Zenprise Device Manager 6.1.5 CLIENT GUIDE Rev 6.1.50
ZENPRISE DEVICE MANAGER 6.1 CLIENT GUIDE

© 2011 Zenprise, Inc. All rights reserved.

This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Zenprise, Incorporated. Zenprise Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in this book.

Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without prior written permission of Zenprise, Incorporated.

Any references to company names, organizations, persons, or places are for demonstration purposes only and are not intended to refer to any actual company, organization, person or place.

REVISION NUMBER: 6.1.50
Contents

1 Introduction
  1.1 Subjects Covered
  1.2 Other Documents
  1.3 Document Conventions
2 About Device Manager Client
  2.1 Supported Device Types and Features
3 Installing Device Manager Client
  3.1 General Characteristics
  3.2 Installing the Device Manager Agent on Android Devices
  3.3 Installing the Device Manager Agent on iOS Devices
  3.4 How to Enroll iOS Devices via SMS, Email or Web
  3.5 Installing the Device Manager Agent on Windows Mobile Devices
  3.6 Installing the Device Manager Agent on Symbian Devices
  3.7 Other Methods of Agent Installation
  3.8 Device Manager Client Authentication
  3.9 Upgrading Device Manager Client
  3.10 Removing the Device Manager Agent
4 Using Data Provided by the Agent
  4.1 Management of Device Configurations
1 INTRODUCTION

This document describes the Zenprise Device Manager software component installed on individual hand-held devices. Each mobile device must run the application and enroll with the Device Manager server in order to receive deployment packages from the Device Manager server and host remote support sessions initiated by IT technical staff.

1.1 SUBJECTS COVERED

The content herein is intended for administrators responsible for the mobile management application, IT support staff, and others responsible for setup, provisioning and use of hand-held digital devices. The document is organized as follows:

- Chapter 1, Introduction, provides the scope and purpose of the document.
- Chapter 2, About the Device Manager Client, provides a general description of the agent software and its features.
- Chapter 3, Installing the Device Manager Client, describes how to install the software on Android, iOS, and Windows Mobile/CE devices.
- Chapter 4, Using Data Provided by the Agent, briefly outlines the information the agent provides about the hand-held device.

1.2 OTHER DOCUMENTS

Other documents available in regard to Zenprise Device Manager include the following:

- Device Manager Quick Start Guide: summarizes the steps required to establish a basic functional configuration of the Device Manager server, create basic device Configuration Policies and device Deployment Packages, establish a Remote Support Client session, and work with devices.
- Device Manager Installation Guide: provides the procedures to install and/or upgrade the Device Manager server product.
- Device Manager System Administration Guide: provides details about configuring the application and essential steps required to register devices, users, policies, files, and deployment packages. Device Manager's integrated reporting subsystem is also discussed.
- Device Manager Client Guide: describes installation and use of the device client for Windows Mobile, Android and iOS devices.
- Device Manager F5 High Availability Guide: provides the procedures to set up the Device Manager server product in high availability mode with an F5 network load balancer appliance.
- Device Manager Mobile Application Gateway Setup Guide: describes the setup and use of the Mobile Application Gateway to control ActiveSync mobile device traffic, as well as application Whitelist/Blacklist filtering, and specific device & user filtering options available when integrated with a Microsoft ISA 2006 or TMG 2010 server firewall.
- Device Manager Remote Support User's Guide: discusses using Device Manager's remote control features to work with devices on behalf of users in the field.
- Apple APNS Certificate Setup Guide: provides the procedures to acquire and set up the required Apple APNS certificate for use with the Zenprise Device Manager server to manage and support iOS devices.

1.3 DOCUMENT CONVENTIONS

The following conventions are used throughout the document:

Notes and Warnings

Notes and other information topics are emphasized as follows:

Note: you can also use CTRL-Q to quit.

Warnings convey limits, negative impacts or other important information as follows:

Note: Do not close the window before the process ends.

Application Elements

Window names, field labels, and other elements are italicized.

Code Samples

Scripts, program source code, configuration files and the like are handled in this fashion:

    AddObjectProperty attributemap {element: value, element, value}

User Entry

Things you type, including user names, passwords, responses and commands, are shown in bold.
2 ABOUT DEVICE MANAGER CLIENT

2.1 SUPPORTED DEVICE TYPES AND FEATURES

Three platforms are supported by Device Manager.

- Apple handheld devices (iPhone, iPad) using iOS 3.0 or higher
- Handheld devices using Android 1.5 or higher
- Microsoft Windows Mobile and its derivatives, including Smartphone and PocketPC
  o Windows Mobile 5.x or 6.x (PocketPC or Smartphone Edition)
  o Pocket PC 2003
  o Windows CE 4.x, 5.x or 6.x

Note: Windows Phone 7 support is not available in Device Manager 6.0.

Due to platform restrictions or security features, not all features are supported on all platforms. The following table summarizes the features available by platform.

Feature                                   Windows Mobile   Android   iOS Devices
Remote client installation (OTA)          ✓                ✓         ✓
Provisioning of devices & users           ✓                ✓         ✓
Hardware Inventory                        ✓                ✓         ✓
Software Inventory                        ✓                ✓         ✓
Security Jailbreak detection              ✓                ✓         ✓
Remote wipe & lock                        ✓                ✓         ✓
Software download & install               ✓                ✓         ✓
File transfer                             ✓                ✓         ✓
Device Remote Control                     ✓                ✓         ✓
Application Tunneling Mobile SSL VPN      ✓                ✓         --
Roaming Management                        ✓                ✓         --
Business Process Scripting                ✓                --        --
Reports (activity & devices inventory)    ✓                ✓         ✓
Strong authentication (device/server)     ✓                ✓         ✓
Local device data encryption (option)     ✓                --        --

Table 1 - Device Manager Client features by device type
3 INSTALLING DEVICE MANAGER CLIENT

3.1 GENERAL CHARACTERISTICS

The Device Manager client (also called the Device Manager Agent) is available in an installable format suited to each of the supported platforms. The Agent is approximately 500KB when downloaded OTA (over the air) and installs at less than 1MB on the hand-held device. The agent software automatically installs and prompts the hand-held's user to connect to the Device Manager server to authenticate. In the case of Android or iOS devices, the agent may be acquired from the public application market for those platforms: Android Market and iTunes App Store, respectively.

The agent software may be installed on hand-held devices via a physical connection (cable) or via a wireless channel (WiFi or cellular data network). The following sections describe the installation sequence for each platform assuming a wireless channel.

3.2 INSTALLING THE DEVICE MANAGER AGENT ON ANDROID DEVICES

Note: Before you begin, be sure to have on hand at least one user account name and password from the Users tab in the Device Manager administrative console. It is recommended to download the Android agent from the Google Android Market; older Android devices may not accept apps installed outside of the Market.

On an Android device, acquire the downloadable APK file from either of the following sources:

- Google's Android Market [1]
- Your organization's Device Manager server [2] (depicted at right)

Figure 1 - Android / Browse to URL

[1] http://market.android.com/search?q=zenprise
[2] Use a URL of this format: http://<server.domain.com>/zdm/setup/, replacing <server.domain.com> with your server's hostname or IP address.
On the Google Android Market, search for the Zenprise for Employees application. Download and install the free app.

Figure 2 - Android / Download installer

Tap OK to accept the new application permissions and allow the app to be downloaded and installed.

Figure 3 - Android / Ready to install

When prompted, tap the Activate button and then the Continue button.

Figure 4 - Android / Agent installation and activation
Enter the desired user account and password for device enrollment.

Figure 5 - Android / Authentication

Enter the Device Manager server instance, server domain name, and connection port. Tap Save and Connect.

Figure 6 - Android / Authentication

Verify the connection by inspecting the agent page. A good connection is indicated by a solid green ball in the Connection status row.

Figure 7 - Android / Zenprise Agent page
3.3 INSTALLING THE DEVICE MANAGER AGENT ON IOS DEVICES

Note: before you begin, be sure to have on hand at least one LDAP integrated group added or a single user account name and password from the Users tab in the Device Manager administrative console.

On the iOS device, browse to Apple's iTunes App Store and access the free ZP MDM application. Tap the Free button, then tap the Install button.

Launch the Zenprise app and tap Enroll iPhone when prompted.

Figure 8 - Zenprise for Employees

Enter your registration information:

- Device Manager server DNS name
- Username & Password (typically your AD or Email user account and password)

After filling out your corporate credentials, tap Enroll.

Note: also use this process for iPad devices.

Figure 9 - iOS / Starting enrollment
The next steps will begin the secure Device Certificate enrollment and the Personal Profile. Tap Install Corporate Certificate.

Tap Install.

Figure 10 - iOS / Enrollment Step 1

Tap Install.

Figure 11 - iOS / Prompt to install
Tap Done.

Figure 12 - iOS / Zenprise Corporate Enrollment

Tap Install Personal Profile.

Figure 13 - iOS / Install root certificate

Tap Install.

Figure 14 - iOS / Certificate warning
Verify the certificate installation by inspecting the green icon. Tap Done.

Figure 15 - iOS / Certificate installed

Verify the certificate installation by inspecting the green icon. Tap Done.

Figure 16 - iOS / Install Personal Profile

Tap Install.

Figure 17 - iOS / Install warning
Verify the profile installation by inspecting the green icon. Tap Done. Zenprise Enrollment is now complete.

Figure 18 - iOS / Install complete

Verify enrolment. Tap the Home button on the iOS device to return to the home state.

Figure 19 - iOS / Zenprise agent page
3.4 HOW TO ENROLL IOS DEVICES VIA SMS, EMAIL OR WEB

On the iOS device, browse to Apple's iTunes App Store and access the free ZP MDM application. Tap the Free button, then tap the Install button.

Figure 20 - ZP MDM App

Construct a URL with the following format:

Example 1:

    zenprisedm://?server=servername.server.com&user=username

Example 2: Populates the server and port # and specified Zenprise instance with a username

    zenprisedm://?server=servername.server.com:port#/instance&user=username

Example 3: Populates the server and port # and specified Zenprise instance

    zenprisedm://?server=servername.server.com:port#/instance
Send the link to users via SMS, Email, or post it on a website.

Figure 21 - Example of SMS link

Direct the user to click on the link.

Upon clicking the link, the ZP MDM app will launch and the user will be prompted with the introductory screen. The user should click ENROLL.

The enrollment screen will appear with pre-populated server and/or username values. The user should enter their password and click Enroll.

The user should follow the instructions above in section 3.3 for installing certificates and the MDM profile.
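As an added example (not part of the Zenprise guide or product), the Python code below builds the three link forms shown in section 3.4 and checks that a link names an approved server before it is sent or posted. The host `mdm.example.com`, the instance name `zdm` and the restricted character sets are assumptions of this example.

```python
import re

PREFIX = "zenprisedm://?"
# Character sets chosen for this example (assumptions, not documented limits):
# values outside them are rejected, so none can smuggle in an extra "&" or "/".
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")
NAME_RE = re.compile(r"[A-Za-z0-9._@-]+")
SERVER_RE = re.compile(r"([^:/]+)(?::(\d{1,5})/([^:/]+))?")


def build_link(host, port=None, instance=None, user=None):
    """Return an enrollment link in one of the three forms from section 3.4."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"bad server name: {host!r}")
    if (port is None) != (instance is None):
        raise ValueError("port and instance are given together, as in the guide")
    server = host.lower()
    if port is not None:
        if not 1 <= int(port) <= 65535 or not NAME_RE.fullmatch(instance):
            raise ValueError("bad port or instance")
        server += f":{int(port)}/{instance}"
    link = f"{PREFIX}server={server}"
    if user is not None:
        if not NAME_RE.fullmatch(user):
            raise ValueError(f"bad username: {user!r}")
        link += f"&user={user}"
    return link


def parse_link(link):
    """Split a link into its fields; raise ValueError on anything unexpected."""
    if not link.startswith(PREFIX):
        raise ValueError("not a zenprisedm:// enrollment link")
    fields = {}
    for pair in link[len(PREFIX):].split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key not in ("server", "user") or key in fields:
            raise ValueError(f"unexpected or repeated parameter: {pair!r}")
        fields[key] = value
    m = SERVER_RE.fullmatch(fields.get("server", ""))
    if not m or not HOST_RE.fullmatch(m.group(1)):
        raise ValueError("missing or malformed server value")
    host, port, instance = m.group(1).lower(), m.group(2), m.group(3)
    if port is not None and not (1 <= int(port) <= 65535 and NAME_RE.fullmatch(instance)):
        raise ValueError("bad port or instance")
    user = fields.get("user")
    if user is not None and not NAME_RE.fullmatch(user):
        raise ValueError("bad username")
    return {"host": host, "port": int(port) if port else None,
            "instance": instance, "user": user}


def points_at(link, allowed_hosts):
    """True only if the link parses cleanly and names an approved server."""
    try:
        return parse_link(link)["host"] in {h.lower() for h in allowed_hosts}
    except ValueError:
        return False
```

Running `points_at` over every link in an outgoing message or web page, with the organization's own Device Manager host names as the allow list, catches links that would pre-populate the enrollment screen with a different server.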
3.5 INSTALLING THE DEVICE MANAGER AGENT ON WINDOWS MOBILE DEVICES

Note: before you begin, be sure to have on hand at least one user account name and password from the Users tab in the Device Manager administrative console.

On a Windows Mobile or CE device, browse to the Device Manager URL for your organization.

Figure 22 - Windows Mobile / Browse to URL
Fill Open file after download. Click Yes.

Figure 23 - Windows Mobile / Download installer

Figure 24 - Windows Mobile / Installer progress

The agent installation begins automatically.

Figure 25 - Windows Mobile / Agent installation
A reboot notice appears.

Figure 26 - Windows Mobile / Restart notice

Type the User account name and Password. Tap Done.

Figure 27 - Windows Mobile / Authentication

Verify the connection by inspecting the agent page. A good connection is indicated by a solid green ball in the page heading area.

Figure 28 - Windows Mobile / Zenprise Agent page
3.6 INSTALLING THE DEVICE MANAGER AGENT ON SYMBIAN DEVICES

On the Symbian device, open a web browser and browse to the Zenprise Device Manager Enrollment URL. For example, http://server.com/zdm/setup.

The screen to the right will appear. Click OK.

The installation will proceed.
The installation will complete. Click YES to launch Zenprise.

Enter username, password, and server information. Click OK.
There will be another prompt asking to enter the code for the server. Enter 2831.

Connection information will appear. Click Options to review details. Click Close to finish setup.

3.7 OTHER METHODS OF AGENT INSTALLATION

In addition to wireless download and installation, the Device Manager agent may also be installed on hand-held devices in the following ways:

- FTP transfer: the installation package is retrieved by the hand-held via FTP after receiving an SMS message containing a link to the FTP server.
- PC provisioning utility: the Device Manager provisioning utility (EveryWAN Device Provisioning.exe) is used in conjunction with a mobile device docking station connected via USB to a PC. This can be useful when pre-configuring in batch mode a large number of devices requiring substantially the same configuration.
- SD card: the installation package may be deployed via an SD card, among other application software. This method, however, may require manual configuration of settings such as registry keys, depending on the platform. Consult Zenprise Technical Support before committing to this deployment model.

3.8 DEVICE MANAGER CLIENT AUTHENTICATION

After the Device Manager agent has been downloaded and installed, the mobile device reboots. The Device Manager icon appears at the top of the screen, and the device attempts to connect to the Device Manager server. (This is indicated when the application icon is replaced by two opposed vertical arrows.) The authentication sequence begins automatically.

3.8.1 WEAK AUTHENTICATION

The user enters the user name (User field) and password (Password field) received from the administrator. This information must correspond to a user profile created by the administrator on the Device Manager server web-based administration console.

3.8.2 STRONG AUTHENTICATION (STRONGID)

Note: this option is available only with the Device Manager Secure Device option. Refer to the document Device Manager Secure Device User's Guide to learn more about this capability.

3.8.3 ANONYMOUS MODE

If the User/Password pair is unknown to the server, the Device Manager agent can connect in Anonymous mode. The following applies to this situation:

- The Device Manager icon on the mobile device displays a question mark.
- The window in which the User and Password are entered immediately reappears.
- The device can only use tunnels authorized in Anonymous mode and receives the configuration that the administrator has associated with this mode.
Anonymous mode can prove useful when administrators need to configure mobile devices used by different users (e.g., a self-service mobile device pool). Additionally, administrative or support staff can configure remote devices themselves in this mode, since they can take remote control via the Device Manager Remote Support application (device verification, user name/password entered by the administrator, configuration of a screenless embedded device, etc.).
Note: The anonymous mode is possible in strong authentication mode only if the device and the server have authenticated each other (entry of StrongID and exchange of certificates).

3.9 UPGRADING DEVICE MANAGER CLIENT

New versions of the agent can be deployed in two ways: manual update or automatic update.

3.9.1 MANUAL UPDATE

Manual upgrades are similar to initial installations done over the wire. The new installation files should be staged on an available HTTP server and the user population invited to update via email message or SMS text containing the appropriate link.

3.9.2 AUTOMATIC UPDATE

The updated agent software may be delivered as part of a Device Manager deployment package configured through the Device Manager administrative console. Platforms that support remote requests to connect can be directed to connect and receive the package.

3.10 REMOVING THE DEVICE MANAGER AGENT

3.10.1 ANDROID DEVICES

As with other Android applications, the agent is uninstalled with the application manager. To remove the agent, do the following:

1. On the home screen, tap Menu > Parameters > Applications > Manage Applications.
2. Tap the Device Manager icon to uninstall it.

3.10.2 IOS DEVICES

As with other Apple applications, remove the agent by long-pressing the icon and tapping the X element.
4 USING DATA PROVIDED BY THE AGENT

Unless configured to be hidden, the Device Manager agent icon appears at the top of the mobile device screen. To obtain information on the device, tap on the Device Manager agent icon and then tap Details. The information displayed on the Connection tab shows which connection type is active.

On some platforms, the Device Manager agent icon can also be accessed from Applications or Programs in the mobile device's Start menu, even if the icon has been configured to be hidden on the device's taskbar.

4.1 MANAGEMENT OF DEVICE CONFIGURATIONS

Each time the Device Manager Agent connects to the Device Manager server, it transmits the following data about the mobile device:

- System information (operating system, connection, etc.)
- Installed version of the Device Manager agent
- List of installed programs

As needed, Device Manager Server can return the registry keys and XML files to the mobile device. Also, if required, required programs can be reinstalled, should they have been uninstalled by the user (in accordance with the configuration defined under the Policies tab of the Device Manager Administration Console).

Due to the built-in configuration enforcement features defined by the administrator on the Device Manager Administration Console, all settings and security rules override any changes that users may introduce in their mobile devices. For example, Device Manager Server verifies at each connection that the configuration on the mobile device is consistent with the configuration rules defined by the administrator. If they aren't, the Device Manager Server retransmits the configurations each time it connects to the mobile device.