Version 8.2.0.1.1072
marks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.
Legal Information
© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.
System Requirements/Prerequisites 4
Server Hardware Requirements 4
File System Configuration 4
Core System Requirements 5
Good Dynamics Requirements 9
Monitored Exchange Requirements 10
Exchange Management Tools 11
Good Mobile Messaging Prerequisites 12
BlackBerry Enterprise Server Requirements 13
BES One-Click Fix-It Requirements (Optional) 14
GFE and BlackBerry User Self-Service (USS) 14
Good MSM Security Management Module 15
System Requirements/Prerequisites
This section outlines the minimum requirements and lists the other provisions necessary to complete your Good MSM installation. Good strongly recommends reviewing the requirements before proceeding with the installation. The following prerequisites are recommendations for building your Good MSM servers. Noncompliance with the system requirements can result in degraded system performance or an unsuccessful installation.
Note: Though BoxTone is now officially Good Mobile Service Manager, some of the content in this guide still references BoxTone to remain consistent with system file, server, account, and directory names.
Server Hardware Requirements
Below are the minimum hardware requirements to operate Good MSM in your environment. Use the table to determine the proper hardware configuration for your enterprise.
File System Configuration
The recommended file system configuration optimizes Good MSM system performance. RAID 10 or SAN storage is recommended for database storage and redo logs. Deployments with more than 5,000 devices are required to use a dual-server configuration. For large deployments exceeding 20,000 devices, call Good MSM Client Services for assistance with your installation.
The file system configurations shown below are recommendations. "XX" stands for the drive letter(s) you assign.

Monitored devices: 1-2,000
  Server: App/Database (single server); 8 CPU cores @ 2.66 GHz; 8 GB RAM
  Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 30 GB; XX: Good MSM DB 200 GB

Monitored devices: 2,000-5,000
  Server: App/Database (single server); 8 CPU cores @ 2.66 GHz; 16 GB RAM
  Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 30 GB; XX: Good MSM DB 200 GB
Installation Guide 5
Monitored devices: 5,000-15,000 (dual server)
  Database server: 8 CPU cores @ 2.66 GHz; 16 GB RAM
    Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 20 GB; XX: Good MSM DB Storage 300 GB; XX: Redo logs 10 GB
  App server: 8 CPU cores @ 2.66 GHz; 16 GB RAM
    Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 50 GB

Monitored devices: 15,000-20,000 (dual server)
  Database server: 8 CPU cores @ 2.66 GHz; 32 GB RAM
    Recommended file system: XX: Windows OS 40 GB; XX: DB App 20 GB; XX: DB Storage 500 GB; XX: Redo logs 10 GB
  App server: 8 CPU cores @ 2.66 GHz; 32 GB RAM
    Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 50 GB

Monitored devices: 20,000+
  Please consult your Good Sales Engineer or TAM.

Optional Remote Log Collector
  4 CPU cores @ 2.66 GHz; 4 GB RAM
  Recommended file system: XX: Windows OS 40 GB; XX: Good MSM App 20 GB

Core System Requirements
See Section 3: Run the Prerequisite Check Utility to Verify System Requirements.

Prerequisite: Operating System
Requirement: Good MSM supports the following operating systems (English version):
  Windows Server 2008 R2
  Windows Server 2012 R2 Standard
Note: The most recent service pack should be installed on the server.
Note: There is an issue that causes IP addresses on a single network adapter to be registered improperly within DNS. Apply the following Microsoft hotfix:
  Windows 2008 SP2: http://support.microsoft.com/kb/975808
  Windows 2008 R2: http://support.microsoft.com/kb/2386184

Prerequisite: Region/Location Settings
Requirement: The Region and Location Format (Control Panel -> Region and Language -> Formats) must be set to "United States".

Prerequisite: Anti-Virus Scanning
Requirement: Must be disabled during the installation. During operation, all Good MSM application and database directories must be excluded from scanning.
Server Service Ports
The following TCP ports are used by Good MSM services. Listen ports are bound by Good MSM on the App or Repository server; outbound ports must be reachable from the App server.

TCP listen ports
  App - Broker Service: 28080, 4445, 4446
  App - Action Gateway: 25050 (remotely accessible. Note: In a dual-server deployment, the Good MSM repository server must be able to connect to the Good MSM application server on this port.)
  App - Log Collector: 32001
  App - HTTP Load Balancing Service: 4925
  App - Collector Server: 5354
  App - Admin Services: 19190, 19290
  App - WMI Gateway Service: 8825
  App - Console: 80, 443 (remotely accessible and local)
  Repository - Oracle Repository: 1521, 5500, 2484, 7777 (remotely accessible and local)

TCP outbound ports
  App - Integrator: 80, 389, 443, 636 (HTTP/HTTPS and LDAP/LDAPS)
  App - Broker (BES/GFE/GD User Sync): 1433 (SQL Server)
  App - BBUAT: 1433 (SQL Server)
  App - GFE Web Services: 19005
  App - Log Collector: 135-139, 445 (SMB access to the shared log directories)
  App - WMI Gateway: 135 (RPC endpoint mapper; WMI/DCOM also uses a dynamic high-port range on the monitored host, which any host firewall in between must allow)
  App - SCOM Connector (optional, BES only): 5724
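The following PowerShell script is an added example and is not part of Good MSM or its Prerequisite Check Utility. It checks the two things the port table implies for the application server: that nothing else is already bound to the Good MSM listen ports (IIS on 80/443 is the usual conflict), and that the outbound ports are reachable on the hosts Good MSM must talk to. The target host names and the dual-server repository entry are placeholders to replace with your own servers.

```powershell
# Added example, not part of Good MSM or its Prerequisite Check Utility.
# Run in an elevated PowerShell session on the Good MSM application server.
# Needs PowerShell 3.0 or later (Windows Server 2012 R2) for Get-NetTCPConnection
# and Test-NetConnection. All host names below are placeholders.

# Listen ports from the Server Service Ports table. Anything already bound on one
# of these (IIS on 80/443 is the usual offender) conflicts with a Good MSM service.
$listenPorts = @{
    'Broker Service'              = @(28080, 4445, 4446)
    'Action Gateway'              = @(25050)
    'Log Collector'               = @(32001)
    'HTTP Load Balancing Service' = @(4925)
    'Collector Server'            = @(5354)
    'Admin Services'              = @(19190, 19290)
    'WMI Gateway Service'         = @(8825)
    'Console'                     = @(80, 443)
}

# Outbound ports from the same table. Targets are assumed host names; substitute yours.
$outbound = @(
    @{ Service = 'Integrator (LDAP/LDAPS)';           Target = 'dc01.corp.example';    Ports = @(389, 636) }
    @{ Service = 'Broker user sync (SQL Server)';     Target = 'sql01.corp.example';   Ports = @(1433) }
    @{ Service = 'GFE Web Services';                  Target = 'gmc01.corp.example';   Ports = @(19005) }
    @{ Service = 'Log Collector (SMB log share)';     Target = 'cas01.corp.example';   Ports = @(445) }
    @{ Service = 'WMI Gateway (RPC endpoint mapper)'; Target = 'cas01.corp.example';   Ports = @(135) }
    @{ Service = 'Oracle repository (dual-server)';   Target = 'msmdb01.corp.example'; Ports = @(1521) }
)

function Test-MsmListenPorts {
    foreach ($svc in $listenPorts.Keys) {
        foreach ($port in $listenPorts[$svc]) {
            # Returns nothing (not an error) when no socket is listening on the port.
            $bound = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
            $owner = if ($bound) { (Get-Process -Id $bound[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName }
            New-Object PSObject -Property @{
                Service = $svc; Port = $port; Free = ($bound.Count -eq 0); InUseBy = $owner
            }
        }
    }
}

function Test-MsmOutboundPorts {
    foreach ($t in $outbound) {
        foreach ($port in $t.Ports) {
            # -InformationLevel Quiet reduces the result to $true/$false for the TCP handshake.
            $ok = Test-NetConnection -ComputerName $t.Target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            New-Object PSObject -Property @{ Service = $t.Service; Target = $t.Target; Port = $port; Reachable = $ok }
        }
    }
}

Test-MsmListenPorts   | Sort-Object Port | Format-Table Service, Port, Free, InUseBy -AutoSize
Test-MsmOutboundPorts | Format-Table Service, Target, Port, Reachable -AutoSize
```

A "Free = False" row with IIS's w3wp or the System process as InUseBy means the Web Server role is present and must be removed before installation. In a dual-server deployment, run the outbound check on the repository server as well, with the application server's port 25050 as the target.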
Prerequisite: File System Backups
Requirement: Backup agents must be disabled for all Good MSM application and database directories. The Good MSM Backup Utility is installed during the Good MSM implementation for environment backup.

Prerequisite: Internet Information Services (IIS)
Requirement: IIS must NOT be installed or enabled on the Good MSM server. The server must not have the 'Web Server' role enabled, to avoid port conflicts (80/443) with the Good MSM consoles.

Prerequisite: Microsoft PowerShell
Requirement: Microsoft PowerShell v2 or greater.

Prerequisite: Disk Contention
Requirement: Good recommends that each logical drive (C:, D:, E:, etc.) be on a separate physical array to maximize disk I/O performance and minimize contention among BoxTone services.

Prerequisite: Temp Directory
Requirement: At least 20 GB of free space must be available on the drive holding the temp directory (typically C:) prior to installation of Good MSM.

Prerequisite: Data Retention Policy
Requirement: The file system requirements listed above assume the default Good MSM data retention settings. Additional space may be required if the data retention policies are changed.

Prerequisite: Service Account
Requirement: A service account (BTAdmin) is required to run the Good MSM services. It must be:
  o a Domain User
  o a Local Administrator on the Good MSM server
  o granted the following privileges in the Local Security Policy:
    o 'Log on as a service'
    o 'Log on as a batch job'
    o 'Log on locally'

Prerequisite: IPv6
Requirement: IPv6 support must be disabled on the Good MSM server.

Prerequisite: Static IP Address
Requirement: The core Good MSM installation requires a static IP address. Additional IP addresses may be required if additional modules are enabled (see the requirements sections for the modules being installed).

Prerequisite: .NET Framework
Requirement: .NET Framework 2.0 or greater with the latest published service pack.

Prerequisite: Virtualization
Requirement: When running Good MSM on a VM, it is recommended that 75% of the RAM required for your implementation (see the Server Hardware Requirements table above) be reserved/dedicated on the host.

Prerequisite: Adobe Flash
Requirement: Adobe Flash v10 or greater is required to access Good MSM's web consoles. It may be necessary to manually enable the Flash plugin on the newest Firefox releases.

Prerequisite: Web Browser
Requirement: The following web browsers are certified in Good MSM 8.2:
  Internet Explorer 9 and 11.x
  Chrome (latest version)
  Firefox (latest version)

Prerequisite: Mobile Device Users Group
Requirement: An AD group should exist that contains all users who have a mobile device associated with your environment. This group will be mapped to the MobileDeviceUsers role in Good MSM. If this AD group does not exist in your environment, create it before proceeding to installation. The MDU group should only be mapped to all mobile users in deployments with Security Management. If AD Optimal Sync Mode is enabled, the MDU must be mapped to monitored/VIP users.
If Full AD Sync is enabled (required for Security Management/MDM), a security group (in Active Directory or a local Windows group on the MSM App Server) must be created. This group must include all users that have or will have a monitored mobile device. If Optimal AD Sync is enabled, then an Active Directory or local Windows group must be created that includes all users for which VIP monitoring is desired.
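The following PowerShell script is an added example, not Good MSM's own Prerequisite Check Utility. It checks the core server prerequisites listed above that can be verified from the server itself: operating system, region format, absence of the IIS role, PowerShell and .NET versions, free space on the temp drive, static addressing, IPv6 disabled, and the service account's local Administrators membership and logon rights. The service account name is an assumption; the IPv6 check assumes Microsoft's documented DisabledComponents registry switch.

```powershell
# Added example, not part of Good MSM or its Prerequisite Check Utility.
# Run in an elevated PowerShell 3.0+ session on the server that will host Good MSM.
# The service account name is a placeholder.

$serviceAccount = 'CORP\BTAdmin'   # assumed; the BTAdmin service account in your domain
$tempMinGB      = 20

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }))
}

# Operating system: English Windows Server 2008 R2 or 2012 R2
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Operating system' ($os.Caption -match '2008 R2|2012 R2') $os.Caption

# Region format (Control Panel -> Region and Language -> Formats) must be United States
$culture = (Get-Culture).Name
Add-Check 'Region format is en-US' ($culture -eq 'en-US') $culture

# IIS / Web Server role must not be installed (port conflict with the consoles on 80/443)
Import-Module ServerManager -ErrorAction SilentlyContinue
$web = Get-WindowsFeature Web-Server
Add-Check 'IIS Web-Server role absent' (-not $web.Installed) "Installed=$($web.Installed)"

# PowerShell v2 or greater
Add-Check 'PowerShell >= 2.0' ($PSVersionTable.PSVersion.Major -ge 2) $PSVersionTable.PSVersion.ToString()

# .NET Framework 2.0 or greater: any NDP registry key from v2 upward
$ndp = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -ErrorAction SilentlyContinue |
       Where-Object { $_.PSChildName -match '^v[2-9]' }
Add-Check '.NET Framework >= 2.0' ([bool]$ndp) (($ndp | ForEach-Object { $_.PSChildName }) -join ', ')

# At least 20 GB free on the drive holding the temp directory
$tempDrive = Split-Path -Qualifier $env:TEMP                        # e.g. "C:"
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$tempDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
Add-Check "TEMP drive free space >= $tempMinGB GB" ($freeGB -ge $tempMinGB) "$tempDrive $freeGB GB free"

# Static IP: no IP-enabled adapter may be on DHCP
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true')
$dhcp = @($nics | Where-Object { $_.DHCPEnabled })
Add-Check 'Static IP (no DHCP adapters)' ($dhcp.Count -eq 0) (($nics | ForEach-Object { "$($_.Description): $($_.IPAddress -join '/')" }) -join '; ')

# IPv6 disabled. Microsoft's documented switch is DisabledComponents = 0xFF under Tcpip6\Parameters.
$v6 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name DisabledComponents -ErrorAction SilentlyContinue
$v6Off = [bool]$v6 -and (($v6.DisabledComponents -band 0xFF) -eq 0xFF)
Add-Check 'IPv6 disabled (DisabledComponents=0xFF)' $v6Off $(if ($v6) { 'DisabledComponents=0x{0:X}' -f $v6.DisabledComponents } else { 'DisabledComponents not set' })

# Service account must be a local Administrator. The WinNT ADSI provider also works on 2008 R2.
$domain, $user = $serviceAccount -split '\\', 2
$admins = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
Add-Check "$serviceAccount in local Administrators" ($members -contains "WinNT://$domain/$user") ($members -join ', ')

# User rights: secedit exports DIRECT grants only (as *SID or as a name). A right held only
# through a group such as Administrators is not detected here and needs a group lookup.
try { $sid = (New-Object System.Security.Principal.NTAccount($domain, $user)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
catch { $sid = $null }
$inf = Join-Path $env:TEMP 'msm-user-rights.inf'
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$infText = Get-Content $inf
$rights = @{ SeServiceLogonRight = 'Log on as a service'; SeBatchLogonRight = 'Log on as a batch job'; SeInteractiveLogonRight = 'Log on locally' }
foreach ($r in $rights.Keys) {
    $line = ($infText | Where-Object { $_ -like "$r =*" }) -join ' '
    $granted = ($sid -and $line.Contains("*$sid")) -or $line.ToLower().Contains($serviceAccount.ToLower())
    Add-Check $rights[$r] ([bool]$granted) $(if ($line) { $line } else { "$r is not granted to anyone" })
}
Remove-Item $inf -ErrorAction SilentlyContinue

$results | Format-Table Check, Pass, Detail -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { Write-Warning 'One or more Good MSM prerequisites are not met.' }
```

The user-rights check deliberately looks for a direct grant to the service account rather than relying on Administrators membership, because "Log on as a service" and "Log on as a batch job" are not granted to Administrators by default and are the two that most often break the Good MSM services at first start.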
Good Dynamics Requirements
Please review the monitored GD Prerequisites to ensure you have assigned the proper roles and permissions and obtained the certified software versions for all associated GD requirements.
Prerequisite: Good Control (GC) SQL Database Access
Requirement: Good MSM requires read access to the Good Control database (GC). This requirement can be met via one of the following:
  o Windows Integrated Authentication: the Service Account must be granted the db_datareader role within the database.
  o SQL Authentication: provide a SQL account that has the db_datareader role within the database.
Identify the port (default 1433) and instance that the GC SQL database is bound to. Ensure the database has remote IP access enabled.

Prerequisite: Good Proxy (GP) Service Monitoring
Requirement: The Service Account must be a member of the Administrators group on each monitored GP and GC to monitor service status via WMI.
* Monitoring via WMI is optional.

Prerequisite: GP Log Monitoring
Requirement: The following are required for Good MSM to monitor Good Dynamics application information via log files:
  The log folder must be shared on the Good Proxy Server (\GPSLogs).
  The Service Account requires read access to the shared log directory.

Prerequisite: GP App Name Discovery (Optional)
Requirement: In order to discover the common names of Good Dynamics applications, it is necessary to connect to the Good Dynamics NOC. This connection is made on port 443 to the following host: gdmdc.good.com. This connection must be unproxied.

Prerequisite: Good Dynamics Software Version
Requirement: The following Good Dynamics software versions are supported in Good MSM 8.2:
  Good Control: 2.0+ (certified), 1.10+, 1.9+
  Good Proxy: 2.0+ (certified), 1.10+
Prerequisite: GEMS EWS Database Access
Requirement: Good MSM requires read access to the GEMS EWS database (EWS). This requirement can be met via one of the following:
  o Windows Integrated Authentication: the Service Account must be granted the db_datareader role within the database.
  o SQL Authentication: provide a SQL account that has the db_datareader role within the database.
Identify the port (default 1433) and instance that the GEMS EWS database is bound to. Ensure the database has remote IP access enabled.

Prerequisite: GEMS Service Monitoring
Requirement: The Service Account must be a member of the Administrators group on each monitored GEMS server to monitor service status via WMI.
* Monitoring via WMI is optional.

Prerequisite: GEMS Log Monitoring
Requirement: The following are required for Good MSM to monitor GEMS information via log files:
  The GEMS log folder must be shared. It typically appears in one of the following locations:
    GEMS 1.4 and below: \Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-karaf-1.X.X\data\log
    GEMS 1.5: \Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-1.5.XX\data\log
  The Service Account requires read access to the shared log directory.

Prerequisite: Good Enterprise Mobility Server Version
Requirement: The following GEMS versions are supported in Good MSM 8.2: 1.5+ (certified), 1.4+, 1.3+
Exchange Requirements
Please review the Exchange Requirements to ensure you have allowed access to logs and assigned the proper ports, roles, and permissions as required.
Prerequisite: Service Monitoring
Requirement: For Exchange 2007 and Exchange 2010, the Service Account must be a member of the local Administrators group on each server with the Client Access role to monitor service availability via WMI. For Exchange 2013, the Service Account must be a member of the local Administrators group on each server with the Mailbox role to monitor service availability via WMI.
* Monitoring via WMI is optional.

Prerequisite: Exchange Version
Requirement: Good MSM supports Exchange 2007, 2010 and 2013 with the latest service pack installed.

Prerequisite: Log Monitoring
Requirement: The following is required for Good MSM to read the IIS transaction (W3SVC) and HTTPERR logs:
  The Microsoft Exchange CAS, Mailbox (Exchange 2013 only) and HTTPERR log folders must be shared (default locations listed below):
    a. HTTPERR: C:\Windows\System32\LogFiles\HTTPERR
    b. CAS: C:\inetpub\logs\LogFiles\W3SVC1
    c. Mailbox (Exchange 2013 only): C:\inetpub\logs\LogFiles\W3SVC2
  The Service Account requires read access to the log folders.
  Validate that the logs are accessible from the Good MSM server.
  IIS logging should be configured as follows:
    o Format: W3C
    o Encoding: UTF-8
    o Rollover schedule: Daily

Prerequisite: BoxTone Service Account
Requirement: The BoxTone Service Account must have the following roles to collect ActiveSync connected device information from the Exchange environment:
  o Exchange 2007: View-Only Exchange Administrator role
  o Exchange 2010: View-Only Organization Management role
  o Exchange 2013: View-Only Organization Management role
The PowerShell RemoteSigned execution policy must be in place. To check, run the following in PowerShell:
  1. Get-ExecutionPolicy
  2. If RemoteSigned is not returned, run the following command to set the policy to RemoteSigned: Set-ExecutionPolicy RemoteSigned
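The following PowerShell script is an added example and is not Good MSM's log collector. It shows what the W3C format requirement above is for: it parses IIS W3C log lines from a CAS (W3SVC1) or Exchange 2013 Mailbox (W3SVC2) share and summarizes the ActiveSync devices seen per user, which is the connected-device information the Service Account's read access to the shared log folders is meant to provide. The log lines are constructed for the example; the share name in the comment is assumed.

```powershell
# Added example, not Good MSM code. Parses IIS W3C logs (the format the guide
# requires) and summarizes ActiveSync devices per user. The lines below are
# constructed; in practice read them from the shared log folder, for example
#   Get-Content '\\cas01\W3SVC1$\u_ex150601.log'      (share name assumed)

$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-06-01 00:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF&DeviceType=iPhone&Cmd=Ping 443 CORP\jdoe 203.0.113.10 Apple-iPhone6C2/1208.143 200 0 0 1203
2015-06-01 00:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF&DeviceType=iPhone&Cmd=Sync 443 CORP\jdoe 203.0.113.10 Apple-iPhone6C2/1208.143 200 0 0 340
2015-06-01 00:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=9F8E7D6C&DeviceType=SAMSUNGSMG900V&Cmd=FolderSync 443 CORP\asmith 198.51.100.7 Android/4.4.2-EAS-1.3 200 0 0 88
2015-06-01 00:00:04 10.0.0.5 GET /owa/ - 443 CORP\bjones 192.0.2.9 Mozilla/5.0 200 0 0 15
2015-06-01 00:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF&DeviceType=iPhone&Cmd=Sync 443 - 203.0.113.10 Apple-iPhone6C2/1208.143 401 1 2148074254 5
'@ -split "`r?`n"

function ConvertFrom-W3CLog {
    # Turns W3C lines into objects whose property names come from the #Fields directive.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw 'Data line before a #Fields header: the log is not in W3C format.' }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or partially written line
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $entry
    }
}

function Get-ActiveSyncDevices {
    param([string[]]$Lines)
    $entries = ConvertFrom-W3CLog -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -like '*/Microsoft-Server-ActiveSync*' }
    $rows = foreach ($e in $entries) {
        # The query string carries User, DeviceId, DeviceType and Cmd.
        $q = @{}
        foreach ($pair in ($e.'cs-uri-query' -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = [uri]::UnescapeDataString($kv[1]) }
        }
        # A 401 issued before authentication logs cs-username as "-"; fall back to the User= parameter.
        $user = if ($e.'cs-username' -and $e.'cs-username' -ne '-') { $e.'cs-username' } else { $q['User'] }
        New-Object PSObject -Property @{
            User = $user; DeviceId = $q['DeviceId']; DeviceType = $q['DeviceType']; Cmd = $q['Cmd']
            Status = [int]$e.'sc-status'; Timestamp = "$($e.date) $($e.time)"; UserAgent = $e.'cs(User-Agent)'
        }
    }
    if (@($rows | Where-Object { -not $_.DeviceId }).Count -gt 0) {
        Write-Warning 'DeviceId missing: make sure cs-uri-query is among the logged W3C fields.'
    }
    $rows | Group-Object User, DeviceId | ForEach-Object {
        $g = $_.Group
        New-Object PSObject -Property @{
            User         = $g[0].User
            DeviceId     = $g[0].DeviceId
            DeviceType   = $g[0].DeviceType
            Requests     = $g.Count
            AuthFailures = @($g | Where-Object { $_.Status -eq 401 }).Count
            LastSeen     = ($g | Sort-Object Timestamp | Select-Object -Last 1).Timestamp
        }
    }
}

Get-ActiveSyncDevices -Lines $sampleLog |
    Format-Table User, DeviceId, DeviceType, Requests, AuthFailures, LastSeen -AutoSize
```

With the constructed sample the summary contains two devices: jdoe's iPhone with three requests, one of them a 401, and asmith's Android with one. The point of the W3C requirement is visible in the code: the device identity lives in cs-uri-query and the user in cs-username, so if either field is not selected in the IIS logging configuration the parser has nothing to correlate, which is why the guide asks you to validate the logs from the Good MSM server before installation.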
Exchange Management Tools
Please review the corresponding versions of the Exchange Management Tools based upon the version(s) of Exchange that will be monitored.
Exchange Environment: Exchange Management Shell (EMS) tools required
  Exchange 2007: EMS 2007
  Exchange 2010: n/a
  Exchange 2013: n/a
  Exchange 2007 and Exchange 2010: EMS 2007
  Exchange 2010 and Exchange 2013: n/a
  Exchange 2007 and Exchange 2013: EMS 2007
To learn more about the Microsoft Exchange Tools, select one of the links below.
The following Microsoft Knowledge Base (KB) articles provide details about the installation of these tools:
Good Mobile Messaging Prerequisites
Please review the monitored Good Mobile Messaging requirements to ensure you have assigned the proper roles and permissions and met registry key requirements.
Prerequisite: GMC SQL Database Access
Requirement: Good MSM requires read access to the Good Mobile Control database (GMCDB). This requirement can be met via one of the following:
  o Windows Integrated Authentication: the Service Account must be granted the db_datareader role within the database.
  o SQL Authentication: provide a SQL account that has the db_datareader role within the database.
Identify the port (default 1433) and instance that the Good SQL database is bound to. Ensure the database has remote IP access enabled.

Prer equisite: GMM Log Monitoring
Requirement: The following is required for BoxTone to monitor GMM server health and mail flow via log files:
  The GMM log folder must be shared.
  The Service Account requires read access to the shared log directory.

Prerequisite: GMM Service Monitoring
Requirement: The Service Account must be a member of the Administrators group on each monitored GMM server to monitor service status via WMI.
* Monitoring via WMI is optional.

Prerequisite: GMM server registry keys
Requirement: The following registry values are required on any monitored Good Mobile Messaging server. All values are located under HKLM\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics.
NOTE: If the "Diagnostics" key does not exist, you must create it and then create the string values listed below. To decrypt the log files and ensure they flush in real time, set the following registry values:
  "encrypt" = 0
  "expand" = 1
  "cachesize" = 0
Because "encrypt" = 0 writes the GMM logs in clear text, limit read access on the shared log folder to the Service Account.

Prerequisite: GFE One-Click Fix-It
Requirement: The Service Account should be added to the Service Administrator role on the GMC. Port 19005 must be open on the GMC to allow the Good MSM Service Account to communicate with the web services used by GFE Fix-It.
BlackBerry Enterprise Server Requirements
Please review the BlackBerry Enterprise Server Guidelines below to ensure you have assigned the proper roles and permissions as required.
Prerequisite: BES Version
Requirement: The following BES version is certified in Good MSM 8.2: BES 5.0.4

Prerequisite: BES SQL Server Access
Requirement: Good MSM requires read access to the BlackBerry Configuration Database (BESMgmt). This requirement can be met via one of the following:
  o Windows Integrated Authentication: the Service Account must be granted the db_datareader role within the database.
  o SQL Authentication: provide a SQL account that has the db_datareader role within the database.
Identify the port (default 1433) and instance that the BES Configuration Database (BESMgmt) is bound to. Ensure the database has remote IP access enabled.
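The Good Control (GC), GEMS EWS, Good Mobile Control (GMCDB) and BES (BESMgmt) requirements above all ask for the same thing: db_datareader on one database, via either Windows integrated or SQL authentication. The following PowerShell function is an added example, not Good MSM code, that grants exactly that and then verifies the account holds nothing more. It runs T-SQL through System.Data.SqlClient under a SQL administrator's Windows session; the server, database and account names are placeholders.

```powershell
# Added example, not Good MSM code. Creates the login and database user for the
# Good MSM service account if they do not exist, adds the user to db_datareader
# only, and reports whether it also holds db_owner or sysadmin (it should not).
# sp_addrolemember and sys.database_role_members are used instead of ALTER ROLE /
# IS_ROLEMEMBER so the script also works on SQL Server 2008. Run it under an
# account that is a SQL administrator. Names below are placeholders.

function Grant-MsmDbReader {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,  # e.g. 'sql01.corp.example,1433' or 'sql01\GCINST'
        [Parameter(Mandatory=$true)][string]$Database,        # GC, EWS, GMCDB or BESMgmt
        [Parameter(Mandatory=$true)][string]$Account,         # 'CORP\BTAdmin' for Windows auth, or a SQL login name
        [string]$SqlPassword                                  # supply only to create a SQL-authentication login
    )
    # The principal name is bound as a parameter; QUOTENAME() turns it into a safe
    # bracketed identifier on the server, so no name is spliced into SQL text client-side.
    $sql = @'
DECLARE @q nvarchar(max);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
BEGIN
    IF @pwd IS NULL
        BEGIN SET @q = N'CREATE LOGIN ' + QUOTENAME(@acct) + N' FROM WINDOWS;'; END
    ELSE
        BEGIN SET @q = N'CREATE LOGIN ' + QUOTENAME(@acct) + N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N', CHECK_POLICY = ON;'; END
    EXEC (@q);
END;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
BEGIN
    SET @q = N'CREATE USER ' + QUOTENAME(@acct) + N' FOR LOGIN ' + QUOTENAME(@acct) + N';';
    EXEC (@q);
END;
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members
               WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N'db_datareader')
                 AND member_principal_id = DATABASE_PRINCIPAL_ID(@acct))
    EXEC sp_addrolemember N'db_datareader', @acct;
SELECT
    (SELECT COUNT(*) FROM sys.database_role_members
      WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N'db_datareader')
        AND member_principal_id = DATABASE_PRINCIPAL_ID(@acct)) AS IsReader,
    (SELECT COUNT(*) FROM sys.database_role_members
      WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N'db_owner')
        AND member_principal_id = DATABASE_PRINCIPAL_ID(@acct)) AS IsOwner,
    ISNULL(IS_SRVROLEMEMBER(N'sysadmin', @acct), 0) AS IsSysadmin;
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.Parameters.Add('@acct', [System.Data.SqlDbType]::NVarChar, 128)
        $cmd.Parameters['@acct'].Value = $Account
        [void]$cmd.Parameters.Add('@pwd', [System.Data.SqlDbType]::NVarChar, 128)
        $cmd.Parameters['@pwd'].Value = $(if ($SqlPassword) { $SqlPassword } else { [DBNull]::Value })
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        $result = New-Object PSObject -Property @{
            Account = $Account; Database = $Database
            IsReader = [int]$rdr['IsReader']; IsOwner = [int]$rdr['IsOwner']; IsSysadmin = [int]$rdr['IsSysadmin']
        }
        $rdr.Close()
    } finally { $conn.Close() }
    if ($result.IsOwner -or $result.IsSysadmin) {
        Write-Warning "$Account holds more than read access on $Database; Good MSM only needs db_datareader."
    }
    $result
}

# Windows integrated authentication for the BTAdmin service account (names assumed):
Grant-MsmDbReader -ServerInstance 'sql01.corp.example,1433' -Database 'GC' -Account 'CORP\BTAdmin'
# SQL authentication alternative; the password here is a placeholder, prompt for it in real use:
# Grant-MsmDbReader -ServerInstance 'sql01.corp.example,1433' -Database 'BESMgmt' -Account 'msm_reader' -SqlPassword 'replace-me'
```

The "remote IP access" part of the requirement is a SQL Server configuration (TCP/IP protocol enabled and the instance listening on the port you identified), which the function does not change; a failed connection open from the Good MSM server, or a failed Test-NetConnection to port 1433, is the symptom to look for before assuming a permissions problem.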
Prerequisite: BES Service Monitoring
Requirement: The Service Account must be a member of the Administrators group on each monitored BES to monitor service status via WMI.
* Monitoring via WMI is optional.

Prerequisite: BES Log Monitoring
Requirement: The following are required for Good MSM to read the BES logs:
  The BlackBerry Enterprise Server log directory must be shared.
  The Service Account requires read access to the shared log directory.
  BES log levels must be set to DEBUG on BES 5.0.4. The following BES logs must be set to debug:
    -MAGT
    -SYNC
    -POLC
    -DISP
    -CTRL
BES One-Click Fix-It Requirements (Optional)
Please review the Good MSM One-Click Fix-It requirements below to download and install the BES User Administration tool. Once installed, ensure that the proper roles and permissions have been assigned.
Good MSM BES Fix-It Requirements
Prerequisite: BES 5.0.4 Domain
Requirement: To configure Good MSM One-Click Fix-It, download the BlackBerry Enterprise Server User Administration Tool. This download is available from http://www.blackberry.com/BRK. Ensure the version that you download matches your BES version. Good MSM requires BlackBerry Enterprise Server Resource Kit version 5.0 Service Pack 4.
Install the BlackBerry Enterprise Server User Administration Tool on the Good MSM server. The Service Account must be given the proper permissions on the BES SQL Server (One-Click Fix-It requires the Enterprise Administrator role).
The BlackBerry Administration Service (BAS) must be listening on the default TCP port (443). One-Click Fix-It is not supported with other port configurations.
GFE and BlackBerry User Self-Service (USS)
Prerequisite: DNS Entry for Cross-Platform USS
Requirement: A DNS entry should be created for the USS hostname that points to the core IP address of the BoxTone server.
Please note: BlackBerry User Self-Service (BB USS) is featured in BoxTone versions prior to 7.5. Customers upgrading to 8.2 may continue to use their previous versions of BB USS. However, only Cross-Platform USS will be licensed for new installations of Good MSM 8.2.
Security Management Module (MDM)
Prerequisite: DNS and Static IP
Requirement: The Good MSM server requires 2 additional static IP addresses:
  1 static IP for Device Enrollment
  1 static IP for Device Management
DNS entries must also be made for IP address to hostname mapping on internal networks. Example: enroll.<company>.com and mdm.<company>.com

Prerequisite: Port Requirements
Requirement: The following ports are required to be open on the Good MSM server:
  Outbound: port 2195, to send requests to the Apple Push Notification Service (APNS)
  In an Exchange 2010 environment, TCP port 80 is required to be open for outbound connections between the Good MSM server and all Exchange 2010 mailbox servers in order to retrieve device information. For details, see http://technet.microsoft.com/en-us/library/dd297932(v=exchg.141).aspx

Prerequisite: SSL Certificate for Security Management
Requirement: Good MSM 8.1 requires the purchase of an SSL certificate for use with the Activation Application. This SSL certificate must be purchased from an Apple-recognized certificate vendor. Additional details can be found in the Configuration and Administration Guide.

Prerequisite: Generate an APNs Certificate
Requirement: This is required for Good MSM Security Management.

Prerequisite: Service Account
Requirement: The following permissions are required for the service account to perform Exchange actions:
  Exchange 2007
    o Local Administrator on each of the Exchange 2007 servers
    o Exchange View-Only Administrator role
    o Exchange Recipient Management role (required to enable or disable ActiveSync)
    o Exchange Server Administrator on all Exchange Mailbox servers (required to wipe devices)
  Exchange 2010
    o View-Only Organization Administrator role
    o Exchange Recipient Management role (required to enable or disable ActiveSync and wipe devices)
Prerequisite: Non-Exchange Environments
Requirement: To enable ActiveSync email configuration within non-Exchange environments, the following must be configured:
  Users must authenticate using Active Directory credentials.
  o The users' primary SMTP address must be populated in the AD attribute "mail".

Prerequisite: Volume Purchasing Program (VPP)
Requirement: In order to utilize the VPP distribution capabilities of Good MSM, a valid Apple VPP for Business account must be set up. Please refer to Apple's Volume Purchasing Program for Business guide found at http://www.apple.com/business/vpp for details.

Prerequisite: Certificate Authorities
Requirement: To enable Good MSM to distribute identity certificates from a Microsoft Certificate Authority, set up permissions and templates as outlined in the document Good MSM Certificates Technical Overview, which can be found in the \Good MSM\Documentation directory on your server.
MDM Gateway Server Demilitarized Zone (DMZ) Requirements
If MDM is being used with externally connected iOS devices (via cellular or remote Wi-Fi access points), a separate MDM Gateway Server in the perimeter network/Demilitarized Zone (DMZ) is strongly recommended.
Prerequisite: MDM Gateway Server Hardware Requirements
Requirement: The Good MDM Gateway Server accepts inbound connections from MDM devices. Hardware requirements are listed below:
  4 CPU cores @ 2.66 GHz
  4 GB RAM
  Recommended file system configuration:
    o C: Windows OS 40 GB
    o D: Apache App 40 GB

Prerequisite: DNS and Static IP
Requirement: The Good MDM Gateway Server requires 2 static IP addresses in the DMZ:
  1 static IP for device enrollment
  1 static IP for device management
These IP addresses must be publicly routable or must have publicly routable IP addresses referencing them via NAT.
DNS entries must also be made for IP address to hostname mappings on the public Internet and on the internal network. Good MSM recommends the following naming scheme:
  Device Enrollment IP address: enroll.<company>.com
  Device Management IP address: mdm.<company>.com

Prerequisite: Port requirements, public Internet to DMZ
Requirement: The following ports are required to be open from the public Internet to the IP addresses on the Good MDM Gateway Server:
  enroll.<company>.com
    o 80 and 443 (HTTP(S))
  mdm.<company>.com
    o 443 (HTTPS)

Prerequisite: Port requirements, DMZ to internal network
Requirement: The following ports are required to be open from the DMZ server to the Good MSM server on the internal network:
  80 and 443 (HTTP(S))
  28009 (AJP/SCEP)
Good MSM requires allowing traffic on these ports from all IP addresses on the DMZ server to both Security Management IP addresses (Enroll and MDM) on the internal server.
Prerequisite: Port requirements, internal server to Apple
Requirement: The following ports are required to be open for outbound connections from the Good MSM server on the internal network to Apple's network (17.0.0.0/8):
  2195 (APNs)

Prerequisite: Apache Download
Requirement: The Good MDM Gateway Server requires the most recent 2.2 release of Apache HTTP Server with OpenSSL to be installed. As of the writing of this document this is 2.2.29 (openssl-0.9.8t.msi). Download "Apache HTTP Server (httpd) Win32 binary including OpenSSL" from http://www.apachehaus.com/cgi-bin/download.plx#APACHE22VC09. Because this server is exposed to the Internet, check for a newer 2.2.x build and OpenSSL patch level before deploying it, and keep it patched.
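The DMZ-to-internal and internal-to-Apple port requirements above describe what the perimeter firewall must permit; the host firewall on the internal Good MSM server should be no wider. The following PowerShell script is an added example, not Good MSM code, that creates Windows Firewall rules on the internal server allowing 80, 443 and 28009 only from the gateway's DMZ addresses to the Enroll and MDM addresses, plus outbound 2195 to 17.0.0.0/8, and then reads the rules back. It needs the NetSecurity module (Windows Server 2012 R2); all addresses are placeholders, and the APNs host name used for the final connectivity check is the legacy binary APNs gateway.

```powershell
# Added example, not Good MSM code. Windows Firewall rules on the internal Good MSM
# server for the DMZ gateway and APNs traffic described in the guide, scoped so that
# only the gateway's DMZ addresses can reach the Enroll/MDM addresses.
# Requires the NetSecurity module (Windows Server 2012 R2). All addresses are placeholders.

$gatewayDmzIps = @('203.0.113.20', '203.0.113.21')   # the gateway's two DMZ addresses (assumed)
$enrollIp      = '10.0.0.30'                         # internal enroll.<company>.com address (assumed)
$mdmIp         = '10.0.0.31'                         # internal mdm.<company>.com address (assumed)

function Set-MsmDmzFirewallRules {
    $rules = @(
        @{ DisplayName   = 'Good MSM - DMZ gateway to Enroll/MDM (HTTP/HTTPS/AJP)'
           Direction     = 'Inbound'
           LocalPort     = @(80, 443, 28009)
           LocalAddress  = @($enrollIp, $mdmIp)
           RemoteAddress = $gatewayDmzIps }
        @{ DisplayName   = 'Good MSM - APNs outbound'
           Direction     = 'Outbound'
           RemotePort    = @(2195)
           RemoteAddress = @('17.0.0.0/8') }
    )
    foreach ($r in $rules) {
        # Re-create rather than duplicate, so the script can be re-run after an address change.
        Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule @r -Action Allow -Protocol TCP -Profile Domain -Enabled True | Out-Null
    }
}

function Get-MsmDmzFirewallRules {
    # Read the rules back with their port and address filters for review.
    Get-NetFirewallRule -DisplayName 'Good MSM - *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        New-Object PSObject -Property @{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Enabled       = $_.Enabled
            LocalAddress  = ($addr.LocalAddress -join ',')
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            RemotePort    = ($port.RemotePort -join ',')
        }
    }
}

Set-MsmDmzFirewallRules
Get-MsmDmzFirewallRules | Format-Table Rule, Direction, LocalAddress, LocalPort, RemoteAddress, RemotePort -AutoSize

# Live check of the APNs path from the internal server (legacy binary APNs gateway host name).
Test-NetConnection -ComputerName 'gateway.push.apple.com' -Port 2195 -InformationLevel Quiet
```

With the Windows Firewall's default inbound Block action in force, these are the only inbound paths to the Enroll and MDM addresses on 80, 443 and 28009; any other source, including other DMZ hosts, is refused at the host even if the perimeter firewall is misconfigured. The matching perimeter rules (public Internet to the gateway on 80/443 and 443, and DMZ to internal on the same three ports) still have to be created on the network firewall.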
Version 8.2
Copyright 2015 by Good Technology. All rights reserved.
Trademarks
Good is a registered trademark of Good Technology Incorporated.
Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. All other product names used are trademarks of their respective owners.
Notice
The material in this document is for information only and is subject to change without notice. While reasonable efforts have been made in the preparation of this document to assure its accuracy, Good Technology Inc. assumes no liability resulting from errors or omissions in this document, or from the use of the information contained herein. Good Technology Inc. reserves the right to make changes in the product design without reservation and without notification to its users.
Edition