Using Devices. Chapter 3

(1)

26 26 26 26 Chapter 3

Using Devic

Using Devices

es

The Devices page lists all the devices you have enrolled in the Centrify identity platform and lets you send commands to the devices.

Device related tasks that you can perform on the Centrify user portal are:

"Adding a device" on page 3-27

"Viewing your device information" on page 3-31 "Using the primary device" on page 3-33 "Sending commands to devices" on page 3-34

The Devices page is blank until you enroll a device.

(2)

Adding a device

Chapter 3 Chapter 3 Chapter 3

Chapter 3 • Using Devices 27272727

Adding a

Adding a device

device

You add a device by installing the Centrify application on the device and then use this application to enroll the device in the identity platform. After you enroll the device, it is listed on the user portal Devices page and remains enrolled until you or your IT

administrator unenrolls it. Keep the following in mind:

You may have a limit on the number and types of devices you can add. Your IT

administrator can set a policy that, for example, limits you to adding 2 devices only and does not allow you to add an iOS device. Contact your IT administrator for the details.

If you enroll multiple devices, the first device is designated as the primary device.

Designating the primary device is important when you use the Mobile Authenticator for multifactor authentication. See "Using multi factor authentication" on page 1-3 for the details on Mobile Authenticator and multifactor authentication. See "Using the primary device" on page 3-33 for the details on the primary device.

If you are enrolling an iOS device that was assigned to the Apple Device Enrollment

Program, go to "Using Apple device enrollment" on page 3-30 to install the Centrify application.

Installing the

Installing the Centrify application

Centrify application

The easiest way to install the Centrify application to you device is to click Add Devices on the Devices page and then select a method.

You can install the Centrify application using the following methods:

Send a SMS text message to the device. The text message contains a link you tap to

proceed—see "Using a text message" on page 3-28.

Send an email to the device. The email message contains a link you tap to proceed—see

"Using an email message" on page 3-28.

Use the camera on your device and a QR code reader application—see "Using the QR

code" on page 3-29 for the details.

The Google Play and App Store links are provided if you want to review the application description in the catalog before installing it on the device. You can also use them to download the application. You must have an Google Play or Apple App Store account to use these options.

Notes Notes Notes Notes

If you have a Samsung KNOX device that has the Universal MDM Client (UMC), you

(3)

Adding a device

User portal user’s guide 28282828

An iOS device must have iOS version 6 or later and an Android device must have

Android 2.3.4 or later.

If you are enrolling an OS X-based computer, you do not install the Centrify application.

Go to "To enroll an OS X device:" on page 8-90 for the procedure.

Using a

Using a text message

text message

You can send a text message to the device to download the Centrify application to your device and then install it from the Downloads the folder.

To initiate device enrollment using a text message:

1111 Open the user portal, click Devices, and Add Devices. This opens the Add Devices pop up window.

2222 In the Send SMS area, confirm the phone number then click Send. The text message is sent.

3333 On the device, open the text message.

4444 Tap the link in the message.

5555 Authorize application download.

On an Android device, tap OK to allow download of the file. This downloads the application file to your Downloads folder.

On an iOS device, tap Open to open the application page in the Apple App Store and tap

Install. This downloads and installs the application on your home screen. Skip the next

step and go to “Enrolling an iOS device” on page 74 to complete enrollment.

6666 Android devices only: Open the Downloads folder on the device and tap the Centrify application file just downloaded.

This initiates application installation. Go to "Enrolling an Android device" on page 6-47 to complete enrollment.

Using an

Using an email message

email message

You can send an email to the device to download the Centrify application to your device and then install it from the Downloads folder.

To initiate device enrollment using an email message:

(4)

Adding a device

2222 In the Send email to devices area, confirm the email address then click Send. The email is sent.

3333 On the device, open the email application.

4444 Tap the message.

On an Android device, tap OK to allow download of the file. This downloads the application file to your Downloads folder.

On an iOS device, tap Open to open the application page in the Apple App Store and tap

Install. This downloads and installs the application on your home screen. Skip the next

step and go to “Enrolling an iOS device” on page 74 to complete enrollment.

This initiates application installation. Go to "Enrolling an Android device" on page 6-47 to complete enrollment.

Using the

Using the QR code

QR code

You must have a QR code reader application to download the Centrify application using the QR code.

Many devices come equipped with a QR code reader application. If your device does not have one by default, there are many free apps you can install from Google Play or the Apple Apps Store.

To install the Centrify application by using the QR code:

1111 Open the user portal, click the Devices page, and click Add Devices.

2222 On the device, use the camera to scan the QR code.

On an Android device, tap Go to Website and then tap OK to allow download of the file. This downloads the application file to your Downloads folder.

On an iOS device, tap Install. This downloads and installs the application on your home screen. Skip the next step and go to "Enrolling an iOS device" on page 7-76 to complete the enrollment phase.

(5)

Adding a device

Using

Using Apple device enrollment

Apple device enrollment

The Apple Device Enrollment Program is a service provided by Apple. It is designed to help businesses and education institutions easily deploy and manage iPads, iPhones, and Macs. It provides a fast, streamlined way to deploy company owned iPad and iPhone devices and Mac computers that your IT department purchased directly from Apple.

If you have a device assigned to the Apple Device Enrollment Program (DEP) enrolling the device is a two-part process:

First, you enroll the device in the Apple DEP program.

Second, you use the Centrify application to enroll the device in the Centrify identity

platform.

The first procedure depends upon how your IT department configured the device. However, it does have the following basic steps:

1111 Set up the device communications.

The device will need to connect to the Apple server. Your IT department will provide the information you need.

2222 Enter your login user name and password.

This may be the user name and password you use to log in to your network or another set of credentials. Your IT department will provide these to you too.

3333 Perform the initial configuration tasks.

These vary depending upon your organization’s security policies and can include prompts, for example, to setup a passcode, enable or disable location tracking, or set up Siri.

(6)

Viewing your device information

Viewing your

Viewing your device information

device information

When you open the Devices tab, the screen lists all of the devices that you have enrolled in the Centrify identity platform, including devices that have been unenrolled.

The listings indicate which device is the Primary and the status of each device. A device can have the following statuses:

Enrolled: The device is enrolled and in communication with the identity platform. Unenrolled: The device was enrolled at one time but has since been unenrolled from the

identity platform.

Unreachable: The device has not communicated with the identity platform for a period

of time. That period of time is set by your IT administrator.

Enrolling: The device is in the process of enrolling with the identity platform. This is

typically a short-term state.

The map shows the location of all the devices you have at one time been enrolled. For unreachable devices, the map shows the last known location. Click on the device’s arrow to center the focus on that device.

The map device locations are only shown if your organization is using the Centrify identity platform for mobile device management and you have enabled device tracking on the device and in the Centrify user portal.

By default, location tracking is enabled in the Centrify user portal. To configure location tracking, see "Disabling device location tracking" on page 1-6.

In the Centrify application on iOS devices, location tracking uses the significant-change location service which, unlike the GPS location tracking, is very battery friendly. It is not perpetually trying to determine the device location. Note that the Apple Location icon does not differentiate between the different types of location services.

Similarly, the Centrify application for Android is configured for low power consumption. Open Location in the device Settings to see the battery use for the Centrify application. If the location does not seem correct, click the Find Now button to ensure that you have the most recent GPS location data. You may need to reload the browser page to display a location change.

Using the device

Using the device details pages

details pages

Click a device to display device-specific information.

The Overview page shows the last-updated location of the device and current battery and storage levels. You can scroll down for network and operating system details.

Click the Actions button to send a command to the device—see "Sending commands to devices" on page 3-34.

(7)

Viewing your device information

Overview: Last-updated location, current batter and storage levels, and network and

OS details.

Details: The full details about the device, operating system, and carrier and network. Device Applications: Shows the applications that are targeted for this device, the

application version, the installation type (automatic or optional), and the application statuses (Installed or Not Installed). You can export the information to CSV and Excel

(8)

Using the primary device

Using the

Using the primary device

primary device

If you enroll multiple devices, the first one you enroll is designated as the primary device. If you unenroll the primary device, the second device you enrolled automatically becomes the primary. As long as you have a device enrolled, at least one of them is the primary.

The primary device is the device you must use with the Mobile Authenticator for

multifactor authentication (see "Using multi factor authentication" on page 1-3). When you choose Mobile Authenticator as the secondary form of authentication for access to the user portal, you use the Centrify application on the primary device to display the authentication code.

Note Note Note

Note You cannot use an OS X device as a primary device.

To change the primary device:

1111 Open the user portal and select Devices.

2222 Right click the device listing in the left pane for the device you want designated as the primary.

3333 Click Set As Primary Device.

(9)

Sending commands to devices

Sending

Sending commands to devices

commands to devices

The Centrify identity platform provides self-service commands you can send to the device. Send commands by doing one of the following in the Centrify user portal:

Right-click the device in the Devices screen.

The Centrify user portal displays a drop-down list with the commands.

Open the device details page and click the Actions button.

The pop-up menu lists the commands available for this device. The available commands depend upon the following:

Whether your organization is using the Centrify identity platform for mobile device

management.

The type of device you have enrolled.

The device policies that your IT administrator has enabled for you.

The following table lists all of the Centrify identity platform commands for all devices. If the command is not displayed in the pop up menu, it is not available for that device.

Command Command Command

Command PurposePurposePurposePurpose

Delete Remove the device listing.

If you are using the Centrify identity platform for device management, this command is available only for unreachable and unenrolled devices. When the device is enrolled, this command is not displayed.

Deleting a device does not remove the Centrify application or mobile applications that you installed using the Centrify application. If you try to open the Centrify application after deleting the device, it prompts you to enter your login credentials to enroll the device again. Update Policies Update your device with the latest mobile device policies.

Reset Password Reset the passcode that opens the device. Use this command to create a new passcode if you have forgotten it.

Notes: Notes: Notes: Notes:

• The use of this command is controlled by your IT administrator. This command may not be available to you.

• This command cannot be used to override a remote lock and is not available for OS X devices.

(10)

Lock Screen Lock the mobile device screen so a user cannot access it (for example, if you fear another person has your phone). Remote lock is identical to locking it manually on the device. You unlock the device by entering the passcode.

For OS X users only For OS X users only For OS X users only For OS X users only

The Lock Screen command only works when the current OS X version has a recovery partition. When you issue the Lock Screen command to an OS X device, a pop up window is displayed by Centrify application prompting you to enter a 6-digit PIN code, and the computer is rebooted. Create a code that is all numbers, no alphabetic or special characters can be used. After the reboot, you are prompted on the computer to enter the PIN. This unlocks the computer.

Wipe Device Remove all user data and restore the device to its shipping default state.

Note:Note:Note:Note: The use of this command is controlled by your IT administrator. This command may not be available to you.

For OS X users only

The Wipe Device command only works when the current OS X version has a recovery partition.

When you issue the Wipe Device command to an OS X device, a pop up window is displayed by Centrify application prompting you to enter a 6-digit PIN code, and the computer is rebooted. Create a code that is all numbers, no alphabetic or special characters can be used. After the reboot, you are prompted on the computer to enter the PIN. This unlocks the computer, performs another reboot, and displays the OS install screen.

Unenroll Device Remove all mobile device policies from the device and change the state to Unenrolled. To use the Centrify identity platform again, you must re-enroll the device.

Note: Note: Note:

Note: The use of this command is controlled by your IT administrator. This command may not be available to you.

Lock Client App Locks the Centrify application on the device.

This command is only available on iOS and Android devices. Reset Client App

Resets the passcode for the Centrify application on the device. This command is useful when you forget your passcode.

This command is only available on iOS and Android devices.

Disable SSO Disable single sign-on (SSO) for web applications listed in the Centrify application and, on KNOX Workspace devices, in Centrify for KNOX and the mobile applications that use the Samsung KNOX SSO service.

You would use this command, for example, if your device is lost or stolen to prevent someone else from logging in to your applications.

After this command is sent, an error message is displayed on the device to indicate that single sign-on is not available. The user cannot log in to any application that requires authentication until single sign-on is enabled again.

Enable SSO Enable single sign-on (SSO) for the web applications listed in the Centrify application and, for KNOX Workspace devices, mobile applications that use the Samsung KNOX SSO service. By default, SSO is turned on. You would only need to use this command if you had previously used the Disable SSO to turn off single sign-on.

(11)

Samsung KNOX Samsung KNOX Samsung KNOX

Samsung KNOX device commandsdevice commandsdevice commandsdevice commands

The following commands are only displayed if you are using a Samsung KNOX device and the licenses are valid.

Command PurposePurposePurposePurpose All Samsumg KNOX devices All Samsumg KNOX devices All Samsumg KNOX devices All Samsumg KNOX devices Force Password

change

Force a device password change. The first prompt requires you to enter your current password before creating a replacement. If you do not know your password, use the Reset Passcode command instead.

Device Lockout Lock down the device.

This command lets you define a passcode that must be entered to unlock the device. In addition, the command lets you specify a lockout message that is displayed on the device.

Power off Device Turn off the device.

Reboot Device Force the device to reboot.

Reset Call Counts Reset the call counts. Reset Data Usage

Count

Reset the count of cellular data network bytes received and sent. Samsung KNOX Workspace devices only

Samsung KNOX Workspace devices only Samsung KNOX Workspace devices only Samsung KNOX Workspace devices only

Remove container Delete the container.

Note: All applications in the container are uninstalled and all data in the container are erased. Lock Container Lock the container. The container cannot be opened after receiving the Disable Container

command until the device receives a Enable Container command.

Unlock Container Unlock the container. A container locked with the Disable Container command cannot be opened until the device receives the Enable Container command.

Re-authenticate SSO

Prompt you to enter your credentials the next time you open a mobile application that uses the Samsung KNOX container’s single sign-on feature (not all mobile applications installed in the container use this feature).

Reset Container Password