Copyright © 2002-2013, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.
LANDesk does not warrant that this document is error free and retains the right to make changes to this document or related product specifications and descriptions at any time without notice. LANDesk does not assume any obligation to update the information contained herein. This document is provided “AS IS” and without any guaranty, warranty, or license, express or implied, including but not limited to: fitness for a particular purpose, merchantability, non infringement of intellectual property, or other rights of any third party. Any LANDesk products referenced in this document are not intended for use in medical, life saving, or life sustaining applications. Third parties may have intellectual property rights relevant to this document and the technologies discussed herein.
Contents
Welcome to LANDesk Mobility Manager
Getting started with Mobility Manager
Working with managed mobile devices
Enrolling mobile devices
Un-enrolling mobile devices
Viewing mobile devices
Scan a mobile device
Remove a mobile device's passcode
Update a mobile device
Lock a mobile device
Wipe a mobile device
LANDesk Portal
Adding apps, docs, and links to the Portal app
Installing and using the LANDesk LD Portal app on mobile devices
Configuring LANDesk Mobility Manager
Configuring the mobility mail server connections
Discovering mobile devices
Welcome to LANDesk Mobility Manager
LANDesk Mobility Manager helps you take control of the mobile devices used in your company. It simplifies device provisioning, helps enforce corporate policies, and allows an administrator to lock or wipe lost or stolen devices.
LANDesk Mobility Manager adds these tools to the Management Suite console:
• Mobile inventory: An addition to your inventory that lists mobile devices that are under management or, if you set up device discovery, devices that have connected to your Exchange/BlackBerry server.
• Mobility tool: The Mobility tool (also known as Avalanche) allows you to create mobile device payload configurations that you can add to mobile profiles. These profiles then get deployed to the mobile devices you select.
• LANDesk Portal: Use this app to manage content (such as documents or links) and make it available to the device user. The Mobility tool manages content that appears in the Portal app.
In addition to these tools, there are certain tasks added to the LDMS console that can be performed using your Microsoft Exchange Server (EAS 2007 or 2010) or BlackBerry Enterprise Server (BES):
• Discover devices. Configure your server to report a list of devices that have connected. Use the list of discovered devices to determine devices that need to be under management.
• Wipe devices. Use a command sent through the EAS/BES to wipe a device that connects to your server. This wipe is a factory reset.
• Create connection rules (Exchange 2010 only). Connection rules determine which device types can access mailboxes.
Getting started with Mobility Manager
When you enroll devices in Mobility Manager, you can perform actions to manage them, and also send profiles to the devices. Mobile device profiles allow you to provision devices with software, links, certificates, or Exchange, VPN, and Wi-Fi credentials. You can also require a passcode on the device or restrict what can be used on the device.
To manage devices using Mobility Manager, perform the following tasks:
1. Create enrollment rules. Enrollment rules allow devices to connect to the server and display devices in the right folders. An enrollment rule contains an ID, password, and the Smart device folder that devices using the rule are placed in. For information about creating enrollment rules, see Creating Enrollment Rules for Smart Devices in the Avalanche help.
2. Enroll devices. For information on enrolling devices, see "Enrolling mobile devices". After devices are enrolled, you can apply profiles to them and perform actions such as wipe or locate.
3. Manage devices by users. If you want to manage devices based on the user, the User Tree organizes devices based on people and organization units according to your LDAP server. For information on managing the User Tree, see Editing the User Tree in the Avalanche help.
Working with managed mobile devices
When you send a command to a mobile device, such as scan now, it can take several seconds or more for the device to receive it. How quickly a device will respond to a remote command depends on your core and network configuration, the level of network congestion, and the phone's data capabilities, among other things.
Enrolling mobile devices
Enrolling a device allows you to manage settings, apps, and other content on the device.
IMPORTANT: You must use the Mobility tool to create an enrollment rule before devices can enroll. For information on creating an enrollment rule, see Creating Enrollment Rules for Smart Devices in the Avalanche help.
The method for enrolling a device depends on the operating system running on the device:
• If the device is using Android, you must install the LANDesk Agent on the device and configure it with the enrollment information.
• If the device is using iOS, you must use the browser on the device to navigate to the enrollment page and enroll the device using the enrollment information.
NOTE: For devices that are not enrolled but connect to the Exchange Server or BlackBerry Server, you can only perform device discovery and wipe.
An administrator must create at least one enrollment rule before users can connect mobile devices to Mobility Manager. The device must be configured with the enrollment ID and password in order to connect to the server. For information about creating enrollment rules, see Creating Enrollment Rules for Smart Devices in the Avalanche help.
Before devices are enrolled, administrators can create mobile device payloads and profiles and deploy them to Active Directory users. When a device enrolls, it automatically downloads the profiles assigned to the device user.
Once a user enrolls their mobile device, that device appears in the Network View under Devices > Mobile and you can view the device's inventory information.
To enroll an Android device
1. Download the LANDesk agent from the Google Play store by navigating to the URL below:
https://play.google.com/store/apps/details?id=com.wavelink.android
2. From the device Notifications, tap the application to install it.
4. The app asks if you want to allow the application to be a device administrator. Tap Activate.
5. The Settings page appears. Type the Enrollment ID and Password in the text boxes and tap Register.
The device is placed in the Smart device folder associated with the enrollment rule and receives the Smart mobile device profile applied to the folder.
To initiate an update from an Android device that has already enrolled, launch the LANDesk Agent, navigate to the Maps tab and tap Sync.
To enroll an iOS device
1. From the device, use a browser to navigate to the Enrollment page:
https://sds.aod.wavelink.com/mdm/wam/enroll.faces
2. Provide the enrollment ID and password. If desired, provide the Microsoft Exchange username and email address.
3. Click Enroll.
4. The device is placed in the Smart device folder associated with the enrollment rule and receives the Smart mobile device profile applied to the folder.
This process can also be used to initiate an update from an iOS device as long as the device is not moved to a different folder after it is enrolled.
To use the LANDesk Portal app
1. Download and install the LANDesk Portal app from the App Store or Play Store.
2. Open the Portal app.
3. Enter your company network login credentials and tap Sign In.
4. Once logged in, use the app to access the content made available for your account by an administrator.
Un-enrolling mobile devices
If a user wants to remove his mobile device from management, he can uninstall the Agent (Android only) and Portal apps just as he would any app. Users who have iOS devices that are being managed need to go into Settings > General > Profiles and remove the Wavelink MDM profile. If the profile is password protected, the user is prompted for the password in order to remove the profile.
When a user uninstalls the apps, it does not remove the device from the Network view or the Mobility tool.
Viewing mobile devices
To make it easier to find devices in the devices list, use the Find box, located directly above the device list. You can use this tool to locate and display devices by typing one or more keywords and specifying the columns to search in.
Mobile device discovery
The Mobile device discovery tree lists devices that are associated with EAS wipe or discovery commands. You can also use it to refer to the discovery and/or wipe history of one or more devices.
• EAS Wipe pending: Displays a list of any devices that have been set to be wiped via Exchange ActiveSync, but which have not yet synced with the Microsoft Exchange server. Devices in this list can have their wipe command canceled as described in "Wipe a mobile device".
• EAS Wiped: Displays a list of all devices that have been wiped via Exchange ActiveSync.
• Commands history > Device discovery: Keeps a record of all discovery commands that have been scheduled, when they were issued, the server type, how many devices were discovered, the user that executed the discovery, and whether or not the command was executed successfully. The data remains in the system until it is deleted.
• Commands history > Wiped device history: Keeps track of all devices that have been wiped using
Scan a mobile device
Managed devices are configured to connect to the server every 24 hours. If you want to scan a device immediately to update the displayed information, use the Scan Now command from the LANDesk console. The command requests the device to connect and pull any updates available, and it updates the device information shown in the LANDesk console.
To run an on-demand inventory scan
1. Find the device in the Network view.
2. Right-click it and click Scan now. The device is requested to connect. The command is only sent once, so if the device is unreachable at the time the command is sent, the device waits until its scheduled update time.
Remove a mobile device's passcode
If a user forgets the passcode for his managed mobile device, you can remotely remove it. If a restriction payload applied to the device requires a passcode, users will be prompted to create a new passcode.
To remove a device's passcode
1. Find the device in the Network view.
2. Right-click it and click Unlock/Reset passcode. The device's passcode is removed and the user can unlock the device. The command is only sent once, so if the device is unreachable at the time the command is sent, the device passcode is not removed.
Update a mobile device
You can force a managed mobile device to check in and update its mobile payloads. This is useful if you make a profile or payload configuration change and you want it applied immediately to a particular mobile device. Managed mobile devices automatically check for updates once a day, so you don't have to do manual updates unless you want a change applied immediately.
To update a mobile device's policies
1. Find the device in the Network view.
2. Right-click it and click Update policies. The device is requested to connect. The command is only sent once, so if the device is unreachable at the time the command is sent, the device waits until its scheduled update time.
Lock a mobile device
You can remotely lock managed mobile devices if they are stolen or lost. The mobile user will need to enter their passcode to unlock the device. If the device doesn't have a passcode, users can unlock the device without entering a passcode.
To lock a mobile device
1. Find the device in the Network view.
2. Right-click it and click Lock.
Wipe a mobile device
When a device is lost, stolen, or assigned to a new user, you may want to wipe the device to remove any personal or sensitive information.
There are two methods for wiping a device, depending on whether the device is enrolled or only discovered.
• Enrolled devices are wiped through the Mobility tool.
• Discovered devices are wiped through the EAS/BES.
Wiping a managed device using the Mobility tool
There are three wipe options for managed devices:
• Selective wipe/Unmanage. Removes all the data associated with the Mobility payloads on the device. For example, a selective wipe would remove app restrictions or WiFi passwords.
• Selective wipe/Delete. Removes the data associated with the Mobility payloads and also deletes the device from the inventory.
• Wipe. Removes all personal files and applications from the device and restores the device to its factory settings. This option removes the LANDesk Agent from the device, but it does not remove the device from the inventory.
When you send a wipe command, it is sent through either GCM or APNS (depending on whether it is an Android or an iOS device). The command is only sent once, so if the device is unreachable at the time the command is sent, the device does not get wiped.
To execute the wipe command
1. Find the device in the Network view.
2. Right-click it and click Wipe.... Then select the type of wipe you want to perform. You are prompted to proceed with the command.
Wiping a discovered device using the EAS/BES
The wipe command is executed differently depending on the type of server performing the wipe.
Blackberry Enterprise server (BES)
Microsoft Exchange server (EAS)
On a Microsoft Exchange server, the wipe is associated with both the user and the device. Once the wipe command is sent to the server, the device's status in the Mobility management tool is set to "Wipe pending". The next time the device attempts to log in, the wipe command will execute and the device will be wiped immediately. Because the wipe does not actually occur until the next time the device logs in, the wipe command can be canceled at any time (see below).
To execute the wipe command
1. Find the device in the Network view.
2. Right-click it and click Wipe. You are prompted to proceed with the command.
IMPORTANT: Before wiping devices, it is important to understand how the wipe command is executed on a
Canceling a wipe
LANDesk Portal
See the following topics for more information on configuring mobile LANDesk Portal content.
Adding apps, docs, and links to the Portal app
If you want to password-protect access to certain managed content, you can specify in a payload that the content should be delivered to the Portal app. When an app, doc, or link payload is associated with the Portal app, the device user must log in to the Portal app using his network credentials in order to access the content. Depending on the type of content, use a Document/Media payload, Link payload, or Software payload. For more information on creating payloads and profiles, see Managing Smart Mobile Device Profiles in the Avalanche help.
Document / Media payloads in the Portal app
When you distribute media using a Document / Media payload, make sure the device has an app that can open the file type.
The default supported file types for iOS are:
• iWork documents
• Microsoft Office documents (Office ‘97 and newer)
• Rich Text Format (RTF) documents
• PDF files
• Images
• Text files whose uniform type identifier (UTI) conforms to the public.text type
• Comma-separated value (csv) files
• H.264 Baseline Profile Level 3.0 video, up to 640 x 480 at 30 fps. (The Baseline profile does not support B frames.)
• MPEG-4 Part 2 video (Simple Profile .mov, .mp4, mpv, .3gp)
Link payloads in the Portal app
Links sent to the device are opened with the device's default browser. When linking to a Web-based application, make sure that the application is supported by the browser.
Software payloads in the Portal app
You can make two types of apps available to mobile devices:
• Apps available from an app store such as Google Play or iTunes.
• Enterprise apps developed internally, such as a company-specific sales or inventory app.
Updating mobile device content
Installing and using the LANDesk LD Portal app on mobile devices
The LANDesk Portal app is available from the Apple App Store and Google Play store. For users to access information through the Portal, they must enroll their devices and then download and install the Portal app. Once the app is installed, they can log in using their Active Directory credentials.
Once you've installed and logged in to the app, you can do the following:
• Select a content category to view
• Download an app
• View a document or media
• View a link
• Check for portal content updates
• Update applications you've installed through the portal
To use the LANDesk Portal app
1. Open the LD Portal app.
2. Enter your credentials and click Sign In. Your username should include the domain: domain\username
3. Once logged in, you can navigate the app and access content made available for your account through
Configuring LANDesk Mobility Manager
See the following topics for information on configuring LANDesk Mobility Manager from the LDMS console. For information on managing the user tree in the Mobility tool, see Editing the User Tree in the Avalanche help. For information about configuring payloads for devices, see Managing Smart Mobile Device Profiles in the Avalanche help.
Configuring the mobility mail server connections
To use your Exchange or BlackBerry servers for mobile device discovery, you first need to configure Mobility Manager so it can authenticate to the Exchange or BlackBerry server in your environment. This allows you to discover mobile devices and manage their access to the servers.
To provide the server authentication information
1. Click Tools > Mobility > Mobile inventory.
2. Click Configure on the toolbar.
3. In the left panel, select the type of server (BlackBerry, Exchange 2007, or Exchange 2010).
For BlackBerry servers
1. Click New.
2. In the BES Credentials dialog box, specify the server address, login method, and credentials.
3. Click Test connection to verify the credentials work.
4. Click Save.
For Exchange 2007 servers
1. Make sure the Microsoft Exchange Server 2007 Management Tools are installed on your core server.
2. Specify the login credentials.
3. Click Test connection to verify the credentials work.
4. Click OK.
For Exchange 2010 servers
1. Specify the server domain\server name and login credentials.
2. Click Test connection to verify the credentials work.
3. Click OK.
NOTE: You can configure more than one BlackBerry server; Microsoft Exchange is currently limited to one server per version (2007 and 2010).
Discovering mobile devices
To discover devices connecting to your servers that are not currently being managed, Mobility Manager uses mobile device connection information from the Exchange and BlackBerry mail servers. Agentless discovery doesn't require any communication with the actual mobile device, but only mobile devices that have connected to a corporate mailbox can be discovered.
To discover mobile devices
1. Click Tools > Mobility > Mobile discovery.
2. Click Configure on the toolbar.
3. In the left pane, click Discovery options.
4. Change the "Recently discovered" limit if you want to.
5. Click Schedule discovery.
6. In the Schedule task dialog box, click Schedule task.
7. Click Start now. Or, click Start later and specify the date and time when you want the discovery to take place. You can also specify a repeat interval and number of retries (optional).
8. Click Save to initiate the discovery scan.
NOTE: Device discovery history is available from the Commands history folder in the Mobile Discovery tree.
Connection rules
See the following topics for more information on configuring mobility connection rules for mobile devices.
Mobile device connection rules
If your company uses Microsoft Exchange 2010, you can use Mobility Manager connection rules that allow you to configure what devices can connect to a Microsoft Exchange 2010 mailbox. Microsoft Exchange 2007 and BlackBerry Enterprise Server environments don't support mobility connection rules. Connection rules are used to allow or deny connections for specific device types.
Since the Apple mobile device model list is fairly small, it's easy to identify the devices you're interested in managing:
• iOS
• iPad
• iPhone
Android is more complicated because there are so many manufacturers providing Android devices. With Android devices, you'll need to pay more attention to the much larger variety of device types that exist in the Android ecosystem.
Fortunately, it's fairly easy to find out a device's type. When a user tries accessing their Exchange mailbox from a mobile device that is blocked by a connection rule, that user receives an email with information about why the mobile device was denied access. Included in that email is the mobile device's device type. Administrators can use the information from this email to add the blocked device type to an exception list if they want to allow that device model access.
Apply mobile device connection rules
Once you've configured a Mobility Manager connection to a Microsoft Exchange 2010 server, you can then configure ActiveSync connection rules.
There are three connection rules you can apply:
• Do not allow mobile devices to connect: Mobile devices can't access an Exchange mailbox.
• Allow all mobile devices to connect (default): Any user can access an Exchange mailbox from a mobile device. You can refine this rule by creating exceptions for certain mobile device types (iOS devices, for example).
• Allow only managed devices to connect: Mobile devices that are enrolled in Mobility Manager can access an Exchange mailbox. You can refine this rule by creating exceptions for certain mobile device types (iOS devices, for example).
The default device list already includes some common device types. If you don't see the device type you want to manage in the list, you can add new device types.
To apply connection rules
1. Click Tools > Mobility > Mobile discovery.
2. In the toolbar, click Configure.
3. In the navigation tree, click Exchange 2010 Server.
4. Select the connection rule you want.
5. Enter Notification custom text that you want. This text appears in the quarantine email that users get when they try to connect. Sample text might be instructions on how to submit a request to enable email access. HTML is allowed, so you could include a hyperlink to a web page with more information. If you're pasting text or HTML into the text box, make sure it's all on a single line. If you paste a block of text or HTML code with line breaks, only the first line will be pasted.
6. If necessary, add or select the devices you want the connection rule applied to.
7. Click OK.
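Before applying a rule, it helps to preview which discovered devices it would block and to flatten the notification text to one line. The following is an added sketch, not LANDesk code: the names ConnectionRule, preview and single_line, the device list and the help-desk URL are constructed for illustration. It assumes that under "Allow all" the listed exception types are blocked, and that under "Allow only managed" the listed types are allowed even when not enrolled; the guide does not spell out exception semantics.

```python
from dataclasses import dataclass, field

# The three connection rules named in this guide.
DENY_ALL = "Do not allow mobile devices to connect"
ALLOW_ALL = "Allow all mobile devices to connect"
MANAGED_ONLY = "Allow only managed devices to connect"


@dataclass
class ConnectionRule:
    mode: str
    exceptions: set = field(default_factory=set)  # device types, e.g. {"iPad"}

    def decide(self, device_type, enrolled):
        """Return "allow" or "block" for one device.

        ASSUMPTION (the guide does not define exception semantics): under
        "Allow all", listed types are blocked; under "Allow only managed",
        listed types are allowed even when the device is not enrolled.
        """
        listed = device_type.lower() in {t.lower() for t in self.exceptions}
        if self.mode == DENY_ALL:
            return "block"
        if self.mode == ALLOW_ALL:
            return "block" if listed else "allow"
        if self.mode == MANAGED_ONLY:
            return "allow" if enrolled or listed else "block"
        raise ValueError(f"unknown connection rule: {self.mode!r}")


def preview(rule, devices):
    """List the (user, device_type) pairs that would be blocked and so
    would receive the notification email."""
    return [(d["user"], d["type"]) for d in devices
            if rule.decide(d["type"], d["enrolled"]) == "block"]


def single_line(notification_html):
    """Collapse pasted text/HTML onto one line; the guide warns that only
    the first line of a multi-line paste is kept."""
    return " ".join(notification_html.split())


# Constructed sample data: devices as a discovery scan might list them.
DEVICES = [
    {"user": "alice", "type": "iPhone", "enrolled": True},
    {"user": "bob", "type": "iPad", "enrolled": False},
    {"user": "carol", "type": "SAMSUNGGTI9300", "enrolled": False},
    {"user": "dave", "type": "Android", "enrolled": True},
]

# Constructed notification text containing line breaks.
NOTICE = """<p>Your device was blocked.</p>
<p>Request access at
<a href="https://helpdesk.example.com/mobile">the help desk</a>.</p>"""

if __name__ == "__main__":
    for rule in (ConnectionRule(ALLOW_ALL, {"iPad"}),
                 ConnectionRule(MANAGED_ONLY),
                 ConnectionRule(MANAGED_ONLY, {"iPad"})):
        print(rule.mode, sorted(rule.exceptions), "->", preview(rule, DEVICES))
    print(single_line(NOTICE))
```

Comparing the preview for "Allow all" against "Allow only managed" shows how many unenrolled devices currently reach mailboxes and would lose access when the stricter rule is applied.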
Grandfathering mobile devices
You can grandfather all mobile devices that connected to your Exchange 2010 server in the past.