MDM Android Client x - User Guide 7P Mobile Device Management. Doc.Rel: 1.0/

Similar documents
MDM Android Client User Guide 7P Mobile Device Management. Doc.Rel: 1.0/

MDM Android Client x - User Guide 7P Mobile Device Management. Doc.Rel: 1.0/

7P MDM Server x - ios Client Guide 7P Mobile Device Management. Doc.Rel: 1.0/

7P MDM Server x - ios Client Guide 7P Mobile Device Management. Doc.Rel: 1.0/

7PMDM Server x - SymbianS60 Client Guide. 7P Mobile Device Management. Doc.Rel: 1.3 / Doc.Nr.: n/a

7PMDM Server x - SymbianS60 Client Guide. 7P Mobile Device Management. Doc.Rel: 1.4 / Doc.Nr.: n/a

Telenor MDM. Quick Start Guide

Telenor MDM v x Zero Touch Enrollment

Telenor MDM. Samsung KME Note ( )

Telenor MDM. Samsung KME Note ( )

Android User Guide. for version 5.3

Dell EMC OpenManage Mobile. Version User s Guide (Android)

Enterprise Security Solutions by Quick Heal. Seqrite.

Strengths of Knox Manage Kiosk

Vodafone Secure Device Manager Administration User Guide

Verizon MDM UEM Unified Endpoint Management

Dell EMC OpenManage Mobile. Version 3.0 User s Guide (Android)

VMware AirWatch Self-Service Portal End User Guide

Dell EMC OpenManage Mobile. Version User s Guide (ios)

The following device commands are used most frequently: Lock/Unlock device O - O O. Reset screen password O - O - Factory reset + Initialize SD Card

Sophos Mobile Control Administrator guide. Product version: 5.1

ForeScout Extended Module for VMware AirWatch MDM

3CX Mobile Device Manager

Windows 8/RT Features Matrix

MDM Feature overview - Server Version 5.31 from

ForeScout Extended Module for MobileIron

AirWatch for ios Devices

7PMDM Server x - Microsoft Windows Phone 8 7P Mobile Device Management. Doc.Rel: 1.0 / Doc.No.: Windows_ Phone 8 _EN

ForeScout Extended Module for MaaS360

Dell EMC OpenManage Mobile Version 2.0 User s Guide (ios)

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

VMware Mirage Web Manager Guide

AirWatch for Android Devices for Skype for Business

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

EasiShare ios User Guide

Vodafone Mobile Wi-Fi Monitor. Android Troubleshoot Guide


Samsung Knox Mobile Enrollment. VMware Workspace ONE UEM 1902

7P MDM Server Admin Quick Start 7P Mobile Device Management

7PMDM Server x - CSV Import 7P Mobile Device Management. Rel:1.0 / 03 Jan. 18

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902

ENTERPRISE MOBILITY USER GUIDE

Sophos Mobile. startup guide. Product Version: 8.1

INTACTPHONE USER GUIDE

VMware AirWatch Android Platform Guide

ipad in Business Mobile Device Management

Mobility Manager 9.5. Users Guide

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

VMware Workspace ONE UEM Integration with Apple School Manager

SIGNATUS USER MANUAL VERSION 3.7

MDM Server 5.26 Release Highlights. 7P Mobile Device Management. Rel: 1.0 /

Table of Contents... ii. Go Ahead Bring Your Own Device to Work... 1 Requirements... 1

COMMUNITAKE ENTERPRISE MOBILITY: USE GUIDELINES

Administrator IT Guide. Samsung Knox Configure Shared Device

NotifyMDM Device Application User Guide Installation and Configuration for Android


Sophos Mobile. user help. product version: 8.6

Sophos Mobile in Central administrator help. Product version: 7.1

Sophos Mobile Control startup guide. Product version: 7

Knox Mobile Enrollment

Seqrite Mobile Device Management

AirWatch for Android Devices for AirWatch InBox

Sync User Guide. Powered by Axient Anchor

Sophos Mobile in Central


McAfee MVISION Mobile Threat Detection Android App Product Guide

Using the Self-Service Portal


Mobile Inventory Tracking & Sales Management Software. Installation Procedure

Sophos Mobile in Central

Sophos Mobile as a Service

Pulse Workspace Appliance. Administration Guide

BAE Systems employee app - installation Guide

GRS Enterprise Synchronization Tool

VMware AirWatch and Office 365 Application Data Loss Prevention Policies

Seqrite Mobile Device Management

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

Sophos Mobile. startup guide. Product Version: 8.5

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811

VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices

QuickStart Guide for Mobile Device Management. Version 8.7

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch

SAS Factory Miner 14.2: User s Guide

7PMDM Server x - CSV Import 7P Mobile Device Management. Rel: 1.0 /

VMware Mirage Web Management Guide. VMware Mirage 5.9.1

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

SATO Online Services User s Manual May 19, 2017 Version 1.0

DSS User Guide. End User Guide. - i -

Task On Gingerbread On Ice Cream Sandwich Notification bar on lock screen Notification bar is not accessible on the lock screen.

CounterACT Afaria MDM Plugin

EAM Portal User's Guide

Installation Guide for Android Revision v4.02, November 29th 2016

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

NotifyMDM Device Application User Guide Installation and Configuration for ios with TouchDown

VMware Mirage Web Management Guide

VMware Workspace ONE UEM Integration with Smart Glasses. VMware Workspace ONE UEM 1811

Sophos Mobile SaaS startup guide. Product version: 7.1

Intune Policies Guide

Transcription:

MDM Android Client 5.26.0x - User Guide 7P Mobile Device Management Doc.Rel: 1.0/ 2017-07-16

Table of Contents 1 Objectives and Target Groups... 9 1.1 Important information... 9 1.2 Third-Party Materials... 9 1.3 Text conventions... 9 1.4 Integrity of device OS... 9 1.5 Hyperlink navigation... 10 1.6 Home hyperlink... 10 1.7 Menu Items... 10 1.8 Description of the warning flags... 10 1.9 Additional documentation... 11 1.10 Automatic MDM client selection... 12 1.11 MDM client distribution... 13 1.12 Device administrators permission... 13 1.12.1 Android 4.x devices unknown sources path... 13 1.12.2 Android 2.x devices unknown sources path... 14 2 MDM Client Installation... 15 2.1 SMS initiated delivery with automatic activation... 15 2.2 Wi-Fi installation with QR code activation... 16 2.3 MDM Client download and installation... 16 2.3.1 Downloaded application installation... 17 2.4 Activate device administration?... 18 2.5 Client Activation Methods... 19 2.5.1 SMS activation (preferred)... 19 2.5.2 Activation using QR code... 19 2.6 Activation confirmation... 20 2.6.1 Backup security code... 20 2.6.2 Client Activated... 21 2.7 Additional activation steps (Samsung Knox Workspace)... 22 3 MDM Client Android Console version 5.24 and above... 23 3.1 Access to the MDM Client... 23 3.1.1 Activation error... 24 3.1.2 About the MDM 5.24.04 client... 25 3.2 MDM client navigation Force a connection shortcut... 25 7PMDM_Client_Android_v5.26.0x_EN.docx Page 2 / 74 ^Home

3.2.1 3.2.2 3.2.3 3.3 3.4 3.4.1 3.4.2 3.5 3.5.1 3.5.2 3.6 3.6.1 3.7 3.7.1 3.7.2 3.8 3.8.1 3.8.2 MDM client navigation Open AppStore icon shortcut... 26 MDM client navigation Open MDM SSP icon shortcut... 26 Open the MDM client settings... 27 MDM Client's menu structure... 28 MDM client preferences About... 29 About Application name and version... 29 Tools - Activity details... 29 Tools AppStore... 30 Tools Change security code... 30 Tools Activate... 31 Tools Reset data... 31 Tools - Policies... 32 Connection connect... 33 Connection Online... 33 Android for Work... 34 Privacy settings Send GPS data... 34 Privacy Settings Security code... 35 Privacy settings Device encryption... 35 4 MDM Client Android Console version 5.22 and below... 37 4.1 Access to the MDM Client... 37 4.1.1 About the MDM client... 38 4.2 MDM client navigation bar shortcuts... 39 4.2.1 Force a connection icon shortcut... 39 4.2.2 Open the MDM client AppStore icon shortcut... 39 4.2.3 Open the MDM client navigation bar icon... 40 4.2.4 Open the MDM SSP icon shortcut... 40 4.3 MDM Client's menu structure... 41 4.4 MDM client preferences About... 42 4.4.1 About Application name and version... 42 4.5 Application management AppStore... 42 4.6 MDM Client preferences - Connection... 43 4.6.1 Connection connect... 43 4.6.2 Connection - Activity details... 43 4.6.3 Connection Activate... 44 4.7 MDM Client preferences -Advanced... 44 4.7.1 Advanced - Policies... 44 7PMDM_Client_Android_v5.26.0x_EN.docx Page 3 / 74 ^Home

4.8 4.8.1 4.8.2 4.8.3 4.8.4 MDM Client preferences - Privacy Settings... 45 Privacy Change security code... 45 Privacy settings Send GPS data... 45 Privacy Settings Security code... 46 Privacy settings Device encryption... 46 5 MDM Client - Android Kiosk Mode... 48 5.1 Android Kiosk Mode applications... 48 5.2 Creating the Android Kiosk mode configuration... 49 5.2.1 Disable Kiosk mode internet connected device... 49 5.2.2 Disable Kiosk mode internet disconnected device... 49 5.3 Enabling Kiosk Mode... 50 5.3.1 Deploying a basic Kiosk mode configuration... 51 5.4 Disabling Kiosk Mode... 52 5.5 Enabling Kiosk Mode (Advanced)... 53 5.5.1 Application list (defined)... 54 5.6 Adding an application to an individual cell location... 55 5.6.1 Using Other Application list (manual addition)... 56 5.7 Kiosk Settings application... 56 5.8 Kiosk Settings application Clear data... 57 6 Samsung Knox Workspace... 58 6.1 Samsung Knox Workspace... 58 6.2 Samsung Knox Workspace compatible devices... 58 6.3 Samsung Knox Workspace compatible device API matrix... 59 6.4 7P MDM server Knox Workspace pre-requisites... 60 6.4.1 Valid Knox Workspace license token... 60 6.4.2 Use the license to Activate field... 60 6.4.3 Create Knox container Configuration... 61 6.4.4 Create an Optional Autolock configuration... 61 6.4.5 Initiate the Knox Workspace on the device... 62 6.5 User action experience... 62 6.6 7P MDM server administrator commands and indications... 65 6.6.1 Knox Container Lock - Lock... 65 6.6.2 Knox Container Lock - Unlock... 66 6.6.3 Knox Container password Enforce change... 66 6.6.4 Knox Container password Reset... 66 6.6.5 Knox Container - Remove... 67 7PMDM_Client_Android_v5.26.0x_EN.docx Page 4 / 74 ^Home

6.7 6.8 6.9 6.10 Defining target delivery... 67 Specifying device default location target... 68 Installing an application to the Knox Workspace... 69 Inspecting Knox applications... 70 7 Remove (uninstall) the MDM Client... 71 7.1 Manual uninstall of the MDM Client... 71 8 Samsung KNOX Mobile Enrollment (KME)... 73 7PMDM_Client_Android_v5.26.0x_EN.docx Page 5 / 74 ^Home

Table of Figures Figure 1 Android 4.x unknown sources... 13 Figure 2 Android 2.x unknown sources permission... 14 Figure 3 SMS download link... 15 Figure 4 Email containing download link.... 16 Figure 5 Auto detection of the device.... 16 Figure 6 Accessing the downloaded MDM client... 17 Figure 7 Do you want to install the application?... 17 Figure 8 Application installed.... 18 Figure 9 Automatic activation message.... 18 Figure 10 QR code activation email.... 19 Figure 11 Activate with QR code.... 19 Figure 12 Inputting the activation PIN code... 20 Figure 13 Backup security code warning... 20 Figure 14 Samsung Knox Workspace acknowledgement... 22 Figure 15 Knox Standard management privileges... 22 Figure 16 MDM Client icon.... 23 Figure 17 Accessing the MDM Client menu structure... 25 Figure 18 Force connection icon shortcut... 25 Figure 19 Navigation bar shortcut to the AppStorage contents... 26 Figure 20 Accessing the MDM SSP user interface... 26 Figure 21 Access to MDM client structure icon... 27 Figure 22 About the MDM Client.... 29 Figure 23 Tools Activity details... 29 Figure 24 Tools location.... 30 Figure 25 Change security code.... 30 Figure 26 MDM client activation methods.... 31 Figure 27 Policies.... 32 Figure 28 Policies front panel alert icon... 32 Figure 29 Force connection to MDM Server.... 33 Figure 30 Send GPS data.... 34 Figure 31 Send security code... 35 Figure 32 Device encryption... 35 Figure 33 Encryption - choose screen lock type... 36 Figure 34 Encryption - encrypt device... 36 7PMDM_Client_Android_v5.26.0x_EN.docx Page 6 / 74 ^Home

Figure 35 MDM Client icon.... 37 Figure 36 Accessing the MDM Client menu structure... 38 Figure 37 Force connection icon shortcut... 39 Figure 38 Navigation bar shortcut to the AppStorage contents... 39 Figure 39 Access to MDM client structure icon... 40 Figure 40 Accessing the MDM SSP user interface... 40 Figure 41 About the MDM Client.... 42 Figure 42 Tools location.... 42 Figure 43 Force connection to MDM Server.... 43 Figure 44 Tools Activity details... 43 Figure 45 MDM client activation methods.... 44 Figure 46 Policies.... 44 Figure 47 Change security code.... 45 Figure 48 Send GPS data.... 45 Figure 49 Send security code... 46 Figure 50 Device encryption... 46 Figure 51 Enabling (Basic) Kiosk mode... 50 Figure 52 Define inbuilt Kiosk mode applications... 51 Figure 53 Disable Kiosk mode configuration... 52 Figure 54 Application list creation... 54 Figure 55 Kiosk settings... 56 Figure 56 Kiosk settings application buttons... 57 Figure 57 Knox Workspace supported devices... 58 Figure 58 Courtesy Samsung Enterprise Alliance Program... 59 Figure 59 Device Actions - Install configuration... 62 Figure 60 On device Knox Workspace configuration screen... 62 Figure 61 User must accept Terms and Conditions... 63 Figure 62 User must select security method and insert code... 63 Figure 63 Knox Workspace navigation tips displayed... 64 Figure 64 Knox Workspace successfully created... 64 Figure 65 Samsung Knox workspace receives Lock command... 65 Figure 66 Knox - Container password- Reset command... 66 Figure 67 Knox Workspace container erased... 67 Figure 68 Defining the default target location Device or Knox Workspace... 68 Figure 69 Installing application to Knox Workspace... 69 Figure 70 Deactivate MDM Client.... 71 Figure 71 Active uninstall button.... 71 7PMDM_Client_Android_v5.26.0x_EN.docx Page 7 / 74 ^Home

Figure 72 Removal of MDM Client.... 72 List of Tables Table 1 Text convention... 9 Table 2 MDM Client's menu structure... 28 Table 3 MDM Client's menu structure... 41 Table 4 Kiosk Mode main settings... 50 Table 5 Kiosk mode supported applications... 53 Table 6 Kiosk mode kiosk settings... 57 7PMDM_Client_Android_v5.26.0x_EN.docx Page 8 / 74 ^Home

1 Objectives and Target Groups Objectives: The aim of this document is to describe to customers of SEVEN PRINCIPLES AG the key features and deployment of the 7P MDM Android Client. It describes the installation process of the MDM Client, using both GSM (i.e. devices with an active SIM card and data plan) and Wi-Fi only compatible devices. The installation is followed by a description of the activation process which allows the MDM Client to successfully communicate with a designated MDM Server. The section entitled "MDM Client Android console," details the settings and functionality available to the MDM Client. This includes a full disclosure of the MDM Clients "Privacy Settings." The document also describes the installation process for the Android 2.x and Android 4.x operating system. Both installation and activation procedure only differ slightly. This document reflects the current functions of the 7P MDM Android Client. Any updates or feature enhancements made to the product will be promptly reflected in future releases of this document. Target group: This document was created specifically for the customers of SEVEN PRINCIPLES AG. 1.1 Important information The installation of both Identity and Root certificates is supported on the MDM Android platform providing the root certificate is of type ".cert, " and the identity certificate is of type ".p12" or ".pfx" and that an MDM client security code is present, otherwise the certificates installation will be silently rejected by the device. 1.2 1.3 1.4 Third-Party Materials All third-party trademarks are the property of their respective owners. Text conventions The following conventions are typically adhered to in the construction of this document. Convention Key names The word enter Bold Italics Description Integrity of device OS Keys that are pressed simultaneously are linked by a plus sign (+): e.g. Press Ctrl + Alt + Del Enter indicates you type something and then press the Return or Enter key. Used to distinguish certain words from others within the text Used to distinguish certain words from others within the text Table 1 Text convention The MDM server relies on the integrity of the device's OS to forward information to the MDM server by the device proprietary messaging OS, or via the MDM client acting with the device messaging OS. In the unfortunate event that a device OS is compromised or has been corrupted in any way, the information passed to the MDM server may be corrupt, impeded or non-existent. The handling of such a situation is beyond the scope of the 7P MDM server. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 9 / 74 ^Home

1.5 Hyperlink navigation Hyperlinks are used to allow detailed examination of information. For example, if an Operation (named SIM change test) has been deployed to the device, a status message would be included in the device history. Selecting the "SIM change test" hyperlink will open the Operation > SIM change test allowing closer examination. Selecting the browsers "back" button will return the administrator to the device history log. When hyperlinks are available, selecting the hyperlink will either: Navigate the administrator to the origin of the link, for example, a configuration statement To further functionality, for example, as with the displaying of GPS records Utilising the back facility of the browser may return the administrator to the original page. It is always advisable, due to the dynamic nature of the updating data, for the administrator to restart their query with the vertical menu buttons. 1.6 1.7 1.8 Home hyperlink A hyperlink (^Home) is inserted into the bottom right-hand side of the footer which when pressed will return the reader to the beginning of the document and is only active in PDF format. Menu Items The greater than sign ( > ) with spaces before and after the sign, separates items in the menu. For example, Operations > Operations > Is roaming > Pull down selection ( Yes / No ) indicates that you first choose "Operations" from the main tabs, then "Operations" from the left-hand menu options, followed by the selection of an operation name, then the condition to be applied. Description of the warning flags This document may contain warnings and safety recommendations of the following meaning: Attention: May have undesired consequences Caution: Operational functionality may be impeded Further attention may be required when implemented General information 7PMDM_Client_Android_v5.26.0x_EN.docx Page 10 / 74 ^Home

1.9 Additional documentation The following additional documentation is available from your 7P representative or service provider: Documentation title Documentation title 7PMDM_Manual_AdminGuide_EN 7PMDM_Note_AppleDEP_EN 7PMDM_Client_Android_EN 7PMDM_Manual_InstallGuide_EN 7PMDM_Client_iOS_EN 7PMDM_Delivery_RelNote_DE 7PMDM_Note_AppleVPP_EN 7PMDM_Delivery_RelNote_EN 7PMDM_Spec_SSP_EN 7PMDM_Delivery_ReleaseBulletin_EN 7PMDM_Spec_CSVImport_EN 7PMDM_Delivey_FeatureList_EN The following titles are considered static and will only be updated if there is a significant change or update to the details. 7PMDM_Client_SymbianS60_EN 7PMDM_Spec_LDAP_EN 7PMDM_Client_WindowsPhone_EN 7PMDM_Client_WindowsDevice_EN 7PMDM_MSCompanyHub_EN 7PMDM_Spec_AppWrapping_EN 7PMDM_Client_Files2Go_EN 7PMDM_Spec_Files2Go_EN 7PMDM_Spec_MSCompanyHub_EN 7PMDM_Spec_Vodafone_UltraCard_EN Revision details have been omitted from all the documentation lists as the most current version will be available from your 7P representative or service provider 7PMDM_Client_Android_v5.26.0x_EN.docx Page 11 / 74 ^Home

1.10 Automatic MDM client selection The MDM Server currently supports a diverse range of Android devices. Some devices have extended facilities that require the use of licensed API's to integrate with client software modules. Newer devices with additional functionalities may require additional application coding, and therefore a different MDM client. The proliferation of device dependent MDM clients can become challenging to IT administrators. To assist in this challenge, 7P have created an intelligent download repository of MDM client applications for use by 7P MDM server customers. During the enrollment process, the enrolling device will be guided to a specific website www.mdmclient.net/download which automatically identifies the make and manufacturer of the browsing device, automatically presenting the appropriate MDM client application to the requesting device. Administrators need to be aware that the Android MDM client is evolves with progressive versions of manufacturers API s. As such, there will be occasions when specific MDM client application are not compatible with the OS version installed on the device, and different (older versions) of the MDM client must be used. For example, the 5.24 version of the Android client is not compatible with Android devices whose OS is less than version 4.0. ( For devices with Android 3.x and older, the MDM android client version 5.22.00 should be used). When used with a 7P MDM server, the enrollment process requires that the device downloads and installs a 7P MDM client application which will then be activated to an MDM server. 1. Samsung compatible Android devices will use the 7P MDM Client 2. Knox Standard compatible Android devices will use the 7P MDM Knox Standard Client 3. HTC PRO /PRO2 series Android devices will use the 7P MDM HTC Client 4. Generic Android devices will use the 7P MDM Knox Standard Client Tomorrows device with extended functionality to be confirmed The 7P MDM Generic client is 7P MDM Knox Standard client and will accommodate the majority of Android devices manufactured by smaller organisations Once the appropriate MDM client has been downloaded and installed on the user's device, the MDM client activation process can begin. The MDM client can be activated by either of the following methods: 1. SMS activation the MDM server sends an SMS package allowing automated activation 2. QR code activation the user receives an email containing a QR code. The user scans the QR code with their device for activation. Once activated, the user will benefit from the silent OTA management of their mobile device. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 12 / 74 ^Home

1.11 MDM client distribution The MDM client is distributed to the end user in one of two ways: MDM server initiated MDM client installation User initiated MDM client installation using the SPP (Self-Provisioning Portal) Both methods are applicable to either device that contain SIM modules, or devices that do not contain SIM modules, typically Wi - Fi only devices, such as e.g. many tablets. 1.12 Device administrators permission Prior to the installation of the MDM Client for Android devices, it is essential to ensure that the device is capable of installing non-market applications. 1.12.1 Android 4.x devices unknown sources path Navigate to Settings >Security >Device administrators and ensure the "Unknown sources" box is selected. Figure 1 Android 4.x unknown sources Once the "Unknown sources" tick box is selected, the device is ready to proceed with the MDM Client installation process. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 13 / 74 ^Home

1.12.2 Android 2.x devices unknown sources path Prior to the installation of the MDM Client for Android 2.x devices, it is essential to ensure that the device is capable of installing non-market applications. Navigate to Settings >Applications >Unknown sources and ensure the Unknown sources box is selected. Figure 2 Android 2.x unknown sources permission. Once the "Unknown sources" tick box is selected, the device is ready to proceed with the MDM Client installation process. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 14 / 74 ^Home

2 MDM Client Installation This chapter describes the Over-the-Air (OTA) installation of the 7P MDM Android Client in Global System for Mobile Communications (GSM) enabled devices, i.e. devices that have an active Subscriber Identity Module (SIM) card through a data provider. The benefit of this preferred method is that the MDM Client is automatically activated to its corresponding MDM server without user intervention. This chapter consists of the following sub-chapters: 2.1 SMS initiated delivery with automatic activation 2.2 Wi-Fi installation with QR code activation 2.3 MDM client download and installation 2.4 Activate device administration? 2.5 Client Activation Methods 2.6 Activation confirmation 2.7 Additional activation steps (Samsung SAFE) 2.1 SMS initiated delivery with automatic activation The MDM server operator will add your details to the MDM Server resulting in a short SMS message being sent to your mobile device. This message is important. The message contains the download hyperlink for the MDM Client that will be installed on the user's device. Embedded in the SMS text message is an encrypted activation code, used by the MDM client application. Figure 3 SMS download link. The user must open the message link, completing the operation by selecting the browser of their choice. The URL selected will be opened in a new screen.

2.2 Wi-Fi installation with QR code activation The Wi-Fi installation method of the MDM client is used with devices that do not have an enabled SIM card and generally only have access to email messages. The MDM administrator would choose to "Enroll device via email." An email will then be sent to the MDM server registered email address for the specific user(s) that contains instructions and a hyperlink URL to an internet site where the required MDM client is hosted. Figure 4 Email containing download link. The user would open the email on their Android device, select the link and download the MDM client application to their device. The procedure is then as described in "MDM Client Installation" except that the MDM server will not automatically activate with the MDM server, the steps described in the QR activation must be followed. 2.3 MDM Client download and installation The mobile device will be automatically recognised by the designated MDM client download site, and a specific MDM Client will be presented to the device for download. Figure 5 Auto detection of the device. Once the download warning has been accepted a "Downloading" message will be displayed, and the animated "downloading arrow" indicator will appear at the top of the device display screen in the user's notification tab, remaining animated until the file download is complete. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 16 / 74 ^Home

2.3.1 Downloaded application installation The user must now select the downloaded application file. This can be achieved by swiping the device screen, from the top of the device screen, allowing the device notification bar, and the notifications to be revealed, or the user can open the "downloaded" icon on their device which will open the downloaded file folder. Figure 6 Accessing the downloaded MDM client The user would then select their chosen package for installation. Once the user selects the downloaded MDM Client package has been selected, the user will be advised of the applications ability to read personal information from their Android device. Figure 7 Do you want to install the application? The user, at this stage, has the option to either cancel the installation or to commence the installation of the MDM client by tapping the "Install" button. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 17 / 74 ^Home

The user is informed that the selected application is installing. An animated progress indicator is used to show that the installation process is running. Figure 8 Application installed. Within a short period of time, the advisement will change from "Installing" to "App installed." The user would then proceed with the installation of the application by tapping "OPEN" to continue 2.4 Activate device administration? A notification screen detailing the "Device administration" privileges of the 7P MDM Client is displayed. The user must tap "ACTIVATE" to proceed with the MDM client installation. Figure 9 Automatic activation message. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 18 / 74 ^Home

2.5 Client Activation Methods The three valid methods of MDM client activation are: Automatically using embedded information within the initial enrollment SMS text message ( preferred) Quick Response code (QR), allowing the corresponding MDM server's credentials to be inserted into the MDM client application by scanning a specially prepared QR code image. 2.5.1 SMS activation (preferred) If the associated MDM Server is configured to deliver the MDM Client with automatic activation selected, and the MDM client installation commenced on receipt of an enrollment SMS message, then the MDM Client will automatically activate when "ACTIVATE" is selected, with no further action required from the user. 2.5.2 Activation using QR code The user must open the MDM client download and activation QR code email on a laptop or similar device. This n method of MDM client activation requires the user to point their device's camera at the QR code so that it can be read and consumed by the MDM client. Figure 10 QR code activation email. To activate the MDM Client using the QR code, the user must first select the "Activation with QR code" button. This will initialize the devices' on board camera. The user must then point their device's camera at the QR code. Figure 11 Activate with QR code. The QR code image will then be evaluated; the details embedded within the QR code will then be consumed by the MDM Client for activation processing. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 19 / 74 ^Home

2.6 Activation confirmation The user will be supplied with a PIN code that must be entered into the "Confirm activation" input field. Figure 12 Inputting the activation PIN code The activation confirmation PIN code is different for all MDM server installations and must be communicated to the user prior to installing the MDM client of their device. The default PIN code is 1234, then tap "Continue." 2.6.1 Backup security code A "Backup security code" warning pop up will be displayed. The MDM client uses a "security code," which can be updated by the user, through the MDM client menu system. This security code is used as part of the encryption key when information is backed up to, or restored from the MDM server. Figure 13 Backup security code warning If a Backup security code is altered, then any information previously backed up to the MDM server will not be restored to the user's expectations. A user must complete a new backup every time their "Backup security code" is changed. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 20 / 74 ^Home

2.6.2 Client Activated The MDM client will display the expected (Next) connection time and the previous (Last) connection time and dates to the MDM server. There are no further steps to perform with the installation of the MDM client to: 1. Samsung SAFE3 compatible Android devices 2. HTC PRO /PRO2 series Android devices 3. Generic Android devices Additional steps will be required for the activation of Samsung Workplace (KNOX/SAFE4) compatible devices 7PMDM_Client_Android_v5.26.0x_EN.docx Page 21 / 74 ^Home

2.7 Additional activation steps (Samsung Knox Workspace) With Samsung Knox Workspace (SAFE4) compatible devices, a further acknowledgement is required prior to the MDM client activation. This will allow the user to utilise the KNOX facilities on their device which is licensed to Samsung Figure 14 Samsung Knox Workspace acknowledgement The user must tap in the acknowledgement box, which changes from any empty box, to a green "tick," then tap "Confirm." Figure 15 Knox Standard management privileges The user would then accept the extended mobile device management privileges by tapping "Continue." The acknowledgment and KNOX registration will be processed, resulting with the "Knox Standard License was accepted" on the MDM client front UI 7PMDM_Client_Android_v5.26.0x_EN.docx Page 22 / 74 ^Home

3 MDM Client Android Console version 5.24 and above This section describes the content, usage, and functions that are available through the MDM Client menu system. MDM Client functionality itself may differ, depending on the configuration settings of the corresponding MDM Server. 3.1 Access to the MDM Client Access to the MDM Client is gained by selecting the 7P MDM Client icon on the main screen of your Android Mobile device. Figure 16 MDM Client icon. Once open, the MDM client screen is presented. Typically the MDM client screen will inform of: Whether the MDM client service is activated or non- activated. The expected date and time of the "Next connection" to the MDM server The exact date and time of the "Last connection" to the MDM server The date and time that the "Last backup" command was executed, if no backup has been performed, then "n/a"( not applicable) will be shown. Notification Initiating Checking policies Gathering inventory Sending inventory Receiving response Checking policies Busy Description Typically seen when the MDM client commences the activation process. The MDM client checks the MDM server ensuring any (security) policies are applied to the device The MDM client is producing an inventory of the device prior to sending to MDM server The MDM client is sending the gathered inventory of the device to the MDM server The MDM client is receiving a response from the MDM server to a request The MDM client is checking whether any security policies exist, if they do, then they will be applied Typically the MDM client is not activated and is awaiting user interaction Enter to the MDM client menu structure by selecting down arrow, located at the top right-hand side of the MDM client navigation bar.

3.1.1 Activation error It is possible, on occasion that a newly connected device, fails to connect and the Waiting for activation message is clearly displayed. The most common reason for a MDM client to fail activation is The IMEI of the device activating already exists within the MDM server. This may be due to the following: The device had been previously enrolled into the MDM server and the enrolled device had not been deleted. An import CSV file had been run containing a data error with regard to IMEI The QR activation code may have been generated from a different installed device instance or user. To quickly identify whether a duplicate IMEI may exist, on the MDM server, do the following: Navigate to Reports > Assigned devices Load a report and use the Export to CSV facility. Open the downloaded CSV file, select the IMEI column and select the find command. Input the IMEI of the device. If an IMEI match is confirmed, examine and investigate the duplicate IMEI s device data entry within the MDM server. Correct the or delete the duplicate IMEI s device information. The MDM client should now activate when a connection is forced to the MDM server. If the device still fails to activate Reset the activation data within the MDM client, and. Re-issue a QR code to user. On scanning the QR code the MDM client will activate. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 24 / 74 ^Home

3.1.2 About the MDM 5.24.04 client The MDM 54.24.04 client takes advantage of the improvements found within Samsung s evolving API s. Only Android devices whose Android OS version is 4.0 and above are supported by recent API improvements. To identify which MDM client is installed in the device navigate to Settings > About Figure 17 Accessing the MDM Client menu structure The "Generic Android devices" MDM client uses and displays Knox Standard compatible Android devices 3.2 MDM client navigation Force a connection shortcut Force a connection from the MDM client to MDM server Figure 18 Force connection icon shortcut Generally used if the user requires immediate delivery of a newly created application or operation policy. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 25 / 74 ^Home

3.2.1 MDM client navigation Open AppStore icon shortcut Open the App Store access to the MDM Clients AppStorage container Figure 19 Navigation bar shortcut to the AppStorage contents. All applications contained in the AppStorage container are managed by group membership. Application availability is determined by the MDM server administrator. 3.2.2 MDM client navigation Open MDM SSP icon shortcut Open the MDM server SSP access shortcut Figure 20 Accessing the MDM SSP user interface Tapping the open MDM server SSP icon will open the devices web browser in a new screen. The SSP server address will automatically populate the address bar, revealing the SSP log in screen to the device user. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 26 / 74 ^Home

3.2.3 Open the MDM client settings The location of the MDM client settings button is generally device dependant. An icon similar to visible on the device. If visible, selecting the icon will reveal the MDM client settings may be Figure 21 Access to MDM client structure icon Other devices make use of soft navigation buttons, located at the bottom left ( or right) of the device screen, adjacent to the Home button. Selecting one of these soft buttons will reveal the MDM client settings. The MDM client settings allow the user to set or clear specific MDM client features, through an easy to use menus structure. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 27 / 74 ^Home

3.3 MDM Client's menu structure The table below is presented to assist administrators or help desk operatives to navigate the MDM client menu structure if they do not have a device readily on hand. Main menu Submenu Description About Application name/version Shows the application name Tools Activity details Shows the connection attempts and any errors that have occurred AppStorage Change security code Activate Displays applications available in the AppStore Allows the user to change MDM security code Change or reset the client activation settings Reset Data Allows the user to reset the MDM client activation data ( removes trusted connection to MDM server) Policies Allows the user to inspect (and accept) any policies or messages sent by the MDM server. Connection Connect Forces connection with MDM Server Online Android for Work NFC Provisioning (Not yet available) Tap or click the check box provided to allow/disallow the MDM client to connect to the internet. Privacy Settings Send GPS data If enabled, allows GPS data to be transmitted to the MDM Server. Security code Device encryption Send the MDM client security code to the MDM server is administrator requests it. Utilises the built-in device encryption of the mobile device. Table 2 MDM Client's menu structure Details and location of the elements of the menu structure are shown in the following pages. The "Reset data" functionality must be enabled by the MDM server administrator. Navigate to Settings> System > MDM Client > Allow Data Reset The MDM server will collect the location data of the device even if the corresponding settings have been disabled in the MDM client privacy settings. To disable the MDM servers forced GPS data collection and return the control of GPS location data collection to the device user (through MDM client Privacy settings) then the "Force enable GPS collection on client" checkbox must be disabled (unchecked) in the MDM server - Settings>System>GPS 7PMDM_Client_Android_v5.26.0x_EN.docx Page 28 / 74 ^Home

3.4 MDM client preferences About The "about section" displays information regarding the installed version of the MDM client 3.4.1 About Application name and version The Settings >About displays the installed MDM Client application name, version number, and specific "build" information. Figure 22 About the MDM Client. 3.4.2 Tools - Activity details Displays a time-stamped log of the MDM Clients connection activity with the MDM Server. The "activity details" also displays any error information that may have occurred during an activity (for example, file copy) with the MDM Server. Figure 23 Tools Activity details. The above shows a successful completion of "The user forced connection" with the MDM server." 7PMDM_Client_Android_v5.26.0x_EN.docx Page 29 / 74 ^Home

3.5 Tools AppStore Access to the MDM Clients AppStorage container can also be made from within the MDM client by selecting the "AppStorage" in the Application management field. Figure 24 Tools location. All applications contained in the AppStorage container are managed by group membership. Which applications are available to what user is determined by the MDM server administrator. 3.5.1 Tools Change security code This menu item allows the user to change their MDM security code. The user has to enter their current 5 digit numeric code. The user then has to insert and confirm their new 5 digit numeric code. Figure 25 Change security code. Please note that the reserved security code of 12345 cannot be used. If the user changes their security code, then all previous backups will not be available for restore as the 5 digit numeric code is used as part of the encryption keys used to safeguard all backup and restore information. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 30 / 74 ^Home

3.5.2 Tools Activate The general method for MDM client activation is with an encoded SMS message deployed to the user's device on initial configuration. Figure 26 MDM client activation methods. However, some devices do not support SMS capabilities, so the MDM client must be activated by either entering the MDM server details into the MDM client manually or by capturing the MDM client activation QR code through the devices on-board camera (see Client Activation Methods). 3.6 Tools Reset data The Reset data facility allows the user to reset the configuration details of an enrolled MDM client with regard to the connected MDM server. If the reset data command is confirmed, then the device must be reactivated with the original or different MDM server either through an SMS enrollment text message or by QR code activation. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 31 / 74 ^Home

3.6.1 Tools - Policies The Policies option will allow the user to view all current policies applied to this device by the MDM server. Figure 27 Policies. If the user does not agree or understand any enforced policy that is active on their device they should contact the system administrator for guidance. The following notification icon will be displayed on the front page of the MDM client if there is a pending notification policy action that requires the users attention. Figure 28 Policies front panel alert icon The MDM client > Policies screen will open when the alert notification icon is selected on the MDM client front panel. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 32 / 74 ^Home

3.7 Connection connect The Connect button allows the user to force the MDM Client to connect to the MDM Server. Figure 29 Force connection to MDM Server. "Forced connection" is used when a user wishes to make a connection to the MDM Server, outside of the normal connection interval. 3.7.1 Connection Online The user may, at any time, disable communication of the MDM client to the MDM server by selecting the (MDM client) Online connection setting. If the MDM client has been taken offline with the MDM server, then by selecting the Online checkbox, any outstanding updates, configurations or security policies will be applied to the device. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 33 / 74 ^Home

3.7.2 Android for Work The Android for Work functionality Near Field Connection (NFC) provisioning is disabled in this version of the Android MDM client. This feature is planned and allows the administrator to quickly provision Android NFC devices prior to MDM server enrollment. 3.8 Privacy settings Send GPS data If selected, sends location information, using the built-in GPS hardware of the device. If no GPS device is present, no information will be sent. Figure 30 Send GPS data. The data is sent only if the MDM server has requested it to be sent and if the user has selected a valid interval. The GPS data is accessible to view by the system administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 34 / 74 ^Home

3.8.1 Privacy Settings Security code If selected, the MDM client will transfer MDM client security code to the MDM server on every connection. Figure 31 Send security code The MDM security code is used as an encryption/decryption key for all backup/restore operations of the MDM client. If the security code is changed, ensure the user does a fresh backup as the previous backup will be unintelligible due to an incorrect (previous) decryption key 3.8.2 Privacy settings Device encryption If selected, the MDM Client will invoke the on-board encryption mechanism and encrypt all data defined by the user. The encryption process is device dependant. Figure 32 Device encryption. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 35 / 74 ^Home

The user is advised to fully understand the impact on performance and power consumption prior to encrypting their device. Figure 33 Encryption - choose screen lock type Ensure that the device is fully charged, and then enter the device screensaver PIN code. Once entered, tap "continue" and the device encryption process will begin Figure 34 Encryption - encrypt device Once the Encrypt device is selected some suitable Android icon will be displayed as the device commences its encryption routine. Once the device has encrypted and rebooted you need to enter the password created during the encryption routine to unlock the device. Please check and re-enter all Wi Fi access point passwords, as these may have been encrypted and therefore will be different than that expected of the Wi Fi access point. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 36 / 74 ^Home

4 MDM Client Android Console version 5.22 and below This section describes the content, usage, and functions that are available through the MDM Client menu system. MDM Client functionality itself may differ, depending on the configuration settings of the corresponding MDM Server. 4.1 Access to the MDM Client Access to the MDM Client is gained by selecting the 7P MDM Client icon on the main screen of your Android Mobile device. Figure 35 MDM Client icon. Once open, the MDM client screen is presented. Typically the MDM client screen will inform of: Whether the MDM client service is activated or non- activated. The expected date and time of the "Next connection" to the MDM server The exact date and time of the "Last connection" to the MDM server The date and time that the "Last backup" command was executed, if no backup has been performed, then "n/a"( not applicable) will be shown. Notification Initiating Gathering inventory Sending inventory Receiving response Checking policies Busy Description Typically seen when the MDM client commences the activation process. The MDM client is producing an inventory of the device prior to sending to MDM server The MDM client is sending the gathered inventory of the device to the MDM server The MDM client is receiving a response from the MDM server to a request The MDM client is checking whether any security policies exist, if they do, then they will be applied Typically the MDM client is not activated and is awaiting user interaction Enter to the MDM client menu structure by selecting down arrow, located at the top right-hand side of the MDM client navigation bar.

4.1.1 About the MDM client Only three Android clients are utilised with the MDM server. To identify which MDM client is installed in the device navigate to Settings > About The Android client structure shares a common theme and layout allowing ease of support over the entire Android product range. Figure 36 Accessing the MDM Client menu structure For display purposes, each of the three supported MDM client "About " screens have been displayed. 1. Knox Standard compatible Android devices 2. Samsung SAFE3 compatible Android devices 3. HTC PRO /PRO2 series Android devices The "Generic Android devices" MDM client uses and displays Knox Standard compatible Android devices) 7PMDM_Client_Android_v5.26.0x_EN.docx Page 38 / 74 ^Home

4.2 MDM client navigation bar shortcuts Three active icons appear in the MDM client navigation bar: 4.2.1 Force a connection icon shortcut Force a connection from the MDM client to MDM server Figure 37 Force connection icon shortcut Generally used if the user requires immediate delivery of a newly created application or operation policy. 4.2.2 Open the MDM client AppStore icon shortcut Open the App Store access to the MDM Clients AppStorage container Figure 38 Navigation bar shortcut to the AppStorage contents. All applications contained in the AppStorage container are managed by group membership. Application availability is determined by the MDM server administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 39 / 74 ^Home

4.2.3 Open the MDM client navigation bar icon Open the MDM client menu structure Figure 39 Access to MDM client structure icon Tapping the open MDM client navigation bar icon will open the MDM client application allowing the user to navigate through, and select their specific functionality of the MDM client. 4.2.4 Open the MDM SSP icon shortcut Open the MDM server SSP access shortcut Figure 40 Accessing the MDM SSP user interface Tapping the open MDM server SSP icon will open the devices web browser in a new screen. The SSP server address will automatically populate the address bar, revealing the SSP log in screen to the device user. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 40 / 74 ^Home

4.3 MDM Client's menu structure The table below is presented to assist administrators or help desk operatives to navigate the MDM client menu structure if they do not have a device readily on hand. Main menu Submenu Description About Application name/version Shows the application name Application management AppStorage Displays applications available in the AppStore Connection Connect Forces connection with MDM Server Online Activity details Activate Tap or click the check box provided to allow/disallow the MDM client to connect to the internet. Shows the connection attempts and any errors that have occurred Change the activation settings Advanced Policies Allows the user to inspect any messages sent by the MDM server. Reset Data Allows the user to reset the MDM client activation data ( removes trusted connection to MDM server) Privacy Settings Change security code Allows the user to change MDM security code Send GPS data Security code Device encryption If enabled, allows GPS data to be transmitted to the MDM Server. Send the MDM client security code to the MDM server is administrator requests it. Utilises the built-in device encryption of the mobile device. Table 3 MDM Client's menu structure Details and location of the elements of the menu structure are shown in the following pages. The "Reset data" functionality must be enabled by the MDM server administrator. Navigate to Settings> System > MDM Client > Allow Data Reset The MDM server will collect the location data of the device even if the corresponding settings have been disabled in the MDM client privacy settings. To disable the MDM servers forced GPS data collection and return the control of GPS location data collection to the device user (through MDM client Privacy settings) then the "Force enable GPS collection on client" checkbox must be disabled (unchecked) in the MDM server - Settings>System>GPS 7PMDM_Client_Android_v5.26.0x_EN.docx Page 41 / 74 ^Home

4.4 MDM client preferences About The "about section" displays information regarding the installed version of the MDM client 4.4.1 About Application name and version The Settings >About displays the installed MDM Client application name, version number, and specific "build" information. Figure 41 About the MDM Client. 4.5 Application management AppStore Access to the MDM Clients AppStorage container can also be made from within the MDM client by selecting the "AppStorage" in the Application management field. Figure 42 Tools location. All applications contained in the AppStorage container are managed by group membership. Which applications are available to what user is determined by the MDM server administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 42 / 74 ^Home

4.6 MDM Client preferences - Connection The Connection section of the MDM client allows the user to inspect and specify connection activity and details. 4.6.1 Connection connect The Connect button allows the user to force the MDM Client to connect to the MDM Server. Figure 43 Force connection to MDM Server. "Forced connection" is used when a user wishes to make a connection to the MDM Server, outside of the normal connection interval. 4.6.2 Connection - Activity details Displays a time-stamped log of the MDM Clients connection activity with the MDM Server. The "activity details" also displays any error information that may have occurred during an activity (for example, file copy) with the MDM Server. Figure 44 Tools Activity details. The above shows a successful completion of "The user forced connection" with the MDM server." 7PMDM_Client_Android_v5.26.0x_EN.docx Page 43 / 74 ^Home

4.6.3 Connection Activate The general method for MDM client activation is with an encoded SMS message deployed to the user's device on initial configuration. Figure 45 MDM client activation methods. However, some devices do not support SMS capabilities, so the MDM client must be activated by either entering the MDM server details into the MDM client manually or by capturing the MDM client activation QR code through the devices on-board camera (see Client Activation Methods). 4.7 MDM Client preferences -Advanced The Advanced section of the MDM client allows the user to inspect and specify shortcuts and activity. 4.7.1 Advanced - Policies The Policies option will allow the user to view all current policies applied to this device by the MDM server. Figure 46 Policies. If the user does not agree or understand any enforced policy that is active on their device they should contact the system administrator for guidance. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 44 / 74 ^Home

4.8 MDM Client preferences - Privacy Settings Privacy settings contain elements of sensitive information that can either be sent or not, to the MDM Server. 4.8.1 Privacy Change security code This menu item allows the user to change their MDM security code. The user has to enter their current 5 digit numeric code. The user then has to insert and confirm their new 5 digit numeric code. Figure 47 Change security code. Please note that the reserved security code of 12345 cannot be used. If the user changes their security code, then all previous backups will not be available for restore as the 5 digit numeric code is used as part of the encryption keys used to safeguard all backup and restore information. 4.8.2 Privacy settings Send GPS data If selected, sends location information, using the built-in GPS hardware of the device. If no GPS device is present, no information will be sent. Figure 48 Send GPS data. The data is sent only if the MDM server has requested it to be sent and if the user has selected a valid interval. The GPS data is accessible to view by the system administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 45 / 74 ^Home

4.8.3 Privacy Settings Security code If selected, the MDM client will transfer MDM client security code to the MDM server on every connection. Figure 49 Send security code The MDM security code is used as an encryption/decryption key for all backup/restore operations of the MDM client. If the security code is changed, ensure the user does a fresh backup as the previous backup will be unintelligible due to an incorrect (previous) decryption key 4.8.4 Privacy settings Device encryption If selected, the MDM Client will invoke the on-board encryption mechanism and encrypt all data defined by the user. The encryption process is device dependant. Figure 50 Device encryption. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 46 / 74 ^Home

The user is advised to fully understand the impact on performance and power consumption prior to encrypting their device. Ensure that the device is fully charged, and then enter the device screensaver PIN code. Once entered, tap "continue" and the device encryption process will begin 7PMDM_Client_Android_v5.26.0x_EN.docx Page 47 / 74 ^Home

5 MDM Client - Android Kiosk Mode This section describes the additional restrictions that an administrator can apply to a Samsung Android device running the 7P MDM client and the 7P Android Kiosk application. Kiosk mode is a common way to lock down (restrict) an Android device, ensuring that it can only use apps specified explicitly by the MDM administrator. The apps, up to a maximum of 24 per page, and currently a maximum of 2 pages giving a total of 48 apps may include pre-installed applications and built-in function like Calendar, Phone, and Contacts. Kiosk mode may only be enabled on MDM server registered Samsung devices running version 5.21.00 of the 7P MDM Android client, and 1.00.21 Build 22009 and above of the 7P Android Kiosk application. Both applications are available from the mdmclinet.net website. 5.1 Android Kiosk Mode applications At present, there are two Android Kiosk mode applications: Kiosk app (standard version) - Version ID: 1.00.21 Build 22009 Allows two pages of 24 applications to be displayed Each page can display a total of 24 apps ( displays 4*6 apps in portrait mode, and 6*4 apps in landscape mode) Kiosk app (standard version + CLR ) - Version ID: 1.00.21 Build 22009 Allows two pages of 24 applications to be displayed Each page can display a total of 24 apps ( displays 4*6 apps in portrait mode, and 6*4 apps in landscape mode) The standard version + CLR is the same as identical to the 7P Kiosk (standard) app. However, there is a special CLR (clear data) option integrated into this Kiosk app version. The purpose of the clear data facility is to clear all browser, cache and app data within the Standard Samsung Native browser and the Chrome Browser. The clear option in this Kiosk app works in these 5 situations: When device is turned off and on again When device is being rebooted When autolock gets activated due to timeout on device When autolock gets activated because the user has quickly clicked on the power button to turn off the screen or and there has been a period greater than +10 secs of no activity When MDM server sends remote lock command

5.2 Creating the Android Kiosk mode configuration 1. Navigate to Infrastructure > Configurations and create an Enable Kiosk mode configuration. 2. Add the following 7P Kiosk mode settings application detail in the Other(s) application list of the Kiosk mode configuration: com.sevenprinciples.android.mdm.settings Ensure that the URL in the Kiosk mode configuration contains a pointer to a valid location of version 1.00.21 and above of the 7P Android Kiosk Mode application. 3. Navigate to Users & Devices > Device > Actions and from the device Actions menu, apply the Enable Kiosk mode configuration to the device. The target device UI screen will change in appearance from Native mode to Kiosk mode. When the device is in Kiosk mode only specified applications and buttons, determined by the administrator, will maintain their functionality. 5.2.1 Disable Kiosk mode internet connected device Create a Disable Kiosk mode configuration Deploy the Disable Kiosk mode configuration to the device through Actions> Install configurations 5.2.2 Disable Kiosk mode internet disconnected device The only way to disable Kiosk mode with a device that has no connection to the 7P MDM server would be to hard reset the device. (See device manufacturer s guide.) 7PMDM_Client_Android_v5.26.0x_EN.docx Page 49 / 74 ^Home

5.3 Enabling Kiosk Mode Navigate to Infrastructure > Configurations > Add > Kiosk > Memorable Name of Configuration settings. Figure 51 Enabling (Basic) Kiosk mode From the Main settings ensure the Kiosk mode dropdown is displaying Enabled, then use the information in the following table to complete the form. Parameter Kiosk mode URL Background image Allow multi-window mode Allow task manager Hide system bar Hide status bar Hide navigation bar Wipe recent tasks Disallow hardware keys Description Enabled OR Disabled This URL points to the location where the 7P Android Client Kiosk application may be accessed. http://mdmclient.net/ The JPEG image that will be used as the Kiosk mode background wallpaper. This JPEG file may be uploaded directly to the MDM server or via a hosted internet location URL Allows the use of Android 7 (Nougat) devices multi-window mode (Must be 7 or above) Allows the use of the Task Manager when selected in Kiosk mode Hides the system bar when selected Hides the status bar when selected Hides the navigation bar when selected Wipes recent tasks when selected The following comma separated values are available: HOME, MENU, BACK, VOLUME_UP,VOLUME_DOWN Table 4 Kiosk Mode main settings 7PMDM_Client_Android_v5.26.0x_EN.docx Page 50 / 74 ^Home

Once the Main settings have been completed, then the administrator would select the applications that may be performed on the device in Kiosk mode from the Supported applications selection. Figure 52 Define inbuilt Kiosk mode applications For Application list, please refer to Enabling Kiosk mode (Advanced) further down in this section. 5.3.1 Deploying a basic Kiosk mode configuration Select a device, then Action > Install configuration > Named Kiosk mode configuration> Send Normal mode Kiosk mode being applied Kiosk mode The device will initially appear as normal; the screen will be blocked when the Kiosk mode application is received, resulting in a fully restricted Android device. The user will be restricted to the functionality and application that have been made available by the MDM administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 51 / 74 ^Home

5.4 Disabling Kiosk Mode Navigate to Infrastructure > Configurations > Add > Kiosk > Memorable Name of Configuration settings. Figure 53 Disable Kiosk mode configuration From the Main settings ensure the Kiosk mode dropdown is displaying Disabled, and Save the configuration. Select a device, then Action > Install configuration > Named Kiosk mode configuration> Send Kiosk mode Normal mode The device screen will return to normal once the Kiosk mode application ( and all restriction) has stopped. For devices that are already in Kiosk mode, and do not have any internet connectivity, then the only way to restore the device to normal operations will be to use the manufacturers recommended a hard reset. The manufacturer's hard reset is device dependant and must be implemented as instructed by the manufacturer. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 52 / 74 ^Home

5.5 Enabling Kiosk Mode (Advanced) Navigate to Infrastructure > Configurations > Add > Kiosk > Memorable Name of Configuration settings. From the Main settings ensure the Kiosk mode dropdown is displaying Enabled, then use the information in the following table to complete the form. Supported applications Calendar Talks ( Phone call) Browser Camera MMS Contacts Email Application list Definition of Kiosk application list Description Allows the Calendar app when selected Allow the user to make calls when selected Allows the user internet access when selected Allows the user to take pictures when selected Allows the user to use the Multimedia Messaging Service (SMS etc.) Allows the user to access contacts when selected Allows the user access to native email when selected Allows the administrator to select from pre-configured application lists from the drop down selection (See application list) It is possible to define where an application icon will be placed on the user's device screen. At present, Kiosk mode is designed to display 2 pages of 24 application icons, whether in Portrait or Landscape mode. To take advantage of the automated placement, then the administrator must use the Application list name created. In manual mode, an application must be defined in the MDM server before it will appear in the application list pull down. Table 5 Kiosk mode supported applications 7PMDM_Client_Android_v5.26.0x_EN.docx Page 53 / 74 ^Home

5.5.1 Application list (defined) Navigate to Infrastructure > Configurations > Add > Application List > Memorable Name of Application list settings. Figure 54 Application list creation Ensure that Kiosk list(knox Standard) is selected. Once selected, two grids (page 1 and page ) each containing 24 cells each will be displayed. The grid cells represent the location that an application icon can be placed on a user s device. A maximum number of 24 applications per screen page, with a maximum of two screen pages may be configured in Kiosk Mode. This total of 48 applications is made up of the number of selected inbuilt apps plus the number of additional apps ( defined through the other(s) input box). The application icons will always be displayed on the target device as either a 4x6 matrix, in portrait mode, or a 6x4 matrix in landscape mode. The order in which the apps appear on the device is determined by the order the applications were added to the application list. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 54 / 74 ^Home

5.6 Adding an application to an individual cell location With the Application List configuration template displayed, and with the Kiosk List (Knox standard) radio button selected, and then when selecting any of the displayed grid cells, the following pop-up window will be displayed. You are given the option to either name an application and supply the application identifier, for example Ikarus (Antivirus software) com.ikarus.mobi, or you may select an application from the MDM server application list by selecting an application from the application list drop down selection. Once the application format is complete, press Save. The Kiosk list will be saved to the MDM server. The Application List configuration must now be selected in the Kiosk configuration. Navigate to Infrastructure > Configuration > Kiosk and add the newly created Kiosk application list from the Predefined application list pull down selection. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 55 / 74 ^Home

5.6.1 Using Other Application list (manual addition) If the administrator chooses to add applications manually to the Kiosk configuration, then they must ensure that the application is installed on the target devices and that the correct application ID s are used in the comma separated list. A typical application ID is : com.samsung.android.email.provider, Once the other(s) list has been completed, select Save and deploy the configuration. 5.7 Kiosk Settings application The Kiosk settings icon will be displayed on the target device once the Kiosk settings application has been deployed ( and enabled in Kiosk mode). Figure 55 Kiosk settings If the Kiosk setting application icon is selected, then the following screen will appear 7PMDM_Client_Android_v5.26.0x_EN.docx Page 56 / 74 ^Home

Figure 56 Kiosk settings application buttons Parameter WiFi Bluetooth Torch Rotate Brightness (slider) Description Allows the user to turn on/off the device's WiFi. Allows the user to turn on/off, pair and scan for Bluetooth devices Allows the user to turn on/off the devices torch (light) Allows the user to turn on/off active screen rotation Allows the user to adjust the brightness of the device's display Table 6 Kiosk mode kiosk settings 5.8 Kiosk Settings application Clear data If internet browsing is enabled, or if applications are enabled that allow for autofill data to be stored on the device, then a potential security data breach could exist when the device is returned to a central location, at the end of a work cycle, to be picked up by a fellow work colleague for example. The Clear data button when selected, will manually erase any stored data ensuring that the device contains no internet browsing data for example, when locked and passed to another user.. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 57 / 74 ^Home

6 Samsung Knox Workspace 6.1 Samsung Knox Workspace Samsung KNOX 2.0, a secure Android platform introduced by Samsung in 2013 as Samsung KNOX, targeted primarily at mid and high-tier devices, it leverages hardware security capabilities to offer multiple levels of protection for the operating system and applications. Samsung Knox Workspace is a defence grade dual persona container product designed to separate, isolate, encrypt, and protect enterprise data from attackers. This work/play environment ensures work data and personal data are separated and that only the work container is managed by the enterprise. Personal information such as photos and messages are not managed or controlled by the IT department. Once activated, the Knox Workspace product is tightly integrated into the Knox platform. Samsung 2016 Key features of the Knox Workspace include Trusted Boot, ARM TrustZone -based Integrity and Security services, SE for Android enhancements, and the KNOX 2.0 container. In addition, KNOX 2.0 features a new enterprise enrollment process that vastly improves both the employee and IT administrator experience for enrolling devices into the company s MDM system. In 2016, Samsung SAFE has been rebranded as Knox Standard, and Knox container has been rebranded as Knox Workspace. 6.2 Samsung Knox Workspace compatible devices The following URL is a direct link to the Samsung Knox Workspace supported device website, which is maintained and updated by Samsung. https://www.samsungknox.com/en/knox-supported-devices/knox-workspace Figure 57 Knox Workspace supported devices Please check with the above site if you have any doubts whether your current or legacy Samsung device is Knox Workspace compatible:

6.3 Samsung Knox Workspace compatible device API matrix The following URL is a direct link to the Samsung Knox Workspace API matrix website, which is maintained and updated by Samsung. https://seap.samsung.com/faq/what-versions-android-support-knox-standard-and-knox-premium-sdks Figure 58 Courtesy Samsung Enterprise Alliance Program Please check with the above site to check the API version of your current or legacy Samsung device. To reveal the Knox API version from the device Navigate to Settings > About Phone then scroll down the page until the Knox details are displayed. For current information regarding the Samsung Knox initiative, please refer to the following Samsung website https://www.samsungknox.com/ 7PMDM_Client_Android_v5.26.0x_EN.docx Page 59 / 74 ^Home

6.4 7P MDM server Knox Workspace pre-requisites Prior to deploying the Knox Workspace configurations ensure that the following requirements are met: The MDM server and or Tenancy has a valid Knox Workspace license token. The device has the Use the license to activate field set on the devices contact and enrollment information. This can be done manually or through a CSV import setting the knoxactivation field. Create Knox container Configuration has been created that can be applied to the device through an Action statement. 6.4.1 Valid Knox Workspace license token On the MDM server - Navigate to Settings > Android > Knox Workspace Edit and insert a valid Knox Workspace license key and press Save. Edit and insert a valid Knox Workspace license key. Press Save. The Samsung KNOX license key is available directly from 7P,.7P authorised partners and Samsung 6.4.2 Use the license to Activate field Navigate to Organization > Users & devices > Device > Contact and enrollment information From the Samsung Knox Workspace drop down selection ( located at the bottom third of the user's display) select the Use the license to activate and press Save. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 60 / 74 ^Home

6.4.3 Create Knox container Configuration Navigate to Organization > Configurations > Add then select Knox Workspace Add a memorable name to the Configuration setting then select the Create container from the mode drop-down list. Select Save. 6.4.4 Create an Optional Autolock configuration It is possible to determine the Knox container lock/unlock method prior to the Knox containers creation. Navigate to Organization > Configurations > Add then select Autolock Add a memorable name to the Configuration setting. 1. Create auto-lock policy and set the parameter Target to Knox Workspace 2. Send the configuration to a device (make sure that Knox- Create container has not been sent previously) 3. Send the Knox- Create container Configuration command 4. The Knox activation commences starts and the MDM administrator has defined the lock/unlock method according to the settings of the Autolock configuration 7PMDM_Client_Android_v5.26.0x_EN.docx Page 61 / 74 ^Home

6.4.5 Initiate the Knox Workspace on the device The Configuration command Create container can be sent to the device using the following methods: Manually, by the MDM administrator, using Organization > Users & devices > device > Action > Apply configuration > Create Knox container Automatically through the construction of an Operation Figure 59 Device Actions - Install configuration Once the Create Knox Workspace command has been deployed, the user must complete the deployment activity before the Knox Workspace container is created. 6.5 User action experience On receipt of a Create Knox Workspace container configuration command to a user s device, the user's display will change from its normal appearance to the Knox welcome screen. Figure 60 On device Knox Workspace configuration screen This means that the configuration command has been received and the device is ready, with the user's assistance to create the Knox Workspace environment. The user must select START to begin the process. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 62 / 74 ^Home

Figure 61 User must accept Terms and Conditions The user will be presented with the Terms of Use, which they must accept before proceeding by selecting NEXT. The appearance and design of the Knox Workspace UI is dependent on the version of the Knox API and characteristics of the actual device. The above screenshots are typical of a Samsung S4 with Knox API 2.3 The user will then be given a choice of Unlock methods that will be used to enable the user to secure the Knox container against unauthorised access. Figure 62 User must select security method and insert code The user must, in this case, insert a PIN number that is at least 8 numbers in length. The user will also be asked to confirm the initial PIN entry. Once both entered and confirmed PIN data matches, then the user will continue by pressing OK. The choice of Unlock methods is dependent on the version of the device. Newer devices will allow Biometric input as the Unlock method. The example above is using the PIN method. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 63 / 74 ^Home

The user will be shown how to enter and exit the Knox Workspace. This may be done by selecting the Knox icon (shortcut) on the device, or selecting the Knox icon from the notification screen. Figure 63 Knox Workspace navigation tips displayed The user must select SKIP for the creation of the Knox container to complete. The user will then be shown the Knox Workspace which is easily identifiable by the following characteristics: The display uses a Knox shield logo as a background All Knox Workspace applications will have the Know shield logo displayed on the bottom right-hand side of the application icon. Figure 64 Knox Workspace successfully created Once the Knox Workspace has been initialised, the Shortcut KNOX created will be briefly displayed. Different versions of the Knox API along with more recent mobile phone technology will allow for the Knox Workspace applications to be displayed alongside device applications. Again, all Knox Workspace applications will have the Knox logo attached to the applications logo. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 64 / 74 ^Home

6.6 7P MDM server administrator commands and indications If the KNOX configuration is updated and resubmitted to a device, through Actions, Operations of Configurations then the current Knox Workspace is completely removed from the device including all Knox stored created content! Navigate to Organization > Users & devices > Device > Actions > Knox Once the Knox Workspace container has been successfully created the MDM administrator may perform the following available commands 6.6.1 Knox Container Lock - Lock Either issue a Lock or Unlock command to the devices Knox Workspace. On receipt of the Lock command, the Knox Workspace screen is locked; to unlock the Knox Workspace screen the user must enter either their Knox Workspace PIN, Swipe or Password that they configured during the Knox Workspace initialisation phase. Figure 65 Samsung Knox workspace receives Lock command The Knox Workspace can only be unlocked via the MDM Server Knox Unlock command which will be sent by the MDM administrator. Once the Unlock command is received, the user will be presented with the Know Workspace screen where they will have to enter their security details PIN, Swipe or Password. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 65 / 74 ^Home

6.6.2 Knox Container Lock - Unlock The Unlock Knox Workspace MDM server command removes the MDM server lock command from the device allowing the device user to enter their security details PIN, Swipe or Password to enter into the Knox Workspace. 6.6.3 Knox Container password Enforce change If the MDM administrator issues the "Enforce change" Knox function from the MDM server then this will result in a Knox formatted message being sent to the user's device which will force the user to first enter their original Knox Workspace security code (PIN in this example) and is then forced to change their Knox Workspace security code before proceeding to the Knox Workspace. 6.6.4 Knox Container password Reset If the MDM administrator issues the "Reset" Knox function this will result in a Knox formatted message to the user's device which will automatically reset the password. Figure 66 Knox - Container password- Reset command When the Knox Container password Reset command is issued, the user must use a different password than 7PMDM_Client_Android_v5.26.0x_EN.docx Page 66 / 74 ^Home

that used in previous weeks. If the password is similar to a recently used password then the following warning will be displayed on the screen Device administrator prohibits using a recent PIN 6.6.5 Knox Container - Remove When the Remove Knox container command is sent to the device from the MDM server, the user is notified through an on-screen message that the shortcut to the Knox container has been removed and that the Knox container has been uninstalled. The entire Knox Workspace container is then erased from the device. Figure 67 Knox Workspace container erased An indication that the Knox Workspace container has been removed ( Erased ) can be seen on the MDM server. 6.7 Defining target delivery The MDM server has the facility to deliver a configuration package or application to the following Knox Workspace enabled device locations: Default location The Knox Workspace Device The default location is defined by a Knox configuration command, which allows the MDM administrator to define the default target location as the Knox Workspace, the device or Knox Workspace if available. An additional Knox container configuration command may also be sent to the device, which in effect, changes the device's default target location from the Knox Workspace to the device itself. Therefore all commands or packages, when sent to the Default device, would be directed only to the device. Great care must be taken with the device target configuration to ensure that respective applications and / or configurations arrive at their designated target locations when the Default location is used with MDM server commands. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 67 / 74 ^Home

6.8 Specifying device default location target Navigate to Organizations > Configurations > Add > Knox Workspace Figure 68 Defining the default target location Device or Knox Workspace The default target location will remain at the value set by the latest Knox Workspace configuration command. If the latest Knox Workspace configuration command specified the default target as Knox Workspace, then when the value default is used to specify the target location then all applications and commands will be targeted to the Knox Workspace. If the latest Knox Workspace configuration command specified the default target as Only device, then when the value default is used to specify the target location then all applications and commands will be targeted to the device. If the latest Knox Workspace configuration command specified the default target as Use Knox Workspace if available, then when the value default is used to specify the target location then all applications and commands will be targeted to Use Knox Workspace if available. Last Default target configuration value Only Knox Workspace Only device Use Knox Workspace if available Value of Default Knox Workspace only Device only Knox workspace if available The MDM server allows multiple commands to multiple devices. On occasion, the MDM administrator will wish to send an application, for example, to all registered Android devices. In this case it would be imperative to change the default target location for Knox enabled devices from Know Workspace ( if set ) to device. If the MDM administrator requires to complete a batch Operation for example when many applications are being installed into different Android and Samsung devices, then the default location Knox Workspace can be sent to the Knox enabled devices, as often as required, in effect switching the default location from the device to the Knox Workspace. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 68 / 74 ^Home

6.9 Installing an application to the Knox Workspace The procedure to install an application from the MDM server to a Knox Workspace enabled device is as follows: 1. Create a Knox Workspace configuration specifying the default target location is Knox Workspace 2. Apply the Configuration to the device 3. Through Device Actions install the application on the device. In this example specifying the Target location as Use default will have the same effect as specifying the target location as Knox Workspace because a Knox Configuration had already been sent to the device defining the Target location to be Knox Workspace.. The chosen application will be installed silently into the users Knox Workspace. The icon will appear on their Knox container. Figure 69 Installing application to Knox Workspace All applications specified as target location default or target location Knox Workspace or target location Knox Workspace if available will be installed into the Knox Workspace. Only apps with the apk extension can be installed. Installation of aps from the Google Play store is not permitted. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 69 / 74 ^Home

6.10 Inspecting Knox applications Navigate to Organization> Users & devices > device >Installations> Knox applications A full list of all Knox applications resident in the Knox Workspace container of the specified are listed for the convenience of the MDM administrator. 7PMDM_Client_Android_v5.26.0x_EN.docx Page 70 / 74 ^Home

7 Remove (uninstall) the MDM Client This section describes the removal (uninstall) process of the MDM Client from the user's device. The removal process is dependent on the configuration of the MDM Server and may be prohibited. 7.1 Manual uninstall of the MDM Client Prior to removing the MDM Client from the Android device, the user has to change the status of the MDM Client from "Activated device administrators" to "Deactivate device administrators." This is accomplished by navigating to Settings >Security >Device administrators, selecting the 7P MDM client, then "Deactivate." Figure 70 Deactivate MDM Client. The uninstall button is now active in Settings >Applications >7P MDM Client. Figure 71 Active uninstall button. If you wish to remove the 7P MDM Client from your Android device, navigate to Settings >Applications, and select 7P MDM Client.

Figure 72 Removal of MDM Client. Begin the "Uninstall" of the 7P MDM Client process by selecting the "Uninstall button." Confirm the action by pressing the OK button. Once completed, you will be advised that the "uninstall finished." 7PMDM_Client_Android_v5.26.0x_EN.docx Page 72 / 74 ^Home

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback