Bridgeway Security Solutions

IronWorks: scheduled compliance and operational reporting for MobileIron

MobileIron is the world's leading mobility management and security solution for large organisations. IronWorks unleashes the power of MobileIron's data to enable: scheduled reports providing actionable insights, long-term trend analysis, identification and location of missing or unused devices, and granular visibility of your most cost-effective MobileIron licensing model.


  • Mobility project key performance indicator (KPI) charting
  • Automated, scheduled emailed PDF reports aligned to line-of-business
  • Automatic data ingestion from MobileIron via API integration
  • Comprehensive trend analysis and charting of your mobility project
  • Compliance reporting for GDPR, ISO27001, IG Toolkit and PSN CoCo
  • Daily MobileIron security health-check and operational dashboard
  • Aggregated lost and missing device out-of-contact map views
  • Integrated MobileIron licence tracking and efficiency calculator
  • Identify and list inactive users present on your MobileIron estate
  • List mobile devices vulnerable to Spectre and Meltdown attacks


  • Measure, track and evidence the success of your mobility project
  • Disseminate team mobility reports directly to their team managers
  • Ensures complete and consistent information for mobility project reporting
  • Plan and budget for mobile growth with insightful trend analysis
  • Evidence your continuous work towards reaching and maintaining compliance
  • Identify potential MobileIron issues before they become a problem
  • Locate, recover and repurpose missing mobile devices to cut costs
  • Identify optimum MobileIron licensing split and save money
  • Highlight inactive mobile users to reduce attack surface area
  • Track and manage your mobile security risks and exposure


£6.30 to £9 per device per year

G-Cloud 11


Bridgeway Security Solutions

Jason Holloway

01223 979 090

Service scope

Software add-on or extension Yes
What software services is the service an extension to IronWorks is a reporting solution that integrates with MobileIron (MDM/EMM/UEM) deployments, whether these have been deployed as cloud or on-premises.
IronWorks provides data driven decision making for MobileIron mobility projects.
Cloud deployment model Public cloud
Service constraints IronWorks integrates via API calls with MobileIron deployments. Mobility projects that do not use MobileIron as the security MDM/EMM/UEM are not supported at present.
System requirements
  • MobileIron Core v9.1 or greater for integration
  • Alternatively, MobileIron Connected Cloud, also v9.1 or greater
  • A local user with (read-only) API roles on MobileIron
  • A modern web browser and internet connection
  • An email address for delivery of optional emailed PDF reports

User support

Email or online ticketing support Email or online ticketing
Support response times Bridgeway SLAs guarantee a first considered response within 1 hour of the initial ticket being logged, with progress updates starting within 3 hours of receipt of all relevant information. Different SLAs apply according to mutually-agreed priority level.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing Our support service (Bridge Support) is typically provided as phone and email support, but optionally - at an agreed extra cost - we can integrate into existing customer processes and systems. For example, using customer's existing Zendesk, JIRA or SalesForce support tools, knowledge bases and escalation processes.
These services have their own WCAG compliant interfaces for user web chat support, which we would leverage in the support service delivery.
Onsite support Yes, at extra cost
Support levels Our Bridge Support services are flexible: we can augment your existing support arrangements, or provide a complete outsourced support function. Standard support is available during UK office hours and can be extended to include full 24x7 and/or onsite consultancy visits.
Support available to third parties Yes

Onboarding and offboarding

Getting started IronWorks on-boarding is fast and easy, and typically takes five minutes in total. Bridgeway will assist a prospective or new customer to integrate by providing a list of the necessary settings prior to a joint webinar call. This call then connects the customer's MobileIron solution with IronWorks, and the connection is tested.
Online training in the main IronWorks features then follows, and short videos describing the main features are also available for e-Learning and self-education.
24x7 technical support is also available as part of the service.
Service documentation No
End-of-contract data extraction Users can request data extraction upon which we would create and share a copy of their underlying database data.
End-of-contract process At the end of the term, the customer is welcome to renew their licence and the service would continue.
Alternatively, if the customer verifies in writing their preference not to continue, their account and associated data are deleted. The customer would be expected to remove the local API user from their MobileIron solution at this stage.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None, all functionality present on both device types and across all form-factors
Accessibility standards None or don’t know
Description of accessibility No testing has been carried out.
Accessibility testing No testing has been carried out.
What users can and can't do using the API IronWorks collects data from MobileIron instances through the use of APIs. IronWorks also has APIs available for customer integration of the resulting computed information into existing business intelligence tools (e.g. Power BI and similar).
Full documentation of all the available API calls is available and integration consultancy services are available at extra cost.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation Customers can set their preferred organisation name, which users can access the service and their respective roles. Additionally, the organisation administrator can add email report recipients and choose from pre-defined template reports, or custom build their own.

Optionally, IronWorks can also be customer branded at extra cost.


Independence of resources IronWorks was designed and developed with scalability, availability and confidentiality in mind. Built with NodeJS and on Docker containers, the solution is self-healing and self-managing through the use of Kops and Kubernetes for enterprise- and carrier-grade deployment, with reliability and scaling configurations automatically ensuring a smooth customer experience.


Service usage metrics Yes
Metrics types This is a mobility project reporting solution, so it is designed to provide service usage metrics across many mobility project measurements, including but not limited to: number of devices, number of users, OS split, mission-critical application versions and split, number of out-of-contact devices, number and reasons for non-compliance of devices, and active and inactive user lists.
In addition, operational dashboard metrics cover certificate expiry notices, internet-exposed administration consoles, devices at risk from known security vulnerabilities, administrator roles and service access statistics.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Security vetting of consultancy personnel (SC and NPPV3 by default, other vetting options available upon request). ISO27001 approved datacentre. Documented processes and internal policies. Physical and electronic security systems and controls. Encryption of data at rest (AES-256). Role-based access controls of personnel data access. GDPR-ready data handling processes, policies and user training.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach IronWorks includes automated PDF report emailing on a scheduled basis, as well as user-initiated (on-demand) CSV export of all charts, tables and map data.
Extracting the tenant's data from the underlying IronWorks database is an optional service.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Native database
Data import formats Other
Other data import formats Not applicable

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network SSH

Availability and resilience

Guaranteed availability Service part-refund for non-performance. SLAs determined by chosen option, customer need and mutual agreement.

Bridgeway's support SLAs for Bridge Support are listed here:
Approach to resilience Location and configuration of the service components are tracked and monitored through existing AWS, Kubernetes and Kops tools.
Changes to the service are discussed internally at initial design, during development and before implementation.
Security changes are discussed amongst a wider group, including the consultancy team and SMT, to identify any weaknesses before implementation.
Outage reporting Email alerts and customer ingest logs/dashboards track service outages (whether these are IronWorks outages or those on customer equipment).

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels IronWorks authenticates users to the web portal using strong passwords.
Bridgeway support only accepts support tickets raised by recognised administrators of the IronWorks platform.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 EY Certify Point
ISO/IEC 27001 accreditation date 18/11/2010, with latest re-issue on 15/12/2017
What the ISO/IEC 27001 doesn’t cover Scope covers datacentre services and facilities, does not cover on-premises installations or customer's own processes/implementations.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 2018
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover As per service scope definition
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Cyber Essentials currently, but moving to ISO27001 compliance in 2019.
Information security policies and processes We follow ISO27001 and industry best-practice, with a few additional bespoke controls and policies of our own.
Contact details and reporting structure available on request.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Location and configuration of the service components are tracked and monitored through existing AWS, Kubernetes and Kops tools.
Changes to the service are discussed internally at initial design, during development and before implementation.
Security changes are discussed amongst a wider group, including the consultancy team and SMT, to identify any weaknesses before implementation.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Bridgeway monitor numerous security sources to remain abreast of the latest threats and attacks.
Risks are assessed, prioritised and alerted to relevant personnel so that remedial action can be planned, the change control process applied, and the fix systematically implemented.
Protective monitoring type Supplier-defined controls
Protective monitoring approach IronWorks user access logs are gathered and retained, along with usage data to allow for forensic examination of any suspicious activity.
Bridgeway is planning to integrate IronWorks logging into its existing protective monitoring solution (implementation date TBC).
Incident management type Supplier-defined controls
Incident management approach Incident management and support escalation processes are in place and proven.
Bridgeway recommends customers report any possible security incidents or concerns through our logged and tracked 24x7 telephone and email support service.
Security incidents are notified immediately, day or night, to the Bridgeway SMT.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)


Price £6.30 to £9 per device per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial A fully-featured service available for a jointly-agreed but time-limited period.
Link to free trial

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)