System Requirements. Version Mobile Service Manager


System Requirements
Version 8.3.0.1.1274
Mobile Service Manager

Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ("Good"). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser's authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good's sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided "as is" and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good's future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

Copyright 2016. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.

Contents

System s/s
Server Hardware Requirements
File System Configuration
Core System Requirements
Good Dynamics Requirements
GEMS Requirements
Exchange Requirements
Exchange Management Tools
Good Mobile Messaging Requirements
BlackBerry Enterprise Server Requirements
BES One-Click Fix-It Requirements (Optional)
GFE and BlackBerry User Self-Service (USS)
Good MSM Security Management Module
MDM Gateway Server Demilitarized Zone (DMZ) Requirements

01 System s/s

This section outlines the minimum requirements and lists other provisions necessary to complete your Good MSM installation. Good MSM strongly recommends reviewing the requirements before proceeding with the installation. The following prerequisites are recommendations to build your Good MSM servers. Noncompliance with system requirements could result in compromised system performance or an unsuccessful installation.

Note: Though BoxTone is now officially Good Mobile Service Manager, some of the content in this guide will still reference BoxTone to remain consistent with system file, server, account, and directory names.

Server Hardware Requirements

Below are the minimum hardware requirements to operate Good MSM in your environment. Use the table to determine the proper hardware configurations for your enterprise.

File System Configuration

The recommended file system configuration will optimize Good MSM system performance. RAID 10 or SAN storage are recommended for Database Storage and Redo logs. Deployments with more than 5,000 devices are required to use a dual server configuration. For large deployments exceeding 20K devices, please call Good MSM Client Services to assist with your installation. The file system configurations shown below are recommendations. The signifies the letter(s) of the drive.

Monitored Devices | Server | #CPU Core | CPU GHz | RAM | Recommended File System Configuration
1-2,000 | /Database | 8 | 2.66GHz | 8GB | : - Windows OS: 40 GB; : - Good MSM : 30 GB; : - Good MSM DB: 200 GB
2,000-5,000 | /Database | 8 | 2.66GHz | 16GB | : - Windows OS: 40 GB; : - Good MSM : 30 GB; : - Good MSM DB: 200 GB

Installation Guide 4

Monitored Devices | Server | #CPU Core | CPU GHz | RAM | Recommended File System Configuration
5,000-15,000 | Database | 8 | 2.66GHz | 16GB | : - Windows OS: 40 GB; : - Good MSM : 20 GB; : - Good MSM DB Storage: 300 GB; : - Redo logs: 10 GB
5,000-15,000 | | 8 | 2.66GHz | 16GB | : - Win OS: 40 GB; : - Good MSM : 50 GB
15,000-20,000 | Database | 8 | 2.66GHz | 32GB | : - Win OS: 40 GB; : - DB : 20 GB; : - DB Storage: 500 GB; : - Redo logs: 10 GB
15,000-20,000 | | 8 | 2.66GHz | 32GB | : - Win OS: 40 GB; : - Good MSM : 50 GB
20,000+ | Please consult your Good Sales Engineer or TAM
Optional Remote Log Collector | | 4 | 2.66GHz | 4GB | : - Win OS: 40 GB; : - Good MSM : 20 GB

Core System Requirements

Operating System: Good MSM supports the following operating systems (English version):
- Windows Server 2008 R2
- Windows Server 2012 R2 Standard
Note: The most recent service pack should be installed on the server.
Note: There is an issue that causes IP addresses on a single network adapter to be registered improperly within DNS. The following Microsoft hotfix should be applied.
- Windows 2008 SP2: http://support.microsoft.com/kb/975808
- Windows 2008 R2: http://support.microsoft.com/kb/2386184

Region/Location Settings: The Region and Location Format (Control Panel -> Region and Language -> Formats) must be set to United States.

Anti-Virus Scanning: Must be disabled during the installation and for all Good MSM application and database directories during operation.

Server Service Ports (Remotely Accessible Listen / Outbound / Local TCP Ports)

Broker Service Action Gateway: 28080 4445 4446 25050
Note: In a dual-server deployment, the Good MSM repository server must be able to connect to the Good MSM application server on this port.
Log Collector: 32001
HTTP Load Balancing Service: 4925
Collector Server: 5354
Admin Services: 19190 19290
WMI Gateway Service: 8825
Console: 80 443

Repository
Oracle Repository: 1521 5500 2484 7777

Integrator: 80 389 443 636
Broker (BES/GFE/GD): 1433
User Sync BBUAT: 1433
GFE Web Services: 19005
Log Collector: 135-139 445
WMI Gateway: 135
SCOM Connector (Optional/BES Only): 5724

File System Backups: Must be disabled on all Good MSM application and database directories. Good MSM Backup Utility will be installed during Good MSM implementation for environment backup.

Internet Information Services (IIS): IIS Services must NOT be installed or enabled on the Good MSM Server. Servers must not have the Web Server role enabled to avoid port conflicts with Good MSM consoles.

Microsoft PowerShell: Microsoft PowerShell v2 or greater.

Disk Contention: Good MSM recommends that each logical drive (C:, D:, E:, etc) be on separate physical arrays to maximize disk I/O performance, and minimize contention among BoxTone services.

Temp Directory: At least 20GB of free space must be available on the drive of the temp directory (typically C:) prior to installation of Good MSM.

Data Retention Policy: File system requirements listed above assume you are using the default Good MSM data retention settings. Additional space may be required if the data retention policies are changed.

Service Account: Service Account (BTAdmin) is required to run Good MSM services.
- Domain User
- Local Administrator on Good MSM Server
- Local Security Policy requires the following privileges:
  o Log on as a service
  o Log on as a batch job
  o Log on locally

IPv6: IPv6 Support must be disabled on the Good MSM server.

Static IP Address: The core Good MSM installation requires a static IP address. Additional IP addresses may be required if additional modules are enabled. (See requirements sections for modules being installed.)

.NET Framework: .NET Framework 2.0 or greater with the latest published service pack.

Virtualization: When running Good MSM on a VM, it is recommended that 75% of the RAM required for your implementation (see Server Hardware Requirements table above) be reserved/dedicated on the host. Good MSM has certified VMware for single server deployments with up to 1,500 managed devices.

Adobe Flash: Adobe Flash v10 or greater is required to access Good MSM's web consoles. It may be necessary to manually enable the Flash plugin on the newest Firefox releases.
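The Service Account privileges listed above can be audited before installation. The following is an added example, not part of the Good MSM guide: it exports the local user rights with secedit and reports whether the account holds each of the three logon rights, directly or through local Administrators membership. The account name in the usage comment is a placeholder, and rights granted through other (domain) groups are not resolved.

```powershell
# Added example (not from the Good MSM guide). PowerShell v2 compatible.
# Run elevated on the Good MSM server.

# Privilege constants for the three rights the guide lists.
$RequiredRights = @{
    'SeServiceLogonRight'     = 'Log on as a service'
    'SeBatchLogonRight'       = 'Log on as a batch job'
    'SeInteractiveLogonRight' = 'Log on locally'
}

function Get-UserRightsTable {
    # Export the effective local policy and return a hashtable: right -> SIDs/names.
    $inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $table = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                # Entries are comma separated; resolved principals appear as *SID.
                $table[$right] = @($Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ })
            }
        }
        return $table
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-LocalAdministrator {
    # True when DOMAIN\user is a direct member of the local Administrators group.
    param([Parameter(Mandatory = $true)][string]$Account)
    $wanted = 'WinNT://' + $Account.Replace('\', '/')
    $group  = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        if ($path -eq $wanted) { return $true }   # -eq ignores case for strings
    }
    return $false
}

function Test-ServiceAccountRights {
    param([Parameter(Mandatory = $true)][string]$Account)   # DOMAIN\user

    $nt      = New-Object System.Security.Principal.NTAccount($Account)
    $sid     = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $isAdmin = Test-LocalAdministrator -Account $Account
    $table   = Get-UserRightsTable

    foreach ($right in $RequiredRights.Keys) {
        $holders = @($table[$right])
        if ($holders -contains $sid -or $holders -contains $Account) {
            $via = 'Direct'
        } elseif ($isAdmin -and $holders -contains 'S-1-5-32-544') {
            $via = 'Administrators group'     # S-1-5-32-544 = BUILTIN\Administrators
        } else {
            $via = 'MISSING'
        }
        New-Object PSObject -Property @{
            Privilege   = $right
            Description = $RequiredRights[$right]
            GrantedVia  = $via
        } | Select-Object Privilege, Description, GrantedVia
    }
}

# Usage (placeholder account name):
# Test-ServiceAccountRights -Account 'EXAMPLE\BTAdmin' | Format-Table -AutoSize
```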

Web Browser: The following web browsers are certified in Good MSM 8.3:
- Internet Explorer 9 & 11.x
- Chrome (Latest Version)
- Firefox (Latest Version)
All ad blocking extensions should be disabled or a rule excluding the MSM application server must be created for Admin users. Please see KB 21085 for additional information.

Mobile Device Users Group: An AD group should exist that contains all users who have a mobile device associated with your environment. This group will be mapped to the MobileDeviceUsers role in Good MSM. If this AD group does not exist in your environment, create it before proceeding to installation. The MDU group should only be mapped to all mobile users in deployments with Security Management. If AD Optimal Sync Mode is enabled, the MDU must be mapped to monitored/VIP users.
- If Full AD Sync is enabled (required for Security Management/MDM), a security group (in Active Directory or a local Windows Group on the MSM Server) must be created. This group must include all users that have or will have a monitored mobile device.
- If Optimal AD Sync is enabled, then an Active Directory or a local Windows Group must be created that includes all users for which VIP monitoring is desired.

Good Dynamics Requirements

Please review the monitored GD requirements to ensure you have assigned the proper roles and permissions and obtained the certified software versions for all associated GD requirements.

Good Control (GC) SQL Database Access: Good MSM requires read access to the Good Control database (GC). This requirement can be met via one of the following:
  o Windows Integrated Authentication - The Service Account must be granted the db_datareader role within the database.
  o SQL Authentication - Provide a SQL account that has the db_datareader role within the database.
Identify the port (default=1433) and instance that the GC SQL database is bound to. Ensure the database has remote IP access enabled. Good MSM currently supports only a single GC database per SQL server.

Good Control (GC) Log Monitoring: The following are required for Good MSM to monitor Good Control diagnostic information via log files:
- The GC's diagnostic log directory must be shared on the Good Proxy Server. The default location is C:\Good\GCLogs.
- The Service Account requires read access to the shared log directory.

Good Proxy (GP) Service Monitoring: The Service Account must be a member of the Administrators group on each monitored GP and GC to monitor service status via WMI.
* Monitoring via WMI is optional.

GP Log Monitoring: The following are required for Good MSM to monitor Good Dynamics application information via log files:
- The Good Proxy Server's diagnostic log directory must be shared. The default location is C:\Good\GPSLogs.
- The Service Account requires read access to the shared log directory.

GP Name Discovery (Optional): In order to discover the common names of Good Dynamics applications, it is necessary to connect to the Good Dynamics NOC. This connection is made on port 443 to the following host: gdmdc.good.com. This connection must be unproxied.

Good Dynamics Software Version: The following Good Dynamics software versions are supported in Good MSM 8.3:
- Good Control: 2.0+ (certified), 1.10+, 1.9+
- Good Proxy: 2.0+ (certified), 1.10+, 1.9+

GEMS Requirements

GEMS EWS Database Access: Good MSM requires read access to the GEMS EWS database (EWS). This requirement can be met via one of the following:
  o Windows Integrated Authentication - The Service Account must be granted the db_datareader role within the database.
  o SQL Authentication - Provide a SQL account that has the db_datareader role within the database.
Identify the port (default=1433) and instance the GEMS EWS database is bound to. Ensure the database has remote IP access enabled.

GEMS Connect Database Access: Good MSM requires read access to the GEMS Connect database (Connect). This requirement can be met via one of the following:
  o Windows Integrated Authentication - The Service Account must be granted the db_datareader role within the database.
  o SQL Authentication - Provide a SQL account that has the db_datareader role within the database.
Identify the port (default=1433) and instance that the GEMS Connect database is bound to. Ensure the database has remote IP access enabled.

GEMS Service Monitoring: The Service Account must be a member of the Administrators group on each monitored GEMS to monitor service status via WMI.
* Monitoring via WMI is optional.

GEMS Log Monitoring: The following are required for Good MSM to monitor GEMS information via log files:
- For GEMS EWS monitoring, the following log folder must be shared and will typically appear in one of the following locations.
  o GEMS 1.4 and below: \Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-karaf-1..\data\log
  o GEMS 1.5: \Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-1.5.\data\log
- For GEMS Connect monitoring, the following service log folder must be shared and will typically appear in the following location.
  o \Program Files\Good Technology\Good Enterprise Mobility Server\Good Connect\logs
- The Service Account requires read access to the shared log directories.

Good Enterprise Mobility Server Version: The following GEMS version(s) are supported in Good MSM 8.3: 1.6+ (certified), 1.5+, 1.4+, 1.3+

Exchange Requirements

Please review the Exchange Requirements to ensure you have allowed access to logs and assigned the proper ports, roles, and permissions as required.

Service Monitoring: For Exchange 2007 and Exchange 2010 the Service Account must be a member of the local Administrators group on each server with the Client Access role to monitor service availability via WMI. For Exchange 2013 the Service Account must be a member of the local Administrator group on each server with the Mailbox role to monitor service availability via WMI.
* Monitoring via WMI is optional.

Exchange Version: Good MSM supports Exchange 2007, 2010, 2013 with the latest service pack installed.

Log Monitoring: The following is required for Good MSM to read the IIS transaction (W3SVC) and HTTPERR logs:
- Microsoft Exchange CAS, Mailbox (Exchange 2013 only) and HTTPERR log folders must be shared (default locations are listed below).
  a. HTTPERR: C:\Windows\System32\LogFiles\HTTPERR
  b. CAS: C:\inetpub\logs\LogFiles\W3SVC1
  c. Mailbox (Exchange 2013 only): C:\inetpub\logs\LogFiles\W3SVC2
- The service account requires read access to the log folder.
- Validate that logs are accessible from the Good MSM server.
- Logging should be configured as follows:
  o Format: W3C
  o Encoding: UTF-8
  o Rollover schedule: Daily

BoxTone Service Account: The BoxTone Service Account must have the following roles to collect ActiveSync connected device information from the Exchange environment.
  o Exchange 2007 - View-Only Exchange Administrator Role
  o Exchange 2010 - View-Only Organization Management Role
  o Exchange 2013 - View-Only Organization Management Role
The PowerShell RemoteSigned Execution policy must be in place. To check, run the following in PowerShell:
  1. get-executionpolicy
  2. If RemoteSigned is not returned, run the following command to set the policy to RemoteSigned
  3. set-executionpolicy remotesigned

Exchange Management Tools

Please review the corresponding versions of the Exchange Management Tools based upon the version(s) of Exchange that will be monitored.

Exchange Environment | Exchange Management Shell (EMS) Tools required
Exchange 2007 | EMS 2007
Exchange 2010 | n/a
Exchange 2013 | n/a
Exchange 2007 and Exchange 2010 | EMS 2007
Exchange 2010 and Exchange 2013 | n/a
Exchange 2007 and Exchange 2013 | EMS 2007

To learn more about the Microsoft Exchange Tools, select one of the links below. The following Microsoft Knowledge Base (KB) articles provide details about the installation of these tools:
http://technet.microsoft.com/en-us/library/bb232090%28echg.80%29.aspx

Good Mobile Messaging Requirements

Please review the monitored Good Mobile Messaging requirements to ensure you have assigned the proper roles and permissions and met registry key requirements.

GMC SQL Database Access: Good MSM requires read access to the Good Mobile Control database (GMCDB). This requirement can be met via one of the following:
  o Windows Integrated Authentication - The Service Account must be granted the db_datareader role within the database.
  o SQL Authentication - Provide a SQL account that has the db_datareader role within the database.
Identify the port (default=1433) and instance that the Good SQL database is bound to. Ensure the database has remote IP access enabled.

GMM Log Monitoring: The following is required for BoxTone to monitor GMM server health and mail flow via log files.
- GMM log folder must be shared
- Service Account requires read access to the shared log directory

GMM Service Monitoring: Service Account must be a member of the Administrators group on each monitored GMM to monitor service status via WMI.
* Monitoring via WMI is optional.

GMM server registry keys: The following registry keys are required on any monitored Good Mobile Messaging server. All keys will be located in HKLM\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics.
NOTE: If the Diagnostics key does not exist, you must create it and then create the appropriate string values as stated below.
To decrypt the log files and ensure they flush in real-time, set the following registry values.
  encrypt = 0
  expand = 1
  cachesize = 0

GFE One-Click Fix It: The Service Account should be added to the Service Administrator role on the GMC. Port 19005 must be open on the GMC to allow the Good MSM Service Account to communicate with web services for GFE Fix-It.
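The registry requirement above can be checked and applied idempotently. The following is an added example, not part of the Good MSM guide: it reports any of the three diagnostics values that is missing, has the wrong data, or is not a string value, and sets them with -WhatIf support. Because encrypt = 0 leaves the GMM logs unencrypted on disk, the read access on the shared log directory is what protects their contents.

```powershell
# Added example (not from the Good MSM guide). PowerShell v2 compatible.
# Run elevated on each monitored Good Mobile Messaging server.

# Key path and values as listed in the guide; the values are REG_SZ strings.
$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics'
$Required = @{ encrypt = '0'; expand = '1'; cachesize = '0' }

function Get-GmmDiagnosticsDrift {
    # Emits one object per value that is absent, has other data, or is not REG_SZ.
    $key = Get-Item -Path $DiagKey -ErrorAction SilentlyContinue
    foreach ($name in $Required.Keys) {
        $current = $null
        $kind    = $null
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $current = $key.GetValue($name)
            $kind    = $key.GetValueKind($name)
        }
        if ($kind -ne 'String' -or "$current" -ne $Required[$name]) {
            New-Object PSObject -Property @{
                Name     = $name
                Current  = $current
                Kind     = $kind
                Required = $Required[$name]
            } | Select-Object Name, Current, Kind, Required
        }
    }
}

function Set-GmmDiagnostics {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Create the key only when it is absent: New-Item -Force on an existing
    # registry key would replace it and drop its values.
    if (-not (Test-Path -Path $DiagKey)) {
        if ($PSCmdlet.ShouldProcess($DiagKey, 'Create registry key')) {
            New-Item -Path $DiagKey | Out-Null
        }
    }

    foreach ($drift in @(Get-GmmDiagnosticsDrift)) {
        $target = '{0}\{1}' -f $DiagKey, $drift.Name
        if ($PSCmdlet.ShouldProcess($target, "Set string value to $($drift.Required)")) {
            New-ItemProperty -Path $DiagKey -Name $drift.Name -Value $drift.Required `
                -PropertyType String -Force | Out-Null
        }
    }
}

# Usage:
# Get-GmmDiagnosticsDrift | Format-Table -AutoSize   # report only
# Set-GmmDiagnostics -WhatIf                         # show what would change
# Set-GmmDiagnostics                                 # apply
```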

BlackBerry Enterprise Server Requirements

Please review the BlackBerry Enterprise Server Guidelines below to ensure you have assigned the proper roles and permissions as required.

BES Version: The following BES versions are certified in Good MSM 8.3:
- BES 5.0.4

BES SQL Server Access: Good MSM requires read access to the BlackBerry Configuration Database (BESMgmt). This requirement can be met via one of the following:
  o Windows Integrated Authentication - The Service Account must be granted the db_datareader role within the database.
  o SQL Authentication - Provide a SQL account that has the db_datareader role within the database.
Please be sure to identify the port (default=1433) and instance that the BES Configuration Database (BESMgmt) is bound to. Ensure the database has remote IP access enabled.

BES Service Monitoring: The Service Account must be a member of the Administrators group on each monitored BES to monitor service status via WMI.
* Monitoring via WMI is optional.

BES Log Monitoring: The following bullets are required for Good MSM to read the BES Logs:
- BlackBerry Enterprise Server log directory must be shared
- Service Account requires read access to the shared log directory
- BES Log Levels must be set to DEBUG on BES 5.0.4
- The following BES logs must be set to debug: -MAGT -SYNC -POLC -DISP -CTRL
- Validate that the BES Logs are accessible from the Good MSM Server

BES One-Click Fix-It Requirements (Optional)

Please review the Good MSM One-Click Fix-It requirements below to download and install the BES User Administration tool. Once installed, ensure that the proper roles and permissions have been assigned.

Good MSM BES Fix-It Requirements

BES 5.0.4 Domain:
- To configure Good MSM One-Click Fix-It, download the BlackBerry Enterprise Server User Administration Tool. This download is available from http://www.blackberry.com/brk. Ensure the version that you download matches your BES version. Good MSM requires BlackBerry Enterprise Server Resource Kit version 5.0 Service Pack 4.
- Install the BlackBerry Enterprise Server User Administration Tool on the Good MSM Server.
- The Service Account should be given the proper permissions on the BES SQL Server (One-Click Fix-It requires the Enterprise Administrator role).
- The BlackBerry Administration Service (BAS) must be listening on the default TCP Port (443). One-Click Fix-It is not supported with other port configurations.

GFE and BlackBerry User Self-Service (USS)

DNS Entry for Cross-Platform USS: A DNS entry should be created for the USS hostname that will point to the core IP address of the BoxTone server.

Please Note: BlackBerry User Self-Service (BB USS) is featured in BoxTone versions prior to 7.5. Customers upgrading to 8.3 may continue to use their previous versions of BB USS. However, only Cross-Platform USS will be licensed for new installations of Good MSM 8.3.

Security Management Module (MDM)

DNS and Static IP: The Good MSM Server requires 2 additional Static IP addresses.
- 1 static IP for Device Enrollment
- 1 static IP for Device Management
DNS entries must also be made for IP address to hostname mapping on internal networks. Example: enroll.<company>.com and mdm.<company>.com

Port Requirements: The following ports are required to be open on the Good MSM Server.
- Outbound Port 2195: Send requests to Apple Push Notification Service (APNS)
- In an Exchange 2010 environment, TCP Port 80 is required to be open for outbound connections between the Good MSM server and all Exchange 2010 mailbox servers in order to retrieve device information. For details, see http://technet.microsoft.com/en-us/library/dd297932(v=exchg.141).aspx

SSL Certificate for Security Management; Generate an APNs Certificate: Good MSM 8.3 requires the purchase of an SSL Certificate for use with the Activation Application. This SSL Certificate must be purchased from an Apple-recognized certificate vendor. Additional details can be found in the Configuration and Administration Guide. This is required for Good MSM Security Management.

Service Account: The following permissions are required for the service account to perform Exchange Actions:
- Exchange 2007
  o Local Administrator on each of the 2007 Exchange servers
  o Exchange View-Only Administrator Role
  o Exchange Recipient Management Role (required to enable or disable ActiveSync)
  o Exchange Server Administrator on all Exchange Mailbox Servers (required to wipe device)
- Exchange 2010
  o View-Only Organization Administrator Role
  o Exchange Recipient Management Role (required to enable or disable ActiveSync & wipe device)
- Exchange 2013
  o View-Only Organization Administrator Role
  o Exchange Recipient Management Role (required to enable or disable ActiveSync & wipe device)
- Write privileges for msexchomaadminwirelessenable in the user objects category

Non-Exchange Environments: To enable ActiveSync email configuration within non-Exchange environments, the following must be configured:
- Users must authenticate utilizing Active Directory credentials.
  o The user's primary SMTP address must be populated in the AD attribute mail.

Volume Purchasing Program (VPP): In order to utilize the VPP distribution capabilities of Good MSM, a valid Apple VPP for Business account must be set up. Please refer to Apple's Volume Purchasing Program for Business guide found at http://www.apple.com/business/vpp for details.

Certificate Authorities: To enable Good MSM to distribute identity certificates from a Microsoft Certificate Authority, please set up permissions and templates as outlined in the document Good MSM Certificates Technical Overview, which can be found in the \Good MSM\Documentation directory on your server.

MDM Gateway Server Demilitarized Zone (DMZ) Requirements

If MDM is being used with externally connected iOS devices (via cellular or remote Wi-Fi access points), a separate MDM Gateway Server in the perimeter network/Demilitarized Zone (DMZ) is strongly recommended.

MDM Gateway Server Hardware Requirements: The Good MDM Gateway Server accepts inbound connections from MDM devices. Hardware requirements are listed below:
- 4 CPU Core @ 2.66 GHz
- 4 GB RAM
- Recommended File System Configuration:
  o C: - Windows OS 40 GB
  o D: - Apache 40 GB

DNS and Static IP: The Good MDM Gateway Server requires 2 Static IP addresses in the DMZ.
- 1 static IP for device enrollment
- 1 static IP for device management
These IP addresses must be publicly routable or must have publicly routable IP addresses referencing them via NAT. DNS entries must also be made for IP address to hostname mappings to public Internet and to Internal Network. Good MSM recommends the following naming scheme:
- Device Enrollment IP Address: enroll.<company>.com
- Device Management IP Address: mdm.<company>.com

Port requirements, Public Internet to DMZ: The following ports are required to be open from the public Internet to IP addresses on the Good MDM Gateway Server.
- enroll.<company>.com
  o 80 and 443 HTTP(S)
- mdm.<company>.com
  o 443 HTTPS

Port requirements, DMZ to Internal Network: The following ports are required to be open from the DMZ server to the Good MSM server on the internal network.
- 80 and 443 HTTP(S)
- 28009 AJP/SCEP
Good MSM requires allowing traffic on these ports from all IP addresses on the DMZ server to both Security Management IP addresses (Enroll and MDM) on the internal server.

Port requirements, Internal Server to Apple: The following ports are required to be open for outbound connections from the Good MSM server on the internal network to Apple's network (17.0.0.0/8).
- 2195 APNs

Apache Download: The Good MDM Gateway Server requires the most recent 2.2 release version of Apache HTTP Server with OpenSSL to be installed. As of the writing of this document this is 2.2.29 openssl-0.9.8t.msi).
http://www.apachehaus.com/cgi-bin/download.plx#apache22vc09
Download Apache HTTP Server (httpd) Win32 binary including openssl 1.0.1m (MSI Installer)
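The three port-requirement legs above (public Internet to DMZ, DMZ to internal network, internal server to Apple) can be verified from each side once the firewall rules are in place. The following is an added example, not part of the Good MSM guide; the host names are supplied by the operator, and the "Closed" expectation for port 28009 from the Internet is an assumption based on the guide listing only 80 and 443 for that leg.

```powershell
# Added example (not from the Good MSM guide). PowerShell v2 compatible.
# Port numbers come from the guide; every host name or address is site-specific.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false               # no answer in time: filtered or host down
        }
        $client.EndConnect($pending)    # throws when the connection was refused
        return $true
    }
    catch { return $false }             # refused, unreachable, or name not resolved
    finally { $client.Close() }
}

function Test-MsmPortMatrix {
    param(
        # Where this script is being run from.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Internet', 'DMZ', 'Internal')]
        [string]$Leg,
        [string]$EnrollHost,   # enroll.<company>.com, or the internal enrollment IP for -Leg DMZ
        [string]$MdmHost,      # mdm.<company>.com, or the internal management IP for -Leg DMZ
        [string]$ApnsHost      # an APNs endpoint inside 17.0.0.0/8, for -Leg Internal
    )

    $plan = @(switch ($Leg) {
        'Internet' {
            @{ Target = $EnrollHost; Port = 80;    Expect = 'Open'   }
            @{ Target = $EnrollHost; Port = 443;   Expect = 'Open'   }
            @{ Target = $MdmHost;    Port = 443;   Expect = 'Open'   }
            # Assumption: AJP/SCEP is a DMZ-to-internal port only.
            @{ Target = $EnrollHost; Port = 28009; Expect = 'Closed' }
            @{ Target = $MdmHost;    Port = 28009; Expect = 'Closed' }
        }
        'DMZ' {
            foreach ($target in @($EnrollHost, $MdmHost)) {
                foreach ($port in 80, 443, 28009) {
                    @{ Target = $target; Port = $port; Expect = 'Open' }
                }
            }
        }
        'Internal' {
            @{ Target = $ApnsHost; Port = 2195; Expect = 'Open' }
        }
    })

    foreach ($item in $plan) {
        if (-not $item.Target) { continue }      # host for this check not supplied
        if (Test-TcpPort -ComputerName $item.Target -Port $item.Port) {
            $actual = 'Open'
        } else {
            $actual = 'Closed'
        }
        New-Object PSObject -Property @{
            Leg    = $Leg
            Target = $item.Target
            Port   = $item.Port
            Expect = $item.Expect
            Actual = $actual
            Pass   = ($actual -eq $item.Expect)
        } | Select-Object Leg, Target, Port, Expect, Actual, Pass
    }
}

# Usage from the MDM Gateway Server (placeholder addresses):
# Test-MsmPortMatrix -Leg DMZ -EnrollHost 10.0.0.10 -MdmHost 10.0.0.11 | Format-Table -AutoSize
```

A "Closed" result only means the TCP handshake did not complete within the timeout, so a failed "Open" check can be a firewall rule, a stopped service, or a DNS entry that has not been created yet.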

System Requirements Overview
Version 8.3
Copyright 2016 by Good Technology. All rights reserved.

Trademarks
Good is a registered trademark of Good Technology Incorporated. Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. All other product names used are trademarks of their respective owners.

Notice
The material in this document is for information only and is subject to change without notice. While reasonable efforts have been made in the preparation of this document to assure its accuracy, Good Technology Inc. assumes no liability resulting from errors or omissions in this document, or from the use of the information contained herein. Good Technology Inc. reserves the right to make changes in the product design without reservation and without notification to its users.

Edition January 2016
Mobile Service Manager