MobileIron Docs@Work 2.8.

0 for iOS
Guide for Administrators
for MobileIron Core and MobileIron Cloud

September 10, 2018

Proprietary and Confidential | Do Not Distribute

Copyright © 2014 - 2018 MobileIron, Inc. All Rights Reserved.

Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication
is subject to change without notice. MobileIron, Inc. does not warrant the use of this publication. For some phone
images, a third-party database and image library, Copyright © 2007-2009 Aeleeta's Art and Design Studio, is used.
This database and image library cannot be distributed separate from the MobileIron product.

“MobileIron,” the MobileIron logos and other trade names, trademarks or service marks of MobileIron, Inc.
appearing in this documentation are the property of MobileIron, Inc. This documentation contains additional trade
names, trademarks and service marks of others, which are the property of their respective owners. We do not
intend our use or display of other companies’ trade names, trademarks or service marks to imply a relationship
with, or endorsement or sponsorship of us by, these other companies.
Contents
Chapter 1 Overview of Docs@Work for iOS ........................................................................... 4
About Docs@Work ........................................................................................................... 4
Enable MobileIron Access for Docs@Work ........................................................................ 5
Where to find Docs@Work for iOS .................................................................................. 5
About Docs@Work for iOS configuration ...................................................................... 5
What the users see in Docs@Work for iOS .................................................................... 6
Chapter 2 Configuring Docs@Work for iOS............................................................................ 7
Required components for Docs@Work for iOS deployment ........................................ 7
Main steps for configuring Docs@Work for iOS (Core) ................................................ 7
Set up app distribution ...................................................................................................................7
Set up Docs@Work .......................................................................................................................8
AppTunnel setup ...........................................................................................................................8
Attachment control setup ...............................................................................................................8
Docs@Work app behavior setup ...................................................................................................8
Before you begin ................................................................................................................. 8
Distributing as a recommended app ................................................................................... 8
Enabling Docs@Work ....................................................................................................... 11
Configuring the AppConnect global policy ........................................................................ 12
Applying to a label .......................................................................................................................12
Configuring an AppConnect container policy .................................................................... 13
Configuring content sites in the Docs@Work configuration .............................................. 13
Adding SharePoint, WebDAV, CIFS, and DFS sites ...................................................................14
Support for variables in configuring content sites ............................................................. 17
Prerequisites for using variables for configuring content sites ....................................................17
Supported Content sites for variables .........................................................................................17
Supported variables for configuring content sites ........................................................................17
Verifying the SharePoint URL ........................................................................................... 18
Adding Box enterprise as a Group site ............................................................................. 19
Adding a SharePoint Group site with Federated authentication ....................................... 19
Adding a SharePoint Group site with derived credentials ................................................. 20
Adding Google Drive as a Group site ............................................................................... 20
Authentication with an identity provider (IdP) ..............................................................................21
Configuring DFS content site ............................................................................................ 21
Enabling DFS ..............................................................................................................................21
Configuring an AppTunnel service for DFS .................................................................................21
Configuring AppTunnel rules and DFS site in the Docs@Work setting .......................................22
Configuring an AppTunnel service .................................................................................... 24
Configuring AppTunnel rules ............................................................................................ 27
Configuring attachment control ......................................................................................... 29
Main steps for configuring Docs@Work for iOS (Cloud) ............................................ 30
User-added sites ............................................................................................................... 32
Docs@Work installation on an iOS device (Core and Cloud) ..................................... 33
AES-256-GCM encryption for email attachments ........................................................ 33
Configuring 256-bit encryption .......................................................................................... 34

MobileIron Docs@Work 2.8.0 for iOS Guide | 1

 Configuring certificate pinning ...................................................................................... 35
Chapter 3 Additional configurations using key-value pairs.................................................... 36
Configuring Docs@Work application behavior ........................................................... 36
Key-value pairs to configure app behavior .................................................................. 37
What users see ................................................................................................................ 48
Edit functionality in Docs@Work .................................................................................. 49
Disabling the edit functionality in Docs@Work .................................................................49
Chapter 4 Working with Docs@Work features...................................................................... 51
Touch ID ........................................................................................................................... 51
Content sites ................................................................................................................... 52
Favorites .......................................................................................................................... 52
User added sites .............................................................................................................52
Sorting content sites ...................................................................................................... 53
View options for SharePoint sites in Docs@Work ...................................................... 54
Google Drive group site ................................................................................................. 54
Email document links from Docs@Work ...................................................................... 55
Email documents from Docs@Work ............................................................................. 55
Requirement for emailing documents ............................................................................... 56
Emailing documents from Docs@Work for iOS ................................................................ 56
Email Docs@Work logs .................................................................................................. 56
Add attachments from Docs@Work in Email+ ............................................................. 57
Add attachments from Docs@Work in Native mail ..................................................... 57
Email documents from Docs@Work through third-party email clients ..................... 57
Edit documents in Docs@Work .................................................................................... 57
Editing and annotating documents .................................................................................... 57
Edit Online ....................................................................................................................... 59
Extracting files from .zip files ........................................................................................ 59
File and folder management .......................................................................................... 61
Creating files and folders in My Files ................................................................................ 61
Renaming files and folders in My Files ............................................................................. 62
Moving files and folders in My Files .................................................................................. 63
Locating file or folder ..................................................................................................... 65
Sorting files and folders ................................................................................................. 67
Background notifications for Published sites ............................................................. 67
Changing notification settings ........................................................................................... 67
Importing images and video .......................................................................................... 69
Browse and add SharePoint site ................................................................................... 71

MobileIron Docs@Work 2.8.0 for iOS Guide | 2

Adding a SharePoint site by browsing in Docs@Work ..................................................... 71
Single Sign On ................................................................................................................ 73
Support for multiple configurations .............................................................................. 73
Allow Drag and Drop from Docs@Work for iOS 11 ..................................................... 73
Watermark text ................................................................................................................ 74
Other features ................................................................................................................. 74

MobileIron Docs@Work 2.8.0 for iOS Guide | 3

 1

Overview of Docs@Work for iOS

The following provide an overview of the Docs@Work app for iOS devices:
• About Docs@Work
• Where to find Docs@Work for iOS
• About Docs@Work for iOS configuration
• What the users see in Docs@Work for iOS

About Docs@Work
The Docs@Work app gives device users an intuitive and secure way to access, store, view, edit, and annotate
documents from content repositories, such as Microsoft SharePoint, and cloud services such as Box and Dropbox.
It allows administrators to configure content repositories, which are then automatically available to device users. It
also lets administrators establish data loss prevention controls to protect documents from unauthorized
distribution. Docs@Work supports AES-256-GCM for encrypting email attachments.

Device users must have a valid user ID and password to access content sites.

Device users can:

• Log in to content repositories and navigate through folders.
• Download documents from content repositories.
• View documents.
• Edit and annotate local files.
• Upload documents to content repositories.
• Download, view, and email encrypted attachments.
• Add content repositories to Docs@Work.

A MobileIron license is required for Docs@Work. Docs@Work uses certain aspects of AppConnect, including
passcode access and app tunneling. However, an AppConnect license is not required for Docs@Work. The
Docs@Work app for iOS is an AppConnect enabled app.

Docs@Work for iOS is an AppConnect-enabled app. AppConnect is a MobileIron feature that containerizes apps
to protect content on iOS and Android devices. Each AppConnect app becomes a secure container whose content
is encrypted and, protected from unauthorized access. Because each user has multiple business apps, each app
container is also connected to other secure app containers. This connection allows the AppConnect apps to share
content. AppConnect apps are managed using policies configured in a MobileIron Enterprise Mobility Management
(EMM) platform. The EMM platform is either MobileIron Core or MobileIron Cloud.

MobileIron Docs@Work 2.8.0 for iOS Guide | 4

 Overview of Docs@Work for iOS

As an AppConnect app, all Docs@Work content is secured. The app interacts with other apps according to the
data loss prevention policies that you specify. The app has the following secure features:
• Secure apps passcode: A secure apps passcode, if you require one, protects access to all secure apps. This
is the AppConnect passcode, which you define in MobileIron EMM. The AppConnect passcode provides an
additional layer of security for secure apps, beyond the device passcode.
• Data encryption: AppConnect encrypts all AppConnect-related data on the device, such as Docs@Work app
data, app configurations, and policies. This means app data is secure even if a device is compromised.
• Data loss prevention: You determine whether Docs@Work for iOS can use the iOS copy/paste or open-in
features. AppConnect data loss prevention policies control if users can copy/paste data out of Docs@Work and
control how email attachments can be shared with other apps via open-in.

For information about AppConnect features and configuration beyond Docs@Work for iOS, see the AppConnect
and AppTunnel Guide.

Enable MobileIron Access for Docs@Work

In a MobileIron Core and MobileIron Access as a service deployment, federated traffic from Docs@Work through
Access is only supported with MobileIron Tunnel. However, using Tunnel to CIFs services will fail.

Federated traffic through AppTunnel and Access as a service is not supported for Docs@Work. Selecting Enable
Access in the Docs@Work configuration has no impact.

Where to find Docs@Work for iOS

You can download Docs@Work for iOS from the Apple App Store.

About Docs@Work for iOS configuration

Device users can download Docs@Work for iOS directly from the Apple AppStore. You can also distribute
Docs@Work for iOS as a recommended app through Apps@Work.

NOTE: Mobile@Work must be available on the device and registered with MobileIron Core, before installing
the Docs@Work app.
• If you are using the Default AppConnect Global Policy, you may not need to create a new policy.
• Configuring an AppConnect container policy is required only if you did not Authorize for Apps without an
AppConnect container policy in the AppConnect Global policy. Or, if you want to configure a different set of data
loss prevention policies for Docs@Work.
• Standalone Sentry configured for AppTunnel is required if you want to tunnel traffic to content repositories.
CIFS traffic must be tunneled through Standalone Sentry.
• Standalone Sentry configured for ActiveSync is required to open encrypted email attachments in Docs@Work.
• Use the Docs@Work configuration to specify:
- AppTunnel rules

MobileIron Docs@Work 2.8.0 for iOS Guide | 5

 Overview of Docs@Work for iOS

- Content sites
- Docs@Work app behavior

For more information on Configurations, See “Configuring Docs@Work for iOS” on page 7.

What the users see in Docs@Work for iOS

When users launch Docs@Work for iOS, they can access the following from the main screen:
• Add Site
• Docs@Work
• My Files
• Recent Files
• Favorites
• Notifications
• Settings
• Search

MobileIron Docs@Work 2.8.0 for iOS Guide | 6

 2

Configuring Docs@Work for iOS

The Docs@Work app enables iOS users to access, store, view, edit, and annotate documents from content
repositories, such as Microsoft SharePoint. MobileIron Cloud administrators can set up Docs@Work so that:
• users see all available content repositories
• documents are protected from unauthorized distribution

Users can also configure access to content repositories.

The following describe how to set up Docs@Work for iOS.

• Required components for Docs@Work for iOS deployment
• Main steps for configuring Docs@Work for iOS (Core)
• Main steps for configuring Docs@Work for iOS (Cloud)
• Docs@Work installation on an iOS device (Core and Cloud)
• AES-256-GCM encryption for email attachments
• Configuring certificate pinning

Required components for Docs@Work for iOS

deployment
The following components are required for Docs@Work for iOS deployment:
• MobileIron Enterprise Mobility Management (EMM) platform: MobileIron Core or MobileIron Cloud.
• Sentry, with ActiveSync enabled (required if you want to secure access to the ActiveSync server using Sentry).
• An iOS device that is registered with a MobileIron EMM.
• MobileIron client: Mobile@Work for MobileIron Core deployments; MobileIron Go for MobileIron Cloud
deployments.

For supported versions see the MobileIron Docs@Work for iOS Release Notes.

NOTE: If a device user has already launched Docs@Work for iOS as a standalone trial app, the device user
must uninstall and reinstall Docs@Work for iOS to use it as a secure AppConnect-enabled app.

Main steps for configuring Docs@Work for iOS (Core)

Complete the following basic tasks to set up Docs@Work and distribute content sites:

Set up app distribution

• “Distributing as a recommended app” on page 8

MobileIron Docs@Work 2.8.0 for iOS Guide | 7

 Configuring Docs@Work for iOS

Set up Docs@Work
• “Enabling Docs@Work” on page 11
• “Configuring the AppConnect global policy” on page 12
• “Configuring an AppConnect container policy” on page 13
• “Configuring content sites in the Docs@Work configuration” on page 13

AppTunnel setup

Complete the following additional tasks to set up app tunneling to content repositories.
1. “Configuring an AppTunnel service” on page 24
2. “Configuring AppTunnel rules” on page 27

Attachment control setup

Complete the following tasks to set up attachment control

• “Configuring attachment control” on page 29
• “Configuring 256-bit encryption” on page 34

Docs@Work app behavior setup

• “Additional configurations using key-value pairs” on page 36

Before you begin

• If you have an existing deployment of the Docs@Work functionality embedded in Mobile@Work for iOS
devices or available through the AppConnect enabled apps required for iOS devices, you will still have to
create new configurations for deploying the Docs@Work app.
• If you are using the Default AppConnect Global Policy, you may not need to create a new policy.
• Configuring an AppConnect container policy is required only if you did not Authorize for Apps without an
AppConnect container policy in the AppConnect Global policy. Or, if you want to configure a different set of
data loss prevention policies for Docs@Work.
• Standalone Sentry configured for AppTunnel is required if you want to tunnel traffic to content repositories.
CIFS traffic must be tunneled through Standalone Sentry.
• Standalone Sentry configured for ActiveSync is required to open encrypted email attachments in Docs@Work.
• Use the Docs@Work configuration to specify:
- AppTunnel rules
- Content sites
- Docs@Work app behavior

Distributing as a recommended app

Device users can download Docs@Work for iOS directly from the Apple AppStore. You can also distribute
Docs@Work for iOS as a recommended app through Apps@Work.

Procedure
1. In the Admin Portal, go to Apps > App Catalog.

MobileIron Docs@Work 2.8.0 for iOS Guide | 8

 Configuring Docs@Work for iOS

2. Click Add+.
3. Click iTunes to import Docs@Work for iOS from the Apple App Store.
4. Enter MobileIron Docs@Work in the Application Name text box.
5. Click Search.
6. Select the app from the list that is displayed.
7. Click Next.
8. (Optional) Select one or more categories if you want to display this app in a specific group of apps on the
device. Click Add New Category to define new categories.
9. Click Next.
10. Use the following guidelines to make the appropriate selections for App@Work Catalog:

Item Description

This is a Free App Select for free recommended apps.

iOS allows Managed App features to be applied to free apps and apps purchased
with VPP credits, but not to apps paid for by the user. Specifying whether the app
is free ensures successful download of apps that otherwise require user payment.

Hide this App from the Select to prevent this app from being displayed in Apps@Work. For example, you
Apps@Work catalog might want to hide apps that will be installed upon registration anyway. Hiding a
mandatory app reduces clutter in Apps@Work, leaving device users with a
concise menu of the approved apps they might find useful.

Allow conversion of Select if you want to allow the app to be converted from an unmanaged app to a
apps from unmanaged managed app in Apps@Work on devices running iOS 9 through the most recently
to managed in released version as supported by MobileIron. The unmanaged app will not require
Apps@Work (iOS 9 or uninstallation, as it will be converted directly to a managed app.
later).

Feature this App in the Select this option if you want to highlight this app in the Featured apps list.
Apps@Work Catalog
NOTE: The Message feature for iOS apps applies only to featured apps. For
more information, see “Informing users of new apps and upgrades for
featured apps” in the Apps@Work Guide.

11. Click Next.

MobileIron Docs@Work 2.8.0 for iOS Guide | 9

 Configuring Docs@Work for iOS

12. Use the following guidelines to complete the screen:

Item Description

Per App VPN Settings

Per App VPN by Label Select the VPN setting you created for per app VPN in the right (all) column, and
Only click the right arrow to move it to the left (selected) column. If the app will use
MobileIron Tunnel, select the MobileIron Tunnel VPN setting you created. You can
select multiple per app VPN settings.
To reorder the per app VPN configurations in the Selected column, use the up and
down arrows to sort the names in the list.
This feature applies to iOS 7 through the most recently released version as
supported by MobileIron.
See Managing VPN settings in the MobileIron Core Device Management Guide
for information on creating a per app VPN or MobileIron Tunnel VPN setting.
See “Setting per app VPN priority” in the Apps@Work Guide.

Managed App Settings

Prevent backup of the Select to ensure that iTunes will not attempt to back up possibly sensitive data
app data associated with the given app.

Remove app when Select to enable configured compliance actions to remove the app if a policy
device is quarantined violation results in a quarantined device or the device signs out in multi-user
or signed out mode.
To enable this feature, you must also configure a corresponding compliance
action, and security policy with that compliance action selected. Once the device
is no longer quarantined, the app can be downloaded again.

NOTE: If you change the setting after the app is added, the changed setting
will not be applied to the app.

Send installation Select this option so that after device registration is complete, or after a user signs
request or send convert in on a multi-user device:
unmanaged to • The device user is prompted to install this app.
managed app request
• The app is converted to a managed app, if the app is already installed as an
(iOS 9 and later) on
unmanaged app.
device registration or
sign-in. To allow conversion to a managed app, also select the option Allow conversion
of apps from unmanaged to managed in Apps@Work (iOS 9 or later).
This setting is not selected by default.

MobileIron Docs@Work 2.8.0 for iOS Guide | 10

 Configuring Docs@Work for iOS

Item Description

Send installation or Select this option to enable the following on quarantined devices:
convert unmanaged to • Prompt the device user to install the app.
managed app request
• Convert the app to a managed app, if the app is already installed as an
to quarantined devices
unmanaged app.

NOTE: These settings are applied even if a compliance action blocks new
app downloads for a quarantined device.

Advanced Settings
Remove app when Select this option to remove this app from the device when the MDM profile is
MDM profile is removed removed from the device.

13. Associate the app with a label to have that app listed on iOS devices.
a. Go to Apps > App Catalog.
b. Select iOS from the Platform list.
c. Select the app you want to work with.
d. Click Actions > Apply to Label.
e. Select the label that represents the iOS devices for which you want the selected app to be displayed.
f. Click Apply.
14. Make sure that the Apps@Work web clip is also applied to the same labels, so that iOS devices can access
your enterprise storefront.
a. Select Policies & Configs > Configurations.
b. Select the System - iOS Enterprise AppStore setting.
c. Select More Actions > Apply to Label.
d. Select the iOS label and click Apply.

Enabling Docs@Work
A Docs@Work license is required on MobileIron Core to enable support. Enabling this setting indicates that you
have the required license to deploy Docs@Work. Enabling Docs@Work is also required for AES-256-GCM
encryption for email attachments.

Procedure
1. In the Admin Portal, go to Settings > System Settings.
2. In the left menu bar, click Additional Products > Licensed Products.
3. Select Docs@Work.
4. Select Enable merging of configurations option to enable merging multiple configurations for a device.

NOTE: The Enable merging of configurations option is disabled by default.

5. Click Save.

MobileIron Docs@Work 2.8.0 for iOS Guide | 11

 Configuring Docs@Work for iOS

Configuring the AppConnect global policy

Docs@Work for iOS is an AppConnect app, so AppConnect must be enabled in the AppConnect global policy if it
has not yet been configured. The AppConnect global policy specifies AppConnect app settings such as
AppConnect passcode and data loss prevention requirements. You can use the Default AppConnect Global Policy.

You may decide to create a new AppConnect Global Policy (Add New > AppConnect). If you create a new
AppConnect Global Policy, you must apply it to the appropriate labels. You do not need to apply the Default
AppConnect Global Policy to a label.

Procedure
1. In the Admin Portal, go to Policies & Configs > Policies.
2. Select Default AppConnect Global Policy.

3. For AppConnect, select Enabled.

4. (Optional) Scroll down to the Security Policies section.
5. (Optional) For Apps without an AppConnect container policy, select Authorize.
NOTE: If you do not select Authorize, then you must create an AppConnect container policy for
Docs@Work.
6. (Optional) If you select Authorize for Apps without an AppConnect container policy, also select the data
loss preventions options you want to enable for iOS.
7. Click Save.

Applying to a label

Applying a policy or configuration to a label makes the policy or configuration available to all the devices that are
associated with that label. Perform these steps only if you created a new AppConnect Global Policy. You do not
need to apply a default AppConnect Global Policy to a label.

Procedure
1. Select the AppConnect global policy.
2. Click More Actions > Apply To Label.
3. Select the appropriate labels to which you want to apply the policy.
4. Click Apply.

MobileIron Docs@Work 2.8.0 for iOS Guide | 12

 Configuring Docs@Work for iOS

Related topics

For more information about the AppConnect Global policy, see the “Configuring the AppConnect global policy”
section in the AppConnect and AppTunnel Guide.

Configuring an AppConnect container policy

This task is only required:
• If you did not select Authorize for Apps without an AppConnect container policy, in the AppConnect Global
Policy.
• If you want to configure a different set of data loss prevention policies for Docs@Work.

The AppConnect container policy authorizes an AppConnect app and specifies the data loss prevention settings.
The container policy overrides the corresponding settings in the AppConnect Global Policy. Separate AppConnect
container policies are required for each operating system (Android or iOS).

NOTE: Ensure that only one Docs@Work AppConnect container policy is applied to a device.

Procedure
1. In the Admin Portal, go to Policy & Configs > Configurations.
2. Click Add New > AppConnect > Container Policy.
3. Enter a name for the policy. For example, enter Docs@Work container policy for iOS.
4. Enter a description for the policy.
5. In the Application field, select Docs@Work.
Select Docs@Work only if the app is available in the app catalog as a recommended app. If not, you must enter
the app bundle ID.
6. Select the data loss prevention settings.
7. Select Save.
8. Select the Docs@Work container policy.
9. Click More Actions > Apply To Label.
10. Select the appropriate labels to which you want to apply this policy.
11. Click Apply.

Related topics

For more information on configuring the AppConnect Container Policy, see the “Configuring AppConnect container
policies” section in the AppConnect and AppTunnel Guide.

Configuring content sites in the Docs@Work configuration

Content sites configured in the Doc@Work configuration are automatically added to the Docs@Work app. Device
user action is not required. These sites are called Group sites. SharePoint (including OneDrive for Business),
WebDAV, CIFS, and DFS sites are configured in the Content Sites section of the Docs@Work configuration. Box,

MobileIron Docs@Work 2.8.0 for iOS Guide | 13

 Configuring Docs@Work for iOS

SharePoint sites that use Federated authentication, and Google Drive sites are configured in the Custom
Configurations section using key-value pairs.
• “Adding SharePoint, WebDAV, CIFS, and DFS sites” on page 14
• “Support for variables in configuring content sites” on page 17
• “Verifying the SharePoint URL” on page 18
• “Adding Box enterprise as a Group site” on page 19
• “Adding a SharePoint Group site with Federated authentication” on page 19
• “Adding a SharePoint Group site with derived credentials” on page 20
• “Configuring DFS content site” on page 21

Adding SharePoint, WebDAV, CIFS, and DFS sites

Content sites configured in the Doc@Work configuration are automatically added to the Docs@Work app. Device
user action is not required. SharePoint (including OneDrive for Business), WebDAV, CIFS, and DFS sites are
configured in the Content Sites section of the Docs@Work configuration.

Procedure
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > Docs@Work.
3. Use the following guidelines to create or edit a Docs@Work setting and add content sites:

Item Description

Name Enter brief text that identifies this setting.

Description Enter additional text that clarifies the purpose of this Docs@Work setting.

Content Sites

Name Enter a name for the content site.

MobileIron Docs@Work 2.8.0 for iOS Guide | 14

 Configuring Docs@Work for iOS

Item Description

URL Enter a valid URL for the content site.

A valid URL must start with http:// or https://. Starting with MobileIron Core 7.5.1.0, if
you are using variables, http:// or https: is not required. However, the entry in the
URL field must map to a valid URL that starts with a 
http://, https://, or smb://. UNC is also supported.
Examples:
$USER_CUSTOM2$
https://$USER_CUSTOM1$

CIFS sites
For CIFS sites, the URL must also include the CIFS port. A valid URL can start with
smb:// or \\. UNC is supported. Both domain name and IP address are supported.
Examples for CIFS:
https://server.name:445/path/to/share/folder
smb://server.name:445/path/to/share/folder
\\server.name:445\path\to\share\folder

Variables
You can also specify variables in the URL. You can specify a single variable, or a
combination of variables. LDAP or AD integration is required for using variables.
See also, “Support for variables in configuring content sites” on page 17.
Examples with variables:
https://networkdrive/users/$FIRST_NAME$
https://sharepoint.mycompany.com/personal/
$FIRST_NAME$_$LAST_NAME$_company_com/

OneDrive for Business

The credentials for OneDrive for Business are always in lower case. If the
credentials in LDAP or AD are mixed case, they may not match with the credentials
in OneDrive and may result in failure to access the OneDrive for Business site from
Docs@Work. To ensure that device users can successfully access OneDrive for
Business add #LOWER to the variable in the URL.
Example for OneDrive for Business:
https://company.sharepoint.com/personal/#LOWER($USERID$)#_company_com/
documents

Domain Select the type of content site you are configuring:

• SharePoint
Select SharePoint for OneDrive for Business.
• WebDAV
• CIFS

MobileIron Docs@Work 2.8.0 for iOS Guide | 15

 Configuring Docs@Work for iOS

Item Description

Subdomain Select the subdomain type for the content site:

• SharePoint: Office 365, Corporate
Select Office 365 if you are configuring OneDrive for Business.
• WebDAV: NetworkDrive, CloudStorage
• CIFS: NetworkDrive
• DFS: NetworkDrive

Authentication Select if the device has to authenticate to the server.

Do not select if you are using Single Sign On using Kerberos Constrained
Delegation.
See also “Supported authentication to content repositories” in the MobileIron
Docs@Work Release Notes.

Published Select to designate the site as a Published site.

All content in a Published site is automatically downloaded and mirrored locally on
the device when the device syncs. If the option is not selected, the device user
must manually download the content. Documents in a Published site cannot be
edited. Devices users cannot upload or create files or folders in published site.
A Web View site cannot be configured as a Published site, and a Published site
cannot be configured as a Web View site.

NOTE: Published sites for SharePoint are not supported at root, site, and subsite
levels. Published sites are supported at document library and folder
levels. MobileIron recommends that Published sites be set for publishing
50-100 documents.

Web View Only for SharePoint domains. Only applicable to iOS devices. Does not apply to
Android devices.
Select to allow device users to view and navigate SharePoint folders in browser
view.

Published Site Configurations

These settings only apply to Published sites.

Update Interval Specify the update interval for Published sites.

(Minutes)
The Default setting is every 60 minutes.

Max auto download Specify the maximum file size for automatic download.
size (MB)
Files greater than this size will not be automatically downloaded. The default
setting is 500 MB.

MobileIron Docs@Work 2.8.0 for iOS Guide | 16

 Configuring Docs@Work for iOS

Item Description

Max documents per Specify the maximum number of documents to update for each site.
update
Only the number of files specified will be updated. The default setting is 100 files.

Update Mode Specify the method devices can use to update Published sites.
Select either Wi-Fi Only or Wi-Fi and Cellular.
MobileIron recommends using Wi-Fi only if you support large number of
documents.

4. Click Save.
5. Select the Docs@Work configuration.
6. Click More Actions > Apply To Label.
7. Select the appropriate labels to which you want to apply the configuration.
8. Click Apply.

NOTE: Docs@Work is a document centric application. It relies on an API (in native mode) to query directories
and files. If the entity that is queried is not a folder or a file, then the APIs fail. As a result, List support is
limited to only DocumentLibrary. No other type of List is supported.

Support for variables in configuring content sites

Variables allow you to configure content server access that is specific to the user or group. For example, in Active
Directory, you can specify a user’s home directory on a network drive as an attribute. If you include the variable in
the URL for the content site, the user's view of the network drive will be their home folder.

Prerequisites for using variables for configuring content sites

• Requires LDAP or AD integration.

Supported Content sites for variables

• SharePoint (including Office 365)
• Network Drives
• Cloud Storage

Variables for Box and Dropbox are not supported.

Supported variables for configuring content sites

$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$USER_UPN$
$DISPLAY_NAME$
$USER_CUSTOM1$
$USER_CUSTOM2$

MobileIron Docs@Work 2.8.0 for iOS Guide | 17

 Configuring Docs@Work for iOS

$USER_CUSTOM3$
$USER_CUSTOM4$

Verifying the SharePoint URL

You can view the SharePoint or WebDAV URL in Docs@Work that you should use when configuring a SharePoint
or WebDAV site. This allows you to verify and enter the correct URL in the Docs@Work configuration in MobileIron
Core to configure SharePoint and WebDAV group sites.

Procedure
1. Add the SharePoint or WebDAV site as a User site in Docs@Work.
2. In Docs@Work, tap on the SharePoint or WebDAV site.
3. Navigate to the folder you want to configure as a Group site.
4. Tap, hold, and then release the ... menu.
The menu items will display.

MobileIron Docs@Work 2.8.0 for iOS Guide | 18

 Configuring Docs@Work for iOS

5. Select one of the menu items to either view the URL or email the URL.

Item Description

Email path A draft email message with the site URL displays.
Enter an email address to email the URL path.

Show path The URL path for the content site displays.

Adding Box enterprise as a Group site

You add a key-value pair in the Custom Configurations section to configure Box as a Group site. Group sites are
automatically pushed to the Docs@Work app.

Procedure
1. In the Core Admin Portal, go to Policies & Configs > Configurations > Add New > Docs@Work >
Docs@Work.
2. Scroll down to the Custom Configurations section.
3. Add the SITE_DETAILS_N key-value pair. For more information, see “Key-value pairs to configure app
behavior” section.
4. Click Save.

Device users can also add a Box User site.

NOTE: iOS devices support one Group site and multiple user sites.

Adding a SharePoint Group site with Federated authentication

You add a key-value pair in the Custom Configurations section to configure a SharePoint site that uses
Federated authentication as a Group site. Group sites are automatically pushed to the Docs@Work app. If
authentication to the SharePoint server is done using Active Directory Federation Services (ADFS), the users must
enter their enterprise AD or LDAP credentials to authenticate to the server.

Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations > Add New > Docs@Work
> Docs@Work.
2. Scroll down to the Custom Configurations section.
3. Add the SITE_DETAILS_N key-value pair. For more information, see “Key-value pairs to configure app
behavior” section.
4. Click Save.

MobileIron Docs@Work 2.8.0 for iOS Guide | 19

 Configuring Docs@Work for iOS

Adding a SharePoint Group site with derived credentials

Derived credentials with Entrust PIV-D certificates and p12 certificates are supported for SharePoint sites with
ADFS. See the MobileIron Derived Credentials with Entrust Guide for information about how to set up derived
credentials with Docs@Work.

Adding Google Drive as a Group site

You add a key-value pair in the Custom Configurations section to configure Google Drive as a Group site. Group
sites are automatically pushed to the Docs@Work app.

NOTE: Variables are not supported in the URL for configuring the Google Drive site. For example, you will not
be able to specify a user name as part of the JSON value. However, you can configure
fAUTOFILL_CREDENTIALS key-value pair to autofill the username for Google Drive.

Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.
2. Select the Docs@Work configuration to which you want to add Google Drive.
3. Click Edit.

4. Scroll down to the Custom Configuration section.

5. Click Add+ to enter the following key value pair:

Key Value

SITE_DETAILS_N Enter parameters for the content site in the following JSON format:
Where n is a number 1- {"name":"name for the site","domain":"GoogleDrive","url":"https://
100 drive.google.com”}
Example:
NOTE:
SITE_DETAILS_1 • Values are case sensitive.
Description
name for the site: Enter a name for the site. Example: Google Drive.

6. Click Save.

MobileIron Docs@Work 2.8.0 for iOS Guide | 20

 Configuring Docs@Work for iOS

Authentication with an identity provider (IdP)

If your Google Drive setup uses an identity provider (IdP) for authentication, device users are directed to the IdP
without having to go through any intermediate screens.

If Google Drive is set up through the Docs@Work configuration in MobileIron Core, you must also configure the
AUTOFILL_CREDENTIALS key-value pair to enable this feature.

Configuring DFS content site

Distributed File System (DFS) allows administrators access to group shared folders located on different servers by
transparently connecting them to one or more DFS namespaces. DFS uses CIFS protocol.

Requirements
• Standalone Sentry 8.0.1 through the most recently released version as supported by MobileIron.
• Standalone Sentry 8.5.0 through the most recently released version as supported by MobileIron is required for
create, upload, and delete (CUD) operations for files and folders.
• MobileIron Core 9.0.0.0 through the most recently released version as supported by MobileIron.

Before you begin

• Ensure that you have Standalone Sentry set up for AppTunnel.
DFS traffic must be tunneled through Standalone Sentry.
NOTE: Context headers, server-side proxy, and ATC are not supported for tunneling to DFS servers.
• Ensure that the necessary SCEP or Certificate setting is created. You will reference the SCEP or Certificate
setting when you create the AppTunnel rule in the Docs@Work configuration.

Configuration tasks summary

The following configuration tasks are required. These tasks are done in the MobileIron Core Admin Portal.
1. Enable DFS in Standalone Sentry settings.
See “Enabling DFS” on page 21.
2. Configure an AppTunnel service for a CIFS repository in Standalone Sentry settings.
See “Configuring an AppTunnel service for DFS” on page 21.
3. Configure AppTunnel rules and DFS content site in Docs@Work configuration.
See “Configuring AppTunnel rules and DFS site in the Docs@Work setting” on page 22.

Enabling DFS
1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, select the check box for Enable DFS.

Configuring an AppTunnel service for DFS

1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, under Services, click + to add a new service.

MobileIron Docs@Work 2.8.0 for iOS Guide | 21

 Configuring Docs@Work for iOS

4. Use the following guidelines to configure a tunnel service:

Item Description

Service Name The Service Name is used in the Docs@Work configuration for setting up tunneling to
the content repository.
Enter one of the following:
• A unique name for the service that Docs@Work accesses. One or more of your
internal app servers provide the service. You list the servers in the Server List
field.
- The service name must begin with CIFS_.
- A service name cannot contain these characters: 'space' \ ; * ? < > " |.
• <CIFS_ANY>
Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based or DFS
content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based or
DFS content server contains wildcards for tunneling, such as *.myCompany.com.

NOTE THE FOLLOWING:

• The order of the Service Name entries does not matter.
• Do not select <ANY>, <TCP_ANY>, <IP_ANY>, or <IP_ANY_WP8.1> for
tunneling to DFS.

Server Auth Select Pass Through

The Sentry passes through the authentication credentials, such as the user ID and
password (basic authentication) or NTLM, to DFS.

Server List NOTE: The Server List field is not applicable when the service name is
<CIFS_ANY>.
Enter the DFS server’s host name or IP address (usually an internal host name or IP
address). Include the port number on the DFS server that Standalone Sentry can
access.
Example: fs1.companyname.com:445
You can enter multiple servers. Depending on the Global Configuration settings for
the Sentry, either round-robin or priority distribution is used to load balance the
servers. Separate each server name with a semicolon.
Example: fs1.companyname.com:445;fs2.companyname.com:445
TLS Enabled Not applicable for app tunnel to DFS.

Proxy/ATC Not applicable for app tunnel to DFS.

Server SPN List Not applicable for app tunnel to DFS.

5. Click Save.

Configuring AppTunnel rules and DFS site in the Docs@Work setting

1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select the Docs@Work configuration and click Edit.

MobileIron Docs@Work 2.8.0 for iOS Guide | 22

 Configuring Docs@Work for iOS

3. In the AppTunnel Rules section, use the following guidelines to add an AppTunnel rule for CIFS repository:

Item Description

AppTunnel Rules
Configure AppTunnel rules settings for Docs@Work.
When Docs@Work tries to connect to the URL configured here, Standalone Sentry creates a tunnel to the
content server.
To add an AppTunnel entry, click + .
To delete an AppTunnel entry, click - .

Sentry Select the Standalone Sentry on which you configured the AppTunnel service.
The drop-down list contains all Standalone Sentrys that are configured to support
AppTunnel.

Service Select an AppTunnel Service Name from the drop-down list.

This service name specifies an AppTunnel service configured in the App
Tunneling Configuration section of the specified Sentry.

URL Wildcard Enter one of the following:

• A content server’s hostname
Example: cifs-windows.yourcompany.com
• A hostname with wildcards, if the Service Name is <CIFS_ANY>. The
wildcard character is *.
Example: *.yourcompanyname.com
If you want finer granularity regarding what requests Standalone Sentry tunnels,
configure multiple AppTunnel rows.
The Sentry and Service fields that you specify in this AppTunnel row determine
the target content server.

NOTE THE FOLLOWING:

A hostname with wildcards works only with the service <CIFS_ANY>. Unlike
services with specific service names, these services do not have associated app
servers. The Standalone Sentry tunnels the data to the URL specified in the app.
MobileIron recommends that you carefully consider how you use wildcards. For
example, do not use just * for the URL.
The order of these AppTunnel rows matters. If you specify more than one
AppTunnel row, the first row that matches the hostname requested is chosen.
That row determines the Standalone Sentry and Service to use for tunneling.
Do not include a URI scheme, such as http:// or https:/, in this field.

Port Enter the port number that Docs@Work can request. Typically, the port number
is 445.

Identity Certificate Select the Certificate or the SCEP profile that you created for devices to present
to the Standalone Sentry that supports app tunneling.

MobileIron Docs@Work 2.8.0 for iOS Guide | 23

 Configuring Docs@Work for iOS

4. In the Content Sites section, enter the following information:

Item Description

Name Enter a name for the content site.

This name will be displayed on the device.

URL Enter a valid URL for the DFS. Both domain name and IP address are supported.
A valid URL must start with http:// or https://.
Format example:
https://resolvablehostname:445/URL
Variables:
You can enter a valid URL with variables for the content site. Variables in the protocol or
the hostname are not supported. See also, “Support for variables in configuring content
sites” on page 17.
Examples with variables:
\\$USER_CUSTOM1$
Format of DFS URL with UserId:
https://resolvablehostname:445/users/$USERID$

NOTE THE FOLLOWING:

LDAP or AD integration is required for using variables.

If the Site URL is invalid, it will not be distributed to users.

Domain Select CIFS from the drop-down list.

Subdomain Select NetworkDrive from the drop-down list.

Authentication Select if the device has to authenticate to the server.

NOTE: Only basic authentication is supported.

Published Site Select to designate the site as a Published site.

5. Click Save.
6. Select the Docs@Work configuration.
7. Click More Actions > Apply To Label.
8. Select the appropriate labels to which you want to apply the configuration.
9. Click Apply.

Configuring an AppTunnel service

You create an AppTunnel service in Standalone Sentry as part of the AppTunnel setup required to tunnel traffic to
content repositories. CIFS traffic must be tunneled through Standalone Sentry.

MobileIron Docs@Work 2.8.0 for iOS Guide | 24

 Configuring Docs@Work for iOS

Before you begin

Ensure that you have a Standalone Sentry that is set up for AppTunnel and the necessary device authentication is
also configured. See “Configuring Standalone Sentry for app tunneling” in the MobileIron Sentry Guide.

Procedure
1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, under Services, click + to add a new service.
4. Use the following guidelines to configure a tunnel service:

Item Description

Service Name The Service Name is used in the Docs@Work configuration for setting up tunneling
to the content repository.
Enter one of the following:
• A unique name for the service that the AppConnect app on the device accesses.
One or more of your internal app servers provide the service. You list the servers
in the Server List field.
For example, some possible service names are:
- SharePoint
- Human Resources
A service name cannot contain these characters: 'space' \ ; * ? < > " |.
Special prefixes:
- For app tunnels that point to CIFS-based content servers, the service name
must begin with CIFS_.
• <ANY>
Select <ANY> to allow tunneling to any URL that the app requests. Typically, you
select <ANY> if an AppConnect app’s app configuration specifies a URL with
wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels the data
for any URL request that the app makes that matches the URL with wildcards.
The Sentry tunnels the data to the app server that has the URL that the app
specified. The Server List field is therefore not applicable when the Service Name
is <ANY>.
For example, consider when the app requests URL
myAppServer.mycompany.com, which matches *.mycompany.com in the app
configuration. The Sentry tunnels the data to myAppServer.myCompany.com.
Docs@Work typically uses the <ANY> service, so that it can browse to any of
your internal servers.
NOTE: Do not select the <ANY> option for tunneling to CIFS-based content
servers, Office 365, Box, and Dropbox. For CIFS-based content servers,
select <CIFS_ANY>.
• <CIFS_ANY>
Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content
server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based content
server contains wildcards for tunneling, such as *.myCompany.com.
NOTE: The order of the Service Name entries does not matter.

MobileIron Docs@Work 2.8.0 for iOS Guide | 25

 Configuring Docs@Work for iOS

Item Description

Server Auth Select the authentication scheme for the Standalone Sentry to use to authenticate
the user to the app server:
• Pass Through
The Sentry passes through the authentication credentials, such as the user ID
and password (basic authentication) or NTLM, to the app server.
• Kerberos
The Sentry uses Kerberos constrained delegation (KCD). KCD supports Single
Sign On (SSO). SSO means that the device user does not have to enter any
credentials when the AppConnect app accesses the app server.
The Kerberos option is only available if you selected Identity Certificate for
Device Authentication.

Server List Enter the app server’s host name or IP address (usually an internal host name or IP
address). Include the port number on the app server that the Sentry can access.
Example:
sharepoint1.companyname.com:443
Acceptable characters in a host name are letters, digits, and a hyphen. The name
must begin with a letter or digit.
You can enter multiple servers. The Sentry uses a round-robin distribution to load
balance the servers. That is, it sets up the first tunnel with the first app server, the
next with the next app server, and so on. Separate each server name with a
semicolon.
Example:
sharepoint1.companyname.com:443;sharepoint2.companyname.com:443
NOTE: The Server List field is not applicable when the service name is <ANY>
or <CIFS_ANY>.

TLS Enabled Select TLS Enabled if the app servers listed in the Server List field require SSL.
This option is not applicable when the service name is <ANY> or <CIFS_ANY>.

NOTE: Although port 443 is typically used for https and requires SSL, the app
server can use other port numbers requiring SSL.

MobileIron Docs@Work 2.8.0 for iOS Guide | 26

 Configuring Docs@Work for iOS

Item Description

Proxy/ATC Select if you want to direct the AppTunnel service traffic through the proxy server.
You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).

Server SPN List Enter the Service Principal Name (SPN) for each server, separated by semicolons.
For example:
sharepoint1.company.com;sharepoint2.company.com.
The Server SPN List applies only when the Service Name is not <ANY> and the
Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN, you can leave the
Server SPN List empty. However, if you include a Server SPN List, the number of
SPNs listed must equal the number of servers listed in the Server List. The first
server in the Server List corresponds to the first SPN in the Server SPN List, the
second server in the Server List corresponds to the second server in the Server SPN
List, and so on.

NOTE: When the Service Name is <ANY> and the Server Auth is Kerberos, the
Standalone Sentry assumes that the SPN is the same as the server name
received from the device.

5. Click Save.

Related topics

For more information on configuring AppTunnel, advanced traffic control, and AppTunnel rules, see “Configuring
an AppTunnel service” in the AppConnect and AppTunnel Guide.

Configuring AppTunnel rules

You create AppTunnel rules in the Docs@Work configuration as part of an AppTunnel setup required to tunnel
traffic to content repositories. When Docs@Work tries to connect to the URL configured in AppTunnel Rules,
Standalone Sentry creates an AppTunnel to the content server.

NOTE THE FOLLOWING:

• MobileIron strongly recommends that you do not configure AppTunnel rules with '*' in the URL. Docs@Work
may not be able to activate the license for the embedded editor, impacting viewing and editing functionality.
• Standalone Sentry does not support tunneling traffic to Office 365, Box, and Dropbox. Therefore, if you are
configuring access to Office 365, Box, or Dropbox, do not use URL patterns (example: *) to configure the
AppTunnel traffic rules.

Before you begin

Ensure the following:

• Standalone Sentry is configured for AppTunnel.
• An AppTunnel service is configured in Standalone Sentry. See “Configuring an AppTunnel service” on page 24.

MobileIron Docs@Work 2.8.0 for iOS Guide | 27

 Configuring Docs@Work for iOS

Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.
2. Select for the Docs@Work configuration you want to add AppTunnel rules.
3. Click on Edit.
4. In the AppTunnel Rules section click on Add+.
5. Use the following guidelines to create an AppTunnel rule:

Item Description

AppTunnel Rules

Sentry Select the Standalone Sentry that you want to tunnel the URLs listed in this AppTunnel
entry. The drop-down list contains all Standalone Sentrys that are configured to support
AppTunnel.

Service Select a Service Name from the drop-down list.

This service name specifies an AppTunnel service configured in the App Tunneling
Configuration section of the specified Sentry.

URL Wildcard Enter one of the following:

• A content server’s hostname
Example: finance.yourcompany.com
• A hostname with wildcards. The wildcard character is *.
Example: *.yourcompanyname.com
If you want finer granularity regarding what requests the Standalone Sentry tunnels,
configure multiple AppTunnel rows.

URL Wildcard The Sentry and Service fields that you specify in the AppTunnel row determine the target
content server.

NOTE THE FOLLOWING:

• A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>. Unlike
services with specific service names, these services do not have associated app
servers. The Standalone Sentry tunnels the data to the app server that has the URL that
the app specified.
• The order of these AppTunnel rows matters. If you specify more than one AppTunnel
row, the first row that matches the hostname requested is chosen. That row determines
the Standalone Sentry and Service to use for tunneling.
• Do not include a URI scheme, such as http:// or https:/, in this field.
• If you are directing Office 365, Box, or Dropbox traffic through an AppTunnel, do not use
URLs with wildcards.

NOTE: Tunneling traffic through Standalone Sentry is not supported for Box and
Dropbox.
• Docs@Work data is tunneled only if the Docs@Work request matches the hostname in
the URL Wildcard field and the port number specified in the Port field.

MobileIron Docs@Work 2.8.0 for iOS Guide | 28

 Configuring Docs@Work for iOS

Item Description

Port Enter the port number that Docs@Work requests to access.

App data is tunneled only if the app’s request matches the hostname in the URL Wildcard
field and this port number.

NOTE: If a port number is not configured, for http and https traffic, the default port is
used. The default port used for http is 80 and the default port used for https is
443.

Identity Select the Certificate or the SCEP profile that you created for devices to present to the
Certificate Standalone Sentry that supports app tunneling.

Configuring attachment control

Configuring email attachments to open in Docs@Work and encrypt, protects corporate data from being leaked.

Before you begin

A Standalone Sentry set up for ActiveSync is required to enable device users to open encrypted email attachments
in Docs@Work.

See “Configuring Standalone Sentry for ActiveSync” in the MobileIron Sentry Guide for information about how to
set up a Standalone Sentry for ActiveSync.

Procedure
1. In the Admin Portal, go to Services > Sentry.
2. Select the Standalone Sentry that handles email for the devices.
3. Click the edit icon.
4. In the section Attachment Control Configuration, select Enable Attachment Control.
5. For iOS using native Email, select Open with Docs@Work and protect with encryption.
6. Click Save.

For information on setting up Standalone Sentry and configuring attachment control, see “Email attachment control
with Standalone Sentry” in the MobileIron Sentry Guide.

What users see

When the device user opens an email attachment,

• the attachment is automatically downloaded to the Imported Files folder in My Files. An Imported Files folder is
automatically created if one did not already exist.
• if the document type is supported, the attachment is automatically opened for viewing.

MobileIron Docs@Work 2.8.0 for iOS Guide | 29

 Configuring Docs@Work for iOS

Main steps for configuring Docs@Work for iOS (Cloud)

You can configure Docs@Work for cloud.

Before you start

• Decide which repositories you want to make available. All repositories you configure for Docs@Work are
visible to all users. You can provide select users with instructions for accessing restricted repositories.
• Decide whether you want to make each repository a published site. Content on published sites is automatically
downloaded and mirrored on devices.
• Collect the following information for each repository:
- URL for the site
- type of repository (SharePoint, WebDAV)
- subtype of repository (Office 365, NetworkDrive, and so on.)

Follow these steps to configureDocs@Work:

1. Edit the Default AppConnect device configuration or create a new one.

NOTE: If the same settings will apply to all user groups and all AppConnect-enabled apps, then you can edit
the default configuration. Only one AppConnect device configuration can be applied to a given
device and all AppConnect-enabled apps on that device.
2. Add the Docs@Work app to the app catalog.
• Under Advanced Options and App Configuration, provide the following information for each content site you
want to display in Docs@Work:

MobileIron Docs@Work 2.8.0 for iOS Guide | 30

 Configuring Docs@Work for iOS

Item Description

App Configuration

URL Enter a URL for the content site.

The URL must include http:// or https://. Both domain name and IP address are supported.

Domain Select the type of content site you are configuring:

• SharePoint (Select SharePoint for One Drive for Business.)
• WebDAV

Subdomain Select the subdomain type for the content site:

• SharePoint: Office 365, Corporate

Select Office 365 if you are configuring OneDrive for Business.

• WebDAV: NetworkDrive, CloudStorage

Authentication Select if you want the device to authenticate to the server.

Published Site Select to designate the site as a published site.

All content in a published site is automatically downloaded and mirrored locally on the
device when the device syncs. If the option is not selected, the user must manually
download the content.

A Web View site cannot be configured as a published site, and a published site cannot be
configured as a Web View site.

NOTE: Published sites for SharePoint are not supported at root, site, and subsite levels.
Published sites are supported at document library and folder levels. MobileIron
recommends that published sites be set for publishing 50-100 documents..
Web View Only for SharePoint domains.
Select to allow users to view and navigate SharePoint folders in browser view.

• Provide the following information for the published sites:

MobileIron Docs@Work 2.8.0 for iOS Guide | 31

 Configuring Docs@Work for iOS

Item Description

Published site

Update Interval Specify the updated interval for published sites.

(Minutes)
The Default setting is every 60 minutes.

Max auto Specify the maximum file size for automatic download. Files above this size will not be
download size automatically downloaded. The default setting is 500 MB.
(MB)

Max Specify the maximum number of documents to update for each updated site. Only the
documents per number of files specified will be updated. The default setting is 100 files.
update

Update Mode Specify the method devices can use to update published sites. Select either Wi-Fi Only or
Wi-Fi and Cellular. MobileIron recommends using Wi-Fi Only if you support large number of
documents.

• Select a device group for app distribution.

User-added sites
Users can add the following types of sites:
• Box
• Cloud Storage
• Dropbox
• Network Drive
• SharePoint

MobileIron Docs@Work 2.8.0 for iOS Guide | 32

 Configuring Docs@Work for iOS

To add corporate sites, the user will need the following information:
• The site’s URL. The URL must include http:// or https://. Both domain name and IP address are supported.
• Type of Authentication for Network drives. The authentication setting is labeled No Authentication.
• Device users should enable this setting, if the site does not require authentication.
• Type of authentication for SharePoint servers:

Authentication
type Description

Corporate User authenticates with on-premise SharePoint using either Windows NTLM or
Forms-based authentication with corporate credentials. User credentials can be
domain\username or just username, depending on how SharePoint is set up with
Windows domain authentication.

Office 365 User authenticates with Office 365 SharePoint using the authentication
mechanism supported by Office 365. User credentials map to the user’s account
on Office 365, or to the user’s AD credentials. If Office 365 has been integrated
with corporate AD, then user’s SharePoint credentials map to AD credentials.

NoAuthn User doesn’t need to provide credentials for authentication. The SharePoint
server supports anonymous access..

• Web View. For SharePoint sites, the user can turn on Web View to be able to view and navigate SharePoint
folders in browser view.

Docs@Work installation on an iOS device (Core and

Cloud)
Device users can install Docs@Work from a notification they receive on their iOS device, or from the MobileIron
app catalog on their device.
• Docs@Work for iOS installation from notification: After you send an installation request for Docs@Work for
iOS, users receive a notification that prompts them to install the new or updated app. By tapping Install,
Docs@Work for iOS is installed to the device.
• Docs@Work for iOS installation from the MobileIron app catalog: When a featured app or an update to an
installed app is published to device users, those users see a badge that appears on the corresponding tab in
the MobileIron app catalog.
The number on the badge indicates the number of apps or updates available. The availability of an update is
determined by comparing the version number for the installed app to that of the newly-published app.

After importing Docs@Work for iOS into the app distribution library, the app appears in Apps@Work on the
device. Tap the entry for Docs@Work and follow the prompts to install the app.

AES-256-GCM encryption for email attachments

You can configure Docs@Work to use 256-bit encryption. If you already have Docs@Work (original) enabled and
are now enabling Docs@Work, the system continues to use 128-bit encryption for email attachments. To use 256-

MobileIron Docs@Work 2.8.0 for iOS Guide | 33

 Configuring Docs@Work for iOS

bit encryption with Docs@Work, you must first disable Docs@Work (Original) and then regenerate the attachment
encryption key. A 256-bit key is only generated if Docs@Work (Original) is disabled and all Standalone Sentrys are
at least at version 6.1.0.

Docs@Work Encryption key

(Original) Docs@Work Sentry Version generated

Enabled Enabled - AES-128-ECB

Disabled Enabled Some Standalone Sentrys are AES-128-ECB

at least at version 6.1.0.

Disabled Enabled All Sentrys are at least at AES-256-GCM

version 6.1.0.

NOTE THE FOLLOWING:

• Key regeneration causes a restart for all Standalone Sentrys that use encryption for attachment control. A
restart can cause a brief interruption in email service to device users.
• After regenerating the encryption key, iOS device users who use the iOS native email client cannot read
previously received attachments. If device users need to read previously received attachments, re-push the
Exchange setting to the devices. MobileIron advises caution when re-pushing the Exchange setting. Re-
pushing the Exchange setting increases the load on the Exchange server.

TIP: After you upgrade Standalone Sentry, in the Core Admin Portal, go to Services > Overview, and click
Verify for the Standalone Sentry. This action immediately updates the Standalone Sentry version in Core.
Otherwise, the Standalone Sentry version in Core is updated at the next sync. All Standalone Sentry
versions in Core must be at least at version 6.1.0 to generate a 256-bit key.

Configuring 256-bit encryption

You will need to enable 256-bit encryption, if you previously had Docs@Work (Original) enabled.

Procedure
1. Ensure that all Sentrys configured on Core are at least at version 6.1.0.
2. In the Admin Portal, go to Settings > System Settings.
3. Scroll down to the Additional Products section.
4. Click on Licensed Products.
5. De-select Enable Docs@Work (Original).
6. Ensure that Enable Docs@Work is enabled.
7. Click on Save.
8. Go to Settings > Sentry, and click Preferences.
9. In the Standalone Sentry section, click Regenerate Key.

Related topics

For information about regenerating the encryption key, see “Regenerating the encryption key” in the MobileIron
Sentry Guide.

MobileIron Docs@Work 2.8.0 for iOS Guide | 34

 Configuring Docs@Work for iOS

Configuring certificate pinning

To use Certificate Pinning, in Docs@Work configuration enable Client TLS option and select the configured Client
TLS configuration listed to provide more security between Docs@Work and enterprise server communication. For
more information to configure Client TLS see, Creating a Client TLS configuration section in the MobileIron Core
AppConnect and AppTunnel Guide.

MobileIron Docs@Work 2.8.0 for iOS Guide | 35

 3

Additional configurations using key-value pairs

• Configuring Docs@Work application behavior

• Key-value pairs to configure app behavior
• What users see
• Edit functionality in Docs@Work

Key-value pairs allow you to manage and control the device user experience in the following ways:
• Making it easier for the device user to email you logs for the app.
• Controlling the detail in the device logs to help troubleshoot issues.
• Controlling which types of sites device users can add to Docs@Work.
• Restricting the number of User sites device users can add.
• Disabling editing in Docs@Work
• Enabling the embedded viewer in Docs@Work
• Autofilling username and domain

Unless otherwise noted, key-value pairs are not case sensitive.

Configuring Docs@Work application behavior

To configure app behavior, you add key-value pairs in the Custom Configurations section of the Docs@Work
configuration.

Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.
2. Select for the Docs@Work configuration you want to edit.
3. Click Edit.
4. In the Custom Configurations section click on Add+ to add a key-value pair.
See “Key-value pairs to configure app behavior” on page 37.
5. Click Save.

MobileIron Docs@Work 2.8.0 for iOS Guide | 36

 Additional configurations using key-value pairs

Key-value pairs to configure app behavior

TABLE 1. KEY-VALUE PAIRS TO CONFIGURE APP BEHAVIOR

Value: Enter/Select
Key one Description and Value

Specify the level of detail for logs

log_level • DEBUG Select one of the following:

• INFO • DEBUG: Includes debug level
• WARNING information for application flow
• ERROR and request, response messages
for target repositories. This is the
highest level and verbose, so
choose this level only when
needed.
• INFO: Includes only information
related to specific flows and
requests.
• WARNING: Includes only
warnings about runtime errors and
target repositories.
• ERROR: Includes only runtime
errors, and error and status codes
from requests to target
repositories.

Email logs

support_email_id Enter a valid email Automatically populates the email

address. address when the device user emails
the device logs.

Block adding content

MobileIron Docs@Work 2.8.0 for iOS Guide | 37

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

blocked_storage_domains • Box Blocks device users from adding the

• WebDav content site to Docs@Work:
• CIFS Enter the values as a semicolon (;)
• SharePoint separated list.
Example: Box;Dropbox;CIFS
Microsoft SharePoint includes Office
365 SharePoint sites.
• If SharePoint, Box, or Dropbox is
blocked, the option will not be
available when the device user
tries to add a site.
• If WebDAV is blocked, both
Network Drive and Cloud storage
options will not be available. All
WebDAV and CIFS sites will be
removed from Docs@Work.
• If CIFS is blocked, the device user
is presented with an error
message when trying to add a
CIFS site. Existing CIFS sites will
be removed. WebDAV sites will
not be removed. Network Drive
and Cloud storage options will
continue to be available when the
device user tries to add a site.
• Documents from the blocked sites
marked as Favorites or in Recents
will be removed. Documents in My
Files are not removed.
Block adding user sites

disable_user_sites true Blocks device users from adding sites

to Docs@Work.
false
User added sites will be removed.
Documents from User sites marked
as Favorites or in Recents will be
removed.

Restrict number of allowed user sites

MobileIron Docs@Work 2.8.0 for iOS Guide | 38

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

restrict_number_of_user_sites Connector type: Restricts the number of User sites

Number of sites that that a device user can add. If a site
are allowed. type is not configured, there are no
restrictions on the number of User
For example: sites for that site type.
SharePoint:2, Box:1 Restricting number of User sites has
no impact on blocked sites. This key-
value pair only applies to allowed
sites. The configuration is ignored if
DISABLE_USER_SITES is true.

Enter the following value:

• site type and number in the
following format:
Site type1:number; Site
type2:number.
Valid entries for site type are:
SharePoint, Box, Dropbox, WebDAV,
CIFS.
Number is a positive integer greater
than 0.
In this example, the device user will
be able to add up to two SharePoint
sites, and only one Box site. There
are no restrictions on any other type
site.

Disable editing

disable_editing true Disables the following in My Files and

all content sites in Docs@Work:
false
• Editing.
• Creating new files and folders.
• Importing images from photo
gallery.
• Uploading to and deleting files in
the backend resource.

Add group sites using key-value pairs

MobileIron Docs@Work 2.8.0 for iOS Guide | 39

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

SITE_DETAILS_N Where n is a number Adding a SharePoint Group site with

1-100 Federated authentication
Example: name for the site: The name is
displayed in the Docs@Work app.
SITE_DETAILS_1
valid url for the content repository
Enter parameters for
including port: The URL must start
the content site in the
with http:// or https://. Both domain
following JSON
name and IP address are supported.
format:
If priority is not defined, the default
{"name":"name for
setting is false. "priority":"false"
the site","url":"valid
identifies the content site as a Group
url for the content
site. Configuring “priority”:“true”
repository including
identifies the site as a Published site.
port","domain":"Shar
You can configure a site as a
ePoint",
Published site only if “subDomain” is
"subDomain":"Federa
also configured.
ted","priority":“true |
false”, If "webView":"true", the SharePoint
"webView":“true | documents can be opened in
false”} Microsoft’s online web viewer and
editor. The site is automatically a
Example to add a
Group site. It cannot be configured as
Google drive:
a Published site.
{"name":"Google
Pushing Google Drive from Core.
Group","domain":"Go
ogleDrive","url":"https
://drive.google.com"}
Pushing Enterprise Box Site from
Example to add a Core.
Box Site: Example:
{"name":"Box1","dom {"name":"SharePoint","url":"https://
ain":"BoxEnterprise"," sharepoint.acme.com","domain":"Sha
url":"https:// rePoint","subDomain":"Federated","pr
www.box.com"} iority":"false"}

NOTE:
• Ensure that there
are no spaces
• Values are case
sensitive

Required
parameters:
“name”, “url”,
“domain”,
“subDomain”

Autofill Credentials

MobileIron Docs@Work 2.8.0 for iOS Guide | 40

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

autofill_credentials Automatically URL: Enter the URL for the content

populates the user site. Include the protocol. Example:
name for the content http, https.
site.
Domain Type: Enter one of the
Enter parameters for following: SharePoint, WebDAV, Box,
the content site in the BoxEnterprise, GoogleDrive, CIFS.
following JSON
Domain: Enter the domain name to
format:
which the username defaults if the
{"URL":{"domainType username for the URL cannot be
": resolved. Variables are not supported.
"DomainType","userN
ame":"$USERID$"}, Examples:
"default":"Domain/ • {"https://sharepoint.miacme.com":
$USERID$"} {"domainType":"SharePoint","user
Name":"miacme/
NOTE: For JSON $USERID$"},"default":"miacme.co
format: m/$USERID$"}
- Ensure that • {"https://
there are no sharepoint.miacme.com":{"domai
spaces. nType":"SharePoint","userName":
- Values are "miacme\\$USERID$"},"default":"
case miacme.com\\$USERID$"}
sensitive. • {"default": "domain/$USERID$"}
- Ensure that NOTE: Copying and pasting
the JSON JSON strings might result
format is in invalid JSON.
valid. MobileIron recommends
- The variable that you validate the
JSON string before using
for user name
it. There are validator
can be
tools such as JSONLint
preceded by
(jsonlint.com) that will
either a single
help validate the JSON
forward slash
string.
or two back
slashes:
Domain/
$USERID$ or
Domain\\$US
ERID$

Custom browser applications rather than default Safari browser

MobileIron Docs@Work 2.8.0 for iOS Guide | 41

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

http_prefix • mibrowser Allows users to tap on a URL starting

URLs starting with http:// and view the site in a
with http:// are browser. If the key-value pair is not
opened in configured, users will not be able to
Web@Work. view an http link in a browser.
• http If the key-value pair is not configured,
URLs starting http:// links are not opened in any
with http:// are browser.
opened in Safari.
MobileIron recommends that both
• googlechrome HTTP_PREFIX and HTTPS_PREFIX
URLs starting are configured. If only one URL
with http:// are scheme is configured, the
opened in Google unconfigured URL scheme will not be
Chrome. opened in any browser, thus
impacting user experience.

https_prefix • mibrowsers Allows users to tap on a URL starting

URLs starting with https:// and view the site in a
with https:// are browser. If the key-value pair is not
opened in configured, users will not be able to
Web@Work. view an https link in a browser.
• https If the key-value pair is not configured,
URLs starting https:// links are not opened in any
with https:// are browser.
opened in Safari.
MobileIron recommends that both
• googlechrome HTTP_PREFIX and HTTPS_PREFIX
URLs starting are configured. If only one URL
with http:// are scheme is configured, the
opened in Google unconfigured URL scheme will not be
Chrome. opened in any browser, thus
impacting user experience.

Apply SSO label to add SharePoint site flow

apply_sso_label • true Changes the NoAuthn label to

• false Corporate single sign-on (SSO) in
Docs@Work. The NoAuthn option is
seen in the Authentication settings
for SharePoint sites in Docs@Work.
There is no functional change.

Share PDF documents

ENABLE_PDF_DOCUMENT_DEFINE • true Makes the Share option available for

• false PDF documents.

Default to Polaris Viewer instead of iOS Native Viewer

MobileIron Docs@Work 2.8.0 for iOS Guide | 42

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

enable_polaris_viewer • true Use this key-value pair to set the

• false Docs@Work embedded viewer as
default instead of iOS Native viewer.

Enable Polaris document content share

ENABLE_POLARIS_DOCUMENT_CONTENT_SHARE • true Makes the Share option available for

• false Microsoft Office documents in Polaris
editor, regardless of whether Copy or
Paste is enabled in AppConnect
policy.
This key-value pair is case sensitive.

Load/Authentication SharePoint for WebView

ENABLE_WEBVIEW_AUTHENTICATION • true Use this key-value pair if the

• false SharePoint server is not set up to use
persistent authentication cookies and
users encounter issues with opening
WebView for SharePoint sites.
This key-value pair is case sensitive.

Custom email app such as Email+ client

mailto_prefix To open Email+, use Brings up the email client for which
email+launcher:// the schema is configured in
docsatwork?url=mailto: mailto_prefix.
To open IBM Verse, Use this key-value pair to open the
use email client for which the schema is
ibmverse:// configured in mailto_prefix.
com.ibm.lotus.travele Support for third party email client
r/mailto?to= enabled.
To open SecurePIM,
use
spmailto:

Enable Certificate Based Authentication (CBA)

MobileIron Docs@Work 2.8.0 for iOS Guide | 43

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

IdCertificate_1_host IdCertificate_1_host Use this key-value pair to enable the

certificate-based authentiation (CBA).
IdCertificate_1
For example:
cert_hostname such as
(defender.stutz.qa.domain.com)
SharePoint
client-scep using authentication type.
This key-value pair is case sensitive.

Display SharePoint title for files and folders

show_title • true Displays user friendly title for files and

• false folders in SharePoint.
Use the following values to set the
key-value pair:
• true: Enables title display.
• false: Disables title display.
The default value is set to false.

Allow sending analytics from Docs@Work to Mixpanel

allow_analytics • true Use the following values to set the

• false key-value pair:
• true: Enables sending analytics
from Docs@Work to Mixpanel.
• false: Disables sending analytics
from Docs@Work to Mixpanel.
If the key-value pair is not defined in
the configuration, allow_analytics is
set to true by default.

Enable watermarks when viewing documents

watermark_text Use a user identifying Displays a diagonal watermark text

variables as values (provided by the administrator) over
such as, $USERID$ all the documents viewed or edited
and $EMAIL$. using Docs@Work.

Allow document sharing from Docs@Work

mi_enable_doc_sharing • true Use this key-value pair to enable the

• false Docs@Work document sharing
feature.
The default value is set to false, and
must be set to true to enable
document sharing.

MobileIron Docs@Work 2.8.0 for iOS Guide | 44

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

Allow document sharing from Docs@Work for AppConnect apps

MI_SHARED_GROUP_ID A unique, sufficiently This key manages the decryption of

complex documents from Docs@Work
alphanumeric string extension. Once this key is set in
Docs@Work configuration, only the
apps having the identical key value in
their configuration would be able to
decrypt the documents from
Docs@Work Extension.
This is an optional key.
The key is case sensitive. Enter the
key in uppercase.
IMPORTANT: Configure
mi_enable_doc_sharing with value
true to enable document sharing.

MI_AC_ACCESS_CONTROL_ID A unique, sufficiently This key manages the access control

complex between the apps. Once this key is
alphanumeric string set in Docs@Work configuration, only
the apps having the identical key
value in their configuration would be
able to access the documents from
Docs@Work Extension.
Ensure that the key-value pair is
configured in the Email+ configuration
as well and that the value is identical
(including case) in both Docs@Work
and Email+ configurations.
The key is case sensitive. Enter the
key in uppercase.
IMPORTANT: Configure
mi_enable_doc_sharing with value
true to enable document sharing.

Allow document sharing from Docs@Work for non AppConnect apps

MobileIron Docs@Work 2.8.0 for iOS Guide | 45

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

MI_AC_DOCUMENT_EXTENSION_DLP • Sentry This key allows Docs@Work to share

• All documents to iOS native email.
This key is required for sharing
documents from Docs@Work with
non AppConnect apps.
Sentry: The documents are
encrypted using Sentry attachment
control key.
All: The attachments are not
encrypted and are sent as plain text.
This key-value pair is case sensitive.

block_unmanaged_extension • true Allows the admin to block or unblock

• false unmanaged versions of Docs@Work
from exposing the document
extension to all the apps.
Default is set to false.
If an admin wants to restrict the
document sharing extension to only
managed apps, then the
block_unmanaged_extension key
should be set to true.
In addition to this, a separate
configuration parameter
IS_MANAGED should be set to true
via the iOS MDM managed
configuration. A sample of sample of
managed app configuration is as
follows:
<?xml version=“1.0” encod‐
ing=“UTF‐8"?>
<!DOCTYPE plist PUBLIC “‐//
Apple//DTD PLIST
1.0//EN” “http://www.apple.com/
DTDs/PropertyList‐1.0.dtd“>
<plist version=“1.0”>
<dict>
<key>IS_MANAGED</key>
<true/>
</dict>
</plist>

Custom keyboards

MobileIron Docs@Work 2.8.0 for iOS Guide | 46

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

MI_AC_IOS_ALLOW_KEYBOARDS • true Allows the admin to enable or disable

• false the use of custom keyboards.
This key is enabled for AppConnect.
true: Email+ allows the use of custom
keyboards
false: Email+ does not allow the use
of custom keyboards.
Default if key-value is not configured:
true.
This key-value pair is case sensitive.

AppConnect logs

MI_AC_LOG_LEVEL • Error Specifies the level of logging from the

• Info least to the most verbose.
• Verbose Default if key-value is not configured:
• Debug true.

MI_AC_LOG_LEVEL_CODE Any string Underspecification prompted in

Mobile@Work to activate AppConnect
logs.

MI_AC_ENABLE_LOGGING_TO_FILE • Yes Enables collecting AppConnect logs

• No to a file in Docs@Work.

Allow digital signature for PDF

signing_certificate Certificate This key allows the admin to enable

or disable the use of digital signature
for PDF forms in Docs@Work added.
To enable digital signature add
signing_certificate to Docs@Work
configuration to provide the certificate
in .p12 format used for PDF signing.

MobileIron Docs@Work 2.8.0 for iOS Guide | 47

 Additional configurations using key-value pairs

Value: Enter/Select
Key one Description and Value

signing_certificate_ca_(n) Certificate This key allows the admin to add

multiple Certificate Authorities to
trusted CA’s.
If the signing_certificate is not issued
by the CA which is not publicly
trusted.
Where, the value of n can be from 0
to 9.
For example:
signing_certificate_ca_0,
signing_certificate_ca_1

Miscelleneous

document_menu_restricted_items • define This key allows the admin to fix the

• lookup text data leak from Docs@Work
document view or edit when you
perform the Define and LookUp
functions.
For example:
document_menu_restricted_items =
define|lookup

disable_slideshow_autolock • yes This key prevents the device screen

• no from getting locked during Microsoft
PowerPoint presentation after Auto
Lock timeout.

What users see

Device user experience can be defined based on the key-value pairs the administrator configures.

Procedure
1. In MobileIron Core Admin Portal, go to Policies & Configs > Configurations.

2. Select the Docs@Work configuration in which you want to enable the embedded viewer.

MobileIron Docs@Work 2.8.0 for iOS Guide | 48

 Additional configurations using key-value pairs

3. Click Edit.
4. Scroll down to the Custom Configuration section.

5. Click on Add+ to add enable_polaris_viewer key-value pair. For more information, see Key-value pairs to
configure app behavior section.
6. Click Save to save the changes.

Edit functionality in Docs@Work

The editing feature is available by default. If you want to restrict mobile device users to read-only access to
enterprise content, you can turn off editing in Docs@Work. Enter the DISABLE_EDITING key-value pair in the
Custom Configurations section of the Docs@Work configuration. The key-value pair disables the following in My
Files and all content sites in Docs@Work:
• Editing
• Creating new files and folders
• Importing images from photo gallery
• Uploading to and deleting files in the backend resource

Disabling the edit functionality in Docs@Work

You disable the edit functionality in Docs@Work using key-value pairs. If editing is disabled, device users will no
longer see the edit options in Docs@Work. Users will also not be able to switch to edit mode while viewing a
document.

Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.
2. Select the Docs@Work configuration for which you want to disable editing.

MobileIron Docs@Work 2.8.0 for iOS Guide | 49

 Additional configurations using key-value pairs

3. Click Edit.

4. Scroll down to the Custom Configuration section.

5. Click Add+ to enter the following key value pair:

Key Value

DISABLE_EDITING true

6. Click Save.

MobileIron Docs@Work 2.8.0 for iOS Guide | 50

 4

Working with Docs@Work features

• Touch ID
• Content sites
• Favorites
• User added sites
• Sorting content sites
• View options for SharePoint sites in Docs@Work
• Google Drive group site
• Email document links from Docs@Work
• Email documents from Docs@Work
• Email Docs@Work logs
• Add attachments from Docs@Work in Email+
• Add attachments from Docs@Work in Native mail
• Email documents from Docs@Work through third-party email clients
• Edit documents in Docs@Work
• Edit Online
• Extracting files from .zip files
• File and folder management
• Locating file or folder
• Sorting files and folders
• Background notifications for Published sites
• Importing images and video
• Browse and add SharePoint site
• Single Sign On
• Support for multiple configurations
• Allow Drag and Drop from Docs@Work for iOS 11
• Watermark text
• Other features

Touch ID
If Touch ID is enabled for accessing secure apps, Docs@Work users can use Touch ID as an alternative to using
their secure apps passcode. For information about enabling Touch ID for secure apps, see the AppConnect and
AppTunnel Guide.

MobileIron Docs@Work 2.8.0 for iOS Guide | 51

 Working with Docs@Work features

Content sites
Content sites configured by the administrator are automatically available in Docs@Work on the device. If a content
site is configured as a Published site, the content is automatically downloaded to the device.

Content sites in Docs@Work fall into three types:

• Group sites
Group sites are configured by the administrator and automatically pushed to Docs@Work. Group sites cannot
be deleted by the device user.
• Published sites
Published sites are Group sites that update automatically and are available for offline use. If there are any
changes, content is updated to the latest version at the configured update interval. Published sites can also be
manually updated when you pull to refresh. An update notification is also sent, and the Notifications icon is
badged.
Published sites cannot be deleted by the device user. Documents in Published sites cannot be edited. Editing
for documents in Published sites can only be enabled in Content Security Service.
• User sites
Device users can also add sites to Docs@Work. Sites that a user adds are identified as User sites.

Site details are available by tapping the Info icon on the site.

Favorites
When you mark a document as favorite, the document is downloaded and available for offline viewing in Favorites.
If changes are made to the document on the content site, the updated version of the document becomes available
only when the device user launches the content site containing the document. At the same time, an update
notification is also sent and the Notifications icon is badged.

User added sites

Apart from the configured content sites pushed to Docs@Work, device users can add both corporate and personal
sites. Device users can add the following types of sites:
• Box
• Cloud Storage
• Dropbox
• Network Drive
• SharePoint

To add corporate sites, the device user will need the following information:
• The site’s URL. The URL must include http:// or https://. Both domain name and IP address are supported.
• Type of Authentication for Network drives. The authentication setting is labeled No Authentication.

MobileIron Docs@Work 2.8.0 for iOS Guide | 52

 Working with Docs@Work features

Device users should enable this setting, if the site does not require authentication or you have set up Kerberos
Single Sign On using MobileIron.
• Type of authentication for SharePoint servers. This can be Corporate, Office 365, NoAuthn, or Federated.

Authentication
type Description

Corporate User authenticates with on-premise SharePoint using either Windows NTLM or
Forms-based authentication with corporate credentials. User credentials can be
domain\username or just username, depending on how SharePoint is set up with
Windows domain authentication.

Office 365 User authenticates with Office 365 SharePoint using the authentication
mechanism supported by Office 365. User credentials map to the user’s account
on Office 365, or to the user’s AD credentials. If Office 365 has been integrated
with corporate AD, then user’s SharePoint credentials map to AD credentials.

NoAuthn User does not need to provide any credentials for authentication. Access to on-
premise SharePoint is set up with Kerberos Constrained Delegation (using
Standalone Sentry), or the SharePoint server supports anonymous access.

Federated User enters the enterprise AD or LDAP credentials to authenticate to the

SharePoint server. The SharePoint server must be set up to use Active Directory
Federation Services (ADFS).

• Web View. (Only for iOS devices) For SharePoint sites, the device user can turn on Web View to be able to
view and navigate SharePoint folders in browser view.

Sorting content sites

Device users can sort content sites by site name, creation date, or last opened. In addition, they can order the sites
in ascending or descending order.

Procedure
1. Go to Settings in Docs@Work.
2. Tap the Site Order option.
3. Tap one of the following options to Sort:
- Alphabetical Names: to sort by content site name.
- Creation Date: to sort by the date the content site was added to Docs@Work.
- Last Opened: to sort by when a content site was last opened.
4. Tap one of the following options to order the content sites:
- Ascending: to order alphabetically from A to Z or from the most recent to the oldest date and time.
- Descending: to order alphabetically from Z to A or from the oldest to the most recent date and time.

MobileIron Docs@Work 2.8.0 for iOS Guide | 53

 Working with Docs@Work features

View options for SharePoint sites in Docs@Work

Device users have the ability to choose between web view and file view for SharePoint sites already added to
Docs@Work. This feature does not require any configuration changes by the device user or the administrator. To
choose how the SharePoint site is viewed, tap the more information icon on the SharePoint tile in Docs@Work,
then select either View as web view or View as file list.

Google Drive group site

Device users can do the following in a Google Drive content site in Docs@Work:
• Access documents in My Drive and Shared with me.
• Download and upload documents to and from My Files in Docs@Work.
• View, favorite, edit, and annotate documents.
• View and edit Google document formats (docs, slides, sheets, and drawings) in Docs@Work. Google
document formats will display the following icon:

When you edit a Google document format, the changed document is saved in the corresponding Microsoft
document format to My Files. The original Google document is not changed.
Example: If you edit a Google Slides file, the changed Slides file is saved as a PowerPoint file to My Files. The
original Google Slides file remains unchanged.
• Delete files and folders in My Drive.

Favorites and Recents are synced across user's devices.

MobileIron Docs@Work 2.8.0 for iOS Guide | 54

 Working with Docs@Work features

If document encryption is enabled for Google Drive content site, documents uploaded from Docs@Work to Google
Drive will be encrypted. Documents in the Google Drive site that are edited using Docs@Work will also be
encrypted. These documents will have the .midx suffix. Example: myfile.doc.midx.

Email document links from Docs@Work

Device users can now email or copy a link to a document from within Docs@Work. The recipient of the email must
have the correct permissions to view the document. However, the recipient does not need Docs@Work to open the
document.

A secure email client is required on the device. For iOS, the native email client is required.

The Email a Link and Copy Link to Clipboard options are available when you open the document.

Content site Description

SharePoint, Office 365 The recipient must have the correct permissions to view the document.
Docs@Work does not check if the recipient has the correct permissions when the
device user shares the link.
The URL is of the form:
https://sharepoint1.companyname.com/
Shared Documents/Architecture/document.docx

Dropbox Uses Dropbox APIs to create a public shareable link to the document.
The URL is of the form:
https://www.dropbox.com/folder/5lg6dgrv7m2c862/Getting%20Started.pdf?dl=0

Box Uses Box APIs to create a public shareable link to the document.
The URL is of the form:
https://app.box.com/folder/50rvf49stdhqsywoj8lx

WebDAV network drive The URL of the document corresponds to the WebDAV http or https URL.
or cloud storage
The URL is of the form:
https://webdavserver.documents.mydoc.docx.

CIFS network drive Not supported.

Email documents from Docs@Work

Docs@Work users can email documents from Docs@Work on their device. This provides users a true mobile
experience and the flexibility to securely share documents directly from Docs@Work.

MobileIron Docs@Work 2.8.0 for iOS Guide | 55

 Working with Docs@Work features

Requirement for emailing documents

• For iOS, Open In must be enabled in the AppConnect Global Policy or the AppConnect Container Policy.

Emailing documents from Docs@Work for iOS

The Email option is available in an opened document.

Procedure
1. Tap to open a document.

2. Tap in the opened document.

3. Tap Email.
The document is downloaded and attached to a new email message.

NOTE: If attachment control is enabled to Open only with Docs@Work and protect with encryption, then
the attachment will have .secure or the .attachctrl suffix.

Email Docs@Work logs

Occasionally it is necessary for you, the administrator, to obtain the Docs@Work logs from the user's device. You
may need the Docs@Work logs to troubleshoot an issue. Device users can send the logs by tapping on Email logs
under Settings > Help. By default, the native email client is used to email the Docs@Work logs.

MobileIron Docs@Work 2.8.0 for iOS Guide | 56

 Working with Docs@Work features

Add attachments from Docs@Work in Email+

Docs@Work supports adding attachments to a mail using Email+ app. This capability will later be extended to
other AppConnect-enabled applications including third-party email clients.

Email+ allows only a single file attachment and the file is attached to the email when you select the file.

Add attachments from Docs@Work in Native mail

Docs@Work supports adding attachments to a mail using native mail.

Email documents from Docs@Work through third-party

email clients
The mailto_prefix key-value pair lets you choose a preferred email client within Docs@Work to send an email. The
following options are available to email from Docs@Work:
• Email a document: Email a document option is supported for Email+ and native clients and third-party email
clients
• Email a link: Email a link option works entirely dependent on the value of mailto_prefix, and is not
dependent on different AppConnect data loss prevention (DLP) policy options.

The email client must be AppConnect enabled. For example: Email+, IBM Verse, SecurePIM and so on.

Edit documents in Docs@Work

When the device user first tries to edit a document, the device must have access to the Internet. The editor
embedded in Docs@Work requires a license to activate. When it is first launched, the embedded editor tries to
contact a license activation server to get a license. If the device is offline, an error message is displayed to the
device user.

If a user tries to view an unsupported file, an error message is displayed.

Editing and annotating documents

To edit or annotate, users must download the document to My Files. If the file type is not supported for editing, the
edit icon will not be available. Online editing is only available with Office Web Apps.

Since Office Web Apps are only supported with SharePoint, Docs@Work supports online editing only with
SharePoint folders. Office Web Apps must be enabled on the SharePoint server. If Office Web Apps are not
enabled, the edit icon will not be available when you tap to view documents.

MobileIron Docs@Work 2.8.0 for iOS Guide | 57

 Working with Docs@Work features

To edit or annotate a document:

1. Tap on the document.

2. Tap the edit icon.

3. If you are editing a document directly from a content repository, tap the doc icon.
4. Tap one of the options presented.

Option Description

Save Tap to save the edited file with the same file name.
A local copy is created.

Save as Tap to specify a different file name for the edited file.
A local copy is created with the new file name.

Export Tap to create a PDF.

You have the option to change the file name. A local copy of the PDF is
created.

Exit Exits edit mode.

Any changes to the file are not saved.

5. Tap one of the options presented when you exit edit mode.
These options are only presented if you tapped on Save as or Export.

Option Description

Save this File Tap to save the edited file to the same location in the content repository.

Save a Copy Tap to specify a different location to save the edited file. The location could be in
the same content repository or different content repository.
The file in the original location is not changed.

Download to My Files Tap to download the edited file to My Files.

The file in the original location is not changed. If a file with the same name is
available a new file is added.

Cancel Changes to the file are not saved.

• If saving to a different location fails, you will be presented with the option to download the document to My
Files.
• To save an edited document, you must also tap Exit. If you do not Exit from edit mode, changes to the edited
document will not be saved. If users try to open an email attachment while another document is open in edit

MobileIron Docs@Work 2.8.0 for iOS Guide | 58

 Working with Docs@Work features

mode, they are provided with the option to discard changes to the opened document before viewing the
attachment.

Edit Online
On iPad devices, Docs@Work users may see an additional Edit Online option. The Edit Online option is available
only for .docx, .pptx, and .xlsx files on SharePoint sites that have Office Web Apps enabled. Tapping on the Edit
Online option takes the user to SharePoint Office Web Apps. The user can then edit the documents using Office
Web Apps.

Extracting files from .zip files

Only .zip compressed files and password protected .zip files are supported. Other types of compressed files, such
as gzip, .tar files, are not supported.

Note that .key, .numbers., and .pages files are displayed with a .zip extension in Docs@Work. Also, .key,
.numbers, and .pages files with .zip extensions are not supported and cannot be extracted.

Procedure
1. Tap on the .zip file.
If the .zip file is in a content repository, the My Files pop-up window displays. If necessary, you can tap an
existing folder or tap Create Folder. Depending on your selection, the files are extracted into My Files, the
selected folder, or the newly created folder.

MobileIron Docs@Work 2.8.0 for iOS Guide | 59

 Working with Docs@Work features

If the .zip file was already in My Files, a pop-up is not displayed. The file is automatically extracted to the same
location as the .zip file.

2. Tap Extract Here. (This step is only for a .zip file in a content repository.)

3. If a password is required, enter the password, then tap Extract.

MobileIron Docs@Work 2.8.0 for iOS Guide | 60

 Working with Docs@Work features

The .zip file and the extracted files are downloaded directly to My Files or to the folder in My Files that you
specified. The files are extracted into a folder with the same name as the .zip file.
NOTE: If the .zip file contains a single file, a folder is not created for the extracted file.

File and folder management

Device users can create, move, and rename files in My Files. This allows users to manage files and folders on
their mobile devices and upload the newly created files to content repositories.Device users can create text files
(.txt) and the following Microsoft Office file types:
• .docx
• .pptx
• .xlsx

Devices users cannot upload or create files or folders in Published sites.

Creating files and folders in My Files

Device users can create files and folders in My Files.

Procedure
1. In Docs@Work, tap My Files.

2. Tap ... at the top of the screen.

MobileIron Docs@Work 2.8.0 for iOS Guide | 61

 Working with Docs@Work features

3. Tap Create new ....

4. Tap Folder to create a new folder or tap one of the document types to create a new file.

Renaming files and folders in My Files

Device users can rename files and folders in My Files.

MobileIron Docs@Work 2.8.0 for iOS Guide | 62

 Working with Docs@Work features

Procedure
1. In Docs@Work, tap My Files.

2. Tap ... next to the file or folder.

3. Tap the rename icon .

4. Enter a new name for the file or folder and tap Rename.

Moving files and folders in My Files

Device users can move files and folders in My Files.

MobileIron Docs@Work 2.8.0 for iOS Guide | 63

 Working with Docs@Work features

Procedure

To move files or folders in My Files:

1. In Docs@Work, tap My Files.

2. Tap ... at the top of the screen.

3. Tap Manage.

MobileIron Docs@Work 2.8.0 for iOS Guide | 64

 Working with Docs@Work features

4. Select the file and folders to move, then tap the move icon .
Device users can select multiple files or folders to move.

5. Tap a folder, or tap Create Folder, or tap Move Here to move the selected files and folders to a different
location.

Locating file or folder

The Locate function displays temporarily when the device user creates, moves, uploads, or downloads a file or
folder. The function does not display if the device user is in the same folder or location on Docs@Work to which the
document is moved. If the device user is in the same folder or location, the affected file is highlighted.

The Locate function allows the device user to quickly and easily navigate to the actual location of the file or folder.

MobileIron Docs@Work 2.8.0 for iOS Guide | 65

 Working with Docs@Work features

Procedure
1. Download, upload, or move the file or folder.

2. Tap Locate at the bottom of the screen.

The actual location of the file or folder appears. If Locate points to a file, the file is temporarily highlighted.

MobileIron Docs@Work 2.8.0 for iOS Guide | 66

 Working with Docs@Work features

Sorting files and folders

Device users can sort files and folder by the following methods:
• Name
• Date Created
• Last modified
• Last opened

Click on Sort Files in the menu, then select the method to sort.

Background notifications for Published sites

Background notifications alert device users to new content or updated content in Published sites even when
Docs@Work is not running in the foreground. However, the user must be signed into Docs@Work. Notifications
allow users to always be aware of any changes in documents and have the latest versions of a document on their
device.

Docs@Work checks for updates at the update interval set for the Published site and provides background
notification if there are any changes. If other processes are running on the device at the update interval, the check
by Docs@Work for updates might be delayed. Internet connectivity is required for Docs@Work to check for
Published site updates.
TABLE 1. BACKGROUND NOTIFICATION TYPES FOR PUBLISHED SITES

Notification type Description If device user taps on the notification

Single document updates Only one new or updated file is Docs@Work will be launched into the
available in any Published site foreground and start downloading the
new or updated file

Grouped document Multiple files were added or Docs@Work will be launched into the
updates modified in any Published sites foreground and start downloading the
new or updated files.

Please sign / published One of the Published sites requires Docs@Work will be launched into the
sites the user to enter their credentials foreground, start downloading files and
prompt the user for authentication

Published site updates A new Published site is added by
the administrator
Docs@Work will be launched into the
foreground, start downloading files for
the newly added Published site as well
as any newly added or updated files from
other Published sites

Changing notification settings

Device users can change the notification settings in Docs@Work.

MobileIron Docs@Work 2.8.0 for iOS Guide | 67

 Working with Docs@Work features

Procedure
1. Launch Docs@Work.

2. Tap the settings icon.

MobileIron Docs@Work 2.8.0 for iOS Guide | 68

 Working with Docs@Work features

3. Tap Notifications.

4. Use the switch for the notification to either enable or disable the notification.

Importing images and video

Device users can add images and video to Docs@Work from the device. This allows users to upload new images
and video to content repositories.

Procedure
1. In My Files, tap on ....

MobileIron Docs@Work 2.8.0 for iOS Guide | 69

 Working with Docs@Work features

2. Tap on Add Media.

3. From Photos, select the photo you want to add.

4. In the Add Media text box, enter a name for the image.
5. Tap on Add.

6. The new image is added to My Files.

You can now Favorite, Upload, and Rename the image.

MobileIron Docs@Work 2.8.0 for iOS Guide | 70

 Working with Docs@Work features

Browse and add SharePoint site

Device users can add SharePoint sites by browsing for a SharePoint site in Docs@Work. This reduces the chance
for error when a SharePoint site URL is copied and pasted.

Adding a SharePoint site by browsing in Docs@Work

You can add a SharePoint site to Docs@Work.

Before you begin

• You must have the SharePoint site URL.
• If authentication is required, your credentials to access the SharePoint site.

Procedure
1. In Docs@Work, tap to add a site.

2. Enter the SharePoint URL in the browse search box, and tap Go.
The URL should include the http:// or https:// prefix.

MobileIron Docs@Work 2.8.0 for iOS Guide | 71

 Working with Docs@Work features

Depending on the authentication requirements, you might be asked to enter your corporate credentials.

3. Tap Add Site.

4. Enter a name for the site to appear in Docs@Work.

5. Tap File View or Web View to set the default view and add the SharePoint site to Docs@Work.
6. Tap Done to close the browser.

MobileIron Docs@Work 2.8.0 for iOS Guide | 72

 Working with Docs@Work features

Single Sign On
Single Sign On (SSO) for Docs@Work is supported. The device user registers with MobileIron Core using
Mobile@Work. Then, the device user can use Docs@Work to access content servers without having to enter any
further credentials.

To use SSO:
• The content server must support authentication using Kerberos.
• Docs@Work must use the AppTunnel feature, configured so that the Standalone Sentry uses Kerberos
Constrained Delegation (KCD) to authenticate the user to the content server.
• The content server must be either a Microsoft SharePoint server or IIS-based WebDAV content repository or
Apache-based content repository.
• When you configure the content site in the Docs@Work configuration setting, Authentication must be
unchecked.

Support for multiple configurations

Merging of multiple configurations for Docs@Work are supported. You can select Enable merging of configurations
option on Core to push multiple configurations to a device as a single configuration. Multiple configurations are
merged as follows:
• Content site: The combination of all sites is pushed to the device.
• AppTunnel Rules: The latest modified AppTunnel rule is pushed to the device.
• Custom Configurations: The key-value pairs listed in Custom Configurations get merged and combination of all
is pushed to device. If there are different values for same key in different configurations then the last modified
configuration gets pushed to the device. For example:

Configuration-1: DISABLE_EDITING=true

Configuration-2: DISABLE_EDITING=false

Allow Drag and Drop from Docs@Work for iOS 11

You can drag content from Docs@Work for iOS to other AppConnect or third party apps. The drag functionality will
work if you have configured data loss prevention (DLP) policies for Docs@Work for iOS. The content can be
dragged from Docs@Work to the other apps only when the DLP policy for copy and paste option is set to All apps.
For other DLP policy settings for copy and paste, the data cannot be dragged from Docs@Work.

MobileIron Docs@Work 2.8.0 for iOS Guide | 73

 Working with Docs@Work features

Watermark text
The files and documents that are viewed or edited using Docs@Work are marked with a customized watermark.
Any string can be used to create the watermark. Use a user identifying variables as values such as, $USERID$
and $EMAIL$. These values will create watermark strings that are unique to each user.

Other features
Device users can do the following:
• Track changes in .doc and .docx files.

The native Docs@Work editor allows device users to do the following:

• View bookmarks in a PDF.
• View a PDF in full-screen mode in an iPhone.
The top navigation bar and the bottom tool bar are hidden in full screen mode. Tap the top of the page to turn
full-screen mode on and off.
• Search within a PDF.

MobileIron Docs@Work 2.8.0 for iOS Guide | 74