Sophos Mobile Control Installation guide. Product version: 3.5




Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013

Contents
1 Introduction
2 The Sophos Mobile Control server
3 Set up Sophos Mobile Control
4 External EAS Proxy server
5 Running the Sophos Mobile Control Service as a limited user
6 Updating Sophos Mobile Control
7 Apple Push Notification service
8 Technical support
9 Legal notices

1 Introduction

Sophos Mobile Control is a device management solution for mobile devices like smartphones and tablets. Sophos Mobile Control helps to keep corporate data safe by managing apps and security. The Sophos Mobile Control system consists of a server and a client component which communicate through data connections and text messages. The Sophos Mobile Control client is easily installed and managed with over-the-air setup and configuration through the Sophos Mobile Control web console. With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT efforts by allowing users to register their own devices and carry out other tasks without having to contact the helpdesk.

This guide describes:
- How to carry out preparatory measures for the Sophos Mobile Control Server
- How to request an SSL certificate for Sophos Mobile Control with the SSL Certificate Wizard
- How to install and set up the Sophos Mobile Control server (SMC server)
- How to install the external EAS Proxy server
- How to run the Sophos Mobile Control Service as a limited user
- How to update Sophos Mobile Control
- How to create and upload an APNs certificate

1.1 Access data

The access data for the system is saved in a database that can be extended later on. All steps have to be executed as an administrator of Microsoft Windows Server or as a user of the relevant group. The database user needs sysadmin rights.

1.2 Licenses

To use Sophos Mobile Control you need a valid license. After purchasing the software, you receive a license file named license.sql. You must place this file in the same directory as the setup file during installation.

2 The Sophos Mobile Control server

The SMC server is a dispersed system that consists of the following components:
- JBoss
- SQL database server MSQL
- SMC server provided as Java-Enterprise-Archive inside JBoss
- Directory Service
- Redistributable package

The individual components communicate either through the database or through the J2EE-standard-designated interfaces. In this case, no further exchange files are necessary. It is required that the server scripts and property data are configured and that they work with the single server operation. If changes are necessary, the single setting parameters have to be modified.

Note: The zipped server log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.

2.1 Install the operating system

One possible server operating system is Microsoft Windows Server 2008 R2. For installation, refer to the relevant documentation. In addition, you have to install the following packages manually:
- Microsoft SQL Server: Choose one of the following packages: Microsoft SQL 2008, Microsoft SQL 2008 R2, Microsoft SQL 2012, Microsoft SQL 2012 Express or MSQL
- Java JDK (including JRE): Version 7u21 or higher
- MySQL 5.5 with InnoDB support

If JDK is not contained in the installation package, you may have to download it.

2.2 Install the database server Microsoft SQL Server

We recommend Microsoft SQL Server 2012 Express Edition for Windows with installer. The following description shows the installation process for Microsoft SQL Server.

1. Execute the installer and select New SQL Server stand-alone installation or add features to an existing installation.
2. If any problems occur, the Setup Support Rules dialog is displayed. Here problems that might occur when you install SQL Server Setup support files are identified. If problems have occurred, make the necessary changes to solve them and click Next.
3. In the License Terms dialog, select I accept the license terms and click Next.
4. If any updates are available, the Product Updates dialog is displayed. If you select Include SQL Server product updates in this dialog, updates will be installed automatically after you click Next.
5. In the Feature Selection dialog, select Database Engine Service. If necessary, modify the installation directory.
   Note: If you have downloaded the setup including the management tools, the tools should also be installed. To do so, select Management Tools - Basic.
   Click Next.
6. In the Instance Configuration dialog, change the instance name, if necessary. Click Next.
7. In the Server Configuration dialog, select NT_AUTHORITY\System for SQL Server Database Engine and click Next.
8. In the Database Engine Configuration dialog, select Mixed Mode (SQL Server authentication and Windows authentication). Define a strong password for the system administrator account and click Next.
9. SQL Server 2012 R2 installation is now complete. In the Complete dialog, click Close to close the Setup wizard. You can also close the SQL Server Installation Center now.

10. Before Sophos Mobile Control can be installed, the TCP/IP Protocol for the SQL Server needs to be enabled and the TCP port needs to be set to 1433. Open the Start menu, select All Programs > Microsoft SQL Server 2012 R2 > Configuration Tools and click SQL Server Configuration Manager. In the SQL Server Configuration Manager, go to Protocols for SQLEXPRESS and double-click TCP/IP.

11. In the Protocol tab of the TCP/IP Properties dialog, set Enabled to Yes and click the IP Addresses tab.

12. In the IP Addresses tab of the TCP/IP Properties dialog, click TCP Dynamic Ports and make sure that the field is empty to disable this function. Now click TCP Port, enter 1433 and click OK to apply your settings.
13. For the new settings to take effect, the server needs to be restarted. Click SQL Server Services, right-click SQL Server (SQLEXPRESS) and select Restart.

2.3 Install Java JDK7

When you install Java JDK7, source code does not have to be installed. Install Java JRE in its complete version.

Note: When you update Sophos Mobile Control from an older version, you may need to update Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You also need to manually adjust the environment variables.

2.4 Install MySQL Server

To install MySQL Server by using MSI Windows installer for MySQL Community Server 5.5x:

1. Double-click the installer and install MySQL Server 5.5x. After the installation has been completed the MySQL Server Instance Configuration Wizard is started.

2. Follow the wizard steps and select the following options in the individual dialogs:
   a) Select Detailed Configuration.
   b) Select Server Machine.
   c) Select Multifunctional Database.
   d) Select the standard installation path.
   e) Select Decision Support (DSS)/OLAP.
   f) Make sure that Enable TCP/IP Networking is selected and port 3306 is selected in the Port Number field. Make sure that the Enable Strict Mode field is selected. Click Next.
   g) Select Best Support For Multilingualism.
   h) Select Install As Windows Service. Make sure that Launch the MySQL Server automatically is selected. Select Include Bin Directory in Windows PATH.
   i) Make sure that Modify Security Settings is selected and define a strong root password.
   j) Install the MySQL GUI Tools. Use Custom installation.
      Note: You do not have to install the Workbench Migration Toolkit.
3. Add the following line to the my.ini file: wait_timeout=86400.
4. Restart the MySQL service.
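Step 3 does not say where in my.ini the line belongs, and the MySQL server only reads options from its own groups ([mysqld], [mysqld-5.5], [server]), so a line appended under another group has no effect. The following PowerShell check is an added example, not part of the Sophos guide: it parses my.ini content and reports whether the values from steps 2f and 3 are set in a server group. The function name Test-SmcMyIni and the sample file content are constructed for illustration.

```powershell
# Added example (not from the Sophos guide). Test-SmcMyIni is a hypothetical helper name.
function Test-SmcMyIni {
    param([Parameter(Mandatory=$true)] [string[]] $Lines)

    $serverGroups = 'mysqld', 'mysqld-5.5', 'server'   # groups the MySQL 5.5 server reads
    $section  = ''
    $settings = @{}    # option name -> value, server groups only
    $stray    = @()    # other groups that contain wait_timeout

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Skip blank lines and full-line comments.
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].Trim().ToLower(); continue }

        # Option files use "name=value"; '-' and '_' are interchangeable in option names.
        $name, $value = $line -split '=', 2
        $name  = $name.Trim().ToLower().Replace('-', '_')
        $value = if ($null -ne $value) { $value.Trim().Trim('"') } else { '' }

        if ($serverGroups -contains $section) {
            $settings[$name] = $value
        } elseif ($name -eq 'wait_timeout') {
            $stray += $(if ($section) { "[$section]" } else { '(before any group)' })
        }
    }

    $sqlMode = @()
    if ($settings.ContainsKey('sql_mode')) {
        $sqlMode = $settings['sql_mode'].ToUpper() -split '\s*,\s*'
    }

    New-Object PSObject -Property @{
        WaitTimeoutOk      = ($settings['wait_timeout'] -eq '86400')   # step 3
        PortOk             = ($settings['port'] -eq '3306')            # step 2f
        StrictModeOk       = [bool]($sqlMode | Where-Object { $_ -like 'STRICT_*' })  # step 2f
        WaitTimeoutIgnored = $stray   # groups where the line was found but the server ignores it
    }
}

# Constructed sample: wait_timeout was appended at the end of the file and
# landed in [mysqldump], so the server never sees it.
$sample = @'
[client]
port=3306

[mysqld]
port=3306
sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

[mysqldump]
wait_timeout=86400
'@ -split "`r?`n"

Test-SmcMyIni -Lines $sample
# Against a real installation, pass the file content instead:
#   Test-SmcMyIni -Lines (Get-Content '<path to my.ini>')
```

For the constructed sample, WaitTimeoutOk is False and WaitTimeoutIgnored lists [mysqldump], while PortOk and StrictModeOk are True.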

3 Set up Sophos Mobile Control

The key steps are:
- Request an SSL Certificate
- Execute the Sophos Mobile Control installer.
- Carry out the configuration steps in the Sophos Mobile Control Configuration Wizard.
- If you want to configure the EAS Proxy server separately, execute the Sophos Mobile Control EAS Proxy installer, see External EAS Proxy server (section 4).
- As a super administrator create a customer (a tenant for which devices are managed) in the Sophos Mobile Control administration web console. For further information on this setup step, refer to the Sophos Mobile Control super administrator guide.

3.1 Request an SSL certificate for Sophos Mobile Control

For setting up Sophos Mobile Control, you need an SSL webserver certificate. In the setup process, you can select between creating a self-signed certificate and using a PKCS12 with certificate, private key and certificate chain. For further information, see Install and set up the Sophos Mobile Control Server (section 3.2).

Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your certificate for Sophos Mobile Control.

To request your SSL certificate:

1. Start the SSL Certificate Wizard by double-clicking the file Sophos Mobile Control SSL Certificate Wizard.exe. The Certificate Wizard welcome dialog is displayed.
2. Click Next. The License Agreement dialog is displayed.
3. Click I Agree. The Create Certificate Signing Request dialog is displayed.
4. Enter the Server Name (FQDN), the Company, City, State and Country code (for example US or UK). These fields are mandatory.
5. Click Next. The Upload CSR dialog is displayed.

6. In this step, you upload the Certificate Signing Request to the Certificate Authority (CA) for signing. Follow the instructions in the dialog:
   a) Go to the website of your Certificate Authority and log in.
   b) Upload the file ServerCertificateSigningRequest.csr from the folder indicated on the Upload CSR dialog of the SSL Certificate Wizard.
      Note: If your certificate vendor supports copy and paste, you can open the .csr file with the Open CSR button in the Upload CSR dialog.
   c) Save the certificate issued by the CA in Base 64 format (*.pem, *.cer, *.crt) in the folder indicated in the Upload CSR dialog.
   d) Download the certificate chain and CA certificate of your certificate authority.
   e) Click Next in the Upload CSR dialog. The Import Certificate Files dialog is displayed.
7. In the Import Certificate Files dialog, you import the intermediate certificates file (depending on your CA vendor) and the downloaded CA certificate. You also need to define a password for the server certificate (PKCS12) that is to be created:
   a) In the Select intermediate certificates file field, browse for the intermediate certificate.
   b) In the Select CA certificate file field, browse for the downloaded CA certificate.
   c) In the Password for private key field, enter a password for the server certificate to be created. Confirm the password.
   d) Click Next. The Certificate created dialog is displayed.
8. In the Certificate created dialog, the location of the certificate created is shown. You can use it when setting up Sophos Mobile Control, see Install and set up the Sophos Mobile Control Server (section 3.2).
   Note: Create a backup of the folder containing the certificate files.
   Click Next. The Sophos Mobile Control - SSL Certificate Wizard finished dialog is displayed.
9. Click Finish.
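Before the PKCS12 file is imported in the Configuration Wizard (section 3.2), it is worth confirming that it really holds what the wizard expects: one certificate with its private key, issued for the server FQDN, plus the intermediate and CA certificates. The following PowerShell function is an added example, not part of the Sophos guide or the SSL Certificate Wizard; the name Test-SmcPkcs12, its parameters and the host name in the usage comment are hypothetical.

```powershell
# Added example (not from the Sophos guide). Test-SmcPkcs12 is a hypothetical helper name.
function Test-SmcPkcs12 {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password,
        [Parameter(Mandatory=$true)] [string] $ServerFqdn,
        [int] $MinDaysValid = 30
    )

    # X509Certificate2Collection.Import only accepts a plain-text password.
    $plain  = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import((Resolve-Path $Path).ProviderPath, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # Exactly one entry should carry the private key: the server certificate.
    $leaves = @($bundle | Where-Object { $_.HasPrivateKey })
    if ($leaves.Count -ne 1) {
        throw "Expected exactly one certificate with a private key, found $($leaves.Count)."
    }
    $leaf = $leaves[0]

    # Build the chain, offering the other certificates in the file as candidates.
    # Windows may also pull issuers from the local certificate stores, so the
    # thumbprints are compared afterwards to see what the file itself contains.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    foreach ($c in $bundle) {
        if (-not $c.HasPrivateKey) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    }
    $built = $chain.Build($leaf)

    $inBundle = @($bundle | ForEach-Object { $_.Thumbprint })
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $missing  = @($elements | Where-Object { $inBundle -notcontains $_.Thumbprint } |
                  ForEach-Object { $_.Subject })
    $root     = $elements[-1]

    # First DNS name of the certificate (subject alternative name, else the CN).
    # Certificates with several names need a manual look at the SAN list.
    $dnsName = $leaf.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $now = Get-Date

    $result = New-Object PSObject -Property @{
        Subject           = $leaf.Subject
        DnsName           = $dnsName
        NameMatches       = ($dnsName -eq $ServerFqdn)
        NotAfter          = $leaf.NotAfter
        ValidLongEnough   = ($leaf.NotBefore -le $now -and $leaf.NotAfter -gt $now.AddDays($MinDaysValid))
        ChainBuilds       = $built
        ChainStatus       = @($chain.ChainStatus | ForEach-Object { $_.Status })
        MissingFromBundle = $missing    # chain members found on this machine but not in the file
        RootIncluded      = ($root.Subject -eq $root.Issuer -and $inBundle -contains $root.Thumbprint)
    }

    # Release key handles before returning.
    $chain.Reset()
    $bundle | ForEach-Object { $_.Reset() }
    $result
}

# Usage (placeholders: take the path from the Certificate created dialog,
# and use the FQDN entered in step 4):
#   Test-SmcPkcs12 -Path '<path to PKCS12 file>' -Password (Read-Host -AsSecureString) -ServerFqdn 'smc.example.com'
```

A file that is ready for import shows NameMatches and ValidLongEnough as True, an empty MissingFromBundle and RootIncluded as True; ChainBuilds can still be False with an UntrustedRoot status when the CA is not trusted on the machine running the check.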
3.2 Install and set up the Sophos Mobile Control Server

Prerequisites:
- Before you execute the Sophos Mobile Control installer, put the license file license.sql for the operation of the Sophos Mobile Control Server in the directory where the setup file is located.

- If you want to use the database type MySQL, the MySQL JDBC driver is required. Download this driver from http://www.mysql.com/downloads/connector/j/ and save it on the server. You need to select it during Sophos Mobile Control configuration.
- If the database is not held locally, you need access to the TCP Port 3306. In addition, you need an admin account that can log in from the Sophos Mobile Control Server.

1. Execute the Sophos Mobile Control installer, review and agree to the License Agreement. The System Property Checks dialog is displayed. To check that the system environment fulfills all necessary requirements for Sophos Mobile Control installation, click Check. If you want to generate a system check report after the check has been run, click Report.

2. If all requirements are fulfilled, click Next. The Choose Install Location dialog is displayed. Choose the destination folder and click Install to start installation.
3. After the installation process the Sophos Mobile Control Configuration Wizard welcome dialog is displayed. Click Next.
4. In the Database selection dialog you can select:
   - Use Microsoft SQL Server
   - Use MySQL
     For this option, the MySQL JDBC driver is required. Select Use MySQL and browse for the driver you have downloaded.

   Click Next to specify server information and logon credentials in the Database Settings dialog. This dialog offers the required options according to the database type you have selected.
5. If you have selected Use Microsoft SQL Server in the Database selection dialog, the Database Settings dialog offers the following options. To use the user credentials specified during SQL server installation, select Use SQL Server Authentication with the following credentials and enter the required user name and password. Click Next to continue.

6. If you have selected Use MySQL in the Database selection dialog, the Database Settings dialog offers the following options: Select Use MySQL Authentication with the following credentials and enter the required user name and password. Click Next to continue.
7. In the next step, you create the database. In the Database Selection dialog, select Create a new database named, enter a name (for example SMCDB) and click Next. The Database Configuration dialog is displayed. It shows the relevant progress messages. After the database has been successfully created and populated, click Next.

8. In the next step, you can select optional setup steps in the Choose setup steps dialog. Setup steps that are mandatory for initial configuration are preselected and greyed out. You can select the following optional steps:
   - Configure user interface access IP range
     In this step, you can configure an IP range white list to manage access to the Sophos Mobile Control web console and the Self Service Portal.
   - Configure Exchange ActiveSync Proxy
     This step is preselected, but you can deactivate it. With this step you set up the standard embedded EAS Proxy. If you want to set up EAS Proxy separately with several instances (for example for load balancing), run the separate EAS Proxy setup. For further information, see External EAS Proxy server (section 4).
     Note: The EAS Proxy configuration step is necessary for configuring compliance check settings. If you run the separate EAS Proxy setup and need to configure compliance check settings, leave this step selected.
   - Configure HTTP proxy
     If you use a corporate HTTP proxy, select this option to enter the relevant server details and configure Sophos Mobile Control accordingly.
   - Enable SCEP (Simple Certificate Enrollment Protocol for iOS devices)
     Select this option to enable SCEP support for iOS devices. By configuring SCEP support you allow devices to obtain certificates from a Certificate Authority by using SCEP. All required settings for SCEP can be configured by a super administrator in the Sophos Mobile Control web console. For further information, see the Sophos Mobile Control super administrator guide.
   Select the required optional steps and click Next.
9. In the next step, you configure a super administrator account. The super administrator you create in this dialog has specific rights and tasks and is primarily used for customer management. In Sophos Mobile Control, customers are the tenants that manage the devices of their users. The super administrator logs on to a super administrator customer and can, for example, predefine settings for new customers and push settings and configurations to existing customers. For further information, refer to the Sophos Mobile Control super administrator guide.
   In the Configure super admin account dialog, enter the Super admin customer (the customer the super administrator will log on to), the Super admin login (the super administrator login name) and a Super admin password. Confirm the password and click Next.
   Note: These credentials are required for logging on to the Sophos Mobile Control web console.
   Note: The super administrator should not be used in productive operation, but only for administrative purposes. The super administrator is primarily intended for customer management.

10. If you have selected the optional setup step Configure user interface access IP range in Choose setup steps, you can configure an IP range white list for user interface access in the next step. In Administration Interface, enter the white list for the Sophos Mobile Control administrator web console. In Self Service Portal, enter the white list for the Sophos Mobile Control Self Service Portal. Follow the instructions for entering IP addresses shown in the dialog. After you have entered all required information, click Next.

11. In the next step, you enter SMTP information and logon credentials.
    Note: This is required to enable emails to be sent to new users to provide them with logon credentials.
    In the Configure SMTP dialog under Enter SMTP server information, enter the SMTP information and click Next. Under Enter Sophos Mobile Control server email information, enter the email information for exception and report mails (for example for an expired APNs certificate).

12. If you have left the option Configure Exchange ActiveSync Proxy in the Choose setup steps dialog selected, you configure the Exchange Active Sync (EAS) Proxy information in the next step.
    Note: The EAS Proxy configuration step is necessary for configuring compliance check settings in the next step. If you run the separate EAS Proxy setup (for example for load balancing), enter non-applicable information here.
    Note: If you want to use Lotus Traveler and connect Android devices to Traveler, you need to set up an external EAS Proxy server. For further information on how to set up an external EAS Proxy server, see Install external EAS Proxy server (section 4.1).
    Note: EAS Proxy log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.
    Enter the relevant EAS-Proxy information and select Use SSL, if required.
    Under Default mail access for new devices under management, specify how email access should be checked and handled:
    - Select Compliance check controlled email access for an ongoing automatic check if devices comply with your corporate rules for mobile access. If devices are not compliant, further email access through EAS proxy may be denied depending on the compliance settings specified in the Sophos Mobile Control web interface.
    - Select Allow email access if all new managed devices are to be granted email access through EAS proxy. The administrator has to deny access individually.
    - Select Deny email access to deny new managed devices email access through EAS proxy. The administrator has to grant access individually.

    Click Next.
13. If you have configured the EAS Proxy setup in the last step you can configure the compliance check in the next step. For compliance check, you can configure the following:
    - In the Compliance check interval (in minutes) field, enter the time interval in which the check is to be performed.
    - In the Device sync interval (in minutes) field, enter the time interval after which the device synchronizes with the server.
      Note: The value you set in this field only applies to iOS devices. For Android and Windows Mobile devices a default of 24 hours applies. To define a different interval for these device types, use the command package Set MDM Sync Interval (in minutes).
    Click Next.

14. In the next step, a certificate for the secure (HTTPS) access to the web server needs to be created or imported.
    Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your SSL certificate for Sophos Mobile Control. For further information, see Request an SSL certificate for Sophos Mobile Control (section 3.1).
    - If you do not have a trusted certificate yet, select Create self signed certificate, click Next and continue with step 15.
    - If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the dropdown list, click Next and continue with step 16.
    - You can also select Separate files for certificate, private key, intermediate and CA from the dropdown list, click Next and continue with step 17.

15. If you have selected Create self signed Certificate, the following dialog is shown. Enter the appropriate certificate information. After you have entered all necessary information click Next to review and confirm the creation.
16. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter the password. Click Next to review and confirm the import.

17. If you have selected Separate files for certificate, private key, intermediate and CA under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter the password for the private key. Click Next to review and confirm the import.

18. If you have selected the optional setup step Configure HTTP proxy in Choose setup steps, you can enter your HTTP proxy configuration details in the next step. In the HTTP Proxy Setup dialog, enter your Proxy Host and Proxy Port.
    Note: If a proxy is defined in Windows Internet Explorer, the information is automatically transferred to the HTTP Proxy Setup dialog.
19. In the next step, you verify the license information. Click Next to confirm the licensing and configuration process.

20. Configuration is now complete.

21. After installation has finished, the Sophos Mobile Control - Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control server now is selected and click Finish to start the Sophos Mobile Control server for the first time.
    Note: If you have used MS authentication, do not select the checkbox Start the Sophos Mobile Control server now.
    If you have selected SQL server authentication during installation, the SMCSVC service is started automatically and the Sophos Mobile Control server is executed. If you have selected Windows authentication, you first have to enter logon details in the service and start it afterwards.
    Note: After the service has been started it can take a few minutes before the web interface is available.
    Note: If a different language than English is used for the SQL login, an error occurs and an error message is displayed. To solve this problem, first stop the SMCSVC service. Then open SQL Management Studio on the server and select Security followed by Logins. Edit the properties of the user that is used to start the SMC server and set the Default language for this account to English. Click OK and start the SMCSVC service again.

Continue with the following configuration steps:
- In the Configuration Wizard, you have now created a super administrator and a super administrator customer. This setup does not support the LDAP connection to a directory service such as Active Directory and the self-registration of end users with the Self Service Portal. To support these features, a customer must be created by the super administrator. For further information, refer to the Sophos Mobile Control super administrator guide.
- If you have selected to configure the EAS Proxy server separately, configure the EAS Proxy now, see External EAS Proxy server (section 4).

4 External EAS Proxy server

With Sophos Mobile Control you can set up an external EAS Proxy server with several instances. Sophos Mobile Control offers a separate EAS Proxy installer for this purpose.

Features

Besides the features of the internal EAS Proxy, the external EAS Proxy offers the following features:
- Lotus Traveler client support (which is not ActiveSync)
- Support for multiple Microsoft Exchange and Lotus Traveler servers (one instance per mail server, one TCP port per instance)

Usage scenarios

Note: For Sophos Mobile Control as a Service, the following scenarios do not apply. In this scenario, the EAS Proxy server is suitable for installation in your own environment because the EAS Proxy communicates through HTTPS with the Sophos Mobile Control Server.

An external EAS Proxy server should be used for the following scenarios:

- You use Lotus Traveler for non-iOS devices.
  The internal EAS Proxy cannot handle this scenario as Active Sync is not used here. The internal EAS Proxy supports iOS devices for Lotus Traveler as Traveler supports ActiveSync for iOS. So for iOS devices you do not need to use the external EAS Proxy. For other platforms (for example, Android or Windows Mobile), Lotus Notes Traveler is supported by the external EAS Proxy. For these platforms, a dedicated Traveler client software is required. This software is available through <traveler-server>/servlet/traveler or the Traveler file system. Sophos Mobile Control can install and uninstall the client software. Configuration has to be done manually.

- You want to support multiple backend servers.
  With the external EAS Proxy you can set up multiple instances of backend mail systems. Each instance needs an incoming TCP port. Each port can connect to a different backend. You need one URL per EAS instance.

- You want to set up load balancing for EAS.
  For this scenario an existing load balancer for HTTP is required. You set up the external EAS Proxy on different machines.

Setup

The following applies to installation and setup:
- The external EAS Proxy can be installed on the same server, but needs to listen on different ports.

- The external EAS Proxy can run on different (virtual and physical) machines.
- Simple Windows setup

4.1 Install external EAS Proxy server

Prerequisite: Sophos Mobile Control has been installed and set up, see Install and set up the Sophos Mobile Control Server (section 3.2). If the EAS Proxy is to be installed on a separate machine, Java JRE needs to be installed.

To configure the EAS Proxy server separately:

1. Execute the Sophos Mobile Control EAS Proxy Setup.exe. The Sophos Mobile Control EAS Proxy Setup welcome dialog is displayed. Click Next.
2. In the License Agreement dialog, review the license terms and click I Agree.
3. In the Choose Install Location dialog, choose the destination folder and click Install to start installation.
4. After Sophos Mobile Control EAS Proxy has been installed, the EAS Proxy Configuration Wizard welcome dialog is displayed. Click Next.

5. In the SMC Server configuration dialog, select the SMC Server to be used. Optionally, select Use SSL for incoming connections (Clients to EAS Proxy). Click Next.
6. If you have selected Use SSL for incoming connections (Clients to EAS Proxy), the Import Certificate Files dialog is displayed. Select the appropriate files and enter the password for the private key. Click Next.

7. In the next step, you configure the EAS Proxy instances. In the EAS Proxy instance setup dialog, enter an Instance name, the relevant Server port (incoming traffic) and the ActiveSync Server (target). Select Enable traveler client access to enable Lotus Traveler client access. After entering the instance information, click Add to add the instance to the Instances list. After you have added the instance the following message is displayed: Click OK. A window with the certificate that needs to be uploaded to Sophos Mobile Control opens.
8. In the next step, you need to upload the certificate in the Sophos Mobile Control web console as a super administrator. For further information on Sophos Mobile Control super administrators, see the Sophos Mobile Control super administrator guide.
   a) Log on to the Sophos Mobile Control web console as a super administrator.
   b) In the web console menu bar, go to Settings and click System setup.
   c) In the EAS Proxy tab, browse for the certificate and click Upload.

      The certificate is uploaded and shown in the EAS Proxy tab.
   d) Click the Save button.
   Note: The certificate needs to be uploaded before the server is started. Otherwise Sophos Mobile Control rejects the server and the service will not be started.
9. In the EAS Proxy instance setup dialog of the EAS Proxy Configuration Wizard, click Next. The server port you entered is checked and the Sophos Mobile Control EAS Proxy Configuration Wizard finished dialog is displayed.
10. Configuration is now complete. Click Finish to close the Configuration Wizard. The Sophos Mobile Control EAS Proxy server is installed.

11. After installation has finished, the Sophos Mobile Control EAS Proxy Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control EAS Proxy server now is selected and click Finish to start the Sophos Mobile Control EAS Proxy server for the first time.

The Sophos Mobile Control EAS Proxy server has been installed and configured.

Note: EAS Proxy log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.

5 Running the Sophos Mobile Control Service as a limited user

For security reasons, you may want to run the SMC service as a limited user instead of an administrator.

Note: If you use Windows Authentication for database access, you only have to carry out step 3 of the following description.

1. On the computer, on which Sophos Mobile Control is running, create a local, regular Windows user account with a password that does not expire.
2. Remove this user account from all groups. (By default, the user is in the users group.)
3. Grant this user account full access to the Sophos Mobile Control installation directory (C:\Programs\Sophos\Sophos Mobile Control) including all subdirectories.
4. In the SMCSVC service properties, change the user to this user account with the relevant password.
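The four steps above can also be scripted. The following PowerShell is an added example, not part of the Sophos guide; the account name smc-limited is an assumption, while the installation path and the service name SMCSVC are the ones given in the steps.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Sophos guide. Run on the SMC server.
param(
    [string] $Account    = 'smc-limited',                               # hypothetical account name
    [string] $InstallDir = 'C:\Programs\Sophos\Sophos Mobile Control',  # path given in the guide
    [string] $Service    = 'SMCSVC'                                     # service name given in the guide
)
$ErrorActionPreference = 'Stop'

# Step 1: local, regular account whose password does not expire.
$password = Read-Host -AsSecureString "Password for $Account"
New-LocalUser -Name $Account -Password $password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Sophos Mobile Control service account' | Out-Null

# Step 2: remove the account from every local group it belongs to.
foreach ($group in Get-LocalGroup) {
    if (Get-LocalGroupMember -Group $group -Member $Account -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group $group -Member $Account
    }
}

# Step 3: full control on the installation directory; (OI)(CI) makes the
# entry inherit to all files and subdirectories below it.
icacls $InstallDir /grant "${Account}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 4: change the logon account of the service.
# Win32_Service.Change returns 0 on success.
$svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
if (-not $svc) { throw "Service $Service not found" }
$plain  = [System.Net.NetworkCredential]::new('', $password).Password
$result = $svc | Invoke-CimMethod -MethodName Change `
    -Arguments @{ StartName = ".\$Account"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Change failed with code $($result.ReturnValue)" }

# The Services console grants "Log on as a service" when you set the account
# there; this call does not. Assign the right in Local Security Policy
# (secpol.msc) before restarting the service.

# Show the resulting configuration.
Get-CimInstance Win32_Service -Filter "Name='$Service'" |
    Select-Object Name, StartName, State
```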

6 Updating Sophos Mobile Control

Note: When you update Sophos Mobile Control from an older version, you may need to update Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You also need to manually adjust the environment variables.

6.1 Updating from version 1.x to 3.5

SMC Server installations version 1.x cannot be updated directly to version 3.5. Version 1.0 has to be updated to version 1.1 and then to version 2.5 first.

6.2 Updating from version 2.5 or 3.0 to 3.5

To update your SMC Server installation to version 3.5, execute the Sophos Mobile Control 3.5 installer. The installer automatically detects that an existing installation is to be updated to version 3.5. The administrator is asked whether the service should be stopped. The database is updated automatically. If you use SQL authentication, you have to specify the super administrator account when you upgrade to change the existing SQL users and passwords.

7 Apple Push Notification service

To use the built-in Mobile Device Management (MDM) protocol of devices running Apple iOS 4 (or higher), Sophos Mobile Control must use Apple's Push Notification service (APNs) to trigger the iOS devices. The following sections describe the requirements that have to be fulfilled and the steps you must take to get access to the APNs servers with your own client certificate.

Sophos Mobile Control offers an APNs Certificate Wizard for creating your APNs certificate. The wizard is included in your product delivery. It is also available for download in the web console.

Note: Do NOT use Internet Explorer for any Apple websites. Apple recommends their own Safari browser, but Mozilla Firefox, Opera or Google Chrome also work.

7.1 Requirements

- For silent operations all devices must have at least iOS version 4 installed. A free update is available from Apple for:
  - iPhone 3G, 3GS, 4
  - iPad
  - iPod touch, 3rd or 4th generation
- To notify iOS devices, the Sophos Mobile Control server needs to connect to the Apple Push Notification service. The notifications are sent SSL-encrypted to gateway.push.apple.com:2195 TCP (17.0.0.0/8)
- iOS devices with Wifi only need a connection to the APNs:
  Wifi iOS device -> *.push.apple.com:5223 TCP (17.0.0.0/8)

7.2 Create and upload an APNs certificate

To create an APNs certificate, you use the APNs Certificate Wizard. The wizard is included in your product delivery. It is also available for download in the web console. In the web console menu bar, go to Settings, click System Setup and go to the iOS APNS tab. To download the wizard, click the available download link.

1. Start the APNs Certificate Wizard by double-clicking the file APNs Certificate Wizard.exe. The APNs Certificate Wizard welcome dialog is shown.
2. Click Next. The Create CSR dialog is shown.

3. Enter your Company Name and your Country code (for example US). These fields are mandatory.
   Note: Below these fields, the dialog shows where all data of the process is stored. Make a note of this information.
4. Click Next. The Upload PLIST dialog is displayed.
5. In this step, you upload the Certificate Signing Request to Apple. Follow the instructions in the dialog:
   a) Open the Apple site indicated in the dialog in your browser.
      Note: Do not use Internet Explorer to open the Apple site as this may cause problems. Use Firefox, Chrome or Safari instead. We recommend using the latest browser versions.
   b) Log in with your Apple ID. If you do not have an Apple ID, create one.
   c) In the first dialog of the Apple Push Certificates Portal, click Create a Certificate.
   d) Accept the terms and conditions.
   e) Browse for your Certificate Signing Request (*.plist) and click Upload. You find the file name and the path in the Upload PLIST dialog of the Sophos APNs Certificate Wizard. Your Apple push certificate is created.
   f) Save the certificate file (*.pem) in the directory indicated in the Upload PLIST dialog.
6. Click Next. The Create P12 dialog is displayed.
7. In this step, you create your APNs certificate for Sophos Mobile Control. Enter a password for the APNs certificate. You need this password later, when you upload the .p12 certificate file to Sophos Mobile Control.
   Note: The Create P12 dialog shows the directory the certificate will be stored in. Make a note of this information. We recommend that you create a backup of the folder that contains the certificate files.
8. Click Next. The Sophos Mobile Control APNs Certificate Wizard finished dialog is displayed.
9. Click Finish.
10. In the Sophos Mobile Control web console, click the Settings button and go to the iOS APNS tab.

11. Browse for the .p12 certificate file you have created, enter your password and click Upload. After the file has been uploaded successfully, a confirmation message is displayed.
12. Click Save.

7.3 Migrating APNs certificates from the iOS Developer Enterprise Program

Certificates created with the iOS Developer Enterprise Program (iDEP) cannot be renewed from within the iDEP anymore. If you have created your MDM APNs certificates with iDEP and they are about to expire, you have to migrate them to the new method described in Create and upload an APNs certificate (section 7.2).

To renew a certificate:

1. Go to https://identity.apple.com/pushcert/ and log in with your iDEP Apple ID that you used to create your existing APNs certificate.
2. Carry out the following steps. For details on individual steps, see Create and upload an APNs certificate (section 7.2).
   a) Create a CSR.
   b) Let Sophos sign the CSR.
   c) Click the Renew button and upload the signed CSR.
   d) Download the certificate.
   e) Convert the APNs Certificate for Sophos Mobile Control.
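To see when an APNs certificate is about to expire (section 7.3) and whether the server can reach the gateway listed in the requirements (section 7.1), the .p12 file and the outbound connection can be checked from the SMC server. The following PowerShell is an added example, not part of the Sophos guide; the parameter names and the 30-day threshold are assumptions, and the path to the .p12 file is the one the wizard shows in its Create P12 dialog.

```powershell
# Added example, not from the Sophos guide. Run on the SMC server.
param(
    [Parameter(Mandatory)] [string] $P12Path,   # .p12 file written by the wizard's Create P12 step
    [int] $WarnDays = 30                        # assumed renewal threshold in days
)
$ErrorActionPreference = 'Stop'

# Load the certificate with the password chosen in the wizard.
# .NET resolves relative paths against the process directory, so pass a full path.
$pw       = Read-Host -AsSecureString 'APNs certificate password'
$fullPath = (Resolve-Path $P12Path).Path
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, $pw)
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

# Outbound path from the SMC server to the gateway named in section 7.1.
$conn = Test-NetConnection -ComputerName 'gateway.push.apple.com' -Port 2195 `
            -WarningAction SilentlyContinue
$addr = $conn.RemoteAddress

# The guide lists 17.0.0.0/8 as the destination range, so the first octet
# of the resolved IPv4 address must be 17.
$inRange = [bool]($addr -and
                  $addr.AddressFamily -eq 'InterNetwork' -and
                  $addr.GetAddressBytes()[0] -eq 17)

[pscustomobject]@{
    Subject        = $cert.Subject
    HasPrivateKey  = $cert.HasPrivateKey     # must be True for a usable .p12
    NotAfter       = $cert.NotAfter
    DaysLeft       = $daysLeft
    RenewSoon      = $daysLeft -le $WarnDays
    GatewayAddress = $addr
    In17Slash8     = $inRange
    Tcp2195Open    = $conn.TcpTestSucceeded
}
```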

8 Technical support

You can find technical support for Sophos products in any of these ways:

- Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx.
- Download the product documentation at http://www.sophos.com/en-us/support/documentation.aspx.
- Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.

9 Legal notices

Copyright 2011-2013 Sophos Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.