Configuration and Maintenance

Transcription

1 Cortado Corporate Server Version 6.1 Configuration and Maintenance Cortado AG Alt-Moabit 91 a/b Berlin Germany/ Alemania Cortado, Inc Grandview Avenue Suite 200 Denver, Colorado USA/EEUU Cortado Pty. Ltd. Level 20, The Zenith Centre, Tower A 821 Pacific Highway Chatswood, NSW 2067 Australia [email protected] Web: Issued: April 2, 2013 (v213)

2 Notes Copyright This document is the intellectual property of Cortado AG. This document may be copied in whole or in part, provided this Copyright notice is included in every copy. Registered trade marks All hardware and software names mentioned in this document are the registered trademarks of their respective companies or should be regarded as such. Safety warning All Cortado products are pure software solutions. Please note the safety warnings in the technical documentation from your hardware vendor and from the manufacturer of each device and component. Before beginning installation, we recommend closing all windows and applications and deactivating any virus scanner. 2 Configuration Manual Cortado Corporate Server

3 Contents Introduction... 7 Precondition... 7 Overview management console... 7 Preparatory work for MDM... 9 BlackBerry... 9 Android... 9 Apple ios Requesting and installing Apple Push certificates SCEP server installation User access Via Apple ios, Android and BlackBerry HTML5 Client User Management User Import Defining import source Selection of users and Import User Configuration Overview Configure network drives User settings Mobile printing Assigning predefined printers Assigning Network printer Assigning mobile printer (Wi-Fi, Bluetooth) Removing printers Target folders for print jobs Policies Cortado Corporate Server Configuration Manual 3

4 Contents Managing devices Device information (Details) Device functions Device protection (Lock Screen+ Wipe) Clear Passcode - ios only Remove a device (Remove) Locate a device (Locate) Merging multiple-displayed devices (Merge) Applications (Apps) Policies Certificates Wi-Fi Profiles Reports Overview Examples Managing apps Assigning apps stored by default Adding new apps Storing apps as a link (Define App) Importing apps Managing intranet apps Define a link Assigning links Managing certificates Overview Encryption between browser (end device) and server Encryption between the Cortado app (end device) and server Groups of certificates Types of Cortado certificates Cortado Corporate Server websites Cortado server addressing Configuration Manual Cortado Corporate Server

5 Contents HTTPS encryption between the Cortado app and server In detail Setting up root and server certificates for Cortado Corporate Server Establishing client certificates (optional) Managing Policies Define a policy Assigning policies to users or devices Wi-Fi Profiles Creating a Wi-Fi profile Assigning Wi-Fi profiles Sending Welcome Purpose Procedure Global Settings User Self Service Portal First Steps Wizard Apps Intranet Apps Setup Personal Printing What is Personal Printing? Opening the configuration console Settings ADAM Service Account Print Job Storage Authentication Setting up printers Personal Printer for Windows machines Cortado Corporate Server Configuration Manual 5

6 Contents Setting up Personal Printers for Mac and Linux machines (optional) Setting up target printers Font management Activating authentication methods Configuring authentication devices for encryption (SSL) Configuration for each user Configure each user separate Appendix Mail directory on Apple and Android devices Creating a.csv file for importing users Creating files for importing apps Intranet App: Define Cortado server as a proxy Configure file types Cortado server ports Cortado app is inactive Testing the client certificates in the DMZ User management using PowerShell Update to Uninstalling the Cortado Corporate Server Additional sources Customer service and technical support Abbreviations Configuration Manual Cortado Corporate Server

7 Introduction Introduction The consumerization of IT and the growing number of various devices used in the enterprise means that cross-platform, high-performance mobile device management (MDM) is essential. The use of mobile devices in companies can only increase productivity and add optimal capacity to perform outside of traditional office settings when access to key corporate resources and comprehensive file management functions are guaranteed. The most important prerequisite for this is Cortado Corporate Server. The world's first solution to combine powerful MDM with a unique cloud-desktop approach. Whether ipad, iphone, Android, BlackBerry devices or PCs and Macs, all devices can be seamlessly, securely and efficiently integrated into the corporate IT environment as well as be professionally managed. Mobile Application Management (MAM) facilitates the management and administration of enterprise applications such as intranet and internet applications, as well as other apps. In addition apps can be recommended and cross-platform links to the respective app stores deployed to users. At the same time, employees benefit from mobile corporate access and thanks to full desktop capabilities, can work on the go with their mobile device just as productively as in a traditional office setting. The solution is complemented by a comprehensive security concept, which ensures maximum security and control on the mobile device, the server and during data transfer. Thanks to Cortado Corporate Server, Apple ios, Android and BlackBerry users can access through their smartphones or tablets information anytime and anywhere, documents can be viewed on site, copied, printed, faxed, ed or shared. A further option is the secure connection to the HTML5 client which can be established from any desktop while offering all the benefits of Cortado Corporate Server. The result is a complete solution for all mobility, bring your own device (BYOD) and consumerization challenges. Precondition The Installation and initial setup manual shows you how to install and initially configure Cortado Corporate Server. In this manual, you will learn how to configure Cortado Corporate Server and adjust it to the specific needs of your company. For further manuals see Page 133. You have already pre-configured Cortado Corporate Server with the Configuration Assistant (see Installation and initial setup manual, Page 133). However, before the user can use the full range of functions in Cortado Corporate Server, further steps are necessary. Overview management console From a workstation, open the following website: An HTML5-enabled browser is needed to this. Log in to the web-based configuration console of the Cortado server with the same user account (CortadoService account) used for the installation (Illus. 1). Cortado Corporate Server Configuration Manual 7

8 Introduction Illus. 1 Illus. 1 Login of the web based Cortado server s Configuration Console In the Cortado Console you can, amongst other things: import users and assign them certificates and policies assign predefined printers and drives enable Cortado functions make the Cortado app available on mobile devices assign apps to mobile devices block access to mobile devices that are lost delete company data from mobile devices reset factory settings on devices locate devices. Illus. 2 Illus. 2 Control panel of Cortado Corporate Server s Console: Overview 8 Configuration Manual Cortado Corporate Server

9 Preparatory work for MDM As an example of user management, we explain the Cortado Management Console, in which the user can manage, as well as other things, the devices, printers and certificates. You reach the CONTROL PANEL by clicking on CONTROL PANEL (right arrow in Illus. 2) and here you can select, for example, user management (USERS) (left arrow in Illus. 2). This opens the summary page of the Cortado Management Console (Illus. 3). It is divided into two display columns and two editing columns. In the first column, the items from the selected module are displayed, for example users, devices or certificates. If you highlight at least one of these items, there appear in the corresponding editing column (= second column), actions that you can carry out, e.g. import, add or remove. The data sets of those items selected in the first column are displayed in the third column, and these can, in turn, be edited in the fourth column. Illus. 3 Illus. 3 Cortado Management Console: User management (example) You can also select other aspects from the tabs in column three, e.g. NETWORK DRIVES, PRINTERS, SETTINGS. Preparatory work for MDM BlackBerry See the BlackBerry configuration manual (Page 133). Android In order that you are able to manage the devices of your Android users (MDM), it is necessary for them to enter the Cortado server, rather than the exchange server, as their mail server in the set up of their company accounts (Exchange Active- Sync account). Inform your users of this. They must enter the Cortado server address instead of the Exchange server address (Illus. 4). Tell the users this information. Once the Cortado server s address is set up, the users receive the automatically created configuration (see Page 92). Cortado Corporate Server Configuration Manual 9

10 Preparatory work for MDM Illus. 4 Illus. 4 Setting up the Exchange ActiveSync account (example for Android left and for iphone right) You can use the same account settings on the ios devices. So if for example, a device is lost, the account can be blocked (see Page 40). For how to do so, see the chapter First Steps Wizard on Page 96. Apple ios For mobile device management with ios devices you require, in addition to the already installed and configured Cortado components: an Apple issued Push certificate on the Cortado server (see below) an SCEP 1 server to automatically issue SSL certificates (see Illus. 5 and Page 17) 1 SCEP/NDES: Simple Certificate Enrollment Protocol and Network Device Enrollment Service 10 Configuration Manual Cortado Corporate Server

11 Preparatory work for MDM Illus. 5 Illus. 5 Mobile device management with Cortado and SCEP server Requesting and installing Apple Push certificates To use Apple ios mobile device management for Cortado, you must install an SSL certificate provided by Apple on your Cortado server. This certificate enables you to communicate securely with the Apple Push Notification Service. Before you can request an SSL certificate from Apple, you first have to run a Certificate Signing Request (CSR) on the Cortado server (see below). If your Cortado server wants to establish a connection to an ios device, it sends a notification to the device via the Apple Push Notification Service. This notification prompts a log on to the server. So no information is transmitted. The Apple Push Notification Service only wakes the device from hibernation, so that it can be logged on to the Cortado server. All configuration information, settings and requests go via an (encrypted) SSL connection directly from the Cortado server to the ios devices (Illus. 1). In order that your users' ios devices can communicate with the Cortado server, the devices must be registered there. Note! Please note that your network must also be prepared for Apple ios Mobile Device Management. Particularly Apple uses the following TCP ports: 80, 2195, 2196 and See table with Cortado ports on Page 126. More information about Apple can be found here: Cortado Corporate Server Configuration Manual 11

12 Preparatory work for MDM 1. For CSR, select: CERTIFICATES APPLE PUSH CERTIFICATE (Illus. 6 and 7) in the Cortado Management Console. Illus. 6 Illus. 7 Illus. 6 Control Panel: Select CERTIFICATES Illus. 7 Requesting a certificate from Cortado server 2. Click on GENERATE CERTIFICATE REQUEST (arrow in Illus. 7). 12 Configuration Manual Cortado Corporate Server

13 Preparatory work for MDM 3. Fill out the form (any text), and confirm with OK (Illus. 8). Illus. 8 Illus. 8 Fill out the request form 4. Click on DOWNLOAD CERTIFICATE REQUEST to save the certificate request (Illus. 9 and 10). Illus. 9 Illus. 10 Illus. 9 Saving the certificate request Illus. 10 Saved certificate request Cortado Corporate Server Configuration Manual 13

14 Preparatory work for MDM 5. Send this certificate request for signing by to: Your certificate request will then be signed by Cortado and sent back to you (Illus. 11). Illus. 11 Illus. 11 Signed certificate request received 6. Then go to the Apple website ( and log in using your Apple ID. Click on CREATE A CERTIFICATE (Illus. 12), select your signed certificate request, and upload it (Illus. 13). Shortly after, you can download your SSL certificate in.pem format (Illus. 14 and 15). Illus. 12 Illus. 13 Illus. 12 Create a certificate by using the request Illus. 13 Uploading a Cortado-signed certificate request 14 Configuration Manual Cortado Corporate Server

15 Preparatory work for MDM Illus. 14 Illus. 15 Illus. 14 Downloading the certificate Illus. 15 Push certificate downloaded from the Apple website 7. Using UPLOAD APPLE CERTIFICATE you can now upload your certificate onto the Cortado server (Illus. 16 and 17). Illus. 16 Illus. 16 Loading the Apple Push certificate onto the Cortado server Cortado Corporate Server Configuration Manual 15

16 Preparatory work for MDM Illus. 17 Illus. 17 Select certificate 8. Save a backup of the certificate in.pfx format with EXPORT APPLE PUSH CERTIF- ICATE (Illus. 18 and 19). With this version of the certificate, you can avoid future need for the procedure described above. Using IMPORT APPLE PUSH CERTIFICATE you can install it again anytime onto the Cortado server. Illus. 18 Illus. 18 Installed push certificate save backup copy Illus. 19 Illus. 19 Apple Push certificate backup copy saved 16 Configuration Manual Cortado Corporate Server

17 Preparatory work for MDM SCEP server installation The following steps can serve for a Proof of Concept (because the installation of a Standalone CA is desribed here). For productive environments we recommend the use of descriptions from Microsoft instead (because the installation of an Enterprise CA is desribed there). 1. If possible, select a new server 2 to install as SCEP server (recommended: Windows Server 2008 R2 Enterprise). This server must be accessible for ios devices and be located in the same domain as the Cortado server. 2. Set up a local user account 2 (here: NDESadmin), and include it in the Certificate Service DCOM Access, Cryptographic Operators and IIS_IUSRS groups (Illus. 20). Illus. 20 Illus. 20 Create local user account and include in three groups 2 If you are using two certificate servers (which is recommended in productive environments), use a domain account (domain user) instead of a local user account. Log on as a domain administrator once onto the SCEP server. Then open the Certificate Templates snap-in in the MMC as shown in Illus. 32 on Page 24. Cortado Corporate Server Configuration Manual 17

18 Preparatory work for MDM 3. Open the Server Manager, and add the role ACTIVE DIRECTORY CERTIFICATE SER- VICES (Illus. 21). Illus. 21 Illus. 21 Add ACTIVE DIRECTORY CERTIFICATES SERVICES role 4. Select CERTIFICATION AUTHORITY as role service (Illus. 22). Illus. 22 Illus. 22 Select role service CERTIFICATION AUTHORITY 18 Configuration Manual Cortado Corporate Server

19 Preparatory work for MDM 5. Select the setup type STANDALONE (Illus. 23). Illus. 23 Illus. 23 Select setup type STANDALONE 6. Select CREATE A NEW PRIVATE KEY in the SET UP PRIVATE KEY menu (Illus. 24). Illus. 24 Illus. 24 Select CREATE A NEW PRIVATE KEY Cortado Corporate Server Configuration Manual 19

20 Preparatory work for MDM 7. Select MICROSOFT STRONG CRYPTOGRAPHIC PROVIDER in the CONFIGURE CRYPTO- GRAPHY FOR CA menu (Illus. 25). Illus. 25 Illus. 25 Select MICROSOFT STRONG CRYPTOGRAPHIC PROVIDER 8. Accept the suggested default values in all the remaining windows and start the installation by clicking on INSTALL (Illus. 26). Illus. 26 Illus. 26 Begin installation of the ACTIVE DIRECTORY CERTIFICATE SERVICES role 20 Configuration Manual Cortado Corporate Server

21 Preparatory work for MDM 9. Then select NETWORK DEVICE ENROLLMENT SERVICE as an additional service of the same role (Illus. 27). Illus. 27 Illus. 27 Add NETWORK DEVICE ENROLLMENT SERVICE 10. Assign the user account (here: NDESadmin) that you created above (Illus 20 and 28). Illus. 28 Illus. 28 Enter NDESadmin as user Cortado Corporate Server Configuration Manual 21

22 Preparatory work for MDM 11. As before, accept the suggested default values in all the remaining windows, and start the installation by clicking on INSTALL (Illus. 29). Illus. 29 Illus. 29 Start installation of the role service NDES 12. Note that the following registry key must be set to 1 (default): hkey_local_machine\software\microsoft\cryptography\mscep\enforcepassword\enforcepassword (Illus. 30) Confirm with OK. Illus. 30 Illus. 30 Set registry entry EnforcePassword at 1 22 Configuration Manual Cortado Corporate Server

23 Preparatory work for MDM 13. In the Microsoft Management Console (MMC), open the snap-in CERTIFICATION AUTHORITY. In the properties of the CA (certificate authority), select: POLICY MOD- ULE PROPERTIES FOLLOW THE SETTINGS IN THE CERTIFICATE TEMPLATE, IF APPLI- CABLE. OTHERWISE, AUTOMATICALLY ISSUE THE CERTIFICATE (Illus. 31). Confirm with OK. Illus. 31 Illus. 31 Select... AUTOMATICALLY ISSUE THE CERTIFICATE Cortado Corporate Server Configuration Manual 23

24 Preparatory work for MDM 14. Then, in the properties of the CA (snap-in CERTIFICATION AUTHORITY) select the tab SECURITY and add the account with which you installed the Cortado Corporate Server software i.e. the recommended CortadoService and give it the permission MANAGE CA (Illus. 32). Illus. 32 Illus. 32 Add CortadoService account and select Manage CA [Alternatively for Enterprise CAs, set the following as the domain admin: In the MMC, switch to the snap-in CERTIFICATE TEMPLATES, and add the account (Illus. 20) created above to the template IPSEC (OFFLINE REQUEST), and give it the permission ENROLL. (Illus. 33).] 24 Configuration Manual Cortado Corporate Server

25 Preparatory work for MDM Illus. 33 Illus. 33 [for Enterprise CAs: Add user account NDESadmin to the certificate template IPSEC (OFFLINE REQUEST)] 15. Restart first the certificate authority and then the IIS. 16. In the browser (IE) go to the following address: (e.g.: Authenticate yourself with the login details for the CortadoService account. The thumbprint of the root certificate and a challenge password are displayed here (Illus. 34). Illus. 34 Illus. 34 Network Device Enrollment Service in your browser Cortado Corporate Server Configuration Manual 25

26 Preparatory work for MDM The challenge password is generated by the server and is only valid for a limited time. The Cortado server accesses the above URL and enters the password into the MDM profile, as it delivers it to the ios device. The user can't install the same profile more than once. As soon as the step ENROLLING CERTIFICATE is completed on the ios device, the password expires. The number of challenge passwords that can be valid simultaneously, and the duration of their validity, is limited by the server. To change these values, you can enter the following registry keys: HKLM:Software\Microsoft\Cryptography\MSCEP\PasswordValidity\Password- Validity (DWORD: validity of the password in minutes) HKLM:Software\Microsoft\Cryptography\MSCEP\PasswordMax\PasswordMax (DWORD: number of simultaneously valid passwords) 17. In the Cortado Management Console, select: CONTROL PANEL GLOBAL SETTINGS CONFIGURE CORTADO PUSH SERVER (Illus. 35). SCEP SERVER URL: Enter here the URL for MSCEP.DLL in the newly installed SCEP server: Example for Microsoft SCEP server: SCEP SERVER CHALLENGE URL: Enter here the URL, from which the challenge password will be read: (Example: SCEP SERVER CHALLENGE PATTERN: This is a search pattern for retrieving the challenge passwords. Keep the default values. Confirm with OK. Illus. 35 Illus. 35 Register SCEP server in Management Console 26 Configuration Manual Cortado Corporate Server

27 User access Note! Please check, if the root certificate of the NDES server is located in the Trusted Root Store of the Cortado server. User access Via the Cortado app and the HTML5 client you can enable your users to access network drives and use various file options (printing, faxing, edit, export etc.). Learn how to assign all those options to the users after the following short survey of the user access. Via Apple ios, Android and BlackBerry The Cortado app is available for Apple-iOS-, Android-OS- and BlackBerry-OS devices (Illus. 36). After installation and configuration of the App in the User Self Service Portal (see Page 96) all enabled options are available for the users (see Page 39). Illus. 36 Illus. 36 Cortado app: start page on different mobile devices: (from left to right: Apple iphone, Android, BlackBerry) User guides for the Cortado apps on mobile devices can be found on our website under SUPPORT GUIDES & MANUALS CORTADO CORPORATE SERVER USER GUIDES. HTML5 Client With the HTML5 client, users are able to access shared corporate network drives, to edit files and folders, from any HTML5 supporting browser 3. The HTML5 client is accessible via following link: (exam- Cortado Corporate Server Configuration Manual 27

28 User access ple: This link is part of the welcome (Page 92). Note! If your Cortado server uses a self-signed certificate (created from Cortado during installation) or an existing, but self-created certificate, The users will see a warning message in the browser when following this link for the first time. They can ignore this message by ciicking on CONTINUE TO THIS WEBSITE. Alternatively use a certificate from a Certification Authority. Users may utilize all options you assigned for them via the HTML5 client (Page 39). A user guide for the HTML5 client can be found on our website under SUPPORT GUIDES & MANUALS CORTADO CORPORATE SERVER USER GUIDES. Illus. 37 Illus. 37 Login to HTML5 client 3 For example: Safari v5.1.2 or later, Internet Explorer v9 or later, Firefox v8 or later, Google Chrome v16 or later. 28 Configuration Manual Cortado Corporate Server

29 User Management User Management User Import To enable users for Cortado, open CONTROL PANEL USERS the following window will open (Illus. 38): Illus. 38 Illus. 38 Starting the import wizard To import the users, click on the plus sign (arrow in Illus. 38), the IMPORT WIZ- ARD will start (Illus. 39). Defining import source Here you will chose the source from which the users should be imported 4 : Illus. 39 Illus. 39 Selecting import source ACTIVE DIRECTORY We recommend this type of data import for environments in which Apple or Android devices are in use or in environments in which BlackBerry devices communicate via BIS (when no BES server is available). For more, see Import from Active Directory, Page 30). 4 To import users from different sources, just start Import Wizard several times Cortado Corporate Server Configuration Manual 29

30 User Management COMMA SEPARATED VALUE (CSV) FILE The users to be imported can be read from a.csv file you have created. This type of data import can be used as an alternative to Active Directory import. Under Import from.csv file (Page 31) you will learn which additional settings to make for the data import. Information on creating a.csv file can be found in the appendix (Creating a.csv file for importing users, Page 111). BLACKBERRY CONFIGURATION DATABASE You can select this option in either a pure BES environment or one for your BlackBerry users. Here the BlackBerry users are selected from the BES database. Read more on this in the BlackBerry configuration manual, Page 133. Note! Importing user data uses one Cortado Corporate Server user license per user. Installing the Cortado Corporate Server automatically installs five demo licenses. The licenses are for user and devices, so every access to the Cortado server by either a device or the HTML5 client, uses up one license. In the Licensing documentation, you will find details about license activation and update subscription (Page 133). Import from Active Directory If you have selected ACTIVE DIRECTORY as the import source (Illus. 39), another window opens, in which you can select a domain where the desired users will be found. Click to mark the desired domain (Illus. 40). If you enable the checkbox in front of the domain name (left arrow in Illus. 40) and then click on NEXT all existing users will be displayed in the next window. Alternatively, if you click on the small arrow on the right (right arrow in Illus. 40) you will go to any existing subfolders. Illus. 40 Illus. 40 Selecting domain 30 Configuration Manual Cortado Corporate Server

31 User Management Now the users selected to be imported are displayed (Illus. 41). Illus. 41 Illus. 41 Users that can be imported from the AD Proceed as described in Selection of users and Import on Page 32. Import from.csv file If you have selected COMMA SEPARATED VALUE (CSV) FILE as the import source, the window in Illus. 42 opens. Illus. 42 Illus. 42 Selecting.csv file For how to create a.csv file, refer to the appendix on Page 111. Cortado Corporate Server Configuration Manual 31

32 User Management Via SELECT FILE (left arrow in Illus. 42) you specify the path and file name of the previously created.csv file (Illus. 43). Illus. 43 Illus. 43 Select.csv file Then click OPEN (arrow in Illus. 43). Afterwards click LOAD FILE (right arrow in Illus. 42). Now the users selected to be imported are displayed (Illus. 44). Illus. 44 Illus. 44 Users that can be imported from the.csv file Selection of users and Import In Illus. 41 and Illus. 44 the selected users from the AD, or else the.csv file are displayed. Decide whether all or only certain users are to be imported. To do so, place a checkmark by the corresponding users, or select all users (left arrow in Illus. 45). 32 Configuration Manual Cortado Corporate Server

33 User Management Illus. 45 Illus. 45 Selecting users Then click IMPORT (right arrow in Illus. 45). Illus. 46 Illus. 46 Users successfully imported (green dot) If a user has been successfully imported, a green dot appears in the status column. (upper arrow in Illus. 46). In addition, the information bar at the bottom of the window (lower arrow in Illus. 46) displays the number of imported users. If the user could not be imported because, for example, no licenses are available, a red dot is displayed. If you roll over it with the mouse, the corresponding error message will be displayed. (Illus. 47). Cortado Corporate Server Configuration Manual 33

34 User Management Illus. 47 Illus. 47 Users not imported (red dot) When you close the Import Wizard, the successfully imported users will be listed in user management (USERS) (Illus. 48). They are now enabled for use by Cortado Corporate. Illus. 48 Illus. 48 Imported users in user management (USERS) When there are a large number of users, it is recommended to use PowerShell for the import (see Page 130). How to assign users with various drives is explained under Configure network drives (Page 35). In chapter User settings you will find information on special changes in the user management (Page 39). How to make additional printers available to the users is explained under Mobile printing (Page 43). How you can manage your users' devices, read under Managing devices (Page 56). Read how to manage your users' certificates under Managing certificates (Page 76). How you use Cortado Corporate together with Personal Printing Essentials, read under Personal Printing (Page 98). 34 Configuration Manual Cortado Corporate Server

35 User Management User Configuration Overview Now under CONTROL PANEL USERS, you can further configure and manage settings of the successfully imported users. Illus. 49 Illus. 49 User management with various actions (example: user1) The following options are available if you have marked at least one user (Illus. 49): REMOVE: Here you can remove selected user from Cortado user management. In doing so, the user will not be deleted from AD. The license previously used by this user is then immediately free and can be made available for another user. GET SETTINGS: With this action, you can assign to a user, another user s settings (network drives, printers, settings, max device count, apps, intranet apps and policies). SEND With this action, users will be sent a welcome . It contains important informations for the users. There is more on this in the chapter Sending Welcome (Page 90). SET MAX DEVICE COUNT: By default, one device per user is designated. You can increase that number here. If a user logs in with another device, he will be denied access to the Cortado app. Note! We recommend that the number of devices per user (MAX DEVICE COUNT) should always be set a bit higher than the number of devices available. This is because devices are occasionally listed twice, for instance if a user started the configuration twice. You can consolidate the duplicate devices later (see Page 61). Configure network drives The users can directly access shared folders on the company network using their Cortado app. The user s access rights are completely carried over from the AD. So that the user can see a shared drive in their Cortado app, create an AD group for Cortado users (type: global, example: CORTADO USERS) an. Share the drive for this group (see PROPERTIES SHARING) and grant FULL CONTROL (see Illus. 50, left). Add the same group also to PROPERTIES SECURITY. Grant at least reading rights (see Illus. 50, right). Cortado Corporate Server Configuration Manual 35

36 User Management Illus. 50 Illus. 50 Minimum share rights of a drive for user access The shared network drives will be shown to the users on their mobile devices (or in HTML5 client) under HOME DRIVE (Illus. 55). Caution! With drive-access users can access your company data with their mobile devices. Please calculate a potential security risk. To give users access to network drives, mark one or more users in User Management (USERS) (arrow in Illus. 49). Then select under NETWORK DRIVES ADD in the context menu (arrow in Illus. 51). Illus. 51 Illus. 51 Managing network drives Assign drives Enter the drive name under LABEL (freely selectable, see Illus. 52, right) and under PATH specify the path to the desired share. Alternatively you can enter a drive letter. Note the following notation style: S_ (see arrow in Illus. 52, right). 36 Configuration Manual Cortado Corporate Server

37 User Management Illus. 52 Illus. 52 Add network drive (example - left: drive name, right: drive letter) Repeat the procedure for all desired network drives. If the users have a Home Folder (Home Directory) in the AD, it can also be made available. For this purpose, enter one of the following variables under PATH: %HOMEDIR% (for home folder in Active Directory), %USERUPN% (for UPN) or %USERNAME% (for Sam-Account-Name) (Illus. 53). Illus. 53 Illus. 53 Add Home Folder (Example) These network drives are now displayed with network path and the corresponding drive label under USERS NETWORK DRIVES (Illus. 54). Illus. 54 Illus. 54 Network drives of user1 (example) Cortado Corporate Server Configuration Manual 37

38 User Management The users now have the configured drives available in the Cortado app on their mobile devices (Illus. 55). Illus. 55 Illus. 55 Network drives under HOME DRIVE on iphone (example) Editing shared drives EDIT: If you want to make changes to a shared drive, highlight it and click EDIT (Illus. 56). REMOVE: If you want to delete a shared drive, highlight it and click REMOVE (Illus. 56). Illus. 56 Illus. 56 Created network shares displayed User Storage Directories created in this way can now be found again in the root directory of the Cortado Corporate Server (here: C:\User Storage, see Illus. 57). Illus. 57 Illus. 57 User directories in the User Storage 38 Configuration Manual Cortado Corporate Server

39 User Management In the Cortado Corporate Server s USER STORAGE, one folder per user is created with the shared AD network drives. Note! If you later change the path to the user storage (for example, while running the Configuration Assistant again), the network drives defined here will be lost. Furthermore, a personal folder (MY DOCUMENTS) is provided for each user on his mobile device (see Illus. 55). The files which were stored there will also be stored in the respective user folders in USER STORAGE on the Cortado server (Illus. 57 and Illus. 87). User settings To configure the users' access rights of the users, highlight one or more users in the user management (CONTROL PANEL USERS, left arrow in Illus. 58). Then select SETTINGS EDIT in the context menu (right arrow in Illus. 58). Illus. 58 Illus. 58 Edit user settings Cortado Corporate Server Configuration Manual 39

40 User Management Now you can make changes to the default rights settings for the selected users. By default all the settings are checked, except for REPORT GPS DATA, FORCE OFFLINE PASSWORD and FORCE DOWNLOAD AS PDF (Illus. 59). Illus. 59 Illus. 59 Default user settings General Account enabled. By removing this checkmark, you deny the users access to the company drives via the Cortado app. (see Illus. 60). Illus. 60 Illus. 60 Access denied to HOME DRIVE(S) (corporate drives) on the iphone Microsoft Exchange. By removing this checkmark, you deny the users the use of Microsoft Exchange, provided that in the configuration of the Exchange account on the mobile device, the name of the Cortado server, rather than the Exchange server is specified (see Page 9). This has the advantage that if the device is lost or stolen, the account of the user can be blocked on the mobile device. 40 Configuration Manual Cortado Corporate Server

41 User Management Report GPS data. With a checkmark placed here, the GPS data can be used to help locate a mobile device (see the selection Locate a device (Locate) on Page 59). Password You can choose here from two options: Force offline password 5. If this option is enabled, the user may not save the password for the Cortado app (see Illus. 61, left). Additionally, he must, even in offline mode, enter the password to gain access to the Local and the Secure drive 6 of the cortado app. Allow local password storage. If this option is enabled, the user may save the password for the Cortado app. (see Illus. 61, right). Illus. 61 Illus. 61 Left: Password entry necessary at each opening of the Cortado app; right: Option REMEMBER PASSWORD activated (iphone) Caution! Storing passwords holds a security risk. If a mobile device gets lost unauthorized persons can access company data. Allowed features Display network drives. By removing this checkmark, you deny the users access to the company's shared network drives (see the chapter Network drives on Page 36). Furthermore, you can withdraw other rights from users to use and edit files located there: 5 When reconfiguring the Cortado app on an ios device (such as when passing the device on to another user), local files are only deleted when this option is enabled. 6 The protected drive is only available for Android devices OS 4 or later Cortado Corporate Server Configuration Manual 41

42 User Management Send files by Allows the sending of files by (see Illus. 62, left). Delete files: Allows deleting of files (see Illus. 62, left). Upload files to Cortado server: Allows the uploading of files to the Cortado server. Please note, that if you eliminate this option for users, they can no longer save s or attachments on the company server. Furthermore, the users can neither print nor fax files stored only on the mobile device. The file will first need to be uploaded onto the server. Download files from Cortado server: Allows the downloading of files from the Cortado server. Force download as PDF: If this option is enabled, downloaded files will only be displayed in PDF format. Files such as.txt or.zip files, won't be downloaded. Preview: Allows a preview of a file to be created. (see Illus. 62, left, icon: eye). Export files: Allows exporting files in ZIP or in PDF format. (see Illus. 62, left). Auto Up-/Download 7 : By removing this checkmark, you prevent the users from receiving automatic folder and file updates (see Illus. 62, right). Note! For Android users to be able to use the Auto Up/Download feature, password saving must be allowed. Fax. By removing this checkmark, you prevent the users from sending files via fax. (see Illus. 62, left). (You'll find more information on faxing in the manual Installation and initial configuration, see Page 133). Printing. By removing this checkmark, you prevent the users from printing files (see Illus. 62, left, icon: printer). Wi-Fi printing: By removing this checkmark, you prevent the users from searching for printers via Wi-Fi. Illus. 62 Illus. 62 Left: various file options, right: Auto Download folder (Cortado-App on Android device) 7 The feature Auto Up-/Download is currently available for Android devices only. 42 Configuration Manual Cortado Corporate Server

43 Mobile printing Secure browser. By removing this checkmark, you prevent the users from making use of SECURE BROWSERS (see Illus. 63, left). This browser is for intranet apps (see Page 72). Embedded browser 8. By removing this checkmark, you prevent the users from making use of the internet browser integrated into the Cortado app. (see Illus. 63, right). Illus. 63 Illus. 63 SECURE BROWSER (left) and integrated default browser (right) in the Cortado app on an iphone Account directory So long as only one user is selected (Illus. 58, left arrow) you also have the option, under ACCOUNT DIRECTORY (Illus. 59) to change the path to the user directory (User Storage) of that user. If more than one user is selected, this path can only be changed by running the Configuration Assistant again (see the chapter User Storage on Page 38). Mobile printing Without any further setup on the server, smartphone users have access to direct printing, within the company and also when outside. With the Cortado app on the mobile device, printers can be searched for locally, i.e. printers that can be found in the same network (Wi-Fi). These can then be printed to via Wi-Fi (see Illus. 64). Furthermore a connection to a Bluetooth 9 printer can be established via the Cortado app. 8 This feature is available for ios users only. 9 Bluetooth printing is for BlackBerry and Android devices only. Cortado Corporate Server Configuration Manual 43

44 Mobile printing Illus. 64 Illus. 64 Via Wi-Fi or Bluetooth detected printer (example for Android device) Universal drivers are installed on the server with the Cortado installation, allowing problem free printing to most printers. A precondition is that during installation, the checkmark has not been removed from the checkbox DOWNLOAD DEFAULT PRINTER DRIVERS (see Installation and initial setup manual). If a special driver or a particular printing function is required, install the necessary original drivers as well on the Cortado server. Without these drivers, the universal driver will always be used, even when mobile users select the original driver from the list. If you install original drivers for certain printers, they will be used instead of the universal drivers. User guides for the Cortado app on mobile devices can be found on our website under SUPPORT GUIDES & MANUALS CORTADO CORPORATE SERVER USER GUIDES. Assigning predefined printers In addition to the option described above, you can relieve the users from printer searching. Specific users can be allocated printers, which will display immediately on the mobile (Illus. 65). The advantages: printer searching on the mobile is no longer required network and AD printers can be predefined it can store printer templates with specific settings and drivers that facilitate Bluetooth or Wi-Fi printing 44 Configuration Manual Cortado Corporate Server

45 Mobile printing Illus. 65 Illus. 65 Preset printers (example for Android device) How to print? The Cortado server prints directly onto the network printers. The mobile device only initiates the print job; the rendering is done on the Cortado server or a print server. Using printers outside the company network (via Wi-Fi or Bluetooth), the print data that was rendered on the Cortado server is forwarded to the printer via the mobile device. This ensures that the print data is always rendered with the preferred driver and prints in original format. See also the scenarios on pages 50 to 51. You can search here for the following printers: printers listed in the AD: Active Directory, Page 47 printers shared on a print server: Single print server, Page 48 printers shared on a print server: Single printer, Page 48 (network) printers installed on Cortado server: Server-attached printer, Page 49 Printer templates created on the Cortado server: Mobile printer, Page 50 Pre-setting printers on the server 1. In CONTROL PANEL USERS, select the tab PRINTERS (Illus. 66, top arrow) and select the users for whom you want to set printers. 2. Select PRINTERS ADD on the right (Illus. 66, bottom arrow). Illus. 66 Illus. 66 Add printers for one or more users Cortado Corporate Server Configuration Manual 45

46 Mobile printing 3. The following dialog opens (Illus. 67). Illus. 67 Illus. 67 ADD PRINTER dialog Assigning Network printer If you click NETWORK PRINTER (Illus. 67), you can select following shared printers (Illus. 68): Illus. 68 Illus. 68 ADD PRINTER dialog Shared printer Under SHARED PRINTER you will find the following printer (Illus. 69): 46 Configuration Manual Cortado Corporate Server

47 Mobile printing Illus. 69 Illus. 69 SHARED PRINTER dialog Active Directory printer. If you select ACTIVE DIRECTORY in Illus. 69 you will find the printers listed in the AD. Their print jobs are sent from the print server to the network printer (Illus. 70). Illus. 70 Illus. 70 Shared Printer: Print jobs are rendered on the print server, where the drivers are installed and sent to the network printer (blue arrow) The AD printers appear when NETWORK PRINTER SHARED PRINTER ACTIVE DIREC- TORY is selected (see Illus. 71). Enable the checkbox of your preferred printers and confirm with ADD and CLOSE. Illus. 71 Illus. 71 Select printers in AD shared Cortado Corporate Server Configuration Manual 47

48 Mobile printing The AD printers selected here will be assigned to the selected users as their preferred printers (see Illus. 72). Requirement: The option LIST IN DIRECTORY has already been enabled on the print server for each printer share. Illus. 72 Illus. 72 AD printers on the mobile device (example for Android) Single print server. If you select SINGLE PRINT SERVER (Illus. 69 on Page 47) you can allocate the shared printers of a print server to users, even if the printers aren't listed in the AD. The print server prints also to the network printer (see Illus. 70). After selecting NETWORK PRINTER SHARED PRINTER SINGLE PRINT SERVER, you can enter the name of the print server directly (Illus. 73). Illus. 73 Illus. 73 Searching for shared printers: enter the print server name All the shared printers appear. Select the preferred printer shares and confirm with NEXT, ADD and CLOSE (Illus. 74). Illus. 74 Illus. 74 Selecting shared printers 48 Configuration Manual Cortado Corporate Server

49 Mobile printing The shared printers selected here will be assigned to the selected users as their preferred network printers (see Illus. 75): Illus. 75 Illus. 75 Shared printer on mobile device (example for Android) Single printer. Under Single printer (Illus. 69 on Page 47) you can allocate the shared printers of a print server to users, even if the printers aren't listed in the AD. Here, printing will also go from the print server to the network printer (see Illus. 70). Unlike with the option SINGLE PRINT SERVER, here you can enter a direct path to the printer share. If you select NETWORK PRINTER SHARED PRINTER SINGLE PRINTER, you can enter the path to the printer share (Illus. 76). Illus. 76 Illus. 76 Enter the path to the printer Confirm your entry with ADD. Close the confirmation message with CLOSE. This assigns the printer share to the selected users as preferred network printer (see Illus. 75 on Page 49). Note! All printer drivers of network printers that should be used by users on their end devices must be installed on the Cortado Corporate Server. It is enough to manually connect as an administrator from the Cortado server with the relevant network printer (\\servername\sharename). This installs the driver automatically or you will be prompted to select the appropriate driver. Server-attached printer (TCP/IP, USB) These printers appear when NETWORK PRINTER (Illus. 67) SERVER-ATTACHED PRINTER is selected. Furthermore, you can assign users with printers that were created on the Cortado server and which print via Windows provided printing ports, such as Standard TCP/IP port including the Personal Printer (see the chapter Personal Printing, Page 98). Here, Cortado server prints directly to the printer (Illus. 77). Cortado Corporate Server Configuration Manual 49

50 Mobile printing Illus. 77 Illus. 77 Server-attached printer: Printing with printers created on Cortado server, directly to the printer (blue arrow) All printers created locally on the Cortado server that are not connected to a CORTADO PRINT PORT are now displayed (Illus. 78). Select the relevant printer and click ADD to confirm. Illus. 78 Illus. 78 Server-attached printer: Select printers on the Cortado server These printers appear on the mobile device as NETWORK PRINTERS (see Illus. 79). Illus. 79 Illus. 79 Server-attached printer on mobile device (example for Android device) Assigning mobile printer (Wi-Fi, Bluetooth) 10 MOBILE PRINTER is particularly suitable for printers outside the company, and with which the user is already familiar 11. MOBILE PRINTER (WI-FI, BLUETOOTH) (Illus This option is available for Android and BlackBerry devices.only 50 Configuration Manual Cortado Corporate Server

51 Mobile printing on Page 46) are printers that can be accessed by the mobile device via Bluetooth or WiFi, and for which preferences can be set on the server, using printer templates. You can then print from the Cortado server via the mobile device (Illus. 80, blue arrows). Illus. 80 Illus. 80 Mobile Printer: Printing from Cortado server via the mobile device with Wi-Fi or Bluetooth For printing via Bluetooth and Wi-Fi universal drivers were installed during the installation routine. If you use printers which need special drivers or on which you wish to make settings (color, duplex...), these still have to be set up on the Cortado server. First create the desired printer in the Cortado server s Printers folder and attach it to a CORTADO PRINT PORT (example in Illus. 81). Illus. 81 Illus. 81 Connecting a printer to Cortado Print Ports 11 For unknown printers, we recommend instead, the printer search integrated into the app on the mobile device, where a suitable driver is selected manually. Cortado Corporate Server Configuration Manual 51

52 Mobile printing If you assign specific properties to the newly created printer objects (for example duplex printing) these will then be transferred. The user that selects thus printer object on his/her mobile device will then also be able to print in duplex format. Enable the function ENABLE PRINTER POOLING and confirm with APPLY (arrow in Illus. 82). So you can attach a printer to more than one CORTADO PRINT PORT and thus it s not necessary to create an own printer port for each printer. Illus. 82 ILLUS. 82 ENABLE PRINTER POOLING The printer objects set up (in) this way will be displayed in MOBILE PRINTER (WI-FI, BLUETOOTH) (see Illus. 67 on Page 46) and can be assigned to the users. Illus. 83 Illus. 83 Select shared printers 52 Configuration Manual Cortado Corporate Server

53 Mobile printing Users select on the Android or BlackBerry device this printers in PRESET PRINTERS (Illus. 84 left). Illus. 84 Illus. 84 Shared printers on the mobile device (example for Android) Removing printers For each user, the assigned printers will be displayed in the light gray field. To delete a printer (or rather, its assignment to a user), select the user first, and then the printer or printers (check box). Then click on REMOVE on the right (arrow in Illus. 85). Illus. 85 Illus. 85 Remove predefined printer for selected user Target folders for print jobs Some printers of ThinPrint Server Engine and Personal Printing store their jobs automatically to the Cortado server s User Storage. So, the users can view or print the respective files with their mobile devices (see also Illus. 86): Personal Printer (from Personal Printing, see Page 111) Print-to-Cloud (from Personal Printing or ThinPrint Server Engine, see the ThinPrint Server Engine manual, Page 133) Print-to-ePaper (from Personal Printing or ThinPrint Server Engine Cortado Corporate Server Configuration Manual 53

54 Mobile printing Illus. 86 Illus. 86 Cortado server s printers folder (example) The jobs of the following printers are sent directly to the user s subfolders.print and.printvp (cp. Illus. 87): Printer Subfolder in the user s directory Displayed in the Cortado app Personal Printer.print Print-to-Cloud.print Print Jobs Print-to-ePaper.printVP epaper Further subfolders are:.mail (mail attachments and bodies, Page 111).proxy (Intranet apps, Page 72).tpm (configuration files for Cortado Explorer, see User Self Service Portal manual, Page 133) Illus. 87 Illus. 87 User Storage and the respective Cortado app menu 54 Configuration Manual Cortado Corporate Server

55 Mobile printing You can create printer objects of the type Print-to-Cloud and Print-to-ePaper either on a print server (see the manual ThinPrint Server Engine, Page 133) or directly on the Cortado server. On the Cortado server add an Output Gateway printer manually in the printers folder, name it Print-to-Cloud or Print-to-ePaper and connect it to a new Print-to-Cloud port, which is configured for Print-to-Cloud or Print-to-ePaper respectively (see Illus. 88). Illus. 88 Illus. 88 Print-to-Storage Port with Print-to-Cloud printer on the Cortado server Policies Under CONTROL PANEL POLICIES you can create policies for individual users, e.g. allocating devices (see chapter Managing Policies on Page 85). Under CONTROL PANEL USERS POLICIES you can get an overview of which policies are assigned to which users (Illus. 89). You also have the option here to assign policies to more users. Illus. 89 Illus. 89 USERS POLICIES: a policy assigned to a user Cortado Corporate Server Configuration Manual 55

56 Managing devices For this, you select the desired user (left arrow in Illus. 90) and click on ASSIGN POLICY (right arrow in Illus. 90). Now all available policies are displayed. Select one or more and confirm with OK. Illus. 90 Illus. 90 Unter CONTROL PANEL POLICIES assigning an established policy to more users Managing devices Device information (Details) In device management you can manage the devices of Cortado users (Illus. 91). Select CONTROL PANEL DEVICES. All the devices which have been imported via user management (see menu USERS, Page 29) will be displayed. For BlackBerry users, these appear immediately after the user was imported from BES. For Android and Apple devices, interaction on the mobile device is first required: For Android, the account has to be switched over to Cortado and for Apple the MDM profile must be downloaded. 12 Then the devices appear here automatically, in the device manager (on the left in Illus. 91). 12 see the user guide for User Self Service Portal on the Cortado website 56 Configuration Manual Cortado Corporate Server

57 Managing devices Illus. 91 Illus. 91 DEVICES DETAILS: Android device information, including user Device functions Device protection (Lock Screen+ Wipe) If a device has been lost or stolen, you have the options to (Illus. 92): Illus. 92 Illus. 92 Device functions (ios): REMOVE, LOCK SCREEN, CLEAR PASSCODE, WIPE and LOCATE Note! The options LOCK SCREEN, CLEAR PASSCODE and LOCATE are only available on ios devices if you are using Apple Mobile Device Management (see Page 10). Cortado Corporate Server Configuration Manual 57

58 Managing devices LOCK SCREEN (ios only) Screen will be locked (see Illus. 93, left), and can only be unlocked again with a Passcode (see Illus. 93, right), provided that the device is protected with a password. WIPE FULL Delete all data from the device (= restored to factory settings) WIPE PARTIAL (Cortado app only, ios and Android only) Deny access to company drives (HOME DRIVE(S), see Illus. 94). Delete data in LOCAL DRIVE (ios) and SECURE DRIVE (Android). All other data stored locally on the device (or on SD cards) will be retained. Note! On Android devices, no data will be deleted from the LOCAL DRIVE. So make sure that sensitive data is always stored on SECURE DRIVE. Illus. 93 Illus. 94 Illus. 93 LOCK SCREEN: Screen is locked (left), to unlock a passcode must be entered (right) (option is available only for ios devices) Illus. 94 WIPE PARTIAL: Drives in the Cortado app (left); access to corporate drives (HOME DRIVES) is not possible after partial wipe (right). Example on Android device. 58 Configuration Manual Cortado Corporate Server

59 Managing devices Clear Passcode - ios only If the user forgets the passcode for his ios device, you can remove it with a click on CLEAR PASSCODE (Illus. 92). After that the device can be used without a passcode. Remove a device (Remove) With REMOVE (top arrow in Illus. 92) the device is deleted from the database. It makes sense to clean up the Cortado database if devices are located there, that no longer exist, or that have a new user. If a device is deleted with REMOVE but still has, or establishes, an active connection with the Cortado server, it will be added to the list again after a few minutes. If you want to delete data from the device, use WIPE instead (see above). Note! A device must removed here if an ios user has removed the MDM profile from her/his device. In this case, remove the device here and ask the user for rerunning the First Steps Wizard (Page 96). Illus. 95 Illus. 95 Deactivated Cortado app on the iphone Locate a device (Locate) If a mobile device has been lost or stolen, you can discover its current location via LOCATE (bottom arrow in Illus. 92). This is providing that the option REPORT GPS DATA has been enabled for the selected device in CONTROL PANEL USERS SETTINGS (Page 39). Cortado Corporate Server Configuration Manual 59

60 Managing devices Illus. 96 Illus. 96 Device located at Cortado AG by the river Spree Select a device on the left. The LOCATE button (Illus. 92) only appears if the device is turned on as well as GPS and with Android Google s Location Service is enabled on the device. For ios devices it is important to note that at SET- TINGS PRIVACY LOCATION SERVICE CORTADO, the location service is enabled (arrow in Illus. 97). Additionally, the Cortado app must be restarted, after enabling the location service on the ios device. The Cortado ball icon is displayed on the map, at the location where the mobile device is currently located (Illus. 96). Illus. 97 Illus. 97 Activated location service of the Cortado app on an iphone 60 Configuration Manual Cortado Corporate Server

61 Managing devices Merging multiple-displayed devices (Merge) If a device shows two listings, for example if a user has run the configuration twice, you can checkmark both devices (Illus. 98 left arrow) and merge them with MERGE (right arrow), so the device is again displayed only once in the list. Caution! If your Cortado server requires a client certificate for the https communication to the end devices (Illus. 135) and for this purpose you distributed a global certificate to all devices (Page 83), after merging devices you must reimport the client certificate (Illus. 138) and the users must rerun the First Steps Wizard (Page 96). Illus. 98 Illus. 98 Merge twice-listed devices merged Applications (Apps) In the APPS tab, you can see the apps that are installed on the selected devices (Illus. 99). For how to add more apps to devices, read Adding new apps (Page 69). Illus. 99 Illus. 99 DEVICES APPS: applications installed on an Android device Policies Under CONTROL PANEL POLICIES you can create policies and allocate to individual users or devices (see chapter Managing Policies on Page 85). Cortado Corporate Server Configuration Manual 61

62 Managing devices Under CONTROL PANEL DEVICES POLICIES you can get an overview of which policies are assigned to which devices (Illus. 100). You also have the option here to assign policies to more devices. Illus. 100 Illus. 100 DEVICES POLICIES: policy assigned to an ios device For this, you select the desired device (left arrow in Illus. 101) and click on ASSIGN POLICY (right arrow in Illus. 101). Now all available policies are displayed. Select one or more and confirm with OK. Illus. 101 Illus. 101 Under CONTROL PANEL POLICIES assigning an established policy to another device Certificates The client certificates that were generated with the function CONTROL PANEL CER- TIFICATES CHANGE CERTIFICATE MODE and were automatically assigned (Page 82) are shown here. When required, a new certificate for a particular device can be generated with NEW, or deleted with REMOVE (on the right in Illus. 102). 62 Configuration Manual Cortado Corporate Server

63 Managing devices Note! If a new certificate is generated, the relevant user must select his device in the USER SELF SERVICE PORTAL at SETUP DEVICE MANAGEMENT and rerun the CLIENT CONFIGURATION to upload the new certificate with the automatically modified configuration file to his device. Illus. 102 Illus. 102 DEVICES CERTIFICATES: device certificate assigned to an iphone Wi-Fi Profiles Select an ios device on the left and click on ASSIGN WI-FI PROFILES (right in Illus. 103). You can assign profiles created under WI-FI PROFILES 13 (Page 89) to individual devices. To do this, Wi-Fi must be enabled on the device. You can determine this by the green dot in the Wi-Fi indicator (Illus. 91). This indicator displays as follows: green dot: Wi-Fi is performing normally and is enabled on the device gray dot: Wi-Fi is performing normally but is disabled on the device gray checkmark: Wi-Fi is performing normally, but the state of the device is unknown 13 This feature is available for ios users only Cortado Corporate Server Configuration Manual 63

64 Reports Illus. 103 Illus. 103 DEVICES WI-FI PROFILES: Wi-Fi configured for an iphone Reports Overview With CONTROL PANEL REPORTS you will find clearly displayed data of all mobile devices in use in your environment. The overview in detail: Device platforms such as BlackBerry, Android and ios (Illus. 104) Device models such as iphone and HTC (Illus. 105) Apps installed on the devices with ios only apps which were downloaded from the Apple App Store (Illus. 106) Device s hardware equipment, e.g., Bluetooth, Wi-Fi or front camera (Illus. 107) ROAMING Devices with SIM cards which are currently in their registered country have the status NOT ROAMING. Devices with SIM cards which are currently abroad have the status ROAMING (ILLUS. 108). Device s memory usage (STORAGE) broken down by memory types (Illus. 109) 64 Configuration Manual Cortado Corporate Server

65 Reports Examples PLATFORMS Illus. 104 Illus. 104 Device platforms as a pie-chart DEVICES Illus. 105 Illus. 105 Device models as a bar chart Cortado Corporate Server Configuration Manual 65

66 Reports APPS Illus. 106 Illus. 106 Installed or downloaded apps HARDWARE PROPERTIES Illus. 107 Illus. 107 Device s hardware equipment ROAMING Illus. 108 Illus. 108 Is a device abroad? 66 Configuration Manual Cortado Corporate Server

67 Managing apps STORAGE Illus. 109 Illus. 109 Device s memory or storage usage Managing apps Here you can provide in-house apps respectively apps that have been written for your users. Furthermore you can provide links to web sites (e.g. to an App store), from which users can download apps. The users can access the User Self Service Portal(see Page 96) via the mobile device s browser. There they can download the provided apps on their devices. Furthermore you can define the OS version of the devices that are to get these apps. In Cortado Management Console, you can allocate individual apps to particular users and devices. To do so, first select CONTROL PANEL APPS (Illus. 110). Illus. 110 Illus. 110 Select APPS Cortado Corporate Server Configuration Manual 67

68 Managing apps Assigning apps stored by default You can assign one of the available apps (links in Illus. 111) to your users. These apps are saved in the form of links to the app store. Select the desired app (left arrow in Illus. 111), noting the platform (Android or ios) and the minimum required OS version. Illus. 111 Illus. 111 Assigning apps to users Then click on ASSIGN USERS (middle arrow in Illus. 111). Select the desired users (right arrow in Illus. 111) and click on ASSIGN. Users will now find the assigned apps in the USER SELF SERVICE PORTAL 14 under APPS (Illus. 112). Illus. 112 Illus. 112 Saved apps in the User Self Service Portal, under Apps (example on the iphone) 14 see Page 96 and the user guide User Self Service Portals (Page 133) 68 Configuration Manual Cortado Corporate Server

69 Managing apps The user selects the app, and is directed to the app in the app store and can install it on his (Illus. 113). Illus. 113 Illus. 113 The app can be installed by the user (example: App Store on the iphone) Adding new apps Click on the plus icon (Illus. 114), to add more apps. Illus. 114 Illus. 114 Adding apps In the following dialog (Illus. 115), select whether you want to import the app (IMPORT APP, Page 71) or save it as a link (DEFINE APP, see below). For all app store apps, select DEFINE APP, to save the app as a link. Select IMPORT APP only for those apps you have programmed yourselves, or those that have been developed for your company. Cortado Corporate Server Configuration Manual 69

70 Managing apps Illus. 115 Illus. 115 App Wizard: Importing apps or storing links Storing apps as a link (Define App) Select DEFINE APP (Illus. 115). The dialog in Illus. 116 opens. Name and description are arbitrary. The minimum and maximum OS version is optional; it can contain digits and dots, but not letters. If the versions are entered, the app will only be made available to those devices with an operating system that meets these requirements. Under URL enter a link to the applicable app store. Select the appropriate platform. At the bottom, select an icon in.png or.jpg file format with a maximum size of 100 KB. Illus. 116 Illus. 116 Enter name, URL, OS version, platform and icon for a new app 70 Configuration Manual Cortado Corporate Server

71 Managing apps An example of a successfully imported app (Illus. 117): Illus. 117 Illus. 117 Successfully imported app, (as a link) For how to allocate this app to the users, read Page 68. Importing apps Here you can import those apps that aren't found in any app store. For apps in a store, we recommend saving as a link (see above). Click on the plus icon (Illus. 114) and select IMPORT APP (Illus. 115) In the following dialog (Illus. 118), specifying the minimum and maximum operating system version of the mobile device is optional. It can contain digits and dots, but not letters. If versions are entered, the app will only be made available to those devices with an operating system version that meets these requirements. Illus. 118 Illus. 118 Selecting the app to be imported and (optionally) indicating the OS version of the mobile device The following apps can be made available here (Illus. 118): for Apple devices Here you can store apps which you have developed yourselves, or that have been developed for your company, for ios devices. for BlackBerry devices Create a.zip file from BlackBerry.cod and.alx files. for Android devices Here you can store apps which you have developed yourselves, or that have been developed for your company, for Android devices. Cortado Corporate Server Configuration Manual 71

72 Managing intranet apps In each case, the app needs to be zipped. For Apple and Android apps you need a special.cclx file. For how to create these files, read Page 112. Select the app with the SELECT FILE (arrow in Illus. 118) button and click on IMPORT. You can see successfully imported apps in the Management Console (Illus. 119). Illus. 119 Illus. 119 Imported app (example Cortado Explorer for BlackBerry) For how to allocate this app to the users, read Page 68. Then the users find the apps located in the USER SELF SERVICE PORTAL 15 under APPS and can download them there (Illus. 120). Illus. 120 Illus. 120 An app as software for downloading in the User Self Service Portal (on a Black- Berry) Managing intranet apps Intranet apps are website bookmarks that you can distribute to mobile devices. So you can make important in-house sites (e.g. time management, Intranet) available for mobile devices. These apps are listed in the Cortado Secure Browser inside the Cortado app. To access intranet apps from outside the company, IIS settings on the Cortado server have to be made. Specify a rule to use the Cortado server as a proxy. This is described in the appendix (Page 114). 15 see Page 96 and the user guide User Self Service Portals (Page 133) 72 Configuration Manual Cortado Corporate Server

73 Managing intranet apps Select CONTROL PANEL INTRANET APPS (Illus. 121). Illus. 121 Illus. 121 Open Intranet Apps Define a link Click on the plus sign (arrow in Illus. 122), to add intranet apps. Illus. 122 Illus. 122 Add Intranet Apps The following dialog opens: Illus. 123 Illus. 123 Setting Intranet apps for mobile devices Cortado Corporate Server Configuration Manual 73

74 Managing intranet apps Enter any name and description and the redirected URL you defined in IIS (Page 114). If you want the intranet app to be available only when the mobile device is connected to the company's Wi-Fi, enter instead the usual URL of the website (see Illus. 124, example: Onexma). MANDATORY: Select this option (upper arrow in Illus. 123), if you want the intranet app mandatorily distributed to mobile devices. The intranet app then turns up as a bookmark in Secure Browser of the Cortado app, as soon as you have assigned it to the desired users (Illus. 126). OPTIONAL: If you select this option (lower arrow in Illus. 123) the intranet app also turns up as a bookmark in Secure Browser in the Cortado app, once you have assigned it to the desired users (Illus. 126). However, here the users have the option of disabling the intranet app in the USER SELF SERVICE PORTAL 16 (see Illus. 127). The icon of the website (favorite icon or favicon) will normally be inserted automatically, so long as there is an internet connection. If that's not the case, you can select an icon, using the.jpeg,.jpg or.png format, which may not exceed the size of 80 x 80 pixels and max 100 KB. Assigning links Select the intranet app(s) that you want to assign to the users and then click on ASSIGN USERS (Illus. 124). Illus. 124 Illus. 124 Assigning intranet apps to individual users 16 see the user guide User Self Service Portals (Page 133) 74 Configuration Manual Cortado Corporate Server

75 Managing intranet apps Now select the desired users and then click on ASSIGN (Illus. 125). Illus. 125 Illus. 125 Assigning intranet apps to individual users The users will now find the intranet apps in the Secure Browser of the Cortado app (Illus. 126): Illus. 126 Illus. 126 Intranet Apps im Secure Browser der Cortado-App auf dem iphone If the intranet app was assigned as OPTIONAL (lower arrow in Illus. 123), the users have the option of disabling it in the USER SELF SERVICE PORTAL 17 (Illus. 127). 17 see the user guide User Self Service Portals (Page 133) Cortado Corporate Server Configuration Manual 75

76 Managing certificates Illus. 127 Illus. 127 deactivate Intranet app in the User Self Service Portal (example for iphone) Managing certificates Overview Certificates serve to authenticate servers and devices to each other, in order to establish a safe connection between them. They may contain a key, with which the encryption of data to be transmitted is made possible. These keys are protected by a password, which is also stored in the certificate. The certificate received from the server now has to be checked for trustworthiness by the mobile device. To do so, it can use either the corresponding root certificate or the key of the server certificate. Encryption between browser (end device) and server Illus. 128 shows how the browser of an end device requests an https page in order, for example, to reach the User Self Service Portal in Cortado Corporate Server and also shows how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection. Illus. 128 Illus. 128 Example of the use of a server certificate The certificate received from the server now has to be checked for trustworthiness by the mobile device. To do so, it must use the corresponding root certificate. If neither 76 Configuration Manual Cortado Corporate Server

77 Managing certificates of these is located on the device (or if the specified server address does not match that written on the certificate), the user receives an error message. This could be worded as follows: This connection is untrusted (Firefox) or There is a problem with this website s security certificate (Internet Explorer) Then the user can simply click on: I understand the risks (Firefox) or Continue to this website (not recommended) (Internet Explorer) In order to avoid these certificate errors and to ensure a secure connection, Cortado Corporate Server ensures the root certificate is downloaded by the users themselves with the FIRST STEPS WIZARD in the User Self Service Portal (Illus. 129). The same applies to the use of the HTML5 client in a browser. The root certificate can also be downloaded here to the respective device. 18 Illus. 129 Illus. 129 User Self Service Portal: Downloading the root certificate in the First Steps Wizard (example for Apple ios) Encryption between the Cortado app (end device) and server An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. This connection enables secure communication via https including user name and password queries. For this, the key of the server certificate rather than the root certificate is used. This key is transferred to the end device when the user downloads the configuration file (.tpm) from the User Self Service Portal. If additional authentication of end devices with a client certificate is required then further information can be found at Page Downloading the root certificate to the end device is necessary especially when using self-signed certificates. Officially-issued root certificates are usually already present on the devices. Cortado Corporate Server Configuration Manual 77

78 Managing certificates Groups of certificates Certificates purchased from a public certification authority (e.g. VeriSign or Comodo) Self generated certificates from a proprietary certification authority from Cortado Corporate Server (SELF SIGNED) Types of Cortado certificates Root certificate... represents a certification authority (those computers that generate other certificates). Root certificates are only for testing the authenticity of server, user or client certificates. Server certificate... is used by the client to identify the server (here: Cortado server to an end device). Client certificate... is used by the server to identify the client (here: of the user or the end device with the Cortado server, depending on the selected mode) Cortado Corporate Server websites User Self Service Portal Cortado Management Console HTML5 client In addition, the Cortado apps (= Cortado Explorer) communicate with the Cortado server via https. Cortado server addressing Examples: HTTPS encryption between the Cortado app and server Identification of the server by the end device with the server certificate (including query user name / password) additional authentication with client certificate: a global certificate for all devices of all users one certificate per user (= for all devices of a user) one certificate per device In detail Setting up root and server certificates for Cortado Corporate Server Both server and client certificates can be obtained from a public certification authority. This has the advantage that their root certificates are already recognized by all servers and end devices. Thus, there are no certificate errors (as described above). 78 Configuration Manual Cortado Corporate Server

79 Managing certificates Regardless of whether the certificates have been purchased, or generated by one's own certification authority, they can be set up for Cortado Corporate Server in two ways: with the Configuration Assistant CERTIFICATES BROWSE (Illus. 130) or with the Cortado Management Console CONTROL PANEL CERTIFICATES SERVER CERTIFICATES (Illus. 131) Illus. 130 Illus. 131 Illus. 130 Configuration Assistant Left: Import (BROWSE) or create root certificate Right: Import (BROWSE) or create server certificate Illus. 131 Cortado Management Console Above right: Create, import or export root certificate Centre right: Create, import or export server certificate Cortado Corporate Server generates a new root certificate automatically, if you: select the option GENERATE NEW SELF SIGNED ROOT CERTIFICATE in Configuration Assistant (Illus. 130) or select the option GENERATE ROOT CERTIFICATE in Cortado Management Console (Illus. 131) Cortado Corporate Server Configuration Manual 79

80 Managing certificates Caution! All other certificates as well as all.tpm files are recreated automatically if you generate a new root certificate. Afterwards all users must run the First Steps Wizard again to download the new certificate and the new configuration (.tpm file) to the device. Cortado Corporate Server automatically generates a new server certificate, when you: select the option GENERATE NEW SELF SIGNED SERVER CERTIFICATE in Configuration Assistant (Illus. 130) or select the option GENERATE SERVER CERTIFICATE (SSL) in Cortado Management Console (Illus. 131) Note! The server certificate which is created here (if necessary) contains the server address which you have specified in the Configuration Assistant s EXTERNAL CONNECTION SETTINGS menu (arrow in Illus. 132) or as the CORTADO SERVER ADDRESS in the Management Console s GLOBAL SETTINGS (arrow in Illus. 133). Make sure that on the one hand this address is reachable from the devices and on the other hand the users use exactly this address for connections to the USER SELF SERVICE PORTAL as well as to the HTML5 client. Otherwise certificate errors can occur in the device s Internet browsers (Page 76). Illus. 132 Illus. 132 Connection settings in the Configuration Assistant 80 Configuration Manual Cortado Corporate Server

81 Managing certificates Illus. 133 Illus. 133 Connection settings in the Cortado Management Console In addition, the root certificate and the server certificate can be exported with the options EXPORT ROOT CERTIFICATE and EXPORT SERVER CERTIFICATE (SSL) (as a.pfx file) (Illus. 131). Note! When using self-signed certificates, please note the following: If you also use a ThinPrint Engine and the Print-to-Cloud and Print-to-ePaper features, then the root certificate of the Cortado server must be imported to the terminal or print server where the ThinPrint Engine is installed. Import it with the key in the container (MMC) CONSOLE ROOT CERTIFICATES (LOCAL COM- PUTER) TRUSTED ROOT CERTIFICATION AUTHORITIES CERTIFICATES. For the option APPLE PUSH CERTIFICATE see the chapter Preparatory work for MDM (Page 10). Establishing client certificates (optional) The connection between the Cortado app on the end devices and the Cortado server is SSL encrypted. The server encrypts communication and therefore enables a secure connection via https (including user name and password queries). This mode is always enabled. Additionally, to further increase security, client certificates can also be used. When using client certificates the identity of the end device is ensured additionally by a certificate that is already known to the server. If you would already like to test the client certificates in the DMZ, proceed as described on Page 128. Cortado Corporate Server Configuration Manual 81

82 Managing certificates Illus. 134 Illus. 134 Example of the setup for a client certificate For the Cortado server to request client certificates at all (Illus. 134), this function must have been previously enabled in it's IIS Manager. So, in IIS Manager, select Cortado server and then the path SITES CORTADO CC (for Cortado client) and there, REQUIRE SSL as well as CLIENT CERTIFICATES REQUIRE (Illus. 135). Don t forget an IIS reset afterwards. Illus. 135 Illus. 135 Enabling client certificate authentication in the IIS Manager Client certificate modes Select in the Cortado Management Console: CONTROL PANEL CERTIFICATES CERTIFICATE MODE (left arrow in Illus. 138) and then on CHANGE CERTIFICATE MODE (right arrow in Illus. 138). 82 Configuration Manual Cortado Corporate Server

83 Managing certificates Illus. 136 Illus. 136 Cortado Management Console: change client certifikate mode You can either create new client certificates (CREATE CERTIFICATE) or use existing ones (USE CERTIFICATE) (Illus. 137). Illus. 137 Illus. 137 Cortado Management Console: generating or selecting client certificates Create Certificate. You can create your own client certificates here, providing the root certificate that you want to use has been self-generated by Cortado server or with its own certification authority. Otherwise, use the USE CERTIFICATE. There are three client certificate modes available. Either one certificate per user (= for all the end devices of a user) For this, select ONE CERTIFICATE FOR EACH USER WILL BE CREATED (Illus. 138) and click OK. This means certificate mode 1 (Illus. 140). Or one certificate per end device For this, select ONE CERTIFICATE FOR EACH USER DEVICE WILL BE CREATED (Illus. 138) and click OK. This means certificate mode 2 (Illus. 140). Or one global certificate for every end device of all users For this, select ONE CERTIFICATE FOR ALL USERS WILL BE CREATED (Illus. 138) and click OK. This means certificate mode 3 (Illus. 140). Cortado Corporate Server Configuration Manual 83

84 Managing certificates Illus. 138 Illus. 138 Create Certificate: select certificate mode 1 (example) Use Certificate. You can use existing client certificates here, i.e. purchased from an official certification authority, or self-signed client certificates (.pfx files). You have two client certificate modes available. Either one certificate per user (= for all the end devices of a user) For this, select ONE CERTIFICATE FOR EACH USER WILL BE USED. o Then enter the path to the folder that contains the client certificates (Illus. 139). This means certificate mode 1 (Illus. 140). Illus. 139 Illus. 139 Use Certificate: select certificate mode 1 (example.) Or one global certificate for every end device of all users For this, select ONE CERTIFICATE FOR ALL USERS WILL BE USED. Then select the path to the client certificate (.pfx file) and enter the certificate password (Illus. 139). This means certificate mode 3 (Illus. 140). Then in the first line of the certificate overview, you can read the certificate mode (arrow in Illus. 140). Illus. 140 Illus. 140 Information of certificate mode The client certificate (with the password-protected private key) is saved in the configuration file (.tpm). 84 Configuration Manual Cortado Corporate Server

85 Managing Policies The users must then: 1. download the.tpm file of their device from the User Self Service Portal again (because it contains the client certificate) 2. enter the certificate password (arrow in Illus. 141). Illus. 141 Illus. 141 Certificate password request You find the certificate password here: CONTROL PANEL USERS CERTIFICATES (arrow in Illus. 142). Tell it to the users in person or in a phone call. Illus. 142 Illus. 142 Reading the certificate password of a user s end device Managing Policies Define the policies (group policies), that you can assign to users or mobile devices. To do this, the requirements described under Preparatory work for MDM on Page 9, must have been fulfilled. This applies particularly to Apple devices, where the Apple Push certificate must firstly be uploaded. Cortado Corporate Server Configuration Manual 85

86 Managing Policies Select CONTROL PANEL POLICIES (Illus. 143). Illus. 143 Illus. 143 Select POLICIES Define a policy Click on the plus sign, to create a new policy (Illus. 144). Illus. 144 Illus. 144 Creating a new policy The dialog Add Policy opens (Illus. 145). Illus. 145 Illus. 145 Select policy method Policies for Android devices For Android policies select ACTIVE SYNC POLICIES (first option on the left in Illus. 145) and then assign them to users or devices, as described below. Be aware that the assignment of Android policies depends on the respective ActiveSync client of each of the mobile devices, over which Cortado has no influence. 86 Configuration Manual Cortado Corporate Server

87 Managing Policies To ensure that all policies are effective we recommend the Active Sync client NitroDesk TouchDown (available for purchase, see Illus. 114 on Page 69). Policies for Apple ios devices With Apple policies you can select one of the following methods (with the first method you get the less options, with the third the most ones): ACTIVE SYNC POLICIES (configured with Cortado Management Console) 19 APPLE POLICIES (= Apple MDM, configured with Cortado Management Console) IPCU (To use Apple ios Mobile Device Management for Cortado, first install the Apple configuration program iphone Configuration Utility onto the Cortado Server. This program can be downloaded here: With the help of this program, create a configuration profile and then upload the file (*.mobileconfig) by clicking on SELECT FILE. Please note that when using APPLE POLICIES that the user will be automatically prompted to create a 4 digit passcode for device access if one does not already exist. This is independent of whether changes have been made at PASSWORD (see center tab on Illus. 146). Policies for BlackBerry devices For BlackBerry policies select GO TO BLACKBERRY MANAGER (Illus. 145, last option in the left column). You will be redirected to the website BLACKBERRY ADMINISTRATION SERVICE, where you make your settings as usual. There are special Cortado policies required for BlackBerry, which you can copy under GLOBAL SETTINGS (see Page 92) and apply in BLACKBERRY ADMINISTRATION SER- VICE. See the manual BlackBerry configuration (Page 133). Assigning policies to users or devices First enter a name for the policy in the field below (lower arrow in Illus. 146) and select the desired permission(s), in the example, the checkbox ALLOW CAM- ERA has been disabled (upper arrow in Illus. 146). Illus. 146 Illus. 146 Give the policy a name 19 Providing that in the settings for the company account (Exchange Active Sync account) on the ios devices, Cortado server rather than the Exchange server was entered as mail server (see Page 10). Cortado Corporate Server Configuration Manual 87

88 Managing Policies has been enabled. You can download Note! Please note that the policies marked with an asterisk, as well as KIOSK MODE (Illus. 146) are only available for ios devices (from ios 6.0) on which, with the help of the configuration program APPLE CONFIGURATOR the option SUPERVISING has been enabled. You can download APPLE CONFIGURATOR in the MAC APP STORE. Once created, this policy can now be assigned to a device (ASSIGN DEVICES) or a user (ASSIGN USERS) (arrow in Illus. 147). Illus. 147 Illus. 147 Assigning a policy to a device or a user Be sure to assign each policy only to devices and users with the corresponding platform (Android/Apple). The policies for devices will be effective immediately, while those for users can take several minutes. This depends on the refresh time setting under Event Log (Page 95). Now, the mobile s camera will no longer be available (Illus. 148). Illus. 148 Illus. 148 Remove CAMERA icon using a policy 88 Configuration Manual Cortado Corporate Server

89 Wi-Fi Profiles Wi-Fi Profiles You can manage your Wi-Fi profiles in Cortado Management Console for ios devices. To do so, enter your Wi-Fi profile(s) here and then assign them to the mobile devices. This has the benefit that the devices will already recognize this Wi-Fi. To do this, start by selecting CONTROL PANEL WI-FI PROFILES (Illus. 149). Illus. 149 Illus. 149 Select WI-FI PROFILES Creating a Wi-Fi profile Click on the plus icon (Illus. 150), in order to set up a new Wi-Fi profile. Illus. 150 Illus. 150 Add Wi-Fi profile In the dialogue that follows (Illus. 151) enter the Wi-Fi hotspot s name and network ID/device number (SSID), as well as the Wi-Fi password and the Wi-Fi encryption protocol. Cortado Corporate Server Configuration Manual 89

90 Sending Welcome Illus. 151 Illus. 151 Enter Wi-Fi profile Assigning Wi-Fi profiles These Wi-Fi profiles can be assigned to mobile devices via CONTROL PANEL DEVICES ASSIGN WI-FI PROFILES (see Page 63). Please note that for this: On this device, Wi-Fi must be switched on (green dot next to WI-FI, at DEVICES DETAILS, see Illus. 91 on Page 57). Sending Welcome Purpose Send a welcome to your users when you have completed all necessary settings and configuration. The welcome template (Illus. 152) contains: a link to User Self Service Portal (see Page 96) a prompt to start there the First Steps Wizard (see Page 96) the link to the HTML5 client (see Page 27) advice for Android users, to reconfigure their accounts (Exchange Active- Sync) (see Page 9) Illus. 152 Illus. 152 Welcome (example on the iphone) 90 Configuration Manual Cortado Corporate Server

91 Global Settings Procedure Before you can send the welcome to your users, you must enter the sender's address. To do this, click on SETTINGS under CONTROL PANEL GLOBAL SETTINGS. Then proceed as described in the chapter settings on Page 92. You can also edit the text field of the template there. Under CONTROL PANEL USERS (Illus. 2, on Page 8) select one or more users and click on SEND (arrow in Illus. 153). Illus. 153 Illus. 153 Send Global Settings Here you can find an overview of licenses and license usage and you can manage the following settings: Cortado server including TCP ports Settings of other involved servers (mail server, BES, SCEP server) including TCP ports Creating password policies for users Configuration and welcome s Event log settings Setting up ActiveSync Select CONTROL PANEL GLOBAL SETTINGS. Locate the server (left arrow in Illus. 154). To make changes, select CONFIGURE (right arrow in Illus. 154). Illus. 154 Illus. 154 Global Settings: manage server and global settings Cortado Corporate Server Configuration Manual 91

92 Global Settings This opens the following dialogue (Illus. 123). On the left you can select menu items which are described below. Illus. 155 Illus. 155 Change mail server settings Mail Server Settings BlackBerry Enterprise Server Cortado Push Server Settings Here you can make adjustments if something has changed with your mail server, if you have a new mail server or you're using a different mail server system. If something changes with your BES, or if you newly incorporate a BES, enter it here. For details, see BlackBerry configuration manual (Page 133). Specify the BES server as follows: BESserver.domain.local:3443 If you want to incorporate Apple mobile devices, you need an SCEP server for Apple Mobile Device Management (this is a server role with Microsoft servers). Enter all SCEP server details here, as described on Page 26. Enter here the sender of the welcome- and of the configuration- . Furthermore you can edit here the standard text of both s (Illus. 156). Illus. 156 Illus Settings: edit welcome mail and configuration mail Sender name. Enter the sender s name here (user defined). 92 Configuration Manual Cortado Corporate Server

93 Global Settings Sender address. Enter the sender address of the s. Use an already existing account that is the reply-to-address). Use authentication for outgoing s. Enable this checkbox, if your Exchange mail is set to require authentication by the sender of an (default setting for Exchange). Username. Enter a user account here in order to send the configured s below. Use an already existing account too. Password. Enter the corresponding password here. body for automatically generated configuration . Apple users receive this automatically generated configuration , after downloading the root certificate and the profile for Apple MDM (see Page 10) Android users receive this , after having reconfigured their account (see Page 9). This configuration contains: the name of the configuration file (.tpm) to be employed by the user (CORTADO CLIENT CONFIGURATION, see Page 97) a link to the User Self Service Portal (see Page 96) a link to the HTML5 client (Page 27) advice for Android users, to reconfigure their accounts (Exchange Active- Sync) (see Page 9) body for Send . Here, you can find the standard text for the welcome . Further information concerning the welcome in chapter Sending Welcome on Page 90. Connection Settings Here you can change the incoming and outgoing ports of the Cortado server (Illus. 157). See also Cortado server ports on Page 126. Illus. 157 Illus. 157 CONNECTION SETTINGS: https and http addressing for the Cortado server Cortado Corporate Server Configuration Manual 93

94 Global Settings We distinguish between external and internal connections. EXTERNAL. The external connections settings correspond to the default settings for mobile devices (e.g. telephone or internet). USE SSL (RECOMMENDED): Because mobile devices externally connect to the Cortado server, we recommend protecting the data transmission with SSL encryption. Uncheck the checkbox only if you do not want to use the SSL protocol for external connections, for example if you are using a VPN. CORTADO SERVER ADDRESS: Here you are prompted to enter the external host name or the external IP address (URL) or the Fully Qualified Domain Name (FQDN) of the Cortado server. For this, please note the chapter Managing certificates on Page 76. Furthermore, the following TCP port is required: CLIENT COMMUNICATION PORT: The default port for encrypted connections from the smartphones via https to the Cortado server is 443. This is the mandatory port for BlackBerries in BIS environments (default from RIM). Printing with https also takes place via this port. Note! Please note that your company s firewall must be configured accordingly for the external connections. Open the firewall for all incoming connections on the port 443 that is required for Cortado Corporate Server. See also Cortado ports on Page 126. INTERNAL. The smartphones use internal connections, as if located in an internal corporate Wi-Fi. USE SSL (RECOMMENDED): Even in a company's internal Wi-Fi network, we recommend using SSL-encryption to protect data transmission. CORTADO SERVER ADDRESS: Enter FQDN, host name or IP address of the Cortado server. The offered address can be accepted. Furthermore the following TCP ports are required: SERVER COMMUNICATION PORT: This Port (81) is used only for software internal connections. CLIENT COMMUNICATION PORT: The default port for mobile device connections to the Cortado server is 443. If these TCP ports are occupied by other applications select different ones. Note! As soon as changes are made to the server settings, the users automatically receive a new configuration . In this they find a link to the User Self Service Portal where they open the configuration file (.tpm) via DEVICE MANAGEMENT CORTADO APP CONFIGURATION (see Page 97). Subsequently the Cortado app will be re-configured. Cortado Password Here you can define the password policies for a Cortado password, if your users are not to use the domain password to log on to their mobile device s Cortado app. This 94 Configuration Manual Cortado Corporate Server

95 Global Settings could be on security grounds for example, or because one can quite easily make repeated typing errors on mobiles. Illus. 158 Illus. 158 Set Cortado password First place a checkmark by CORTADO PASSWORD ENABLED (upper arrow in Illus. 158) so, in the User Self Service Portal 20 all users can change their password which they use to log on to the Cortado app. If a user logs on to the User Self Service Portal the first time s/he will be prompted to change her/his password. The password change affects only the Cortado app. The password for logging on to the User Self Service Portal can t be changed. If you define number of MAXIMUM FAILED LOGON ATTEMPTS for users (lower arrow in Illus. 158), a user will be deactivated for Cortado, as soon as he repeatedly, mistype his Cortado password You can reactivate him subsequently for Cortado by selecting the user in CONTROL PANEL USERS highlighting the Checkbox ACCOUNT ENABLED in SETTINGS EDIT (see Page 40). Event Log Here you can configure the CORTADO EVENT LOG SYNCHRONIZATION SERVICE which writes the Cortado specific entries into the Cortado database. These entries are the basis for all statistics, for example on the homepage (DASHBOARD) of the management console and for all statistics under Reports (Page 64). As well, this service supplies device information, as found in the modules User Management on Page 29 and Managing devices (Page 56). Furthermore it controls the frequency of the push services. Other Settings Here you can set up ActiveSync. If you check this box, you will enable Cortado users who were not allowed to do so previously to receive s on their mobile devices. By deactivating users for Cortado Corporate Server, the users will not be able to receive s on their mobile devices any longer. Additionally, you can change the path to the user directory (BASIC PATH). You can find more information about the user directory on Page 38 and Page See the User Self Service Portal user guide (Page 133). Cortado Corporate Server Configuration Manual 95

96 User Self Service Portal User Self Service Portal The User Self Service Portal allows users to install and configure the Cortado app on their mobile devices (Apple ios, Android OS, BlackBerry OS 21 ), change the password, locate the device and delete content on the device. The Cortado app also provides the users with further apps and links to intranet websites that you have made available for them. A link to the user guide for the User Self Service Portal can be found under Additional sources (Page 133). The portal is available for users via the following link address: This link is included in the welcome , which you have sent to users (see Page 90). The users log into the portal with their address and domain password. The following window then opens (Illus. 159): Illus. 159 Illus. 159 Start page of the User Self Service Portal (from left to right: ios, Android OS and BlackBerry OS) First Steps Wizard Apple ios When using Apple Mobile Device Management for managing ios devices (see Page 10), we recommend using the FIRST STEPS WIZARDS in the User Self Service Portal (Illus. 159, left). Users are guided here through the installation of the root certificate, the Apple MDM profile as well as the installation and configuration of the Cortado app. If in addition you also wish to change the setting for the user's account (Exchange ActiveSync) on the ios devices (see Page 40), then only undertake this configuration when the steps in the FIRST STEPS WIZARD have been completed. Otherwise the device will be registered twice in the MANAGEMENT CONSOLE under CON- TROL PANEL DEVICES or at CONTROL PANEL USERS DEVICES. 21 For BlackBerry we recommend distributing the software for the Cortado app and the configuration file via BES (Page 133). Using the User Self Service Portal is only possible from BlackBerry 6 OS and higher. 96 Configuration Manual Cortado Corporate Server

97 User Self Service Portal Android OS Users of Android devices are also guided with the FIRST STEPS WIZARDS through the installation and configuration of the Cortado app. Additionally, the root certificate will be installed so that a trusted connection over https can be created from the Cortado server to the User Self Service Portal website. Note! In order to use Mobile Device Management for Android devices, it is necessary to change the settings for the user's account (Exchange ActiveSync) on the mobile device. More information can be found on Page 9. Please note here that it is essential that the installation procedure outlined in the FIRST STEPS WIZARD must be followed. First let the user make the changes to the account and then configure the Cortado app. Otherwise the device will be registered twice in the MANAGEMENT CONSOLE under CONTROL PANEL DEVICES or at CON- TROL PANEL USERS DEVICES. Apps Here users can find apps which you have made available for them at Managing apps (see Page 67). Intranet Apps Here users can find links to intranet websites which you have made optionally available for them at Managing intranet apps (see Page 72). Setup Set Password Users can change their Cortado password for the Cortado app here if you have made this option available for them at Page 94 (see Page 94). Device Management Here, users are displayed all their devices that are recognized by the Cortado server. For Apple devices, this is the case as soon as the root certificate and the MDM profile have been downloaded by the user. Android devices are recognized by the Cortado server as soon as the server address of the Cortado server has been entered in the device's account (in place of the Exchange server). BlackBerry devices must be imported from the BES to be listed here. In DEVICE MANAGEMENT of the User Self Service Portal, users can select a device and are then presented with options which are available on the Cortado server at DEVICES (see Page 56). Users can locate their lost or stolen devices (LOCATE DEVICE), delete the data of the Cortado app (WIPE DEVICE PARTIAL) or delete the entire contents of the device (WIPE DEVICE FULL). For lost or stolen Apple devices, the option LOCATE DEVICE is also available. With this option, the screen of the ios device can be remotely locked and a pass code is required to unlock it. Additionally, users can find here the user- and device-specific configuration file (CORTADO APP CONFIGURATION) for the Cortado app. Cortado Corporate Server Configuration Manual 97

98 Personal Printing At DEVICE MANAGEMENT BASIC CONFIGURATION (Illus. 160, left) there is an additional configuration file. Should you plan not to manage users' ios and Android devices via MDM, then this configuration file should be used to configure the Cortado app. Illus. 160 Illus. 160 Configuration file for the Basic CONFIGURATION of the Cortado app Certificate management Apple ios device users can find the root certificate and the MDM profile downloaded and installed during the FIRST STEPS WIZARD at Apple Mobile Device Management (see Page 10). Android users can also find the certificate from the FIRST STEPS WIZ- ARD here. BlackBerry users will find a certificate here for the authentication of the devices against the Cortado server. This certificate can also be distributed through the BES. Personal Printing What is Personal Printing? You can print on the Personal Printer from any application. If you want to retrieve a print job, you can go to any network printer within your company, authenticate yourself there with your tablet or smartphone (Android or BlackBerry) or your chip card (smartcard), together with optional PIN entry, and print out the document. To be able to print with Personal Printing, you must make some settings both on the server (see below) and on printers and devices. The printer and device settings depend on the method how your users will authenticate at the printers; this is described in the Personal Printing Essentials manual (Page 133). Opening the configuration console On the Cortado server, select: PERSONAL PRINTING ESSENTIALS (Illus. 161). 98 Configuration Manual Cortado Corporate Server

99 Personal Printing Illus. 161 Illus. 161 Open the Personal Printing console Then, select THINPRINT PERSONAL PRINTING (arrow in Illus. 162). With first opening the Personal Printing configuration, a message will appear that no connection could be established to the ADAM instance. After closing this message a window will appear where you can change these settings (Illus. 164). Illus. 162 Illus. 162 ADAM message with first opening Cortado Corporate Server Configuration Manual 99

100 Personal Printing Settings For settings, usually go to EDIT SETTINGS (on the right in Illus. 163). Illus. 163 Illus. 163 Select EDIT SETTINGS A window will open with the following three tabs: Print Job Storage ADAM Service Account Authentication 100 Configuration Manual Cortado Corporate Server

101 Personal Printing ADAM Service Account An account must be specified here, with which Personal Printing can communicate with the Active Directory. This must be the same account with which the Cortado Corporate Server software was installed i.e. the recommended account Cortado- Service (Illus. 164). Illus. 164 Illus. 164 Define the CortadoService-Account as the ADAM ACCOUNT The LDAP URL is used to logon to Cortado server. This is the default, and doesn t need to be changed. Print Job Storage For users which use Personal Printing exclusively: In the PRINT JOB STORAGE tab you can select the directory in which users print jobs will be saved. You also have to specify an account which is used by the Personal Printing software to store or read the users print jobs in this folder and its subfolders (Illus. 165). You can also store the Personal Printing jobs on any other server assuming that this server is a domain member (= Active Directory member). This directory has to be shared there. Additionally a domain user has to be assigned which has full control of this directory (we recommend the use of said CortadoService account). Note! For users which use both Personal Printing and Cortado Corporate: The print jobs are stored to the User Storage (see Page 53). Cortado Corporate Server Configuration Manual 101

102 Personal Printing Illus. 165 Illus. 165 Print Job Storage on the Cortado server Directory. Specify a root directory for Personal Printing print jobs. Subfolders for each user will be created automatically in this directory. Use for connected drives the following denomination: For connected drives use the following syntax: driver_letter:\directory_name (Illus. 165) and for directories on another server the following UNC path: \\server_name\share_name (Illus. 166) Caution! If you change the path to the print job folder later on, only the new users, who were enabled for Personal Printing after the change, can print in this folder. All the print jobs of users enabled before the change are still saved in the old folder. Therefore, do not delete the old folder. Folder encryption. You can also encrypt the directory in which the print jobs are stored. See the Personal Print Essentials manual. Account and password. Specify an account (name and password), that has access to the folder with the print jobs. If you want to assign network printers or store the print jobs on another server the user account has to be a domain member (= Active Directory member). Use the recommended CortadoService account: domain_name\account_name (Illus. 166). 102 Configuration Manual Cortado Corporate Server

103 Personal Printing Illus. 166 Illus. 166 Storing the print jobs on a remote machine Maximum print job storage (time). Print jobs remain in users folders until collected at the printer or deleted using JobViewer (see Personal Print Essentials manual). To prevent that this data takes up too much space on the hard disk, you can specify a period after which they will be deleted (in minutes). The default value is 0 (zero); this means that print jobs are never deleted. If the maximum print job storage time limit for a specific print job has expired, then Personal Printing will delete it the next time the user authenticates at one of the printers. To enable the maximum print job storage time restart the IIS Admin Service. Authentication See the chapter Activating authentication methods on Page 107. Cortado Corporate Server Configuration Manual 103

104 Personal Printing Setting up printers Personal Printer for Windows machines The Personal Printer installed and shared on the Cortado server (by the installer) is designed for printing from Windows applications (it uses the virtual printer driver Cortado Output Gateway, Illus. 167). Illus. 167 Illus. 167 Personal Printer (here, on the Cortado server) Setting up Personal Printers for Mac and Linux machines (optional) See the Personal Print Essential manual (Page 133). Setting up target printers The (physical) printers in your company which are intended for use with Personal Printing have to be set up in its configuration console as follows: With ENABLE PRINTERS (Illus. 163) you can select the printers that Personal Printing uses to print with. A dialog opens (Illus. 168). Illus. 168 Illus. 168 Select printer type Network printers Here: printer shares in the domain (Active Directory) Select NETWORK PRINTER (Illus. 168). 104 Configuration Manual Cortado Corporate Server

105 Personal Printing A window will open, with which you can search in the specified domain (first line) for printers; specific criteria can be used. You can highlight several printers simultaneously, as shown in Illus Select neither Cortado Output Gateway nor a Personal Printer but physical printers in your company. Illus. 169 Illus. 169 Selecting shared printers for Personal Printing Note! Here, select only printers with native drivers. In other words: Do not select TP Output Gateway print objects here (Illus. 169). Local printers Printers that were created locally on the Cortado server (that will be printed to via Standard-TCP/IP or LPR/LPD). Generally they are physical network printers. Select LOCAL PRINTER (Illus. 168). You can select the printers by highlighting them (even several at once, as in Illus. 170). Select neither an Output Gateway printer nor a Personal Printer. Illus. 170 Illus. 170 Selecting locally installed printers for Personal Printing Result After that, the selected printers can be seen in the MMC where they automatically receive a printer ID (Illus. 171, arrow on the left). Cortado Corporate Server Configuration Manual 105

106 Personal Printing Illus. 171 Illus. 171 Changing Printer IDs On the right of the printer list (Illus. 171) you can change IDs or disable printers: Change ID. The printers listed here, which you previously selected for Personal Printing, receive an ID automatically. If you wish to change this, select CHANGE ID and enter a new one. Disable Printers. Here you can remove from the list, printers that you selected for Personal Printing. You don t delete printers with this, but merely disable Personal Printing for these printers. Font management To avoid incorrect characters or fonts in print output follow the instructions in the Solving problems with fonts white paper on SUPPORT WHITE PAPERS 106 Configuration Manual Cortado Corporate Server

107 Personal Printing Activating authentication methods With EDIT SETTINGS AUTHENTICATION (right in Illus. 163) you set up the methods of authentication that will be used throughout your company. Illus. 172 Illus. 172 Authentication settings for Personal Printing Methods and PINs Here you set up the methods of authentication that will be used throughout your company. You can use different methods of authentication in parallel (Illus. 172). That means that some Personal Printing users can authenticate themselves with smartphones, and others with smartcards. Furthermore it is possible to assign both authentication methods (chipcard and smartphone) to every user. Please note though, that only one smartcard type is possible per user. In addition, either method can require a PIN to be entered (but for TPR-10). All PINs on this tab are freely selectable. Default user PIN (optional). Here, enter a PIN if multiple or all users are to use the same one. Make a note of the PIN for later use! Case 1: no PIN entry A DEFAULT USER PIN (maximum 255 digits) is useful if the user is not required to enter an individual PIN, i.e. there is no PIN pad on the card reader or no PIN entry should be made on the BlackBerry. Case 2: with PIN entry Leave this field blank and assign individual PINs for your users (Page 109). Select the authentication method(s), that you want to use throughout your company. Later, in the user configuration, (Illus. 174 on Page 109) only those authentication methods that you have chosen here will be active. Cards with preset PIN. Cards with fixed card numbers (e.g., Seccos or Mifare cards), which can t be changed. Cortado Corporate Server Configuration Manual 107

108 Personal Printing Select this option also for GemClub Memo cards if you want to assign an already set up card to a user without re-writing it. So it will be possible to enter the User PIN (Illus. 174). GemClub Memo Cards (customizable). A GemClub Memo card is a writable smartcard. That means that the card is blank when you buy it, and you write a card number to it before the first time you use it. You can do that here with the Personal Printing software. For GemClub Memo cards which are already set up select the CARD WITH PRESET ID option (see above). The card reader appears automatically under CARD READER. It must be connected to the Cortado server via USB, and is used to write to the blank cards (Illus. 172). Assign a(ny) MASTER PIN for initializing the GemClub Memo cards (maximum 8 digits). The Master PIN is the same for every card, make a note of this PIN for later use. This field need not be filled. At DEFAULT CARD PIN enter a PIN that you have thought of which will be written onto the smartcard to personalize (maximum 8 digits). This PIN is entered once here and once again on the authentication box. Make a note of the PIN for later use. This PIN is used to identify the card to the card reader. Scan barcode using smartphone. Select this option, if the users are to authenticate themselves on the printer with their BlackBerries or Androids, and then specify the address of your mail server as well as the URL of your Cortado server. Since communication between the Cortado server and the mobile devices is encrypted by default (see also CLIENT COMMUNICATION PORT in Illus. 157), you enter here the Cortado server's https address in PERSONAL PRINTING SERVER URL (arrow in Illus. 172). As well, you can determine whether FORCE PIN ENTRY ON SMARTPHONE will be set by default to on or off for all users by setting the checkmark accordingly. Note! Note that at PERSONAL PRINTING SERVER URL (example for authentication with smartphones in Illus. 172), the same addressing (e.g. IP address or FQDN) is used as on the Cortado Server (see Management Console at GLOBAL SETTINGS CONFIGURE CONNECTION SETTINGS (see Illus. 157). Configuring authentication devices for encryption (SSL) Since the transmission of data (user ID, password etc.) is encrypted (SSL) during the retrieval of print jobs from the authentication devices (TPR-10, Lexmark printer, BlackBerry or Android smartphone) to the Cortado server, firstly the root certificate must be stored on the authentication devices, and secondly the URL of the Cortado server stored as an http address. For further information see the Personal Printing Essentials manual. 108 Configuration Manual Cortado Corporate Server

109 Personal Printing Configuration for each user Configure each user separate In the Personal Printing configuration, you also can find the domain users who print with Personal Printing, under ACTIVE DIRECTORY USERS AND COMPUTERS domain USERS (Illus. 173). Illus. 173 Illus. 173 Configuring users for Personal Printing If you double click on a user here, the user configuration will open in Active Directory, where you will find the register PERSONAL PRINTING (Illus. 174). Illus. 174 Illus. 174 Activating and configuring Personal Printing for users First, select ENABLE PERSONAL PRINTING for the nominated user (Illus. 174). Then, the authentication methods that you have previously set under server settings will be offered (Illus. 172). If there is a method missing for a user, it must first be activated in the server settings. Only methods selected there are available here for the users. Note, that only one chipcard and/or smartphone (BlackBerry or Android) per user is possible for authentication. Cortado Corporate Server Configuration Manual 109

110 Personal Printing With click on APPLY a message will appear as a reminder that the PERSONALIZE button must be clicked afterwards (Illus. 175). Illus. 175 Illus. 175 Message after clicking APPLY Select PERSONALIZE (Illus. 176). In case of GemClub Memo card this will write the data into the card. In case of barcode scan the data entered here will be sent to the user in the form of a configuration . Illus. 176 Illus. 176 Click PERSONALIZE to send the settings to the user (via ) or to her/his GemClub Memo card (in the card reader) The Personal Printing settings can be checked in the Management Console s USERS menu. Here, the User PIN can be changed if necessary (arrow in Illus. 177). Illus. 177 Illus. 177 Personal Printing settings in the User Management 110 Configuration Manual Cortado Corporate Server

111 Appendix For further information see the Personal Printing Essentials manual. Appendix Mail directory on Apple and Android devices If Apple and Android users want to save their attachments to the Cortado server, they need to send them to an address provided by you. These attachments can then be found by the user on the Cortado app in the MAIL folder (see Illus. 178). With SMTP the address to where the users send their attachments is comprised from the following standardized scheme: of virtual domain 22 See CONFIGURATION ASSISTANT ACCOUNT AND SETTINGS VIRTUAL DOMAIN (in the Installation and initial setup manual, Page 133). When using MAPI instead of SMTP, the users have to be send their attachments for this purpose to the Cortado mailbox account. See CONFIGURATION ASSIS- TANT ACCOUNT AND SETTINGS CORTADO MAILBOX ACCOUNT. Illus. 178 Illus. 178 Directory MAIL for Mail attachments and text Creating a.csv file for importing users The following explains how to create a.csv file for importing users (see Import from.csv file, Page 31) with the editor of your choice. Structure of the file The first line contains a header which provides the column names. All other lines of the file contain user properties. Separate both the header columns and the individual values of the user lines with a comma. In order to identify a user, merely the address is required. 22 Corresponding to the connector name at Microsoft Exchange, the Foreign Domain at Lotus Domino or the Internet Agent at Novell Groupwise Cortado Corporate Server Configuration Manual 111

112 Appendix Generating the file You create a.csv file depending on the information from the AD as follows: 1. Click START CONTROL PANEL ADMINISTRATIVE TOOLS ACTIVE DIRECTORY USER AND COMPUTERS. 2. Right-click the appropriate organization unit and select ADD/REMOVE COLUMNS. 3. Add the column ADDRESS to the end of the column list. Click OK to confirm. 4. Expand the domain tree and then select the organization unit where the users are located, example: OurDomain/Users. Right-click the organization unit and then select EXPORT LIST. 5. Now select the users who are to be exported in the.csv file. 6. Change the value SAVE AS TYPE to TEXT (COMMA DELIMITED) (*.CSV) and enter a valid file name. Select a target folder and enable the option SAVE ONLY SELECTED ROWS, if you would like to export selected users only. Click SAVE to confirm. 7. Right-click the appropriate organization unit and select ADD/REMOVE COLUMNS. Remove the column ADDRESS from the column list and click OK to confirm. 8. Open the program Microsoft Excel or OpenOffice Calc. In the new, empty workbook, click DATA IMPORT EXTERNAL DATA IMPORT DATA. 9. Select the.csv file you previously created and then click OPEN. 10. Check whether in the dialog box Text Import Wizard Step 1 of 3 as original file type (ORIGINAL DATA TYPE) DELIMITED is selected, START IMPORT AT ROW has the value 1, and (FILE ORIGIN) WINDOWS (ANSI) is selected as the file source. Click NEXT. 11. So that the preview can correctly display the data, enable in the dialog box Text Import Wizard Step 2 of 3 COMMA under DELIMITERS. Click NEXT. 12. In the dialog box Text Import Wizard Step 3 of 3 select for each existing column TEXT as COLUMN DATA FORMAT. Then click FINISH. 13. In the dialog box Import Data select EXISTING WORKSHEET and click OK. 14. Save the file in the Excel format. 15. Remove all columns except for the ADDRESS column. 16. The ADDRESS column must now be renamed as Now save the file under a valid name in the.csv format. Confirm the subsequent messages with OK and YES. Creating files for importing apps The app is saved in.apk (Android) or.ipa/.plist (Apple) format in a folder, into which an XML file is placed and in which the file has been entered as a reference. Then the folder is imported as a.zip into the Cortado console (see Page 71). 112 Configuration Manual Cortado Corporate Server

113 Appendix 1. Create an XML file with the following content (example 1 for Android, example 2 for Apple). You can quickly copy the lines from here: example 1 for Android Example 1 for Apple <loader version="3.1"> <application id="mobilecb"> <name>cortado App</name> <description>cortado App Android</description> <version>1.1</version> <vendor>cortado AG</vendor> <copyright>copyright 2012 Cortado</copyright> <devicetype>android</devicetype> <icon>icon.png</icon> <fileset> <directory/> <files>ccjmexplorer.apk</files> </fileset> </application> </loader> <loader version="1.0"> <application id="mobilecb"> <name>cortado App</name> <description>cortado App for ios</description> <version>3.0.39</version> <vendor>cortado AG</vendor> <copyright>copyright 2012 Cortado</copyright> <devicetype>apple</devicetype> <icon>icon.jpg</icon> <fileset> <directory/> <files>cortado.ipa</files> <files>cortado.plist</files> <files>cortadolarge.png</files> <files>cortadosmall.png</files> <files>adhoc.mobileprovision</files> </fileset> </application> </loader> 2. Replace the file name under <files> with that of your app:.apk for Android and.ipa and.plist for Apple. Inclusion of an icon is optional. 3. Save the newly created XML file in the Cortado.cclx file format. Make sure that the.apk file and the.cclx file have the same file name. 4. Pack the.cclx file together with the app file/s in a folder and zip it. The.zip file can then be imported from the Cortado server, to be distributed to the users. Cortado Corporate Server Configuration Manual 113

114 Appendix Illus. 179 Illus. 179 Zip-Datei für App-Import erstellen Intranet App: Define Cortado server as a proxy To provide a secure connection from the mobile device to your intranet, the Cortado server is used as a proxy server. This is explained below. Create a subfolder with any name (here: ZMI, see Illus. 180) in Cortado Corporate Server s installation folder: <InstallationFolder CCS>\WebApps\proxy Every intranet app needs its own folder. Illus. 180 Illus. 180 Creating a subfolder in the proxy folder Open IIS Manager. You will see your created folder (here: zmi) under <server>/sites/cortado/.proxy. In this subfolder, select URL REWRITE (Illus. 181, below). 114 Configuration Manual Cortado Corporate Server

115 Appendix Illus. 181 Illus. 181 IIS Manager: select URL REWRITE in the new subfolder Under INBOUND RULES (upper table), there are five rules. Delete all of them except CLEARACCEPTENCODING. Then add a new one for the redirection by clicking ADD RULE(S) (Illus. 182, right). Illus. 182 Illus. 182 IIS: URL Rewrite: delete four rules and add a new one Select INBOUND RULES: BLANK RULE (Illus. 183). Cortado Corporate Server Configuration Manual 115

116 Appendix Illus. 183 Illus. 183 IIS: add new inbound rule In the next window, you can define the rule. Enter the following: NAME: enter any rule name (here: ZMI redirection) PATTERN: enter the following string: (.*) SERVER VARIABLES: click ADD... button and enter: 1. SERVER VARIABLE NAME: ORIG_REF_URL 2. VALUE: /.proxy/foldername/ here: /.proxy/zmi/; don t forget the slash at the end 3. uncheck REPLACE THE EXISTING VALUE ACTION: ACTION PROPERTIES enter the intranet site s URL whereto the request should lead, including port number and the extension /{R:1}, here as an example: Confirm your settings with APPLY (above right). The result is shown in Illus Configuration Manual Cortado Corporate Server

117 Appendix Illus. 184 Illus. 184 IIS: edit role for redirection (Edit Inbound Rule) By clicking BACK TO RULES (above right), you will see: Illus. 185 Illus. 185 IIS: role for redirection applied successfully Now change to the management console of Cortado Corporate Server and go to INTRANET APPS. Enter the URL as shown; take care of the dot before proxy and the slash at the end (Illus. 186): folder>/ example: Cortado Corporate Server Configuration Manual 117

118 Appendix Illus. 186 Illus. 186 enter the redirection in the Cortado management console Configure file types If you want to make the functions View, Print, Fax, Export, and Present-to-Screen available for s, attachments, and documents from the file system, an application capable of printing each file type must be placed on the Cortado server. For example, a PDF reader is required for.pdf files, and a word processor program for.doc or.rtf files. Applications can be divided into three groups based on the type of installation: 1. Applications that are automatically installed with Windows 2. Applications that are automatically installed with the Cortado Corporate Server installation program (see Cortado Corporate Server: Installation and initial setup manual, Page 133) 3. Applications that are installed manually before or after Cortado Corporate Server installation Displaying file types Open the Configuration Console on the Cortado Corporate Server via START PRO- GRAMS CONFIGURATION CONSOLE. Select CONFIGURE FILE TYPES under ACTIONS (arrow in Illus. 187). Illus. 187 Illus. 187 Configuration Console of the Cortado Corporate Server (detail): Selecting CONFIGURE FILE TYPES A window opens and displays all the file types and extensions created during Cortado Corporate Server installation (Illus. 188). 118 Configuration Manual Cortado Corporate Server

119 Appendix The following file types can be used immediately: Extension Associated application for file type.pdf CCPDF PDF files.csv,.doc,.docm,.docx,.dot,.dotm,.dotx,.odb,.odf,.odg,.odm,.odp,.ods,.odt,.rtf,.ppt,.pps,.xls,.docx,.pptx,.xlsx and others CCOOW Office files like text, PowerPoint, and Excel files.bmp,.gif,.jpeg,.jpg,.png,.tif,.tiff ImageFile images.tsf SFXPrint faxes.log,.scp,.txt,.wtx WordPad text and other plain text files.vcf,.vcs VCFSPrint calendar entries and contacts accdb, mdb CCMSOW Microsoft database files.htm,.html,.eml,.mht,.mhtml CCHTMLPrint HTML files and s Adding file types Use ADD (arrow in Illus. 188) to add more file types from the operating system. Only file types which support a print command (Print or Printto) are listed. Illus. 188 Illus. 188 Add file type In the list that opens, select the desired file type and click ADD again (example in Illus. 189). Cortado Corporate Server Configuration Manual 119

120 Appendix Illus. 189 Illus. 189 Adding file types from the operating system (example WMF file) Setting up new file types Use NEW (arrow in Illus. 190) to create new file types that support a print command (Printto) and for which no Windows application has been installed so far. Illus. 190 Illus. 190 Set new file type Please note that before setting up the file type you must install an application in the configuration console that can print the desired file type, for example, IrfanView for the file type.eps. Name the file type (example EPS file in Illus. 191). 120 Configuration Manual Cortado Corporate Server

121 Appendix Illus. 191 Illus. 191 Name a new file type Select ACTIONS NEW (Illus. 191) to set up the standard print action (printto). Another window opens in which you must enter the print command under APPLICATION USED TO PERFORM ACTION (Illus. 192). Illus. 192 Illus. 192 Setting up action printto Cortado Corporate Server Configuration Manual 121

122 Appendix Use BROWSE (Illus. 192) to find and open the application from which to print (example in Illus. 193). Illus. 193 Illus. 193 Selecting a print application (example IrfanView) Because the print command is called up with parameters, you must add at least two parameters (Illus. 194). You can copy these from an already existing print command of another application (see Illus. 188, under COMMAND) (see complete print command in Illus. 195). Illus. 194 Illus. 194 Incomplete print command 122 Configuration Manual Cortado Corporate Server

123 Appendix Illus. 195 Illus. 195 Complete print command You can now confirm your entries with OK or select the following options: USE DDE: Some applications require communication via DDE (Dynamic Data Exchange). Enter the necessary settings here. SET AS TEMPORARY DEFAULT PRINTER: There are applications that can only print to standard Windows printers under certain conditions. For this case, the selected printer can be made temporarily into a standard Windows printer for each print process. Use the checkbox to enable this function. USE PRINTER SHARE NAME: When network printers are used, sometimes the printer name must be used instead of the share name. In this case, disable the USE PRINTER SHARE NAME option. WORK WITH TEMPORARY COPY OF FILE: Enabling this option creates temporary copies of the files from all functions (such as printing and faxing). Disable this option if you will be working generally with original files. With WAIT FOR FINISH (MS), you set the time to be used for performing the action (List or Export). The default setting is 3000 ms. Confirm your entries with OK. Now the file extensions must be added. Click NEW under EXTENSIONS (Illus. 196). Cortado Corporate Server Configuration Manual 123

124 Appendix Illus. 196 Illus. 196 Defining extensions Another window opens. Enter the desired file extensions here (Illus. 197). Illus. 197 Illus. 197 Entering file extensions Editing file types EDIT (arrow in Illus. 198) allows you to edit the file extensions and actions per each assigned application (example for CCOOW_list in Illus. 199). 124 Configuration Manual Cortado Corporate Server

125 Appendix Illus. 198 Illus. 198 File types and their extensions already set up by Cortado Corporate Server (sample) Illus. 199 Illus. 199 Editing file extensions Cortado Corporate Server Configuration Manual 125

126 Appendix Cortado server ports Find here an overview of TCP ports used by Cortado. You can see which ports are essential, which ones are optional and which port number can be changed. One can also see if there is an incoming or outgoing connection. Port In Out Web Int Ess. Opt Conf Description 25 Connection to mail server (SMTP) 80 (ios only) Connection with mobile device (HTTP) or connection to Apple service (APNS) 82 Connection with mobile device 443 Connection with mobile device (HTTPS) 444 Website CortadoPushService (SNPP) 445 Connection to file and print server (SMB/CIPS and SAM/LSA) 1433 SQL port for database request 2195 (ios only) 2196 (ios only) Apple service (APNS), push notification Apple service (APNS), feedback service 9100 Direct printing to network printer 5223 (ios only) Apple service (APNS), Connection ios device with Apple server In: incoming connection Out: outgoing connection Web: communication to/from internet Int: internal communication within LAN or datacenter Ess.: ports need to be opened as they are essential for usage Opt: ports need to be opened if the respective Cortado function is to be used Conf: port number is configurable and can be changed to another free port ios only: only needed when using Apple end devices Cortado app is inactive The Cortado app will be locked by default if the device is either offline or is switched off for three days (72 hours) (ios devices), or if the app is not used for three days (Android devices) 23. This period can be extended, or the function can be switched 126 Configuration Manual Cortado Corporate Server

127 Appendix off completely. Both will be explained in the following. As well, you can read how a locked device can be re-enabled. App should never be disabled Re-enable a locked device To do this you have to run a Cortado tool once. On the Cortado webseite, go to SUPPORT SOFTWARE TOOLS and install the program ClearMaxInactivityTime.exe. After this file has been run on Cortado Server the apps will no longer be disabled on ios or on Android devices. Please note that if you rerun the Configuration Assistant, this program will need to be rerun as well. If the Cortado app on a device is locked (disabled), you can re-enable it by clicking on the button UNLOCK CORTADO APP under DEVICES (Illus. 200). Please note that the user then needs to start the app within the refresh time i.e. the refresh interval set under EVENT LOG (Page 95). This is usually ten minutes (default value). Illus. 200 Illus. 200 Gesperrtes Gerät wieder aktivieren: Unlock Cortado App App should remain enabled longer To change the pre-set period of three days, open ADSI EDIT on the Cortado server. Then click in the menu on ACTIONS CONNECT TO. In the following window, enter under CONNECTION POINT: DC=ThinPrint and under COMPUTER: localhost (Illus. 201). Confirm with OK. Illus. 201 Illus. 201 ADSI Edit: edit connection Now, you can change the value for THINPRINT-CCMAXINACTIVITYTIME (indicated in minutes) in DEFAULT NAMING CONTEXT DC=THINPRINT CN=CONFIGURATIONS CN=GLOBAL CN=DEVICEMANAGEMENT, as in Illus To switch this function off completely (= apps are never disabled), select the value If the Cortado server is entered as the mail server (Exchange ActiveSync) in the settings, then ActiveSync will be blocked. Users can therefore no longer access their s. Cortado Corporate Server Configuration Manual 127

128 Appendix Illus. 202 Illus. 202 Increase of inactivity timeout intervals Testing the client certificates in the DMZ You can check the client certificates if you have already installed them on users' mobile devices (see Page 81) in the DMZ (demilitarized zone). In such instances, Cortado Corporate Server is located behind the company s firewalls. In the DMZ, the Cortado library TPCCFILESRV has to be installed and IIS needs to be configured accordingly. This library receives the requests from the mobile devices and routes them to Corporate Server (Illus. 203). It is also necessary to import the Cortado root certificate and depending on the certificate mode (see chapter Client certificate modes on Page 82), to import all user root certificates to the server's certificate management in the DMZ. The client certificates themselves may not be imported. Illus. 203 Illus. 203 Check client certificates in the DMZ Import root certificate You can find the Cortado root certificate on the Cortado server in the MMC in the container CONSOLE ROOT CERTIFICATES (LOCAL COMPUTER) TRUSTED ROOT CERTIFI- CATION AUTHORITIES CERTIFICATES (Illus. 204). 128 Configuration Manual Cortado Corporate Server

129 Appendix Illus. 204 Illus. 204 MMC Cortado server: export Cortado root certificate If you use a certificate mode, in which individual client certificates are used per user or device (see Page 82), the corresponding user root certificates must also be imported to the server in the DMZ. You will find this in the MMC of the Cortado server in the container CONSOLE ROOT CERTIFICATES (LOCAL COMPUTER) PERSONAL CERTIFICATES (see Illus. 205). Illus. 205 Illus. 205 MMC Cortado server: export user root certificate If you use purchased certificates from an official certification authority, you must also import them on the server in the DMZ. Be sure to import the entire parent certificate chain for the client certificates. Configure server DMZ server configuration is described below. 1. Copy the Cortado file TPCCFILESRV.DLL 24 into any DMZ server directory 2. Register the dll in the command line with regsvr32 TPCCFileSrv.dll 24 In the Cortado program directory, per default: C:\ PROGRAM FILES CORTADO CORPORATE SERVER IIS CC Cortado Corporate Server Configuration Manual 129

130 Appendix 3. Verify if IIS was installed. If not, install it now. The following options need to be installed in IIS as Role Service: ISAPI Extension and ISAPI Filters at WEBSERVER APPLICATION DEVELOPMENT Basic Authentication at SECURITY 4. Open IIS Manager with START ADMINISTRATIVE TOOLS INTERNET INFORMA- TION SERVICES (IIS) MANAGER 5. Add a website at SITES with the name CORTADO. Specify the path to TPC- CFileSrv.dll file and select a protocol type, IP address and port number. 6. For this new website, add an ISAPI filter (SITES: CORTADO ISAPI FILTERS ADD). Chose CORTADO as a name and specify the path to TPCCFileSrv.dll once more. 7. In the CORTADO site s context menu select ADD APPLICATION... and enter CC at ALIAS. Specify the path to TPCCFileSrv.dll again. 8. CC now appears at SITES CORTADO. For cc, select HANDLER MAPPINGS, then, on the right: EDIT FEATURE PERMISSIONS. Place a checkmark at EXECUTE. 9. On the left, go to the (root) server and select ISAPI AND CGI RESTRICTIONS, then ADD... Enter the path to TPCCFileSrv.dll again. You can enter CORTADO as a description. Put a checkmark at ALLOW EXTENSION PATH TO EXECUTE. 10. Make sure that on the website CORTADO and in the subordinated application CC, only ANONYMOUS AUTHENTICATION is enabled under AUTHENTICATION. 11. Set two registry value here HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPCCFileSrv - ProxyMode (Reg_dword): set to 1 - CCServer (Reg_sz): Enter the URL with the Cortado Corporate Server port number using the following syntax: http(s)://cortadoserveraddress:portnumber Example: Add the account IIS APPPOOL\CORTADO (see step 5) to the parent registry key HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint and provide it with full access rights. Restart IIS, for example with iisreset in the command line. User management using PowerShell When there are a large number of users, it is recommended to use PowerShell for user management. That way it is possible, using self-created scripts to, among other things, import or remove users, allocate them network drives or printers, or change password settings. Set the rights to import the PowerShell modules with the command: Set-ExecutionPolicy remotesigned and then import the modules with the command: Import-module ccspowershell Then provide the access credentials as recommended for installation and configuration of CortadoService accounts with the command: $ccscred =Get-Credential [email protected] 130 Configuration Manual Cortado Corporate Server

131 Appendix As an example, to import a user, use the following command chain (pipe): Connect-CCSFarm -CCSUrl -PSCredential $ccscred Add-CCSUser -SamAccountName user12 You will find a list of all PowerShell commands for the Cortado server here: Cmdlet Range Function Add-CCSGroup Global Imports an AD group Add-CCSLocalPrinter User based Adds a local installed network printer Add-CCSNetworkFolder User based Adds a network folder Add-CCSNetworkPrinter User based Adds a connection to a printer share Add-CCSSharedPrinter User based Adds a connection to a printer share including path Add-CCSUser Global Imports a user Connect-CCSFarm Global Connects PowerShell with the Cortado Server Disable-CCSUser User based Deactivates user access for the Cortado app Enable-CCSUser User based Activates a user for the Cortado app Get-CCSGroupUsers Global Lists imported AD group users (partial command for pipe) Get-CCSUser Global Lists a CCS user (partial command for pipe) Get-CCSUsers Global Lists all CCS users (partial command for pipe) New-CCSCertificate User based Creates a new certificate Remove-CCSLocalPrinter User based Removes a local printer Remove-CCSNetworkFolder User based Removes a network folder Remove-CCSNetworkPrinter User based Removes a network printer Remove-CCSSharedPrinter User based Removes a printer share Remove-CCSUser User based Removes a user from Cortado Corporate Server Send-CCSConfigurationMail User based Sends a configuration Cortado Corporate Server Configuration Manual 131

132 Appendix Cmdlet Range Function Set-CCSPasswordChangeInterval User based Sets the interval for changing the Cortado password Set-CCSPasswordMinLength User based Sets the minimum length of the Cortado password Set-CCSPasswordRetryCount User based Sets the number of failed attempts for the Cortado password Set-CCSPasswordSettings User based Sets the Cortado password Update-CCSPassword User based Password will be reset For further information on using PowerShell go to our technical information: Configure Cortado with PowerShell (see Page 133). Update to 6.1 If you want to update from Cortado Corporate Server 5.3, 5.5 or 6.0 to , you could use the installation program Setup.exe. This uninstalls the old version and then installs the new. All settings are retained. Please note that the structure of the database has changed in version 6.1 and must therefore be adjusted to the new version. During installation select in the Setup Type window the option CORTADO CORPORATE SERVER 6.1 WITH SQL DATABASE 26 (see Illus. 206). The contents of your database will not be overwritten. Illus. 206 Illus. 206 install Cortado with database 25 Windows Server 2008 R2 only 26 This relates not to the Microsoft SQL Server 2008 R2 Express (x64), software, but to the database itself. 132 Configuration Manual Cortado Corporate Server

133 Appendix Note! Users of Apple Mobile Device Management must change some settings on the SCEP Server (see chapter SCEP server installation auf Page 17) ios users must then rerun the FIRST STEPS WIZARD in the USER SELF SERVICE PORTAL to download the new MDM profile (see Page 96). For updates to Cortado Corporate Server that are older than one year, valid license keys are required. These license keys can be purchased via the Update Subscription Program. Please visit Cortado Enterprise Portal: Uninstalling the Cortado Corporate Server To uninstall Cortado Corporate Server go to START CONTROL PANEL PRO- GRAMS UNINSTALL A PROGRAM. Click on CORTADO CORPORATE SERVER and select UNINSTALL using right click. Once Cortado Corporate is uninstalled, all printers connected to CortadoPorts will automatically be connected to another printer port. Please note that only Cortado Corporate Server will be uninstalled and that AD LDS Instance and other software components will remain installed. Restart Windows. Additional sources Further information about Cortado can be downloaded from our website. Manuals The following manuals are available at SUPPORT MANUALS CORTADO CORPORATE SERVER: Cortado Corporate Server: Installation and initial setup Cortado Corporate Server: Quick Installation for ipad and HTML5 Browsers Cortado Corporate Server: User Self Service Portal Configure Cortado with PowerShell Personal Printing Essentials: Secure Printing 2.0 HTML5 client for Cortado Corporate Server Under PRODUCTS OVERVIEW SERVER ENGINE MANUALS, or TECHNICAL INFORMATION the following documents are available: ThinPrint Server Engine manual Licensing: Using License Manager for ThinPrint and Cortado licenses User Guides for the Cortado apps User guides for the Cortado apps on mobile devices can be found on our website under SUPPORT GUIDES & MANUALS CORTADO CORPORATE SERVER USER GUIDES. Cortado Corporate Server Configuration Manual 133

134 Appendix Customer service and technical support Customer Service Abbreviations AD ADAM BES BIS Bluetooth printing CN COM CSR.csv DC DCOM Device ID DFS DNS FQDN GB HTTP ID IIS IMEI ios IP IT LAN MB MDM MMC NDES NTLM PIN RAM RIM Active Directory Active Directory Application Mode BlackBerry Enterprise Server BlackBerry Internet Service printing with mobile devices via a local interface like Bluetooth, infrared, or Wi-FI Common Name Component Object Model Certificate Signing Request Comma separated value Domain Controller/Domain Component Distributed Component Object Model Identification number (of a device) Distributed File System Domain Name System Fully Qualified Domain Name Gigabyte Hypertext Transfer Protocol Identification number Internet Information Services International Mobile Equipment Identity Mobile device s operating system (Apple) see TCP/IP Information technology Local Area Network Megabyte Mobile Device Management Microsoft Management Console Network Device Enrollment Service (Microsoft) NT LAN Manager Personal Identification Number Random Access Memory Research in Motion 134 Configuration Manual Cortado Corporate Server

135 Appendix SCEP SD card SP SQL SSID SSL TCP/IP TLS TP UNC UPN URL Simple Certificate Enrollment Protocol Secure Digital (Memory) Card Service Pack Structured Query Language Server Set Identifier Secure Sockets Layer Transport Control Protocol / Internet Protocol Transport Layer Security ThinPrint Universal Naming Convention User Principle Name Universal Resource Locator (Internet address) Cortado Corporate Server Configuration Manual 135