Table of Contents
Systems Overview
    AirWatch Solution Overview
    System Requirements
    Web Console Overview
Systems Overview
AirWatch Solution Overview
AirWatch offers complete mobility management by enabling organizations to easily leverage and secure the latest mobile
device technology by providing a comprehensive, cross-platform solution for mobile device management.
The AirWatch Web Console provides a central location for administrators to manage smart device fleets regardless of
operating system, carrier, network or location.
From the AirWatch Web Console, administrators can manage any mobile device from anywhere in the world.
AirWatch Admin Guide | v.2012.02 | February 2012
Copyright 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential.
System Requirements
The following system requirements should be met before using the AirWatch MDM solution.
Supported Browsers
AirWatch is certified to run on the following web browsers:
Internet Explorer 8+
Firefox 3.x+
Safari 5.x
Comprehensive platform testing has been performed to ensure functionality while using these web browsers. The
AirWatch Web Console may still function in non-certified browsers.
Supported Devices
AirWatch currently supports the following devices:
Note: Limited support may be available for other devices/Operating Systems. Contact AirWatch Support for more
information.
Technical Requirements
Technical requirements vary depending on whether you are using AirWatch's SaaS or On-Premise solutions. For more details
on technical requirements, please refer to the AirWatch Requirements documents for installation and deployment.
Navigation Overview
Smart device management with AirWatch is centralized in AirWatch Web Console. Here, administrators have the ability
to manage, monitor, and secure their devices through any browser, anywhere in the world without having to download
or install any additional software.
The Web Console pages are categorized according to their specific device management purpose. The pages can all be
found in the drop-down menu in the upper left-hand corner of the Web Console:
From this menu (shown above) administrators can quickly navigate to all of the key pages described below.
Dashboard
The Dashboard page is used to manage and monitor devices from top-level groups, down to individual devices.
Apps
The applications page provides a centralized interface for administrators to recommend public applications and deploy
internal applications to the smart device fleet.
Content
The content management pages allow administrators to upload and manage content for secure deployment to the
smart device fleet.
Users
The User Accounts and Admin Accounts pages provide the tools for developing a smart device fleet.
The Admin Accounts page is used to add, modify, or delete AirWatch administrators who use the Web Console
to manage the device fleet.
Lastly, the User Accounts page is used to add, modify, or delete end users of managed devices.
Device
The Device Search and Bulk Management pages allow you to quickly locate a device or manage groups of devices by
name, platform, group, or other criteria.
Configuration
The Configuration pages provide a Location and Groups page where the administrator can add, delete or modify the
device grouping structure as needed. The System Settings page provides a centralized location for all of the
configurable settings for initial environment setup and for ongoing customization for end-users and for the AirWatch
Web Console.
Advanced
The Administrator can edit more advanced options, including language settings, custom field definitions, and device
groups in the Advanced Pages.
Location Groups to define the different areas of your corporate hierarchy that will manage and utilize MDM.
Admin Accounts to provide Web Console access to all of the administrators of the smart device fleet.
The Apple Push Notification service (APNs) is used to allow AirWatch or any other MDM vendor to securely
communicate to your devices over-the-air (OTA).
Each organization needs its own APNs certificate to ensure a secure mechanism for its devices to
communicate across Apple's push notification network.
AirWatch uses your APNs certificate to send notifications to your devices when the Administrator requests information or
during a defined monitoring schedule. No data is sent through the APNs server, only the notification.
To find out more about how your business can generate and upload an APNs cert for iOS mobile device management, please
navigate to http://www.air-watch.com/solutions/apple-ios#generate-apns to watch the supporting video or download the
supporting document.
Location Groups
Within large enterprises, IT departments have to meet the requirements of different users across functional, organizational or
geographical groups. The AirWatch solution to this requirement for multi-tenancy is location groups and locations.
Administrators can create rich location group structures that align with the corporate hierarchical structure to provide
customizable and scalable MDM solutions to corporate users.
Therefore, with an evolving corporate structure comes the need to create additional location groups and locations. The steps
below outline the process of creating a location group and associated location:
The parent location group is the location group that is one hierarchical level up from the one that is being
added. Once complete, the new group will be listed a level below the parent group.
Select Add Child Location Group to open the new location group form.
Location Group Name - The display name for the location group that will be shown in the Web Console.
Group ID - The activation code used by a device to enroll into this location group. This will dictate what
profiles, applications, and policies are inherited by the device based on what is configured at this location
group. The administrator will need to provide end-users with their Group ID in order to complete the
enrollment process.
Check the Add Default Location box, and fill in the required default location information:
Internal Name - The unique name that will be used internally to define this location.
Display Name - The display name of the location that will be shown in the Web Console.
When complete, click Save and the new location group and location have been created.
Ensure that you have the Location Group Details tab selected, and then modify any of the fields listed
below.
Location Group Name - The display name for the location group that will be shown in the Web
Console.
Group ID - The activation code used by a device to enroll into this location group. This will dictate what
profiles, applications, and policies are inherited by the device based on what is configured at this
location group. The administrator will need to provide end-users with their Group ID in order to
complete the enrollment process.
Default Location - The default location is where devices are automatically assigned when enrolled in
the location group.
Note: To delete a location group, there must not be any child location groups below it. If there are,
delete all child groups from the lowest level up, until you are able to delete the original group.
Note: Without a default location, no devices will be able to enroll at that specific location group!
Location types provide the ability to classify Locations based on the corporate structure (for internal use in the
AirWatch Web Console).
Location Status provides the ability to classify whether a Location is active or will be in the future (for internal use in the
AirWatch Web Console).
Admin Accounts
Management of the smart device fleet often requires several administrators to have access to the AirWatch Web Console, and
it may be necessary to add or remove administrative accounts. The Web Console provides an easy way to create and manage
multiple administrative accounts.
Select a Location Group in the upper left hand corner. This will be the default location group for this administrator
account.
Select the highest level of access that the admin will need. Once logged in, they will have access to all
child location groups that are listed below the one selected.
Check the Require password change at next login box to force the administrator to change their password after
the first time they log in.
First Name, Last Name & Email - The name and email address of the administrator.
Primary Role - The primary role determines the level of permissions that the new administrator will have.
For instance, if the administrator is a helpdesk operator, then a Helpdesk role with limited access may be
the best fit. The roles are configured separately from administrative accounts.
Default Landing Page - The first page that an administrator will view after authenticating into the Web
Console. To change this field, clear the contents and begin typing the name of any Web Console page.
Fill in any additional Details or Notes that will only be visible in the Web Console.
Select Roles in the bottom left corner to edit an existing role or create a new one.
Name/Description - Choose a descriptive role name so that the role can be easily assigned to a user.
On the left you can select resource categories to define the levels of access that will be available for
different components of the AirWatch Web Console.
You can also click on the name of the resource category to view a list of resources available for each
category on the right.
To quickly locate resources of a specific type, use the search bar in the upper right-hand corner.
When complete, choose Save and the new role will now be available to assign to administrators.
User Accounts
User accounts are utilized by end-users of AirWatch to associate devices to their respective corporate users. AirWatch
recommends that for each end-user, an associated user account is created for full scalability. Therefore, as corporate smart
device fleets expand, administrators will need to create additional user accounts regularly. Administrators can quickly
configure and manage user accounts directly in the AirWatch Web Console on the User Accounts Page.
Basic authentication can be utilized by any AirWatch architecture, but offers no integration to existing
corporate user accounts.
Pros: Can be used for any deployment method, requires no technical integration, requires no
enterprise infrastructure
Cons: Credentials only exist in AirWatch and do not necessarily match existing corporate credentials.
Offers no federated security or single sign-on. AirWatch stores all username & passwords.
Active Directory / LDAP authentication is utilized to integrate user and admin accounts of AirWatch with
existing corporate accounts. However, because this requires the AirWatch server to be in direct contact
with a corporate domain controller, this is typically only recommended for on-premise architectures.
Pros: End-users now authenticate with existing corporate credentials. Secure method of integrating
with LDAP / AD for On-Premise deployments. Standard integration practice.
Cons: Requires an AD or other LDAP server. Only used for On-Premise deployments.
Active Directory / LDAP authentication with AirWatch Enterprise Integration Service provides the same
functionality as traditional AD/LDAP authentication, but allows this model to function across the cloud for
SaaS deployments. The Enterprise Integration Service also offers a number of other integration capabilities
as shown below.
Pros: End-users authenticate with existing corporate credentials. Only requires a single firewall port
opened between the EIS server and AirWatch SaaS (port 443). Transmission of credentials is encrypted
and secure. Also offers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP,
SMTP servers.
Cons: Requires the Enterprise Integration Service to be installed behind the firewall or in a DMZ.
Additional configuration.
Authentication Proxy is an AirWatch proprietary solution delivering directory services integration across
the cloud or across hardened internal networks. In this model, the AirWatch MDM server communicates
with a publicly facing web server or an Exchange ActiveSync Server that is able to authenticate users
against the domain controller. This method can only be used when organizations have a public-facing web
server with hooks into the corporate domain controller.
Pros: Offers a secure method to integrate with AD/LDAP across the cloud. End-users can authenticate
with existing corporate credentials. Lightweight module that requires minimal configuration.
Cons: Requires a public facing web-server or an Exchange ActiveSync server with ties into an AD/LDAP
server. Only feasible for specific architecture layouts. Much less robust solution than EIS.
SAML 2.0 authentication is a new solution that offers single sign-on support and federated authentication;
AirWatch never receives any corporate credentials. If an organization has a SAML Identity Provider
server, SAML 2.0 integration is recommended.
Pros: Offers single-sign on capabilities, authentication with existing corporate credentials, and
AirWatch never receives corporate credentials in plain-text.
Select the highest level location group under which the user needs to enroll. They will be able to enroll
in all location groups listed below this group if the user enters the appropriate Group ID (the Group ID is
configured in Configuration -> Locations & Groups -> Location Group Details) during the enrollment
process.
Select
Fill in the required and optional fields of the Add/Edit User Form.
Security Type - The type of authentication to be used for this particular user.
Basic - The default authentication option that uses a basic username and password combination as
determined by this form.
Authentication Proxy - Authenticate with directory-based credentials by validating against a proxy
server instead of a corporate domain controller. This is the recommended solution for directory-based
authentication across the cloud for SaaS customers.
SAML - Authenticate using corporate Security Assertion Markup Language (SAML) credentials.
User Name & Password - The username and password credentials that the user will enter during the
enrollment process to enroll their corporate devices. The administrator must provide the end-users
with this information.
Select whether to Enable Device Staging. A user with device staging enabled will be able to stage
enrollment for other users, such that John Doe could enroll himself and then personally enroll Jane
Doe's and John Smith's devices for them.
Select a Message Type for the user to receive notifying them that they can now enroll their devices
under AirWatch MDM. Typically, this is where administrators will provide end-users with the necessary
enrollment credentials (Enrollment URL, Group ID, username and password).
Click Save to complete the user account, or Save and Add Device to complete the user account and
enter in basic details for the users device (device registration).
Selecting
Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.
Fill in the User Principal Name if the User Search Setting described in the Directory Authentication
Configuration will not resolve this user account.
By default, these two fields do not need to be configured except under special circumstances.
Selecting
Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.
Selecting
Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.
By default, this field does not need to be configured except under special circumstances.
Batch Name - The name of the user/device batch for reference in the Web Console.
Batch Description - A description of the particular user/device batch for Web Console reference.
Click the
From here, select the Download Template button to download the Batch Import Template.
Enter in all relevant information for each user in the template. Three sample users (one of each Security
Type) have been added to the top of the template for reference on what type of information to put into
each column.
All of the fields in the template are identical to the fields that are used during the User Account Creation
process and the individual device registration process.
Column E, Security Type, is used to determine which type of security (Basic, Directory based, or
Authentication Proxy) should be used to create the user account.
To register a device, make sure that Column T, User Only Registration, is set to No.
To register an additional device to the same user account, make sure that all information in Columns
A-T is the same. The remaining columns are used to register each additional device.
To store advanced registration information, make sure that Column AA, Store Advanced Device Info, is
set to Yes.
Once complete, save the template as a .CSV file, select Browse from the Batch Import Form, and select
the .csv file that you just created.
When complete, select Save to register all listed users and corresponding devices.
Device Registration
Device registration allows both administrators and end-users the ability to enter in information about the specific devices that
are enrolled under mobile device management. This feature also provides an added level of secure authorization so that only
authorized devices can enroll. There are several ways that registration can be accomplished to accommodate different needs
and requirements.
Administrators can register individual devices to add important device and asset information such as Friendly
name (the device name created by the administrator for easy recognition in the AirWatch Web Console), model,
OS, serial number, UDID, and asset number. This process can directly follow User Account creation by selecting
Save and Add Device.
Administrators can register a list of devices (for similar reasons as those listed above) in bulk. This process takes
place during Bulk User Account Creation.
Administrators can invite end-users to register so that they can enter in details about their devices themselves,
and initiate device registration from their end. This process takes place on the end-user's device, in the Self
Service Portal.
OR
Complete the New User Account Creation Process and select Save and Add Device at the end.
This will open the Add Device Form. Fill in the basic information.
Friendly Name - The name of the device to be displayed in the Web Console for easy recognition.
Message Type - Specify whether the activation message will be sent via SMS or Email.
Address / Subject / Message Body - The message text that will be sent out to the provided address
after the device is registered. This message usually contains the enrollment link and Group ID.
Check Show Advanced Device Information Options to manually enter additional device information to be
displayed in the AirWatch Web Console.
SN / IMEI / SIM / Asset Number - Specific device reference numbers to distinguish this particular
device.
When complete, click Save to finish the form and send the specified message to end-users.
The end user will receive the message and proceed with enrollment.
Batch Name - The name of the user/device batch for reference in the Web Console.
Batch Description - A description of the particular user/device batch for Web Console reference.
Click the
From here, select the Download Template button to download the Batch Import Template.
Enter in all relevant information for each device in the template. Three sample users have been added to
the top of the template for reference on what type of information to put into each column.
All of the fields in the template are identical to the fields that are used during the User Account
Creation process, and the individual device registration process.
To register a device, make sure that column T, User Only Registration, is set to No.
To register an additional device to the same user account, make sure that all information in columns
A-T is the same. The remaining columns are used to register each additional device.
To store advanced registration information, make sure that column AA, Store Advanced Device Info, is
set to Yes.
Once complete, save the template as a .CSV file, select Browse from the Batch Import Form, and select the
.csv file that you just created.
When complete, select Save to register all listed users and corresponding devices.
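The two batch-import walkthroughs above (the user batch and the device batch) depend on a few template columns that change what the import does: column E decides the Security Type, column T decides whether a row registers a device, column AA decides whether advanced device information is stored, and additional devices for one user must repeat columns A-T exactly. A mistake in any of those columns is only noticed after the import, so a pre-upload check is worth having. The script below is an added example written for this guide, not AirWatch's own code or template: it reads a CSV laid out with those column letters, reports rows whose E, T or AA values are malformed or that claim a device row without device data, and counts devices per user. The column letters come from the guide; the accepted Security Type spellings, the 30-column width, and the use of column A for a user id and column U for a serial number in the constructed sample are assumptions.

```python
import csv
import io
from collections import defaultdict


def col_index(letters):
    """Convert a spreadsheet column label ('E', 'T', 'AA') to a zero-based index."""
    n = 0
    for ch in letters.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


# Column positions the guide names in the Batch Import Template.
COL_SECURITY_TYPE = col_index("E")                       # 4
COL_USER_ONLY_REGISTRATION = col_index("T")              # 19
COL_STORE_ADVANCED_INFO = col_index("AA")                # 26
COL_FIRST_DEVICE_FIELD = COL_USER_ONLY_REGISTRATION + 1  # column U onward holds device data

# Assumption: the guide names these three types but not the exact strings the template expects.
ALLOWED_SECURITY_TYPES = {"Basic", "Directory", "Authentication Proxy"}
YES_NO = {"Yes", "No"}


def validate_batch(csv_text):
    """Return a list of (row_number, message) problems; an empty list means the batch passes."""
    problems = []
    for row_number, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if row_number == 1:
            continue  # header row
        if len(row) <= COL_STORE_ADVANCED_INFO:
            problems.append((row_number, "row has fewer columns than the template (through AA)"))
            continue
        security_type = row[COL_SECURITY_TYPE].strip()
        user_only = row[COL_USER_ONLY_REGISTRATION].strip()
        store_advanced = row[COL_STORE_ADVANCED_INFO].strip()
        if security_type not in ALLOWED_SECURITY_TYPES:
            problems.append((row_number, f"column E: unknown Security Type {security_type!r}"))
        if user_only not in YES_NO:
            problems.append((row_number, f"column T: User Only Registration must be Yes/No, got {user_only!r}"))
        if store_advanced not in YES_NO:
            problems.append((row_number, f"column AA: Store Advanced Device Info must be Yes/No, got {store_advanced!r}"))
        # A row that registers a device (T = No) must carry device data in the columns after T (AA excluded).
        device_fields = row[COL_FIRST_DEVICE_FIELD:COL_STORE_ADVANCED_INFO] + row[COL_STORE_ADVANCED_INFO + 1:]
        if user_only == "No" and not any(f.strip() for f in device_fields):
            problems.append((row_number, "column T is No but no device data is present after column T"))
    return problems


def devices_per_user(csv_text):
    """Count device rows per user, keyed by the columns A-T tuple that must be identical for one user."""
    counts = defaultdict(int)
    for row_number, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if row_number == 1 or len(row) <= COL_USER_ONLY_REGISTRATION:
            continue
        if row[COL_USER_ONLY_REGISTRATION].strip() == "No":
            counts[tuple(row[:COL_USER_ONLY_REGISTRATION + 1])] += 1
    return dict(counts)


def sample_batch():
    """Build a constructed CSV in the template's column layout (sample data, not from the guide)."""
    width = 30
    header = [f"col_{i}" for i in range(width)]

    def make_row(user, security_type, user_only, store_advanced, serial=""):
        row = [""] * width
        row[0] = user                          # assumption: column A used here for a user id
        row[COL_SECURITY_TYPE] = security_type
        row[COL_USER_ONLY_REGISTRATION] = user_only
        row[COL_STORE_ADVANCED_INFO] = store_advanced
        row[COL_FIRST_DEVICE_FIELD] = serial   # assumption: column U used here for a serial number
        return row

    rows = [
        header,
        make_row("jdoe", "Basic", "No", "Yes", "SN-0001"),
        make_row("jdoe", "Basic", "No", "Yes", "SN-0002"),        # second device, columns A-T identical
        make_row("asmith", "Authentication Proxy", "Yes", "No"),   # user-only registration, no device
        make_row("bwong", "Kerberos", "No", "Maybe", "SN-0003"),   # bad column E and column AA values
        make_row("cli", "Basic", "No", "No"),                      # claims a device row but has no device data
    ]
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for row_number, message in validate_batch(sample_batch()):
        print(f"row {row_number}: {message}")
    print(devices_per_user(sample_batch()))
```

Run it against the real template export by passing the file contents to `validate_batch` instead of `sample_batch()`; rows with problems are reported by their CSV row number so they can be corrected before the Browse / Save step.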
Administrator sends Email or intranet notifications to the entire user group outside of AirWatch with the
registration instructions.
This method is generally used if administrators do not have any user accounts already created for end-users, and
they want end-users to be able to enroll and register without assistance. For users to be able to
enroll and register their devices without administrative effort:
Enrollment authentication must be enabled for either Active Directory or Authentication Proxy (edit
these settings in Configuration -> System Settings -> Device -> General -> Enrollment -> Authentication)
AND
Deny Unknown Users under Enrollment Restrictions (edit these settings in Configuration -> System
Settings -> Device -> General -> Enrollment -> Restrictions) cannot be checked.
Alternatively, administrators can first create user accounts for all of the end-users to register their devices, and
then send User account activation messages to each user containing the registration instructions.
In either case, the administrator must let the end-user know two things:
Where to register End-users can register by navigating to the Self-Service Portal URL.
How to authenticate into the Self-Service Portal This information includes a Location Group (Group ID), and
the Username and Password that users should use to register their device.
Navigate to the Self-Service Portal URL (either in the device browser or from any internet browser).
From the next page, select Register Device to open up the Device Registration Form
Expected Friendly Name - The name of the device that will be shown in the Web Console (the
expected friendly name will also be used to track the device registration status).
Message Type - Select the message format for the end-user registration confirmation.
Email Address / Phone Number - The address or phone number of the recipient of this message.
From here, administrators can view the registration details, date, and status of the registration message sent to end-users.
Additionally, administrators can manage the registration process through the four registration action buttons at the top
of the page:
Resend Message - Resend the registration message to the devices selected with a checkmark next to their
friendly name.
Revoke Token - Force the registration token status of the devices selected below to expire. This will
essentially prevent these devices from enrolling due to an expired token.
Reset Token - If a device's registration token has been revoked or is expired, administrators can click this
button to reactivate the registration token so that enrollment can occur.
Delete Token - This will permanently delete the registration token for the devices selected below so that
they must re-register in order to enroll.
To change the Email Message Templates for user and device activation, select the Email Tab at the top of
the page. Alternatively, select SMS to change the SMS text messages sent to devices.
From either tab, administrators can change the User Account Activation message or the Device Activation
message. Scroll down to the Device Activation section.
While creating the message template for device activation described in the previous section, administrators can
leverage Look-up values to add dynamic content to the device activation message that is particular to the recipient.
Administrators can then enter any of the listed look-up values into the message body, enclosed in {} braces.
Typically end-users must obtain the following from their registration messages:
To embed an enrollment URL with the user's group identifier, use the following look-up value:
{EnrollmentUrl}?ac={GroupIdentifier}
Email Domain - The domain that the corresponding email user account belongs to.
EmailUserName - The name of the email user without the @company.com portion; the user name
associated with a user's corporate email.
DynamicScepChallenge - A field used in certificate templates to enable SCEP servers to properly integrate
with the solution for dynamic certificate configurations.
GroupIdentifier - The group identifier of the location group that a user or device is enrolling into.
SessionToken - The unique token that is used during the registration process to associate an enrolling
device with a device that has recently been registered.
DeviceFriendlyName - The friendly name displayed in the Admin Console for a device.
UserPrincipalName - The principal name of the user when users are integrated with directory services.
Potentially used for certificate integration.
DeviceSerialNumberLastFour - The last four alphanumeric characters of the device serial number.
DeviceUidLastFour - The last four alphanumeric characters of the device unique identifier.
DeviceReportedName - The reported name of a device that has registered but not yet enrolled.
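The look-up value mechanism above substitutes recipient-specific values into the activation message wherever a name appears in {} braces, and the guide's own example builds the enrollment link from {EnrollmentUrl}?ac={GroupIdentifier}. The script below is an added example, not AirWatch's own code: it expands such a template with the look-up value names listed in this guide, refuses names that are not on the list so a mistyped look-up value is caught before the message goes out rather than reaching the recipient unexpanded, refuses templates for which a value is missing, and percent-encodes the Group ID when it is placed in the enrollment link's query string. The enrollment URL, Group ID, token and friendly name are constructed sample values, and the braced spelling of "Email Domain" as EmailDomain is an assumption.

```python
import re
from urllib.parse import quote

# Look-up value names listed in the guide. Assumption: "Email Domain" is written
# EmailDomain inside the braces.
KNOWN_LOOKUP_VALUES = {
    "EnrollmentUrl", "EmailDomain", "EmailUserName", "DynamicScepChallenge",
    "GroupIdentifier", "SessionToken", "DeviceFriendlyName", "UserPrincipalName",
    "DeviceSerialNumberLastFour", "DeviceUidLastFour", "DeviceReportedName",
}

# A look-up value is a run of letters enclosed in {} braces.
LOOKUP_PATTERN = re.compile(r"\{([A-Za-z]+)\}")


def find_lookup_values(template):
    """Return the look-up value names referenced by a message template, in order of appearance."""
    return LOOKUP_PATTERN.findall(template)


def check_template(template):
    """Return the braced names that are not documented look-up values (empty list = template is clean)."""
    return sorted(set(find_lookup_values(template)) - KNOWN_LOOKUP_VALUES)


def expand_template(template, values):
    """Replace every {Name} with values[Name]; refuse unknown names and missing values."""
    unknown = check_template(template)
    if unknown:
        raise ValueError(f"unknown look-up values: {unknown}")
    missing = sorted(set(find_lookup_values(template)) - set(values))
    if missing:
        raise KeyError(f"no value supplied for: {missing}")
    return LOOKUP_PATTERN.sub(lambda m: values[m.group(1)], template)


def enrollment_link(enrollment_url, group_identifier):
    """Build the {EnrollmentUrl}?ac={GroupIdentifier} link with the Group ID percent-encoded."""
    return f"{enrollment_url}?ac={quote(group_identifier, safe='')}"


# Constructed recipient values for this example; the URL, Group ID and token are placeholders.
SAMPLE_VALUES = {
    "EnrollmentUrl": "https://mdm.example.com/enroll",
    "GroupIdentifier": "SALES-EU",
    "DeviceFriendlyName": "jdoe iPhone",
    "SessionToken": "tok-example-1234",
}

# Constructed device activation template using the guide's enrollment-link pattern.
DEVICE_ACTIVATION_TEMPLATE = (
    "Your device {DeviceFriendlyName} is registered. "
    "Enroll at {EnrollmentUrl}?ac={GroupIdentifier} (session {SessionToken})."
)


if __name__ == "__main__":
    print(check_template(DEVICE_ACTIVATION_TEMPLATE))          # [] : all names are documented
    print(expand_template(DEVICE_ACTIVATION_TEMPLATE, SAMPLE_VALUES))
    print(enrollment_link("https://mdm.example.com/enroll", "Group&ID 1"))
```

`check_template` alone is enough as a pre-save check on a template edited in the Email or SMS tab; `enrollment_link` shows why encoding matters when the Group ID contains characters such as `&` or a space, which would otherwise be read as part of the query string rather than as the activation code.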
Language Management
The AirWatch Web Console can be displayed in a variety of languages. Administrators can add additional Language Packs, edit
phrases that are used in a specific language, and change the language for a single user if necessary while leaving the language
unchanged for other users.
Select
Choose the language pack you would like to add and press
Click Save
On the Add/Edit user page, change the Locale to the desired language.
Save changes, log off, and log back in to display the new language.
Localization Editor
The Localization Editor is used to edit specific words or phrases that do not translate properly to the desired language.
Browse to Menu -> Language Management
is displayed by default.
Best Practices
Pay close attention to Location group hierarchy when creating and editing admin accounts. It is important to
enable permissions at the highest location group needed in order to ensure the administrator will have the proper
editing capabilities.
The selected location group will always be displayed in the upper left-hand corner of the AirWatch Web
Console.
There are three pieces of information the administrator needs to communicate to end-users:
AirWatch Enrollment URL (provided by AirWatch) which is the same URL that you use to access the Web
Console.
Group ID to identify the home location group (the Group ID is determined in Configuration -> Locations &
Groups -> Location Group Details)
Username and password unique to the end-user (Username and password are determined in Users -> User
Accounts -> Add User or Edit User)
Depending on the selected Security Type, the username and password may be created by the administrator
(Basic) or integrated with the Directory, Authentication Proxy, or SAML.
If your organization is using device registration and is in need of assistance, contact AirWatch Support.
Device Management
Overview
Smart device management is centralized in the AirWatch Console. From the console, the administrator is able to leverage the
following AirWatch features:
Customize comprehensive asset tracking in the form of real-time device data across the mobile fleet, regardless of
device type, carrier, or location.
Navigate an interactive dashboard of mobile and telecom data to help the organization make more informed
decisions based on actual mobile telecom usage.
Enable proactive alerts for both users and administrators when predetermined thresholds are reached.
Note: This section pertains to iOS, Android, BlackBerry, Symbian, and Windows Phone 7 devices. For more
information on managing Windows Mobile devices, please see the Windows Mobile Administration Guide.
The following sections will describe how administrators can leverage the specific pages within AirWatch Web Console to
effectively and efficiently manage smart devices.
Dashboard Navigation
The Dashboard page centralizes smart device monitoring by giving administrators high level views of the entire fleet of mobile
devices with the ability to drill down to the individual device level. To access the Dashboard Page, navigate to
Dashboards -> Dashboard.
From here, administrators can see an overview of graphics and statistics for a location group or the entire device fleet, or
quickly locate information on a specific device by clicking on the blue friendly name.
Pin Feature - Pin the location group sidebar back onto the Dashboard sidebar.
Available Views
There are also several Available Views on the Dashboard page that give administrators the ability to view entire listings
of devices based on each of the metrics listed below:
Asset Tracking - View devices based on ownership type, platform, and last seen metrics.
Secure Email Gateway - View devices that attempt to gain corporate email access through the Secure Email
Gateway, and their status.
Graphical Portlets
The Graphical Portlets on the Dashboard page provide relevant statistics as well as providing an easy way to select a
group of devices according to a number of categories (the example below is from the Asset Tracking view).
Select a Data Group. This will modify the dynamic device list to show only the devices belonging to the
specified data group.
in the upper right hand corner of the portlet to toggle the portlet into the other
There are several ways that an administrator can select, order, and identify specific devices from the Dynamic Device
List page:
Click on any of the Column Categories (such as Last Seen or Friendly Name) to re-sort the list.
Use any of the additional search and view tools on the upper right hand corner of the list:
Note: Information and actions in the Device Control Panel are subject to availability according to privacy settings
and platform compatibility.
The Summary section shows hardware, MDM, encryption, and passcode compliance, in addition to other general
information:
Passcode - Shows if a passcode is present and whether or not it meets the passcode requirements.
Network - Shows network information such as SIM card and roaming status.
Content - Shows the number of installed documents and the number of assigned documents.
Profiles
The Profiles section shows all of the MDM profiles that have been sent to the device and the status of each profile:
Installed
Pending install
Not installed
Pending removal
Removed
Version: Shows the profile version (how many times the profile has been updated).
Location Group: Shows the location group to which the profile is assigned.
Apps
The Apps section displays all applications that have been installed on the device (subject to privacy settings as specified
in Configuration > System Settings > Device > General > Privacy).
Installed
Pending install
Not installed
Pending removal
Removed
Note for iOS5 only: The apps tab for an iOS5 device will also provide administrators with the ability to install or revoke
managed applications to and from the device over the air.
Content
Installed
Pending install
Not installed
Pending removal
Removed
Type: Document format. Hover over the icon to display the format type.
Name: Document name as it appears both in the Web Console and in the Secure Content Locker.
Version: Shows the document version (based on how many times the document has been updated).
Certificates
The Certificates section shows all of the certificates currently stored on the device, and provides basic supporting
information.
iOS devices should always show at least one current certificate indicating that they have enrolled their
devices.
User
The User section shows user-specific information (when available and subject to privacy settings as specified in
Configuration > System Settings > Device > General > Privacy) including Name, Status, Username, Email, Group, Email
Username, Security Type, and Contact Number. It also displays a list of all devices that the user has enrolled.
GPS
The GPS section shows the GPS coordinates of the device (subject to privacy settings as specified in System Settings >
Device > General > Privacy). The default display is Last Known (most recently received coordinates). To view GPS
coordinates over a select period of time:
Select the time period for which you would like to view GPS coordinates from the Period drop down menu.
Click Search.
The search results will return the entire available trail (breadcrumbs) of GPS coordinates over the requested period.
Additionally, the Play Sound icon is available to help locate a lost device. Click the icon to play a sound on
the device.
Event Log
The Event Log contains a comprehensive log of all interactions between the AirWatch Web Console and the device. Click
Refresh Data to instantly update the Event Log. Important fields to note in the Event Log include the
following:
Direction: Shows the direction of the event (device to server or server to device).
Event Type: Provides a brief categorization/summary of the event. Examples of events might include:
Check In
Remote Actions
The Remote Actions List is shown below. With this list, administrators can perform any of the listed actions on the
selected device over-the-air.
Device Query
Manually requests the remote device to send in a comprehensive set of MDM information to the console. This will
override the timed device check-ins with an immediate request.
Clear Passcode
This will clear the passcode on the remote device. This can be leveraged whenever any end-users forget their passcode
or become locked out of accessing their device.
Send Message
Email: When corporate SMTP settings have been properly configured, administrators will have the ability
to send remote emails to any address.
SMS: If a corporation has set up an SMS service account with CellTrust, and if the credentials have been
properly configured, administrators will have the ability to send remote SMS text messages to any phone
number.
APNs: For iOS devices that have the AirWatch Agent installed, administrators can send Apple Push
Notification messages to an end-user that will display the message body in the notification.
Lock Device
This will lock the device so that the device user will have to unlock the device with the appropriate passcode to
continue using it.
Enterprise Wipe
This will remove the device from AirWatch MDM by un-enrolling the device and selectively wiping all of the Enterprise
data contained on the device through MDM profiles, policies, and internal applications.
Device Wipe
This will perform a full wipe of the device (subject to privacy settings as specified in Configuration > System Settings >
Device > General > Privacy).
As a security precaution, a confirmation message will remind you of the ownership type of the device to
be wiped.
You must enter the provided key code before performing the device wipe.
Wiping the device will remove all data, email, profiles, and MDM capabilities, and the phone will return to
a factory default state.
Find Device
This functionality will force iOS devices to make a set of audible notification tones so that end-users can locate their
device.
Remote View
This provides a remote view of select devices and applications (BlackBerry and Windows Mobile). The capture button
will take a screen capture to preserve any error screens or other issues.
Remote Control
This allows select BlackBerry (through RealVNC integration) and Windows Mobile devices to be remotely controlled in
the AirWatch Web Console by an administrator for immediate remote assistance.
Device Search
The AirWatch Web Console allows the administrator to quickly locate a device or group of devices according to the following
search options:
Location Group Sidebar: Click on a location group to view the devices belonging to that location group and all
child location groups.
Sorted Fields: Sort any of the grid columns by clicking on the column name.
Grid Criteria: Filter the grid according to device criteria by selecting the criteria from the drop down menu.
Grid Search: Search the currently selected grid by typing a search term (such as device friendly name, model,
or platform) into the Filter Grid box (shown above).
Advanced Search: Search the entire AirWatch Web Console by locating the search box at the top right-hand side
of the screen.
Select one of the following search categories from the drop down menu: device, equipment, location,
settings, or user.
Click Go.
The search keyword will be highlighted in the results. When you perform an advanced search, clicking on the device name will
display the Device Details page instead of the Device Control Panel.
Device Details
The administrator can track detailed device information in addition to quickly accessing user and device management actions
by viewing the Device Details. There are two ways to view the Device Details:
Click on the Blue Friendly Name of the device in the device dashboard. When the Device Control Panel appears,
click on the name again.
Or, use any of the available search tools to search for an individual device:
From the search results, click on the Blue Friendly Name of the individual device to open up the Device Details
page:
From the Device Details page, administrators can see all of the information presented in the Device Control Panel in
addition to more detailed metrics.
Many of the Device Details are identical to the information in the Device Control Panel. For information on the
Security, Profiles, Apps, Certificates, or Event Log views, please reference the section on the Device Control Panel:
Click on the different Available Views on the left side of the Device Details page to view individual device details
according to the categories described below.
Device Information
The Device Information View is shown by default when the Device Details page is first opened, but it can be shown
again by selecting the Information tab under Available Views.
From this view, administrators can see several general statistics about the current device, including:
Phone number (when available and subject to privacy settings as specified in Configuration > System
Settings > Device > General > Privacy).
Platform/Model/OS.
Location Group/Location.
Device Restrictions
To show the Device Restrictions View, select the Restrictions tab under Available Views.
From here, administrators can see all of the security restrictions that have been placed on the device through the use of
restrictions profiles. This information is organized into four separate views: Device, Apps, Ratings, and Passcode.
Device
The Device tab shows all restrictions in effect for the device from a generic system-wide level. They are not limited in
scope to individual applications or profiles like the other restrictions tabs.
Apps
The Apps tab shows the deployed application restrictions for the device.
Allow use of YouTube will remove the YouTube application from the device so that end users cannot use
it.
Allow use of iTunes Music Store and Allow explicit music and podcasts limit these specific features from
within the iTunes applications.
Allows use of Safari, Enable Autofill, Force Fraud Warning, Enable JavaScript, Enable Plugins, Block popups, and Accept Cookies all apply to the Safari Web Browser Application.
Ratings
The Ratings tab shows all the restrictions that determine content control of Movies, TV Shows, and Apps from iTunes
and the App Store. If content filtering is applied, only specific media that has a lesser age rating will be permitted for
download.
Passcode
The Passcode tab shows all the current settings of the passcode policy that has been provisioned to the device.
Device Location
To view the current location or location history of a device, select the GPS tab under Available Views.
This shows the GPS coordinates of the device (subject to privacy settings as specified in System Settings > Device >
General > Privacy). The default display is Last Known (most recently received coordinates). To view GPS
coordinates over a select period of time:
Select the time period for which you would like to view GPS coordinates from the Period drop down menu.
Click Search.
The search results will return the entire available trail (breadcrumbs) of GPS coordinates over the requested period.
Network Status
To view the current network status of a device, select the Network tab under Available Views.
From here administrators can choose any of the different tabs to view Cellular, Wi-Fi, and Bluetooth network
information.
Alerts
To view all of the alerts that have been triggered by the current device, select the Alerts tab under Available Views.
From here, administrators can see specific alerting details for Severity, Priority, Attributes, Values, Duration, Alert Date,
and Creation Policy.
Attachments
To attach images, documents or links that are relevant to the device, select the Attachments tab under Available Views.
There are three views in the attachments tab: Images, Documents, and Links. These categories are only used within the
Web Console to help administrators organize attachments. Examples of relevant device information administrators may
want to include in this area include:
Telecom
To view details about calls by a user, open the Telecom view by selecting the Telecom tab from the left pane. The
Telecom section (information provided is subject to privacy settings as specified in Configuration > System Settings >
Device > General > Privacy) provides details about whether a call was incoming or outgoing, duration of the call, the
phone number and carrier, and the country and roaming status of the phone.
Move your mouse over Query, Management, Support, or Admin to see the drop-down menu management options.
Query
The Query menu allows the administrator to request information from the device. Click on the category to send a query
to the device. Select Query All to request all of the categories. Or, send individual queries for the following device
information:
Device information
Security
Profiles
Apps
Certificates
Management
The Management menu allows the administrator to instantly perform the following remote device actions (please refer
to the section on Remote Actions for further explanation of the first four options):
Clear Passcode
Lock Device
Enterprise Wipe
Device Wipe
Set Roaming: Enable or disable the voice and data roaming options.
Support
The Support menu provides options to instantly perform the following remote device actions (please refer to the
section on Remote Actions for further explanation of the first three options):
Find Device
Remote View
Remote Control (only available for Windows Mobile and BlackBerry devices): Remotely control the device.
Admin
The Admin menu allows administrators to instantly edit the following device and user settings:
Friendly Name
Device Group
Device Category
Delete Device
The Self-Service Portal, shown above, gives administrators the ability to view relevant device information for any of their
enrolled devices, and to perform remote actions such as clear passcode, lock device, or device wipe.
The advantages of accessing the Self-Service Portal from the managed device include:
End-users can manage multiple managed devices from the Self-Service Portal on one device.
In order for end-users to access the Self-Service Portal from their device, the administrator must first deploy a webclip
(iOS) or bookmark (Android) profile containing the Self-Service Portal web-based application URL. The steps below
outline the process for deploying the Self-Service Portal (Refer to Creating Profiles for instructions on creating a profile):
Select Add.
Name the profile. Ex: Self-Service Portal Webclip for iOS Devices.
Specify root location groups to manage the profile and be assigned the profile.
Select the Webclip (iOS) or Bookmark (Android) icon on the left sidebar.
Label: The text displayed beneath the webclip icon on an end-user's device.
    For the Self-Service Portal, use the following URL: http://<Your Enrollment Environment>/mydevice/.
Icon: To add a custom icon, select a graphic file in .gif, .jpg, or .png format.
    For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
    size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
    converted to png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
    57 pixels for all other devices.
When complete, click Save and Publish to immediately send the profile to all appropriate devices.
Privacy Settings Note: Access to information and Remote Actions in the Self-Service Portal is determined by both
Privacy settings (Configuration > System Settings > Device > General > Privacy) and Role settings (Users > Admin
Accounts). If multiple settings are in place, the strictest policy is enforced.
Retiring a Device
In the event that a device must be removed from mobile device management, there are several possible methods to unenroll
the device from different sources.
Automatic Unenrollment: The AirWatch Compliance engine can be configured so that when devices do not comply
with Application or Device compliance policies, they are automatically unenrolled from mobile device
management.
Administrative Unenrollment: Administrators can also unenroll devices over the air from the Device Dashboard
page or the Device Details page. From either of these pages, administrators simply need to select Corporate Wipe,
and the device will be removed from mobile device management.
End-User Unenrollment: If an end-user decides to opt out of corporate mobile device management, then they
can initiate the Unenrollment process from their own devices. Although the process is different for each
manageable platform, the general process involves removing the administrative privileges of AirWatch, and
removing any AirWatch agents from the device.
Best Practices
Before performing remote actions on a device, take into account the device ownership type.
For example, keep in mind that performing a full device wipe on an employee-owned device will remove all of
the personal data from the device in addition to all corporate data.
Additionally, the administrator may want to use privacy settings (specified in Configuration > System Settings >
Device > General > Privacy) and role permissions (specified in Users > Admin Accounts > Roles) to restrict lower-tier
administrator access to employee-owned device data.
Profile Management
AirWatch enables IT administrators to create and deploy configuration profiles that define enterprise settings, policies, and
restrictions for smart devices without requiring user interaction. AirWatch delivers signed, encrypted, and locked
configuration profiles over-the-air to ensure they are not altered, shared or removed. A single deployed profile is called a
profile payload.
Profiles Page
The Device Profiles page in the Web Console is responsible for managing and pushing profiles.
Active: If green/active, the profile will be available to new devices. If red/inactive, the profile is not
available to devices.
Managed: Managed profiles are associated directly with AirWatch, therefore if a device is un-enrolled or
retired the managed profiles will be removed. Unmanaged profiles will remain on a device even after
being un-enrolled from AirWatch.
Ownership: Shows if a profile is assigned to any device or specifically to corporate owned or employee
owned devices.
Managed By: The location group that has access to edit, publish, or delete a profile.
View Devices: Shows devices that are available for that profile and if the profile is installed
currently.
Publish: Pushes out the profile to devices that match the profile criteria.
View XML: View the XML code sent over the air to devices describing the application or profile.
Creating Profiles
In order to deploy profiles to devices using the Device Profiles Page in the Web Console:
Navigate to Profiles & Policies > Profiles to open the Device Profiles Page.
Select Add.
General Settings
The first step in creating any profile is configuring the General Settings. The General Settings are overall settings that
will determine how and to whom the profile is deployed.
Description: A brief description of what the profile does. This will be displayed on managed devices under
Profile Details.
Platform: The platform to which this profile will be deployed (this field is pre-populated based on the platform
selected in the previous step). Profile support varies by platform, and therefore platform choice will determine
which types of profiles can be deployed.
Deployment:
Manual will leave the profile installed when the device is enrolled.
Model and Minimum Operating System: Enter the specific models and minimum operating systems to which
the profile will be deployed. The profile will only be deployed to devices that meet the specified parameters.
Importance and Sensitivity: These are fields used within the Web Console only for additional details and
profile filtering capabilities. They have no effect on how the profiles are deployed.
Allow Removal: A security parameter specifying what end-users can do to remove the specific profile from
their device:
Always: Users can remove the profile on their own without entering any authorization codes.
With Authorization: Users can remove the profile if they correctly enter an authorization code as
created by a Web Console administrator.
Never: Users cannot remove the profile unless the device is unenrolled from AirWatch management.
Root Location Group: The location group that administrators must be associated with in order to edit and
delete this profile. If administrators manage higher location groups than the management group, then they will
also have access to profile management by inheritance.
Assignment Type: This determines how the profile is pushed out to devices.
Optional: Manually push the profile to selected devices in the location groups selected in the
assignments box.
Note: When a profile is set to optional, no devices will receive it by default. It must be manually
assigned to each device that will need it.
Location Group: The location groups (and all child location groups) that will be configured with this profile.
Any devices that enroll into these groups or their child groups will receive the profile.
Note: Always configure profiles at the Location Group level instead of the Location level.
When the General Settings are complete, select any of the profile types from the list on the left to begin creating
profiles.
Navigation
After the General Settings are configured, you can begin creating and deploying other profile types. Here are some
general guidelines for navigating through the profile creation process:
To create a new profile, select the profile type from the left navigation pane and click Configure.
The specific fields used to configure each of the specific profile types are outlined in the section below
called Profile Types.
Once complete, select Save, Save and Publish, or Reset to complete the profile.
Saving the profile will save the profile configuration in the Web Console but will not deploy the profile
to devices due to its unpublished status.
Saving and publishing the profile will save the profile configuration in the Web Console, and publish
the profile so that all appropriate managed devices immediately receive the new profile.
Reset will not save any of the profile configuration and will clear out all changes.
The available profiles are listed in the Add a New Profile navigation pane. The Navigation pane also provides a quick
summary of profile status using the following indicators:
Green indicates that the profile fields under that category are complete
Numbers next to the profile name indicate the number of profiles created for the selected profile type
AirWatch profile management allows the administrator to configure multiple profiles for many of the profile categories
(for example, Wi-Fi, Email Settings, or LDAP). To create more than one profile for a select profile type:
Click on the profile name to open the profile editing window (if necessary, click Configure to add the initial
profile)
To add another profile, click on the plus sign (+); to delete the selected profile, click on the minus sign (-).
To scroll through the profiles, click on the arrows. Or, select a specific page by clicking on the corresponding
circle. The example image below shows six circles, each of which represent a profile page:
Note: It is important to distinguish between creating multiple profiles of one type (for example, numerous
Email profiles), which is a recommended practice, and multiple profile payloads (for example, creating an Email
and a Wi-Fi profile at the same time), which is not a recommended practice.
iOS Profiles
Profile Name
Short Description
Passcode
Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. If multiple profiles enforce separate passcode policies on a single device, the most
restrictive policy will be enforced.
Restrictions
Restrictions profiles limit the features available to users of managed devices by restricting the use of
specific features such as YouTube, the iTunes Store, or the on-device camera.
Wi-Fi
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note
of the iOS 5+ only options.
VPN
VPN profiles push corporate virtual private network settings to corporate devices so that users can
securely access corporate infrastructure from remote locations.
Exchange ActiveSync
Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.
Please note that there are pre-populated look-up value fields and options that only apply to iOS 5+.
LDAP
LDAP allows configuration with LDAPv3 directory information. The fields in this section support
lookup values. Click on the tool tip for values and definitions.
CalDAV
CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise
CalDAV server. The fields in this section support lookup values. Click on the tool tip
for definitions.
Subscribed Calendars
Subscribed Calendars provides calendar configuration. The fields in this section support lookup
values. Click on the tool tip
for definitions.
CardDAV
CardDAV: This section allows for specific configuration of CardDAV services. The fields in this section
support lookup values. Click on the tool tip
for definitions.
Web Clips
Web Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick
access to common web resources (for example, you could add the online version of the iPhone User
Guide to the home screen).
Credentials
Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc
certificate requests can be configured as well.
SCEP
The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple
Certificate Enrollment Protocol (SCEP).
Advanced
Custom Settings
Custom Setting profiles allow custom XML to be included in the profile payload.
Android Profiles
Profile Name
Profile Description
Passcode
Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. If multiple profiles enforce separate passcode policies on a single device, the most
restrictive will be enforced.
Restrictions
Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions
include device functionality, Sync and Storage, Bluetooth, Roaming, and Tethering restrictions.
Wi-Fi
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
VPN
VPN profiles push corporate virtual private network settings to corporate devices so that users can
securely access corporate infrastructure from remote locations.
Email Settings
Email profiles send email configurations directly to devices so that end-users automatically receive
email.
Exchange ActiveSync
Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.
Exchange can now be set up with the native mail client on Samsung devices using the Ice Cream
Sandwich operating system.
Bookmarks
Bookmark profiles work in the same manner as Webclip profiles. Bookmarks are customized web
shortcuts that will be pushed down to the Home screen of the users device. Multiple bookmarks can
be added per profile by clicking on the plus (+) sign in the top right corner of the window.
Credentials
Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc
certificate requests can be configured as well. Multiple credential configurations can be added
per profile by clicking on the plus (+) sign in the top right corner of the window.
BlackBerry Profiles
Profile Name
Profile Description
Device
Device profiles determine various device-specific options such as backlight brightness, backlight
timeout, GPS sampling, and GPS sample intervals.
Telecom
Telecom profiles specify various telecom options such as 411 redirections, and SMS sampling
options.
Advanced
Custom Settings
Custom Setting profiles allow custom XML to be included in the profile payload.
Symbian Profiles
Profile Name
Profile Description
Passcode
Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. This profile allows for a reset of an administrator-set passcode.
Wi-Fi
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
Exchange ActiveSync
The administrator has the option of setting the frequency of syncing calendar and emails on a mobile
device using Microsoft Exchange EAS profiles.
Custom Settings
Custom Setting profiles allow custom XML to be included in the profile payload.
Windows Phone Profiles
Profile Name
Profile Description
Passcode
Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected.
Profile Descriptions
Passcode
Passcode profiles require end-users to protect their devices with a passcode. If multiple profiles enforce separate
passcode policies on a single device, the most restrictive will be enforced.
Allow simple value: Allows simple password values (for example, 1111 or 1234).
Maximum passcode age (days): Sets the number of days until a password expires.
Auto-Lock (min): Sets the timeout after which the device automatically locks and requires a passcode for entry.
Passcode history: Sets the number of previous passwords that cannot be reused.
Grace period for device lock (min): Time period after device lock during which the passcode is not required for re-entry.
Maximum number of failed attempts: Number of failed passcode attempts before the device is wiped.
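The rule that the most restrictive of several Passcode profiles wins (stated above and in the iOS profile table) worked through in Python, as an added example that is not AirWatch's code: it merges several profiles field by field and emits the result as an unsigned iOS passcode payload in plist form. The Apple payload key names come from Apple's configuration profile reference, not from this guide; the mapping from the guide's fields onto those keys, the identifier and the sample policies are assumptions.

```python
"""Most-restrictive merge of Passcode profiles, emitted as an iOS passcode payload.
Added example; not AirWatch's own code. Apple key names are from Apple's
configuration profile reference; the field mapping below is our assumption."""
from __future__ import annotations

import plistlib
import uuid
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PasscodePolicy:
    """One Passcode profile, with the fields named as in the guide.
    None means the profile does not enforce that limit at all."""
    allow_simple: bool = True                   # Allow simple value (e.g. 1111 or 1234)
    max_age_days: Optional[int] = None          # Maximum passcode age (days)
    auto_lock_min: Optional[int] = None         # Auto-Lock (min)
    history: int = 0                            # Passcode history (previous passcodes blocked)
    grace_period_min: Optional[int] = None      # Grace period for device lock (min)
    max_failed_attempts: Optional[int] = None   # Maximum number of failed attempts before wipe


def _tightest(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """The smaller limit wins; an unenforced limit never loosens an enforced one."""
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b)


def most_restrictive(policies: Iterable[PasscodePolicy]) -> PasscodePolicy:
    """Combine several Passcode profiles as the guide describes: when more than one
    profile is on a device, the most restrictive setting of each field applies."""
    result = PasscodePolicy()
    for p in policies:
        result = PasscodePolicy(
            allow_simple=result.allow_simple and p.allow_simple,  # one "no" forbids simple values
            max_age_days=_tightest(result.max_age_days, p.max_age_days),
            auto_lock_min=_tightest(result.auto_lock_min, p.auto_lock_min),
            history=max(result.history, p.history),              # longer history is stricter
            grace_period_min=_tightest(result.grace_period_min, p.grace_period_min),
            max_failed_attempts=_tightest(result.max_failed_attempts, p.max_failed_attempts),
        )
    return result


def passcode_payload(policy: PasscodePolicy, identifier: str) -> dict:
    """Map the guide's fields onto Apple's passcode payload keys; unenforced limits are omitted."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,                  # a passcode is required at all
        "allowSimple": policy.allow_simple,
    }
    optional = {
        "maxPINAgeInDays": policy.max_age_days,
        "maxInactivity": policy.auto_lock_min,
        "maxGracePeriod": policy.grace_period_min,
        "maxFailedAttempts": policy.max_failed_attempts,
        "pinHistory": policy.history or None,  # 0 means no history is kept
    }
    payload.update({k: v for k, v in optional.items() if v is not None})
    return payload


def profile_plist(policy: PasscodePolicy, name: str, identifier: str = "com.example.passcode") -> bytes:
    """Wrap the payload in a top-level configuration profile. This is the plain XML
    form; the console delivers profiles signed and encrypted, which is not done here."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [passcode_payload(policy, identifier + ".passcode")],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a profile back into a dict (used to inspect what would be sent)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed sample: a lenient location-group profile plus a stricter department profile.
    group = PasscodePolicy(allow_simple=True, max_age_days=90, auto_lock_min=5,
                           history=3, grace_period_min=15, max_failed_attempts=10)
    department = PasscodePolicy(allow_simple=False, auto_lock_min=2, history=5, max_failed_attempts=6)
    print(profile_plist(most_restrictive([group, department]), "Corporate Passcode").decode())
```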
Restrictions
Restrictions profiles (only available for iOS and Android) limit the features available to users of managed devices by
restricting the use of specific features such as YouTube, the iTunes Store, or the on-device camera.
Ratings: Restricts access to Movies, TV Shows, and Apps based on specific ratings.
Note: Additional restrictions profiles are available for iOS 5 devices and Android Samsung devices.
Wi-Fi
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access to corporate Wi-Fi networks.
Service Set Identifier: To configure Wi-Fi profiles, select the appropriate wireless protocols and security
settings for the Wi-Fi network.
Add multiple accounts by clicking the plus (+) button, or create Wi-Fi profiles in bulk by navigating to
Profiles and Policies > Profiles > Bulk Import.
Email
Email profiles allow the administrator to configure IMAP/POP3 Email accounts for incoming and outgoing mail.
Note: Certain iOS Email profile features are only available for iOS 5 devices.
Note: Enhanced Email Settings functionality is available for Android Samsung devices.
Exchange ActiveSync
Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.
Create a profile for a specific user by specifying the domain name, user name, Email address and
password. Or, leave the password field blank and the users will be prompted for their password (for this
configuration, the username field requires a lookup value).
If certificates are used to validate the ActiveSync connection and you wish to include them in the profile,
select one of the two options listed under Certificate Type.
Uploaded Certificate: Upload a certificate and include a passphrase that the user must enter before
receiving the certificate.
Certificate Authority: Specify the Certificate Authority in existence on the local network as the source of
the certificate.
LDAP
LDAP profiles provide easy configuration with LDAPv3 directory information.
The fields in this section support lookup values. Click on the tool tip for definitions.
Please refer to the section on LDAP integration for more information on LDAP.
CalDAV
CalDAV profiles can be configured with information to allow users to sync wirelessly with the enterprise CalDAV server.
The fields in this section support lookup values. Click on the tool tip
for definitions.
Subscribed Calendars
Subscribed Calendars manages corporate calendar integration and subscriptions.
The fields in this section support lookup values. Click on the tool tip
for definitions.
CardDAV
CardDAV profiles allow the administrator to configure specific CardDAV services.
The fields in this section support lookup values. Click on the tool tip for definitions.
Web Clips
Web Clip profiles send clickable hyperlinks, in the form of a Home screen icon, down to devices for quick access to common web
resources (for example, to add the online version of the iPhone User Guide to the Home screen, specify the web clip
URL http://help.apple.com/iphone/). Web Clips are also used to deploy the AirWatch App Catalog and to enable the
Self-Service Portal.
URL - The address the user is taken to when the icon is tapped on the device (can be internal or external).
Removable - Specifies whether or not the user has the ability to remove the Web Clip from their device.
Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format.
For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
converted to PNG format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
57 pixels for all other devices.
Precomposed Icon - Checking this box will stop the device from adding a shine to the icon.
Full Screen - Specifies that the address will be loaded full screen on the device, without the Safari address
bar and borders. In full screen mode the end-user cannot see the URL, so use this only for trusted,
pre-configured destinations.
Credentials
Credentials profiles deploy corporate certificates to managed devices.
The Credentials profile also provides a field for configuring Ad-hoc certificate requests (if supported by the
network).
SCEP
The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate
Enrollment Protocol (SCEP).
For more information on Certificate use and integration, please refer to the section on Certificate
Infrastructure Integration.
Advanced
Custom Settings
Custom Settings profiles allow custom XML to be included in the profile payload.
Custom Settings profiles allow administrators to directly enter the XML that defines the settings of a configuration
profile, which is then deployed to iOS devices over the air. This is useful when new device platform capabilities
are released before the VSDM profile capabilities are updated.
Custom profiles always open and close with the <dict> tags and contain, at a minimum, the following
profile keys:
PayloadIdentifier - A reverse-DNS format identifier that is unique to this specific payload.
PayloadType - The type of payload that is going to be configured. For example, this defines whether
the payload will be a passcode payload, Wi-Fi payload, or restrictions payload.
The samples below also carry PayloadUUID and PayloadVersion, which Apple requires in every payload. PayloadUUID must
be unique per payload; generate a fresh UUID for each custom profile rather than copying one from a sample.
A sample of how these keys are deployed in the custom profile is shown below.
<dict>
    <!-- Human-readable fields shown to the user when the profile installs -->
    <key>PayloadDescription</key>
    <string>Configures 15-min autolock for iPads</string>
    <key>PayloadDisplayName</key>
    <string>15min AutoLock</string>
    <!-- Reverse-DNS identifier, unique to this payload -->
    <key>PayloadIdentifier</key>
    <string>com.autolock.fifteenmin.passcode1</string>
    <key>PayloadOrganization</key>
    <string></string>
    <!-- Passcode policy payload type as defined by Apple -->
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <!-- Generate a new UUID for every payload; do not reuse this one -->
    <key>PayloadUUID</key>
    <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
Next, once a PayloadType is defined, administrators must define the keys that hold the settings for that
specific type of profile. These are all dependent on the type of payload that the administrator is trying to
deploy. For iOS devices, a list of all currently available payload-specific property keys can be found in Apple's
iPhone Configuration Profile Reference:
http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
Once these payload-specific fields are defined, the profile is ready to deploy. A completed sample
custom profile that enables a 15 minute auto-lock for iPads through the passcode payload is shown below.
<dict>
    <key>PayloadDescription</key>
    <string>Configures 15-min autolock for iPads</string>
    <key>PayloadDisplayName</key>
    <string>15min AutoLock</string>
    <key>PayloadIdentifier</key>
    <string>com.autolock.fifteenmin.passcode1</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadUUID</key>
    <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <!-- Payload-specific keys for the passcode policy -->
    <!-- forcePIN: require a passcode on the device -->
    <key>forcePIN</key>
    <true/>
    <!-- maxInactivity: minutes of inactivity before the device locks -->
    <key>maxInactivity</key>
    <integer>15</integer>
</dict>
Batch Name - The name of the user or device batch (for reference purposes in the Web Console).
Batch Description - A description of the particular user or device batch (for reference purposes).
Click the Batch Import button to open the Batch Import Form.
From here, select the Download Template button to download the Batch Import Template.
Enter all relevant Wi-Fi profile information for each group (defined by Location Group). Five sample
entries have been added to the top of the template for reference on what type of information to put into
each column. Required fields are designated with a *.
Please note:
Column A, Use Case, refers to the type of operation (Add, Edit, or Change):
Change allows the administrator to change the Model (device) and Assigned Location Group fields for
an existing profile.
Edit allows the administrator to edit an existing profile (creates a new Wi-Fi configuration).
Column E, Location Group, specifies the location group permissions for editing the Wi-Fi profile. Every
administrator placed one level higher than this location group (and above) will be able to edit the
designated Wi-Fi profile.
Column F, Assigned Location Group, designates the location group to which the profile will be
deployed.
Select Browse from the Batch Import Form, and select the .csv file that was just created from the
template.
Batch Status / Action:
An error icon indicates that one or more rows failed to import.
Click on the icon to view the errors by row number and error description.
Best Practices
The following tips will help administrators more efficiently manage their smart device fleet through the profile management
tools in the AirWatch Web Console:
Pay close attention to the device ownership type (Corporate-Dedicated, Corporate-Shared, or Employee-Owned)
when specifying the profile General Settings. For example, the administrator may want to deploy more stringent
Restrictions profiles to corporate-owned devices than to employee-owned devices.
Remember that profile assignment follows location group membership. For example, if you move a user to a new location
group, the profiles associated with the original location group will be removed and the user will inherit the profiles
associated with the new location group.
For maximum Email security, use Email profiles in conjunction with the AirWatch Secure Email Gateway.
To quickly create multiple profiles with similar deployment settings, use the Copy action on an existing
profile and then make changes where necessary.
Application Management
AirWatch's mobile application management solution enables the administrator to wirelessly distribute and manage internal,
public, and purchased apps across the mobile device fleet. Furthermore, the AirWatch Enterprise App Catalog allows the
corporation to build secure business applications, which can be deployed, managed and secured alongside public apps via a
custom app catalog. Through the Application Management tools in the AirWatch Web Console, administrators can allow users
to view, install, and update both internal and public applications.
To deploy the web-based AirWatch App Catalog to devices as a web clip or bookmark:
Select Add.
The Select Platform Form will appear. Choose Android or Apple based on the device you would like to
configure.
Select Web Clip (for iOS) or Bookmark (for Android) from the profile list.
Choose Configure, and fill in all Web Clip profile or Bookmark profile parameters.
Label - The name displayed on managed devices for the web clip. For example, AirWatch App Catalog
could be used.
URL - The App Catalog address. You can also change the landing page for the App Catalog by using one of the
conventions listed below. {DeviceUid} is a lookup value that AirWatch fills in with each device's own identifier when
the profile is deployed, so one profile can be assigned to many devices:
Internal: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=Internal
Public: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=public
Categories: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=categories
Purchased: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=purchased
Updates: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=updates
Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format.
For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
converted to PNG format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
57 pixels for all other devices.
When complete, select Save and Publish to immediately deploy the web-based AirWatch App Catalog to
all appropriate devices.
Search Apple Store (iOS only) - Searches the Apple App Store automatically for the application and populates all app
details in the next form. For Android apps this information must be filled in manually.
Select Continue.
If you selected Search the Apple Store, your application record will already be populated and you will
only need to enter the basic parameters.
Otherwise, you will need to enter the following information yourself.
For iOS devices, use the URL for the specific application in the iTunes Store, which is in the format
http://itunes.apple.com/* where * is specific to the application.
For example, the URL for the Skype iOS application is
http://itunes.apple.com/us/app/skype/id304878510?mt=8
For Android apps, use the URL for the specific app in the Android Market, which is in the format
market://details?id=* where * is the package identifier of the Android app.
To get the package identifier of the Android app, navigate to the Android Market in a web browser at
https://market.android.com/.
Find the application page for the specific Android app you are looking for. For instance,
https://market.android.com/details?id=com.alphonso.pulse for the Pulse News Reader application.
Replace the https://market.android.com/ portion with market://. For the Pulse News Reader example, the
appropriate URL would be market://details?id=com.alphonso.pulse
Comments - The additional comments displayed when end-users click on the recommended app in the App
Catalog.
Reimbursal - Designates whether or not the corporation will reimburse end-users for the purchase of this app. A
small icon is shown in the AirWatch App Catalog indicating whether or not an app is reimbursed.
Rank - A rating of 1-5 stars that is displayed in the App Catalog.
iOS 5 Only - If the application is going to be deployed to iOS 5 devices, fill in the following fields:
Remove On Unenroll - Determines whether the application will be removed when a device is unenrolled.
When complete, click Save and the recommended app will be added to the App Catalog.
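A helper that canonicalises whatever store URL an administrator pastes, as an added example (not AirWatch code and not part of the original guide; Python standard library only). It accepts the iTunes web URL for iOS and either the Android Market web URL or the market:// form, extracts the numeric app id or the package identifier, validates it, and returns the form the guide asks for. The exact host match and the package-name pattern are this example's own rules: they reject a look-alike host or a malformed identifier instead of letting it into the App Catalog.

```python
"""Canonicalise the store URL entered for a public app.

Added example, not part of the AirWatch guide; standard library only.
The guide asks for http://itunes.apple.com/... URLs for iOS apps and
market://details?id=<package> for Android. This helper accepts what an
administrator is likely to paste (either store's web URL, or the market://
form) and returns the canonical value with the app identifier extracted.
Anything else raises ValueError so a typo or look-alike host is caught
before it reaches the App Catalog.
"""
import re
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Android package names: dot-separated Java identifiers, at least two labels.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
# iTunes app pages end in /id<digits>, e.g. .../app/skype/id304878510
ITUNES_ID_RE = re.compile(r"/id(\d+)$")


def canonical_app_url(url: str) -> Dict[str, str]:
    """Return {"platform", "app_id", "url"}; raise ValueError if unusable."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    # iOS: exact host match, numeric id taken from the last path segment.
    if parts.scheme in ("http", "https") and host == "itunes.apple.com":
        path = parts.path.rstrip("/")
        match = ITUNES_ID_RE.search(path)
        if not match:
            raise ValueError("iTunes URL has no /id<number> segment")
        canonical = "http://itunes.apple.com" + path
        if parts.query:
            canonical += "?" + parts.query
        return {"platform": "ios", "app_id": match.group(1), "url": canonical}

    # Android: either the web page or the market:// scheme; keep only the id.
    if parts.scheme == "market":
        node = parts.netloc          # market://details?id=... parses "details" as netloc
    elif parts.scheme in ("http", "https") and host == "market.android.com":
        node = parts.path.strip("/")
    else:
        raise ValueError(f"unsupported store URL: {url!r}")
    if node != "details":
        raise ValueError("Android Market URL must point at details?id=<package>")
    package = parse_qs(parts.query).get("id", [""])[0]
    if not PACKAGE_RE.match(package):
        raise ValueError(f"not a valid Android package identifier: {package!r}")
    return {"platform": "android", "app_id": package,
            "url": f"market://details?id={package}"}


if __name__ == "__main__":
    for pasted in ("http://itunes.apple.com/us/app/skype/id304878510?mt=8",
                   "https://market.android.com/details?id=com.alphonso.pulse",
                   "https://itunes.apple.com.example.net/us/app/x/id1"):
        try:
            print(canonical_app_url(pasted))
        except ValueError as err:
            print("rejected:", err)
```

The extracted app_id is the value to carry into the Application ID field later in this chapter, and the returned url is what goes into the app record; the third sample URL in the script, with a host that merely starts with itunes.apple.com, is rejected.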
The Add Application Form will appear. Fill in all general parameters as needed. Some of the fields are highlighted
below.
Application File - Location of the application file. Apple applications are uploaded as a .ipa file,
and Android applications are uploaded as a .apk file.
Select Continue and fill out all additional fields described below as needed.
Name - The app name displayed on the device.
Application ID - For an Android app, this field must be the application's package identifier.
For an iOS app, it MUST be the application's bundle identifier.
Description/Keywords - Enter a description of the application to be displayed in the App Catalog.
URL - Enter a website address that has more information about the application.
Images: Optionally upload screenshots of the application in-use to be displayed on the application page along with
the description prior to downloading the application from the App Catalog
EULA: Optionally enter an End User License Agreement you wish to require before installing the application
Application supports APNs - States whether the application supports the Apple Push Notification service.
Application uses AirWatch SDK - States whether the application is built with the AirWatch Software Development Kit to
increase its functionality inside the AirWatch portal.
Effective Date/Expiration Date - Set the dates on which the app becomes active and expires.
Location Groups - This box contains all the Location Groups that the application will apply to. This is entirely
different from the setting above, which only changes the administrative privileges on the app.
iOS 5 Only - If the application is going to be deployed to iOS 5 devices, fill in the following fields to enable enhanced
application deployment and management:
When complete, click Save to deploy the internal application to the AirWatch App Catalog.
The Apple Volume Purchase Program allows businesses and educational institutions to purchase publicly
available applications, or specifically developed third-party applications, in volume for distribution to
corporate devices.
The process of deploying applications in volume throughout a business or educational institution with the Volume Purchase
Program can be separated into three main components:
VPP Enrollment - First, businesses and educational institutions must enroll in the program and verify with Apple that they are a
valid business or institution.
More information regarding the Apple Volume Purchase Program, how it works, and program prerequisites can be
found at the links above.
App Purchasing - Once enrolled in the Volume Purchase Program, businesses and educational institutions can purchase
applications in bulk through the Volume Purchase Program website at https://vpp.itunes.apple.com/us/store.
Log in with the VPP Apple ID created during the enrollment process.
Find applications, define the quantity, and purchase with a corporate credit card.
App Deployment - Once applications have been purchased, they can be distributed throughout a smart device fleet through
the use of redemption codes. For each application purchase, there is an associated redemption code for end-users to redeem
a single copy of the application.
These redemption codes are managed through a Redemption Code Spreadsheet available at the Volume Purchase
Program website. This spreadsheet contains details such as the redemption code, redemption status, and most
importantly, a redemption URL that an end-user can use to automatically validate the code and install the
application through the App Store. Each code is a single-use bearer credential: whoever holds it can redeem it, so
treat the spreadsheet as a financial record and restrict access to it.
It is during this final step, App Deployment, that AirWatch Mobile Device Management can be leveraged to enhance
management and distribution to a corporate smart device fleet. For businesses and educational institutions that do not have
any Mobile Device Management capabilities, Apple provides two solutions for deploying redemption URLs to end-users:
Posting the redemption codes and URLs directly to a corporate intranet site
The sections below describe how AirWatch can be leveraged to automate and simplify this application distribution
process.
Navigate to Apps & Profiles -> Orders to open the Orders Page.
Select the Add button in the upper left-hand corner of the page.
This will open the Add Order Form where new VPP Application Orders are first created. Upload the CSV
that you downloaded from the VPP Portal by selecting Choose File.
After you have selected the appropriate Apple VPP Redemption Code Spreadsheet, click Continue to proceed
to the Product Selection Form.
If the Apple VPP Redemption Code Spreadsheet contains licenses for multiple applications, several
products can be listed on this form. Only one can be selected per new order. Locate the appropriate
product and select it.
You will now be back at the Orders Page in the Web Console, and your new Order will be shown with a
New status. Orders with a New status are not yet activated for distribution and redemption to the device
fleet.
From here, enter all necessary Order Information. All required fields are denoted with a red asterisk:
Friendly Name - The name of the Order that is displayed on the Orders Page within AirWatch.
Department - The corporate department that this application order will be deployed to.
Cost Center - The corporate department responsible for financial information regarding this
application order.
Cost Per License - The cost per license purchased for this application order.
Once complete, click Save and Approve to approve the order for distribution (recommended), Save to
save the information but keep the Order status as New, or Reset to reset the fields on this form.
To allocate licenses from an approved order:
Navigate to Apps & Profiles -> Orders to open the Orders Page.
Locate the specific order to be allocated in the Order List by Order number, friendly name, product
name, or order date.
Once the specific order is located, click the Allocate button on the same row.
From here, you can allocate licenses to specific Location Groups and User Accounts by clicking the Add
button, or you can choose to reserve licenses for later redemption by placing them On-Hold.
To allocate licenses to a Location Group:
Click Add.
Type and select the name of the Location Group in the text box shown below.
To allocate licenses to individual User Accounts:
Click Add.
Type and select the name of the Location Group at which the user accounts are created in the text box
shown below.
Click on the blue Selected Users link that appears to open the User Select form.
From here, select the specific User Accounts on the left, and click the button to provision an
individual redemption code to each selected user.
Lastly, enter the number of licenses to allocate to the selected users in the Allocated text box.
To allocate a single license to each selected user, type the same number that is shown in the Users
text box into the Allocated text box. If fewer are allocated, only the first users to use their redemption
code will be able to install the application.
Enter the number of redemption codes that you want to place on hold in the On-Hold text box.
Select System -> General -> Message Templates from the navigation menu on the left to open the
Message Template Form.
Click Add to create a new template, and fill in the following fields:
Subject - The subject of the Email message, if Email is selected as a delivery method.
Description - An internal description of this template, used only within AirWatch.
Category - The message template category. For VPP Application Messages select Application.
Type - The type of message to be sent; a subcategory of the message template category. For VPP
Application Messages, select Purchased Application.
Device Ownership - Limits message delivery to devices belonging to the
specified device ownership category.
Alternate Delivery Method - An additional method of message delivery to end-users. This message
is sent in addition to the message specified in the primary delivery method.
Effective Date - The start date from which this message template takes precedence over the
default message bodies specified by the AirWatch system.
Expiration Date - The end date after which this message template is no longer delivered to end-users,
and the default AirWatch system message templates, or other currently effective message
templates, are used instead.
Select Language - Limits message delivery to devices belonging to users who
understand the specified languages.
Email / SMS / Agent Check Boxes - Check any of these boxes to enable message configuration for
each respective message type.
Message Bodies - The message that will be displayed on end-user devices for each of the respective
message types. Use the {ApplicationName} lookup value to dynamically populate the name of the
application for download in the messages displayed on end-user devices.
Once the form has been completed, select Save to complete the custom Purchased Application Message.
Once the custom purchased application messages have been created, or if administrators choose to use the default
purchased application Email message template, notifications can be sent out over-the-air to all end-users. To send the
Purchased Application Messages to end-users:
Navigate to Apps & Profiles -> Orders to open the Orders Page.
Locate the specific order in the Order List by Order number, friendly name, product
name, or order date.
Once the specific order is located, click the Notify button on the same row.
Order statuses:
- The order has recently been uploaded to AirWatch and is awaiting approval before
allocation to end-users can begin.
- The order has been approved, but has not been allocated throughout the device fleet, and
end-users have not been notified.
- The order has been approved by Apple, allocated to the device fleet, and end-users have
been notified.
From the Products View on the Orders Page in the Web Console administrators can:
See the total number of purchased application vouchers, the number of Redeemed vouchers that have
been used by end-users, and the number of Remaining vouchers that end-users can still redeem in the
future.
See whether each VPP Product Order is Active or Inactive; the Green and Red dots in the status column indicate
Active and Inactive respectively.
Renotify end-users.
From the Licenses View on the Orders Page in the Web Console administrators can see the status of each license:
- The license has not been used by the end-user but is available for redemption.
- The license belongs to a VPP Product Order with an Inactive status. The license
information is still in the AirWatch system and can be set to Active for later redemption.
- The license was redeemed by a device that is not under AirWatch MDM.
Licenses with a Redeemed status have Assigned To and Date Redeemed fields indicating the
User Account that redeemed the license and the date on which it was redeemed.
Best Practices
To track public applications on employee devices through the Device Details and Device Control Panel, ensure that
the Web Console Privacy Settings (specified in Configuration -> System Settings -> Device -> General -> Privacy) allow
for the collection and display of application data. Review these settings against the device ownership types in use,
since the application inventory of an employee-owned device may be considered personal data.
Some applications may have specific device prerequisites (for example, iCloud settings) in order to be fully
functional. Investigate application requirements before pushing applications to end-users. Either enable the
appropriate settings for end-users, or inform end-users of any settings requirements.
Use the AirWatch SDK for maximum security and functionality when building secure internal business applications.
Content Management
AirWatch's Mobile Content Management solution, Secure Content Locker, allows IT administrators to manage document
distribution and mobile access to corporate documents through a web-based console. The Secure Content Locker application
enables employees to securely access corporate resources on the go from their mobile devices. Whether your company
is looking to distribute annual reports to shareholders or the latest presentation to the sales force, AirWatch ensures
corporate information is protected.
Content can be configured to be accessed in online or offline modes, and content can be encrypted on the device
(encryption is chosen per document when it is uploaded). The following document types are supported in the Secure
Content Locker:
iWork: Keynote (including Keynote '09), Numbers (including Numbers '09), Pages (including Pages '09)
Other: PDF, XML, Text, Rich Text Format (RTF) and HTML
Click Upload.
Only the following formats are compatible: PDF, Numbers, Pages, Keynote, Word, PowerPoint, Excel, HTML,
XML, Text, RTF, JPG, PNG.
Click Continue.
Document Categories are used in the Secure Content Locker application to organize and group documents.
Each document can belong to multiple categories as shown above.
No details are required, but they add additional information about the document that can be shown in the
Secure Content Locker application.
Check the first two boxes to permit Secure Content Locker documents to be opened in third-party applications or Email.
Once a document is opened in another application, that copy is outside Secure Content Locker's control and is no longer
subject to its encryption or expiration settings, so leave these unchecked for sensitive material.
Choose whether the document will be available offline, when the device is not communicating with AirWatch.
Select whether to encrypt this document once it has been downloaded to the device.
Note: Encryption is recommended for all sensitive corporate material. Only documents that are considered public-facing
should be left unencrypted, if the administrator wishes to save processing time on devices while opening the document.
An unencrypted document that is also available offline is stored on the device without Secure Content Locker's
encryption.
Lastly, choose whether to allow annotating (commenting and marking up) of PDF documents.
Select a device ownership to send the document only to devices enrolled under that ownership category.
Assign the document to be deployed to one or more location groups. This is required.
Select the Deployment tab to specify advanced deployment options for the document.
Transfer Method - Select whether the document will be sent to the end-user at any time, or only when
the device is connected to Wi-Fi.
Download Type - Select On-Demand to allow the end-user to download the document when they want to, or
Automatic to send the document to the device as soon as it enrolls and downloads the Secure Content Locker
application.
Download Priority - The priority in which the file will download if queued with additional documents. For
instance, if two documents are waiting to be downloaded and they have different download priorities, the
higher priority document will download first.
Effective and Expiration Date - The dates on which the document will become available in, and disappear from, the
Secure Content Locker application.
Click the button to open the Content Locker Import Help Topic. From there, download the Content Locker
Import Template.
Enter all necessary information in the template and save it. Make sure to save as a .csv file.
To select a local copy of a document from your computer, enter the FilePathType (Column B) as filepath. To
have the document downloaded from a web address, enter http. Only reference web addresses you control, since the
file retrieved from that address is distributed to devices as-is.
All remaining columns contain fields that have been explained in the single document upload process.
When complete, save the file as a .csv and upload it using the Batch Import Form.
Managed By - The location group that can edit, add subcategories to, and delete the category.
To add a subcategory, click the button next to the parent category's name in the Categories View.
Managing Documents
There are several actions available on the Content Management page that an administrator can perform to manage the
content of the corporate Secure Content Locker:
Edit - Edit any of the details created during the process of adding a new document.
Add Version - If the document is updated, administrators can add a newer version of the document. End
users are automatically notified when there is a new version of a document.
View Devices - View a list of the devices that have currently downloaded this document.
Download - Download a local copy of the document to view.
Delete - Delete the document.
Best Practices
Create document categories before you begin uploading documents. Categories are selected during the upload
process but must be created separately.
To create a category, select the Categories setting on the Content Management page, or navigate to Content
Management -> Categories.
Administrators may wish to enable end-users to store and access content locally using third-party applications.
If permitted, end-users will be able to download and view a local copy of documents by selecting the
icon. Weigh this against the encryption and expiration controls described above, which do not follow a copy made in
another application.
Enable enhanced MDM functionality through AirWatch Software Development Kit (SDK) integration.
Integrating the AirWatch Secure Content Locker with the AirWatch SDK enables the Secure Content Locker to
detect compromised devices and communicate with the corporate MDM server.
Encourage end-users to enable GPS tracking. End-users can enable location services in the Secure Content Locker
settings to allow administrators to track and access GPS coordinates.
Email Management
AirWatch provides administrators with several options for configuring secure integration with corporate Email services. The
most robust and extensible solution is the AirWatch Secure Email Gateway, which allows the administrator to secure,
monitor and manage both the smart device fleet and corporate Email access, all from the AirWatch Web Console.
AirWatch simplifies and secures Email management by allowing the administrator to perform the following tasks:
Quickly monitor and troubleshoot Email server requests through the Secure Email Gateway Dashboard.
Gain visibility and control on top of the existing corporate Email infrastructure to ensure that corporate Email actions
are secure and compliant.
Create and edit Email Compliance rules, including blacklist and whitelist policies.
Control Email access for both managed devices and unmanaged devices:
For devices under AirWatch MDM, the data collected from the Secure Email Gateway can be correlated to the
device's existing record to show how the managed devices are interacting with your Email server.
For devices not under MDM, the data can be viewed on the dashboard to help the administrator track rogue
devices and gain a more complete picture of the mobile Email deployment.
Configure integration with a number of corporate Email services, including Gmail, Exchange, BPOS, Office 365, Lotus,
GroupWise 8.5+, and others.
Or, navigate to Profiles & Policies -> Compliance and select Email Compliance from the Available Views.
There are two categories of compliance policies: General Email Policies and Managed Device Policies. The screen displays a
list of the Current Compliance Policies.
The circles in the Active column indicate whether the policy is active (green circle) or inactive (red circle).
Click Save to finish editing a policy, or Reset to return the values to the last saved state.
Managed Device - Open the policy and specify whether to Allow or Block unmanaged devices that attempt to contact
the corporate Email server.
Mail Client - To allow or block specific mail clients:
Discovered - The mail clients that connect through the gateway but are not currently stored in the
database.
Select the Mail Client from the drop-down menu or choose Custom to enter a mail client.
Choose to either Allow or Block the specified mail client and type.
Specify the default policy (Allow or Block) for all other mail clients not currently listed (applies to all
known mail clients that are not currently listed in the policy).
Specify the default policy (Allow or Block) for all new or discovered mail clients (applies to all mail
clients that are not currently stored in the database). Blocking discovered clients by default means a client string
the gateway has never seen is denied until an administrator has reviewed it.
Click Save.
User - To block specific users from accessing corporate Email on their mobile devices:
AirWatch User Account - Select a registered device user from the AirWatch Web Console database.
Discovered - The users that connect through the gateway but are not currently stored in the
database.
Select Allow or Block as the default action for all other user names not currently listed.
Specify the default policy (Allow or Block) for all new or discovered user names not currently listed.
Inactivity - Open the policy and specify whether to Allow or Block unmanaged devices that attempt to contact
the mail server.
Compromised Devices - Open the policy and select whether to Allow or Block compromised devices that attempt to contact
the mail server.
Encryption Compliance - Open the policy and select whether to Allow or Block devices that attempt to contact the mail
server and do not have data protection enabled.
Select an option from the Platform and Model drop down menus.
Specify the default policy (Allow or Block) for all models not currently listed.
Operating System Compliance - Administrators may wish to block a particular version of a mobile device
Operating System that stresses the Email server due to a bug or other technical issues.
Select the Min OS (Minimum Operating System) and Max OS (Maximum Operating System).
Specify the default policy (Allow or Block) for all OS versions not currently listed.
To instantly apply the policy, click on the Provision Policy Changes button at the bottom of the Email
Compliance Policies page.
To access the Secure Email Gateway Dashboard, navigate to Dashboards -> Secure Email Gateway.
The basic Secure Email Gateway Dashboard is available as a view under the main dashboard, but it does not
contain the time interval view options or editing capabilities.
Device Activity - The total number of devices communicating through the gateway and the number of
blocked and allowed devices.
Devices - The total number of devices communicating through the gateway and the number of managed
and unmanaged devices.
Click on all or select a time interval to update the charts and grids with the time selection.
Select the Policy Override List View to view the current override status for all of the devices that are
communicating through the gateway.
This page also provides the ability to add, remove, or change an override to any of the devices listed.
Select a device from the grid to perform a policy override on that device.
Blacklist - Block the device regardless of any policies which may allow the device.
Default - Remove the device from the override list and apply the configured compliance policies to the
device.
Test mode allows mobile devices to communicate through the gateway even when restrictive compliance
policies are currently enabled. The dashboard displays the non-compliant reason code(s) for a device to
indicate all applicable restrictions if the test mode was not enabled.
To enable test mode, select the Enable Test Mode link on the dashboard.
When test mode is disabled, the compliance policies are applied again to each device that
communicates through the gateway. The dashboard displays the non-compliant reason code(s) for a
device to indicate all applicable restrictions that are now being applied. To disable test mode, select
the Disable Test Mode link on the dashboard.
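The following is an added example, not AirWatch code, showing how the Email compliance policies above (Managed Device, compromised, Encryption Compliance, Operating System, Mail Client and User), the Policy Override List and test mode combine for one device into an Allow/Block decision plus the reason codes the dashboard reports. The policy and device field names, the reason code strings, the sample devices and the Whitelist semantics (allow regardless of policy) are assumptions of this example.

```python
"""Added example (not AirWatch code): evaluates one device against a set of
Secure Email Gateway style compliance policies, the per-device override list
and test mode, returning the Allow/Block decision plus the reason codes the
dashboard would display. Policy and device field names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW, BLOCK = "Allow", "Block"


@dataclass
class Device:
    device_id: str
    managed: bool
    compromised: bool
    encrypted: bool              # data protection enabled
    os_version: Tuple[int, int]
    mail_client: str
    user: str


@dataclass
class EmailPolicies:
    unmanaged: str = BLOCK            # Managed Device policy for unmanaged devices
    compromised: str = BLOCK          # policy for compromised devices
    unencrypted: str = BLOCK          # Encryption Compliance policy
    min_os: Tuple[int, int] = (4, 0)
    max_os: Tuple[int, int] = (5, 1)
    os_in_range: str = ALLOW          # action for versions between Min OS and Max OS
    os_default: str = BLOCK           # default policy for OS versions not listed
    mail_clients: Dict[str, str] = field(default_factory=dict)
    mail_client_default: str = BLOCK  # default policy for mail clients not listed
    users: Dict[str, str] = field(default_factory=dict)
    user_default: str = ALLOW         # default policy for user names not listed


def evaluate(dev: Device, pol: EmailPolicies, overrides: Dict[str, str],
             test_mode: bool = False) -> Tuple[str, List[str]]:
    """Return (decision, reason_codes). Reason codes are collected even when
    the device is ultimately allowed, which is what test mode reports."""
    reasons: List[str] = []
    if not dev.managed and pol.unmanaged == BLOCK:
        reasons.append("UNMANAGED")
    if dev.compromised and pol.compromised == BLOCK:
        reasons.append("COMPROMISED")
    if not dev.encrypted and pol.unencrypted == BLOCK:
        reasons.append("NO_DATA_PROTECTION")
    in_range = pol.min_os <= dev.os_version <= pol.max_os
    if (pol.os_in_range if in_range else pol.os_default) == BLOCK:
        reasons.append("OS_VERSION")
    if pol.mail_clients.get(dev.mail_client, pol.mail_client_default) == BLOCK:
        reasons.append("MAIL_CLIENT")
    if pol.users.get(dev.user, pol.user_default) == BLOCK:
        reasons.append("USER")

    # Policy override list: Blacklist blocks regardless of the policies,
    # Whitelist (assumed semantics) allows regardless, Default applies them.
    override = overrides.get(dev.device_id, "Default")
    if override == "Blacklist":
        return BLOCK, ["OVERRIDE_BLACKLIST"] + reasons
    if override == "Whitelist":
        return ALLOW, reasons
    # Test mode: traffic passes, but the reason codes are still reported so the
    # administrator can see what will be restricted once test mode is disabled.
    if test_mode:
        return ALLOW, reasons
    return (BLOCK if reasons else ALLOW), reasons


# Constructed sample data.
POLICIES = EmailPolicies(mail_clients={"Apple-iPhone/9B176": ALLOW},
                         users={"contractor1": BLOCK})
OVERRIDES = {"dev-004": "Blacklist"}
DEVICES = [
    Device("dev-001", True, False, True, (5, 0), "Apple-iPhone/9B176", "jdoe"),
    Device("dev-002", False, False, True, (5, 0), "Apple-iPhone/9B176", "jdoe"),
    Device("dev-003", True, True, False, (3, 2), "UnknownClient/1.0", "contractor1"),
    Device("dev-004", True, False, True, (5, 0), "Apple-iPhone/9B176", "jdoe"),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.device_id, evaluate(d, POLICIES, OVERRIDES))
        print(d.device_id, "test mode:", evaluate(d, POLICIES, OVERRIDES, test_mode=True))
```

Run as-is to see that dev-002 is blocked only for being unmanaged, that dev-003 accumulates every reason code, that the Blacklist override on dev-004 wins over policies that would allow it, and that in test mode every device is allowed while the same reason codes are still reported.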
Best Practices
Use filter views and search to view devices in the Secure Email Gateway dashboard grid according to compliance
criteria.
The administrator can filter the devices displayed on the grid based upon override status. Select a filter to
view only Blacklisted, Whitelisted, or All devices.
The filter functionality provides the ability to search the grid within the displayed results.
To navigate to the Compliance page, select Profiles & Policies -> Compliance. From here, the administrator can create several
different types of compliance policies:
Note: Email compliance policies only apply when the Secure Email Gateway is installed in addition to the AirWatch Mobile
Device Management solution.
Compliance Engine
Application Compliance
Application compliance policies restrict access to unauthorized applications on corporate devices. Application
compliance policies allow the administrator to designate blacklisted applications and send a message or wipe the device
if AirWatch detects a blacklisted application. To create or edit an application compliance policy:
On the Compliance page, select the Application Compliance view on the left sidebar of the page:
Select Add
Type - The type of application compliance policy. Currently, the only option is Blacklist.
Platform - The device platform to which the application compliance policy will apply. Currently, the
only platform options are iOS and Android (or select All to apply the policy to both platforms).
Application Name - The name of the application for which you are creating a compliance rule.
Specifying the application ID will allow AirWatch to more accurately detect devices that have the
blacklisted application installed by identifying applications by the exact bundle ID rather than simply
searching for the application name as entered in the Application Name field.
Comments - Optionally enter a comment about the compliance policy to share with other Web
Console administrators (the comment will only appear in the Web Console).
Action - The administrative action that will automatically take place on any devices containing the
named application:
Send SMS - Choose the Message Type and enter the message text in the Message Body field.
Enterprise Wipe - Perform an Enterprise Wipe upon detection of an application compliance violation.
Wipe Device - Perform a Device Wipe upon detection of an application compliance violation.
Device Compliance
Device compliance policies can be created to perform administrative actions on managed devices when specific
device-based criteria are met. To create a device compliance policy:
On the Compliance page, select the Device Compliance view on the left sidebar of the page.
Choose one of the device compliance policy types from All Device Policies or Platform Specific Policies.
All Device Policies allows administrators to create and edit policies that apply to all devices regardless of platform. Some
platform specific policies are based on All Device Policies, so it is a good practice to create all device policies before
creating platform specific device compliance settings.
Compromised Device Settings - The Compromised Device Settings compliance policy applies to all devices
and allows the administrator to:
Perform actions (such as blocking access to profiles and applications) on all device types which have
not reported a compromised status or are detected as compromised (check the box to apply policy).
Flag the device as Out of Date if the device has not checked in for a set number of days and establish
Severity Levels based on the duration without check in.
The Severity Levels are defined in this box. To edit the rules for each Severity Level, do so in Platform
Specific Policies.
To define Severity Levels, enter the duration for each severity level and choose the metric (days, hours
or minutes) from the drop down menu.
Compromised Device Compliance - Perform platform specific actions on devices that have been flagged as
compromised. Currently, this feature only supports the iOS and Android platforms. To create or edit
Compromised Device Compliance policies:
Select the administrative actions to be performed when devices meet the specified criteria.
Compromised Status Out Of Date Level 1, Level 2, and Level 3 - Perform actions on iOS devices that are
Out of Date and fall under Severity Level 1, Severity Level 2, or Severity Level 3, as defined in
Compromised Device Settings (refer to All Device Policies above). To edit rules for Compromised Status
devices:
Select and open the desired Compromised Status Out of Date Level policy.
Choose the action (Send push notification, Send Email, Remove EAS profiles) and, if applicable, enter
the Push Notification or Email text.
Operating System Compliance - Perform actions on iOS devices that run a specific operating system version.
Select and open the compliance policy you wish to edit and click Add Blacklist Rule.
Specify the administrative actions to perform when the criteria are met:
Send SMS - Choose the Message Type and enter the message text in the Message Body field.
Enterprise Wipe - Perform an Enterprise Wipe upon detection of an operating system or model
compliance violation.
Wipe Device - Perform a Device Wipe upon detection of an operating system or model compliance
violation.
Privacy Policy
Administrators can set complex privacy policies within the AirWatch Web Console. These policies apply to specific device
ownership types within Location Groups (ownership types are: Corporate Dedicated, Corporate Shared, Employee
Owned, and Unassigned).
To access privacy policies, navigate to Configuration -> System Settings -> Device -> General -> Privacy.
For each privacy policy, administrators have three options for handling device information. The policies are defined
by a filled circle, half-circle, or an empty circle at the top of the screen.
Collect and Display - The information is collected by AirWatch and administrators will be able to view the
data.
Collect - The information is collected by AirWatch but administrators will not be able to view the data.
Move the mouse over the circle that matches up with the privacy policy and device ownership type. A small
popup menu will appear (as shown below) that displays the privacy setting options.
Click Save to finish the process and immediately apply the settings.
Commands Privacy
Additionally, the Commands section at the bottom of the page allows the Administrator to restrict certain commands
based on device ownership type.
A full circle indicates that a command is allowed, while an empty circle indicates that the command is
disabled.
Currently, the only Command that can be allowed or disallowed is Full Wipe.
Click Save to finish the process and immediately apply the settings.
Privacy Settings Note: The Privacy Settings explained above affect whether or not device and user information is
displayed both in the AirWatch Web Console and in the Self-Service Portal. Please be aware of the privacy settings in
place when navigating through user and device information (especially the pages explained in the following sections:
Device Information, Device Details, Remote Actions and Device Details Management)
Many of the Self-Service Portal and Device Wipe settings are determined by both Privacy settings and Role settings
(Users -> Admin Accounts). If multiple settings are in place, the strictest policy is enforced.
Secure Browser
The AirWatch Secure Browser application is available for all iOS devices. The Secure Browser provides a secure alternative to
Safari internet browsing. To configure the Secure Browser:
Select Device -> iOS -> Secure Browser from the navigation menu on the left to open up the settings page.
Security Settings
To change the basic Security Settings for the Secure Browser, select Security at the top of the page:
Disable copy-paste - Restricts end-users from copying any content from websites viewed via the Secure
Browser.
Disable Printing - Restricts end users from printing any content from websites viewed via the Secure
Browser.
Accept Cookies - This drop down menu specifies the default policy (Always or Never) for accepting cookies
from websites viewed via the Secure Browser.
Operation Mode
To change the Operation Mode for the Secure Browser, select Mode at the top of the page:
Restricted - Restricted mode specifies that users can only access certain websites (whitelisted) in the
Secure Browser or it instructs the browser to block certain websites (blacklisted) in the Secure Browser.
Kiosk Mode
Enter the URL of the desired homepage in the Kiosk Homepage field.
Return Home After Inactivity - Check this box to require the Secure Browser to return to the Kiosk
Homepage after a period of inactivity.
Restricted Mode
Restricted mode allows the administrator to allow or deny access to certain websites. Select either Allow or Deny:
Allow stipulates that the Secure Browser can only access the specified (whitelisted) URLs.
Deny causes the Secure Browser to block only the specified URLs; all other sites will be allowed.
To add websites to Allowed Site URLs or Denied Site URLs, click on the plus icon.
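As an added illustration of the Allow and Deny semantics above (this is example code, not the Secure Browser's own matching logic), the block below decides whether a requested URL may load under each mode. It takes the host from a parsed URL and compares it label by label, so an entry such as example.com covers intranet.example.com but not a lookalike host that merely contains the string; the naive substring check is included only for contrast. The list entry format (bare host or full URL) is an assumption.

```python
"""Added example (not AirWatch code): Restricted-mode Allow/Deny site list
matching for a requested URL. Host names are compared as whole labels
(exact or subdomain), never as substrings."""
from typing import Iterable
from urllib.parse import urlsplit


def entry_host(entry: str) -> str:
    """Accept either a bare host ('intranet.example.com') or a full URL
    (assumed entry formats for Allowed/Denied Site URLs)."""
    if "://" in entry:
        return urlsplit(entry).hostname or ""
    return entry


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().lstrip("*.").rstrip(".")
    return bool(pattern) and (host == pattern or host.endswith("." + pattern))


def url_in_site_list(url: str, site_list: Iterable[str]) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # non-web schemes and relative references never match a list
    return any(host_matches(parts.hostname, entry_host(e)) for e in site_list)


def secure_browser_allows(url: str, mode: str, site_list: Iterable[str]) -> bool:
    """mode 'Allow': only the specified (whitelisted) sites load;
    mode 'Deny': only the specified (blacklisted) sites are blocked."""
    listed = url_in_site_list(url, site_list)
    if mode == "Allow":
        return listed
    if mode == "Deny":
        return not listed
    raise ValueError("mode must be 'Allow' or 'Deny'")


def naive_allows(url: str, site_list: Iterable[str]) -> bool:
    """The substring check this example argues against, kept for contrast:
    it treats any URL containing the entry text as listed."""
    return any(entry in url for entry in site_list)


if __name__ == "__main__":
    allowed = ["example.com"]
    for u in ("https://intranet.example.com/portal", "https://example.com.evil.test/"):
        print(u, "strict:", secure_browser_allows(u, "Allow", allowed),
              "naive:", naive_allows(u, allowed))
```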
Best Practices
To provide maximum security and data protection for both end-users and the managing enterprise, privacy settings
work in conjunction with Role Configuration. In order to ensure that the configured privacy settings are correctly
implemented, it is recommended that you make a note of the following role settings:
User Role Settings (Users -> User Accounts -> Roles) control display of user and device data in the Self-Service
Portal.
Administrator Role Settings (Users -> Admin Accounts -> Roles) control the display of user and device data in
the Web Console, and control the ability to perform a full device wipe.
Be consistent when deploying multiple compliance or passcode policies; if multiple policies are in place, the most
restrictive policy is enforced.
For a top-level view of the status of device compromised, passcode, and encryption policy compliance, navigate to
the Dashboard (Dashboards -> Dashboard) and select Device Compliance from the Available Views.
To more efficiently manage bulk Email accounts, use lookup values whenever possible.
For maximum Email security, use Email profiles in conjunction with the AirWatch Secure Email Gateway.
From here, there are several key pieces of functionality that administrators can use to leverage AirWatch reporting capabilities:
Generating Reports
Administrators can create custom reports on the fly through AirWatch Web Console. To generate a custom report:
Select a pre-defined report template from the list and then click the View button.
Specify all of the report parameters. Required fields are indicated with a red mark.
Select a pre-defined report template from the list and then click the Add to My Reports button.
From now on the report will be accessible from the My Reports View on the left side of the Reports page for
quick access.
Select a pre-defined report template from the list and then click the Subscribe button.
General Information - The name of the subscription, the email subject, etc.
Report Parameters - The parameters defining the scope and options of the report.
Distribution List - The recipients who will receive the custom report whenever the subscription is executed.
Execution Schedule - The time and schedule at which the custom report is generated.
Click Save.
Search Assistance Tools - The Report Category Dropdown and Search Box at the top of the reports page make
finding particular reports very simple.
Report Samples Tool - To view a sample output from a particular report, click the Sample Button.
Report Export Tool - To export a report in one of several formats, use the Export Bar on a custom generated
report.
Alerts
Alerts provide administrators with the ability to receive immediate notifications when specific events occur across the
managed smart device fleet. They consist of two components:
A Creation Policy that describes the criteria that must be met to trigger the alert.
A Routing Policy that describes which devices are being monitored, when, and who will receive the alert.
Creation Policies
To create a new creation policy:
Navigate to Reports & Alerts -> Alert Setup -> Creation Policy.
If any policies are similar to the policy that needs to be created, try editing the policy by selecting the
icon on the left of the row.
Select Add Alert Creation Policy at the bottom to open the Alert Creation Policy Form.
Description - The name of the creation policy that will be displayed in the Web Console.
Resource - The type of resource that is going to be monitored. Select Device to monitor the smart
device fleet.
Attribute - The parameter that will be used to determine whether the alert should go off or not.
Comparison Operator - The comparison operator to test whether the attribute will set off an alert.
Value - The value that will set off the alert when (Attribute) <Comparison Operator> (Value) = True.
Duration - The duration that the alert will last before stopping.
Routing Policies
To create a routing policy:
Navigate to Reports & Alerts -> Alert Setup -> Routing Policy.
Select Add Alert Routing Policy to open up the Alert Routing Policy Form.
Creation Policy - The creation policy that will trigger this alert to go off.
Location Group - The location group that contains the devices that are being monitored for the
creation policy criteria.
Location - The location that contains the devices that are being monitored for the creation policy
criteria. Default is Any.
Equipment - Any specific equipment that is being monitored for this creation policy. Default is Any.
Device - Any specific devices that are being monitored for this creation policy. Default is Any.
Sample Time and Sample Days - The date and time at which this policy is tested on the selected
devices.
Severity & Priority - Metrics to organize alerts in terms of priority and severity for administrative
purposes.
Consolidation Window - The period of time in which only one alert will occur from multiple triggers
of the same creation policy. All alerts that occur within the consolidation window of one another and
stem from the same creation and routing policy are consolidated into a single alert.
Role Alerting - Select Add Role and enter a role and location group so that any administrator with
the listed role / location group combination will receive this alert.
User Alerting - Select Add User and enter an admin user so that they will receive this alert.
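The creation policy test (Attribute, Comparison Operator, Value) and the routing policy's consolidation window, as an added example in code rather than anything taken from the AirWatch product: a creation policy is evaluated against sampled device records, and triggers that fall within the consolidation window of the first trigger in a group are folded into one alert. Anchoring the window on the first trigger of a group is this example's reading of "within the consolidation window of one another"; the sample records, the record field names and the recipient list are constructed.

```python
"""Added example (not AirWatch code): an alert creation policy tested against
sampled device records, with the routing policy's consolidation window folding
repeated triggers into one alert. The sample records are constructed."""
import operator
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Any, Dict, List

COMPARISONS = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
}


@dataclass
class CreationPolicy:
    description: str
    resource: str          # "Device" to monitor the smart device fleet
    attribute: str         # device parameter to test
    comparison: str        # key of COMPARISONS
    value: Any             # alert fires when (attribute) <comparison> (value) is true


@dataclass
class RoutingPolicy:
    creation_policy: str            # description of the creation policy it routes
    consolidation_window: timedelta
    recipients: List[str]           # admin users / roles that receive the alert


def triggers(policy: CreationPolicy, record: Dict[str, Any]) -> bool:
    """Evaluate the creation policy against one sampled device record."""
    if record.get("resource") != policy.resource or policy.attribute not in record:
        return False
    return COMPARISONS[policy.comparison](record[policy.attribute], policy.value)


def route_alerts(samples: List[Dict[str, Any]], creation: CreationPolicy,
                 routing: RoutingPolicy) -> List[Dict[str, Any]]:
    """Return consolidated alerts. Triggers within the consolidation window of
    the first trigger in a group (assumed semantics) are merged into that
    alert; a trigger outside the window opens a new one."""
    alerts: List[Dict[str, Any]] = []
    group_start = None
    for rec in sorted(samples, key=lambda r: r["sampled_at"]):
        if not triggers(creation, rec):
            continue
        ts = rec["sampled_at"]
        if group_start is not None and ts - group_start <= routing.consolidation_window:
            alerts[-1]["devices"].append(rec["device_id"])
            continue
        group_start = ts
        alerts.append({
            "description": creation.description,
            "first_seen": ts,
            "devices": [rec["device_id"]],
            "recipients": list(routing.recipients),
        })
    return alerts


# Constructed sample input: device records sampled during one morning.
def _t(hhmm: str) -> datetime:
    return datetime(2012, 2, 14, int(hhmm[:2]), int(hhmm[2:]))


SAMPLES = [
    {"resource": "Device", "device_id": "dev-001", "compromised": False, "sampled_at": _t("0900")},
    {"resource": "Device", "device_id": "dev-002", "compromised": True, "sampled_at": _t("0905")},
    {"resource": "Device", "device_id": "dev-003", "compromised": True, "sampled_at": _t("0920")},
    {"resource": "Device", "device_id": "dev-004", "compromised": True, "sampled_at": _t("1045")},
]
COMPROMISED_POLICY = CreationPolicy("Compromised device detected", "Device", "compromised", "=", True)
ROUTING = RoutingPolicy("Compromised device detected", timedelta(minutes=30), ["secadmin"])

if __name__ == "__main__":
    for alert in route_alerts(SAMPLES, COMPROMISED_POLICY, ROUTING):
        print(alert)
```

With a 30 minute window the triggers at 09:05 and 09:20 become one alert naming both devices, while the 10:45 trigger opens a second alert.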
Viewing Alerts
Once alerts have been created, they can be viewed from:
Device Details Page - View alerts by device that triggered the alert.
Best Practices
To enable the highest level of control and security over distribution of report information across the enterprise,
edit role-based access to reports by navigating to Users -> User Accounts -> Add Role. Report Access is enabled or
disabled by checking the boxes under Resource Categories.
Enterprise Integration
AirWatch has extensive capabilities to help corporations easily integrate the AirWatch solution with existing enterprise
systems. AirWatch's enterprise integration allows users to authenticate using enterprise directory service credentials and
provides even deeper integration with enterprise systems through the use of device management APIs. These APIs can be
integrated into third party or internal applications for an added level of security and management.
Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
System Authentication
The Authentication page enables the integration of the AirWatch server with a corporate directory services server to
provide directory based admin account access. When creating user accounts, settings can be identical or different
(explained in the next section). To configure LDAP or AD integration:
LDAP Server Type - Select LDAP for any type of server other than Active Directory.
Encryption Type - Select the type of encryption used for directory services communication. The default is None.
Port - Enter the TCP port used to communicate with the directory services server. The default for unencrypted DS
communication is 389. Only SaaS environments allow SSL encrypted traffic using port 636 (AirWatch SaaS IP range:
205.139.50.0/23).
Verify SSL Certificate - Select the check box to receive SSL errors when the encryption type is None.
Protocol Version - Select the version of the LDAP protocol in use. Active Directory uses LDAP versions 2 or 3.
Bind Authentication Type - Select the type of bind authentication that is used in order for the AirWatch server to
communicate with the directory services server.
Bind Username & Password - Enter the credentials to authenticate with the directory server. This account has
read access permission on your directory server and binds the connection when authenticating the users.
Base DN - Use this field as a test for the connection and to select one of your directory server's base paths.
Default Domain - The default domain for any directory based user accounts. If only one domain is used for all directory
user accounts, fill in the field with the domain so that users are authenticated without explicitly stating their
domain.
User Search Filter - Enter the search parameter used to associate user accounts with Active Directory accounts.
The recommended format is <LDAPUserIdentifier>={EnrollmentUser} where <LDAPUserIdentifier> is the parameter
used on the directory services server to identify the specific user.
The section below will describe how these user account authentication types can be configured to enable use of each security
mechanism.
Ensure that you are on the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.
Check Directory to expand the Directory Authentication menu and enter all appropriate fields.
Use Console LDAP Settings - Check this to use the LDAP settings that have been configured for Admin
Accounts that log into the Web Console. These settings are configured at System Settings -> System ->
General -> Authentication.
LDAP Server Type - Select LDAP for any type of server other than Active Directory.
Encryption Type - The type of encryption used for directory services communication. Default is None.
Port - The TCP port used to communicate with the directory services server. Default for unencrypted
DS communication is 389.
Verify SSL Certificate - Uncheck this box to ignore SSL errors when the encryption type is other than
None.
Protocol Version - The version of the LDAP protocol that is being used. Active Directory uses LDAP
versions 2 or 3.
Bind Authentication Type - Select the type of bind authentication that must be used for the AirWatch
server to communicate with the directory services server.
Resolve DN from User Domain - Check this box to resolve the DN field in the directory services server
from the domain associated with the specific AD user account requesting access. If the bind
authentication type is a static username and password or anonymous, this field will have no effect.
Default Domain - The default domain of any directory based user accounts. If only one domain is
used for all directory user accounts, populate this field with the domain so that users can authenticate
without explicitly stating their domain.
User Search Settings - The search parameter used to associate user accounts with Active Directory
accounts. The recommended format is <LDAPUserIdentifier>={EnrollmentUser} where
<LDAPUserIdentifier> is the parameter that is used on the directory services server to identify the
specific user.
Search LDAP Users as Database Users - Select to search the LDAP users from the database users list.
Use Integrated Authentication - Select to use Windows Authentication to search the database.
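The user search filter format <LDAPUserIdentifier>={EnrollmentUser}, recommended both for the Web Console authentication settings and for the enrollment Directory settings above, substitutes a name typed by the enrolling user into an LDAP search filter. The block below is an added example, not AirWatch code, of doing that substitution with the enrollment user name escaped as RFC 4515 requires, so that characters with meaning in a filter cannot alter the search, together with a review of the connection settings listed above (Encryption Type, Port, Verify SSL Certificate, Bind Authentication Type). The setting names passed to the review function and the outer parentheses added around the filter are assumptions of this example.

```python
"""Added example (not AirWatch code): builds the recommended user search
filter <LDAPUserIdentifier>={EnrollmentUser} with the enrollment user name
escaped per RFC 4515, and reviews the directory connection settings.
Setting names are assumptions modelled on the console fields."""
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    backslash, '*', '(', ')', NUL and every non-ASCII byte become \\XX hex escapes."""
    out = []
    for ch in value:
        raw = ch.encode("utf-8")
        if ch in "\\*()\x00" or len(raw) > 1:
            out.append("".join("\\%02x" % b for b in raw))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_filter(user_search_filter: str, enrollment_user: str) -> str:
    """Substitute the {EnrollmentUser} lookup value into the configured filter,
    e.g. 'sAMAccountName={EnrollmentUser}', and wrap it in the outer parentheses
    an LDAP filter requires (the wrapping is an assumption of this example)."""
    if "{EnrollmentUser}" not in user_search_filter:
        raise ValueError("user search filter must contain {EnrollmentUser}")
    if not enrollment_user:
        raise ValueError("empty enrollment user")
    body = user_search_filter.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))
    return "(" + body + ")"


def review_directory_settings(s: Dict[str, object]) -> List[str]:
    """Flag combinations of the settings above that weaken the directory link."""
    findings = []
    enc = str(s.get("encryption_type", "None"))
    port = int(str(s.get("port", 389)))
    if enc == "None":
        findings.append("Encryption Type is None: the bind credentials and every user "
                        "password checked at enrollment cross the network in cleartext")
    if enc == "None" and port == 636:
        findings.append("port 636 is the SSL port but Encryption Type is None")
    if enc != "None" and port == 389:
        findings.append("Encryption Type is set but port 389 is the unencrypted default")
    if enc != "None" and not s.get("verify_ssl_certificate", True):
        findings.append("Verify SSL Certificate is off: the directory server's certificate "
                        "is not checked, so any host answering on that port is trusted")
    if s.get("bind_authentication_type") == "Anonymous":
        findings.append("anonymous bind: the directory must permit unauthenticated searches")
    return findings


if __name__ == "__main__":
    print(build_user_search_filter("sAMAccountName={EnrollmentUser}", "jdoe"))
    print(build_user_search_filter("sAMAccountName={EnrollmentUser}", "j*doe"))
    for f in review_directory_settings({"encryption_type": "None", "port": 389}):
        print("finding:", f)
```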
Ensure that you are on the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.
Check Authentication Proxy to expand the Authentication Proxy menu and enter all appropriate fields.
Authentication Proxy URL - The URL of the Authentication Proxy Server that prompts the user with
HTTP or EAS authentication.
Authentication Method Type - The type of Authentication Proxy endpoint. All types other than EAS
endpoints should select HTTP Basic.
Ensure that you are on the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.
Check SAML 2.0 to expand the SAML 2.0 menu and enter all appropriate fields.
Import Identity Provider Settings - This feature allows the administrator to import SAML metadata
obtained from the Identity Provider.
Uploading this XML file sets some of the configuration options shown in the SAML settings page, and
most importantly, this file includes the identity provider's public key certificate, which is required for
AirWatch to trust the identity provider.
SAML Binding Type - This value determines how the identity provider and AirWatch exchange
messages.
SAML can be configured to allow the intermediate browser to POST the entire message, or it can send
only a token known as an artifact that represents the data, and then the identity provider will contact
the sender to obtain the message through a process called artifact resolution.
Identity Provider ID - This value specifies a URI that the identity provider uses to identify itself.
AirWatch checks authentication responses to verify that the identity matches the ID provided here.
Service Provider ID - This value specifies a URI with which AirWatch identifies itself to the identity
provider. This value must match the ID that has been configured as trusted by the identity provider.
IDP SSO Post/Artifact - These values specify the identity provider URLs that AirWatch uses to send
requests for each binding type. This value is set automatically from the imported metadata.
IDP Artifact Resolution URL - This value specifies the URL at the identity provider that AirWatch uses
to resolve an artifact response to obtain the actual response message. This value is set automatically
from the imported metadata.
Service Provider Assertion URL - This value specifies the AirWatch URL which should be configured by
the identity provider to direct its authentication responses. Assertions regarding the authenticated
user are included in success responses from the identity provider.
Service Provider Logout URL - This value specifies an AirWatch URL to use for single logout. This
feature is not currently supported in AirWatch 5.16.
Service Provider Error URL - This value specifies an AirWatch URL for displaying an error in the SAML
authentication process. This value can be left blank.
Identity Provider Logout URL - This value specifies an identity provider's URL to use for single logout.
This feature is not currently supported in AirWatch 5.16. This value is set automatically from the
imported metadata.
NameID Format - This value specifies the format in which the identity provider should send a NameID
for an authenticated user. This value is not required as AirWatch will obtain the username from the
FriendlyName uid required attribute.
Ignore SSL Errors - This value specifies whether or not AirWatch should check SSL trust for the identity
provider. If SSL errors are ignored, AirWatch will communicate with the identity provider regardless of
any SSL trust issues.
Validate Identity Provider Certificate - This value specifies whether or not AirWatch should check if
authentication responses are signed with the expected identity provider certificate. This value is only
required when using POST as the identity provider may not sign responses using artifact responses.
Identity Provider Certificate - The identity provider's public key certificate. This value is set
automatically from the imported metadata.
Authentication Request Security - This value specifies whether or not AirWatch should sign
authentication request messages. This value must be set in order to upload a service provider
certificate.
Service Provider Certificate - A private key certificate used by AirWatch to sign SAML requests and to
decrypt responses.
Export Service Provider Settings - This feature allows AirWatch's SAML metadata to be exported to be
supplied to the identity provider. Similar to the Import Identity Provider Settings, this feature allows
the identity provider to import AirWatch's SAML metadata to build trust.
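To show what Import Identity Provider Settings extracts from the metadata and how the trust options above relate to each other, here is an added example (not AirWatch code) that parses a constructed identity provider metadata document into the fields listed above (Identity Provider ID, IDP SSO Post/Artifact, IDP Artifact Resolution URL, Identity Provider Logout URL, Identity Provider Certificate) and then reviews the SAML Binding Type, Validate Identity Provider Certificate and Ignore SSL Errors settings together. The metadata document, its URLs and the certificate value are constructed placeholders; the setting names are assumptions.

```python
"""Added example (not AirWatch code): parses identity provider SAML metadata
of the kind imported by Import Identity Provider Settings into the console
fields it sets, then reviews the binding / certificate / SSL trust settings.
The metadata document and the certificate value are constructed placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml/ars" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def import_identity_provider_settings(metadata_xml: str) -> Dict[str, Optional[str]]:
    """Map the metadata onto the console fields that are set automatically."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    settings: Dict[str, Optional[str]] = {
        "identity_provider_id": root.get("entityID"),
        "idp_sso_post": None,
        "idp_sso_artifact": None,
        "idp_artifact_resolution_url": None,
        "identity_provider_logout_url": None,
        "identity_provider_certificate": None,
    }
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST:
            settings["idp_sso_post"] = sso.get("Location")
        elif sso.get("Binding") == ARTIFACT:
            settings["idp_sso_artifact"] = sso.get("Location")
    ars = idp.find("md:ArtifactResolutionService", NS)
    if ars is not None:
        settings["idp_artifact_resolution_url"] = ars.get("Location")
    slo = idp.find("md:SingleLogoutService", NS)
    if slo is not None:
        settings["identity_provider_logout_url"] = slo.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                settings["identity_provider_certificate"] = "".join(cert.text.split())
                break
    return settings


def review_saml_settings(binding: str, validate_idp_certificate: bool,
                         ignore_ssl_errors: bool, idp_certificate: Optional[str]) -> List[str]:
    """Findings for the trust-related SAML options described above."""
    findings = []
    if not idp_certificate:
        findings.append("no Identity Provider Certificate: AirWatch cannot trust the identity provider")
    if binding == POST and not validate_idp_certificate:
        findings.append("POST binding without Validate Identity Provider Certificate: the signature "
                        "on responses delivered through the user's browser is not checked")
    if ignore_ssl_errors:
        findings.append("Ignore SSL Errors is on: SSL trust for the identity provider is not checked")
    return findings


if __name__ == "__main__":
    imported = import_identity_provider_settings(SAMPLE_IDP_METADATA)
    for k, v in imported.items():
        print(k, "=", v)
    print(review_saml_settings(POST, False, True, imported["identity_provider_certificate"]))
```

With the POST binding the response travels through the user's browser, so certificate validation is what ties it to the identity provider; with the artifact binding the response is fetched over the back channel, where the SSL trust check on the artifact resolution URL plays that role, which is why both options appear in the review.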
Navigate to the Certificate Authorities settings by selecting Configuration -> System Settings -> Device -> General ->
Certificate Authorities.
The Certificate Authorities page allows the AirWatch server to integrate with Microsoft CA, AirWatch CA, or SCEP
certificate services servers. Regardless of the integration type, there are two steps required to configure certificate
integration:
First, configure the Certificate Authority in AirWatch. On the Certificate Authorities page, select Add
to open up the Certificate Authority Form.
Server - The server address of the CA server. The CA server needs to be in IP or domain name format
(mycompany.local.com).
Authority Name - Refers to the actual name of the instance of the CA on the CA server.
Use Passthrough Authentication - Passthrough authentication uses the service account running
AirWatch to authenticate with the CA server.
This setting should be left off unless the AirWatch server is on the same domain as the enterprise CA
and the service account running AirWatch is a domain administrator.
Admin Username & Password - The username and password to authenticate with the CA server. The
username and password need to have the correct permissions on the CA server for the certificate
template being used.
Allow child location groups to use this certificate authority - Check the box to allow inheritance by
child location groups.
Authority Type - The type of certificate authority. For Direct CA integration, choose either:
After the Certificate Authority is configured, configure the Certificate Template so that AirWatch can request a
certificate from the Certificate Authority. To configure a Certificate Template for Direct Certificate Authority integration:
Select Add
Distinguished Name - The fully qualified distinguished name of the certificate. This field supports the
lookup values used in AirWatch so that the certificate name can be unique per user/device in
AirWatch (for example, CN={EnrollmentUser}).
The distinguished name supports both Crypto API and Netscape formats. The only field required to
create a certificate is the Common Name (CN). The distinguished name should reflect what the
certificate will be authenticating against.
Private Key Length - The private key length should match the length of the private key on the
certificate template being used on the CA.
Compatibility note: Shorter lengths will be more compatible with older technology and operating
systems.
Private Key Type - Determines the type of private key in direct CA integration.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one.
The CA and Certificate Template must support this option in order for it to work.
Template Name - Enter a Template name so this certificate template can be used in the future. The
Template Name will only be used within the AirWatch Web Console.
Store in Active Directory - Enable this option to attempt to store the generated certificate in AD
based on the Common Name chosen in the Distinguished Name.
For example, if CN=ADUser, the AirWatch Software will attempt to store the certificate into ADUser.
In order to use this option, AirWatch must be part of your domain and the service account running
AirWatch will need to be a domain administrator.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority:
First, the Additional Attributes field specifies the Certificate Template on the Certificate Authority. Use
CertificateTemplate to specify which template to use (for example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the template you would like
to use).
Second, the Additional Attributes field allows you to add relevant additional attributes.
When you enter the additional attributes, separate them from the CertificateTemplate with a
backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes
field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
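The Distinguished Name and Additional Attributes fields above are templates filled from lookup values at request time. The block below is an added example, not AirWatch code, that renders both for one enrolling user, splits the Additional Attributes on the backslash-n separator into the CertificateTemplate and any further attributes such as SAN, checks that the Common Name is present, and warns when the Private Key Length is short. The template configuration, the lookup values and the 2048-bit threshold in the warning are this example's own; the page only notes that shorter keys are more compatible with older systems.

```python
"""Added example (not AirWatch code): renders a Distinguished Name and the
Additional Attributes field with lookup values and checks the result before a
certificate request would be sent to the CA. Field names and the sample
lookup values are constructed."""
import re
from typing import Dict, List, Tuple

LOOKUP = re.compile(r"\{([A-Za-z]+)\}")


def render_lookup(template: str, values: Dict[str, str]) -> str:
    """Replace {LookupName} tokens such as {EnrollmentUser}; unknown names are an error."""
    def repl(m):
        name = m.group(1)
        if name not in values:
            raise KeyError("no lookup value for {%s}" % name)
        return values[name]
    return LOOKUP.sub(repl, template)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=jdoe,OU=Mobile,DC=example,DC=test' into (type, value) pairs;
    a comma escaped with a backslash stays inside its value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def parse_additional_attributes(field_value: str) -> Dict[str, str]:
    """Entries are separated by the backslash-n sequence typed in the console;
    a real newline is accepted too. Each entry has the form Name:Value."""
    attrs: Dict[str, str] = {}
    for entry in re.split(r"\\n|\n", field_value):
        if not entry.strip():
            continue
        name, sep, value = entry.partition(":")
        if not sep:
            raise ValueError("attribute without ':' separator: %r" % entry)
        attrs[name.strip()] = value.strip()
    if "CertificateTemplate" not in attrs:
        raise ValueError("Additional Attributes must name the CertificateTemplate")
    return attrs


def build_certificate_request(template: Dict[str, object],
                              lookups: Dict[str, str]) -> Dict[str, object]:
    """Resolve a certificate template configuration for one enrolling user/device."""
    subject = parse_dn(render_lookup(str(template["distinguished_name"]), lookups))
    if not any(t == "CN" for t, _ in subject):
        raise ValueError("the Common Name (CN) is the one required field")
    raw_attrs = parse_additional_attributes(str(template["additional_attributes"]))
    attrs = {k: render_lookup(v, lookups) for k, v in raw_attrs.items()}
    key_length = int(str(template["private_key_length"]))
    warnings = []
    if key_length < 2048:
        # Shorter keys are more compatible with old devices, but RSA keys under
        # 2048 bits are below current minimum recommendations (added note).
        warnings.append("private key length %d is below 2048 bits" % key_length)
    return {"subject": subject, "attributes": attrs,
            "key_length": key_length, "warnings": warnings}


# Constructed sample template and lookup values.
SAMPLE_TEMPLATE = {
    "distinguished_name": "CN={EnrollmentUser},OU=Mobile,DC=example,DC=test",
    "private_key_length": 2048,
    "additional_attributes": r"CertificateTemplate:MobileUser\nSAN:Email Address={EmailAddress}",
}
SAMPLE_LOOKUPS = {"EnrollmentUser": "jdoe", "EmailAddress": "jdoe@example.test"}

if __name__ == "__main__":
    print(build_certificate_request(SAMPLE_TEMPLATE, SAMPLE_LOOKUPS))
```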
SCEP Integration
The first step in configuring AirWatch integration with a corporate SCEP services server is to configure the Certificate
Authority. The second step is to configure the Certificate Template. To configure the Certificate Authority:
SCEP: Configure the Certificate Authority
Select Add to open a new Certificate Authority Form or select the edit button (if applicable) to
edit an existing certificate.
Server URL - The web address of the certificate enrollment URL. This is usually in the format of .EXE
or .DLL depending on the SCEP provider. Below are two examples:
Authority Name In SCEP integration this field is used by AirWatch to distinguish these settings.
Use Passthrough Authentication: Passthrough authentication uses the service account running AirWatch to authenticate with the SCEP server. Leave this setting off unless the AirWatch server is on the same domain as the SCEP server and the service account running AirWatch is a domain administrator.
Admin Username & Password: Username and password used to authenticate with the SCEP server. The account needs the correct permissions on both the SCEP server and the certificate template being used.
Allow child location groups to use this certificate authority: Check to allow inheritance by child location groups.
Authority Type: The type of certificate authority; select Simple Certificate Enrollment Protocol (SCEP) from the drop-down menu.
Max Retries When Pending: The maximum number of times AirWatch resends a SCEP enrollment request that is still pending. The standard value is 5.
Retry Timeout: The time, in minutes, after which a pending SCEP request is treated as timed out. The recommended value is 30.
Challenge Type: Determines how AirWatch authenticates to the certificate enrollment URL.
  o Static Challenge is a single key or password that always authenticates to the certificate enrollment URL.
  o Dynamic Challenge has AirWatch pull a challenge key or password from the SCEP provider at request time.
  o No Challenge means no challenge is required. This usually indicates an unsecured SCEP endpoint: anyone who can reach the enrollment URL can request a certificate from it. It applies only in rare circumstances.
SCEP Provider: The SCEP provider determines the rest of the configuration and which challenge options are available.
If MSCEP is the SCEP provider, the following options appear. Some options vary with the selected Challenge Type:
SCEP Challenge Phrase (Static Challenge Only): Enter the password or key provided by the SCEP server.
SCEP Username Is Required (Dynamic Challenge Only): Check this box if the dynamic challenge web address requires user authentication for access.
SCEP Challenge Length (Dynamic Challenge Only): Enter the challenge length provided by the SCEP provider.
SCEP Challenge URL (Dynamic Challenge Only): The web address of the challenge URL. For MSCEP 2003, the challenge URL is the same as the web enrollment URL.
SCEP Username & Password: Username and password used to authenticate with the SCEP challenge URL. The account needs the correct permissions on both the SCEP server and the certificate template being used.
If VeriSign is the SCEP provider, the following options appear. Some options vary with the selected Challenge Type:
SCEP Challenge Phrase (Static Challenge Only): Enter the password or key provided by the SCEP server.
Verisign Passcode Post URL (Dynamic Challenge Only): Enter the dynamic challenge URL. It should look like https://onsite-admin.verisign.com/OnSiteHome.htm.
Verisign DNS Post Fix (Dynamic Challenge Only): Enter the domain under which the relevant mPKI account was registered. For example, if the account was registered with mycompany.com, enter .mycompany.com.
Verisign Certificate Name (Dynamic Challenge Only): Displays the uploaded certificate used to authenticate with the VeriSign cloud.
New Certificate File and Certificate Password (Dynamic Challenge Only): Upload a new certificate into the SCEP configuration for authentication with the VeriSign cloud.
SCEP Provider: Basic
Use the Basic option when the provider is neither VeriSign nor Microsoft. For the Basic option to work, the provider must support Static Challenge (Dynamic Challenge is not available with Basic) and implement the standard SCEP protocol. Selecting the Basic SCEP Provider option requires the following field:
SCEP Challenge Phrase (Static Challenge Only): The password or key provided by the SCEP server.
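Before configuring a Basic provider it is worth checking what the SCEP endpoint actually advertises. The following is an added example, not AirWatch code or part of this guide: it builds the GetCACaps query defined by the SCEP specification (RFC 8894), parses the plain-text reply, and flags a server that offers only legacy algorithms or lacks POSTPKIOperation. The server URL and the two reply bodies are constructed for the example.

```python
"""Check what a SCEP endpoint advertises before using it as a Basic provider.

Added example, not AirWatch code. The GetCACaps operation and capability
keywords come from the SCEP specification (RFC 8894); the server URL and
the two reply bodies below are constructed for this example.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Capability keywords the specification defines. Anything else in a reply
# is ignored rather than trusted.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}
STRONG_DIGESTS = ("SHA-512", "SHA-256")

# Constructed replies: one from a server that implements the current
# specification, one from a legacy server that advertises almost nothing.
MODERN_REPLY = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
LEGACY_REPLY = "Renewal\n"


def getcacaps_url(server_url, ca_name=None):
    """Return the GET URL for the GetCACaps operation against server_url.

    server_url is the enrollment URL entered in the console (a .dll or .exe
    endpoint); ca_name, if given, is sent in the message parameter.
    """
    parts = urlsplit(server_url)
    query = {"operation": "GetCACaps"}
    if ca_name:
        query["message"] = ca_name
    query_string = urlencode(query)
    if parts.query:
        query_string = parts.query + "&" + query_string
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query_string, ""))


def parse_getcacaps(body):
    """Return the set of known capability keywords in a GetCACaps reply.

    The reply is plain text, one keyword per line. It is not signed, so an
    attacker on the path can make the server look weaker than it is; treat
    the result as something to verify, not as a security decision.
    """
    return {line.strip() for line in body.splitlines() if line.strip() in KNOWN_CAPS}


def assess(caps):
    """Pick the algorithms a client would use with this server and list the
    weaknesses a Basic provider configuration would inherit."""
    warnings = []
    digest = next((d for d in STRONG_DIGESTS if d in caps), None)
    if digest is None:
        # Without a SHA-2 keyword the client falls back to SHA-1, or to MD5,
        # the digest the original SCEP drafts assumed.
        digest = "SHA-1" if "SHA-1" in caps else "MD5"
        warnings.append("no SHA-2 digest advertised; client would fall back to " + digest)
    if "AES" in caps:
        cipher = "AES"
    else:
        cipher = "DES3" if "DES3" in caps else "DES"
        warnings.append("AES not advertised; PKCS#7 envelope would use " + cipher)
    if "POSTPKIOperation" not in caps:
        warnings.append("POSTPKIOperation missing; PKCSReq would be sent in a GET query string")
    if "SCEPStandard" not in caps:
        warnings.append("SCEPStandard not advertised; provider may not implement the full protocol")
    return {"digest": digest, "cipher": cipher, "warnings": warnings}


if __name__ == "__main__":
    print(getcacaps_url("http://scep.example.com/certsrv/mscep/mscep.dll", "CA"))
    for name, reply in (("modern", MODERN_REPLY), ("legacy", LEGACY_REPLY)):
        print(name, assess(parse_getcacaps(reply)))
```

Fetch the URL that getcacaps_url returns with a browser or curl and pass the body to parse_getcacaps. A provider that produces warnings for the legacy reply is one the Basic option will still talk to, but the certificates it issues will have been requested under the weaker algorithms it advertises.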
Once the Certificate Authority is configured, configure the Certificate Template so that AirWatch can request a certificate from the Certificate Authority:
Select Add.
Distinguished Name: The fully qualified distinguished name of the certificate. This field supports the AirWatch lookup values, so the certificate name can be unique per user or device (for example, CN={EnrollmentUser}). The distinguished name supports both Crypto API and Netscape formats. The only field required to create a certificate is the Common Name (CN). The distinguished name should reflect what the certificate will be authenticating against.
Private Key Length: Should match the key length set on the certificate template being used on the CA.
  o Compatibility note: Shorter lengths are more compatible with older devices and operating systems, but they are correspondingly weaker; 2048 bits is the usual minimum for new RSA keys, so do not go below what the template and your policy allow.
Private Key Type: For all SCEP providers this determines the private key usage; the default is always Signing & Encryption.
  o For MSCEP integration, the private key type determines which template (specified on the SCEP server) will be used.
Template Name: Enter a template name so this certificate template can be reused later. The Template Name is used only within the AirWatch Web Console.
Store in Active Directory: Enable this option to attempt to store the generated certificate in AD on the account object named by the Common Name in the Distinguished Name. For example, if CN=ADUser, AirWatch will attempt to store the certificate on the ADUser object. To use this option, the AirWatch server must be joined to the local domain and the service account running AirWatch must be a domain administrator. Because that grants the service account administrative rights over the whole domain, enable the option only where storing certificates in AD is actually required.
Additional Attributes: Determines additional attributes of the request, such as a Subject Alternative Name:
  o For example, the Additional Attributes field could be set to SAN:Other Name={UserPrincipalName}.
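Both Additional Attributes descriptions in this section (the CA template's CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress} and the SCEP template's SAN:Other Name={UserPrincipalName}) and the Distinguished Name field take lookup values that AirWatch substitutes per user. The following is an added example, not AirWatch code: it performs that substitution and parsing offline so the resulting attributes can be inspected before a template goes live, and it refuses lookup values that contain a field delimiter, since a directory value such as a UPN that carried a backslash-n or a comma would otherwise add a SAN or an RDN of its own. The sample lookup values are constructed, and how AirWatch itself escapes substituted values is not described in the guide.

```python
"""Expand and check the Distinguished Name and Additional Attributes fields.

Added example, not AirWatch code. Assumptions: lookup values are written
{Name}; the Additional Attributes field separates entries with the literal
two characters backslash n, as the guide describes; the sample lookup
values below are constructed. The guide does not say how AirWatch escapes
substituted values, so this example refuses a value that contains a
delimiter instead of trying to escape it.
"""
import re

LOOKUP_RE = re.compile(r"\{([A-Za-z]+)\}")
ATTR_SEPARATOR = "\\n"  # a backslash followed by the letter n, not a newline

# Constructed values standing in for what the console substitutes for one
# enrolling user.
SAMPLE_LOOKUP = {
    "EnrollmentUser": "jdoe",
    "EmailAddress": "jdoe@example.com",
    "UserPrincipalName": "jdoe@corp.example.com",
}

# A directory-sourced value containing one of these could add an attribute
# (Name:Value entries) or an RDN (TYPE=value pairs) of its own.
ATTR_DELIMITERS = (ATTR_SEPARATOR, "\n", "\r", ":")
DN_DELIMITERS = (",", "=", "+", ";", "\\", '"', "\n", "\r")


def substitute(template, lookup, delimiters):
    """Replace each {Name} in template with lookup[Name].

    Raises KeyError for a lookup value the template uses but lookup lacks,
    and ValueError for a value that contains one of the delimiters.
    """
    def replace(match):
        name = match.group(1)
        if name not in lookup:
            raise KeyError("unknown lookup value {%s}" % name)
        value = lookup[name]
        for delim in delimiters:
            if delim in value:
                raise ValueError("lookup value {%s} contains delimiter %r" % (name, delim))
        return value
    return LOOKUP_RE.sub(replace, template)


def parse_additional_attributes(field, lookup, require_template):
    """Expand lookup values, then split the field into a Name -> Value dict.

    require_template is True for the CA-side template, where the field must
    carry CertificateTemplate, and False for the SCEP-side template, where
    it carries only extras such as a SAN.
    """
    expanded = substitute(field, lookup, ATTR_DELIMITERS)
    attributes = {}
    for entry in expanded.split(ATTR_SEPARATOR):
        if ":" not in entry:
            raise ValueError("entry %r is not Name:Value" % entry)
        name, value = entry.split(":", 1)
        attributes[name.strip()] = value.strip()
    if require_template and "CertificateTemplate" not in attributes:
        raise ValueError("CertificateTemplate entry is missing")
    return attributes


def parse_distinguished_name(dn, lookup):
    """Expand lookup values in a comma-separated (Crypto API style) DN and
    split it into RDNs.

    Returns a list of (TYPE, value) pairs in order. CN is the only RDN the
    guide requires, so its absence is an error.
    """
    expanded = substitute(dn, lookup, DN_DELIMITERS)
    rdns = []
    for part in expanded.split(","):
        if "=" not in part:
            raise ValueError("RDN %r is not TYPE=value" % part)
        rdn_type, value = part.split("=", 1)
        rdns.append((rdn_type.strip().upper(), value.strip()))
    if not any(rdn_type == "CN" for rdn_type, _ in rdns):
        raise ValueError("distinguished name has no CN")
    return rdns


if __name__ == "__main__":
    print(parse_distinguished_name("CN={EnrollmentUser},OU=Mobile,O=Example", SAMPLE_LOOKUP))
    print(parse_additional_attributes(
        "CertificateTemplate:TemplateName\\nSAN:Email Address={EmailAddress}", SAMPLE_LOOKUP, True))
    print(parse_additional_attributes("SAN:Other Name={UserPrincipalName}", SAMPLE_LOOKUP, False))
```

Rejecting rather than escaping is the conservative choice here: the values come from the directory, not from the administrator typing the template, and the field is later interpreted by the CA, whose escaping rules the console may or may not apply.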
Advanced Wi-Fi, VPN, and EAS configurations can use certificates for authentication in place of simple passwords, giving stronger protection against unauthorized access. AirWatch can automatically distribute these authentication certificates to devices and configure the device for Wi-Fi, VPN, or EAS access without any user interaction.
An overview of the process is as follows:
Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a profile for the appropriate platform (iOS or Android for these capabilities).
  o If you are using a single static certificate shared by all devices, you may skip this step and simply upload the certificate into AirWatch for distribution. Note that a shared certificate cannot be revoked for one device without revoking it for all of them.
Fill out all general profile settings, then choose either Credentials or SCEP depending on the type of CA you configured earlier.
From either page, specify the parameters that select the certificate to be used for Wi-Fi, VPN, or EAS authentication.
  o If you are using a static certificate that does not depend on the user, choose Upload as the credential source and upload the certificate.
  o If you are generating a certificate per user or device from a CA, make sure the credential source is Defined Certificate Authority and choose the proper certificate template.
Once you have completed the Credentials or SCEP payload settings, do not Save and Publish yet. Select another payload in this profile for Wi-Fi, VPN, or EAS, depending on what the certificate is used for.
Specify all settings for the chosen payload. Ensure that the authentication type uses a certificate and that the certificate deployed in the Credentials or SCEP payload is the one selected.
  o If the connection requires the device to trust the issuing CA (typically an internal certificate authority), also upload a CA root trust certificate and select it in the payload.
For additional information or assistance configuring certificates with AirWatch, contact AirWatch Support.
S/MIME is the standard for public-key signing and encryption of email. AirWatch can automatically distribute certificates and configure email or Exchange ActiveSync to use S/MIME signing and encryption without any user interaction.
An overview of the process is as follows:
Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a profile for the appropriate platform (iOS 5 devices only).
  o If you are using a single static certificate shared by all devices, you may skip this step and simply upload the certificate into AirWatch for distribution. For S/MIME this means every device holds the same decryption key, so per-user certificates are the normal choice.
Fill out all general profile settings, then choose either Credentials or SCEP depending on the type of CA you configured earlier.
From either page, specify the parameters that select the certificate to be used for S/MIME signing or encryption.
  o If you are using a static certificate that does not depend on the user, choose Upload as the credential source and upload the certificate.
  o If you are generating a certificate per user or device from a CA, make sure the credential source is Defined Certificate Authority and choose the proper certificate template.
Once you have completed the Credentials or SCEP payload settings, do not Save and Publish yet. Select another payload in this profile for Email or EAS, depending on your type of email infrastructure.
Specify all settings for the chosen payload and ensure that Use S/MIME is checked. Also ensure that the certificate selected in the Credentials or SCEP payload is the one used for signing or encryption, as shown.
For additional information or assistance configuring certificates with AirWatch, contact AirWatch Support.
Email Integration
Email (SMTP)
Email messages sent from the administrator console are transmitted through the corporate email gateway defined in the Email (SMTP) settings menu. Users can receive email notifications for a variety of reasons, including:
Report subscriptions
Device messages
The following fields should be defined on the Email (SMTP) settings screen:
Enable SSL: If checked, the AirWatch server communicates with the corporate email server over SSL. The default value is false (unchecked). If credentials are required and SSL is left disabled, the SMTP username and password, and the messages themselves, cross the network in cleartext.
Port: The port on which the AirWatch server connects to the corporate email server. The default port is 25.
Requires Credentials: If checked, the corporate email server requires SMTP authentication. The username and password fields are not required if authentication is not enabled.
Timeout in Seconds: The time, in seconds, before the connection between the corporate email server and the AirWatch server times out.
Senders Name: The name of the sender displayed on any messages sent from the AirWatch server.
Senders Email Address: The email address of the sender displayed on any messages sent from the AirWatch server.
SMS Integration
Similar to Email (SMTP), this page enables the SMS messaging capabilities of the Web Console. To enable this functionality, administrators must first purchase a CellTrust account, which provides authentication to the CellTrust SMS Gateway.
If an account is available, enter the following fields:
If using AirWatch in the cloud, setting up an EIS endpoint lets you integrate any of the above systems behind your corporate firewall without VPN tunnels and without opening firewall ports to each target system.
Configuring EIS
To configure EIS you need:
A server reachable from AirWatch SaaS (allow inbound requests to port 443 from 205.139.50.0/23 only).
Internal access to the systems to integrate (connections configured in the corresponding System Settings).
An admin account for EIS. Ensure the account's role has the Allow Remote Access permission, located under Remote Services Security.
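The inbound firewall rule above is what keeps the EIS endpoint from being reachable by the whole internet, so it is worth verifying from the server's own logs. The following is an added example, not AirWatch code: it reads W3C extended log records (the format IIS writes), checks each hit on port 443 against the 205.139.50.0/23 range, and lists anything else. The log lines, the column selection and the /EIS/api/ path are constructed for the example.

```python
"""List hits on the EIS endpoint that did not come from the AirWatch SaaS range.

Added example, not AirWatch code. The 205.139.50.0/23 range and port 443
are the values the guide gives for the inbound firewall rule. The log
records are constructed in the W3C extended format IIS writes; the column
selection and the /EIS/api/ path are assumptions for the example.
"""
import ipaddress

AIRWATCH_SAAS = ipaddress.ip_network("205.139.50.0/23")
EIS_PORT = 443

# Constructed records. 205.139.50.17 and 205.139.51.200 are inside the /23;
# 205.139.52.1 is just past its upper edge and must be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip s-port cs-method cs-uri-stem sc-status
2012-02-14 09:15:02 205.139.50.17 443 POST /EIS/api/ 200
2012-02-14 09:15:09 205.139.51.200 443 POST /EIS/api/ 200
2012-02-14 09:16:41 198.51.100.23 443 POST /EIS/api/ 401
2012-02-14 09:17:03 205.139.52.1 443 POST /EIS/api/ 403
2012-02-14 09:18:55 203.0.113.9 80 GET /EIS/api/ 404
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #Fields: %r" % line)
        yield dict(zip(fields, values))


def unexpected_sources(text, allowed=AIRWATCH_SAAS, port=EIS_PORT):
    """Return (c-ip, s-port, sc-status) for every record whose source lies
    outside the allowed range or that reached a port other than the EIS
    port. An empty list means the firewall rule is doing its job."""
    findings = []
    for record in parse_w3c(text):
        source = ipaddress.ip_address(record["c-ip"])
        server_port = int(record["s-port"])
        if server_port != port or source not in allowed:
            findings.append((record["c-ip"], server_port, int(record["sc-status"])))
    return findings


if __name__ == "__main__":
    for hit in unexpected_sources(SAMPLE_LOG):
        print("unexpected: %s -> port %d (status %d)" % hit)
```

A 401 or 403 from an unexpected source shows that EIS's own HTTP or certificate authentication held, but the request should never have reached the server at all; a 200 from such a source means both the firewall rule and the authentication need attention.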
For installation, use either the files available for download from the System Settings page or files received from AirWatch Support. The Enterprise Integration section of System Settings is configured automatically when EIS is installed behind your firewall. Use these settings if you need to adjust anything after EIS has initialized the configuration, or if the automated process cannot be followed. To begin EIS configuration:
Select Certificate for message-level encryption over HTTPS, or add HTTP authentication with a username and password that can be set here and adjusted on the EIS server's configuration page.
Enable or disable the services that AirWatch should integrate with through EIS.
Note: AirWatch SaaS already offers email delivery using SMTP, but you can also enable EIS to use your own SMTP server (using the details entered under System Settings, Email (SMTP)).
Using the Advanced option, you can restore regular (direct) integration that does not use EIS by disabling certain portals, including:
Device Services
Self-Service Portal
Note: The thumbprint of the certificate generated during auto-configuration is shown here; it can be cleared and renewed if needed.
If EIS is unable to connect to the API during installation, generate an encrypted configuration script:
Export the settings for the EIS server (this prompts you to set a password).
Download the XML file and import it into the EIS configuration (this configures the EIS server automatically).
The most common example of an integrating system is the AirWatch Secure Email Gateway. To monitor and control a Secure Email Gateway from a specific location group, an API certificate is required during the installation process.
Enter the password into the New Certificate Password field, then click Generate Client Certificate. The API certificate is now available.
To use the API certificate in an integrating system (such as the Secure Email Gateway), export it: re-enter the certificate password and click Export Client Certificate. The certificate is now ready for use on your computer and in the integrating system. Protect the exported file: it must carry the private key for the integrating system to authenticate to the API, so anyone who obtains it and the password can do the same.
Best Practices
As part of the initial AirWatch system setup, administrators must configure several core system settings (in the System Settings page of the Web Console) that enable integration between the AirWatch server and corporate infrastructure. These settings should not be changed once they are configured.