The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version: 5.10.00.00
Legal Notice
Copyright © 2008 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Client Firewall, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Symbian and Symbian OS are registered trademarks of Symbian Software Ltd. Windows is a registered trademark of Microsoft Corporation.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support.
Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan:[email protected]
■ Europe, Middle-East, and Africa:[email protected]
■ North America and Latin America:[email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Symantec Early Warning Solutions
These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Managed Security Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Consulting Services
www.symantec.com
Technical Support
... 3Chapter 1
Symantec Mobile Security Manager Overview
... 13About this document ... 13
About Symantec Mobile Security Manager ... 13
About Symantec Mobile Security Suite management options ... 14
How Symantec Mobile Security Manager works with Symantec System Center ... 14
How Symantec Mobile Security Manager works with other Mobile Device Management systems ... 14
Starting Symantec Mobile Security Manager ... 15
About the Symantec Mobile Security Manager window ... 15
Main menu ... 15
Main toolbar ... 16
Status bar ... 16
Chapter 2
Mobile Security concepts
... 19Understanding entities ... 19
Linking devices and device states ... 19
Device state ... 20
Users ... 20
User groups ... 21
About entity relationships ... 21
About policy packages and policies ... 21
Enterprise default package ... 22
Policies ... 22
Firewall policies ... 23
Security Manager policies ... 23
Integrity Manager policies ... 23
Intrusion detection policies ... 23
Policy rules defined ... 24
About policy package inheritance ... 24
Eligibility ... 25
Deploy ... 25
Chapter 3
Managing users and devices by using the Entity
Manager
... 27About the Entity Manager ... 27
Managing entities from the tree view window ... 28
Managing entities from the grid view window ... 30
Manually adding user groups, users, and devices ... 31
About entities ... 32
Adding user groups and users ... 32
Transferring users to user groups ... 33
Adding devices ... 34
Changing the linking email of linked or unliked devices ... 34
Deleting entities ... 35
Device registration ... 35
Device states ... 36
Setting the device state for auto-linking devices ... 37
Viewing aggregate license and device information ... 37
Changing the device state of a linked device ... 38
Changing the device state of an unlinked device ... 38
Locking and unlocking the linking email ... 39
Chapter 4
Import Wizards
... 41Adding users with the User Import and LDAP Import Wizards ... 41
About using the User Import Wizard ... 42
User Import file requirements ... 42
Preparing your import file ... 43
Importing users from an external file ... 44
Specifying import options ... 45
Specifying user group import options ... 45
Specifying error handling options ... 47
Handling error conditions ... 48
Approving import records ... 50
Viewing the import results ... 50
Adding users from a Microsoft Active Directory with the LDAP Import Wizard ... 51
Connecting to a Microsoft Active Directory ... 52
Mapping LDAP properties to database fields ... 52
Specifying error handling and user groups ... 54
Handling error conditions ... 55
Reviewing importable users ... 55
Viewing the import results ... 56
Chapter 5
Managing policy packages
... 59About policy packages ... 59
Package manager functions ... 60
Package Manager icons ... 60
Package Manager right-click menu ... 61
Package properties ... 61
Policy properties ... 62
Using the Package Manager ... 63
Opening the Package Manager ... 63
Packages grid ... 64
Setting the enterprise default package ... 64
Creating, cloning, and modifying packages ... 65
Deleting packages ... 66
Retiring packages ... 67
Viewing policies that are not part of a package ... 67
Symantec policy packages ... 68
Chapter 6
Managing policies
... 71About managing policies ... 71
Policy properties ... 72
About Firewall policies ... 72
About Firewall rules ... 73
Modifying, cloning, and creating Firewall policies ... 74
Defining Firewall policy properties ... 74
Defining a stateful Firewall policy ... 75
Adding rules by selecting existing rules ... 75
Adding and customizing rules ... 76
Creating new firewall base rules ... 77
Customizing rules ... 78
Setting the order of Firewall rules and deleting rules ... 79
Creating a security policy ... 79
General PIN and password settings ... 80
PIN settings ... 81
Password settings ... 82
Device feature blocking ... 83
Idle timeout ... 84
Resetting the encryption key ... 84
Secure folders ... 84
Modifying security policies ... 85
Chapter 7
Deploy Manager
... 89About the Deploy Manager ... 89
About assigning a policy package ... 90
Assigned and deployed packages ... 91
Policy package inheritance ... 91
Assigning policy packages with the Deploy Manager ... 92
Assigning packages from the Entity Manager ... 93
Viewing information in the Deploy Manager ... 93
Removing package assignments ... 94
About deploying packages ... 95
Deploying all assigned packages simultaneously ... 96
Deploying packages to selected entities ... 97
Deploying by package ... 97
Reissuing modified deployed packages ... 98
Tracking package event history ... 98
Chapter 8
Viewing, reporting, and charting events
... 101About viewing, reporting, and charting events ... 101
About event logs ... 102
About the Event View Manager ... 102
Creating, modifying, and deleting event view specifications ... 102
Loading events ... 105
Grouping and sorting the event view results ... 107
Searching event view results ... 107
Exporting event logs ... 108
Deleting events ... 109
About the Reports Manager ... 109
Report specifications ... 110
Creating reports ... 110
Modifying reports ... 111
Using the filter form ... 111
Printing and exporting reports ... 113
Locking reports ... 113
Deleting reports ... 114
Charts Manager ... 114
Running charts ... 114
Saving charts ... 114
Chapter 9
Admin tools
... 117About administrator tools ... 117
Device statistics ... 118
Linked devices ... 118
Unlinked devices ... 119
Preferences ... 119
Agent configuration file ... 121
Help Desk users ... 123
Creating authorized users ... 123
Modifying passwords for authorized users ... 124
Deleting authorized users ... 124
Device password override process ... 125
Enterprise Help Desk user password policy ... 125
Upload history ... 126
Package history ... 129
Reissuing policy packages ... 132
AWOL linked devices ... 133
Symantec Mobile Security
Manager Overview
This chapter includes the following topics:
■ About this document
■ About Symantec Mobile Security Manager
■ Starting Symantec Mobile Security Manager
■ About the Symantec Mobile Security Manager window
About this document
This guide explains how to perform the mobile security administration tasks of Symantec Mobile Security Suite that are managed by the Symantec Mobile Security Manager. It assumes that you have read the Symantec Mobile Security Suite
Implementation Guide. The implementation guide explains how to install all of
the management components, including Symantec Mobile Security Manager.
About Symantec Mobile Security Manager
Symantec Mobile Security Manager is the central console for managing the firewall and encryption functionality of Symantec Mobile Security Suite. You can also manage device feature access, create and deploy policy packages, and monitor events by using a range of reporting functions.
Symantec Mobile Security Manager requires SQL server. It operates together with a Web server and Windows services.
However, you use a different system to manage AntiVirus and LiveUpdate. The following sections explain your options.
1
About Symantec Mobile Security Suite management options
Symantec Mobile Security Suite allows you to manage the devices in your organization in different ways. These depend on how you manage your network generally, and on the tools that you choose to use. The following table shows the different management components that are available with Symantec Mobile Security Suite.
Table 1-1 Symantec Mobile Security Suite management components Works with
Manages Component
Symantec System Center or other Mobile Device Management system Events, security policies, and device information
Symantec Mobile Security Manager
Symantec System Center; Symantec Mobile Security Manager
AntiVirus and LiveUpdate Symantec System Center tools
Symantec System Center or other Mobile Device
Management system; Symantec Mobile Security Manager AntiVirus and LiveUpdate
Wireless administration tools
You use Symantec Mobile Security Manager together with Symantec System Center or another Mobile Device Management system. You can install and run the wireless administration tools on either Symantec System Center or another system.
How Symantec Mobile Security Manager works with Symantec System
Center
You use Symantec System Center together with either set of Symantec Mobile Security Suite tools to manage AntiVirus and LiveUpdate on your organization’s mobile devices. You use Symantec Mobile Security Manager to manage the security policies for the devices.
How Symantec Mobile Security Manager works with other Mobile
Device Management systems
Starting Symantec Mobile Security Manager
Symantec Mobile Security Manager supports a single active session. Within this session, only one instance of each window can be open at any time.
To start Symantec Mobile Security Manager
◆ On the desktop navigate to Start > Programs > Symantec > Symantec Mobile
Security Manager.
About the Symantec Mobile Security Manager window
The Symantec Mobile Security Manager window includes the following components:
■ The main menu
See“Main menu”on page 15.
■ The main toolbar
See“Main toolbar”on page 16.
■ The status bar
See“Status bar”on page 16.
Main menu
The following options are available from the main menu:
Exit from Symantec Mobile Security Manager. File
Display or hide the Toolbar and Status Bar. View
Access the Admin Tools window to view device information; set Enterprise preferences; save Agent configuration files; create authorized help desk users; view Upload history, Package history and AWOL devices; and access the Services Manager.
Admin Tools
Access the Package Manager, Packages Grid and Deploy Manager. Reissue Modified Deployed Packages and Reissue All Deployed Packages. Policies
Access the Event View Manager, Reports Manager, and Charts Manager.
Reports
Organize the display of open windows or close all windows.
Window
Open the online documentation. Help
Main toolbar
The following options are available from the main toolbar:
Opens the Admin Tools window. Admin Tools
Opens the Entity Manager in tree view mode. Entity Manager: Tree View
Opens the Entity Manager in grid view mode with User Groups displayed.
Entity Manager: User Groups
Opens the Entity Manager in grid view mode with Users displayed.
Entity Manager: Users
Opens the Entity Manager in grid view mode with Linked Devices displayed.
Entity Manager: Linked Devices
Opens the Entity Manager in grid view mode with Unlinked Devices displayed.
Entity Manager: Unlinked Devices
Opens the Package Manager Package Manager.
Opens the Deploy Manager. Deploy Manager
Opens the Event View Manager. Event View Manager
Opens the Reports Manager. Reports Manager
Opens the Charts Manager. Charts Manager
Status bar
The following options are available from the status bar:
Starts or Stops the Upload Manager. Upload
Starts or Stops the Download Manager. Download
Mobile Security concepts
This chapter includes the following topics:
■ Understanding entities
■ About entity relationships
■ About policy packages and policies
■ Policies
Understanding entities
An entity is a single User Group, User, or Device. The Enterprise administrator can create, modify, and delete entities; determine the relationship between entities; and assign and deploy Policy Packages to entities.
Entities are managed in the Entity Manager and also in the Deploy Manager. Administrators cannot manually add unlinked Devices. Only User Groups, Users, and Linked Devices can be assigned a Policy Package. Only active Linked Devices are eligible for deploy.
Linking devices and device states
Devices are classified as Linked or Unlinked within Symantec Mobile Security Manager.
A Linked Device is a device that has been added to the Symantec Mobile Security Manager database (registered) and linked to a single, existing User. Devices register when they are manually added by the administrator, or automatically when the device communicates with Symantec Mobile Security Manager (Auto-Registration via Mobile Connect). Auto-Registering devices automatically link to an existing User when the linking email value on the registering device matches the email of an existing User (Auto-Linking). Auto-Linked devices begin with a Device State
2
of either Active or Pending depending on the Enterprise-wide preference setting set by the administrator.
Unlinked Device - An Unlinked Device is a device that has Auto-Registered but does not have a linking email value which matched an existing User. Unlinked Devices must be linked to a single, existing User before they can receive a package in a deploy and have their Event Logs available for viewing.
Device state
Devices are further classified by Device State. Device States are described below:
An Active Device is a Linked Device that has been explicitly set to active (activated) by the administrator or a device that was automatically set to active when it Auto-Linked to an existing User. Active Devices can receive Packages in a Deploy and their Event Logs are available for viewing.
Active Device
A Pending Device is a Linked Device that was automatically set to pending when it Auto-Linked to an existing User. Pending Devices must be set to active (activated) by the administrator in order to receive Policy Packages in a deploy and have their Event Logs available for viewing.
Pending Device
A Rejected Device is a Linked or Unlinked Device that has been explicitly set to the rejected Device State by the administrator. A Rejected Device, like all non-Active Devices, cannot receive Policy Packages in a deploy and have its Event Logs available for viewing. Rejected Device
A Suspended Device is a Linked Device that has been explicitly set to the suspended Device State by the administrator. A Suspended Device, like all non-Active Devices, cannot receive Policy Packages in a deploy and have its Event Logs available for viewing. Suspended Device
Users
A User is a person in the mobile community who owns (or potentially owns) a device. A single User can be added to the database using the Enterprise-wide preference setting Add User window. Multiple Users can be added using the Import Users from File Wizard or from a Microsoft Active Directory with the LDAP Import Wizard. A User can own (be linked to) more than one device, but every Linked Device belongs to one and only one User.
User groups
A User Group is a collection of Users. The primary function of a User Group is to facilitate assigning and deploying Policy Packages to devices according to the rules of Policy Package inheritance.
About entity relationships
User Groups, Users and linked Devices are structured in a hierarchical parent to child relationship. This relationship facilitates assigning and deploying Policy Packages.
In this relationship, a User Group is the parent to one or more Users and a User is the parent to one or more Linked Devices. Although Unlinked Devices are defined as entities, they are outside the deploy hierarchy.
When adding entities to your database, the following rules apply:
■ A Linked Device must belong to a single User
■ A User must belong to a single User Group
■ Multiple, Linked Devices can belong to a single User
■ Multiple Users can belong to a single User Group
As you define your entities, particularly User Groups, consider that child entities inherit the Policy Package assigned to the parent entity. For more information on Policy Package inheritance, see the next section, Understanding Policy Packages and Policies.
About policy packages and policies
Symantec Mobile Security software protects the device in four key categories of security; Firewall, Security Management, Intrusion Detection and Integrity Management. Each category is represented by one or more policies in Symantec Mobile Security Manager.
A Policy Package is a complete group of all four categories of policies, seven policies in all. There are four Firewall Policies, one Security Manager Policy, one Intrusion Detection Policy and one Integrity Manager Policy.
A Default Policy Package is in force when the Agent software is first installed on the device. Custom packages can later be created, assigned to entities and deployed to the device.
The Mobile Security Enterprise Agent Software is installed with a predefined, default package, which includes seven policies for each of the four defined categories. After installation, the policies are automatically enforced until a new package is deployed to the device.
Enterprise default package
During setup you are required to designate an existing package (Mobile Security Stateful Default) as your Enterprise Default Package (EDP). Alternately, you can create a new package during setup, and designate that package as the EDP. The EDP then becomes the default package for all the devices in your organization that have not received a specific package via deploy. It is copied to a special area on the web server for pickup and generates a package event in Admin
Tools/Package History. The default location of the file is C:\Symantec\Download\Common\bfp.bfp.
The EDP can be also assigned to entities for deploy just like any other package. This has two advantages.
If you decide to designate a different Package as your Enterprise Default.
■ No reassignment is necessary for any entities assigned the EDP.
■ There is an immediate and automatic deploy to all devices who are targeted to receive the EDP.
Each time the Enterprise Default Package is redesignated or the Agent configuration settings are modified, the default file updates. New devices and devices targeted to receive the Enterprise Default Package automatically download the updated version of the file.
The Enterjprise Default Package is typically distributed with the Agent software so that the device will use your organization’s policies and configuration settings for communicating with the Enterprise via Mobile Connect. If the Agent software is installed without this file, a Symantec-defined package called "Mobile Security Stateful Default" package will go into effect.
Policies
category, four firewall policies are specified for the four security levels available on the Agent.
Firewall policies
A Firewall policy consists of one or more Firewall rules, and is created in the Firewall Policy editor.
Firewall policies are defined by:
■ Setting the policy properties
■ Adding firewall rules
■ Setting rule values (also known as rule customization)
■ Setting the order of the rules
Rules are added to a firewall policy in two ways, either by selecting rules from another firewall policy (or the All Firewall Rules ruleset), or by creating the rule directly by specifying rule protocol, action and port value.
Security Manager policies
The Security policy specifies the settings for basic authentication (PIN or password); blocking of various device features; the behavior of the device when it becomes idle; device PIN or password reset by device user; and how the Symantec software handles encrypted folders.
Integrity Manager policies
The Integrity Manager monitors the state of the device and alerts against integrity violations, which are defined as changes to the device’s core system files, registry entries and directories.
Integrity Manager Policies are predefined. The administrator selects the predefined policy to be included in a package.
If a violation is detected, the Integrity Manager takes some desired action, event logging or device quarantine, based on the action code set in the policy.
Intrusion detection policies
Policy rules defined
Firewall policies consist of one or more customized firewall rules. Customized rules are instances of firewall base rules which have additional values specified for logging, user-defined event severity, IP range and direction. The event logging option allows the Administrator to toggle event logging on or off for a particular rule, controlling log size on the device. Severity level is used to categorize firewall events at a level determined by the Administrator. Severity level can be set to Low, Medium or High or No severity. Severity levels can be filtered in any combination when viewing Event Logs in the Event Log Viewer.
A filter that blocks or allows network packets through defined ports, protocols, IP ranges and direction.
Firewall Rule
A generic firewall rule in which the event logging and severity options are not specified. Base Rules define standard protocols and ports on which network traffic is blocked or allowed. When an instance of a base rule is added to an actual firewall policy, values for logging and severity level must be specified prior to saving the Firewall policy. A library of Base Rules is packaged with Symantec Mobile Security Manager and the administrator may also add new Base Rules.
Base Rule
A Firewall rule that is part of a Firewall policy. An instance of a Firewall Base Rule that has been customized with a value for event logging and severity. Additionally, an IP range can be specified for the rule, and the rule can be set to inbound only or outbound only. Uni-directional rules is not a common use case.
Customized Rule
A Security Manager rule controls device authentication or behavior of the device.
Security Manager Rule
An Intrusion Detection rule defines behavior and actions for intrusive network traffic. Intrusion Detection rules are predefined and cannot be edited.
Intrusion Detection Rule
An Integrity rule defines behavior and actions for events that affect the integrity of the device. Integrity Manager rules are predefined and cannot be edited.
Integrity Manager Rule
About policy package inheritance
When the Administrator assigns a Policy Package to a User Group, all devices linked to Users who belong to the User Group will inherit that Package. No further assignments are necessary unless the Administrator chooses override the User Group's Package by assigning directly at the user or device level.
Policy Package assignments can be changed at any time and new packages can be deployed at any time.
Eligibility
A device that would receive a new package in the event of a complete deploy is said to be an eligible device or eligible for deploy.
Devices become eligible when the following two conditions are met:
■ The device is active
■ The device is assigned or inherits a package other than the package currently deployed to the device
Deploy
Initiating a deploy creates a package file for each eligible device. The package files are available for download from the Enterprise web server. Devices periodically look for new packages. When the new package is installed on the device, the polices go into effect immediately. A deploy is triggered when the Enterprise Default Package is changed.
Reissue
The command Reissue All Deployed Packages causes a package file to be regenerated on the Enterprise server for every device which has previously received a package.
A complete reissue is necessary only in special cases.
■ Application-defined data, such as event types, have changed when the Enterprise itself has been upgraded.
■ The Agent Configuration File has changed. Since the Agent Configuration file is distributed only within a package, this necessitates a reissue.
■ A new Agent license file must be redistributed. Since the Agent license file is distributed only within a package, this necessitates a reissue.
command, Reissue All Deployed Packages, which is available in the main menu under Policies.
The command Reissue Modified Deployed Packages is used to update devices which have received an older revision of the package.
When the rules in a package change, or the selection of policies in a package change, the package is said to have been critically modified. Devices that have already received the package are not eligible to receive it as defined above, but need the new revision. The command Reissue Modified Deployed Package is located in the main menu under Policies. This causes a package file to be regenerated for every device which needs the latest revision of its package.
Note: When a package is critically modified, the Administrator is prompted to reissue that package. In addition, all packages which are eligible for deploy or need reissue can be identified in the Deploy Manager (Packages view).
Managing users and devices
by using the Entity Manager
This chapter includes the following topics:
■ About the Entity Manager
■ Manually adding user groups, users, and devices
About the Entity Manager
Entities are defined as Users, Devices, or User Groups. Together they represent the mobile user community in the organization. The Entity Manager allows logical grouping of entities and definition of entity hierarchies.
Entities are managed through the Entity Manager interface. In the Entity Manager you can do the following:
■ Add, modify and delete entities
■ View entity details
■ Identify Users assigned to each User Group
■ Transfer Users to different User Groups
■ Identify Devices assigned to each User
■ Lock or Unlock the linking email for a Device
■ View entities and the Policy Packages that have been Assigned or Deployed to them
■ Import Users from a file
■ Import Users from Microsoft Active Directory
3
■ Export a list of Devices
The Entity Manager provides a comprehensive picture of all entities in your Enterprise database through two separate views: grid view and tree view. The grid view displays a spreadsheet-like display of all entities for a given entity type. The tree view shows the hierarchical relationship between User Groups, Users and Linked Devices. Both views provide options to add, modify, and delete entities, and allow you to refresh displayed information to reflect updates due to
Auto-Registration, the import of data from a file, or action taken by the Enterprise administrator.
Options in the grid view, tree view or in both views include:
■ Expand/Contract Tree View: Expands or contracts the details for all entities in the tree. (This icon functions only in tree view and is grayed out in grid view.)
■ Modify Entity: Opens the Modify User Group, Modify User, Modify Device, or Modify Unlinked Device window depending on the current selection.
■ Add Entity: Opens the Add User Group, Add User, or Add Device window depending on the current selection.
■ Delete Entity: Deletes the selected User Group, User, or Device. Multiple entities can also be selected in a grid and then deleted using the Delete Entity icon.
■ Refresh from Database: Refreshes the displayed information when new entities have been added externally (for instance, through auto-registration) during the Entity Manager session.
■ Restore Grid to Default: The Restore Grid to Default icon will return the column order and the width of each column in the grid to the default settings. (This icon functions only in grid view and is grayed out in tree view.)
Managing entities from the tree view window
The Entity Manager: tree view window displays entities, and the relationships between them, in a hierarchical format based on their User Group assignment, including details about each User Group, User or Device in your Enterprise database.
To open the Entity Manager: tree view window
◆ Do one of the following:
■ InSymantec Mobile Security Manager, click the Entity Manager: tree view Icon
■ Click Ctrl+H
■ From the expanded Entity Manager: tree view window, click the Expand/Contract tree view toolbar icon
■ Click the Expand/Contract tree view right-click menu option
■ From the Entity Manager: grid view window, click either Ctrl+H or the tree view radio button or the Locate in Tree View button
When the Entity Manager: tree view window initially displays, all User Groups will be listed in the left pane in their collapsed or contracted state.
Note: Unlinked device information is not accessible from the Entity Manager: tree view window. Use the Entity Manager: grid view window.
From within the collapsed or contracted Entity Manager: tree view window you can:
■ View all User Groups
■ See the name, description and deployed Policy Package for each User Group
■ See the total number of Users in each User Group
■ Access a series of right-click menus that will allow you to expand or contract the tree view: modify, add or delete entity information for the selected entity: or refresh the available data from a Microsoft Active Directory or other external database
■ Choose from a set of toolbar icons including Expand/Contract tree view, Modify Entity, Add Entity, Delete Entity and Refresh From Database
■ Switch to the Entity Manager: grid view window by clicking the grid view radio button or, if a choice is highlighted in the left pane, by clicking the Locate in Grid button.
When the tree view window is in the collapsed state, the left pane lists all existing User Groups. If you click on a User Group in the left pane, the status bar at the base of the window will show the User Group name and the number of Users in the User Group. The right pane will also display the name of the selected User Group, along with any available description of the User Group, and the name of the User Group’s Assigned or Deployed Policy Package, if one exists.
The contracted Entity Manager: tree view window has a right-click menu that will allow you to expand or contract the tree view window. From this menu you can also open the Modify or the Add User Group windows, delete a selected User Group, or refresh the User data from a Microsoft Active Directory or other database.
The tree view can be expanded so that each User in each User Group, and each Device assigned to a User is displayed.
A plus sign next to a User Group indicates that one or more Users are assigned to that Group. A plus sign next to a User indicates one or more Devices are assigned to that User.
To expand or contract an individual User Group, double-click the name of the User Group in the left pane or click the plus sign next to the name. Only Users assigned to the selected User Group is displayed.
To expand or contract the list of devices assigned to a specific User, click the plus or minus sign next to the User’s name, or double-click on the User’s name. To view the details of an entity, click on the desired entity in the left pane. Detailed information will display in the Entity Details pane. Information about the selected entity will appear in the status bar at the base of the window.
Clicking the Locate in Grid button will switch to the Entity Manager: grid view window, and will automatically display information about the highlighted entity.
Managing entities from the grid view window
The Entity Manager: grid view window allows you to view and manage entities in a grid format, displaying records in list form for each entity type (User Groups, Users, and Linked and Unlinked Devices). Unlike the tree view, which shows the relationship between the various types of entities, the grid view lets you see all of the information associated with entities of one type.
Within the Entity Manager: grid view window you can:
■ View a list of User Groups, Users, Linked Devices, or Unlinked Devices
■ View Active, Pending, Rejected or Suspended Devices by selecting among display controlling filters
■ View aggregate information about Linked, Unlinked and Active Devices
■ View detail information about User Groups, Users, Linked Devices, and Unlinked Devices
■ Sort and group entity details by column headers
■ Choose from a set of toolbar icons including Add Entity, Modify Entity, Delete Entity, Refresh from Database and Restore Grid to Default
■ Modify the grouping of information and the display order of columns
■ Restore the grid view display to its default settings with a single click
■ Switch to the Entity Manager: tree view window by clicking the tree view radio button
To open the Entity Manager: grid view window
1
In Symantec Mobile Security Manager, press Ctrl+G or select Entities Entity Manager: Grid View from the main menu or2
From the Symantec Mobile Security Manager main menu, select from the User Groups, Users, Linked Devices, or Unlinked Devices icons. The Entity Manager window displays information about the entity type you selected or3
Click the grid view radio button or the Locate in Grid button from the Entity Manager: tree view window.Sorting and grouping with column headers
In the right pane of the grid view you can group rows by one or more column header and customize the order of the headers.
To group displayed data by a given column header, click the column header for the data you want to group and drag it to the dark gray area in the right pane where it says Drag a column header here to group by that column.
In the following Figure, Linked Devices have been grouped first by User Name, then by Device State.
To sort the list in ascending or descending order by any column, click the desired column header. An arrow in each column header indicates if the column is in ascending or descending order.
To change the order of columns, drag and drop a column header to a new position. To restore the view to the default setting, click the Restore Grid to Default icon.
Manually adding user groups, users, and devices
Note: To facilitate deployments where large volumes of Users are being managed, you can add multiple Users from an external file with the User Import Wizard or from a Microsoft Active Directory with the LDAP Import Wizard.
Clicking Entities in the menu bar of Symantec Mobile Security Manager opens a dropdown menu that includes options to access User Groups, Users and Devices. When highlighted, each of these choices offers an Add selection that opens the appropriate window to add the designated entity to the database.
When entered manually, entities can be added from either the grid view or the tree view window. Since each of these methods opens the same Add <Entity> window, this section will focus on adding entities from the grid view.
About entities
User groups, users and devices linked to those users form a hierarchy which makes assigning and deploying packages efficient and logical. Devices can register automatically when they communicate with the Enterprise, or they can be added manually by the Administrator. Users can be added manually or imported in bulk. User Groups are always added manually.
Devices added manually must be linked to an existing user and users added manually must specify an existing user group. It is impossible to manually add a device not linked to user or to have a user who does not belong to a user group. For all Add <Entity> windows, required fields are marked with an asterisk. Data for some fields must also be unique within the database. For each window, you will be notified if you have not met the data requirements.
The Add User Group, Add User, and Add Device windows all contain an optional field for Assigned Package. This option lets you choose the assigned Policy Package to be deployed to this entity. Symantec Mobile Security Manager includes a policy inheritance model that is tied to the entity hierarchy. While this field is optional, it can be used to save steps later in the deployment process.
Note: For more information on Policy Package inheritance, see the Managing Policy Packages and Managing Policies chapters.
Adding user groups and users
To manually add a User Group
1
Select User Groups in the left pane of the grid view window,2
Click the Add Entity icon, or right-click and select Add User Group...3
Enter the User Group Name. The User Group name is a required field and must be unique within the database.4
You can add an optional Description of the User Group name.5
You can select an Assigned Package. The Assigned Package is used to assign a Policy Package to the User Group. See the section, Understanding Policy Package Inheritance for more information on assigning Policy Packages to User Groups.6
Click the Save button. To manually add a new User1
Select Users in the left pane of the grid view window.2
Click the Add Entity icon, or right-click and select Add Users... from the dropdown menu.3
Enter the required fields listed below:Note: A User Group may be added at this point without closing the Add User window. Once the User Group information is saved, the User Group name will be available for selection.
4
Click the Save button.Note: Multiple Users can be added in bulk using the User Import or LDAP Import Wizard. See Adding Users with the User Import Wizard, and the section dealing with adding Users from a Microsoft Active Directory with the LDAP Import Wizard for more information.
Transferring users to user groups
You can transfer users to different user groups. To manually transfer a user to a different user group
1
Highlight Users in the left pane of the grid view.3
Select Transfer Selected Users to User Group, from the right-click menu.4
Select the desired target User Group from the dropdown list. In this example, because Accounting was selected from the dropdown list, Accounting is shown as the target transfer group in the status bar.5
Click Transfer Users.Adding devices
In addition to automatic device registration, devices can be added manually to Symantec Mobile Security Manager. Device ID and User information are required to manually enter a device.
Any Windows Mobile-based device has a unique identifier called the Universal Unique Identifier (UUID). The UUID is a 32-character, industry standard identifier that is stored on the device. This ID is unique across device manufacturers.
Device ID
All devices must have an associated User. A device can belong to only one User, but one User can be associated with multiple devices. User
Changing the linking email of linked or unliked devices
Both the Modify Device and Modify Unlinked Device windows let you link a user to a device in the database. If a user has more than one device, that user can be manually linked to multiple devices.
To manually link a user to one or more devices from the Modify Device window
1
From the Entity Manager: grid view window, right-click the Linked Device you wish to associate with a user and select Modify Device from the popup menu. The Modify Device window will open.2
Next, select the user you wish to link to the device you selected. To do this, at the User: line you can either click Add to bring up the Add User window where you can enter information about a new user and save that information to the Enterprise database, or you can click the dropdown arrow to select from the existing users in the Enterprise database. When you highlight to select a user from the dropdown list, the Linking Email Mismatch window will open.3
Of you click to select the Change link to <user> radio button and click OK, the device you selected will be linked to the indicated user.Deleting entities
A User Group cannot be deleted if it contains users. Users can be sorted by user group in the users grid, selected, and then transferred to a different user group by right-clicking and choosing "Transfer Selected Users to User Group..." After the transfer, a user group can be deleted.
Users can be deleted in two different modes. The Administrator can specify that devices linked to those users should also be deleted, or the Admin can specify that devices linked to those users should be retained and returned to the unlinked state. In either case a record of the deletion is recorded in the Archive\Users and the Archive\Devices directory. See below for the effect of deleting a user’s device.
Note: Hold down the control key to delete a user’s devices while deleting users.
Deleting a device also deletes the device’s events, package history and upload history. A record of the deletion is recorded in the Archive\Devices directory
Note: The primary use cases for deleting entities is to remove sample data (for example, after an evaluation), or to remove obsolete Devices. If deleted unlinked Devices continue to communicate with the Enterprise, they will auto-register and reappear in the database. A different approach is to set the Devices to "Rejected" status and hide them from view.
To delete entities from the grid view window:
1
Open the Entity Manager: grid view window.2
Select the entity type that you wish to delete by clicking in the left-hand pane.3
Highlight the rows in the grid to select the entities to be deleted. Select multiple entities by holding down the Shift or Ctrl key.4
Click the Delete Entity icon, use the Delete key on your keyboard, or select Delete Selected Entities from the right-click menu.Device registration
Note: The value in the device email field is used to link the device to a User with a matching value in the User’s email field. This value can be a unique value such as an employee ID, though an email address is typically used. When Mobile Security Enterprise Agent software is run on a device, information about that device, including the value in the device email field, is automatically collected.
Note: The device registration information will be rejected as invalid if the email address or other linking value contains C-style comments, semi-colon, apostrophe, double-dash, or beginning of string or after a space.
Device auto-registration
Auto-Registration permits large-scale, Enterprise-wide device registration with no intervention required on the part of the Enterprise administrator.
Auto-Registration does the following:
■ Automatically collects data from a Device with Agent software installed
■ Automatically imports a Device into the Enterprise database
Auto-Registration takes place when a device communicates with the Enterprise through Mobile Connect.
The information collected from a device during auto-registration includes the device UUID, model number, agent version number, device telephone number and the device-owner's email address, if available. The UUID is used in the Device ID field of the database to identify the device from all others. The value in the email field is used by the Auto-Linking feature.
Device states
The possible Device States are:
■ Active: An Active Device is a device that has been linked to a User. Active status is either assigned automatically during the Auto-Registration process, or is set following approval by the Enterprise administrator. Active Devices can receive Policy Packages, and their logs can be viewed in the Event Viewer.
Note: Devices with a Device State of Pending are not eligible to receive Policy Packages and their log files cannot be viewed in the Event Viewer. In order to receive Policy Packages and to upload log files, a device must have a Device State of Active.
■ Rejected: The Enterprise administrator must take an action to set a device to the Rejected Device State, or to remove the Rejected Device State once it has been applied. Both Linked and Unlinked Devices may be set to a Rejected Device State. An unlinked Device with a Rejected Device State cannot be linked to a User until the Rejected Device State has been removed.
■ Unlinked: Unlinked status is applied to devices that have Agent software installed and have Auto-Registered, but have not been linked to a User. The Enterprise administrator may want to manually link a device to a User or change an Unlinked Device to a Device State of Rejected in order to prevent activation.
Note: Only Active Devices can upload Event Logs or receive Policy Packages.
Setting the device state for auto-linking devices
You can set preferences for Symantec Mobile Security Manager so that the Device State for Auto-linking Devices is either Active or Pending.
If you choose to set the Device State to Active, all Auto-Linking Devices will be set to an Active Device State when they are added to the Enterprise database. To choose either of these options, start at the Symantec Mobile Security Manager menu, and click Admin Tools > Preferences.
Click the checkbox next to Auto-linking Devices start as Active (uncheck for start as Pending) to set the Device State to Active for all Auto-Linking Devices when they are added to the Enterprise database. Leave the checkbox blank to set the Device State to Pending for all Auto-Linking Devices when they are added to the Enterprise database. This window also has a checkbox that will allow you to select or deselect the Automatically Deploy to newly activated Devices functionality.
Viewing aggregate license and device information
To access the License and Devices tab, click Admin Tools from the Symantec Mobile Security Manager menu, and then click License and Devices. Clicking Refresh updates the displayed information.
Changing the device state of a linked device
For a Linked Device, you can choose among the Devices States of Active, Suspended or Rejected.
To change the device state
1
Open the Entity Manager: grid view window.2
Click to highlight Devices, Linked in the left pane, and click the Modify Entity icon in the tool bar or3
Right-click on the highlighted Devices, Linked list item to open the right-click menu and select Modify Device.4
Click the Device State dropdown menu.5
Click to select from the Device State options of Active, Suspended or Rejected.6
Click the Save button. You can see that the Device State changed in the Entity Manager: grid view window.Changing the device state of an unlinked device
For an Unlinked Device, you can choose among the Device States of Unlinked or Rejected.
To change the Device State of an Unlinked Device: Open the Entity Manager: grid view window.
Click to highlight Devices, Unlinked in the left pane, and click the Modify Entity icon in the tool bar or right-click on the highlighted Devices, Unlinked list item to open the right-click menu, and select Modify Unlinked Device...
Click to select the Device State dropdown menu and choose from the Device State options of Unlinked or Rejected.
Click the Save button. You can see that the Device State changed in the Entity Manager: grid view window.
Locking and unlocking the linking email
Locking the email address of an Unlinked Device from within the Entity Manager protects it from being overwritten with new data. This can be an issue in situations where a device connecting to Symantec Mobile Security Manager has incorrect linking email information. In most instances this is not the case. The administrator could also link the correct email address to a User.
To lock or unlock the linking email of an unlinked device:
From the Entity Manager: grid view window, click in the left pane to select Devices, Unlinked.
In the right pane, click to select the device on which you would like to lock or unlock the linking email. Use Ctrl or Shift to select multiple devices by clicking in multiple rows.
In the right pane, right-click a highlighted device, and click Lock Email on Selected Devices or Unlock Email on Selected Devices.
Import Wizards
This chapter includes the following topics:
■ Adding users with the User Import and LDAP Import Wizards
■ Adding users from a Microsoft Active Directory with the LDAP Import Wizard
Adding users with the User Import and LDAP Import
Wizards
User Import is a feature that lets administrators bulk load User information from an external file. Use the User Import Wizard to import the Users. It is accessed from Symantec Mobile Security Manager by clicking the Entities > Add New Users From File.
The User Import Wizard can be used to import or update multiple Users from a delimited text file. The imported information must adhere to specific data and formatting requirements as outlined later in this chapter.
The import process includes the following steps:
■ Specify Import Parameters
■ Specify Import Fields
■ Specify User Groups that imported Users will be Assigned to
■ Specify Error Handling
■ Handle Error Conditions
■ Approve Import Records
■ View and Save Import Results
4
About using the User Import Wizard
The Import Wizard can be used to add new Users, or to update existing Users. To import data, you must have database owner privileges for your Enterprise database. Before using the Import Wizard, you should be familiar with the location, format and content of your import file, and review the User Import File Requirements section of this chapter.
User Import file requirements
The User import file can be created manually, but it is recommended that the file be created by exporting data from an existing database.
The following tables list all of the fields in the Symantec Mobile Security Manager user grid to which data can be imported, and their corresponding field sizes. You can import data to any of these fields as long as the data and field size requirements are met.
Table 4-1lists the data requirements for the user import file. Table 4-1 Import File Data Requirements
Data requirement Data
Delimited, plain text file File type
First row can be column headers. Column headers are user-defined but cannot exceed a length of 255 characters.
Header First Name Last Name Email address Required fields No order restriction Column order Commas Semicolons Tabs
Pipes (Vertical Bars) Field delimiters
Double Quotes Single Quotes No Quotes Data quotes
Note: The email field in the Symantec Mobile Security Manager database is typically used for linking devices to users records. However, you can link a device to a user record by using any unique value from an external source, such as an employee ID.The only requirement is that the device email field match the value of the email field in the user record.
Table 4-2lists the size limits for each field in the user import file. Table 4-2 Import File Field Size Limits
Maximum Field Size Field 31 First Name 1 Middle Initial 32 Last Name 100 E-mail 20 User Login 50 Department 50 Location 50 Cost Center 50 Telephone 50 Telephone 2 50 Cell Phone 100 E-mail 2 50 Address 50 Address 2 50 City 2 State 10 Zip Code
Preparing your import file
■ Field Delimiters (commas, semicolons, tabs, or pipes/vertical bars)
■ Data Delimiters (double quotes, single quotes, or no quotes)
If your data contains any of the field delimiters listed here, use a different character as a field delimiter. For example, if your data contains commas, use semicolons as the field delimiter, or delimit your data with single or double quotes. For example, assume your data contains commas in the address field, e.g., 123 Main Street, Suite 134. You should use semicolons as the field delimiter, or use single or double quotes as a data delimiter.
Correct formatting
You can format your data using semicolons as the field delimiter (spaces between fields are used for legibility but are not necessary and not recommended):
Joe; Smith; [email protected]; 123 Main Street, Suite 134; Tech Support Sue; Thomas; [email protected]; 3480 E. Elm, 4th Floor; Sales
You can format your data using commas as the field delimiter, but use quotes as data delimiters (spaces between fields are used for legibility but are not necessary and not recommended):
‘Joe’, ‘Smith’, ‘[email protected]’, ‘123 Main Street, Suite 134’, ‘Tech Support’ ‘Sue’, ‘Thomas’, ‘[email protected]’, ‘3480 E. Elm, 4th Floor’, ‘Sales’
Importing users from an external file
You can import new users from an external file. To import new Users from an external file
1
Open the User Import Wizard form within Symantec Mobile Security Manager by clicking Entities Add New Users from File.2
Specify the location of your import file. Click the My Import File is here button.3
Navigate to the location of your import file.4
Highlight the file and click Open. The path and file name will display in the text field.5
Select the character used to delimit (separate) the columns in the import file by clicking in the My data fields (columns) are delimited with: dropdown list.6
Review the settings. The Summary of the import file section of the window will update with each of the selected parameters.Specifying import options
The Specify Import Fields window is used to map columns in the import file to columns in the User table.
The left pane in the window lists the column headers from the import file. The right pane lists the columns in the User table.
You can also select a data column that can be used as an identifier to assign Users to particular User Groups.
To begin mapping columns in the import file to columns in the User table
1
Highlight a column header from the left pane.2
Click the corresponding User table column in the right pane. The User table column will be added next to the column header in the left pane, with an arrow pointing to it.3
Repeat steps1and2until all desired fields in the import file are mapped to a corresponding field in the User table, keeping in mind that unmapped fields are ignored.4
To designate a file column with values that will be mapped to User Groups, highlight the appropriate choice in the left pane, and click User Group Identifier in the right pane. For more information, see the section, Importing Users to Multiple User Groups.5
When all fields are mapped, click the Next button.Note: You can map only one field from the import file to one field in the User table.
Note: You must map to the "First Name", "Last Name", and "E-mail" columns in the right pane in order to proceed. Mapping any additional columns is optional.
Specifying user group import options
The Specify User Group Import window provides two options for assigning Users to User Groups.
The bottom section of the window contains two panes: the User Group Identifier values on the left, and the Existing User Groups on the right.
Note: If you did not designate one of the import file fields to be used as the User Group Identifier in Step 2, you must import Users to a single User Group.
To assign all imported Users to the same User Group
1
Click the Import all my users to this group: option. With this option selected, the bottom section of the screen is grayed out.2
Select a User Group from the dropdown list.Note: Even if you designated a User Group Identifier in step 2, you can still map to a single User Group, in which case the values in the User Group Identifier column will be ignored.
3
If you need to add a new User Group, click the Add New User Group button above the right pane of the bottom section of the window and add a new User Group from the Add User Group window.4
Click Save. The new User Group will be added to the list.5
Select the new User Group from the dropdown list.6
Click the Next button to proceed to Step 4, Specify Error Handling.Note: If you are unsure what group you would like to commit new Users to, create a catchall User Group that you can review once the import is complete. At that point you can manually transfer Users to any of the available User Groups.
Importing users to multiple user groups
Importing Users to multiple User Groups requires that one of the columns in your user import file be mapped to the User Group Identifier. (Refer to Specify Import Fields.)
Any field from the import file can be designated as the User Group Identifier. Of course, the values should support logical groupings of Users and may reflect how Users are categorized within your organization.
To assign new Users to different User Groups
1
Click I will use User Group Identifiers to specify my User Groups. With this option selected, the bottom section of the screen is activated, and if you specified a User Group Identifier, it will be selected automatically.2
Select a User Group Identifier from the User Group Identifier pane.3
Select a User Group from the Existing User Groups pane. The User Group Identifier is mapped to the existing User Group and is updated in the window.Note: An existing User Group can be mapped to more than one User Group Identifier.
4
If you need to add a new User Group, click the Add New User Group button above the right pane of the bottom section of the window and add a new User Group from the Add User Group window.5
Click Save. The new User Group will be added to the list.6
Select the new User Group from the dropdown list.7
Click Next.Specifying error handling options
The Specify Error Handling window allows you to truncate data overflow errors found in your import file.
Setting this option will automatically truncate any data in your file if it exceeds the maximum allowable field length in the User table. You can also select the Overwrite existing user data on import option. Doing so will result in a complete record overwrite.
Note: The Truncate my data on Import option applies the data overflow error rule to all applicable records in the import file without your intervention. The next step identifies specific records that contain errors and allows you to address any fixable errors on an individual basis.
To set the option for data overflow errors for all rows that can be truncated in the import file
1
Click the checkbox next to Truncate my data on import.2
Click Next to proceed to Step 5.To set the option for Overwrite existing user data on import in the import file
1
Click the checkbox next to Overwrite existing user data on import.2
Click Next.Handling error conditions
The Import Wizard runs additional validation on the import file to ensure it meets requirements. If errors are found, they are displayed in a grid in the Handle Error Conditions window.
The Handle Error Conditions window lists one column for each field found in the import file, and has an error description column. Rows are designated by a line number, include a description of what caused each error, and state if each error is fatal or fixable.
Checkbox filters in the View: row near the top of the window allow the window to show or hide Fatal Errors. An example of a Fatal Error would be if a required field in the import file contained no data.
Checkboxes are also available to show or hide Fixable Errors. There are two types of Fixable Errors:
■ Fixable Errors that occur because data in an imported field exceeds the maximum allowable size and therefore must be truncated
■ The Fixable Error of attempting to import a User that already exists in the database if the Overwrite existing data on import checkbox was not selected in the Specify Error Handling Fixable Errors window.
Note: The Truncation condition fields display in blue when selected in the Handle Error Conditions window. If the list is empty, no errors were found in the data.
Fatal errors
Fatal errors cannot be repaired. If a fatal error occurs, the record is not imported. Fatal errors can be caused by:
■ Missing data in one or more of the three required fields: First Name, Last Name, E-mail.
■ Duplicate email address. The email address must be unique for each imported User. Each email address in the file is checked against email addresses in the database.
■ You are not allowed to truncate the email field. Since the email field allows up to 100 characters in length, this is not likely to be an issue.
Fixable errors
Fixable errors can be repaired. If a fixable error occurs, the record can be corrected in the User Import Wizard.
Fixable data overflow errors are caused by data exceeding the maximum allowable field lengths as detailed earlier in this chapter.
To correct a fixable data overflow error
1
At the top of the Handle Error Conditions window, the View row includes three checkboxes that act as filters so that you can quickly select specific groups of records.2
You can also manually click on a row at any time to have that record toggle between being selected or unselected.3
If one or more fixable data overflow errors are selected and the Approve Selected button is clicked, truncated data up to the maximum allowable field size will import automatically, overwriting the information that caused the error.4
The Handle Error Conditions window includes a right-click menu. From this menu, you can select all records with truncation errors, or select all existing Users. You may then truncate the selected records or import the selected Users.6
Records with fatal errors cannot be imported, and truncation is not an available option for the email field. The email field can accept email addresses up to 100 characters in length.7
Click Next.Note: Truncation is not allowed in the E-mail data field.
Approving import records
The Approve Import Records window shown in the following Figure allows you to review all data in your import file before it is imported to the database. To complete the import
1
Verify that the data matches the fields in your input file.2
If you need to make changes, use the Back button.3
If you are satisfied with the data file, click Finish.4
Click Yes to add the new Users to the database.Note: Once you click Yes in the Final Commit (No Undo) message, the records will be added to the database. You cannot undo this action. However, you can delete Users from the database as described in the section Deleting Entities.
Viewing the import results
The summary report shows aggregate information including:
■ The time at which the import took place
■ The number of Devices that were automatically linked, if any. If at least one Device was automatically linked, the Devices Linked button will be enabled
■ The number of lines successfully imported
■ The number of lines not imported
■ The columns that were mapped
