Technology Corporation (“Good”). Good may have patents or pending patent applications,
trademarks, copyrights, and other intellectual property rights covering the subject matter in these
documents. The furnishing of this, or any other document, does not in any way imply any license to
these or other intellectual properties, except as expressly provided in written license agreements
with Good. This document is for the use of licensed or authorized users only. No part of this
document may be used, sold, reproduced, stored in a database or retrieval system or transmitted
in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s
authorized use without the express written permission of Good. Any unauthorized copying,
distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is
subject to change without notice and does not represent a commitment on the part of Good. The
software described in this document is furnished under a license agreement or nondisclosure
agreement. The software may be used or copied only in accordance with the terms of those written
agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is
your responsibility to utilize the most current documentation available. Good assumes no duty to
update you, and therefore Good recommends that you check frequently for new versions. This
documentation is provided “as is” and Good assumes no liability for the accuracy or completeness
of the content. The content of this document may contain information regarding Good’s future
plans, including roadmaps and feature sets not yet available. It is stressed that this information is
non-binding and Good creates no contractual obligation to deliver the features and functionality
described herein, and expressly disclaims all theories of contract, detrimental reliance and/or
promissory estoppel or similar theories.
Legal Information
© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/
legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR
GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD,
GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and
GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related
Section 1: Good MSM Overview 7
Required Workflow 8
Launching the Admin Console 9
Logging Out of the Admin Console 10
Admin Console Interface 11
Menu Bar 11
System Menu 11
View Menu 12
Tools Menu 13
Help Menu 14
Toolbar 14
Object Control Panel 15
Status Bar 16
Section 2: Mapping Good MSM User Roles 17
Default Windows Authentication to Manage Users 17
Configuring Role-Based Administration 20
Section 3: Configuring the Initial Settings to Run Good MSM 21
Configuration Progress Meter 21
License Details 24
Global Settings 25
SMTP / Email Notifications 25
Active Directory (AD) Syncing 26
User and Group Sync (Optional AD Syncing) 27
Device Management Panel 30
Device Identity Certificates 31
Apple Push Notification Service (APNs) Certificate 32
Android Security Management 33
Importing SSL Certificates 33
Security Management Activation Email 35
Compliance Threshold 36
User Self-Service (USS) Server Configuration 45
USS Device Instructions 48
Enterprise Information Panel 50
Custom Branding 50
Support Contacts 51
Advanced Settings 52
Configuring Remote Log Collectors 53
Using the Template 54
Maintenance Panel 56
Renew SSL Certificate 56
Importing SSL Certificates 56
Renew MDM Host Certificate 58
Renew Internal Certificate 58
Renew DMZ Apache Configuration 59
Section 4: Enabling Data Analysis by Deploying the Good MSM Infrastructure 60
Status Bar 61
Loading Analyzers 62
Unloading Analyzers 63
Section 5: Custom Summary Groups 64
Creating and Modifying Custom Summary Groups 64
Creating Custom Summary Groups 65
Adding Users to Custom Summary Groups 69
Changing Maximum Users Displayed Per Page 70
Tuning Custom Summary Group and User Thresholds 71
Section 6: Managing Summary Group and User Level Notifications 73
Assigning Summary Group and User Level Notifications 73
Assigning E-mail Notifications 74
Example User Level E-mail Notification 76
Assigning SNMP Trap Notifications 77
Assigning HP Operations Manager Notifications 79
Editing E-mail Addresses 82
Managing Notifications for an E-mail Address 83
Removing Notifications for a User/E-mail Address 85
Section 7: Performing Mobile User Component Tuning 87
Assigning System Health Notifications 92
Assigning System Health E-mail Notifications 92
Viewing and Managing System Health Notifications 96
Section 9: SNMP Server Configuration and Interface 98 Section 10: BlackBerry Fix-It Configuration Settings 108
Configuring Fix-It for BES 5.0.4 and Greater 108
Section 11: Configuring Enterprise Certificate Authorities 110
Enterprise Certificate Authority Integration Prerequisites 111
Configuring the Certificate Authority 114
Configure Good MSM to Access your CA 119
Creating an Identity Certificate 120
Creating a Wi-Fi Configuration 121
Creating a VPN Configuration 122
Creating an Exchange ActiveSync Configuration 123
Configuring a Certificate Authority on Windows Server 2008 124
Section 12: Using Maintenance/Holiday Mode (BlackBerry Only) 128
Enabling and Disabling Maintenance/Holiday Modes 129
Using Windows Task Scheduler to Schedule Maintenance/ Holiday Modes 130
Section 13: Installing the Good MSM PING Agent 137
Launching the Good MSM PING Agent on the Device 142
Appendix A: Tuning the Good MSM Environment 148
Tuning BES Group Thresholds 148
Delivery Time to Handheld Ignore 149
Delivery Time to Handheld Sensitivity 149
Percent Time to Handheld (Critical) 150
Hung Threads 150
Remaining Licenses 152
Message Pending Count (Server) 152
Minimum User Count 154
BES To Handheld Flows 154
Minimum Flows Per Hour 155
BES To Handheld Flow Buffer 155
SRP Error Duration 155
Minimum User Percentage with Rescan 157
Percent of Devices Getting CAS Responsiveness Error (Warning) 163
Good Dynamics Good Proxy Servers 173
Good Proxy Server Down Duration Buffer 173
Good Proxy Server Minimum App Requests 173
Samples of Consecutive Zero App Requests 173
Percent of App Servers Failed to Connect (Warning) 174
Percent of App Servers Failed to Connect (Critical) 174
Samples of Over-the-Threshold of Failed App Server Connections 174
Minimum Hourly App Server Connections 174
Good Dynamics Good Proxy Clusters 174
Good Proxy Server Down Duration Buffer 174
Good Dynamics Good Control Servers 175
Good Control Server Down Duration Buffer 175
Good Dynamics Applications 175
Samples of Consecutive Zero App Requests 175
Good Dynamics Minimum App Requests 176
Good Dynamics GEMS Servers 176
Good Enterprise Mobility Server (GEMS) Down Duration Buffer 176
EWS Notification Zero Activity Duration Buffer 177
EWS Notification Minimum Hourly Activity Volume 177
Presence Zero Activity Duration Buffer 177
Appendix B: Using Multiple Admin Services 179
Creating Multiple Admin Services 179
Appendix C: Good MSM Utilities 181
BT-DB-BR: Database Backup and Recovery Utility 181
Backing Up the Database 181
Scheduling Regular Backups 183
Database Recovery 184
Using the Tune.exe Utility 185
GetBTLogs Utility 186
Good MSM Overview
Good MSM is a robust mobile device monitoring system that monitors and reports on ActiveSync, Good, and BlackBerry Enterprise Server use across an enterprise. Good MSM can detect and alert administrators about impending outages, decreased performance, or slowdowns in e-mail systems, and provide cross-tier root cause.
The Configuration and Administration Guide provides system level procedures for deploying and managing Good MSM , including creating custom mobile user groups, setting Service Level Agreements, creating, modifying, and assigning notifications based on real-time monitoring of mobile devices, and configuring associated analyzers to correlate user-level experience to the underlying infrastructure components. This guide contains the following sections:
Good MSM Overview Mapping User Roles
Configuring the Initial Settings to Run Good MSM
Enabling Data Analysis by Deploying the Good MSM Infrastructure Managing Mobile Users
Custom Summary Groups
Managing Summary Group and User Level Notifications Performing Mobile User Component Tuning
Managing System Health Notifications SNMP Server Configurations
Setting BlackBerry Fix-It Configuration Settings Using Maintenance/Holiday Mode
Installing the Good MSM PING Agent
Appendix A: Tuning the Good MSM Environment Appendix B: Using Multiple Admin Services
Good MSM provides an Admin Console as the interface for performing System Administrator tasks. This chapter contains the following sections:
Logging into the Admin Console Logging Out of the Admin Console Admin Console Interface
Required Workflow
Action Step Description Installation
1 Run through the workflow for a single server or dual server installations.
Patch 2 Apply the latest patch from Good MSM . Launch the desktop Admin
Console
3 Open the Admin Console to configure role-based administration. Map user roles 4 Map user roles to Windows Security groups.
Open the Good MSM Web Console
5 Proceed through the workflow based on the modules your corporation has licensed.
Launching the Admin Console
To log into the Good MSM Admin Console:
1. Double-click the Good MSM Admin Console icon .
By default, the Admin Console should launch automatically without requiring AD credentials to gain access. However, if the console does require a login, use pa/admin credentials to log in to the Admin Console.
2. In the Good MSM Admin Console Login window, enter the information from the table below.
Field Description
User Name Administrator’s user name. The default user name is pa. Use this user name when
logging in for the first time.
Note: This user name can be changed to a unique identifier after the initial login.
Password Administrator’s password. The default password is admin. Use this password when
logging in for the first time.
Note: This password can be changed to a unique password after the initial log on.
Domain Name Specifies the location of the Good MSM schema that retains system data.
Note: This field only appears if you are logging into the Admin Console from a user or local machine that is not mapped to the Administrator role. See Chapter 4 for more details.
3. Click the OK button.
!
Note: If you log in and are not a membermachine or domain, a modified login window appears with a Domain Name drop-down list. You must then of the Administrator Group or an administrator on the localLogging Out of the Admin Console
1. Click Exit from the System menu
A Confirmation dialog box opens.
Admin Console Interface
The Admin Console interface conforms to standard Windows Graphical User Interface (GUI) conventions. The following figure shows the Admin Console and its components, which are described in the following sections.
Menu Bar
The Menu bar is located at the top of the Admin Console window. Each item in the menu bar has a pop-up menu associated with it through which System Administrators can perform tasks. The menu bar is composed of the following four menu items:
System Menu View Menu Tools Menu Help Menu
The following table describes the options in the System menu.
Option Description
Refresh Update Good MSM model from Information Database
Settings View the Environment Settings box.
Import Analyzer Import new Analyzers into Good MSM . From the submenu, select either From
Database or From File.
Exit Exit the Good MSM Admin Console.
View Menu
Option Description
Surveyor Show/hide the Surveyor panel.
Status Bar Show/hide the Status bar.
Main Toolbar Show/hide the Main toolbar.
Chart Toolbar Show/hide the Chart toolbar
Zoom Toolbar Show/hide the Zoom toolbar
Layout Toolbar Show/hide the Chart toolbar
Admin Toolbar Show/hide the Admin toolbar.
!
Note: If an option has a check mark to the left of it, it means the item is currently shown.Tools Menu
Use the Tools menu to access the User Control Panel and Notification Control Panel to manage Good MSM user notifications.
The following table describes the options in the Tools menu.
Option Description
Users... Opens the User Control Panel window that lists all users and contact information
used to notify them.
Note: If you are using Windows Authentication to manage users, this option will become unavailable.
Notification... Opens the email addresses window for assigning notification to model objects
Help Menu
Use the Help menu to access information about the Admin Console. .
Click on the About Good MSM Admin Console option to view the About Good MSM Admin Console window.
Toolbar
The Admin Console toolbar, located above the Surveyor Panel, contains shortcut buttons to frequently performed features through the Admin Console menu bar.
Shortcut Button Description
Update the Object Control Panel using the latest information in the Database. Show/hide the Object Control Panel
Expand the tree hierarchy of the Object Control Panel. Collapse the tree hierarchy of the Object Control Panel. Launch the User Control Panel.
Note: If you are using Windows Authentication, this icon will become permanently inactive, since users are managed through Windows. Launch the Map Role window.
Launch the E-mail Addresses window to view and configure a listing of notifications by message recipient.
Launch the Notifications window to view and configure Good MSM System Health notifications.
Launch the System Health HP Notification window to configure notifications to be sent to the HP Operations Manager (HPOM) using the Good MSM /HPOM connector which can be purchased separately.
Note: See Chapter 8 for more information on System Health notifications. Launch the System Health SNMP Notification window to view and configure a listing of SNMP System Health notifications.
Note: See Chapter 8 for more information on System Health notification
Object Control Panel
Using the Object Control Panel, the administrator can perform the following tasks:
Manage mobile users and components.
Deploy and configure analyzers on infrastructure components.
Status Bar
The Status bar, located at the bottom of the Admin Console window, displays the status of the current Admin Console session and its connection to the Good MSM Broker Server.
Mapping Good MSM User Roles
This chapter describes how to manage user access and roles using the Good MSM Admin Console.
Default Windows Authentication to Manage Users
By default, Windows Authentication is automatically enabled to manage users. Instead of manually adding and managing users within the Good MSM system, existing Windows users are mapped to a group as part of a normal workflow to give them access to the Good MSM system. Default Windows Authentication allows multiple approved users to have access to the Administrator role by adding them to an Administrators group (the Good MSM user management system only allows for one administrator user).Additionally, Windows Authentication will leverage your predefined security and password aging policies.
Configuring Role-Based Administration
To map Good MSM roles to Windows Security Groups:
2. In the Mapped Windows Security Group column, click on the Browse button.
3. Enter the name of a group in the field. These groups can be domain groups or local groups comprised of other groups. Click on the Check Names button to check the name of the group.
!
Note: For easier administration, Good MSM recommends using local groups.Add users to the appropriate mapped groups to give them access to Good MSM with the appropriate role.
4. Click OK.
The access privileges associated with each role are defined in the following table. Role Description
Administrator Allows access to all Good MSM consoles and features including the
Admin Console, Ops Console, Ops Dashboard, Help Desk Console, and Analysis Console. Can create users and assign roles to users. The local Administrators group on the Good MSM application server will always have access to this role.
BESOperations Allows access to the Ops Console, Ops Dashboard, Help Desk Console,
and Analysis Console.
AdvancedMessagingDesk Allows full access to the Help Desk Console including the Detail Information and History pages and additional user information (Analysis Console).
MessagingDesk Allows full access to the Help Desk Console including the Detail Information
and History pages.
AssetManager Allows access to the Asset Management reports.
Note: This role only becomes available if the Asset Management component is installed.
HelpDesk Allows access to the Help Desk Console User Diagnostic page.
MobileDeviceUsers Allows Admin users to sync Active Directory user accounts and associate
BES and Good users with AD user accounts.
5. Once you have mapped all roles to Windows groups, click OK.
The Admin Service is stopped and restarted
If you receive a message stating that the Admin services failed to restart, they should be manually restarted for Windows Authentication to take effect.
!
Note: Since Windows Authentication is applied by default, the Policy icon on the toolbar will now be permanently inactive, as user access will now be managed via Windows group membership. The UseWindows Authentication checkbox at the top of the Map Role window will also be inactive.
In the future, when a user logs into the Admin Console, the system will run two tests to decide whether the user should have access:
1. Is the user a member of the mapped Good MSM Admin group?
2. Is the user an administrator on the local machine? Or: Is the user a domain administrator?
If the user passes both of these tests, the Admin Console will open. If the user fails both tests, the following Login window opens.
Configuring the Initial Settings to Run Good
MSM
This section will lead you through the initial settings required to run Good MSM software for the first time. All other settings may be modified or set at a later date.
Though most settings reside within the Good MSM Settings page, some actions such as mapping user/ group roles and loading analyzers must be taken within the Admin Console desktop application. After successfully completing the installation process, configuring Good MSM settings is the next step.
Configuration Progress Meter
As you enable various settings and proceed through the setup, the configuration meter will track the progress in real-time and keep a running list of the settings left to configure. Any setting that has not been edited from the default settings will appear as “Settings Remaining to Complete” to provide the opportunity to completely customize your environment. Each individual panel will also contain a progress bar that indicates the
Panel Progress Bar
Each individual panel will also contain a progress bar that indicates the completion percentage for settings configured in that section. Partially completed sections or sections with incorrect data will not count towards your completion percentage.
Saving Settings
Settings may be modified after the initial configuration. Any updates made must be saved first and then
applied in order to implement the changes. If a setting has been applied, a check mark will appear in front of it. If an asterisk appears in front of the setting, then the setting has been saved. An exclamation indicates an error has been detected in the setting configurations.
Licensing
Upon the first visit to this console, licensing details will be expanded to show the licensed platforms and modules.
Settings Overview
Each tab under settings includes several subsections to be customized. In some instances, the default settings will be acceptable for your enterprise. However, it is important to check that all settings have been configured to best support the needs of your organization.
A progress bar or meter will be located in the right-hand corner of each section to demonstrate the percentage of that section that has been configured.
Global Settings Include
Device Management
Settings configured in this section will affect the types of compliance alerts received and ensure that you have the proper certifications to run Good MSM and connect to the required external resources.
Platform Configurations
In this section you will select servers and set paths to logs to include in monitoring based on the platforms licensed. Settings configured here will be displayed under the Operate Tab.
Service Desk and User Self-Service
Configure settings for the Service Desk and User Self-Service Portal on this page.
Enterprise Information
These are the settings for corporate branding, support contact information and other enterprise settings. Settings configured here will used by various components of Good MSM.
Advanced Settings
License Details
The configurations page will display a summative panel showing the enabled platforms from Good MSM. This panel will only be expanded on the first visit. In subsequent visits to this page, the panel will be contracted. Press edit to disable or enable platforms. In addition to providing an overview of licensing details, use this panel to enter key information provided by Good MSM to access new licensed modules. The licenses enabled in this panel may change the configurations available throughout the MSM Admin page.
License keys from earlier releases may not be reused. Good MSM will issue a new key for any upgrades or licensing changes.
If your licensing changes after installation, use the Change License Key button to update the Good MSM Settings page with the details of your new licensing.
Global Settings
There are three sections to configure within the Global Settings panel. These settings are required and should be configured prior to running Good MSM for the first time.
SMTP / Email Notifications
Active Directory Sync/ User Mapping Group Filters
SMTP / Email Notifications
Upon first login, the Email Notifications window will open. This is a one-time configuration required to issue Good MSM system health alerts and other status notifications based on settings configured on this page. Once a problem is detected, the Good MSM system will send an alert to the email address listed below. System health alerts will range by degree of severity and provide links to detailed system health data and recommendations for issue resolution. Use an email address that is recognized by your system to avoid having health alerts be redirected to a spam folder. To initiate system health notifications, complete the fields below.
1. Enter the SMTP Server host name and TCP Port. By default, Port 25 will be listed in the field below.
2. Choose an email address to receive system health notifications.
3. The system will generate notifications from the email address listed in this field.
Active Directory (AD) Syncing
What do we sync from Active Directory?
Good MSM syncs the AD users and groups required for managing devices and applying policies based on user groups.
This includes:
Recursive AD user objects mapped to the mobile users group.
Basic information for all AD group objects in the forest. The group objects information is required to
populate the group cache so that we can select groups to watch and assign policies.
Full recursive membership information for any group that has a policy assigned to it, or has been
selected as a ‘watch group’.
All Exchange AD objects in the forest to determine exchange server information or configuration. Full AD user information for any user found in the CAS logs.
Sync processes
There are 4 sync processes:
On-demand Sync - Good MSM discovers users on demand when the full sync has not been run Delta Sync – Runs every 5 minutes to detect changes for users, groups, and group filters Full Sync – Runs once a day to sync users, groups, Exchange servers and devices.
Optimized Sync- Expedites the syncing process by only allowing servers and selected user groups
to be included in the sync. In this mode, ActiveSync pairing information is only synchronized for members of the Mobile Device Users role.
Note: Changing the mobile device owner’s group will also initiate a full sync.
Configuration capabilities for the sync
Group filter configuration is the only configuration that is built into the product.
AD attributes included in the sync
a. User – name, domain, SID, GUID, distinguished name, canonical name, organizational unit, san account name, exchange server host name, display name, mail, first name, last name, linked account SID, linked account SAM account name, linked account domain, mail nick name, manager, physical office, principal name, title, company, department, street address, postal code, city, state, country, home phone, mobile phone, legacy exchange DN, when accessed,
User and Group Sync (Requires AD Syncing)
Before proceeding with User and Group sync, ensure that user and group designations have been mapped accordingly. Map user roles through the Admin Console. Immediately following the Good MSM installation, the Admin Console icon will appear on the desktop. Once the Admin icon is pressed, the console will open directly to the Map User Roles window. Create user and group roles before running the sync within the web console. Several licensed modules will require Active Directory (AD) syncing as part of system configuration.
Membership data is cached within Good MSM to view group data and manage group policies. Authorized mobile users from these groups will be synchronized with Good MSM.
While caching, User Sync options will appear as inactive. Once caching completes, the options will return to an active state.
If user roles and group designations need to be modified after the initial setup, return to the Admin Console to adjust the mappings.
User and Group Sync (Optional AD Syncing)
If Active Directory syncing is optional for your environment, caching will commence after the slider is moved to enable syncing.
User and Group assignments and designations should be made using the Admin Console on the application. server. Membership data is cached within Good MSM to view group data and manage group policies.
1. Move the slider from No to Yes.
What is Optimized Active Directory (AD) Sync Mode?
Optimized AD Sync expedites the syncing process by only syncing information that is pertinent for your environment, such as servers and selected user groups. Optimized sync is highly recommended for large deployments without Security Management. In larger deployments, the full sync may take a longer time to complete.
Infrastructure Elements Included in the Sync
Discovered Servers
User and Groups (The groups selected by the IT Admin will be included in the Optimized Sync). This
mode will automatically allow the group cache sync and the exchange server sync to be turned on and complete.
Infrastructure Elements not included in the Sync
Non-Good Work ActiveSync (AS) devices will not be synced with the system even if they are syncing
through CAS
Group details for non VIP Users on Service Desk AS actions are disabled on Service Desk
Reports will not have the data we typically pull from AD
Note: When running Optimized Sync Mode, some information will be limited or unavailable across various dashboards. Device reconciliation may be limited further resulting in incomplete pairings in Service Desk. Devices running Good Dynamics will display all information and remain searchable on Service Desk. This mode will not work for customers with Security Management.
Configuring AD Optimized Sync Mode
To configure AD Optimized Sync Mode, complete the steps below.
1. After Install has completed, open the Command Prompt
2. CD to <install_drive>\Boxtone\utilities\ ADSyncMode
3. Type EnableADOptimizedMode.bat
4. If you wish to enable VIP alerting, map the Mobile Device Users group to your VIP/Monitored users instead of mapping them to all mobile users.
VIP groups will not be included in the sync (and monitoring) unless this option is configured on the System Operations panel.
8. Press Edit
9. Turn VIP User AD Sync on (if disabled) and press Save.
VIP users should be mapped to the Mobile Device Users group instead of the Domain Users group. See Section 5: Creating Custom Groups to learn how to create/edit a VIP Group.
Group Filtering
Group Filtering allows mapped groups to be selected and then cached within Good MSM . The Mobile Device Users Role should have been set within the Admin Console. Group policies, profiles, and app sets can be applied to policy groups. Watch groups will be monitored for data analysis purposes throughout the various Good MSM dashboards. Limit the number of cached groups for usability and performance considerations.
Device Management Panel
There are eight sub-sections to configure within the Device Management panel. Settings available are contingent upon the modules you have licensed from Good MSM .
Security Management Hosts Device Identity Certificates
Apple Push Notification Service Certificate Android Security Management Servers SSL Certificates
Security Management Activation Email Compliance Threshold
Security Management Hosts
To configure Security Management, set up a host for the activation server and a host for the management server. Each host should be configured in the perimeter network if the DMZ setting is there and mapped to a local IP address. Local IP addresses may be selected from the drop-down menu onscreen. This will only be applicable if Security Management has been licensed from Good MSM .
Device Identity Certificates
Device Identity Certificates allow Good MSM to securely identify each device. When a device enrolls in security management, Good MSM uses a device identity certificate to be a unique identifier. The certificate captures device information, company name, and country information.
In most cases, the default entries for this field will be acceptable. However, to modify these entries, use the fields below.
3. Press Save to apply the changes.
Apple Push Notification Service (APNs) Certificate
iOS Device Management requires an APNs certificate to communicate with Apple’s Push Notification Service. This certificate is issued by Apple through the Push Certificates Portal using a Certificate Signing Request (CSR).
Android Security Management
To add a new Android Security Management server, press Add Server. Enter the Host, port, associated email, password and domain for this module.
Importing SSL Certificates
Select a certificate obtained from a trusted certificate authority to be used when a device accesses the activation server. Use the buttons to Import a PKCS #12 file or select Import Separate Files to individually upload the SSL certificate file, key file, and chain file.
Base Requirements for Importing SSLs
The certificate must be issued by a CA trusted by Apple. Click the embedded link onscreen to learn more about trusted CAs (http://support.apple.com/kb/HT5012).
Certificate and Security Management Naming Conventions
The DNS names for the device activation server hostname and device management server hostname depend on your conventions and IT policy for naming hosts. For instance, the device activation server hostname may be Good MSM -dom-enroll.asia.company.com, or similar. Likewise, the device management server hostname may be Good MSM -dom-mdm.asia.company.com. Whoever manages the DNS for the asia.company.
com or company.com domain can probably recommend what hostnames to use. Using a simple <prefix>. asia.company.com DNS name will allow you to use a wildcard SSL certificate for *.asia.company.com for
Passwords
Passwords will always be required for PKCS #12 files. For individual file imports, a password will only be required if an encyrpted key file is uploaded.
The PKCS#12 file must contain a key and the matching certificate. In some instances, it will also include the chain certificate file (a group of intermediate certificates). The chain certificate file is optional because the PKCS #12 typically includes the key and all relevant certificates. If your PKCS#12 file does not include the intermediate certificates, you may import them as a separate chain file using the designated field onscreen.
Security Management Activation Email
The Security Management activation email should serve as an introduction to Security Management services. This email should include instructions for enrollment, a brief description of what Security Management entails, required support contact information, and the URL to visit in order to enroll devices.
Test the URL to ensure the link is active before sending the email to users. Complete the form to provide instructions to users who wish to enroll in Good MSM Security Management.
Compliance Threshold
Compliance alerts provide information about devices that violate the established compliance rules at any point while the device is syncing with system resources.
If this threshold is exceeded, the Compliance Engine and automated compliance actions will be disabled and a system health alert will be triggered.
After adjusting the compliance percentage, press Save to accept the changes.
After arranging thresholds and settings on this screen, you will have access to customize the Compliance rules and corresponding actions to take against a device when it is in violation of the rules. Settings can be adjusted by navigating to the Configure Tab on the web console and pressing Device Configurations on the submenu. Various compliance charts will be available on the Configure Dashboard. Use this page to view real-time compliance data for all devices enrolled in Good MSM
.
DMZ Apache Configuration
If you have licensed the Mobile Device Management module, you must configure the MDM gateway server in the Demilitarized Zone (DMZ) portion of the network. The gateway server provides an additional layer of security by proxying management communication for any devices that are outside of the enterprise firewall (e.g cellular-connected devices).
The following configuration steps are necessary for the MDM gateway server.
installation folder
4. Restart the Apache services
Platform Configuration Panel
There are four sub-sections to configure within the Platform Configuration panel. Settings available are contingent upon the modules you have licensed from Good MSM .
BlackBerry Enterprise Server 5.x Configuration
BlackBerry Configuration Database BlackBerry Enterprise Servers Logs
Good for Enterprise (GFE) Configuration
Good Mobile Control Database (s) Good Mobile Control Web Services
Good Mobile Control Messaging Servers Logs
Good Dynamics Configuration
Good Control Database(s) Good Proxy Logs
Microsoft Exchange ActiveSync Configuration
BlackBerry Enterprise Server (BES) 5 Configuration
gray X. Monitoring for the users and servers in that domain cease once the domain is removed.
BlackBerry Configuration Database Settings
If the desired server does not appear, press Add database and manually enter the Database hostname, the database instance name, the named instance and the port number. Press Save to add a new BES domain to monitoring.
!
Note: If Windows Authentication has been selected, the fields pertaining to SQL Authentication will be not be available.BES Logs
Data captured from monitored logs is used to compile metrics for devices on the BES servers. Log files are monitored in real-time. Servers appearing below have been discovered from your BES Configuration Database. If the log share has not been configured for a particular server, it will not be included in the monitoring.
Additionally, users with devices provisioned to that server will not appear in searches or drill-down results. Ensure that paths to the logs are correct and press Save.
Good Mobile Control Databases
number.
By default, the SQL server database engine will be pre-populated to listen on port 1433. To accommodate dynamic port configurations, clear the pre-populated port number and leave the field blank. Complete the fields for Database Hostname, Name and Instance Name. This action will allow an available port to be dynamically assigned by SQL.
Good Mobile Control Web Services
Good MSM requires the access configurations for GMC Web Services in order to perform Fix-it Actions in Service Desk and User Self-Service. Servers should be auto-discovered from the Good Mobile Control Database. To enter host, port, or user credentials for web services, press the link under GMC Web Services Host.
Data captured from monitored logs is used to compile metrics for devices on the GMM servers. Log files are monitored in real-time. Device limits default to 1000, which is the recommended number per server. The bar graph next to default limit displays the current capacity percentage for each listed server.
Good Dynamics (GD) Server Configuration
Provide information on the GD servers included in Good MSM monitoring. Servers will be auto-discovered by Good MSM .Highlight a server from the list and press add server. If the desired server does not appear, press Add Server and manually enter the database, authentication, Database hostname, the database instance name, the named instance and the port number.
Good Enterprise Mobility Server (GEMS) Configuration
Provide information on the GEMS database host names/instances included in Good MSM monitoring. Servers will be auto-discovered by Good MSM. Highlight a server from the list and press add server. If the desired server does not appear, press Add database and manually enter the database, authentication, Database host name, the database instance name, the named instance and the port number.
In order to provide monitoring of the GEMS application server and detect errors in the notification workflow used to inform users that new messages are available when the Good Work app is in the background, or in a suspended state
Good Proxy Logs
Data captured from monitored logs is used to compile metrics for devices on the GD servers. Log files are monitored in real-time.
If the log share has not been configured for a particular server, it will not be included in the monitoring. Additionally, users with devices provisioned to that server will not appear in searches or drill down results.
Microsoft Exchange Client Access Server Configuration
Good MSM automatically discovers Exchange servers within your environment. If your company has licensed Incident Management, you will be required to use both of the fields below to include servers in monitoring. Configuring monitored CAS servers is a required action that must be completed prior to running Good MSM for the first time. W3SVC is required to monitor the CAS transaction logs. HTTP Error logs are required to provide real-time comprehensive error detection and alerting services. If Incident Management has not been licensed, the HTTPERR log field will not appear in this panel.
The following is required for Good MSM to read the CAS W3SVC and HTTPERR logs:
Microsoft Exchange CAS W3SVC and HTTPERR log folders must be shared (Exchange IIS logs) Good MSM service account requires read access to the log folder
Validate CAS W3SVC and HTTPERR logs are accessible from the Good MSM server Logging should be configured as follows:
o
Format: W3Co
Encoding: UTF-8o
Rollover schedule: Daily!
Note: Fields for HTTPERR Logs Share Path will only appear if Good MSM Incident Management is licensed.Press Save to enforce the settings.
Support Settings Panel
There are two sub-sections to configure within the Service Desk and User Self-Service panel. Settings available are contingent upon the modules you have licensed from Good MSM .
USS Server Configuration & Device Instruction Good Mobile Messaging Load Balancing
User Self-Service (USS) Server Configuration
USS is an online portal that allows users to complete a range of corrective actions on their devices without contacting the Service Desk or a Good MSM Administrator. From this window, establish the host name for USS web services.
Operations Settings
Use this panel to group ActiveSync servers within large deployments or to optimize viewing on the dashboard.
1. To group servers, download the configuration.
2. Next to each server, in the Group_Name column add the group the server belongs to.
3. After you have added all necessary servers and group names, upload the new configuration and close the panel.
Connection Source Monitoring Settings
In the Good MSM settings page, users will now have the option to disable Connection Source monitoring within their environments. It may be advantageous to disabling connection source monitoring in some environments to help minimize load processing on the system. This option is not recommended for Exchange 2013 deployments.
USS Device Instructions
When a user deactivates a corporate-owned device, they will need instructions and procedures for returning and fully decommissioning the device Deactivation instructions should apply to both corporate-owned/managed devices and users with personal devices (BYOD).
However, users with their own devices should only be required to deactivate the device to remove it from monitoring and access to corporate resources.
For other scenarios, Administrators can force devices into retirement and remove them from monitoring. Enter a subject and press save to continue.
GFE Load Balancing
As users are added to GFE, prioritized rules must be configured to determine where the devices will be provisioned.
Preferred Server
Allocate preferred servers for different AD groups and set the priority. Users with several group memberships will be assigned to the server attached to the first group they are listed in.
Preferred Rule
Add preferred rules for watch groups. Watch groups are monitored in dashboards, Service Desk and in available reports. Profiles, policies and app sets applied cannot be applied to Watch groups.
Global Default
If the servers listed above are unavailable, or if the users are not members of any of the groups above, the devices for those users will be provisioned on the server selected below.
Unused Servers
Servers in this category are not governed by any known rules or policies.
Enterprise Information Panel
There are three sub-sections to configure within the Enterprise Information panel. Settings available are contingent upon the modules you have licensed from Good MSM.
Custom Branding Support Contacts User Agreement
Custom Branding
Good MSM USS portal, application catalog and enrollment application can be customized to include your corporate brand colors and logos to create a look that is consistent with your brand identity.
Use the framework below to tailor the user interface on listed applications.
Support Contacts
Advanced Settings
Advanced Log Collection enables large companies to deploy multiple log collectors on remote servers for geographic distribution or to accommodate restricted access.
To create a new/remote instance
1. To add a local instance press the Add Log Collector Instance button
2. To add a remote instance press the Add Remote Log Collector Instance button.
3. Enter an instance name that will be easy for you to remember and recognize.
4. Local instances will also require the domain and user name, in addition to a password. Remote instances just require the name.
Configuring Remote Log Collectors
Use the instructions below to configure your remote log collectors.
!
Note: Remote logs collector must be created prior to configuring the logs.1. Add the remote log collector instances via the Advanced Settings Panel in the Good MSM Admin page.
2. Download the Configuration Template
3. Map the remote instances and provide the log paths
Once the template has been uploaded, the local instances will be configured and restarted
by MSM and they will start reading the configured logs
!
Note:may want to switch and distribute accordingly for performance benefits. You can also create local You can also switch local log collector ownership in this file, due to performance reasons you log collector instances to distribute the load4. For remote instances you need to download the binaries and configure them on the remote server.
5. Download the instances and copy them to remote machine (use the button next to the instance)
!
Note:then will you create log collectors settings that will be inherited.(May not be able to copy within the If you tune your RLCs before this, they will inherit the tuned settings. If you execute Tune.exeDMZ server)
6. Next you will need to create the Good MSM Log Collector service
7. Open the CMD prompt as an Administrator
8. Enter the Change Directory command for the remote log collector folder (sample command below) *<smpl-fldr-RLC is just a place holder for your actual remote log collector folder, enter your RLC folder name>*:
§ cd smpl-fldr-RLC \GoodMSM_Log_CASInstanceSMPL
9. Change directory to bin
§ \smpl-fldr-RLC \GoodMSM_Log_CASInstanceSMPL>cd bin
10. Enter the following command:
§ \smpl-fldr-RLC \GoodMSM_Log_CASInstanceSMPL> bin > install.bat
11. Open BoxTone BES log collector properties in Windows Services panel
12. Navigate to the Log On tab
These files can also be found under \\BoxTone\Utilities\RemoteLogCollectorBinaries folder
If you have RLCs and are applying the latest patch or service release to your system, the patch will place a patch file in zip format which should be extracted on the remote log collectors running on remote servers and they should be restarted.
Using the Template
Mapping Instances
1. Download the template
2. List all instances in the mapping
3. By default, all instances will be mapped to the default instance. Change the instances under the Log_ Collector_Instance column.
4. Save the template, and then upload it.
5. Once new instances have been added, they will now appear in the Log Collector instances Panel featured on the following page.
Removing Instances
1. Press the ‘X’ at the end of the line (in the panel) and this will remove this instance.
Press view all to see the full list of Log Collector Instances. Log Collector instances may not be edited from this panel. To edit or modify log collector instances return to the Advanced Log Collector Settings panel.
Press view all to see the full list of Log Collector Instances. Log Collector instances may not be edited from this panel. To edit or modify log collector instances return to the Advanced Log Collector Settings panel.
Maintenance Panel
To prevent workflow or performance issues due to expired certificates, use the Maintenance panel to replace or renew certificates before they expire. It will not appear in the settings page otherwise. Thirty days before your certificate expires, you will start receiving system health notifications at the email address listed in Global Settings. These notifications will increase in frequency as the expiry date approaches.
!
Note: Even though you may have initially configured your certificates in the Device Management panel, certificate renewals or replacements must be completed in the Maintenance panel.SSL Certificate: This certificate is used during enrollment. Upload a new certificate from the third-party vendor of your choice.
MDM Certificate: This is primarily used for Security Management/Mobile Device Management. It allows the devices to check in. If this certificate is allowed to expire, devices will no longer be managed.
Internal Certificate: Used by internal components on the MSM server. If this certificate is allowed to expire, GFE Fix-It actions will be unavailable in the Service Desk and User Self-Service consoles.
Renew SSL Certificate
Importing SSL Certificates
Select a certificate obtained from a trusted certificate authority to be used when a device accesses the activation server. Use the buttons to Import a PKCS #12 file or select Import Separate Files to individually
about trusted CAs (http://support.apple.com/kb/HT5012).
Select Replace to upload a new certificate. As long as the certification has not already expired, the system will always prompt you with this message before allowing you to upload a new SSL certificate.
After pressing replace, the following screen will appear. Select Import PKCS#12 file or Import Separate Files to continue the process.
Certificate and Security Management Naming Conventions
The DNS names for the device activation server hostname and device management server hostname depend on your conventions and IT policy for naming hosts. For instance, the device activation server hostname may be Good MSM -dom-enroll.asia.company.com, or similar. Likewise, the device management server hostname may be Good MSM -dom-mdm.asia.company.com. Whoever manages the DNS for the asia.company.
com or company.com domain can probably recommend what host names to use. Using a simple <prefix>. asia.company.com DNS name will allow you to use a wildcard SSL certificate for *.asia.company.com for mutiple installs. The common name (CN) and/or subject alternative name of the certificate must include
Passwords will always be required for PKCS #12 files. For individual file imports, a password will only be required if an encrypted key file is uploaded.
The PKCS#12 file must contain a key and the matching certificate. In some instances, it will also include the chain certificate file (a group of intermediate certificates). The chain certificate file is optional because the PKCS #12 typically includes the key and all relevant certificates. If your PKCS#12 file does not include the intermediate certificates, you may import them as a separate chain file using the designated field onscreen. In addition to .pfx and .p12 files, the following certificate file types are also accepted : .pem, .cer, .crt, der, and .key. The permitted files types are listed above each field. If an accepted file type is uploaded to the wrong field, the import will be unsuccessful.
Renew MDM Host Certificate
This certificate allows post-enrollment communication between devices and the MDM server. Should the expiry date on the certificate lapse, enrolled devices will no longer be under management.
Press Generate Certificate to create a new MDM Host Certificate.
Renew Internal Certificate
The Internal server certificate enables communication between different components on the Good MSM server. If this certificate is allowed to lapse, GFE Fix-it Actions in User Self-Service and Service Desk will be unavailable until this certificate is renewed.
If you are using a DMZ, Good MSM recommends updating your DMZ configuration after any of the certification renewals or replacements. To do so, select the Renew DMZ apache configuration files link.
Renew DMZ Apache Configuration
The following configuration steps are necessary for the MDM gateway server.
Use the Good MSM Settings Page to download the Apache configuration files (dmz-server.zip) and copy it to the MDM gateway server.
1. Unzip the DMZ-server.zip Apache file
2. Stop the Apache Service
3. Copy the conf. folder from the DMZ server .zip and replace the conf.folder in the existing Apache installation folder
Enabling Data Analysis by Deploying the
Good MSM Infrastructure
Complete the following steps to load the Mobile User analyzers in the Good MSM infrastructure and enable components to monitor. Loading the analyzers is required to start the analysis process for mobile users and components. After the analyzers are successfully loaded, Good MSM collects information about each mobile user in the environment and performs analyses to identify potential abnormalities with their mobile service.
Using the Object Control Panel, the administrator can perform the following tasks:
Manage mobile users and components.
Deploy and configure analyzers on infrastructure components.
Status Bar
The Status bar, located at the bottom of the Admin Console window, displays the status of the current Admin Console session and its connection to the Good MSM Broker Server.
3. In the Object Panel, right-click the object to be deployed.
4. Click Deploy Infrastructure.
!
Note: Good MSM does not recommend loading all carrier analyzers in large environments, as this willinclude roaming carriers. To optimize the load on the Good MSM System, Good MSM recommends only loading carrier analyzers for the top 10 - 15 carriers in your environment. Good MSM does not
The Analyzer Control View window for the component opens and displays all analyzers.
The following table describes each of the buttons in the Control View window. Component Description
Adjust Variables Adjust the variables for the selected analyzer(s).
Note: This is not used for most analyzers and will be grayed out by default.
Set Sample Rates Set the sample rates for the selected analyzer(s). Good MSM does not recommend updating this value.
Refresh all status Refresh the status of all analyzers in the Analyzer Control View window.
Load All Load all analyzers displayed in the Analyzer Control View window. This deploys all analyzers that monitor mobile users.
Unload All Unload all analyzers displayed in the Analyzer Control View window.
Loading Analyzers
that monitor mobile users.
To load a single analyzer, right-click the row containing the UID of the analyzer and select Load from
the right-click menu.
The status changes from Loading to Loaded when completed.
Unloading Analyzers
Perform one of the following tasks to unload the analyzers:
To unload all analyzers, click the Unload All button.
To unload a single analyzer, right-click the row containing the UID of the analyzer and select Unload
from the right-click context menu. Multiple analyzers can be selected by pressing the <Ctrl> key and left-clicking.
Custom Summary Groups
This chapter describes how to manage summary group users in the Good MSM system. Custom Summary Groups gather mobile users with similar profiles for monitoring purposes into a single object, such as your organization’s “VIP” level executives. A Custom Summary Group can also represent a single mobile user who requires special attention, such as a corporate officer or a member of the Executive Management team. The following tasks are used to manage mobile users through the Mobile Users object in the Object Control Panel.
Creating and Modifying Custom Summary Groups Changing Maximum Users Displayed Per Page Tuning Custom Summary Group and User Thresholds
The Mobile Users object displays under the Enterprise object in the Object Control Panel tree and represents the mobile users in the e-mail network.
Syncing AD Groups
Creating BB Custom Summary Groups
Custom Summary Groups display under the Mobile Users object as shown below.
If you have the Good MSM Asset Management module and enabled the active directory group sync during the installation, Good MSM will automatically create summary groups for you synchronized AD groups.
Creating Custom Summary Groups
To create a Custom Summary Group:
1. In the Object Control Panel, right-click Mobile Users.
2. Point to Add New Object to Mobile users on the right-click menu.
The Create Group window opens.
The following table describes the components of the Create Group window.
Button Description
Edit Menu Edit group properties
Group Name Field Edit group properties to specify the number of users to display in the Users List.
Users List Lists the existing mobile users.
Group Members List Lists the members you add to the new summary group.
Select All Button Selects all user names in a list.
>> Adds users to the Group Members list from the Users list.
<< Removes users from the Group Members list to the Users list.
4. Type a name for the user group in the Group Name field.
5. From the Users List, press the <CTRL> key and select the user names to add to the user group. Once selected, the user names are highlighted in the Users List.
6. Click the Add button.
The selected users are displayed in the Group Members List
7. Click OK to save the Group.
8. Expand the Mobile Users object to view the newly added Custom Summary Group. The newly added Customer Summary Group displays under the Mobile Users object.
!
Note: After a Custom Summary Group is created, the analyzers for the group must be loaded by right-clicking the group and selecting Deploy Infrastructure. See ““Loading Analyzers” for information on howAdding Users to Custom Summary Groups
To add a user to an existing Custom Summary Group:
1. In the Object Control Panel, expand the Mobile Users object to display all users.
2. Right-click on the Custom Summary Group to which you want to add a user.
3. Select Edit Properties and users for…from the right-click menu.
!
Note: When adding users to custom summary groups that were created with AD group sync, these users will remain in the group when the group sync next occurs. Users that are removed will be added back thenext time group sync occurs.
The Edit Group dialog box opens.
4. In the Edit Group dialog box, enter the name or letters in the name in the Name Search field.
5. Click Search.
The Users List is populated with users that match the search criteria .
6. In the Users list, select a user to add to the Group or press the <Ctrl> key and select multiple users to add to the Custom Summary Group.
7. Click the Add button
The users selected appear in the Group Members list.
8. Click OK to save the selected users to the Custom Summary Group.
Changing Maximum Users Displayed Per Page
The number of users that display on a page can be adjusted at any time while creating a new user group, or editing an existing user group.
To adjust the maximum number of users displayed per page:
1. Click on the Edit menu and select Properties
2. In the User Group Properties dialog box, type the maximum number of users to display per page.
3. Click OK. The maximum number of users that display on a page is adjusted.
Tuning Custom Summary Group and User Thresholds
You can tune the thresholds of Custom Summary Groups and individual users.
By default, the thresholds for a user are defined in the default group thresholds set under the All Users group. Any changes made to the All Users group thresholds will affect the user unless the user is added to a Custom Summary Group and the group thresholds are adjusted. At this point, any changes to the All Users group thresholds will no longer affect the user.
!
Note: See Appendix A: Tuning the Good MSM Environment for more information on specific thresholds.To adjust Custom Summary Group thresholds:
1. In the Object Panel, right-click the Custom Summary Group object for which you want to adjust thresholds.
!
Note: To view a description of any of the threshold variables, click on the column name. A descriptiondisplays in the lower section of the Configure Users dialog.
3. In the Value column, click the threshold to change. The thresholds are color-coded.
4. Enter the new value. See Appendix A: Tuning the Good MSM Environment for more information on specific thresholds and scenarios.
Managing Summary Group and User Level
Notifications
This chapter describes how to assign and manage Summary Group and User Level notifications. There are three types of notifications in the Good MSM system, described in the following table.
Types of Good MSM notifications.
Notification Type Description
Summary Group Summary group notifications are sent for objects discovered in Good MSM . There are three default summary groups: BES Summary Group, Carrier Summary Group, and Mail Server Summary Group. Alerts are sent when the state of the summary group degrades based upon the average state of users within the group or specific error events are detected.
User Level These are notifications that are sent for individual users. Good MSM will only send individual notification for users that are members of a Custom Summary Group (see "Creating and Modifying Custom Summary Groups" for more information).
System Health These refer to problems or changes with the Good MSM system itself. When a monitored event is detected, Good MSM sends a system health notification to subscribed users to alert them to the issue. For more information on System Health notifications.
Assigning Summary Group and User Level Notifications
Summary Group and User Level notifications can be configured using the Good MSM Admin Console and sent via three protocols:
Email notifications SNMP Trap Notifications
individual e-mail addresses. You can also assign these notifications to a Custom Summary Group.
Assigning E-mail Notifications
To assign an e-mail notification:
1. From the Object Control Panel, right-click on the object for which you want to add a notification.
!
Note: Groups, Domino Groups, or Exchange Groups. To subscribe to notifications for more than one object at a Objects that you can add notifications for include Custom Summary Groups, BES Groups, Carriertime, select multiple objects by pressing the <Shift> or <Ctrl> keys and left-clicking with your mouse.
2. Click Add Notification
