CA Mobile Device Management 2014 Q1 Installing




This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the "Documentation"), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 1212, 5227-14, and 5227-19(c)(1) - (2) and DFARS Section 25227-7014(b)(3), as applicable, or their successors.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Table of Contents

Installation Prerequisites
- System Requirements
- Understanding CA MDM Installation Image
- CA MDM Server Requirements
- Administrator Console Requirements
- CA MDM Administrator Server Requirements
- CA MDM Administrator Browser Requirements
- Database Requirements
- Enrollment Server Requirements
- Enrollment Server Resource Recommendations
- Self-Service Portal Server Requirements
- Relay Server Requirements
- Access Control Requirements
- Package Server Requirements
- SMS Gateway Requirements
- Device Requirements
- Android
- iOS
- BlackBerry
- Windows
- iOS Components Requirements
- Certificate Authority
- Language Code Key
- Language Support for Devices Matrix
- Create the Domain User Account
- Update Passwords and Domain User Accounts for CA MDM
- Estimate the Size of Your Database
- Prepare SQL Server Database
- Configuring the SQL Server Database for Operations
- Generate an APNS Certificate for CA MDM
- How to Obtain an APNS Certificate for CA MDM
- Verify Prerequisites
- Obtaining Root and Intermediate Certificates
- Create a Certificate Signing Request
- Get Your CSR Signed
- Upload Signed CSR to Apple Push Certificate Portal
- Complete the CSR and Export the APNS Certificate
- Upload MDM APNS Certificate to CA MDM Server
- Obtain Google API Key
- Obtain End-User Acceptance Message Details

Installation and Configuration
- Enter Your License Key
- Install and Configure CA MDM Server
- Configure LDAP Information
- Configure Active Directory Information
- Basic Rights for Active Directory User
- Install CA MDM Server in a Farm Environment
- Configure CA MDM Server Farm
- Install and Configure CA MDM API Service and Administrator
- Verify CA MDM Administrator IIS Settings
- Modify IIS Connection Timeout Values
- Enable 32-bit Application Pool for CA MDM Administration and Self-Service Portal
- Install and Configure Access Control for Email
- Install Access Control for Email
- Set Up Access Control for Email Using Exchange PowerShell Commandlets
- Access Control for Local Email
- Access Control Components
- Access Control Configurations for Microsoft Exchange
- Access Control Configurations for IBM Lotus Domino
- Set Up Access Control for Local Email
- Configure the CA MDM Filter Listener
- Configure Relay Server for Access Control
- Configure Exchange ActiveSync for iOS Devices
- Edit the Registry to Create Extra Logs
- Examples for Using Substitution Variables When Creating or Editing an Android or iOS Configuration Policy
- Manually Configure an E-mail Application for Android Devices While Using an Access Control Policy
- Install ISAPI Filter Component
- Install the PowerShell Service Component
- Files Installed and Generated by the CA MDM Filter
- Install and Configure CA MDM Server Messaging
- Addresses and Routing for CA MDM SMS and SMTP Messages
- SMS Gateway
- Install SMS Gateway
- CA MDM Third-Party Component Dependency Reference
- Configure CA MDM Server for SMS Gateway
- Set Up SMS Modem
- Set Up SMPP Service
- Configure SSL Connections for SMS Gateway
- Set Up SMTP
- Install and Configure Enrollment Server
- Install Enrollment Server-Basic
- Configure CA MDM Server for Basic Enrollment Server
- Configure CA MDM Server for Enrollment Codes
- Configure Certificate Authority
- Configure an Enterprise Root Certificate Authority
- Add the ADCS Role
- Add the NDES Role
- Tune the Certificate Authority for CA MDM
- Configure Certificate Authority Profiles
- Associate Certificate Authorities for Enrollment and Package Servers
- Import Apple Root and Intermediate Certificates for MDM Management
- Configure CA MDM Server for iOS Notifications
- Configure SSL Connections for Enrollment Server
- Add iOS MDM Payload Signing for iOS
- Import Apple Root and Intermediate Certificates for MDM Payload Signing
- iOS MDM Payload Signing Certificate Requirements
- Reinstall the Enrollment Server for iOS MDM Payload Signing
- Configure CA MDM Server for iOS MDM Payload Signing
- Configure the Relay Server for Certificate Authority and Enrollment Server Connections
- Install and Configure Package Server
- Install Portal Package Server
- Configure CA MDM Server for Package Server
- Configure SSL Connections for Package Server
- Install and Configure Self-Service Portal
- Preparing to Install Self-Service Portal
- Install the Self-Service Portal
- CA MDM Self-Service Portal Address
- Configure Enrollment Codes for Self-Service Portal
- Configure CA MDM Server for Self-Service Portal Acceptance Message
- Configure CA MDM Server for Self-Service Portal Request Timeout
- Edit Enrollment Codes for Self-Service Portal
- Remove Association of Enrollment Codes from Self-Service Portal
- Configure Self-Service Portal iOS Consolidated Authentication
- Use iOS Consolidated Authentication with User Group Assignments
- Install and Configure Relay Server
- Relay Server Executable Components
- Set Up Relay Server for Basic Operations
- Set Up Relay Server for Basic Operations with IIS 7.5
- Copying Relay Server Files
- Configure IIS 7.5 for Relay Server Basic Operations
- Create Relay Server Application Pool on IIS 7.5
- Create a Web Application for the Relay Server on IIS 7.5
- Add ISAPI extensions for Relay Server Operations
- Update the Relay Server IIS Configuration
- Edit Relay Server Configuration File
- Configure File Definitions for Basic Operations with IIS 7.5
- Install Relay Server Host as a Windows Service
- Set Up Relay Server for Basic Operations with IIS 6.0
- Copy Relay Server Files
- Configure IIS 6.0 for Relay Server Basic Operations
- Register the IIS User Account with ASP.NET on IIS 6.0
- Create a Server Application Pool on IIS 6.0
- Create a Client Application Pool on IIS 6.0
- Add Web Service Extensions on IIS 6.0
- Update the Relay Server IIS Configuration
- Edit the Relay Server Configuration File
- Configure File Definitions for Basic Operations
- Restart the Relay Server Host
- Relay Server Support for Server Components
- Relay Server Configuration File Examples
- Configure Relay Server for CA MDM Server
- Relay Server Bypass
- Configure Relay Server for Enrollment Server
- Configure Relay Server for Certificate Authority
- Configure Relay Server for Access Control
- Configure Relay Server for Package Server
- Launch Relay Server Outbound Enabler
- Install the Relay Server Outbound Enabler as a Windows Service
- Relay Server with SSL
- Enable Relay Server Logging

Post-Installation Tasks
- Verify CA MDM Server Setting for Device Communication
- Log in to CA MDM Administrator
- Stop, Start, or Restart the CA MDM Server
- Post Installation Configuration for CA MDM Server Farm Environment
- Configure Disaster Recovery
- Assumptions
- Backup plan
- How to Back up
- CA MDM Server
- Relay Server Outbound Enablers
- Database
- Restore the Stand-alone Server
- Database
- CA MDM Server
- Relay Server Outbound Enablers
- Considerations for the CA MDM Farms
- Farm Server
- Verify CA MDM Server Settings After Installation

Upgrading
- Preparing for Upgrade
- Upgrade CA MDM Server
- Upgrade CA MDM Server in a Farm Environment
- Upgrade Relay Server

Uninstall CA MDM Components
- Uninstalling CA MDM Server

Installing

This section contains information on how to install and configure CA MDM.

- Installation Prerequisites
- Installation and Configuration
- Post-Installation Tasks
- Upgrading
- Uninstall CA MDM Components

Installation Prerequisites

Verify that the configuration and software prerequisites are satisfied before installing CA MDM components. Review the following topics:

- System Requirements
- Create the Domain User Account
- Estimate the Size of Your Database
- Prepare SQL Server Database
- Generate an APNS Certificate for CA MDM
- Obtain Google API Key
- Obtain End-User Acceptance Message Details

System Requirements

Review the following topics about the standard system requirements for CA MDM components.

- Understanding CA MDM Installation Image
- CA MDM Server Requirements
- Administrator Console Requirements
- Database Requirements
- Enrollment Server Requirements
- Self-Service Portal Server Requirements
- Relay Server Requirements
- Access Control Requirements
- Package Server Requirements
- SMS Gateway Requirements
- Device Requirements
- iOS Components Requirements
- Language Code Key
- Language Support for Devices Matrix

Understanding CA MDM Installation Image

The CA MDM product image includes the following folders.

Important! Do not access the folders marked by an asterisk (*). These folders are reserved for the setup program.

- AdminUI*: contains the CA MDM Administrator Console installation files.
- AfariaServiceHost*: contains the CA MDM API host service files.
- Clients: contains the Android CA MDM Client binaries. The client binaries must be hosted in a network location accessible by CA MDM end users on their mobile devices.
- Documents: contains the product documentation.
- EUSSP*: contains the CA MDM Self-Service Portal installation files.
- iphoneserver*: contains the files for installing the CA MDM Enrollment Server. The enrollment server is a required component for enrolling devices and for iOS operations.
- ISAPI* (32-bit version) or ISAPI_x64* (64-bit version): allows you to install and register the CA MDM ISAPI filter and supporting files on the Internet Information Services (IIS) server of Microsoft Exchange servers. The filter is a required component of the optional CA MDM Access Control for the Email feature set.
- PackageServer*: contains the CA MDM Package Server installation files.
- Redistributables:
  - DotNet: allows you to install Microsoft .NET Framework Runtime on 32- and 64-bit environments. DotNet contains the third-party file that is required for installation.
  - VC_RunTime, VC_RunTime_2008: allow you to install Microsoft Visual C++ Runtime.
  - Windows Installer: allows you to install Microsoft Windows Installer.
  - XML: allows you to install Microsoft XML Core Services (MSXML).
- Relay_server: allows you to install and operate an optional Relay Server.
- Server*: contains the CA MDM Server installation files.
- Utility*: allows you to verify the missing prerequisites on servers and network connectivity issues. Utility contains the utility program.
- GETUIPushNotificationGateway: contains the GetUI binaries.

CA MDM Server Requirements

This setup assumes that you are installing your CA MDM Server and CA MDM Administrator within the same TCP/IP network. The recommended setup is for 50 to 300 concurrent device sessions.

Operating System:
The following Windows 64-bit operating systems are supported:
- Windows Server 2008 R2 Set Up Mode Full
- Windows Server 2008 Standard Edition R2 with Service Pack 1
- Windows Server 2008 Enterprise Edition R2 with Service Pack 1
- Windows Server 2008 Datacenter Edition R2 with Service Pack 1
Note: We recommend that you install your operating system on NTFS rather than FAT32.

Processor:
- Minimum: 4 GHz (x64 processor)
- Recommended: 0 GHz or higher

RAM:
The minimum RAM size must be 4 GB.

Disk Space:
- Minimum: 10 GB
- Recommended: 40 GB or greater

Relay Server:
Supported for connections from:
- Devices
- CA MDM Access Control for the Email components

Database:
The CA MDM Server must be configured for the same time zone as the database server.
Note: Multiple Administrator and API installations for the same server farm are not currently supported.

Connectivity:
The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
- Inbound ports 8085, 8086, 8087: The server listens for incoming requests from other CA MDM Server components for CA MDM outbound notification services to devices.

- Inbound port 8089: Reserved for internal communication.

DCOM:
- Inbound port 135: Listening port. The server manages incoming DCOM calls from other CA MDM Server components using Distributed Computing Environment Remote Procedure Calls (DCE/RPC).
- Port range: Ports are reserved for, and managed by, the DCOM services.

Relay Server:
- With: Outbound port 80 (HTTP) or 443 (HTTPS). If the Relay Server Outbound Enabler (RSOE, rsoe.exe) resides on the server, the server uses the ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses the ports to connect to the RSOE.
- Without: Inbound port 80 (HTTP) or 443 (HTTPS). The server uses the port to accept communication from devices.

Android GCM:
Outbound port 443. Google Cloud Messaging (GCM) requires connectivity to https://android.apis.google.com/gcm/send. For GCM Android, navigate to GCM Android, Additional Requirements for Features and Components, GCM.

Device Types:
- iOS: Navigate to iOS Components, General Requirements, Connectivity.
- Windows, Android, BlackBerry: Devices require connectivity to the server or its optional relay server proxy.

The server connectivity requirements must meet the following features as appropriate for your enterprise environment:
- The SQL credentials
- Same-domain residency
- Cross-domain trusting
- A shared workgroup

Access Control:
(Hosted) Outbound port 443 (HTTPS). Hosted email requires connectivity to the hosting email servers, and is defined on the Microsoft Exchange 365 configuration page.

Directory and Authentication:
Review the following supported directory and authentication services:
- LDAPv3
- Novell eDirectory
- Microsoft Active Directory
- Netscape Directory Server
- Windows NTLM

Client Communication:
SSL protocol v3 using X.509 certificates signed by a trusted Certificate Authority or a trusted self-signed Certificate Authority.
Note: Multiple Administrator and API installations for the same server farm are not currently supported.

Additional Requirements:
- Internationalized domain names (IDN) are not supported for any CA MDM component.
- The installation path must contain only ASCII characters.
- Microsoft Windows Installer
- Microsoft XML Core Services 6.0
- Microsoft .NET Framework Runtime 4.5
- Microsoft Visual C++ Runtime 2012, 32- and 64-bit
Note: The preceding prerequisite software is supplied on the CA MDM product image.

Administrator Console Requirements

Contents:
- CA MDM Administrator Server Requirements
- CA MDM Administrator Browser Requirements

CA MDM Administrator Server Requirements

This section describes the CA MDM Administrator requirements. This recommended setup assumes that you install CA MDM Server and CA MDM Administrator within the same TCP/IP network.

Operating System:
The following Windows 64-bit operating systems are supported:
- Windows Server 2008 R2 Set Up Mode Full
- Windows Server 2008 Standard Edition R2 with Service Pack 1
- Windows Server 2008 Enterprise Edition R2 with Service Pack 1
- Windows Server 2008 Datacenter Edition R2 with Service Pack 1
- Windows Server 2008 Web Server Edition R2 with Service Pack 1
Note: We recommend that you install your operating system on NTFS rather than FAT32.

Processor:
- Minimum: 1 GHz (x86 processor) or 4 GHz (x64 processor)
- Recommended: 0 GHz or higher

RAM:
The minimum RAM size must be 4 GB.

Disk Space:
- Minimum: 10 GB
- Recommended: 40 GB or greater

Database:
The Administrator console must be configured for the same time zone as the database server.

Connectivity:
- For enrollment services configuration and using Google APIs, connect to https://developers.google.com.
- For obtaining Android application information in portal application packages, connect to Google Play at https://market.android.com and https://play.google.com/store.
- Outbound port 80. For the enrollment services configuration, use TinyURLs. Note: For more information about how to create TinyURLs, see TinyURL.com.
- For obtaining iOS application information in portal application packages, connect to the Apple App Store at http://itunes.apple.com.

The following features meet the connectivity requirements appropriate for your enterprise environment:
- The database credentials

- Same-domain residency
- Cross-domain trusting
- A shared workgroup

- Inbound port 7982: Listening port for API service calls from the optional CA MDM Self-Service Portal.
- Outbound port 135: DCOM calling port. The server makes calls to the CA MDM Server's DCOM services.
- DCOM port range: Ports that are reserved for, and managed by, DCOM services.
- (Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
- Outbound port: The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
- Outbound port 44

Additional Requirements:
- Internationalized domain names (IDN) are not supported for any CA MDM component.
- The installation path and virtual directory must contain only ASCII characters.
- Microsoft Windows Installer. The Microsoft Windows Installer 1 is supplied on the CA MDM product image. See the CA MDM-supplied prerequisites.
- Microsoft .NET Framework Runtime 4.5
- Microsoft Visual C++ Runtime 2012, 32- and 64-bit. Note: This prerequisite software is supplied on the CA MDM product image.
- Microsoft Internet Information Server (IIS) 7.5. Install IIS before you install .NET components.
- Internet Explorer 8 or 9. To access a single CA MDM Server, use a single tab or window instance.

CA MDM Administrator Browser Requirements

The following components must be set up on the computer that you use to access the CA MDM Administrator.

Supported Browsers:
You can access only a single CA MDM Server.
- Microsoft Internet Explorer - 8 or 9. IE9: The Enhanced security configuration setting is not supported for CA MDM console access. CA MDM does not support running IE in Compatibility View.
- Mozilla Firefox - 6 or current version
- Google Chrome - current version
- Apple computers or iPads, Safari - current version

Connectivity:
- In an Active Directory environment, the browsing computer must be defined as a logon workstation. Define the logon workstation for the user account that you use to install and operate CA MDM. Note: For more information about defining the user account, see Create the Domain User Account.
- Outbound port 80: The computer requires outbound connectivity to the CA MDM Administrator.

Database Requirements

Configure your database on a server other than your CA MDM Server. For more information about configuring your database and estimating your database size requirements, see Create the Domain User Account.

CA MDM supports the following databases in a production environment:
- Microsoft SQL Server 2008 R2 Enterprise Edition
- Microsoft SQL Server 2008 R2 Standard Edition
- Microsoft SQL Server 2008 R2 Datacenter Edition
- Microsoft SQL Server 2008 R2 Parallel Data Warehouse Edition
- Microsoft SQL Server 2008 SP1 Enterprise Edition

- Microsoft SQL Server 2008 SP1 Standard Edition
- Microsoft SQL Server 2005 Enterprise Edition (SP1, SP2, SP3)
- Microsoft SQL Server 2005 Standard Edition (SP1, SP2, SP3)

Collations for CA MDM operations: CA MDM requires case-insensitive collations, rather than binary collations, such as:
- (SQL Server 2008 R2) Latin1_General_CP1_CI_AS
- (SQL Server 2005) SQL_Latin1_General_CP1_CI_AS

Regional time zone: The CA MDM database must be configured for the same time zone as the CA MDM Server components it supports.

Enrollment Server Requirements

The Enrollment Server is required for managing iOS devices and using enrollment policies. The following requirements are the recommended setup for 200 through 500 concurrent device sessions.

Operating System:
The following Windows 64-bit operating systems are supported:
- Windows Server 2008 R2 Set Up Mode Full
- Windows Server 2008 Standard Edition R2 with Service Pack 1
- Windows Server 2008 Enterprise Edition R2 with Service Pack 1
- Windows Server 2008 Datacenter Edition R2 with Service Pack 1

Processor:
- Minimum: 1 GHz (x86 processor) or 4 GHz (x64 processor)
- Recommended: 0 GHz or higher

RAM:
The minimum RAM size must be 4 GB.

Disk Space:
- Minimum: 10 GB
- Recommended: 40 GB or greater

Database:
The server must be configured for the same time zone as the database server.

Connectivity:
- Outbound port 135: DCOM calling port. The server makes calls to the DCOM services of the CA MDM Server.
- DCOM port range: Ports that are reserved for, and managed by, the DCOM services.
- Outbound to CA MDM Server ports 8085, 8086, or 8087: The server sends requests to the CA MDM Server for outbound client notifications.
- Outbound port: The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
- (With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler (RSOE, rsoe.exe) resides on the server, the server uses the ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses the ports to connect to the RSOE.
- (Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
- (iOS with the certificate authority challenge phrase enabled) Outbound to the Certificate Authority address: The server requires outbound connectivity to the Certificate Authority address, as defined on the Provisioning Server page. This page includes any relay server address.
- Port 7007: Reserved for internal communication.

Devices require connectivity to the server or its optional relay server proxy.

The following features meet connectivity requirements appropriate for your enterprise environment:
- Same-domain residency
- Cross-domain trusting
- A shared workgroup

Additional Requirements:
- Internationalized domain names (IDN) are not supported for any CA MDM component.
- The installation path and virtual directory must contain only ASCII characters.
- Microsoft Internet Information Server (IIS) 5.0, 6.0, or 7.5, as appropriate for the operating system. Windows Server 2003 installations require Microsoft ASP.NET. Install IIS before you install .NET components.
- Microsoft Windows Installer

Note: This item is supplied on the CA MDM product image.
- Microsoft .NET Framework Runtime 4.5. For 32-bit environments, this item is supplied on the CA MDM product image. For 64-bit environments, use the Windows Role Management Tool to install this item from a Microsoft source. The version that is supplied on the CA MDM product image is only for 32-bit environments.
- Microsoft Visual C++ Runtime 2012, 32- and 64-bit. Note: This item is supplied on the CA MDM product image.

Enrollment Server Resource Recommendations

The system resource demands for CA MDM resources can vary greatly by installation and are highly dependent on several factors. CA MDM enrollment server resource recommendations are based on concurrent device sessions and session duration. The following factors affect the session duration:

- Device response time
- Number of device enrollment requests
- Number of iOS configuration policies
- Number of settings within iOS configuration policies
- Connection speed
- IIS server request processing capacity

Self-Service Portal Server Requirements

The CA MDM Self-Service Portal is intended for deployment inside the enterprise firewall, with an internet-facing Microsoft Forefront Threat Management Gateway (TMG) instance in the DMZ. The Microsoft Forefront TMG is configured to accept device connections and pass traffic to the internal portal.

Operating System:
The following Windows 64-bit operating systems are supported:
- Windows Server 2008 R2 Set Up Mode Full
- Windows Server 2008 Standard Edition R2 with Service Pack 1
- Windows Server 2008 Enterprise Edition R2 with Service Pack 1

- Windows Server 2008 Datacenter Edition R2 with Service Pack 1
- Windows Server 2008 Web Server Edition R2 with Service Pack 1
  Note: We recommend that you install your operating system on NTFS rather than FAT3

Processor: Minimum: 1 GHz (x86 processor) or 4 GHz (x64 processor). Recommended: 0 GHz or higher

RAM: The minimum RAM size must be 2 GB.

Disk Space: Minimum: 10 GB. Recommended: 40 GB or greater

Database: The server must be configured for the same time zone as the database server.

Connectivity:
- Outbound port 135: The DCOM calling port. The server makes calls to the DCOM services of the CA MDM Server.
- DCOM port range: The ports that are reserved for, and managed by, the DCOM services.
- Outbound to CA MDM Server port 8085: The server sends requests to the CA MDM Server for outbound device notifications.
- Outbound port: The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
- Inbound port 80 (HTTP) or 443 (HTTPS): The server listens for traffic from either of the following options:
  - (Recommended) Microsoft Forefront (TMG), configured to accept device connections and pass traffic to the internal CA MDM Self-Service Portal.
  - Devices
- Outbound port 7982: The server requires outbound connectivity to the CA MDM Administrator, which hosts the CA MDM API services.

Devices require connectivity to the server or its gateway. The following features meet the connectivity requirements, as appropriate for your enterprise environment:

- Same-domain residency
- Cross-domain trusting
- A shared workgroup

Additional Requirements:
- The user commands on the portal's Manage My Devices page require CA MDM messaging infrastructure, such as for SMS messages or Google Android Cloud to Device Messaging (C2DM) services.
- Internationalized domain names (IDN) are not supported for any CA MDM component.
- The installation path and virtual directory must contain only ASCII characters.
- Microsoft Internet Information Server (IIS) 7.5.
- For user browsers, the CA MDM Self-Service Portal site must be a member of a Web browser security zone that enables active scripting.
- Install IIS before you install .NET components.
- Microsoft Windows Installer
  Note: This item is supplied on a CA MDM product image.
- Microsoft .NET Framework Runtime 4.5

Relay Server Requirements

Relay Server is an optional component that is included with the CA MDM product on the product installation image.

CA MDM Server Components: CA MDM supports using the relay server for connections to these CA MDM Server components:
  Note: The relay server is not supported for outbound initiated connections to a Windows client.
- CA MDM Server, used for device connections or CA MDM Access Control for Email connections
- The CA MDM enrollment server
- CA MDM package server
- The Certificate Authority for CA MDM operations

Web Server: The web server supports IIS 7.5 or 6.0 on Windows OS.

Relay Server: 16 10.1 10.1

Additional Requirements:
- All Relay Server Outbound Enabler (rsoe.exe) instances in CA MDM must be of the same version. CA MDM uses rsoe.exe in the following locations:
  - CA MDM Server: <ServerInstallDirectory>\bin\RSOutboundEnabler\
  - Enrollment server: user-defined
  - Certificate Authority: user-defined
  - Package server: user-defined
- Relay Server on IIS can coexist with other IIS applications.
- Relay Server can coexist with other virtual web servers under the same IIS installation.
- Relay Server can coexist with other web sites (or directories) under the same logical web server.
- Relay Server web server extensions can coexist with other web server extensions that share an application pool. However, application pool properties are then limited to being Relay Server compatible (turn off all worker recycling options).

Access Control Requirements

For the CA MDM Access Control for Email feature, CA MDM filter components are available in 32-bit and 64-bit versions. These components are designed to run on operating systems with the same bit level.

Email Server: Access Control for Email supports one or more of these servers in a single domain:
- Microsoft Exchange Server with ActiveSync or compatible mobile clients
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2007

- Microsoft Exchange Server 2003 SP2
- IBM Lotus Domino 8.5.1 with Lotus Notes Traveler mobile clients
- Hosted Mail
- Microsoft Office 365
- Microsoft Proxy Server
- Microsoft Forefront Threat Management Gateway 2010
- Microsoft Internet Security and Acceleration Server 2006
- IIS Server of Microsoft Exchange Server

For Exchange environments only: Microsoft Exchange Management Console, required for the CA MDM wipe feature.

CA MDM: The IIS server must run on a server that is separate from the server that hosts the CA MDM Administrator. The administrator user account credentials that you supply for running the CA MDM filter as a service must be a member of the following:
- Exchange Organization Administrators (2007, 2010)
- Exchange Full Administrator (2003) group of IIS server
- The Administrators group on both the IIS server and any associated Exchange server.

PowerShell Host Server: Microsoft PowerShell Version 0
The user account credentials that you supply for running the PowerShell component of the filter must be a member of the same domain as the email server. If it is not, contact CA Technical Support.
Note: Microsoft PowerShell is native to some server environments and available to others as a plug-in from Microsoft.

More requirements: Microsoft Data Access Components (MDAC) 8.

Connectivity: The server that hosts the PowerShell component requires the following:
- Outbound connectivity to the CA MDM Server.
- Optional relay server proxy.
- Outbound port 3012

  When the filter components are installed on separate servers, the PowerShell component host requires outbound connectivity to the ISAPI filter component host.

Package Server Requirements

The recommended setup for the package server is as follows:

Operating System: The following Windows 64-bit operating systems are supported:
- Windows Server 2008 R2 Set Up Mode Full
- Windows Server 2008 Standard Edition R2 with Service Pack 1
- Windows Server 2008 Enterprise Edition R2 with Service Pack 1
- Windows Server 2008 Datacenter Edition R2 with Service Pack 1
  Note: The operating system must be installed in full, rather than the minimal installation.

Processor: Minimum: 1 GHz (x86 processor) or 4 GHz (x64 processor). Recommended: 0 GHz or higher

RAM: The minimum RAM size must be 4 GB.

Disk Space: Minimum: 10 GB. Recommended: 40 GB or greater

Database: The server must be configured for the same time zone as the database server.

Connectivity:
- Outbound port 135: DCOM calling port. The server makes calls to the DCOM services of CA MDM.
- DCOM port range: Ports that are reserved for, and managed by, the DCOM services.
- Outbound to CA MDM server ports 8085, 8086, or 8087: The server sends requests to the CA MDM server for outbound device notifications.

- Outbound port: The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
- (With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler is resident on the server, the server uses the ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses the ports to connect to the RSOE.
- (Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
- (Application onboarding certificate provisioning) Outbound to the certificate authority address: The server requires outbound connectivity to the Certificate Authority address, as defined on the Package Server page. This page includes any relay server address.
- Port 8080: Reserved for internal communication.

Devices require connectivity to the server or its optional relay server proxy. The following features meet the connectivity requirements, as appropriate for your enterprise environment:
- Same-domain residency
- Cross-domain trusting
- A shared workgroup

Additional Requirements:
- Internationalized domain names (IDN) are not supported for any CA MDM component.
- The installation path and virtual directory must contain only ASCII characters.
- Microsoft Internet Information Server (IIS) 7.5. Install IIS before you install .NET components.
- Microsoft Windows Installer[1]
- Microsoft .NET Framework Runtime 4.5
- For application packages, the enterprise application size limit varies by the following database type: Microsoft SQL Server, 2 GB
- Microsoft Visual C++ Runtime 2012, 32- and 64-bit
  Note: This prerequisite software is supplied on the CA MDM product image.
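
The connectivity rows for the enrollment server and the package server can be checked before installation with a short script. This is an added example, not part of the CA MDM guide: the host names, database port 1433, and all function and parameter names are assumptions, and the DCOM port range is reported for manual review because the guide gives no range.

```powershell
# Added example: pre-install connectivity check for a CA MDM enrollment or
# package server. Host names and the database port are placeholders.
param(
    [ValidateSet('Enrollment', 'Package')]
    [string]$Role = 'Enrollment',
    [string]$MdmServer = 'mdm-server.example.internal',  # assumption
    [string]$DbServer = 'mdm-db.example.internal',       # assumption
    [int]$DbPort = 1433,        # assumption: SQL Server default; the port is configurable
    [string]$RelayOrRsoe = '',  # relay server or RSOE host; empty means no relay server
    [int]$TimeoutMs = 3000
)

# TcpClient is used instead of Test-NetConnection so the script also runs on
# the PowerShell version shipped with Windows Server 2008 R2.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false   # refused, unreachable, or name did not resolve
    } finally {
        $client.Close()
    }
}

# True when at least one port answers (rows worded "8085, 8086, or 8087").
function Test-AnyPort {
    param([string]$Target, [int[]]$Ports, [int]$TimeoutMs = 3000)
    foreach ($p in $Ports) {
        if (Test-TcpPort -Target $Target -Port $p -TimeoutMs $TimeoutMs) { return $true }
    }
    return $false
}

function New-Result {
    param([string]$Check, [string]$Target, [string]$Result)
    New-Object PSObject -Property @{ Check = $Check; Target = $Target; Result = $Result }
}

function Get-Verdict {
    param([bool]$Ok)
    if ($Ok) { 'PASS' } else { 'FAIL' }
}

# Ports with a local TCP listener, for the inbound and reserved-port rows.
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    ForEach-Object { $_.Port }

$results = @()
$ok = Test-TcpPort -Target $MdmServer -Port 135 -TimeoutMs $TimeoutMs
$results += New-Result 'Outbound 135 (DCOM calling port)' $MdmServer (Get-Verdict $ok)
$results += New-Result 'DCOM port range' $MdmServer 'MANUAL: not probed, confirm in firewall rules'
$ok = Test-AnyPort -Target $MdmServer -Ports 8085, 8086, 8087 -TimeoutMs $TimeoutMs
$results += New-Result 'Outbound 8085, 8086, or 8087' $MdmServer (Get-Verdict $ok)
$ok = Test-TcpPort -Target $DbServer -Port $DbPort -TimeoutMs $TimeoutMs
$results += New-Result "Outbound $DbPort (CA MDM database)" $DbServer (Get-Verdict $ok)

if ($RelayOrRsoe) {
    $ok = Test-AnyPort -Target $RelayOrRsoe -Ports 80, 443 -TimeoutMs $TimeoutMs
    $results += New-Result 'Outbound 80 or 443 (Relay Server / RSOE)' $RelayOrRsoe (Get-Verdict $ok)
} else {
    $ok = ($listening -contains 80) -or ($listening -contains 443)
    $results += New-Result 'Inbound 80 or 443 (device traffic)' 'localhost' (Get-Verdict $ok)
}

# Port reserved for internal communication: 7007 (enrollment), 8080 (package).
$reserved = if ($Role -eq 'Enrollment') { 7007 } else { 8080 }
$state = if ($listening -contains $reserved) { 'INFO: a local listener is bound' } else { 'INFO: no local listener' }
$results += New-Result "Port $reserved (reserved, internal)" 'localhost' $state

$results | Select-Object Check, Target, Result | Format-Table -AutoSize
if (@($results | Where-Object { $_.Result -eq 'FAIL' }).Count -gt 0) { exit 1 }
```

Run it on the server being prepared, passing -Role Package for a package server and -RelayOrRsoe when a relay server is used. The inbound row reports FAIL until IIS is installed and bound to port 80 or 443.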

SMS Gateway Requirements

For installation instructions for Server Messaging, see Install and Configure CA MDM Server Messaging.

Third-Party Components: Cygwin Unix-emulating environment. The SMS Gateway operations use only some of the components of the Cygwin product. Therefore, the installation for the CA MDM SMS Gateway requires a manual process.

Other: Short Message Peer-to-Peer (SMPP) v4 protocol support. All SMS gateway configuration settings on the CA MDM Server must contain only ASCII characters.

Device Requirements

Contents: Android, iOS, BlackBerry, Windows

This section describes the device requirements for CA MDM for different operating systems.

Notes:
- The current version of CA MDM supports iOS, Android, BlackBerry, and Windows clients.
- The current version of CA MDM does not support LG Android devices.

Android

The following table defines the recommended setup for Android:

Operating System: The CA MDM application works with the following Android OS versions:
- 4.4
- 4.3
- 4.2

- 4.1
- 4.0.x
  Note: CA MDM supports Android 4 devices to the same extent that it supports Android 1 devices. CA MDM does not include features that are specific to Android 4 devices.
- x
- x
- x
  Note: Update 20.A955.Verizon.en.UK due to a known issue with the security features for update. This update is not supported for security features of CA MDM. The CA MDM features include device lock, unlock, and password enforcement. See www.droidforums.net.

Core Features:
- Self-Service Portal
- Enrollment
- Access Control for Email
- Device Validation
  Note: For device validation, the server checks that the device has a valid, unexpired certificate.
- Server Validation
  Note: For server validation, the device checks for the following criteria:
  - The server must have a valid certificate.
  - The server must have an unexpired certificate.
  - The server address must match the certificate identity.
- Device Activity Collection
  Note: The Inventory Manager license includes the CA MDM Device Activity collection.
- Security Action for Wipe or Delete Data

Policies:
- Application Policy
- Configuration Policy
- Enrollment Policy
- Session Policy

Supported Languages:
- English (en)
- German (de)
- French (fr)
- Italian (it)
- Spanish (es, us)
- Thai (THI)
- Japanese (ja)
- Korean (ko)
- Portuguese (pt)
- Simplified Chinese (zh_cn)
- Traditional Chinese (zh_tw)

iOS

The following table defines the recommended setup for iOS:

Operating System: On iPhone, iTouch, and iPad devices:
- iOS 7.1
- iOS 7
- iOS 6.1 for iPhone 4S devices
- iOS 6.1, 6.0.1, 6.0.2
- iOS 4.3
- iOS 5.1, 5
  Note: Once enrolled in CA MDM control, iOS 5 devices require HTTPS on all connections. The secure connection can occur either at the optional relay server or the enrollment server.

Core Features:
- Self-Service Portal
- Enrollment
- Access Control for Email

- Security Action for Wipe or Delete Data
- Server Validation
  Note: For server validation, the device checks for the following criteria:
  - The server must have a valid certificate.
  - The server must have an unexpired certificate.
  - The server address must match the certificate identity.
- Device Activity Collection
  Note: The Inventory Manager license includes the CA MDM Device Activity collection.

Policies:
- Enrollment Policy
- Application Policy
  Note: For iOS 4.x and 5, enterprise and commercial applications are supported. For iOS x, only commercial applications are supported.
- Configuration Policy
  Note: A Microsoft Windows Server 2003 certificate authority environment does not support the use of CA MDM Configuration SCEP policies.

Supported Languages:
- English (en)
- German (de)
- French (fr)
- Italian (it)
- Spanish (es, us)
- Thai (THI)
- Japanese (ja)
- Korean (ko)
- Portuguese (pt)
- Simplified Chinese (zh_cn)
- Traditional Chinese (zh_tw)

BlackBerry

The following table defines the recommended setup for BlackBerry:

Operating System: 7, 6, 5

Advisory: Advisory for SSL and schedule monitors. Secure connections require user interaction to negotiate the communication handshake. The device prompts the user to enter a portion of the thumbprint of a certificate. A CA MDM monitor executes without user intervention. If a CA MDM schedule monitor is paired with an established connection action, the connection fails because the connection requires user input.

Core Features:
- Security Action for Wipe or Delete Data
- Self-Service Portal
- Enrollment
  Note: This feature is not supported or available for double-byte character environments.
- Device Validation
  Note: For device validation, the server checks that the device has a valid, unexpired certificate. The BlackBerry platform requires users to interact with their device to facilitate the device authentication. Test devices in your environment to understand the user requirements.
- Server Validation
  Note: For server validation, the device checks for the following criteria:
  - The server must have a valid certificate.
  - The server must have an unexpired certificate.
  - The server address must match the certificate identity.
- Device Activity Collection
  Note: The Inventory Manager license includes the CA MDM Device Activity collection.

Policies:
- Configuration Policy
- Enrollment Policy
- Session Policy

Licensable Components:
- Inventory Manager
  Note: The Inventory Manager license includes the CA MDM Device Activity collection.
- Session Manager

Client Notification to Connect: Short Message Service (SMS) Data service

Windows

The following table defines the recommended setup for Windows:

Operating System: Windows Phone 8

The following Windows 64-bit operating systems are supported:
- Windows 8
- Windows 7
- Windows Server 2008 R2

The following Windows 32-bit operating systems are supported:
- Windows 8
- Windows 7
- Windows Server 2008
- Windows Vista Business
- Windows Vista Enterprise
- Windows Vista Home Ultimate
- Windows Vista Business SP1, SP2

- Windows Vista Enterprise SP1, SP2
- Windows Vista Home Ultimate SP1, SP2
- Windows XP SP3
- Windows XP SP2
- Windows Server 2003 R2 SP2
- Windows Server 2003 SP2
- Windows Server 2003

Processor: 500 MHz or higher, Intel Pentium III or compatible.

RAM: The RAM size is 256 MB for the OS versions Windows 7, Server 2008, and Vista; 128 MB for others.

Disk Space: The minimum required disk space for the installation is 12 MB; more space is required for channel data.

Browser: Supports Internet Explorer 7.0, 8.0, 9.0.

Protocol Support: XNET, XNETS, HTTP, HTTPS

Additional Requirements: Microsoft Windows Installer 1

Core Features:
- Device Validation
  Note: For device validation, the server checks that the device has a valid, unexpired certificate.
- Server Validation
  Note: For server validation, the device checks for the following criteria:
  - The server must have a valid certificate.
  - The server must have an unexpired certificate.
  - The server address must match the certificate identity.

Policies:
- Configuration Policy

- Enrollment Policy
- Session Policy

iOS Components Requirements

The following components are the general requirements for iOS devices.

iOS MDM: Requires the following certificates from the Apple Root Certification Authority site:
- Root: Apple Inc. Root Certificate (.cer)
- Intermediate: Application Integration (.cer)
iOS requires an Apple Push Notification Service (APNS) certificate (.pfx). Before you obtain an APNS certificate, obtain a CA-signed Apple Certificate Signing Request (CSR) from CA Technical Support. For more information about obtaining certificates, see Generate an APNS Certificate for CA MDM.

CA MDM: iOS Mobile Device Management (MDM) is enforced on all iOS 4.0 and later devices. Apple, Inc. does not support MDM on x devices.

Configuration Utility: CA MDM creates configuration policies that comply with the Apple iPhone Configuration Utility policies, as distributed by Apple, Inc.:
4, as the base for CA MDM 2011_06 and CA MDM 3, as the base for CA MDM 2011_05 for VPN, Restriction 2 1 0, as the base for CA MDM 6.6 FP1 2, as the base for CA MDM 6.6 1

CA MDM Enrollment Server: The CA MDM enrollment server is required for iOS operations. For more information about the enrollment server, see Install and Configure for Enrollment Components.

SMS Messaging: Not required for iOS 4.0 and later devices that are enrolled with enrollment policies. Required for iOS x devices. The SMS messaging must be either the CA MDM SMS gateway (recommended) or the CA MDM-configured SMTP server.

Relay Server:
- Optional for communications between the enrollment server and device.
- Optional for communications between the Certificate Authority and device.

Connectivity: Your enterprise firewall must allow connections to the Apple Push Notification Server (APNS) and feedback server. For example, 17.149.*. The DNS resolution is subject to change without notice, according to the Apple iOS Developer Program.
- Outbound to gateway.push.apple.com:2195: The CA MDM Server requires outbound connectivity to the APNS server.
- Outbound to feedback.push.apple.com:2196: The CA MDM Server requires outbound connectivity to the feedback server.
- (With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler (RSOE, rsoe.exe) is resident on the server, the server uses the ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses the ports to connect to the RSOE.
- (Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
- (Android C2DM) Outbound port 443: Google Cloud to Device Messaging (C2DM) requires connectivity to https://android.apis.google.com/c2dm/send.
- (iOS devices using Wi-Fi) Outbound to gateway.push.apple.com:5223: The device requires outbound connectivity to the APNS server.

Certificate Authority

The CA MDM iOS features require a Microsoft Certificate Authority as part of the implementation. Include the following features as a part of the CA MDM iOS implementation for your enterprise.
- Optional iOS payload signing
- Optional secure connections as part
For more information about how to set up your Certificate Authority, see Microsoft documentation resources.
The Certificate Authority must comply with the following requirements.

Operating System:
Microsoft Windows Server 2008 Enterprise or Windows Server 2008 R2 Enterprise with:
- IIS
- Active Directory Certificate Services (ADCS) role
- Network Device Enrollment Service (NDES) role
Microsoft Windows Server 2003 Enterprise with:
- IIS
  Note: A Microsoft Windows Server 2003 certificate authority environment does not support issuing CA MDM iOS configuration policies with the SCEP payloads.
- Active Directory Certificate Services (ADCS) role
- Network Device Enrollment Service (NDES) role
- Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, as distributed by Microsoft, Inc., with the following points:
  - Install using a local user account with administrative privileges.
  - During the installation, enable the challenge phrase option. The option is enabled by default and is recommended for security.
For more information about configuring your Certificate Authority, see Configuring Certificate Authority for iOS Devices in Install and Configure Enrollment Server. For more information about adding roles and using the New Role Wizard, see the Microsoft Windows Server and Microsoft Server Manager (administrative tool) product documentation.

Relay Server: The Relay Server is not supported.

For Reference: The Microsoft SCEP Implementation White Paper is available at www.microsoft.com/download/en/details.aspx?id=1607.

Connectivity:
- (Without the CA MDM SCEP plug-in module) The CA server does not require connectivity to any CA MDM component server.
- (With the CA MDM SCEP plug-in module) Outbound port: The server requires outbound connectivity to the CA MDM database. The outbound connectivity is configurable for each supported database type.
- (With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler (RSOE, rsoe.exe) is resident on the server, the server uses the ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses the ports to connect to the RSOE.

- (Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.

Devices require connectivity to the server or its optional relay server proxy. The following features meet the connectivity requirements, as appropriate for your enterprise environment:
- The database credentials
- Same-domain residency
- Cross-domain trusting
- A shared workgroup

Additional Requirements:
- iOS devices require verification of the complete chain of trust. Ensure that the entire authority chain is online for iOS device connections.
- The identity credentials that are used for the Certificate Authority IIS SCEP application pool must match the credentials on the enrollment server configuration page.
- The CA MDM SCEP plug-in is available in 32- and 64-bit versions. The plug-in is designed to run on operating systems with the same bit level. The Microsoft SCEP add-on for Windows Server 2003 is not available in a 64-bit version. Therefore, installing the CA MDM SCEP plug-in on a Windows Server 2003 64-bit server is not supported.

Language Code Key

The language codes represent supported languages for the CA MDM devices.

Language Code   Language
EN              English
ZH_CN           Simplified Chinese
ZH_TW           Traditional Chinese
DE              German

THI             Thai
ES, US          Spanish
FR              French
IT              Italian
JA              Japanese
KO              Korean
PT              Portuguese

Note: Canadian French and Latin-American Spanish are not supported.

Language Support for Devices Matrix

The following table illustrates the language support for the various device types. X indicates that the feature is supported.

CA MDM Android Device Supported Languages

                           ZH_CN  ZH_TW  DE  EN  ES, US  FR  THI  JA  KO  PT
Operating System Language  X      X      X   X   X       X   X    X   X   X
CA MDM UI                  X      X      X   X   X       X   X    X   X   X

CA MDM iOS Device Supported Languages

                           ZH_CN  ZH_TW  DE  EN  ES, US  FR  THI  JA  KO  PT