MobileIron Quick Integration Guidefor PacketFence version 7.4.0

MobileIron Quick Integration Guideby Inverse Inc.Version 7.4.0 - Jan 2018Copyright 2014 Inverse inc.Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-CoverTexts. A copy of the license is included in the section entitled "GNU Free Documentation License".The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: Łukasz Dziedzic,, with Reserved Font Name: "Lato".Copyright Raph Levien,, with Reserved Font Name: "Inconsolata".

Table of ContentsAbout this Guide .Assumptions .Quick installation .Step 1: Configure MobileIron .Step 2: Create an API user .Step 3: Gather the boarding host .Step 4: Configure PacketFence .Step 5: Add the necessary passthroughs .Step 6: Test .Copyright 2014 Inverse inc.123346689iii

Chapter 1About this GuideThis guide has been created in order to help sales engineers, product managers, or networkspecialists demonstrate the PacketFence capabilities on-site with an existing or potential customer.It can also provide guidelines to setup a proof of concept for a potential PacketFence deploymentusing the MobileIron mobile device manager.Copyright 2014 Inverse inc.About this Guide1

Chapter 2Assumptions You have a configured PacketFence environment with working test equipment; You have access to a MobileIron cloud account.Copyright 2014 Inverse inc.Assumptions2

Chapter 3Quick installationStep 1: Configure MobileIronFirst of all you will need to configure the basic functionality of MobileIron using their documentation.MDM profileOne important step is to enable the MDM profile like in this screenshot. Note that this will requireyou to create an MDM certificate with Apple. Refer to the MobileIron documentation for specificsabout this step.Copyright 2014 Inverse inc.Quick installation3

Chapter 3Step 2: Create an API userNext, we will need a user that has the rights to access the MobileIron API in order to verify thestate of the devices directly from PacketFence.First go in the USERS & DEVICES tab and then in Users and click Add local user.Now enter the information about your user and note the user ID and password for usage in thePacketFence configuration, then hit Save.Copyright 2014 Inverse inc.Quick installation4

Chapter 3Now go in the ADMIN tab, check the box next to your newly created user and then in Actions selectAssign to Space.Select the Global space at the top and then check API at the bottom. You should now see API inthe roles list of your newly created user when viewing the users list.Copyright 2014 Inverse inc.Quick installation5

Chapter 3Step 3: Gather the boarding hostTo find the boarding host, add a fake device to MobileIron and at the end of the process you willsee the registration instructions.In it you will find the boarding host and port for the PacketFence configuration. In this case, theboarding host is and the boarding port is 50291.Step 4: Configure PacketFenceIn PacketFence, MDM are referred to as provisioners. This will walk you through adding MobileIronas a provisioner.Create the provisionerLogin in the PacketFence administration interface, then go in the Configuration tab, then inProvisioners. Click Add provisioner then select mobileiron.Copyright 2014 Inverse inc.Quick installation6

Chapter 3Now configure this new provisioner with the information you got above. The Provisioning ID is the friendly name of the provisioner.The Username is the user you created with API access above.The password is the password of the API user.The host is the domain name of the instance your account name if you have a cloud account(ex: Now add the download URI for the agent. See below for more details. The Boarding host is the host that you got in step 3. The Boarding port is the port that you got in step 3.Here are the URIs that should work by default. Replace accountName by your real account/instancename at MobileIron. Android: tml IOS devices: Windows: ver/Discovery.svcAdd the provisioner to the connection profileIn order for the provisioner to be used by your captive portal you need to add it in its configuration.Go in Connection Profiles, then select the portal you want to modify and add mobileiron as aprovisioner.Copyright 2014 Inverse inc.Quick installation7

Chapter 3Step 5: Add the necessary passthroughsNext, still in the PacketFence administration console, go in Fencing in the left menu, then scroll thento Passthroughs.Check the Passthrough box above the field and add the following domains to the passthrough list.* 2014 Inverse inc.Quick installation8

Chapter 3Restart PacketFenceIn order to enable the boarding passthrough for the device enrollment, you will need to restart theiptables service of PacketFence.You can do this using the command line by doing /usr/local/pf/bin/pfcmd service iptables restart orin the administration interface under Status / Services.Step 6: TestYou can now test that MobileIron is mandatory after the device registration. Connect a deviceto your test network and register like you normally would. At the end of the registration processyou will be presented a page asking you to install the MobileIron on your device. After you installthe agent click Continue. If your access is enabled than this means the connectivity betweenPacketFence and MobileIron is good.Copyright 2014 Inverse inc.Quick installation9

MobileIron Quick Integration Guide by Inverse Inc. Version 7.4.0 - Jan 2018 . Now go in the ADMIN tab, check the box next to your newly created user and then in Actions select Assign to Space. Select the Global space at the top and then check API at File Size: 570KB