Cloud Deployment Guide

(1)

(2)

Introduction – What is the Cloud?

At the most basic level, cloud computing means storing and accessing data and programs over the Internet and is actually just a trendy marketing term for outsourcing. Indeed, "the cloud" is really just a metaphor for the

Internet. It goes back to the days of flowcharts and presentations that would represent the gigantic server-farm infrastructure of the Internet as nothing more than a puffy white cloud, accepting connections and doling out information as it floats.

In its most practical sense, however, the cloud is about not having to install and maintain a dedicated hardware server locally within your enterprise. Hence, in a cloud computing system, there's a significant workload shift. Local servers no longer have to do all the heavy lifting when it comes to running applications.

In fact, cloud computing really comes into focus when you think about what your IT group always needs—a way to increase capacity or add capabilities quickly without investing in new infrastructure, training new personnel, and licensing additional support software.

The Private Cloud

The private cloud refers to an external private cloud that allows your enterprise IT to maintain dedicated

resources while also being able to outsource some or all of the infrastructure. Thus, when it comes to enterprise mobility management, your IT department can now outsource some or all of these resources to a hosting provider—in this case, Good—while maintaining the performance and security of its own dedicated systems.

Good Work in the Cloud

With the ease and simplicity of a Good Work cloud deployment, small and mid-sized organizations can now enjoy the same enterprise-grade security from Good that thousands of global organizations count on.

This guide briefly covers the cloud deployment option for Good Work and is intended for IT managers and administrators with a working knowledge of the Internet and Software as a Service (SaaS) technologies.

(4)

Environment Prerequisites

Because your Good Work infrastructure lives in the cloud, there is virtually zero hardware setup required beyond having a PC/Mac connected to the Internet, and a reliable browser like Chrome or Safari.

For cloud deployments, Good Work currently only supports Microsoft Office 365 (O365). Consequently, you must have an O365 account in order to use the Good Work client. Microsoft O365 accounts can be obtained from MicrosoftHERE.

The Good Work app is supported on iOS and Android devices, available for download from theApp Storeand

Google Play, respectively.

Getting Started

The first step in setting up Good Work in the cloud is to request the trial from Good, which can be done from the following link.

https://community.good.com/gd-app-details.jspa?ID=2842995

Just click Start a Trial to begin.

(5)

A Good account is needed to start the trial. If you already have an account, click Log in on the left to start the trial. If you don't already have an account, fill out the necessary information to create one, then click Start Trial.

Next, select CLOUD, agree to the Terms of Service, and click Continue.

It takes few minutes for the system to set up your cloud environment, and then you'll see:

(6)

Click Open Good Control. On initial launch, an Admin account is automatically created for you based on your Good account credentials.

Click OK and you're ready to log in to your Good Control console.

Click Log In.

You can now add users to your system.

(7)

To add users:

1. Click Add Users under USER ACCOUNTS in the DASHBOARD. 2. For each new user, enter the following information:

a. Email Address (required) b. First Name (optional)

c. Last Name (optional) 3. Click Submit.

Each user added will automatically receive an email notification with provisioning details for the Good Work app.

Accessing Your Cloud Servers

Cloud servers can be accessed from the Good Admin portal at

https://community.good.com/community/administrators-home.

Once you login to the Admin portal, click My Servers and select Manage Servers and Licenses to open a new page listing your cloud servers.

(8)

From here you can add, remove, and edit your cloud servers.

Configuring Your Office 365 Service Account

In order to configure Push Notifications for the Good Work app, you'll need an O365 service account with application impersonation rights.

Before proceeding with the configuration in the Good Cloud, first make sure your O365 account has the proper application impersonation permissions. For more information on how to grant permissions to the O365 service account, please refer toKB2725.

For quick 1-2-3 instructions on creating a Windows Service Account, see theAppendix.

(9)

More briefly, however, for Push Notifications to work properly, you must complete a critical configuration requirement in your Microsoft Exchange 365 account.

To configure Application Impersonation permissions: 1. Log in to your O365 account Admin Console.

2. Click admin > exchange > permissions. 3. Click the plus sign (+).

4. In the new role group window, enter GoodEWS in the Name field, and Good Admin EWS Application Impersonation in the Description field.

5. Click + under Roles and select ApplicationImpersonation. 6. Click + under Members and select GoodAdmin.

7. Click save.

(10)

Configuring Push Notifications

Once your O365 account is configured properly, login to theGood Admin portaland click Configure Push Notifications.

Before proceeding, please make sure you have configured your O365 service account for application impersonation in accordance with the instructions above forConfiguring Your Office 365 Service Account.

(11)

During initial configuration, you will be prompted to create a password for your GEMS cloud account.

Once your password is created, login to your GEMS-Cloud server and enter your O365 service account email address and password.

(12)

Click Test to verify your O365 service account credentials. Once a successful result is confirmed, click Save. Please refer toCloud GC Online Helpfor more complete guidance and instructions for administrators.

(13)

Appendix - Creating a Windows Service Account

To create and manage a Windows service account you will need to belong to one of two administrator roles: domain administrator or service administrator.

The domain administrator can create, administer, and delegate management for managed service accounts in Active Directory Domain Services (AD DS). In addition, any user with Create/Delete

msDS-ManagedServiceAccount permissions can also administer these managed service accounts.

The service administrator installs and manages these accounts on a computer running Windows Server 2008 R2 or Windows Server 2012. A user in this role needs to be a member of the local Administrators group on the computer.

Windows PowerShell cmdlets can be used to create, read, update, and delete managed service accounts on a domain controller.

Service administrators can use Windows PowerShell cmdlets to install and uninstall these accounts and to reset passwords for these accounts on a computer running Windows Server 2008 R2 or Windows Server 2012. After a managed service account has been installed, service administrators can configure a service or application to use this account; they no longer have to specify or change passwords for these services because these account passwords will be automatically maintained by the computer. The service administrator will be able to configure the service principal name (SPN) on the service account without requiring domain administrator privileges. To create a new managed service account (MSA):

1. On the domain controller, select Start > Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. 2. Select Start > All Programs > Windows PowerShell <2.0 or 3.0>, then click the Windows PowerShell icon. 3. Run the following command:

New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]

4. Associate the new MSA with the computer account by running the following command: Add-ADComputerServiceAccount [-Identity] <ADComputer> <ADServiceAccount[]>

Note: Optional parameters are indicated with square brackets [], and placeholder values are indicated with angle brackets <>.

To install a managed service account on a local computer:

1. Select Start > All Programs > Windows Powershell <2.0 or 3.0>, then click the Windows Powershell icon.

(14)

Caution:The account name attribute must match the account name in the Security Account Manager (SAM) database. If the account name attribute does not match the corresponding SAM account name, the installation will fail with error 0xC0000225.

To use the Services snap-in console to configure a service to use a managed service account: 1. Click Start, point to Administrative Tools, and then click Services.

2. When prompted for permissions, click Continue.

3. Right-click the name of the service that you want to use, and click Properties.

4. Click the Log On tab, click This account, and type the name of the managed service account in the format

domainname\accountname or click Browse to search for the account. Confirm that the password field is

blank, and then click OK.

5. Select the name of the service, and click Start the service or Restart the service. Confirm that the newly configured account name appears in the Log On As column for the service.

Important:There must be a dollar sign ($) at the end of the account name in the Services snap-in console. When you use the Services snap-in console, the SeServiceLogonRight logon right is automatically assigned to the account. If you use the Sc.exe tool or APIs to configure the account, the account has to be explicitly granted this right by using tools such as the Security Policy snap-in, Secedit.exe, or NTRights.exe.

If a managed service account is no longer being used on this machine, a local administrator may want to uninstall the account from the local computer.

To uninstall a managed service account from a local computer:

1. Select Start > All Programs > Windows PowerShell <2.0 or 3.0>, then click the Windows PowerShell icon. 2. Run the following command:

Uninstall-ADServiceAccount [-Identity] <ADServiceAccount> [-Confirm] [-WhatIf] [-Credential <PSCredential>]

Note: Although managed service account passwords are reset on a regular basis based on the password reset requirements of the domain, a local administrator can still reset the password manually, if needed.

(15)

Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.