Introduction to the Secure Email Gateway (SEG)

Overview

The Secure Email Gateway (SEG) Proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to devices.

Note: The SEG Proxy model requires Exchange ActiveSync infrastructure (for example, Microsoft Exchange 2003/2007/2010/2013, Lotus Traveler and Novell GroupWise Data Synchronizer). Please consult your AirWatch representative for more information.

The AirWatch SEG Proxy server is configured to reside in front of your corporate email server. Based on the settings you define in the AirWatch Admin Console, the SEG Proxy server makes allow/block decisions for every mobile device it manages. The SEG Proxy server relays traffic from approved devices and protects the corporate email server by not allowing any devices to communicate with it directly. Instead, the SEG Proxy server filters all communication requests to the corporate email server.

The SEG provides one more layer of security by controlling how email attachments and hyperlinks can be viewed. Through the SEG, email attachments and hyperlinks are encrypted so that they can be opened only through Secure Content Locker, thus protecting sensitive information.

The SEG server is installed inline with corporate email traffic. It may be installed in a DMZ or behind a reverse proxy server (for example, an F5 server). The SEG server must be hosted in the customer data center, regardless of whether the AirWatch MDM server is in the cloud or on-premise.

In This Guide

Before You Begin - This section covers the basic requirements and other topics that help you get started with the solution.
Secure Email Gateway Configuration - This section explains the SEG setup that is supported by AirWatch.
Secure Email Gateway Implementation - This section details how to enable SEG in the AirWatch Admin Console.
Upgrading Secure Email Gateway - Explains how to upgrade SEG to the latest version.
Email Management through the SEG Proxy Integration - This section covers the features available in AirWatch to manage your device fleet effectively with this integration type.
Before You Begin

Overview

The Before You Begin topic provides the information that helps you with the initial setup, configuration, and understanding of the requirements essential for a smooth user experience.

In This Section

Requirements - Lists all the software, hardware, and network requirements.
Prerequisite - Mentions how to enable the API certificate.
Recommended Reading - This section provides helpful background and supporting information available from other AirWatch guides.

Requirements

For a complete listing of all requirements for installing SEG, refer to Prerequisites for SEG Connectivity.

Prerequisites

Enable the Simple Object Access Protocol (SOAP) Application Programming Interface (API) for the required organization group. To configure the SOAP API URL for your AirWatch environment, navigate to Groups & Settings > All Settings > System > Advanced. The AirWatch Admin Console gets the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format asxx.airwatchportals.com.

Recommended Reading

AirWatch Mobile Email Management Administration Guide - A comprehensive guide to AirWatch's mobile email management functionality.
AirWatch Mobile Device Management Guide - A comprehensive guide to AirWatch's device management functionality.
Prerequisites for SEG Connectivity

Status Checklist (each entry is listed as Requirement - Notes)

Hardware Requirements

VM or Physical Server -
   Without content transformation (attachment handling, hyperlinks security, tagging and so on): 1 CPU core (2 GB RAM) per 2,000 devices syncing email through the SEG server. Max 8 CPU cores per SEG.
   With content transformation (attachment handling, hyperlinks security, tagging and so on): 1 CPU core (2 GB RAM) per 1,000 devices syncing email through the SEG server. Max 8 CPU cores per SEG.
   Load-balanced SEG servers can be deployed with size requirements being cumulative.
   Note: Sizing estimates vary based on actual email and attachment usage. Add additional SEG servers as necessary. If you are implementing attachment and hyperlinks security, the number of CPU cores needed to support the same number of devices will vary depending on the number of devices. Please contact your AirWatch representative for more details.

General Requirements

Remote access to Windows Servers available to AirWatch and Administrator rights - Recommended to set up Remote Desktop Connection Manager for multiple server management; the installer can be downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101. See General Requirements.
Installation of Notepad++ (Recommended) - Installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.installer.exe
Ensure Exchange ActiveSync is enabled for a test account

Software Requirements

Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2
Install Role from Server Manager - IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2), IIS 8.5 (Server 2012 R2 only)
Install Role Services from Server Manager -
   Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
   Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
   Management Tools: IIS Management Console, IIS 6 Metabase Compatibility
   Note: Ensure WebDAV is not installed.
Install Features from Server Manager -
   .NET Framework 3.5.1 Features: Entire module (.NET Framework 3.5.1, WCF Activation)
   Message Queuing: Message Queuing Server
   Telnet Client
Install .NET Framework 4.0 - Download from http://www.microsoft.com/en-us/download/confirmation.aspx?id=17718. Note: The SEG Installer installs .NET 4.0 if it is not installed beforehand.
Externally registered DNS - See Server Requirements.
SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS - Ensure the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are natively trusted by Android).
IIS 443 Binding with the same SSL certificate - Validate that you can connect to the server over HTTPS (https://yourairwatchdomain.com). At this point, you should see the IIS splash page. See Server Requirements.

Network Requirements
Each entry lists the Source Component, Destination Component, Protocol, Port and Verification.

Source: Devices (from Internet and Wi-Fi). Destination: AirWatch SEG. Protocol: HTTPS. Port: 443.
   Verification: Telnet from Internet to SEG server on port

Source: SEG. Destination: AirWatch SOAP API (DS or CN server). Protocol: HTTP or HTTPS. Port: 80 or 443.
   Verification: Verify that the following URL is trusted from the browser on the SEG server: https://<api URL>/AirWatchServices/Internal/ActiveSyncIntegrationServiceEndpoint.svc

Source: SEG. Destination (OPTIONAL): Internal hostname or IP of all other SEG servers. Protocol: HTTP. Port: 8090.
   Verification: If you are using SEG Clustering (multiple load balanced SEG servers)

The following requirements apply based on the email configuration you are using:

Source: SEG. Destination: Exchange. Protocol: HTTP or HTTPS. Port: 80 or 443.
Source: SEG. Destination: Lotus Notes. Protocol: HTTP or HTTPS. Port: 80 or 443.
Source: SEG. Destination: Google. Protocol: HTTPS. Port: 443.
Source: SEG. Destination: Novell Groupwise. Protocol: HTTP or HTTPS. Port: 80 or 443.
   Verification: Verify that the following URL is trusted from the browser on the SEG server and gives a prompt for credentials:
   For Exchange: http(s)://exchange_activesync_fqdn/microsoft-server-activesync
   For Lotus Notes: http(s)://lotusnotestraveler_fqdn/servlet/traveler/microsoft-server-activesync
   For Google: https://m.google.com/microsoft-server-activesync
   For Groupwise (depending on version): http(s)://Groupwise_FQDN/EAS or http(s)://groupwise_fqdn/microsoft-server-activesync
   Once you enter the credentials, verify that a 501/505 HTTP page displays.

General Requirements

Remote Access to Servers

Ensure that you have remote access to the servers that AirWatch is installed on. Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to directly access the environment as well.

Server Requirements

External DNS Name

The two main components of AirWatch are the Device Services server and the Console server. In a single server deployment, these reside on the same server, and an external DNS entry needs to be registered for that server.
In a multi-server deployment, these are installed on separate servers, and only the device services component requires an external DNS name, while the console component can remain only internally available.

SSL Certificate

The externally available URL of the AirWatch server must be set up with a trusted SSL certificate. A wildcard or individual website certificate is required.

1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found here: http://support.apple.com/kb/ht5012
2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.
3. Once the certificate is uploaded on your server, you can use it to add a 443 binding to the Default Website in IIS. The bindings for a completed server look like the following. Your SSL certificate should appear in the drop-down menu of available certificates.
4. Validate that you can connect to the server over HTTPS (https://yourairwatchdomain.com). At this point you should see the IIS splash page.

Note: If SSL is used for admin console access, ensure FQDN is enabled or the host file is configured.
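The verification steps in the Network Requirements list and the HTTPS validation in step 4 above can be scripted so they are repeatable before and after installation. The following is an added example, not part of the AirWatch guide or product; it assumes Windows PowerShell on the SEG server, and every host name in it is a placeholder.

```powershell
# Added example: pre-install connectivity and certificate-trust check.
# Written for Windows PowerShell on the SEG server. All host names are placeholders.
$SegUrl   = 'https://seg.example.com/'   # SEG IIS site (placeholder)
$ApiUrl   = 'https://api.example.com/AirWatchServices/Internal/ActiveSyncIntegrationServiceEndpoint.svc'
$EasUrl   = 'https://mail.example.com/microsoft-server-activesync'   # Exchange form, placeholder host
$SegPeers = @()                          # other SEG nodes, only when SEG Clustering is used

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)     # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-EndpointResult {
    param([string]$Url)
    $result = New-Object PSObject -Property @{
        Url = $Url; Status = $null; CertTrusted = $null; Detail = ''
    }
    $isHttps = ([System.Uri]$Url).Scheme -eq 'https'
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Timeout = 10000
    $request.AllowAutoRedirect = $false
    try {
        $response = $request.GetResponse()
        $result.Status = [int]$response.StatusCode
        if ($isHttps) { $result.CertTrusted = $true }
        $response.Close()
    } catch {
        # Walk past PowerShell's wrapper exception to the WebException, if there is one.
        $ex = $_.Exception
        while ($ex -and ($ex -isnot [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex) {
            $result.Detail = $_.Exception.Message
        } elseif ($ex.Response) {
            # The server answered with an error status (401, 403, 501 ...),
            # so the TLS handshake and default certificate validation succeeded.
            $result.Status = [int]$ex.Response.StatusCode
            if ($isHttps) { $result.CertTrusted = $true }
        } elseif ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # Default .NET validation rejected the chain or the host name.
            # Fix the certificate rather than selecting an Ignore SSL Errors check box.
            $result.CertTrusted = $false
            $result.Detail = $ex.Message
        } else {
            $result.Detail = $ex.Message
        }
    }
    return $result
}

function New-CheckRow {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

$rows = @()

# SEG site: the IIS 443 binding must present a certificate that validates.
$seg = Get-EndpointResult $SegUrl
$rows += New-CheckRow 'SEG HTTPS certificate trusted' ($seg.CertTrusted -eq $true) $seg.Detail

# SEG -> SOAP API: the URL must be trusted from the SEG server.
$api = Get-EndpointResult $ApiUrl
$rows += New-CheckRow 'SOAP API endpoint trusted' ($api.CertTrusted -eq $true) $api.Detail

# SEG -> email server: an unauthenticated request should be challenged (HTTP 401),
# which is what a browser shows as the credential prompt.
$eas = Get-EndpointResult $EasUrl
$rows += New-CheckRow 'Email server prompts for credentials (401)' ($eas.Status -eq 401) "status=$($eas.Status) $($eas.Detail)"

# SEG -> other SEG nodes on port 8090 (clustering only).
foreach ($peer in $SegPeers) {
    $rows += New-CheckRow "Cluster peer $peer reachable on 8090" (Test-TcpPort $peer 8090) ''
}

$rows | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

The device-to-SEG entry has to be tested from outside the network; Test-TcpPort can be reused there in place of the Telnet client.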
SEG Architecture

Overview

This section outlines the architecture layout for setting up SEG with your email infrastructure.

In This Section

Recommended Setup - Explains the required setup and displays a schematic representation of this.
Supported Setup - Explains the required setup and displays a schematic representation of this.

Recommended Setup: Exchange ActiveSync SEG Configuration

This configuration uses a reverse proxy to direct mobile device users to the SEG Proxy while routing browser users directly to their webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.

Supported Setup: Exchange ActiveSync SEG Configuration

AirWatch also supports the following configuration, in which the SEG proxy routes all incoming traffic (including Outlook Web Access).

Note: In this setup, make sure to select the Proxy webmail traffic through gateway checkbox during the configuration step of the install wizard.
SEG Implementation

Overview

Once you understand the ways in which the SEG can be configured, you can choose the type that fits your organization's requirements. To implement the SEG proxy server on your chosen mail architecture, follow the steps below.

In This Section

Prerequisites - Explains the initial setup required to implement SEG.
Enabling SEG Proxy - Details the steps required to enable SEG from the AirWatch Admin Console.
Downloading Installer - Explains the steps required to download SEG.
Installing the SEG - Explains the steps associated with installing SEG.
Configuring SEG - Explains the steps associated with configuring SEG.
Deploying Email through SEG - Explains how emails are deployed to the devices via SEG.

Prerequisites

1. Enable the Simple Object Access Protocol (SOAP) Application Programming Interface (API) for the required organization group. To configure the SOAP API URL for your AirWatch environment, navigate to Groups & Settings > All Settings > System > Advanced. The AirWatch Admin Console gets the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format asxx.airwatchportals.com.
2. Create an Exchange ActiveSync profile with the Assignment Type set to Optional and the EAS hostname set to the SEG server URL.

Step 1: Enabling SEG Proxy on AirWatch Admin Console

1. Navigate to Email > Settings in the AirWatch Admin Console and click Configure. The Mobile Email Management Configuration wizard displays.
2. In the Mail Platform wizard form:
   Select the Email Server Type from the drop-down menu and choose a Deployment Type for your selected email architecture, and then click Next.
   Note: By default, the SEG proxy is deployed for Exchange 2003/2007 environments. For Exchange 2010/2013 or Office 365/BPOS environments, select the deployment type With SEG Proxy. If you wish to deploy the SEG Proxy server for Office 365, please contact your AirWatch representative for additional information.
3. In the MEM Deployment wizard form:
   Enter a friendly name for the SEG deployment. This name is displayed on the MEM dashboard screen for devices managed by SEG.
   Enter the URL for the SEG server in the Secure Email Gateway URL field. This URL provisions email policies to the SEG server.
   You may choose to enable the Ignore SSL Errors between SEG and AirWatch Server check box to ignore Secure Socket Layer (SSL) certificate errors between the AirWatch component and the SEG server.
   Note: AirWatch recommends that a valid SSL trust should always be established between AirWatch and the SEG server using valid certificates.
   (Recommended) Select the Use Basic Authentication check box and enter the Gateway Username and Gateway Password in order to authenticate and secure traffic (including policy updates sent to the SEG server) between AirWatch components and SEG. If disabled, anonymous authentication is used.
   Use the Test Connection option to confirm the validity of the server URL entered. If the test fails, a list of reasons displays to help you identify the cause of the connection failure. If this succeeds during the initial setup but other options fail, you can still proceed with the installation. Upon completing the installation, the Test Connection option may be used to verify connectivity across all components and features between AirWatch and the SEG server.
   Click Next.
4. In the MEM Profile Deployment form:
   This is highly recommended for new installs and upgrades.
   Select a device platform from the available list.
   Select an email client from the available list.
   Associate an existing profile of the above chosen platform and email client. Please note that only one profile per device type and mail client can be associated.
   Assign a profile from the displayed list.
5. Click Next. The Summary form provides a quick overview of the basic configuration you have just created for the SEG deployment. Save the settings.
6. Optionally, you can configure the advanced settings. To do this, navigate to the Email > Settings page and then click the icon located on the Email Configuration main screen.
   By default, the Use Recommended Settings check box is enabled to capture all SEG traffic information from devices. Otherwise, specify what information the SEG should log for devices and how frequently.
   Select the Enable Real-time Compliance Sync option to enable the AirWatch Admin Console to remotely provision compliance policies to the SEG Proxy server.
   Enable the Ignore SSL Errors check box to ignore Secure Socket Layer (SSL) certificate errors between SEG and the email server.
   Enable the Ignore SSL Errors check box to ignore Secure Socket Layer (SSL) certificate errors between the AirWatch component and the SEG server.
   KCD authentication - Enable or disable the Cross Domain KCD authentication using the settings available.
   Required transactions - Enable or disable the required transactions such as Folder Sync, Settings etc.
   Optional transactions - Enable or disable the optional transactions such as Get attachment, Search, Move Items etc.
   Diagnostic - Set the number and frequency of transactions for a device.
   Sizing - Set the frequency of SEG and API server interaction.
   S/MIME Options - Enable the checkbox to disallow the encryption of attachments and hyperlinks through the SEG.
Step 2: Preparing for the Installation

1. Download the SEG Installer from the AirWatch Admin Console to the SEG server attached to your network. To download, navigate to the Email > Settings page and click the Download the SEG Installer option. This page is available only upon completion of the Email Configuration steps in the above section.
2. You might need to disable User Account Control (UAC) for the installation process. However, you can re-enable UAC after the installation is complete. This is an environmental consideration that varies depending on the server deployment.
3. In the AirWatch Admin Console, create an admin account for the SEG (this is required for the simple installation wizard).
   Note: Configure the admin account at an organization group level at or above where you wish to configure the SEG.

Step 3: Running the AirWatch SEG 7.2 Installer

Run the AirWatch SEG v7.2 installer.

1. Double-click the AirWatch SEG 7.2 Installer.exe file, or right-click to choose Run as Administrator. The Setup dialog box displays, and it is followed by a Welcome dialog box. Click Next.
   Note: If you receive a Security Warning, choose Run.
2. Accept the End User License Agreement, and then click Next.
3. Specify the Destination Folder to install the SEG. Click Change if you want to modify the destination folder for installing the AirWatch application files.
   Note: The installer defaults to C:\AirWatch. However, the standard is to install AirWatch on a partition separate from the OS.
4. The AirWatch IIS configuration dialog box appears. Select Default Web Site as the IIS Website location for the SEG to install.
5. Click Install to begin the SEG installation.
6. Once the installation process is complete, the SEG Installation Wizard dialog box appears. Click Finish to close the installer. The AirWatch SEG setup shortcut icon is automatically created on the desktop, and the localhost URL opens in Explorer.

Step 4: Configuring the SEG with the Setup Wizard

Once the installation process is complete, the Secure Email Gateway Setup Wizard auto-launches. If not, double-click the SEG shortcut icon on the desktop to open the wizard.

1. Specify the following information on the Setup page:
   Enter the AirWatch Server Hostname that contains the API. This is usually the AirWatch API Service URL.
   Specify the SEG Admin Account Username and Password. This account is used to integrate with the API and should be enabled with the 'Allow Remote Access' role resource in AirWatch Admin Console. Create your SEG Admin Account at that organization group or at a level above the organization group that you wish to configure the SEG for.
   When complete, choose Next.
2. Configure the SEG for your specific deployment. Enter the following information:
   In the Organization Group field, enter the Group ID for the SEG's Organization Group.
   Select the MEM configuration from the dropdown.
3. Next, specify the following SEG Configuration settings. This information is pre-populated with the settings that you entered on the AirWatch Admin Console. Make any changes as needed, and at the end of the Setup wizard, the changes are automatically reflected in the AirWatch Admin Console.
   Select the Email Server type, Exchange version, and enter the Email Server Hostname for the AirWatch SEG to communicate with your internal email servers.
   Optionally, select the check box if you want to proxy webmail traffic in addition to EAS traffic through the SEG.
   To capture all SEG traffic information from devices, select the Use Recommended Settings check box. Otherwise, specify what information SEG can log for devices and how frequently.
   Choose whether to ignore SSL errors created by certificates between the SEG and EAS server.
   Enter the interval time, in minutes, for SEG to refresh rules.
   Set the transfer rate for the transactions happening between the SEG and the AirWatch Admin Console.
   Define a Friendly Name to help identify the SEG in the logs.
   Select Enable Real-time Compliance Sync so that the AirWatch Admin Console can send down compliance updates in a push-based mechanism instead of in a periodically timed poll-based mechanism. This allows your compliance rule set to update immediately when actions occur instead of at a specified rate.
   Specify a Gateway Hostname. The Gateway Hostname is the hostname of the specific SEG Proxy server.
   Click Next when complete.
4. If you are load balancing multiple SEG servers, select the Enable SEG Clustering checkbox.
   a. Specify the name you wish to assign to the cluster in the Cluster Directory Name field.
   b. Define the default port for the SEG servers to communicate with each other.
   c. Specify the host name of each SEG server in the cluster in the Node Address field.
   d. Click Next when complete.
   Note: Any changes that were made to the SEG configuration are automatically updated in the Console settings after the Setup wizard completes.
5. Lastly, the SEG Service Settings screen displays. This screen is a summary page displaying information such as AirWatch Group, API Certificate, Certificate expiry date and the Log level. Select the Log level that the SEG Proxy server uses for troubleshooting purposes. Click Save to automatically restart the Integration service.
Step 5: Deploying Mobile Email through the SEG Proxy

Now that the SEG is fully configured, it is ready to begin protecting mobile email. To start using SEG, configure all mobile devices to fetch email through the SEG server instead of the EAS server. To do this, deploy an EAS profile to your mobile fleet.

1. Navigate to the Devices > Profiles > List View page, and then click Add to create a new profile.
2. Select a device platform.
   Note: If you are leveraging the SEG for multiple device operating systems, then you must create a similar profile for each platform.
3. On the General tab, enter the information about the profile and assign the profile to the applicable Organization Groups and User Groups. Be sure to keep the assignment type as Automatic or Optional.
4. Select Exchange ActiveSync and choose Configure. From here, configure the parameters to access corporate mail through the SEG.
   Select the Mail Client your organization intends for end users to utilize from the drop-down menu.
   Ensure that the Exchange ActiveSync Host is the hostname of the SEG server and not the Exchange server.
   Note: If you have chosen Lotus Notes as your email client, then:
   a. You need to affix your SEG server URL with 'microsoft-server-activesync'. For example, https://.segurl.com/microsoft-server-active-sync.
   b. For Android Agent 4.2 and above, the end users have to install Lotus Notes manually.
   Make sure to leverage lookup values so each user can get their own distinct email.
   Note: As a best practice, the Password field must be left blank. This prompts the end user to enter their password once the profile is installed on the device.
5. Once complete, choose Save and Publish to begin utilizing secure mobile email.

It is recommended to make additional profiles for each device platform for which you wish to provision mobile email.
Email Management through the Secure Email Gateway (SEG) Proxy

Overview

After the SEG proxy integration setup is complete, you can manage the connected device email traffic, set email policies, and take appropriate actions on the devices from the AirWatch Admin Console.

In This Section

Securing with Email Policies - This section covers the features you can configure in AirWatch to provide a deeper level of security for the device fleet.
Email Dashboard - This section covers the features available on the Email Dashboard to manage and monitor devices effectively.
List View - This section covers the features available from the List View screen that enable you to perform administrative actions on devices.

Securing with Email Policies

Compliance Policies

Enable the policies below from Email > Compliance Policies. You can activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.

General Email Policies

Sync Settings - Prevent the device from syncing with specific EAS folders. Note that AirWatch prevents devices from syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, it is necessary to republish the EAS profile to the devices (this forces devices to re-sync with the email server).
Managed Device - Restrict email access only to managed devices.
Mail Client - Restrict email access to a set of mail clients.
User - Restrict email access to a set of users.
EAS Device Type - Allow or block devices based on the EAS Device Type attribute reported by the end-user device.

Note: The Android Lotus Notes Client does not support the EAS device type policy.

Managed Device Policies

Inactivity - Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (i.e. does not check in to AirWatch) before email access is cut off.
Device Compromised - Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to AirWatch.
Encryption - Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to AirWatch.
Model - Allows you to restrict email access based on the Platform and Model of the device.
Operating System - Allows you to restrict email access to a set of operating systems for specific platforms.

Email Security Policies

Attachments (managed devices) - Encrypt email attachments of selected file types. These attachments are secured on the device and are only available for viewing on the AirWatch Secure Content Locker. Currently, this feature is only available on managed iOS and Android devices with the Secure Content Locker application. For other managed devices, you can choose to either allow encrypted attachments, block attachments, or allow unencrypted attachments.
Attachments (unmanaged devices) - Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices.
Hyperlink - Allow device users to open hyperlinks contained within an email directly with a secure AirWatch application (e.g. AirWatch Browser) present on the device. Based on the application list sample, AirWatch dynamically modifies the hyperlink for the appropriate application on the device.

Note: The Android Lotus Notes Client and iOS Touchdown do not presently support the attachment encryption security email policy.

Email Dashboard

Gain visibility into the email traffic and monitor the devices through the AirWatch Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from Email > Dashboard.
From the Email Dashboard, you can access the List View page, which enables you to:

Whitelist or blacklist a device to allow or deny access to email respectively.
View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address.
From the Dashboard, you can also use the available Graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View screen.

List View

View all the real-time updates of your end user devices that you are managing with AirWatch MEM. You can access the List View from Email > List View. You can view the device or user specific information by switching between the two tabs, Device and User, available here. You can change the Layout to view either the summary or the detailed list of the information based on your requirement.

The List View screen provides detailed information that includes:

Last Request - In SEG integration this column shows the last time a device synced mail.
User - The user account name.
Friendly Name - The friendly name of the device.
MEM Config - The configured MEM deployment that is managing the device.
Email Address - The email address of the user account.
Identifier - The unique alpha-numeric identification code associated with the device.
Mail Client - The email client syncing the emails on the device.
Last Command - The command triggers the last state change of the device and populates the Last Request column.
Last Gateway Server - The server to which the device connected.
Status - The real time status of the device and whether email is blocked or allowed on it as per the defined policy.
Reason - The reason code for allowing or blocking email on a device. Please note that the reason code displays 'Global' and 'Individual' only when the access state of the email is changed by an entity other than AirWatch (for example, an external administrator).
Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
Mailbox Identity - The location of the user mailbox in the Active Directory.

Filters for Quick Search

From here, using the Filter option, you can narrow your device search based on:

Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.
Managed - All, Managed, Unmanaged.
Allowed - All, Allowed, Blocked.
Policy Override - All, Blacklisted, Whitelisted, Default.
Policy Violation - Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
MEM Config - Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions, and Administration dropdown menus provide a single location to perform multiple actions on the device.

Note: These actions, once performed, cannot be undone.

Override

Select the check box corresponding to a device to perform actions on it.

Whitelist - Allows a device to receive emails.
Blacklist - Blocks a device from receiving emails.
Default - Allows or blocks a device based on whether the device is compliant or non-compliant.
Remote Wipe - Resets the device to factory settings.

Actions

Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.
Enable Test Mode - Tests email policies without applying them on devices.

Administration

Dx Mode On - Runs the diagnostic for the selected user mailbox.
Dx Mode Off - Turns off the diagnostic for the selected user mailbox.
Update Encryption Key - Resets the encryption and re-syncs the emails for the selected devices.
Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that this record may reappear after the next sync.
Migrate Devices - Migrates selected device to other chosen MEM configurations by deleting the installed EAS profile and pushing the EAS profile of the chosen configuration on the device.
Appendix: Upgrading the SEG Proxy Server

Overview

The SEG is designed to make the upgrade process quick and easy. Perform the following steps to upgrade the SEG to the latest version.

In This Section

Preparing for the SEG Upgrade - Details the location and requirements for downloading SEG.
Running the SEG Installer - Explains the steps to install SEG to the latest version.

Step 1: Preparing for the Upgrade

1. Download the SEG Installer from the AirWatch Admin Console under Email > Settings > General. Ensure that the environment from where the SEG Installer was downloaded is running AirWatch v7.2.
2. It is recommended to run the MEM Configuration wizard again and associate the existing EAS profile to the SEG deployment.

Step 2: Running the AirWatch SEG v7.2 Installer

1. Double-click the AirWatch SEG v7.2 Installer.exe file, or right-click to choose Run as Administrator. Upon opening, the SEG Installer detects if a previous version is installed and verifies if you want to upgrade to the new version. Click Yes, and then click Next.
2. Click Install to begin the upgrade. The SEG Installer automatically performs the SEG upgrade.
3. Once complete, click Finish.