2 MR1 Quick-start Guide
Legal Notice
Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Printed in the United States of America.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals
- Before you begin
- Running the Symantec Mobile Management Prerequisite Check Utility
- Downloading and installing Symantec Mobile Management 7.2
- Rolling out and configuring the site server
- Downloading the Mobile Management agent to a mobile device
- Enrolling a mobile device
- Managing a mobile device
Getting started with Symantec Mobile Management 7.2

Before you begin

- You have a working instance of Symantec Management Platform installed on qualified equipment. For more information about the system requirements and other installation topics for Symantec Management Platform, see the Symantec Management Platform Installation Guide at http://www.symantec.com/docs/DOC4798.
- Your instance of the platform includes Microsoft .NET 3.5.
  Note: The prerequisite checker for Mobile Management 7.2 requires .NET 3.5.
- You have either a commercial certificate authority or a self-administered certificate authority available to generate the necessary trust certificates. For more information, see Symantec Mobile Management certificate distribution in the Symantec Mobile Management 7.2 Implementation Guide at http://www.symantec.com/docs/DOC3493.
  Note: Root certificates are only required when you use a non-commercial certificate authority. If you choose to use SSL, you must have the Server Authentication Certificate or root certificate installed.
  The following table lists the trust certificates that are required for each component.

  Component: Symantec Mobile Management Server
  Certificates: Root certificate; Apple Push Notification Service (APNS). For more information about APNS, see the Apple Developers article, Apple Push Notification System at http://developer.apple.com/library/mac/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html

  Component: iOS Devices
  Certificates: Root certificate
- The SCEP server instance is configured to provide the Network Device Enrollment Service (NDES) role or Symantec MPKI. Make sure that your network conforms to the following additional requirements:
  - The server is joined to an Active Directory domain and the domain has a Certificate Authority available.
  - You have reconfigured the server role to use the Network Device Enrollment Service (NDES) role (and not the Certificate Authority role service).
  - You have installed IIS, which is required for the NDES.
  - The NDES user account is established in the local IIS_IUSERS group. Establishing this account is a prerequisite for making the NDES account assignment.
  - You restart the server after you make the configuration changes.
For instructions to set up SCEP for use by Symantec Mobile Management, see the Symantec Knowledge Base article How to set up a SCEP Server for use by Mobile Management Solution 7.1 at http://www.symantec.com/docs/HOWTO64210. For more information about implementing NDES/SCEP on Windows Server 2008 R2, see the Microsoft SCEP Implementation Whitepaper at http://www.microsoft.com/download/en/details.aspx?id=1607.
- To manage iOS 5 devices, you have SSL configured in your environment and have set up a Mobile Device Management Certificate. Observe the following additional requirements:
  - You can use a commercial certificate (CA) or a certificate generated in-house.
  - You must use a CA server to generate an in-house certificate.
  - The name of the certificate must match the URL that the iOS device uses for communication.
  Enrolling iOS5 with Symantec Mobile Management using SSL at http://www.symantec.com/docs/HOWTO74478
  Generating a Certificate Signing Request (CSR) at http://www.symantec.com/docs/TECH180137

Running the Symantec Mobile Management Prerequisite Check Utility

1. Navigate to http://www.symantec.com/docs/HOWTO77182 and download PrerequisiteVerification.ZIP.
2. Follow the on-screen instructions to run the checker.
3. Correct any flagged requirements or configuration upgrades.

Downloading and installing Symantec Mobile Management 7.2

1. Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).
2. On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2.
3. Accept the terms of the license agreement and click Next.
4. Follow the instructions that are provided in the wizard to complete the installation.

Rolling out and configuring the site server

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2. Under Site Server Rollout and Settings, on the toolbar, click New.
3. Enter the name and IP address of the site server computer, and then click Save changes.
   Note: Site server computers must have the Symantec Management Agent installed and have Microsoft Message Queuing (MSMQ) services enabled.
4. Highlight the server you added in Step 3, and in the Mobile Management Server Settings pane select the options you require, as follows:
   - Enable Authentication Check. If you check this option, you must enter your server information. The server information is used to validate the user name and password from the agent's enrollment page. If you do not check this option, users without credentials can enroll their device and access content and information in the Mobile Management Agent. You can also enter a list of Allowed Groups. The allowed groups are AD or LDAP groups. If you enter a list of groups in this field, only users in those groups can enroll. Enter the groups with a pipe character between them; for example, Sales|Engineering|Marketing.
   - Allow Jailbroken Devices. If you check this option, any device that fails the jailbreak test during enrollment is not managed. Jailbroken devices can enroll, but they cannot see content in the Mobile Library.
   - Require EULA acceptance. If you check this option, any user who does not accept the End User Licensing Agreement (EULA) is not enrolled. Therefore, the server does not manage that user.
   - Minimum OS Version. Devices with operating system versions that are earlier than the values in the fields on this page are not allowed to enroll. These fields default to the earliest version of each OS that is supported by Mobile Management. You can only set a single value for all devices of each operating system. Leaving the fields empty defaults the configuration to the earliest supported version of each operating system.
   - Non-approved Platforms. If you enter values in this field, the device platforms that you enter are blocked from registering. Separate multiple entries with the pipe character.

Configure APNS

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.
2. Click the APNS tab.
3. Enter the APNS Push Certificate Thumbprint for your company-specific Apple Push Notification Certificate.

In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings and click the Profile Security tab. Optionally enter one or more of the following:
- Profile Signing Cert Thumbprint. The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
- Profile Encryption Cert Thumbprint. The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
- Device Decryption Cert Config. The credential payload that is placed on devices for decryption.
- Device Signing Validation Cert Config. The credential payload that is placed on devices to validate signing.
- Device Signing/Encryption Root Cert Config. The credential payload that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
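
One way to collect the thumbprints that the APNS and Profile Security tabs ask for, and to check the earlier requirement that the certificate name match the URL the iOS device uses. This is an added example, not part of the Symantec guide or product; it assumes the certificates are installed in the computer's personal store (Cert:\LocalMachine\My), reuses the guide's sample host name, and the 30-day expiry threshold and the helper name Test-NameCoversHost are illustrative.

```powershell
# Added example, not Symantec's code. Assumptions: the certificates are in the
# computer's personal store (Cert:\LocalMachine\My) and the enrollment host is the
# guide's sample name; replace it with the host name your devices actually use.
$EnrollmentHost = 'mobileserver.yourcorp.com'
$WarnDays       = 30     # constructed threshold for the expiry warning

# Hypothetical helper: does a certificate name cover the enrollment host?
function Test-NameCoversHost([string]$Name, [string]$HostName) {
    if ($Name.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label, e.g. *.yourcorp.com
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $Name.Substring(1))
    }
    return $Name -ieq $HostName
}

$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # First DNS subject alternative name, or the subject CN when there is no SAN.
    $names = @($cert.GetNameInfo($dnsType, $false))

    # Remaining SAN entries (OID 2.5.29.17); 'DNS Name=' is the label that
    # English-language Windows uses when it formats the extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }

    $nameOk   = @($names | Where-Object { Test-NameCoversHost $_ $EnrollmentHost }).Count -gt 0
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # Thumbprint is printed as plain hex, so it can be pasted into the console
    # fields without the spaces or hidden characters a dialog copy can carry.
    $cert | Select-Object Thumbprint, Subject, HasPrivateKey, NotAfter,
        @{ Name = 'NameMatchesHost'; Expression = { $nameOk } },
        @{ Name = 'ExpiresSoon';     Expression = { $daysLeft -lt $WarnDays } }
} | Format-List
```

A signing or SSL certificate that reports HasPrivateKey as False cannot be used by the server for that purpose, and NameMatchesHost as False on the SSL certificate means it does not match the configured host name.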

1. In Symantec Management Console, navigate to Home > Mobile Management > Settings > iOS MDM Enrollment Configuration.
2. In the Push Certificate Subject field, enter the subject of the Apple Push Notification Service certificate that is used for MDM. For more information, see the Apple MDM integration document, Deploying iPhone and iPad Mobile Device Management at http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf. If you use a development MDM Certificate and not a production certificate, select Use Development APNS Server.
   Warning: The state of the checkbox must match the state of the checkbox for Use Development APNS on the APNS tab of the Mobile Management server settings.
3. In the Cryptographic credential used for authentication field, choose the SCEP credential for Mobile Management.
4. Under Additional Configuration Profiles to include, click the yellow star and add the Root CA certificate.
5. Click Save changes.

Downloading the Mobile Management agent to a mobile device

- iOS: Apple App Store
- Android: Android Market
- Windows: Windows Phone Marketplace

1. For Android devices only, first set your device's app installation settings to Allow Installation of non Market Applications and to allow Unknown Sources.
2. Go to the app store for your device and download the Symantec Mobile Management Agent app.
   Note: Search for Symantec MGMT or Symantec Mobile Agent.
3. Follow the procedure for your mobile device to install the app.

Enrolling a mobile device

1. On your mobile device, start the Symantec Mobile Management Agent app.
2. On the enrollment screen, provide the following information:
   - For Android, go to: [server]/Mobile Enrollment/SYMC-androidenroll.aspx
   - For iOS, go to: [server]/Mobile Enrollment/SYMC-iOSenroll.aspx
   - For Windows Phone, go to: [server]/Mobile Enrollment/SYMC-WPenroll.aspx
   Where [server] is the name of the site server computer that you want the device to enroll with.
The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time.
You can also set up DNS to allow iOS users to enter an email address instead of the URL. Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.

Managing a mobile device