Centrify Cloud Management Suite


Installation and Configuration Guide

April 2013


Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2013 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.


Contents

About this guide
Intended audience
Guide conventions
Where to go for more information
Contacting Centrify Corporation

Chapter 1 An Overview of Centrify for SaaS and Centrify for Mobile
How Centrify for SaaS and Centrify for Mobile work
What you install on your internal network
What you install on your mobile devices
Your tools for managing Centrify for SaaS and Centrify for Mobile
The process of deploying an application
Configuring Single Sign-On (SSO)
User account mapping options
Application types
SAML SSO options

Chapter 2 Installing and configuring the Centrify Cloud Management Suite
Requirements
Supported web browsers
Required Active Directory permissions
Exchange server requirements
Re-enrolling devices using different customer IDs
Installing the Centrify Cloud Management Suite in your network
Configuring the Cloud Proxy Server
Configuring Centrify for Mobile
Completing the Cloud Proxy Server Configuration Wizard
Upgrading your proxy server
Automatically updating your proxy server
Installing and configuring additional proxy servers

Chapter 3 Configuring the cloud proxy server
About the Centrify cloud proxy server and configuration application
Status tab
Proxy Server tab
Mobile Settings tab
Enrollment authorization
Group policy polling
Management authorization
The Alerts tab
Logging tab

Chapter 4 Setting security group policies
The mobile device group policies overview
Using the Basic Mobile Settings
Using the OS X Settings
Using the Samsung KNOX Settings
Using the Samsung SAFE Settings
Using Touchdown Settings
Enabling policies
Configuring Exchange ActiveSync Settings profiles
Configuring VPN settings profiles
Configuring Wi-Fi Settings
Creating a KNOX container

Appendix A Multiple proxy installation scenario
Installing and configuring multiple installations for one account

Appendix B Uninstalling the Centrify Cloud Management Suite

Appendix C Configuring silent authentication
Configuring silent authentication for Centrify for SaaS (an overview)
Configuring Firefox to allow silent authentication
Configuring Internet Explorer security zones
Enabling Integrated Windows Authentication
Adding a web site to the local intranet security zone
Configuring Google Chrome on Windows for silent authentication


About this guide

Centrify for Mobile and Centrify for SaaS provide the tools for you to centrally secure and manage web applications and mobile devices using your existing Active Directory infrastructure. With both products, you install the Centrify Cloud Management Suite in your domain to manage communication between your Active Directory data and Centrify Cloud Services. You can use your existing Active Directory information to control and authorize user access to web applications and mobile devices.

Intended audience

This guide contains information for system and network administrators who are responsible for managing access to network resources, particularly access to web applications or access from outside mobile devices.

It is assumed that you know the basics of using Microsoft’s Active Directory and applying group policies. Active Directory is the core of authentication and authorization through Centrify for Mobile and Centrify for SaaS. If you’re using Centrify for Mobile, it is also assumed that you know the basics of mobile device operation, although not much more is necessary than using a web browser and setting controls.

Guide conventions

This guide uses the following conventions:

• Fixed-width font presents sample code, program names or output, file names, and commands that you type at the command line. When italicized, the fixed-width font indicates variables.
• Bold text emphasizes commands, buttons, or user interface text, and introduces new terms.
• Italics present book titles and emphasize specific words or terms.
• Terms enclosed in [braces] in command syntax are optional.

Where to go for more information

• Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.

• The Centrify Cloud Management Suite Installation and Configuration Guide provides information related to installing the Centrify Cloud Management Suite, which includes the Centrify cloud proxy server and other components. This guide also provides details for configuring the Centrify cloud proxy server.

• The Centrify for Mobile Evaluation Guide provides the information needed to install the Centrify Cloud Management Suite, enroll some mobile devices, configure some group policies for those devices, and work with the mobile features in the Centrify Cloud Manager and MyCentrify user portal.

• The Centrify for SaaS Evaluation Guide provides the information needed to install the Centrify Cloud Management Suite, add and deploy a SaaS application, and work with Centrify Cloud Manager and MyCentrify user portal.

• The Cloud Manager online help provides task-oriented information for administrators who need to modify applications, manage roles and users, and configure settings in the Cloud Manager. To open this help, click Help from the user name menu in the Cloud Manager.

• The Cloud Manager Application Configuration help provides specific details for configuring each kind of application that Centrify provides—individual SaaS applications for SSO, user-password applications, and mobile applications. To open this help, click the Help link from an application in the App Catalog or an Application Settings dialog box.

• The MyCentrify help provides task-oriented information for users to navigate and launch their deployed applications, view their activity, manage their own mobile devices, and specify some Active Directory settings. To open this help, click Help from the user name menu in the MyCentrify user portal.

In addition, you can find the answers to common questions, ask new questions, or get best practice guidance by visiting the Centrify Express community site.

Contacting Centrify Corporation

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation, visit our website at www.centrify.com. From the website you can get the latest news and information about products, support, services, upcoming events, investor relations, and sales.

For information about purchasing or evaluating Centrify products, send email to


Chapter 1

An Overview of Centrify for SaaS and Centrify for Mobile

Centrify for SaaS addresses password sprawl by providing single sign-on while also giving organizations centralized control over access to ever-increasing numbers of SaaS applications. Your users will not only love the single sign-on but also self-service features that let them locate, lock, or wipe their mobile devices and also reset their Active Directory passwords. You will love the easy-to-deploy cloud-based service that delivers access control and visibility to SaaS application usage in addition to seamless integration to Microsoft Active Directory. Centrify for SaaS decreases the cost of rolling out and managing SaaS applications while at the same time improving user adoption, satisfaction, and productivity.

Centrify for Mobile is Centrify’s easy-to-deploy, cloud-based service that lets you centrally secure and manage smart phones and tablets using your existing Active Directory infrastructure. Centrify for Mobile uses familiar Group Policy tools together with the Centrify cloud service to enforce security settings over a trusted, over-the-air connection and to provide secure access to corporate network services.

You can install the Centrify Cloud Management Suite on a computer in your network in a matter of minutes. After a few more minutes of configuring and setting up security policies, device owners can start enrolling mobile devices. After device owners enroll their devices, they can start using your network resources under the full security of Active Directory and Centrify.

How Centrify for SaaS and Centrify for Mobile work

With Centrify for SaaS and Centrify for Mobile, you use Microsoft Active Directory to centrally manage policies and access to web and mobile applications from mobile devices and computers. Centrify is a complete solution for mobile security and single sign-on that is delivered by the Centrify cloud service. Your users launch applications from the MyCentrify user portal on their computer and also from the MyCentrify application on their mobile devices. Centrify authenticates users and grants them access to applications based on roles, which are comprised of your Active Directory users and groups.


The Centrify cloud proxy server seamlessly leverages and extends your Active Directory investment to SaaS and mobile devices by way of the Centrify Cloud Service. The Centrify cloud proxy server is a simple Windows service that runs behind your firewall and provides real-time authentication, policy, and access to user profiles without synchronizing your organization’s data to the cloud. You maintain control of your valuable Active Directory data while providing a common-sense user experience to your users. When you install the Centrify Cloud Management Suite, you install the cloud proxy server, Active Directory extensions, and group policies for mobile device management.

The Centrify Cloud Manager is a web interface that saves you time and hassle when it comes to managing mobile devices and access to web and mobile applications. The Centrify Cloud Manager provides you a single, clear tool to administer mobile access and SSO, mobile devices, and user profile changes. Also, you can report and monitor all SaaS and mobile activity with one tool. Not only does this improve security and compliance in your organization through improved visibility, but also reduces administrative complexity by reducing the number of solutions with different monitoring and reporting interfaces or integrations. You the administrator can quickly audit all administrative and user activities. In MyCentrify user portal, your users click a simple link to a mobile or SaaS application and the Centrify cloud service logs the users in to the application. MyCentrify provides multiple self-service options for users to update their Active Directory profiles and remotely administer their mobile devices.


Here’s how the main components in the Centrify for SaaS architecture work together:

The Centrify cloud proxy server is a simple Windows service that runs behind your firewall and provides real-time authentication, policy, and access to user profiles without synchronizing your organization’s data to the cloud.


Here’s how the main components in the Centrify for Mobile architecture work together:

What you install on your internal network

You install the Centrify Cloud Management Suite in your network, and this installs the following items for Centrify for SaaS and Centrify for Mobile in your internal network:

• Centrify cloud proxy server
• Cloud Proxy Server configuration application
• Active Directory Users and Computers extension for Centrify for Mobile
• Mobile Group Policy Management console extension for Centrify for Mobile


The Centrify Cloud Proxy Server Configuration application provides a user interface that configures the Centrify cloud proxy server.

The Centrify mobile ADUC extension, an Active Directory Users and Computers (ADUC) snap-in that displays mobile-specific device properties for mobile devices and provides mobile device management commands.

The Centrify mobile group policy extension, a Group Policy Management Editor (GPME) extension that offers mobile-specific policies when creating group policies for mobile devices.

After you have installed the above components, you’re ready to access the Cloud Manager.

What you install on your mobile devices

The Centrify mobile components that are installed on a mobile device are as follows:

Centrify configuration profiles, profiles installed on mobile devices that define your organization’s security policies on enrolled devices and give the devices access to your internal network resources.

The Centrify cloud service implements Active Directory group policies as configuration profiles that will work on mobile devices and then installs the profiles on enrolled devices.

Android device owners install the Centrify MobileManager application from Google Play. This application connects the user to the Centrify cloud service so that user can enroll the device and use the application to access deployed applications.

iOS device owners install the Centrify MobileManager application from the iOS store to connect and enroll their device with the Centrify cloud service. iOS device owners separately install the MyCentrify mobile application to access deployed applications.

You can customize the Centrify MobileManager application with your organization’s logo and specific enrollment instructions. The application authenticates the device owner through your network’s Active Directory service and then enrolls the device.

After the mobile device is enrolled, the Centrify MobileManager application downloads the Centrify configuration profiles to the enrolled device. The MobileManager application handles notifications from the Centrify cloud service and enforces the security policies defined by the configuration profiles. The MobileManager gives a device owner information about enrollment and also allows the device owner to unenroll the device by removing the Centrify configuration profiles.

Your tools for managing Centrify for SaaS and Centrify for Mobile

• Centrify Cloud Proxy Server Configuration application
• Cloud Manager
• Centrify group policies for Centrify for Mobile

The Cloud Proxy Server connects to your existing Active Directory forest. Continue to use Active Directory to create users and groups.

Your users log in to MyCentrify User portal to access their apps, Active Directory account settings, and mobile devices (if you’ve also implemented Centrify for Mobile).

Here’s what the Cloud Proxy Server Configuration application looks like:

To open the Cloud Manager, open the following URL in your web browser: https://cloud.centrify.com/manage

Use the Status tab to see the status of your cloud proxy server, your Centrify Customer ID and account information, and its connection to the Centrify cloud service.

Use the Proxy Server tab to do the following:
* Configure how often the cloud proxy server updates settings from the Centrify cloud service
* Configure how often the cloud proxy server checks for user account updates in Active Directory
* Restart the cloud proxy server, if needed
* Specify auto-update
* Specify web proxy settings, if needed

Use the Logging tab to generate a log file for troubleshooting and specify its location.

Use the Mobile Settings tab to manage who has permission to enroll and manage devices.


Here’s what you use the Centrify Cloud Manager for:

Use the Cloud Manager to...
• Deploy and configure applications
• Assign roles to web applications to control user access
• Create or edit roles as needed; assign users and groups from your Active Directory infrastructure
• Monitor user and application activity
• Manage and monitor devices and device

The process of deploying an application

Deploying single sign-on access to an application is straightforward. Below is a brief overview of the process.

To deploy a web application (an overview) in the Centrify Cloud Manager:

1 In the Cloud Manager Apps page, add the application from the Centrify App catalog. Notice that the application is added to the Apps page in the Ready to deploy state.

2 Modify the application to configure the application settings. Depending on the type of application, the application settings may include the following:

• Application name, description, or icon
• Login URL
• User Account mapping. The choices are:
* Active Directory field supplies the user name
* Everyone shares the same user name
* Prompt the user for the user name (first log in only)
* Use a script to generate the user account login name
• If the web application uses SAML for single sign-on purposes, there are some additional configuration options to specify.

Centrify provides step-by-step instructions for configuring SaaS applications in our catalog. Click the Help link in the Application Settings dialog box or the Centrify App Catalog.

3 Assign one or more roles to the application to control who can access the application. For each role, you can deploy an application as automatic or optional. An automatic install makes the application appear in the users’ MyCentrify user portal by default. An optional install makes the application available to be added by each user.

Note Use the Roles page to create or modify roles. Assign Active Directory users and groups to roles as needed.

After you assign roles to the application, the application state changes to deployed and the assigned users can access the application.

Configuring Single Sign-On (SSO)

When you deploy an application, you configure how Centrify grants access to that application for your users. You have some options for how you provide your users single sign-on access to SaaS applications.

User account mapping options

Your first choice involves how your Active Directory accounts are mapped to the application user accounts. Depending on the application, you have the following options:

Use an Active Directory field: Use this option if the user accounts are based on Active Directory user names. Specify an Active Directory field such as mail or userPrincipalName.

Everyone shares the same user name and password: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

User provides the user name and password: Use this option if the application


information so that your user doesn’t have to try to remember it or store it in a non-secure location.

Login script: You can customize the user account mapping here by supplying a custom script to generate the user account login name. For example, you could use the following line as a script:

return LoginUser.Get('mail')+'.ad';

The above script instructs the Cloud Manager to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the Cloud Manager uses [email protected].
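An added example, not taken from the Centrify guide: the one-line script concatenates whatever LoginUser.Get('mail') returns, so an account with no mail attribute would still be mapped to a login name. The sketch below runs the guide's script and a stricter variant against a stand-in LoginUser object; makeLoginUser, strictScript, tryMap, the sample attribute values and the assumption that a missing attribute comes back as null are all hypothetical, and the real script environment may behave differently.

```javascript
// Stand-in for the LoginUser object that the Cloud Manager hands to a login
// script. Only Get(attributeName) appears in the guide; this mock, and its
// choice to return null for a missing attribute, are assumptions.
function makeLoginUser(attributes) {
  return {
    Get: function (name) {
      return Object.prototype.hasOwnProperty.call(attributes, name)
        ? attributes[name]
        : null;
    },
  };
}

// The script from the guide, wrapped in a function so it can be called here.
function guideScript(LoginUser) {
  return LoginUser.Get('mail') + '.ad';
}

// Stricter variant (hypothetical): refuse to produce a login name unless the
// attribute is a single, plausible mailbox address.
function strictScript(LoginUser) {
  var mail = LoginUser.Get('mail');
  if (typeof mail !== 'string') {
    throw new Error('mail attribute is missing');
  }
  mail = mail.trim();
  // Exactly one "@", a dotted domain, and no whitespace anywhere.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(mail)) {
    throw new Error('mail attribute is not a usable address');
  }
  return mail + '.ad';
}

// Run a script against constructed attributes and report the outcome instead
// of letting an exception escape, so both variants can be compared.
function tryMap(script, attributes) {
  try {
    return { ok: true, login: script(makeLoginUser(attributes)) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample accounts (not real users).
var sampleAccounts = [
  { mail: 'jdoe@example.com' },                 // normal case
  {},                                           // mail attribute not set
  { mail: 'jdoe@example.com, ops@example.com' } // two addresses in one field
];

function compareScripts() {
  return sampleAccounts.map(function (attrs) {
    return {
      guide: tryMap(guideScript, attrs),
      strict: tryMap(strictScript, attrs),
    };
  });
}
```

With the mock, the guide's script maps the account without a mail attribute to the literal name null.ad, while the stricter variant fails the mapping so the gap shows up as an error rather than as a shared, meaningless login name.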

Application types

There are also different kinds of applications that you can add and deploy to your users. The Centrify App Catalog lists the name and application type for each application.

Web application with user name and password authentication

Some web applications are configured for user name and password authentication only. Use this option if either the application only supports user name and password authentication or if you don’t want to configure the application for SAML SSO at this time.

Web application with SAML authentication

Use this option if your application account has SAML SSO as an option and you want to configure the application to use SAML SSO.

Bookmark application

The MyCentrify user portal provides only a link to the URL of the application but doesn’t provide any login authentication mechanism. You can use a bookmark application to provide a convenient link to an internal application available to your users. Add the Generic Bookmark application to your list of applications, and then configure the application with the desired application URL.

Mobile application

Mobile applications are available with Centrify for Mobile.

SAML SSO options

For applications that support SAML authentication, you also have some options to choose. Different applications provide different authentication options. The main choices are:


The Identity Provider (IdP) is a service such as the Centrify Cloud which provides a way to authenticate users securely. A Service Provider (SP) is the provider of the web application, such as Salesforce, Office365, Google Apps; the service provider uses the SAML tokens produced by the IdP.

The following diagram illustrates the main differences between IdP-initiated and SP-initiated SAML SSO.

Centrify for SaaS works with both IdP-initiated and SP-initiated SAML SSO.
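An added example, not part of the Centrify guide, showing how a service provider can tell the two flows apart: in SAML 2.0 a response to an SP-initiated request carries an InResponseTo value equal to the ID of the AuthnRequest the SP sent, while an IdP-initiated (unsolicited) response carries none. The function names, option names and message objects are hypothetical, the IDs and clock values are constructed, and signature, audience and validity checks are left out.

```javascript
// SP-side bookkeeping for the two SAML SSO flows. Messages are plain objects
// standing in for parsed, already signature-verified SAML XML (assumption).
function createServiceProvider(options) {
  var pending = new Map();                 // AuthnRequest ID -> expiry (ms)
  var ttlMs = options.requestTtlMs;
  var allowIdpInitiated = options.allowIdpInitiated;

  return {
    // SP-initiated flow: the user reached the application first, so the SP
    // issues an AuthnRequest and remembers its ID. A real SP generates the
    // ID from a CSPRNG; here the caller supplies a constructed value.
    sendAuthnRequest: function (requestId, now) {
      pending.set(requestId, now + ttlMs);
      return { type: 'AuthnRequest', ID: requestId };
    },

    // Classify an incoming Response and decide whether to accept it.
    receiveResponse: function (response, now) {
      var inResponseTo = response.InResponseTo;

      // No InResponseTo: the IdP started the exchange (IdP-initiated).
      if (inResponseTo === undefined || inResponseTo === null) {
        return allowIdpInitiated
          ? { accepted: true, flow: 'IdP-initiated' }
          : { accepted: false, reason: 'unsolicited response not allowed' };
      }

      // InResponseTo present: it must match a request this SP actually sent.
      if (!pending.has(inResponseTo)) {
        return { accepted: false,
                 reason: 'InResponseTo matches no outstanding request' };
      }
      var expiry = pending.get(inResponseTo);
      pending.delete(inResponseTo);        // each request ID is single-use
      if (now > expiry) {
        return { accepted: false, reason: 'request expired' };
      }
      return { accepted: true, flow: 'SP-initiated' };
    },
  };
}

// Walk through both flows with constructed messages.
function runSampleExchange() {
  var sp = createServiceProvider({
    requestTtlMs: 5 * 60 * 1000,
    allowIdpInitiated: true,
  });
  var t0 = 1000000;                                  // constructed clock
  var request = sp.sendAuthnRequest('_req-0001', t0); // constructed ID
  var answer = { type: 'Response', InResponseTo: request.ID };

  var spInitiated = sp.receiveResponse(answer, t0 + 2000);
  var replayed = sp.receiveResponse(answer, t0 + 3000);
  var idpInitiated = sp.receiveResponse({ type: 'Response' }, t0 + 4000);
  var unknown = sp.receiveResponse(
    { type: 'Response', InResponseTo: '_req-9999' }, t0 + 5000);

  return {
    spInitiated: spInitiated,
    replayed: replayed,
    idpInitiated: idpInitiated,
    unknown: unknown,
  };
}
```

An SP configured with allowIdpInitiated set to false rejects every unsolicited response, which is the stricter choice when an application is used only through the SP-initiated flow.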

If your application provider offers both IdP-initiated and SP-initiated, choose which one you want to use and configure your application accordingly. Here are some things to consider:

• In most cases, if you use IdP-initiated SAML SSO, your users can still access the application directly using their user name and password.

• If you use SP-initiated SAML SSO, your users are redirected to the MyCentrify user


Chapter 2

Installing and configuring the Centrify Cloud Management Suite

Setting up your internal network to work with Centrify for SaaS or Centrify for Mobile or both is straightforward. You first use an installer to install the Centrify Cloud Management Suite on a host computer in your network. Once you install the cloud proxy server, you set the server to connect to Centrify cloud services.

Requirements

To install and configure Centrify for SaaS or Centrify for Mobile, you need the following items:

Item: Centrify customer account with access to the Centrify customer support portal.
Description: You’ll use this account to register and enable your Centrify cloud proxy server during installation. If you don’t already have an account, you can sign up for one at www.centrify.com. Click the “Sign Up” link at the top of the web page and follow the directions.

Item: Centrify Cloud Management Suite installer
Description: This program installs on-premise components in your internal network. The installer file is included in your evaluation download.

Item: host computer
Description: You install the Centrify Cloud Management Suite on this computer so that you can connect your Active Directory service to the Centrify cloud service. This computer in your internal network needs to meet or exceed the following requirements:
• Windows Server 2008 R2 (64-bit) or Windows 7 (32-bit or 64-bit)
• Joined to the domain in which you want to grant users access to web applications
• Internet access
• Be a server machine that is always running and accessible
• Microsoft .NET version 4.0 or later; if it isn’t already installed, the Centrify installer installs it for you.

Item: user account with administrative access to an Active Directory in your network
Description: The user account that installs the Centrify Cloud Management Suite must have “Modify Permissions” ability. Centrify adds this user automatically to the sysadmin role in the Cloud Manager.

Item: Mobile devices to enroll (an iOS device that may be an iPhone, iPad, or iPod Touch running iOS 4.3 or later, or an Android device running Android 2.3 or later).
Description: For the most up-to-date list of tested and certified devices, see the Centrify website at http://www.centrify.com/mobile/directcontrol-for-mobile-supported-platforms.asp.

Item: Apple Account
Description: If you plan to enroll iOS devices, a separate Apple account is required to use for creating and updating an Apple Push Notification Service (APNS) certificate from Apple. You need to use this same account annually to renew your APNS certificate. For example, you might find it simpler to create a generic Apple ID to use solely for APNS certificate creation.

Item: Apple App Store account (for iOS devices)
Description: An Apple app store account to download the MyCentrify application on a mobile device.

Item: Google account (for Android devices)
Description: A Google account for the device (typically a gmail account) so that the device can receive notifications from the Centrify cloud service. You’ll find the account listed in the Settings application under Personal > Accounts & Sync. You also use this account to download the Centrify Mobile application from Google Play.

Item: Touchdown application (for Android devices)
Description: If you plan to synchronize mail onto your Android device (a non SAFE API Android device), make sure that the Touchdown application is installed (Touchdown version 7.3.00015 or later). There is an evaluation version of the Touchdown application in Google Play.

Tip For information about configuring silent authentication settings on the host computer and in your web browsers, see “Configuring silent authentication” on page 54.

Supported web browsers

This version of Centrify for SaaS / Centrify for Mobile has been tested with the following web browsers:

Internet Explorer:
• version 8 on Windows XP – for MyCentrify user portal only
• version 9 and 10 on Windows 7 and Windows 2008R2 server
• version 10 on Windows 2012 server and Windows 8

Mozilla Firefox: version 20

Google Chrome: version 26

Apple Safari: version 6

Tip For silent authentication to work correctly, some web browsers need additional configuration. For more information, see “Configuring silent authentication” on page 54.

Required Active Directory permissions

To install and administer the Centrify Cloud proxy server, the user account you use to install the Centrify Cloud Management Suite must be allowed access to the advanced “Modify Permissions” permission.


To add the required permissions to an Active Directory user or group:

1 In Active Directory Users and Computers, make sure that you have Advanced Features enabled (View > Advanced Features).

2 Open the properties for the desired user or group and click the Security tab.

3 In the Security tab, click Advanced.

4 In the Advanced Security Settings dialog box, click Add.

5 Enter the name of the user or service account that you will use to run the Cloud Proxy server, and click OK.

6 In the Permission entry dialog box for the group, click Allow for “Modify Permissions” and click OK.

The Permissions tab of the Advanced Security Settings dialog box lists the specified user with the ability to Modify Permissions.

7 In the Advanced Security Settings dialog box, click OK.

8 In the User or Group Properties dialog box, click OK.

Exchange server requirements

Blocking is available to Exchange 2010 and Office 365 servers. It is not available to Exchange 2007 servers. Exchange 2010 servers must have SP1 installed.

You must enable Remote PowerShell on the Exchange or Office 365 server. After you enable Remote PowerShell, the Exchange server creates an Internet Information Services (IIS) application named PowerShell. You need to enable an authentication method for this application. (By default no authentication method is selected.) Use the following procedure to enable an authentication method for the PowerShell application.

Note The following procedure is required for Exchange Servers only. Skip this procedure if you are using an Office 365 server.

To enable an authentication method for the PowerShell application:

1 Start IIS Manager.

2 On the left pane, select Site > Default Web Site > PowerShell.

3 On the right pane, select IIS > Authentication, right-click, and select Open Feature.

4 Select either Windows Authentication or Basic Authentication, right-click, and select Enable.

Note If you select Basic Authentication, be sure to select the check box when you enable

5 Back up your original settings. In this case, you would use a PowerShell script to extract the original settings.

Re-enrolling devices using different customer IDs

If you have installed multiple proxy servers and are using more than one customer ID, there are some situations where you must either manually move or remove a mobile device before a user can re-enroll the device using a different customer ID. This situation mostly happens when you have multiple proxy servers using more than one customer ID and each proxy server uses a different Active Directory organizational unit to contain the mobile group policies.

For example, this kind of situation can arise if you have a beta deployment in addition to a production deployment.

Note If both proxy servers are using the same organizational unit, the user can simply unenroll and then re-enroll the device.

To re-enroll the same mobile device using a different customer ID:

Do one of the following in Active Directory:

• Grant the new proxy server permission to move or remove objects in the original proxy server’s organizational unit.

• Manually remove the old mobile device object from the old proxy server deployment, or manually move the mobile device object to the new proxy server’s organizational unit.

Installing the Centrify Cloud Management Suite in your network

The Centrify Cloud Management Suite installer installs Centrify software in your internal network. After the installation completes, the installer launches the Cloud Proxy Server Configuration Wizard to help you configure the installed cloud proxy server.

To run the installer:

1 On your host computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows or Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows.

If Microsoft .NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after .NET installation and then you can continue the installation of the Cloud Management Suite.

3 In the Custom Setup dialog box, select the items to install, depending on which product(s) you need:

• Cloud Proxy Server (needed for either Centrify for SaaS or Centrify for Mobile)

• Centrify for Mobile Tools (includes AD Users and Computers and Group Policy Console Extensions)

• Centrify for SaaS (components required for Office365)

You can click Browse to specify a different installation location. Click Next.

4 In the Ready to Install Cloud Management Suite page, click Install to perform the installation.

If you’re upgrading the proxy server and it’s currently running, the installer prompts you to have the installer close the applications that are using files that need to be updated.

5 Select the option to close the applications and click OK.

6 When the installation completes, keep Run Connection Test selected and click Finish.

A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing. Click Close to close the Connection Test dialog box, then the Cloud Proxy Server Configuration Wizard launches.

Configuring the Cloud Proxy Server

Tip You can run this wizard again by clicking Re-Register in the Cloud Proxy Configuration application, Proxy Server tab. Doing this reregisters your proxy server to the Centrify cloud.

To configure the cloud proxy server using the configuration wizard:

1 In the Cloud Proxy Server Configuration Wizard Welcome page, click Next.

2 In the Proxy Configuration page, enter your Centrify account name and password in the account and password fields, and click Advanced.

3 In the Advanced Settings dialog box, verify that cloud.centrify.com is set as the cloud service address and click OK.

4 Click Next.

5 In the Web Proxy Configuration page, if your network has a web proxy server that you want to use for the connection to the Centrify cloud service, select the Use a web proxy server... option.

If you do not have a web proxy server, simply click Next without selecting the option; the cloud proxy server won’t connect through the web proxy server.

If you selected the web proxy option, enter the following information:

Address The URL of the web proxy server.

Port The port number to use to connect to the web proxy server.

6 Click Next to continue.

The Configuring Mobile Use screen appears.

7 For Centrify for Mobile users, keep the option selected to Configure Centrify for

Configuring Centrify for Mobile

If you selected the option to Configure Centrify for Mobile, the second Configuring Mobile Use dialog box appears. It allows you to specify the Active Directory groups whose users can enroll devices and the organizational units in which records for these users’ devices are stored.

The user group and organizational unit are specified as a pair. By default, the specified user group is “Domain Users” (which means all Active Directory users can enroll devices) and the organizational unit is “Computers” (which means mobile devices are stored in the same organizational unit as computers).

Note The organizational unit that you specify corresponds to the group policy object. Be sure to add devices to the organizational unit that you specify here; otherwise, the group policies may not get transferred to the mobile devices.

You can specify multiple pairs if you wish. However, if you use a group, such as the default, “Domain Users”, which includes all domain users, a single entry will allow anyone in your domain to enroll a device.

Tip For example, create an organizational unit called “Mobile Devices.”

1 Do one of the following:

Click Next to accept the default pair.

Click the group “Domain Users” in the list, then click Edit to open the Modify Enrollment Group dialog box and change either the group or the organizational unit to use.

• On the Group line, click Create or Browse to create a new group or browse to an existing group to select. If you create a new group, you can later add users to it in Active Directory Users and Computers.

• On the Container line, click Browse to browse to an existing organizational unit to use, or browse to an Active Directory organizational unit, then click Create to create a new container.

3 Click OK when finished.

4 Click Next.

Another Configuring Mobile User dialog box appears. It specifies the user group whose members are allowed to manage enrolled mobile devices — set to “Domain Admins” by default. Although Centrify for Mobile Active Directory extensions appear in ADUC for users who are not members of the specified group, the button operations do not work.

5 You may specify one group only. Do one of the following:

Click Next to accept the default, Domain Admins, group.

Click Create or Browse to create or select a different group, then click Next.

Note Centrify adds the group you specify to manage enrolled devices automatically to the sysadmin role in the Cloud Manager.

Note When you complete the configuration wizard, your proxy server will be fully functional, users in the specified groups can enroll devices, and administrators in the specified group can track and manage the devices. Keep in mind though that you can run the Centrify Cloud Proxy Configuration application at any time to make changes to the configuration that you have defined in the wizard, including adding, removing, or changing the enrollment and management groups.

6 If this is the first time that you are running the installer in your domain, the Setup Properties page appears. In order to see the Centrify property pages in all Active Directory administration screens, keep the Activate Centrify property pages option selected. Provide user credentials that have Enterprise administrator privilege to Active Directory so that the Active Directory administration screens can be updated.

Completing the Cloud Proxy Server Configuration Wizard

The Starting Cloud Proxy Server dialog box appears while the wizard registers the proxy with the Centrify cloud service and starts the proxy. When setup and startup is complete, the Setup Completed dialog box appears.

Click Finish to exit the wizard.

In a real installation, you can install multiple proxy servers for automatic failover, each on a different host computer. You use the same customer ID for each newly installed proxy server to identify the installation to which the proxy server belongs. If one proxy server fails, the Centrify cloud service automatically switches to another proxy server to continue service.

Upgrading your proxy server

If you’re upgrading from a previous version of Centrify for Mobile, run the Centrify Cloud Management Suite installer to upgrade the Cloud Proxy server and the Centrify Group Policy Object Extensions (GPOE).

Some Centrify GPOEs have moved in this release. The installer moves your current Exchange ActiveSync or VPN - PPTP policies as follows:

• Exchange ActiveSync policies that apply to all devices or iOS only move to Basic Mobile Settings > Exchange ActiveSync Settings

• Exchange ActiveSync policies that apply to all devices or Android only devices move to Touchdown Settings > Exchange ActiveSync Settings

• VPN - PPTP policies that apply to all devices or iOS only move to Basic Mobile Settings > VPN Settings (with PPTP specified as the protocol)

• VPN - PPTP policies that apply to Android only devices move to Samsung SAFE Settings > VPN Settings

Automatically updating your proxy server

Starting in Centrify for Mobile 1.1, you can automatically update your proxy server without having to run through a new installer. The proxy server regularly checks to see if there is an update and can automatically run the update.

If you have the Centrify Cloud Proxy Server Configuration application open, however, the proxy server cannot automatically update itself. In this case, run the update manually.

To update the Cloud Proxy Server:

2 In the lower left of the Status pane, right-click the update icon and select Update.

The Cloud Proxy Server updates and then displays a message indicating that the software is up to date.

Installing and configuring additional proxy servers

A single cloud proxy server runs in a forest at any given time to communicate between Active Directory and the Centrify cloud service. However, it is recommended that you configure one or more additional servers to provide failover in case the running server goes offline for any reason. This section explains how to install and configure additional cloud proxy servers.

Keep in mind that your customer ID uniquely defines your Centrify for Mobile installation. During installation, when you enter your Centrify account information, the cloud proxy server configuration wizard creates a unique customer ID for your account and registers the cloud proxy server with that ID. Later on, when users enroll devices, or administrators manage enrolled devices, the customer ID identifies the correct Centrify for Mobile installation with which to work.

When you set up additional cloud proxy servers in a single Centrify for Mobile installation, you must register all of them using a single existing customer ID. When you enter your Centrify account information during installation, the configuration wizard will prompt you with your existing customer ID.

When you install multiple cloud proxy servers, Centrify for Mobile specifies one of the servers to communicate between the Centrify cloud service and your internal network Active Directory service. The other cloud proxy servers stand by to take over in case of failure. If the server in use fails, Centrify for Mobile switches communication to another cloud proxy server running in the installation.

Server configuration within an installation is the same for all cloud proxy servers in the installation. If you change enrollment authorization on one cloud proxy server, for example, to include a new enrollment group and associated organizational unit, the proxy server sends that change to the Centrify cloud service. The cloud service stores the configuration with the customer ID and propagates the configuration to all cloud proxy servers in the installation associated with that ID so that all proxy servers have the same configuration.

To run the installer for additional proxy servers in a single forest

1 On a host computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows, Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows.

2 Click through the welcome screen (Next) and end-user license agreement (check box and Next).

3 In the Custom Setup dialog box, keep the default component settings, set file location to a different location if desired, then click Next.

4 Click Install to begin the installation and Finish when the wizard completion appears. A connection test runs to verify that your server is connected properly for the proxy server to run.

If any errors are returned, you must fix them before continuing. Click on the link next to any test to see information about the success or failure of a test. For example, if you click the Success, Warning, or Error link for Outbound TCP Port Check, you see each port that was contacted and whether connection was successful for each.

5 Click Close to close the window. The Cloud Proxy Server Configuration Wizard launches automatically. This wizard enables you to perform the initial configuration of the cloud proxy server.

6 Click through the welcome dialog box (Next), then in the Cloud Proxy Configuration dialog box enter your Centrify account name and password in the account and password text boxes.

7 Click Next.

The Web Proxy Configuration dialog box appears.

8 Specify whether you want to use a web proxy server for a connection to the Centrify cloud service.

9 If you selected the web proxy option, enter the following information:

Address The URL of the web proxy server.

Port The port number to use to connect to the web proxy server.

10 Click Next.

The Set Customer ID dialog box appears. It allows you to register the newly created cloud proxy server to an existing customer ID.

11 Select Register an existing Customer ID and select the customer ID from the box. Generally, there should be a single customer ID available in the Customer ID box. If there are multiple entries, be certain to select the one for your current Centrify for Mobile installation.

Note Do not select Register a new Customer ID to register a new proxy server to a different customer ID in the forest. Each customer ID has its own associated encryption key that encrypts group policy information sent between an installation and its enrolled mobile devices. If you install proxy servers in the same forest using different customer IDs, each server will use a different encryption key, causing problems in sending group policy data to enrolled devices.

12 Click Next then Finish to complete installation of the new proxy server.

The Centrify cloud proxy server configuration application starts automatically after the configuration wizard completes. You can check the status of the new server, or make changes if you wish, but you are not required to explicitly configure the new server because it is already configured exactly as the existing server. The cloud service stores the configuration with the customer ID and propagates the configuration to all cloud proxy servers in the installation associated with that ID so that all proxy servers have the same configuration. If you make changes in one proxy server, for example by changing

Configuring the Centrify cloud proxy server

After you’ve installed the cloud proxy server, you can further configure it using the Centrify Cloud Proxy Server Configuration application. You can also find your newly assigned customer ID here, which is important for later use.

To configure the cloud proxy server:

1 On your host computer, run the Cloud Proxy Server Configuration application from the Start menu, if the application isn’t already running. (It’s in the Centrify folder in All Programs.)

2 Note the customer ID value in the Status tab.

You’ll need the customer ID later to log into the Centrify Cloud manager. The customer ID uniquely identifies this Centrify for SaaS installation. The rest of the tab reports this server’s name, the Centrify account it’s registered under, and whether the server is started or not.

3 Click the Proxy Server tab to control the server.

network using the Settings update interval value, and enable or disable automatic updating of the proxy server from the cloud by selecting Enable auto-update.

When auto-update is on, the proxy server checks the Centrify cloud service periodically to see if there is a proxy server update. If there is, the proxy server downloads and installs the update, then restarts. This ensures that proxy server software is up-to-date. It is recommended that you enable this option, which is on by default.

Note The Active Directory Integration and Alerts tabs are used in Centrify for Mobile only.

4 Click the Logging tab.

6 In the Browse for folder dialog box, select the desired location and click OK.

Chapter 3

Configuring the cloud proxy server

This chapter explains how to use the cloud proxy server configuration application to configure and monitor your cloud proxy server. It covers the following topics:

• About the Centrify cloud proxy server and configuration application

• Status tab

• Proxy Server tab

• Mobile Settings tab

• The Alerts tab

• Logging tab

Launch the cloud proxy server configuration application from the Start menu on the host computer. Modify settings by selecting different tabs in the window. You can see the tabs in the following figure.

About the Centrify cloud proxy server and configuration application

Initial configuration of the cloud proxy server follows installation with the cloud proxy server configuration wizard, which launches automatically. To complete the wizard, you must identify a user group whose members can enroll devices and a container that stores accounts for enrolled devices. You must also identify a group whose users have permission to manage enrolled devices and manage the configuration.

The cloud proxy server configuration application allows you to complete the initial configuration, if necessary, to make changes, and to configure additional features such as logging and sending alerts that are set to default values during initial configuration. You can also run this application to monitor the status of your cloud proxy server.

Note You can also monitor proxies through the Centrify Cloud Manager web application. However, the Cloud Manager only allows you to monitor proxies — it does not allow you to configure a cloud proxy server in any way.

Although you may configure multiple cloud proxy servers for a single Centrify for Mobile installation, only one of them is active at a time — the others stand by in case of failure, in which case one of them takes over. Each server has its own proxy server configuration application that you launch on the computer hosting the proxy server. However, when you make a change to any of the proxy servers in an installation (that is, servers registered to the same customer ID), the changes are propagated to all the servers in the installation to ensure that they are all in sync.

The Centrify cloud proxy server configuration application is installed on any computer where a cloud proxy server is installed. Launch it through the Windows Start menu where it’s located in the Centrify/Cloud Management Suite folder. The application appears as a window with five tabbed panels:

Status, which reports the status of the proxy server.

Proxy Server, which controls proxy server operation.

Mobile Settings, which specifies groups allowed to enroll devices, the group allowed to manage devices, and the interval at which the proxy polls Active Directory.

Alerts, which specifies if and where to send email alerts when Centrify for Mobile detects dead mobile devices.

Logging, which turns logging on and off for this configuration application and for the ADUC and group policy editor extensions. It also specifies where the log file is stored.

Status tab

The Status tab displays the following read-only information about the proxy server:

Server name displays the assigned name of this cloud proxy server.

Customer ID displays the customer ID under which this cloud proxy server is

using this ID to create stand by proxy servers in case of failure. Only one proxy server runs at a time.

Note The Centrify cloud service assigns the customer ID when you register the cloud proxy server (during installation) by using the cloud proxy server configuration wizard. Although you can change the customer ID in the Proxy Server tab, you should never do so unless instructed to do so by Centrify customer support.

Centrify Account displays the Centrify customer account name under which this installation was registered.

Cloud Proxy Server is started|stopped Shows whether the cloud proxy server is started (running) or not.

Connection to Centrify Cloud Service Shows the date, time, and result of the last connection to the Centrify cloud service.

Proxy Server tab

The Proxy Server tab reports the customer ID under which the proxy server is registered and whether or not the server is started. It also offers the following controls:

The Re-register button starts the Centrify cloud proxy server configuration wizard and allows you to re-register this cloud proxy server. Generally, you re-register the proxy under the same customer ID, and then only if the proxy is having difficulty communicating with the Centrify Cloud service and customer support recommends that you re-register to address the issue.

Note Re-registering under a different ID can destabilize your environment and should be done only after consulting with Centrify customer support. Changing the ID moves the proxy server from one installation to another. If the proxy server is the only server in an installation, removing the server from the installation will cause any device enrollment to the installation to fail, and enrolled devices will no longer receive policy changes.

Click Start to start the cloud proxy server if it’s stopped.

Click Stop to stop the cloud proxy server if it’s running.

Click View Log to view the proxy server log. Note that this is not the same as the proxy server configuration log viewed under the Logging tab. The proxy server log is turned on at all times and records all actions taken by the proxy server. The proxy server configuration log is not turned on by default. When it is on, it records proxy server configuration activities taken using this application, not the actions of the proxy server.

Use the Settings update interval text box to set the number of minutes this proxy server takes between checks on proxy settings with the Centrify cloud service.

new settings reported from any of the other proxy servers in the installation, the checking proxy downloads and accepts those settings. This ensures that all proxies in an installation have the same settings.

Use the Active Directory user verification interval text box to set the number of minutes this proxy server takes between checks for active AD user accounts. When the proxy server checks AD user accounts, it contacts Active Directory to see if the user account listed for each enrolled device is active. If a device’s associated user account is not active (is disabled or removed), Centrify for Mobile unenrolls the device.

Select the Enable auto-update check box to turn the proxy server’s auto update on (when checked) or off (when unchecked). When auto-update is on, the proxy server checks the Centrify cloud service periodically to see if there is a proxy server update. If there is, the proxy server downloads and installs the update, then restarts. This ensures that proxy server software is up-to-date. We recommend that you enable this option, which is on by default.

Select Use a web proxy server for Centrify Cloud Service connection check box if your network is configured with a web proxy server that you want to use to connect to the Centrify cloud service. Note that the web proxy must support HTTP 1.1 for a successful connection to the Centrify cloud service. The environment must also keep outbound TCP ports 9350 through 9354 open. After you select this option, enter the following information to enable the web proxy connection:

Address is the URL of the web proxy server.

Port is the port number to use to connect to the web proxy server.

Mobile Settings tab

The Mobile Settings tab has three panels:

The Enrollment Authorization panel specifies user group/container pairs that define which Active Directory user groups may enroll mobile devices and where records for those devices are stored.

The Group Policy panel specifies, in minutes, how often the cloud proxy server polls Active Directory for changes in mobile group policies.

The Management Authorization panel specifies which user group has mobile device management authorization through Active Directory or through the Centrify cloud manager.

Enrollment authorization

enrolled in Centrify for Mobile and a container where the enrolled devices’ records are stored.

The proxy server stores this user group/container pair list. When a user requests to enroll a mobile device, Centrify for Mobile reads through the list and looks for a user group that the requesting user belongs to. When it comes to a pair that contains a user group that the requestor belongs to, the proxy server enrolls the device and puts the device record in the container specified by the pair. The proxy server stops reading through the list after that, so if the user is a member of a user group specified in a later pair, the later pair has no effect on enrollment.

The panel has a set of buttons that control the list entries:

Move up moves the selected pair up in the list.

Move down moves the selected pair down in the list.

Add opens the Add Joined Group dialog box where the user can create a new group/container pair. The dialog box contains standard Active Directory controls that allow you to create a new user group or browse for an existing user group, and to browse for an existing container.

Edit opens the Modify Joined Group dialog box where the user can modify the selected pair. This dialog box has the same controls as the Add Joined Group dialog box with one difference: there are already values filled in that define the group and container.

Remove deletes the selected pair from the list.
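
Because the proxy server stops at the first matching pair, the order of the list decides which container, and therefore which group policy object, a device ends up under. The following Python code is an added example, not Centrify code: it models the list walk described above and reports pairs that can never take effect. The groups “Sales Mobile” and “Exec Mobile”, the user names, and the container names other than “Computers” are constructed sample data.

```python
"""Model of first-match enrollment authorization (added example, not Centrify code).

Group names other than "Domain Users", all user names, and the container
names other than "Computers" are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class EnrollmentPair:
    group: str      # Active Directory user group allowed to enroll devices
    container: str  # organizational unit that receives the device record


# group name -> effective members (nested groups assumed already expanded)
Membership = Dict[str, Set[str]]


def resolve_container(user: str, pairs: List[EnrollmentPair],
                      members: Membership) -> Optional[str]:
    """Walk the list top to bottom; the first pair whose group holds the user wins."""
    for pair in pairs:
        if user in members.get(pair.group, set()):
            return pair.container
    return None  # no pair matched, so the user is not authorized to enroll


def shadowed_pairs(pairs: List[EnrollmentPair],
                   members: Membership) -> List[EnrollmentPair]:
    """Pairs whose every current member is already matched by an earlier pair."""
    covered: Set[str] = set()
    shadowed = []
    for pair in pairs:
        group_members = members.get(pair.group, set())
        # An empty group shadows nothing and is not reported here.
        if group_members and group_members <= covered:
            shadowed.append(pair)
        covered |= group_members
    return shadowed


def overlapping_matches(pairs: List[EnrollmentPair],
                        members: Membership) -> Dict[str, Tuple[str, List[str]]]:
    """For users matching several pairs: (container used, containers skipped)."""
    report = {}
    everyone = set().union(*members.values())
    for user in sorted(everyone):
        hits = [p.container for p in pairs if user in members.get(p.group, set())]
        if len(hits) > 1:
            report[user] = (hits[0], hits[1:])
    return report


# Constructed sample directory snapshot.
MEMBERS: Membership = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Sales Mobile": {"alice", "bob"},
    "Exec Mobile": {"carol"},
}

# The wizard default left at the top: it matches every domain user first.
DEFAULT_FIRST = [
    EnrollmentPair("Domain Users", "Computers"),
    EnrollmentPair("Sales Mobile", "Mobile Devices - Sales"),
    EnrollmentPair("Exec Mobile", "Mobile Devices - Exec"),
]

# Same pairs after using Move up so the narrow groups are read first.
SPECIFIC_FIRST = [
    EnrollmentPair("Sales Mobile", "Mobile Devices - Sales"),
    EnrollmentPair("Exec Mobile", "Mobile Devices - Exec"),
    EnrollmentPair("Domain Users", "Computers"),
]

if __name__ == "__main__":
    for name, order in (("default first", DEFAULT_FIRST),
                        ("specific first", SPECIFIC_FIRST)):
        print(name)
        for user in ("alice", "carol", "dave", "eve"):
            print("  ", user, "->", resolve_container(user, order, MEMBERS))
        print("   shadowed:", [p.group for p in shadowed_pairs(order, MEMBERS)])
```

The shadowing check works on a membership snapshot, so rerun it whenever group membership or the pair order changes.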

Group policy polling

The Group Policy panel has a single control:

The Polling interval text box accepts an integer value that sets the number of minutes between Active Directory polls. The cloud proxy server polls Active Directory regularly to look for new and modified iOS group policies.

Management authorization

The Management Authorization panel displays the Active Directory user group currently authorized to manage mobile devices through Active Directory or the Centrify cloud manager. It has two buttons you can use to specify a new user group:

Create lets you create a new Active Directory user group and authorize its members to manage mobile devices.

Browse lets you browse through existing Active Directory user groups and select a new

The Alerts tab

The Alerts tab enables you to turn on email notification for dead mobile devices and to configure the email address and server for receiving the notifications. To turn on email notification for dead devices, select Send email notification for dead devices.

Note The Centrify cloud service pings enrolled devices once every 24 hours to verify that they are active. If a device does not respond to the ping message within five days, it is considered ‘dead’ and the Centrify cloud service changes its state to ‘terminated’. If the device reconnects after that time, the Centrify cloud service changes its state back to GPApplied and activates the device in Active Directory.

After enabling email notification, enter the following information to specify the notification email address and subject, and to specify the email address to receive the notification:

From address Specify the “from” address supplied in the email notification. This value is required.

To address Specify the address to which to send the notification. This value is required.

Mail subject Specify the subject line for the email notification. This value is optional.

SMTP server Specify the SMTP server used to send the email notification. This value is required.

SMTP port Specify the port number used to connect to the SMTP server. This is an optional value.

Use SSL Select this to specify that the Centrify cloud service use an SSL connection to connect to the SMTP server.

Use SMTP authentication Select this to specify that the Centrify cloud service provide a user name and password for SMTP server authentication when connecting to the SMTP server.

User name and Password If Use SMTP authentication is selected, you must provide the user name and password for this authentication.

Click the Test button to verify your notification setup by sending a test notification email using all provided notification values. If sending mail fails, a notification box appears. Note that this button is unavailable until all required notification values are filled in.
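The following added example (not part of the Centrify guide or product) reviews a set of Alerts tab values before they are saved: it reports missing required fields and flags the case where Use SMTP authentication is selected without Use SSL, which would send the SMTP user name and password unprotected. The dictionary keys, the sample values, the default ports 465 and 25, and the reading of "Use SSL" as TLS from the start of the connection are assumptions made for the example.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import parseaddr

REQUIRED = ("from_address", "to_address", "smtp_server")  # marked required in the guide

def review_alert_settings(s):
    """Return (severity, message) findings for a dict of Alerts tab values."""
    findings = [("error", f"{f} is required") for f in REQUIRED if not str(s.get(f) or "").strip()]
    for f in ("from_address", "to_address"):
        addr = parseaddr(s.get(f) or "")[1]
        if s.get(f) and not (0 < addr.find("@") < len(addr) - 1):
            findings.append(("error", f"{f} is not a usable address"))
    port = s.get("smtp_port")  # optional in the guide
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        findings.append(("error", "smtp_port must be an integer from 1 to 65535"))
    if s.get("use_auth") and not (s.get("user_name") and s.get("password")):
        findings.append(("error", "user_name and password are required with SMTP authentication"))
    if s.get("use_auth") and not s.get("use_ssl"):
        findings.append(("high", "SMTP user name and password would be sent without TLS"))
    elif not s.get("use_ssl"):
        findings.append(("low", "alert mail reaches the SMTP server in cleartext"))
    return findings

def send_test(s, timeout=10):
    """Send one test message. Assumes 'Use SSL' means TLS from the first byte."""
    msg = EmailMessage()
    msg["From"], msg["To"] = s["from_address"], s["to_address"]
    msg["Subject"] = s.get("mail_subject") or "Test notification"
    msg.set_content("Test of the dead-device notification settings.")
    if s.get("use_ssl"):
        ctx = ssl.create_default_context()  # validates certificate chain and host name
        conn = smtplib.SMTP_SSL(s["smtp_server"], s.get("smtp_port") or 465, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(s["smtp_server"], s.get("smtp_port") or 25, timeout=timeout)
    with conn:
        if s.get("use_auth"):
            conn.login(s["user_name"], s["password"])
        conn.send_message(msg)

# Constructed sample values (not from the guide).
WEAK = {"from_address": "mdm@example.com", "to_address": "soc@example.com",
        "smtp_server": "mail.example.com", "smtp_port": 25,
        "use_ssl": False, "use_auth": True, "user_name": "svc-alerts", "password": "placeholder"}
HARDENED = dict(WEAK, smtp_port=465, use_ssl=True)
if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, review_alert_settings(cfg) or "no findings")
```

Call send_test only after review_alert_settings returns no errors; it connects to the configured server and, with use_ssl set, fails if the server certificate does not validate.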

Logging tab

To enable logging:

1 Select Enable logging.

2 Click Browse to browse for a folder in which to write log entries.

The application writes three separate log files. Click View Log to see the proxy server configuration log, or ADUC log or GPOE log to see the log for these mobile


Chapter 4

Setting security group policies

This chapter introduces the Centrify mobile-specific group policies and explains how to set them in a group policy object.

Centrify for Mobile includes a group policy extension that adds a wide variety of policies you can use to manage mobile devices. You installed the mobile device group policy extension when you installed the cloud proxy server.

To use these policies, open the Microsoft Group Policy Management Editor (often referred to as GPOE) to create a group policy object (GPO) for the mobile devices and enable the policies you need. Then, you link the GPO to the Active Directory organizational unit that contains the mobile devices.

The Centrify cloud proxy server builds a set of profiles for each type of device (iOS-, Android-, or OS X-based) and installs the appropriate profiles for the device when the user enrolls the device. The profiles are automatically updated on a periodic basis. You can also force an update from Active Directory Users and Computers and the Cloud Manager.

Notes

You set the polling interval in the Cloud Proxy Server Configuration program in the Mobile Settings tab. It can take up to 10 minutes after polling for the proxy server to update the devices.

If you make a lot of changes (for example, more than 20), the proxy server may issue the updates to the devices in multiple batches rather than all at once.

The profiles are listed on Android devices in the MyCentrify Policies screen and on iOS and OS X devices in the Settings application General/Profiles screen.

The mobile device group policies overview


figure illustrates the list of the Centrify Cloud Management Settings group policies you see in Group Policy Management Editor.

Notes

If you do not see the cloud management settings branches when you open the Group Policy Management Editor, your computer needs to have both the Centrify Cloud Proxy Server AD Users and Computers and Group Policy Console extensions installed.

To install the extension, run the proxy server installer on the computer and select just the Active Directory Users and Computers Console and Group Policy Console extensions.

To install Active Directory Users and Computers and Group Policy extensions:

1 On your computer, run the Centrify Cloud Management Suite installer appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows or Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows.

If Microsoft .NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after the .NET installation, and then continue the installation of the Cloud Management Suite.
