EM L05
Managing iOS and Android Mobile Devices with Symantec Mobile Management
Hands-On Lab

Description

The Symantec Mobile Management platform continues to expand its offering with new support for native agent-based management of Android devices. This lab gives the user hands-on experience with the configuration and settings required to add these devices to the existing SMM infrastructure. We will examine some of the differences in available actions across supported native agent devices such as Android, and understand how the latest offering continues to offer the Enterprise a common platform experience.

This lab assumes a basic familiarity with SMM 7.1 and the SMP platform.

At the end of this lab, you should be able to:

- Understand the improvements in the UI for SMM 7.2 SP1
- Be familiar with the process of creating profiles and policies for Android mobile devices
- Have an understanding of the differences between managing iOS and Android devices
- Be able to create Mobile Library content and deliver it to targeted groups of devices
- Apply actions to Android mobile devices
- Be familiar with Mobile Inventory and Reporting capability

Notes

- A brief presentation will introduce this lab session and discuss key concepts.
- The lab will be directed and provide you with step-by-step walkthroughs of key features.
- Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
- Be sure to ask your instructor any questions you may have.
- Thank you for coming to our lab session.
Getting Started

Before you begin, you will need to be sure that the SMM-Exchange and SMM-Server virtual machines have been started (in that order). Once the VMs have finished loading, you will be ready to begin. Unless otherwise stated, all of the exercises should be done from the SMM-Server virtual machine.

Let's explore some of the new configuration UI changes in SMM 7.2 SP1

The release of SMM 7.2 SP1 includes native Android agent-based management and continues to improve upon the existing iOS management capabilities. The user interface has also been adjusted to make navigating to the areas of most importance easier for administrators. In this exercise we will take a first look at some changes to the console interface.

1. On the SMM-Server, open the Symantec Management Console from the desktop shortcut.
2. Select Home > Mobile Management.
3. Click on the arrow to expand the options in the Settings tab.
   Note: This area has been redesigned and separated from the former Configuration tab.
4. Click on the arrow to expand the options in the Device Management tab.
   Note: This area has also been redesigned and separated from the former Configuration tab, and has added access points accessible from other multi-level selections.
5. Click on the arrow to expand the options in the Overviews and Reports tab.
   Note: This is a new tab which allows easier access to areas previously contained in the Inventory tab as well as in system reports. Creating this tab allows for quicker access to commonly used areas for reporting. Devices by operating system is the default listed dashboard.

Looking at new iOS configuration settings

1. Click back on the arrow to expand the options in the Device Management tab.
2. Click on Configuration Editor.
3. In the center column, select the iOS Profiles tab if it is not already open.
   Note: A couple of additional profile configurations have been added for supervised devices using the Apple Configurator utility, and there are updated changes to support newer iOS functionality.
4. Click on the EAS configuration profile.
5. Create a new payload by selecting the yellow asterisk in the right hand column.
   Note: New email security settings like Allow Move and Use Only in Mail allow for new increased security options.
6. Click Cancel.
7. Under iOS Configuration, select the Restrictions profile.
8. Create a new payload by selecting the yellow asterisk in the right hand column.
9. Select the Device tab.
   Note: Newer settings for control of Siri voice control and other increased options.
10. Click on the Security/Privacy tab.
    Note: New security restrictions available.
11. Click on the iCloud tab.
    Note: Important controls for use of iCloud, critical settings for customers.
12. Click on the all new Supervised tab.
    Note: This is new iOS 6 functionality supported with SP1.
13. Click Cancel.
14. Under iOS Configuration, select the Wi-Fi profile.
15. Create a new payload by selecting the yellow asterisk in the right hand column.
    Note: Newer Auto Join and Proxy configuration settings.
16. Under the Proxy setting, use the drop down to select Manual.
17. Scroll down to see where additional configuration entries can be made.
18. Change the dropdown to Automatic to note the changes, and click Cancel when done.
Creation of Android Settings and Policies

Like iOS, configuration of Mobile Management Android settings is done in the Symantec Management Console. Android devices are configured using configuration settings, which control specific features of the device. These profiles are composed of Android configuration settings and are delivered to the Android device, where Symantec Mobile Management configures and manages the device using the available Android APIs. Android supports a very small subset of device management options when compared to iOS.

Android settings are configured in the Configuration Editor page.

1. In the Configuration Editor, select the Android Configuration tab in the center column.
   Note: As with iOS, Configuration Editor provides both editing of policies (profiles) and storage of the policies in the Configuration Editor's library of policies. These policies are stored here, but applied in a different configuration UI.

Create Android Passcode Profile

1. Under Android Configuration select Passcode.
2. In the right hand pane click on the yellow asterisk at the top, New Payload.
3. Input the name of the new passcode policy, Lab Passcode, and a brief description.
4. Set the dropdown under Password Complexity to Alphanumeric.
5. Set the Maximum number of failed attempts value to 4.
6. Using the dropdown, set the value for Minimum Passcode Length to 5.
7. Click the button to Save Changes.

View Android Device Options Profile

1. Under Android Configuration select Device Options.
2. In the right hand pane click on the yellow asterisk at the top, New Payload.
   Note: As stated, Android supports a very small subset of device options.
3. Click Cancel.

Exploring further Android Integration with NitroDesk TouchDown

The current release is integrated with NitroDesk's TouchDown email client to enable email setup and selective wipe (Android does not support the former with the native email client). TouchDown runs on your Android phone and provides you with the ability to receive and send e-mails, manage your contacts, and view your appointments from your company's Exchange server. It integrates with SMM and allows for a common platform control for Android device management that is not available with the native APIs.

View Touchdown account settings options

1. Under Android Configuration select Touchdown Account.
2. In the right hand pane click on the yellow asterisk at the top, New Payload.
3. Scroll to view the options for configuration of this account.
4. Click Cancel.

View Touchdown Policy settings options

Using TouchDown allows for a broader range of device controls than are available with the native APIs. In this section we will explore some of those configuration settings so that you may familiarize yourself with some of the options available.

1. Under Android Configuration select Touchdown Policy.
2. In the right hand pane click on the yellow asterisk at the top, New Payload.
3. Select the Password tab.
   Note: This is similar to the previous passcode options, but is configurable via TouchDown and specific to that application.
4. Click on the Device Options tab.
   Note: Much greater ability to set and configure device options than what is available natively. Of note are the Security and Storage Card Feature settings.
5. Click on the Email tab.
   Note: Email control options include such settings as Disable ability to copy from or paste to an email.
6. Click Cancel.

New server based settings for expanded Mobile device options

1. In the left hand console column, click on the arrow to expand the options in the Settings tab.
   Note: There are new Enrollment links broken out by device OS, with specific enrollment options for that OS, as well as General Enrollment.
2. Select iOS Enrollment.
   Note: New console integration for requesting the signed CSR file for generation of the required Apple APNS certificate. This process is now much more automated with this release and is initiated directly from the SMM console.
   Symantec MPKI configuration has been moved from previous config file changes into real console settings in this area as well.
3. Select Android Enrollment.
   Note: GCM integration is new for use with Android devices. It is a simple message service that provides for remote actions, similar to what APNS does for iOS.

Mobile Library Content Creation and New Targeting Capabilities

The Symantec Mobile Library provides enhanced Enterprise App Store capabilities. The Mobile Library enables companies to deliver content and application listings to their end users' mobile devices via the Mobile Management agent. The Mobile Library is delivered to the agent as a set of RSS feeds. In this exercise we will create Mobile Library content and look at changes in the delivery options within SMM 7.2 SP1.

Building a Mobile Library consists of two steps:

1. Building the Mobile Library Feeds.
2. Adding applications and content to a specific Mobile Feed.

Building the Mobile Library Feeds

1. Go to Home > Mobile Management > Device Management > Mobile Library Editor.
2. Click on the New Feed button at the top of the Library feed table.
3. Enter a unique integer in the Feed ID field as an identifier, such as 001.
4. Change Feed Language to the appropriate language for your device.
5. Add a feed with the title New Sales data.
6. Enter a brief Feed Description, e.g. Latest product Sales data.
7. Click the OK button.
8. The feed will now appear in the list of Mobile Feeds but is not yet published.

Adding Web Content to a specific Mobile Feed

1. Click the ITEMS button at the top of the Mobile Library Editor window.
2. Select the New Sales data feed using the dropdown at the top left corner.
3. Select New Item to create content for the feed.
   Note: The agent supports 3 types of Feeds:
   - Application: A commercial or in-house application
   - Document: Word documents, PDFs and Excel spreadsheets
   - Media: Video links, MP4, photos, MP3, Web links, etc.
   File limitations are determined by device capabilities, and feed selections will be based upon content created and required usage.
4. Add Item Name Salesforce.
5. Add Item Version 1.1.
6. Add Item Author your name.
7. In Item description add link to Salesforce.com.
8. Select Media in Item Category.
9. Select Other in Item Type.
10. Select Android in Platform Type.
11. Select Recommended in Item Priority.
12. Click on Select Files in the right pane and browse to c:\lab Files\Mobile Library Content\salesforce.png.
    NOTE: Content added to the Mobile Library requires a 57x57 pixel icon in .png format.
13. Click on Upload Files to upload content.
14. Click Close when uploading is complete. You will now see that the Item Icon path has been automatically created.
15. Enter http://www.salesforce.com/ in Item Link.
16. Click the Item is Published checkbox to distribute the item to agents.
17. Click the OK button to save changes.
18. Click the FEEDS button at the top of the Mobile Library Editor window.
19. Click the green Edit button on the right side of the created New Sales Data feed.
20. Click the Feed is Published checkbox to publish the feed content.
21. Click the Is Feed Default checkbox to set this as the default feed.
22. Click the OK button to save changes.

Create Mobile Configuration Policy and Target delivery of a specific Mobile Feed

SMM 7.2 SP1 includes the ability to target mobile library feeds based upon standard SMP groups. Now that you have created Mobile Configuration Profiles, you will need to target them for deployment to devices using a Mobile Configuration Policy. The Mobile Configuration Management page can be accessed via the new UI: Device Management > Go to policy management.
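As an added example (not part of the original lab or of Symantec's product), the Python sketch below takes the Lab Passcode values set earlier (Alphanumeric, minimum length 5, maximum 4 failed attempts) and shows which passcodes comply and how small a blind-guess chance the attempt limit leaves. It assumes passcodes use only ASCII letters and digits, and it models the limit as refusing further guesses, since the lab does not say what the device does once the limit is reached.

```python
import string

# Values taken from the Lab Passcode profile created in this lab.
MIN_LENGTH = 5
MAX_FAILED_ATTEMPTS = 4

# Assumption: passcodes are drawn from ASCII letters and digits only.
LETTERS = string.ascii_letters
DIGITS = string.digits


def meets_policy(passcode: str) -> bool:
    """True if the passcode is long enough and mixes letters with digits."""
    has_letter = any(c in LETTERS for c in passcode)
    has_digit = any(c in DIGITS for c in passcode)
    return len(passcode) >= MIN_LENGTH and has_letter and has_digit


def compliant_count(length: int) -> int:
    """Count letter/digit strings of this length with at least one of each.

    Inclusion-exclusion: all strings, minus letters-only, minus digits-only.
    """
    total = (len(LETTERS) + len(DIGITS)) ** length
    return total - len(LETTERS) ** length - len(DIGITS) ** length


def guess_probability(length: int, attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance that `attempts` distinct blind guesses hit a uniformly chosen passcode."""
    return attempts / compliant_count(length)


class AttemptCounter:
    """Models the failed-attempt limit (hypothetical model, not the agent's code)."""

    def __init__(self, secret: str, limit: int = MAX_FAILED_ATTEMPTS):
        self._secret = secret
        self._limit = limit
        self.failures = 0

    def try_unlock(self, guess: str) -> str:
        if self.failures >= self._limit:
            return "limit reached"      # no further guesses are evaluated
        if guess == self._secret:
            self.failures = 0           # a successful unlock resets the count
            return "unlocked"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    for candidate in ("abc12", "abcde", "12345", "ab12"):  # constructed samples
        print(candidate, meets_policy(candidate))
    print("compliant 5-character passcodes:", compliant_count(MIN_LENGTH))
    print("blind-guess chance in 4 tries:", guess_probability(MIN_LENGTH))
```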
Create New Mobile Device Configuration Policy

1. Right click on the Mobile Configuration Policies folder.
2. Select New > Mobile Device Configuration Policy.
3. Under Configuration settings, click the yellow asterisk.
4. Select the Lab Passcode Profile.
5. Scroll to the bottom and click OK.

Profiles selected will now appear in the configuration settings.

Now you can use Feed Settings to determine which Mobile Library feeds are included with this policy.

1. Under Feed Settings, click the yellow asterisk.
2. Select the lab Mobile Library Feed previously created.
3. Click OK.

Feeds selected will now appear in the Feed Settings.

Next you must create targeting rules to determine which mobile devices will be targeted with the policy and Feed.

1. Click on the arrow button at the right side of the Applied To divider.
2. Click on the Apply To button > Mobile Devices. This will open the select resources dialog box.
3. Click the Add rule button.
4. Select exclude resources NOT in from the first dropdown.
5. Select Resource list from the second dropdown.
6. Click the Browse button to search for a device to target with this policy.
7. When the Select Resources page opens, use the drop down to select the Mobile group.
8. Choose the device to target for this policy or search for the device name.
9. Use the arrow to move the selection to the right side Selected resources box.
10. Click the OK button at the bottom.
11. Click the Update results button to verify which devices are targeted.
12. Click the OK button again to save the selection.
    Note: If you wish to apply the policy to all agent-managed Android devices, you can choose Apply to > Quick Apply > and choose the All Android Devices Managed with MDM selection in the menu.
13. Click Save Changes at the bottom of the screen.
14. At the top of the Policy Rules/Actions screen, toggle the red Off button to green On to enable the Policy for distribution.
15. Click Save Changes at the bottom of the screen.
Note: Policy distribution will not typically happen instantaneously. The policies are rechecked periodically for updates, and agents will be notified after the policies have been reevaluated by the server.

Force Policy Update on Device

1. From the Symantec Management Console choose Device Management > Manage Mobile Devices.
2. Right click the device name in the right hand pane and select Device Management > Update Policies.
3. Click the OK button when prompted to update.
4. Click Close.

Applying Actions to Android Devices

In this exercise we will examine the area within Symantec Mobile Management that controls allowed actions on Android devices. There are a number of allowed actions that can be performed on the device, and there are a number of places within Symantec Mobile Management to perform these actions.

1. In the Symantec Management Console navigate to Device Management > Manage Mobile Devices.
2. Expand the tree in the left pane if not open and select Mobile.
3. In the Mobile Resources pane, right click on an Android device.
   a. Use user1_acer A100
4. After the menu loads, move the mouse to Device Management.
5. Select Lock Device.
6. Click the OK button to confirm.
7. Click Close.
8. The Android device would now be locked and prompt the user to enter a passcode if a passcode policy is still assigned.

Let's look at another area of interest with some additional options.

1. Right click your Android device again.
2. After the menu loads, select Device Management > View Device Information toward the bottom.
3. A new page will open showing a new and more user friendly device based overview.
   Note: This is a new device view page added with the recent SP1 release. The view gives an overview of Device Detail, Inventory and Action based information in an easily viewable format.
Using Resource Manager to View Detailed Device Data

The Mobile Management Server stores detailed information about managed devices that can be viewed using the Resource Manager. Examples of the information stored are device status, history, and specific Android content data should it be required. In this exercise we will look at some of these attributes.

With the existing Resource Manager page open, select View > Inventory from the top menu bar, or alternately:

1. In the Symantec Management Console navigate to Device Management > Manage Mobile Devices.
2. In the Mobile Resources pane right click on your Android device.
3. After the menu loads, move the mouse to Resource Manager.
4. Select View > Inventory from the top menu bar.
5. You will see the data about the device configuration. The middle window shows a tree view of different types of data. Click to expand the Mobile Inventory to view mobile device data.

Mobile Management Reports

Mobile Management Reports provide out of the box reporting on a number of different parameters across the mobile devices being managed. In addition, there are new reports added for this release of Symantec Mobile Management 7.2 SP1. Some of the most commonly used reports are now available under the Overviews and Reports dashboard.

Looking at new Reports

1. From the Symantec Management Console navigate to Overviews and Reports.
2. Click on the Jailbroken and Rooted Devices report.
   Note: This report contains a view of unauthorized devices across device OS types based upon the listed criteria, such as jailbroken/rooted devices, unsupported OS version, or unapproved user account.

Android Agent and Instructor-Led Demonstration

In this exercise we will install the Mobile Management Agent on an Android device and enroll the device for management. Due to limitations in our lab environment, some of this exercise may be an instructor-led demonstration.
These are the general steps used, and they may vary slightly from the actual steps depending on the particular Android device used.

Note: Before beginning this exercise, and due to limitations in our lab environment, please temporarily disable the public network connection on SMM-SERVER for Local Area Connection 2. This will allow the Android virtual machine to connect correctly to our lab environment. Once the virtual machine has launched you should re-enable the NIC connection.

1. Open the AVD Manager from the shortcut on the SMM-Server desktop.
2. In the Android Virtual Device Manager window, select the Lab_AVD device.
3. Click the Start button on the right hand side.
4. In the Launch Options window, click the Launch button.
   Note: The Android emulator is now launching. This may take a minute or two to open.
5. Once the emulator opens, slide the lock icon to the right over the unlock icon to open.
6. Click the Apps icon in the bottom center.
7. Click on the Downloads icon.
8. Double click on the MobileMgmt.apk file to launch.
9. Click Install to install the agent on the device.
10. Once complete, click Open and begin enrollment.
11. In the server settings used for enrollment type http://smmserver.symmobile.local/mobileenrollment/symc-androidenroll.aspx.
12. De-select the checkbox to Require SSL.
13. Click the Submit button.
14. Click OK to enter credentials.
15. In User name type your user name.
16. In Password type any password.
    Note: If the agent were set up for authentication then these would be a valid Domain username and password.
17. Click the checkbox indicating if this is a corporate owned device.
18. Click on the Submit button.
19. Accept the EULA and click Submit.
20. Host service status will change from Inactive to Active.
21. If prompted, respond to the Security notice to Activate the device.
22. Click the device Home button.

Demonstration of applying Android actions

1. In the Symantec Management Console navigate to Device Management > Manage Mobile Devices.
2. In the Manage Mobile Devices pane, right click on an Android device.
3. After the menu loads, move the mouse to Android.
4. Select Lock Device.
5. Click the OK button to confirm.
6. Click Close.
7. The Android device would now be locked.