Qlik Sense integration with MobileIron
Qlik recommends that customers prove the operation of Safari and/or Web@Work Browser with their Enterprise Mobile Management (EMM) Infrastructure, and familiarise themselves with the deployment and configuration of Qlik Sense Mobile without per-App VPN connectivity (AppConfig "mdm" property, QMC Security Rules). Ensure that MobileIron is iOS v11-ready and using MobileIron Sentry v9 (or greater) to provide per-App VPN connectivity from Browsers.
Qlik Sense requires that clients and intermediate infrastructure support the websocket connectivity that is used between the Qlik Visualizations and the Qlik Sense Proxy service for retrieval of Associative datasets. Websockets are part of the HTML5 standard, but many proxy servers fail to support them; iOS v11 has resolved previous issues with routing websocket traffic via any per-App VPN. Remaining connectivity problems are now due to configuration/limitations of EMM and other network infrastructure.
The following is a comprehensive guide on the current integration of Qlik Sense with MobileIron as at January 2019.
As at 23 December 2018, MobileIron have informed Qlik that they are investigating an enhancement to their MobileIron Tunnel VPN client to better support the TCP interactions performed by Qlik Sense Mobile.
MobileIron have also acknowledged that their Web@Work browser requires an update to use the current Apple WebKit as the older WebKit still used does not render Qlik Sense properly.
Customers can utilise the SaaS MobileIron Cloud, or implement MobileIron Core on-premises.
MobileIron Connector is installed behind the Firewalls, providing replication services from Active Directory to the SaaS Console. The software can be downloaded from the MobileIron Console.
The MobileIron Sentry is deployed in the DMZ as the VPN gateway to private resources. The software can be downloaded from the MobileIron Console or instantiated from an Amazon EC2 AMI.
The mobile user performs Self-Service enrolment by installing MobileIron Go from iTunes then browsing to https://mobileiron.com/go. MobileIron Go is the agent which MobileIron uses to manage the device.
Successful Enrolment will add the Enterprise AppStore App Catalog, which is where Managed Applications can be installed from instead of using the Apple App Store.
The MobileIron Tunnel VPN client may be automatically installed immediately after successful enrolment, or can be downloaded from the App Catalog. This will use an SSL Client Certificate (7) to perform Device Authentication to the MobileIron Sentry and create a Tunnel through which traffic from Managed Applications can reach private resources such as Qlik Sense.
Configuration details are delivered by MobileIron Go to iOS as "profiles". These are visible in the iOS Settings application. A profile may include Rules for which Browser uses the VPN to access which URLs, but also other features such as WebClips (URL Shortcuts), Email Configuration and SSL Certificates.
Safari or a Managed Application (e.g. Qlik Sense Mobile or MobileIron's Web@Work Browser installed from the App Catalog) will use a Profile (G) to determine whether it should have an exclusive and private (per-App VPN) conversation with the MobileIron Tunnel (6) VPN client to access a Qlik Sense URL.
Browser Users will be disconnected from Qlik Sense by MobileIron if they are inactive, and will be shown a "Connection Lost" error message. They can recover their session by simply refreshing the browser but their Current Selections would be lost. This global timeout is configurable as a property of the MobileIron Tunnel configuration item, and defaults to 60000 milliseconds (1 minute). It is necessary to add a Custom Data KeyValuePair to the MobileIron Tunnel Configuration, as per MobileIron documentation, to assign TcpIdleTmoMs a reasonable value such as 300000 milliseconds (5 minutes). Note that this is different from the Disconnection Timeout property that is shown in the configuration dialog!
The MobileIron Sentry must be configured to Tunnel (not Proxy) connections to Qlik Sense. Proxied connections do not support Websocket communications, and although the user may be able to authenticate into the Qlik Sense Hub, when they try to open a Document they will not successfully proceed beyond the raindrops animation. The settings controlling how a connection is processed are recorded in the Sentry Profile, accessed from the Admin menu.
A diagnostic webpage can be downloaded from https://developer.qlik.com/garden/56728f52d1e497241ae69865 and should be deployed into the Qlik Sense Content Library via the QMC. Access this deployed content using mobile browsers to determine if websockets are supported by the browser, VPN and other network infrastructure. Load Balancers between the Qlik Sense Proxy instances may require additional configuration to support websocket traffic.
Qlik has determined (December 2018) that the Safari and Chrome browsers interoperate with the MobileIron Tunnel and Sentry satisfactorily.
Qlik Sense Mobile (iOS app)
Qlik Sense Mobile provides an online alternative to a browser, and implements our Associative Engine on iOS to also provide offline data analysis on Qlik documents that have been synchronized to the device.
Qlik Sense Mobile is currently supported for deployment and configuration by MobileIron, but not yet (9 January 2019) for operation together with the MobileIron Tunnel per-App VPN.
Qlik Sense Mobile is currently available from the Apple AppStore and can be added to the MobileIron App Catalog as a Managed Application.
When installed from the MobileIron App Catalog, MobileIron can supply configuration details too. A single text variable "mdm" can be specified, as documented at help.qlik.com, and contains a JSON array that delivers a collection of Qlik Sense Hub URLs to Qlik Sense Mobile rather than requiring that users browse to the Qlik Sense Hub and download a "Client Authentication Link".
It is clear that per-App VPN connectivity is required for Remote/Home office users who want to interact with Qlik Sense online or to sync documents to their device for offline use. As of 31 March 2018, Qlik determined that Qlik Sense Mobile operates as intended with Device-level VPN products, but not with the MobileIron Tunnel per-App VPN.
MobileIron has confirmed (16 April 2018) to Qlik that the MobileIron Tunnel VPN client improperly intercepts TCP traffic within the App, and does not route traffic as Qlik intends. This is due to the way that iOS delivers ALL app traffic to the VPN client, and the VPN client is forwarding all traffic to the MobileIron Sentry. The MobileIron Sentry contains a configurable Advanced Traffic Control feature but the routing of traffic needs to be adjusted on the iOS client before potentially being delivered to the MobileIron Sentry. MobileIron have raised a case with Apple (Apple RADAR ID: 33553614) seeking adjustment to this behaviour in iOS.
Without an enhancement to the MobileIron Tunnel VPN client, users see only a blank screen when activating Qlik Sense Mobile in conjunction with the MobileIron Tunnel per-App VPN.
Mutual customers affected by this issue are advised to open Support Calls with both MobileIron and Apple. With sufficient customer pressure, MobileIron should modify their VPN client to route localhost (localhost, IPv6 ::1, IPv4 127.0.0.1) traffic back to the device instead of passing it from the device through to the MobileIron Sentry.
MobileIron have advised (23 December 2018) that their R&D teams are studying the problem, and researching an update to their Tunnel product.
The MobileIron Tunnel per-App VPN does appear to work satisfactorily with mobile browsers as described in an earlier section of this document.
Within the Qlik Sense Management Console you must configure Security Rules to permit Offline use of Qlik Sense documents. An example is provided at help.qlik.com.
Users with only a Login Access Token cannot synchronize content for Offline use.