System Configuration and Deployment Guide

This guide provides information on:

- Configuring an Organization using the Organization Wizard
- Setting a default Policy Suite using the Organization Wizard
- Setting a default Sync Schedule using the Organization Wizard
- Customizing Policy Suites and Sync Schedules using the editors
- Adding users manually or via batch import using the Add New User Wizard
- Setting up an Organization for Hands-Off Registration
- Customizing user information using Custom Columns

NotifyMDM Version 1.1.0
Table of Contents

Configuring the Organization
    Organization Setup Wizard
    Create an Organization using the Organization Setup Wizard
    Step 1: Enter an Organization Name and Contact Information
    Step 2: Define the Organization's Default Servers
    Step 3: Create the Organization's Default Policy Suite
    Step 4: Create the Organization's Default Sync Schedule
    Managing SMTP, ActiveSync, and Administrative LDAP Servers
Policy Suites
    Create a New Policy
    Policy Suite Editor
    Tips on Customizing and Using Policy Suites
Synchronization Schedules
    Create a New Sync Schedule
    Sync Schedule Editor
    Tips on Using Sync Schedules
Adding Users
    Adding Users Manually
    Adding Users via Comma Separated Values (CSV) Files
    Adding Users via LDAP
    Configuring the Organization for Hands-Off Registration
    Registering Multiple Devices to a Single Account
    Custom Columns
    Adding Custom Columns
    Modifying Custom Columns
User Registration
    The NotifyMDM App
    Devices without a NotifyMDM App
    NotifyMDM Registration for NotifyLink Users
Appendix A: Default Policy Settings
Configuring the Organization

Organization Setup Wizard

The Organization Setup Wizard is a tool used to create an organization on the NotifyMDM server. The organization may be a company or a distinct group of individuals within a company.

Each organization consists of:

- its users/devices
- one or more Policy Suites that enforce functionality settings and security settings for an organization's fleet of mobile devices
- one or more Synchronization Schedules that govern when devices synchronize policy setting updates and send device statistics

A single application of NotifyMDM software can accommodate just one organization or host multiple organizations.

Configuring an organization includes:

- Entering organization information
- Defining a default ActiveSync Server (if applicable) for the purpose of user authentication and autoprovisioning
- Defining a default Administrative LDAP Server (optional) for the purpose of importing user information to the NotifyMDM server in batches
- Defining a default SMTP Server for email communication to and from the NotifyMDM server
- Creating a default Policy Suite or suites for the organization
- Creating a default Synchronization Schedule or schedules for the organization
- Adding users

The Organization Setup Wizard will step you through each of the above items with the exception of adding users.
Create an Organization using the Organization Setup Wizard

The Organization Setup Wizard displays automatically when you log in to NotifyMDM for the first time. You can also access the wizard via the dashboard.

1. From the NotifyMDM dashboard header, select System Management.
2. From the menu panel, select System Administration > Organizations.
3. Click the Add New Organization button.
4. Click Next to begin creating a new organization.

Step 1: Enter an Organization Name and Contact Information

Enter the following:

- Organization name
- License key (production releases will require a license key issued by Notify Technology)
- Contact name
- Contact's primary and secondary e-mail address
- Contact's primary and secondary phone number
- Select a default ownership for users who are auto-provisioned via Hands-Off registration.
- Allow or disallow users with a NotifyMDM app to change device ownership status. If you lock ownership, users who attempt to change their ownership via the NotifyMDM app will experience an invalid credentials error and will not be able to register. If you do not lock ownership globally, you may lock it for individual users.
- Choose whether you wish to send an email Welcome Letter to users when they register their device. The letter is associated with the policy suite assigned to the user. To compose or edit the letters, see Organization Management > Policy Suites.
- Click Next.
- Choose whether you will allow jailbroken (iOS) devices to register against the NotifyMDM server.

Step 2: Define the Organization's Default Servers

Define the following server credentials for the organization:

ActiveSync Server (optional)

An ActiveSync server is not required, but for systems utilizing the ActiveSync protocol, NotifyMDM can act as a gateway server. An ActiveSync server allows autoprovisioning of devices, reducing the amount of manual user configuration. In addition, users are authenticated via their ActiveSync server credentials. In this role, policies defined in NotifyMDM, rather than ActiveSync policies, are enforced. ActiveSync Email and PIM traffic are relayed to/from devices by NotifyMDM.

- ActiveSync server name
- ActiveSync server address
- ActiveSync server port
- Use SSL
- Allow Hands-Off Registration *

LDAP Server (optional)

Defining an LDAP server allows an administrator to quickly add groups of users to the NotifyMDM server by importing user information from a corporate LDAP directory.

- LDAP server name
- LDAP server address
- LDAP server port
- LDAP E-mail Attribute
- Use SSL
- Use TLS
- LDAP username
- LDAP password
- LDAP Base DN
- LDAP Object Class

SMTP Server

The SMTP server defined here will be used by the NotifyMDM server to send email to administrators and allows the administrators to send email to an individual device or a group of devices.

- SMTP server name
- SMTP server address
- SMTP server port
- Use SSL
- Use TLS
- Use AUTH PLAIN
- Username
- Password

* Enabling Hands-Off Registration via the ActiveSync Server

Enabling the Hands-Off Registration option when defining an ActiveSync server provides a method of autoprovisioning users on the NotifyMDM server. Users registering a device against the NotifyMDM server will be automatically added to the NotifyMDM server, as long as their credentials are recognized by the ActiveSync server. NotifyMDM creates the new account using the ActiveSync user account credentials and the default servers, policy suite, and sync schedule specified for the organization.
See related topics:

- Configuring the Organization for Hands-Off Registration
- Managing SMTP, ActiveSync, and Administrative LDAP Servers

[Screenshots: ActiveSync Server; Administrative LDAP Server; SMTP Server]
Step 3: Create the Organization's Default Policy Suite

Create a default policy suite for the organization. Other policy suites may be created later to accommodate different groups of users. The default policy suite is used for auto-provisioned users.

- Define a policy name for the organization's default policy suite.
- Set a corporate policy strength (for devices owned by the company).
- Set a personal policy strength (for devices owned by the individual).

Four Policy Strength Levels

- Low - No options are restricted on the device. Passwords can be simple.
- Moderate - No options are restricted on the device. Passwords are strong and password expiration is enforced.
- Strict - Requires alphanumeric password and encryption on the device and storage card.
- High Security - Browser and camera are disabled. Requires alphanumeric password and encryption on the device and storage card.

To customize the default policy or create additional policies, use the Policy Suites option on the Organization Management page.
Step 4: Create the Organization's Default Sync Schedule

Create a default Synchronization Schedule for the organization. Other schedules may be created later to accommodate different groups of users. Sync Schedules dictate peak and off-peak times for devices to synchronize. Times can overlap days to cover different work shift situations and special case employees. The default sync schedule is used for auto-provisioned users.

- Define a schedule name for the organization's default sync schedule.
- Set a corporate sync schedule (for devices owned by the company).
- Set a personal sync schedule (for devices owned by the individual).

Define the following settings:

Corporate

- Monday through Sunday peak sync ranges
- Peak sync interval
- Require direct push for peak time
- Off-peak sync interval
- Require direct push for off-peak time

Personal

- Monday through Sunday peak sync ranges
- Peak sync interval
- Require direct push for peak time
- Off-peak sync interval
- Require direct push for off-peak time

Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The times you define in the schedule grid designate peak sync times. Anything that falls outside the peak sync schedule is off-peak sync time.

To edit the default schedule or create additional schedules, use the Sync Schedules option on the Organization Management page.
Managing SMTP, ActiveSync, and Administrative LDAP Servers

You may define multiple administrative LDAP or ActiveSync servers for an organization, in addition to the server(s) you defined through the Organization Wizard. You may also edit information for the administrative LDAP, ActiveSync, or SMTP servers defined through the Organization Wizard.

Distinguishing between Administrative LDAP Servers and LDAP Servers

Administrative LDAP servers defined here are for the purpose of adding users via a batch import from an LDAP directory. User credentials are imported from an LDAP directory and all users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

LDAP servers defined under Corporate Resources are for the purpose of configuring LDAP settings to push out to the device, so the user can access corporate directory information via the device.

Define Additional Administrative LDAP or ActiveSync Servers

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select LDAP Servers or ActiveSync Servers.
3. Click the Add LDAP Server or Add ActiveSync Server option.
4. Enter the server credentials.

Server Editors: Edit Information for Administrative LDAP, ActiveSync, or SMTP Servers

To edit credentials for an existing LDAP, ActiveSync, or SMTP Server:

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select LDAP Servers, ActiveSync Server, or SMTP Servers.
3. For LDAP or ActiveSync servers, select the server you wish to edit from the table.
4. Edit the information and click Save Changes.
Policy Suites

A policy suite is a set of rules that govern, secure, and monitor the usage of devices in the enterprise. Policies are the heart of the Notify Mobile Device Management system, allowing administrators to manage users operating on a variety of device platforms and enforce policies across all devices as consistently as possible*.

For enterprises utilizing the ActiveSync protocol, NotifyMDM acts as a gateway server. NotifyMDM intercepts policy updates sent from the ActiveSync server and instead enforces policies on the device that have been defined in NotifyMDM.

*Note: Descriptions of individual policy settings and functionality of settings across device platforms may be found in the Device Platform Comparison chart at: http://mdm.notifylink.com/downloads/mdm%20device%20platform%20comparison.pdf

The Policy Wizard guides you through setup of an organization's policy suite(s). Multiple policies can exist and each user/device can be assigned the policy that best suits their role. A policy suite includes settings for both corporate and personal devices.

Policy Suite Templates. The Wizard allows an administrator to quickly create a new policy suite either by copying an existing policy suite or by choosing from a number of pre-defined policy suites which reflect four levels of security strength. The administrator can start with one of these templates and use the Policy Suite Editor to customize the settings associated with any of the policy rules. See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.

You may also draft a Welcome Letter that will be sent to users associated with a particular policy suite. The letter is sent via email when the user is added to the system.

Policy rules are categorized into the following groups:

- Application Control
- Audit Tracking
- Device Control
- Security Settings
- SMIME Settings
- iOS Devices
- App List Permissions
Create a New Policy

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. Click the Create New Policy option.
4. Choose a method for creating a policy suite:
   - Create the initial policy suite using sliders to determine its general policy strength (low, recommended, strict, high security).
   - Create the initial policy suite by copying the settings of an existing policy suite.
5. Use the Policy Suite Editor to customize the new policy.
Policy Suite Editor

To edit an existing Policy Suite:

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. From the menu panel, select the policy you wish to change.
4. Create a Welcome Letter to be emailed to users assigned this policy, when they are added.
   Note: This must be enabled in the Organization Settings. From the dashboard, select System Management > Organization and check the Send Welcome Letter to Users option.
5. Select the category you wish to edit.
6. Edit the settings and click Save Changes.

See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.

Descriptions of individual policy settings and functionality of the settings across device platforms may be found in the Device Platform Comparison chart at http://notifymdm.notify.net/downloads/device%20platform%20functionality.pdf
Tips on Customizing and Using Policy Suites

- You can use Allow All and Deny All buttons to easily allow or deny all settings for corporate and personal devices simultaneously.
- Some policies determine the options available for other policies.
- You must specify a policy suite when you add a user. Users added by import methods or Autoprovisioned users will all have the same policy suite.
- You can push policy changes to users by selecting the Push Policy Suite option. This overrides the sync schedule and forces users to immediately get the changes.
- You can change an individual user's policy suite in their User Profile.
- You can assign or change the policy suite for a group of users selected by criteria by selecting the Assign Policy Suite To Users option.

[Screenshot: Assigning a Policy Suite]
Synchronization Schedules

The Sync Schedule determines the frequency at which devices synchronize with the NotifyMDM server. The schedule controls when the devices send statistics and may also control when the server sends updates (if the direct push setting is disabled). Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The Sync Schedule Wizard guides you through setup of an organization's synchronization schedule(s). Multiple schedules may exist and each user (device) may be assigned the appropriate schedule.

The Wizard allows an administrator to quickly create a new sync schedule either by choosing from the system default schedules or by copying an existing schedule. The administrator can then use the Sync Schedule Editor to customize the settings associated with each schedule. Each schedule may be customized for corporate owned and personally owned devices.

Create a New Sync Schedule

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. Click the Create New Sync Schedule option.
4. Choose a method for creating a sync schedule:
   - Create a New Sync Schedule - Create the initial schedule using the system defaults.
   - Copy Existing Sync Schedule - Create the initial schedule by copying the settings of an existing schedule.
Define the following settings:

Corporate

- Monday through Sunday peak sync ranges
- Peak sync interval
- Require direct push for peak time
- Off-peak sync interval
- Require direct push for off-peak time

Personal

- Monday through Sunday peak sync ranges
- Peak sync interval
- Require direct push for peak time
- Off-peak sync interval
- Require direct push for off-peak time

Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The times you define in the schedule grid designate peak sync times. Anything that falls outside the peak sync schedule is off-peak sync time.

A schedule's peak and off-peak sync intervals define the frequency at which devices synchronize with the server. Peak time is defined as time periods during which device usage is consistently higher than average. Conversely, off-peak time is defined as time periods during which device usage is consistently lower than average. To accommodate the higher traffic, peak sync intervals are usually set at lower values (initiating more frequent synchronizations) than off-peak sync intervals.

The Require Direct Push setting determines whether updates from the server are synchronized immediately or during the next scheduled sync session. If this setting is enabled, updates from the server sync to the device as soon as they are available. Synchronizations from the device still occur according to the scheduled sync interval and are not affected by this setting.

Note: Remote Wipe commands sent from the server sync immediately, regardless of whether or not Require Direct Push is enabled.
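The peak, off-peak and Require Direct Push rules above decide how long an update from the server can wait before a device receives it. The following Python model is an added example, not NotifyMDM code: the OwnershipSchedule structure, its field names and the sample schedule are assumptions constructed for illustration, and it treats the sync interval in force when the update is queued as the upper bound on the wait.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class OwnershipSchedule:
    """One half (Corporate or Personal) of a sync schedule; an assumed model."""
    # weekday (0 = Monday) -> list of (start, end) peak ranges. An end at or
    # before the start means the range runs past midnight into the next day.
    peak_ranges: dict
    peak_interval_min: int
    offpeak_interval_min: int
    push_peak: bool      # "Require direct push for peak time"
    push_offpeak: bool   # "Require direct push for off-peak time"


def is_peak(s: OwnershipSchedule, when: datetime) -> bool:
    """True if `when` is inside a peak range; anything else is off-peak."""
    t = when.time()
    for start, end in s.peak_ranges.get(when.weekday(), []):
        if start < end:
            if start <= t < end:
                return True
        elif t >= start:              # range began today and crosses midnight
            return True
    yesterday = (when.weekday() - 1) % 7
    for start, end in s.peak_ranges.get(yesterday, []):
        if end <= start and t < end:  # tail of a range that began yesterday
            return True
    return False


def max_wait_minutes(s: OwnershipSchedule, when: datetime,
                     remote_wipe: bool = False) -> int:
    """Upper bound, in minutes, before a server update queued at `when` syncs."""
    if remote_wipe:
        return 0                      # Remote Wipe syncs immediately, always
    peak = is_peak(s, when)
    direct_push = s.push_peak if peak else s.push_offpeak
    if direct_push:
        return 0                      # update syncs as soon as it is available
    return s.peak_interval_min if peak else s.offpeak_interval_min


def weekly_worst_case(s: OwnershipSchedule, step_min: int = 15):
    """Scan one week and return (longest wait in minutes, first time it occurs)."""
    monday = datetime(2024, 1, 1)     # 2024-01-01 is a Monday
    worst = (0, None)
    for offset in range(0, 7 * 24 * 60, step_min):
        when = monday + timedelta(minutes=offset)
        wait = max_wait_minutes(s, when)
        if wait > worst[0]:
            worst = (wait, when)
    return worst


# Constructed sample: weekday day shift, plus a Friday night shift that runs
# into Saturday morning. Direct push is required only during peak time.
CORPORATE = OwnershipSchedule(
    peak_ranges={
        **{day: [(time(8, 0), time(18, 0))] for day in range(0, 4)},
        4: [(time(8, 0), time(18, 0)), (time(22, 0), time(6, 0))],
    },
    peak_interval_min=15,
    offpeak_interval_min=120,
    push_peak=True,
    push_offpeak=False,
)

if __name__ == "__main__":
    wait, when = weekly_worst_case(CORPORATE)
    print(f"Longest wait for a server update: {wait} min, first at {when:%A %H:%M}")
```

With direct push disabled for off-peak time, the longest wait in this sample equals the off-peak sync interval, which is the figure to weigh when choosing that interval.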
Sync Schedule Editor

To edit an existing Sync Schedule:

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. From the menu panel, select the schedule you wish to change.
4. Select the Corporate or Personal schedule.
5. Edit the settings and click Save Changes.
Tips on Using Sync Schedules

- You must specify a sync schedule when you add a user. Users added by import methods or Autoprovisioned users will all have the same sync schedule.
- You can push sync schedule changes to users by selecting the Push Sync Schedule option. This overrides the sync schedule and forces users to immediately get the changes.
- You can change an individual user's sync schedule in their User Profile.
- You can assign or change the sync schedule for a group of users selected by criteria by selecting the Assign Sync Schedule To Users option.

[Screenshot: Assigning a Sync Schedule]
Adding Users

Provisioning users for NotifyMDM can be executed in several ways.

- Add individual users manually
- Deploy a fleet of devices with batch import methods
  User credentials are imported from an LDAP directory or via a Comma Separated Values (CSV) file. All users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
- Configure the organization for Hands-Off Registration
  To free the administrator from the task of adding users either manually or by batch import, NotifyMDM can auto-provision any user with an account on the corporate ActiveSync server when they register their device against the NotifyMDM server. Users are added with the default device ownership, Policy Suite and Sync Schedule.

Adding Users Manually

Administrators can add users to an organization manually. Once added, users may register their device against the NotifyMDM server.

To Add Users Manually

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select Manual from the Add New User Wizard dialog.
4. Enter the user information, then click Finish.

* = required field

- ActiveSync server: Select the ActiveSync server you wish to associate the user with, from the dropdown list.
- LDAP Server: Select the LDAP server you wish to associate the user with, from the dropdown list.
- Device Ownership: Choose Corporate (user's device is corporate owned) or Personal (user's device personally owned).
- Lock Ownership: If locked, a user with a NotifyMDM device app will not be allowed to change their ownership. Users who attempt to change their ownership via the NotifyMDM app will experience an invalid credentials error and will not be able to register.
- User Name *: For users associated with an ActiveSync server, this should be their ActiveSync account user name. For users on systems that do not use the ActiveSync protocol, enter a unique user name for their NotifyMDM user account.
- Domain: If the ActiveSync server to which the user has been assigned requires a domain, enter it here. This also provides one way to configure the user for registering multiple devices against a single account. (See Registering Multiple Devices to a Single Account, in this guide.)
- Password *: For users associated with an ActiveSync server, this should be their ActiveSync account password. For users on systems that do not use the ActiveSync protocol, enter a unique password for their NotifyMDM user account.
- E-mail Address *: Enter the user's E-mail address.
- Policy Suite *: Select the Policy Suite you wish the user to have from the dropdown list.
- Sync schedule *: Select the Sync Schedule you wish the user to have from the dropdown list.
- Carrier: Enter user's carrier from the dropdown list.
Adding Users via Comma Separated Values (CSV) Files

An administrator can import a group of users to the NotifyMDM server via a CSV file. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

Usernames, email addresses, and passwords of users are entered into a spreadsheet template. The administrator also chooses the device ownership, policy suite, synchronization schedule, ActiveSync server (if used), LDAP server (if used), and carrier (if desired) for the group being added. Using the Add New User Wizard, the file is then downloaded to the NotifyMDM server where user credentials from the file and the defaults specified by the administrator are merged to create new NotifyMDM user accounts.

Once added, users may register their device against the NotifyMDM server.

To Add Users by Importing From CSV Files

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select .CSV from the Add New User Wizard dialog.
4. Download the .csv spreadsheet template and save it in the desired location. Enter into the .csv spreadsheet the usernames, email addresses, and passwords for the users you are adding to MDM.
5. In the Add New User Wizard, select the default information for users in this file: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Upload the .csv file with the users' credentials.
7. Click Add Users when the file has finished uploading.
Adding Users via LDAP

When an LDAP server(s) is defined for an organization, NotifyMDM can use it to retrieve user information from the corporate LDAP server(s) and use it to add users to MDM.

An administrator can import a group of users to NotifyMDM via an LDAP server that has been defined for the organization. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

Once added, users may register their device against the NotifyMDM server.

To Add Users by Importing From LDAP

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select LDAP from the Add New User Wizard dialog.
4. Select the LDAP Server to query.
5. Select the default information for users added via LDAP: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Select the Username Format to be used.
   - Trim e-mail address before @ - EX: If e-mail address is jstewart@company.com, username will be jstewart
   - Use entire email address - username will be the full e-mail address
7. Click Next to select the users you wish to add from the LDAP server.
8. Click Add Users when you have finished making your selections.
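The Username Format chosen in step 6 decides whether two directory entries can end up with the same user name. The following Python check is an added example, not part of NotifyMDM: the function names and the constructed address list are assumptions, as is the case-insensitive comparison of user names. It derives the user name each format would produce and reports addresses that would collide.

```python
from collections import defaultdict

TRIM = "trim"      # "Trim e-mail address before @"
ENTIRE = "entire"  # "Use entire email address"


def derive_username(email: str, fmt: str) -> str:
    """Return the user name the given Username Format yields for one address."""
    email = email.strip()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    if fmt == TRIM:
        return local
    if fmt == ENTIRE:
        return email
    raise ValueError(f"unknown username format: {fmt!r}")


def find_collisions(emails, fmt: str) -> dict:
    """Map each derived user name shared by more than one address to those addresses.

    Names are compared case-insensitively (an assumption; the stricter reading).
    """
    by_name = defaultdict(list)
    for email in emails:
        by_name[derive_username(email, fmt).lower()].append(email.strip())
    return {name: addrs for name, addrs in by_name.items() if len(addrs) > 1}


def safe_formats(emails) -> list:
    """Username Formats under which every address gets a distinct user name."""
    return [fmt for fmt in (TRIM, ENTIRE) if not find_collisions(emails, fmt)]


# Constructed sample of addresses selected for import from two mail domains.
SELECTED = [
    "jstewart@company.com",
    "jsmith@company.com",
    "jsmith@organization.com",
]

if __name__ == "__main__":
    for fmt in (TRIM, ENTIRE):
        print(fmt, "->", find_collisions(SELECTED, fmt) or "no collisions")
    print("usable formats:", safe_formats(SELECTED))
```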
Configuring the Organization for Hands-Off Registration

Enabling User Self-Registration

Enabling the Hands-Off Registration option when defining an ActiveSync server provides a method of autoprovisioning users on the NotifyMDM server, thus freeing the administrator from the task of adding users either manually or by batch import.

Users registering a device against the NotifyMDM server will be automatically added to the NotifyMDM server, as long as their credentials are recognized by the ActiveSync server. NotifyMDM creates the new account using the ActiveSync user account credentials and the default servers, policy suite, and sync schedule specified for the organization.

To Enable Hands-Off Registration for an ActiveSync Server

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select ActiveSync Servers.
3. From the table, select an ActiveSync server or create a new ActiveSync server by choosing Add ActiveSync Server.
4. Check the box labeled Allow Hands-Off Registration and click Save Changes.
Registering Multiple Devices to a Single Account

On Exchange, Kerio, and Zimbra servers you can configure a user so that multiple devices can be registered to a single account. For example, a user may have a phone, but also use a companion device, such as a tablet or a second device for foreign travel. This is accomplished by two methods, depending on what the mail server supports.

You can create multiple users for the individual on the NotifyMDM server using the various types of login usernames. All the usernames reference the same mail server account, thereby making it possible for the individual to register multiple devices.

Note: One limitation exists in this scenario: when there are users with the same username or same username@domain (in the case of On-Demand or multi-tenant servers). Since the full email address is the only unique identifier for each user, you must enter each user's full email address in the username field when creating their individual NotifyMDM users. EX: jsmith@company.com and jsmith@organization.com. For this reason, these users will not be able to register multiple devices to one account, unless one agrees to change their email address.

A second method is to create alias email addresses on the mail server that use the same username as the original email address.

Note: On NotifyMDM systems set up for self-registration, the user can only self-register one device. You must manually add the other NotifyMDM user(s) to the system before they register companion device(s).

Exchange

For ActiveSync users on Exchange 2010, 2007, or 2003, you can configure a user so that they may register up to four devices against a single Exchange account. This is accomplished by creating multiple users for the individual on the NotifyMDM server using the various types of usernames that Exchange allows for login. All the usernames reference the same Exchange account, thereby making it possible for the individual to register multiple devices.
Step 1: Create up to three users for the individual on the NotifyMDM server.

User #1
- Enter the user's Exchange username in the User Name field.
- Enter the user's Exchange email address in the E-mail Address field.

User #2
- Enter the user's Exchange email address (as defined in the Exchange Active Directory) in the User Name field.
- Enter the user's Exchange email address in the E-mail Address field.

User #3
- Enter the user's Exchange username in the User Name field.
- Enter the Exchange domain name in the Domain field.
- Enter the user's Exchange email address in the E-mail Address field.

User #4
- Enter the user's Exchange username@domain in the User Name field.
- Enter the user's Exchange email address in the E-mail Address field.
[Screenshots: User #1: User Name; User #2: Email Address; User #3: User Name and Domain; User #4: Username@domain]

Step 2: Instruct the user to install the NotifyMDM device app on each device. They will register one device using the Exchange username and other devices using the Exchange email address, username and domain, or username@domain.

Kerio

For ActiveSync users on Kerio systems, you can configure users so that they may register two devices against one account. This is accomplished by creating two users for the individual on the NotifyMDM server using the various types of usernames that Kerio allows for login. The different usernames reference the same Kerio account, thereby making it possible for the individual to register multiple devices.

Step 1: Set the AllowUnsupportedDevices option on the Kerio server. Refer to Kerio knowledge base article 547 for instructions. http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=547
Step 2: Create two users for the individual on the NotifyMDM server.

User #1
- Enter the user's Kerio username in the User Name field.
- Enter the user's Kerio email address in the E-mail Address field.

User #2
- Enter the user's Kerio email address in the User Name field.
- Enter the user's Kerio email address in the E-mail Address field.

[Screenshots: User #1: User Name; User #2: Email Address]

Step 3: Instruct the user to install the NotifyMDM device app on each device. They will register one device against the NotifyMDM server using the Kerio username and the other using the Kerio email address.

Zimbra

For ActiveSync users on Zimbra systems, you can configure users so that they may register multiple devices against one account. The number of companion devices is limited only by the number of aliases you wish to create on the Zimbra server.

Method A: Create two users for the individual on the NotifyMDM server using various types of usernames for login.

Step 1: Create two users for the individual on the NotifyMDM server.

User #1
- Enter the user's Zimbra username in the User Name field.
- Enter the user's Zimbra email address in the E-mail Address field.

User #2
- Enter the user's Zimbra email address in the User Name field.
- Enter the user's Zimbra email address in the E-mail Address field.

[Screenshots: User #1: User Name; User #2: Email Address]
Step 2: Instruct the user to install the NotifyMDM device app on each device. They will register one device against the NotifyMDM server using the Zimbra username and the other using the Zimbra email address.

Method B: Create alias email addresses.

Step 1: Create alias email addresses on the Zimbra server that target the original email address. Select Aliases > New.

Step 2: Add another user account to the NotifyMDM server. Enter the alias user name in the User Name field and the target account email address (user's original Zimbra email address) in the E-mail Address field.

[Screenshot: User with alias user name]

Step 3: Instruct the user to install the NotifyMDM device app on each device. They will register one device against the NotifyMDM server using the original username and another using the alias username.
Custom Columns

Administrators can create user information fields that are specific to their organization, but are not part of the NotifyMDM System base installation. These fields can then be viewed in the User Profile and can be displayed as columns in the user list. There is a limit of ten Custom Columns for each organization.

Information for the fields may be one of five types, including an LDAP type field, which will pull information from an LDAP server defined for the organization. The administrator must manually enter values for other field types. The field types are: Text, Dropdown, Numeric, Date, and LDAP.

View of the Custom Columns in the User Profile

Adding Custom Columns

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu, select Custom Columns.
3. Click the Add Custom Column option.
4. Select the Custom Column Type and the Custom Column Name.
5. The Type you select will determine the parameters you define for the field.

| Type | Parameters |
|---|---|
| Text | Maximum length of alphanumeric characters. |
| Dropdown | Enter the choices that will appear in a dropdown list. |
| Numeric | Minimum and maximum numeric values. |
| Date | None |
| LDAP | LDAP attribute and LDAP server (at least one must be defined for the organization). |

6. Click the Finish button to save.
Modifying Custom Columns

Custom Columns can be modified after they are defined, but on a limited basis. For example, you cannot change the Type of the column, since this would prevent you from entering correct values in the future. The administrator can modify custom columns in the following ways:

- Change the custom column name
- Add values to a dropdown type
- Decrease minimum values
- Increase maximum values

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu, select Custom Columns.
3. Select the column you wish to modify from the left panel and edit the name of the column or other parameters that are editable.
4. Click Save Changes.

Custom Columns Page
User Registration

The NotifyMDM App

The NotifyMDM device application is available for Android, BlackBerry, and iOS 4 users. Direct users to the NotifyMDM portal for instructions on installing the app.
http://notifymdm.notify.net/

Android instructions: http://notifymdm.notify.net/downloads/notifymdm%20for%20android.pdf
BlackBerry instructions: http://notifymdm.notify.net/downloads/notifymdm%20for%20blackberry.pdf
iOS 4 instructions: http://notifymdm.notify.net/downloads/notifymdm%20for%20ios%20devices.pdf

Devices without a NotifyMDM App

Devices for which a NotifyMDM device application is not yet available may still register against the NotifyMDM server. The devices must have an ActiveSync application. Devices supported for this type of registration include Symbian S60 3rd edition, webOS, Windows Mobile 6.1/6.5, and Windows Phone 7.

Functionality

Mobile device management functionality for these devices is limited to only the ActiveSync security policies supported by the device platform. Device statistics accessible via the NotifyMDM dashboard display limited information. In addition, there is no audit tracking or location data available for these devices.

Device statistics in the Smart Phones/Users view for these devices are limited to:

- User Name
- Ownership
- Domain
- Last ActiveSync Sync
- Active
- AS Version
- Policy Suite
- AS User Agent
- Sync Schedule
- Device Type

Users with Android, BlackBerry, and iOS 4 devices should install the NotifyMDM app. These devices will also be limited to the functionality outlined above without the NotifyMDM app.

The Device Type field may display various descriptions based on the model of the device:
| Device platform | Device Type column may display: |
|---|---|
| Symbian S60, 3rd edition devices | IMEI####### |
| webOS devices | Palm |
| Windows Mobile 6.1/6.5 devices | SP, PPC |
| Windows Phone 7 devices | WP |

For information on policy functionality, see the Device Platform Comparison chart at: http://notifymdm.notify.net/downloads/device%20platform%20functionality.pdf

Instructions for other devices: http://notifymdm.notify.net/downloads/activesync%20device%20registration.pdf

NotifyMDM Registration for NotifyLink Users

If you are currently using NotifyLink Enterprise Server and have users that are transitioning to NotifyMDM, the following steps are required:

1. Instruct the user to remove the NotifyLink device client or the NotifyLink (Exchange ActiveSync) account from the device. Instructions are available in each of the device user guides, found at http://notifylink.notify.net/deviceclients.asp.
2. For ActiveSync device users, Clear Registration. Select User Administration > (select the user) > Edit User Device. Click the Clear Registration button.
   For users that have been using the NotifyLink device client, remove their NotifyLink account from the NotifyLink server and add them again with an ActiveSync license.
3. Instruct users to re-register the device with NotifyMDM, using the NotifyLink Username and Authentication Password.
Appendix A: Default Policy Settings

This chart documents the default settings of the entire NotifyMDM Policy Suite for each security level available in the Create New Policy Suite Wizard. It may also be used as a template for planning any customizations to your policy suites.

Print two charts - one for planning a policy suite for corporate devices and one for planning a policy suite for personal devices. Select a security level to start with and then mark the rules you wish to customize.

| Policy | Low Level (YES / NO / VALUE) | Moderate Level (YES / NO / VALUE) | Strict Level (YES / NO / VALUE) | High Level (YES / NO / VALUE) |
|---|---|---|---|---|
| **Application Control** | | | | |
| Allow unsigned applications | X | X | X | X |
| Allow unsigned installation packages | X | X | X | X |
| Whitelist (no defaults) | | | | |
| Blacklist (no defaults) | | | | |
| **Audit Tracking** | | | | |
| Record files on device | X | X | X | X |
| Send file list frequency (in days) | 30 | 14 | 7 | 3 |
| Record phone log | X | X | X | X |
| Record text message log | X | X | X | X |
| Record media on device | X | X | X | X |
| Policy | Low Level | Moderate Level | Strict Level | High Level |
|---|---|---|---|---|
| Record location of device | X | X | X | X |
| **Device Control** | | | | |
| Allow Bluetooth | Allowed | Allowed | Handsfree only | Disabled |
| Allow browser | X | X | X | X |
| Allow camera | X | X | X | X |
| Allow infrared | X | X | X | X |
| Allow internet sharing from the device | X | X | X | X |
| Allow remote desktop | X | X | X | X |
| Allow SD card | X | X | X | X |
| Allow synchronization from a desktop | X | X | X | X |
| Allow text messaging | X | X | X | X |
| Allow Wi-Fi | X | X | X | X |
| Allow HTML formatted email | X | X | X | X |
| Allow consumer email | X | X | X | X |
| Allow POP/IMAP email | X | X | X | X |
| Maximum email body truncation size (in KB) | No Max | No Max | No Max | No Max |
| Maximum HTML email body truncation size (in KB) | No Max | No Max | No Max | No Max |
| Maximum calendar age for synchronization | (All days) | (3 months) | (3 months) | (3 months) |
| Maximum email age for synchronization | (Sync all) | (3 weeks) | (2 weeks) | (1 week) |
| Require manual sync when roaming | X | X | X | X |
| **Security** | | | | |
| Require Password | X | X | X | X |
| Enable password recovery | X | X | X | X |
| Allow simple password | X | X | X | X |
| Policy | Low Level | Moderate Level | Strict Level | High Level |
|---|---|---|---|---|
| Require minimum password length | X | X | X | X |
| Minimum password length | 4 | 6 | 8 | 8 |
| Require alphanumeric password | X | X | X | X |
| Minimum number of complex characters | 1 if enabled | 1 | 2 | 3 |
| Require device password expiration | X | X | X | X |
| Password expiration in days | 30 if enabled | 30 | 30 | 30 |
| Require device password history | X | X | X | X |
| Number of stored passwords | 1 if enabled | 5 | 7 | 10 |
| Enable password echo | X | X | X | X |
| Begin password echo after attempts | 5 if enabled | 5 if enabled | 5 if enabled | 5 if enabled |
| Require encryption on the device | X | X | X | X |
| Require encryption on the SD card | X | X | X | X |
| Enable duress notification | X | X | X | X |
| Duress notification email | Empty | Empty | Empty | Empty |
| Require max inactivity time device lock | X | X | X | X |
| Max inactivity timeout (in minutes) | 60 if enabled | 5 | 1 | 1 |
| Require device challenge timeout | X | X | X | X |
| Max device challenge timeout | 120 if enabled | 120 | 60 | 30 |
| Enable customizable lock message | X | X | X | X |
| Customizable lock message | Empty | Empty | Empty | Empty |
| Audible alert on lock | X | X | X | X |
| Maximum grace period (in minutes) | 5 minutes | 1 minute | 0 (immediately) | 0 (immediately) |
| Wipe device on failed number of unlock attempts | X | X | X | X |
| Maximum number of unlock attempts | 4 if enabled | 10 | 7 | 5 |
| Enable emergency calls when locked | X | X | X | X |
| Ambulance phone number | 911 | 911 | 911 | 911 |
| Policy | Low Level | Moderate Level | Strict Level | High Level |
|---|---|---|---|---|
| Fire phone number | 911 | 911 | 911 | 911 |
| Police phone number | 911 | 911 | 911 | 911 |
| Other phone number | 911 | 911 | 911 | 911 |
| **SMIME Settings** | | | | |
| Require signed SMIME messages | X | X | X | X |
| Require encrypted SMIME messages | X | X | X | X |
| Require signed SMIME algorithm | SHA1 | SHA1 | SHA1 | SHA1 |
| Require encryption SMIME algorithm | TDES | TDES | TDES | TDES |
| Allow SMIME Encryption algorithm negotiation | Do not negotiate | Do not negotiate | Do not negotiate | Do not negotiate |
| Allow SMIME soft certs | X | X | X | X |
| **iOS Devices** | | | | |
| Allow video conferencing | X | X | X | X |
| Allow voice dialing | X | X | X | X |
| Allow screenshot | X | X | X | X |
| Allow explicit content | X | X | X | X |
| Allow automatic sync when roaming | X | X | X | X |
| Force encrypted backup | X | X | X | X |
| Allow application installation | X | X | X | X |
| Allow in app purchases | X | X | X | X |
| Allow YouTube | X | X | X | X |
| Allow iTunes | X | X | X | X |
| Allow Safari | X | X | X | X |
| Accept cookies | Always | Always | From visited sites | Never |
| Allow Auto-fill | X | X | X | X |
| Policy | Low Level | Moderate Level | Strict Level | High Level |
|---|---|---|---|---|
| Allow JavaScript | X | X | X | X |
| Block popups | X | X | X | X |
| Force fraud warning | X | X | X | X |
| Allow plugins | X | X | X | X |
| Rating region | US | US | US | US |
| Application ratings | Allow All Apps | 12+ | 12+ | Don't Allow Apps |
| Movie ratings | Allow All Movies | PG-13 | Don't Allow Movies | Don't Allow Movies |
| TV show ratings | Allow All TV Shows | TV-14 | Don't Allow TV Shows | Don't Allow TV Shows |
| App List Permissions | X | X | X | X |
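The planning step described at the start of Appendix A (select a security level, then mark the rules you wish to customize) can be checked mechanically. The following Python is an added example, not NotifyMDM code: it compares planned numeric values with the chart's defaults for the chosen level and reports each change as weaker or stricter. The setting keys are hypothetical names for the chart rows, and the stricter direction of each row is an assumption inferred from how the defaults move from Low to High.

```python
# Added planning aid, not NotifyMDM code. Numbers are the Appendix A defaults;
# the keys are hypothetical names for chart rows, not product identifiers.
LEVELS = ("low", "moderate", "strict", "high")

# row -> (default per level, direction in which a value gets stricter).
# Directions are assumptions read off the Low-to-High trend of the defaults.
# Low-level values the chart lists as "N if enabled" are entered as N.
DEFAULTS = {
    "min_password_length":      ((4, 6, 8, 8), "higher"),
    "min_complex_characters":   ((1, 1, 2, 3), "higher"),
    "stored_passwords":         ((1, 5, 7, 10), "higher"),
    "password_expiration_days": ((30, 30, 30, 30), "lower"),
    "max_inactivity_minutes":   ((60, 5, 1, 1), "lower"),
    "max_challenge_timeout":    ((120, 120, 60, 30), "lower"),
    "max_unlock_attempts":      ((4, 10, 7, 5), "lower"),
    "file_list_frequency_days": ((30, 14, 7, 3), "lower"),
}


def review_plan(level, planned):
    """Compare planned values with the chosen level's defaults.

    Returns (setting, default, planned, verdict) tuples sorted by setting name.
    verdict is 'weaker', 'stricter', or 'unknown' for a row not in DEFAULTS;
    values equal to the default are omitted.
    """
    idx = LEVELS.index(level)  # raises ValueError for an unknown level name
    findings = []
    for name, value in planned.items():
        if name not in DEFAULTS:
            findings.append((name, None, value, "unknown"))
            continue
        per_level, stricter_when = DEFAULTS[name]
        default = per_level[idx]
        if value == default:
            continue
        stricter = value > default if stricter_when == "higher" else value < default
        findings.append((name, default, value, "stricter" if stricter else "weaker"))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    # Constructed plan: start from the Strict level and customize a few rules.
    plan = {"min_password_length": 6, "max_inactivity_minutes": 5,
            "max_unlock_attempts": 5, "stored_passwords": 7}
    for row in review_plan("strict", plan):
        print(row)
```

Rows reported as weaker are the ones to justify before the customized suite is assigned to devices.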