Junos Pulse Mobile Security Gateway


Junos Pulse Mobile Security Gateway Administration Guide Release 4.1 November 30, 2012 R1 Copyright 2012, Juniper Networks, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Copyright 2012, Juniper Networks, Inc. All rights reserved.

Table of Contents

About This Guide
- Audience
- Obtaining Documentation
- Documentation Feedback
- Requesting Technical Support
- Self-Help Online Tools and Resources
- Opening a Case with JTAC

Chapter 1 Getting Started
- Pulse Mobile Security Overview
- Enterprise and Consumer Deployments
- Administrators and Roles
- Customer Service Roles
- New Features in Pulse Mobile Security Release 4.1
- Accessing the Pulse Mobile Security Gateway
- Using the Pulse Mobile Security Gateway Management Console

Chapter 2 Setting Up the Pulse Mobile Security Gateway
- Add Partners and Enterprises
- Adding a Partner
- Adding an Enterprise
- Editing the Default Enterprise Policy Settings
- Adding Administrator Accounts
- Adding an Administrator Role
- Adding a User Account
- Assigning a Role and User Control List to a User Account
- Registering Devices
- Manual Registration of iOS Devices
- Manual Registration of non-iOS Devices
- Automatic Registration
- Configuring Device Identity Servers
- Importing Certificates for Device Identity Servers
- Importing the Certificate for the Pulse Mobile Security Gateway
- Configuring GCM and System Log Settings
- Updating Malware Signatures
- Creating Certificates for the Pulse Mobile Security Gateway
- Importing Certificates for the Control Center and Signature Update Server
- Configuring the Control Center Settings
- Configuring the Signature Update Server

Chapter 3 Device Profiles
- Defining Prohibited Applications
- Managing MDM Profiles
- Adding and Editing MDM Profiles
- Importing and Exporting MDM Profiles
- Setting the Default MDM Profile
- Deleting MDM Profiles
- Managing Firewall Rules and Profiles
- Adding Firewall Rules
- Modifying Firewall Rules
- Deleting Firewall Rules
- Adding Firewall Profiles
- Modifying Firewall Profiles
- Deleting Firewall Profiles
- Managing Antispam Rules and Profiles
- Adding Antispam Rules
- Modifying Antispam Rules
- Deleting Antispam Rules
- Adding an Antispam Profile
- Modifying an Antispam Profile
- Deleting Antispam Profiles

Chapter 4 User Accounts
- Managing User Accounts
- Adding a User Account
- Modifying User Accounts
- Deleting User Accounts
- Managing User Groups

Chapter 5 Devices
- Devices Overview
- Adding Devices Manually
- Modifying Device Settings
- Applying MDM Profiles to Devices
- Sending Device Commands
- Backing Up and Restoring Personal Data
- Managing Device Groups

Chapter 6 Reports
- Viewing Reports
- Removing Applications From Managed Devices
- Viewing Device Applications, Contacts, Pictures, and Messages
- Tracking Devices with GPS
- Viewing the Gateway and Change History Logs

Appendix A Summary of Supported Features
- Pulse Mobile Security Features by Device Type

Index

About This Guide

The Junos Pulse Mobile Security Suite consists of the Pulse client application and the cloud-based Mobile Security Gateway, with its associated management Console and end-user Dashboard. This guide describes how to configure and manage Pulse client devices using the management Console of the Mobile Security Gateway.

Audience

This guide is intended for:

- Enterprise security administrators responsible for the setup and/or maintenance of the Junos Pulse Mobile Security Gateway
- Enterprise security administrators and customer service personnel responsible for providing support for users of the Junos Pulse Mobile Security client and Dashboard

Obtaining Documentation

To obtain the most current version of all Juniper Networks technical documentation, see the products documentation page on the Juniper Networks Web site at http://www.juniper.net/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

- Document or topic name
- URL or page number
- Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

- JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
- Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

- JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

- Find CSC offerings: http://www.juniper.net/customers/support/
- Search for known bugs: http://www2.juniper.net/kb/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest software versions and review release notes: http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications: http://www.juniper.net/alerts/
- Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Manager: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/serialnumberentitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

- Use the Case Manager tool in the CSC at http://www.juniper.net/cm/.
- Call 1-888-314-JTAC (1-888-314-5822 toll free in USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support/.

Chapter 1 Getting Started

This chapter provides a brief overview of the Pulse Mobile Security Gateway.

- Pulse Mobile Security Overview
- Accessing the Pulse Mobile Security Gateway
- Using the Pulse Mobile Security Gateway Management Console

Pulse Mobile Security Overview

The Pulse Mobile Security Gateway lets you centrally manage mobile (handheld) devices that are protected by the Junos Pulse Mobile Security Suite. The Pulse Mobile Security Suite is client software that protects mobile devices from viruses, spyware, identity theft and other threats. Users can install the Pulse client software from the applications store associated with any of the following mobile operating systems:

- Apple iOS
- RIM Blackberry
- Google Android
- Nokia Symbian
- Windows Mobile

For a list of the supported versions of each operating system, see the Junos Pulse Mobile Supported Platforms Guide, which is available at http://www.juniper.net/support/products/pulse/mobile/

The Layer 3 VPN feature of the Pulse client (not supported by Blackberry) provides secure access to private networks by connecting to a Juniper Networks SA Series SSL VPN appliance. To activate all other security features, and allow the gateway to manage the device, the mobile device must be registered with the Pulse Mobile Security Gateway.

The Pulse Mobile Security Suite provides the following features:

- Antivirus: Devices are protected by real-time antivirus and malware protection with automatic updates (non-iOS devices only). You can scan files across network connections, perform on-demand scans, and provide virus and malware detection alerts. Note that users can enable the following options on Android devices:
  - Scan Memory Card on Insert: The memory card is scanned when it is first installed (if the power is on), not when files are added.
  - Scan application on install: Applications are scanned for malware during installation. If the administrator defines any prohibited applications, scanning occurs during installation even if this feature is disabled.

- Android malware detection: Android devices receive signatures to detect both malware and suspicious applications, and you can define a list of prohibited applications. Depending on the device type, malware and prohibited applications are deleted automatically or the user is prompted periodically to perform the deletion.
- Personal firewall: Provides inbound and outbound IP address and port filtering.
- Antispam: Provides filtering to block voice and SMS spam and to deny unknown or unwanted calls.
- Backup and restore: The contact list and calendar on non-iOS devices can be backed up in a standard format and restored to another device.
- Loss and theft protection: From the gateway, you can perform remote lock, remote wipe, GPS locate and track, remote alarm and notification, and SIM change notification.
- Device monitoring and control: The gateway provides tools for application inventory and removal, monitoring (SMS, MMS, e-mail message content, and photos stored on device), and the ability to view the call log and the user's contacts.
- Consumer Dashboard: Allows users to log in to the gateway to locate a lost or stolen device, view reports of device usage, or use other security features.

Informational Note: The firewall and antispam features are supported only by the Windows Mobile and Symbian devices. For more information about version support for each device type, see the Junos Pulse Supported Mobile Platforms Guide.

Enterprise and Consumer Deployments

The features deployed for enterprise and consumer users may differ. For example, a typical enterprise solution may include the Junos Pulse SSL VPN client features, while a typical consumer solution might be comprised of just the Pulse client's anti-malware and anti-theft features.

Administrators and Roles

Each gateway administrator account requires a role that determines the functions that the user can perform and a user access control list that determines the mobile devices the user can access. User roles and accounts can be defined at each administrative level (Root, Partner, and Enterprise), but most administrators will have an Enterprise account.

Each role specifies the permissions (view, add, edit, delete, and move) for the following objects that you manage in the Pulse Mobile Security Gateway:

- Partner: A group of one or more Enterprises. Only Root and Partner administrators can add or view Partners.
- Enterprise: An organization that manages registered mobile devices. Registered devices exist only at the Enterprise level. Each Enterprise has a Consumer or Enterprise license. Enterprise administrators can allow users to log in to the gateway Dashboard to locate a lost phone or use other security features.
- User: An Enterprise user account is created automatically when a mobile device is registered. To create an administrator account, you can add a role and access control list to an existing user account, or manually create a new account.
- User Group: Enterprise user accounts can be organized into user groups, such as by department or business unit. You can then issue commands to the devices associated with the users in one or more groups.

- Device: A device record is created in the appropriate Enterprise when a mobile device is registered. Mobile devices are identified by their MSISD (Mobile Subscriber Integrated Services Digital Network number, which includes the phone number, country code, and area code) and IMEI number (International Mobile Equipment Identity).
- Device Group: Enterprise devices can be organized into device groups. You can then issue commands to the devices in one or more groups or view reports for a selected device group.
- Profiles: Groups of rules that you can assign to an Enterprise or apply to specific devices. Profiles assigned to an Enterprise are applied to each device that registers with the Enterprise. The current profiles are:
  - MDM Profile: Defines various settings for iOS and Android devices, such as user restrictions, password requirements, and the VPN and Wi-Fi networks that users can access.
  - Firewall Profile: Defines Internet access permissions, both inbound and outbound, for Windows Mobile and Symbian devices.
  - Antispam Profile: Defines antispam conditions that let you block incoming calls and SMS messages from specific phone numbers on Windows Mobile and Symbian devices.

Each role also lets you allow or disallow certain tasks, such as sending commands to devices or viewing specific device reports. If you are not authorized for certain tasks, the related menu items and buttons are hidden or disabled.

For each new Enterprise, a Root or Partner administrator must create the Enterprise and add an Enterprise user account and role for use by the Enterprise administrator. Partner administrators can manage all Enterprises associated with the Partner. Root administrators can manage all Partners and Enterprises. For more information about user accounts and roles, see "Adding Administrator Accounts".

Customer Service Roles

Juniper Networks provides Customer Service personnel with credentials that allow access to all tasks related to the support of Pulse client users. Enterprise tasks regarding groups, profiles, and policies are not performed by support personnel.

IMPORTANT: Each chapter of this guide begins by indicating whether enterprise administrators or customer service personnel typically perform the tasks in that chapter. More specific notes about the tasks relevant to customer service personnel are included in each section, as appropriate.

New Features in Pulse Mobile Security Release 4.1

Release 4.1 includes the following new features:

- Console interface enhancements: The management Console has been revised and enhanced. The navigation tree has been removed and separate Roles and Groups tabs have been added. Users with access to multiple Partners and Enterprises can select them from drop-down lists at the top of the page.
- MDM profiles: iOS profiles have been replaced with mobile device management (MDM) profiles that apply to both Android and iOS devices. The same profile can be used for both device types even though some settings are specific to iOS or Android.

- iOS configuration files: Configurations created with the Apple iPhone Configuration Utility (IPCU) can be imported to the Mobile Security gateway and used as MDM profiles for iOS devices. The IPCU provides iOS configuration options that are not available in MDM profiles created with the gateway.
- Prohibited applications for Partners and Enterprises: Prohibited applications for Android devices can now be defined at the Partner and Enterprise levels, as well as the Root level. The list of prohibited applications applied to a device is a combination of the applications defined at the Enterprise, Partner, and Root levels.
- GCM support: The Google Cloud Messaging (GCM) service replaces C2DM as an alternative to SMS for communicating with Android devices (version 2.2 or later). If the GCM service is not available, SMS is used as the default.
- Jailbroken/rooted indicator: A red icon is displayed in the Status field next to jailbroken iOS devices and rooted Android devices. These devices may be less secure because users have full (root) access to the operating system and can install applications from any source.
- Alert indicator: The Pulse client application icon for Android and Blackberry devices changes to indicate the presence of the highest priority alert or notification message. The icons and message priorities can be customized for branded clients.
- Compatibility with previous releases: Release 4.1 of the gateway supports all previous Junos Pulse clients, but requires Pulse 4.1 clients to support the new features in this release. Pulse 4.1 clients are not guaranteed to be compatible with earlier versions of the gateway.

Accessing the Pulse Mobile Security Gateway

The URL used to access the management Console of a Pulse Mobile Security Gateway depends on whether you are hosting the gateway in your own network. To access the management console of a gateway hosted by Juniper Networks, enter the following URL in your browser:

https://mss.junospulse.juniper.net

Use the login credentials provided for you. If you are the Root administrator logging in for the first time to a gateway in your own network, use root@smobilesystems.com and password for the username and password. If you are a customer service representative, your login credentials give you access to the appropriate gateway and user accounts.

If access to the gateway Dashboard is enabled, users can use their registration e-mail address and password to log in to the Dashboard at the following URL to view device reports, locate a missing device, or use other security features, depending on the features purchased or available. The Dashboard URL for a gateway hosted by Juniper Networks is:

https://mss.junospulse.juniper.net/smobile/dashboard/login.htm

For Windows Mobile and Symbian users, who can enter just the license key during registration, the IMEI number is used for the e-mail address (imei@a.a) and password. Administrators can change the defaults and notify the user.

Informational Note: To use the Pulse Mobile Security Gateway, your browser must be Google Chrome version 6.0, Microsoft Internet Explorer version 7.0 or 8.0, or Mozilla Firefox 3.0, 3.5, or 3.6. JavaScript and cookies must be enabled on the browser.

Using the Pulse Mobile Security Gateway Management Console

The management Console of the Pulse Mobile Security Gateway has a central data panel and a top panel for additional features, such as search and help. Administrators with access to multiple Partners or Enterprises can select a Partner or Enterprise from the drop-down lists at the top of the page (see Figure 1). For Customer service personnel and other administrators who manage a single Enterprise and its associated users and devices, only the Enterprise name is displayed at the top of the page.

Figure 1: Pulse Mobile Security Gateway Management Console

The top panel provides the following selections:

- Search: Lets you search for device identifiers, or the names of users, Enterprises, user groups, or device groups. The device identifiers include the phone number (MSISD) and the DID, ESN, IMEI, IMSI, and UUID. As you type in a value, a list of matching items is displayed.
- My Account: Lets you change your login account.
- Help: Provides information about software versions, the license, and system uptime, the list of commands that can be sent to managed devices, and the current list of known viruses.

The following tabs are presented below the top panel, depending on the user's access privileges:

- Reporting: Shows a summary of virus and registration activity and provides links to more detailed reports. For more information about reports, see "Viewing Reports".
- Profiles: Lets you define MDM profiles for Android and iOS devices, firewall and antispam profiles for Windows Mobile and Symbian devices, and prohibited applications for Android devices. Customer service personnel generally do not define the profiles, but in some cases may need to access these functions (see "Device Profiles").

- Users: Lists the current user accounts. When a mobile device is registered, the gateway creates a user account that includes the device information. You can edit a user account, reset the password, and assign a user role and access control list to an administrator account.
- Devices: Shows the registered mobile devices in an Enterprise. You can edit the settings for individual devices, apply MDM profiles to Android and iOS devices, move devices to a device group, and send commands to selected devices.
- Groups: Lists the user groups and device groups. You can add and delete device and user groups, and send commands to the devices in one or more groups.
- Roles: Lets you define the roles that specify an administrator's privileges and assign the roles to administrator accounts.
- Settings: Lets you define the default security settings that are applied to devices when they register with an Enterprise. You can also configure the GCM settings for Android devices. Root administrators can configure Device Identity Servers, certificates, and connections to the Control Center and Signature Update Server.
- Logs: Provides access to the gateway logs at the Root and Enterprise levels. You can search the logs and view the log entries to assist in troubleshooting and reporting.

Chapter 2 Setting Up the Pulse Mobile Security Gateway

This chapter contains information for partner and enterprise administrators, and includes topics (indicated by an asterisk in the list below) that are relevant to service providers who install the Pulse Mobile Security Gateway in their own network. Typically, customer service personnel do not perform these tasks and do not have access to these settings. Most setup tasks are performed by Juniper Networks personnel before users install the Junos Pulse client and register with the gateway.

- Add Partners and Enterprises
- Adding Administrator Accounts
- Registering Devices
- Configuring Device Identity Servers *
- Configuring GCM and System Log Settings *
- Updating Malware Signatures *

Add Partners and Enterprises

The following topics describe how to add Partners and Enterprises (at least one of each is required), and how to move an Enterprise to a different Partner:

- Adding a Partner
- Adding an Enterprise
- Editing the Default Enterprise Policy Settings

Adding a Partner

A Partner is used to identify a group of Enterprises. At least one Partner is required, and the Default Partner is created automatically. A Root administrator can define new Partners or change the Default Partner. Root administrators can then add one or more Enterprises or create a user account for a Partner administrator who can add the needed Enterprises.

To add a Partner:

1. Log in to the gateway as a Root administrator.
2. On the Home tab, click Add Partner.
3. Specify the following properties:
   - Partner Name: Typically, the name of the organization.
   - Notes: Information such as how to contact the Partner administrator.
4. Click Save to create the Partner.

Adding an Enterprise

An Enterprise is any organization that manages mobile devices. For each Partner, a Default Enterprise is created automatically. A Root or Partner administrator can define new Enterprises or change the Default Enterprise. Root or Partner administrators can manage each Enterprise or create a user account for an Enterprise administrator who can perform Enterprise-specific management tasks.

To add an Enterprise:

1. Log in to the gateway as a Root or Partner administrator.
2. On the Home tab, click the Partner where you want to add an Enterprise, and click Add Enterprise.
3. Specify the following properties:

Setting: Description

- Enterprise Name: A descriptive name.
- Enterprise Code: A code that identifies this Enterprise to managed devices. If the license type is Enterprise, the Enterprise code is used as the license key during registration. The Enterprise code must be unique.
- License Type: Select whether the software is licensed by the Enterprise or by the device (Consumer).
- License Count: Number of licensed devices.
- License Expiration Date or License Length: For an Enterprise license type, enter or select the license expiration date for the Enterprise and all of its registered devices. For a Consumer license type, enter the number of days that each registered device is licensed to use the software. The expiration date cannot exceed 2031.
- Require Customer Account: Requires administrators to create a user account before a device can register with the Enterprise. If you do not select this box, a user account is created automatically when a device is registered.
- Allow Insecure Clients: Allows gateway access for devices that do not use the latest authentication method (selecting this option is recommended).
- Allow Manual Registration: Allows users to register with the Enterprise by manually entering a license key. Currently, only Android, Blackberry, and iOS devices can be registered automatically.
- Allow Dashboard Access: Allows users to log in to the gateway Dashboard to locate a lost phone or use other security features. If this check box is cleared, the Enterprise administrator uses the management Console to perform all the tasks available on the Dashboard.
- Notes: Descriptive information about this Enterprise.
- Products: Select the features enabled in this Enterprise. To change the default settings for each feature, see "Editing the Default Enterprise Policy Settings". Disabling a feature hides the relevant sections of the Enterprise and device settings, as well as the related device commands. The features are:
  - Firewall
  - Antispam
  - Antivirus
  - Monitor & Control

  For Android devices, disabling Antivirus also disables scanning for malware and suspicious applications, but scanning for prohibited applications cannot be disabled. For iOS devices, the GPS Update Period can be set in the MDM profile even when Monitor & Control is disabled (see "Tracking (iOS Devices)").

Chapter 2: Setting Up the Pulse Mobile Security Gateway

4. Click Save to add the Enterprise to the end of the list of Enterprises on the Partner Home tab. You may have to refresh the page to see the new Enterprise.
5. To change these Enterprise settings, click the Edit icon to the right of the Enterprise. To change the default policy settings for the Enterprise, click the Enterprise Settings icon next to the Edit icon or click the Enterprise and click the Settings tab (see Editing the Default Enterprise Policy Settings on page 9).

Editing the Default Enterprise Policy Settings

Enterprise administrators can change the default policy settings that are applied to new devices when they register with the Enterprise. After registration, feature settings can be changed for specific devices (see Modifying Device Settings on page 47).

Informational Note: The supported features vary by device type. If a device does not support a feature, the feature settings are ignored. For example, the firewall and antispam settings apply only to Symbian and Windows Mobile devices.

To view and edit Enterprise settings:

1. To view the basic Enterprise settings, such as the Enterprise code and license, select the Home tab for the Enterprise. To change the basic settings, see Adding an Enterprise on page 8. If you access the Enterprise from another system using SOAP API calls, click Generate UUID to generate a universally unique identifier for the Enterprise.
2. To change the Enterprise policy settings, select the Settings tab, select the General Settings, MDM Settings, or Device Features in the left frame, edit the settings described in the following table, and click Update.

General Settings

Aggregator Settings

Username: The username passed to the SMS provider's gateway API when sending commands. An SMS gateway is required to send commands to non-iOS devices.

Password: The password passed to the SMS provider's gateway API when sending commands.

SMS Sender: Reserved for future use.

Code: The API key assigned by the aggregator. The key, along with the username and password, provide authentication to the SMS gateway when you send a command to a device.

API URL: The base URL of the SMS aggregator's API. The Pulse Mobile Security Gateway adds the remainder of the URL when you send a command.

Other Settings

Software Download URL: Web page where users can download and install the Pulse client for their device. If you manually add a device, the gateway sends an SMS message or e-mail to the device with a link to this URL and a license key.

Update Schedule: Select how often the settings on the gateway, including virus definitions, are synchronized with the settings on non-iOS devices. Select never to disable synchronization with the gateway. If users change the update schedule on the device, it is reset during the next synchronization.

Android Malware Scan Interval: Select Hours (1 to 72) or Minutes (1 to 999) and enter the number of hours or minutes between scans for malware on Android devices. To disable malware scanning, enter zero.

Default UI Settings (non-iOS devices)

UI Mode: Indicates the Junos Pulse features available to users of Android and Blackberry devices. Select one of the following:
   Full UI: Includes all features of the Junos Pulse client.
   Minimal UI: Includes only a Splash screen, license screen, and a Home screen with an About button. Detected viruses, malware, and prohibited applications are deleted automatically, and suspicious applications are displayed to the user so they can be deleted or allowed. If a device does not support automatic deletion of applications, the Scan Results page is displayed periodically until the offending applications are deleted manually.
   Security UI: Includes all Junos Pulse features, except the ability to define VPN connections to private networks. Users can scan for viruses and malware, view scan results, back up data, and so on.

UI Button Mode (service bundle): For Android and Blackberry devices, if the UI Mode is Full UI or Security UI, the following features can be active or inactive and visible or hidden on the device and Dashboard. If a feature is inactive, its associated device commands are hidden (see Sending Device Commands on page 53). Active features can be hidden to simplify the user interface. Inactive/Visible features are grayed out so that users can select them to purchase the feature. Professional Services can customize the URL associated with grayed out buttons or text and assist you with enabling features programmatically through the gateway API.

For Windows Mobile and Symbian devices, Active and Inactive settings affect the Dashboard and command list, but not the device. The Hidden and Visible settings are ignored, and the Custom Button does not apply.

Select the activation status for each of the following:

Anti Virus: If Anti Virus is enabled for the Enterprise, the Active/Visible selection displays a Scan/Threats Detected button and a Security Settings selection on the device so that users can start a scan or change the default scan and virus update settings. On the Dashboard home page, an Anti-Virus Activity section is displayed with an event count that users can select to view the list of events. The Active/Hidden selection hides the feature on the device and Dashboard, but viruses, malware, and prohibited applications are detected on the device and deleted automatically or the user is prompted to remove them.

Backup: The Active/Visible selection displays a Backup button on the device and a Backup and Restore button on the Dashboard. Users can back up their personal contacts and calendar from the device, but they must use the Dashboard (or contact an administrator) to restore the last backup. The Active/Hidden selection has the same effect as Inactive/Hidden.

Monitor & Control: If Monitor & Control is enabled for the Enterprise, the Active/Visible selection displays the Remote Monitoring button on the device so that users can view which items are monitored and whether GPS tracking is enabled. The Dashboard is updated as follows:
   The Remote Monitoring section is displayed on the home page with counts of the monitored messages, calls, applications, and photographs that users can select to view lists of each item.
   The Alert Setup tab allows users to set up alerts based on the message content (if messages are monitored).
   The Reports tab allows users to view a Text and Email Monitoring report.

   The Settings page allows Dashboard users to change the default monitor and control options for a device.
The Active/Hidden selection hides the feature on the device and Dashboard, but allows an administrator to view the device activity logs (see Viewing Device Applications, Contacts, Pictures, and Messages on page 62).

Anti Theft: The following buttons can be displayed on the Dashboard home page. If any of these buttons is visible, an Anti Theft button is displayed on the device that allows users to view, and optionally change, the status of each feature. Active/Visible features are shown as enabled; Inactive/Visible features are shown as disabled. The Active/Hidden and Inactive/Hidden selections have the same effect.
   Wipe Device: The Active/Visible selection allows Dashboard users to erase personal data from a device, depending on the device type (see Personal Data Erased by Handset Wipe Command on page 66).
   Lock/Unlock Device: The Active/Visible selection allows Dashboard users to lock or unlock a device.
   Scream Locate: The Active/Visible selection allows Dashboard users to enable an alarm to help locate a device in the immediate area.
   Locate Device: The Active/Visible selection allows Dashboard users to enable GPS reporting on a non-iOS device and view the device's location on a map. To view the location of an iOS device, an administrator must enable GPS reporting on the device.

Custom Button: The Active/Visible selection displays a customized button on the home page of the device and Dashboard that users can select to purchase or cancel optional features. The Inactive/Visible selection also displays the button. Professional Services can configure the button and its associated URL.

MDM Settings

iOS Default Profile, Android Default Profile: Select the profiles to be applied to iOS and Android devices when they register with the Enterprise. The two profiles can be the same, except that an imported profile created with the Apple IPCU utility cannot be used for Android devices. The AutomaticDefault profile (for iOS) and the AutomaticAndroidDefault profile, both of which can be changed, are created automatically for each Enterprise. To add or change a profile, click MDM Profiles. You can change a device's profile after the device is registered.

Device Check-In Period: Select the number of days between the prompts sent to each iOS device to check in with the gateway for profile and updates. Select Disable to stop sending check-in prompts to registered devices.

APNS Certificate: The status and expiration date is displayed after you upload the Apple Push Notification Service (APNS) certificate. Use the Upload button in the next section. The Upload button in this section is for compatibility with the APNS procedure used in release 3.0. If you are using a Secure Access server, the Host Checker requires the client CA certificate to support iOS devices. To download the client CA certificate for import to a Secure Access server, click Download CA Certificate. Certificates are valid for one year. When a certificate expires, you can click Delete and upload a new certificate.
NOTE: After the new certificate is installed, users who are already registered must uninstall and reinstall the Pulse client.

MDM APNS Certificate Signing Request (CSR) Generate

To manage iOS devices, an APNS certificate must be uploaded to the Enterprise. Without an APNS certificate, iOS devices can register, and iPhones and iPads with 3G support can report their GPS location (Dashboard users will see only the GPS location), but the certificate is required for all other features. After the certificate is installed, users who are already registered must uninstall and reinstall the Pulse client.

Before you begin, note the following:
   If you do not have an Apple ID, go to https://appleid.apple.com to create one.
   If the Control Center is not configured, see Configuring the Control Center Settings on page 23.

To obtain an APNS certificate:

1. To create a CSR, click Generate, and specify the following:
   Common Name: Unique name used to identify the certificate.
   Organizational unit: Name of your department.
   Organization: Legal name of your company/organization.
   Locality: Name of the city where your organization is located.
   State (fully spelled out): State or province name.
   Country (2 letter code): Country or region code.
2. Click Generate to have the Control Center sign the CSR. Contact Technical Support if the error MSG Control Center failed to sign certificate request is displayed.
3. Click Download and save the apnscsr.plist file.
4. Click Upload CSR to Apple, log in to the Apple portal, and do the following:
   a. Click Create a Certificate, accept the terms, and then browse to the location of the apnscsr.plist file, and click Upload.
   b. Click the Download button next to the generated certificate and save the file locally. The APNS certificate file name is: MDM_<VendorName>_Certificate.pem.
5. On the Enterprise page, click the Upload button, click Browse, select the APNS certificate file, and click Upload. The certificate type must be PEM. The Upload button is hidden after a certificate is uploaded to the Enterprise.

Device Features

Default Antivirus Settings (non-iOS devices)

The following settings apply when Anti Virus is enabled in the General Settings.

Disable Handset Modifications: Prevents users from changing the antivirus settings on non-iOS devices, and the commands to enable or disable file scanning are not persistent. During periodic synchronizations with the gateway, the gateway settings override the settings on the device. Clear the check box to allow the device settings to override the gateway settings during each synchronization.

Scan Memory Card: Enables periodic scans of the secure digital (SD) memory card on non-iOS devices.

Scan Files: Enables periodic scans of the files on non-iOS devices.

Scan Inside Archives: Enables recursive scanning of archive files that are contained within other archive files (Android devices only). The supported archive files are .zip, .gzip, and .jar.

Optimize Media Scanning: Enables media files larger than 1 MB to be skipped if the file has not changed since the previous scan (Android devices only). A file is skipped if the MD5 checksum has not changed. The supported media files are .gpp, .m4a, .mov, .mpg, .mp3, .mp4, .wav, .bmp, .gif, .jpg, .png, and .tif/.tiff.
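The Optimize Media Scanning rule described above, written out as an added sketch (not Juniper's code) to show which files can be skipped and which are always rescanned. The function names, the in-memory digest store and the sample files are assumptions made for this example; only the 1 MB threshold, the MD5 comparison and the extension list come from the setting description.

```python
import hashlib
import os
import tempfile

# Taken from the setting description; everything else here is hypothetical.
SIZE_THRESHOLD = 1024 * 1024  # "media files larger than 1 MB"
MEDIA_EXTENSIONS = {".gpp", ".m4a", ".mov", ".mpg", ".mp3", ".mp4", ".wav",
                    ".bmp", ".gif", ".jpg", ".png", ".tif", ".tiff"}


def md5_of(path, chunk_size=64 * 1024):
    """Stream the file through MD5 so a large file is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def may_be_skipped(path):
    """Only a supported media type larger than 1 MB is ever a skip candidate."""
    extension = os.path.splitext(path)[1].lower()
    return extension in MEDIA_EXTENSIONS and os.path.getsize(path) > SIZE_THRESHOLD


def scan_pass(paths, last_md5, scan_file):
    """Run one periodic scan and return {path: "scanned" or "skipped"}.

    last_md5 maps path -> MD5 recorded when that file was last scanned.
    The digest is taken before scanning, so a file that changes during the
    scan gets a different digest next time and is scanned again.
    """
    results = {}
    for path in paths:
        digest = md5_of(path) if may_be_skipped(path) else None
        if digest is not None and last_md5.get(path) == digest:
            results[path] = "skipped"
            continue
        scan_file(path)
        if digest is not None:
            last_md5[path] = digest
        results[path] = "scanned"
    return results


def demo():
    """Two scan passes over constructed sample files; returns both results."""
    large = bytes(SIZE_THRESHOLD + 1)
    samples = {
        "holiday.mp4": large,            # large media, untouched between passes
        "ringtone.mp3": large,           # large media, modified before pass 2
        "icon.png": b"\x89PNG (small)",  # media type, but not larger than 1 MB
        "bundle.zip": large,             # large, but not a media type
    }
    last_md5, scanned = {}, []
    with tempfile.TemporaryDirectory() as root:
        paths = {name: os.path.join(root, name) for name in samples}
        for name, data in samples.items():
            with open(paths[name], "wb") as handle:
                handle.write(data)
        first = scan_pass(paths.values(), last_md5, scanned.append)
        with open(paths["ringtone.mp3"], "ab") as handle:
            handle.write(b"appended bytes")
        second = scan_pass(paths.values(), last_md5, scanned.append)
    by_name = {path: name for name, path in paths.items()}
    return ({by_name[p]: r for p, r in first.items()},
            {by_name[p]: r for p, r in second.items()})


if __name__ == "__main__":
    for number, result in enumerate(demo(), start=1):
        print("pass", number, result)
```

The sketch trusts a recorded digest indefinitely; whether the product rescans unchanged media files after a virus-definition update is not stated on the page.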

Default Firewall Settings (Windows Mobile and Symbian devices)

Active: Displays the firewall application on Symbian and Windows Mobile devices. Clear the check box to hide the application.

Disable Handset Modifications: Prevents users from changing the firewall settings on the device. Clear the check box to allow the device settings to override the gateway settings during the periodic synchronizations with the gateway.

Security Level: Choose one of the following:
   Disable: Disables the firewall component.
   Allow: Permits all traffic that is not specifically blocked in the firewall profile rules.
   Block: Blocks all traffic that is not specifically allowed in the firewall profile rules.

Profile: Set of firewall rules that are applied to devices when they are registered. Use the list box to select a firewall profile. If you have not yet defined profiles, you can edit this setting later. You can also apply profiles to individual devices.

Default Antispam Settings (Windows Mobile and Symbian devices)

Active: Displays the antispam application on Symbian and Windows Mobile devices. Clear the check box to hide the application.

Disable Handset Modifications: Prevents users from changing the antispam settings on the device. Clear the check box to allow the device settings to override the gateway settings during the periodic synchronizations with the gateway.

Block Short Codes: Blocks SMS messages to or from short codes. Short codes are five- or six-digit SMS codes that serve as short phone numbers and are often used by premium SMS services. SMS messages from short codes are more likely to be spam than messages from regular phone numbers. Outgoing SMS messages to short codes can incur phone charges. Short codes are also used for instant messaging (IM) services. Blocking short codes increases security but also limits service to the client.

Profile: Set of antispam rules that are applied to devices when they are registered. If you have not yet defined profiles, you can edit this setting later. You can also apply profiles to individual devices.

Default Monitor and Control Settings (non-iOS devices)

The following settings apply when Monitor & Control is enabled in the General Settings.

Log Event Limit: Number of events that are logged on non-iOS devices before they are uploaded to the server. An event is an instance of any logged item (e-mail, SMS or MMS message, phone call, or image). Higher values delay server updates, but minimize SMS charges and conserve battery life. Select Off to disable uploads based on the number of events.
NOTE: Device logs are uploaded to the gateway over HTTPS, not SMS.

Log Size Limit: Maximum amount of file space used for the event log on non-iOS devices (100K is recommended). The log can exceed this value, but if the log becomes full, an attempt to upload the log occurs after each event. Select Off to disable uploads based on the log size. If both the Log Event and Log Size limits are off, uploads occur only when requested from the management Console or user Dashboard.
NOTE: By default, log entries for the past three days are retained.

Log Email: Saves all e-mails in the log (not supported on Android and iOS devices).

Log SMS: Saves all SMS messages in the log on non-iOS devices.

Log MMS: Saves the text portion of all MMS messages in the log on Blackberry and Symbian devices. Graphics are included only if they are saved on the device and the Log Images option is selected.

Log Voice: Saves a record of each phone call in the log on non-iOS devices, including date, time, and remote phone number.

Disable Voice: Disables the ability to make phone calls (not supported on Blackberry and iOS devices).

Log Images: Saves images in the log that are loaded on non-iOS devices.

Log Web Images: Saves images in the log that are accessed with the device Web browser (not supported on Android and iOS devices).

GPS Update Period: Select how often a non-iOS device reports its GPS location to the gateway, or select Disable Updates to disable GPS reporting. For iOS devices (iPhones and iPads with 3G support), this setting can be specified in the MDM profile (see Tracking (iOS Devices) on page 33). A device's last reported location can be viewed on the GPS Tracking Report (see Tracking Devices with GPS on page 62).

Default SIM Change Settings (non-iOS devices only)

Lock on SIM Change: Locks a non-iOS handset if the SIM card is changed after the device is registered. Changing the SIM card changes the phone number, and disables communication with the gateway. This feature helps protect personal data if the phone is lost or stolen. Logging in with the user's registration password unlocks the device and updates the phone number on the gateway.
NOTE: For a device registered automatically, the user must replace the SIM to unlock the device. Also, locking the device does not disable active background applications, such as a phone call or the music player.

Wipe on SIM Change: Wipes the user data from a non-iOS handset if the SIM card is changed after the device is registered (Lock on SIM Change must be enabled). The data erased depends on the device type (see Personal Data Erased by Handset Wipe Command on page 66). Note the following:
   On Android 2.2 (or later) devices that have the Device Administrator function enabled, the device is not locked, but a factory reset occurs that removes all applications installed by the user, including Junos Pulse. If the Device Administrator is disabled, the device is locked, and GPS Theft Mode and Monitor & Control logging is enabled.
   On Android 2.1 devices, the device is locked, and GPS Theft Mode and Monitor & Control logging is enabled. The contacts and history are wiped, but not the SD memory card.

Adding Administrator Accounts

The Root administrator of the Pulse Mobile Security Gateway can create other administrator accounts at the Root, or for a specific Partner, or Enterprise. A Partner-level account can access only that Partner and one or more of its Enterprises. An Enterprise-level account can access only that Enterprise. The procedure for creating administrator accounts is the same at each level: create a role that has the administrator permissions, create a user account, and then assign the role and a user control list to the account.

Informational Note: Do not change the name of the predefined Root account (root@smobilesystems.com). The Root account is required to configure the Control Center and Malware Signature Server settings for malware signature updates.

Adding an Administrator Role

A role is a set of permissions that you can apply to a user account. For example, you can define a role that allows view permission on everything but allows edit permission on only a few objects. For an administrator role, you typically allow all permissions.

To define an administrator role:

1. Select the Root, a Partner, or an Enterprise. The role must be created at the same level as the user accounts where you want to apply the role.
   Informational Note: To allow administrators to add a Partner, the Root level must be selected.
2. Select the Roles tab, and click Add Role.
3. Select the permissions View, Add, Edit, Delete, and Move for each of the following objects. Click Select All to enable all permissions. The following table describes the effect of the View permission, which is required for all other permissions.

Object: Effect of View Permission

Partner: Displays the list of available Partners on the Home tab for users defined at the Root level.

Enterprise: Displays the list of available Enterprises on the Partner Home tab for users defined at the Root or Partner level. For Enterprise-level users, the Home tab displays the basic settings for the Enterprise, such as Enterprise name and license. For Root and Partner users, the Edit permission displays an icon next to each Enterprise that allows the basic settings to be changed. To allow all other Enterprise settings to be viewed or changed, see Enterprise Settings.

Device Identity Server: Displays the Device Identity Servers selection on the Settings tab at the Root, Partner, and Enterprise levels (available only in roles created at the Root level).

User: Displays the Users tab at each level.

User Group: Displays the User Groups selection on the Groups tab for each Enterprise.

User Role: Displays the Roles tab at each level. The Add permission allows roles to be defined, but the Assign User Role(s) permission is needed to assign a role to an account (see Step 5).

Device: Displays the Devices tab for each Enterprise.

Device Group: Displays the Device Groups selection on the Groups tab for each Enterprise.

Firewall Rule: Displays the Firewall Rules selection on the Profiles tab at each level.

MDM Profile: Displays the MDM Profiles selection on the Profiles tab for each Enterprise.

Firewall Profile, Antispam Rule, Antispam Profile: Displays each selection on the Profiles tab at each level.

Android Prohibited Application: Displays the Prohibited Applications selection on the Profiles tab at each level.

Enterprise Settings: Displays the Enterprise Settings selection for the device-related settings on the Settings tab in each Enterprise. The Edit permission also displays an icon next to each Enterprise on the Partner Home tab.

System Settings: Displays the System Settings selection on the Settings tab at each level.