Cloud Services
10/27/2014
MDM
CONTENTS
Email Management
Email Compliance Policies
Email Policies
Attachment Security Policies
Attachment Security Policies – iOS Devices
Attachment Security Policies – Other Devices
Unmanaged Devices
Email Attachment Control
Email Management Dashboard
Email Management is one of nine sections of the overall Admin Guide for Mobile Device Manager. The following is the complete list of MDM Admin Guide components:
• MDM Overview and Setup
• Device Management
• Profile Management
• Geofencing
• Application Management
• Content Management
• Email Management
• Telecom Management
• Reports and Alerts
EMAIL MANAGEMENT
MDM provides administrators with several options for configuring secure integration with corporate email services. The most robust and extensible solution is through the Secure Email Gateway, which allows the administrator to secure, monitor, and manage both the smart device fleet and corporate email access, all from the Admin Console.
MDM simplifies and secures Email management by allowing the administrator to perform the following tasks:
• Quickly monitor and troubleshoot email server requests through the Secure Email Gateway Dashboard.
• Gain visibility and control on top of the existing corporate email structure to ensure that corporate email actions are secure and compliant.
• Create and edit email compliance rules, including Blacklist and Whitelist policies.
• Control email access for both managed devices and unmanaged devices.
o For devices under MDM, the data collected from the Secure Email Gateway can be correlated to the device’s existing record to show you how the managed devices are interacting with your email server.
o For devices not under MDM, the data can be viewed on the dashboard to help the administrator track rogue devices and gain a more complete picture of the mobile email deployment.
• Configure integration with a number of corporate email services, including (but not limited to):
o Microsoft Exchange
o Google Apps for Business
o Microsoft BPOS
o Microsoft Office365
o Lotus
o Novell Groupwise versions 8.5+
EMAIL COMPLIANCE POLICIES
Email compliance policies allow the administrator to block access to corporate email servers for enhanced email security based on pre-defined compliance policies. You can configure email compliance policies in either of the two following ways:
• Navigate to Dashboards ► Email Management and then select Email Policies on the left.
• Navigate to Profiles & Policies ► Compliance and then select Email Policies from the Compliance view on the left.
EMAIL POLICIES
Depending upon your Mobile Email Management (MEM) deployment, the Email Policies screen provides three categories of compliance policies: General Email Policies, Managed Device Policies, and Attachment Security Policies. Within each category, there is a list of current compliance policies (shown below).
NOTE: Email Policies can be configured only at the Location Group at which MEM is configured. By default, all child Location Groups inherit the created policies.
• The circles under the Active column indicate whether the policy is active (green) or inactive (red).
• Checking the Disable Compliance option forces Mobile Email Management (MEM) to function in Bypass mode. This option is applicable for all the MEM configuration models (i.e., for Proxy, PowerShell, and Google).
NOTE: In Bypass mode, no compliance policy will be applied against the devices.
• To make changes to a policy, hover over the pencil icon under the Actions column and click Edit Policy.
• If a window is open, click [Save] to finish editing the policy, or [Cancel] to return the values to the last saved state.
General Email Policies
General Email Policies are applicable to MEM deployments involving the Secure Email Gateway (SEG) and the PowerShell Integration.
Managed Device
This policy allows you to determine the outcome if an unmanaged device attempts to contact the corporate email server.
1. Open the policy and specify whether to Allow or Block an unmanaged device.
2. Click [Save].
Mail Client
This policy allows you to control email access to a list of mail clients.
1. Open the policy and click [Add Rule].
2. Select an option from the Client Type drop-down menu:
• Pre-Defined – The known mail clients stored in the MDM database.
• Discovered – The mail clients that connect through the gateway, but are not currently stored in the MDM database.
• Custom – Specified mail clients (i.e., Apple or Android).
3. Select the Mail Client from the drop-down menu; if you selected Custom, enter the mail client in the field.
4. Choose to either Allow or Block the specified mail client and type.
5. Specify the default policy (Allow or Block) for all other mail clients not currently listed. This applies to all known mail clients that are not currently listed in the policy.
6. Specify the default policy (Allow or Block) for all new or discovered mail clients not currently listed. This applies to all mail clients that are not currently stored in the MDM database.
7. Click [Save].
User
This policy allows you to list specific users who are allowed or denied access to the email server to receive corporate email on their mobile device.
1. Select a User Type from the drop-down menu:
o User Account – Select a registered device user from the Admin Console database.
o Discovered – Choose the users that are connecting through the gateway and are not currently stored in the database.
o Custom – Choose the specific users.
2. Select a User Name from the drop-down menu.
3. Make a selection to Allow, Block, or Whitelist the specified user.
4. Specify the default policy (Allow or Block) for all other usernames not currently listed. This applies to all known usernames that are not currently listed in the policy.
5. Specify the default policy (Allow or Block) for all new or discovered usernames not currently listed. This applies to all usernames that are not currently stored in the MDM database.
6. Click [Save].
Managed Device Policies
Managed Device Policies are only enforced on devices currently enrolled in MDM.
Inactivity
This policy allows you to specify whether inactive devices are allowed or denied access to the email server, as well as the number of days a device can go unmanaged before it is considered inactive.
1. Open the policy and specify whether to Allow or Block inactive devices from connecting to the email server.
Device Compromised Compliance
This policy allows you to determine the outcome if a compromised device attempts to contact the corporate email server.
1. Open the policy and select whether to Allow or Block compromised devices from accessing the email server.
2. Click [Save].
Encryption Compliance
This policy allows you to determine the outcome if a device does not have data protection turned On while attempting to access the corporate email server.
1. Open the policy and select whether to Allow or Block devices that do not have data protection enabled.
2. Click [Save].
Platform/Model Compliance
This policy allows you to define which platforms and models are allowed to access, or are blocked from, the corporate email server.
1. Open the policy and click [Add Rule].
2. Select an option from the Platform and Model drop-down menus.
3. Make a selection to Allow or Block the specified platform and model.
4. Specify the default policy (Allow or Block) for all platforms and models not currently listed.
5. Click [Save].
Operating System Compliance
Administrators might want to block a version of an OS used by a particular mobile device for many different reasons.
• For example, an admin might decide to temporarily block an OS (until the admin can resolve the problem) because it is stressing an email server due to a bug or other technical issue.
• Another scenario might be to allow only the specific platforms and OS ranges that you want to access the corporate email server, and block all others from receiving their email.
1. Open the policy and click [Add Rule].
2. Select the type of device from the Platform drop-down menu.
3. Select the minimum and the maximum operating system for the device from the Min OS and Max OS drop-downs.
4. Specify the default policy (Allow or Block) for all OS versions not currently listed.
5. Click [Save].
ATTACHMENT SECURITY POLICIES
Attachment Security Policies are used to secure email attachments being downloaded onto mobile devices. Attachment Security is available for deployments involving the SEG proxy server. In order to prevent misuse of corporate email attachments, MDM’s SEG has been enhanced to encrypt and secure individual attachment files. These security policies ensure that only compliant devices enabled with the Secure Content Locker (SCL) application can decrypt and view the attachment.
Managed Devices
Managed Device policies are enforced only on devices that are enrolled in MDM. You can configure the file attachments that need to be encrypted and secured via SCL and set policies that can be enforced on files that cannot be viewed on the SCL via the console.
• Select iOS Devices to configure attachment settings for iOS devices, OR select Other Devices to configure attachment settings for Android devices.
The following screen illustrates the features available for configuring the email attachment security policy for managed iOS devices.
• Use Recommended Settings – Enabling this option defaults the policy to the recommended settings, where pre-defined settings are enforced on devices. You may choose to customize the policy based on your corporate requirements.
• Actions on Specific file types – The selected radio button determines the action that MDM communicates to the SEG for attachments of specific file types.
o Encrypt & Allow Attachments – Implies that the SEG will encrypt attachments of specific file type(s), and these can be decrypted and read only via the SCL application on the device.
o Block Attachments – Implies that the SEG will block attachments of the specific file type(s).
o Allow Attachments without Encryption – Implies that the SEG will allow attachments of the specific file type without encryption. The attachments can be opened/saved/edited on the device through the native readers.
• Select the radio button actions under the Other Files area to update settings for the file types other than the standard file categories that are currently supported.
o You can exclude specific file types from MDM's email attachment setup under the Exclusion section.
§ For example, you can block all other file types while excluding AUTOCAD files of type .dwg.
o You can also set a message to be displayed in emails on devices for the blocked attachment file types under the Custom Message for Blocked section.
§ For example, "One or more email attachments have been blocked per Acme's corporate policy."
ATTACHMENT SECURITY POLICIES – OTHER DEVICES
The screen below describes the features available for configuring the email attachment security policy for other managed devices.
NOTE: With the Encrypt & Allow Attachments option, attachments downloaded on other managed devices will be encrypted, but cannot be viewed on the device. However, the device users will be able to forward these emails with the encrypted attachment from their devices.
UNMANAGED DEVICES
Unmanaged Device policies are enforced only on devices that are not enrolled and managed in MDM.
• Use Recommended Settings – Enabling this option defaults the policy to MDM recommended settings, where pre-defined settings are enforced on devices. You may choose to customize the policy based on your corporate requirements.
• Actions on Specific file types – The selected radio button determines the action that MDM communicates to the SEG for attachments of specific file types.
o Encrypt & Allow Attachments – Implies that the SEG will encrypt attachments of specific file type(s), and these can be decrypted and read only via the SCL application on the device.
o Block Attachments – Implies that the SEG will block attachments of the specific file type(s).
o Allow Attachments without Encryption – Implies that the SEG will allow attachments of the specific file type without encryption. The attachments can be opened/saved/edited on the device through the native readers.
• You can exclude specific file types from MDM's email attachment setup under the Exclusion section.
• You can also set a message to be displayed in emails on devices for the blocked attachment file types under the Custom Message for Blocked section.
Apply Email Compliance Policies
EMAIL ATTACHMENT CONTROL
MDM offers complete email control as an option for all devices accessing corporate email. This aspect of mobile email access gives organizations advanced security settings otherwise unavailable through native email clients. More than simply denying access to send and receive attachments, you can manage email attachment settings with flexible encryption and access policies based on file type, including the option to decrypt and open securely in the Content Locker. Manage all of these attachment settings from the Admin Console.
Prerequisites
MDM's email attachment control features leverage two aspects of MDM. The following prerequisites must be in place:
• Secure Email Gateway (SEG) v6.3 or higher: The SEG allows a secure connection from internal mail servers and each mobile device.
• Content Locker v1.6 or higher: The Content Locker serves as the secure area for viewing and managing attachments. Upon receiving an email, the Content Locker detects attachment presence and immediately sends the content to the secure viewing area.
o To begin, purchase the MDM Mobile Content Management module.
o Then deploy the Content Locker as a public managed application.
Accessing Attachment Settings
Once the SEG and Content Locker infrastructure is properly established, manage email attachment settings alongside all other MDM features and settings in the Admin Console.
• Create customized email attachment settings for both managed and unmanaged devices by navigating to Profiles & Policies ► Compliance ► Email Policies.
• Select the Edit Policy option to the right of each device type in the Attachment Security Policies area. For more details on configuring email attachment settings, refer to Email Compliance Policies.
Accessing Protected Email Attachments
Once Email Attachment Protection has been enabled, end-users are able to access attachments as established in the Admin Console. These options include the following:
• Allowed & Unencrypted Attachments – Attachments display normally within the mailbox.
• Blocked Attachments – Attachments are removed and replaced with a message notifying the user that the attachments have been blocked.
• Encrypted Attachments –
Opening Encrypted Email Attachments
To open encrypted email attachments in the Content Locker:
1. Select the email attachment.
2. Select Open in Content Locker.
3. Authenticate with corporate credentials.
The attachment automatically decrypts and opens.
NOTE: The file cannot be opened or transferred outside of the Content Locker.
EMAIL MANAGEMENT DASHBOARD
Each time a device attempts to connect to your mobile email server through the Secure Email Gateway (SEG), the gateway gathers statistics about the request. This information is presented on a dashboard in the MDM console and can be used to assess the health of your mobile email deployment. To access the Email Management Dashboard, do the following:
1. Navigate to Dashboards ► Email Management.
2. Click the Location Group drop-down and select the group that connects to the SEG in your corporate environment.
3. Click All under Request Time.
Graphs and Grid
The Email Management Dashboard view is controlled by the three graphs at the top of the screen and a grid below the graphs, which display the data from the selected graph or data group.
Device Activity — The total number of devices communicating through the gateway and the number of blocked and allowed devices.
Devices — The total number of devices communicating through the gateway and the number of managed and unmanaged devices.
Non-Compliant Devices — The number of noncompliant devices communicating through the gateway according to the compliance criteria, as specified in Email Compliance Policies.
Grid — The devices that have accessed the SEG.
Request Time Views
The Request Time views allow the administrator to adjust the dashboard view for all time periods, or for time intervals throughout the last 24 hours.
• Click All or select a time interval to update the charts and grids with the time selection.
Email Compliance in the Dashboard
To edit email compliance policies, click Email Policies.
Override an Email Compliance Policy
After email compliance policies are in place for the Secure Email Gateway, the administrator may find the need to make Blacklist or Whitelist exceptions, or to remove a device from the list of exceptions.
To override a compliance policy:
1. Select Policy Override List to view the current override status for all of the devices that are communicating through the gateway.
This page also provides the ability to add, remove, or change an override to any of the devices listed in the grid.
2. Select a device from the grid to perform a policy override on that device by checking the box on the left.
The device selected in the screen is a Whitelisted device.
3. Click any one of the following to override the current policy:
• Whitelist — Allow the device to override email compliance policies.
• Blacklist — Block the device, even if there are policies that allow (or whitelist) the device.
• Default — Remove the device from the override list and apply the configured email compliance policies to that device.
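The override options above, combined with the Managed Device and Mail Client policies described under Email Policies, can be modelled as follows. This is an added Python example, not code from the MDM product; the evaluation order, the class and function names, and the sample devices and mail clients are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, BLOCK = "Allow", "Block"

@dataclass
class MailClientPolicy:
    rules: dict = field(default_factory=dict)  # client name -> Allow/Block
    default_known: str = ALLOW        # stored in the MDM database, no rule
    default_discovered: str = BLOCK   # seen at the gateway only, no rule
    def decide(self, client, known_clients):
        if client in self.rules:
            return self.rules[client]
        return self.default_known if client in known_clients else self.default_discovered

@dataclass
class EmailPolicies:
    unmanaged_device: str = BLOCK     # the "Managed Device" policy
    mail_client: MailClientPolicy = field(default_factory=MailClientPolicy)
    overrides: dict = field(default_factory=dict)  # device id -> Whitelist/Blacklist

def evaluate(policies, request, known_clients):
    """Return (decision, reason) for one request. The order is an assumption."""
    override = policies.overrides.get(request["device_id"], "Default")
    if override == "Blacklist":       # blocks even where a policy would allow
        return BLOCK, "override: Blacklist"
    if override == "Whitelist":       # overrides the compliance policies
        return ALLOW, "override: Whitelist"
    if not request["managed"] and policies.unmanaged_device == BLOCK:
        return BLOCK, "policy: Managed Device"
    if policies.mail_client.decide(request["client"], known_clients) == BLOCK:
        return BLOCK, "policy: Mail Client"
    return ALLOW, "no blocking policy matched"

# Constructed sample data: client names and device ids are made up.
KNOWN_CLIENTS = {"ClientA", "ClientB"}
POLICIES = EmailPolicies(
    mail_client=MailClientPolicy(rules={"ClientB": BLOCK}),
    overrides={"dev-5": "Whitelist", "dev-6": "Blacklist"},
)
REQUESTS = [
    {"device_id": "dev-1", "managed": True,  "client": "ClientA"},
    {"device_id": "dev-2", "managed": True,  "client": "ClientB"},
    {"device_id": "dev-3", "managed": True,  "client": "ClientX"},
    {"device_id": "dev-4", "managed": False, "client": "ClientA"},
    {"device_id": "dev-5", "managed": False, "client": "ClientX"},
    {"device_id": "dev-6", "managed": True,  "client": "ClientA"},
]

def run_samples():
    return {r["device_id"]: evaluate(POLICIES, r, KNOWN_CLIENTS) for r in REQUESTS}

if __name__ == "__main__":
    for device, (decision, reason) in run_samples().items():
        print(f"{device}: {decision:5} ({reason})")
```

In this model dev-5 is an unmanaged device on an unlisted mail client that is still allowed because of its Whitelist override, which is the kind of entry worth reviewing periodically in the Policy Override List.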
Dashboard Test Mode
Test mode allows mobile devices to communicate through the gateway even when restrictive
KEEP IN MIND...
Use filter views and searches to view devices in the Secure Email Gateway dashboard grid according to compliance criteria.
• The administrator can filter the devices displayed on the grid based upon override status. Select a filter to view Blacklisted, Whitelisted, or All devices.
• The filter functionality provides the ability to search the grid within the displayed results.