Sophos Mobile Control
Installation guide
Product version: 2.5
Document date: July 2012
Contents
1 Introduction ... 3
2 The Sophos Mobile Control server ... 4
3 Set up Sophos Mobile Control ... 13
4 Running the Sophos Mobile Control Service as a limited user ... 33
5 Updating Sophos Mobile Control ... 34
6 Apple Push Notification service ... 35
7 Technical support ... 39
8 Legal notices ... 40
1 Introduction

Sophos Mobile Control is a web-based mobile device management platform for administrating smartphones and mobile devices. It consists of a server and a client component. The server handles the central management of data and devices. The client handles communication with the server on each end-user device and executes the commands it receives.

Sophos Mobile Control helps to keep corporate data safe by managing apps and security. It is easily installed and managed with over-the-air setup and configuration through the Sophos Mobile Control web console. With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT effort by allowing users to register their own devices and carry out other tasks without having to contact the helpdesk.

This guide describes the installation steps for the Sophos Mobile Control server (SMC server).

1.1 Access data

The access data for the system is saved in a database that can be extended later on. All installation steps have to be executed as an administrator of Microsoft Windows Server 2003/2008 or as a user of the relevant group. The database user needs sysadmin rights.

1.2 Licenses

To use Sophos Mobile Control you need a valid license. After purchasing the software, you receive a license file named license.sql. It must be placed in the same directory as the setup file during installation.

Note: If there is no valid license available, the SMC server can be installed, but you cannot register any mobile devices in the Sophos Mobile Control web console.
2 The Sophos Mobile Control server

The SMC server is a distributed system that consists of the following components:
- JBoss
- SQL database server
- SMC server, provided as a Java Enterprise Archive inside JBoss
- Directory Service
- Redistributable package

The individual components communicate either through the database or through the interfaces designated by the J2EE standard, so no further exchange files are necessary. The server scripts and property data must be configured so that they work in single-server operation. If changes are necessary, the individual setting parameters have to be modified.

2.1 Install the operating system

One possible server operating system is Microsoft Windows Server 2003. For installation, refer to the relevant documentation. In addition, the following packages have to be installed manually:
- Microsoft SQL Server, version 9.0 or higher
- Java JDK (including JRE), version 1.6/5.0 or higher

If the JDK is not contained in the installation package, you may have to download it.

2.2 Install Java JDK6

When you install Java JDK6, do not install the demos and samples. Install the Java JRE in its complete version.
2.3 Install the database server Microsoft SQL Server

We recommend Microsoft SQL Server 2008 Express Edition for Windows with installer. The following description shows the installation process for Microsoft SQL Server 2008 R2 RTM Express.

1. Execute the installer and select New installation or add features to an existing installation.
2. The Setup Support Rules dialog is displayed. Here, problems that might occur when you install the SQL Server Setup support files are identified. If problems have occurred, make the necessary changes to solve them and click Next.
3. In the License Terms dialog, select I accept the license terms and click Next.
4. In the Feature Selection dialog, select SQL Server Replication and SQL Client Connectivity SDK. If necessary, modify the installation directory. Click Next.
5. In the Instance Configuration dialog, change the instance name if necessary. Click Next.
6. In the Server Configuration dialog, select NT_AUTHORITY\System for SQL Server Database Engine and click Next.
7. In the Database Engine Configuration dialog, select Mixed Mode (SQL Server authentication and Windows authentication). Define a strong password for the system administrator account and click Next.
8. SQL Server 2008 R2 installation is now complete. In the Complete dialog, click Close to close the Setup wizard. You can also close the SQL Server Installation Center now.
9. Before Sophos Mobile Control can be installed, the TCP/IP protocol for the SQL Server needs to be enabled and the TCP port needs to be set to 1433. Open the Start menu, select All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools and click SQL Server Configuration Manager. In the SQL Server Configuration Manager, go to Protocols for SQLEXPRESS and double-click TCP/IP.
10. In the Protocol tab of the TCP/IP Properties dialog, set Enabled to Yes and click the IP Addresses tab.
11. In the IP Addresses tab of the TCP/IP Properties dialog, click TCP Dynamic Ports and make sure that the field is empty to disable this function. Now click TCP Port, enter 1433 and click OK to apply your settings.
12. For the new settings to take effect, the server needs to be restarted. Click SQL Server 2008 Services, right-click SQL Server (SQLEXPRESS) and select Restart.
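The following PowerShell script is an added example and is not part of the Sophos guide or its installer. It verifies, after steps 9 to 12, that the SQLEXPRESS instance has the TCP/IP protocol enabled, a static port of 1433 with the dynamic port field cleared, and that the port actually accepts connections after the service restart. It assumes the instance ID MSSQL10_50.SQLEXPRESS used by a default SQL Server 2008 R2 Express installation and the registry layout of that version; instance ID, host and port are parameters.

```powershell
# Added example (not from the Sophos guide): check the SQL Server TCP settings
# required by section 2.3, steps 9-12, before running the SMC installer.
# Assumption: SQL Server 2008 R2 Express with the default instance ID
# MSSQL10_50.SQLEXPRESS; pass -InstanceId for another version or instance.
param(
    [string]$InstanceId = 'MSSQL10_50.SQLEXPRESS',
    [string]$SqlHost    = 'localhost',
    [int]$Port          = 1433
)

$tcpKey   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib\Tcp"
$ipAllKey = Join-Path $tcpKey 'IPAll'

if (-not (Test-Path $tcpKey)) {
    throw "Instance key not found: $tcpKey (check the instance ID)"
}

# 'Enabled' corresponds to the Protocol tab (step 10); 'TcpPort' and
# 'TcpDynamicPorts' under IPAll correspond to the IP Addresses tab (step 11).
$enabled      = (Get-ItemProperty $tcpKey).Enabled
$ipAll        = Get-ItemProperty $ipAllKey
$staticPort   = [string]$ipAll.TcpPort
$dynamicPorts = [string]$ipAll.TcpDynamicPorts

Write-Host "TCP/IP protocol enabled : $($enabled -eq 1)"
Write-Host "Static TCP port         : '$staticPort' (expected $Port)"
Write-Host "Dynamic ports           : '$dynamicPorts' (must be empty)"

$ok = ($enabled -eq 1) -and ($staticPort -eq "$Port") -and ($dynamicPorts -eq '')

# Registry changes only take effect after the restart in step 12, so confirm
# that the listener is really up instead of trusting the configuration alone.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($SqlHost, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000)) {
        $client.EndConnect($async)
        Write-Host "Port $Port on $SqlHost is accepting connections"
    } else {
        Write-Host "Timeout connecting to ${SqlHost}:$Port - restart SQL Server (SQLEXPRESS) and re-check"
        $ok = $false
    }
} catch {
    Write-Host "Connection to ${SqlHost}:$Port failed: $($_.Exception.Message)"
    $ok = $false
} finally {
    $client.Close()
}

if ($ok) {
    Write-Host 'SQL Server TCP configuration matches the guide'
} else {
    exit 1
}
```

Run it in an elevated PowerShell on the database server; a non-zero exit code means one of the four conditions (protocol enabled, static port, empty dynamic ports, open listener) is not met, and the printed lines show which one.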
3 Set up Sophos Mobile Control

The key steps are:
- Execute the Sophos Mobile Control installer.
- Carry out the configuration steps in the Sophos Mobile Control Configuration Wizard.
- If you want to configure the EAS Proxy server separately, execute the Sophos Mobile Control EAS Proxy installer, see Install external EAS Proxy server (page 28).
- As a super administrator, create a customer (a tenant for which devices are managed) in the Sophos Mobile Control administration web console. For further information on this setup step, refer to the Sophos Mobile Control super administrator guide.

3.1 Install and configure Sophos Mobile Control

Prerequisite: Before you execute the Sophos Mobile Control installer, put the license file license.sql for the operation of the SMC server in the directory where the setup file is located.

1. Execute the Sophos Mobile Control installer, then review and agree to the License Agreement. The System Property Checks dialog is displayed. To check that the system environment fulfills all requirements for the Sophos Mobile Control installation, click Check. If you want to generate a system check report after the check has been run, click Report.
2. If all requirements are fulfilled, click Next. The Choose Install Location dialog is displayed. Choose the destination folder and click Install to start the installation.
3. After the installation process, the Sophos Mobile Control Configuration Wizard welcome dialog is displayed. Click Next.
4. In the Database selection dialog, select Use Microsoft SQL Server as database and click Next.
5. In the next step, you specify server information and logon credentials in the Database Settings dialog. To use the user credentials specified during the SQL Server installation, select Use SQL Server Authentication with the following credentials and enter the required user name and password. Click Next to continue.
6. In the next step, you select the database. In the Database Selection dialog, select Create a new database named, enter a name (for example SMCDB) and click Next.
   The Database Configuration dialog is displayed. It shows the relevant progress messages. After the database has been successfully created and populated, click Next.
7. In the next step, you can select optional setup steps in the Choose setup steps dialog. Setup steps that are mandatory for the initial configuration are preselected and greyed out. You can select the following two optional steps:
   - Configure user interface access IP range: In this step, you can configure an IP range white list to manage access to the Sophos Mobile Control web console and the Self Service Portal.
   - Configure Exchange ActiveSync Proxy: This step is preselected, but you can deactivate it. With this step you set up the standard embedded EAS Proxy. If you want to set up the EAS Proxy separately with several instances (for example for load balancing), run the separate EAS Proxy setup. For further information, see Install external EAS Proxy server (page 28).
   Note: The EAS Proxy configuration step is necessary for configuring compliance check settings in the next step. If you run the separate EAS Proxy setup and need to configure compliance check settings, leave this step selected.
   Select the required optional steps and click Next.
8. In the next step, you configure a super administrator account. The super administrator you create in this dialog has specific rights and tasks and is primarily used for customer management. In Sophos Mobile Control, customers are the tenants that manage the devices of their users. The super administrator logs on to a super administrator customer and can, for example, predefine settings for new customers and push settings and configuration to existing customers. For further information, refer to the Sophos Mobile Control super administrator guide.
   In the Create super admin account dialog, enter the Super admin customer (the customer the super administrator will log on to), the Super admin login (the super administrator login name) and a Super admin password. Confirm the password and click Next.
   Note: These credentials are required for logging on to the Sophos Mobile Control web console.
   Note: The super administrator should not be used in productive operation, but only for administrative purposes. The super administrator is primarily intended for customer management.
9. If you have selected the optional setup step Configure user interface access IP range in Choose setup steps, you can configure an IP range white list for user interface access in the next step. In Administration Interface, enter the white list for the Sophos Mobile Control administrator web console. In Self Service Portal, enter the white list for the Sophos Mobile Control Self Service Portal. Follow the instructions for entering IP addresses shown in the dialog. After you have entered all required information, click Next.
10. In the next step, you enter SMTP information and logon credentials.
   Note: This is required to enable emails to be sent to new users to provide them with logon credentials.
   In the Configure SMTP dialog, enter the SMTP information and click Next.
11. If you have left the option Configure Exchange ActiveSync Proxy in the Choose setup steps dialog selected, you configure the Exchange ActiveSync (EAS) Proxy information in the next step.
   Note: The EAS Proxy configuration step is necessary for configuring compliance check settings in the next step. If you run the separate EAS Proxy setup (for example for load balancing), enter placeholder (non-applicable) information here.
   Note: If you want to use Lotus Traveler, you need to set up an external EAS Proxy server. For further information on how to set up an external EAS Proxy server, see Install external EAS Proxy server (page 28).
   Enter the relevant EAS Proxy information and select Use SSL. Under Default mail access for new devices under management, specify how email access should be checked and handled:
   - Select Compliance check controlled email access for an ongoing automatic check of whether devices comply with your corporate rules for mobile access. If devices are not compliant, further email access through the EAS Proxy may be denied, depending on the compliance settings specified in the Sophos Mobile Control web interface.
   - Select Allow email access if all new managed devices are to be granted email access through the EAS Proxy. The administrator has to deny access individually.
   - Select Deny email access to deny new managed devices email access through the EAS Proxy. The administrator has to grant access individually.
   Click Next.
12. If you have configured the EAS Proxy setup in the last step, you can configure the compliance check in the next step.
   Note: If you have chosen to configure the EAS Proxy setup separately (see Install external EAS Proxy server (page 28)), the Configuration Wizard continues with the server certificate configuration.
   For the compliance check, you can configure the following:
   - In the Compliance check interval (in minutes) field, enter the time interval in which the check is to be performed.
   - In the Device sync interval (in minutes) field, enter the time interval after which the device synchronizes with the server.
     Note: The value you set in this field only applies to iOS devices. For Android and Windows Mobile devices a default of 24 hours applies. To define a different interval for these device types, use the command package Set MDM Sync Interval (in minutes).
   Click Next.
13. In the next step, a certificate for secure (HTTPS) access to the web server needs to be created or imported.
   - If you do not have a trusted certificate yet, select Create self signed certificate, click Next and continue with step 15.
   - If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the dropdown list, click Next and continue with step 16.
   - You can also select Separate files for certificate, private key, intermediate and CA from the dropdown list, click Next and continue with step 17.
14. If you have selected Create self signed certificate, the following dialog is shown. Enter the appropriate certificate information. After you have entered all necessary information, click Next to review and confirm the creation.
15. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter a password. Click Next to review and confirm the import.
16. If you have selected Separate files for certificate, private key, intermediate and CA under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter a password. Click Next to review and confirm the import.
17. In the next step, you verify the license information. Click Next to confirm the licensing and configuration process.
18. Configuration is now complete. Click Finish to close the Configuration Wizard. Sophos Mobile Control is installed.
19. After installation has finished, the Sophos Mobile Control - Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control server now is selected and click Finish to start the Sophos Mobile Control server for the first time.
   If you have selected SQL Server authentication during installation, the SMCSVC service is started automatically and the Sophos Mobile Control server is executed. If you have selected Windows authentication, you first have to enter the logon details in the service and start it afterwards.
   Note: After the service has been started, it can take a few minutes before the web interface is available.
   Note: If a language other than English is used for the SQL login, an error occurs and an error message is displayed. To solve this problem, first stop the SMCSVC service. Then open SQL Management Studio on the server, set the language used for the login to English and start the SMCSVC service again.

Continue with the following configuration steps:
- In the Configuration Wizard, you have now created a super administrator and a super administrator customer. This setup does not support the LDAP connection to a directory service such as Active Directory or the self-registration of end users with the Self Service Portal. To support these features, a customer must be created by the super administrator. For further information, refer to the Sophos Mobile Control super administrator guide.
- If you have selected to configure the EAS Proxy server separately, configure the EAS Proxy now, see Install external EAS Proxy server (page 28).
3.2 Install external EAS Proxy server

The external EAS Proxy server should be used if one of the following scenarios or setups is required:
- Lotus Notes with Traveler usage
- Load balancing
- Failover scenarios
- Multi-tenant setup
- Separation of the server load between SMC server and EAS Proxy
- Higher performance for the EAS Proxy

Sophos Mobile Control offers a separate EAS Proxy installer for this purpose.

Prerequisite: Sophos Mobile Control has been installed and set up, see Install and configure Sophos Mobile Control (page 13).

To configure the EAS Proxy server separately:
1. Execute the Sophos Mobile Control EAS Proxy Setup.exe. The Sophos Mobile Control EAS Proxy Setup welcome dialog is displayed. Click Next.
2. In the License Agreement dialog, review the license terms and click I Agree.
3. In the Choose Install Location dialog, choose the destination folder and click Install to start the installation.
4. After Sophos Mobile Control EAS Proxy has been installed, the EAS Proxy Configuration Wizard welcome dialog is displayed. Click Next.
5. In the Database selection dialog, select Use Microsoft SQL Server as database and click Next.
6. In the next step, you specify server information and logon credentials in the Database Settings dialog. To use the user credentials specified during the SQL Server installation, select Use SQL Server Authentication with the following credentials and enter the required user name and password. Click Next to continue.
7. In the next step, you select the database. In the Database Selection dialog, select the database created for SMC by the SMC server setup and click Next.
8. In the next step, you configure the EAS Proxy instances. In the EAS Proxy instance setup dialog, enter an Instance name, the relevant Server port and the ActiveSync Server. After entering the instance information, click Add to add the instance to the Instances list. After you have configured the EAS Proxy instances, click Save to save your changes. Click Next.
   Note: To edit instances, click the relevant instance in this list.
9. Configuration is now complete. Click Finish to close the Configuration Wizard. The Sophos Mobile Control EAS Proxy server is installed.
10. After installation has finished, the Sophos Mobile Control EAS Proxy - Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control EAS Proxy server now is selected and click Finish to start the Sophos Mobile Control EAS Proxy server for the first time.

The Sophos Mobile Control EAS Proxy server has been installed and configured.
4 Running the Sophos Mobile Control Service as a limited user

For security reasons, you may want to run the SMC service as a limited user instead of an administrator.

Note: If you use Windows Authentication for database access, you only have to carry out step 3 of the following description.

1. On the computer on which Sophos Mobile Control is running, create a local, regular Windows user with a password that does not expire.
2. Remove this user from all groups. (By default, the user is in the Users group.)
3. Grant this user full access to the Sophos Mobile Control installation directory (C:\Programs\Sophos\Sophos Mobile Control) including all subdirectories.
4. In the SMCSVC service properties, change the user to this user with the relevant password.
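The following PowerShell script is an added example of the four steps above and is not part of the Sophos guide; it uses only built-in Windows tools (net, wmic, icacls, sc.exe) that exist on Windows Server 2003/2008. The account name smcsvc and the installation path are assumptions (the path matches the example path given in section 6.2; adjust it to your installation); the service name SMCSVC is taken from the guide.

```powershell
# Added example (not part of the Sophos guide): create the limited local
# account described in section 4, grant it the installation directory and
# bind the SMCSVC service to it. Run in an elevated PowerShell on the SMC server.
# Assumptions: account name 'smcsvc' and the install path below.
$User        = 'smcsvc'
$InstallDir  = 'C:\Program Files\Sophos\Sophos Mobile Control'   # adjust to your installation
$ServiceName = 'SMCSVC'

# Prompt for the password instead of hard-coding it in the script.
$secure   = Read-Host -AsSecureString "Password for local user $User"
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 1: regular local user; the WMI flag makes the password non-expiring.
net user $User $password /add /passwordchg:no
wmic useraccount where "name='$User'" set PasswordExpires=false

# Step 2: drop the default 'Users' membership so the account only has the
# rights granted explicitly below (least privilege for the service identity).
net localgroup Users $User /delete

# Step 3: full control on the installation directory and all subdirectories.
# (OI)(CI) makes the ACE inherit to files and folders below; /T applies it
# to the existing tree as well.
icacls $InstallDir /grant "${User}:(OI)(CI)F" /T

# Step 4: bind the service to the account. Use sc.exe explicitly, because in
# PowerShell 'sc' is an alias for Set-Content. sc.exe requires the space
# after 'obj=' and 'password='.
sc.exe config $ServiceName obj= ".\$User" password= $password

# Verify the identity the service will run as, then restart it.
(Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartName
Restart-Service $ServiceName
```

If the restart fails with a logon failure, grant the account the "Log on as a service" right under Local Security Policy > User Rights Assignment: the Services console assigns that right when you change the account there, but sc.exe does not. Note that net user and sc.exe receive the password as a command-line argument, so clear the PowerShell history afterwards if the session is shared.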
5 Updating Sophos Mobile Control

5.1 Updating from version 1.x to 2.5

SMC Server installations of version 1.x cannot be updated directly to version 2.5. Version 1.0 has to be updated to version 1.1 and then to version 2.0 first.

5.2 Updating from version 2.0 to 2.5

To update your SMC Server installation to version 2.5, execute the Sophos Mobile Control 2.5 installer. The installer automatically detects that an existing installation is to be updated to version 2.5. The administrator is asked whether the service should be stopped. The database is updated automatically.
6 Apple Push Notification service

To use the built-in Mobile Device Management (MDM) protocol of devices running Apple iOS 4 (or higher), Sophos Mobile Control must use Apple's Push Notification service (APNs) to trigger the iOS devices. The following sections describe the requirements that have to be fulfilled and the steps you must take to get access to the APNs servers with your own client certificate.

Note: Please do NOT use Internet Explorer for any Apple websites. Apple recommends their own Safari browser, but Mozilla Firefox, Opera or Google Chrome also work.

6.1 Requirements

For silent operations, all devices must have at least iOS version 4 installed. A free update is available from Apple for:
- iPhone 3G, 3GS, 4
- iPad
- iPod touch 3rd or 4th generation

To notify iOS devices, the Sophos Mobile Control server needs to connect to the Apple Push Notification service. The notifications are sent SSL-encrypted to gateway.push.apple.com:2195 TCP (17.0.0.0/8). iOS devices with Wi-Fi only need a connection to the APNs:
- Wi-Fi iOS device: *.push.apple.com:5223 TCP (17.0.0.0/8)

6.2 Getting your APNs certificate for Sophos Mobile Control

1. Install Sophos Mobile Control on the server as described in this installation guide. The scripts required for getting your APNs certificate are installed as part of the Sophos Mobile Control installation.
2. On the Sophos Mobile Control server, in the directory %MDM_HOME%\tools\CreateApnsCert_AppleID (for example: C:\Program Files\Sophos\Sophos Mobile Control\tools\CreateApnsCert_AppleID), double-click the file step1_create_csr.bat as an administrator. The batch file is started.
   Note: The scripts can also be started on any other computer. Just copy the files from the installation directory.
3. Enter the required data (company and country) as shown in the following screenshot. These are the Sophos data required for the Certificate Signing Request. The file APNsCertificateSigningRequest.csr is generated. This is your Certificate Signing Request (CSR).
4. Send the file APNsCertificateSigningRequest.csr to Sophos or your Sophos sales partner for processing.
   Note: According to Apple regulations, only Sophos can directly process your CSR, not a partner.
5. Sophos signs the APNsCertificateSigningRequest.csr file with their MDM key and sends a signed CSR (AppleMDMVendorPushCert.plist) back to you. This is the format required for the upload to the Apple portal. Save this file in a location of your choice.
6. Go to the Apple APNs portal https://identity.apple.com/pushcert/.
   Note: We recommend that you do NOT use Internet Explorer or Firefox for accessing the Apple portal as this may cause severe problems. We recommend using the latest version of Safari as the best option, or Google Chrome.
   Note: If you do not have an Apple ID, you can create one free of charge here: http://appleid.apple.com/.
7. On the Get Started page, click Create a Certificate.
8. On the Terms of Use page, accept Apple's terms of use.
9. On the Create a New Push Certificate page, browse for the AppleMDMVendorPushCert.plist and click Upload. When the new certificate has been created successfully, a Confirmation is displayed.
   Note: If you receive an invalid format error message, check whether you have used version 2 of the tools and confirm with your Sophos contact that the same version was used for processing your CSR. If you still receive an error message after that, contact Sophos support.
10. On the Confirmation page, click Download to download the file MDM_ Sophos Limited_Certificate.pem. Save this file in %MDM_HOME%\Sophos\Sophos Mobile Control\tools\CreateApnsCert_AppleID.
11. In %MDM_HOME%\Sophos\Sophos Mobile Control\tools\CreateApnsCert_AppleID, double-click the batch file step2_convert_pkcs12.bat as an administrator to convert the APNs certificate for Sophos Mobile Control. When prompted, enter a password. This password is required for uploading the certificate to Sophos Mobile Control. The file mdm_apns_certificate.pkcs12 is generated.
   Note: Store the entered password and the resulting .pkcs12 file in a safe location, as they are both required for uploading the certificate to Sophos Mobile Control.
12. Log in to the Sophos Mobile Control admin web console, click the Settings button and go to the iOS APNs tab.
13. Browse for the file mdm_apns_certificate.pkcs12, enter the password and click Upload. After the file has been uploaded successfully, a confirmation message is displayed.
14. Click Save.
   Note: When creating a new customer as a super administrator, the APNs certificate can also be inherited by the new customer.
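The following PowerShell script is an added example and not one of the Sophos tools: it inspects the mdm_apns_certificate.pkcs12 file produced in step 11 before you upload it in step 13, confirming that the file opens with the chosen password, that it contains the private key (without it the upload is useless), and how long the certificate remains valid, which matters for the renewal described in section 6.3. The default file path and the 30-day warning threshold are assumptions; both are parameters.

```powershell
# Added example (not part of the Sophos tools): sanity-check the PKCS12 file
# from step2_convert_pkcs12.bat before uploading it in the web console.
# Assumptions: default path below (the example path from section 6.2) and a
# 30-day expiry warning; the PKCS12 password is prompted for.
param(
    [string]$Pkcs12Path = 'C:\Program Files\Sophos\Sophos Mobile Control\tools\CreateApnsCert_AppleID\mdm_apns_certificate.pkcs12',
    [int]$WarnDays = 30
)

if (-not (Test-Path $Pkcs12Path)) {
    throw "PKCS12 file not found: $Pkcs12Path"
}

$password = Read-Host -AsSecureString 'PKCS12 password'

# DefaultKeySet keeps the private key out of the persistent certificate
# store; Reset() below releases the temporary key handle.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Pkcs12Path, $password, $flags)

try {
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    Write-Host "Subject      : $($cert.Subject)"
    Write-Host "Issuer       : $($cert.Issuer)"
    Write-Host "Valid        : $($cert.NotBefore) to $($cert.NotAfter) ($daysLeft days left)"
    Write-Host "Thumbprint   : $($cert.Thumbprint)"
    Write-Host "Private key  : $($cert.HasPrivateKey)"

    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key in the PKCS12 file - re-run step2_convert_pkcs12.bat'
    }
    if ($daysLeft -lt 0) {
        $problems += 'certificate has already expired'
    } elseif ($daysLeft -lt $WarnDays) {
        $problems += "certificate expires in $daysLeft days - plan the renewal described in section 6.3"
    }

    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        exit 1
    }
    Write-Host 'PKCS12 file is ready for upload'
} finally {
    $cert.Reset()
}
```

A wrong password surfaces as an exception from the X509Certificate2 constructor, which is the same failure the web console would report at upload time, so it is cheaper to catch here.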
6.3 Migrating APNs certificates from the iOS Developer Enterprise Program

Certificates created with the iOS Developer Enterprise Program (iDEP) can no longer be renewed from within the iDEP. If you have created your MDM APNs certificates with the iDEP and they are about to expire, you have to migrate them to the new method described in section Getting your APNs certificate for Sophos Mobile Control (page 35).

To renew a certificate:
1. Go to https://identity.apple.com/pushcert/ and log in with the iDEP Apple ID that you used to create your existing APNs certificate. You can now see the MDM certificates already migrated by Apple.
2. Carry out the following steps. For details on the individual steps, see Getting your APNs certificate for Sophos Mobile Control (page 35).
   - Create a CSR.
   - Let Sophos sign the CSR.
   - Click the Renew button and upload the signed CSR.
   - Download the certificate.
   - Convert the APNs certificate for Sophos Mobile Control.
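The following PowerShell script is an added example, not part of the Sophos guide, for the network requirement in section 6.1: run on the SMC server, it resolves gateway.push.apple.com, checks that every returned address lies in Apple's 17.0.0.0/8 block (a different range usually means a DNS override or an intercepting proxy), opens a TCP connection to port 2195 and completes a TLS handshake so that the outbound firewall rule can be confirmed before the APNs certificate is uploaded. The device-side requirement (*.push.apple.com:5223) is not tested here because it applies to the Wi-Fi network of the iOS devices, not to the server. Host, port and timeout are assumptions taken from the guide's values and can be changed at the top of the script.

```powershell
# Added example (not from the Sophos guide): verify outbound connectivity from
# the SMC server to the APNs gateway named in section 6.1.
# Assumptions: host/port from the guide, 5-second timeout, no HTTP proxy in the path.
$ApnsHost  = 'gateway.push.apple.com'
$ApnsPort  = 2195
$TimeoutMs = 5000

function Test-InAppleBlock([System.Net.IPAddress]$Address) {
    # 17.0.0.0/8 means: IPv4 and the first octet equals 17.
    ($Address.AddressFamily -eq 'InterNetwork') -and ($Address.GetAddressBytes()[0] -eq 17)
}

# 1. Name resolution: every address should fall inside 17.0.0.0/8.
$addresses = [System.Net.Dns]::GetHostAddresses($ApnsHost)
foreach ($addr in $addresses) {
    $inApple = Test-InAppleBlock $addr
    Write-Host ("{0} resolves to {1} (in 17.0.0.0/8: {2})" -f $ApnsHost, $addr, $inApple)
    if (-not $inApple) {
        Write-Warning "Unexpected address for $ApnsHost - check DNS and proxy settings"
    }
}

# 2. TCP reachability with a timeout, so a silently dropping firewall is
#    reported instead of hanging the script.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($ApnsHost, $ApnsPort, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        throw "timeout after $TimeoutMs ms (outbound TCP $ApnsPort probably blocked)"
    }
    $client.EndConnect($async)
    Write-Host "TCP connection to ${ApnsHost}:$ApnsPort established"

    # 3. TLS handshake without a client certificate: proves the path is not
    #    terminated by an intercepting proxy and shows the gateway's certificate.
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ApnsHost)
        Write-Host ("TLS {0} established; server certificate: {1}; expires {2}" -f `
            $ssl.SslProtocol, $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.GetExpirationDateString())
        $ssl.Close()
    } catch {
        Write-Warning "TCP path is open but the TLS handshake failed: $($_.Exception.Message)"
        exit 1
    }
} catch {
    Write-Warning "APNs gateway ${ApnsHost}:$ApnsPort not reachable: $($_.Exception.Message)"
    exit 1
} finally {
    $client.Close()
}
```

A handshake failure after a successful TCP connection typically points at a TLS-inspecting proxy or at an outdated root certificate store on the server; either has to be resolved before the SMC server can deliver push notifications.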
7 Technical support

You can find technical support for Sophos products in any of these ways:
- Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
- Download the product documentation at http://www.sophos.com/support/docs/.
- Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
8 Legal notices

Copyright 2011-2012 Sophos Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.