
Symantec App Center 4.0 Admin Documentation


Symantec App Center

4.0 Admin Documentation

Administration Guide


Table of Contents

About the Symantec App Center
Symantec Products Overview
Deployment Options
Public Cloud/SaaS
On-Premise (Red Hat/CentOs)
Setting Up Your App Center
Getting started with the deployment of your App Center
Getting Started with the Public Cloud/SaaS Option
Getting Started with the On-Premise (Red Hat/CentOs) Option
Integrating with Identity Provider Solutions
SAML
Active Directory / LDAP
Inside the Admin Console
Login Screen
The Home Page
The Apps Page
The App Policy Page
The Content Page
The Content Policy Page
The Users Page
Onboarding Users
The Devices Page
The Device Policy Page
The Downloads Page
The Account Page
The Reports Page
Standard Reports
The Settings Page
User Authentication
iOS Client
Android Client
Mobile User Invitation Email
External Identity Provider
Device Management
Notifications
Android Keystore Certificates
Apple/iOS Certificates
Standard/Enterprise Edition
Branding
International
Metadata
BlackBerry
Roles & Permissions
Google GCM
iOS Certs and App Center Client
About the iOS Certs and App Center Client
Apple’s Licensing Approach
Creating an App ID Push Certificate
Creating an MDM Certificate
Adding Certificates to the Key Chain
Creating a Mobile Provisioning Profile
Creating an App Center Client
Keys Management and Security Options
Apple / iOS Certificates
User Passwords
Appendix A: FAQ
Apps/Content
Web clip client/Native client
Admin Console
Physical installation and configuration


About the Symantec App Center

This guide provides basic operations information to assist administrators in the setup and deployment of Symantec's products. It provides an overview of administration of Symantec App Center, Symantec Content Center, and the methods of deploying and securing enterprise apps, data, and content.

The reader is assumed to have a basic knowledge of enterprise network configuration, including, but not limited to, knowledge of identity management, web setups, load-balancers, network traffic topologies, and the configuration of typical enterprise network architectures.

Additionally, the reader will require access to resources such as the Apple Enterprise License Certificate, and the ability to create new provisioning profiles for iOS. It is recommended that access to staff or resources with a working knowledge of relevant development environments (Apple's Xcode and Android) be available.

Symantec Products Overview

Symantec App Center (formerly Nukona App Center) has been designed from the ground up to allow enterprises to reliably deploy apps to their employees that are using either iOS or Android devices for work purposes. Unlike competitive products, Symantec's products allow Enterprise IT to set the policies and information assurance they care about without requiring any modifications to the source code of apps.

This approach was taken by Symantec to ensure that apps deployed by Enterprise IT are not reliant on internal or third-party app developers to be compliant with the policies and compliance needs of the organization. This approach also allows organizations to apply policy across hundreds, if not thousands, of apps that are being deployed across multiple geographic regions to thousands of employees. A change in policy or an update to app logic can be deployed to the entire employee community with a simple push of a button from the management console.


1) In the above diagram, an app is developed, sourced, or modified. If the app is coming from a developer, the new app is delivered to the appropriate IT administrator with a simple notification. If the app is sourced, the IT administrator can simply upload the app directly.

2) The IT administrator creates sets of policies and selects the appropriate policy set to be applied to the app based on the target audience and the information that the app accesses. A Symantec Policy Container is invoked around the app logic and the app is provisioned in the Enterprise App Center to be accessed by employees and other approved users.

3) When installed on the user's device, the wrapped or “containerized” app is subject to the policy controls set by Enterprise IT, both at launch-time and while it is running.

Using this model, all manner of policies can be set, from simple access and authentication policies, to keys management strategies, offline access policies, re-authentication and refresh policy, and even policies related to single sign-on for related productivity apps.

Since the container controlling the policy is delivered with the app and any data written locally on the device is being policy-managed, an enterprise can immediately support “BYOD” (Bring Your Own Device) using this approach. The corporate policy-managed apps and data can be co-resident on a device with personal apps and data.


This basic “secure, deploy, manage” model can also be applied to content, such as PDFs, videos, ePub documents, etc., with Symantec Content Center, and both products are included in this manual.

Deployment Options

This section provides a guide for administrators on the deployment options available to set up a Symantec App Center either as a SaaS service or on-premise. The goal is to provide sufficient background information to allow administrators to select the optimal deployment option for their organization.

There are two primary deployment options for Symantec App Center:

• Public Cloud/SaaS - Deployment using Symantec's public cloud

• On-Premise (Red Hat/CentOs) - On-premise deployment in a Red Hat Enterprise Linux (RHEL) or CentOS environment

Each option is detailed below along with the advantages and disadvantages of each approach.

Public Cloud/SaaS


Advantages and disadvantages:

• Quick and easy to get started

• No capacity planning is required

• No operations or administrative overheads

• Multi-tenant environment

• Lack of performance guarantees

• Requires external connectivity to corporate identity provider environment (e.g., Active Directory)

• May not meet infosec / policy requirements

On-Premise (Red Hat/CentOs)

App Center‟s browser and client interactions are 100% REST (HTTPS) based. Many IT departments have standardized the deployment of Red Hat Enterprise Linux or CentOS on top of VMware. Management and monitoring capability is often pre-loaded onto specific Red Hat/CentOS VM template images. Because of this, all App Center servers can be deployed as a software install on top of Red Hat Enterprise Linux 5.x (64-bit guest OS formats are supported).

For a high-scale deployment, most IT departments will choose to deploy multiple App Center front-end application servers behind a load-balancer. With such a deployment, the front-end servers all connect to a customer-supplied database server or cluster.


As noted in the Network Deployment Options, the App Center servers may optionally be located in the DMZ, in which case the proxy becomes optional.

Advantages and disadvantages:

• If VMware infrastructure in place, quick and easy to provision

• May be preferred by infosec / policy

• Scales to large number of users

• Requires VMware operations involvement

• Requires Database administrator involvement

• Use of VMware tools for backup and HA

• IT is responsible for server hardening

With the on-premise option, administrators need to determine where the App Center servers sit within the organization's network topology. There are three main options:

• Intranet-only deployment

• DMZ deployment

• Proxy-based deployment

Intranet-Only Deployment

App Center can be deployed entirely within the corporate network if desired. This is more secure at the expense of usability, as mobile devices are often most valuable in the field. Additionally, device management may not be possible with this deployment scenario.

DMZ Deployment

App Center can be deployed inside the DMZ. Care must be taken to ensure a secure DMZ environment. Deployment in the DMZ allows users on-the-go to access App Center capability without requiring them to login to the corporate VPN.

Proxy-based Deployment

A more secure deployment scenario that gives the same capabilities as the DMZ deployment is to have a reverse-proxy deployed in the DMZ that can initiate connections to App Center within an isolated sub-network of the intranet. In such a deployment, there can be no direct connections between attackers and App Center, greatly increasing security.


Setting Up Your App Center

Getting started with the deployment of your App Center

There are two options for getting started with your App Center, depending on what deployment option you chose in the previous section. Please see one of the following sections for instructions:

• Getting started with the Public Cloud/SaaS option

• Getting started with the On-Premise (Red Hat/CentOs) option

Getting Started with the Public Cloud/SaaS Option

If you have not already signed up for your own App Center, you can start the process by registering at www.appcenterhq.com/registration. This form gathers relevant information from you in order to set up a tenant in Symantec's Amazon EC2 cloud.

Form Field: Description

Account URL: This URL is the name of the App Center you want to create. As an example, if you worked for the company Acme and wanted to create a MagicWidget Enterprise App Center, you would type MagicWidget in the Account URL field. The URL of your new app center would be MagicWidget.appcenterhq.com

Administrator Details: You must specify a first and last name, an email address (where the registration email will be sent), a phone number, and information about your organization. You must also choose your user name and password. Once you have logged in for the first time, you can add additional administrators if required.

Ensure that this email address is correct and that you have access to it. You will not be able to complete the registration process without access to the email address you enter here.

Software License: In order to complete the setup of a new tenant, you are required to accept the Terms and Conditions of using the Symantec software.

Completing Registration: After you have submitted the form, you'll see a success message. An email will be in your inbox shortly. To finish registration, click on the link within the email. It will bring you to your new Symantec App Center at https://<my_url>.appcenterhq.com, where <my_url> is the name that you chose for your App Center.

You will need to log in with the user name and password you entered above.

Getting Started with the On-Premise (Red Hat/CentOs) Option

After your On-Premise App Center has been deployed, you can configure App Center using exactly the same interface that is used for the SaaS version of App Center:

• Connect to the deployed App Center using HTTPS (e.g., https://myappcenter.company.com).

• Log in using the user name and password supplied during the provisioning step.

• You are now logged into the App Center administrative console. You can add other administrators and users, upload apps, and configure the App Center on the Settings tab. Please read the “Getting Started” section on the Home tab.

• Your App Center is fully operational.

In this release, changing the GCM settings after initial provisioning requires a reboot of the front-end (FE) server.

If you need to modify the email settings after the initial provisioning step, this can only be done via the command line.

Note: Regardless of the SaaS or On-Premise deployment model, the Android and iOS devices must be reachable by the Google and Apple messaging services.

If you are using the App Center Client on devices on the corporate network, the following needs to be configured outbound for devices:

• TCP/UDP 5228 for Android MDM

• TCP/UDP 5223 for iOS MDM

Integrating with Identity Provider Solutions

This section covers one of the important elements for setting up users in the App Center -- integrating with identity provider solutions.

Symantec provides a simple, local Identity Provider (IDP) as a standard part of App Center and Content Center. It is easy to use, requires no integration, and is ideal for small user environments such as trials. However, for production environments, almost all implementations are likely to require integration with external IDPs.

When using an external IDP, you get the advantage of centralized user management as well as easily tying into an established corporate identity framework. When enabled, this allows regular users as well as administrators to authenticate to App Center using the external identity provider. App Center currently supports three commonly deployed technologies: SAML and AD/LDAP.

SAML

SAML is a Single-Sign On (SSO) technology used by many organizations including large corporations such as Google and Facebook. In SAML parlance, App Center is a Service Provider. A Service Provider establishes a relationship with a SAML Server (an IDP in SAML parlance), and, once established, the Service Provider forwards users to the SAML server for authentication. Once the SAML server has authenticated the user, the server forwards the user back to the Service Provider with a token, which the user uses to authenticate to the service provider.


native client to redirect to the SAML server. When done authenticating to the SAML server, the server automatically redirects the user back to App Center.

To configure SAML, in the App Center Admin Console, go to the “Settings > External Identity Provider” tab, and follow the setup screens.

On the first screen under 'Server Configuration', select 'SAML' from the drop-down list. The remainder of the page will change, and ask for the following information:

Field: Notes

Name: This is a user-defined name to reference the SAML server. This name will appear in various links. For example, in the admin login screen, a new link will appear that administrators can use to login via SAML. The name will be used in this link.

IDP Metadata: Each SAML server can (and does) distribute its information via a single file, usually referred to as the metadata-file. This file is in XML format and contains all the information needed to connect to it as well as any information needed to authenticate and parse the SAML replies. Simply get this metadata file from the SAML server and upload it here.

SP Partner ID: Some SAML servers need extra information in the SAML request forwarded to them. Enter this information here.

SP Entity ID: Some SAML servers require extra information included in the URL used to forward the request. Enter the SPEntityID data here.

Click 'Save' to continue to the next page.

On the second screen, fill in the mappings between what the SAML server will return as 'Attributes' to what we need to identify the user:

Field: Notes

Username Attribute: This is the string that will identify the user name in the SAML reply. In some cases, this might be the email address field (see 'Allow Email Address as username' in “Settings > User Authentication”). For example: EMailAddress or User name

First Name Attribute: This is the field that will contain the user's first name.

Last Name Attribute: This is the field that will contain the user's last name.

Email Attribute: This is the field that will contain the user's email address. Even if the user name field will be derived from the email address, this must still be filled in.

On the third screen, you can configure group mappings. These are currently not used by App Center for SAML. Click 'Save' to continue to the next page.

You are now configured. Click on the 'Enable IDP' button to enable SAML authentication for all users. To disable at any time, simply click the 'Disable IDP' button. You can enable and disable at any time without having to reconfigure the SAML server.

Active Directory / LDAP

The most common external IDP is Microsoft's Active Directory (AD). App Center supports AD as an IDP via LDAP and also can support any other type of IDP that exposes an LDAP interface. App Center can reference an external IDP for authentication only, or App Center can use an IDP's groups to drive app and device policy within App Center. See the Settings > External Identity Provider section of this document for instructions and more information.

Inside the Admin Console

Login Screen

If you have not yet performed the customization step to brand your App Center, the login screen appears. Type in your user name and password, and then click Login.

If you have already branded the App Center, then your own logo and name for the App Center will appear on this screen. You can also customize the support URL by filling it in on the Settings > Branding page in the Admin Console.

If this is the first time setting up the App Center and you are the first administrator, these credentials will be the ones that you selected when provisioning the App Center. If this step has already been done, the credentials will either be:

a) The user name and password that you selected when onboarded via email

b) The user name and password that the original administrator assigned to you

c) Your email address and password that you were assigned – the option of using email addresses for login is enabled in the Settings > User Authentication tab (see below)

d) Your Active Directory (or other external identity provider) credentials – see the Settings > External Identity Provider section below

The Home Page

After successfully logging in, the App Center administrator will be taken to the Home tab. This screen contains introductory information and links that can assist with getting started.

The following tabs can be selected:

• Apps
• App Policy
• Content
• Content Policy
• Users
• Devices
• Device Policy
• Downloads
• Account
• Reports
• Settings
• About

The Apps Page

The Apps tab displays the list of available apps and allows the administrator to add, remove, and manage apps. The apps list can be narrowed to show only the apps for a specific operating system (iOS, Android, Blackberry). The administrator can also search for specific apps.

Adding an App

To add an app to the enterprise app center, click the “Add App…” button. This will bring up a dialog allowing you to choose which type of app you want to add.

There are four types of apps that can be added:

App Type: Notes

Native App: This is an app that has been designed to run specifically on the operating system used on mobile devices. Simply drag and drop the relevant file or use the “Browse” button to select the file. The file should be an .ipa file for iOS (see note below), an .apk file for Android, or a .zip file for Blackberry.

Web App: Any web app can be included in the App Center. A “web clip” will be created whereby the user will see an icon on their mobile device that will launch a browser and navigate to the provided URL. The default browser on the device (e.g., Safari, Chrome) will be used.

Secure Web App: A secure web app has two differences from a standard web app: an app policy is applied to the app (see “Policy Management”), and the app is distributed and launched in a policy-constrained browser. For iOS, App Center will actually create a native app in order to do this. An app distribution certificate (mobile provisioning file) is required for each app. See note below.

External Store App: Any app from the Apple App Store or Android Market can be included in your enterprise app center. Simply navigate to the appropriate web page that describes the app along with its screenshots, copy this URL, and paste it into the URL box in the dialog. App Center will import all the relevant information.

Note, however, that these are actually just links to the external store and the apps themselves are not actually uploaded into your App Center. When a user installs these apps they will download from the external store.

Per Apple's licensing, apps which are available from the Apple App Store may not be distributed through any other means, including Symantec App Center. App Center performs checks prior to an app being uploaded to ensure that the .ipa file is valid for redistribution.

Please see the following overview for the steps you need to take and the options available to ensure compliance with Apple's approach:

http://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/DevPortalGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011159-CH1-SW1

So to support the enterprise distribution model within your organization, you will need to:

1. Sign up for the iOS Developer Enterprise Program. http://developer.apple.com/programs/ios/enterprise.

2. Follow the process for distributing apps to your enterprise. http://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html.

If you are not able to go down this path (or want to get started prior to Apple granting you the certificate), then you can use the ad hoc provisioning model with just a Developer license. In particular, you will need to gather the UDID's of any of the devices that you intend to install the app on.

http://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/DevPortalGuide/DesignatingiOSDevicesforDevelopmentandUserTesting/DesignatingiOSDevicesforDevelopmentandUserTesting.html#//apple_ref/doc/uid/TP40011159-CH30-SW1

App Center makes gathering the UDID's easy – you can look at the "Devices" tab in the Admin Portal and any of your users that have been onboarded will have the device information there.

Publishing Apps

Apps can be published to two sets of users: Production and Beta. Since each app can have several versions, at any given time one version may be made available as Production and another as Beta. Each version is installable by a separate set of users. It's also possible to have just one published version or none at all.

Any Publisher (see Roles descriptions) has permission to publish an app version. The version is either provided by the Publisher or has been submitted for publish by a Developer.


When a Publisher is providing the version, the standard add app process is used. Select the “Apps” tab, then click the “Add App...” button. A dialog appears with the options to upload an app bundle or specify a web app URL. After choosing one of the options, the dialog presents an edit interface for the app details such as title and screenshots. On the right side of the edit view is a panel that controls the publish options.

By default, “Not Publishing” is selected and two other options are present: “Publish as Production” and “Publish as Beta”. If “Not Publishing” is kept, the app will simply be added to App Center's Admin Console, but not made available to any users. At a later time, the publisher can select the version and publish it.

Selecting either of the publish options will reveal a control that allows the publisher to specify which users will have access. By default, “Everyone” is allowed access, but the version can be restricted to a set of Groups and/or individual users. Simply select any number of groups, and/or use the search box to find users.

Once the entitlements are set, click “Save” and the version will become immediately available to the specified groups/users.

Note that entitlements will be remembered across versions, so the next version published as Production will automatically be configured to be available to the same set of users as the previous Production version. Also, since only one version may be published in the given Production or Beta slot, the act of publishing a new version will unpublish any existing version in that slot.

It's also possible to publish a version that was submitted by a developer. In this case, a yellow dot appears in the top right corner of each app listed on the “Apps” page that has a submitted version not yet published.

The unpublished version is clearly labeled and has a yellow striped header. The Publisher can review the app metadata and choose to “Publish” or “Reject”. If rejected, the app will return to the Developer, who can make modifications and then re-submit. If Publish is selected, an edit interface like the one described above will appear and the remainder of the process is the same.

Administrators may update the users or groups of users entitled to download the app at any time. Simply choose the “Edit…” button associated with the version (production, beta, or developer) and update the authorized users.


When adding a native app or a secure web app, a policy can be applied (see “Policy Management”) and there are options to associate data with the app in order to provide the users with relevant information when browsing the app center including app descriptions and phone and/or tablet screenshots.

Rescinding and Updating Apps

A published app (production or beta) can be rescinded, meaning that it is no longer available for download. To update an app, simply select the “Replace…” button associated with the version and either upload the new file for a native app or enter the new URL for a web app, secure web app, or external store app.

App Version Types

Apps can be set as production, beta, or development versions at any time by selecting the “Set…” button.

Application policies (see The App Policy Page section below) are applied to production, beta, and development versions of applications. However, each type of application will respond differently to a policy. For example, policies will never affect development apps. The policy will be applied to beta apps but the forced update policy will never apply.

Also, development apps are never listed in the Top Apps section of App Center. To see them, you need to look in Categories or do a search.

The App Policy Page

App Policies control the execution of an application or secure web app. The app policy is the set of rules that is applied to a running application or secure web app. App Policy is not the set of entitlements that governs distribution, download, and installation of applications and content. Those rules are set in the group mapping in the Apps or Content tabs.

App Policy is associated with an application, with the association set in the Apps tab, per application. You can assign, view, or change the app policy that is associated with an app under the App tab.

Managing App Policies

• When a policy is selected the list of apps associated with the policy is displayed.

• To create a new policy, use the “New Policy” button.

• To delete a policy, use the Delete button. There is no undoing this action. You cannot delete a policy as long as any app is using the policy. Each app using the policy must be examined individually to change its policy.

• To edit an existing policy, use the Edit button.

• When a policy is assigned to an app, or when the policy associated with an app is changed and saved, the app is updated with the new policy. Users are then notified that a new version of the app is available. The app update process may take a few minutes depending on the number of apps and system load.

Note that policy is applied statically to the application and policy is not updated in a running app. This means that you must redistribute the app if the associated policy is updated.


Policy Overview

When creating a new policy, there are a number of policy options that can be selected.

Note that unless otherwise stated, all of the options on this page are automatically updated on the device the next time the user logs in. The user does not have to perform a software update to receive policy changes. However, if User Authentication Required is not checked, the user has to update the app to receive policy changes.

Policy Notes

User authentication required

When the app is started, a user authentication screen will appear on the device and request user name and password.

The user name and password are validated on the server; the app can only be used online.

Storage encryption works with or without authentication; however, without authentication the encrypted storage is only available for the duration of the app execution and is not available in subsequent runs.

Re-authentication required every X minutes

Will force the user to authenticate periodically based on the time entered.

Note that the App Center considers being run in the background as an idle state. So, if the App Center is running in the background for the configured number of minutes the user will have to re-login the next time they bring the App Center to the foreground.

Offline authentication permitted

Offline authentication can be configured.

Destroy data and disable app upon password lockout

If you have password lockout enabled, you have the option of revoking the device upon password lockout.

On-device storage

On-device storage may be allowed. If on-device storage is not allowed, every attempt by the application to write data to the device is blocked.

Encryption required

Encryption may be required if on-device storage is allowed. If so, app files created and subsequently accessed by the application will be encrypted.

The encryption covers files that are shared, for example, for printing or upload.

Persistent encrypted data requires that user authentication be required. The user-authentication exchanges information with the server to persist encrypted data.

Storage encryption without authentication is suitable for apps that cache their data. For example, a web app.

If you want to require encryption but do not want to use user authentication, you are forced to use clear data on app close (see below).

Clear data on app close

Clear data on app close causes all app-created data to be removed on app close. Because apps often do not exit and are killed when the system is shut down or memory becomes scarce, this option also causes all app-created data to be removed on app start-up.

This option is useful, for example, with an unauthenticated secure web app that is caching files.

Permit SDcard storage

Permit SD card storage.

Block inter-app document sharing

The iOS document interaction controller provides in-app support for managing user interactions with files in the local system. For example, an email program might use this class to allow the user to preview attachments and open them in other apps. Use this option to prevent an application from previewing, opening, copying, or printing files.

Block clipboard copy operations

If the user attempts to copy text from an application or file, they will be unable to paste the text.

Destroy data and disable app on jailbroken or rooted devices

If the user attempts to install the App Center on a jailbroken iOS device or rooted Android device, the App Center is revoked. Revocation destroys all data and disables the application.

Block iTunes file sharing

Prevents an application from sharing any files with iTunes. Without this option, application files in <Application_Home>Documents directory may be backed up and shared to iTunes.

Block iCloud file sharing

In iOS 5 and later, an application can tag files for cloud storage that are synced to the user's iCloud account. This option prevents document syncing, uploading, and downloading with iCloud.

If the client is removed or MDM is disabled

The app policy can be configured to allow, block, or revoke the Android app if the user either removes the App Center client from the device or removes the App Center client as a Security Administrator (MDM) on the device.

Poll server

The only times apps talk to the server are when the user logs in or puts the app in background or foreground. However, if you turn on poll server, the app will poll the server according to your configuration whether a user is using the app or not.

Fail-Safe revocation timer

If the server has not heard from the app in x hours, it will revoke the app.

Force upgrade on new versions

If x amount of time passes after a new version of the app is released, the user will be forced to upgrade and re-login.

The Content Page

This section covers how to manage content with Symantec Content Center and the Content add-on for Symantec App Center.

For encrypted previews, the following file types are allowed: .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .pdf.

Currently the Content Center accepts any type of file from the administrator and pushes the file down to the client. For content types that can be previewed, the Content Center will render a PDF version of the file and push both the pre-rendered PDF and original file to the client. The Content Center client will then use the PDF version for in-client preview, and will retain the original for open-in.

To successfully convert Microsoft Office documents to PDF, Microsoft fonts must be present on the system.

Unfortunately, these fonts are not included with Linux distributions. You can find the font package at the following Web site: http://corefonts.sourceforge.net/

Alternatively, if you already have the fonts, ensure that they are in the following directory: /usr/share/fonts/

To control which types of users can download and view a document, a new Content Policy must be created first as described in the “Policy Management” section.

Adding Content

Follow these steps to add new content to the Content Center:

• Select the “Content” tab from the left menu then select “Add Content”.
• Browse to the location of the document you wish to share. It may take a moment for the file to upload to the server depending on the size.
• If you wish, change the name of the document that will be displayed in the store. By default this will be the file name.
• To provide users with relevant information about the content, you may add a short description of the app to the subtitle field and a longer description to the description field.
• Select a category that this document will appear under in the portal and on the users’ mobile clients. Creation of categories is discussed in “Settings – Standard/Enterprise Edition”.
• Select a policy.
• Optionally you may create a version number for this document (e.g., “1.0”).
• In the right panel, you can select user groups that can download this document. Select All to make the document viewable by anyone, or you may also restrict access to Administrators, Developers, Managers or Publishers.
• Click “Save” to make the document available in the Symantec Content Center.

Managing Content

You may change the document’s information by clicking “Edit” in the top right corner.

• To permanently remove this document, select “Delete”. You may also remove the public availability of this document by selecting “Unpublish”.
• Content may be updated to a newer version by selecting “Add Version...”.
• Select the updated file from your file system and follow the steps above, but increment the version number accordingly (e.g., “2.0”). Previous versions will not be deleted from the server, but only the most current version will be available to users in the Content Store.
• To revert a document to an older version, select Re-Publish Old Version, and then select the version you wish to revert to from the list of available versions.


The Content Policy Page

Content Policy is associated with content, such as PDFs, videos, ePub documents, etc. The association is set in the Content tab, per item. The Content Policy tab is used to define policy.

Managing Content Policies

• You can assign, view, or change the content policy that is associated with an item under the Content tab.
• You can select a policy in the Content Policy tab to see the list of items associated with the policy.
• To create a new policy, use the New Policy button.
• To delete a policy, use the Delete button. There is no undoing this action. You cannot delete a policy as long as any content item is using the policy. Each content item using the policy must be examined individually to change its policy.
• To edit an existing policy, use the Edit button.

Policy Overview

When creating a new policy, there will be a number of policy options that can be selected. The initial policies are:

Policy Notes

Encryption required

Encrypts content. Also enables preview and disables sharing.

For iOS 6 users, only the following content formats are supported when an encryption policy is applied:

• PDF
• Excel
• Word
• PPT

Allow offline access

Allows users to access content offline.

Allow content preview

Allows users to view the content in the App Center Client.

Prevent sharing of content with other iOS apps

Prevent sharing of content with other iOS apps will cause the document to be displayed only in a Symantec managed viewer, and that viewer will not allow the document to be shared, exported, or printed.

Prevent content downloads to a desktop via the User Portal

Prevent content downloads to a desktop will prevent users with access to the web portal from downloading documents.

Automatically connect to the server to check for updates

This allows the App Center to automatically check the server for updates every x hours, as configured on this page.

Fail-Safe Revocation Timer

This option will automatically destroy content if the App Center does not contact the server in the configured number of hours.

Automatically push download of new versions

This option will force the download of new versions of content if the user does not download it in the configured number of hours.


The Users Page

Onboarding Users

This section covers the various options for enabling users to access App Center resources. There are three choices:

• Email invites
• Adding a Single User
• Adding Bulk Users

Email Invites

The simplest way to onboard new users is with the Email Invite feature. Select the “Users” tab, and on the right side of the screen, there is a text box where you can enter email addresses.

Each invited user will receive an email with instructions on how to set up their account. The content of this email can be customized by changing the text in the box immediately below the email address entry box.

Invited users must choose their user name and password, and these cannot be initially assigned by the administrator who sends the invite. Additionally, the first and last names for each user will not be filled in.

Invited users cannot be assigned to Groups until they’ve chosen a user name and password and logged in.

An administrator can browse the list of invited users and see the status of each invite by simply viewing the group named “invited”.

Invites can be resent by re-entering the user’s email address in the invite box or by viewing the invite status and clicking Resend Invite.

Adding a Single User

Adding a single user creates an account without sending an email invite. Select the “Users” tab, and then click the “Add a New User” button.

The administrator creating the account must provide an email address, user name and initial password for the user. First and last names may optionally be provided. Finally, the administrator can assign the new user to Groups at the time of account creation.

NOTE: If you use SaaS, you must provide a first name and last name if the user that you are creating will be the primary contact for the Business Account. Otherwise, that user will be unable to register licenses.

App Center will not automatically notify the user of their new account. However, there are a couple of ways that App Center can help communicate to the user.

Enter the user’s email address in the invite box, and it will send them a welcome message that directs them to App Center. However, the email will not communicate the user’s user name or password, so those must still be communicated offline.

Reset the user’s password using the Reset Password button on the user detail page. This will direct the user to choose a new password, but it will not communicate their user name, which still needs to be communicated offline. The reset password email will also not include any direction for how to log in and download the App Center client.

Adding Bulk Users

Add Bulk Users provides a way to add many users at once, like Email Invites, but also lets you provide user names, first and last names, and optionally one group assignment.

Users must be listed in a Comma Separated Values (CSV) file, which can be easily made using Excel. The CSV file must start with a header row, and the first four columns must be: Username, First Name, Last Name, Email. An optional fifth column can specify a Group name that the user should be assigned to (the Group will be created if no matching group name is found).

When the CSV file is uploaded, it will add any user that does not already exist in App Center and will ignore rows that don’t match the previously specified format. For files with international characters, the file must be encoded in UTF-8 character encoding.

To use Add Bulk Users, select the “Users” tab, and then click the “Upload Users CSV” button.

Use the file selection control to browse for and choose your CSV file, then click Upload Users (Step 1 of 2), which will take you to a confirmation screen where you can review the upload before actually committing the changes. On the confirmation screen, any ignored or duplicate rows will be listed, along with the first several rows that will be imported. To add the new users, click Add New Users (Step 2 of 2). Upon success, you will be returned to the main Users tab, and can browse through the all group or use search to inspect the newly created user accounts.

Communication to the users about their usernames and the requirement to reset passwords must be handled offline. Users can optionally be sent a Reset Password email since their newly created accounts do not have passwords. This email is turned off by default because it can cause confusion absent any other communication about usernames or App Center in general.
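A pre-upload check for the CSV format described above, as an added example that is not part of the Symantec guide or product. The case-insensitive duplicate check, the e-mail shape test, the treatment of blank names as acceptable, and all sample rows are assumptions made for illustration. It also lists group names the import would create, because a typo in the fifth column silently produces a new group.

```python
import csv
import io

REQUIRED_HEADER = ["Username", "First Name", "Last Name", "Email"]


def looks_like_email(value):
    """Basic shape check only (assumption: the guide does not define one)."""
    local, sep, domain = value.partition("@")
    return bool(sep and local and "." in domain
                and "@" not in domain and " " not in value)


def check_bulk_users_csv(raw, existing_users=(), existing_groups=()):
    """Pre-check a bulk-user CSV (bytes) before uploading it.

    Returns a dict with:
      errors     - file-level problems (encoding, header); rows are not checked
      accepted   - rows matching the documented format, as dicts
      ignored    - (line_number, reason) for rows that would be skipped
      new_groups - group names not in existing_groups, which would be created
    """
    report = {"errors": [], "accepted": [], "ignored": [], "new_groups": []}
    try:
        text = raw.decode("utf-8-sig")  # utf-8-sig also strips a leading BOM
    except UnicodeDecodeError as exc:
        report["errors"].append("not valid UTF-8 at byte %d" % exc.start)
        return report

    rows = csv.reader(io.StringIO(text, newline=""))
    header = [cell.strip() for cell in next(rows, [])]
    if header[:4] != REQUIRED_HEADER:
        report["errors"].append(
            "header must start with: " + ", ".join(REQUIRED_HEADER))
        return report

    seen = {name.lower() for name in existing_users}
    known_groups = {name.lower() for name in existing_groups}
    for row in rows:
        line = rows.line_num
        cells = [cell.strip() for cell in row]
        if not any(cells):
            continue  # blank line
        if len(cells) < 4:
            report["ignored"].append((line, "fewer than four columns"))
            continue
        username, first, last, email = cells[:4]
        group = cells[4] if len(cells) > 4 else ""
        if not username:
            report["ignored"].append((line, "empty username"))
        elif username.lower() in seen:
            report["ignored"].append((line, "user exists or is repeated"))
        elif not looks_like_email(email):
            report["ignored"].append((line, "malformed email address"))
        else:
            seen.add(username.lower())
            report["accepted"].append({
                "Username": username, "First Name": first,
                "Last Name": last, "Email": email, "Group": group})
            if (group and group.lower() not in known_groups
                    and group not in report["new_groups"]):
                report["new_groups"].append(group)
    return report


# Constructed sample file. Non-ASCII names are written as escapes.
SAMPLE = (
    "Username,First Name,Last Name,Email,Group\r\n"
    "jdoe,Jane,Doe,jane.doe@example.com,Managers\r\n"
    "zo\u00eb,Zo\u00eb,M\u00fcller,zoe@example.com,Developers\r\n"
    "jdoe,John,Doe,john.doe@example.com,Managers\r\n"          # repeated user
    "bsmith,Bob,Smith\r\n"                                      # too few columns
    "akhan,Aisha,Khan,aisha.khan-at-example.com,Managers\r\n"   # bad email
    "mlee,Min,Lee,min.lee@example.com,Mangers\r\n"              # typo in group
).encode("utf-8")

if __name__ == "__main__":
    result = check_bulk_users_csv(SAMPLE, ["admin"], ["Managers", "Developers"])
    for key, value in result.items():
        print(key, value)
```

Compare the `ignored` and `new_groups` output with the confirmation screen in Step 1 of 2 before clicking Add New Users.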

On the Users page, you can create groups and assign roles. Groups are the bins that contain members. Roles define the permissions those members have. If you specify permission for a role to View all Devices or View all Users, the Admin Scope box lets you specify which devices and/or users the members of this group have rights to view.

You can edit existing roles and create new roles and edit existing groups and create new groups. For instructions on editing roles, see The Settings Page section of this document.

To edit a group, click on the group and click edit. To add a new group, click Add New Group. Both options will take you to the screen where you can name the group and assign roles and members.


The Devices Page

The devices identified on the Devices tab are populated automatically when users are onboarded. For any given device, the following information is captured and displayed:

• Product (e.g., Apple iPhone 4)
• OS (e.g., iOS 6)
• UDID – Unique Device Identifier
• Wifi MAC Address
• Date and time of last contact with App Center
• Whether Notifications are enabled
• Whether Notifications are verified
• If an MDM policy is applied (and which one)
• Whether the device is in compliance with the MDM policy
• Whether compliance has been checked on the device
• Whether the user has accepted the MDM terms and conditions
• A list of the apps installed (via App Center)

If the app was installed via MDM, then a button to uninstall the app is made available. If the app has had an app policy applied, then the app can be:

• Blocked – The app remains resident on the device, but the user may not launch the app.
• Revoked – The app is sent a “poison pill” message and will destroy itself and all associated data.

Specific commands can be sent to the device by pressing the Commands button. This list will vary depending on the specific OS, device characteristics, and whether MDM is enabled.

Commands that can be sent to the device include:

• Dissociate - Each device is linked to one user; you can dissociate this device from its user, making it available for another user.
• Lock – The device is locked until the administrator unlocks.
• Wipe – All the apps and data on the device are wiped clean.
• Reset Password – The device password is reset.
• Ping – A test message is sent to the device.
• Revoke All Apps – Send a poison pill to all the apps delivered via App Center to destroy all apps and associated data (leaves personal apps and data untouched).


The Device Policy Page

Mobile Device Management (MDM) allows administrators to set device policies to be applied to their users’ mobile devices.

Tasks which can be performed include:

• Remote data wipe
• Device lock
• Password reset
• Password length and quality enforcement
• On-device storage encryption
• App or device feature blocking (iOS only)

As some organizations will be using external MDM solutions, this capability is disabled by default. To enable MDM, click on Go to Settings and see the Settings > Device Management section.

New device policies can be created by hitting the New Policy button. After naming the policy, choose:

• Which groups the policy should apply to
• Select the device policies that will apply to all devices
  o Password Quality
  o Password Expiry
  o Device Lock / Wipe if multiple failed logins
  o Storage Encryption
• Select the device policies that will apply to iOS devices
  o Time interval before requiring user to enter their passcode
  o Ability to disable push messages when the device is roaming
  o Allow app installation from the iTunes App Store
  o Allow the camera to be used
  o Allow Explicit Content (as marked by content providers such as record labels)
  o Allow screenshots
  o Allow the YouTube app
  o Allow the iTunes app
  o Force iTunes Password Entry
  o Allow the Safari browser
  o Allow Untrusted TLS Prompt - can automatically reject untrusted HTTPS certificates without prompting the user
  o Allow iCloud Backup
  o Allow iCloud Document Sync
  o Allow iCloud Key-Value Sync
  o Allow Photo Stream


With MDM enabled, when a user logs in to the App Center using the mobile device, if MDM is not already enabled on the device, the user will be prompted to enable the feature and become compliant with the policy assigned to the device. Devices that are not compliant are denied access to the App Center.

When multiple device policies are in effect, they are applied in the order in which they are listed on the Device Policies tab.

For example, if a user is in the group “administrators” and the device policy “Acme Default Policy” is listed first, then this will be the policy applied to the user, even if they are also in a group that has a different policy associated which is further down the list.

To change the priorities of the various policies, hit the Change Priorities button and move the relevant policies up or down, using the appropriate buttons and then click Save.
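The ordering rule above can be modelled offline to see which policy each user actually receives and which policies are shadowed by one listed earlier. This is an added example, not App Center code: it assumes the first listed policy whose groups include the user is the only one applied, as the guide's example implies, and every name except “Acme Default Policy” and “administrators” is constructed.

```python
def effective_device_policies(policies, users):
    """Resolve the device policy each user receives.

    policies: list of (policy_name, groups) in the order shown on the
              Device Policies tab (first entry = highest priority).
    users:    dict of username -> iterable of group names.
    Returns   dict of username -> {"applied": name or None, "shadowed": [...]}.
    """
    resolved = {}
    for user, groups in users.items():
        member_of = set(groups)
        matches = [name for name, targets in policies
                   if member_of & set(targets)]
        resolved[user] = {
            "applied": matches[0] if matches else None,  # first listed match
            "shadowed": matches[1:],                     # match, never applied
        }
    return resolved


def preview_priority_change(policies, new_order, users):
    """Return {user: (old_policy, new_policy)} for users whose applied
    policy would change if the list were reordered to new_order."""
    by_name = dict(policies)
    if sorted(new_order) != sorted(by_name):
        raise ValueError("new_order must list every policy exactly once")
    before = effective_device_policies(policies, users)
    after = effective_device_policies(
        [(name, by_name[name]) for name in new_order], users)
    return {user: (before[user]["applied"], after[user]["applied"])
            for user in users
            if before[user]["applied"] != after[user]["applied"]}


# Constructed sample data (assumption, for illustration only).
POLICIES = [
    ("Acme Default Policy", {"administrators", "staff"}),
    ("Field Tablets", {"field-staff"}),
    ("Contractor Lockdown", {"contractors"}),
]
USERS = {
    "alice": {"administrators", "field-staff"},
    "bob": {"field-staff"},
    "carol": {"staff", "contractors"},
    "dave": {"guests"},
}

if __name__ == "__main__":
    for user, result in effective_device_policies(POLICIES, USERS).items():
        print(user, result)
    print(preview_priority_change(
        POLICIES,
        ["Contractor Lockdown", "Field Tablets", "Acme Default Policy"],
        USERS))
```

A non-empty `shadowed` list marks a user whose stricter group policy never takes effect under the current order, and an `applied` value of `None` marks a user no listed policy covers.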

For more information, see the Creating an MDM Certificate section of this document.

The Downloads Page

The following are the software downloads available on the Downloads tab:

Android Native Client

The Android native client presents a marketplace interface to mobile users, showing new and updated applications that are available for download from your App Center. The native client also implements Android notifications and device management commands.

Mobile users typically download the mobile client using a link in the invitation email they receive when they are added to the system.

You can rebrand the Android native client with a custom icon and title.

iOS Native Client

The iOS native client runs on iPhone, iPad, and iPod to bring the full App Center experience to mobile users.

Android Sample App

The Android Sample App is a simple application that you can use to upload to your App Center. You may use your own app, but in case you don't have one, we have provided this one.

After you perform an upgrade on the server, you must rebuild your clients. Otherwise, clients do not receive the new client-side features and enhancements. You can rebuild your clients from the Downloads page. Download the App Center Builder to the system that you used to build the previous version. Launch it, fill in the information as appropriate, and submit it as you did when you originally built the client.


The Account Page

Licensing:

Symantec App Center uses the following types of licenses:

Trial

All features are enabled.

Basic (subscription and perpetual)

All features are enabled except app and content wrapping.

If you have applied only a Basic license, a message appears on the App Policy and Content pages to indicate that these features are unavailable.

Standard (subscription and perpetual)

All features are enabled except MDM.

If you have applied only a Basic license, a message appears on the Device Policy page to indicate that this feature is unavailable.

Enterprise (subscription and perpetual)

All features are enabled.

Storage add-on

Users receive 4 GB of storage for free. The storage add-on license adds additional storage space.

Note: Used storage space is calculated based on all of the files (apps and content) that you upload.

The Account > Licensing page not only lets you add licenses, but it shows the status of your licenses and which licenses have been applied. When a license is valid and in good standing, the data in the Used column appears in green. When the license is in a warning state (i.e., the tenant is within 10% of the licensed user count, the storage is 200 MB away from the licensed storage limit, or the license is close to expiring), the data in the Used column appears in yellow. When the tenant exceeds the licensed user count, exceeds the storage limit, or the license has expired, this data appears in red.

When a license enters a warning state or has exceeded its limit or expired, a message appears in the banner of the Admin Console. If you click the banner, you are automatically taken to the Account > Licensing page. Symantec App Center can also send you notifications about licensing issues. For more information, see Licensing Notifications.

Before you can add a license, you must first obtain the license serial number from Symantec. The computer on which you run the App Center Admin Console must also have access to the Symantec licensing server.

To add a new license:

1. On the Account > Licensing page, click Add new license.
2. In the Serial number box, type the serial number.
3. Click Add.

If the license is successfully applied, a message appears and the newly applied license appears under the Applied license heading.


Personal:

Specify the user’s name, email address, user name, password, and preferred language. This information can be updated with the Edit button, and the administrator’s personal password can be changed.

Business:

Specify the business’s legal entity, primary contact, phone number, and address. With the exception of the Account Type, this information can be updated with the Edit button.

The Reports Page

This section covers the options available to administrators for reporting, either using the Standard Reports available directly from App Center or by utilizing the Data API for custom reporting.

Standard Reports

An administrator can generate various reports on App Center usage from the “Reports” menu of the Admin Portal. The following table outlines the standard reports that are available. The administrator can customize the report data for specific User Groups by selecting the appropriate check box and for specific periods by selecting a date range prior to clicking the “Create Report” button.

Report Notes

All Apps

A list of all apps, their title, packbund ('package ID' (iOS) or 'bundle ID' (Android)), platform, and when it was last published.

App Downloads by Category

Creates a pie chart with the total number of app downloads by category. The categories are admin-defined – creation of categories is discussed in “Settings – Standard/Enterprise Edition.”

App Downloads by Platforms and OS Version

Creates a pie chart.

App Downloads Per Week

Shows the total number of app downloads per week, sorted by operating system.

App Feedback

A list of all reviews that have been submitted for an app. The app name, app version, reviewer user name, star rating, and the full text of the review are shown.

App Inventory History

A list of apps that have inventory management enabled. The list shows the App title, Inventory Code, Installation status, user who used the code, device the app was installed on, and date this happened (date consumed).

App Inventory Status

Related to App Inventory History, it shows a list of apps with inventory management enabled, the code, how many are still available, how many consumed (i.e., used) and how many are reserved (used, but not yet installed).

App Popularity by Install Count

Creates a chart showing popular apps based on install count.

Associated Users per App

A list of apps and users that can administrate each app. Shows the app name, app platform, group association, and user's full name.

Blacklisted Devices

A list of devices that have been blacklisted. Shows the Device name, the MAC address, the user associated with the device, and that user's email address.

Device Details

A list of all devices in the system. Shows the name of the user, the name of the device, the manufacturer, the OS version, the type (phone or tablet), the UDID (if available), the MAC address (if available), whether the device is marked as 'corporate owned' in the DB, and the MDM policy (labeled Policy Name) that applies to this device.

Devices by Platform & OS Versions

Creates a pie chart with data showing the device categorized by Platform and OS versions.

Groups With a Single User

Displays a list of all groups that only have a single user present. The user's username, full name, and email address are included.

MDM Compliance Status

Shows a list of all devices and their current MDM compliance status. Green rows are compliant; red rows are non-compliant. Other available information may include the device name, the date the user first accepted the terms and conditions of MDM, the date the user was last known to be compliant, the device policy name, and the reason for any non-compliance.

New Users Per Week

Shows the number of new users that have been onboarded.

Operating System by User

Creates a list of all devices and their operating system. Other included details are username, first name, last name, device name, and group association.

Sessions Per Week

Three separate reports are available on the number of logins per week for:

• User Portal
• Mobile Clients / Web Clips
• Portal

System Status Statistics

Provides the number of Active Users, Apps, Devices and App Versions.

Third Party Installed Apps

Shows a list of devices and the third party apps that are installed. Third party apps are apps that have not been distributed through the App Center, but rather through the App Store or Google Play. Note that this information is only available for devices using a Device Policy with 'Collect App Information' enabled.

User App Access

A list of apps and users. Shows which apps users have installed. Shows the App title, the version of the app (called 'App Pointer') that is installed, the user name, the user's name, and the user's email.

Users Per App

A list indicating which apps a user has installed, which platform they are using, and what group they belong to. Report shows the date the app was installed, the app title, the bundle or package identifier of the app (labeled 'Bundle'), the version of the Bundle, the platform the bundle is built for, and information about the user, including the user's group(s).

Users and Devices per App Version

Similar to Users Per App, but searchable by specific apps and app versions, and shows the device name.

Users by Group

A list of users and the groups they belong to. Shows one row per user per group.

Downloading Reports

Any generated report can be downloaded as a CSV file by clicking the “Download CSV” button on the Report menu.

The Settings Page

The “Settings” tab has the following menu items:

• User Authentication
  o Password Lockout
  o Admin Password Policy
  o User Password Policy
  o Offline PIN Policy
• iOS Client
• Android Client
• Mobile User Invitation Email
• External Identity Provider
  o Server Configuration
  o Authentication Options
  o Group Options
• Device Management
• Notifications
• Android Keystore Certificates
• Apple/iOS Certificates
• Standard/Enterprise Edition
  o Enhanced Store
  o End-User Portal
• APIs
• Branding
• International
• Inventory Management
• Metadata
  o App Versions
  o Content Versions
• BlackBerry
• Roles & Permissions
• Google GCM

Each is covered on the following pages.

User Authentication

Setting Notes

Use Email Address as username

Email addresses are used for login instead of user names, which eliminates the need for users to remember user names.

Have mobile login screens remember usernames

Ability to search for any term related to apps in all relevant fields (e.g., app title, app description, etc.).

Screenshots The mobile client login screens will pre-fill the username or email address. This is a convenience to end-users, who then only need to enter their password in order to authenticate.

Allow mobile client download without authentication

Some organizations are comfortable with anonymous users downloading their App Center mobile clients, as the clients themselves require user authentication. Enabling this feature will allow any user to visit the App Center URL and download App Center client apps without that user being authenticated.

Password reset requests expire after x days

User password reset requests expire after x days.

Use ReCaptcha for increased security in password resets

This will force users to enter a Captcha when resetting their password.

The Local Identity Provider (Local IDP) authenticates users against the App Center database rather than Active Directory. If you are using Local IDP, you have the ability to apply the following user authentication features.

Password Lockout

Admin Password Policy

If you change the password strength, the user will be forced to change their password the next time they log in. The password strength is determined by the number of eligible check boxes that are checked (eligible check boxes include require uppercase, require lowercase, require numbers, require non-alpha, first three unique) or if the minimum password length is increased.

If you enable either MDM or an App Policy for the admin, all options on the Admin Password Policy will be checked and the minimum password length will be set to 8.

User Password Policy

If you change the password strength, the user will be forced to change their password the next time they log in. The password strength is determined by the number of eligible check boxes that are checked (eligible check boxes include require uppercase, require lowercase, require numbers, require non-alpha, first three unique) or if the minimum password length is increased.

Offline PIN Policy

This setting is associated with the offline authentication on wrapped apps or iOS native App Center clients.

If you change the password strength, the user will be forced to change their password the next time they log in. The password strength is determined by the number of eligible check boxes that are checked (eligible check boxes include require uppercase, require lowercase, require numbers, require non-alpha, first three unique) or if the minimum password length is increased.

iOS Client

You have two options for the mobile client program on iOS, web clip and native.

The web clip client is easy to get started with because it does not require any special certificates or customization. While the web clip is simple to set up, it lacks features such as push notifications and custom branding. The web clip is always up-to-date because it is served by App Center.

The native app client supports notifications and branding. There is up-front work to create the native app, which requires you to create an in-house distribution certificate using your Apple Enterprise Developer account. The Symantec branding tool is used to create and update the native app.

Limited Use Tokens

When this is checked, users can only use certain buttons/tokens once (for example, Install). If it is not checked, users can use tokens as many times as they want in a 24 hour period.

See the “Creating an App Center Client” section in this document.

Android Client

If Usage Restrictions is selected, the App Center will not run on rooted Android devices.

Mobile User Invitation Email

One of the options for onboarding users is to send an email to the user with instructions on how to get started. The administrator can customize the message. For more information, see “The Users Page”.

External Identity Provider

Symantec App Center provides a simple local Identity Provider (IDP) as a standard part of App Center and Content Center. It is easy to use and requires no integration, so it is ideal for small user environments such as trials. However, for production environments, almost all implementations are likely to require integration with external IDPs.

When using an external IDP, you get the advantage of centralized user management, as well as easily tying into an established corporate identity framework. When enabled, this allows regular users as well as administrators to authenticate to App Center using the external identity provider.

Basic configuration of AD/LDAP is accomplished by a step-by-step flow. This section will walk you step-by-step through AD/LDAP configuration. This section assumes that you already have AD Domain Controllers (DCs) (or other IDP) with LDAP enabled.

If you plan on using AD/LDAP groups within App Center, the best practice is to create the needed groups within App Center before starting the AD/LDAP configuration process. You can always add more group mappings later, but having the initial set of groups already created in App Center makes configuration more straightforward.

Often the corporate IDP has many more groups (hundreds or thousands) than are required for implementing app or device policy. To make group management less cumbersome, App Center imports AD/LDAP groups and allows you to map these AD/LDAP groups to App Center groups. In the end, AD/LDAP groups can be used to drive policy, and App Center is much easier to manage.

To add groups to App Center, use the “Add New Group” button on the “Users” tab.

Server Configuration

To start the configuration process, use the “Server Configuration” sub-panel.

You will need to enter the server URI (URL), and also the administrator user name/password. Symantec recommends that you create an external-IDP account with only enough privilege to perform the needed LDAP queries, and then use the user name/password from that external-IDP account in this form. Symantec also recommends that you always use SSL.

App Center will attempt to automatically verify the connection whenever this form is changed. After the green light indicates that the connection is verified, press the “Save” button.

Authentication Options

After the server connection has been configured, the next step is to configure authentication options. To do this, use the “Authentication Options” sub-panel.

Enter the search base DN. For our test DC, the correct string is:

OU=employees, OU=Domain Controllers, DC=nukona, DC=com

The value of the search base DN is driven by the setup of your IDP, so yours will be different.

Enter the user name, first name, last name and email attribute names. The defaults presented are typical for AD. After all is entered, you will want to perform a test authentication before moving forward. Unlike the test that was performed during server configuration, this is a simulation of an actual end-user authentication. Click the “Test” button, enter an end-user user name and password, then click the “Test” button on the dialog box.

If all has been configured correctly, you will see a green light and “authentication verified” displayed at the bottom of the panel.

Click “Save” and move to the “Group Options” sub-panel.

Group Options

If you want AD/LDAP groups to drive policy within App Center, then you need to import LDAP groups and then map some of the LDAP groups to App Center groups. On the “Group Options” sub-panel, specify the search base DN, group attribute type and group type. For our test DC, the correct search base DN is:

OU=employees, OU=Domain Controllers, DC=symantec, DC=com

This value will be different for your DC. After the form is completed, App Center will perform a query and load the list of attributes.

You will see the LDAP groups on the left-hand side. If you want to map groups, select the corresponding App Center groups on the right-hand side, and click “Save.”
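The settings collected in the Server Configuration, Authentication Options and Group Options sub-panels can be sanity-checked offline before they are typed into the console. The script below is an added example, not part of App Center or of this guide: it flags a server URI that is not `ldaps://`, a malformed search base DN, and user and group search bases whose `DC=` components name different domains. The function names and server URIs are assumptions; the two DNs are the ones printed above, and a domain mismatch is only a prompt to double-check, since some directories do span domains.

```python
from urllib.parse import urlsplit

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; a backslash escapes the next character."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            buf.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append("".join(buf))
            buf = []
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def dns_domain(dn):
    """DNS domain implied by the DC= components, e.g. 'nukona.com'."""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")

def preflight(server_uri, user_base_dn, group_base_dn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    uri = urlsplit(server_uri)
    if uri.scheme.lower() != "ldaps":
        findings.append(f"server URI scheme is {uri.scheme!r}, not 'ldaps'")
    if not uri.hostname:
        findings.append("server URI has no host")
    domains = {}
    for label, dn in (("user", user_base_dn), ("group", group_base_dn)):
        try:
            domains[label] = dns_domain(dn)
        except ValueError as exc:
            findings.append(f"{label} search base DN: {exc}")
            continue
        if not domains[label]:
            findings.append(f"{label} search base DN has no DC= components")
    if len(domains) == 2 and domains["user"] != domains["group"]:
        findings.append(f"user base is in {domains['user']!r} but group base is in {domains['group']!r}")
    return findings

# The two search base DNs as printed on this page; the server URIs are constructed.
USER_BASE = "OU=employees, OU=Domain Controllers, DC=nukona, DC=com"
GROUP_BASE = "OU=employees, OU=Domain Controllers, DC=symantec, DC=com"

if __name__ == "__main__":
    for line in preflight("ldap://dc1.example.test:389", USER_BASE, GROUP_BASE):
        print("FLAG:", line)
```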

Subgroups by OU

If you are using Active Directory as your external IDP, you can create subgroups. You can add one level of subgroups to any mapped OU from AD to organize your users. Though the subgroup functionality is limited, it creates a way to mimic the AD tree locally.

Note that you cannot create subgroups in subgroups. Only one level of subgroups is allowed.

In the screenshot to the right, you can see how you can select groups and/or subgroups throughout the console once subgroups are created.

Enable IDP

You are almost done! After configuring group options and clicking “Save”, you are brought back to the “External Identity Provider” panel. Click “Enable IDP”.

The App Center internal IDP still plays a role, even when an external IDP is enabled. All authentications are processed against the external IDP first, and then against the internal IDP in the case of failure.

It is critical to have administrative accounts configured within the App Center IDP, even when relying on an external IDP for authentications. In the event that the external IDP is malfunctioning or otherwise unavailable, the administrative accounts in the local IDP will allow you administrative access to App Center.

Device Management

App Center allows the administrator to control Android and iOS devices, performing such tasks as:

• Remote data wipe
• Device lock
• Password reset
• Password length and quality enforcement

Enable device management

To enable device management, check the box and save the form. Immediately after saving this form, MDM is required for all devices going forward. Mobile users will not be able to access App Center until their devices comply with the required policy.

Policies are defined on the Device Policy tab. These policies are associated with groups, and the policies are applied to devices belonging to users in the associated group.

Groups and policies can be combined such that a single device may have several available policies associated with it. In that case, the highest priority policy is associated with the device (according to the Device Policy tab).
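Because only the highest-priority policy applies, a user who belongs to several groups can end up under a weaker policy than one of their other groups would impose. The audit below is an added example, not App Center code: it resolves the winning policy per device and reports devices where a lower-priority policy demanded a longer password. The data layout, field names and sample records are constructed assumptions, with list order standing in for the priority order shown on the Device Policy tab.

```python
# Constructed sample data. Index 0 is the highest-priority policy.
POLICIES = [
    {"name": "Contractors", "groups": {"contractors"}, "min_password_length": 4},
    {"name": "Finance", "groups": {"finance"}, "min_password_length": 10},
    {"name": "Default", "groups": {"all-staff"}, "min_password_length": 6},
]
DEVICES = [
    {"device": "ipad-014", "user_groups": {"finance", "all-staff"}},
    {"device": "pixel-203", "user_groups": {"contractors", "finance"}},
    {"device": "iphone-377", "user_groups": {"all-staff"}},
    {"device": "tab-990", "user_groups": {"interns"}},
]

def candidate_policies(user_groups, policies):
    """Policies associated with any of the user's groups, in priority order."""
    return [p for p in policies if p["groups"] & user_groups]

def effective_policy(user_groups, policies):
    """The highest-priority candidate, or None when no policy matches."""
    candidates = candidate_policies(user_groups, policies)
    return candidates[0] if candidates else None

def audit(devices, policies):
    """Return (device, winning policy, shadowed stricter policies) for each device
    that needs review. A device that matches no policy is reported with None;
    the guide does not say what applies in that case."""
    findings = []
    for dev in devices:
        candidates = candidate_policies(dev["user_groups"], policies)
        if not candidates:
            findings.append((dev["device"], None, []))
            continue
        winner = candidates[0]
        stricter = [p["name"] for p in candidates[1:]
                    if p["min_password_length"] > winner["min_password_length"]]
        if stricter:
            findings.append((dev["device"], winner["name"], stricter))
    return findings

if __name__ == "__main__":
    for device, winner, stricter in audit(DEVICES, POLICIES):
        if winner is None:
            print(f"{device}: no policy matches this user's groups")
        else:
            print(f"{device}: gets {winner}, which shadows stricter {stricter}")
```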

The device management box can be unchecked and saved, and MDM will no longer be required. However, MDM is not automatically uninstalled from user devices.

iOS Settings

For iOS Device Management, you must generate and upload an MDM Certificate with the correct App IDs. MDM certificates are created in the iOS Provisioning Portal and uploaded to App Center.

See the “Creating an MDM App ID and Certificate” section in the “Symantec iOS Certs and App Center Client” document. For iOS 5 and later devices, App Center can install native and web clip apps using the MDM protocol. Apps installed using this method can be removed without user consent by clicking on an "Uninstall" button within the App Center Admin Portal.

The options that can be selected are:

• Install iOS native apps via MDM (for devices running iOS 5.x and later)
• Install iOS web clip apps via MDM

Allow devices that do not have remote management capabilities

App Center can be configured to allow or deny access to Android devices that do not support device management. You can choose to allow these devices access to App Center even though they cannot be remotely managed.

Checking policy and reporting problems

App Center will poll registered devices on a regular schedule to ensure that the device is under management. The frequency of the check can be configured.
