UP L18 Enhanced MDM and Updated Email Protection
Hands-On Lab

Description

The Symantec App Center platform continues to expand its offering with new enhanced support for native agent-based device management (MDM) of Android and iOS devices. In addition, we are pleased to be able to showcase enhanced email management capabilities not previously possible through native email clients alone. This lab will give the user hands-on experience with configuration of policy settings, MDM command functionality and controlled email integration using the latest Symantec secure email client and App Center 4.1.

At the end of this lab, you should:

- Be familiar with the enhanced MDM capabilities for iOS and Android
- Be familiar with the setup and usage of Symantec Secure Email for email configuration
- Understand how policy configurations can be used and configured
- Be familiar with the updated reporting capabilities of this latest release
- Understand how the End-User Portal can be installed and configured

Notes

- A brief presentation will introduce this lab session and discuss key concepts.
- The lab will be directed and provide you with step-by-step walkthroughs of key features.
- Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
- Be sure to ask your instructor any questions you may have.
- Thank you for coming to our lab session.

Getting Started

Before you begin, make sure the SMM-Exchange and AppCenter41-1 virtual machines are started and running. Unless otherwise specified, lab exercises will be performed on the AppCenter41-1 virtual machine.

Prepare Lab Accounts for AD integration and Usage

For portions of our lab we will use a specific user account to access our App Center environment. Our App Center has been pre-configured to authenticate to our Lab AD server. In this exercise we will create a test user account and make the necessary final adjustments. This exercise will be performed on the SMM-Exchange virtual machine.

1. From the SMM-Exchange virtual machine, open the Active Directory Users and Computers shortcut on the desktop
2. Right-click the App Center Users OU and select New > User
3. Create a new user account as noted
   a. User logon name: appuser1
   b. Password: symc4now
   c. User cannot change password
   d. Password never expires
4. Right-click on the newly created user and select Properties
5. Make the user account a member of the AppCenterAdmins group AND the AppDevelopers group
6. Click OK
7. The required test user account has now been created and added to our test Group and OU.

Next we will create a mailbox for our lab user

1. Open the Exchange Management Console from the shortcut on the task bar
2. In the Exchange Management Console, expand the Recipient Configuration directory.
3. Right-click Mailbox and select New Mailbox.
4. Verify that User mailbox is selected, click Next.
5. Select the Existing Users radio button and click Add.
6. Select the appuser1 account and click OK
7. Click Next.
8. Enter a mailbox alias name of appuser1
9. In the mailbox settings page, click the checkbox for Exchange ActiveSync mailbox Policy
10. Use the browse button and select the Default policy for these users.
11. Click Next
12. Click New to create the mailbox
13. Click Finish
14. Open a browser and navigate to https://smm-exchange.symmobile.local/owa
    Note: this is https, not http
15. Accept the certificate warning and continue to the website.
16. Sign into Outlook Web Access with the following credentials
    Username: SYMMOBILE\administrator
    Password: symc4now
17. Click OK to accept default settings
18. Send a test email message to our lab user account.
19. Sign out of Outlook Web Access and log back in as appuser1 to verify receipt of the message.

Preparing for MDM management and device enrollment

In this exercise we will make some final configuration changes to prepare for device enrollment and MDM management.

Upload Symantec Secure Email to App Center

1. Switch to the AppCenter41-1 virtual machine
2. Log into the server using the following credentials
   Username: symantec
   Password: symc4now
3. Launch the App Center console by navigating to Applications > Internet > Firefox Web Browser
4. Navigate to https://appcenter41-1.symmobile.net/admin
5. Click the link to Log in to local IDP
6. Log in using the following credentials
   Username: appcenter
   Password: symc4now
7. In the App Center console navigate to Apps > Add App..
8. Click the Browse button and navigate to /home/symantec/desktop/app\ Center\ Resources/apps/
9. Click the nitroid-symantec.apk file under Name
10. Click Open
11. Click the radio button next to Publish as Production and click Save

Allow for rooted device access

1. In the App Center console navigate to Settings > Device Clients > Android Client
2. De-select the Usage Restrictions checkbox
   This will allow our rooted Android emulator to enroll to our environment
3. Click the Save button
   Allow the Android client to rebuild

Set GCM communication access

1. In the App Center console navigate to Settings > Google GCM
2. Input the included lab GCM Project ID and API key from the text file found in the App Center Resources folder on the desktop (the GCM_account file)
3. Copy and paste the values into App Center
4. Click the Save button
5. Click Continue when prompted to Rebuild the Android Client

Enable Device Management

1. In the App Center console navigate to Settings > Device Management
2. Select the checkbox to Enable device management
3. Scroll down to see some specific settings that can be modified or are specific by mobile OS
   Note: MDM management for iOS devices requires the use of an MDM certificate
4. Click the Save button
5. Rename the Default Policy to Admin Policy and target it to the administrators group using the checkbox
6. Leave all other settings as default and click the Save button
   Open the Device Policy setting page to verify the creation of this new policy
   Note: We will spend more time looking at some of the policy settings in an exercise later on in this lab

Creating the Android AVD File

1. Start a terminal session by navigating to Applications > Accessories > Terminal
2. Type android and press enter. This will launch the Android SDK Manager.
3. In the Android SDK Manager navigate to Tools > Manage AVDs
   This will launch the Android Virtual Device Manager
4. In the Android Virtual Device Manager, click New
5. Give the AVD a name; in this example we will use LabAVD
6. Click the dropdown next to Device and select Nexus S
7. Click the dropdown next to Target and select Google APIs (Google Inc.) API Level 17
8. Change the VM Heap setting to 64
9. Next to Internal Storage, enter 300 MiB
10. Next to SD Card, click the radio button next to Size and enter 300 MiB
11. Click OK
12. Click OK again. The Android AVD has been built but it now needs to be configured to communicate with App Center. We will do this in the next section.
13. Click the X in the upper right corner of the Android Virtual Device Manager to close it.
14. Click the X in the upper right corner of the Android SDK Manager to close it.

Configuring the Android AVD File for Communication with App Center

1. Start a terminal session by navigating to Applications > Accessories > Terminal (if not still running)
2. Type emulator -avd LabAVD and press enter. This will start the Android AVD file named LabAVD. Give the emulator a minute to start. Leave this window running in the background. Do not close or ctrl-c the terminal window or it will cancel the emulator loading.
3. Open a new terminal window by navigating to Applications > Accessories > Terminal
4. Type adb remount and press enter
   The emulator will need a minute to load. You will see remount succeeded when completed successfully; try again if you see an error.
5. Start a new terminal session by navigating to Applications > Accessories > Terminal
6. Change the directory to the /etc directory by typing cd /etc
7. Type adb push hosts /system/etc
   This will allow us to push a hosts file to the emulator device to allow us to connect with our lab App Center environment. The emulator may take a couple of minutes to fully launch.

Testing the Android emulator

1. Switch to the Android emulator console and on the home screen it should say Make yourself at home. Click the OK button in the bottom right of the screen.
2. Click the blue globe icon in the bottom right of the emulator. This is the web browser.
3. Click the URL bar at the top of the browser and enter https://appcenter41-1.symmobile.net (if not already set) and press enter. If the URL loads, then the hosts file was loaded correctly. If it says webpage unavailable, repeat steps 3-6 in the section above and try again.
4. When the App Center page loads, enter your lab AD username, appuser1
5. Enter the password, which is symc4now
6. Click the Login button
7. Click the Download App Center button
8. After a moment, an arrow pointing down will appear in the notification bar. Click the notification bar and drag it down.
9. When it says Download Complete, click the AppCenter-appcenter4.1.apk file
10. A dialog box asking "Do you want to install this application? It will get access to:" will appear. Note the permissions and click Next
11. Click Install
12. Click Open. The App Center login screen will open
13. Under username, enter appuser1
14. Under password, enter symc4now
15. Click Submit and App Center will perform several actions such as posting device information and retrieving settings.
16. Click the Accept button to activate Device Administrator
    Note: This is required for MDM management of the device
17. The Secure Email application previously installed will display upon login
18. Open the App Center console and navigate to Devices
19. Select your enrolled device and click the Settings link and note the Admin Policy now targeted to your device

Creating and Understanding the Settings Catalog, MDM Policies and Commands

App Center 4.1 includes functional enhancements to the previous MDM capabilities in the product, providing a much more feature-rich set of controls for both iOS and Android device management. We have briefly looked at the modification of the default device policy when installing Device Management. In this exercise we will create a new device policy adding functionality for our lab device and explore some of the new MDM policy capabilities.

App Center 4.1 contains a new way of working with policy options called the Settings Catalog. Individual control configurations can be set up once in the Settings Catalog and then used in multiple policies. Policies then contain a bundle of settings from the catalog.

We will configure a new policy using the Settings Catalog

1. From the App Center console navigate to Device Policy
2. Click the Settings Catalog tab
3. Click the + sign next to Android Password
4. In the Edit Setting Details page we will configure the following passcode requirements:
5. Click the Save button when complete
6. Click the + sign next to Touchdown
7. In the Edit Setting Details page we will configure the following Account requirements:
8. Scroll down and select the checkbox to Allow self-signed server certificates
9. Click the Save button when complete

Take some time to open some of the other configuration settings. Some are universal (such as Touchdown) and others are iOS or Android specific. Of special note are the
differences in the Restrictions available between iOS and Android. These are limited based upon available operating system level APIs. Apple provides a much more feature-rich set of native APIs than are available with the native Google APIs alone.

Next, we will create a new lab Policy using configuration settings from our catalog

1. Select the Device Policies tab
2. Click the New Policy button to create a new lab policy
3. Give your policy a name, e.g. Lab User Policy, and a description
4. Under Group Selection, target this policy to the administrators group
   Note: We are purposefully targeting this policy to the same group that has the Admin Policy in order to show what happens when multiple policies are targeted to the same group
5. Under the General Settings section, check the boxes to Collect App Information and Device Location
6. Expand the arrow next to the TouchDown Email Settings
7. Use the dropdown to select the Touchdown configuration previously created in the Settings Catalog
   Note: If not previously created, you could also create New here, or Edit the previous configuration
8. Expand the arrow next to Android Settings
9. Use the dropdown to select the Passcode configuration previously created in the Settings Catalog
   Note: If not previously created, you could also create New here, or Edit the previous configuration
10. Click the Save button to save the policy
11. Navigate to the Devices page
12. Select your enrolled device and click the Settings link again and note that the Lab User Policy is now targeted to your device

Understanding Policy Priorities and Precedence

When a user belongs to multiple groups, each with their own policy, the policy that is applied is determined by the order of precedence within App Center. In this exercise we will take a closer look at how this works and adjust the order of Policy Precedence.

1. Edit the Lab User Policy, changing the target from administrators to the developers group
2. Edit the Admin Policy, again targeting it to the administrators group
3. Navigate to the Devices page
4. Select your enrolled device and click the Settings link again and note that the Admin Policy is now targeted to your device
5. Navigate back to the Device Policy page
6. Click on the Change Priorities button
   Note: The message indicates the order in which policies are applied. A user who is targeted by multiple policies will receive the policy that FIRST applies to that user
7. Choose the Lab User Policy and move it UP in priority
   Our test user, appuser1, is a member of both the administrators and developers groups and is therefore targeted by both policies. The Lab User Policy is the more restrictive, containing email configuration as well as a passcode device policy from the Settings Catalog. You may also choose to think of this order as needing to go from Most Restrictive to Least Restrictive in order to ensure that users in multiple groups receive the correct policy.
8. Click the Save button to save your changes
9. Navigate to the Devices page
10. Select your enrolled device and click the Settings link again and note that the Lab User Policy is now targeted to your device

Using MDM Commands

In this next exercise we will use MDM commands to test our enrollment and update our enrolled device with the latest policy

1. From the Devices screen, select the Commands.. button
   Note the information at the top of the Device Commands page; commands contain a brief description of their use
2. Click the Lock button to send a Lock command to your device; say Yes when asked to confirm
   Lock status will change from Pending to Successful
3. Click the Close button
4. Switch to the AVD to view the locked screen state of the device
5. In the App Center console, select the Commands button again
6. Scroll down and click the Fetch button to force the device to retrieve the latest policy
   Note: This command works differently on iOS and Android. Use of this command on Android requires that the device is push verified and that the user is logged into App Center.
7. Fetch status will change to Fetch Successful with a green circle similar to the view above
8. Click the Close button
9. Click the Command History button to view the command history and status
10. Switch back to the AVD and open App Center; log in if required or click Refresh in the app menu to update
11. You should now receive a prompt to update your passcode based upon our new Lab Policy being applied
12. Click Continue
13. Select a PIN passcode and choose your new passcode
14. Click Continue when the policy has completed updating
15. Click the emulator Menu button
16. Select Settings > View Policy to see the latest policy settings now applied

Working with Symantec Secure Email

App Center 4.1 is integrated with the new Symantec Secure Email client for Android and iOS. Secure Email is a Symantec-branded OEM version of Nitrodesk TouchDown which runs on your mobile phone and provides you with the ability to receive and send e-mails, manage your contacts, and view your appointments from your company's Exchange server. Touchdown application configuration can be managed from within the Settings Catalog and applied to device policies, allowing for a common platform control for device management not available with native APIs. In this exercise we will explore some of those configuration settings so that you may familiarize yourself with some of the options available.

1. From the AVD, open App Center (log in if required)
2. Open Apps and install the Secure Email application previously posted to your App Center
3. Click Next when prompted to grant access to the device
4. Click the Open button when installation is complete
5. Accept the EULA
6. Click the Home button on your device
7. Open App Center from the Applications device menu (the circle with 6 dots in the bottom center of the emulator home screen)
8. From the Top apps page, click the device Menu button. Log out and back in to App Center to force an update to the policy
9. You will be prompted that Email Setup is Required
   This is in response to our Touchdown Policy targeted to the device
10. Select the notification from the top of your device screen and drag down with your mouse to reveal the notification
11. Click the notification to complete Touchdown configuration
12. Input your lab user account AD credentials as below
    User ID: appuser1
    Password: symc4now
    Email Address: appuser1@symmobile.local
13. Click the Next button
    Touchdown will initialize the Exchange connection
14. Click Close when configuration is complete
15. Click the Email icon in Touchdown to view your mail messages
    The previous message sent from the administrator should now be visible. You may need to use the Sync icon at the top of the screen to complete mailbox sync.

End User Portal

App Center 4.1 contains an optional end user portal that allows users to access configurable command settings for their enrolled mobile device. Users can be allowed access for common administrative tasks such as password reset or viewing required application information. In this exercise we will view the End User Portal and examine options available for our device.

1. In the App Center console, select the link to Logout
2. Log back into the portal as your lab user, appuser1
3. In the App Center console, select the link to navigate to the End-User Portal
4. Click on the Devices link at the top of the page to see the device view
5. Click on the now available Commands button to view available end user commands
   The end user has access to only some of the available commands
   [Figure: End User Portal]
6. From Commands, select the command to Unmanage the device
7. Click Yes to confirm
   [Figure: Admin View Device Commands]
8. Open Secure Email on your device to confirm the settings for your account are now removed
   The application can be accessed through the device applications menu, dragging the menu to the left
9. Open the App Center app to confirm that the agent is no longer working
10. Open the Admin Console > Devices view and view the Command History
    Note the Revoke Agent and Selective Wipe commands have completed
11. Finally, open the Commands button and view the commands available when MDM has been removed
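
Added example (not part of the original lab and not App Center code): a small Python model of the first-match rule from "Understanding Policy Priorities and Precedence", showing which catalog settings appuser1 loses when the less restrictive policy is ranked first. The Policy class, the function names and the setting labels are assumptions made for illustration; the group and policy names are the ones used in the lab.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset    # groups the policy is targeted to
    settings: frozenset  # Settings Catalog entries bundled into the policy


def matching(user_groups, ordered_policies):
    """Policies that target at least one of the user's groups, in priority order."""
    return [p for p in ordered_policies if p.groups & user_groups]


def effective_policy(user_groups, ordered_policies):
    """First match wins: the highest-priority policy that targets the user."""
    hits = matching(user_groups, ordered_policies)
    return hits[0] if hits else None


def dropped_settings(user_groups, ordered_policies):
    """Settings carried only by lower-priority policies that also match.

    The user never receives these, so a non-empty result means a less
    restrictive policy is shadowing a more restrictive one.
    """
    hits = matching(user_groups, ordered_policies)
    if not hits:
        return frozenset()
    winner, rest = hits[0], hits[1:]
    lost = set()
    for p in rest:
        lost |= p.settings - winner.settings
    return frozenset(lost)


# Constructed sample mirroring the lab (assumed labels, not exported from App Center).
ADMIN = Policy("Admin Policy", frozenset({"administrators"}), frozenset())
LAB = Policy("Lab User Policy", frozenset({"developers"}),
             frozenset({"TouchDown email", "Android passcode"}))
APPUSER1 = frozenset({"administrators", "developers"})

if __name__ == "__main__":
    # Priority order before and after moving Lab User Policy up.
    for order in ([ADMIN, LAB], [LAB, ADMIN]):
        win = effective_policy(APPUSER1, order)
        lost = sorted(dropped_settings(APPUSER1, order))
        print([p.name for p in order], "->", win.name, "| dropped:", lost)
```

Running the same check over every user's group memberships after a priority change shows whether any multi-group user ends up without a passcode or email setting that another of their policies would have enforced.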