Create a default Synchronization Schedule for the organization. Other schedules may be created later to accommodate different groups of users. Sync Schedules dictate peak and off-peak times for devices to synchronize. Times can overlap days to cover different work shift situations and special case employees.
The default sync schedule is used for auto-provisioned users.
Define a schedule name for the organization’s default sync schedule.
Set a corporate sync schedule (for devices owned by the company).
Set a personal sync schedule (for devices owned by the individual).
Define the following settings:
Corporate
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time
Personal
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time
Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.
The times you define in the schedule grid designate peak sync times.
Anything that falls outside the peak sync schedule is off-peak sync time.
To edit the default schedule or create additional schedules, use the Sync Schedules option on the Organization Management page.
NotifyMDM Version 1.1.0 Configuring the Organization •••• 9
Managing SMTP, ActiveSync, and Administrative LDAP Servers
You may define multiple administrative LDAP or ActiveSync servers for an organization, in addition to the server(s) you defined through the Organization Wizard.
You may also edit information for the administrative LDAP, ActiveSync, or SMTP servers defined through the Organization Wizard.
Distinguishing between Administrative LDAP Servers and LDAP Servers
Administrative LDAP servers defined here are for the purpose of adding users via a batch import from an LDAP directory. User credentials are imported from an LDAP directory and all users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
LDAP servers defined under Corporate Resources are for the purpose of configuring LDAP settings to push out to the device, so the user can access corporate directory information via the device.
Define Additional Administrative LDAP or ActiveSync Servers
1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select LDAP Servers or ActiveSync Servers.
3. Click the Add LDAP Server or Add ActiveSync Server option.
4. Enter the server credentials:
Server Editors: Edit Information for Administrative LDAP, ActiveSync, or SMTP Servers
To edit credentials for an existing LDAP, ActiveSync, or SMTP Server:
1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select LDAP Servers, ActiveSync Servers, or SMTP Servers.
3. For LDAP or ActiveSync servers, select the server you wish to edit from the table.
4. Edit the information and click Save Changes.
Policy Suites
A policy suite is a set of rules that govern, secure, and monitor the usage of devices in the enterprise.
Policies are the heart of the Notify Mobile Device Management system, allowing administrators to manage users operating on a variety of device platforms and enforce policies across all devices as consistently as possible*.
For enterprises utilizing the ActiveSync protocol, NotifyMDM acts as a gateway server. NotifyMDM intercepts policy updates sent from the ActiveSync server and instead enforces policies on the device that have been defined in NotifyMDM.
*Note: Descriptions of individual policy settings and functionality of settings across device platforms may be found in the Device Platform Comparison chart at:
http://mdm.notifylink.com/downloads/MDM%20Device%20Platform%20Comparison.pdf
The Policy Wizard guides you through setup of an organization’s policy suite(s). Multiple policies can exist and each user/device can be assigned the policy that best suits their role. A policy suite includes settings for both corporate and personal devices.
Policy Suite Templates. The Wizard allows an administrator to quickly create a new policy suite either by copying an existing policy suite or by choosing from a number of pre-defined policy suites which reflect four levels of security strength. The administrator can start with one of these templates and use the Policy Suite Editor to customize the settings associated with any of the policy rules.
See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.
You may also draft a Welcome Letter that will be sent to users associated with a particular policy suite. The letter is sent via email when the user is added to the system.
Policy rules are categorized into the following groups:
• Application Control
• App List Permissions
Create a New Policy
1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. Click the Create New Policy option.
4. Choose a method for creating a policy suite:
• Create the initial policy suite using sliders to determine its general policy strength (low, recommended, strict, high security).
• Create the initial policy suite by copying the settings of an existing policy suite.
5. Use the Policy Suite Editor to customize the new policy.
Policy Suite Editor
To edit an existing Policy Suite:
1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. From the menu panel, select the policy you wish to change.
4. Create a Welcome Letter to be emailed to users assigned this policy, when they are added.
Note: This must be enabled in the Organization Settings. From the dashboard, select System Management > Organization and check the Send Welcome Letter to Users option.
5. Select the category you wish to edit.
6. Edit the settings and click Save Changes.
See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.
Descriptions of individual policy settings and functionality of the settings across device platforms may be found in the Device Platform Comparison chart at
http://notifymdm.notify.net/downloads/Device%20Platform%20Functionality.pdf
Tips on Customizing and Using Policy Suites
• You can use Allow All and Deny All buttons to easily allow or deny all settings for corporate and personal devices simultaneously.
• Some policies determine the options available for other policies.
• You must specify a policy suite when you add a user. Users added by import methods or Auto-provisioned users will all have the same policy suite.
• You can push policy changes to users by selecting the Push Policy Suite option. This overrides the sync schedule and forces users to immediately get the changes.
• You can change an individual user’s policy suite in their User Profile.
• You can assign or change the policy suite for a group of users selected by criteria by selecting the Assign Policy Suite To Users option.
Assigning a Policy Suite
Synchronization Schedules
The Sync Schedule determines the frequency at which devices synchronize with the NotifyMDM server. The schedule controls when the devices send statistics and may also control when the server sends updates (if the direct push setting is disabled). Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.
The Sync Schedule Wizard guides you through setup of an organization’s synchronization schedule(s).
Multiple schedules may exist and each user (device) may be assigned the appropriate schedule. The Wizard allows an administrator to quickly create a new sync schedule either by choosing from the system default schedules or by copying an existing schedule. The administrator can then use the Sync Schedule Editor to customize the settings associated with each schedule. Each schedule may be customized for corporate owned and personally owned devices.
Create a New Sync Schedule
1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. Click the Create New Sync Schedule option.
4. Choose a method for creating a sync schedule:
• Create a New Sync Schedule - Create the initial schedule using the system defaults.
• Copy Existing Sync Schedule - Create the initial schedule by copying the settings of an existing schedule.
Define the following settings:
Corporate
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time
Personal
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time
Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.
The times you define in the schedule grid designate peak sync times.
Anything that falls outside the peak sync schedule is off-peak sync time.
A schedule’s peak and off-peak sync intervals define the frequency at which devices synchronize with the server. Peak time is defined as time periods during which device usage is consistently higher than average.
Conversely, off-peak time is defined as time periods during which device usage is consistently lower than average. To accommodate the higher traffic, peak sync intervals are usually set at lower values (initiating more frequent synchronizations) than off-peak sync intervals.
The Require Direct Push setting determines whether updates from the server are synchronized immediately or during the next scheduled sync session. If this setting is enabled, updates from the server sync to the device as soon as they are available. Synchronizations from the device still occur according to the scheduled sync interval and are not affected by this setting.
Note: Remote Wipe commands sent from the server sync immediately, regardless of whether or not Require Direct Push is enabled.
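The peak/off-peak and Require Direct Push rules above, worked through as an added example (not NotifyMDM code): it classifies a moment as peak or off-peak, including ranges that run past midnight, and bounds how long a server-side change can wait before a device receives it. The schedule layout and function names are assumptions, and the delay is modelled simply as the sync interval in effect at that moment.

```python
from datetime import datetime, timedelta

# Constructed sample schedule. The field names are assumptions for this
# example, not NotifyMDM's own storage format.
SCHEDULE = {
    # weekday (0 = Monday) -> peak ranges as ("HH:MM", "HH:MM")
    "peak_ranges": {
        0: [("08:00", "18:00")],
        1: [("08:00", "18:00")],
        2: [("08:00", "18:00")],
        3: [("08:00", "18:00")],
        4: [("08:00", "18:00"), ("22:00", "06:00")],  # night shift runs into Saturday
    },
    "peak": {"interval_min": 15, "direct_push": True},
    "off_peak": {"interval_min": 120, "direct_push": False},
}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def period_at(schedule, when):
    """Return "peak" or "off_peak", honouring ranges that cross midnight."""
    now = when.hour * 60 + when.minute
    today = schedule["peak_ranges"].get(when.weekday(), [])
    yesterday = schedule["peak_ranges"].get((when.weekday() - 1) % 7, [])
    for start, end in today:
        s, e = _minutes(start), _minutes(end)
        if (s < e and s <= now < e) or (s >= e and now >= s):
            return "peak"
    for start, end in yesterday:
        s, e = _minutes(start), _minutes(end)
        if s >= e and now < e:  # tail of a range that began yesterday
            return "peak"
    return "off_peak"


def max_update_delay(schedule, when, command="policy_update"):
    """Upper bound on how long a server-side change waits for the device."""
    if command == "remote_wipe":
        return timedelta(0)  # per the guide, wipes sync immediately regardless
    settings = schedule[period_at(schedule, when)]
    if settings["direct_push"]:
        return timedelta(0)
    return timedelta(minutes=settings["interval_min"])


def slow_periods(schedule, limit_min):
    """Periods where direct push is off and the interval exceeds limit_min."""
    return [name for name in ("peak", "off_peak")
            if not schedule[name]["direct_push"]
            and schedule[name]["interval_min"] > limit_min]
```

Running slow_periods against each schedule shows which periods leave policy changes waiting longer than the organization accepts.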
Sync Schedule Editor
To edit an existing Sync Schedule:
1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. From the menu panel, select the schedule you wish to change.
4. Select the Corporate or Personal schedule.
5. Edit the settings and click Save Changes.
Tips on Using Sync Schedules
• You must specify a sync schedule when you add a user. Users added by import methods or Auto-provisioned users will all have the same sync schedule.
• You can push sync schedule changes to users by selecting the Push Sync Schedule option. This overrides the sync schedule and forces users to immediately get the changes.
• You can change an individual user’s sync schedule in their User Profile.
• You can assign or change the sync schedule for a group of users selected by criteria by selecting the Assign Sync Schedule To Users option.
Assigning a Sync Schedule
Adding Users
Provisioning users for NotifyMDM can be executed in several ways.
• Add individual users manually
• Deploy a fleet of devices with batch import methods – User credentials are imported from an LDAP directory or via a Comma Separated Values (CSV) file. All users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
• Configure the organization for Hands-Off Registration – To free the administrator from the task of adding users either manually or by batch import, NotifyMDM can auto-provision any user with an account on the corporate ActiveSync server when they register their device against the NotifyMDM server. Users are added with the default device ownership, Policy Suite and Sync Schedule.
Adding Users Manually
Administrators can add users to an organization manually. Once added, users may register their device against the NotifyMDM server.
To Add Users Manually
1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select Manual from the Add New User Wizard dialog.
4. Enter the user information, then click Finish.
* = required field
ActiveSync server – Select the ActiveSync server you wish to associate the user with, from the dropdown list.
LDAP Server – Select the LDAP server you wish to associate the user with, from the dropdown list.
Device Ownership – Choose Corporate (user’s device is corporate owned) or Personal (user’s device is personally owned).
Lock Ownership – If locked, a user with a NotifyMDM device app will not be allowed to change their ownership. Users who attempt to change their ownership via the NotifyMDM app will experience an invalid credentials error and will not be able to register.
User Name * – For users associated with an ActiveSync server, this should be their ActiveSync account user name. For users on systems that do not use the ActiveSync protocol, enter a unique user name for their NotifyMDM user account.
domain, enter it here. This also provides one way to configure the user for registering multiple devices against a single account. (See Registering Multiple Devices to a Single Account, in this guide.)
Password * – For users associated with an ActiveSync server, this should be their ActiveSync account password. For users on systems that do not use the ActiveSync protocol, enter a unique password for their NotifyMDM user account.
E-mail Address * – Enter the user’s E-mail address.
Policy Suite * – Select the Policy Suite you wish the user to have from the dropdown list.
Sync schedule * – Select the Sync Schedule you wish the user to have from the dropdown list.
Carrier – Select the user’s carrier from the dropdown list.
Adding Users via Comma Separated Values (CSV) Files
An administrator can import a group of users to the NotifyMDM server via a CSV file. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
Usernames, email addresses, and passwords of users are entered into a spreadsheet template. The administrator also chooses the device ownership, policy suite, synchronization schedule, ActiveSync server (if used), LDAP server (if used), and carrier (if desired) for the group being added. Using the Add New User Wizard, the file is then downloaded to the NotifyMDM server where user credentials from the file and the defaults specified by the administrator are merged to create new NotifyMDM user accounts.
Once added, users may register their device against the NotifyMDM server.
To Add Users by Importing From CSV Files
1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select .CSV from the Add New User Wizard dialog.
4. Download the .CSV spreadsheet template and save it in the desired location. In the .CSV spreadsheet, enter the usernames, email addresses, and passwords for the users you are adding to MDM.
5. In the Add New User Wizard, select the default information for users in this file: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Upload the .CSV file with the users’ credentials.
7. Click Add Users when the file has finished uploading.
Adding Users via LDAP
When an LDAP server(s) is defined for an organization, NotifyMDM can use it to retrieve user information from the corporate LDAP server(s) and use it to add users to MDM.
An administrator can import a group of users to NotifyMDM via an LDAP server that has been defined for the organization. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
Once added, users may register their device against the NotifyMDM server.
To Add Users by Importing From LDAP
1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select LDAP from the Add New User Wizard dialog.
4. Select the LDAP Server to query.
5. Select the default information for users added via LDAP: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Select the Username Format to be used.
• Trim e-mail address before ‘@’ – EX: If e-mail address is [email protected], username will be jstewart
• Use entire email address – username will be the full e-mail address
7. Click Next to select the users you wish to add from the LDAP server.
8. Click Add Users when you have finished making your selections.
Configuring the Organization for Hands-Off Registration
Enabling User Self-Registration
Enabling the Hands-Off Registration option when defining an ActiveSync server provides a method of auto-provisioning users on the NotifyMDM server, thus freeing the administrator from the task of adding users either manually or by batch import.
Users registering a device against the NotifyMDM server will be automatically added to the NotifyMDM server, as long as their credentials are recognized by the ActiveSync server. NotifyMDM creates the new account using the ActiveSync user account credentials and the default servers, policy suite, and sync schedule specified for the organization.
To Enable Hands-Off Registration for an ActiveSync Server
1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select ActiveSync Servers.
3. From the table, select an ActiveSync server or create a new ActiveSync server by choosing Add ActiveSync Server.
4. Check the box labeled Allow Hands-Off Registration and click Save Changes.
Registering Multiple Devices to a Single Account
On Exchange, Kerio, and Zimbra servers you can configure a user so that multiple devices can be registered to a single account. For example, a user may have a phone, but also use a companion device, such as a tablet or a second device for foreign travel.
This is accomplished by two methods, depending on what the mail server supports.
• You can create multiple users for the individual on the NotifyMDM server using the various types of login usernames. All the usernames reference the same mail server account, thereby making it possible for the individual to register multiple devices.
Note: One limitation exists in this scenario: when there are users with the same username or the same username@domain (in the case of On-Demand or multi-tenant servers). Since the full email address is the only unique identifier for each user, you must enter each user’s full email address in the username field when creating their individual NotifyMDM users. EX: [email protected] and [email protected]. For this reason, these users will not be able to register multiple devices to one account, unless one agrees to change their email address.
• A second method is to create alias email addresses on the mail server that use the same username as the original email address.
Note: On NotifyMDM systems set up for self-registration, the user can only self-register one device. You must manually add the other NotifyMDM user(s) to the system before they register companion device(s).
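A pre-import check for the two LDAP username formats and the same-username limitation noted above, added here as an example and not taken from NotifyMDM. It reports which addresses would share a username under each format and flags rows in an import file that reuse a username or omit a required field. The CSV column names, the sample rows, and case-insensitive matching are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the spirit of the CSV import; the column names are
# assumptions for this example, not the layout of NotifyMDM's template.
SAMPLE_CSV = """username,email,password
jstewart,jstewart@corp.example,Constructed-1
jstewart,jstewart@partner.example,Constructed-2
mlee,mlee@corp.example,
"""


def username_for(email, fmt):
    """Derive a username: "trim" keeps the part before '@', "full" keeps it all."""
    local, at, domain = email.strip().rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    return local if fmt == "trim" else email.strip()


def collisions(emails, fmt):
    """Map each derived username shared by several addresses to those addresses."""
    seen = defaultdict(set)
    for email in emails:
        # Case-insensitive comparison is an assumption about the mail server.
        seen[username_for(email, fmt).lower()].add(email.strip().lower())
    return {name: sorted(addrs) for name, addrs in seen.items() if len(addrs) > 1}


def pick_format(emails):
    """Prefer the short form; fall back to full addresses when it would collide."""
    return "full" if collisions(emails, "trim") else "trim"


def check_rows(csv_text):
    """Return (line_number, problem) findings for a user import file."""
    findings, owners = [], {}
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        user = (row.get("username") or "").strip()
        email = (row.get("email") or "").strip()
        for field in ("username", "email", "password"):
            if not (row.get(field) or "").strip():
                findings.append((line_no, f"missing {field}"))
        if user and email:
            first = owners.setdefault(user.lower(), email.lower())
            if first != email.lower():
                findings.append((line_no, f"username {user!r} already used by {first}"))
    return findings
```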
Exchange
For ActiveSync users on Exchange 2010, 2007, or 2003, you can configure a user so that they may register up to four devices against a single Exchange account. This is accomplished by creating multiple users for the individual on the NotifyMDM server using the various types of usernames that Exchange allows for login. All the usernames reference the same Exchange account, thereby making it possible for the individual to register multiple devices.
Step 1: Create up to three users for the individual on the NotifyMDM server.
User #1 Enter the user’s Exchange username in the User Name field.