Centrify Cloud Management Suite

Transcription

1 Centrify Cloud Management Suite Installation and Configuration Guide April 2013 Centrify Corporation

2 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

3 Contents About this guide 3 Intended audience Guide conventions Where to go for more information Contacting Centrify Corporation Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile 5 How Centrify for SaaS and Centrify for Mobile work What you install on your internal network What you install on your mobile devices Your tools for managing Centrify for SaaS and Centrify for Mobile The process of deploying an application Configuring Single Sign-On (SSO) User account mapping options Application types SAML SSO options Chapter 2 Installing and configuring the Centrify Cloud Management Suite 15 Requirements Supported web browsers Required Active Directory permissions Exchange server requirements Re-enrolling devices using different customer IDs Installing the Centrify Cloud Management Suite in your network Configuring the Cloud Proxy Server Configuring Centrify for Mobile Completing the Cloud Proxy Server Configuration Wizard Upgrading your proxy server Automatically updating your proxy server Installing and configuring additional proxy servers Configuring the Centrify cloud proxy server

4 Chapter 3 Configuring the cloud proxy server 30 About the Centrify cloud proxy server and configuration application Status tab Proxy Server tab Mobile Settings tab Enrollment authorization Group policy polling Management authorization The Alerts tab Logging tab Chapter 4 Setting security group policies 37 The mobile device group policies overview Using the Basic Mobile Settings Using the OS X Settings Using the Samsung KNOX Settings Using the Samsung SAFE Settings Using Touchdown Settings Enabling policies Configuring Exchange ActiveSync Settings profiles Configuring VPN settings profiles Configuring Wi-Fi Settings Creating a KNOX container Appendix A Multiple proxy installation scenario 49 Installing and configuring multiple installations for one account Appendix B Uninstalling the Centrify Cloud Management Suite 53 Appendix C Configuring silent authentication 54 Configuring silent authentication for Centrify for SaaS (an overview) Configuring Firefox to allow silent authentication Configuring Internet Explorer security zones Enabling Integrated Windows Authentication Adding a web site to the local intranet security zone Configuring Google Chrome on Windows for silent authentication Configuring Apple Safari on a Mac for silent authentication Centrify Cloud Management Suite Installation and Configuration Guide 2

5 About this guide Centrify for Mobile and Centrify for SaaS provide the tools for you to centrally secure and manage web applications and mobile devices using your existing Active Directory infrastructure. With both products, you install the Centrify Cloud Management Suite in your domain to manage communication between your Active Directory data and Centrify Cloud Services. You can use your existing Active Directory information to control and authorize user access to web applications and mobile devices. Intended audience This guide contains information for system and network administrators who are responsible for managing access to network resources, particularly access to web applications or access from outside mobile devices. It is assumed that you know the basics of using Microsoft s Active Directory and applying group policies. Active Directory is the core of authentication and authorization through Centrify for Mobile and Centrify for SaaS. If you re using Centrify for Mobile, it is also assumed that you know the basics of mobile device operation, although not much more is necessary than using a web browser and setting controls. Guide conventions This guide uses the following conventions: Fixed-width font presents sample code, program names or output, file names, and commands that you type at the command line. When italicized, the fixed-width font indicates variables. Bold text emphasizes commands, buttons, or user interface text, and introduces new terms. Italics present book titles and emphasize specific words or terms. Terms enclosed in [braces] in command syntax are optional. Where to go for more information The documentation set for Centrify for Mobile and Centrify for SaaS includes several sources of information: 3

6 Contacting Centrify Corporation Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation. The Centrify Cloud Management Suite Installation and Configuration Guide provides information related to installing the Centrify Cloud Management Suite, which includes the Centrify cloud proxy server and other components. This guide also provides details for configuring the Centrify cloud proxy server. The Centrify for Mobile Evaluation Guide provides the information needed to install the Centrify Cloud Management Suite, enroll some mobile devices, configure some group policies for those devices, and work with the mobile features in the Centrify Cloud Manager and MyCentrify user portal. The Centrify for SaaS Evaluation Guide provides the information needed to install the Centrify Cloud Management Suite, add and deploy a SaaS application, and work with Centrify Cloud Manager MyCentrify user portal. The Cloud Manager online help provides task-oriented information for administrators who need to modify applications, manage roles and users, and configure settings in the Cloud Manager. To open this help, click Help from the user name menu in the Cloud Manager. The Cloud Manager Application Configuration help provides specific details for configuring each kind of application that Centrify provides individual SaaS applications for SSO, user-password applications, and mobile applications. To open this help, click the Help link from an application in the App Catalog or an Application Settings dialog box. The MyCentrify help provides task-oriented information for users to navigate and launch their deployed applications, view their activity, manage their own mobile devices, and specify some Active Directory settings. To open this help, click Help from the user name menu in the MyCentrify user portal. In addition, you can find the answers to common questions, ask new questions, or get best practice guidance by visiting the Centrify Express community site. Contacting Centrify Corporation If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation, visit our website at From the website you can get the latest news and information about products, support, services, upcoming events, investor relations, and sales. For information about purchasing or evaluating Centrify products, send to info@centrify.com. Centrify Cloud Management Suite Installation and Configuration Guide 4

7 An Overview of Centrify for SaaS and Centrify for Mobile Chapter 1 Centrify for SaaS addresses password sprawl by providing single sign-on while also giving organizations centralized control over access to ever-increasing numbers of SaaS applications. Your users will not only love the single sign-on but also self-service features that let them locate, lock, or wipe their mobile devices and also reset their Active Directory passwords. You will love the easy-to-deploy cloud-based service that delivers access control and visibility to SaaS application usage in addition to seamless integration to Microsoft Active Directory. Centrify for SaaS decreases the cost of rolling out and managing SaaS applications while at the same time improving user adoption, satisfaction, and productivity. Centrify for Mobile is Centrify s easy-to-deploy, cloud-based service that lets you centrally secure and manage smart phones and tablets using your existing Active Directory infrastructure. Centrify for Mobile uses familiar Group Policy tools together with the Centrify cloud service to enforce security settings over a trusted, over-the-air connection and to provide secure access to corporate network services. You can install the Centrify Cloud Management Suite on a computer in your network in a matter of minutes. After a few more minutes of configuring and setting up security policies, device owners can start enrolling mobile devices. After device owners enroll their devices, they can start using your network resources under the full security of Active Directory and Centrify. How Centrify for SaaS and Centrify for Mobile work With Centrify for SaaS and Centrify for Mobile, you use Microsoft Active Directory to centrally manage policies and access to web and mobile applications from mobile devices and computers. Centrify is a complete solution for mobile security and single sign-on that is delivered by the Centrify cloud service. Your users launch applications from the MyCentrify user portal on their computer and also from the MyCentrify application on their mobile devices. Centrify authenticates users and grants them access to applications based on roles, which are comprised of your Active Directory users and groups. The Centrify cloud service is a cloud service that provides secure communication from your on-premise computer with Active Directory to your SaaS and mobile applications accessed from the MyCentrify user portal. The Centrify cloud service facilitates secure single sign-on (SSO) and controls access to your organization s applications by acting as a security token service. As a security token service, the Centrify cloud service authenticates users to the MyCentrify user portal with Kerberos, SAML, or an Active Directory user name and password. To ensure security, the Centrify cloud service communicates over secure channels with cloud proxy servers on your premises. 5

8 How Centrify for SaaS and Centrify for Mobile work The Centrify cloud proxy server seamlessly leverages and extends your Active Directory investment to SaaS and mobile devices by way of the Centrify Cloud Service. The Centrify cloud proxy server is a simple Windows service that runs behind your firewall and provides real-time authentication, policy, and access to user profiles without synchronizing your organization s data to the cloud. You maintain control of your valuable Active Directory data while providing a common-sense user experience to your users. When you install the Centrify Cloud Management Suite, you install the cloud proxy server, Active Directory extensions, and group policies for mobile device management. The Centrify Cloud Manager is a web interface that saves you time and hassle when it comes to managing mobile devices and access to web and mobile applications. The Centrify Cloud Manager provides you a single, clear tool to administer mobile access and SSO, mobile devices, and user profile changes. Also, you can report and monitor all SaaS and mobile activity with one tool. Not only does this improve security and compliance in your organization through improved visibility, but also reduces administrative complexity by reducing the number of solutions with different monitoring and reporting interfaces or integrations. You the administrator can quickly audit all administrative and user activities. In MyCentrify user portal, your users click a simple link to a mobile or SaaS application and the Centrify cloud service logs the users in to the application. MyCentrify provides multiple self-service options for users to update their Active Directory profiles and remotely administer their mobile devices. Each mobile device has the Centrify MobileManager application, which your end users open to enroll the device into Centrify for Mobile and access their web and mobile applications. Centrify Cloud Management Suite Installation and Configuration Guide 6

9 How Centrify for SaaS and Centrify for Mobile work Here s how the main components in the Centrify for SaaS architecture work together: The Centrify cloud proxy server is a simple Windows service that runs behind your firewall and provides real-time authentication, policy, and access to user profiles without synchronizing your organization s data to the cloud. In Centrify for Mobile, you also use Active Directory extensions and group policies to manage your mobile ios and Android devices. Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile 7

10 What you install on your internal network Here s how the main components in the Centrify for Mobile architecture work together: What you install on your internal network You install the Centrify Cloud Management Suite in your network, and this installs the following items for Centrify for SaaS and Centrify for Centrify for Mobile in your internal network: Centrify cloud proxy server Cloud Proxy Server configuration application Active Directory Users and Computers extension for Centrify for Mobile Mobile Group Policy Management console extension for Centrify for Mobile The Centrify cloud proxy server is a process that runs on a host computer with internal connections to your Active Directory server and external internet connections. This server manages communications between Active Directory and the Centrify cloud service. Centrify Cloud Management Suite Installation and Configuration Guide 8

11 Your tools for managing Centrify for SaaS and Centrify for Mobile The Centrify Cloud Proxy Server Configuration application provides a user interface that configures the Centrify cloud proxy server. The Centrify mobile ADUC extension, an Active Directory Users and Computers (ADUC) snap-in that displays mobile-specific device properties for mobile devices and provides mobile device management commands. The Centrify mobile group policy extension, a Group Policy Management Editor (GPME) extension that offers mobile-specific policies when creating group policies for mobile devices. After you have installed the above components, you re ready to access the Cloud Manager. What you install on your mobile devices The Centrify mobile components that are installed on a mobile device are as follows: Centrify configuration profiles, profiles installed on mobile devices that define your organization s security policies on enrolled devices and give the devices access to your internal network resources. The Centrify cloud service implements Active Directory group policies as configuration profiles that will work on mobile devices and then installs the profiles on enrolled devices. Android device owners install the Centrify MobileManager application from Google Play. This application connects the user to the Centrify cloud service so that user can enroll the device and use the application to access deployed applications. ios device owners install the Centrify MobileManager application from the ios store to connect and enroll their device with the Centrify cloud service. ios device owners separately install the MyCentrify mobile application to access deployed applications. You can customize the Centrify MobileManager application with your organization s logo and specific enrollment instructions. The application authenticates the device owner through your network s Active Directory service and then enrolls the device. After the mobile device is enrolled, the Centrify MobileManager application downloads the Centrify configuration profiles to the enrolled device. The MobileManager application handles notifications from the Centrify cloud service and enforces the security policies defined by the configuration profiles. The MobileManager gives a device owner information about enrollment and also allows the device owner to unenroll the device by removing the Centrify configuration profiles. Your tools for managing Centrify for SaaS and Centrify for Mobile When administering Centrify for SaaS, you use the following tools: Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile 9

12 Your tools for managing Centrify for SaaS and Centrify for Mobile Centrify Cloud Proxy Server Configuration application Cloud Manager Centrify group policies for Centrify for Mobile The Cloud Proxy Server connects to your existing Active Directory forest. Continue to use Active Directory to create users and groups. Your users log in to MyCentrify User portal to access their apps, Active Directory account settings, and mobile devices (if you ve also implemented Centrify for Mobile). Here s what the Cloud Proxy Server Configuration application looks like: Use the Status tab to see the status of your cloud proxy server, your Centrify Customer ID and account information, and its connection to the Centrify cloud service. Use the Proxy Server tab to do the following: * Configure how often the cloud proxy server updates settings from the Centrify cloud service * Configure how often the cloud proxy server checks for user account updates in Active Directory * Restart the cloud proxy server, if needed * Specify auto-update * Specify web proxy settings, if needed Use the Logging tab to generate a log file for troubleshooting and specify its location. Use the Mobile Settings tab to manage who has permission to enroll and manage devices. Use the Alerts tab to customize notifications for non-responsive mobile devices. To open the Cloud Manager, open the following URL in your web browser: Centrify Cloud Management Suite Installation and Configuration Guide 10

13 The process of deploying an application Here s what you use the Centrify Cloud Manager for: Use the Cloud Manager to... Deploy and configure applications Assign roles to web applications to control user access Create or edit roles as needed; assign users and groups from your Active Directory infrastructure Monitor user and application activity Manage and monitor devices and device activity The process of deploying an application Deploying single sign-on access to an application is straightforward. Below is a brief overview of the process. To deploy a web application (an overview) in the Centrify Cloud Manager: 1 In the Cloud Manager Apps page, add the application from the Centrify App catalog. Notice that the application is added to the Apps page in the Ready to deploy state. 2 Modify the application to configure the application settings. Depending on the type of application, the application settings may include the following: Application name, description, or icon Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile 11

14 Configuring Single Sign-On (SSO) Login URL User Account mapping. The choices are: * Active Directory field supplies the user name * Everyone shares the same user name * Prompt the user for the user name (first log in only) * Use a script to generate the user account login name If the web application uses SAML for single sign-on purposes, there are some additional configuration options to specify. Centrify provides step-by-step instructions for configuring SaaS applications in our catalog. Click the Help link in the Application Settings dialog box or the Centrify App Catalog. 3 Assign one or more roles to the application to control who can access to the application. For each role, you can deploy an application as automatic or optional. An automatic install makes the application appear in the users MyCentrify user portal by default. An optional install makes the application available to be added by each user. Note Use the Roles page to create or modify roles. Assign Active Directory users and groups to roles as needed. After you assign roles to the application, the application state changes to deployed and the assigned users can access the application. Configuring Single Sign-On (SSO) When you deploy an application, you configure how Centrify grants access to that application for your users. You have some options for how you provide your users single sign-on access to SaaS applications. User account mapping options Your first choice involves how your Active Directory accounts are mapped to the application user accounts. Depending on the application, you have the following options: Use an Active Directory field: Use this option if the user accounts are based on Active Directory user names. Specify an Active Directory field such as mail or userprincipalname. Everyone shares the same user name and password: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account. User provides the user name and password: Use this option if the application user accounts are not related to Active Directory and each user has their own login information. The user enters the user name and password the first time that he launches the application from MyCentrify. The Centrify Cloud Service retains the login Centrify Cloud Management Suite Installation and Configuration Guide 12

15 Configuring Single Sign-On (SSO) information so that your user doesn t have to try to remember it or store it in a nonsecure location. Login script: You can customize the user account mapping here by supplying a custom script to generate the user account login name. For example, you could use the following line as a script: return LoginUser.Get('mail')+'.ad'; The above script instructs the Cloud Manager to set the login user name to the user s mail attribute value in Active Directory and add.ad to the end. So, if the user s mail attribute value is Adele.Darwin@centrify.com then the Cloud Manager uses Adele.Darwin@centrify.com.ad. Application types There are also different kinds of applications that you can add and deploy to your users. The Centrify App Catalog lists the name and application type for each application. Web application with user name and password authentication Some web applications are configured for user name and password authentication only. Use this option if either the application only supports user name and password authentication or if you don t want to configure the application for SAML SSO at this time. Web application with SAML authentication Use this option if your application account has SAML SSO as an option and you want to configure the application to use SAML SSO. Bookmark application The MyCentrify user portal provides only a link to the URL of the application but doesn t provide any login authentication mechanism. You can use a bookmark application to provide a convenient link to an internal application available to your users. Add the Generic Bookmark application to your list of applications, and then configure the application with the desired application URL. Mobile application Mobile applications are available with Centrify for Mobile. SAML SSO options For applications that support SAML authentication, you also have some options to choose. Different applications provide different authentication options. The main choices are: Identity Provider (IdP)-initiated only Service Provider (SP)-initiated only IdP-initiated or SP-initiated Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile 13

16 Configuring Single Sign-On (SSO) The Identity Provider (IdP) is a service such as the Centrify Cloud which provides a way to authenticate users securely. A Service Provider (SP) is the provider of the web application, such as Salesforce, Office365, Google Apps; the service provider uses the SAML tokens produced by the IdP. The following diagram illustrates the main differences between IdP-initiated and SPinitiated SAML SSO. Centrify for SaaS works with both IdP-initiated and SP-initiated SAML SSO. If your application provider offers both IdP-initiated and SP-initiated, choose which one you want to use and configure your application accordingly. Here are some things to consider: In most cases, if you use IdP-initiated SAML SSO, your users can still access the application directly using their user name and password. If you use SP-initiated SAML SSO, your users are redirected to the MyCentrify user portal if they attempt to log in directly to the web application. Some applications prevent user name and password logins. Centrify Cloud Management Suite Installation and Configuration Guide 14

17 Chapter 2 Installing and configuring the Centrify Cloud Management Suite Setting up your internal network to work with Centrify for SaaS or Centrify for Mobile or both is straightforward. You first use an installer to install the Centrify Cloud Management Suite on a host computer in your network. Once you install the cloud proxy server, you set the server to connect to Centrify cloud services. Requirements To install and configure Centrify for SaaS or Centrify for Mobile, you need the following items: Item Centrify customer account with access to the Centrify customer support portal. Centrify Cloud Management Suite installer host computer user account with administrative access to an Active Directory in your network Web Proxy Server (optional) Description You ll use this account to register and enable your Centrify cloud proxy server during installation. If you don t already have an account, you can sign up for one at Click the Sign Up link at the top of the web page and follow the directions. This program installs on-premise components in your internal network. The installer file is included in your evaluation download. You install the Centrify Cloud Management Suite on this computer so that you can connect your Active Directory service to the Centrify cloud service. This computer in your internal network needs to meet or exceed the following requirements: Windows Server 2008 R2 (64-bit) or Windows 7 (32-bit or 64-bit) Joined to the domain in which you want to grant users access to web applications Internet access Be a server machine that is always running and accessible Microsoft.NET version 4.0 or later; if it isn t already installed, the Centrify installer installs it for you. The user account that installs the Centrify Cloud Management Suite must have Modify Permissions ability. Centrify adds this user automatically to the sysadmin role in the Cloud Manager. A web proxy server in your internal network. If your network is configured with a web proxy server that you want to use to connect to the Centrify cloud service, you can specify this server during the installation process. You should know the URL and port number to use,. The environment must also keep outbound TCP ports 9350 through 9355 open, or outbound TCP port 443 open, or outbound TCP 80 open if you use a proxy (a 1.1 HTTP compliant proxy is required). 15

18 Requirements Item Mobile devices to enroll Apple Account Apple App Store account (for ios devices) Google account (for Android devices) Touchdown application (for Android devices) Description (an ios device that may be an iphone, ipad, or ipod Touch running ios 4.3 or later, or an Android device running Android 2.3 or later). For the most up-to-date list of tested and certified devices, see the Centrify website at mobile/directcontrol-for-mobile-supported-platforms.asp. If you plan to enroll ios devices, a separate Apple account is required to use for creating and updating an Apple Push Notification Service (APNS) certificate from Apple. You need to use this same account annually to renew your APNS certificate. For example, you might find it simpler to create a generic Apple ID to use solely for APNS certificate creation. An Apple app store account to download the MyCentrify application on a mobile device. A Google account for the device (typically a gmail account) so that the device can receive notifications from the Centrify cloud service. You ll find the account listed in the Settings application under Personal > Accounts & Sync. You also use this account to download the Centrify Mobile application from Google Play. If you plan to synchronize mail onto your Android device (a non SAFE API Android device), make sure that the Touchdown application is installed (Touchdown version or later). There is an evaluation version of the Touchdown application in Google Play. Tip For information about configuring silent authentication settings on the host computer and in your web browsers, see Configuring silent authentication on page 54. Supported web browsers This version of Centrify for SaaS / Centrify for Mobile has been tested with the following web browsers: Internet Explorer: version 8 on Windows XP for MyCentrify user portal only version 9 and 10 on Windows 7 and Windows 2008R2 server version 10 on Windows 2012 server and Windows 8 Mozilla Firefox: version 20 Google Chrome: version 26 Apple Safari: version 6 Tip For silent authentication to work correctly, some web browsers need additional configuration. For more information, see Configuring silent authentication on page 54. Required Active Directory permissions To install and administer the Centrify Cloud proxy server, the user account you use to install the Centrify Cloud Management Suite must be allowed access to the advanced Modify Permissions permission. Cloud Management Suite Installation and Configuration Guide 16

19 Requirements To add the required permissions to an Active Directory user or group: 1 In Active Directory Users and Computers, make sure that you have Advanced Features enabled (View > Advanced Features). 2 Open the properties for the desired user or group and click the Security tab. 3 In the Security tab, click Advanced. 4 In the Advanced Security Settings dialog box, click Add. 5 Enter the name of the user or service account that you will use to run the Cloud Proxy server, and click OK. 6 In the Permission entry dialog box for the group, click Allow for Modify Permissions and click OK. The Permissions tab of the Advanced Security Settings dialog box lists the specified user with the ability to Modify Permissions. 7 In the Advanced Security Settings dialog box, click OK. 8 In the User or Group Properties dialog box, click OK. Exchange server requirements Blocking is available to Exchange 2010 and Office 365 servers. It is not available to Exchange 2007 servers.exchanges 2010 servers must have SP1 installed. You must enable Remote PowerShell on the Exchange or Office 365 server. After you enable Remote PowerShell, the Exchange server creates an Internet Information Services (IIS) application named PowerShell. You need to enable an authentication method for this application. (By default no authentication method is selected.) Use the following procedure to enable an authentication method for the PowerShell application. Note The following procedure is required for Exchange Servers only. Skip this procedure if you are using an Office 365 server. To enable authentication method for PowerShell application: 1 Start IIS Manager. 2 On the left pane, select Site > Default Web Site > PowerShell. 3 On the right pane, select IIS > Authentication, right-click, click and select Open Feature. 4 Select either Windows Authentication or Basic Authentication, right-click, and select Enable. Note If you select Basic Authentication, be sure to select the check box when you enable the Exchange server in the Cloud Manger settings. Chapter 2 Installing and configuring the Centrify Cloud Management Suite 17

20 Installing the Centrify Cloud Management Suite in your network 5 Back up your original settings. In this case, you would use a PowerShell script to extract the original settings. Re-enrolling devices using different customer IDs If you have installed multiple proxy servers and are using more than one customer ID, there are some situations where you must either manually move or remove a mobile device before a user can re-enroll the device using a different customer ID. This situation mostly happens when you have multiple proxy servers using more than one customer ID and each proxy server uses a different Active Directory organizational unit to contain the mobile group policies. For example, this kind of situation can arise if you have a beta deployment in addition to a production deployment. Note If both proxy servers are using the same organizational unit, the user can simply unenroll and then re-enroll the device for re-enrolling. To re-enroll the same mobile device using a different customer ID: Do one of the following in Active Directory: Grant the new proxy server permission to move or remove objects in the original proxy server s organizational unit. Manually remove the old mobile device object be from the old proxy server deployment, manually move the mobile device object to the new proxy server s organizational unit. Installing the Centrify Cloud Management Suite in your network The Centrify Cloud Management Suite installer installs Centrify software in your internal network. After the installation completes, the installer launches the Cloud Proxy Server Configuration Wizard to help you configure the installed cloud proxy server. To run the installer: 1 On your host computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows or Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows. If Microsoft.NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after.net installation and then you can continue the installation of the Cloud Management Suite. 2 In the Centrify Cloud Management Suite installer, click through the welcome screen (Next) and end-user license agreement (check box and Next). Cloud Management Suite Installation and Configuration Guide 18

21 Installing the Centrify Cloud Management Suite in your network 3 In the Custom Setup dialog box, select the items to install, depending on which product(s) you need: Cloud Proxy Server (needed for either Centrify for SaaS and Centrify for Mobile) Centrify for Mobile Tools (includes AD Users and Computers and Group Policy Console Extensions) Centrify for SaaS (components required for Office365) You can click Browse to specify a different installation location. Click Next. 4 In the Ready to Install Cloud Management Suite page, click Install to perform the installation. If you re upgrading the proxy server and it s currently running, the installer prompts you to have the installer close the applications that are using files that need to be updated. 5 Select the option to close the applications and click OK. 6 When the installation completes, keep Run Connection Test selected and click Finish. A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing. Click Close to close the Connection Test dialog box, then the Cloud Proxy Server Configuration Wizard launches. Configuring the Cloud Proxy Server When installing the Cloud Management Suite, the Cloud Proxy Server Configuration Wizard opens automatically. Chapter 2 Installing and configuring the Centrify Cloud Management Suite 19

22 Installing the Centrify Cloud Management Suite in your network Tip You can run this wizard again by clicking Re-Register in the Cloud Proxy Configuration application, Proxy Server tab. Doing this reregisters your proxy server to the Centrify cloud. To configure the cloud proxy server using the configuration wizard: 1 In the Cloud Proxy Server Configuration Wizard Welcome page, click Next. 2 In the Proxy Configuration page, enter your Centrify account name and password in the account and password fields, and click Advanced. 3 In the Advanced Settings dialog box, verify that cloud.centrify.com is set as the cloud service address and click OK. 4 Click Next. 5 In the Web Proxy Configuration page, if your network has a web proxy server that you want to use for the connection to the Centrify cloud service, select the Use a web proxy server... option. If you do not have a web proxy server, simply click Next without selecting the option; the cloud proxy server won t connect through the web proxy server. If you selected the web proxy option, enter the following information: Address The URL of the web proxy server. Port The port number to use to connect to the web proxy server. 6 Click Next to continue. The Configuring Mobile Use screen appears. 7 For Centrify for Mobile users, keep the option selected to Configure Centrify for Mobile and continue to Configuring Centrify for Mobile. Otherwise, deselect the option and continue to Completing the Cloud Proxy Server Configuration Wizard. Cloud Management Suite Installation and Configuration Guide 20

23 Installing the Centrify Cloud Management Suite in your network Configuring Centrify for Mobile If you selected the option to Configure Centrify for Mobile, the second Configuring Mobile Use dialog box appears. It allows you to specify the Active Directory groups whose users can enroll devices and the organizational units in which records for these users devices are stored. The user group and organizational unit are specified as a pair. By default, the specified user group is Domain Users (which means all Active Directory users can enroll devices) and the organizational unit is Computers (which means mobile devices are stored in the same organizational unit as computers). Note The organizational unit that you specify corresponds to the group policy object. Be sure to add devices to the organizational unit that you specify here; otherwise, the group policies may not get transferred to the mobile devices. You can specify multiple pairs if you wish. However, if you use a group, such as the default, Domain Users, which includes all domain users, a single entry will allow anyone in your domain to enroll a device. Tip For example, create an organizational unit called Mobile Devices. 1 Do one of the following: Click Next to accept the default pair. Click the group Domain Users in the list, then click Edit to open the Modify Enrollment Group dialog box and change either the group or the organizational unit to use. Click Add to add a new group and organizational unit pair. 2 If you selected Edit or Add, do one or both of the following: Chapter 2 Installing and configuring the Centrify Cloud Management Suite 21

24 Installing the Centrify Cloud Management Suite in your network On the Group line, Click Create or Browse to create a new group or browse to an existing group to select. If you create a new group, you can later add users to it in Active Directory Users and Computers. On the Container line, click Browse to browse to an existing organizational unit to use, or browse to an Active Directory organizational unit, then click Create to create a new container. 3 Click OK when finished. 4 Click Next. Another Configuring Mobile User dialog box appears. It specifies the user group whose members are allowed to manage enrolled mobile devices set to Domain Admins by default. Although Centrify for Mobile Active Directory extensions appear in ADUC for users who are not members of the specified group, the button operations do not work. 5 You may specify one group only. Do one of the following: Click Next to accept the default, Domain Admins, group. Click Create or Browse to create or select a different group, then click Next. Note Centrify adds the group you specify to manage enrolled devices automatically to the sysadmin role in the Cloud Manager. Note When you complete the configuration wizard, your proxy server will be fully functional, users in the specified groups can enroll devices, and administrators in the specified group can track and manage the devices. Keep in mind though that you can run the Centrify Cloud Proxy Configuration application at any time to make changes to the configuration that you have defined in the wizard, including adding, removing, or changing the enrollment and management groups. 6 If this is the first time that you are running the installer in your domain, the Setup Properties page appears. In order to see the Centrify property pages in all Active Directory administration screens, keep the Activate Centrify property pages option selected. Provide user credentials that have Enterprise administrator privilege to Active Directory so that the Active Directory administration screens can be updated. Completing the Cloud Proxy Server Configuration Wizard The Starting Cloud Proxy Server dialog box appears while the wizard registers the proxy with the Centrify cloud service and starts the proxy. When setup and startup is complete, the Setup Completed dialog box appears. Click Finish to exit the wizard. The cloud proxy server is now installed and running. The Centrify cloud proxy server configuration application starts automatically. Cloud Management Suite Installation and Configuration Guide 22

25 Upgrading your proxy server In a real installation, you can install multiple proxy servers for automatic failover, each on a different host computer. You use the same customer ID for each newly installed proxy server to identify the installation to which the proxy server belongs. If one proxy server fails, the Centrify cloud service automatically switches to another proxy server to continue service. Upgrading your proxy server If you re upgrading from a previous version of Centrify for Mobile, run the Centrify Cloud Management Suite installer to upgrade the Cloud Proxy server and the Centrify Group Policy Object Extensions (GPOE). Some Centrify GPOEs have moved in this release. The installer moves your current Exchange ActiveSync or VPN - PPTP policies as follows: Exchange ActiveSync policies that apply to all devices or ios only move to Basic Mobile Settings > Exchange ActiveSync Settings Exchange ActiveSync policies that apply to all devices or Android only devices move to Touchdown Settings > Exchange ActiveSync Settings VPN - PPTP policies that apply to all devices or ios only move to Basic Mobile Settings > VPN Settings (with PPTP specified as the protocol) VPN - PPTP policies that apply to Android only devices move to Samsung SAFE Settings > VPN Settings Automatically updating your proxy server Starting in Centrify for Mobile 1.1, you can automatically update your proxy server without having to run through a new installer. The proxy server regularly checks to see if there is an update and can automatically run the update. If you have the Centrify Cloud Proxy Server Configuration application open, however, the proxy server cannot automatically update itself. In this case, run the update manually. To update the Cloud Proxy Server: 1 Open the Centrify Cloud Proxy Configuration application. Chapter 2 Installing and configuring the Centrify Cloud Management Suite 23

26 Installing and configuring additional proxy servers 2 In the lower left of the Status pane, right-click the update icon and select Update. Right-click the update icon and select Update to manually update the Cloud Proxy Server. The Cloud Proxy Server updates and then displays a message indicating that the software is up to date. Installing and configuring additional proxy servers A single cloud proxy server runs in a forest at any given time to communicate between Active Directory and the Centrify cloud service. However, it is recommended that you configure one or more additional servers to provide fail over in case the running server goes offline for any reason. This section explains how to install and configure additional cloud proxy servers. Keep in mind that your customer ID uniquely defines your Centrify for Mobile installation. During installation, when you enter your Centrify account information, the cloud proxy server configuration wizard creates a unique customer ID for your account and registers the cloud proxy server with that ID. Later on, when users enroll devices, or administrators manage enrolled devices, the customer ID identifies the correct Centrify for Mobile installation with which to work. When you set up additional cloud proxy servers in a single Centrify for Mobile installation, you must register all of them using a single existing customer ID. When you enter your Centrify account information during installation, the configuration wizard will prompt you with your existing customer ID. When you install multiple cloud proxy servers, Centrify for Mobile specifies one of the servers to communicate between the Centrify cloud service and your internal network Active Directory service. The other cloud proxy servers stand by to take over in case of Cloud Management Suite Installation and Configuration Guide 24

27 Installing and configuring additional proxy servers failure. If the server in use fails, Centrify for Mobile switches communication to another cloud proxy server running in the installation. Server configuration within an installation is the same for all cloud proxy servers in the installation. If you change enrollment authorization on one cloud proxy server, for example, to include a new enrollment group and associated organizational unit, the proxy server sends that change to the Centrify cloud service. The cloud service stores the configuration with the customer ID and propagates the configuration to all cloud proxy servers in the installation associated with that ID so that all proxy servers have the same configuration. To run the installer for additional proxy servers in a single forest 1 On a host computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows, Cloud- Mgmt-Suite-<version>-win64.exe for 64-bit Windows. 2 Click through the welcome screen (Next) and end-user license agreement (check box and Next). 3 In the Custom Setup dialog box, keep the default component settings, set file location to a different location if desired, then click Next. 4 Click Install to begin the installation and Finish when the wizard completion appears. A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing. Click on the link next to any test to see information about the success or failure of a test. For example, if you click the Success, Warning, or Error link for Outbound TCP Port Check, you see each port that was contacted and whether connection was successful for each. 5 Click Close to close the window. The Cloud Proxy Server Configuration Wizard launches automatically. This wizard enables you to perform the initial configuration of the cloud proxy server. 6 Click through the welcome dialog box (Next), then in the Cloud Proxy Configuration dialog box enter your Centrify account name and password in the account and password text boxes. 7 Click Next. The Web Proxy Configuration dialog box appears. 8 Specify whether you want to use a a web proxy server for a connection to the Centrify cloud service. If you do, select Use a web proxy server and go to the next step. If you don t, click Next and go to Step 10. Chapter 2 Installing and configuring the Centrify Cloud Management Suite 25

28 Installing and configuring additional proxy servers 9 If you selected the web proxy option, enter the following information: Address The URL of the web proxy server. Port The port number to use to connect to the web proxy server. 10 Click Next. The Set Customer ID dialog box appears. It allows you to register the newly created cloud proxy server to an existing customer ID. 11 Select Register an existing Customer ID and select the customer ID from the box. Generally, there should be a single customer ID available in the Customer ID box. If there are multiple entries, be certain to select the one for your current Centrify for Mobile installation. Note Do not select Register a new Customer ID to register a new proxy server to a different customer ID in the forest. Each customer ID has its own associated encryption key that encrypts group policy information sent between an installation and its enrolled mobile devices. If you install proxy servers in the same forest using different customer IDs each server will use a different encryption key, causing problems in sending group policy data to enrolled devices. 12 Click Next then Finish to complete installation of the new proxy server. The Centrify cloud proxy server configuration application starts automatically after the configuration wizard completes. You can check the status of the new server, or make changes if you wish, but you are not required to explicitly configure the new server because it is already configured exactly as the existing server. The cloud service stores the configuration with the customer ID and propagates the configuration to all cloud proxy servers in the installation associated with that ID so that all proxy servers have the same configuration. If you make changes in one proxy server, for example by changing enrollment authorization to include a new enrollment group and associated organizational unit, the proxy server sends that change to the Centrify cloud service. Cloud Management Suite Installation and Configuration Guide 26

29 Configuring the Centrify cloud proxy server Configuring the Centrify cloud proxy server After you ve installed the cloud proxy server, you can further configure it using the Centrify Cloud Proxy Server Configuration application. You can also find your newly assigned customer ID here, which is important for later use. To configure the cloud proxy server: 1 On your host computer, run the Cloud Proxy Server Configuration application from the Start menu, if the application isn t already running. (It s in the Centrify folder in All Programs.) 2 Note the customer ID value in the Status tab. You ll need the customer ID later to log into the Centrify Cloud manager. The customer ID uniquely identifies this Centrify for SaaS installation. The rest of the tab reports this server s name, the Centrify account it s registered under, and whether the server is started or not. 3 Click the Proxy Server tab to control the server. You can start or stop the server using the Start and Stop buttons, control how frequently the proxy server is updated to match other cloud proxy servers in your Chapter 2 Installing and configuring the Centrify Cloud Management Suite 27

30 Configuring the Centrify cloud proxy server network using the Settings update interval value, and enable or disable automatic updating of the proxy server from the cloud by selecting Enable auto-update. When auto-update is on, the proxy server checks the Centrify cloud service periodically to see if there is a proxy server update. If there is, the proxy server downloads and installs the update, then restarts. This ensures that proxy server software is up-to-date. It is recommended that you enable this option, which is on by default. Note The Active Directory Integration and Alerts tabs are used in Centrify for Mobile only. 4 Click the Logging tab. 5 Select Enable logging, and click Browse... to choose a directory where you want logging data to be written. Cloud Management Suite Installation and Configuration Guide 28

31 Configuring the Centrify cloud proxy server 6 In the Browse for folder dialog box, select the desired location and click OK. 7 Click Close to save your changes and close the application. Chapter 2 Installing and configuring the Centrify Cloud Management Suite 29

32 Chapter 3 Configuring the cloud proxy server This chapter explains how to use the cloud proxy server configuration application to configure and monitor your cloud proxy server. It covers the following topics: About the Centrify cloud proxy server and configuration application Status tab Proxy Server tab Mobile Settings tab The Alerts tab Logging tab Launch the cloud proxy server configuration application from the Start menu on the host computer. Modify settings by selecting different tabs in the window. You can see the tabs in the following figure. About the Centrify cloud proxy server and configuration application The cloud proxy server runs on a host computer and manages communications between Active Directory and the Centrify Cloud service. It specifies groups whose members can enroll devices and a group whose members can manage devices. It also monitors Active Directory for group policy changes, which it sends to the Centrify Cloud service to update enrolled devices. 30

33 Status tab Initial configuration of the cloud proxy server follows installation with the cloud proxy server configuration wizard, which launches automatically. To complete the wizard, you must identify a user group whose members can enroll devices and a container that stores accounts for enrolled devices. You must also identify a group whose users have permission to manage enrolled devices and manage the configuration. The cloud proxy server configuration application allows you to complete the initial configuration, if necessary, to make changes, and to configure additional features such as logging and sending alerts that are set to default values during initial configuration. You can also run this application to monitor the status of your cloud proxy server. Note You can also monitor proxies through the Centrify Cloud Manager web application. However, the Cloud Manager only allows you to monitor proxies it does not allow you to configure a cloud proxy server in any way. Although you may configure multiple cloud proxy servers for a single Centrify for Mobile installation, only one of them is active at a time the others stand by in case of failure, in which case one of them takes over. Each server has its own proxy server configuration application that you launch on the computer hosting the proxy server. However, when you make a change to any of the proxy servers in an installation (that is, servers registered to the same customer ID), the changes are propagated to all the servers in the installation to ensure that they are all in sync. The Centrify cloud proxy server configuration application is installed on any computer where a cloud proxy server is installed. Launch it through the Windows Start menu where it s located in the Centrify/Cloud Management Suite folder. The application appears as a window with five tabbed panels: Status, which reports the status of the proxy server. Proxy Server, which controls proxy server operation. Mobile Settings, which specifies groups allowed to enroll devices, the group allowed to manage devices, and the interval at which the proxy polls Active Directory. Alerts, which specifies if and where to send alerts when Centrify for Mobile detects dead mobile devices. Logging, which turns logging on and off for this configuration application and for the ADUC and group policy editor extensions. It also specifies where the log file is stored. Status tab The Status tab displays the following read-only information about the proxy server: Server name displays the assigned name of this cloud proxy server. Customer ID displays the customer ID under which this cloud proxy server is registered. Provide this ID to users to for enrolling mobile devices. You also use this ID to log into the Centrify cloud manager. You can install multiple cloud proxy servers Chapter 3 Configuring the cloud proxy server 31

34 Proxy Server tab using this ID to create stand by proxy servers in case of failure. Only one proxy server runs at a time. Note The Centrify cloud service assigns the customer ID when you register the cloud proxy server (during installation) by using the cloud proxy server configuration wizard. Although you can change the customer ID in the Proxy Server tab, you should never do so unless instructed to do so by Centrify customer support. Centrify Account displays the Centrify customer account name under which this installation was registered. Cloud Proxy Server is started stopped Shows whether the cloud proxy server is started (running) or not. Connection to Centrify Cloud Service Shows the date, time, and result of the last connection to the Centrify cloud service. Proxy Server tab The Proxy Server tab reports the customer ID under which the proxy server is registered and whether or not the server is started. It also offers the following controls: The Re-register button starts the Centrify cloud proxy server configuration wizard and allows you to re-register this cloud proxy server. Generally, you re-register the proxy under the same customer ID, and then only if the proxy is having difficulty communicating with the Centrify Cloud service and customer support recommends that you re-register to address the issue. Note Re-registering under a different ID can destabilize your environment and should be done only after consulting with Centrify customer support. Changing the ID moves the proxy server from one installation to another. If the proxy server is the only server in an installation, removing the server from the installation will cause any device enrollment to the installation to fail, and enrolled devices will no longer receive policy changes. Click Start to start the cloud proxy server if it s stopped. Click Stop to stop the cloud proxy server if it s running. Click View Log to view the proxy server log. Note that this is not the same as the proxy server configuration log viewed under the Logging tab. The proxy server log is turned on at all times and records all actions taken by the proxy server. The proxy server configuration log is not turned on by default. When it is on, it records proxy server configuration activities taken using this application, not the actions of the proxy server. Use the Settings update interval text box to set the number of minutes this proxy server takes between checks on proxy settings with the Centrify cloud service. When any proxy server in an installation changes its settings, it sends those settings to the cloud service. When a proxy server checks settings with the cloud service, if there were Centrify Cloud Management Suite Installation and Configuration Guide 32

35 Mobile Settings tab new settings reported from any of the other proxy servers in the installation, the checking proxy downloads and accepts those settings. This ensures that all proxies in an installation have the same settings. Use the Active Directory user verification interval text box to set the number of minutes this proxy server takes between checks for active AD user accounts. When the proxy server checks AD user accounts, it contacts Active Directory to see if the user account listed for each enrolled device is active. If a device s associated user account is not active (is disabled or removed), Centrify for Mobile unenrolls the device. Select the Enable auto-update check box to turn the proxy server s auto update on (when checked) or off (when unchecked). When auto-update is on, the proxy server checks the Centrify cloud service periodically to see if there is a proxy server update. If there is, the proxy server downloads and installs the update, then restarts. This ensures that proxy server software is up-to-date. We recommend that you enable this option, which is on by default. Select Use a web proxy server for Centrify Cloud Service connection check box if your network is configured with a web proxy server that you want to use to connect to the Centrify cloud service. Note that the web proxy must support HTTP 1.1 for a successful connection to the Centrify cloud service. The environment must also keep outbound TCP ports 9350 through 9354 open. After you select this option, enter the following information to enable the web proxy connection: Address is the URL of the web proxy server. Port is the port number to use to connect to the web proxy server. Mobile Settings tab The Mobile Settings tab has three panels: The Enrollment Authorization panel specifies user group/container pairs that define which Active Directory user groups may enroll mobile devices and where records for those devices are stored. The Group Policy panel specifies, in minutes, how often the cloud proxy server polls Active Directory for changes in mobile group policies. The Management Authorization panel specifies which user group has mobile device management authorization through Active Directory or through the Centrify cloud manager. Enrollment authorization The Enrollment Authorization panel contains a list of one or more user group/containers (organizational unit) pairs. Each pair specifies a user group whose mobile devices may be Chapter 3 Configuring the cloud proxy server 33

36 Mobile Settings tab enrolled in Centrify for Mobile and a container where the enrolled devices records are stored. The proxy server stores this user group/container pair list. When a user requests to enroll a mobile device, Centrify for Mobile reads through the list and looks for a user group that the requesting user belongs to. When it comes to a pair that contains a user group that the requestor belongs to, the proxy server enrolls the device and puts the device record in the container specified by the pair. The proxy server stops reading through the list after that, so if the user is a member of a user group specified in a later pair, the later pair has no effect on enrollment. The panel has a set of buttons that control the list entries: Move up moves the selected pair up in the list. Move down moves the selected pair down in the list. Add opens the Add Joined Group dialog box where the user can create a new group/ container pair. The dialog box contains standard Active Directory controls that allow you to create a new user group or browse for an existing user group, and to browse for an existing container. Edit opens the Modify Joined Group dialog box where the user can modify the selected pair. This dialog box has the same controls as the Add Joined Group dialog box with one difference: there are already values filled in that define the group and container. Remove deletes the selected pair from the list. Group policy polling The Group Policy panel has a single control: The Polling interval text box accepts an integer value that sets the number of minutes between Active Directory polls. The cloud proxy server polls Active Directory regularly to look for new and modified ios group policies. Management authorization The Management Authorization panel displays the Active Directory user group currently authorized to manage mobile devices through Active Directory or the Centrify cloud manager. It has two buttons you can use to specify a new user group: Create lets you create a new Active Directory user group and authorize its members to manage mobile devices. Browse lets you browse through existing Active Directory user groups and select a new user group whose members are authorized to manage mobile devices. Note that only one user group may be authorized to manage mobile devices. Centrify Cloud Management Suite Installation and Configuration Guide 34

37 The Alerts tab The Alerts tab Logging tab The Alerts tab enables you to turn on notification for dead mobile devices and to configure the address and server for receiving the notifications. To turn on notification for dead devices, select Send notification for dead devices. Note The Centrify cloud service pings enrolled devices once every 24 hours to verify that they are active. If a device does not respond to the ping message within five days, it is considered dead and the Centrify cloud service changes its state to terminated. If the device reconnects after that time, the Centrify cloud service changes its state back to GPApplied and activates the device in Active Directory. After enabling notification, enter the following information to specify the notification address and subject, and to specify the address to receive the notification: From address Specify the from address supplied in the notification. This value is required. To address Specify the address to which to send the notification. This value is required. The Mail subject Specify the subject line for the notification. This value is optional. SMTP server Specify the SMTP server used to send the notification. This value is required. SMTP port Specify the port number used to connect to the SMTP server. This is an optional value. Use SSL Select this to specify that the Centrify cloud service use an SSL connection to connect to the SMTP server. Use SMTP authentication Select this to specify that the Centrify cloud service provide a user name and password for SMTP server authentication when connecting to the SMTP server. User name and Password If Use SMTP authentication is selected, you must provide the user name and password for this authentication. Click the Test button to verify your notification setup by sending a test notification using all provided notification values. If sending mail fails, a notification box appears. Note that this button is unavailable until all required notification values are filled in. Use the Logging tab to enable logging for the proxy configuration application, the ADUC, and the group policy editor extension. Chapter 3 Configuring the cloud proxy server 35

38 Logging tab To enable logging: 1 Select Enable logging. 2 Click Browse to browse for a folder in which to write log entries. The application writes three separate log files. Click View Log to see the proxy server configuration log, or ADUC log or GPOE log to see the log for these mobile extensions. Note that the proxy server configuration log is not the same as the proxy server log viewed under the Proxy Server tab. The proxy server configuration log reports only proxy server configuration actions taking using this configuration application. The proxy server log reports actions taken by the proxy server. Centrify Cloud Management Suite Installation and Configuration Guide 36

39 Chapter 4 Setting security group policies This chapter introduces the Centrify, mobile-specific group policies and explains how to set them in a group policy object. Centrify for Mobile includes a group policy extension that adds a wide variety of policies you can use to manage mobile devices. You installed the mobile device group policy extension when you installed the cloud proxy server. To use these policies, open the Microsoft Group Policy Management Editor (often referred to as GPOE) to create a group policy object (GPO) for the mobile devices and enable the policies you need. Then, you link the GPO to the Active Directory organizational unit that contains the mobile devices. The Centrify cloud proxy server builds a set of profiles for each type of device (ios-, Android-, or OS X-based) and installs the appropriate profiles for the device when the user enrolls the device. The profiles are automatically updated on a periodic basis. You can also force an update from Active Directory Users and Computers and the Cloud Manager. Notes You set the polling interval in the Cloud Proxy Server Configuration program in the Mobile Settings tab. It can take up to 10 minutes after polling for the proxy server to update the devices. If you make a lot of changes (for example, more that 20), the proxy server may issue the updates to the devices in multiple batches rather than all at once. The profiles are listed on Android devices in the MyCentrify Policies screen and in ios and OS-X devices in the Settings application General/Profiles screen. The mobile device group policies overview The Centrify cloud service group policies are displayed along with the Windows Computer Configuration group policies when you open to edit a group policy object. The following 37

40 The mobile device group policies overview figure illustrates the list of the Centrify Cloud Management Settings group policies you see in Group Policy Management Editor.. Notes If you do not see the cloud management settings branches when you open the Group Policy Management Editor it means your computer needs to have both the Centrify Cloud Proxy Server AD Users and Computers and Group Policy Console extensions installed. To install the extension, run the proxy server installer on the computer and select just the Active Directory Users and Computers Console and Group Policy Console extensions. To install Active Directory Users and Computers and Group Policy extensions: 1 On your computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows or Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows. If Microsoft.NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after.net installation and then you can continue the installation of the Cloud Management Suite. 2 In the Centrify Cloud Management Suite installer, click through the welcome screen (Next) and end-user license agreement (check box and Next). Centrify Cloud Management Suite Installation and Configuraiton Guide 38

41 The mobile device group policies overview 3 In the Custom Setup dialog box all of the components are selected by default. To select just the two extensions do the following: a Select Cloud Proxy Server and click Entire feature will be unavailable. b Select Centrify for SaaS and click Entire feature will be unavailable. Only the Centrify for Mobile Tools should be selected You can click Browse to specify a different installation location. 4 Click Next. 5 Click Install. 6 Click Finish. The mobile device policies are organized into the following nodes in the Centrify Cloud Management Settings branch: Basic Mobile Settings: Group policies for either or both ios- or Android-based devices that manage communications services such as VPN and Wi-Fi settings and mail including Exchange ActiveSync, calendar, and contacts setting. This branch also includes Chapter 4 Setting security group policies 39

42 The mobile device group policies overview nodes with policies you can use to manage passcode properties and login attempts and to restrict the use of specific device features. OS X Settings: Group policies for Macintosh computers enrolled in the Centrify cloud service. Samsung KNOX Settings: Group policies that apply to applications running in the Samsung KNOX container. This branch includes policies to control VPN, Exchange ActiveSync, and IMAP/POP behaviors and additional nodes that control application, browser, , and firewall settings as well. These policies have no effect on applications running outside of the KNOX container. The KNOX container policies require a valid license. If the license expires, the KNOX policies and settings are not enforced. Samsung SAFE Settings: Group policies for devices that provide Samsung SAFE support. These policies parallel and extend the basic mobile settings. This branch includes policies to control VPN, Exchange ActiveSync, and IMAP/POP behaviors and additional nodes with policies that control application, browser, , and firewall settings as well. These policies have no effect on applications running inside the KNOX container or on devices that do not include SAFE support. The SAFE policies require a valid license. If the license expires, the SAFE policies and settings are not enforced. Touchdown Settings: A group policy you use to configure Exchange ActiveSync communications on Android devices that use the Touchdown application. Using the Basic Mobile Settings The following tables summarize what the policies and policy nodes in Basic Mobile Settings do. See the Explain tab for each policy for the full description. Group policies Calendar settings Contacts settings Encrypt/don t encrypt device storage Exchange ActiveSync Settings LDAP settings Mail settings To do this Synchronize calendar data on ipad, iphone, and ipod touch devices. Synchronize contact data on ipad, iphone, and ipod touch devices. Automatically encrypt the storage area on non-safe Android devices. Configure the Exchange ActiveSync profiles for server communications and account synchronization for ios devices. Configure contact information profiles for LDAP servers communications for ios devices. Configure account profiles for IMAP and POP mail servers for ios and OS X devices. Centrify Cloud Management Suite Installation and Configuraiton Guide 40

43 The mobile device group policies overview Group policies VPN settings Wi-Fi Settings To do this Configure VPN profiles for ios devices. Configure Wi-Fi profiles for ios and Android devices other than Samsung SAFE and KNOX devices. Group policy branches Passcode Settings Restrictions Settings To do this Set the rules governing passcode use for example, the maximum number of failed attempts, minimum passcode length, and maximum passcode age. In most cases, these policies apply to ios and Android devices. Set rules governing the use of device features for example, permitting or prohibiting camera use and reporting or not reporting the device location. Most of these policies are applicable to ios devices only. Using the OS X Settings The OS X settings apply to all Mac computers enrolled. There is one Restrictions setting Permit/prohibit System Preferences items and two nodes with policies for applications and media. Use the Permit/prohibit System Preferences items policy to enable or disable each system preference (for example, Bluetooth, dock, sharing, and sound among others) on the Mac computers. The following table summarizes the groups of policies in Basic Mobile Settings. See the Explain tab for each policy for the configuration instructions. Group policy branches Applications Media To do this Define the folders from which users can or cannot launch applications. Note: You must enable the Restrict applications policy to define the folders Enable or disable user access to device media for example, DVDs, external disks, and recordable discs. Note If you have an OS X-based device that is enrolled in the Centrify cloud service and joined to your domain controller using Centrify for Servers, you can have security profiles with different settings for the same policy. (Centrify for Servers is an on-premise authentication, SSO, access control, and audit solution for mixed Windows, Mac, UNIX, and Linux enterprise networks.) For example, the policy for on-premise use could allow DVD access while the off-premise policy setting prohibits DVD access. When the device is both joined and enrolled, the policy set for on-premise use, not the policy setting in the Centrify Cloud Management Settings, is enforced. Using the Samsung KNOX Settings The Samsung KNOX Settings group policies control KNOX container behavior, including enabling the device owner to create the container after enrolling the device and Chapter 4 Setting security group policies 41

44 The mobile device group policies overview automatically deleting the container when the device is unenrolled and configuring the communications for the applications running within the container. See Creating a KNOX container on page 47 for the procedures you can use to enable the user to create a KNOX container. The following tables summarize the policies and policy nodes in Samsung KNOX Settings. See the Explain tab for the policy for the configuration instructions. Group policies Create/Don t create container at enrollment Delete/Don t delete container on unenroll Enable/don t enable start VPN automatically for packages Exchange ActiveSync Settings IMAP/POP Settings VPN Settings To do this Enable the user to create a KNOX container after the user enrolls the device. This policy does not actually create the KNOX container. After you enable it and set it to true, the device displays the KNOX automatically icon in the status bar after the user enrolls the device. If you set it false, the icon is not displayed after the user enrolls. Alternatively, you can enable the user to create a KNOX container using the Active Directory Users and Computers and Cloud Manager Create Container commands. Uses can also enable it themselves using the MyCentrify user portal Create Container command. Delete the KNOX container when the user or the cloud administrator unenrolls the device. All applications installed in the KNOX container are uninstalled and any data files are lost when the container is deleted. Start a VPN automatically when an application is launched. You can specify multiple VPN and application pairs. You configure each VPN in the VPN Settings policy. Configure the Exchange ActiveSync profiles for server communications and account synchronization for the application running in the KNOX container. Configure account profiles for IMAP and POP mail servers. Configure VPN profiles. Group policy branches Application Management Browser Settings Settings Firewall Settings To do this Define which applications are allowed to use single sign-on (SSO). Control browser behavior for example, enable or disable pop-up windows, cookies, and JavaScript Control application behavior for example, prohibit adding new accounts and forwarding through a personal account. Configure URL filtering and iptable allow and deny rules. Centrify Cloud Management Suite Installation and Configuraiton Guide 42

45 The mobile device group policies overview Group policy branches Passcode Settings Restriction Settings To do this Configure rules governing passcode properties (for example, minimum length, character occurrence, and sequence length) and usage (for example, number of failed attempts, visibility, and history) Permit or prohibit use of device features, such as the camera, screen capture, and share via list. Using the Samsung SAFE Settings You use the policies in this node to set group policies that govern mobile device VPN, Wi- Fi, and Exchange ActiveSync communications for devices implementing Samsung SAFE. The following tables summarize the policies and policy nodes in Samsung SAFE Settings. See the Explain tab for each policy for the configuration instructions. Group policy Exchange ActiveSync Settings VPN settings Wi-Fi Settings To do this Configure the Exchange ActiveSync profiles for server communications and account synchronization for the application running on a SAFE-enabled device. Configure VPN profiles for SAFE devices. Configure Wi-Fi profiles for SAFE devices. Group policy branches Application Management Bluetooth Settings Device Inventory Settings Firewall Settings Password Settings Restriction Settings To do this Define an array of application usage restrictions including applications the user can or cannot install, launch, or stop; application permissions; and applications white- and blacklist. Configure the device s Bluetooth interface Enable or disable the device s logs (for example, call information, Wi-Fi network data bytes, and data network usage). Configure URL filtering and iptable allow and deny rules. Set the rules governing password use in Samsung SAFE devices for example, forbidden strings, password pattern enforcement, and minimum number of changed characters in a new password. This node also includes policies that manage other password-related behaviors including password and screen lock visibility and wiping external storage in the event the user fails to enter the correct password. Set rules governing the use of device features. There s a long list of policies available to enable or disable such features as varied as Bluetooth access, Android and S Beam use, audio recording, and home key functionality. Note: You enable or disable Wi-Fi and VPN using the policies in this group policy branch. However, you define the Wi-Fi and VPN profiles in separate nodes. Chapter 4 Setting security group policies 43

46 Enabling policies Group policy branches Roaming Settings Security Settings VPN Settings Wi-Fi Settings To do this Enable or disable device operation in roaming mode. Enable or disable enrollment with an MDM server and encrypt or not encrypt the external storage. Configure to allow only IPsec or SSL/TLS VPN connections. Configure a wide variety of Wi-Fi network access point properties and user privileges. Using Touchdown Settings You use this Exchange ActiveSync Settings to define the Exchange ActiveSync profile on Android devices that use the Touchdown application to interface with the Exchange servers. Enabling policies To define the group policies for your mobile devices, you enable mobile policy settings within an existing group policy object (GPO) or create a new GPO specifically for mobile devices. In either case, be certain that the GPO is linked to the Active Directory organizational unit that contains the enrolled mobile devices. You can have mixes of policies that apply to Android, ios, and Samsung SAFE devices in the same GPO. The Centrify cloud service application running on the device can identify the policies that apply to that type of device. The only time you need a separate GPO is if you need to apply the same policy differently to different sets of like devices. For example, if you have one group of ios devices that require the Exchange ActiveSync settings to be set one way and another group that requires a different Exchange ActiveSync setting, you need to put each group in a separate organizational unit. By default all Centrify group policies are set to Not Configured. A policy can be set to Enabled, True, False, or Disabled. These settings are defined as follows: Not Configured: If you leave the policy in this state, the device remains in its default setting until the user (using the device s Settings application, for example) or a group policy object (for example, a GPO linked to a parent organizational unit) modifies it. The default setting can be different for different device vendors. Disabled: When you set the policy to this state, the device reverts to its default setting. The default setting can be different for different device vendors. Enabled: This means that you are actively setting that device property. However, Enabled has different options, depending upon the policy. For many policies, it means that you are turning on this feature and setting the properties governing its use. For example, you Enable passcode history so that the device saves the passcodes over time and then set how many passcodes you want to save. For other policies, you enable the Centrify Cloud Management Suite Installation and Configuraiton Guide 44

47 Configuring Exchange ActiveSync Settings profiles policy and then determine if it is True or False. The True or False setting is typically an option for Restrictions policies that either permit or prohibit a feature or behavior. True: This means that you are going to impose this policy and you are going to allow it. For example, you enable Bluetooth access policy to say I care about this policy and then set it to True to allow it. False: This means that you are going to impose this policy and you are not going to allow it. For example, you enable Bluetooth access policy to say I care about this policy and then set it to False to stop the user from using Bluetooth. Note If you created hierarchical organizational units for your mobile devices and linked different GPOs to each organizational unit, use the following table to determine which policy setting is in effect: To enable a Centrify group policy setting Parent Setting 1 Select the GPO, right click and select Edit to open the group policy object editor. 2 Double-click the setting and select Enabled. Enabled Disabled Not Configured Child Setting Enabled Enabled Enabled Enabled Disabled Disabled Disabled Disabled Not Configured Enabled Disabled Not Configured 3 Select the options and enter or select the required values. 4 Click OK or Apply to save the setting. Not all mobile policy settings are available on all mobile platforms. Android, for example, does not have a VPN policy nor offer many of the Restrictions Settings available to ios devices. In addition, you need to set the same policies separately for different types of devices. For example, you need to set the Exchange ActiveSync Settings separately if the organizational unit contains ios, Samsung SAFE, and Touchdown devices. Note Always click the Explain tab to see which devices and software versions the policy applies to. Configuring Exchange ActiveSync Settings profiles You use the Exchange ActiveSync Settings policy to configure profiles that are downloaded to devices by the Centrify cloud service. Each profile defines the security and synchronization properties assigned to a specific Exchange ActiveSync server. Chapter 4 Setting security group policies 45

48 Configuring VPN settings profiles You configure the Exchange ActiveSync server profile separately for each type of device in the organizational unit linked to the GPO. For example, if the GPO is linked to an organizational unit that has SAFE-enabled devices, KNOX-enabled devices, ios devices, and devices that use Touchdown, you would define profiles in the following nodes: Basic Mobile Settings for the ios devices Samsung KNOX Settings for the devices that have a KNOX container Samsung SAFE Settings for the devices that are SAFE enabled. Touchdown Settings for the devices that use Touchdown to communicate with the Exchange ActiveSync server. If a device links to more than one Exchange server, you create a separate profile for each server. Note Do not create multiple profiles for any one platform (ios, SAFE, KNOX or Touchdown) in the same GPO unless each profile applies to a different Exchange server. Configuring VPN settings profiles You use the VPN Settings policy to configure profiles that are downloaded to devices by the Centrify cloud service. Each profile defines a connection name, the server name, VPN type (PPTP, IPsec, third party VPN), and properties. You configure a VPN server profile separately for each type of device in the organizational unit linked to the GPO. For example, if the GPO is linked to an organizational unit that has SAFE-enabled devices, KNOX-enabled devices, and ios devices, you would define profiles in the following nodes: Basic Mobile Settings for the ios devices. Samsung KNOX Settings for the devices that have a KNOX container. Samsung SAFE Settings for the devices that are SAFE enabled. Do not define multiple profiles for the same VPN server for the same device type. Configuring Wi-Fi Settings You use the Wi-Fi Settings policy to configure the profiles that are downloaded to devices by the Centrify cloud service. Each profile defines the security type (for example WPA or WEP) protocol, and other properties for an SSID. You configure an SSID profile separately for each type of device in the organizational unit linked to the GPO. For example, if the GPO is linked to an organizational unit that has SAFE-enabled devices, KNOX-enabled devices, Android devices, and ios devices, you would define profiles in the following nodes: Basic Mobile Settings for the ios and Android devices. Centrify Cloud Management Suite Installation and Configuraiton Guide 46

49 Creating a KNOX container Samsung KNOX Settings for the devices that have a KNOX container. Samsung SAFE Settings for the devices that are SAFE enabled. Do not define multiple profiles for the Wi-Fi SSID for a specific device type. Creating a KNOX container Samsung KNOX devices let the user create a secure container on the device. Only the user can create the KNOX container, however the user cannot create the container until it has been enabled. The administrator can issue a Create Container command from Active Directory Users and Computers and Cloud Manager that enable the user to create the container. In addition, the user can issue a Create Container command from the MyCentrify user portal. After the command has been received by the device, a yellow notification icon is posted to the device s status bar. The user cannot create a KNOX container until the icon is displayed. See MyCentrify help for the end user create container instructions. To enable a user to create a K NOX container in the group policy object: 1 Open the Group Policy Management console and edit the group policy object for the Samsung KNOX devices. 2 Expand to Computer Configuration > Policies > Centrify Cloud Management Settings > Samsung KNOX Settings. 3 Double-click Create/Don t create container at enrollment. 4 Select Enabled and click OK. After the group policy is updated, the notification icon is displayed. To enable the user to create a KNOX container from Active Directory Users and Computers 1 Open Active Directory Users and computers and select the Samsung KNOX device. 2 Right-click the device and expand the All Tasks menu. 3 Expand the Container Management menu and select Create Container. 4 Click Yes to confirm. 5 Click OK to complete. The Centrify cloud service sends the command to the device and the notification icon is displayed in the status bar. To enable the user to create a KNOX container from Centrify Cloud Manager: 1 Open Cloud Manager and select the Devices page. Chapter 4 Setting security group policies 47

50 Creating a KNOX container 2 Select the Samsung KNOX device. 3 Click the Create Container command. The Centrify cloud service sends the command to the device and the notification icon is displayed in the status bar. Centrify Cloud Management Suite Installation and Configuraiton Guide 48

51 Appendix A Multiple proxy installation scenario This appendix describes how to install multiple proxy-server installations for a single Centrify account. Although this is not a typical installation, it may be appropriate if you want to maintain separate Centrify for Mobile installations in multiple forests but manage them through a single Centrify account. For instructions on installing a single proxy server (the first proxy server in your environment), see Installing the Centrify Cloud Management Suite in your network on page 18. For instructions on installing multiple proxy servers in one installation, see Installing and configuring additional proxy servers on page 24. Installing and configuring multiple installations for one account Generally, you set up a single Centrify for Mobile installation for one Centrify account, that is, you may have multiple proxy servers, but they are all installed through a single Centrify account and registered through the same customer ID. However, for a large, multi-forest environment, you may want to install and configure multiple, standalone Centrify for Mobile installations. In this case, you create a new customer ID for each installation. You can then install additional cloud proxy servers under each customer ID for redundancy. Each installation has its own customer ID and associated proxy server configuration. If you reconfigure one proxy server in an installation, all other proxy servers in the installation are configured the same way. And if you install a new proxy server in an installation, it s automatically configured the same way as the rest of the servers in the installation. When you run the Cloud Management Suite installer for the first time, it creates a customer ID for you and associates the ID with your Centrify account. When you run the installer again to create a new proxy server, after you provide your Centrify account information, you are prompted to register the new proxy with your existing customer ID or with a new one. At this point, you can choose the option to register to a new ID. Note Do not install multiple proxy servers in the same forest using different customer IDs. Each customer ID has its own associated encryption key that encrypts group policy information sent between an installation and its enrolled mobile devices. If you install proxy servers in the same forest using different customer IDs each server will use a different encryption key, causing problems in sending group policy data to enrolled devices. Be very careful about changing a proxy server s customer ID, which moves the server from one installation to another. If the proxy server is the only server in an installation, removing 49

52 Installing and configuring multiple installations for one account the server from the installation will cause any device enrollment to the installation to fail, and enrolled devices will no longer receive policy changes. To run the installer for additional proxy servers in a single forest 1 On a host computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows, Cloud- Mgmt-Suite-<version>-win64.exe for 64-bit Windows. 2 Click through the welcome screen (Next) and end-user license agreement (check box and Next). 3 In the Custom Setup dialog box, keep the default component settings, set file location to a different location if desired, then click Next. 4 Click Install to begin the installation and Finish when the wizard completion appears. A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing. Click on the link next to any test to see information about the success or failure of a test. For example, if you click the Success, Warning, or Error link for Outbound TCP Port Check, you see each port that was contacted and whether connection was successful for each. 5 Click Close to close the window. The Cloud Proxy Server Configuration Wizard launches automatically. This wizard enables you to perform the initial configuration of the Cloud Proxy Server. 6 Click through the welcome dialog box (Next), then in the Cloud Proxy Configuration dialog box enter your Centrify account name and password in the account and password text boxes. 7 Click Next. The Web Proxy Configuration dialog box appears. 8 Specify whether you want to use a a web proxy server for a connection to the Centrify cloud service. If you do, select Use a web proxy server and go to the next step. If you don t, click Next and go to Step If you selected the web proxy option, enter the following information: Address The URL of the web proxy server. Port The port number to use to connect to the web proxy server. User name The user name of a user with access permission for the web proxy server. Password The password for the account. 10 Click Next. Centrify Cloud Management Suite Installation and Configuration Guide 50

53 Installing and configuring multiple installations for one account The Set Customer ID dialog box appears. It allows you to register the newly created cloud proxy server to an existing customer ID or new customer ID. 11 Select Register a new Customer ID. Note Be certain that you are installing the proxy server on a host that is in a different forest from other proxy servers linked to your customer ID. If you register multiple proxy servers to different IDs in the same forest you will destabilize your Centrify for Mobile environment. 12 Click Next. The Configuring Mobile Use dialog box appears. It allows you to specify the Active Directory groups whose users can enroll devices and the organizational units in which records for these users devices are stored. The user group and organizational unit are specified as a pair. By default, the specified user group is Domain Users (which means all Active Directory users can enroll devices) and the organizational unit is Computers (which means mobile devices are stored in the same organizational unit as computers). You can specify multiple pairs if you wish. However, if you use a group, such as the default, Domain Users, which includes all domain users, a single entry will allow anyone in your domain to enroll a device. Do one of the following: Click Next to accept the default pair. Click the group Domain Users in the list, then click Edit to open the Modify Enrollment Group dialog box and change either the group or the organizational unit to use. Click Add to add a new group and organizational unit pair. 13 If you selected Edit or Add, do one or both of the following: Appendix A Multiple proxy installation scenario 51