Symantec Mobile Management 7.2 MR1 Implementation Guide


Symantec Mobile Management 7.2 MR1

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 7.2.1

Legal Notice

Copyright 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Printed in the United States of America.

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Contents

Technical Support

Section 1 Setting up Symantec Mobile Management 7.2

Chapter 1 Introducing Symantec Mobile Management 7.2
- What's new in Mobile Management 7.2
- Getting started with Mobile Management
- Before you begin
- Components of Mobile Management

Chapter 2 Setting up Mobile Management
- Setting up Mobile Management
- Mobile Management certificate distribution

Chapter 3 Setting up a Mobile Device Management Certificate
- About the Mobile Device Management (MDM) Certificate
- Setting up an MDM Certificate
- MDM Certificate requirements
- Exporting an MDM Certificate using Mac OS X
- Generating a certificate request
- Exporting an MDM Certificate using a Windows Server 2003 or 2008
- Installing an MDM Certificate

Chapter 4 Installing Mobile Management
- About installing Mobile Management
- Basic installation workflow for Symantec Mobile Management
- Running the Symantec Mobile Management Prerequisite Check Utility
- Installing Mobile Management on an existing Symantec Management Platform server
- Installing Mobile Management on a new server
- Rolling out the site server
- Downloading and installing the Mobile Management Agent app
- Enrolling a mobile device
- Changing the enrollment URL to an email address for iOS devices
- Enabling and creating the End User License Agreement for iOS devices
- About the differences between the app store and the in-house Mobile Management Agent applications

Chapter 5 Migrating to Symantec Mobile Management 7.2
- Upgrading Symantec Mobile Management

Chapter 6 Licensing Symantec Mobile Management 7.2
- Licensing basics
- Using the trial license
- Using a license purchased before installing Symantec Mobile Management
- Adding or updating a Symantec Mobile Management license
- Licensing status summary

Chapter 7 Configuring Mobile Management
- Configuring Mobile Management
- Integrating an MDM Certificate
- Configuring the site server to communicate with mobile devices
- Configuring profile security settings
- Configuring iOS device MDM enrollment
- Adding additional configuration profiles
- Adding non-approved platforms
- Setting up Google Cloud Messaging (GCM)
- Setting the Mobile Management Agent configuration schedule for Windows mobile devices

Chapter 8 Setting up Exchange ActiveSync
- About using Exchange ActiveSync with Mobile Management
- Setting up Exchange ActiveSync
- Enabling the Exchange ActiveSync functionality
- Configuring the SymantecEASService NT
- Selecting the Exchange ActiveSync server
- Restarting the Mobile Management Service Agent
- Verifying the SymantecEASService configuration

Chapter 9 Setting up Data Loss Prevention for iOS on the Mobile Management server
- About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
- Configuring Mobile Management to use DLP
- Creating VPN credentials
- Configuring VPN for DLP
- Configuring the VPN assignment for DLP
- Configuring the DLP settings
- Configuring remediation rules
- Setting the resource target

Section 2 Using Symantec Mobile Management

Chapter 10 Using actions, policies, and configuration profiles
- About actions
- Performing actions on mobile devices
- About policies
- Creating policies
- Assigning policies
- Supported policies for specific devices
- About configuration profiles on iOS devices
- Devices that support configuration profiles
- Setting up configuration profiles for iOS devices
- Creating configuration profiles
- Adding configuration profiles to a policy
- Assigning configuration profile policies
- About available configuration profile settings for iOS devices
- About AutoLock settings on iOS devices

Chapter 11 Managing the Mobile Library
- About the Mobile Library
- Setting up Mobile Library feeds
- Creating Mobile Library feeds
- Adding items to Mobile Library feeds
- Targeting a Mobile Library feed
- Publishing an existing feed or item

Chapter 12 Using inventory data, reports, and the event log
- About inventory data
- Viewing inventory data
- Setting the inventory schedule for Windows Mobile devices
- Setting the inventory schedule for iOS devices
- About reports
- Running reports
- Available reports by device
- About event logs
- Viewing the event log

Chapter 13 Using TouchDown with Symantec Mobile Management
- Configuring Symantec Mobile Management for TouchDown
- Assigning the TouchDown policy
- TouchDown account payload settings
- TouchDown policy payload settings
- TouchDown user payload settings

Chapter 14 Common Android management tasks
- Locking a lost or stolen Android device
- Removing policies and resetting the Agent on an Android device
- Wiping the data from a lost or stolen Android device
- Clearing and setting passcodes on Android devices
- Updating policies on Android devices
- Retrieving the inventory from Android devices
- Viewing Android device information

Chapter 15 Managing software on Windows Mobile devices
- About software management on Windows Mobile devices
- Creating software packages for Windows Mobile devices
- Delivering software packages to Windows Mobile devices
- Configuring the software maintenance windows
- Software package actions
- Software package health actions
- Sample AppUpdate runtime substitution tokens

Appendix A System requirements and port usage for Symantec Mobile Management 7.2
- Mobile Management requirements
- Network ports used by Mobile Management
- Supported devices and device operating systems

Appendix B Mobile device management features
- Mobile device features

Appendix C Creating the in-house Mobile Management Agent application for iOS devices
- About the in-house Mobile Management Agent application
- Creating the in-house Mobile Management Agent application
- Requirements for creating the in-house Mobile Management Agent application
- Downloading a WWDR Intermediate Certificate
- Creating a Developer Certificate
- Registering an iOS device for testing
- Setting up an App ID
- Downloading the project
- Preparing the iOS device for testing
- Loading the project
- Creating and installing a Development Provisioning Profile
- Customizing the Bundle identifier
- Customizing the localized string files
- Customizing the Target settings
- Building and testing the application
- Building and distributing the application

Appendix D Troubleshooting
- Troubleshooting configuration policy distribution problems
- Troubleshooting iOS device agent enrollment
- Troubleshooting Mobile Management Server configurations
- About troubleshooting errors with the SymantecEASService configuration
- Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
- Configuring Mobile Management to work with a development APNS certificate

Appendix E Third-Party Attributions
- Third-Party Legal Notices
- jqueryjs 1.4.1
- Libjpeg 6b
- Log4Net 1.2.10
- Newlib 1.17.0
- ZLib v 1.2.2/1.2.3
- NLog Advanced.NET Logging 1.0
- QuickLZ
- SharpZipLib 0.85.4
- Silverlight.js 2.0
- TBXML 1.4
- Windows CE C Library Extensions

Index

Section 1 Setting up Symantec Mobile Management 7.2

- Chapter 1. Introducing Symantec Mobile Management 7.2
- Chapter 2. Setting up Mobile Management
- Chapter 3. Setting up a Mobile Device Management Certificate
- Chapter 4. Installing Mobile Management
- Chapter 5. Migrating to Symantec Mobile Management 7.2
- Chapter 6. Licensing Symantec Mobile Management 7.2
- Chapter 7. Configuring Mobile Management
- Chapter 8. Setting up Exchange ActiveSync
- Chapter 9. Setting up Data Loss Prevention for iOS on the Mobile Management server


Chapter 1 Introducing Symantec Mobile Management 7.2

This chapter includes the following topics:
- What's new in Mobile Management 7.2
- Getting started with Mobile Management
- Before you begin
- Components of Mobile Management

What's new in Mobile Management 7.2

The 7.2 release of Symantec Mobile Management features several enhancements and new features, including support for NitroDesk TouchDown. For a complete listing of new features and enhancements, see the Symantec Knowledge Base article, What's new in Symantec Mobile Management 7.2, at http://www.symantec.com/docs/tech191144

The document Symantec Mobile Management 7.2 Release Notes contains details about fixes and updates to the product and contains any last-minute changes. The release notes are at http://www.symantec.com/docs/doc5666.

Getting started with Mobile Management

Mobile Management integrates with Symantec Management Platform to add mobile device administration capability. Mobile device owners install a device Management Agent and then enroll their mobile devices with Mobile Management. The Agent periodically checks in with Mobile Management to retrieve management-related commands, files, and updates. Policies are issued to the mobile devices to control the device's capabilities and settings.

Active Directory/LDAP integration allows the device owner to use their enterprise credentials to enroll and to receive recommended content from administrators. This content can include software and applications, documents, media, or Web links. After users enroll, they can also receive customizable contact information for the IT department in their organization. If the user has a problem with a device, an administrator can remotely control the device to troubleshoot the problem.

Because all of the devices communicate back to Mobile Management, the administrator can also collect inventory data and reports from the devices in the environment. In this way, administrators can determine the status of devices in the environment. Through the inventory, reporting, and policy features, administrators can target and schedule the devices that need management or assistance.

You use Symantec Installation Manager to install Symantec Mobile Security. If you do not already have Symantec Management Platform installed, you download Symantec Installation Manager, Symantec Management Platform, and Symantec Mobile Management together. Once the products are installed, you access the mobile security components and perform administrative tasks through the Symantec Management Platform console.

See Components of Mobile Management on page 17.
See Mobile device features on page 151.

Before you begin

After installation, Symantec Mobile Management runs as part of Symantec Management Platform. If you are not familiar with Symantec Management Platform, you may need to review the product documentation for assistance. Symantec Management Platform documentation is available in the Help tab of the management console. You can also download the Symantec Management Platform User Guide at http://www.symantec.com/docs/doc4730.

Managing mobile devices relies on several services, some of which are unique to the mobile device operating system. Other services are used to generate, provision, and manage trust certificates, and establish server communication. This document assumes that you are familiar with enterprise-class networking technologies, methods, and protocols. You should have a good understanding of establishing trust certificate chains and the services that support them.

This document references several third-party documents that provide details and instructions for implementing the various services that are used with Symantec Mobile Management. You are encouraged to review these documents if you are not already familiar with their subject matter.

Note: Links to third-party documentation are accurate at publication of this document, but may change at the owner's discretion.

Review the list of components and services Symantec Mobile Management uses and familiarize yourself with those that are new to you.

See Components of Mobile Management on page 17.

Components of Mobile Management

The following table contains descriptions of the Mobile Management components and supporting services:

Table 1-1 Mobile Management system components

Component: Mobile Management Servers
Description: All mobile device communications pass through the Mobile Management Server(s).
Required or optional: Required

Component: Symantec Management Console
Description: The Symantec Management Console (or, "console") is a Web-based administration utility that is part of the Symantec Management Platform. After you install Mobile Management, a Mobile Management portion of the console is added on. All of the management tasks that are associated with Mobile Management are accomplished in the console. Note: You must use Internet Explorer 7 or later to access the console.
Required or optional: Required

Component: Mobile Management Agent
Description: The Mobile Management Agent is installed on the managed mobile devices. The agent communicates with the Mobile Management Server and executes the commands and policy settings on the mobile device.
Required or optional: Required

Component: Symantec Management Platform Server
Description: The Symantec Management Platform Server provides the core Symantec Management Platform functionality. The Symantec Management Platform Server communicates with the Mobile Management Server to collect information, provision policies, and to send notifications, software, or alerts to the devices.
Required or optional: Required

Component: Microsoft SQL Server
Description: The Microsoft SQL Server hosts the databases for Mobile Management and Symantec Management Platform Server.
Required or optional: Required

Component: Active Directory or LDAP
Description: Users, groups, and workstations are imported from Active Directory or LDAP.
Required or optional: Required

Component: Certificate Authority
Description: The Certificate Authority manages security credentials and public and private keys for secure communication. Symantec highly recommends a Certificate Authority for a secure environment.
Required or optional: Optional but strongly recommended

Component: SCEP
Description: The Simple Certificate Enrollment Protocol (SCEP) works with the Certificate Authority to issue certificates in large enterprises. It handles the issuing and revocation of digital certificates. The SCEP and Certificate Authority can be located on the same server. See Microsoft SCEP Implementation Whitepaper.
Required or optional: Required if you use a Certificate Authority

Component: Microsoft Exchange ActiveSync
Description: Microsoft Exchange ActiveSync synchronizes the email, contacts, calendar, tasks, and notes that are associated with mailboxes on the Mobile Management Server with devices. See the Microsoft Exchange ActiveSync documentation.
Required or optional: Optional

Component: Apple Push Notification Service
Description: The Mobile Management Server communicates through the Apple Push Notification Service (APNs) to iOS devices. See Setting up an MDM Certificate on page 26. For more information about APNs, see the Apple OS X Developer Library topic Apple Push Notification Service.
Required or optional: Required if you want to manage iOS devices. The Mobile Device Management (MDM) Certificate provides access to APNs.

Component: Mobile Device Management (MDM) Certificate
Description: The Mobile Device Management (MDM) Certificate allows the Mobile Management Server to push commands and Mobile Library items through the Apple Push Notification Service to iOS devices in your environment. See Setting up an MDM Certificate on page 26. See Setting up Mobile Library feeds on page 90.
Required or optional: Required if you want to manage iOS devices

Component: Google GCM
Description: Google Cloud Messaging (GCM) is used to push actions and commands to Android devices. See Setting up Google Cloud Messaging (GCM) on page 58.
Required or optional: Required if you want to push commands to Android devices

See Getting started with Mobile Management on page 15.

Chapter 2 Setting up Mobile Management

This chapter includes the following topics:
- Setting up Mobile Management
- Mobile Management certificate distribution

Setting up Mobile Management

The process for setting up Mobile Management includes the steps you need to take to set up your environment before you install Mobile Management. It also includes the steps you need to take to configure your environment to work with Mobile Management and install the Mobile Management software.

Before you begin, make sure that your environment meets the required system requirements and that the required ports are available.

See Mobile Management requirements on page 145.
See Network ports used by Mobile Management on page 148.

Note: You are advised to run the Symantec Mobile Management Prerequisite Check Utility before you begin the installation process.

See Running the Symantec Mobile Management Prerequisite Check Utility on page 36.

22 Setting up Mobile Management Setting up Mobile Management Table 2-1 Step Action Process for setting up Mobile Management Description Step 1 Step 2 Step 3 Step 4 Step 5 Secure your environment. Set up Simple Certificate Enrollment Protocol (SCEP). (Optional) Setup a Mobile Device Management Certificate. Install Mobile Management. (Optional) Setup additional security in your environment. To secure your environment, you need to set up a Certificate Authority. You can either purchase a commercial Certificate Authority or set up a Certificate Authority yourself. If your environment is already secure, you can skip this step. See Mobile Management certificate distribution on page 23. Set up SCEP in your environment. For information about setting up SCEP, see Microsoft SCEP Implementation Whitepaper If you already have SCEP setup in your environment, you can skip this step. If you want to manage ios devices in your environment, this step is mandatory. See Setting up an MDM Certificate on page 26. Install the Mobile Management components. See Basic installation workflow for Symantec Mobile Management on page 34. For additional security, you can set up profile security in your Mobile Management environment. Profile security lets you encrypt and sign data. To set up profile security, add signing certificates and encryption certificates to your Certificate Authority. See Configuring profile security settings on page 54.

Table 2-1 Process for setting up Mobile Management (continued)

Step 6
  Action: Configure Mobile Management in the Symantec Management Console.
  Description: Configure and customize the components of your Mobile Management environment in the Symantec Management Console.
  See Configuring Mobile Management on page 49.

Step 7
  Action: (Optional) Set up Exchange ActiveSync.
  Description: Set up and configure Exchange ActiveSync to work with Mobile Management.
  See Setting up Exchange ActiveSync on page 62.

Step 8
  Action: (Optional) Set up Google GCM.
  Description: Create GCM Project ID and Server key, and configure Mobile Management to use GCM.
  See Setting up Google Cloud Messaging (GCM) on page 58.

See Getting started with Mobile Management on page 15.
See Components of Mobile Management on page 17.

Mobile Management certificate distribution

The following table contains a list of Mobile Management components and the certificates that should be installed on each of them.

Root certificates are only required when you use a non-commercial certificate authority. Root certificates are not needed if you use your own certificate authority for SCEP but use an external certificate authority for Server Authentication Certificates.

SSL is not required for SCEP. If you choose to use SSL, you must have the Server Authentication Certificate or Root Certificate installed.

Table 2-2 Mobile Management certificate distribution

Component: Mobile Management server
  Certificate authority:
    Server Authentication (SSL) Certificate
    Root certificate
  Profile Security:
    Signing Certificate with public and private keys
    Encryption Certificate with public key

Component: Symantec Management Platform Server
  Certificate authority:
    Root certificate

Component: iOS device
  Certificate authority:
    Server Authentication (SSL) Certificate
    Root certificate
  Profile Security:
    Encryption Certificate with public and private keys

See Setting up Mobile Management on page 21.

Chapter 3 Setting up a Mobile Device Management Certificate

This chapter includes the following topics:

  About the Mobile Device Management (MDM) Certificate
  Setting up an MDM Certificate
  MDM Certificate requirements
  Exporting an MDM Certificate using Mac OS X
  Generating a certificate request
  Exporting an MDM Certificate using a Windows Server 2003 or 2008
  Installing an MDM Certificate

About the Mobile Device Management (MDM) Certificate

The Mobile Device Management (MDM) Certificate allows the Mobile Management Server to push commands through the Apple Push Notification Service to iOS devices in your environment. The MDM Certificate creates a trust relationship with Apple and functions as a sort of credential for the Apple Push Notification Service servers. All Apple customers who want to communicate with iOS devices have to set up an MDM Certificate.

Setting up an MDM Certificate

You can set up an MDM Certificate on Mac OS X or Windows Server 2003 or 2008. Symantec recommends creating the MDM Certificate on Mac OS X.

This task is a step in the process for setting up Mobile Management.
See Setting up Mobile Management on page 21.

Table 3-1 Process for setting up a Mobile Device Management Certificate on Mac OS X

Step 1
  Task: Create and export an MDM certificate.
  Description: After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server.
  See Exporting an MDM Certificate using Mac OS X on page 28.

Step 2
  Task: Have certificate signed by Symantec.
  Description: Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec.

Step 3
  Task: Install the certificate.
  Description: You must install the MDM Certificate on all the Mobile Management servers in your environment.
  See Installing an MDM Certificate on page 30.

Table 3-2 Process for setting up a Mobile Device Management Certificate on a Windows Server 2003 or 2008

Step 1
  Task: Generate a certificate request.
  Description: To create an MDM Certificate on a Windows Server 2003 or 2008, you must first generate a certificate request.
  See Generating a certificate request on page 29.

Step 2
  Task: Have certificate signed by Symantec.
  Description: Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec.

Step 3
  Task: Install the certificate.
  Description: You must install the MDM Certificate on all the Mobile Management servers in your environment.
  See Installing an MDM Certificate on page 30.

See About the Mobile Device Management (MDM) Certificate on page 25.

MDM Certificate requirements

Be sure that your environment meets the requirements for setting up an MDM Certificate.

This topic is part of the process for setting up an MDM Certificate.
See Setting up an MDM Certificate on page 26.

Table 3-3 MDM Certificate requirements

Requirement: Hardware and software requirements
  Description:
    One or more server(s) running the current version of Windows Server 2003 or 2008.
    Apple Safari, Mozilla Firefox, or Google Chrome Web browser.
    (Optional but recommended) Mac computer running the current version of Mac OS X.

Requirement: MDM Certificate Signing Request (CSR) signed by Symantec
  Description: You must contact Symantec directly to acquire the signed MDM Certificate.

Exporting an MDM Certificate using Mac OS X

After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server.

This task is a step in the process for setting up an MDM Certificate.
See Setting up an MDM Certificate on page 26.

To create and export an MDM Certificate using Mac OS X

1 Open Keychain Access.
2 Under Keychains in the left pane, select login.
3 Under Categories, select Certificates.
4 Select your Apple Development Push Services or Apple Production Push Services Certificate.
5 Choose File > Export Items...
6 Select Personal Information Exchange as the file format and click Save.
7 Enter a password to lock the MDM Certificate and click OK.
8 Enter your logon key chain password. This password is your Apple computer account password.
9 Click Allow.
10 Transfer the MDM Certificate that you created to the computer running the Mobile Management server.

Generating a certificate request

To create an MDM Certificate on a Windows Server 2003 or 2008, you must first generate a certificate request.

This task is a step in the process for setting up an MDM Certificate.
See Setting up an MDM Certificate on page 26.

To generate a certificate request

1 Select Start > Control Panel > Administrative Tools.
2 Select Internet Information Services (IIS) Manager.
3 Select the server, and then double-click Server Certificates.
4 On the Actions menu, click Create Certificate Request. Enter the following information:
    Common Name - The name that is attached to your certificate request.
    Organization - The name of your organization.
    Organizational unit - The name of the group or department within your organization.
    City/locality - The city or locality where your organization is located.
    State/province - The state or province where your organization is located.
    Country/region - The country or region where your organization is located.
5 Click Next.
6 In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic service provider. Select 2048 for the Bit length.
7 Click Next. In the File Name window, type a file path and name or click the ellipsis button to browse.
8 Click Finish to generate and save the certificate request.

Exporting an MDM Certificate using a Windows Server 2003 or 2008

After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server.

This task is a step in the process for setting up an MDM Certificate.

See Setting up an MDM Certificate on page 26.

To create and export an MDM certificate using a Windows Server 2003 or 2008

1 Select Start > Control Panel > Administrative Tools.
2 Select Internet Information Services (IIS) Manager.
3 Select the server, and then double-click Server Certificates.
4 In the Actions menu, click Complete Certificate Request.
5 In the Specify Certificate Authority Response window, click the ellipsis button and browse to the Apple Push Notification Service SSL certificate that you downloaded previously. In the Friendly name field, enter a friendly name.
6 Click OK.
7 Select the Server Certificate with the friendly name that you entered in step 5.
8 In the Actions menu, click Export.
9 In the Export Certificate window, click the ellipsis button and browse to the location where you want to export the MDM Certificate. In the Password field, enter a password to secure the MDM Certificate.
10 Click OK. Transfer the MDM Certificate that you created to the computer running the Mobile Management server.

Installing an MDM Certificate

You must install the MDM Certificate on all the Mobile Management servers in your environment.

This task is a step in the process for setting up an MDM Certificate.
See Setting up an MDM Certificate on page 26.

To install an MDM Certificate on Windows Server 2003

1 Download and install the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) from the following Web site:
    http://www.microsoft.com/downloads/en/detials.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en
2 Open a command prompt window and navigate to the install directory of the Windows HTTP Services Certificate Configuration Tool.
3 Execute the following command:
    winhttpcertcfg -i <PathToMDMCertificate> -c LOCAL_MACHINE\My -a "NETWORK SERVICE" -p <Password>

To install an MDM Certificate on Windows Server 2008

1 Click Start and then click Run.
2 In the command prompt, type mmc and then click OK to open the Microsoft Management Console.
3 In the Microsoft Management Console, click File > Add/Remove Snap-in...
4 Click Certificates in the Available snap-ins box and then click Add.
5 In the Certificates snap-in window, select Computer account, and then click Next.
6 Click Finish and then click OK.
7 Expand Certificates, right-click the Personal tree node, and select All Tasks > Import.
8 In the wizard, point to the MDM Certificate and provide the password you entered to secure it. Complete the steps in the wizard.
9 Expand Personal and double-click the Certificates folder.
10 Right-click the MDM Certificate you installed and select All Tasks > Manage Private Keys.
11 In the Security tab, add the Network Service account and provide Read access.
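After either install procedure, the result can be verified on each Mobile Management server. The following script is an added example, not part of the Symantec guide: it checks that the certificate is in the LocalMachine\My store with its private key, has not expired, uses at least the 2048-bit key chosen in the request, and that Network Service holds an allow entry on the private key. It assumes an elevated Windows PowerShell session and a CSP-backed key; the SubjectMatch and WarnDays parameters are hypothetical names introduced for this example.

```powershell
# Added example, not part of the Symantec guide. Run in an elevated Windows PowerShell
# session (.NET Framework) on each Mobile Management server after the import.
param(
    # Assumption: a substring of your MDM certificate's subject, supplied by you.
    [Parameter(Mandatory = $true)][string]$SubjectMatch,
    # Assumption: how many days before expiry to start warning.
    [int]$WarnDays = 30
)

# Well-known SID of the NETWORK SERVICE account (locale independent).
$NetworkServiceSid = 'S-1-5-20'

function Get-MdmCertificateFindings {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays
    )
    $findings = @()
    $rights = 'none'
    $keySize = $null

    # Validity period.
    $now = Get-Date
    if ($Cert.NotAfter -lt $now) {
        $findings += 'certificate has expired'
    } elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "certificate expires within $WarnDays days"
    }

    # Key length: the request procedure selects 2048 bits.
    try {
        $keySize = $Cert.PublicKey.Key.KeySize
        if ($keySize -lt 2048) { $findings += "key length is $keySize bits, below 2048" }
    } catch {
        $findings += "could not read the public key: $($_.Exception.Message)"
    }

    # Private key presence and its ACL entry for NETWORK SERVICE.
    if (-not $Cert.HasPrivateKey) {
        $findings += 'no private key is associated with this certificate'
    } else {
        try {
            # Works for CSP-backed keys such as the SChannel provider named in the guide.
            $acl = $Cert.PrivateKey.CspKeyContainerInfo.CryptoKeySecurity
            $sidType = [System.Security.Principal.SecurityIdentifier]
            $allow = @($acl.GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.IdentityReference.Value -eq $NetworkServiceSid -and
                    $_.AccessControlType -eq 'Allow' })
            if ($allow.Count -gt 0) {
                $rights = ($allow | ForEach-Object { $_.CryptoKeyRights.ToString() }) -join '; '
            } else {
                $findings += 'NETWORK SERVICE has no allow entry on the private key'
            }
        } catch {
            $findings += "could not read the private key ACL: $($_.Exception.Message)"
        }
    }

    New-Object PSObject -Property @{
        Subject              = $Cert.Subject
        Thumbprint           = $Cert.Thumbprint
        NotAfter             = $Cert.NotAfter
        KeySize              = $keySize
        NetworkServiceRights = $rights
        Findings             = $findings -join '; '
    }
}

$results = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    ForEach-Object { Get-MdmCertificateFindings -Cert $_ -WarnDays $WarnDays })

if ($results.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My has a subject containing '$SubjectMatch'."
}
$results | Select-Object Subject, Thumbprint, NotAfter, KeySize, NetworkServiceRights, Findings |
    Format-List
```

An empty Findings field means every check passed; compare NetworkServiceRights with the Read access that the Windows Server 2008 procedure grants.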


Chapter 4 Installing Mobile Management

This chapter includes the following topics:

  About installing Mobile Management
  Basic installation workflow for Symantec Mobile Management
  Running the Symantec Mobile Management Prerequisite Check Utility
  Installing Mobile Management on an existing Symantec Management Platform server
  Installing Mobile Management on a new server
  Rolling out the site server
  Downloading and installing the Mobile Management Agent app
  Enrolling a mobile device
  Changing the enrollment URL to an email address for iOS devices
  Enabling and creating the End User License Agreement for iOS devices
  About the differences between the app store and the in-house Mobile Management Agent applications

About installing Mobile Management

Mobile Management is installed onto the Symantec Management Platform. The installation adds the Mobile Management user interface section to the Symantec Management Console and adds the Mobile Management software components to the Symantec Management Platform server.

Once you have installed Symantec Management Platform and Mobile Management Solution, you can deploy Mobile Management server components to additional servers. You can have one or more Mobile Management site servers in your environment.

If you already have the Symantec Management Platform installed, you can proceed with the installation immediately.
See Installing Mobile Management on an existing Symantec Management Platform server on page 37.

If you have not previously installed Symantec Management Platform, you begin by downloading Symantec Installation Manager and Symantec Management Platform.
See Installing Mobile Management on a new server on page 37.

Basic installation workflow for Symantec Mobile Management

Table 4-1 depicts the basic approach to installing and working with Symantec Mobile Management.

Table 4-1 Basic installation workflow

Step 1
  Task: Run the Symantec Mobile Management Prerequisite Check Utility.
  Description: Symantec Mobile Management has specific hardware and software requirements. Run the Prerequisite Check Utility to make sure that your environment is prepared to host the server and the database components.
  See Running the Symantec Mobile Management Prerequisite Check Utility on page 36.

Table 4-1 Basic installation workflow (continued)

Step 2
  Task: Download and install Symantec Mobile Management 7.2.
  Description: You download Symantec Mobile Management using Symantec Installation Manager. If an instance of Symantec Management Platform is not already installed, you first download Symantec Management Platform which includes Symantec Installation Manager.
  See Installing Mobile Management on an existing Symantec Management Platform server on page 37.
  See Installing Mobile Management on a new server on page 37.

Step 3
  Task: Roll out the site server.
  Description: Post-installation, you roll out one or more site servers.
  See Rolling out the site server on page 39.

Step 4
  Task: Configure the site server to communicate with iOS devices.
  Description: To use iOS devices, you must configure the site server components and services.
  See Configuring the site server to communicate with mobile devices on page 52.

Step 5
  Task: Download the Mobile Management agent.
  Description: Concurrently with or after server installation, mobile device users download the Symantec Mobile Management Agent app from the application venue appropriate for their device.
  See Downloading and installing the Mobile Management Agent app on page 39.

Table 4-1 Basic installation workflow (continued)

Step 6
  Task: Enroll a managed device.
  Description: Device owners use the Symantec Mobile Management Agent app to enroll their device with the Symantec Mobile Management site server.
  See Enrolling a mobile device on page 40.

Step 7
  Task: Manage a device.
  Description: You issue a management policy to the mobile device that specifies the management profile for the device. The Agent app interprets the policy and takes any actions that the policy specifies.
  See Creating policies on page 77.

Running the Symantec Mobile Management Prerequisite Check Utility

The Symantec Mobile Management Prerequisite Check Utility verifies that the system requirements and other prerequisites are met before the application is installed.

The prerequisite checker requires Microsoft .NET 3.5, which is usually part of your Symantec Management Platform instance. Make sure that .NET 3.5 is installed before you run the check utility.

To run the Symantec Mobile Management Prerequisite Check Utility

1 Navigate to http://www.symantec.com/docs/howto77182 and download PrerequisiteVerification.ZIP.
2 Follow the on-screen instructions to run the checker.
3 Correct any flagged requirements or configuration upgrades.

See Basic installation workflow for Symantec Mobile Management on page 34.

Installing Mobile Management on an existing Symantec Management Platform server

This procedure installs Mobile Management onto an existing Symantec Management Platform server and adds the Mobile Management section to the Symantec Management Console.

To install Symantec Mobile Management 7.2 on an existing Symantec Management Platform instance

1 Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).
2 On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2.
3 Accept the terms of the license agreement and click Next.
4 Follow the instructions that are provided in the wizard to complete the installation.

See Basic installation workflow for Symantec Mobile Management on page 34.

Installing Mobile Management on a new server

If you do not have the Symantec Management Platform installed, you download Symantec Management Platform and the Mobile Management software in a single process. You first download and install Symantec Installation Manager.

Go to go.symantec.com/get_mobile_management, and log into your Symantec account. If you do not have an account, a registration link is provided on the Web page.

Downloading and installing Symantec Installation Manager

1 On the Software Download page for Symantec Mobile Management, click Download Now.
  Note: The download includes Symantec Installation Manager and Symantec Management Platform.
2 Follow the on-screen instructions to set up Symantec Installation Manager. At the end of the installation, check Automatically launch Symantec Installation Manager, and then click Finish.
  Note: If an update to Symantec Installation Manager is available, you are prompted to download and install the update.

Installing Symantec Management Platform and Symantec Mobile Management 7.2

1 In Symantec Installation Manager, on the Install New Products page, in the Available products list, select the following items:
    Symantec Management Platform 7.1 SP2
    Symantec Mobile Management 7.2
  Note: To quickly locate the software, set the left filter option to Filter by Product Type and the right filter option to Filter: None and then enter mobile management into the search field.
2 Click Review selected products, verify that the correct products are selected, and then click Next.
3 On the End User License Agreement page, accept the terms of the license and click Next.
  Note: A 30 day trial license to enroll up to 25 devices is provided with Symantec Mobile Management. To use the trial license, skip the option to add a license.
  See Using the trial license on page 46.
4 On the Install Readiness Check page, verify that the computer meets the minimum requirements and then click Next.

5 The installer prompts you to configure the server and the database. For instructions to configure the components, see the Symantec Management Platform 7.1 SP2 Installation Guide at http://www.symantec.com/docs/doc4798. After you configure the components, click Next.
6 Skip the Computers to Manage page, and then click Begin install.
7 Wait for the installer to complete and then click Finish.

See Basic installation workflow for Symantec Mobile Management on page 34.

Rolling out the site server

Site servers aggregate device administration and communication, and enable multi-site architectures. You deploy site servers through the Symantec Management Console. You can install multiple site servers to improve network performance and enhance administrative capability.

Note: Site server computers must have the Symantec Management Agent installed and have Microsoft Message Queuing (MSMQ) services enabled.
See Mobile Management requirements on page 145.

For more information about setting up site servers, see the Symantec Management Platform 7.1 SP2 Installation Guide at http://www.symantec.com/docs/doc4798.

Roll out the site server

1 In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2 Under Site Server Rollout and Settings, on the toolbar, click New.
3 Enter the name and IP address of the site server computer, and then click Save changes.

See Basic installation workflow for Symantec Mobile Management on page 34.

Downloading and installing the Mobile Management Agent app

You download the Mobile Management Agent app to your mobile device from the app venue that is appropriate for the mobile device. After the app is installed, it is used to enroll the device so that it can accept and enact management policies on the mobile device.

Download the app from one of the following locations:

  iOS - Apple App Store
  Android - Android Market
  Windows - Windows Phone Marketplace

To download the Mobile Management agent to a mobile device

1 For Android devices only, first set your device's app installation settings to Allow Installation of non Market Applications and to allow Unknown Sources.
2 Go to the app venue for your device and download the Symantec Mobile Management Agent app.
  Note: Search for Symantec MGMT or Symantec Mobile Agent.
3 Follow the procedure for your mobile device to install the app.

See Enrolling a mobile device on page 40.
See Basic installation workflow for Symantec Mobile Management on page 34.

Enrolling a mobile device

Managing mobile devices with Symantec Mobile Management requires that they are enrolled with the Symantec Mobile Management server.

To enroll a mobile device

1 On your mobile device, start the Symantec Mobile Management Agent app.
2 On the enrollment screen, provide the following information:
    The URL of the management server.
      For Android, go to: [server]/mobileEnrollment/SYMC-androidenroll.aspx
      For iOS, go to: [server]/mobileEnrollment/SYMC-iOSenroll.aspx
      For Windows Phone, go to: [server]/mobileEnrollment/SYMC-WPenroll.aspx
      Where [server] is the name of the site server computer that you want the device to enroll with.
    Your domain user name and password.
  Note: URLs are not case sensitive.
3 Tap Enroll to complete the enrollment process.

The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time.

You can also set up DNS to allow iOS users to enter an email address instead of the URL.
See Changing the enrollment URL to an email address for iOS devices on page 41.

Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.

Changing the enrollment URL to an email address for iOS devices

To make enrollment easier, you can change the Mobile Management Agent to request an email address instead of a URL. Set up a resource record in your domain controller. The resource record takes the domain of the email address and looks for the user's credentials.

To change the enrollment URL to an email address

1 Log in to your domain controller and run DNS.
2 In DNS, navigate to the domain folder.
3 Right-click the folder, and then click Other New Records...
4 In the Resource record type window, select Text (TXT) and then click Create Record...
5 In the New Resource Record window, leave Record name blank. Enter the following value in Text:, and then click OK:
    OSIAGENTREGURL=http://<your-site-server-IP-or-Servername>/MobileEnrollment/Symc-IOSEnroll.ASPX
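Because this TXT record decides which server iOS users are sent to before they type their domain user name and password, it is worth checking what is actually published. The following script is an added example, not part of the Symantec guide: it validates OSIAGENTREGURL values against a list of known site servers and the enrollment path shown above. The AllowedHosts default, the sample strings and the function name are assumptions made for this example; the live lookup assumes a workstation that has the Resolve-DnsName cmdlet.

```powershell
# Added example, not part of the Symantec guide. Checks the TXT values that steer
# iOS enrollment. Without -Domain it runs on the constructed sample below.
param(
    [string]$Domain,   # optional: DNS domain to query live (needs Resolve-DnsName)
    # Assumption: the site server names that agents are allowed to be sent to.
    [string[]]$AllowedHosts = @('mobileserver.yourcorp.com')
)

$Key = 'OSIAGENTREGURL='                                  # record key shown in the guide
$ExpectedPath = '/MobileEnrollment/Symc-IOSEnroll.ASPX'   # enrollment page shown in the guide

function Test-EnrollmentTxt {
    param([string[]]$TxtStrings, [string[]]$AllowedHosts)

    # Keep only the enrollment values and strip the key.
    $values = @($TxtStrings | Where-Object { $_ -like "$Key*" } |
        ForEach-Object { $_.Substring($Key.Length).Trim() })
    if ($values.Count -eq 0) {
        return New-Object PSObject -Property @{
            Url = $null; Scheme = $null; Findings = 'no OSIAGENTREGURL value is published'
        }
    }
    foreach ($value in $values) {
        $findings = @()
        $scheme = $null
        if ($values.Count -gt 1) {
            $findings += 'more than one OSIAGENTREGURL value is published'
        }
        $uri = $null
        if ([System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
            $scheme = $uri.Scheme
            if ($AllowedHosts -notcontains $uri.Host) {
                $findings += "host '$($uri.Host)' is not in the allowed site server list"
            }
            # The guide notes that URLs are not case sensitive, so compare without case.
            if ($uri.AbsolutePath -ine $ExpectedPath) {
                $findings += "unexpected path '$($uri.AbsolutePath)'"
            }
        } else {
            $findings += 'value is not an absolute URL'
        }
        New-Object PSObject -Property @{
            Url = $value; Scheme = $scheme; Findings = $findings -join '; '
        }
    }
}

# Constructed sample values (not captured from a real zone).
$sample = @(
    'v=spf1 -all',
    'OSIAGENTREGURL=http://mobileserver.yourcorp.com/MobileEnrollment/Symc-IOSEnroll.ASPX',
    'OSIAGENTREGURL=http://203.0.113.10/mobileenrollment/symc-iosenroll.aspx'
)

if ($Domain) {
    # A TXT record can be split into several strings; join them before checking.
    $strings = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' })
} else {
    $strings = $sample
}

Test-EnrollmentTxt -TxtStrings $strings -AllowedHosts $AllowedHosts |
    Format-List Url, Scheme, Findings
```

On the constructed sample, both values are reported as duplicates and the second is also flagged because 203.0.113.10 is not in the allowed list.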

Enabling and creating the End User License Agreement for iOS devices

You can require users to accept an End User License Agreement (EULA) when they enroll the Mobile Management Agent on their iOS device. The EULA is specific to your company and can be created according to your needs.

To enable the EULA for iOS devices

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Configuration.
3 Click Mobile Management Server settings.
4 On the Mobile Management Server settings page, click the Enrollment tab.
5 Check Require EULA acceptance.
6 Click Save changes.

To create the EULA for iOS devices

1 On the site server, open the Symantec > Mobile Management > Enrollment folders.
2 Double-click eula-en.html.
3 Edit the EULA text and save the file.

The device automatically replaces the placeholder EULA with your company's EULA.

About the differences between the app store and the in-house Mobile Management Agent applications

The most notable difference between the app store and in-house versions of the Mobile Management Agent application is the presence of the Applications tab.

On the app store version of the Mobile Management Agent application, there is no applications tab. Any applications that are delivered to the device appear in the updates tab. These applications remain in the updates tab until a new item is delivered to the updates tab.