Cloud Services MDM. Application Management Admin Guide

Cloud Services MDM Application Management Admin Guide 10/24/2014

CONTENTS Application Management... 2 Using the Applications Page... 2 Enabling the Book Catalog... 9 Application Wrapping Android Apps... 12 Recommending Public Applications... 15 Deploying Internal Enterprise Applications... 17 Advanced Application Assignment... 21 Application Version Management... 23 Application Notifications... 24 Notifying Devices... 26 Terms of Use (EULA) Notifications for Apps... 27 Managing User Feedback and Ratings... 28 Google Play (Android Market) Integration... 30 Customizing Application Profiles... 31 Managing Apple VPP Applications... 33 Manage the VPP Application Deployment... 41 Manage Apple VPP ibooks... 42 Additional Information... 44 Application Workflow... 45 Implementing Application Workflow... 45 Enabling Application Workflow... 46 Workflow Process... 47 Recommended Applications... 51 Keep in Mind...... 53 1

Application Management is one of nine sections of the overall Admin Guide for Mobile Device Manager. The following is the complete list of MDM Admin Guide components: MDM Overview and Setup Device Management Profile Management Geofencing Application Management Content Management Email Management Telecom Management Reports and Alerts APPLICATION MANAGEMENT MDM's mobile Application Management solution enables the administrator to wirelessly distribute and manage internal, public, and purchased apps to ios and Android devices across the mobile fleet. Furthermore, the Enterprise App Catalog allows the corporation to build secure business applications, which can be deployed, managed, and secured alongside public apps via a custom app catalog. Through the Application Management tools in the Admin Console, administrators can allow users to effortlessly view, install, and update both internal and public applications. USING THE APPLICATIONS PAGE The Applications page on the Admin Console is responsible for managing and pushing applications to end- user devices over- the- air. It provides detailed list of Internal, public, and purchased applications that have been created or recommended for the specified location groups or child location groups. It is the centralized interface for you to recommend public applications and deploy internal or purchased applications to your smart device fleet. To access the Applications page, navigate to Catalog Applications. 2

From here, you can view all the Applications that are being managed in the Admin Console. You can categorize applications within four Admin Console groups Internal, Public, Purchased, and Application groups, as well as determine how to distribute those applications as described in Advanced Application Assignment. Navigating the Applications Page There are several ways for you to select, order, identify, find, filter (and more) specific applications within the Admin Console. This section is divided into the following: Search Bar Grid Icons Search Bar Platform Search for applications based on the device platform. Status Search for applications based on the activity status of a device. Select All, Active, Retired, or Inactive for Public and Purchased (with the addition of Retired for Internal). This is not available in Groups. Categories Search for Applications only within Internal based on the category assigned to it by you in the Info screen prior to uploading the application into the Admin Console. Type Search for Applications only within Application Groups that meet a specific type defined by you. Select All, Whitelist, Blacklist, or Required. Search Search for specific application by name, partial name, or keyword. Enter any keyword in the Filter Grid field and press <Enter>. The grid re- sorts and only displays those devices that contain the keyword(s) entered. 3

Multiple Criteria Search Using Only the Search Bar: In this scenario, the search criteria used is Platform: Apple ios and Status: Active; Categories: All and Search: sales. The result for this multiple criteria is shown in the grid below: Grid The grid displays sortable and non- sortable columns within each of the four groups Internal, Public, Purchased, and Application Groups. Depending on which group you view, the column(s) change. A description of the sortable columns in all four groups: Assignment The combination of the Device Ownership and Managed By selections made by you when the application was assigned. Comments The comments entered by you in the Comments field when the application was assigned. Description The description entered by you in the Description field when the application was assigned. Name The name of the application entered in the Name field when the application was assigned. Platform The platform (e.g., Apple) on which the application runs. Platform / OS / Model Provides information on the platform, the operating system, and model. Status Indicates whether the application is Active, Inactive, or Not Assigned. Type Indicates applications as Whitelisted, Blacklisted, or Required. Uses SDK Indicates which applications are using the Software Developers Kit (SDK). Available only for Internal applications. Version Is the version entered by you in the Version field when the application was assigned. Available only for Internal applications. NOTE: Actions, Applications, Category, Icon, Installed/Assigned, Managed By, Rank, and Reimbursable are not sortable columns. 4

Icons There are icons throughout the page that when either hovered over or clicked provides more features or perform functions. They are as follows: Tiles and Lists Click Tiles in the upper right corner screen displays application icons in the far left column, as illustrated in the example below: Click List in the upper right corner the screen displays all information textually without any graphical representations, as illustrated in the example below: Refresh Click Refresh the grid refreshes to display the default Available Columns layout, as well as all device data based on any search criteria in the Filter drop- down and Filter Grid field, as illustrated in the example below: 5

Export All Click Export All below: the data in the grid exports into an Excel spreadsheet, as illustrated in the example Actions Click Actions to manage the application using the following options listed in the Action menu: View Allows you to view the application assignment. You can also edit the assignment from this screen. Edit Allows you to edit information about the existing application assignment. Edit Assignment Allows you to edit the existing application assignment. View Devices Shows devices that are available for that application. Publish Pushes out the application to devices that match the profile criteria. Notify Devices Allows you to notify the device users about the apps. Add Version Allows you to upload the latest version of the application. Retire Allows you to remove the previous version of the application from the device and exists in the Admin Console as Retired. Deactivate Allows you to keep the application, but deactivate it. Activate Allows you to keep the application active. User Ratings Allows you to view both the admin ratings as well as user ratings. Unretire Allows you to push the already retired application to the device. Delete Deletes the application and removes it from devices. 6

Enabling the App Catalog The first step to deploying applications through MDM is deploying the Enterprise App Catalog in the form of a Web Clip (ios) or Bookmark (Android) profile: 1. Navigate to Profiles & Policies Profiles. 2. Select [Add]. The Select Platform form displays. 3. Choose Android or Apple based on the device you would like to configure. 4. Configure the Profile General Settings (see Creating Profiles). 5. Select Web Clips for ios devices or Bookmarks for Android devices from the left profile list. 6. Click the [Configure] button and enter all Web Clip/Bookmark profile parameters. Label The name displayed on managed devices for the Web Clip/Bookmark. For example, App Catalog could be used. URL The App Catalog URL is in the following format: https://<environment>/devicemanagement/appcatalog?uid={deviceuid}, where <Environment> is the URL to your MDM Server. In a multi- server on- premise deployment, this URL is your Device Services server URL. NOTE: If you are in Shared SaaS environment, use the following convention: https://dsxx.<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}. For example, if you are in the CN22 environment, use the following: https://ds22.<mdmhenvironment>/devicemanagement/appcatalog?uid={deviceuid} 7

NOTE: You can also change the landing page for the App Catalog. Use the conventions listed below: o o o o o Internal: https://<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}&defaulttab=internal Public: https://<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}&defaulttab=public Categories: https://<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}&defaulttab=categories Purchased: https://<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}&defaulttab=purchased Updates: https://<mdmenvironment>/devicemanagement/appcatalog?uid={deviceuid}&defaulttab=updates Icon To add a custom icon, select a graphic file in.gif,.jpg, or.png format. o For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary and converted to.png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices. Show as web app in the app catalog Enable this option for the device users to use Web Clip profiles on the app catalog as web applications. NOTE: Administrators can assign and manage on- demand web applications in the App Catalog, which allows the device users to navigate and install the web applications from App Catalog. 7. When complete, click [Save & Publish] to immediately deploy the Web- Based App Catalog to all appropriate devices. Advanced Authentication for App Catalog Administrators can allow the users to use App Catalog by assigning user name and password. 1. Navigate to System Settings Applications App Catalog. 2. Authentication: Enable the Require Authentication for Application Catalog checkbox to prompt the device user to enter the user name and password to authenticate the App Catalog. Select an option under the Default tab to make it display as the first tab in the App Catalog. 3. App Catalog without MDM: Enable the App Catalog without MDM checkbox to prevent the user from enrolling into MDM. In this case, the user can have access to applications assigned to the location group through a separate App Catalog. Enable the Allow New User Registration checkbox to allow the new users to register to have access to the App Catalog. Enter a title for the App Catalog Web Clip. Upload an image for the App Catalog. 4. Click [Save]. 8

ENABLING THE BOOK CATALOG Identical to App Catalog, the first step to deploy ibooks through MDM is deploying the Enterprise Book Catalog in the form of a Web Clip (ios) or Bookmark (Android) profile: 1. Navigate to Profiles & Policies Profiles. The Device Profiles page displays. 2. Select [Add]. The Select Platform form displays. 3. Choose Android or Apple based on the device you would like to configure. 4. Configure the Profile General Settings. 5. Select Web Clips for ios devices or Bookmarks for Android devices from the left profile list. 6. Click the [Configure] button and enter all of the Web Clip/Bookmark profile parameters. Label The name displayed on managed devices for the Web Clip/Bookmark. For example, MDM Book Catalog could be used. URL The Book Catalog URL format: https://<environment>/devicemanagement/appcatalog/bookcatalog?uid={deviceuid}, where <Environment> is the URL to your MDM Server. In a multi- server on- premise deployment, this URL is your Device Services server URL. Precomposed Icon To add a custom icon, select a graphic file in.gif,.jpg, or.png format. o For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary and converted to.png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices. 7. When complete, click [Save & Publish] to immediately deploy the Web- Based Book Catalog to all appropriate devices. 9

Application Categories MDM provides the administrators to have their own application categories and to filter the applications by those categories. Administrators can create, view, edit, delete, and assign one or more categories to both public and internal applications for a selected location group. These categories are also displayed on the App Catalog allowing the end- users to browse and filter the applications by category. To create an application category: 1. Navigate to Catalog Applications page. 2. Select Application Categories from the Configuration menu on the left. Name Name of the category. Description Description of the category. Category Type Indicates whether the category is added in the system as seed data (System type) or added by an admin user (Custom type). Only the Custom categories can be edited. Managed By The location group at which the category is created. By default, the categories of System type are assigned to all the managed and its lower location groups. 3. Click [Add Category] to create a new category to assign for applications for a selected location group. 4. Fill in the Add Category form with all required fields. Category Name Enter the name for the category. Category Description Enter a short description for the category. 5. Click [Save]. The Category gets saved as Custom category. 6. Click the Actions menu located on the right for editing, viewing, or deleting the application categories. NOTE: The Resources need to be added to enable the administrators with the roles to view, add, delete, or edit an application category. 10

Assigning Custom Category to Apps The administrator can assign or un- assign categories to internal and public apps. To assign a category: 1. Navigate to Catalog Applications page. 2. Select either Internal or Public from the Applications menu on the left. 3. Click [Add Application] and fill in the form with all required fields. Categories While adding a new internal or public application, the system automatically looks up all the existing seeded system categories and selects the one that matches the application as received from the app store. To add multiple categories, select from the lower portion of the Categories list. When a match is selected, the category moves into the selected (upper half) portion of the list. 4. Click [Save and Assign]. 11

APPLICATION WRAPPING ANDROID APPS Application Wrapping (or App Wrapping) is the process of providing a management layer to internal Android apps without requiring changes to the source code of the existing application. App Wrapping allows administrators to set and expose certain functionality elements that can be applied to an application or group of applications. The functionality elements can include the following: The user authentication is required for a specific app An app can run on a rooted device To allow copy and paste or file sharing The camera is enabled Bluetooth is enabled App Wrapping allows administrators to associate extra security and management features to an existing app and then re- deploy that app to an enterprise app store. App Wrapping Process The administrator must perform the two processes below for wrapping and publishing an Android wrapped application. Creating an App Wrapping Profile The administrator has to create a Wrapping Profile to configure a wrapped internal app from the console. 1. Navigate to the Applications page. 2. Select Profiles from the Configuration list on the left side of the page. 3. Click [Add Profile] and then select App Wrapping Profile as the configuration type. The Add a New Profile page displays. 4. Enter the Name, Description for an app wrapping profile, and the location group that manages it in the General payload profile. 5. Click Authentication payload and enter the following information: Enable the Require Authentication checkbox to prompt the user to authenticate before launching the app. The users can use the same credentials used during enrollment. 12

6. Enable the Require Passcode checkbox to allow the user to create a password for the app. Enter the minimum passcode length, the complexity for the passcode (Simple/Complex), and the minimum number of complex characters that are to be included while setting a passcode. 7. Click the Restrictions payload to set certain restrictions for the wrapped app. Enter the following information: Enable the Detect Compromised Device checkbox and set an action that has to be performed on the device when found compromised. The actions can require the end- user to exit the app, wipe app content, or remove app from the device. Enable other checkboxes to prevent copying content from the app and/or to enable Bluetooth and camera. 8. Click [Save] to preserve the profile in the console. 13

Creating a Wrapped Internal App 1. Login to the Console. 2. Navigate to Application Internal Add Internal Application screen. 3. Upload an APK file for an internal Android app. For more information, refer to Deploying Internal Enterprise App. 4. Navigate to the Wrapping tab in the Add Application screen. 5. Check the Enable App Wrapping option to enable the application for wrapping and to associate the wrapped app with the wrapping profile. Below is the screen that interacts with the Wrapping Engine to perform the actual wrapping process. 6. Click [Save]. When saving, the console puts the APK file and the request in the internal queue. Upon successful wrapping, the Internal Application page displays the status as Application Successfully Wrapped. NOTE: If you want to wrap an application that has already been distributed, you need to upload a new version of the app and wrap it before saving and assigning it. 14

RECOMMENDING PUBLIC APPLICATIONS Once the App Catalog is successfully deployed to your smart device fleet, you can begin Recommending Public Applications and distributing corporate applications through the Admin Console. To recommend public apps to the App Catalog from the Admin Console: 1. Select Public from the Applications menu on the left. 2. Click [Add Application]. 3. Fill in the Add Application form with all required fields. Managed By Enter the Location Group with permission to edit the application. Platform Enter Apple, Android, or Windows Phone/Windows Phone 8. Name Name for the Application as it appears in the App Catalog. Search App Store Select the check box to automatically search the Apple App Store, the Google Play Store (Android Market), or the Microsoft Windows Phone Store for the Application, and populate all app details. NOTE: In order to search the Google Play Store, a Google Account must first be integrated with the MDM environment. See Google Play (Android Market) Integration for more information. 4. Select [Next]. View the returned search results. 5. Click [Select] to the left of the desired listing. 15

Most of the application information automatically populates for Apple ios, Android, and Windows Mobile devices. Info: o o o o URL MDM populates the URL for Android, Apple ios, and Windows Phone devices. Comments Creates commentary that displays in "additional comments" in the App Catalog. Reimbursable Designates whether or not a corporation reimburses end- users for the app purchase. A small icon in the App Catalog indicates if an app is reimbursable. Rating Rates apps with 1-5 stars and displays the rating in the App Catalog. NOTE: Comments and rating capabilities are added from the console for public applications by the administrators, and can view the user ratings of all other apps. o Categories Determines the application type which is displayed in the App Catalog. Deployment: o Push Mode Determines if the application is installed automatically (auto) or manually (on demand) by the user through the App Catalog. o Remove On Unenroll Determines if the application is removed when a device is unenrolled. Add Exceptions Enables customized application deployment by creating specific exceptions to the options located under the Deployment view. o Push Mode o Remove on Unenroll o Prevent Application Backup NOTE: This is helpful for deploying the same applications to different groups of users with unique security and deployment requirements. For example, you may wish to push a certain application to one group of users as an "auto" installed application while sending the app to another group of users as an "on- demand" application. 6. Select the app specific Terms of Use. 7. When complete, click [Save and Assign] to proceed to the application assignment options. For more information on Application Terms of Use, refer to Terms of Use Notification under Application Notifications. 16

DEPLOYING INTERNAL ENTERPRISE APPLICATIONS Once the App Catalog is successfully deployed to the smart device fleet, begin recommending internal applications and distributing corporate applications through the Admin Console. The following platforms support internal corporate applications: Apple ios Android Symbian Windows Phone 8 (WP8) To distribute corporate applications to the App Catalog from the Admin Console: 1. Navigate to Catalog Application. 2. Select Internal from the Applications menu on the left. NOTE: Internal is selected by default. 3. Click [Add Application]. The Add Application form appears. 4. Fill in general parameters as needed. Some of the fields include: Managed By Specifies the Location Group with permission to edit the application. Application File Specifies the Location of the application file. Apple applications are uploaded in an.ipa file, Android apps are in an.apk file, Symbian apps are in.sis and.sisx files, and WP8 apps are in a.xap file. NOTE 1: On the Symbian platform, only internal applications are pushed over- the- air. No other applications, including public and purchased apps can be pushed. For WP8, both public and internal applications can be pushed. 17

NOTE 2: The.sis and.sisx files are either self- signed or Symbian- signed. Self- signed files generate a notification and are installed via the Device Notification tab. Symbian- signed files are installed in the phone memory without displaying a notification. NOTE 3: In certain cases, the application does not get pushed onto the device or show a notification. For example, when the application is already installed on the device, the app does not push or display a notification. 5. Select [Continue] and fill out additional fields as needed. 6. On the Info tab, fill out the following: Name The app name displayed on the device. Managed By The location group where the application is managed. Application ID The information entered in this field changes by platform. o For Android apps, enter the application s package identifier. o For ios apps, enter the application s bundle identifier. Actual File Version The application version recorded in the file. These fields are automatically populated with the detected application data. Version Update application information when uploading a new version of a managed app. Logging these changes in the Change Log is optional. NOTE: For more information on deploying different versions of the same application, see Application Version Management. 7. On the Descriptions tab, fill out the following optional details. 18

Description/Keywords Enter a description about the application to be displayed in the App Catalog. URL Enter a website address that has more information about the application. Support Email/Support Phone Enter contact information for internal application support. Internal ID/Copyright Used for internal purposes. Developer/Developer Email/Developer Phone Enter the name of the developer responsible for developing the application along with email and contact information. Cost Center Enter the cost center that the developer providing the application belongs to. Cost Enter the cost for developing the application. Currency Enter the currency value. 8. Images (Optional) Upload screenshots and a description of the app prior to downloading from the App Catalog. The uploads display on the Application page. 19

9. Terms of Use (Optional) Enter an End- user License Agreement as a pre- installation application requirement. 10. Required EULA Select the app- specific Terms of Use (EULA). NOTE: For more information on Application Terms of Use, refer Terms of Use Notification under Application Notifications. 11. On the Files tab, enter the following: Application file/provisioning profile Populates automatically when the application is uploaded. Application Supports GCM Enables the Admin to send push notifications to Android devices if Yes is selected. Google IDs are required for GCM communication with devices. Google Account/Password Enter the Google account and password. 12. Finally, on the Deployment tab, fill out the additional criteria to determine which users/devices receive the application. Effective Date/Expiration Date Set dates for when the app becomes active or expires. Remove on Unenroll Determines if the application is removed when a device is unenrolled. 20

Select Add Exception to include: o User Groups (Optional) Select User Groups if you are leveraging User Groups in MDM as an additional assignment filter for the application. o Device Ownership Assign the application to devices with a specific ownership type. o Push Mode Determine if the application is installed automatically (auto) or manually (on demand). 13. When complete, click [Save and Assign] to proceed to the Advanced Application Assignment options. ADVANCED APPLICATION ASSIGNMENT MDM offers advanced application management techniques for organizations wishing to further customize application assignment through advanced and facilitated application testing. After completing the basic deployment and assignment information for either an internal or public application (see Deploying Internal Enterprise Applications or Recommending Public Applications), you have the option to add more advanced assignment criteria by clicking [Save and Assign] at the bottom of the Add Application screen (you can also edit this advanced information by selecting the Actions menu Edit Assignment). Or, you can proceed with assigning the application based only on the information on the Assignment tab by going to the advanced assignment screen and clicking [Next]. NOTE: If any editing settings are grayed out, that means that full editing permissions are not permitted at this level (If you believe that you should have editing permissions, please ensure that Override is selected as the current setting). Criteria The Criteria window allows you to use the Admin Console to determine which device users have access to a Public application by assigning that app based on many factors, such as, location groups, device owners, user groups, and many more options (including exclusions). 1. Select the Location Group radio button that applies. If you chose Selected Location Groups, you can drill down to select which location group(s) has 21

access to that application. 2. Check the appropriate Ownership checkbox to specify the owner of the devices. You may check one or more checkboxes. 3. Choose the User Group radio button that applies. The selection applies to only those devices within the specified location group. For example, if the app is only for ios devices then only ios devices in that location group have access to the application. 4. To further customize the deployment settings, do the following: Add Operating System criteria by clicking [Add Criteria]. Add Model criteria by clicking [Add Criteria]. Add Location Group criteria by clicking [Add Include Set]. You may click this as many times as needed to define an assignment exception to include additional devices down to a granular level, regardless of any other specified criteria for that Location Group. Exclude Location Group criteria by clicking [Add Exclude Set]. You may click this as many times as needed to define an assignment exception to exclude certain devices down to a granular level, regardless of any other specified criteria for that Location Group. 5. Select the appropriate Child Permission radio button to either Inherit only or Inherit or Override the selections you made. 6. Click [Next]. 22

Devices The screen below displays all the devices that have access to that Public application (e.g., Salesforce for ipad) based on the selections you made in the previous Criteria screen. If you review the list of device users and want more or less users to have access to this application, then do the following: 1. Click [Previous] to go back to the previous Criteria page. 2. Modify the Criteria page by making selections that redefines the assignment of the application. 3. Click [Next] to view the Devices page. 4. When you are satisfied with the application assignment, click [Finish] to save all changes and close this window. APPLICATION VERSION MANAGEMENT You can leverage the application management tools in MDM to manage different versions of the same internal application. This feature is especially useful for application testing as you may wish to upload a "beta" version of an application update to deploy to specific users for testing purposes while still deploying the current version of the application to all other users. Once the testing is complete, you can replace the existing version of all devices with the newest version of the application. To manage application versions: 1. Navigate to the internal applications page and select the Actions menu for the application. 2. Click [Add Version]. Or, simply upload the new version of the application and MDM detects if that it is a newer version of an existing application. Fill in the version and optionally add internal notes in the Change Log. 23

3. Upload the new application file and specify the settings: Check the box to retire the previous version of the application on the specified devices and replace it with the newer version. o There is an option to Retire Previous Version the application on the Application Actions menu, so if you do not wish to immediately retire the previous version of the application you have the option to do so at a later time. Check the box to copy the application assignment for the previous version. 4. If necessary, enter the new assignment criteria. 5. Click [Save] or [Save and Assign] to proceed with publishing or editing the application assignment. APPLICATION NOTIFICATIONS Custom Notification for New and Updated Apps MDM allows the administrators to notify the end- users about the new and updated apps through messages. MDM provides the administrators with few in- built message templates and allows them to send messages via email, SMS, or push notifications. A message template can be customized to include application name, description, image, and version information. The administrator can edit the message templates to have a lookup value for the URL for the application page on the Application Catalog to be referenced. MDM also allows the administrator to notify all devices having the assigned app installed/not installed. To send an application install notification message: 1. Navigate to Configuration System settings and select Message Templates from the System menu on the left. 2. Click [Add]. The Add/Edit Message Template form displays. 24

3. Fill in the required information. Name Name of the template. Description Short description of the template. Category Select Application. Type Select the type of notification. The types include Purchased Application, Application Notification, and Application EULA Final Notification. Message Type Enable the type of message that admin wants to send. The options are Email, SMS, and Push. 4. In the Email template, select the Email format and enter the subject and message body for the template. 5. Enter the lookup values in the message body. The lookup values that are available are shown in the below image. NOTE: If the lookup value is used in the Application Notification template type, while delivering the message the look up value gets replaced by the actual value for the application. 25

NOTIFYING DEVICES The administrator can select Notify Devices from the Action menu on the Application page to notify devices that have the application assigned to them. The Send Message form displays. 1. Enter in all the mandatory fields. Message Type Select the type of the notification that is to be sent to the devices. Message Template Select the template for sending the message Status Select the status of the device. This includes All, Installed, and Not Installed. By default, the Status filter on the device list is in Not Installed status. 2. Click [Send]. NOTE: Based on the Status selected, the device list indicates whether or not the notification message is sent to the devices. 26

TERMS OF USE (EULA) NOTIFICATIONS FOR APPS MDM allows the administrator to notify end- users about the availability of updated App Terms of Use. The administrator should send the Terms of Use notifications in the following cases: Notifying end- users when the latest Terms of Use for an installed application has not been accepted. Distributing updated Terms of Use with newer version and prompting the user to accept the Terms of Use from App Catalog each time while logging into App Catalog. Removing the apps when the Terms of Use is not accepted within the given grace period and when the Terms of Use is rejected. To send or edit Terms of Use 1. Navigate to Catalog Application. 2. Select Internal from the Applications menu on the left (this is selected by default). 3. Click Add Application and select Terms of Use tab. When no Terms of Use are selected, a Terms of Use are not defined for this application message is displayed. If no Terms of Use exist, the admin can create a new Terms of Use by clicking Manage Terms. The Admin then navigates to System settings Terms of Use page where a new one can be created. 27

When the admin wants to edit the selected Terms of Use: click the Edit icon next to Manage Terms. This navigates to the Terms of Use page and the Admin can edit the Terms of Use. 4. Click [Save]. MANAGING USER FEEDBACK AND RATINGS MDM aids the administrators to view feedbacks from the users on internal, public, and purchased applications published to them. This allows the administrators to make future decisions related to the specific application. For example, redeployment of the application with better capabilities, rolling out the application to more users, or scrapping specific features because the users did not find any value in them, etc. These feedbacks are in the form of user ratings and comments for individual applications. To view user ratings and comments 1. Navigate to Catalog Applications. 2. Click the Internal, Public, or Purchased Application link on the left side of the page. NOTE: The count of number of ratings (star icons) indicates the average/effective rating. The User Rating indicates the number of users who provided the ratings for the app and is used to calculate the effective rating. 28

3. To access the rating comments, administrators can either click the User Rating or select the User Rating option on the Action menu on the right side of the page. The User Ratings page displays. Effective Rating The average of the total number of user ratings. User Group Filters the comments based on a specific User Group. NOTE: Only for the internal apps, the administrator can filter the comments based on the Version of the application on the User Ratings page. To delete the user comments On the User Ratings page, click the Management Delete option provided at the top- left corner of the page to delete a specific rating. Once deleted from the console, the change gets reflected on the App Catalog. NOTE: Only for the public apps, the administrator can edit Ratings for the app. To edit, click the Edit option from the Action menu on the Public Application page. 29

GOOGLE PLAY (ANDROID MARKET) INTEGRATION You must configure a connection between the MDM environment and the Google Play Store before they can use the Search App Store feature for Android apps. 1. To add a Google Account, navigate to Configuration System Settings Device Android Android Market Integration and complete the form provided: Username Google Account username. Password Google Account password. Android Device ID Enter in a valid Android Device ID. o It is highly recommended that a device ID from a tablet is used (as opposed to a device ID from a smart phone) as this provides the system with access to all apps in the Google Play Store and not just those available for smart phones. 2. Click [Test] after filling out the form to see if the system can connect to the Google Play Store using the supplied credentials. NOTE: To find the DeviceID of your Android device, download the Device ID application from the Google Play Store. 3. When complete, click [Save] to proceed. 30

CUSTOMIZING APPLICATION PROFILES MDM enables you to customize internal enterprise applications for ios devices developed with the SDK in addition to MDM applications such as the Secure Content Locker or the Browser. Using these advanced customization tools available in the Admin Console, you can further enforce corporate branding, compliance policies and actions, and other application settings to create a truly unique and secure corporate application experience. To access the Application Profile settings: 1. Navigate to Apps Applications. 2. Locate the Application Settings menu on the left- hand side of the screen. 3. Select Profiles Application/SDK Profiles. 4. Click Add Application Profile to open the application profile creation window (or, to edit an existing application profile, click the Actions menu next to the profile and select [Edit]). 5. Select from the views on the left to edit the associated application area. General Fill in the general application settings, including the Name and Description of the profile for reference in the Admin Console. Credentials Configuration Type For application profiles, the configuration type by default is set to Application Profile and for the SDK profile it set to SDK Profile. Platform Select the platform to which the custom application settings are to be deployed. Root Location Group Select the root location group from which the application profile is to be managed. Credential Source Select None, Upload, or Define Certificate Authority. Authentication Authentication settings enable you to establish authentication requirements for the application to further secure internal applications that may contain proprietary corporate data. The three authentication options are None, Passcode, and Username and Password. None Select None if no authentication is required to access the application. Passcode Select Passcode to you require a user- created passcode to be present on the application in order to open the app. Fill in the Passcode requirement fields to establish complexity, length, character, age in days, auto- lock, grace period, and history requirements. All of these additional custom fields are optional. o Check the boxes to allow or disallow Single Sign- On and the use of the same passcode for all applications. o Maximum number of failed attempts and action of exceeded: Select the maximum failed attempts allowed and then proceed to customize the action taken if the failed attempts reaches this threshold. 31

o o Actions if maximum number of failed attempts exceeded. Click Add Action to create custom actions to take place if the number of failed attempts exceeds the specified limit. The options are to Display Message (you can specify a custom message), Lock User, Wipe Application (removes the application from the device), or Restrict Access. Add as many additional actions as necessary. For example, you may want to both lock out a user who has exceeded the maximum allowable attempts and display a message to inform the user that the user must contact you for further assistance. Username and Password Select Username and Password from the drop- down menu if you require the username and password authentication in order to access the application. o Specify the grace period (in minutes) until the device locks. o Check the box to allow or deny Single Sign- On. o Select the maximum number of failed attempts and the custom actions to perform if this number is exceeded. Access Control Check the boxes to allow or disallow Offline Mode (prohibiting offline access allows for more continuous compliance checking when the application is active) and specify whether or not to Require MDM Enrollment in order to access the application. You can further restrict offline access by entering the maximum number offline uses (when Allow Offline Mode is enabled). If Require MDM Enrollment is enabled, you can specify custom actions to be performed in order to notify the user or perform actions if the device is not enrolled. Compliance Check the boxes to allow or disallow Compromised devices from accessing the application, and to Prevent restoring backup to another device. If either of these compliance options is enabled, you can specify custom actions to be performed in order to notify the user or perform actions regarding the device compliance status. Branding Customize the application with corporate or other unique color identifiers. Enter the correlating Hex codes in the labeled fields to customize application background colors and text. Custom Enter (or paste) XML into the box to further customize the application settings. When you are finished filling out the application profile fields, click [Save]. 32

MANAGING APPLE VPP APPLICATIONS MDM offers a robust solution to Apple Volume Purchase Program (VPP) application management and distribution. The sections below outline how you can leverage this new feature with the capabilities of MDM to easily manage and distribute ios application orders to the smart device fleet. The Apple Volume Purchase Program allows businesses and educational institutions to purchase publicly available applications or specifically developed third- party applications in volume for distribution to corporate devices. NOTE: The Apple Volume Purchase Program is currently only available in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain, the United Kingdom, and the United States. The process of deploying applications in volume throughout a business or educational institution with the Volume Purchase Program can be separated into three main components: VPP Enrollment First, businesses and education institutions must enroll in the program and verify with Apple that they are a valid business or institution. o To register for the VPP, navigate to http://www.apple.com/business/vpp for businesses, or to http://www.apple.com/itunes/education for education institutions. o More information regarding the Apple Volume Purchase Program, how it works, and program prerequisites can be found at the links above. App Purchasing Once enrolled in the Volume Purchase Program, businesses and educational institutions can purchase applications in bulk through the Volume Purchase Program Website at https://vpp.itunes.apple.com/us/store. o Log in with the VPP Apple ID created during the enrollment process. o Find applications, define the quantity and purchase with a corporate credit card. App Deployment Once applications have been purchased, they can be distributed throughout a smart device fleet through the use of redemption codes. For each application purchase, there is an associated redemption code for end- users to redeem a single copy of the application. o These redemption codes are managed through a Redemption Code Spreadsheet available at the Volume Purchase Program Website. This spreadsheet contains details such as the redemption code, redemption status and most importantly, a redemption URL that an end- user could use to automatically validate the code and install the program through the App Store. It is during this final step, App Deployment, that Mobile Device Management can be leveraged to enhance management and distribution to a corporate smart device fleet. For businesses and educational institutions that do not have any Mobile Device Management capabilities, Apple provides two solutions to deploying redemption URL s to end- users: Emailing the redemption URL directly to end- users. Posting the redemption codes and URLs directly to a corporate intranet site. 33

The section below describes how MDM can be leveraged to automate and simplify this application distribution process. Upload the Apple VPP Redemption Code Spreadsheet to MDM The first step to manage and deploy VPP Application Orders through MDM is by uploading the Apple VPP Redemption Code Spreadsheet to the Admin Console. The steps listed below outline this process: 1. Navigate to Apps Orders to open the Orders page. 2. Click [Add]. The Add Order form displays. 3. Create the VPP Application Order first. To do so, upload the.csv file that you downloaded from the VPP Portal by selecting [Choose File]. 4. Once you have selected the appropriate Apple VPP Redemption Code Spreadsheet, click [Save] to continue to the Product Selection form. If the Apple VPP Redemption Code Spreadsheet contains licenses for multiple applications, several products can be listed on this form. Only one can be selected per new order. 34

5. Locate the appropriate product and then click [Select] to finish uploading the spreadsheet. You are now directed back to the Order page in the Admin Console and your new order displays with a New status. Orders with a New status are not yet activated for distribution and redemption to the device fleet. 6. To activate the new order, click the Blue Order Number. This opens the Order Activation form. 7. From here, enter in all necessary order information. (Required fields are denoted with a red asterisk.) * Friendly Name The name of the order that is displayed on the Order page within MDM. Description A brief description of the order. PO Number The Purchase Order number. Department The corporate department to which this application order is deployed. Cost Center The corporate department responsible for financial information regarding this application order. Total Cost The total cost of the application order. Cost Per License The cost per license purchased for this application order. 8. Click the Licenses tab, to view all the other order numbers assigned to this product. 9. Once complete, click [Save and Approve] to approve the order for distribution. 35

Actions Click Actions to manage the order using the following options listed in the Action menu: Delete Deletes the order from the console. Edit Assignment Allows you to edit the existing order by assigning it to users or devices. Allocating Redemption Codes Once the Apple VPP Redemption Code Spreadsheet has been uploaded and the order has been approved for distribution, you can begin allocating the redemption codes for individual application purchases throughout the device fleet: 1. Navigate to Apps Orders to open the Orders page. 2. Locate the specific order to be allocated from the list by Order Number, Friendly Name, Product Name, or Order Date. 3. Once the order is located, click the Edit Assignment icon under Actions on the right. The Application Assignment screen displays: 36

From this page you can allocate licenses to specific Location Groups and User Account: Click [Add], or you can choose to reserve licenses for later redemption by placing them On- Hold. To allocate licenses by Location Group: 1. Click [Add]. 2. Enter and select the name of the Location Group: 3. Make sure the All Users option is selected. To allocate licenses by User Accounts: 1. Click [Add]. 2. Enter and select the name of the Location Group: 3. Check Selected Users. 4. Click the blue Selected Users link to access the User Select form. 5. From here, select all specific User Accounts on the left and click [Add] to provision an individual redemption code to this specific user. 37

6. When all users have been selected, click [OK] to return to the Application Assignment form. 7. Enter the number of licenses to allocate to the selected users in the Allocated text box. 8. To allocate a single license to each selected user, type the same number that is shown in the Users text box into the Allocated text box. If fewer are allocated, only the first users to use their redemption code can install the application. 9. To save redemption codes for later use, select On Hold: 10. Enter the number of redemption codes that you want to place on hold in the On- Hold text box. 11. Assignment Type Select the appropriate option if the application is installed automatically (Auto) or manually (On Demand). NOTE: When Assignment Type is Auto, only eligible ios5 devices receive the App automatically. NOTE: Removing an app when a device is unenrolled does not recover the redeemed license. When installed, the app is associated to the user's App Store account. 12. Once all the available licenses have been allocated, click [Save] to finish allocating the redemption codes. 38

13. Now navigate to the Products page. 14. Click the Actions menu and then select the Publish option to deploy the application. This lets the device user know about the application deployment on their device. 15. Navigate to the License page to view all application licenses and manage redemption. 16. Click the Make Available option on the Action icon to receive the application and to redeem it. NOTE: You can also delete individual redemption codes or make unavailable. Create Purchased Application Messages and Notify Device-Users Once the VPP application licenses have been allocated, you have the ability to notify device- users that their application download is available by leveraging the device notification capabilities of MDM. By default, MDM is configured to send an email to end- users to notify them that the specific VPP application is available for download. To create custom Purchased Application Messages, or to enable SMS/Push- based Purchased Application Messages: 1. Navigate to Configuration System Settings. 2. Select System General Message Templates from the navigation menu on the left to open the Message Template form. 39

3. Click [Add] to open the Add/Edit Message Template form. 4. Fill in all required parameters on the Add/Edit Message Template form. Subject The subject of the email message, if email is selected as a delivery method. Description An internal description of the message used internally by MDM to describe this template. Category The message template category. For VPP Application Messages, select Application. Type The type of message to be sent; a subcategory of the message template category. For VPP Application Messages, select Purchased Application. Device Ownership A parameter to limit the message delivery to only devices belonging to the specified device ownership category. Primary Delivery Method The main method of message delivery to end- users. Alternate Delivery Method An additional method of message delivery to end- users. This type of message is also sent in addition to the message specified in the primary delivery method. Effective Date The start- date in which this message template begins taking precedence over the default message bodies specified by the MDM system. Expiration Date The end- date in which this message template stops being delivered to end- users instead of the default system message templates, or other currently effective message templates. Select Language A parameter to limit the message delivery to only devices belonging to users who understand the specified languages. Email / SMS / Agent Check Boxes Check any of these boxes to enable message configuration for each respective message type. Message Bodies The message that is displayed on end- user devices for any of the respective message types. Use the {ApplicationName} lookup value to dynamically populate the name of the application for download in the messages displayed on end- user devices. Once the form has been completed, select [Save] to complete the custom Purchased Application Message. 40

Once the custom purchased application messages have been created, or you choose to use the default purchased application email message template, notifications can be sent out over- the- air to all end- users. To send the Purchased Application Messages to end- users: 1. Navigate to Catalog Applications to open the Purchased page. 2. Locate the specific order to be allocated from the order list by Order Number, Friendly Name, Product Name, or Order Date. 3. Once the specific order is located, click Notify Devices under the Actions menu on the right. MANAGE THE VPP APPLICATION DEPLOYMENT Once the VPP Application Orders have been allocated to the device fleet and end- users have been notified, the VPP Application Deployment is in effect. During this period, you can use the Orders page in the Admin Console to manage and monitor the status of their application deployment. From the Orders page in the Admin Console you can: View the Order Status: View the Order Redemption Status: The order has recently been uploaded to MDM and is awaiting approval before beginning allocation to end- users. The order has been approved, but has not been allocated throughout the device fleet or end- users notified. The order has been approved by Apple, allocated to the device fleet and end- users have been notified. See total number of Purchased application vouchers, the number of Redeemed vouchers that have been used by end- users and number of Remaining vouchers that end- users can still redeem in the future. Reallocate licenses, Re- notify end- users, or Delete the VPP Application Order. 41

From the Products View on the Orders page in the Admin Console you can: Activate or Deactivate VPP Product Orders for redemption: o The Green and Red dots in the status category indicate Active and Inactive VPP Product Orders respectively. To toggle between an active and inactive status, click the dots. Re- notify end- users. From the Licenses view on the Orders page in the Admin Console you can: View each Individual License Status: The license has not been used by the end- user but is available for redemption. The license belongs to a VPP Product Order with an Inactive status. The license information is still in the MDM system and can be set to Active for later redemption. The license was redeemed by a device that is not under MDM. The license was redeemed by a managed device through MDM. View the License User and Date Redeemed: Licenses with a redeemed status have the fields for Assigned To and Date Redeemed indicating the User Account who purchased the application and the date at which he/she purchased it. MANAGE APPLE VPP IBOOKS MDM offers a robust solution to Apple Volume Purchase Program (VPP) for ibooks management and distribution. The administrators of educational institutions can purchase books as ibook titles through Apple's VPP program and provide access to these purchased ibook to their students of correct User Groups and devices. The process of leveraging to automate and simplify the ibook distribution process is same as the process involved in distributing applications. The process of getting an ibook order approved for distribution and its license for allocation is same as the process involved for Apple VPP Applications. 42

The below instructions provide you an overview for deploying a purchased ibook to the device fleet. 1. Navigate to Catalog Applications and select Purchased from the menu on the left. 2. Click [Add Order]. The Add Order screen appears. 3. Select the product type as Book. The Add Order form displays asking you to upload an order.csv file provided by Apple. NOTE: The Add Order screen can be launched from Add Order action on the Purchased Book screen or the Orders screen. 4. Once you have uploaded appropriate.csv file, click [Save] to proceed to the Product Selection form. 43

Once the.csv file is validated for the correct ibook, information such as description, image thumbnail, price, version, and category is pulled using the search/lookup API for the product purchased through Apple s VPP program. 5. Click Edit Assignment from the Actions menu on the Orders page and fill in the required fields in the form. Location Group Admin can add one or more location groups to which the purchased books need to be assigned. Licenses Enter the number of licenses that need to be allocated. Deployment The deployment can be configured either to Auto or On- Demand mode. NOTE: The total of all allocated licenses across all location groups cannot exceed total licenses available. If the On Demand deployment method is selected and the Selected User option is activated, the admin can specify one or more users in the location group to which the ibook needs to be assigned. ADDITIONAL INFORMATION Administrator can upload a.csv file for a new ibook VPP order from Apple and select the appropriate ibook for assignment to one or more location groups. Administrator can assign an ibook order across multiple location groups using Auto deployment mode. Administrator can assign an ibook order across multiple locations groups using On Demand deployment mode and select a set of users for each location group who need to download the ibook. To clearly distinguish the products for applications and ibooks and to have the accessibility to view, edit, and delete ibooks, the administrator can use Books page by navigating to Catalog Books. o All the orders associated with ibooks are identified with a unique order type called Books. o All the products associated with ibooks are identified with a unique product type called Books. 44

APPLICATION WORKFLOW Application workflow simplifies the internal app deployment process for organizations developing their own apps. It allows organizations to delegate key steps in the process to administrators who are responsible for individual parts. Some of the key benefits of this feature include: Clear separation of responsibility Automated notifications for completed steps Console badging to highlight pending workflow items IMPLEMENTING APPLICATION WORKFLOW To bring the application workflow into process, four different administrator user accounts have to be created. Each of the created user accounts must have different administrator workflow permissions assigned under a specific location group. Refer to Admin Accounts for creating admin/user accounts and assigning permissions/roles. Roles involved in Application Lifecycle Workflow There are four major admin roles participating in the application lifecycle at various stages. The responsibilities of each of the roles are listed below. Admin Role Developer Reviewer Assigner Publisher Description of Responsibility Is responsible for developing internal applications and revising them based on the analysis of performance and feedback provided by reviewer, publisher, or sponsor. Is responsible for reviewing a new application created by developer, and assigning it an appropriate description, screen shots, and Terms of Use. Reviewer also looks at the change log provided by the developer for the application to determine if the application is eligible for promoting to assignment or needs rework. Is responsible for assigning the application to location group(s)/user group(s)/smart group(s) and promoting it to a full rollout based on whether the application meets the required criteria. Assigner accordingly makes recommendations to the publisher. Is responsible for reviewing the assignment criteria for application configured by the assigner and determines whether the right set of devices are being provided the application. Publisher can also republish the application to devices that were assigned but have not installed the application. Below is the screen to assign resources to administrator workflow permissions (navigate to Administrators Roles and then click Add Roles). 45

ENABLING APPLICATION WORKFLOW To configure workflow on the console: 1. Navigate to System Settings Application Application Workflow. 2. Select the Enable Work Flow for Applications checkbox. Separate sections are created for each workflow actions to Add Application, Review Application, Assign Application, and Publish Application. The Role selection box defines the admin role that can perform the workflow action. Select a message template to notify the users within the role when an application becomes available for performing the workflow action. NOTE: Upon saving the values, the selected roles from the menu that already have the associated resources become enabled. If any role for any of the actions is changed, the corresponding role resources are disabled for the previous role and regular application permissions are re- enabled. 46

WORKFLOW PROCESS Step 1: Add Application An administrator assigned to the Add Application step of the workflow process has access create and submit an application for review. A red badge on the left side of the page displays the number of applications that are in Created workflow status. Created workflow status allows the Add Application administrator to edit and/or promote the application to the next step within the application workflow process. The admin can also add a new application through which the user can promote the application to the next workflow status of In Review by clicking [Submit for Review], as shown in the image below: Clicking the [Submit for Review] button sends an email alert to all users in the location group that belong to the role assigned to the workflow action of Review Application in the System Settings Configuration page. Clicking the [Save] button saves the application in Created status Clicking [Cancel] discards the changes made to an application. 47

Step 2: Review Application An administrator assigned to the Review Application step has access to review an application in the workflow process. A red badge displays the number of applications that are in In Review workflow status, which the user can edit and promote to the next step for assigning an application. By default, the workflow status filter is set to In Review and lists all the applications available to the location group in In Review workflow status. When an administrator selects an application from the application list, all the tabs that display on the Edit Application screen. The user can modify any of the fields within each tab and save the info. Clicking the [Save] button saves the changes made in the session without changing the workflow status of the application. Clicking the [Submit for Assignment] button updates the workflow status of the application to To be Assigned status. o Clicking this button also sends an email alert to all users in the location group that belong to the role assigned to a workflow action of Assign Application in the System Settings Configuration page. Clicking [Cancel] button discards any changes made to an application. 48

Step 3: Assign Application An administrator assigned to the Assign Application step has access to assign an application in the workflow process. A red badge displays the number of applications that are in To be Assigned workflow status, which the user can edit and promote to the next level for publishing an application. By default, the workflow status filter is set to To be Assigned and lists all the applications available to the location group in the To be Assigned workflow status. The admin can change the filter to view applications in all workflow statuses. An admin can select an application to view the Edit Assignment page to edit/add criteria, include sets, and/or exclude sets. Clicking the [Save] button saves the changes made in the session without changing the workflow status of the application. Clicking the [Cancel] button discards the changes made to the application. 49

Clicking the [Next] button takes the user to the next tab (Devices), where the devices for the location group satisfying the criteria display. Clicking the [Previous] button takes the user back to the Criteria tab. Clicking the [Save] button saves the changes in the session without changing the workflow status of the application. Clicking [Submit for Publishing] button updates the workflow status of the application to To be Published. o Clicking this button sends an email alert to all users in the location group that belong to the role assigned to workflow action of Publish Application in the System Settings Configuration page. Clicking the [Cancel] button discards any changes made to the application. Step 4: Publish Application An administrator assigned to the Publish Application role has access to publish an application in the workflow process. A badge displays the number of applications that are in To be Published workflow status, which the user can edit and promote to qualified devices. By default, the workflow status filter is set to To be Published and displays all the applications available to the location group in the To be Published workflow status. The admin can change filter to view applications in all workflow statuses. 50

The admin can select an application to view the page shown below: Clicking the [View Assignment] button takes the user to the smart groups Configuration screen, which displays the criteria to which the devices correspond. Clicking the [Save] button saves the changes made without changing the workflow status of the application. Clicking the [Publish] button updates the workflow status of the application to Published status. Clicking the [Cancel] button discards any changes made to the application in the session. RECOMMENDED APPLICATIONS The following applications are recommended in order to take full advantage of the MDM environment. All of these apps have been designed by to work directly with the Agent and give you additional control and settings options for managing your device fleet. These are all available for download from the itunes App Store or the Google Play Store. The Secure Content Locker (Available for ios devices) For more information on the Secure Content Locker, see Content Management. The Browser (Available for ios and Android devices) The Browser application provides a secure alternative to open internet browsing. There are two modes of operation for the Browser, Restricted and Kiosk: 51

Restricted mode: Depending on how you have chosen to configure this feature, the Browser may operate very much like standard internet browser, or it may be more restricted. Typical restrictions might include: o Whitelist: Your administrator may limit browsing to a list of allowed websites. Attempts to navigate to a website that is not whitelisted fail. o Blacklist: There may be a list of blacklisted websites. In this case, surfing is permitted anywhere except to a blacklisted website. Kiosk mode: In this mode, the secure browser defaults to a specified home screen after a period of inactivity (determined by your administrator). Additional restrictions may be applied to the Browser, such as limiting the ability to copy/paste, or disabling the ability to print a web page. The Secure Launcher App (Available for Android Devices) The Secure Launcher App must be installed (and running) on a user's device in order to use the Launcher Mode Profile. The Telecom Service App (Available for Android Devices) The Telecom Service App allows you to capture detailed telecom information from managed Android devices. This includes information such as: Call Logs SMS Logs Cellular Data Usage NOTE: In order to collect this data, you must first make sure that the appropriate data collection settings are enabled. To adjust these settings, navigate to System Settings Devices Android Agent Settings and look for the Telecom settings. 52

KEEP IN MIND... To track public applications on employee devices through the Device Details and Device Control Panel, ensure that the Admin Console Privacy Settings (specified in Configuration System Settings Device General Privacy) allow for the collection and display of application data. Some applications may have specific device prerequisites (e.g., icloud settings) in order to be fully functional. Investigate application requirements before pushing applications to end- users. Either enable the appropriate settings for end- users, or inform end- users of any settings requirements. Use the SDK for maximum security and functionality in building secure internal business applications. When deploying multiple versions of the same internal application, retire previous versions of the application after the old versions are no longer needed for testing or backup purposes (see Application Version Management). When creating advanced deployment settings for applications (such as Push Mode) ensure that the end- user's device supports the specified deployment setting. 53