Dell Management Console Administrator s Guide Version R10 CCM

Dell Management Console Administrator s Guide Version R10 CCM

Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. 2015-12 Rev. A00

Contents 1 Introduction...6 Thin Client Requirements... 6 Windows Embedded System Requirements...7 Linux Requirements...8 Mobile Requirements... 8 Android Requirements...8 ios Requirements...9 Mobile Workspace Requirements...9 Dell Wyse Cloud Connect Requirements...9 On Premises Gateway Requirements...9 IoT Gateway Device Requirements... 10 2 About This Guide...12 Technical Support...12 3 Brief Overview of the Management console... 13 Logging In... 13 Changing Your Password...14 Logging Out...14 Functional Areas of the Management Console...14 4 Registering Devices to CCM... 16 Registering Thin client Devices to CCM...16 Registering WES Devices to CCM... 17 Registering Linux Devices to CCM...17 Registering Mobile Devices to CCM... 17 Registering IoT Gateway devices to CCM...18 Discovering the IoT Gateway device on the local network and installing through webdm...18 Installing from Dell Canonical store... 18 Registering IoT Gateway devices to CCM using USB key...19 Registering IoT Gateway devices to CCM through auto discovery (DHCP)... 19 5 CCM Dashboard Overview...20 6 Groups... 21 Alerts... 21 Group Tree Hierarchy...21 Adding a Group...21 3

Editing a Group...23 Removing a Group... 23 Routine Group Tasks...23 7 Managing Group Policies... 26 Mobile Policy Settings...28 Details: IOS Policy Settings... 28 Details: Android Policy Settings...38 Details: Windows Phone Settings...48 Details: Windows 10 Policy Settings...53 Thin Client Policy Settings... 56 Windows Embedded System Policy Settings... 56 Linux Policy Settings...70 WTOS Policy Settings...83 Cloud Connect Policy Settings...92 IoT Gateway Policy Settings... 92 System Personalization... 93 Login Experience...93 Security... 93 Location...93 Other Settings... 94 BYOD Policy Settings...94 Details: Workspace Policy Settings...94 8 Managing Users...97 Adding a User... 98 Inviting a User...99 Viewing and Managing User Details...99 Activating a User... 100 Deactivating a User...100 Deleting a User...100 9 Managing Devices... 102 Adding Devices...103 Viewing and Managing Device Details... 103 10 Apps & Data... 107 Managing Mobile/IoT Gateway Inventory...108 Managing Thin Client Inventory... 109 Managing Mobile/IoT Gateway Policies... 110 Managing Thin Client Policies...110 Managing WES Inventory...111 4

Managing WTOS Inventory...111 Managing WES Image Policies...111 Managing File Repository... 112 Routine File Repository Inventory Tasks...112 Adding or Editing Files to the File Repository Inventory... 112 11 Managing Rules... 114 Adding a Rule...114 12 Managing Jobs... 116 Scheduling a job... 116 13 Events... 117 Displaying a Summary of Events... 117 Displaying an Audit of Events...118 14 Portal Administration...119 Configuring Console Settings... 119 Managing Administrators...119 Generating an APNs Certificate (ios Only)...121 Uploading Windows AET...122 Apple Device Enrollment Program (DEP)... 122 Viewing and Managing Your Apple VPP Subscriptions...124 On Premises Services... 125 Thin Clients...128 IoT Gateway Registration...128 Two-Factor Authentication... 129 Other Settings...129 Configuring Account Settings... 130 Viewing and Managing Your Management Console License Subscriptions...130 Custom Branding...131 5

Introduction 1 The Dell Management Console provides IT administrators a tool which helps to manage and enable corporate access securely to a wide range of solutions and devices including thin clients, zero clients, cloud devices, workspace applications, smart phones, and tablets. It provides visibility to the managed devices, the details of the employees who has used them, the details of the IT assets which have been accessed, and so on. The management console is accessible from any location through standard web browsers over the internet. This guide provides instructions for the management console including Dell Enterprise Mobility Management and Dell Wyse Cloud Client Management solutions. For product and solution details, technical specifications and support, see the following links: Dell Enterprise Mobility Management Solution: www.dellmobilitymanager.com Dell Wyse Cloud Client Management Solution: www.cloudclientmanager.com For device requirements details, see the following sections given here: Thin Client Requirements Windows Embedded System Requirements Linux Requirements Mobile Requirements ios Requirements Android Requirements Mobile Workspace Requirements Dell Wyse Cloud Connect Requirements IoT Gateway Requirements On Premises Gateway Requirements Thin Client Requirements Use of the latest INI parameters, found in the latest client documentation, requires the recommended firmware builds below. Thin Client Device Requirements: 6

5212 (Dell Wyse Thin Client All-in-One, Series 5000 Hardware Platform) running firmware ThinOS 8.0_307 or later versions. C00X (Xenith) running firmware 2.0_021 or later versions. R00LX (Xenith Pro) running firmware 2.0_021 or later versions. 3000-T00X (Xenith 2) running firmware 2.0_021 or later versions. 3002-T00DX (Xenith 3) running firmware 2.0_305 or later versions. 5000-D00DX (Xenith Pro 2) running firmware 2.0_104 or later versions. C10LE running firmware ThinOS 8.0_037 or later versions. R10L running firmware ThinOS 8.0_037 or later versions. T10 running firmware ThinOS 8.0_037 or later versions. T10D running firmware ThinOS 8.0_210 or later versions. D10D running firmware ThinOS 8.0_037 or later versions. D10DP running firmware ThinOS 8.0_117 or later versions. Z10D running firmware ThinOS 8.0_037 or later versions. NOTE: To update 5212 devices, configure to use firmware for D10D/Z10D (ZD10_wnos) on the Firmware Upgrade page in the group policy settings, see Details: Thin Client Policy Settings. We recommend firmware 2.0_305 or later versions for C00X, R00LX, 3000-T00X, 5000- D00DX; firmware 8.0_210 or later versions for C10LE, R10L, T10; firmware 8.0_306 or later versions for T10D; and firmware 8.0_307 or later versions for D10D, D10DP, Z10D. For supported thin clients running earlier versions, a firmware update is required to enable management console connectivity. Updates can be downloaded from the Self-Service Center, see www.dell.com/wyse/support. Important: You must use your ThinOS Maintenance to obtain any available firmware update. You must have received an e-mail from Dell or from your reseller with full instructions. If you did not receive this e- mail, contact your reseller. If you are unfamiliar with updating firmware on your ThinOS cloud client, refer to Knowledge Base Solution #10566 (go to www.dell.com/wyse/knowledgebase and search for 10566). Connectivity Requirements: TCP port 443 (outbound) to https://us1.cloudclientmanager.com TCP port 1883 (outbound) to us1-pns.cloudclientmanager.com Windows Embedded System Requirements OS Version Requirements: WES7 FR3 (830,846) WES7 FR4 (855) WES7 FR5 (858) WES7 FR6 (869) Connectivity requirements: 7

TCP port 443 to https://us1.cloudclientmanager.com TCP port 1883 to us1-pns.cloudclientmanager.com Device Requirements: Z90D7 Z90Q7 D90D7 D90Q7 3290-C90D7 Other Support: Valid CCM server MQTT server Group token Linux Requirements OS Version Requirements: SLETC11 SP2/SP3 MR6(11.x.092) Device Requirements: X50M D50D Z50D D50Q Z50Q Other Support: Valid CCM Server MQTT Server Group Token Mobile Requirements This includes the requirements for ios and Android Devices: Android Requirements Mobile Device Requirements: Devices running Android Version 2.3 and later versions. Connectivity Requirements: TCP port 443 (outbound) to https://us1.cloudclientmanager.com 8

TCP port 1883 (outbound) to us1-pns.cloudclientmanager.com ios Requirements Mobile Device Requirements: iphone, ipad, and ipod Touch running ios Version 5.x and later versions. NOTE: Dell Mobile Management Agent requires ios Version 6.x and later versions. Connectivity Requirements: TCP port 443 (outbound) to https://us1.cloudclientmanager.com TCP port 80 (outbound) to https://us1.cloudclientmanager.com TCP port 8443 (outbound) to https://us1-mdm.cloudclientmanager.com TCP port 5223 (outbound) for Apple Push Notification Service (APNS) MDM Requirements: A Mobile Device Management (MDM) Apple Push Notification Service (APNs) certificate is required for ios device management - this process requires an Apple ID. As the Apple ID account is linked to the APNs certificate, which must be renewed annually, a corporate Apple ID account must be used instead of a personal one. Mobile Workspace Requirements Mobile Device Requirements: Most popular Android devices running Android Version 4.0 and later versions. iphone, ipad, and ipod Touch running ios Version 7.0 and later versions. Other Support: Exchange Server 2010 and later versions. Dell Wyse Cloud Connect Requirements Dell Wyse Cloud Connect devices require a valid management console user account configured as part of the device activation process. Cloud Device Requirements: Devices running Android Version 4.1 and later versions. Connectivity Requirements: TCP port 443 outbound to https://us1.cloudclientmanager.com. TCP port 1883 outbound to https://us1-pns.cloudclientmanager.com. On Premises Gateway Requirements Device Requirements: 9

Windows machine running Windows 2008 R2 and 2012 R2 Minimum CPU requirements: 1 GHz (x86 processor) or 1.4 GHz (x64 processor) Minimum available RAM: 1 GB Minimum Disk Space available for installation and maintaining service operation: 2 GB Connectivity Requirements: TCP port 443 (outbound) to https://us1.cloudclientmanager.com TCP port 1883 (outbound) to us1-pns.cloudclientmanager.com NOTE: The On Premises Gateway must be installed on a server within the DMZ externally accessible, and the fully qualified domain name (FQDN) of the server must be registered in public DNS. IoT Gateway Device Requirements Device requirements: Dell Edge Gateway 5000 The Dell Edge Gateway 5000 is configured and managed through Dell CCM (Cloud Client Manager). Software components requirements: The following software components are required for the IoT Gateway management: Dell Command Monitor for Internet of Things (DCM) Background service, no direct user interaction Supplies various device attribute information to CCM Agent The following are the attributes received from Dell Command Monitor for IoT: * BIOS version * Serial Number * Asset Tag * Device Owner * Manufacturer * Model * Device name/host name * CPU manufacturer * CPU speed * CPU description * Memory size * Location * Health * Primary Status 10

NOTE: All the above attributes will be displayed in the CCM Admin Console. CCM WDA Agent Provides management functions on device. Configuration, control and interaction from CCM Admin Console. 11

About This Guide 2 This guide is intended for administrators. It provides instructions for the management console including the Dell Enterprise Mobility Management and Dell Wyse Cloud Client Management solutions. Finding the Required Information from this Guide You can use either the Search option or the Find toolbar to locate a word, series of words, or a partial word in an active PDF document. To learn how to use these features in detail, refer to the Help option in your PDF reader. Technical Support To access Dell Wyse Cloud Client Management technical resources (self-service portal, knowledge base, software downloads, registration, warranty extensions/rmas, reference manuals, and so on), see http:// www.dell.com/wyse/support. For more information, you can call Customer Support at 1.800.800.9973 (toll free in U.S. and Canada). Hours of operation are from 6:00 A.M. to 5:00 P.M. Pacific Time, Monday through Friday. To access Dell Enterprise Mobility Management technical resources (create a Service Request), see https://support.software.dell.com/create-service-request. NOTE: You need to register with Dell Support to place a service request. Check out the Getting Started section of Dell Software Support at https://support.software.dell.com/essentials/gettingstarted, if you are new to the Dell Software Support. For more information, you can call Technical Support at 1.800.306.9329 (toll free in U.S. and Canada) or 949.754.8000 or 949.754.8080. Hours of operation are from 5:00 A.M. to 5:00 P.M. Pacific Standard Time, Monday through Friday. 12

Brief Overview of the Management console 3 This section provides you the important information on the general features to help you quickly get started as an administrator. Topics include: Logging In This topic provides the basic steps to log in to the management console. Changing Your Password This topic provides the basic steps to change the logon password to the management console. Logging Out This topic provides the basic steps to log off from the management console. Functional Areas of the Management Console This topic gives a brief overview of the functional areas within the management console. Logging In To log in to the management console, ensure that you are using your correct User Name and Password. NOTE: It is recommended that you change your password after logging in for the first time. See "Changing Your Password". NOTE: Use the Forgot Password link to reset a forgotten password. To log in to the management console: 1. Use a supported Web browser on any machine with access to the Internet to log in to the management console. 2. Enter your Username and Password. 3. Click Sign In. NOTE: Defaults are provided to you by your Account Representative. The Dashboard page with important summary of the information for each functional area of the system is displayed. 13

Changing Your Password To change the login password of your account in the management console: 1. Click the Account Link at the upper-right corner of the management console (for example, DellAdmin@Delllab.com), and then click Change Password. 2. Enter your Current Password. 3. Enter a New Password. 4. Enter your new password in the Confirm New Password box. 5. Click Change Password. Logging Out To log out from the management console: Click the Account Link at the upper-right corner of the management console (for example, DellAdmin@Delllab.com), and then click Sign out. Functional Areas of the Management Console The Dell management console has the following functional areas: Dashboard Allows you to quickly view important summary of the information for each functional area of the system. Groups Allows you to view and manage Policy Groups. Users Allows you to view and manage Users and their group membership. Devices Allows you to view and manage Devices, Device Types, and Configuration Apps & Data Allows you to view and manage device Application Inventory and Policies, and File Repository Inventory which lists the different thin client firmware and certificate files. Rules Allows you to add, edit, enable or disable rules. Jobs Allows you to schedule, edit or cancel any jobs. This displays the list of jobs which you have already scheduled. Events Allows you to view and audit system events and alerts. Portal Admin Allows administrators to perform system administration tasks such as manage Administrators, APNs, Active Directory Connector operations, Subscriptions, and other Self-Service settings/agreements out of the system. You can configure on premises services and enable the twofactor authentication here. For more information, see Managing Administrators and Viewers of the Management Console. Each functional area has a set of automated tools that helps you to perform your administrator duties and daily activities. The management console tracks the status of each of the functional areas that are necessary to successfully maintain your environment. NOTE: The management console supports Microsoft Internet Explorer (IE) 8, Google Chrome 20, and Firefox 10; or their later versions. 14

Account Link - Name of your account - this link is always available in the upper-right corner of the management console and it allows you to: Switch to Mobile User View to quickly see mobile user information. Get documentation Help. Change Password. Sign out of the system. Quick Links - (Highlighted in blue throughout the system pages) Allows you to quickly go to the content of that link to view and manage those details. For example, a user name link brings you to the User Details page; a device name link brings you to the Device Details page and so on. 15

Registering Devices to CCM 4 This section describes the procedure to be followed for registering the devices to CCM. The devices can be thin client or mobile devices. It also provides the information about the prerequisites to be considered before registration. Topics include: Registering Thin Client Devices to CCM Registering WES Devices to CCM Registering Linux Devices to CCM Registering Mobile Devices to CCM Registering IoT Gateway Devices to CCM Registering Thin client Devices to CCM Creating a group is a prerequisite for registering the thin client device to the CCM. For more information on how to create a group see Adding a Group. 1. On your supported thin client, open the Central Configuration dialog box. For example, System Settings icon on the Zero Toolbar >Central Configuration, see your client documentation for details on your client/ software build. 2. Ensure that the Enable Cloud Client Manager (CCM) check box is selected, and enter the Group Registration Key as configured for the desired group. 3. Click OK, and then follow the on-screen instructions. 4. When prompted, log in with corporate credentials in order to complete the registration process. NOTE: To verify your entry is correct, you can use the Validate Key. If you see a success message, click OK to restart the device and finish the registration process. If you see a failure message, double check the Group Registration Key you entered and verify you have network connectivity defined in the prerequisites section, see Thin Client Requirements. 5. To verify wether connectivity is OK for Real-Time Commands, go to Devices page of the management console, click the Name link to open the Device Details page for your thin client (see previous step), click Restart. NOTE: Thin client basic connectivity is complete. At this point you have successfully registered and configured your thin client. You can now send real-time commands to the thin clients. You can continue by configuring policies and configurations either at the Group level, see Managing Group Policies or by creating a device specific exception, see Managing Devices. 16

Registering WES Devices to CCM Creating a group is a prerequisite for registering the thin client device to the CCM. For more information on how to create a group see Adding Group. 1. Launch the Wyse Device Agent (WDA). In the Wyse Device Agent window, enter the device registration details. 2. Select CCM from the Management Server drop-down list. 3. Provide the server address and the port number in the respective fields. 4. Provide the MQTT server address and the port number. 5. Provide the group token information. 6. Click the Register button. After the registration is completed, you can view the message as Registered to CCM. Registering Linux Devices to CCM Creating a group is a prerequisite for registering the thin client device to the CCM. For more information on how to create a group see Adding Groups. 1. Launch the Wyse Device Agent (WDA). In the Wyse Device Agent window, enter the device registration details. 2. On the CCM tab, provide the CCM server address in the respective field. 3. Provide the MQTT server address. 4. Provide the group token information. 5. Click the Register button. After the registration is completed, you can view the registration status also. Registering Mobile Devices to CCM For registering mobile devices to the CCM, you have to add users first. For more information about adding users, see Adding a User. NOTE: For (ios devices) generate APNs Certificate, see Generating an APNs Certificate To register (ios or Android devices) with single sign-on credentials: 1. After users have been added to the system, they can register their device. Email invitations can be sent to users providing the instructions to register their device. On the Users page of the management console, select the check box next to the name of the User you want, and then click Invite Users to open and use the Invite Users Email wizard to send Users information about how to register their devices. 2. A set of different template email messages are pre-configured according to your needs. For details, see Inviting Users to Register Devices. NOTE: If corporate email is not configured on the user s device, they can follow the steps described in the email to enroll the device. The email includes the URL address the user needs to navigate to using Safari on the ios device, their login credentials, and the instructions to click the Register ios Device to initiate the registration process from the device. 17

NOTE: Users can also use the Dell Mobile Management Agent for ios downloadable from the Apple App Store to register the device. Registering IoT Gateway devices to CCM Before registering the IoT Gateway devices to CCM, you must discover the devices and install the CCM agent on it. However, you are required to install the Dell Command Monitor for IoT agent before installing the CCM agent. For information about discovering an IoT Gateway device, see Discovering an IoT Gateway device on the local network and installing through webdm. For information about installation of Dell Command Monitor for IoT agent/ Cloud Client Manager (CCM) agent from Dell Canonical store, see Installing from Dell Canonical store. For information about Dell Command Monitor for IoT attributes, see IoT Gateway Requirements. You can register IoT Gateway devices to CCM in any of the following ways: Registering IoT Gateway devices to CCM using USB key. Registering IoT Gateway devices to CCM through auto discovery (DHCP). Discovering the IoT Gateway device on the local network and installing through webdm The IoT Gateway device is pre-installed with webdm. The device includes a service named Avahi that enables easy discovery of the IoT Gateway device on the local network. The hostname of the device is displayed as webdm.local on the local network. Use this following guidelines: There must be a single powered-on Gateway on the LAN subnet. The LAN must be capable of supporting mdns. If not supported, you must install Apple s Bonjour on the PC/Laptop on that particular subnet. Get the IP Address of the Gateway device using a PC/Laptop on the same subnet as the Gateway: $ ping webdm.local. If there is only one Dell Edge Gateway device in the network, then open a browser, and then type URL as webdm.local:4200/store. You can install the CCM WDA and Dell Command Monitor for IoT agent from the web page. Installing from Dell Canonical store You must have a monitor, keyboard, and mouse device connected to the IoT Gateway device. 1. Log in to the IoT Gateway device. The default username is ubuntu, and password is ubuntu. 2. Install the Dell Command Monitor for IoT agent from the store, using the following command: $ sudo snappy install dcm.dell-esg 3. Install the CCM Agent for IoT Gateway device from store, using the following command: $ sudo snappy install ccm-wda.dell 18

Important: Make sure to install Dell Command Monitor for IoT agent before installing the CCM agent. NOTE: snappy search It lists all the available applications in the Snappy store. snappy list It lists all the application installed on the IoT Gateway device. Registering IoT Gateway devices to CCM using USB key 1. Plug in a USB drive into a PC or laptop with which you are logged in to CCM. 2. Create a root-level folder named Config on the USB drive. NOTE: Ensure that the USB drive is FAT formatted. 3. Create another folder named ccm-wda within the Config folder. 4. Go to Portal Admin page, and click IoT Registration under Console Settings section. 5. Click the bootstrap link to download the Bootstrap file for the group to which you want to register the IoT Gateway device. NOTE: If you have multiple groups, select the group to which you want to register the IoT Gateway device. 6. Rename the file to reg.json and place the file inside the ccm-wda folder on the USB drive. NOTE: Ensure the file is named reg.json (case-sensitive), otherwise registration will fail. 7. Eject the USB device and plug in the USB drive into the IoT Gateway device. 8. Restart the IoT Gateway device. Registering IoT Gateway devices to CCM through auto discovery (DHCP) 1. Configure the DHCP server with following option tags: 165 CCM server us1.cloudclientmanager.com 166 MQTT server us1-pns.cloudclientmanger.com:1883 199 Group token key for e.g. demodemodemo 2. Connect the VLAN ethernet cable to the Gateway device, and restart the device. 19

CCM Dashboard Overview 5 The Dashboard page allows you to quickly view important status information about the system and recent events that have been performed within the system. By clicking a link in the Alerts area, you can view details about that item. Links on the Dashboard page include: Alerts This displays the summary of all the alerts. These allow you to quickly go to functional areas of the system that require your attention. It mainly includes the details of : Devices Not Checked In Device Compliance App Compliance Upcoming Remediations Other Alerts Events NOTE: By clicking View All Alerts, you can see the list of all the alerts in detail. This displays the summary of events happened in the last few days. And it also displays the date at which the event had occurred. NOTE: By clicking View All Events, you can see the list of all the events in detail. Users This displays the summary of the details of the users. And it includes the information about: No of Compliant users No of Pending users No of Non-Compliant users Here, you can also view the details of the no of users got registered in to CCM in the last 30 days. Devices This displays the summary of the details of the devices. And it includes the information about how many Compliant, Pending, Non-Compliant devices got added to the CCM. 20

Groups 6 This section describes how to perform routine Policy Group management tasks in the Group management console. The management console allows administrators the flexibility to employ hierarchical Group Policy management. Optionally, sub-groups of the Global Group Policy can be created to segment Users according to corporate standards. For example job functions, device type, bring-your-own-device, and so on. Alerts In the Groups page, below the Alerts section, you can upload the following certificates: Upload an APNS certificate for ios device management. Upload an AET for Windows Application management Enable Exchange Active Sync Management and On Premises for ActiveSync management. Group Tree Hierarchy Group Tree Hierarchy consist of the following options: Add Group Edit Group Remove Group Edit Policies This page displays the defined group policies details also. Adding a Group As an administrator you can add a Group. After a Group is added, you can then add members that is Users. NOTE: Adding multi-level groups is possible under group tree hierarchy. You are allowed to add main groups and sub group level up to 10. To add a group, complete the following steps: 1. In the Groups page, click + icon under the Group Tree Hierarchy. 2. In the Add New Groups dialog box, enter the group information such as Group Name and. 21

Important: You cannot locally change the name and description of a group that has been imported from Active Directory as part of a Manual AD Sync import option (see Active Directory Connector: Importing Existing Active Directory Users into the System. You must use Active Directory to change the name and description of a group, and then synch. 3. On the Registration tab, enter the registration information such as ios, Android and Thin Clients details. ios & Android- You can select any of the following option to generate the passsword. Generate random password per user Create default group password :- if you have enabled this option, you can select the check box if you want to show password. Thin Clients- Select the check box to enable the Thin clients registration. NOTE: Devices can be registered to a group by entering the Group Token found on the device registration screen. 4. In the MDM Permissions tab, enable the permissions you want to allow Administrators to use for client device management from the management console, after a client device is registered by a user. 5. The Administrator permissions allow you to remotely: Query - Query installed configuration profiles, provisioning profiles, installed applications, device restrictions, and security settings. Add/Remove Configuration Profile - Install and remove policy configuration profiles. Add/Remove Provisioning Profile - Install and remove provisioning profiles. Add/Remove Applications - Install and remove device applications. Lock device & Clear Passcode - helps to lock the device and clear the configured device passcode. Remote Wipe - Wipe the device, erasing all data and applications. This sets the device to factory defaults, it is not recommended for employee-owned devices. Managed Settings- This MDM permission allows the management of the following settings: Voice Roaming Personal Hotspot Wallpaper Data Roaming Application Attributes Device Name Language Locale Organization Info MDM Options 6. On the Administration tab, you can select the name of group admin(s), who should manage this group. From the Available Group Admins, select the particular group and click the right arrow to move it to the Assigned Group Admins. To move one group from the Assigned Group Admins to Available Group Admins, do vice versa. 7. Click Save. The Group is added to the list of available Groups on the Groups page. 22

Editing a Group After a Group is added, you can edit it by using the Edit Group option. To edit a group, complete the following steps: 1. In the Groups page, click Edit Group option under the Group Tree Hierarchy. 2. In the Edit Groups dialog box, edit the group information such as Group Name and. You can edit the following information by clicking the appropriate tabs: Registration MDM Permissions Administration 3. Click Save to make the changes. Removing a Group As an administrator you can remove a group from the group hierarchy. To remove a group complete the following steps: 1. In the Groups page, click Remove Group icon under the Group Tree Hierarchy. A warning message is displayed saying this action removes the group(s) from the group tree hierarchy. NOTE: All devices include in the removing group gets moved to the selected target group. 2. Click Remove Group. Routine Group Tasks Table 31 Provides a quick overview of what you can do using the Devices page. Tasks You Can Do How Details Add a Device to the system. View and manage Device details. Devices are added/registered into the management system by the user using the credentials you provided to them on the Registration tab when you added the user into the system. Click a Name link in the Devices page to open and use the Device Details page. See "Adding Devices" and "Adding/Editing Users." NOTE: You can also click the How to Add a Device link to display the help window containing an overview of how to add devices. See "Viewing and Managing Device Details." 23

24 Important: You can also use the Devices page to select the check box next to the names of the Devices you want to manage, click a command button (for example Query), and then confirm. Note however, that only supported commands are performed on a device. Thus, if you select different types of devices (for example, ios devices and thin clients), the unsupported command button will not be available for use on your selections (for example, Restart is supported with thin clients and not supported with ios devices, and therefore, will not be available for use on your mixed selections). NOTE: You can also use the More Actions drop down list to perform management tasks supported on the selected devices. NOTE: The Device Details page allows you to: Query - Send a command to the device to update its information in the system. Clear Passcode - (ios and Android Only) Removes the local passcode on the device (useful for forgotten passcodes). Lock - Locks the device screen (and requires a device passcode to unlock it when a passcode is configured). Restart - (Thin Client Only) Reboot the thin client. Shutdown - (Thin Client Only) Shuts down the thin client. Unregister - Remove the Device from system policies and management. Tip: Recommended to remove users from the system as it does a clearing of only corporate assigned data from employee-owned devices. Delete Device - Deletes the Device from system. Only a device that is not currently registered (does not have a Registered status) can be deleted from the system. A device must be unregistered/deactivated prior to deleting. Wipe - Removes all data and applications from the Device (sets the device to factory defaults not recommended for employee-owned devices). Send Message - Sends a message (128 characters or less) to the device. Change Group (TC) - (Thin Client Only) Change the Group to which the thin client belongs.

View and manage Device details (continued). Republish All (Android) - (Android Only) Republishes all policies applied to selected Android devices. Republish (ios) - (ios Only) Republishes the following policies applied to selected ios devices: Passcode & Restrictions Exchange ActiveSync & Email Wi-Fi Web Clips All Policies Check Update (Cloud Connect) - (Cloud Connect Only) Use this action to remotely request the device to verify if a system update is available. Export Devices to CSV - Use this action to generate a CSV with a list of the asset information for all the devices currently filtered on screen. Summary tab - View and manage information on the Notes, Group Assignment, Alerts, and Device Configuration. System Info tab - View available system information on the device (for example, Terminal Name, Serial Number, IP Address, Hardware and Software information, Installed Certificates, and so on. Events tab - View and manage information on the system events pertaining to a Device (creation, device registration, and various tasks performed by the system and the Device). Installed Apps tab - (Cloud Connect, ios, and Android Only) View information on the programs and Apps installed on the device (versions, App Policies, and so on}. 25

Managing Group Policies 7 Policies are assigned to wide range of organizations on a per-group basis, on a per-user basis, or on a per-device basis. Policies are managed at different levels. Policies are modified on multiple levels and the information will automatically be consolidated into one policy for each User or Device. ios and Android policies can be configured at Global, per Group, per User, and per Device levels. For multi-level groups, you can find the following group policies: Mobile ios Android Windows Phone Windows 10 Thin Client IoT WTOS WES Linux Cloud Connect IoT Gateway Dell Workspace Mobile Workspace Policies are enforced in the following order: Device User Group Global 1. The general guidelines to be followed: a. Device Level Exceptions To configure a Device level policy:. 1. In the Devices page, double-click on the name of the device which you want to configure. 2. Device Details page is opened. Click on the Summary tab. 3. In the Device Configuration section, click Create/Edit Exceptions and select the type of the device for which you want to manage the exceptions. b. User Level Exceptions To configure a User level policy: 1. In the Users page, double-click on the name of the User which you want to configure. 26

2. User Details page is opened. Click on the Summary tab. 3. In the User Configuration section, click Create/Edit Exceptions and select the type of the device for which you want to manage the exceptions NOTE: User Level Exceptions are not applicable for Linux. c. Group Level Policies To configure Group Level Policies: 1. In the Groups page, click the Edit Policies drop-down at the right pane of the following group except Default Policy Group which you want to configure. 2. Select the device which you want to configure from the drop-down menu. 3. The policy settings of respective devices are displayed on the left hand side. 4. Click on any one of the settings and click Configure this item. 5. After configuring, click Save and Publish. You can configure multi-level group polices by using the above mentioned steps. d. Global Level Policies To configure Global Level Policies: 1. In the Groups page, click the Edit Policies drop-down at the right pane of the Default Policy Group. 2. Select the device which you want to configure from the drop-down menu. 3. The policy settings of respective devices are displayed on the left hand side. 4. Click on any one of the settings and click Configure this item. 5. After configuring, click Save and Publish. 2. Policies are inherited in the order they are created. Any settings you configure in a Default Policy Group will be the default in all the policies below that Default Policy Group. Similarly for a Group, all Users and Devices in that Group will have Default Policy Group as their default. 3. You can create an exception for a User or Device in a Group to have a subset of policies to be different from the Group default. You can do this using the User Details page or the Device Details page. These detail pages display the configuration for that asset with details of where configurations are set that is Global, Group, User, and Device levels and allows you the option to create exceptions. 4. When modifying lower-level policies, any policy that is an override to a higher-level policy will be indicated by a bullet symbol to the left of the policy type. For example Passcode, Restrictions, Wi-Fi, and so on. 5. While modifying policies, an asterisk (*) will be placed to the right of the policy types to indicate that there are unsaved or unpublished changes. To review these changes prior to publishing them, click on the View pending changes link at the right of the panel. 6. After changing the Policy Settings, ensure you click Save and Publish option. If a policy configuration has to be prioritized between the different levels the lowest-level policy takes precedence. For example, a Passcode policy is applied at the User and the Passcode policy has different complexities at the Group level. The User level the more detailed level will take precedence over the Group level. After configuring the Policy Settings, the thin-client and mobile devices are notified about the changes in Settings. The changes will take effect immediately in the mobile devices whereas the thin-client devices require a reboot. many thin-client settings force a reboot immediately for the changes to take effect. 27

Mobile Policy Settings This section describes the steps for policy settings for different thin clients. Topics include: ios Policy Settings Android Policy Settings Windows Phone Settings Windows 10 Policy Settings Details: IOS Policy Settings To edit the ios Policy settings of a Group or the Default Policy Group, go to Edit Policies ios Configure this item. After configuring the settings, click Save and Publish NOTE: An ios device can now be configured to be "Supervised, providing enhanced management policies for ios devices. ios devices using ios 5 and later can be designated as supervised when they are enrolled in the Device Enrollment Program (in DEP profile, there is an option to set a device as supervised by default). You can configure a device to be supervised using the Apple Configurator. When a supervised device checks in CCM, it will be tagged as supervised and enhanced policies can be pushed to that device. These policies are Global HTTP Proxy, App Lock Payload (Kiosk mode), Web Content Filtering, Calendar, Contacts, Wallpaper and some restrictions. ios Policy settings include the folowing: Passcode- Use this page to configure Android device passcodes and locking settings. Restrictions- Use this page to configure ios device restrictions such as icloud, applications, Safari options, device functionality, camera use, security and privacy, content ratings, and allowed content ratings. Restrictions (Supervised)- Use this page to configure restriction settings for supervised ios devices. Wi-Fi- Use this page to configure ios device WiFi settings such as functionality, proxy, and security. VPN- Use this page to configure ios VPN settings such as name, server, account, type, and proxy. Email -Use this page to configure ios device Email settings for IMAP or POP email access such as account, incoming mail, and outgoing mail. Exchange ActiveSync- Use this page to configure ios device Exchange server settings such as account, synchronization, and device functionality. Web Clips- Use this page to configure ios device Web Clips settings such as displayed URL information, icons, and Web display functionality. Calendar- Use this page to configure calender settings such as account description, account hostname, account port and principal URL. Contacts- Use this page to configure contacts settings such as account description, account hostname, account port and principal URL. Credentials- Use this page to upload certificates for ios device credential use such as validation and authentication. 28

PocketCloud RDP -Use this page to configure ios device PocketCloud RDP settings such as host address, credentials, display, and device functionality. This setting is only for Dell Management Console Pro Version. AirPlay Devices- Use this page to configure ios device AirPlay settings such as destination device name and password. AirPrint Printers- Use this page to configure ios device AirPrint settings such as printer IP Address and path. Fonts- Use this page to configure ios device font settings. Single Sign-On- Use this page to configure Single Sign-On settings for devices running on ios 7 and later versions. Advanced- Use this page to configure ios device settings to Allow Non-Encrypted Device. Global HTTP Proxy- Use this page to configure global HTTP proxy settings for supervised ios devices. App Lock Payload- Use this page to configure App Lock Payload settings in Kiosk mode. Web Content Filter (Supervised)- Use this page to configure Web Content Filter settings for supervised ios devices. Wallpaper (Supervised)- Use this page to configure wallpaper settings for supervised ios devices. Configuring ios Passcode The Passcode page enables you to configure Android device passcodes and locking settings. Click Passcode > Configure this item in the ios Settings page to configure the Passcode parameters. Configuring ios Passcode Table 1. ios Passcode Settings Setting Allow simple value Require alphanumeric value Minimum passcode length Minimum number of complex characters Maximum passcode age Auto-Lock Select this if you want a simple value for the passcode. You can use repeating, ascending, and descending character sequences. Select this if you want the passcode to have alphanumeric values. The passcode should contain at least one alphabet or one letter. Select the smallest number of passcode characters allowed. Select the smallest number of non-alphanumeric characters allowed. Select the number of days after which you must change the passcode. This is mandatory and you can enter a value between 0 and 730. Select the time period after which the device is automatically locked. You can enter values between 1 and 5 minutes for iphones and values of 2, 5, 10, or 15 minutes for ipads. 29

Passcode history Grace period for device lock Maximum number of failed attempts Enter the number of unique passcodes that you can have before you can begin reusing passcodes. Enter the time period for the device to be locked without prompting for a passcode to unlock. Select number of wrong passcode entry attempts after which the passcode is locked. Configuring ios Restrictions The Restrictions page enables you to configure ios device restrictions such icloud applications, Safari options, device functionality, camera use, security and privacy, content ratings, and allowed content ratings. Configuring ios Restrictions Table 2. ios Restrictions - icloud Settings Setting Allow backup Allow document sync Allow Photo Streaming Allow Shared Photo Stream Allow Keychain Sync Select this to allow the backup of the device contents on icloud. Select this to allow the document on icloud to sync with the device. Select this to save all the photos on the ios device on icloud. If you do not select this, it could cause loss of data. Select this to save all the photos on the ios device on icloud and allow it to be shared across all your ios devices. If you do not select this, then you cannot share the photos across all ios devices. This feature is applicable only to ios 7.0 and above. Select this to your store your account names, passwords, and even credit card numbers on icloud servers. The data is then synced between all authorized ios devices. Configuring ios Wi-Fi Settings Table 3. ios Wi-Fi Settings Setting Service Set Identifier Auto Join Specify the identification of the wireless network to which you want to connect to. This is mandatory Select this if you want the device to automatically connect to the target network specified. 30

Hidden Network Proxy Select this if the target network is not open or broadcasting Select the proxy setting for the Wi-fi connection you are creating. If you select Manual, then you need to specify the Server IP, Port, Username, and Password to connect to the proxy server. If you select Automatic, then you only need to specify the Proxy Server URL. Security Type Select the type of wireless encryption to use while connecting. Configuring ios Wi-Fi Settings Table 4. ios Wi-Fi Settings Setting Service Set Identifier Auto Join Hidden Network Proxy Specify the identification of the wireless network to which you want to connect to. This is mandatory Select this if you want the device to automatically connect to the target network specified. Select this if the target network is not open or broadcasting Select the proxy setting for the Wi-fi connection you are creating. If you select Manual, then you need to specify the Server IP, Port, Username, and Password to connect to the proxy server. If you select Automatic, then you only need to specify the Proxy Server URL. Security Type Select the type of wireless encryption to use while connecting. Configuring ios VPN Settings Table 5. VPN Settings Setting Connection Name Enter a unique name for the VPN connection. This is mandatory. 31

Server Account Connection Type Enter the domain name, or IP address, or the URL of the server. Enter the user account name for authenticating the connection. Select the Connection Type. You can select one of the following options: Cisco AnyConnect SonicWall Mobile Connect Cisco (IPSec) PPTP L2TP The parameters change according to the option you select and you need to specify the parameters as per the option you have selected. Proxy Configure the proxy to be used with the VPN connection. If you select Manual, then you need to specify the Server IP, Port, Username, and Password to connect to the proxy server. If you select Automatic, then you only need to specify the Proxy Server URL. Enable per-app VPN This is applicable only for ios 7 and above Select this to enable VPN connection for each App. Configuring ios Email Settings The Email page enables you to define settings to connect to your POP or IMAP email accounts. 1. To configure VPN parameters, go to Email Configure this item in the ios Settings page. 2. Incoming Mail Settings These parameters under this change as per the selection you have made in the Email Account Settings. 3. Outgoing Mail Settings These parameters under this change as per the selection you have made in the Email Account Settings. Configuring ios Email Settings Table 6. ios Email - Account Settings Setting Account Path Prefix This is applicable only when protocol type is IMAP. Enter the prefix for the account path 32

Dynamic User Info Select this if you want to use the mobile user s account information from the database to be populate the email account. The parameters in Incoming Mail and Outgoing Mail change if you select this. Allow Move Disable Mail Recents Syncing Select this if you want the user to move messages from this account. Select this if you want the account to be excluded from recent address syncing. Configuring ios Exchange ActiveSync Settings The Exchange ActiveSync Settings page enables you to define settings to actively sync with the Exchange Server. To configure the Exchange Active Sync parameters, go to Exchange ActiveSync Settings Configure this item in the ios Settings window. Configuring ios Exchange ActiveSync Settings Table 7. ios Exchange ActiveSync Settings Setting Account Name Exchange Active Sync Host Allow Move Use Only In Mail Use SSL Use S/MIME Domain Dynamin User Info Enter the account name to connect to the Exchange Server. This is mandatory. Enter the hostname of the Microsoft Exchange Server. Select this to enable the user to move messages from this account. Select this if you want to send outgoing mail from this account only from themail App Select this to send all communication through a secured socket layer. Select this to send outgoing mail using S/MIME encryption. Enter the domian for the account. Select this if you want to use the mobile user s account information from the database to be populate the email account. NOTE: If you select this option, then the Username@Domain option is displayed. 33