Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6

Transcription

1 Product Guide McAfee Enterprise Mobility Management (McAfee EMM ) 9.6

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, McAfee EMM, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

3 Contents Preface... 5 About this guide... 5 Audience... 5 Conventions... 5 Finding product documentation... 6 Introducing McAfee EMM... 7 McAfee EMM Features... 7 McAfee EMM Components... 9 Server Components... 9 Client Components Deployment Scenarios McAfee EMM Basic Security Model (Single Sever) McAfee EMM Enhanced Security Model (Dual Servers) McAfee EMM Simplified Deployment Using ActiveSync Protocol User Authentication Options Logging onto and Navigating the McAfee EMM Console Logging On Navigating the Console Exporting the Encryption Key from the Console Logging Off Managing Console Access and Accounts Overview of Roles and Accounts Viewing Role Permissions Creating Console Access Accounts Creating a Local Console Account Creating Console Accounts Based on LDAP Groups Deleting an Access Account from the Console System Settings General Settings (Compliance and Activation Settings) Compliance Settings Overview of Compliance Enabling/Disabling Compliance and Setting Duration Viewing and Changing Activation Settings Authorization Directories Viewing Authorization Directories Adding and Editing an Authorization Directory AD or Domino User Authentication Adding and Editing an Authorization Directory ActiveSync Protocol User Authentication Deleting an Authorization Directory Authorized Users and Provisioning Tokens Allowing All Users Allowing Authorized Users Allowing Authorized Users Through LDAP Allowing Authorized Users By Importing a List Manually Adding Authorized Users Creating a Provisioning Token for a User (ios/android Devices) Deleting a User Viewing Blackberry Enterprise Server (BES) Agents Viewing and Updating Security Certificates Viewing and Adding a Device Catalog Enrollment Agents Viewing and Editing an Enrollment Agent Deleting an Enrollment Agent Connection Configuring SMTP Server (Mail Settings) Viewing EMM Push Notifiers Security Policies Policy Overview and Recommendations Default and Starter Policy Policy Membership Best Practices Viewing Security Policies Creating a New Security Policy Reordering and Prioritizing Security Policies Changing Policy Settings Compliance Settings McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 3

4 Contents Configuration Settings Assigning and Removing Group Membership to Policies Password Options Restrictions VPN Profiles Wi-Fi Profiles Certificate Authority Settings APN Settings Publishing Security Policies Publishing Overview Publishing a Policy Deleting a Security Policy Reports Viewing Reports Audit Log Report Compliance Status Report Package Deployment Report Pending Actions Report Registered Users Report Software Status Report Unregistered Devices Report Exporting Reports Helpdesk and EMM Portal Viewing User and Device Details Generate MDM Pending Actions (Query) Sending a Message to Users (SMS) Wiping Devices Wiping a Device from the Helpdesk Wiping a Device Using the EMM Portal Deleting and PIM Data from ios Devices Uninstalling McAfee EMM from Devices Uninstalling McAfee EMM Profile From ios Devices or Android devices (Remote Policy Removal) 71 Uninstalling McAfee EMM from Windows Mobile Devices Unlocking a User Locking Devices Resetting a Device Password Unlocking a Device/Resetting the Password (Windows Mobile Devices) Updating a Provisioning Token from the Helpdesk Overriding Compliance for a Device Deleting Devices and Users from the Console Package Management Creating a New Package Adding, Removing, and Reordering Files in Packages Adding Files to Packages for ios devices Adding Files to Packages for Android devices Adding Files to Packages for Windows Mobile Devices Reordering Files in Packages Removing Files from Packages Assigning Packages to Users or Groups Pushing Packages to Windows Mobile Devices Deleting Packages Downloading Files from the EMM Portal (ios Devices) Downloading Applications or Files from Recommended Apps (ios Devices and Android devices) 85 Appendix A Policy Worksheets Current Policy Settings for Device Types Legacy Policy Settings for Windows Mobile Devices Index McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

5 Preface This guide provides the information you need to use and configure McAfee Enterprise Mobility Management (McAfee EMM ) software. About this guide Audience Conventions This information describes the guide's target audience and the typographical conventions and icons used in this guide. McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Users People who are responsible for configuring the product options on their systems, or for updating their systems. Security Officers People who determine sensitive and confidential data, and define the corporate policy that protects the company s intellectual property. This guide uses the following typographical conventions and icons. Book title or Emphasis Bold User input, Path, or Code Hypertext Note: Important/Caution: Title of a book, chapter, or topic; introduction of a new term; emphasis. Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program; a code sample. A live link to a topic or to a website. Additional information, like an alternate method of accessing an option. Valuable advice to protect your computer system, software installation, network, business, or data. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 5

6 Preface Finding product documentation Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access User documentation KnowledgeBase Do this 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document. Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

7 Introducing McAfee EMM The McAfee EMM platform provides secure management of mobile devices. McAfee EMM allows you to integrate smartphones into enterprise networks with the same level of security protection enabled on laptops and desktops. With McAfee EMM, System Administrators have the tools and capabilities needed to effectively secure mobile devices in the enterprise network, seamlessly manage them in a scalable architecture, and efficiently assist users when problems arise. McAfee EMM is a web-based platform that helps manage the entire life cycle of the mobile device. McAfee EMM uses native ActiveSync management capabilities and handset vendor-specific tools. McAfee EMM s unique combination of device management, on-device security, network control, and compliance reporting delivers a powerful mobile device security solution. CONTENTS McAfee EMM Features McAfee EMM Components McAfee EMM Features Network Security McAfee EMM requires all devices to authenticate, register, and pass policy-based compliance verification before accessing your network. ActiveSync traffic is routed to filter servers, ensuring devices cannot bypass the compliance services. Strong Authentication with PKI features Through the optional PKI Agent component, McAfee EMM offers PKI and strong authentication features through provisioning tokens and certificate-based authentication. Simplified Policy and Device Management The McAfee EMM Console is a web-based application through which you manage your security policies and mobile devices. Policies can be assigned based on groups and you can set parameters for how devices work and communicate with your network, such as allowed resources, password criteria, and more. Security policies are pushed to devices through the Console, ensuring the devices remain compliant. Secure and Easy Provisioning McAfee EMM provides secure and easy provisioning using the McAfee EMM app or the EMM Portal. The system interacts with Microsoft Active Directory (AD) or Domino to validate device users and ensure that only authorized users provision. ios device (iphone) and Android users can download a free McAfee EMM app which streamlines provisioning and adds functionality to deliver security policies as needed. McAfee EMM uses Simple Certificate Enrollment Protocol (SCEP) for the provisioning process for ios devices MDM and C2DM Support You can install the McAfee EMM using Mobile Device Management (MDM) for ios4 devices, and Cloud to Device Message (C2DM) for Android devices. MDM/C2DM allows policy updates without user intervention and enhanced Helpdesk capabilities, including remote lock, passcode unlock, cleaner selective wipe, and uninstall without user intervention. You can also collect additional details about devices, including phone numbers, installed apps, certificates, installed profiles, restrictions, policy compliance, IMEI number, and WAPMACA address. ios Device (iphone, ipod Touch, and ipad) Management and Support McAfee EMM provides tools and settings to manage ios devices, including compliance enforcement, reporting, Wi-Fi and VPN configurations. In addition, data loss protection is provided through end-point security with password policies across all ios devices. Remote wipe and on-the-fly policy updates can be pushed to ios devices. For ios devices, McAfee EMM installs MDM at provisioning, keeping the device connected to the McAfee EMM server at all times and McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 7

8 Introducing McAfee EMM McAfee EMM Features providing all the features of MDM. McAfee EMM provides continuous jailbreak detection through the McAfee EMM app for ios devices. Android Support Certified Android devices can be provisioned via the McAfee EMM app. MDM/C2DM is installed on supported Android devices when they provision, providing support for compliance enforcement, remote lock/unlock, remote uninstall, passcodes, Wi-Fi, and for s Android devices, remote wipe and VPN configurations. Encrypted Connections McAfee EMM servers use encrypted SSL (HTTPS) connections to ensure all data transmitted between mobile devices and servers is encrypted. ios devices that do not have native encryption (prior to the iphone 3GS) can be blocked from accessing your network. Windows Native Encryption McAfee EMM system relies on Windows native encryption for data on the main memory and removable storage media of Windows Mobile devices (Windows Mobile 6.0 and above, excluding Windows Phone 7.) This allows faster access to and PIM data. When data is saved and resides on the device, it is automatically encrypted. Server Support The McAfee EMM platform supports servers Exchange 2003, 2007, 2010, and Domino and Domino (the Domino Environment must have a Traveler server in place). Secure Device Check In The device check in process ensures the devices in your network maintain the most recent and accurate policy settings. When a device checks in, information about that device appears in the Console. Only compliant devices can access your enterprise s resources. User Transparency The McAfee EMM software secures the user s device without being intrusive: it is transparent to the user. Users are required to enter a PIN or password to access the devices, but McAfee EMM uses the native , contacts, and calendar applications on all supported devices to provide the best user experience. Users can answer calls without entering a PIN, and the McAfee EMM software does not affect device battery life or application performance. Integrated Helpdesk The McAfee EMM system contains an integrated Helpdesk to troubleshoot and support your mobile device users. The Helpdesk features include remote wipe, removing and PIM data, remote policy removal, and compliance override capabilities. McAfee EMM Portal The McAfee EMM Portal provides a web site through which users can provision their own mobile devices and perform a few basic Helpdesk functions. Users can troubleshoot some device issues on their own, and don t have to rely on Helpdesk personnel for assistance. Reports McAfee EMM software provides a suite of status reports that provide details about your mobile environment. Reports contain details about your devices and users, including device ID, phone numbers, make and model, operating system, assigned security policies, and Active Directory or LDAP membership details. A complete system audit log tracks all activity by all users of the McAfee EMM solution, and all reports can be exported to Microsoft Excel format. Integration with McAfee epolicy Orchestrator McAfee EMM software can be installed as an extension of McAfee epolicy Orchestrator. You can view reports and create a McAfee EMM dashboard from within McAfee epolicy Orchestrator. Blackberry Enterprise Server (BES) Integration The BES Agent connects directly to the BES, collects data, and writes the data to the McAfee EMM database via the Hub. This allows administrators to manage Blackberry devices through the Helpdesk and provides reporting both in McAfee EMM and in McAfee epolicy Orchestrator. Extended Functionality via REST Services You can access certain McAfee EMM functions via REST services, allowing you to manage devices and users with the same functionality as provided via the EMM Console. 8 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

9 Introducing McAfee EMM McAfee EMM Components McAfee EMM Components The McAfee EMM system is based on a client-server architecture with server-side and client-side components. Server Components The McAfee EMM system contains the following server-side components: McAfee EMM Hub McAfee EMM Console McAfee EMM Portal McAfee Device Management Gateway McAfee Enterprise ActiveSync (EAS) Proxy and Compliance Filter McAfee EMM Push Notifier McAfee Blackberry Enterprise Server (BES) Agent (optional) McAfee PKI Agent (optional) Table 1 - McAfee EMM Server Components EMM Server Component Description McAfee EMM Hub The McAfee EMM Hub (Hub) manages communications between McAfee EMM components. The McAfee EMM Hub allows secure communications between McAfee EMM modules across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communications are established between the components. Using a custom installation, the Hub can also communicate with the DMZ components via HTTP (non-secure). McAfee EMM Console The McAfee EMM Console (Console) is the application used to manage the McAfee EMM system and devices. It is an IIS application accessible via Internet Explorer or Firefox web browsers, with Microsoft Silverlight installed. Through the Console, administrative users configure system settings, change policies, manage devices and users, administer McAfee EMM roles, perform Helpdesk functions, and view reports. McAfee EMM Portal The McAfee EMM Portal (EMM Portal) is an internet-facing component that allows device users to initiate requests for software downloads and to perform a few Helpdesk functions. The McAfee EMM Portal is an IIS application. Users access the EMM Portal from a browser on a PC or on a mobile device. The Portal typically resides on a McAfee EMM server that is installed in the DMZ. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 9

10 Introducing McAfee EMM McAfee EMM Components EMM Server Component Description McAfee Device Management Gateway The McAfee Device Management Gateway (DMG) is an internetfacing component that manages the server-side communication with legacy Windows Mobile devices. It controls policy, software, and configuration updates for the mobile devices. The McAfee DMG is an IIS application that communicates with other McAfee EMM components to get information on policies and users. McAfee Enterprise ActiveSync Proxy and Compliance Filter The McAfee Enterprise ActiveSync (EAS) Proxy is an internet-facing component that proxies ActiveSync traffic to the servers. This IIS application resides in the DMZ and enables McAfee EMM to control access to enterprise resources on the DMZ server before reaching the internal network. The McAfee Compliance Filter is a light-weight ISAPI filter installed on the McAfee filter/proxy server that is placed in the DMZ (or for Basic Security deployments, on the internal McAfee EMM server). McAfee EMM Push Notifier The McAfee Push Notifier is an internet-facing component that allows push notifications to be sent to devices. The McAfee Push Notifier is a required component that is usually installed in the DMZ so it can communicate with Apple and Android push notification services. McAfee BES Agent (optional) The McAfee BES Agent is an optional component that allows you to connect to synchronize BES to EMM and perform select device actions. McAfee recommends installing the BES Agent on the McAfee internal server. McAfee PKI Agent (optional) The McAfee PKI Agent is an optional component and is used to dynamically retrieve certificates from a Microsoft Certificate Authority (CA). Client Components The McAfee EMM client components are: For ios devices, a free McAfee EMM app from the Apple App Store. For Android devices, a free McAfee EMM app from the Android Marketplace. For Windows Mobile devices, PDA Secure and the Download Manager. Note: iphone, ipod Touch, and ipad devices are referred to as ios devices throughout this guide. Table 2 - McAfee EMM Client Components EMM Client Component Description McAfee EMM app (ios devices) McAfee EMM is a free ios app that enables easy provisioning by the user and enables push notifications to deliver profile and security policy changes. 10 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

11 Introducing McAfee EMM Deployment Scenarios EMM Client Component Description McAfee EMM app (Android devices) McAfee EMM is a free Android app that enables easy provisioning by the user and enables push notifications to deliver profile and security policy changes. Download Manager (Windows Mobile) The Download Manager is the communication module installed on Windows Mobile devices. It provides and maintains device-side communications with the McAfee EMM server by connecting to the Device Management Gateway. It receives software, policy updates, and server commands. It also reports device details to the server. PDA Secure (Windows Mobile) PDA Secure is the security module installed on Windows Mobile devices. PDA Secure enforces security based on policies created in the McAfee EMM Console. Except for the password screen, there is no visible user-interface for PDA Secure. PDA Secure cannot be modified by the user, and an administrative unlock code is required to remove PDA Secure from the device. Deployment Scenarios This section describes three McAfee EMM deployments: Basic Security Model (Single Server Installation) Enhanced Security Model (Dual Server Installation) Simplified Deployment Using ActiveSync Protocol for User Authentication (trial installation on a single server). McAfee strongly recommends installing using the Enhanced Security Model on two servers. This option provides maximum security and verifies and checks the ActiveSync traffic before the traffic enters your private network. While these scenarios are the most frequently used, there are many ways in which the McAfee EMM system could be installed. For additional options, please contact McAfee Technical Support. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 11

12 Introducing McAfee EMM Deployment Scenarios McAfee EMM Basic Security Model (Single Sever) The Basic Security Model installed on a single server is shown in Figure 1. Figure 1 McAfee EMM Basic Security Model (Single Server Installation) In the Basic Security Model, all McAfee EMM IIS components are installed on a single server that is available to mobile devices by allowing inbound traffic from the Internet for HTTPS sessions on port 443. The McAfee/IIS server is positioned in the internal subnet so that it can access account information in Active Directory/LDAP and connect to the SQL server as needed. This deployment model is most appropriate for smaller organizations without complex security requirements, or for trial installations. 12 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

13 Introducing McAfee EMM Deployment Scenarios McAfee EMM Enhanced Security Model (Dual Servers) The Enhanced Security Model installed on two servers is shown in Figure 2. Figure 2 Enhanced Security Model (Dual Server Installation) The Enhanced Security Model is installed on two servers. The Device Management Gateway, the EMM Portal, the Compliance Filter, the EAS Proxy, and the Push Notifier are installed on an internet-facing IIS server in the DMZ. The McAfee EMM Hub remains in the private subnet and runs the remaining server components. Communication from the Internet to the DMZ is restricted to HTTPS via port 443. Traffic between the McAfee servers is also an SSL connection. Using a custom installation, the Hub can also communicate with the DMZ components via a non-secure HTTP connection. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 13

14 Introducing McAfee EMM Deployment Scenarios McAfee EMM Simplified Deployment Using ActiveSync Protocol The Simplified Deployment installation using ActiveSync Protocol for user authentication is shown in Figure 3. Figure 3 - Simplified Deployment Using ActiveSync Protocol for User Authentication The Simplified Deployment is appropriate when installing McAfee EMM software on a trial basis. The Simplified Deployment installation uses ActiveSync Protocol for user authentication, so you do not have to integrate with an LDAP environment. The server onto which the EMM Hub is installed should be able to communicate with the Exchange server running Exchange ActiveSync and the SQL Server. User Authentication Options When installing McAfee EMM, you can select user authorization to be based on Active Directory (AD), Domino credentials, or using the ActiveSync Protocol (for Simplified Deployments). Active Directory (AD) or Domino You can select AD or Domino user authentication if you install using the Basic Security, Enhanced Security, or Customized deployments. Devices are provisioned to the McAfee EMM system using AD or Domino credentials. If you install using AD, you also have the option to add or import authorized users. ActiveSync Protocol If you are installing McAfee EMM on a trial basis using a Simplified Deployment, you would select ActiveSync Protocol user authentication. Device users must be added to the McAfee EMM system manually or by uploading a file of authorized users. The system then infers a user s authorization through the ActiveSync server identified during installation. 14 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

15 Logging onto and Navigating the McAfee EMM Console This chapter describes how to log onto and navigate the McAfee EMM Console. The McAfee EMM system includes one default, local (local to the McAfee EMM system), administrative account. When logging in for the first time, use the default local administrative account with the following user name and password: User name admin Password TDadmin* Once you log on for the first time, you can create additional accounts. We recommend creating an administrative account for each administrative user and that the default password be changed. For information on creating accounts, see Managing Console Access, on page 19. Contents Logging On Navigating the Console Exporting the Encryption Key from the Console Logging Off Logging On Use this task to log onto the McAfee EMM Console. 1 Launch the Console using one of the following: If you are logged onto the computer on which the Console is installed, from the Windows Start menu, select Start All Programs McAfee EMM McAfee EMM Console. Open a supported web browser window and enter the URL Select Launch Console from the Installation status screen. The McAfee EMM Console log in screen appears. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 15

16 Logging onto and Navigating the McAfee EMM Console Logging On 2 Complete the fields: User name admin Password TDadmin* Domain Do one of the following: o To log on using a local administrative account, select Local. If this is the first log on since installing McAfee EMM, select this option. o To log on using LDAP credentials, select the appropriate domain. 3 Click Login. The McAfee EMM Console Helpdesk screen appears. The top left of the window shows the server name, the current page, and who is logged on. The top right shows About and Logout. The icons at the bottom allow you to access other functions within the Console. Note: McAfee EMM redirects you to the Certificates page at the first logon after an upgrade, or if your EMM portal certificate is scheduled to expire within two months. Verify and update your portal certificate immediately. If the portal certificate expires, devices can t provision or sync. See Viewing and Updating Security Certificates on page McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

17 Logging onto and Navigating the McAfee EMM Console Navigating the Console Navigating the Console Use this task to navigate the Console. 1 To access the functions of the McAfee EMM Console, click one of the icons on the main screen. The icons are described in Table 3. Table 3 - McAfee EMM Console Icon Descriptions Icon Functions System Settings Create and manage Console access accounts, set global compliance enforcement, change the license key, update company information and the use agreement, manage authorization servers, manage authorized users, view BES Agents, update security certificates, update the device catalog, view and edit Enrollment Agents, configure and send SMS messages, and view Push Notifiers. Policies Create, manage, and publish security policies. Select device settings, assign policies to groups, select policy settings for device compliance, , passwords, restrictions, passwords, resource restrictions, VPN, Wi-Fi, certificate authorities, and to define an Access Point Name (APN). Reports View and export reports, including audit logs, compliance status, package deployment, pending actions, registered users, software status, and unregistered devices. Helpdesk Troubleshoot issues on mobile devices, including remote diagnosis, remote wipe, updating provisioning tokens, deleting and PIM data, uninstalling software, locking devices, resetting passwords, and overriding compliance. View device information, including applications, certificates, configuration profiles, pending actions, provisioning profiles, and security details. Packages Create packages and install third party files or applications on mobile devices over-the-air and upload files to the Enterprise App Store. 2 To access a function, click an icon and the window for that function appears, with options on the right. 3 To resize columns, use the cursor to move the column border left or right. (Column sizes will be reset if you refresh the screen or log out.) 4 To view the version of the McAfee EMM Console you are using, click About from the upper-right corner of the McAfee EMM screen. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 17

18 Logging onto and Navigating the McAfee EMM Console Exporting the Encryption Key from the Console Exporting the Encryption Key from the Console Use this task to export the encryption key from the EMM Console. 1 From the EMM Console, click the name of the server in the upper-left corner of the Console screen, and the Export Key dialog box appears. 2 In Key Password, type the key password and select Export Encryption Key. You will be prompted to save the skx file. 3 Use this key file as the encryption key when re-installing or customizing your McAfee EMM system. Logging Off Use this task to log off the McAfee EMM Console. 1 To log off the McAfee EMM Console, click Logout from the upper-right corner of the screen. After 30 minutes of inactivity, the logged on user of the Console will automatically be logged off. 18 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

19 Managing Console Access and Accounts This chapter describes how to manage and control accounts that can access the McAfee EMM Console. Contents Overview of Roles and Accounts Viewing Role Permissions Creating Console Access Accounts Deleting an Access Account from the Console Overview of Roles and Accounts There are four access roles in the McAfee EMM Console: System Administrator Policy Administrator Helpdesk Administrator Reports Viewer These roles can be assigned to accounts based on membership in Active Directory or Domino groups, or the accounts can be created locally. LDAP Group Assignment The LDAP group that the user belongs to must be added to the McAfee EMM role through the Console. This eliminates the need to create and maintain local console users. When an LDAP group is added to a role in the McAfee EMM Console, all the users that are members of the group will have the privileges assigned to the role. Note: In AD, the group property must be set to Security Group. In Domino, the group must be a Multipurpose Group. Local Administrative Accounts Local administrative accounts allow access to the McAfee EMM Console without being a member of an LDAP group. This can be useful for enterprises that outsource the Helpdesk and management of the McAfee EMM Console. McAfee EMM includes one default local, administrative account To log on for the first time, use the default local administrative account, with the user name admin and password TDAdmin*. (For details, see Logging On on page 15.) Once logged on, we recommend creating an administrative account for each administrative user. The audit log report shows the name of each user who is logged onto the Console and the actions that user has taken, so it is useful to create individual accounts. Note: Once a local Console account is created, it cannot be edited. If you want to change something on the account, you must delete and re-create the local account. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 19

20 Managing Console Access and Accounts Viewing Role Permissions Viewing Role Permissions Use this task to view the access rights for each of the four access roles. 1 From the Console, select System Settings, then Console Access, and the Console Access screen appears. 2 Click Show Details. The Role Permission screen appears, showing the access details for each of the roles. 20 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

21 Managing Console Access and Accounts Creating Console Access Accounts 3 To view the permissions for a different role, select the appropriate role from the drop-down list at the top right of the screen. Creating Console Access Accounts This section describes how to assign which accounts can access the McAfee EMM Console. Creating a Local Console Account Use this task to create a local Console account. Note: Once a local Console account is created, it cannot be edited. If you want to change something on the account, you must delete and re-create the local account. 1 From the Console, select System Settings, then Console Access, and the Console Access screen appears. 2 Click Add and the Add Access screen appears. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 21

22 Managing Console Access and Accounts Creating Console Access Accounts 3 In Access type, select Local User, and complete the fields: Role Select the role for the account. Username The user name for the account to be given access to the Console. Password The password for the account. Passwords must be at least seven characters long and include one non-alphanumeric character. 4 Click Save. The Console Access list is updated to reflect the addition of the new account. The local administrative account is now active and can log onto the McAfee EMM Console with the selected role. Creating Console Accounts Based on LDAP Groups Use this task to create Console access accounts based on LDAP groups. In order to assign LDAP groups to McAfee EMM roles, you must log onto the Console with a System Administrator account. Note: When you create a McAfee EMM Console account based on Domino membership, you must to make the following change in the Domino Administration console: From the Domino Administration console, navigate to Server Configuration Settings Edit config. Select the tab Ports Internet Ports. Scroll down and choose the Directory tab and change Authentication Options Anonymous to No. 1 From the Console, select System Settings, then Console Access and the Console Access screen appears. 22 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

23 Managing Console Access and Accounts Creating Console Access Accounts 2 Click Add, and the Add Access screen appears. 3 Complete the fields: Access Type Keep LDAP Group selected. Role The McAfee EMM role for the group: System Administrator, Policy Administrator, Helpdesk Administrator, or Reports Viewer. Location The authorization server domain. Group Name Type at least three characters of the Group name to be added, or press Enter. The group names appear on the screen. 4 Select the group to be added. 5 Click Save. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 23

24 Managing Console Access and Accounts Deleting an Access Account from the Console Deleting an Access Account from the Console Use this task to delete an access account from the Console. When deleting a Console account, the McAfee EMM group association is removed and the users within the removed group will no longer be able to access the Console. This does not delete the group from the LDAP server. 1 From the Console, select System Settings, then Console Access, and the Console Access screen appears. 2 Select the account to be deleted and click Delete. A confirmation dialog box appears. 3 Click OK to delete the account. 24 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

25 System Settings This chapter describes the McAfee EMM System Settings and their functionality. Contents General Settings (Compliance and Activation Settings) Authorization Directories Authorized Users and Provisioning Tokens Viewing Blackberry Enterprise Server (BES) Agents Viewing and Updating Security Certificates Viewing and Adding a Device Catalog Enrollment Agents Configuring Viewing EMM Push Notifiers General Settings (Compliance and Activation Settings) This section describes how to change compliance and activation settings. Compliance Settings This section describes the compliance criteria for the McAfee EMM system, and how to enable and set the duration of the compliance. This ensures that only users with current security policies can sync. Overview of Compliance A device is considered compliant if the following are true: The device has the current version of the McAfee EMM software installed. The device has the current security policy installed. ios devices have the correct device certificate that was issued during provisioning. A device is non-jailbroken (if jailbroken status is set in the Policy) A device is considered non-compliant if one or more of the following is true: The device does not contain the McAfee EMM software. The security policy has been updated and the device does not yet have the new policy. The device has not checked in since the software or security policy was last updated. The device has been hard reset because of a company policy, and the device no longer contains the McAfee EMM software. The ios device has been tampered with or has been jailbroken (if jailbroken status is set in the Policy.) A non-encrypted device is blocked due to policy restrictions. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 25

26 System Settings General Settings (Compliance and Activation Settings) Enabling/Disabling Compliance and Setting Duration Use this task to enable or disable compliance, and to set the compliance duration. 1 From the McAfee EMM Console, click the System Settings icon then click General Settings, and the General Settings screen appears. 2 Complete the fields: Compliance Enforcement Select an option: o Enabled Allows only devices with the current security policy to sync. o Disabled Allows any correctly provisioned device to sync, regardless of its security policy. Compliance Duration (min) The amount of time a compliance check-in is valid. After this period, the device is considered non-compliant. 3 Click Save. Viewing and Changing Activation Settings Use this task to view and change activation settings, which include company information, use agreement, McAfee EMM activation (license) number, and the number of devices to which the license applies. Typically, you would enter a new license key when you need to add more device licenses for your McAfee EMM platform. 1 From the McAfee EMM Console click the System Settings icon, then select General Settings, and the General Settings screen appears. 26 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

27 System Settings Authorization Directories Under Activation Settings, the screen lists information about your company, including a profile name, use agreement, serial number, remaining device registrations, and, if a trial key is being used, the time remaining in the trial key. Note: When there are 10% of available licenses remaining, at each login, the Activation Settings screen appears instead of the Helpdesk screen. The screen will show the status of the license with a link to the McAfee Technical Support page to request additional licenses. 2 Complete the fields: Profile Name - The profile name that is installed on ios devices. Use Agreement - The agreement that appears on devices during provisioning. If it is updated, it will not be pushed to devices that have already been provisioned. Serial Number The McAfee EMM license number. To change a license number and add more devices, in the Serial Number field, enter a new license key. (To get a new license key, contact your McAfee sales executive or McAfee Technical Support.) 3 Click Save. Authorization Directories This section describes how to view, add, update, and delete authorization directories, and how to test authorization directory connections. During provisioning, the McAfee EMM server authenticates users based on AD or Domino credentials, whether your system uses LDAP or ActiveSync Protocol for user authentication. To validate the credentials, the server needs details of the directory and a valid directory account with read-only access. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 27

28 System Settings Authorization Directories Viewing Authorization Directories Use this task to view an authorization directory. 1 From the McAfee EMM Console, select System Settings, then Auth Directories. The Auth Directories screen appears, listing the current authorization directories. The green checkmark to the left of the listed directories indicates that the connection is verified. Adding and Editing an Authorization Directory AD or Domino User Authentication Use this task to add or edit an authorization directory when using LDAP (AD or Domino) user authentication. 1 From the McAfee EMM Console, select System Settings, then Auth Directories. The Auth Directories screen appears, listing the current authorization directories. 2 Do one of the following: To add a directory, click Add. To edit a directory, select the directory from the list and click Edit. 28 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

29 System Settings Authorization Directories The Edit Auth Directory or Add Auth Directory screen appears. If you are editing a directory, the fields will be populated. 3 Complete the fields: Server Type Select the authorization server type: AD or Domino. FQDN Select the fully qualified domain name of the AD or Domino server. If the FQDN is not auto-detected, a field appears to enter the FQDN. Domain The domain for the FQDN. This will auto-populate. DN Complete as follows: o For an AD server, the domain name of the FQDN. This will auto-populate. o For a Domino server, this should remain blank. User Name The user name used to connect to the directory service. Password The password used to connect to the directory service. External ActiveSync DNS Address External DNS or IP address of the server that NAT s or routes to the McAfee EMM server hosting the proxy services. The Use SSL field is checked and cannot be edited. 4 Click Save. Note: Through a policy, you can choose to direct traffic through an alternate server. traffic settings set in policies will override the authorization server selected in System Settings. See Configuration Settings on page 47. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 29

30 System Settings Authorization Directories Adding and Editing an Authorization Directory ActiveSync Protocol User Authentication Use this task to add or edit an authorization directory if your McAfee EMM system uses ActiveSync Protocol for user authentication. Note: ActiveSync Protocol authentication will appear as an option only if McAfee EMM was installed using this protocol. If McAfee EMM was installed using a different authentication type, the ActiveSync Authentication option will not be available from the drop-down menu. 1 From the McAfee EMM Console, select System Settings, then Auth Directories. The Auth Directories screen appears, listing the current authorization directories. 2 Do one of the following: To add a directory, click Add. To edit a directory, select the directory from the list and click Edit. The Add Auth Server screen appears. If you are editing a server, the fields will be populated. The Use SSL field is checked and cannot be edited. 30 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

31 System Settings Authorized Users and Provisioning Tokens 3 Complete the fields: ActiveSync Authentication Address The ActiveSync server to be used for authentication. Domain The domain name of the Active Sync server. o If you are adding a Domino auth server, type Domino Server name/servlet/traveler. o For other servers, type the domain name. Verification Username The valid Exchange ActiveSync user name. Verification Password The valid password for the Exchange ActiveSync account. External ActiveSync DNS Address External DNS or IP address of the server that NAT s or routes to the McAfee EMM server hosting the proxy services. 4 Click Save. Deleting an Authorization Directory Use this task to delete an authorization directory from your McAfee EMM system. If you delete a directory, all users and devices provisioned to the server will be deleted from the system. 1 From the McAfee EMM Console select System Settings, then select Auth Directories. The Auth Directories screen appears. 2 On the Auth Directories screen, select the directory you want to delete and click Delete. A dialogue box appears asking you to confirm removal. All users and devices provisioned to the server will be deleted from the system. 3 Click OK and the directory will be deleted from the McAfee EMM system. Authorized Users and Provisioning Tokens This section describes how to add authorized users so they can provision, and how to designate a provisioning token for a user. You can add all users that belong to an LDAP group, or only authorized users. Authorized users can be added based on their LDAP credentials, or by importing a list. Your options depend on the user authentication being used: AD, Domino, or ActiveSync Protocol. AD or Domino user authentication You can choose to allow all users or only authorized users. If you allow all users, all users with a valid AD or Domino account in the domain specified under Authorized Users can provision. If you choose to allow only authorized users, you can add users based on LDAP or by importing a list of users. ActiveSync Protocol user authentication You can only allow authorized users to provision. You can add authorized users by importing a list or adding users individually. Note: When allowing authorized users, you are not directly assigning AD groups; you are allowing a group of users that belong to an AD group. Note: You can access Adding a User, Deleting a User, Creating Provisioning Tokens, and Querying Users via McAfee EMM REST services, allowing you to manage devices and users with the same functionality as provided via the EMM Console. For more information, contact McAfee Technical Support. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 31

32 System Settings Authorized Users and Provisioning Tokens Allowing All Users Use this task to allow all users to provision. You can use this task only if your McAfee EMM system uses AD or Domino user authentication. 1 From the McAfee EMM Console select System Settings, then select Authorized Users. The Authorized Users screen appears. 2 Under User Registration, select Allow All Users. 3 Click Save. All users with a valid account in the authorization servers can now provision. If you want to create a provisioning token, see Creating a Provisioning Token for a User on page 36. Allowing Authorized Users This section describes how to allow only authorized users to provision. The procedure differs depending what method your system uses for user authentication: AD, Domino, or ActiveSync Protocol. If your system uses AD or Domino user authentication, you can also choose to allow all users. See Allowing All Users on page McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

33 System Settings Authorized Users and Provisioning Tokens Allowing Authorized Users Through LDAP Use this task to allow authorized users for authentication through LDAP. You can use this task only if your McAfee EMM system uses AD or Domino for user authentication. 1 From the Console, select System Settings, then Authorized Users. The Authorized Users screen appears. 2 Under User Registration, select Allow Only Authorized Users. 3 Click Add and the Add Authorized Users screen appears. 4 Complete the fields: Source Select Search LDAP. Location Select the domain to which the users belong. User/Group Complete as follows: o Type at least three characters of the Group name, or press Enter, and the user or group names appear. o Select the users or groups to add as authorized users. Note: If the status No appears in the column, the user will not be able to provision and cannot be added to the authorized user list. An address must be configured for the user. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 33

34 System Settings Authorized Users and Provisioning Tokens 5 Click Save. The authorized users are added to the system and appear on the Authorized Users screen. Note: If a user is added to an AD group that was authorized within McAfee EMM, that user is automatically authorized within McAfee EMM. Allowing Authorized Users By Importing a List Use this task to add users for authentication by importing a list, when using either ActiveSync Protocol or AD for user authentication. If your McAfee EMM system uses ActiveSync Protocol for user authentication, you can use this task to allow authorized users, or you can add users individually (see Manually Adding Authorized Users on page 35.) If your system uses AD for user authentication, you can use this task to allow authorized users, or you can allow users based on LDAP (see Allowing Authorized Users Through LDAP on page 33). 1 Create the list of authorized users in CSV format. 2 From the Console, select System Settings, then Authorized Users. The Authorized Users screen appears. 3 Under User Registration, select Allow Only Authorized Users. 4 Click Add and the Add Authorized Users screen appears. The fields on the screen will vary, depending on the user authentication method being used. 5 From the Source field, select Import CSV. The fields change on the screen. 6 Complete the fields: Location Select the domain to which the users belong. CSV File Path Select the CSV file. 34 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

35 System Settings Authorized Users and Provisioning Tokens 7 Click Save. The users are added to the system and appear on the Authorized Users screen. Manually Adding Authorized Users Use this task to manually add individual users to the McAfee EMM system. This option is available only when using ActiveSync Protocol for user authentication. 1 From the Console, select System Settings, then Authorized Users. The Authorized Users screen appears. 2 Click Add and the Add Authorized Users screen appears. 3 From the Source field, select Manually Define User. 4 Complete the fields: Location Select the domain to which the user belongs. Username The user s user name. The user s address. First Name The user s first name. Last Name The user s last name. 5 Click Save. The user is added to the system and appears on the Authorized Users screen. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 35

36 System Settings Authorized Users and Provisioning Tokens Creating a Provisioning Token for a User (ios/android Devices) Use this task to create a provisioning token (one-time password) for a specific user. A provisioning token can be designated only for users that will provision an ios/android device using the McAfee EMM app. You can designate a token from System Settings only if you are adding an individual user, not an LDAP group. If you need to add an LDAP group and want to create a provisioning token for a user within the group, add the group in System Settings, and then update the user s provisioning token from the Helpdesk. See Updating a Provisioning Token from the Helpdesk on page From the Console, select System Settings, then Authorized Users, and the Authorized Users screen appears. 2 Complete the fields: Allow Only Authorized Users Select to allow only authorized users. Require Provisioning Token Select to require a provisioning token. The Token Length and Hours Valid fields appear. Token Length The default length of the provisioning token (one time password) Hours Valid The default number of hours the token will be valid. 3 Click Save on the Authorized Users screen. Note: Be sure to click Save, or the correct fields will not appear on the Add Authorized Users screen. 4 Click Add, and the Add Authorized Users screen appears. 36 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

37 System Settings Authorized Users and Provisioning Tokens 5 Complete the fields: Source Select Search LDAP. Location Select the domain to which the user belongs. User/Group Type at least three characters of the user s name, or press Enter, and the list of users appears. 6 Select the user from the list and additional fields appear on the screen. The fields will show the default values set on the Authorized Users screen, but can be edited. 7 Edit the fields as needed: Provisioning Token The one-time password. Hours Valid The number of hours the token is valid. Delivery Action - Select one of the following: o No Action Creates the token in McAfee EMM, but does not send a message to the user. The token must be given to the user via other means. Choose this if you don t know the user s or phone number. 8 Click Save. o Send SMS Sends an SMS message to the user with the token in the message. o Send Sends an message to the user with the token in the message. Select this option only if the client is configured on the user s machine. 9 If you selected Send SMS, the Provisioning SMS dialog box appears. Complete the fields and click Send SMS. 10 If you selected Send , the client opens with a message to the recipient. Send the message. When the user provisions, the user will be prompted for the provisioning token. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 37

38 System Settings Viewing Blackberry Enterprise Server (BES) Agents Deleting a User Use this task to remove a user from the authorized users list. Once deleted, the user will not be able to sync or provision. 1 From the Console, select System Settings, then Authorized Users. The Authorized Users screen appears. 2 Select the user and click Delete. The user is deleted from the authorized users list, but the user s device will still appear in the Helpdesk. To remove the device from the Console, see Deleting Devices and Users from the Console on page 76. Viewing Blackberry Enterprise Server (BES) Agents Use this task to view a BES Agent, if a BES Agent was installed with your McAfee EMM software. A BES Agent is an optional component that allows you to connect to a Blackberry Enterprise Server. The BES Agent connects directly to the BES, collects data, and writes the data to the McAfee EMM database via the Hub. 1 From the Console select System Settings and then BES Agents, and the BES Agent screen appears. 38 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

39 System Settings Viewing and Updating Security Certificates Viewing and Updating Security Certificates Use this task to view and update the portal, push, and MDM security certificates. Note: Every time the portal certificate is updated, all ios devices will have the EMM profile removed and the device will have to be re-provisioned. We suggest obtaining a multi-year portal certificate to minimize this occurrence. Note: To update the MDM certificate in the Console, you must get Apple s Product Push SSL certificate through their Apple Enterprise Development Program. For details on Apple s program, see 1 From the McAfee EMM Console select System Settings, then Certificates. The Certificates screen appears, showing your current certificates. If you want to add a portal, push, or MDM certificate, you need to update the certificate. All new certificates will be added as Trusted certificates. 2 To add or update a certificate, click Update and the Update Certificate dialog box appears. If you are updating a portal certificate, a warning first appears indicating that updating the portal certificate will force all device users to re-provision. 3 Complete the fields: Certificate Path Browse to select the new certificate. Password The password for the certificate. Note: An MDM Certificate must be in.p12 format or.pfx format. 4 Click Save. The new certificate information appears on the Certificate screen. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 39

40 System Settings Viewing and Adding a Device Catalog Viewing and Adding a Device Catalog Use this task to view and add a Device Catalog. The Device Catalog contains information on supported mobile devices. The device catalog is automatically added when McAfee EMM installs, but updated Device Catalogs need to be added monthly through the Console. 1 From the Console, select System Settings, then Device Catalog. The Device Catalog screen appears. 2 To add a new catalog, click Add. 3 Browse to select the file SFI.nnnn.zip where nnn is the build number. The Add Device Catalog Screen appears, showing the version and release date. 4 Click Install and the device catalog begins to install. When installation is complete, the Device Catalog screen will show the updated catalog. Enrollment Agents This section describes how to view, edit, and delete an Enrollment Agent. Viewing and Editing an Enrollment Agent Use this task to view or edit an Enrollment Agent connection. 1 From the System Settings screen, select Enrollment Agents and the Enrollment Agents screen appears. 40 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

41 System Settings Enrollment Agents The screen lists all the Enrollment Agents currently installed and communicating with the McAfee EMM Hub. If the Enrollment Agent installation was successful, all fields will be populated and a green checkmark appears next to the agent. Note: This screens shows verification of connection to the Enrollment Agent, but does not request a certificate. To add a certificate configuration for a policy, see Certificate Authority Settings on page To edit an Enrollment Agent, select a connection and click Edit. The Edit Enrollment Agent screen appears. 3 Edit the fields: Server Name Name of the server for the certificate authority server. Server URL Name or FQDN of the server where the Enrollment Agent is installed. Certificate Authority FQDN of the certificate authority, in the format CA-server\CA-name. Signer Certificate The Enrollment Agent certificate installed in the service user s local certificate store. 4 Click Save. Deleting an Enrollment Agent Connection Use this task to delete an Enrollment Agent connection. Note: If the Enrollment Agent is being used by an active policy, it cannot be deleted. 1 From the Console, select System Settings, then Enrollment Agents, and the Enrollment Agent screen appears. 2 Select a connection and click Delete. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 41

42 System Settings Configuring SMTP Server (Mail Settings) Configuring SMTP Server (Mail Settings) Use this task to configure an SMTP server and send a test SMS message to devices. You must specify an SMTP server that will allow the McAfee Hub server to relay. For details on sending SMS messages to users, see Sending a Message to Users (SMS) on page From the Console select System Settings and then Mail Settings, and the Mail Settings screen appears. 2 Update information as it should appear in the messages that will be sent to devices: Message From Address The address from which you want the SMS message sent. This is not authenticated and can be any valid address format. Message Subject Text to be included in the Subject line of the SMS message. EMM Portal Message The provisioning message. SMTP Relay Server The IP address or DNS name of an SMTP relay server. 3 Click Save. 4 To send a test SMS message, click Send Test SMS message. Viewing EMM Push Notifiers Use this task to view McAfee EMM Push Notifiers. The EMM Push Notifier allows push notifications to be sent to both MDM and non-mdm devices for policy updates, and to retrieve device details. 1 From the Console select System Settings and then Push Notifiers, and the Push Notifiers screen appears. 42 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

43 Security Policies This chapter describes how to create and manage the security policies that will be published to your organization s mobile devices. The settings selected in the policies will determine how the devices function and interact with the network to keep the organization s resources secure. Contents Policy Overview and Recommendations Viewing Security Policies Creating a New Security Policy Reordering and Prioritizing Security Policies Publishing Security Policies Deleting a Security Policy Policy Overview and Recommendations This section describes McAfee EMM s policy functions and our recommendations. Default and Starter Policy The default policy is the policy that appears at the bottom of the list on the Policies screen. The default policy cannot have a group assigned to it all users who are not assigned to another policy are assigned the default policy. The McAfee EMM system provides a Starter Policy, and you can use or change the Starter Policy s settings. You can use the Starter Policy as the default policy, or you can create another policy to use as the default. Policy Membership Best Practices Note: If you are using ActiveSync Protocol for user authentication, all users receive the default policy, whether that is the Starter Policy or another policy you create and make the default. Policies that are not the default policy are assigned to users based on LDAP group membership. When users provision their devices, they receive the security policy based on their group membership. (This applies only to McAfee EMM systems using AD or Domino for user authentication.) We also recommend creating policy specific groups. For example, you could create a group with the name Sales_Policy_Group and add that group to the Sales Policy. If a user is listed as a member of multiple groups, and the groups use different policies, the policy with the highest priority will be applied. Priorities are assigned by the system administrator, and are listed in the McAfee EMM Console in priority order from top to bottom, with the highest priority on top. We recommend that a new policy not be applied to production users until it has been tested and verified. We recommend the following sequence: Create the policy Change the policy settings as needed. Assign the policy to a test group of users. Save the policy. Publish the policy. Evaluate the policy on the devices and adjust as needed. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 43

44 Security Policies Viewing Security Policies Change policy membership to the appropriate production groups. Publish the policy. For more recommendations on establishing your policy settings, see Appendix A Policy Worksheet on page 87. Viewing Security Policies Use this task to view security policies in the Console. 1 From the McAfee EMM Console, click the Policies icon. The Policies screen appears, showing the Starter Policy. Policy settings appear on the tabs, and the policies are listed on the right. The first time you view policies, only the Starter Policy is available. 2 To create a new policy, see Creating a New Security Policy on page To reorder and prioritize policies, see Reordering and Prioritizing Security Policies on page To change policy settings, see Changing Policy Settings on page 46. Creating a New Security Policy Use this task to create a new security policy. Only Console users with the System Administrator or Policy Administrator role can create new policies. 1 From the McAfee EMM Console select Policy Settings, then select Create New from the buttons on the right. The Create Policy screen appears. 44 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

45 Security Policies Reordering and Prioritizing Security Policies 2 Complete the fields: Source field Select New Policy or Copy Policy. Policy to Copy If you are copying a policy, this field appears. Select a policy to copy. New Policy Name A unique name for the policy. 3 Click Save. The new policy is created and appears on the right of the Policy screen. An exclamation mark appears next to the policy s icon, indicating it has not yet been published. Unpublished policy icon 4 Complete, edit, and save the policy settings as described Changing Policy Settings on page If you want to make the new policy the default policy, see Reordering and Prioritizing Security Policies on page Publish the policy as described in Publishing Security Policies on page 59. Reordering and Prioritizing Security Policies Use this task to reorder and prioritize security policies. Reordering determines which policy is the default, and sets the priority of the policy. The default policy appears at the bottom of the list on the Policies screen. 1 To reorder the policies, from the Policies screen, select Reorder Policies and the Reorder Policies screen appears. 2 Select a policy, and click the up or down arrows to reposition it in the list. 3 Click Save. The policies appear on the Policies screen in the order selected, and the policy at the bottom of the list is considered the default policy. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 45

46 Security Policies Changing Policy Settings Changing Policy Settings This section describes how to change policy settings. You can set the following policy settings: Compliance Membership (tab does not appear for the Starter Policy) Passwords Restrictions VPN Profiles WiFi Profiles Certificates Authority configurations APNs Note: The policy that appears at the bottom of the list on the right is the default policy. You cannot assign groups to the default policy, so the Membership tab does not appear for whichever policy is the default. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Compliance Settings Use this task to select compliance policy settings for blocking ios devices based on encryption support, jailbroken status, and operating system versions. 1 Select the policy to be changed and select the Compliance tab. 2 Under General Compliance, complete the fields: Block Devices That Don t Support Encryption Select to block devices that don t support encryption. To enforce this option on ios devices, the device has to provision using the McAfee EMM app. Block jailbroken devices Select to block ios devices that have been jailbroken. To enforce this option, the device has to provision using the McAfee EMM app. 46 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

47 Security Policies Changing Policy Settings Check jailbreak status every The interval (in minutes) of how often to send push notifications to check and report on the jailbroken status of the device. Note: If a user ignores the jailbroken check notification, the server starts to send jailbroken push notifications at the nag interval or the Check Jailbroken Status interval, whichever is smaller. The nag interval is set in the Hub s web config file (Hub) and its default value is 1 hour. If the user continues to ignore the jailbroken push notifications, and the policy restricts devices that are jailbroken, the device eventually will go out of compliance. 3 Under OS Compliance, select options to block ios devices based on the OS version. When ios devices with new OS versions provision, the OS versions are added to the list on the Compliance tab in the McAfee EMM system. You can also change the OS compliance versions manually. 4 To manually change the OS versions to be blocked: Click Add OS Version and the Add OS Version dialog box appears. From Device Model, select iphone, ipad, or ipod. In Version, type the OS version for the device, and click Save. 5 When all changes are complete on the Compliance tab, click Save. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Configuration Settings Use this task to select if (an ActiveSync account) will be configured on devices when they provision, and to configure how traffic will be directed: through the EMM Proxy server or through an alternate server. 1 Select the policy to be changed and select the tab. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 47

48 Security Policies Changing Policy Settings 2 Under Configure an ActiveSync account while provisioning, select or deselect the option to have devices configured with (an ActiveSync account) while provisioning. 3 To direct traffic through an EMM proxy server, complete the fields: Direct traffic through an EMM Proxy server - Leave this option selected. ActiveSync Endpoint - Select Use Auth Directory Configuration or Alternate EMM Proxy. If you select Alternate EMM Proxy, the settings selected in this Policy will override settings set in System Settings, Auth Directories. EMM Proxy Address - If you selected Alternate EMM Proxy as the ActiveSync Endpoint, enter the address of the alternate EMM Proxy. 4 To choose and configure an alternate server for directing traffic (not an EMM proxy server), complete the fields: Direct traffic through an EMM Proxy server Deselect this option. ActiveSync Endpoint Select Exchange, Domino, or Other as the ActiveSync Endpoint External ActiveSync DNS Address External DNS or IP address of the server that NAT s or routes to the mail server specified. The address input here will override the External ActiveSync DNS address configured in System Settings, Auth Directories. Send User s Domain If Other was chosen as the External ActiveSync DNS Address, select to send the user s domain is to the mail server specified. 5 Click Save. Assigning and Removing Group Membership to Policies Use this task to assign users to policies based on AD or Domino groups. We recommend creating policy-specific groups in the Directory and adding that group to the policy. This means that users of a group will receive the assigned policy instead of the Starter Policy. For example, you could create a group in the Directory with the name Sales_Policy_Group and add that group to the Sales Policy. Note: If your McAfee EMM system uses ActiveSync Protocol for user authentication, you cannot assign groups to policies all users get the default policy. You can use the Starter Policy as the default policy, or create a new policy and make the new policy the default. Note: Before adding groups to policies, you must first create groups in the Active Directory or Domino directory. Note: You cannot assign groups to the default policy. Create a new policy first. 1 Select the policy to be changed and select the Membership tab. 48 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

49 Security Policies Changing Policy Settings 2 Click Add and the Add Group dialog box appears. 3 Complete the fields: Location Select the domain to which the user group belongs. Group Name Type at least three characters of the group name, or press Enter, and the group names appear. 4 Select the group from the list. 5 Click Save. The Membership screen now lists the group associated with the policy. 6 Add all groups as needed to the policy. 7 To remove the group from the policy, select the group from the Membership tab, and click Delete. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Password Options Use this task to change general password settings such as password type, password requirements, and password length. 1 Select the policy to be changed and select the Passwords tab. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 49

50 Security Policies Changing Policy Settings The Power-On password is the password required for devices when they power on. The Profile Removal Password is an embedded device password that allows administrative access on Windows Mobile devices, or to remove the config profile from non-mdm devices. 2 Under Power-On Password, select or deselect to require a password when accessing a device. If a password is required, select the remaining password settings. Note: For Windows Mobile devices provisioned using PDASecure, you must select to require a password. 3 Under Profile Removal Password: Click Show to show or hide the administrator s password on the screen. Edit the default Administrator password by typing in the field. 4 Click Save. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Restrictions Use this task to define which device resources to restrict users from accessing. 1 Select the policy to be changed and select the Restrictions tab. 50 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

51 Security Policies Changing Policy Settings 2 Under General Restrictions, select the device resources to restrict: Restrict itunes Explicit Content Prevents downloading content that itunes has categorized as explicit. Restrict YouTube Prevents access to YouTube. Restrict itunes Prevents access to itunes. Restrict Camera The camera capabilities of the device. Allow FaceTime Allow FaceTime to be used on the device. This can only be selected if the camera capabilities of the device are not restricted. Restrict Screen Capture Prevents screen captures on the device. Restrict Automatic Sync While Roaming Prevents the device from syncing when roaming. Restricts In App Purchases Prevents the user In App purchases. Restricts Multiplayer Gaming Prevents the user from multiplayer gaming. Restrict Voice Dialing Prevents voice dialing capabilities. Restrict Installing Applications Prevents non-enterprise applications from being installed. Restrict Browser Restricts the Safari browser on ios device. If selected, select to allow or disallow Autofill, fraud warnings, Javascript, pop-ups, or cookies. 3 Under WM5/WM6 Client restrictions, select the device resources to restrict: Restrict Beam/IR The Beam/IR capabilities of the device. Restrict Desktop Sync The device capabilities to sync to a desktop using Active Sync capabilities on the device. Restrict WiFi The Wi-Fi capabilities of the device. Restrict Storage Card The Storage Card capabilities of the device. Restrict SMS/MMS/Text Messaging The SMS/MMS/Test Messaging on the device. This applies only to Windows Mobile devices. Restrict All Bluetooth All Bluetooth capabilities Allow Hands Free Select to allow Bluetooth hands-free. 4 Click Save. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 51

52 Security Policies Changing Policy Settings VPN Profiles Use this task to create, edit, or delete VPN profiles. All VPN profiles are supported for ios devices. All VPN profiles are supported for ios devices. For Motorola Android devices running Froyo 2.2 and above, L2TP and PPTP VPN profiles are supported. 1 Select the policy to be changed and select the VPN Profiles tab. 2 To add a profile, click Add and the Add VPN Payload screen appears. what 3 On the General tab, complete the fields: Connection Name Type a description name for the VPN settings. Connection Type Select L2TP, PPTP, IPSec (Cisco), Cisco AnyConnect, or Juniper SSL. Server Address Type the IP address or hostname of the VPN. Note: For Motorola Android devices running Froyo 2.2 and above, L2TP and PPTP VPN profiles are supported. 52 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

53 Security Policies Changing Policy Settings 4 On the Authentication tab, complete the fields: Username Template - Specify if users will be required to enter only their username or domain\username. Authentication Type Select the Authentication type for the connection. The fields change according to the connection type and authentication type. Complete the remaining fields as described, depending on Connection Type and Authentication Type: On the General tab, if you chose Connection Type On the Authentication tab, you can chose Authentication Type Complete these fields that appear for your Authentication Type L2TP Password RSA SecurID Shared Secret Type the pass phrase for connection. Send All Traffic Select to disable split tunneling. PPTP Password RSA SecurID Encryption Level Select the level of data encryption applied for the connection: None, Automatic, or Maximum (128 bit) Send All Traffic Select to disable split tunneling. IPSec (Cisco) Shared Secret (Group Name) Group Name Group identifier for the connection. Shared Secret Shared secret for the connection. Use Hybrid Authentication Authenticate using secret, name, and server-side certificate. Prompt for password Prompt user for password on the device. Certificate Identity Certificate Select the certificate that was configured on the Certificates tab. Include User PIN Request a PIN during connection and send with authentication. Enable VPN on Demand Select to have domain and host names establish a VPN. If selected, add Domain/Host names and Actions. Domain/Host The Domain/Host name. Action Select Always Establish, Never Establish, or Establish if Needed. Cisco AnyConnect Password Group - Group identifier for the connection. Password Password for the connection. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 53

54 Security Policies Changing Policy Settings On the General tab, if you chose Connection Type On the Authentication tab, you can chose Authentication Type Complete these fields that appear for your Authentication Type Certificate Group - Group identifier for the connection. Identity Certificate Select the certificate that was configured on the Certificates tab. Enable VPN on Demand Select to have domain and host names establish a VPN. If selected, add Domain/Host names and Actions. Domain/Host The Domain/Host name. Action Select Always Establish, Never Establish, or Establish if Needed. Juniper SSL Password Realm Realm for authenticating the connection. Role Role for authenticating the connection. Password Password for the connection. Certificate Realm Realm for authenticating the connection. Role Role for authenticating the connection. Identity Certificate - Select the certificate that was configured on the Certificates tab. Enable VPN on Demand Select to have domain and host names establish a VPN. If selected, add Domain/Host names and Actions. Domain/Host The Domain/Host name. Action Select Always Establish, Never Establish, or Establish if Needed. 5 On the Proxy tab: Select the Configuration None, Manual, or Automatic. For Manual configurations, complete the fields: o Address Type the address of the proxy. o Port Type the port of the proxy. o Username Type the user name of the proxy. o Password Type the password to the VPN server For Automatic configurations, type the URL of the VPN server. 6 Click Save. 7 Add as many VPN payloads as needed. 8 To edit a VPN connection, from the VPN Profiles tab, select the connection and click Edit. 9 To delete a connection, select a connection name and click Delete. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

55 Security Policies Changing Policy Settings Wi-Fi Profiles Use this task to create Wi-Fi profiles for ios devices, and for Android devices running Froyo 2.2 and higher. All Wi-Fi types are supported for ios devices. For Android devices running Froyo 2.2 and above, only WEP, WPA and open WiFi networks are supported. 1 Select the policy to be changed and select the WiFi Profiles tab. 2 Click Add and the Add WiFi Payload screen appears. 3 Complete the fields: Network SSID Type the Network SSID. Hidden Network Select if your access point is not broadcasting the SSID. Security Type Select the encryption for your wireless network. Fields and tabs appear based on the Security Type. 4 Complete the appropriate fields/tabs for the Security Type: Note: For Android devices running Froyo 2.2 and above, only WEP, WPA and open WiFi networks are supported. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 55

56 Security Policies Changing Policy Settings For these Security Types Complete these fields/tabs. WEP WPA/WPA2 Any (Personal) Password The password for the WiFi connection. WEP (Enterprise) WPA/WPA2 (Enterprise) Any (Enterprise) On the Protocols Tab: Select the appropriate protocols. If using TLS or TTLS, select PAP, CHAP, MSCHAP, or MSCHAPv2. If using EAP-FAST, select to use PAC, Provision PAC, or Provision PAC Anonymously. On the Authentication Tab: Username Template - Specify if users will be required to enter only their username or domain\username. Use Per Connection Password - Select if you want to use a perconnection password. Identity Certificate Select the certificate that was configured on the Certificates tab. On the Trust Tab: Trusted Certificate - Lists the trusted certificates as indicated in System Settings Certificates. Trusted Server Certificate Name Click Add to add the certificates that devices should trust and can automatically connect to. Allow Trust Exceptions - Allow trust decisions to be made by the user through a dialog box. 5 Click Save. 6 To edit an existing WiFi payload, on the WiFi Profiles tab, select a payload from the list and click Edit. 7 To delete a Wi-Fi payload, select a payload from the list and click Delete. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Certificate Authority Settings Use this task to select settings that will be used to request a certificate from the certificate authority. The certificate configured on the Certificates tab can be used when configuring VPN and WiFi. Before adding a certificate configuration, you must have an Enrollment Agent in place, and McAfee EMM must be installed using PKI. See Enrollment Agents on page Select the policy to be changed and select the Certificates tab. 56 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

57 Security Policies Changing Policy Settings 2 Click Add and the Add Certificate Configuration screen appears. 3 Complete the fields: Certificate Name Name of the certificate configuration. Enrollment Agent Select the enrollment agent. Certificate Template Certificate template that has to be used to request a certificate from the Certificate Authority. For example, User, Machine, and so on. Subject Template Template for the subject name. Acceptable values are: o User related - Username, Domain, Address. o Device related - SerialNumber, DeviceId, PhoneNumber, IMEI, UDID, DeviceModel, DevicePlatform, DeviceOSVersion, DeviceCarrier, DeviceWiFiMac. For example: E=${ Address}, CN=${Username}, CN=${Domain}, O=QA Key Size Select a key size. Use as Digital Signature Select to use as a digital signature. Use for Key Encipherment Select to use for key encipherment. Additional OIDs To add additional Key Usage OIDs, click Add and a new OID row appears in the list. Type the name of the OID. To delete an OID, select the OID from the list and click Delete. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 57

58 Security Policies Changing Policy Settings 4 To verify the connection to the Certificate Authority: Click Verify Connection and the Verify Certificate screen appears. Complete the fields: o Username The user name for the certificate authority connection. o Domain The domain of the certificate authority connection. o Subject Template Complete the details of the template. This field is dynamic and is based on the subject template. Click Verify Connection. When the connection is successful, a confirmation message appears. Click OK to return to the Verify Connection screen, and click Cancel to return to the Add Certificate Configuration screen. 5 Click Save and the new certificate configuration appears on the Certificates tab. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. APN Settings Use this task to define an Access Point Name (APN). Devices will use the APN to connect to a specific mobile network. An APN can be created only for ios devices. 1 Select the policy to be changed and select the APN tab. 2 Select Use custom carrier Access Point Network Name (APN). 58 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

59 Security Policies Publishing Security Policies 3 Complete the fields: Name - Name of the APN. Username Username to log onto the APN. Password Password to access the APN. Proxy Server Proxy server of the APN. Proxy Port Port of the proxy server. 4 Click Save. Important/Caution: Each time a policy is changed, it should be published. See Publishing Security Policies on page 59. Publishing Security Policies A policy must be published to the devices for the settings to take effect. You can save the policy changes and publish at a later time, or you can publish the policy right after saving it. Publishing Overview Please keep the following in mind when creating and publishing security policies: To publish policies to ios devices, the device must have been provisioned with the McAfee EMM app version 3.x or higher. ios devices that provision using the EMM Portal (non-mdm) need to re-provision to get a new policy or policy update. MDM devices receive an MDM profile when they provision. Once published, a policy is pushed to the devices in the background without user intervention. Before publishing a policy to ios4 devices, you should send a message to all users so they are aware that a new policy will be taking effect. When the MDM profile on the device receives the push notification, it contacts the server and gets the new policy. When this happens, the policy exchange account configuration is removed and readded on the device, which causes all mailbox data to re-sync. The user s may seem to disappear for a brief period of time until the re-sync is complete. For ios versions prior to ios4 (non-mdm), an alert is sent to the devices via the Apple Notification Servers when a policy is published. The devices display a pop-up window to indicate a new policy is available. Users can select OK or Cancel, but if they Cancel, the device will be marked as non-compliant until the user accepts the policy change. Windows Mobile devices automatically restart every time a new McAfee EMM policy is published. Publishing a Policy Use this task to publish a security policy. 1 From the Policies screen, locate the policy to be published. If a policy has been changed but not yet published, an exclamation mark appears next to it. Unpublished policy icon McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 59

60 Deleting a Security Policy 2 Click the publish icon for the policy. A confirmation dialog box appears. 3 Click OK to publish the policy. All devices which are currently assigned to the policy will be updated with that policy at the next check in. Deleting a Security Policy Use this task to delete a policy when it is no longer needed or wanted. When a policy is deleted, all users associated with that policy will be assigned to the Starter Policy, which is the default. You cannot delete the default policy. 1 From the Policy screen, locate the policy to be deleted. 2 Click the policy s Delete Policy icon. If the policy is currently selected, the icon appears on the upper-right of the policy screen. If the policy is listed on the right, the icon appears next to its name on the screen. Delete policy icon A confirmation dialog box appears asking to confirm the deletion. 3 Click OK to delete the policy. 60 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

61 Reports This chapter describes the reports available from the McAfee EMM Console. The following reports are available: Audit Log Compliance Status Package Deployment Pending Actions Registered Users Software Status Unregistered Devices Reports are generated in real-time and are not cached. All reports can be exported into Microsoft Excel format. Contents Viewing Reports Exporting Reports Viewing Reports Use this task to view the McAfee EMM Console reports. 1 From the McAfee EMM Console click the Reports icon. The Reports screen appears, with the Audit Log Report 2 Select the appropriate report from the right. The reports are described in the following sections. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 61

62 Reports Viewing Reports Audit Log Report The Audit Log report provides an audit trail of actions initiated by all Console users. The Audit Log Report lists events such as policy changes, logins, deleting devices, wiping devices, or uninstalling policy profiles. Only the System Administrator can view the Audit Log. Compliance Status Report The Compliance Status report shows all registered mobile devices and information on whether those devices are compliant or non-compliant. You can view all users, compliant users, or non-compliant users by selecting an option from the Filter drop-down menu. 62 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

63 Reports Viewing Reports Package Deployment Report The Package Deployment Report shows the status of packages being pushed to devices. You can view which packages are downloading, pending, been acknowledged, or that have completed downloading. Pending Actions Report The Pending Actions report lists any outstanding actions against devices. Pending actions include package updates, delete commands, uninstall commands, and wipe commands. This report shows which devices received commands and which devices did not. Registered Users Report The Registered Users report lists all users that have provisioned mobile devices. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 63

64 Exporting Reports Software Status Report The Software Status report lists each mobile device and it s versions of PDA Secure, Download Manager, and the security policy. The McAfee EMM app for ios devices is not shown on this report. Unregistered Devices Report The Unregistered Devices Report lists those devices that attempt to sync to the ActiveSync server but do not have the McAfee EMM software installed. If compliance enforcement is enabled, these devices will be blocked from getting , and if compliance enforcement is disabled, these devices can sync their . In either case, this report will show when the device last synced. Exporting Reports Use this task to export any report into Microsoft Excel format. 1 From the Reports screen, select the report to be exported. 2 Click the Export icon. You will be prompted to open or save the file. 3 Save the report or open the report. 64 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

65 Helpdesk and EMM Portal This chapter describes the troubleshooting functions available from the McAfee EMM Helpdesk and through the EMM Portal. The Helpdesk provides functions to troubleshoot issues on mobile devices. From the Helpdesk, administrators can view users, view devices, detect the jailbroken status of ios devices, perform remote diagnosis and remote wipe, delete and PIM data, lock and unlock devices, update provisioning tokens, reset passwords, override compliance, send SMS messages, and uninstall McAfee EMM software. The web-based EMM Portal allows users to wipe their own device if lost and to perform software downloads. Contents Viewing User and Device Detail Generate MDM Pending Actions (Query) Sending a Message to Users (SMS) Wiping Devices Deleting and PIM Data from ios Devices Uninstalling McAfee EMM from Devices Unlocking a User Locking Devices Resetting a Device Password Unlocking a Device/Resetting the Password (Windows Mobile Devices) Overriding Compliance for a Device Deleting Devices and Users from the Console Note: You can access certain McAfee EMM Helpdesk functions via REST services, allowing you to manage devices and users with the same functionality as provided via the EMM Console. You can access the following functions: Wiping Devices, Deleting and PIM Data, Uninstalling, Deleting Devices, Locking Devices, Unlocking/Resetting Password, Query, Set Provisioning Token, and Add Authorized users. For more information, contact McAfee Technical Support. Viewing User and Device Details Use this task to view all users and the devices that have provisioned at least once. Users are added to the McAfee EMM Console when their device is provisioned. (For information on provisioning, see the McAfee EMM Installation Guide. 1 From the McAfee EMM Console, click the Helpdesk icon. The Helpdesk screen appears, with a list of current users and devices. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 65

66 Helpdesk and EMM Portal Generate MDM Pending Actions (Query) Users and devices are listed on the top, and device details appear on tabs below the list. The device details vary, depending on device type, OS versions, and pending actions. Device details Shows the details about the device, including name, policy information, compliance information, identification information, and more. Applications Lists the applications and versions installed on the device. Certificates Lists an ios device s security certificate, certificate issuer, generation date, and expiration dates. Config Profiles Lists an ios device s configuration profiles stored on the device, including McAfee-EMM managed profiles and non-mcafee EMM profiles. This tab lists the configuration name, its identifier, and if the configuration is managed by McAfee EMM. Pending Actions Lists the device s pending actions, including the action type and the date and time the action was created. This tab appears only if the device has pending actions. Provisioning Profiles Lists an ios device s provisioning profile. Security Details Lists security information for the device, including if the device supports hardware encryption, is password protected, and if the password is profile compliant according to the policy settings. 2 To hide the device details, click Hide Details. 3 To show device details, double click a user/device, and the tabs reappear. 4 To locate a specific device/user, type one or more search criteria in the search box. A list matching the search criteria appears as you type. Note: If your McAfee EMM system was installed using MDM for ios devices and MDM/C2DM for Android devices, features include remote lock; passcode unlock; cleaner selective wipe; uninstall without user intervention; and ability to collect device details including phone numbers, installed apps, certificates, installed profiles, restrictions, policy compliance, IMEI number, and WAPMACA address. These features are not available if MDM is disabled. Generate MDM Pending Actions (Query) Use this task to generate MDM pending actions for ios devices provisioned with MDM and Android devices provisioned with MDM/C2DM: Get List of Installed Apps, Get Device Info, and Get Security Info. For ios devices, you can also generate the pending action Get Installed Profiles. 1 From the Helpdesk screen, locate and select the device for which you want to generate pending actions. 66 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

67 Helpdesk and EMM Portal Sending a Message to Users (SMS) 2 Click Query. MDM Pending actions are queued up. At the next MDM check-in interval, the device acts upon these actions and updates the server with the information. Sending a Message to Users (SMS) Use this task to send SMS messages to users from the Helpdesk. You can choose to send to all registered users or individual users. To send SMS messages, you must configure the SMTP relay server in the Console (see Configuring on page 42.) 1 Configure the SMTP relay server under the Console s System Settings. See Configuring on page From the Helpdesk main window, click Send SMS. The SMS dialog box appears. 3 Complete the fields: Send to All Registered Devices Select to send the SMS message to all registered users. Recipient s Phone Number Complete if you re sending the message to one user. Carrier Select the carrier of the user you re sending the SMS to. Subject Type a subject line for the message. Message Type the message. 4 Click Send SMS. Wiping Devices This section describes how to wipe devices. Wiping a mobile device performs a hard reset of the device and removes the McAfee EMM software, all data, and all applications from the device and returns it to factory settings. A device would typically be wiped if it is lost or stolen, or when it is being transferred from one user to another. If the device is lost, an end-user can trigger the wipe command from the EMM Portal, or the administrator can issue the wipe command from the Helpdesk. To completely wipe a device, see Wiping a Device from the Helpdesk on page 68, or Wiping a Device Using the EMM Portal on page 68. To remove only corporate , contacts, and calendar data from ios devices, see Deleting and PIM Data from ios Devices on page 70. To uninstall the McAfee EMM configuration/profile from ios devices or Android devices, see Uninstalling McAfee EMM from on page 71. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 67

68 Helpdesk and EMM Portal Wiping Devices To uninstall McAfee EMM software from Windows Mobile or Palm OS devices, see Uninstalling McAfee EMM from Windows Mobile on page 71. Wiping a Device from the Helpdesk Use this task to wipe a device from the Helpdesk. 1 From the Helpdesk screen, locate and select the device to be wiped. 2 Click Wipe. You will be prompted to confirm the wipe. 3 Click OK. Once a device has been wiped, the device s state on the Helpdesk changes to Wipe Complete and the device status update time shows when the wipe was completed. The device has to be deleted from the Helpdesk before it can be re-provisioned. Wiping a Device Using the EMM Portal Use this task to wipe a device using the EMM Portal. 1 Access the URL for the EMM Portal for your organization. 2 Review your company s acceptable use policy. The policy and view of the EMM Portal will vary depending on the browser or device. 3 Click Accept. 4 When prompted, enter your network user name, password, and domain. 68 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

69 Helpdesk and EMM Portal Wiping Devices 5 Select Log On and the Helpdesk screen appears. Note: After three incorrect password attempts, a user is locked out of the EMM Portal for one hour. If the user must be unlocked before one hour elapses, the administrator can unlock the user from the Helpdesk. See Unlocking a User on page Select the device to be wiped and a prompt appears for you to confirm the Wipe. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 69

70 Helpdesk and EMM Portal Deleting and PIM Data from ios Devices 7 Select Wipe. Once a device has been wiped, the device s state on the Helpdesk changes to Wipe Complete and the device status update time shows when the wipe was completed. The device has to be deleted from the Helpdesk before it can be re-provisioned. Deleting and PIM Data from ios Devices Use this task to delete , contacts, and calendar data from an ios device, but keep all other software, profiles, Exchange configurations, and applications intact. To completely wipe a device, see Wiping Devices on page 67. To uninstall the McAfee EMM software from devices, see Uninstalling McAfee EMM from Devices on page From the Helpdesk screen, locate and select the device to be wiped. 2 Click Delete & PIM Data. You will be prompted to confirm the deletion. 3 Click OK. A pending action is created, and the following occurs: The next time the device connects to the server, the Delete action will be initiated and the device status will change to Delete PIM in Progress. Once the data is deleted from the device, the device status changes to Delete PIM Completed and the device status update time is updated. The device will also appear as non-compliant in the Compliance Status Report. For MDM devices, the Enterprise Activation profile is removed, which contains the Exchange configuration and all data. The MDM profile remains, in case the devices has to be fully wiped in the future. For ios versions prior to ios4, the Inbox folder name remains on the device, but all s in the Inbox, all other folders, contacts, and calendar data will be deleted. Once a device has been selectively wiped, the device has to be deleted from the Helpdesk before it can re-provision. 70 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

71 Helpdesk and EMM Portal Uninstalling McAfee EMM from Devices Note: For ios devices prior to ios4, the device status will stay as Delete PIM in Progress even though the Delete has been initiated and completed, under the following conditions: if the user interrupts the deletion process in any way (for example, by manually syncing , resetting the device, or accessing the mail app); if the user s AD account is disabled and the device fails to sync before the Delete action is initiated from the Console; or if Push is turned off on the phone (device is configured to fetch mail instead of Push.) Uninstalling McAfee EMM from Devices This section describes how to uninstall the McAfee EMM profile and policy information from devices. Uninstalling is useful when an employee leaves the organization or no longer needs the device. You can uninstall from ios devices, Android devices provisioned with MDM/C2DM, and Windows Mobile devices. For Palm pre and WP7 devices, you should perform a complete wipe (see Wiping Devices on page 67). Uninstalling McAfee EMM Profile From ios Devices or Android devices (Remote Policy Removal) Use this task to uninstall McAfee EMM from ios devices provisioned with MDM or Android devices provisioned with MDM/C2DM. The Uninstall will completely remove the McAfee profile from the device, including the MDM profile. The device s Wi-Fi configuration and the McAfee EMM app will remain on the device. Uninstall will not remove the Exchange account on Android devices that were provisioned manually (non-mdm/c2dm). On Android devices, WiFi nodes not configured by the McAfee EMM app will also remain. 1 From the Helpdesk screen, locate and select the device to be uninstalled. 2 Click Uninstall. You will be prompted to confirm the uninstall. 3 Click OK. A prompt appears indicating the Uninstall notification was sent. For ios versions prior to ios4, when the device receives the notification, the device user will be prompted to install an Uninstall profile, which will replace their existing McAfee EMM profile. The user should then manually remove the Uninstall configuration profile. The device password will remain, but the user will then have the option to turn it off. The device will appear as non-compliant in the Compliance Status Report. For ios devices and Android devices, the Uninstall occurs behind the scenes and does not require user intervention. Once a device has been uninstalled, the device has to be deleted from the Helpdesk before it can re-provision. Uninstalling McAfee EMM from Windows Mobile Devices Use this task to uninstall McAfee EMM from Windows Mobile Devices. Uninstalling from Windows Mobile devices removes the McAfee EMM software but does not remove data or applications. PDASecure will be removed, but the Download Manager, Exchange data, and Exchange configuration remain. Any encrypted data stored on the device and the SD card will be decrypted. If you want to remove all applications and data from a device, see Wiping Devices on page From the Helpdesk screen, locate and select the device to be wiped. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 71

72 Helpdesk and EMM Portal Unlocking a User 2 Click Uninstall. You will be prompted to confirm the uninstall. 3 Click OK. A prompt appears indicating the Uninstall notification was sent. The McAfee EMM server sends an uninstall command to the device, and the McAfee EMM software will be uninstalled the next time the device checks in. Once a device has been uninstalled, the device has to be deleted from the Helpdesk before it can re-provision. Unlocking a User Use this task to remotely unlock a user, after the user exceeds the allowed password attempts when accessing the McAfee EMM App/EMM Portal. 1 From the Helpdesk, select the user to be unlocked. 2 Click Unlock User, from the top of the Helpdesk screen. The Unlock User screen appears, which displays a list of locked users. 3 Select the locked user from the list, and click Remove User. This removes the user from the locked users list, not from the McAfee EMM system. The user is unlocked. Locking Devices Use this task to remotely lock an ios device or Android device from the Helpdesk. Only MDMprovisioned ios devices and Android devices running Froyo 2.2 and higher can be locked from the Helpdesk. 1 From the Helpdesk, select the device to be locked. 2 Click Lock at the bottom of the Helpdesk screen. The device is locked. If the user knows the password, they can unlock the device. 72 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

73 Helpdesk and EMM Portal Resetting a Device Password Resetting a Device Password Use this task to remotely reset a device password for an ios device or Android device. The user must then reset the password. Only MDM-provisioned ios devices and Android running Froyo 2.2 and higher can have the password reset from the Helpdesk. 1 From the Helpdesk, select the device for which you want to reset the password. 2 Click Reset Password. On an ios device, the device is unlocked and prompts the user to reset the password. On an Android, a dialog box that displays the token appears in the Console. Read the token to the user to unlock the Android. Unlocking a Device/Resetting the Password (Windows Mobile Devices) Use this task to remotely unlock Windows Mobile devices from the Helpdesk. During this procedure, the device user and the Helpdesk operator exchange codes to unlock the device and reset the password. 1 From the Helpdesk, select the device to be unlocked. 2 Click Reset Password from the Helpdesk screen. The Reset Password Confirmation screen appears. 3 Click OK. The Reset Password screen appears asking for the Authentication Code. 4 Ask the device user to select Remote Unlock from the EMM screen on their device. This is done by manually locking the device and then selecting Remote Unlock from the menu of the password screen. 5 Ask the device user to read to you the sixteen-character authentication (SP) code that is displayed on their device. 6 In Authentication Code on the Reset Password screen, type the authentication code that the device user read to you. The code must be typed in uppercase letters. 7 Click Save. An unlock code appears in the EMM Console, which will need to be read back to the device user. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 73

74 Helpdesk and EMM Portal Updating a Provisioning Token from the Helpdesk 8 Read the unlock code to the device user, and tell the user to enter the code on their device. 9 Tell the user to click Next on their device, and to follow the prompts to change their power-on password. Once they have changed the password, the device is unlocked and ready to use with the new password. 10 Click OK to close the dialog box on the EMM Console. Updating a Provisioning Token from the Helpdesk Use this task to create a provisioning token, or one-time password, for a user/device. If authorized users were added using LDAP groups in System Settings, the provisioning token must be created for an individual user through the Helpdesk. 1 From the Helpdesk screen, click Update Token and the Update Token screen appears. 2 Type a user name in the search box, and select a user from the Name list. 3 Complete the fields: Provisioning Token The one-time password that the user needs to input to provision the device. Hours Valid The number of hours the password is valid. Token Expiration is automatically updated with the expiration date. Delivery Action - Select one of the following: 4 Click Save. o No Action Creates the token in McAfee EMM, but does not send a message to the user. The token must be given to the user via other means. Choose this if you don t know the user s or phone number. o Send SMS Sends an SMS message to the user with the token in the message. o Send Sends an message to the user with the token in the message. 74 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

75 Helpdesk and EMM Portal Overriding Compliance for a Device 5 If you selected Send SMS, the Provisioning SMS dialog box appears. Complete the fields and click Send SMS. 6 If you selected Send , the client opens with a message to the recipient. Send the message. Overriding Compliance for a Device Use this task to override the compliance settings for a specific device from within the Helpdesk. You can set the device to always be compliant or never be compliant. Overriding compliance might be done if a user goes on extended leave that is longer than the compliance window for their device. Setting the device to always be compliant until the user s return prevents the device from being marked as non-compliant. For an overview of compliance, see Overview of Compliance on page From the Helpdesk screen, locate and select the device to be overridden. 2 Click Compliance Override. The Compliance Override dialog appears. 3 Complete the fields: Enable Compliance Override Select to enable the override. Compliance Status Complete as follows: o Always Compliant Permits the user to check in and sync their device even when they are not compliant. o Never Compliant Restricts the user from checking in or syncing even when they are compliant. Expiration Date An expiration date for the compliance override. 4 Click Save. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 75

76 Helpdesk and EMM Portal Deleting Devices and Users from the Console Deleting Devices and Users from the Console Use this task to delete a user and device from the Console. Please note the following: A device can be deleted from the Console once it has been wiped, uninstalled, or had and PIM data deleted. Deleting a device removes it from the Console but does not remove the McAfee EMM software or any data or applications on the device. To uninstall the McAfee EMM software from the device, see Uninstalling McAfee EMM from Devices on page 71. To wipe a device, see Wiping Devices on page 67. Deleting a device does not delete the McAfee EMM user account and does not delete or modify the user account in Active Directory or Domino. 1 From the Helpdesk, locate and select the device to be deleted. 2 Click Delete. You will be prompted to confirm the deletion of the user. 3 To confirm the deletion, click OK. The device is deleted. 76 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

77 Package Management This chapter describes how to use the McAfee EMM Console to deliver packages to devices. Through Package Management, you can distribute and install corporate applications without having physical access to the devices. Packages can be created for ios devices, Android devices, and Windows Mobile devices, and can be pushed to devices based on users or groups. Each package can only be sent to one operating system. For example, if you needed to send the file sendme.cab to operating systems PPC5 and PPC6, you will need to create two packages, one for each operating system. For Windows Mobile devices, applications must be in the installable.cab format. Contents Creating a New Package Adding, Removing, and Reordering Files in Packages Assigning Packages to Users or Groups Pushing Packages to Windows Mobile Devices Deleting Packages Creating a New Package Use this task to create a new package. The McAfee EMM system provides three packages that you can use and rename, or you can create a new one. 1 From the EMM Console, select Packages, and the Packages screen appears. The McAfee EMM system provides several package types: Android, ios, Windows Mobile PPC (for Windows Mobile Pocket), and Windows Mobile SP (for Windows Mobile Smartphone). You can select one of these and rename it, or you can create a new package. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 77

78 Package Management Adding, Removing, and Reordering Files in Packages 2 To use a provided package: Select the package from the right side of the screen. Click the rename icon of the package. The Rename Package dialog box appears. Type a new name for the package and click Save. 3 To create a new package: Select Create New and the Create New Package dialog box appears. Complete the fields: o Platform Select the platform for the package. 4 Click Save. o Name The name of the package. o Requires Reset (optional) For Windows Mobile packages, select if you are adding a package that requires the Windows Mobile device to reboot after the package files are installed. The new package appears on the Packages screen. Adding, Removing, and Reordering Files in Packages This section describes how to add and remove files from packages, how to change the installation order of files, and how to remove files from packages. 78 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

79 Package Management Adding, Removing, and Reordering Files in Packages Adding Files to Packages for ios devices Use this task to add files to packages for ios devices. When files are added to the ios package, the files will appear on under Recommended Apps section in the McAfee EMM app on the device. The files also appear on the EMM Portal and can be downloaded by ios devices. Note: The maximum file size for apps is 50 MB. 1 From the right side of the screen, select the ios package to which you want to add files. 2 Click Add and the Add File dialog box appears. 3 Under File Type, select the file type being added, and complete the fields for that file type: MobileConfig A mobile config file: o File Name Select the mobilconfig file. o Version The file version. o Notes Notes that apply to the file, such as a description. Enterprise Application - Apps you are providing that are available only to your users: o Plist Path Select the property list file. o IPA Path Select the application file. o Icon Path Select an icon for the enterprise app. (optional) App Store Application - Apps that you recommend for your users that are available from the Apple App Store: o Application Name Name for the app. o Application Link URL of the app s location in the Apple App Store. o Icon Path Select an icon for the app. Web Clip - A shortcut to a web site: o Display Name Name that will appear for the web clip. o URL URL of the web site. o Icon Path Select an icon for the web clip. o Allow Removal Enable or disable the user from removing the web clip. o Use Full Screen Enable or disable the web clip to use the full display screen. 4 Click Add, and the file is added to the package. The column Show on Portal is checked on the Package Editor screen. Once an MobileConfig, Enterprise App, or App store Application is added, the McAfee EMM App on the device shows the files in the Recommended Apps section. The files also appear on the EMM Portal and can be downloaded from ios devices. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 79

80 Package Management Adding, Removing, and Reordering Files in Packages Once a Web Clip is added, the Web Clip is installed when the device provisions or receives a policy update. Adding Files to Packages for Android devices Use this task to add files to packages for Android devices. 1 From the Packages screen, select the Android package to which you want to add files. 2 Click Add and the Add File dialog box appears. 3 Under File Type, select the file type being added, and complete the fields for that file type: Marketplace Application Android Marketplace apps: o Application Name The name of the Marketplace app to be added. o Application Link The link to the Marketplace app. o Icon Path (optional) Select an icon for the app. Enterprise Application - Apps you are providing that are available only to your users: o Application Name The name of the Marketplace app to be added. o Version The version of the app being added. o Plist Path Select the property list file. o APK Path Select the application file. o Icon Path Select an icon for the enterprise app. This is optional. 4 Click Add File, and the file is added to the package. Adding Files to Packages for Windows Mobile Devices Use this task to add files to packages for Windows Mobile devices. 1 From the Packages screen, select the Windows Mobile package to which you want to add files. 2 Click Add and the Add File dialog box appears. 80 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

81 Package Management Adding, Removing, and Reordering Files in Packages 3 Complete the fields: File Type Select the type of file being added: Third Party or CAB. File Name Select the file to be added. Version Type the file version. Notes Type any notes that apply to the file, such as a description. Silent Install Select to have the files install in the background, without notifying the user. If the file will require a user prompt to install it, do not select silent install. Supported Platforms Select the platforms to which the file applies. 4 Click Add and the file is added to the package. Reordering Files in Packages Use this task to reorder files in packages. 1 From the Packages screen, select a package from the right. 2 Click the Applications & Files tab. 3 Click Reorder and the Reorder Files screen appears. 4 Click the green arrows to set the installation order of the package files. 5 Click Save. Removing Files from Packages Use this task to remove files from packages. 1 From the Packages screen, select a package from the right. 2 Select the Applications & Files tab, and select the file to be removed. 3 Click Remove. 4 Click Save. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 81

82 Package Management Assigning Packages to Users or Groups Assigning Packages to Users or Groups Use this task to assign a package to a user or group. Note: Windows Mobile devices that provision and meet the target device criteria will receive the package in addition to the provisioning package. 1 From the Packages screen, select a package and click the Assigned Devices tab. 2 From Type, select to filter on Users or Groups. 3 From Value, select a specific user or group. The users or groups that appear are authorized or provisioned users of the McAfee EMM system, or members of an LDAP group. 4 If you want to add a new LDAP group: o Under Filter, select Add Group and the Add Group dialog box appears. o Select the Location and Group Name, and click Save. o The Assigned Devices tab reappears and you can now select that group from the Value column. 5 The users or groups to which the package is assigned are listed under Devices. 6 To set another filter, click the blank line under the last filter in the list. 7 To remove a filter, select the filter from the list and click Remove Filter. Note: You can have only one user and one group filter per package. 8 Click Save & Publish. Pushing Packages to Windows Mobile Devices Use this task to push a package to Windows Mobile devices. 1 Select the Windows Mobile package to the pushed. 2 Select the Assigned Devices tab and click Push to Devices. The selected devices are queued to receive the package the next time devices check in. 82 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

83 Package Management Deleting Packages Deleting Packages Use this task to delete a package. A package cannot be deleted if there are pending actions associated with any device that is supposed to get the package. 1 To delete a package, from the Package screen, click the delete icon of that package. The package is deleted. Downloading Files from the EMM Portal (ios Devices) Use this task to download files from the EMM Portal. This feature is available only for ios devices. 1 Access the URL for the EMM Portal for your organization. 2 Review and accept your company s acceptable use policy. The policy and view of the EMM Portal will vary depending on the browser or device. 3 When prompted, enter your network user name, password, and domain. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 83

84 Package Management Downloading Files from the EMM Portal (ios Devices) 4 Select Log On and the Helpdesk screen appears. 84 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide

85 Package Management Downloading Applications or Files from Recommended Apps (ios Devices and Android devices) 5 Select Download Files and the Download Files screen appears. 6 Select the mobile.config file and the file downloads. Downloading Applications or Files from Recommended Apps (ios Devices and Android devices) Use this task to download applications or files from the Recommended Apps section on the device. This can be done only for ios devices and supported Android devices. 1 From the McAfee EMM app, select Recommended Apps. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide 85

86 Package Management Downloading Applications or Files from Recommended Apps (ios Devices and Android devices) 2 Select the application or file to install. 86 McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide