
NotifyMDM Version 1.1.0 Configuring the Organization •••• 1

System Configuration and Deployment Guide

This guide provides information on . . .


Table of Contents

Configuring the Organization
  Organization Setup Wizard
  Create an Organization using the Organization Setup Wizard
    Step 1: Enter an Organization Name and Contact Information
    Step 2: Define the Organization’s Default Servers
    Step 3: Create the Organization’s Default Policy Suite
    Step 4: Create the Organization’s Default Sync Schedule
  Managing SMTP, ActiveSync, and Administrative LDAP Servers

Policy Suites
  Create a New Policy
  Policy Suite Editor
  Tips on Customizing and Using Policy Suites

Synchronization Schedules
  Create a New Sync Schedule
  Sync Schedule Editor
  Tips on Using Sync Schedules

Adding Users
  Adding Users Manually
  Adding Users via Comma Separated Values (CSV) Files
  Adding Users via LDAP
  Configuring the Organization for Hands-Off Registration
  Registering Multiple Devices to a Single Account
  Custom Columns
    Adding Custom Columns
    Modifying Custom Columns

User Registration
  The NotifyMDM App
  Devices without a NotifyMDM App
  NotifyMDM Registration for NotifyLink Users


Configuring the Organization

Organization Setup Wizard

The Organization Setup Wizard is a tool used to create an organization on the NotifyMDM server. The organization may be a company or a distinct group of individuals within a company. Each organization consists of:

• its users/devices
• one or more Policy Suites that enforce functionality settings and security settings for an organization’s fleet of mobile devices
• one or more Synchronization Schedules that govern when devices synchronize policy setting updates and send device statistics

A single application of NotifyMDM software can accommodate just one organization or host multiple organizations.

Configuring an organization includes:

• Entering organization information
• Defining a default ActiveSync Server (if applicable) for the purpose of user authentication and auto-provisioning.
• Defining a default Administrative LDAP Server (optional) for the purpose of importing user information to the NotifyMDM server in batches.
• Defining a default SMTP Server for email communication to and from the NotifyMDM server.
• Creating a default Policy Suite or suites for the organization
• Creating a default Synchronization Schedule or schedules for the organization
• Adding users


Create an Organization using the Organization Setup Wizard

The Organization Setup Wizard displays automatically when you log in to NotifyMDM for the first time. You can also access the wizard via the dashboard.

1. From the NotifyMDM dashboard header, select System Management.
2. From the menu panel, select System Administration > Organizations.
3. Click the Add New Organization button.
4. Click Next to begin creating a new organization.

Step 1: Enter an Organization Name and Contact Information

Enter the following:

- Organization name
- License key (production releases will require a license key issued by Notify Technology)
- Contact name
- Contact’s primary and secondary e-mail address
- Contact’s primary and secondary phone number
- Select a default ownership for users who are auto-provisioned via Hands-Off registration.
- Allow or disallow users with a NotifyMDM app to change device ownership status. If you lock ownership, users who attempt to change their ownership via the NotifyMDM app will experience an invalid credentials error and will not be able to register. If you do not
- Choose whether you will allow jailbroken (iOS) devices to register against the NotifyMDM server.

Step 2: Define the Organization’s Default Servers

Define the following server credentials for the organization:

ActiveSync Server (optional)

An ActiveSync server is not required, but for systems utilizing the ActiveSync protocol, NotifyMDM can act as a gateway server. An ActiveSync server allows auto-provisioning of devices, reducing the amount of manual user configuration. In addition, users are authenticated via their ActiveSync server credentials. In this role, policies defined in NotifyMDM, rather than ActiveSync policies, are enforced. ActiveSync Email and PIM traffic are relayed to/from devices by NotifyMDM.

- ActiveSync server name
- ActiveSync server address
- ActiveSync server port
- Use SSL
- Allow Hands-Off Registration*

LDAP Server (optional)

Defining an LDAP server allows an administrator to quickly add groups of users to the NotifyMDM server by importing user information from a corporate LDAP directory.

- LDAP server name
- LDAP server address
- LDAP server port
- LDAP E-mail Attribute
- Use SSL
- Use TLS
- LDAP username
- LDAP password
- LDAP Base DN
- LDAP Object Class

SMTP Server

The SMTP server defined here will be used by the NotifyMDM server to send email to administrators and allows the administrators to send email to an individual device or a group of devices.

- SMTP server name
- SMTP server address
- SMTP server port
- Use SSL
- Use TLS
- Use AUTH PLAIN
- Username
- Password

* Enabling Hands-Off Registration via the ActiveSync Server

Enabling the Hands-Off Registration option when defining an ActiveSync server provides a method of auto-provisioning users on the NotifyMDM server.


See related topics:

- Configuring the Organization for Hands-Off Registration

- Managing SMTP, ActiveSync, and Administrative LDAP Servers

ActiveSync Server


Step 3: Create the Organization’s Default Policy Suite

Create a default policy suite for the organization. Other policy suites may be created later to accommodate different groups of users. The default policy suite is used for auto-provisioned users.

• Define a policy name for the organization’s default policy suite.
• Set a corporate policy strength (for devices owned by the company).
• Set a personal policy strength (for devices owned by the individual).

Four Policy Strength Levels

Low - No options are restricted on the device. Passwords can be simple.

Moderate - No options are restricted on the device. Passwords are strong and password expiration is enforced.

Strict - Requires alphanumeric password and encryption on the device and storage card.

High Security - Browser and camera are disabled. Requires alphanumeric password and encryption on the device and storage card.


Step 4: Create the Organization’s Default Sync Schedule

Create a default Synchronization Schedule for the organization. Other schedules may be created later to accommodate different groups of users. Sync Schedules dictate peak and off-peak times for devices to synchronize. Times can overlap days to cover different work shift situations and special case employees. The default sync schedule is used for auto-provisioned users.

• Define a schedule name for the organization’s default sync schedule.
• Set a corporate sync schedule (for devices owned by the company).
• Set a personal sync schedule (for devices owned by the individual).

Define the following settings:

Corporate
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time

Personal
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time

Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The times you define in the schedule grid designate peak sync times. Anything that falls outside the peak sync schedule is off-peak sync time.


Managing SMTP, ActiveSync, and Administrative LDAP Servers

You may define multiple administrative LDAP or ActiveSync servers for an organization, in addition to the server(s) you defined through the Organization Wizard.

You may also edit information for the administrative LDAP, ActiveSync, or SMTP servers defined through the Organization Wizard.

Distinguishing between Administrative LDAP Servers and LDAP Servers

Administrative LDAP servers defined here are for the purpose of adding users via a batch import from an LDAP directory. User credentials are imported from an LDAP directory and all users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

LDAP servers defined under Corporate Resources are for the purpose of configuring LDAP settings to push out to the device, so the user can access corporate directory information via the device.

Define Additional Administrative LDAP or ActiveSync Servers

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select LDAP Servers or ActiveSync Servers.
3. Click the Add LDAP Server or Add ActiveSync Server option.
4. Enter the server credentials:

Server Editors: Edit Information for Administrative LDAP, ActiveSync, or SMTP Servers

To edit credentials for an existing LDAP, ActiveSync, or SMTP Server:

1. From the NotifyMDM dashboard header, select Organization Management.


Policy Suites

A policy suite is a set of rules that govern, secure, and monitor the usage of devices in the enterprise. Policies are the heart of the Notify Mobile Device Management system, allowing administrators to manage users operating on a variety of device platforms and enforce policies across all devices as consistently as possible*.

For enterprises utilizing the ActiveSync protocol, NotifyMDM acts as a gateway server. NotifyMDM intercepts policy updates sent from the ActiveSync server and instead enforces policies on the device that have been defined in NotifyMDM.

*Note: Descriptions of individual policy settings and functionality of settings across device platforms may be found in the Device Platform Comparison chart at:

http://mdm.notifylink.com/downloads/MDM%20Device%20Platform%20Comparison.pdf

The Policy Wizard guides you through setup of an organization’s policy suite(s). Multiple policies can exist and each user/device can be assigned the policy that best suits their role. A policy suite includes settings for both corporate and personal devices.

Policy Suite Templates. The Wizard allows an administrator to quickly create a new policy suite either by copying an existing policy suite or by choosing from a number of pre-defined policy suites which reflect four levels of security strength. The administrator can start with one of these templates and use the Policy Suite Editor to customize the settings associated with any of the policy rules.

See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.

You may also draft a Welcome Letter that will be sent to users associated with a particular policy suite. The letter is sent via email when the user is added to the system.

Policy rules are categorized into the following groups:

• Application Control
• Audit Tracking
• Device Control
• Security Settings
• SMIME Settings
• iOS Devices


Create a New Policy

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. Click the Create New Policy option.
4. Choose a method for creating a policy suite:
   • Create the initial policy suite using sliders to determine its general policy strength (low, recommended, strict, high security).


Policy Suite Editor

To edit an existing Policy Suite:

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Policy Suites icon.
3. From the menu panel, select the policy you wish to change.
4. Create a Welcome Letter to be emailed to users assigned this policy when they are added. Note: This must be enabled in the Organization Settings. From the dashboard, select System Management > Organization and check the Send Welcome Letter to Users option.
5. Select the category you wish to edit.
6. Edit the settings and click Save Changes.

See Appendix A: Default Policy Settings for a comprehensive list of the policy suite rules and their default settings.

Descriptions of individual policy settings and functionality of the settings across device platforms may be found in the Device Platform Comparison chart at


Tips on Customizing and Using Policy Suites

• You can use Allow All and Deny All buttons to easily allow or deny all settings for corporate and personal devices simultaneously.
• Some policies determine the options available for other policies.
• You must specify a policy suite when you add a user. Users added by import methods or auto-provisioned users will all have the same policy suite.
• You can push policy changes to users by selecting the Push Policy Suite option. This overrides the sync schedule and forces users to immediately get the changes.
• You can change an individual user’s policy suite in their User Profile.
• You can assign or change the policy suite for a group of users selected by criteria by selecting the Assign Policy Suite To Users option.


Synchronization Schedules

The Sync Schedule determines the frequency at which devices synchronize with the NotifyMDM server. The schedule controls when the devices send statistics and may also control when the server sends updates (if the direct push setting is disabled). Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The Sync Schedule Wizard guides you through setup of an organization’s synchronization schedule(s). Multiple schedules may exist and each user (device) may be assigned the appropriate schedule. The Wizard allows an administrator to quickly create a new sync schedule either by choosing from the system default schedules or by copying an existing schedule. The administrator can then use the Sync Schedule Editor to customize the settings associated with each schedule. Each schedule may be customized for corporate owned and personally owned devices.

Create a New Sync Schedule

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. Click the Create New Sync Schedule option.
4. Choose a method for creating a sync schedule:
   • Create a New Sync Schedule - Create the initial schedule using the system defaults.

Define the following settings:

Corporate
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time

Personal
• Monday through Sunday peak sync ranges
• Peak sync interval
• Require direct push for peak time
• Off-peak sync interval
• Require direct push for off-peak time

Regulating the interval at which devices synchronize should be considered carefully so as to minimize the device battery depletion.

The times you define in the schedule grid designate peak sync times. Anything that falls outside the peak sync schedule is off-peak sync time.

A schedule’s peak and off-peak sync intervals define the frequency at which devices synchronize with the server. Peak time is defined as time periods during which device usage is consistently higher than average. Conversely, off-peak time is defined as time periods during which device usage is consistently lower than average. To accommodate the higher traffic, peak sync intervals are usually set at lower values (initiating more frequent synchronizations) than off-peak sync intervals.

The Require Direct Push setting determines whether updates from the server are synchronized immediately or during the next scheduled sync session. If this setting is enabled, updates from the server sync to the device as soon as they are available. Synchronizations from the device still occur according to the scheduled sync interval and are not affected by this setting.
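The peak/off-peak intervals and the Require Direct Push setting together decide how long a server-side policy change can wait before a device receives it. The Python example below is added here and is not NotifyMDM code; the schedule dictionary, the function names, the treatment of a range that ends no later than it starts as running past midnight, and the rule that a device plans its next sync with the interval in effect when it syncs are all assumptions made for illustration.

```python
from datetime import datetime, time, timedelta

# Constructed sample schedule (hypothetical data model, not NotifyMDM's format).
# Keys 0-6 are Monday-Sunday. A range whose end is not later than its start
# is assumed to run past midnight into the next day.
SCHEDULE = {
    "peak_ranges": {
        0: [(time(8), time(18))],
        1: [(time(8), time(18))],
        2: [(time(8), time(18))],
        3: [(time(8), time(18))],
        4: [(time(8), time(18)), (time(22), time(6))],  # Friday night shift
        5: [],
        6: [],
    },
    "peak_interval_min": 15,
    "offpeak_interval_min": 120,
    "direct_push_peak": True,
    "direct_push_offpeak": False,
}


def is_peak(schedule, when):
    """True if `when` falls inside a peak range; anything else is off-peak."""
    now = when.time()
    today = schedule["peak_ranges"].get(when.weekday(), [])
    yesterday = schedule["peak_ranges"].get((when.weekday() - 1) % 7, [])
    for start, end in today:
        if start < end:
            if start <= now < end:
                return True
        elif now >= start:          # range continues past midnight
            return True
    for start, end in yesterday:
        if end <= start and now < end:  # tail of yesterday's overnight range
            return True
    return False


def window(schedule, when):
    """Return (sync interval in minutes, direct push required) at `when`."""
    if is_peak(schedule, when):
        return schedule["peak_interval_min"], schedule["direct_push_peak"]
    return schedule["offpeak_interval_min"], schedule["direct_push_offpeak"]


def delivery_delay(schedule, synced_at, update_at):
    """Minutes a server-side change made at `update_at` waits before it
    reaches a device that synchronized at `synced_at`."""
    if synced_at > update_at:
        raise ValueError("synced_at must not be later than update_at")
    _, direct_push = window(schedule, update_at)
    if direct_push:
        return 0                    # pushed as soon as it is available
    next_sync = synced_at
    while next_sync < update_at:    # walk the device's scheduled syncs
        interval, _ = window(schedule, next_sync)
        next_sync += timedelta(minutes=interval)
    return int((next_sync - update_at).total_seconds() // 60)


def worst_case_delay(schedule, update_at):
    """Largest delay over every minute at which the device may have synced."""
    horizon = max(schedule["peak_interval_min"],
                  schedule["offpeak_interval_min"])
    return max(
        delivery_delay(schedule, update_at - timedelta(minutes=m), update_at)
        for m in range(horizon + 1)
    )


if __name__ == "__main__":
    monday_8_01 = datetime(2024, 1, 1, 8, 1)   # 2024-01-01 is a Monday
    no_push = dict(SCHEDULE, direct_push_peak=False)
    print("with direct push:", worst_case_delay(SCHEDULE, monday_8_01))
    print("without direct push:", worst_case_delay(no_push, monday_8_01))
```

With direct push disabled, a change made one minute into the peak window can still wait almost a full off-peak interval, because the device planned its next sync while off-peak.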


Sync Schedule Editor

To edit an existing Sync Schedule:

1. From the NotifyMDM dashboard header, select Organization Management.
2. Select the Sync Schedules icon.
3. From the menu panel, select the schedule you wish to change.
4. Select the Corporate or Personal schedule.


Tips on Using Sync Schedules

• You must specify a sync schedule when you add a user. Users added by import methods or auto-provisioned users will all have the same sync schedule.
• You can push sync schedule changes to users by selecting the Push Sync Schedule option. This overrides the sync schedule and forces users to immediately get the changes.
• You can change an individual user’s sync schedule in their User Profile.
• You can assign or change the sync schedule for a group of users selected by criteria by selecting the Assign Sync Schedule To Users option.


Adding Users

Provisioning users for NotifyMDM can be executed in several ways.

• Add individual users manually
• Deploy a fleet of devices with batch import methods – User credentials are imported from an LDAP directory or via a Comma Separated Values (CSV) file. All users imported at one time are assigned the same policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).
• Configure the organization for Hands-Off Registration – To free the administrator from the task of adding users either manually or by batch import, NotifyMDM can auto-provision any user with an account on the corporate ActiveSync server when they register their device against the NotifyMDM server. Users are added with the default device ownership, Policy Suite and Sync Schedule.

Adding Users Manually

Administrators can add users to an organization manually. Once added, users may register their device against the NotifyMDM server.

To Add Users Manually

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select Manual from the Add New User Wizard dialog.
4. Enter the user information, then click Finish. * = required field

ActiveSync server – Select the ActiveSync server you wish to associate the user with, from the dropdown list.

LDAP Server – Select the LDAP server you wish to associate the user with, from the dropdown list.

Device Ownership – Choose Corporate (user’s device is corporate owned) or Personal (user’s device is personally owned).

Lock Ownership – If locked, a user with a NotifyMDM device app will not be allowed to change their ownership. Users who attempt to change their ownership via the NotifyMDM app will experience an invalid credentials error and will not be able to register.

User Name * – For users associated with an ActiveSync server, this should be their ActiveSync account user name.

domain, enter it here. This also provides one way to configure the user for registering multiple devices against a single account. (See Registering Multiple Devices to a Single Account in this guide.)

Password * – For users associated with an ActiveSync server, this should be their ActiveSync account password. For users on systems that do not use the ActiveSync protocol, enter a unique password for their NotifyMDM user account.

E-mail Address * – Enter the user’s E-mail address.

Policy Suite * – Select the Policy Suite you wish the user to have from the dropdown list.

Sync schedule * – Select the Sync Schedule you wish the user to have from the dropdown list.


Adding Users via Comma Separated Values (CSV) Files

An administrator can import a group of users to the NotifyMDM server via a CSV file. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

Usernames, email addresses, and passwords of users are entered into a spreadsheet template. The administrator also chooses the device ownership, policy suite, synchronization schedule, ActiveSync server (if used), LDAP server (if used), and carrier (if desired) for the group being added. Using the Add New User Wizard, the file is then downloaded to the NotifyMDM server where user credentials from the file and the defaults specified by the administrator are merged to create new NotifyMDM user accounts. Once added, users may register their device against the NotifyMDM server.

To Add Users by Importing From CSV Files

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select .CSV from the Add New User Wizard dialog.
4. Download the .CSV spreadsheet template and save it in the desired location. Enter into the .CSV spreadsheet the usernames, email addresses, and passwords for the users you are adding to MDM.
5. In the Add New User Wizard, select the default information for users in this file: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Upload the .CSV file with the users’ credentials.


Adding Users via LDAP

When an LDAP server(s) is defined for an organization, NotifyMDM can use it to retrieve user information from the corporate LDAP server(s) and use it to add users to MDM.

An administrator can import a group of users to NotifyMDM via an LDAP server that has been defined for the organization. All users imported at one time will be assigned the same device ownership, policy suite, sync schedule, ActiveSync server (if defined), LDAP server (if defined), and carrier (if desired).

Once added, users may register their device against the NotifyMDM server.

To Add Users by Importing From LDAP

1. From the NotifyMDM dashboard header, select Smart Devices and Users.
2. Click the Add User option to use the Add New User Wizard.
3. Select LDAP from the Add New User Wizard dialog.
4. Select the LDAP Server to query.
5. Select the default information for users added via LDAP: device ownership, ActiveSync Server, LDAP Server, Policy Suite (required), Sync Schedule (required), and Carrier.
6. Select the Username Format to be used.
   • Trim e-mail address before ‘@’ – EX: If e-mail address is [email protected], username will be jstewart
   • Use entire email address – username will be the full e-mail address
7. Click Next to select the users you wish to add from the LDAP server.
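The Username Format chosen in step 6 decides whether two directory entries can end up with the same NotifyMDM username: trimming at ‘@’ maps users who share the part before ‘@’ in different domains onto one name. The Python example below is added here and is not part of NotifyMDM; the function names, the case-insensitive comparison, and the sample addresses (constructed, on reserved example domains) are assumptions made for illustration.

```python
from collections import defaultdict

TRIM = "trim"   # "Trim e-mail address before '@'"
FULL = "full"   # "Use entire email address"


def derive_username(email, fmt):
    """Apply one of the two Username Format options to an e-mail address."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    if fmt == TRIM:
        return local
    if fmt == FULL:
        return email
    raise ValueError(f"unknown username format: {fmt!r}")


def find_collisions(emails, fmt, existing_usernames=()):
    """Map each derived username to the entries that would share it.

    Usernames are compared case-insensitively (an assumption); names already
    present on the server are passed in `existing_usernames`.
    """
    owners = defaultdict(list)
    for name in existing_usernames:
        owners[name.lower()].append("(existing account)")
    for email in emails:
        owners[derive_username(email, fmt).lower()].append(email.strip())
    return {name: who for name, who in owners.items() if len(who) > 1}


def pick_format(emails, existing_usernames=()):
    """Return (format, remaining collisions): TRIM when it is collision-free,
    otherwise FULL together with whatever still collides under FULL."""
    if not find_collisions(emails, TRIM, existing_usernames):
        return TRIM, {}
    return FULL, find_collisions(emails, FULL, existing_usernames)


# Constructed sample: e-mail attribute values as returned by an LDAP query.
LDAP_EMAILS = [
    "jstewart@example.com",
    "jstewart@example.org",
    "mlee@example.com",
]

if __name__ == "__main__":
    print(find_collisions(LDAP_EMAILS, TRIM))
    print(pick_format(LDAP_EMAILS))
```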


Configuring the Organization for Hands-Off Registration

Enabling User Self-Registration

Enabling the Hands-Off Registration option when defining an ActiveSync server provides a method of auto-provisioning users on the NotifyMDM server, thus freeing the administrator from the task of adding users either manually or by batch import.

Users registering a device against the NotifyMDM server will be automatically added to the NotifyMDM server, as long as their credentials are recognized by the ActiveSync server. NotifyMDM creates the new account using the ActiveSync user account credentials and the default servers, policy suite, and sync schedule specified for the organization.

To Enable Hands-Off Registration for an ActiveSync Server

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu panel, select ActiveSync Servers.
3. From the table, select an ActiveSync server or create a new ActiveSync server by choosing Add ActiveSync Server.


Registering Multiple Devices to a Single Account

On Exchange, Kerio, and Zimbra servers you can configure a user so that multiple devices can be registered to a single account. For example, a user may have a phone, but also use a companion device, such as a tablet or a second device for foreign travel.

This is accomplished by two methods, depending on what the mail server supports.

• You can create multiple users for the individual on the NotifyMDM server using the various types of login usernames. All the usernames reference the same mail server account, thereby making it possible for the individual to register multiple devices.

Note: One limitation exists in this scenario: when there are users with the same username or same username@domain (in the case of On-Demand or multi-tenant servers). Since the full email address is the only unique identifier for each user, you must enter each user’s full email address in the username field when creating their individual NotifyMDM users. EX: [email protected] and [email protected]. For this reason, these users will not be able to register multiple devices to one account, unless one agrees to change their email address.

• A second method is to create alias email addresses on the mail server that use the same username as the original email address.

Note: On NotifyMDM systems set up for self-registration, the user can only self-register one device. You must manually add the other NotifyMDM user(s) to the system before they register companion device(s).

Exchange

For ActiveSync users on Exchange 2010, 2007, or 2003, you can configure a user so that they may register up to four devices against a single Exchange account. This is accomplished by creating multiple users for the individual on the NotifyMDM server using the various types of usernames that Exchange allows for login. All the usernames reference the same Exchange account, thereby making it possible for the individual to register multiple devices.

Step 1: Create up to three users for the individual on the NotifyMDM server.

User #1 – Enter the user’s Exchange username in the User Name field. Enter the user’s Exchange email address in the E-mail Address field.

User #2 – Enter the user’s Exchange email address (as defined in the Exchange Active Directory) in the User Name field. Enter the user’s Exchange email address in the E-mail Address field.

User #3 – Enter the user’s Exchange username in the User Name field. Enter the Exchange domain name in the Domain field. Enter the user’s Exchange email address in the E-mail Address field.

User #4 – Enter the user’s Exchange username@domain in the User Name field.

User #1: User Name
User #2: Email Address
User #3: User Name and Domain
User #4: Username@domain

Step 2: Instruct the user to install the NotifyMDM device app on each device. They will register one device using the Exchange username and other devices using the Exchange email address, username and domain, or username@domain.

Kerio

For ActiveSync users on Kerio systems, you can configure users so that they may register two devices against one account. This is accomplished by creating two users for the individual on the NotifyMDM server using the various types of usernames that Kerio allows for login. The different usernames reference the same Kerio account, thereby making it possible for the individual to register multiple devices.

Step 2: Create two users for the individual on the NotifyMDM server.

User #1 – Enter the user’s Kerio username in the User Name field. Enter the user’s Kerio email address in the E-mail Address field.

User #2 – Enter the user’s Kerio email address in the User Name field. Enter the user’s Kerio email address in the E-mail Address field.

User #1: User Name
User #2: Email Address

Step 3: Instruct the user to install the NotifyMDM device app on each device. They will register one device against the NotifyMDM server using the Kerio username and the other using the Kerio email address.

Zimbra

For ActiveSync users on Zimbra systems, you can configure users so that they may register multiple devices against one account. The number of companion devices is only limited to the number of aliases you wish to create on the Zimbra server.

Method A: Create two users for the individual on the NotifyMDM server using various types of usernames for login.

Step 1: Create two users for the individual on the NotifyMDM server.

User #1 – Enter the user’s Zimbra username in the User Name field. Enter the user’s Zimbra email address in the E-mail Address field.

User #2 – Enter the user’s Zimbra email address in the User Name field. Enter the user’s Zimbra email address in the E-mail Address field.

Step 2: Instruct the user to install the NotifyMDM device app on each device. They will register one device against the NotifyMDM server using the Zimbra username and the other using the Zimbra email address.

Method B: Create alias email addresses.

Step 1: Create alias email addresses on the Zimbra server that target the original email address. Select Aliases > New

Step 2: Add another user account to the NotifyMDM server. Enter the alias user name in the User Name field and the target account email address (user’s original Zimbra email address) in the E-mail Address field.

User with alias user name


Custom Columns

Administrators can create user information fields that are specific to their organization, but are not part of the NotifyMDM System base installation. These fields can then be viewed in the User Profile and can be displayed as columns in the user list.

There is a limit of ten Custom Columns for each organization. Information for the fields may be one of five types, including an LDAP type field, which will pull information from an LDAP server defined for the organization. The administrator must manually enter values for other field types. The field types are: Text, Dropdown, Numeric, Date, and LDAP.

View of the Custom Columns in the User Profile

Adding Custom Columns

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu, select Custom Columns.
3. Click the Add Custom Column option.
4. Select the Custom Column Type and the Custom Column Name.
5. The Type you select will determine the parameters you define for the field.

Type – Parameters
Text – Maximum length of alphanumeric characters.
Dropdown – Enter the choices that will appear in a dropdown list.
Numeric – Minimum and maximum numeric values.
Date – None
LDAP – LDAP attribute and LDAP server (at least one must be defined for the organization).


Modifying Custom Columns

Custom Columns can be modified after they are defined, but on a limited basis. For example, you cannot change the Type of the column, since this would prevent you from entering correct values in the future. The administrator can modify custom columns in the following ways:

• Change the custom column name
• Add values to a dropdown type
• Decrease minimum values
• Increase maximum values

1. From the NotifyMDM dashboard header, select Organization Management.
2. From the menu, select Custom Columns.
3. Select the column you wish to modify from the left panel and edit the name of the column or other parameters that are editable.
4. Click Save Changes.


User Registration

The NotifyMDM App

The NotifyMDM device application is available for Android, BlackBerry, and iOS 4 users.

Direct users to the NotifyMDM portal for instructions on installing the app. http://notifymdm.notify.net/

Android instructions: http://notifymdm.notify.net/downloads/NotifyMDM%20for%20Android.pdf

BlackBerry instructions: http://notifymdm.notify.net/downloads/NotifyMDM%20for%20BlackBerry.pdf

iOS 4 instructions: http://notifymdm.notify.net/downloads/NotifyMDM%20for%20iOS%20Devices.pdf

Devices without a NotifyMDM App

Devices for which a NotifyMDM device application is not yet available may still register against the NotifyMDM server. The devices must have an ActiveSync application. Devices supported for this type of registration include Symbian S60 3rd edition, webOS, Windows Mobile 6.1/6.5, and Windows Phone 7.

Functionality

Mobile device management functionality for these devices is limited to the ActiveSync security policies supported by the device platform. Device statistics accessible via the NotifyMDM dashboard display limited information. In addition, there is no audit tracking or location data available for these devices.

Device statistics in the Smart Phones/Users view for these devices are limited to:

• User Name
• Domain
• Active
• Policy Suite
• Sync Schedule
• Ownership
• Last ActiveSync Sync
• AS Version
• AS User Agent
• Device Type

Users with Android, BlackBerry, and iOS 4 devices should install the NotifyMDM app. These devices will also be limited to the functionality outlined above without the NotifyMDM app.


| Device platform | Device Type column may display |
| --- | --- |
| Symbian S60, 3rd edition devices | IMEI####### |
| webOS devices | Palm |
| Windows Mobile 6.1/6.5 devices | SP, PPC |
| Windows Phone 7 devices | WP |

For information on policy functionality, see the Device Platform Comparison chart at: http://notifymdm.notify.net/downloads/Device%20Platform%20Functionality.pdf

Instructions for other devices: http://notifymdm.notify.net/downloads/ActiveSync%20Device%20Registration.pdf

NotifyMDM Registration for NotifyLink Users

If you are currently using NotifyLink Enterprise Server and have users that are transitioning to NotifyMDM, the following steps are required:

1. Instruct the user to remove the NotifyLink device client or the NotifyLink (Exchange ActiveSync) account from the device. Instructions are available in each of the device user guides, found at http://notifylink.notify.net/deviceclients.asp.

2. For ActiveSync device users, Clear Registration. Select User Administration > (select the user) > Edit User Device. Click the Clear Registration button.

For users that have been using the NotifyLink device client, remove their NotifyLink account from the NotifyLink server and add them again with an ActiveSync license.


Appendix A: Default Policy Settings

This chart documents the default settings of the entire NotifyMDM Policy Suite for each security level available in the Create New Policy Suite Wizard. It may also be used as a template for planning any customizations to your policy suites. Print two charts - one for planning a policy suite for corporate devices and one for planning a policy suite for personal devices. Select a security level to start with and then mark the rules you wish to customize.

Policy Low Level Moderate Level Strict Level High Level

YES NO VALUE YES NO VALUE YES NO VALUE YES NO VALUE

Application Control

Allow unsigned applications X X X X

Allow unsigned installation packages X X X X

Whitelist (no defaults)

Blacklist (no defaults)

Audit Tracking

Record files on device X X X X

Send file list frequency (in days) 30 14 7 3

Record phone log X X X X

Record text message log X X X X


Record location of device X X X X

Device Control

Allow Bluetooth Allowed Allowed Handsfree only Disabled

Allow browser X X X X

Allow camera X X X X

Allow infrared X X X X

Allow internet sharing from the device X X X X

Allow remote desktop X X X X

Allow SD card X X X X

Allow synchronization from a desktop X X X X

Allow text messaging X X X X

Allow Wi-Fi X X X X

Allow HTML formatted email X X X X

Allow consumer email X X X X

Allow POP/IMAP email X X X X

Maximum email body truncation size (in KB) No Max No Max No Max No Max

Maximum HTML email body truncation size (in KB) No Max No Max No Max No Max

Maximum calendar age for synchronization (All days) (3 months) (3 months) (3 months)

Maximum email age for synchronization (Sync all) (3 weeks) (2 weeks) (1 week)

Require manual sync when roaming X X X X

Security

Require Password X X X X

Enable password recovery X X X X


Require minimum password length X X X X

Minimum password length 4 6 8 8

Require alphanumeric password X X X X

Minimum number of complex characters 1 if enabled 1 2 3

Require device password expiration X X X X

Password expiration in days 30 if enabled 30 30 30

Require device password history X X X X

Number of stored passwords 1 if enabled 5 7 10

Enable password echo X X X X

Begin password echo after attempts 5 if enabled 5 if enabled 5 if enabled 5 if enabled

Require encryption on the device X X X X

Require encryption on the SD card X X X X

Enable duress notification X X X X

Duress notification email Empty Empty Empty Empty

Require max inactivity time device lock X X X X

Max inactivity timeout (in minutes) 60 if enabled 5 1 1

Require device challenge timeout X X X X

Max device challenge timeout 120 if enabled 120 60 30

Enable customizable lock message X X X X

Customizable lock message Empty Empty Empty Empty

Audible alert on lock X X X X

Maximum grace period (in minutes) 5 minutes 1 minute 0 (immediately) 0 (immediately)

Wipe device on failed number of unlock attempts X X X X

Maximum number of unlock attempts 4 if enabled 10 7 5

Enable emergency calls when locked X X X X


Fire phone number 911 911 911 911

Police phone number 911 911 911 911

Other phone number 911 911 911 911

SMIME Settings

Require signed SMIME messages X X X X

Require encrypted SMIME messages X X X X

Require signed SMIME algorithm SHA1 SHA1 SHA1 SHA1

Require encryption SMIME algorithm TDES TDES TDES TDES

Allow SMIME Encryption algorithm negotiation Do not negotiate Do not negotiate Do not negotiate Do not negotiate

Allow SMIME soft certs X X X X

iOS Devices

Allow video conferencing X X X X

Allow voice dialing X X X X

Allow screenshot X X X X

Allow explicit content X X X X

Allow automatic sync when roaming X X X X

Force encrypted backup X X X X

Allow application installation X X X X

Allow in app purchases X X X X

Allow YouTube X X X X

Allow iTunes X X X X

Allow Safari X X X X

Accept cookies Always Always From visited sites Never


Allow JavaScript X X X X

Block popups X X X X

Force fraud warning X X X X

Allow plugins X X X X

Rating region US US US US

Application ratings Allow All Apps 12+ 12+ Don’t Allow Apps

Movie ratings Allow All Movies PG-13 Don’t Allow Movies Don’t Allow Movies

TV show ratings Allow All TV Shows TV-14 Don’t Allow TV Shows Don’t Allow TV Shows
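A planning aid for the Appendix A chart, added here as an example and not part of NotifyMDM or this guide: it starts from one default level, applies the rules marked for customization, and reports which values end up weaker than that level's defaults. Rule names and numbers are copied from the chart's numeric rows; the dictionary layout, the function names and the assumed "stricter" direction of each rule are this example's own, and the script does not talk to the NotifyMDM server.

```python
# Added example: plan Policy Suite customizations against the Appendix A chart.
LEVELS = ("Low", "Moderate", "Strict", "High")

# rule -> (chart values for Low, Moderate, Strict, High; which direction is stricter).
# Values are copied from the chart; the chart marks several Low values "if enabled".
# The "stricter" direction is an assumption of this example, not stated in the guide.
CHART = {
    "Send file list frequency (in days)": ((30, 14, 7, 3), "lower"),
    "Minimum password length": ((4, 6, 8, 8), "higher"),
    "Minimum number of complex characters": ((1, 1, 2, 3), "higher"),
    "Number of stored passwords": ((1, 5, 7, 10), "higher"),
    "Max inactivity timeout (in minutes)": ((60, 5, 1, 1), "lower"),
    "Max device challenge timeout": ((120, 120, 60, 30), "lower"),
    "Maximum grace period (in minutes)": ((5, 1, 0, 0), "lower"),
}

def customize(level, overrides):
    """Start from a default level and apply the rules marked for customization."""
    unknown = set(overrides) - set(CHART)
    if unknown:
        raise KeyError(f"not a charted numeric rule: {sorted(unknown)}")
    idx = LEVELS.index(level)
    suite = {rule: values[idx] for rule, (values, _) in CHART.items()}
    suite.update(overrides)
    return suite

def weaker_rules(suite, level):
    """Return (rule, planned, default) for each rule weaker than the level default."""
    idx = LEVELS.index(level)
    findings = []
    for rule, (values, stricter) in CHART.items():
        planned, default = suite[rule], values[idx]
        weaker = planned < default if stricter == "higher" else planned > default
        if weaker:
            findings.append((rule, planned, default))
    return findings

def strictest_level_met(suite):
    """Highest default level whose charted values the suite meets, else None."""
    met = [level for level in LEVELS if not weaker_rules(suite, level)]
    return met[-1] if met else None

if __name__ == "__main__":
    # Constructed planning input: start at Strict, relax two rules, tighten one.
    plan = customize("Strict", {"Minimum password length": 6,
                                "Max inactivity timeout (in minutes)": 5,
                                "Number of stored passwords": 10})
    for rule, planned, default in weaker_rules(plan, "Strict"):
        print(f"weaker than Strict default: {rule}: {planned} (default {default})")
    print("strictest default level still met:", strictest_level_met(plan))
```
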
