Enterprise Mobility Management Migration
Migrating from Legacy EMM to an ePO Managed EMM Environment
Paul Luetje, Enterprise Solutions Architect




Table of Contents

Welcome ... 3
Purpose of this document ... 3
Legacy EMM compared to ePO Managed EMM ... 3
Management Differences ... 3
EMM Enhancements ... 4
Legacy EMM (10.x) Architecture ... 5
ePO Managed EMM (12.x) Architecture ... 6
Client Side Changes ... 7
Migration to ePO managed EMM ... 8
Parallel EMM Infrastructure ... 8
Portal SSL Certificate ... 9
Apple MDM Certificate ... 9
DNS Server Changes ... 9
Client-side experience ... 9

McAfee Enterprise Mobility Management Migration Page 2

Welcome

Purpose of this document

McAfee's release of a McAfee ePolicy Orchestrator (ePO) managed version of Enterprise Mobility Management (EMM) brings the goal of ubiquitous endpoint management another step closer. Taking the leap into ePO involves significant, though largely transparent, client-side changes as well as some slight architectural or infrastructure changes. The goal of this document is to outline and explain moving from a legacy standalone EMM environment to an ePO managed EMM environment.

Many enhancements and improvements have been made to EMM as a result of ePO becoming the management platform, along with changes that have been made regarding device profiles. However, there is no direct upgrade from EMM 10.2 or earlier to EMM 12.x (the ePO managed version of EMM). This document describes the changes and offers best practices for migrating from a legacy standalone EMM environment to an ePO managed EMM environment.

Legacy EMM compared to ePO Managed EMM

The largest change when moving from Legacy EMM to an ePO Managed EMM is the administrative interface. Aside from requiring a McAfee ePO Server and fewer EMM server components, the overall basic architecture is identical to that of a Legacy EMM implementation. The EMM DMZ server running the EMM Portal, Proxy, and Push Notifier components is still required. The internal EMM server now runs only the EMM Hub component, and the McAfee ePO Console replaces the older EMM Console.

Management Differences

The following table outlines where management logistics have changed between the Legacy EMM Console and the McAfee ePO Console.
EMM Console                  McAfee ePO Console
---------------------------  ------------------------------------------
Query                        Actions -> Agent -> Wake Up Agents
Wipe                         Actions -> Mobile -> Wipe
Delete Email & PIM Data      Actions -> Mobile -> Wipe Corporate Data
Uninstall                    Actions -> Mobile -> MDM Uninstall
Lock                         Actions -> Mobile -> Lock
Reset Password               Actions -> Mobile -> Unlock
Compliance Override          ePO Policy setting
Change Ownership             ePO Tags
Delete                       Actions -> Directory Management -> Delete
Unlock Users                 Menu -> User Management -> Locked Users
Reports                      ePO Queries and Reports
Policy Settings              ePO Policy Catalog

EMM Enhancements

Several improvements and enhancements have been made to EMM since moving to ePO as the management platform. For example, policies and administrative permissions are more granular, and policy changes no longer require end user interaction because profiles are now asynchronous (see Client Side Changes below). Key features of McAfee EMM 12.0 include:

Android Security Enhancements
- Managed McAfee VirusScan Mobile Security (VMS).
  o Optionally enforce the use of VMS in order to sync corporate data, and block devices with malware or with out-of-date scans or DATs.
  o Malware events are reported as Threat Events in ePO.
- Android app reputation, using the McAfee Mobile Cloud and Global Threat Intelligence (GTI), provides an extra layer of protection against malicious and suspicious Android apps. EMM 12 gives the enterprise total control with report-only capabilities and local white and black lists.

iOS Enhancements
- IT can specify which apps can be used to open attachments to corporate email on iOS devices, providing security and separation of personal and work data on the device.
- Certificate management and distribution (PKI) for iOS VPN and WiFi profiles makes connecting to corporate networks more secure and easy.
- Single sign-on to corporate managed apps or URLs simplifies the end user experience when connecting to corporate assets by allowing users to type in their credentials just one time in order to access multiple apps or URLs.

New mobile Threat Events for improved situational awareness and remediation
- Mobile events such as a jailbroken or rooted device, a malware detection, or a malicious, suspicious, or blacklisted app are now ePO Threat Events, so they can be rolled into broader Threat Event Logs, dashboards, and reports along with other endpoint events and take advantage of ePO automation.

Improved user experience
- End users receive more specific alerts and remediation information on compliance events.
- Administrators can now see the reason for non-compliance when viewing a user's device details in the ePO system tree.

Continuing benefits from the May 2013 EMM 11.0 release include:
- Policy management, configuration, and security of mobile devices, laptops, and desktop PCs in the same console (ePO)
- Granular policy options including per user, device, and operating system
- Flexible, role-based administration including mobile-specific permissions
- Drag-and-drop dashboards for mobile or all managed systems (standard and custom) for inventory management, situational awareness, compliance reporting, and IT audits
- Over-the-air enrollment and policy delivery
- Enforcement of authentication and encryption

- Partial or full wiping of lost or stolen devices to prevent corporate data loss
- Remote device locking for lost devices
- Hosting and distribution of commercial and enterprise apps, including support for Apple's Volume Purchase Program

Legacy EMM (10.x) Architecture

The architecture outlined in Figure 1 is a typical high-level Enhanced Security Model deployment of EMM 10.x. The design of this architecture scales horizontally to accommodate redundancy, scaling, or both by placing either the EMM DMZ or EMM Hub servers behind one or more network load balancers.

[Figure 1: McAfee Enterprise Mobility Management Legacy Architecture (Enhanced Security Model)]

ePO Managed EMM (12.x) Architecture

Deploying an ePO managed EMM environment, such as EMM 12.x, is not that different from a legacy EMM environment when it comes to the number of servers and where they sit in the network. Comparing Figure 2 to Figure 1, you will notice there is still an EMM DMZ and Hub Server deployed in the Enhanced Security Model. The biggest difference between the two deployments is that EMM now requires a McAfee ePO server, which replaces the EMM Console. Policies are now created, stored, and assigned from within the ePO Console and communicated to the McAfee EMM Hub server for delivery to the devices. Reporting data is now stored inside the ePO database. In order to accomplish all of this, there is trusted bi-directional communication between the McAfee ePO and EMM Hub servers.

EMM 12.x also introduces a PKI extension installed into McAfee ePO. Connecting EMM to an internal PKI infrastructure is now done through a Simple Certificate Enrollment Protocol (SCEP) server registered in ePO, which requires a Microsoft NDES server to connect to.

Communication to and from smartphones or tablets remains the same, leveraging established messaging services such as Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM). Google deprecated its Cloud-to-Device Messaging (C2DM) service in 2012. EMM no longer supports C2DM and therefore requires a GCM Sender ID and Token in order to connect to Google.

[Figure 2: McAfee Enterprise Mobility Management ePO Managed Architecture (Enhanced Security Model)]

Client Side Changes

McAfee EMM still requires the McAfee EMM App from the Google Play Store or Apple App Store to enroll a device. There are some notable differences in the client-side experience when moving from Legacy EMM to an ePO Managed EMM. For the most part these changes are transparent to the user, but they are still important to understand. McAfee has addressed some client-side challenges, such as policy changes removing email from a device, as well as forcing a device re-enrollment every time the Portal SSL certificate was renewed or replaced.

Changes are most noticeable on Apple iOS devices. Previously, iOS devices had a Mobile Device Management profile along with one single Enterprise Activation Profile which contained several configuration profiles (see Figure 3). The ePO Managed EMM enrollment process now generates a profile signing certificate unique to every iOS device at the time of enrollment. The Mobile Device Management profile still exists, but now EMM delivers asynchronous managed config profiles for individual settings such as Passcode, Restrictions, Email, and more (see Figure 4). These managed config profiles are signed using the profile signing certificate.

[Figure 3: Legacy EMM iOS Profiles]

[Figure 4: ePO Managed EMM iOS Profiles]

By signing and delivering these individual managed config profiles, it is now possible to make a change to one security setting, such as making the Passcode stronger, without adversely affecting the Email profile. As a result of these changes, it is now possible to update and renew the Portal SSL certificate without requiring the re-enrollment of every iOS device. Additionally, McAfee has improved the messaging around non-compliance to Android and iOS devices. Better communication to the user of the device will reduce Helpdesk calls and allow users to resolve their non-compliance issues.

In order to take advantage of these new enhancements, it will be necessary for devices currently enrolled in a Legacy EMM environment to re-enroll into the new ePO managed EMM environment. The steps will be outlined later in this document.

Migration to ePO managed EMM

Due to the significant changes outlined in this document for both server and client components, McAfee recommends migrating from a Legacy EMM environment to a McAfee ePO Managed EMM environment by deploying a parallel EMM environment running the latest McAfee EMM product offering. Once deployed, devices that are enrolled into the new McAfee EMM environment will re-send device information, which will now be stored in ePO. Security and compliance settings defined in a McAfee EMM ePO policy will be enforced and delivered to the device.

Moving to the new McAfee ePO managed EMM environment will require a bit of planning before bringing it online and enrolling devices. Here are some recommended steps to follow:

- Obtain a new SSL certificate (if necessary) to reflect the new external connection
- Build out a parallel EMM environment
- Modify the My Default EMM policies for each mobile OS platform in McAfee ePO to match the default policy settings from the Legacy EMM environment
- Test a few devices to ensure everything is working
  o Requires entering the new EMM Server URL into the McAfee EMM App during enrollment
- Once testing is completed, modify the SRV record in DNS to reflect the new URL
- Instruct users to re-enroll devices

Parallel EMM Infrastructure

Building out a parallel McAfee ePO managed EMM environment is fairly straightforward. External communications to the push messaging services are the same, so the existing firewall rules will still apply. Common servers such as ActiveSync/Traveler, Active Directory/Notes Directory, and SQL can be used by both environments at the same time (see Figure 5). Communication from devices will need to be directed to a new external URL (for example, emm2.company.com) in order to enroll into the new EMM environment. During any pilot or testing phase this may require manually entering this URL into the EMM Server field of the McAfee EMM App until the SRV record(s) are changed in DNS.

[Figure 5: McAfee Enterprise Mobility Management Parallel Architecture]

Devices that are still enrolled into the Legacy EMM environment will continue to receive email and report into the previous EMM servers until the user performs a device re-enrollment.

Portal SSL Certificate

If your organization is currently leveraging a wildcard SSL certificate to secure the external EMM connection, it may not be necessary to obtain a new SSL certificate. You can reuse the wildcard certificate in the parallel EMM environment, assuming you have a copy of the certificate in PFX format complete with the full chain and private key. Reference the PFX file during the installation of the new EMM DMZ server components.

If you are not using a wildcard certificate, note that every SSL certificate is unique to the common name specified at the time of generating the Certificate Signing Request (CSR). This field is typically the URL that devices are going to resolve. For this reason, it will be necessary to obtain a new SSL certificate for the secondary URL (for example, emm2.company.com).

Apple MDM Certificate

The current Apple MDM certificate can be reused in the new McAfee ePO Managed EMM environment. There is no need to generate a new certificate request. Make sure you have the Apple MDM certificate in PFX format ready at the time of installation.

DNS Server Changes

The McAfee EMM App running on iOS and Android devices leverages a DNS Service Record (SRV) associated with the email domain of the user that enrolled the device. This is done to automatically direct the connection of the device towards the EMM DMZ Server for device enrollment. Every time a user signs into the McAfee EMM App it will look up this record and connect to the URL specified in the SRV record. Changing this record directs any new device enrollments to the new EMM environment.

Client-side experience

Device enrollment into the new McAfee ePO Managed EMM environment will require existing devices to re-enroll. The steps for these users are simple and easy to follow.

iOS Users:
1. Remove the MDM Profile
   a. Click on Settings -> General -> Profiles -> Mobile Device Management
   b. Click Remove
2. Click the Home button
3. Launch the McAfee EMM App and sign in
4. Click Update Configuration
5. Follow the prompts to enroll the device

Android Users:
1. Launch the McAfee EMM App and sign in
2. Click Update Configuration
3. Follow the prompts to enroll the device

Windows Phone Users:
1. Modify the Server setting of the Exchange ActiveSync account to reflect the new EMM Proxy URL (for example, mdm2.company.com)
2. Alternatively, the user can delete the account on the device and create a new Exchange ActiveSync account referencing the new EMM Proxy URL in the Server field.
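Two of the conditions above can be verified before users are told to re-enroll: the SRV record for the email domain must already select the new DMZ host, and the portal certificate's common name (or a one-label wildcard) must cover that host. The following Python script is an added example, not McAfee's code or part of the original document: it parses constructed SRV zone lines, picks the target the way an RFC 2782 client would, and applies the wildcard rule. The '_emm._tcp' service label, the hostnames and the zone lines are assumptions, not values from the EMM product.

```python
# Added example (not McAfee's code): pre-cutover check that the SRV record
# selects the new EMM DMZ host and that the portal certificate covers it.
# The '_emm._tcp' service label, hostnames and zone lines are assumptions.
import re

# Constructed zone lines: legacy host at priority 10, new host at priority 0
ZONE = """
_emm._tcp.company.com. 300 IN SRV 10 5 443 emm.company.com.
_emm._tcp.company.com. 300 IN SRV 0  5 443 emm2.company.com.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

def parse_srv(zone_text):
    """Parse BIND-style SRV lines into dicts; names lowercased, trailing dot removed."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append({"name": m["name"].rstrip(".").lower(),
                            "priority": int(m["prio"]), "weight": int(m["weight"]),
                            "port": int(m["port"]),
                            "target": m["target"].rstrip(".").lower()})
    return records

def select_target(records, email_domain, service="_emm._tcp"):
    """(host, port) an RFC 2782 client would pick: lowest priority wins; among
    equals, highest weight (deterministic stand-in for the weighted random pick)."""
    name = f"{service}.{email_domain}".lower()
    candidates = [r for r in records if r["name"] == name]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r["priority"], -r["weight"]))
    return best["target"], best["port"]

def cert_name_matches(cert_names, host):
    """True if host is covered by a CN/SAN entry. A wildcard covers exactly one
    label: '*.company.com' matches 'emm2.company.com' but not 'a.b.company.com'."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def cutover_ready(zone_text, email_domain, cert_names, expected_host):
    """SRV must already point at the new DMZ host, and the cert must cover it."""
    sel = select_target(parse_srv(zone_text), email_domain)
    if sel is None:
        return False, "no SRV record for domain"
    host, port = sel
    if host != expected_host.lower():
        return False, f"SRV still points at {host}:{port}"
    if not cert_name_matches(cert_names, host):
        return False, f"certificate does not cover {host}"
    return True, f"SRV -> {host}:{port}, certificate OK"
```

With a reused wildcard certificate the check passes once the SRV record is switched; with the legacy single-name certificate it fails on the certificate step, which is the case where the page says a new certificate for the secondary URL is required.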