Endpoint Manager for Mobile Devices Setup Guide


Academic year: 2021


Contents

Endpoint Manager for Mobile Devices Setup Guide
Components
Architecture
Key Features
System Requirements
General
For Lotus Traveler
For Microsoft Exchange
Configure Management Extenders dashboard
Installing and Configuring
Activate Required Analyses
Management Extender for Lotus Traveler
Management Extender for Microsoft Exchange
Management Extender for iOS
iOS App Setup
Android Agent Setup
Warnings
Support
Notices

Endpoint Manager for Mobile Devices Setup Guide

The Endpoint Manager for Mobile Devices (MDM) application manages corporate and employee-owned smartphones and media tablets that access enterprise resources. The application can be used to manage security controls, software and hardware inventory, and application management.

This Setup Guide provides IT managers and system administrators instruction on how to install and configure the application and how to set up your mobile devices to integrate with the application. Specifically, it includes setup instructions for iOS, Android, Lotus Traveler, and Microsoft Exchange. This guide also includes system requirements for each application component, and provides licensing and installation instructions to enable you to deploy Mobile Devices in your environment.

For information on how to use Endpoint Manager for Mobile Devices, see the Endpoint Manager for Mobile Devices User’s Guide.

Components

The Mobile Devices application includes the following primary components:

Server – The Endpoint Manager for Mobile Devices server is a database that communicates with the relays and the Tivoli Endpoint Manager console to manage the devices in your deployment.

Relay - Relays are network components designed to distribute the download burden from the Tivoli Endpoint Manager server and compile and compress data received from clients. In MDM, the relays process information from your mobile devices and transmit that information to the TEM server.

Management Extenders – Management Extenders allow devices to be managed without an agent on the device.

Email Servers – Includes Lotus Traveler and Microsoft Exchange servers.

Architecture

The diagram below depicts a visual representation of how Mobile Devices is designed to work in your environment.

Key Features

The following is a list of the most important features of Mobile Devices:

- Integration with Tivoli Endpoint Manager platform
- Support for basic management of devices using email-based management
- Support for advanced management of devices using agent-based management
- Device inventory
- Security and password policy management
- Management commands such as wipe, lock, clear-password, deny email access
- App Management
- Enterprise access configuration including email, WiFi, and VPN

Note: Support for these features varies by device, OS, and management method.

System Requirements

General

- Tivoli Endpoint Manager version 8.2 or higher must be used

Note: Before using this application, select an available port for the iOS Management Extender. The default is 443. If you want to use a different port, specify that port in the Configure Management Extender dashboard.

For Lotus Traveler

On Traveler Server:

- Domino server must run the Traveler, DIIOP and HTTP tasks.
- HTTP must be listening on ports 80, 443 or both. The URL http(s)://<server>/diiop_ior.txt must be publicly accessible.
- DIIOP must be listening on ports 63148, 63149 or both. For configurations using port 63149, the SSL certificate must be valid and current, and a TrustedCerts.class file must have been generated in the Domino data folder.
- Create an administrative user. The administrative user must have both read and edit permissions in the ACL for LotusTraveler.nsf, and must be able to run restricted and unrestricted Domino commands.

On Management Extender for Lotus Traveler Server:

- The plugin must be able to contact the server on one HTTP and one DIIOP port. If DIIOP listens exclusively on port 63149, the plugin requires the server-specific TrustedCerts.class in its classpath. To do this, include the TrustedCerts.class in a TrustedCerts.jar file and deploy it through the Configure Management Extender dashboard.
- The administrative user must have a username and password. Anonymous connections are not supported.

For Microsoft Exchange

On Exchange Server:

- Win 2008 Server
- WS-Management protocol
- WinRM
- Exchange Server 2007 or 2010

On Management Extender for Exchange Server:

- WS-Management protocol
- WinRM
- Exchange Management Tools (Exchange 2007 only)

Note: If you intend to use this Management Extender to connect to a remote 2007 Exchange server, first install Exchange Management Tools on the Management Extender so it connects properly to the remote server.

For Android

- Android 2.2+ (Froyo) running on ARM processors
- Ability to connect to a TEM server or relay

Configure Management Extenders dashboard

The Configure Management Extenders dashboard, located in the Setup and Configuration node of the navigation tree, configures your management extenders to enable them to connect to servers.

Click on one of the extenders in the list to select it. Then click Configure. This will open the Configure Extender window for Apple iOS, Lotus Traveler, or Microsoft Exchange. In the Configure Extender window, you can set parameters for the configuration.

Part Two

Installing and Configuring

Prior to beginning the installation and setup of Mobile Devices, you should be familiar with the Tivoli Endpoint Manager console and be logged in. For detailed information about the console, see the Tivoli Endpoint Manager Console Operator’s Guide.

Setting up the application in your deployment involves the following processes, which will be described in this section:

- Activate Analyses
- Set up relays on systems for extenders
- Deploy Fixlets for extenders
- Run the dashboard to configure extenders
- Set up iOS App
- Set up Android Agent
- Warnings

The Setup and Configuration node in the navigation tree displays a list of preliminary actions you need to take before using the Mobile Devices application. These include deploying the Management Extender for Microsoft Exchange and Lotus Traveler.

The Management Extender provides a mechanism for managing the devices in your deployment by interacting with your existing management process.

Note: You cannot have more than one management extender deployed on a system.

Activate Required Analyses

Begin by clicking the Required Analysis node in the navigation tree. Select all analyses in the list, right click to display the drop down menu, and click Activate. After all analyses are activated, you can begin deploying your management extenders.

Management Extender for Lotus Traveler

The Management Extender for Lotus Traveler must be installed on the TEM Server or on a relay. The deploy Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

Deploy the Management Extender Fixlet

Lotus Traveler in the list panel on the right. This opens the Fixlet window below.

Under the Description tab, click the link in the Actions box to execute the action.

Note: The Management Extenders need to connect to the email servers, but they do not need to be installed on the same computer.

After entering the required information in all applicable fields, the Take Action dialog displays. A window displays the results of your completed action.

Configure the Management Extender

Click the Configure Management Extender dashboard located in the Setup and Configuration node. Click on one of the extenders in the list to select it. Then click Configure.

In the Configure Extender window, manually set refresh intervals.

If you are deploying your extender directly onto your Lotus Traveler server, check the Use Local Connection checkbox. Otherwise, specify your server and credentials. You may also specify an SSL connection type (HTTP, ORB, none, or both). If you select ORB or both, you need to provide a TrustedCerts.jar file. This file is generated on your Lotus Traveler server.

The TrustedCerts.class file is automatically generated by Lotus Domino when SSL configuration is enabled. This file is typically located in the Domino data folder and is regenerated when the Domino server SSL certificates are installed or modified. A TrustedCerts.class file generated by a server is only valid for that particular server. Adding or changing the server certificate will invalidate all previous TrustedCerts.class files from that server.

<project name="Convert" default="go" basedir=".">
  <target name="go">
    <jar destfile="TrustedCerts.jar" basedir="." compress="true">
      <include name="TrustedCerts.class" />
    </jar>
  </target>
</project>

This script should generate a TrustedCerts.jar file that can be deployed in the plugin.

When you have set all parameters, click Configure Traveler Management Extender. This action takes you to the Take Action dialog, where you can select the server that you want to configure. Click Ok and this will configure the appropriate settings on your extender. After the action completes, you can manage devices enrolled on your Traveler server through the IBM Endpoint Manager.

Management Extender for Microsoft Exchange

The Management Extender for Microsoft Exchange must be installed on the TEM Server or on a relay. The deploy Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

Deploy the Management Extender Fixlet

To deploy the Management Extender for Microsoft Exchange Fixlet, click the link in the Actions box of the task window and follow the same procedure as Lotus Traveler.

Note: Exchange Management Extender supports connections to Exchange 2007 servers. As a prerequisite, Exchange Management tools need to be installed on the systems where the extenders will be deployed.

Configure the Management Extender

Open the Configure Management Extender dashboard and click on the Microsoft Exchange extender. Specify your Exchange server address and your credentials. If you are connecting to an Exchange 2007 server, check the Exchange 2007 checkbox in the Configure Extender dialog.

When you have set all parameters, click Configure Exchange Management Extender. This action takes you to the Take Action dialog, where you can select the server that you want to configure. Click Ok and this will configure the appropriate settings on your extender. After the action completes, you can manage devices enrolled on your Exchange server through the IBM Endpoint Manager.

Management Extender for iOS

The Management Extender for Apple iOS must be installed on the TEM Server or on a relay. The deploy Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

The Apple iOS devices must be able to connect to the Management Extender (default port 443) at the DNS name/IP address that you specify during installation.

Note: You need an Apple ID with a valid email address to complete this process. Create an account that has a non-personal email address to maintain access to the Push Certificate portal in the event of a departure.

Setting up the Management Extender involves three basic steps:

- Deploying the Management Extender Fixlet
- Obtaining a Certificate
- Configuring the Management Extender

Deploy the Management Extender Fixlet

1. Open the Deploy Management Extender for Apple iOS Fixlet. The Fixlet is in the Setup and Configuration node in the navigation tree.

2. Click the button in the Fixlet and select the target computer to deploy the Management Extender. If the target computers are not relevant, make sure that the agent and a relay are installed first.

3. When prompted, use a DNS name (or IP address) that the Apple iOS devices can reach.

4. Target the computers to install the Management Extender for Apple iOS.

5. The installation will create a certificate request that must be signed by both IBM and Apple before you can manage your Apple iOS devices.

Obtain a Certificate

1. Download the CSR file that was generated during the installation by opening https://<dns or IP address>/csr. Save the file.

2. Send an email to [email protected] and attach the push.csr file. Type MDM APNS CSR <organization name> in the subject line.

3. IBM will respond via email with a signed certificate request.

4. Go to https://identity.apple.com/pushcert/

5. Log in with your Apple ID. Consider using a non-personal ID so that other members of the organization can use the Apple ID in the future.

6. Select Create Certificate.

7. Read and agree to the Terms and Conditions.

8. Follow the instructions to upload the certificate file that you received from IBM.

9. Download the new signed push certificate "MDM_IBM Global Engineering Solutions_Certificate.pem" file.

10. If you open the .pem file in a text editor, you should see a base64 encoded certificate that starts with BEGIN CERTIFICATE and has several lines of random characters.

11. Rename the file to push.cer and create a backup copy.

Configure the Management Extender

1. Open the Configure Management Extender dashboard from the Setup and Configuration node in the navigation tree.

2. Select the Management Extender for Apple iOS and click Configure. There will be a delay of a few minutes after deploying the management extender before it will report its configuration information and display in this dashboard.

you to see updated information from your devices faster, but potentially causes more data and battery usage on the device.

4. Select the certificate that you received from Apple in the section above. If you have a push key file (because you generated the CSR and key pair manually), also include that in this section.

5. If you have an HTTPS key and certificate from a trusted source, you can include them in this section. This will replace the self-signed HTTPS certificate and prevent the HTTPS warnings on the devices.

Your Management Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting https://<dns or IP address>.

Note: The iOS Management Extender requires direct connection to the Apple Push Notification Server. This interaction occurs over TCP/IP and cannot be proxied via HTTP proxies.

Back up your Apple Push Notification Private Key

After you deploy the Fixlet, back up one of the files to a secure location. The file will likely be in the following path on your management extender:

C:\Program Files (x86)\BigFix Enterprise\Management Extender\MDM Provider\private

The file will be called push_key.pem.

This key is tied to your push certificate, in that if you want to deploy multiple extenders with the same certificate, you need to use the same key for each.
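
The PEM check from step 10 of Obtain a Certificate and the key-to-certificate tie described above can be verified before the files are configured or archived. The following is an added shell example, not part of IBM's guide; it assumes the openssl command-line tool is available, and the function names and the 30-day expiry threshold are illustrative choices.

```sh
#!/bin/sh
# Added example (not from the guide): sanity checks for the APNs push
# certificate and its private key before they are configured or backed up.
# Assumptions: the openssl CLI is installed; function names and the default
# 30-day threshold are illustrative. A passphrase-protected key fails the
# match check instead of prompting.

# Succeeds only if FILE has a PEM certificate header and parses as X.509.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Succeeds only if the public key inside CERT is the one derived from KEY.
# Both commands print the SubjectPublicKeyInfo in PEM, so a string compare
# is enough; an unreadable file yields a failure, never a false match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if CERT is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs every check and reports each result; returns non-zero on any failure.
check_push_bundle() {
    cert=$1 key=$2 days=${3:-30} rc=0
    if is_pem_cert "$cert"; then
        echo "OK   $cert is a PEM X.509 certificate"
        openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
    else
        echo "FAIL $cert is not a PEM certificate"
        return 1
    fi
    if cert_matches_key "$cert" "$key"; then
        echo "OK   $key is the private key for $cert"
    else
        echo "FAIL $key does not match $cert"
        rc=1
    fi
    if cert_valid_for_days "$cert" "$days"; then
        echo "OK   certificate is valid for at least $days more days"
    else
        echo "FAIL certificate expires within $days days"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_push.sh push.cer push_key.pem [days]
if [ "$#" -ge 2 ]; then
    check_push_bundle "$@"
fi
```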

iOS App Setup

To set up the mobile client on your iPhone, use the following steps:

1. From your iPhone, open the App Store.

2. Select Search and search for IBM Mobile.

3. Select the IBM Endpoint Manager Mobile Client.

4. Select Free and then Install App.

5. At the Sign In screen, sign in using your existing Apple ID or create a new Apple ID. This will install the mobile client to your device.

6. Launch the app from your device.

7. Enter server address, work email, and device ownership fields.

8. Select Enroll.

Android Agent Setup

To set up your Android agent, use the following steps. You will need an internet-facing relay for this process.

1. Launch the Android market app on your device and search for IBM Endpoint Manager for Mobile Devices. Select the app and click download. Click Accept and Download.

2. After the application is installed, select Open.

3. Click Activate.

4. Enter the TEM Server address (or internet-facing relay) that you obtained from your administrator and enter your work email address. Select one of the two available options to indicate if the device is personal or enterprise. Click Enroll.

5. If the connection is successful, the message Successful set up of the Mobile Client will display briefly, and service status will indicate that the service is running.

Note: To uninstall the TEM Android agent, unselect the Device Administrator option under Settings/Location and Security on the device.

Note: To control your device location privacy, deploy the Disable GPS Location Properties Fixlet under Mobile Device Inventory/Data Configuration.

Warnings

Two possible warning messages will display in the Warnings list panel if they are relevant to your deployment: Android Agent is not marked as a Device Administrator and Proxy Agent Service not Running.

To mark your Android Agent as Device Administrator, go to Settings on your Android device.

If the Proxy Agent Service is not running on a Management Extender, it will not update device information or issue actions to devices. To start the service, click BES Proxy Agent Service not Running and click in the Actions box to initiate the action.

Support

To learn, understand, and optimize your use of this product, see the following resources:

- Tivoli Endpoint Manager Support site
- Knowledge Base
- Forums and Communities
- Endpoint Manager for Mobile Devices Wiki

Notices

This information was developed for products and services offered in the U.S.A.

IBM® may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
