Qlik Sense® integration with MobileIron

    This article is a comprehensive guide on the current integration of Qlik Sense with MobileIron as at 31 March 2018.

     

    Recommendation:

    Qlik recommends that customers prove the operation of Safari and/or Web@Work Browser with their Enterprise Mobile Management (EMM) infrastructure, and familiarise themselves with the deployment and configuration of Qlik Sense Mobile without per-App VPN connectivity (AppConfig "mdm" property, QMC Security Rules). Ensure that MobileIron is iOS v11-ready [1] and using MobileIron Sentry v9 (or greater) to provide per-App VPN connectivity from browsers. The same per-App VPN connectivity is planned to be supported for Qlik Sense Mobile.

    Qlik Sense requires that clients and intermediate infrastructure support the websocket connectivity that is used between the Qlik Visualizations and the Qlik Sense Proxy service for retrieval of Associative datasets. Websockets are part of the HTML5 standard, but many proxy servers fail to support them; iOS v11 has resolved previous issues with routing websocket traffic via any per-App VPN. Remaining connectivity problems are now due to configuration/limitations of EMM and other network infrastructure. The following is a comprehensive guide on the current integration of Qlik Sense with MobileIron.

    MobileIron:

    MobileIron describe [1] several minimum requirements for their support of iOS v11, particularly:

    • MobileIron Go [2] v3.0
    • MobileIron Tunnel [3] v2.2.6
    • Web@Work Browser [4] v2.1

    [Figure: MobileIron.png]

     

    (A) The customer can use the SaaS MobileIron Cloud, or implement the MobileIron Core on-premises.

    (B) MobileIron Connector [5] is installed behind the firewalls, providing replication services from Active Directory to the SaaS Console. The software can be downloaded from the MobileIron Console.

    (C) The MobileIron Sentry is deployed in DMZ as the VPN gateway to private resources. The software can be downloaded from the MobileIron Console or instantiated from an Amazon EC2 AMI.

    (D) The mobile user performs Self-Service enrolment by installing MobileIron Go from iTunes and then browsing to https://mobileiron.com/go. MobileIron Go is the agent which MobileIron uses to manage the device.

    (E) Successful Enrolment will add the Enterprise AppStore App Catalog, which is where Managed Applications can be installed from instead of using the Apple App Store.

    (F) The MobileIron Tunnel VPN client may be automatically installed immediately after successful enrollment, or can be downloaded from the App Catalog. This will use an SSL Client Certificate (G) to perform Device Authentication to the MobileIron Sentry and create a Tunnel through which traffic from Managed Applications can reach private resources such as Qlik Sense.

    (G) Configuration details are delivered by MobileIron Go to iOS as "profiles". These are visible in the iOS Settings application. A profile may include Rules for which Browser uses the VPN to access which URLs, but also other features such as WebClips (URL Shortcuts), Email Configuration and SSL Certificates.

    (H) Safari or a Managed Application (eg Qlik Sense Mobile or MobileIron's Web@Work Browser installed from the App Catalog) will use a Profile (G) to determine whether it should have an exclusive and private (per App VPN) conversation with the MobileIron Tunnel (F) VPN client to access a Qlik Sense URL.


    Browser users will be disconnected from Qlik Sense by MobileIron if they are inactive, and will be shown a "Connection Lost" error message. They can recover their session by simply refreshing the browser, but their Current Selections will be lost. This global timeout is configurable as a property of the MobileIron Tunnel configuration item, and defaults to 60000 milliseconds (1 minute). It is necessary to add a Custom Data key-value pair to the MobileIron Tunnel Configuration, as per the MobileIron documentation [6], to assign TcpIdleTmoMs a reasonable value such as 300000 milliseconds (5 minutes). Note that this is different from the Disconnection Timeout property that is shown in the configuration dialog!


    [Figure: TcpIdleTmoMs.png]


    The MobileIron Sentry must be configured to Tunnel (not Proxy) connections to Qlik Sense. Proxied connections do not support Websocket communications, and although the user may be able to authenticate into the Qlik Sense Hub, when they try to open a Document they will not successfully proceed beyond the raindrops animation. The settings controlling how a connection is processed are recorded in the Sentry Profile, accessed from the Admin menu.

     

     

    Testing configuration:

    A diagnostic webpage can be downloaded from branch.qlik.com [7] and should be deployed into the Qlik Sense Content Library via the QMC. Access this deployed content using mobile browsers to determine if websockets are supported by the browser, VPN and other network infrastructure. Load balancers between the Qlik Sense Proxy instances may require additional configuration [8] to support websocket traffic.
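
    When the diagnostic page reports a failure, the opening handshake shows which hop is at fault. The following is an added example, not part of the Qlik or MobileIron material: it classifies a captured HTTP response to a WebSocket upgrade request according to RFC 6455, separating a tunnelled connection from one that a proxying hop answered or altered. The function names and the sample responses are constructed for illustration.

```python
import base64
import hashlib

# GUID fixed by RFC 6455; SHA-1 here is mandated by the protocol, not a security choice.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(client_key):
    """Sec-WebSocket-Accept value a real WebSocket server must return for this key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_head(raw):
    """Split the head of a raw HTTP response into (status_code, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def diagnose(client_key, raw):
    """Classify one handshake response as ok / no-upgrade / broken-upgrade / bad-accept."""
    status, headers = parse_head(raw)
    if status != 101:
        return "no-upgrade"      # answered as ordinary HTTP: protocols were never switched
    conn = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if headers.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn:
        return "broken-upgrade"  # hop-by-hop Upgrade/Connection headers were stripped
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return "bad-accept"      # reply was not computed from our key (cached or altered)
    return "ok"

# Constructed sample data: the key/accept pair is the worked example in RFC 6455.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLES = {
    "tunnelled": b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n",
    "proxied": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "stripped": b"HTTP/1.1 101 Switching Protocols\r\nConnection: keep-alive\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {diagnose(KEY, raw)}")
```

    A "no-upgrade" or "broken-upgrade" result seen only through the VPN path points at the Sentry profile or a load balancer rather than at Qlik Sense itself.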

     

     

     

    Qlik Sense Mobile (iOS app):

    Qlik Sense Mobile provides an online alternative to a browser, and implements our Associative Engine on iOS to also provide offline data analysis on Qlik documents that have been synchronised to the device.

     

    Qlik Sense Mobile is currently supported for deployment and configuration by MobileIron, but not yet [9] (31 March 2018) for operation together with the MobileIron Tunnel per-App VPN.


    Deployment

    Qlik Sense Mobile is currently available from the Apple AppStore [10] and can be added to the MobileIron App Catalog as a Managed Application.


    Configuration

    When installed from the MobileIron App Catalog, MobileIron can supply configuration details too. A single text variable "mdm" can be specified, as documented at help.qlik.com [11], and contains a JSON array that delivers a collection of Qlik Sense Hub URLs to Qlik Sense Mobile rather than requiring that users browse to the Qlik Sense Hub and download a "Client Authentication Link".

     

    mdm

    { "Accounts" : [ {"name":"United Kingdom", "url":"https://sense.uk.example.com"},
                     {"name":"Brazil",         "url":"https://sense.br.example.com"}
                   ] }
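
    Because the "mdm" value is pasted into the EMM console as free text, it is worth checking before it is pushed to devices. The following is an added example, not Qlik or MobileIron code: it validates the structure shown above and flags hub URLs that are not https or that carry embedded credentials. The https requirement and the credentials check are assumptions of this example, and the sample values other than the page's own are constructed.

```python
import json
from urllib.parse import urlsplit

def validate_mdm(value):
    """Return a list of problems in an AppConfig "mdm" value; an empty list means OK."""
    try:
        doc = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (char {exc.pos})"]
    accounts = doc.get("Accounts") if isinstance(doc, dict) else None
    if not isinstance(accounts, list) or not accounts:
        return ['expected an object with a non-empty "Accounts" array']
    problems, seen = [], set()
    for i, acct in enumerate(accounts):
        where = f"Accounts[{i}]"
        if not isinstance(acct, dict):
            problems.append(f"{where}: entry is not an object")
            continue
        name, url = acct.get("name"), acct.get("url")
        if not isinstance(name, str) or not name.strip():
            problems.append(f"{where}: missing name")
        if not isinstance(url, str):
            problems.append(f"{where}: missing url")
            continue
        try:
            parts = urlsplit(url)
            host, userinfo = parts.hostname, bool(parts.username or parts.password)
        except ValueError:
            problems.append(f"{where}: url cannot be parsed")
            continue
        if parts.scheme != "https" or not host:   # assumption: hubs are reached over TLS
            problems.append(f"{where}: url must be an https:// hub address")
        if userinfo:                              # secrets must not ride in AppConfig
            problems.append(f"{where}: url embeds credentials")
        if url in seen:
            problems.append(f"{where}: duplicate url")
        seen.add(url)
    return problems

# The page's own value, then two constructed bad values (one with "smart" quotes).
GOOD = ('{ "Accounts" : [ {"name":"United Kingdom", "url":"https://sense.uk.example.com"},'
        ' {"name":"Brazil", "url":"https://sense.br.example.com"} ] }')
BAD = ('{"Accounts":[{"name":"Lab","url":"http://sense.lab.example.com"},'
       '{"name":"","url":"https://svc:secret@sense.uk.example.com"}]}')
SMART_QUOTES = '{ \u201cAccounts\u201d : [] }'

if __name__ == "__main__":
    for sample in (GOOD, BAD, SMART_QUOTES):
        print(validate_mdm(sample) or "OK")
```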


    Per App VPN

    It is clear that per-App VPN connectivity is required for Remote/Home office users who want to interact with Qlik Sense online or to sync documents to their device for offline use. As of 31 March 2018, Qlik has determined that Qlik Sense Mobile operates as intended with Device-level VPN products, but not with MobileIron Tunnel per-App VPN.

     

    MobileIron has confirmed (16 April 2018) to Qlik that the MobileIron Tunnel VPN client improperly intercepts TCP traffic within the App, and does not route traffic as Qlik intends. This is due to the way that iOS delivers ALL app traffic to the VPN client, and the VPN client is forwarding all traffic to the MobileIron Sentry. The MobileIron Sentry contains a configurable Advanced Traffic Control feature, but the routing of traffic needs to be adjusted on the iOS client before potentially being delivered to the MobileIron Sentry. MobileIron have raised a case with Apple (Apple RADAR ID: 33553614) seeking adjustment to this behaviour in iOS.


    Without an enhancement to the MobileIron Tunnel VPN client, users see only a blank screen when activating Qlik Sense Mobile in conjunction with the MobileIron Tunnel per-App VPN.

     

    Mutual customers affected by this issue are advised to open Support Calls with both MobileIron and Apple. With sufficient customer pressure, MobileIron should modify their VPN client to route localhost (localhost, IPv6 ::1, IPv4 127.0.0.1) traffic back to the device instead of passing it from the device through to the MobileIron Sentry.

     

    The MobileIron Tunnel per-App VPN does appear to work satisfactorily with mobile browsers as described in an earlier section.

     

    Qlik Sense

    Within the Qlik Sense Management Console you must configure Security Rules to permit Offline use of Qlik Sense documents. An example is provided at help.qlik.com [12].

    Only Users with a User Access Token can use Qlik Sense Mobile offline. Login tokens may not be used to synchronise content for Offline use.

     

     

     

    1. MobileIron Guidance on iOS 11 Compatibility: https://community.mobileiron.com/docs/DOC-6671
    2. MobileIron Go: https://itunes.apple.com/us/app/mobileiron-go/id672836503?mt=8
      MobileIron Go 3.0.0 for iOS Release Notes: https://community.mobileiron.com/docs/DOC-6923
    3. MobileIron Tunnel: https://itunes.apple.com/us/app/mobileiron-tunnel/id1150035878?mt=8
      MobileIron Tunnel 2.3.1 for iOS Release Notes: https://community.mobileiron.com/docs/DOC-7230
    4. Web@Work Browser: https://itunes.apple.com/us/app/mobileiron-web-work/id596170970?mt=8
      MobileIron Web@Work 2.3.0 for iOS Release Notes: https://community.mobileiron.com/docs/DOC-7581
    5. MobileIron Cloud Connector: http://mi.extendedhelp.mobileiron.com/50/all/en/desktop/Connector.htm
    6. MobileIron Tunnel for iOS Guide for Administrators: https://community.mobileiron.com/docs/DOC-6414 pp13
    7. Websocket Diagnostic Page: http://branch.qlik.com/#!/project/56728f52d1e497241ae69865
    8. BIG-IP support for the WebSocket protocol: https://support.f5.com/csp/article/K14754
      Citrix Netscaler: see bottom of https://docs.citrix.com/en-us/netscaler/11/system/http-configurations.html
    9. Release Notes available from Qlik Download Site: https://da3hntz84uekx.cloudfront.net/QlikSense/12.52/0/QlikSenseMobile_February2018_ReleaseNotes.pdf particularly note at bottom of page 8.
    10. Qlik Sense Mobile: https://itunes.apple.com/us/app/qlik-sense-mobile/id1217049362?mt=8
    11. AppConfig: https://help.qlik.com/en-US/sense/February2018/Subsystems/PlanningQlikSenseDeployments/Content/Deployment/Configuring-the-Qlik-Sense-Mobile-app-hub-list-with-AirWatch.htm
    12. Security Rule for allowing Offline access: https://help.qlik.com/en-US/sense/February2018/Subsystems/ManagementConsole/Content/offline-access-to-apps-by-user-attributes-example.htm