McAfee Enterprise Mobility Management 12.0 Software


Product Guide
McAfee Enterprise Mobility Management 12.0 Software
For use with ePolicy Orchestrator 4.6.7-5.1 Software

COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    ePolicy Orchestrator features customized for McAfee EMM
    McAfee EMM components
        Server components
        Client components
    Using McAfee EMM in PKI environments

2 Getting started
    Update the default administrator account
    Create a service record
    Configure an authorization directory
    Configure an SMTP server and default notification settings
    Configure a SCEP server for PKI environments
    Customize the company profile
    Customize certificate expiration notifications
    Using permission sets with McAfee EMM

3 Authorizing users
    Manage provisioning tokens
        Require provisioning tokens
        Update provisioning tokens
    Authorize users
        Bulk-authorize and notify LDAP or ActiveSync users
        Authorize select LDAP users
        Authorize select ActiveSync users
        Authorize LDAP or ActiveSync users based on a list
    Unlock users
    Managing device mapping
        Activate manual Android Device ID Mapping
        Manually approve Android Device ID Mapping

4 Working with devices
    Device configuration requirements
    Communicating with users
    Configure devices
        Configure iOS devices
        Configure Android devices
        Configure Windows Phones
    Resolving compliance issues on devices

5 Managing devices
    Organizing mobile devices in the System Tree
    Viewing mobile properties
    Performing mobile actions
    Managing compliance in ePolicy Orchestrator
    Updating mobile devices
    Distributing apps and files
        Create or modify packages
        Assign and push packages
    Managing volume licenses for iOS apps
        Add or update volume licenses for iOS package apps
        Manually redeem or delete volume licenses
    Using McAfee VMS with McAfee EMM
        Deploy McAfee VMS

6 Configuring policies
    Using McAfee EMM policies in ePolicy Orchestrator
    Configure policies

7 Monitoring devices
    Using dashboards and monitors with McAfee EMM
    Using queries and reports with McAfee EMM
    Using the Threat Event Log with McAfee EMM

8 Performing system maintenance
    Edit the McAfee EMM registered server
    Update MDM, push, and portal certificates
    Update GCM settings
    Update the device catalog
    Back up your McAfee EMM installation
    Viewing McAfee EMM log files

A Policy settings
B Mobile properties
Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
    About this guide
    Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
    Administrators: People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.
    Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
    Bold: Text that is strongly emphasized.
    User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
    Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
    Hypertext blue: A link to a topic or to an external website.
    Note: Additional information, like an alternate method of accessing an option.
    Tip: Suggestions and recommendations.
    Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
    Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

1 Introduction

McAfee Enterprise Mobility Management (McAfee EMM) provides management and security for mobile devices in enterprise environments.

McAfee EMM leverages McAfee ePolicy Orchestrator to deliver management and security for iOS and Android devices, and Windows Phones. With McAfee EMM, enterprises smoothly integrate mobile data protection into their existing infrastructure. McAfee EMM can be used to:
- Enforce authentication, authorization, and encryption
- Manage and secure corporate email, contacts, and calendars
- Define security and use policies
- Block jailbroken or rooted devices
- Remotely lock or wipe lost devices
- Centrally manage McAfee VirusScan Mobile Security (McAfee VMS) on Android devices
- Secure Android devices with App Protection through McAfee Global Threat Intelligence (McAfee GTI)
- Monitor and report on the mobile enterprise

McAfee EMM offers a comprehensive, scalable solution for the rapidly expanding bring-your-own-device (BYOD) market and for traditional enterprise-driven environments, providing a unified solution for complete mobile security.

Contents
    ePolicy Orchestrator features customized for McAfee EMM
    McAfee EMM components
    Using McAfee EMM in PKI environments

ePolicy Orchestrator features customized for McAfee EMM

McAfee EMM is managed exclusively by ePolicy Orchestrator. Understanding how these products' features interact helps you navigate and use the system effectively.

For this ePolicy Orchestrator feature, McAfee EMM adds:
    Dashboards: Predefined, mobile-specific dashboards and monitors.
    Permission Sets: McAfee Enterprise Mobility Management permission category. Mobile Actions permission category. EMM Hub and SCEP Server permissions in the existing Registered Servers permission category.
    Policy Catalog: Android, iOS, and Windows Phone policy categories in the Enterprise Mobility Management 12.0.0 product group.
    Queries & Reports: Predefined, mobile-specific queries. Custom query property groups: EMM Properties, Device Details, Device Properties, Mobile Applications, Telecommunication Properties, PKI Properties, and (PKI) Certificate Properties.
    Server Settings: EMM Server Settings with access to System Settings, Package Management, and User Notifications. Package Management, User Notifications, and some System Settings still appear in the legacy McAfee EMM console. These pages are launched from ePolicy Orchestrator and appear in Silverlight. If you're having trouble viewing these pages, enable pop-ups from your ePolicy Orchestrator URL.
    Server Tasks: EMM Certificates Notification server task.
    System Information: Mobile Properties window. Mobile actions: Lock, MDM Uninstall, Unlock, Wipe, and Wipe Corporate Data.
    Threat Event Log: Predefined, mobile-specific threats.
    User Management: Locked Users page.

McAfee EMM components

The McAfee EMM system includes server-side and client-side components that are managed through ePolicy Orchestrator. McAfee EMM 12.0 can be used with ePolicy Orchestrator 4.6.7-5.1.

The McAfee EMM extension bundle for ePolicy Orchestrator includes these extensions:
    McAfee Enterprise Mobility Management: Provides the core McAfee EMM functionality.
    McAfee Mobile ePO: Allows ePolicy Orchestrator to communicate with mobile devices.
    PKI: Enables secure, certificate-based authentication for VPN or Wi-Fi connections on iOS devices.
    Help: Provides context-sensitive help for McAfee EMM interface pages, and provides on-screen access to the product guide.

In addition to the built-in McAfee EMM components, some product features require supplementary servers.

Product feature: Server requirement
    Single sign-on policies (iOS 7 and later): Kerberos-based authentication server, like a Windows Domain Controller with Kerberos enabled. Directory Services, such as Active Directory or LDAP.
    PKI (certificate-based authentication for VPN or Wi-Fi): Certificate authority (CA) server running Windows Server 2008 R2 64-bit with Service Pack 1 or later, with SCEP enabled. To use challenge authentication (recommended), the server must be in English or Spanish. Validation authority, such as a Remote Authentication Dial-In User Service (RADIUS) server.

Server components

These components are installed on enterprise servers to administer McAfee EMM.

[Figure 1-1 Typical enhanced security configuration]

For High Availability or basic security configurations, see the McAfee EMM Installation Guide.

McAfee EMM server component: Description
    Hub: Manages communication between McAfee EMM components and with ePolicy Orchestrator. The Hub allows secure communication across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communication is established between the components. The Hub is paired with the McAfee EMM database, which stores all data required for McAfee EMM to function.
    Portal: Allows device users to initiate wipe requests in the event their device is lost or stolen. Users access the Portal from a browser on a PC or mobile device. We recommend installing the Portal in the DMZ.

McAfee EMM server component: Description (continued)
    Proxy: Proxies ActiveSync traffic to the email servers. This IIS (Internet Information Services) application controls access to enterprise resources on the DMZ server. We recommend installing the Proxy in the DMZ.
    Push Notifier: Sends push notifications to mobile devices. The Push Notifier is a required component that communicates with Apple and Google push notification services. We recommend installing the Push Notifier in the DMZ.

Client components

These components are installed on mobile devices that are registered on the enterprise network. They help configure the device and communicate with the McAfee EMM server.

McAfee EMM client component: Description
    McAfee EMM iOS app: Free app that enforces security policies, notifies users of compliance issues, and configures corporate email, contacts, and calendars using the device's native apps.
    McAfee EMM Android app: Free app that enforces security policies, notifies users of compliance issues, and optionally pairs with McAfee Secure Container to manage corporate email, contacts, and calendars.
    McAfee Secure Container app (Android devices): Free app that encrypts and passcode-secures enterprise email, contacts, and calendars.

For Android devices, you can require or recommend the McAfee VMS app with McAfee EMM to centrally manage anti-malware protection.

Using McAfee EMM in PKI environments

When used in Public Key Infrastructure (PKI) environments, McAfee EMM provides secure, certificate-based authentication for VPN or Wi-Fi connections on iOS devices.

In PKI environments, device-based or client authentication certificates can be used instead of, or in addition to, a password when iOS users connect to VPN or Wi-Fi. In McAfee EMM 12.0 and later, PKI functionality is fully integrated with ePolicy Orchestrator. Certificates, as well as VPN and Wi-Fi configurations, are managed with McAfee EMM policies.

McAfee EMM serves as the registration authority in PKI environments, relaying certificate requests and actual certificates between user devices and your chosen certificate authority (CA). McAfee EMM does not act as a CA. McAfee EMM also checks certificate expiration dates during device check-in, then requests and relays a renewed certificate if the expiration date falls within 21 days. You can modify the 21-day default in the Hub web.config file.

PKI requirements

To take advantage of certificate-based authentication for VPN or Wi-Fi, you need the following.

- An established account with a standalone or enterprise Microsoft CA. The account used for the challenge key must be a service account with Manage CA permissions (for standalone) or Enroll permissions (for enterprise).
- A CA server running Windows Server 2008 R2 64-bit with Service Pack 1 or later, with SCEP enabled. To use challenge authentication (recommended), the server must be in English or Spanish.
- An application, such as IIS Manager, capable of binding SSL to CertSrv (the SCEP service web application).
- A validation authority, like a Remote Authentication Dial-In User Service (RADIUS) server. Certificate distribution can occur without this server, but it's required for certificate-based VPN or Wi-Fi authentication.

[Figure 1-2 Typical PKI and High Availability configuration]

Getting started with PKI

After establishing the infrastructure for your PKI environment, follow these steps to take advantage of certificate authentication functionality in ePolicy Orchestrator.
1 Configure a Simple Certificate Enrollment Protocol (SCEP) server in ePolicy Orchestrator Registered Servers. This enables ePolicy Orchestrator to communicate with the CA. See Configure a SCEP server for PKI environments.
2 Add server and client certificates on the Certificates tab of McAfee EMM iOS policies.
3 Configure VPN or Wi-Fi on the VPN and Wi-Fi tabs of McAfee EMM iOS policies.

See also
    Configure a SCEP server for PKI environments
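The renewal rule described above (check each client certificate at device check-in and request a new one when its expiry falls inside a window, 21 days by default) is easy to model, and doing so shows the edge cases an administrator who changes the web.config default should think about: a certificate exactly at the window boundary, and one that has already lapsed and can no longer be renewed. The following is an added example written for this guide, not McAfee's code; it works on certificate records in the shape Python's ssl.getpeercert() returns, and the subjects, dates and check-in time are constructed sample values.

```python
"""Certificate-expiry check of the kind McAfee EMM performs at device check-in.

Added example, not McAfee code: it models the rule the guide states (renew when
the expiry falls within a window, 21 days by default) over certificate records
in the form Python's ssl.getpeercert() returns. The certificate records below
are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The guide's default window; in the product this value lives in the Hub web.config.
DEFAULT_RENEWAL_WINDOW_DAYS = 21


@dataclass(frozen=True)
class CheckInResult:
    subject: str
    days_left: int   # whole days remaining; negative once the certificate has expired
    action: str      # "ok", "renew", or "expired"


def parse_not_after(not_after: str) -> datetime:
    """Parse the OpenSSL-style notAfter string, e.g. 'Jun 15 00:00:00 2014 GMT'."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def evaluate_certificate(subject: str, not_after: str, now: datetime,
                         window_days: int = DEFAULT_RENEWAL_WINDOW_DAYS) -> CheckInResult:
    """Decide whether a certificate is fine, due for renewal, or already expired."""
    remaining = parse_not_after(not_after) - now
    if remaining <= timedelta(0):
        action = "expired"   # too late to renew; the device has to be re-enrolled
    elif remaining <= timedelta(days=window_days):
        action = "renew"     # inside the window: request a new certificate from the CA
    else:
        action = "ok"
    return CheckInResult(subject, remaining.days, action)


def device_check_in(certs: list[dict], now: datetime,
                    window_days: int = DEFAULT_RENEWAL_WINDOW_DAYS) -> list[CheckInResult]:
    """Run the expiry rule over every certificate a device presents at check-in."""
    return [evaluate_certificate(c["subject"], c["notAfter"], now, window_days) for c in certs]


# Constructed sample data: three client certificates seen at one check-in.
SAMPLE_CHECK_IN_TIME = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"subject": "CN=vpn-client-0001", "notAfter": "Jun 15 00:00:00 2014 GMT"},   # 13.5 days left
    {"subject": "CN=wifi-client-0001", "notAfter": "Sep 01 00:00:00 2014 GMT"},  # about 3 months left
    {"subject": "CN=vpn-client-0002", "notAfter": "May 20 00:00:00 2014 GMT"},   # already expired
]

if __name__ == "__main__":
    for r in device_check_in(SAMPLE_CERTS, SAMPLE_CHECK_IN_TIME):
        print(f"{r.subject}: {r.days_left:4d} days left -> {r.action}")
```

The comparison is done on the full timedelta rather than on whole days, so a certificate that expires in 21 days and one second is still reported as "ok" while one at exactly 21 days is "renew"; whichever side of the boundary you want, it is the window_days argument (the web.config value in the product) that moves it, not the check-in clock.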


2 Getting started

Get started quickly by completing these preliminary tasks.

Contents
    Update the default administrator account
    Create a service record
    Configure an authorization directory
    Configure an SMTP server and default notification settings
    Configure a SCEP server for PKI environments
    Customize the company profile
    Customize certificate expiration notifications
    Using permission sets with McAfee EMM

Update the default administrator account

Secure the connection between the McAfee EMM Hub and the ePolicy Orchestrator server by changing the default system administrator logon credentials.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Console Access.
2 Click Add, complete the fields, then click Save.
    Access Type: Local User
    Role: System Administrator
    Username: User name for the connection to the McAfee EMM server.
    Password: Password for the connection to the McAfee EMM server.
3 Select the default account, then click Delete.

Create a service record

A service (SRV) record automatically directs user devices to the McAfee EMM Portal so users don't need to enter the server name during device configuration.

Task
1 Create an SRV record with this format:

    _activation._tcp.<domainname>. 86400 IN SRV 0 1 443 <EMMportalhostname>

    <domainname> is the domain name used in company email addresses.
    <EMMportalhostname> is the fully qualified domain name of the McAfee EMM portal.

    An SRV record for Acme, Corp. would look like this:

    _activation._tcp.acme.com. 86400 IN SRV 0 1 443 emm.acme.com

2 Publish the SRV record to a device-accessible Domain Name System (DNS) server.

Configure an authorization directory

To authorize users, specify an authorization directory. You can use LDAP or ActiveSync Protocol for user authentication.

Email policy settings override authorization directory settings.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Auth Directories.
2 Do one of the following:
    - To add a directory, click Add.
    - To edit a directory, select the directory from the list, then click Edit.
3 Complete or modify the fields based on your authentication type, then click Save.

    User authentication options vary depending on the LDAP server settings specified during installation.

    For LDAP user authentication:
        Server Type: AD or Domino.
        FQDN: Fully qualified domain name of the LDAP server.
        Domain: This field populates when FQDN is completed.
        DN: Domain distinguished name of the LDAP. For AD, this field populates when FQDN is completed. For Domino, leave this field blank.
        Username: User name for the connection to the server.
        Password: Password for the connection to the server.
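Because the SRV record is what every device trusts to find the Portal, it is worth checking the line before publishing it: the owner name must be the one devices query, the port must be 443 (the Portal is reached over HTTPS), and the target must be the Portal's host name rather than an IP literal, since the Portal's certificate is issued for a name. The following is an added example written for this guide, not McAfee's code; it builds the record in the guide's format from a domain and Portal host, parses a zone-file line back into its fields, and reports deviations from that shape. The domain and host names are constructed sample values (the guide's own Acme example is reused).

```python
"""Build and sanity-check the _activation._tcp SRV record that McAfee EMM
devices look up to find the Portal.

Added example, not McAfee code: the record format is the one the guide gives;
the domain and host names below are constructed sample values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One zone-file line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def build_activation_srv(domain: str, portal_fqdn: str, ttl: int = 86400) -> str:
    """Return the record line for a company email domain and its EMM Portal host."""
    domain = domain.strip().rstrip(".").lower()
    portal_fqdn = portal_fqdn.strip().rstrip(".").lower()
    return f"_activation._tcp.{domain}. {ttl} IN SRV 0 1 443 {portal_fqdn}"


def parse_srv(line: str) -> SrvRecord:
    """Split a zone-file SRV line into its fields; raise ValueError if it is not one."""
    m = SRV_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a zone-file SRV record: {line!r}")
    return SrvRecord(m["owner"], int(m["ttl"]), int(m["priority"]),
                     int(m["weight"]), int(m["port"]), m["target"])


def check_activation_srv(line: str, domain: str) -> list[str]:
    """Return the ways a record deviates from the EMM activation shape (empty list = OK)."""
    try:
        rec = parse_srv(line)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []
    expected_owner = f"_activation._tcp.{domain.strip().rstrip('.').lower()}."
    if rec.owner.lower() != expected_owner:
        problems.append(f"owner should be {expected_owner}, got {rec.owner}")
    if rec.port != 443:
        problems.append(f"port should be 443, got {rec.port}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}\.?", rec.target):
        problems.append("target must be the Portal's fully qualified host name, not an IP address")
    elif "." not in rec.target.rstrip("."):
        problems.append(f"target {rec.target} is not fully qualified")
    return problems


if __name__ == "__main__":
    line = build_activation_srv("acme.com", "emm.acme.com")   # the guide's Acme example
    print(line)
    print("problems:", check_activation_srv(line, "acme.com") or "none")
```

The parser accepts any zone-file SRV line, so the same check can be run over an exported zone to find activation records for other domains, and a line that is not an SRV record at all (an A record, for instance) is reported as a problem rather than silently ignored.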

    For LDAP user authentication (continued):
        External EMM Proxy Server Address: Fully qualified domain name of the McAfee EMM Proxy. Devices connect to this McAfee EMM Proxy address for ActiveSync.
        Use SSL: This option is selected by default and can't be changed.

    For ActiveSync Protocol user authentication:
        ActiveSync Authentication Address: Fully qualified domain name of the ActiveSync server.
        Domain: Domain name of the ActiveSync server.
        Verification Username: User name for the connection to the server.
        Verification Password: Password for the connection to the server.
        ActiveSync External DNS: External DNS or IP address of the server that connects to the McAfee EMM Proxy.
        Use SSL: This option is selected by default and can't be changed.

Configure an SMTP server and default notification settings

Before sending user notifications, configure an SMTP server. You can also specify default notification settings to speed the bulk-authorization process.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Mail Settings.
2 Complete the fields, then click Save.
    Message From Address: Email address that user notifications are sent from.
    Message Subject: Subject line for user notifications.
    Self Service Portal Message: Body of the default user notification email message. For details, see Bulk-authorize and notify LDAP or ActiveSync users.
    SMTP Relay Server: External DNS or IP address of the SMTP server.
3 (Optional) To send a test text message, click Send Test SMS.

See also
    Bulk-authorize and notify LDAP or ActiveSync users

Configure a SCEP server for PKI environments

Configuring a Simple Certificate Enrollment Protocol (SCEP) server enables dynamic retrieval of certificates from a Microsoft certificate authority in PKI environments.

Before you begin
Set up your PKI infrastructure. For details, see Using McAfee EMM in PKI environments.

You can configure multiple SCEP servers, one for each certificate authority.

Task
For option definitions, click ? in the interface.
1 Select Menu > Configuration > Registered Servers, then click New Server.
2 From the Server type drop-down list, select SCEP Server, enter a unique name for the server, then click Next.
3 Provide details about the connection to your SCEP server, click Verify connection to establish connection with the server, then click Save.

See also
    Using McAfee EMM in PKI environments

Customize the company profile

Customize the company name and user agreement that appears on user devices during configuration.

An editable, default user agreement is provided for the standard ePolicy Orchestrator languages, with English displayed by default until you add other languages. The language displayed in ePolicy Orchestrator is based on the language selected when you logged on. The language displayed on user devices is based on the language specified on the device.

Language-aware user notifications require iOS app 4.9.1 or later or Android app 3.0 or later.

Task
For option definitions, click ? in the interface.
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management.
2 At bottom right of the screen, click Edit.
3 In the General Settings section, modify the Company Name and User Agreement, then click Save.

If you select a User Agreement language for which default translated text isn't provided, text is displayed in the ePolicy Orchestrator language selected at logon, or in English. Translate or modify this text as needed for the selected language.

Customize certificate expiration notifications

Automatically receive notification when portal, push, or mobile device management (MDM) certificates near expiration by customizing the default EMM Certificates Notification server task.

The server task can be viewed, edited, or disabled, but it can't be deleted.

Before you begin
An email server must be configured in ePolicy Orchestrator. For details, see the ePolicy Orchestrator documentation.

Task
For option definitions, click ? in the interface.
1 Select Menu > Automation > Server Tasks.
2 In the EMM Certificates Notification row, click Edit.
3 Use the Server Task Builder to customize the server task.

Using permission sets with McAfee EMM

McAfee EMM permissions define rights for policies, server settings, and actions performed on mobile devices.

McAfee EMM adds these permissions:
    McAfee Enterprise Mobility Management permissions category: Defines permissions for McAfee EMM policies and Server Settings, including the legacy McAfee EMM console.
    Mobile Actions permissions category: Defines permissions for mobile actions and Locked Users.
    EMM Hub and SCEP Server permissions: Located in the existing Registered Servers permission category, defines permissions for McAfee EMM servers.

For users not assigned a global administrator user role, McAfee EMM grants No Permissions by default. Permissions must be granted for users to access or use permission-controlled features of McAfee EMM.

Permissions assigned to ePolicy Orchestrator features might affect users' ability to perform McAfee EMM functions. For example, to access mobile actions, users must also have permission to view the System Tree.

For details about managing permission sets, see the ePolicy Orchestrator documentation.


3 Authorizing users

Grant users access to your network from their mobile devices based on LDAP or ActiveSync credentials. You can set temporary passwords, or provisioning tokens, unlock users with failed password attempts, and (optionally) manage Device ID Mapping for certain Android devices.

Contents
    Manage provisioning tokens
    Authorize users
    Unlock users
    Managing device mapping

Manage provisioning tokens

Provisioning tokens provide an optional, extra measure of security when users configure their devices.

You can use provisioning tokens only with iOS and Android devices. Windows Phones can't be configured successfully if users are assigned provisioning tokens.

Tasks
    Require provisioning tokens: Turn on the provisioning token requirement so that you can create and send provisioning tokens as you authorize users.
    Update provisioning tokens: Update a user's provisioning token manually when a token expires, or when a user needs to configure another device.

Require provisioning tokens

Turn on the provisioning token requirement so that you can create and send provisioning tokens as you authorize users.

Selecting the provisioning token option doesn't affect users who have already configured their devices.

If you require provisioning tokens:

  When you bulk-authorize users, a default token and expiration are added to the notification message. See Bulk-authorize and notify LDAP or ActiveSync users.
  When you authorize select users, you're prompted to specify provisioning token options. See Authorize select LDAP users.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Authorized Users.
2 Select Allow Only Authorized Users and Require Provisioning Token.
3 Specify options for the provisioning token, then click Save.

  Option        Definition
  Token Length  Number of characters in the token.
  Hours Valid   Number of hours the temporary password is valid.

Choose Hours Valid to cover the time users actually need to enroll; a token that has expired can be reissued with Update provisioning tokens.

See also
  Bulk-authorize and notify LDAP or ActiveSync users on page 21
  Authorize select LDAP users on page 22

Update provisioning tokens
Update a user's provisioning token manually when a token expires, or when a user needs to configure another device.

Before you begin
  The user must be on the Authorized Users list. See Authorize users.
  (Optional) To send the updated provisioning token to users in a text message or email, an SMTP server must be configured in Mail Settings. See Configure an SMTP server and default notification settings.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Authorized Users.
2 Click Update Token, then select a user or group.
3 Specify options for the provisioning token, then click Save.

  Option              Definition
  Provisioning Token  Temporary password.
  Hours Valid         Number of hours the temporary password is valid. This value overrides the default value set on the Authorized Users screen.
  Delivery Action     Select how the user receives the temporary password:
                        No Action
                        Send SMS: Opens the Provisioning SMS screen. Enter the Recipient's Phone Number, Carrier, Subject, and Message, then click Send SMS.
                        Send E-mail: Opens an email to the user containing the temporary password. Click Send to deliver the email.

See also
  Authorize users on page 21
  Configure an SMTP server and default notification settings on page 15
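The settings above (Token Length, Hours Valid, single delivery per user) describe a one-time provisioning token, and the User Notifications screen described later in this chapter inserts it into the message through the placeholders OTPToken: %OTPToken% Token Expiration: %OTPTokenExpiration% with a 140-character limit for SMS. The following Python is an added example, not McAfee EMM code and not from this guide: it shows what a correct implementation of those rules looks like (unpredictable token, expiry, single use, constant-time comparison, placeholder and SMS-length checks). The default values, the token alphabet, the template text and the fixed clock are assumptions made for the example.

```python
"""Provisioning-token issue/redeem logic plus notification rendering (illustrative)."""
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed defaults standing in for the Token Length / Hours Valid settings;
# the guide does not state McAfee EMM's own defaults.
DEFAULT_TOKEN_LENGTH = 8
DEFAULT_HOURS_VALID = 24
SMS_MAX_CHARS = 140  # SMS notification limit stated in the guide

# Assumption: drop characters that are easy to misread when typed from an SMS (0/O, 1/I).
TOKEN_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "01IO")

# Placeholders in the guide's format; they must stay in the message.
REQUIRED_PLACEHOLDERS = ("%OTPToken%", "%OTPTokenExpiration%")
DEFAULT_TEMPLATE = ("Install the McAfee EMM app and sign in.\n"
                    "OTPToken: %OTPToken% Token Expiration: %OTPTokenExpiration%")

# Fixed clock so the example is reproducible (constructed value).
EXAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hours_after(base, hours):
    return base + timedelta(hours=hours)


@dataclass
class ProvisioningToken:
    user: str
    token: str
    expires_at: datetime
    used: bool = False


def issue_token(user, token_length=DEFAULT_TOKEN_LENGTH, hours_valid=DEFAULT_HOURS_VALID, now=None):
    """Create a fresh single-use token; secrets.choice makes it unguessable."""
    now = now or datetime.now(timezone.utc)
    if token_length < 6 or hours_valid <= 0:
        raise ValueError("token needs at least 6 characters and a positive validity period")
    token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(token_length))
    return ProvisioningToken(user, token, hours_after(now, hours_valid))


def redeem_token(record, presented, now=None):
    """Accept the token once, before expiry; refuse reuse, expiry and mismatches.
    The comparison is constant-time so a wrong guess leaks nothing about the value."""
    now = now or datetime.now(timezone.utc)
    if record.used or now >= record.expires_at:
        return False
    if not hmac.compare_digest(record.token.encode(), presented.strip().upper().encode()):
        return False
    record.used = True
    return True


def render_notification(template, record, delivery):
    """Fill the placeholders for one user and enforce the 140-character SMS limit."""
    missing = [p for p in REQUIRED_PLACEHOLDERS if p not in template]
    if missing:
        raise ValueError(f"template is missing {missing}; do not delete the token text")
    message = (template.replace("%OTPToken%", record.token)
               .replace("%OTPTokenExpiration%", record.expires_at.strftime("%Y-%m-%d %H:%M UTC")))
    if delivery == "SMS" and len(message) > SMS_MAX_CHARS:
        raise ValueError(f"SMS notification is {len(message)} characters; the limit is {SMS_MAX_CHARS}")
    return message


def raises_value_error(fn, *args):
    """Small helper used to show which inputs the checks above reject."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rec = issue_token("userxyz", token_length=8, hours_valid=2, now=EXAMPLE_NOW)
    print(render_notification(DEFAULT_TEMPLATE, rec, "SMS"))
    print("first use:", redeem_token(rec, rec.token, now=hours_after(EXAMPLE_NOW, 1)))
    print("replay:", redeem_token(rec, rec.token, now=hours_after(EXAMPLE_NOW, 1)))
```

The design point is that the token is a second, short-lived credential: it must be random (not derived from the user name or a counter), it must stop working after its first successful use and after Hours Valid, and the notification template must keep both placeholders or the user never receives the value.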

Authorize users
Choose an authorization method based on the type of user authentication in use on your system and the number of users you need to authorize.

Tasks
  Bulk-authorize and notify LDAP or ActiveSync users on page 21: Authorize many users at once and automatically send them emails or text messages with configuration details. You can bulk-authorize users based on LDAP groups or by importing a list in comma-separated value (CSV) format. This authorization method is recommended if you require provisioning tokens.
  Authorize select LDAP users on page 22: By default, all users with valid Active Directory or Domino credentials can configure their devices. For greater security, specify which LDAP users or groups can configure devices.
  Authorize select ActiveSync users on page 23: Allow selected users to configure their devices by manually specifying their ActiveSync credentials.
  Authorize LDAP or ActiveSync users based on a list on page 23: Allow a list of users to configure their devices using LDAP or ActiveSync credentials.

Bulk-authorize and notify LDAP or ActiveSync users
Authorize many users at once and automatically send them emails or text messages with configuration details. You can bulk-authorize users based on LDAP groups or by importing a list in comma-separated value (CSV) format. This authorization method is recommended if you require provisioning tokens.

Before you begin
  An SMTP server must be configured in Mail Settings. See Configure an SMTP server and default notification settings.
  (Optional) To automatically assign temporary passwords as you authorize users, change your settings to require provisioning tokens. See Require provisioning tokens.
  (Optional) To authorize users based on a CSV list, create a list. For details about formatting, see CSV format for list-based user authorization.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > User Notifications.
2 Click Provision Users, complete the fields, then click Next.

  Search LDAP (LDAP authentication)
  Option          Definition
  Source          Search LDAP
  Location        Specifies the domain of the LDAP server.
  User/Group      Select the users or groups to add as authorized users. Entering a user or group name populates the Search Results.
  Search Results  Select users from this list and use the arrows to move them to the list of Users to Provision.

  Import CSV (LDAP or ActiveSync Protocol authentication)
  Option         Definition
  Source         Import CSV
  Location       Specifies the domain of the LDAP or ActiveSync server.
  CSV File Path  Browse to select the CSV file.

3 On the second Provision Users screen, complete the fields, then click Send Email or Send SMS.

  Option                Definition
  Delivery Method       Email or SMS. The SMS option is available only with CSV import.
  Notification Message  Enter the message you want to send to users. If you select Email as the Delivery Method, the default notification text specified in Mail Settings appears; you can edit the message before sending. If you select SMS as the Delivery Method, the notification message can't exceed 140 characters. If your system settings require a provisioning token, a default token and expiration are added to your notification message in the format "OTPToken: %OTPToken% Token Expiration: %OTPTokenExpiration%". Don't delete this text: the %...% fields are the placeholders that carry each user's token and its expiration.
  Targeted Users        Confirm the users to authorize.

See also
  Configure an SMTP server and default notification settings on page 15
  Require provisioning tokens on page 19
  CSV format for list-based user authorization on page 24

Authorize select LDAP users
By default, all users with valid Active Directory or Domino credentials can configure their devices. For greater security, specify which LDAP users or groups can configure devices.

Before you begin
  (Optional) To create and send temporary passwords as you authorize users, change your settings to require provisioning tokens. See Require provisioning tokens.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Authorized Users.
2 Select Allow Only Authorized Users.
3 Click Add, then complete the fields to search for a user or group:

  Option      Definition
  Source      Search LDAP
  Location    Domain of the LDAP server.
  User/Group  Enter at least the first three characters of the user or group to add.
4 Do one of the following, based on whether your settings require provisioning tokens:

  Provisioning tokens: Select the user or group to add, specify additional options, then click Save.

  Option              Definition
  Provisioning Token  Temporary password.
  Hours Valid         Number of hours the temporary password is valid. This value overrides the default value set on the Authorized Users screen.
  Delivery Action     Select how the user receives the temporary password:
                        No Action
                        Send SMS: Opens the Provisioning SMS screen. Enter the Recipient's Phone Number, Carrier, Subject, and Message, then click Send SMS.
                        Send E-mail: Opens an email to the user containing the temporary password. Click Send to deliver the email.

  No provisioning tokens: Select the user or group to add, click Save to add them to the list of authorized users, then click Save again.

See also
  Require provisioning tokens on page 19

Authorize select ActiveSync users
Allow selected users to configure their devices by manually specifying their ActiveSync credentials.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Authorized Users.
2 Click Add, complete the fields, then click Save.

  Option      Definition
  Source      Manually Define User
  Location    Domain of the ActiveSync server.
  Username    User name of the individual to authorize.
  E-mail      Email address of the individual to authorize.
  First Name  First name of the individual to authorize.
  Last Name   Last name of the individual to authorize.

Authorize LDAP or ActiveSync users based on a list
Allow a list of users to configure their devices using LDAP or ActiveSync credentials.

Before you begin
  Create a CSV list of authorized users. For details on formatting, see CSV format for list-based user authorization.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Authorized Users.
2 Select Allow Only Authorized Users.
3 Click Add, complete the fields, then click Save.

  Option         Definition
  Source         Import CSV
  Location       Domain of the LDAP or ActiveSync server.
  CSV File Path  Browse to select the CSV file.

See also
  CSV format for list-based user authorization on page 24

CSV format for list-based user authorization
Use these guidelines to format a CSV file for importing authorized users.

Format your CSV file with a file name on row one of your spreadsheet, column headings on row two, and user data beginning on row three. Column headings must read exactly as shown here.

  [File Name]
  UserName  Email                FirstName  LastName  Phone
  UserXyz   userxyz@company.com  User       Xyz       123-456-7890

Unlock users
When users exceed the number of allowed attempts to enter their credentials during device configuration, the account is locked and an administrator must unlock it. Before unlocking, confirm with the user that the failed attempts were their own.

Administrators must be granted permission in the Mobile Actions permission category for the Locked Users page to appear in the ePolicy Orchestrator menu.

Task
For option definitions, click ? in the interface.
1 Select Menu > User Management > Locked Users.
2 Select the users to unlock, then click Actions > Unlock.
The user is removed from the Locked Users list.

See also
  Performing mobile actions on page 34
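The CSV layout above is strict (file name on row one, exact headings on row two, users from row three), and a malformed list is easiest to catch before it is imported rather than after a bulk notification goes out. The following Python is an added example, not McAfee EMM code and not from this guide: it writes a list in that layout and validates one, reporting the exact row that is wrong. The email and phone pattern checks and the duplicate-user check are assumptions added for the example; the guide only fixes the column layout. The sample row is the one shown in the guide.

```python
"""Build and validate the CSV layout used for list-based user authorization (illustrative)."""
import csv
import io
import re

# Row 2 must carry exactly these headings, in this order (from the guide).
REQUIRED_HEADERS = ["UserName", "Email", "FirstName", "LastName", "Phone"]

# Assumed sanity checks; the guide fixes the layout, not the field formats.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^[0-9+()\-\s.]{7,}$")

# Sample user taken from the guide's example row.
SAMPLE_USERS = [
    {"UserName": "UserXyz", "Email": "userxyz@company.com", "FirstName": "User",
     "LastName": "Xyz", "Phone": "123-456-7890"},
]


def write_authorized_users_csv(file_name, users):
    """Row 1: file name; row 2: headings; row 3 onwards: one user per row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([file_name])
    writer.writerow(REQUIRED_HEADERS)
    for user in users:
        writer.writerow([user.get(h, "") for h in REQUIRED_HEADERS])
    return buf.getvalue()


def validate_authorized_users_csv(text):
    """Return (users, problems). An empty problems list means the file is ready to import."""
    rows = list(csv.reader(io.StringIO(text)))
    problems = []
    if len(rows) < 3:
        return [], ["file needs a file-name row, a heading row and at least one user row"]
    if not rows[0] or not rows[0][0].strip():
        problems.append("row 1 must contain the file name")
    headings = [h.strip() for h in rows[1]]
    if headings != REQUIRED_HEADERS:
        problems.append(f"row 2 must read exactly {REQUIRED_HEADERS}, found {headings}")
        return [], problems
    users, seen = [], set()
    for line_no, row in enumerate(rows[2:], start=3):
        if not any(cell.strip() for cell in row):
            continue  # tolerate trailing blank lines left by a spreadsheet export
        if len(row) != len(REQUIRED_HEADERS):
            problems.append(f"row {line_no}: expected {len(REQUIRED_HEADERS)} columns, found {len(row)}")
            continue
        user = dict(zip(REQUIRED_HEADERS, (cell.strip() for cell in row)))
        if not user["UserName"]:
            problems.append(f"row {line_no}: UserName is empty")
        elif user["UserName"].lower() in seen:
            problems.append(f"row {line_no}: duplicate UserName {user['UserName']}")
        seen.add(user["UserName"].lower())
        if not EMAIL_RE.match(user["Email"]):
            problems.append(f"row {line_no}: Email {user['Email']!r} is not a valid address")
        # SMS delivery is only offered for CSV imports, so a bad phone means no token arrives.
        if user["Phone"] and not PHONE_RE.match(user["Phone"]):
            problems.append(f"row {line_no}: Phone {user['Phone']!r} does not look like a number")
        users.append(user)
    return users, problems


if __name__ == "__main__":
    text = write_authorized_users_csv("authorized-users.csv", SAMPLE_USERS)
    print(text)
    users, problems = validate_authorized_users_csv(text)
    print(len(users), "users;", problems or "no problems")
```

Run the validator over the file you intend to import; a heading typo such as "Username" is reported against row 2 and the rows are not returned, which mirrors what the import would reject.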

Managing device mapping
During configuration, certain mobile devices require resolution of device identification information. The resolution method varies by device type.

iOS 7 devices
If a user has two or more of the same device type running iOS 7, the user selects the unique serial number (Wi-Fi device) or IMEI number (SIM-enabled device) during configuration. The IMEI or serial number is usually printed on the back of the device or available in the device's general settings. If a user selects an incorrect IMEI or serial number during configuration, enabling Clear McAfee ID in Settings allows them to log on to the app again and select the correct device.

Android devices
Android devices that were provisioned with ActiveSync for email might report two separate Device IDs to the McAfee EMM server. Device ID Mapping pairs the duplicate IDs so that the device appears only once in the System Tree.

By default, Device ID Mapping is set to Automatic. This is the recommended setting, but you can manually approve Device ID pairings for increased security and assurance of user and device identity. Manual Device ID Mapping requires action by both the McAfee EMM administrator and the device user. When manual Device ID Mapping is activated:
  The Device Status for unpaired devices appears as Pending Approval until an administrator approves the Device ID pairing.
  Android users with a Device ID Mapping discrepancy must respond to a confirmation notification during email provisioning.
  Users can't sync email until the Device ID pairing is resolved.

For details about provisioning Android devices with manual Device ID Mapping activated, see Manually configure email for Android devices.

See also
  Manually configure email for Android devices on page 30

Activate manual Android Device ID Mapping
To manually approve Android Device ID pairings, activate manual Device ID Mapping. McAfee EMM automatically maps Device IDs by default.
Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Device ID Mapping.
2 Select Manual, then click Save.

Manually approve Android Device ID Mapping
If you activated manual ID mapping for Android devices, you must approve each duplicate Device ID pairing when users configure their devices.

Task
1 Select Menu > Configuration > Server Settings > Enterprise Mobility Management > System Settings > Device ID Mapping.
2 Select the device to approve, then click Approve.

The McAfee EMM server sends the user a confirmation notification. After the user confirms, the Device Status on the System Information page (Mobile Properties > Device Details) changes from Pending Approval to Available and the device begins syncing.

4 Working with devices

In order for devices to sync corporate data and communicate with the McAfee EMM server, they must be configured and in compliance.

Contents
  Device configuration requirements
  Communicating with users
  Configure devices
  Resolving compliance issues on devices

Device configuration requirements
Before configuring mobile devices, verify these requirements for your McAfee EMM installation and the devices on your network.

Servers
  Configure ActiveSync to use the same LDAP server as McAfee EMM for authentication.
  Grant these server permissions:

    Grant this permission...                                  To the LDAP account used to...
    Local administrator rights on the McAfee EMM Hub server.  Access the database.
    Read-only access to the LDAP Directory server.            Query the database for user and group searches.

Authorization
  Configure an authorization directory. See Configure an authorization directory.
  If your system selectively authorizes users, add users to the Authorized Users list.
  If you set provisioning tokens for authorized users, send users their tokens. Use the User Notifications feature to bulk-authorize users and send their provisioning tokens at the same time. See Bulk-authorize and notify LDAP or ActiveSync users.

SRV record
  To enable devices to automatically detect the McAfee EMM Portal, create an SRV record. See Create a service record.

McAfee EMM device catalog
  To configure new mobile device models, update the McAfee EMM device catalog. See Update the device catalog.

Device operating system
  For details about supported mobile device operating systems, see KB81475.

Device Wi-Fi access rules
  iOS: Port 5223 outbound must be open.
  Android: Port 5228 outbound must be open.

See also
  Configure an authorization directory on page 14
  Bulk-authorize and notify LDAP or ActiveSync users on page 21
  Create a service record on page 14
  Update the device catalog on page 53

Communicating with users
Facilitate a smooth onboarding process by communicating with mobile device users about configuration steps and planned changes or restrictions to their devices.

User Notifications allow you to authorize many users at once and automatically send an email with configuration steps and provisioning tokens. For guidance on sending User Notifications, see Bulk-authorize and notify LDAP or ActiveSync users.

After configuring their devices, users might notice some changes in functionality. In some cases, the only difference is that users must enter a passcode to access their device. In other cases, your security policy might limit access to apps or block corporate data sync based on device status. To reduce support calls, make users aware of anticipated changes in advance.

See also
  Bulk-authorize and notify LDAP or ActiveSync users on page 21

Configure devices
Mobile devices are configured with the McAfee EMM app and, optionally for Android devices, McAfee Secure Container and McAfee VMS. Configuration provides access to corporate email, contacts, and calendars.

Configuration must be done on the device. Because the process involves entering user credentials, we recommend sharing the configuration instructions with users so that they can configure their own devices rather than handing their credentials to someone else.

After configuration, if a device is noncompliant, the user receives push notifications describing compliance issues. Compliance issues must be resolved in order for the device to sync corporate data. See Resolving compliance issues on devices.

Carefully plan your optional McAfee VMS deployment before configuring devices. Some compliance settings might interfere with configuration. See Using McAfee VMS with McAfee EMM.
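The Wi-Fi access rules above (TCP 5223 outbound for iOS, TCP 5228 outbound for Android) are the kind of requirement that is usually violated by an egress firewall that silently drops the traffic, which shows up on the device as push notifications that never arrive. The following Python is an added example, not McAfee EMM code and not from this guide: it probes an outbound port from a machine on the device Wi-Fi network and distinguishes an open path from an active refusal and from a silent drop. The guide does not name the destination hosts, so the hosts passed to egress_report are an assumption you supply (the push endpoints your devices actually use); the platform labels and result names are the example's own.

```python
"""Probe the outbound TCP ports the guide requires on device Wi-Fi networks (illustrative)."""
import socket

# Ports from the guide: 5223 outbound for iOS, 5228 outbound for Android.
REQUIRED_EGRESS = {"iOS": 5223, "Android": 5228}


def check_outbound(host, port, timeout=3.0):
    """Classify one TCP connect attempt from the network under test.

    'open'     -> handshake completed, traffic can leave the network on this port
    'refused'  -> a host answered with a reset; the path is not filtered, the host just
                  does not listen (useful when probing a test host instead of the real service)
    'filtered' -> no answer before the timeout, the usual symptom of a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # DNS failure, no route, interface down, ...
        return f"error: {exc.strerror or exc}"


def egress_report(targets, timeout=3.0):
    """targets maps platform -> host to probe (caller-supplied assumption);
    returns platform -> (port, result) for the port the guide requires."""
    report = {}
    for platform, host in targets.items():
        port = REQUIRED_EGRESS[platform]
        report[platform] = (port, check_outbound(host, port, timeout))
    return report


def blocked_platforms(report):
    """Platforms whose required port produced no answer: these devices cannot be reached."""
    return sorted(platform for platform, (_, result) in report.items()
                  if result not in ("open", "refused"))


if __name__ == "__main__":
    # Placeholder hosts; replace with the push endpoints your devices use.
    demo = egress_report({"iOS": "127.0.0.1", "Android": "127.0.0.1"}, timeout=1.0)
    for platform, (port, result) in demo.items():
        print(f"{platform:8} tcp/{port}: {result}")
    print("blocked:", blocked_platforms(demo) or "none")
```

Run it from a client on the Wi-Fi network the devices will use, not from the EMM Hub server; a 'filtered' result for either port means the network rule, not the device, needs fixing.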

Tasks
  Configure iOS devices on page 29: Use the McAfee EMM app to configure iOS devices.
  Configure Android devices on page 29: The configuration method for Android devices varies depending on whether you get email through McAfee Secure Container or through the device's native apps.
  Configure Windows Phones on page 31: Use Exchange ActiveSync to manually configure email for Windows Phone 7 or Windows Phone 8.

See also
  Resolving compliance issues on devices on page 31
  Using McAfee VMS with McAfee EMM on page 40

Configure iOS devices
Use the McAfee EMM app to configure iOS devices.

Task
1 Download the McAfee EMM app from the Apple App Store.
2 Launch the McAfee EMM app, enter your email address and password, then tap Sign In.
  If prompted, enter the server address provided by your administrator, then tap Sign In.
  If prompted, enter the provisioning token provided by your administrator, then tap OK.
3 Review and accept the terms of the license agreement, then tap Next.
4 Tap Install, then confirm by tapping Install Now. If prompted, enter the device passcode, then tap Done.
5 Tap Install to allow your administrator to remotely manage your device, then tap Done.

Configure Android devices
The configuration method for Android devices varies depending on whether you get email through McAfee Secure Container or through the device's native apps. These instructions provide general guidance to configure an Android device. Specific screens might vary by device manufacturer.
  To configure email through McAfee Secure Container, follow the steps in Configure Android devices using the McAfee EMM app.
  To configure email through your device's native email apps, follow the steps in Configure Android devices using the McAfee EMM app, then Manually configure email for Android devices.

Tasks
  Configure Android devices using the McAfee EMM app on page 30: Use the McAfee EMM app to configure all Android devices. During configuration, the app facilitates installation of McAfee Secure Container and McAfee VMS, if those apps are required or recommended.
  Manually configure email for Android devices on page 30: If McAfee Secure Container isn't required and you choose not to install it, you can configure email through your device's native email app.

Configure Android devices using the McAfee EMM app
Use the McAfee EMM app to configure all Android devices. During configuration, the app facilitates installation of McAfee Secure Container and McAfee VMS, if those apps are required or recommended.

Task
1 Download the McAfee EMM app from Google Play, confirm the download, tap Install, then confirm the installation.
2 Launch the McAfee EMM app, enter your email address and password, then tap Sign In.
  If prompted, enter the server address provided by your administrator, then tap Sign In.
  If prompted, enter the provisioning token provided by your administrator, then tap OK.
3 Review and accept the terms of the license agreement, then tap Accept.
4 Tap Activate to activate Device Administrator.
5 If prompted, enter the device passcode, then tap OK.
6 If prompted, install McAfee VMS.
  a Do one of the following, depending on how McAfee VMS is distributed:
      McAfee EMM Recommended Apps: From McAfee EMM Recommended Apps, tap McAfee VMS.
      Corporate app store: Access the corporate app store using the URL provided by your administrator, then tap McAfee VMS.
      Google Play Private Channel: Tap Play Store > Apps > Categories > <Organization Name>, then tap McAfee VMS.
    If prompted, select to allow app installation from unknown sources (and turn that setting off again once McAfee VMS is installed, if your policy requires it).
  b Open the notification bar, select the downloaded file, then tap Install. If prompted, select to install using a package installer.
7 Install McAfee Secure Container.
  McAfee Secure Container is either required or recommended based on your company's security policies. If required, you can't sync corporate data without configuring McAfee Secure Container. If recommended, you can skip McAfee Secure Container configuration and set up email using Exchange ActiveSync. See Manually configure email for Android devices.
  a From McAfee EMM Recommended Apps, select McAfee Secure Container to access the app in Google Play, then tap Install.
  b When installation is complete, return to the McAfee EMM app, then tap Update Configuration.
  c Enter your email password and set a passcode for McAfee Secure Container.

See also
  Manually configure email for Android devices on page 30

Manually configure email for Android devices
If McAfee Secure Container isn't required and you choose not to install it, you can configure email through your device's native email app.

Before you begin
  Configure your device using the McAfee EMM app. If allowed by your organization, skip installing McAfee Secure Container during configuration in order to enable manual email configuration. See Configure Android devices using the McAfee EMM app.

  If security policy blocks unencrypted devices, verify that encryption is enabled in device settings before you add the account.

Task
1 Tap Applications > Settings > Accounts and sync > Add Account > Microsoft Exchange ActiveSync.
2 Enter your email address, password, domain\user name, and the proxy server address (the McAfee EMM Proxy address provided by your administrator), then tap Done.
  If you receive a push notification about compliance issues, review the notification, resolve the issues, then attempt to re-sync email.
  If you receive an email sync error message followed by a push notification, open the notification, then tap OK to confirm email setup. It might take a few minutes for the McAfee EMM server to send a notification to your device.
  If you receive a second email sync error message, contact your system administrator for resolution. When the administrator resolves the issue, a second notification appears in the notification area. Open it and tap OK to complete the email setup.
3 If prompted, tap OK to allow remote security administration.

See also
  Configure Android devices using the McAfee EMM app on page 30

Configure Windows Phones
Use Exchange ActiveSync to manually configure email for Windows Phone 7 or Windows Phone 8. This task provides general guidance to configure a Windows Phone. Specific screens might vary by device manufacturer.

Task
1 Tap Settings > Email & Accounts > Add an Account > Outlook.
2 Enter your email address and password, then tap Sign In. The message "Your settings could not be found..." appears.
3 Enter the domain, then tap Sign In. The message "Your settings could not be found..." appears again.
4 Tap OK, then tap Advanced.
5 Enter the server address of the McAfee EMM Proxy, then tap Sign In.

Resolving compliance issues on devices
Compliance issues must be resolved on the device. The McAfee EMM and McAfee VMS apps can help users resolve issues.

When a device is flagged as noncompliant, the device stops syncing corporate data and a notification is automatically sent to the device. Notifications tell users how to resolve the problem so they can resume corporate data sync. Users receive one notification for each noncompliance event. After resolving all compliance issues, devices become compliant at the next attempt to sync email.