

Symantec Mobile Management 7.2 MR1 Quick-start Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: 7.2.1

Legal Notice
Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Printed in the United States of America.

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Getting started with Symantec Mobile Management 7.2


This document includes the following topics:

- Before you begin
- Running the Symantec Mobile Management Prerequisite Check Utility
- Downloading and installing Symantec Mobile Management 7.2
- Rolling out and configuring the site server
- Downloading the Mobile Management agent to a mobile device
- Enrolling a mobile device
- Managing a mobile device

Before you begin


This Quick-start Guide provides basic instructions for setting up an instance of the Symantec Mobile Management solution. The Symantec Mobile Management 7.2 Implementation Guide provides detailed instructions to help you install, configure, and manage mobile devices with Symantec Mobile Management 7.2. The latest version of the guide is available at www.symantec.com/docs/DOC5662

This document may be updated to improve quality and accuracy. For the latest version of this document, go to http://www.symantec.com/docs/DOC5665

This guide makes the following assumptions:


- You have a working instance of Symantec Management Platform installed on qualified equipment. For more information about the system requirements and other installation topics for Symantec Management Platform, see the Symantec Management Platform Installation Guide at http://www.symantec.com/docs/DOC4798.
- Your instance of the platform includes Microsoft .NET 3.5.
  Note: The prerequisite checker for Mobile Management 7.2 requires .NET 3.5.
- You have either a commercial certificate authority or a self-administered certificate authority available to generate the necessary trust certificates. For more information, see Symantec Mobile Management certificate distribution in the Symantec Mobile Management 7.2 Implementation Guide at http://www.symantec.com/docs/DOC3493.
  Note: Root certificates are only required when you use a non-commercial certificate authority. If you choose to use SSL, you must have the Server Authentication Certificate or root certificate installed.

The following table lists the trust certificates that are required for each component.

Component: Symantec Mobile Management Server
Certificates:
- Certificate Authority:
  - Server Authentication (SSL) Certificate
  - Root certificate
- Profile Security:
  - Signing Certificate with public and private keys.
  - Encryption Certificate with public keys.
- Apple Push Notification Service (APNS). For more information about APNS, see the Apple Developers article, Apple Push Notification System at http://developer.apple.com/library/mac/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html

Component: Symantec Management Platform Server
Certificates:
- Certificate Authority:
  - Root certificate

Component: iOS Devices
Certificates:
- Certificate Authority:
  - Server Authentication (SSL) Certificate
  - Root certificate
- Profile Security:
  - Signing Certificate with public and private keys.
  - Encryption Certificate with public keys.
Note: Symantec Mobile Management Server and Symantec Management Platform Server provide the tickets.

- The SCEP server instance is configured to provide the Network Device Enrollment Service (NDES) role or Symantec MPKI. Make sure that your network conforms to the following additional requirements:
  - The server is joined to an Active Directory domain and the domain has a Certificate Authority available.
  - You have reconfigured the server role to use the Network Device Enrollment Service (NDES) role (and not the Certificate Authority role service).
  - You have installed IIS, which is required for the NDES.
  - The NDES user account is established in the local IIS_IUSRS group. Establishing this account is a prerequisite for making the NDES account assignment.
  - You restart the server after you make the configuration changes.

For instructions to set up SCEP for use by Symantec Mobile Management, see the Symantec Knowledge Base article How to set up a SCEP Server for use by Mobile Management Solution 7.1 at http://www.symantec.com/docs/HOWTO64210. For more information about implementing NDES/SCEP on Windows Server 2008 R2, see the Microsoft SCEP Implementation Whitepaper at http://www.microsoft.com/download/en/details.aspx?id=1607.

- To manage iOS 5 devices, you have SSL configured in your environment and have set up a Mobile Device Management Certificate. Observe the following additional requirements:
  - You can use a commercial certificate (CA) or a certificate generated in-house.
  - You must use a CA server to generate an in-house certificate.
  - The name of the certificate must match the URL that the iOS device uses for communication.

For more information, see the following articles:

- Enrolling iOS5 with Symantec Mobile Management using SSL at http://www.symantec.com/docs/HOWTO74478
- Generating a Certificate Signing Request (CSR) at http://www.symantec.com/docs/TECH180137

Running the Symantec Mobile Management Prerequisite Check Utility


The Symantec Mobile Management Prerequisite Check Utility verifies that the system requirements and other prerequisites are met before the application is installed. The prerequisite checker requires Microsoft .NET 3.5, which is usually part of your Symantec Management Platform instance. Make sure that .NET 3.5 is installed before you attempt to download and install the check utility.

To run the Symantec Mobile Management Prerequisite Check Utility

1. Navigate to http://www.symantec.com/docs/HOWTO77182 and download PrerequisiteVerification.ZIP.
2. Follow the on-screen instructions to run the checker.
3. Correct any flagged requirements or configuration upgrades.

Downloading and installing Symantec Mobile Management 7.2


You download the Symantec Mobile Management software through the Symantec Installation Manager. The installation manager is provided with Symantec Management Platform.

To download and install Symantec Mobile Management 7.2

1. Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).
2. On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2.
3. Accept the terms of the license agreement and click Next.
4. Follow the instructions that are provided in the wizard to complete the installation.

Rolling out and configuring the site server


These procedures establish the site server for Mobile Security.

Roll out the site server

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2. Under Site Server Rollout and Settings, on the toolbar, click New.
3. Enter the name and IP address of the site server computer, and then click Save changes.
   Note: Site server computers must have the Symantec Management Agent installed and have Microsoft Message Queuing (MSMQ) services enabled.
4. Highlight the server you added in Step 3, and in the Mobile Management Server Settings pane select the options you require, as follows:
   - Enable Authentication Check. If you check this option, you must enter your server information. The server information is used to validate the user name and password from the agent's enrollment page. If you do not check this option, users without credentials can enroll their device and access content and information in the Mobile Management Agent. You can also enter a list of Allowed Groups. The allowed groups are AD or LDAP groups. If you enter a list of groups in this field, only users in those groups can enroll. Enter the groups with a pipe character between them; for example, Sales|Engineering|Marketing.
   - Allow Jailbroken Devices. If you check this option, any device that fails the jailbreak test during enrollment is not managed. Jailbroken devices can enroll, but they cannot see content in the Mobile Library.
   - Require EULA acceptance. If you check this option, any user who does not accept the End User Licensing Agreement (EULA) is not enrolled. Therefore, the server does not manage that user.
   - Minimum OS Version. Devices with operating system versions that are earlier than the values in the fields on this page are not allowed to enroll. These fields default to the earliest version of each OS that is supported by Mobile Management. You can only set a single value for all devices of each operating system. Leaving the fields empty defaults the configuration to the earliest supported version of each operating system.
   - Non-approved Platforms. If you enter values in this field, the device platforms that you enter are blocked from registering. Separate multiple entries with the pipe character.

Configure APNS

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2. Click the APNS tab.
3. Enter the APNS Push Certificate Thumbprint for your company-specific Apple Push Notification Certificate.

Configure Profile Security

In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings and click the Profile Security tab.

Optionally enter one or more of the following:

- Profile Signing Cert Thumbprint. The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
- Profile Encryption Cert Thumbprint. The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
- Device Decryption Cert Config. The credential payload that is placed on devices for decryption.
- Device Signing Validation Cert Config. The credential payload that is placed on devices to validate signing.
- Device Signing/Encryption Root Cert Config. The credential payload that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.

Click Save changes.
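
The following PowerShell check is an added example, not part of the Symantec guide. It lists the certificates in the server's personal store with the thumbprints that the APNS and Profile Security tabs ask for, and reports whether each has a private key, permits Server Authentication, and carries a name that matches the enrollment host, as the SSL requirement in "Before you begin" states. Assumptions: the personal store is Cert:\LocalMachine\My, the host name is a placeholder taken from the guide's own example, and Windows displays SAN entries with the English "DNS Name=" label.

```powershell
# Added example. Run in an elevated session on the Mobile Management server.
$EnrollHost    = 'mobileserver.yourcorp.com'  # placeholder: host used in the enrollment URL
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication enhanced key usage
$SanOid        = '2.5.29.17'                  # Subject Alternative Name extension

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Prefer DNS entries from the SAN extension; fall back to the subject CN.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $names = @($san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_.Substring(9) })   # drop the "DNS Name=" label
    }
    if ($names.Count -eq 0) { $names = @($Cert.GetNameInfo('SimpleName', $false)) }
    return $names
}

function Test-CertMatchesHost {
    param($Cert, [string]$HostName)
    foreach ($name in @(Get-CertDnsName $Cert)) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label, e.g. *.yourcorp.com
        if ($name.StartsWith('*.') -and $HostName.IndexOf('.') -gt 0) {
            $parent = $HostName.Substring($HostName.IndexOf('.'))
            if ($name.Substring(1) -ieq $parent) { return $true }
        }
    }
    return $false
}

function Test-ServerAuthUsage {
    param($Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }   # no EKU extension: usage is unrestricted
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

# One row per certificate; copy the Thumbprint column into the console fields.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint,
        @{ Name = 'Subject';     Expression = { $_.GetNameInfo('SimpleName', $false) } },
        @{ Name = 'Expired';     Expression = { $_.NotAfter -lt (Get-Date) } },
        HasPrivateKey,
        @{ Name = 'ServerAuth';  Expression = { Test-ServerAuthUsage $_ } },
        @{ Name = 'MatchesHost'; Expression = { Test-CertMatchesHost $_ $EnrollHost } } |
    Format-Table -AutoSize
```

The certificate chosen for Profile Signing Cert Thumbprint should show HasPrivateKey as True, and the SSL certificate should show ServerAuth and MatchesHost as True. Taking thumbprints from this output avoids the spaces and the invisible leading character that copying from the certificate dialog can introduce.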


Configure iOS MDM enrollment

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > iOS MDM Enrollment Configuration.
2. In the Push Certificate Subject field, enter the subject of the Apple Push Notification Service certificate that is used for MDM. For more information, see the Apple MDM integration document, Deploying iPhone and iPad Mobile Device Management at http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf. If you use a development MDM Certificate and not a production certificate, select Use Development APNS Server.
   Warning: The state of the checkbox must match the state of the checkbox for Use Development APNS on the APNS tab of the Mobile Management server settings.
3. In the Cryptographic credential used for authentication field, choose the SCEP credential for Mobile Management.
4. Under Additional Configuration Profiles to include, click the yellow star and add the Root CA certificate.
5. Click Save changes.

Downloading the Mobile Management agent to a mobile device


You download the Mobile Management Agent app to your mobile device from the app venue that is appropriate for the mobile device. After the app is installed, it is used to enroll the device so that it can accept and enact management policies on the mobile device. Download the app from one of the following locations:

- iOS: Apple App Store
- Android: Android Market
- Windows: Windows Phone Marketplace


To download the Mobile Management agent to a mobile device

1. For Android devices only, first set your device's app installation settings to Allow Installation of non Market Applications and to allow Unknown Sources.
2. Go to the app store for your device and download the Symantec Mobile Management Agent app.
   Note: Search for Symantec MGMT or Symantec Mobile Agent.
3. Follow the procedure for your mobile device to install the app.

Enrolling a mobile device


Managing mobile devices with Symantec Mobile Management requires that they are enrolled with the Symantec Mobile Management server.

To enroll a mobile device

1. On your mobile device, start the Symantec Mobile Management Agent app.
2. On the enrollment screen, provide the following information:
   - The URL of the management server.
     - For Android, go to: [server]/Mobile Enrollment/SYMC-androidenroll.aspx
     - For iOS, go to: [server]/Mobile Enrollment/SYMC-iOSenroll.aspx
     - For Windows Phone, go to: [server]/Mobile Enrollment/SYMC-WPenroll.aspx
     Where [server] is the name of the site server computer that you want the device to enroll with.
   - Your domain user name and password.
   Note: URLs are not case sensitive.
3. Tap Enroll to complete the enrollment process.

The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time.


You can also set up DNS to allow iOS users to enter an email address instead of the URL. Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.

Managing a mobile device


When a mobile device enrolls with the Mobile Management server, a default policy is provided to the device to establish the default management profile. You create new policies or edit existing policies to achieve your device management goals. Refer to the Symantec Mobile Management 7.2 Implementation Guide for comprehensive information about managing mobile devices, policies, and the Symantec Mobile Management infrastructure. The latest version of the guide is available at www.symantec.com/docs/DOC5662
