Good Share Server Installation and Administration Guide




Product Version: 3.1.3
Doc Rev 3.4
Last Updated: 30-Jun-15
Good Share™

Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ("Good"). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser's authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good's sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided "as is" and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good's future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.

Table of Contents

Overview
Requirements
Installation Prerequisites
Upgrade Compatibility with Earlier Versions
Administrator Privileges
Platform Requirements
Database Requirements
Server Hardware Requirements (POC)
Server Software and Operating System Requirements
Enabling the IIS Role
Software Restrictions
Client Device Requirements
Installing Your Good Share Server
Server Configuration
Accessing the Good Share Console
Adding Users to the Good Share Console
Configuring Good Control for Good Share
Adding Good Share Servers
Configuring Server Affinity
Configuring the Good Mobile Control Console
Provisioning Users
Activating the Good Share App on a Mobile Device
Upgrading the Good Share Server
Server Upgrade
App Upgrade
Working with the Good Share Console
Changing the Default Firewall Port Number
Viewing and Working with a List of Users
Working with Policies
Creating a New Policy
Auto-Add Users to Policy
Editing Policies
Sharing Files for File Shares (Admin-Defined)
Adding Private File Shares to a Policy
Adding Public File Shares to a Policy
Sharing Files for a SharePoint Site (Admin-Defined)
Adding Sites via URL
Adding Sites via MySite
Sharing Files for File Shares and SharePoint Sites (User-Defined)
Access
Data Sources
Permissions
Screening Files by App
Accessing and Configuring the Server Settings
Security Settings
Server Settings
Audit Settings
Audit Logs
Administration Roles
Self-Service Console
Add Data Source
Add Mapped Drives
Support for SharePoint Online (Hosted SharePoint)
Deployment Prerequisites
Authentication Setup
ADFS Version and Location
ADFS HTTPS Certificate
Configuring Good Share for SharePoint Online Users
Local Folder Synchronization
Windows Folder Redirection (Native)
Offline Folders (Native)
Appendix A Good Share Scalability Guidelines
Good Share Scalability with SharePoint Only
Good Share Server Integration with GEMS
Note about Performance Testing
Appendix B Troubleshooting
Error 404: Connecting to Good Share Server
Appendix C Configuring KCD for Good Share
Glossary

Overview

Note: This document is primarily written to help with the initial installation of the Good Share server. However, if you are upgrading, skip ahead to Upgrading the Good Share Server.

Good Share provides a secure mobile collaboration solution that allows mobile workers to access, sync, and share their file server and SharePoint documents natively without requiring VPN software, firewall reconfiguration, or duplicate data stores. Good Share provides the following capabilities to balance the needs of a mobile workforce with the needs of enterprise security:

• Access to data that may be in multiple places such as a file server or SharePoint site
• Synchronization across multiple devices that connect only intermittently
• Data ownership for separating corporate data from personal data without using duplicate storage on the cloud
• Data security through protection mechanisms that span multiple layers to prevent unauthorized access or leakage
• Data governance with robust policy management and a full audit trail to meet compliance standards
• Complete control by the enterprise IT admin over a mobile document's life cycle, the app, and the stored data on the mobile device.

This document organizes the installation and configuration process for Good Share server and the Good Share app into the following general steps:

1. Server-side requirements verification.
2. Client-side device requirements verification.
3. Selecting, installing, and configuring a database appropriate for your enterprise.
4. Downloading and running the Good Share Server installer.
5. Configuring the Good Share server.
6. Configuring Good Control.
7. Configuring Good Mobile Control (if you also use GFE).
8. Provisioning user devices for the Good Share application.
9. Downloading the Good Share app to the device and activating it.

Requirements

Check to make sure you meet the following requirements before you begin the installation. If you do not meet the requirements, the GS Server installation can fail.

Installation Prerequisites

Check to make sure your supporting infrastructure and environment meet the following Good Share prerequisites before you begin the installation. These include:

• Upgrade considerations
• Platform requirements
• Database requirements
• Hardware requirements
• Software and OS requirements
• Client device requirements

Important: Administrator privileges are required for the host machine on which you will install Good Share. If you do not install the required software or fail to configure the requirements correctly prior to beginning installation of Good Share, the server may fail or behave in an unexpected manner.

Upgrade Compatibility with Earlier Versions

Note: Never uninstall the old version of the product until you have verified that your new Good Share Server deployment is operating properly. Before you upgrade a production system, validate it in a test environment first.

Upgrading to Good Server 3.1 from the following versions is fully supported:

• 2.8.4
• 3.0
• 3.0.1

Good Share 3.1 clients (iOS and Android) are backward compatible with the same Good Share Server versions listed above.

Administrator Privileges

The person who installs the Good Share server must have administrative privileges on the host machine; otherwise the installer issues an error message.

Platform Requirements

The following software must be installed and configured before you install the Good Share Server software:

• The Good Dynamics platform with Good Control Server 1.5.33.x or later.
• A Microsoft Active Directory domain which consists of either a single-domain forest or a multi-domain forest in which two-way trusts exist between domains.

Database Requirements

A Microsoft SQL Enterprise Server 2012 (x64) Express, Standard, or Enterprise edition database or Microsoft SQL Server 2008 (x64 or x86), Express, Standard, or Enterprise edition database.

Note: Good Share no longer supports a Postgres database. If you are currently using a Postgres database, create a new database using SQL Server. There is currently no automatic migration from Postgres.

These instructions assume that you have a working knowledge of both Microsoft Windows Server and Microsoft SQL Server. MS SQL Server must be installed and working properly prior to Good Share installation. The Good Share server must have network and firewall access to the MS SQL Server if it is installed on another server or at another location.

For POC purposes, download MS SQL Server 2008 R2 Express directly from Microsoft. Otherwise, download Microsoft SQL Server 2008 R2 SP 3. SQL Server Management Studio is bundled with the SQL Server 2008 R2 Express download, and is required to correctly set up the Good Share database. If your current SQL Server installation does not include SQL Server Management Studio, download it separately.

Server Hardware Requirements (POC)

Minimum hardware requirements for the Good Share Server host include:

• Processor: One 2 GHz CPU
• RAM: 2 GB if the host machine is connecting to an enterprise database, 4 GB if you opt to run the database locally
• Hard Drive Space: minimum 50 GB free.

Server Software and Operating System Requirements

The requirements cited here apply to the machine on which the Good Share Configuration Console is installed, not to the other server components comprising Good Dynamics. It is recommended that you run Good Share and Good Control on separate machines, although for POC (non-production) purposes, running both GC and the Good Share Configuration Console on a single machine is supported.

• Operating System:
  o Microsoft Windows Server 2012 R2
  o Microsoft Windows Server 2012
  o Microsoft Windows Server 2008 (64-bit) or Microsoft Windows Server 2008 R2
• Windows Role and Feature Requirements:
  o .NET Framework 4.0 or higher.
  o Windows Installer 4.5 Redistributable

• Internet Information Services (IIS): The IIS role must be installed on the Docs machine in order to install the web console. This role is added using Server Manager > Add Roles > IIS. Enable the following role features:
  o Static Content
  o Default Document
  o ASP.NET Extensibility
  o ASP
  o IIS Management Console
  See Enabling the IIS Role for Windows 2012 guidance.
  Important: Make sure you are a member of the Web Server Administrator IIS role on the Docs Configuration Console host.
• Network capabilities and resources:
  o The server must be a domain member and have access to Active Directory
  o Network shares must be accessible from the server
  o SharePoint sites must be accessible from the server
  o Good Share Configuration Console users must be in the Allow Logon Locally local security policy or Group Policy.

Enabling the IIS Role

For supported versions of Windows Server 2008, IIS 7.x configuration is based on the existing .NET Framework configuration store, which lets you store IIS configuration settings alongside ASP.NET configuration settings in Web.config files. IIS 7.x also offers compatibility with other technologies such as Active Server Pages (ASP), Common Gateway Interface (CGI), and Internet Server API (ISAPI). Most settings can be configured at the local level (Web.config) and also at the global level (ApplicationHost.config), with redirect settings (Redirection.config) to configuration files and schema located on another computer. Visit Microsoft's IIS Learning Center for a complete introduction to IIS features and capabilities.

You can install IIS 7.5 by using the Add Roles and Features wizard in Server Manager or by using the command line. Specifically in Windows 2012:

1. Open Add Roles and Features, then select Server Roles and enable the checkbox for Application Server in the Roles list.
2. Click Next.
3. Under Application Server, select Roles Services, then add .NET Framework 4.5, Web Server (IIS) Support, and HTTP Activation by enabling each respective checkbox in the Roles Services list.
4. Click Next.
5. Under Web Server Role (IIS), select Role Services, then expand Application Development and enable .NET Extensibility 4.5, ASP, ASP.NET 4.5, along with ISAPI Extensions and Filters.
6. Click Next.
   Important: The account under which the Docs Service application pool will run must belong to the Local Administrators group.
7. Continue to click the Next button until the Install button is enabled, then click it to complete IIS role configuration for the Docs Service.

Software Restrictions

Do not install the Good Share Server on an Active Directory Domain Controller.

Client Device Requirements

Devices running the Good Share client app must meet the following minimum requirements:

• Minimum iOS version: 6.0
• Minimum Android version: Ice Cream Sandwich 4.0
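The role services named under Enabling the IIS Role can also be installed from the command line, as the guide mentions. The following PowerShell is an added example, not part of the original guide; it assumes Windows Server 2012 or 2012 R2, and the mapping from the wizard labels to ServerManager feature names is this example's own.

```powershell
# Added example, not from the Good Share guide.
# Run in an elevated Windows PowerShell session on Windows Server 2012 / 2012 R2.
Import-Module ServerManager

# Wizard label used in the guide -> ServerManager feature name (mapping is this example's own).
$wanted = [ordered]@{
    'Web Server (IIS)'                     = 'Web-Server'
    'Static Content'                       = 'Web-Static-Content'
    'Default Document'                     = 'Web-Default-Doc'
    '.NET Extensibility 4.5'               = 'Web-Net-Ext45'
    'ASP.NET 4.5'                          = 'Web-Asp-Net45'
    'ASP'                                  = 'Web-ASP'
    'ISAPI Extensions'                     = 'Web-ISAPI-Ext'
    'ISAPI Filters'                        = 'Web-ISAPI-Filter'
    'IIS Management Console'               = 'Web-Mgmt-Console'
    'Application Server'                   = 'Application-Server'
    '.NET Framework 4.5 (App Server)'      = 'AS-NET-Framework'
    'Web Server (IIS) Support'             = 'AS-Web-Support'
    'HTTP Activation'                      = 'AS-HTTP-Activation'
}

# The guide requires administrator privileges on the host.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Win32_ComputerSystem.DomainRole: 3 = member server, 4 and 5 = domain controller.
$domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($domainRole -ge 4) {
    throw 'This host is a domain controller; the guide says not to install Good Share Server on one.'
}
if ($domainRole -ne 3) {
    Write-Warning 'This host is not a domain member server; the guide requires domain membership.'
}

# Index the features this OS build knows about, so unknown names are reported
# instead of being passed to Install-WindowsFeature.
$state = @{}
Get-WindowsFeature | ForEach-Object { $state[$_.Name] = $_ }

$unknown   = @($wanted.Values | Where-Object { -not $state.ContainsKey($_) })
$toInstall = @($wanted.Values | Where-Object { $state.ContainsKey($_) -and -not $state[$_].Installed })

if ($unknown.Count -gt 0) {
    Write-Warning ('Not available on this OS build: ' + ($unknown -join ', '))
}

if ($toInstall.Count -gt 0) {
    $result = Install-WindowsFeature -Name $toInstall
    if (-not $result.Success) {
        throw "Install-WindowsFeature failed with exit code $($result.ExitCode)."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is needed to finish the installation.'
    }
}

# Report the final state of every feature the guide asks for.
$wanted.GetEnumerator() | ForEach-Object {
    $feature = Get-WindowsFeature | Where-Object Name -eq $_.Value
    [pscustomobject]@{
        Label     = $_.Key
        Feature   = $_.Value
        Installed = if ($feature) { $feature.Installed } else { 'n/a' }
    }
} | Format-Table -AutoSize
```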

Installing Your Good Share Server

To install and launch the Good Share server:

1. Download the Good Share installer from Good Technical Resources.
   Note: Make sure the logged on user has sysadmin permissions on the SQL Server.
2. Launch the installation wizard and follow the prompts for:
   a. Welcome
   b. License Agreement
   c. Customer Information
   d. Specify your installation location and select your options:
      • Default or Custom Installation (choose the components you wish to install: Good Share Server or Web Console or both; by default, both components will be installed)
      • Database Server Name. This can be local or remote using the syntax <server_name>\<instance_name>, <port_number>.
      • Authentication Credentials. Choose Windows Authentication if the logged on user has sysadmin privileges on the SQL Server. If not, choose SQL Server Authentication and specify your sa account credentials.
      • Database and Log Location. Specify the location for the database and log files. Make sure these paths exist on your local or remote instance of SQL server.
      • Service Account. Specify the service account which will be used to run the Good Share Server Service (e.g., GoodAdmin). This service account will be given db_owner privileges to the Good Share database.
      • Management Console Settings:
        o Web site: the web site under which the Good Share management console will be installed.
        o HTTPS Port: the port which the Good Share management console will use. The default is 443.
        o SSL Certification: select A new Self-Signed Certificate. The certificate can be changed after installation using the IIS Management Console.
        o Process Identity: the account under which the Good Share application pool will run.
3. When the InstallShield Wizard completes the installation, the Good Share Server management console is launched automatically.

Server Configuration

After successfully installing your Good Share server, you will need to:

• Access the Good Share console
• Add users
• Configure Good Control
• Configure GMC

Accessing the Good Share Console

To access the Good Share Console:

1. Open a new browser window or tab and enter the URL corresponding to your environment; i.e., https://<goodshareserverfqdn>/goodshareconsole.
2. Supply the service account credentials you specified under Installing Your Good Share Server.

The Good Share SERVER STATISTICS panel contains the following details:

• License expires: this date is not currently being used for app enforcement and licensing.
• User Licenses: Good Share Server licensing is set to a significantly large number; the number of licenses is currently not being used for enforcement and licensing.
• Users: number of active users currently using the Good Share Server.
• Policies: number of policies created for Good Share users.
• File Shares: number of total file shares in all policies.
• SharePoint Sites: number of SharePoint sites in all policies.

Adding Users to the Good Share Console

1. Open/launch the Good Share console as described under Accessing the Good Share Console above.
2. Click Users in the navigation pane, then click the Options list box and choose Add.
3. To add an individual new user, specify the user's Active Directory username and domain, then open the Policy list box and select the appropriate option. Click Save to commit.
4. To import users, specify the requisite AD credentials and filtering options, then click Find Now and select any user from the Active Directory lookup. Click Add User to add the user to the Users list. If you do not want to manually add users, see Auto-Add Users to Policy for guidance on setting up users automatically based on membership in a security group.
   Note: Any user can be removed in the future without impacting configuration.
5. Click the Options list box, click Save, then choose Save Config and save this configuration file to your Desktop or a shared location.
6. Open the configuration file using a text editor and copy the contents of the configuration file to the clipboard for the next task, Configuring Good Control.
7. After a user has been added, mark the checkbox in the corresponding user row and click Edit. This opens the User Edit window, which has two parts: one for General Settings (username, domain, and policy), and the second for Data Sources, listing all data sources for this user. Here, for admin-defined data sources, you can optionally enter an Override Path by selecting a data source from the list and clicking Edit. In the popup displayed, click Override Path for this user to specify an alternate path.

Configuring Good Control for Good Share

Good Control (GC) is the management and configuration component of the Good Dynamics platform.

Adding Good Share Servers

Follow the steps here to configure Good Control (GC) connectivity and communication with the Good Share server. To configure one or more servers in Good Control:

1. Launch a web browser and use the https://localhost address to access the GC console if the browser is on the same machine as the GC server. If the browser is on a different machine, use https://<gc_host_name>.<domain_name>.
2. When the console opens, click Manage Applications under APPLICATIONS and verify that Good Share is registered as a Good application. Consult the Good Control OLH for general details on registering and managing Good Dynamics apps.
3. Click Good Share or click the pencil icon under Actions.
4. Click the Servers tab.
5. In the Host Name field, enter the Good Share server FQDN.
   Important: Make sure the FQDN is entered in lower case. Good Control will not accept upper case characters.

6. In the Port field, enter the server port (default = 9999), then click under Actions.
7. Paste the contents of the clipboard you copied in Step 6 of Adding Users to the Good Share Console into the Configuration field and click Submit.

Configuring Server Affinity

Caution: When a distributed computer system is truly load balanced, each request is routed to a different server. This load balancing approach is diminished when server affinity techniques are applied. Be aware that once you set affinity, it takes precedence.

To enable server affinity for Good Share clients:

1. In the Good Control console navigator, click Policy Sets, then locate the policy you want to apply and click it.
2. Click the APPLICATION POLICIES tab.
3. Scroll down to Good Share and click it, then click the Server Configuration tab.
4. In the Good Share Preferred Servers field, enter the FQDN of your GEMS host and a colon, followed by the desired port. Again, if no port is specified, default port 9999 is assumed. Add more servers separated by a comma with no space.
5. Click Update.

Configuring the Good Mobile Control Console

Complete the instructions in this section if your users are going to provision their devices for both Good Share and Good For Enterprise.

To configure GMC for Good Share:

1. Launch a web browser and use the https://localhost address to access the GMC console if the browser is on the same machine as the GMC server. If the browser is on a different machine, use the Good Share server's https://gmc_host_name.domain_name address instead.
2. Click the Settings tab.
3. Click Third-Party Applications.
4. Click Add, then apply the following configuration settings:
   • Platform: select iOS.
   • Application Name = Good Share.
   • Application ID = com.good.goodshare
   Note: The Application ID is case sensitive, so be sure to enter it exactly as shown.
5. Repeat Step for Android.

To modify the appropriate policies that enable import/export between Good and third-party applications:

1. Click the Policies tab.
2. Click the policy desired.
3. Click File Handling on the left.
4. Turn on either the Enable importing/exporting between Good and third-party applications or the Enable importing to Good Only radio button. If you select Enable importing to Good Only, add Good Share to the list of trusted external applications.
5. Click Add Apps and select Good Share iOS and Good Share Android from the drop-down menu.

Provisioning Users

To grant users permission to provision their devices with the Good Share app:

1. Launch the Good Control console in a web browser and use the https://localhost address to access the GC console if the browser is on the same machine as the GC server. If the browser is on a different machine, use the https://gc_host_name.domain_name address instead.
2. Under USER ACCOUNTS, click Manage Users. If no users are present in the system, click Add Users and then search for a user by their Active Directory username.
3. Select a user and then click the Applications tab. Verify that the user has Good Share listed under Allowed Applications. If not, click Add More and add Good Share.
4. Click the Access Keys tab.
5. Select 1 access key and then click Provision to generate an access key for this user. This access key is sent to the user's email address to use during app activation on a mobile device. This allows the Good Share app to connect to the Good Technology NOC.

Activating the Good Share App on a Mobile Device

To quickly install the Good Share app on a mobile device:

1. Download and install Good Share from the App Store or Google Play, respectively.
2. Launch the app.
3. As prompted, enter an email address and access key, or choose another GD app to provide the key, if GD's Easy Activation feature has been enabled.
4. Create an app password and confirm it.
5. When prompted, enter your Active Directory credentials.

Note: You must have manually added users in Good Share Server or configured policies to auto-add users based on security groups in order for users to access their data sources.

See the respective client user guide for additional details:

• Good Share Client User Guide for iOS
• Good Share Client User Guide for Android

Upgrading the Good Share Server

Important: Good Share no longer supports a Postgres database. If you are currently using a Postgres database, create a new database using SQL Server. There is currently no automatic migration from Postgres.

The following topics outline the steps to upgrade an existing instance of the Good Share Server to the latest version.

Note: Good Share is designed to be backwards compatible. In other words, the app functions correctly even if end-users update the app before the server is upgraded. There may be instances, however, where end-users will not be able to take advantage of certain new features until the server is also upgraded.

Server Upgrade

The server upgrade binaries are typically made available one week before the app upgrade is published in the Apple App Store or Google Play.

Working with the Good Share Console Important: If you are upgrading your server from version 2.8.x, you must run the installer a second time in order to select the option to install the Good Share Web Console. To upgrade from a supported earlier version of Good Share: 1. Download the latest version of the Good Share server software. 2. Copy this file over to your existing Good Share server machine. 3. Make sure the account with which you re logged in to the Good Share Server has administrative privileges. 4. Double-click on the executable and choose the Upgrade option when prompted. 5. The installer performs the necessary upgrade steps automatically. App Upgrade The app upgrades can be downloaded from their respective app store and installed by the end-users. The endusers are not required to perform any steps upon upgrade. Working with the Good Share Console The Good Share administration console runs as an application on the Good Share Server. You can launch it by going to Start > Programs > Good Technology > Good Share Server. This Good Share console opens and displays a toolbar along with server statistics which detail the following: The Good Share SERVER STATISTICS panel contains the following details: License expires this date is not currently being used for app enforcement and licensing. User Licenses Good Share Server licensing is set to a significantly large number; the number of licenses is currently not being used for enforcement and licensing. Users number of active users currently using the Good Share Server. Good Share 14

Working with the Good Share Console Policies number of policies created for Good Share users. File Shares number of total file shares in all policies. SharePoint Sites number of SharePoint sites in all policies. Changing the Default Firewall Port Number The Good Share Server only uses port 9999 if it is on the enterprise network. This port can be changed from the Server Settings menu. Make sure that the Good Proxy server is able to communicate with the Good Share Server on Port 9999, or the port specified. If you change the default port number, you must update the Good Control server with the new port number. Viewing and Working with a List of Users You can view a list of users by clicking Users in the Good Share console s tool bar. Add more users via the Options list box as follows: Select Add for a single new user Select Import to add users from the Active Directory. Note: If you do not want to manually add users, refer to Section Auto-Add Users to Policy on how to setup users to automatically be configured in a policy based on their security group members. Click the list box on the right to filter the list of users based on the policy to which they belong. You can also search for a particular user by entering the user name in the search field. This will search for users that have already been added to the Good Share database. Select a user to access additional command buttons: Good Share 15

Click:
Edit: to specify the user's override path or change the user's policy.
Delete: to remove a user.
Move to Policy: to move a list of users to a selected policy.
Assign Roles: to give the user an additional role such as Default Admin or Compliance Officer. By default, all users are assigned the Default User role.

Working with Policies

Policies contain a list of shares and permissions that are applied to all the end-users assigned to that policy. Policies can be defined on a departmental level or a site level, depending on the use case that best serves the organization.

Policy Name and Description
No. of Users = number of users that belong to that policy.
No. of File Shares = number of public share paths that belong to this policy.
No. of SharePoint sites = number of SharePoint sites that belong to the policy.

Each policy is then associated with the specified File Shares, SharePoint Sites, User Defined Shares, and trusted apps (under the Open In tab).

Creating a New Policy

To create a new policy:

1. Click the Options list box and then select Add. The Policy dialog box opens.
2. Enter the new policy name and description under the General Settings tab.

Auto-Add Users to Policy

Optionally, you can also link this new policy to a Security Group in Active Directory to enable auto-addition of users to the Good Share console. Users in this Security Group are automatically added to the Good Share admin console and assigned to the respective policy.

To auto-add users to policies based on their security group membership:
1. Open the Security Groups tab.
2. Enable the Link to Active Directory check box.
3. Select the appropriate security group. If there are none listed, click the Add Security Groups button to see a list of available security groups. Select the appropriate group and click Add.
4. Select the security group you wish to associate with the policy and click Save.

Editing Policies

Click the check box next to a listed policy to activate the additional Edit, Delete, and Duplicate command buttons.

Sharing Files for File Shares (Admin-Defined)

Good Share allows sharing private and public file shares for groups of users. Private shares have a path that contains a unique, user-specific attribute, whereas public shares have a static path. Support for Active Directory wildcard attributes enables the configuration of multiple private shares. For instance, a user's home directory can be set up using an Active Directory wildcard.

File Shares are added as data sources in a policy. Users in a policy have access to the data sources added in the policy.

Adding Private File Shares to a Policy

To add multiple file shares for a particular user, defined by using a variety of wild cards from the user's AD profile:
1. Click the policy name you want.
2. Click Options > Add Home Directory.

Enter the following information:

Display Name: name displayed on the end user's mobile device for the share.

Path: specified using the complete path to the private shares or wild cards from the user's AD profile. For instance, if you enter the wild card <homedirectory>, the path is automatically populated from the user's home directory attribute in their AD profile. Similarly, admins can also specify a base folder followed by the AD name wild card. Thus, if Path = \\fileserver1\files\<user_login_name>, the home directory for user jdoe = \\fileserver1\files\jdoe

Keep Synchronized with mobile device: forces all contents within this folder to be cached locally to the end-user's device. This folder is automatically synchronized between the app and the backend once every 24 hours. Users also have the ability to manually sync from the app.

Permissions: restricts the operations an end-user can perform when accessing network resources from the Good Share application. These permissions act on top of the inherent AD permissions.

Note: The same permissions can be defined at a per data source level or at a per policy level. SharePoint data sources will have the added option to restrict Check In/Check Out of documents.

List (Browse): allows end-users to list files.
Delete Files: allows end-users to delete files.
Read (Download): allows end-users to download files to the mobile device. This file is stored in the secure container and is deleted as soon as the user browses to a different location or exits the app (unless it is a Keep In Sync data source).
Write (Upload): allows end-users to upload and overwrite existing files.

Cache (Favorites): allows end-users to cache files and subfolders to be saved locally on the mobile device for offline availability.
Allow Native Email: allows end-users to use the native email on their mobile device, but this means the document will no longer be in the secure container. If GFE is installed on the device, users can click the Mail option and the document will be sent to GFE automatically.
Open In: allows end-users to open files in other 3rd party applications.
Create Folder: allows end-users to create new folders.
Print: allows end-users to use the native air-print option on their mobile device. The document will no longer be in the secure container. When available, they can also use a GD-enabled app like Breezy to securely print documents.
Copy/Paste: allows end-users to copy/paste contents from files to the local clipboard.

Adding Public File Shares to a Policy

Public shares are folders shared between a set of users. To add public file shares to a policy:
1. Click on the Policy Name, then click on Options and then click Add.

Note: The status icon reflects the permissions of the currently logged on user on the share specified. This may not display a checkbox if the logged on user does not have permissions to view the share. This will not have any functional impact on the app as long as the end-user has the necessary permissions to view the contents of the path specified.

2. Add appropriate policy details for the selected public shares.

Display Name: sets the name displayed on an end user's mobile device for the share.
Path: sets the path to the public share.
Keep Synchronized with mobile device: forces all contents within this folder to be cached locally to the end-user's device. This folder is automatically synchronized between the app and the backend once every 24 hours. Users also have the ability to force sync.

You also have the ability to add a particular file share to different policies, if appropriate. To copy a File Share to other policies:
1. Click on the check box next to the public share and select Add To Policies.
2. Select the policies to which you want to add this public share, then hit Apply.

Note: This option is also available for adding a particular SharePoint site to multiple policies.

Sharing Files for a SharePoint Site (Admin-Defined)

Good Share allows SharePoint sites to be added in two different ways:
1. Specifying the URL to the site for which a particular set of users have access.
2. Integration with SharePoint's MySite feature, providing access to a user's personal site.

Adding Sites via URL

To specify the URL of a site to which a particular set of users will have access:
1. Click on the Policy Name, then open the SharePoint Sites tab. The folders listed under SharePoint Sites can be viewed by all users assigned to the policy.

2. Enter the following information in the field indicated:

SharePoint Site URL: sets the URL of the SharePoint site in the following format: http://mysharepointurl/default.aspx = http://mysharepointurl
Also, make sure the URL is pointing to a site, rather than a document library or a list.
Display Name: sets the name displayed on an end user's mobile device for the share.

Adding Sites via MySite

To add a share using MySite:
1. Click on Options > Add.
2. Specify a wild card in brackets ("<>"). If you want to use the Active Directory username attribute, specify it as <username> in the SharePoint Site URL path; e.g., https://mysitehost/my/<username>.

Sharing Files for File Shares and SharePoint Sites (User-Defined)

You can enable users to add their own File Shares or SharePoint sites. There are three ways end-users can add User-Defined Shares. These include:

1. Log in to the self-service web console to add File Shares or SharePoint sites. On Microsoft Windows PCs, users can use the Map My Drives feature in the IE browser to add mapped drives to mobile with a few clicks.
2. Use the mobile app to add file shares or SharePoint sites.
3. Users can simply Follow sites on SharePoint and they will show up on mobile.

Shares added automatically show up on each of a user's devices. As the admin, you can also set Permissions around these shares just as you do for administrator-defined shares. The following steps explain how to set these options.

To set user-defined shares permissions:
1. Click on the Policy Name.
2. Click on the User Defined Shares tab.

Access

You have three options for permitting user access to data sources:
1. Check Enable User Defined Shares to allow users to add their own data sources.
2. Automatically add those sites followed by users. This option takes advantage of the followed site feature in SharePoint. Admins can define a parent site, and then enable this option. All sub-sites within the primary site that end-users have chosen to follow will automatically appear on their mobile device.
3. Allow Web Services to Add User Defined Shares. Good Share exposes several REST APIs which can be integrated into existing consoles and work flows used by the enterprise. These APIs allow Web Server to enable Add User Defined Shares. Contact Good Technology Support for more information on integrating these APIs with Good Share.

Data Sources

The following settings allow you to control which repositories end-users are allowed to add with the self-service console.

Allow File Shares: permits end-users to add file shares.
Allow SharePoint sites: permits end-users to enter SharePoint sites.

Permissions

User-defined permissions work the same way Permissions work for admin-defined shares.

Screening Files by App

To allow or block a user's ability to open files based on the app used:
1. Click the Policy Name, then click the Open In tab.
2. Select from the following options:
   Good Dynamics Apps only: permits users to open files in GD-enabled apps only.
   Any app: permits users to open their files in any app.
   Good Dynamics apps plus whitelisted apps: permits users to open their files in GD-enabled apps as well as select whitelisted non-GD applications.
3. Click How to retrieve an App ID to view instructions on retrieving an application's App ID.

Once a whitelisted app has been added to a policy, you can apply it to other policies by checking the box next to the app and clicking Add to Policies.

Accessing and Configuring the Server Settings

To access your Good Share server's settings, click Settings in the console tool bar.

Security Settings

The Security settings are organized into the following three groups:

1. Kerberos Constrained Delegation
   a. Enable or disable Kerberos constrained delegation.
   b. Specify the FQDN of the Good Proxy server.
   Note: Certain environmental configurations need to be performed by the administrator before enabling this option. Please contact Good Technology Support for assistance.
2. Auto Add User and Home Directory
   a. Enable/disable the automatic addition of users through the app. This setting is used in combination with the linking of policies to Active Directory. See Working with Policies.
   b. If the user's home directory is not recorded in the Default attribute in AD, you can specify the appropriate attribute.
3. General
   a. Allow or block preview of media files on iOS devices. This file is unencrypted on the iOS devices for the duration of playback.
   b. Enable/disable the app from remembering the user's password.
   c. Enable/disable the display of event details for SharePoint Calendar alerts.
   d. Force User to save Pending Uploads. Because there may be instances where a user works on an offline version of a file and does not have the necessary network coverage to upload the file to the backend repository, the user can save the file to the local Pending Files container within the app. For compliance reasons, enterprises may not want data to reside in this offline location for an indeterminate amount of time. The next time the user launches the application and has network connectivity, they will be greeted with a prompt window asking them to upload the pending file. They will then be prompted to take an action based on the following settings:
      Unchecked: user receives the prompt to upload but has the option to cancel the prompt. They will get this prompt again every 24 hours when the app is launched and the device has network connectivity. This will continue as long as the file resides in the Pending Files container.
      Checked: user receives the prompt but is not given the option to cancel the upload. The user is forced to upload the file before continuing to use the application.

Server Settings

The Server settings screen displays a list box of available Good Share servers. Select a server from this list box to see the server's associated port number for apps that are inside the enterprise network and the location of the server's log files.

Audit Settings

The Audit settings screen provides options for managing audit log operations and the number of audit log records in the database. Every operation from every app can be recorded to an audit report. These records are stored in the Good Share database and can be used to meet compliance and e-discovery requirements. Check Enable Audit Logs to enable the audit operations selected.

Audit Logs

You can choose to record every operation that is performed by users with the Good Share application. You can then access these records from the Good Share console by selecting File > Audit Log Reports. For generating audit reports, the following filters are available:
Date: sets the time frame for which you want to generate the reports.
Operation: sets the operations for which you want to generate a report.
Users: filters the report by specific users, displaying only users who have actually used the application.
Search: full or partial file name (key-word search) to filter which users have accessed a particular file.

Administration Roles

Because Good Share supports role-based administration, enterprises wishing to have well-defined, tiered administration can choose from the existing predefined roles or create their own roles with specific functions. Good Share ships with three predefined roles, including:
Compliance Officer: this role can change audit settings and run audit reports.
Default Admin: this role can perform all available operations within the Good Share Management Console.
Default User: this role only permits end-user permissions, able to view the drives that are available to them via the policy assigned by the administrator. By default, all users are assigned this role.

As mentioned, admins can also create enterprise-defined roles by choosing the Options list box, selecting Add and then defining the specific operations permitted by that role. An example of an IT Helpdesk role is pictured here.

Of special significance here is the permission called Good Share Admin API Access. When this permission is granted, it enables the role to add user-defined data sources with REST API calls.

Self-Service Console

An end-user can log into the self-service console to view the list of their data sources. Users with the Default User role will only be able to see this screen when they log into the web console.

If the admin has chosen to allow end-users to add their own Data Sources according to Sharing Files for File Shares and SharePoint Sites (User-Defined), the Options tab will also be visible. End-users can click this list box and select from two options: either Add Data Source or Add Mapped Drives, defined as follows:

Add Data Source
This option allows end-users to choose between adding a File Share and a SharePoint Site. The user can type in the respective UNC path or a URL and assign a Display Name for the data source to make it available across all devices running Good Share for this particular user. However, to view the contents of the share, the user must have corresponding AD permissions to the share.

Add Mapped Drives
Used to automatically add the drives currently mapped on the user's PC, making them accessible via the Good Share app, this option requires an ActiveX Control to be enabled on the browser used and is only available on Windows machines. Here, clicking on Option presents the user with a selection of currently mapped drives. The drives desired can then be selected.
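The wildcard expansion described under Adding Private File Shares to a Policy and Adding Sites via MySite, as an added example in Python (not Good Share's own code): it expands a path or URL template from a user's AD attributes and rejects attribute values that would move the result outside the intended base folder. The mapping from each wildcard to an AD attribute, the allowed_roots parameter and the sample user are assumptions.

```python
import ntpath
import re
from urllib.parse import quote

# Wildcard names come from the guide. The AD attribute behind each one is an
# assumption made for this example.
WILDCARDS = {
    "homedirectory": "homeDirectory",
    "user_login_name": "sAMAccountName",
    "username": "sAMAccountName",
}
TOKEN = re.compile(r"<([A-Za-z_]+)>")
# Characters that may not appear in a value substituted as one path segment.
BAD_SEGMENT = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


class TemplateError(ValueError):
    """A template or attribute value cannot be expanded safely."""


def lookup(token, ad_user):
    """Return the AD attribute value a wildcard refers to."""
    attr = WILDCARDS.get(token.lower())
    if attr is None:
        raise TemplateError(f"unknown wildcard <{token}>")
    value = ad_user.get(attr)
    if not value:
        raise TemplateError(f"user has no {attr} value")
    return value


def safe_segment(value):
    """Accept a value only if it names exactly one folder level."""
    if value in (".", "..") or BAD_SEGMENT.search(value):
        raise TemplateError(f"unsafe attribute value {value!r}")
    if value != value.rstrip(" ."):
        # Windows drops trailing dots and spaces, so "jdoe." would alias "jdoe".
        raise TemplateError(f"ambiguous attribute value {value!r}")
    return value


def is_under(path, root):
    """Case-insensitive test that path is root itself or lies below it."""
    root = ntpath.normpath(root).rstrip("\\").lower()
    path = ntpath.normpath(path).lower()
    return path == root or path.startswith(root + "\\")


def resolve_share_path(template, ad_user, allowed_roots=()):
    """Expand a private-share path template for one user."""
    template = template.strip()
    whole = TOKEN.fullmatch(template)
    if whole:
        # A lone wildcard such as <homedirectory>: the attribute is the path.
        path = ntpath.normpath(lookup(whole.group(1), ad_user))
        if not path.startswith("\\\\"):
            raise TemplateError("attribute does not hold a UNC path")
        if allowed_roots and not any(is_under(path, r) for r in allowed_roots):
            raise TemplateError("path is outside the approved share roots")
        return path
    first = TOKEN.search(template)
    if first is None:
        return ntpath.normpath(template)  # static path, i.e. a public share
    base = template[:first.start()]
    expanded = TOKEN.sub(
        lambda m: safe_segment(lookup(m.group(1), ad_user)), template)
    path = ntpath.normpath(expanded)
    if not is_under(path, base):
        raise TemplateError("expanded path leaves the base folder")
    return path


def resolve_site_url(template, ad_user):
    """Expand a MySite URL template, percent-encoding the substituted value."""
    return TOKEN.sub(
        lambda m: quote(safe_segment(lookup(m.group(1), ad_user)), safe=""),
        template)


if __name__ == "__main__":
    # Constructed sample user; attribute names follow the assumed mapping.
    jdoe = {"sAMAccountName": "jdoe", "homeDirectory": r"\\nas01\home\jdoe"}
    print(resolve_share_path(r"\\fileserver1\files\<user_login_name>", jdoe))
    print(resolve_share_path("<homedirectory>", jdoe, [r"\\nas01\home"]))
    print(resolve_site_url("https://mysitehost/my/<username>", jdoe))
```

Whatever path results, the user still needs the corresponding AD permissions on it, as the guide states; the check above only keeps a malformed attribute value from pointing the share somewhere the policy author did not intend.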

Support for SharePoint Online (Hosted SharePoint)

Good Share Server 3.1.351 or above can support SharePoint Online as a data source. SharePoint Online locations can be added to policies in the Good Share Console just like an on-premise SharePoint site. Both administrator-defined and user-defined data sources are supported.

SharePoint Online furnishes two different ways for on-premises Active Directory (AD) users to authenticate and perform normal SharePoint operations. These include:
DirSync with Password Hash: users and their passwords on AD are synchronized with Office 365 (O365). Users are presented with a login page where they can enter their credentials to access SharePoint Online.
Active Directory Federation Service (ADFS): ADFS serves as a Secure Token Service. Behind the scenes (in the background), users are redirected to ADFS for authentication and are issued security tokens that are then used by SharePoint Online to sign in. SharePoint Online users will not need to enter credentials when accessing from the corporate network, which typically enables SSO scenarios.

Either authentication mechanism is supported by Good Share.

Deployment Prerequisites

All preparations are server side only. No device changes are required. Here, the prerequisite is that SharePoint Online is already deployed based on either of the authentication mechanisms: DirSync with Password Hash or ADFS. Consult Microsoft O365 resources regarding SharePoint Online deployment for details and procedures.

Authentication Setup

For Kerberos Constrained Delegation (KCD), which allows for Single Sign-On credential-less access to network resources from devices, only ADFS authentication to SharePoint Online is supported. To help with configuring KCD, please follow the procedure specified in Good Share KCD Authentication Instructions. Contact your Good representative for a copy of this document.

Note: When adding Kerberos delegation constraints for Good Share process users, add the ADFS server HTTP service. Do not attempt to add SharePoint Online servers for delegation here.

For non-KCD configurations, in which users must enter their credentials on the device, both DirSync with Password Hash and ADFS authentication mechanisms to SharePoint Online are supported. No extra authentication-related steps are needed to use this configuration.

ADFS Version and Location

Good recommends ADFS 2.0. ADFS may be installed on either Windows 2008 R2 or Windows 2012. The ADFS server is automatically identified by Good Share based on the SharePoint Online location and therefore does not need to be specified.

ADFS HTTPS Certificate

If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the Good Share server machine. To add the certificate, navigate to IIS Manager on the ADFS machine, then go to Server Certificates and export the certificate to a file. Next, on the Good Share Server machine, import this certificate into the trusted CA list.

Once you have deployed SharePoint Online, you're ready to configure Good Share for your SharePoint Online users.

Configuring Good Share for SharePoint Online Users

To configure SharePoint Online for Good Share:
1. Click Settings, then select Security.
2. Add one or more SharePoint Online Domains in the field provided, separated by commas.
3. Save your changes.

Local Folder Synchronization

Users who work remotely on content creation and save files locally for offline access can now access these files on the go from their mobile devices without having to open their local machine. Good Share provides authorized users access to their Home Directory hosted on NAS shares and exposed through Active Directory. However, this synchronization feature, which syncs folders on the user's remote laptop or desktop with their home directory, is only available on local machines running Microsoft Windows.

Windows Folder Redirection (Native)

This feature gives administrators the ability to redirect the path of a folder to a new location, which can be on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.

Folder Redirection is located under Windows Settings in the console tree when you edit domain-based Group Policy by using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.

Offline File technology (turned on by default) gives users access to the folder even when they are not connected to the network, and is especially useful on laptops and mobile devices. Offline folders do not, however, work out of the box with Samba network drives. See Offline Folders (Native) below for details.

Otherwise, Windows Folder Redirection can be enabled for any of the predefined folders in the Group Policy Management Editor as pictured next. In Windows Server 2008, a total of 13 different folders can be redirected. Pictured above, these include:
AppData(Roaming)
Music
Saved Games
Desktop
Start Menu
Documents
Pictures
Favorites
Contacts
Downloads
Links
Searches
Videos

As an administrator, you will need to create the root folder for the destination location. This folder can be created on a local or remote machine (NAS), but it is important that all members of the group who will have Windows Folder Redirection enabled are given full access to the root folder.

To enable Folder Redirection and configure access:
1. Create a root folder (e.g., RedirectShare) for the redirect destination.
2. In the Group Policy Management Editor, select a specific folder (e.g., Documents) and add one or more rules to determine which users/groups can redirect the selected folder to the root folder.
3. Set an environment variable %USERNAME% to the path [Root]\<username>\Documents\.

The tree structure of the root (for example, RedirectShare) will look something like:

Now the user's folder has exclusive user permissions. No other user can see the files. The user can update these files, add new files, and delete files. Then, when the user connects to the corporate network again, the files are automatically synchronized with the redirected location.

If modifications are attempted on the same file in both locations at the same time, an alert is issued (pictured next), and the user is responsible for resolving the conflict (i.e., keep source, keep destination, or keep both files).

Thus, if a user uploads a file through the Good Share mobile app directly to the share, it will be visible on the local PC in the Documents folder. Moreover, when the Good Share server is configured with User Private Shares pointing to the redirected root folder (e.g., C:\RedirectShare\), users can automatically use their own folders inside the Good Share app from the Home Directory on their phone or tablet.

Note: For users with their home folder defined in AD, Folder Redirection works when the redirection path is the same as the user's home folder in AD.

Offline Folders (Native)

When you select a network file or folder to make it available offline, Windows automatically creates a copy of that file or folder on your computer. Thereafter, any time you reconnect to the network folder, Windows synchronizes these files with those in the network folder. You can also synchronize them manually any time you want.

As pointed out above, this feature does not work out of the box with a Samba network drive, and workarounds are not currently supported by Microsoft. Otherwise, the feature can be enabled from Windows Explorer and used for any shared folder as pictured.

Now that the shared folder is available offline, it can be used offline. Users can even make a shortcut to the shared folder on their desktop for convenience. Moreover, when working offline and changes are made to offline files in a network folder, Windows automatically syncs the changes the very next time you connect to that network folder. You can also manually sync changes by clicking the Sync Center tool. Additionally, there are more advanced sync scheduling controls available in the Windows Sync Center.

If the user is working offline while someone else changes a file in a shared network folder, Windows syncs those changes with the offline file on the local computer the next time it connects to that network folder. If a sync conflict occurs, meaning changes were made to both the network and offline versions of the file between syncs, Windows will prompt the user to decide which change takes precedence.

Files that were cached automatically are removed on a least-recently-used basis once the maximum cache size is reached. Files cached manually are never removed from the local cache. When the total cache size limit is reached and all files that were cached automatically have already been removed, files cannot be made available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet (pictured below).

The default size limit for the Offline Files cache is 25 percent of the total disk space of the drive where the cache is located. The cache size can be configured through Group Policy by setting the limit on disk space used by Offline Files (go to Computer Configuration > Policies > Administrative Templates > Network > Offline Files) on each client separately.

Synchronization takes place a few minutes after the user logs in and connects to or opens a shared network folder containing offline files, and is schedule- or event-based. However, this must still be enabled manually by each user. Even so, through the Group Policy editor, the domain administrator can set various synchronization triggers; e.g., On Logon, On Logoff, Sync Interval, etc.

Pictured above, these settings are available in User Configuration\Administrative Templates\Network\Offline Files and in Computer Configuration\Administrative Templates\Network\Offline Files in the Group Policy Object Editor snap-in. For more information about policy settings, see the Explain tab on the Properties page of each policy.

See also Configuring Group Policy for Offline Files on Technet.

These options, Folder Redirection and Offline Folders, offer these advantages compared to a proprietary laptop/desktop agent furnished by Good:
- IT does not have to manage and deploy another desktop agent.
- Microsoft Folder Redirection is integrated with GPO and manages conflicts.
- Existing compliance tools and processes govern the data.

Again, once the files are synchronized to the Home Directory, IT administrators can make use of the Good Share Private Share functionality to expose the user's Home Directory to the Good Share App running on provisioned mobile devices.

It is also important to remember that for users who have their home folder defined in AD, Folder Redirection works when the folder redirection path is the same as the user's home folder in AD.

Appendix A: Good Share Scalability Guidelines

Scalability of the Good Share Server is strongly influenced by maximum peak concurrency and end-user mobile usage patterns. Accordingly, Good's guidelines for scalability are based on three concurrency profiles: High, Medium, and Low.

As a baseline for the Medium concurrency profile we assume maximum peak concurrency of 10%, which is based on Microsoft's Capacity Planning for Windows SharePoint Services guide and uses a maximum peak concurrency assumption of 10%, inclusive of both mobile and web traffic. We then conservatively assume that a High concurrency system will have greater mobile usage concurrency than Microsoft's guidelines, while the Low concurrency system will have lower mobile usage concurrency than Microsoft's guidelines. In practice, we do expect that mobile usage will have generally lower maximum peak concurrency than the overall SharePoint system, since the latter includes both mobile and web traffic.

Based on this approach and assumptions, the Good Share scalability guidelines are set forth below. When planning their individual deployments, we recommend that customers measure their actual current SharePoint maximum peak concurrency and then use that as the baseline for determining which of these concurrency profiles best fits their environment.

Published Good Share Scalability Numbers

Concurrency     # of users per server   Max concurrent users
High (12%)      5,000                   600
Medium (10%)    6,000                   600
Low (8%)        7,500                   600

Good Share Scalability with SharePoint Only

The scalability of a Good Share Server running only a SharePoint environment influences the maximum peak concurrency. Similar assumptions can be made based on the same three concurrency profiles as above: High, Medium and Low. Stress testing the Good Share Server running only SharePoint showed Max Concurrent users to be greater than the standard Good Share Scalability above.

Good Share running a SharePoint-only environment increases the maximum concurrent users to 750. The same concurrency profiles of High (12%), Medium (10%) and Low (8%) assume greater maximum concurrent users, allowing for more total users per server.

SharePoint-Only Scalability Numbers

Concurrency     # of users per server   Max concurrent users
High (12%)      6,250                   750
Medium (10%)    7,500                   750
Low (8%)        9,375                   750

Appendix A Good Share Scalability Guidelines Good Share Server Integration with GEMS Planned integration of the Good Share Server within the Good Enterprise Mobility Server (GEMS) as a Document Service (using the service-based architecture of GEMS) will reduce the Total Cost of Ownership (TCO) of our solution. This is targeted for General Availability in Q4, 2014. Our long-term target in GEMS is to achieve 1,200 concurrent connections for the Document Service that can support from 10,000 users to 15,000 users per server, depending on the concurrency mode assumptions. We will make incremental progress towards this and plan to achieve this goal by end of 2015. The targets may change based on technical complexities and other findings. GEMS can run multiple services on the same server and the actual capacity planning will involve planning across all the services being deployed in a given environment. These targets are for supporting GEMS Documents service without other services. We will provide capacity planning tools to guide customers through this process. Targeted Goal for GEMS Docs Service Scalability by 2015 Year-End Concurrency # of users per server Max concurrent users High (12%) 10,000 1,200 Medium (10%) 12,000 1,200 Low (8%) 15,000 1,200 As more social capabilities are added and File Explorer is made to work across multiple Good Dynamics apps, customers which enable these features or use apps that leverage the file explorer service may see higher concurrency for the Documents service. Overall, we believe that the new application service architecture should significantly lower the TCO of our solution. Note about Performance Testing In running performance tests we use simulation clients. These simulation clients open a connection to the Good Share server (8 Core, 20 GB RAM, Windows 2008 R2) and execute the same operations a mobile device would execute Upload/Download/Browse Files/Browse Folders/Delete Files/Update Files. 
All these operations are done at a variable and random time gap of 5 to 15 seconds. The test data uses files of 1 KB, 5 KB, 50 KB, 100 KB, 500 KB, 10 MB and 100 MB, with the total size of the data set being 1.34 GB. The SharePoint tests are performed on a SharePoint farm with two SharePoint 2013 Servers talking to the same remote SQL Server 2008 Server. The pseudo user profiles are added to Active Directory and divided into security groups with 100 users in each group. On the Good Share server, the users/user groups are divided into 4 policies. The SQL Server used by the Good Share server is on a remote machine.

Appendix B Troubleshooting

Major errors and the recommended fixes are discussed here on an advisory basis. For additional troubleshooting resources and support, please visit Good's Public KB. Remember to check back often for updates to this list.

Error 404: Connecting to Good Share Server

Situation

Unable to connect to Good Share Server. Receiving Error 404 after IIS HTTPS Bindings changed from Port 443 to Port 5443.

Issue

Trying to install Good Share on the same server as Good Dynamics. When we attempt to launch the Good Share Console via IE, we get a 404 error.

Cause

The root issue is a result of the IIS HTTPS Bindings changes made because Good Share is on the same host server as your Good Control (GD) and Good Proxy servers, which means you'll need to bind IIS to a port other than 443, as Good Control will be using that port with Apache. Go to a command prompt, type netstat -ab and pipe the output to a text file to identify what is using 443.

Solution

Good Dynamics listens on ports 443 and 80. If you try to enable IIS on a GD server, Windows will let you add it; however, the Default Web Site in IIS will not start. The reason is that IIS's default website is configured to listen on port 80, which creates a conflict with GD. But no worries. After you enable IIS, just open the IIS manager and change the binding port to something other than 80. For example, 81. After you do this, IIS will let you start the default website.

Start -> Administrative Tools -> Internet Information Services Manager
Expand the Server name, then click on Default Web Site.
On the right, click on Binding.

By default, GS's web console UI wants to use port 443, but as we noted earlier, GD is already using port 443. Once again, no worries. When you install GS, the installer will give you an option to change the default port. Change it to something other than 443 (5443 is a safe choice) and the installer will take care of the rest.
You should be good to go after this. If not, and you continue receiving Error 404 after changing IIS HTTPS Bindings, you probably need to reinstall the GS Web Console. Here's how:

Uninstall the Web Console

1. Run the installer package.
2. Select Modify.
3. In the drop-down list for Web Console, select This feature will not be available.
4. Click Next.
5. Select Update.
6. Uncheck Launch Good Share Server, then click Finish.

Reinstall the Web Console

1. Run the installer package.
2. Select Modify.
3. On the drop-down list for Web Console, select This feature and all subfeatures will be installed on local hard drive.
4. Click Next.
5. Make sure that Windows Authentication using the current user's credentials is selected and click Next.
6. For HTTPS port, enter 5443.
7. Enter your UID and PWD (no need for domain) and click Next.
8. Click Update.
9. Click Finish.
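The port check from the Cause step above, as an added PowerShell example that is not part of the original guide: it parses netstat -ano (numeric PIDs, instead of the guide's -ab) and reports which process owns the listeners on 80, 443 and 5443. The function name Get-ListenerOwner is hypothetical, and the match on LISTENING assumes English-language Windows output.

```powershell
#Requires -Version 3

# Added example: map the listeners on the ports this appendix discusses to
# their owning processes. Get-ListenerOwner is a hypothetical helper name.
function Get-ListenerOwner {
    param(
        # 80/443: Good Dynamics; 5443: the suggested Good Share console port
        [int[]] $Port = @(80, 443, 5443)
    )

    $seen = @{}
    foreach ($line in (netstat -ano)) {
        # Listener rows: Proto  Local-Address:Port  Foreign-Address  State  PID
        # Assumes English output ("LISTENING"); matches IPv4 and [::] IPv6 rows.
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $localPort = [int]$Matches[1]
            $ownerPid  = [int]$Matches[2]   # not $PID, which is PowerShell's own id

            if ($Port -notcontains $localPort) { continue }
            $key = "$localPort/$ownerPid"
            if ($seen.ContainsKey($key)) { continue }   # IPv4 and IPv6 rows repeat
            $seen[$key] = $true

            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $localPort
                PID     = $ownerPid
                Process = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
    }
}

# Two different PIDs on one port, or an unexpected owner, is the conflict.
# IIS bindings are held by HTTP.sys and are reported as PID 4 (System).
Get-ListenerOwner | Sort-Object Port, PID | Format-Table -AutoSize
```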

Appendix C Configuring KCD for Good Share

Kerberos Constrained Delegation (KCD) authenticates user access to both File Shares and SharePoint sites without requiring an Active Directory password.

Requirements

To implement KCD for Good Share, your environment must meet the following prerequisites:

- Your Good Dynamics infrastructure must meet the version requirements specified under Good Dynamics Requirements.
- Your Good Share Server will need the following additional inbound ports available (not blocked by any firewall):
    - 17080 to the Good Proxy server
    - 17433 to the Good Proxy server
- Kerberos authentication must be enabled in SharePoint.
- IP addresses cannot be used when referring to SharePoint URLs and file shares.

Summary of Process

Enabling KCD authentication for accessing SharePoint sites and File Shares using Good Share entails three primary steps:

1. Finding the Application Pool Identity and port number for each SharePoint web application.
2. Creating the Service Principal Names (SPN) in Active Directory.
3. Adding KCD constraints in Active Directory.

Finding the Application Pool Identity and Port Number

To determine the Application Pool ID and port number for all the web applications containing SharePoint sites that will be made available to share:

1. Create a list of all web apps that need to be shared through Good Share.
2. Open IIS Manager on each SharePoint server. If a web application was extended to create alternate access mappings, it may not include any additional unique port numbers.
3. Find the Application Pool Identity in the Application Pools list view (pictured) or in Central Administration > Security > Configure service accounts.

Caution: For KCD to work properly in most instances, the Application Pool Identity user must be the same for all application pools whose applications will be accessed by Good Share. This means you cannot have different application pools running under different users.

4. Find the port numbers for each of the web apps listed in the Web Applications view (pictured next). You can also look in the Alternate Access Mappings view.
5. Navigate to Central Administration > Application Management, choose the web application, then click Authentication Providers in the ribbon bar. Make sure that the authentication type for each web application is set to Windows and that Kerberos is enabled.

Authentication Type is set/verified as pictured next.

Enable Kerberos as pictured next if NTLM was selected before.

Note: In certain scenarios, switching to Negotiate (Kerberos) may also require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For additional information, see MSDN's SPN Checklist for Kerberos Authentication.

Creating Service Principal Names (SPNs) in Active Directory

To create SPNs in AD for the SharePoint locations and the Good Share user:

1. Create a dedicated user that will run as Good Share. In the example here, the user is <domain>\GoodShareUser.
2. Set the password for GoodShareUser to not expire and do not require a password change for logging on.
3. Create a Service Principal Name (SPN) for each web application that will need to be shared, using commands like the following:

       setspn -S HTTP/SPHOST:PORT domain\apppooluser
       setspn -S HTTP/SPHOST.FQDN:PORT domain\apppooluser
       setspn -S HTTP/SPHOST domain\apppooluser
       setspn -S HTTP/SPHOST.FQDN domain\apppooluser

   If the port is a default port (80 or 443), omit the first two lines above.

   Note: Some lines only need a host name while others need a fully qualified host name.

   If the application pool identity is for a built-in user such as Network Service, then specify the host name instead of domain\apppooluser as follows:

       setspn -S HTTP/SPHOST:PORT domain\sphost
       setspn -S HTTP/SPHOST.FQDN:PORT domain\sphost
       setspn -S HTTP/SPHOST domain\sphost
       setspn -S HTTP/SPHOST.FQDN domain\sphost

   Important: If you are using SSL, the SPN must refer to HTTPS, rather than HTTP.

4. Create an SPN for the Good Share process user as follows:

       setspn -S HTTP/GSSHOST domain\gemsdocsuser
       setspn -S HTTP/GSSHOST.FQDN domain\gemsdocsuser

Here, <GSSHOST> is the host name of the Good Share server.

Note: An HTTP service (IIS, etc.) need not be running on the GSS machine; the lines above are needed strictly to enable the Delegation tab in the User's Properties tab in Active Directory.

Adding Kerberos Delegation Constraints in Active Directory

To create Kerberos constrained delegations for the GoodShareUser for each SPN:

1. Open the AD Users and Computers manager and look under Users to find GoodShareUser.
2. Right-click GoodShareUser and select Properties.
3. Click the Delegation tab.
4. Enable both Trust this user for delegation to specified services only and Use any authentication protocol, then click Add.

5. Click Users or Computers in the Add Services pop-up.
6. In the Select Users or Computers pop-up, enter the SharePoint Application Pool Identity user name and click OK.
7. Select all the services corresponding to the SharePoint web applications running under the username entered in Step 6, omitting the HTTP service, and click OK.

You'll now see the services to which GEMSDocsUser can provide delegated credentials listed in DelegationUser Properties.

8. Click Add and repeat steps 2 through 7 above, although instead of choosing the application pool identity user, choose the computer account for the SharePoint server. When you choose the services, select HOST and http as shown below and click OK to add each computer account to the list of services.

The delegated services are now listed in the DelegationUser Properties window. You're now ready to repeat Steps 4 through 8 for each SPN in Active Directory.

Adding Kerberos Constraints for File Shares

The main difference between sharing files and sharing SharePoint sites is that delegation is to the Good Share computer account and not to the Good Share process user (i.e., GoodShareUser).

To add Kerberos constraints for a user's file shares:

1. Under Computers in AD's Users and Computers, right-click the Good Share computer, select Properties, then open the Delegation tab.

2. Click Add, then click the Users or Computers button, enter the name of the server containing the file share requiring access and click OK. Then in the list of services, select cifs and click OK. Repeat for each File Share server requiring access via KCD.
3. To make these configuration changes take effect right away, reboot any servers with network shares.

Note: Since Kerberos tokens are cached, rebooting is the only sure way to make sure all delegation changes are received on the machines. In lieu of a reboot, you will have to wait up to ten hours for the changes to propagate to all the needed servers.

Enabling KCD on the Good Share Server

To enable Kerberos constrained delegation on the machine hosting Good Share:

1. Open Settings, open the Security Settings tab, then enable KCD and enter the Good Proxy location.
2. Grant the Act as part of the operating system privilege to GoodShareUser in the Local Security Setting tab.

For comprehensive guidance from Microsoft, see Kerberos Constrained Delegation for Windows Server.
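A read-only check of what this appendix configures, as an added PowerShell example that is not part of the original guide: it reads an account's delegation settings from Active Directory and compares its delegation list with the SPNs you intended to allow. The function name Test-KcdDelegation and the sample host names are hypothetical, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
#Requires -Version 3
#Requires -Modules ActiveDirectory

# Added example (hypothetical helper): audit one account's delegation settings.
# Works for the process user (GoodShareUser) and, for file shares, for the
# Good Share computer account (sAMAccountName ends in '$'). Nothing is modified.
function Test-KcdDelegation {
    param(
        [Parameter(Mandatory = $true)] [string]   $SamAccountName,
        [Parameter(Mandatory = $true)] [string[]] $ExpectedTargets
    )

    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
        -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    if (-not $obj) { throw "Account '$SamAccountName' not found" }

    $uac     = [int]$obj.userAccountControl
    $allowed = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    [pscustomobject]@{
        Account              = $SamAccountName
        # An SPN on the account is what makes the Delegation tab appear
        HasOwnSpn            = @($obj.servicePrincipalName).Count -gt 0
        # 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION = "Use any authentication protocol"
        ProtocolTransition   = [bool]($uac -band 0x1000000)
        # 0x80000 TRUSTED_FOR_DELEGATION = unconstrained delegation (not wanted here)
        Unconstrained        = [bool]($uac -band 0x80000)
        # 0x10000 DONT_EXPIRE_PASSWORD (step 2 of the SPN procedure; users only)
        PasswordNeverExpires = [bool]($uac -band 0x10000)
        # String comparison is case-insensitive, as -notcontains is by default
        MissingTargets       = @($ExpectedTargets | Where-Object { $allowed -notcontains $_ })
        UnexpectedTargets    = @($allowed | Where-Object { $ExpectedTargets -notcontains $_ })
    }
}

# Constructed sample values: replace hosts, port and account names with your own.
Test-KcdDelegation -SamAccountName 'GoodShareUser' -ExpectedTargets @(
    'HTTP/sp01:8080', 'HTTP/sp01.example.com:8080')

# File shares: the delegation list sits on the Good Share computer account.
Test-KcdDelegation -SamAccountName 'GSSHOST$' -ExpectedTargets @(
    'cifs/fs01', 'cifs/fs01.example.com')
```

For a correctly configured account, ProtocolTransition is True, Unconstrained is False, and UnexpectedTargets is empty; any entry in UnexpectedTargets is a service the account can reach on behalf of users beyond what you intended.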

Glossary

A

Access Key: Part of the activation key that is different for every GD application activation. Access keys consist of 15 letters and numbers. Access keys are generated by the enterprise GC server.
Activation Key: All the credentials necessary for activation of a GD application for an end user. The necessary credentials are a provisioning ID and an access key.
AD: Active Directory
ADSI: Active Directory Services Interface
ADT Plugin: Android Development Tools Plugin
Affinities: The feature that enables enterprises to allocate their GP servers between their GC servers and their application servers. Allocation can be an absolute division, or based on a priority order, or both.
Application Policies: The feature that enables GD application developers to add policies that are specific to their application to a GC server. Application policies are defined by developers, using an XML file format.
Application-Based Service: A GD shared service that is provided by GD applications. An application-based service uses Good Dynamics AppKinetics for communication.
Authentication Delegation: The feature for transferring authentication of the end user from one application to another. An application for which authentication is delegated does not display its unlock screen, and does not have its own security password. Authentication delegation can be used between two GD applications, and between GD applications and the GFE mobile client. Authentication delegation is controlled by the enterprise administrator through the management console of the respective software product, either GC or GFE Good Mobile Control.

C

CLI: Command Line Interface
COTS: Commercial Off the Shelf HTTP Proxy

D

DC: Direct Connect
DMZ: Demilitarized Zone
DMZ proxy for Direct Connect: HTTP proxy in the enterprise perimeter network that relays DC connections.

G

GC: Good Control server. The GD server component which hosts the web-enabled Good Control management console, or GC console, for managing permissions and settings for Good Dynamics applications. GC resides on a machine belonging to your organization.
GD: Good Dynamics. Good product that gives companies a set of development tools to create their own secure apps built on the technology used to create GFE.
GD Application ID: The unique identifier used throughout GD to identify the application for the purposes of entitlement, publishing and service provider registration.
GD Authentication Token mechanism: A token-based single sign-on feature that enables an end user to be authenticated by an application server without the need for entry of any further credentials.
GD Direct Connect: The feature for relaying GD communication through a proxy in the enterprise perimeter network (also known as DMZ or demilitarised zone) instead of through the GD NOC. This feature also enables GP servers to be deployed in the enterprise perimeter network, instead of behind the firewall.
GD Enterprise Servers: Two GD components installed behind the enterprise firewall: Good Control (GC) and Good Proxy (GP).
GD NOC: Good Dynamics Network Operations Centre - provides a secure communications infrastructure between the GD Runtime on the mobile device and the GD enterprise servers behind the firewall.
GD Runtime: The component that is embedded in a mobile application to enable its connection to the GD platform and container. Every GD application includes an instance of the Good Dynamics Runtime. Alternative form: Good Dynamics Runtime
GD SDK: Good Dynamics Software Development Kit. The products that enable developers to build GD applications from source code in the native programming languages of the mobile platform. Native source code includes, for example, Objective-C on iOS, and Java on Android. Other forms: Good Dynamics SDK, Good Dynamics Software Development Kit
GD Shared Services: Framework for collaboration that includes Application-Based Services and Server-Based Services. Both types of service use a consumer-provider model. The consumer is always a GD application. The provider of an application-based service will also be a GD application. The provider of a server-based service will be an application server. Alternative forms: GD Shared Services, Good Dynamics Shared Services Framework, GD Shared Services Framework, Shared Services Framework
GD Wrapped Application: An application in which the GD Runtime has been embedded by using the GD Wrapping process. Other form: Good Dynamics Wrapped Application
GD Wrapping: The product for embedding the GD Runtime in a mobile application executable without requiring access to application source code. Other form: Good Dynamics Wrapping
GDN: Good Developer Networking. A web portal to support app development.
    - Download the Good Dynamics SDK
    - Download the Good Dynamics Servers
    - Access technical support, the Good Community, and other resources
    - Get notifications for technical updates
    - Get access to Good Dynamics enabled applications
    - Connect with developers and Good ISV partners
GFE: Good for Enterprise
GNP: Good Notification Push. Protocol that allows notification messages to be pushed from an application server to GD app.
Good Dynamics AppKinetics: Mechanism for secure exchange of application data between two mobile applications on the same mobile device. AppKinetics data exchange uses a consumer-provider model. One application in the exchange provides a service that is consumed by the other.
GP: Good Proxy. The GD server component which provides a secure bridge between the GC server and your enterprise application servers, if any exist, and delivers messages to and from GD applications. GP resides on a machine belonging to your organization.
GRP: Good Relay Protocol. Protocol for end-to-end secure communications between the GD app and the GP server.
GW: Good Wrapping. The GD server component which can be used to wrap non-GD iOS applications with GD technology, allowing you to secure your applications without the need for additional programming or access to source code. GW resides on a machine belonging to your organization.

H

HTML/CSS/JS: Hypertext Markup Language, Cascading Style Sheet, and JavaScript, which are the languages used to code applications in the Adobe PhoneGap MEAP.

I

IDE: Integrated Development Environment

ISV: Independent Software Vendor - a third-party software developer or reseller who has executed a partnership agreement with Good.

J

JSON: JavaScript Object Notation, the format used for AppKinetics service definitions files. JSON is a standard.

K

KCD: Kerberos Constrained Delegation. A single sign-on feature that enables an end user to be authenticated by an application server that uses Kerberos, without the need for entry of further credentials.
KDC: Key Distribution Center. A logical component of the Kerberos infrastructure.

M

MAM: Mobile Application Management

O

OWA: Outlook Web Access

P

Provisioning ID: Part of the activation key that is the same for all GD applications activated by the same end user at the same enterprise. The provisioning ID is typically the end user's enterprise email address.

R

Relay Server: Server in the NOC that provides communications between the GD app and GP servers.

Repository: In GEMS-Docs, a repository is a shared data source designated by a Display Name, a Storage Type (File Share or SharePoint), and a Path. Each repository is defined with user access permissions. Repositories can be further organized into Lists. When a repository is a member of a list, it can inherit the user access permissions defined for the whole list.
RTT: Round trip time

S

SDK: Software Development Kit. Typically a set of software development tools that allows for the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar platform.
Server Clustering: A feature within GD that enables enterprises to deploy groups of servers as single nodes in their GD infrastructure. The following servers can be deployed in clusters using this feature: GP, GC, application servers.
Server-Based Service: A GD shared service that is provided by application servers. A server-based service could use any communication technology, including HTTP or TCP sockets.
Service Discovery: Feature that enables a prospective consumer of a shared service to query for available providers of the service. The result of a service discovery query will be a list of GD applications, for an application-based service, or a list of servers, for a server-based service. Alternative forms: AppKinetics Service Discovery
Service provider registration: Activity of adding a GD application or application server to the list of providers of a particular service. The list of service providers is hosted in the GD NOC.
Share: In GEMS-Docs, a share is synonymous with a repository and can be one of two storage types: File Share or SharePoint. See Repository.
SPN: Service Principal Name

U

UI: User Interface
UPN - User Principal Name: In Active Directory, this is the name of the system user in email address format.
UX: User Experience