CA Mobile Device Management 2014 Q1 Installing

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.


Table of Contents

Installation Prerequisites ... 9

System Requirements ... 9

Understanding CA MDM Installation Image ... 10

CA MDM Server Requirements ... 10

Administrator Console Requirements ... 13

CA MDM Administrator Server Requirements ... 13

CA MDM Administrator Browser Requirements ... 16

Database Requirements ... 16

Enrollment Server Requirements ... 17

Enrollment Server Resource Recommendations ... 19

Self-Service Portal Server Requirements ... 19

Relay Server Requirements ... 21

Access Control Requirements ... 22

Package Server Requirements ... 24

SMS Gateway Requirements ... 26

Device Requirements ... 26

Android ... 26

iOS ... 28

BlackBerry ... 30

Windows ... 31

iOS Components Requirements ... 33

Certificate Authority ... 34

Language Code Key ... 36

Language Support for Devices Matrix ... 37

Create the Domain User Account ... 38

Update Passwords and Domain User Accounts for CA MDM ... 39

Estimate the Size of Your Database ... 39

Prepare SQL Server Database ... 40

Configuring the SQL Server Database for Operations ... 41

Generate an APNS Certificate for CA MDM ... 41

How to Obtain an APNS Certificate for CA MDM ... 42

Verify Prerequisites ... 44

Obtaining Root and Intermediate Certificates ... 44

Create a Certificate Signing Request ... 44

Get Your CSR Signed ... 45

Upload Signed CSR to Apple Push Certificate Portal ... 46

Complete the CSR and Export the APNS Certificate ... 46

Upload MDM APNS Certificate to CA MDM Server ... 47


Obtain End-User Acceptance Message Details ... 48

Installation and Configuration ... 50

Enter Your License Key ... 50

Install and Configure CA MDM Server ... 51

Configure LDAP Information ... 52

Configure Active Directory Information ... 53

Basic Rights for Active Directory User ... 54

Install CA MDM Server in a Farm Environment ... 54

Configure CA MDM Server Farm ... 55

Install and Configure CA MDM API Service and Administrator ... 55

Verify CA MDM Administrator IIS Settings ... 56

Modify IIS Connection Timeout Values ... 57

Enable 32-bit Application Pool for CA MDM Administration and Self-Service Portal ... 57

Install and Configure Access Control for Email ... 57

Install Access Control for Email ... 59

Set Up Access Control for Email Using Exchange PowerShell Commandlets ... 59

Access Control for Local Email ... 61

Access Control Components ... 61

Access Control Configurations for Microsoft Exchange ... 61

Access Control Configurations for IBM Lotus Domino ... 63

Set Up Access Control for Local Email ... 66

Configure the CA MDM Filter Listener ... 66

Configure Relay Server for Access Control ... 67

Configure Exchange ActiveSync for iOS Devices ... 68

Edit the Registry to Create Extra Logs ... 68

Examples for Using Substitution Variables When Creating or Editing an Android or iOS Configuration Policy ... 68

Manually Configure an E-mail Application for Android Devices While Using an Access Control Policy ... 69

Install ISAPI Filter Component ... 70

Install the PowerShell Service Component ... 71

Files Installed and Generated by the CA MDM Filter ... 72

Install and Configure CA MDM Server Messaging ... 73

Addresses and Routing for CA MDM SMS and SMTP Messages ... 74

SMS Gateway ... 74

Install SMS Gateway ... 75

CA MDM Third-Party Component Dependency Reference ... 76

Configure CA MDM Server for SMS Gateway ... 77

Set Up SMS Modem ... 78

Set Up SMPP Service ... 79

Configure SSL Connections for SMS Gateway ... 79


Install and Configure Enrollment Server ... 80

Install Enrollment Server-Basic ... 81

Configure CA MDM Server for Basic Enrollment Server ... 82

Configure CA MDM Server for Enrollment Codes ... 83

Configure Certificate Authority ... 84

Configure an Enterprise Root Certificate Authority ... 84

Add the ADCS Role ... 84

Add the NDES Role ... 85

Tune the Certificate Authority for CA MDM ... 86

Configure Certificate Authority Profiles ... 87

Associate Certificate Authorities for Enrollment and Package Servers ... 88

Import Apple Root and Intermediate Certificates for MDM Management ... 88

Configure CA MDM Server for iOS Notifications ... 89

Configure SSL Connections for Enrollment Server ... 90

Add iOS MDM Payload Signing for iOS ... 91

Import Apple Root and Intermediate Certificates for MDM Payload Signing ... 92

iOS MDM Payload Signing Certificate Requirements ... 92

Reinstall the Enrollment Server for iOS MDM Payload Signing ... 93

Configure CA MDM Server for iOS MDM Payload Signing ... 93

Configure the Relay Server for Certificate Authority and Enrollment Server Connections ... 94

Install and Configure Package Server ... 94

Install Portal Package Server ... 94

Configure CA MDM Server for Package Server ... 95

Configure SSL Connections for Package Server ... 96

Install and Configure Self-Service Portal ... 96

Preparing to Install Self-Service Portal ... 97

Install the Self-Service Portal ... 97

CA MDM Self-Service Portal Address ... 98

Configure Enrollment Codes for Self-Service Portal ... 99

Configure CA MDM Server for Self-Service Portal Acceptance Message ... 100

Configure CA MDM Server for Self-Service Portal Request Timeout ... 100

Edit Enrollment Codes for Self-Service Portal ... 101

Remove Association of Enrollment Codes from Self-Service Portal ... 101

Configure Self-Service Portal iOS Consolidated Authentication ... 101

Use iOS Consolidated Authentication with User Group Assignments ... 102

Install and Configure Relay Server ... 104

Relay Server Executable Components ... 106

Set Up Relay Server for Basic Operations ... 107

Set Up Relay Server for Basic Operations with IIS 7.5 ... 107

Copying Relay Server Files ... 107

Configure IIS 7.5 for Relay Server Basic Operations ... 108

Create Relay Server Application Pool on IIS 7.5 ... 108

Create a Web Application for the Relay Server on IIS 7.5 ... 109

Add ISAPI extensions for Relay Server Operations ... 110


Edit Relay Server Configuration File ... 111

Configure File Definitions for Basic Operations with IIS 7.5 ... 112

Install Relay Server Host as a Windows Service ... 113

Set Up Relay Server for Basic Operations with IIS 6.0 ... 114

Copy Relay Server Files ... 114

Configure IIS 6.0 for Relay Server Basic Operations ... 115

Register the IIS User Account with ASP.NET on IIS 6.0 ... 115

Create a Server Application Pool on IIS 6.0 ... 116

Create a Client Application Pool on IIS 6.0 ... 116

Add Web Service Extensions on IIS 6.0 ... 117

Update the Relay Server IIS Configuration ... 118

Edit the Relay Server Configuration File ... 118

Configure File Definitions for Basic Operations ... 119

Restart the Relay Server Host ... 120

Relay Server Support for Server Components ... 121

Relay Server Configuration File–Examples ... 122

Configure Relay Server for CA MDM Server ... 123

Relay Server Bypass ... 124

Configure Relay Server for Enrollment Server ... 125

Configure Relay Server for Certificate Authority ... 126

Configure Relay Server for Access Control ... 126

Configure Relay Server for Package Server ... 127

Launch Relay Server Outbound Enabler ... 128

Install the Relay Server Outbound Enabler as a Windows Service ... 129

Relay Server with SSL ... 130

Enable Relay Server Logging ... 131

Post-Installation Tasks ... 133

Verify CA MDM Server Setting for Device Communication ... 133

Log in to CA MDM Administrator ... 133

Stop, Start, or Restart the CA MDM Server ... 134

Post Installation Configuration for CA MDM Server Farm Environment ... 134

Configure Disaster Recovery ... 135

Assumptions ... 136

Backup plan ... 136

How to Back up ... 136

CA MDM Server ... 136

Relay Server Outbound Enablers ... 138

Database ... 138

Restore the Stand-alone Server ... 138

Database ... 138

CA MDM Server ... 138


Considerations for the CA MDM Farms ... 139

Farm Server ... 139

Verify CA MDM Server Settings After Installation ... 140

Upgrading ... 141

Preparing for Upgrade ... 141

Upgrade CA MDM Server ... 141

Upgrade CA MDM Server in a Farm Environment ... 142

Upgrade Relay Server ... 142

Uninstall CA MDM Components ... 144


Installing

The Installing section contains information on how to install and configure CA MDM. It covers the following topics:

Installation Prerequisites
Installation and Configuration
Post-Installation Tasks
Upgrading


Installation Prerequisites

Verify that the configuration and software prerequisites are satisfied before installing CA MDM components. Review the following topics:

System Requirements

Create the Domain User Account
Estimate the Size of Your Database
Prepare SQL Server Database
Generate an APNS Certificate for CA MDM
Obtain Google API Key

Obtain End-User Acceptance Message Details

System Requirements

Review the following topics about the standard system requirements for CA MDM components.

Understanding CA MDM Installation Image
CA MDM Server Requirements
Administrator Console Requirements
Database Requirements
Enrollment Server Requirements
Self-Service Portal Server Requirements
Relay Server Requirements
Access Control Requirements
Package Server Requirements
SMS Gateway Requirements
Device Requirements
iOS Components Requirements
Language Code Key


Understanding CA MDM Installation Image

The CA MDM product image includes the following folders.

Important! Do not access the folders marked by an asterisk (*). These folders are reserved for the setup program.

AdminUI* – contains the CA MDM Administrator Console installation files.

AfariaServiceHost* – contains the CA MDM API host service files.

Clients – contains the Android CA MDM Client binaries. The client binaries must be hosted in a network location accessible by CA MDM end users on their mobile devices.

Documents – contains the product documentation.

EUSSP* – contains the CA MDM Self-Service Portal installation files.

iPhoneServer* – contains the files for installing the CA MDM Enrollment Server. The enrollment server is a required component for enrolling devices and for iOS operations.

ISAPI* (32-bit version) or ISAPI_x64* (64-bit version) – allows you to install and register the CA MDM ISAPI filter and supporting files on the Internet Information Services (IIS) server of Microsoft Exchange servers. The filter is a required component of the optional CA MDM Access Control for Email feature set.

PackageServer* – contains the CA MDM Package Server installation files.

Redistributables – contains the third-party files that are required for installation:
DotNet – allows you to install the Microsoft .NET Framework Runtime on 32- and 64-bit environments.
VC_RunTime, VC_RunTime_2008 – allows you to install the Microsoft Visual C++ Runtime.
Windows Installer – allows you to install Microsoft Windows Installer.
XML – allows you to install Microsoft XML Core Services (MSXML).

Relay_server – allows you to install and operate an optional Relay Server.

Server* – contains the CA MDM Server installation files.

Utility* – allows you to verify the missing prerequisites on servers and


CA MDM Server Requirements

This setup assumes that you are installing your CA MDM Server and CA MDM Administrator within the same TCP/IP network.

The recommended setup is for 50 to 300 concurrent device sessions.

Component Description

Operating System – The following Windows 64-bit operating systems are supported (Windows Server 2008 R2, setup mode: Full):
Windows Server 2008 Standard Edition R2 with Service Pack 1
Windows Server 2008 Enterprise Edition R2 with Service Pack 1
Windows Server 2008 Datacenter Edition R2 with Service Pack 1
Note: We recommend that you install your operating system on NTFS rather than FAT32.

Processor – Minimum: 1.4 GHz (x64 processor). Recommended: 2.0 GHz or higher.

RAM – The minimum RAM size must be 4 GB.

Disk Space – Minimum: 10 GB. Recommended: 40 GB or greater.

Relay Server – Supported for connections from:
Devices
CA MDM Access Control for Email components

Database – The CA MDM Server must be configured for the same time zone as the database server.
Note: Multiple Administrator and API installations for the same server farm are not currently supported.

Connectivity – The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
Inbound ports 8085, 8086, 8087
Inbound port 8089 – Reserved for internal communication.

DCOM – Inbound port 135 – Listening port. The server manages incoming DCOM calls from other CA MDM Server components using Distributed Computing Environment Remote Procedure Calls (DCE/RPC).
DCOM port range – Ports that are reserved for, and managed by, the DCOM services.

Relay Server (with) – Outbound port 80 (HTTP) or 443 (HTTPS). If the Relay Server Outbound Enabler (RSOE, rsoe.exe) resides on the server, the server uses these ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses these ports to connect to the RSOE.
Relay Server (without) – Inbound port 80 (HTTP) or 443 (HTTPS). The server uses this port to accept communication from devices.

Android GCM – Outbound port 443 for Google Cloud Messaging (GCM); requires connectivity to https://android.apis.google.com/gcm/send. For GCM on Android, navigate to GCM Android, Additional Requirements for Features and Components, GCM.

Device Types – Navigate to iOS Components, General Requirements, Connectivity.
Windows, Android, BlackBerry – devices require connectivity to the server or its optional relay server proxy.
The server connectivity requirements must meet the following features as appropriate for your enterprise environment:
The SQL credentials
Same-domain residency
Cross-domain trusting
A shared workgroup

Access Control (Hosted) – Outbound port 443 (HTTPS)

Directory and Authentication – Review the following supported directory and authentication services:
LDAPv3
Novell eDirectory
Microsoft Active Directory
Netscape Directory Server
Windows NTLM

Client Communication – SSL protocol v3 with X.509 certificates signed by a trusted Certificate Authority or a trusted self-signed Certificate Authority.
Note: Multiple Administrator and API installations for the same server farm are not currently supported.

Additional Requirements – Internationalized domain names (IDN) are not supported for any CA MDM component. The installation path must contain only ASCII characters.
Microsoft Windows Installer 3.1
Microsoft XML Core Services 6.0
Microsoft .NET Framework Runtime 4.5
Microsoft Visual C++ Runtime 2012, 32- and 64-bit
Note: The preceding prerequisite software is supplied on the CA MDM product image.
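As an added example (not part of the CA MDM documentation, and not a CA utility), the following PowerShell script checks from the host it runs on whether the TCP ports in the CA MDM Server connectivity table above are reachable: the CA MDM Server ports 8085 through 8089 and the DCOM listener on 135, the Administrator API service on 7982, the database server, and the GCM send endpoint on 443. The host names are placeholders, and the SQL Server port 1433 is an assumption (the documentation only says the database port is configurable per database type). It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on Windows Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example, not part of the CA MDM documentation: verifies that the TCP
# ports listed in the CA MDM Server connectivity requirements are reachable
# from this host. Host names are placeholders (assumptions); replace them.
$MdmServer = 'mdm-server.example.local'   # placeholder: CA MDM Server
$AdminHost = 'mdm-admin.example.local'    # placeholder: CA MDM Administrator (hosts the API service)
$DbServer  = 'sql.example.local'          # placeholder: SQL Server host

function Test-TcpPort {
    # Returns $true when a TCP handshake to $ComputerName:$Port completes within
    # $TimeoutMs. A timeout means the host is down or the port is filtered; an
    # exception from EndConnect means the port actively refused the connection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One entry per connectivity row of the requirements table. The DCOM dynamic
# port range cannot be checked statically, so only the 135 listener is tested.
$checks = @(
    @{ Name = 'CA MDM Server inbound ports 8085-8089'; Target = $MdmServer; Ports = @(8085, 8086, 8087, 8089) },
    @{ Name = 'CA MDM Server DCOM listener';           Target = $MdmServer; Ports = @(135) },
    @{ Name = 'CA MDM Administrator API service';      Target = $AdminHost; Ports = @(7982) },
    @{ Name = 'CA MDM database (assumed port 1433)';   Target = $DbServer;  Ports = @(1433) },
    @{ Name = 'Google Cloud Messaging send endpoint';  Target = 'android.apis.google.com'; Ports = @(443) }
)

$failures = 0
foreach ($check in $checks) {
    foreach ($port in $check.Ports) {
        $ok = Test-TcpPort -ComputerName $check.Target -Port $port
        if (-not $ok) { $failures++ }
        $status = if ($ok) { 'OK  ' } else { 'FAIL' }
        Write-Output ('{0} {1} -> {2}:{3}' -f $status, $check.Name, $check.Target, $port)
    }
}
Write-Output ('{0} connectivity check(s) failed.' -f $failures)
# A non-zero exit code lets a deployment pipeline stop before the installer runs.
exit $failures
```

Run it from each server role that the tables say must reach the CA MDM Server (for example the enrollment server or the package server), after adjusting the target list to that role's rows; a FAIL on 135 with OK on the other ports usually points at a host firewall that allows the application ports but not DCOM.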

Administrator Console Requirements

Contents

CA MDM Administrator Server Requirements
CA MDM Administrator Browser Requirements

This section describes the CA MDM Administrator requirements.

CA MDM Administrator Server Requirements


Component Description

Operating System – The following Windows 64-bit operating systems are supported (Windows Server 2008 R2, setup mode: Full):
Windows Server 2008 Standard Edition R2 with Service Pack 1
Windows Server 2008 Enterprise Edition R2 with Service Pack 1
Windows Server 2008 Datacenter Edition R2 with Service Pack 1
Windows Server 2008 Web Server Edition R2 with Service Pack 1
Note: We recommend that you install your operating system on NTFS rather than FAT32.

Processor – Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2.0 GHz or higher.

RAM – The minimum RAM size must be 4 GB.

Disk Space – Minimum: 10 GB. Recommended: 40 GB or greater.

Database – The Administrator console must be configured for the same time zone as the database server.

Connectivity – For enrollment services configuration and using Google APIs, connect to https://developers.google.com.
For obtaining Android application information in portal application packages, connect to Google Play at https://market.android.com and https://play.google.com/store. Outbound port 80.
For the enrollment services configuration, use TinyURLs.
Note: For more information about how to create TinyURLs, see TinyURL.com.
For obtaining iOS application information in portal application packages, connect to the Apple App Store at http://itunes.apple.com.
The following features meet the connectivity requirements appropriate for your enterprise environment:
Same-domain residency
Cross-domain trusting
A shared workgroup
Inbound port 7982 – The listening port for API service calls from the optional CA MDM Self-Service Portal.
Outbound port 135 – The DCOM calling port. The server makes calls to the DCOM services of the CA MDM Servers.
DCOM port range – The ports that are reserved for, and managed by, the DCOM services.
(Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS) – The server uses this port to accept communication from devices.
Outbound port – The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
Outbound port 443.

Additional Requirements – Internationalized domain names (IDN) are not supported for any CA MDM component. The installation path and virtual directory must contain only ASCII characters.
Microsoft Windows Installer 3.1. The Microsoft Windows Installer 3.1 is supplied on the CA MDM product image; see the CA MDM-supplied prerequisites.
Microsoft .NET Framework Runtime 4.5
Microsoft Visual C++ Runtime 2012, 32- and 64-bit
Note: This prerequisite software is supplied on the CA MDM product image.
Microsoft Internet Information Server (IIS) 7.5. Install IIS before you install .NET components.
Internet Explorer 8 or 9


CA MDM Administrator Browser Requirements

The following components must be set up on the computer that you use to access the CA MDM Administrator.

Component Description

Supported Browsers – You can access only a single CA MDM Server.
Microsoft Internet Explorer 8 or 9. IE9: The Enhanced Security Configuration setting is not supported for CA MDM console access. CA MDM does not support running IE in Compatibility View.
Mozilla Firefox 3.6 or current version
Google Chrome, current version
Safari on Apple computers or iPads, current version

Connectivity – In an Active Directory environment, the browsing computer must be defined as a logon workstation. Define the logon workstation for the user account that you use to install and operate CA MDM.
Note: For more information about defining the user account, see Create the Domain User Account.
Outbound port 80 – The computer requires outbound connectivity to the CA MDM Administrator.

Database Requirements

Configure your database on a server other than your CA MDM Server.

For more information about configuring your database and estimating your database size requirements, see Create the Domain User Account.

CA MDM supports the following databases in a production environment:
Microsoft SQL Server 2008 R2 Enterprise Edition
Microsoft SQL Server 2008 R2 Standard Edition
Microsoft SQL Server 2008 R2 Datacenter Edition
Microsoft SQL Server 2008 SP1 Standard Edition
Microsoft SQL Server 2005 Enterprise Edition (SP1, SP2, SP3)
Microsoft SQL Server 2005 Standard Edition (SP1, SP2, SP3)

Collations for CA MDM operations – CA MDM requires case-insensitive collations rather than binary collations, such as:
(SQL Server 2008 R2) Latin1_General_CP1_CI_AS
(SQL Server 2005) SQL_Latin1_General_CP1_CI_AS

Regional time zone – The CA MDM database must be configured for the same time zone as the CA MDM Server components it supports.
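The collation requirement above is easy to get wrong when a database is created on an instance whose default collation is binary or case-sensitive, and the installer will not tell you until queries misbehave. As an added example (not part of the CA MDM documentation), the following PowerShell script reads the instance and database collations through System.Data.SqlClient and checks both against the rule stated above: the collation must be case-insensitive (`_CI_`) and not binary (`_BIN`). The server name, the database name `CAMDM` and the use of Windows integrated authentication are assumptions.

```powershell
# Added example, not part of the CA MDM documentation: checks that the SQL
# Server instance and the CA MDM database use a case-insensitive, non-binary
# collation as the Database Requirements table demands.
$SqlServer   = 'sql.example.local'   # placeholder
$MdmDatabase = 'CAMDM'               # placeholder database name (assumption)

function Test-MdmCollation {
    # Accepts Latin1_General_CP1_CI_AS and SQL_Latin1_General_CP1_CI_AS;
    # rejects binary collations (Latin1_General_BIN, *_BIN2) and case-sensitive
    # ones (Latin1_General_CP1_CS_AS), which CA MDM does not support.
    param([string]$Collation)
    if ([string]::IsNullOrEmpty($Collation)) { return $false }
    return ($Collation -match '_CI_') -and ($Collation -notmatch '_BIN')
}

function Get-SqlCollations {
    # Returns a hashtable with the instance-level and database-level collation.
    # Uses System.Data.SqlClient directly, so no SQL Server PowerShell module
    # is required on the host that runs the check.
    param([string]$Server, [string]$Database)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=$Database;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS ServerCollation, " +
                           "CONVERT(nvarchar(128), DATABASEPROPERTYEX(DB_NAME(), 'Collation')) AS DbCollation"
        $reader = $cmd.ExecuteReader()
        try {
            [void]$reader.Read()
            return @{ Server = [string]$reader['ServerCollation']; Database = [string]$reader['DbCollation'] }
        } finally {
            $reader.Close()
        }
    } finally {
        $conn.Close()
    }
}

$collations = Get-SqlCollations -Server $SqlServer -Database $MdmDatabase
foreach ($scope in 'Server', 'Database') {
    $name = $collations[$scope]
    $verdict = if (Test-MdmCollation $name) { 'OK  ' } else { 'FAIL (needs a case-insensitive, non-binary collation)' }
    Write-Output ('{0} {1} collation: {2}' -f $verdict, $scope, $name)
}
```

The instance-level collation is checked as well as the database-level one because tempdb inherits the instance collation; if the two differ, comparisons between CA MDM tables and temporary objects can still fail even when the CA MDM database itself is configured correctly.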

Enrollment Server Requirements

The Enrollment Server is required for managing iOS devices and using enrollment policies.

The following requirements are the recommended setup for 200 through 500 concurrent device sessions.

Component Description

Operating System – The following Windows 64-bit operating systems are supported (Windows Server 2008 R2, setup mode: Full):
Windows Server 2008 Standard Edition R2 with Service Pack 1
Windows Server 2008 Enterprise Edition R2 with Service Pack 1
Windows Server 2008 Datacenter Edition R2 with Service Pack 1

Processor – Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2.0 GHz or higher.

RAM – The minimum RAM size must be 4 GB.

Disk Space – Minimum: 10 GB. Recommended: 40 GB or greater.

Connectivity –
Outbound port 135 – DCOM calling port. The server makes calls to the DCOM services of the CA MDM Server.
DCOM port range – Ports that are reserved for, and managed by, the DCOM services.
Outbound to CA MDM Server ports 8085, 8086, or 8087 – The server sends requests to the CA MDM Server for outbound client notifications.
Outbound port – The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
(With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS) – If the Relay Server Outbound Enabler (RSOE, rsoe.exe) resides on the server, the server uses these ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses these ports to connect to the RSOE.
(Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS) – The server uses this port to accept communication from devices.
(iOS with the certificate authority challenge phrase enabled) Outbound to the Certificate Authority address – The server requires outbound connectivity to the Certificate Authority address, as defined on the Provisioning Server page. This page includes any relay server address.
Port 7007 – Reserved for internal communication.
Devices require connectivity to the server or its optional relay server proxy. The following features meet connectivity requirements appropriate for your enterprise environment:
Same-domain residency
Cross-domain trusting
A shared workgroup

Additional Requirements – Internationalized domain names (IDN) are not supported for any CA MDM component. The installation path and virtual directory must contain only ASCII characters.
Microsoft Internet Information Server (IIS) 5.0, 6.0, or 7.5, as appropriate for the operating system. Windows Server 2003 installations require Microsoft ASP.NET. Install IIS before you install .NET components.
Note: This item is supplied on the CA MDM product image.
Microsoft .NET Framework Runtime 4.5. For 32-bit environments, this item is supplied on the CA MDM product image. For 64-bit environments, use the Windows Role Management Tool to install this item from a Microsoft source. The version that is supplied on the CA MDM product image is only for 32-bit environments.
Microsoft Visual C++ Runtime 2012, 32- and 64-bit. Note: This item is supplied on the CA MDM product image.

Enrollment Server Resource Recommendations

The system resource demands for CA MDM resources can vary greatly by installation and are highly dependent on several factors. CA MDM enrollment server resource recommendations are based on concurrent device sessions and session duration. The following factors affect the session duration:

Device response time
Number of device enrollment requests
Number of iOS configuration policies
Number of settings within iOS configuration policies
Connection speed
IIS server request processing capacity

Self-Service Portal Server Requirements

The CA MDM Self-Service Portal is for deployment inside the enterprise firewall with an internet-facing Microsoft Forefront Threat Management Gateway (TMG) instance in the DMZ. The Microsoft Forefront TMG is configured to accept device connections and pass traffic to the internal portal.

Component Description

Operating System – The following Windows 64-bit operating systems are supported (Windows Server 2008 R2, setup mode: Full):
Windows Server 2008 Datacenter Edition R2 with Service Pack 1
Windows Server 2008 Web Server Edition R2 with Service Pack 1
Note: We recommend that you install your operating system on NTFS rather than FAT32.

Processor – Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2.0 GHz or higher.

RAM – The minimum RAM size must be 2 GB.

Disk Space – Minimum: 10 GB. Recommended: 40 GB or greater.

Database – The server must be configured for the same time zone as the database server.

Connectivity –
Outbound port 135 – The DCOM calling port. The server makes calls to the DCOM services of the CA MDM Server.
DCOM port range – The ports that are reserved for, and managed by, the DCOM services.
Outbound to CA MDM Server port 8085 – The server sends requests to the CA MDM Server for outbound device notifications.
Outbound port – The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
Inbound port 80 (HTTP) or 443 (HTTPS) – The server listens for traffic from either of the following:
(Recommended) Microsoft Forefront TMG, configured to accept device connections and pass traffic to the internal CA MDM Self-Service Portal
Devices
Outbound port 7982 – The server requires outbound connectivity to the CA MDM Administrator, which hosts the CA MDM API services.
Devices require connectivity to the server or its gateway. The following features meet connectivity requirements appropriate for your enterprise environment:
Same-domain residency
Cross-domain trusting
A shared workgroup

Additional Requirements – The user commands on the portal's Manage My Devices page require CA MDM messaging infrastructure, such as SMS messaging or Google Android Cloud to Device Messaging (C2DM) services.
Internationalized domain names (IDN) are not supported for any CA MDM component. The installation path and virtual directory must contain only ASCII characters.
Microsoft Internet Information Server (IIS) 7.5. For user browsers, the CA MDM Self-Service Portal site must be a member of a web browser security zone that enables active scripting. Install IIS before you install .NET components.
Microsoft Windows Installer 3.1. Note: This item is supplied on the CA MDM product image.
Microsoft .NET Framework Runtime 4.5

Relay Server Requirements

Relay Server is an optional component that is included with the CA MDM product on the product installation image.

Component Description

CA MDM Server Components – CA MDM supports using relay server for connections to these CA MDM Server components:
CA MDM Server, used for device connections or CA MDM Access Control for Email connections
CA MDM enrollment server
CA MDM package server
Note: The relay server is not supported for outbound-initiated connections to a Windows client.

Web Server – The web server supports IIS 7.5 or 6.0 on Windows OS.

Relay Server – 16, 12.0.1, 11.0.1

Additional Requirements – All Relay Server Outbound Enabler (rsoe.exe) instances in CA MDM must be of the same version. CA MDM uses rsoe.exe in the following locations:
CA MDM Server – <ServerInstallDirectory>\bin\RSOutboundEnabler\
Enrollment server – user-defined
Certificate Authority – user-defined
Package server – user-defined
Relay Server on IIS can coexist with other IIS applications:
Relay Server can coexist with other virtual web servers under the same IIS installation.
Relay Server can coexist with other web sites (or directories) under the same logical web server.
Relay Server web server extensions can coexist with other web server extensions sharing an application pool. However, the application pool properties are then limited to being Relay Server compatible (turn off all worker recycling options).

Access Control Requirements

For the CA MDM Access Control for Email feature, CA MDM filter components are available in 32-bit and 64-bit versions. These components are designed to run on operating systems with the same bit level.

Component Description

Email Server – Access Control for Email supports one or more of these servers in a single domain:
Microsoft Exchange Server with ActiveSync or compatible mobile clients:
Microsoft Exchange Server 2010
Microsoft Exchange Server 2003 SP2
IBM Lotus Domino 8.5.2.1 with Lotus Notes Traveler mobile clients

Hosted Mail – Microsoft Office 365

Microsoft Proxy Server –
Microsoft Forefront Threat Management Gateway 2010
Microsoft Internet Security and Acceleration Server 2006

IIS Server of Microsoft Exchange Server – For Exchange environments only: Microsoft Exchange Management Console, required for the CA MDM wipe feature.

CA MDM – The IIS server must run on a server that is separate from the server that hosts the CA MDM Administrator.
The administrator user account credentials that you supply for running the CA MDM filter as a service must be a member of the following groups:
Exchange Organization Administrators (Exchange 2007, 2010) or Exchange Full Administrator (Exchange 2003) group on the IIS server
The Administrators group on both the IIS server and any associated Exchange server

PowerShell Host Server – Microsoft PowerShell Version 2.0. The user account credentials that you supply for running the PowerShell component of the filter must be a member of the same domain as the email server. If it is not, contact CA Technical Support.
Note: Microsoft PowerShell is native to some server environments and available to others as a plug-in from Microsoft.

More requirements – Microsoft Data Access Components (MDAC) 2.8.

Connectivity – The server that hosts the PowerShell component requires outbound connectivity to the CA MDM Server. When the filter components are installed on separate servers, the PowerShell component host also requires outbound connectivity to the ISAPI filter component host.

Package Server Requirements

The recommended set-up for the package server is as follows:

Component Description

Operating System
The following Windows 64-bit operating systems are supported:
Windows Server 2008 R2 (Set Up Mode: Full)
Windows Server 2008 Standard Edition R2 with Service Pack 1
Windows Server 2008 Enterprise Edition R2 with Service Pack 1
Windows Server 2008 Datacenter Edition R2 with Service Pack 1
Note: The operating system must be installed in full, rather than as the minimal installation.

Processor
Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
Recommended: 2.0 GHz or higher

RAM
Minimum: 4 GB

Disk Space
Minimum: 10 GB
Recommended: 40 GB or greater

Database
The server must be configured for the same time zone as the database server.

Connectivity
Outbound port 135: DCOM calling port. The server makes calls to the DCOM services of CA MDM.
DCOM port range: Ports that are reserved for, and managed by, the DCOM services.
Outbound to CA MDM server ports 8085, 8086, or 8087.
Outbound port: The server requires outbound connectivity to the CA MDM database, which is configurable for each supported database type.
(With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler (RSOE) is resident on the server, the server uses these ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses these ports to connect to the RSOE.
(Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
(Application onboarding certificate provisioning) Outbound to the certificate authority address: The server requires outbound connectivity to the Certificate Authority address, as defined on the Package Server page. This page includes any relay server address.
Port 8080: Reserved for internal communication.
Devices require connectivity to the server or its optional relay server proxy. The following arrangements meet the connectivity requirements, as appropriate for your enterprise environment:
Same-domain residency
Cross-domain trusting
A shared workgroup

Additional Requirements
Internationalized domain names (IDN) are not supported for any CA MDM component. The installation path and virtual directory must contain only ASCII characters.
Microsoft Internet Information Server (IIS) 7.5. Install IIS before you install .NET components.
Microsoft Windows Installer[1] 3.1.
Microsoft .NET Framework Runtime 4.5
Microsoft Visual C++ Runtime 2012, 32- and 64-bit
For application packages, the enterprise application size limit varies by database type:
Microsoft SQL Server: 2 GB

SMS Gateway Requirements

For more information about installation instructions for Server Messaging, see Install and Configure CA MDM Server Messaging.

Third-Party Components: the Cygwin Unix-emulating environment. The SMS Gateway operations use only some of the components of the Cygwin product. Therefore, the installation for the CA MDM SMS Gateway requires a manual process.

Other: Short Message Peer-to-Peer (SMPP) v3.4 protocol support. All SMS gateway configuration settings on the CA MDM Server must contain only ASCII characters.

Device Requirements

Contents
Android
iOS
BlackBerry
Windows

This section describes the device requirements for CA MDM for the different operating systems.

Notes:
The current version of CA MDM supports iOS, Android, BlackBerry, and Windows clients.
The current version of CA MDM does not support LG Android devices.

Android

The following table defines the recommended set-up for Android:

Component Description

Operating System
The CA MDM application works with the following Android OS versions:
4.4
4.1
4.0.x
Note: CA MDM supports Android 4 devices to the same extent that it supports Android 3.1 devices. CA MDM does not include features that are specific to Android 4 devices.
3.x
2.3.x
2.2.x
Note: Update 2.2.20.A955.Verizon.en.UK is not supported for the security features of CA MDM, due to a known issue with the security features of this update. The affected CA MDM features include device lock, unlock, and password enforcement. See www.droidforums.net.

Core Features
Self-Service Portal Enrollment
Access Control for Email
Device Validation
Note: For device validation, the server checks that the device has a valid, unexpired certificate.
Server Validation
Note: For server validation, the device checks the following criteria:
The server must have a valid certificate.
The server must have an unexpired certificate.
The server address must match the certificate identity.
Device Activity Collection
Note: The Inventory Manager license includes CA MDM Device Activity collection.
Security Action for Wipe or Delete Data

Policies
Application Policy

Supported Languages
English (en), German (de), French (fr), Italian (it), Spanish (es, us), Thai (THI), Japanese (ja), Korean (ko), Portuguese (pt), Simplified Chinese (zh_CN), Traditional Chinese (zh_TW)

iOS

The following table defines the recommended set-up for iOS:

Component Description

Operating System
On iPhone, iTouch, and iPad devices:
iOS 7.1
iOS 7
iOS 6.1.1 for iPhone 4S devices
iOS 6.1, 6.0.1, 6.0.2
iOS 5.1, 5
iOS 4.3
Note: Once enrolled in CA MDM control, iOS 5 devices require HTTPS on all connections. The secure connection can occur either at the optional relay server or at the enrollment server.

Core Features
Security Action for Wipe or Delete Data
Server Validation
Note: For server validation, the device checks the following criteria:
The server must have a valid certificate.
The server must have an unexpired certificate.
The server address must match the certificate identity.
Device Activity Collection
Note: The Inventory Manager license includes CA MDM Device Activity collection.

Policies
Enrollment Policy
Application Policy
Note: For iOS 4.x and 5, enterprise and commercial applications are supported. For iOS 3.x, only commercial applications are supported.
Configuration Policy
Note: A Microsoft Windows Server 2003 certificate authority environment does not support use of the CA MDM Configuration SCEP policies.

Supported Languages

BlackBerry

The following table defines the recommended set-up for BlackBerry:

Component Description

Operating System
7
6
5

Advisory
Advisory for SSL and schedule monitors: Secure connections require user interaction to negotiate the communication handshake. The device prompts the user to enter a portion of the thumbprint of a certificate.
A CA MDM monitor executes without user intervention. If a CA MDM schedule monitor is paired with an established connection action, the connection fails, because the connection requires user input.

Core Features
Security Action for Wipe or Delete Data
Self-Service Portal Enrollment
Note: This feature is not supported or available for double-byte character environments.
Device Validation
Note: For device validation, the server checks that the device has a valid, unexpired certificate.
The BlackBerry platform requires users to interact with their device to facilitate the device authentication. Test devices in your environment to understand the user requirements.
Server Validation
Note: For server validation, the device checks the following criteria:
The server must have a valid certificate.
The server must have an unexpired certificate.
The server address must match the certificate identity.
Device Activity Collection

Policies
Configuration Policy
Enrollment Policy
Session Policy

Licensable Components
Inventory Manager
Note: The Inventory Manager license includes CA MDM Device Activity collection.
Session Manager

Client Notification to Connect
Short Message Service (SMS)
Data service

Windows

The following table defines the recommended set-up for Windows:

Component Description

Operating System
Windows Phone 8
The following Windows 64-bit operating systems are supported:
Windows 8
Windows 7
Windows Server 2008 R2
The following Windows 32-bit operating systems are supported:
Windows 8
Windows 7
Windows Vista Enterprise SP1, SP2
Windows Vista Home Ultimate SP1, SP2
Windows XP SP3
Windows XP SP2
Windows Server 2003 R2 SP2
Windows Server 2003 SP2
Windows Server 2003

Processor
500 MHz or higher, Intel Pentium III or compatible.

RAM
256 MB for Windows 7, Windows Server 2008, and Windows Vista; 128 MB for the other OS versions.

Disk Space
The minimum disk space for the installation is 12 MB; more space is required for channel data.

Browser
Internet Explorer 7.0, 8.0, 9.0.

Protocol Support
XNET, XNETS, HTTP, HTTPS

Additional Requirements
Microsoft Windows Installer 3.1

Core Features
Device Validation
Note: For device validation, the server checks that the device has a valid, unexpired certificate.
Server Validation
Note: For server validation, the device checks the following criteria:
The server must have a valid certificate.
The server must have an unexpired certificate.
The server address must match the certificate identity.

Policies
Enrollment Policy
Session Policy
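The server validation criteria listed for Android, iOS, BlackBerry and Windows above are the same three checks. The following Python function is added here as an illustration; it is not code from CA MDM or from the device clients. It applies those checks to a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate, host names and check times are constructed for the example. Chain validity (a signature from a CA the client trusts) is left to the TLS stack, as it is on the device; the function adds the expiry and identity checks and reports which of them failed.

```python
import ssl
import time

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns
# for a verified peer certificate. The names and dates are illustrative only.
SAMPLE_CERT = {
    "subject": ((("commonName", "mdm.example.com"),),),
    "issuer": ((("commonName", "Example Enterprise Issuing CA"),),),
    "subjectAltName": (("DNS", "mdm.example.com"), ("DNS", "*.relay.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

NO_CERT = "no certificate presented"
NOT_YET_VALID = "certificate not yet valid"
EXPIRED = "certificate expired"
NAME_MISMATCH = "server address does not match certificate identity"


def parse_cert_time(text):
    """Convert a certificate time string such as 'Jan  1 00:00:00 2030 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(text)


def certificate_names(cert):
    """DNS names the certificate claims: subjectAltName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".relay.example.com"
        return (
            hostname.endswith(suffix)
            and len(hostname) > len(suffix)
            and hostname.count(".") == pattern.count(".")
        )
    return pattern == hostname


def validate_server_cert(cert, server_address, now=None):
    """Apply the three checks from the device requirement tables: a certificate is
    present (the TLS stack has already verified its chain), it is unexpired, and
    the server address matches the certificate identity.
    Returns a list of failure descriptions; an empty list means the server passes."""
    now = time.time() if now is None else now
    if not cert:
        # getpeercert() returns {} when the peer was not verified, so an empty
        # dict is treated as "no valid certificate", never as a pass.
        return [NO_CERT]
    failures = []
    try:
        not_before = parse_cert_time(cert["notBefore"])
        not_after = parse_cert_time(cert["notAfter"])
    except (KeyError, ValueError):
        return ["certificate validity period missing or unparsable"]
    if now < not_before:
        failures.append(NOT_YET_VALID)
    if now > not_after:
        failures.append(EXPIRED)
    if not any(name_matches(name, server_address) for name in certificate_names(cert)):
        failures.append(NAME_MISMATCH)
    return failures


if __name__ == "__main__":
    check_time = parse_cert_time("Jun  1 00:00:00 2026 GMT")
    print(validate_server_cert(SAMPLE_CERT, "mdm.example.com", check_time))
    print(validate_server_cert(SAMPLE_CERT, "node1.relay.example.com", check_time))
    print(validate_server_cert(SAMPLE_CERT, "rogue.example.net", check_time))
```

The practical point for an enrollment or relay server deployment is the third check: when devices reach the server through a relay server proxy, the certificate the device sees must carry the name the device actually connects to, not only the internal host name, or every connection fails identity validation even though the chain and dates are fine.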

iOS Components Requirements

The following components are the general requirements for iOS devices.

Component Description

iOS MDM
Requires the following certificates from the Apple Root Certification Authority site:
Root: Apple Inc. Root Certificate (.cer)
Intermediate: Application Integration (.cer)
iOS requires an Apple Push Notification Service (APNS) certificate (.pfx). Before you obtain an APNS certificate, obtain a CA-signed Apple Certificate Signing Request (CSR) from CA Technical Support.
For more information about obtaining certificates, see Generate an APNS Certificate for CA MDM.
CA MDM iOS Mobile Device Management (MDM) is enforced on all iOS 4.0 and later devices. Apple, Inc. does not support MDM on 3.x devices.

Configuration Utility
CA MDM creates configuration policies that comply with the Apple iPhone Configuration Utility policies, as distributed by Apple, Inc.:
3.4, as the base for CA MDM 2011_06
3.3, as the base for CA MDM 2011_05 for VPN, Restriction
3.2
3.1
3.0, as the base for CA MDM 6.6 FP1
2.2, as the base for CA MDM 6.6
2.1

CA MDM Enrollment Server
The CA MDM enrollment server is required for iOS operations.
For more information about the enrollment server, see Install and Configure Enrollment Server.

SMS Messaging
Not required for iOS 4.0 and later devices that are enrolled with enrollment policies. Required for iOS 3.x devices.
The SMS messaging must be either the CA MDM SMS gateway (recommended) or the CA MDM-configured SMTP server.

Relay Server
Optional for communications between the enrollment server and device.
Optional for communications between the Certificate Authority and device.

Connectivity
Your enterprise firewall must allow connections to the Apple Push Notification Server (APNS) and the feedback server, for example 17.149.*. The DNS resolution is subject to change without notice, according to the Apple iOS Developer Program.
Outbound to gateway.push.apple.com:2195: The CA MDM Server requires outbound connectivity to the APNS server.
Outbound to feedback.push.apple.com:2196: The CA MDM Server requires outbound connectivity to the feedback server.
(With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS): If the Relay Server Outbound Enabler (RSOE, rsoe.exe) is resident on the server, the server uses these ports to connect to the Relay Server. If the RSOE resides on a different server, the server uses these ports to connect to the RSOE.
(Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
(Android C2DM) Outbound port 443: Google Cloud to Device Messaging (C2DM) requires connectivity to https://android.apis.google.com/c2dm/send.
(iOS devices using Wi-Fi) Outbound to gateway.push.apple.com:5223: The device requires outbound connectivity to the APNS server.

Certificate Authority
The CA MDM iOS features require a Microsoft Certificate Authority as part of the implementation. Include the following features as a part of the CA MDM iOS implementation for your enterprise:
Optional iOS payload signing
Optional secure connections as part

Operating System
Microsoft Windows Server 2008 Enterprise or Windows Server 2008 R2 Enterprise with:
IIS
Active Directory Certificate Services (ADCS) role
Network Device Enrollment Service (NDES) role
Microsoft Windows Server 2003 Enterprise with:
IIS
Active Directory Certificate Services (ADCS) role
Network Device Enrollment Service (NDES) role
Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, as distributed by Microsoft, Inc., with the following points:
Install using a local user account with administrative privileges.
During the installation, enable the challenge phrase option. The option is enabled by default and is recommended for security.
Note: A Microsoft Windows Server 2003 certificate authority environment does not support issuing CA MDM iOS configuration policies with the SCEP payloads.
For more information about configuring your Certificate Authority, see Configuring Certificate Authority for iOS Devices in Install and Configure Enrollment Server.
For more information about adding roles and using the New Role Wizard, see the Microsoft Windows Server and Microsoft Server Manager (administrative tool) product documentation.

Relay Server
The Relay Server is not supported.

For Reference
The Microsoft SCEP Implementation White Paper is available at www.microsoft.com/download/en/details.aspx?id=1607.

Connectivity
(Without the CA MDM SCEP plug-in module) The CA server does not require connectivity to any CA MDM component server.
(With the CA MDM SCEP plug-in module) Outbound port: The server requires outbound connectivity to the CA MDM database. The outbound connectivity is configurable for each supported database type.
(With Relay Server) Outbound port 80 (HTTP) or 443 (HTTPS)
(Without Relay Server) Inbound port 80 (HTTP) or 443 (HTTPS): The server uses the port to accept communication from devices.
Devices require connectivity to the server or its optional relay server proxy. The following arrangements meet the connectivity requirements, as appropriate for your enterprise environment:
The database credentials
Same-domain residency
Cross-domain trusting
A shared workgroup

Additional Requirements
iOS devices require verification of the complete chain of trust. Ensure that the entire authority chain is online for iOS device connections.
The identity credentials that are used for the Certificate Authority IIS SCEP application pool must match the credentials on the enrollment server configuration page.
The CA MDM SCEP plug-in is available in 32- and 64-bit versions. The plug-in is designed to run on operating systems with the same bit level.
The Microsoft SCEP add-on for Windows Server 2003 is not available in a 64-bit version. Therefore, installing the CA MDM SCEP plug-in on a Windows Server 2003 64-bit server is not supported.

Language Code Key

The language codes represent the supported languages for CA MDM devices.

Language Code    Language
EN               English
ZH_CN            Simplified Chinese
ZH_TW            Traditional Chinese
THI              Thai
AS, US           Spanish
FIR              French
IT               Italian
JA               Japanese
KO               Korean
PT               Portuguese

Note: Canadian French and Latin-American Spanish are not supported.

Language Support for Devices Matrix

The following table illustrates the language support for the various device types. X indicates that the feature is supported.

CA MDM Android Device

Supported Languages        ZH_CN  ZH_CT  DE  EN  AS, US  FR  THI  JA  KO  PT
Operating System Language  X      X      X   X   X       X   X    X   X   X
CA MDM UI                  X      X      X   X   X       X   X    X   X   X

CA MDM iOS Device

Supported Languages        ZH_CN  ZH_CT  DE  EN  AS, US  FR  THI  JA  KO  PT
Operating System Language  X      X      X   X   X       X   X    X   X   X
CA MDM UI                  X      X      X   X   X       X   X    X   X   X

Windows PC Clients

Supported Languages        ZH_CN  ZH_CT  DE  EN  AS, US  FR  THI  JA  KO  PT
Operating System Language  X      X      X   X   X       X   X    X   X   X
CA MDM UI                  NA     NA     NA  X   NA      NA  NA   NA  NA  NA

Create the Domain User Account

To install the CA MDM Server, farm server, and related servers, create a domain Windows account. The domain Windows account is also used to run the Windows service.

The main CA MDM Server, farm servers, and related components must use the same domain user account name and password.

Note: If you install SSP with LDAP, ensure that the created domain user has permission to access the Active Directory server.

Follow these steps:

1. Create a Windows domain user account on the planned server.
2. Add the domain user as an administrator in the user group.
3. Record the account credentials. The account credentials are the same as the credentials used when you install the CA MDM Server and its components.
4. For the Active Directory environment: On the domain controller, update the user account properties to ensure the following points:

Update Passwords and Domain User Accounts for CA MDM

You can change the domain user account and password of the CA MDM Server service. You can also change the user password of the database. The main CA MDM Server and all farm servers must use the same user account name and password. When you update the user account and password on a CA MDM Server, the CA MDM setup program accepts the parameters in any order.

Follow these steps:

1. Close all CA MDM programs.
2. To change the service account or password, run the setup program with parameters on the command line. To view the installation errors, see C:\silent.log.

Examples:

Setup -Maintenance -DatabasePassword="password"
Setup -Maintenance -ServiceAccount="name" -ServicePassword="password"
Setup -Maintenance -DatabasePassword="password" -ServicePassword="password2"

Estimate the Size of Your Database

The CA MDM Server uses a database to log system activity and data. Unless you install the CA MDM Appliance, all servers in a farm access the same database. Install and configure your database before installing the CA MDM Server. The CA MDM Appliance includes database installation and configuration.

The product supports Microsoft SQL Server as the CA MDM database. For more information about database support, see Database Requirements.

To understand your weekly disk space requirements for operations with all logging enabled, estimate your database size. Plan the disk availability based on the requirements.

Follow these steps:

1. Estimate the values:
Number of sessions per day
Average session size
2. Apply the estimates to the daily formula for estimated growth per day.
Daily Formula: (# of sessions per day) * (average session size) = estimated growth per day
3. Apply the daily estimate to the weekly formula for estimated growth per week.
Weekly Formula: (estimated growth per day) * 7 = estimated growth per week

Example: Determine the weekly disk space growth for 1000 daily sessions with an average session size of 60 KB. The estimated growth per week is: (1000 sessions per day) * (60 KB average session size) * 7 days = 420 MB. The estimated database growth is 420 MB per week.

Consider the following items when calculating estimates:
Add 1 MB of data per week to the estimate for each device that reports inventory.
Session channels with 100 events add an average of 40 KB in database growth per session in log data.
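To turn the daily and weekly formulas, the worked example and the two adjustments above into a repeatable estimate, the following Python calculator is added here; it is not part of the CA documentation. It uses the guide's figures as constants, counts 1000 KB as 1 MB as the worked example does, and adds one helper of its own that shows how long a given amount of free disk space (for instance the recommended 40 GB) lasts at the estimated growth rate.

```python
# Figures from the sizing guidance above; the 1000 KB/MB convention reproduces
# the guide's 420,000 KB = 420 MB example.
KB_PER_MB = 1000
DAYS_PER_WEEK = 7
INVENTORY_KB_PER_DEVICE_PER_WEEK = 1 * KB_PER_MB   # 1 MB per week per device that reports inventory
CHANNEL_LOG_KB_PER_SESSION = 40                    # a session channel with 100 events adds ~40 KB per session


def estimate_daily_growth_kb(sessions_per_day, avg_session_kb):
    """Daily formula: (# of sessions per day) * (average session size)."""
    if sessions_per_day < 0 or avg_session_kb < 0:
        raise ValueError("estimates must be non-negative")
    return sessions_per_day * avg_session_kb


def estimate_weekly_growth_kb(sessions_per_day, avg_session_kb,
                              inventory_devices=0, channel_logged_sessions_per_day=0):
    """Weekly formula: (estimated growth per day) * 7, plus the two adjustments the
    guide lists. `inventory_devices` is the number of devices reporting inventory and
    `channel_logged_sessions_per_day` the number of daily sessions whose channel has
    ~100 logged events (both assumptions of this example about how the adjustments
    are applied). Returns a breakdown so each term can be reviewed, plus the total."""
    sessions_kb = estimate_daily_growth_kb(sessions_per_day, avg_session_kb) * DAYS_PER_WEEK
    inventory_kb = inventory_devices * INVENTORY_KB_PER_DEVICE_PER_WEEK
    channel_kb = channel_logged_sessions_per_day * CHANNEL_LOG_KB_PER_SESSION * DAYS_PER_WEEK
    return {
        "sessions_kb": sessions_kb,
        "inventory_kb": inventory_kb,
        "channel_log_kb": channel_kb,
        "total_kb": sessions_kb + inventory_kb + channel_kb,
    }


def weeks_until_full(free_mb, weekly_growth_kb):
    """Whole weeks the given free space lasts at the estimated growth rate
    (None when there is no growth). Added by this example for capacity planning."""
    if weekly_growth_kb <= 0:
        return None
    return int(free_mb * KB_PER_MB // weekly_growth_kb)


if __name__ == "__main__":
    # The guide's worked example: 1000 sessions/day at 60 KB each is 420 MB per week.
    est = estimate_weekly_growth_kb(1000, 60)
    print(est["total_kb"] / KB_PER_MB, "MB per week")
    # With 500 inventory-reporting devices and 200 sessions/day carrying channel logs
    est = estimate_weekly_growth_kb(1000, 60, inventory_devices=500, channel_logged_sessions_per_day=200)
    print(est)
    print(weeks_until_full(40 * 1000, est["total_kb"]), "weeks until 40 GB is consumed")
```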

Prepare SQL Server Database

For Microsoft SQL Server database operations with CA MDM, create the database and an associated user. Creating the database and an associated user provides a user context to access the database.

The database name must be the same throughout the CA MDM Server installation and configuration process.

Follow these steps:

1. Create a database with Datafiles and Transaction log attributes.
2. Create a role with execute rights. For example, "db_executor".
3. For the user who performs CA MDM operations with the database, ensure that the user has the following attributes:
Default schema: dbo
Role: db_ddladmin
Role: db_datawriter
Role: db_datareader
Role: db_executor
Password: does not contain the semicolon (;) character.

Example: The following script creates a role with execute rights for a database that is named CA MDM, creates a user for a login that is named JBrowne, and grants the required rights.

--For a database named CA MDM and a login that is named JBrowne, create
--a user that is named JBrowne and grant appropriate rights.
USE [CA MDM]
GO
--Create a role for executing stored procedures
CREATE ROLE db_executor
--Grant stored procedure execute rights to the role
GRANT EXECUTE TO db_executor
GO
--Assign user to dbo and required roles
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
BEGIN
    CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
    EXEC sp_addrolemember db_ddladmin, JBrowne
    EXEC sp_addrolemember db_datawriter, JBrowne
    EXEC sp_addrolemember db_datareader, JBrowne
    EXEC sp_addrolemember db_executor, JBrowne
END;

If you select SQL authentication for the database while installing a CA MDM Server, use the credentials mentioned in step 3.

If you use Windows-integrated authentication, then the Windows user requires the same rights and roles.
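The script above shows the grants for one SQL login. As an added example that is not from the CA documentation, the following Python helper generates the same T-SQL for any database and login, including a Windows login for the integrated-authentication case, and checks the password rule from step 3. Bracket-quoting the identifiers is what keeps a database name such as CA MDM, or a name containing ] or ', from breaking out of the statement; the login CORP\svc_camdm and the database name used in the usage are constructed values.

```python
# Roles the guide requires for the CA MDM database user (step 3 above).
REQUIRED_ROLES = ("db_ddladmin", "db_datawriter", "db_datareader", "db_executor")


def quote_identifier(name):
    """Bracket-quote a T-SQL identifier (database, user, or role name).
    A ']' inside the name is doubled, so a name with spaces or punctuation,
    such as the guide's database CA MDM, cannot terminate the brackets early."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return "[" + name.replace("]", "]]") + "]"


def quote_string(value):
    """Quote a T-SQL Unicode string literal, doubling embedded single quotes."""
    return "N'" + value.replace("'", "''") + "'"


def password_is_valid(password):
    """The guide requires that the database password contain no semicolon,
    since ';' delimits the fields of the connection string the server builds."""
    return bool(password) and ";" not in password


def build_grant_script(database, login, user=None):
    """Return the T-SQL that creates the db_executor role if it is missing, maps the
    login to a database user with default schema dbo, and adds the required roles.
    `login` may be a SQL login or a Windows login such as DOMAIN\\account."""
    user = user or login
    lines = [
        f"USE {quote_identifier(database)}",
        "GO",
        "-- Create a role for executing stored procedures (only if it does not exist yet)",
        f"IF DATABASE_PRINCIPAL_ID({quote_string('db_executor')}) IS NULL",
        "    CREATE ROLE [db_executor]",
        "GO",
        "-- Grant stored procedure execute rights to the role",
        "GRANT EXECUTE TO [db_executor]",
        "GO",
        "-- Map the login to a database user whose default schema is dbo",
        f"IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = {quote_string(user)})",
        f"    CREATE USER {quote_identifier(user)} FOR LOGIN {quote_identifier(login)} WITH DEFAULT_SCHEMA = [dbo]",
        "GO",
        "-- Assign the required roles",
    ]
    for role in REQUIRED_ROLES:
        lines.append(f"EXEC sp_addrolemember {quote_string(role)}, {quote_string(user)}")
    lines.append("GO")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Windows-integrated authentication: the service account's domain login gets the
    # same rights and roles as the SQL login JBrowne in the guide's script.
    print(build_grant_script("CA MDM", r"CORP\svc_camdm"))
    print("password ok:", password_is_valid("Str0ng-Pass!"), password_is_valid("bad;pass"))
```

Run the generated script once per database with sqlcmd or SQL Server Management Studio; because the role creation and user creation are guarded, re-running it after a failed installation attempt is safe.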

Configuring the SQL Server Database for Operations

For Microsoft SQL Server operations, prepare your database environment. Verify that the logs are truncated on a checkpoint as follows:

1. Right-click the database, and select Properties.
2. Click Options, Model.
3. Select Simple in the Recovery section.

Generate an APNS Certificate for CA MDM

Contents
How to Obtain an APNS Certificate for CA MDM
Verify Prerequisites
Obtaining Root and Intermediate Certificates
Create a Certificate Signing Request
Upload Signed CSR to Apple Push Certificate Portal
Complete the CSR and Export the APNS Certificate
Upload MDM APNS Certificate to CA MDM Server

To manage iOS devices using CA MDM, the following certificates are required:
An Apple Push Notification Service (APNS) certificate.
An Apple, Inc. root certificate.
An Apple Application Integration certificate.

The Apple certificates allow CA MDM to perform the following tasks:
Communicate securely with iOS devices.
Uniquely identify your enterprise CA MDM installation as a trusted vendor for mobile device management (MDM).

Install the certificates for CA MDM operations when an enterprise uses a Macintosh or Windows OS and the Apple Push Certificates Portal. The Apple Push Certificates Portal is used to obtain the push, root, and application integration certificates.

How to Obtain an APNS Certificate for CA MDM

The Apple Push Notification Service (APNs) gives the ability to perform the following tasks securely:
Enroll iOS devices in an enterprise environment.
Monitor compliance with corporate policies.
Remotely wipe or lock managed iOS devices.

To deliver CA MDM commands such as device lock or wipe, use an APNS certificate. For a system tenant or a non-system tenant, obtain an APNS certificate to validate the iOS MDM request to the APNS service. The system tenant is the machine name where you have installed the CA MDM application. A non-system tenant is a tenant that the administrator adds manually.

Obtain a certificate that is based on the CA MDM tenant implementation:

If you are an enterprise using single or multiple system tenants to separate operations, obtain an Apple Push Certificate.

To obtain an APNS certificate for CA MDM, perform the following tasks:

1. Verify Prerequisites
2. Create a Certificate Signing Request
3. Get Your CSR Signed
4. Upload Signed CSR to Apple Push Certificate Portal
5. Complete the CSR and Export the APNS Certificate

Verify Prerequisites

Verify the following prerequisites before obtaining an APNS certificate:
Obtain root and application integration certificates from the Apple Root Certification Authority site.
A Windows server with administrator rights.
Installation of the Mozilla Firefox, Safari, or Google Chrome web browser.
An Apple ID that Apple has assigned to your enterprise or to you. Use the Apple ID to associate with the certificates.
Note: To obtain an Apple ID, an Apple iOS Developer Program membership is not required.

Obtaining Root and Intermediate Certificates

For each CA MDM environment, obtain the root and application integration certificate. Obtain these certificates so that any installed APNS certificate has a valid chain to the root. Install the certificates when you install and configure the Enrollment Server for iOS operations.

Follow these steps:

1. Go to the Apple Root Certification Authority site at http://www.apple.com/certificateauthority.
2. Download the Apple Inc. Root Certificate.
3. Download Application Integration.

Create a Certificate Signing Request

You can create a certificate signing request either on a Windows server or on a Macintosh server.

Valid on Windows

Follow these steps:

1. Click Start, Internet Information Services (IIS) Manager.
2. Select the server from the Connections column, and navigate to Server Certificates in the IIS section.
3. Click Create Certificate Request and provide the details. Common name defines the name of the person generating the request.
4. Click Save.
5. Select Microsoft RSA SChannel as the Cryptographic Service Provider.
6. Select a Bit length of 2048 or greater.
7. Enter the file name for the certificate request.
8. Click Finish.

The CSR is created on Windows and is ready for signing.

Valid on Macintosh

On any Macintosh server in your enterprise, use the Keychain Access utility to create your CSR.

Follow these steps:

1. Open Applications, Utilities, Keychain Access on your server.
2. Select Keychain, Login and Category, Certificates in the left pane.
3. Select Keychain Access, Certificate Assistant, Request a Certificate from a Certificate Authority.
4. Enter the email address and common name.
5. Select Save to disk and Let me specify key pair information, and click Continue.
6. Save the file (.CSR) and record the location.

The CSR is created on Macintosh and is ready for signing.

Get Your CSR Signed

As a required part of the Apple certificate process, CA Technologies must sign your enterprise CSR.

Note: To complete the process of getting your CSR signed, contact CA Technical Support.

Upload Signed CSR to Apple Push Certificate Portal

You can install the APNS certificate in CA MDM to authorize CA MDM-based Apple Push Notification Service requests. To install the APNS certificate, first obtain an Apple-signed APNS certificate.

Follow these steps:

1. Log in to the Apple Push Certificates Portal using the following URL: http://identity.apple.com/pushcert.
2. Click Create a Certificate.
3. Read and accept the End-user License Agreement.
4. Click Choose File and select the signed CSR (.SCSR).
5. Click Upload. A new Apple-signed push certificate for the mobile device appears on the Certificates for Third-Party Servers page.
6. Click Download. The certificate is saved in the .PEM format.

The APNS certificate has been obtained from the Apple portal. Complete the downloaded certificate on the server that originated the CSR.

Complete the CSR and Export the APNS Certificate

Complete the request and export the APNS certificate for CA MDM operations on the Macintosh or Windows server.

Valid on Windows

On the Windows server that originated the CSR, complete the request and export the APNS certificate for CA MDM operations.

Follow these steps:

1. Click Start, Administrative Tools, Internet Information Services (IIS) Manager.
2. Select the server from the Connections column, and navigate to Server Certificates in the IIS section.
3. Click Complete Certificate Request.

4. Enter a common name for tracking the certificate and click OK.
5. To export the APNS certificate to the correct format, right-click the certificate and select Export.
6. Save the certificate file in .pfx or .p12 format.
7. Enter a password, and then click OK.

Valid on Macintosh

On the Macintosh server that originated the CSR, complete the request and export the APNS certificate for CA MDM operations.

Follow these steps:

1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple Push Certificates Portal.
2. Double-click the .PEM file.
3. Select Keychain, Login and Category, Keys in the Keychain Access utility.
4. Verify that the certificate that the common name identifies appears with a key value in the Kind column.
5. Right-click the private key and select Export.
6. Save the file in .p12 or .pfx format.
7. To export the certificate, enter and note the password.

You now have an MDM APNS certificate from Apple that can be added to the CA MDM Server.

Upload MDM APNS Certificate to CA MDM Server

Once the CSR is completed, export the APNS certificate to .pfx or .p12 format. Then upload the MDM APNS certificate to the CA MDM Server.

Follow these steps:

1. Log in to the CA MDM Administrator Console, and navigate to Server, Configuration, Component, iOS Notification.
2. Fill in the details for APNS Push Certificate (for Mobile Device Management):
Push Service displays the push service name. For example, com.apple.mgmt.External.22721840-3c25-46bb-b611-c12d51f439ad.
File allows you to browse for the certificate file in .pfx or .p12 format.
Password defines the password that you used when exporting the
3. Click Install.
The certificate is installed to the personal certificate store on the CA MDM Server. The MDM certificate name populates the page.
(System tenant) If your Apple root and intermediate certificates are not installed, the interface prompts you to install them.
(Non-system tenant) If the Apple root and intermediate certificates are not installed, the interface displays an error. Notify your system tenant administrator.

The MDM APNS certificate is successfully uploaded to the CA MDM Server. You have successfully obtained an APNS certificate to support Apple iOS devices.

Obtain Google API Key

To create enrollment policies for CA MDM device enrollment, an API key accompanies the Google URL Shortener API. The Google URL Shortener identifies your organization as the calling entity.

If you plan to use TinyURL as your only URL shortening service, you must have a Google API key.

Follow these steps:

1. Go to developers.google.com.
2. Click API Console in the Developer Tools group.
3. Create an API project or use an existing project.
4. Navigate to the list of all services, and activate the URL Shortener API.
5. Navigate to the API Access page and locate the Simple API Access item.
6. Record the API key for use in the CA MDM configuration for enrollment codes.

Notes:
Refer for Google APIs.
Refer to https://developers.google.com/apis/url-shortener/v1/getting_started for getting started with the Google URL Shortener API.

Obtain End-User Acceptance Message Details

Installation and Configuration

Install CA MDM with a separately installed database, CA MDM Server, and the CA MDM Administrator Console. A standard environment is appropriate for installation with one or multiple CA MDM servers.

Enter Your License Key

Install and Configure CA MDM Server

Install CA MDM Server in a Farm Environment

Install and Configure CA MDM API Service and Administrator

Install and Configure Access Control for Email

Install and Configure CA MDM Server Messaging

Install and Configure Enrollment Server

Install and Configure Package Server

Install and Configure Self-Service Portal

Install and Configure Relay Server

Review System Requirements from the Installation Prerequisites section.

Enter Your License Key

Enter or update your license key when you receive a new key. The license defines the CA MDM setup menu options available during the installation.

Follow these steps:

1. Start the CA MDM setup program and click License Key.
2. Enter your license key.
3. (Optional) Click Licensing Details to review your licensing information.

Note: The maximum number of concurrent sessions that are supported per server depends on your licensing. The concurrent sessions also depend on the available memory, the speed, and the number of processors on your server.

4. Click Apply.


Install and Configure CA MDM Server

Contents

Configure LDAP Information

Configure Active Directory Information

Basic Rights for Active Directory User

Install the CA MDM Server as the first server component in your CA MDM installation. To upgrade an existing version of CA MDM Server, follow the steps from Preparing for Upgrade.

This procedure assumes that you have reviewed the Installation Prerequisites section.

Follow these steps:

1. Start the CA MDM setup program and click Install, CA MDM Server.
2. Read the EULA and click Yes.
3. Configure the Microsoft SQL database setup for CA MDM. Enter the following information:

Select a SQL Server

Specify the IP address of the installed CA MDM Server. For example, 172.16.0.0.

Windows Authentication

Specify the use of a Windows administrator account with SQL Server privileges.

SQL Server Authentication

Specify the use of the SQL Server account with its associated password that you set up for CA MDM.

SQL Server Database

Specify the database that you configured for CA MDM.

4. Enter the full path of the installation folder. For example, on 64-bit operating systems the default installation folder is C:\Program Files (x86)\CAMDM\.
5. Enter the Server Account Name and Password.
