
AirWatch Admin Guide

For AirWatch 5.17

2011 AirWatch, LLC. All Rights Reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance
with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by
the express permission of AirWatch, LLC.
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

AirWatch Admin Guide | v.2012.02 | February 2012


Copyright 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Table of Contents
Systems Overview
  AirWatch Solution Overview
  System Requirements
  Web Console Overview

Setting Up Your MDM Environment
  Overview
  Enabling iOS MDM Support
  Location Groups
  Admin Accounts
  User Accounts
  Device Registration
  Language Management
  Best Practices

Device Management
  Overview
  Dashboard Navigation
  Device Control Panel
  Device Search
  Device Details
  Device Details Management
  End User Self-Service
  Retiring a Device
  Best Practices

Profile Management
  Profiles Page
  Creating Profiles
  Device Profile Capabilities
  Profile Descriptions
  Creating Wi-Fi Profiles in Bulk
  Best Practices

Application Management
  Enabling the AirWatch App Catalog
  Recommending Public Applications
  Deploying Internal Enterprise Applications
  Managing Apple VPP Application Orders
  Best Practices

Content Management
  Publishing an Individual Document
  Publishing Documents in Bulk
  Creating Document Categories
  Managing Documents
  Best Practices

Email Management
  Email Compliance Policies
  Email Gateway Dashboard
  Best Practices
  Compliance Engine
  Privacy Policy
  Secure Browser

Reports and Alerts
  Reports
  Alerts
  Best Practices

Enterprise Integration
  Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
  User Account & Device Authentication
  Certificate Infrastructure Integration
  Email Integration
  SMS Integration
  Enterprise Integration Service
  Using the AirWatch API
  Best Practices


Systems Overview
AirWatch Solution Overview
AirWatch offers complete mobility management by enabling organizations to easily leverage and secure the latest mobile
device technology by providing a comprehensive, cross-platform solution for mobile device management.

The AirWatch Web Console provides a central location for administrators to manage smart device fleets regardless of
operating system, carrier, network or location.

From the AirWatch Web Console, administrators can manage any mobile device from anywhere in the world.

System Requirements
The following system requirements should be met before using the AirWatch MDM solution.

Supported Browsers
AirWatch is certified to run on the following web browsers:

Internet Explorer 8+

Firefox 3.x+

Google Chrome 11+

Safari 5.x

Comprehensive platform testing has been performed to ensure functionality while using these web browsers. The
AirWatch Web Console may still function in non-certified browsers.

Supported Devices
AirWatch currently supports the following devices:

Android versions 2.2 and above

Blackberry versions 5 and above

iOS versions 4.0 and above

Symbian OS ^3, and S60

Windows Mobile 5/6, and Windows CE 4/5

Windows Phone 7 and 7.5 Mango

Note: Limited support may be available for other devices/Operating Systems. Contact AirWatch Support for more
information.

Technical Requirements
Technical requirements vary depending on whether you are using AirWatch's SaaS or On-Premise solutions. For more details
on technical requirements, please refer to the AirWatch Requirements documents for installation and deployment.


Web Console Overview


Logging into the Web Console
AirWatch provides administrators with a Web Console URL, username, and password. If you do not have this
information, please contact AirWatch support. Once you have the appropriate credentials, log into AirWatch Web
Console by:

Navigating to the provided URL

Entering in the provided username and password

Navigation Overview
Smart device management with AirWatch is centralized in AirWatch Web Console. Here, administrators have the ability
to manage, monitor, and secure their devices through any browser, anywhere in the world without having to download
or install any additional software.
The Web Console pages are categorized according to their specific device management purpose. The pages can all be
found in the drop down menu found in the upper left hand corner of the Web Console:

From this menu (shown above) administrators can quickly navigate to all of the key pages described below.


Dashboard
The Dashboard page is used to manage and monitor devices from top-level groups, down to individual devices.

Reports and Alerts


The reporting page allows administrators to generate custom reports about the status of their device fleet, configure
automatic report subscriptions, and store common reports for future usage. Administrators can also create unique alert
policies to provide immediate notification when a device is compromised or enters another unfavorable state.


Profiles and Policies: Profiles


The profiles page allows administrators to create, edit, and remove all of the corporate profiles that are sent over-the-air
to the smart device fleet. These profiles allow devices to automatically receive corporate data such as Wi-Fi
connections, passcode and restrictions policies, corporate Email and calendars, the AirWatch App Catalog, and other
custom data.

Profiles and Policies: Compliance


The compliance page is where administrators can designate rich security policies for their device fleet so that specific
actions can take place when devices fail to meet compliance rules. There are three types of compliance rules that can
be selected: application, device, and Email.


Apps
The applications page provides a centralized interface for administrators to recommend public applications and deploy
internal applications to the smart device fleet.

Content
The content management pages allow administrators to upload and manage content for secure deployment to the
smart device fleet.


Users
The User Accounts and Admin Accounts pages provide the tools for developing a smart device fleet.

The Admin Accounts page is used to add, modify, or delete AirWatch administrators who use the Web Console
to manage the device fleet.

Lastly, the User Accounts page is used to add, modify, or delete end users of managed devices.

Device
The Device Search and Bulk Management pages allow you to quickly locate a device or manage groups of devices by
name, platform, group, or other criteria.


Configuration
The Configuration pages provide a Location and Groups page where the administrator can add, delete or modify the
device grouping structure as needed. The System Settings page provides a centralized location for all of the
configurable settings for initial environment setup and for ongoing customization for end-users and for the AirWatch
Web Console.

Advanced
The Administrator can edit more advanced options, including language settings, custom field definitions, and device
groups in the Advanced Pages.


Setting Up Your MDM Environment


Overview
There are a few administrative actions to perform before the end-users can enroll their devices under AirWatch MDM. The
Administrator must first establish the organizational hierarchy for the device fleet by creating three things:

Location Groups to define the different areas of your corporate hierarchy that will manage and utilize MDM.

Admin Accounts to provide Web Console access to all of the administrators of the smart device fleet.

User Accounts to associate corporate users with their managed devices

Enabling iOS MDM Support


Also, in order to manage iOS devices under any MDM platform, your company must first generate an APNs certificate before
you begin.

The Apple Push Notification service (APNs) is used to allow AirWatch or any other MDM vendor to securely
communicate to your devices over-the-air (OTA).

Each organization needs its own APNs certificate to ensure a secure mechanism for its devices to
communicate across Apple's push notification network.

AirWatch uses your APNs certificate to send notifications to your devices when the Administrator requests information or
during a defined monitoring schedule. No data is sent through the APNs server, only the notification.

To find out more about how your business can generate and upload an APNs cert for iOS mobile device management, please
navigate to http://www.air-watch.com/solutions/apple-ios#generate-apns to watch the supporting video or download the
supporting document.


Location Groups
Within large enterprises, IT departments have to meet the requirements of different users across functional, organizational or
geographical groups. The AirWatch solution to this requirement for multi-tenancy is location groups and locations.
Administrators can create rich location group structures that align with the corporate hierarchical structure to provide
customizable and scalable MDM solutions to corporate users.

Therefore, with an evolving corporate structure comes the need to create additional location groups and locations. The steps
below outline the process of creating a location group and associated location:

Creating Location Groups


To create a location group:

Navigate to Configuration > Locations & Groups.

Select a Parent Location Group from the list.

The parent location group is the location group that is one hierarchical level up from the one that is being
added. Once complete, the new group will be listed a level below the parent group.


Select Add Child Location Group to open the new location group form.

Fill in required location group information:

Location Group Name: The display name for the location group that will be shown in the Web Console.

Group ID: The activation code used by a device to enroll into this location group. This dictates which
profiles, applications, and policies the device inherits, based on what is configured at this location
group. The administrator will need to provide end-users with their group ID in order to complete the
enrollment process.

Check the Add Default Location box, and fill in the required default location information:

Internal Name: The unique name that will be internally used to define this location.

Display Name: The display name of the location that will be shown in the Web Console.

When complete, click Save to create the new location group and location.

Modifying and Deleting Location Groups


Location Group Details provide the ability to modify and delete the location group information including the Group ID.
Navigate to Configuration > Locations & Groups.

Choose the Location Group you wish to modify or delete


Ensure that you have the Location Group Details tab selected, and then modify any of the fields listed
below.

Location Group Name: The display name for the location group that will be shown in the Web
Console.

Group ID: The activation code used by a device to enroll into this location group. This dictates which
profiles, applications, and policies the device inherits, based on what is configured at this
location group. The administrator will need to provide end-users with their group ID in order to
complete the enrollment process.

Location Group Type/Country/Locale: Used for internal classification only.

Default Location: The default location is where devices are automatically assigned when enrolled in
the location group.

To save your modifications choose Save.

To delete the location group choose Delete

Note: To delete a location group, there must not be any child location groups below it. If there are,
delete all child groups from the lowest level up, until you are able to delete the original group.


Additional Location Group Details


The administrator can also set several additional fields to provide additional information to the location groups. These
fields have no effect on the operation of the location groups, but can be used to provide additional detailed information
for logging purposes.
Locations are an organizational unit into which enrolled devices are placed. By default, each Location Group will have at
least one Location, known as the default location.

Note: Without a default location, no devices will be able to enroll at that specific location group!

Location types provide the ability to classify Locations based on the corporate structure (for internal use in the
AirWatch Web Console).

Location Status provides the ability to classify whether a Location is active or will be in the future (for internal use in the
AirWatch Web Console).
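
The two location group rules described above (a location group without a default location cannot accept enrollments, and a location group can only be deleted once its child groups are gone) can be checked against a planned hierarchy before changes are made in the Web Console. The following Python code is an added example, not AirWatch code and not an AirWatch API; the LocationGroup structure, the function names, and the sample hierarchy are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class LocationGroup:
    """Hypothetical in-memory model of one location group (not an AirWatch type)."""
    name: str
    group_id: str                            # activation code used at enrollment
    default_location: Optional[str] = None   # None means no default location is set
    children: List["LocationGroup"] = field(default_factory=list)


def walk(group: LocationGroup) -> Iterator[LocationGroup]:
    """Yield the group and every group below it, parents before children."""
    yield group
    for child in group.children:
        yield from walk(child)


def find(root: LocationGroup, name: str) -> Optional[LocationGroup]:
    """Return the group with the given display name, or None if it is absent."""
    for group in walk(root):
        if group.name == name:
            return group
    return None


def groups_blocking_enrollment(root: LocationGroup) -> List[str]:
    """Names of groups with no default location; devices cannot enroll there."""
    return [g.name for g in walk(root) if not g.default_location]


def deletion_order(group: LocationGroup) -> List[str]:
    """Order in which groups must be deleted to remove `group`.

    A group with child groups cannot be deleted, so the children are
    removed from the lowest level up and the target group comes last.
    """
    order: List[str] = []
    for child in group.children:
        order.extend(deletion_order(child))
    order.append(group.name)
    return order


# Constructed sample hierarchy (all names and Group IDs are made up).
SAMPLE = LocationGroup(
    "Global", "GLOBAL", "HQ",
    children=[
        LocationGroup(
            "EMEA", "EMEA01", "EMEA Default",
            children=[
                LocationGroup("Germany", "DE01"),           # no default location
                LocationGroup("France", "FR01", "Paris"),
            ],
        ),
        LocationGroup("Americas", "AMER01"),                # no default location
    ],
)


if __name__ == "__main__":
    print("Cannot accept enrollments:", groups_blocking_enrollment(SAMPLE))
    emea = find(SAMPLE, "EMEA")
    print("Delete in this order to remove EMEA:", deletion_order(emea))
```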


Admin Accounts
Management of the smart device fleet often requires several administrators to have access to the AirWatch Web Console, and
it may be necessary to add or remove administrative accounts. The Web Console provides an easy way to create and manage
multiple administrative accounts.

Creating Administrative Accounts


Navigate to Users > Admin Accounts.

Select a Location Group in the upper left hand corner. This will be the default location group for this administrator
account.

Select the highest level of access that the admin will need. Once logged in, they will have access to all
child location groups that are listed below the one selected.

Click the Add User button and fill in the required fields.

Input a Username and Password for the admin account

Check the Require password change at next login box to force the administrator to change their password after
the first time they log in.

Fill in the additional Basic Information fields:

First Name, Last Name & Email: The name and Email address of the administrator.

Primary Role: The primary role determines the level of permissions that the new administrator will have.
For instance, if the administrator is a helpdesk operator, then a Helpdesk role with limited access may be
the best fit. The roles are configured separately from administrative accounts.

Default Landing Page: The first page that an administrator will view after authenticating into the Web
Console. To change this field, clear the contents and begin typing the name of any Web Console page.

Fill in any additional Details or Notes that will only be visible in the Web Console.

Once complete, click Save to create the new administrative account.


Creating Admin Account Roles


Admin roles allow your business to control the security and permissions of your MDM administrators by restricting
access to components of the AirWatch Web Console. You may directly control the administrator's access by creating a
new role or editing an existing role. To create or edit admin account roles:

Navigate to Users > Admin Accounts.

Select Roles in the bottom left corner to edit an existing role or create a new one.

Click Add Role and fill in the form.

Name/Description: Choose a descriptive role name so that the role can be easily assigned to a user.

On the left you can select resource categories to define the levels of access that will be available for
different components of the AirWatch Web Console.

You can also click on the name of the resource category to view a list of resources available for each
category on the right.

To quickly locate resources of a specific type, use the search bar in the upper right-hand corner.

When complete, choose Save and the new role will now be available to assign to administrators.

User Accounts
User accounts are utilized by end-users of AirWatch to associate devices to their respective corporate users. AirWatch
recommends that for each end-user, an associated user account is created for full scalability. Therefore, as corporate smart
device fleets expand, administrators will need to create additional user accounts regularly. Administrators can quickly
configure and manage user accounts directly in the AirWatch Web Console on the User Accounts Page.

User Account Types


User accounts can be configured in a number of different ways depending on your business requirements, deployment
model, and enterprise infrastructure. The following section will describe the different configurations, and the sections
below will detail how to create user accounts of each type.

Basic authentication can be utilized by any AirWatch architecture, but offers no integration to existing
corporate user accounts.

Pros: Can be used for any deployment method, requires no technical integration, requires no
enterprise infrastructure

Cons: Credentials only exist in AirWatch and do not necessarily match existing corporate credentials.
Offers no federated security or single sign-on. AirWatch stores all username & passwords.

Active Directory / LDAP authentication is utilized to integrate user and admin accounts of AirWatch with
existing corporate accounts. However, because this requires the AirWatch server to be in direct contact
with a corporate domain controller, this is typically only recommended for on-premise architectures.

Pros: End-users now authenticate with existing corporate credentials. Secure method of integrating
with LDAP / AD for On-Premise deployments. Standard integration practice.

Cons: Requires an AD or other LDAP server. Only used for On-Premise deployments.

Active Directory / LDAP authentication with AirWatch Enterprise Integration Service provides the same
functionality as traditional AD/LDAP authentication, but allows this model to function across the cloud for
SaaS deployments. The Enterprise Integration Service also offers a number of other integration capabilities
as shown below.

Pros: End-users authenticate with existing corporate credentials. Only requires a single firewall port
opened between the EIS server and AirWatch SaaS (port 443). Transmission of credentials is encrypted
and secure. Also offers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP,
SMTP servers.

Cons: Requires the Enterprise Integration Service to be installed behind the firewall or in a DMZ.
Additional configuration.

Authentication Proxy is an AirWatch proprietary solution delivering directory services integration across
the cloud or across hardened internal networks. In this model, the AirWatch MDM server communicates
with a publicly facing web server or an Exchange ActiveSync Server that is able to authenticate users
against the domain controller. This method can only be used when organizations have a public-facing web
server with hooks into the corporate domain controller.

Pros: Offers a secure method to integrate with AD/LDAP across the cloud. End-users can authenticate
with existing corporate credentials. Lightweight module that requires minimal configuration.

Cons: Requires a public facing web-server or an Exchange ActiveSync server with ties into an AD/LDAP
server. Only feasible for specific architecture layouts. Much less robust solution than EIS.

SAML 2.0 authentication is a new solution that offers single sign-on support and federated authentication;
AirWatch never receives any corporate credentials. If an organization has a SAML Identity Provider
server, SAML 2.0 integration is recommended.

Pros: Offers single sign-on capabilities, authentication with existing corporate credentials, and
AirWatch never receives corporate credentials in plain-text.

Cons: Requires corporate SAML Identity Provider infrastructure.



Creating Basic End Users


Navigate to Users > User Accounts.

Select a home Location Group in the upper left hand corner.

Select the highest level location group under which the user needs to enroll. They will be able to enroll
in all location groups listed below this group if the user enters the appropriate Group ID (Group ID is
configured in Configuration > Locations & Groups > Location Group Details) during the enrollment
process.

Select

Fill in the required and optional fields of the Add/Edit User Form.

Security Type: The type of authentication to be used for this particular user.

Basic: The default authentication option that uses a basic username and password combination as
determined by this form.

Authentication Proxy: Authenticate with directory based credentials by validating against a proxy
server instead of a corporate domain controller. This is the recommended solution for directory based
authentication across the cloud for SaaS customers.

Directory: Authenticate with corporate LDAP or AD credentials by validating against a corporate
domain controller.

SAML: Authenticate using corporate Security Assertion Markup Language (SAML) credentials.

User Name & Password: The username and password credentials that the user will enter during the
enrollment process to enroll their corporate devices. The administrator must provide the end-users
with this information.

Select whether to Enable Device Staging - A user with device staging enabled will be able to stage
enrollment for other users such that John Doe could enroll himself, and then personally enroll Jane
Doe and John Smith's devices for them.

Select a Message Type for the user to receive notifying them that they can now enroll their devices
under AirWatch MDM. Typically, this is where administrators will provide end-users with the necessary
enrollment credentials (Enrollment URL, Group ID, username and password).

Click Save to complete the user account, or Save and Add Device to complete the user account and
enter in basic details for the user's device (device registration).


Creating End Users via LDAP / Active Directory


Before end-users can be created using LDAP / Active Directory, the AirWatch MDM server must be configured and
integrated with the LDAP / AD server. To do this, please see User Account & Device Authentication.
Once Directory authentication has been configured, administrators can create Directory-Based User Accounts by:

Navigating to Users -> User Accounts

Selecting [icon] to open the Add User Form

Select Directory as the security type

Enter in all basic fields.

Asterisks denote a required field

Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.

Fill in the User Principal Name if the User Search Setting described in the Directory Authentication
Configuration will not resolve this user account.

By default, these two fields do not need to be configured except under special circumstances.

Select Save to complete the process.


Creating End Users via Authentication Proxy


Before end-users can be created using Authentication Proxy, the AirWatch MDM server must be configured and integrated
with the public facing web server or EAS server. To do this, please see User Account & Device Authentication.
Once Authentication Proxy authentication has been configured, administrators can create Authentication Proxy-Based
User Accounts by:

Navigating to Users -> User Accounts

Selecting [icon] to open the Add User Form

Select Authentication Proxy as the security type

Enter in all basic fields.

Red stars denote a required field

Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.

Select Save to complete the process.


Creating End Users via SAML


Before end-users can be created using SAML 2.0, the AirWatch MDM server must be configured and integrated with the
SAML Identity Provider server. To do this, please see User Account & Device Authentication.
Once SAML authentication has been configured, administrators can create SAML Secured User Accounts by:

Navigating to Users -> User Accounts

Selecting [icon] to open the Add User Form

Select SAML as the security type

Enter in all basic fields.

Asterisks denote a required field

Fill in the Domain field if the user belongs to a domain other than the default domain, or if no default
domain was specified.

By default, this field does not need to be configured except under special circumstances.

Select Save to complete the process.


Creating End Users in Bulk


To save the time and effort of importing your MDM end-users into the AirWatch Web Console, administrators can upload
end-users in bulk through end-user batch import.
To create end-user accounts of any type (Basic, Directory based, or Authentication Proxy) in bulk:

Navigate to Users -> User Accounts.

Click the Batch Import icon to open the Batch Import Form.

Enter in the basic information

Batch Name - The name of the user/device batch for reference in the Web Console

Batch Description - A description of the particular user/device batch for Web Console reference.


Click the icon to open up the Bulk Import Help Topic Form.

From here, select the Download Template button to download the Batch Import Template

Enter in all relevant information for each user in the template. Three sample users (one of each Security
Type) have been added to the top of the template for reference on what type of information to put into
each column.

All of the fields in the template are identical to the fields that are used during the User Account Creation
process and the individual device registration process.

Required fields are designated with a *

Column E, Security Type, is used to determine which type of security (Basic, Directory based, or
Authentication Proxy) should be used to create the user account.

To register a device, make sure that Column T, User Only Registration, is set to No.

To register an additional device to the same user account, make sure that all information in Columns
A-T are the same. The remaining columns are used to register each additional device.

To store advanced registration information, make sure that Column AA, Store Advanced Device Info, is
set to Yes.

Once complete, save the template as a .CSV file, select Browse from the Batch Import Form, and select
the .csv file that you just created.

When complete, select Save to register all listed users and corresponding devices.


Device Registration
Device registration allows both administrators and end-users the ability to enter in information about the specific devices that
are enrolled under mobile device management. This feature also provides an added level of secure authorization so that only
authorized devices can enroll. There are several ways that registration can be accomplished to accommodate different needs
and requirements.

Administrators can register individual devices to add important device and asset information such as Friendly
name (the device name created by the administrator for easy recognition in the AirWatch Web Console), model,
OS, serial number, UDID, and asset number. This process can directly follow User Account creation by selecting
Save and Add Device.

Administrators can register a list of devices (for similar reasons as those listed above) in bulk. This process takes
place during Bulk User Account Creation.

Administrators can invite end-users to register so that they can enter in details about their devices themselves,
and initiate device registration from their end. This process takes place on the end-user's device, in the Self
Service Portal.

Admin Registers a Single Device


To register an individual device:

Navigate to Users -> User Accounts and select the Add Device button next to the existing user
account that you want to associate with the device

OR

Complete the New User Account Creation Process and select Save and Add Device at the end.

This will open the Add Device Form. Fill in the basic information.

Friendly Name - The name of the device to be displayed in the Web Console for easy recognition

Ownership Type - Specify a device ownership type (Corporate-Dedicated, Corporate-Shared, or
Employee Owned) to distinguish between corporate and employee-owned devices. This will allow the
administrator to customize MDM policies based on ownership type to allow for maximum privacy and
protection.

Message Type - Specify whether the activation message will be sent via SMS or Email.

Address / Subject / Message Body - The message text that will be sent out to the provided address
after the device is registered. This message usually contains the enrollment link and Group ID.

Check Show Advanced Device Information Options to manually enter additional device information to be
displayed in the AirWatch Web Console.

UDID - Universal Device Identifier

Platform / Model / OS - Specific device information

SN / IMEI / SIM / Asset Number - Specific device reference numbers to distinguish this particular
device.

When complete, click Save to finish the form and send the specified message to end-users.

The end user will receive the message and proceed with enrollment.

Admin Registers a List of Devices

Click the Batch Import icon to open the Batch Import Form.


Enter in the basic information

Batch Name - The name of the user/device batch for reference in the Web Console

Batch Description - A description of the particular user/device batch for Web Console reference.

Click the icon to open up the Bulk Import Help Topic Form.

From here, select the Download Template button to download the Batch Import Template

Enter in all relevant information for each device in the template. Three sample users have been added to
the top of the template for reference on what type of information to put into each column.

All of the fields in the template are identical to the fields that are used during the User Account
Creation process, and the individual device registration process.

To register a device, make sure that column T, User Only Registration, is set to No.

To register an additional device to the same user account, make sure that all information in columns
A-T is the same. The remaining columns are used to register each additional device.

To store advanced registration information, make sure that column AA, Store Advanced Device Info, is
set to Yes.

Once complete, save the template as a .CSV file, select Browse from the Batch Import Form, and select the
.csv file that you just created.

When complete, select Save to register all listed users and corresponding devices.
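A pre-upload check for the batch import .csv described in Creating End Users in Bulk and in this section, as an added example (not AirWatch code): it applies the Column E, Column T, Column AA and Columns A-T rules by column letter. The exact cell spellings ("Basic", "Yes", "No", ...), the single header row, and the use of Column A as the user key are assumptions of this example.

```python
import csv
import io

# Assumed cell spellings: the guide names the three types and the Yes/No
# settings but does not print the exact strings the template expects.
SECURITY_TYPES = {"Basic", "Directory", "Authentication Proxy"}
YES_NO = {"Yes", "No"}


def col_index(letters):
    """Spreadsheet column letters to a zero-based index (A=0, T=19, AA=26)."""
    n = 0
    for ch in letters.upper():
        n = n * 26 + ord(ch) - ord("A") + 1
    return n - 1


def col_letters(index):
    """Zero-based index back to spreadsheet letters, for readable findings."""
    out, n = "", index + 1
    while n:
        n, rem = divmod(n - 1, 26)
        out = chr(ord("A") + rem) + out
    return out


def preflight(csv_text, user_key_col="A", header_rows=1):
    """Return (row_number, message) findings for a batch import CSV."""
    e, t, aa = col_index("E"), col_index("T"), col_index("AA")
    key = col_index(user_key_col)  # assumed: this column identifies the user
    findings, first_seen = [], {}
    rows = list(csv.reader(io.StringIO(csv_text)))
    for num, raw in enumerate(rows[header_rows:], start=header_rows + 1):
        if not any(cell.strip() for cell in raw):
            continue  # blank spreadsheet rows are ignored
        row = [c.strip() for c in raw] + [""] * (aa + 1 - len(raw))
        if row[e] not in SECURITY_TYPES:
            findings.append((num, f"column E (Security Type) is {row[e]!r}"))
        if row[t] not in YES_NO:
            findings.append((num, f"column T (User Only Registration) is {row[t]!r}"))
        if row[aa] not in (YES_NO | {""}):
            findings.append((num, f"column AA (Store Advanced Device Info) is {row[aa]!r}"))
        # Column T must be No for the device columns to be registered.
        device_cells = [c for i, c in enumerate(row) if i > t and i != aa and c]
        if row[t] == "Yes" and device_cells:
            findings.append((num, "device columns are filled in but column T is Yes"))
        # A second device for the same user needs identical columns A-T.
        ident = row[: t + 1]
        if row[key] in first_seen:
            prev_num, prev = first_seen[row[key]]
            diff = [col_letters(i) for i, (a, b) in enumerate(zip(prev, ident)) if a != b]
            if diff:
                findings.append(
                    (num, f"columns {', '.join(diff)} differ from row {prev_num} (same user)"))
        else:
            first_seen[row[key]] = (num, ident)
    return findings


def make_row(cells, width=28):
    """Build one CSV line from {column letters: value}; used for the sample only."""
    row = [""] * width
    for letters, value in cells.items():
        row[col_index(letters)] = value
    return ",".join(row)


# Constructed sample (not the vendor template): a header plus four rows.
SAMPLE = "\n".join([
    make_row({"A": "User Name", "E": "Security Type",
              "T": "User Only Registration", "AA": "Store Advanced Device Info"}),
    make_row({"A": "jdoe", "E": "Basic", "T": "No", "U": "iPad", "AA": "Yes"}),
    make_row({"A": "jdoe", "E": "Directory", "T": "No", "U": "iPhone"}),
    make_row({"A": "asmith", "E": "LDAP", "T": "No", "U": "Tablet"}),
    make_row({"A": "bjones", "E": "Basic", "T": "Yes", "U": "iPad"}),
])

if __name__ == "__main__":
    for num, message in preflight(SAMPLE):
        print(f"row {num}: {message}")
```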


Administrator Invites Users to Register


If an administrator wishes to have end-users register their own devices, the administrator must notify end-users that
they need to complete the registration process and provide them with the appropriate registration URL and credentials
(please refer to Creating Basic End Users).
There are several ways to notify end-users:

Administrator sends Email or intranet notifications to the entire user group outside of AirWatch with the
registration instructions.

This method is generally used if administrators do not have any user accounts already created for end-users, and they want end users to be able to enroll and register without assistance. For users to be able to
enroll and register their devices without administrative efforts:

o Enrollment authentication must be enabled for either Active Directory or Authentication Proxy (edit
these settings in Configuration -> System Settings -> Device -> General -> Enrollment -> Authentication)

AND

o Deny Unknown Users under Enrollment Restrictions (edit these settings in Configuration -> System
Settings -> Device -> General -> Enrollment -> Restrictions) cannot be checked.

Alternatively, administrators can first create user accounts for all of the end-users to register their devices, and
then send User account activation messages to each user containing the registration instructions.

In either case, the administrator must let the end-user know two things:

Where to register - End-users can register by navigating to the Self-Service Portal URL.

This URL takes the form of https://<AirWatchEnvironment>/MyDevice where <AirWatchEnvironment> is
the enrollment URL.

How to authenticate into the Self-Service Portal - This information includes a Location Group (Group ID), and
the Username and Password that users should use to register their device.


End User Registration


Once the administrator sends the registration notification to the user (if the administrator does not choose to register
the devices for the users), end-users need to register the device. Use the following steps to help guide end-users
through the registration process.

Navigate to the Self-Service Portal URL (either in the device browser or from any internet browser).

Enter in the provided Group ID, Username, and Password

From the next page, select Register Device to open up the Device Registration Form


Fill in the device information fields:

Expected Friendly Name - The name of the device that will be shown in the Web Console (the
expected friendly name will also be used to track the device registration status).

o For example, John Smith's iPad.

Platform / Model / OS - The details of the specific device

Device Ownership - Select whether the device is a personally owned device.

Message Type - Select the message format for the end-user registration confirmation.

Email Address / Phone Number - The address or phone number of the recipient of this message.

When complete, click Save to finish the End-User registration process.


Device Registration Status


AirWatch enables administrators to track device registration status regardless of whether or not the user has enrolled
the device. Once device registration has been accomplished through any of the processes described above
(Administrator registers a single device, a list of devices, or the administrator enables end-users to register their own
devices), administrators can view the device registration and enrollment status from the Registration Status Tab on the
User Accounts page.

From here, administrators can view the registration details, date, and status of the registration message sent to end-users.


Additionally, administrators can manage the registration process through the four registration action buttons at the top
of the page:

Resend Message - Resend the registration message to the devices selected with a checkmark next to their
friendly name.

Revoke Token - Force the registration token status of the devices selected below to expire. This will
essentially prevent these devices from enrolling due to an expired token.

Reset Token - If a device's registration token has been revoked or is expired, administrators can click this
button to reactivate the registration token so that enrollment can occur.

Delete Token - This will permanently delete the registration token for the devices selected below so that
they must re-register in order to enroll.


Customizing Registration Messages


To customize the registration message sent to end users after they register their devices:

Navigate to Configuration -> System Settings -> Device -> General -> Messaging to open up the User and
Device Activation Message Form.

To change the Email Message Templates for user and device activation, select the Email Tab at the top of
the page. Alternatively, select SMS to change the SMS text messages sent to devices.

From either tab, administrators can change the User Account Activation message or the Device Activation
message. Scroll down to the Device Activation section.

Enter in the email or SMS message subject, and body.

When complete, click Save.


Using Variables in Registration Messages

While creating the message template for device activation described in the previous section, administrators can
leverage Look-up values to add dynamic content to the device activation message that is particular to the recipient.

From the form shown above, click the icon to open up a list of possible look-up values and
descriptions.

Administrators can then enter any of the listed look-up values into the message body with the {} braces.

Typically end-users must obtain the following from their registration messages:

o Enrollment URL: {EnrollmentURL}

o Group Identifier: {GroupIdentifier}

o Username & Password: {EnrollmentUsername} & {EnrollmentPassword}

o Token (if token enrollment is being used): {EnrollmentToken}

To embed an enrollment URL with the user's group identifier, use the following look-up value:

o {EnrollmentUrl}?ac={GroupIdentifier}

When complete, click Save.

Current Lookup Values

Email Domain - The domain that the corresponding email user account belongs to.

EmailUserName - The name of the email user without the @company.com portion. The user name
associated with a user's corporate email.

EmailAddress - The full-length email address of the user account

EnrollmentUser - The name of the user account

EnrollmentUserId - The unique ID of the user account

DeviceUid - The Unique Identifier of the device

DynamicScepChallenge - A field used in certificate templates to enable SCEP servers to properly integrate
with the solution for dynamic certificate configurations.

GroupIdentifier - The group identifier of the location group that a user or device is enrolling into.

SessionToken - The unique token that is used during the registration process to associate an enrolling
device with a device that has recently just been registered.

DeviceFriendlyName - The friendly name displayed in the Admin Console for a device

DeviceSerialNumber - The serial number of a device

UserPrincipalName - The principal name of the user when users are integrated with directory services.
Potentially used for certificate integration.

DeviceSerialNumberLastFour - The last four alphanumeric characters of the device serial number

DevicePlatform - The platform of the specific device

DeviceModel - The model of the specific device

DeviceOperatingSystem - The operating system of the specific device

DeviceUidLastFour - The last four alphanumeric characters of the device Unique identifier

DeviceReportedName - The reported name of a device that has registered but not yet enrolled

EmailPassword - A user's password to recover their individual corporate mail.
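A review check for a Device Activation message template before it is saved, as an added example (not AirWatch code): it flags look-up values that are not on this page's lists and messages that deliver the whole credential set at once. Which values count as sensitive, the policy rules, and the sample subject, body and URL are assumptions of this example.

```python
import re

# Look-up values printed on this page. Both {EnrollmentURL} and {EnrollmentUrl}
# appear in the guide, so both are accepted. "Email Domain" is printed with a
# space in the guide and is left out rather than guessed.
PAGE_LOOKUPS = {
    "EnrollmentURL", "EnrollmentUrl", "GroupIdentifier", "EnrollmentUsername",
    "EnrollmentPassword", "EnrollmentToken", "EmailUserName", "EmailAddress",
    "EnrollmentUser", "EnrollmentUserId", "DeviceUid", "DynamicScepChallenge",
    "SessionToken", "DeviceFriendlyName", "DeviceSerialNumber",
    "UserPrincipalName", "DeviceSerialNumberLastFour", "DevicePlatform",
    "DeviceModel", "DeviceOperatingSystem", "DeviceUidLastFour",
    "DeviceReportedName", "EmailPassword",
}

# Assumption of this example: values that act as credentials or enrollment secrets.
SENSITIVE = {"EnrollmentPassword", "EmailPassword", "EnrollmentToken",
             "SessionToken", "DynamicScepChallenge"}

TOKEN_RE = re.compile(r"\{([A-Za-z][A-Za-z0-9]*)\}")

# Lower-cased index used to suggest the page's spelling for a mis-cased name.
_BY_LOWER = {}
for _name in sorted(PAGE_LOOKUPS):
    _BY_LOWER.setdefault(_name.lower(), _name)


def lint_message(subject, body):
    """Return (kind, detail) findings for one activation message template."""
    findings, used = [], set()
    for field, text in (("subject", subject), ("body", body)):
        if text.count("{") != text.count("}"):
            findings.append(("unbalanced-braces", field))
        for match in TOKEN_RE.finditer(text):
            name = match.group(1)
            if name in PAGE_LOOKUPS:
                used.add(name)
                if field == "subject" and name in SENSITIVE:
                    findings.append(("secret-in-subject", name))
            elif name.lower() in _BY_LOWER:
                findings.append(("case-mismatch", f"{name} -> {_BY_LOWER[name.lower()]}"))
            else:
                findings.append(("unknown-lookup", name))
    # Policy rule (assumed): one message should not carry everything needed to enroll.
    has_url = bool(used & {"EnrollmentURL", "EnrollmentUrl"})
    if has_url and {"GroupIdentifier", "EnrollmentUsername", "EnrollmentPassword"} <= used:
        findings.append(("complete-credentials",
                         "URL, Group ID, username and password in one message"))
    return findings


def preview(text, values):
    """Fill in look-up values for review, masking the sensitive ones."""
    def fill(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)  # leave unresolved names visible
        return "********" if name in SENSITIVE else values[name]
    return TOKEN_RE.sub(fill, text)


# Constructed sample template and values.
SAMPLE_SUBJECT = "Activate {DeviceFriendlyName}: token {EnrollmentToken}"
SAMPLE_BODY = (
    "Enroll at {EnrollmentUrl}?ac={GroupIdentifier}\n"
    "User: {EnrollmentUsername} / {EnrollmentPassword}\n"
    "Model: {Devicemodel}\n"
    "Help desk: {HelpDeskPhone}\n"
)
SAMPLE_VALUES = {"EnrollmentUrl": "https://mdm.example.test/enroll",
                 "GroupIdentifier": "HQ01", "EnrollmentUsername": "jdoe",
                 "EnrollmentPassword": "constructed-secret"}

if __name__ == "__main__":
    for kind, detail in lint_message(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(f"{kind}: {detail}")
    print(preview(SAMPLE_BODY, SAMPLE_VALUES))
```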


Language Management
The AirWatch Web Console can be displayed in a variety of languages. Administrators can add additional Language Packs, edit
phrases that are used in a specific language, and change the language for only one user if necessary while leaving the language
unchanged for other users.


Activating Language Packs


To add an additional language pack to the Web Console, browse to Menu -> Language Management

Select

Choose the language pack you would like to add and press

Click Save


Selecting and Changing Language


AirWatch Web Console allows the language to be set both for a specific user and/or a specific location.
To change the language for the user, navigate to Menu -> Admin Accounts

On the Add/Edit user page, change the Locale to the desired language.

Save changes, log off, and log back in to display the new language.


Localization Editor
The Localization Editor is used to edit specific words or phrases that do not translate properly to the desired language.
Browse to Menu -> Language Management

is displayed by default.

Choose the Locale you wish to edit and click search

Find the word or phrase that is incorrect and click

Make the desired changes and save.



Best Practices

Pay close attention to Location group hierarchy when creating and editing admin accounts. It is important to
enable permissions at the highest location group needed in order to ensure the administrator will have the proper
editing capabilities.

The selected location group will always be displayed in the upper left-hand corner of the AirWatch Web
Console.

There are three pieces of information the administrator needs to communicate to end-users:

AirWatch Enrollment URL (provided by AirWatch) which is the same URL that you use to access the Web
Console.

Group ID to identify the home location group (the Group ID is determined in Configuration -> Locations &
Groups -> Location Group Details)

Username and password unique to the end-user (Username and password are determined in Users -> User
Accounts -> Add User or Edit User)

o Depending on the selected Security Type, the username and password may be created by the administrator
(Basic) or integrated with the Directory, Authentication Proxy, or SAML.

If your organization is using device registration and is in need of assistance, contact AirWatch Support.


Device Management
Overview
Smart device management is centralized in the AirWatch Console. From the console, the administrator is able to leverage the
following AirWatch features:

Customize comprehensive asset tracking in the form of real-time device data across the mobile fleet, regardless of
device type, carrier, or location.

Navigate an interactive dashboard of mobile and telecom data to help the organization make more informed
decisions based on actual mobile telecom usage.

Perform remote actions on devices.

Generate a custom library of reports.

Enable proactive alerts for both users and administrators when predetermined thresholds are reached.

Note: This section pertains to iOS, Android, Blackberry, Symbian, and Windows Phone 7 devices. For more
information on managing Windows Mobile devices, please see the Windows Mobile Administration Guide.

The following sections will describe how administrators can leverage the specific pages within AirWatch Web Console to
effectively and efficiently manage smart devices.

Dashboard Navigation
The Dashboard page centralizes smart device monitoring by giving administrators high level views of the entire fleet of mobile
devices with the ability to drill down to the individual device level. To access the Dashboard Page, navigate to
Dashboards -> Dashboard.

From here, administrators can see an overview of graphics and statistics for a location group or the entire device fleet, or
quickly locate information on a specific device by clicking on the blue friendly name.


Location Group Sidebar


The Location Group Sidebar on the left of the screen allows administrators to view devices belonging to a specific
location group and all of its children groups efficiently. There are also several tools that can be used to find specific
location groups:

Expandable Tree Structure - Find location groups and show
lineage from parent to children groups

Search Box - Search for specific location groups by name

Expand / Collapse Feature - Fully expand or collapse the
location group hierarchy

Pin Feature - Pin the location group sidebar back onto the
Dashboard sidebar

Available Views
There are also several Available Views on the Dashboard page that give administrators the ability to view entire listings
of devices based on each of the metrics listed below:

Asset Tracking - View devices based on ownership type, platform, and last
seen metrics.

Device Compliance - View devices based on their compliance to
compromised device rules, passcode policies, and Apple Data Protection.

Secure Email Gateway - View devices that attempt to gain corporate email
access through the Secure Email Gateway, and their status.

Telecom Roaming - View devices that have indicated a roaming telecom
status.


Graphical Portlets
The Graphical Portlets on the Dashboard page provide relevant statistics as well as an easy way to select a
group of devices according to a number of categories (the example below is from the Asset Tracking view).

To change the view to a selected group of devices (from a graphical portlet):

Click on the graph to highlight the portlet.

Click the Data Group Icon in the upper right hand corner of the portlet to toggle the portlet into the other
view.

Select a Data Group. This will modify the dynamic device list to show only the devices belonging to the
specified data group.

Dynamic Device List


The Dynamic Device List on the Dashboard page contains a flexible list of devices and associated metrics that pertain to
each view:

There are several ways that an administrator can select, order, and identify specific devices from the Dynamic Device
List page:

Select any of the Available Views.

Click on any of the Data Groups from the Graphical Portlets.

Click on any of the Column Categories (such as Last Seen or Friendly Name) to re-sort the list.

Use any of the additional search and view tools on the upper right hand corner of the list:


Device Control Panel


When administrators want to view detailed information or perform remote actions on the individual device level, they can
leverage the Device Control Panel available from the Dashboard page:
To open the Device Control Panel, simply locate an individual device on the Dashboard page by using any of the available
search tools, and then select it. The overlaid Device Control Panel window will appear:

The Device Control Panel contains two primary menus:

A Device Information List to view detailed information and statistics.

A Remote Actions List to perform administrative actions over the air.

Note: Information and actions in the Device Control Panel are subject to availability according to privacy settings
and platform compatibility.


Device Information List


The Device Information List shows detailed information related to each of the listed categories. More information
about each device information category is shown below.
Summary

The Summary section shows hardware, MDM, encryption, and passcode compliance, in addition to other general
information:

Hardware - Displays device hardware information.

Security - Shows device compromised and encryption level data.

Passcode - Shows if a passcode is present and whether or not it meets the passcode requirements.

Network - Shows network information such as Sim Card and roaming status.

Profiles - Shows all profiles and provides profile installation status.

Certificates - Shows installed certificates and expiration or near expiration status.

Applications - Shows the number of apps currently installed on the device.

Content - Shows the number of installed documents and number of assigned documents.


Profiles

The Profiles section shows all of the MDM profiles that have been sent to the device and the status of each profile:

Status - Shows the profile installation status:

o Installed

o Pending install

o Not installed

o Pending removal

o Removed

Type - Shows the profile type: automatic, optional, or interactive.

Version - Shows profile version (how many times the profile has been updated).

Location Group - Shows the location group to which the profile is assigned.

Actions - Provides the ability to remotely install or remove the profile.


Apps

The Apps section displays all applications that have been installed on the device (subject to privacy settings as specified
in Configuration -> System Settings -> Device -> General -> Privacy).

Please note the following field descriptions:

Status - Shows the application installation status:

o Installed

o Pending install

o Not installed

o Pending removal

o Removed

Type - Shows whether it is an internal or public application.

Actions - Provides the ability to install or remove the application.

Note for iOS5 only: The apps tab for an iOS5 device will also provide administrators with the ability to install or revoke
managed applications to and from the device over the air.


Content

Only applicable to devices equipped with the Secure Content Locker.

The Content section shows the following content details and actions:

Status - Shows the application installation status:

o Installed

o Pending install

o Not installed

o Pending removal

o Removed

Type - Document format. Hover over the icon to display the format type.

Name - Document name as it appears both in the Web Console and in the Secure Content Locker.

Priority - Document priority as specified by the Importance field in Content -> Content
Management -> Add Document or Edit Document.

Deploy - There are two options for deployment type:

o On Demand - End-user must download document.

o Automatic - Document is automatically downloaded to the end-user's device.

Version - Shows the document version (based on how many times the document has been updated).

Actions - Provides the ability to install or delete content.


Certificates

The Certificates section shows all of the certificates currently stored on the device, and provides basic supporting
information.

iOS devices should always show at least one current certificate indicating that they have enrolled their
devices.

User

The User section shows user-specific information (when available and subject to privacy settings as specified in
Configuration -> System Settings -> Device -> General -> Privacy) including Name, Status, Username, Email, Group, Email
Username, Security Type, and Contact Number. It also displays a list of all devices that the user has enrolled.


GPS

The GPS section shows the GPS coordinates of the device (subject to privacy settings as specified in System Settings >
Device > General > Privacy). The default display is Last Known (most recently received coordinates). To view GPS
coordinates over a select period of time:

Select the time period for which you would like to view GPS coordinates from the Period drop-down menu.

Click Search.

The search results will return the entire available trail (breadcrumbs) of GPS coordinates over the requested period.

Additionally, the Play Sound icon is available to help locate a lost device. Click the icon to play a sound on
the device.


Event Log

The Event Log contains a comprehensive log of all interactions between the AirWatch Web Console and the device. Click
Refresh Data to instantly update the Event Log. Important fields to note in the Event Log include the following:

Direction - Shows the direction of the event (device to server or server to device).

Event Type - Provides a brief categorization/summary of the event. Examples of events might include:

Profile list confirmed

Check In

Compromised Status Reported


Remote Actions
The Remote Actions List is shown below. With this list, administrators can perform any of the listed actions on the
selected device over-the-air.

Device Query

Manually requests the remote device to send in a comprehensive set of MDM information to the console. This will
override the timed device check-ins with an immediate request.

Clear Passcode

This will clear the passcode on the remote device. This can be leveraged whenever any end-users forget their passcode
or become locked out of accessing their device.

Send Message

This allows administrators to send different types of messages to devices over-the-air.

Email - When corporate SMTP settings have been properly configured, administrators will have the ability
to send remote emails to any address.

SMS - If a corporation has set up an SMS service account with CellTrust, and if the credentials have been
properly configured, administrators will have the ability to send remote SMS text messages to any phone
number.

APNs - For iOS devices that have AirWatch Agent installed, administrators can send Apple Push
Notification messages to an end-user that will display the message body in the notification.


Lock Device

This will lock the device so that the device user will have to unlock the device with the appropriate passcode to
continue using it.

Enterprise Wipe

This will remove the device from AirWatch MDM by un-enrolling the device and selectively wiping all of the Enterprise
data contained on the device through MDM profiles, policies, and internal applications.

Device Wipe

This will perform a full wipe of the device (subject to privacy settings as specified in Configuration > System Settings >
Device > General > Privacy).

As a security precaution, a confirmation message will remind you of the ownership type of the device to
be wiped.

You must enter the provided key code before performing the device wipe.

Wiping the device will remove all data, email, profiles, and MDM capabilities, and the phone will return to
a factory default state.

Find Device

This functionality will force iOS devices to make a set of audible notification tones so that end-users can locate their
device.


Remote View

This provides a remote view of select devices and applications (BlackBerry and Windows Mobile). The capture button
will take a screen capture to preserve any error screens or other issues.

Remote Control

This allows select BlackBerry (through RealVNC integration) and Windows Mobile devices to be remotely controlled in
the AirWatch Web Console by an administrator for immediate remote assistance.


Device Search
The AirWatch Web Console allows the administrator to quickly locate a device or group of devices according to the following
search options:

Location Group Sidebar - Click on a location group to view the devices belonging to that location group and all
child location groups.

Sorted Fields - Sort any of the grid columns by clicking on the column name.

Grid Criteria - Filter the grid according to device criteria by selecting the criteria from the drop-down menu.

Grid Search - Search the currently selected grid by typing a search term (such as device friendly name, model, or
platform) into the Filter Grid box (shown above).

Advanced Search - Search the entire AirWatch Web Console by locating the search box at the top right-hand side
of the screen.

Select one of the following search categories from the drop-down menu: device, equipment, location,
settings, or user.

Enter the search keyword.

Click Go.

The search keyword will be highlighted in the results. When you perform an advanced search, clicking on the device name will
display the Device Details page instead of the Device Control Panel.


Device Details
The administrator can track detailed device information in addition to quickly accessing user and device management actions
by viewing the Device Details. There are two ways to view the Device Details:

Click on the Blue Friendly Name of the device in the device dashboard. When the Device Control Panel appears,
click on the name again.

Or, use any of the available search tools to search for an individual device:


From the search results, click on the Blue Friendly Name of the individual device to open up the Device Details
page:

From the Device Details page, administrators can see all of the information presented in the Device Control Panel in
addition to more detailed metrics.

Many of the Device Details are identical to the information in the Device Control Panel. For information on the
Security, Profiles, Apps, Certificates, or Event Log views, please reference the section on the Device Control Panel:

Click on the different Available Views on the left side of the Device Details page to view individual device details
according to the categories described below.


Device Information
The Device Information View is shown by default when the Device Details page is first opened, but it can be shown
again by selecting the Information tab under Available Views.

From this view, administrators can see several general statistics about the current device, including:

Device Status and Last Seen.

Phone number (when available and subject to privacy settings as specified in Configuration > System
Settings > Device > General > Privacy).

Platform/Model/OS.

Device Ownership/Device Category/Device Group.

Location Group/Location.

Serial Number/UDID/Asset Number.

Power Status/Physical Memory/Virtual Memory.


Device Restrictions
To show the Device Restrictions View, select the Restrictions tab under Available Views.
From here, administrators can see all of the security restrictions that have been placed on the device through the use of
restrictions profiles. This information is organized into four separate views: Device, Apps, Ratings, and Passcode.

Device

The Device tab shows all restrictions in effect for the device from a generic system-wide level. They are not limited in
scope to individual applications or profiles like the other restrictions tabs.


Apps

The Apps tab shows the deployed application restrictions for the device.

Allow use of YouTube will remove the YouTube application from the device so that end users cannot use
it.

Allow use of iTunes Music Store and Allow explicit music and podcasts limit these specific features from
within the iTunes applications.

Allows use of Safari, Enable Autofill, Force Fraud Warning, Enable JavaScript, Enable Plugins, Block popups, and Accept Cookies all apply to the Safari Web Browser Application.

Ratings

The Ratings tab shows all the restrictions that determine content control of Movies, TV Shows, and Apps from iTunes
and the App Store. If content filtering is applied, only specific media that has a lesser age rating will be permitted for
download.


Passcode

The Passcode tab shows all the current settings of the passcode policy that has been provisioned to the device.

Device Location
To view the current location or location history of a device, select the GPS tab under Available Views.
This shows the GPS coordinates of the device (subject to privacy settings as specified in System Settings > Device >
General > Privacy). The default display is Last Known (most recently received coordinates). To view GPS
coordinates over a select period of time:

Select the time period for which you would like to view GPS coordinates from the Period drop-down menu.

Click Search.

The search results will return the entire available trail (breadcrumbs) of GPS coordinates over the requested period.


Network Status
To view the current network status of a device, select the Network tab under Available Views.

From here administrators can choose any of the different tabs to view Cellular, Wi-Fi, and Bluetooth network
information.

Alerts
To view all of the alerts that have been triggered by the current device, select the Alerts tab under Available Views.

From here, administrators can see specific alerting details for Severity, Priority, Attributes, Values, Duration, Alert Date,
and Creation Policy.


Attachments
To attach images, documents or links that are relevant to the device, select the Attachments tab under Available Views.

There are three views in the attachments tab: Images, Documents, and Links. These categories are only used within the
Web Console to help administrators organize attachments. Examples of relevant device information administrators may
want to include in this area include:

Copies of support tickets regarding the device

Screen shots from the device

Device support documentation

Telecom
To view details about calls by a user, open the Telecom view by selecting the Telecom tab from the left pane. The
Telecom section (information provided is subject to privacy settings as specified in Configuration > System Settings >
Device > General > Privacy) provides details about whether a call was incoming or outgoing, duration of the call, the
phone number and carrier, and the country and roaming status of the phone.


Device Details Management


The Device Details Management Menu (located underneath the device friendly name) provides shortcuts to quickly manage
both the device and the user account associated with the device.

Move your mouse over Query, Management, Support, or Admin to see the drop-down menu management options.

Query
The Query menu allows the administrator to request information from the device. Click on the category to send a query
to the device. Select Query All to request all of the categories. Or, send individual queries for the following device
information:

Device information

Security

Profiles

Apps

Certificates

Management
The Management menu allows the administrator to instantly perform the following remote device actions (please refer
to the section on Remote Actions for further explanation of the first four options):

Clear Passcode

Lock Device

Enterprise Wipe

Device Wipe

Set Roaming - Enable or disable the voice and data roaming options


Support
The Support menu provides options to instantly perform the following remote device actions (please refer to the
section on Remote Actions for further explanation of the first three options):

Send Message (Email, SMS, or Push Notification)

Find Device

Remote View

Request Device Check In - Send a message to the device requesting a check in with the AirWatch Agent

Remote Control (only available for Windows Mobile and BlackBerry devices) - Remotely control the device

Admin
The Admin menu allows administrators to instantly edit the following device and user settings:

Change Location Group - Edit the device user's location group

Edit Device - Edit the following device settings:

Friendly Name

Device Ownership type

Device Group

Device Category

Delete Device

Enroll - Enroll the device in AirWatch MDM


End User Self-Service


The AirWatch Self-Service Portal allows end-users to remotely monitor and manage their smart devices.

The Self-Service Portal, shown above, gives administrators the ability to view relevant device information for any of their
enrolled devices, and to perform remote actions such as clear passcode, lock device, or device wipe.


Enabling the Self-Service Portal


End-users of iOS and Android devices can access the Self-Service Portal directly from their device.

The advantages of accessing the Self-Service Portal from the managed device include:

End-users can view important compliance information.

End-users can quickly download optional profiles.

End-users can manage multiple managed devices from the Self-Service Portal on one device.

In order for end-users to access the Self-Service Portal from their device, the administrator must first deploy a webclip
(iOS) or bookmark (Android) profile containing the Self-Service Portal web-based application URL. The steps below
outline the process for deploying the Self-Service Portal (Refer to Creating Profiles for instructions on creating a profile):

Navigate to Profiles & Policies > Profiles.

Select Add.

Enter in Basic Profile Information in the General Settings.

Select the device platform.

Name the profile. Ex: Self-Service Portal Webclip for iOS Devices.

Specify root location groups to manage the profile and be assigned the profile.


Select the Webclip (iOS) or Bookmark (Android) icon on the left sidebar.

Enter in the Profile Information.

Label - The text displayed beneath the webclip icon on an end-user's device.

For example, AirWatch Self-Service Portal.

URL - The URL that the webclip will display.

For the Self-Service Portal, use the following URL: http://<Your Enrollment Environment>/mydevice/.

Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format.

For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
converted to png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
57 pixels for all other devices.

When complete, click Save and Publish to immediately send the profile to all appropriate devices.

Privacy Settings Note: Access to information and Remote Actions in the Self-Service Portal is determined by both
Privacy settings (Configuration > System Settings > Device > General > Privacy) and Role settings (Users > Admin
Accounts). If multiple settings are in place, the strictest policy is enforced.


Retiring a Device
In the event that a device must be removed from mobile device management, there are several possible methods to unenroll
the device from different sources.

Automatic Unenrollment - The AirWatch Compliance engine can be configured so that when devices do not comply
with Application or Device compliance policies, they are automatically unenrolled from mobile device
management.

Administrative Unenrollment - Administrators can also unenroll devices over the air from the Device Dashboard
page or the Device Details page. From either of these pages, administrators simply need to select Corporate Wipe,
and the device will be removed from mobile device management.

End-User Unenrollment - If an end-user decides to opt out of corporate mobile device management, then they
can initiate the Unenrollment process from their own devices. Although the process is different for each
manageable platform, the general process involves removing the administrative privileges of AirWatch, and
removing any AirWatch agents from the device.

Best Practices

Before performing remote actions on a device, take into account the device ownership type.

For example, keep in mind that performing a full device wipe on an employee-owned device will remove all of
the personal data from the device in addition to all corporate data.

Additionally, the administrator may want to use privacy settings (specified in Configuration > System Settings >
Device > General > Privacy) and role permissions (specified in Users > Admin Accounts > Roles) to restrict
lower-tier administrator access to employee-owned device data.


Profile Management
AirWatch enables IT administrators to create and deploy configuration profiles that define enterprise settings, policies, and
restrictions for smart devices without requiring user interaction. AirWatch delivers signed, encrypted, and locked
configuration profiles over-the-air to ensure they are not altered, shared or removed. A single deployed profile is called a
profile payload.

Profiles Page
The Device Profiles page in the Web Console is responsible for managing and pushing profiles.

Search Bar - Search for a profile based on specific profile attributes.

Active - If green/active, the profile will be available to new devices. If red/inactive, the profile is not
available to devices.

Managed - Managed profiles are associated directly with AirWatch, therefore if a device is un-enrolled or
retired the managed profiles will be removed. Unmanaged profiles will remain on a device even after
being un-enrolled from AirWatch.

Ownership - Shows if a profile is assigned to any device or specifically to corporate owned or employee
owned devices.

Managed By - The location group that has access to edit, publish, or delete a profile.

Actions - Manage the profile using the following options:

Edit - Allows customization of an existing profile.

Copy - Allows copying of an existing profile with a new profile name.

View Devices - Shows devices that are available for that profile and if the profile is installed
currently.

Publish - Pushes out the profile to devices that match the profile criteria.

View XML - View the XML code sent over the air to devices describing the application or profile.

Delete - Deletes the profile and removes it from devices.


Creating Profiles
In order to deploy profiles to devices using the Device Profiles Page in the Web Console:

Navigate to Profiles & Policies > Profiles to open the Device Profiles Page:

Select Add

Choose the Platform that will be associated with the profile


General Settings
The first step in creating any profile is configuring the General Settings. The General Settings are overall settings that
will determine how and to whom the profile is deployed.

Name - The name of the profile to be displayed in the Web Console.

Description - A brief description of what the profile does. This will be displayed on managed devices under
Profile Details.

Platform - The platform to which this profile will be deployed (this field is pre-populated based on the platform
selected in the previous step). Profile support varies by platform, and therefore platform choice will determine
which types of profiles can be deployed.

Deployment:

Managed will remove the profile when the device is unenrolled.

Manual will leave the profile installed when the device is unenrolled.

Model and Minimum Operating System - Enter the specific models and minimum operating systems to which
the profile will be deployed. The profile will only be deployed to devices that meet the specified parameters.

Ownership - Specifying a device ownership type (Corporate-Dedicated, Corporate-Shared, or Employee-Owned)
will limit profile deployment to only the devices that belong to the specified device ownership group.
Distinguishing between corporate and employee owned devices allows for maximum privacy and protection.

Importance and Sensitivity - These are fields used within the Web Console only for additional details and
profile filtering capabilities. They have no effect on how the profiles are deployed.

Allow Removal - A security parameter specifying what end-users can do to remove the specific profile from
their device:

Always - Users can remove the profile on their own without entering any authorization codes.

With Authorization - Users can remove the profile if they correctly enter an authorization code as
created by a Web Console administrator.

Never - Users cannot remove the profile unless the device is unenrolled from AirWatch management.

Root Location Group - The location group that administrators must be associated with in order to edit and
delete this profile. If administrators manage higher location groups than the management group, then they will
also have access to profile management by inheritance.

Assignment Type - This determines how the profile is pushed out to devices.

Auto - Automatically push out the profile to all devices.

Optional - Manually push the profile to selected devices in the location groups selected in the
assignments box.

Note: When a profile is set to optional, no devices will receive it by default. It must be manually
assigned to each device that will need it.

Location Group - The location groups (and all child location groups) that will be configured with this profile.
Any devices that enroll into these groups or their child groups will receive the profile.

Note: Always configure profiles at the Location Group level instead of the Location level.

When the General Settings are complete, select any of the profile types from the list on the left to begin creating
profiles.
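
The targeting rules in the General Settings can be modelled to check which devices a profile would reach before it is published. The following is an added example, not AirWatch code: the class and function names, the "Any" ownership label, the location-group tree, and the sample devices and profiles are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed location-group tree (child -> parent); group names are hypothetical.
PARENT = {"Global": None, "EMEA": "Global", "London": "EMEA", "Americas": "Global"}


def in_group_or_child(device_group, assigned_group):
    """True if device_group is assigned_group or one of its descendants."""
    node = device_group
    while node is not None:
        if node == assigned_group:
            return True
        node = PARENT.get(node)
    return False


def version_tuple(version):
    """'5.0.1' -> (5, 0, 1) so that versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    device_id: str
    platform: str
    model: str
    os_version: str
    ownership: str           # Corporate-Dedicated, Corporate-Shared, Employee-Owned
    location_group: str


@dataclass
class Profile:
    name: str
    platform: str
    min_os: str
    ownership: str           # "Any" (assumed label) or one ownership type
    assignment: str          # "Auto" or "Optional"
    location_groups: tuple
    models: tuple = ()       # empty = every model of the platform
    active: bool = True
    manual_devices: set = field(default_factory=set)  # only used when Optional


def evaluate(profile, device):
    """Return (receives, reason) for one profile/device pair."""
    if not profile.active:
        return False, "profile inactive"
    if device.platform != profile.platform:
        return False, "platform mismatch"
    if profile.models and device.model not in profile.models:
        return False, "model not targeted"
    if version_tuple(device.os_version) < version_tuple(profile.min_os):
        return False, "OS below minimum"
    if profile.ownership != "Any" and device.ownership != profile.ownership:
        return False, "ownership filtered"
    if not any(in_group_or_child(device.location_group, g)
               for g in profile.location_groups):
        return False, "outside assigned location groups"
    if profile.assignment == "Optional" and device.device_id not in profile.manual_devices:
        return False, "optional profile not manually assigned"
    return True, "receives profile"


def byod_auto_targets(profiles, devices):
    """Employee-owned devices reached by an Auto profile with no ownership filter."""
    hits = []
    for p in profiles:
        if p.assignment != "Auto" or p.ownership != "Any":
            continue
        for d in devices:
            if d.ownership == "Employee-Owned" and evaluate(p, d)[0]:
                hits.append((p.name, d.device_id))
    return hits


# Constructed sample data.
DEVICES = [
    Device("d1", "iOS", "iPhone 4S", "5.0.1", "Corporate-Dedicated", "London"),
    Device("d2", "iOS", "iPhone 4", "4.3.5", "Corporate-Shared", "London"),
    Device("d3", "iOS", "iPad 2", "5.0.1", "Employee-Owned", "London"),
    Device("d4", "Android", "Galaxy S II", "4.0.3", "Employee-Owned", "Americas"),
]
PROFILES = [
    Profile("Restrictions - corporate", "iOS", "5.0", "Corporate-Dedicated", "Auto", ("EMEA",)),
    Profile("Wi-Fi - all EMEA", "iOS", "4.0", "Any", "Auto", ("EMEA",)),
    Profile("VPN - on request", "iOS", "5.0", "Any", "Optional", ("Global",),
            manual_devices={"d1"}),
]

if __name__ == "__main__":
    for p in PROFILES:
        for d in DEVICES:
            print(f"{p.name:26} {d.device_id}: {evaluate(p, d)[1]}")
    print("Review before publishing:", byod_auto_targets(PROFILES, DEVICES))
```

The last function lists the pairs an administrator would want to review first: profiles pushed automatically, with no ownership filter, that land on employee-owned devices through location-group inheritance.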


Navigation
After the General Settings are configured, you can begin creating and deploying other profile types. Here are some
general guidelines for navigating through the profile creation process:

To create a new profile, select the profile type from the left navigation pane and click Configure

Fill in all the profile specific information as needed.

The specific fields used to configure each of the specific profile types are outlined in the section below
called Profile Types.

Once complete, select Save, Save and Publish, or Reset to complete the profile.

Saving the profile will save the profile configuration in the Web Console but will not deploy the profile
to devices due to its unpublished status.

Saving and publishing the profile will save the profile configuration in the Web Console, and publish
the profile so that all appropriate managed devices immediately receive the new profile.

Reset will not save any of the profile configuration and will clear out all changes.

The available profiles are listed in the Add a New Profile navigation pane. The Navigation pane also provides a quick
summary of profile status using the following indicators:

Green indicates that the profile fields under that category are complete

Grey indicates that no profiles of that type have been configured

Red indicates an error in the profile information fields

Numbers next to the profile name indicate the number of profiles created for the selected profile type

Create Multiple Profiles of One Type

AirWatch profile management allows the administrator to configure multiple profiles for many of the profile categories
(for example, Wi-Fi, Email Settings, or LDAP). To create more than one profile for a select profile type:

Click on the profile name to open the profile editing window (if necessary, click Configure to add the initial
profile)

To add another profile, click on the plus sign (+); to delete the selected profile, click on the minus sign (-)

To scroll through the profiles, click on the arrows. Or, select a specific page by clicking on the corresponding
circle. The example image below shows six circles, each of which represents a profile page:

Note: It is important to distinguish between creating multiple profiles of one type (for example, numerous
Email profiles), which is a recommended practice, and multiple profile payloads (for example, creating an Email
and a Wi-Fi profile at the same time), which is not a recommended practice.

Device Profile Capabilities


Profile capabilities vary according to the device type. The tables below provide a summarized description of the profile options
for the device/Operating System:

iOS Profiles

Profile Name - Short Description

Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. If multiple profiles enforce separate passcode policies on a single device, the most
restrictive policy will be enforced.

Restrictions - Restrictions profiles limit the features available to users of managed devices by restricting the use of
specific features such as YouTube, the iTunes Store, or the on-device camera.

Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note
of the iOS 5+ only options.

VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can
securely access corporate infrastructure from remote locations.

Email - Allows the administrator to configure IMAP/POP3 email accounts.

Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.
Please note that there are pre-populated look-up value fields and options that only apply to iOS 5+.

LDAP - LDAP allows configuration with LDAPv3 directory information. The fields in this section support
lookup values. Click on the tool tip for values and definitions.

CalDAV - CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise
CalDAV server. The fields in this section support lookup values. Click on the tool tip for definitions.

Subscribed Calendars - Subscribed Calendars provides calendar configuration. The fields in this section support lookup
values. Click on the tool tip for definitions.

CardDAV - This section allows for specific configuration of CardDAV services. The fields in this section
support lookup values. Click on the tool tip for definitions.

Web Clips - Web Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick
access to common web resources (for example, you could add the online version of the iPhone User
Guide to the home screen).

Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it,
ad-hoc certificate requests can be configured as well.

SCEP - The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple
Certificate Enrollment Protocol (SCEP).

Advanced - Advanced profiles allow for advanced access point configuration.

Custom Settings - Custom Setting profiles allow for custom XML profile to be included in the profile payload.


Android Profiles

Profile Name - Profile Description

Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. If multiple profiles enforce separate passcode policies on a single device, the most
restrictive will be enforced.

Restrictions - Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions
include device functionality, Sync and Storage, Bluetooth, Roaming, and Tethering restrictions.

Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.

VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can
securely access corporate infrastructure from remote locations.

Email Settings - Email profiles send email configurations directly to devices so that end-users automatically receive
email.

Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.
Exchange can now be set up with the native mail client on Samsung devices using the Ice Cream
Sandwich operating system.

Bookmarks - Bookmark profiles work in the same manner as Webclip profiles. Bookmarks are customized web
shortcuts that will be pushed down to the Home screen of the user's device. Multiple bookmarks can
be added per profile by clicking on the plus (+) sign in the top right corner of the window.

Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it,
ad-hoc certificate requests can be configured as well. Multiple credential configurations can be added
per profile by clicking on the plus (+) sign in the top right corner of the window.

BlackBerry Profiles

Profile Name

Profile Description

Device

Device profiles determine various device-specific options such as backlight brightness, backlight
timeout, GPS sampling, and GPS sample intervals.

Telecom

Telecom profiles specify various telecom options such as 411 redirections, and SMS sampling
options.

Advanced

Advanced allows for custom configuration of BlackBerry Logs.

Custom Settings

Custom Setting profiles allow custom XML to be included in the profile payload.


Symbian Profiles
Profile Name

Profile Description

Passcode

Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected. This profile allows for a reset of an administrator-set passcode.

Wi-Fi

Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.

Exchange ActiveSync

The administrator has the option of setting the frequency of syncing calendar and emails on a mobile
device using Microsoft Exchange EAS profiles.

Custom Settings

Custom Setting profiles allow a custom XML profile to be included in the profile payload.

Windows Phone

Profile Name

Profile Description

Passcode

Passcode profiles require end-users to protect their devices with passcodes each time they return
from idle state. This ensures that all sensitive corporate information on managed devices remains
protected.


Profile Descriptions
Passcode
Passcode profiles require end-users to protect their devices with a passcode. If multiple profiles enforce separate
passcode policies on a single device, the most restrictive will be enforced.

Require passcode on device - Force user to set a passcode on the device

Allow simple value - Allows simple password values (for example, 1111 or 1234)

Require alphanumeric value - Requires passcode with letters and numbers

Minimum Passcode length - Sets a minimum required passcode length

Maximum passcode age (days) - Sets the number of days until a password expires

Auto-Lock (min) - Sets timeout for the device to automatically lock and require a passcode for entry

Passcode history - Sets the number of previous passwords that cannot be reused

Grace period for device lock (min) - Time period after device lock where passcode is not required for reentry

Maximum number of failed attempts - Number of failed passcode attempts before the device is wiped


Restrictions
Restrictions profiles (only available for iOS and Android) limit the features available to users of managed devices by
restricting the use of specific features such as YouTube, the iTunes Store, or the on-device camera.

Device Functionality - Determines what functions a device user can perform.

Applications - Determines what applications a device user can access.

Ratings - Restricts access to Movies, TV Shows, and Apps based on specific ratings.

Note: Additional restrictions profiles are available for iOS 5 devices and Android Samsung devices.


Wi-Fi
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access to corporate Wi-Fi networks.

Service Set Identifier - To configure Wi-Fi profiles, select the appropriate wireless protocols and security
settings for the Wi-Fi network.

Proxy - Allows the administrator to configure a proxy server.

Add multiple accounts by clicking the plus (+) button, or create Wi-Fi profiles in bulk by navigating to
Profiles and Policies -> Profiles -> Bulk Import.


Email
Email profiles allow the administrator to configure IMAP/POP3 Email accounts for incoming and outgoing mail.

Add multiple accounts by clicking the plus (+) button

Note: Certain iOS Email profile features are only available for iOS 5 devices.

Note: Enhanced Email Settings functionality is available for Android Samsung devices.


Exchange ActiveSync
Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure.

Create a profile for a specific user by specifying the domain name, user name, Email address and
password. Or, leave the password field blank and the users will be prompted for their password (for this
configuration, the username field requires a lookup value).

If certificates are used to validate the ActiveSync connection and you wish to include them in the profile,
select one of the two options listed under Certificate Type.

Uploaded Certificate - Upload a certificate and include a passphrase that the user must enter before
receiving the certificate.

Certificate Authority - Specify the Certificate Authority in existence on the local network as the source of
the certificate.

Configure multiple Exchange accounts by clicking the Add (+) button.


LDAP
LDAP profiles provide easy configuration with LDAPv3 directory information.

The fields in this section support lookup values. Click on the tool tip for values and definitions.

Add multiple accounts by clicking the plus (+) button.

Please refer to the section on LDAP integration for more information on LDAP.


CalDAV
CalDAV profiles can be configured with information to allow users to sync wirelessly with the enterprise CalDAV server.

The fields in this section support lookup values. Click on the tool tip for definitions.

Subscribed Calendars
Subscribed Calendars manages corporate calendar integration and subscriptions.

The fields in this section support lookup values. Click on the tool tip for definitions.


CardDAV
CardDAV allows the administrator to configure specific CardDAV services.

The fields in this section support lookup values. Click on the tool tip for definitions.


Web Clips
Web Clip profiles send down clickable hyperlinks in the form of an icon onto devices for quick access to common web
resources (For example, to add the online version of the iPhone User Guide to the Home screen, specify the web clip
URL: http://help.apple.com/iphone/). Web Clips are also used to deploy the AirWatch App Catalog and to enable the
Self-Service Portal.

The label will be the name that appears on the screen.

The URL will be the address that the user will be redirected to on the device (can be internal or external).

Removable will specify whether or not the user has the ability to remove the WebClip from their device.

Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format.

For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
converted to png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
57 pixels for all other devices.

Precomposed Icon - Checking this box will stop the device from adding a shine to the icon.

Full Screen specifies that the address will be loaded full screen on the device without the Safari address
bar and borders.

Add Multiple WebClips by clicking on the plus (+) sign.


Credentials
Credentials profiles deploy corporate certificates to managed devices.

The Credentials profile also provides a field for configuring Ad-hoc certificate requests (if supported by the
network).

Add multiple credentials configurations by clicking on the plus (+) sign.


SCEP
The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate
Enrollment Protocol (SCEP).

For more information on Certificate use and integration, please refer to the section on Certificate
Infrastructure Integration.

Advanced

Advanced profiles allow for advanced Access Point configuration.



Custom Settings
Custom Setting profiles allow for custom XML profiles to be included in the profile payload.

Custom Setting profiles allow administrators to directly input the XML code that is deployed to iOS devices over
the air and that defines the settings of a configuration profile, in the event that new device platform capabilities
are released before the VSDM profile capabilities are updated.

Custom profiles always open and close with the <dict> tags, and contain at a minimum, the following
profile keys:

PayloadDisplayName - Optional. Name of the profile to be deployed to the device

PayloadDescription - Optional. Description of the profile to be deployed to the device

PayloadVersion - The version of the payload to log updates and modifications

PayloadIdentifier - A reverse DNS format identifier that is unique to this specific payload

PayloadUUID - A globally unique identifier for the payload.

PayloadOrganization - Optional. The organization that deployed the profile payload

PayloadType - The type of payload that is going to be configured. For example, this defines whether
the payload will be a passcode payload, Wi-Fi payload, or restrictions payload.


A sample of how these keys are deployed in the custom profile is shown below.
<dict>
    <key>PayloadDescription</key>
    <string>Configures 15-min autolock for iPads</string>
    <key>PayloadDisplayName</key>
    <string>15min AutoLock</string>
    <key>PayloadIdentifier</key>
    <string>com.autolock.fifteenmin.passcode1</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadUUID</key>
    <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>

Next, once a PayloadType is defined, administrators must add the payload-specific keys that define the
settings for that type of profile. These all depend on the type of payload that the administrator is trying to
deploy. For iOS devices, a list of all currently available payload-specific property keys can be seen here:
http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

Once these payload-specific fields are defined, the profile will be ready to deploy. A completed sample
custom profile that enables a 15-minute auto-lock through an iPad passcode profile is shown below.
<dict>
    <key>PayloadDescription</key>
    <string>Configures 15-min autolock for iPads</string>
    <key>PayloadDisplayName</key>
    <string>15min AutoLock</string>
    <key>PayloadIdentifier</key>
    <string>com.autolock.fifteenmin.passcode1</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadUUID</key>
    <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>forcePIN</key>
    <true/>
    <key>maxInactivity</key>
    <integer>15</integer>
</dict>
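A pre-deployment check for the custom payload format described above, as an added example (not AirWatch code): it parses the bare <dict> fragment with Python's plistlib and reports missing required keys, wrong value types, and repeated keys whose later value would silently override the earlier one. The function and constant names and the constructed bad sample are assumptions made for illustration.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

# Keys the guide lists without marking them "Optional".
REQUIRED_KEYS = ("PayloadVersion", "PayloadIdentifier", "PayloadUUID", "PayloadType")
REVERSE_DNS = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
UUID_FORM = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Value types for the payload-specific keys that appear in the guide's sample.
TYPED_KEYS = {
    "com.apple.mobiledevice.passwordpolicy": {"forcePIN": bool, "maxInactivity": int},
}

# The completed sample from the guide.
GUIDE_SAMPLE = """
<dict>
  <key>PayloadDescription</key><string>Configures 15-min autolock for iPads</string>
  <key>PayloadDisplayName</key><string>15min AutoLock</string>
  <key>PayloadIdentifier</key><string>com.autolock.fifteenmin.passcode1</string>
  <key>PayloadOrganization</key><string></string>
  <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>PayloadUUID</key><string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>forcePIN</key><true/>
  <key>maxInactivity</key><integer>15</integer>
</dict>
"""

# Constructed input with typical paste errors (not from the guide).
CONSTRUCTED_BAD = """
<dict>
  <key>PayloadIdentifier</key><string>autolock</string>
  <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>PayloadVersion</key><string>1</string>
  <key>forcePIN</key><string>true</string>
  <key>maxInactivity</key><integer>15</integer>
  <key>maxInactivity</key><integer>60</integer>
</dict>
"""


def validate_custom_payload(fragment):
    """Return a list of problems found in a bare <dict>...</dict> payload."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
               + fragment.strip() + "</plist>").encode("utf-8")
    try:
        children = list(ET.fromstring(wrapped))
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if len(children) != 1 or children[0].tag != "dict":
        return ["payload must be one element that opens and closes with <dict>"]

    problems = []
    # plistlib keeps only the last value of a repeated key, so a pasted
    # duplicate silently overrides the earlier setting; catch it on the raw XML.
    names = [child.text or "" for child in children[0] if child.tag == "key"]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append("duplicate key " + name)

    try:
        payload = plistlib.loads(wrapped)
    except Exception as exc:  # any parser failure is a finding, not a crash
        return problems + ["not a valid property list: %s" % exc]

    for key in REQUIRED_KEYS:
        if key not in payload:
            problems.append("missing required key " + key)

    def check(key, ok, message):
        if key in payload and not ok(payload[key]):
            problems.append(message)

    # type() rather than isinstance(): <true/> parses to bool, a subclass of int.
    check("PayloadVersion", lambda v: type(v) is int,
          "PayloadVersion must be an <integer>")
    check("PayloadIdentifier", lambda v: isinstance(v, str) and REVERSE_DNS.fullmatch(v),
          "PayloadIdentifier is not in reverse DNS format")
    check("PayloadUUID", lambda v: isinstance(v, str) and UUID_FORM.fullmatch(v),
          "PayloadUUID is not a UUID")
    check("PayloadType", lambda v: isinstance(v, str) and v != "",
          "PayloadType must be a non-empty <string>")

    ptype = payload.get("PayloadType")
    typed = TYPED_KEYS.get(ptype, {}) if isinstance(ptype, str) else {}
    for key, expected in typed.items():
        if key in payload and type(payload[key]) is not expected:
            problems.append("%s must be %s" % (key, expected.__name__))
    return problems


if __name__ == "__main__":
    for label, sample in (("guide sample", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, validate_custom_payload(sample) or "OK")
```

Extend TYPED_KEYS with the payload-specific keys your own profiles use before relying on the type checks.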


Creating Wi-Fi Profiles in Bulk


Creating Wi-Fi profiles in bulk allows the administrator to publish Wi-Fi profiles to users according to their Location Group. The
Bulk Import feature provides the same Wi-Fi configuration settings as the single Wi-Fi profile provisioning except that it
allows simultaneous configuration of many profiles across Location Groups. In addition to creating new bulk profiles, the bulk upload
feature allows the administrator to perform the following tasks:

Change the Location Group for an existing Wi-Fi profile

Edit existing Wi-Fi profiles

Manage Password settings in bulk

Create Bulk Wi-Fi Profiles


To create Wi-Fi profiles in bulk:

Navigate to Profiles & Policies -> Profiles


Click Bulk Import to open the Batch Import Form

Fill in the basic information:

Batch Name - The name of the user or device batch (for reference purposes in the Web Console)

Batch Description - A description of the particular user or device batch (for reference purposes)

Batch Type - Select WiFi Profiles from the menu

Click the icon to open up the Bulk Import Help Topic Form:


From here, select the Download Template button to download the Batch Import Template.

Click Open to open the template.

Enter in all relevant Wi-Fi profile information for each group (defined by Location Group). Five sample
users have been added to the top of the template for reference on what type of information to put into
each column. Required fields are designated with a *.

Please note:

Column A, Use Case, refers to the profile type (Add, Edit, or Change)

Change allows the administrator to change the Model (device) and Assigned Location Group fields for
an existing profile.

Add creates a new profile.

Edit allows the administrator to edit an existing profile (creates a new Wi-Fi configuration).

Column E, Location Group, specifies the location group permissions for editing the Wi-Fi profile. Every
administrator placed one level higher than this location group (and above) will be able to edit the
designated Wi-Fi profile.

Column F, Assigned Location Group, designates the location group to which the profile will be
deployed.

Once complete, save the template as a .csv file.

Select Browse from the Batch Import Form, and select the .csv file that was just created from the
template.

When complete, click Save.


Manage Bulk Wi-Fi Profiles


View the status of batch profile imports by selecting Batch Status under Available Views on the Profiles page.

This screen displays Batch profile data, including:

Batch Status:

Complete indicates that the batch import was completed successfully.

Error indicates a problem with the batch import.


Click on the error icon under the Action column to view error details.

Action

Blank indicates no pending actions.

An error icon indicates that the batch import did not complete.

Click on the icon to view the errors by row number and error description.


Best Practices
The following tips will help administrators more efficiently manage their smart device fleet through the profile management
tools in the AirWatch Web Console:

Pay close attention to the device ownership type (Corporate-Dedicated, Corporate-Shared, or Employee-Owned)
when specifying the profile General Settings.

For example, the administrator may want to deploy more stringent Restrictions profiles to corporate-owned
devices than to employee-owned devices

Profile assignments change with location group assignments.

For example, if you move a user to a new location group, the profiles associated with the original location
group will be removed and the user will inherit the profiles associated with the new location group.

For maximum Email security, use Email profiles in conjunction with the AirWatch Secure Email Gateway.

To quickly create multiple profiles with similar deployment settings, use the Copy action to copy the original
profile and then make changes where necessary.


Application Management
AirWatch's mobile application management solution enables the administrator to wirelessly distribute and manage internal,
public, and purchased apps across the mobile device fleet. Furthermore, the AirWatch Enterprise App Catalog allows the
corporation to build secure business applications, which can be deployed, managed and secured alongside public apps via a
custom app catalog. Through the Application management tools in the AirWatch Web Console, administrators can allow users
to effortlessly view, install, and update both internal and public applications.

Enabling the AirWatch App Catalog


The first step to deploying applications through AirWatch is deploying the Enterprise App Catalog in the form of a
webclip (iOS) or bookmark (Android) profile:

Navigate to Profiles & Policies -> Profiles.

Select Add.

The Select Platform Form will appear. Choose Android or Apple based on the device you would like to
configure.

Configure the profile General Settings.

Select the webclip profile type for iOS or the bookmark profile type for Android on the left profile list.

Choose Configure, and fill in all Webclip profile or Bookmark profile parameters.

Label - The name displayed on managed devices for the webclip. For example, AirWatch App Catalog
could be used.

URL - The App Catalog URL is in the format of
https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid} where
<YourEnvironment> is the enrollment URL assigned to your corporation.

Note: If you are in a Shared SaaS environment, use the convention:
https://dsXX.airwatchportals.com/devicemanagement/AppCatalog?uid={DeviceUid}. For example, if you are in
the CN22 environment, use https://ds22.airwatchportals.com/devicemanagement/AppCatalog?uid={DeviceUid}

Note: You can also change the landing page for the App Catalog. Use the conventions listed below:

Internal: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=Internal

Public: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=public

Categories:
https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=categories

Purchased:
https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=purchased

Updates: https://<YourEnvironment>/devicemanagement/AppCatalog?uid={DeviceUid}&defaultTab=updates

Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format.

For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in
size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and
converted to png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x
57 pixels for all other devices.

When complete, select Save and Publish to immediately deploy the Web-Based AirWatch App Catalog to
all appropriate devices.


Recommending Public Applications


Once AirWatch App Catalog has been successfully deployed to the smart device fleet, administrators can begin recommending
public applications and distributing corporate applications through the Web Console. To recommend public apps to the
AirWatch App Catalog from the Web Console:

Navigate to Apps & Profiles -> Applications.

Select Public from the Applications menu on the left

Select Add Application

Fill in the Add Application Form with all required fields.


Managed By - Location Group with permission to edit the Application

Platform - Apple or Android

Name - Name you would like to give the Application

Search Apple Store (iOS only) - Searches the Apple store automatically for the Application and populates all app
details in the next form. Android devices will need to fill in this information manually.

Select Continue.


If you selected to Search the Apple Store then your profile will already be populated as shown below and you will
only need to put in basic parameters.

Otherwise, your application will look like this and you will need to put in the following information.

Click Upload to select the icon for the application

Enter additional application information:

For iOS devices, use the URL for the specific application in the iTunes Store that is in the format of
http://itunes.apple.com/* where * is specific to the application.


If viewed in a browser, the page will look similar to this. In this example, the URL for the Skype iOS application is
http://itunes.apple.com/us/app/skype/id304878510?mt=8

For Android apps, use the URL for the specific app in the Android Market that is in the format of
market://details?id=* where * is the package identifier of the Android App.

To get the package identifier of the Android App, navigate to the Android Market via a web browser at
https://market.android.com/.

Find the application page for the specific Android app you are looking for. For instance,
https://market.android.com/details?id=com.alphonso.pulse for the Pulse News Reader application.

Exchange the https://market.android.com/ section with market://. For the Pulse News Reader example, the
appropriate URL would be market://details?id=com.alphonso.pulse

Comments - The additional comments displayed when end-users click on the recommended app in the App
Catalog

Reimbursal - Designates whether or not a corporation will reimburse end-users for the purchase of this app. A
small icon will be shown in AirWatch App Catalog indicating whether or not an app is reimbursed.

Rank - A rating system of 1-5 stars that is displayed in the App Catalog

iOS5 Only. If the application is going to be deployed to iOS5 devices, fill in the following fields:

Remove On Unenroll - Determines if the application will be removed when a device is unenrolled

Push Mode - Determines if the application is automatically or manually installed

When complete, click Save and the recommended app will be added to the App Catalog.
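The store URL formats described above for the URL field, as an added example (not AirWatch code): it checks that a recommended app's link points at the official store host and performs the https://market.android.com/ to market:// conversion for Android. The function names are assumptions, and accepting https as well as http for iTunes links is an assumption beyond the format the guide gives.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Android package identifiers: two or more dot-separated segments,
# each starting with a letter.
PACKAGE_ID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def android_market_url(web_url):
    """Turn an Android Market web page URL into the market:// form."""
    parts = urlsplit(web_url.strip())
    # Exact host comparison, so a lookalike host that merely starts with
    # "market.android.com" is rejected.
    if parts.scheme != "https" or parts.hostname != "market.android.com":
        raise ValueError("not an https://market.android.com/ URL")
    if parts.path != "/details":
        raise ValueError("not an application details page")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_ID.fullmatch(ids[0]):
        raise ValueError("missing or malformed package identifier")
    return "market://details?id=" + ids[0]


def ios_store_url(url):
    """Accept only iTunes Store links that name a specific application."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https") or parts.hostname != "itunes.apple.com":
        raise ValueError("not an itunes.apple.com URL")
    if parts.path in ("", "/"):
        raise ValueError("URL does not point at a specific application")
    return cleaned


def catalog_url(platform, url):
    """Return the value to enter in the URL field for the given Platform."""
    if platform == "Android":
        return android_market_url(url)
    if platform == "Apple":
        return ios_store_url(url)
    raise ValueError("Platform must be Apple or Android")


if __name__ == "__main__":
    print(catalog_url("Android", "https://market.android.com/details?id=com.alphonso.pulse"))
    print(catalog_url("Apple", "http://itunes.apple.com/us/app/skype/id304878510?mt=8"))
```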

Deploying Internal Enterprise Applications


Once AirWatch App Catalog has been successfully deployed to the smart device fleet, administrators can begin recommending
public applications and distributing corporate applications through the Web Console. To distribute corporate applications to
AirWatch App Catalog from the Web Console:

Navigate to Apps & Profiles -> Applications.

Select Internal from the Applications menu on the left

Select Add Application

The Add Application Form will appear. Fill in all general parameters as needed. Some of the fields are highlighted
below.

Managed By - Location Group with permission to edit the Application

Platform - Apple or Android

Application File - Location of the application file. Apple applications are uploaded in the form of an .ipa file,
and Android applications are uploaded in the form of an .apk file.

Select Continue and fill out all additional fields described below as needed.


On the Info tab, fill out the following:

Name - This will be the app name which is displayed on the device

Application ID - If you are uploading an Android app, this field must be the application's Package Identifier.
If it is an iOS app, this MUST be the application's bundle identifier

Version - Version of the application

On the Descriptions tab, fill out the following optional details:

Description/Keywords - Enter a description about the application to be displayed in the App Catalog

URL - Enter a website address that has more information about the application

Support Email/Support Phone - Enter contact information for application support

Internal ID/Copyright - Used for internal purposes

Images: Optionally upload screenshots of the application in use to be displayed on the application page along with
the description prior to downloading the application from the App Catalog

EULA: Optionally enter an End User License Agreement you wish to require before installing the application


On the Files tab, enter the following:

Application file/Provisioning profile - Automatically populated when the application is uploaded.

Application supports APNs - States if the application supports Apple Push Notifications Services.

If yes, uploading the APNs Certificate is required

Application uses AirWatch SDK - States if the application is built using AirWatch Software Development Kit to
increase its functionality inside of AirWatch portal.


Lastly, on the Assignments tab, enter the following:

Minimum OS - Sets the minimum OS requirements for the application

Models - Designates the application for only specific models

Device Ownership - Assigns the application to devices with a specific ownership

Effective Date/Expiration Date - These allow you to set dates for when the app will either become active
or expire.

Location Groups - This box contains all the Location Groups that the application will apply to. This is entirely
different from the setting above which simply changes the administrative privileges on the app.

iOS5 Only. If the application is going to be deployed to iOS5 devices, fill in the following fields to enable enhanced
application deployment and management:

Remove on Unenroll - Determines if the application is removed when a device is unenrolled

Push Mode - Determines if the application is installed automatically or manually

When complete, click Save to deploy the internal application to the AirWatch App Catalog.


Managing Apple VPP Application Orders


AirWatch offers a robust solution to Apple Volume Purchase Program application management and distribution. The sections
below will outline how administrators can leverage this new feature with the capabilities of AirWatch mobile device
management to easily manage and distribute iOS application orders to the smart device fleet.

The Apple Volume Purchase Program allows businesses and educational institutions to purchase publicly
available applications or specifically developed third-party applications in volume for distribution to
corporate devices.

The process of deploying applications in volume throughout a business or educational institution with the Volume Purchase
Program can be separated into three main components:

VPP Enrollment - First, businesses and education institutions must enroll in the program and verify with Apple that they are a
valid business or institution.

To register for the VPP, navigate to http://www.apple.com/business/vpp for businesses, or to
http://www.apple.com/itunes/education/ for education institutions.

More information regarding the Apple Volume Purchase Program, how it works, and program prerequisites can be
found at the links above.

App Purchasing - Once enrolled in the Volume Purchase Program, businesses and educational institutions can purchase
applications in bulk through the Volume Purchase Program Website at https://vpp.itunes.apple.com/us/store.

Log in with the VPP Apple ID created during the enrollment process.

Find applications, define the quantity, and purchase with a corporate credit card.

App Deployment - Once applications have been purchased, they can be distributed throughout a smart device fleet through
the use of redemption codes. For each application purchase, there is an associated redemption code for end-users to redeem
a single copy of the application.

These redemption codes are managed through a Redemption Code Spreadsheet available at the Volume Purchase
Program Website. This spreadsheet contains details such as the redemption code, redemption status, and most
importantly, a redemption URL that an end-user could use to automatically validate the code and install the
program through the App Store.

It is during this final step, App Deployment, that AirWatch Mobile Device Management can be leveraged to enhance
management and distribution to a corporate smart device fleet. For businesses and educational institutions that do not have
any Mobile Device Management capabilities, Apple provides two solutions to deploying redemption URLs to end-users:

Emailing the redemption URL directly to end-users

Posting the redemption codes and URLs directly to a corporate intranet site

The sections below will describe how AirWatch can be leveraged to automate and simplify this application distribution
process.


Uploading an Apple VPP Redemption Code Spreadsheet


The first step to managing and deploying VPP Application Orders through AirWatch is uploading the Apple VPP
Redemption Code Spreadsheet to the AirWatch Web Console. The steps below outline this process:

Navigate to Apps & Profiles -> Orders to open the Orders Page.

Select the Add button in the upper left-hand corner of the page.

This will open the Add Order Form where new VPP Application Orders are first created. Upload the CSV
that you downloaded from the VPP Portal by selecting Choose File

After you have selected the appropriate Apple VPP Redemption Code Spreadsheet, click the button to
continue to the Product Selection Form.


If the Apple VPP Redemption Code Spreadsheet contains licenses for multiple applications, several
products can be listed on this form. Only one can be selected per new order. Locate the appropriate
product, and then click the button to finish uploading the spreadsheet.

You will now be back on the Order Page in the Web Console, and your new Order will be shown with a
New status. Orders with a New status are not yet activated for distribution and redemption to the device
fleet.

To activate the new Order, click on the blue Order Number to open the Order Activation Form.


From here, enter all necessary Order Information. All required fields are denoted with a red asterisk:

Friendly Name - The name of the Order that is displayed on the Order Page within AirWatch.

Description - A brief description of the order.

PO Number - The Purchase Order number.

Department - The corporate department that this application order will be deployed to.

Cost Center - The corporate department responsible for financial information regarding this
application order.

Total Cost - The total cost of the application order.

Cost Per License - The cost per license purchased for this application order.

Once complete, click Save and Approve to approve the order for distribution (recommended), Save to
save the information but keep the Order status as New, or Reset to reset the fields on this form.

Allocating Redemption Codes


Once the Apple VPP Redemption Code Spreadsheet has been uploaded and the order has been approved for
distribution, the administrators can begin allocating the redemption codes for individual application purchases
throughout the device fleet. To do this:

Navigate to Apps & Profiles -> Orders to open the Orders Page.

Locate the specific order to be allocated from the Order List by Order number, friendly name, product
name, or order date.

Once the specific order is located, click the Allocate button on the same row.

This will open the Application Assignment form shown below.


From here, you can allocate licenses to specific Location Groups and User Accounts by clicking the Add
button, or you can choose to reserve licenses for later redemption by placing them On-Hold.

To allocate licenses by Location Group:

Click Add.

Type and select the name of the Location Group in the text box shown below.

Make sure the All Users button is selected.

To allocate licenses by User Accounts:

Click Add.

Type and select the name of the Location Group at which the user accounts were created in the text box
shown below.

Check the Selected Users button.

Click on the blue Selected Users Link that appears to open the User Select form.

From here, select all specific User Accounts on the left, and click to provision an
individual redemption code to this specific user.


When all users have been selected, click to return to the Application Assignment Form.

Lastly, enter the number of licenses to allocate to the selected users in the Allocated Text Box.

To allocate a single license to each selected user, type the same number that is shown in the Users
Text Box into the Allocated Text Box. If fewer are allocated, only the first users to use their redemption
code will be able to install the application.

To save redemption codes for later use by placing them On Hold:

Enter the number of redemption codes that you want to place on hold in the On-Hold Text Box.

Once all the available licenses have been allocated, click to finish allocating the redemption
codes.


Creating Purchased Application Messages and Notifying Device-Users


Once the VPP application licenses have been allocated, administrators have the ability to notify device-users that their
application download is available by leveraging the device notification capabilities of AirWatch MDM.
By default, AirWatch is configured to send an Email to end-users to notify them that the specific VPP application is
available for download. However, to create custom Purchased Application Messages, or to enable SMS/Push-based
Purchased Application Messages:

Navigate to Configuration -> System Settings.

Select System -> General -> Message Templates from the navigation menu on the left to open up the
Message Template Form.

Click to open the Add/Edit Message Template Form.

Fill in all required parameters on the Add/Edit Message Template Form.

Subject - The subject of the email message, if email is selected as a delivery method.

Description - A description of the message used internally by AirWatch to describe this
template.

Category - The message template category. For VPP Application Messages select Application.

Type - The type of message to be sent; a subcategory of the message template category. For VPP
Application Messages, select Purchased Application.

Device Ownership - A parameter to limit the message delivery to only devices belonging to the
specified device ownership category.

Primary Delivery Method - The main method of message delivery to end-users.

Alternate Delivery Method - An additional method of message delivery to end-users. This type of
message will be sent in addition to the message specified in the primary delivery method.

Effective Date - The start date on which this message template will begin taking precedence over the
default message bodies specified by the AirWatch system.

Expiration Date - The end date on which this message template will stop being delivered to end-users
instead of the default AirWatch system message templates, or other currently effective message
templates.

Select Language - A parameter to limit the message delivery to only devices belonging to users who
understand the specified languages.

Email / SMS / Agent Check Boxes - Check any of these boxes to enable message configuration for
each respective message type.

Message Bodies - The message that will be displayed on end-user devices for any of the respective
message types. Use the {ApplicationName} lookup value to dynamically populate the name of the
application for download in the messages displayed on end-user devices.

Once the form has been completed, select Save to complete the custom Purchased Application Message.

Once the custom purchased application messages have been created, or administrators choose to use the default
purchased application email message template, notifications can be sent out over-the-air to all end-users. To send the
Purchased Application Messages to end-users:

Navigate to Apps & Profiles -> Orders to open the Orders Page.

Locate the specific order to be allocated from the Order List by Order number, friendly name, product
name, or order date.

Once the specific order is located, click the Notify button on the same row.


Managing the VPP Application Deployment


Once the VPP Application Orders have been allocated to the device fleet, and end-users have been notified, the VPP
Application Deployment will be in effect. During this period, administrators can use the Orders page in the Web Console
to manage and monitor the status of their Application deployment.
From the Orders Page in the Web Console administrators can:

View the Order Status:

- The order has recently been uploaded to AirWatch and is awaiting Approval before
beginning allocation to end-users.

- The order has been approved, but has not been allocated throughout the device fleet or
end-users notified.

- The order has been approved by Apple, allocated to the device fleet, and end-users have
been notified.

View the Order Redemption Status:

See total number of Purchased application vouchers, the number of Redeemed vouchers that have
been used by end-users, and number of Remaining vouchers that end-users can still redeem in the
future.

Reallocate licenses, Renotify end-users, or Delete the VPP Application Order

From the Products View on the Orders Page in the Web Console administrators can:

Activate or Deactivate VPP Product Orders for redemption:

The Green and Red dots in the status category indicate Active and Inactive VPP Product Orders
respectively.

To toggle between an active and inactive status, click on the dots.

Renotify end-users


From the Licenses View on the Orders Page in the Web Console administrators can:

View each Individual License Status:

- The license has not been used by the end-user but is available for redemption.

- The license belongs to a VPP Product Order with an Inactive Status. The license
information is still in the AirWatch system and can be set to Active for later redemption.

- The license was redeemed by a device that is not under AirWatch MDM.

- The license was redeemed by a managed device through AirWatch.

View the License User and Date Redeemed:

Licenses with a redeemed status will have fields for Assigned To and Date Redeemed indicating the
User Account who purchased the application, and the date at which he/she purchased it.

Best Practices

To track public applications on employee devices through the Device Details and Device Control Panel, ensure that
the Web Console Privacy Settings (specified in Configuration -> System Settings -> Device -> General -> Privacy) allow
for the collection and display of application data.

Some applications may have specific device prerequisites (for example, iCloud settings) in order to be fully
functional. Investigate application requirements before pushing applications to end-users. Either enable the
appropriate settings for end-users, or inform end-users of any settings requirements.

Use the AirWatch SDK for maximum security and functionality in building secure internal business applications.


Content Management
AirWatch's Mobile Content Management solution, Secure Content Locker, allows IT administrators to manage document
distribution and mobile access to corporate documents through a web-based console. Our Secure Content Locker application
enables your employees to securely access corporate resources on-the-go from their mobile devices. Whether your company
is looking to distribute annual reports to shareholders or the latest presentation to the sales force, AirWatch ensures all
corporate information is protected.

Content can be configured to be accessed in online or offline modes and content data is encrypted on the device. The
following document level content is supported in the Secure Content Locker:

iWork: Keynote (including Keynote '09), Numbers (including Numbers '09), Pages (including Pages '09)

MS Office: Excel, PowerPoint and Word

Pictures: JPG and PNG formats

Other: PDF, XML, Text, Rich Text Format (RTF) and HTML

Content is managed at the Location Group level using a new Content menu/user interface.

Similar to profiles and applications, content is created at a Location Group but can be assigned to one or many child Location Groups.

Additionally, content can be made available to devices/end users based on device ownership.


Publishing an Individual Document


To distribute a document over-the-air through the AirWatch Secure Content Locker:

Navigate to Content -> Content Management.

Select Add Document to open up the Add Document Form.

Select a Location Group.

Click Upload and select the document that you want to distribute.

Only the following formats are compatible: PDF, Numbers, Pages, Keynote, Word, PowerPoint, Excel, HTML,
XML, Text, RTF, JPG, PNG.

Click Continue.


Enter all basic information:

Red asterisks denote required fields.

Document Categories are used in the Secure Content Locker application to organize and group documents.
Each document can belong to multiple categories as shown above.

Select the Details Tab to put in more details if needed.

No details are required, but they add additional information about the document that can be shown in the
Secure Content Locker application.


Select the Security Tab to configure access control settings.

Check the first two boxes to permit SCL documents to be opened in third party applications or email.

Choose whether the document will be available offline when the device is not communicating with AirWatch.

Select whether to encrypt this document when it has been downloaded on the device.

Note: This is recommended for all sensitive corporate material. Only documents that are considered public-facing should not be encrypted if the administrator wishes to save processing time on all devices while
opening the document.

Lastly, choose whether to allow annotating (commenting and marking up) of PDF documents.

Select the Assignment Tab to filter the recipients of the document.

Select a device ownership to only send the document to devices enrolled under that ownership category.

Assign the document to be deployed to one or more location groups. This is required.

Select the Deployment Tab to specify advanced deployment options for the document.

Transfer Method - Select whether the document will be sent to the end-user at any moment, or only when
the device is connected to Wi-Fi.

Download Type - Select On-Demand to allow the end-user to download the document when they want to, or
Automatic to send the document to the device as soon as it enrolls and downloads the Secure Content Locker
application.

Download Priority - The priority in which the file will download if queued with additional documents. For
instance, if two documents are waiting to be downloaded and they have a different download priority, the
higher priority document will download first.

Effective and Expiration Date - The dates on which the document will become available and disappear in the
Secure Content Locker application.

Once complete, click Save to finish the process.


Publishing Documents in Bulk


In order to upload and distribute multiple documents:

Navigate to Content -> Content Management.

Select Bulk Import to open the Batch Import Form.

Enter a Batch Name and Batch Description.


Click the button to open up the Content Locker Import Help Topic. From here, download the Content Locker
Import Template.

Enter all necessary information in the template and save. Make sure to save as a .csv file.

All required fields are denoted with an asterisk (*).

To select a local copy of a document from your computer, enter the FilePathType (Column B) as filepath. To
download the document from a web address, enter http.

Separate multiple categories with a semicolon (;).

All remaining columns contain fields that have been explained in the single document upload process.

When complete, save the file as a .csv and upload it into the Batch Import Form.

Select Save to complete the process.


Creating Document Categories


Document categories help organize content and group related documents together to simplify and enhance the end-user
experience. In order to create a document category:

Navigate to the Categories View from the Content Page.

Select Add Category to open the Add Category Form.

Fill in all necessary information.

Managed By - The location group that can edit, add subcategories, and delete the category.

Name - The name of the category.

Description - A description of the category.

Click Save to complete the process.


Administrators of a managing location group can also create subcategories by:

Selecting the Add button next to the parent category's name from the Categories View.

Entering in the Name and Description.

Selecting Save to complete the process.

Managing Documents
There are several actions available on the Content Management page that an administrator can perform to manage the
content of the corporate Secure Content Locker.

Edit - Edit any of the details created during the process of adding a new document.

Add Version - If the document is updated, administrators can add a newer version of the document. End
users are automatically notified if there is a new version of a document.

View Devices - View a list of the devices that have currently downloaded this document.

Download - Download a local copy of the document to view.

Delete - Delete the document from the Secure Content Locker.


Best Practices

Create document categories before you begin uploading documents. Categories are selected during the upload
process but must be created separately.

To create a category, select the Categories setting on the Content Management page, or navigate to Content
Management -> Categories.

Administrators may wish to enable end-users to store and access content locally using third party applications.

If permitted, end-users will be able to download and view a local copy of documents by selecting the icon.

Enable enhanced MDM functionality through AirWatch Software Development Kit (SDK) integration.
Integrating the AirWatch Secure Content Locker with the AirWatch SDK enables the Secure Content Locker to
detect compromised devices and communicate with the corporate MDM server.

Encourage end-users to enable GPS tracking. End-users can enable location services in the Secure Content Locker
settings to allow administrators to track and access GPS coordinates.


Email Management
AirWatch provides administrators with several options for configuring secure integration with corporate Email services. The
most robust and extensible solution is through the AirWatch Secure Email Gateway, which allows the administrator to secure,
monitor and manage both the smart device fleet and corporate Email access, all from the AirWatch Web Console.

AirWatch simplifies and secures Email management by allowing the administrator to perform the following tasks:

Quickly monitor and troubleshoot Email server requests through the Secure Email Gateway Dashboard.

Gain visibility and control on top of the existing corporate Email structure to ensure that corporate Email actions
are secure and compliant.

Create and edit Email Compliance rules, including blacklist and whitelist policies.

Control Email access for both managed devices and unmanaged devices

For devices under AirWatch MDM, the data collected from the Secure Email Gateway can be correlated to the
device's existing record to show you how the managed devices are interacting with your email server.

For devices not under MDM, the data can be viewed on the dashboard to help the administrator track rogue
devices and gain a more complete picture of the mobile email deployment.

Configure integration with a number of corporate Email Services, including: Gmail, Exchange, bPOS, 365, Lotus,
Groupwise versions 8.5+, and others.


Email Compliance Policies


Email Compliance policies allow the administrator to block access to corporate Email servers for enhanced Email security
based on pre-defined compliance policies. To configure Email Compliance Policies:
1. Navigate to Dashboards -> Secure Email Gateway and select Mobile Email Compliance from the Compliance view.

OR

2. Navigate to Profiles & Policies -> Compliance and select Email Compliance from the Available Views.


There are two categories of compliance policies: General Email Policies and Managed Device Policies. The screen displays a
list of the Current Compliance Policies.

The circles in the Active column indicate whether the policy is active (green circle) or inactive (red circle):

Click the edit button to edit the policy.

Click Save to finish editing the policy, or Reset to return the values to the last saved state.

General Email Policies


General Email compliance policies are enforced on all devices requesting access to corporate Email through the Secure
Email Gateway.

Managed Device

Open the policy and specify whether to Allow or Block unmanaged devices that attempt to contact
the corporate Email server.


Mail Client

Open the policy and click Add Rule.

Select an option from the Client Type drop-down menu:

Pre-defined - The known mail clients stored in the database.

Discovered - The mail clients that connect through the gateway but are not currently stored in the
database.

Custom - Specified mail clients (e.g. Apple or Android).

Select the Mail Client from the drop-down menu or choose Custom to enter in a mail client.

Choose to either Allow or Block the specified mail client and type.

Specify the default policy (Allow or Block) for all other mail clients not currently listed (applies to all
known mail clients that are not currently listed in the policy).

Specify the default policy (Allow or Block) for all new or discovered mail clients (applies to all mail
clients that are not currently stored in the database)

Click Save.


User - To block specific users from accessing corporate Email on their mobile device:

Select a User Type from the drop-down menu:

AirWatch User Account - Select a registered device user from the AirWatch Web Console database.

Discovered - The users that connect through the gateway that are not currently stored in the
database.

Custom - Specified users.

Select a User Name from the drop-down menu.

Make a selection to Allow/Block/Whitelist the specified user.

Select Allow or Block as the default action for all other user names not currently listed.

Specify the default policy (Allow or Block) for all new or discovered user names not currently listed.


Managed Device Policies


Managed Device Policies are only enforced on devices currently enrolled in AirWatch MDM.

Inactivity

Open the policy and specify whether to Allow or Block unmanaged devices that attempt to contact
the mail server.

Enter the number of inactive days to define inactivity.

Device Compromised Compliance

Open the policy and select whether to Allow or Block compromised devices that attempt to contact
the mail server.

Encryption Compliance

Open the policy and select whether to Allow or Block devices that attempt to contact the mail server
and do not have data protection enabled.


Platform and Model Compliance

Open the policy and click Add Rule.

Select an option from the Platform and Model drop down menus.

Make a selection to Allow or Block the specified platform and model.

Specify the default policy (Allow or Block) for all models not currently listed.

Operating System Compliance - Administrators may wish to block a particular version of a mobile device
Operating System that stresses the Email server due to a bug or other technical issues.

Open the policy and click Add Rule.

Select an option from the Platform drop down menus.

Select the Min OS (Minimum Operating System) and Max OS (Maximum Operating System).

Specify the default policy (Allow or Block) for all OS versions not currently listed.

Apply Email Compliance Policies


After you create or edit Email compliance policies, the policies will be automatically applied when the
Mobile Email Gateway is refreshed (configure the refresh interval in System Settings -> Email -> Advanced).

To instantly apply the policy, click on the Provision Policy Changes button at the bottom of the Email
Compliance Policies page.


Email Gateway Dashboard


Each time a device attempts to connect to your mobile email server through the AirWatch Secure Email Gateway, the
gateway gathers statistics about the request. This information is presented on a dashboard in the AirWatch MDM
console and can be used to assess the health of your mobile email deployment.

To access the Secure Email Gateway Dashboard, navigate to Dashboards -> Secure Email Gateway.

The basic Secure Email Gateway Dashboard is available as a view under the main dashboard, but it does not
contain the time interval view options or editing capabilities.

Graphs and Grid


The Secure Email Gateway Dashboard view is controlled by the three graphs at the top of the screen, and a grid at the
bottom of the screen that displays the data from the selected graph or data group.

Device Activity - The total number of devices communicating through the gateway, in addition to the
number of blocked and allowed devices.

Devices - The total number of devices communicating through the gateway and the number of managed
and unmanaged devices.

Non-Compliant Devices - The number of non-compliant devices communicating through the gateway
according to the compliance criteria as specified in Email Compliance Policies.


Request Time Views


The Request Time views allow the administrator to adjust the dashboard view for all time periods, or for time intervals
throughout the last 24 hours.

Click on all or select a time interval to update the charts and grids with the time selection.

Email Compliance in the Dashboard


To edit Email Compliance policies, select Mobile Email Compliance from the Compliance view. For further information on
creating Email compliance policies, see Email Compliance Policies.


Override an Email Compliance Policy


Once Email compliance policies are in place for the Secure Email Gateway, the administrator may find the need to make
blacklist or whitelist exceptions, or to remove a device from the list of exceptions.
To override a compliance policy:

Select the Policy Override List View to view the current override status for all of the devices that are
communicating through the gateway.

This page also provides the ability to add, remove, or change an override to any of the devices listed.

Select a device from the grid to perform a policy override on that device.

Select a policy action:

Whitelist - Allow the device to override compliance policies.

Blacklist - Block the device regardless of any policies which may allow the device.

Default - Remove the device from the override list and apply the configured compliance policies to the
device.


Dashboard Diagnostics and Test Mode


Diagnostic mode can be turned on or off for testing and troubleshooting by selecting a device and
choosing to enable or disable Dx mode.

Test mode allows mobile devices to communicate through the gateway even when restrictive compliance
policies are currently enabled. The dashboard displays the non-compliant reason code(s) for a device to
indicate all restrictions that would apply if test mode were not enabled.

To enable test mode, select the Enable Test Mode link on the dashboard.

When test mode is disabled, the compliance policies are applied again to each device that
communicates through the gateway. The dashboard displays the non-compliant reason code(s) for a
device to indicate all applicable restrictions that are now being applied. To disable test mode, select
the Disable Test Mode link on the dashboard.
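
The following added example (not AirWatch code) models how the General Email Policies, Managed Device Policies, policy overrides and test mode described above combine into one allow/block decision, and lists devices that a Whitelist override lets through despite violations. The reason-code names, the first-match rule order, an Allow/Block action on each OS rule and the choice that a Blacklist override still blocks in test mode are assumptions; Platform and Model rules and the defaults for discovered clients and users are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, BLOCK = "Allow", "Block"


@dataclass
class Request:
    """One device request seen by the gateway (constructed fields)."""
    device_id: str
    user: str
    mail_client: str
    managed: bool
    platform: str = "iOS"
    os_version: tuple = (5, 0)
    compromised: bool = False
    data_protection: bool = True
    days_inactive: int = 0


@dataclass
class Policies:
    # General Email Policies: enforced on every device using the gateway.
    unmanaged: str = BLOCK
    client_rules: dict = field(default_factory=dict)  # mail client -> action
    client_default: str = ALLOW                       # clients not listed
    user_rules: dict = field(default_factory=dict)    # user name -> action
    user_default: str = ALLOW                         # users not listed
    # Managed Device Policies: enforced only on enrolled devices.
    compromised: str = BLOCK
    unencrypted: str = BLOCK
    max_inactive_days: Optional[int] = 30
    os_rules: list = field(default_factory=list)      # (platform, min, max, action)
    os_default: str = ALLOW


def violations(req, pol):
    """Return the reason codes (names are assumptions) a request triggers."""
    reasons = []
    if not req.managed and pol.unmanaged == BLOCK:
        reasons.append("UNMANAGED_DEVICE")
    if pol.client_rules.get(req.mail_client, pol.client_default) == BLOCK:
        reasons.append("MAIL_CLIENT")
    if pol.user_rules.get(req.user, pol.user_default) == BLOCK:
        reasons.append("USER")
    if req.managed:
        if req.compromised and pol.compromised == BLOCK:
            reasons.append("COMPROMISED")
        if not req.data_protection and pol.unencrypted == BLOCK:
            reasons.append("NO_DATA_PROTECTION")
        if (pol.max_inactive_days is not None
                and req.days_inactive > pol.max_inactive_days):
            reasons.append("INACTIVE")
        action = pol.os_default
        for platform, lo, hi, rule_action in pol.os_rules:
            # Assumption: the first rule whose Min OS..Max OS range matches wins.
            if platform == req.platform and lo <= req.os_version <= hi:
                action = rule_action
                break
        if action == BLOCK:
            reasons.append("OS_VERSION")
    return reasons


def evaluate(req, pol, overrides=None, test_mode=False):
    """Return (decision, reason codes) for one request."""
    override = (overrides or {}).get(req.device_id, "Default")
    reasons = violations(req, pol)
    if override == "Blacklist":   # blocked regardless of policies
        return BLOCK, ["OVERRIDE_BLACKLIST"] + reasons
    if override == "Whitelist":   # allowed regardless of policies
        return ALLOW, reasons
    if reasons and not test_mode:
        return BLOCK, reasons
    return ALLOW, reasons         # test mode: allowed, reasons still reported


def hidden_by_whitelist(requests, pol, overrides):
    """Devices a Whitelist override lets through despite violations."""
    return {r.device_id: violations(r, pol) for r in requests
            if overrides.get(r.device_id) == "Whitelist" and violations(r, pol)}


# Constructed sample policy and requests.
POLICY = Policies(client_rules={"LegacyClient": BLOCK},
                  os_rules=[("iOS", (4, 0), (4, 3), BLOCK)])
GOOD = Request("dev-1", "alice", "Apple", managed=True)
ROGUE = Request("dev-2", "bob", "Apple", managed=False)
JAILBROKEN = Request("dev-3", "carol", "Apple", managed=True,
                     os_version=(4, 2), compromised=True)

if __name__ == "__main__":
    for r in (GOOD, ROGUE, JAILBROKEN):
        print(r.device_id, evaluate(r, POLICY), evaluate(r, POLICY, test_mode=True))
```

Running the same requests with and without `test_mode` shows which devices a policy change would cut off before the change is provisioned.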


Best Practices

Use filter views and search to view devices in the Secure Email Gateway dashboard grid according to compliance
criteria.

The administrator can filter the devices displayed on the grid based upon override status. Select a filter to
view only Blacklisted, Whitelisted, or All devices.

The filter functionality provides the ability to search the grid within the displayed results.

Enter the full or partial search term in the Search box.


Security and Compliance


AirWatch uses a customizable compliance engine to allow for robust compliance policy creation and enforcement. The
AirWatch compliance capabilities allow administrators to protect proprietary corporate data from unwanted exposure and to
set rules for handling non-compliant activity on managed devices. These compliance policies are centrally managed in the
Compliance page in the Web Console.

To navigate to the Compliance page, select Profiles & Policies -> Compliance. From here, the administrator can create several
different types of compliance policies:

Application Compliance Policies

Device Compliance Policies

Email Compliance Policies

Note: Email compliance policies only apply when the Secure Email Gateway is installed in addition to the AirWatch Mobile
Device Management solution.


Passcode and Restrictions Profiles Overview


Passcode and device restrictions provide further protection to managed devices. Passcode compliance policies include the
ability to enforce passcodes, set passcode complexity, and manage auto-lock and passcode history settings. Restrictions
profiles allow the administrator to prohibit and control use of device-specific functionality such as app installation, the device
camera, and other similar functionality. To set Passcode and Restrictions profiles on individual devices, please refer to Creating
Profiles.

Compliance Engine
Application Compliance
Application compliance policies restrict access to unauthorized applications on corporate devices. Application
compliance policies allow the administrator to designate blacklisted applications and send a message or wipe the device
if AirWatch detects a blacklisted application. To create or edit an application compliance policy:

On the Compliance page, select the Application Compliance view on the left sidebar of the page:


Select Add to view the Add/Edit Application Rule screen:

Fill in the information fields:

Type - The type of application compliance policy. Currently, the only option is Blacklist.

Platform - The device platform to which the application compliance policy will apply. Currently, the
only platform options are iOS and Android (or select All to apply the policy to both platforms).

Application Name - The name of the application for which you are creating a compliance rule.

Optionally enter the Application ID and Version.

Specifying the application ID will allow AirWatch to more accurately detect devices that have the
blacklisted application installed by identifying applications by the exact bundle ID rather than simply
searching for the application name as entered in the Application Name field.

Comments - Optionally enter a comment about the compliance policy to share with other Web
Console administrators (comment will only appear in the Web Console).

Action - The administrative action that will automatically take place on any devices containing the
named application:

Send SMS - Choose the Message Type and enter the message text in the Message Body field.

Enterprise Wipe - Perform an Enterprise Wipe upon detection of an application compliance violation.

Wipe Device - Perform a Device Wipe upon detection of an application compliance violation.

When complete, click Save to apply the compliance policy.


Device Compliance
Device compliance policies can be created to perform administrative actions on managed devices when specific device-based criteria are met. To create a device compliance policy:

On the Compliance page, select the Device Compliance view on the left sidebar of the page.

Choose one of the device compliance policy types from All Device Policies or Platform Specific Policies.

To select and open a policy, click the Edit button.

All Device Policies

All Device Policies allows administrators to create and edit policies that apply to all devices regardless of platform. Some
platform specific policies are based on All Device Policies, so it is a good practice to create all device policies before
creating platform specific device compliance settings.

Compromised Device Settings - The Compromised Device Settings compliance policy applies to all devices
and allows the administrator to:

Perform actions (such as blocking access to profiles and applications) on all device types which have
not reported a compromised status or are detected as compromised (check the box to apply policy).


Flag the device as Out of Date if the device has not checked in for a set number of days and establish
Severity Levels based on the duration without check in.

The Severity Levels are defined in this box. To edit the rules for each Severity Level, do so in Platform
Specific Policies.

To define Severity Levels, enter the duration for each severity level and choose the metric (days, hours
or minutes) from the drop down menu.

Platform Specific Policies

Platform Specific device compliance policies include the following:

Compromised Device Compliance - Perform platform specific actions on devices that have been flagged as
compromised. Currently, this feature only supports the iOS and Android platforms. To create or edit
Compromised Device Compliance policies:

Select the administrative actions to be performed when devices meet the specified criteria.

Compromised Status Out Of Date Level 1, Level 2, and Level 3 - Perform actions on iOS devices that are
Out of Date and fall under Severity Level 1, Severity Level 2, or Severity Level 3, as defined in
Compromised Device Settings (refer to All Device Policies above). To edit rules for Compromised Status
devices:

Select and open the desired Compromised Status Out of Date Level policy.

Click Add Rule.

Choose the action (Send push notification, Send Email, Remove EAS profiles) and, if applicable, enter
the Push Notification or Email text.

Operating System Compliance - Perform actions on iOS devices that run a specific operating system version.

Model Compliance - Perform actions on specific models of iOS devices.


To edit Operating System Compliance and Model Compliance policies:

Select and open the compliance policy you wish to edit and click Add Blacklist Rule.

Specify the OS or Model device criteria for the Blacklist rule.

Specify the administrative actions to perform when the criteria are met:

Send SMS - Choose the Message Type and enter the message text in the Message Body field.

Enterprise Wipe - Perform an Enterprise Wipe upon detection of an operating system or model
compliance violation.

Wipe Device - Perform a Device Wipe upon detection of an operating system or model compliance
violation.

Repeat by adding any additional blacklist rules for the policy.

To finish editing the selected compliance policy, click Save.


Privacy Policy
Administrators can set complex privacy policies within the AirWatch Web Console. These policies apply to specific device
ownership types within Location Groups (ownership types are: Corporate Dedicated, Corporate Shared, Employee
Owned, and Unassigned).

To access privacy policies, navigate to Configuration -> System Settings -> Device -> General -> Privacy.

For each privacy policy, administrators have three options for handling device information. The policies are defined
by a filled circle, half-circle, or an empty circle at the top of the screen.

Collect and Display - The information is collected by AirWatch and administrators will be able to view the
data.

Collect - The information is collected by AirWatch but administrators will not be able to view the data.

Do Not Collect - The information is not collected by AirWatch.

To adjust the privacy policy information settings:

Move the mouse over the circle that matches up with the privacy policy and device ownership type. A small
popup menu will appear (as shown below) that displays the privacy setting options.

Click on the appropriate circle.

Click Save to finish the process and immediately apply the settings.


Commands Privacy
Additionally, the Commands section at the bottom of the page allows the Administrator to restrict certain commands
based on device ownership type.

A full circle indicates that a command is allowed, while an empty circle indicates that the command is
disabled.

Currently, the only Command that can be allowed or disallowed is Full Wipe.

Click on the appropriate circle to choose the desired permissions.

Click Save to finish the process and immediately apply the settings.

Privacy Settings Note: The Privacy Settings explained above affect whether or not device and user information is
displayed both in the AirWatch Web Console and in the Self-Service Portal. Please be aware of the privacy settings in
place when navigating through user and device information (especially the pages explained in the following sections:
Device Information, Device Details, Remote Actions and Device Details Management).
Many of the Self-Service Portal and Device Wipe settings are determined by both Privacy settings and Role settings
(Users -> Admin Accounts). If multiple settings are in place, the strictest policy is enforced.


Secure Browser
The AirWatch Secure Browser application is available for all iOS devices. The Secure Browser provides a secure alternative to
Safari internet browsing. To configure the Secure Browser:

Navigate to Configuration -> System Settings.

Select Device -> iOS -> Secure Browser from the navigation menu on the left to open up the settings page.

Security Settings
To change the basic Security Settings for the Secure Browser, select Security at the top of the page:

From the Security tab, select the appropriate settings:

Disable copy-paste - Restricts end-users from copying any content from websites viewed via the Secure
Browser.

Disable Printing - Restricts end-users from printing any content from websites viewed via the Secure
Browser.


Accept Cookies - This drop down menu specifies the default policy (Always or Never) for accepting cookies
from websites viewed via the Secure Browser.

Operation Mode
To change the Operation Mode for the Secure Browser, select Mode at the top of the page:

Select either the Kiosk or Restricted mode option:

Kiosk - Kiosk mode designates a homepage for the Secure Browser.

Restricted - Restricted mode specifies that users can only access certain websites (whitelisted) in the
Secure Browser or it instructs the browser to block certain websites (blacklisted) in the Secure Browser.

Kiosk Mode

Kiosk mode designates a specific homepage for the secure browser:

Enter the URL of the desired homepage in the Kiosk Homepage field

Return Home After Inactivity - Check this box to require the Secure Browser to return to the Kiosk
Homepage after a period of inactivity.


Restricted Mode

Restricted mode allows the administrator to allow or deny access to certain websites. Select either Allow or Deny:

Allow stipulates that the Secure Browser can only access the specified (whitelisted) URLs.

Deny causes the Secure Browser to block only the specified URLs; all other sites will be allowed.

To add websites to Allowed Site URLs or Denied Site URLs, click on the plus icon.

Best Practices

To provide maximum security and data protection for both end-users and the managing enterprise, privacy settings
work in conjunction with Role Configuration. In order to ensure that the configured privacy settings are correctly
implemented, it is recommended that you make a note of the following role settings:

User Role Settings (Users -> User Accounts -> Roles) control display of user and device data in the Self-Service
Portal.

Administrator Role Settings (Users -> Admin Accounts -> Roles) control the display of user and device data in
the Web Console, and control the ability to perform a full device wipe.

Be consistent when deploying multiple compliance or passcode policies; if multiple policies are in place, the most
restrictive policy is enforced.

For a top-level view of the status of device compromised, passcode, and encryption policy compliance, navigate to
the Dashboard (Dashboards -> Dashboard) and select Device Compliance from the Available Views.

To more efficiently manage bulk Email accounts, use lookup values whenever possible.

For maximum Email security, use Email profiles in conjunction with the AirWatch Secure Email Gateway.


Reports and Alerts


Reports
AirWatch has extensive reporting capabilities that provide administrators with actionable, result-driven statistics about their
device fleets. IT administrators can leverage these pre-defined reports or create custom reports based on specific devices, user
groups, date ranges or file preferences. In addition, the administrator can schedule any of these reports for automated
distribution to a group of users and recipients on either a defined schedule or a recurring basis. These features are all
centralized within the AirWatch Web Console. To access the Reports page:

Navigate to Reports & Alerts -> Reports.

From here, there are several key pieces of functionality that administrators can use to leverage AirWatch reporting capabilities:

Generating Custom Reports

Creating Report Subscriptions

Adding a Report to My Reports

Additional Reporting Tools


Generating Reports
Administrators can create custom reports on the fly through AirWatch Web Console. To generate a custom report:

Navigate to the Reports page at Reports & Alerts -> Reports.

Select a pre-defined report template from the list and then click the View button.

Specify all of the report parameters. Required fields are indicated with a red mark.

Select View Report.

Adding a Report to My Reports


Adding a report to My Reports allows administrators to essentially bookmark popular reports that they find
particularly useful. To add a report to My Reports:

Navigate to the Reports page at Reports & Alerts -> Reports.

Select a pre-defined report template from the list and then click the Add to My Reports button

From now on the report will be accessible from the My Reports View on the left side of the Reports page for
quick access.

Creating Report Subscriptions


Report subscriptions can be used to send custom generated reports to specific recipients at a scheduled occurrence. To
subscribe to a report:

Navigate to the Reports page at Reports & Alerts -> Reports

Select a pre-defined report template from the list and then click the Subscribe button

Complete the Report Subscriptions Form with all required information.

General Information - The name of the subscription, the email subject, etc.

Report Parameters - The parameters defining the scope and options of the report.

Distribution List - The recipients who will receive the custom report whenever the subscription is executed.

Execution Schedule - The time and schedule at which the custom report is generated.

Click Save.

Additional Reporting Tools


There are also several other additional tools that help administrators utilize AirWatch reporting capabilities:

Search Assistance Tools - The Report Category Dropdown and Search Box at the top of the reports page make
finding particular reports very simple.

Report Samples Tool - To view a sample output from a particular report, click the Sample Button.

Report Export Tool - To export a report in one of several formats, use the Export Bar on a custom generated
report.

Alerts
Alerts provide administrators with the ability to receive immediate notifications when specific events occur across the
managed smart device fleet. They are comprised of two components:

A Creation Policy that describes the criteria that must be met to trigger the alert

A Routing Policy that describes what devices are being monitored, when, and who will receive the alert.

Creation Policies
In order to create a new creation policy

Navigate to Reports & Alerts -> Alert Setup -> Creation Policy

From here, a list of all available creation policies can be seen.

If any policies are similar to the policy that needs to be created, try editing the policy by selecting the
icon on the left of the row.

Select Add Alert Creation Policy at the bottom to open the Alert Creation Policy Form.

Enter in all required information

Description - The name of the creation policy that will be displayed in the Web Console.

Resource - The type of resource that is going to be monitored. Select device to monitor the smart
device fleet.

Attribute - The parameter that will be used to determine whether the alert should go off or not.

Comparison Operator - The comparison operator to test whether the attribute will set off an alert.

Value - The value that will set off the alert when (Attribute) <Comparison Operator> (Value) = True.

Duration - The duration that the alert will last before stopping.

Click Save to complete the process.


Routing Policies
In order to create a routing policy

Navigate to Reports & Alerts -> Alert Setup -> Routing Policy

Select Add Alert Routing Policy to open up the Alert Routing Policy Form.

Enter in all required information

Creation Policy - The creation policy that will trigger this alert to go off.

Location Group - The location group that contains the devices that are being monitored for the
creation policy criteria.

Location - The location that contains the devices that are being monitored for the creation policy
criteria. Default is Any.

Equipment - Any specific equipment that is being monitored for this creation policy. Default is Any.

Device - Any specific devices that are being monitored for this creation policy. Default is Any.

Sample Time and Sample Days - The date and time in which this policy is tested on the selected
devices.

Severity & Priority - Metrics to organize alerts in terms of priority and severity for administrative
purposes.

Consolidation Window - The period of time in which only one alert will occur from multiple triggers
of the same creation policy. All alerts that occur within the consolidation window of one another and
stem from the same creation and routing policy are consolidated into a single alert.

Routing Policy - Can only be routed to users. Select User Distribution.

Role Alerting - Select Add Role and enter in a role and location group so that any administrator with
the listed role / location group combination will receive this alert.

User Alerting - Select Add User and enter in an admin user so that he will receive this alert.

Click Save to complete this process.
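The two policy types working together, as an added example that is not AirWatch code: a creation policy tests (Attribute) <Comparison Operator> (Value) on each device sample, and a routing policy limits the test to one location group and folds triggers inside the consolidation window into a single alert. The attribute name `days_since_checkin`, the sample readings, all class and function names, and the reading of "within the consolidation window of one another" as "within the window of the previous trigger" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import operator

# Comparison operators a creation policy may use (this set is an assumption).
OPERATORS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
             "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class CreationPolicy:
    description: str
    attribute: str
    comparison: str
    value: float

    def triggers(self, attributes):
        """True when (Attribute) <Comparison Operator> (Value) holds for a sample."""
        if self.attribute not in attributes:
            return False  # a device that did not report the attribute cannot trigger
        return OPERATORS[self.comparison](attributes[self.attribute], self.value)


@dataclass(frozen=True)
class RoutingPolicy:
    creation: CreationPolicy
    location_group: str
    consolidation_window: timedelta
    recipients: tuple


def route_alerts(routing, samples):
    """Return consolidated alerts for (time, location_group, device, attributes) samples."""
    alerts = []
    for when, group, device, attributes in sorted(samples, key=lambda s: s[0]):
        if group != routing.location_group:
            continue  # device is outside the monitored location group
        if not routing.creation.triggers(attributes):
            continue
        current = alerts[-1] if alerts else None
        if current and when - current["last"] <= routing.consolidation_window:
            # Same creation and routing policy, inside the window: fold into one alert.
            current["last"] = when
            current["count"] += 1
            current["devices"].add(device)
        else:
            alerts.append({"first": when, "last": when, "count": 1,
                           "devices": {device}, "recipients": routing.recipients})
    return alerts


# Constructed sample data, not taken from a real deployment.
T0 = datetime(2012, 2, 1, 9, 0)
SAMPLES = [
    (T0, "HQ", "device-01", {"days_since_checkin": 9}),
    (T0 + timedelta(minutes=5), "HQ", "device-02", {"days_since_checkin": 12}),
    (T0 + timedelta(minutes=8), "HQ", "device-03", {"days_since_checkin": 2}),
    (T0 + timedelta(minutes=9), "Branch", "device-04", {"days_since_checkin": 30}),
    (T0 + timedelta(minutes=40), "HQ", "device-01", {"days_since_checkin": 9}),
]
POLICY = CreationPolicy("Stale check-in", "days_since_checkin", ">", 7)
ROUTING = RoutingPolicy(POLICY, "HQ", timedelta(minutes=10), ("admin1",))

if __name__ == "__main__":
    for alert in route_alerts(ROUTING, SAMPLES):
        print(alert["first"], alert["count"], sorted(alert["devices"]))
```
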


Viewing Alerts
Once alerts have been created, they can be viewed from:

My Alerts - View alerts by user or role that received the alert.

Device Details Page - View alerts by device that triggered the alert.

Best Practices

To enable the highest level of control and security over distribution of report information across the enterprise,
edit role-based access to reports by navigating to Users -> User Accounts -> Add Role. Report Access is enabled or
disabled by checking the boxes under Resource Categories.


Enterprise Integration
AirWatch has extensive capabilities to help corporations easily integrate the AirWatch solution with existing enterprise
systems. AirWatch's enterprise integration allows users to authenticate using enterprise directory service credentials and
provides even deeper integration with enterprise systems through the use of device management APIs. These APIs can be
integrated into third party or internal applications for an added level of security and management.

Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
System Authentication
The Authentication page enables the integration of the AirWatch server with a corporate directory services server to
provide directory based admin account access. When creating user accounts, settings can be identical or different
(explained in the next section). To configure LDAP or AD integration:

Navigate to Configuration -> System Settings -> System -> General -> Authentication.


The system authentication fields are as follows:

LDAP Server Type - Select LDAP for any type of server other than Active Directory.

Server - Enter the address of the directory services server.

Encryption Type - Select the type of encryption used for directory services communication. The default is None.

Port - Enter the TCP port used to communicate with the directory services server. The default for unencrypted DS
communication is 389. Only SaaS environments allow SSL encrypted traffic using port 636 (AirWatch SaaS IP range:
205.139.50.0/23).

Verify SSL Certificate - Select the check box to receive SSL errors when the encryption type is None.

Protocol Version - Select the version of the LDAP protocol in use. Active Directory uses LDAP versions 2 or 3.

Bind Authentication Type - Select the type of bind authentication that is used in order for the AirWatch server to
communicate with the directory services server.

Bind username & password - Enter the credentials to authenticate with the directory server. This account allows
read access permission on your directory server and binds the connection when authenticating the users.

Base DN - Use this field as a test for the connection and to select one of your directory server's base paths.

Default Domain - Default domain for any directory based user accounts. If only one domain is used for all directory
user accounts, fill in the field with the domain so that users are authenticated without explicitly stating their
domain.

User Search Filter - Enter the search parameter used to associate user accounts with active directory accounts.
The recommended format is <LDAPUserIdentifier>={EnrollmentUser} where <LDAPUserIdentifier> is the parameter
used on the directory services server to identify the specific user.

For AD servers, use samAccountName={EnrollmentUser}

For LDAP servers, use CN={EnrollmentUser} or UID={EnrollmentUser}
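How a search filter of the recommended form expands for one enrollment login, as an added example that is not AirWatch code: the attribute comes from the configured template, the user name is escaped per RFC 4515 so that filter metacharacters typed into a login cannot change the search, and Default Domain is applied when the login names no domain. The `DOMAIN\user` and `user@domain` login forms and all function names are assumptions.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Accept only the documented shape <LDAPUserIdentifier>={EnrollmentUser}.
_TEMPLATE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=\{EnrollmentUser\}$")


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login, default_domain):
    """Return (domain, user) for DOMAIN\\user, user@domain or a bare user name."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        domain, user = default_domain, login
    if not user:
        raise ValueError("empty user name")
    # Fall back to Default Domain when the login carried an empty domain part.
    return domain or default_domain, user


def build_search_filter(template, login, default_domain):
    """Expand the User Search Filter template for one enrollment login."""
    match = _TEMPLATE.match(template.strip())
    if not match:
        raise ValueError("template must look like <LDAPUserIdentifier>={EnrollmentUser}")
    domain, user = split_login(login, default_domain)
    return domain, "(%s=%s)" % (match.group(1), escape_filter_value(user))


if __name__ == "__main__":
    # Constructed logins; corp.example is a placeholder domain.
    for login in ("jsmith", "CORP\\jsmith", "jsmith@corp.example", "j*)(cn=*"):
        print(build_search_filter("samAccountName={EnrollmentUser}", login, "corp.example"))
```
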


User Account & Device Authentication


User accounts are used by end-users of AirWatch to associate devices to specific corporate users. The AirWatch software
allows several methods of creating user accounts, from a simple username/password combination, to corporate LDAP
integration through the cloud and SAML integration. For more information please see user account types.
For any user account other than basic authentication, the AirWatch Web Console must first be configured to properly integrate
with the corresponding infrastructure before user accounts can leverage the respective authentication type. These settings can
all be found from the System Settings -> Device -> General -> Enrollment page under the Authentication tab.

The section below will describe how these user account authentication types can be configured to enable use of each security
mechanism.


Active Directory / LDAP Enrollment Configuration


In order to enable Active Directory / LDAP User Accounts for use during enrollment:

Ensure that you are at the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.

Check Directory to expand the Directory Authentication Menu and enter in all appropriate fields.

Use Console LDAP Settings - Check this to use the LDAP settings that have been configured for Admin
Accounts that log into the Web Console. These settings are configured at System Settings -> System ->
General -> Authentication.

LDAP Server Type - Select LDAP for any type of server other than Active Directory.

Server - The address of the directory services server.

Encryption Type - The type of encryption used for directory services communication. Default is None.

Port - The TCP port used to communicate with the directory services server. Default for unencrypted
DS communication is 389.

Verify SSL Certificate - Uncheck this box to ignore SSL errors when the encryption type is other than
none.

Protocol Version - The version of the LDAP protocol that is being used. Active Directory uses LDAP
versions 2 or 3.

Bind Authentication Type - Select the type of bind authentication that must be used for AirWatch
server to communicate with the directory services server.

Resolve DN from User Domain - Check this box to resolve the DN field in the directory services server
from the domain associated with the specific AD user account requesting access. If the bind
authentication type is a static username and password or anonymous, this field will have no effect.

Default Domain - The default domain of any directory based user accounts. If only one domain is
used for all directory user accounts, populate this field with the domain so that users can authenticate
without explicitly stating their domain.

User Search Settings - The search parameter used to associate user accounts with active directory
accounts. The recommended format is <LDAPUserIdentifier>={EnrollmentUser} where
<LDAPUserIdentifier> is the parameter that is used on the directory services server to identify the
specific user.

Search LDAP Users as Database Users - Select to search the LDAP users from the database users list.

Use Integrated Authentication - Select to use Windows Authentication to search the database.

When complete, click Save to save your settings.

Authentication Proxy Enrollment Configuration


In order to enable authentication proxy user accounts for use during enrollment:

Ensure that you are at the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.

Check Authentication Proxy to expand the Authentication Proxy Menu and enter in all appropriate fields.

Authentication Proxy URL - The URL of the Authentication Proxy Server that prompts the user with
HTTP or EAS authentication.

Authentication Method Type - The type of Authentication Proxy endpoint. All types other than EAS
endpoints should select HTTP basic.

When complete, click Save to save your settings.

SAML 2.0 Enrollment Configuration


In order to enable SAML 2.0 User Accounts for use during enrollment:

Ensure that you are at the System Settings -> Device -> General -> Enrollment page with the Authentication
tab selected.

Check SAML 2.0 to expand the SAML 2.0 menu and enter in all appropriate fields.

Import Identity Provider Settings - This feature allows the administrator to import SAML metadata
obtained from the Identity Provider.

Uploading this XML file sets some of the configuration options shown in the SAML settings page, and
most importantly, this file includes the identity provider's public key certificate, which is required for
AirWatch to trust the identity provider.

SAML Binding Type - This value determines how the identity provider and AirWatch exchange
messages.

SAML can be configured to allow the intermediate browser to POST the entire message, or it can send
only a token known as an artifact that represents the data, and then the identity provider will contact
the sender to obtain the message through a process called artifact resolution.

Identity Provider ID - This value specifies a URI that the identity provider uses to identify itself.
AirWatch checks authentication responses to verify that the identity matches the ID provided here.

Service Provider ID - This value specifies a URI with which AirWatch identifies itself to the identity
provider. This value must match the ID that has been configured as trusted by the identity provider.

IDP SSO Post/Artifact - These values specify the identity provider URLs that AirWatch uses to send
requests for each binding type. This value is set automatically from the imported metadata.

IDP Artifact Resolution URL - This value specifies the URL at the identity provider that AirWatch uses
to resolve an artifact response to obtain the actual response message. This value is set automatically
from the imported metadata.

Service Provider Assertion URL - This value specifies the AirWatch URL which should be configured by
the identity provider to direct its authentication responses. Assertions regarding the authenticated
user are included in success responses from the identity provider.

Service Provider Logout URL - This value specifies an AirWatch URL to use for single logout. This
feature is not currently supported in AirWatch 5.16.

Service Provider Error URL - This value specifies an AirWatch URL for displaying an error in the SAML
authentication process. This value can be left blank.

Identity Provider Logout URL - This value specifies an identity provider's URL to use for single logout.
This feature is not currently supported in AirWatch 5.16. This value is set automatically from the
imported metadata.

NameID Format - This value specifies the format in which the identity provider should send a NameID
for an authenticated user. This value is not required as AirWatch will obtain the username from the
FriendlyName uid required attribute.

Ignore SSL Errors - This value specifies whether or not AirWatch should check SSL trust for the identity
provider. If SSL errors are ignored, AirWatch will communicate with the identity provider regardless of
any SSL trust issues.

Validate Identity Provider Certificate - This value specifies whether or not AirWatch should check if
authentication responses are signed with the expected identity provider certificate. This value is only
required when using POST as the identity provider may not sign responses using artifact responses.

Identity Provider Certificate - The identity provider's public key certificate. This value is set
automatically from the imported metadata.

Authentication Request Security - This value specifies whether or not AirWatch should sign
authentication request messages. This value must be set in order to upload a service provider
certificate.

Service Provider Certificate - A private key certificate used by AirWatch to sign SAML requests and to
decrypt responses.

Export Service Provider Settings - This feature allows AirWatch's SAML metadata to be exported to be
supplied to the identity provider. Similar to the Import Identity Provider Settings, this feature allows
the identity provider to import AirWatch's SAML metadata to build trust.

When complete, click Save to save your settings.
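What an identity provider metadata import supplies, and how the security-relevant settings above interact, as an added example that is not AirWatch code: it reads the entity ID, the per-binding SSO URLs, the artifact resolution URL and the signing certificate from SAML 2.0 metadata, then reviews a chosen binding against the Validate Identity Provider Certificate and Ignore SSL Errors settings. The metadata document, the `idp.example.test` host, the placeholder certificate bytes and all function and key names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"

# Constructed identity provider metadata.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="{BINDING}SOAP"
        Location="https://idp.example.test/ars"/>
    <md:SingleLogoutService Binding="{BINDING}HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-Artifact"
        Location="https://idp.example.test/sso/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def import_idp_metadata(xml_text):
    """Extract the settings that the page says are set from imported metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag, binding=None):
        for el in idp.findall(f"md:{tag}", NS):
            if binding is None or el.get("Binding") == BINDING + binding:
                return el.get("Location")
        return None

    cert_der = None
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            node = key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_der = base64.b64decode("".join(node.text.split()))
                break
    return {
        "identity_provider_id": root.get("entityID"),
        "idp_sso_post_url": location("SingleSignOnService", "HTTP-POST"),
        "idp_sso_artifact_url": location("SingleSignOnService", "HTTP-Artifact"),
        "idp_artifact_resolution_url": location("ArtifactResolutionService", "SOAP"),
        "idp_logout_url": location("SingleLogoutService"),
        "idp_certificate_der": cert_der,
        # Fingerprint to compare out of band with the identity provider's administrator.
        "idp_certificate_sha256": hashlib.sha256(cert_der).hexdigest() if cert_der else None,
    }


def review_settings(imported, binding, validate_idp_certificate, ignore_ssl_errors):
    """Return findings for setting combinations that weaken trust in responses."""
    findings = []
    if binding == "POST" and not validate_idp_certificate:
        findings.append("POST binding without certificate validation: responses "
                        "relayed by the browser are not authenticated")
    if validate_idp_certificate and imported["idp_certificate_der"] is None:
        findings.append("certificate validation enabled but no signing certificate imported")
    if ignore_ssl_errors:
        findings.append("SSL errors ignored: the identity provider endpoint is not "
                        "authenticated, which matters most for unsigned artifact responses")
    for name, url in imported.items():
        if name.endswith("_url") and url and not url.startswith("https://"):
            findings.append(f"{name} is not an https URL: {url}")
    return findings


def issuer_matches(imported, response_issuer):
    """Exact comparison of a response issuer with the configured Identity Provider ID."""
    return response_issuer == imported["identity_provider_id"]


if __name__ == "__main__":
    settings = import_idp_metadata(SAMPLE_METADATA)
    print(settings["identity_provider_id"], settings["idp_certificate_sha256"])
    print(review_settings(settings, "POST", False, True))
```
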


Certificate Infrastructure Integration


AirWatch can integrate with the certificate infrastructure in a way that allows the Enterprise to distribute certificates for
authentication purposes to devices containing corporate data. There are several options for AirWatch certificate infrastructure
integration, but each requires detailed technical information and therefore it is very important that the Certificate
Infrastructure Administrator be involved in this integration.

There are two main ways in which AirWatch integrates:

1. Direct Certificate Authority (CA) integration.
   o AirWatch can act as a proxy for certificate distribution.

2. Simple Certificate Enrollment Protocol (SCEP) integration.
   o AirWatch can act as a proxy for certificate distribution.
   o Can be authenticated from the device.

Navigate to the Certificate Authorities settings by selecting Configuration > System Settings > Device > General >
Certificate Authorities.

The Certificate Authorities page allows the AirWatch server to integrate with Microsoft CA, AirWatch CA, or SCEP
certificate services servers. Regardless of the integration type, there are two steps required to configure certificate
integration:

1. Configure the Certificate Authority.


2. Configure the Certificate Template.


Direct Certificate Authority Integration


To configure AirWatch integration with a Direct Certificate Authority (CA) services server, first configure the Certificate
Authority and then configure the Certificate Template.

CA: Configure the Certificate Authority

First, configure the Certificate Authority in AirWatch. On the Certificate Authorities page, select Add
to open up the Certificate Authority Form.

Fill in the required fields:

Server - The server address of the CA server. The CA server needs to be in IP or domain name format
(mycompany.local.com).

Authority Name - Refers to the actual name of the instance of the CA on the CA server.

Use Passthrough Authentication - Passthrough authentication uses the service account running
AirWatch to authenticate with the CA server.
   o This setting should be left off unless the AirWatch server is on the same domain as the enterprise CA
     and the service account running AirWatch is a domain administrator.

Admin Username & Password - The username and password to authenticate with the CA server. The
username and password need to have the correct permissions on the CA server for the certificate
template being used.

Allow child location groups to use this certificate authority - Check the box to allow inheritance by
child location groups.

Authority Type - The type of certificate authority. For Direct CA integration, choose either:
   o Microsoft Certificate Services - Supports a Microsoft Certificate Authority on a Windows Server
     2003/2008 server
     OR
   o AirWatch Certificate Services - Supports an AirWatch-installed certificate service or Generic CA
     (which supports the standard CA protocol)

Click Save. Next, configure the CA Certificate Template.


CA: Configure the Certificate Template

After the Certificate Authority is configured, configure the Certificate Template so that AirWatch can request a
certificate from the Certificate Authority. To configure a Certificate Template for Direct Certificate Authority integration:

Click on Request Templates.

Select Add to open up the Certificate Template Form.

Enter in all required fields:

Distinguished Name - The fully qualified distinguished name of the certificate. This field supports the
lookup values used in AirWatch so that the certificate name can be unique per user/device in
AirWatch (for example, CN={EnrollmentUser}).

The distinguished name supports both Crypto API and Netscape formats. The only field required to
create a certificate is the Common Name (CN). The distinguished name should reflect what the
certificate will be authenticating against.

Certificate Authority - Specifies the CA that this template is assigned to in AirWatch.

Private Key Length - The private key length should match the length of the private key on the
certificate template being used on the CA.
   o Compatibility note: Shorter lengths will be more compatible with older technology and operating
     systems.

Private Key Type - Determines the type of private key in direct CA integration.
   o The standard setting is Signing & Encryption.


Use Existing Key - Enable this option to use the existing private key rather than creating a new one.
The CA and Certificate Template must support this option in order for it to work.

Template Name - Enter a Template name so this certificate template can be used in the future. The
Template Name will only be used within the AirWatch Web Console.

Store in Active Directory - Enable this option to attempt to store the certificate generated into AD
based on the Common Name chosen in the Distinguished Name.

For example, if CN=ADUser, the AirWatch Software will attempt to store the certificate into ADUser.

In order to use this option, AirWatch must be part of your domain and the service account running
AirWatch will need to be a domain administrator.

Additional Attributes - This field serves two purposes when configuring the Certificate Authority:
   o First, the Additional Attributes field specifies the Certificate Template on the Certificate Authority. Use
     CertificateTemplate to specify which template to use (for example, enter
     CertificateTemplate:TemplateName where TemplateName is the name of the template you would like
     to use).
   o Second, the Additional Attributes field allows you to add relevant additional attributes.

When you enter the additional attributes, separate them from the CertificateTemplate with a
backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes
field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
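
The Distinguished Name and Additional Attributes fields above both take lookup values, so directory data ends up inside the certificate request. The Python sketch below is an added example, not AirWatch code: it parses the Additional Attributes format and pre-checks directory values before a template is relied on. It assumes the separator is the typed two-character sequence \n (a real line break is also accepted), the function names are hypothetical, and how AirWatch itself expands or escapes lookup values is not described in this guide.

```python
import re

LOOKUP = re.compile(r"\{(\w+)\}")      # lookup values such as {EnrollmentUser}
SEPARATOR = re.compile(r"\\n|\r?\n")   # typed backslash-n, or a real line break (assumption)
DN_SPECIALS = ',+"\\<>;='              # escaped with a backslash per RFC 4514


def escape_rdn_value(value):
    """Escape a directory value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%02X" % ord(ch))   # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def render_dn(template, values):
    """Expand lookup values in a Distinguished Name template, escaping each one."""
    return LOOKUP.sub(lambda m: escape_rdn_value(values[m.group(1)]), template)


def parse_additional_attributes(field):
    """Split the Additional Attributes field into its template name and SAN entries."""
    parsed = {"template": None, "san": []}
    for entry in SEPARATOR.split(field.strip()):
        key, colon, value = entry.partition(":")
        if not colon or not value.strip():
            raise ValueError("malformed entry: %r" % entry)
        if key == "CertificateTemplate":
            if parsed["template"] is not None:
                raise ValueError("CertificateTemplate given more than once")
            parsed["template"] = value
        elif key == "SAN":
            parsed["san"].append(value)
        else:
            raise ValueError("unexpected attribute: %r" % key)
    return parsed


def render_additional_attributes(field, values):
    """Expand lookup values, refusing any value that would add or alter an entry."""
    def substitute(match):
        value = values[match.group(1)]
        if SEPARATOR.search(value) or any(ord(c) < 0x20 for c in value):
            raise ValueError("unsafe value for {%s}" % match.group(1))
        return value

    rendered = LOOKUP.sub(substitute, field)
    # The rendered field must keep the shape of the template that was configured.
    before = parse_additional_attributes(field)
    after = parse_additional_attributes(rendered)
    if before["template"] != after["template"] or len(before["san"]) != len(after["san"]):
        raise ValueError("lookup values changed the attribute structure")
    return rendered


if __name__ == "__main__":
    # Constructed sample values; the field string is the example given in the guide.
    field = r"CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}"
    print(parse_additional_attributes(field))
    print(render_dn("CN={EnrollmentUser}", {"EnrollmentUser": "Smith, Jo"}))
    print(render_additional_attributes(field, {"EmailAddress": "jo@example.com"}))
```
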


SCEP Integration
The first step in configuring AirWatch integration with a corporate SCEP services server is to configure the Certificate
Authority. The second step is to configure the Certificate Template. To configure the Certificate Authority:
SCEP: Configure the Certificate Authority

Select Add to open a new Certificate Authority Form or select the edit button (if applicable) to
edit an existing certificate.

Fill in all required fields:

Server URL - The web address of the certificate enrollment URL. This is usually in the format of .EXE
or .DLL depending on the SCEP provider. Below are two examples:
   o If the SCEP provider is Microsoft (MSCEP), the Server should be
     https://scepserver.mycompany.com/certsrv/mscep/mscep.dll where scepserver.mycompany.com is
     the web address of the SCEP server.
   o If the SCEP provider is VeriSign, the Server should be set to
     https://onsiteipsec.verisign.com/cgi-bin/pkiclient.exe.

Authority Name - In SCEP integration this field is used by AirWatch to distinguish these settings.

Use Passthrough Authentication - Passthrough authentication uses the service account running
AirWatch to authenticate with the SCEP server. This setting should be left off unless the AirWatch
server is on the same domain as the SCEP server and the service account running AirWatch is a
domain administrator.

Admin Username & Password - Username and password to authenticate with the SCEP server. The
username and password need to have the correct permissions on the SCEP server along with the
certificate template being used in order to authenticate with them.

Allow child location groups to use this certificate authority - Check to allow inheritance.

Authority Type - The type of certificate authority; select Simple Certificate Enrollment Protocol
(SCEP) from the drop down menu.

Max Retries When Pending - Max Retries determines the maximum number of retries for sending
SCEP enrollment requests. The standard value is 5.

Retry Timeout - Retry Timeout determines the amount of time (in minutes) that defines a timeout
during a SCEP request. The recommended value is 30.

Challenge Type - Challenge Type determines how the page will authenticate the certificate
enrollment URL.
   o Static Challenge is a singular key or password that will always authenticate with the certificate
     enrollment URL.
   o Dynamic Challenge will use AirWatch to pull a challenge key or password from the SCEP provider.
   o No Challenge means that no challenge is required and this usually involves unsecured SCEP endpoints.
     This will only apply in rare circumstances.

SCEP Provider - The SCEP provider determines the rest of the configuration and what challenge
options are available.

SCEP Provider: MSCEP

If MSCEP is the SCEP provider, the following options will appear. Please note that some options may vary based on the
selected Challenge type:

SCEP Challenge Phrase (Static Challenge Only) - Enter the password or key provided by SCEP.

SCEP Username Is Required (Dynamic Challenge Only) - Check this box to require user authentication for
access to the Dynamic Challenge web address.

SCEP Challenge Length (Dynamic Challenge Only) - Enter the challenge length provided by the SCEP
provider.

SCEP Challenge URL (Dynamic Challenge Only) - This field should contain the web address of the
challenge URL:
   o For MSCEP 2003, the challenge URL is the same as the web enrollment URL.
   o For MSCEP 2008, the challenge URL is typically
     https://scepserver.mycompany.com/certsrv/mscep_admin/ where scepserver.mycompany.com is the
     web address of the SCEP server (Note: The trailing / is NOT optional).

SCEP Username & Password - Username and password to authenticate with the SCEP challenge URL. The
username and password need to have the correct permissions for both the SCEP server and the certificate
template being used in order to authenticate with them.

Click Save. Now, configure the SCEP Certificate Template.


SCEP Provider: VeriSign

If VeriSign is the SCEP provider, the following options will appear. Please note that some options may vary based on the
selected Challenge type:

SCEP Challenge Phrase (Static Challenge Only) - Enter the password or key provided by SCEP.

Verisign Passcode Post URL (Dynamic Challenge Only) - Enter the dynamic challenge URL. The URL should
look like this: https://onsite-admin.verisign.com/OnSiteHome.htm.

Verisign DNS Post Fix (Dynamic Challenge Only) - Enter the domain used to register the relevant mPKI
account.
   o For example, if the domain was registered with mycompany.com, enter .mycompany.com in this field.

Verisign Certificate Name (Dynamic Challenge Only) - This field displays the uploaded certificate used to
authenticate with the VeriSign Cloud.

New Certificate File and Certificate Password (Dynamic Challenge Only) - Upload a new certificate into
the SCEP configuration for authentication with the VeriSign Cloud.
   o Click Browse to upload a new file.
   o Enter the certificate password.

Click Save. Now, configure the SCEP Certificate Template.


SCEP Provider: Basic

Use the Basic option when the provider is not VeriSign or Microsoft. In order for the Basic option to be supported, the
provider must allow for Static Challenge (Dynamic is not allowed in Basic) and provide the standard protocol. Selecting
the Basic SCEP Provider option will require the following fields:

SCEP Challenge Phrase (Static Challenge Only) - This field should contain the password or key provided by
SCEP.

SCEP: Configure the Certificate Template

Once the Certificate Authority is configured, configure the Certificate Template so that AirWatch can request a
certificate from the Certificate Authority:

Click on Request Templates.

Select Add to open up the Certificate Template Form.

Enter in all required fields:

Distinguished Name - The fully qualified distinguished name of the certificate. This field supports the
lookup values used in AirWatch so that the certificate name can be unique per user/device in
AirWatch (for example, CN={EnrollmentUser}).

The distinguished name supports both Crypto API and Netscape formats. The only field required to
create a certificate is the Common Name (CN). The distinguished name should reflect what the
certificate will be authenticating against.

Certificate Authority - Specifies the CA that this template is assigned to in AirWatch.


Private Key Length - The private key length should match the length of the private key on the
certificate template being used on the CA.
   o Compatibility note: Shorter lengths will be more compatible with older technology and operating
     systems.

Private Key Type - For all SCEP providers this determines the private key usage; the default is always
Signing & Encryption.
   o For MSCEP integration, the private key type determines which template will be used (specified on the
     SCEP server).

Use Existing Key - Not applicable for SCEP.

Template Name - Enter a Template name so this certificate template can be used in the future. The
Template Name will only be used within the AirWatch Web Console.

Store in Active Directory - Enable this option to attempt to store the certificate generated into AD
based on the Common Name chosen in the Distinguished Name.

For example, if CN=ADUser, the AirWatch Software will attempt to store the certificate into ADUser.

In order to use this option, AirWatch must be part of the local domain and the service account running
AirWatch will need to be a domain administrator.

Additional Attributes - The Additional Attributes field determines additional attributes such as a
Subject Alternative Name:
   o For example, the Additional Attributes field could be set to SAN:Other Name={UserPrincipalName}.


Utilizing Certificates for MDM


Once the certificate authority and certificate templates have been properly configured, certificates can be leveraged
within AirWatch for a number of purposes.

Enterprise Wi-Fi, VPN, EAS Authentication

Advanced Wi-Fi, VPN, and EAS configurations can now leverage certificates for authentication in the place of simple
passwords to provide stronger security from unauthorized access. AirWatch can automatically distribute these
authentication certificates down to devices, and configure the device for Wi-Fi, VPN, or EAS access without any user
interaction.

An overview of the process is as follows:

Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a
profile for your appropriate platform (iOS or Android for these capabilities)

If you are using a static SSL certificate that will be used for all devices, you may skip this step and
simply upload the certificate into AirWatch for distribution.

Fill out all general profile settings, and then choose either Credentials or SCEP depending on the type of
CA you have previously configured.

From either page, specify all parameters to select the proper certificate to be used for Wi-Fi, VPN, or EAS
authentication.

If you are using a static SSL certificate that does not depend on the user, choose Upload as the
credential source, and upload the certificate.

If you are generating certificates per each user or device from a CA, ensure that your credential source
is Defined Certificate Authority and choose the proper certificate template.

Once you have completed the Credentials or SCEP profile settings, do not Save and Publish. Select another
payload in this profile for Wi-Fi, VPN, or EAS, depending on what the certificate is being used for.


Specify all settings for the chosen payload. Ensure that the authentication type utilizes a certificate, and
that the certificate that you deployed in the Credentials or SCEP profile is chosen.

If authentication to the CA requires a trust (typically for internal certificate authorities), also ensure
that you have uploaded and selected to use a CA Root Trust certificate.

When complete, choose Save and Publish.

For additional information or assistance configuring certificates with AirWatch, contact AirWatch Support.


S/MIME Email Signing and Encryption

S/MIME is a standard for public key encryption and signing that has become the standard for email signing and
encryption. AirWatch can automatically distribute certificates and configure email or Exchange ActiveSync to utilize
S/MIME signing and encryption without any user interaction.
An overview of the process is as follows:

Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a
profile for your appropriate platform (iOS5 devices only)

If you are using a static SSL certificate that will be used for all devices, you may skip this step and
simply upload the certificate into AirWatch for distribution.

Fill out all general profile settings, and then choose either Credentials or SCEP depending on the type of
CA you have previously configured.

From either page, specify all parameters to select the proper certificate to be used for S/MIME signing or
encryption.

If you are using a static SSL certificate that does not depend on the user, choose Upload as the
credential source, and upload the certificate.

If you are generating certificates per each user or device from a CA, ensure that your credential source
is Defined Certificate Authority and choose the proper certificate template.

Once you have completed the Credentials or SCEP profile settings, do not Save and Publish. Select another
payload in this profile for Email, or EAS, depending on your type of email infrastructure.


Specify all settings for the chosen payload, and ensure that Use S/MIME is checked. Also ensure that the
certificate that you selected in the Credentials or SCEP payload is being used for either signing or encryption as
shown.

When complete, choose Save and Publish.

For additional information or assistance configuring certificates with AirWatch, contact AirWatch Support.


Email Integration
Email (SMTP)
Email messages sent from the administrator console are transmitted using the corporate Email gateway defined in the
Email (SMTP) settings menu. Users can receive email notifications for a variety of reasons, including:

Enrollment user & device activation

Report subscriptions

Device messages

Purchased application (VPP) notifications

To configure Email settings:

Navigate to Configuration > System Settings > System > Email (SMTP).

The following fields should be defined on the Email (SMTP) settings screen:

Server - The address of the corporate Email (SMTP) server.

Enable SSL - If checked, the corporate Email server will securely communicate with the AirWatch server over
SSL. The default value is false (un-checked).

Port - The port over which the corporate Email server will communicate with the AirWatch server. The default
port is 25.

Requires Credentials - If checked, SMTP traffic for the corporate Email server will require authorization. The
username and password fields are not required if authorization is not enabled.

Timeout in Seconds - Defined in seconds, this value determines the amount of time before the connection
between the corporate Email server and the AirWatch server times out.

Sender's Name - The name of the sender that will be displayed on any messages sent from the AirWatch
server.

Sender's Email Address - The Email address of the sender that will be displayed on any messages sent from the
AirWatch server.

SMS Integration
Similar to Email (SMTP), this page will enable the SMS messaging capabilities of the Web Console. However, in order to enable
this functionality, administrators must first purchase a CellTrust account so that they can provide authentication into the
CellTrust SMS Gateway.

If an account is available, fill in the following fields:

Nickname - The CellTrust account nickname.

User Name - The CellTrust account username.

Password - The CellTrust account password.


Enterprise Integration Service


When using AirWatch in the cloud, all integration to the enterprise systems can be seamlessly encapsulated in encrypted https
traffic relayed by one or more nodes (EIS relay / EIS endpoint).

This includes communications with:

SMTP (Email Relay)

Directory Services (LDAP / AD)

Microsoft Certificate Services (PKI)

Simple Certificate Enrollment Protocol (SCEP PKI)

Exchange PowerShell (for certain secure email gateways)

BES (Sync users and mobile device information)

If using AirWatch in the cloud, setting up an EIS endpoint helps integrate any of the above systems behind your corporate
firewall without the need for VPN tunnels or the need to open network firewall ports to the desired systems.

Configuring EIS
To configure EIS you need:

A server reachable from AirWatch SaaS (allow inbound requests from 205.139.50.0/23 to port 443).

Internal access to the systems to integrate (connections configured in the corresponding System Settings).

An admin account for EIS. Ensure the account's role has the permission
to Allow Remote Access located under Remote Services Security.

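
To confirm that the inbound rule for the EIS server admits only what is listed above, accepted connections can be checked against the 205.139.50.0/23 range and port 443. The Python sketch below is an added example, not part of AirWatch or EIS; the log format, the internal address 10.0.5.20 and the function name are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Source range and port the guide says to allow inbound to the EIS server.
AIRWATCH_SAAS = ipaddress.ip_network("205.139.50.0/23")
EIS_PORT = 443

# Constructed firewall log lines (hypothetical format, not real traffic).
SAMPLE_LOG = """\
2012-02-01T10:00:01 ACCEPT src=205.139.50.17 dst=10.0.5.20 dport=443
2012-02-01T10:00:04 ACCEPT src=205.139.51.200 dst=10.0.5.20 dport=443
2012-02-01T10:02:13 ACCEPT src=203.0.113.9 dst=10.0.5.20 dport=443
2012-02-01T10:02:40 ACCEPT src=205.139.52.1 dst=10.0.5.20 dport=443
2012-02-01T10:03:02 DENY src=198.51.100.7 dst=10.0.5.20 dport=443
2012-02-01T10:04:55 ACCEPT src=205.139.50.17 dst=10.0.5.20 dport=8443
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def audit_eis_inbound(log_text, eis_host):
    """Return (line number, reason, source) for accepted traffic the rule should not admit."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        match = LINE.match(raw.strip())
        if match is None:
            findings.append((number, "unparsed", raw.strip()))
            continue
        # Only traffic that was let through to the EIS server is of interest.
        if match["action"] != "ACCEPT" or match["dst"] != eis_host:
            continue
        try:
            source = ipaddress.ip_address(match["src"])
        except ValueError:
            findings.append((number, "bad-source", match["src"]))
            continue
        if int(match["dport"]) != EIS_PORT:
            findings.append((number, "unexpected-port", str(source)))
        elif source not in AIRWATCH_SAAS:
            # A /23 covers 205.139.50.0 through 205.139.51.255 only.
            findings.append((number, "outside-range", str(source)))
    return findings


if __name__ == "__main__":
    for finding in audit_eis_inbound(SAMPLE_LOG, "10.0.5.20"):
        print(finding)
```
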
For installation, use either the files available for download from the System Settings page or files received from
AirWatch support. The Enterprise Integration section of System Settings is automatically configured during the
installation of EIS behind your firewall. Use these settings if you need to adjust anything after the configuration has
been initialized by EIS after installation, or if you cannot follow this automated process. To begin EIS Configuration:

Navigate to Configuration > System Settings > System > Enterprise Integration.


Select Certificate for message-level encryption over https, or add HTTP authentication with a
username/password that can be set here and adjusted on the EIS server's configuration page.

Enable or Disable the services that AirWatch should integrate with through EIS.

Note: AirWatch SaaS already offers email delivery using SMTP, but you can also enable EIS to use your own
SMTP server (using the details entered in System Settings > System > Email (SMTP)).

Using the Advanced option, you can restore regular (direct) integration (not using EIS) by disabling certain
portals, including:

Device Services

Self-Service Portal

All Other Components

Note: The certificate generated during auto configuration has the thumbprint located here; it can be cleared and
renewed if needed.

If EIS is unable to connect to the API during installation, generate a configuration script (encrypted):

Generate the certificate, save the page and click refresh.

Export settings for the EIS server (this prompts you to set a password).

Download the XML file and import it into the EIS configuration (this automatically configures the EIS
server).

Using the AirWatch API


The API page under System Settings establishes the security of your Location Groups to use certificates. Once this is set up,
integrating systems can use the certificate to securely communicate with your environment through the AirWatch API.

The most common example of an integrating system is the AirWatch Secure Email Gateway. In order to monitor
and control a Secure Email Gateway from a specific location group, an API certificate is required during the
installation process.

To generate an API certificate for your environment:


Navigate to System Settings Location Group

Enter the password into the New Certificate Password field, and then click Generate Client Certificate. The API
certificate is now available.

To use the API certificate in an integrating system (such as the Secure Email Gateway), you need to export it.
Re-enter the certificate password and click Export Client Certificate.

The certificate is now ready and can be used on your computer and in the integrating system.

Best Practices

As part of the initial AirWatch system setup, administrators must configure several core system settings (in the
System Settings page of the web console) that enable integration between the AirWatch server and corporate
infrastructure. These settings should not be changed once they are configured.
