The IBM Connections Chat application on Android / iOS has the ability to be managed by MobileIron Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MobileIron Device Management, then you can skip this article. IBM Connections Chat will continue to run normally in environments that are not managed by MobileIron.
Minimum Requirements
The following components are required at the specified minimum levels.
IBM Connections Chat for Android:
- MobileIron AppConnect enabled version of IBM Connections Chat for Android
OR
IBM Connections Chat for iOS:
- MobileIron AppConnect enabled version of IBM Connections Chat for iOS
- Available for download from the Apple AppStore
AND
MobileIron:
- MobileIron Core version 7.5 or later
- MobileIron Sentry version 6.0 or later
- MobileIron Mobile@Work client version 7.5.x or later for Android OR MobileIron Mobile@Work application version 6.1.1 or later for iOS
- MobileIron Secure Apps 7.1.1 or later (Secure Apps Manager) for Android
Managed Application Management (MAM)
As described above, IBM Connections Chat can operate in two different modes: managed, where MobileIron Secure Apps Manager is in use and manages application security, and unmanaged, where an organization does not use MobileIron (or does not use it for managing applications). Depending on whether the environment is managed or unmanaged, the installation process for IBM Connections Chat will differ.
In an unmanaged environment, the user will simply download and install the standard edition of IBM Connections Chat from the Google Play store. In a managed environment, the user must first install the MobileIron Secure Apps Manager and use that app to download a securely wrapped version of IBM Connections Chat.
A user is able to download and install both the standard edition of IBM Connections Chat and the MobileIron wrapped version of Chat. However, data cannot be transferred between the two different applications. All chat history will remain with the application it was created with. The MobileIron wrapped version of Chat can be distinguished by the padlock symbol on the application's icon (Android only). If Connections Chat is properly being managed by MobileIron, a section will be added to the application's "About" screen. If there is a "Managing Agent" section, then Chat is in managed mode. If this section is absent from the "About" screen, then Chat is in unmanaged mode. This About screen feature is not currently supported on iOS.
Administration
The Policies, Users, and Devices are managed on the MobileIron Admin Portal.
Key Features of MobileIron for IBM Connections Chat
When a third-party application such as IBM Connections Chat is wrapped by MobileIron, the following security features can be enabled:
- set a timeout for single sign-on login across your managed applications
- enforce device compliance checks (e.g., checks for rooted or jailbroken devices)
- restrict copying to the device clipboard
- restrict screenshots within managed applications
- receive real-time alerts of compliance violations
- automatically deliver and update policies remotely to the application container based on user and device security posture
- automatically deliver and update configuration data to the application
Behavioral differences when IBM Connections Chat is in managed mode
When IBM Connections Chat is in managed mode, the application:
- may be affected by certain MobileIron policy restrictions such as use of the microphone or camera
- will not allow user modifications of server configurations, beyond user credentials, that are provided by the MobileIron configuration file
Data Security
In a MobileIron environment, managed apps like IBM Connections Chat are notified by MobileIron when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance, the device has been rooted, the user has left the company, etc. When this happens, IBM Connections Chat, like any other MobileIron managed application, will block the application UI and present the user with a message (determined by the administrator or MobileIron) explaining why the app is no longer available. Additionally, if required by the policy, the server configurations used by the IBM Connections Chat application and all local data will be erased.
Application Specific Configuration
A key feature of the MobileIron server is the ability for an administrator to upload an application specific configuration for each managed application. The contents of that configuration will be pushed to managed applications at initial startup or whenever the configuration is changed.
A configuration generally specifies connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration is optional but is highly encouraged so users with managed devices are up and running as soon as a managed application, such as IBM Connections Chat, is installed and started for the first time. Please see the table below for a list of all the possible configuration parameters supported by the IBM Connections Chat application.
The configuration parameters are specified as a series of key-value pairs. A few examples of the key and value strings are shown below:
com.ibm.mobile.chat.communityName = ACME Chat Server
com.ibm.mobile.chat.serverHostName = acme.chat.server.com
com.ibm.mobile.chat.ssl = false
All parameters specific to IBM Connections Chat must have keys that start with 'com.ibm.mobile.chat'.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file, then the default value for that parameter is assumed.
IBM Connections Chat Server Configuration Parameters
| Key | Value | Details |
|---|---|---|
| com.ibm.mobile.chat.communityName | Type: A text string; Default: N/A; Example: ACME Chat Server | This is the nickname for this configuration. This is how the server will be identified within the IBM Connections Chat application. Note: Always provide this parameter. |
| com.ibm.mobile.chat.serverURL | | This parameter is the fully qualified URL for the Chat server. It must contain the server address, URL scheme, and port number. Note: Always provide this parameter or the following two parameters: serverHostName and serverPort |
| com.ibm.mobile.chat.serverHostName | Type: A text string; Default: N/A; Example: acme.chat.server.com | This parameter is the URL used to access the IBM Connections Chat server. Note: Do not provide the URL scheme with this parameter. Note: Always provide this parameter if serverURL is not being used. If serverURL is being used, then do not provide this parameter. |
| com.ibm.mobile.chat.serverPort | Type: A number; Default: N/A; Example: 443 | This parameter is the port used to access the IBM Connections Chat server. Note: Always provide this parameter if serverURL is not being used. If serverURL is being used, then do not provide this parameter. |
| com.ibm.mobile.chat.ssl | Type: A boolean (true or false); Default: false; Example: true | This parameter is used to indicate whether the community should use a secure connection or not. Note: If serverURL is being used, then do not provide this parameter. |
| com.ibm.mobile.chat.allowUntrustedSSL | Type: A boolean (true or false); Default: false; Example: false | This parameter is used to indicate whether the community should allow untrusted SSL. Note: This parameter is only available if the 'ssl' parameter is set to true. Otherwise, this parameter will always be stored as false. |
| com.ibm.mobile.chat.user | Type: A text string; Default: N/A; Example: JohnDoe@acme.com | This parameter is used to authenticate the user with the chat server. As the MobileIron administrator, you are able to use a specific login username. However, MobileIron also provides the ability to substitute values that are specific to the individual user. The below three variables are available: $EMAIL$ - Will be replaced with the email associated with the MobileIron user. $USERID$ - Will be replaced with the user ID associated with the MobileIron user. |
| com.ibm.mobile.chat.password | Type: A text string; Default: N/A; Example: abc123 | This parameter is used to authenticate the user with the chat server. |
| com.ibm.mobile.chat.cloudCommunity | Type: A boolean (true or false); Default: false; Example: false | This parameter is used to indicate whether the community is a cloud community. Setting this parameter to 'true' will indicate that the configuration is a cloud community. Note: If community is a cloud community, some of these parameters are no longer applicable. Refer to the below section for configuring cloud communities. |
| com.ibm.mobile.chat.authProxyEnabled | Type: A boolean (true or false); Default: true; Example: true | This parameter is used to indicate whether the Chat application should attempt to login through an authenticating proxy. |
| com.ibm.mobile.chat.photoPort | Type: A number; Default: N/A; Example: 444 | This parameter is used to denote a separate port for providing contact photos to the application. |
| com.ibm.mobile.chat.authProxyReuseCredentials | Type: A boolean (true or false); Default: true; Example: true | This parameter is used to indicate whether the Chat application should reuse the basic username and password for the authenticating proxy. |
| com.ibm.mobile.chat.authProxyUser | Type: A text string; Default: N/A; Example: JohnDoe@acme.com | This parameter is used to specify a separate username for use with the authenticating proxy. |
| com.ibm.mobile.chat.authProxyPassword | Type: A text string; Default: N/A; Example: abc123 | This parameter is used to specify a separate password for use with the authenticating proxy. |
| com.ibm.mobile.chat.disablePasswordSave | Type: A boolean (true or false); Default: false; Example: true | This parameter is used to indicate to the application whether it should store the user's password or not. |
Configuring Multiple Chat Servers using a MobileIron Configuration
Some customers use more than one Chat server in their enterprise. For these scenarios, the administrator can configure additional communities by appending an index to the end of the parameter name for each additional community. The first community does not need this index, but each additional community will need its own index for association. For example, the administrator may create a configuration file with three communities. The first community simply specifies the parameters without an index. The second community could use the index of '2' and the third community could use the index of 'test'.
com.ibm.mobile.chat.serverURL = https://acme.chat.com:443
com.ibm.mobile.chat.serverName = ACME Chat Server
com.ibm.mobile.chat.allowUntrustedSSL = false
com.ibm.mobile.chat.serverHostName.2 = acme.2.chat.com
com.ibm.mobile.chat.serverPort.2 = 443
com.ibm.mobile.chat.ssl.2 = true
com.ibm.mobile.chat.serverName.2 = ACME 2nd Chat Server
com.ibm.mobile.chat.allowUntrustedSSL.2 = true
com.ibm.mobile.chat.serverURL.test = http://acme.test.chat.com:1080
com.ibm.mobile.chat.serverName.test = ACME Test Chat Server
com.ibm.mobile.chat.allowUntrustedSSL.test = false
If only one Chat server is being configured, the index is not required and the parameters can be specified as shown in the above table. All parameters for subsequent servers should use the same index per community. Parameters with matching indexes will be grouped together to create a single configuration.
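The grouping rule above can be checked before a configuration is uploaded. The following Python audit is an added example, not IBM or MobileIron code: it groups parameters by index suffix and flags communities whose settings weaken transport or credential protection. Splitting the key on the first '.' after the prefix and all function names are assumptions; the sample is this page's three-community example with the serverName lines omitted.

```python
from urllib.parse import urlsplit

PREFIX = "com.ibm.mobile.chat."

# The page's three-community example, serverName lines omitted (runs offline).
SAMPLE = """\
com.ibm.mobile.chat.serverURL = https://acme.chat.com:443
com.ibm.mobile.chat.allowUntrustedSSL = false
com.ibm.mobile.chat.serverHostName.2 = acme.2.chat.com
com.ibm.mobile.chat.serverPort.2 = 443
com.ibm.mobile.chat.ssl.2 = true
com.ibm.mobile.chat.allowUntrustedSSL.2 = true
com.ibm.mobile.chat.serverURL.test = http://acme.test.chat.com:1080
com.ibm.mobile.chat.allowUntrustedSSL.test = false
"""

def is_true(params, name):
    return params.get(name, "false").strip().lower() == "true"

def group_communities(text):
    """Group 'key = value' lines into {index: {param: value}}; '' is the first community."""
    groups = {}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key.startswith(PREFIX):
            continue  # not an IBM Connections Chat parameter
        # Assumption: the index is whatever follows the first '.' after the name.
        name, _, index = key[len(PREFIX):].partition(".")
        groups.setdefault(index, {})[name] = value
    return groups

def audit(params):
    """List the settings of one community that weaken transport or credential handling."""
    findings = []
    url = params.get("serverURL")
    if url is not None and urlsplit(url).scheme.lower() != "https":
        findings.append("serverURL is not https")
    if url is None and not is_true(params, "cloudCommunity") and not is_true(params, "ssl"):
        findings.append("ssl is false (the default)")
    if is_true(params, "allowUntrustedSSL"):
        findings.append("allowUntrustedSSL is true")
    if "password" in params or "authProxyPassword" in params:
        findings.append("password stored in configuration")
    return findings

def audit_config(text):
    return {index: audit(p) for index, p in group_communities(text).items()}

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

On the sample, the first community is clean, community '2' is flagged for accepting untrusted certificates, and community 'test' is flagged for a plain-HTTP serverURL.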
Modifying Chat Servers
Once a Chat server has been configured using the MobileIron configuration, it cannot be modified by the user via the application settings or URL configurations. The only exception to this rule is the user credentials. A user is able to modify both username and password. Due to this capability, any configuration updates for user credentials will be ignored by the application. Again, after the initial configuration is sent down to the device, the MobileIron administrator will be unable to push down any changes to user credentials.
Any community configurations that are sent down to the device by MobileIron are denoted as MDM configurations. If this configuration is ever removed from the configuration file, then it will be designated as an orphan community and immediately removed from the device.
Configuring the SmartCloud Chat Server
All the connectivity information needed for SmartCloud Chat is already known by the Connections Chat mobile client. However, the administrator may still want to manage the behavior of the client when using SmartCloud for Chat. This can be accomplished by specifying a configuration for the SmartCloud server in the MobileIron Configuration. In order to denote that a configuration is for SmartCloud, simply specify the cloudCommunity parameter as true:
com.ibm.mobile.chat.cloudCommunity = true
The actual SmartCloud data center used with this configuration will be determined by the com.ibm.mobile.chat.user parameter. If this parameter is not specified in the configuration file, the user will be prompted for credentials when attempting to login to the SmartCloud chat server. The ID the user provides will determine the data center to be used.
When configuring for a SmartCloud community, the following parameters are the only ones that will be recognized:
com.ibm.mobile.chat.communityName
com.ibm.mobile.chat.cloudCommunity
com.ibm.mobile.chat.user
com.ibm.mobile.chat.password
com.ibm.mobile.chat.disablePasswordSave
All other parameters will be ignored.