...
Administrator’s Basic Guide to LINK
2023-01B
...
The LINK administration panel provides all control functionality for the Mobile Helix LINK system. This document shows how to use the Controller web interface to manage Users, Applications, Devices, Resources, Actions, Roles, Policies, Profiles, Reports, Servers, and System Settings.
...
Logging into the Controller brings you to the Users tab:
...
Add (e.g., create a new user, application, etc.)
Open item for editing
Delete item
Save item
Go back (without saving). NOTE: do not press the browser back button!
Next page
Previous page
The Servers tab provides a portal of support information regarding the Mobile Helix servers, controller logs and support connection to the Mobile Helix support engineer.
...
Mobile Helix recommends always sending all logs when logs are requested. To select logs for a specific system (the Gateway, for example), click anywhere on that system's row. Hold the “ctrl” key to select multiple systems (for example, Controller and Gateway), although Mobile Helix recommends always sending all logs.
Upgrades
LINK upgrades are conducted via secure remote connection by Mobile Helix Support personnel. The upgrade will be scheduled at your convenience. You will be asked to “Connect to Support” as described above.
...
Please contact Mobile Helix support at support@mobilehelix.com, or your named support contact, to discuss upgrades.
Software Version Numbers
...
Go to the LINK Email Inbox and tap the Gear icon. The version number is at the top of the Settings screen.
...
LINK App Client Version
From the LINK home screen, tap Settings.
...
In most cases, this version number should be the version in the App Store.
...
...
...
The default system installation creates only the admin user. Additional users must be added to the system on the “Users tab”. Each user must be assigned one or more roles. Three roles are pre-configured in each Mobile Helix installation:
...
Also ask us about using Active Directory sync, where users will be added or deleted via AD sync.
...
When a new user is first added to LINK, that user’s device(s) must be provisioned in LINK. This process is known as “activation,” and it involves sending the requisite data to the new device to:
...
Code-based activation is configured in the LINK Controller on the “Settings” tab. The first step is to change the launch link type to be “Activation Pincode” in the “Controller Settings” pane on the “Settings” tab. To do so, change the link type using the dropdown pictured here:
Activation Pincode
Please make sure that the “Attach a QR code …” and “Attach an hxl file …” are both toggled off.
...
Limiting usages (first text box) and days (second text box):
If the user is already correctly set up as above, go to the User ID, click the Actions button, and select the “Resend Welcome Email” button to send the Device Welcome email with launch link to the email in the user’s record.
...
This option is used when a user forgets or would like to reset the PIN code assigned to a particular device to access the LINK app. Resetting the PIN code will ask the user to reset the PIN code once they have logged off of their session.
...
User is prompted to do an AD Login.
LINK allows you to mobilize your Intranet by mapping Intranet URLs to tiles that appear on the home screen in the LINK app. Through this mechanism, you can either mobilize an internal site (e.g., your Intranet) or 1 or more important pages within a larger site (e.g., the search page and the directory page in your Intranet).
...
All tiles in LINK are role-based, meaning that different groupings of users can see different subsets of the configured tiles. Through this mechanism, you can customize the user’s experience in the LINK app based on his or her role in your organization.
Prerequisites
Mobilizing a web application in LINK requires 3 pieces of information:
...
The start URL of the application – this is the URL that you want the LINK app to load when the user taps on the tile that you create for this application.
A name for this application and any additional descriptive text. This must be concise as space is limited, but it should clearly indicate to the user what the tile mobilizes.
An icon, which is used as a simple visual indicator to help the user identify each tile.
Creating a new Application in the LINK Controller
Application Basics
On the Applications tab in the LINK Controller, click the “+ Create” button.
Select the type as “Web Application”.
Enter a name for this application, which must be unique within the Controller. If the name you would like to appear at the top of the tile in the LINK app differs from the unique name, enter that in the “Display Name …” field. The “Category Name” (typically row name) is required, and it is used to separate tiles in the LINK app into groupings (with a header in between them). This field will auto-complete to existing categories within the Controller, but you can type a new value here to create a new category (row).
...
The last field, “Restrict Application Devices”, would be used to introduce restrictions like only displaying a device on iOS vs. Android, or iPhone vs. iPad. Consult Mobile Helix Support if you would like to enable this functionality.
Roles
Next, select the user roles that should be permitted to see this application. Move roles that should see the application from the left to the right box on the page by double-clicking on the role or using the buttons to move list items from “Available Roles” to “Selected Roles.”
Web Application Basics
This section focuses entirely on the display of this application on the device:
“App description” is the grey text at the bottom of the app tile in tiles mode, or to the right side of the list in list mode.
“App icon” is the icon used in the tile or in the list entry in the LINK app. Upload a .png file; recommended 150 X 150 pixels.
“Show splash screen on device” displays an icon on the loading screen when the app is loading from the network.
“Splash screen image” is the image to show during loading
“Display as full screen” should be generally toggled OFF. Leaving this toggle on hides the header bar of the LINK Browser, removing the exit button and the back/forward/refresh/stop buttons.
“Hide the bottom tab bar …” – this is a legacy option. Ignore.
“Display this app on the device” – toggle this off to hide this app from display on the device without otherwise changing this application record. This is useful when you are testing various tiles and want to temporarily toggle a tile on/off.
“Filter passwords …” is a security feature that attempts to block users from sending a password to this web application. This feature has limited use cases. Please use in consultation with Mobile Helix Support.
URL
This section specifies what LINK loads when the user taps on the tile for this Application:
...
“Full URL …” is the URL to load when the user taps on the tile. Load this page in a desktop browser first and confirm that it is the page that you want a user to see upon tapping the tile.
“URL filter…” is a feature to allow you to exclude certain parts of an intranet site from mobile access. Contact Mobile Helix Support for more detail.
“Show address bar …” determines whether a text box is shown in the LINK browser with the URL that the user is currently browsing. Users can also type a new address in the address bar to browse to a different address.
These settings are used to customize the load behavior of a web application or to modify the load behavior of that application:
...
When you are done working through all options in the Application record, click “Save” in the blue header bar to save this application record.
Assign the New Application to a Profile
After creating an Application in the LINK Controller, the final step is to assign this application to the “Default Apps Profile” profile on the “Profiles” tab in LINK. Profiles apply an additional set of feature restrictions to an app. In advanced configurations, profiles may be customized to different user roles.
...
Edit the “Default Apps Profile” and move the app that you just created from the “Available Applications” to “Selected Applications” by double-clicking on it, or by using the arrow buttons.
From the Applications tab page, identify another web application. Use the copy button, right-most in the application listing, to duplicate your Application record.
...
You must Save first. Use the button in the upper left.
In addition to proxying Intranet applications, LINK allows users to access their company email and a variety of file repositories from a mobile device. Supported email servers include both M365, cloud-based Exchange, and on-prem Exchange 2013+. Supported file repositories include:
...
Depending on the type of application created, either assign the new application to profiles of types 1 and 3 or types 1 and 4. This assignment will ensure that all of the appropriate settings are specified for the new application tile.
In the LINK Controller, go to the Policies tab.
...
An individual user may log out from their device. From the LINK app home screen, tap the 3 bars menu in the upper right. Select logout. Now, fully login with first and second factors.
...
To be clear, the individual user may also go to the device OS Settings to manage LINK app notifications (if they are turned on in the LINK Controller). The user can turn off notifications for LINK as with any other app.
“My Files” provides encrypted local storage of files within the LINK secure container. The default setting for file expiration is 30 days. This is 30 days of *idle* time, which means that every time the user opens the doc and does something with it, the 30 day counter resets. Hence, the document only expires after 30 straight days of not touching it at all.
You can change the global policy (or you can assign different policies to different user groups, if appropriate) on the "Profiles" tab in your Controller. You should have a profile usually called "Offline Profile." Edit that profile (with the pencil button to the far right), and you will see a field labelled "Number of days that files saved to the My Files tab remain on the device. This specifies idle time - the expiration is reset each time the file is opened." This is the setting that determines the expiration period.
Note: When you change this setting and save your change, users will not see this change until: (i) they login to a fresh session by entering their A-D password in the LINK app, and (ii) they download a new file. This policy change is not applied retroactively to files that are already downloaded, and we do not dynamically change the policies of existing user sessions.
Downloading large documents may take a long time or fail on a poor network. This may create a poor user experience.
...
At Files, tap the pencil icon.
...
Files
Change settings as shown below. Tap the Diskette icon to save.
Users will have to logout via the three bars menu in the upper right in the LINK app to start a new session with the changes active.
...
This guide shows how to generate the most commonly used report – number of users.
...
You can readily tally the number of users in Excel.
Example of settings:
...
Create an App Registration in Azure
Login to your Azure portal at https://portal.azure.com. To create a new App Registration, search for “App Registrations” and click on the service when it appears. Once you have opened the “App Registrations” panel:
...
Before proceeding further, capture the “Application (client) ID” and the “Directory (tenant) ID” from this page. Both will be used as configuration parameters in the LINK Controller.
Add an Additional Redirect URI
From the app registration page for your new app, add a new redirect URI by clicking the link next to “Redirect URIs:”. Toggle on the checkbox next to https://login.microsoftonline.com/common/oauth2/nativeclient for the redirect URI.
Click “Save” at the bottom of the screen.
Add Required API Permissions
Next, add API permissions to your app registration. To do so, click “API Permissions” in the “Manage” section on the left panel of the page.
(See https://github.com/Azure-Samples/MipSdk-Dotnet-File-ServicePrincipalAuth for the original source):
Azure Rights Management Services
Click API permissions.
Click Add a permission.
Select Microsoft APIs.
Select Azure Rights Management Services.
...
Permission Type | Permissions Required |
---|---|
Application permissions | Content.DelegatedWriter, Content.Writer |
Microsoft Information Protection Sync Service
Select Add permissions.
Again, Select Add a permission.
Select APIs my organization uses.
In the search box, type Microsoft Information Protection Sync Service then select the service.
...
Permission Type | Permissions Required |
---|---|
Application permissions | UnifiedPolicy.Tenant.Read |
Grant Admin Consent
Select Add permissions.
In the API permissions blade, Select Grant admin consent for and confirm.
Add a Client Secret
Finally, click “Certificates & Secrets” in the “Manage” section of the left panel of the page. Click “+ New client secret” to create a new client secret. Add a descriptive name for this secret and select an expiration. NOTE: you will be responsible for creating a new secret before the current secret expires, and for updating the LINK Controller configuration accordingly.
...
Before you leave this page, click the copy button to the right of the secret value that is shown in the second to last column. Capture this value as you will need it in your LINK Controller configuration.
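Because the client secret expires and the LINK Controller must be updated with its replacement beforehand, it helps to check the expiry on a schedule. The following is an added example, not part of the original guide or Mobile Helix code: it assumes the JSON printed by `az ad app credential list --id <client-id>` (one object per secret, with `displayName`, `keyId` and `endDateTime` fields), and the sample data and the 30-day warning window are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape printed by `az ad app credential list --id <client-id>`.
# Names and keyIds are placeholders, not real credentials.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "link-mip-2023", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": "link-mip-2024", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2024-03-01T09:30:00.1234567Z"},
    {"displayName": "link-mip-2025", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2025-06-30T00:00:00Z"},
])


def parse_graph_time(value):
    """Parse a timestamp, dropping fractional seconds and treating 'Z' as UTC."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def secret_status(credentials_json, now, warn_days=30):
    """Return (name, keyId, state, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now) // timedelta(days=1)  # whole days, negative if past
        if end <= now:
            state = "EXPIRED"
        elif days_left < warn_days:
            state = "ROTATE"
        else:
            state = "OK"
        rows.append((cred.get("displayName") or "(unnamed)", cred["keyId"], state, days_left))
    return sorted(rows, key=lambda row: row[3])


def needs_rotation(credentials_json, now, warn_days=30):
    """True when no secret remains valid beyond the warning window."""
    return all(row[2] != "OK" for row in secret_status(credentials_json, now, warn_days))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, key_id, state, days in secret_status(SAMPLE_CREDENTIALS, now):
        print(f"{state:8} {days:5d}d  {name}  {key_id}")
```

Expired secrets that still appear in the listing are worth deleting from the app registration once the Controller uses the new value.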
Configure LINK to use MIP
Browse to the Resources tab in LINK and edit the file resource for which you would like to enable information protection. Scroll down until you find the option that says “Enable Azure MIP protection when editing files”. Click “Change to yes” to enable Azure MIP integration. Doing so will reveal the following configuration parameters:
...
Once enabled, checkout-and-edit should trigger the encryption of this document. The checkin process should strip away these MIP protections on the server side.
The LINK app can be distributed to your users via the Intune Mobile Device Management system. To do so involves the following steps:
...
Add LINK as an app in Intune and deploy it to your target user group
Ensure that LINK can share documents with the Office apps for iOS
Ensure that only Intune Managed Devices can register with your LINK installation
Add LINK as an app in Intune and deploy it to your target user group
Login to https://endpoint.microsoft.com, your Intune management console. Under “All Services” or “Favorites”, select “Apps”. Click “All Apps”, “Add” … and select the following:
...
LINK should now be deployed along with all other MDM Managed Apps to your Intune Company Portal. For groups that are “Required” to deploy LINK, the LINK app should be installed automatically on those devices.
Ensure that LINK can share documents with the Office apps for iOS
To edit documents and to import documents authored in the Office apps for iOS, LINK must be able to share documents with the Office apps for iOS. When using an Intune App Protection policy to add additional policy restrictions to the Office apps for iOS, the “Send org data to other apps” setting must allow document sharing to LINK in order to permit users to author documents in Office for iOS, then upload them to DMS or email them via LINK. Because LINK is not specifically integrated with Intune, this setting should be “Policy managed apps with OS sharing”.
...
In addition, the setting “Receive data from other apps” must allow LINK to send data to apps governed by an App Protection policy. Choosing “All apps” or “Any app with incoming org data” for this setting should enable LINK to share files with the Office for iOS apps.
Ensure that only Intune Managed Devices can register with your LINK installation
To prevent users from downloading LINK from the public app store and using a registration email to configure LINK on an unmanaged device, LINK can deploy an encryption secret to your MDM managed devices that is also used to encrypt a unique identifier placed in each launch link. Only managed devices will then be able to unlock that unique identifier and authenticate it with your LINK installation.
...