Bridgeway Security Solutions

Bridge Host & Bridge Manage: Co-managed MobileIron service, hosted in secure datacentre

Bridgeway is proud to offer a unique co-managed, fully-hosted MobileIron service. This service includes our own IronWorks reporting solution to evidence project success, our Bridge Train for MobileIron administrator and help-desk training, and our market-leading 24x7 Bridge Support service for peace of mind. Hosting, support and data residency are all in the UK.


  • MobileIron hosting in PSN, N3 and HSCN connected secure datacentre
  • Support, hosting and training all delivered from within the UK
  • Only UK Authorised Training Partner (ATP) for MobileIron
  • Service credits, administrator training and MobileIron reporting included
  • Mobility project key performance indicator (KPI) charting
  • Automated, scheduled emailed PDF reports aligned to line-of-business
  • Comprehensive trend analysis and charting of your mobility project
  • Compliance reporting for GDPR, ISO27001, IG Toolkit and PSN CoCo
  • Daily MobileIron security health-check and operational dashboard
  • Integrated MobileIron licence tracking and efficiency calculator


  • Data residency and secure interconnections for UK public sector
  • Key delivery personnel vetted to SC, DV available via sponsorship
  • Maximise the value and the capabilities of your MobileIron investment
  • Only MobileIron true one-stop-shop hosting provider in UK
  • Measure, track and evidence the success of your MobileIron project
  • Disseminate bespoke MobileIron reports directly to team leaders
  • Complete and consistent historical MobileIron information for mobility project reporting
  • Evidence your continuous improvement towards reaching and maintaining compliance
  • Identify potential mobility project issues before they become a problem
  • Save money by identifying optimum MobileIron licensing model and split


£20 to £32 per person per year

Service documents


G-Cloud 11

Service ID

591045051646863


Bridgeway Security Solutions

Jason Holloway

01223 979 090

Service scope

Service constraints
Bridge Host is bound by current published and supported MobileIron virtual machine specifications, for which guidance is available as part of the service.
IronWorks integrates via API calls with MobileIron deployments.
Mobility projects that do not use MobileIron as the security MDM/EMM/UEM are not supported at present.
One training course candidate place is included per annum; any additional candidates are charged at the usual training course cost.
System requirements
  • MobileIron Core v9.1 or greater for integration
  • A local user with (read-only) API roles on MobileIron
  • A modern web browser and internet connection
  • An email address for delivery of optional emailed PDF reports
  • Any relevant and current MobileIron service requirements (available on request)
  • MobileIron licences are transferred, or purchased as part of service

User support

Email or online ticketing support
Email or online ticketing
Support response times
Tickets are assigned a priority level, which may be altered during the lifecycle of the ticket, but always based on agreement between the customer and our support team. A P1 (mission critical) priority level has a 1 hour first response time. A P5 (information) priority level has a first response time of 48 hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our Bridge Support services are flexible: we can augment your existing support arrangements, or provide a complete outsourced support function. Bridge Host includes full 24x7 Bridge Support tickets and/or onsite consultancy visits, which would consume a pre-agreed number of service credits. Additional service credits available in different pricing bands, if so required.
Support available to third parties

Onboarding and offboarding

Getting started
Bridge Host includes the migration (lift-and-shift) of an existing MobileIron deployment, or the creation of a brand new instance, according to customer's needs.
Part of this set-up service also includes a health-check and consultancy work to address the most serious and pressing identified challenges. All such consultancy work to take place under jointly-agreed Statements of Work (SoWs) and implementation plans.
Bridge Host also includes one administrator training course (Bridge Train) candidate place per annum. Bridge Train courses take place regularly in Cambridge, on the dates published on our website.
Service documentation
Documentation formats
End-of-contract data extraction
Backups of the live MobileIron servers can be extracted through the GUI. Full device fleet details can be obtained via API and/or CSV export. Devices can be backed up (if policy allows).
IronWorks users can request data extraction upon which we would create and share a copy of their underlying database data.
End-of-contract process
At the end of the term, the customer is welcome to renew their contract and the service would continue. Alternatively, if the customer verifies in writing their preference not to continue, their account and associated data are deleted.

Using the service

Web browser interface
Using the web interface
Customers can access the MobileIron management and administration portal via the web interface. All the MobileIron administration functions are available, except for the System Manager portal, which is reserved for the Bridge Host operations team.
Customers can also access IronWorks for reporting and configuration needs.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
No testing has been carried out.
Web interface accessibility testing
No testing has been carried out.
What users can and can't do using the API
The MobileIron API provides programmatic access to a whole host of device control and reporting APIs for integration with other solutions. For organisations looking for augmented operational dashboards, historical trend reporting, management reports and/or compliance reporting, we recommend Bridgeway's IronWorks, which is included in this service.

IronWorks collects data from MobileIron instances through the use of APIs. IronWorks also has APIs available for customer integration of the resulting computed information into existing business intelligence tools (e.g. Power BI and similar). Full documentation of all the available API calls is available and integration consultancy services are available at extra cost.
API automation tools
Other API automation tools
API documentation
API documentation formats
  • HTML
  • PDF
Command line interface


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
MobileIron instances are architected with reasonable project growth in mind, so as not to become resource bound. VM and infrastructure performance are monitored by the Bridge Host team at Bridgeway, to ensure service availability and responsiveness.
IronWorks was designed and developed with scalability, availability and confidentiality in mind. Built with NodeJS and on Docker containers, the solution is self-healing and self-managing through the use of Kops and Kubernetes for enterprise- and carrier-grade deployment, with reliability and scaling configurations automatically ensuring a smooth customer experience.
Usage notifications
Usage reporting
  • API
  • Email
  • Other


Infrastructure or application metrics
Metrics types
Other metrics
  • Number of managed devices, users, applications, etc.
  • Compliance and non-compliance status and reasons
  • Number and lists of active and inactive users
  • OS and application versions and usage splits
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Security vetting of consultancy personnel (SC and NPPV3 by default, other vetting options available upon request). ISO27001 approved datacentre. Documented processes and internal policies. Physical and electronic security systems and controls. Encryption of data at rest (AES-256). Role-based access controls of personnel data access. GDPR-ready data handling processes, policies and user training.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • MobileIron backup and recovery tools are used for daily backups
  • IronWorks database is backed up as part of the service
Backup controls
Different backup and storage arrangements are available on request. A charge may be incurred by alternate arrangements.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network

Availability and resilience

Guaranteed availability
Service part-refund for non-performance. SLAs determined by chosen option, customer need and mutual agreement. Current MobileIron technical support SLAs are covered here:
Bridgeway's support SLAs for Bridge Support are listed here:
Approach to resilience
Bridge Host resilience available on request.
IronWorks resilience: Location and configuration of the service components are tracked and monitored through existing AWS, Kubernetes and Kops tools. Changes to the service are discussed internally at initial design, during development and before implementation. Security changes are discussed amongst a wider group, including the consultancy team and SMT, to identify any weaknesses before implementation.
Outage reporting
Email alerts and customer ingest logs/dashboards track service outages (whether these are IronWorks or MobileIron outages or those on hosting equipment).

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Access restricted by Role Based Access Control (RBAC). Devices authenticate with centrally managed (and issued) digital certificates. 2FA and SAML SSO available.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials currently, but moving to ISO27001 compliance in 2019.
Information security policies and processes
We follow ISO27001 and industry best-practice, with a few additional bespoke controls and policies of our own. Contact details and reporting structure available on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Location and configuration of the service components are tracked and monitored through existing service management, Kubernetes and Kops tools. Changes to the service are discussed internally through change advisory board process at initial design, during development and before implementation. Security changes are discussed amongst a wider group, including the consultancy team and SMT to identify any weaknesses before implementation.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Bridgeway monitor numerous security sources to remain abreast of the latest threats and attacks. Risks are assessed, prioritised and alerted to relevant personnel so that remedial action can be planned, the change control process applied, and the action systematically implemented.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Bridgeway's own approach available on request. Integration with customer's GPG-13 compliant protective monitoring service also available. Please contact us for further details and pricing.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Available on request

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
Independent instances run in dedicated VMs, ensuring segregation of data. For sensitive data, we would use a single, i.e. dedicated, VM per host server instead - this may incur an additional charge.

Energy efficiency

Energy-efficient datacentres


£20 to £32 per person per year
Discount for educational organisations
Free trial available
Description of free trial
Full service, but time-limited and without on-boarding service.
Link to free trial
