Contents
Section 1
Chapter 1
Chapter 2
Chapter 3
Chapter 4
  Rolling out the site server
  Downloading and installing the Mobile Management Agent app
  Enrolling a mobile device
Chapter 5 Chapter 6
Chapter 7
  Upgrading Symantec Mobile Management
  Upgrading the Symantec Mobile Management device Agent
Chapter 8
Chapter 9
  Selecting the Exchange ActiveSync server
  Restarting the Mobile Management Service Agent
  Verifying the SymantecEASService configuration
  Configuring Symantec Mobile Management to work with Exchange 2010
  Impact on Exchange 2010 when Mobile Management is uninstalled
  Controlling access to Exchange ActiveSync
  Blocking EAS access using Exchange 2010
  Blocking EAS access using F5 BIG-IP LTM
Chapter 10
Setting up Data Loss Prevention for iOS on the Mobile Management server
  About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
  Configuring Mobile Management to use DLP
  Creating VPN credentials
  Configuring VPN for DLP
  Configuring the VPN assignment for DLP
  Configuring the DLP settings
  Configuring remediation rules
  Setting the resource target
Chapter 11
Chapter 12
Section 2
Chapter 13
  Creating policies
  Assigning policies
  Supported policies for specific devices
  About configuration profiles on iOS devices
  Devices that support configuration profiles
  Setting up configuration profiles for iOS devices
  Creating configuration profiles
  Adding configuration profiles to a policy
  Assigning configuration profile policies
  About available configuration profile settings for iOS devices
  About AutoLock settings on iOS devices
Chapter 14
Chapter 15
Chapter 16
  About the Mobile Library
  Setting up Mobile Library feeds
  Creating Mobile Library feeds
  Adding items to Mobile Library feeds
  Targeting a Mobile Library feed
  Publishing an existing feed or item
  Delivering apps to iOS devices
Section 3
Chapter 17
Section 4
Chapter 18
Chapter 19
Section 5
Chapter 20
Chapter 21
Appendix A
System requirements and port usage for Symantec Mobile Management 7.2
  Mobile Management requirements
  Network ports used by Mobile Management
  Supported devices and device operating systems
Appendix B Appendix C
Creating the in-house Mobile Management Agent application for iOS devices
  About the in-house Mobile Management Agent application
  Creating the in-house Mobile Management Agent application
  Requirements for creating the in-house Mobile Management Agent application
  Downloading a WWDR Intermediate Certificate
  Creating a Developer Certificate
  Registering an iOS device for testing
  Setting up an App ID
  Downloading the project
  Preparing the iOS device for testing
  Loading the project
  Creating and installing a Development Provisioning Profile
  Customizing the Bundle identifier
  Customizing the localized string files
  Customizing the Target settings
  Building and testing the application
  Building and distributing the application
Appendix D
Appendix E
Section
Chapter 1. Introducing Symantec Mobile Management 7.2
Chapter 2. Setting up Mobile Management
Chapter 3. Setting up a Mobile Device Management Certificate
Chapter 4. Installing Mobile Management
Chapter 5. First-run diagnostic check and status report
Chapter 6. Licensing Symantec Mobile Management 7.2
Chapter 7. Upgrading to Symantec Mobile Management 7.2
Chapter 8. Configuring Mobile Management
Chapter 9. Setting up Exchange ActiveSync
Chapter 10. Setting up Data Loss Prevention for iOS on the Mobile Management server
Chapter 11. Configuring multiple domain Active Directory / LDAP authentication
Chapter 12. Configuring Mobile Management to require SSL
Chapter 1. Introducing Symantec Mobile Management 7.2
What's new in Mobile Management 7.2 SP1
Getting started with Mobile Management
Before you begin
Components of Mobile Management
Supports iOS 6 feature sets.
Adds iOS app provisioning that supports the Apple Volume Purchase and B2B programs.
New post-installation diagnostics and repair facility built into the Management Status page.
Several UI enhancements to improve ease of use.
New SSL setup features to support environments that require SSL.
New email blocking functionality, including integration with F5 BIG-IP LTM and Exchange 2010 / Office 365.
Support for multi-domain authentication.
Over 80 resolved issues from previous versions.
The document, Symantec Mobile Management 7.2 SP1 Release Notes, contains details about fixes and updates to the product and contains any last-minute changes. The release notes are at http://www.symantec.com/docs/DOC6051. The latest versions of the other Symantec Mobile Management product documentation are available at the following locations:
Symantec Mobile Management 7.2 SP1 Implementation Guide (this document): http://www.symantec.com/docs/DOC6049
Symantec Mobile Management 7.2 SP1 Quick-start Guide: http://www.symantec.com/docs/DOC6050
Links to the knowledge base articles germane to this release are provided in the Troubleshooting appendix of this document.
Mobile Management Servers (Required): All mobile device communications pass through the Mobile Management Server(s).
Symantec Management Console (Required): The Symantec Management Console (or, "console") is a Web-based administration utility that is part of the Symantec Management Platform. After you install Mobile Management, a Mobile Management portion of the console is added on. All of the management tasks that are associated with Mobile Management are accomplished in the console.
Required
Certificate Authority (Optional but strongly recommended): The Certificate Authority manages security credentials and public and private keys for secure communication. Symantec highly recommends a Certificate Authority for a secure environment.
SCEP (Required if you use a Certificate Authority): The Simple Certificate Enrollment Protocol (SCEP) works with the Certificate Authority to issue certificates in large enterprises. It handles the issuing and revocation of digital certificates. The SCEP and Certificate Authority can be located on the same server. See Microsoft SCEP Implementation Whitepaper.
Microsoft Exchange ActiveSync (Optional): Synchronizes the email, contacts, calendar, tasks, and notes that are associated with mailboxes on the Mobile Management Server with devices. See the Microsoft Exchange ActiveSync documentation.
Apple Push Notification Service (Required if you want to manage iOS devices): The Mobile Management Server communicates through the Apple Push Notification Service (APNs) to iOS devices. See Setting up an MDM Certificate on page 26. For more information about APNs, see the Apple OS X Developer Library topic Apple Push Notification Service.
MDM Certificate (Required if you want to manage iOS devices): The Mobile Device Management (MDM) Certificate provides access to APNs.
Google GCM (Required if you want to push commands to Android devices): Google Cloud Messaging (GCM) is used to push actions and commands to Android devices. See Setting up Google Cloud Messaging (GCM) on page 22.
Chapter 2. Setting up Mobile Management
Setting up Mobile Management
Mobile Management certificate distribution
Setting up Google Cloud Messaging (GCM)
Description
To secure your environment, you need to set up a Certificate Authority. You can either purchase a commercial Certificate Authority or set up a Certificate Authority yourself. If your environment is already secure, you can skip this step. See Mobile Management certificate distribution on page 21.
Step 2
Set up SCEP in your environment. For information about setting up SCEP, see Microsoft SCEP Implementation Whitepaper If you already have SCEP setup in your environment, you can skip this step.
Step 3
If you want to manage iOS devices in your environment, this step is mandatory. See Setting up an MDM Certificate on page 26.
Step 4
Install the Mobile Management components. See Basic installation workflow for Symantec Mobile Management on page 34.
Step 5
(Optional) Set up additional security in your environment. For additional security, you can set up profile security in your Mobile Management environment. Profile security lets you encrypt and sign data. To set up profile security, add signing certificates and encryption certificates to your Certificate Authority. See Configuring profile security settings on page 57.
Configure and customize the components of your Mobile Management environment in the Symantec Management Console. See Configuring Mobile Management on page 52.
Step 7
Set up and configure Exchange ActiveSync to work with Mobile Management. See Setting up Exchange ActiveSync on page 64.
Step 8
Create GCM Project ID and Server key, and configure Mobile Management to use GCM. See Setting up Google Cloud Messaging (GCM) on page 22.
See Getting started with Mobile Management on page 14. See Components of Mobile Management on page 15.
[Figure: Mobile Management certificate distribution. Labels: Certificate authority (root certificate); Profile Security (signing certificate with public and private keys, encryption certificate with public key); iOS device.]
Create a new project at Google's APIs Web site, obtain the Project ID number, and generate a Google API server key.
Configure Symantec Mobile Management to use GCM.
To create a new project and obtain the Project ID number and API server key
1. Go to https://code.google.com/apis/console, sign into your Google account, and then click Create project.
2. On the left side of the APIs Dashboard page, click the drop-down menu and select Create . . .
3. Enter a name for the project and click Create Report.
4. Your browser refreshes and displays a new URL. In the URL, locate the element, #project. Record the number that follows #project. For example, https://console.google.com/apis/console/#project:1066916068160
   Note: This number is called the Google Project ID and it is required when you configure Symantec Mobile Management to use GCM.
5. Select your project from the API Project drop-down list and then in the left pane, select Services.
6. Scroll down the page to Google Cloud Messaging for Android, and set the ON/OFF widget to ON.
7. On the Google APIs Terms of Service page, agree to and accept the terms of the agreement.
8. Return to the APIs home page and towards the bottom of the page, click Create new Server key.
9. On the Configure Server Key for My Project panel, you can optionally specify a particular server or servers that can use GCM. Enter the IP address of each server on a separate line. Leave the field blank to allow any server IP address. Check the Google documentation for more information.
10. Click Create. The server key is displayed on the API Access page under Key for server apps (with IP locking). Record the server key string for use in the next procedure.
1. On the Symantec Management Console, go to Home > Mobile Management > Settings > Android Enrollment.
2. In the right pane, enter the Project ID and API key ("Server Key") you generated in the previous procedure.
3. Click Save changes.
4. On the Mobile Management server go to Start > Administrative Tools > Services and restart the Mobile Management Service Agent.
Mobile Management is now configured to send GCM data to Android mobile devices.
Chapter 3. Setting up a Mobile Device Management Certificate
About the Mobile Device Management (MDM) Certificate
Setting up an MDM Certificate
MDM Certificate requirements
Exporting an MDM Certificate using Mac OS X
Generating a certificate request
Exporting an MDM Certificate using a Windows Server 2003 or 2008
Installing an MDM Certificate
Step
Step 1
Create and export an MDM certificate. After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server. See Exporting an MDM Certificate using Mac OS X on page 28.
Step 2
Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec. You must install the MDM Certificate on all the Mobile Management servers in your environment. See Installing an MDM Certificate on page 30.
Step 3
Table 3-2. Process for setting up a Mobile Device Management Certificate on a Windows Server 2003 or 2008
Step 1
Generate a certificate request. To create an MDM Certificate on a Windows Server 2003 or 2008, you must first generate a certificate request. See Generating a certificate request on page 29.
Step 2
Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec. You must install the MDM Certificate on all the Mobile Management servers in your environment. See Installing an MDM Certificate on page 30.
Step 3
See About the Mobile Device Management (MDM) Certificate on page 25.
You must contact Symantec directly to acquire the signed MDM Certificate.
1. Open Keychain Access.
2. Under Keychains in the left pane, select login.
3. Under Categories, select Certificates.
4. Select your Apple Development Push Services or Apple Production Push Services Certificate.
5. Choose File > Export Items....
6. Select Personal Information Exchange as the file format and click Save.
7. Enter a password to lock the MDM Certificate and click OK.
8. Enter your logon key chain password. This password is your Apple computer account password.
9. Click Allow.
10. Transfer the MDM Certificate that you created to the computer running the Mobile Management server.
1. Select Start > Control Panel > Administrative Tools.
2. Select Internet Information Services (IIS) Manager.
3. Select the server, and then double-click Server Certificates.
4. On the Actions menu, click Create Certificate Request. Enter the following information:
   Common Name - The name that is attached to your certificate request.
   Organization - The name of your organization.
   Organizational unit - The name of the group or department within your organization.
   City/locality - The city or locality where your organization is located.
   State/province - The state or province where your organization is located.
   Country/region - The country or region where your organization is located.
5. Click Next.
6. In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic service provider. Select 2048 for the Bit length. Click Next.
7. In the File Name window, type a file path and name or click the ellipsis button to browse.
8. Click Finish to generate and save the certificate request.
See Setting up an MDM Certificate on page 26.
To create and export an MDM certificate using a Windows Server 2003 or 2008
1. Select Start > Control Panel > Administrative Tools.
2. Select Internet Information Services (IIS) Manager.
3. Select the server, and then double-click Server Certificates.
4. In the Actions menu, click Complete Certificate Request.
5. In the Specify Certificate Authority Response window, click the ellipsis button and browse to the Apple Push Notification Service SSL certificate that you downloaded previously. In the Friendly name field, enter a friendly name. Click OK.
6. Select the Server Certificate with the friendly name that you entered in step 5.
7. In the Actions menu, click Export.
8. In the Export Certificate window, click the ellipsis button and browse to the location where you want to export the MDM Certificate.
9. In the Password field, enter a password to secure the MDM Certificate.
10. Click OK.
Transfer the MDM Certificate that you created to the computer running the Mobile Management server.
1. Download and install the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) from the following Web site: http://www.microsoft.com/downloads/en/detials.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en
2. Open a command prompt window and navigate to the install directory of the Windows HTTP Services Certificate Configuration Tool.
3. Execute the following command:
winhttpcertcfg -i <PathToMDMCertificate> -c LOCAL_MACHINE\My -a "NETWORK SERVICE" -p <Password>
1. Click Start and then click Run.
2. In the command prompt, type mmc and then click OK to open the Microsoft Management Console.
3. In the Microsoft Management Console, click File > Add/Remove Snap-in....
4. Click Certificates in the Available snap-ins box and then click Add.
5. In the Certificates snap-in window, select Computer account, and then click Next.
6. Click Finish and then click OK.
7. Expand Certificates, right-click the Personal tree node, and select All Tasks > Import.
8. In the wizard, point to the MDM Certificate and provide the password you entered to secure it. Complete the steps in the wizard.
9. Expand Personal and double-click the Certificates folder.
10. Right-click the MDM Certificate you installed and select All Tasks > Manage Private Keys.
11. In the Security tab, add the Network Service account and provide Read access.
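A post-install check for the certificate installation described above, as an added example that is not part of the Symantec guide: it confirms that the MDM Certificate is in the LocalMachine\My store with a private key of at least 2048 bits and that Network Service has Read access to that key. The subject filter is an assumed placeholder, and the key-file path assumes a CSP-based key (such as the Microsoft RSA SChannel Cryptographic Provider selected when generating the request) on Windows Server 2008 or later.

```powershell
# Added example, not from the Symantec guide. Save as a .ps1 file and run from
# an elevated PowerShell prompt on the Mobile Management server.
# $SubjectMatch is an assumed placeholder; set it to text from your certificate's subject.
param(
    [string]$SubjectMatch = 'Apple Production Push Services'
)

# Resolve NETWORK SERVICE from its well-known SID so the check also works on localized systems.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Machine key containers for CSP-based RSA keys (assumption: Windows Server 2008 or later).
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readBit = [int][System.Security.AccessControl.FileSystemRights]::Read

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "*$SubjectMatch*" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with a subject matching '$SubjectMatch' in LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    $findings = @()

    # Validity window: an expired push certificate stops APNs communication.
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings += "expired on $($cert.NotAfter)"
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += 'expires within 30 days'
    }

    # Key length: the request procedure selects a 2048-bit key.
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt 2048) { $findings += "key is $bits bits, expected 2048 or more" }

    # Locate the private key file and read its ACL.
    $acl = $null
    if (-not $cert.HasPrivateKey) {
        $findings += 'no private key in the store'
    } else {
        try {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $acl = Get-Acl -Path (Join-Path $keyDir $container) -ErrorAction Stop
        } catch {
            $findings += "could not read private key ACL: $($_.Exception.Message)"
        }
    }

    # Confirm the Read grant for Network Service and list every allowed identity.
    $grants = @()
    if ($acl) {
        $allow  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
        $grants = @($allow | ForEach-Object { "$($_.IdentityReference.Value)=$($_.FileSystemRights)" })
        $svc    = @($allow | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            (([int]$_.FileSystemRights) -band $readBit) -eq $readBit
        })
        if ($svc.Count -eq 0) { $findings += "$account has no Read access to the private key" }
    }

    $status = 'OK'
    if ($findings.Count -gt 0) { $status = $findings -join '; ' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyBits    = $bits
        KeyAccess  = ($grants -join '; ')
        Status     = $status
    } | Select-Object Subject, Thumbprint, NotAfter, KeyBits, KeyAccess, Status
}
```

The KeyAccess column lists every account allowed on the key file, so grants beyond the administrators, SYSTEM and Network Service can be reviewed and removed.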
Chapter 4. Installing Mobile Management
About installing Mobile Management
Basic installation workflow for Symantec Mobile Management
Running the Symantec Mobile Management Prerequisite Check Utility
Installing Mobile Management on an existing Symantec Management Platform server
Installing Mobile Management on a new server
Rolling out the site server
Downloading and installing the Mobile Management Agent app
Enrolling a mobile device
If you already have the Symantec Management Platform installed, you can proceed with the installation immediately. See Installing Mobile Management on an existing Symantec Management Platform server on page 37.
If you have not previously installed Symantec Management Platform, you begin by downloading Symantec Installation Manager and Symantec Management Platform. See Installing Mobile Management on a new server on page 37.
Description
Symantec Mobile Management has specific hardware and software requirements. Run the Prerequisite Check Utility to make sure that your environment is prepared to host the server and the database components. See Running the Symantec Mobile Management Prerequisite Check Utility on page 36.
You download Symantec Mobile Management using Symantec Installation Manager. If an instance of Symantec Management Platform is not already installed, you first download Symantec Management Platform, which includes Symantec Installation Manager. See Installing Mobile Management on an existing Symantec Management Platform server on page 37. See Installing Mobile Management on a new server on page 37.
Step 3
Post-installation, you roll out one or more site servers. See Rolling out the site server on page 39.
Step 4
To use iOS devices, you must configure the site server components and services. See Configuring the site server and enrollment settings on page 53.
Step 5
Download the Mobile Management agent. Concurrently with or after server installation, mobile device users download the Symantec Mobile Management Agent app from the application venue appropriate for their device. See Downloading and installing the Mobile Management Agent app on page 39.
Device owners use the Symantec Mobile Management Agent app to enroll their device with the Symantec Mobile Management site server. See Enrolling a mobile device on page 40.
Step 7
Manage a device
You issue a management policy to the mobile device that specifies the management profile for the device. The Agent app interprets the policy and takes any actions that the policy specifies. See Creating policies on page 93.
1. Go to http://www.symantec.com/docs/HOWTO77182 and download PrerequisiteVerification.ZIP.
2. Follow the on-screen instructions to run the checker.
3. Correct any flagged requirements or configuration upgrades.
See Basic installation workflow for Symantec Mobile Management on page 34.
1. Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).
2. On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2 SP1.
3. Accept the terms of the license agreement and click Next.
4. Follow the instructions that are provided in the wizard to complete the installation.
See Basic installation workflow for Symantec Mobile Management on page 34.
On the Software Download page for Symantec Mobile Management, click Download Now. Note: The download includes Symantec Installation Manager and Symantec Management Platform.
Follow the on-screen instructions to set up Symantec Installation Manager. At the end of the installation, check Automatically launch Symantec Installation Manager, and then click Finish. Note: If an update to Symantec Installation Manager is available, you are prompted to download and install the update.
Installing Symantec Management Platform and Symantec Mobile Management 7.2 SP1
In Symantec Installation Manager, on the Install New Products page, in the Available products list, select the following items:
Symantec Management Platform 7.1 SP2
Symantec Mobile Management 7.2 SP1
Note: To quickly locate the software, set the left filter option to Filter by Product Type and the right filter option to Filter: None and then enter mobile management into the search field.
2. Click Review selected products, verify that the correct products are selected, and then click Next.
3. On the End User License Agreement page, accept the terms of the license and click Next. Note: A 30 day trial license to enroll up to 25 devices is provided with Symantec Mobile Management. To use the trial license, skip the option to add a license. See Using the trial license on page 46.
On the Install Readiness Check page, verify that the computer meets the minimum requirements and then click Next.
The installer prompts you to configure the server and the database. For instructions to configure the components, see the Symantec Management Platform 7.1 SP2 Installation Guide at http://www.symantec.com/docs/DOC4798. After you configure the components, click Next.
6. Skip the page, Computers to Manage, and then click Begin install.
7. Wait for the installer to complete and then click Finish.
See Basic installation workflow for Symantec Mobile Management on page 34.
1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2. Under Site Server Rollout and Settings, on the toolbar, click New.
3. Enter the name and IP address of the site server computer, and then click Save changes.
See Basic installation workflow for Symantec Mobile Management on page 34.
iOS - App Store
Android - Android Market
Windows - Windows Phone Marketplace
For Android devices only, first set your device's app installation settings to Allow Installation of non Market Applications and to allow Unknown Sources. Go to the app venue for your device and download the Symantec Mobile Management Agent app. Note: Search for Symantec MGMT or Symantec Mobile Agent.
Follow the procedure for your mobile device to install the app.
See Enrolling a mobile device on page 40. See Basic installation workflow for Symantec Mobile Management on page 34.
1. On your mobile device, start the Symantec Mobile Management Agent app.
2. On the enrollment screen, provide the following information:
For Windows Phone, go to: [server]/MobileEnrollment/SYMC-WPenroll.aspx Where [server] is the name of the site server computer that you want the device to enroll with.
The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time. You can also set up DNS to allow iOS users to enter an email address instead of the URL. See Changing the enrollment URL to an email address for iOS devices on page 144. Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.
Chapter 5. First-run diagnostic check and status report
The Mobile Management Status page displays information and as appropriate, fix-links for the following components:
Mobile Management Server Status - Checks for the presence, connectivity, and general state of the main server component.
iOS Enrollment Readiness Status - Tests for APNS functionality and account information.
Android Enrollment Readiness Status - Tests for the presence of Google GCM account information.
Windows Phone Enrollment Readiness Status - Checks that all required Windows Phone enrollment components are in place and working.
Exchange ActiveSync Readiness Status - Checks that Exchange ActiveSync functionality is enabled and that the Mobile Management Server can connect to the Exchange ActiveSync interface instance.
DLP Readiness Status - Checks for proper configuration of the Data Loss Prevention components.
Chapter 6. Licensing Symantec Mobile Management 7.2
Licensing basics
Using the trial license
Using a license purchased before installing Symantec Mobile Management
Adding or updating a Symantec Mobile Management license
Licensing status summary
Licensing basics
For use beyond the trial license period, Symantec Mobile Management requires a paid license. You purchase a license based on the number of managed mobile devices. You purchase licenses from your Symantec Sales Partner or sales representative.
Note: Mobile devices or devices refers to both the physical and the emulated forms of the mobile devices that run any of the supported operating systems. The terms of the license apply equally regardless of form or operating system.
Each managed device comprises a single licensing node within the product license. When you purchase a license, you purchase licensing for a specific number of nodes. For instance, you purchase a 500-node license to manage 500 devices. For more information about licensing Symantec products, go to http://www.symantec.com/products/licensing/.
Add a license when Symantec Mobile Management is already installed
Upgrade from the Trial license
Extend an existing paid license
Add more nodes to an existing license
Note: The license file must be accessible from the computer that hosts the installation of Symantec Mobile Management.
1. Open Symantec Installation Manager. Note: Symantec Installation Manager is installed with Symantec Management Platform.
2. Click Add/Update License, and then provide the required information.
3. When prompted to install the license, click Yes.
Chapter 7. Upgrading to Symantec Mobile Management 7.2
Upgrading Symantec Mobile Management
Upgrading the Symantec Mobile Management device Agent
You upgrade Mobile Management through the Symantec Installation Manager.
1. Go to Start > All Programs > Symantec > Symantec Installation Manager.
2. On the Installed Products page, click View and install updates.
3. Select Symantec Mobile Management 7.2 SP1 and click Next.
4. On the Optional Installations page, click Next.
5. Accept the EULA and click Next.
6. On the Contact Information page, click Next.
7. Verify the installation details and click Next.
8. On the Installation Complete page, click Finish.
After you install Mobile Management 7.2 SP1, you must upgrade Mobile Management servers manually in the Symantec Management Console to complete the upgrade. Use this procedure to upgrade Symantec Mobile Management servers:
Upgrading the Mobile Management Server manually
1. In the Symantec Management Console, click Home > Mobile Management > Settings > Mobile Management Server Settings.
2. In the right pane, highlight the site server and then on the toolbar, click Upgrade.
3. Repeat Step 2 for each server.
4. Click Save changes.
For more information about upgrading the products that use the Symantec Management Platform, see Symantec Knowledge-base article HOWTO 44338, Installing an update or an additional product.
Chapter 8. Configuring Mobile Management
About configuring Mobile Management
Configuring Mobile Management
Generating and installing an Apple Push / MDM Certificate
Configuring the site server and enrollment settings
Configuring profile security settings
Configuring iOS device MDM enrollment
Adding additional configuration profiles
Adding non-approved platforms
Using Symantec Managed PKI services with Symantec Mobile Management
Configuring app compliance
Configuring device naming
Description
To manage iOS devices, you must install an MDM Certificate from Apple. See Generating and installing an Apple Push / MDM Certificate on page 53.
Step 2
(Optional) Configure the site server and enrollment settings. If you want to manage iOS devices in your environment, this step is required. See Configuring the site server and enrollment settings on page 53.
Step 3
If profile security is set up in your environment, you can complete this step. See Configuring profile security settings on page 57.
Step 4
If you set up the MDM Certificate to manage iOS devices, this step is required. See Configuring iOS device MDM enrollment on page 58.
Step 5
If you want to send configuration profiles to all iOS devices on enrollment, you can add configuration profiles during setup. See Adding additional configuration profiles on page 58.
Configuring Mobile Management Generating and installing an Apple Push / MDM Certificate
53
(Optional) Configure Google If you want to push GCM for Android devices commands to Android devices, you must set up GCM. See Setting up Google Cloud Messaging (GCM) on page 22.
1. On the console, go to Home > Mobile Management > Settings > iOS Enrollment.
2. In the right pane, under Apple Push / MDM Certificate, click Request Signed CSR File.
3. Follow the instructions that are provided at the CSR request Web site.
   Note: You are directed to upload the signed CSR to Apple. Apple sends you the certificate in a separate email.
4. After you receive the certificate from Apple, click Import to complete the installation of the certificate.
5. Click Save changes.
1. In Symantec Management Console, go to Home > Mobile Management > Settings > Mobile Management Servers.
2. In the right pane, under Mobile Management Server Rollout and Settings, on the toolbar, click New. Computers that are qualified to operate as a site server appear in a list.
3. Select the computer you want to use as a site server and then click OK.
   Note: Site server computers must have the Symantec Management Agent installed, and use Windows Server 2008 R2. For more information about the Symantec Management Agent and system requirements, see the Symantec Management Platform Installation Guide at http://www.symantec.com/docs/DOC4798.
In the left pane, select General Enrollment. In the right pane, select the options you require, as follows:
Enable Authentication Check. If you check this option, you must enter your server information. The server information is used to validate the user name and password from the agent's enrollment page. If you do not check this option, users without credentials can enroll their device and access content and information in the Mobile Management Agent.
You can also enter a list of Allowed Groups. The allowed groups are AD or LDAP groups. If you enter a list of groups in this field, only users in those groups can enroll. Enter the groups with a pipe character between them; for example, Sales|Engineering|Marketing.
Optionally add the following information:
Support Company - This information appears on the Mobile Management Agent's About page.
Support Phone - This information appears on the Mobile Management Agent's About page.
Support URL - This information appears on the Mobile Management Agent's About page.
Agent Settings allow you to set the reporting interval and policy update frequency.
If you require device owners to accept an End User License Agreement (EULA), enable Require EULA acceptance. If you check this option, any user who does not accept the EULA is not enrolled. Select the language for the EULA text, and replace the default text with your own.
If you want to track which enrolled devices are corporate and which devices are personal, enable the Corporate device option. Device owners are presented with a selection option upon enrollment, to choose Corporate or Personal. If this option is not checked, no option is presented to the device owner and no ownership distinction is made in the reports.
(Optional) To change the site server from using FQDN to an IP address, in the Site Server Rollout and Settings section select the server. Click the edit button (pencil icon). For each server connection, check Override server connection info and in the Server name override field, enter the IP address. In the Port field, enter 80 and click Save changes.
Check Manual Settings if you want to edit web.config files manually. If you check Manual Settings, the Mobile Management Server files and configuration files are not automatically updated.
Check Https to force device communication over HTTPS instead of HTTP.
It can take up to 15 minutes for the settings to be applied to the site server.
1. In Symantec Management Console, go to Home > Mobile Management > Settings > iOS Enrollment.
2. Configure the following options as needed to meet your requirements:
   Allow Jailbroken Devices. If you check this option, any device that fails the jailbreak test during enrollment is not managed. Jailbroken devices can enroll, but they cannot see content in the Mobile Library.
   Minimum OS Version. Devices with operating system versions that are earlier than the values in the fields on this page are not allowed to enroll. These fields default to the earliest OS version of each OS that is supported by Mobile Management. You can only set a single value for all devices of each operating system. Leaving the fields empty defaults the configuration to the earliest supported version of each operating system.
3. To manage and push notifications, you must install an SSL certificate from Apple. Follow the steps that are provided in the UI under Apple Push / MDM Certificate.
4. If you want to secure the management profiles that are sent to the devices, add the chain-of-trust certificate information in the following fields:
   Profile Signing Cert Thumbprint. The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
   Profile Encryption Cert Thumbprint. The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
   Device Decryption Cert Config. The credential payload that is placed on devices for decryption.
   Device Signing Validation Cert Config. The credential payload that is placed on devices to validate signing.
   Device Signing/Encryption Root Cert Config. The credential payload that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
5. Under SCEP, select the SCEP provider.
6. If you use Microsoft NDES, select Microsoft NDES and enter the requested information.
7. If you use Symantec MPKI services, select Symantec MPKI and enable Symantec MPKI integration. Enter the thumbprint and Symantec MPKI URL.
   Note: You must have a Symantec Managed PKI account to use this service. Contact your Symantec Partner or sales representative for more information.
8. Under Additional Configuration Profiles, click the yellow star and add the Root CA certificate.
9. Click Save changes.
1. In Symantec Management Console, go to Home > Mobile Management > Settings > Android Enrollment.
2. In the right pane, optionally allow devices that have been jailbroken and set the minimum OS version that is allowed.
   Note: Android version 2.2 is the earliest allowed.
Enter the Project ID and Server key you generated for use with GCM. See Setting up Google Cloud Messaging (GCM) on page 22.
1. In Symantec Management Console, go to Home > Mobile Management > Settings > WP Enrollment.
2. In the right pane, set the minimum version of Windows Phone to allow.
3. Click Save changes.
1. In the Symantec Management Console, click Home > Mobile Management.
2. In the left pane, expand Settings and click Mobile Management Server settings.
3. In the Mobile Management Server Settings pane, click Profile Security.
4. Enter one or more of any of the following settings:
   Profile Signing Cert Thumbprint - The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
   Profile Encryption Cert Thumbprint - The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
   Device Decryption Cert Config - The credential payload that contains a certificate that is placed on devices for decryption.
   Device Signing Validation Cert Config - The credential payload that contains a certificate that is placed on devices to validate signing.
   Device Signing/Encryption Root Cert Config - The credential payload that contains a root certificate that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
1. In the Symantec Management Console, click Home.
2. Expand Configuration and click iOS MDM Enrollment Configuration.
3. In the Push Certificate Subject field, enter the subject of the Apple Push Notification Service certificate that is used for MDM. For more information, see the MDM Certificate Guide for iOS.
If you use a development MDM Certificate and not a production certificate, select the Use Development APNS Server.
Warning: The state of the checkbox must match the state of the checkbox for Use Development APNS on the APNS tab of the Mobile Management server settings.
In the Cryptographic credential used for authentication field, choose the credential for Mobile Management to use for iOS device identification purposes.
Click Save changes.
See Configuring Mobile Management on page 52.
To add additional configuration profiles
1. In the Symantec Management Console, click Home > Mobile Management.
2. In the left pane, expand Settings > iOS Enrollment.
3. Under Additional Configurations, click the yellow star button.
4. In the Select Mobile Configuration window, select the configuration profile to include, and click OK.
See Creating configuration profiles on page 96.
Enter the values in Table 8-2 based on the devices you want to block. Separate the values with the pipe character. For example, iPhone1,2|iPod2,1.
Non-approved platform values
Description
First-generation iPad
Second-generation iPad WiFi
Second-generation iPad GSM
Second-generation iPad CDMA
iPhone 2G/Edge
iPhone 3G
iPhone 3Gs
iPhone 4
iPhone 4 CDMA
See Configuring the site server and enrollment settings on page 53.
1. On the console, go to Home > Mobile Management > Settings > Mobile Management Server Settings and click the Symantec MPKI tab.
2. Place a checkmark next to Enable Symantec MPKI integration.
3. Enter the Root authority certificate thumbprint for your instance of Symantec MPKI.
4. Enter the URL for the Symantec MPKI server that your account uses.
5. Click Save changes.
See Configuring Mobile Management on page 52.
1. On the console, go to Home > Mobile Management > Settings > iOS App Compliance.
2. In the right pane, click the yellow star icon and provide the following information:
   A name for the rule.
   For Package name, first select one of the logical operators and then choose the app from the dropdown list.
   For App version, first select one of the logical operators and enter the version number for the blacklisted app.
Click OK.
1. On the console, go to Home > Mobile Management > Settings > Android App Compliance.
2. In the right pane, click the yellow star icon and provide the following information:
   A name for the rule.
   For Package name, first select one of the logical operators and then choose the app from the dropdown list.
   For App version, first select one of the logical operators and enter the version number for the blacklisted app.
Click OK.
1. Go to Home > Mobile Management > Settings and choose either iOS App Compliance or Android App Compliance.
   Note: The apps you add apply only to the operating system you select in this step. Repeat this procedure for each device operating system.
2. On the toolbar, click the Import apps from devices icon (white square with a blue arrow).
3. Use the device filter to identify the device with the apps you want to import. The list of apps on the device appears in the Available items list.
4. Do one of the following:
   Click the >> button to add all of the apps to the available apps pool.
   Highlight an app and click the > button.
   Note: You remove apps from the list with the << and < buttons.
Click OK.
1. On the console, go to Home > Mobile Management > Settings, and select either iOS Device Naming or Android Device Naming.
2. In the right pane, select and order the available fields. Select a field in the Available fields box and use the > button to move it to the Selected fields box. Change the order as needed with the Move up and Move down buttons. A live sample displays how the device names appear in lists and reports.
3. For Android only, specify an email domain to include only the email accounts that use the specified domain.
4. Click Save changes.
Chapter
About using Exchange ActiveSync with Mobile Management
Setting up Exchange ActiveSync
Enabling the Exchange ActiveSync functionality
Configuring the SymantecEASService NT
Selecting the Exchange ActiveSync server
Restarting the Mobile Management Service Agent
Verifying the SymantecEASService configuration
Configuring Symantec Mobile Management to work with Exchange 2010
Impact on Exchange 2010 when Mobile Management is uninstalled
Controlling access to Exchange ActiveSync
Blocking EAS access using Exchange 2010
Blocking EAS access using F5 BIG-IP LTM
Exchange ActiveSync is a protocol that synchronizes a mobile device with Microsoft Exchange. Exchange ActiveSync enables management, role-based access policies, and viewing details on individual devices or groups. It also lets you perform a range of administrative tasks. Exchange ActiveSync supports the following device operating systems:
Apple iOS 2.x, 3.x, 4.x, 5.x, 6
Android 2.x, 3.x
Windows Mobile 6.1 and 6.5
Windows Phone 7
Palm (hpWebOS) 1.4.5
Nokia (running Mail for Exchange v3.0.50)
Exchange ActiveSync functionality varies by OS and OS version. For a listing of supported functionality by OS and version, see the Microsoft support document, Exchange ActiveSync Client Comparison Table. See Setting up Exchange ActiveSync on page 64.
Step 1
Set up an Exchange Administrator account. Microsoft requires an Exchange Administrator account to secure communications and access Exchange ActiveSync. For more information and to sign up for an account, visit the following URL: http://technet.microsoft.com/en-us/exchange/default.aspx
Step 2
The Exchange ActiveSync functionality is not set up by default. You need to enable the Exchange ActiveSync functionality in the Symantec Management Console. See Enabling the Exchange ActiveSync functionality on page 66.
Step 3
For Mobile Management to communicate with Exchange ActiveSync, you need to configure the SymantecEASService NT. See Configuring the SymantecEASService NT on page 67.
Step 4
Set access rights for the Exchange Administrator account. See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Step 5
See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Step 6
Set up the Exchange Administrator account as a member of the local IIS_WPG group in Windows Server 2003 (IIS6) or as a member of the IIS_IUSRS group in Windows Server 2008 (IIS7). See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Step 7
Set up the Exchange Administrator account read and write access rights. See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
If you use Exchange ActiveSync 2010, the Exchange ActiveSync Inventory and Service Policy Web Service must have domain admin privileges.
Step 8
(Optional) Give the Exchange ActiveSync Inventory and Service Policy Web Service domain admin privileges.
Step 9
See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Step 10
In the Symantec Management Console, select the server on which you want Exchange ActiveSync to be installed. See Selecting the Exchange ActiveSync server on page 67.
Step 11
Restart the Mobile Management Service Agent to refresh the settings. See Restarting the Mobile Management Service Agent on page 68.
Step 12
After the Exchange ActiveSync setup is complete, you should verify that the SymantecEASService configuration and the EAS folders' security permissions are correct. See Verifying the SymantecEASService configuration on page 68.
See About using Exchange ActiveSync with Mobile Management on page 63.
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Exchange ActiveSync, and then click EAS Settings.
3. In the right pane, check Enable Exchange ActiveSync Functionality.
4. Select the Mobile Management Server that runs the Exchange ActiveSync Interface.
5. If you want to use Exchange 2010 rules to control access to Exchange ActiveSync, enable the Exchange ActiveSync Access option.
Click Save changes.
1. On the Start menu, click Administrative Tools > Services.
2. Right-click SymantecEASService, and click Properties.
3. In the Properties dialog box, click the Log On tab.
4. Click This Account and click Browse to navigate to your Exchange Administrator account.
5. Click the Exchange Administrator account and enter the account password.
6. Click Apply.
7. (Optional) If a dialog box is displayed, click OK to allow the account to log on as a service.
8. Click OK.
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Settings, and then click Exchange ActiveSync.
3. Under Exchange ActiveSync, check Enable Exchange ActiveSync functionality.
4. Select the Mobile Management Server that runs the Exchange ActiveSync Interface.
5. Click Save changes.
1. On the Start menu, click Administrative Tools > Services.
2. In the Services dialog box, click Symantec Mobile Management Service Agent.
3. Click Restart the service.
4. (Optional) On the toolbar, click Action > Refresh to see the current status of the SymantecEASService.
1. On the Start menu, click Administrative Tools > Event Viewer.
2. In the Event Viewer window, click Application.
3. In the right pane, click AthenaEASService.
Depending on the results of the setup and configuration, you see the following entries in the event log for the AthenaEASService source:
Service successfully transmitted a total of (6) ActiveSync device partnerships is displayed - The SymantecEASService configuration is correct.
An error message is displayed - The SymantecEASService configuration is not correct. The EAS folders' security permissions are not correct.
1. On the Exchange server, make sure that Basic Authentication is enabled on the PowerShell virtual directory.
2. On the Mobile Management server, open the following two files in a text editor:
Edit the following settings in both files and make sure that the values in both files are identical:
If you use Exchange 2010, Office 365, or BPOS, make sure that the value equals True.
Change this value to be the FQDN of the Exchange, Office 365, or BPOS server that Mobile Management interfaces with for Exchange communication. The server must resolve through the specified FQDN.
The value must be the URL for the PowerShell component of the Exchange server. "serializationLevel=Full" may not be required in some installations, but is recommended. Test the URL from a browser to be sure it can be reached, and if prompted for authentication, put in valid credentials. A blank page is returned regardless, as no commands are submitted.
This value can be either True or False. If False, the IIS certificate on the Exchange server must trust the Mobile Management server. If True, any IIS certificate warning is ignored.
These values must be the valid credentials that are provided to the Exchange server to access Exchange content. These values must be displayed in plain text, which requires that the Symantec Mobile Management server is secure. Make sure that permissions are set for the EAS folder to prevent viewing. If you do not want to insert the passwords in plain text, make the following changes:
Change the logon account for the service "SymantecEASService" and the Application pool identity for "SymantecEASAppPool" to an Administrator account.
Leave the user name and password values in the configuration files empty.
See Configuring a Symantec Mobile Management iOS profile for Office 365 on page 146.
Exchange 2010 Allow/Block/Quarantine (ABQ) rules.
Integration with an F5 BIG-IP LTM server that is configured with Exchange blocking rules.
Note: Due to operating system limitations, EAS blocking applies only to iOS and Android devices.
You use Exchange 2010
That you have configured an Exchange group that contains the mobile devices that are authorized to access Exchange ActiveSync.
1. On the console, go to Home > Mobile Management > Exchange ActiveSync > EAS Settings.
2. In the right pane under Exchange ActiveSync, select Enable Exchange ActiveSync functionality.
3. Enable the use of Exchange 2010 access rules.
4. Select the Authorized Devices that are allowed to connect to Exchange ActiveSync.
5. Optionally, allow the system to notify the user by email when their account is quarantined.
   Note: You can customize the email message for quarantined devices. See the Microsoft article Customize E-mails for Blocked or Quarantined Devices at http://help.outlook.com/en-us/140/gg316698.aspx
See Configuring Symantec Mobile Management to work with Exchange 2010 on page 69. See Configuring a Symantec Mobile Management iOS profile for Office 365 on page 146.
Have already established the Exchange virtual server in BIG-IP.
Have configured a target group for your allowed devices in Symantec Mobile Management.
In Symantec Mobile Management, create a new iOS EAS account that points to the BIG IP Exchange virtual server instance (as referenced in 1.1). See Configuring iOS devices to access EAS through F5 BIG-IP
Similarly for Android, create a new Touchdown EAS account that points to the BIG IP Exchange virtual server. See Configuring Android devices to access EAS through F5 BIG-IP Note: Some EAS limitations exist for Android devices. For details,
In Symantec Mobile Management EAS settings, add the BIG IP Exchange virtual server (as referenced in 1.1). Select the Approved Devices list as referenced in 1.2. You optionally identify the email app(s) to allow.
When you click Save changes, Mobile Management creates a BIG-IP iRule and sends it up to BIG IP.
When a new device enrolls, Mobile Management sends the management policy to the device. In turn, the device sends its Device ID back to SMM.
On a scheduled basis, SMM checks the list of approved devices as selected in Step 4. Device IDs are sent to BIG IP to inform it of the devices that are allowed.
Allowed devices can retrieve email and disallowed devices are blocked. Optionally, blocked devices receive a quarantine message.
Note: The Symantec Mobile Management rules are processed first, and BIG IP iRules are processed second. You may need to reconcile the two sets of rules if they conflict. Refer to your BIG IP documentation for instructions to edit BIG IP iRules.
Configuring iOS devices to access EAS through F5 Big-IP
1. On the console, go to Home > Mobile Management > Device Management > Configuration Editor > iOS Configuration and select EAS.
2. In the right pane, click the Add icon (yellow star).
3. Enter a name and description for the account.
4. In the Exchange ActiveSync Host field, enter the FQDN for your F5 BIG-IP Exchange virtual server.
5. Enter the domain for the account.
6. Leave the User, Email Address, and Password fields blank.
7. Set the Past Days of Mail to Sync to Unlimited.
8. Leave Identity Certificate blank.
1. On the console, go to Home > Mobile Management > Device Management > Configuration Editor > Android Configuration and select Touchdown Account.
2. In the right pane, click the Add icon (yellow star).
3. Enter a name and description for the account.
4. In the Exchange ActiveSync Host field, enter the FQDN for your F5 BIG-IP Exchange virtual server.
5. Enter the domain for the account.
6. Leave the User, Email Address, and Password fields blank.
7. If your server uses a self-signed trust certificate, you can elect to use the server's certificate, and skip the certificate check routine. Place a checkmark in the box to use this option.
8. Optionally, enter the Authentication Credential Name for a trust certificate from a Certificate Authority.
9. Click Save changes.
That you have at least one instance of F5 BIG-IP LTM configured with blocking rules and available within your network.
That you have one or more virtual servers configured in F5 BIG-IP LTM to handle Exchange ActiveSync traffic.
On the console, go to Home > Mobile Management > Exchange ActiveSync > EAS settings.
In the right pane under F5 Exchange Blocking, select Use F5 rules to block communication from unauthorized devices.
Select the Authorized Devices that are allowed to connect to Exchange ActiveSync.
Optionally, allow only approved email apps. Enter the name of the email apps, separating multiple apps with a comma.
On the toolbar, click the Add icon.
Provide the F5 Server information, and enable or disable the options Use HTTPS, and Allow untrusted SSL certificates. Note: Secure communication is enabled by default.
Click the Add icon to select the virtual servers that handle Microsoft Exchange ActiveSync traffic through F5. Note: You receive an error message if an F5 server cannot be reached.
Click OK.
Chapter
10
Setting up Data Loss Prevention for iOS on the Mobile Management server
This chapter includes the following topics:
About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
Configuring Mobile Management to use DLP
Creating VPN credentials
Configuring VPN for DLP
Configuring the VPN assignment for DLP
Configuring the DLP settings
Configuring remediation rules
Setting the resource target
About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
DLP provides mechanisms to help prevent the loss of business information by accidental or intentional distribution to unauthorized parties. Remote agents receive a policy that uses VPN on Demand to route traffic from remote devices through VPN to a DLP server.
Note: The DLP and VPN on Demand functionality for this version of Symantec Mobile Management Server applies to iPads only.
Step 1
DLP requires a chain of trust between all active components and the VPN. You generate the appropriate credentials that are required for the VPN. See Creating VPN credentials on page 78.
Step 2
Configure VPN. You configure the VPN to allow the DLP functionality. See Configuring VPN for DLP on page 79.
Step 3
Configure the VPN assignment. You configure a DLP VPN assignment policy to distribute the DLP VPN functionality. See Configuring the VPN assignment for DLP on page 80.
Step 4
You enable DLP functionality in the Mobile Management console. See Configuring the DLP settings on page 81.
Step 5
Configure Remediation Rules. You configure the remediation rules that determine the actions taken to remediate a non-compliant remote device. See Configuring remediation rules on page 81.
Step 6
You select the managed remote devices to receive the DLP VPN assignment. See Setting the resource target on page 82.
This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server. Before you begin, be sure you have the following files and information:
An identity certificate for the device, for VPN access (.P12 or .PFX file).
The password to access the identity certificate, if needed.
One or more .CER files for certificate authority. These must be DER encoded (not base64).
The URL or IP address of the VPN server.
The account name for the device.
1. Open the Symantec Management console and click Home > Configuration > iOS Configuration Editor.
2. In iOS Configuration Profiles, select Credentials.
3. Add the device identity certificate and the other intermediate and root certificates individually. Click the yellow star to add each new certificate.
4. For each credential, select the certificate file, enter a name, a description, and if required, the password to open the identity certificate.
5. Enter the required information and then click Save Changes.
Note: If you use a proxy server to mediate VPN traffic in your network, the VPN proxy requires a trust certificate for the Mobile Management Server. When the Mobile Management Server certificates are issued by an internal or intermediate certificate authority, you must install the certificate chain and root certificate on the VPN proxy server.
1. On the Symantec Management console, click Home > Configuration > iOS Configuration Editor.
2. In iOS Configuration Profiles, select VPN.
3. Click the yellow star to add a new VPN configuration.
4. Make the following settings:
   Enter a name for the VPN configuration.
   Enter a description for the configuration.
   Select a connection type. For example, Cisco (IPsec).
   Enter the URL or IP address for the DLP server (ex: vpn.fordlp.com).
   Enter an account name (ex: dlpvpn1).
   For Machine authentication, select Certificate.
   In the Identity Certificate field, select the identity certificate that was installed earlier.
   Leave Include User Pin unchecked.
   Check Enable VPN on demand.
   In the Matching domain/host field, use the + sign to add new entries for each of the letters a - z and each of the numbers 0 - 9 (for a total of 36 new entries).
   Leave Proxy as None.
1. On the Symantec Management console, click DLP > DLP VPN Assignment Policy.
2. Expand the Policy Rules/Actions section of the page.
3. Place checkmarks next to each profile setting you want to use.
4. Under Configuration settings, click the yellow star to add a new configuration.
5. Select the configuration settings you want to add. You generally add a VPN configuration, the credential certificate for the VPN connection type, and a root certificate for the VPN server. You may require other settings depending upon your particular implementation.
6. Make sure that the DLP assignment state is set to ON.
7. Click Save changes.
1. On the Symantec Management console, click DLP > DLP settings, and then place a check in the Enable DLP checkbox.
2. Enter the values for each of the DLP settings.
   Note: Compliance Check Frequency, Notification Grace Period, and Report Frequency are expressed in seconds.
Under VPN Profile Settings, enter the required information. Note: The VPN Configuration Name must be a previously defined, valid VPN payload.
1. On the Mobile Management console Settings tab, click All Settings.
2. In the left pane, click Monitoring and Alerting > Alert Rule Settings.
3. In the right pane, on the Task Rules tab. The default task is Unmanage Device Task (DLP Breach). Add any other rules as desired.
Click Add existing, and add the jobs to which the rule applies.
Note: Select Resources must be used to determine the target resources for which the task applies.
1. On the Mobile Management console, click DLP > DLP VPN Assignment Policy.
2. Expand the Applied To section of the page.
3. Set the View menu to Targets.
4. Click on Apply to and then select the agents to receive the VPN assignment.
5. Click Save changes.
Chapter 11
Network connection to domain controller: Mobile Management uses the standard LDAP protocol on port 389. If Mobile Management is set to encrypt authentication (Mobile Management > General Settings > General Enrollment > Enable Authentication > Encrypt authentication check using SSL), LDAP traffic passes on port 636.
Permissions required on domain controller: The users in the Domain User group with read permissions can enroll to the Mobile Management Server. Users in the Roles > Active Directory Domain Services > Active Directory Users and Computers > yourdomain.com > User folder will have default permissions to access the LDAP services.
Users with revoked read permissions will fail authentication when a domain setting with Allowed groups functionality is enabled.
Configuring multiple domain Active Directory / LDAP authentication Configuring multi-domain Active Directory / LDAP authentication
The Mobile Management Server administrator must specify admin credentials in the Mobile Management Server General Settings > General Enrollment > Enable Authentication > Add/Edit Authentication Server Settings dialog. The authentication service uses the admin credentials to validate the user
Query executed against domain: The query used to retrieve the user information has the format:
"(&(objectCategory=person)(SAMAccountName={account name}))"
Objects required to execute the query: The objects under CN=Users,DC=[userdomain],DC=com must be accessible in the domain. The object can be a person or a group. The following attributes are used:
User Object          Description
distinguishedName    Must be accessible.
memberOf             Must be accessible if Allowed groups must be verified
primaryGroupID       Must be accessible if Allowed groups must be verified
objectSID            Must be accessible if Allowed groups must be verified
Group Object         Description
distinguishedName    Must be accessible.
memberOf             Must be accessible if Allowed groups must be verified
Container for authentication groups: The container must be CN=Users, under the organization's root. For instance, CN=Users,DC=Yourdomain,DC=com
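Added example (not Symantec's code): one way a client could fill the query format above with an escaped account name and evaluate Allowed groups from the attributes listed. It assumes the standard Active Directory convention that a user's primary group is not listed in memberOf and is found by combining the domain part of objectSID with primaryGroupID; the guide does not say how the product itself uses these attributes, and all function names and directory data here are constructed.

```python
# Added example, not product code. Directory contents below are constructed.

# RFC 4515: characters that must be written as \XX inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def build_user_filter(account_name):
    """Fill the {account name} slot of the guide's query with an escaped value."""
    safe = "".join(FILTER_ESCAPES.get(ch, ch) for ch in account_name)
    return "(&(objectCategory=person)(SAMAccountName=%s))" % safe


def sid_to_string(raw):
    """Decode a binary objectSID into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[i:i + 4], "little") for i in range(8, len(raw), 4)]
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


def primary_group_sid(user_sid, primary_group_id):
    """Primary group SID: the user's SID with its last RID replaced by primaryGroupID."""
    return "%s-%d" % (sid_to_string(user_sid).rsplit("-", 1)[0], primary_group_id)


def effective_groups(user, groups):
    """Lower-cased DNs of every group the user is in: memberOf, primary group, parents."""
    by_dn = {dn.lower(): attrs for dn, attrs in groups.items()}
    pg_sid = primary_group_sid(user["objectSID"], user["primaryGroupID"])
    pending = list(user.get("memberOf", []))
    pending += [dn for dn, attrs in groups.items()
                if sid_to_string(attrs["objectSID"]) == pg_sid]
    seen = set()
    while pending:
        dn = pending.pop().lower()
        if dn in seen:  # guards against circular group nesting
            continue
        seen.add(dn)
        pending.extend(by_dn.get(dn, {}).get("memberOf", []))
    return seen


def is_allowed(user, allowed_groups_field, groups, container):
    """True if the user is in any group named in the comma-separated Allowed Groups value."""
    names = [n.strip() for n in allowed_groups_field.split(",") if n.strip()]
    wanted = {("CN=%s,%s" % (n, container)).lower() for n in names}
    return bool(wanted & effective_groups(user, groups))


# --- constructed sample data (hypothetical domain, groups and RIDs) ---
CONTAINER = "CN=Users,DC=Yourdomain,DC=com"
DOMAIN_SUBS = [21, 1111111111, 2222222222, 3333333333]


def make_sid(rid):
    """Build a binary SID in the sample domain: revision 1, authority 5 (NT)."""
    subs = DOMAIN_SUBS + [rid]
    body = b"".join(s.to_bytes(4, "little") for s in subs)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + body


GROUPS = {
    "CN=Domain Users," + CONTAINER: {
        "objectSID": make_sid(513),
        "memberOf": ["CN=MobileUsers," + CONTAINER],
    },
    "CN=MobileUsers," + CONTAINER: {"objectSID": make_sid(1201), "memberOf": []},
    "CN=Sales," + CONTAINER: {"objectSID": make_sid(1202), "memberOf": []},
}
# This user has an empty memberOf: membership comes only through the primary group.
USER = {"objectSID": make_sid(1105), "primaryGroupID": 513, "memberOf": []}

if __name__ == "__main__":
    print(build_user_filter("ops(team)*"))
    print(primary_group_sid(USER["objectSID"], USER["primaryGroupID"]))
    print(is_allowed(USER, "Sales,MobileUsers", GROUPS, CONTAINER))
```

The sample user is accepted only because the primary group is resolved and its own memberOf is followed, which is why read access to primaryGroupID, objectSID and the group's memberOf matters when Allowed groups is in use.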
configure Mobile Management. You can use Microsoft Active Directory, ADAM, or other LDAP servers to provide the authentication credentials.
To configure multiple domains
1. On the console, go to Home > Mobile Management > Settings > General Enrollment and in the Authentication Settings, select Enable authentication check. Optionally, elect to encrypt the authentication check.
2. On the toolbar, click the Add icon (blue plus-mark).
3. Enter the requested information:
   Domain: The name of the domain in which the authentication resides.
   AD/LDAP Server: The IP or host name of the server to authenticate against.
   Allowed Groups: The group or groups that authenticate against the selected server. Separate each group with a comma (no white space required).
   Note: Do not add individual device owners in this field.
4. Click Verify to verify the network connection to the AD/LDAP server. If the test fails, make sure that the server is online and available from the Symantec Mobile Management server.
   Note: Port 389 is the default port for LDAP. Port 636 is the default port for secure LDAP.
5. Repeat the process to add additional domains.
   Note: You can only add one authentication server per domain.
Chapter 12
Configuring Mobile Management to require SSL
That all site servers and Notification Servers have SSL certificates installed and enabled in their IIS bindings.
That for each server, the subject of each certificate matches the fully-qualified domain name that is used to communicate with that server.
That all devices can connect to and trust the IIS SSL certificate that is installed on the site-server(s).
That the Symantec Management Platform is set up to use SSL for communication. See the Symantec Knowledge Base Article, Configuring the Symantec Management Platform to use SSL.
That all Symantec Management Agents are installed using HTTPS and that they can access the Symantec Management Platform Notification Server using HTTPS. See the Symantec Knowledge Base Article, Configuring Notification Server to use SSL.
That all communication between Notification Servers and Symantec Mobile Management Server is set to use HTTPS. If necessary, force server communications to use HTTPS.
To force server communication to use HTTPS
1. Go to Home > Mobile Management > Mobile Management Servers Settings > Site Server > Notification Server-Mobile Management Server Communication override menu.
2. Enable the Use HTTPS option.
3. Click Save Changes.
That all device-to-Mobile Management Server communications are set to use HTTPS. You can force the use of HTTPS between mobile devices and the Mobile Management Server:
To force device-to-server communication to use HTTPS
1. Go to Home > Mobile Management > Notification Server Settings menu.
2. Enable the Use HTTPS option.
3. Click Save changes.
1. Go to Home > Mobile Management > Mobile Management Server Settings > Site Server > Notification Server.
2. Enter the Notification Server-to-Site Server FQDN in the text box.
3. Enter the SSL port for your environment.
4. Place a checkmark in the Require SSL checkbox.
5. Click Save changes.
6. On the site server, restart the Symantec Mobile Management Agent service.
The Symantec Mobile Management server agent reconfigures the site server to require SSL on the default Web site.
Section
Chapter 13. Using actions, policies, and configuration profiles
Chapter 14. Using inventory data, reports, and the event log
Chapter 15. Remotely managing devices
Chapter 16. Managing the Mobile Library
Chapter 13
About actions
Performing actions on mobile devices
About policies
Creating policies
Assigning policies
Supported policies for specific devices
About configuration profiles on iOS devices
Devices that support configuration profiles
Setting up configuration profiles for iOS devices
Creating configuration profiles
Adding configuration profiles to a policy
Assigning configuration profile policies
About available configuration profile settings for iOS devices
About AutoLock settings on iOS devices
About actions
Actions are the features available for devices based on the solutions that are installed in your environment. Depending on the device, the actions that are listed are different. Actions are available for all the devices in your environment. See Performing actions on mobile devices on page 92.
1. In the Symantec Management Console, on the Manage menu, click Mobile > Devices.
2. On the Mobile page, under Name, right-click the device name, and then click Resource Manager.
3. On the Resource Manager page, choose the actions for the mobile device.
About policies
Policies are collections of settings that Exchange ActiveSync enforces to ensure that devices are in compliance. Policies can include password, sync, and device settings. They can also include instructions to uninstall, install, or upgrade applications. Policies are distributed and assigned through Exchange ActiveSync. Because of the way Microsoft licenses Exchange ActiveSync, each device manufacturer can choose what policy functionalities their devices support. It means that three devices with the same operating system could work completely differently even if they have the same policies assigned to them. Symantec recommends testing the devices in your environment to see how they react to the policies. See Creating policies on page 93. See Assigning policies on page 93. See Supported policies for specific devices on page 94. See About configuration profiles on iOS devices on page 95.
Creating policies
This section explains how to create policies. Policies are collections of settings that Exchange ActiveSync enforces to ensure that devices are in compliance. Policies can include password, sync, and device settings. They can also include instructions to uninstall, install, or upgrade applications. See About policies on page 92. See Assigning policies on page 93. See Supported policies for specific devices on page 94.
To create a new policy for mobile devices
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Exchange ActiveSync, and click Manage policies....
3. In the EAS Policy Editor window, click the Create New Policy icon (yellow star).
4. In the Explorer User Prompt dialog box, enter the name of the policy, and click OK.
5. In the right pane, configure the options and settings for the policy.
6. Click Save changes.
Assigning policies
Policies are assigned through Exchange ActiveSync. In the Symantec Management Console, you assign policies by device. However, the policy is assigned to the mailbox that is associated with the device. If there are multiple devices associated with the mailbox, all of the devices receive the policy that you assigned. For more information, see the topics on assigning policies and targets in the Symantec Management Platform Help. See About policies on page 92. See Creating policies on page 93. See Supported policies for specific devices on page 94.
To assign a policy
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Exchange ActiveSync, and click Assign Policy to devices.
3. In the Assign EAS Policy window, in the left pane, click the policy that you want to assign to the devices. In the right pane, under Applied To, specify to which devices you want to apply the policy, and then click Save Changes. The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
4. On the upper right corner of the page, click the colored circle and then click On to turn on the policy.
5. Click Save Changes.
Note: When you assign the Mobile Management Service Install (x86) policy, you must first have added a Mobile Management Server. If you have not added a Mobile Management Server, no computers are listed for this policy. To add a Mobile Management Server, navigate to the Mobile Management Server. Once servers are added on the page they show up in the policy.
Supported version
Minimum iOS version
4.1
Models supported
3G 3GS 4 4S 5
iPod Touch
4.1
Models supported
All models
Step     Description
Step 1   Create a configuration profile that contains the settings of your choice. See Creating configuration profiles on page 96.
Step 2   When you have created the configuration profile, you need to add it to a policy. See Adding configuration profiles to a policy on page 101.
Step 3   Apply the policy to the devices you want to target. See Assigning configuration profile policies on page 102.
This task is a step in the process for setting up configuration profiles for iOS and Android devices. See Setting up configuration profiles for iOS devices on page 96.
To create a configuration profile for iOS devices
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Configuration Editor.
3. In the right pane, expand iOS Configuration page, and in the left sub-pane click the type of payload that you want to add to the configuration profile.
4. In the right pane, click the yellow star button to create a new payload and then specify the payload options. Be aware of the following:
   You must enter a value in the Host field for every payload.
   Some of the payload settings include specific values you should enter. Table 13-3 provides usage notes for the payloads.
   For more details about the payload settings, see the Apple Support article Payload settings reference at help.apple.com/configurator/mac/1.0/#cad5370d89.
CalDAV
LDAP
This payload adds LDAPv3 connection settings for automating account and contact look-up. If Account Username is left blank, the validated user name is substituted.
Passcode
This payload is used to set the passcode when Exchange is not used.
SCEP
Subscribed Calendars
Wi-Fi
Provisioning Profile
Application Lock
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Configuration Editor.
3. In the right pane, expand Android Configuration page, and in the left sub-pane click the type of payload that you want to add to the configuration profile.
4. In the right pane, click the yellow star button to create a new payload and then specify the payload options.
5. Click Save Changes.
Device Options
See About policies on page 92. See Adding additional configuration profiles on page 58.
To add configuration profiles to a policy
1. In the Symantec Management Console, on the Manage menu, click Policies.
2. Expand Policies > Mobile Management, and right-click Mobile Configuration Policies.
3. Click New > Mobile Device Configuration Policy.
4. In the right pane, click the New Mobile Device Configuration Policy title, and then enter a name for your configuration profile policy. If you want to rename the policy, either do it before you edit the policy or after you have saved it. If you edit the policy and then change the name before you save it, your settings and edits are lost.
5. Under Profile settings, specify the settings. You can sign and encrypt profiles and allow end users to remove the profiles that are included in the policy. This removal can be done without having to remove the full MDM profile. You can also specify whether a password is required for user removal of the policy set. These settings are applied to all of the profiles that are included in this policy.
6. Under Configuration settings, click the yellow star button.
7. In the Symantec Management Console dialog box, select the preconfigured profiles that you want to add to the policy, and then click OK.
8. Click Save Changes.
1. In the Symantec Management Console, on the Manage menu, click Policies.
2. Expand Policies > Mobile Management > Mobile Configuration Policies.
3. Click the policy that you want to assign.
4. Under Applied To, specify to which devices you want to apply the policy, and then click Ok. Note: You may have to scroll the page down to see this section. The set policy is automatically applied to all new devices that match the settings you specify by using Filters and Groups or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify which devices are targeted.
5. On the upper right corner of the page, click the colored circle and then click On to turn on the policy. When the policy is turned on, it is delivered to the devices.
6. Click Save Changes.
Credentials
Passcode
You can add the user's email address in two different formats in the Symantec Management Console. In the Apple Configuration Utility only one format is accepted. This profile is removed in the Symantec Management Console.
Unless the configuration profile sends down the strictest AutoLock setting, the user of the device can reset the AutoLock setting to a stricter setting. The following chart shows the relationship between possible AutoLock settings and how they are interpreted on different iOS devices:
Table 13-6
AutoLock setting    Result on iPad
1 minute            2 minutes
2 minutes           2 minutes
3 minutes           2 minutes
4 minutes           2 minutes
5 minutes           5 minutes
10 minutes          10 minutes
15 minutes          15 minutes
--                  Never
See About available configuration profile settings for iOS devices on page 103.
Chapter 14
About inventory data
Viewing inventory data
Setting the inventory schedule for Windows Mobile devices
Setting the inventory schedule for iOS devices
About reports
Running reports
Available reports by device
About event logs
Viewing the event log
See Setting the inventory schedule for iOS devices on page 109. See Viewing inventory data on page 108. For more information, view topics on inventory in the Symantec Management Platform Help.
1. In the Symantec Management Console, on the Manage menu, click Mobile > Devices.
2. On the Mobile page, under Name, right-click the device name, and then click Resource Manager.
3. On the Resource Manager page, on the View menu, click Inventory.
4. In the center pane, expand Data Classes > Inventory > Mobile Inventory, and click the inventory that you want to view. You can also switch between the Current and History tabs in the right pane to view current and past inventory data.
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, expand Settings > Mobile Management > Mobile Agent Settings.
3. Click Inventory Schedule.
4. In the right pane, specify the Sample schedule information:
   Number of units.
   Type of unit. Either hours or days.
   Hour and minutes.
The Sample schedule specifies when data is collected from a mobile device.
Number of units.
Type of unit. Either hours or days.
Hours and minutes.
The Transmit schedule specifies when the collected data is sent to the Mobile Management server and then to Symantec Management Platform.
Specify the Heartbeat schedule in minutes. The Heartbeat schedule specifies when the device sends a short message to the Mobile Management server to let it know that it is still connected.
By default, the inventory data that the Mobile Management Agent collects is transmitted once a day. You can change this iOS agent inventory transmit schedule. The Mobile Management Agent collects the following inventories:
Mobile_Certificate_iOS
Mobile_Device_iOS_MDM
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Settings.
3. Click Mobile Management Servers.
4. In the right pane, under Agent, set the Report Frequency (seconds). Note: The minimum reporting frequency is 600 seconds.
About reports
Mobile Management lets you run reports on all of the devices in your environment. In the Symantec Management Console, you can choose from a list of pre-made reports that collect and provide data from the devices in your environment in real time. The reports can contain summary information, such as lists of devices by manufacturer, platform, or operating system. The reports can also list the devices that are running out of memory or battery power. Most of the reports contain customizable parameters. These parameters may include options such as whether you want the latest information or information from the last report that was saved. In some reports, you can also enter the timeframe from which the information is collected. See Running reports on page 111. See Available reports by device on page 111.
Running reports
Most of the reports contain customizable parameters. These parameters may include options such as whether you want the latest information or information from the last report that was saved. In some reports, you can also enter the timeframe from which the information is collected. See About reports on page 110. See Available reports by device on page 111.
To run reports
1. In the Symantec Management Console, on the Reports menu, click All Reports.
2. In the left pane, expand Reports > Mobile Management.
3. Click one of the standard reports that are listed. After the report runs, the data appears in the right pane.
Devices with Low Program Memory
Devices with Outdated Inventory
Jailbroken iOS Devices
Mobile Device Summary
Remote Management Activity Audit
Remote Management Usage Summary By Action
Remote Management Usage Summary By Device
Software Compliance Remediation Summary
Software Compliance Status

Devices with Low Program Memory
Devices with Outdated Inventory
Mobile Device Summary
Remote Management Activity Audit
Remote Management Usage Summary By Action
Remote Management Usage Summary By Device
Software Compliance Remediation Summary
Software Compliance Status
Exchange ActiveSync Devices with Pending Wipe Non-Synced Exchange ActiveSync Devices Wiped Exchange ActiveSync Devices
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Overviews and Reports, and click All other reports....
3. In the left pane, select Devices by Platform and Operating System.
4. Under Device Platform, right-click the device name, and then click Resource Manager.
5. On the Resource Manager page, on the View menu, click Events.
6. Expand Data Classes > Mobile Events > Inventory, and then click Mobile_Log.
Chapter 15
About remotely managing devices
Creating remote settings for devices
Starting a remote session with a device
Remote options for Windows Mobile devices
Remote options for BlackBerry devices
Function key mapping during remote sessions with Windows Mobile devices
Function key mapping during remote sessions with BlackBerry devices
Options for remotely wiping devices
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Configuration, and then click Remote Control settings.
3. (Windows Mobile only) On the Remote Control Policy page, under Remote Control Session Settings, choose one of the following options for the Request behavior:
   Always allow Remote Control request
   Prompt user to allow Remote Control request
   Always deny Remote Control request
4. (Windows Mobile only) Choose one of the following options for the Control behavior:
   Always allow keyboard and mouse interaction
   Prompt user to allow keyboard and mouse interaction
   Always deny keyboard and mouse interaction
5. Select a color depth for the remote session. The larger color depths can negatively affect your network load. You can select either 2-bit, 4-bit, 8-bit, or 16-bit color depth. If you use a wide-area device, we recommend that you use the 4-bit option. However, you can experiment and see what setting works best in your environment.
6. Select the size scale for the session. You can select either the same size (1x) or twice the size (2x).
1. In the Symantec Management Console, on the Actions menu, click Mobile > Remote Management.
2. On the Remote Management page, click the mobile device to which you want to connect.
3. Click Connect.
in the right pane. The information might take a few seconds to load because it is collected in real time. See Starting a remote session with a device on page 117.
Table 15-1
Option
Device name
Remote Control
Identification      Lists the identifying information for the device. For example, the name, ID, and OEM ID of the device.
Operating System    Lists the information about the operating system that is currently running on the device. For example, the type, ID, and version number of the platform that is on the device.
Processor           Lists the information about the processor on the device. For example, the architecture, core, clock speed, and name of the processor on the device.
Power               Lists the information about the battery and the power for the device. For example, the voltage, temperature, and chemistry of the battery in the device.
Memory              Lists the information about the memory for the device. For example, the percentage load, total and available physical and virtual memory, and storage memory for the device.
Display             Lists the horizontal and the vertical resolution and the display colors of the device.
Processes           Lists the information about the processes that are running on the device. For example, the name and ID of the process, the thread count, and the CPU time for each process.
Adapters
Connections
IP Routing Table
ARP Table
TCP/IP Statistics
Wi-Fi Applications
Program Files
File Explorer
Note: When you use File Explorer, only upload one file at a time.
Registry Explorer: Lets you manipulate the registry entries on the device. You can search for a specific string in the node that is currently highlighted.
Remote Control
Identification      Lists the identifying information for the device. For example, the name, ID, and OEM ID of the device.
Operating System    Lists the information about the operating system that is currently running on the device. For example, the type, ID, and version number of the platform that is on the device.
Power               Lists the information about the battery and the power for the device. For example, the voltage, temperature, and chemistry of the battery in the device.
Memory              Lists the information about the memory for the device. For example, the percentage load, total and available physical and virtual memory, and storage memory for the device.
Display             Lists the horizontal and the vertical resolution and the display colors of the device.
CDMA
WLAN
Applications
Modules
Function key mapping during remote sessions with Windows Mobile devices
To remotely control the devices that do not have a touch screen, you can use your computer keyboard to perform remote actions on the device. However, the effect that each function key has on the mobile device may be different than the effect that it usually has on your computer. See Starting a remote session with a device on page 117.
Table 15-3 Function key mapping during remote sessions with Windows Mobile devices
Remote control action on device
Navigate to the left, right, up, or down.
Backspace.
Open the menu.
End.
Run the action.
Go back.
Use the soft key 1 (left).
Use the soft key 2 (right).
Talk.
End, or lock.
Mute the sound volume.
Decrease the sound volume.
Use the dial pad * symbol, or increase the sound volume.
Navigation click, or use the Dial pad # symbol.
Create voice notes or record audio.
Open the symbol list.
Send.
Use the left convenience key.
Use the right convenience key.
Table 15-4 Function key mapping during remote sessions with BlackBerry devices (continued)
Remote control action on device
Open the menu.
Go back.
Send.
End.
Lock.
Mute the sound volume.
Decrease the sound volume.
Increase the sound volume.
Navigation click.
Use the left convenience key.
Use the right convenience key.
Delete Partnership
This action can be performed through Exchange ActiveSync. It removes the device's partnership in Exchange. The device can reestablish the partnership in Exchange by attempting to sync and thus reenable the trust connection between the server and the device. To remove the device's partnership so that it cannot reestablish it, you must complete this action and remove the partnership on the device. See Creating policies on page 93.
Clear Wipe
This action can be performed through Exchange ActiveSync. It lets you cancel the Wipe Device action. See Creating policies on page 93.
Selective wipe
This action lets you selectively wipe devices by deleting or turning off individual policies. If you delete or turn off an individual policy, the policy privileges are revoked. See Creating policies on page 93.
Chapter 16
About the Mobile Library
Setting up Mobile Library feeds
Creating Mobile Library feeds
Adding items to Mobile Library feeds
Targeting a Mobile Library feed
Publishing an existing feed or item
Delivering apps to iOS devices
Applications    Commercial and in-house applications
Documents       Documents, PDFs, presentations, and spreadsheets
Media           YouTube video links, Web links, MP4 videos, images, graphics, MP3s, podcasts, and eBooks
Mobile Library content can be hosted on public application stores, Web sites, or private servers. The Mobile Library is delivered to the Mobile Management Agent as a set of RSS feeds. All feeds that match the Mobile Management Agent language selection on the device are delivered to the device. These feeds provide organizations with employees in multiple countries or with multiple languages the content that is tailored to the language preference of the users. If there are multiple feeds for a language, all of the feeds are delivered to the device. If items in feeds are changed, the Mobile Management Agent updates the content in the Mobile Library. The items in the feeds are available on the device even when the device is offline. The device to which you deliver the content determines the file size that is allowed.
Warning: Due to Apple restrictions, any applications that are installed from the Mobile Library on iOS devices are not remotely removable. Applications can only be removed by the end user. Also, any files that are sent to a device through the Mobile Library that are opened and saved in another application are not remotely removable.
Step     Description
Step 1   Create a Mobile Library feed that will contain the items you want to send to the devices. See Creating Mobile Library feeds on page 128.
Step 2   Add the items of your choice to the feed. See Adding items to Mobile Library feeds on page 129.
All feeds that match the Mobile Management Agent language selection on the device are delivered to the device. These feeds provide organizations with employees in multiple countries or with multiple languages the content that is tailored to the language preference of the users. If there are multiple feeds for a language, all of the feeds are delivered to the device. If items in feeds are changed, the Mobile Management Agent updates the content in the Mobile Library. The items in the feeds are available on the device even when the device is offline.
To create a Mobile Library feed
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Mobile Library Editor.
3. On the Mobile Library Editor page, click Feeds.
4. On the Feeds page, click New Feed.
5. In the Create New Feed dialog box, specify the information. If you do not have a feed for every language, you can check Feed Is Language Default. The feed that has this checked is delivered to any devices whose set language does not have a corresponding feed. Check Feed Is Published if you want to publish the feed. If the feed is not published, it is not sent to the devices. If you want to configure the feed and add items to it before it is published, you may choose not to publish the feed immediately. See Publishing an existing feed or item on page 131.
6. Click OK.
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Mobile Library Editor.
3. On the Mobile Library page, click Items.
4. Under Items, select the feed to which you want to add items from the drop-down menu.
5. Click New Item.
6. In the Create New Feed Item dialog box, specify the information and upload the files.
   Note: Files in items can be up to 25 MB.
   Check Item Is Published if you want to publish the item in the feed. If the item is not published, it is not sent to the devices. If you want to configure the item before it is published, you may choose not to publish the item immediately. See Publishing an existing feed or item on page 131.
   Note: Under Platform Type, unsupported platforms are listed. You must choose a supported device platform to deliver your item to the Mobile Library. See Mobile Management requirements on page 199.
   Item Priority is used to sort the items in the feed on the agent. The following are the different options for the Item Priority:
   Optional - The lowest priority items. Items appear toward the bottom of the list.
   Recommended - Medium priority items. Items are displayed in the middle of the list.
   Required - The highest priority items. Items are displayed at the top of the list. Required items also have a pop-up warning that appears to the user, informing them that there is a required item available. This warning appears even if the agent is in the background.
   Only upload one file per document item.
   When you select an application item, set the Item Type to Commercial or In-house.
   If you want to add a commercial application, you need to add the link to the application's App Store page in the field labeled Item Link. The App Store link is found on the application's App Store page.
   Warning: Do not edit the Item Link field when you create a commercial application. If you do so, the user who attempts to download the application item receives multiple error messages.
   If you want to add an in-house iOS application, you must upload the .ipa, the .plist, and all image files that are referenced in the .plist. These files must be selected and uploaded in the following order: Image files, .ipa file, .plist file. The .plist and the .ipa files are generated after you archive the agent framework in Xcode and go through the sharing wizard. The Mobile Management server modifies the .plist file so that the file links automatically point to the application files on the Mobile Management server. Before saving the item in the library, you must upload the .ipa, the .plist, and the image files.
   For library items to appear with a custom icon, you must upload a .png file that is 57x57 pixels. Otherwise, a generic icon appears next to the item.
7. Click OK.
1. On the console, go to Manage > Mobile Management > Mobile Configuration Policy and click New Mobile Device Configuration Policy.
2. In the right pane, under Feed Settings, click the yellow star icon on the toolbar.
3. In the Select Mobile Library Feed dialog, select the desired feed and then click OK.
4. Under Applied To, select the resources that receive the new feed.
5. Click Save changes.
1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Configuration, and then click Mobile Library Editor.
3. On the Mobile Library page, click the Feeds or Items tab.
4. On the Feeds or Items tab, select the green edit icon next to the feed or item you want to edit.
5. In the Edit Feed or Edit Item window, select Feed Is Published or Item is Published.
6. Click OK.
Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
Optional apps are those that are possibly interesting to some device owners.
Additionally, you can manage the apps that you build in-house and commercial apps. The following workflows provide a high-level overview of the processes for managing applications on iOS devices.
Sending in-house apps to iOS devices
1. Create a new mobile library item that specifies the in-house iOS app. See Creating Mobile Library feeds on page 128.
2. Attach the in-house app .IPA, .PLIST, and icon (image) files as feed items. See Creating Items for iOS in-house applications on page 135.
3. Target the new feed to desired iOS devices. See Targeting a Mobile Library feed on page 131.
4. Enrolled iOS devices check in and download the new feed containing the app files.
5. The device displays a notification to the device owner that the app is available for installation.
1. Go to the App Store and retrieve the URL for the free app.
2. Create a new mobile library feed and add the app ID to the new feed. See Adding items to Mobile Library feeds on page 129.
3. Target the new feed to desired devices. See Targeting a Mobile Library feed on page 131.
4. Device checks in and gets feed with app ID.
5. User is prompted to install.
6. User installs the app.
1. Purchase Volume Purchase Program codes from Apple. For more information about Volume Purchase Program codes, see the Apple Web page, http://www.apple.com/business/vpp/.
2. Get the app ID for the purchased app from the App Store.
3. Create a new mobile library feed and add the app ID and VPP code to the new feed. See Creating Items for iOS commercial applications on page 136.
4. Target the new feed to desired devices. See Targeting a Mobile Library feed on page 131.
5. Device checks in and gets feed with App ID and VPP code for the app.
6. User is prompted to install the app.
7. User installs the app.
Volume Purchase Program codes are purchased from Apple. Apple sends a VPP file (.xls) to the email address you specify when you register and purchase VPP codes.
Go into the Mobile Library and import the VPP file. See Creating Items for iOS commercial applications on page 136.
Verify that the expected number of codes are imported. See Delivering apps to iOS devices on page 132.
1. Beyond uploading the VPP codes for a specific app, no further action is required.
2. The VPP code is automatically associated with the mobile device upon app installation by the device owner.
   Note: The count of available VPP codes decrements by one each time the VPP-enabled app is associated with a device.
The code remains with the device owner even when the app is deleted. If the device owner downloads and installs the app again, the previous code remains in effect.
Reclaiming the codes that are delivered to an iOS device but are not required
A VPP code is always sent with a commercial app even though the app may not require one. For these apps, the code is used to complete the installation process, but is then returned to the VPP code pool. Codes are recycled in three cases:
The device owner installs an app with a VPP code on a second device.
The app is installed, uninstalled, and then reinstalled.
The app is previously purchased and installed.
1. Go to Device details page or the iOS VPP App Codes report, and locate the device from which the app is to be removed.
2. Right-click on chosen device and select Remove App.
3. The app is removed.
   Note: Only managed apps can be removed with this method. The device owner must remove the apps that are not managed. The device owner can always remove any app, including apps that are set to Required.
1. Go to Reports tab > Mobile Management > New > iOS Volume Purchase Program Apps.
2. The report shows the apps, associated code and its status, the name of each device, and the code issuance dates.
1. Go to Home > Mobile Management > Device Management > Mobile Library Editor.
2. In the Mobile Library Editor, create a new Feed.
3. Select the Feed from the list.
4. Click the Items tab, then click New Item.
Enter the following information:
   Item Name- name for the Item, which is required to save the Item and information. A maximum of 10 characters are allowed for the name.
   Item Version- version number for the Item.
   Item Author- name of the person who created the Item.
   Item Description- description of the Item.
   Item Category- select Application.
   Item Type- select In-house.
   Platform Type- select iOS (iPhone/iPad/iPod Touch).
   Platform Min Version- enter the minimum iOS device operating system version that is required. Leave this entry blank if you do not want to specify a minimum version.
Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
Optional apps are those that are possibly interesting to some device owners.
iOS in-house applications require an iPhone Application Archive file (App (.ipa)), Portable Network Graphics file (Icon (.png)), and a Property List file (Settings (.plist)). The next three steps illustrate the process.
Note: Make sure that no spaces precede the .plist file name and make sure that the application has not expired before you upload the Item.
7. Click Select Files, locate the App (.ipa) file, then click Upload Files.
8. Click Select Files, locate the Icon (.png) file, then click Upload Files. The maximum PNG size is 59 x 60 pixels. After you upload the files, the Item Icon (PNG) field is automatically populated with the Icon (.png) file path.
9. Click Select Files, locate the Settings (.plist) file, and then click Upload Files.
   Item Is Featured- select to place an indicator on the Item to highlight it when the Item is viewed in the Mobile Library on the device.
   Item Is Published- select to publish the Item so that it can be viewed in the Mobile Library on the iOS device.
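The pre-upload checks named in this procedure (every file the .plist references is present, files are within 25 MB, no space precedes the .plist name, the Item Name fits, the app has not expired) can be run before the files reach the console. The following is an added example, not Symantec's code: it assumes the Xcode-generated .plist uses the usual items > assets > kind/url manifest layout, and it reads "expired" as the ExpirationDate of the provisioning profile embedded in the .ipa. The function names, file names and host are hypothetical, and the sample upload set is constructed.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse
from xml.parsers.expat import ExpatError

MAX_FILE_BYTES = 25 * 1024 * 1024  # "Files in items can be up to 25 MB"
MAX_NAME_CHARS = 10                # Item Name limit given in the procedure
BAD_INPUT = (plistlib.InvalidFileException, ExpatError, zipfile.BadZipFile,
             KeyError, TypeError, AttributeError)


def manifest_assets(plist_bytes):
    """Return (kind, file name) for each asset the manifest .plist references."""
    manifest = plistlib.loads(plist_bytes)
    return [(asset["kind"], PurePosixPath(unquote(urlparse(asset["url"]).path)).name)
            for item in manifest["items"] for asset in item["assets"]]


def provisioning_expiry(ipa_bytes):
    """Return ExpirationDate from Payload/<name>.app/embedded.mobileprovision.

    The profile is a signed blob that wraps an XML plist. The plist is cut
    out by its markers; the signature is NOT verified here.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for member in ipa.namelist():
            parts = PurePosixPath(member).parts
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                blob = ipa.read(member)
                start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
                if start == -1 or end < start:
                    return None
                profile = plistlib.loads(blob[start:end + len(b"</plist>")])
                return profile.get("ExpirationDate")
    return None


def check_inhouse_item(item_name, files, now=None):
    """Return findings for an in-house item; files maps file name -> bytes."""
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    if len(item_name) > MAX_NAME_CHARS:
        findings.append(f"item name is longer than {MAX_NAME_CHARS} characters")
    findings += [f"{name}: larger than 25 MB"
                 for name, data in files.items() if len(data) > MAX_FILE_BYTES]
    plists = [name for name in files if name.strip().lower().endswith(".plist")]
    if len(plists) != 1:
        return findings + ["expected exactly one .plist in the upload set"]
    if plists[0] != plists[0].lstrip():
        findings.append("a space precedes the .plist file name")
    try:
        assets = manifest_assets(files[plists[0]])
    except BAD_INPUT:
        return findings + ["the .plist is not a readable manifest"]
    ipas = [name for kind, name in assets if kind == "software-package"]
    if len(ipas) != 1:
        findings.append("manifest should reference exactly one software-package")
    for kind, name in assets:
        if name not in files:
            findings.append(f"{kind} '{name}' is referenced by the manifest "
                            "but not in the upload set")
    for name in ipas:
        if name not in files:
            continue
        try:
            expiry = provisioning_expiry(files[name])
        except BAD_INPUT:
            expiry = None
        if not isinstance(expiry, datetime):
            findings.append(f"{name}: no readable provisioning profile")
        elif expiry <= now:
            findings.append(f"{name}: provisioning profile expired {expiry:%Y-%m-%d}")
    return findings


def constructed_upload_set(expires):
    """Constructed sample (not real app data): icon, .ipa and manifest bytes."""
    profile = (b"constructed-signature-wrapper"
               + plistlib.dumps({"ExpirationDate": expires}) + b"trailer")
    ipa = io.BytesIO()
    with zipfile.ZipFile(ipa, "w") as archive:
        archive.writestr("Payload/Agent.app/embedded.mobileprovision", profile)
    base = "https://build.example.test/ota/"  # placeholder host
    manifest = plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": base + "Agent.ipa"},
                   {"kind": "display-image", "url": base + "icon.png"}],
        "metadata": {"kind": "software", "title": "Agent"}}]})
    return {"icon.png": b"\x89PNG constructed", "Agent.ipa": ipa.getvalue(),
            "Agent.plist": manifest}


if __name__ == "__main__":
    print(check_inhouse_item("Agent", constructed_upload_set(datetime(2020, 1, 1))))
```

An empty list means the upload set passed every check. The profile date is read without verifying the profile's signature, so treat it as a hygiene check rather than proof of provenance.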
1. Go to Home > Mobile Management > Device Management > Mobile Library Editor.
2. In the Mobile Library Editor, create a new Feed.
3. Select the Feed from the list.
4. Click the Items tab, then click New Item > New Commercial iOS App and enter the iTunes Store Link to the app, and then click OK.
5. In the Item Priority field, select either Required, Recommended, or Optional.
   Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
   Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
   Optional apps are those that are possibly interesting to some device owners.
6. For VPP paid apps, click Select Files, locate the VPP (.xls) file, then click Upload Files.
7. Make the following selections:
   Item Is Featured- select to place an indicator on the Item to highlight it when the Item is viewed in the Mobile Library on the device.
   Item Is Published- select to publish the Item so that it can be viewed in the Mobile Library on the iOS device.
Chapter 17. Setting up the Mobile Management Agent application on iOS devices
About the Mobile Management Agent application on iOS devices
Setting up the Mobile Management Agent application on iOS devices
Enrolling iOS devices
Changing the enrollment URL to an email address for iOS devices
Creating and enabling the End User License Agreement for iOS devices
About the differences between the app store and the in-house Mobile Management Agent applications
Configuring a Symantec Mobile Management iOS profile for Office 365
the mobile devices communicate with the Mobile Management server and Symantec Management Platform. The agent also enables you to use Mobile Management to do the following:
Automatically configure the device's access to corporate email and VPN.
Publish a set of recommended applications, files, and links through the Mobile Library to the device.
Automatically apply a set of policies to the device, such as security and passcode policies.
Perform remote actions such as remote wipe, remote lock, and passcode reset.
Get centralized reporting on the device.
Configure and implement data-loss prevention (DLP) on iPads.
See Setting up the Mobile Management Agent application on iOS devices on page 142.
See Changing the enrollment URL to an email address for iOS devices on page 144.
See Creating and enabling the End User License Agreement for iOS devices on page 145.
See About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server on page 77.
Step 1
You can have users download the Mobile Management Agent from the Apple App Store. See Downloading and installing the Mobile Management Agent app on page 39.
You can create the Mobile Management Agent application for internal deployment and upload it to an internal site for download. After you have created the agent and uploaded it, users can browse to the internal Web site and download and install the agent. See About the differences between the app store and the in-house Mobile Management Agent applications on page 145. See Creating the in-house Mobile Management Agent application on page 208.
Step 2
After users have downloaded and installed the agent, they need to enroll their device. After the Mobile Management Agent is installed on an iOS device, you must enroll it with a Mobile Management server. See Enrolling iOS devices on page 143.
Enrolling iOS devices
1. Tap the Mobile Management Agent iOS application on the iOS device to start it.
2. On the enrollment screen, provide the following information:
   URL: http://<Site Server Name or Address>/MobileEnrollment/Symc-IOSEnroll.aspx
   See Changing the enrollment URL to an email address for iOS devices on page 144.
   Name: Your domain user name.
   Password: Your domain password.
   Note: Name and password may not be required if authentication is disabled.
3. On the License screen, click Yes. See Creating and enabling the End User License Agreement for iOS devices on page 145.
4. Complete the enrollment wizard to enroll your device.
   When you enroll an agent that was downloaded from an internal Web site, you are directed back to the browser after enrollment is complete. To return to the Mobile Management Agent, close the browser and re-open the application.
Changing the enrollment URL to an email address for iOS devices
1. Log in to your domain controller and run DNS.
2. In DNS, navigate to the domain folder.
3. Right-click the folder, and then click Other New Records....
4. In the Resource record type window, select Text (TXT) and then click Create Record....
5. In the New Resource Record window, leave Record name blank. Enter the following value in Text:, and then click OK:
   OSIAGENTREGURL=http://<your-site-server-IP-or-Servername>/MobileEnrollment/Symc-IOSEnroll.ASPX
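Once the record is published, the TXT strings at the domain can be audited for the mistakes this step invites: a line wrap copied into the value, the placeholder left in place, a wrong path, or more than one OSIAGENTREGURL entry next to unrelated TXT data. The following is an added example, not part of the product or the original guide; the function name and the sample records are constructed, and the input is the list of TXT strings you have already retrieved with your own DNS tooling. It also reports an http scheme, because the enrollment screen asks for the domain user name and password; whether your site server accepts HTTPS is outside what this page states.

```python
from urllib.parse import urlsplit

KEY = "OSIAGENTREGURL"                                 # key name from step 5
ENROLL_PATH = "/mobileenrollment/symc-iosenroll.aspx"  # path from step 5, lower-cased


def audit_enrollment_txt(txt_strings):
    """Audit TXT strings published at the domain (Record name left blank).

    Returns (url or None, findings). Unrelated TXT data at the same name,
    such as SPF, is ignored.
    """
    values = [s.strip()[len(KEY) + 1:] for s in txt_strings
              if s.strip().upper().startswith(KEY + "=")]
    if not values:
        return None, ["no OSIAGENTREGURL record is published"]
    findings = []
    if len(set(values)) > 1:
        findings.append("conflicting OSIAGENTREGURL records are published")
    url = values[0]
    if any(ch.isspace() for ch in url):
        findings.append("whitespace inside the URL (line wrap copied into the record)")
    if "<" in url or ">" in url:
        findings.append("placeholder was not replaced with the site server name")
    parts = urlsplit("".join(url.split()))
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append("URL scheme is neither http nor https")
    elif scheme == "http":
        findings.append("http scheme: enrollment name and password are sent in cleartext")
    if not parts.hostname:
        findings.append("URL has no host")
    if parts.path.lower() != ENROLL_PATH:
        findings.append("path is not /MobileEnrollment/Symc-IOSEnroll.aspx")
    return url, findings


# Constructed sample: an SPF string plus a value pasted with the line wrap kept.
CONSTRUCTED_RECORDS = [
    "v=spf1 -all",
    "OSIAGENTREGURL=http://mdm.example.test /MobileEnrollment/Symc-IOSEnroll.ASPX",
]

if __name__ == "__main__":
    for finding in audit_enrollment_txt(CONSTRUCTED_RECORDS)[1]:
        print(finding)
```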
Creating and enabling the End User License Agreement for iOS devices
You can require users to accept an End User License Agreement (EULA) when they enroll the Mobile Management Agent on their iOS device. The EULA is specific to your company and can be created according to your needs. See About the Mobile Management Agent application on iOS devices on page 141.
To create and enable the EULA for iOS devices
1. In the Symantec Management Console, go to Home > Mobile Management > Settings > General Enrollment Settings.
2. In the right pane under Agent EULA, check Require EULA acceptance.
3. Select the language for the EULA.
4. Enter the text for the EULA.
5. Click Save changes.
About the differences between the app store and the in-house Mobile Management Agent applications
The most notable difference between the app store and in-house versions of the Mobile Management Agent application is the presence of the Applications tab. On the app store version of the Mobile Management Agent application, there is no applications tab. Any applications that are delivered to the device appear in the updates tab. These applications remain in the updates tab until a new item is delivered to the updates tab.
Configuring a Symantec Mobile Management iOS profile for Office 365
1. Go to Home > Mobile Management > Device Management > Configuration Editor > iOS Configuration.
2. Select EAS and then click the Add icon (yellow star).
3. Name the payload and provide a description if desired.
4. Set the server to m.outlook.com.
5. Optionally elect to use SSL, but leave the Domain, User, Email Address, and Password fields blank.
6. Save the payload and then apply it to a device policy.
When the device owner enrolls with the Office 365 policy, the owner uses their Office 365 email address. Once the device is enrolled, the policy is delivered to the device and the owner is prompted to provide their Office 365 password. The device communicates with the Office 365 server to receive the server name for the email account. Office 365 uses two modes: "Shared" mode and "Dedicated" mode. Because the Dedicated mode is specific to each instance of Office 365, only the Shared mode has been tested. For Dedicated-mode instances, the following PowerShell cmdlets are required:
See Configuring Symantec Mobile Management to work with Exchange 2010 on page 69.
Chapter 18. Using TouchDown with Symantec Mobile Management
Configuring Symantec Mobile Management for TouchDown
Assigning the TouchDown policy
TouchDown account payload settings
TouchDown policy payload settings
TouchDown user payload settings
Configure TouchDown account settings. See Configuring Symantec Mobile Management for TouchDown on page 151.
Configure TouchDown policy settings. See Configuring Symantec Mobile Management for TouchDown on page 151.
Configure TouchDown user settings. See Configuring Symantec Mobile Management for TouchDown on page 151.
Assign the TouchDown policy to the devices. See Assigning the TouchDown policy on page 153.
Configuring Symantec Mobile Management for TouchDown
Use the following procedures to configure each of the three groups of settings:
To configure TouchDown account settings
1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown Account.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.
   See TouchDown account payload settings on page 153 for details about the information you enter in this panel.
1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown Policy.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.
5. See TouchDown policy payload settings on page 154 for details about the information you enter in this panel.
6. Click Save changes.
1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown User Settings.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.
5. See TouchDown user payload settings on page 158 for details about the information you enter in this panel.
6. Click Save changes.
Assigning the TouchDown policy
1. On the Management Console, go to Home > Mobile Management > Device Management > Go to policy management ...
2. In the left pane, select New Mobile Device Configuration Policy.
3. In the right pane, under Configuration Settings, click the yellow star icon to open a new Configuration Settings panel.
4. Select the TouchDown policy and click OK.
5. Expand the Applied To section.
6. Do one of the following:
   To apply the policy to a group, on the tool bar, click Apply to > Quick Apply, and either enter the name of the group or select a group from the pull-down list. Click Apply to complete the policy assignment.
   Note: Groups must be previously defined in the Symantec Management Platform. See the Symantec Management Platform documentation for information and instructions to create groups.
   To apply the policy to an individual device, on the tool bar, click Apply to > Mobile devices. On the Select resources panel, click Update results to display all of the enrolled devices. Alternatively, you can click Add rule to add a rule to filter the list of devices. Click OK to finish the policy assignment.
TouchDown account payload settings
Description- information about the TouchDown Account payload settings.
Exchange ActiveSync Host- Microsoft Exchange server name.
Domain- account domain.
User- account user name. Note: Leave this setting blank for generic Exchange ActiveSync profiles.
Email Address- account email address.
Password- account password.
Get Server Certificate- for self-signed servers, select this setting to obtain the server certificate from the server and bypass the server certificate check.
Authentication Credential Name
Note: Click the plus button to select a certificate, the minus button to remove a certificate, and Certificate Details to view the certificate.
TouchDown policy payload settings
EnableDevicePassword- select to enable a password on the device.
Password Complexity- PIN or password set on the Android device. Select an option from the drop-down list:
   Unspecified- no password complexity is required.
   Something- a PIN or password is required.
   Alphanumeric- an alphanumeric password is required.
   Complex- a complex password is required.
Minimum number of complex characters- enable a minimum number of non-alphanumeric characters for a password.
Auto-Lock (in seconds)- time period in seconds before a device automatically locks.
Maximum number of failed attempts- number of password entries before a device is wiped.
Minimum Passcode Length- minimum amount of characters for passcode.
Maximum passcode age- number of days until a password expires.
Passcode history- (Android 3.0 and higher devices) number of unique passwords before a password can be reused.
Disable Easy PIN recovery- select to disable resetting a PIN using the Exchange account password.
Security Features
Require encryption
Require manual synching when roaming
Disable database backup
Disable email widget
Disable calendar widget
Disable task widget
Disable universal widget
Hide widget data when locked
Allow HTML email- selected (enabled) by default.
Disable user from changing email signature
Disable ability to copy contacts to the device phone book
Disable user ability to copy from or paste to an email
Disable Notifications for email data
Allow Attachments
Maximum Attachment Size- maximum size in kilobytes (KB) allowed for email attachments.
Past Email Filter- time period for past email to synchronize.
Maximum Email Body Size- maximum size in kilobytes (KB) allowed for email content (body).
Select Phone Book Fields- open to select the phone book fields to synchronize.
Set Signature- open to access the TouchDown Signature Editor.
App
Prevent TouchDown from displaying select options- specifies fields to not show to users in the TouchDown application. Click Set Suppressions to configure which fields are suppressed.
TouchDown License Key- enter a valid TouchDown license key to automatically install TouchDown on the device without user intervention.
Disable TouchDown PIN prompt- when launching TouchDown, disable prompting for a PIN by TouchDown even if Exchange prompts for a PIN. By default, when Exchange is set to prompt for a PIN, TouchDown also prompts for a PIN. Use this option to override the default behavior.
TouchDown user payload settings
Past Calendar Filter- maximum range of past events to sync- time period for past events to synchronize. Select an option from the drop-down list:
   Unlimited- sync all past events.
   1 Month- sync 1 month of past events.
   3 Months- sync 3 months of past events.
   6 Months- sync 6 months of past events.
Hide all calendar information on the Notifications bar- select to hide all calendar information from displaying in the Android device notifications bar.
Honor user setting to disable Background settings
Display tasks on home screen and the task widget as viewed in TouchDown task screen.
Defer batch updates with server (selected by default).
Security Features
Remove any attachments TouchDown has downloaded to the SD card
Require manual sync when roaming
Notify on new email (selected by default).
Notify appointment reminders (selected by default).
Whether to update contact information from the server
How much past email to sync
Display tab- configure how email is displayed on the device. This tab includes:
   Email summary display option
   Whether to display the sender in larger, bold text.
   Auto-filter search content when typing
   Unread mail highlighting
Security tab- configure the security options that are available to the user. This tab includes:
   Auto-download images of HTML ActiveSync email (selected by default).
   Allow user to move email to non-synched folder (selected by default).
   Enable preview (selected by default).
   Confirm deletion (selected by default).
   Maximum email body size (in KB)
TouchDown App
Set Suppressions- click to select which device options are not displayed by TouchDown.
View Email on Startup- select to view the user's email list when TouchDown starts.
Chapter 19. Common Android management tasks
Locking a lost or stolen Android device
Removing policies and resetting the Agent on an Android device
Wiping the data from a lost or stolen Android device.
Clearing and setting passcodes on Android devices
Updating policies on Android devices
Retrieving the inventory from Android devices
Viewing Android device information
Locking a lost or stolen Android device
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to lock and from the menu, select Android Management > Lock Device.
4. On the Lock Device panel, click OK.
Removing policies and resetting the Agent on an Android device
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to lock and from the menu, select Android Management > Remove MDM and Reset Agent.
4. Click OK.
Wiping the data from a lost or stolen Android device
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to wipe and from the menu, select Android Management > Wipe Device.
4. Click OK.
Clearing and setting passcodes on Android devices
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to either clear or reset the passcode on and click Android Management > Wipe Device.
4. To clear the passcode, select Clear Passcode and then click OK.
5. To set a new passcode, select Set Passcode. Enter the new passcode and then click OK.
Updating policies on Android devices
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to update.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to update the policies on and click Android Management > Update Policies.
4. Click OK.
Retrieving the inventory from Android devices
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device from which you want to retrieve the inventory and click Android Management > Send Inventory.
4. Click OK.
Viewing Android device information
1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device from which you want to retrieve the inventory and click Android Security > View Device Information.
4. Click OK.
Chapter 20. Setting up the Mobile Management Agent on Windows Mobile devices
About the Mobile Management Agent on Windows Mobile devices
Setting up the Mobile Management Agent on Windows Mobile devices
Setting the Mobile Management Agent configuration schedule for Windows mobile devices
To configure the device's access to corporate email and VPN.
To apply a set of policies to the device, such as security and passcode policies.
To perform remote actions such as remote wipe, remote lock, and passcode reset.
To get centralized reporting on the device.
See Setting up the Mobile Management Agent on Windows Mobile devices on page 172.
See Setting the Mobile Management Agent configuration schedule for Windows mobile devices on page 173.
1. On the Internet, go to http://<MobileManagementServer>/mobilemanagement to access the local site server Web page.
   Your Mobile Agent download URL can be found in the Symantec Management Platform. On the Home menu, click Mobile Management. Expand Configuration and then click Agent installation. On the Mobile Agent Install page, the Mobile Agent download URL is listed.
2. Enter the credentials, if required.
3. Click Open to download the locatesiteserver.cab file.
4. Complete the rest of the installation process.
Setting the Mobile Management Agent configuration schedule for Windows mobile devices
You can choose how often agent configuration updates are requested on Windows Mobile devices. By default, agent configuration update requests occur every hour. To change the agent configuration schedule for mobile devices
1 2 3 4
In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, expand Settings > Mobile Management > Mobile Agent Settings. Click Agent Configuration Update Schedule. In the right pane, specify the configuration schedule information:
Chapter 21
About software management on Windows Mobile devices
Creating software packages for Windows Mobile devices
Delivering software packages to Windows Mobile devices
Configuring the software maintenance windows
Software package actions
Software package health actions
Sample AppUpdate runtime substitution tokens
Managing software on Windows Mobile devices Creating software packages for Windows Mobile devices
See Creating software packages for Windows Mobile devices on page 176. See Delivering software packages to Windows Mobile devices on page 177.
1 In the Symantec Management Console, on the Manage menu, click Mobile > Software.
2 In the left pane, expand Software > Mobile Software.
3 Right-click the Mobile Software folder and then click New > Mobile Software.
4 In the right pane, click the New Mobile Software title and enter a name for your software package.
5 On the Properties tab, enter the version of the software.
6 Choose the priority.
Automatic - The software automatically installs and no user intervention is required. Use this option most of the time.
Manual - The mobile device user must run the software update manually (using AppUpdate) on the device.
7 Choose the company and the software product. Click Browse to find existing companies or software products or click New to add a new company or software product.
8 On the Package tab, click Add package to add software to the package. You can add packages or edit the actions on each package from the Package tab.
9 In the Add or Edit Package dialog box on the Details page, specify the details of your package. The Name field is the only one that is required.
10 Click Add and browse to the file you want to include in your package.
11 On the Package Server tab, specify the Package Destination Location. In the Assign package to menu, select a server. Click OK to add the software to the package.
12 On the Actions tab, click Auto Generate to automatically create the steps for downloading and installing the files in each of the packages.
On the Actions tab, you can choose the actions to perform on software resources and the order in which the actions are performed. See Software package actions on page 179. Click the Add New Action symbol to select other actions to perform on software resources. You can use the AppUpdate runtime substitution tokens when you define the actions. See Sample AppUpdate runtime substitution tokens on page 196. You can click the Edit symbol and select an action to edit a current action.
The Health tab lets you choose the data that is checked to ensure that the software installs correctly. You can add your own metrics and choose from the File Hash, Version, or Size statistics. See Software package health actions on page 193.
For more information, view topics on policies and schedules in the Symantec Management Platform Help.
To deliver software to mobile devices
1 In the Symantec Management Console, on the Manage menu, click Policies.
2 In the left pane, expand Policies > Mobile Management.
3 Right-click the Software Management folder.
4 Click New > Mobile Device Software Delivery.
5 In the right pane, click the New Mobile Device Software Delivery title and enter a name for your software delivery policy.
6 Click Select Software in the right pane.
7 On the Select Software page, select the package that you want to include in your policy.
8 Click the appropriate arrow icons to move your selections to the Selected software box.
9 Click OK.
10 Click the down arrow next to Applied To.
11 Select Resources to choose the devices to which to deliver the software and click OK. The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
12 At the upper right corner of the page, click the colored circle, and then click On to turn on the policy.
13 Click Save changes to deliver your software packages to the selected devices.
1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, expand Mobile Management > Mobile Software Maintenance Windows.
3 Right-click the Mobile Software Maintenance Windows folder.
4 Click New > Mobile Maintenance Window.
5 In the right pane, click the New Mobile Maintenance Window title and enter a name for your software maintenance window.
6 Configure your software maintenance window.
7 Click the down arrow next to Applied To. The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
8 At the upper right corner of the page, click the colored circle, and then click On to turn on the policy.
9 Click Apply to apply your software maintenance window to the selected devices.
Download Actions Settings
Source - contains the Web server directory path and file name of the file to be downloaded to the device if required by versioning.
Target - {DeviceFileName} data type. Text value that specifies the Web server directory path and file name of the file to be downloaded to the device if versioning indicates it is required. This string can contain any device subdirectories prefixing the file name. Note that the AppUpdate Runtime Substitution Token values can be used within the value to define target subdirectories for target files. See Sample AppUpdate runtime substitution tokens on page 196.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Install Action Settings
The following parameters specify the name of the installable file:
Command - {command value} data type. Optional text value that specifies an installation command.
File - {localfilename} data type. Text value which specifies a file name of an installable file residing on the device. Installable files include CAB files, ActiveX DLL files, REG import files, CPF files in OMA format and other XML formats which follow install file guidelines.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Name - {applicationname} data type. Text that specifies the name of an application that is installed on a device. The application name can be located by navigating on the device to Start > Settings > System > Remove Programs. Any applications appearing in the list can be specified for Uninstall.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Process>WarmBoot
Specifies an Install Action that soft/warm resets the device when all actions for the specified package are completed (not at the time the WarmBoot Action is encountered or after the last action of all packages). The WarmBoot Install Action does not require parameters.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

To customize the warm boot logic, place a custom executable (which must be named warmboot.exe) in the same directory as the AppUpdate executable. When the file warmboot.exe is found it is executed instead of the default warm boot Install Action.
Run Action Settings
This command execution is specified by the following:
Command - {Commandline} data type. Text value that specifies a directory path and file name on the device of the file to be run and any command line arguments to modify the run. Embedded blanks are allowed and double quotes are not required in the program path to enclose directories with embedded blanks. Command line arguments with embedded blanks should be tested as shortcuts before using here. Note that the AppUpdate Runtime Substitution Token values can be used within a value to define subdirectories for executable files and command line arguments as needed. See Sample AppUpdate runtime substitution tokens on page 196.
Timeout - {Timeout value} data type. Integer value that specifies how long the device should wait when it executes the Run Action before it continues to process. The following are the allowable values:
{value less than zero, ex. -1} - (default) specifies that device processing waits indefinitely for the action to finish before it continues with subsequent steps.
{"0"} - Device processing does not wait for the action to finish before it continues with subsequent steps.
{value greater than zero, ex. 10} - device processing waits (value that is specified in milliseconds) for the action to finish before it continues with subsequent steps.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
Process>Terminate
Specifies an Install Action that terminates a module process running on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.
Note that the Terminate Install Action issues an error return code if the process to be terminated was not running at the time the call was made. Changing the default Critical continue only on success Action Setting to Critical continue allows subsequent Install Action processing to continue if the Install Action cannot install a specified file or stop a process that is not running.

Terminate Action Settings
The name of the process(es), specified by the following:
Modules - {ModuleName} data type. Text value that specifies an executable name (cmd.exe) or wildcard inclusion of multiple executable names running on the device (ex c*.* or * for all processes).

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
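
The interaction between the Terminate error return code and the three Actions Settings, modelled as an added Python example (it is not Symantec or AppUpdate code). The Device and Step classes, the agent.exe and agent.cab names, and the use of fnmatch for the Modules wildcard are assumptions made for the illustration.

```python
"""Model of package action sequencing under the three Actions Settings."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set, Tuple

# The three Actions Settings, named as in the tables above.
ON_SUCCESS = "Critical, continue only on success"  # the documented default
ALWAYS = "Critical, continue"
ON_ERROR = "Critical, continue only on error"


@dataclass
class Device:
    """Constructed stand-in for a device: running modules, installed files."""
    running: Set[str]
    installed: List[str] = field(default_factory=list)


@dataclass
class Step:
    name: str
    action: Callable[[Device], bool]  # returns True on success
    setting: str = ON_SUCCESS


def terminate(modules: str) -> Callable[[Device], bool]:
    """Terminate action; `modules` is an executable name or a wildcard."""
    def run(device: Device) -> bool:
        # Assumption: wildcard matching is approximated with fnmatch,
        # compared case-insensitively.
        hits = {p for p in device.running
                if fnmatchcase(p.lower(), modules.lower())}
        device.running.difference_update(hits)
        # Documented behaviour: an error is returned when the process
        # to be terminated was not running at the time of the call.
        return bool(hits)
    return run


def install(file_name: str) -> Callable[[Device], bool]:
    """Install action that always succeeds in this model."""
    def run(device: Device) -> bool:
        device.installed.append(file_name)
        return True
    return run


def run_package(steps: List[Step], device: Device) -> List[Tuple[str, str]]:
    """Run steps in order; each step's setting gates the steps after it."""
    log: List[Tuple[str, str]] = []
    for i, step in enumerate(steps):
        ok = step.action(device)
        log.append((step.name, "ok" if ok else "error"))
        proceed = (
            step.setting == ALWAYS
            or (step.setting == ON_SUCCESS and ok)
            or (step.setting == ON_ERROR and not ok)
        )
        if not proceed:
            log.extend((s.name, "skipped") for s in steps[i + 1:])
            break
    return log


def update_package(terminate_setting: str) -> List[Step]:
    """Constructed two-step package: stop the old process, then install."""
    return [
        Step("Terminate agent.exe", terminate("agent.exe"), terminate_setting),
        Step("Install agent.cab", install("agent.cab")),
    ]


def demo() -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Same package, two device states, two settings on the Terminate step."""
    results = {}
    states = (("running", {"agent.exe", "cmd.exe"}),
              ("not running", {"cmd.exe"}))
    for label, running in states:
        for setting in (ON_SUCCESS, ALWAYS):
            device = Device(running=set(running))
            results[(label, setting)] = run_package(
                update_package(setting), device)
    return results


if __name__ == "__main__":
    for key, log in demo().items():
        print(key, log)
```

With the default setting, a device on which the process is not running never reaches the install step. Critical, continue removes that dependency, but it also lets later steps run after any other failure of the same step.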
File System>Copy Files
Specifies an Install Action that copies one or more files from one area (directory or folder) of the device to another.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Copy Files Action Settings
The name of the source folder and file name and the target folder that is specified by the following:
Source - {localsourcefilespec} data type. Path and file name(s) existing on the device to copy from during provisioning. Using wildcard characters is allowed.
Target - {localtargetfoldername} data type. Path existing on the device to receive files during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Move Files Action Settings
The name of the source folder and file name and the target folder that is specified by the following:
Source - {localsourcefilespec} data type. Path and file name(s) existing on the device to move from during provisioning. Using wildcard characters is allowed. Files are removed from this location upon successful move to target.
Target - {localtargetfoldername} data type. Path existing on the device to receive the moved files during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Delete Files Action Settings
The name of the file to be deleted, specified by the following:
Path - {localfilename} data type. File name(s) on the device to delete during provisioning. Using wildcard characters is allowed.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Rename File Action Settings
The name of the source file (existing file name) and the target file name (new file name), specified by the following:
Source - {existingfilename} data type. Path and file name existing on the device to be renamed during provisioning.
Target - {newfilename} data type. New file name not yet existing in the path that is specified in source. Note: Do not prefix with the path/folder specification. Use the raw file name.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Create Folder Action Settings
The name of the folder (directory) to be created, specified by the following:
Path - {localfoldername} data type. Folder name on the device to be created during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Remove Folder Action Settings
The name of the folder (directory) to be deleted, specified by the following:
Path - {localfoldername} data type. Folder name on the device to delete during provisioning. All files in this folder are also deleted.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Rename Folder Action Settings
The name of the source folder name (existing folder or directory on the device) and the target folder name (new folder or directory on the device), specified by the following:
Source - {existingfoldername} data type. Path existing on the device to be renamed during provisioning.
Target - {newfoldername} data type. New folder name not yet existing on device.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.
Metric Generation Settings
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version. The Metric source cannot be manually entered.
Folder - path for Metric source file.
CAB File - CAB file containing Metric source file.
Virtual File - Metric source file that is contained in the CAB file.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.
Metric Generation Settings
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version.
Folder - path for Metric source file.
CAB File - file containing Metric source file.
Virtual File - metric source file that is contained in the CAB file.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version. The Metric source cannot be manually entered.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.
Managing software on Windows Mobile devices Sample AppUpdate runtime substitution tokens
{STARTUP} - startup shortcuts directory on the device.
{PROGRAMS} - program files on the device.
{DOCUMENTS} - personal documents on the device.
{START_MENU} - root start menu on the device.
{PROGRAMS_MENU} - programs menu on start menu (same as {START_MENU} on Smartphone) on the device.
{DEVICE_ID} - hex device ID (MD5 hash).
{DEVICE_ID2} - unique ID algorithm.
{DEVICE_ID3} - unique ID algorithm for older devices (pre-Windows Mobile 5).
{DEVICE_ID4} - unique ID algorithm that indicates the platform.
{DEVICE_CPU} - instruction set (ARMV4, ARMV4I, etc).
{DEVICE_OEM} - OEM info string (Windows CE only).
{OS_MAJOR} - major OS version (e.g. 4).
{OS_MINOR} - minor OS version (e.g. 20).
{OS_BUILD} - OS build number.
{OS_PLATFORM} - WinCE or Win32.
{OS_SHELL} - Standard, PocketPC, or Smartphone.
{PRODUCT} - name attribute ({PRODUCT}) of the current package being processed in the Manifest (server-side and device-side).
{VERSION} - version attribute ({VERSION}) of the current package being processed in the Manifest (server-side and device-side).
{SCREEN_CX} - device horizontal resolution.
{SCREEN_CY} - device vertical resolution.
{Hxxx\yyyy\zzzz...\} - Registry entry value. The first segment of the specification is either the long name or the short name of one of the following Root key values: HKEY_CLASSES_ROOT or HKCR, HKEY_CURRENT_USER or HKCU, and HKEY_LOCAL_MACHINE or HKLM. Supported value types that can be returned are REG_SZ (string), REG_DWORD (hexadecimal value, preceded with 0x) and REG_BINARY (block of 2-digit hexadecimal values).
{MAC_ADDRESS} - device Network Interface Card (NIC) Media Access Layer (MAC) address of the NIC used to retrieve the host's Manifest XML payload.
{APP_MAJOR} - major release number.
{APP_MINOR} - minor release number.
{APP_BUILD} - build number.
{NLS_LCID} - National Language Support table device location identifier.
{NLS_OEMCP} - National Language Support table OEM code page.
{NLS_ANSICP} - National Language Support table ANSI code page.
{BATTERY_LEVEL} - percent of battery charge level on the device.
{DEVICE_NAME} - device name.
{DEVICE_PHONE} - device phone number.
{FREE_SPACE} - available free space on the device.
See Creating software packages for Windows Mobile devices on page 176.
Appendix
System requirements and port usage for Symantec Mobile Management 7.2
This appendix includes the following topics:
Mobile Management requirements
Network ports used by Mobile Management
Supported devices and device operating systems
System requirements and port usage for Symantec Mobile Management 7.2 Mobile Management requirements
Windows Server 2003 and Windows Server 2008 R2 & R2 SP1, 64-bit only - Enterprise, Standard, and Datacenter editions. Core Edition is not supported.
Symantec Management Agent. See Symantec Management Platform 7.1 SP2 Installation Guide for more information about the Symantec Management Agent
Web Server (IIS) version corresponding to operating system version. Role defaults plus IIS 6 Management compatibility.
.NET Framework corresponding to operating system and IIS version.
ASP.NET.
Apple Push Notification Service (APNS) certificate.
Internet Explorer 7.1, or later
Java Runtime Environment
See Symantec Management Platform 7.1 SP2 Installation Guide for additional requirements.

iPhone 3G, 3GS, 4, and 4S running iOS 4.3 or later. Symantec Mobile Management 7.2 supports policy settings on iOS 5
iPod Touch 2nd generation, 3rd generation, and 4th generation running iOS 4.3 or later
iPad running iOS 4.3 or later

Windows Mobile 6.0, 6.1, and 6.5 - Professional and Standard
Windows CE 4.2 to 6.0
Microsoft Silverlight 3.x, 4.x, 5.x
Symantec Management Platform 7.1 SP1/SP2
See Symantec Management Platform 7.1 SP2 Installation Guide for additional requirements.

Microsoft SQL Server - See SQL Server documentation.
Active Directory - See Active Directory documentation.
LDAP - See LDAP documentation.
Certificate Authority - See Certificate Authority documentation.
SCEP - See SCEP documentation.
Microsoft Exchange ActiveSync - Exchange ActiveSync integration software requirements:
Microsoft Exchange 2007 SP1 or SP2 with Exchange Server 2007 Management Tools or Microsoft Exchange 2010
Microsoft Windows Management Framework, specifically Windows PowerShell 2.0
System requirements and port usage for Symantec Mobile Management 7.2 Network ports used by Mobile Management
To
Description
Mobile Management IIS HTTP for agent Server communication, IIS HTTPS for agent communication (optional) Mobile Management Remote control Server connection Apple Push Notification Service APNS communications to Apple by APNS servers APNS communications to agent by APNS servers
7780
Agent
5223
Agent
7778
80
IIS HTTP
7778
Symantec Mobile Management Remote control Management Console Server connection browser Symantec Management Platform Server Symantec Management Platform Server Microsoft SQL Server Database
50120-50124
System requirements and port usage for Symantec Mobile Management 7.2 Supported devices and device operating systems
Exchange ActiveSync
Apple iOS running iOS 2.x, 3.x, and 4.x
Android 2.2 and later
Windows Mobile 6.1 and 6.5
Windows Phone 7
Palm WebOS 1.4.5
Nokia (running Mail for Exchange v3.0.50)

Apple iPhone 3G, 3GS, and 4 running iOS 4.1 or later
Apple iPad running iOS 4.2 or later

iPod Touch 2nd generation, 3rd generation, and 4th generation running 4.1 or later
Android 2.2 or later

Windows Mobile 2003, 5, 6.1, and 6.5
Windows CE 4.2 to 6.0
Blackberry OS 4.3 to 5.0
Appendix
Customizable Mobile Management Agent
Mobile Library
Exchange ActiveSync
Configuration profiles
Actions
Policies
Reports
Remote wipe
Inventory data
Event log
Provisioning apps from the Apple App store with the Apple Volume Purchase Program

Customizable Mobile Management Agent
Exchange ActiveSync/TouchDown
Configuration profiles
Actions
Policies
Reports
Remotely trigger alarm
Remote wipe and lock
Location mapping
Inventory data
Event log
Mobile Management Agent
Windows Mobile
Appendix
Creating the in-house Mobile Management Agent application for iOS devices
This appendix includes the following topics:
About the in-house Mobile Management Agent application
Creating the in-house Mobile Management Agent application
Requirements for creating the in-house Mobile Management Agent application
Downloading a WWDR Intermediate Certificate
Creating a Developer Certificate
Registering an iOS device for testing
Setting up an App ID
Downloading the project
Preparing the iOS device for testing
Loading the project
Creating and installing a Development Provisioning Profile
Customizing the Bundle identifier
Customizing the localized string files
Customizing the Target settings
Building and testing the application
Creating the in-house Mobile Management Agent application for iOS devices About the in-house Mobile Management Agent application
Table C-1 Process for preparing to create the in-house Mobile Management Agent application

Step 1
Description: You must ensure that your environment meets the requirements for creating the in-house Mobile Management Agent application. See Requirements for creating the in-house Mobile Management Agent application on page 212.

Step 2
Action: Log on to your iOS Developer Enterprise Program account.
Description: Log on to your iOS Developer Enterprise Program account as the Team Agent entity at the following Web site: https://developer.apple.com/membercenter/index.action#iPhoneDev

Step 3
Action: Download a WWDR Intermediate Certificate.
Description: The WWDR Intermediate certificate tests the authenticity of your other certificates. See Downloading a WWDR Intermediate Certificate on page 212.

Step 4
Description: The Developer Certificate identifies you as the owner of the applications you build. See Creating a Developer Certificate on page 213.

Step 5
Action: Register an iOS device for testing.
Description: iOS devices must be registered with Apple before they can be used for testing. See Registering an iOS device for testing on page 213.

Step 6
Description: The App ID is an identifier for any project that is made through Apple. See Setting up an App ID on page 213.

Step 7
Action: Download the project.
Description: Symantec provides a pre-compiled project to use to develop the agent application. When you install Mobile Management, this template is placed in your Symantec Management Platform Server directory. See Downloading the project on page 214.

Step 8
Action: Prepare an iOS device for testing.
Description: You need to prepare your registered Apple testing device for testing. See Preparing the iOS device for testing on page 214.
Table C-2 Process for creating the in-house Mobile Management Agent application

Step 1
Action: Load the project in Xcode.
Description: Symantec provides a pre-compiled project to use to develop the agent application. Symantec recommends that you make a copy of the provided project template and make modifications to the copy. See Loading the project on page 215.

Step 2
Action: Create and install a Development Provisioning Profile to build and test your application.
Description: Apple uses the Development Provisioning Profile to determine who works on which projects, and on which devices they can test. See Creating and installing a Development Provisioning Profile on page 215.

Step 3
Action: Customize the Bundle identifier value.
Description: The Bundle identifier is built into the application and attaches to certifications. It allows the device to receive notifications from the Apple Push Notification Service. See Customizing the Bundle identifier on page 216.

Step 4
Action: Customize the localized string files.
Description: The string files contain the information that appears in the settings of the application on the device. See Customizing the localized string files on page 217.

Step 5
Description: The Target settings are the various settings that are set to determine to which devices the agent is delivered. See Customizing the Target settings on page 218.

Step 6
Action: Build the application for testing and test it.
Description: To test the application, build it for testing and test it in your device. See Building and testing the application on page 218.

Step 7
Action: Build the application for distribution and set up the download URL.
Description: After you build and test your application, it should install and launch on your testing device. After the application installs and launches successfully on your testing device, you can build the application for internal deployment. See Building and distributing the application on page 219.
See About the in-house Mobile Management Agent application on page 208.
Creating the in-house Mobile Management Agent application for iOS devices Requirements for creating the in-house Mobile Management Agent application
Membership requirements
iOS Developer Enterprise Program membership
You can sign up at the following Web site: http://developer.apple.com/programs/ios/enterprise/
2 Click Click here to download now.
3 After the certificate has downloaded, double-click the certificate to add it to your key chain.
Creating the in-house Mobile Management Agent application for iOS devices Creating a Developer Certificate
Generating a Certificate Signing Request
Submitting a Certificate Signing Request for Approval
Approving Certificate Signing Requests
Downloading and Installing Development Certificates
Setting up an App ID
The App ID is an identifier for any project that is made through Apple.
This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.
To set up an App ID
Generating an App ID
Since the App ID needs to be enabled for APNs, it cannot be a wildcard. Symantec recommends that you use a name like com.<YourCompany>.<YourAppName>. This name is also used in the AthenaFramework-Info.plist file.
Registering an App ID for Apple Push Notification Service
Configure Development Push SSL certificate
Note: Anytime you change your App ID settings, you must regenerate and replace any existing provisioning profiles that use the App ID.
Loading the project
This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.
To prepare an iOS device for testing
1 Open Xcode.
2 In the Windows menu, click Organizer.
3 On the Organizer page, in the left pane, expand iPhone Development, and click Provisioning Profiles.
4 Connect your registered iOS device to your Mac computer using a USB cable.
5 In the left pane, expand Devices, and click the registered iOS device.
6 Click Use for Development.
7 Enter your iOS Developer Enterprise Program credentials.

1 Open Xcode and click Open Other.
2 Browse to the Athena Framework project folder and select iOSAgentFramework.zip.
3 Click Open.
Customizing the Bundle identifier
See Creating the in-house Mobile Management Agent application on page 208.
To create and install a Development Provisioning Profile
Creating a Development Provisioning Profile
Installing a Development Provisioning Profile
Building and installing your Development Application
In step 2, your device will be available from the drop-down menu in the upper-left hand corner. Perform step 5 before step 4. Complete all other steps in order. The Build and Go button that is referenced in step 6 is instead labeled Build and Run.
Warning: Do not attempt to use the Xcode Simulator to test your build. You must perform the tests on an actual device. If you use the Mobile Management Agent template to build applications, they do not load in the simulator. The simulator lacks required functionality, such as the Apple Push Notification Service.
1 Open your project in Xcode.
2 In the left pane, under Groups & Files, expand athenaFramework-template > Resources > plists, and click AthenaFramework-Info.plist.
3 In the Bundle identifier field, enter the same value as your App ID.
Customizing the localized string files
1 Open your project in Xcode.
2 In the left pane, under Groups & Files, expand AthenaFramework-template > Resources > plists, and click LocalizableStrings-en.plist.
3 In the right pane, modify the content of AboutView, EnrollView, HomeView, Preferences, and StatusView.
4 (Optional) If you change the name of the Mobile Management Agent, you need to change the name of the agent in the string files and also in the Target settings.
Action: Change Mobile Management Agent name in the string files
Steps: In HomeView, change the Agent Title field to the name of your agent. In AboutView, change the Name field to match the name of your agent.

Action: Change Mobile Management Agent name in the Target settings
Steps: Under Packaging, change Product Name to match the name of your agent. See Customizing the Target settings on page 218.
Customizing the Target settings
1 Open your project in Xcode.
2 Click Project in the left pane.
3 In the middle pane, click the project under Targets.
4 Click Build Settings.
5 Under Architectures, make the following changes:
Set Base SDK according to the target for your application. The minimum value is iOS Device 4.2. You can select newer SDK versions, but not older versions.
Under Code Signing, select the previously created provisioning profile.
Under Deployment, choose the desired Targeted Device Family. iOS 4.1 is the minimum supported version.
(Optional) If you change the name of the Mobile Management Agent, you need to change the name of the agent in the Target settings. Under Packaging, change Product Name to match the name of your agent.
Building and distributing the application
See Creating the in-house Mobile Management Agent application on page 208.
To build and test your application
1 Open your project in Xcode.
2 Connect your registered iOS testing device to your Mac computer.
3 In the field in the upper left of the screen, make sure that your testing device is selected.
4 Click the Run button in the top left corner. If the application installs and launches on your testing device, the application is complete and the project is correct.
Log in to your iOS Developer Enterprise Program account as the Team Agent entity at the following Web site: https://developer.apple.com/membercenter/index.action#iPhoneDev
Building your Application with Xcode for Distribution
Verifying a Successful Distribution Build
Updating your Application
Appendix
Troubleshooting
This appendix includes the following topics:
KB articles specific to the Symantec Mobile Management 7.2 SP1 release
Troubleshooting configuration policy distribution problems
Troubleshooting iOS device agent enrollment
Troubleshooting Mobile Management Server configurations
About troubleshooting errors with the SymantecEASService configuration
Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
Configuring Mobile Management to work with a development APNS certificate
KB articles specific to the Symantec Mobile Management 7.2 SP1 release
Title
Resetting Exchange ActiveSync blocking solutions after uninstalling or changing the Symantec Management Platform infrastructure
Mobile Management logs indicate APNS errors but commands to iOS devices still work as usual
Locating the password that was used to lock a mobile device
Exchange Allow/Block/Quarantine (ABQ) rules are still active upon reinstall of Symantec Mobile Management server
What do the "ManagementFlags" values mean in the Mobile_ManagedApplicationList_iOS inventory list?
Authentication stops working after upgrading to Symantec Mobile Management 7.2 SP1
Devices known to be missing required apps do not appear as non-compliant in reports
Logs show many NSE errors after upgrading to Symantec Mobile Management 7.2 SP1
Customizing the email message sent by Exchange for quarantined or blocked devices
After enrolling with Symantec Mobile Management, some Android devices appear twice in the Mobile Management Device Inventory
Functional limitations for Android devices when using Exchange ActiveSync access control
Reporting on non-compliant devices in Symantec Mobile Management 7.2 SP1
Reporting on rooted or jailbroken mobile device in Symantec Mobile Management
Cannot download large files from the Symantec Mobile Management Mobile Library
2-way SSL does not work on iOS devices
http://www.symantec.com/docs/TECH197067
http://www.symantec.com/docs/TECH197019
http://www.symantec.com/docs/TECH196854
http://www.symantec.com/docs/TECH196793
http://www.symantec.com/docs/TECH196656
http://www.symantec.com/docs/TECH196709
http://www.symantec.com/docs/TECH196654
http://www.symantec.com/docs/TECH196517
http://www.symantec.com/docs/TECH196515
http://www.symantec.com/docs/TECH196511
http://www.symantec.com/docs/TECH196509
http://www.symantec.com/docs/TECH196495
http://www.symantec.com/docs/TECH196323
Exchange ActiveSync policies are missing after upgrading Symantec Mobile Management
After upgrading to Symantec Mobile Management 7.2 SP1, Android device OS information is displayed as "Unknown"
Single Android device has two sets of device information in the Resources list
http://www.symantec.com/docs/TECH196318
Error downloading from Mobile Library
Reporting frequency default settings per device type
Mobile Management server status checks fail to import to Symantec Management Platform SP1
1 Make sure that you turned on the policy. See Assigning policies on page 93.
2 Make sure that you properly targeted your device. See Assigning policies on page 93.
3 Run the Update Policies action on the device.
4 Make sure that policies are delivered. Check for delivery by sending the Lock Device action to a device you have and see if it locks within a few minutes.
5 Make sure that the APNS ports are open in your environment.
6 Check your MDM Certificate configuration. See Configuring iOS device MDM enrollment on page 58.
7 Make sure that you have an MDM profile on your device. Check for this profile by going to Settings > General > Profiles on the device.
8 Make sure that you apply the policies from the correct Mobile Management Server.
You can see the Mobile Library content in the Mobile Management Agent.
You can see the MDM profile on the device. You can check this item by going to Settings > General > Profiles on the device.
The agent appears on the desktop of the device.
The Agent and MDM Enrollment status in the Symantec Management Console are listed as true. You can check this status in the Symantec Management Console. Click the Reports tab and then click All Reports. In the left pane, expand Mobile Management and click Detailed iOS Device Status. Find the device you want to have enrolled and make sure that Agent Enrolled and MDM Enrolled are both True.
The Push Certificate Subject matches the App ID's Bundle identifier that is found in the APNS certificate.
The device receives notifications from the Symantec Management Platform through APNS.
If one of the preceding items was unverifiable, the Mobile Management Agent was not enrolled correctly. To try to fix the agent enrollment, you can do the following:
Remove the agent and then re-download and re-enroll it. If you are not able to enroll the Mobile Management Agent on an iOS device, you may need to remove any old MDM profiles. The existence of old MDM profiles on the device can cause the installation of the Mobile Management Agent to fail. Remove the Mobile Management Agent and any old MDM profiles. After you have completely removed the agent, re-download and re-enroll it. See Downloading and installing the Mobile Management Agent app on page 39. See Enrolling a mobile device on page 40.
Troubleshoot the Mobile Management Server installation. If you get an MDM enrollment error when you attempt to enroll a device, your Mobile Management Server configuration may be wrong. See Troubleshooting Mobile Management Server configurations on page 225.
After you install the APNS certificate on your Mobile Management Server, you can verify that the Push Certificate Subject matches the App ID's Bundle identifier. See Verifying that the Push Certificate Subject matches the App ID's Bundle identifier on page 226.
If your APNS certificate was created for development and not production, you need to make sure that you configure Mobile Management accordingly. See Configuring Mobile Management to work with a development APNS certificate on page 226.
1 Make sure that the APNS certificate is installed on the site server.
2 Make sure that the Mobile Management Server settings are correct. For example, make sure that the server IP or name is properly entered in Site Server Settings.
3 Make sure that the APNS thumbprint matches the APNS certificate.
4 Make sure that the type of APNS certificate is properly selected.
5 Make sure that the SCEP information is properly entered. For example, verify the URL, Subject, and Challenge phrase.
6 Make sure that the SCEP service is properly set up.
7 Make sure the Push Certificate Subject matches the APNS certificate.
The eadmin account is a member of the Exchange Organization Administrators tab.
The SymantecEASService is running as Exchange Admin.
The eadmin has read and write access to %ProgramFiles%\Symantec\Mobile Management\eas\.
The SymantecEASPolicyAppPool has a configurable identity.
SYMMOBILE\eadmin is a member of the local IIS_WPG group.
The eadmin has read and write access to %SystemRoot%\Temp.
Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
After you install the APNS certificate on your Mobile Management Server, you can verify that the Push Certificate Subject matches the App ID's Bundle identifier.
To verify that the Push Certificate Subject matches the App ID's Bundle identifier
1 Click Start.
2 In the search box, type mmc.
3 Click the mmc.exe.
4 In the MMC console, navigate to File > Add/Remove Snap-in.
5 Select Certificates from the left pane.
6 Click Add and select Computer Account.
7 Click Next, Finish, and then click OK.
8 Next, navigate to Certificates (Local Computer) > Personal > Certificates.
9 Find the certificate you created in the right pane and double-click the certificate. Click on the Details tab and select Subject.
10 Look in the bottom box of the window and locate the Bundle Identifier. For example, = com.apple.mgmt.<yourstring>. Record the Bundle Identifier so you can compare it with the one in the Symantec Management Console.
11 Open the Symantec Management Console.
12 Navigate to Home > Mobile Management > iOS MDM Enrollment Configuration.
13 The Push Certificate Subject field on the iOS MDM Enrollment page should match the Bundle Identifier that is recorded from the APNS certificate.
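The certificate side of this comparison can also be scripted on the site server. The following PowerShell is an added example, not part of the Symantec guide: the function names are hypothetical, and it assumes that the Bundle Identifier is carried in the certificate subject's User ID attribute (OID 0.9.2342.19200300.100.1.1). It also reports expiry and private-key presence, which the manual steps do not show.

```powershell
# Added example, not from the Symantec guide. Function names are hypothetical.

function Get-SubjectUserId {
    # Returns the User ID (UID) attribute of an X.509 subject string, or $null.
    param([Parameter(Mandatory)][string]$Subject)

    # Assumption: the Bundle Identifier sits in the UID attribute,
    # OID 0.9.2342.19200300.100.1.1. Depending on the tool, the attribute is
    # rendered as "UID=" or as "OID.0.9.2342.19200300.100.1.1=", so accept both.
    $pattern = '(?:^|,\s*)(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)\s*=\s*(?<uid>"[^"]*"|[^,]+)'
    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $m = [regex]::Match($Subject, $pattern, $options)
    if (-not $m.Success) { return $null }
    return $m.Groups['uid'].Value.Trim().Trim('"')
}

function Test-PushCertificateSubject {
    param(
        # APNS thumbprint as entered in the Mobile Management Server settings
        [Parameter(Mandatory)][string]$Thumbprint,
        # Value of the Push Certificate Subject field in the console
        [Parameter(Mandatory)][string]$ConsoleSubject
    )

    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character; keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Same store the MMC steps open: Certificates (Local Computer) > Personal.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My."
    }

    $uid = Get-SubjectUserId -Subject $cert.Subject
    $expected = $ConsoleSubject.Trim()

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        CertificateUid = $uid
        ConsoleSubject = $expected
        # Case-sensitive comparison: the two values must be identical.
        SubjectMatches = ($null -ne $uid) -and ($uid -ceq $expected)
        HasPrivateKey  = $cert.HasPrivateKey
        NotAfter       = $cert.NotAfter
        Expired        = ($cert.NotAfter -lt (Get-Date))
    }
}

# Offline check of the parser with constructed subject strings
# (sample values, not taken from real certificates).
$samples = @(
    'C=US, CN=constructed-example, OID.0.9.2342.19200300.100.1.1=com.apple.mgmt.constructed-example',
    'UID=com.apple.mgmt.constructed-example, CN=constructed-example, C=US',
    'CN=certificate-without-uid, C=US'
)
foreach ($s in $samples) {
    $found = Get-SubjectUserId -Subject $s
    if ($null -eq $found) { $found = '(no UID attribute)' }
    '{0}  ->  {1}' -f $s, $found
}

# On the site server, replace the placeholders with your own values:
# Test-PushCertificateSubject -Thumbprint '<APNS thumbprint>' -ConsoleSubject 'com.apple.mgmt.<yourstring>'
```

A result with SubjectMatches set to False, or with Expired set to True, points to the certificate checks listed under Troubleshooting Mobile Management Server configurations.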
See Configuring the site server and enrollment settings on page 53.
To configure Mobile Management to work with a development APNS certificate
1 Open the Symantec Management Console and click the Home tab.
2 Expand Mobile Management and click Mobile Management Server Settings.
3 Click the APNS tab, and then check Use Development APNS.
4 Click Save changes.
5 Next, navigate to Home > Mobile Management > iOS MDM Enrollment Configuration.
6 On the iOS MDM Enrollment page, check Use Development APNS.
7 Click Save changes.
Appendix
Third-Party Attributions
This appendix includes the following topics:
Third-Party Legal Notices
jQueryjs 1.4.1
Libjpeg 6b
Log4Net 1.2.10
Newlib 1.17.0
ZLib v 1.2.2/1.2.3
NLog Advanced .NET Logging 1.0
QuickLZ
SharpZipLib 0.85.4
Silverlight.js 2.0
TBXML 1.4
Windows CE C Library Extensions
the Third Party Programs, where applicable. Third-party components included in Symantec Mobile Management include:
jQueryjs 1.4.1
Copyright (c) 2011 John Resig, http://jquery.com/ Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Libjpeg 6b
This software is based in part on the work of the Independent JPEG Group. This software is copyright (C) 1991-2012, Thomas G. Lane, Guido Vollbeding. All Rights Reserved except as specified below.
Log4Net 1.2.10
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for the specific language governing permissions and limitations under the License.
Newlib 1.17.0
The newlib subdirectory is a collection of software from several sources. Each file may have its own copyright/license that is embedded in the source file. Unless otherwise noted in the body of the source file(s), the following copyright notices will apply to the contents of the newlib subdirectory:
(1) Red Hat Incorporated Copyright (c) 1994-2009 Red Hat, Inc. All rights reserved. This copyrighted material is made available to anyone wishing to use, modify, copy, or redistribute it subject to the terms and conditions of the BSD License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of this license is available at http://www.opensource.org/licenses. Any Red Hat trademarks that are incorporated in the source code or documentation are not subject to the BSD License and may only be used or replicated with the express permission of Red Hat, Inc. (2) University of California, Berkeley Copyright (c) 1981-2000 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(3) David M. Gay (AT&T 1991, Lucent 1998) The author of this software is David M. Gay. Copyright (c) 1991 by AT&T. Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided that this entire notice is included in all copies of any software which is or includes a copy or modification of this software and in all copies of the supporting documentation for such software. THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR AT&T MAKES ANY REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
The author of this software is David M. Gay. Copyright (C) 1998-2001 by Lucent Technologies All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that the copyright notice and this permission notice and warranty disclaimer appear in supporting documentation, and that the name of Lucent or any of its entities not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. LUCENT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL LUCENT OR ANY OF ITS ENTITIES BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
(4) Advanced Micro Devices Copyright 1989, 1990 Advanced Micro Devices, Inc.
This software is the property of Advanced Micro Devices, Inc (AMD) which specifically grants the user the right to modify, use and distribute this software provided this notice is not removed or altered. All other rights are reserved by AMD. AMD MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE. IN NO EVENT SHALL AMD BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR
ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFTWARE. So that all may benefit from your experience, please report any problems or suggestions about this software to the 29K Technical Support Center at: 800-29-29-AMD (800-292-9263) in the USA, or 0800-89-1131 in the UK, or 0031-11-1129 in Japan, toll free. The direct dial number is 512-462-4118. Advanced Micro Devices, Inc. 29K Support Products Mail Stop 573 5900 E. Ben White Blvd. Austin, TX 78741 800-292-9263
(5) C.W. Sandmann Copyright (C) 1993 C.W. Sandmann This file may be freely distributed as long as the author's name remains.
(6) Eric Backus (C) Copyright 1992 Eric Backus This software may be used freely so long as this copyright notice is left intact. There is no warrantee on this software.
(7) Sun Microsystems Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved. Developed at SunPro, a Sun Microsystems, Inc. business. Permission to use, copy, modify, and distribute this software is freely granted, provided that this notice is preserved.
(8) Hewlett Packard (c) Copyright 1986 HEWLETT-PACKARD COMPANY To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copyright notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose.
(9) Hans-Peter Nilsson Copyright (C) 2001 Hans-Peter Nilsson Permission to use, copy, modify, and distribute this software is freely granted, provided that the above copyright notice, this notice and the following disclaimer are preserved with no changes. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
(10) Stephane Carrez (m68hc11-elf/m68hc12-elf targets only) Copyright (C) 1999, 2000, 2001, 2002 Stephane Carrez (stcarrez@nerim.fr) The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this software may be copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated on the first page of each file where they apply. (11) Christopher G. Demetriou Copyright (c) 2001 Christopher G. Demetriou All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(12) SuperH, Inc. Copyright 2002 SuperH, Inc. All rights reserved This software is the property of SuperH, Inc (SuperH) which specifically grants the user the right to modify, use and distribute this software provided this notice is not removed or altered. All other rights are reserved by SuperH. SUPERH MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE. IN NO EVENT SHALL SUPERH BE LIABLE FOR
INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFTWARE. So that all may benefit from your experience, please report any problems or suggestions about this software to the SuperH Support Center via e-mail at softwaresupport@superh.com . SuperH, Inc. 405 River Oaks Parkway San Jose CA 95134 USA
(13) Royal Institute of Technology Copyright (c) 1999 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(14) Alexey Zelkin Copyright (c) 2000, 2001 Alexey Zelkin <phantom@FreeBSD.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(15) Andrey A. Chernov Copyright (C) 1997 by Andrey A. Chernov, Moscow, Russia. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(16) FreeBSD Copyright (c) 1997-2002 FreeBSD Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(17) S. L. Moshier Author: S. L. Moshier. Copyright (c) 1984, 2000 S.L. Moshier Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided that this entire notice is included in all copies of any software which is or includes a copy or modification of this software and in all copies of the supporting documentation for such software. THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTICULAR, THE AUTHOR MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. (18) Citrus Project Copyright (c) 1999 Citrus Project, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(19) Todd C. Miller Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(20) DJ Delorie (i386) Copyright (C) 1991 DJ Delorie All rights reserved. Redistribution and use in source and binary forms is permitted provided that the above copyright notice and following paragraph are duplicated in all such forms.
This file is distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
(21) Free Software Foundation LGPL License (*-linux* targets only) Copyright (C) 1990-1999, 2000, 2001 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Mark Kettenis <kettenis@phys.uva.nl>, 1997. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. (22) Xavier Leroy LGPL License (i[3456]86-*-linux* targets only) Copyright (C) 1996 Xavier Leroy (Xavier.Leroy@inria.fr) This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. (23) Intel (i960) Copyright (c) 1993 Intel Corporation Intel hereby grants you permission to copy, modify, and distribute this software and its documentation. Intel grants this permission provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation. 
In addition, Intel grants this permission provided that you prominently mark as "not part of the original" any modifications made to this software or documentation, and that the name of Intel Corporation not be used in advertising or publicity pertaining to distribution of the software or the documentation without specific, written prior permission. Intel Corporation provides this AS IS, WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intel makes
no guarantee or representations regarding the use of, or the results of the use of, the software and documentation in terms of correctness, accuracy, reliability, currentness, or otherwise; and you rely on the software, documentation and results solely at your own risk. IN NO EVENT SHALL INTEL BE LIABLE FOR ANY LOSS OF USE, LOSS OF BUSINESS, LOSS OF PROFITS, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND. IN NO EVENT SHALL INTEL'S TOTAL LIABILITY EXCEED THE SUM PAID TO INTEL FOR THE PRODUCT LICENSED HEREUNDER.
(24) Hewlett-Packard (hppa targets only) (c) Copyright 1986 HEWLETT-PACKARD COMPANY To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copyright notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose.
(25) Henry Spencer (only *-linux targets) Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved. This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation. 3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation. 4. This notice may not be removed or altered.
(26) Mike Barcroft Copyright (c) 2001 Mike Barcroft <mike@FreeBSD.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(27) Konstantin Chuguev (--enable-newlib-iconv) Copyright (c) 1999, 2000 Konstantin Chuguev. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
iconv (Charset Conversion Library) v2.0 Copyright (c) 2003, Artem B. Bityuckiy, SoftMine Corporation. Rights transferred to Franklin Electronic Publishers. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(29) IBM, Sony, Toshiba (only spu-* targets) (C) Copyright 2001,2006, International Business Machines Corporation, Sony Computer Entertainment, Incorporated, Toshiba Corporation, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the names of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(30) - Alex Tatmanjants (targets using libc/posix) Copyright (c) 1995 Alex Tatmanjants alex@elvisti.kiev.ua at Electronni Visti IA, Kiev, Ukraine. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(31) - M. Warner Losh (targets using libc/posix) Copyright (c) 1998, M. Warner Losh <imp@freebsd.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(32) - Andrey A. Chernov (targets using libc/posix) Copyright (C) 1996 by Andrey A. Chernov, Moscow, Russia. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(33) - Daniel Eischen (targets using libc/posix) Copyright (c) 2001 Daniel Eischen <deischen@FreeBSD.org>. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(34) - Jon Beniston (only lm32-* targets) Contributed by Jon Beniston <jon@beniston.com> Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(35) - ARM Ltd (arm and thumb variant targets only) Copyright (c) 2009 ARM Ltd All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the company may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY ARM LTD ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ARM LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(36) - Xilinx, Inc. (microblaze-* and powerpc-* targets) Copyright (c) 2004, 2009 Xilinx, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Xilinx nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(37) Texas Instruments Incorporated (tic6x-* targets) Copyright (c) 1996-2010 Texas Instruments Incorporated http://www.ti.com/ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Texas Instruments, Incorporated nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NO LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
(38) National Semiconductor (cr16-* and crx-* targets) Copyright (c) 2004 National Semiconductor Corporation The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this
software may be copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated on the first page of each file where they apply.
ZLib v 1.2.2/1.2.3
Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Jaroslaw Kowalski nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
QuickLZ
1. GRANT OF LICENSE This commercial license lets you use QuickLZ version 1.0.0 to 1.9.9, both inclusive, for development within the company for any amount of closed source products and product titles with unlimited distribution/sales. The license is persistent, non-exclusive and non-transferable. The license does not cover derived or ported versions created by third parties under GPL. The license does not need to be renewed if the amount of employees increases. 2. APPLICABLE LAW This license shall be deemed to have been made in, and shall be construed pursuant to, the laws of Denmark. 3. DISCLAIMER OF WARRANTIES AND LIMITATION ON LIABILITY 3.1. No warranties. To the maximum extent permitted by applicable law, the software is provided as is without warranty, express or implied, of any kind or nature, including, but not limited to, any warranties of performance or merchantability or fitness for a particular purpose. 3.2. No Liability for Consequential Damages. To the maximum extent permitted by applicable law, in no event shall licensor be liable for any special, incidental, indirect or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any pecuniary loss) arising out of the use or inability to use the software, even if licensor has been advised of the possibility of such damages. 
4. LIMITED INTELLECTUAL PROPERTY INDEMNIFICATION Licensor agrees that in the event of any actual or alleged infringement of any patent, copyright, trade secret, trademark, or other proprietary right arising out of licensee's use of the licensed software, licensor shall, at licensee's option and at no charge to licensee, (a) obtain a license so licensee may continue use of the software; (b) modify the software to avoid the infringement; (c) replace the software with a compatible, functionally equivalent and non-infringing product; or if these options are commercially unreasonable (d) refund to licensee the amount paid
for the software. The foregoing states the entire set of obligations and remedies flowing between licensee and licensor arising from any intellectual property claim by a third party.
SharpZipLib 0.85.4
Copyright (C) 2002 Ben Lowery (blowery@monkey.org) This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.
Silverlight.js 2.0
Microsoft Public License (Ms-PL) This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.
1. Definitions The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution. 2. Grant of Rights (A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its
contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create. (B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.
3. Conditions and Limitations (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks. (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically. (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software. (D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license. (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
TBXML 1.4
Copyright 2012 71Squared. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Index
A
about actions 92 AutoLock settings on iOS devices 104 available configuration profile settings 103 configuration profiles 95 configuring Mobile Management 51 event logs 113 Exchange ActiveSync 63 in-house Mobile Management Agent application 208 installing Mobile Management 33 inventory data 107 MDM Certificate 25 Mobile Library 127 Mobile Management Agent on iOS devices 141 on Windows Mobile devices 171 policies 92 remotely managing devices 115 reports 110 software management on mobile devices 175 actions about 92 performing 92 Active Directory, requirements 199 adding additional configuration profiles 58 configuration profiles to a policy 101 agent. See Mobile Management Agent Android enrolling with Symantec Mobile Management 40 APNS certificate 226 App ID setting up 213 Apple devices. See iOS devices Apple Push Notification Service network ports used 202 requirements 199 apps pushing to iOS devices 132
AppUpdate, sample runtime substitution tokens 196 assigning configuration profile policies 102 Mobile Library feed 131 policies 93 AutoLock settings, about 104
B
BlackBerry devices available reports 111 function key mapping during remote sessions 122 remote options 120 building and distributing the in-house Mobile Management Agent application 219 building and testing the in-house Mobile Management Agent application 218 Bundle identifier, customizing 216
C
Certificate Authority requirements 199 setting up 19 certificate request, generating 29 certificates 21 changing, enrollment URL to an email address 144 components, Mobile Management 15 configuration policies, troubleshooting 223 configuration profiles about 95 adding additional 58 adding to a policy 101 assigning 102 available settings 103 creating 96 setting up 96 supported devices 95 configuration schedule, setting 173 configuring iOS device MDM enrollment 58 Mobile Management 52
configuring (continued) Mobile Management to work with a development APNS certificate 226 policy security settings 57 software maintenance windows 178 Symantec Managed PKI 60 SymantecEASService NT 67 TouchDown payloads 151 creating configuration profiles 96 Developer Certificate 213 Development Provisioning Profile 215 EULA 145 in-house Mobile Management Agent application 208 Mobile Library feeds 128 policies 93 remote settings for devices 116 software packages 176 customizing Bundle identifier 216 localized string files 217 Target settings 218
enrolling, iOS devices 143 enrollment URL, changing to an email address 144 EULA creating 145 enabling 145 event logs about 113 viewing 113 Exchange ActiveSync about 63 enabling functionality of 66 requirements 199 setting up 64 supported device operating systems 63 supported devices 203 Exchange ActiveSync server, selecting 67 exporting MDM Certificate using a Windows Server 29 MDM Certificate using Mac OS X 28
F
feed targeting 131 feeds adding items to 129 creating 128 publishing existing 131 setting up 128 function key mapping during remote sessions BlackBerry devices 122 Windows Mobile devices 121
D
delivering, software packages 177 Developer Certificate, creating 213 Development Provisioning Profile creating 215 installing 215 devices configuring the site server to communicate with 53 software management 175 downloading Mobile Management Agent app 39 project 214 WWDR Intermediate certificate 212
G
generating, certificate request 29
I
in-house agent application. See Mobile Management Agent installing Development Provisioning Profile 215 MDM Certificate 30 Mobile Management on a new server 37 Mobile Management on an existing Symantec Management Platform Server 37 integrating MDM Certificate 53 inventory data about 107
E
enabling EULA 145 Exchange ActiveSync functionality 66 Encryption Certificate 21 End User License Agreement. See EULA enrolling iOS 40 mobile devices 40
inventory data (continued) setting the inventory schedule iOS devices 109 Windows Mobile devices 108 viewing 108 inventory schedule, setting iOS devices 109 Windows Mobile devices 108 iOS enrolling 40 iOS Developer Enterprise Program membership 27 iOS devices available features 205 available reports 111 configuring MDM enrollment of 58 enrolling 143 preparing for testing 214 registering for testing 213 setting up Mobile Management Agent on 142 supported configuration profiles 95 supported policies 94 troubleshooting agent enrollment 223 items adding to feeds 129 publishing existing 131
L
LDAP, requirements 199 licensing Symantec Mobile Management 45 loading, project 215 localized string files, customizing 217
M
MDM Agreement 27 MDM Certificate about 25 exporting using a Windows Server 29 exporting using Mac OS X 28 installing 30 integrating 53 requirements 27 setting up 26 Microsoft Exchange ActiveSync. See Exchange ActiveSync Microsoft SQL Server. See SQL Server Mobile Device Management Certificate. See MDM Certificate
mobile devices available features 205 remotely wiping 123 Mobile Library about 127 adding items to feeds 129 creating feeds 128 publishing an existing feed or item 131 setting up feeds 128 targeting feed 131 Mobile Management about configuring 51 about installing 33 certificates 21 components 15 configuring 52 deploying to the site server 39 getting started with 14 installing on a new server 37 installing on an existing Symantec Management Platform Server 37 network ports used 202 requirements 199 setting up 19 what's new in 7.1 13 Mobile Management Agent about on iOS devices 141 on Windows Mobile devices 171 about the in-house application 208 building and distributing the in-house application 219 building and testing the in-house application 218 creating the in-house application 208 differences between versions 145 downloading app 39 enrolling 143 in-house application requirements 212 requirements 199 setting the configuration schedule 173 setting up iOS devices 142 Windows Mobile devices 172 supported devices 203 Mobile Management Server network ports used 202 requirements 199 troubleshooting configuration of 225
Mobile Management Service Agent, restarting 68 Mobile Management site server. See site server
N
network ports used 199 network ports used by Mobile Management 202
P
Palm devices available reports 111 payloads TouchDown, configuring 151 policies about 92 assigning 93 creating 93 supported 94 policy security, configuring settings of 57 ports usage 199 preparing, iOS devices for testing 214 Profile security 19 project downloading 214 loading 215 Push Certificate Subject, verifying 226 pushing apps to iOS devices 132
remotely managing devices (continued) remote options BlackBerry devices 120 Windows Mobile devices 117 remotely wiping devices 123 starting remote sessions 117 remotely wiping, mobile devices 123 reports about 110 available by device 111 running 111 requirements in-house Mobile Management Agent application 212 MDM Certificate 27 Mobile Management 199 restarting, Mobile Management Service Agent 68 Root Certificate 21 running, reports 111
S
sample AppUpdate runtime substitution tokens 196 SCEP requirements 199 setting up 19 selecting, Exchange ActiveSync server 67 Server Authentication Certificate 21 setting inventory schedule iOS devices 109 Windows Mobile devices 108 Mobile Management Agent configuration schedule 173 setting up App ID 213 Certificate Authority 19 configuration profiles 96 Exchange ActiveSync 64 MDM Certificate 26 Mobile Library feeds 128 Mobile Management 19 Mobile Management Agent iOS devices 142 Windows Mobile devices 172 SCEP 19 Signing Certificate 21 site server about deploying 33
R
registering, iOS devices for testing 213 remote options BlackBerry devices 120 Windows Mobile devices 117 remote sessions function key mapping BlackBerry devices 122 Windows Mobile devices 121 starting 117 remote settings for devices creating 116 remotely managing devices about 115 creating remote settings 116 function key mapping BlackBerry devices 122 Windows Mobile devices 121
site server (continued) configuring to communicate with mobile devices 53 deploying 39 software maintenance windows, configuring 178 software package actions 179 software package health actions 193 software packages actions 179 creating 176 delivering 177 health actions 193 SQL Server network ports used 202 requirements 199 SSL Certificate. See Server Authentication Certificate starting, remote sessions 117 Symantec Agent. See Mobile Management Agent Symantec Managed PKI service using with Symantec Mobile Management 60 Symantec Management Console, Mobile Management section 33 Symantec Management Console, requirements 199 Symantec Management Platform installing 37 requirements 199 Symantec Management Platform Server network ports used 202 requirements 199 SymantecEASService troubleshooting errors with 225 verifying configuration of 68 SymantecEASService NT, configuring 67 Symbian devices available reports 111
V
verifying Push Certificate Subject 226 SymantecEASService configuration 68 viewing event logs 113 inventory data 108 Volume Purchase Program, Apple 132
W
Windows Mobile available features 205 Windows Mobile and CE devices available reports 111 supported policies 94 Windows Mobile devices function key mapping during remote sessions 121 remote options 117 setting up Mobile Management Agent on 172 wiping devices, remotely 123 WWDR Intermediate certificate, downloading 212
T
Target settings, customizing 218 targeting Mobile Library feed 131 Third-Party Attributions 229 TouchDown configuring 151 troubleshooting configuration policy distribution problems 223 errors with the SymantecEASService configuration 225 iOS device agent enrollment 223 Mobile Management Server configurations 225