Configuring MDM Cooperative Enforcement with iOS 7 and above

To use MDM Cooperative Enforcement with iOS 7, the VPN application cannot be installed from Apple's App Store; it must be installed from the MDM portal. You must follow the instructions here. Currently, MobileIron is supported for Check Point Mobile Enterprise and Check Point Mobile VPN with iOS 7.


Overview of the workflow to configure MobileIron for iOS 7 with a Check Point App:

  1. Create a Property List (plist) text file.
  2. In the MobileIron Administrator Portal, configure managed app settings and upload the plist.


Creating the Property List File

The Property List (plist) is a short text file in XML format that contains definitions required for MobileIron to work with an app. You upload the plist to the MobileIron Administrator Portal in a later step.

To create a plist file for iOS with Mobile VPN or Mobile Enterprise:

  1. Create a new plain text file.

  2. Copy this text and paste it into the new file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
    <plist version="1.0">

  3. Save the file on your computer with the name cpvpn.plist.


Configuring App Settings in the MobileIron Portal

Configure managed app settings for Mobile VPN or Mobile Enterprise in the MobileIron Administrator Portal. Then apply labels to the settings.


  • You cannot edit the managed app config setting or upload a different plist file. If changes are necessary, delete the managed app config setting and create a new one. Make sure to re-apply labels.
  • You can only apply one managed app configuration setting for each app to each device. This includes situations when more than one version of the app is installed on a device.
  • The configuration information is not encrypted on the device. Make sure that the configuration does not contain sensitive information.
  • MobileIron does not validate the plist file's type or contents. It is passed directly to managed mobile devices.

To configure a managed App configuration setting:

  1. In the MobileIron Administrator Portal, go to Policies & Configs > Configurations.
  2. Select Add New > iOS And OS X > Managed App Config.
  3. Create or edit a managed app configuration setting. Enter this information:
    • Name - A short name that identifies the managed app config setting.
    • Description - Additional text that clarifies the purpose of the managed app config setting.
    • BundleID - The bundle ID of the managed app.
      • For Mobile VPN, the bundle ID is
      • For Mobile Enterprise, the Bundle ID is com.checkpoint.secureconnectid
    • File - Click Choose File to upload the plist file. Select the plist file that contains the app configuration for the app.
  4. Click Save.

To apply labels to managed app settings:

  1. Select a managed app configuration setting that you created. (MobileIron assigns the setting the type MDM APP CONFIG).
  2. From the toolbar, select More Actions > Apply To Label.
  3. Select the labels to which you want to apply this managed app config setting.
  4. Click Apply.


Removing a Managed App Setting from a Device

A managed app configuration setting is removed from a device when:

  • You remove the label associated with the device from the setting, and the device checks in.
  • You remove the managed app config setting, and the device checks in.
  • You retire the device.

When the managed app configuration is removed, the managed app automatically removes its use of the configuration.


Viewing the Property List File

To view the contents of the plist file:

  1. On the MobileIron Admin Portal, go to Policies & Configs > Configurations.
  2. Select a managed app setting.
  3. Select View File Data from the App Settings Detail pane.
    A pop-up window shows the file contents.
  4. Close the pop-up window when you finish viewing the file contents.

Variables in the Property List File

The Property List (plist) file includes MobileIron variables. When the MobileIron MDM server sends the configuration to a device, it substitutes the appropriate values for the variables.

Usually, you can use the provided text for the plist and it is not necessary to edit it for the Check Point App. The table below is for general information only.

Check Point Apps use only the $DEVICE_MAC$ and $DEVICE_UDID$ fields.

Variable          Description
----------------  ----------------------------------------------------------
$DEVICE_MAC$      The Wi-Fi MAC (Media Access Control) address of the device
$DEVICE_UDID$     The unique device identifier of the device
$DISPLAY_NAME$    The display name of the device user
$EMAIL$           The email address of the device user
$FIRST_NAME$      The first name of the device user
$LAST_NAME$       The last name of the device user
$USERID$          The user ID of the device user
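
MobileIron passes the plist to devices without validating it, the configuration is stored unencrypted, and the setting cannot be edited after upload, so it is worth checking the file before you upload it. The following is an added example, not Check Point or MobileIron code: it parses the file with Python's plistlib and flags malformed XML, variables that are not in the table above, user-data variables that the Check Point apps do not need, and literal values under secret-looking key names. The sample key names and the secret-name pattern are assumptions made for illustration.

```python
import plistlib
import re

# Variables from the table above; Check Point apps use only the first two.
NEEDED = {"$DEVICE_MAC$", "$DEVICE_UDID$"}
KNOWN = NEEDED | {"$DISPLAY_NAME$", "$EMAIL$", "$FIRST_NAME$", "$LAST_NAME$", "$USERID$"}
VAR_RE = re.compile(r"\$[A-Za-z0-9_]+\$")
SECRET_KEY_RE = re.compile(r"pass|secret|token|credential", re.I)  # assumed heuristic

def leaves(node, key=""):
    """Yield (key, value) for every string leaf of the parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from leaves(v, key)
    elif isinstance(node, str):
        yield key, node

def check_plist(data: bytes) -> list:
    """Return findings for a plist about to be uploaded; [] means none."""
    try:
        root = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or not a property list
        return [f"invalid plist: {exc}"]
    if not isinstance(root, dict):
        return ["invalid plist: top-level element is not a dict"]
    findings = []
    for key, value in leaves(root):
        for var in VAR_RE.findall(value):
            if var not in KNOWN:
                findings.append(f"{key}: unknown variable {var}")
            elif var not in NEEDED:
                findings.append(f"{key}: {var} puts user data on the device unencrypted")
        if SECRET_KEY_RE.search(key) and not VAR_RE.fullmatch(value):
            findings.append(f"{key}: literal value under a secret-looking key")
    return findings

# Constructed samples; the key names are hypothetical, not Check Point's.
HEAD = (b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC '
        b'"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        b'<plist version="1.0"><dict>')
GOOD = HEAD + b"<key>mac</key><string>$DEVICE_MAC$</string></dict></plist>"
BAD = HEAD + (b"<key>mail</key><string>$EMAIL$</string>"
              b"<key>vpn_password</key><string>example</string>"
              b"<key>id</key><string>$DEVICE_ID$</string></dict></plist>")
if __name__ == "__main__":
    print([check_plist(s) for s in (GOOD, BAD, HEAD)])  # HEAD alone is truncated
```

To check a real file, call check_plist(open("cpvpn.plist", "rb").read()) and upload only when the result is an empty list.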

Overview of the workflow to configure Airwatch for iOS 7 with a Check Point App

  1. Configure Capsule Workspace or Capsule Connect to be deployed using Airwatch.
  2. Deploy the app on related devices.

Add the Check Point application from the App Store

  1. Go to 'Apps & Book > List view > Public > Add Application'.
  2. Select Platform "Apple iOS".
  3. Select Source "Search App Store".
  4. Name "Capsule Workspace" or "Capsule Connect".
  5. Click "Next".
  6. Click "Select".
  7. In the app configuration, select the Deployment tab.
  8. Then select "Send Application Configuration", and add a configuration with Key "MAC", Value Type "String", and Configuration Value "{DeviceWLANMac}".

  9. You can save and publish your Capsule application.

The gateway on which Cooperative Enforcement is enabled can now recognize the MAC address of iOS devices in order to check their compliance status.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
