
Symantec Mobile Management 7.2 SP1 Implementation Guide

Contents

Section 1. Setting up Symantec Mobile Management 7.2

Chapter 1. Introducing Symantec Mobile Management 7.2
  What's new in Mobile Management 7.2 SP1
  Getting started with Mobile Management
  Before you begin
  Components of Mobile Management

Chapter 2. Setting up Mobile Management
  Setting up Mobile Management
  Mobile Management certificate distribution
  Setting up Google Cloud Messaging (GCM)

Chapter 3. Setting up a Mobile Device Management Certificate
  About the Mobile Device Management (MDM) Certificate
  Setting up an MDM Certificate
  MDM Certificate requirements
  Exporting an MDM Certificate using Mac OS X
  Generating a certificate request
  Exporting an MDM Certificate using a Windows Server 2003 or 2008
  Installing an MDM Certificate

Chapter 4. Installing Mobile Management
  About installing Mobile Management
  Basic installation workflow for Symantec Mobile Management
  Running the Symantec Mobile Management Prerequisite Check Utility
  Installing Mobile Management on an existing Symantec Management Platform server
  Installing Mobile Management on a new server
  Rolling out the site server
  Downloading and installing the Mobile Management Agent app
  Enrolling a mobile device

Chapter 5. First-run diagnostic check and status report
  First-run diagnostic check and status report

Chapter 6. Licensing Symantec Mobile Management 7.2
  Licensing basics
  Using the trial license
  Using a license purchased before installing Symantec Mobile Management
  Adding or updating a Symantec Mobile Management license
  Licensing status summary

Chapter 7. Upgrading to Symantec Mobile Management 7.2
  Upgrading Symantec Mobile Management
  Upgrading the Symantec Mobile Management device Agent

Chapter 8. Configuring Mobile Management
  About configuring Mobile Management
  Configuring Mobile Management
  Generating and installing an Apple Push / MDM Certificate
  Configuring the site server and enrollment settings
  Configuring profile security settings
  Configuring iOS device MDM enrollment
  Adding additional configuration profiles
  Adding non-approved platforms
  Using Symantec Managed PKI services with Symantec Mobile Management
  Configuring app compliance
  Adding apps to the list of available apps for blacklisting
  Configuring device naming

Chapter 9. Setting up Exchange ActiveSync
  About using Exchange ActiveSync with Mobile Management
  Setting up Exchange ActiveSync
  Enabling the Exchange ActiveSync functionality
  Configuring the SymantecEASService NT
  Selecting the Exchange ActiveSync server
  Restarting the Mobile Management Service Agent
  Verifying the SymantecEASService configuration
  Configuring Symantec Mobile Management to work with Exchange 2010
  Impact on Exchange 2010 when Mobile Management is uninstalled
  Controlling access to Exchange ActiveSync
  Blocking EAS access using Exchange 2010
  Blocking EAS access using F5 BIG-IP LTM

Chapter 10. Setting up Data Loss Prevention for iOS on the Mobile Management server
  About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
  Configuring Mobile Management to use DLP
  Creating VPN credentials
  Configuring VPN for DLP
  Configuring the VPN assignment for DLP
  Configuring the DLP settings
  Configuring remediation rules
  Setting the resource target

Chapter 11. Configuring multiple domain Active Directory / LDAP authentication
  LDAP integration overview
  Configuring multi-domain Active Directory / LDAP authentication

Chapter 12. Configuring Mobile Management to require SSL
  Configuring Mobile Management to require SSL

Section 2. Using Symantec Mobile Management

Chapter 13. Using actions, policies, and configuration profiles
  About actions
  Performing actions on mobile devices
  About policies
  Creating policies
  Assigning policies
  Supported policies for specific devices
  About configuration profiles on iOS devices
  Devices that support configuration profiles
  Setting up configuration profiles for iOS devices
  Creating configuration profiles
  Adding configuration profiles to a policy
  Assigning configuration profile policies
  About available configuration profile settings for iOS devices
  About AutoLock settings on iOS devices

Chapter 14. Using inventory data, reports, and the event log
  About inventory data
  Viewing inventory data
  Setting the inventory schedule for Windows Mobile devices
  Setting the inventory schedule for iOS devices
  About reports
  Running reports
  Available reports by device
  About event logs
  Viewing the event log

Chapter 15. Remotely managing devices
  About remotely managing devices
  Creating remote settings for devices
  Starting a remote session with a device
  Remote options for Windows Mobile devices
  Remote options for BlackBerry devices
  Function key mapping during remote sessions with Windows Mobile devices
  Function key mapping during remote sessions with BlackBerry devices
  Options for remotely wiping devices

Chapter 16. Managing the Mobile Library
  About the Mobile Library
  Setting up Mobile Library feeds
  Creating Mobile Library feeds
  Adding items to Mobile Library feeds
  Targeting a Mobile Library feed
  Publishing an existing feed or item
  Delivering apps to iOS devices

Section 3. Managing iOS devices

Chapter 17. Setting up the Mobile Management Agent application on iOS devices
  About the Mobile Management Agent application on iOS devices
  Setting up the Mobile Management Agent application on iOS devices
  Enrolling iOS devices
  Changing the enrollment URL to an email address for iOS devices
  Creating and enabling the End User License Agreement for iOS devices
  About the differences between the app store and the in-house Mobile Management Agent applications
  Configuring a Symantec Mobile Management iOS profile for Office 365

Section 4. Managing Android devices

Chapter 18. Using TouchDown with Symantec Mobile Management
  Configuring Symantec Mobile Management for TouchDown
  Assigning the TouchDown policy
  TouchDown account payload settings
  TouchDown policy payload settings
  TouchDown user payload settings

Chapter 19. Common Android management tasks
  Locking a lost or stolen Android device
  Removing policies and resetting the Agent on an Android device
  Wiping the data from a lost or stolen Android device
  Clearing and setting passcodes on Android devices
  Updating policies on Android devices
  Retrieving the inventory from Android devices
  Viewing Android device information

Section 5. Managing Windows devices

Chapter 20. Setting up the Mobile Management Agent on Windows Mobile devices
  About the Mobile Management Agent on Windows Mobile devices
  Setting up the Mobile Management Agent on Windows Mobile devices
  Setting the Mobile Management Agent configuration schedule for Windows mobile devices

Chapter 21. Managing software on Windows Mobile devices
  About software management on Windows Mobile devices
  Creating software packages for Windows Mobile devices
  Delivering software packages to Windows Mobile devices
  Configuring the software maintenance windows
  Software package actions
  Software package health actions
  Sample AppUpdate runtime substitution tokens

Appendix A. System requirements and port usage for Symantec Mobile Management 7.2
  Mobile Management requirements
  Network ports used by Mobile Management
  Supported devices and device operating systems

Appendix B. Mobile device management features
  Mobile device features

Appendix C. Creating the in-house Mobile Management Agent application for iOS devices
  About the in-house Mobile Management Agent application
  Creating the in-house Mobile Management Agent application
  Requirements for creating the in-house Mobile Management Agent application
  Downloading a WWDR Intermediate Certificate
  Creating a Developer Certificate
  Registering an iOS device for testing
  Setting up an App ID
  Downloading the project
  Preparing the iOS device for testing
  Loading the project
  Creating and installing a Development Provisioning Profile
  Customizing the Bundle identifier
  Customizing the localized string files
  Customizing the Target settings
  Building and testing the application
  Building and distributing the application

Appendix D. Troubleshooting
  KB articles specific to the Symantec Mobile Management 7.2 SP1 release
  Troubleshooting configuration policy distribution problems
  Troubleshooting iOS device agent enrollment
  Troubleshooting Mobile Management Server configurations
  About troubleshooting errors with the SymantecEASService configuration
  Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
  Configuring Mobile Management to work with a development APNS certificate

Appendix E. Third-Party Attributions
  Third-Party Legal Notices
  jQueryjs 1.4.1
  Libjpeg 6b
  Log4Net 1.2.10
  Newlib 1.17.0
  ZLib v 1.2.2/1.2.3
  NLog Advanced .NET Logging 1.0
  QuickLZ
  SharpZipLib 0.85.4
  Silverlight.js 2.0
  TBXML 1.4
  Windows CE C Library Extensions

Index

Section 1

Setting up Symantec Mobile Management 7.2

Chapter 1. Introducing Symantec Mobile Management 7.2
Chapter 2. Setting up Mobile Management
Chapter 3. Setting up a Mobile Device Management Certificate
Chapter 4. Installing Mobile Management
Chapter 5. First-run diagnostic check and status report
Chapter 6. Licensing Symantec Mobile Management 7.2
Chapter 7. Upgrading to Symantec Mobile Management 7.2
Chapter 8. Configuring Mobile Management
Chapter 9. Setting up Exchange ActiveSync
Chapter 10. Setting up Data Loss Prevention for iOS on the Mobile Management server
Chapter 11. Configuring multiple domain Active Directory / LDAP authentication
Chapter 12. Configuring Mobile Management to require SSL

Chapter 1

Introducing Symantec Mobile Management 7.2

This chapter includes the following topics:

- What's new in Mobile Management 7.2 SP1
- Getting started with Mobile Management
- Before you begin
- Components of Mobile Management

What's new in Mobile Management 7.2 SP1


The 7.2 SP1 release of Symantec Mobile Management features several enhancements and new features:

- Supports iOS 6 feature sets.
- Adds iOS App provisioning that supports the Apple Volume Purchase and B2B programs.
- New post-installation diagnostics and repair facility built into the Management Status page.
- Several UI enhancements to improve ease of use.
- New SSL setup features to support environments that require SSL.
- New email blocking functionality, including integration with F5 BIG-IP LTM and Exchange 2010 / Office 365.
- Support for multi-domain authentication.
- Over 80 resolved issues from previous versions.

The Symantec Mobile Management 7.2 SP1 Release Notes contain details about fixes and updates to the product, as well as any last-minute changes. The release notes are at http://www.symantec.com/docs/DOC6051.

The latest versions of the other Symantec Mobile Management product documentation are available at the following locations:

- Symantec Mobile Management 7.2 SP1 Implementation Guide (this document): http://www.symantec.com/docs/DOC6049
- Symantec Mobile Management 7.2 SP1 Quick-start Guide: http://www.symantec.com/docs/DOC6050

Links to the knowledge base articles germane to this release are provided in the Troubleshooting appendix of this document.

Getting started with Mobile Management


Mobile Management integrates with Symantec Management Platform to add mobile device administration capability. Mobile device owners install a device Management Agent and then enroll their mobile devices with Mobile Management. The Agent periodically checks in with Mobile Management to retrieve management-related commands, files, and updates. Policies are issued to the mobile devices to control the device's capabilities and settings.

Active Directory/LDAP integration allows the device owner to use their enterprise credentials to enroll and to receive recommended content from administrators. This content can include software and applications, documents, media, or Web links. After users enroll, they can also receive customizable contact information for the IT department in their organization.

If the user has a problem with a device, an administrator can remotely control the device to troubleshoot the problem. Because all of the devices communicate back to Mobile Management, the administrator can also collect inventory data and reports from the devices in the environment. In this way, administrators can determine the status of devices in the environment. Through the inventory, reporting, and policy features, administrators can target and schedule the devices that need management or assistance.

You use Symantec Installation Manager to install Symantec Mobile Security. If you do not already have Symantec Management Platform installed, you download Symantec Installation Manager, Symantec Management Platform, and Symantec Mobile Management together. Once the products are installed, you access the mobile security components and perform administrative tasks through the Symantec Management Platform console.

See Components of Mobile Management on page 15.

See Mobile device features on page 205.

Before you begin


After installation, Symantec Mobile Management runs as part of Symantec Management Platform. If you are not familiar with Symantec Management Platform, you may need to review the product documentation for assistance. Symantec Management Platform documentation is available in the Help tab of the management console. You can also download the Symantec Management Platform User Guide at http://www.symantec.com/docs/DOC4730.

Managing mobile devices relies on several services, some of which are unique to the mobile device operating system. Other services are used to generate, provision, and manage trust certificates, and establish server communication. This document assumes that you are familiar with enterprise-class networking technologies, methods, and protocols. You should have a good understanding of establishing trust certificate chains and the services that support them.

This document references several third-party documents that provide details and instructions for implementing the various services that are used with Symantec Mobile Management. You are encouraged to review these documents if you are not already familiar with their subject matter.

Note: Links to third-party documentation are accurate at publication of this document, but may change at the owner's discretion.

Review the list of components and services Symantec Mobile Management uses and familiarize yourself with those that are new to you.

See Components of Mobile Management on page 15.

Components of Mobile Management


The following table contains descriptions of the Mobile Management components and supporting services:

Table 1-1 Mobile Management system components

Component: Mobile Management Servers
Description: All mobile device communications pass through the Mobile Management Server(s).
Required or optional: Required

Component: Symantec Management Console
Description: The Symantec Management Console (or, "console") is a Web-based administration utility that is part of the Symantec Management Platform. After you install Mobile Management, a Mobile Management portion of the console is added on. All of the management tasks that are associated with Mobile Management are accomplished in the console. Note: You must use Internet Explorer 7 or later to access the console.
Required or optional: Required

Component: Mobile Management Agent
Description: The Mobile Management Agent is installed on the managed mobile devices. The agent communicates with the Mobile Management Server and executes the commands and policy settings on the mobile device.
Required or optional: Required

Component: Symantec Management Platform Server
Description: The Symantec Management Platform Server provides the core Symantec Management Platform functionality. The Symantec Management Platform Server communicates with the Mobile Management Server to collect information, provision policies, and to send notifications, software, or alerts to the devices.
Required or optional: Required

Component: Microsoft SQL Server
Description: The Microsoft SQL Server hosts the databases for Mobile Management and Symantec Management Platform Server.
Required or optional: Required

Component: Active Directory or LDAP
Description: Users, groups, and workstations are imported from Active Directory or LDAP.
Required or optional: Required

Component: Certificate Authority
Description: The Certificate Authority manages security credentials and public and private keys for secure communication. Symantec highly recommends a Certificate Authority for a secure environment.
Required or optional: Optional but strongly recommended

Component: SCEP
Description: The Simple Certificate Enrollment Protocol (SCEP) works with the Certificate Authority to issue certificates in large enterprises. It handles the issuing and revocation of digital certificates. The SCEP and Certificate Authority can be located on the same server. See Microsoft SCEP Implementation Whitepaper.
Required or optional: Required if you use a Certificate Authority

Component: Microsoft Exchange ActiveSync
Description: Microsoft Exchange ActiveSync synchronizes the email, contacts, calendar, tasks, and notes that are associated with mailboxes on the Mobile Management Server with devices. See the Microsoft Exchange ActiveSync documentation.
Required or optional: Optional

Component: Apple Push Notification Service
Description: The Mobile Management Server communicates through the Apple Push Notification Service (APNs) to iOS devices. See Setting up an MDM Certificate on page 26. For more information about APNs, see the Apple OS X Developer Library topic Apple Push Notification Service.
Required or optional: Required if you want to manage iOS devices. The Mobile Device Management (MDM) Certificate provides access to APNs.

Component: Mobile Device Management (MDM) Certificate
Description: The Mobile Device Management (MDM) Certificate allows the Mobile Management Server to push commands and Mobile Library items through the Apple Push Notification Service to iOS devices in your environment. See Setting up an MDM Certificate on page 26. See Setting up Mobile Library feeds on page 128.
Required or optional: Required if you want to manage iOS devices

Component: Google GCM
Description: Google Cloud Messaging (GCM) is used to push actions and commands to Android devices. See Setting up Google Cloud Messaging (GCM) on page 22.
Required or optional: Required if you want to push commands to Android devices

See Getting started with Mobile Management on page 14.

Chapter 2

Setting up Mobile Management

This chapter includes the following topics:

- Setting up Mobile Management
- Mobile Management certificate distribution
- Setting up Google Cloud Messaging (GCM)

Setting up Mobile Management


The process for setting up Mobile Management includes the steps you need to take to set up your environment before you install Mobile Management. It also includes the steps you need to take to configure your environment to work with Mobile Management and install the Mobile Management software.

Before you begin, make sure that your environment meets the system requirements and that the required ports are available.

See Mobile Management requirements on page 199.

See Network ports used by Mobile Management on page 202.

Note: You are advised to run the Symantec Mobile Management Prerequisite Check Utility before you begin the installation process. See Running the Symantec Mobile Management Prerequisite Check Utility on page 36.

Table 2-1 Process for setting up Mobile Management

Step 1
Action: Secure your environment.
Description: To secure your environment, you need to set up a Certificate Authority. You can either purchase a commercial Certificate Authority or set up a Certificate Authority yourself. If your environment is already secure, you can skip this step. See Mobile Management certificate distribution on page 21.

Step 2
Action: Set up Simple Certificate Enrollment Protocol (SCEP).
Description: Set up SCEP in your environment. For information about setting up SCEP, see Microsoft SCEP Implementation Whitepaper. If you already have SCEP set up in your environment, you can skip this step.

Step 3
Action: (Optional) Set up a Mobile Device Management Certificate.
Description: If you want to manage iOS devices in your environment, this step is mandatory. See Setting up an MDM Certificate on page 26.

Step 4
Action: Install Mobile Management.
Description: Install the Mobile Management components. See Basic installation workflow for Symantec Mobile Management on page 34.

Step 5
Action: (Optional) Set up additional security in your environment.
Description: For additional security, you can set up profile security in your Mobile Management environment. Profile security lets you encrypt and sign data. To set up profile security, add signing certificates and encryption certificates to your Certificate Authority. See Configuring profile security settings on page 57.

Step 6
Action: Configure Mobile Management in the Symantec Management Console.
Description: Configure and customize the components of your Mobile Management environment in the Symantec Management Console. See Configuring Mobile Management on page 52.

Step 7
Action: (Optional) Set up Exchange ActiveSync.
Description: Set up and configure Exchange ActiveSync to work with Mobile Management. See Setting up Exchange ActiveSync on page 64.

Step 8
Action: (Optional) Set up Google GCM.
Description: Create a GCM Project ID and Server key, and configure Mobile Management to use GCM. See Setting up Google Cloud Messaging (GCM) on page 22.

See Getting started with Mobile Management on page 14. See Components of Mobile Management on page 15.

Mobile Management certificate distribution


The following table contains a list of Mobile Management components and the certificates that should be installed on each of them. Root certificates are only required when you use a non-commercial certificate authority. Root certificates are not needed if you use your own certificate authority for SCEP but use an external certificate authority for Server Authentication Certificates. SSL is not required for SCEP. If you choose to use SSL, you must have the Server Authentication Certificate or Root Certificate installed.

Table 2-2 Mobile Management certificate distribution

Component: Mobile Management server
Certificates:
  Certificate authority: Server Authentication (SSL) Certificate; Root certificate
  Profile Security: Signing Certificate with public and private keys; Encryption Certificate with public key

Component: Symantec Management Platform Server
Certificates:
  Certificate authority: Root certificate

Component: iOS device
Certificates:
  Certificate authority: Server Authentication (SSL) Certificate; Root certificate
  Profile Security: Encryption Certificate with public and private keys

See Setting up Mobile Management on page 19.

Setting up Google Cloud Messaging (GCM)


Google Cloud Messaging (GCM) enables Symantec Mobile Management to quickly communicate with Android mobile devices. GCM lets you push commands to Android devices instead of waiting for the device to check in.

Note: To receive GCM messages, a Google Gmail account must be set up on devices running Android 4.04 or older.

You set up GCM in two phases:

Create a new project at Google's APIs Web site, obtain the Project ID number, and generate a Google API server key.
Configure Symantec Mobile Management to use GCM.


To create a new project and obtain the Project ID number and API server key

1 Go to https://code.google.com/apis/console, sign into your Google account, and then click Create project.

2 On the left side of the APIs Dashboard page, click the drop-down menu and select Create . . .

3 Enter a name for the project and click Create Report.

4 Your browser refreshes and displays a new URL. In the URL, locate the element, #project. Record the number that follows #project. For example, https://console.google.com/apis/console/#project:1066916068160
Note: This number is called the Google Project ID and it is required when you configure Symantec Mobile Management to use GCM.

5 Select your project from the API Project drop-down list and then in the left pane, select Services.

6 Scroll down the page to Google Cloud Messaging for Android, and set the ON/OFF widget to ON.

7 On the Google APIs Terms of Service page, agree to and accept the terms of the agreement.

8 Return to the APIs home page and towards the bottom of the page, click Create new Server key.

9 On the Configure Server Key for My Project panel, you can optionally specify a particular server or servers that can use GCM. Enter the IP address of each server on a separate line. Leave the field blank to allow any server IP address. Check the Google documentation for more information.

10 Click Create. The server key is displayed on the API Access page under Key for server apps (with IP locking). Record the server key string for use in the next procedure.

To configure Symantec Mobile Management to use GCM

1 On the Symantec Management Console, go to Home > Mobile Management > Settings > Android Enrollment.

2 In the right pane, enter the Project ID and API key ("Server Key") you generated in the previous procedure.

3 Click Save changes.

4 On the Mobile Management server go to Start > Administrative Tools > Services and restart the Mobile Management Service Agent.

Mobile Management is now configured to send GCM data to Android mobile devices.

Chapter

Setting up a Mobile Device Management Certificate


This chapter includes the following topics:

About the Mobile Device Management (MDM) Certificate
Setting up an MDM Certificate
MDM Certificate requirements
Exporting an MDM Certificate using Mac OS X
Generating a certificate request
Exporting an MDM Certificate using a Windows Server 2003 or 2008
Installing an MDM Certificate

About the Mobile Device Management (MDM) Certificate


The Mobile Device Management (MDM) Certificate allows the Mobile Management Server to push commands through the Apple Push Notification Service to iOS devices in your environment. The MDM Certificate creates a trust relationship with Apple and functions as a sort of credential for the Apple Push Notification Service servers. All Apple customers who want to communicate with iOS devices have to set up an MDM Certificate.


Setting up an MDM Certificate


You can set up an MDM Certificate on Mac OS X or Windows Server 2003 or 2008. Symantec recommends creating the MDM Certificate on Mac OS X. This task is a step in the process for setting up Mobile Management. See Setting up Mobile Management on page 19.

Table 3-1 Process for setting up a Mobile Device Management Certificate on Mac OS X

Step 1
Task: Create and export an MDM certificate.
Description: After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server. See Exporting an MDM Certificate using Mac OS X on page 28.

Step 2
Task: Have certificate signed by Symantec.
Description: Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec.

Step 3
Task: Install the certificate.
Description: You must install the MDM Certificate on all the Mobile Management servers in your environment. See Installing an MDM Certificate on page 30.

Table 3-2 Process for setting up a Mobile Device Management Certificate on a Windows Server 2003 or 2008

Step 1
Task: Generate a certificate request.
Description: To create an MDM Certificate on a Windows Server 2003 or 2008, you must first generate a certificate request. See Generating a certificate request on page 29.

Step 2
Task: Have certificate signed by Symantec.
Description: Contact your Symantec Partner or Sales Engineer to submit the certificate for signing by Symantec.

Step 3
Task: Install the certificate.
Description: You must install the MDM Certificate on all the Mobile Management servers in your environment. See Installing an MDM Certificate on page 30.

See About the Mobile Device Management (MDM) Certificate on page 25.

MDM Certificate requirements


Be sure that your environment meets the requirements for setting up an MDM Certificate. This topic is part of the process for setting up an MDM Certificate. See Setting up an MDM Certificate on page 26.

Table 3-3 MDM Certificate requirements

Requirement: Hardware and software requirements
Description:
  One or more server(s) running the current version of Windows Server 2003 or 2008.
  Apple Safari, Mozilla Firefox, or Google Chrome Web browser.
  (Optional but recommended) Mac computer running the current version of Mac OS X.

Requirement: MDM Certificate Signing Request (CSR) signed by Symantec
Description: You must contact Symantec directly to acquire the signed MDM Certificate.

Exporting an MDM Certificate using Mac OS X


After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server. This task is a step in the process for setting up an MDM Certificate. See Setting up an MDM Certificate on page 26.

To create and export an MDM Certificate using Mac OS X

1 Open Keychain Access.

2 Under Keychains in the left pane, select login.

3 Under Categories, select Certificates.

4 Select your Apple Development Push Services or Apple Production Push Services Certificate.

5 Choose File > Export Items....

6 Select Personal Information Exchange as the file format and click Save.

7 Enter a password to lock the MDM Certificate and click OK.

8 Enter your logon key chain password. This password is your Apple computer account password.

9 Click Allow.

10 Transfer the MDM Certificate that you created to the computer running the Mobile Management server.


Generating a certificate request


To create an MDM Certificate on a Windows Server 2003 or 2008, you must first generate a certificate request. This task is a step in the process for setting up an MDM Certificate. See Setting up an MDM Certificate on page 26.

To generate a certificate request

1 Select Start > Control Panel > Administrative Tools.

2 Select Internet Information Services (IIS) Manager.

3 Select the server, and then double-click Server Certificates.

4 On the Actions menu, click Create Certificate Request. Enter the following information:

  Common Name - The name that is attached to your certificate request.
  Organization - The name of your organization.
  Organizational unit - The name of the group or department within your organization.
  City/locality - The city or locality where your organization is located.
  State/province - The state or province where your organization is located.
  Country/region - The country or region where your organization is located.

5 Click Next.

6 In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic service provider. Select 2048 for the Bit length. Click Next.

7 In the File Name window, type a file path and name or click the ellipsis button to browse.

8 Click Finish to generate and save the certificate request.

Exporting an MDM Certificate using a Windows Server 2003 or 2008


After you create the MDM Certificate, you need to export it so you can transfer it to your Mobile Management server. This task is a step in the process for setting up an MDM Certificate.

See Setting up an MDM Certificate on page 26.

To create and export an MDM certificate using a Windows Server 2003 or 2008

1 Select Start > Control Panel > Administrative Tools.

2 Select Internet Information Services (IIS) Manager.

3 Select the server, and then double-click Server Certificates.

4 In the Actions menu, click Complete Certificate Request.

5 In the Specify Certificate Authority Response window, click the ellipsis button and browse to the Apple Push Notification Service SSL certificate that you downloaded previously. In the Friendly name field, enter a friendly name. Click OK.

6 Select the Server Certificate with the friendly name that you entered in step 5.

7 In the Actions menu, click Export.

8 In the Export Certificate window, click the ellipsis button and browse to the location where you want to export the MDM Certificate.

9 In the Password field, enter a password to secure the MDM Certificate.

10 Click OK.

11 Transfer the MDM Certificate that you created to the computer running the Mobile Management server.

Installing an MDM Certificate


You must install the MDM Certificate on all the Mobile Management servers in your environment. This task is a step in the process for setting up an MDM Certificate. See Setting up an MDM Certificate on page 26.


To install an MDM Certificate on Windows Server 2003

1 Download and install the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) from the following Web site: http://www.microsoft.com/downloads/en/detials.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

2 Open a command prompt window and navigate to the install directory of the Windows HTTP Services Certificate Configuration Tool.

3 Execute the following command:

  winhttpcertcfg -i <PathToMDMCertificate> -c LOCAL_MACHINE\My -a "NETWORK SERVICE" -p <Password>

To install an MDM Certificate on Windows Server 2008

1 Click Start and then click Run.

2 In the command prompt, type mmc and then click OK to open the Microsoft Management Console.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in....

4 Click Certificates in the Available snap-ins box and then click Add.

5 In the Certificates snap-in window, select Computer account, and then click Next.

6 Click Finish and then click OK.

7 Expand Certificates, right-click the Personal tree node, and select All Tasks > Import.

8 In the wizard, point to the MDM Certificate and provide the password you entered to secure it. Complete the steps in the wizard.

9 Expand Personal and double-click the Certificates folder.

10 Right-click the MDM Certificate you installed and select All Tasks > Manage Private Keys.

11 In the Security tab, add the Network Service account and provide Read access.
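
One way to confirm the result of the Windows Server 2008 procedure above, as an added example that is not part of the Symantec guide: this PowerShell script checks that the imported MDM Certificate is in the Local Computer Personal store, is within its validity period, has a private key of at least 2048 bits, and that Network Service (and no broad group) can read the key file. The script name Test-MdmCertificate.ps1 and the -Thumbprint parameter are hypothetical, and the script assumes a CSP-backed key such as the Microsoft RSA SChannel provider selected in Generating a certificate request.

```powershell
# Test-MdmCertificate.ps1 (hypothetical name) - added example, not Symantec code.
# Assumes Windows Server 2008 and a CSP-backed RSA key stored in the machine key store.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint    # copy from the certificate's Details tab; spaces are ignored
)

$networkServiceSid = 'S-1-5-20'    # well-known SID of NT AUTHORITY\NETWORK SERVICE
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readRight = [int][System.Security.AccessControl.FileSystemRights]::Read
$findings = @()

# The Details tab shows the thumbprint with spaces; strip everything that is not hex.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) {
    throw "No certificate with thumbprint $wanted in the Local Computer Personal store."
}

# 1. Validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 2. Key length (the certificate request procedure selects 2048).
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    $findings += "Public key is $keySize bits; the certificate request procedure uses 2048."
}

# 3. Private key present and readable by Network Service.
if (-not $cert.HasPrivateKey) {
    $findings += 'Certificate has no private key; re-import the exported file that contains it.'
} else {
    $rsa = $null
    try { $rsa = $cert.PrivateKey } catch { }    # throws for keys that are not CSP-backed
    if (-not $rsa -or -not $rsa.CspKeyContainerInfo.MachineKeyStore) {
        $findings += 'Private key is not a CSP key in the machine key store; check its ACL manually.'
    } else {
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $keyFile = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        if (-not (Test-Path -Path $keyFile)) {
            $findings += "Key container file not found: $keyFile"
        } else {
            # Read the ACL with identities as SIDs so the check works on localized systems.
            # Only Allow entries are evaluated; a Deny entry would still override them.
            $sidType = [System.Security.Principal.SecurityIdentifier]
            $allow = (Get-Acl -Path $keyFile).GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.AccessControlType -eq 'Allow' }

            $nsRead = $allow | Where-Object {
                $_.IdentityReference.Value -eq $networkServiceSid -and
                ([int]$_.FileSystemRights -band $readRight) -eq $readRight
            }
            if (-not $nsRead) {
                $findings += 'Network Service does not have Read access to the private key.'
            }

            # Least privilege: the key should not be readable by broad groups.
            foreach ($rule in $allow) {
                $sid = $rule.IdentityReference.Value
                if ($broadSids.ContainsKey($sid)) {
                    $findings += "Private key grants $($rule.FileSystemRights) to $($broadSids[$sid])."
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) is installed and its private key is readable by Network Service."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the script from an elevated PowerShell prompt on each Mobile Management server, passing the thumbprint shown on the certificate's Details tab.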


Chapter

Installing Mobile Management


This chapter includes the following topics:

About installing Mobile Management
Basic installation workflow for Symantec Mobile Management
Running the Symantec Mobile Management Prerequisite Check Utility
Installing Mobile Management on an existing Symantec Management Platform server
Installing Mobile Management on a new server
Rolling out the site server
Downloading and installing the Mobile Management Agent app
Enrolling a mobile device

About installing Mobile Management


Mobile Management is installed onto the Symantec Management Platform. The installation adds the Mobile Management user interface section to the Symantec Management Console and adds the Mobile Management software components to the Symantec Management Platform server. Once you have installed Symantec Management Platform and Mobile Management Solution, you can deploy Mobile Management server components to additional servers. You can have one or more Mobile Management site servers in your environment.

If you already have the Symantec Management Platform installed, you can proceed with the installation immediately. See Installing Mobile Management on an existing Symantec Management Platform server on page 37.

If you have not previously installed Symantec Management Platform, you begin by downloading Symantec Installation Manager and Symantec Management Platform. See Installing Mobile Management on a new server on page 37.

Basic installation workflow for Symantec Mobile Management


Table 4-1 depicts the basic approach to installing and working with Symantec Mobile Management.

Table 4-1 Basic installation workflow

Step 1
Task: Run the Symantec Mobile Management Prerequisite Check Utility.
Description: Symantec Mobile Management has specific hardware and software requirements. Run the Prerequisite Check Utility to make sure that your environment is prepared to host the server and the database components. See Running the Symantec Mobile Management Prerequisite Check Utility on page 36.

Step 2
Task: Download and install Symantec Mobile Management 7.2.
Description: You download Symantec Mobile Management using Symantec Installation Manager. If an instance of Symantec Management Platform is not already installed, you first download Symantec Management Platform, which includes Symantec Installation Manager. See Installing Mobile Management on an existing Symantec Management Platform server on page 37. See Installing Mobile Management on a new server on page 37.

Step 3
Task: Roll out the site server.
Description: Post-installation, you roll out one or more site servers. See Rolling out the site server on page 39.

Step 4
Task: Configure the site server to communicate with iOS devices.
Description: To use iOS devices, you must configure the site server components and services. See Configuring the site server and enrollment settings on page 53.

Step 5
Task: Download the Mobile Management agent.
Description: Concurrently with or after server installation, mobile device users download the Symantec Mobile Management Agent app from the application venue appropriate for their device. See Downloading and installing the Mobile Management Agent app on page 39.

Step 6
Task: Enroll a managed device.
Description: Device owners use the Symantec Mobile Management Agent app to enroll their device with the Symantec Mobile Management site server. See Enrolling a mobile device on page 40.

Step 7
Task: Manage a device.
Description: You issue a management policy to the mobile device that specifies the management profile for the device. The Agent app interprets the policy and takes any actions that the policy specifies. See Creating policies on page 93.

Running the Symantec Mobile Management Prerequisite Check Utility


The Symantec Mobile Management Prerequisite Check Utility verifies that the system requirements and other prerequisites are met before the application is installed. The prerequisite checker requires Microsoft .NET 3.5, which is usually part of your Symantec Management Platform instance. Make sure that .NET 3.5 is installed before you run the check utility.

To run the Symantec Mobile Management Prerequisite Check Utility

1 Go to http://www.symantec.com/docs/HOWTO77182 and download PrerequisiteVerification.ZIP.

2 Follow the on-screen instructions to run the checker.

3 Correct any flagged requirements or configuration upgrades.

See Basic installation workflow for Symantec Mobile Management on page 34.


Installing Mobile Management on an existing Symantec Management Platform server


This procedure installs Mobile Management onto an existing Symantec Management Platform server and adds the Mobile Management section to the Symantec Management Console.

To install Symantec Mobile Management 7.2 on an existing Symantec Management Platform instance

1 Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).

2 On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2 SP1.

3 Accept the terms of the license agreement and click Next.

4 Follow the instructions that are provided in the wizard to complete the installation.

See Basic installation workflow for Symantec Mobile Management on page 34.

Installing Mobile Management on a new server


If you do not have the Symantec Management Platform installed, you download Symantec Management Platform and the Mobile Management software in a single process. You first download and install Symantec Installation Manager. Go to go.symantec.com/Get_Mobile_Management, and log into your Symantec account. If you do not have an account, a registration link is provided on the Web page.


Downloading and installing Symantec Installation Manager

1 On the Software Download page for Symantec Mobile Management, click Download Now.
Note: The download includes Symantec Installation Manager and Symantec Management Platform.

2 Follow the on-screen instructions to set up Symantec Installation Manager.

3 At the end of the installation, check Automatically launch Symantec Installation Manager, and then click Finish.
Note: If an update to Symantec Installation Manager is available, you are prompted to download and install the update.

Installing Symantec Management Platform and Symantec Mobile Management 7.2 SP1

1 In Symantec Installation Manager, on the Install New Products page, in the Available products list, select the following items:

  Symantec Management Platform 7.1 SP2
  Symantec Mobile Management 7.2 SP1

Note: To quickly locate the software, set the left filter option to Filter by Product Type and the right filter option to Filter: None and then enter mobile management into the search field.

2 Click Review selected products, verify that the correct products are selected, and then click Next.

3 On the End User License Agreement page, accept the terms of the license and click Next.
Note: A 30 day trial license to enroll up to 25 devices is provided with Symantec Mobile Management. To use the trial license, skip the option to add a license. See Using the trial license on page 46.

4 On the Install Readiness Check page, verify that the computer meets the minimum requirements and then click Next.

5 The installer prompts you to configure the server and the database. For instructions to configure the components, see the Symantec Management Platform 7.1 SP2 Installation Guide at http://www.symantec.com/docs/DOC4798. After you configure the components, click Next.

6 Skip the page, Computers to Manage, and then click Begin install.

7 Wait for the installer to complete and then click Finish.

See Basic installation workflow for Symantec Mobile Management on page 34.

Rolling out the site server


Site servers aggregate device administration and communication, and enable multi-site architectures. You deploy site servers through the Symantec Management Console. You can install multiple site servers to improve network performance and enhance administrative capability.

Note: Site server computers must have the Symantec Management Agent installed. For more information about setting up site servers, see the Symantec Management Platform 7.1 SP2 Installation Guide at http://www.symantec.com/docs/DOC4798.

Roll out the site server

1 In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.

2 Under Site Server Rollout and Settings, on the toolbar, click New.

3 Enter the name and IP address of the site server computer, and then click Save changes.

See Basic installation workflow for Symantec Mobile Management on page 34.

Downloading and installing the Mobile Management Agent app


You download the Mobile Management Agent app to your mobile device from the app venue that is appropriate for the mobile device. After the app is installed, it is used to enroll the device so that it can accept and enact management policies on the mobile device.

Download the app from one of the following locations:

iOS - App Store
Android - Android Market
Windows - Windows Phone Marketplace

To download the Mobile Management agent to a mobile device

1 For Android devices only, first set your device's app installation settings to Allow Installation of non Market Applications and to allow Unknown Sources.

2 Go to the app venue for your device and download the Symantec Mobile Management Agent app.
Note: Search for Symantec MGMT or Symantec Mobile Agent.

3 Follow the procedure for your mobile device to install the app.

See Enrolling a mobile device on page 40. See Basic installation workflow for Symantec Mobile Management on page 34.

Enrolling a mobile device


Managing mobile devices with Symantec Mobile Management requires that they are enrolled with the Symantec Mobile Management server.

To enroll a mobile device

1 On your mobile device, start the Symantec Mobile Management Agent app.

2 On the enrollment screen, provide the following information:

  The URL of the management server.
    For Android, go to: [server]/MobileEnrollment/SYMC-androidenroll.aspx
    For iOS, go to: [server]/MobileEnrollment/SYMC-iOSenroll.aspx
    For Windows Phone, go to: [server]/MobileEnrollment/SYMC-WPenroll.aspx
    Where [server] is the name of the site server computer that you want the device to enroll with.

  Your domain user name and password.

  Note: URLs are not case sensitive.

3 Tap Enroll to complete the enrollment process.

The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time. You can also set up DNS to allow iOS users to enter an email address instead of the URL. See Changing the enrollment URL to an email address for iOS devices on page 144. Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.


Chapter

First-run diagnostic check and status report


This chapter includes the following topics:

First-run diagnostic check and status report

First-run diagnostic check and status report


When you start Symantec Mobile Management for the first time, a default Mobile Management Status page is displayed. This page shows the current state of several important system components. The indicators provide inter-program links to the appropriate component option and configuration UI pages.

Post-installation, the page is always available in the console at Home > Mobile Management > Overviews and Reports > Mobile Management Status. You can optionally enable the Mobile Management Status page as your default Mobile Management portal page.

Properly functioning components display a green checkmark icon, and components in an error state show a warning triangle icon. Components in an error state display either a View link or a Fix link. View links are displayed when there is more than one cause for the error. Fix links are displayed for specific errors. When you click either type of link, the console displays the portion of the UI that requires attention. On the pages that require attention, error conditions and their details appear in red. Assistance is provided in the UI to complete the prescribed repair or configuration activities. If no action is required, links are not displayed and the status message indicates that the readiness checks completed successfully.

With the exception of the Mobile Management Server Status, the other checks are optionally selectable. For instance, if you do not manage Windows Phone devices, you can leave the Windows Phone Enrollment Readiness Status turned off.

The Mobile Management Status page displays information and, as appropriate, Fix links for the following components:

Mobile Management Server Status - Checks for the presence, connectivity, and general state of the main server component.
iOS Enrollment Readiness Status - Tests for APNS functionality and account information.
Android Enrollment Readiness Status - Tests for the presence of Google GCM account information.
Windows Phone Enrollment Readiness Status - Checks that all required Windows Phone enrollment components are in place and working.
Exchange ActiveSync Readiness Status - Checks that Exchange ActiveSync functionality is enabled and that the Mobile Management Server can connect to the Exchange ActiveSync interface instance.
DLP Readiness Status - Checks for proper configuration of the Data Loss Prevention components.

Chapter

Licensing Symantec Mobile Management 7.2


This chapter includes the following topics:

Licensing basics
Using the trial license
Using a license purchased before installing Symantec Mobile Management
Adding or updating a Symantec Mobile Management license
Licensing status summary

Licensing basics
For use beyond the trial license period, Symantec Mobile Management requires a paid license. You purchase a license based on the number of managed mobile devices. You purchase licenses from your Symantec Sales Partner or sales representative.

Note: Mobile devices or devices refers to both the physical and the emulated forms of the mobile devices that run any of the supported operating systems. The terms of the license apply equally regardless of form or operating system.

Each managed device comprises a single licensing node within the product license. When you purchase a license, you purchase licensing for a specific number of nodes. For instance, you purchase a 500-node license to manage 500 devices.

For more information about licensing Symantec products, go to http://www.symantec.com/products/licensing/.


Using the trial license


When you install Symantec Mobile Management, you are prompted to install a license. If you have not purchased a license, you skip this step and the trial license is invoked automatically. The trial license is for 25 nodes and expires 30 days after the initial installation of Symantec Mobile Management. The License Report shows the status of your trial license and the number of enrolled devices. Each enrolled device uses one node of the license regardless of form or operating system. For more information, see Licensing alerts and reports.

Using a license purchased before installing Symantec Mobile Management


If you purchase a license before you install the product, you install the license during the installation procedure. The installer prompts you to provide a license file and then proceed with the installation. The license file is sent to you by email when you complete your license purchase. Note: The license file must be accessible from the computer that hosts the installation of Symantec Mobile Security. After installation, the License Report and License Overview reflect the paid license, its expiry date, and the number of available license nodes.

Adding or updating a Symantec Mobile Management license


Use the following procedure to:

Add a license when Symantec Mobile Management is already installed
Upgrade from the Trial license
Extend an existing paid license
Add more nodes to an existing license

Note: The license file must be accessible from the computer that hosts the installation of Symantec Mobile Management.


Adding a license after installing Symantec Mobile Management

1 Open Symantec Installation Manager.
Note: Symantec Installation Manager is installed with Symantec Management Platform.

2 Click Add/Update License, and then provide the required information.

3 When prompted to install the license, click Yes.

Licensing status summary


The License status summary provides information about the number of licensed nodes used, the status of licenses, and license timeframe information. On the console, go to Home > Mobile Management > Overview and Reports > License status.

Note: In the License status summary, a licensed node is implied by the term license.


Chapter

Upgrading to Symantec Mobile Management 7.2


This chapter includes the following topics:

- Upgrading Symantec Mobile Management
- Upgrading the Symantec Mobile Management device Agent

Upgrading Symantec Mobile Management


Use the following procedure to update to the latest version of Symantec Mobile Management:

Warning: This update to Symantec Mobile Management 7.2 SP1 can result in the loss of WiFi connectivity for managed iOS devices. The managed devices that have a WiFi profile are affected. Read the knowledge base article TECH194739, Loss of Device Wi-Fi Communication After Upgrade of SMM to 7.2 SP1, for more information about this issue.

Some installations may also lose authentication services. For more information and instructions to correct the problem, see the Symantec knowledge base article, Authentication stops working after upgrading to Symantec Mobile Management 7.2 SP1 at http://www.symantec.com/docs/TECH197019.

To upgrade Symantec Mobile Management

1 You upgrade Mobile Management through the Symantec Installation Manager. Go to Start > All Programs > Symantec > Symantec Installation Manager.
2 On the Installed Products page, click View and install updates.
3 Select Symantec Mobile Management 7.2 SP1 and click Next.
4 On the Optional Installations page, click Next.
5 Accept the EULA and click Next.
6 On the Contact Information page, click Next.
7 Verify the installation details and click Next.
8 On the Installation Complete page, click Finish.

After you install Mobile Management 7.2 SP1, you must upgrade Mobile Management servers manually in the Symantec Management Console to complete the upgrade. Use this procedure to upgrade Symantec Mobile Management servers:

Upgrading the Mobile Management Server manually

1 In the Symantec Management Console, click Home > Mobile Management > Settings > Mobile Management Server Settings.
2 In the right pane, highlight the site server and then on the toolbar, click Upgrade.
3 Repeat Step 2 for each server.
4 Click Save changes.

For more information about upgrading the products that use the Symantec Management Platform, see Symantec Knowledge-base article HOWTO 44338, Installing an update or an additional product.

Upgrading the Symantec Mobile Management device Agent


Device owners can download the new version of the Symantec Mobile Management 7.2 SP1 Agent app from the app venue that is appropriate for their device operating system. The process to upgrade the agent is the same as when you download and install a new agent. See Downloading and installing the Mobile Management Agent app on page 39.

Chapter

Configuring Mobile Management


This chapter includes the following topics:

- About configuring Mobile Management
- Configuring Mobile Management
- Generating and installing an Apple Push / MDM Certificate
- Configuring the site server and enrollment settings
- Configuring profile security settings
- Configuring iOS device MDM enrollment
- Adding additional configuration profiles
- Adding non-approved platforms
- Using Symantec Managed PKI services with Symantec Mobile Management
- Configuring app compliance
- Configuring device naming

About configuring Mobile Management


After all of the components of your Mobile Management environment are set up, you need to configure them to work with Mobile Management. See Configuring Mobile Management on page 52.


Configuring Mobile Management


You configure and customize the components of your Mobile Management environment in the Symantec Management Console. See Setting up Mobile Management on page 19.

Table 8-1 Process for configuring Mobile Management

Step 1
Task: (Optional) Set up the Apple Push / MDM Certificate.
Description: To manage iOS devices, you must install an MDM Certificate from Apple. See Generating and installing an Apple Push / MDM Certificate on page 53.

Step 2
Task: (Optional) Configure the site server and enrollment settings.
Description: If you want to manage iOS devices in your environment, this step is required. See Configuring the site server and enrollment settings on page 53.

Step 3
Task: (Optional) Configure profile security settings.
Description: If profile security is set up in your environment, you can complete this step. See Configuring profile security settings on page 57.

Step 4
Task: (Optional) Configure iOS device MDM enrollment.
Description: If you set up the MDM Certificate to manage iOS devices, this step is required. See Configuring iOS device MDM enrollment on page 58.

Step 5
Task: (Optional) Add additional configuration profiles.
Description: If you want to send configuration profiles to all iOS devices on enrollment, you can add configuration profiles during setup. See Adding additional configuration profiles on page 58.

Step 6
Task: (Optional) Configure Google GCM for Android devices.
Description: If you want to push commands to Android devices, you must set up GCM. See Setting up Google Cloud Messaging (GCM) on page 22.

Generating and installing an Apple Push / MDM Certificate


After you install the MDM Certificate on your Mobile Management servers, you must configure Mobile Management to use the MDM Certificates. See Setting up an MDM Certificate on page 26.

To generate and install the Apple Push / MDM Certificate

1 On the console, go to Home > Mobile Management > Settings > iOS Enrollment.
2 In the right pane, under Apple Push / MDM Certificate, click Request Signed CSR File.
3 Follow the instructions that are provided at the CSR request Web site.
  Note: You are directed to upload the signed CSR to Apple. Apple sends you the certificate in a separate email.
4 After you receive the certificate from Apple, click Import to complete the installation of the certificate.
5 Click Save changes.

Configuring the site server and enrollment settings


These procedures establish the site server for Mobile Management and configure enrollment settings.

To configure the site server

1 In Symantec Management Console, go to Home > Mobile Management > Settings > Mobile Management Servers.
2 In the right pane, under Mobile Management Server Rollout and Settings, on the toolbar, click New. Computers that are qualified to operate as a site server appear in a list.
3 Select the computer you want to use as a site server and then click OK.
  Note: Site server computers must have the Symantec Management Agent installed, and use Windows Server 2008 R2. For more information about the Symantec Management Agent and system requirements, see the Symantec Management Platform Installation Guide at http://www.symantec.com/docs/DOC4798.

Configuring general enrollment settings

In the left pane, select General Enrollment. In the right pane, select the options you require, as follows:

- Enable Authentication Check. If you check this option, you must enter your server information. The server information is used to validate the user name and password from the agent's enrollment page. If you do not check this option, users without credentials can enroll their device and access content and information in the Mobile Management Agent. You can also enter a list of Allowed Groups. The allowed groups are AD or LDAP groups. If you enter a list of groups in this field, only users in those groups can enroll. Enter the groups with a pipe character between them; for example, Sales|Engineering|Marketing.
- Optionally add the following information:
  Support Company - This information appears on the Mobile Management Agent's About page.
  Support Phone - This information appears on the Mobile Management Agent's About page.
  Support URL - This information appears on the Mobile Management Agent's About page.
- Agent Settings allow you to set the reporting interval and policy update frequency.
- If you require device owners to accept an End User License Agreement (EULA), enable Require EULA acceptance. If you check this option, any user who does not accept the EULA is not enrolled. Select the language for the EULA text, and replace the default text with your own.
- If you want to track which enrolled devices are corporate and which devices are personal, enable the Corporate device option. Device owners are presented with a selection option upon enrollment, to choose Corporate or Personal. If this option is not checked, no option is presented to the device owner and no ownership distinction is made in the reports.

(Optional) To change the site server from using FQDN to an IP address, in the Site Server Rollout and Settings section select the server. Click the edit button (pencil icon). For each server connection, check Override server connection info and in the Server name override field, enter the IP address. In the Port field, enter 80 and click Save changes.

Check Manual Settings if you want to edit web.config files manually. If you check Manual Settings, the Mobile Management Server files and configuration files are not automatically updated. Check Https to force device communication over https instead of http.

It can take up to 15 minutes for the settings to be applied to the site server.

Click Save changes.

Configuring iOS enrollment settings

1 In Symantec Management Console, go to Home > Mobile Management > Settings > iOS Enrollment.
2 Configure the following options as needed to meet your requirements:
  - Allow Jailbroken Devices. If you check this option, any device that fails the jailbreak test during enrollment is not managed. Jailbroken devices can enroll, but they cannot see content in the Mobile Library.
  - Minimum OS Version. Devices with operating system versions that are earlier than the values in the fields on this page are not allowed to enroll. These fields default to the earliest version of each OS that is supported by Mobile Management. You can only set a single value for all devices of each operating system. Leaving the fields empty defaults the configuration to the earliest supported version of each operating system.
3 To manage and push notifications, you must install an SSL certificate from Apple. Follow the steps that are provided in the UI under Apple Push / MDM Certificate.
4 If you want to secure the management profiles that are sent to the devices, add the chain-of-trust certificate information in the following fields:
  - Profile Signing Cert Thumbprint. The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
  - Profile Encryption Cert Thumbprint. The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
  - Device Decryption Cert Config. The credential payload that is placed on devices for decryption.
  - Device Signing Validation Cert Config. The credential payload that is placed on devices to validate signing.
  - Device Signing/Encryption Root Cert Config. The credential payload that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
5 Under SCEP, select the SCEP provider.
6 If you use Microsoft NDES, select Microsoft NDES and enter the requested information.
7 If you use Symantec MPKI services, select Symantec MPKI and enable Symantec MPKI integration. Enter the thumbprint and Symantec MPKI URL.
  Note: You must have a Symantec Managed PKI account to use this service. Contact your Symantec Partner or sales representative for more information.
8 Under Additional Configuration Profiles, click the yellow star and add the Root CA certificate.
9 Click Save changes.

Configuring Android enrollment settings

1 In Symantec Management Console, go to Home > Mobile Management > Settings > Android Enrollment.
2 In the right pane, optionally allow devices that have been jailbroken and set the minimum OS version that is allowed.
  Note: Android version 2.2 is the earliest allowed.
3 Enter the Project ID and Server key you generated for use with GCM. See Setting up Google Cloud Messaging (GCM) on page 22.
4 Click Save changes.


Configuring Windows Phone enrollment settings

1 In Symantec Management Console, go to Home > Mobile Management > Settings > WP Enrollment.
2 In the right pane, set the minimum version of Windows Phone to allow.
3 Click Save changes.

Configuring profile security settings


If you set up profile security in your Mobile Management environment, you can configure the security settings of the profile security to work with Mobile Management. This task is a step in the process for configuring Mobile Management. See Configuring Mobile Management on page 52.

To configure profile security settings

1 In the Symantec Management Console, click Home > Mobile Management.
2 In the left pane, expand Settings and click Mobile Management Server settings.
3 In the Mobile Management Server Settings pane, click Profile Security.
4 Enter one or more of any of the following settings:
  - Profile Signing Cert Thumbprint - The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
  - Profile Encryption Cert Thumbprint - The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
  - Device Decryption Cert Config - The credential payload that contains a certificate that is placed on devices for decryption.
  - Device Signing Validation Cert Config - The credential payload that contains a certificate that is placed on devices to validate signing.
  - Device Signing/Encryption Root Cert Config - The credential payload that contains a root certificate that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
5 Click Save changes.


Configuring iOS device MDM enrollment


If you set up the MDM Certificate to manage iOS devices, you must set up iOS device MDM enrollment. The Mobile Management server settings must be configured to include a cryptographic credential that is created during MDM Credential setup. The settings that you configure control how enrollment occurs and where iOS device users can get help. The settings also define how messages are sent to the Apple Push Notification Service. In addition, they define how the configuration profiles that are sent to iOS devices are secured against tampering or viewing by third parties.

To configure iOS device MDM enrollment

1 In the Symantec Management Console, click Home.
2 Expand Configuration and click iOS MDM Enrollment Configuration.
3 In the Push Certificate Subject field, enter the subject of the Apple Push Notification Service certificate that is used for MDM. For more information, see the MDM Certificate Guide for iOS.
4 If you use a development MDM Certificate and not a production certificate, select the Use Development APNS Server.
  Warning: The state of the checkbox must match the state of the checkbox for Use Development APNS on the APNS tab of the Mobile Management server settings.
5 In the Cryptographic credential used for authentication field, choose the credential for Mobile Management to use for iOS device identification purposes.
6 Click Save changes.

Adding additional configuration profiles


If you want to send configuration profiles to all iOS devices on enrollment, you can add configuration profiles during setup. Adding configuration profiles at this point adds a point of failure. Therefore, if any configuration profiles do not successfully install on the iOS devices, the entire enrollment fails and rolls back. Symantec recommends that you only send credentials profiles during enrollment. Symantec also recommends that you do not send policies that contain passcodes or restrictions during setup.


See Configuring Mobile Management on page 52.

To add additional configuration profiles

1 In the Symantec Management Console, click Home > Mobile Management.
2 In the left pane, expand Settings > iOS Enrollment.
3 Under Additional Configurations, click the yellow star button.
4 In the Select Mobile Configuration window, select the configuration profile to include, and click OK. See Creating configuration profiles on page 96.
5 Click Save changes.

See About configuration profiles on iOS devices on page 95.

Adding non-approved platforms


When you configure the Mobile Management site server you can add a list of non-approved iOS platforms. Non-approved iOS platforms must be entered in a specific way.

To add non-approved platforms

1 Enter the values in Table 8-2 based on the devices you want to block.
2 Separate the values with the pipe character. For example, iPhone1,2|iPod2,1.

Table 8-2 Non-approved platform values

Value        Description
iPad1,1      First-generation iPad
iPad2,1      Second-generation iPad WiFi
iPad2,2      Second-generation iPad GSM
iPad2,3      Second Generation iPad CDMA
iPhone1,1    iPhone 2G/Edge
iPhone1,2    iPhone 3G
iPhone2,1    iPhone 3Gs
iPhone3,1    iPhone 4
iPhone3,3    iPhone 4 CDMA
iPod1,1      First-generation iPod touch
iPod2,1      Second-generation iPod touch
iPod3,1      Third-generation iPod touch
iPod4,1      Fourth-generation iPod touch

See Configuring the site server and enrollment settings on page 53.

Using Symantec Managed PKI services with Symantec Mobile Management


Symantec Managed PKI (MPKI) services provide an alternative to using the Microsoft SCEP certificate distribution infrastructure. To use Symantec MPKI services, you must set up an account with Symantec. If you do not already have an account, contact your Symantec Partner for information and assistance to set up Symantec MPKI services in your environment.

You can also register for a Symantec MPKI service testing account at: https://testdrive-pki-account.symauth.com/account-manager/test-drive/new.xhtml

Additional information about Symantec MPKI services is available at: http://www.symantec.com/verisign/managed-pki-service/?tid=gnps

Once you have your Symantec MPKI account set up, you configure the Mobile Management Server settings to use the service. Use the following procedure to configure the server:

To enable Symantec MPKI on Symantec Mobile Management

1 On the console, go to Home > Mobile Management > Settings > Mobile Management Server Settings and click the Symantec MPKI tab.
2 Place a checkmark next to Enable Symantec MPKI integration.
3 Enter the Root authority certificate thumbprint for your instance of Symantec MPKI.
4 Enter the URL for the Symantec MPKI server that your account uses.
5 Click Save changes.

See Configuring Mobile Management on page 52.


Configuring app compliance


You can define a blacklist for apps that must not be installed on managed iOS or Android devices.

To set iOS app compliance

1 On the console go to Home > Mobile Management > Settings > iOS App Compliance.
2 In the right pane, click the yellow star icon and provide the following information:
  - A name for the rule.
  - For Package name, first select one of the logical operators and then choose the app from the dropdown list.
  - For App version, first select one of the logical operators and enter the version number for the blacklisted app.
3 Click OK.

To set Android app compliance

1 On the console go to Home > Mobile Management > Settings > Android App Compliance.
2 In the right pane, click the yellow star icon and provide the following information:
  - A name for the rule.
  - For Package name, first select one of the logical operators and then choose the app from the dropdown list.
  - For App version, first select one of the logical operators and enter the version number for the blacklisted app.
3 Click OK.

Adding apps to the list of available apps for blacklisting


You can import the app inventory from devices and add it to the list of available apps that can be blacklisted. The apps you add to the list appear in the dropdown list when you set iOS or Android app compliance. See Configuring app compliance on page 61.


To add apps to the list of available apps for blacklisting

1 Go to Home > Mobile Management > Settings and choose either iOS App Compliance or Android App Compliance.
  Note: The apps you add apply only to the operating system you select in this step. Repeat this procedure for each device operating system.
2 On the toolbar, click the Import apps from devices icon (white square with a blue arrow).
3 Use the device filter to identify the device with the apps you want to import. The list of apps on the device appears in the Available items list.
4 Do one of the following:
  - Click the >> button to add all of the apps to the available apps pool.
  - Highlight an app and click the > button.
  Note: You remove apps from the list with the << and < buttons.
5 Click OK.

Configuring device naming


You can configure how mobile devices appear in the lists and reports for Mobile Management. The procedure is the same for either iOS or Android:

To configure device naming

1 On the console, go to Home > Mobile Management > Settings, and select either iOS Device Naming or Android Device Naming.
2 In the right pane, select and order the available fields. Select a field in the Available fields box and use the > button to move it to the Selected fields box. Change the order as needed with the Move up and Move down buttons. A live sample displays how the device names appear in lists and reports.
3 For Android only, specify an email domain to include only the email accounts that use the specified domain.
4 Click Save changes.

Chapter

Setting up Exchange ActiveSync


This chapter includes the following topics:

- About using Exchange ActiveSync with Mobile Management
- Setting up Exchange ActiveSync
- Enabling the Exchange ActiveSync functionality
- Configuring the SymantecEASService NT
- Selecting the Exchange ActiveSync server
- Restarting the Mobile Management Service Agent
- Verifying the SymantecEASService configuration
- Configuring Symantec Mobile Management to work with Exchange 2010
- Impact on Exchange 2010 when Mobile Management is uninstalled
- Controlling access to Exchange ActiveSync
- Blocking EAS access using Exchange 2010
- Blocking EAS access using F5 BIG-IP LTM

About using Exchange ActiveSync with Mobile Management


Mobile Management has the capability to manage Windows Mobile, Windows Phone, iOS, Palm, and Android devices through the use of Exchange ActiveSync.


Exchange ActiveSync is a protocol that synchronizes a mobile device with Microsoft Exchange. Exchange ActiveSync enables management, role-based access policies, and viewing details on individual devices or groups. It also lets you perform a range of administrative tasks. Exchange ActiveSync supports the following device operating systems:

- Apple iOS 2.x, 3.x, 4.x, 5.x, 6
- Android 2.x, 3.x
- Windows Mobile 6.1 and 6.5
- Windows Phone 7
- Palm (hpWebOS) 1.4.5
- Nokia (running Mail for Exchange v3.0.50)

Exchange ActiveSync functionality varies by OS and OS version. For a listing of supported functionality by OS and version, see the Microsoft support document, Exchange ActiveSync Client Comparison Table. See Setting up Exchange ActiveSync on page 64.

Setting up Exchange ActiveSync


You can set up Exchange ActiveSync to work with Mobile Management.

Table 9-1 Setting up Exchange ActiveSync

Step 1
Action: Set up an Exchange Administrator account.
Description: Microsoft requires an Exchange Administrator account to secure communications and access Exchange ActiveSync. For more information and to sign up for an account, visit the following URL: http://technet.microsoft.com/en-us/exchange/default.aspx

Step 2
Action: Enable Exchange ActiveSync functionality.
Description: The Exchange ActiveSync functionality is not set up by default. You need to enable the Exchange ActiveSync functionality in the Symantec Management Console. See Enabling the Exchange ActiveSync functionality on page 66.

Step 3
Action: Configure SymantecEASService NT Service.
Description: For Mobile Management to communicate with Exchange ActiveSync, you need to configure the SymantecEASService NT. See Configuring the SymantecEASService NT on page 67.

Step 4
Action: Set access rights for the Exchange Administrator account.
Description: See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx

Step 5
Action: Secure the IIS Application Pool.
Description: See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx

Step 6
Action: Set up the Exchange Administrator account as a member of the correct groups.
Description: Set up the Exchange Administrator account as a member of the local IIS_WPG group in Windows Server 2003 (IIS6) or as a member of the IIS_IUSRS group in Windows Server 2008 (IIS7). See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx

Step 7
Action: Set up the Exchange Administrator account read and write access rights.
Description: See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx

Step 8
Action: (Optional) Give the Exchange ActiveSync Inventory and Service Policy Web Service domain admin privileges.
Description: If you use Exchange ActiveSync 2010, the Exchange ActiveSync Inventory and Service Policy Web Service must have domain admin privileges.

Step 9
Action: Restart the Application Pool.
Description: See Microsoft Exchange ActiveSync documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx

Step 10
Action: Select the Exchange ActiveSync server.
Description: In the Symantec Management Console, select the server on which you want Exchange ActiveSync to be installed. See Selecting the Exchange ActiveSync server on page 67.

Step 11
Action: Restart the Mobile Management Service Agent.
Description: Restart the Mobile Management Service Agent to refresh the settings. See Restarting the Mobile Management Service Agent on page 68.

Step 12
Action: (Optional) Verify that the SymantecEASService configuration is correct.
Description: After the Exchange ActiveSync setup is complete, you should verify that the SymantecEASService configuration and the EAS folders' security permissions are correct. See Verifying the SymantecEASService configuration on page 68.

See About using Exchange ActiveSync with Mobile Management on page 63.

Enabling the Exchange ActiveSync functionality


The Exchange ActiveSync functionality is not set up by default. You need to enable the Exchange ActiveSync functionality in the Symantec Management Console. This task is a step in the process for setting up Exchange ActiveSync. See Setting up Exchange ActiveSync on page 64.

To enable Exchange ActiveSync functionality

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Exchange ActiveSync, and then click EAS Settings.
3 In the right pane, check Enable Exchange ActiveSync Functionality.
4 Select the Mobile Management Server that runs the Exchange ActiveSync Interface. If you want to use Exchange 2010 rules to control access to Exchange ActiveSync, enable the Exchange ActiveSync Access option.
5 Click Save changes.

Configuring the SymantecEASService NT


For Mobile Management to communicate with Exchange ActiveSync, you need to configure the SymantecEASService NT. This task is a step in the process for setting up Exchange ActiveSync. See Setting up Exchange ActiveSync on page 64.

To configure the SymantecEASService NT Service

1 On the Start menu, click Administrative Tools > Services.
2 Right-click SymantecEASService, and click Properties.
3 In the Properties dialog box, click the Log On tab.
4 Click This Account and click Browse to navigate to your Exchange Administrator account.
5 Click the Exchange Administrator account and enter the account password.
6 Click Apply.
7 (Optional) If a dialog box is displayed, click OK to allow the account to log on as a service.
8 Click OK.

Selecting the Exchange ActiveSync server


In the Symantec Management Console, select the server on which you want Exchange ActiveSync to be installed. The server hosting Exchange ActiveSync needs to be able to communicate with the Symantec Management Platform server. This task is a step in the process for setting up Exchange ActiveSync. See Setting up Exchange ActiveSync on page 64.


To select the Exchange ActiveSync server

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Settings, and then click Exchange ActiveSync.
3 Under Exchange ActiveSync, check Enable Exchange ActiveSync functionality.
4 Select the Mobile Management Server that runs the Exchange ActiveSync Interface.
5 Click Save changes.

Restarting the Mobile Management Service Agent


Restart the Mobile Management Service Agent to refresh the settings. This task is a step in the process for setting up Exchange ActiveSync. See Setting up Exchange ActiveSync on page 64.

To restart the Mobile Management Service Agent

1 On the Start menu, click Administrative Tools > Services.
2 In the Services dialog box, click Symantec Mobile Management Service Agent.
3 Click Restart the service.
4 (Optional) On the toolbar, click Action > Refresh to see the current status of the SymantecEASService.

Verifying the SymantecEASService configuration


After the Exchange ActiveSync setup is complete, you should verify that the SymantecEASService configuration and the EAS folders' security permissions are correct. This task is a step in the process for setting up Exchange ActiveSync. See Setting up Exchange ActiveSync on page 64.


To verify the SymantecEASService configuration

1 On the Start menu, click Administrative Tools > Event Viewer.
2 In the Event Viewer window, click Application.
3 In the right pane, click AthenaEASService.

Depending on the results of the setup and configuration, you see the following entries in the event log for the AthenaEASService source:

- "Service successfully transmitted a total of (6) ActiveSync device partnerships" is displayed: The SymantecEASService configuration is correct.
- An error message is displayed: The SymantecEASService configuration is not correct.
- An access denied error message is displayed: The EAS folders' security permissions are not correct.

Configuring Symantec Mobile Management to work with Exchange 2010


Microsoft Exchange Server 2010 allows direct control through PowerShell, and does not require the Exchange Management tools to be installed on the Mobile Management site server. Use the following workflow to configure Symantec Mobile Management to work with Exchange 2010:

Configuring Mobile Management for Exchange 2010

1 On the Exchange server, make sure that Basic Authentication is enabled on the PowerShell virtual directory.
2 On the Mobile Management server, open the following two files in a text editor:

C:\Program Files (x86)\Symantec\Mobile Management\EAS\AthenaEASService.exe.config

C:\Program Files (x86)\Symantec\Mobile Management\EAS\PolicyWS\web.config

3 Edit the following settings in both files and make sure that the values in both files are identical:

<add key="IsExchange2010" value="True" />


If you use Exchange 2010, Office 365, or BPOS, make sure that the value equals True.

<add key="Exchange2010ServerName" value="exchangeserver.domain.com" />

Change this value to be the FQDN of the Exchange, Office 365, or BPOS server that Mobile Management interfaces with for Exchange communication. The server must resolve through the specified FQDN.

<add key="Exchange2010Url" value="https://exchangeserver.domain.com/powershell?serializationLevel=Full" />

The value must be the URL for the PowerShell component of the Exchange server. "serializationLevel=Full" may not be required in some installations, but is recommended. Test the URL from a browser to be sure it can be reached, and if prompted for authentication, enter valid credentials. A blank page is returned regardless, as no commands are submitted.

<add key="SkipCertChecks" value="False" />

This value can be either True or False. If False, the IIS certificate on the Exchange server must trust the Mobile Management server. If True, any IIS certificate warning is ignored.

<add key="OverrideUsername" value="user@domain.com" /> and <add key="OverridePassword" value="password" />

These values must be the valid credentials that are provided to the Exchange server to access Exchange content. These values must be displayed in plain text, which requires that the Symantec Mobile Management server is secure. Make sure that permissions are set for the EAS folder to prevent viewing. If you do not want to insert the passwords in plain text, make the following changes:

Change the logon account for the service "SymantecEASService" and the Application pool identity for "SymantecEASAppPool" to an Administrator account.
Leave the user name and password values in the configuration files empty.

See Configuring a Symantec Mobile Management iOS profile for Office 365 on page 146.
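The settings above must match in both files, and two of them (SkipCertChecks and OverridePassword) weaken the server when set carelessly. The following PowerShell is an added example, not Symantec's code, that audits both files and the EAS folder ACL; the function names and the sample XML are constructed, and it assumes the keys sit in a standard .NET appSettings element.

```powershell
# Added example (not Symantec code). Function names and sample XML are constructed.
# Assumption: both files keep these keys in a standard .NET <appSettings> element.
$EasKeys = 'IsExchange2010', 'Exchange2010ServerName', 'Exchange2010Url',
           'SkipCertChecks', 'OverrideUsername', 'OverridePassword'

function Get-EasAppSetting {
    param([xml]$Config)
    $settings = @{}
    foreach ($node in $Config.SelectNodes('//appSettings/add[@key]')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    return $settings
}

function Test-EasConfigPair {
    param([string]$ServiceXml, [string]$WebXml)
    $svc = Get-EasAppSetting ([xml]$ServiceXml)
    $web = Get-EasAppSetting ([xml]$WebXml)
    $findings = @()
    foreach ($key in $EasKeys) {
        if (-not $svc.ContainsKey($key) -or -not $web.ContainsKey($key)) {
            $findings += "MISSING   $key is not present in both files"
        } elseif ($svc[$key] -cne $web[$key]) {
            # Report the key name only; never print credential values.
            $findings += "MISMATCH  $key differs between the two files"
        }
    }
    $files = @{ 'AthenaEASService.exe.config' = $svc; 'PolicyWS\web.config' = $web }
    foreach ($name in ($files.Keys | Sort-Object)) {
        $cfg = $files[$name]
        if ($cfg['SkipCertChecks'] -eq 'True') {
            $findings += "RISK      ${name}: SkipCertChecks=True, IIS certificate warnings are ignored"
        }
        $url = $cfg['Exchange2010Url']
        if ($url -and $url -notmatch '^https://') {
            $findings += "RISK      ${name}: Exchange2010Url is not https, Basic Authentication is not protected in transit"
        }
        if ($cfg['OverridePassword']) {
            $findings += "EXPOSURE  ${name}: OverridePassword is stored in plain text, check the EAS folder ACL"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK        no findings' }
    return $findings
}

function Get-BroadReadAce {
    param([string]$Path)
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids -contains $sid -and
            ($ace.FileSystemRights -band $read) -eq $read) {
            $ace   # this ACE lets a broad group read the plain-text credentials
        }
    }
}

# Constructed sample pair: the URL and SkipCertChecks values have drifted apart.
$sampleService = @'
<configuration><appSettings>
  <add key="IsExchange2010" value="True" />
  <add key="Exchange2010ServerName" value="exchangeserver.domain.com" />
  <add key="Exchange2010Url" value="https://exchangeserver.domain.com/powershell?serializationLevel=Full" />
  <add key="SkipCertChecks" value="False" />
  <add key="OverrideUsername" value="user@domain.com" />
  <add key="OverridePassword" value="password" />
</appSettings></configuration>
'@
$sampleWeb = @'
<configuration><appSettings>
  <add key="IsExchange2010" value="True" />
  <add key="Exchange2010ServerName" value="exchangeserver.domain.com" />
  <add key="Exchange2010Url" value="http://exchangeserver.domain.com/powershell" />
  <add key="SkipCertChecks" value="True" />
  <add key="OverrideUsername" value="user@domain.com" />
  <add key="OverridePassword" value="password" />
</appSettings></configuration>
'@
Test-EasConfigPair $sampleService $sampleWeb

# On a Mobile Management server, run the same checks against the two real files.
$easDir = 'C:\Program Files (x86)\Symantec\Mobile Management\EAS'
if (Test-Path $easDir) {
    $svcText = Get-Content "$easDir\AthenaEASService.exe.config" | Out-String
    $webText = Get-Content "$easDir\PolicyWS\web.config" | Out-String
    Test-EasConfigPair $svcText $webText
    Get-BroadReadAce $easDir | Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

Any row returned by Get-BroadReadAce means a broad built-in group can read the folder that holds the plain-text credentials.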


Impact on Exchange 2010 when Mobile Management is uninstalled


When an instance of Symantec Mobile Management managing access to Exchange is uninstalled, allowed devices remain associated with their Exchange blocking solution: F5 or Exchange ABQ. Once Symantec Mobile Management is uninstalled, you must manage the whitelist and any mobile device management activities either manually or with another solution.

Note: In some cases, you may need to reset or "clean up" your F5 or Exchange 2010 servers after uninstalling or making changes to your Symantec Management Platform infrastructure. For information and instructions, see the Symantec knowledge base article, Resetting Exchange ActiveSync blocking solutions after uninstalling or changing the Symantec Management Platform infrastructure at http://www.symantec.com/docs/TECH197075

Controlling access to Exchange ActiveSync


You can limit Exchange ActiveSync (EAS) access to only authorized devices. You can block unauthorized devices with either:

Exchange 2010 Allow/Block/Quarantine (ABQ) rules.
Integration with an F5 BIG-IP LTM server that is configured with Exchange blocking rules.

Note: Due to operating system limitations, EAS blocking applies only to iOS and Android devices.

Blocking EAS access using Exchange 2010


This task requires that:

You use Exchange 2010.
You have configured an Exchange group that contains the mobile devices that are authorized to access Exchange ActiveSync.

To block EAS access using Exchange 2010

1 On the console, go to Home > Mobile Management > Exchange ActiveSync > EAS Settings.
2 In the right pane under Exchange ActiveSync, select Enable Exchange ActiveSync functionality.
3 Enable the use of Exchange 2010 access rules.
4 Select the Authorized Devices that are allowed to connect to Exchange ActiveSync.
5 Optionally, allow the system to notify the user by email when their account is quarantined. Note: You can customize the email message for quarantined devices. See the Microsoft article Customize E-mails for Blocked or Quarantined Devices at http://help.outlook.com/en-us/140/gg316698.aspx
6 Click Save changes.

See Configuring Symantec Mobile Management to work with Exchange 2010 on page 69. See Configuring a Symantec Mobile Management iOS profile for Office 365 on page 146.

Blocking EAS access using F5 BIG-IP LTM


You can integrate Symantec Mobile Management with F5 BIG-IP to control Exchange ActiveSync access. The integration workflow proceeds as follows:

Mobile Management - F5 integration workflow

1 This workflow requires that you:
1.1 Have already established the Exchange virtual server in BIG-IP.
1.2 Have configured a target group for your allowed devices in Symantec Mobile Management.
2 In Symantec Mobile Management, create a new iOS EAS account that points to the BIG-IP Exchange virtual server instance (as referenced in 1.1). See Configuring iOS devices to access EAS through F5 BIG-IP.
3 Similarly for Android, create a new Touchdown EAS account that points to the BIG-IP Exchange virtual server. See Configuring Android devices to access EAS through F5 BIG-IP. Note: Some EAS limitations exist for Android devices. For details,
4 In Symantec Mobile Management EAS settings, add the BIG-IP Exchange virtual server (as referenced in 1.1). Select the Approved Devices list as referenced in 1.2. You optionally identify the email app(s) to allow.
5 When you click Save changes, Mobile Management creates a BIG-IP iRule and sends it up to BIG-IP.
6 When a new device enrolls, Mobile Management sends the management policy to the device. In turn, the device sends its Device ID back to SMM.
7 On a scheduled basis, SMM checks the list of approved devices as selected in Step 4. Device IDs are sent to BIG-IP to inform it of the devices that are allowed. Allowed devices can retrieve email and disallowed devices are blocked. Optionally, blocked devices receive a quarantine message.

Note: The Symantec Mobile Management rules are processed first, and BIG-IP iRules are processed second. You may need to reconcile the two sets of rules if they conflict. Refer to your BIG-IP documentation for instructions to edit BIG-IP iRules.

Configuring iOS devices to access EAS through F5 BIG-IP

1 On the console, go to Home > Mobile Management > Device Management > Configuration Editor > iOS Configuration and select EAS.
2 In the right pane, click the Add icon (yellow star).
3 Enter a name and description for the account.
4 In the Exchange ActiveSync Host field, enter the FQDN for your F5 BIG-IP Exchange virtual server.
5 Enter the domain for the account.
6 Leave the User, Email Address, and Password fields blank.
7 Set the Past Days of Mail to Sync to Unlimited.
8 Leave Identity Certificate blank.
9 Leave Make Identity Certificate Compatible with iOS 4 blank.
10 Click Save changes.


Configuring Android devices to access EAS through F5 BIG-IP

1 On the console, go to Home > Mobile Management > Device Management > Configuration Editor > Android Configuration and select Touchdown Account.
2 In the right pane, click the Add icon (yellow star).
3 Enter a name and description for the account.
4 In the Exchange ActiveSync Host field, enter the FQDN for your F5 BIG-IP Exchange virtual server.
5 Enter the domain for the account.
6 Leave the User, Email Address, and Password fields blank.
7 If your server uses a self-signed trust certificate, you can elect to use the server's certificate, and skip the certificate check routine. Place a checkmark in the box to use this option.
8 Optionally, enter the Authentication Credential Name for a trust certificate from a Certificate Authority.
9 Click Save changes.

Configuring Mobile Management to block EAS access with F5 BIG-IP LTM

This task assumes the following:

That you have at least one instance of F5 BIG-IP LTM configured with blocking rules and available within your network.
That you have one or more virtual servers configured in F5 BIG-IP LTM to handle Exchange ActiveSync traffic.

1 On the console, go to Home > Mobile Management > Exchange ActiveSync > EAS settings.
2 In the right pane under F5 Exchange Blocking, select Use F5 rules to block communication from unauthorized devices.
3 Select the Authorized Devices that are allowed to connect to Exchange ActiveSync.
4 Optionally, allow only approved email apps.
5 Enter the name of the email apps, separating multiple apps with a comma.
6 On the toolbar, click the Add icon.
7 Provide the F5 Server information, and enable or disable the options Use HTTPS and Allow untrusted SSL certificates. Note: Secure communication is enabled by default.
8 Click the Add icon to select the virtual servers that handle Microsoft Exchange ActiveSync traffic through F5. Note: You receive an error message if an F5 server cannot be reached.
9 Click OK.
10 Click Save changes.

Chapter 10

Setting up Data Loss Prevention for iOS on the Mobile Management server

This chapter includes the following topics:

About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
Configuring Mobile Management to use DLP
Creating VPN credentials
Configuring VPN for DLP
Configuring the VPN assignment for DLP
Configuring the DLP settings
Configuring remediation rules
Setting the resource target

About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server
DLP provides mechanisms to help prevent the loss of business information by accidental or intentional distribution to unauthorized parties. Remote agents receive a policy that uses VPN on Demand to route traffic from remote devices through VPN to a DLP server.


Note: The DLP and VPN on Demand functionality for this version of Symantec Mobile Management Server applies to iPads only.

Configuring Mobile Management to use DLP


You must configure the Mobile Management Server to use the VPN on Demand functionality with mobile agents. You perform the following tasks to configure the server:

Table 10-1 Configuring Mobile Management Server for DLP

Step 1
Action: Create VPN credentials
Description: DLP requires a chain of trust between all active components and the VPN. You generate the appropriate credentials that are required for the VPN. See Creating VPN credentials on page 78.

Step 2
Action: Configure VPN
Description: You configure the VPN to allow the DLP functionality. See Configuring VPN for DLP on page 79.

Step 3
Action: Configure the VPN assignment
Description: You configure a DLP VPN assignment policy to distribute the DLP VPN functionality. See Configuring the VPN assignment for DLP on page 80.

Step 4
Action: Configure DLP settings
Description: You enable DLP functionality in the Mobile Management console. See Configuring the DLP settings on page 81.

Step 5
Action: Configure Remediation Rules
Description: You configure the remediation rules that determine the actions taken to remediate a non-compliant remote device. See Configuring remediation rules on page 81.

Step 6
Action: Set the resource target
Description: You select the managed remote devices to receive the DLP VPN assignment. See Setting the resource target on page 82.

Creating VPN credentials


Use this procedure to create the necessary VPN credentials. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Before you begin, be sure you have the following files and information:

An identity certificate for the device, for VPN access (.P12 or .PFX file).
The password to access the identity certificate, if needed.
One or more .CER files for certificate authority. These must be DER encoded (not base64).
The URL or IP address of the VPN server.
The account name for the device.

Creating VPN credentials

1 Open the Symantec Management console and click Home > Configuration > iOS Configuration Editor.
2 In iOS Configuration Profiles, select Credentials.
3 Add the device identity certificate and the other intermediate and root certificates individually. Click the yellow star to add each new certificate.
4 For each credential, select the certificate file, enter a name and description, and if required, the password to open the identity certificate.
5 Enter the required information and then click Save Changes.

Note: If you use a proxy server to mediate VPN traffic in your network, the VPN proxy requires a trust certificate for the Mobile Management Server. When the Mobile Management Server certificates are issued by an internal or intermediate certificate authority, you must install the certificate chain and root certificate on the VPN proxy server.

Configuring VPN for DLP


Use this procedure to configure the VPN for DLP. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Configuring VPN

1 On the Symantec Management console, click Home > Configuration > iOS Configuration Editor.
2 In iOS Configuration Profiles, select VPN.
3 Click the yellow star to add a new VPN configuration.
4 Make the following settings:
  Enter a name for the VPN configuration.
  Enter a description for the configuration.
  Select a connection type. For example, Cisco (IPsec).
  Enter the URL or IP address for the DLP server (ex: vpn.fordlp.com).
  Enter an account name (ex: dlpvpn1).
  For Machine authentication, select Certificate.
  In the Identity Certificate field, select the identity certificate that was installed earlier.
  Leave Include User Pin unchecked.
  Check Enable VPN on demand.
  In the Matching domain/host field, use the + sign to add new entries for each of the letters a - z and each of the numbers 0 - 9 (for a total of 36 new entries).
  Leave Proxy as None.
5 Click Save Changes.

Configuring the VPN assignment for DLP


Use this procedure to configure the VPN assignment for DLP. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Configuring the VPN assignment

1 On the Symantec Management console, click DLP > DLP VPN Assignment Policy.
2 Expand the Policy Rules/Actions section of the page.
3 Place checkmarks next to each profile setting you want to use.
4 Under Configuration settings, click the yellow star to add a new configuration.
5 Select the configuration settings you want to add. You generally add a VPN configuration, the credential certificate for the VPN connection type, and a root certificate for the VPN server. You may require other settings depending upon your particular implementation.
6 Make sure that the DLP assignment state is set to ON.
7 Click Save changes.

Configuring the DLP settings


Use this procedure to configure the DLP settings. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Configuring DLP settings

1 On the Symantec Management console, click DLP > DLP settings, and then place a check in the Enable DLP checkbox.
2 Enter the values for each of the DLP settings. Note: Compliance Check Frequency, Notification Grace Period, and Report Frequency are expressed in seconds.
3 Under VPN Profile Settings, enter the required information. Note: The VPN Configuration Name must be a previously defined, valid VPN payload.
4 Click Save changes.

Configuring remediation rules


Use this procedure to configure the remediation rules that are applied to non-compliant devices. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Configuring remediation rules

1 On the Mobile Management console Settings tab, click All Settings.
2 In the left pane, click Monitoring and Alerting > Alert Rule Settings.
3 In the right pane, on the Task Rules tab, the default task is Unmanage Device Task (DLP Breach). Add any other rules as desired.
4 Click Add existing, and add the jobs to which the rule applies. Note: Select Resources must be used to determine the target resources for which the task applies.
5 Click Save Changes.

Setting the resource target


Use this procedure to select the remote devices that receive the DLP VPN assignment. This procedure is a step in the process of setting up DLP for iOS on the Mobile Management Server.

Setting the resource target

1 On the Mobile Management console, click DLP > DLP VPN Assignment Policy.
2 Expand the Applied To section of the page.
3 Set the View menu to Targets.
4 Click on Apply to and then select the agents to receive the VPN assignment.
5 Click Save changes.

See Assigning policies on page 93.

Chapter 11

Configuring multiple domain Active Directory / LDAP authentication

This chapter includes the following topics:

LDAP integration overview
Configuring multi-domain Active Directory / LDAP authentication

LDAP integration overview


Symantec Mobile Management can integrate LDAP services for authentication. Before you set up LDAP integration with Symantec Mobile Management, review the following:

Network connection to domain controller: Mobile Management uses the standard LDAP protocol on port 389. If Mobile Management is set to encrypt authentication (Mobile Management > General Settings > General Enrollment > Enable Authentication > Encrypt authentication check using SSL), LDAP traffic passes on port 636.

Permissions required on domain controller: The users in the Domain User group with read permissions can enroll to the Mobile Management Server. Users in the Roles > Active Directory Domain Services > Active Directory Users and Computers > yourdomain.com > User folder will have default permissions to access the LDAP services.

Users with revoked read permissions will fail authentication when a domain setting with Allowed groups functionality is enabled.

The Mobile Management Server administrator must specify admin credentials in the Mobile Management Server General Settings > General Enrollment > Enable Authentication > Add/Edit Authentication Server Settings dialog. The authentication service uses the admin credentials to validate the user.

Query executed against domain: The query used to retrieve the user information has the format:
"(&(objectCategory=person)(SAMAccountName={account name}))"

Objects required to execute the query: The objects under CN=Users,DC=[userdomain],DC=com must be accessible in the domain. The object can be a person or a group. The following attributes are used:

User Object: Description
distinguishedName: Must be accessible.
memberOf: Must be accessible if Allowed groups must be verified.
primaryGroupID: Must be accessible if Allowed groups must be verified.
objectSID: Must be accessible if Allowed groups must be verified.

Group Object: Description
distinguishedName: Must be accessible.
memberOf: Must be accessible if Allowed groups must be verified.

Container for authentication groups: The container must be CN=Users, under the organization's root. For instance, CN=Users,DC=Yourdomain,DC=com
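The user lookup above places an account name inside an LDAP filter, and the Allowed groups check depends on memberOf, primaryGroupID and objectSID. The following PowerShell is an added example, not Symantec's code: it escapes the account name per RFC 4515 and shows how those attributes combine, including the primary group, which Active Directory does not list in memberOf. Function names, directory entries and SIDs are constructed, group names are assumed to contain no characters that need DN escaping, and the group-walking logic is one reasonable way to evaluate Allowed groups rather than a description of the product.

```powershell
# Added example (not Symantec code). Names, entries and SIDs below are constructed.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515: escape \ * ( ) and NUL as a backslash plus two hex digits.
    [System.Text.RegularExpressions.MatchEvaluator]$escape = {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $escape)
}

function New-UserLookupFilter {
    param([string]$AccountName)
    '(&(objectCategory=person)(SAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $AccountName)
}

function Get-PrimaryGroupSid {
    param([string]$ObjectSid, [int]$PrimaryGroupId)
    # The primary group's SID is the user's SID with the last sub-authority
    # (the RID) replaced by primaryGroupID.
    $ObjectSid.Substring(0, $ObjectSid.LastIndexOf('-') + 1) + $PrimaryGroupId
}

function Test-AllowedGroupMember {
    param($User, [hashtable]$GroupsByDn, [string[]]$AllowedGroups, [string]$Root)
    # Groups must live in CN=Users under the organization's root.
    $allowed = @($AllowedGroups | ForEach-Object { "CN=$_,CN=Users,$Root" })
    $primarySid = Get-PrimaryGroupSid $User.objectSID $User.primaryGroupID
    $pending = New-Object System.Collections.Queue
    foreach ($dn in @($User.memberOf | Where-Object { $_ })) { $pending.Enqueue($dn) }
    foreach ($dn in $GroupsByDn.Keys) {
        if ($GroupsByDn[$dn].objectSID -eq $primarySid) { $pending.Enqueue($dn) }
    }
    $seen = @{}
    while ($pending.Count -gt 0) {
        $dn = $pending.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }   # guards against group cycles
        $seen[$dn] = $true
        if ($allowed -contains $dn) { return $true }
        if ($GroupsByDn.ContainsKey($dn)) {
            # Follow the group's own memberOf to honor nested groups.
            foreach ($parent in @($GroupsByDn[$dn].memberOf | Where-Object { $_ })) {
                $pending.Enqueue($parent)
            }
        }
    }
    return $false
}

# Constructed directory content.
$root = 'DC=Yourdomain,DC=com'
$dom  = 'S-1-5-21-1111111111-2222222222-3333333333'
$groups = @{
    "CN=Domain Users,CN=Users,$root" = @{ objectSID = "$dom-513";  memberOf = @("CN=Mobile Users,CN=Users,$root") }
    "CN=Mobile Users,CN=Users,$root" = @{ objectSID = "$dom-1201"; memberOf = @() }
    "CN=Contractors,CN=Users,$root"  = @{ objectSID = "$dom-1202"; memberOf = @() }
}
$alice = @{ distinguishedName = "CN=alice,CN=Users,$root"; memberOf = @()
            primaryGroupID = 513; objectSID = "$dom-1105" }
$bob   = @{ distinguishedName = "CN=bob,CN=Users,$root"
            memberOf = @("CN=Contractors,CN=Users,$root")
            primaryGroupID = 1300; objectSID = "$dom-1106" }

New-UserLookupFilter 'jsmith'
New-UserLookupFilter '*)(SAMAccountName=*'   # constructed hostile input stays a literal value
Test-AllowedGroupMember $alice $groups @('Mobile Users') $root   # reached only through the primary group
Test-AllowedGroupMember $bob   $groups @('Mobile Users') $root
```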

Configuring multi-domain Active Directory / LDAP authentication


You can set up Mobile Management to authenticate users from multiple domains within the same forest, as well as from domains within multiple forests. You can test the server connections and verify that authentication works while you configure Mobile Management. You can use Microsoft Active Directory, ADAM, or other LDAP servers to provide the authentication credentials.

To configure multiple domains

1 On the console, go to Home > Mobile Management > Settings > General Enrollment and in the Authentication Settings, select Enable authentication check. Optionally, elect to encrypt the authentication check.
2 On the toolbar, click the Add icon (blue plus-mark).
3 Enter the requested information:
  Domain: The name of the domain in which the authentication resides.
  AD/LDAP Server: The IP or host name of the server to authenticate against.
  Allowed Groups: The group or groups that authenticate against the selected server. Separate each group with a comma (no white space required). Note: Do not add individual device owners in this field.
4 Click Verify to verify the network connection to the AD/LDAP server. If the test fails, make sure that the server is online and available from the Symantec Mobile Management server. Note: Port 389 is the default port for LDAP. Port 636 is the default port for secure LDAP.
5 Repeat the process to add additional domains. Note: You can only add one authentication server per domain.
6 When you finish adding authentication servers, click Save changes.

You can test the credentials of an account.

Chapter 12

Configuring Mobile Management to require SSL

This chapter includes the following topics:

Configuring Mobile Management to require SSL

Configuring Mobile Management to require SSL


If you use SSL to secure communication in your network, you must configure Mobile Management to require that SSL is used for network communication. Use the following procedure to enable Mobile Management to require SSL. Before you begin, make sure of the following:

That all site servers and Notification Servers have SSL certificates installed and enabled in their IIS bindings.
That for each server, the subject of each certificate matches the fully-qualified domain name that is used to communicate with that server.
That all devices can connect to and trust the IIS SSL certificate that is installed on the site-server(s).
That the Symantec Management Platform is set up to use SSL for communication. See the Symantec Knowledge Base Article, Configuring the Symantec Management Platform to use SSL.
That all Symantec Management Agents are installed using HTTPS and that they can access the Symantec Management Platform Notification Server using HTTPS. See the Symantec Knowledge Base Article, Configuring Notification Server to use SSL.
That all communication between Notification Servers and Symantec Mobile Management Server is set to use HTTPS. If necessary, force server communications to use HTTPS. See To force server communication to use HTTPS.
That all device-to-Mobile Management Server communications are set to use HTTPS. You can force the use of HTTPS between mobile devices and the Mobile Management Server. See To force device-to-server communication to use HTTPS.

To force server communication to use HTTPS

1 Go to Home > Mobile Management > Mobile Management Servers Settings > Site Server > Notification Server-Mobile Management Server Communication override menu.
2 Enable the Use HTTPS option.
3 Click Save Changes.

To force device-to-server communication to use HTTPS

1 Go to Home > Mobile Management > Notification Server Settings menu.
2 Enable the Use HTTPs option.
3 Click Save changes.

To configure Mobile Management to require SSL

1 Go to Home > Mobile Management > Mobile Management Server Settings > Site Server > Notification Server.
2 Enter the Notification Server-to-Site Server FQDN in the text box.
3 Enter the SSL port for your environment.
4 Place a checkmark in the Require SSL checkbox.
5 Click Save changes.
6 On the site server, restart the Symantec Mobile Management Agent service.

The Symantec Mobile Management server agent reconfigures the site server to require SSL on the default Web site.

Section

Using Symantec Mobile Management

Chapter 13. Using actions, policies, and configuration profiles
Chapter 14. Using inventory data, reports, and the event log
Chapter 15. Remotely managing devices
Chapter 16. Managing the Mobile Library

Chapter 13

Using actions, policies, and configuration profiles

This chapter includes the following topics:

About actions
Performing actions on mobile devices
About policies
Creating policies
Assigning policies
Supported policies for specific devices
About configuration profiles on iOS devices
Devices that support configuration profiles
Setting up configuration profiles for iOS devices
Creating configuration profiles
Adding configuration profiles to a policy
Assigning configuration profile policies
About available configuration profile settings for iOS devices
About AutoLock settings on iOS devices


About actions
Actions are the features available for devices based on the solutions that are installed in your environment. Depending on the device, the actions that are listed are different. Actions are available for all the devices in your environment. See Performing actions on mobile devices on page 92.

Performing actions on mobile devices


This section explains how to perform actions on mobile devices. Actions are the features available for devices based on the solutions that are installed in your environment. See About actions on page 92.

To perform actions on mobile devices

1 In the Symantec Management Console, on the Manage menu, click Mobile > Devices.
2 On the Mobile page, under Name, right-click the device name, and then click Resource Manager.
3 On the Resource Manager page, choose the actions for the mobile device.

About policies
Policies are collections of settings that Exchange ActiveSync enforces to ensure that devices are in compliance. Policies can include password, sync, and device settings. They can also include instructions to uninstall, install, or upgrade applications. Policies are distributed and assigned through Exchange ActiveSync. Because of the way Microsoft licenses Exchange ActiveSync, each device manufacturer can choose what policy functionalities their devices support. It means that three devices with the same operating system could work completely differently even if they have the same policies assigned to them. Symantec recommends testing the devices in your environment to see how they react to the policies. See Creating policies on page 93. See Assigning policies on page 93. See Supported policies for specific devices on page 94. See About configuration profiles on iOS devices on page 95.


Creating policies
This section explains how to create policies. Policies are collections of settings that Exchange ActiveSync enforces to ensure that devices are in compliance. Policies can include password, sync, and device settings. They can also include instructions to uninstall, install, or upgrade applications. See About policies on page 92. See Assigning policies on page 93. See Supported policies for specific devices on page 94.

To create a new policy for mobile devices

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Exchange ActiveSync, and click Manage policies....
3 In the EAS Policy Editor window, click the Create New Policy icon (yellow star).
4 In the Explorer User Prompt dialog box, enter the name of the policy, and click OK.
5 In the right pane, configure the options and settings for the policy.
6 Click Save changes.

Assigning policies
Policies are assigned through Exchange ActiveSync. In the Symantec Management Console, you assign policies by device. However, the policy is assigned to the mailbox that is associated with the device. If there are multiple devices associated with the mailbox, all of the devices receive the policy that you assigned. For more information, see the topics on assigning policies and targets in the Symantec Management Platform Help. See About policies on page 92. See Creating policies on page 93. See Supported policies for specific devices on page 94.

To assign a policy

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Exchange ActiveSync, and click Assign Policy to devices.
3 In the Assign EAS Policy window, in the left pane, click the policy that you want to assign to the devices. In the right pane, under Applied To, specify to which devices you want to apply the policy, and then click Save Changes. The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
4 On the upper right corner of the page, click the colored circle and then click On to turn on the policy.
5 Click Save Changes.

Note: When you assign the Mobile Management Service Install (x86) policy, you must first have added a Mobile Management Server. If you have not added a Mobile Management Server, no computers are listed for this policy. To add a Mobile Management Server, navigate to the Mobile Management Server. Once servers are added on the page they show up in the policy.

Supported policies for specific devices


For a list of devices and the policies they support, see the following article on the Symantec knowledge base: http://www.symantec.com/docs/HOWTO35972

BlackBerry devices are not listed in the article because Mobile Management policies are not supported on BlackBerry devices. Any policies you want to enforce on BlackBerry devices must be created through the BlackBerry Enterprise Server (BES). See About policies on page 92.


About configuration profiles on iOS devices


Configuration profiles are the XML files that are used to configure sets of preferences and configurations. They can contain security policies and restrictions, VPN information, WiFi settings, email and calendar accounts, and authentication credentials. With Mobile Management, configuration profiles let you set how often inventory data is collected from the managed iOS devices in your environment. Through configuration profiles, you can also choose how often and at what time the payload information is sent to the Mobile Management server and Symantec Management Platform. Configuration profiles are delivered through policies to selected devices. See Setting up configuration profiles for iOS devices on page 96. See Devices that support configuration profiles on page 95. See About policies on page 92.

Devices that support configuration profiles


The following table contains the iOS devices that support configuration profiles. See About configuration profiles on iOS devices on page 95.

Table 13-1

Device: iPhone
Supported version: Minimum iOS version 4.1. Models supported: 3G, 3GS, 4, 4S, 5.

Device: iPod Touch
Supported version: Minimum iOS version 4.1. Models supported: 2nd generation, 3rd generation, 4th generation.

Device: iPad
Supported version: Models supported: All models.

Setting up configuration profiles for iOS devices


The following table contains the process to set up configuration profiles for iOS devices. Configuration profiles contain device security policies and restrictions, VPN configuration information, WiFi settings, email and calendar accounts, and authentication credentials. Configuration profiles allow iOS devices to work with your enterprise systems. See About configuration profiles on iOS devices on page 95. See Devices that support configuration profiles on page 95.

Table 13-2 Process for setting up configuration profiles for iOS devices

Step: Step 1
Task: Create the configuration profiles.
Description: Create a configuration profile that contains the settings of your choice. See Creating configuration profiles on page 96.

Step: Step 2
Task: Add the configuration profiles to a policy.
Description: When you have created the configuration profile, you need to add it to a policy. See Adding configuration profiles to a policy on page 101.

Step: Step 3
Task: Assign the policy.
Description: Apply the policy to the devices you want to target. See Assigning configuration profile policies on page 102.

Creating configuration profiles


Configuration profiles are the files that configure the settings on iOS and Android devices. Configuration profiles contain one or more configuration payloads. Payloads are individual collections of settings within a configuration profile. For example, a profile may contain EAS, email, and VPN payloads and each payload is individually configurable.


This task is a step in the process for setting up configuration profiles for iOS and Android devices. See Setting up configuration profiles for iOS devices on page 96.

To create a configuration profile for iOS devices

1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Configuration Editor.
3. In the right pane, expand iOS Configuration page, and in the left sub-pane click the type of payload that you want to add to the configuration profile.
4. In the right pane, click the yellow star button to create a new payload and then specify the payload options. Be aware of the following:
   - You must enter a value in the Host field for every payload.
   - Some of the payload settings include specific values you should enter. Table 13-3 provides usage notes for the payloads.
   - For more details about the payload settings, see the Apple Support article Payload settings reference at help.apple.com/configurator/mac/1.0/#cad5370d89.
5. Click Save Changes.

Table 13-3 iOS payload descriptions and usage

Payload: Advanced
Usage: Use this payload to enable the device to connect to a GPRS Access Point.

Payload: CalDAV
Usage: This payload allows access to a corporate CalDAV server. If Account Username is left blank, the validated user name is substituted.
Warning: Do not enter a number greater than 65535 in the CalDAV port fields.

Payload: CardDAV
Usage: This payload allows access to a corporate CardDAV server. If Account Username is left blank, the validated user name is substituted.
Warning: Do not enter a number greater than 65535 in the CardDAV port fields.

Payload: Credentials
Usage: This payload adds the ability to manage certificates and identities for the device. PKCS1 and PKCS12 certificate formats are supported. You can use the SCEP settings to configure how a device obtains certificates.
Note: The user is prompted for an identity passphrase unless it is included in the profile.

Payload: EAS
Usage: This payload provides connection to Microsoft Exchange servers in your organization. Enter values for Account Name, Exchange ActiveSync Host, Use SSL, and Past Days of Mail to Sync. However, it is best to leave User, Email Address, and Password blank.
Note: When the User field is left blank, the validated user name is substituted. See About available configuration profile settings for iOS devices on page 103.

Payload: Email
Usage: This payload adds email management functionality. If User Name on the Incoming or Outgoing Mail tabs is left blank, the validated user name is substituted. You must enter a value in the Mail Server, Port, and Email Address fields for the email payload. The validated user name is also added to the Email address domain name. For example, validatedusername@domainname.com.

Payload: LDAP
Usage: This payload adds LDAPv3 connection settings for automating account and contact look-up. If Account Username is left blank, the validated user name is substituted.

Payload: Passcode
Usage: This payload is used to set the passcode when Exchange is not used.
Note: The user cannot override this passcode on the device.

Payload: Restrictions
Usage: Use this payload to restrict the use of specified device features.

Payload: SCEP
Usage: This payload allows the device to use SCEP to obtain trust certificates from a CA.

Payload: Subscribed Calendars
Usage: This payload adds read-only subscriptions to the Calendar app. If Username is left blank, the validated user name is substituted.

Payload: VPN
Usage: Use this payload to configure the VPN settings that allow the device to connect to your network. For information about the supported VPN protocols and authentication modes, see the Apple Support article VPN Server Configuration for iOS Device at http://help.apple.com/iosdeployment-vpn/
Note: If the profile is configured to use LDAP, you must establish VPN through another app, such as Safari.

Payload: Web Clips
Usage: This payload allows you to add web clips to the Home screen of a device.

Payload: Wi-Fi
Usage: This payload allows you to configure Wi-Fi access, credentials, and connection options.

Payload: Provisioning Profile
Usage: This payload allows you to send provisioning profiles to devices.

Payload: Application Lock
Usage: This payload allows you to lock specific applications on managed devices. Enter the Identifier number for the blocked app.

Payload: Global HTTP Proxy
Usage: This payload is used to set the HTTP proxy that the device uses to connect to your network.

To create a configuration profile for Android devices

1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Device Management, and then click Configuration Editor.
3. In the right pane, expand Android Configuration page, and in the left sub-pane click the type of payload that you want to add to the configuration profile.
4. In the right pane, click the yellow star button to create a new payload and then specify the payload options.
5. Click Save Changes.

Table 13-4 Android payload descriptions and usage

Payload: Passcode
Usage: Use this payload to set the user passcode on the Android device.

Payload: Device Options
Usage: Use this payload to enable or disable the camera and storage encryption on the device.
Note: The camera setting applies to iOS 3.0 and higher. The encryption setting applies to iOS 4.0 and higher.

Payload: TouchDown Account
Usage: Use this payload to specify the connection settings for users who use TouchDown to access their email. See TouchDown account payload settings on page 153.

Payload: TouchDown Policy
Usage: Use this payload to specify the Exchange ActiveSync policy settings for users who use TouchDown. See TouchDown policy payload settings on page 154.

Payload: TouchDown User Settings
Usage: Use this payload to specify the settings and behavior of the TouchDown app. See TouchDown user payload settings on page 158.

Adding configuration profiles to a policy


After you have created the configuration profiles you need to add them to a policy. Most configuration profiles are distributed to the devices in your environment through policies. Some configuration profiles can also be distributed on enrollment. This task is a step in the process for setting up configuration profiles with iOS devices. See Setting up configuration profiles for iOS devices on page 96. Unlike the policies that are enforced through Exchange ActiveSync, policies on iOS devices always act the same way. For more information, view topics about using policies and targeting in the Symantec Management Platform Help.


See About policies on page 92. See Adding additional configuration profiles on page 58.

To add configuration profiles to a policy

1. In the Symantec Management Console, on the Manage menu, click Policies.
2. Expand Policies > Mobile Management, and right-click Mobile Configuration Policies.
3. Click New > Mobile Device Configuration Policy.
4. In the right pane, click the New Mobile Device Configuration Policy title, and then enter a name for your configuration profile policy. If you want to rename the policy, either do it before you edit the policy or after you have saved it. If you edit the policy and then change the name before you save it, your settings and edits are lost.
5. Under Profile settings, specify the settings. You can sign and encrypt profiles and allow end users to remove the profiles that are included in the policy. This removal can be done without having to remove the full MDM profile. You can also specify whether a password is required for user removal of the policy set. These settings are applied to all of the profiles that are included in this policy.
6. Under Configuration settings, click the yellow star button.
7. In the Symantec Management Console dialog box, select the preconfigured profiles that you want to add to the policy, and then click OK.
8. Click Save Changes.

Assigning configuration profile policies


After you have created the configuration profiles you need to distribute them to the devices in your environment. The distribution is done by using policies. This task is a step in the process for setting up configuration profiles with iOS devices. See Setting up configuration profiles for iOS devices on page 96. For more information, view topics about using policies and targeting in the Symantec Management Platform Help.

To assign a configuration profile policy

1. In the Symantec Management Console, on the Manage menu, click Policies.
2. Expand Policies > Mobile Management > Mobile Configuration Policies.
3. Click the policy that you want to assign.
4. Under Applied To, specify to which devices you want to apply the policy, and then click Ok.
   Note: You may have to scroll the page down to see this section.
   The set policy is automatically applied to all new devices that match the settings you specify by using Filters and Groups or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify which devices are targeted.
5. On the upper right corner of the page, click the colored circle and then click On to turn on the policy. When the policy is turned on, it is delivered to the devices.
6. Click Save Changes.

About available configuration profile settings for iOS devices


The available configuration profile settings specify the details of the configuration settings you can apply to the devices. The settings define device security policies and restrictions, VPN configuration information, WiFi settings, email and calendar accounts, and authentication credentials. For more details about the different profiles, see the topics about creating configuration profiles in Apple's iPhone Configuration Utility guide. You can find the guide at the following URL:
developer.apple.com/library/ios/#featuredarticles/FA_iPhone_Configuration_Utility

Though most of the profiles available with Mobile Management are the same as Apple's, there are a few differences. The following table outlines the differences between Symantec's and Apple's configuration profiles.

Table 13-5 Configuration profile differences with Mobile Management

Profile: Web Clip
Notes: When you use Mobile Management, web clip URLs must contain http:// or https://. Also, the Item Icon for web links may change after the user clicks the link for the first time. The Item Icon changes to the web link's default icon if the creator of the Web page set a default icon. The Item Icon of web links to video pages does not change.

Profile: Credentials
Notes: View Certificate shows different information in the Symantec Management Console than in the Apple Configuration Utility.

Profile: Passcode
Notes: The AutoLock options in the Symantec console are different than in the Apple Configuration Utility. See About AutoLock settings on iOS devices on page 104.

Profile: Email
Notes: You can add the user's email address in two different formats in the Symantec Management Console. In the Apple Configuration Utility only one format is accepted.

Profile: Mobile Device Management
Notes: This profile is removed in the Symantec Management Console.

See About configuration profiles on iOS devices on page 95.

About AutoLock settings on iOS devices


AutoLock settings are settings sent to iOS devices through passcode configuration profiles. However, the AutoLock setting can react differently depending on the iOS device it is sent to. If the iOS device changes the AutoLock setting, it opts for a stricter setting than the one that is in the configuration profile. For example, a configuration profile specifying a 3-minute AutoLock was sent to an iPad and an iPhone. The iPad automatically changes the AutoLock to 2 minutes, the strictest setting on the iPad. The iPhone leaves the AutoLock setting at 3 minutes.

Unless the configuration profile sends down the strictest AutoLock setting, the user of the device can reset the AutoLock setting to a stricter setting. The following chart shows the relationship between possible AutoLock settings and how they are interpreted on different iOS devices:

Table 13-6 iOS Passcode configuration profile AutoLock behavior

AutoLock setting    Result on iPhone/iPod Touch    Result on iPad
1 minute            1 minute                       2 minutes
2 minutes           2 minutes                      2 minutes
3 minutes           3 minutes                      2 minutes
4 minutes           4 minutes                      2 minutes
5 minutes           5 minutes                      5 minutes
10 minutes          5 minutes                      10 minutes
15 minutes          5 minutes                      15 minutes
--                  Never                          Never

See About available configuration profile settings for iOS devices on page 103.
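
The port warning in Table 13-3, the web clip URL rule in Table 13-5, and the AutoLock results in Table 13-6 can be checked against a profile before its policy is assigned. The following Python linter is an added example, not Symantec code: it assumes the profile uses Apple's standard payload types and keys (com.apple.caldav.account, com.apple.webClip.managed, com.apple.mobiledevice.passwordpolicy, CalDAVPort, CardDAVPort, URL, maxInactivity), which this guide does not list, and the nearest-step rule in effective_autolock is inferred from Table 13-6. The sample profile is constructed.

```python
import plistlib

# Lock intervals in minutes that each device class ends up with, read from the
# result columns of Table 13-6 (the nearest-step rule below is inferred from it).
DEVICE_STEPS = {
    "iPhone/iPod Touch": (1, 2, 3, 4, 5),
    "iPad": (2, 5, 10, 15),
}


def effective_autolock(requested, device):
    """Minutes the device applies for a requested AutoLock; None means Never."""
    if requested is None:  # the "--" row: no AutoLock value in the profile
        return None
    steps = DEVICE_STEPS[device]
    not_longer = [s for s in steps if s <= requested]
    # Largest supported step that does not exceed the request; if there is
    # none (1 minute on an iPad), the device's shortest step is used.
    return max(not_longer) if not_longer else min(steps)


def lint_profile(plist_bytes):
    """Return a list of findings for one configuration profile (plist bytes)."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        # Table 13-3 warning: CalDAV/CardDAV port fields must not exceed 65535.
        for key in ("CalDAVPort", "CardDAVPort"):
            port = payload.get(key)
            if isinstance(port, int) and not 1 <= port <= 65535:
                findings.append(f"{ptype}: {key}={port} is outside 1-65535")
        # Table 13-5: web clip URLs must contain http:// or https://.
        if ptype == "com.apple.webClip.managed":
            url = str(payload.get("URL", ""))
            if not url.lower().startswith(("http://", "https://")):
                findings.append(f"{ptype}: URL {url!r} lacks http:// or https://")
        # Table 13-6: the applied AutoLock can differ from the profile value.
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            requested = payload.get("maxInactivity")
            if isinstance(requested, int):
                for device in DEVICE_STEPS:
                    applied = effective_autolock(requested, device)
                    if applied != requested:
                        note = "longer" if applied > requested else "shorter"
                        findings.append(
                            f"{ptype}: AutoLock {requested} min becomes "
                            f"{applied} min on {device} "
                            f"({note} than the profile value)")
    return findings


# Constructed sample profile (not taken from the guide) with three payloads.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed example",
    "PayloadContent": [
        {"PayloadType": "com.apple.caldav.account",
         "CalDAVHostName": "caldav.example.com", "CalDAVPort": 84430},
        {"PayloadType": "com.apple.webClip.managed",
         "Label": "Intranet", "URL": "intranet.example.com/start"},
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "maxInactivity": 10},
    ],
})

if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE):
        print(line)
```

A "longer" finding is the one to review first: per Table 13-6, a 1-minute AutoLock results in 2 minutes on an iPad.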


Chapter 14

Using inventory data, reports, and the event log


This chapter includes the following topics:

About inventory data
Viewing inventory data
Setting the inventory schedule for Windows Mobile devices
Setting the inventory schedule for iOS devices
About reports
Running reports
Available reports by device
About event logs
Viewing the event log

About inventory data


Inventory data is detailed data viewable per device in Symantec Management Platform. Inventory data is collected from all of the devices in your environment. A full inventory scan runs once a day through Exchange ActiveSync. Incremental inventory scans through Exchange ActiveSync run every five minutes to check for new devices. The Mobile Management Agent also runs an inventory scan. The inventory schedule of the agent is configurable on Windows Mobile and iOS devices. See Setting the inventory schedule for Windows Mobile devices on page 108.


See Setting the inventory schedule for iOS devices on page 109. See Viewing inventory data on page 108. For more information, view topics on inventory in the Symantec Management Platform Help.

Viewing inventory data


After the inventory scan you can view the inventory data that is collected. See About inventory data on page 107. See Setting the inventory schedule for Windows Mobile devices on page 108. See Setting the inventory schedule for iOS devices on page 109.

To view inventory data

1. In the Symantec Management Console, on the Manage menu, click Mobile > Devices.
2. On the Mobile page, under Name, right-click the device name, and then click Resource Manager.
3. On the Resource Manager page, on the View menu, click Inventory.
4. In the center pane, expand Data Classes > Inventory > Mobile Inventory, and click the inventory that you want to view. You can also switch between the Current and History tabs in the right pane to view current and past inventory data.

Setting the inventory schedule for Windows Mobile devices


You can set the schedule for how often inventory data is collected and sent to Symantec Management Platform for Windows Mobile devices. The times that you select to collect and transmit data coordinate with the time on the specific mobile device, not the Mobile Management server computer. You can reduce your network load by collecting several data samples from a mobile device before sending it. By default, Mobile Management collects data every six hours and transmits that data once a day. If you use the default schedule, Mobile Management collects four inventories in a day and then transmits the data one time as a compressed transmission. See About inventory data on page 107.


Setting the inventory schedule for Windows Mobile devices

1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, expand Settings > Mobile Management > Mobile Agent Settings.
3. Click Inventory Schedule.
4. In the right pane, specify the Sample schedule information:
   - Number of units.
   - Type of unit. Either hours or days.
   - Hour and minutes.
   The Sample schedule specifies when data is collected from a mobile device.
5. Specify the Transmit schedule information:
   - Number of units.
   - Type of unit. Either hours or days.
   - Hours and minutes.
   The Transmit schedule specifies when the collected data is sent to the Mobile Management server and then to Symantec Management Platform.
6. Specify the Heartbeat schedule in minutes. The Heartbeat schedule specifies when the device sends a short message to the Mobile Management server to let it know that it is still connected.
7. Click Save changes.

Setting the inventory schedule for iOS devices


You can set the schedule for the inventory that the Mobile Management Agent collects on iOS devices. Two types of inventory are collected on iOS devices. One type is through the MDM certificate. The other type is through the Mobile Management Agent. By default, the inventory data that the MDM certificate collects is transmitted once a day. This inventory schedule is not configurable through the Symantec Management Console.

See About inventory data on page 107.

The MDM certificate collects the following inventories:

   Mobile_Certificate_iOS
   Mobile_Device_iOS_MDM
   Mobile_GlobalRestrictions_iOS
   Mobile_Profile_iOS
   Mobile_ProfileContent_iOS
   Mobile_ProfileRestrictions_iOS
   Mobile_Program_iOS
   Mobile_Provisioning_Profile_iOS
   Mobile_SecurityInfo_iOS

By default, the inventory data that the Mobile Management Agent collects is transmitted once a day. You can change this iOS agent inventory transmit schedule. The Mobile Management Agent collects the following inventories:

   Mobile_Device
   Mobile_Device_iOS
   Mobile_Device_Site_Server
   Mobile_Identification
   Mobile_Memory
   Mobile_Operating_System
   Mobile_Power

To set the agent inventory schedule for iOS devices

1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Settings.
3. Click Mobile Management Servers.
4. In the right pane, under Agent, set the Report Frequency (seconds).
   Note: The minimum reporting frequency is 600 seconds.
5. Click Save changes.

About reports
Mobile Management lets you run reports on all of the devices in your environment. In the Symantec Management Console, you can choose from a list of pre-made reports that collect and provide data from the devices in your environment in real time. The reports can contain summary information, such as lists of devices by manufacturer, platform, or operating system. The reports can also list the devices that are running out of memory or battery power. Most of the reports contain customizable parameters. These parameters may include options such as whether you want the latest information or information from the last report that was saved. In some reports, you can also enter the timeframe from which the information is collected. See Running reports on page 111. See Available reports by device on page 111.

Running reports
Most of the reports contain customizable parameters. These parameters may include options such as whether you want the latest information or information from the last report that was saved. In some reports, you can also enter the timeframe from which the information is collected. See About reports on page 110. See Available reports by device on page 111.

To run reports

1. In the Symantec Management Console, on the Reports menu, click All Reports.
2. In the left pane, expand Reports > Mobile Management.
3. Click one of the standard reports that are listed. After the report runs, the data appears in the right pane.

Available reports by device


The following table lists the possible devices in your environment and the reports that are available on them. See About reports on page 110. See Running reports on page 111.

Table 14-1 Available reports by device

Device: iOS
Supported reports:
   Detailed iOS Device Status
   Devices by Manufacturer
   Devices by Platform and Operating System
   Devices with Low Battery
   Devices with Low Program Memory
   Devices with Outdated Inventory
   Jailbroken iOS Devices
   Mobile Device Summary
   Remote Management Activity Audit
   Remote Management Usage Summary By Action
   Remote Management Usage Summary By Device
   Software Compliance Remediation Summary
   Software Compliance Status
   Software Installation Summary

Device: BlackBerry and Windows Mobile
Supported reports:
   Devices by Manufacturer
   Devices by Platform and Operating System
   Devices with Low Battery
   Devices with Low Program Memory
   Devices with Outdated Inventory
   Mobile Device Summary
   Remote Management Activity Audit
   Remote Management Usage Summary By Action
   Remote Management Usage Summary By Device
   Software Compliance Remediation Summary
   Software Compliance Status
   Software Installation Summary

Device: Palm/hpWebOS and Symbian/Nokia
Supported reports:
   Exchange ActiveSync Devices by Policy
   Exchange ActiveSync Devices with Pending Wipe
   Non-Synced Exchange ActiveSync Devices
   Wiped Exchange ActiveSync Devices

About event logs


Mobile Management provides a history of important events for managed devices in your environment through the event log. For example, if someone tries to break into the device, it is recorded in the event log. This feature allows the administrator to detect and monitor security risks on each device. The event log is available for the devices on which the Mobile Management Agent is installed. See Viewing the event log on page 113.

Viewing the event log


Events on managed devices are automatically recorded. You can view the event logs for your managed devices through the Symantec Management Console. See About event logs on page 113.

To view the event log

1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Overviews and Reports, and click All other reports....
3. In the left pane, select Devices by Platform and Operating System.
4. Under Device Platform, right-click the device name, and then click Resource Manager.
5. On the Resource Manager page, on the View menu, click Events.
6. Expand Data Classes > Mobile Events > Inventory, and then click Mobile _Log.


Chapter 15

Remotely managing devices


This chapter includes the following topics:

About remotely managing devices
Creating remote settings for devices
Starting a remote session with a device
Remote options for Windows Mobile devices
Remote options for BlackBerry devices
Function key mapping during remote sessions with Windows Mobile devices
Function key mapping during remote sessions with BlackBerry devices
Options for remotely wiping devices

About remotely managing devices


Mobile Management lets you remotely access the Windows Mobile and BlackBerry devices in your environment on which the Mobile Management Agent is installed. During a remote session, you can view and fix any problems a user experiences on their device. Mobile Management allows access to the file system, registry, and processes subsystems of the managed mobile device. You can specify if each remote session is automatically accepted or if the user has to approve the session request. You can also specify options and choose how each session looks, such as the color depth and size of a session. See Creating remote settings for devices on page 116. See Starting a remote session with a device on page 117.


Creating remote settings for devices


In Symantec Management Platform, you can determine how every remote session looks and behaves. On Windows Mobile devices, you can set the Request behavior, Control behavior, and color depth and size of remote sessions. The Request behavior determines how the remote session request is handled. The Control behavior determines how the remote session handles keyboard and mouse interactions. On BlackBerry devices, you can set the color depth and size of remote sessions. See About remotely managing devices on page 115. See Starting a remote session with a device on page 117.

To create the remote settings for mobile devices

1. In the Symantec Management Console, on the Home menu, click Mobile Management.
2. In the left pane, expand Configuration, and then click Remote Control settings.
3. (Windows Mobile only) On the Remote Control Policy page, under Remote Control Session Settings, choose one of the following options for the Request behavior:
   - Always allow Remote Control request
   - Prompt user to allow Remote Control request
   - Always deny Remote Control request
4. (Windows Mobile only) Choose one of the following options for the Control behavior:
   - Always allow keyboard and mouse interaction
   - Prompt user to allow keyboard and mouse interaction
   - Always deny keyboard and mouse interaction
5. Select a color depth for the remote session. The larger color depths can negatively affect your network load. You can select either 2-bit, 4-bit, 8-bit, or 16-bit color depth. If you use a wide-area device, we recommend that you use the 4-bit option. However, you can experiment and see what setting works best in your environment.
6. Select the size scale for the session. You can select either the same size (1x) or twice the size (2x).
7. Click Save changes to save your remote settings.

Starting a remote session with a device


Through a remote session, you can control any managed device in your organization. The remote session uses the remote settings that you can define in the Symantec Management Console. If you press a function key on your computer, it performs an action on the mobile device during a remote session. The effect that each function key has on your mobile device might be different than the effect that it usually has on your computer.

See Creating remote settings for devices on page 116.
See Function key mapping during remote sessions with Windows Mobile devices on page 121.
See Function key mapping during remote sessions with BlackBerry devices on page 122.
See Remote options for Windows Mobile devices on page 117.
See Remote options for BlackBerry devices on page 120.

To start a remote session with a device

1. In the Symantec Management Console, on the Actions menu, click Mobile > Remote Management.
2. On the Remote Management page, click the mobile device to which you want to connect.
3. Click Connect.

Remote options for Windows Mobile devices


After connecting to a Windows Mobile device, you can choose from several options that provide access to the device. For example, you can remotely control the device and manage its file system, registry, and processes subsystems. The right pane of the device page contains the static information that was last captured in the inventory scan. If you click an option in the left pane, data appears in the right pane. The information might take a few seconds to load because it is collected in real time. See Starting a remote session with a device on page 117.

Table 15-1 Remote options for Windows Mobile devices

Option: Device name
Description: Lists the static information about the device that was collected during the last inventory scan. For example, the date that the inventory was last collected, the name, and the IP address of the device.

Option: Remote Control
Description: Lets you remotely control and view the mobile device. You can start processes and explore the device by double-clicking this option. In the Remote Control window, you can also choose the color and the zoom options for the session. If you click the camera symbol in the Remote Control window, you can take a screen shot of the mobile device. However, even if you select the 2-bit color option in your remote settings, the screen shot reflects the device's color settings.

Option: Identification
Description: Lists the identifying information for the device. For example, the name, ID, and OEM ID of the device.

Option: Operating System
Description: Lists the information about the operating system that is currently running on the device. For example, the type, ID, and version number of the platform that is on the device.

Option: Processor
Description: Lists the information about the processor on the device. For example, the architecture, core, clock speed, and name of the processor on the device.

Option: Power
Description: Lists the information about the battery and the power for the device. For example, the voltage, temperature, and chemistry of the battery in the device.

Option: Memory
Description: Lists the information about the memory for the device. For example, the percentage load, total and available physical and virtual memory, and storage memory for the device.

Option: Display
Description: Lists the horizontal and the vertical resolution and the display colors of the device.

Option: Processes
Description: Lists the information about the processes that are running on the device. For example, the name and ID of the process, the thread count, and the CPU time for each process.

Option: Certificates
Description: Lists the information about the certificates that are currently issued on the device. For example, the issuer name, issue and expiration dates, and public and private key information for each certificate.

Option: Adapters
Description: Lists the information about the adapters that are on the device. For example, the name, IP address, mask, and gateway for each adapter.

Option: Connections
Description: Lists the connection information for the device. For example, the status, local address and remote address, and local and remote port of each connection.

Option: IP Routing Table
Description: Lists the IP routing information for the device. For example, the destination IP address, adapter name, protocol, and age (in seconds) for each connection.

Option: ARP Table
Description: Lists the Address Resolution Protocol (ARP) information for the device. For example, the name and index of the adapter, MAC and IP address, and type.

Option: TCP/IP Statistics
Description: Lists the information about the TCP/IP connections for the device. For example, the minimum timeout and maximum timeout values, number of open connections, and segments received.

Option: Wi-Fi
Description: Lists the Wi-Fi information for the device.

Option: Applications
Description: Lists the applications that are currently installed on the device. You can remove applications from the device through this page.

Option: Program Files
Description: Lists the program files that are on the device. For example, the name, size, version, and date modified.

Option: File Explorer
Description: Lets you manipulate the directories and files on the device. You cannot delete a folder if it contains any files. You can also search for a specific string in the current folder.
Note: When you use File Explorer, upload only one file at a time.

Option: Registry Explorer
Description: Lets you manipulate the registry entries on the device. You can search for a specific string in the node that is currently highlighted.


Remote options for BlackBerry devices


After connecting to a BlackBerry device, you can choose from several options that provide access to the device. The right pane of the device page contains the static information that was last captured in the inventory scan. If you click an option in the left pane, data appears in the right pane. The information might take a few seconds to load because it is collected in real time.

See Starting a remote session with a device on page 117.

Table 15-2 Remote options for BlackBerry devices

Option: Description
Device name: Lists the static information about the device that was collected during the last inventory scan. For example, the date that the inventory was last collected, the name, and the IP address of the device.
Remote Control: Lets you remotely control and view the mobile device. You can start processes and explore the device by double-clicking this option. In the Remote Control window, you can also choose the color and the zoom options for the session. If you click the camera symbol in the Remote Control window, you can take a screen shot of the mobile device. However, even if you select the 2-bit color option in your remote settings, the screen shot reflects the device's color settings.
Identification: Lists the identifying information for the device. For example, the name, ID, and OEM ID of the device.
Operating System: Lists the information about the operating system that is currently running on the device. For example, the type, ID, and version number of the platform that is on the device.
Power: Lists the information about the battery and the power for the device. For example, the voltage, temperature, and chemistry of the battery in the device.
Memory: Lists the information about the memory for the device. For example, the percentage load, total and available physical and virtual memory, and storage memory for the device.
Display: Lists the horizontal and the vertical resolution and the display colors of the device.
General Statistics: Lists the number of bytes Sent and Received.
GSM: Lists the information about the GSM Network adapter configuration.
CDMA: Lists the information about the CDMA Network adapter configuration.
WLAN: Lists the information about the WLAN Network adapter configuration.
Applications: Lists the applications that are currently installed on the device. You can remove applications from the device through this page.
Modules: Lets you list and search the modules for the installed applications on the BlackBerry smartphone.

Function key mapping during remote sessions with Windows Mobile devices
To remotely control the devices that do not have a touch screen, you can use your computer keyboard to perform remote actions on the device. However, the effect that each function key has on the mobile device may be different than the effect that it usually has on your computer.

See Starting a remote session with a device on page 117.

Table 15-3 Function key mapping during remote sessions with Windows Mobile devices

Computer function key: Remote control action on device
Arrow keys: Navigate to the left, right, up, or down.
Backspace: Backspace.
Insert: Open the menu.
End: End.
Enter: Run the action.
Esc: Go back.
F1: Use the soft key 1 (left).
F2: Use the soft key 2 (right).
F3: Talk.
F4: End, or lock.
F6: Mute the sound volume.
F7: Decrease the sound volume.
F8: Use the dial pad * symbol, or increase the sound volume.
F9: Navigation click, or use the Dial pad # symbol.
F10: Create voice notes or record audio.
F11: Open the symbol list.
Home: Send.
Page Up: Use the left convenience key.
Page Down: Use the right convenience key.

Function key mapping during remote sessions with BlackBerry devices


To remotely control the devices that do not have a touch screen, you can use your computer keyboard to perform remote actions on the device. However, the effect that each function key has on the mobile device may be different than the effect that it usually has on your computer.

See Starting a remote session with a device on page 117.

Table 15-4 Function key mapping during remote sessions with BlackBerry devices

Computer function key: Remote control action on device
Arrow keys: Navigate to the left, right, up, or down.
Insert: Open the menu.
Esc: Go back.
Home: Send.
End: End.
F4: Lock.
F6: Mute the sound volume.
F7: Decrease the sound volume.
F8: Increase the sound volume.
F9: Navigation click.
Page Up: Use the left convenience key.
Page Down: Use the right convenience key.

Options for remotely wiping devices


This table describes the different ways you can remotely wipe devices. Devices can be wiped in multiple ways through actions, policies, and the Mobile Management Agent.


Table 15-5 Options to remotely wipe devices

Option: Description

Wipe Device: This action can be performed through Exchange ActiveSync. It performs a complete wipe of the device. Personal data and other information is removed from the device, and the device is completely reset. This action can also be performed on iOS devices through the Apple Push Notification Service. The functionality is the same as when the action is performed through Exchange ActiveSync. See Creating policies on page 93.

Delete Partnership: This action can be performed through Exchange ActiveSync. It removes the device's partnership in Exchange. The device can reestablish the partnership in Exchange by attempting to sync and thus reenable the trust connection between the server and the device. To remove the device's partnership so that it cannot reestablish it, you must complete this action and remove the partnership on the device. See Creating policies on page 93.

Clear Wipe: This action can be performed through Exchange ActiveSync. It lets you cancel the Wipe Device action. See Creating policies on page 93.

Remove MDM and Reset Agent: This action performs a full wipe of all of the Mobile Management components on iOS devices through the Apple Push Notification Service. This wipe includes all of the corporate settings and the Mobile Library. When the corporate email settings are removed, all the email content, contacts, and calendar information that is associated with the profile is wiped. However, the Mobile Management Agent is not removed. The user can re-enroll the device after it has been wiped. See Creating policies on page 93.

Selective wipe: This action lets you selectively wipe devices by deleting or turning off individual policies. If you delete or turn off an individual policy, the policy privileges are revoked. See Creating policies on page 93.


Chapter 16. Managing the Mobile Library


This chapter includes the following topics:

About the Mobile Library
Setting up Mobile Library feeds
Creating Mobile Library feeds
Adding items to Mobile Library feeds
Targeting a Mobile Library feed
Publishing an existing feed or item
Delivering apps to iOS devices

About the Mobile Library


The Mobile Library enables you to publish sets of content to the managed devices in your environment. The Mobile Management Agent supports three types of content that you can publish:

Applications: Commercial and in-house applications
Documents: Documents, PDFs, presentations, and spreadsheets
Media: YouTube video links, Web links, MP4 videos, images, graphics, MP3s, podcasts, and eBooks

Mobile Library content can be hosted on public application stores, Web sites, or private servers. The Mobile Library is delivered to the Mobile Management Agent as a set of RSS feeds. All feeds that match the Mobile Management Agent language selection on the device are delivered to the device. These feeds provide organizations with employees in multiple countries or with multiple languages the content that is tailored to the language preference of the users. If there are multiple feeds for a language, all of the feeds are delivered to the device. If items in feeds are changed, the Mobile Management Agent updates the content in the Mobile Library. The items in the feeds are available on the device even when the device is offline. The device to which you deliver the content determines the file size that is allowed.

Warning: Due to Apple restrictions, any applications that are installed from the Mobile Library on iOS devices are not remotely removable. Applications can only be removed by the end user. Also, any files that are sent to a device through the Mobile Library that are opened and saved in another application are not remotely removable.

Setting up Mobile Library feeds


This section explains the process for setting up Mobile Library feeds. Mobile Library feeds deliver sets of content to the managed iOS and Android devices in your environment. This content can include applications, documents, and media.

Table 16-1 Process for setting up Mobile Library feeds

Step 1. Action: Create the Mobile Library feed. Description: Create a Mobile Library feed that will contain the items you want to send to the devices. See Creating Mobile Library feeds on page 128.

Step 2. Action: Add items to the Mobile Library feed. Description: Add the items of your choice to the feed. See Adding items to Mobile Library feeds on page 129.

Creating Mobile Library feeds


The Mobile Library feed contains the items that are sent when you publish sets of content to the managed devices in your environment.

All feeds that match the Mobile Management Agent language selection on the device are delivered to the device. These feeds provide organizations with employees in multiple countries or with multiple languages the content that is tailored to the language preference of the users. If there are multiple feeds for a language, all of the feeds are delivered to the device. If items in feeds are changed, the Mobile Management Agent updates the content in the Mobile Library. The items in the feeds are available on the device even when the device is offline.

To create a Mobile Library feed

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Device Management, and then click Mobile Library Editor.
3 On the Mobile Library Editor page, click Feeds.
4 On the Feeds page, click New Feed.
5 In the Create New Feed dialog box, specify the information.
   If you do not have a feed for every language, you can check Feed Is Language Default. The feed that has this checked is delivered to any devices whose set language does not have a corresponding feed.
   Check Feed Is Published if you want to publish the feed. If the feed is not published, it is not sent to the devices. If you want to configure the feed and add items to it before it is published, you may choose not to publish the feed immediately.
   See Publishing an existing feed or item on page 131.
6 Click OK.

Adding items to Mobile Library feeds


After you create a Mobile Library feed, you can add items to it. Items can include applications, documents, links, and media. The items in the feeds are available on the device even when the device is offline.

See About the Mobile Library on page 127.

To add items to a Mobile Library feed

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Device Management, and then click Mobile Library Editor.
3 On the Mobile Library page, click Items.
4 Under Items, select the feed to which you want to add items from the drop-down menu.
5 Click New Item.
6 In the Create New Feed Item dialog box, specify the information and upload the files.
   Note: Files in items can be up to 25 MB.
   Check Item Is Published if you want to publish the item in the feed. If the item is not published, it is not sent to the devices. If you want to configure the item before it is published, you may choose not to publish the item immediately.
   See Publishing an existing feed or item on page 131.
   Note: Under Platform Type, unsupported platforms are listed. You must choose a supported device platform to deliver your item to the Mobile Library.
   See Mobile Management requirements on page 199.
   Item Priority is used to sort the items in the feed on the agent. The following are the different options for the Item Priority:
      Optional: The lowest priority items. Items appear toward the bottom of the list.
      Recommended: Medium priority items. Items are displayed in the middle of the list.
      Required: The highest priority items. Items are displayed at the top of the list. Required items also have a pop-up warning that appears to the user, informing them that there is a required item available. This warning appears even if the agent is in the background.
   Only upload one file per document item.
   When you select an application item, set the Item Type to Commercial or In-house.
   If you want to add a commercial application, you need to add the link to the application's App Store page in the field labeled Item Link. The App Store link is found on the application's App Store page.
   Warning: Do not edit the Item Link field when you create a commercial application. If you do so, the user who attempts to download the application item receives multiple error messages.
   If you want to add an in-house iOS application, you must upload the .ipa, the .plist, and all image files that are referenced in the .plist. These files must be selected and uploaded in the following order: Image files, .ipa file, .plist file. The .plist and the .ipa files are generated after you archive the agent framework in Xcode and go through the sharing wizard. The Mobile Management server modifies the .plist file so that the file links automatically point to the application files on the Mobile Management server. Before saving the item in the library, you must upload the .ipa, the .plist, and the image files.
   For library items to appear with a custom icon, you must upload a .png file that is 57x57 pixels. Otherwise, a generic icon appears next to the item.
7 Click OK.

Targeting a Mobile Library feed


You can quickly target a library feed to a device or group of devices.

To target a Mobile Library feed

1 On the console, go to Manage > Mobile Management > Mobile Configuration Policy and click New Mobile Device Configuration Policy.
2 In the right pane, under Feed Settings, click the yellow star icon on the toolbar.
3 In the Select Mobile Library Feed dialog, select the desired feed and then click OK.
4 Under Applied To, select the resources that receive the new feed.
5 Click Save changes.

Publishing an existing feed or item


If you did not check Item Is Published when you created a feed or an item, you can publish the feed or item after you saved it. See About the Mobile Library on page 127. See Setting up Mobile Library feeds on page 128.


To publish an existing feed or item

1 In the Symantec Management Console, on the Home menu, click Mobile Management.
2 In the left pane, expand Configuration, and then click Mobile Library Editor.
3 On the Mobile Library page, click the Feeds or Items tab.
4 On the Feeds or Items tab, select the green edit icon next to the feed or item you want to edit.
5 In the Edit Feed or Edit Item window, select Feed Is Published or Item is Published.
6 Click OK.

Delivering apps to iOS devices


You can use Symantec Mobile Management to manage the in-house and commercial apps that are installed on enrolled iOS devices. Additionally, Symantec Mobile Management supports the use of Apple's App Store Volume Purchase Program (VPP) and Apple's B2B program. The VPP service lets you purchase apps in multiples, before they are downloaded and installed. For more information about Apple's App Store Volume Purchase Program and regional availability, see the Apple Web page, http://www.apple.com/business/vpp/.

You can flag apps to be required, recommended, or optional:

Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
Optional apps are those that are possibly interesting to some device owners.

Additionally, you can manage the apps that you build in-house and commercial apps. The following workflows provide a high-level overview of the processes for managing applications on iOS devices.

Sending in-house apps to iOS devices

1 Create a new mobile library item that specifies the in-house iOS app.
   See Creating Mobile Library feeds on page 128.
2 Attach the in-house app .IPA, .PLIST, and icon (image) files as feed items.
   See Creating Items for iOS in-house applications on page 135.
3 Target the new feed to desired iOS devices.
   See Targeting a Mobile Library feed on page 131.
4 Enrolled iOS devices check in and download the new feed containing the app files.
5 The device displays a notification to the device owner that the app is available for installation.

Sending a free app from the Apple App Store

1 Go to the App Store and retrieve the URL for the free app.
2 Create a new mobile library feed and add the app ID to the new feed.
   See Adding items to Mobile Library feeds on page 129.
3 Target the new feed to desired devices.
   See Targeting a Mobile Library feed on page 131.
4 Device checks in and gets feed with app ID.
5 User is prompted to install.
6 User installs the app.

Sending a purchased app from the Apple App Store

1 Purchase Volume Purchase Program codes from Apple. For more information about Volume Purchase Program codes, see the Apple Web page, http://www.apple.com/business/vpp/.
2 Get the app ID for the purchased app from the App Store.
3 Create a new mobile library feed and add the app ID and VPP code to the new feed.
   See Creating Items for iOS commercial applications on page 136.
4 Target the new feed to desired devices.
   See Targeting a Mobile Library feed on page 131.
5 Device checks in and gets feed with App ID and VPP code for the app.
6 User is prompted to install the app.
7 User installs the app.


Importing VPP codes into the Symantec Mobile Management inventory

Volume Purchase Program codes are purchased from Apple. Apple sends a VPP file (.xls) to the email address you specify when you register and purchase VPP codes. Go into the Mobile Library and import the VPP file. See Creating Items for iOS commercial applications on page 136.

Verify that the expected number of codes are imported. See Delivering apps to iOS devices on page 132.

Delivering a VPP code to a specific device upon request

1 Beyond uploading the VPP codes for a specific app, no further action is required.
2 The VPP code is automatically associated with the mobile device upon app installation by the device owner.
   Note: The count of available VPP codes decrements by one each time the VPP-enabled app is associated with a device.

The code remains with the device owner even when the app is deleted. If the device owner downloads and installs the app again, the previous code remains in effect.

Reclaiming the codes that are delivered to an iOS device but are not required

A VPP code is always sent with a commercial app even though the app may not require one. For these apps, the code is used to complete the installation process, but is then returned to the VPP code pool. Codes are recycled in three cases:

The device owner installs an app with a VPP code on a second device.
The app is installed, uninstalled, and then reinstalled.
The app is previously purchased and installed.


Removing an app from a single device

1 Go to Device details page or the iOS VPP App Codes report, and locate the device from which the app is to be removed.
2 Right-click on chosen device and select Remove App.
3 The app is removed.
   Note: Only managed apps can be removed with this method. The device owner must remove the apps that are not managed. The device owner can always remove any app, including apps that are set to Required.

Viewing the App/VPP report

1 Go to Reports tab > Mobile Management > New > iOS Volume Purchase Program Apps.
2 The report shows the apps, associated code and its status, the name of each device, and the code issuance dates.

Creating Items for iOS in-house applications

1 Go to Home > Mobile Management > Device Management > Mobile Library Editor.
2 In the Mobile Library Editor, create a new Feed.
3 Select the Feed from the list.
4 Click the Items tab, then click New Item.
5 Enter the following information:
   Item Name - name for the Item, which is required to save the Item and information. A maximum of 10 characters are allowed for the name.
   Item Version - version number for the Item.
   Item Author - name of the person who created the Item.
   Item Description - description of the Item.
6 Make the following selections:
   Item Category - select Application.
   Item Type - select In-house.
   Platform Type - select iOS (iPhone/iPad/iPod Touch).
   Platform Min Version - enter the minimum iOS device operating system version that is required. Leave this entry blank if you do not want to specify a minimum version.
   Item Priority - select Required, Recommended, or Optional.
      Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
      Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
      Optional apps are those that are possibly interesting to some device owners.
   iOS in-house applications require an iPhone Application Archive file (App (.ipa)), Portable Network Graphics file (Icon (.png)), and a Property List file (Settings (.plist)). The next three steps illustrate the process.
   Note: Make sure that no spaces precede the .plist file name and make sure that the application has not expired before you upload the Item.
7 Click Select Files, locate the App (.ipa) file, then click Upload Files.
8 Click Select Files, locate the Icon (.png) file, then click Upload Files. The maximum PNG size is 59 x 60 pixels. After you upload the files, the Item Icon (PNG) field is automatically populated with the Icon (.png) file path.
9 Click Select Files, locate the Settings (.plist) file, and then click Upload Files.
10 Make the following selections:
   Item Is Featured - select to place an indicator on the Item to highlight it when the Item is viewed in the Mobile Library on the device.
   Item Is Published - select to publish the Item so that it can be viewed in the Mobile Library on the iOS device.
11 Click OK to save the item.
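
A pre-upload check for the in-house item files described above and under Adding items to Mobile Library feeds, as an added example (not Symantec's code). It assumes the Settings (.plist) file is the distribution manifest that Xcode generates, with items/assets entries; the function names, the sample manifest, and the reading of 25 MB as 25 x 1024 x 1024 bytes are assumptions.

```python
import plistlib
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Guide: "Files in items can be up to 25 MB" (binary megabytes assumed here).
MAX_ITEM_BYTES = 25 * 1024 * 1024
IMAGE_KINDS = {"display-image", "full-size-image"}  # asset kinds in an Xcode manifest

# Constructed sample manifest, serialized the same way Xcode writes it (XML plist).
SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [
            {"kind": "software-package", "url": "http://build.example.com/out/Agent.ipa"},
            {"kind": "display-image", "url": "http://build.example.com/out/icon57.png"},
            {"kind": "full-size-image", "url": "http://build.example.com/out/icon512.png"},
        ],
        "metadata": {"bundle-identifier": "com.example.agent", "bundle-version": "1.0",
                     "kind": "software", "title": "Agent"},
    }]
})


def referenced_assets(manifest_bytes):
    """Return [(kind, file name)] for every asset URL in the manifest."""
    manifest = plistlib.loads(manifest_bytes)
    assets = []
    for item in manifest.get("items", []):
        for asset in item.get("assets", []):
            path = unquote(urlsplit(asset.get("url", "")).path)
            assets.append((asset.get("kind", ""), PurePosixPath(path).name))
    return assets


def plan_upload(plist_name, manifest_bytes, staged_files):
    """Check the staged files against the manifest.

    staged_files maps file name -> size in bytes for the .ipa and image files.
    Returns (upload_order, problems). The order follows the guide's rule under
    Adding items to Mobile Library feeds: image files, .ipa file, .plist file.
    """
    problems = []
    if plist_name != plist_name.lstrip():
        problems.append("space before the .plist file name")

    assets = referenced_assets(manifest_bytes)
    # dict.fromkeys keeps first-seen order while dropping repeated references.
    images = list(dict.fromkeys(n for k, n in assets if k in IMAGE_KINDS))
    packages = list(dict.fromkeys(n for k, n in assets if k == "software-package"))
    if len(packages) != 1:
        problems.append(f"expected one .ipa reference, found {len(packages)}")

    for name in images + packages:
        if name not in staged_files:
            problems.append(f"referenced in the .plist but not staged: {name}")
        elif staged_files[name] > MAX_ITEM_BYTES:
            problems.append(f"larger than 25 MB: {name}")
    if len(manifest_bytes) > MAX_ITEM_BYTES:
        problems.append(f"larger than 25 MB: {plist_name}")

    return images + packages + [plist_name], problems


if __name__ == "__main__":
    order, problems = plan_upload(
        "Agent.plist", SAMPLE_MANIFEST,
        {"Agent.ipa": 18_000_000, "icon57.png": 4_000, "icon512.png": 90_000},
    )
    print("upload order:", order)
    print("problems:", problems or "none")
```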


Creating Items for iOS commercial applications

1 Go to Home > Mobile Management > Device Management > Mobile Library Editor.
2 In the Mobile Library Editor, create a new Feed.
3 Select the Feed from the list.
4 Click the Items tab, then click New Item > New Commercial iOS App and enter the iTunes Store Link to the app, and then click OK.
5 In the Item Priority field, select either Required, Recommended, or Optional.
   Required apps are those that your company has deemed necessary for the mobile device to be compliant with corporate policies.
   Recommended apps are those that your company considers important or useful, but that are not required to be compliant.
   Optional apps are those that are possibly interesting to some device owners.
6 For VPP paid apps, click Select Files, locate the VPP (.xls) file, then click Upload Files.
7 Make the following selections:
   Item Is Featured - select to place an indicator on the Item to highlight it when the Item is viewed in the Mobile Library on the device.
   Item Is Published - select to publish the Item so that it can be viewed in the Mobile Library on the iOS device.
8 Click OK to save the item.


Section

Managing iOS devices

Chapter 17. Setting up the Mobile Management Agent application on iOS devices

Chapter 17. Setting up the Mobile Management Agent application on iOS devices


This chapter includes the following topics:

About the Mobile Management Agent application on iOS devices
Setting up the Mobile Management Agent application on iOS devices
Enrolling iOS devices
Changing the enrollment URL to an email address for iOS devices
Creating and enabling the End User License Agreement for iOS devices
About the differences between the app store and the in-house Mobile Management Agent applications
Configuring a Symantec Mobile Management iOS profile for Office 365

About the Mobile Management Agent application on iOS devices


The Mobile Management Agent should be installed on all of the iOS devices in your environment. This agent lets Symantec Management Platform monitor and manage the devices. After a Mobile Management server is created, you can install the Mobile Management Agent on the mobile devices in your environment. The agent lets the mobile devices communicate with the Mobile Management server and Symantec Management Platform. The agent also enables you to use Mobile Management to do the following:

Automatically configure the device's access to corporate email and VPN.
Publish a set of recommended applications, files, and links through the Mobile Library to the device.
Automatically apply a set of policies to the device, such as security and passcode policies.
Perform remote actions such as remote wipe, remote lock, and passcode reset.
Get centralized reporting on the device.
Configure and implement data-loss prevention (DLP) on iPads.

See Setting up the Mobile Management Agent application on iOS devices on page 142.
See Changing the enrollment URL to an email address for iOS devices on page 144.
See Creating and enabling the End User License Agreement for iOS devices on page 145.
See About setting up Data Loss Prevention (DLP) for iOS on the Mobile Management server on page 77.

Setting up the Mobile Management Agent application on iOS devices


You can set up the Mobile Management Agent on iOS devices. See About the Mobile Management Agent application on iOS devices on page 141.

Table 17-1 To set up the Mobile Management Agent application on iOS devices

Step 1. Task: There are two different ways to install the Mobile Management Agent, depending on how you want to distribute it to the device. One way is to have users download the Mobile Management Agent from the Apple App Store. Another way is to have users download the Mobile Management Agent from an internal Web site. See About the differences between the app store and the in-house Mobile Management Agent applications on page 145.
Description: You can have users download the Mobile Management Agent from the Apple App Store. See Downloading and installing the Mobile Management Agent app on page 39.
You can create the Mobile Management Agent application for internal deployment and upload it to an internal site for download. After you have created the agent and uploaded it, users can browse to the internal Web site and download and install the agent. See Creating the in-house Mobile Management Agent application on page 208.

Step 2. Task: After users have downloaded and installed the agent, they need to enroll their device.
Description: After the Mobile Management Agent is installed on an iOS device, you must enroll it with a Mobile Management server. See Enrolling iOS devices on page 143.

Enrolling iOS devices


After the Mobile Management Agent is installed on an iOS device, you must enroll it with a Mobile Management server. Once a device is enrolled, the MDM enrollment configuration is set on the device. If you make changes to the MDM configuration, the changes are not reflected on the device unless you re-enroll it. See About the Mobile Management Agent application on iOS devices on page 141.


To enroll the Mobile Management Agent iOS application

1 Tap the Mobile Management Agent iOS application on the iOS device to start it.
2 On the enrollment screen, provide the following information:
   URL: http://<Site Server Name or Address>/MobileEnrollment/Symc-IOSEnroll.aspx
   See Changing the enrollment URL to an email address for iOS devices on page 144.
   Name: Your domain user name.
   Password: Your domain password.
   Note: Name and password may not be required if authentication is disabled.
3 On the License screen, click Yes.
   See Creating and enabling the End User License Agreement for iOS devices on page 145.
4 Complete the enrollment wizard to enroll your device.
   When you enroll an agent that was downloaded from an internal Web site, you are directed back to the browser after enrollment is complete. To return to the Mobile Management Agent, close the browser and re-open the application.

Changing the enrollment URL to an email address for iOS devices


To make enrollment easier, you can change the Mobile Management Agent to request an email address instead of a URL. Set up a resource record in your domain controller. The resource record takes the domain of the email address and looks for the user's credentials.

To change the enrollment URL to an email address

1. Log in to your domain controller and run DNS.
2. In DNS, navigate to the domain folder.
3. Right-click the folder, and then click Other New Records....


4. In the Resource record type window, select Text (TXT) and then click Create Record....
5. In the New Resource Record window, leave Record name blank. Enter the following value in Text:, and then click OK:

   OSIAGENTREGURL=http://<your-site-server-IP-or-Servername>/MobileEnrollment/Symc-IOSEnroll.ASPX
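A check for the TXT strings published at the domain after the steps above, as an added example that is not part of the Symantec guide. The function names and sample records are constructed; matching the OSIAGENTREGURL key in exact case and reporting an http URL as a finding are assumptions of this example, not statements from the guide.

```python
"""Audit the enrollment TXT record described above (added example, constructed data)."""
from urllib.parse import urlsplit

KEY = "OSIAGENTREGURL"  # key name as printed in the guide; exact-case match is an assumption
EXPECTED_PATH = "/mobileenrollment/symc-iosenroll.aspx"  # compared in lower case


def find_enrollment_values(txt_strings):
    """Return the value of every TXT string of the form OSIAGENTREGURL=<url>.

    The record name is left blank in the procedure, so the string sits beside
    unrelated TXT data (SPF, verification tokens); those are skipped.
    """
    values = []
    for text in txt_strings:
        key, sep, value = text.strip().partition("=")
        if sep and key == KEY:
            values.append(value.strip())
    return values


def check_enrollment_url(url):
    """Return a list of findings for one enrollment URL (empty list = clean)."""
    if "<" in url or ">" in url:
        return ["placeholder text was not replaced with a server name"]
    if any(ch.isspace() for ch in url):
        return ["whitespace inside the URL (space picked up from a wrapped line?)"]
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # property access; raises ValueError for a bad port
    except ValueError as exc:
        return [f"URL does not parse: {exc}"]

    findings = []
    if parts.scheme == "http":
        findings.append("cleartext http: domain user name and password entered "
                        "on the enrollment screen are not protected in transit")
    elif parts.scheme != "https":
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        findings.append("no host in URL")
    if parts.username or parts.password:
        findings.append("credentials embedded in a public DNS record")
    if parts.path.lower() != EXPECTED_PATH:
        findings.append(f"unexpected path {parts.path!r}")
    return findings


def audit_txt_records(txt_strings):
    """Audit all TXT strings returned for one domain; return a list of findings."""
    values = find_enrollment_values(txt_strings)
    if not values:
        return [f"no {KEY}= TXT string is published"]
    findings = []
    if len(values) > 1:
        findings.append(f"{len(values)} {KEY}= strings published; keep exactly one")
    for value in values:
        findings.extend(check_enrollment_url(value))
    return findings


# Constructed sample: what a TXT lookup on example.com might return.
SAMPLE_TXT = [
    "v=spf1 include:_spf.example.com -all",
    "OSIAGENTREGURL=http://mdm.example.com/MobileEnrollment/Symc-IOSEnroll.ASPX",
]

if __name__ == "__main__":
    for finding in audit_txt_records(SAMPLE_TXT) or ["record looks consistent"]:
        print(finding)
```

Feed it the strings returned by a TXT lookup on the email domain; an empty result means the record is present once and points at the enrollment page over https.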

Creating and enabling the End User License Agreement for iOS devices
You can require users to accept an End User License Agreement (EULA) when they enroll the Mobile Management Agent on their iOS device. The EULA is specific to your company and can be created according to your needs. See About the Mobile Management Agent application on iOS devices on page 141.

To create and enable the EULA for iOS devices

1. In the Symantec Management Console, go to Home > Mobile Management > Settings > General Enrollment Settings.
2. In the right pane under Agent EULA, check Require EULA acceptance.
3. Select the language for the EULA.
4. Enter the text for the EULA.
5. Click Save changes.

About the differences between the app store and the in-house Mobile Management Agent applications
The most notable difference between the app store and in-house versions of the Mobile Management Agent application is the presence of the Applications tab. On the app store version of the Mobile Management Agent application, there is no applications tab. Any applications that are delivered to the device appear in the updates tab. These applications remain in the updates tab until a new item is delivered to the updates tab.


Configuring a Symantec Mobile Management iOS profile for Office 365


You can configure an iOS profile to use Office 365. The profile is similar to other Exchange email account profiles, with two significant changes. To configure Symantec Mobile Management to use Office 365, do the following:

To configure the iOS policy to use Office 365

1. Go to Home > Mobile Management > Device Management > Configuration Editor > iOS Configuration.
2. Select EAS and then click the Add icon (yellow star).
3. Name the payload and provide a description if desired.
4. Set the server to m.outlook.com.
5. Optionally elect to use SSL, but leave the Domain, User, Email Address, and Password fields blank.
6. Save the payload and then apply it to a device policy.

When the device owner enrolls with the Office 365 policy, the owner uses their Office 365 email address. Once the device is enrolled, the policy is delivered to the device and the owner is prompted to provide their Office 365 password. The device communicates with the Office 365 server to receive the server name for the email account. Office 365 uses two modes: "Shared" mode and "Dedicated" mode. Because the Dedicated mode is specific to each instance of Office 365, only the Shared mode has been tested. For Dedicated-mode instances, the following PowerShell cmdlets are required:

Remove-ActiveSyncDevice
Clear-ActiveSyncDevice
Get-CASMailbox
Get-ActiveSyncMailboxPolicy
Set-ActiveSyncMailboxPolicy
New-ActiveSyncMailboxPolicy
Remove-ActiveSyncMailboxPolicy
Set-CASMailbox
Get-ActiveSyncDeviceStatistics


See Configuring Symantec Mobile Management to work with Exchange 2010 on page 69.


Section

Managing Android devices

Chapter 18. Using TouchDown with Symantec Mobile Management
Chapter 19. Common Android management tasks


Chapter 18

Using TouchDown with Symantec Mobile Management


This chapter includes the following topics:

Configuring Symantec Mobile Management for TouchDown
Assigning the TouchDown policy
TouchDown account payload settings
TouchDown policy payload settings
TouchDown user payload settings

Configuring Symantec Mobile Management for TouchDown


NitroDesk TouchDown is an email client for Android that uses Microsoft Exchange ActiveSync to synchronize and configure email options and policies on Android devices. Symantec Mobile Management 7.2 supports the use of the TouchDown app. For complete information about TouchDown and the available options, visit the NitroDesk TouchDown Web site at http://www.nitrodesk.com/.

The workflow proceeds as follows:

Configure TouchDown account settings. See Configuring Symantec Mobile Management for TouchDown on page 151.


Configure TouchDown policy settings. See Configuring Symantec Mobile Management for TouchDown on page 151.
Configure TouchDown user settings. See Configuring Symantec Mobile Management for TouchDown on page 151.
Assign the TouchDown policy to the devices. See Assigning the TouchDown policy on page 153.

Use the following procedures to configure each of the three groups of settings:

To configure TouchDown account settings

1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown Account.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.
   See TouchDown account payload settings on page 153 for details about the information you enter in this panel.
5. Click Save changes.

To configure TouchDown policy settings

1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown Policy.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.
5. See TouchDown policy payload settings on page 154 for details about the information you enter in this panel.
6. Click Save changes.

To configure TouchDown user settings

1. On the Management Console, go to Home > Mobile Management > Device Management > Configuration Editor.
2. In the right pane, select Android Configuration > TouchDown User Settings.
3. Click the yellow star icon to open a new configuration panel.
4. Provide the information requested.


5. See TouchDown user payload settings on page 158 for details about the information you enter in this panel.
6. Click Save changes.

Assigning the TouchDown policy


You assign the TouchDown policy to the Android devices that have TouchDown installed. To deploy the policy, you assign it to the devices that use TouchDown.

To assign the TouchDown policy

1. On the Management Console, go to Home > Mobile Management > Device Management > Go to policy management ...
2. In the left pane, select New Mobile Device Configuration Policy.
3. In the right pane, under Configuration Settings, click the yellow star icon to open a new Configuration Settings panel.
4. Select the TouchDown policy and click OK.
5. Expand the Applied To section.
6. Do one of the following:

   To apply the policy to a group, on the tool bar, click Apply to > Quick Apply, and either enter the name of the group or select a group from the pull-down list. Click Apply to complete the policy assignment.
   Note: Groups must be previously defined in the Symantec Management Platform. See the Symantec Management Platform documentation for information and instructions to create groups.

   To apply the policy to an individual device, on the tool bar, click Apply to > Mobile devices. On the Select resources panel, click Update results to display all of the enrolled devices. Alternatively, you can click Add rule to add a rule to filter the list of devices. Click OK to finish the policy assignment.

TouchDown account payload settings


The TouchDown Account payload creates the TouchDown account and contains the following settings:

Name - TouchDown Exchange ActiveSync account name.


Description - information about the TouchDown Account payload settings.
Exchange ActiveSync Host - Microsoft Exchange server name.
Domain - account domain.
User - account user name.
Note: Leave this setting blank for generic Exchange ActiveSync profiles.
Email Address - account email address.
Password - account password.
Get Server Certificate - for self-signed servers, select this setting to obtain the server certificate from the server and bypass the server certificate check.
Authentication Credential Name
Note: Click the plus button to select a certificate, the minus button to remove a certificate, and Certificate Details to view the certificate.

TouchDown policy payload settings


The TouchDown Policy payload configures policies that the TouchDown application enforces on the Android device. How you configure TouchDown depends on the requirements for managing mobile devices in your organization. Table 18-1 provides a list of the available settings:


Table 18-1 TouchDown Policy payload settings

Tab: Password

Settings:
EnableDevicePassword - select to enable a password on the device.
Password Complexity - PIN or password set on the Android device. Select an option from the drop-down list:
   Unspecified - no password complexity is required.
   Something - a PIN or password is required.
   Alphanumeric - an alphanumeric password is required.
   Complex - a complex password is required.
Minimum number of complex characters - enable a minimum number of non-alphanumeric characters for a password.
Auto-Lock (in seconds) - time period in seconds before a device automatically locks.
Maximum number of failed attempts - number of password entries before a device is wiped.
Minimum Passcode Length - minimum amount of characters for passcode.
Maximum passcode age - number of days until a password expires.
Passcode history - (Android 3.0 and higher devices) number of unique passwords before a password can be reused.
Disable Easy PIN recovery - select to disable resetting a PIN using the Exchange account password.


Table 18-1 TouchDown Policy payload settings (continued)

Tab: Device Options

Settings:
Storage Card Features
   Allow storage card
   Require storage card encryption
   Disable backup of settings to SD card
Security Features
   Require encryption
   Require manual synching when roaming
   Disable database backup
   Disable reconfiguration
   Disable wipe of configuration settings
Widgets
   Disable 3rd party widgets
   Disable email widget
   Disable calendar widget
   Disable task widget
   Disable universal widget
   Hide widget data when locked
Notifications
   Disable speech notifications
   Disable task notifications


Table 18-1 TouchDown Policy payload settings (continued)

Tab: Email

Settings:
Allow HTML email - selected (enabled) by default.
Disable user from changing email signature
Disable ability to copy contacts to the device phone book
Disable user ability to copy from or paste to an email
Disable Notifications for email data
Allow Attachments
Maximum Attachment Size - maximum size in kilobytes (KB) allowed for email attachments.
Past Email Filter - time period for past email to synchronize.
Maximum Email Body Size - maximum size in kilobytes (KB) allowed for email content (body).
Select Phone Book Fields - open to select the phone book fields to synchronize.
Set Signature - open to access the TouchDown Signature Editor.

Tab: App

Settings:
Prevent TouchDown from displaying select options - specifies fields to not show to users in the TouchDown application. Click Set Suppressions to configure which fields are suppressed.
TouchDown License Key - enter a valid TouchDown license key to automatically install TouchDown on the device without user intervention.
Disable TouchDown PIN prompt - when launching TouchDown, disable prompting for a PIN by TouchDown even if Exchange prompts for a PIN. By default, when Exchange is set to prompt for a PIN, TouchDown also prompts for a PIN. Use this option to override the default behavior.


Table 18-1 TouchDown Policy payload settings (continued)

Tab: Calendar

Settings:
Past Calendar Filter - maximum range of past events to sync - time period for past events to synchronize. Select an option from the drop-down list:
   Unlimited - sync all past events.
   2 Weeks - sync 2 weeks of past events.
   1 Month - sync 1 month of past events.
   3 Months - sync 3 months of past events.
   6 Months - sync 6 months of past events.
Hide all calendar information on the Notifications bar - select to hide all calendar information from displaying in the Android device notifications bar.

TouchDown user payload settings


The TouchDown User Settings payload enables an administrator to set restrictions on policy creation or modification by other users. You provide a name and short description, and whether to disable the Exchange option to push email to the device. Additional settings are arranged under four separate tabs, and are listed in TouchDown user payload settings


Table 18-2 TouchDown User payload settings

Tab: Device Options

Settings:
General
   Disable tablet mode
   Honor user setting to disable Background settings
   Display tasks on home screen and the task widget as viewed in TouchDown task screen.
   Defer batch updates with server (selected by default).
Security Features
   Remove any attachments TouchDown has downloaded to the SD card
   Require manual sync when roaming
Notifications
   Notify on successful poll
   Notify on failed poll
   Notify on incorrect password
   Notify on new email (selected by default).
   Notify appointment reminders (selected by default).


Table 18-2 TouchDown User payload settings (continued)

Tab: Email

Settings:
The email options are arranged under four separate tabs:
General tab - configure the global settings for email behavior.
Server Interactions tab - configure how the device and server work together. This tab includes:
   Deleted mail behavior
   Whether to update contact information from the server
   How much past email to sync
   Phone book name format
Display tab - configure how email is displayed on the device. This tab includes:
   Email summary display option
   Whether to display the sender in larger, bold text.
   Auto-filter search content when typing
   Unread mail highlighting
   Email text size
Security tab - configure the security options that are available to the user. This tab includes:
   Auto-download images of HTML ActiveSync email (selected by default).
   Allow user to move email to non-synched folder (selected by default).
   Enable preview (selected by default).
   Confirm deletion (selected by default).
   Maximum email body size (in KB)

Tab: TouchDown App

Settings:
Set Suppressions - click to select which device options are not displayed by TouchDown.
View Email on Startup - select to view the user's email list when TouchDown starts.


Table 18-2 TouchDown User payload settings (continued)

Tab: Calendar

Settings:
Past Calendar Filter - specifies the time period for synchronization of past events.
Apps that use Calendar features - selects view options for applications that use the calendar options.
Event Creation - specifies the option to perform when new events are created.
Specify Calendar view options - click Edit Calendar View to access the Calendar View Options screen. These options are used to configure display, reminder, and appointment options for the Calendar.


Chapter 19

Common Android management tasks


This chapter includes the following topics:

Locking a lost or stolen Android device
Removing policies and resetting the Agent on an Android device
Wiping the data from a lost or stolen Android device.
Clearing and setting passcodes on Android devices
Updating policies on Android devices
Retrieving the inventory from Android devices
Viewing Android device information

Locking a lost or stolen Android device


You can remotely lock a managed Android device to prevent unauthorized access.

Locking a lost or stolen Android device

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.


3. Right-click on the device you want to lock and from the menu, select Android Management > Lock Device.
4. On the Lock Device panel, click OK.

Removing policies and resetting the Agent on an Android device


You can remotely remove the Mobile Device Management (MDM) policies, leaving the device in an unmanaged state. This action also resets the Agent on the device.

Note: To restore device management after the Agent is reset, the device must be enrolled again.

Removing policies and resetting the Agent

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to lock and from the menu, select Android Management > Remove MDM and Reset Agent.
4. Click OK.

Wiping the data from a lost or stolen Android device.


You can remotely wipe the data from a managed Android device to prevent unauthorized access to media, apps, and sensitive information.

Warning: Unless previously synched with a backup system, any data, apps, or media on the device and its SD card are permanently erased. The call history and contacts list on the SIM card is also erased and the device is restored to factory settings.


Wiping data from a lost or stolen device

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to wipe and from the menu, select Android Management > Wipe Device.
4. Click OK.

Clearing and setting passcodes on Android devices


You can remotely clear and set passcodes on enrolled Android devices.

Clearing and setting passcodes

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to either clear or reset the passcode on and click Android Management > Wipe Device.
4. To clear the passcode, select Clear Passcode and then click OK.
5. To set a new passcode, select Set Passcode. Enter the new passcode and then click OK.

Updating policies on Android devices


You can remotely update management policies on enrolled Android devices.


Updating policies on Android devices

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to update.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device you want to update the policies on and click Android Management > Update Policies.
4. Click OK.

Retrieving the inventory from Android devices


You can request that a device send its current device information to the Management server.

Retrieving the inventory from Android devices

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.
3. Right-click on the device from which you want to retrieve the inventory and click Android Management > Send Inventory.
4. Click OK.

Viewing Android device information


You can select an enrolled Android device and view the Retrieving the inventory from Android devices

1. On the console, go to Home > Mobile Management > Device Management and in the left pane, click Manage Mobile Devices.
2. In the right pane, select the device you want to locate.
   Note: Use the search tool to more quickly find a device within a long list.


3. Right-click on the device from which you want to retrieve the inventory and click Android Security > View Device Information.
4. Click OK.


Section

Managing Windows devices

Chapter 20. Setting up the Mobile Management Agent on Windows Mobile devices
Chapter 21. Managing software on Windows Mobile devices


Chapter 20

Setting up the Mobile Management Agent on Windows Mobile devices


This chapter includes the following topics:

About the Mobile Management Agent on Windows Mobile devices
Setting up the Mobile Management Agent on Windows Mobile devices
Setting the Mobile Management Agent configuration schedule for Windows mobile devices

About the Mobile Management Agent on Windows Mobile devices


The Mobile Management Agent should be installed on all of the Windows Mobile devices in your environment. The agent enables Symantec Management Platform to monitor and manage them. After the Mobile Management Agent is installed, the device becomes a managed device. After a Mobile Management server is created, you can install the Mobile Management Agent on the mobile devices in your environment. The agent lets the mobile devices communicate with the Mobile Management server and Symantec Management Platform. The agent also enables you to use Mobile Management to do the following:

To configure the device's access to corporate email and VPN.
To apply a set of policies to the device, such as security and passcode policies.


To perform remote actions such as remote wipe, remote lock, and passcode reset.
To get centralized reporting on the device.

See Setting up the Mobile Management Agent on Windows Mobile devices on page 172. See Setting the Mobile Management Agent configuration schedule for Windows mobile devices on page 173.

Setting up the Mobile Management Agent on Windows Mobile devices


After a Mobile Management server is created, you can install the Mobile Management Agent on the Windows Mobile devices in your environment. The Mobile Management Agent should be installed on all of the Windows Mobile and BlackBerry devices in your environment. This agent lets Symantec Management Platform monitor and manage the devices.

Note: Before you complete this procedure, make sure that Internet Information Services (IIS) is configured to run on the default port on the Mobile Management server. If IIS is configured to run on a non-default port, you must manually enter the port on the Mobile Agent Install page. By providing the appropriate port number, you ensure that you receive the proper URL to bootstrap the device or export the configuration file.

See About the Mobile Management Agent on Windows Mobile devices on page 171. See Setting the Mobile Management Agent configuration schedule for Windows mobile devices on page 173.

To set up the Mobile Management Agent on Windows Mobile devices

1. On the Internet, go to http://<MobileManagementServer>/mobilemanagement to access the local site server Web page.
   Your Mobile Agent download URL can be found in the Symantec Management Platform. On the Home menu, click Mobile Management. Expand Configuration and then click Agent installation. On the Mobile Agent Install page, the Mobile Agent download URL is listed.
2. Enter the credentials, if required.
3. Click Open to download the locatesiteserver.cab file.
4. Complete the rest of the installation process.


Setting the Mobile Management Agent configuration schedule for Windows mobile devices
You can choose how often agent configuration updates are requested on Windows Mobile devices. By default, agent configuration update requests occur every hour.

To change the agent configuration schedule for mobile devices

1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, expand Settings > Mobile Management > Mobile Agent Settings.
3. Click Agent Configuration Update Schedule.
4. In the right pane, specify the configuration schedule information:

   Number of units.
   Type of unit. Either minutes, hours, or days.

5. Click Save changes.


Chapter 21

Managing software on Windows Mobile devices


This chapter includes the following topics:

About software management on Windows Mobile devices
Creating software packages for Windows Mobile devices
Delivering software packages to Windows Mobile devices
Configuring the software maintenance windows
Software package actions
Software package health actions
Sample AppUpdate runtime substitution tokens

About software management on Windows Mobile devices


Mobile Management lets you manage software and software settings on the Windows Mobile devices in your environment. Software packages can contain single pieces of software, multiple pieces of software, or actions that run on the devices. You can also create upgrade packages and packages to remove other software packages. Through the Symantec Management Console, you can create, change, and deliver software packages. For more information on software delivery, see the Symantec Management Platform Help.


See Creating software packages for Windows Mobile devices on page 176. See Delivering software packages to Windows Mobile devices on page 177.

Creating software packages for Windows Mobile devices


Software packages can contain single pieces of software, multiple pieces of software, or actions that run on the devices. You can also create upgrade packages and packages to remove other software packages. The integrity of the software is checked and repaired whenever the software delivery or configuration policy runs. See About software management on Windows Mobile devices on page 175. See Delivering software packages to Windows Mobile devices on page 177.

To create software packages for mobile devices

1. In the Symantec Management Console, on the Manage menu, click Mobile > Software.
2. In the left pane, expand Software > Mobile Software.
3. Right-click the Mobile Software folder and then click New > Mobile Software.
4. In the right pane, click the New Mobile Software title and enter a name for your software package.
5. On the Properties tab, enter the version of the software.
6. Choose the priority.

   Automatic - The software automatically installs and no user intervention is required. Use this option most of the time.
   Manual - The mobile device user must run the software update manually (using AppUpdate) on the device.

7. Choose the company and the software product. Click Browse to find existing companies or software products or click New to add a new company or software product.
8. On the Package tab, click Add package to add software to the package. You can add packages or edit the actions on each package from the Package tab.
9. In the Add or Edit Package dialog box on the Details page, specify the details of your package. The Name field is the only one that is required.


10. Click Add and browse to the file you want to include in your package.
11. On the Package Server tab, specify the Package Destination Location. In the Assign package to menu, select a server. Click OK to add the software to the package.
12. On the Actions tab, click Auto Generate to automatically create the steps for downloading and installing the files in each of the packages.
    On the Actions tab, you can choose the actions to perform on software resources and the order in which the actions are performed. See Software package actions on page 179. Click the Add New Action symbol to select other actions to perform on software resources. You can use the AppUpdate runtime substitution tokens when you define the actions. See Sample AppUpdate runtime substitution tokens on page 196. You can click the Edit symbol and select an action to edit a current action.
13. On the Health tab, click Auto Generate to automatically create a set of standard statistics.
    The Health tab lets you choose the data that is checked to ensure that the software installs correctly. You can add your own metrics and choose from the File Hash, Version, or Size statistics. See Software package health actions on page 193.
14. Click Save changes.

Delivering software packages to Windows Mobile devices


Mobile Management lets you deliver the software packages that you have created to managed mobile devices through policies. Software packages are delivered according to the schedule that the maintenance windows set. By default, there are no maintenance windows policies enabled. A maintenance windows policy must be enabled to allow for the scheduled delivery of software. The integrity of the software is checked and repaired when the software delivery or configuration policy runs. See About software management on Windows Mobile devices on page 175. See Creating software packages for Windows Mobile devices on page 176. See Configuring the software maintenance windows on page 178.


For more information, view topics on policies and schedules in the Symantec Management Platform Help.

To deliver software to mobile devices

1. In the Symantec Management Console, on the Manage menu, click Policies.
2. In the left pane, expand Policies > Mobile Management.
3. Right-click the Software Management folder.
4. Click New > Mobile Device Software Delivery.
5. In the right pane, click the New Mobile Device Software Delivery title and enter a name for your software delivery policy.
6. Click Select Software in the right pane.
7. On the Select Software page, select the package that you want to include in your policy.
8. Click the appropriate arrow icons to move your selections to the Selected software box.
9. Click OK.
10. Click the down arrow next to Applied To.
11. Select Resources to choose the devices to which to deliver the software and click OK.
    The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
12. At the upper right corner of the page, click the colored circle, and then click On to turn on the policy.
13. Click Save changes to deliver your software packages to the selected devices.

Configuring the software maintenance windows


Software maintenance windows configure the Mobile Management Agent and tell it when to perform software update checks. See Delivering software packages to Windows Mobile devices on page 177.


To configure software maintenance windows

1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, expand Mobile Management > Mobile Software Maintenance Windows.
3 Right-click the Mobile Software Maintenance Windows folder.
4 Click New > Mobile Maintenance Window.
5 In the right pane, click the New Mobile Maintenance Window title and enter a name for your software maintenance window.
6 Configure your software maintenance window.
7 Click the down arrow next to Applied To. The set policy is automatically applied to all new devices that match the settings you specify by using Filters, Groups, or by excluding specific resources. If you want to target a specific device or list of devices, then you should specifically pick those devices. Use the Resource List filtering criteria to select the desired devices. Right-click the specific devices to exclude them from the filtered lists. Click Update Results to verify what devices are targeted.
8 At the upper right corner of the page, click the colored circle, and then click On to turn on the policy.
9 Click Apply to apply your software maintenance window to the selected devices.

Software package actions


The following table describes the install actions, settings, and parameters that can be entered when you configure software package actions.

Table 21-1 Software package actions

Action: Download

Description: Specifies an Install Action that executes a file download for the following settings:

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Download Actions Settings
Source - contains the Web server directory path and file name of the file to be downloaded to the device if required by versioning.
Target - {DeviceFileName} data type. Text value that specifies the Web server directory path and file name of the file to be downloaded to the device if versioning indicates it is required. This string can contain any device subdirectories prefixing the file name. Note that the AppUpdate Runtime Substitution Token values can be used within the value to define target subdirectories for target files. See Sample AppUpdate runtime substitution tokens on page 196.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: Install

Description: Specifies an Install Action that installs an installable file such as a CAB.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Install Action Settings
The following parameters specify the name of the installable file:
Command - {command value} data type. Optional text value that specifies an installation command.
File - {localfilename} data type. Text value which specifies a file name of an installable file residing on the device. Installable files include CAB files, ActiveX DLL files, REG import files, CPF files in OMA format and other XML formats which follow install file guidelines.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: Uninstall

Description: Specifies an Install Action that uninstalls an installed CAB file.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Uninstall Action Settings
The application to uninstall, specified by the following:
Name - {applicationname} data type. Text that specifies the name of an application that is installed on a device. The application name can be located by navigating on the device to Start > Settings > System > Remove Programs. Any applications appearing in the list can be specified for Uninstall.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: Process > WarmBoot

Description: Specifies an Install Action that soft/warm resets the device when all actions for the specified package are completed (not at the time the WarmBoot Action is encountered or after the last action of all packages). The WarmBoot Install Action does not require parameters.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

To customize the warm boot logic, place a custom executable (which must be named warmboot.exe) in the same directory as the AppUpdate executable. When the file warmboot.exe is found it is executed instead of the default warm boot Install Action.

Action: Process > Run

Description: Specifies an Install Action that executes a program locally on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Run Action Settings
This command execution is specified by the following:
Command - {Commandline} data type. Text value that specifies a directory path and file name on the device of the file to be run and any command line arguments to modify the run. Embedded blanks are allowed and double quotes are not required in the program path to enclose directories with embedded blanks. Command line arguments with embedded blanks should be tested as shortcuts before using here. Note that the AppUpdate Runtime Substitution Token values can be used within a value to define subdirectories for executable files and command line arguments as needed. See Sample AppUpdate runtime substitution tokens on page 196.
Timeout - {Timeout value} data type. Integer value that specifies how long the device should wait when it executes the Run Action before it continues to process. The following are the allowable values:
{value less than zero, ex. -1} - (default) specifies that device processing waits indefinitely for the action to finish before it continues with subsequent steps.
{"0"} - Device processing does not wait for the action to finish before it continues with subsequent steps.
{value greater than zero, ex. 10} - device processing waits (value that is specified in milliseconds) for the action to finish before it continues with subsequent steps.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: Process > Terminate

Description: Specifies an Install Action that terminates a module process running on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.
Note that the Terminate Install Action issues an error return code if the process to be terminated was not running at the time the call was made. Changing the default Critical continue only on success Action Setting to Critical continue allows subsequent Install Action processing to continue if the Install Action cannot install a specified file or stop a process that is not running.

Terminate Action Settings
The name of the process(es), specified by the following:
Modules - {ModuleName} data type. Text value that specifies an executable name (cmd.exe) or wildcard inclusion of multiple executable names running on the device (ex c*.* or * for all processes).

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Copy Files

Description: Specifies an Install Action that copies one or more files from one area (directory or folder) of the device to another.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Copy Files Action Settings
The name of the source folder and file name and the target folder that is specified by the following:
Source - {localsourcefilespec} data type. Path and file name(s) existing on the device to copy from during provisioning. Using wildcard characters is allowed.
Target - {localtargetfoldername} data type. Path existing on the device to receive files during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Move Files

Description: Specifies an Install Action that moves one or more files from one area (directory or folder) of the device to another.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Move Files Action Settings
The name of the source folder and file name and the target folder that is specified by the following:
Source - {localsourcefilespec} data type. Path and file name(s) existing on the device to move from during provisioning. Using wildcard characters is allowed. Files are removed from this location upon successful move to target.
Target - {localtargetfoldername} data type. Path existing on the device to receive the moved files during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Delete Files

Description: Specifies an Install Action that deletes a local file on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Delete Files Action Settings
The name of the file to be deleted, specified by the following:
Path - {localfilename} data type. File name(s) on the device to delete during provisioning. Using wildcard characters is allowed.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Rename File

Description: Specifies an Install Action that renames a file in a specified folder on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Rename File Action Settings
The name of the source file (existing file name) and the target file name (new file name), specified by the following:
Source - {existingfilename} data type. Path and file name existing on the device to be renamed during provisioning.
Target - {newfilename} data type. New file name not yet existing in the path that is specified in source. Note: Do not prefix with the path/folder specification. Use the raw file name.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Create Folder

Description: Specifies an Install Action that creates a local folder (directory) on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Create Folder Action Settings
The name of the folder (directory) to be created, specified by the following:
Path - {localfoldername} data type. Folder name on the device to be created during provisioning.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Remove Folder

Description: Specifies an Install Action that deletes a local folder (directory) on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Remove Folder Action Settings
The name of the folder (directory) to be deleted, specified by the following:
Path - {localfoldername} data type. Folder name on the device to delete during provisioning. All files in this folder are also deleted.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Action: File System > Rename Folder

Description: Specifies an Install Action that renames a folder on the device.

Actions Settings
Critical, continue only on success - (default) specifies that subsequent action steps in the package are only run if this step completes successfully.
Critical, continue - specifies that subsequent action steps in the package are run regardless of the success or failure of this step.
Critical, continue only on error - specifies that subsequent action steps in this package are only run if this step fails.

Rename Folder Action Settings
The name of the source folder name (existing folder or directory on the device) and the target folder name (new folder or directory on the device), specified by the following:
Source - {existingfoldername} data type. Path existing on the device to be renamed during provisioning.
Target - {newfoldername} data type. New folder name not yet existing on device.

Targeted Device Type
Used to provision specific devices by processor, major version, and platform:
CPU - contains the processor type of the device.
OS Major - {osmajor value} data type. Integer that specifies the major version number of the device operating system.
OS Platform - contains the mobile operating system of the device.

Software package health actions


The following table describes the metrics and statistics that can be entered when you configure the health reporting packages.

Table 21-2 Software package health actions

Action: File Hash

Description and parameters: Specifies a file hash to compare and determine whether provisioning needs to be performed.

File Hash Metric Settings
File - device file name and the path that is used for comparing the hash value.
Hash - MD5 hash value of specified file (Read Only).

Metric Generation Settings
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version. The Metric source cannot be manually entered.
Folder - path for Metric source file.
CAB File - CAB file containing Metric source file.
Virtual File - Metric source file that is contained in the CAB file.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.

Action: File Version

Description and parameters: Specifies a file version to compare and determine whether package provisioning actions need to be run to update a device.

File Version Metric Settings
Field - file version field that is used as the file version definition. Values are File or Product. The literal file version or a field in the file version set should be used. If the application has an embedded assembly, a sub class of File (file version) or Product (product version) may be specified.
File - device file name and the path that is used for comparing the hash value.
Operator - comparison operator for file version. Values are equal to (EQ), not equal to (NE), greater than (GT), greater than or equal to (GE), less than (LT), and less than or equal to (LE).
Value - file version of specified file (Read Only).

Metric Generation Settings
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version.
Folder - path for Metric source file.
CAB File - file containing Metric source file.
Virtual File - metric source file that is contained in the CAB file.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.

Action: File Size

Description and parameters: Specifies the file size to compare and determine whether package provisioning actions need to be run to update a device.

File Size Metric Settings
Metric Type - file content properties that are used to indicate whether package provisioning actions are run to update or align a parent product.
File - device file name and the path that is used for comparison.
Operator - comparison operator for file size. Values are equal to (EQ), not equal to (NE), greater than (GT), greater than or equal to (GE), less than (LT), and less than or equal to (LE).
Size - size value in bytes (Read Only).

Metric Generation Settings
Metric Source - file name and path of the server repository source file that is used to derive the file version for comparing to the device file. The device file version must match this file version. The Metric source cannot be manually entered.

Targeted Device Type
CPU - specifies the processor type of a device.
OS Major - specifies the major version number of a device OS.
OS Platform - mobile operating system of a device.
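The File Hash, File Version and File Size comparisons from Table 21-2, sketched as an added Python example that is not Symantec's code. It assumes that a satisfied metric means the device file is healthy and that a failed metric or a missing file is what triggers provisioning; the metric dictionaries, function names and file paths are hypothetical.

```python
import hashlib
import operator

# Comparison operators listed for the File Version and File Size metrics.
OPERATORS = {
    "EQ": operator.eq, "NE": operator.ne,
    "GT": operator.gt, "GE": operator.ge,
    "LT": operator.lt, "LE": operator.le,
}


def parse_version(text):
    """Split '1.10.0.0' into (1, 10, 0, 0) so each field compares as a number."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(part) for part in parts)


def compare_versions(device_version, op, metric_value):
    """Apply an operator to two versions, padding the shorter one with zeros."""
    left, right = parse_version(device_version), parse_version(metric_value)
    width = max(len(left), len(right))
    left += (0,) * (width - len(left))
    right += (0,) * (width - len(right))
    return OPERATORS[op](left, right)


def metric_satisfied(metric, device_files):
    """Return True when the file on the device meets the metric."""
    entry = device_files.get(metric["file"])
    if entry is None:
        return False  # assumption: a missing file never satisfies a metric
    kind = metric["type"]
    if kind == "File Hash":
        # MD5 is the hash the metric records; it detects changed or corrupted
        # files but is not collision-resistant.
        return hashlib.md5(entry["data"]).hexdigest() == metric["hash"].lower()
    if kind == "File Version":
        return compare_versions(entry["version"], metric["operator"], metric["value"])
    if kind == "File Size":
        return OPERATORS[metric["operator"]](len(entry["data"]), metric["size"])
    raise ValueError("unknown metric type: %r" % kind)


def failed_metrics(metrics, device_files):
    """Metrics that are not met; under the stated assumption these trigger provisioning."""
    return [m for m in metrics if not metric_satisfied(m, device_files)]


# Constructed sample data: repository copy, device file system, package metrics.
REPOSITORY_COPY = b"constructed application payload"
APP = r"\Program Files\Example\app.exe"
LIB = r"\Program Files\Example\helper.dll"
GONE = r"\Program Files\Example\missing.dll"

DEVICE_FILES = {
    APP: {"data": REPOSITORY_COPY, "version": "1.10.0.0"},
    LIB: {"data": b"older build", "version": "1.9.0"},
}

METRICS = [
    {"type": "File Hash", "file": APP,
     "hash": hashlib.md5(REPOSITORY_COPY).hexdigest().upper()},
    {"type": "File Version", "file": APP, "operator": "GE", "value": "1.9"},
    {"type": "File Size", "file": APP, "operator": "EQ", "size": len(REPOSITORY_COPY)},
    {"type": "File Version", "file": LIB, "operator": "GE", "value": "1.10"},
    {"type": "File Hash", "file": GONE, "hash": "0" * 32},
]

if __name__ == "__main__":
    for metric in failed_metrics(METRICS, DEVICE_FILES):
        print("provision:", metric["type"], metric["file"])
```

Comparing versions field by field matters here: as plain strings, "1.10.0.0" sorts below "1.9", so a GE metric would fail on a device that is actually newer.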

Sample AppUpdate runtime substitution tokens


The following runtime substitution tokens can be used when you define actions while you create software packages:
{TEMP} - temporary directory on the device.
{WINDOWS} - Windows directory on the device.
{SYSTEM} - Windows system directory on the device (same as {WINDOWS} on Windows CE).
{STARTUP} - startup shortcuts directory on the device.
{PROGRAMS} - program files on the device.
{DOCUMENTS} - personal documents on the device.
{START_MENU} - root start menu on the device.
{PROGRAMS_MENU} - programs menu on start menu (same as {START_MENU} on Smartphone) on the device.
{DEVICE_ID} - hex device ID (MD5 hash).
{DEVICE_ID2} - unique ID algorithm.
{DEVICE_ID3} - unique ID algorithm for older devices (pre-Windows Mobile 5).
{DEVICE_ID4} - unique ID algorithm that indicates the platform.
{DEVICE_CPU} - instruction set (ARMV4, ARMV4I, etc).
{DEVICE_OEM} - OEM info string (Windows CE only).
{OS_MAJOR} - major OS version (e.g. 4).
{OS_MINOR} - minor OS version (e.g. 20).
{OS_BUILD} - OS build number.
{OS_PLATFORM} - WinCE or Win32.
{OS_SHELL} - Standard, PocketPC, or Smartphone.
{PRODUCT} - name attribute ({PRODUCT}) of the current package being processed in the Manifest (server-side and device-side).
{VERSION} - version attribute ({VERSION}) of the current package being processed in the Manifest (server-side and device-side).
{SCREEN_CX} - device horizontal resolution.
{SCREEN_CY} - device vertical resolution.
{Hxxx\yyyy\zzzz...\} - Registry entry value. The first segment of the specification can be either the long name or the short name of one of the following root key values: HKEY_CLASSES_ROOT or HKCR, HKEY_CURRENT_USER or HKCU, and HKEY_LOCAL_MACHINE or HKLM. Supported value types that can be returned are REG_SZ (string), REG_DWORD (hexadecimal value, preceded with 0x) and REG_BINARY (block of 2-digit hexadecimal values).
{MAC_ADDRESS} - device Network Interface Card (NIC) Media Access Layer (MAC) address of the NIC used to retrieve the host's Manifest XML payload.
{APP_MAJOR} - major release number.
{APP_MINOR} - minor release number.
{APP_BUILD} - build number.
{NLS_LCID} - National Language Support table device location identifier.
{NLS_OEMCP} - National Language Support table OEM code page.
{NLS_ANSICP} - National Language Support table ANSI code page.
{BATTERY_LEVEL} - percent of battery charge level on the device.
{DEVICE_NAME} - device name.
{DEVICE_PHONE} - device phone number.
{FREE_SPACE} - available free space on the device.

See Creating software packages for Windows Mobile devices on page 176.

Appendix

System requirements and port usage for Symantec Mobile Management 7.2

This appendix includes the following topics:

Mobile Management requirements
Network ports used by Mobile Management
Supported devices and device operating systems

Mobile Management requirements


The following table describes the requirements of each Mobile Management component:

Table A-1 Mobile Management requirements

Component: Mobile Management Server

Requirement and description:
Windows Server 2003 and Windows Server 2008 R2 & R2 SP1, 64-bit only - Enterprise, Standard, and Datacenter editions. Core Edition is not supported.
Symantec Management Agent. See Symantec Management Platform 7.1 SP2 Installation Guide for more information about the Symantec Management Agent.
Web Server (IIS) version corresponding to operating system version. Role defaults plus IIS 6 Management compatibility.
.NET Framework corresponding to operating system and IIS version.
ASP.NET.
Apple Push Notification Service (APNS) certificate.

Component: Symantec Management Console

Requirement and description:
Internet Explorer 7.1, or later
Java Runtime Environment
See Symantec Management Platform 7.1 SP2 Installation Guide for additional requirements.

Component: Mobile Management Agent

Requirement and description:
iPhone 3G, 3GS, 4, and 4S running iOS 4.3 or later. Symantec Mobile Management 7.2 supports policy settings on iOS 5
iPod Touch 2nd generation, 3rd generation, and 4th generation running iOS 4.3 or later
iPad running iOS 4.3 or later
Android 2.2 or later.
Windows Mobile 6.0, 6.1, and 6.5 - Professional and Standard
Windows CE 4.2 to 6.0
Windows Phone 7.5
Blackberry OS 4.3 - 6.x

Component: Symantec Management Platform server

Requirement and description:
Windows Server 2008 R2 & R2 SP1, 64-bit only - Enterprise, Standard, and Datacenter editions. Core Edition is not supported.
SQL Server 2005 SP2, SP3, SP4 or SQL Server 2008 SP1, SP2, R2, R2 SP1
IIS 7.5 (IIS 6 compatibility)
.NET Framework 3.5 SP1
Note: The Windows Communication Foundation subcomponent is required on the Symantec Management Platform server. See the Symantec Management Platform system requirements for more information.
Microsoft Silverlight 3.x, 4.x, 5.x
Symantec Management Platform 7.1 SP1/SP2
See Symantec Management Platform 7.1 SP2 Installation Guide for additional requirements.

Component: Microsoft SQL Server
Requirement and description: See SQL Server documentation.

Component: Active Directory
Requirement and description: See Active Directory documentation.

Component: LDAP
Requirement and description: See LDAP documentation.

Component: Certificate Authority
Requirement and description: See Certificate Authority documentation.

Component: SCEP
Requirement and description: See SCEP documentation.

Component: Microsoft Exchange ActiveSync
Requirement and description:
Exchange ActiveSync integration software requirements:
Microsoft Exchange 2007 SP1 or SP2 with Exchange Server 2007 Management Tools or Microsoft Exchange 2010
Microsoft Windows Management Framework, specifically Windows PowerShell 2.0
See Microsoft Exchange ActiveSync documentation for Exchange ActiveSync requirements.



Apple Push Notification Service: See Apple Push Notification Service documentation.
Google Cloud Messaging (GCM): GCM allows you to push data, commands, and actions to Android devices. GCM requires an account with Google. See Google GCM documentation for more details.

Network ports used by Mobile Management


The following table describes the ports that are used by Mobile Management:

Table A-2 Network ports used by Mobile Management

Port | From | To | Description
80, 443 | Agent | Mobile Management Server | IIS HTTP for agent communication, IIS HTTPS for agent communication (optional)
7780 | Agent | Mobile Management Server | Remote control connection
5223 | Agent | Apple Push Notification Service | APNS communications to Apple by APNS servers
2195, 2196, 5223 | Mobile Management Server | Apple Push Notification Service | APNS communications to agent by APNS servers
7778 | Symantec Management Platform Server | Mobile Management Server | Remote control connection
80 | Mobile Management Server | Symantec Management Platform Server | IIS HTTP
80 | Symantec Management Console browser | Symantec Management Platform Server | Console
7778 | Symantec Management Console browser | Mobile Management Server | Remote control connection
Standard SQL ports | Symantec Management Platform Server | Microsoft SQL Server | Database
50120-50124 | Symantec Management Platform Server | Mobile Management Server | SMP Client Task Agent communications. Note: If these ports are not available, the Client Task Agent will fail-over to use HTTP-HTTPS for communications.
5228-5230 | Mobile Management Server | Google Cloud Messaging (GCM) | Google Cloud Messaging (GCM) communications
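The following added example (not part of the Symantec guide) checks the outbound flows that Table A-2 lists for the Mobile Management Server, using only calls available in Windows PowerShell 2.0. The function name, the `smp.example.internal` host, and the Apple and Google host names are assumptions: the guide names the services and ports but not the endpoints.

```powershell
# Added example, not from the Symantec guide. Run on the Mobile Management Server.

function Test-TcpPort {
    # Attempts a TCP connection and returns 'Open', 'Timeout' or 'Failed'.
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'          # no answer at all: usually a filtered port
        }
        $client.EndConnect($pending)  # throws on refusal or name-resolution failure
        return 'Open'
    }
    catch {
        return 'Failed'
    }
    finally {
        $client.Close()
    }
}

# Outbound flows of the Mobile Management Server from Table A-2.
# Assumptions: smp.example.internal is a placeholder for your Symantec Management
# Platform Server; the Apple names are the legacy APNS binary-protocol endpoints
# for ports 2195/2196 and the Google name is the GCM connection endpoint. Confirm
# them against Apple and Google documentation. Port 5223 from the same table row
# is not tested because the page does not name an endpoint for it.
$flows = @(
    @{ Flow = 'IIS HTTP to Symantec Management Platform Server'; TargetHost = 'smp.example.internal';    Ports = @(80) },
    @{ Flow = 'Apple Push Notification Service';                 TargetHost = 'gateway.push.apple.com';  Ports = @(2195) },
    @{ Flow = 'Apple Push Notification Service (feedback)';      TargetHost = 'feedback.push.apple.com'; Ports = @(2196) },
    @{ Flow = 'Google Cloud Messaging (GCM)';                    TargetHost = 'mtalk.google.com';        Ports = 5228..5230 }
)

$results = foreach ($flow in $flows) {
    foreach ($port in $flow.Ports) {
        $state = Test-TcpPort -TargetHost $flow.TargetHost -Port $port
        New-Object PSObject -Property @{
            Flow       = $flow.Flow
            TargetHost = $flow.TargetHost
            Port       = $port
            Result     = $state
        }
    }
}

$results | Select-Object Flow, TargetHost, Port, Result | Format-Table -AutoSize
```

A `Timeout` result usually points to a firewall that drops the traffic, while `Failed` covers a refused connection or a host name that does not resolve.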

Supported devices and device operating systems


The following table describes the devices and device operating systems that the Mobile Management components support:

Table A-3 Supported devices and device operating systems

Exchange ActiveSync
  Apple iOS running iOS 2.x, 3.x, and 4.x
  Android 2.2 and later
  Windows Mobile 6.1 and 6.5
  Windows Phone 7
  Palm WebOS 1.4.5
  Nokia (running Mail for Exchange v3.0.50)

Mobile Management Agent
  Apple iPhone 3G, 3GS, and 4 running iOS 4.1 or later
  Apple iPad running iOS 4.2 or later
  iPod Touch 2nd generation, 3rd generation, and 4th generation running 4.1 or later
  Android 2.2 or later
  Windows Mobile 2003, 5, 6.1, and 6.5
  Windows CE 4.2 to 6.0
  Blackberry OS 4.3 to 5.0

Appendix

Mobile device management features


This appendix includes the following topics:

Mobile device features

Mobile device features


Different devices support different Mobile Management features, depending on the device's limitations. The following table outlines the devices that are supported and the available features.

Table B-1 Mobile device features

iOS
  Customizable Mobile Management Agent
  Mobile Library
  Exchange ActiveSync
  Configuration profiles
  Actions
  Policies
  Reports
  Remote wipe
  Inventory data
  Event log
  Provisioning apps from the Apple App store with the Apple Volume Purchase Program

Android
  Customizable Mobile Management Agent
  Exchange ActiveSync/TouchDown
  Configuration profiles
  Actions
  Policies
  Reports
  Remotely trigger alarm
  Remote wipe and lock
  Location mapping
  Inventory data
  Event log

Windows Mobile
  Mobile Management Agent
  Exchange ActiveSync (except Windows Phone 7)
  Actions
  Policies
  Reports
  Inventory data
  Remote control
  Software management

See Getting started with Mobile Management on page 14.

Appendix

Creating the in-house Mobile Management Agent application for iOS devices
This appendix includes the following topics:

About the in-house Mobile Management Agent application
Creating the in-house Mobile Management Agent application
Requirements for creating the in-house Mobile Management Agent application
Downloading a WWDR Intermediate Certificate
Creating a Developer Certificate
Registering an iOS device for testing
Setting up an App ID
Downloading the project
Preparing the iOS device for testing
Loading the project
Creating and installing a Development Provisioning Profile
Customizing the Bundle identifier
Customizing the localized string files
Customizing the Target settings
Building and testing the application
Building and distributing the application

About the in-house Mobile Management Agent application


You can create the Mobile Management Agent application for internal deployment and upload it to an internal site for download. After you have created the Agent and uploaded it, users can browse to the internal Web site and download and install the Agent. See About the Mobile Management Agent application on iOS devices on page 141.

Creating the in-house Mobile Management Agent application


You can build and set up the Mobile Management Agent for internal download. The process includes instructions for acquiring certificates and the other resources that are required to build and deploy an application. The first time you build the Mobile Management Agent iOS application, you must complete all of the steps in Table C-1 and Table C-2. After you create the application for the first time, you can create another application by completing the steps in Table C-2.

See About the in-house Mobile Management Agent application on page 208.

Table C-1 Process for preparing to create the in-house Mobile Management Agent application

Step | Action | Description
Step 1 | Make sure that you meet all of the requirements for building and distributing an in-house application. | You must ensure that your environment meets the requirements for creating the in-house Mobile Management Agent application. See Requirements for creating the in-house Mobile Management Agent application on page 212.
Step 2 | Log on to your iOS Developer Enterprise Program account. | Log on to your iOS Developer Enterprise Program account as the Team Agent entity at the following Web site: https://developer.apple.com/membercenter/index.action#iPhoneDev
Step 3 | Download a WWDR Intermediate certificate. | The WWDR Intermediate Certificate tests the authenticity of your other certificates. See Downloading a WWDR Intermediate Certificate on page 212.
Step 4 | Create a Developer Certificate. | The Developer Certificate identifies you as the owner of the applications you build. See Creating a Developer Certificate on page 213.
Step 5 | Register an iOS device for testing. | iOS devices must be registered with Apple before they can be used for testing. See Registering an iOS device for testing on page 213.
Step 6 | Set up an App ID. | The App ID is an identifier for any project that is made through Apple. See Setting up an App ID on page 213.
Step 7 | Download the project. | Symantec provides a pre-compiled project to use to develop the agent application. When you install Mobile Management, this template is placed in your Symantec Management Platform Server directory. See Downloading the project on page 214.
Step 8 | Prepare an iOS device for testing. | You need to prepare your registered Apple testing device for testing. See Preparing the iOS device for testing on page 214.

Table C-2 Process for creating the in-house Mobile Management Agent application

Step | Action | Description
Step 1 | Load the project in Xcode. | Symantec provides a pre-compiled project to use to develop the agent application. Symantec recommends that you make a copy of the provided project template and make modifications to the copy. See Loading the project on page 215.
Step 2 | Create and install a Development Provisioning Profile to build and test your application. | Apple uses the Development Provisioning Profile to determine who works on which projects, and on which devices they can test. See Creating and installing a Development Provisioning Profile on page 215.
Step 3 | Customize the Bundle identifier value. | The Bundle identifier is built into the application and attaches to certifications. It allows the device to receive notifications from the Apple Push Notification Service. See Customizing the Bundle identifier on page 216.
Step 4 | Customize the localized string files. | The string files contain the information that appears in the settings of the application on the device. See Customizing the localized string files on page 217.
Step 5 | Customize the Target settings. | The Target settings are the various settings that are set to determine to which devices the agent is delivered. See Customizing the Target settings on page 218.
Step 6 | Build the application for testing and test it. | To test the application, build it for testing and test it in your device. See Building and testing the application on page 218.
Step 7 | Build the application for distribution and set up the download URL. | After you build and test your application, it should install and launch on your testing device. After the application installs and launches successfully on your testing device, you can build the application for internal deployment. See Building and distributing the application on page 219.

See About the in-house Mobile Management Agent application on page 208.


Requirements for creating the in-house Mobile Management Agent application


You must ensure that your environment meets the requirements for creating the in-house Mobile Management Agent application. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

Table C-3 Requirements for creating the application

Hardware and software requirements
  Mac computer running the current version of Mac OS X
  Current version of Xcode and iOS SDK
  At least one iOS device for testing

Membership requirements
  iOS Developer Enterprise Program membership
  You can sign up at the following Web site: http://developer.apple.com/programs/ios/enterprise/

Downloading a WWDR Intermediate Certificate


The WWDR Intermediate Certificate tests the authenticity of your other certificates. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To download a WWDR Intermediate Certificate

1 Go to the following URL: https://developer.apple.com/ios/manage/certificates/team/index.action
2 Click Click here to download now.
3 After the certificate has downloaded, double-click the certificate to add it to your key chain.


Creating a Developer Certificate


The Developer Certificate identifies you as the owner of the applications you build. The Developer Certificate and the Development Provisioning Profile work together so that you have profiles for development and distribution. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To create a Developer Certificate

1 Go to the following URL: https://developer.apple.com/ios/manage/certificates/team/howto.action
2 Follow the instructions for the following:
  Generating a Certificate Signing Request
  Submitting a Certificate Signing Request for Approval
  Approving Certificate Signing Requests
  Downloading and Installing Development Certificates

Registering an iOS device for testing


iOS devices must be registered with Apple before they can be used for testing. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To register an iOS device for testing

1 Go to the following URL: https://developer.apple.com/ios/manage/devices/howto.action
2 Follow the instructions for the following:
  Locating a Unique Device ID
  Adding Individual Devices

Setting up an App ID
The App ID is an identifier for any project that is made through Apple. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To set up an App ID

1 Go to the following URL: https://developer.apple.com/ios/manage/bundles/howto.action
2 Follow the instructions for the following:
  Generating an App ID
  Since the App ID needs to be enabled for APNs, it cannot be a wildcard. Symantec recommends that you use a name like com.<YourCompany>.<YourAppName>. This name is also used in the AthenaFramework-Info.plist file.
  Registering an App ID for Apple Push Notification Service
  Configure Development Push SSL certificate

Note: Anytime you change your App ID settings, you must regenerate and replace any existing provisioning profiles that use the App ID.

Downloading the project


Symantec provides a pre-compiled project to use to develop the agent application. When you install Mobile Management, this template is placed in your Symantec Management Platform Server directory. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To download the project

1 Browse to the following location: C:\Program Files\Altiris\MobileManagement\Agents\iOSAgentFramework
2 Copy iOSAgentFramework.zip to your desktop.

Preparing the iOS device for testing


You need to prepare your registered Apple testing device for testing. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To prepare an iOS device for testing

1 Open Xcode.
2 In the Windows menu, click Organizer.
3 On the Organizer page, in the left pane, expand iPhone Development, and click Provisioning Profiles.
4 Connect your registered iOS device to your Mac computer using a USB cable.
5 In the left pane, expand Devices, and click the registered iOS device.
6 Click Use for Development.
7 Enter your iOS Developer Enterprise Program credentials.

Loading the project


Symantec provides a pre-compiled project to use to develop the agent application. Symantec recommends that you make a copy of the provided project template and make modifications to the copy. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To load the project

1 Open Xcode and click Open Other.
2 Browse to the Athena Framework project folder and select iOSAgentFramework.zip.
3 Click Open.

Creating and installing a Development Provisioning Profile


Apple uses the Development Provisioning Profile to determine who works on which projects, and on which devices they can test. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To create and install a Development Provisioning Profile

1 Go to the following URL: https://developer.apple.com/ios/manage/provisioningprofiles/howto.action
2 Follow the instructions for the following:
  Creating a Development Provisioning Profile
  Installing a Development Provisioning Profile
  Building and installing your Development Application
  In step 2, your device will be available from the drop-down menu in the upper-left hand corner. Perform step 5 before step 4. Complete all other steps in order. The Build and Go button that is referenced in step 6 is instead labeled Build and Run.

Warning: Do not attempt to use the Xcode Simulator to test your build. You must perform the tests on an actual device. If you use the Mobile Management Agent template to build applications, they do not load in the simulator. The simulator lacks required functionality, such as the Apple Push Notification Service.

Customizing the Bundle identifier


The Bundle identifier is built into the application and attaches to certifications. It allows the device to receive notifications from the Apple Push Notification Service. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To customize the Bundle identifier

1 Open your project in Xcode.
2 In the left pane, under Groups & Files, expand athenaFramework-template > Resources > plists, and click AthenaFramework-Info.plist.
3 In the Bundle identifier field, enter the same value as your App ID.


Customizing the localized string files


The string files contain the information that appears in the settings of the application on the device.

Warning: When you edit LocalizableStrings-en.plist or localize it to a new language, do not change the names of the keys on the left. Change only the string values on the right.

This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To customize the localized string files

1 Open your project in Xcode.
2 In the left pane, under Groups & Files, expand AthenaFramework-template > Resources > plists, and click LocalizableStrings-en.plist.
3 In the right pane, modify the content of AboutView, EnrollView, HomeView, Preferences, and StatusView.
4 (Optional) If you change the name of the Mobile Management Agent, you need to change the name of the agent in the string files and also in the Target settings.

Action | Steps
Change Mobile Management Agent name in the string files | In HomeView, change the Agent Title field to the name of your agent. In AboutView, change the Name field to match the name of your agent.
Change Mobile Management Agent name in the Target settings | Under Packaging, change Product Name to match the name of your agent. See Customizing the Target settings on page 218.


Customizing the Target settings


The Target settings are the various settings that are set to determine to which devices the agent is delivered. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To customize the Target settings

1 Open your project in Xcode.
2 Click Project in the left pane.
3 In the middle pane, click the project under Targets.
4 Click Build Settings.
5 Under Architectures, make the following changes:
  Set Base SDK according to the target for your application. The minimum value is iOS Device 4.2. You can select newer SDK versions, but not older versions.
  Under Code Signing, select the previously created provisioning profile.
  Under Deployment, choose the desired Targeted Device Family. iOS 4.1 is the minimum supported version.

(Optional) If you change the name of the Mobile Management Agent, you need to change the name of the agent in the Target settings. Under Packaging, change Product Name to match the name of your agent.

Building and testing the application


To test the application, build it for testing and test it in your device. If the application installs and launches on your testing device, the application is complete and the project is correct.

Warning: Do not use the Xcode Simulator to test your build. You must perform the tests on an actual device. If you use the Mobile Management Agent template to build applications, they do not load in the simulator. The simulator lacks required functionality, such as the Apple Push Notification Service.

This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To build and test your application

1 Open your project in Xcode.
2 Connect your registered iOS testing device to your Mac computer.
3 In the field in the upper left of the screen, make sure that your testing device is selected.
4 Click the Run button in the top left corner. If the application installs and launches on your testing device, the application is complete and the project is correct.

Building and distributing the application


After you build and test your application, it should install and launch on your testing device. After the application installs and launches successfully on your testing device, you can build the application for internal deployment. The following steps outline the process of building your application and setting up the distribution URL. This task is a step in the process for preparing to create the in-house Mobile Management Agent application. See Creating the in-house Mobile Management Agent application on page 208.

To build and distribute your application

1 Log in to your iOS Developer Enterprise Program account as the Team Agent entity at the following Web site: https://developer.apple.com/membercenter/index.action#iPhoneDev
2 Go to the following URL: https://developer.apple.com/ios/manage/distribution/index.action
3 Follow the instructions for the following:
  Building your Application with Xcode for Distribution
  Verifying a Successful Distribution Build
  Updating your Application

Appendix

Troubleshooting
This appendix includes the following topics:

KB articles specific to the Symantec Mobile Management 7.2 SP1 release
Troubleshooting configuration policy distribution problems
Troubleshooting iOS device agent enrollment
Troubleshooting Mobile Management Server configurations
About troubleshooting errors with the SymantecEASService configuration
Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
Configuring Mobile Management to work with a development APNS certificate

KB articles specific to the Symantec Mobile Management 7.2 SP1 release


The following table lists the knowledge base articles that address the known issues in this release of Symantec Mobile Management.

URL / KB ID# | Title
http://www.symantec.com/docs/TECH197075 | Resetting Exchange ActiveSync blocking solutions after uninstalling or changing the Symantec Management Platform infrastructure
http://www.symantec.com/docs/TECH197341 | Mobile Management logs indicate APNS errors but commands to iOS devices still work as usual
http://www.symantec.com/docs/TECH197096 | Locating the password that was used to lock a mobile device
http://www.symantec.com/docs/TECH197092 | Exchange Allow/Block/Quarantine (ABQ) rules are still active upon reinstall of Symantec Mobile Management server
http://www.symantec.com/docs/TECH197067 | What do the "ManagementFlags" values mean in the Mobile_ManagedApplicationList_iOS inventory list?
http://www.symantec.com/docs/TECH197019 | Authentication stops working after upgrading to Symantec Mobile Management 7.2 SP1
http://www.symantec.com/docs/TECH196854 | Devices known to be missing required apps do not appear as non-compliant in reports
http://www.symantec.com/docs/TECH196793 | Logs show many NSE errors after upgrading to Symantec Mobile Management 7.2 SP1
http://www.symantec.com/docs/TECH196656 | Customizing the email message sent by Exchange for quarantined or blocked devices
http://www.symantec.com/docs/TECH196709 | After enrolling with Symantec Mobile Management, some Android devices appear twice in the Mobile Management Device Inventory
http://www.symantec.com/docs/TECH196654 | Functional limitations for Android devices when using Exchange ActiveSync access control
http://www.symantec.com/docs/TECH196517 | Reporting on non-compliant devices in Symantec Mobile Management 7.2 SP1
http://www.symantec.com/docs/TECH196515 | Reporting on rooted or jailbroken mobile device in Symantec Mobile Management
http://www.symantec.com/docs/TECH196511 | Cannot download large files from the Symantec Mobile Management Mobile Library
http://www.symantec.com/docs/TECH196509 | 2-way SSL does not work on iOS devices
http://www.symantec.com/docs/TECH196495 | Exchange ActiveSync policies are missing after upgrading Symantec Mobile Management
http://www.symantec.com/docs/TECH196323 | After upgrading to Symantec Mobile Management 7.2 SP1, Android device OS information is displayed as "Unknown"
http://www.symantec.com/docs/TECH196318 | Single Android device has two sets of device information in the Resources list
http://www.symantec.com/docs/TECH191025 | Error downloading from Mobile Library
http://www.symantec.com/docs/TECH191123 | Reporting frequency default settings per device type
http://www.symantec.com/docs/TECH197411 | Mobile Management server status checks fail to import to Symantec Management Platform SP1

Troubleshooting configuration policy distribution problems


This section outlines troubleshooting steps to go through if the iOS devices in your environment do not receive configuration policies. See About configuration profiles on iOS devices on page 95.

To troubleshoot configuration policy distribution problems

1 Make sure that you turned on the policy. See Assigning policies on page 93.
2 Make sure that you properly targeted your device. See Assigning policies on page 93.
3 Run the Update Policies action on the device.
4 Make sure that policies are delivered. Check for delivery by sending the Lock Device action to a device you have and see if it locks within a few minutes.
5 Make sure that the APNS ports are open in your environment.
6 Check your MDM Certificate configuration. See Configuring iOS device MDM enrollment on page 58.
7 Make sure that you have an MDM profile on your device. Check for this profile by going to Settings > General > Profiles on the device.
8 Make sure that you apply the policies from the correct Mobile Management Server.

Troubleshooting iOS device agent enrollment


You can ensure that the Mobile Management Agent is correctly enrolled by verifying the following things:

You can see the Mobile Library content in the Mobile Management Agent.
You can see the MDM profile on the device. You can check this item by going to Settings > General > Profiles on the device.
The agent appears on the desktop of the device.
The Agent and MDM Enrollment status in the Symantec Management Console are listed as true. You can check this status in the Symantec Management Console. Click the Reports tab and then click All Reports. In the left pane, expand Mobile Management and click Detailed iOS Device Status. Find the device you want to have enrolled and make sure that Agent Enrolled and MDM Enrolled are both True.
The Push Certificate Subject matches the App ID's Bundle identifier that is found in the APNS certificate.
The device receives notifications from the Symantec Management Platform through APNS.

If one of the preceding items was unverifiable, the Mobile Management Agent was not enrolled correctly. To try to fix the agent enrollment, you can do the following:

Remove the agent and then re-download and re-enroll it. If you are not able to enroll the Mobile Management Agent on an iOS device, you may need to remove any old MDM profiles. The existence of old MDM profiles on the device can cause the installation of the Mobile Management Agent to fail. Remove the Mobile Management Agent and any old MDM profiles. After you have completely removed the agent, re-download and re-enroll it. See Downloading and installing the Mobile Management Agent app on page 39. See Enrolling a mobile device on page 40.
Troubleshoot the Mobile Management Server installation. If you get an MDM enrollment error when you attempt to enroll a device, your Mobile Management Server configuration may be wrong. See Troubleshooting Mobile Management Server configurations on page 225.
After you install the APNS certificate on your Mobile Management Server, you can verify that the Push Certificate Subject matches the App ID's Bundle identifier. See Verifying that the Push Certificate Subject matches the App ID's Bundle identifier on page 226.
If your APNS certificate was created for development and not production, you need to make sure that you configure Mobile Management accordingly. See Configuring Mobile Management to work with a development APNS certificate on page 226.

Troubleshooting Mobile Management Server configurations


If you suspect that your Mobile Management configuration is incorrect, you can take steps to troubleshoot the problem. You also may need to troubleshoot your Mobile Management Server installation if you receive error messages relating to your Mobile Management Server. See Configuring the site server and enrollment settings on page 53.

To troubleshoot Mobile Management Server installations

1 Make sure that the APNS certificate is installed on the site server.
2 Make sure that the Mobile Management Server settings are correct. For example, make sure that the server IP or name is properly entered in Site Server Settings.
3 Make sure that the APNS thumbprint matches the APNS certificate.
4 Make sure that the type of APNS certificate is properly selected.
5 Make sure that the SCEP information is properly entered. For example, verify the URL, Subject, and Challenge phrase.
6 Make sure that the SCEP service is properly set up.
7 Make sure the Push Certificate Subject matches the APNS certificate.

About troubleshooting errors with the SymantecEASService configuration


If you get errors with the SymantecEASService, you may need to check your security permissions. The following permissions should be set on the Mobile Management Server:

The eadmin account is a member of the Exchange Organization Administrators tab.
The SymantecEASService is running as Exchange Admin.
The eadmin has read and write access to %ProgramFiles%\Symantec\Mobile Management\eas\.
The SymantecEASPolicyAppPool has a configurable identity.
SYMMOBILE\eadmin is a member of the local IIS_WPG group.
The eadmin has read and write access to %SystemRoot%\Temp.

See Setting up Exchange ActiveSync on page 64.

Verifying that the Push Certificate Subject matches the App ID's Bundle identifier
After you install the APNS certificate on your Mobile Management Server, you can verify that the Push Certificate Subject matches the App ID's Bundle identifier.

To verify that the Push Certificate Subject matches the App ID's Bundle identifier

1 Click Start. In the search box, type mmc.
2 Click the mmc.exe.
3 In the MMC console, navigate to File > Add/Remove Snap-in.
4 Select Certificates from the left pane.
5 Click Add and select Computer Account.
6 Click Next, Finish, and then click OK.
7 Next, navigate to Certificates (Local Computer) > Personal > Certificates.
8 Find the certificate you created in the right pane and double-click the certificate.
9 Click on the Details tab and select Subject.
10 Look in the bottom box of the window and locate the Bundle Identifier. For example, = com.apple.mgmt.<yourstring>. Record the Bundle Identifier so you can compare it with the one in the Symantec Management Console.
11 Open the Symantec Management Console.
12 Navigate to Home > Mobile Management > iOS MDM Enrollment Configuration.
13 The Push Certificate Subject field on the iOS MDM Enrollment page should match the Bundle Identifier that is recorded from the APNS certificate.
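
The thumbprint and Push Certificate Subject comparisons described in the two procedures above can also be scripted. The following PowerShell is an added example, not part of the Symantec product or of this guide; the function names and the sample values are assumptions made for illustration.

```powershell
# Added example (not Symantec code). Compares an APNS certificate with the
# values entered in the Symantec Management Console. Function names are
# hypothetical; sample values at the bottom are constructed.

function Get-PushTopic {
    # Return the Bundle Identifier held in the certificate Subject, or $null.
    # Windows prints the UID attribute by its OID; other tools print "UID=".
    param([string]$Subject)
    $pattern = '(?:^|,\s*)(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)\s*=\s*([^,]+)'
    $match = [regex]::Match($Subject, $pattern)
    if ($match.Success) { return $match.Groups[1].Value.Trim() }
    return $null
}

function ConvertTo-CleanThumbprint {
    # A thumbprint copied from the MMC Details tab contains spaces and can
    # start with an invisible U+200E character; keep only the hex digits.
    param([string]$Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ApnsSetting {
    # Compare one certificate's Subject and thumbprint with the console values.
    param(
        [string]$CertSubject,
        [string]$CertThumbprint,
        [bool]$HasPrivateKey = $true,
        [string]$ConsoleSubject,
        [string]$ConsoleThumbprint
    )
    $topic        = Get-PushTopic -Subject $CertSubject
    $certPrint    = ConvertTo-CleanThumbprint -Thumbprint $CertThumbprint
    $consolePrint = ConvertTo-CleanThumbprint -Thumbprint $ConsoleThumbprint
    New-Object PSObject -Property @{
        BundleIdentifier  = $topic
        # Exact, case-sensitive match (assumption: the console value must be identical).
        SubjectMatches    = ($null -ne $topic) -and ($topic -ceq $ConsoleSubject.Trim())
        # A Windows certificate thumbprint is a SHA-1 hash: 40 hex digits.
        ThumbprintMatches = ($certPrint.Length -eq 40) -and ($certPrint -eq $consolePrint)
        # Without the private key the certificate cannot authenticate to APNS.
        HasPrivateKey     = $HasPrivateKey
    }
}

function Test-InstalledApnsCertificate {
    # Run on the Mobile Management Server: checks every certificate under
    # Certificates (Local Computer) > Personal that carries a Bundle Identifier.
    param([string]$ConsoleSubject, [string]$ConsoleThumbprint)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { Get-PushTopic -Subject $_.Subject } |
        ForEach-Object {
            Test-ApnsSetting -CertSubject $_.Subject -CertThumbprint $_.Thumbprint `
                -HasPrivateKey $_.HasPrivateKey `
                -ConsoleSubject $ConsoleSubject -ConsoleThumbprint $ConsoleThumbprint
        }
}

# Constructed sample values, not taken from a real certificate or console.
$sampleSubject    = 'C=US, CN=Constructed Push Certificate, OID.0.9.2342.19200300.100.1.1=com.apple.mgmt.example-string'
$sampleThumbprint = '00112233445566778899AABBCCDDEEFF00112233'
$pastedThumbprint = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

Test-ApnsSetting -CertSubject $sampleSubject -CertThumbprint $sampleThumbprint `
    -ConsoleSubject 'com.apple.mgmt.example-string' -ConsoleThumbprint $pastedThumbprint
```

On the server itself, call Test-InstalledApnsCertificate with the Push Certificate Subject and APNS thumbprint exactly as they appear in the console; any row with a False value points to the setting to correct.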

Configuring Mobile Management to work with a development APNS certificate


If your APNS certificate was created for development and not production, you need to configure Mobile Management accordingly.


See Configuring the site server and enrollment settings on page 53.

To configure Mobile Management to work with a development APNS certificate

1 Open the Symantec Management Console and click the Home tab.
2 Expand Mobile Management and click Mobile Management Server Settings.
3 Click the APNS tab, and then check Use Development APNS.
4 Click Save changes.
5 Next, navigate to Home > Mobile Management > iOS MDM Enrollment Configuration.
6 On the iOS MDM Enrollment page, check Use Development APNS.
7 Click Save changes.


Appendix

Third-Party Attributions
This appendix includes the following topics:

Third-Party Legal Notices
jQueryjs 1.4.1
Libjpeg 6b
Log4Net 1.2.10
Newlib 1.17.0
ZLib v 1.2.2/1.2.3
NLog Advanced .NET Logging 1.0
QuickLZ
SharpZipLib 0.85.4
Silverlight.js 2.0
TBXML 1.4
Windows CE C Library Extensions

Third-Party Legal Notices


This Symantec product may contain third party software for which Symantec is required to provide attribution (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. This appendix contains proprietary notices for the Third Party Programs and the licenses for the Third Party Programs, where applicable. Third-party components included in Symantec Mobile Management include:

jQueryjs 1.4.1
Copyright (c) 2011 John Resig, http://jquery.com/ Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Libjpeg 6b
This software is based in part on the work of the Independent JPEG Group. This software is copyright (C) 1991-2012, Thomas G. Lane, Guido Vollbeding. All Rights Reserved except as specified below.

Log4Net 1.2.10
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for the specific language governing permissions and limitations under the License.


Newlib 1.17.0
The newlib subdirectory is a collection of software from several sources. Each file may have its own copyright/license that is embedded in the source file. Unless otherwise noted in the body of the source file(s), the following copyright notices will apply to the contents of the newlib subdirectory:

(1) Red Hat Incorporated Copyright (c) 1994-2009 Red Hat, Inc. All rights reserved. This copyrighted material is made available to anyone wishing to use, modify, copy, or redistribute it subject to the terms and conditions of the BSD License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of this license is available at http://www.opensource.org/licenses. Any Red Hat trademarks that are incorporated in the source code or documentation are not subject to the BSD License and may only be used or replicated with the express permission of Red Hat, Inc. (2) University of California, Berkeley Copyright (c) 1981-2000 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(3) David M. Gay (AT&T 1991, Lucent 1998) The author of this software is David M. Gay. Copyright (c) 1991 by AT&T. Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided that this entire notice is included in all copies of any software which is or includes a copy or modification of this software and in all copies of the supporting documentation for such software. THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR AT&T MAKES ANY REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.

The author of this software is David M. Gay. Copyright (C) 1998-2001 by Lucent Technologies All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that the copyright notice and this permission notice and warranty disclaimer appear in supporting documentation, and that the name of Lucent or any of its entities not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. LUCENT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL LUCENT OR ANY OF ITS ENTITIES BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

(4) Advanced Micro Devices Copyright 1989, 1990 Advanced Micro Devices, Inc.
This software is the property of Advanced Micro Devices, Inc (AMD) which specifically grants the user the right to modify, use and distribute this software provided this notice is not removed or altered. All other rights are reserved by AMD. AMD MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE. IN NO EVENT SHALL AMD BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFTWARE. So that all may benefit from your experience, please report any problems or suggestions about this software to the 29K Technical Support Center at: 800-29-29-AMD (800-292-9263) in the USA, or 0800-89-1131 in the UK, or 0031-11-1129 in Japan, toll free. The direct dial number is 512-462-4118. Advanced Micro Devices, Inc. 29K Support Products Mail Stop 573 5900 E. Ben White Blvd. Austin, TX 78741 800-292-9263

(5) C.W. Sandmann Copyright (C) 1993 C.W. Sandmann This file may be freely distributed as long as the author's name remains.

(6) Eric Backus (C) Copyright 1992 Eric Backus This software may be used freely so long as this copyright notice is left intact. There is no warrantee on this software.

(7) Sun Microsystems Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved. Developed at SunPro, a Sun Microsystems, Inc. business. Permission to use, copy, modify, and distribute this software is freely granted, provided that this notice is preserved.

(8) Hewlett Packard (c) Copyright 1986 HEWLETT-PACKARD COMPANY To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copyright notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose.

(9) Hans-Peter Nilsson Copyright (C) 2001 Hans-Peter Nilsson Permission to use, copy, modify, and distribute this software is freely granted, provided that the above copyright notice, this notice and the following disclaimer are preserved with no changes. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.


(10) Stephane Carrez (m68hc11-elf/m68hc12-elf targets only) Copyright (C) 1999, 2000, 2001, 2002 Stephane Carrez (stcarrez@nerim.fr) The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this software may be copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated on the first page of each file where they apply. (11) Christopher G. Demetriou Copyright (c) 2001 Christopher G. Demetriou All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(12) SuperH, Inc. Copyright 2002 SuperH, Inc. All rights reserved This software is the property of SuperH, Inc (SuperH) which specifically grants the user the right to modify, use and distribute this software provided this notice is not removed or altered. All other rights are reserved by SuperH. SUPERH MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE. IN NO EVENT SHALL SUPERH BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFTWARE. So that all may benefit from your experience, please report any problems or suggestions about this software to the SuperH Support Center via e-mail at softwaresupport@superh.com . SuperH, Inc. 405 River Oaks Parkway San Jose CA 95134 USA

(13) Royal Institute of Technology Copyright (c) 1999 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(14) Alexey Zelkin Copyright (c) 2000, 2001 Alexey Zelkin <phantom@FreeBSD.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(15) Andrey A. Chernov Copyright (C) 1997 by Andrey A. Chernov, Moscow, Russia. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(16) FreeBSD Copyright (c) 1997-2002 FreeBSD Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(17) S. L. Moshier Author: S. L. Moshier. Copyright (c) 1984, 2000 S.L. Moshier Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided that this entire notice is included in all copies of any software which is or includes a copy or modification of this software and in all copies of the supporting documentation for such software. THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTICULAR, THE AUTHOR MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. (18) Citrus Project Copyright (c) 1999 Citrus Project, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(19) Todd C. Miller Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(20) DJ Delorie (i386) Copyright (C) 1991 DJ Delorie All rights reserved. Redistribution and use in source and binary forms is permitted provided that the above copyright notice and following paragraph are duplicated in all such forms.


This file is distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

(21) Free Software Foundation LGPL License (*-linux* targets only) Copyright (C) 1990-1999, 2000, 2001 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Mark Kettenis <kettenis@phys.uva.nl>, 1997. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. (22) Xavier Leroy LGPL License (i[3456]86-*-linux* targets only) Copyright (C) 1996 Xavier Leroy (Xavier.Leroy@inria.fr) This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. (23) Intel (i960) Copyright (c) 1993 Intel Corporation Intel hereby grants you permission to copy, modify, and distribute this software and its documentation. Intel grants this permission provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation. 
In addition, Intel grants this permission provided that you prominently mark as "not part of the original" any modifications made to this software or documentation, and that the name of Intel Corporation not be used in advertising or publicity pertaining to distribution of the software or the documentation without specific, written prior permission. Intel Corporation provides this AS IS, WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intel makes no guarantee or representations regarding the use of, or the results of the use of, the software and documentation in terms of correctness, accuracy, reliability, currentness, or otherwise; and you rely on the software, documentation and results solely at your own risk. IN NO EVENT SHALL INTEL BE LIABLE FOR ANY LOSS OF USE, LOSS OF BUSINESS, LOSS OF PROFITS, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND. IN NO EVENT SHALL INTEL'S TOTAL LIABILITY EXCEED THE SUM PAID TO INTEL FOR THE PRODUCT LICENSED HEREUNDER.

(24) Hewlett-Packard (hppa targets only) (c) Copyright 1986 HEWLETT-PACKARD COMPANY To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copyright notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose.

(25) Henry Spencer (only *-linux targets) Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved. This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:

1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation. 3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation. 4. This notice may not be removed or altered.

(26) Mike Barcroft Copyright (c) 2001 Mike Barcroft <mike@FreeBSD.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(27) Konstantin Chuguev (--enable-newlib-iconv) Copyright (c) 1999, 2000 Konstantin Chuguev. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(28) Artem Bityuckiy (--enable-newlib-iconv)


iconv (Charset Conversion Library) v2.0 Copyright (c) 2003, Artem B. Bityuckiy, SoftMine Corporation. Rights transferred to Franklin Electronic Publishers. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(29) IBM, Sony, Toshiba (only spu-* targets) (C) Copyright 2001,2006, International Business Machines Corporation, Sony Computer Entertainment, Incorporated, Toshiba Corporation, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the names of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(30) - Alex Tatmanjants (targets using libc/posix) Copyright (c) 1995 Alex Tatmanjants alex@elvisti.kiev.ua at Electronni Visti IA, Kiev, Ukraine. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(31) - M. Warner Losh (targets using libc/posix) Copyright (c) 1998, M. Warner Losh <imp@freebsd.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(32) - Andrey A. Chernov (targets using libc/posix) Copyright (C) 1996 by Andrey A. Chernov, Moscow, Russia. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(33) - Daniel Eischen (targets using libc/posix) Copyright (c) 2001 Daniel Eischen <deischen@FreeBSD.org>. All rights reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(34) - Jon Beniston (only lm32-* targets) Contributed by Jon Beniston <jon@beniston.com> Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


(35) - ARM Ltd (arm and thumb variant targets only) Copyright (c) 2009 ARM Ltd All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the company may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY ARM LTD ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ARM LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(36) - Xilinx, Inc. (microblaze-* and powerpc-* targets) Copyright (c) 2004, 2009 Xilinx, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Xilinx nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(37) Texas Instruments Incorporated (tic6x-* targets) Copyright (c) 1996-2010 Texas Instruments Incorporated http://www.ti.com/ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Texas Instruments, Incorporated nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(38) National Semiconductor (cr16-* and crx-* targets) Copyright (c) 2004 National Semiconductor Corporation The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this software may be copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated on the first page of each file where they apply.

ZLib v 1.2.2/1.2.3
Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.

NLog Advanced .NET Logging 1.0


Copyright (c) 2004-2009, Jaroslaw Kowalski All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Jaroslaw Kowalski nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

QuickLZ

1. GRANT OF LICENSE This commercial license lets you use QuickLZ version 1.0.0 to 1.9.9, both inclusive, for development within the company for any amount of closed source products and product titles with unlimited distribution/sales. The license is persistent, non-exclusive and non-transferable. The license does not cover derived or ported versions created by third parties under GPL. The license does not need to be renewed if the amount of employees increases. 2. APPLICABLE LAW This license shall be deemed to have been made in, and shall be construed pursuant to, the laws of Denmark. 3. DISCLAIMER OF WARRANTIES AND LIMITATION ON LIABILITY 3.1. No warranties. To the maximum extent permitted by applicable law, the software is provided as is without warranty, express or implied, of any kind or nature, including, but not limited to, any warranties of performance or merchantability or fitness for a particular purpose. 3.2. No Liability for Consequential Damages. To the maximum extent permitted by applicable law, in no event shall licensor be liable for any special, incidental, indirect or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any pecuniary loss) arising out of the use or inability to use the software, even if licensor has been advised of the possibility of such damages. 
4. LIMITED INTELLECTUAL PROPERTY INDEMNIFICATION Licensor agrees that in the event of any actual or alleged infringement of any patent, copyright, trade secret, trademark, or other proprietary right arising out of licensee's use of the licensed software, licensor shall, at licensee's option and at no charge to licensee, (a) obtain a license so licensee may continue use of the software; (b) modify the software to avoid the infringement; (c) replace the software with a compatible, functionally equivalent and non-infringing product; or if these options are commercially unreasonable (d) refund to licensee the amount paid for the software. The foregoing states the entire set of obligations and remedies flowing between licensee and licensor arising from any intellectual property claim by a third party.

SharpZipLib 0.85.4
Copyright (C) 2002 Ben Lowery (blowery@monkey.org) This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.

Silverlight.js 2.0
Microsoft Public License (Ms-PL) This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution. 2. Grant of Rights (A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create. (B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks. (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically. (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software. (D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license. (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

TBXML 1.4
Copyright 2012 71Squared. All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Windows CE C Library Extensions


Copyright (c) 2006, Taxus SI Ltd., http://www.taxussi.com.pl All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Index

A
about actions 92 AutoLock settings on iOS devices 104 available configuration profile settings 103 configuration profiles 95 configuring Mobile Management 51 event logs 113 Exchange ActiveSync 63 in-house Mobile Management Agent application 208 installing Mobile Management 33 inventory data 107 MDM Certificate 25 Mobile Library 127 Mobile Management Agent on iOS devices 141 on Windows Mobile devices 171 policies 92 remotely managing devices 115 reports 110 software management on mobile devices 175 actions about 92 performing 92 Active Directory, requirements 199 adding additional configuration profiles 58 configuration profiles to a policy 101 agent. See Mobile Management Agent Android enrolling with Symantec Mobile Management 40 APNS certificate 226 App ID setting up 213 Apple devices. See iOS devices Apple Push Notification Service network ports used 202 requirements 199 apps pushing to iOS devices 132

AppUpdate, sample runtime substitution tokens 196 assigning configuration profile policies 102 Mobile Library feed 131 policies 93 AutoLock settings, about 104

B
BlackBerry devices available reports 111 function key mapping during remote sessions 122 remote options 120 building and distributing the in-house Mobile Management Agent application 219 building and testing the in-house Mobile Management Agent application 218 Bundle identifier, customizing 216

C
Certificate Authority requirements 199 setting up 19 certificate request, generating 29 certificates 21 changing, enrollment URL to an email address 144 components, Mobile Management 15 configuration policies, troubleshooting 223 configuration profiles about 95 adding additional 58 adding to a policy 101 assigning 102 available settings 103 creating 96 setting up 96 supported devices 95 configuration schedule, setting 173 configuring iOS device MDM enrollment 58 Mobile Management 52


configuring (continued) Mobile Management to work with a development APNS certificate 226 policy security settings 57 software maintenance windows 178 Symantec Managed PKI 60 SymantecEASService NT 67 TouchDown payloads 151 creating configuration profiles 96 Developer Certificate 213 Development Provisioning Profile 215 EULA 145 in-house Mobile Management Agent application 208 Mobile Library feeds 128 policies 93 remote settings for devices 116 software packages 176 customizing Bundle identifier 216 localized string files 217 Target settings 218

enrolling, iOS devices 143 enrollment URL, changing to an email address 144 EULA creating 145 enabling 145 event logs about 113 viewing 113 Exchange ActiveSync about 63 enabling functionality of 66 requirements 199 setting up 64 supported device operating systems 63 supported devices 203 Exchange ActiveSync server, selecting 67 exporting MDM Certificate using a Windows Server 29 MDM Certificate using Mac OS X 28

F
feed targeting 131 feeds adding items to 129 creating 128 publishing existing 131 setting up 128 function key mapping during remote sessions BlackBerry devices 122 Windows Mobile devices 121

D
delivering, software packages 177 Developer Certificate, creating 213 Development Provisioning Profile creating 215 installing 215 devices configuring the site server to communicate with 53 software management 175 downloading Mobile Management Agent app 39 project 214 WWDR Intermediate certificate 212

G
generating, certificate request 29

I
in-house agent application. See Mobile Management Agent installing Development Provisioning Profile 215 MDM Certificate 30 Mobile Management on a new server 37 Mobile Management on an existing Symantec Management Platform Server 37 integrating MDM Certificate 53 inventory data about 107

E
enabling EULA 145 Exchange ActiveSync functionality 66 Encryption Certificate 21 End User License Agreement. See EULA enrolling iOS 40 mobile devices 40


inventory data (continued) setting the inventory schedule iOS devices 109 Windows Mobile devices 108 viewing 108 inventory schedule, setting iOS devices 109 Windows Mobile devices 108 iOS enrolling 40 iOS Developer Enterprise Program membership 27 iOS devices available features 205 available reports 111 configuring MDM enrollment of 58 enrolling 143 preparing for testing 214 registering for testing 213 setting up Mobile Management Agent on 142 supported configuration profiles 95 supported policies 94 troubleshooting agent enrollment 223 items adding to feeds 129 publishing existing 131

L
LDAP, requirements 199 licensing Symantec Mobile Management 45 loading, project 215 localized string files, customizing 217

M
MDM Agreement 27 MDM Certificate about 25 exporting using a Windows Server 29 exporting using Mac OS X 28 installing 30 integrating 53 requirements 27 setting up 26 Microsoft Exchange ActiveSync. See Exchange ActiveSync Microsoft SQL Server. See SQL Server Mobile Device Management Certificate. See MDM Certificate

mobile devices available features 205 remotely wiping 123 Mobile Library about 127 adding items to feeds 129 creating feeds 128 publishing an existing feed or item 131 setting up feeds 128 targeting feed 131 Mobile Management about configuring 51 about installing 33 certificates 21 components 15 configuring 52 deploying to the site server 39 getting started with 14 installing on a new server 37 installing on an existing Symantec Management Platform Server 37 network ports used 202 requirements 199 setting up 19 what's new in 7.1 13 Mobile Management Agent about on iOS devices 141 on Windows Mobile devices 171 about the in-house application 208 building and distributing the in-house application 219 building and testing the in-house application 218 creating the in-house application 208 differences between versions 145 downloading app 39 enrolling 143 in-house application requirements 212 requirements 199 setting the configuration schedule 173 setting up iOS devices 142 Windows Mobile devices 172 supported devices 203 Mobile Management Server network ports used 202 requirements 199 troubleshooting configuration of 225


Mobile Management Service Agent, restarting 68 Mobile Management site server. See site server

N
network ports used 199 network ports used by Mobile Management 202

P
Palm devices available reports 111 payloads TouchDown, configuring 151 policies about 92 assigning 93 creating 93 supported 94 policy security, configuring settings of 57 ports usage 199 preparing, iOS devices for testing 214 Profile security 19 project downloading 214 loading 215 Push Certificate Subject, verifying 226 pushing apps to iOS devices 132

remotely managing devices (continued) remote options BlackBerry devices 120 Windows Mobile devices 117 remotely wiping devices 123 starting remote sessions 117 remotely wiping, mobile devices 123 reports about 110 available by device 111 running 111 requirements in-house Mobile Management Agent application 212 MDM Certificate 27 Mobile Management 199 restarting, Mobile Management Service Agent 68 Root Certificate 21 running, reports 111

S
sample AppUpdate runtime substitution tokens 196 SCEP requirements 199 setting up 19 selecting, Exchange ActiveSync server 67 Server Authentication Certificate 21 setting inventory schedule iOS devices 109 Windows Mobile devices 108 Mobile Management Agent configuration schedule 173 setting up App ID 213 Certificate Authority 19 configuration profiles 96 Exchange ActiveSync 64 MDM Certificate 26 Mobile Library feeds 128 Mobile Management 19 Mobile Management Agent iOS devices 142 Windows Mobile devices 172 SCEP 19 Signing Certificate 21 site server about deploying 33

R
registering, iOS devices for testing 213 remote options BlackBerry devices 120 Windows Mobile devices 117 remote sessions function key mapping BlackBerry devices 122 Windows Mobile devices 121 starting 117 remote settings for devices creating 116 remotely managing devices about 115 creating remote settings 116 function key mapping BlackBerry devices 122 Windows Mobile devices 121


site server (continued) configuring to communicate with mobile devices 53 deploying 39 software maintenance windows, configuring 178 software package actions 179 software package health actions 193 software packages actions 179 creating 176 delivering 177 health actions 193 SQL Server network ports used 202 requirements 199 SSL Certificate. See Server Authentication Certificate starting, remote sessions 117 Symantec Agent. See Mobile Management Agent Symantec Managed PKI service using with Symantec Mobile Management 60 Symantec Management Console, Mobile Management section 33 Symantec Management Console, requirements 199 Symantec Management Platform installing 37 requirements 199 Symantec Management Platform Server network ports used 202 requirements 199 SymantecEASService troubleshooting errors with 225 verifying configuration of 68 SymantecEASService NT, configuring 67 Symbian devices available reports 111

V
verifying Push Certificate Subject 226 SymantecEASService configuration 68 viewing event logs 113 inventory data 108 Volume Purchase Program, Apple 132

W
Windows Mobile available features 205 Windows Mobile and CE devices available reports 111 supported policies 94 Windows Mobile devices function key mapping during remote sessions 121 remote options 117 setting up Mobile Management Agent on 172 wiping devices, remotely 123 WWDR Intermediate certificate, downloading 212

T
Target settings, customizing 218 targeting Mobile Library feed 131 Third-Party Attributions 229 TouchDown configuring 151 troubleshooting configuration policy distribution problems 223 errors with the SymantecEASService configuration 225 iOS device agent enrollment 223 Mobile Management Server configurations 225
