Symantec Mobile Security Manager Administration Guide


Symantec Mobile Security Manager

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version:

Legal Notice

Copyright 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Client Firewall, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Symbian and Symbian OS are registered trademarks of Symbian Software Ltd. Windows is a registered trademark of Microsoft Corporation.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation Stevens Creek Blvd. Cupertino, CA

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

Asia-Pacific and Japan:
Europe, Middle-East, and Africa:
North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Symantec Mobile Security Manager Overview
About this document; About Symantec Mobile Security Manager; About Symantec Mobile Security Suite management options; How Symantec Mobile Security Manager works with Symantec System Center; How Symantec Mobile Security Manager works with other Mobile Device Management systems; Starting Symantec Mobile Security Manager; About the Symantec Mobile Security Manager window; Main menu; Main toolbar; Status bar

Chapter 2 Mobile Security concepts
Understanding entities; Linking devices and device states; Device state; Users; User groups; About entity relationships; About policy packages and policies; Enterprise default package; Policies; Firewall policies; Security Manager policies; Integrity Manager policies; Intrusion detection policies; Policy rules defined; About policy package inheritance; Eligibility; Deploy; Reissue

Chapter 3 Managing users and devices by using the Entity Manager
About the Entity Manager; Managing entities from the tree view window; Managing entities from the grid view window; Manually adding user groups, users, and devices; About entities; Adding user groups and users; Transferring users to user groups; Adding devices; Changing the linking of linked or unlinked devices; Deleting entities; Device registration; Device states; Setting the device state for auto-linking devices; Viewing aggregate license and device information; Changing the device state of a linked device; Changing the device state of an unlinked device; Locking and unlocking the linking

Chapter 4 Import Wizards
Adding users with the User Import and LDAP Import Wizards; About using the User Import Wizard; User Import file requirements; Preparing your import file; Importing users from an external file; Specifying import options; Specifying user group import options; Specifying error handling options; Handling error conditions; Approving import records; Viewing the import results; Adding users from a Microsoft Active Directory with the LDAP Import Wizard; Connecting to a Microsoft Active Directory; Mapping LDAP properties to database fields; Specifying error handling and user groups; Handling error conditions; Reviewing importable users; Viewing the import results; Refreshing users from a Microsoft Active Directory

Chapter 5 Managing policy packages
About policy packages; Package manager functions; Package Manager icons; Package Manager right-click menu; Package properties; Policy properties; Using the Package Manager; Opening the Package Manager; Packages grid; Setting the enterprise default package; Creating, cloning, and modifying packages; Deleting packages; Retiring packages; Viewing policies that are not part of a package; Symantec policy packages

Chapter 6 Managing policies
About managing policies; Policy properties; About Firewall policies; About Firewall rules; Modifying, cloning, and creating Firewall policies; Defining Firewall policy properties; Defining a stateful Firewall policy; Adding rules by selecting existing rules; Adding and customizing rules; Creating new firewall base rules; Customizing rules; Setting the order of Firewall rules and deleting rules; Creating a security policy; General PIN and password settings; PIN settings; Password settings; Device feature blocking; Idle timeout; Resetting the encryption key; Secure folders; Modifying security policies; Predefined policies

Chapter 7 Deploy Manager
About the Deploy Manager; About assigning a policy package; Assigned and deployed packages; Policy package inheritance; Assigning policy packages with the Deploy Manager; Assigning packages from the Entity Manager; Viewing information in the Deploy Manager; Removing package assignments; About deploying packages; Deploying all assigned packages simultaneously; Deploying packages to selected entities; Deploying by package; Reissuing modified deployed packages; Tracking package event history

Chapter 8 Viewing, reporting, and charting events
About viewing, reporting, and charting events; About event logs; About the Event View Manager; Creating, modifying, and deleting event view specifications; Loading events; Grouping and sorting the event view results; Searching event view results; Exporting event logs; Deleting events; About the Reports Manager; Report specifications; Creating reports; Modifying reports; Using the filter form; Printing and exporting reports; Locking reports; Deleting reports; Charts Manager; Running charts; Saving charts

Chapter 9 Admin tools
About administrator tools; Devices; Device statistics; Linked devices; Unlinked devices; Preferences; Agent configuration file; Help Desk users; Creating authorized users; Modifying passwords for authorized users; Deleting authorized users; Device password override process; Enterprise Help Desk user password policy; Upload history; Package history; Reissuing policy packages; AWOL linked devices; Services Manager

Chapter 1
Symantec Mobile Security Manager Overview

This chapter includes the following topics:

- About this document
- About Symantec Mobile Security Manager
- Starting Symantec Mobile Security Manager
- About the Symantec Mobile Security Manager window

About this document

This guide explains how to perform the mobile security administration tasks of Symantec Mobile Security Suite that are managed by the Symantec Mobile Security Manager. It assumes that you have read the Symantec Mobile Security Suite Implementation Guide. The implementation guide explains how to install all of the management components, including Symantec Mobile Security Manager.

About Symantec Mobile Security Manager

Symantec Mobile Security Manager is the central console for managing the firewall and encryption functionality of Symantec Mobile Security Suite. You can also manage device feature access, create and deploy policy packages, and monitor events by using a range of reporting functions.

Symantec Mobile Security Manager requires SQL Server. It operates together with a Web server and Windows services. However, you use a different system to manage AntiVirus and LiveUpdate. The following sections explain your options.

About Symantec Mobile Security Suite management options

Symantec Mobile Security Suite allows you to manage the devices in your organization in different ways. These depend on how you manage your network generally, and on the tools that you choose to use.

The following table shows the different management components that are available with Symantec Mobile Security Suite.

Table 1-1 Symantec Mobile Security Suite management components

Component: Symantec Mobile Security Manager
Manages: Events, security policies, and device information
Works with: Symantec System Center or other Mobile Device Management system

Component: Symantec System Center tools
Manages: AntiVirus and LiveUpdate
Works with: Symantec System Center; Symantec Mobile Security Manager

Component: Wireless administration tools
Manages: AntiVirus and LiveUpdate
Works with: Symantec System Center or other Mobile Device Management system; Symantec Mobile Security Manager

You use Symantec Mobile Security Manager together with Symantec System Center or another Mobile Device Management system. You can install and run the wireless administration tools on either Symantec System Center or another system.

How Symantec Mobile Security Manager works with Symantec System Center

You use Symantec System Center together with either set of Symantec Mobile Security Suite tools to manage AntiVirus and LiveUpdate on your organization's mobile devices. You use Symantec Mobile Security Manager to manage the security policies for the devices.

How Symantec Mobile Security Manager works with other Mobile Device Management systems

You use your Mobile Device Management system or custom tools together with the wireless administration tools to manage AntiVirus and LiveUpdate on your organization's mobile devices. You use Symantec Mobile Security Manager to manage the security policies for the devices.

Starting Symantec Mobile Security Manager

Symantec Mobile Security Manager supports a single active session. Within this session, only one instance of each window can be open at any time.

To start Symantec Mobile Security Manager

- On the desktop, navigate to Start > Programs > Symantec > Symantec Mobile Security Manager.

About the Symantec Mobile Security Manager window

The Symantec Mobile Security Manager window includes the following components:

- The main menu. See Main menu on page 15.
- The main toolbar. See Main toolbar on page 16.
- The status bar. See Status bar on page 16.

Main menu

The following options are available from the main menu:

File: Exit from Symantec Mobile Security Manager.
View: Display or hide the Toolbar and Status Bar.
Admin Tools: Access the Admin Tools window to view device information; set Enterprise preferences; save Agent configuration files; create authorized help desk users; view Upload history, Package history and AWOL devices; and access the Services Manager.
Entities: Access the Entity Manager window to manage Users, User Groups, and Devices. Add new users from file, add new users from an LDAP Data Source or refresh users from an LDAP Data Source. Export a list of all Devices.
Policies: Access the Package Manager, Packages Grid and Deploy Manager. Reissue Modified Deployed Packages and Reissue All Deployed Packages.
Reports: Access the Event View Manager, Reports Manager, and Charts Manager.
Window: Organize the display of open windows or close all windows.
Help: Open the online documentation.

Main toolbar

The following options are available from the main toolbar:

Admin Tools: Opens the Admin Tools window.
Entity Manager: Tree View: Opens the Entity Manager in tree view mode.
Entity Manager: User Groups: Opens the Entity Manager in grid view mode with User Groups displayed.
Entity Manager: Users: Opens the Entity Manager in grid view mode with Users displayed.
Entity Manager: Linked Devices: Opens the Entity Manager in grid view mode with Linked Devices displayed.
Entity Manager: Unlinked Devices: Opens the Entity Manager in grid view mode with Unlinked Devices displayed.
Package Manager: Opens the Package Manager.
Deploy Manager: Opens the Deploy Manager.
Event View Manager: Opens the Event View Manager.
Reports Manager: Opens the Reports Manager.
Charts Manager: Opens the Charts Manager.

Status bar

The following options are available from the status bar:

Services Manager: Opens the Services Manager window.
Upload: Starts or Stops the Upload Manager.
Download: Starts or Stops the Download Manager.
Web Server: Starts or Stops the Symantec web server.

Chapter 2
Mobile Security concepts

This chapter includes the following topics:

- Understanding entities
- About entity relationships
- About policy packages and policies
- Policies

Understanding entities

An entity is a single User Group, User, or Device. The Enterprise administrator can create, modify, and delete entities; determine the relationship between entities; and assign and deploy Policy Packages to entities. Entities are managed in the Entity Manager and also in the Deploy Manager. Administrators cannot manually add unlinked Devices. Only User Groups, Users, and Linked Devices can be assigned a Policy Package. Only active Linked Devices are eligible for deploy.

Linking devices and device states

Devices are classified as Linked or Unlinked within Symantec Mobile Security Manager.

A Linked Device is a device that has been added to the Symantec Mobile Security Manager database (registered) and linked to a single, existing User. Devices register when they are manually added by the administrator, or automatically when the device communicates with Symantec Mobile Security Manager (Auto-Registration via Mobile Connect). Auto-Registering devices automatically link to an existing User when the linking value on the registering device matches the of an existing User (Auto-Linking). Auto-Linked devices begin with a Device State of either Active or Pending, depending on the Enterprise-wide preference setting set by the administrator.

Unlinked Device - An Unlinked Device is a device that has Auto-Registered but does not have a linking value that matches an existing User. Unlinked Devices must be linked to a single, existing User before they can receive a package in a deploy and have their Event Logs available for viewing.

Device state

Devices are further classified by Device State. Device States are described below:

Active Device: An Active Device is a Linked Device that has been explicitly set to active (activated) by the administrator or a device that was automatically set to active when it Auto-Linked to an existing User. Active Devices can receive Packages in a Deploy and their Event Logs are available for viewing.

Pending Device: A Pending Device is a Linked Device that was automatically set to pending when it Auto-Linked to an existing User. Pending Devices must be set to active (activated) by the administrator in order to receive Policy Packages in a deploy and have their Event Logs available for viewing.

Rejected Device: A Rejected Device is a Linked or Unlinked Device that has been explicitly set to the rejected Device State by the administrator. A Rejected Device, like all non-active Devices, cannot receive Policy Packages in a deploy, and its Event Logs are not available for viewing.

Suspended Device: A Suspended Device is a Linked Device that has been explicitly set to the suspended Device State by the administrator. A Suspended Device, like all non-active Devices, cannot receive Policy Packages in a deploy, and its Event Logs are not available for viewing.

Users

A User is a person in the mobile community who owns (or potentially owns) a device. A single User can be added to the database using the Enterprise-wide preference setting Add User window. Multiple Users can be added using the Import Users from File Wizard or from a Microsoft Active Directory with the LDAP Import Wizard. A User can own (be linked to) more than one device, but every Linked Device belongs to one and only one User. When a User is added to the database, the User must be designated as the member of a User Group. A User, or multiple Users, can be transferred to a different User Group at any time, but a User belongs to only one User Group at a given time.

User groups

A User Group is a collection of Users. The primary function of a User Group is to facilitate assigning and deploying Policy Packages to devices according to the rules of Policy Package inheritance.

About entity relationships

User Groups, Users and Linked Devices are structured in a hierarchical parent-to-child relationship. This relationship facilitates assigning and deploying Policy Packages. In this relationship, a User Group is the parent to one or more Users and a User is the parent to one or more Linked Devices. Although Unlinked Devices are defined as entities, they are outside the deploy hierarchy.

When adding entities to your database, the following rules apply:

- A Linked Device must belong to a single User
- A User must belong to a single User Group
- Multiple Linked Devices can belong to a single User
- Multiple Users can belong to a single User Group

As you define your entities, particularly User Groups, consider that child entities inherit the Policy Package assigned to the parent entity. For more information on Policy Package inheritance, see the next section, Understanding Policy Packages and Policies.

About policy packages and policies

Symantec Mobile Security software protects the device in four key categories of security: Firewall, Security Management, Intrusion Detection and Integrity Management. Each category is represented by one or more policies in Symantec Mobile Security Manager. A Policy Package is a complete group of all four categories of policies, seven policies in all. There are four Firewall Policies, one Security Manager Policy, one Intrusion Detection Policy and one Integrity Manager Policy. Packages are assigned to entities, creating an inheritance hierarchy that reaches all the way to the device. After deployment, packages are picked up by the device via Mobile Connect.

Enterprise default package

A Default Policy Package is in force when the Agent software is first installed on the device. Custom packages can later be created, assigned to entities and deployed to the device.

The Mobile Security Enterprise Agent Software is installed with a predefined, default package, which includes seven policies for each of the four defined categories. After installation, the policies are automatically enforced until a new package is deployed to the device.

During setup you are required to designate an existing package (Mobile Security Stateful Default) as your Enterprise Default Package (EDP). Alternatively, you can create a new package during setup, and designate that package as the EDP. The EDP then becomes the default package for all the devices in your organization that have not received a specific package via deploy. It is copied to a special area on the web server for pickup and generates a package event in Admin Tools/Package History. The default location of the file is C:\Symantec\Download\Common\bfp.bfp.

The EDP can also be assigned to entities for deploy just like any other package. This has two advantages if you decide to designate a different Package as your Enterprise Default:

- No reassignment is necessary for any entities assigned the EDP.
- There is an immediate and automatic deploy to all devices that are targeted to receive the EDP.

Each time the Enterprise Default Package is redesignated or the Agent configuration settings are modified, the default file updates. New devices and devices targeted to receive the Enterprise Default Package automatically download the updated version of the file.

The Enterprise Default Package is typically distributed with the Agent software so that the device will use your organization's policies and configuration settings for communicating with the Enterprise via Mobile Connect. If the Agent software is installed without this file, a Symantec-defined package called "Mobile Security Stateful Default" will go into effect.

Policies

A policy is a collection of one or more rules, such as "block network traffic on port 80" or "require an eight digit PIN for authentication". Within Symantec Mobile Security Manager, rules are grouped into one of four policy types: Firewall, Security, Integrity Management and Intrusion Detection. Within the firewall category, four firewall policies are specified for the four security levels available on the Agent.

Firewall policies: A Firewall policy consists of one or more Firewall rules, and is created in the Firewall Policy editor. Firewall policies are defined by:

- Setting the policy properties
- Adding firewall rules
- Setting rule values (also known as rule customization)
- Setting the order of the rules

Rules are added to a firewall policy in two ways, either by selecting rules from another firewall policy (or the All Firewall Rules ruleset), or by creating the rule directly by specifying rule protocol, action and port value.

Security Manager policies: The Security policy specifies the settings for basic authentication (PIN or password); blocking of various device features; the behavior of the device when it becomes idle; device PIN or password reset by device user; and how the Symantec software handles encrypted folders.

Integrity Manager policies: The Integrity Manager monitors the state of the device and alerts against integrity violations, which are defined as changes to the device's core system files, registry entries and directories. Integrity Manager Policies are predefined. The administrator selects the predefined policy to be included in a package. If a violation is detected, the Integrity Manager takes some desired action, event logging or device quarantine, based on the action code set in the policy.

Intrusion detection policies: The Intrusion Detection Policy watches for certain types of suspicious network traffic. This policy is currently built-in and cannot be modified with a Policy editor.

Policy rules defined

Firewall policies consist of one or more customized firewall rules. Customized rules are instances of firewall base rules which have additional values specified for logging, user-defined event severity, IP range and direction. The event logging option allows the Administrator to toggle event logging on or off for a particular rule, controlling log size on the device. Severity level is used to categorize firewall events at a level determined by the Administrator. Severity level can be set to Low, Medium, High, or No severity. Severity levels can be filtered in any combination when viewing Event Logs in the Event Log Viewer.

Firewall Rule: A filter that blocks or allows network packets through defined ports, protocols, IP ranges and direction.

Base Rule: A generic firewall rule in which the event logging and severity options are not specified. Base Rules define standard protocols and ports on which network traffic is blocked or allowed. When an instance of a base rule is added to an actual firewall policy, values for logging and severity level must be specified prior to saving the Firewall policy. A library of Base Rules is packaged with Symantec Mobile Security Manager and the administrator may also add new Base Rules.

Customized Rule: A Firewall rule that is part of a Firewall policy. An instance of a Firewall Base Rule that has been customized with a value for event logging and severity. Additionally, an IP range can be specified for the rule, and the rule can be set to inbound only or outbound only. Uni-directional rules are not a common use case.

Security Manager Rule: A Security Manager rule controls device authentication or behavior of the device.

Intrusion Detection Rule: An Intrusion Detection rule defines behavior and actions for intrusive network traffic. Intrusion Detection rules are predefined and cannot be edited.

Integrity Manager Rule: An Integrity rule defines behavior and actions for events that affect the integrity of the device. Integrity Manager rules are predefined and cannot be edited.

About policy package inheritance

Policy Packages can be assigned to any entity at any level: User Group, User or Linked Device. To achieve total flexibility in a deployment, different Policy Packages may be assigned to Users within the same User Group or even to different devices for the same User.

When the Administrator assigns a Policy Package to a User Group, all devices linked to Users who belong to the User Group will inherit that Package. No further assignments are necessary unless the Administrator chooses to override the User Group's Package by assigning directly at the user or device level. Policy Package assignments can be changed at any time and new packages can be deployed at any time.

Eligibility

A device that would receive a new package in the event of a complete deploy is said to be an eligible device or eligible for deploy. Devices become eligible when the following two conditions are met:
- The device is active
- The device is assigned or inherits a package other than the package currently deployed to the device

Deploy

Initiating a deploy creates a package file for each eligible device. The package files are available for download from the Enterprise web server. Devices periodically look for new packages. When the new package is installed on the device, the policies go into effect immediately. A deploy is triggered when the Enterprise Default Package is changed.

Reissue

The command Reissue All Deployed Packages causes a package file to be regenerated on the Enterprise server for every device which has previously received a package. A complete reissue is necessary only in special cases:
- Application-defined data, such as event types, have changed when the Enterprise itself has been upgraded.
- The Agent Configuration File has changed. Since the Agent Configuration file is distributed only within a package, this necessitates a reissue.
- A new Agent license file must be redistributed. Since the Agent license file is distributed only within a package, this necessitates a reissue.

The first two cases above trigger an automatic reissue, which occurs without Administrator intervention. The third case requires the Admin to execute the command, Reissue All Deployed Packages, which is available in the main menu under Policies.

The command Reissue Modified Deployed Packages is used to update devices which have received an older revision of the package. When the rules in a package change, or the selection of policies in a package changes, the package is said to have been critically modified. Devices that have already received the package are not eligible to receive it as defined above, but need the new revision. The command Reissue Modified Deployed Packages is located in the main menu under Policies. This causes a package file to be regenerated for every device which needs the latest revision of its package.

Note: When a package is critically modified, the Administrator is prompted to reissue that package. In addition, all packages which are eligible for deploy or need reissue can be identified in the Deploy Manager (Packages view).

Note: When a critically modified package is deployed, its revision is incremented and an XML snapshot of that package is automatically taken to preserve a strict audit trail of every rule in every revision of every package.
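The inheritance and eligibility rules above can be checked on paper before a deploy. The following is an added example, not code from the product or from this guide: the class names, the sample data, and the fallback to the Enterprise Default Package when nothing is assigned are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserGroup:
    name: str
    assigned: Optional[str] = None   # package assigned at User Group level


@dataclass
class User:
    name: str
    group: UserGroup                 # a User belongs to exactly one User Group
    assigned: Optional[str] = None   # overrides the User Group's package


@dataclass
class Device:
    device_id: str
    user: Optional[User] = None      # None models an unlinked device
    state: str = "Active"            # Active, Pending, Suspended, Rejected, Unlinked
    assigned: Optional[str] = None   # overrides the User's and User Group's package
    deployed: Optional[str] = None   # package currently on the device
    deployed_revision: int = 0


def effective_package(device: Device, enterprise_default: Optional[str] = None) -> Optional[str]:
    """Most specific assignment wins: device, then user, then user group."""
    if device.assigned:
        return device.assigned
    if device.user is not None:
        if device.user.assigned:
            return device.user.assigned
        if device.user.group.assigned:
            return device.user.group.assigned
    # Assumption of this example: fall back to the Enterprise Default Package.
    return enterprise_default


def classify(device: Device, revisions: Dict[str, int],
             enterprise_default: Optional[str] = None) -> str:
    """Return 'deploy', 'reissue' or 'none' for one device."""
    if device.state != "Active":     # only Active devices receive packages
        return "none"
    package = effective_package(device, enterprise_default)
    if package is None:
        return "none"
    if package != device.deployed:   # eligibility as defined in the guide
        return "deploy"
    if revisions.get(package, 0) > device.deployed_revision:
        return "reissue"             # same package, older revision on the device
    return "none"


def plan(devices: List[Device], revisions: Dict[str, int],
         enterprise_default: Optional[str] = None) -> Dict[str, List[str]]:
    """Group device IDs by the action a deploy or reissue would take."""
    result: Dict[str, List[str]] = {"deploy": [], "reissue": [], "none": []}
    for dev in devices:
        result[classify(dev, revisions, enterprise_default)].append(dev.device_id)
    return result


# Constructed sample data (package names and revisions are made up).
SALES = UserGroup("Sales", assigned="Standard")
LAB = UserGroup("Lab")
ALICE = User("alice", SALES)
BOB = User("bob", SALES, assigned="Executive")
CAROL = User("carol", LAB)
REVISIONS = {"Standard": 1, "Executive": 2, "Kiosk": 1, "Baseline": 1}
DEVICES = [
    Device("dev-1", ALICE),                                            # nothing deployed yet
    Device("dev-2", BOB, deployed="Executive", deployed_revision=1),   # older revision
    Device("dev-3", BOB, assigned="Kiosk", deployed="Executive", deployed_revision=2),
    Device("dev-4", ALICE, state="Pending"),                           # not Active
    Device("dev-5", ALICE, deployed="Standard", deployed_revision=1),  # up to date
    Device("dev-6", CAROL),                                            # only the default applies
]

if __name__ == "__main__":
    for action, ids in plan(DEVICES, REVISIONS, "Baseline").items():
        print(action, ids)
```
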

Chapter 3 Managing users and devices by using the Entity Manager

This chapter includes the following topics:
- About the Entity Manager
- Manually adding user groups, users, and devices

About the Entity Manager

Entities are defined as Users, Devices, or User Groups. Together they represent the mobile user community in the organization. The Entity Manager allows logical grouping of entities and definition of entity hierarchies. Entities are managed through the Entity Manager interface. In the Entity Manager you can do the following:
- Add, modify and delete entities
- View entity details
- Identify Users assigned to each User Group
- Transfer Users to different User Groups
- Identify Devices assigned to each User
- Lock or Unlock the linking for a Device
- View entities and the Policy Packages that have been Assigned or Deployed to them
- Import Users from a file
- Import Users from Microsoft Active Directory
- Export a list of Devices

The Entity Manager provides a comprehensive picture of all entities in your Enterprise database through two separate views: grid view and tree view. The grid view displays a spreadsheet-like display of all entities for a given entity type. The tree view shows the hierarchical relationship between User Groups, Users and Linked Devices. Both views provide options to add, modify, and delete entities, and allow you to refresh displayed information to reflect updates due to Auto-Registration, the import of data from a file, or action taken by the Enterprise administrator.

Options in the grid view, tree view or in both views include:
- Expand/Contract Tree View: Expands or contracts the details for all entities in the tree. (This icon functions only in tree view and is grayed out in grid view.)
- Modify Entity: Opens the Modify User Group, Modify User, Modify Device, or Modify Unlinked Device window depending on the current selection.
- Add Entity: Opens the Add User Group, Add User, or Add Device window depending on the current selection.
- Delete Entity: Deletes the selected User Group, User, or Device. Multiple entities can also be selected in a grid and then deleted using the Delete Entity icon.
- Refresh from Database: Refreshes the displayed information when new entities have been added externally (for instance, through auto-registration) during the Entity Manager session.
- Restore Grid to Default: Returns the column order and the width of each column in the grid to the default settings. (This icon functions only in grid view and is grayed out in tree view.)
Managing entities from the tree view window

The Entity Manager: tree view window displays entities, and the relationships between them, in a hierarchical format based on their User Group assignment, including details about each User Group, User or Device in your Enterprise database.

To open the Entity Manager: tree view window

Do one of the following:
- In Symantec Mobile Security Manager, click the Entity Manager: tree view icon
- Press Ctrl+H
- Click Entities > Entity Manager: tree view from the menu bar
- From the expanded Entity Manager: tree view window, click the Expand/Contract tree view toolbar icon
- Click the Expand/Contract tree view right-click menu option
- From the Entity Manager: grid view window, press Ctrl+H, or click the tree view radio button or the Locate in Tree View button

When the Entity Manager: tree view window initially displays, all User Groups will be listed in the left pane in their collapsed or contracted state.

Note: Unlinked device information is not accessible from the Entity Manager: tree view window. Use the Entity Manager: grid view window.

From within the collapsed or contracted Entity Manager: tree view window you can:
- View all User Groups
- See the name, description and deployed Policy Package for each User Group
- See the total number of Users in each User Group
- Access a series of right-click menus that will allow you to expand or contract the tree view; modify, add or delete entity information for the selected entity; or refresh the available data from a Microsoft Active Directory or other external database
- Choose from a set of toolbar icons including Expand/Contract tree view, Modify Entity, Add Entity, Delete Entity and Refresh From Database
- Switch to the Entity Manager: grid view window by clicking the grid view radio button or, if a choice is highlighted in the left pane, by clicking the Locate in Grid button.

When the tree view window is in the collapsed state, the left pane lists all existing User Groups. If you click on a User Group in the left pane, the status bar at the base of the window will show the User Group name and the number of Users in the User Group. The right pane will also display the name of the selected User Group, along with any available description of the User Group, and the name of the User Group's Assigned or Deployed Policy Package, if one exists.
Note: In the Entity Manager, both the tree view and grid view windows have radio buttons that allow you to switch between the two windows with a single click. You can also click the Locate in Grid button in the tree view window to switch to the grid view, and you can click the Locate in tree view button in the grid view window to switch to the tree view.

The contracted Entity Manager: tree view window has a right-click menu that will allow you to expand or contract the tree view window. From this menu you can also open the Modify or the Add User Group windows, delete a selected User Group, or refresh the User data from a Microsoft Active Directory or other database.

The tree view can be expanded so that each User in each User Group, and each Device assigned to a User, is displayed. A plus sign next to a User Group indicates that one or more Users are assigned to that Group. A plus sign next to a User indicates one or more Devices are assigned to that User.

To expand or contract an individual User Group, double-click the name of the User Group in the left pane or click the plus sign next to the name. Only Users assigned to the selected User Group are displayed. To expand or contract the list of devices assigned to a specific User, click the plus or minus sign next to the User's name, or double-click on the User's name.

To view the details of an entity, click on the desired entity in the left pane. Detailed information will display in the Entity Details pane. Information about the selected entity will appear in the status bar at the base of the window. Clicking the Locate in Grid button will switch to the Entity Manager: grid view window, and will automatically display information about the highlighted entity.

Managing entities from the grid view window

The Entity Manager: grid view window allows you to view and manage entities in a grid format, displaying records in list form for each entity type (User Groups, Users, and Linked and Unlinked Devices). Unlike the tree view, which shows the relationship between the various types of entities, the grid view lets you see all of the information associated with entities of one type.
Within the Entity Manager: grid view window you can:
- View a list of User Groups, Users, Linked Devices, or Unlinked Devices
- View Active, Pending, Rejected or Suspended Devices by selecting among display controlling filters
- View aggregate information about Linked, Unlinked and Active Devices
- View detail information about User Groups, Users, Linked Devices, and Unlinked Devices
- Sort and group entity details by column headers
- Access right-click menus that allow you to edit or refresh entity information from a Microsoft Active Directory or other database
- Choose from a set of toolbar icons including Add Entity, Modify Entity, Delete Entity, Refresh from Database and Restore Grid to Default
- Modify the grouping of information and the display order of columns
- Restore the grid view display to its default settings with a single click
- Switch to the Entity Manager: tree view window by clicking the tree view radio button

To open the Entity Manager: grid view window

1 In Symantec Mobile Security Manager, press Ctrl+G or select Entities > Entity Manager: Grid View from the main menu
or
2 From the Symantec Mobile Security Manager main menu, select from the User Groups, Users, Linked Devices, or Unlinked Devices icons. The Entity Manager window displays information about the entity type you selected
or
3 Click the grid view radio button or the Locate in Grid button from the Entity Manager: tree view window.

Sorting and grouping with column headers

In the right pane of the grid view you can group rows by one or more column headers and customize the order of the headers.

To group displayed data by a given column header, click the column header for the data you want to group and drag it to the dark gray area in the right pane where it says Drag a column header here to group by that column. In the following Figure, Linked Devices have been grouped first by User Name, then by Device State.

To sort the list in ascending or descending order by any column, click the desired column header. An arrow in each column header indicates if the column is in ascending or descending order. To change the order of columns, drag and drop a column header to a new position. To restore the view to the default setting, click the Restore Grid to Default icon.

Manually adding user groups, users, and devices

This section describes how to manually add User Groups, Users and Devices to your Enterprise database.

Note: To facilitate deployments where large volumes of Users are being managed, you can add multiple Users from an external file with the User Import Wizard or from a Microsoft Active Directory with the LDAP Import Wizard.

About entities

Clicking Entities in the menu bar of Symantec Mobile Security Manager opens a dropdown menu that includes options to access User Groups, Users and Devices. When highlighted, each of these choices offers an Add selection that opens the appropriate window to add the designated entity to the database. When entered manually, entities can be added from either the grid view or the tree view window. Since each of these methods opens the same Add <Entity> window, this section will focus on adding entities from the grid view.

User groups, users and devices linked to those users form a hierarchy which makes assigning and deploying packages efficient and logical. Devices can register automatically when they communicate with the Enterprise, or they can be added manually by the Administrator. Users can be added manually or imported in bulk. User Groups are always added manually. Devices added manually must be linked to an existing user and users added manually must specify an existing user group. It is impossible to manually add a device not linked to a user or to have a user who does not belong to a user group.

For all Add <Entity> windows, required fields are marked with an asterisk. Data for some fields must also be unique within the database. For each window, you will be notified if you have not met the data requirements.

The Add User Group, Add User, and Add Device windows all contain an optional field for Assigned Package. This option lets you choose the assigned Policy Package to be deployed to this entity. Symantec Mobile Security Manager includes a policy inheritance model that is tied to the entity hierarchy.
While this field is optional, it can be used to save steps later in the deployment process.

Note: For more information on Policy Package inheritance, see the Managing Policy Packages and Managing Policies chapters.

Adding user groups and users

Users must be assigned to a User Group and can belong to only one User Group. Users can be transferred to a different User Group at any time.

To manually add a User Group

1 Select User Groups in the left pane of the grid view window.
2 Click the Add Entity icon, or right-click and select Add User Group...
3 Enter the User Group Name. The User Group name is a required field and must be unique within the database.
4 You can add an optional Description of the User Group name.
5 You can select an Assigned Package. The Assigned Package is used to assign a Policy Package to the User Group. See the section, Understanding Policy Package Inheritance for more information on assigning Policy Packages to User Groups.
6 Click the Save button.

To manually add a new User

1 Select Users in the left pane of the grid view window.
2 Click the Add Entity icon, or right-click and select Add Users... from the dropdown menu.
3 Enter the required fields listed below:
Note: A User Group may be added at this point without closing the Add User window. Once the User Group information is saved, the User Group name will be available for selection.
4 Click the Save button.

Note: Multiple Users can be added in bulk using the User Import or LDAP Import Wizard. See Adding Users with the User Import Wizard, and the section dealing with adding Users from a Microsoft Active Directory with the LDAP Import Wizard for more information.

Transferring users to user groups

You can transfer users to different user groups.

To manually transfer a user to a different user group

1 Highlight Users in the left pane of the grid view.
2 Highlight one or more rows of Users to transfer. Use the Shift or Ctrl key to select multiple rows.
3 Select Transfer Selected Users to User Group, from the right-click menu.
4 Select the desired target User Group from the dropdown list. In this example, because Accounting was selected from the dropdown list, Accounting is shown as the target transfer group in the status bar.
5 Click Transfer Users.

Adding devices

In addition to automatic device registration, devices can be added manually to Symantec Mobile Security Manager. Device ID and User information are required to manually enter a device.

Device ID: Any Windows Mobile-based device has a unique identifier called the Universal Unique Identifier (UUID). The UUID is a 32-character, industry standard identifier that is stored on the device. This ID is unique across device manufacturers.

User: All devices must have an associated User. A device can belong to only one User, but one User can be associated with multiple devices.

Changing the linking of linked or unlinked devices

Both the Modify Device and Modify Unlinked Device windows let you link a user to a device in the database. If a user has more than one device, that user can be manually linked to multiple devices.

To manually link a user to one or more devices from the Modify Device window

1 From the Entity Manager: grid view window, right-click the Linked Device you wish to associate with a user and select Modify Device from the popup menu. The Modify Device window will open.
2 Next, select the user you wish to link to the device you selected. To do this, at the User: line you can either click Add to bring up the Add User window where you can enter information about a new user and save that information to the Enterprise database, or you can click the dropdown arrow to select from the existing users in the Enterprise database. When you highlight to select a user from the dropdown list, the Linking Mismatch window will open.
3 If you click to select the Change link to <user> radio button and click OK, the device you selected will be linked to the indicated user.
4 If you click to select the Keep link to <user> radio button and click OK, or if you click the Cancel button, no change will be made in the Enterprise database.

Deleting entities

A User Group cannot be deleted if it contains users. Users can be sorted by user group in the users grid, selected, and then transferred to a different user group by right-clicking and choosing "Transfer Selected Users to User Group..." After the transfer, a user group can be deleted.

Users can be deleted in two different modes. The Administrator can specify that devices linked to those users should also be deleted, or the Admin can specify that devices linked to those users should be retained and returned to the unlinked state. In either case a record of the deletion is recorded in the Archive\Users and the Archive\Devices directory. See below for the effect of deleting a user's device.

Note: Hold down the control key to delete a user's devices while deleting users.

Deleting a device also deletes the device's events, package history and upload history. A record of the deletion is recorded in the Archive\Devices directory.

Note: The primary use case for deleting entities is to remove sample data (for example, after an evaluation), or to remove obsolete Devices. If deleted unlinked Devices continue to communicate with the Enterprise, they will auto-register and reappear in the database. A different approach is to set the Devices to "Rejected" status and hide them from view.

To delete entities from the grid view window:

1 Open the Entity Manager: grid view window.
2 Select the entity type that you wish to delete by clicking in the left-hand pane.
3 Highlight the rows in the grid to select the entities to be deleted. Select multiple entities by holding down the Shift or Ctrl key.
4 Click the Delete Entity icon, use the Delete key on your keyboard, or select Delete Selected Entities from the right-click menu.

Device registration

Registration means entering device information into the database.
Individual devices can be registered manually through Symantec Mobile Security Manager. Auto-Registration permits large-scale, Enterprise-wide device registration with no intervention required on the part of the administrator.

Note: The value in the device field is used to link the device to a User with a matching value in the User's field. This value can be a unique value such as an employee ID, though an address is typically used. When Mobile Security Enterprise Agent software is run on a device, information about that device, including the value in the device field, is automatically collected.

Note: The device registration information will be rejected as invalid if the address or other linking value contains C-style comments, semi-colon, apostrophe, double-dash, or beginning of string or after a space.

Device auto-registration

Auto-Registration permits large-scale, Enterprise-wide device registration with no intervention required on the part of the Enterprise administrator. Auto-Registration does the following:
- Automatically collects data from a Device with Agent software installed
- Automatically imports a Device into the Enterprise database

Auto-Registration takes place when a device communicates with the Enterprise through Mobile Connect. The information collected from a device during auto-registration includes the device UUID, model number, agent version number, device telephone number and the device-owner's address, if available. The UUID is used in the Device ID field of the database to identify the device from all others. The value in the field is used by the Auto-Linking feature.

Device states

The possible Device States are:

Active: An Active Device is a device that has been linked to a User. Active status is either assigned automatically during the Auto-Registration process, or is set following approval by the Enterprise administrator. Active Devices can receive Policy Packages, and their logs can be viewed in the Event Viewer.
Pending: Pending status applies to devices that are linked to a User, but have a registration that has not yet been approved by the Enterprise administrator. A device will have a Device State of Pending if the Auto-Linking Devices start as Active checkbox in the Admin Tools window's License and Devices tab is not selected. In this case, the Enterprise administrator must approve Active status for each eligible device.

Note: Devices with a Device State of Pending are not eligible to receive Policy Packages and their log files cannot be viewed in the Event Viewer. In order to receive Policy Packages and to upload log files, a device must have a Device State of Active.

Rejected: The Enterprise administrator must take an action to set a device to the Rejected Device State, or to remove the Rejected Device State once it has been applied. Both Linked and Unlinked Devices may be set to a Rejected Device State. An unlinked Device with a Rejected Device State cannot be linked to a User until the Rejected Device State has been removed.

Unlinked: Unlinked status is applied to devices that have Agent software installed and have Auto-Registered, but have not been linked to a User. The Enterprise administrator may want to manually link a device to a User or change an Unlinked Device to a Device State of Rejected in order to prevent activation.

Note: Only Active Devices can upload Event Logs or receive Policy Packages.

Setting the device state for auto-linking devices

You can set preferences for Symantec Mobile Security Manager so that the Device State for Auto-linking Devices is either Active or Pending. If you choose to set the Device State to Active, all Auto-Linking Devices will be set to an Active Device State when they are added to the Enterprise database.

To choose either of these options, start at the Symantec Mobile Security Manager menu, and click Admin Tools > Preferences. Click the checkbox next to Auto-linking Devices start as Active (uncheck for start as Pending) to set the Device State to Active for all Auto-Linking Devices when they are added to the Enterprise database. Leave the checkbox blank to set the Device State to Pending for all Auto-Linking Devices when they are added to the Enterprise database.
This window also has a checkbox that will allow you to select or deselect the Automatically Deploy to newly activated Devices functionality.

Viewing aggregate license and device information

You can review aggregate license and Device information, such as the total number of Linked and Unlinked Devices, from the License and Devices tab in the Admin Tools window.

To access the License and Devices tab, click Admin Tools from the Symantec Mobile Security Manager menu, and then click License and Devices. Clicking Refresh updates the displayed information.

Changing the device state of a linked device

For a Linked Device, you can choose among the Device States of Active, Suspended or Rejected.

To change the device state

1 Open the Entity Manager: grid view window.
2 Click to highlight Devices, Linked in the left pane, and click the Modify Entity icon in the tool bar
or
3 Right-click on the highlighted Devices, Linked list item to open the right-click menu and select Modify Device.
4 Click the Device State dropdown menu.
5 Click to select from the Device State options of Active, Suspended or Rejected.
6 Click the Save button. You can see that the Device State changed in the Entity Manager: grid view window.

Changing the device state of an unlinked device

For an Unlinked Device, you can choose among the Device States of Unlinked or Rejected.

To change the Device State of an Unlinked Device:

1 Open the Entity Manager: grid view window.
2 Click to highlight Devices, Unlinked in the left pane, and click the Modify Entity icon in the tool bar or right-click on the highlighted Devices, Unlinked list item to open the right-click menu, and select Modify Unlinked Device...
3 Click to select the Device State dropdown menu and choose from the Device State options of Unlinked or Rejected.
4 Click the Save button. You can see that the Device State changed in the Entity Manager: grid view window.

Note: You cannot delete Unlinked Devices because, with Auto Registration, they would continue to re-register. However, you can choose to set the State of Unlinked Devices to a State of Rejected in order to hide them from view.

Locking and unlocking the linking

Locking the address of an Unlinked Device from within the Entity Manager protects it from being overwritten with new data. This can be an issue in situations where a device connecting to Symantec Mobile Security Manager has incorrect linking information. In most instances this is not the case. The administrator could also link the correct address to a User.

To lock or unlock the linking of an unlinked device:

1 From the Entity Manager: grid view window, click in the left pane to select Devices, Unlinked.
2 In the right pane, click to select the device on which you would like to lock or unlock the linking. Use Ctrl or Shift to select multiple devices by clicking in multiple rows.
3 In the right pane, right-click a highlighted device, and click Lock on Selected Devices or Unlock on Selected Devices.

You can view or change the locked status of a device in the grid view or from the Modify Unlinked Device window which is accessible by right-clicking on an Unlinked Device in the Entity Manager: grid view window.


Chapter 4 Import Wizards

This chapter includes the following topics:
- Adding users with the User Import and LDAP Import Wizards
- Adding users from a Microsoft Active Directory with the LDAP Import Wizard

Adding users with the User Import and LDAP Import Wizards

User Import is a feature that lets administrators bulk load User information from an external file. Use the User Import Wizard to import the Users. It is accessed from Symantec Mobile Security Manager by clicking Entities > Add New Users From File.

The User Import Wizard can be used to import or update multiple Users from a delimited text file. The imported information must adhere to specific data and formatting requirements as outlined later in this chapter. The import process includes the following steps:
- Specify Import Parameters
- Specify Import Fields
- Specify User Groups that imported Users will be Assigned to
- Specify Error Handling
- Handle Error Conditions
- Approve Import Records
- View and Save Import Results

About using the User Import Wizard

The Import Wizard can be used to add new Users, or to update existing Users. To import data, you must have database owner privileges for your Enterprise database. Before using the Import Wizard, you should be familiar with the location, format and content of your import file, and review the User Import File Requirements section of this chapter.

User Import file requirements

The User import file can be created manually, but it is recommended that the file be created by exporting data from an existing database. The following tables list all of the fields in the Symantec Mobile Security Manager user grid to which data can be imported, and their corresponding field sizes. You can import data to any of these fields as long as the data and field size requirements are met. Table 4-1 lists the data requirements for the user import file.

Table 4-1 Import File Data Requirements

Data: Data requirement
File type: Delimited, plain text file
Header: First row can be column headers. Column headers are user-defined but cannot exceed a length of 255 characters.
Required fields: First Name, Last Name, address
Column order: No order restriction
Field delimiters: Commas, Semicolons, Tabs, Pipes (Vertical Bars)
Data quotes: Double Quotes, Single Quotes, No Quotes
End of line: Carriage return line feed

Note: The field in the Symantec Mobile Security Manager database is typically used for linking devices to users records. However, you can link a device to a user record by using any unique value from an external source, such as an employee ID. The only requirement is that the device field match the value of the field in the user record.

Table 4-2 lists the size limits for each field in the user import file.

Table 4-2 Import File Field Size Limits

Field / Maximum Field Size
First Name Middle Initial Last Name User Login Department Location Cost Center Telephone Telephone 2 Cell Phone 2 Address Address 2 City State Zip Code

Preparing your import file

Before creating a User import file, determine if your data contains any of the following characters as field or data delimiters:

Field Delimiters (commas, semicolons, tabs, or pipes/vertical bars)
Data Delimiters (double quotes, single quotes, or no quotes)

If your data contains any of the field delimiters listed here, use a different character as a field delimiter. For example, if your data contains commas, use semicolons as the field delimiter, or delimit your data with single or double quotes.

For example, assume your data contains commas in the address field, e.g., 123 Main Street, Suite 134. You should use semicolons as the field delimiter, or use single or double quotes as a data delimiter.

Correct formatting

You can format your data using semicolons as the field delimiter (spaces between fields are used for legibility but are not necessary and not recommended):

Joe; Smith; [email protected]; 123 Main Street, Suite 134; Tech Support
Sue; Thomas; [email protected]; 3480 E. Elm, 4th Floor; Sales

You can format your data using commas as the field delimiter, but use quotes as data delimiters (spaces between fields are used for legibility but are not necessary and not recommended):

Joe, Smith, [email protected], 123 Main Street, Suite 134, Tech Support
Sue, Thomas, [email protected], 3480 E. Elm, 4th Floor, Sales

Importing users from an external file

You can import new users from an external file.

To import new Users from an external file
1 Open the User Import Wizard form within Symantec Mobile Security Manager by clicking Entities > Add New Users from File.
2 Specify the location of your import file. Click the My Import File is here button.
3 Navigate to the location of your import file.
4 Highlight the file and click Open. The path and file name will display in the text field.
5 Select the character used to delimit (separate) the columns in the import file by clicking in the My data fields (columns) are delimited with: dropdown list.
6 Review the settings. The Summary of the import file section of the window will update with each of the selected parameters.
7 Edit the settings or click Next.
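A pre-import check for a delimited user file, added here as an illustration and not part of the Symantec guide or product: it parses the file with the chosen field and data delimiters and sorts problems into the fatal and fixable classes the wizard reports. The column name "Unique Address" (standing in for the third required field, which this page leaves unnamed), the "Street" column, every size limit other than the 100-character one, the case-insensitive duplicate test, and the sample rows are assumptions.

```python
import csv
import io

# Placeholder name for the third required field, which the page leaves unnamed.
UNIQUE_FIELD = "Unique Address"
REQUIRED = ("First Name", "Last Name", UNIQUE_FIELD)
COLUMNS = ("First Name", "Last Name", UNIQUE_FIELD, "Street", "Department")
# Only the 100-character limit on the unique field comes from the guide;
# the other limits are constructed for this example.
LIMITS = {"First Name": 50, "Last Name": 50, UNIQUE_FIELD: 100,
          "Street": 100, "Department": 50}


def check_import(text, columns=COLUMNS, delimiter=";", quotechar='"',
                 limits=LIMITS, overwrite=False):
    """Return a list of (line_number, severity, message) findings.

    severity is "layout" (wrong field count, usually a field delimiter
    inside unquoted data), "fatal", "fixable" or "overwrite-null".
    Pass quotechar=None for files that use no data delimiter.
    """
    if quotechar is None:
        quoting = {"quoting": csv.QUOTE_NONE}
    else:
        quoting = {"quotechar": quotechar}
    reader = csv.reader(io.StringIO(text), delimiter=delimiter,
                        skipinitialspace=True, **quoting)
    findings = []
    seen = set()  # unique-field values already accepted from this file
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        row = [cell.strip() for cell in row]
        if len(row) != len(columns):
            findings.append((line, "layout",
                             f"expected {len(columns)} fields, found {len(row)}"))
            continue
        record = dict(zip(columns, row))

        # Fatal: a required field is empty.
        missing = [name for name in REQUIRED if not record.get(name)]
        if missing:
            findings.append((line, "fatal",
                             "missing required: " + ", ".join(missing)))
            continue
        # Fatal: the unique field is never truncated, so overflow rejects the row.
        key = record[UNIQUE_FIELD]
        if len(key) > limits[UNIQUE_FIELD]:
            findings.append((line, "fatal",
                             f"{UNIQUE_FIELD} longer than {limits[UNIQUE_FIELD]}"))
            continue
        # Fatal: the unique field must not repeat (compared case-insensitively here).
        if key.lower() in seen:
            findings.append((line, "fatal", f"duplicate {UNIQUE_FIELD}: {key}"))
            continue
        seen.add(key.lower())

        for name, value in record.items():
            if name == UNIQUE_FIELD:
                continue
            limit = limits.get(name)
            if not value:
                # With overwrite enabled, an empty value replaces stored data.
                if overwrite:
                    findings.append((line, "overwrite-null",
                                     f"{name} is empty and would blank the stored value"))
            elif limit is not None and len(value) > limit:
                # Fixable: the wizard can truncate to the maximum field size.
                findings.append((line, "fixable",
                                 f"{name} would be truncated to {value[:limit]!r}"))
    return findings


# Constructed sample inputs.
SEMICOLON_FILE = (
    "Joe;Smith;joe.smith@example.test;123 Main Street, Suite 134;Tech Support\n"
    "Sue;Thomas;sue.thomas@example.test;3480 E. Elm, 4th Floor;Sales\n"
)
COMMA_UNQUOTED = (
    "Joe,Smith,joe.smith@example.test,123 Main Street, Suite 134,Tech Support\n"
)
COMMA_QUOTED = (
    'Joe, Smith, joe.smith@example.test, "123 Main Street, Suite 134", Tech Support\n'
)
PROBLEM_FILE = (
    "Ann;;ann@example.test;1 First St;Sales\n"                 # empty Last Name
    "Bob;Lee;bob@example.test;2 Second St;" + "D" * 60 + "\n"  # Department too long
    "Cat;Roe;BOB@example.test;3 Third St;IT\n"                 # repeats line 2's value
    "Dan;Poe;" + "x" * 101 + ";4 Fourth St;IT\n"               # unique field too long
)

if __name__ == "__main__":
    for label, text, delim in (("semicolon", SEMICOLON_FILE, ";"),
                               ("comma, unquoted", COMMA_UNQUOTED, ","),
                               ("comma, quoted", COMMA_QUOTED, ","),
                               ("problem rows", PROBLEM_FILE, ";")):
        print(label, check_import(text, delimiter=delim))
```

Running the check on the file before opening the wizard shows which rows would be rejected outright and which would only be truncated, so the source data can be corrected instead of approved in the error grid.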

Specifying import options

The Specify Import Fields window is used to map columns in the import file to columns in the User table. The left pane in the window lists the column headers from the import file. The right pane lists the columns in the User table. You can also select a data column that can be used as an identifier to assign Users to particular User Groups.

To begin mapping columns in the import file to columns in the User table
1 Highlight a column header from the left pane.
2 Click the corresponding User table column in the right pane. The User table column will be added next to the column header in the left pane, with an arrow pointing to it.
3 Repeat steps 1 and 2 until all desired fields in the import file are mapped to a corresponding field in the User table, keeping in mind that unmapped fields are ignored.
4 To designate a file column with values that will be mapped to User Groups, highlight the appropriate choice in the left pane, and click User Group Identifier in the right pane. For more information, see the section, Importing Users to Multiple User Groups.
5 When all fields are mapped, click the Next button.

Note: You can map only one field from the import file to one field in the User table.

Note: You must map to the "First Name", "Last Name", and " " columns in the right pane in order to proceed. Mapping any additional columns is optional.

Specifying user group import options

The Specify User Group Import window provides two options for assigning Users to User Groups. You can assign all Users in the import file to one User Group, or assign Users to different User Groups if a User Group Identifier was created. Each method is explained below.

The bottom section of the window contains two panes: the User Group Identifier values on the left, and the Existing User Groups on the right.

Note: If you did not designate one of the import file fields to be used as the User Group Identifier in Step 2, you must import Users to a single User Group.

To assign all imported Users to the same User Group
1 Click the Import all my users to this group: option. With this option selected, the bottom section of the screen is grayed out.
2 Select a User Group from the dropdown list.
Note: Even if you designated a User Group Identifier in step 2, you can still map to a single User Group, in which case the values in the User Group Identifier column will be ignored.
3 If you need to add a new User Group, click the Add New User Group button above the right pane of the bottom section of the window and add a new User Group from the Add User Group window.
4 Click Save. The new User Group will be added to the list.
5 Select the new User Group from the dropdown list.
6 Click the Next button to proceed to Step 4, Specify Error Handling.

Note: If you are unsure what group you would like to commit new Users to, create a catchall User Group that you can review once the import is complete. At that point you can manually transfer Users to any of the available User Groups.

Importing users to multiple user groups

Importing Users to multiple User Groups requires that one of the columns in your user import file be mapped to the User Group Identifier. (Refer to Specify Import Fields.) Any field from the import file can be designated as the User Group Identifier. Of course, the values should support logical groupings of Users and may reflect how Users are categorized within your organization. User Group information facilitates assigning and deploying Policy Packages to logical groupings within your organization.

To assign new Users to different User Groups
1 Click I will use User Group Identifiers to specify my User Groups. With this option selected, the bottom section of the screen is activated, and if you specified a User Group Identifier, it will be selected automatically.
2 Select a User Group Identifier from the User Group Identifier pane.
3 Select a User Group from the Existing User Groups pane. The User Group Identifier is mapped to the existing User Group and is updated in the window.
Note: An existing User Group can be mapped to more than one User Group Identifier.
4 If you need to add a new User Group, click the Add New User Group button above the right pane of the bottom section of the window and add a new User Group from the Add User Group window.
5 Click Save. The new User Group will be added to the list.
6 Select the new User Group from the dropdown list.
7 Click Next.

Specifying error handling options

The Specify Error Handling window allows you to truncate data overflow errors found in your import file. Setting this option will automatically truncate any data in your file if it exceeds the maximum allowable field length in the User table. You can also select the Overwrite existing user data on import option. Doing so will result in a complete record overwrite.

Note: The Truncate my data on Import option applies the data overflow error rule to all applicable records in the import file without your intervention. The next step identifies specific records that contain errors and allows you to address any fixable errors on an individual basis.

Note: The Overwrite existing user data on import option results in a complete record overwrite, so all fields will be overwritten, not just the fields with changes. If you have null values in the data file, the null values will overwrite existing values.

To set the option for data overflow errors for all rows that can be truncated in the import file
1 Click the checkbox next to Truncate my data on import.
2 Click Next to proceed to Step 5.

To set the option for Overwrite existing user data on import in the import file
1 Click the checkbox next to Overwrite existing user data on import.
2 Click Next.

Handling error conditions

The Import Wizard runs additional validation on the import file to ensure it meets requirements. If errors are found, they are displayed in a grid in the Handle Error Conditions window.

The Handle Error Conditions window lists one column for each field found in the import file, and has an error description column. Rows are designated by a line number, include a description of what caused each error, and state if each error is fatal or fixable.

Checkbox filters in the View: row near the top of the window allow the window to show or hide Fatal Errors. An example of a Fatal Error would be if a required field in the import file contained no data. Checkboxes are also available to show or hide Fixable Errors.

There are two types of Fixable Errors:
Fixable Errors that occur because data in an imported field exceeds the maximum allowable size and therefore must be truncated
The Fixable Error of attempting to import a User that already exists in the database if the Overwrite existing data on import checkbox was not selected in the Specify Error Handling Fixable Errors window.

Note: The Truncation condition fields display in blue when selected in the Handle Error Conditions window. If the list is empty, no errors were found in the data.

Note: The Handle Error Conditions window has a right-click menu shown in the following figure.

Fatal errors

Fatal errors cannot be repaired. If a fatal error occurs, the record is not imported. Fatal errors can be caused by:
Missing data in one or more of the three required fields: First Name, Last Name, .
Duplicate address. The address must be unique for each imported User. Each address in the file is checked against addresses in the database.

You are not allowed to truncate the field. Since the field allows up to 100 characters in length, this is not likely to be an issue.

Fixable errors

Fixable errors can be repaired. If a fixable error occurs, the record can be corrected in the User Import Wizard. Fixable data overflow errors are caused by data exceeding the maximum allowable field lengths as detailed earlier in this chapter.

To correct a fixable data overflow error
1 At the top of the Handle Error Conditions window, the View row includes three checkboxes that act as filters so that you can quickly select specific groups of records.
2 You can also manually click on a row at any time to have that record toggle between being selected or unselected.
3 If one or more fixable data overflow errors are selected and the Approve Selected button is clicked, truncated data up to the maximum allowable field size will import automatically, overwriting the information that caused the error.
4 The Handle Error Conditions window includes a right-click menu. From this menu, you can select all records with truncation errors, or select all existing Users. You may then truncate the selected records or import the selected Users.
5 You can continue to highlight records individually or in groups and then click Approve Selected to approve those records without exiting the Handle Error Conditions window.

6 Records with fatal errors cannot be imported, and truncation is not an available option for the field. The field can accept addresses up to 100 characters in length.
7 Click Next.

Note: Truncation is not allowed in the data field.

Approving import records

The Approve Import Records window shown in the following figure allows you to review all data in your import file before it is imported to the database.

To complete the import
1 Verify that the data matches the fields in your input file.
2 If you need to make changes, use the Back button.
3 If you are satisfied with the data file, click Finish.
4 Click Yes to add the new Users to the database.

Note: Once you click Yes in the Final Commit (No Undo) message, the records will be added to the database. You cannot undo this action. However, you can delete Users from the database as described in the section Deleting Entities.

Viewing the import results

The summary report shows aggregate information including:
The time at which the import took place
The number of Devices that were automatically linked, if any. If at least one Device was automatically linked, the Devices Linked button will be enabled
The number of lines successfully imported
The number of lines not imported
The columns that were mapped

Note: Clicking Devices Linked will display detailed information about each device that was automatically linked, and will allow you to save this information to a file for later review.

To switch between the View Summary and View Details Reports, and save the results
1 Click the View Details button to see record-by-record information about imported Users and non-imported Users, if any.
2 Click the View Summary button if you wish to return to the Summary view to see only aggregate information.
3 Click the Save button to bring up the Save As window which allows you to save the import results report of your choice.
4 When you have reviewed and saved the import results, click Finish to exit the User Import Wizard.

Note: If you save the View Details report, the Summary Report aggregate information will be automatically included in the saved file.

Adding users from a Microsoft Active Directory with the LDAP Import Wizard

The Entity Manager's LDAP (Lightweight Directory Access Protocol) Import Wizard allows the import of Users from a Microsoft Active Directory. The process of adding Users from a Microsoft Active Directory with the LDAP Import Wizard is designed to be efficient and to eliminate unnecessary management of Users by the Enterprise administrator.

To add Users from a Microsoft Active Directory with the LDAP Import Wizard, a connection must be established with the data source and the data must be properly mapped. Once this is done, subsequent lookups can be quickly and easily managed from the Entity Manager menu, and the Refresh Users from LDAP option will be available by using the Refresh Users from LDAP function.

A User is imported only if the value that was mapped from the Active Directory field to the User field matches the value in the field of an Unlinked Device. If a match is found, the User will be imported and the matching device(s) will be automatically linked to the User(s).

Setting up an import from a Microsoft Active Directory has the following steps:
Connect to a Microsoft Active Directory.
Map LDAP Properties to Database Fields.
Specify Error Handling and User Group.
Handle Error Conditions.

Review Importable Users.
View and Save Import Results in a Summary or Detail Format.
Refresh Users from a Microsoft Active Directory, if desired.

Connecting to a Microsoft Active Directory

To connect to a Microsoft Active Directory
1 In Symantec Mobile Security Manager, click Entities > Add New Users from LDAP Data Source.
2 The Set Path to LDAP Data Source window will display. If the information is not stored from a previous use of the LDAP Import Wizard, you must enter Search Base, select your Scope, and enter Host Server and Base DN information as depicted in the following figure:
3 Complete the required fields, and then click SetADsPath to establish a connection to a Microsoft Active Directory.

Mapping LDAP properties to database fields

The Map LDAP Properties to Database Fields will open. It is used to select properties from the Microsoft Active Directory, and map those properties to corresponding columns in the User table. The left pane of the window displays all of the single value properties found in the Active Directory file. The right pane lists the columns in the User table. Select LDAP properties fields in the left pane to map to corresponding User table columns in the right pane.

To select LDAP properties
1 Click once to highlight the desired left pane property.
2 Click once on the desired right pane column. The selected column will display next to the property in the left pane, with an arrow between them.
3 Each properties field can map to only one User table column.

Note: The screenshots that follow show a portion of the standard list of Microsoft Active Directory properties in the left pane. The LDAP properties list associated with your data source may be different.

Note: You must map to the "First Name", "Last Name", and " " columns in the right pane User table in order to proceed, and the data found in the field mapped to will be used to determine if a device will be linked. Mapping additional columns is optional.

There is a Use Last Mapping button at the base of the Map LDAP Properties to Database Fields window. If mapping choices that were selected during a previous use of the LDAP Import Wizard are still in memory and you click the Use Last Mapping button, those mapping choices will appear at the top of the left pane. Also, any unmapped properties from the data in memory will appear below the previously mapped properties as shown in the previous figure.

If you fail to map to one of the required columns, a caution message will display.

Two additional mapping options available in the right-click menu of the Map LDAP Properties to Database Fields window are Restore Saved Mapping and Hide Unmapped Properties. In situations where there are many possible mapping fields to review, these menu choices will allow you to quickly select and view your most recently used mapping selections.

Selecting Restore Saved Mapping activates the most recently saved mapping format. In the example here, givenname is mapped to First Name, sn (which stands for surname) is mapped to Last Name, and userprincipalname is mapped to .

By selecting Hide Unmapped Properties, the view in the left pane displays only mapped fields.

Specifying error handling and user groups

In the Specify Error Handling and User Group window you can specify how to handle fixable error conditions, set the target User Group, and add new User Groups.

There is a fixable error handling checkbox in the Specify Error Handling and User Group window with text that reads Truncate my data on import. Do not treat data overflow as an error. Selecting this checkbox will automatically truncate any fixable errors that occur on import due to field size. However, truncation will never be applied to the field. The field allows for addresses up to 100 characters in length. In the unlikely event that an address is longer than 100 characters, a fatal error will result and the record will not be imported.

Note: You can click Back buttons to return to the Specify Error Handling and User Group window and amend selections at any time prior to final import, though selections made in subsequent windows may be lost.

To import Users to a specific User Group
1 Click the dropdown menu next to I am importing users to this User Group, and highlight your desired choice.
2 If only one User Group is available, all Users will be imported to that User Group.

To create a new User Group as a destination for imported Users
1 Click Add New User Group in the lower half of the Specify Error Handling and User Group window. The Add User Group window will display.
2 Enter a unique User Group Name. If the User Group Name you select is already in use, you will be prompted to amend your choice.
3 The Description field is optional.
4 The Assigned Package field can be used to automatically assign a Policy Package to the User Group.

5 Click Save. The new User Group will now be available in the dropdown list under I am importing users to this User Group.
6 When you are finished making choices in the Specify Error Handling and User Group window, click Next to proceed to step 4: Handle Error Conditions.

Note: If you are unsure which group you want to commit new Users to, create a catch-all User Group that you can review once the import is complete. Users can be reassigned to any Group.

Handling error conditions

If no errors were found, the Handle Error Conditions window will be empty, and you should click Next to continue to step 5.

To fix errors
1 If fixable errors were identified, they will display in the Handle Error Conditions window.
2 Right-click in the window to display a menu that can assist with the correction of fixable truncation errors.
3 If you choose Select All Records with Truncation Errors, all fixable truncation errors will be highlighted.
4 You may then click on highlighted rows one at a time if you wish to toggle between selecting and de-selecting individual records.
5 You have the option to click the Back button and return to the Specify Error Handling and User Group: Fixable Errors window, but if you do, any changes you may have made in the Handle Error Conditions window will not be preserved, and you will receive a warning message.
6 When you have selected the available records with fixable truncation errors that you want to import, click Next and proceed to step 5.

Reviewing importable users

Review Importable Users displays a list of all Users in the Active Directory that are about to be imported into the database.

To complete the review of importable Users
1 Examine the data in the grid to verify that the data is mapped correctly.
2 If you need to make changes, use the Back button.

3 If you are satisfied with the data, click Finish. The Import to Database Final Commit (No Undo) window will open.
4 When the new Users are ready to be committed to the Users table in the database, click Yes.

Viewing the import results

The LDAP Import Wizard View Import Result window can switch between displaying a Summary and a Detail report. The View Import Results Summary report provides aggregate information including:
The time at which the import took place
The number of Devices that were automatically linked, if any. If at least one Device was automatically linked, the Devices Linked button will be enabled
The number of lines successfully imported
The number of lines not imported
The columns that were mapped

Note: Clicking the Devices Linked button will cause information about devices that were automatically linked to be included in the report if the Summary or Details reports are saved.

To switch between the View Summary and View Details Reports and save the results
1 Click the View Details button to see record-by-record information about imported Users and Users that were not imported, if any.
2 Click the View Summary button if you wish to return to the Summary view to see only aggregate information.
3 Click the Save button to bring up the Save As window which allows you to save the import report of your choice.
4 When you have reviewed and saved the import results, click Finish to exit the User Import Wizard.

Note: If you save the View Details report, the Summary Report aggregate information will be automatically included in the saved file.

Refreshing users from a Microsoft Active Directory

If you have made a connection and successfully added Users from a Microsoft Active Directory with the LDAP Import Wizard, you can retrieve information about any additional new Users from the same data source with a single click of the mouse. If this is done, any importable new User data will be added, but existing User information will not be overwritten.

There are a variety of ways that you can access the Refresh Users from LDAP menu option, including the following:
In Symantec Mobile Security Manager, click Entities > Refresh Users from LDAP
or
Right-click in either pane of the Entity Manager grid view or tree view window and select Refresh Users from LDAP from the right-click menu

Note: You must connect to a Microsoft Active Directory via the LDAP Import Wizard before using the Refresh Users from LDAP option.

Once the Refresh Users from LDAP option has been selected, any new Users that match Unlinked Devices and that have the proper data format will be automatically imported from the LDAP Data Source that was most recently accessed. Dialog boxes will tell you:
If no Users were found to link to Devices
If Users were found who matched Unlinked Devices, but were not imported due to fixable import errors
The number of Users found who matched Unlinked Devices but were not imported due to fatal import errors
The number of Users found who matched unlinked Devices, had the proper data format, and were successfully imported

If at least one User was found and successfully imported, a dialog box will appear requiring you to click Yes in order to save the new information to the database.

Once you have completed the import of any new Users, click the Refresh from Database icon in either the tree view or grid view window in order to display the updated information.


Chapter 5 Managing policy packages

This chapter includes the following topics:
About policy packages
Using the Package Manager

About policy packages

Packages consist of the following seven policies:
Four Firewall policies
One Security Manager policy
One Integrity Manager policy
One Intrusion Detection (IDS) policy.

Packages are defined by selecting the policies that they contain. The Mobile Security Stateful Default package contains a selection of firewall policies suitable for devices that use the stateful firewall. The Mobile Security Legacy Package contains a selection of firewall policies suitable for devices that use the old, non-stateful firewall. These built-in packages and their policies are frozen and cannot be modified. Therefore, the built-in packages must be cloned to create new packages or policies based on them, such as changing firewall rules.

Packages can be assigned and deployed to specific devices, users or user groups. This model provides flexibility in setting different security rules for different users or devices as needed. Packages are assigned and deployed to entities using the Deploy Manager.

Packages which have been deployed cannot be deleted. However, it is possible to retire packages and hide them from view. Retired packages can later be unretired, if desired.

Two types of language support are also provided: enterprise-wide support and package level support. Enterprise-wide language support allows the administrator to set up one language (Japanese, Simplified Chinese, or Traditional Chinese) in addition to English during initial setup. Package level language support allows administrators to include up to two additional languages for individual packages.

Package manager functions

Packages and policies are managed in the Package Manager:
View the properties of active and retired packages and policies.
Modify, clone, create new, delete, retire and unretire packages and policies.
Edit the name and description properties of packages and policies within a package.
View policies that are not currently part of any package.
Access Firewall and Security Policy editors.
Access the Firewall Base Rule editor.
Save an XML snapshot of a package.

Package Manager icons

Toolbar options within the Package Manager include the following:
Expand/Contract. Expand to show packages and policies, or contract to show packages only.
View Packages Grid. Open the Packages Grid.
Modify Package or Policy. Open the Policy Selector, Firewall Policy editor or Security Policy editor in modify mode.
Clone Package or Policy. Open the Policy Selector, Firewall Policy editor or Security Policy editor in clone mode (work on an independent, exact copy).
Create New Package or Policy. Open the Policy Selector, Firewall Policy editor or Security Policy editor in create new mode.
Delete Package or Policy. Deletes the selected package or policy which is not part of a package.
Refresh From Database. Refreshes the displayed information from the database.
View Retired. Toggles the display of retired packages and other policies which are retired.

Package Manager right-click menu

The Package Manager has a right-click menu which provides quick access to many of the most commonly used Package Manager functions. From the Package Manager right-click menu you can:
Modify, clone, create or delete a package.
Designate a package as the Enterprise Default Package.
Retire or Unretire a Package.
View/Hide Retired Packages and Policies.
Create New Policies and Firewall Base Rules.
Reissue Modified Deployed Packages.
Refresh from Database.

Package properties

Package properties include the following:
Package Name: The package name can be up to 100 characters long and can contain alphanumeric characters, underscores, internal space, dash, front slash, colon and comma characters. Package names must be unique, but the name can be changed. Changing the name does not constitute a critical change to the package.
Package Description: Package description contains notes or comments related to the package. Changing the package description does not constitute a critical change to the package.
Last Modified Date: The read-only date and time the package was last modified.
Last Deployed Date: The read-only date and time the package was last deployed.
Deploy State: The state of deployment for the package. One of five deploy states applies to a package.
Pre-deploy: The package has never been deployed.
Deploy Staged: The package deploy process has been initiated but is not yet complete.
Deployed: The deploy process is complete.
Failed: There was an error in the deploy and the deploy process did not complete successfully.

Reissue Required: The package has been flagged for reissue. It needs to be reissued to every device which has previously received it.
Lock State: The Mobile Security Stateful Default is the only locked package. All other packages are modifiable.
Deploy Revision: Each time a previously deployed package is critically modified and then reissued or deployed, its deploy revision number is incremented. In addition, an automatic XML snapshot of the package is taken which records the state of the package down to the rule level. This provides a complete audit trail for each revision.
Active or Retired status: Indicates if the selected package has been retired. Packages can be retired and unretired.

Note: Although the Mobile Security Stateful Default is locked and cannot be modified, it can be retired and hidden from view if desired.

In the following procedure, if there are any retired packages and a check is placed in the View Retired checkbox, you will be able to see retired packages displayed below the Retired Packages icon. The Enterprise Default Package is displayed with a gold package icon.

To view package properties
1 From the menu select Policies > Package Manager.
2 Highlight a package.

Policy properties

The properties of a policy include:
Policy Name: The policy name can be up to 100 characters long and can contain alphanumeric characters, underscores, internal space, dash, front slash, colon and comma characters. Policy names must be unique, but the name can be changed. Changing the policy name does not constitute a critical change to the policy.
Policy Description: Policy description contains notes or comments related to the policy. Changing the policy description does not constitute a critical change to the policy.
Recommended For: This field indicates what firewall security level a firewall policy is recommended for. The field is only visible when a firewall policy has been selected.

Security Level in Package: This field indicates the firewall security level that is associated with the selected policy within the selected package.
Policy Type: Indicates if the selected policy is a firewall, security, integrity or intrusion detection policy.
Lock State: Default policies included with the Mobile Security Stateful Default are locked and cannot be modified. All other policies are modifiable.
Deploy Revision: Each time a policy is critically modified and deployed with a package its revision number increments.
Policy Retired: Indicates if the selected policy is retired. Retired policies can be unretired. Retiring a package does not retire the policies it contains.

In the following procedure, the policy properties will be displayed at the bottom in the right-hand pane of the Package Manager beneath the containing package's properties. If there are any policies that are not part of a current package, you can view those policies by clicking the Other Policies icon in the Policy Packages window.

To view policy properties
1 From the menu select Policies > Package Manager.
2 Highlight a policy.

Using the Package Manager

You first create or clone policies and then select the desired set of policies to be included in the package. Policies are selected for a package in the Policy Selector.

Opening the Package Manager

To open the Package Manager
1 From the main menu select Policies > Package Manager, or
2 Click the Package Manager icon in the toolbar, or
3 Press Ctrl+P

Only one instance of the Package Manager can be open at a time. The Package Manager is a tree view and contains two panes within the window. The left pane lists all packages; the right pane provides details of the selected package or policy and its properties.

When opened, the tree view displays the list of packages in alphabetical order by name. The packages display in a contracted state so that the policies are not visible. To view retired packages, the View Retired checkbox must be checked. Policies that are not currently part of any package may be viewed under the Other Policies icon. To view the policies within the package, click on a package name. The expanded package will display seven policy names prefixed by the following icons:

FW1: This policy contains firewall rules that correspond to the first security level on the Mobile Security Enterprise Agent, Trust No One.
FW2: This policy contains firewall rules that correspond to the second security level on the Mobile Security Enterprise Agent, Paranoid.
FW3: This policy contains firewall rules that correspond to the third security level on the Mobile Security Enterprise Agent, Cautious.
FW4: This policy contains firewall rules that correspond to the fourth security level on the Mobile Security Enterprise Agent, Trust All.
SEC: This policy contains rules that manage authentication and security settings on the Mobile Security Enterprise Agent.
INT: This policy contains Integrity Manager rules.
IDS: This policy contains Intrusion Detection rules.

Packages grid

The Packages Grid provides another view of package information in tabular format. The Packages Grid allows you to see package names, the policies within a package, package revision numbers and (optionally) policy descriptions of each policy in a package. Information about retired packages can also be displayed at the Administrator's option.

To open the packages grid
1 From the main menu select Policies > Packages Grid, or
2 Select the View Packages Grid icon from within the Package Manager.

Setting the enterprise default package

The package designated as the Enterprise Default Package can be changed at any time to reference a different, existing package.
All entities that are explicitly assigned the special value, "Enterprise Default Package" will then receive the new

package. No re-assignment of the package is necessary. It will automatically deploy to every device targeted to receive the Enterprise Default Package.

To designate a different Enterprise Default Package
1 In the left pane of the Package Manager, right-click on the desired package and select: Set as Enterprise Default Package.
2 A message will display indicating that changing the Enterprise Default Package will trigger an immediate deploy to all entities that are assigned the Enterprise Default Package. You must select Yes in order to proceed.
3 In the left-hand pane of the Package Manager the new Enterprise Default Package will display a gold package icon. The package details in the right pane will also reflect the change.

Creating, cloning, and modifying packages

There are two methods used to create a new package:
- Create a new package
- Clone a package

Note: The default IDS policy is automatically included with every package.

To create a new package
1 Select any package and click the Create New icon in the Package Manager, or select Create New Package from the Package Manager right-click menu.
2 Click on the Firewall Policies tab. You will see four dropdown selection boxes, one for each security level on the Agent interface.
3 Select the desired Firewall policy for each of the four security levels on the Agent.
4 On the Other Policies tab, select the Security and Integrity policy for the package.
5 Click Save Package when you have completed making your selections. The package will be added to the package list.

Cloning packages

Cloning allows you to use an existing package and replicate it for modification. This is useful if you want to create new packages that vary only slightly from an existing package, or that will use a similar set of rules or policies. For example, you can use the same Firewall policies but incorporate different Security policies.

To clone a package
1 Highlight an existing package in the Package Manager.
2 Click the Clone icon.
3 Modify the package name and description.
4 Complete the steps for creating a package.

Modifying packages

The Name and Description fields for each package contain noncritical information which can be changed at any time in the Package Manager or in the Policy Selector. Changing the selection of policies within a package constitutes a critical modification. When a critical change is made to a package which has been previously deployed, the Administrator will be prompted to reissue the package to all devices which received an older version of the package. When a critically modified package is subsequently deployed or reissued, an XML snapshot of the package is automatically generated for the revision.

To modify a package
1 In the Package Manager, right-click the Package to be modified, and select Modify Package.
2 In the Policy Selector, modify the package properties.
3 Modify the Selected Policies and Language Support fields as desired.
4 Select new policy sets for Firewall, Security and Integrity policies as desired. The dropdown boxes to the right of the policy name allow you to modify, clone and create new policies.
5 Click Save Package when you have finished modifying the package.

Deleting packages

Packages can be deleted if they are not locked and have never been deployed.

To delete a package
1 In the Package Manager or packages grid, highlight the selected package in the package list.
2 If you are in the Package Manager, right-click and select Delete Package or use the Delete icon.
3 If the package is not deletable, delete will be disabled or a message will display indicating that the package cannot be deleted.

4 If the package is deletable, a message will display asking you to confirm deletion of the selected package.
5 Click Yes to delete the package or No to cancel the operation.
6 If you click Yes, a message will display confirming that the package was successfully deleted.

Retiring packages

Packages can be retired. Retired packages are not deleted but are simply hidden from view at the Administrator's discretion. Retired packages cannot be assigned to entities and do not deploy.

To retire a package
1 In the Package Manager, highlight the selected package in the package list.
2 Right-click and select Retire Package. If the selected package is assigned to at least one entity for deploy, a Retire Package window will display and you must either remove all of its current assignments or change its assignments to another package.
3 Make a selection from the Reassign To: dropdown list and click OK to continue.
4 Click Yes to continue and the package will be retired.

Unretiring packages

Since retired packages are not deleted they can be unretired from the Package Manager. Unretiring a package returns the package to the list of packages available for assignment and deployment.

To unretire a package
1 In the Package Manager be sure the View Retired checkbox is selected so that you will be able to see all retired packages. Retired packages will be listed below the Retired Packages icon and will display the retired package icon.
2 Highlight the package you wish to unretire, right-click and select Unretire Package from the right-click menu.

Viewing policies that are not part of a package

You can view any saved policies that are not part of any package from the Package Manager. These policies appear in the Package Manager under the Other Policies icon.

To view the other policies that are not part of a package
1 Open the Package Manager from the main menu by selecting Policies > Package Manager, or click the Package Manager icon in the toolbar, or press Ctrl+P.
2 If in a contracted state, click the Other Policies icon in the Policy Packages pane. The Other Policies list will expand and you will be able to view all policies that are not part of any package.
3 If you click on one of the expanded policies in the Other Policies list, details about that policy will appear in the Package and Policy Details pane of the Package Manager window.

Symantec policy packages

The Mobile Security Legacy Package (Legacy Package) and the Mobile Security Stateful Default package (Stateful Default package) are provided with Symantec Mobile Security Manager. The Legacy Package is provided for those mobile devices that do not contain the stateful firewall. The Stateful Default package contains firewall policies that pertain to the stateful firewall. Both of these packages contain policies that are locked and cannot be modified. To view the firewall and security rules, use the Firewall Policy editor and Security Policy editor, respectively.

The policies within the Mobile Security Stateful Default package are described as follows:

FW1: Firewall Level 1: Deny All, Default. Blocks all inbound and outbound traffic, including desktop synchronization through ActiveSync or Windows Mobile Device Center. All blocked traffic is logged. It is assigned to the Trust No One security level on the mobile device.
FW2: Firewall Level 2: Allow HTTP/S, VPN, , ActiveSync, DHCP, FTP/S, DNS - Stateful, Paranoid Default. Is the default firewall level that is active when Norton Smartphone Security is first installed. It allows user-initiated TCP or UDP network connections, such as Web browsing and using .
DHCP, DNS name resolution, IPsec VPN traffic, FTP/FTPS file transfer, and desktop synchronization through ActiveSync or Windows Mobile Device Center are allowed. NETBIOS Datagram and NETBIOS Name Service are blocked. All allowed traffic is logged, except desktop synchronization. Blocked traffic is logged, except NETBIOS traffic. It is assigned to the Paranoid security level on the mobile device.

FW3: Firewall Level 3: Allow DHCP, Ping, ActiveSync, User-initiated TCP/UDP - Stateful, Cautious Default. Allows all user-initiated TCP and UDP connections, including desktop synchronization through ActiveSync or Windows Mobile Device Center. Allows inbound and outbound DHCP and pings for testing network connectivity. Blocks NETBIOS Datagram and NETBIOS Name Service. Allowed traffic is not logged, except for DHCP and ping. Blocked traffic is logged, except NETBIOS traffic.
FW4: Firewall Level 4: Allow All, Default. Allows all inbound and outbound traffic, and does not log events. Whatever value is set for logging will be inherited by the inbound packet. It is recommended that logging be set to Off to maintain smaller log sizes. It is assigned to the Trust All security level on the mobile device.
SEC: Security Default. Requires the mobile device user to set a four-digit numeric PIN with a minimum of two unique digits. It sets the Idle Timeout feature to five minutes with no user control, forces the device user to authenticate on power-up, and does not allow the user to reset the PIN from the authentication screen. It also allows Secure Folders to be created on storage cards, allows the user to set a Secure Folder encryption key (minimum of six characters; one alpha, one numeric), and specifies that the mobile device be wiped after 10 failed login attempts. The PIN is also set to Never Expires.
INT: Integrity Default. Monitors key system assets and logs an event if an integrity violation is detected.
IDS: IDS Default. Monitors network packets to detect LAN spoof attacks. IDS rules are statically defined within the device, and are not configurable or selectable from the Security Manager.

The policies within the Mobile Security Legacy Package are described as follows:

FW1: Firewall Level 1: Deny All, Default.
Blocks all inbound and outbound traffic, including desktop synchronization through ActiveSync or Windows Mobile Device Center. All blocked traffic is logged. It is assigned to the Trust No One security level on the mobile device.
FW2: Firewall Level 2: Pre-stateful, Paranoid Default. Allows DHCP, DNS, HTTP, HTTP Proxy (8080 and 8008), HTTPS, IPSEC NAT-T 10000, and 4500, 4502, IKE, and L2TP/IPSEC network traffic. It is assigned to the Paranoid security level on the mobile device. This policy logs all events.

FW3: Firewall Level 3: Pre-stateful, Cautious Default. Allows DHCP, DNS, HTTP, HTTP Proxy (8080 and 8008), HTTPS, POP3, SMTP, Ping, IPSEC NAT-T 10000, and 4500, 4502, IKE, and L2TP/IPSEC network traffic. It is assigned to the Cautious security level on the mobile device. This policy logs all events.
FW4: Firewall Level 4: Allow All, Default. Allows all inbound and outbound traffic, and does not log events. It is assigned to the Trust All security level on the mobile device.
SEC: Security Default. Requires the mobile device user to set a four-digit numeric PIN with a minimum of two unique digits. It also specifies that the mobile device be wiped after 10 failed login attempts. The PIN is also set to Never Expires.
INT: Integrity Default. Monitors key system assets and logs an event if an integrity violation is detected.
IDS: IDS Default. Monitors network packets to detect LAN spoof attacks. IDS rules are statically defined within the device, and are not configurable or selectable from the Security Manager.

Chapter 6 Managing policies

This chapter includes the following topics:
- About managing policies
- Modifying, cloning, and creating Firewall policies
- Creating a security policy
- Modifying security policies
- Predefined policies

About managing policies

Seven policies are contained within a policy package: four Firewall policies, one Security policy, one Integrity policy and one Intrusion Detection policy. Each policy defines specific policy rules which are enforced on the device.

Firewall and Security policies can be modified, cloned and created in their respective editors. Their rules are likewise modifiable. Integrity policies and their rules are predefined and cannot be modified. Symantec Mobile Security Manager includes two predefined Integrity policies that can be selected from within the policy selector. The Intrusion Detection policy is also predefined, but allows no administrative control. It is automatically included with every package.

Symantec Mobile Security Manager includes several predefined Firewall and Security policies that can be cloned and modified.

Policy properties

Every policy has a set of properties. To view policy properties, click on the policy name in the left-hand pane of the Package Manager. The policy properties will display in the right-hand pane.

Policy Properties:
- Policy Name
- Description
- Recommended for (Firewall only)
- Security Level in Package (Firewall only)
- Policy Type
- Lock State
- Deploy Revision
- Policy Retired

The following Policy Properties fall under the Administrator's control, except in the case of locked policies:
Policy Name: A unique name given to the policy. The policy name can be up to 100 characters long and can contain alphanumeric characters, underscores, internal space, dash, front slash, colon and comma characters.
Description: The description allows you to document pertinent information about the policy. The description can contain up to 128 characters and can contain alphanumeric characters, spaces and special characters.
Recommended For (Firewall Only): This field lets you recommend the security level for which the firewall policy would be most appropriate. However, you are not restricted to using the policy at that level.

About Firewall policies

A Firewall policy consists of one or more Firewall rules, and is created in the Firewall Policy editor. Firewall policies are defined by:
- Setting the policy properties.
- Adding firewall rules.
- Setting rule values (also known as rule customization).
- Setting the order of the rules.

About Firewall rules

The firewall is considered a stateful firewall, which allows inbound packets that are recognized as being a response to a recently sent outbound TCP or UDP packet. To be recognized as a response, the IP address, protocol, and remote port of the inbound packet must all match the corresponding values from the outbound packet. Because the firewall is stateful, it is easier to define firewall policies and to increase safety.

Rules are added to a firewall policy in two ways. The first way is to copy rule values from All Firewall Rules (Base Rules) or from another firewall policy. The second way is to create a single rule directly, by specifying rule protocol, action and port values in the Firewall Rule editor. When creating a rule directly, once the protocol, action, and ports are specified, the rule editor automatically determines the underlying base rule to which it maps. If there is no existing base rule for the port values specified, a new base rule is added automatically. Use the create new icon to create a rule for the policy directly in the Firewall Rule editor.

Firewall Rule: A filter that blocks or allows network packets through defined ports, protocols, IP ranges and direction.
Customized Firewall Rule: A firewall rule that is part of an actual firewall policy. A firewall rule in a firewall policy is an instance of a firewall base rule which has been customized with a value for event logging and severity. Additionally, an IP range can be specified for the rule, and the rule can be set to inbound only or outbound only. However, the need for uni-directional rules is not a common use case.
Firewall Base Rule: A generic firewall rule specifying standard protocols and ports upon which network traffic is blocked or allowed. Event logging, severity options and IP range are not specified in base rules.
Thus, when values from a base rule are copied to an actual firewall policy, values for logging and severity must also be specified (customization) before saving the policy. A library of Symantec-defined base rules comes with Symantec Mobile Security Manager and the administrator may also add new rules. Administrator-added base rules may be renamed by opening the Firewall Base Rule editor from the right-click menu in the Package Manager. Administrators should follow the same naming convention that Symantec uses, beginning base rule names with "Allow" or "Block". Base rules are mapped to application-defined event types which appear in the firewall logs uploaded to the Enterprise.

Protocol: Specifies the protocol for the rule. Available protocols include TCP, UDP, IP, ICMP and IGMP. Admin-added firewall base rules will be TCP or UDP only.
Remote Port: Indicates the port on the remote machine with which the device is communicating. An asterisk indicates all ports.
Local Port: Indicates the port on the device with which a remote machine is communicating. An asterisk indicates all ports.
Direction: Specifies a rule as Inbound, Outbound or Both. Most firewall rules will be Both.
IP Range: Specifies the operative IP range for the rule. The default is all IP addresses ( to ).

Modifying, cloning, and creating Firewall policies

A Firewall policy consists of several properties and one or more Firewall rules. A firewall policy is modified, cloned or created using the Firewall Policy editor.

To access the editor from the Package Manager
Right-click a firewall policy, and select Create New Policies & Rules > Firewall Policy.

To access the editor from the Policy Selector
Click the Modify, Clone or Create New button next to one of four firewall policy dropdown boxes.

Defining Firewall policy properties

The following firewall policy properties are available:
Policy Name: Edit the name of the policy.
Description: Edit the description of the policy.
Recommended For: Select the security level for which the policy is recommended. For example, if the policy rules are very restrictive and allow only minimal traffic, you may consider the policy appropriate for the "Paranoid" security level. Setting this property is informational only, and has no impact on the execution of the policy on the device.
Set to Active or Retired: New policies will normally be created as active.

Defining a stateful Firewall policy

The stateful firewall works only for TCP and UDP protocols. Traffic over any other protocol must be explicitly allowed. Any mobile device with Windows Mobile 5.1 or higher supports the stateful firewall. The Mobile Security Stateful Default package contains firewall policies designed for the stateful firewall. It can be used as is, or it can be cloned or modified.

The following example items can be set to take advantage of a stateful firewall:
Allow Ping (Direction=Both): Allows the mobile device to ping other systems and allows other systems to ping the device.
Allow All (Direction=Outbound): Allows all user-initiated TCP and UDP traffic. Whatever value is set for logging is inherited by the inbound packet. It is recommended that logging be set to Off to maintain smaller log sizes.
Allow DHCP Client (Direction=Both): Allows DHCP traffic.
Allow desktop synchronization: Specify the set of ActiveSync rules with restricted IP ranges. These rules may be copied from the application-defined policy, All ActiveSync Only, or the entire policy may be cloned. In addition, the Allow ActiveSync Sample policy may be modified or cloned. The ActiveSync rules also allow synchronization using Mobile Device Center.

Adding rules by selecting existing rules

The drop down box and the grid under "Existing Rules and Policies" found on the right side of the Firewall Policy editor can display All Firewall Rules (Base Rules) or every rule in any existing firewall policy. Toggle between All Firewall Rules and the rules in an existing policy by making a selection in the drop down box. Once the rules from the selected rule set load into the grid below the drop down box, they may be selected and copied into the new policy using the Arrow button. Details of the selected rule may be viewed by scrolling in the grid or in the small sub-window at the bottom of the policy editor.
The initial rule set displayed in the drop down is All Firewall Rules (Base Rules). Rules copied from All Firewall Rules have no defined value for logging or severity and will say "Not Set" for those values when copied into the policy. This indicates that the Administrator needs to set values before saving the policy. New base rules can be permanently added to the All Firewall Rules set. Rules copied from an existing firewall policy into the new policy inherit settings for logging, severity, IP range and direction. However, those values may not be appropriate for the new policy and may need to be changed. The easiest way to change the settings for logging and severity is to multi-select rules in the "Rules In This Policy" sub-window and use the buttons within

"Transform Selected Rows". The buttons allow the Admin to set logging On or Off and to set the severity to High, Medium, Low or None (Observational). The Admin can also multi-select rules in "Rules In This Policy" and set values by loading the Firewall Rule editor. The Firewall Rule editor also permits setting values for IP Range and rule direction as well as logging and severity.

Adding and customizing rules

To directly add a rule to the policy without first selecting an existing rule, click the "Create New" button in the toolbar. This will load the Firewall Rule editor in a special mode which allows the Admin to add a rule simply by specifying the action (Allow or Block), protocol and port values. The underlying base rule for that combination is then computed or created automatically by the rule editor. This mode is shown in figure

To modify multiple rules with the same settings for logging, severity, rule direction and IP range, multi-select the rules from the "Rules In This Policy" sub-window and click the "Modify" button in the toolbar. The Firewall Rule editor will open in modify mode and allow you to set the values for the selected rules simultaneously.

About Desktop Synchronization

The Symantec Agent Firewall blocks Desktop Synchronization by default. To create a firewall policy that allows Desktop Synchronization, you must include some or all of the following Desktop Synchronization rules. Alternately, you may assign the "Allow All" firewall policy to the Trust All security level or any other security level which should allow Desktop Synchronization. The exact number of rules required depends on the device settings. The following table lists the firewall base rule names.
Table 6-1 Firewall base rule names
Note: these are all pre-defined

Firewall Base Rule Name | Usage | Protocol | Dest Port | Source Port
Allow Desktop Synchronization HeartBeat UDP | HeartBeat | UDP | 5679 | *
Allow Desktop Synchronization HeartBeat TCP | Heartbeat | TCP | * | 5679

Table 6-1 Firewall base rule names (continued)
Note: these are all pre-defined

Firewall Base Rule Name | Usage | Protocol | Dest Port | Source Port
Allow Desktop Synchronization Wcescomm | Wcescomm | TCP | * | 7438
Allow Desktop Synchronization RNDIS DHCP Server | RNDIS DHCP | UDP | |
Allow Desktop Synchronization Rapi Request WM5 | Rapi Requests | TCP | * | 990
Allow Desktop Synchronization Rapi Request WM2003 | Rapi Requests | TCP | 990 | *
Allow Desktop Synchronization Time Server | Time Server | TCP | * | 999
Allow Desktop Synchronization Sync Info | Legacy Replication | TCP | * | 5678
Allow Desktop Synchronization Passthrough | Passthrough | TCP | * | 5721
Allow Desktop Synchronization Airsync | Airsync | TCP | * |

Creating new firewall base rules

Use the Firewall Base Rule editor to permanently add to the set All Firewall Rules (Base Rules). There are three ways to access the Firewall Base Rule editor.

- From the Package Manager, right-click and select Create New Policies & Rules > Firewall Base Rule. If not currently editing a Firewall Policy, you will also be allowed to rename Admin-defined base rules in addition to creating new ones.
- Click the Create New Firewall Base Rule button from the Firewall Policy editor.
- Click the Create New Firewall Base Rule button from the Firewall Rule editor while creating a firewall rule directly, as described above.

To create new firewall base rules
1 Open the Firewall Base Rule editor.
2 Select the underlying event type for the rule which will determine the protocol, either TCP or UDP.
3 Set port values for either the inbound or outbound packet direction. The other direction will automatically fill in.
4 Name the rule. Allow rules should begin with "Allow", block rules should begin with "Block". Rules can be renamed later, but not while editing a firewall policy.
5 Save the rule. A prompt will display asking if you wish to save another base rule. If currently editing a policy, the newly saved base rule will appear in "All Firewall Rules (Base Rules)" and will be available to be copied into the policy.

Customizing rules

When rules have been added to the new policy by copying from "All Firewall Rules (Base Rules)" or from an existing policy, they may need to have values set or changed for logging, severity, IP range and direction. This process is referred to as customization. Customization includes:
- Setting the logging option on the rule
- Setting the severity level on the rule
- Setting an IP range that the rule applies to
- Setting the direction of the rule

Note: Logs can grow to considerable size on the device when the Logging Option is set to On. If you set Logging to On, every packet allowed on Port 80 would be recorded as an event in the Event Log. Carefully consider the events you want to track before setting this option.
The Mobile Security Manager will automatically warn you if logging for the Allow All rule is set to On.

To customize rules that have been added to the policy
1 Select the rules in the "Rules In This Policy" sub-window. The selected rules will be customized together.
2 If you only need to set values for logging and severity, use the buttons found in "Transform Selected Rules". If you need to set additional values then proceed to step 3.
3 Click the modify button in the toolbar to load the Firewall Rule editor.
4 In the Firewall Rule editor set controls as desired for logging, severity, IP range and direction. Click save. The selected rules in "Rules In This Policy" will refresh to display the new values.

Setting the order of Firewall rules and deleting rules

Firewalls are order dependent. The firewall matches rules to detected events in the order in which they appear in the policy (i.e. from sequence number 1 to the final sequence number). When an event matches a firewall rule, the firewall takes the appropriate action immediately, and does not consider rules which occur later in the sequence. Therefore, you may need to adjust the order of your rules for optimum protection. For instance, if you added "Allow All" as the first rule in your policy, the firewall would always match that rule, and no subsequent rule would ever match.

Use the toolbar found in "Transform Selected Rules" to change the order of the rules or delete rules in your firewall policy. Delete is also available from the right-click menu.

Note: The special, terminating rule, Deny All, is automatically added to every firewall policy as the last rule (i.e. the rule with the highest sequence number). Deny All should appear only once in the policy and should always be the last rule in the set. The Policy editor itself will enforce this.
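The first-match ordering described above, together with the stateful response matching from "About Firewall rules", can be modelled in a few lines to audit a rule order before it is deployed. This is an added example, not Symantec code: the rule names, UDP port 137 for NETBIOS Name Service, and the IP addresses are constructed, and checking the flow table before the rule list with no flow expiry is an assumption of this model.

```python
from dataclasses import dataclass

ANY = "*"  # the guide uses an asterisk to mean "all ports"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "Allow" or "Block"
    protocol: str             # "TCP", "UDP", "ICMP", ... or ANY
    remote_port: str = ANY
    local_port: str = ANY
    direction: str = "Both"   # "Inbound", "Outbound" or "Both"

@dataclass(frozen=True)
class Packet:
    direction: str            # "Inbound" or "Outbound"
    protocol: str
    remote_ip: str
    remote_port: int
    local_port: int

# Terminating rule that the guide says is added last to every policy.
DENY_ALL = Rule("Deny All", "Block", ANY)

def field_covers(rule_value, value):
    """A rule field covers a value if it is the wildcard or an exact match."""
    return rule_value == ANY or str(rule_value) == str(value)

def rule_matches(rule, pkt):
    return (rule.direction in ("Both", pkt.direction)
            and field_covers(rule.protocol, pkt.protocol)
            and field_covers(rule.remote_port, pkt.remote_port)
            and field_covers(rule.local_port, pkt.local_port))

def rule_covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`."""
    return (earlier.direction in ("Both", later.direction)
            and all(field_covers(getattr(earlier, f), getattr(later, f))
                    for f in ("protocol", "remote_port", "local_port")))

def find_shadowed(rules):
    """Return (shadowed, shadowing) name pairs for rules that can never match.

    Only shadowing by a single earlier rule is detected, not by a union of rules.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules) + [DENY_ALL]   # Deny All is always last
        self.flows = set()                      # allowed outbound TCP/UDP flows

    def decide(self, pkt):
        """Return (action, reason) for one packet using first-match semantics."""
        key = (pkt.remote_ip, pkt.protocol, pkt.remote_port)
        stateful = pkt.protocol in ("TCP", "UDP")
        # Inbound response: IP address, protocol and remote port must all match.
        if stateful and pkt.direction == "Inbound" and key in self.flows:
            return ("Allow", "stateful response")
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if stateful and pkt.direction == "Outbound" and rule.action == "Allow":
                    self.flows.add(key)
                return (rule.action, rule.name)

# Constructed sample policies (assumed names and ports, for illustration only).
NETBIOS = Rule("Block NETBIOS Name Service", "Block", "UDP", remote_port="137")
ORDERED = [NETBIOS, Rule("Allow All", "Allow", ANY, direction="Outbound")]
MISORDERED = [Rule("Allow All", "Allow", ANY), NETBIOS]

if __name__ == "__main__":
    print("shadowed in ORDERED:   ", find_shadowed(ORDERED))
    print("shadowed in MISORDERED:", find_shadowed(MISORDERED))
    fw = Firewall(ORDERED)
    for pkt in (Packet("Outbound", "TCP", "192.0.2.10", 443, 50000),
                Packet("Inbound", "TCP", "192.0.2.10", 443, 50000),
                Packet("Inbound", "TCP", "198.51.100.7", 443, 50000)):
        print(pkt.direction, pkt.remote_ip, pkt.remote_port, "->", fw.decide(pkt))
```

Running `find_shadowed` over a policy before saving it flags any Block rule placed after a broader Allow rule, which is the misordering the guide warns about.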
Creating a security policy

The Security policy specifies the settings for basic authentication (PIN or password); blocking of various device features; the behavior of the device when it is idle; device PIN or password reset by device user; and how the Symantec software handles encrypted folders. There is also an optional feature which permits encrypted folders created on device storage cards to be decrypted by an Enterprise security administrator.

The Symantec Mobile Security Manager administrator establishes the authentication parameters to which the user must adhere when defining the device PIN or password requirements. The Security policy is enforced on the device when the Policy Package has been deployed and picked up by the device. The device user has the flexibility to define any PIN or password within the guidelines of the Security policy rules.

Note: A default Security policy is enforced immediately upon installation of the Mobile Security Enterprise Agent software, unless a custom policy overrides it at the time of installation. The default rules enforce a four-digit PIN that must contain at least two unique digits.

Security policy rules are defined in the Security Policy editor which contains three tabs:
General PIN and Password: This tab sets general authentication rules.
PIN: This tab sets parameters for PIN authentication.
Password: This tab sets parameters for password authentication.
Storage Card Recovery: This tab allows the Enterprise security administrator to set a storage card recovery key and specify the Enterprise-wide recovery key policy.

To create a Security policy
1 In the right pane of the Package Manager right-click and select Create Policies & Rules > Security Policy. The Security Policy editor will display.
2 Enter a policy name and description.
3 Set the rules in each of the tabs. A description of each rule follows, along with minimum, maximum and default values (where applicable).
4 Click Save when you have completed the policy. The new Security policy will be created.

General PIN and password settings

The General PIN and Password tab is the first tab in the Security Policy editor. These rules set the device authentication type and action taken on failed login attempts. A definition of each setting follows.

Authentication Type: Required field. Allows you to select the authentication policy type to enforce on the device. Options: Numeric PIN or Alphanumeric Password.
Reenter Delay: Defines the time delay, in seconds, to invoke next password prompt after an invalid authentication attempt. Default value is 0 (zero). Minimum value is 0 (zero). Maximum value is 120.
Successive Delay Increment: Defines the incremental time delay, in seconds, to invoke password prompt after each invalid authentication attempt. Default value is 0 (zero). Minimum value is 0 (zero). Maximum value is 120.
Maximum Failures Allowed: Defines the maximum number of failed login attempts allowed before the Failure policy is invoked (see below). Default value is 10. Minimum value is 3. Maximum value is 20.
Failure Policy: Defines the action to be taken if the password or PIN is entered incorrectly beyond the Maximum Failure attempts allowed. Default value is Device Wipe. This value is fixed and cannot be edited.
Logging Options: Defines the logging action for authentication events. Default value is Log Authentication Successes and Log Authentication Failures. You can use the checkboxes to log just authentication successes, just authentication failures, both authentication successes and authentication failures, or leave both checkboxes empty to turn logging off.

PIN settings

PIN settings are defined in the PIN tab. This tab is only active if Numeric PIN is selected as the Authentication Type in the General PIN and Password tab. A definition of each setting follows.

PIN Minimum Length: Sets the minimum length for the PIN. Default value is 4. Minimum value is 4. Maximum value is 16.
PIN Minimum Unique Digits: Sets the minimum number of unique digits within the PIN. Default value is 2. Minimum value is 2. Maximum value cannot exceed PIN Minimum Length of 16.
PIN Maximum Age: Sets the maximum number, in days, after which the PIN will expire. The device user will be required to enter a new PIN. Default value is 0 (zero), which indicates that the PIN never expires. Minimum value with expiration is 1. Maximum value is 255.
Remember Previous PINs: Remembers the last eight PINs entered and prevents the user from resetting the PIN to the eight previously used PINs.

Password settings

Password settings are defined in the Password tab. This tab is only available if Alphanumeric Password is selected as the authentication type in the General PIN and Password tab. A definition of each setting follows.

Password Minimum Length: Sets the minimum length for the Password. Default value is 7. Minimum value is 4. Maximum value is 32.
Password Minimum Numeric Characters: Sets the minimum number of numeric characters required within the Password. Default value is 1. Minimum value is 1. Maximum value 30, or cannot exceed Password length when combined with other rules.

Password Minimum Alphabetic Characters: Sets the minimum number of alpha characters required within the Password. Default value is 1. Minimum value is 1. Maximum value 31, or cannot exceed Password length when combined with other composition rules.
Password Mixed Case Required: When checked, sets the requirement to include both uppercase and lowercase characters within the Password. Default value is unchecked.
Password Minimum Special Characters: Sets the minimum number of special characters required within the Password. Default value is 0 (zero). Minimum value is 0 (zero). Maximum value cannot exceed Password length when combined with other composition rules.
Password Maximum Age (Days): Sets the maximum number, in days, after which the Password will expire. The device user will be required to enter a new Password. Default value is 0 (zero), which indicates that the PIN never expires. Minimum value is 0. Maximum value is 255.
Remember Previous Passwords: Automatically set to remember the last eight passwords. This setting is designed to prevent device users from re-setting the password to one of the eight most recently used passwords.

Device feature blocking

Policies may be set to block various device features. Before the new blocking policy takes effect a soft reset may be necessary on the device. When this soft reset occurs is also controlled by policy. Any combination of the following features can be blocked:
Speaker and Wired Headphones
Microphone
Infrared (IR)

USB
Camera
Bluetooth
Add-on Storage Cards
ActiveSync
Block SMS/MMS

Soft Reset Policy options:
Reset immediately after blocking policy is applied
Warn user, reset after delay (delay interval is also specified)
Inform user, but do not reset

Idle timeout

Both an idle timeout interval and the behavior of the device upon authentication are controlled by policy. The timeout interval can vary from one minute to one day, and the policy specifies whether the device user is allowed to reset the interval to some other value.

Resetting the encryption key

Allowing the device user to reset his own password by answering one or more questions is controlled by policy. The encryption key reset rule specifies whether the reset feature is allowed, and, if allowed, the number of questions which must be correctly answered to reset the password. The value ranges from 1 to 8 questions. In addition, a minimum answer length is also specified. The minimum answer length ranges from 6 to 12 characters.

Secure folders

Allowing secure folders on storage cards is controlled by policy. The choices are:
Allow secure folders
Do not allow secure folders
Allow folders only with a storage card recovery key

In addition, authentication for secure folders is controlled by policy. The choices are identical to the choices for basic authentication (PIN or Password), except that the default length for password is 6 characters rather than 7.

Modifying security policies

Security policies, except for the Security Default policy, can be modified. If you modify a policy, it will be automatically modified in all Policy Packages that contain it. If you make a critical change to a Security Policy which has been previously deployed, you will be prompted to reissue all the Packages which contain it.

To modify a security policy
1 Open the Package Manager window.
2 Expand a Package that contains the policy you want to modify.
3 Right-click directly on the Security policy and select Modify Policy or Clone Policy. The modify option will not be available if the policy is locked.
4 Make the necessary changes in the Security Policy editor. See the section, Creating a Security Policy, for a description of each setting.
5 Click Save.

Predefined policies

Symantec Mobile Security Manager includes a number of predefined policies that can be used as templates. Some of these policies are included in the Default Package installed with the Agent. Predefined policies include the following:

Allow All: This policy allows all network traffic into and out of the device. It is typically assigned to the Trust All security level on the device.
Allow HTTP/HTTPS Only: This policy allows HTTP or HTTPS network traffic into and out of the device.
Allow HTTP/HTTPS, POP3 Only: This policy allows HTTP, HTTPS or POP3 network traffic into and out of the device.
Allow HTTP/HTTPS, POP3, SMTP Only: This policy allows HTTP, HTTPS, POP3 or SMTP network traffic into and out of the device.

Firewall Level 1 Default: Deny All, Default. Blocks all inbound and outbound traffic, including desktop synchronization through ActiveSync or Windows Mobile Device Center. All blocked traffic is logged. It is assigned to the Trust No One security level on the mobile device.
Firewall Level 2 Default: Allow HTTP/S, VPN, , ActiveSync, DHCP, FTP/S, DNS - Stateful, Paranoid Default. Is the default firewall level that is active when Norton Smartphone Security is first installed. It allows user-initiated TCP or UDP network connections, such as Web browsing and using . DHCP, DNS name resolution, IPsec VPN traffic, FTP/FTPS file transfer, and desktop synchronization through ActiveSync or Windows Mobile Device Center are allowed. NETBIOS Datagram and NETBIOS Name Service are blocked. All allowed traffic is logged, except desktop synchronization. Blocked traffic is logged, except NETBIOS traffic. It is assigned to the Paranoid security level on the mobile device.
Firewall Level 3 Default: Allow DHCP, Ping, ActiveSync, User-initiated TCP/UDP - Stateful, Cautious Default. Allows all user-initiated TCP and UDP connections, including desktop synchronization through ActiveSync or Windows Mobile Device Center. Allows inbound and outbound DHCP and pings for testing network connectivity. Blocks NETBIOS Datagram and NETBIOS Name Service. Allowed traffic is not logged, except for DHCP and ping. Blocked traffic is logged, except NETBIOS traffic.
Firewall Level 4 Default: Allow All, Default. Allows all inbound and outbound traffic, and does not log events. Whatever value set for logging will be inherited by the inbound packet. It is recommended that logging be set to Off to maintain smaller log sizes. It is assigned to the Trust All security level on the mobile device.

Integrity Manager policies include the following:
Integrity Default. This policy monitors key system assets and logs an event if an integrity violation is detected. This policy is included in the Default Package.
Tamper Protection - Core. This policy monitors key system assets. If an integrity violation is detected, an event will be logged and the device will be quarantined.

Security Policies include the following:

Security Default. This policy sets the requirement for the Device user to set a four-digit numeric PIN, with a minimum of two unique digits. This policy will wipe the Device after ten failed attempts, and it does not expire. This policy is included in the Default Package.
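The setting ranges from "Creating a security policy" and the Security Default rules above can be checked mechanically. The following Python code is an added example, not Symantec code: it validates a policy against the documented ranges, checks a candidate PIN or password, and counts how many PINs a policy admits. The class and field names are assumptions, as is reading "cannot exceed Password length when combined with other composition rules" as a sum check against the minimum length.

```python
from dataclasses import dataclass
from math import comb

HISTORY_DEPTH = 8  # guide: the last eight PINs or passwords are remembered


@dataclass
class PinPolicy:                # field names are assumptions
    min_length: int = 4         # guide: default 4, range 4-16
    min_unique_digits: int = 2  # guide: default 2, minimum 2
    max_age_days: int = 0       # guide: 0 = never expires, maximum 255
    max_failures: int = 10      # guide: default 10, range 3-20


@dataclass
class PasswordPolicy:           # field names are assumptions
    min_length: int = 7         # guide: default 7, range 4-32
    min_numeric: int = 1        # guide: default 1, range 1-30
    min_alpha: int = 1          # guide: default 1, range 1-31
    min_special: int = 0        # guide: default 0
    mixed_case: bool = False    # guide: unchecked by default


def _range_error(name, value, low, high):
    return [] if low <= value <= high else [f"{name}={value} is outside {low}-{high}"]


def validate_pin_policy(p):
    """Return the problems with the policy itself (empty list = valid)."""
    errors = (_range_error("min_length", p.min_length, 4, 16)
              + _range_error("max_age_days", p.max_age_days, 0, 255)
              + _range_error("max_failures", p.max_failures, 3, 20))
    if p.min_unique_digits < 2:
        errors.append("min_unique_digits is below the documented minimum of 2")
    if p.min_unique_digits > p.min_length:
        errors.append("min_unique_digits exceeds min_length")
    if p.min_unique_digits > 10:
        # Not stated in the guide: only ten distinct digits exist.
        errors.append("min_unique_digits above 10 can never be satisfied")
    return errors


def validate_password_policy(p):
    """Return the problems with the policy itself (empty list = valid)."""
    errors = (_range_error("min_length", p.min_length, 4, 32)
              + _range_error("min_numeric", p.min_numeric, 1, 30)
              + _range_error("min_alpha", p.min_alpha, 1, 31))
    if p.min_special < 0:
        errors.append("min_special is below 0")
    # Assumed reading of the guide: the required counts must fit in min_length.
    required = p.min_numeric + p.min_alpha + p.min_special
    if required > p.min_length:
        errors.append(f"composition rules need {required} characters, "
                      f"min_length is {p.min_length}")
    return errors


def check_pin(pin, policy, previous=()):
    """Return the reasons a candidate PIN is rejected (empty list = accepted)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    reasons = []
    if len(pin) < policy.min_length:
        reasons.append("PIN is shorter than the minimum length")
    if len(set(pin)) < policy.min_unique_digits:
        reasons.append("PIN has too few unique digits")
    if pin in list(previous)[-HISTORY_DEPTH:]:
        reasons.append("PIN matches one of the last eight PINs")
    return reasons


def check_password(password, policy, previous=()):
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    numeric = sum(c.isdigit() for c in password)
    alpha = sum(c.isalpha() for c in password)
    special = len(password) - numeric - alpha  # assumption: everything else
    reasons = []
    if len(password) < policy.min_length:
        reasons.append("password is shorter than the minimum length")
    if numeric < policy.min_numeric:
        reasons.append("too few numeric characters")
    if alpha < policy.min_alpha:
        reasons.append("too few alphabetic characters")
    if special < policy.min_special:
        reasons.append("too few special characters")
    if policy.mixed_case and not (any(c.islower() for c in password)
                                  and any(c.isupper() for c in password)):
        reasons.append("both uppercase and lowercase characters are required")
    if password in list(previous)[-HISTORY_DEPTH:]:
        reasons.append("password matches one of the last eight passwords")
    return reasons


def pin_guess_space(policy):
    """Count the PINs of exactly min_length digits that the policy accepts."""
    length, total = policy.min_length, 0
    for distinct in range(policy.min_unique_digits, min(length, 10) + 1):
        # Inclusion-exclusion: strings of `length` using all `distinct` digits.
        onto = sum((-1) ** i * comb(distinct, i) * (distinct - i) ** length
                   for i in range(distinct + 1))
        total += comb(10, distinct) * onto
    return total
```

For the Security Default values, `pin_guess_space` returns 9990: the two-unique-digit rule removes only the ten PINs made of a single repeated digit.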


Chapter 7 Deploy Manager

This chapter includes the following topics:
About the Deploy Manager
About assigning a policy package

About the Deploy Manager

When the Agent software is installed on a device, a default package is enforced. This default package will either be the built-in default package (Mobile Security Stateful Default), or a package of your choosing, if one accompanies the software at install time (i.e. the package designated as the Enterprise Default Package). However, any package may be assigned and deployed to any device with complete flexibility, using the Deploy Manager.

When a package is complete, i.e., all policy rules have been defined, it is ready to be deployed. Deploying a package consists of the following steps:
Assign the package, either directly or indirectly to a device. An indirect assignment is an assignment to the user group or user which is an ancestor of the device in the deploy hierarchy.
Deploy. Deploy may be by package, or may be a selective deploy, to specific entities.

Different packages can be assigned and deployed to any User Group, User or Device. For example, you can assign packages with stricter authentication rules to individuals who carry confidential company data on their device, or you can restrict network access for individuals who find themselves in highly exposed areas, such as airports or hotels.

Packages, ultimately, are deployed only to active devices eligible to receive a new package. The Administrator can deploy to all eligible devices with one click, deploy one or more of the packages that are assigned to eligible devices, or deploy to a selection of entities. When deploying to a selection of entities or previewing entities that have been selected to receive a package, the selection limit is 500 entities. However, you can carry out multiple deployments or you can deploy to an entity such as user groups that may include many more than 500 devices.

In the Deploy Manager you can do the following:
Select packages to assign to User Groups, Users, and Devices
Assign different packages to selected User Groups, Users and Devices
Preview aggregate information about entities that are eligible for deploy and packages ready for Deploy
Preview detailed information about User Groups, Users and Devices that are eligible for deploy
Preview package inheritance information prior to deploy
Use right-click menus for each entity type to assign and deploy packages
Use the Deploy All button to Deploy to all eligible Devices with a single click
Use Reissue Modified Deployed Packages, available from the right-click menu in the left pane of the Deploy Manager, to update all the package files that have been critically modified since the last deploy or reissue.
Deploy to selected User Groups, Users and Devices
Retrieve Aggregate and Detailed Information about the most recently completed Deploy

There are two ways to open the Deploy Manager window:
From Symantec Mobile Security Manager, click the Deploy Manager toolbar icon, or
In the Symantec Mobile Security Manager menu, click Policies > Deploy Manager

About assigning a policy package

The Deploy Manager allows great flexibility in assigning packages to entities. Packages can be assigned to a broad base such as a user group, or they can be targeted to specific entities such as a group of devices or even a single device. Once entities and packages have been created the next step is to assign the package. Assignment of the packages must take place before they can be deployed.

From within the Deploy Manager, the package assignment process consists of three steps depicted in the following Figure:

Packages can be assigned to User Groups, Users, or Devices. This allows flexibility in deploying packages to the desired entity level.

Packages can also be assigned through the Entity Manager when adding or modifying entities. Once an Add or Modify Entity window has been opened, simply select from the available packages listed in the Assigned Package dropdown menu, and click the Save button, saving the modified entity. In this method, the first two steps described above are switched.

Assigned and deployed packages

All entities begin with "Default Package" as the deployed package when they are added to the database. Any subsequent packages that are associated with an entity are categorized either as assigned or deployed. The Assigned Package is the package that is assigned for deployment to the User Group, User, or Device. The Deployed Package is the package that was most recently deployed to the User Group, User, or Device from the Enterprise. When a new package is deployed to an entity, the deployed package value is updated.

Policy package inheritance

Policy package assignments follow a hierarchical structure that is aligned with entity relationships. Entities are structured in parent-child relationships where User Groups are parents to Users, and Users are parents to Devices. The inheritance model gives precedence to the most particular package assignment. This allows a child entity's assignment to override the entity assignment of its parent or grandparent. Therefore, a package assigned to a device takes precedence over a package assigned to the device's user; and a package assigned to a device's user takes precedence over a package assigned to the user's user group.

To help clarify this important distinction, consider a hypothetical situation in which a single user has two devices. Assume that one device is only used in the more secure environment of the home office, while the second device is sometimes used in less secure environments, such as in an airport or hotel. An Enterprise administrator might decide to assign and deploy a more secure package to the device that is sometimes used outside of the home office. Since the user has a parent relationship with the two child devices, a package deployed to the user will be prevented from overriding a package specially deployed to a child device. The converse is also true. If a new package is deployed to a child device, it will override a package that the device inherited from a parent entity.

When assigning and deploying a package to an entity:
The most common way to assign and deploy a package is to assign and deploy a package to a user group. When this is done, the assigned package will be deployed to all members of the user group, except those users or devices which have their own package assignments. Those users and devices will receive their own packages.
A package assigned to a parent entity will be deployed to all child entities, unless those child entities have their own package assignments. In that case, the more specific child packages override the parent's assigned packages.
The assign and deploy hierarchy is structured so that when a relationship exists, User Groups are parents to users and devices, and users are parents to devices.
The Deploy Manager can be used to assign and deploy multiple packages to different entities.
Both the Deploy Manager and the Entity Manager can be used to assign a single package to a single entity.

Assigning policy packages with the Deploy Manager

The Deploy Manager provides a powerful set of tools for assigning packages to multiple entities. You can also use the Deploy Manager to preview information about assigned packages or to review information about assigned and deployed packages in a grid or summary format. The assignment process consists of first selecting the package you wish to assign, and then selecting the entity or entities you want to assign that package to.

Note: You can assign packages to or remove package assignments from up to 1,000 entities of a specific entity type at a time.
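The inheritance rules under "Policy package inheritance" above amount to a nearest-ancestor lookup. The following Python code is an added example, not Symantec code: it resolves which package each device under a user group receives and from which entity the assignment comes. The class, the function names, the sample entities and the package names are constructed, and treating a device as eligible when its resolved package differs from its deployed package is a modelling assumption.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class Entity:
    name: str
    kind: str                          # "group", "user" or "device"
    parent: Optional["Entity"] = None
    assigned: Optional[str] = None     # package assigned directly to this entity
    deployed: str = "Default Package"  # guide: every entity starts with this
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_assignment(entity):
    """Walk device -> user -> user group; the most specific assignment wins.

    Returns (package, name of the entity that carries the assignment),
    or (None, None) when nothing in the chain has an assignment.
    """
    node = entity
    while node is not None:
        if node.assigned is not None:
            return node.assigned, node.name
        node = node.parent
    return None, None


def devices_under(entity):
    """All devices at or below an entity in the deploy hierarchy."""
    if entity.kind == "device":
        return [entity]
    found = []
    for child in entity.children:
        found.extend(devices_under(child))
    return found


def find(root, name):
    """Look an entity up by name below root (helper for the sample data)."""
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def deploy_plan(target):
    """Map each eligible device under target to (package, assignment source).

    Assumption: a device is eligible when its resolved package differs from
    the package most recently deployed to it.
    """
    plan = {}
    for device in devices_under(target):
        package, source = effective_assignment(device)
        if package is not None and package != device.deployed:
            plan[device.name] = (package, source)
    return plan


def deploy(target):
    """Apply the plan: update the deployed package of each eligible device."""
    plan = deploy_plan(target)
    for device in devices_under(target):
        if device.name in plan:
            device.deployed = plan[device.name][0]
    return plan


def sample_hierarchy():
    """Constructed sample: one user group, two users, three devices."""
    sales = Entity("Sales", "group", assigned="Standard")
    alice = Entity("alice", "user", parent=sales)
    bob = Entity("bob", "user", parent=sales, assigned="Restricted Network")
    Entity("alice-office", "device", parent=alice)
    Entity("alice-travel", "device", parent=alice, assigned="Strict")
    Entity("bob-phone", "device", parent=bob)
    return sales


if __name__ == "__main__":
    group = sample_hierarchy()
    for device, (package, source) in sorted(deploy(group).items()):
        print(f"{device}: {package} (assigned on {source})")
```

Assigning a new package to the user alice afterwards makes only alice-office eligible again, because alice-travel keeps its own device-level assignment.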
To select a package to Assign from the Deploy Manager window
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 Choose the package you wish to assign from the Select Package to Assign: dropdown menu.
3 From the Deploy View frame on the left side of the Deploy Manager window, select the entity type to which you would like to assign the selected package, or
4 From the Assign and Deploy pane, click an entity or entities to which you would like to assign the selected package.
5 Click Assign Package when you are satisfied with the choices made, or
6 Right-click in the device information display area and select Assign Package to Selected.

Note: If prior to deployment you decide you want to remove an assigned package from an entity, highlight that entity and click the Remove Package button in the Deploy Manager window, or right-click on the entity and select Remove Package from Selected.

Assigning packages from the Entity Manager

A package can be assigned through the Entity Manager when individual entities are added or modified. To assign a package in the Entity Manager, you must first open the desired Add or Modify entity window.

To access the appropriate Add or Modify entity window
1 Access the Entity Manager: grid view or tree view window by clicking one of the Entity Manager's toolbar icons: tree view, User Groups, Users, or Linked Devices.
2 From either the Entity Manager: grid view or the Entity Manager: tree view window, right-click and select Add Entity or Modify Entity from the available menu to open the appropriate window.
3 In the Add or Modify Entity window, select from the available packages in the Assigned Package dropdown menu, and click Save. The package you select will be viewable in the Assigned Package column of the Deploy Manager.

Viewing information in the Deploy Manager

The Deploy Manager allows you to view aggregate and detailed information about entities, assigned and deployed packages, and package inheritance. For example, if the View Deploy Summary checkbox is selected, the Deploy Summary tab will appear. If you click the Deploy Summary tab and select an entity category in the Deploy View pane, aggregate information about User Groups and Users with devices eligible for deploy, and packages ready for deploy will display.

When a deployment is completed, the Load Last Deploy Result button is enabled. Click Load Last Deploy Result to review details of the most recent package deployment, including package inheritance information.

If you click the Assign and Deploy Grids tab, two radio buttons are enabled: Show all <Entity> and Show all <Entity> eligible for Deploy. The radio buttons will display the indicated information for User Groups, Users or Devices, according to the entity selected in the Deploy View pane.

In the Deploy View pane, if you click User Groups, Users, or Devices, there is a counter at the base of the Deploy Manager window. If you double-click in the counter, the counter will toggle between displaying entities that are Eligible for Deploy and a display showing the total number of all active User Groups, Users and Devices. The same row also shows what package has been selected as the Enterprise Default Package and the number of entities that have been selected in the Show All <Entity> window.

If at least one entity type is eligible for deploy, the tree view icon will appear in the Deploy View pane next to the text, Entities eligible for Deploy. If you click Entities eligible for Deploy, you can click to drill down through the listed categories, and information about the entity level that you select will display in the Deploy Summary pane. In the following example, since a specific Device ID was selected in the Deploy View pane, information about the selected device and all parent entities associated with that device appears in the Deploy Summary pane.

If you click Packages in the Deploy View pane, and click the Assign and Deploy Grids tab in the Grids and Summary pane, information about packages targeting devices eligible for deploy will display, including package name, package last deploy date, package revision and package status.

The Mobile Security Stateful Default is the only locked package. All other packages are modifiable. Default policies included with the Mobile Security Stateful Default are locked and cannot be modified. All other policies are modifiable.

If an attempt to deploy a package fails, that information appears in the Package State column. Information associated with a failed deployment is accessible from Symantec Mobile Security Manager by clicking Admin Tools > Package History.

Removing package assignments

Prior to deployment, a package assignment can easily be removed from an entity. Change the assignment via the right-click menu or via the Modify <Entity> window in Entity Manager by selecting a new package from the Assigned Package dropdown menu and selecting None.

If prior to deployment you decide you want to remove an assigned package from an entity, highlight that entity and click the Remove Package button in the Deploy Manager window, or right-click on the entity and select Remove Package from Selected from the right-click menu.

To remove a package
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 In the Deploy View pane, click User Groups, Users, Devices or one of the entities listed under Entities eligible for Deploy so that the entity level with the package you wish to remove appears in the Assigned Package column of the Assigned and Deployed Grids tab display.
Note: Clicking the Show Devices eligible for deploy radio button in the Assign and Remove Grids tab window will limit the displayed list of devices to just the devices that are eligible for deploy.
3 Click to select the entity or entities with the assigned package that you wish to remove.
4 Click the Remove Package button or right-click in the Assign and Deploy Grids tab display and select Remove Package from Selected.

Note: If you remove an assigned package from an entity, devices hierarchically below that entity may no longer be eligible to receive a package and may no longer be shown in the grid or the tree view.

About deploying packages

Packages are deployed from the Deploy Manager. From the Deploy Manager you can:
Deploy all assigned packages with a single click
Deploy to all eligible with a single click
Deploy selected packages (with reissue)
Reissue selected packages
Deploy to up to 500 selected entities of a given entity type

The Deploy All option is used when you want to simultaneously deploy all assigned packages.

The option to Deploy to a selected Entity or Entities is used when you want to target specific entities for deploy, e.g., ensure that specific Users, User Groups or Devices receive a specifically assigned package.

Note: The selection of an entity or entities to target with a package is handled during the package assignment process covered earlier in this section. The rules of package inheritance, also discussed earlier in this section, determine which package takes precedence for each target entity according to a parent-child hierarchy.

When a package is successfully deployed, the following package properties are updated:
Deploy Date: The deploy date is updated to reflect the date and time of deployment.
Deploy State: The deploy state is updated from Assigned or Pre-deployed to Deployed. A deploy state of Deployed indicates that the package was packaged and is ready for download.

Additional deploy information is displayed in the Package History window, which is accessible from the Admin Tools menu. See the Admin Tools section for more information on Package history.

Deploying all assigned packages simultaneously

You can simultaneously deploy all assigned packages.

To deploy all assigned packages
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 Click the Deploy All button near the top of the Deploy Manager window.
3 A Deploy All confirmation will open. Click Yes to deploy all assigned packages. The deployment will be executed and the Deploy All (Complete Deploy to all Eligible Devices) window will open.

Note: Deploying a package by package, including "Deploy All", always includes reissuing the package. There is never a deploy of a package without a simultaneous reissuing of the package to all devices which need the latest revision of the package.

Deploying packages to selected entities

Deploying to entities allows you to target specific User Groups, Users or Devices for deploy. Deploying to entities is useful when you want to target specific entities, deploy to an individual entity, or deploy to all the children of a parent entity. For example, if a new User is added to an existing User Group, and the assigned package for that User Group has already been deployed, you can isolate deployment to the new User or to that User's Devices.

Note: The selection of an entity or entities to target with a package is handled during the package assignment process.

To deploy a package to selected entities
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 In the Deploy View pane, click to select the entity type to which you want to deploy a package.
3 If you want to deploy assigned packages to only some of the members of the entity type you selected in the Deploy View pane, Ctrl-click in the Assign and Deploy Grids pane to select those specific entities.
4 Click the Deploy to Selected <Entity> button in the Assign and Deploy Grids tab or right-click in the Assign and Deploy Grids tab window and select Deploy to Selected <Entity>.
5 You will be prompted with the question, Deploy to selected <Entity> now? Click Yes. The package will deploy and the Results window will open.

Deploying by package

When a package has been assigned and targets devices that have not already received the package, then those devices are eligible to receive the package in a deployment. If a previously deployed package has been critically modified, then the devices which received it previously need the latest revision of the package. Providing the latest revision of the package to those devices is known as reissuing the package. The Administrator can view the state of all packages with respect to eligibility and need for reissue in the Deploy Manager, Packages View. From Packages View, the Admin can select packages and reissue (only), or can deploy packages (with reissue).

Note: Deploying a package by package always includes reissuing the package. There is never a deployment of a package without a simultaneous reissuing of the package to all devices which need the latest revision of the package.

To deploy or reissue modified packages by package from the Deploy Manager:
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 In the left-hand pane under "Deploy View", click the Packages icon.
3 In the right-hand pane, in the packages grid select the packages that you wish to deploy or reissue. The status column in the grid will indicate whether the package targets devices eligible for deploy, the package needs to be reissued, or both.
4 To deploy the selected packages (with reissue) click the "Deploy, with Reissue Modified" button or select "Deploy Selected Packages" in the right-click menu. To reissue packages that have been modified since the last deploy, without also deploying them to eligible users, click the button, "Reissue Modified (Only)".
5 A message will display listing the package or packages that will be deployed or reissued. Click Yes to close the message and execute the deploy or the reissue.

Reissuing modified deployed packages

The Administrator can use the right-click menu under "Deploy View" to reissue all packages which have been critically modified since their last deploy. Executing this command is identical to selecting "Reissue Modified Deployed Packages" from the main menu under "Policies". After executing this command, every device which needs the latest revision of its deployed package will receive the latest revision.

To reissue all modified deployed packages from the Deploy Manager:
1 From Symantec Mobile Security Manager, click Policies > Deploy Manager.
2 Right-click in the left-hand pane under "Deploy View" and select "Reissue Modified Deployed Packages".
3 A confirmation window will appear. Click "Yes" and the reissue will begin.

Tracking package event history

When a deployment is executed, Symantec Mobile Security Manager records events that reflect the state of the package deployment. This information can be accessed from Symantec Mobile Security Manager by clicking Admin Tools > Package History.


Chapter 8 Viewing, reporting, and charting events

This chapter includes the following topics:
About viewing, reporting, and charting events
About the Reports Manager
Charts Manager

About viewing, reporting, and charting events

Symantec Mobile Security Manager includes reporting capabilities that can be customized by the administrator. Frequently occurring events are spotted with charts and statistical reports. Detailed Event Logs can be viewed or exported for additional data mining.

Three operator-configurable reporting tools are provided:
Event View Manager: Use the Event View Manager to view and export Event Log details.
Reports Manager: Use the Reports Manager to view and export event statistics.
Charts Manager: Use the Charts Manager to view and print events in bar chart format.

The administrator can customize reports, charts, and event views with easy-to-use filters. Customized report specifications and event views can be saved for subsequent use.

About event logs
Event Logs are created by the Agent and capture key firewall, integrity and security events on the device. Event Logs are transferred directly from the Agent to Symantec Mobile Security Manager via the Mobile Connect feature. Event Logs are stored in the Symantec Mobile Security Manager database where they can be accessed for reporting or exported to other reporting software for additional data manipulation. Event Logs for registered, Active Devices are loaded into the Symantec Mobile Security Manager database. Event Logs for Pending, Rejected, or Inactive Devices are held on the system but are not loaded into the database until the device is Active.

About the Event View Manager
The Event View Manager lets you create views of Event Log data based on operator-defined parameters. View specifications can be saved and used again to produce result sets within the defined parameters. The Event View Manager provides options to select categories of data, sort the result set and export the result set to a file. An Event View result set is displayed in a separate window in grid format with one event per row. Details about each event are listed.

Creating, modifying, and deleting event view specifications
This section contains instructions on how to manage views. The Event Views, Reports and Charts window will open to the Event View Manager. In the main Event View form you can:
- Create a new view specification
- Save a view specification
- Delete a view specification
- Load a view specification
- Sort existing view specifications
- Set view parameters

The top section of the Event View Manager window contains the saved event view specifications. The bottom section contains functions for managing views, and configurable parameters for an event view, e.g., category and date range filters.

You must first create a view specification and set parameters before loading the result set for the viewing. The result set is displayed in a separate window.

To open the Event View Manager
Click the Event View Manager icon from the Symantec Mobile Security Manager main toolbar.

Creating event view specifications
You can create an event view specification. The view specification will be added to the list in alphabetical order by name. The view specification can now be loaded or directly exported to a file by using the right-click menu.

To create a new event view
1 Click the Create New View button in the Event View Manager. A default name NewEventView_1 will display in the name field.
2 Enter a Name (required) and Description (optional) for the Event View specification.
3 From the Category dropdown select the type of events to display. You can select Firewall events, Integrity events, Security events, or Agent Events, All Categories.
4 In the Page Size text box enter the number of records to display for each page. This is the number of records that will display on one screen. The default page size is 5000 records; minimum is
5 Select a Sort field from the dropdown list on which to sort the data. The choice of sort fields depends on the category selected (see Loading Events section below for more information). The data can be sorted in either Ascending or Descending order.
6 Specify a date range. Choose either the Use Relative Date Range or Use Absolute Date Range option.
7 For the relative date range, select a value from the dropdown list. For the absolute date range, specify a starting and ending date and time. You can use the dropdown to view a calendar or manually modify the values in the field.
8 Select the severity levels to include in the view. Click the checkboxes to include desired severity.
9 Click the Save View button.
Modifying event view specifications
You can modify any parameter for an event view specification (see note below). Modifications can be made to a saved or unsaved specification. If you are working on a specification and have not yet saved it, you can adjust the parameters as needed.

Note: The category parameter cannot be modified for a saved event view specification.

You can modify event view parameters in the main Event View Manager window or in the result set of the loaded event view. However, the category parameter cannot be modified from the result window. By default, the parameters are hidden when the window first displays. The default setting for hiding and showing parameters in the result set can be changed in the Admin Tools form.

To modify parameters for a saved event view specification
1 Click on the event view specification to be modified.
2 Change the parameter settings.
3 Click Save.
4 You will be prompted to overwrite the saved event view specification with the new parameters.
5 Click Yes to save the new parameters.

To modify parameters from the displayed result set
1 If the parameter controls are hidden, click the Show Parameters button.
2 The parameter controls will display in the bottom of the window.
3 Change the parameter settings as desired.
4 If you want to change the category, go to the main event view window and select a new category (unsaved Views only).
5 Click Reload View to display the new list of events. The new events will display, or a message will display indicating no new events were detected.
6 You can save the modified event view specification by clicking the Save button. The event view specification will save with the new events, or a message will display indicating that no new events were detected.

Deleting event view specifications
You can delete event view specifications.

To delete an event view specification
1 Highlight the desired view from the list of event views.
2 Click Delete View.

Loading events
The Load View button will load events based on selected parameters. These events will be loaded into a window separate from the main Event View tab, as shown in the following Figure. This window represents the result set of the view parameters. We will refer to this window as the Event View Results to distinguish it from the main Event View Manager window.

In the Event View Results window you can:
- Sort and group data by column headers
- Display and modify view parameters
- Reload the view result
- Save the view
- Export the event view result to a tab delimited file
- Navigate in multiple pages of a view result

Depending on the category selected for the view, different columns of data will display. Table 8-1 describes the category column headers.

Table 8-1 Category Column Headers

Event category: Agent Events, All Categories
Result set: Firewall, Integrity and Security events.
Columns: Date, Device ID, Event Name, Event Type, Severity, Time, User

Event category: Firewall Events
Result set: Firewall events
Columns: Attacker IP Address, Attacker MAC Address, Attacker Port, Attack Protocol, Date, Device ID, Event Name, Severity, Service, Time, User, Victim IP Address, Victim MAC Address, Victim Port

Event category: Integrity Events
Result set: Integrity Manager events.
Columns: Date, Device ID, Event Name, Severity, Target Object, Time, User

Event category: Security Events
Result set: Security events.
Columns: Date, Device ID, Event Name, Package, Severity, Time, User, Version

The events will display in the result window with a title of Event View: <Event View Name>. The sort sequence is listed. The number of events in the result set is displayed in the status bar. If the number of events in the result set exceeds the number of events specified in the page size, events will display on more than one page. To view a different page of events, enter the desired page number in the page text box then click Go.

To load an event view
1 Select an existing event view from the list or create a new view.
2 Click Load View from the main Event View Manager form.

Grouping and sorting the event view results
Events displayed in the event view result window can be sorted and grouped by column header if the number of pages does not exceed one.

Note: If the results display in more than one page and you want to sort or group data, increase the number of records for page size in the parameter settings, then reload the event view.

To sort the events in the list by column click the desired column header. The events will display in ascending or descending order. To group the events by column header, click and drag the desired column header to the gray area above the columns. The example in the following Figure shows the events grouped by the User column. You can group by multiple columns. You can expand and contract the list of events for each grouping by clicking the plus or minus sign next to the grouping. To ungroup the columns, click and drag the column headers back to their original location.

Searching event view results
In addition to grouping and sorting event data, the event view result window includes a search function to locate specific data.

To find data in the result set
1 With the cursor in the result set window, select Find in Grid from the right-click menu.
2 Select the data to find by choosing a column from the dropdown list next to Find Next. The list of columns will vary based on the category specified in the parameters.
3 Select a search logic, e.g., Is Equal To or Contains.
4 Enter a value in the Value1 field, e.g., "login".
5 Select the search direction by clicking the Search Down or Search Up buttons.
6 Click Find. The next record that meets the search criteria will be highlighted. If no matching results are found, a message displays.

Exporting event logs
You may need to view, aggregate or manipulate Event Log data outside of Symantec Mobile Security Manager. Events can be exported through the Event View Manager to a tab-delimited file. The file format is fixed and cannot be customized. Event data will be saved in a file with an extension of .tab. The data does not contain quotes. Column headers will appear in the file in the same order as they display in the Event View window. If you are exporting from the main Event View Manager form, then the default field order is used. Each event category has specific data associated with it. See the Category Column Headers Table above.

To create an export file
1 Open the Event View Manager and specify the view parameters.
2 Select the view.
3 Select Immediate Export to File (no view) from the right-click menu to export the result set without first viewing it.
4 Click Load View if you want to display the result set before you export.
5 Click Export. A message will prompt you to confirm the export.
6 Click Yes.
7 Navigate to the location where the file will be saved.
8 Enter a file name in the File Name field.
9 Click Save.
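Working with an exported .tab file outside the console, as an added example (not Symantec's code): the parser reads columns by header name, because the export follows the on-screen column order, and sets aside rows whose field count does not match the header instead of misaligning them. The sample rows, the `read_export` and `top_attackers` names, and the assumption that the header is the first line of the file are this example's own.

```python
import csv
import io
from collections import Counter

# Columns the summary needs; all three are listed for Firewall Events in Table 8-1.
REQUIRED = ("Attacker IP Address", "Severity", "Device ID")

# Constructed sample, not real product output. Assumptions: the header is the
# first line; dates, times, severities, users and event names are invented.
HEADER = ["Date", "Time", "Device ID", "User", "Event Name", "Severity",
          "Attacker IP Address", "Attack Protocol", "Victim Port"]
ROWS = [
    ["2008-03-01", "09:15:02", "DEV-001", "jjohnson", "Port Scan", "High", "192.0.2.10", "TCP", "22"],
    ["2008-03-01", "09:15:09", "DEV-002", "asmith", "Port Scan", "High", "192.0.2.10", "TCP", "22"],
    ["2008-03-01", "10:02:44", "DEV-001", "jjohnson", "Blocked Connection", "Low", "192.0.2.77", "UDP", "53"],
    ["2008-03-02", "11:30:00", "DEV-003", "bwong", "Port Scan", "High", "192.0.2.10", "TCP", "80"],
    ["2008-03-02", "11:31:17", "DEV-003", "bwong", "Blocked Connection", "Medium", "192.0.2.77", "UDP", "53"],
    # A stray tab inside a value splits it into two fields (10 instead of 9).
    ["2008-03-02", "12:00:00", "DEV-002", "asmith", "Port", "Scan", "High", "192.0.2.10", "TCP", "22"],
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"


def read_export(stream, required=REQUIRED):
    """Parse a tab-delimited export into dicts keyed by column header.

    Returns (rows, rejected); rejected holds (line_number, fields) for every
    line whose field count differs from the header's.
    """
    # The export contains no quoting, so quote characters are ordinary data.
    reader = csv.reader(stream, delimiter="\t", quoting=csv.QUOTE_NONE)
    header = next(reader, None)
    if not header:
        raise ValueError("export is empty")
    header = [name.strip() for name in header]
    missing = [name for name in required if name not in header]
    if missing:
        raise ValueError("export lacks columns: " + ", ".join(missing))

    rows, rejected = [], []
    for fields in reader:
        if not fields:                      # blank line
            continue
        if len(fields) != len(header):      # would shift every later column
            rejected.append((reader.line_num, fields))
            continue
        rows.append(dict(zip(header, fields)))
    return rows, rejected


def top_attackers(rows, severity=None, limit=5):
    """Return (attacker_ip, event_count, distinct_devices), most frequent first."""
    counts = Counter()
    devices = {}
    for row in rows:
        if severity is not None and row["Severity"] != severity:
            continue
        ip = row["Attacker IP Address"]
        counts[ip] += 1
        devices.setdefault(ip, set()).add(row["Device ID"])
    return [(ip, n, len(devices[ip])) for ip, n in counts.most_common(limit)]


if __name__ == "__main__":
    events, bad = read_export(io.StringIO(SAMPLE_EXPORT))
    for ip, n, devs in top_attackers(events):
        print(f"{ip}\t{n} events\t{devs} devices")
    for line_no, fields in bad:
        print(f"line {line_no}: expected {len(HEADER)} fields, got {len(fields)}")
```
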

Deleting events
Events can be permanently deleted from the Enterprise database using the Event View Manager or a loaded Event View. The deleted events are archived to a tab delimited file.

To delete events
1 Open the Event View Manager and set the controls to specify the events that you want to delete. Optional, but recommended, click the button Load View to preview the events to be deleted in a loaded event view. Load View may also be selected from the right-click menu.
2 If the preview is satisfactory, begin the delete by clicking the button Delete Events and Archive to File.
3 A final warning is issued, exactly specifying the events you are deleting. Click Yes to continue. The delete is based on the state of the controls in the loaded Event View or the Event View Manager at the time of the delete.
4 A dialog box to save the archive file will load with an automatically generated, self-describing name. Click Save.
5 The Events are deleted from the database and archived to the specified file.

About the Reports Manager
The Reports Manager lets you create, run and export statistical data about events based on operator-defined parameters. Reports can be saved and used again to produce result sets within the defined parameters. The report can be run ad hoc or saved to a report specification for future use. Several predefined reports are installed with Symantec Mobile Security Manager. You can run these at any time or modify them to create custom reports. For purposes of explanation, reports are referred to in terms of the report specification, which includes the report parameters, and the report, which is the result set.

To access the Reports Manager
1 Click the Reports Manager icon, or
2 Select Reports > Reports Manager from the main menu, or
3 Press Ctrl + R.
The Reports, Charts and Event Views window will open to the Reports Manager tab.

Report specifications
Report specifications are listed in the top section of the Reports Manager window. The second section of the tab displays report parameters along with functions to run, save, create and delete reports. When a new report specification is created and saved, it will be added to the list. The result set will reflect the most recent data in the database at the time the report is run. The specification can be locked so that further modifications cannot be made. This means that the parameters of the report cannot be changed.

Report parameters allow you to customize and refine your report results within the Reports Manager. The report parameters you can define include:
- Report name
- Report description
- Event category
- Date range
- Sort
- Filters

To view the report parameters for an existing report, click on the desired report in the list. The current parameters for that report will be displayed in the Set Report Parameters section of the window.

Creating reports
You can create, modify, and save a report with the parameters you define. Once saved, the report can be run again. You can also print and export reports.

To create a new report
1 Click the Create New Report button. The Set Report Parameters section will clear and NewReport_1 will display as the default report name.
2 In the Report Name field enter a new name for the report.
3 Select a category from the dropdown list and choose the event type on which the report will be run.
4 Select either the Use Relative Date Range or Use Absolute Date Range option and set the desired dates.

5 Click the checkbox under Show to activate the subcategory parameters. You can choose up to three subcategories within the report.
6 Select the # of Records from the dropdown list.
7 Select First, Second, and/or Third Level Subcategory from the dropdown list.
8 If you want to sort the report by frequency, i.e., the occurrences of events for selected categories and subcategories, click the Sort on Frequency option.
9 Click the Add Filters button to add more data filters.
10 Click the Save Report button to save this report for future use. The report name will display in the report specifications list.
11 Click the Run Report button to run the report. The report will display in a separate window.

Modifying reports
Operator-defined reports that are not locked can be modified. If you attempt to modify a locked report, a copy of the report will be created. The predefined reports are locked by default and cannot be unlocked.

To modify an existing operator-defined report
1 Select the report you want to modify from the report specification list.
2 Unlock the report if it is locked by removing the checkmark next to Locked.
3 Change the parameter settings as desired. If you change the parameter settings for a locked report, the report will be copied and _Copy[n] will display as the report name.
4 Click the Save Report button. The new report name will display in the report specifications list.
5 Click the Run Report button. The report results will display in a separate window.

Using the filter form
The filter form allows you to add more data filters by including or excluding data. You can set filters for the following fields:
- Severity
- User Name
- User Group
- Device ID
- Device Type

Two options are provided for filtering the data in each of the above fields:
- Include. Select the include option to return data for events that contain the selected values, and exclude data for all other items in the list.
- Exclude. Select the exclude option to not return data for events that contain the selected values, and include data for all other items in the list.

Selected options for this report are:
- Include high severity events.
- Include the first four Device types on the list.
- Exclude the accounting and sales User Groups

The report results will include: Events with a high severity level that belong to one of the four device types selected if the event occurred on a device that belongs to someone in the IT, management, or new User Groups, i.e., not in the accounting or sales User Groups.

When you use include or exclude, these filters function like an AND condition. Therefore, when you select more than one filter, you are indicating that all filters must be true to return a result set. By choosing the wrong combination of filters, you may inadvertently exclude data you intended to include, or vice-versa.

For instance, consider the following example: You have decided to run a report that lists all events for User Jill Johnson or for User Group IT. In the filters form you specify:
User Name: Include option with Johnson selected from the list
AND
User Group: Include option with IT selected from the list.

When you run the report, the result set is empty. The reason is that Jill Johnson is in the Management group, which you excluded by choosing to include only the IT group. Choosing to include only Jill Johnson excluded all other Users from any group, therefore, no data displayed. In other words, you excluded all other Users when you chose to include only Jill, but you also excluded Jill by excluding her User Group.
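The include/exclude behaviour described above, modelled as an added example (not the product's code or query logic): an event is returned only when every filter holds, which reproduces the empty Jill Johnson report. The event records, device type names and the `Filter`, `run_report` and `union_reports` helpers are constructed for illustration; merging two separately run reports is shown only to make visible what an OR would have returned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One row of the filter form: a field, Include or Exclude, and the ticked values."""
    field: str
    mode: str          # "include" or "exclude"
    values: frozenset

    def __post_init__(self):
        if self.mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")

    def matches(self, event):
        selected = event[self.field] in self.values
        return selected if self.mode == "include" else not selected


def run_report(events, filters):
    """Return events for which ALL filters are true (the AND condition)."""
    return [e for e in events if all(f.matches(e) for f in filters)]


def union_reports(*result_sets):
    """Merge several result sets, keeping each event once, in first-seen order."""
    seen, merged = set(), []
    for result in result_sets:
        for event in result:
            if event["id"] not in seen:
                seen.add(event["id"])
                merged.append(event)
    return merged


# Constructed events; user, group, severity and device type values are invented.
EVENTS = [
    {"id": 1, "User Name": "Johnson", "User Group": "Management", "Severity": "High", "Device Type": "DeviceType1"},
    {"id": 2, "User Name": "Lee", "User Group": "IT", "Severity": "High", "Device Type": "DeviceType2"},
    {"id": 3, "User Name": "Patel", "User Group": "Accounting", "Severity": "High", "Device Type": "DeviceType1"},
    {"id": 4, "User Name": "Lee", "User Group": "IT", "Severity": "Low", "Device Type": "DeviceType5"},
    {"id": 5, "User Name": "Gomez", "User Group": "Sales", "Severity": "Medium", "Device Type": "DeviceType3"},
    {"id": 6, "User Name": "Johnson", "User Group": "Management", "Severity": "Low", "Device Type": "DeviceType5"},
]

ONLY_JOHNSON = Filter("User Name", "include", frozenset({"Johnson"}))
ONLY_IT = Filter("User Group", "include", frozenset({"IT"}))

# First example in the text: high severity, first four device types,
# accounting and sales groups excluded.
FIRST_EXAMPLE = [
    Filter("Severity", "include", frozenset({"High"})),
    Filter("Device Type", "include",
           frozenset({"DeviceType1", "DeviceType2", "DeviceType3", "DeviceType4"})),
    Filter("User Group", "exclude", frozenset({"Accounting", "Sales"})),
]


def ids(result):
    return [e["id"] for e in result]


if __name__ == "__main__":
    print("first example:", ids(run_report(EVENTS, FIRST_EXAMPLE)))
    print("Johnson AND IT:", ids(run_report(EVENTS, [ONLY_JOHNSON, ONLY_IT])))
    print("Johnson OR IT:", ids(union_reports(run_report(EVENTS, [ONLY_JOHNSON]),
                                              run_report(EVENTS, [ONLY_IT]))))
```
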
To add filters to your reports
1 Click the Add Filters button from the Reports Manager form. The Filter form displays.
2 Click to Include or Exclude from each of the five available filters.
3 Click the specific values you want to include or exclude.
4 Click OK.
5 Click the Modify Filters button if you want to change report filter settings.

Printing and exporting reports
When you run a report, the results will display in a separate window. From within this window you can print a report, and/or export and save the report in any of the following formats:
- PDF
- Text File
- HTML
- RTF

To print a report
1 Click the Run Report button from the Reports Manager.
2 The report results will display in a separate window.
3 Click the print button from the main toolbar.
4 Follow the directions in your printer interface to print the report.

To export a report
1 Click the Run Report button from the Reports Manager. The report results will display in a separate window.
2 Click the PDF Export, Text File Export, or HTML or RTF Export buttons.
3 Choose a location and name for the report in the Save As form and click Save.

Locking reports
Locking a report prevents the parameters of the report from being modified. Only User-defined reports can be locked and unlocked.

To lock a report
1 Select the report you want to lock in the reports specification list.
2 Check the Locked option in the parameters section. You will be asked if you want to save the report.
3 The report will not be locked until you choose the Save option.
4 Click Yes. This saves the parameters and filters applied to the report.
5 Check the locked option to remove the checkmark and unlock a report.

Deleting reports
Report specifications can be deleted if they are not locked.

To delete a report
1 Select the report you want to delete in the reports specification list.
2 Click the Delete Report button. You will be asked to confirm the deletion.
3 Click Yes.

Charts Manager
The Charts Manager displays events in a graphical report. Three predefined charts are provided. You can specify a date filter for the result set. The charts will display the top twenty event types based on frequency.

Note: You must be running Internet Explorer 5.5 or later to view charts in the Charts Manager.

Running charts
Run a chart by using the Charts Manager.

To open the Charts Manager
1 Select Reports > Charts Manager from the main menu.
2 On the Charts Manager tab, select the chart you want to run.
3 Set the date parameters. You can enter a relative date or specific date range.
4 Click the Display Chart button.

Saving charts
Charts can be saved in bitmap (bmp) or jpeg (jpg) format.

To save a chart
1 Select File > Save As.
2 Specify a location to save the file.
3 Specify a file name and choose a file type.
4 Click Save.


Chapter 9 Admin tools

This chapter includes the following topics:
- About administrator tools
- Devices
- Preferences
- Agent configuration file
- Help Desk users

About administrator tools
Symantec Mobile Security Manager provides tools and auditing capabilities for administrators. Within the Admin Tools window, the Administrator can perform the following functions:
- View the number of devices in the Enterprise
- Set Enterprise preferences
- Create a new Agent Configuration File
- Enter or Update the IP Address or Fully Qualified Domain Name of the Symantec Mobile Security Manager server
- Enter or Update the SSL Port
- Manage authorized help desk users
- View Upload history
- View Package history
- View a report of devices that have not communicated with Symantec Mobile Security Manager within a defined date range
- Manage Symantec Mobile Security Manager services and database

Devices
The Devices tab of the Admin Tools window provides a summary view of all devices associated with Symantec Mobile Security Manager.

To open the Devices tab
From Symantec Mobile Security Manager, select Admin Tools.

Device statistics
All devices associated with Symantec Mobile Security Manager fall into one of two main categories: Linked or Unlinked. Each of these categories contains sub-categories to further classify the devices. The License and Devices tab displays a total device count for each of these categories, as well as their sub-categories. The View buttons next to Total Linked and Total Unlinked open the Entity Manager from which you can manage all devices.

Linked devices
Devices are considered Linked if they are associated to a specific User in Symantec Mobile Security Manager. Linked Devices can also be classified into the following categories:
- Active: Active Devices can fully communicate with Symantec Mobile Security Manager. Policy Packages can be assigned and deployed to Active Devices, and their Event Logs can be uploaded and processed. Only Active Devices count against the license.
- Suspended: If an Active Device becomes lost, stolen, quarantined, or is suspect for any reason, it may become necessary to temporarily prevent the device from communicating with Symantec Mobile Security Manager. Suspended Devices are Linked, but cannot receive Policy Packages. Event Logs can upload from Suspended Devices; however the logs will not be processed until the device is returned to an Active state.
- Rejected: Rejected Devices are linked to a User, but have been prevented from communicating with Symantec Mobile Security Manager by the administrator. Rejected Devices cannot receive Policy Packages, and their uploaded Event Logs cannot be processed.
- Pending: Pending Devices are linked to a User, but are awaiting manual approval from the Symantec Mobile Security Manager administrator. Policy Packages cannot be assigned or deployed to Pending Devices. Event Logs can be uploaded but will not be processed until the device becomes Active.

Unlinked devices
If the owner's for a device is missing or does not match the of a User in Symantec Mobile Security Manager, the device will not be associated with a User and will remain Unlinked. Unlinked Devices cannot receive Policy Packages, nor upload log files. Administrators can also set Unlinked Devices to a Device State of rejected.

Preferences
The Preferences tab of the Admin Tools window provides user interface controls and options for establishing the behavior of Auto-Linking and Newly Activated devices. From the Preferences tab you can also determine if the control panel will be visible when loading Event Views, and if alternating row background colors will be visible in grids that can display them. You can also select an Enterprise-wide default language for Policy Packages.

To set Preferences
1 From the main menu click Admin Tools > Preferences.
2 Check or uncheck the boxes to set the following preferences:

Start Auto-linking Devices as Active: Place a checkmark in this box to allow Auto-Linking devices to start as Active. Uncheck the box to start the devices as Pending. The default setting is checked.

Automatically deploy to newly activated devices: Place a checkmark in this box to enable the most recently assigned Policy Package to be automatically deployed to newly activated devices. The default setting is checked.

Hide the control panel when loading Event Views: Place a checkmark in this box to hide the control panel within an Event View when event records are loaded. If left unchecked, the control panel will display with each loaded view. The default setting is checked. You may also show and hide these parameters from the loaded Event View.

Show grid colors: Un-checking the Show Grid Colors checkbox removes the alternating row background colors from the grids that display them. This includes the Entity Manager grids, the Reports and Charts grids, and the Packages grids. Removing the alternating row background colors improves the display quality on certain terminal emulators such as Windows Remote Desktop. Some windows maintain grid information in files. If the preference is changed while these windows are open, the administrator may have to click the Restore Grid to Default toolbar icon or button in the displayed window to effect the change.

Hide the storage card recovery feature: Hide the storage card recovery feature in the Security Policy editor. Only customers who need the special ability to decrypt Symantec secure folders on external storage cards will uncheck this preference. For more information on the storage card recovery feature, contact your Symantec sales representative.

Default language for Policy Packages: English is included as a default language in every Policy Package. The Default Language for Policy Packages allows you to select an Enterprise-wide default language in addition to English for inclusion in all Policy Packages. Changing the Enterprise-wide default language can cause an automatic reissue of every deployed package. If you make a selection that changes the Enterprise-wide default language, you receive a message to confirm the change. Selecting Yes causes an automatic reissue of all previously deployed Policy Packages to support the new language. A message also displays to indicate if the reissue was successful.

Agent configuration file
The Mobile Connect feature allows devices to connect directly to Symantec Mobile Security Manager server. When using the Mobile Connect feature, devices with Agent software installed communicate directly with Symantec Mobile Security Manager. In order to implement the Mobile Connect feature you must create an Agent Configuration File that establishes the parameters to be used for communication between the Agent and Symantec Mobile Security Manager.

To generate a new Agent Configuration File
1 From the main menu click Admin Tools > Agent Configuration File.
2 Enter values for all parameters. Parameters are defined in the Agent Configuration File Parameters table.
Note: You will experience enhanced network efficiency if the same time interval is used for both Check for Packages and Upload Logs settings.
3 Click the Save Agent Configuration File button. A new Agent Configuration File is created and will be included in all subsequent packages deployed to a device.

Table 9-1 Agent Configuration File Parameters

Setting: Allow/Do Not Allow Mobile Connect
Description: Click the desired option to allow or not allow devices with Agent software installed to communicate directly with Symantec Mobile Security Manager. Note: The Do Not Allow Mobile Connect option should only be used if third party integration software will be used to transfer files to and from the device.
System default: Allow Mobile Connect

Setting: Check for Packages
Description: Enter the number and time interval, in seconds, minutes, hours or days. This setting determines when the Agent will open a connection with Symantec Mobile Security Manager to check for, and download, updated Policy Packages.
System default: 5 minutes

Setting: Upload Logs
Description: Enter the number and time interval, in seconds, minutes, hours or days. This setting determines how often the Agent will open a connection with Symantec Mobile Security Manager to upload Event Logs.
System default: 5 minutes

Setting: Sleep after Symantec Mobile Security Manager Connection Failure
Description: Enter the number and time interval, in seconds, minutes, hours or days. This setting determines how long the Agent will wait before requesting a connection with Symantec Mobile Security Manager after a connection failure has been detected. This setting overrides the setting for Check for Packages and Upload Logs.
System default: 2 minutes

Setting: Sleep after Symantec Mobile Security Manager System Failure
Description: Enter the number and time interval, in seconds, minutes, hours or days. This setting determines how long the Agent will wait before requesting a connection with Symantec Mobile Security Manager after a system failure has been detected. This setting comes into play when a network connection is successful but Symantec Mobile Security Manager is unable to service the Agent. This setting overrides the Check for Packages and Upload Logs settings.
System default: 5 minutes

Setting: Activation Date
Description: Enter the activation date and time for the Agent Configuration File. The settings within the file will become effective at this time.
System default: Current date at 12:00 AM

Setting: Expiration Date
Description: Enter the expiration date for the new Agent Configuration File.
System default: Never Expires (see below)

Setting: Never expires
Description: This option prevents the new Agent Configuration File from expiring.
System default: Always checked

Help Desk users
Symantec Mobile Security Manager provides a help desk function to support Agent users who may have lost or forgotten the password to their device. This password override function is accessed through a web browser using a secure connection to the server. Help desk users must first be authorized by the Symantec Mobile Security Manager administrator, who establishes logins for each user.

An authorized help desk user must have:
- A valid login and password
- A browser
- Network access to Symantec Mobile Security Manager

The password override feature produces a code that the Agent user enters to gain access to the device. This feature is dependent on an interactive communication session between the device user and the help desk user. The device user must obtain and enter the access code within one hour after the challenge code is displayed. Expired access codes are reported as invalid codes. The password override feature can only be used for devices that are active, i.e., have previously communicated with Symantec Mobile Security Manager.

Note: If the user enters an invalid access code, for example, the length is too short or a typo is entered, the entry is counted as an invalid login attempt. If the user exceeds the maximum allowed login attempts set by the security policy, user-defined data and applications loaded on the device will be erased.

Creating authorized users
The Help Desk Users tab of the Admin Tools window allows the administrator to define authorized help desk users. The administrator is the only person who can authorize help desk users to access the password override interface.

To add authorized help desk users
1 From the main menu click Admin Tools > Help Desk Users Authorized for Password Override.
2 Click the Add option.
3 In the New User Name field enter a help desk user name. Note that the user name can contain letters, numbers, spaces, underscores, hyphens and apostrophes.
4 In the Enter Password field enter a password. The password can contain only letters and numbers.
5 In the Reenter Password field retype the password.
6 Click Add Help Desk User. A message will display confirming the addition of the new user.
7 You can view the new user by clicking the dropdown box next to the Existing Help Desk Users field.

Modifying passwords for authorized users

To modify authorized help desk users
1 In the Help Desk Users tab of the Admin Tools window click the Modify option.
2 Select a user from the dropdown box next to the Existing Help Desk Users field.
3 In the Password field enter the new Password.
4 In the Re-type Password field reenter the new Password.
5 Click Modify Help Desk User.

Deleting authorized users

To delete authorized help desk users
1 In the Help Desk Users tab of the Admin Tools window click the Delete option.
2 In the Existing Help Desk Users field select a User from the dropdown box.
3 Click Delete Help Desk User. A message will display asking you to confirm that you want to delete this user.
4 Click Yes. View the list of users in the dropdown box to verify that the user was deleted.

Device password override process

The password override process consists of the following:
- A user forgets his device password and taps the I FORGOT button on the primary authentication (login) screen.
- The user is presented with a password override dialog screen. The screen contains a three-line challenge code, each line containing twenty numbers.
- The user then calls the organization's support line/help desk.
- An authorized help desk user starts the password override interface by entering the following URL: or Server name>:<port#>/pwoverride where IP is the IP address of Symantec Mobile Security Manager and port # is the port over which devices communicate with Symantec Mobile Security Manager. Note that the port number need only be entered if the default SSL port (443) is not used for communicating to Symantec Mobile Security Manager.
- The device user reads the challenge code to the authorized help desk user.
- The help desk user enters his login, password and the challenge code in the password override interface.
- A sixteen-digit response code is returned. The help desk user reads it to the device user.
- The device user enters the code into the dialog screen on the device and taps OK on the device to unlock it.
- The device user is then requested to set a new PIN or password based on the policy enforced.

Enterprise Help Desk user password policy

The Enterprise security administrator can set or modify an Enterprise-wide help desk user password policy. Only the administrator with responsibility for application security should use this feature.

To set or modify the enterprise help desk user password policy
1 From the main menu click Admin Tools > Help Desk Users Authorized for Password Override.
2 The administrator-configurable criteria are listed in the Enterprise Help Desk User Password Policy section of the window. Select from the available settings as described in the following table.

Table 9-2 Enterprise Help Desk User Password Policy File Parameters

SETTING: Password Minimum Length
  DESCRIPTION: Determines the required length of the enterprise help desk user password. The allowable range is from 4 to 32 characters.
  SYSTEM DEFAULT: 8 characters

SETTING: Password Minimum Numeric Characters
  DESCRIPTION: The enterprise help desk user password must have at least one numeric character. The maximum allowable number of numeric characters is 31.
  SYSTEM DEFAULT: 1 character

SETTING: Password Minimum Alphabetic Characters
  DESCRIPTION: The enterprise help desk user password must have at least one alphabetic character. The maximum allowable number of alphabetic characters is 31.
  SYSTEM DEFAULT: 1 character

SETTING: Mixed Case Required
  DESCRIPTION: If the administrator places a check in this field, the enterprise help desk user password must have at least one lower-case and one upper-case character in the password.
  SYSTEM DEFAULT: Mixed case not required

When the Enterprise administrator enters a value:
- Values go into effect immediately and are automatically saved
- Only alphanumeric characters may be used in passwords.

Upload history

The Upload History tab in the Admin Tools window provides information on successful and attempted uploads of log files to the database. Upload History displays the following types of events:
- Device activations
- Status of Event Log uploads into the database
- Upload attempts from inactive Devices

Upload History can display up to 99 days of upload activity.

To view upload history
1 From the main menu click Admin Tools > Upload History.
2 Enter the number of days of history you want to view in the Go Back (days): box.
3 Click the Refresh button to display the result set. One row will be displayed for every upload event.
4 To group the list, drag the column header you want to group by to the grayed box above the list.
5 To sort the list, click on the column headers. You can also sort on multiple columns using the group by feature.
6 To change the order of columns, drag and drop a column header to a new position.
7 You can use the Restore Grid to Default button to reset the grid back to its default column, sort, and group settings.

Each column in the grid is defined below:

Event Type
  Upload events are classified as Warning, Info, or Error.
  Upload events with a Warning event type indicate that an upload was attempted and there was a non-fatal error, e.g., Event Logs were blocked from a linked or unlinked device. Warning events are not recorded for events categorized as file. See Event Category below.
  Upload events with an Info event type are informational events, such as a successful load of an Event Log into the database.
  Upload events with an Error event type indicate that an error occurred during the upload process, e.g., an Event Log file was quarantined or rejected because there was a problem with the Event Log.

Event Date-Time
  This is the date and time the event occurred.

Event Category
  Event categories are defined as file or entity.
  Upload events with a File category provide information about Event Log file processing.
  Upload events with an Entity category provide information or warnings about entities (Devices) that are attempting to communicate with Symantec Mobile Security Manager but are not linked or are linked but blocked.

Event Class
  File Event:
  - Inserted into DB (database) indicates that the events were loaded into the database.
  - Received indicates that the file was received by Symantec Mobile Security Manager.
  - Rejected Files indicates a bad file name, the file is malformed, the file contains invalid data, or the file is from an unknown device.
  - Quarantined indicates that the Event Log file was quarantined. See the sub-class for more classifications of quarantined files.
  Entity Event:
  - Device indicates that the event was associated with a device.

Event Sub-Class
  File Event:
  - Success indicates that the Event Log was successfully received or loaded into the database.
  Entity Event:
  - Duplicate indicates that the Event Log is a duplicate of a log already received by Symantec Mobile Security Manager. This sub-class is defined for the quarantine class of a file event.
  - Key Constraint Violation indicates that invalid data was detected in the file. This sub-class is defined for the quarantine class of a file event.
  - Invalid Password indicates that the password is invalid. In most cases, this is caused by an invalid Enterprise ID.
  - Malformed indicates that the file is not in the expected format. This sub-class is defined for the quarantine class of a file event.
  - New Device detected indicates that a new device has been detected and added to the group of Unlinked Devices.
  - Violated DB Integrity indicates that invalid data was detected in the file. This sub-class is defined for the quarantine class of a file event.
  A quarantine event may be caused by a malformed or duplicate Event Log file. A duplicate Event Log file is a file that has already been processed and archived.

Device Id
  This is the Device associated with the event.

User Name
  This is the User associated with the Device at the time of the event.

File Name
  This is the file name of the Event Log file.

Package history

The Package History tab in the Administrator window allows administrators to track the status of Policy Package deployments. The overall state of a package is tracked, as well as the specific deployment of the package to a device. Since multiple devices can be targeted for deployment, the overall package status will show deployed only after every device targeted for deployment has a package ready to be picked up.

A successful Policy Package deployment cycle will show package deployment status in this order:
- Deploy Staged: the packaging process has begun
- Download Ready: the packaging process has completed
- Deployed: the package is ready to be picked up
- Confirmed: the package was received and processed on the Device

Note: The confirmed status will change when the Event Log containing that event is received at Symantec Mobile Security Manager.

For each device, a successful Policy Package deployment cycle will show deployment status in this order:
- Deploy Staged: the packaging process has begun for the particular device
- Download Ready: the packaging process has completed for the particular device
- Confirmed: the package was received and processed on the device

Note: You can view the Policy Package deployment state in the Device Entity grid.

To view Policy Package deployment history
1 From the main menu click Admin Tools > Package History.
2 Enter the number of days of history you want to view in the Go Back (days): box.
3 Click Refresh. All events within the past number of specified days will display.
4 Package deployment history is updated in real-time but you must click the Refresh button to load events that occurred since the window was opened.

5 To group data in the grid, click and drag a column header to the darker gray area above the column headings.
6 Click on the desired column header to sort in ascending or descending order. You can also sort on multiple columns using the group by feature.
7 To change the order of columns, drag and drop the column header to a new position.
8 You can use the Restore Grid to Default button to bring the grid back to its default column, sort and group settings.

Each column in the grid is defined below:

Event Type
  A package event type is classified as Warning, Info or Error.

Event Date-Time
  This is the date and time the event occurred. Different events for the same time period may get loaded at different times due to scheduling of log uploads.

Event Category
  The event category indicates whether the event was a Package, Entity, or File event.

Event Class

Package Events:
- Blank indicates that the Policy Package has been deployed.
- Common Default indicates that the default Policy Package has been deployed.
- Enterprise Package indicates that the Enterprise Default Package has been deployed to all entities that have been assigned the Enterprise Default Package.

Event-Sub Class
- Admin-initiated Change indicates that the Agent Configuration File was changed by the administrator.
- Full Deploy indicates that a Policy Package has been deployed to all eligible entities.
- Selective Deploy indicates that a Policy Package has been deployed to selected entities via the Deploy Target form.

File Events:
- Blank indicates the Policy Package is ready for download.
- Common Default indicates that the default Enterprise Default Package has been deployed.
- Compiler indicates that the Firewall policy creation failed.
- Missing indicates that an Error has occurred in assembling the policy because a file is missing.
- Rejected Files indicates that an Error has occurred in assembling the Policy Package because a file is invalid.
- Superseded indicates that this package is not the latest package deployed to a given device, so the file will not be placed in the download area.

Entity Events:
- Device indicates that the Policy Package has been confirmed.

Event Sub-Class is used for File events only and identifies whether or not an error occurred.

Package is the name of the Policy Package deployed.

Version is the version of the Policy Package deployed. The version reflects the database version from which the Policy Package was produced. The Policy Package version number is located on the first line of the package contents file on the device.

Package State
  This column indicates the status of the Policy Package deployment. Different statuses are used to describe the event for a file vs. a Policy Package.
  - Deploy Staged: This state indicates that the packaging process has begun. One event is recorded for each Policy Package in progress.
  - Download Ready: This state indicates that newly created Policy Package files are available for download. One event is recorded for each targeted device.
  - Deployed: This state indicates that newly created Policy Package files are available for download for all targeted devices. One event is recorded for each Policy Package.
  - Confirmed: This state indicates that the Policy Package has been received and becomes the effective Policy Package for that device. The confirmed status will change when the Event Log containing that event is uploaded to Symantec Mobile Security Manager. Note: It is possible for multiple confirmed events to occur as this type of event is recorded each time a device is soft reset.
  - Failed: This state is used for an Error event and indicates that the Policy Package was not deployed. Check the Event Class, Event Sub-Class and File Name columns to determine the source of the error.
  - Redeploy Required indicates the Policy Package was flagged for reissue as a result of an update to the database, or because the Agent Configuration File changed, or data changes occurred that affected the Policy Package.
  - New Enterprise Default indicates a new or different Package has been designated as the Enterprise Default. This will be followed by an automatic deploy to entities that have been assigned the "Enterprise Default" Package.

Device Id
  This is the Device to which the Policy Package was deployed.

User Name
  This is the User to which the Device is assigned at the time of the deployment.

File Name
  This is the name of the Policy Package file.
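The deployment order and Package State definitions above can be checked mechanically, for example to find devices that never confirmed a Policy Package. The following Python is an added example, not part of the Symantec guide or product; the record layout (keys time, package, version, device_id, state, file_name), the convention that device_id is None for package-level events, and every sample row are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Per-device states, in the order the guide gives for a successful cycle.
DEVICE_STATES = ("Deploy Staged", "Download Ready", "Confirmed")


def _first_seen(device_events):
    """Earliest time of each state for one device. Repeated Confirmed events
    (one per soft reset, per the guide) are expected and ignored."""
    first = {}
    for ev in device_events:  # already sorted by event time
        first.setdefault(ev["state"], ev["time"])
    return first


def audit_package_history(events):
    """Audit Package History rows (assumed layout) against the documented order."""
    findings = {"failed": [], "out_of_order": [], "unconfirmed": [],
                "premature_deployed": []}
    by_package = defaultdict(list)
    for ev in events:
        parsed = dict(ev, time=datetime.fromisoformat(ev["time"]))
        by_package[(ev["package"], ev["version"])].append(parsed)

    for key in sorted(by_package):
        # Sort by event time: the guide notes that events for the same period
        # may be loaded at different times because of log upload scheduling.
        rows = sorted(by_package[key], key=lambda e: e["time"])
        per_device = defaultdict(list)
        deployed_at = None
        for ev in rows:
            if ev["state"] == "Failed":
                findings["failed"].append(
                    (key, ev["device_id"], ev.get("file_name")))
            elif ev["device_id"] is None:
                # Package-level row; "Deployed" is recorded once per package.
                if ev["state"] == "Deployed" and deployed_at is None:
                    deployed_at = ev["time"]
            elif ev["state"] in DEVICE_STATES:
                per_device[ev["device_id"]].append(ev)

        late = []
        for device in sorted(per_device):
            first = _first_seen(per_device[device])
            staged = first.get("Deploy Staged")
            ready = first.get("Download Ready")
            confirmed = first.get("Confirmed")
            confirmed_early = confirmed is not None and (
                ready is None or confirmed < ready)
            ready_early = (staged is not None and ready is not None
                           and ready < staged)
            if confirmed_early or ready_early:
                findings["out_of_order"].append((key, device))
            if ready is not None and confirmed is None:
                # Package was offered but the device never reported it applied.
                findings["unconfirmed"].append((key, device))
            if deployed_at is not None and (ready is None or ready > deployed_at):
                late.append(device)
        if late:
            # Package showed Deployed before every targeted device was ready.
            findings["premature_deployed"].append((key, late))
    return findings


def _row(time, package, version, device_id, state, file_name=None):
    return {"time": time, "package": package, "version": version,
            "device_id": device_id, "state": state, "file_name": file_name}


# Constructed sample rows (not real product output), deliberately unsorted.
SAMPLE_EVENTS = [
    _row("2008-03-03T09:20:00", "Sales-Policy", "12", "DEV-001", "Confirmed"),
    _row("2008-03-03T09:00:00", "Sales-Policy", "12", None, "Deploy Staged"),
    _row("2008-03-03T09:01:00", "Sales-Policy", "12", "DEV-001", "Download Ready"),
    _row("2008-03-03T09:02:00", "Sales-Policy", "12", "DEV-002", "Download Ready"),
    _row("2008-03-03T09:03:00", "Sales-Policy", "12", None, "Deployed"),
    _row("2008-03-03T11:00:00", "Sales-Policy", "12", "DEV-001", "Confirmed"),
    _row("2008-03-03T10:00:00", "Field-Policy", "7", None, "Deploy Staged"),
    _row("2008-03-03T10:01:00", "Field-Policy", "7", "DEV-010", "Download Ready"),
    _row("2008-03-03T10:02:00", "Field-Policy", "7", None, "Deployed"),
    _row("2008-03-03T10:04:00", "Field-Policy", "7", "DEV-011", "Confirmed"),
    _row("2008-03-03T10:05:00", "Field-Policy", "7", "DEV-011", "Download Ready"),
    _row("2008-03-03T10:06:00", "Field-Policy", "7", "DEV-012", "Failed",
         "constructed-policy.pkg"),
    _row("2008-03-03T10:30:00", "Field-Policy", "7", "DEV-010", "Confirmed"),
]

if __name__ == "__main__":
    for finding, items in audit_package_history(SAMPLE_EVENTS).items():
        print(finding, items)
```

Devices listed under unconfirmed are the ones to compare against the AWOL Linked Devices list, since the Confirmed state only appears once the device's Event Log has been uploaded.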
Reissuing policy packages

A Policy Package will be reissued automatically, and without intervention from the administrator, when an update to Symantec Mobile Security Manager is performed. Updates to any component of the Policy Package that are system-defined (for example, updates to default rules, event types or policies) may occur during a software update and after custom Policy Packages have been deployed to Users. Changing the Agent Configuration File will also trigger a reissue of Policy Packages. When Policy Packages are reissued, the Package History is updated with an event record for each package.

Manually reissuing policy packages

The Reissue Deployed Packages option, which is accessible by clicking Policies in the main menu, allows the administrator to manually reissue all deployed Policy Packages with a single mouse click. Reissue Modified Deployed Packages reissues all critically modified deployed packages that are eligible for deploy with a single mouse click.

AWOL linked devices

The AWOL Linked Devices tab of the Admin Tools window displays a list of Users and Devices that have not communicated with Symantec Mobile Security Manager within a specified time period. The AWOL Linked Devices grid displays the User, Device Id, the last upload date and the current status of the Device.

To view the AWOL Linked Devices list
1 From the main menu click Admin Tools > AWOL Linked Devices.
2 Enter the start and end dates to review a list of Users and Devices that have not uploaded an Event Log during that time. You can click the arrows to select a date from the calendar or manually change the date and time.
3 Click View.
4 To group data in the grid, click and drag a column header to the darker gray area above the column headings.
5 To sort the list, click on the column headers. You can also sort on multiple columns using the group by feature.
6 To change the order of columns, drag and drop the column header to a new position.
7 You can return the column order to its default setting by clicking the Restore Grid to Default button.

Services Manager

The Services Manager lets you control services used by Symantec Mobile Security Manager. Generally, these services should never be shut down or Policy Package deployments and Event Log uploads will be interrupted. All services are started after installation and set to run automatically at startup. A description of each service follows.

Upload Manager: The Upload Manager controls Event Log uploads from Active Devices. This service must be running for Event Logs to be processed and loaded to the database.

Download Manager: The Download Manager controls Policy Package downloads to Active Devices. This service must be running for Policy Packages to be downloaded to the Device.

Additionally, you can attach or detach the Enterprise Database from within the Services Manager. Except for managing services, the database must be attached to perform any function within the user interface. After the initial installation, the database is not attached. When you start Symantec Mobile Security Manager, you are prompted to attach the database and select the correct database instance. Once you have attached the database, it automatically attaches upon each subsequent access to Symantec Mobile Security Manager.

The Services Manager lists Symantec Mobile Security Manager services and their current status. The square button next to each service will display a blue square if the service is running, or a blue arrow if the service is not running.

To use the Services Manager
1 From the main menu click Admin Tools > Services Manager.
2 To stop a service or detach the database, click the square next to the item.
3 To start a service or attach the database, click the arrow next to the item.
4 Use the Stop All or Start All buttons to stop or start all services simultaneously.

To change the SQL Server instance
1 Click Detach Database. After the database detaches the button captions will change to "Open MS SQL Server Instances".
2 Click Open MS SQL Server Instances to open the MS SQL Server Instances window.

3 Select the appropriate SQL Server Instance and follow the instructions on the screen about providing a path to the database file and the database log file on the machine that is hosting the instance.
4 Click Test, if desired, to test connectivity to the instance. Click Apply to bind the database to that instance. Upon success, a message will display asking if you wish to restart the Symantec services which were shut down in order to detach the database.


More information

Symantec System Recovery 2011 Management Solution Administrator's Guide

Symantec System Recovery 2011 Management Solution Administrator's Guide Symantec System Recovery 2011 Management Solution Administrator's Guide Symantec System Recovery 2011 Management Solution Administrator's Guide The software described in this book is furnished under a

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for

More information

Symantec NetBackup OpenStorage Solutions Guide for Disk

Symantec NetBackup OpenStorage Solutions Guide for Disk Symantec NetBackup OpenStorage Solutions Guide for Disk UNIX, Windows, Linux Release 7.6 Symantec NetBackup OpenStorage Solutions Guide for Disk The software described in this book is furnished under a

More information

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide The software

More information

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement

More information

Configuring Symantec AntiVirus for NetApp Storage system

Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system The software described in this book is furnished under a license agreement and may be used

More information

Symantec Secure Email Proxy Administration Guide

Symantec Secure Email Proxy Administration Guide Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo

More information

Symantec Enterprise Security Manager Modules. Release Notes

Symantec Enterprise Security Manager Modules. Release Notes Symantec Enterprise Security Manager Modules for MS SQL Server Databases Release Notes Release 4.1 for Symantec ESM 9.0.x and 10.0 For Windows 2000/2008 and Windows Server 2003 Symantec Enterprise Security

More information

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Symantec Management Platform Installation Guide. Version 7.0

Symantec Management Platform Installation Guide. Version 7.0 Symantec Management Platform Installation Guide Version 7.0 Symantec Management Platform Installation Guide The software described in this book is furnished under a license agreement and may be used only

More information

Symantec ApplicationHA agent for Internet Information Services Configuration Guide

Symantec ApplicationHA agent for Internet Information Services Configuration Guide Symantec ApplicationHA agent for Internet Information Services Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Internet Information Services Configuration Guide

More information

Altiris Asset Management Suite 7.1 from Symantec User Guide

Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and may

More information

Symantec NetBackup for Lotus Notes Administrator's Guide

Symantec NetBackup for Lotus Notes Administrator's Guide Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Symantec Enterprise Vault Technical Note

Symantec Enterprise Vault Technical Note Symantec Enterprise Vault Technical Note Configuring Internal and External WebApp URLs for OWA 2007 SP4 and later Symantec Enterprise Vault: Configuring Internal and External WebApp URLs for OWA The software

More information

Symantec AntiVirus Corporate Edition Administrator's Guide

Symantec AntiVirus Corporate Edition Administrator's Guide Symantec AntiVirus Corporate Edition Administrator's Guide Symantec AntiVirus Corporate Edition Administrator's Guide The software described in this book is furnished under a license agreement and may

More information

Symantec Event Collector 4.3 for SNARE for Windows Quick Reference

Symantec Event Collector 4.3 for SNARE for Windows Quick Reference Symantec Event Collector 4.3 for SNARE for Windows Quick Reference Symantec Event Collector for SNARE for Windows Quick Reference The software described in this book is furnished under a license agreement

More information

Symantec Protection Engine for Cloud Services 7.0 Release Notes

Symantec Protection Engine for Cloud Services 7.0 Release Notes Symantec Protection Engine for Cloud Services 7.0 Release Notes Symantec Protection Engine for Cloud Services Release Notes The software described in this book is furnished under a license agreement and

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.6 The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Windows Server 2003, Windows Server 2008 VCS Library Management Pack Veritas Cluster Server Library

More information

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.

More information

bv-control for Active Directory v8.50 User Guide

bv-control for Active Directory v8.50 User Guide bv-control for Active Directory v8.50 User Guide bv-control for Active Directory v8.50 bv-control for Active Directory User Guide The software described in this book is furnished under a license agreement

More information

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book

More information

PGP CAPS Activation Package

PGP CAPS Activation Package PGP CAPS Activation Package Administrator's Guide 9.12/10.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec Security Information Manager 4.8 User Guide

Symantec Security Information Manager 4.8 User Guide Symantec Security Information Manager 4.8 User Guide Symantec Security Information Manager User Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec Client Security Administrator's Guide

Symantec Client Security Administrator's Guide Symantec Client Security Administrator's Guide Symantec Client Security Administrator's Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Endpoint Protection Integration Component 7.5 Release Notes

Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.5 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector for Cisco PIX Quick Reference The software described in this book is furnished under a license agreement and may be used

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 12167130 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes November 2012 Veritas Operations Manager Advanced Release Notes The software described in this book is furnished under a license agreement

More information

Symantec Security Information Manager 4.5 Installation Guide

Symantec Security Information Manager 4.5 Installation Guide Symantec Security Information Manager 4.5 Installation Guide PN: 10912602 Symantec Security Information Manager 4.5 Installation Guide The software described in this book is furnished under a license agreement

More information

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 PN: 12199694 Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 The software described

More information

Symantec Endpoint Protection Small Business Edition Client Guide

Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide The software described in this book is furnished under a license agreement

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 10.0 Full Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book

More information

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is

More information

Veritas Operations Manager Release Notes. 3.0 Rolling Patch 1

Veritas Operations Manager Release Notes. 3.0 Rolling Patch 1 Veritas Operations Manager Release Notes 3.0 Rolling Patch 1 Veritas Operations Manager Release Notes The software described in this book is furnished under a license agreement and may be used only in

More information

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up Exchange Server Archiving 9.0 Symantec Enterprise Vault: Setting up Exchange Server Archiving The software described in this book is furnished under a license agreement

More information

Getting Started with Symantec Endpoint Protection

Getting Started with Symantec Endpoint Protection Getting Started with Symantec Endpoint Protection 20983668 Getting Started with Symantec Endpoint Protection The software described in this book is furnished under a license agreement and may be used only

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 13740352 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Reporting 10.0 Symantec Enterprise Vault: Reporting The software described in this book is furnished under a license agreement and may be used only in accordance with the terms

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 10.0 Light Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book

More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010/2013 Users 10.0 Light Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2010/2013 Users The software described in this book

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up Exchange Server Archiving 10.0 Symantec Enterprise Vault: Setting up Exchange Server Archiving The software described in this book is furnished under a license agreement

More information

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide The software described in this book is furnished under a license

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 9.0 Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book is furnished under a

More information

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide The software described in this book is furnished

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 11.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010 Users 9.0 Symantec Enterprise Vault: Guide for Microsoft Outlook 2010 Users The software described in this book is furnished under a license agreement

More information