utilize OneFabric Connect as the API to interface MobileIron with our Extreme Access Control NAC. With Intune we won’t use OFConnect but will use the NAC utility to manage MAC addresses in NAC groups.
Pala, Zdenek, Employee

Microsoft Intune will be supported by Extreme Connect (OneFabricConnect) soon.
Darin Seiler

Any timeframe that you could share? We just got Intune in place so would love to try it when it is available.
Pala, Zdenek, Employee

Please contact me directly if you want to be “early adopter” even for testing = not production. We are searching for volunteers now :) so production extremely soon. :)

My contact is zpala&extreme...

Thx

Z.
Martin Flammia

Hi Darin,

You could be a useful source of information, as the customer I am currently working with is likely to be doing the same thing.

Is there anything you can share on how things are set up at your end to assist me in my endeavour, possibly any screenshots maybe?

Many thanks.
Darin Seiler

Martin Flammia

Hi Darin,

Thanks for taking the time to post the screenshots.

Thinking about this, it's probably easier than I thought. Perhaps all I need to do in NAC is just create some rules that test if the devices' MAC addresses are in the specific MobileIron End-System groups and apply the roles based on that.

The Web Registration just allows you to on-board a device through the registration page?

Guess that's all that's really to it once all the backend / API is set up?

Will be trying this soon, so will post my results.

Thanks.
Bin, Employee

Hello Martin,

Here is one YouTube video to introduce MobileIron Integration with ExtremeControl (Enterasys Mobile IAM).

https://www.youtube.com/watch?v=edilmWxSryE


Best regards,
Bin 
Martin Flammia

Thanks Bin.

Have been playing with this and the setup on the Extreme side seems pretty simple, in that I just needed to enable the MDM module in connect, put in the credentials to talk to the API and leave everything else as default.

Just created three rules in NAC as follows:

MDM Business -> End-System (Managed Mobile Devices Business) -> Allow Profile
MDM Personal -> End-System (Managed Mobile Devices Personal) -> Allow Profile
MDM Decommissioned -> (Managed Mobile Devices Decommissioned) -> Deny Profile

Also followed the instruction in the 'Install Guide Extreme Connect 2016' for setting up web registration for custom 'Register with MobileIron' button.

The problem I seem to be experiencing at the moment is what looks to be a rights issue on MobileIron. To validate that I used the 'Postman' addin in Chrome and simulated connecting to the MobileIron API.

To do that if you go to the link below inside Postman:

https://MDMSERVER/api/v1/dm/devices/

Set the Authorisation to type 'Basic Auth' and enter the username and password configured on MobileIron. Then go to the 'Headers' tab and enter the following:

"Accept" : "application/xml"

Once done, update request and send.

The problem I am then getting is the following:

<html>
    <body>
        <h2>HTTP Status 403 - Access is denied</h2>
        <h3>You are unauthorized to access this page.</h3>
    </body>
</html>

Some screenshots below. Have set the account in MobileIron to be able to use API. The MobileIron version is 9.4.

The Debug messages when enabled on the MDM module show the following error:

2017-10-06 11:34:46,816 ERROR [com.enterasys.fusion.modules.MobileIronHandler] org.xml.sax.SAXParseException; lineNumber: 10670; columnNumber: 31; An invalid XML character (Unicode: 0x17) was found in the element content of the document.





So if anyone is familiar with this issue, or has a step by step guide in how to setup API user rights / access for MobileIron v9.4 that might help?

If I finally get it working in the meantime I'll post the steps.

Thanks
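The post above reports two different failures: the 403 returned to the Postman request, and the SAXParseException (invalid XML character 0x17) in the MDM module's debug log. As an added example, not part of the original posts and not Extreme's or MobileIron's code, this Python sketch builds the same request and tells the two cases apart, locating any character XML 1.0 forbids by line and column. The function names and both sample bodies are assumptions constructed for illustration.

```python
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET

# Characters XML 1.0 forbids: everything outside #x9, #xA, #xD, #x20-#xD7FF,
# #xE000-#xFFFD and #x10000-#x10FFFF. 0x17 from the log line is one of them.
INVALID_XML_CHARS = re.compile(
    "[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

# Constructed sample bodies (hypothetical device data, not real API output).
SAMPLE_BODY = ("<devices>\n  <device>\n    <name>Phone\x17One</name>\n"
               "  </device>\n</devices>")
DENIED_BODY = "<html><body><h2>HTTP Status 403 - Access is denied</h2></body></html>"

def build_request(server, user, password):
    """The Postman test as a request object: Basic Auth, Accept: application/xml.
    Basic Auth is only base64-encoded, so the URL stays on https."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{server}/api/v1/dm/devices/",
        headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})

def find_invalid_chars(text):
    """Return (line, column, code point) for each character XML 1.0 forbids."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for m in INVALID_XML_CHARS.finditer(line):
            hits.append((lineno, m.start() + 1, ord(m.group())))
    return hits

def diagnose(status, body):
    """Separate the access-control failure from the malformed-XML failure."""
    if status == 403:
        return {"result": "access-denied", "invalid_chars": []}
    hits = find_invalid_chars(body)
    try:
        ET.fromstring(body)
    except ET.ParseError:
        return {"result": "unparseable-xml", "invalid_chars": hits}
    return {"result": "ok", "invalid_chars": hits}

if __name__ == "__main__":
    print(diagnose(403, DENIED_BODY))
    print(diagnose(200, SAMPLE_BODY))
```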
Bin, Employee

Hello Martin,

Thank you so much for your post.
I am not familiar with MobileIron Integration. So sorry that I could not help you more.

Kindly request you could keep posting your steps if you could find the solution.

Many thanks in advance.