Dell Mobile Management for Dell Enterprise Mobility Management Android Administrator Guide
Contents Introduction... 3 Quick Setup... 4 Configure Device: Basic (Non-AFW BYOD or COD)... 5 Configure Device: Android for Work BYOD (OS5+)... 10 Configure Device: AFW COD as Single App/KIOSK... 16 Policies Overview... 25 Groups... 25 Configure and Manage Policies... 25 Global- or Group-Level Policies... 26 User-Level Exceptions... 26 Device-Level Exceptions... 26 Android Policy Settings... 27 Configure Android Passcode... 29 Two-Factor Authentication... 31 Configure Android Restrictions... 32 Configure Android Restrictions (Android for Work)... 34 Configure Android Restrictions (Company Owned Devices)... 35 Configure Android Wi-Fi... 37 Configure Android VPN... 38 Configure Android E-mail Instructions... 40 Configure Android Advanced Settings... 41 Configure Enable Android For Work BYOD (OS5+)... 42 Apps & Data... 43 Manage Application Inventory and Policies... 44 Add Applications to the System Inventory... 46 Add Enterprise Applications to System Inventory... 47 Configure Application Policies... 48 Manage File Repository Inventory... 49 Routine File Repository Inventory Tasks... 49 Add Files to the File Repository Inventory... 50 Remote Commands... 51 Devices Screen... 51 Device Details Screen... 52 ii Dell Mobile Management
Introduction Dell Mobile Management (DMM) provides IT administrators with a tool to help securely manage and enable corporate access to a wide range of solutions and devices including thin clients, zero clients, cloud devices, workspace applications, smartphones, and tablets. DMM provides visibility not only into managed devices, but also insight into which employees have used them and what IT assets have been accessed. DMM is available from any location through standard Web browsers over the Internet. This guide provides instructions for configuring the Android Group Policy settings in Dell Mobile Management included with the Dell Enterprise Mobility Management. More detailed and in-depth instructions about the general, non-product-specific administrative tasks available in DMM are provide in the Dell Wyse CMM R9 Admin Guide. For details on how to set up DMM quickly, see the Dell Mobile Management Quick Start Guide. Throughout this document, select the DMM URL for your region: https://us1.cloudclientmanager.com for the US/Caribbean region or https://eu1.dellmobilitymanager.com for the EMEA region. Android Admin Guide 3
Quick Setup There are two roles involved in getting your organization set up in the Dell Mobile Management: the Global Admin and the Group Admin. The Global Admin is the highest level of administrative functionality and security and is identified and assigned at the time of DMM delivery. Among other responsibilities, the Global Admin creates the needed groups and then creates a Group Admin for each group (Steps 1 and 2 below). From there, either the Global Admin or, preferably, the Group Admin completes the remaining steps. The steps necessary to get set up quickly are: Step 1: Global Admin creates the first group Step 2: Global Admin creates the Group Admin Step 3: Group Admin add users Step 4: Global Admin completes APNS Certificate Management Step 5: Group Admin invites users to register devices Step 6: Group Admin adds devices Step 7: Global Admin adds apps Step 8: Group Admin assigns policies Step 9: User installs app and registers device For specific, step-by-step instructions for completing the Quick Setup steps, see the Dell Mobile Management Quick Start Guide. The remainder of this document guides you through both installing the app on an Android device and the administrator tasks required to configure the Android-specific Group Policy settings in Dell Mobile Management. 4 Dell Mobile Management
Configure Device: Basic (Non-AFW BYOD or COD) Follow this process to download and install the Dell Mobile Management app on your Android device and set up MDM policies (non-android for Work and non-company Owned Devices). 1. Open a browser on your device and go to play.google.com and search for Dell Mobile Management (https://play.google.com/store/search?q=dell%20mobile%20managem ent). 2. Under Apps, tap the Dell Mobile Management icon. 3. Tap Install. 4. On your device, locate and tap the Dell Management icon. 5. On the initial Mobile Management screen, tap INSTALL at the bottom right of your screen. Android Admin Guide 5
Dell Mobile Management installs the app and displays an Application Installed screen to let you know the installation is finished. 6. Tap OPEN. 7. Enter your corporate Username and tap Next. 8. Enter your corporate Password and tap Done. 6 Dell Mobile Management
9. Tap REGISTER DEVICE. Dell Mobile Management displays a progress screen that reads Registering device to Cloud Client Manager. 10. The app then displays the DELL Device Administration screen. Tap ACTIVATE. Android Admin Guide 7
When completed, the app displays the home screen with the message at the bottom indicating that your registration completed successfully. If your device does not read compliant, simply tap and hold the Checkin Policy tab, drag it down slightly, then release it. The following shows how the Mobile Management tabs relate to DMM. Your device is compliant Indicates you device is compliant with all of your company policies. Admins can also manage device compliance through the use of rules: (Rules > Add Rule). The compliance rules are: Max Device Per User Sets limit for number of devices that can be registered per user. Minimum OS Version Sets minimum OS allowed for registration. Passcode Compliance Sets maximum number of days for user to comply with the passcode requirement before device is wiped, unregistered, or reset passcode and locked. Mandatory apps Compliance Sets maximum number of days for user to download/install mandatory app(s) before device is wiped, unregistered, or reset passcode and locked. Restricted apps Compliance Sets maximum number of days for user to remove restricted app(s) before device is wiped, unregistered, or reset passcode and locked. Jailbreak or rooted Compliance Sets maximum number of days for user to remove a jailbroken or rooted device before the device is wiped, unregistered, or reset passcode and locked. Encryption Compliance Sets maximum number of days for user to comply with the encryption policy before the device is wiped, unregistered, or reset passcode and locked. Device check-in Compliance Sets maximum number of days for user to check in before device is unregistered. 8 Dell Mobile Management
Checkin Policy States your company check-in policy and indicates if your device is compliant with that policy. In DMM, you can configure how many days can pass before the device is required to check in again. This is configured in Portal Admin > Other Settings. Set the number of days that can pass before DMM triggers a Not Checked In alert. Only the Global Admin can set this number. Apps Policy States your company apps policy and indicates if there are mandatory apps available for you to install and if there are restricted apps. In DMM, use Apps & Data > Mobile > Add Apps to add apps and set the app s level of availability (Mandatory, Restricted, or Recommended). Encryption Policy States your company encryption policy and indicates if your device is compliant with that policy. In DMM, this is configured in Groups > name of Group > Edit Policies > Android > Advanced > Configure this item. Here, you can enforce the data encryption level, geolocation data, allow rooted devices, or restrict activesync connections. Passcode Policy States your company passcode policy and indicates if your device is compliant with that policy. In DMM, this is configured in Groups > name of Group > Edit Policies > Android > Passcode > Configure this item. Here, you can enforce the use of a PIN, Password, or Pattern on the device. Root Policy States your company policy on rooted devices and indicates if your device is compliant with that policy. In DMM, you can allow rooted devices to be compliant. Configure this in Groups > name of Group > Edit Policies > Android > Advanced > Allow Rooted Devices. Home Tap this icon to return to the Mobile Management home screen and check compliance. Applications Tap this icon to open the Applications area where you can see and/or download the Mandatory, Restricted, and Recommended applications available to your device. Email Settings Tap this icon to display the instructions for setting up your email account. Account Tap this icon to display your Account information, Profiles, and General settings. Tap Account to add/change your picture on the device from DMM. Android Admin Guide 9
Configure Device: Android for Work BYOD (OS5+) Android For Work (AFW) provides enhanced Mobile Device Management technology for configuring Bring Your Own Device (BYOD) devices. IMPORTANT: When you enable Android For Work BYOD, normaly registered devices will become AFW BYOD devices. Company Owned devices will work as expected through the configurations steps listed in a later section. Use the following configuration process for setting up AFW BYOD on Android 5.0 + devices. Google certifies that the following features work on newer Nexus devices. Other manufacturers may not work; please check first. Steps FIRST: Prepare the Android for Work (AFW) device Android For Work BYOD (OS5+) BYOD devices will be configured over the air with Dell Mobile Management console. Create a group that has the following Android settings enabled by navigating to Groups, Select a Group, and choose Android. Then, find the following option on the bottom. Make sure your users are associated with the appropriate groups. Instruct the users to download the Dell Mobile Management App from the Google Play Store. Have the user log in to the Dell Mobile Management Agent app and enter their username and password. This initializes the device as an AFW device. *The instructions will be provided to the user under the Users tab with the Invite User command. 10 Dell Mobile Management
Steps SECOND: Encrypt the device Android For Work BYOD (OS5+) Once the AFW feature is started through the Dell Mobile Management system, the device will begin the AFW set up and prompt the user to encrypt the device. You will see a screen similar to this: Tap SET UP. Android Admin Guide 11
Steps Android For Work BYOD (OS5+) Tap ENCRYPT. 12 Dell Mobile Management
Steps Android For Work BYOD (OS5+) The user will complete the encryption. Android Admin Guide 13
Steps THIRD: Register the user and the device Android For Work BYOD (OS5+) On the AFW BYOD device you will see new apps that are installed with the work profile. You will also see a second Dell Mobile Management Agent: 14 Dell Mobile Management
Steps Android For Work BYOD (OS5+) Select the new Dell Mobile Management Agent with the briefcase icon. Enter the user name and password. Tap REGISTER DEVICE. The device will complete the device registration. Android Admin Guide 15
Configure Device: AFW COD as Single App/KIOSK Android For Work (AFW) provides enhanced Mobile Device Management technology for configuring Company Owned Devices (COD) as a Single App/Kiosk. Use the following configuration process for setting up AFW COD as Single App/Kiosk on Android 5.0 + devices. Google certifies that the following features work on newer Nexus devices. Other manufacturers may not work; please check first. Steps FIRST: Prepare the Android for Work (AFW) device Company Owned Device as Single App/Kiosk Company Owned Devices must be configured with an NFC transfer from a set-up device. Select a device that has NFC capabilities as your set-up device. Select your COD and perform a factory reset. This will remove all of the data from the device. Make sure the COD has completed the factory reset, and is turned on to the very first screen. DO NOT set up the COD device past the language select. Plug the COD in and make sure it is fully charged. Install the Dell Mobile Management app on the set-up device. DO NOT register or log in with any credentials. On the top right corner of the DMM App, you will see a gear. Tap the gear then tap AFW Provisioning. 16 Dell Mobile Management
Steps Company Owned Device as Single App/Kiosk When you see the following screen, touch the back of this phone to the COD. Android Admin Guide 17
Steps Company Owned Device as Single App/Kiosk When the devices make an NFC connection, the device makes a sound and the App will shrink like this: Tap Touch to Beam. 18 Dell Mobile Management
Steps SECOND: Encrypt the device Company Owned Device as Single App/Kiosk Once the COD feature is transferred from the set-up device, the COD will begin the AFW set up and prompt the user to encrypt the device. You will see a screen similar this: Android Admin Guide 19
Steps Company Owned Device as Single App/Kiosk If the device is not charged and plugged in, the device will display this screen: 20 Dell Mobile Management
Steps THIRD: Register the user and the device Company Owned Device as Single App/Kiosk Launch the Dell Mobile Management app on the device. Android Admin Guide 21
Steps Company Owned Device as Single App/Kiosk Enter the user name and password. The device will complete the device registration. Set up Single App / Kiosk In order to set up a Single App/Kiosk device, a special app is required. The developer must use the screen pinning API provided by Google. Check with the developer to make sure the App is configured to be a Single App/Kiosk. 22 Dell Mobile Management
Steps Company Owned Device as Single App/Kiosk From the group Android Settings on the DMM console, click Kiosk Mode (Company Owned Devices). In the Kiosk App section, click Select App. Click on the app you want to select as the single app then click Done. Click Save & Publish. Android Admin Guide 23
Steps Company Owned Device as Single App/Kiosk The app will be pinned to the screen and the only button that will be available is the Back button. 24 Dell Mobile Management
Policies Overview Groups Normally, you use the Groups functions of DMM to perform routine group policy management tasks. DMM gives administrators (both Global and Group) the flexibility to employ hierarchical Group Policy management (with the highest group policy level being the Default Group Policy). Optionally, sub-groups of the Default Group Policy can be created to segment users according to corporate standards; for example, job functions, device type, bring-yourown-device, and so on. Configure and Manage Policies Android group policies can be managed at many different levels. DMM gives you the ability to nest Groups up to nine deep, as shown in the following example. To create a subgroup, simply select the desired group then click the Add Group (+) icon and follow the on-screen prompts. Policies can be assigned organization-wide, on a per-group basis, on a per-user basis, or on a per-device basis. If a policy configuration has conflicts between the different levels (for example, a passcode policy is applied at the User and Group levels with different passcode complexities) the lowest-level (most-detailed level) policy takes precedence (in our example case, the User level (the more detailed level) will take precedence over the Group level). Policies are enforced in the following order: 1. Device (see Device Level Exceptions) 2. User (see User Level Exceptions) 3. Group (see Group Level Policies) 4. Global (see Global Level Policies) Use the following general guidelines when working with policies Policies can be modified on multiple levels and the information will automatically be consolidated into one policy for each User/Device. Android policies can be configured at Global, Per Group, Per User, and Per Device levels. Policies are inherited in the order they are created. Any settings you configure in a Default Policy Group will be the default in all the policies below that Default Policy Group (likewise for a Group all Users and Devices in that Group have the Default Policy Group as their default). Android Admin Guide 25
You can always create an exception for a User/Device in a Group to have a subset of policies to be different than the Group default. You can do this using the User Details page or the Device Details page. These detail pages display the configuration for that asset with details of where configurations are set (Global, Group, User, Device levels) and allows you the option to create exceptions. When modifying lower-level policies, any policy that is an override to a higher-level policy will be indicated by a bullet symbol to the left of the policy type; for example, Passcode, Restrictions, Wi-Fi, and so on. While modifying policies, an asterisk (*) is placed to the right of the policy types to indicate that there are unsaved (and unpublished) changes. To review these changes prior to publishing them, click on the View pending changes link at the right of the panel. As soon as you click Save & Publish, the devices are notified about the changes and the changes will take effect based on the behavior of the devices (that is, mobile devices always apply changes immediately while thin client changes usually occur after a reboot; many thin client settings force a reboot immediately to apply your changes). Global- or Group-Level Policies Generally, you will use the following steps to configure the settings of a policy at the Global level. 1. Click the Edit Policies link of the Default Policy Group or other named group. 2. From the drop-down list, select Android. 3. In the Settings section on the left side of the screen, click the settings you want. 4. Click Configure this item to open and use the settings page to configure your settings. 5. Click Save & Publish. User-Level Exceptions To configure a policy at the User level, 1. Click the Users tab to open the Users page. 2. Click a Name link to open the User Details page. 3. Click the Summary tab, scroll to the User Configuration section, and click Create/Edit Exceptions. 4. Select the device type for which you want to manage the exceptions from the menu to open and use the User Level Exceptions page. 5. Click Save & Publish. Device-Level Exceptions To configure a policy at the Device level, 1. Click the Devices tab to open the Devices page. 2. Click a Name link to open the Device Details page. 3. Click the Summary tab, scroll to the Device Configuration section, and click Create/Edit Exceptions. 4. Select the device type for which you want to manage the exceptions from the menu to open and use the Device Level Exceptions page. 5. Click Save & Publish. 26 Dell Mobile Management
Android Policy Settings To edit any of the Android Policy settings* using the DMM console, follow these generic steps for all available policy settings. 1. Click the Groups tab then click the Edit Policies link of a Group or the Default Policy Group. Only the Global Admin can add/edit Default Policy Group policies. 2. Select Android from the menu. DMM displays the Android Settings in a list on the left side of the screen. 3. In the Android Settings column on the left, click the Android Settings option that you want then click Configure this item to open and use the settings page. 4. When you have selected/unselected/entered the desired settings for that selection, click Save & Publish. DMM adds a bullet beside the setting(s) you change as a quick visual indication of which settings have changed. Android Admin Guide 27
Android Settings include the following (refer to the graphic following the list): Passcode Used to specify passcode policies. Applies to all registered Android devices. Restrictions Use this section to specify settings related to application and content restrictions. Applies to registered Android for Work (BYOD) and Company Owned Devices (COD). Requires the Android For Work (AFW) profile to be installed. Restrictions (Android for Work) Used to specify settings related to application and content restrictions. Restrictions (Company Owned Devices) Used to specify restrictions that applies only to Android for Work Company Owned Devices. Applies to registered Company Owned Devices (COD). COD devices must be set up with an NFC device transfer. An AFW profile is not required. Wi-Fi Used to configure how the device connects to wireless networks, including the necessary authentication information. Applies to all registered Android devices. VPN Used to configure how the device connects to wireless networks via VPN, including the necessary authentication information. Applies to all registered Android devices. Email Instructions Used to enter the instructions to the user on how to configure his e-mail account on the device. Applies to all registered Android devices. Advanced Used to configure advanced policies. Applies to all registered Android devices. Enable Android for Work BYOD (OS5+) Used to set up the Android for Work (AFW) BYOD profile configuration for AFW BYOD devices. Required to be able to push AFW Restrictions. Kiosk Mode (Company Owned Devices) Used to configure Kiosk Mode on Android for Work Company Owned Devices only (device lock down to a single app). Applies to registered Company Owned Devices. This feature requires special Kiosk apps. Details on configuring Android basic devices, Android for Work BYOD, and Android for Work COD as Single App/KIOSK, are provided in their specific sections of this document. *The Group Administrator can view the Default Policy Group policies but cannot edit (change) them. Only the Global Administrator can edit the policies of the Default Policy Group. The Global Administrator can, however, edit the policies of any group. 28 Dell Mobile Management
Configure Android Passcode Use this screen to specify passcode policies. Users are unable to modify these settings once the configuration profile is installed. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Passcode then click Configure this item. The system displays the Passcode window. 4. Select or enter the policies you want to support. Various additional options display depending on your selections. 5. Click Save & Publish. Android Admin Guide 29
Setting Require Passcode Enforce PIN with Numeric complexity (OS5+) Require Alphabetic or Numeric Require Alphabetic Require Complex Passcode Max Grace Period for Device Lock Number of Failed Attempts Before Wipe Max Passcode Age Number of Historical Passcodes Description Select this to enforce the use of PIN, Password, or Pattern on the device. When you select the checkbox, the remaining policies display. Select this checkbox to enforce PINs without repetitive or sequential number patterns. Select this if the passcode should contain at least on alphabetic and one numeric value on the device. Select this to require the user to enter a password with at least one alphabetic character. Select this to require the user to enter a password with at least one alpha character, one numeric character, and one symbol. If you select this option, DMM displays additional password parameters: Minimum Passcode length Minimum number of letters Minimum number of lower-case letters Minimum number of upper-case letters Minimum number of numbers Minimum number of symbols From the drop-down list, select the desired maximum amount of time the user can configure for the device to be locked without prompting for passcode to unlock. From the drop-down list, select the number of passcode entry attempts allowed before all data on device will be erased. Enter the maximum number of days after which the passcode must be changed (0-730). This is a required field. Enter the number of unique passcodes that the user must configure before he can reuse a previously-used passcode. Accepted values are 0-50. 30 Dell Mobile Management
Two-Factor Authentication Two-factor authentication provides an additional layer of security for you and your admins. It requires a second authentication factor using a one-time passcode for the admin to successfully sign in to DMM. To enable two-factor authentication, you must have at least two active Global Administrators in the system. The Enable two-factor authentication checkbox is disabled until you create one or more additional Global Administrators. Once you have created at least one additional Global Administrator, the red Note no longer displays and the Enable two factor authentication is unlocked. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. To enable two-factor authentication, check the Enable two factor authentication checkbox. 4. Click Save Settings. DMM emails a one-time passcode to the admin s email address on file after the admin s first sign-in using username and password. Eight attempts are provided to verify the one-time passcode; after which the account is locked. Only Global Administrators can unlock locked accounts. Android Admin Guide 31
Configure Android Restrictions Use the Restrictions page to configure Android device application and content restrictions, such as use of camera, YouTube, Browser, Google Play, and Facebook. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Restrictions then click Configure this item. DMM displays the Restrictions policies page. 4. Select the policies you want to support. 5. Click Save & Publish. Setting Allow Camera Allow YouTube Allow Browser Allow Google Play Allow Facebook Allow keyguard customization Keyguard Restriction Level Allow Widgets Allow Secure Camera Allow Fingerprint Sensor (OS5+) Allow Trust Agent (OS5+) Description Select this to allow the use of the camera on the device. Select this to allow connecting to YouTube from the device. Select this to allow launching a browser on the device. Select this to connect to Google Play from the device. Select this to connect to Facebook from the device. If selected, lets you configure Keyguard features Select the restrictions to be applied to the Android Keyguard. If selected, disables Widgets on Keyguard. If selected, allows secure camera. If selected, enables the fingerprint sensor on Keyguard for OS5+ devices. If selected, enables the Trust Agent on Keyguard for OS5+ devices. 32 Dell Mobile Management
Setting Allow Showing Unredacted Notifications (OS5+) Allow Showing Notification (OS5+) Description If selected, the device shows the content of the notification when it is displayed on Keyguard. If selected, enables the display of all notifications on Keyguard. Android Admin Guide 33
Configure Android Restrictions (Android for Work) Use this page to configure device restrictions on Android devices that belong to the employee or end user. These restrictions apply to both Android for Work DMM Profile and Android for Work Company Owned Devices. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Restrictions (Android for Work) then click Configure this item. The system displays the Restrictions (Android for Work) policy page in two sections: Hardware and User Specific. All of the policies, except Mute master volume, are selected by default. 4. Select or unselect the policies you want to support. 5. Click Save & Publish. 34 Dell Mobile Management
Configure Android Restrictions (Company Owned Devices) Use this page to configure device restrictions on Android Devices that are owned, operated, and configured by the corporate IT administrator. These restrictions apply only to Android for Work Company Owned Devices. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Restrictions (Company Owned Devices) then click Configure this item. DMM displays the Restrictions (Company Owned Devices) policy page with two sections: a general section at the top and the User Specific settings. 4. Select or unselect the policies you want to support. 5. Click Save & Publish. Android Admin Guide 35
36 Dell Mobile Management
Configure Android Wi-Fi Use this screen to configure how the device connects to wireless networks, including the necessary authentication information. Use this page to configure Android device WiFi settings such as functionality, network, and security. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Wi-Fi then click Configure this item. DMM displays the Wi-Fi policy screen. 4. Select the Wi-Fi policies you want to support. Additional options will display depending on which Security Type you select. 5. Click Save & Publish. Setting Service Set Identifier Hidden Network Security Type Description Enter the identification of the wireless network to connect to. This field is mandatory. Select this option if the network you are connecting to is not an open or broadcasted network. Select the type of wireless network encryption to use while connecting. If you select WEP or WPAMP2 PSK, the system displays the Password field. Enter the password used to authenticate to the wireless network. If you select a Security Type of 802.1x EAP, the system displays the 802.1X EAP section with additional fields. Click the Protocols tab then select the: EAP Method The authentication protocol supported on target network. If you select PEAP or TTLS you can select the Phase 2 Authentication type. Click the Authentication tab then enter the: User Name Anonymous Identity Password Click the Trust tab then select the CA Certificate (Android OS 4.0+). Only certificates uploaded to File Repository are shown. NOTE: This Initiates certificate installation on the device and requires user interaction to complete install. Android Admin Guide 37
Configure Android VPN Use this screen to configure how the device connects to wireless networks via VPN, including the necessary authentication information. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click VPN then click Configure this item. DMM displays the VPN policy screen. 4. Select the VPN policies you want to support. Additional options display depending on which Connection Type you select. 5. Click Save & Publish. Setting Connection Name Server Connection Type Use AnyConnect Certificate Username Password Realm Description Enter a unique name for the VPN connection. This is mandatory. Enter the domain name, or IP address, or the URL of the server. Select the Connection Type. If you select Dell SonicWall Mobile Connect, you must enter the following details: Username - The user name for the connection. Password - The password for the connection. Realm - The realm or area used for the VPN connection profile. Domain - The domain used for the VPN connection profile. This is enabled if you select Cisco AnyConnect as the connection type. Only certificates uploaded to File Repository are shown. This field displays only if you select a Connection Type of Dell SonicWALL Mobile Connect. Enter the desired username for this connection. This field displays only if you select a Connection Type of Dell SonicWALL Mobile Connect. Enter the desired password for this connection. This field displays only if you select a Connection Type of Dell SonicWALL Mobile Connect. Enter the Realm used for the VPN connection profile; for example, Series connections only. 38 Dell Mobile Management
Setting Domain Description This field displays only if you select a Connection Type of Dell SonicWALL Mobile Connect. Enter the Domain used for the VPN connection profile (SRA & UTM connection only). Android Admin Guide 39
Configure Android E-mail Instructions 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click E-mail Instructions then click Configure this item. DMM displays the Email policy screen. 4. In the textbox provided, enter instructions that explain how mobile users can gain access to your companies e- mail. Depending on the device, this can include instructions on configuring the Gmail or E-mail app (Account Type, Incoming mail server, Outgoing mail server, Logon information, etc.). This is the text that will display on the user s Android device when the user taps the Email icon. 5. Click Save & Publish. 40 Dell Mobile Management
Configure Android Advanced Settings Use the Advanced page to configure settings to allow non-encrypted devices. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Advanced then click Configure this item. DMM displays the Advanced policies page. 4. Select the Advanced policies you want to support. 5. Click Save & Publish. Setting Data Encryption Management Level Enable devices to send geolocation data Allow Rooted Devices Restrict active-sync connections to devices under management (requires AD proxy-configurations) Description Select an option to specify if the device secure storage area should be encrypted. None: The default and indicates that devices that are not encrypted are allowed. Warning: Flag devices where encryption is not enabled as "Not Compliant" Enforced: Enable encryption on device Select this to enable the devices to send their geographical location to the server. Select this option if you do not want to consider the Rooted status of the devices for compliance. Rooted devices are those devices where the users have privileged control over the devices sub-system. Select the device types to restrict active-sync connections. None Enrolled Devices Enrolled and Compliant Devices Active-sync connections require AD proxy-configuration. Android Admin Guide 41
Configure Enable Android For Work BYOD (OS5+) Use this page to set up the Android for Work (AFW) profile configuration for the device. 1. In DMM, click the Groups tab then, under Group Tree Hierarchy on the left, click the name of the group for which you want to configure polices. 2. On the right side of the screen, click Edit Policies then select Android. 3. In the Android Settings column on the left, click Enable Android For Work BYOD (OS5+) then click Configure this item. 4. The Enforce checkbox is checked by default. To disable this policy, uncheck the Enforce enterprise account and DMM profile on devices running Android 5.0 and above checkbox. When this option is enabled, upon registration, the system will set up the enterprise account and Dell Mobile Management (DMM) profile on personal devices running Android 5.0 and above.this option has no effect on devices running older operating systems or on Company Owned Devices. IMPORTANT: When you enable Android For Work BYOD, new, normaly registered devices will become AFW BYOD devices. Company Owned devices will work as expected through the configurations steps listed in a later section. This will not affect already-registered devices. To apply this policy to already-registered devices, the devices must be re-registered. 5. Click Save & Publish. 42 Dell Mobile Management
Apps & Data This section describes how to perform routine device Application (Inventory and Policies) and File Repository Inventory management tasks using DMM. IMPORTANT: Application Policies are Global and per-group: Application policies are currently assigned at the Global and Group levels; however, in subsequent DMM releases, they will be manageable at the User and Device levels as well. Note that Default Policy Group is considered a stand-alone policy group for Application Policies. Therefore, assigning an application policy at the Default Policy Group will only apply to Mobile Users assigned directly to this group. To assign to all groups, all groups must be selected when configuring the policy. Android Requirements Devices must have access to Google Play for non-customized applications. To install applications from Google Play, the user must have a Google account configured on the device. To install paid applications, the user must enter their own payment information from the device. Android Admin Guide 43
Manage Application Inventory and Policies The Application Inventory page (Apps & Data > App Inventory) and the Application Policies page (Apps & Data > App Policies) allow you to quickly view and manage the device Application Inventory and Policies that are available. NOTE: Managing application policies is a two-step process: First, the application must be added to the application inventory. Second, policies must be applied to applications within the inventory. Mobile Inventory Mobile Policies The following table provides a quick overview of what you can do using the Application Inventory page and the Application Policies page. 44 Dell Mobile Management
Tasks you can do How Details Add an Application to the system inventory. View Application details Configure an Application Policy in the system On the Application Inventory page (Apps & Data > App Inventory), click Add Apps to open and use the Application Inventory page or click Add Enterprise Apps to open and use the Add Enterprise App wizard. On the Application Inventory page (Apps & Data > App Inventory), click the Name link of the App you want to open and view the Application Detail page. On the Application Policies page (Apps & Data > App Policies), scroll to the application you want to manage, select the option you want (Not Managed, Restricted, or Mandatory), and then click Save & Publish. For Applications from the Google Play Store or the Apple App Store, see Add Applications to the System Inventory (Google Play or Apple App Store). NOTE: You can view Application Name, Version, Application ID, Price, Supported Devices, and Bundle ID. For Enterprise Apps, you can also view the File Name (for example TanalyticsBeta1v21.ipa) or URL (for example, https://myserver/myapp.plist). NOTE: The Application Policies page allows you to select the following: Not Managed - Simply keep the application in your application inventory (you can configure the policies you want to apply for application use at a later time). Restricted - Application is restricted from installation and use. If this application is detected on a device, an Alert will be raised and the device will be flagged as Non Compliant. Recommended Application is recommended for download/ installation but not required. Mandatory - Application is forced onto all supported devices that are registered and compliant. Delete an Application from the system On the Application Inventory page (Apps & Data > App Inventory), select the checkbox next to the application you want to delete, click the Remove Apps button, and confirm the deletion. The Application is deleted and is no longer shown in the list of available applications on the Application Inventory page. IMPORTANT: Only applications that are Not Managed can be deleted. Android Admin Guide 45
Add Applications to the System Inventory 1. In DMM, click Apps & Data then, under App Inventory, click Mobile. 2. Click Add Apps. 3. In the Search Type drop-down list, select which type of search you want to perform: Application Name or Developer Name. 4. In the Name field enter the name of the application or developer you want to search for. 5. In the Device Type drop-down list, select Android. 6. In the Country drop-down list, accept the default of US or select the name of the country to which the application belongs. 7. Click Search to search the application store that supports the Device Type you selected. 8. On the Results page, select the application you want then click Add to Inventory. The Application will display on the Application Inventory page (Apps & Data > App Inventory) or simply click Back to Inventory. You can now configure the policies you want to apply for app use. 46 Dell Mobile Management
Add Enterprise Applications to System Inventory 1. In DMM, click Apps & Data then, under App Inventory, click Mobile. 2. Click Add Enterprise Apps to open the Add Enterprise App window. 3. Use the one of the two options: Upload Application to Repository - Click Browse to locate and select an enterprise app (.apk) to upload to the Application Inventory, click Next, then follow the wizard to enter the App Icon. Link to Enterprise Application - Enter the link to the secure Web server hosting your enterprise Android app (link to.apk file), click Next, then follow the wizard to enter the App Name, App ID, Version, Supported Devices, and App Icon. 4. Click Save. The system displays the Apps & Data list or simply click Back to Inventory. You can now configure the policies you want to apply for app use. Android Admin Guide 47
Configure Application Policies Use this process to configure the application policies. 1. In DMM, click Apps & Data then, under App Policies, click Mobile. 2. Check the checkbox next to the app you want to edit then click Edit Policy to open the Edit App Policy page. 3. Select one of the following options: Not Managed - Select if you want the application to simply remain in your application inventory (you can configure the policies you want to apply for application use at a later time). Restricted - Select if you want the application to be restricted from installation and use. If this application is detected on a device, an Alert will be raised, and the device will be flagged as Non Compliant. Recommended Select if you want to recommend but not require the application to be installed on the device. Mandatory - Select if you want the application to be forced onto all supported devices that are registered and compliant. IMPORTANT: The Mandatory option will install the App, regardless of the install App options on the Dell Cloud Connect device. 4. Click Save to enforce your inventory policies. 48 Dell Mobile Management
Manage File Repository Inventory The File Repository Inventory page (Apps & Data > File Repository Inventory) allows you to quickly view and manage the File Repository Inventory (thin client firmware and certificate files) that are available (see the Routine File Repository Inventory Tasks table). Routine File Repository Inventory Tasks The following table provides a quick overview of what you can do using the File Repository Inventory page. Tasks you can do How Details Add a file to the File Repository inventory. Edit a file in the File Repository. Delete a file from the File Repository. On the File Repository Inventory page (Apps & Data > File Repository > Inventory), click Add File to open and use the Add File page. On the File Repository Inventory page (Apps & Data > File Repository > Inventory), select the checkbox next to the file you want to edit, click Edit File, then make your changes. On the File Repository Inventory page (Apps & Data > File Repository > Inventory), select the checkbox next to the application you want to delete, click Remove File and confirm the deletion. The file is deleted and is no longer shown in the list of available files on the File Repository Inventory page. See Add Apps to the System Inventory. IMPORTANT: Only files that are Not Assigned to a policy group or a device can be deleted. Android Admin Guide 49
Add Files to the File Repository Inventory Whatever you add to DMM and then make available to your Groups is known as inventory. Here, you will add certain files that pertain to functionality and look of DMM. 1. In DMM, click Apps & Data. 2. Under File Repository on the left, click Inventory then click Add File. 3. In the File Name field, click Browse to locate and select the file you want to add to your inventory. 4. In the Type drop-down list, select which type of file you are uploading: Firmware used for thin client applications Certificate used to upload your SMA certificate Wallpaper used to change the look of your desktop Logo used to add your company or organization logo to the DMM sign in window; supports.ico,.bmp,.jpg, and.gif formats. Recommended size is 100H x 360W. EULA Text File used to add your company or organization EULA; supports plain text only; limited to 100 KB size 5. In the Description text box, enter a brief but clear description of the file you are uploading (required). 6. If a file by the same name already exists and you want to replace it with this file, check the Override Existing File checkbox. 7. Click Upload to upload the file to the File Repository Inventory. NOTE: This will add a file to the repository, but will not assign it to any group or devices. For ThinOS firmware images, the file version and platform will be detected automatically. You can assign files to policy groups or to devices from either the Groups page (Android for Dell Wyse Cloud Connect or ThinOS/Xenith for thin client) or from the Device Details page by assigning an exception at the device level. Note that the policy assignments can be reviewed from the File Repository Inventory page. The number of policy groups and devices (device-level exceptions) that each file has been assigned to is displayed in the assignments column. By hovering over the number next to Groups or Devices you can display the names of the policy groups and devices. 50 Dell Mobile Management
Remote Commands DMM gives Administrators additional functions to help manage devices. Most of these functions are located on both the Devices tab and on the Device Details screen in DMM. Some commands are available only on certain devices; for example, the Start Ringing command can be sent to a Windows Phone but not to an Android phone. Devices Screen Query Sends a DeviceInformation command to the selected device(s). When you query the device, The device checks in with the DMM server and the check-in time on the server is updated. The device reports back all the updated device information to the server (e.g., system info, apps installed on the device.) However, GPS location is not updated. GPS location is only updated when a manual or automatic check-in is performed from the DMM agent installed on the device. Clear Passcode Sends a ClearPasscode command to the selected device(s). This forces the user to enter a new passcode at the next attempted use. Reset Passcode Sends a ResetPasscode command to the selected device(s).you must give the user a temporary passcode. Lock Sends a Lock command to the selected device(s). This forces the device(s) to enter into a locked state and requires the user to enter a PIN at the next attempted use. Unregister Sends an Unregister command to the selected device(s). The user will then have to re-register the device on DMM. More Actions Wipe Removes all data and applications from the device (sets the device to factory defaults not recommended for employee-owned devices). Send Message Sends an alert message (up to 128 characters) to the selected device(s). Republish All (Android) Republishes all policies to the selected Android device(s). Republish All Apps Republishes all applications to the selected device(s). Export Devices to CSV To export all of your device data to an Excel spreadsheet, click More Actions > Export Devices to CSV. DMM converts the device summary to a.csv file and, depending on your browser, saves and/or opens the file in Excel. Android Admin Guide 51
Device Details Screen Query Sends a DeviceInformation command to the selected device(s). When you query the device, The device checks in with the DMM server and the check-in time on the server is updated. The device reports back all the updated device information to the server (e.g., system info, apps installed on the device.) However, GPS location is not updated. GPS location is only updated when a manual or automatic check-in is performed from the DMM agent installed on the device. Reset Passcode Sends a ResetPasscode command to the selected device(s). If you select an Android device, you must give the user a temporary passcode. Lock Sends a Lock command to the selected device(s). This forces the device(s) to enter into a locked state and requires the user to enter a PIN at the next attempted use. Unregister Sends an Unregister command to the selected device(s). The user will then have to re-register the device on DMM. Wipe Removes all data and applications from the device (sets the device to factory defaults not recommended for employee-owned devices). More Actions Send Message Sends an alert message (up to 128 characters) to the selected device(s). Change Device Name Changes the device name that displays in DMM not the actual name of the device. You must provide a new name in the New Device Name textbox. Republish All (Android) Republishes all policies to the selected Android device(s). 52 Dell Mobile Management
Copyright Dell Mobile Management R9 Android Admin Guide V2.0 November 2015 2015, Dell, Inc. All Rights Reserved. This document and the software and firmware described in it are copyrighted. You may not reproduce, transmit, transcribe, store in a retrieval system, or translate into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise, any part of this publication without prior, written permission. End User License Agreement ( License ) A copy of the End User License Agreement is included in the software and provided for your reference only. The License at http://www.dell.com/wyse/licenses as of the purchase date is the controlling licensing agreement. By copying, using, or installing the software or the product, you agree to be bound by those terms. A copy of the licensee agreement can be found on the web (for individuals) or in the signed written agreement between you, or your company, and Dell, Inc. (and/or its resellers and distributors). Trademarks Dell, Dell Mobile Management, and DMM are trademarks of Dell, Inc. All other product or company names may be trademarks of their respective owners. The Dell logo is a trademark of Dell Inc. Other product names mentioned herein are for identification purposes only and may be trademarks and/or registered trademarks of their respective companies. Specifications subject to change without notice. Restricted Rights You acknowledge that the Software is of U.S. origin. You agree to comply with all applicable international and national laws that apply to the Software, including the U.S. Export Administration Regulations, as well as end-user, end-use and country destination restrictions issued by U.S. and other governments. For additional information on exporting the Software, see http://www.microsoft.com/exporting. Ordering Information For availability, pricing, and ordering information in the United States and Canada, call 1-800-438-9973 or visit us at Dell.com. In all other countries, contact your sales representative. About this Guide This guide is intended for system administrators. It provides instructions for using Dell Mobile Management R9 included with the Dell Enterprise Mobility Management solution. This guide is a companion document to the more comprehensive and detailed Dell Mobile Management Administrator Guide. Technical Support To access Dell Enterprise Mobility Management technical resources (create a Service Request), visit https://support.software.dell.com/create-service-request. NOTE: You will need to register with Dell Support to place a service request. New to Dell Software Support? Check out the Getting Started section of Dell Software Support at https://support.software.dell.com/essentials/gettingstarted. Android Admin Guide 53
If you still need help, you can call Technical Support at 1-800-306-9329 (toll free in U.S. and Canada) or 949-754- 8000 or 949-754-8080. Hours of operation are from 5:00 A.M. to 5:00 P.M. Pacific Standard Time, Monday through Friday. Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to http://software.dell.com/support/. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, DMM provides direct access to product support engineers through an online Service Request system. The site enables you to: About Dell Create, update, and manage Service Requests (cases) View Knowledge Base articles Obtain product notifications Download software. For trial software, go to Trial Downloads. View how-to videos Engage in community discussions Chat with a support engineer Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com. For more information on DMM, visit our support portal at http://software.dell.com/products/mobile-management/. Contacting Dell Technical Support: Online Support Product Questions and Sales: (800) 306-9329 Email: info@software.dell.com 54 Dell Mobile Management