CA Mobile Device Management 2014 Q1 Administrating


This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the "Documentation") is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 1212, , and (c)(1) - (2) and DFARS Section (b)(3), as applicable, or their successors.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Table of Contents

Devices Enroll Devices Enroll Android Devices Required Formats for Android Devices Remove CA MDM from Android Devices Enroll iOS Devices Enrolling iOS 7 Devices in Management Using MDM 1-Step Enrollment Enrolling iOS 7 Devices in Management Using The Self-Service Portal Enroll Jailbroken iOS Devices Reset CA MDM User Credentials on an iOS Device Enroll BlackBerry Devices Enroll Windows Devices Update Considerations for Windows Devices Windows OS Variations and CA MDM Operations Windows Browser Sessions Windows Phone Devices Enroll Windows Phone Devices Remove Windows Phone Devices from Management Manage Devices View and Create Custom Device Views View the Device List Custom Buttons on the Device Page Create Custom Device Activity Views Remove Device Activity Data for a Subscriber Display Device Location on Map Search for Devices Approve Devices Inspect Devices Edit Device Information Device Naming Considerations for Database Specific Value Send Message to a Device Move Device to another Tenant Modify Device Owner Delete Device or Device Data Perform Security Actions on Devices Security Actions for Android Devices Security Actions for BlackBerry Devices Security Actions for iOS Devices Security Actions for Windows Phone Device

Connect Device to Apply Policies Connect Device to Run Channel View Group Linked to Device Link and Manage Static Group to Device View Policy Linked to Device Import a Corporate Device List Device Activity Views Prepare and Manage Device Activity Collection Prepare Devices for Activity Collection Device Activity Collection Considerations Device Activity Collection Frequency Start Device Activity Collection Stop Device Activity Collection Reprompt for Device Activity Enrollment Configure General Device Activity Settings Configure Device Activity Settings for Roaming Configure Device Activity Settings for Data Views Enable Device Activity Cleanup Customize Device Activity Cleanup Schedule Groups Manage Groups View Group List Create Static Group Link and Unlink a Static Group Create Dynamic Group Create User Group Create Composite Group Edit or Delete a Group Inspect Group Connect Device of a Group to Apply Policies Connect Devices of a Group to Run a Channel Link and Manage Policy to Groups Export Group Policies Manage Policies View the Policy List Edit or Delete a Policy Substitution Variables in Policies Add Substitution Variables Substitution Variables in the Device Editor

Device Configuration Policies Application Policies System Substitution Variables Directory Substitution Variables User-Defined Substitution Variables Define End-User Prompts in Enrollment Policies Validation Rules for Substitution Variables Inspect Policy Publish and Unpublish Policies View the Groups Linked to a Policy View the Device Links of a Policy Link a Group to a Policy Export a Policy View Manage Application Policies Manage App Store Application Policies for iOS Devices Prepare iOS Devices for Application Management Prepare iOS App Store Application Management Create an Application Policy for iOS App Store Apps Deploy iOS App Store Apps Manage Enterprise Application Policies for iOS Devices Prepare iOS Devices for Application Management Prepare iOS Enterprise Application Management for Required Applications Prepare iOS Enterprise Application Management for Optional Applications Create an Application Policy for iOS Enterprise Applications Deploy iOS Enterprise Applications Disable an iOS Enterprise Application on a Device Volume Purchase Program Licensed Application Policies for iOS Devices Volume Purchase Program License Management Prepare for Distribution of VPP Apps Create a Volume Purchase Program Licensed App Policy Deploy VPP Apps on the Device View License Details and User Status for VPP App Policies Revoke License for VPP Apps Retire the VPP User Manage Google Play Application Policies for Android Devices Prepare Android Devices for Application Management Prepare Android Google Play Application Management Create an Application Policy for Android Google Play Apps Deploy Android Google Play Apps Manage Enterprise Application Policies for Android Devices Prepare Android Devices for Application Management Prepare Android Enterprise Application Management Create an Application Policy for Android Enterprise Applications Deploy Android Enterprise Applications Remove an Android Required Enterprise Application from a Device

App Store Application Policies for Windows Phone Devices Prepare for Windows Store Application Management Create an Application Policy for Windows Phone App Store Applications Deploy Windows Store Application Enterprise Application Policies for Windows Phone Devices Work with Windows Phone Enterprise Applications Upload the Application Enrollment Token and Signed CA MDM Application Prepare for Windows Phone Enterprise Application Management Create an Application Policy for Windows Phone Enterprise Applications Deploy Windows Phone Enterprise Applications Manage Configuration Policies Create Configuration Policy for Android Devices Schedule Page Configure Basic Settings for Android Devices Configure Android LG Devices Configure Android Motorola Devices Configure Android Samsung Devices Configure AES General Settings for Samsung Devices Configure Exchange ActiveSync for Samsung Devices Remove Exchange ActiveSync Configuration from Samsung Devices Install and Update Applications for Samsung Devices View Managed Application Inventory for Samsung Devices Manage Installed or Known Applications for Samsung Devices Remove Applications from Samsung Devices Samsung SAFE Pages Samsung KNOX Pages Enter a Samsung Enterprise License Key Post-Session Processing for Channels Create Configuration Policy for BlackBerry or Windows Devices Create Configuration Policy for iOS Devices iOS Configuration Policy MDM Payloads Send Multiple Configuration Policies to Devices The SSL Option in Policies Embedded SCEP Requests as Identity Certificates Import iOS Device Configuration Policies iOS Policies from the Apple iPhone Configuration Utility Manage Session Policies Create Configuration Policy for Windows Phone Manage Enrollment Policies Create Enrollment Policy for Android Devices Automatic Naming Data for Android Enrollment Policies Create Enrollment Policy for BlackBerry Devices Create Enrollment Policy for iOS Devices Update Enrollment Policy for MDM-First Enrollment Create Enrollment Policy for Windows

Create Enrollment Policy for Windows Phone Protect Enrollment Policies Configure Session Policies Configure Bandwidth Throttling Configure File Compression and File Differencing Configure Failed Session Cleanup Configure Authentication and Assignments for Sessions Configure User-Defined Field Customize App Store Application iOS Home Branding Element Map iOS About Branding Element Map Language Localization and Branding on the CA MDM iOS Application Server Configure Outbound Notifications Configure Security Configure NT Domain Configure LDAP Configure Active Directory Create and Manage Tenants Select a Tenant Manage Schedules Manage Server List View Enable and Manage Logging Configure Google Cloud Messaging Service Deploy and Configure GetUI Configure GetUI Define and Manage Access Control Policies Define Access Control Policy for Android Define Access Control Policy for iOS Define an Access Control Policy for Windows Phone Define Access Control Policy for Unknown Devices Define Access Control Policy to Block or Allow by Group Define Remediation Policy for Android Define Remediation Policy for iOS Define a Remediation Policy for Windows Phone Bring Android Devices Back in Compliance Access Control Policy Conflict Resolution Access Control Device List Manually Add a Device for Access Control View Access Control Information of a Device Edit Device Information of an iOS Device Manually Manage Domain for Access Control

Exchange Environment Unique Device ID Value Configure Application of Android Devices While Using Access Control Policy Required Formats for Android Devices Build Database of Known Android Devices Change Access Control Policy for a Device End-User Access Control Policy Notification Manage User Roles Permissions Device, Groups, and Policy Permissions Data Views Permissions Device Inspector Tabs Permissions Remote Actions on Devices Permissions Server Actions Permissions Server Pages Permissions Server Configuration Pages Permissions View the Server Roles Add or Edit User Role Log in as Added User Application Onboarding Data Provisioning for iOS and Android Applications Monitoring and Reporting Acknowledge and Manage Alerts Delete an Alert View Pending Alerts Create an Alert Definition Create Contact for Alerts Configure an Alert Response View Defined Events Create Event for Configuring Alert Channel Administration Create or Edit a Session Manager Channel Views Available for Session Manager Channel Editor Assignments View Default View Filter the View Channels View Events View Managing Worklist or Sendlist for a Channel Assign a Worklist or Sendlist to your Channel

Unassign Objects from your Channel Add Events to a Worklist or Sendlist Display or Hide Event Flags Set Event Colors Define Event Properties Using Directory and File Names in Events Using Variables in Events Using Wildcards in Events Event File Comparison and Transfer Properties Event Options Properties Import or Export Events Import an Event Export an Event Optimizing Channel Sessions Pre-Processing Tasks Streamline Remaining Tasks Create Worklist Efficiencies

Administrating

The Administrating section describes how to manage devices, users, groups, and policies.
- Devices
- Groups
- Policies
- Server
- Application Onboarding
- Monitoring and Reporting
- Channel Administration

Devices

CA MDM allows you to manage devices using groups and policies. Devices include phone and computing devices, such as smartphones, tablets, and desktop or laptop computers. In the CA MDM Administrator, the Device page is the main page for device-focused tasks.
- Enroll Devices
- Manage Devices
- Device Activity Views
- Prepare and Manage Device Activity Collection

Enroll Devices

Contents
- Enroll Android Devices
- Required Formats for Android Devices
- Remove CA MDM from Android Devices
- Enroll iOS Devices
- Enrolling iOS 7 Devices in Management Using MDM 1-Step Enrollment
- Enrolling iOS 7 Devices in Management Using The Self-Service Portal
- Enroll Jailbroken iOS Devices
- Reset CA MDM User Credentials on an iOS Device
- Enroll BlackBerry Devices
- Enroll Windows Devices
- Update Considerations for Windows Devices
- Windows OS Variations and CA MDM Operations
- Windows Browser Sessions
- Windows Phone Devices
- Enroll Windows Phone Devices
- Remove Windows Phone Devices from Management

You can manage the devices using the CA MDM application, as published to a commercial market. The third party manages the market with certificate authority as the developing entity for a client.

The lifecycle of CA MDM on any device is as follows:
- Install the CA MDM application from a commercial market, such as the Apple App Store and Google Play.
- Enroll the device for management with the CA MDM environment.
- Update the application.
- Stop device management. The administrator wipes the device, or the user removes the application.

You complete the following actions when you enroll the device:
- Configure the CA MDM application.
- (Optional) Generate the CA MDM client name.
- (Optional) Apply Access Control for policy.
- (Optional) Enroll in groups.
- If you automatically approve devices, then provision CA MDM, apply policies and collect inventory.

Enroll Android Devices

CA MDM lets you enroll devices that use applications that are installed from an Android market such as Google Play.
- Create an enrollment policy on the CA MDM Server.
- If the users enroll using the CA MDM Self-Service Portal, then install the portal using an enrollment code from the policy.
- Install the CA MDM application from the Google Play market.
- Distribute the enrollment code to the users from the Enrollment policy.
- Instruct the users to enroll and receive an enrollment code.
- Start the application and enter the enrollment code from the CA MDM Self-Service Portal.
- If the server security or the enrollment policy is set to approve devices, then CA MDM completes the enrollment.
  Note: The device can be in an unapproved state when reenrolling for a new tenant. If the device enrollment fails, then the device prompts for entering an enrollment code.

- On the CA MDM Administrator Console, approve the unapproved device for the CA MDM according to your organization processes.

Required Formats for Android Devices

The username requirement for CA MDM Access Control for depends on your enterprise environment for Android devices.
Note: Verify the username requirements on the CA MDM application configuration page.

The required format for Android devices is as follows:
- Samsung devices - domain\user
- Motorola devices -

Remove CA MDM from Android Devices

To remove the CA MDM client from the device, deactivate the Device Administrator rights and then uninstall the client.

Enroll iOS Devices

iOS devices have native support for device management using Apple Mobile Device Management (MDM). You can install the CA MDM application on the CA MDM customer support site from the following locations:
- From the custom-signed enterprise CA MDM application portal.
- From the Apple App Store.

To enroll the device:
- Create an enrollment policy on the CA MDM Server.
- If the users enroll using the CA MDM Self-Service Portal, then install the portal using an enrollment code from the policy.
- Install the CA MDM application from the custom-signed CA MDM enterprise application portal or from the Apple App Store.
- Distribute the enrollment code to the users from the Enrollment policy.
- Instruct the user to enroll and receive an enrollment code.
- Start the application and enter the enrollment code from the CA MDM Self-Service Portal.
- If the server security or the enrollment policy is set to approve devices, then CA MDM completes the enrollment.
  Note: The device can be in an unapproved state when reenrolling for a new tenant. If the device enrollment fails, then the device prompts for entering an enrollment code.

- On the CA MDM Administrator Console, approve the unapproved device for the CA MDM according to your organization processes.

Enrolling iOS 7 Devices in Management Using MDM 1-Step Enrollment

Enroll iOS 7 devices using an MDM enrollment link that you distribute to users. The enrollment policy generates the MDM enrollment link. When the enrollment is complete, the device is subject to the policies in CA MDM. These policies require you to perform more actions on your device. For example, set a passcode for the device.
1. On the CA MDM Server, create an enrollment policy.
2. Send the MDM enrollment link from the enrollment policy to the user.
3. On the device, browse to the MDM enrollment link and enter your credentials.
4. If prompted, enter values for the user-defined variables.
5. To start the installation of the MDM Device Enrollment Profile Service, click Install and then Install now.
6. If a password is set on the device, enter the password to authorize the installation.
7. If prompted to install a profile, click Install.
8. Click Done.
9. To install the CA MDM Client, click Install.

Enrolling iOS 7 Devices in Management Using The Self-Service Portal

Enroll iOS 7 devices using the Self-Service Portal. When the enrollment is complete, the device is subject to the policies in CA MDM. These policies require you to perform more actions on your device. For example, set a passcode for the device.
1. On the CA MDM Server, create an enrollment policy.
2. Send the Self-Service Portal link from the enrollment policy to the user.
3. On the device, browse to the Self-Service Portal and enter your credentials.
4. Click Enroll New Device, Enroll.
5. If prompted, enter your credentials and values for the user-defined variables.
6. To start the installation of the MDM Device Enrollment Profile Service, click Install and then Install now.

7. If a password is set on the device, enter the password to authorize the installation.
8. If prompted to install a profile, click Install.
9. Click Done.
10. To install the CA MDM Client, click Install.

Enroll Jailbroken iOS Devices

CA MDM can allow jailbroken or compromised iOS devices to complete the CA MDM enrollment process, including the MDM relationship enrollment.
- Log in to the CA MDM Administrator Console, and navigate to Policy, Edit, Enrollment, iOS.
- Click General on the Enrollment Setting page, select Enable jailbroken devices, and Save.
Note: A jailbroken iOS device can proceed with the MDM enrollment process only if this option is selected.

Reset CA MDM User Credentials on an iOS Device

Change the domain, user name, or password that the CA MDM application uses for the authentication.
- Close the CA MDM application on the device.
- Navigate to Settings, General, CA MDM, and Reset Credentials and then set to On.
The user is prompted to enter credentials the next time the application requires authentication.

Enroll BlackBerry Devices

The organization deploys the CA MDM application on BlackBerry devices. To update or upgrade the application, connect the device to the CA MDM Server. The application is automatically updated without any user interaction.

Consider the following points:
- Verify third-party application rights and carriers. User intervention for the installation and usage of CA MDM differs between carriers.

- To complete the CA MDM installation, temporarily allow third-party applications on the BlackBerry Enterprise Server (BES) configuration setting. You can change the configuration setting after the CA MDM installation is complete.
- The CA MDM application starts when the device power is switched on.

To enroll the device:
- Create an enrollment policy on the CA MDM Server.
- If the users enroll using the CA MDM Self-Service Portal, then install the portal using an enrollment code from the policy.
- Deploy the application using one of the following methods:
  - Download the application from the enrollment policy and distribute to users with an enrollment code.
  - Install the CA MDM Self-Service Portal instance that uses the enrollment policy. Allow the users to connect with their devices, and download the application and get an enrollment code.
- Install the CA MDM application.
- Start the application and enter the enrollment code.
- Connect the device and allow the actions for a successful CA MDM client session. These actions include the SMS connection, act as a server, access to ///store, and socket connection.
- If the server security or the enrollment policy is set to approve devices, then CA MDM completes the enrollment.
  Note: The device can be in an unapproved state when reenrolling for a new tenant. If the device enrollment fails, then the device prompts for entering an enrollment code.
- On the CA MDM Administrator Console, approve the unapproved device for the CA MDM according to your organization processes.

Enroll Windows Devices

The organization deploys the CA MDM application on Windows devices. Enroll devices using applications from enrollment policies that you distribute to users. On the Windows computers, run the setup executable file to install the product. To update or upgrade the application, connect the device to the CA MDM Server. The application is automatically updated without any user interaction.
- On the CA MDM Server, create an enrollment policy and download the CA MDM application.

- Deploy the application using network, local, or portable media.
- On the device, install the application.
- Connect to the CA MDM Server.
- If the server security or the enrollment policy is set to approve devices, then CA MDM completes the enrollment.
  Note: The device can be in an unapproved state when reenrolling for a new tenant. If the device enrollment fails, then the device prompts for entering an enrollment code.
- On the CA MDM Administrator Console, approve the unapproved device for the CA MDM according to your organization processes.

Update Considerations for Windows Devices

The device session checks the server for updates to apply on the device. CA MDM automatically delivers the file updates. Installation of updates depends on the value of the following CA MDM Server registry key. This registry key is installed during the product installation:

    hklm\software\ca MDM\CA MDM\server\silentupgrade

Review the following key values.
- 0 - Not silent.
- 1 - Silent and an attended reboot is required.
- 2 - Silent and an unattended reboot is initiated.
- 3 - Obsolete. This key defaults to the behavior of key value Silent and no reboot is required. This key is included for backward compatibility and must be used with caution.
- 5 - Silent and a delayed reboot is required.

When CA MDM applies an upgrade for the CA MDM Windows device, restart the device to complete the upgrade.

Windows OS Variations and CA MDM Operations

CA MDM supports the Windows OS versions. The Windows OS versions use different native APIs and .NET Framework technologies, and differ in user and application security and management. CA MDM is designed to install and operate in different contexts: as a logged-on user, as a service without associated user credentials, and as a service with associated user credentials.

Consider the following scenarios as you plan and manage CA MDM Windows client operations for the different Windows OS versions.

Installation and Data Storage

Installation and data directory
The Windows OS versions differ in the security restrictions. These security restrictions are enforced when writing application data to the Program Files folder. Therefore, the CA MDM Windows devices use different implementations for storing install files and data files. These files are based on the Windows OS version.
- The Windows Vista client default install folder: %PROGRAMFILES%\Aclient\Bin.
- The Windows Vista client default data folder: %ALLUSERSPROFILE%\AClient\Data.
- Windows pre-Vista clients install and data folder: %PROGRAMFILES%\Aclient.

Session variables
The session variables <ClientDataDir> and <ClientOS> are used during operations to decide and execute the functioning that is based on OS versions. Install the package and application installation.

Session Channel Operations

Windows Vista
Within the User Account Control (UAC) security framework, the application is installed with the LOCAL SYSTEM account. The LOCAL SYSTEM account does not require the user credentials to run an application as a service.

Windows pre-Vista
The security framework for running an application as a service optionally permits associating user credentials with the service operations.

CA MDM context indicates the CA MDM service or user context for performing channel tasks:
- CA MDM installed as a service without associated administrator credentials
- CA MDM installed as a service with associated administrator credentials
- CA MDM installed as a logged-on user

Operating system security restrictions indicates that the operating system restricts or limits channel tasks at the client. The following restrictions vary by Windows OS version.

- Write to the root folder
- Write to the Windows folder
- Write to the Windows system folder
- Write to the registry
- Interact with the user interface

The session channels include features and options that enable you to work successfully within the operating system security framework.
- Read, write, and delete files and folders
- Get, set, and delete registry values
- Impersonate user events
- Execute programs and scripts
- Expose a message to the user interface event
- Use and set session variables
- Use and read environmental variables

Windows Browser Sessions

CA MDM supports HTML-based channels that the Windows devices can execute through a Web browser. The Windows devices that run a channel are referred to as CA MDM browser sessions. Browser sessions can also run non-HTML channels. By default, the browser sessions connect only to the master CA MDM Server. In a farm environment, you can distribute browser session connections. You can force the distribution by using a round robin load balancer.

Windows Phone Devices

The Windows Phone devices include a built-in device management client that communicates with the CA MDM Server. Enroll the devices using the enrollment URL that you obtain from the Self-Service Portal or that the administrator distributes. After the enrollment, during the first connection to the server, the CA MDM application is installed on the device.

The Windows Phone device management client has the following two components:
- The Enrollment client enrolls and configures the device to communicate with the CA MDM Server.
- The Device management client periodically synchronizes and checks for updates on the CA MDM Server, and applies the latest policies to the device.

The following sequence of events provisions and configures the client to connect to the CA MDM Server:

1. Discovery Web service that provides the configuration information necessary for a user to enroll the device with CA MDM management.
2. Certificate installation handles user authentication, certificate generation, and installs certificates for SSL authentication.
3. Client provisioning provisions the device management client to connect to the CA MDM Server after enrollment.
4. Administrator configures an inbound connection schedule with predefined values, as Windows Phone does not support outbound connections.

Enroll Windows Phone Devices

To enroll the Windows Phone devices in CA MDM management, use the MDM enrollment URL, or the URL that the users obtain from the Self-Service Portal. Windows Phone device enrollment works only with HTTPS when communicating with the discovery service and the enrollment server. If you use a nondefault port and HTTPS in a self-signed environment, specify the port in the enrollment server address. If you use the default port in a self-signed environment, the enrollment settings that are configured for HTTP are automatically switched to HTTPS on the device. For more information about the Enrollment Server, see Configure SSL Connections in Installing.
- In the CA MDM Administrator Console, create a Windows Phone enrollment policy. The MDM Enrollment URL used to enroll the device is auto generated based on the enrollment server settings in the Enrollment Server page.
- If you are enrolling devices using the portal, install the portal using an enrollment code from the policy.
- Activate the enrollment code URL on the portal.
- If the variables have been configured in the associated enrollment policy, enter the values for user variables.
- On the device, navigate to the Settings, company apps page and create a user account. The details that you enter while creating the company apps account vary based on the type of authentication. LDAP-based authentication is not supported for the Windows Phone devices. If you use directory substitution variables with Active Directory authentication, leave the Username and Domain fields blank.
- Copy the URL from the portal and paste it into the Server field on the company apps page. Users can also enter the URL provided by the administrator directly.
- Click login. The enrollment code URL uses the discovery service to obtain the management service details for enrollment and authentication. The device connects through a proxy or directly, according to the CA MDM environment configuration. After the enrollment and when the CA MDM Server is connected, the CA MDM application is installed on the device. CA MDM completes the enrollment when server security or the enrollment policy is set to approve clients, or when you approve a device.

- Approve the device for CA MDM management according to the processes of your organization.

Remove Windows Phone Devices from Management

The Windows Phone devices can be removed from CA MDM management either by the user or by the administrator. The administrator uses the remote wipe action to disconnect the device from management. To initiate the disconnection process from the device, the user must delete the company apps account created during the enrollment.

When disconnecting from CA MDM management, the client performs the following actions on a device:
- The device from the client and the configured root certificates are removed.
- The enforcing policies are stopped.
- Client configuration details from the device are removed.
- The client remains dormant until the user reconnects.

If the administrator initiates the disconnection process, the users are notified that the device has been removed from management.
Note: The remote wipe and remove control actions do not occur until the device initiates the connection, as Windows Phone devices do not support outbound connections.

Manage Devices

Contents
- View and Create Custom Device Views
- View the Device List
- Custom Buttons on the Device Page
- Create Custom Device Activity Views
- Remove Device Activity Data for a Subscriber
- Display Device Location on Map
- Search for Devices
- Approve Devices
- Inspect Devices
- Edit Device Information
- Device Naming Considerations for Database Specific Value
- Send Message to a Device
- Move Device to another Tenant

- Modify Device Owner
- Delete Device or Device Data
- Perform Security Actions on Devices
- Security Actions for Android Devices
- Security Actions for BlackBerry Devices
- Security Actions for iOS Devices
- Security Actions for Windows Phone Device
- Connect Device to Apply Policies
- Connect Device to Run Channel
- View Group Linked to Device
- Link and Manage Static Group to Device
- View Policy Linked to Device
- Import a Corporate Device List

CA MDM allows you to manage devices using groups and policies. Devices include phone and computing devices, such as smartphones, tablets, and desktop or laptop computers. In the CA MDM Administrator, the Device page is the main page for device-focused tasks.

View and Create Custom Device Views

You can view summary information of all devices using a default, system, or custom view. You can change the order of a row, edit the alias of a row, and show, hide, or sort properties. You can define criteria by selecting multiple criteria rows and can group or ungroup the selection. To define criteria, select a view, or to populate a view, create a custom device view.
1. Log in to the CA MDM Administrator, navigate to Device. The default view is unfiltered; it includes all devices and spans multiple pages.
2. To view a device in a custom view, select view and navigate to the System Views and Custom Views folder.
3. To create a custom device view, perform the following actions:
   a. Click Select View, and select the Custom View folder.

   b. Click Add new view within currently opened folder, enter the view details.
   c. To add a column and criteria in your view, select fields in Data Field.
4. Click Save.

View the Device List

You can view the CA MDM Device Activity List in the default system-defined data view. You can review the CA MDM Device Activity data in the custom view.

1. Log in to the CA MDM Administrator Console, navigate to Device, click Activity List.
   The Subscribers view is the default view.
2. To view the device activity list in the custom view, navigate to Activity List, and click Select View.
3. Select a view.
   The Device, Activity views page is displayed.
4. (Optional) Click the title of any column to sort by that column.

The device activity list is viewed in the default view.

Custom Buttons on the Device Page

You can add custom buttons to the top toolbar on the device page. Custom buttons allow you to send information about devices that you select in the CA MDM Administrator to web pages.

To create custom buttons, add the following code to the CAMDM.Admin\web.config file. The configSections code must be the first section in the configuration section.

    <configuration>
      <!-- configSections must be the first child of <configuration> -->
      <configSections>
        <section name="DevicePageButtons" type="afaria.admin.utilities.custombuttonsconfig"/>
      </configSections>
      <DevicePageButtons>
        <buttons>
          <!-- one <add> element per button -->
          <add iconurl="url" pageurl="url" uniqueid="string" tooltiptext="string" typefilterlist="list" tenantnamefilterlist="list"/>
        </buttons>
      </DevicePageButtons>
    </configuration>

Each of the add lines creates a button. The following table describes the attributes that define the custom buttons:

Attribute: iconurl
Description: The URL of the image file for the button. If the URL starts with ~/, it is relative to the root of the CA MDM Administrator Console web page. The image must be 16 by 16 pixels.

Attribute: pageurl
Description: The address of the web page and the information that is sent to the web page. Include the attributes for the selected device in this format:

    URL?attributename=%device attribute%&attributename=%device attribute%&...

The URL can include:
- Uid
- Name
- Type
- Approved
- TenantID
- Tenant

The device attributes are case-insensitive. If a device attribute value is unavailable, the URL includes the localized string of unknown for the device attribute.

Attribute: uniqueid
Description: The unique string that identifies the button. Keep the string short to minimize page load time.

Attribute: tooltiptext
Description: (Optional) The string that appears as hover text for the button.

Attribute: typefilterlist
Description: (Optional) A comma- or semicolon-delimited list of device type IDs that determines the device types for which the button appears. To make the button visible for all device types, exclude this attribute.

Attribute: tenantnameFilterList
Description: (Optional) A semicolon-delimited list of tenant names that determines for which tenants the buttons appear. To make the button visible for all tenants, exclude this attribute. This attribute is case-insensitive and, before a match, the strings are trimmed to remove extra spaces.
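The following is an added example, not code from this guide or from CA: a sketch of how the web page that a custom button points to could parse the query string produced by pageurl before using it. It treats every device attribute as untrusted text, maps the "unknown" placeholder to a missing value, and HTML-escapes what it displays. The parameter names, the host name, the length cap, the English "unknown" literal, and the rule that uid is mandatory are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Parameter names this page expects. They are hypothetical: the administrator
# picks them when writing the pageurl template, for example
#   https://tools.example.test/lookup?uid=%Uid%&name=%Name%&tenant=%Tenant%
EXPECTED_PARAMS = frozenset({"uid", "name", "type", "approved", "tenantid", "tenant"})

# The guide says an unavailable attribute arrives as the localized string for
# "unknown". Assumption: an English console, so the literal is "unknown".
UNKNOWN_MARKERS = frozenset({"unknown"})

MAX_VALUE_LEN = 256  # assumption: generous cap for any single attribute


class RejectedRequest(ValueError):
    """Raised when the query string is not what the button should send."""


def parse_button_request(url):
    """Return {parameter: value or None} for one custom-button request."""
    fields = {}
    for raw_key, raw_value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = raw_key.strip().lower()
        if key not in EXPECTED_PARAMS:
            raise RejectedRequest(f"unexpected parameter {raw_key!r}")
        if key in fields:
            # Repeated parameters let two layers disagree about the value.
            raise RejectedRequest(f"repeated parameter {raw_key!r}")
        if len(raw_value) > MAX_VALUE_LEN:
            raise RejectedRequest(f"{key}: value too long")
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw_value):
            raise RejectedRequest(f"{key}: control character in value")
        value = raw_value.strip()
        fields[key] = None if not value or value.lower() in UNKNOWN_MARKERS else value
    # Assumption: this page keys its lookup on the device Uid.
    if not fields.get("uid"):
        raise RejectedRequest("uid is missing or unknown")
    return fields


def render_rows(fields):
    """Render the fields as HTML table rows with every value escaped."""
    rows = []
    for key in sorted(fields):
        shown = "(not reported)" if fields[key] is None else fields[key]
        rows.append(f"<tr><th>{html.escape(key)}</th><td>{html.escape(shown)}</td></tr>")
    return "\n".join(rows)


# Constructed request, as a browser would send it after the console fills in
# the template for a device whose name contains markup.
SAMPLE_URL = (
    "https://tools.example.test/lookup"
    "?UID=dev-0001&Name=%3Cb%3EJ%20Brown%3C%2Fb%3E&Tenant=unknown"
)

if __name__ == "__main__":
    print(render_rows(parse_button_request(SAMPLE_URL)))
```

Because the attributes travel in the URL, they also land in browser history and web server access logs on the receiving side.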

Create Custom Device Activity Views

You can select the columns for a custom device activity view. You can define criteria for selecting which subscribers populate your view. You can further define criteria by selecting multiple criteria rows and can group or ungroup the selection.

Log in to the CA MDM Administrator Console, navigate to Device, Activity List, and click Select View. (Optional) To define a new folder for the view, select a target folder and click Add new view within currently opened folder. To add a column and criteria in your view, select fields in Data Field. (Optional) When the view is defined, click the Show as SQL statement link to open the resulting SQL statement. Review the SQL statement or copy it to the Windows clipboard. Click Save.

The view is added to your custom views list.

Remove Device Activity Data for a Subscriber

To clear call logs and other data, remove all CA MDM Device Activity data that is related to one subscriber.

1. Log in to the CA MDM Administrator Console, navigate to Device, Device List.
2. Select a subscriber, and click Delete.

All device activity data that is collected for the subscriber is deleted.

Display Device Location on Map

The location view displays the date and time when the location of the device was last found. This information is based on the local time zone of the browser of the CA MDM Administrator Console. CA MDM displays the last reported location of a device.

1. Log in to the CA MDM Administrator, navigate to Device, Activity List, and click Select View, Location View.
2. To view the device location on the map, select a subscriber, and click Map.

Note: Due to vendor restrictions, device geographic location services are unavailable for CA MDM instances in China, Turkey, Myanmar, and Vietnam.

The Latitude and Longitude columns appear in the Location view in the device activity data view. They show one of the following values:

<longitude> <latitude>
    Specifies the last retrieved approximate longitude and latitude of the device. The longitude and latitude are based on crowd-sourced Wi-Fi hotspot and mobile cell tower locations. The accuracy level varies by device type. For iOS and Android devices, the accuracy that is requested is 1 kilometer (0.62 miles).

Unknown
    Specifies that the location of the device is temporarily unknown.

Disabled
    Defines that the location services are disabled on the device.

Not Collected
    Collection of subscriber location information is disabled on the Device Activity General Settings tab of the CA MDM Administrator Console.

Unsupported
    Defines that the device does not support location services.

Search for Devices

To know the available devices in the CA MDM Server, search for devices across tenants.

1. Log in to the CA MDM Administrator Console, navigate to Device, Search.
2. Select your criteria for the tenant, OS, and field columns.
   Note: You can use literal, or literal plus wildcard, characters to define the string. The search supports the wildcard characters "*" and "?" for multiple characters and single characters, respectively. For example, type br*n to search for devices with names that have a "br" string and then an "n," such as "J Brown" and "LBromein." Leave the search string empty to include all client names.
3. Review the list and continue with operations.
4. (Optional) To restore the list to show all devices, click Device List on the left toolbar.

The list showing all devices is restored.

Approve Devices

Approve the devices that are in an unapproved state so they can be managed with policies on future connections. To discontinue the management, unapprove the devices. To approve devices automatically, configure your server. You can configure the server by navigating to the Server, Configuration, Security page.

1. Log in to the CA MDM Administrator Console, navigate to Device, and select one or more devices.
2. To approve all selected devices for management, click Approve.
3. To unapprove all selected devices for management, click Unapprove.
4. (Optional) For the devices you approve, take an extra action to define management actions, such as:
   - iOS example: Reenroll a device using the same enrollment code. Reenrolling provisions mobile device management (MDM) and applies policies.
   - Non-iOS example: Send a command to run a channel.

Inspect Devices

You can inspect the summary and detail information for a device. Details vary by device type but include data such as hardware inventory, software inventory, and file transfers. You can also view the application package status details for a device. The information on this page is filtered to the details of Android or iOS depending on the device selected.

1. Log in to the CA MDM Administrator, navigate to Device.
2. To inspect a device, click Show/Hide Inspector, and select a device.
   The summary information about the device is displayed.
3. To access the package tracking log, click Package Tracking.
   The Package Tracking page displays a list of device package status details.

Note: You can access the Package Tracking Log from either the Policy list page or the Device list page. The columns are displayed depending on the context.

Edit Device Information

You can edit the device information depending on the device you select. The device information includes the following options:
- Self-Service Portal registered user name of a device.
- Device name
- CA MDM Access Control for the policy.

1. Log in to the CA MDM Administrator, navigate to Device, select a device, and click Edit.
2. Edit data as appropriate, and click Save.

You can edit the device information for the following device types:

Android device
    The device information includes the device name, device ownership type, Self-Service Portal registered user name, and the SMS address.

BlackBerry device
    The device information includes device name, device ownership type, Self-Service Portal registered user name, and the SMS address.

iOS device
    The device information includes the following options:
    - Device name
    - Device ownership type
    - Values for user variables
    - SSP registered user name
    - CA MDM Access Control for policy.

Windows device
    The device information includes device name, device ownership type, Self-Service Portal registered user name, and the IP address.

Windows Phone device
    The device information includes device owner, SSP Registered User, and address.

Device Naming Considerations for Database Specific Value

Database Specific Value is a data column option for device naming when you perform the following tasks:
- Create an enrollment policy for any Windows device.
- Edit a device type.

The syntax for database-specific value is as follows:

    tablename.columnname

Review the following considerations for database-specific value:
- Verify that the table, column, and row exist in the CA MDM database.
- The value is retrieved during each device's initial connection, but always returns the first row of the table.
- Populate the table during the connection time. Consider using techniques such as stored procedures and triggers. These techniques detect a connection and the device's identity, and populate the table accordingly.

Send Message to a Device

Send messages to a group or to each iOS or Android device either by email or a push notification.

1. Log in to the CA MDM Administrator, navigate to Device, and select the Android, iOS, or Windows Phone devices.
2. Click Send Message, and select Email, Push Notification, or both.
   Note: For Windows Phone devices, the send action determines which address to use based on the following criteria:
   - When multiple addresses are configured through a configuration policy, CA MDM uses the first address to send email.
   - When an address is not configured through a configuration policy, the address available in the Device record is used.
   - For a Self-Service Portal user, use the address to register the user while enrolling the device using the portal.
   - If there is no address, a "sent to null" message is displayed in the server log.
   (Push Notification) To send a message to a Windows Phone device, launch the CA MDM application on the device.

3. Enter the subject or message.
   Note: When the CA MDM application is closed, the notification message length on the Windows Phone device is restricted. The restriction is based on the limitations of the device operating system.
4. Click Yes, Continue to send the message.

To verify that the message has been sent, view Server, Server Log.

Move Device to another Tenant

To associate a device's future sessions with a different tenant, move the device. The device's associated data is also moved to the new tenant. You can move a device to a tenant only after creating the groups and policies of that tenant.

1. Log in to the CA MDM Administrator, navigate to Device, and select one or more devices.
2. Click Move to Tenant, and select a tenant.

The device is moved to the specified tenant. The next time that the device connects, it is updated with the new tenant policies.

Note: If you move a Windows Phone device to another tenant uploaded with a different AET, reenroll the device to enable features such as app management, push notification, and location collection.

Modify Device Owner

Set the owner of the device to corporate, personal, or to the default device type setting. Default ownership settings for device types are personal (Android, iOS, Windows Phone) and corporate (BlackBerry, Windows). To apply updates to Android or iOS device records, apply the corporate device ownership setting, or import a corporate device list.

1. Log in to the CA MDM Administrator, navigate to Device, and select a device.
2. Click Modify Device Owner, and select the device for ownership.
3. Click Yes, Continue.

The device record is updated and the new value appears in the device list's Owner column in the device Inspector.

Delete Device or Device Data

Delete the device record and data from the server, or delete only the data from the server.

1. Log in to the CA MDM Administrator, navigate to Device, and select one or more devices.
2. Click Delete, and select All Device Data Below.

The device and all its data are deleted from the server. To keep the device but delete the selected data from the server, select the data from the list.

Perform Security Actions on Devices

You can send a security command to a device to perform security actions such as lock, unlock, delete data, and wipe. Security commands require the appropriate user role. The server sends the command to the device using a communication transport such as SMS, Apple push notification, or Google GCM, as appropriate for the device.

1. Log in to CA MDM Administrator Console, navigate to Device, select a device.
2. Click a security command, such as Lock.

Security Actions for Android Devices

Security commands are used to perform the following security actions on Android devices:
- Delete Device Data
- Apply Administrative Lock
- Lock Device
- Unlock
- Clear Passcode
- Remote Wipe
- Lock KNOX Container
- Unlock KNOX Container
- Remove KNOX Container
- Reset KNOX Container Password

The server sends the command to the device in the following order:
1. Google Cloud Messaging
2. Short Message Service (SMS)

Security Actions for BlackBerry Devices

Security commands are used to delete device data, lock, and unlock BlackBerry devices. The server sends the command to the device through SMS and then SMTP. The delete device data option deletes application data, including CA MDM application and configuration data. Use a BlackBerry Security, Wipe Handheld option. For backup and restoration, use the BlackBerry Desktop Manager.

Security Actions for iOS Devices

Security commands are used to perform the Lock, delete device, Administrator Lock/Unlock, Clear Passcode, Remove Control, and Remote Wipe actions on iOS devices. The server sends the command to the device by Apple push notification.

Security Actions for Windows Phone Device

You can perform the following security actions on Windows Phone devices from the server:
- Remote Wipe deletes or wipes the device from a remote location, all internal storage, and SD card.
- Remove Control removes the device and all its content from CA MDM OMA DM control.

Note: The remote wipe and remove control actions do not occur until the device initiates the connection, as Windows Phone devices do not support outbound connections.

When you disconnect the device from CA MDM Management, the configured Microsoft Exchange account on the device is removed.

Connect Device to Apply Policies

To connect a device immediately to the CA MDM Server and to apply policies, send a notification to a device.

1. Log in to the CA MDM Administrator, navigate to Device, and select a device.
2. To apply policies, click Apply Policies.

The policies are applied to a device. The device connects to the server. If the notification fails due to an unknown or invalid address, you can edit the device. To update the SMS, IP, or SMTP address, edit the device.

Connect Device to Run Channel

To connect a device to the CA MDM Server to request a published channel, send a notification to the device. For the device to run the channel, the channel must be included in one of its session policies.

1. Log in to the CA MDM Administrator Console, navigate to Device, and select a device.
2. Click Run Channel.
3. Select a published channel, and include it in one of the device's session policies.
4. Click Select on the Run Channel toolbar.

Note: If the notification fails due to an unknown or invalid address, edit the device. To update the SMS, IP, or SMTP address, edit the device.

View Group Linked to Device

You can view the groups that are linked to a device.

1. Log in to the CA MDM Administrator Console, navigate to Device, and select one or more devices.
2. To display the filtered linked items, click Show/Hide Link.

The filters for the group panel behave differently depending upon how many devices you have selected.

Link and Manage Static Group to Device

You can manually add a device to a static group and can remove a device from a static group.

1. Log in to the CA MDM Administrator Console, navigate to Device, and select a device.
2. To display the filtered linked items, click Show/Hide Link.
3. Select the static group and click Link.
4. (Optional) To add a group to a device, change the filter to Linked.
   The groups that are linked to the selected device are displayed.
5. (Optional) To remove a group from a device, click Unlinked to show the groups unlinked from the device.

View Policy Linked to Device

View the policies that are linked to a device. Devices are implicitly linked to policies through their common relationship with groups.

Note: Enrollment policy link relationships to groups or devices always appear as blank, and enrollment policies cannot link to groups. Enrollment policies are applied to a device when the device enrolls in management.

1. Log in to the CA MDM Administrator Console, navigate to Device, select one or more devices.
2. To display the filtered link items, click Show/Hide Link.

The filters for the policy panel behave differently depending upon how many groups you have selected.

Import a Corporate Device List

To modify Android or iOS device records and to override the personal ownership setting with corporate ownership, make a bulk update. By default during enrollment, iOS and Android devices are defined as personally owned.

The update process comprises two stages:
- To create device identifying values, import the device list.
- Connect the devices with new hardware inventory reports.

Note: The corporate device list import process ignores values that are redundant and that are already processed in the current list.

1. Log in to the CA MDM Administrator, navigate to Device, click Import Corporate Device List, and click Browse.
2. Navigate to an import file (.CSV) and then select the file.
3. Click Open.

The import file is processed. You return to the Import Corporate Device List dialog with a results message.

To import a corporate device list for corporate device ownership settings, the import file must be of .csv type. The corporate device list file requirements are as follows:
- Import file type must be a comma-separated value.
- File structure:
  - First row, the first field is CorporateDeviceID
  - Extra rows, one per device to update, first field is DeviceIdentifyingField

Corporate Device List Device-Identifying Fields

Android and iOS use different device identifying fields.

For Android, valid fields are:
- From the Device Inspector Summary page, User, Phone number, IMEI (IMSI, MEID), and ClientFriendlyName.
- From the Device Inspector Hardware pages, Phone SIM serial number, WIFI MAC address, PhoneSIMSubscriberID, and Device address.

Note: Hardware inventory item Device, Serial number is not guaranteed to be unique across all Android devices.

For iOS, valid fields are:
- From the Device Inspector Summary page, User, Phone number, IMEI, UDID, and Serial number.
- From the Device Inspector Hardware pages, WIFI MAC address and Bluetooth MAC address.

Corporate Device List File Example Mixed Identifiers

A corporate device list file can use different identifiers in a single file.

Multiple Devices, Mixed Identifiers

Corporate Device List File Example Like Identifiers

A corporate device list file can use different identifiers in a single file.
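The following is an added example, not code from this guide or from CA: a pre-import check for a corporate device list file, using the file structure and identifier fields described above. It verifies the CorporateDeviceID first row, reports rows the import would ignore as redundant, and flags 15-digit values that fail the IMEI check digit, so that a mistyped identifier does not silently leave a corporate device marked as personal. The identifier heuristics, the case-insensitive duplicate test, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

HEADER = "CorporateDeviceID"  # required first field of the first row, per the guide

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
UDID_RE = re.compile(r"[0-9A-Fa-f]{40}")  # assumption: 40-hex-digit iOS UDID


def luhn_ok(digits):
    """Luhn check, as used for the last digit of a 15-digit IMEI."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Best-effort guess at the identifier type (these heuristics are assumptions)."""
    if re.fullmatch(r"[0-9]{15}", value):
        # An IMSI is usually 15 digits too; only an IMEI ends in a Luhn digit.
        return "imei" if luhn_ok(value) else "imsi-or-mistyped-imei"
    if MAC_RE.fullmatch(value):
        return "mac"
    if UDID_RE.fullmatch(value):
        return "udid"
    return "other"  # user, phone number, serial number, friendly name, ...


def lint_device_list(text):
    """Check one corporate device list and return accepted rows, warnings, errors."""
    report = {"accepted": [], "warnings": [], "errors": []}
    # Spreadsheet exports often start with a UTF-8 byte order mark.
    rows = list(csv.reader(io.StringIO(text.lstrip("\ufeff"))))
    if not rows or not rows[0] or rows[0][0].strip() != HEADER:
        report["errors"].append(f"row 1: first field must be {HEADER}")
        return report
    first_seen = {}
    for rowno, row in enumerate(rows[1:], start=2):
        value = row[0].strip() if row else ""
        if not value:
            report["errors"].append(f"row {rowno}: empty device-identifying field")
            continue
        key = value.casefold()  # assumption: duplicates compared case-insensitively
        if key in first_seen:
            report["warnings"].append(
                f"row {rowno}: repeats row {first_seen[key]}; the import ignores redundant values"
            )
            continue
        first_seen[key] = rowno
        kind = classify(value)
        if kind == "imsi-or-mistyped-imei":
            report["warnings"].append(f"row {rowno}: 15 digits but not a valid IMEI check digit")
        report["accepted"].append((rowno, kind, value))
    return report


# Constructed sample: mixed identifiers, one repeated row, one IMEI typo.
SAMPLE = (
    "CorporateDeviceID\n"
    "490154203237518\n"
    "00:1A:2B:3C:4D:5E\n"
    "490154203237518\n"
    "490154203237519\n"
    "jbrown\n"
)

if __name__ == "__main__":
    result = lint_device_list(SAMPLE)
    for section in ("errors", "warnings", "accepted"):
        for item in result[section]:
            print(section, item)
```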

Multiple Devices, Like Identifiers

Device Activity Views

The CA MDM Device Activity views display subsets of device activity data that are stored in your database tables. Available data views include the following system-defined views:
- The Subscribers view displays the list of all the subscribers that are connected to the CA MDM Server. The list of subscribers is displayed only after device activity is enabled.
- The Roaming subscribers view displays the list of all the subscribers whose last known state was roaming.
- The Exceed Threshold summary views display the list of all the subscribers who have exceeded user-defined thresholds for at least one activity within an accounting period.
- The Activity summary views show aggregate values for data, call, and message activities for each subscriber within an accounting period.
- The Activity thresholds views compare the aggregate values for data, call, and message activities to user-defined thresholds.
- The Location view shows the last determined latitude and longitude of the devices that are enrolled in device activity.
  Note: Due to vendor restrictions, device geographic location services are not available for instances of CA MDM in the following countries:
  - China
  - Turkey
  - Myanmar
  - Vietnam

- The Network info view shows worldwide cellular networks.
- The Activity Details view for each Subscriber shows call, data, and message activities for individual subscribers.
- Custom views display the custom views that you create with a view editor.

When applicable, the device activity list aggregates and displays data based on current and previous accounting periods. Each accounting period is for one month. To match the billing cycle of your cellular provider, change the period start date in the month, as defined on the Data Views page. The device activity monitors a date and time that appears in UTC.

Prepare and Manage Device Activity Collection

Contents
- Prepare Devices for Activity Collection
- Device Activity Collection Considerations
- Device Activity Collection Frequency
- Start Device Activity Collection
- Stop Device Activity Collection
- Reprompt for Device Activity Enrollment
- Configure General Device Activity Settings
- Configure Device Activity Settings for Roaming
- Configure Device Activity Settings for Data Views
- Enable Device Activity Cleanup
- Customize Device Activity Cleanup Schedule

Configure the CA MDM Device Activity settings on CA MDM Server and prepare the devices that support device activity. To configure device activity settings on a tenant-by-tenant basis, use CA MDM Administrator.

Prepare Devices for Activity Collection

Prepare a device for activity collection by installing the CA MDM application and enabling Location Services. Preparing the device varies by device type.

1. Install the CA MDM application on the device and enroll in CA MDM.

2. During the application installation, authorize and enable Location Services.

On iOS devices, for device activity to be able to monitor activities, the CA MDM application must run. Enabling Location Services for CA MDM keeps the CA MDM application continuously running in the background.

Device Activity Collection Considerations

CA MDM Device Activity data collection allows you to collect various types of data from enrolled devices. Use that data for monitoring and reporting purposes.

Note: Device activity data collection is disabled by default.

Starting data collection:
- If user authorization is required, device activity data collection begins after the user accepts device activity enrollment. The user response is sent back to the CA MDM Server. This response appears in the Opt-in column of the Subscribers view.
- If user authorization is not required, device activity data collection begins after you enable the device activity collection. Restart the CA MDM Server service and then the device connects to the server.

If the device changes the tenant, the device retains its device activity collection preference. When you move the device to a tenant, the device activity collection begins without user notification.

Device activity data is associated with a subscriber. If a device has a SIM, the SIM IMSI or ICCID identifies the subscriber. Device activity data moves with the SIM from device to device.

On iOS devices, device activity data collection stops automatically if the user turns off location services for more than 10 minutes.

Device Activity Collection Frequency

Data collection frequency settings indicate when CA MDM collects device activity data from enrolled devices. The frequency of data collection varies by device type.
- For iOS devices, CA MDM collects device activity data once a day between 2:00 a.m. and 3:00 a.m. (client local time).
- For Android devices, CA MDM collects device activity data at the frequency that is based on the schedule settings. The schedule settings are defined in the configuration policy.
- For BlackBerry devices, CA MDM collects device activity data when:
  - The user opens the CA MDM application on the device and successfully establishes a connection to the server.

  - The administrator sends an outbound notification to the applicable devices.
- For Windows Phone devices, a background service is enabled for the CA MDM application. The service runs along with other scheduled operating system tasks and collects device activity data. This background task runs approximately every 20 minutes and sends the device coordinates to the CA MDM Server.

Start Device Activity Collection

Start collecting CA MDM Device Activity from devices.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Device Activity.
2. To start device activity collection, select Enable Activity Collection on the General Settings tab.
   If you select Prompt Subscriber for Activity Enrollment, data collection begins at the time the user accepts enrollment.
3. Click Save, Restart Server.

After you restart the server, CA MDM collects device activity data when the device connects to the server.

Stop Device Activity Collection

Stop collecting CA MDM Device Activity from various devices.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Device Activity.
2. To stop device activity collection, unselect Enable Activity Collection on the General Settings tab.
3. Click Save, Restart Server.

After you restart the server, device activity data collection stops for each device connecting to the server.

Reprompt for Device Activity Enrollment

Reprompt the users and resend the CA MDM Device Activity enrollment notifications to the users who accepted or declined enrollment.

Prerequisites

Before you set up the reprompt, ensure that Prompt Subscriber for Activity Enrollment is selected on the Device Activity General Settings.

1. Log in to CA MDM Administrator Console, navigate to Device, Activity List, and click Select View.
2. Select the Subscribers view.
3. Select a subscriber and click Reprompt to resend the notification.

The Opt In column in the Subscribers view indicates the users who accepted or declined enrollment. Based on the settings on the Device Activity General Settings page, the user receives either the default enrollment notification or the custom notification.

Configure General Device Activity Settings

Enable and configure the CA MDM Device Activity data collection by configuring CA MDM Administrator. Restart the CA MDM Server service only after you configure device activity settings, and initiate the device activity data collection.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Device Activity.
2. Select Enable Activity Collection on the General Settings tab.
   If you do not want to start the data collection at the next service restart, unselect Enable Activity Collection.
3. (Optional) Select the required Collection Settings that are based on your requirement.

The general device settings are configured.

Configure Device Activity Settings for Roaming

Configure the CA MDM Device Activity so that the users get notified that their devices are in international roaming state.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Device Activity.
2. Select Enable Activity Collection on the General Settings tab.

   If device activity is enabled, a notification appears on the device every time the device enters international roaming.
3. Enter the required values in the Roaming Settings tab.

The device activity settings for roaming are configured.

Configure Device Activity Settings for Data Views

Customize how CA MDM Device Activity data appears in Data Views. Customize the data views that appear in the CA MDM Device Activity. CA MDM is highly customizable and allows you to model data views on your enterprise mobility plan.

1. Log in to CA MDM Administrator, navigate to Server, Configuration, Component, Device Activity, and select the Data Views tab.
2. Set the values for the Accounting Period area, Threshold area, and Roaming Network area.
3. Save the changes.

Example: Enterprise mobile plan with prepaid activities for each subscriber each accounting period

Your enterprise mobile plan includes the following prepaid activities, for each accounting period and for each subscriber:

Local network:
- MB for data
- 700 outgoing messages
- Unlimited outgoing local calls
- Unlimited incoming calls and messages

Roaming:
- 400 MB for data
- 500 messages (both outgoing and incoming)
- 300 minutes for calls (both outgoing and incoming)

Set the threshold field for each activity accordingly.

For example, enter 700 in the Number of Outgoing Messages field and 0 in the Total Outgoing Calls field in the Local Network. Incoming calls and messages in the local network are unlimited prepaid activities. As a result, do not set thresholds for those activities.

The Roaming Network views show the percentage of the prepaid activities for each subscriber during the current or previous accounting period. To flag a subscriber who exceeds the prepaid activities, set 95 as the percentage value for each activity. The Exceed Threshold Summary view lists all subscribers who have exceeded 95 percent for any of the prepaid activities. A subscriber who exceeded the percentage threshold for one kind of activity continues to appear in the Exceed Threshold Summary view.

The Activity threshold views show the percentage of the prepaid activities that each subscriber has carried on during either the current or previous accounting period. For example, if a subscriber sent 350 messages while in the local network, the Msg Out percent column of the Message Threshold Summary view shows 50 percent.

Enable Device Activity Cleanup

To remove CA MDM Device Activity data from your system, enable device activity cleanup.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Device Activity, and select the Cleanup Settings tab.
2. Select Enable Activity Cleanup and enter the value for Cleanup Settings.

When device activity cleanup is enabled, CA MDM automatically removes old device activity data. The old device activity data is removed at the time of the default schedule, which occurs every midnight. The device activity data is also removed at the time you specify in the custom device activity cleanup schedule.

Customize Device Activity Cleanup Schedule

Customize the date and time at which the CA MDM Server deletes old Device Activity data. The device activity cleanup schedule applies to all tenants with device activity cleanup enabled.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Server, Schedule.
2. To edit a schedule, click the Edit connection rule.
3. Specify your schedule settings.
4. Click Save.

When Activity Cleanup is enabled, CA MDM removes old device activity data at the time and frequency you set in your schedule.

Groups

A group is a collection of devices. To manage all devices in a group, link a group to a policy. In the CA MDM Administrator, the Group page is the landing page for group-focused tasks.

Manage Groups

Contents
View Group List
Create Static Group
Link and Unlink a Static Group
Create Dynamic Group
Create User Group
Create Composite Group
Edit or Delete a Group
Inspect Group
Connect Device of a Group to Apply Policies
Connect Devices of a Group to Run a Channel
Link and Manage Policy to Groups
Export Group

Several group types are available to manage your portfolio of devices. Within CA MDM, devices and policies are linked to groups. Group association establishes security and governance of a device.

The following four types of groups are available:

Static
Includes devices that you select manually. Membership changes at the following points:
- When you add a device to the group.
- When you delete a device from the group or from CA MDM.

Dynamic
Includes the devices that are included in a device view. Membership changes automatically based on changes to the results of the view.

User
Includes the devices that are associated with users included in a user group. The user group includes the Windows users groups of the CA MDM Server, LDAP groups, or NT domain groups. The device members change as the user group membership changes. Membership changes automatically based on changes to the selected groups.

Composite
Includes one or more CA MDM groups.

View Group List

To view the group summary information, view the group list. The group information includes the size of the group and when a device from the group last connected. The group list includes a predefined group that includes all devices. The group size for a composite group is the number of groups it contains. The group size for all other group types is the number of devices.

1. Log in to the CA MDM Administrator Console, navigate to Group, and review the group list.
   Note: The default view is unfiltered; it includes all groups and spans multiple pages.
2. (Optional) Click the title of any column to sort by that column.

The group summary is displayed.

Create Static Group

To add a group in the CA MDM Server, create an empty static group. To populate the group, use the Link panel to add devices manually.

1. Log in to the CA MDM Administrator Console, navigate to Group, New, Static.
2. Fill in the details, and click Save.

An empty group is created. To populate the group, use the Link panel to link devices to the static group.

Link and Unlink a Static Group

Add a device to or remove a device from a static group. As group size changes, the sort order also changes. When you link and unlink devices and policies, ensure that the correct group is selected.

1. Log in to the CA MDM Administrator Console, navigate to Group.
2. To add devices to a static group, perform the following steps:
   a. Select a static group, click Show/Hide Link.
      Note: By default, the Link panel is filtered to show linked items.
   b. To display the list of unlinked groups, change the filter to Unlinked.
   c. Select the devices, and click Link.
   d. To display the linked devices to a group, change the filter to Linked.
3. To delete a device from a static group, perform the following steps:
   a. Select a static group, and click Delete.
   b. To display the list of linked groups, change the filter to Linked.
   c. To remove the devices from a group, click Unlink.

The devices are added to or removed from the static group.

Create Dynamic Group

To include the devices of a device view, create a dynamic group. The membership of a dynamic group updates automatically based on changes to the device view. To define the device view in the Device page, click Select View.

1. Log in to the CA MDM Administrator Console, navigate to Group, New, Dynamic.
2. Fill in the details, and select the view.
3. Click Save.

Note: The list of devices in a dynamic group refreshes automatically, based on the server schedules. These schedules are enabled in the system.

Create User Group

Create a user group that includes devices that are associated with users. The user group includes the following groups:

- Windows users groups of CA MDM Server

- The Active Directory groups
- The LDAP groups
- NT domain groups

Prerequisites

To create user group assignments for iOS, enable authentication on the Enrollment server and Package server. Self-Service Portal authentication can be used for user group assignments for iOS 7 devices.

Note: If you change settings in the LDAP or the Active Directory, the user group definitions do not work as expected.

1. Log in to the CA MDM Administrator Console, navigate to Group, New, User.
2. Fill in the details, and select groups from the group list.
3. Click Add selected group.
   The LDAP-based user group allows both Organizational Unit (OU) level and groups to be assigned. The Active Directory user group only allows groups to be assigned.
   Note: If "Support OU membership" is selected in the Security page and an OU is expanded, the following error message is displayed:
   Unknown error that is returned from LDAP request
   Reset the option to "Support OU and group membership" in the Security page.
   To filter the LDAP groups by group and common name, use the filter syntax ( cn=group)(cn=commonname).
4. Click Save.

Create Composite Group

Create one or more composite groups, which let you manage various types of groups as a single entity.

1. Log in to the CA MDM Administrator Console, navigate to Group, New, Composite.
2. Fill in the details, select the groups from the available groups list, and click Add selected group.
   The groups that you select are added to the linked groups list.
3. Click Save.

Edit or Delete a Group

Edit or delete the group information, such as the name, note, and definition.

1. Log in to the CA MDM Administrator Console, navigate to Group.
2. To edit a group, select a group and click Edit.
3. To delete a group, select a group and click Delete.

Note: To change the device membership for a static group, link and unlink devices from the Link panel.

Inspect Group

Inspect the contents of a group, such as the groups that make up a composite group. The information varies by group type. You can view the device membership for a static group by clicking Show/Hide Link.

1. Log in to the CA MDM Administrator Console, navigate to Group, select a group.
2. Click Show/Hide Inspector.

The group information is displayed.

Connect Device of a Group to Apply Policies

To manage all the devices in a group, apply policies. You can apply the policies to devices immediately, rather than waiting for a manual or scheduled connection.

1. Log in to the CA MDM Administrator Console, navigate to Group and select groups.
2. To apply policies, click Apply Policy.

The policies are applied to the devices of the group.

Connect Devices of a Group to Run a Channel

Run session policies for devices in a group that has a linked session policy.

1. Log in to the CA MDM Administrator Console, navigate to Group, and select groups.
2. Click Run Channel.

The devices of the group are connected to run on a channel.

Link and Manage Policy to Groups

To manage all devices in a group, link a policy to the group. All devices in the group receive the policy when they connect.

Enrollment policy link relationships to groups or devices always appear as blank and cannot link to groups. The enrollment policies are applied to a device only when the device enrolls in the management.

As group size changes, the sort order of that group changes. When you link and unlink devices and policies, ensure that the correct group is selected. The Link panel list spans multiple pages, toolbar actions, such as a link or unlink.

1. Log in to the CA MDM Administrator Console, navigate to Group, select a group.
2. To link policies to a group, perform the following actions:
   a. Click Show/Hide Link.
   b. By default, the Link panel is filtered to show linked items. To display the list of policies that are not linked to this group, change the filter to Unlinked.
   c. To add the selected group, click Link.
3. To remove policies from a group, perform the following actions:
   a. Click Show/Hide Link.
   b. Select the policies, and click Unlink.

The page refreshes with the policies removed from the list.

Export Group

Export the group list in its current state with any filters or sort applied. You can export to Excel, Word, and CSV.

Log in to the CA MDM Administrator, navigate to Group, Export View.

Select Content and the Format type. Click OK. The group is exported in the required format.

Policies

To enroll and manage devices, use policies. In the CA MDM Administrator, the Policy page is the landing page for policy-focused tasks.

Policies let you perform the following tasks:
- Provision and enroll devices in management
- Define device settings
- Secure devices and data
- Collect inventory
- Distribute software
- Collect device activity data

The different types of policies allow you to enroll and manage different applications, devices, and channels.

Manage Policies
Manage Application Policies
Manage Configuration Policies
Manage Enrollment Policies
Protect Enrollment Policies
Configure Session Policies
Customize App Store Application

Manage Policies

Contents
View the Policy List
Edit or Delete a Policy
Substitution Variables in Policies
Add Substitution Variables
  Substitution Variables in the Device Editor
  Device Configuration Policies
  Application Policies

System Substitution Variables
Directory Substitution Variables
User-Defined Substitution Variables
Define End-User Prompts in Enrollment Policies
Validation Rules for Substitution Variables
Inspect Policy
Publish and Unpublish Policies
View the Groups Linked to a Policy
View the Device Links of a Policy
Link a Group to a Policy
Export a Policy View

To enroll and manage devices, use policies. The following types of policies are available in CA MDM:

Application
Manages the applications for iOS and Android devices.

Configuration
Defines the device settings and options, and collects device inventory and device activity expense management data.

Enrollment
Enrolls and provisions devices that are assigned configuration policies. Assigning configuration policies enforces security parameters and can deploy and manage enterprise applications.

Session
Selects the channels for devices to run. Channels include scripted events and logic to perform tasks on the devices, such as file transfers and registry updates.

View the Policy List

View policy summary information, such as operating system and type. The policy page is sorted by Name by default.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and review the policy list.
   The default view is unfiltered; it includes all policies and spans multiple pages.
2. (Optional) Click the title of any column to sort by that column.

Edit or Delete a Policy

You can edit or delete the policy information, such as name, note, and published state.

1. Log in to the CA MDM Administrator Console, navigate to Policy, select a policy.
2. To edit a policy, select a policy and click Edit.
3. To delete a policy, select a policy and click Delete.

The policy information is edited or deleted based on your requirement.

Substitution Variables in Policies

CA MDM allows you to use system, directory, and user-defined substitution variables in application and configuration policies. Variables are global for the current tenant. The values that you define for variables are valid for the current device.

Substitution Variables and Multi-tenancy

Review the following considerations for substitution variable ownership and management in a multi-tenancy environment:

- The system variables are global for all tenants.
- A tenant defines user-defined variables that are visible only to that tenant.
- If a tenant defines the variable of a system tenant, the system tenant takes ownership of the variable. The variable is available to all tenants.
- If the system tenant deletes the variable, the variable is restored to the originating tenant. That variable is deleted from all other tenants.
- The system tenant defines the tenants that cannot create user-defined variables.
- Only the system tenant can delete its user-defined variables.
- Moving a device from one tenant to another displays its variables and associated values only in the target tenant.

Add Substitution Variables

Add directory or user-defined variables from the device editor or from a text field in an application or configuration policy. You can also delete directory or user-defined variables.

Substitution Variables in the Device Editor

Edit the value of system variables and create user-defined and directory variables for a specific device.

1. Log in to the CA MDM Administrator, navigate to Device, and select an Android or iOS device.
   Note: You can change the value of the system variables displayed on this page but not the variables themselves.
2. To display summary information about the device, click Edit.
3. To define user-defined or new directory values, click Add in the Substitution field.
4. Select the DIR or the USR type. Define the Variable name for directory variables, and the Variable name and Value for user-defined variables.
5. Click Insert, and Save.

The directory values are updated from Active Directory. All variables are updated to a device through a policy, when the scheduled policy runs and devices are connected.

Note: If two invalid columns are saved simultaneously for the user-defined variables, any one column gets saved.

Device Configuration Policies

Create new or use existing substitution variables in your device configuration policy for iOS or Android.

1. Log in to the CA MDM Administrator Console, navigate to Device.
2. Select an iOS or Android enterprise or market configuration policy.
3. Click the Substitution link.
   Example: To use a variable as a substitute for a literal value in an iOS configuration policy, add the variable SalesTeam. Define the value in the CA MDM iOS device record as NWSales and insert the variable reference into your policy as SalesTeam
4. Select USR or DIR.
5. To add the variables, click Add.
6. Click Insert, and Save.

The policy is pushed to the device when the policy schedule runs and devices are connected.

Application Policies

Create new or select existing substitution variables for specific fields in your iOS or Android application policies.

1. Log in to the CA MDM Administrator Console, navigate to Device.
2. Select an iOS or Android enterprise or market application policy.
3. Select Configuration.
4. To import a substitution variable text file or create a variable, click Edit.
5. Enter the variable or click the Substitution link.
   Variable syntax: %U.SampleHere%.
   For example, to create a substitution variable for an domain:
   a. Enter the domain in the device definition table. For example, my company.com.
   b. Insert the variable reference in the policy as %U.ExchangeDomain%.
6. Click Insert, and save your variables and policy.

The policy is pushed to the device when the policy schedule runs and devices are connected.

System Substitution Variables

The system variables are defined in the CA MDM environment. You can update the value of a system-defined variable but cannot change the variable itself. The system variables are used in application or configuration policies. For the system tenant variables, values are updated automatically when a device is enrolled.

Note: Android does not collect inventory on every connection due to enterprise privacy concerns.

The following system variables (SYS) are predefined in CA MDM for iOS and Android:

1. NotificationAddress (iOS only)
2. EUSSPUser
3. EUSSPDomain

4. UserName
5. CA MDMDeviceID (iOS only)
6. ExchangeDomain (for Exchange and the Domino environments)
7. ExchangeUser (for Exchange and the Domino environments)
8. ExchangeID (for Exchange and the Domino environments, concatenation of the Domain and User ID)
9. ExchangePassword (for Exchange and the Domino environments)

Note: Android also collects values from user prompts and user-defined variables.

Review the following values for iOS devices: IMEI ICCID UDID SerialNumber Product Version

Directory Substitution Variables

The directory substitution variable remains blank until it is updated automatically from the Active Directory mapping when the device connects. The directory variable name that you define in CA MDM must match the attribute name on the user object. The user object maps the directory variable in Active Directory. Directory variables defined in the system tenant are automatically shared across tenants.

Notes:
- If a user name is not provided or available, the directory values are not updated or resolved. For new devices, the values are blank, and for existing devices the values are removed.
- The directory variables are case-sensitive. If the variable name is incorrect, directory values cannot be retrieved, updated, or resolved successfully.
- Binary or octet data types are not supported for retrieval of directory variable values.

- Date format attributes retrieved from LDAP-based directories are converted or captured in the CA MDM database as integers. For Active Directory, the date format is retained.

User-Defined Substitution Variables

Define your custom substitution variables on iOS devices. Populate the user-defined variables with values specific to your organization. You can create user-defined variables from an application policy, a configuration policy, or the Device editor.

You can create a user-defined variable and set a user prompt for the enrollment. The values the user enters are returned to CA MDM during the enrollment, populating the substitution variables with actual values.

Do not use commas in the substitution variable syntax for an Exchange account policy.

To view the substitution variables that are applied to the device, inspect the device. The fields are displayed in the Device Inspector only after the device connects to the CA MDM Server. The device connects to the CA MDM Server through the enrollment process.

Define End-User Prompts in Enrollment Policies

To allow users to provide values that populate substitution values in CA MDM, define end-user prompts. The end-user prompts are displayed on the device.

Prerequisites

Create or select a user-defined substitution variable in a configuration or application policy or in the Device editor.

1. Log in to the CA MDM Administrator Console, navigate to Policy, Enrollment.
2. Select either an Android or iOS enrollment policy.
3. Select Variable, or the applicable substitution variable, or create one.
4. Type a message in the Device Prompt field.
5. To select an Entry Mask, select Yes or No.
6. Click Save.

The user is prompted to enter the values on their device during the enrollment process.

Validation Rules for Substitution Variables

The following rules and behavior apply when you add or delete substitution variables:

- From the Policy or Device list page, iOS or Android substitution variables are added even if the policy or the device is not saved.
- From the Policy or Device list page, you must have edit policy or edit device rights to add user-defined or directory variables.

Review the following name restrictions for substitution variables:

- The length must be greater than zero and less than or equal to 80.
- A name with a period as its second character is not allowed, because that form is used by the predefined variables. For example, system (S.), user (U.), directory (D.).
- The name must not contain XML entities or whitespace characters. For example, {["&'<>\s].
- If a nonsystem tenant has a variable of the same name, both variable definitions continue to exist in the database. In the variable list, the nonsystem tenant lists only the system tenant variable.
- For a nonsystem tenant, a new user-defined or directory variable name must be unique for that tenant.
- If the substitution variable is deleted but the reference is still in the policy, the policy field returns the literal string.

Inspect Policy

Inspect the contents of a policy, such as enrollment codes and supporting settings. Identify all applications available to devices and view package status. The information on this page displays Android or iOS details depending on the selected device. If an Android device is selected, the Status by MDM column is not displayed.

Note: You can access the Package Tracking Log from either the Policy list page or the Device list page. The columns are displayed depending on the context.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and select a policy.
2. Click Show/Hide Inspector.
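The name restrictions under Validation Rules for Substitution Variables, together with the note that a deleted variable leaves its reference in the policy as a literal string, can be checked before a policy is published. The following is an added example, not CA MDM code: it assumes references for system and directory variables use the same %X.Name% form the guide shows for %U.SampleHere%, and the policy field names and sample values are constructed.

```python
import re

MAX_NAME_LEN = 80
# Characters the guide forbids in names: XML-special characters and whitespace.
FORBIDDEN_CHARS = re.compile(r"[\"&'<>\s]")
# Reference form from the guide: %U.ExchangeDomain%.
# Assumption: S (system) and D (directory) references follow the same pattern.
REFERENCE = re.compile(r"%([SUD])\.([^%\s]+)%")


def validate_name(name):
    """Return the list of rule violations for a variable name (empty = valid)."""
    problems = []
    if not 0 < len(name) <= MAX_NAME_LEN:
        problems.append("length must be between 1 and 80")
    if len(name) >= 2 and name[1] == ".":
        problems.append("period as second character collides with S./U./D. prefixes")
    if FORBIDDEN_CHARS.search(name):
        problems.append("contains an XML-special or whitespace character")
    return problems


def resolve(text, variables):
    """Substitute references in text.

    variables maps (type, name) to a value. Lookup is case-sensitive, as the
    guide states for directory variables. A reference with no definition is
    left in place as literal text, which is the behavior the guide describes
    for deleted variables, and is also returned in the unresolved list.
    """
    unresolved = []

    def substitute(match):
        key = (match.group(1), match.group(2))
        if key in variables:
            return variables[key]
        unresolved.append(match.group(0))
        return match.group(0)

    return REFERENCE.sub(substitute, text), unresolved


def audit_policy(fields, variables):
    """Return (field, reference) pairs that would reach a device unresolved."""
    findings = []
    for field, text in fields.items():
        _, unresolved = resolve(text, variables)
        findings.extend((field, ref) for ref in unresolved)
    return findings


# Constructed sample data; the field names are hypothetical.
SAMPLE_VARIABLES = {
    ("U", "ExchangeDomain"): "example.com",
    ("S", "UserName"): "jdoe",
}
SAMPLE_POLICY = {
    "EmailAddress": "%S.UserName%@%U.ExchangeDomain%",
    "Host": "mail.%U.ExchangeDomain%",
    "Team": "%U.SalesTeam%",  # variable deleted, reference left behind
}

if __name__ == "__main__":
    for candidate in ("ExchangeDomain", "U.Team", "Sales Team", ""):
        print(repr(candidate), validate_name(candidate) or "ok")
    for field, ref in audit_policy(SAMPLE_POLICY, SAMPLE_VARIABLES):
        print(f"{field}: dangling reference {ref}")
```

A dangling reference matters most in account payloads, where the device would otherwise be configured with the placeholder text instead of a real domain or user name.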

The information about a policy is displayed. To view the package status of a policy, click Package Tracking in the Inspect toolbar.

Publish and Unpublish Policies

To put policies into effect, publish them. To take policies out of effect, unpublish them. The enrollment policies are always in a published state. Instead of unpublishing an enrollment policy, you can edit the policy and disable or delete its enrollment codes.

To publish or unpublish the selected policies, navigate to the Policy page in the CA MDM Administrator Console.

View the Groups Linked to a Policy

View the groups that are linked to a policy. Enrollment policy link relationships to groups or devices always appear as blank and cannot link to groups. The enrollment policies are applied to a device only when the device enrolls in the management.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and select the policies.
2. To display the link panel, click Show/Hide Link.

By default, the Link panel is filtered to show linked items. The filters for the groups panel behave differently depending upon the policies you select.

View the Device Links of a Policy

View the devices that are linked to a policy. Devices are indirectly linked to policies through their membership in a group. You can link a device to a group, and you can link a group to a policy.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and select the policies.
2. Click Show/Hide Link.

By default, the Link panel is filtered to show linked items. The filters for the device panel behave differently depending upon how many policies you have selected.

Link a Group to a Policy

To manage the devices of a group with a policy, link the group to the policy. To discontinue managing the devices of a group, remove the group from the policy.

Enrollment policy link relationships to groups or devices always appear as blank and cannot link to groups. The enrollment policies are applied to a device only when the device enrolls in the management.

As group size changes, the sort order changes for that group. When you link and unlink devices and policies, ensure that you have the correct group selected.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and select the policies.
2. Click Show/Hide Link on the left toolbar.
   Note: By default, the Link panel is filtered to show linked items.
3. Change the filter to Unlinked to display the groups that are not linked to the policy.
4. To add groups to the policies, click Link. To remove groups from the policies, click Unlink.

Export a Policy View

Export the policy list in its current state with any filters or sort applied. You can export a policy to Excel, Word, and CSV.

1. Log in to the CA MDM Administrator Console, navigate to Policy, Export View.
2. Select Content and the Format type.
3. Click OK.
   Note: The Telerik controls in CA MDM use Excel 2003 format to export data. If you open or export a file on a computer with Excel 2007 installed, then the following message is displayed:
   "The file you are trying to open, [Filename].xls, is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?"
4. To view the exported data, click Yes.

The policy is exported to the desired format.

Manage Application Policies

Contents
Manage App Store Application Policies for iOS Devices
  Prepare iOS Devices for Application Management
  Prepare iOS App Store Application Management
  Create an Application Policy for iOS App Store Apps
  Deploy iOS App Store Apps
Manage Enterprise Application Policies for iOS Devices
  Prepare iOS Devices for Application Management
  Prepare iOS Enterprise Application Management for Required Applications
  Prepare iOS Enterprise Application Management for Optional Applications
  Create an Application Policy for iOS Enterprise Applications
  Deploy iOS Enterprise Applications
  Disable an iOS Enterprise Application on a Device
Volume Purchase Program Licensed Application Policies for iOS Devices
  Volume Purchase Program License Management
  Prepare for Distribution of VPP Apps
  Create a Volume Purchase Program Licensed App Policy
  Deploy VPP Apps on the Device
  View License Details and User Status for VPP App Policies
  Revoke License for VPP Apps
  Retire the VPP User
Manage Google Play Application Policies for Android Devices
  Prepare Android Devices for Application Management
  Prepare Android Google Play Application Management
  Create an Application Policy for Android Google Play Apps
  Deploy Android Google Play Apps

Manage Enterprise Application Policies for Android Devices
  Prepare Android Devices for Application Management
  Prepare Android Enterprise Application Management
  Create an Application Policy for Android Enterprise Applications
  Deploy Android Enterprise Applications
  Remove an Android Required Enterprise Application from a Device
App Store Application Policies for Windows Phone Devices
  Prepare for Windows Store Application Management
  Create an Application Policy for Windows Phone App Store Applications
  Deploy Windows Store Application
Enterprise Application Policies for Windows Phone Devices
  Work with Windows Phone Enterprise Applications
  Upload the Application Enrollment Token and Signed CA MDM Application
  Prepare for Windows Phone Enterprise Application Management
  Create an Application Policy for Windows Phone Enterprise Applications
  Deploy Windows Phone Enterprise Applications

The application policies define commercial and enterprise application packages for iOS and Android devices. The policies determine which applications are available for devices to browse and install.

Manage App Store Application Policies for iOS Devices

iOS App Store application policies define the Apple App Store applications. These applications are available for installing from the CA MDM application app list. The commercial applications are delivered from the Apple App Store.

Application package content includes:
- Identifying information for the application
- (Optional) Information for Apple redemption codes
- (The application onboarding) File or data for the application onboarding data provisioning

Prepare iOS Devices for Application Management

To prepare devices for application management, enroll iOS devices in the management before deploying the applications.

Prepare iOS App Store Application Management

For each applicable App Store application, collect the required application information.

Locate and record the app number and country code using a web browser. For example, Backflip Studios developed Paper Toss application with the app store number , and the country code is US. The app store number and country code are extracted from the URL "itunes.apple.com/us/app/paper-toss/id ?mt=8".

Create an Application Policy for iOS App Store Apps

Create a policy for an application from the Apple App Store.

Prerequisites
- Record the App Store number and country code of the application.
- The device user must have an iTunes account. App Store user agreements and costs are independent of CA MDM operations.

Task

1. Log in to CA MDM Administrator Console, and navigate to Policy, New, Application, iOS App Store.
2. Enter policy details on the Summary page.
   You can specify duplicate policy names across tenants and within a tenant for all policy types. Connecting devices receive only published policies.
3. Enter the application information on the General page.
   Notes:
   - Deploy using MDM protocol pushes the application policy to the device when the MDM commands are processed. The MDM protocol option is not compatible with an iOS Configuration policy with a restriction payload. This restriction payload disables the Apple App Store.
   - If the Application ID field is left blank and the App Store package is deployed using the MDM protocol, it is automatically populated with the application identifier during the MDM process.
   - To display the package tracking results correctly, enter the application ID exactly as the identifier appears in the application.

   - The package server serves an application policy with the Application ID to the connecting devices.
4. (Optional) Select or add the category to be associated with the policy on the Categories page.
5. (Optional) Select Yes or No to indicate whether the selected category is a featured category.
6. (Optional) Click Browse and select the image file (.JPG or .png) and enter any additional note.
   Note: The file name can be at most 258 characters long, and the image can be at most 1 MB. For an easy download and to minimize data traffic, use smaller image files of up to 100 KB. The recommended resolution for the category image on an iOS device is up to 1448 x 1422 pixels. The category image is scaled to the required resolution, without changing the aspect ratio, and is then cropped.
7. (Optional) In the Available Categories list, select a category and click Edit, Delete, Inspect Image or Clear Image.
   If a category attached to another policy is deleted, the category from the referring policy is deleted. If you click Inspect Image, the image opens in the Server, Category Image File window.
8. In the Pre-defined Categories list, select a category and click Edit, Inspect Image or Clear Image.
   If you click Clear Image, the image associated with the Pre-defined Category is removed.
9. (Optional) Enter the application description on the Description Detail page.
10. (Optional) Add a redemption code purchase order spreadsheet as received from Apple on the Redemption Codes page.
    Users require the redemption codes for apps with a charge that are deployed through MDM.

After the user enrolls in device management and application policies are created, applications are deployed to devices in the following ways:
- The user browses the App Store list and installs the application.
- If MDM controls the devices during the enrollment phase and the device connectivity is established, applications are installed immediately.

The application policy is created for iOS App Store Apps.

Deploy iOS App Store Apps

Deploy iOS applications in either of the following ways:
- Deploy the application policy to a device automatically using the MDM protocol option.
- Allow the user to browse the app list on their device and install the application.

Prerequisites
- The device user must have an iTunes account with Apple. App Store user agreements and costs are independent of CA MDM operations.
- To prepare for an iOS App Store application, create the application policy and configure it. The created and configured policy is used with the MDM protocol option.

Notes:
- As Apple supports this feature through their MDM protocol in iOS 5.x devices, users can install applications only on iOS 5.x devices.
- The MDM protocol option is not compatible with an iOS Configuration policy with a Restriction payload. This payload disables the Apple App Store.

Task

Users open the CA MDM application, and enroll or reenroll in the device management. The device connects to CA MDM.
- If a policy is defined using the MDM protocol with the Install Required option, a prompt to install each application appears on the device. A user can postpone installation, but cannot cancel it.
- If a policy is defined using the MDM protocol with the Install Optional option, the application appears in the app list for installation.

Manage Enterprise Application Policies for iOS Devices

iOS enterprise application policies define the enterprise-signed applications that are available for devices to install. The developing entity produces the enterprise-signed applications, which are delivered from the CA MDM package server.

The application packages include:
- Identifying information for the application
- Defined MDM protocol
- (Application onboarding) File or data for the application onboarding data provisioning

The preparation and deployment process differs based on whether the application is defined as required or optional in the application policy:

Required
For deployment, the application is installed automatically from the CA MDM application, without browsing a list of applications. The deployment process includes:
- Compile the application.
- Deploy its provisioning file in a configuration policy.
- Create an application policy.

Optional
For deployment, users must use the CA MDM Self-Service Portal for device management to browse and install applications. Deployment process includes:
Compile the application.
Deploy its provisioning file in a configuration policy.
Create an application policy.

Prepare iOS Devices for Application Management
To define the appropriate group for the application policy, create an enrollment policy. Install, reinstall, or verify an instance of CA MDM Self-Service Portal that is configured for the enrollment policy. Update the enrollment policy with a reference to the portal for the app list that appears in the CA MDM device application. To prepare the iOS devices for application management, enroll the iOS devices in management before deploying applications.

Prepare iOS Enterprise Application Management for Required Applications
For each required enterprise-signed application, the deployment process includes:
The compiled application and its provisioning file must be available for CA MDM use.
Deploy the provisioning file to devices.
Create the application policy.
If you deploy the provisioning file in advance of the application, ensure that you disable the application in future.

Prerequisites
Manage the devices that have the Apple App Store version of the CA MDM application.

Task
1. Compile your application according to the iOS Developer Enterprise Program procedures. Apple defines and manages the Apple iOS Developer Enterprise Program.
Note: For information about the iOS Developer Enterprise Program, see
2. Make a copy of the compiled application (.ipa) and the associated provisioning file of an application (.mobileprovision).

The application must include a complete manifest file (.plist), as defined by the Apple iOS Developer Enterprise Program.
3. Create an iOS configuration policy on the CA MDM Administrator Policy page. The configuration policy uses the provisioning file of an application to define an MDM Payload > Provisioning File item.
4. Deploy the provisioning file to the application group.
a. On the Policy page, link the configuration policy to a group.
b. On the Group page, to apply policies to the devices of a group, send a command.
Devices connect to CA MDM and install the provisioning file without user interaction. You can verify the file on the device on the Settings, General, Profiles page.
5. Create an application policy for the application with the required attribute on the CA MDM Administrator Policy page.
The application policy for the application is created.

Prepare iOS Enterprise Application Management for Optional Applications
For each optional enterprise-signed application:
The compiled application and its provisioning file must be available for CA MDM.
Prepare for CA MDM Self-Service Portal use.
Deploy the provisioning file to devices.
The portal self-management lets users browse and install optional enterprise applications. If you deploy the provisioning file in advance of the application, ensure that you disable the application in future.

Prerequisites
Manage the devices that have the Apple App Store version of the CA MDM application.

Task
1. Compile your application according to the iOS Developer Enterprise Program procedures. Apple defines and manages the Apple iOS Developer Enterprise Program.
Note: For information about the iOS Developer Enterprise Program, see
2. Make a copy of the compiled application (.ipa) and the associated provisioning file of an application (.mobileprovision). The application must include a complete manifest file (.plist), as defined by the Apple iOS Developer Enterprise Program.

3. Create an iOS configuration policy on the CA MDM Administrator Policy page. The configuration policy uses the provisioning file of an application to define an MDM Payload, Provisioning File item.
4. Deploy the provisioning file to the application group.
a. On the Policy page, link the configuration policy to a group.
b. On the Group page, to apply policies to the devices of a group, send a command.
Devices connect to CA MDM and install the provisioning file without user interaction.
5. On the CA MDM Administrator Policy page, perform the following actions:
a. Create an application policy for the application with the optional attribute.
b. Create an enrollment policy that includes the group.
Install, reinstall, or verify an instance of CA MDM Self-Service Portal that is configured for the enrollment policy. The group can connect to the enrollment policy for reenrollment and management.
To define the attributes for SSP, update the enrollment policy on the Policy page.
The enrollment policy is updated.

Create an Application Policy for iOS Enterprise Applications
Create a policy for optional or required enterprise-signed applications on iOS devices.
1. Log in to CA MDM Administrator Console, and click Policy, New, Application, iOS Enterprise Application.
2. Enter the policy details on the Summary page. You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the Self-Service Portal application to support duplicate policy names and multiple categories are compatible with CA MDM 2013Q3 and CA MDM 2013Q4 servers.
3. Enter the details of the application on the General page.
4. (Optional) Select or add one or more categories to be associated with the policy on the Categories page.
5. Select Yes or No to indicate whether the selected category is a featured category.

6. (Optional) Click Browse and select the image file (.JPG or .png), and enter any additional note.
Note: The maximum length for the file name must be 258 characters, and the maximum image size must be 1 MB. For an easy download and to minimize data traffic, use smaller image files of size up to 100 KB. The recommended resolution for the category image on an iOS device is up to 1448 x 1422 pixels. The category image is scaled to the required resolution, without changing the aspect ratio, and is then cropped.
(Optional) In the Available Categories list, select a category and click Edit, Delete, Inspect Image or Clear Image. If a category attached to another policy is deleted, the category from the referring policy is deleted. If you click Inspect Image, then the image opens in the Server, Category Image File window.
In the Pre-defined Categories list, select a category and click Edit, Inspect Image or Clear Image. If you click Clear Image, the image associated with the Pre-defined Category is removed.
(Optional) Enter the application description on the Description Detail page.
Note: The appearance of the uploaded image changes depending on the size of the image and the browser settings. The maximum image size that is allowed is 1 MB.

Deploy iOS Enterprise Applications
After the user enrolls in device management and the application policies are created, applications are deployed to devices. Review the following ways to deploy applications:
The user browses the App Store list and installs the application.
If MDM controls the devices during the enrollment phase and the device connectivity is established, applications are installed immediately.
Once you create an application policy for iOS Enterprise, deploy iOS enterprise applications. The iOS Enterprise includes required or optional applications.

Prerequisites
Create an enterprise application policy and specify it as required or optional.
If an application is configured to be removed using MDM, the application is deleted from the device.
Note: As Apple supports this feature through the MDM protocol in iOS 5.x devices, users can optionally install applications on iOS 5.x devices.

Task
Users open the CA MDM application on their device, and enroll or reenroll in the device management. The device connects to CA MDM.
The required applications are pushed to devices automatically when configured for the MDM protocol. A user can postpone the installation of a required application, but cannot cancel it.
If you do not define the application policy to use the MDM protocol, the application is considered optional. The application is pushed to the device. The application is displayed in the CA MDM app list for users to browse and install manually.

Notes:
If the user uninstalls a required application from the device, initiate the inventory scan (device refresh) from the server. The inventory scan gets the updated software inventory from the device to update the Package Tracking status to Uninstalled. Once the CA MDM inventory shows the uninstalled application, the user receives a prompt to install the application. The prompt is displayed only when a subsequent Apply Policies action is sent from the server. You can either manually send an Apply Policies notification to that device, or set the iOS Apply Policies schedule accordingly.
Some latency exists between the time a user installs software and the time it is reported to the database. Therefore, a user is prompted to install software that is already installed. Similarly, some latency exists between the time a user removes a required application and the time the server prompts the user to install it. For an inventory update, the administrator executes an Apply Policies action or runs the iOS Device Refresh schedule.
For the applications that are 100 MB or smaller, the status bar tracks progress. For the applications larger than 100 MB, the device appears to freeze at the 100 percent progress point, but requires extra time to complete.

Disable an iOS Enterprise Application on a Device
To prevent the user from running the application, disable an optional or required enterprise application. If the device is managed using MDM and the device is removed from the MDM management, the device is removed from service but the application remains on the device.
1. On the configuration policy that delivered the provisioning file of the application to the device, remove the provisioning file payload from the policy.
2. On the Group page, send a command to the group so that the group devices connect and apply policies.
The device connects to CA MDM and reports its current inventory. The server delivers instructions to remove the provisioning file from the device. Subsequent attempts to launch the application fail. You can restore the ability of a user to run the application by reinstalling the provisioning file payload.

Volume Purchase Program Licensed Application Policies for iOS Devices
The Volume Purchase Program (VPP) from Apple provides a simple and efficient method to purchase iOS apps from the App Store in bulk, for distribution within your organization. iOS VPP licensed application policies define which Apple VPP store apps can be installed on the devices in your enterprise.
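For the enterprise-signed iOS applications covered in the preceding sections, where the deployed provisioning file decides whether the application can launch, a check of the .ipa before it is handed to the package server can look like the following. This is an added example, not CA MDM or Apple code: the finding codes, the 30-day threshold and the sample package are constructed assumptions, and the profile's signature is not verified.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timedelta


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist carried inside a .mobileprovision file.

    The file is a signed container around an XML plist. This locates the
    plist by its markers only; it does NOT verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def app_id_matches(pattern: str, app_id: str) -> bool:
    """A profile's application-identifier may end in '*' (wildcard)."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return pattern == app_id


def check_ipa(ipa: bytes, now: datetime, min_days_left: int = 30) -> list:
    """Return finding codes for an .ipa; an empty list means no findings."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = z.namelist()
        info_name = next((n for n in names
                          if n.startswith("Payload/") and n.count("/") == 2
                          and n.endswith(".app/Info.plist")), None)
        if info_name is None:
            return ["NO_INFO_PLIST"]
        profile_name = info_name[:-len("Info.plist")] + "embedded.mobileprovision"
        if profile_name not in names:
            return ["NO_EMBEDDED_PROFILE"]
        info = plistlib.loads(z.read(info_name))
        profile = extract_profile_plist(z.read(profile_name))

    findings = []
    # plistlib returns a naive UTC datetime; a missing date counts as expired.
    expires = profile.get("ExpirationDate")
    if expires is None or expires <= now:
        findings.append("PROFILE_EXPIRED")
    elif expires - now < timedelta(days=min_days_left):
        findings.append("PROFILE_EXPIRES_SOON")
    # In-house (enterprise) profiles provision all devices; development and
    # ad hoc profiles carry a ProvisionedDevices list instead.
    if profile.get("ProvisionsAllDevices") is not True:
        findings.append("NOT_IN_HOUSE_PROFILE")
    entitlements = profile.get("Entitlements", {})
    prefix = (profile.get("ApplicationIdentifierPrefix") or [""])[0]
    full_id = f"{prefix}.{info.get('CFBundleIdentifier', '')}"
    if not app_id_matches(entitlements.get("application-identifier", ""), full_id):
        findings.append("APP_ID_MISMATCH")
    if entitlements.get("get-task-allow"):
        findings.append("DEBUGGABLE_BUILD")  # debugger attach is allowed
    return findings


def build_sample_ipa(bundle_id, profile_app_id, expires,
                     in_house=True, debuggable=False) -> bytes:
    """Constructed sample: a zip laid out like an .ipa, with placeholder
    bytes standing in for the profile's signed wrapper."""
    profile = {
        "Name": "Constructed Sample Profile",
        "ApplicationIdentifierPrefix": ["ABCDE12345"],  # made-up team prefix
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": profile_app_id,
                         "get-task-allow": debuggable},
    }
    if in_house:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["0" * 40]
    wrapped = b"FAKE-SIGNED-HEADER" + plistlib.dumps(profile) + b"FAKE-SIGNATURE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id},
                                  fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Sample.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ipa("com.example.app", "ABCDE12345.com.other.app",
                              datetime(2014, 2, 1))
    print(check_ipa(sample, datetime(2014, 3, 1)))
```

An expired or mismatched profile found here would otherwise surface only on the device, as an application that installs but fails to launch.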

After you upload the service token file (stoken) for the purchased apps, create the policies in the CA MDM Administrator Console.

Volume Purchase Program License Management
Prepare for Distribution of VPP Apps
The Volume Purchase Program app licensing enables enterprises to assign apps to users, while retaining full control and ownership of the apps. Users can enroll for the program using their personal iTunes ID. The app licenses are assigned to the VPP-enrolled users, under the control of the administrator for the enterprise. Volume Purchase Program lets you perform the following tasks:
Search for apps.
Determine the quantity that is needed.
Complete the purchase with a corporate credit card or procurement card.
To start buying apps in volume, enroll in the program and create a volume purchasing account with Apple. Once you have enrolled, you can purchase apps from the VPP web site. Upload the stoken for the purchased apps in the CA MDM Administrator Console. To deploy the apps on the device, create iOS VPP application policies.

Prerequisites
Register with the Apple Volume Purchase Program and purchase apps for distribution in the organization.
Download the service token (stoken) used for authenticating app assignments.

Task
The VPP apps can be deployed only using MDM.
1. Log in to the CA MDM Administrator Console, navigate to Server, Configuration, iOS Volume Purchase page.
2. Upload the stoken you obtained from the Apple VPP web site. You see a list of all the apps you have purchased and that are associated with the specified stoken.
3. To create VPP licensed app policies, select the apps and click Create Policies (+). You can also create VPP app policies in the Policy, Application, iOS VPP Licensed App page.
4. Link the policies with the required groups, for distribution.

Create a Volume Purchase Program Licensed App Policy
Create a policy for an application from the Apple Volume Purchase Program store.

Prerequisites
The device user must have an iTunes account.
To prepare for a VPP store licensed application, complete the procedure. The procedure includes recording the App Store number and the country code for the application.

Task
The Configuration page in the policy is reserved for application onboarding data provisioning and is not part of this procedure. For more details, see the Application Onboarding section.
Note: If you change the service token that is associated with an iOS VPP Licensed Application policy, devices still display the applications from the original stoken. The users cannot install the applications from the original stoken.
1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Application, iOS VPP Licensed App.
2. Enter the policy details on the Summary page, and indicate whether the policy is published or unpublished. Connecting devices receive only published policies.
3. Enter the application information on the General page, and click Update to populate the Information box.
4. (Optional) On the Categories page, select one or more categories to be associated with the policy. Click Add to add a new category.
5. (Optional) To indicate if the selected category is a featured category, select Yes or No.
6. (Optional) Click Browse and select the image file (.JPG or .png) and enter any additional note.
Note: The maximum length for the file name is 258 characters, and the maximum image size is 1 MB. For an easy download and to minimize data traffic, use smaller image files of size up to 10 KB.
7. (Optional) Enter a description for the application and modify the display name on the Description Detail page. The display name of the application is automatically updated when you upload the application package on the General page.

Deploy VPP Apps on the Device
To participate in the VPP program, users must register with the program. You can use the web clip URL that is sent to the device during enrollment, or after enrollment.
Enroll the device in CA MDM, and associate the device with a group for which VPP is enabled. CA MDM verifies that the user is a registered VPP user.
Register the user for VPP with a valid Apple ID, if it is the first-time access. The VPP service returns an Invitation URL. This URL associates the registered VPP user with the iTunes account of a user.
During the enrollment, CA MDM sends a web clip containing the Invitation URL to the device.

4. Click the web clip and accept the agreement. iTunes informs VPP about the association of the VPP user with the iTunes account. Any licenses that are allocated to the VPP user are automatically reflected in the associated iTunes account.
5. Apply the policy for the device. If the device is already enrolled in CA MDM, apply the policy twice: the first time, the web clip is pushed to the device; the second time, the apps are pushed. Applying the policy twice is a one-time activity for each user. Subsequent pushes of VPP policies to a device do not require the second apply policy connection. Based on availability, licenses are allocated for the apps. The apps appear in the purchase history of the iTunes account.
Note: One license is allocated to all VPP users using the same iTunes account. For example, using the same iTunes ID on an iPad and an iPhone consumes only one license.

View License Details and User Status for VPP App Policies
View license details and status information for VPP in the policy and the device inspector panels. These details are tenant-specific.
1. Log in to CA MDM Administrator Console, navigate to Policy, select a VPP licensed app policy.
2. On the left toolbar, click Show/Hide Inspector.
3. On the Inspector panel top toolbar, click VPP License View. The Inspector panel shows details. For example, the number of purchased licenses, number of consumed licenses, and the remaining number of licenses. You can also view the device ID, user name, license number, and the license issue date.
4. On the Device list page, select the device to which the VPP policy is applied.
5. On the left toolbar, click Show/Hide Inspector. The VPP user status in the Inspector panel Summary page is displayed.

Revoke License for VPP Apps
When a user leaves the organization, revoke app licenses from the VPP users for security reasons. You can make revoked licenses available to other users. Licenses for the VPP apps are revoked in CA MDM when:
A policy or a device is unlinked from the group.
Remove control is initiated for the device.
Remote wipe is initiated for the device.

1. Unlink the VPP app policy from the group or remove the device from the VPP group.
2. During the next apply policy connection, CA MDM detects that the app must be removed from a particular user. It also requests the VPP store to revoke the license.
3. VPP informs iTunes about the license revocation; iTunes in turn informs the user.
4. CA MDM sends the remove command to the device, and the apps are removed from the device.

Retire the VPP User
Retire VPP users who leave the organization and revoke the app licenses allocated to them.
When a VPP user leaves the organization, the CA MDM administrator initiates a delete action for the device. CA MDM informs VPP to revoke all the licenses that are allocated to the user. VPP removes all the apps from the purchase history of the iTunes account of the user.
When a device is moved from one tenant to another, the VPP users on the device are retired. If the destination tenant has a different stoken, the VPP users on the device are retired. If a tenant is deleted, all VPP users that are associated with the tenant are retired.

Manage Google Play Application Policies for Android Devices
Google Play Android application policies define which Google Play applications are available for devices to browse and install from the CA MDM application app list. The commercial applications are delivered from the Google Play commercial market. The application packages include:
Identifying information for the application
(Application onboarding) File or data for the application onboarding data provisioning

Prepare Android Devices for Application Management
To prepare the Android devices for application management, enable applications from unknown sources. After you enable the applications, enroll the Android devices in CA MDM.
To allow the enterprise application deployment, ensure that devices allow installing applications from unknown sources.
Click Settings, Applications, and enable unknown sources on the x and x devices.
Click Settings, Security, and enable unknown sources on 4.x devices.
The following features must be available on the devices:
The installed CA MDM application.
Configuration policy with enabled inventory.
Configuration policy that configures the GCM messaging or an SMS address on the device record.

Prepare Android Google Play Application Management
For each Google Play application, collect the required application information. Use the following methods for collecting the package name:
To locate and record an application name as defined by the developing entity, use a web search.
To select an application and extract the package name from the URL, use the Google Play site. For example, the application package name for Kindle is com.amazon.kindle, as extracted from URL " "
Collect software inventory from a device on which the application is installed. The application package name is reported as the software name.

Create an Application Policy for Android Google Play Apps
Create the policies for managing applications from Google Play.

Prerequisites
To prepare for a Google Play application, complete the procedure and record the application name.
The device user must have an account with Google Play. Google Play user agreements and costs are independent of CA MDM operations.

Task
1. Log in to CA MDM Administrator Console, navigate to Policy, New, Application, Android Market.
2. Enter the policy details on the Summary page. You can specify duplicate policy names across tenants and within a tenant for all policy types. Connecting devices receive only published policies. Changes that are made in the CA MDM application to support duplicate policy names and multiple categories are compatible with CA MDM 2013Q3 and CA MDM 2013Q4 servers.

3. Enter the application information on the General page. Data retrieval is subject to data availability from Google Play.
4. (Optional) Select or add one or more categories to be associated with the policy on the Categories page.
5. Select Yes or No to indicate whether the selected category is a featured category.
6. (Optional) Click Browse and select the image file (.JPG or .png), and enter any additional note.
Note: The maximum length for the file name must be 258 characters, and the maximum image size must be 1 MB. For an easy download and to minimize data traffic, use smaller image files of size up to 100 KB. The recommended resolution for the category image on an iOS device is up to 1448 x 1422 pixels. The category image is scaled to the required resolution, without changing the aspect ratio, and is then cropped.
(Optional) In the Available Categories list, select a category and click Edit, Delete, Inspect Image or Clear Image. If a category attached to another policy is deleted, the category from the referring policy is deleted. If you click Inspect Image, then the image opens in the Server, Category Image File window.
In the Pre-defined Categories list, select a category and click Edit, Inspect Image or Clear Image. If you click Clear Image, the image associated with the Pre-defined Category is removed.
(Optional) Enter a description for the application and modify the display name on the Description Detail page. The display name of the application is automatically updated when you upload the application package on the General page.
The application policy for Android Google Play apps is created.

Deploy Android Google Play Apps
Deploy the Android Google Play applications by deploying the application policy. On the CA MDM application of a device, use the application list to browse the applications and install the Google Play application.

Prerequisites
The device user must have an account with Google Play. Google Play user agreements and costs are independent of CA MDM operations.
Only the users can remove the application. If the device is a Samsung AES device, remove the application by using a configuration policy with Samsung application properties.

Task

1. Log in to CA MDM Administrator Console, navigate to Policy.
2. Link the application policy to a group. Linking to a user group for the Android policies is not supported.
3. To apply policies, navigate to Group and connect the devices of a group. The device connects to CA MDM and reports its current software inventory.
4. On the user device, navigate to the Apps page and browse the list of applications. If you use the optional category attribute, the applications are grouped by category.
5. On the device, install the Google Play application. The CA MDM application closes and the device connects to Google Play, where the user can initiate the installation.

Manage Enterprise Application Policies for Android Devices
Android enterprise application policies define the available enterprise applications for devices to browse and install from the CA MDM application app list. Third-party entities develop the enterprise applications, which are delivered from the CA MDM package server. The application packages include:
Identifying information for the application
(Application onboarding) File or data for the application onboarding data provisioning

Prepare Android Devices for Application Management
To prepare the Android devices for application management, enable applications from unknown sources. After the applications are enabled, enroll the Android devices in CA MDM.
To allow the enterprise application deployment, ensure that devices allow installing applications from unknown sources.
Click Settings, Applications, and enable unknown sources on the x and x devices.
Click Settings, Security, and enable unknown sources on the 4.x devices.
The following features must be available on the devices:
The installed CA MDM application.

Configuration policy with enabled inventory.
Configuration policy that configures the GCM messaging or an SMS address on the device record.

Prepare Android Enterprise Application Management
For each enterprise-developed application, use Android development procedures to make compiled applications available for CA MDM use.
Make a copy of the compiled application (.apk) available to the CA MDM Administrator.
Create an application policy for the application on the CA MDM Administrator Policy page.

Create an Application Policy for Android Enterprise Applications
Create the policies for managing enterprise-developed applications on the Android devices.
For Samsung Advanced Enterprise Security (AES) devices that use the Samsung-signed CA MDM application, create a required enterprise application. To remove the application, change the attribute of the application to optional and redeliver the policy.
1. Log in to CA MDM Administrator Console, navigate to Policy, New, Application, Android Enterprise.
2. Enter the policy details on the Summary page. You can specify duplicate policy names across tenants and within a tenant for all policy types. Connecting devices receive only published policies. Changes that are made in the CA MDM application to support duplicate policy names and multiple categories are compatible with CA MDM 2013Q3 and CA MDM 2013Q4 servers.
3. Enter the information of an application on the General page.
4. (Optional) Select or add one or more categories to be associated with the policy on the Categories page.
5. Select Yes or No to indicate whether the selected category is a featured category.
6. (Optional) Click Browse and select the image file (.JPG or .png), and enter any additional note.
Note: The maximum length for the file name is 258 characters, and the maximum image size is 1 MB. For an easy download and to minimize data traffic, use smaller image files of size up to 100 KB. The recommended resolution for the category image on an iOS device is up to 1448 x 1422 pixels. The category image is scaled to the required resolution, without changing the aspect ratio, and is then cropped.

(Optional) In the Available Categories list, select a category and click Edit, Delete, Inspect Image or Clear Image. If a category attached to another policy is deleted, the category from the referring policy is deleted. If you click Inspect Image, then the image opens in the Server, Category Image File window.
In the Pre-defined Categories list, select a category and click Edit, Inspect Image or Clear Image. If you click Clear Image, the image associated with the Pre-defined Category is removed.
(Optional) Enter an application description and modify the display name on the Description Details page. The display name and application version are automatically updated when you upload the application package on the General page. You can upload as many as eight screenshots. To have an image appear on the device, select any screenshot as the application image.
Note: The appearance of the uploaded image changes depending on the size of the image and the browser settings. The maximum image size that is allowed is 1 MB.
The application policy for Android enterprise applications is created.

Deploy Android Enterprise Applications
Deploy Android enterprise applications by deploying the application policy. On the CA MDM application of a device, users can use the application list to browse the list of applications. Users can also launch a package-server-based installation.
Only the user can remove the installed application. If the device is a Samsung AES device, remove the application using the configuration policy with Samsung application properties.
1. Link the application policy to a group on the Policy page. Linking to a user group for the Android policies is not supported.
2. To apply policies, navigate to Group and connect the devices of a group. The device connects to CA MDM and reports its current software inventory.
3. On the user device, navigate to the Apps page and browse the list of applications.
4. When the user opens the Apps page, the device connects to the package server. The server refreshes the list of applications of a device. The user browses the application list and installs the application. If you use the optional category attribute, the applications are grouped by category.

5. On the device, launch the installation. The CA MDM application connects to the package server, downloads the application, and initiates the installation.

Remove an Android Required Enterprise Application from a Device
To prevent the application use on a device, remove the required enterprise application. The user cannot remove it unless you change the attribute of the application to optional and redeliver the policy.
1. Log in to CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Navigate to the Samsung, Application policy page, and enter the policy properties:
Samsung Application Enable/Disable Policy adds the application to the list and sets the Uninstallation Enable/Disable attribute to enabled.
Samsung Application Install/Remove/Update Policy adds the application package name to the list and removes the Policy attribute.
3. Link the configuration policy to a group on the Policy page.
4. To apply policies, navigate to the Group page and send a command to the group to connect the devices.
The device connects to CA MDM and reports inventory. The server delivers instructions to remove the application from the device. After a subsequent connection, the Device Inspector, Managed Software inventory page displays that the application is removed.

App Store Application Policies for Windows Phone Devices
The App Store application policies for Windows Phone define the Windows Store applications that appear on the CA MDM app list. These applications are available for installation. The commercial applications are delivered from the Windows Phone commercial market. An application package includes information that identifies the application. Enroll the Windows Phone devices in management before deploying any applications.

Prepare for Windows Store Application Management
To locate and record an application name, as defined by the developing entity, use a web search. To discover the package name, perform the following steps:
Select an application.
Extract the package name from the URL. For example, if the Windows Store app URL is " ", then:
Windows Store ID: 34158d7e-fdc9-457b-be7f-b19a417cef40
Country code: en-us
Package name: arcotid-otp
To navigate to Windows Store and select the required app, click the Windows Store URL available in the App Store application policy screen.

Create an Application Policy for Windows Phone App Store Applications
Create an application policy for the Windows Store app.
1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Application, Windows Phone App Store.
2. Enter the policy details on the Summary page. Connecting devices receive only published policies. You can specify duplicate policy names across tenants and within a tenant for all policy types.
3. Enter the application information on the General page. To populate the information box, click Update.
4. (Optional) Select or add the category to be associated with the policy on the Categories page. Move categories from the Available Categories table to the Selected Categories table.
5. Select Yes or No to indicate whether the selected category is a featured category.
6. (Optional) Click Browse and select the image file (.JPG or .png), and enter any additional note. The maximum length for the file name is 258 characters, and the maximum image size is 1 MB. To enable easy download and minimize data traffic, use smaller images up to 100 KB.
7. (Optional) Enter the application description on the Description Detail page. The display name of the application is automatically updated when you upload the application package on the General page.

Deploy Windows Store Application
Deploy the Windows Phone application by deploying the application policy to a device using the MDM protocol option. You can also allow a user to browse the app list on their device and install the application.

Prerequisites

To download apps from the Windows Store, device users must have an account with Microsoft. Microsoft user account agreements and costs are independent of CA MDM operations.

Log in to the CA MDM Administrator Console, navigate to Policy, and link the Windows Store application policy to a group.
To apply policies, navigate to the Group page, and connect the devices of a group.
Enroll the devices in CA MDM management. The CA MDM application is installed on the device.
Launch CA MDM on the device and browse the list of applications on the Apps page. If you use the optional category attribute, the applications are grouped by category.
On the device, click Install to install an app. The device connects to the Windows Store, where the user can initiate the installation.

Enterprise Application Policies for Windows Phone Devices

Windows Phone enterprise application policies define which enterprise-signed applications are available for devices to install. Third-party entities produce the enterprise-signed applications, which are delivered from the CA MDM Package server. An application package includes information that identifies the application. Enroll the Windows Phone devices in management before deploying any applications.

Work with Windows Phone Enterprise Applications

To install Windows Phone enterprise applications, company employees must enroll their phones for app distribution from their company. The following steps describe how to establish an enterprise account, enroll devices, and distribute apps to enrolled devices:

The company must register on the Windows Phone Dev Center and must acquire an enterprise mobile code-signing certificate from Microsoft. This certificate is required to generate the Application Enrollment Token (AET) and to sign the enterprise apps.
Export a PFX file from the certificate.
Windows Phone SDK 8.0 provides the AETGenerator tool; use this tool to generate an application enrollment token (AET).
Prepare the enterprise apps for distribution.
To prepare enterprise apps, precompile the assemblies included in the XAP into native code. After you precompile, sign the XAP with the PFX file exported from the enterprise certificate.

In the CA MDM Administrator console, upload the AET file and the signed CA MDM application.
Enroll the devices in CA MDM. The AET file and the signed CA MDM application are pushed to the device during enrollment.
Sign the enterprise applications with the same code-signing certificate used to generate the AET file.
To deploy the apps on the device, use enterprise application policies.

You can create a company account, generate enrollment tokens, and code-sign applications. For more information, see the Windows Phone Dev Center documentation.

Upload the Application Enrollment Token and Signed CA MDM Application

Upload the Application Enrollment Token (AET) generated using the code-signing certificate for the enterprise, and the CA MDM application (.XAP) signed by the same code-signing certificate.

1. Log in to the CA MDM Administrator Console, navigate to Server, Configuration, Component, Windows Phone page.
2. In the AET File field, click Browse and select the AET file to upload.
3. Download the unsigned CA MDM application (.XAP) file.
4. Sign the CA MDM application using the same code-signing certificate that is used to generate the AET file.
5. Click Browse to select and upload the signed CA MDM application.

The CA MDM application is silently installed on the Windows Phone device when the device enrolls in management.

Prepare for Windows Phone Enterprise Application Management

For each enterprise-developed application, use Windows Phone development procedures to make compiled applications available for CA MDM use. Make a copy of the compiled application (.xap) available to the administrator who is responsible for creating application policies. Ensure that the application enrollment token (AET) for the enterprise is available on the device. The same code-signing certificate that is used to generate the AET must sign the enterprise apps.
Create an Application Policy for Windows Phone Enterprise Applications

Create a policy for optional or required enterprise-signed applications for Windows Phone devices. The policy includes multiple pages, such as Summary and General. Complete them in any order. To save changes on all pages, click Save at the top of any page.

1. Log in to the CA MDM Administrator, navigate to Policy, New, Application, Windows Phone Device.
2. Enter the policy details on the Summary Page. Connecting devices receive only published policies. You can specify duplicate policy names across tenants and within a tenant for all policy types.
3. Enter the application information on the General Page.
4. (Optional) Select or add the category to be associated with the policy on the Categories page.
5. (Optional) Select Yes or No to indicate whether the selected category is a featured category.
6. (Optional) Click Browse and select the image file (.JPG or .png), and enter any additional note.
   Note: The maximum length for the file name is 258 characters, and the maximum image size is 1 MB. To enable easy download and minimize data traffic, use a smaller image of up to 100 KB.
7. (Optional) Enter the application description on the Description Detail page. The display name of the application is automatically updated when you upload the application package on the General page.
8. Click New, browse, and select the application screen shot that appears on the device. You can upload as many as eight screen shots. To make an image appear on the device, select any application image.
   Note: The appearance of the uploaded image changes, depending on the size of the image and the browser settings. The maximum image size is 1 MB.

Deploy Windows Phone Enterprise Applications

Deploy Windows Phone enterprise applications by deploying the application policy. Launch the CA MDM application on the device, browse the application list, and install the enterprise applications.

Prerequisites

Ensure that the application enrollment token (AET) for the enterprise is available on the device. The same code-signing certificate that generates the AET must sign the enterprise apps.

1. Log in to the CA MDM Administrator Console, navigate to Policy.
2. Link the Windows Phone Enterprise application policy to a group.
3. On the Group page, connect the devices of a group to apply policies.
4. Enroll the devices in CA MDM management.

5. Launch the CA MDM application on the device, and browse the list of applications on the Apps page. The device displays the list of applications from the Package Server. If you use the optional category attribute, the applications are grouped by category.
6. On the device, click Install to install an app. CA MDM connects to the Package Server, downloads the application, and initiates the installation.

Manage Configuration Policies

Contents
- Create Configuration Policy for Android Devices
- Schedule Page
- Configure Basic Settings for Android Devices
- Configure Android LG Devices
- Configure Android Motorola Devices
- Configure Android Samsung Devices
- Configure AES General Settings for Samsung Devices
- Configure Exchange ActiveSync for Samsung Devices
- Remove Exchange ActiveSync Configuration from Samsung Devices
- Install and Update Applications for Samsung Devices
- View Managed Application Inventory for Samsung Devices
- Manage Installed or Known Applications for Samsung Devices
- Remove Applications from Samsung Devices
- Samsung SAFE Pages
- Samsung KNOX Pages
- Enter a Samsung Enterprise License Key
- Post-Session Processing for Channels
- Create Configuration Policy for BlackBerry or Windows Devices
- Create Configuration Policy for iOS Devices

- iOS Configuration Policy MDM Payloads
- Send Multiple Configuration Policies to Devices
- The SSL Option in Policies
- Embedded SCEP Requests as Identity Certificates
- Import iOS Device Configuration Policies
- iOS Policies from the Apple iPhone Configuration Utility
- Manage Session Policies
- Create Configuration Policy for Windows Phone

Configuration policies collect inventory and set device settings. Inventory is collected for hardware, software, or both. Configuration policy settings vary by device type, but include settings for passwords, Wi-Fi, roaming, and VPN. For Samsung and Motorola Android devices, the policy sets items that are available only through manufacturer APIs. These items are not visible in the user interface.

Create Configuration Policy for Android Devices

Create a policy for scheduling device connections, collecting inventory, and configuring device settings for the Android devices.

Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, and Android.
Enter the Policy name and the required properties on the Summary Page. You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made to support duplicate policy names are compatible with CA MDM 2013Q3 and CA MDM 2013Q4 servers.
Note: The authentication option is available only when the authentication is enabled on the server, as defined on the Security page.
4. (Optional) To configure a daily connection, define Schedule page properties.
(Optional) Configure the remaining pages according to your requirements.

Schedule Page

For Android configuration policies, set a schedule. The CA MDM client uses this schedule to connect to CA MDM and apply the configuration policy. On the Schedule page, you can create, select, edit, and delete schedules. You can also define the number of times the server must retry the scheduled task.

To create a schedule, click New to open the Schedule Editor. To edit a schedule, select a schedule and click Edit. To set the number and frequency of retries, click Retries and configure settings from the Configuration Policy, Retries dialog.

Configure Basic Settings for Android Devices

For the Android devices, use CA MDM to configure basic settings for password, Bluetooth, Wi-Fi, and daily connection. Enable the password on the device to activate the password security option in CA MDM.

1. Log in to CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. (Optional) To configure a daily connection, click Schedule, and fill in the details.
3. (Optional) To configure password attributes, click Security, and enter the password attributes.
   Note: Define extra password attributes on the Device Policy page for the Samsung devices with Advanced Enterprise Security (AES).
4. (Optional) To configure the Bluetooth capabilities, click Bluetooth, and select Enable Bluetooth and Scan Devices.
   Note: Configure and enforce enabling Bluetooth on the Restriction Policy page for the Samsung devices with AES.
5. (Optional) To configure devices for wireless LAN (WLAN) connectivity, click Wireless LAN, and select the configuration setting.
   Note: Configure and enforce enabling connectivity on the Restriction Policy page for the Samsung devices with AES.
6. (Optional) To configure devices for a CA MDM Server connection, click Device Communications, and select the configuration settings.
7. Save and publish the policy, link it to a group profile, and then connect the devices.

Configure Android LG Devices

Configuration policy LG features let you use CA MDM Advanced Enterprise Security (AES) on LG Android devices. This CA MDM AES supports enterprise device management. Install the LG-signed CA MDM application on the enterprise device management. The application is available from the LG Apps store or Google Play.

Use configuration policy LG property pages for security management, application management, configuration management, and Microsoft Exchange client configuration. For more information about the LG product documentation for devices, see the LG support site.

Review the following LG Android device policies:

Application Policy
Allows you to set the properties for the following:
- Accessing Google Play (renamed from Android Market).
- Managing consumer and enterprise applications.
- Managing application data.
Installing applications from a consumer market, such as Google Play, requires user interaction.
Important! Do not disable the CA MDM application, as doing so causes subsequent sessions to fail. Removing the disabled application can fail, and reinstalling the application cannot restore normal operations.

Bluetooth Policy
Defines the Bluetooth setting. Audio only disables Bluetooth radio for connecting to computers and other devices.

Account Policy
Allows you to set the properties for connecting to and from the remote server. To deploy the policy during the next session, select the check box.

Exchange Account Policy
Allows you to set the properties for the native Microsoft Exchange ActiveSync (EAS) client. Once the client is defined on a device, you can remove it from the device.
Note: Until you remove an item from a device, do not remove an item from the policy editor list. If the device is not on the editor's list with the same identifier, you cannot remove the configuration from a device.

Location Policy
Allows you to enable the GPS location provider for LG and the Samsung devices.

Password Policy
Allows you to set the properties for the password security for the password.

Roaming Policy
Allows you to set the properties for the data synchronization while roaming. The properties set values on your device's Settings, Wireless and Network, Mobile Networks.

Restriction Policy
Defines the restrictions for user access to certain features.

Security Policy
Allows you to set the properties for device encryption and credential storage.

Configure Android Motorola Devices

Configure the Motorola Android devices that support enterprise device management for certificates, Microsoft Exchange ActiveSync accounts, and VPN connections. For more information about the Motorola product documentation for devices, see the Motorola support downloads site.

Review the following Motorola Android device policies:

Certificate Configuration
Allows you to set the properties for installation, user authentication, and certificate authority certificates. These properties are present on the device SD card.

VPN Configuration
Allows you to set the properties for the VPN connections. Once the connection is defined on a device, you can modify or remove the connection from the device. CA MDM configures the following VPN types:
- PPTP
- L2TP
- L2TP-IPSec-CRT
- L2TP-IPSec-PSK
The VPN types require the same data values. The IT administrator defines many of these values.

EAS Configuration
Allows you to set the properties for the native Microsoft Exchange ActiveSync (EAS) client. Once the client is defined on a device, you can remove it from the device.

Configure Android Samsung Devices

Configuration policy Samsung features let you use CA MDM Advanced Enterprise Security (AES) on Samsung Android devices. The Samsung Android devices support enterprise device management and have the Samsung-signed CA MDM application installed. The application is available from either the Samsung Apps store or Google Play.

Use configuration policy Samsung property pages for security management, application management, configuration management, and Microsoft Exchange client configuration. For more information about the Samsung product documentation, see the Samsung support site.

Important Information for Upgrading Samsung Clients

Only the policies that are assigned to devices during upgrade are reapplied. These policies are reapplied when the device connects from an upgraded Samsung client. Ensure that all policies are correctly assigned to the device during the upgrade.

Review the following Samsung Android device policies:

Firewall Policy
Allows you to set the properties for the Firewall options.

Enterprise Device Manager Policy
Prevents or allows users to enable or disable the administration of the device.

For more information about device policies, see Configure Android LG Devices.

Configure AES General Settings for Samsung Devices

For the Android Samsung devices with Advanced Enterprise Security (AES) capability, configure AES settings for the following features:
- Stronger passwords
- Device restarts
- Device feature capabilities
- Encryption
- Roaming data synchronization
- Installation of a certificate

1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Fill in the details on the Summary page.
3. (Optional) To strengthen password attributes or force a device restart, change the settings on the Samsung, Device Policy page.
4. (Optional) To enable functionality for Bluetooth, Wi-Fi, camera, microphone, encryption, or to install a certificate, change the settings on the Samsung, Restriction Policy page.
   Once the Encrypt device property is applied on the device, each subsequent connection includes the Encrypt device attribute. This is a known behavior of the Samsung APIs. The message "The same policy is already applied" is displayed.
   If the Encrypt SD card property is applied on the device, the message "Unable to use SD card without data encryption" is displayed. This is a known behavior of the Samsung APIs. You can dismiss this message. The device encrypts the data.
   If you install a certificate, the certificate is installed during each connection. The certificate property is set for each connection regardless of whether the certificate is already installed.
5. (Optional) To manage the data synchronization while roaming, change the settings on the Samsung, Roaming Policy page.
6. Save and publish the policy, link it to a group profile, then connect the devices.

Configure Exchange ActiveSync for Samsung Devices

To configure one or more accounts on a device, deploy a single Microsoft Exchange policy for:
- The Android Samsung devices with (AES) capability
- The native Microsoft Exchange ActiveSync (EAS)

Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
Create a configuration policy for the Android devices including the Samsung, Exchange Account Policy page with defined configuration items. To define policies, use temporary values in the data elements that require differentiation for each user. The policies can be deployed to multiple users.
In the policy configuration list, select each item on the list to deploy.
Save and publish the policy, link it to a group profile, then connect the devices. If a policy includes temporary values for some of the Exchange account data elements, synchronization with the server fails.
In the device's Settings, locate the account, then verify and personalize configuration data elements, such as a user name and password.
On the device using the native Microsoft Exchange ActiveSync client, the user synchronizes with the server.

Remove Exchange ActiveSync Configuration from Samsung Devices

Remove the CA MDM-defined Microsoft Exchange account from a device as needed.

1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Create a configuration policy for the Android devices that includes the Samsung, Exchange Account Policy page with the defined accounts.
3. In the policy configuration list, select an account to remove.
4. To invoke the inline editor, click Edit.
5. Delete the address, and then select the Update icon.
6. Save and publish the policy, link it to a group profile, then connect the devices.

Install and Update Applications for Samsung Devices

Install enterprise applications from compiled application files (.apk) present on the device, or update applications that are already installed from compiled application files present on the device.

1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Create a configuration policy for the Android devices.
3. Navigate to Application Policy, Samsung Application Install/Remove/Update Policy list.
4. Enter the values for Policy, Package Path, and Package Name.
5. Save and publish the policy, link it to a group profile, then connect the devices.

The application is installed on the device at the conclusion of the CA MDM session.

View Managed Application Inventory for Samsung Devices

For the Samsung Android devices with managed applications, view the associated inventory data. The associated inventory data is on a device's Device Inspector, Hardware, Managed Software page.

Note: The information about managed software is populated only for Samsung AES capable devices. These devices are installed with the CA MDM AES application.

Manage Installed or Known Applications for Samsung Devices

For the Android Samsung devices with Advanced Enterprise Security (AES) capability, you can perform the following tasks:
- Control access to Google Play.
- Control application actions.
- Wipe application data on the device and CA MDM Server.

Management actions are for enterprise or market applications. These applications are already installed on the device, or are known but not installed.

1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Create a configuration policy for the Android devices that includes the Samsung, Application Policy page.
3. (Optional) To control the usage of the Google Play application on the device, select Enable Android Market.
4. Navigate to Application Policy, Samsung Application Enable/Disable Policy, and set the policy properties. Only selected policies go into effect when the device connects.
5. Save and publish the policy. Link the policy with a group profile, and then connect the devices.

Remove Applications from Samsung Devices

For the Android Samsung devices with Advanced Enterprise Security (AES) capability, remove installed enterprise applications.

1. Log in to the CA MDM Administrator Console, navigate to Policy, New, Configuration, Android.
2. Create a configuration policy for the Android devices that includes the Samsung, Application Policy page that installed the application.
3. Navigate to Application Policy, Samsung Application Install/Remove/Update Policy, and select the application on the list.
4. Remove the application item.
5. Save and publish the policy, link it to a group profile, and then connect the devices.

On the device, at the end of the CA MDM session, the application is removed.

Samsung SAFE Pages

The Samsung SAFE policies allow you to use Samsung for Enterprise on Samsung devices. These policies support enterprise device management, and have the Samsung-signed CA MDM application installed. The application is available from either the Samsung Apps store or Google Play. Use Samsung SAFE policy pages for the following configuration and management tasks:
- APN configuration
- Application management
- Bluetooth configuration
- Account configuration
- Microsoft Exchange client configuration
- Firewall configuration
- Location configuration
- Password management
- Enterprise device management
- Restriction configuration
- Roaming configuration

- Security management
- WiFi configuration

For more information about Samsung product documentation for devices, see the Samsung support site.

Important Information for Upgrading Samsung Clients

Only the policies that are assigned to devices during upgrade are reapplied. These policies are reapplied when the device connects from an upgraded Samsung client. Ensure that all policies previously applied on devices are correctly assigned to the device during the upgrade.

APN Policy Page
The APN policy page configures one or more Access Point Name (APN) profiles for a Samsung SAFE device. An APN identifies a gateway between the mobile network of a user and a data network. This gateway is required for users to access the Internet or send and receive MMS messages. You can create default or MMS APN profiles.
You can configure an APN profile to allow corporate devices direct access to your internal network from a mobile network. By defining a profile for your corporate environment, you can provide better control over who has access to your network. Configure more profiles so that users who are traveling for business can connect through an APN server in their region.
To create an APN profile, click Add and configure settings as required.

Application Policy Page
For the Samsung SAFE devices, define properties for accessing Google Play, managing consumer and enterprise applications, and managing application data. User interaction is required to install applications from a consumer market, such as Google Play. User interaction is not required to install applications from your CA MDM package server.
Important! Do not disable the CA MDM application, as doing so causes subsequent sessions to fail. If you remove the disabled application, the application fails. Reinstalling the application does not restore normal operations.

Application Black and White List Management Settings
To define the applications that you do not want the user to download from Google Play, use the blacklist. To define applications the user is allowed to download, use the white list.

Enable/Disable Policy Settings
To enable or disable an application, use the Enable/Disable policy.

Application Install/Remove/Update Policy Settings
To install, remove, or update an application, use the Application Install/Remove/Update policy.

Bluetooth Policy Page
For Samsung SAFE devices, sets properties for select Bluetooth capabilities.

Account Policy Page
For Samsung SAFE devices, sets properties for connecting to the remote server. To deploy the policy during the next session, select the checkbox.

Exchange Account Policy Page
For a Samsung SAFE user that is defined in the Microsoft Exchange environment, set the properties for the native Microsoft Exchange ActiveSync (EAS) client. Once the client is defined on a device, you can remove it from the device.
If a client has multiple accounts and uses shared preference settings, then all accounts use one preferred signature setting. In CA MDM, the last account on the policy editor list is applied last. The applied policy becomes the preferred setting for all accounts.
To add a configuration item to the list in the policy editor, click Add account.
To remove an ActiveSync item from the client, include the item and delete the address. The item with that Identifier is deleted when the client runs this policy.
To remove a defined item from the list, select it and click Remove current account.
Important! If the configuration is on the list of an editor, then you can remove the configuration from a device.

Firewall Policy Page
For Samsung SAFE devices, sets properties for Firewall options.

Password Policy Page
For Samsung SAFE devices, sets properties for more security for the password you enable on the policy editor Security page. You can also execute a remote restart on the device.

Enterprise Device Manager Policy Page
For the Samsung SAFE devices, prevents users from removing, or allows users to remove, CA MDM as a device administrator on the device.
Note: Samsung introduced support for the Set CA MDM Administrative privileges removable setting starting with Android 0. This setting is not supported on Samsung devices running earlier versions of the OS. Users of these devices can remove CA MDM as a device administrator even when this setting is set to "No".

Restriction Policy Page
For the Samsung SAFE devices, defines restrictions for user access to certain features.

Roaming Policy Page
For Samsung SAFE devices, sets properties for data synchronization while roaming. The properties set values on the Mobile Networks window of your device.

Security Policy Page
For Samsung SAFE devices, sets properties for device encryption and credential storage.

WiFi Policy Page

To allow users to connect to your network through a wireless connection, configure the WiFi connections on Samsung SAFE devices. You can also block users from connecting to a configured network connection. This policy also allows you to configure a wireless adapter of a device. For example, you can allow or block users from configuring their own profiles or from changing the settings of network connections that are configured through this policy.
Note: To remove a network configuration from a device, clear the Network SSID from the connection profile and set it to Include. When the policy is applied, the connection with this ID is deleted from the device.

Samsung KNOX Pages

To configure policies on KNOX-capable Samsung devices, use the policy pages in the Samsung KNOX page group. Samsung KNOX is a hardware and software security solution for Samsung devices. The solution includes a secure container on the device for enterprise data. This container allows users to separate personal and business content on a device. This container also includes security features. The security features include Security-Enhanced Linux (SELinux), Security-Enhanced Android (SEAndroid, based on SELinux), and boot tampering protection with Samsung Attestation.

When you use a KNOX policy to configure a KNOX-capable device, install the KNOX container. Once you install the KNOX container, configure it on the device.

Note: You must obtain a Samsung Enterprise license from a KNOX reseller. Enter the license key into CA MDM before you can install the KNOX container on a device.

Enter a Samsung Enterprise License Key

Provide a Samsung Enterprise license key to install and configure KNOX on Samsung devices.

Provide a license key to install and configure the KNOX container on a device. When you apply a KNOX configuration policy to a device, the device connects with the Samsung Licensing server. The device uses the key to enable KNOX on the device. A license key can be configured for multiple tenants or per-tenant.

Note: Obtain a license key from an authorized KNOX reseller.

Log in to CA MDM Administrator, navigate to Server, Configuration, Component, Samsung Enterprise.
Enter the license key in the Samsung Enterprise License Key field.
(Optional) Enter a note for the license key.

Review the following Samsung KNOX Policy Pages:

Application Policy
The application policy page allows you to define application data and cache clearing rules for applications that are installed in the KNOX container. Configure an application policy to perform the following tasks:
- To uninstall or disable KNOX container applications.

97 To add or delete application shortcuts from the KNOX home screen. If you uninstall an application, an application is removed from the container. Disabling an application leaves it installed but prevents users from launching it. Cache and Data Clearing Rules The Cache and Data Clearing Rules specifies the list as the white list or black list while creating a list of rules for app data and cache clearing. A white list means that users can only clear the cache or data if the application is on the list. They are prevented from clearing anything on all other KNOX container applications. A black list means that the rules in the list restrict the users. They are allowed to clear cache and data all other KNOX container applications. Uninstalling or Disabling Applications To uninstall or disable an application that is installed in the KNOX container, click Add and set the options: Adding or Deleting Application Shortcuts Browser Policy Page The browser policy page configures the settings for the browser that is installed in the KNOX container. You can disable cookies, JavaScript, and pop-ups on the browser. You can also specify the address of the web proxy server you want the browser to use. Most of the settings include a User-controlled option. If you select User-controlled, the user is allowed to set these settings on the device. Certificate Policy Page The certificate policy page configures the settings for the Certificate Authority certificates. These certificates are used to authenticate connections between the KNOX container and your network. You can specify which certificates are trusted and which are untrusted. The untrusted certificates are removed from the system. The untrusted items take precedence over trusted items. When a certificate is added as untrusted, it is removed from the system. The certificate is removed even if it is part of a trusted certificate chain. 
You can configure the system to verify whether a certificate used to authenticate a connection for a specific application has been revoked.

Exchange Account Policy Page
The exchange account policy page configures an Exchange account on the KNOX container. From the Exchange Account Policy page, select Enable KNOX Exchange Account Policy to configure an Exchange account.

Firewall Policy Page
The firewall policy allows you to create firewall rules. These rules control network traffic on the KNOX container on a Samsung device. You can create Allow, Deny, Reroute, and Redirect Exception rules. The KNOX firewall inspects the destination host and port on incoming and outgoing network packets. The KNOX firewall allows, redirects, or drops these packets based on the rules you configure here. You can also create rules to block the browser in the KNOX container from accessing a URL.

Allow and Deny Rules
Allow rules let you specify allowed destination addresses for incoming and outgoing traffic.
Example: To define an allow rule that allows outgoing traffic to port 80 on IP 4, specify the following values:
Host: 4
Port: 80
Port Location: Remote
Deny rules let you specify the denied destination addresses for incoming and outgoing traffic for a specified application.
Example: To define a deny rule that drops outgoing traffic from a KNOX container app to port 80 on IP 4, specify the following values:
Host: 4
Port: 80
Port Location: Remote
Package name of the application
If KNOX Firewall policy is enabled, ensure that you create at least one allow rule. If you do not create a rule, the firewall drops all incoming and outgoing traffic. The firewall drops all traffic except for traffic that the allow rules allow explicitly. Allow rules take precedence over deny rules.

Reroute Rules
Reroute rules let you define traffic from applications running within the KNOX container that is rerouted from one target IP address and port to another. Rerouting allows you to redirect traffic to a proxy server.

Redirect Exception Rules
Redirect exception rules let you override reroute rules to exclude specific target IP destinations from being rerouted.

Blocked URL Rules
Blocked URL rules let you block the browser in the KNOX container from accessing a webpage, site, or domain.

Password Policy Page
The Password Policy page configures password settings for the KNOX container. For example, you can set the timeout period, the password type, and the expiration period. You can also define character strings that are not allowed in the KNOX password.

Premium VPN Policy Page
The VPN policy defines the connection between the Samsung KNOX device and the virtual private network of your enterprise. Create one or more VPN profiles, and perform the following steps.

Add the created VPN profiles to the available list of VPN profiles from KNOX.
Associate these profiles with an application on the device.
The VPN profiles define the VPN settings that are required to establish a connection to the VPN server. The VPN settings include the following options:
VPN server hostname or IP address
The required authentication method
Internet Key Exchange (IKE) configuration information
Note: The VPN policy requires that the Mocana KeyVPN app and KeyVPN service APKs are installed on the device.

VPN Profile Settings

Device-Wide VPN Settings
To configure device-wide VPN connection profiles you want to push to the device, use the device-wide VPN settings. These VPN connection profiles appear in the VPN profile list on the device. The user uses this list to initiate a connection to the VPN of your enterprise.

Application VPN Settings
To associate an application with a VPN profile, use application VPN settings. If you associate a VPN with an application, the device establishes a VPN connection for the application. The VPN connection is established when you apply the profile to the device. This application remains connected to the VPN indefinitely. Only traffic for the specified app is forwarded through the tunnel. You can create per-app for both KNOX and non-KNOX applications using the appropriate list.

Restriction Policy Page
The Restriction Policy page configures restrictions on the KNOX container. For example, you can configure the policy to disable the camera when inside the KNOX camera.

Security Policy Page
The Security Policy page configures security settings for KNOX-capable devices. You can enable or disable KNOX Attestation on the device and set SEAndroid security settings such as AMS policy and log levels.

SE Android Settings
Samsung does not support the SE Android Settings at the time of publication. Use of these settings is not recommended.

Single Sign-On Policy Page

The Single Sign-On Policy page configures single sign-on (SSO) on the KNOX container. Single sign-on allows users to log in to SSO-enabled applications in the KNOX container with one set of credentials.

Post-Session Processing for Channels
For configuration policies, some configuration items require processing after the CA MDM session ends. After the CA MDM session ends, the user verifies the informational and error messages in the device log. The device receives the messages that appear in the device log.

Create Configuration Policy for BlackBerry or Windows Devices
Create a policy for scheduling device connections, collecting inventory, and configuring device settings. You can configure a policy for BlackBerry or Windows devices.
Log in to the CA MDM Administrator Console, and navigate to Policy, New, Configuration.
Select BlackBerry or Windows device, and fill in the details on the Summary Page.
You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the CA MDM to support duplicate policy names are compatible with CA MDM 2013Q3 and CA MDM 2013Q4 servers.
Navigate to Schedule and create a schedule. Enter the values for Schedule, Note, Type. Select the appropriate setting for a schedule.
To retry a schedule, select a schedule. Click Retries to define the number of times the server retries the scheduled task.

Create Configuration Policy for iOS Devices
To create the MDM payloads, create a policy that defines settings such as settings for Wi-Fi and passcodes.
Log in to the CA MDM Administrator Console, and navigate to Policy, New, Configuration.

Fill in the details for the configuration policy for the iOS device.
(Optional) Configure more pages according to your requirements.

iOS Configuration Policy MDM Payloads
The CA MDM configuration policy and MDM data allow you to manage device settings for Wi-Fi, passwords, and applications. The policy definitions are compliant with the Apple iPhone Configuration Utility (iPCU) version 6 definitions. For more information about the Apple iPhone Configuration Utility, see the Apple resources, for example, iPCU help and Apple support resources for enterprise device management. For the available MDM payloads, navigate to Policy, New, Configuration, iOS, MDM payload in Administrator Console.

Send Multiple Configuration Policies to Devices
CA MDM combines multiple policies into a single delivery payload before sending them to a device. Apple designed iOS management to support multiple instances of some policy types and only a single instance of other policy types. Apple reserves the right to change requirements without notice. The following policy types are limited to a single instance on a device:
Passcode AirPrint AirPlay Restrictions Guided Access Exchange ActiveSync Advanced Web Container Filter

The SSL Option in Policies
If you plan to use the SSL option in any policy, then the device requires a certificate with appropriate credentials. For some policy types, select the appropriate certificate from the policy editor to define credentials. For other policy types, define a separate credentials policy.

Embedded SCEP Requests as Identity Certificates
Wi-Fi and VPN policies include an option to define and embed a SCEP request. The SCEP request is defined and embedded to obtain an identity certificate when the policy is deployed. The embedded SCEP request uses the certificate authority that is configured for the CA MDM operations and that is defined on the Certificate Authority page. All the required data elements in the SCEP request are populated with values from the selected certificate authority profile. You can access certificate authority profiles from the enrollment or package server drop-down list.
To edit the SCEP request's subject data, open the Certificate Authority page: navigate to the required Certificate Authority profile, and update the details.
Perform the following tasks:
Navigate to the Profiles page on a device. The policy contains a list that includes the following items:
For a Wi-Fi with SCEP policy, select SCEP enrollment request and a Wi-Fi Network.
For a VPN with SCEP policy, select SCEP enrollment request and a VPN Setting.
For a Mail with SCEP policy, select SCEP enrollment request and a Mail Setting.
For an ActiveSync with SCEP policy, select SCEP enrollment request and an ActiveSync Setting.

Import iOS Device Configuration Policies
Import Apple iPhone configuration policies or export the CA MDM policies to make them available as CA MDM configuration policies.
Log in to the CA MDM Administrator Console, navigate to Policy, Import iOS Mobile Configuration File.
Browse for the source file (for example, a .mobileconfig file), and click OK.
You can either import the selected payload into one generic policy or import the selected payload into an individual policy.
4. Click Edit.

5. Click Import and select the required policy or a generic policy.
If you are importing a valid file, it is uploaded according to the option that the Administrator selects. A file can be invalid for the following reasons:
Invalid file extension.
File size is zero.
XML keys or tags are not as per the IPCU format.
In these cases, the Administrator is not allowed to proceed with the upload (an error message is displayed).
6. Click OK.

iOS Policies from the Apple iPhone Configuration Utility
The process imports a snapshot of the policy. Once imported, CA MDM assumes the management of the policy. Subsequent changes to the original target policy file do not affect the CA MDM policy.
To create the device configuration policies, perform the following steps:
Export policies from the Apple iPhone Configuration Utility. From the utility, save the policies as an individual (.mobileconfig) file.
Import the policies into the CA MDM Administrator application policy page.
Note: Policies that you import into CA MDM cannot be encrypted or signed. Therefore, select None as the security method when exporting policies from the configuration utility.

Manage Session Policies
Session policies define the default and additional channels to run for one or more device types in a single policy. Channels include scripted events and registry updates. For some devices, users select a schedule for running the session channels. Session channels are created and managed in the CA MDM Channel Administrator, a standalone Windows application on the CA MDM master server.
Create a policy for running session channels on Android, BlackBerry, and Windows devices.
Log in to the CA MDM Administrator Console, and navigate to Policy, New, Session.
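The .mobileconfig import rules described earlier (a .mobileconfig extension, a non-empty file, IPCU-style XML keys, and no signing or encryption) can be checked before a file is uploaded. The following Python check is an added example, not CA MDM code; the function name, the list of required keys and the constructed sample profile are assumptions based on Apple's configuration profile format, and the server's own validation may differ.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Top-level keys an Apple configuration profile carries (assumed minimum set;
# the page does not list the keys CA MDM itself requires).
TOP_LEVEL_KEYS = ("PayloadIdentifier", "PayloadType", "PayloadUUID", "PayloadVersion")


def check_mobileconfig(filename, data):
    """Return the reasons a profile would be refused; an empty list means it passes."""
    problems = []
    if not filename.lower().endswith(".mobileconfig"):
        problems.append("invalid file extension")
    if not data:
        problems.append("file size is zero")
        return problems
    # A signed profile is a CMS SignedData blob in DER, which begins with the
    # ASN.1 SEQUENCE tag 0x30. An unsigned XML profile begins with '<' or a BOM.
    if data[0] == 0x30:
        problems.append("profile is signed")
        return problems
    try:
        profile = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError):
        problems.append("not well-formed plist XML")
        return problems
    if not isinstance(profile, dict):
        problems.append("top-level element is not a dict")
        return problems
    # An encrypted profile replaces PayloadContent with EncryptedPayloadContent.
    if "EncryptedPayloadContent" in profile:
        problems.append("profile is encrypted")
        return problems
    missing = [key for key in TOP_LEVEL_KEYS if key not in profile]
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    if "PayloadType" in profile and profile["PayloadType"] != "Configuration":
        problems.append("PayloadType is not Configuration")
    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list) or not payloads:
        problems.append("no payloads in PayloadContent")
    else:
        for index, payload in enumerate(payloads):
            if not isinstance(payload, dict) or "PayloadType" not in payload:
                problems.append(f"payload {index} has no PayloadType")
    return problems


def sample_profile():
    """Constructed sample: an unsigned, unencrypted profile with one Wi-Fi payload."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Example Wi-Fi",
        "PayloadContent": [{
            "PayloadType": "com.apple.wifi.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.profile.wifi",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "SSID_STR": "ExampleCorp",
            "EncryptionType": "WPA",
        }],
    }


if __name__ == "__main__":
    good = plistlib.dumps(sample_profile())
    encrypted = sample_profile()
    del encrypted["PayloadContent"]
    encrypted["EncryptedPayloadContent"] = b"\x00\x01"  # constructed placeholder bytes
    cases = {
        "wifi.mobileconfig": good,
        "wifi.xml": good,
        "empty.mobileconfig": b"",
        "signed.mobileconfig": b"\x30\x80" + good,  # constructed DER-like prefix
        "encrypted.mobileconfig": plistlib.dumps(encrypted),
    }
    for name, blob in cases.items():
        print(name, "->", check_mobileconfig(name, blob) or "ok")
```

The first-byte test for a signed profile is a heuristic; it does not verify or unwrap the signature.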

Provide the policy details, except the default channel.
Notes:
The priority sets a user-defined value. CA MDM uses this value to determine which configuration policy prevails when multiple policies define the same default settings. The lower the numeric value, the higher the priority.
The authentication option is available only if authentication is enabled on the server. The authentication option is defined on the Security page.
4. On the Channels page, to add the list of channels, click Select Channel. (Optional) Select a default channel from the list of channels. The connecting device requests the default channel during every connection.
5. Click Save.
The policy is created for running session channels on the devices.

Create Configuration Policy for Windows Phone
To define the settings for the MDM payloads, create a policy for Windows Phone devices. The settings include configuring Exchange ActiveSync and passcodes.
Log in to the CA MDM Administrator Console, navigate to Policies, New, Configuration, Windows Phone.
Enter the policy details on the Summary page. You can specify duplicate policy names across tenants and within a tenant for all policy types.
Note: The device management client on the Windows Phone device sends the software inventory-related information to the CA MDM Server. This information is sent during the device refresh. The refresh interval is preprogrammed into the device management client at the time of enrollment.
To connect to the corporate Exchange server, configure an Exchange ActiveSync account on the Exchange ActiveSync page. You can create the account by specifying the user name, host name, and address, or only the host name. Users provide other values when they install the policy. If an Exchange policy with a blank password field is synchronized with the device, you cannot add the password later.

For the password, if you use a directory substitution variable, you cannot decrypt the credentials on the Active Directory domain. The user does not receive messages until the user adds the password field in the Exchange account. If any of the variables have the right values, the device configures the account successfully. These values are defined under the attributes for Active Directory.
4. Enter the minimum password length, password expiration days, and other password characteristics on the Passcode page.
Note: Use a complex password policy for a Windows Phone device. When the configuration policy loads, the user must enter a passcode that satisfies the policy. If the Exchange security settings are more secure than the passcode policy, the user must change the password on the device.

Manage Enrollment Policies
Contents
Create Enrollment Policy for Android Devices
Automatic Naming Data for Android Enrollment Policies
Create Enrollment Policy for BlackBerry Devices
Create Enrollment Policy for iOS Devices
Update Enrollment Policy for MDM-First Enrollment
Create Enrollment Policy for Windows
Create Enrollment Policy for Windows Phone

Enrollment policies let you define provisioning details for devices that you plan to enroll in CA MDM. Depending on the device, an enrollment policy defines items that include the device's connection address, device ID, and whether the device uses CA MDM Access Control for . The enrollment policy prompts the user to collect the user information, and adds a device to group management. Enrollment policies are always in a published state. You can edit the policy and can disable or delete its enrollment codes.

Create Enrollment Policy for Android Devices
Create a policy for enrolling Android devices in CA MDM.
Log in to CA MDM Administrator Console, navigate to Policy, New, Enrollment, Android.
Enter the Policy details and Code details on the Summary page.

You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the CA MDM application to support duplicate policy names are compatible with CA MDM 2013Q3 and 2013Q4 servers.
To generate an enrollment code and a date, click Save.
To define a policy for enrolling devices, navigate to the General page and fill in the details.
To populate the groups when the devices enroll, navigate to the Group page. A device receives the group's linked policies. To enroll a device, select a dynamic group. If the device does not meet the group criteria, it is removed from the group.
To select variables to populate during the enrollment, click Add on the Variable page. Users are prompted to enter the variables on the device during the enrollment.

Automatic Naming Data for Android Enrollment Policies
Automatic naming data columns include predefined columns, the user name variable, and any extra user-defined substitution variables. The automatic naming data columns include:
Device Serial Number
Device Sync Name
Device type - concatenation of device OS and platform version.
IMEI/MEID/ESN - IMEI is for GSM devices, MEID for CDMA devices, and serial number for nontelephony devices.
International Mobile Subscriber Identity (IMSI) Number
Telephone Number - blank for nontelephony devices.
UserName - variable. User is prompted for a value during the enrollment. Review the device prompt text and mask on the enrollment policy's Variable page.

Create Enrollment Policy for BlackBerry Devices
Create a policy and an installable CA MDM application for enrolling BlackBerry devices in CA MDM. After you create or edit a policy, download and distribute the application so that users can install it for the enrollment.

Log in to the CA MDM Administrator Console and navigate to Policy, New, Enrollment, BlackBerry.
Enter the Policy details and Code details on the Summary Page.
You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the CA MDM application to support duplicate policy names are compatible with CA MDM 2013Q3 and 2013Q4 servers.
4. To generate an enrollment code and date, click Save.
To define a policy for enrolling devices, navigate to the General page and fill in the details.
Connection Address defines the CA MDM Server address or relay server address. The Address for Client Communication value initially populates the value that you can change in the Server Address, as defined on the Device Communication Page.
Device Connect String defines the Access Point Name value for the CA MDM application. The access point name value is used when connecting to the CA MDM Server. The requirement for using this value can vary by carrier. Some carriers require a password.
Syntax: socket:// [ServerIP:ServerPort];apn=[CarrierAPN];tunnelauthusername=[.
T-Mobile example: socket:// [ServerIP:ServerPort];apn=wap.tmobile.com;tunnelauthusernam does not require user name or password.
Cingular example: socket:// [ServerIP:ServerPort];apn=proxy;tunnelauthusername=[Carrier
5. To populate the groups when the devices enroll, navigate to the Group page. A device receives the group's linked policies. To enroll a device, select a dynamic group. If a device does not meet the group criteria, it is removed from the group.

Create Enrollment Policy for iOS Devices
Create a policy for enrolling iOS devices in CA MDM.
Note: Ensure that you save the changes on all pages.
Log in to the CA MDM Administrator Console and navigate to Policy, New, Enrollment, iOS.

Enter the Policy details and Code details on the Summary page.
You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the CA MDM application to support duplicate policy names are compatible with CA MDM 2013Q3 and 2013Q4 servers.
4. To generate an enrollment code and date, click Save.
To define a policy for enrolling devices, navigate to the General page and fill in the details.
5. Access Control Domain defines the domain node of the address, as a fully qualified domain. Access Control Policy accepts or overrides the enterprise default policy for iOS, as defined on the iOS tab on the Access Control Option page. If you plan to deploy the optional enterprise applications, define a shortcut to the Self-Service Portal for the CA MDM application list.
6. To populate the groups when the devices enroll, navigate to the Group page.
7. A device receives the group's linked policies. To enroll a device, select a dynamic group. If the device does not meet the group criteria, it is removed from the group.
To select any variable that populates during the enrollment, navigate to the Variable page and fill in the details.
The enrollment policy is created for the iOS devices.

Update Enrollment Policy for MDM-First Enrollment
To update an enrollment policy that was created in a previous version of CA MDM to support MDM-first enrollment for iOS 7 devices, open the policy in CA MDM 2013Q4. When you open the enrollment policy, CA MDM generates an MDM-first enrollment URL for the policy.
Log in to CA MDM Administrator Console, navigate to Policy, and select the enrollment policy.
Click Edit.
Click Save to update the database with the enrollment policy.

Create Enrollment Policy for Windows
Create a policy and CA MDM application for enrolling the following devices in CA MDM:
Windows Vista, Windows 2008, or Windows 7.

Windows XP or 2003 devices.
Once you create or edit a policy, download and distribute the application so that users can install it for the enrollment.
Log in to the CA MDM Administrator Console and navigate to Policy, New, Enrollment, Windows device.
Enter the policy details on the Summary page.
You can specify duplicate policy names across tenants and within a tenant for all policy types. Changes that are made in the CA MDM application to support duplicate policy names are compatible with CA MDM 2013Q3 and 2013Q4 servers.
Enter the following properties on the General page.
Server Address defines the CA MDM Server address or relay server address. The Address for Client Communication value initially populates the value in the server address, as defined on the Device Communication page.
(Optional) Optional Prefix defines a prefix for the name. For example, "Sales ".
(Optional) Data Column allows you to select a data item that concatenates with the prefix for naming the client. The list includes predefined columns, the user name variable, and more user-defined substitution variables you define. For effective searching, create a value for building custom views, or differentiate like-named clients.
4. To populate the groups when the devices enroll, navigate to the Group page. A device receives the group's linked policies. To enroll a device, select a dynamic group. If a device does not meet the group criteria, it is removed from the group.
5. Fill in the details on the Advanced page.
Device Path defines a complete path on the client server. The device path is the default installation path at the client side. The installer can change the path to a nondefault value at installation time.
Device Service (for Windows XP or 2003 devices) allows you to supply credentials for running the CA MDM client as a service. The user interface is not required while running the client as a service, which prevents the program from appearing in the system tray.
If the specified account password changes, create an executable file. To implement the new password, distribute the executable file to your clients.

Note: User Context is an extra setting for Windows Vista, Windows 2008, or Windows 7 devices. The user context is used for the authentication when the CA MDM application is running without a logged-on user.
6. To specify the certificate details for platforms that support device authentication, navigate to the Certificate page.
Note: The certificate file must be in the Personal Information Exchange (PFX) format.
7. Click Download on the Summary page. The application is downloaded.

Create Enrollment Policy for Windows Phone
To enroll a Windows Phone device, create an enrollment policy. The enrollment code URL used to enroll the device is generated automatically based on the enrollment server settings.
Prerequisites
For the device enrollment to work properly, configure a certificate authority server on the Server, Configuration, Certificate Authority page.
Log in to the CA MDM Administrator Console, navigate to Policy, New, Enrollment, Windows Phone Device.
Enter the policy name and a description for the policy on the Summary page. The MDM Enrollment URL that the users use to enroll the device is auto-generated based on the enrollment server settings on the Enrollment Server page. If the enrollment server is not configured, the user sees an error message.
Define the policy for enrolling the devices on the General page.
4. To populate the group, select any groups when devices enroll on the Group page. A device receives the linked policies for a group. If you select a dynamic group, the newly enrolled device is added into the group without any evaluation of the definition criteria of the group.
5. (Optional) On the Variables page, click Add to select any variables to populate during enrollment. Users are prompted on the device during enrollment.
Note: The variable prompts, if configured, appear for user input only if the enrollment happens through the Self-Service portal.

Protect Enrollment Policies
Several layers of security prevent rogue devices from using enrollment codes and policies to enroll in CA MDM. Security includes:
Relay server allows you to use a relay server. The relay server acts like a secure proxy for incoming client connections to your CA MDM Server components.
CA MDM provisioning server allows you to install the provisioning server behind your enterprise firewall and with authentication enabled.
Enrollment code expiration allows you to create enrollment codes with expiration dates. The enrollment code expiration manages the time during which a code is valid.
Self-service portal only flag allows you to create enrollment codes that are valid only when used with the CA MDM Self-Service Portal.
Enrollment code disable allows you to disable an active enrollment code any time you feel it is necessary.

Configure Session Policies
Contents
Configure Bandwidth Throttling
Configure File Compression and File Differencing
Configure Failed Session Cleanup
Configure Authentication and Assignments for Sessions
Configure User-Defined Field

For session policies, CA MDM Administrator lets you define system-wide parameters. The system-wide parameters include bandwidth throttling, file compression, file differencing, failed session cleanup, and session authentication. If you change any values, stop and restart the CA MDM Server for the changes to take effect.
Note: The CA MDM services must be up and running to manage the CA MDM system.

Configure Bandwidth Throttling
To run other network applications more effectively when communicating with the CA MDM Server, configure the bandwidth throttling. The bandwidth throttling increases or decreases the communications rate allowing device users.
Log in to the CA MDM Administrator, navigate to Server, Configuration, Communication, Bandwidth Throttling.
To enable the bandwidth throttling on the server, select Enable bandwidth throttling and its associated settings.
Select a configuration from the drop-down list.
4. To create a configuration, click New.
Using a bandwidth configuration set at 14.6 Kbps, with 10-minute or greater channel delivery segmentation criteria, results in dropped connections.
In Client throughput, specify the minimum and maximum throughput rate by entering numerical values in the fields.
In Throttle down, specify percentages and times by entering numerical values in the Threshold, Wait time, and Percent fields.
Note: If you enter zero in the Percent field, bandwidth throttling never occurs.
7. Click Save.

Configure File Compression and File Differencing
To reduce connection times for sessions that include a file transfer, compress session channel files. Use file differencing to maintain different versions of files that you frequently send to the CA MDM devices. File differencing reduces connection times for sessions that include the stored files.
Log in to the CA MDM Administrator, navigate to Server, Configuration, Communication, Bandwidth Throttling.
Select Compression or File Differencing based on your setting.
Configure and manage the compression and differencing cache.
Notes:
Store your cached files locally to prevent occurrences of network access outages that delete files.

Adding the files to compression and differencing caches can be a slow process.
4. Click Save.

Configure Failed Session Cleanup
Configure automatic cleanup to recover interrupted sessions. To force a channel to restart from the beginning, configure manual cleanup.
Log in to the CA MDM Administrator, navigate to Server, Configuration, Server, Failed Session Cleanup.
4. To set the Automatic Cleanup, enter a value.
If a channel continues to fail, use the Manual Cleanup and click Show List. Select a channel and click Delete.
Note: The channel restarts during the next session.
5. Click Save.

Configure Authentication and Assignments for Sessions
For running session channels with user authentication and group validation security, configure user authentication and user group assignment timeouts. A typical timeout value for both authentication and assignments is 30 days.
Log in to the CA MDM Administrator, navigate to Server, Configuration, Server, Security.
To enable the authentication for session channels, select Enable authentication.
To specify the amount of time the authentication cookie is valid, set the Authentication Timeout and the Auto renew period.
4. To specify the amount of time the user group assignments cookie remains valid, set the Assignment Timeout.
5. Click Save.

Configure User-Defined Field
To define or remove user-defined fields in your CA MDM database, configure the user-defined field.
Log in to the CA MDM Administrator, navigate to Server, Configuration, Server, User-Defined Field.
Click Add column.
Enter the column name and select the type for the User-Defined Column, and click OK.
To delete a user-defined field, select a field and click Delete selected column.
Click Save.

Customize App Store Application
Contents
iOS Home Branding Element Map
iOS About Branding Element Map
Language Localization and Branding on the CA MDM iOS Application

Download the CA MDM application from the Apple App Store, and customize it with your own corporate brand. You can use custom elements such as a background image, logo, and text.
Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, iOS Branding.
Select the default text or enter the custom text for enterprise branding. The text that you enter appears on the CA MDM application info page on the device. The entered text is common for all iOS device types and must be specified only once.
4. (Optional) Click Language Option to define the text in other languages. Select the device type for the Splash Screen text label.
5. Select the default or custom image option (.JPG or .png) for portrait and landscape image formats.
6. (Optional) Click Browse and select the custom branding image.
Note: On an iPad, the browse option works only when the file system is supported on iOS devices.

7. Click Save.
The new or the updated branding appears on the device when you open the CA MDM application.

iOS Home Branding Element Map
The Branding elements on the Home Branding diagram map to elements on the Apple App Store CA MDM Administrator Console.
1 - title.
2 - Logo.
3 - (Optional) Displays the text and text color.
4 - text color.
5 - background image in portrait mode.
NA - background image in landscape mode.

iOS About Branding Element Map
The Branding elements on the About Branding diagram map to elements on the Apple App Store CA MDM Administrator Console.

1 - title.
2 - Logo.
3 - (Optional) Displays the text and text color.
4 - background image in portrait mode.
NA - background image in portrait mode.

Language Localization and Branding on the CA MDM iOS Application
The appearance of the text on the CA MDM application info page depends upon:
The settings that you use on the associated iOS Branding page.
The languages that are supported on the device.
The regional settings on the device.
The Language Option link on the iOS branding page opens the multiple languages branding dialog. You can define the branding text for supported languages on this dialog. To access the multiple languages branding dialog, click the Languages link on the Home Branding and About Branding pages.
Localization and branding page settings:
Default text, without a language branding: specifies the devices that use a regional setting for a supported language. The text is localized with system-localized content. For the devices using a regional setting for an unsupported language, the text is in English.

Custom text, without a language branding - displays a custom text on all iOS devices, regardless of the regional setting.

Default or custom text, with a language branding - specifies the devices that you use as a regional setting for a language that has a defined text. The text appears as defined in the multiple languages branding dialog.

Server

The CA MDM server is the central point for all CA MDM operations. The operations include viewing logs and dashboards, managing roles and alerts, and configuring all server properties.

Configure Outbound Notifications
Configure Security
Create and Manage Tenants
Manage Schedules
Manage Server List View
Enable and Manage Logging
Configure Google Cloud Messaging Service
Deploy and Configure GetUI
Define and Manage Access Control Policies
Manage User Roles

Configure Outbound Notifications

To prevent the CA MDM Server from being flooded with incoming sessions, set the flood control level. To control whether devices are renotified and the maximum number of retries, enable the notification retries.

1. Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Server, Outbound Notification.
2. Set the values under the Flood control section.
3. Select Enable Notification Retries, and set the values for Notification Retries.
4. Click Save.

If there is a failed outbound notification, the pop-up message does not indicate an error. To see the actual status of the outbound message, verify the server message logs.

Configure Security

Contents

Configure NT Domain
Configure LDAP
Configure Active Directory

Use the Security property page to perform the following actions:
To configure NT, LDAP, or Active Directory user authentication.
To set timeout values for user authentication and user group assignments.
To specify whether to approve new and enrolling clients.

To enable the highest security level in LDAP or Active Directory environments, enable both authentication and SSL. When you enable SSL on the Security property page, you enable SSL for LDAP-supported or Active Directory authentication and assignments. SSL is not enabled for the NT domains.

To support user authentication and assignments, configure NT, LDAP domain settings that are based on your requirements.

Configure NT Domain

To support user authentication and assignments, configure NT domain settings.

1. Log in to the CA MDM Administrator, and navigate to Server, Configuration, Server, Security.
2. Click Automatically approve new device. The approved devices, when connected to the CA MDM Server, receive group profiles and system files.
3. Select NT Domain as the directory type.
4. Enter the value for Directory Settings. If you use NT for authentication and assignments, change the NT domain. If you did not specify any domain when you installed the server, users automatically authenticate against the local computer. Separate multiple domains with commas.
5. Select Enable Authentication. The Authentication Timeout is used for the cookie validity. The Auto renew period is used for cookie renewal for either NT or SSL communication between your server and devices.
6. Enter the value for Assignment Timeout. The Assignment value specifies the length of time that user-group-assignment cookies remain valid.

7. Click Save.

Configure LDAP

To support user authentication and assignments, configure LDAP domain settings.

1. Log in to the CA MDM Administrator, and navigate to Server, Configuration, Server, Security.
2. Enable Automatically approve new device.
3. Select LDAP-based as the directory type.
4. Enter the details for DirectoryType.
5. Enter the LDAP property in the Common Name Attribute. The LDAP property provides the identity of the certificate. If the Certificate Common Name of a user is different from the authenticated username, the administrator specifies the LDAP Property. The common name of the retrieved certificate is set to the queried value.
6. Select Enable Authentication. The Authentication Timeout is used for the cookie validity. The Auto renew period is used for cookie renewal for either NT or SSL communication between your server and devices.
7. Enter the value for Assignment Timeout. The Assignment value specifies the length of time that user-group-assignment cookies remain valid.
8. Click Save.

Configure Active Directory

To support user authentication and assignments, configure Active Directory (AD) domain settings.

1. Log in to the CA MDM Administrator, and navigate to Server, Configuration, Server, Security.
2. Enable Automatically approve new device. When the approved devices connect to the CA MDM Server, they receive group profiles and system files.
3. Select Active Directory as the directory type.

4. Enter the values for Directory Settings.
Notes:
Users added to the AD Users container are not displayed when you view the members from the Group editor. However, policies that are assigned to implicit users are deployed successfully.
Deleting a user from AD does not disable the user in the groups list. The AD monitor only receives notifications that users have been deleted when they have been disabled.
You cannot add the nondefault class name for users or user name attributes to the default selection list.
If the directory server changes, the existing groups with the assigned users cannot be removed. The users must be removed manually.
5. (Optional) Select the Remove devices from the management when the user is disabled from Active Directory.
6. Select Enable Authentication. The Authentication Timeout is used for the cookie validity. The Auto renew period is used for cookie renewal for either NT or SSL communication between your server and devices.
7. Enter the value for Assignment Timeout. The Assignment value specifies the length of time that user-group-assignment cookies remain valid.
8. Click Save.

Note: To monitor the changes in the Active Directory object data using DirSync control, enable the Replicating Directory Changes permission. Enable the Replicating Directory Changes permission on the domain naming context. To grant the Replicating Directory Changes permission to a user account or group, modify the permissions on the directory partition object.

Create and Manage Tenants

A tenant is an entity that you associate with a subset of the device base and its related operations and assets. Tenants let you separate devices and operations for different hosting customers, enterprise divisions, or other entities.

In CA MDM, you have a predefined system tenant and nonsystem tenants.

System tenant - defines a predefined tenant with a name that matches the server name. The System tenant is the only tenant, and is valid for devices, groups, policies, server configuration, and all operations. Its policies are shared across all other defined tenants. You can use system tenant policies but cannot edit system tenant policies.

Non-system tenant - The nonsystem tenants are valid tenants for devices, groups, policies, some server configuration, and all operations. They have access to a limited set of server configuration properties. They rely on system tenant configuration settings for all other configuration properties.

The tenant has the following status:
Enabled - displays connected and managed devices. The CA MDM Administrator console users operate and support the tenant.
Disabled - displays connected devices but with no extra management. However, the existing data remains accessible to a CA MDM Administrator user.

You can add, delete, and disable a tenant.

Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Server, Tenant.
To establish an entity for associated devices, groups, and policies, click New to add a tenant.
To prevent devices from running sessions for a tenant but preserve all the existing data of a tenant, click Disable. The tenant is disabled.
To remove the record from your system, click Delete to delete a tenant.
Click Save.

Select a Tenant

When multiple tenants are defined, select a tenant to change the tenant context for the configuration and management. If the system has only the system tenant, then it appears on the CA MDM Administrator Console. The system tenant is the default tenant for all operations.

The tenant list is cached when you start a session. If an administrator changes the list during a session, other administrators do not see the change until their next session.

Click the Tenant selector list on the CA MDM Administrator Console. The tenant list is displayed.
Select a tenant.
Note: The tenant selection persists until you change it.

Manage Schedules

Schedules enable you to set specific tasks. The schedules perform the following actions:
Update channel content or refresh dynamic groups.
Perform the schedules automatically at specific times, days, and for a specified length of time.

Without changing the normal run time of a schedule, you can change the schedule settings. The settings include editing a schedule, enabling or disabling schedules, and manually running a schedule.

Note: For each individual schedule, the following settings can be changed:
Start and end times of each schedule.
The time period of a running schedule.
If the schedule fails, then retry and run the schedule.

1. Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Server, Schedule.
2. Select a schedule.
3. To edit, enable, disable, or run a schedule, perform one of the following appropriate actions:
To edit, click the Edit Connection rule tab.
To enable or disable a schedule, click the Enable or Disable tab.
To run a schedule, click the Run Now tab. The selected schedule runs, and the Last Run column is updated.

Manage Server List View

To allow or disallow the server selection in the CA MDM Administrator server list, show or hide a server. For example, hide a server that you want to take down for maintenance.

Note: You cannot hide the master server.

Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Server, Server Farm.

Select a server and click Edit.
Select Visible or Hidden and click Save.
The server list view is managed.

Enable and Manage Logging

Configure the type, detail level, and cleanup frequency for CA MDM Server-side logging.
Configure the CA MDM Server-side logging options by type and detail level. By default, all logs are enabled.
Specify the cleanup frequency for server-side logs.

1. Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Server, Log Option.
2. To disable logging options, click Disable every log below.
3. To enable log types, select the log types and click Save.
4. To specify the cleanup frequency for server-side logs, perform the following steps:
a. Select Log Cleanup on the Server page.
b. Enable or disable cleanup for individual log types.
c. To reset all options, click Reset to defaults.
d. Click Save.
The logs are now managed and enabled.

Configure Google Cloud Messaging Service

Use Google Cloud Messaging (GCM) to reduce the SMS data usage and simplify the CA MDM implementation for Android devices. To use GCM, the devices must have an active Google account. To get started with GCM, refer to the Google Developer website.

To use GCM messaging as an alternative to SMS-based notifications, configure the CA MDM Server.

Prerequisites
Obtain the required application Project ID and API key from Google. For more details on obtaining a Google Project ID and API key, refer to the Google Developer website.

Ensure that you have a Gmail account that is created on behalf of your organization.

Log in to the CA MDM Administrator, navigate to Server, Configuration, Component, GCM Server, and select Enable GCM.
Enter the server address, as defined by Google. If you select the Reset to default link, the valid URL for GCM is populated.
Enter the GCM Project ID and GCM API key.
Click Save.
Restart the CA MDM Server service.
Connect the devices manually.

For new devices, create an enrollment policy with GCM enabled. When the user enters the enrollment code on the device, the enrollment policy using GCM is applied.
When an existing device connects, the configuration policy containing the new GCM information is pushed to the device. Then, the device is registered with GCM and the CA MDM Server is updated with the new Device ID.

Deploy and Configure GetUI

CA MDM supports the GetUI Push Notification Service for Android devices in addition to the Google Cloud Messaging service.

Deploy the GETUIPushNotificationGateway on an IIS web server.

1. Extract the GETUIPushNotificationGateway folder and copy it to the Inetpub\wwwroot directory.
2. Navigate to Start, Internet Information Service (IIS) Manager, and expand the localhost.
3. To change the .NET Framework Version, perform the following steps:
a. Select Application Pools, and click Set Application Pool Defaults under the Actions pane. The Application Pool Defaults window appears.
b. Under the General category, select v4.0 .NET Framework Version from the drop-down list.
Note: If the .NET Framework Version v4.0 is not available, then install it.
c. Click OK.

4. Expand Sites, Default Web Site under the Connection pane.
5. Right-click the GetUI-deploy directory, and select Convert to Application. The Add Application window appears and the alias name and the physical directory path are prepopulated.
6. Click OK.
7. To verify the .NET Framework version, perform the following steps:
a. Right-click the application, and navigate to Manage Application, Advanced Settings.
b. Under the General category, select the application pool from the drop-down list.
c. Verify that the .NET Framework version is v4.0 under the Properties section.
8. Click Browse Application under the Actions pane. The application opens in the browser.

Configure GetUI

Once you have deployed the GETUIPushNotificationGateway, configure the Server Address and GCM Project ID in the CA MDM Server.

Log in to the CA MDM Administrator, and navigate to Server, Configuration, Component, GCM Server.
Enter the values in the following fields:
Server Address - defines the GetUI proxy web application address. For example, GETUI Server Agent domain name}/getuiagent.
GCM Project ID - GETUI
The GetUI Agent Proxy is configured.
Enable the GetUI Project ID while creating an enrollment policy.

Define and Manage Access Control Policies

Contents
Define Access Control Policy for Android
Define Access Control Policy for iOS
Define an Access Control Policy for Windows Phone
Define Access Control Policy for Unknown Devices
Define Access Control Policy to Block or Allow by Group

Define Remediation Policy for Android
Define Remediation Policy for iOS
Define a Remediation Policy for Windows Phone
Bring Android Devices Back in Compliance
Access Control Policy Conflict Resolution
Access Control Device List
Manually Add a Device for Access Control
View Access Control Information of a Device
Edit Device Information of an iOS Device
Manually Manage Domain for Access Control
Exchange Environment Unique Device ID Value
Configure Application of Android Devices While Using Access Control Policy
Required Formats for Android Devices
Build Database of Known Android Devices
Change Access Control Policy for a Device
End-User Access Control Policy Notification

To control access rights to a particular group, use access control policies. The Access Control Policies define default synchronization policies, by device type or by group. These policies apply both to the devices that synchronize with your enterprise and to the devices that CA MDM does not manage.

Define Access Control Policy for Android

To manage the synchronization for the Android devices that enroll or reenroll in CA MDM, define a default access control policy. When both group policies and device type policies are defined, the most restrictive policy prevails.

To use CA MDM access control to manage on an Android device, configure the Exchange account through CA MDM. from unmanaged accounts is blocked by default. For other devices, use the appropriate LG or Samsung SAFE Exchange account configuration policy.

Changing the default policy impacts only newly enrolling or reenrolling devices. CA MDM does not retroactively apply a change to previously enrolled devices.

Log in to CA MDM Administrator Console, and navigate to Server, Configuration, Component, Access Control Option, Access Policy.
Select the Android tab and define the following access policy action parameters:
Always allow - allows the synchronization requests always.
Always block - blocks the synchronization requests always.
Allow when:
Administrator setting enabled - allows the synchronization only when CA MDM is installed on the device with CA MDM administrator privileges activated.
Password policy enabled - allows the synchronization only when the user ignores password prompt a few times while connecting to CA MDM on the device.
Device not compromised - allows the synchronization only when the most recent connection of a device did not report the status of a device as rooted.
Device connected within - allows the synchronization only when the device is connected within the number of days and hours specified.

Define Access Control Policy for iOS

To manage the synchronization for iOS devices that enroll or reenroll in CA MDM, define a default access control policy.

Prioritize the access control policies in the following order:
a. Group-level policy
b. Device-level policy
c. Server-level policy

Log in to CA MDM Administrator Console, and navigate to Server, Configuration, Component, Access Control Option, Access Policy.
Select the iOS tab and define the following access policy action parameters:
Always allow - allows the synchronization requests always.
Always block - blocks the synchronization requests always.
Allow when:
Administered by mobile device management - The device is under CA MDM iOS mobile device management (MDM) control.

CA MDM installed and device connected within - CA MDM is installed on the device and the device is connected within the number of days and specified hours. If the CA MDM application is removed from the device, then the access is blocked.
Assigned policy delivered within - The assigned policies are reported to CA MDM Server as delivered and installed on the device within the number of days and specified hours, and as verified in the Policy Delivery log.
Device hardware encrypted - The device has the hardware encryption feature enabled.
Device uncompromised - The most recent connection of a device did not report the status of a device as jailbroken.

Define an Access Control Policy for Windows Phone

To manage synchronization for Windows Phone devices that enroll or reenroll, define a default access control policy. When both group policies and device type policies are defined, the most restrictive policy prevails.

Note: If an is configured through the CA MDM configuration policy, you can manage Access Control policy for Windows Phone devices.

Changing the default policy impacts only newly enrolling or reenrolling devices. CA MDM does not retroactively apply a change to previously enrolled devices.

Log in to CA MDM Administrator Console, and navigate to Server, Configuration, Component, Access Control Option, Access Policy.
Select the Windows Phone tab and define the following access policy action parameters:
Always allow - allows the synchronization requests always.
Always block - blocks the synchronization requests always.
Allow when:
Administered by mobile device management - allows synchronization requests when the device is under CA MDM Windows Phone mobile device management (MDM) control.
Allow when connected within time frame - allows synchronization requests when the most recent connection of a device occurred within the defined time frame.

Define Access Control Policy for Unknown Devices

To manage the synchronization for devices that are not enrolled in CA MDM, define a default access control policy for a local . You are advised to define an unknown device policy for each domain that your server manages.

Note: For the cloud implementation on unknown devices, the connection is rejected.

1. Log in to CA MDM Administrator Console, and navigate to Server, Configuration, Component, Access Control Option, Access Policy.
2. Select the Unknown tab and click Add to define unknown device properties.
3. Enter the of server domain.
4. Select the default policy for that domain.
5. Define the interval at which the CA MDM ISAPI filter queries CA MDM Server for a list of known devices and policies.
6. In the inline editor row, click the Check icon to save the changes.
The access control policy for unknown devices is defined on the Access Policy, Unknown page.

Define Access Control Policy to Block or Allow by Group

To allow or block the synchronization requests by a group, create a group-specific policy. If you create policies that conflict for a device, the most restrictive policy prevails.

Blocking and allowing by groups lets you:
Block the devices that do not meet some criteria.
Allow the devices that meet some criteria.

You define the dynamic group with your criteria to use with this feature.

The timing of when a group policy goes into effect on a device depends upon the following points:
The frequency of the Dynamic Group Refresh schedule.
Access control polling interval.
Device inventory reporting.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Access Control Option, and select the Groups tab.
2. (Optional) For blocking specific groups, in the block area: Select a group in the available list and, to move the group to the selected list, click the Arrow icon.
3. (Optional) For allowing groups, in the allow area: Click Enable, select a group, and, to move the group to the selected list, click the Arrow icon. All groups are blocked except for the selected groups.
4. Click Save. A server restart is not required.

Define Remediation Policy for Android

Define the remediation policy and remediation actions for an Android device that goes out of compliance.

CA MDM Administrator uses remediation policies to define:
The conditions under which a device is considered to be noncompliant with one or more MDM policies.
The corrective actions that the server takes when a device is reported as noncompliant.

1. Log in to CA MDM Administrator, navigate to Server, Configuration, Component, Access Control Option, and select the Remediation Policy.
2. Select the Android tab and select the parameters for the Remediation Policy, Remediation Action, and Re-compliant Message Settings parameters.
The remediation policy and remediation actions are defined on the Android device.

Define Remediation Policy for iOS

Define the remediation policy and remediation actions for an iOS device that goes out of compliance.

CA MDM Administrator uses remediation policies to define:
The conditions under which a device is considered to be noncompliant with one or more MDM policies.
The corrective actions that the server takes when a device is reported as noncompliant.

1. Log in to CA MDM Administrator, navigate to Server, Configuration, Component, Access Control Option, and select the Remediation Policy.
2. Select the iOS tab and select the parameters for the Remediation Policy, Remediation Action, and Re-compliant Message Settings parameters.
The remediation policy and remediation actions are defined on an iOS device.

Define a Remediation Policy for Windows Phone

Define the remediation policy and remediation actions for a Windows Phone device that goes out of compliance.

The remediation policies define the following points:
The conditions under which a device is considered to be noncompliant with one or more MDM policies.
The corrective actions that the server takes when a device is reported as noncompliant.

1. Log in to CA MDM Administrator, navigate to Server, Configuration, Component, Access Control Option, and select the Remediation Policy.
2. Select the iOS tab and select the parameters for the Remediation Policy and Remediation Action parameters.

Bring Android Devices Back in Compliance

The remediation is caused when the user removes the administrator rights of the CA MDM application. Until the user enables administrator rights, the CA MDM administrator cannot manage the device effectively.

To bring the device back in compliance, enable the administrator settings, password settings, and remediation policy on a device.

Access Control Policy Conflict Resolution

When a device is subject to more than one access control policy, the most restrictive policy prevails.

Example: If an Android device is subject to a default policy, then the device is blocked from synchronizing with the server.
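The conflict rule above, modelled for an Android device that is subject to both a device-type policy and a group policy. This is an added example, not CA MDM code: the class and field names are hypothetical, and it assumes that every selected Allow when condition must hold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Device:
    """State an Android device last reported (hypothetical field names)."""
    admin_enabled: bool
    password_policy_enabled: bool
    compromised: bool              # last connection reported the device as rooted
    last_connected: datetime
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class TypePolicy:
    """Device-type policy: Always allow, Always block, or Allow when."""
    mode: str = "allow_when"       # "always_allow" | "always_block" | "allow_when"
    require_admin: bool = False
    require_password_policy: bool = False
    require_not_compromised: bool = False
    connected_within: Optional[timedelta] = None


@dataclass(frozen=True)
class GroupPolicy:
    """Group policy: blocked groups, plus an optional allow list."""
    blocked: frozenset = frozenset()
    allow_enabled: bool = False    # when set, every group outside `allowed` is blocked
    allowed: frozenset = frozenset()


def type_policy_reasons(dev, pol, now):
    """Reasons the device-type policy blocks the device; an empty list means allow."""
    if pol.mode == "always_allow":
        return []
    if pol.mode == "always_block":
        return ["device type policy is Always block"]
    if pol.mode != "allow_when":
        raise ValueError(f"unknown policy mode: {pol.mode!r}")  # fail closed
    reasons = []
    # Assumption: all selected Allow when conditions must hold together.
    if pol.require_admin and not dev.admin_enabled:
        reasons.append("administrator setting not enabled")
    if pol.require_password_policy and not dev.password_policy_enabled:
        reasons.append("password policy not enabled")
    if pol.require_not_compromised and dev.compromised:
        reasons.append("device reported as rooted")
    if pol.connected_within is not None and now - dev.last_connected > pol.connected_within:
        reasons.append("device not connected within the allowed period")
    return reasons


def group_policy_reasons(dev, pol):
    """Reasons the group policy blocks the device; an empty list means allow."""
    reasons = []
    hit = dev.groups & pol.blocked
    if hit:
        reasons.append("member of blocked group: " + ", ".join(sorted(hit)))
    if pol.allow_enabled and not (dev.groups & pol.allowed):
        reasons.append("not a member of any allowed group")
    return reasons


def evaluate(dev, type_pol, group_pol, now):
    """Most restrictive policy prevails: a block from either policy blocks the device."""
    reasons = type_policy_reasons(dev, type_pol, now) + group_policy_reasons(dev, group_pol)
    return ("block" if reasons else "allow"), reasons


# Constructed sample data for illustration.
NOW = datetime(2014, 3, 1, 12, 0)
DEFAULT_POLICY = TypePolicy(require_admin=True, require_not_compromised=True,
                            connected_within=timedelta(days=7))
GROUPS = GroupPolicy(blocked=frozenset({"quarantine"}))

if __name__ == "__main__":
    healthy = Device(True, True, False, NOW - timedelta(days=1), frozenset({"sales"}))
    flagged = Device(True, True, False, NOW - timedelta(days=1),
                     frozenset({"sales", "quarantine"}))
    for name, dev in (("healthy", healthy), ("flagged", flagged)):
        print(name, evaluate(dev, DEFAULT_POLICY, GROUPS, NOW))
```

Returning the reasons alongside the decision makes it possible to see which policy blocked a device when several apply.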

Access Control Device List

Depending on the device type, CA MDM displays access control devices and their policy assignments in different locations of the user interface. The Assignment locations include for Android and iOS devices.

For the Android devices, navigate to Server, Configuration, Component, Access Control Option, and select Devices. The device list displays CA MDM devices and access controlled white list devices. CA MDM Server populates this list only after the connecting devices are assigned the synchronization policy. Therefore, entries are added or removed as each CA MDM device connects and receives its synchronization policy assignment.

Note: When an Android or iOS device does not contain a known ActiveSync ID or an Exchange User ID, Access Control ID displays the value NOT_EXCHANGE followed by the client GUID.

For the iOS devices, navigate to Server, Configuration, Component, Access Control Option, and select Devices. The device types list displays the last retrieved information from devices.

Manually Add a Device for Access Control

For the unmanaged Android devices, manually add a device for access control. For iOS devices, to add devices for access control, enroll the devices and define the enrollment policy. You can also manually edit the device record.

Add a device when:
The device synchronizes with your server but the CA MDM application is not installed.
The CA MDM application is installed on a device and is not connected to the server.

Ensure that the first synchronization request is managed with a nondefault policy.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Access Control Option, and select the Devices tab.
2. Click Add, and enter the device details.
3. Select the operating system of a device.
4. Select an access control policy for the device.

5. Click Save.
A device is added for the access control.

View Access Control Information of a Device

To view access control information for Android and iOS devices, use the Device Inspector.

1. Log in to the CA MDM Administrator Console, navigate to Device, and select a device.
2. Click Show/Hide Inspector.

The Device Inspector displays the following information about access control:
Access control policy that is applicable to the device.
Current access policy state for the device: allowed or blocked.
Device compliance state: whether the device is compliant or not.
Last remediation timestamp for the device.

Edit Device Information of an iOS Device

Edit device information for an iOS device. To edit iOS device information, perform the following steps:
Follow the procedure from the Device Inspector page.
Select an iOS device from the Device page and click the Modify Access Control Policy icon.

1. Log in to the CA MDM Administrator, navigate to Device, and select a device.
2. Click Edit, and edit the data as appropriate.
3. Under the Access Control Policy, click Setup, and specify the access control policy settings for a device.
4. (Optional) If the variable is not on the list, click Add to enter the variable name and value for the current device. The variables on the list are global for the current tenant. The values that you define for the variables are for only the current device.
5. Click Save.

Manually Manage Domain for Access Control

Add, modify, or delete a domain of an Exchange server for access control.

Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Access Control Option, and select the Domains tab.
Click Add, and enter the details for Primary Domain of the tenant, Access Control Policy, Retry Rate (minute), and Accepted Domains.
You can add multiple accepted domains that are separated by a comma. You can add a number of accepted domains. The name of each accepted domain must be fewer than 65 characters in length. The total list of accepted domains, including comma separators, must be less than 2550 characters in length. Exchange servers often host messages for multiple domains.
Notes:
Retry rate is the interval time set for a domain. The retry rate is based on the HTTP client requests that are made to the CA MDM Server. Retry rate lists the devices that are known for that domain with Always allow or Always block status.
Duplicate accepted domains are automatically deleted from the Accepted Domains field when you save the domain information.
4. Click Save.
(Optional) To make domain changes, select the domain to change, then click Edit or Delete.
The domain for access control is now managed.

Exchange Environment Unique Device ID Value

For CA MDM Access Control for the feature in a Microsoft Exchange environment, the Unique Device ID value is the Device ID. The Device ID is stored in the registry of a device. If a device is already connected to the server, you can obtain the value from a device. If the CA MDM client is not installed, CA MDM cannot retrieve the value.

To retrieve the value, use your own method, or follow the listed methods:
To read the value, use a device utility.
Use your Exchange Server ActiveSync Web Administration tool (browser address: <YourExchangeServer>/mobileadmin, is the default location) to run a query and to retrieve the value. Choose the Remote Device Wipe menu option and query. The query returns information about the devices that are associated with the user. Copy the value from the Device ID column and exit the page without any further action.

Configure Application of Android Devices While Using Access Control Policy

Configure an application of Android devices while using an access control policy.

Prerequisites Task
Add the device type to the database.
Know the correct address format.

CA MDM does not identify the incoming Android devices and therefore cannot map the Android default policy to the device. After the Android device is listed in the CA MDM database table, use data from the CA MDM access control filter logs. The CA MDM access control filter logs configure the Android user name property.

1. On the enrolled Android device in the CA MDM, configure the native application. The address format must match the format that the device reported in CA MDM table A_ANDROID_DEVICES when it connects to the environment.
2. To synchronize a device with the server, connect the device.
3. On the server that hosts the CA MDM access control filter, obtain the user name format. The device reports the user name format in the following location: C:\Windows\System32\config\systemprofile\AppData\Roaming\XSISAPI\XSISAPIPipe_Log.txt.
4. Install the CA MDM application on the device.
5. Enroll the device in the CA MDM using an enrollment policy. The enrollment policy includes a user-facing prompt for the device user name. If the Microsoft Exchange user name prompt is not used:
Navigate to the CA MDM application on the device, and select Configuration, Exchange User Name.
Enter the same user name format that is obtained from the XSISAPIPipe_Log.txt file.
6. Connect to the CA MDM database server.
7. To verify that the device is in the list, see the A_ANDROID_DEVICES table.

If the Android device is not listed, repeat the connection to Exchange and to CA MDM. Once the device is listed in the A_ANDROID_DEVICES table, it also appears in the Devices tab of CA MDM Administrator.
8. Connect the device to CA MDM. Navigate to Server, Configuration, Component, Access Control Option. The Android device appears with the correct Device ID and Exchange ID in the Devices tab.

You can now manage the Android devices using separate, per-device policies, rather than having to use the default policy.

Required Formats for Android Devices

For the Android devices, the user name requirement for CA MDM Access Control for varies according to your enterprise environment. Ensure that users enter the information correctly. On the application configuration page of the CA MDM device, the user name must comply with your server requirement.

The format, as observed in the CA MDM table A_ANDROID_DEVICES is: (for the Samsung devices) domain\user (for the Motorola devices)

Build Database of Known Android Devices

To allow CA MDM to map the Android devices for the Android default policy, capture the device type value from the access control filter log. Add this value to the CA MDM database table.

The Android devices use nonstandard device type identifiers. CA MDM does not identify the incoming Android devices. As a result, it cannot determine if the default policy must be applied to the connecting device. Nonstandard device type values include MotoDROID2v451 and htcholiday.

For CA MDM to identify the Android device and add it as an access control device, perform the following task:
Capture the Android device type.
To identify the known Android device type values, add the value to the CA MDM database table.
Use data from the CA MDM access control filter logs to configure the Android user name property.

Based on the local server configuration and manufacturer specifications, the Android devices identify themselves to CA MDM. CA MDM requires extra steps to add the Android devices for access control.

1. On an Android device that is enrolled in the CA MDM, configure the native application.
2. To synchronize a device with the server, connect the device.
3. On the server that hosts the CA MDM access control filter, obtain the device type reported by the device in the following location: C:\Windows\System32\config\systemprofile\AppData\Roaming\XSISAPI\XSISAPIPipe_Log.txt. For example, the device reports itself with a device type value such as TOUCHDOWN, MotoDROID2v451, or htcholiday. A sample entry from the XSISAPIPipe_Log.txt file is:
   :43 Responding '2' to request: ID=' ', USER='domain-name\droid', TYPE='TouchDown'
4. Compare the device type reported in XSISAPIPipe_Log.txt with the device type in the C:\Windows\System32\config\systemprofile\AppData\Roaming\XSISAPI\Devices.xml file. If the device type is in the Devices.xml file, Access Control manages the Android device and no further action is required.
5. To add a device type that is reported in XSISAPIPipe_Log.txt, use the database management console. Open the A_CONFIGURATION_PROPERTY table and update the ISAPIAndroidDeviceTypes row.
6. Restart the CA MDM service.

CA MDM Server updates the devices list according to the polling period defined on the Access Control Option page. Ensure that the new device type is included in the devices list.

Change Access Control Policy for a Device

For the Android devices, change the synchronization policy of a device to affect its next synchronization. For iOS devices, change the policy by editing its device record.

1. Log in to CA MDM Administrator Console, navigate to Server, Configuration, Component, Access Control Option, and select the Devices tab.
2. Select one or more devices on the managed device list, and click Edit.
3. Select the new policy and click Save.

(Android) For the devices changing from a blocked policy to an allow policy, a device restart is required.
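The two log-reading steps above (obtaining the user name format, and comparing reported device types against the known list) can be scripted. The following is an added example, not CA code: the function names are hypothetical, the log lines are constructed, the known-type list is entered by hand because the layout of Devices.xml is not shown on this page, and case-insensitive matching is an assumption.

```python
import re
from collections import defaultdict

# Entry layout taken from the sample XSISAPIPipe_Log.txt line quoted on this page:
#   Responding '2' to request: ID='...', USER='...', TYPE='...'
ENTRY_RE = re.compile(
    r"Responding\s+'(?P<response>[^']*)'\s+to\s+request:\s*"
    r"ID='(?P<device_id>[^']*)',\s*USER='(?P<user>[^']*)',\s*"
    r"TYPE='(?P<device_type>[^']*)'"
)


def parse_entries(lines):
    """Return one dict per log line that matches the filter-log entry layout."""
    entries = []
    for line in lines:
        match = ENTRY_RE.search(line)
        if match:
            entries.append({k: v.strip() for k, v in match.groupdict().items()})
    return entries


def user_name_format(user):
    """Classify a reported user name; only domain\\user is documented on the page."""
    return "domain\\user" if "\\" in user else "other"


def unknown_device_types(entries, known_types):
    """Map each reported TYPE that is missing from known_types to its users.

    Assumption: matching ignores case, because the page writes the same
    device type both as TOUCHDOWN and as TouchDown.
    """
    known = {t.casefold() for t in known_types}
    missing = defaultdict(set)
    for entry in entries:
        if entry["device_type"].casefold() not in known:
            missing[entry["device_type"]].add(entry["user"])
    return {t: sorted(users) for t, users in sorted(missing.items())}


def user_formats_by_type(entries):
    """Map each reported TYPE to the user-name formats seen for it."""
    formats = defaultdict(set)
    for entry in entries:
        formats[entry["device_type"]].add(user_name_format(entry["user"]))
    return {t: sorted(f) for t, f in sorted(formats.items())}


# Constructed sample lines: timestamps, IDs and user names are made up.
SAMPLE_LOG = [
    r"2014-01-01 09:15:43 Responding '2' to request: ID='EXAMPLE-ID-1', USER='domain-name\droid', TYPE='TouchDown'",
    r"2014-01-01 09:16:02 Responding '2' to request: ID='EXAMPLE-ID-2', USER='domain-name\alice', TYPE='MotoDROID2v451'",
    r"2014-01-01 09:17:10 Responding '2' to request: ID='EXAMPLE-ID-3', USER='bob', TYPE='htcholiday'",
    r"2014-01-01 09:18:55 Responding '2' to request: ID='EXAMPLE-ID-4', USER='domain-name\carol', TYPE='MotoDROID2v451'",
    "2014-01-01 09:20:00 unrelated line that does not match the entry layout",
]

# Constructed: the device types an administrator copied by hand from Devices.xml.
KNOWN_TYPES = ["TOUCHDOWN"]

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for dev_type, users in unknown_device_types(parsed, KNOWN_TYPES).items():
        print(f"not in known list: {dev_type} (reported by {', '.join(users)})")
    for dev_type, formats in user_formats_by_type(parsed).items():
        print(f"{dev_type}: user name format(s) {', '.join(formats)}")
```

Device types reported as missing are the candidates for the ISAPIAndroidDeviceTypes row; the per-type user name format is what users must enter on the device.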

End-User Access Control Policy Notification

Notify your access control device users about their synchronization policy assignment. If a device is not under compliance, establish the following points:
- An understanding about complying with policy requirements.
- Corrective action when device-denied behavior occurs during synchronization.

Manage User Roles

Contents:
- Permissions
- Device, Groups, and Policy Permissions
- Data Views Permissions
- Device Inspector Tabs Permissions
- Remote Actions on Devices Permissions
- Server Actions Permissions
- Server Pages Permissions
- Server Configuration Pages Permissions
- View the Server Roles
- Add or Edit User Role
- Log in as Added User

The CA MDM Administrator application uses role management to control access to the application and its individual features and tenants. By default, only the user who installed the product can log in to CA MDM Administrator. If you are in a different user context, the application prompts you to install the appropriate user credentials.

If you are using Microsoft Active Directory or Microsoft Windows NT Server, select a predefined user role from the CA MDM Administrator Console Role Selection page. The following types of role are available:

Administrators: Defines the role for performing various administrative tasks and policies, including role assignments, and adding and removing servers. By default, the Administrators role allows unrestricted access to the server.

Help Desk: Defines the role for server operations, such as for individuals who perform administrative operations and provide support for users.

Note: If your role is defined in CA MDM Administrator, you can edit the predefined roles or add new roles.

Permissions

Permissions determine the information and functionality that roles can access in CA MDM. If an administrator's role does not allow access to a piece of information or functionality, CA MDM Administrator does not display it for that administrator.

Device, Groups, and Policy Permissions

The Device, Groups, and Policy permissions determine which information roles can view and which actions roles can perform on devices, groups, and policies in the CA MDM Administrator console.

Permission: Description
Create: The Create permission allows the role to create groups and policies.
Dashboard: The Dashboard permission allows the role to view dashboards in the CA MDM Administrator console.
Delete: The Delete permission allows the role to remove devices, groups, and policies from the CA MDM Administrator console.
Link View: The Link View permission allows the role to load, filter, sort, and link or unlink devices, groups, or policies in the link panel on pages in CA MDM Administrator Console. For example, when a role includes the Link View permission for Policy, the role can access the policy grid in the link panel on the Group page and on the Device page.
List View: The List View permission allows the role to view the list view on the Device, Group, and Policy pages.
Update: The Update permission allows the role to edit devices, groups, and policies.

Data Views Permissions

The Data View permissions determine which data views and logs a role can access in the CA MDM Administrator console.

Permission: Description
Select: The Select permission allows the role to select the data views that CA MDM displays on the Device and Server log pages. The role can select data views from the list of existing data views.
Update: The Update permission allows the role to create new data views.

Device Inspector Tabs Permissions

The Device Inspector Tabs permissions determine which information roles can view in the Device Inspector in CA MDM Administrator Console.

Permission: Description
View: The View permission allows the role to see the tabs in the Device Inspector that contain inventory information and log files.

Remote Actions on Devices Permissions

The Remote Actions on Devices permissions determine which actions roles can perform on devices in CA MDM Administrator Console.

Permission: Description
Access: The Access permission allows users to perform remote actions on devices.

Server Actions Permissions

The Server Actions permissions determine which actions roles can perform on servers in CA MDM Administrator Console.

Permission: Description
Access: The Access permission allows the role to perform actions on servers.

Server Pages Permissions

The Server Pages permissions determine which information roles can view and which settings roles can edit on the server pages in CA MDM Administrator Console.

Note: The View permission for Configuration must be selected for the Server Configuration Pages permissions to apply.

Permission: Description
View: The View permission allows the role to view server pages in the CA MDM Administrator Console.
Update: The Update permission allows the role to configure alerts and roles.

Server Configuration Pages Permissions

The Server Configuration Pages permissions determine which information roles can view and which configuration settings roles can edit in CA MDM Administrator Console.

Note: The Server Configuration Pages permissions apply only if the View permission is selected for Configuration in the Server Pages permissions. If the View permission is selected for Configuration in the Server Pages permissions, the server configuration pages are visible to the role.

Permission: Description
View: The View permission allows the role to view server configuration pages.
Update: The Update permission allows the role to edit the server configuration.

View the Server Roles

A server role controls the access permissions for different tenants and users. To view the server roles, follow these steps.

1. Log in to CA MDM Administrator Console, navigate to Server, and select Role.
2. (Optional) To inspect the details of a role, select the role and then click Edit.

Add or Edit User Role

To define the features and tenants of a role and to assign users to the role, add or edit a user role.

Log in to CA MDM Administrator Console, navigate to Server, and click Role.

4. To add or select an existing role, click Add. To edit a role, click Edit and enter the role properties in the Role tab. To select or specify tenants, click the Tenants tab.
   Note: Every CA MDM installation has a default system tenant, but you can create more tenants.
5. To assign the directories, click the Assignments tab.
6. To exclude users within a group, select the group, and click Excluded in next expansion, Reload List.
   Note: If MicrosoftWindowsNT is used in your environment, then the filter for next expansion text box does not appear.
   Notes:
   - Add a user or group by navigating to the directory and selecting the user or group from the assignments tree.
   - Add a user or group by entering a description for the group or user for the Role panel. For example, use DomainName\GroupName for a group and UserName@Domain for a user.
7. Click Save.

Log in as Added User

Logging in as an added user provides access to the dashboard, that is, the Administrator console. To log in as an added user, use your Windows user credentials.

1. Log in to the CA MDM, using your Windows user credentials. You can switch your user context by using the Logon As User feature.
2. Click Logon As User from the CA MDM Administrator Console.
3. Supply your Windows user credentials and click OK.

The default page opens with content appropriate for your user role. Your user context appears on the banner.

Application Onboarding

Users can enroll their own devices using the Self-Service Portal. During onboarding, the user authenticates to prove their identity and record the custody of the device. For commercial or enterprise applications for iOS and Android devices, CA MDM can provision data and certificates to facilitate onboarding.

Data provisioning: CA MDM delivers application configuration data as needed, such as for connectivity or operations.
Certificate provisioning: CA MDM delivers a certificate to a device as needed, such as for user authentication.

Data Provisioning for iOS and Android Applications

Create an iOS or Android enterprise or commercial application package that includes configuration data for the application onboarding.

1. Log in to the CA MDM Administrator Console, navigate to Policy, and review the policy list.
2. Click New, Application, and the application type.
3. Enter the policy details.
   Note: Connecting devices receive only published policies.
4. Click Configuration, and type or import your application seeding configuration data. Importing a file overwrites the content in the data field. If you edit the file in the CA MDM Administrator interface, it is stored in UTF-8 format. The file is also stored in its original format.
5. Click Edit, Substitution. The substitution list combines predefined and user-defined substitution variables.
6. To select, add, and delete a variable, perform the following actions:
   - To add a substitution variable to the application, click Select.
   - To add a user-defined variable, click Add a new variable.
   - To delete a user-defined variable, click Delete. The user-defined variable and any associated value are deleted from all iOS and Android definitions.

7. Click Save.

Monitoring and Reporting

CA MDM enables the administrator to monitor the detailed hardware and software configuration of each device. This includes information about the device environment, such as the mobile network, roaming, WiFi access, and many other characteristics. This reporting is essential to monitor the compliance status of devices, including whether devices have been rooted or jailbroken. Besides monitoring device status, the administrator can intervene in the event of a lost or stolen device. The administrator can also remove the passcode centrally, as well as unregister the device.

Acknowledge and Manage Alerts

Contents:
- Delete an Alert
- View Pending Alerts
- Create an Alert Definition
- Create Contact for Alerts
- Configure an Alert Response
- View Defined Events
- Create Event for Configuring Alert

Alerts increase the visibility of system events that require your attention. Acknowledge a raised alert to indicate that the alert has been noticed and is being worked on. Acknowledging the alert stops any response that was defined for the alert, such as paging or sending to a contact.

1. Log in to CA MDM Administrator Console, navigate to Server, Alert, and select Raised Alert.
2. Select the alert and click Acknowledge.
3. Click Yes, Continue to acknowledge the alert.

The state of the alert changes from Unacknowledged to Acknowledged.

Delete an Alert

To remove an alert from the list of raised alerts when no further action is required, delete the alert. You can delete either an acknowledged alert or an unacknowledged alert.

1. Log in to CA MDM Administrator Console, navigate to Server, Alert, and select the Raised Alert tab.
2. Select the alert and click Delete.
3. (Optional) Enter the comments about deleting the alert in the Server alert, Delete raised alert dialog, and click OK.

The alert is deleted from the raised alerts list. The deleted alert details are available in the Alerts Log.

View Pending Alerts

View alerts for which at least one associated event has occurred. Alerts having multiple associated events can cause pending alerts.

1. Log in to CA MDM Administrator, navigate to Server, Alert, and select the Pending Alert tab.
2. (Optional) To view the details of a pending alert, select the alert, and click Inspect.

The pending alert details are displayed.

Create an Alert Definition

To define the events and actions that are related to the alert, create an alert.

Prerequisites: Before you create an alert, perform the following tasks:
- Create alert contacts.
- Configure alert response addresses for messages to contacts and for sending the SNMP traps to IP addresses.

No alerts appear on the Raised Alerts page until you have defined and enabled them.

1. Log in to CA MDM Administrator Console, navigate to Server, Alert, and select the Defined Alert tab.
2. Click New and enter the properties of an alert.
3. Enter the values for the following tabs, based on your requirements:
   - Assigned events
   - Alert response
   - Alert threshold
   - Alert response repeat interval
4. Click Save.

The alert definition is created for events and actions.

Create Contact for Alerts

Create a contact who is responsible for handling raised alerts.

1. Log in to CA MDM Administrator, navigate to Server, Alert, Defined Contact.
2. Click New and enter the contact details.
3. Click Save.

Configure an Alert Response

To assign the values for the mail server and for forwarding SNMP traps, configure the alert response. The mail server stores the contacts. You can configure alert responses from any of the following pages: Defined Alert, Defined Event, or Defined Contact.

1. Log in to CA MDM Administrator Console, navigate to Server, Alert.
2. Select Defined Alert, Defined Event, or Defined Contact, and click Configure alert response.
3. Specify a Host Name for the mail server, or enter an IP address for Forwarding SNMP Trap.

4. Click OK.

The alert response is configured successfully.

View Defined Events

View the system-defined and user-defined events on the system. The Defined Events page displays the event details, such as the event name, description, and the component that is associated with the event. A component indicates a general category for grouping events that are based on a functional area of the product.

1. Log in to CA MDM Administrator, navigate to Server, Alert, and select Defined Event. The list of alerts is displayed.
2. (Optional) To view the alert that is associated with an event, select the event and click Inspect assigned alert.

The defined events are displayed.

Create Event for Configuring Alert

To trigger alerts in the system, create custom events. You can define events that work with other system-defined events to trigger an alert on your system. Any event that you define on your server appears as User-defined.

1. Log in to CA MDM Administrator Console, navigate to Server, Alert, and select Defined Events. The list of defined alerts is displayed.
2. Click New and enter the event details. The component field displays User-Defined as the default value. You cannot edit this value.
3. Click Save.

The event is created for configuring the alert.

Channel Administration

Session channels let you perform various scripted tasks on your non-iOS CA MDM devices. Create session channels using the CA MDM Channel Administrator and select them in session policies. In addition to sending and retrieving files, you can perform system tasks. The system tasks include disk maintenance, registry updates, and script execution. You can also use control flow logic to condition the task execution. The device types that are supported are BlackBerry, Windows, and Android.

Contents:
- Create or Edit a Session Manager Channel
- Views Available for Session Manager Channel Editor
- Managing Worklist or Sendlist for a Channel
- Define Event Properties
- Import or Export Events
- Optimizing Channel Sessions

Create or Edit a Session Manager Channel

To provide custom systems-management channels that send and receive data and execute programs, create or edit session channels. The channels run during a session between the device and a server.

To create a channel, click File, New Channel, Session Manager Channel. The wizard guides you through the channel creation process, and then opens the channel editor.

To edit a channel, right-click a channel, and click Edit to open the channel editor.

To deploy a channel to devices, perform the following steps:
a. Publish a channel.
b. Add the channel to a session policy.
c. Link the policy to a group.

Views Available for Session Manager Channel Editor

Contents:
- Assignments View Default View
- Filter the View
- Channels View
- Events View

The Session Manager Channel Editor opens when you create or edit a Session Manager channel. The editor uses a tri-pane window view that includes a channel tree, a results page, and a toolbar. The tri-pane window allows you to create or edit a channel.

Assignments View Default View

The Assignments view is the default view when you create or edit a Session Manager channel. The assignments view displays any worklist and sendlist objects that are associated with the selected channel. To open the Channels view, select any channel in the channel tree. You can create or edit a channel in the edit mode. Any channel that is listed in the "Other channels" folder is in read-only mode.

Worklist: Performs file and directory management, notification, and system registry management tasks.
Sendlist: Indicates the worklists that are optimized for file transfer. Much of the session processing happens before the connection occurs, so using a sendlist can result in shorter connection times. Sendlists are limited in the events available. Use a sendlist when you want to send files to a client.

Filter the View

The assignments view allows you to filter the view to include all worklist and sendlist objects, sendlists only, or worklists only. To filter the view, select a filter from the View drop-down list.

Channels View

The channels view displays all defined Session Manager channels. To open the Channels view, select the Session Manager Channels item in the left pane of the editor. The results pane lists all the Session Manager channels.

Events View

Worklists and sendlists contain events. When you select a worklist or sendlist in the left pane, the Events view is displayed in the right pane. This view lists all of the events that are contained in the selected object. Objects that do not contain any events appear blank. The listed events define the task order and details that are associated with that object.

The event list displays all Session Manager events. For worklists, all events in the event list are valid selections and are displayed in full color. For sendlists, only events that are valid for sendlists are displayed in full color.

Managing Worklist or Sendlist for a Channel

Contents:
- Assign a Worklist or Sendlist to your Channel
- Unassign Objects from your Channel
- Add Events to a Worklist or Sendlist
- Display or Hide Event Flags
- Set Event Colors

After you create the session channel, define instructions to execute during a connection with a client, or as a part of a session. These instructions are named worklist or sendlist objects. The worklists and sendlists that you create and edit are objects.

Note: The objects are independent from the session channel to which they are assigned. The worklists and sendlists can be assigned to multiple channels for multiple client types. Because they are independent objects, changes made to an object in one channel affect all other channels that include the same object assignment.


More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

WANSyncHA Microsoft Exchange Server. Operations Guide

WANSyncHA Microsoft Exchange Server. Operations Guide WANSyncHA Microsoft Exchange Server Operations Guide About This Guide This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user

More information

Compliance Manager ZENworks Mobile Management 3.0.x January 2015

Compliance Manager ZENworks Mobile Management 3.0.x January 2015 www.novell.com/documentation Compliance Manager ZENworks Mobile Management 3.0.x January 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

MDM Android Client x - User Guide 7P Mobile Device Management. Doc.Rel: 1.0/

MDM Android Client x - User Guide 7P Mobile Device Management. Doc.Rel: 1.0/ MDM Android Client 5.26.0x - User Guide 7P Mobile Device Management Doc.Rel: 1.0/ 2017-07-16 Table of Contents 1 Objectives and Target Groups... 9 1.1 Important information... 9 1.2 Third-Party Materials...

More information
