Admin Guide
Vodafone Secure Device Manager
March 2013
© 2013 Vodafone Group Services Ltd. All rights reserved.
This document comprises proprietary and confidential information and copyright material belonging to Vodafone Ltd.
It must not be reproduced, used, published, or disclosed to third parties without the prior written consent of Vodafone
Ltd. The information in this document is subject to change without notice.
All trademarks acknowledged.
Contents
1 Systems Overview ..... 9
1.1 Vodafone Solution Overview ..... 9
1.2 System Requirements ..... 9
1.2.1 Supported Browsers ..... 10
1.2.2 Supported Devices ..... 10
1.2.3 Technical Requirements ..... 10
1.3 Vodafone Secure Device Manager Overview ..... 10
1.3.1 Log in to the VSDM ..... 10
1.3.2 VSDM Overview ..... 11
1.3.3 Navigation Overview ..... 11
2 Setting Up Your VSDM ..... 18
2.1 Overview ..... 18
2.2 Introducing the Getting Started Wizard ..... 18
2.2.1 Prerequisites ..... 18
2.2.2 Using the Getting Started Wizard ..... 19
2.2.3 Use the Setup Checklist ..... 20
2.3 Enabling iOS MDM Support ..... 22
3 Location Groups and User Groups Overview ..... 23
3.1.1 Location Groups ..... 23
3.1.2 Create a New Location Group ..... 23
3.1.3 Modify and Delete a Location Group ..... 25
3.1.4 Additional Location Group Details ..... 26
3.2 User Groups ..... 27
3.2.1 Transitioning to User Groups ..... 27
3.2.2 Set Up User Groups in the VSDM ..... 28
3.2.3 Edit User Group Settings and Management Permissions ..... 29
3.2.4 User Information Actions and Updates ..... 30
3.2.5 Edit User Group Permissions ..... 31
3.2.6 Assign Resources to User Groups ..... 32
3.3 Migrate Basic Users to Directory Users ..... 32
3.4 Bulk Import User Groups ..... 33
4 VSDM Best Practice ..... 34
4.1 Location Groups ..... 34
4.2 User Groups ..... 34
4.3 Transition Options for Best Practices ..... 34
4.4 User Management Changes for Directory Users ..... 35
4.5 User Storage in the VSDM ..... 35
5 Administrative Accounts ..... 36
Vodafone Secure Device Manager R3 - Admin Guide
© 2013 Vodafone Group Services
Page 2 of 249
5.1 Create an Admin Account Manually ..... 36
5.1.1 Import an admin user from Active Directory ..... 37
5.1.2 Create Admin Account Roles ..... 37
5.1.3 Create Administrators in Bulk ..... 38
6 User Accounts ..... 41
6.1.1 User Account Security Types ..... 41
6.1.2 Creating (Single) End Users ..... 44
6.1.3 Create End Users in Bulk ..... 47
6.2 Device Registration ..... 48
6.2.1 Administrator Registers a Single Device ..... 49
6.2.2 Administrator Registers a List of Devices ..... 50
6.2.3 Invites Users to Register ..... 52
6.2.4 End User Registration ..... 53
6.3 Device Staging ..... 55
6.4 Language Management ..... 56
6.4.1 Activating Language Packs ..... 56
6.4.2 Selecting and Changing Language ..... 57
6.4.3 Localisation Editor ..... 58
6.5 Important VSDM Setup considerations ..... 59
7 Device Management ..... 60
7.1 Overview ..... 60
7.2 Dashboard Navigation ..... 60
7.2.1 Location Group Sidebar ..... 60
7.2.2 Dashboard Views ..... 61
7.2.3 Advanced Views ..... 61
7.2.4 Graphical Portlets ..... 62
7.2.5 Dynamic Device List ..... 63
7.3 Device Control Panel ..... 66
7.3.1 Device Information Menu ..... 66
7.3.2 Remote Actions Menu ..... 73
7.4 Device Search ..... 75
7.4.1 Device Search - Left Panel ..... 75
7.4.2 Device Search - Top Panel ..... 77
7.4.3 Device Search - Main Panel ..... 78
7.5 Device Details ..... 78
7.5.1 Device Information ..... 79
7.5.2 Device Activity ..... 83
7.5.3 Configuration ..... 83
7.6 Device Details Management ..... 83
7.6.1 Query ..... 84
7.6.2 Management ..... 84
7.6.3 Support ..... 84
7.6.4 Admin ..... 85
7.7 Administration Event Log ..... 85
7.8 End User Self-Service ..... 86
7.8.1 Enabling the SSP ..... 87
7.9 Retiring a Device ..... 89
7.10 BYOD Configuration Best Practices ..... 90
7.10.1 Assign Profiles and Policies by Ownership Type ..... 90
7.10.2 Configure Privacy Settings ..... 90
7.10.3 Isolate Corporate Content ..... 91
7.11 Important Device Management Considerations ..... 91
8 Profile Management ..... 92
8.1 Overview ..... 92
8.2 Profiles Page ..... 92
8.2.1 Toggling Profile Views for Assignment Testing ..... 93
8.3 Creating Profiles ..... 94
8.3.1 General Settings ..... 94
8.3.2 Create and deploy the profile payloads ..... 96
8.4 Device Profile Capabilities ..... 98
8.4.1 iOS Profiles ..... 99
8.4.2 Mac OS Profiles ..... 100
8.4.3 Android Profiles ..... 100
8.4.4 Blackberry Profiles* ..... 101
8.4.5 Symbian Profiles ..... 101
8.4.6 Windows Mobile ..... 102
8.4.7 Windows Phone and Windows Phone 8* ..... 102
8.5 Profile Payload Descriptions ..... 103
8.5.1 Passcode ..... 103
8.5.2 Restrictions ..... 104
8.5.3 Wi-Fi ..... 106
8.5.4 VPN ..... 107
8.5.5 Email ..... 107
8.5.6 Exchange ActiveSync/Web Services ..... 108
8.5.7 LDAP ..... 109
8.5.8 CalDAV ..... 109
8.5.9 Subscribed Calendars ..... 109
8.5.10 CardDAV ..... 109
8.5.11 Web-Clips/Bookmarks ..... 110
8.5.12 Android Launcher Mode ..... 111
8.5.13 Credentials ..... 111
8.5.14 SCEP ..... 112
8.5.15 Advanced ..... 112
8.5.16 Custom Settings ..... 112
8.5.17 Global HTTP Proxy ..... 115
8.5.18 App Lock ..... 115
8.5.19 Dock* ..... 116
8.5.20 Time Sync* ..... 116
8.6 Geofencing ..... 117
8.6.1 Creating a Geofence Area ..... 117
8.7 Time Schedules ..... 118
8.8 Creating Wi-Fi Profiles in Bulk ..... 120
8.8.1 Create Bulk Wi-Fi Profiles ..... 120
8.8.2 Manage Bulk Wi-Fi Profiles ..... 122
8.9 Important Profile Management Considerations ..... 123
9 Application Management ..... 124
9.1 Using the Applications Page ..... 124
9.1.1 Navigating the Applications Page ..... 124
9.2 Enabling the App Catalogue ..... 127
9.3 Advanced Authentication for App Catalogue** ..... 128
9.4 Enabling Book Catalogue** ..... 130
9.5 Application Categories** ..... 131
9.5.1 Assigning Custom Category to Apps** ..... 132
9.6 Recommending Public Applications ..... 132
9.7 Deploying Internal Enterprise Applications ..... 135
9.8 Advanced Application Assignment ..... 139
9.8.1 Criteria ..... 140
9.8.2 Devices ..... 141
9.9 Application Version Management ..... 142
9.10 Application Notifications ..... 142
9.10.1 Notifying Devices ..... 144
9.10.2 Terms of Use (EULA) Notifications for Apps* ..... 145
9.11 Managing User Feedback and Ratings** ..... 145
9.11.1 View user ratings and comments ..... 146
9.11.2 Delete the user comments ..... 146
9.12 Google Play (Android Market) Integration ..... 147
9.13 Customising Application Profiles ..... 147
9.14 Managing Apple VPP Applications** ..... 149
9.14.1 Upload the Apple VPP Redemption Code Spreadsheet to the VSDM ..... 150
9.14.2 Actions ..... 152
9.14.3 Allocating Redemption Codes ..... 153
9.14.4 Create Purchased Application Messages and Notify Device-Users ..... 156
9.14.5 Manage the VPP Application Deployment ..... 157
9.15 Managing Apple VPP iBooks** ..... 159
9.15.1 Additional Information ..... 160
9.16 Application Workflow* ..... 161
9.16.1 Implementing Application Workflow ..... 161
9.16.2 Enabling Application Workflow ..... 162
9.16.3 Workflow Process ..... 163
9.17 Recommended Applications ..... 165
9.17.1 The Vodafone Secure Content Locker ..... 166
9.17.2 Vodafone Managed Browser ..... 166
9.17.3 Vodafone Launcher App ..... 166
9.17.4 Vodafone Telecom Service App ..... 166
9.18 Important Application Management Considerations ..... 167
10 Content Management ..... 168
11 Managing and Distributing Content ..... 169
11.1 Creating Document Categories
11.2 Publishing an Individual Document
11.3 Uploading and Distributing Multiple Documents
11.4 Important Content Locker considerations
11.5 Using the Content Repository
11.5.1 Navigating Content in Repository Folders
11.6 Managing Documents
12 Content Security and Analytics
12.1 Configure Content Security Settings
12.2 Content Analytics
12.3 Best Practice
13 Email Management
13.1 Email Compliance Policies
13.1.1 Email Policies
13.1.2 General Email Policies
13.1.3 Managed Device Policies
13.1.4 Attachment Security Policies*
13.1.5 Apply Email Compliance Policies
13.2 Email Attachment Control*
13.2.1 Prerequisites
13.2.2 Accessing Attachment Settings
13.2.3 Accessing Protected Email Attachments
13.2.4 Open Encrypted Email Attachments
13.3 Email Management Dashboard
13.3.1 Graphs and Grid
13.3.2 Request Time Views
13.3.3 Email Compliance in the Dashboard
13.3.4 Override an Email Compliance Policy
13.3.5 Dashboard Test Mode
13.4 Important Email Management Considerations
14 Telecom Management**
14.1 Enabling Telecom Setting
14.2 Creating and Managing Telecom Plans
14.2.1 Create a Telecom Plan
14.2.2 Dynamic Assignment
14.2.3 Assign a Rule to a Plan
14.2.4 Edit an Assignment
14.3 Dashboard Usage
14.3.1 Telecom Usage
14.3.2 Telecom Roaming
15 Certificate Management
15.1 Benefits of Using Certificates
15.2 Manage Certificates on the Certificate Dashboard
15.3 Certificate Infrastructure Integration
15.3.1 Direct Certificate Authority Integration
15.3.2 Simple Certificate Enrolment Protocol (SCEP) Integration
15.4 Certificate Template Configuration
15.4.1 For a Microsoft Certificate Authority
15.4.2 For a Verisign Certificate Authority
15.4.3 For a Symantec Certificate Authority
15.4.4 For a OpenTrust Certificate Authority
15.4.5 For a Entrust Certificate Authority
15.5 Utilising Certificates for VSDM
15.5.1 Enterprise Wi-Fi, VPN, and EAS Authentication
15.5.2 S/MIME Email Signing and Encryption
16 Security and Compliance
16.1 Passcode and Restrictions Profiles Overview
16.2 Building Device Compliance Policies
16.2.1 Define Rules
16.2.2 Actions
16.2.3 Assignment
16.3 Application Groups and Policies
16.3.1 Define Application Groups
16.3.2 Android Application Restriction Profiles
16.4 Secure Channel Certificate
16.5 Privacy Policy
16.5.1 Commands Privacy
16.6 Important Security and Compliance Considerations
17 Reports and Alerts
17.1 Reports
17.1.1 Generate Custom Reports
17.1.2 Add a Report to My Reports
17.1.3 Create Report Subscriptions
17.1.4 Additional Reporting Tools
17.2 Alerts
17.2.1 Creation Policies
17.2.2 Routing Policies
17.2.3 View Alerts
17.3 Important Report and Alert considerations
17.4 Syslog
17.5 Integrate Syslog
17.5.1 Schedule Logging Frequency
18 Enterprise Integration
18.1 Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
18.1.1 System Authentication
18.2 User Account & Device Authentication
18.2.1 Active Directory / LDAP Enrolment Configuration
18.2.2 Authentication Proxy Enrolment Configuration
18.2.3 SAML 2.0 Enrolment Configuration
18.3 Advanced Enrolment Settings
18.3.1 Location Group*
18.3.2 Restrictions
18.4 Email Integration
18.4.1 Email (SMTP)
18.4.2 Configure Email Settings
18.5 Enterprise Integration Service
18.5.1 Configuring EIS
18.6 SMS Integration
18.6.1 Configure SMS Settings
18.7 Use the VSDM API
18.8 Important Enterprise Integration Considerations
1 Systems Overview
1.1 Vodafone Solution Overview
Vodafone offers complete mobility management, enabling organisations to easily use and
secure the latest mobile device technology by providing a comprehensive cross-platform
solution for mobile device management.
The Vodafone Secure Device Manager (VSDM) provides a central location for administrators to
manage smart device fleets regardless of operating system, carrier, network or location.
From the VSDM, administrators can manage any mobile device from anywhere in the world.
1.2 System Requirements
The following system requirements should be met before using the VSDM solution.
1.2.1 Supported Browsers
VSDM is certified to run on the following web browsers:
• Internet Explorer 8+.
• Firefox 3.x+.
• Google Chrome 11+.
• Safari 5.x.
Comprehensive platform testing has been performed to ensure functionality while using these
Web browsers. The VSDM may still function in non-certified browsers.
1.2.2 Supported Devices
Vodafone currently supports the following devices:
• Android versions 2.2 and above.
• Blackberry versions 5 and above.
• iOS versions 4.0 and above.
• Mac OSX 10.7+.
• Symbian OS ^3 and S60.
• Windows Mobile 5/6 and Windows CE 4/5.
• Windows Phone 7 and 7.5 Mango.
• Windows Phone 8.
Note: Limited support may be available for other devices/Operating Systems. Contact Vodafone
Support for more information.
1.2.3 Technical Requirements
Technical requirements vary depending on whether you are using Vodafone’s SaaS or On-Premise
solutions. For more details on technical requirements, please refer to the VSDM
Requirements documents for installation and deployment.
1.3 Vodafone Secure Device Manager Overview
1.3.1 Log in to the VSDM
Vodafone provides administrators with a VSDM URL, username, and password. If you do not have
this information, please contact Vodafone support.
Once you have the appropriate credentials, log into the VSDM by:
1. Navigating to the provided URL.
2. Entering in the provided username and password.
1.3.2 VSDM Overview
Manage, monitor, and secure your Enterprise's devices in the VSDM.
Menu
Use the Menu for comprehensive access to all VSDM features. Hover over the Menu dropdown
located in the upper left-hand corner of the VSDM for a top-level view of all available pages. The
VSDM pages are categorised according to their specific device management purpose.
1.3.3 Navigation Overview
Smart device management with Vodafone is centralised in VSDM. Here, administrators have the
ability to manage, monitor, and secure their devices through any browser, anywhere in the world
without having to download or install any additional software.
Add
To the right of the Menu dropdown is the Add dropdown. Hovering over it displays five
selections that allow you to quickly access the options needed to add an application, policy,
content, profile, or device. All of these options are available from the Menu dropdown. The Add
dropdown gives you single-click access to those frequently used options.
My Favorites
Use the My Favorites section to create bookmarks within VSDM to your most frequently used
Menu items.
Dashboard
The Dashboard page is used to manage and monitor devices from top-level groups down to
individual devices.
Reports and Alerts
The Reports page allows administrators to:
• Generate custom reports about the status of their smart device fleet.
• Configure automatic report subscriptions.
• Store common reports for future usage.
Administrators can also create unique alert policies to provide immediate notification when a
device is compromised or enters an unfavourable status.
Profiles and Policies: Profiles
The Profiles page allows administrators to create, edit, and remove all of the corporate profiles
that are sent over-the-air to their smart device fleet. These profiles allow devices to automatically
receive corporate data such as:
• Wi-Fi connections.
• Passcode and restrictions policies.
• Corporate email and calendars.
• The Vodafone App Catalogue.
• Other custom data.
Profiles and Policies: Compliance
The Compliance page is where administrators can designate security policies for their device
fleet so that specific actions take place when devices fail to meet compliance rules. There are
many types of compliance rules that can be selected, but the rules can be divided into three
categories:
• Application Rules.
• Device Rules.
• Email Rules.
Profiles and Policies: Certificates
The Certificates page is where administrators can:
• View a list of all certificates available to devices managed by the VSDM.
• Determine the status of a certificate.
• Determine when a certificate expires.
• Revoke a certificate.
Profiles and Policies: WinMo Provisioning
The WinMo Provisioning page is where administrators can provision and create custom variables
used to manage Windows Mobile devices from the VSDM.
Apps
The Applications page provides a centralised interface for administrators to:
• Recommend public applications and deploy internal applications to their smart device
fleet.
• View Volume Purchase Program (VPP) purchases and licences.
• Create Software Development Kit (SDK) profiles for applications.
• Gather analytics on all applications managed in the VSDM.
Currently, the VPP and SDK are only available on iOS devices.
Content
The Content management pages allow administrators to upload and manage content for secure
deployment to the smart device fleet using the Secure Content Locker (SCL). Currently, the SCL
is only available on iOS and Android devices.
Administration - User and Admin Accounts
The User Accounts and Administrator Accounts pages provide tools for developing a smart
device fleet that is managed by the VSDM.
• The User Account page is used to add, modify, or delete device users.
• The Admin Account page is used to add, modify, or delete Vodafone administrators who
use the VSDM to manage the device fleet.
Administration Event Log
The Event Log pages allow administrators to view logs that are generated by devices and the
VSDM. The Event Log tracks all history of device and VSDM activity. Use the dropdown menus at
the top of the page to sort logs based on date, severity, category types, and VSDM modules.
Device Search
The Device Search and Bulk Management pages allow you to quickly locate one or more
devices or manage groups of devices by name, platform, group, or other criteria. Device Search
also provides the administrator with features such as Warm Boot, finding a device using GPS,
Device Wipe, etc.
Configuration - Locations and Groups
Use the Location Group Configuration page to create an organisational hierarchy for managing
your devices. From this page, add, delete, or modify the device grouping structure as needed, as
well as add Child Location Groups.
Configuration - System Settings
The System Settings page provides a centralised location for all of the configurable settings for
initial environment setup and for ongoing customisation for end-users and for the VSDM.
Advanced
The Advanced page gives the administrator the ability to edit advanced options, including:
• Language settings.
• Custom field definitions.
• Device groups.
2 Setting Up Your VSDM
2.1 Overview
There are a few administrative actions to perform before the end-users can enrol their devices
under VSDM. The Administrator must first establish the organisational hierarchy for the device
fleet by creating three things:
• Location Groups to define the different areas of your corporate hierarchy that manage
and utilise VSDM.
• Admin Accounts to provide VSDM access to all of the administrators of the smart device
fleet.
• User Accounts to associate corporate users with their managed devices.
A collection of useful links for setting up your VSDM can be found on the VSDM by navigating to
Configuration > System Settings > Installation > Getting Started. From here, you will find
links to the following sections within the VSDM:
• Device Enrolment/Authentication Settings.
• SMS/Email Message Settings.
• Location Groups Setup.
• User Accounts Settings.
• Enrolment Messaging Settings.
• Terms of Use Settings.
• VSDM Branding Settings.
• APNs Certificate Settings.
• Device Scheduler Information.
2.2 Introducing the Getting Started Wizard
The Getting Started Wizard displays a customised welcome page the first time you log in to the
VSDM. This walks you through the entire mobile device lifecycle process from deployment to
security, monitoring, management, and support. At the end of the process you are able to install
and manage your smart device fleet.
2.2.1 Prerequisites
In most cases, there are no prerequisites required to use the Getting Started Wizard; by default
it is enabled for all SaaS customers. However, if you are On-Premise and you want the
Welcome page to display the first time you log in, then you need to enable the wizard from the
System Settings page.
Navigate to System Settings > Getting Started and select the Show Welcome Page option.
2.2.2 Using the Getting Started Wizard
Once you have the appropriate VSDM URL and credentials, login as follows:
1. Select the VSDM URL link provided.
2. Enter the provided Username and Password.
3. The Getting Started Wizard starts automatically when you log in to the VSDM for the first
time. In addition, you can access the Welcome page to view the Getting Started options.
2.2.3 Use the Setup Checklist
If you are a first-time user, it is recommended that you follow the guidelines listed in the Setup
Checklist. If you are an advanced user, simply select Skip Getting Started.
On the Welcome page, click Use Setup Checklist to configure the VSDM settings.
Note: You are guided sequentially through each section from beginning to end to complete the
process. Each section contains a series of questions, and your answers lead the wizard to
automatically configure your VSDM by navigating to specific pages.
Setup
You can manage your Apple devices using VSDM by generating an Apple Push Notification
service (APNs) certificate. You can also define different system settings such as Terms of Service
and/or Privacy Policies.
Enrol
You can configure settings such as the general settings, authentication settings, and restrictions
on the device.
Secure
You can define policies and restrictions for your devices. Furthermore, you can assign security
policies to your device so that specific actions can take place when devices fail to meet
compliance rules.
Configure
You can create and deploy the corporate profiles based on the platform.
Manage
You are directed to the Dashboard page. Here, you can manage and monitor devices from
top-level groups down to individual devices.
Note: The entire setup status is shown by the progress indicator in the left panel.
Click Next Steps to configure other advanced settings and edit more options for your device
in the VSDM.
Customisation
You can customise the look of the VSDM to suit your organisation's needs.
Advanced Device Settings
You can configure settings for device enrolment, device restrictions, and privacy. In addition, in
the Advanced pages you can give a device a name so that it is easy to recognise, and set language
settings, custom field definitions for the lookup fields, and device groups.
Enterprise Integration
The VSDM securely integrates with AD/LDAP, Certificate Authorities, Email infrastructures, and
other enterprise systems. This is automatically configured during the EIS installation behind your
firewall. You can still modify anything on this page such as certificates for access to corporate
Email, Wi-Fi, VPN networks, and more when the configuration has been initialised by EIS after
installation.
App Management
You can view, manage, push, and recommend public applications, and deploy internal or
purchased applications to your devices over-the-air.
Content Management
You can configure the content so that it can be accessed in online or offline modes based on
device ownership and location groups. Enable EIS integration to provide users with direct links to
folders, network drives, or even SharePoint directories containing various documents to upload
into the Secure Content Locker. Currently, Content Management is an additional product.
Availability may vary, depending on your local market.
Email Management
You can restrict corporate Email access for both managed and unmanaged devices. You can also
troubleshoot Email server requests through the Secure Email Gateway Dashboard.
The initial configuration is now complete. Once you have finished setting up, click Menu and
begin using the VSDM.
2.3 Enabling iOS MDM Support
The Apple Push Notification service (APNs) is used to allow Vodafone or any other MDM
vendor to securely communicate with your devices over-the-air (OTA). Each organisation needs
its own APNs certificate to ensure a secure mechanism for its devices to communicate
across Apple’s push notification network. Vodafone uses your APNs certificate to send
notifications to your devices when the Administrator requests information or during a defined
monitoring schedule.
Run this wizard by navigating to System Settings > Device > iOS > APNs for MDM. For
additional help, see the Generating an APNs Certificate for MDM in v6.1 SP1 and Greater
document.
3 Location Groups and User Groups
Overview
VSDM offers organisations several options to manage and organise their users:
• Location Groups – With Location Groups, users can be organised into hierarchical units
that may represent physical location divisions and/or organisational structures.
• User Groups – User Groups are tied directly to an organisation's existing Active Directory
structure. You can assign resources and manage the permissions of users based on their
assigned Directory User Groups.
When used conjunctionally, Location Groups and User Groups can allow administrators to fully
optimise and leverage their VSDM.
Note: User Groups can only be used if your organisation is currently using LDAP/Active Directory.
3.1.1 Location Groups
Within large enterprises, IT departments have to meet the requirements of different users across
functional, organisational, or geographical groups. One of VSDM's solutions to this requirement
for multi-tenancy is Location Groups.
You can create rich location group structures that align with the corporate hierarchical structure
to provide customised and scalable MDM solutions for corporate users.
Note: If your organisation is currently using Active Directory to manage its employees on the
network, you should look to leverage User Groups integration (see "User Groups") in conjunction
with Location Groups. This maximises the control over your VSDM setup (see "VSDM Best
Practice").
With an evolving corporate structure comes the need to create additional location groups and
locations. The steps below outline the process of creating a location group and associated
location.
3.1.2 Create a New Location Group
Complete the following steps to create a location group:
1. Navigate to Configuration > Locations & Groups.
2. Select a Parent Location Group from the list.
o The parent location group is the location group that is one hierarchical level up from
the one that is being added. Once complete, the new group is listed a level below the
parent group.
3. Select Add Child Location Group to open the new location group form. Once complete,
the new group is listed a level below the parent group.
4. Complete the required location group information.
o Location Group Name - The display name for the location group that is shown in the
VSDM.
o Group ID - The activation code used by a device to enrol into this location group. This
dictates what profiles, applications, and policies are inherited to the device based on
what is configured at this location group. The administrator needs to provide end-users
with their group ID in order to complete the enrolment process. Administrators can
leverage User Groups (see "User Groups") to automatically assign Group IDs and roles based
on user group membership.
• To configure the VSDM to automatically select a user's group ID based on user
group membership (Directory Services integration must be set up), navigate to the
Enrolment page under System Settings and choose Automatically Select under
group assignment mode.
5. Select the Add Default Location box and fill in the required default location information:
o Display Name - The display name of the location is shown in the VSDM.
o Internal Name - The unique name that is internally used to define this location.
6. Click Save. The new location group and location have been created.
3.1.3 Modify and Delete a Location Group
Location Group Details provide the ability to modify and delete the location group information
including the Group ID.
Use the following steps to modify or delete a Location Group:
1. Navigate to Configuration > Locations & Groups.
2. Choose the Location Group you wish to modify or delete.
3. Ensure that you have the Location Group Details tab selected and then modify any of the
fields listed below.
o Location Group Name - The display name for the location group that is shown in the
VSDM.
o Group ID - The activation code used by a device to enrol into this location group. This
dictates what profiles, applications, and policies are inherited to the device based on
what is configured at this location group. The administrator needs to either provide
end-users with their group ID or configure the VSDM to automatically select Group ID
based on user group role in order to complete the enrolment process.
o Location Group Type/Country/Locale - Used for internal classification only.
o Default Location - The default location is where devices are automatically assigned
when enrolled in the location group.
4. Click Save to save your modifications.
5. Click Delete to delete the location group.
Note: To delete a location group, there must not be any child Location Groups below it. If there
are, delete all child groups from the lowest level up, until you are able to delete the original
group.
3.1.4 Additional Location Group Details
The administrator can also set several additional fields to provide additional information to the
location groups. These fields have no effect on the operation of the location groups, but can be
used to provide additional detailed information for logging purposes.
Locations are an organisational unit into which enrolled devices are placed. By default, each
Location Group has at least one Location, known as the Default Location.
Note: Without a default location, devices cannot be enrolled at that specific location group.
Location types provide the ability to classify Locations based on the corporate structure (for
internal use in the VSDM).
Location Statuses provide the ability to classify if a Location is active or is in the future (for
internal use in the VSDM).
3.2 User Groups
User Group integration allows you to further streamline the VSDM management by leveraging
existing LDAP/AD user groups in VSDM.
Once successfully integrated into the VSDM, user groups act as filters (in addition to location
groups) for assigning profiles, applications, and policies. After implementing user group
integration, you can more easily perform tasks in the following areas:
• User Management - You can more closely align users in the VSDM with their pre-existing
LDAP/AD user associations, making it easier for you to streamline user management.
• Profile and Policy Assignment - Assign profiles, applications, content, and compliance
policies to groups of users according to the existing groups and distribution lists.
• Integrated Updates - Instruct the VSDM to automatically update assignments based on
directory user group changes. You also have the ability to request approval if the number of
changes exceeds a specified threshold.
• User Group Management Permissions - Set advanced management permissions to only
allow approved administrators to change VSDM assignments for certain user groups.
• Enrolment - Allow all users to enrol in the VSDM using the same group ID (Location Group)
even though their devices may receive different corporate resources.
3.2.1 Transitioning to User Groups
Both new and existing VSDM customers with an LDAP/AD infrastructure can easily leverage their
LDAP/AD groups in the VSDM.
Prerequisite
Before beginning the user group transition process, Directory Services (see "Lightweight
Directory Access Protocol (LDAP) and Active Directory (AD) Integration") and Enterprise
Integration Services (EIS), when used, must be enabled in the VSDM at the level of the root
location group.
For example, if the root location group is Internal and EIS integration is in place, EIS integration
should be enabled with the Internal location group selected on the left-hand side of the screen,
as shown below.
Note: The existing assignment is not affected when you import user
groups. In order to facilitate the transition process and ensure that your users do not experience
any disruption to their current configurations, the administrator must manually apply policies to
user groups as needed.
3.2.2 Set Up User Groups in the VSDM
Regardless of whether or not you have existing location groups in the VSDM, it is easy to leverage
both user groups and location groups. To set up user groups, first ensure that the EIS
prerequisites (when EIS is used) are satisfied.
User groups can be set up one group at a time or the administrator can use the User Group bulk
import feature to add multiple user groups at the same time.
Use the following steps to set up single user group associations in the VSDM based on AD/LDAP
groups:
1. Navigate to Users > User Accounts > User Groups.
2. Go to the Location Group menu on the left and designate an existing location group as the
primary root location group from which the administrator manages devices and users.
3. Click Add. The Add Directory form displays.
4. Enter the user group key words in the Search Text field and click Search.
5. Select the desired directory groups from the search results. The Add Directory Group
screen displays and you can proceed with mapping your existing LDAP/AD group
assignments with your new user groups.
6. Tick the Auto Sync and Auto Merge Checkboxes - When you initially import user groups,
they automatically sync and merge with the existing user group assignments. You should
tick these boxes to ensure that your user group assignments are updated on a regular basis.
o Auto Sync - The Auto Sync feature collects changes in LDAP group membership
(without taking any action on those changes).
o Auto Merge - The Auto Merge feature saves any of the changes detected from the
Auto Sync process and merges them into user groups.
7. Enter a number in the Maximum Allowable Changes box when you add a directory group
to establish the maximum allowable number of group membership changes to be merged
into VSDM. You can edit this number in the User Group Settings.
3.2.3 Edit User Group Settings and Management Permissions
An additional benefit of user group integration in VSDM is increased management flexibility
enabled by user group settings for automatic updates and editing permissions.
Edit User Group Settings
User group settings can be configured to automatically detect each time a user leaves or joins a
group. The administrator can set a maximum allowable number of automatic changes, and any
changes that exceed this threshold require administrator approval.
Use the following steps to edit User Group Settings:
1. Navigate to Accounts > Users > User Groups.
2. Ensure that the root location group for your device fleet has been selected if
management permissions are required.
3. Select the Actions menu next to the user group and click Edit. The General tab displays by
default.
4. Define the following:
o Type - By default, Directory is selected.
o Group Name - The User Group name.
o Distinguished Name - The distinguished name of the User Group.
o Relative Distinguished Name - The relative distinguished name of the User Group.
o Managed By - The Location Group under which the User Group is added.
o Auto Sync With Directory - Auto syncs the users in the group as per addition or
deletion of users on the LDAP/AD server.
o Auto Merge Changes - Applies the changes to the User Groups without the need for
administrator approval. For example, when a user is moved to a different User Group,
the Auto merge option reflects this change on the VSDM.
o Add Group Members automatically - Allows group members to be extracted from
Active Directory automatically for the creation of user accounts.
o Group Assignment - Click the link to set the default role, ownership, and action for
users. You can also map User Groups to that of the directory.
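The interaction of Auto Sync, Auto Merge and the Maximum Allowable Changes threshold described in sections 3.2.2 and 3.2.3 can be modelled as below. This is an added illustration, not VSDM code: the class, function and status names are hypothetical, and it assumes that a batch whose change count exceeds the threshold is held whole until an administrator approves it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class UserGroup:
    """Local copy of one imported directory group (hypothetical model)."""
    name: str
    members: Set[str]
    auto_sync: bool = True
    auto_merge: bool = True
    max_allowable_changes: int = 25
    # Changes detected by a sync but not yet merged: (to_add, to_remove).
    pending: Optional[Tuple[Set[str], Set[str]]] = None
    audit: List[str] = field(default_factory=list)


def collect_changes(group: UserGroup, directory_members: Set[str]):
    """Auto Sync step: detect joins and leaves without acting on them."""
    to_add = set(directory_members) - group.members
    to_remove = group.members - set(directory_members)
    return to_add, to_remove


def apply_changes(group: UserGroup, to_add: Set[str], to_remove: Set[str]) -> None:
    """Merge step: write the detected changes into the local user group."""
    group.members = (group.members | to_add) - to_remove
    group.pending = None


def sync(group: UserGroup, directory_members: Set[str]) -> str:
    """Run one sync cycle and report what happened to the detected changes."""
    if not group.auto_sync:
        return "sync-disabled"
    to_add, to_remove = collect_changes(group, directory_members)
    count = len(to_add) + len(to_remove)
    if count == 0:
        return "no-change"
    if group.auto_merge and count <= group.max_allowable_changes:
        apply_changes(group, to_add, to_remove)
        group.audit.append(f"merged {count} change(s)")
        return "merged"
    # Either Auto Merge is off or the batch is too large: hold for approval.
    group.pending = (to_add, to_remove)
    reason = "over threshold" if group.auto_merge else "auto merge off"
    group.audit.append(f"held {count} change(s): {reason}")
    return "pending-approval"


def approve_pending(group: UserGroup, admin: str) -> bool:
    """Administrator approval releases a held batch into the user group."""
    if group.pending is None:
        return False
    to_add, to_remove = group.pending
    apply_changes(group, to_add, to_remove)
    group.audit.append(f"approved by {admin}")
    return True


def demo():
    # Constructed sample data: a 40-member group with a threshold of 5.
    staff = {f"user{i:02d}" for i in range(40)}
    group = UserGroup("Sales", set(staff), max_allowable_changes=5)

    # Routine churn: one leaver and one joiner merge automatically.
    first = sync(group, (staff - {"user00"}) | {"user40"})

    # The directory suddenly reports only three members, for example after
    # a broken search filter. The 37 removals are held, not applied.
    second = sync(group, {"user01", "user02", "user03"})
    size_while_held = len(group.members)

    approve_pending(group, "root-admin")
    return first, second, size_while_held, len(group.members)


if __name__ == "__main__":
    print(demo())
```

A low threshold on groups that gate sensitive profiles means an unexpected mass change in the directory stops at the approval step instead of silently re-assigning resources.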
3.2.4 User Information Actions and Updates
The VSDM syncs with the LDAP/AD database on a regular basis to retrieve updates to group
membership. The VSDM automatically performs the following actions when changes in user
attributes or user group membership are detected:
• Updates user attributes that are changed in LDAP/AD.
• Performs an enterprise wipe on the device when a user is deactivated in LDAP/AD.
• Enforces roles and permissions for administration based on LDAP/AD user group.
Additionally, the VSDM has the option to automatically assign Group IDs and roles based on user
group membership, and the ability to enforce enrolment restrictions by user group. These
options further streamline the enrolment process.
To configure enrolment restrictions (such as the maximum number of devices per user), navigate to:
Configuration > System Settings > Device > General > Enrolment.
3.2.5 Edit User Group Permissions
User groups allow corporations to re-consider who within the organisation has permission to edit
specific groups. For example, if an organisation has a user group for company executives, they
may not want lower level administrators to have management permissions for that user group.
Use the Permissions page to control who can manage specific user groups and who can assign
profiles, compliance policies and applications to user groups.
1. Navigate to Users > User Accounts > User Groups.
o If management permissions are required, ensure the root location group for your
device fleet has been selected.
2. Select the Actions menu next to the user group you wish to edit.
3. Select the Permissions tab and specify the following permissions:
4. Select the Location Group for which you would like to define permissions.
5. Define the following:
o Permissions - Use this option to determine the permissions an administrator can
perform on the User Groups.
• Manage Group (Edit/Delete) - Allows administrators to edit or delete any group.
• Manage Users Within Group and Allow Enrolment - Allows the administrators to
allow enrolment of the users, and edit or delete any user under that group.
• Use Group for Assignment - Allows the administrator to assign profiles, apps,
content, and compliance policies to the User Group.
o Scope
• Administrator Only - Applies the above mentioned permissions to only the
administrator of this specific Location Group.
• All Administrators at or below the location - Applies the above mentioned
permissions to the administrator of this specific Location Group as well as the child
Location Groups.
3.2.6 Assign Resources to User Groups
User groups, when integrated with VSDM, provide additional criteria for assigning profiles,
compliance policies, applications, and content.
User Groups appear as an assignment field for these VSDM resources. The user group name is
followed by the @ symbol then the name of the Location group at which the user group was
created.
Use the following steps to navigate to the appropriate editing page, and then continue to the
instructions for assigning the VSDM policy to user groups.
1. Navigate to the appropriate page in the VSDM. You can assign existing resources to user
groups by selecting the appropriate policy and selecting Edit from the Actions menu.
If it is a New assignment, create or upload the profile, policy, content, or application and fill
in the assignment fields to deploy the resource to a user group.
2. In the Location Group field, select the appropriate assigned location
group.
3. Select one or more User Groups to receive the resource.
4. Click Save and publish the form.
Policy Assignment Notes
If the administrator assigns something to both a location group and a user group, the system uses
the user group as an additional filter for assigning the profile.
Even if you select a very large location group, the system only applies the policy to the users who
are a member of the user group and have a device that is in the assigned location group.
The administrator may wish to use both location groups and user groups to configure more
advanced settings.
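The filtering rule in the Policy Assignment Notes can be checked with a small model like the one below. This is an added illustration, not VSDM code: the hierarchy, users, devices and function names are constructed, and it assumes that an assignment to a location group also covers its child location groups.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed location group hierarchy: child -> parent (None marks the root).
PARENT: Dict[str, Optional[str]] = {
    "Global": None,
    "EMEA": "Global",
    "London": "EMEA",
    "Madrid": "EMEA",
    "APAC": "Global",
}

# Constructed directory user groups and their members.
USER_GROUPS: Dict[str, Set[str]] = {
    "Executives": {"alice", "dana"},
    "Sales": {"bob", "carol", "dana"},
}


@dataclass(frozen=True)
class Device:
    serial: str
    owner: str
    location_group: str


@dataclass(frozen=True)
class Assignment:
    resource: str
    location_group: str
    user_groups: FrozenSet[str] = frozenset()  # empty: location group only


def is_at_or_below(group: Optional[str], ancestor: str, parent=PARENT) -> bool:
    """True if `group` is `ancestor` or sits anywhere beneath it."""
    seen = set()
    while group is not None and group not in seen:
        if group == ancestor:
            return True
        seen.add(group)  # guards against a cyclic hierarchy
        group = parent.get(group)
    return False


def user_group_label(user_group: str, created_at: str) -> str:
    """Assignment-field label: user group name, '@', then its location group."""
    return f"{user_group}@{created_at}"


def targets(assignment: Assignment, devices: List[Device],
            user_groups=USER_GROUPS, parent=PARENT) -> List[str]:
    """Serials of the devices that receive the resource."""
    allowed: Optional[Set[str]] = None
    if assignment.user_groups:
        # An unknown or empty user group contributes nobody, so the
        # assignment narrows to nothing instead of the whole location group.
        allowed = set()
        for name in assignment.user_groups:
            allowed |= user_groups.get(name, set())
    hits = []
    for dev in devices:
        if not is_at_or_below(dev.location_group, assignment.location_group, parent):
            continue
        if allowed is not None and dev.owner not in allowed:
            continue
        hits.append(dev.serial)
    return sorted(hits)


# Constructed device inventory.
DEVICES = [
    Device("D1", "alice", "London"),
    Device("D2", "bob", "London"),
    Device("D3", "carol", "Madrid"),
    Device("D4", "dana", "APAC"),
    Device("D5", "alice", "APAC"),
]

if __name__ == "__main__":
    for a in (
        Assignment("VPN profile", "Global"),
        Assignment("Board documents", "EMEA", frozenset({"Executives"})),
        Assignment("CRM app", "Global", frozenset({"Sales"})),
    ):
        print(a.resource, "->", targets(a, DEVICES))
```

Running an expected-targets check like this against an export of devices and group membership is a quick way to confirm that a sensitive profile reaches only the intended user group before it is published.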
3.3 Migrate Basic Users to Directory Users
Administrators that have enabled AD/LDAP integration and wish to leverage user groups in the
VSDM can easily migrate their existing users from Basic Users to Directory Users.
Use the following steps to begin the user migration process:
1. Navigate to Accounts > Users.
2. Go to the System Settings view on the left-hand side of the page, select User Migration.
3. Select the Basic users to migrate.
4. Click Migrate.
3.4 Bulk Import User Groups
To save time and effort when importing your LDAP/AD User Groups into the Vodafone Secure
Device Manager, administrators can upload user groups in bulk through the batch import feature.
Use the following steps to upload user groups in bulk:
1. Navigate to Accounts > Users > User Groups.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
o Batch Name - The name of the user group batch for reference in the VSDM.
o Batch Description - A description of the particular user group batch for reference.
4. Click
to open up the Bulk Import Help Topic Form.
5. Select Download Template to download the Batch Import Template.
6. Save the template as a CSV file.
7. Enter the required user group information in the template. The template information is the
same as the fields required when setting up an individual user group. For more information
on these user group settings, such as Auto Sync and Auto Merge.
8. Click Browse to upload the CSV file containing your user group information.
If the Batch Import does not complete successfully, view and troubleshoot errors by selecting
Batch Status (under System Activity on the User Accounts page). Select Actions > View
Errors to view the specific batch import errors.
4 VSDM Best Practice
4.1 Location Groups
When configuring your VSDM, it is recommended that Location Groups be used to define
hierarchical organisational units and physical location divisions.
Location groups alone in the VSDM control the following capabilities:
• Asset Tracking - Location groups define which business units the devices live at, so be
sure to consider the device groupings you wish to view on the VSDM dashboards. Location
Groups are still the primary filter on all pages for all dashboards and views.
• System Settings - System settings are tied to Location groups. You must define different
location groups if you need different system settings, such as Enterprise Integration Server
settings, EULAs and/or Privacy Policies.
Location Groups can also be used to accomplish the following:
• Setting Permissions - Use Location Groups to set administration management
permissions in the VSDM. Administrators can leverage user groups to automatically assign
user and administrator roles in the VSDM.
• Assigning profiles, policies, content and applications - While it is possible to assign
these resources to User Groups, it is also possible to just assign them to Location Groups.
4.2 User Groups
When configuring your VSDM, it is recommended that User Groups be used to define Security
Groups and/or Business Roles within your organisation.
It is also recommended that User Groups be used to assign Profiles, Compliance Policies,
Content, and Applications to users/devices.
4.3 Transition Options for Best Practices
If you have previously defined Location Groups to represent user Security Groups and are now
considering the use of User Groups, one of the following options may help you streamline your
VSDM:
Reconfigure your system to associate Profiles, Applications and/or Enrolment
Restrictions with User Groups:
• Assign each profile, app, and enrolment restriction to the appropriate User Group(s).
• Change the Location Group assignment to a Location Group one level up.
• Add the User Group assignment.
You may choose to reconfigure your hierarchy to remove old or unused Location Groups
(keep in mind that location groups still serve several purposes in the VSDM):
• Move devices to a Location Group one level up.
• Delete the old Location Group(s).
You can choose to leave your structure as-is:
• The Location Group can be considered the 'Primary Security Group' of the device.
• The User Groups are used for assigning profiles and policies.
• The old, unused Location Groups can remain for asset tracking purposes.
4.4 User Management Changes for Directory Users
In addition to the integration of user groups into the VSDM, there are a few changes to user
management for Directory authentication type users. If you currently use Directory Services in
the VSDM, please note the following:
• Directory users can now only be created at the same level as the one where directory
services settings are enabled.
o In order to delete or edit a user account, you must be at the same level as the directory
services settings.
o To add a device to an existing VSDM user account, you must be at a lower level than
the root location group where Directory Services are enabled.
• There is now only one location in the VSDM System Settings for Directory Services (called
Directory Services). The same directory settings are used for both enrolling and logging
into the VSDM.
• Directory Service settings now allow the administrator to configure custom mapping of
user attributes in the VSDM to LDAP user attributes.
4.5 User Storage in the VSDM
The addition of user groups also has an impact on where directory users are stored in the VSDM.
Once you have completed the transition to user groups, the VSDM performs the following
actions:
• Directory users are moved to the level where directory service settings are in the VSDM.
You still see them at the Location Group level where they have a device enrolled, but the
users can only be managed at the same level as the directory service settings.
• After the upgrade to user groups, the VSDM runs a migration process that migrates the
Distinguished Name of existing directory users into the VSDM.
5 Administrative Accounts
Management of the smart device fleet often requires several administrators to have access to the
VSDM and it may be necessary to add or remove administrative accounts. The VSDM provides an
easy way to create and manage multiple administrative accounts.
5.1 Create an Admin Account Manually
Use the following steps to create an administrative account manually:
1. Navigate to Account > Administrators.
2. Select a Location Group in the upper left-hand corner. This is the default location group
for this administrator account. Make sure to select the highest level of access that the
administrator needs. Once logged in, they will have access to all child Location Groups that
are listed below the one selected.
3. Click Add User. The Add/Edit User form displays:
4. Select Basic to manually create the Admin user or select Directory to import the user info
from an Active Directory account.
5. Enter a Username and Password for the admin account.
6. Tick the Require password change at next login checkbox to force the administrator to
change their password after the first time they log in.
7. Complete the additional Basic Information fields:
a. First Name, Last Name and Email - The name and Email address of the administrator.
b. Primary Role - The primary role determines the level of permissions that the new
administrator holds. For instance, if the administrator is a helpdesk operator, then a
Helpdesk role with limited access may be the best fit. The roles are configured
separately from the administrative accounts.
c. Default Landing Page - The first page that an administrator views after authenticating
into the VSDM. To change this field, clear the contents and begin typing the name of any
VSDM page.
8. Complete any additional Details or Notes that are visible in the VSDM.
9. Click Save to create the new administrative account.
5.1.1 Import an admin user from Active Directory
Before you begin, you must have already configured Directory Services within the VSDM.
Use the following steps to create an administrative account by importing an admin user from
Active Directory:
1. Navigate to Accounts > Administrator.
2. Select a Location Group in the upper left-hand corner. This is the default location group
for this administrator account. Make sure to select the highest level of access that the
administrator needs. Once logged in, they will have access to all child Location Groups that
are listed below the one selected.
3. Click Add User and complete the required fields.
4. Select Directory to import the user information from an Active Directory account.
o Select the appropriate directory.
o Enter the user's username from AD and click Check User.
5. Complete the remaining fields as required.
6. Click Save to create the new administrative account.
5.1.2 Create Admin Account Roles
Admin roles allow your business to control the security and permissions of your VSDM
administrators by restricting access to components of the VSDM. You can directly control the
administrator’s access by creating a new role or editing an existing role.
Use the following steps to create admin account roles:
1. Navigate to Accounts > Administrators.
2. Select Roles in the bottom left corner to edit an existing role or create a new one.
3. Click Add Role and complete the form.
o Name/Description - Choose a descriptive role name so that the role can be easily
assigned to a user.
o Select Resource Categories to define the level of access that is available for different
components of the VSDM. Click the name of the resource category to view a list of
resources available for each category on the right.
o To quickly locate resources of a specific type, use the search bar in the upper right-hand corner.
4. Click Save and the new role is available to assign to administrators.
5.1.3 Create Administrators in Bulk
In an effort to streamline the process of importing your administrators into the VSDM,
administrators can upload other administrators in bulk using the Admin Accounts batch import
feature.
Use the following steps to create end-user accounts of any type (Basic, Directory based, or
Authentication Proxy) in bulk:
1. Navigate to Accounts > Administrators.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
o Batch Name - The name of the user/device batch for reference in the VSDM.
o Batch Description - A description of the particular user/device batch for the VSDM
reference.
4. Click
to open up the Bulk Import Help Topic Form.
5. Select Download Template to download the Batch Import Template.
6. Enter all relevant information for each user in the template. A sample user has been added
to the top of the template for reference on what type of information to put into each
column.
Note: Mandatory fields are designated with *. Also, you can use the Show Time Zone and Show
Culture Code on the template download popup to view the available values for these fields.
o All of the fields in the template are identical to the fields that are used during the
Admin Account Creation process.
7. Save the template as a .CSV file.
8. Select Browse from the Batch Import Form and select the .csv file that was created.
9. Click Save to register all listed users and corresponding devices.
6 User Accounts
User accounts are utilised by end-users of the VSDM to associate devices to their respective
corporate users. Vodafone recommends that for each end-user, an associated user account is
created for full scalability. Therefore, as corporate smart device fleets expand, administrators
need to periodically create additional user accounts. Administrators can quickly configure and
manage user accounts directly in the VSDM on the Users page.
6.1.1 User Account Security Types
User accounts can be configured in a number of different ways depending on your business
requirements, deployment model, and enterprise infrastructure. The following section describes
the different configurations and further sections detail how to create user accounts of each type.
Basic authentication
Basic Authentication can be utilised by any VSDM architecture, but offers no integration to
existing corporate user accounts.
• Pros – Can be used for any deployment method, requires no technical integration, requires
no enterprise infrastructure
• Cons – Credentials only exist in VSDM and do not necessarily match existing corporate
credentials. Offers no federated security or single sign-on. Vodafone stores all usernames
and passwords. Administrators do not benefit from the use of User Groups when setting up
their VSDM environment.
Active Directory / LDAP authentication
Active Directory/LDAP authentication is used to integrate user and admin accounts of the VSDM
with existing corporate accounts. However, because this requires the VSDM server to be in direct
contact with a corporate domain controller, this is typically only recommended for on-premise
architectures.
• Pros - End-users now authenticate with existing corporate credentials. It is a secure
method of integrating with LDAP / AD for On-Premise deployments. Standard integration
practice.
• Cons - Requires an AD or other LDAP server. Only used for On-Premise deployments.
Active Directory / LDAP authentication with Vodafone Enterprise Integration Service
Active Directory/LDAP authentication with Enterprise Integration Service provides the same
functionality as traditional AD/LDAP authentication, but allows this model to function across the
cloud for SaaS deployments. The Enterprise Integration Service also offers a number of other
integration capabilities as shown below.
• Pros – End-users authenticate with existing corporate credentials. Only requires a single
firewall port opened between the EIS server and Vodafone SaaS (port 443). Transmission of
credentials is encrypted and secure. It also offers secure configuration to other
infrastructure such as BES, Microsoft ADCS, SCEP, SMTP servers.
• Cons – Requires the Enterprise Integration Service to be installed behind the firewall or in a
DMZ. Additional configuration is required.
Authentication Proxy
Authentication Proxy is a unique proprietary solution delivering directory services integration
across the cloud or across hardened internal networks. In this model, the VSDM server
communicates with a publicly facing web server or an Exchange ActiveSync Server that is able to
authenticate users against the domain controller. This method can only be used when
organisations have a public-facing web server with hooks into the corporate domain controller.
• Pros – Offers a secure method to integrate with AD/LDAP across the cloud. End-users can
authenticate with existing corporate credentials. Lightweight module that requires minimal
configuration.
• Cons – Requires a public facing web-server or an Exchange ActiveSync server with ties into
an AD/LDAP server. Only feasible for specific architecture layouts. Much less robust
solution than EIS.
Note: Authentication Proxy is available for on-premise customers only.
SAML 2.0 Authentication
SAML 2.0 Authentication is a new solution that offers single sign-on support and federated
authentication – Vodafone never receives any corporate credentials. If an organisation has a
SAML Identity Provider server, SAML 2.0 integration is recommended.
• Pros – Offers single sign-on capabilities, authentication with existing corporate credentials
and Vodafone never receives corporate credentials in plain-text.
• Cons – Requires corporate SAML Identity Provider infrastructure.
6.1.2 Creating (Single) End Users
Use the following steps to create single End Users:
1. Navigate to Users > Users Accounts.
2. Select the highest level Location Group under which the user needs to enrol from the
dropdown menu in the upper left-hand corner. The user is then able to enrol in all location
groups listed below this group, provided the user enters the appropriate Group ID (see Location
Groups) during the enrolment process.
3. Click Configuration > Add User.
4. Use the dropdown at the top of the form to select the Security Type. This determines the
type of authentication to be used for this particular user.
o Basic - The default authentication option that uses a basic username and password
combination as determined by this form.
o Directory - Authenticate with corporate LDAP or AD credential by validating against a
corporate domain controller.
o Authentication Proxy - Authenticate with directory based credentials by validating
against a proxy server instead of a corporate domain controller. This is the
recommended solution for directory based authentication across the cloud for SaaS
customers.
o SAML - Authenticate using corporate Security Assertion Markup Language (SAML)
credentials.
5. Refer to the appropriate sub-section below to complete the remaining fields for the
security type selected.
Basic
Once Basic has been selected as the Security Type, continue to define the following criteria:
1. Enter the User Name & Password - The username and password credentials that the user
enters during the enrolment process to enrol their corporate devices. The administrator
must provide the end-users with this information.
2. Select whether or not to Enable Device Staging - A user with device staging enabled is
able to stage enrolment for other users such that John Doe could enrol himself and then
personally enrol Jane Doe and John Smith’s devices for them (See "Device Staging").
3. Select whether to enable Enrolment Restrictions for users. Once enabled, enter the
authorised Location Group. This restricts the user from enrolling to locations not specified
in the authorised Location Group.
4. Select a Message Type for the user to receive notifying them that they can now enrol their
devices under the VSDM. Typically, this is where administrators provide end-users with the
necessary enrolment credentials (Enrolment URL, Group ID, username and password).
5. Click Save to complete the user account, or Save and Add Device to complete the user
account and enter in basic details for the user’s device.
LDAP/Active Directory
Before end-users can be created using LDAP / Active Directory, the VSDM server must be
configured and integrated with the LDAP/AD server. To do this, please see User Account & Device
Authentication. Once Directory authentication has been configured, administrators can create
Directory-Based User Accounts by following the steps above and then:
1. Enter the user's username as it displays in Active Directory, and then click Check User. If
the user exists in Active Directory, the remainder of the fields appear with values prepopulated from Active Directory.
2. Complete any remaining information as needed.
Mandatory fields are designated with a red asterisk *.
Complete the Domain field if the user belongs to a domain other than the
default domain or if no default domain was specified.
Enter the User Principal Name if the User Search Setting described in the
Directory Authentication Configuration does not resolve this user account.
By default, these two fields do not need to be configured unless under special
circumstances.
3. Select whether or not to Enable Device Staging - A user with device staging enabled is
able to stage enrolment for other users such that John Doe could enrol himself and then
personally enrol Jane Doe and John Smith’s devices for them.
4. Select a Message Type for the user to receive notifying them that they can now enrol their
devices under the VSDM. Typically, this is where administrators provide the end-users with
the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
5. Click Save to complete the user account, or Save and Add Device to complete the user
account and enter in basic details for the user’s device.
Authentication Proxy
Before end-users can be created via Authentication Proxy, the VSDM server must be configured
and integrated with the public facing web server or EAS server. To do this, please see User
Account & Device Authentication. Once Authentication Proxy authentication has been
configured, administrators can create Authentication Proxy-Based User Accounts by following the
steps above and then:
1. Complete all the basic fields. Mandatory fields are designated with a red asterisk *.
2. Complete the Domain field if the user belongs to a domain other than the default domain,
or if no default domain was specified.
3. Select whether to Enable Device Staging - A user with device staging enabled is able to
stage enrolment for other users such that John Doe could enrol himself and then
personally enrol Jane Doe and John Smith’s devices for them.
4. Select whether to enable Enrolment Restrictions for users. Once enabled, enter the
authorised Location Group. This restricts the user from enrolling to locations not specified
in the authorised Location Group.
5. Select a Message Type for the user to receive notifying them that they can now enrol their
devices under the VSDM. Typically, this is where administrators provide the end-users with
the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
6. Click Save to complete the user account, or Save and Add Device to complete the user
account and enter in basic details for the user’s device.
SAML
Before end-users can be created using SAML 2.0, the VSDM server must be configured and
integrated with the SAML Identity Provider server. To do this, please see User Account & Device
Authentication. Once SAML authentication has been configured, administrators can create SAML
Secured User Accounts by following the steps above and then:
1. Complete all basic fields. Mandatory fields are designated with a red asterisk *.
Complete the Domain field if the user belongs to a domain other than the
default domain, or if no default domain was specified. By default, this field does not
need to be configured unless under special circumstances.
2. Select whether to Enable Device Staging - A user with device staging enabled is able to
stage enrolment for other users such that John Doe could enrol himself and then
personally enrol Jane Doe and John Smith’s devices for them.
3. Select a Message Type for the user to receive notifying them that they can now enrol their
devices under the VSDM. Typically, this is where administrators provide end-users with the
necessary enrolment credentials (Enrolment URL, Group ID, username and password).
4. Click Save to complete the user account, or Save and Add Device to complete the user
account and enter in basic details for the user’s device.
6.1.3 Create End Users in Bulk
To save time and effort when importing Mobile Device Management (MDM) end-users into the
VSDM, administrators can upload end-users in bulk through end-user batch import.
Use the following steps to create end-user accounts of any type (Basic, Directory based, or
Authentication Proxy) in bulk:
1. Navigate to Accounts > Users.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
o Batch Name – The name of the user/device batch for reference.
o Batch Description – A description of the particular user/device batch for reference.
4. Click
to open up the Bulk Import Help Topic Form.
5. Select the Download Template to download the Batch Import Template.
6. Enter all the relevant information for each user in the template. Three sample users have
been added to the top of the template as an example of the type of information to put into
each column.
All of the fields in the template are identical to the fields that are used during the User
Account Creation process and the individual device registration process.
Mandatory fields are designated with a red asterisk *.
o Column E, Security Type, is used to determine which type of security (Basic, Directory
based, or Authentication Proxy) should be used to create the user account.
o To register a device, make sure that Column T, User Only Registration, is set to No.
o To register an additional device to the same user account, make sure that all
information in Columns A–T is the same. The remaining columns are used to
register each additional device.
o To store advanced registration information, make sure that Column AA, Store
Advanced Device Info, is set to Yes.
8. Save the template as a CSV file.
9. Select Browse from the Batch Import Form and select the .csv file that was just created.
10. Click Save, to register all listed users and corresponding devices.
6.2 Device Registration
Device registration allows both administrators and end-users the ability to enter in information
about the specific devices that are enrolled under mobile device management. This feature also
provides an added level of secure authorisation so that only authorised devices can enrol. There
are several ways that registration can be accomplished to accommodate different needs and
requirements.
• Administrators can register individual devices to add important device and asset
information such as Friendly name (the device name created by the administrator for easy
recognition in the VSDM), model, OS, serial number, UDID and asset number. This process
can directly follow User Account creation by selecting Save and Add Device.
• Administrators can register a list of devices (for similar reasons as those listed above) in
bulk. This process takes place during Bulk User Account Creation.
• Administrators can invite end-users to register so that they can enter in details about
their devices themselves and initiate device registration from their end. This process takes
place on the end-user’s device, in the Self Service Portal.
6.2.1 Administrator Registers a Single Device
Use the following steps to register an individual device:
1. Open the Add Device form using one of the methods below:
o Navigate to Accounts > Users and select Add Device from the Actions next to the
existing user account that you want to associate with the device. The Add Device form
displays.
o Complete the New User Account Creation Process, and then click Save and Add
Device at the end. The Add Device form displays:
2. Complete the General information and Message information sections.
o Friendly Name - The name of the device to be displayed in the VSDM for easy
recognition.
o Location Group - Specifies the location that manages the device.
o Ownership Type - Specify a device ownership type (Corporate-Dedicated, Corporate-Shared
or Employee Owned) to distinguish between corporate and employee-owned
devices. This allows the administrator to customise MDM policies based on ownership
type to allow for maximum privacy and protection.
o Tick the Show Advanced Device Information Options box to manually enter
additional device information to be displayed in the VSDM.
▪ UDID - Universal Device Identifier
▪ Platform/Model/OS - Specific device information
▪ SN/IMEI/SIM/Asset Number - Specific device reference numbers to distinguish
this particular device
o Message Type - Specify whether the activation message is sent via SMS or Email.
o Address/Subject/Message Body - The message text that is sent out to the provided
address after the device is registered. This message usually contains the enrolment
link and Group ID.
3. Click Save to finish the form and send the specified message to end-users. The end user
receives the message and proceeds with enrolment.
6.2.2 Administrator Registers a List of Devices
Use the following steps to register a list of devices by batch import:
1. Click Batch Import to open the Batch Import Form.
2. Enter the basic information:
o Batch Name - The name of the user/device batch for reference in the VSDM.
o Batch Description - A description of the particular user/device batch for VSDM
reference.
3. Click
to open the Bulk Import Help Topic Form.
4. Select the Download Template to download the Batch Import Template.
5. Enter all relevant information for each device in the template. Three sample users have
been added to the top of the template as an example of the type of information to put into
each column. All of the fields in the template are identical to the fields that are used during
the User Account Creation process and the individual device registration process.
o To register a device, make sure that column T, User Only Registration, is set to No.
o To register an additional device to the same user account, make sure that all
information in columns A - T is the same. The remaining columns are used to register
each additional device.
o To store advanced registration information, make sure that column AA, Store
Advanced Device Info, is set to Yes.
6. Save the template as a CSV file.
7. Select Browse from the Batch Import Form and select the .CSV file that was just created.
8. Select Save to register all listed users and corresponding devices.
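The column rules given for the batch template in sections 6.1.3 and 6.2.2 (Column E Security Type, Column T User Only Registration, Column AA Store Advanced Device Info, identical Columns A–T for an additional device) can be checked before the file is uploaded. The Python script below is an added example, not part of the VSDM product or of this guide; the accepted cell spellings, the single header row and the use of column A as the user name are assumptions to adjust against the downloaded template.

```python
import csv
import io


def col_index(label):
    """Convert a spreadsheet column label ('A', 'T', 'AA') to a 0-based index."""
    n = 0
    for ch in label.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


COL_SECURITY_TYPE = col_index("E")   # Column E, Security Type
COL_USER_ONLY = col_index("T")       # Column T, User Only Registration
COL_ADVANCED = col_index("AA")       # Column AA, Store Advanced Device Info

# Assumption: cell spellings accepted by the template; adjust to match it.
SECURITY_TYPES = {"basic", "directory", "authentication proxy"}
YES_NO = {"yes", "no"}


def validate_batch(csv_text, user_col="A", header_rows=1):
    """Return (record_number, column_label, message) findings for a batch file.

    user_col is an assumption: the guide does not say which column holds the
    user name, so set it from the downloaded template.
    """
    findings = []
    first_seen = {}                  # user name -> (record number, columns A-T)
    key = col_index(user_col)
    for rec, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if rec <= header_rows or not any(cell.strip() for cell in row):
            continue
        row = [cell.strip() for cell in row]
        row += [""] * (COL_ADVANCED + 1 - len(row))    # pad short rows

        user_only = row[COL_USER_ONLY].lower()
        if row[COL_SECURITY_TYPE].lower() not in SECURITY_TYPES:
            findings.append((rec, "E", "unknown Security Type"))
        if user_only not in YES_NO:
            findings.append((rec, "T", "User Only Registration must be Yes or No"))
        if row[COL_ADVANCED] and row[COL_ADVANCED].lower() not in YES_NO:
            findings.append((rec, "AA", "Store Advanced Device Info must be Yes or No"))

        # The guide requires T = No to register a device, so device data on a
        # Yes row is suspect.
        device_cells = [c for i, c in enumerate(row)
                        if i > COL_USER_ONLY and i != COL_ADVANCED]
        if user_only == "yes" and any(device_cells):
            findings.append((rec, "T", "device columns filled but T is Yes"))

        # An additional device for the same user must repeat columns A-T exactly.
        account = row[:COL_USER_ONLY + 1]
        user = row[key].lower()
        if not user:
            continue
        if user not in first_seen:
            first_seen[user] = (rec, account)
            continue
        first_rec, first_account = first_seen[user]
        for i, (new, old) in enumerate(zip(account, first_account)):
            if new != old:
                findings.append((rec, chr(ord("A") + i),
                                 "differs from record %d for the same user" % first_rec))
    return findings


def sample_row(user, security_type, user_only, device="", advanced=""):
    """Constructed sample row; only columns A, E, T, U and AA are filled."""
    row = [""] * (COL_ADVANCED + 1)
    row[col_index("A")] = user               # assumed user-name column
    row[COL_SECURITY_TYPE] = security_type
    row[COL_USER_ONLY] = user_only
    row[col_index("U")] = device             # constructed device column
    row[COL_ADVANCED] = advanced
    return row


def sample_csv():
    """Constructed batch file: one header record, then five test records."""
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["header"] * (COL_ADVANCED + 1))
    out.writerow(sample_row("jdoe", "Basic", "No", "John Doe's iPad", "Yes"))
    out.writerow(sample_row("jdoe", "Directory", "No", "John Doe's phone"))
    out.writerow(sample_row("jsmith", "LDAP", "No", "tablet"))
    out.writerow(sample_row("asmith", "Basic", "Yes", "tablet"))
    out.writerow(sample_row("bjones", "Authentication Proxy", "maybe"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in validate_batch(sample_csv()):
        print("record %d, column %s: %s" % finding)
```

Record numbers count the header record as 1, so they match the row numbers shown when the CSV file is opened in a spreadsheet.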
6.2.3 Invites Users to Register
If an administrator wishes to have end-users register their own devices, the administrator must
notify end-users that they need to complete the registration process and provide them with the
appropriate registration URL and credentials (please refer to Creating Basic End Users).
Following are the two ways to notify end-users. In either case, the administrator must let the
end-user know two things:
• Where to register - End-users can register by navigating to the Self-Service Portal URL.
This URL takes the form of https://<VodafoneEnvironment>/MyDevice where
http://<VodafoneEnvironment> is the enrolment URL.
• How to authenticate into the Self Service Portal - This information includes a Location
Group (Group ID) and the Username and Password that users should use to register their
device.
To notify users:
1. Enable Enrolment authentication for either Active Directory or Authentication Proxy
(edit these settings in Configuration > System Settings > Device > General >
Enrolment> Authentication).
2. Restrict Enrolment To Known Users under Enrolment Restrictions (edit these settings
in Configuration > System Settings > Device > General > Enrolment> Restrictions).
3. Send an Email or intranet notification to the entire user group outside of the VSDM with the
registration instructions. This method is generally used if administrators do not have any
user accounts already created for end-users and they want end users to be able to enrol
and register their devices without administrative effort.
Alternatively, administrators can first create user accounts for all of the end-users to register their
devices and then send User account activation messages to each user containing the registration
instructions.
6.2.4 End User Registration
Once the administrator sends the registration notification to the user (if the administrator does
not choose to register the devices for the users), end-users need to register the device. Use the
following steps to help guide end-users through the registration process.
1. Navigate to the Self-Service Portal URL (either in the device browser or from any internet
browser).
2. Enter the provided Group ID, Username, and Password.
3. Click Register Device to open the Device Registration Form.
4. Complete the device information fields:
o Expected Friendly Name - The name of the device that is shown in the VSDM (the
expected friendly name is also used to track the device registration status). For
example, 'John Smith’s iPad'.
o Platform / Model / OS - The details of the specific device.
o Device Ownership - Select whether or not the device is personally owned.
o Message Type - Select the message format for the end-user registration confirmation.
o Email Address / Phone Number - The address or phone number of the recipient of
this message.
5. Click Save, to complete the End-User registration process.
6.3 Device Staging
Device staging allows one user (IT Admin User) within a company to enrol a device on behalf of
another user (End User). Companies may find this feature useful if they wish to provide
employees with pre-enrolled devices, thus saving the employee the trouble of enrolling the
device themselves.
Before a user can enrol a device on behalf of another user, device staging must first be enabled
on their account.
Use the following steps to enable Device Staging:
1. Navigate to the User Accounts page.
2. Find the User who needs to enrol the devices (IT Admin User), then click Edit User in the
Actions on the right.
3. Scroll down and tick Show advanced user details.
4. Tick the Enable Device Staging box.
5. Click Save.
Now that Device Staging has been enabled, the IT Admin User may proceed to enrol other
Users' devices.
Use the following steps to enrol user devices:
1. On the device that is going to the End User, open the browser (or open the VSDM agent)
and enter the enrolment URL.
2. Enter the appropriate Group ID for that device (See 'Device Registration' for more
information on device enrolment).
3. Enter user credentials (for IT Admin User).
4. Go to the Next page and enter the Username of the User that owns this device (End User).
5. Confirm/Update the user's information.
6. Accept the Customer EULA when prompted.
7. Tap Install Now to complete the enrolment process.
6.4 Language Management
The VSDM can use a variety of built-in display languages. It also has the option to incorporate
additional Language Packs and edit phrases that are used in a specific language. The Language
option can be changed for a specific individual while leaving the default language unchanged for
other users.
6.4.1 Activating Language Packs
Use the following steps to incorporate an additional language pack in the VSDM:
1. Navigate to Advanced > Language Management.
2. Select Language Activation.
3. Choose the language pack you would like to add and click the arrow to add it to the Active
Locales list.
4. Click Save to finish and add the language pack to the VSDM language options.
Note: This feature is for on-premise customers only.
6.4.2 Selecting and Changing Language
The VSDM allows the language to be set both for a specific user and/or a specific location.
Use the following steps to change the language for the user:
1. Navigate to Menu > Administrators > Admin Accounts. The Add/Edit user page displays.
2. Change the Locale to the desired language.
3. Save the changes.
4. Log off and log back in to display the new language.
6.4.3 Localisation Editor
The Localisation Editor is used to edit specific words or phrases that do not translate properly to
the desired language.
Use the following steps to customise words or phrases:
1. Navigate to Menu > Language Management. The Localisation Editor is displayed by
default.
2. Choose the Locale you wish to edit, and click Search.
3. Find the word or phrase that is incorrect and click the Actions menu.
4. Select Create Override. The Custom Text screen displays.
5. Make the desired changes and click Save to apply the language override.
Note: This feature is for on-premise customers only.
6.5 Important VSDM Setup considerations
• Pay close attention to Location Group hierarchy when creating and editing administrator
accounts. It is important to enable permissions at the highest Location Group needed in
order to ensure the administrator has the proper editing capabilities.
o The selected Location Group is always displayed in the upper left-hand corner of the
VSDM.
• There are three pieces of information the administrator needs to communicate to end-users:
o The VSDM Enrolment URL which is the same URL that you use to access the VSDM.
o Group ID to identify the home Location Group (the Group ID is determined in
Configuration > Locations & Groups > Location Group Details).
o Username and password unique to the end-user (Username and password are
defined in Users > User Accounts > Add User or Edit User).
▪ Depending on the selected Security Type, the username and password may be
created by the administrator (Basic) or integrated with the Directory,
Authentication Proxy, or SAML.
• If your organisation is using device registration and is in need of assistance, contact
Vodafone Support.
7 Device Management
7.1 Overview
Smart device management is centralised in the VSDM. From the VSDM, the administrator is able
to leverage the following VSDM features:
• Customise comprehensive asset tracking in the form of real-time device data across the
mobile fleet, regardless of device type, carrier or location.
• Navigate an interactive dashboard of mobile and telecom data to help the organisation
make more informed decisions based on actual mobile telecom usage.
• Perform remote actions on devices.
• Generate a custom library of reports.
• Enable proactive alerts for both users and administrators when predetermined
thresholds are reached.
The following sections describe how administrators can utilize the specific pages within the VSDM
to effectively and efficiently manage smart devices.
7.2 Dashboard Navigation
The Dashboard page centralises smart device monitoring by giving administrators high-level
views of their entire fleet of mobile devices with the ability to drill down to the individual device
level. To access the Dashboard page, navigate to: Dashboards > Dashboard.
From the Dashboard, administrators can see an overview of graphics and statistics for a particular
location group or for an entire device fleet, or they can quickly locate information on a specific
device by clicking the Friendly Name highlighted in red.
7.2.1 Location Group Sidebar
The Location Group Sidebar on the left of the screen allows administrators to view devices
belonging to specific location groups, as well as all of its Children Groups. Administrators can also
use the Search field to find specific Location Groups:
• Expandable Tree Structure - Find location groups and show lineage from parent to
children groups.
• Search Box - Search for specific location groups by name, partial name, or keyword.
• Expand/Collapse Feature - Fully expand or collapse the Location Group hierarchy.
• Pin Feature - Pin the location group sidebar back onto the Dashboard sidebar.
7.2.2 Dashboard Views
There are also several views available on the Dashboard page that give administrators the ability
to view entire listings of devices based on each of the metrics listed below:
• Asset Tracking - View devices based on ownership type, platform, and last seen metrics.
• Device Compliance - View devices based on their device rules compliance status,
passcode policy compliance, and data encryption status.
• Enrolment Status - View devices and track the complete enrolment lifecycle from
registration to end-of-life, as well as identify devices that are pending device wipe.
• Email Management - View devices that attempt to gain corporate email access through
the Secure Email Gateway (SEG) and their status.
• Telecom - Roaming - View devices that have indicated a roaming telecom status.
7.2.3 Advanced Views
There are also several Advanced views available that give administrators the ability to view entire
listings of devices based on each of the metrics listed below:
• Device Groups - View all devices, statistics (i.e. total number of devices per group and
percent of devices in that group).
• Location Groups - View the number of inactive and active devices within each Location
Group.
7.2.4 Graphical Portlets
The Graphical Portlets on the Dashboard page display relevant statistics, as well as providing
an easy way to select a group of devices according to a number of categories. The example below
is from the Asset Tracking view.
The Asset Tracking default screen graphically represents Device Ownership, Platforms, and
Last Seen data above the grid. The two icons in the right hand corner of the graphical
representation box, when clicked, display the data graphically or in a textual table.
Toggle between graphical and textual representation of data as follows:
1. Click
to view the data graphically (pie or bar chart).
2. Click Data Group
to view data in a textual table.
3. While in textual mode, click any Data Group and the grid below begins to reload and
display the information based on that specific data group. This feature is only available in
this mode.
7.2.5 Dynamic Device List
The Dynamic Device List on the Dashboard page contains a flexible list of devices and
associated metrics that pertain to each view:
There are several ways for an administrator to select, order, identify, find, filter, etc. specific
devices from the Dynamic Device List page:
• Select any of the Device Details. For example, graphical or textual tables shown above the
grid.
• Click any of the Data Groups from the Graphical Portlets. For example, when in textual
table format, click any line item to display data.
• Click any of the Column Categories to re-sort the list. For example, clicking Last Seen
re-sorts the grid to either the oldest or latest seen devices.
• On the top, right side of the grid, there are four more icons that provide additional sort,
search, export, and display tools that perform in the following ways:
o Change any one of the three graphical (e.g. pie chart) representations of data (portlets)
above the grid from graphical to textual table and the Filter dropdown changes to
represent your selection, as shown in the example below:
o Enter in the Filter Grid field any keyword(s) and then press Enter. The grid re-sorts and
only displays those devices that contain the keyword(s) you entered, as shown in the
example below:
o Click Refresh, the grid refreshes to display the default Available Columns layout, and
all device data based on any search criteria in the Filter dropdown and Filter Grid field, as
shown in the example below:
o Click Export All, the data in the grid exports into an Excel spreadsheet, as shown in the
example below:
o Click Hide Chart, to hide all graphical and textual table portlet data so that only the grid
displays.
o Click Tools (Hammer and Wrench) to display Available Columns which you can use to
customise device data that displays in the grid. The example below displays when in the
Asset Tracking view. The Available Columns change depending on the Dashboard view
selected.
7.3 Device Control Panel
Use the Device Control Panel from the Dashboard page, to view detailed information or
perform remote actions on individual devices. To open the Device Control Panel, locate an
individual device on the Dashboard page by using any of the available search tools, and select it.
The overlaid Device Control Panel window displays:
The Device Control Panel contains two primary menus:
• A Device Information Menu to view detailed information and statistics.
• A Remote Actions Menu to perform administrative actions over the air.
Note: Information and actions in the Device Control Panel are subject to
availability according to privacy settings and mobile OS platform compatibility.
7.3.1 Device Information Menu
The Device Information Menu shows detailed information related to each of the listed
categories. More information about each device information category is shown below.
Summary
The Summary section shows hardware, MDM, encryption, and passcode compliance, in addition
to other general information:
• Hardware - Displays device hardware information.
• Security - Shows device compromised and encryption level data.
• Passcode - Shows if a passcode is present and whether or not it meets the passcode
requirements.
• Network - Shows network information such as SIM Card and roaming status.
• Profiles - Shows all profiles and profile installation status.
• Certificates - Shows installed certificates and expiration or near expiration status.
• Applications - Shows the number of apps currently installed on the device.
• Content - Shows a configurable view of repositories and content.
Compliance
The Compliance view shows the compliance status of the device, including the name and level
of all the compliance policies in effect. Additionally, the administrator can see the current level of
compliance actions and the next level of action that is performed if the device continues to be
non-compliant.
Profiles
The Profiles section shows all of the VSDM profiles that have been sent to the device and the
status of each profile.
• Status - Shows the profile installation status:
o Installed.
o Pending install.
o Not installed.
o Pending removal.
o Removed.
o Blocked (due to Compliance Settings).
o Failed for latest version.
Note: Profile installation is blocked due to Compliance Settings. A failed status is
reported when the installed profile is out-of-date.
• Type - Shows the profile type: automatic, optional or interactive.
• Location Group - Shows the Location Group to which the profile is assigned.
• Actions - Provides the ability to remotely install or remove the profile.
Apps
The Apps section displays all applications that have been installed on the device.
Following are the field descriptions for apps:
• Status - Shows the application installation status:
o Installed.
o Pending install.
o Not installed.
o Pending removal.
o Removed.
o Blocked.
• Type - Shows whether it is an internal or public application.
• Actions - Provides the ability to install or remove the application.
Note: Application installation is blocked due to Compliance Settings.
Content
The Content section is only applicable to devices equipped with the Secure Content Locker.
The Content section displays information about the content available in the Secure Content
Locker.
• All Content - Displays information about all available content.
o Active - Tap the grey circles to make the document available (left/green) or not
available (right/red).
o Type - Displays the document format; hover over the icon to display the format type.
o Name - Shows the document name as it displays both in the VSDM and in the Secure
Content Locker.
o Priority - Displays the level of priority of the document.
o Deploy - Displays the deployment method.
o Actions - Provides the ability to install or delete content.
Settings
The Settings section displays information on device settings.
• Categories - Shows the file system for the content.
• Content Repository - Links to repositories and displays document ownership.
• User Storage - Shows the amount of storage available to and used by each device.
Certificates
The Certificates section shows all of the certificates currently stored on the device and provides
basic supporting information.
Note: iOS devices should always show at least one current certificate for the MDM to identify the
certificate issued during enrolment.
User
The User section shows user-specific information including Name, Status, Username, Email,
Group, Email Username, Security Type, and Contact Number. It also displays a list of all devices
that the user has enrolled.
GPS
The GPS section shows the GPS co-ordinates of the device. The default display is 'Last Known',
which is the most recently received co-ordinates.
Use the following steps to view GPS co-ordinates over a specific period of time:
1. Select the time span to view GPS co-ordinates from the Period dropdown menu.
2. Click Search. The search results return the entire available GPS co-ordinate trail
(breadcrumbs) over the requested period.
3. Click the Play Sound icon to play a sound on a lost device to facilitate location.
Note: Information availability is subject to privacy settings as specified in Configuration >
System Settings > Device > General > Privacy.
Event Log
The Event Log contains a comprehensive log of all interactions between the VSDM and the
device. The administrator can further track device events through the following actions available
from this view:
1. Click Refresh Data to instantly update the Event Log.
2. Type an event keyword into the Search Filter to filter the event log according to a type of
event (for example, security events).
3. Click Export All to export all events as a CSV file. Additionally, the administrator can view
all VSDM and device events in the Administration Event Log, or integrate with Syslog on the
Syslog settings page (located in Configuration > System Settings > Admin > Event Log).
Note the following important Event Log fields:
• Severity - Ranks the event severity level based on the event definition.
• Source - Shows the source of the event (for example, 'Server').
• Event - Provides a brief categorisation/summary of the event. Examples of events include:
o Enrolment Complete.
o Install Profile Requested.
o Security Information Refused.
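An added example (not part of the VSDM or of the original guide) of triaging an Export All CSV offline: it flags devices that logged several 'Security Information Refused' events inside a 24-hour window. The column names, the timestamp format and the sample rows are assumptions constructed for illustration; adjust them to the header of the real export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of the exported CSV: the guide names the Severity, Source and
# Event fields but does not show the export header or the timestamp format.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"
REFUSAL_EVENT = "Security Information Refused"

# Constructed sample export (not real VSDM output).
SAMPLE_EXPORT = """\
Date,Severity,Source,Device Friendly Name,Event
2013-03-04 08:01:10,Information,Server,alice-iphone,Enrolment Complete
2013-03-04 08:02:45,Information,Server,alice-iphone,Install Profile Requested
2013-03-04 09:00:00,Warning,Device,bob-android,Security Information Refused
2013-03-04 15:30:00,Warning,Device,bob-android,Security Information Refused
2013-03-05 08:45:00,Warning,Device,bob-android,Security Information Refused
2013-03-01 10:00:00,Warning,Device,carol-ipad,Security Information Refused
2013-03-03 10:00:00,Warning,Device,carol-ipad,Security Information Refused
2013-03-05 10:00:00,Warning,Device,carol-ipad,Security Information Refused
not-a-date,Warning,Device,dave-phone,Security Information Refused
"""


def load_events(text):
    """Parse the export; return (events sorted by time, number of rows skipped)."""
    events, skipped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            # DictReader marks short rows with None values and long rows
            # with a None key; treat both as malformed.
            if None in row or None in row.values():
                raise ValueError("wrong number of fields")
            event = {key: value.strip() for key, value in row.items()}
            event["when"] = datetime.strptime(event["Date"], TIMESTAMP_FORMAT)
        except (KeyError, ValueError):
            skipped += 1
            continue
        events.append(event)
    events.sort(key=lambda e: e["when"])
    return events, skipped


def refusal_bursts(events, threshold=3, window=timedelta(hours=24)):
    """Return {device: (count, first, last)} for devices whose densest run of
    refusal events inside one sliding window reaches the threshold."""
    stamps_by_device = defaultdict(list)
    for event in events:
        if event["Event"].casefold() == REFUSAL_EVENT.casefold():
            stamps_by_device[event["Device Friendly Name"]].append(event["when"])

    findings = {}
    for device, stamps in stamps_by_device.items():
        start, best = 0, (0, None, None)
        for end, stamp in enumerate(stamps):
            # Shrink the window from the left until it spans at most `window`.
            while stamp - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, stamps[start], stamp)
        if best[0] >= threshold:
            findings[device] = best
    return findings


if __name__ == "__main__":
    parsed, bad_rows = load_events(SAMPLE_EXPORT)
    print(f"{len(parsed)} events parsed, {bad_rows} malformed row(s) skipped")
    for name, (count, first, last) in sorted(refusal_bursts(parsed).items()):
        print(f"{name}: {count} refusals between {first} and {last}")
```
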
7.3.2
Remote Actions Menu
With the Remote Actions Menu, administrators can perform any of the listed actions on the
selected device over-the-air.
Device Query
Manually requests that a remote device sends a comprehensive set of MDM information to the
VSDM. This immediate request overrides the timed device check-ins.
Clear Passcode
Clears the passcode on remote devices. This is useful when end-users forget passcodes or
become locked out of devices.
Send Message
Send different types of messages to devices over-the-air:
• Email - Send remote emails to any address on properly configured SMTP settings.
• SMS - Send remote SMS text messages to any phone number with an SMS service account
with CellTrust and properly configured credentials.
• Push Notifications - Push notifications are available for Apple iOS, Android and Windows
Phone 8 devices to provide faster command response time from the VSDM, and migration
from cloud to deprecated device management:
o Send Apple Push Notification messages to iOS device end users that have the VSDM
Agent installed, displaying the message body in the notification.
o Implement Google Cloud To Device Messaging for Android devices enrolled in the
VSDM.
o Send Microsoft Push Notification messages to Windows Phone 8 device end-users
enrolled in the VSDM that have the Company Hub App installed.*
Lock Device
Lock the device, requiring the device user to unlock the device with the appropriate passcode for
continued use.
Enterprise Wipe
Wipes all corporate data from the selected device and removes the device from the VSDM. All of
the enterprise data contained on the device is removed, including VSDM profiles, policies, and
internal applications. The device returns to the state it was in prior to the installation of the VSDM.
Device Wipe
Performs a full wipe of the device. Wiping the device removes all data, email, profiles and VSDM
capabilities and the device returns to factory default settings. Prior to the wipe, a device
ownership confirmation message serves as a security precaution, and a key code is a requirement
for performing the device wipe.
Note: Device Wipe is subject to privacy settings as specified in Configuration > System Settings
> Device > General > Privacy.
Find Device
Makes a set of audible notification tones in iOS and Android devices to facilitate device location
by end-users.
Enable/Disable SD Card
Enables or disables the SD card on the device remotely.
Remote View
This provides a remote view of select devices and applications (Windows Mobile with the aid of
the VSDM agent). The capture button takes a screen capture to preserve any error screens or
other issues.
Enforce Device Encryption
Encrypts internal storage in devices without encrypting the removable storage card.*
*New Feature in VSDM Release 3
7.4
Device Search
The latest release of the VSDM Dashboard added many new features as well as upgrades to
existing features to make them more versatile and flexible for administrators.
The Device Screen has been divided into three sections. To find out more about each section of
the screen, click any of the links to access the topics described in the following sections.
7.4.1
Device Search - Left Panel
Location Group - Click the dropdown arrow to view
the devices belonging to that location group and all
child location groups.
Saved Criteria - Click the dropdown arrow to select
the last saved search criteria. This can save you time
when you need to perform the same search on a
frequent basis.
Platform - Tick one or more of the checkboxes to
select the type of device you want to search for in
the grid.
Model - Click the dropdown arrow to select the
Model of the device based on the Platform you
selected. If you choose more than one Platform,
this feature is grayed out and no longer available.
Ownership - Tick any one of the four checkboxes to
define who owns the device. It is best not to leave
Undefined unchecked, so that other VSDM features
are available to you when managing that device.
Advanced Search - Click Advanced Search and the following window displays:
o Tick one or more of the 13 available checkboxes to custom define an advanced VSDM
search.
o For every checkbox you select, a respective field displays in which you enter search
information, keywords, etc.
o Click Search to find devices that match the advanced search criteria.
The advanced search displays all the devices that match the search criteria entered.
7.4.2
Device Search - Top Panel
The top panel of the screen displays a bar with the features described below:
Management
Hover over the text to display the management dropdown window. Select a line item from the
grid by ticking the checkbox, and then do the following:
• Select Lock Device to completely disable that device.
• Select Enterprise Wipe to remove all corporate data from that device.
Support
Hover over the text to display a Send Message and GPS dropdown window. Select a line item
from the grid by ticking the checkbox, and then do the following:
• Select Send Message to email Technical Support regarding that device.
• Select GPS to find where that device is located. For more information, see Device Details.
Admin
Hover over the text to display a Change Location Group and Delete Device dropdown window.
Select a line item from the grid by ticking the checkbox, and then do the following:
• Select Change Location Group to move that device to a different location group.
• Select Delete Device to remove that device from the VSDM.
Advanced
Hover over the text to display a Warm Boot and Provision Now dropdown window. Select a line
item from the grid by ticking the checkbox, and then do the following:
• Select Warm Boot to remotely reboot that device.
• Select Provision Now to perform a number of configurations for that device.
7.4.3
Device Search - Main Panel
Across the top of the grid, there are 9 column headings that can be used to sort device
information:
• Last Seen.
• Friendly Name.
• User.
• Email.
• Platform.
• OS.
• Model.
• Phone.
• Location Group.
Sort Options - Click any of these headings, as shown in the figure above, and the grid quickly
reorganises device information based on your selection.
Grid Search - Click Grid Search and enter any search words, such as device Friendly Name,
Display Model, etc., as shown below, then press the enter key to filter the device information
that displays in the grid. You can use keywords (e.g., Group) and find all occurrences of line items
in the grid that contain that keyword (e.g., Atlanta Group, or Radiology Group).
7.5
Device Details
View device details to track detailed device information and quickly access user and device
management actions. Use one of the following two ways to view the Device Details:
1. Click the Friendly Name of the device in the device dashboard. When the Device Control
Panel displays, click the name again.
o Use any of the available search tools to search for an individual device:
2. From the search results, click the Friendly Name of the individual device to open up the
Device Details page. Many of the Device Details are identical to the information in the
Device Control Panel. For information on the Security, Profiles, Apps, Certificates or Event
Log views, please reference the section on the Device Control Panel.
3. View details of the specific device by selecting one of the categories listed in the navigation
bar on the left side of the Device Details page. Further information on each of the
categories is provided in the following sections.
7.5.1
Device Information
The Device Information View is shown by default when the Device Details page is first opened.
It can be shown again by selecting the Information tab under Device Details.
Use the left hand navigation bar to access additional device information. iOS and Android devices
offer different tabs in this bar.
General
From this view, administrators can see a number of general statistics about the current device,
including:
• Device Status and Last Seen.
• Phone number (when available and subject to privacy settings as specified in:
Configuration > System Settings > Device > General > Privacy).
• Platform/Model/OS.
• Device Ownership/Device Category/Device Group.
• Location Group/Location.
• Serial Number/UDID/Asset Number.
• Power Status/Storage Capacity/Physical Memory/Virtual Memory.
Apps
The Apps tab shows applications that are currently installed on the device.
Certificates
Identifies device certificates by name and issuer. Additionally this tab provides information about
certificate expiration.
Compliance
Displays the status, policy name, date of the previous and forthcoming compliance check, and
the actions already taken on the device.
Content (iOS)
Provides a configurable view of content, and allows administrators to view content on individual
devices. This tab displays the status, type, name, priority, deployment, last update, and date and
time of views. It also provides a toolbar for administrative actions (install or delete content).
Location
Select the Location tab under Device Details to view current location or location history of a
device.
This shows the GPS co-ordinates of the device (subject to privacy settings as specified in System
Settings > Device > General > Privacy). The default display of Last Known shows the most
recently received co-ordinates.
Use the following steps to view GPS co-ordinates over a select period of time:
1. Select the time period for which you would like to view GPS coordinates from the Period
dropdown menu.
2. Click Search. The search results return the entire available trail (breadcrumbs) of GPS
coordinates over the requested period.
Network
To view the current network status of a device, select the Network tab under Device Details.
Profiles
Displays the profiles on a device.
Device Restrictions (iOS)
To show the Device Restrictions View, select Restrictions under Device Details.
Administrators can see all of the security restrictions that have been placed on the device
through the use of restrictions profiles. This information is organised into four separate views:
Device, Apps, Ratings and Passcode.
Device
The Device tab shows all restrictions in effect for the device from a generic system-wide level.
They are not limited in scope to individual applications or profiles like the other restrictions tabs.
Apps
The Apps tab shows the deployed application restrictions for the device.
• Allow use of YouTube removes the YouTube application from the device so that end
users cannot use it.
• Allow use of iTunes Music Store and Allow explicit music and podcasts limit these
specific features from within the iTunes applications.
• Allow use of Safari, Enable Autofill, Force Fraud Warning, Enable JavaScript, Enable
Plugins, Block pop-ups and Accept Cookies all apply to the Safari Web Browser
Application.
Ratings
The Ratings tab shows all the restrictions that determine content control of Movies, TV Shows
and Apps from iTunes and the App Store. If content filtering is applied, only specific media that
has a lesser age rating is permitted for download.
Passcode
The Passcode tab shows all the current settings of the passcode policy that has been provisioned
to the device.
Security
Shows the security status of the device.
Telecom
The Telecom section provides details about:
• Calls – Total number of minutes used and detailed call logs. Call logs include call time,
duration, direction (incoming or outgoing), phone number, carrier information and roaming
status.
Note: Phone numbers and carrier details are only available in Android devices.
• Data – Total cellular data usage on the mobile device, including daily logs for data
sent/received.
• Messages – Total SMS/MMS messages that are sent and received (Android only) and
detailed message logs.
Note: Information provided is subject to privacy settings as specified in
Configuration > System Settings > Device > General > Privacy.
User
Click this tab to access details about the user of a device as well as the status of the other devices
enrolled to this user.
7.5.2
Device Activity
Alerts
To view all of the alerts that have been triggered by the current device, select Alerts under
Device Activity. From here, administrators can see specific alerting details for Severity, Priority,
Attributes, Values, Duration, Alert Date, and Creation Policy.
7.5.3
Configuration
Attachments
To attach images, documents or links that are relevant to the device, select Attachments under
Configuration.
There are three views in the attachments tab: Images, Documents and Links. These categories
are only used within the Group ID to help administrators organise attachments. Examples of
relevant device information administrators may want to include in this area include:
• Copies of support tickets regarding the device.
• Screen shots from the device.
• Device support documentation.
7.6
Device Details Management
The Device Details Management menu is located underneath the 'Device Friendly' name on the
Device Details page. It provides shortcuts to quickly manage both the device and the user
account associated with the device.
Move your mouse over Query, Management, Support or Admin to see the dropdown menu
management options.
7.6.1
Query
The Query menu allows the administrator to request information from the device. Click the
category to send a query to the device. Select Query All to request all of the categories.
Alternatively, you can send individual queries for the following device information:
• Device information.
• Security.
• Profiles.
• Apps.
• Certificates.
7.6.2
Management
The Management menu allows the administrator to instantly perform the following remote
device actions (please refer to the section on Remote Actions for further explanation of the first
four options):
• Clear Passcode - Clears the passcode on the remote device.
• Lock Device - Locks the device, requiring the end-user to unlock it with a passcode to
resume device use.
• Enterprise Wipe - Removes the device from the VSDM by un-enrolling and selectively
wiping all enterprise data.
• Device Wipe - Performs a full wipe of the device.
• Set Roaming - Enables or disables the voice and data roaming options.
Note: Refer to the section on Remote Actions for further explanation of the first four options.
7.6.3
Support
The Support menu provides options to instantly perform the following remote device actions on
supported devices (please refer to the section on Remote Actions for further explanation of the
first three options):
• Send Message - Allows administrators to send Email, SMS or Push Notifications to devices
over-the-air.
• Find Device - Forces iOS devices to make a set of audible notification tones to help end-users locate their devices.
• Remote View - Provides a remote view of select BlackBerry and Windows Mobile devices
and applications. The capture button takes screenshots to record any issues and errors.
• Request Device Check In - Sends a message to the device requesting a check in with the
VSDM agent.
• File Manager - Browses the Android device file tree, creates folders and uploads or
downloads files remotely.
• Remote Control - Controls Windows Mobile and BlackBerry devices remotely.
Note: Refer to the section on Remote Actions for further explanation of the first three options.
7.6.4
Admin
The Admin menu allows administrators to instantly edit the following device and user settings:
• Change Location Group - Edit the device user’s Location Group.
• Edit Device - Edit the following device settings:
o Friendly Name.
o Device Ownership type.
o Device Group.
o Device Category.
• Delete Device - Deletes a device, as well as any information created for that device, from
the VSDM.
• Enrol - Enrols the device in the VSDM.
7.7
Administration Event Log
The VSDM records all administrative actions taken within it and any device events sent to or
received from devices and stores them in the Event Log. Administrators can view these events by
using the Event Log dashboard, which can be accessed by navigating to: Administration > Event
Log. All events that occur in the VSDM and on managed devices are tracked in the VSDM. Data is
presented on both this primary event log and on the device-specific event log found in the Device
Control Panel.
Administrators can select from the views on the left in order to view Device Events or Console
Events.
From the dashboard, administrators can filter and/or sort events in a number of ways, including:
• Severity.
• Date Range.
• Device Friendly Name.
• Source of event.
• Category.
• Event.
The administrator can further track device events through the following actions available from
this view:
1. Click Refresh Data to instantly update the Event Log.
o With certain event types, administrators can also view more detailed event data by
clicking the Event Data link in the right-hand column.
2. Type an event keyword into the Search Filter to filter the event log according to a type of
event (for example, security events).
o Additionally, the administrator can configure Syslog integration on the Syslog
Settings page (located in Configuration > System Settings > Admin > Event Log).
7.8
End User Self-Service
The Self-Service Portal (SSP) allows end-users to remotely monitor and manage their smart
devices. The SSP provides administrators with the ability to view relevant device information for
any of their enrolled devices and to perform remote actions such as clear passcode, lock device,
or device wipe.
7.8.1
Enabling the SSP
End-users of iOS and Android devices can access the SSP directly from their device.
• Allowing managed devices to access the SSP simplifies the administrative experience by
allowing end-users to:
o View important compliance information.
o Download optional profiles.
o Manage multiple devices on one device from the SSP.
In order for end-users to access the SSP from their device, the administrator must first deploy a
Web-Clip (iOS) or bookmark (Android) profile containing the SSP web-based application URL.
For Android devices:
1. Navigate to Profiles & Policies > Profiles.
2. Select Add.
3. Enter Basic Profile Information in the General Settings.
o Select the device platform.
o Name the profile, for example: Self-Service Portal Web-Clip for iOS Devices.
o Specify root Location Groups to manage the profile and assign the profile to.
o Optionally specify User Groups to deploy the profile to.
4. Select the Web-Clip (iOS) or Bookmark (Android) on the left sidebar.
5. Enter in the Profile Information.
For iOS devices:
1. Navigate to System Settings > Device > Agent Settings.
2. Tick the Self-Service Enabled box.
3. Complete the following information:
o Label - The text displayed beneath the Web-Clip icon on an end-user’s device.
• For example, 'Self-Service Portal'.
o URL - The URL that the Web-Clip displays.
• For the SSP, use the following URL: http://<VodafoneEnvironment>/mydevice/.
• This field supports lookup values so that the administrator can more easily
configure the custom SSP URL.
o Removable - Tick the box to allow the end-user to remove the SSP-Web-Clip.
o Icon − To add a custom icon, select a graphic file in .gif, .jpg, or .png format.
• For best results provide a square image no larger than 400 pixels on each side and
less than 1 MB in size when uncompressed. The graphic is automatically scaled and
cropped to fit, if necessary and converted to png format. Web-Clip icons are 104 x
104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
4. Click Save and Publish to immediately send the profile to all appropriate devices.
Note: Access to information and Remote Actions in the SSP is determined by both Privacy
settings (Configuration > System Settings > Device > General > Privacy) and Role settings
(Users > Admin Accounts). If multiple settings are in place, the strictest policy is enforced.
7.9
Retiring a Device
In the event that a device must be removed from mobile device management, there are several
possible methods to un-enrol the device from different sources.
• Automatic Un-enrolment - The VSDM Compliance Engine can be configured so that
devices with Application or Device compliance policies that are non-compliant are
automatically un-enrolled from mobile device management.
• Administrative Un-enrolment - Administrators can also un-enrol devices over the air in
one of two ways:
o The administrator may manually perform an Enterprise Wipe from the Device
Dashboard page or the Device Details page.
o Alternatively, an administrator may set up the VSDM to automatically perform an
Enterprise Wipe on the devices of deactivated users. The administrator must first
make sure the Default Action For Inactive Users is set to 'Enterprise Wipe Currently
Enrolled Devices'. This can be done from the Enrolment page (Configuration >
System Settings > Device > General > Enrolment). Once this has been configured:
• The administrator can manually deactivate users by navigating to Administration >
User Accounts, checking the user accounts, and then clicking the Deactivate link at
the top. This un-enrols all devices under that user.
• If AD/LDAP has been integrated with the VSDM, any users that are
deactivated/removed from AD/LDAP are automatically deactivated from the VSDM,
thus causing their device(s) to be automatically un-enrolled.
• End-User Un-enrolment - If an end-user decides to opt out of corporate mobile device
management, then they can initiate the Un-enrolment process from their own device(s).
Although the process is different for each manageable platform, the general steps involve
removing the administrative privileges of the VSDM and removing any VSDM agents from
the device.
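An added offboarding check for the administrative un-enrolment path above (example code, not part of the VSDM or of the original guide): it lists devices that still appear in the device inventory although their user has been deactivated in the directory, and marks those seen after the deactivation date. The CSV input, its timestamp format, the deactivation dates and all sample rows are assumptions constructed for illustration; the column names follow the device grid headings.

```python
import csv
import io
from datetime import datetime

# Assumed timestamp format of the "Last Seen" column.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"

# Constructed device inventory using the device grid's column headings.
SAMPLE_INVENTORY = """\
Last Seen,Friendly Name,User,Platform,Location Group
2013-03-10 09:15,alice-iphone,alice,Apple,London
2013-03-12 17:40,bob-android,CORP\\bob,Android,London
2013-02-20 11:05,bob-ipad,bob@corp.example,Apple,London
2013-03-11 08:00,carol-wp8,Carol,Windows Phone 8,Leeds
"""

# Constructed directory data: account name -> time the account was deactivated.
SAMPLE_DEACTIVATED = {
    "Bob": datetime(2013, 3, 1, 0, 0),
    "dave": datetime(2013, 2, 1, 0, 0),
}


def normalise_user(name):
    """Reduce DOMAIN\\user, user@domain and mixed-case names to one key."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.casefold()


def devices_of_deactivated_users(inventory_csv, deactivated):
    """Return inventory entries whose user is deactivated, most urgent first."""
    cutoff = {normalise_user(user): when for user, when in deactivated.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = normalise_user(row.get("User") or "")
        if user not in cutoff:
            continue
        try:
            last_seen = datetime.strptime(
                (row.get("Last Seen") or "").strip(), TIMESTAMP_FORMAT)
        except ValueError:
            last_seen = None  # unparseable timestamp: keep the finding anyway
        findings.append({
            "device": (row.get("Friendly Name") or "").strip(),
            "user": user,
            "last_seen": last_seen,
            # True means the device checked in after the account was disabled,
            # so the expected Enterprise Wipe has not taken effect.
            "seen_after_deactivation":
                last_seen is not None and last_seen > cutoff[user],
        })
    findings.sort(key=lambda f: (not f["seen_after_deactivation"], f["device"]))
    return findings


if __name__ == "__main__":
    for item in devices_of_deactivated_users(SAMPLE_INVENTORY, SAMPLE_DEACTIVATED):
        state = "ACTIVE AFTER DEACTIVATION" if item["seen_after_deactivation"] else "still listed"
        print(f"{item['device']} ({item['user']}): {state}, last seen {item['last_seen']}")
```
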
7.10
BYOD Configuration Best Practices
An increasing number of corporations are implementing BYOD programs. It is easy to configure
the VSDM settings to take into account the device ownership type when deploying profiles,
restrictions, compliance policies, and other important settings. The following configurations are
recommended for BYOD deployments.
7.10.1
Assign Profiles and Policies by Ownership Type
Use the Ownership field when specifying the assignment criteria for applications, profiles,
content, and compliance policies to ensure that employee-owned devices receive fewer
restrictions than corporate-dedicated devices.
7.10.2
Configure Privacy Settings
Configure the VSDM Privacy settings (System Settings > Device > General > Privacy) to protect
the personal data of your employees:
• Configure the VSDM to Not Collect User Information and Telecom Data for personal
devices.
• Disable the ability to issue a full device wipe on personal devices:
7.10.3
Isolate Corporate Content
Use the Vodafone Secure Content Locker (SCL) to isolate and protect corporate content on
personal devices. The following settings enforce maximum restrictions for content:
• Allow Online viewing only.
• Force encryption.
• Disable Open in Email.
• Disable Open in Third Party Application.
Note: This feature is an additional product. Access may vary subject to local market availability.
7.11
Important Device Management Considerations
• Before performing remote actions on a device, take into account the device ownership
type. Refer to BYOD Configuration Best Practices.
• The administrator may want to use privacy settings (specified in Configuration > System
Settings > Device > General > Privacy) and role permissions (specified in Accounts >
Administrators > Roles) to restrict lower-tier administrator access to employee-owned
device data.
8
Profile Management
8.1
Overview
Create and deploy configuration profiles that define enterprise settings, policies and restrictions
for devices without requiring user interaction. The VSDM delivers signed, encrypted and locked
configuration profiles over-the-air to ensure they are not altered, shared or removed. A single
deployed profile contains customisable settings called Payloads.
8.2
Profiles Page
The Device Profiles page in the VSDM is the mechanism for managing and pushing profiles to
end-user devices over-the-air.
• Search Bar - Search for a profile based on specific profile attributes.
• Active - See if a profile is available to new devices. Green represents an active and available
profile that is available to new devices. Red represents an inactive and unavailable profile.
• Managed - Managed profiles are associated directly with the VSDM, therefore, managed
profiles are removed from un-enrolled or retired devices. Unmanaged profiles remain on
devices, regardless of the VSDM enrolment status.
• Ownership - Shows device assignment of profiles, specifically to corporate-owned or
employee-owned devices.
• Managed By - The location group that has access to edit, publish or delete a profile.
• Actions - Manage the profile using the following options on the Action menu:
o Edit - Customise an existing profile.
o Copy - Copy an existing profile with a new profile name.
o View Devices - View devices that are available for that profile and if the profile is
currently installed.
o Publish - Push out to devices any profiles matching the profile criteria.
o View XML - View the XML code sent over the air to devices describing the application
or profile.
o Edit Assignment - Change the Location Groups a profile is assigned to without republishing the profile to every assigned user.
Note: In order to change a User Group assignment, select the Edit option.
o Delete - Deletes a profile and removes it from devices.
8.2.1
Toggling Profile Views for Assignment Testing
There are three grid filters at the top right of the profiles page that can be turned on and off as
desired. Click to enable or disable the following filters and options for viewing and testing profile
assignments:
Toggle Filter
Hide or display the grid display filtering options according to various profile criteria:
Toggle Assignment Criteria
Click the Toggle Assignment Criteria grid filter to create 'what if' scenarios for profile
assignments before publishing new profiles or editing profile assignments. Using this filtering
tool, the administrator can see how profile assignments affect devices without having to
enrol test devices.
 Use Device or Any to perform Assignment testing.
 Device - Choose this button to test the assignment for a specific device and display all
profiles assigned to that device. Then, enter the device friendly name. For example, an
administrator might wish to view whether or not a more restrictive profile would be
assigned to a specific executive.
 Any - Choose this button to test the general profile assignment and display all profiles that
would be assigned to devices that match the specified attributes. Fill in the attributes to see
the device matches by Location Group, Platform, OS, Model, Ownership Type and User
Group. For example, an administrator could enter 'Apple iPad, Corporate-Owned' to see
whether or not corporate iPads have all the necessary profiles.
Export All
Click this grid tool to export all profile data as a CSV file for printing or further analysis.
8.3 Creating Profiles
Create and deploy configuration profiles that define enterprise settings, policies and restrictions
for devices without requiring user interaction. A single deployed profile contains customisable
settings, apps, features and restrictions called Payloads.
Use the following steps to deploy profiles to devices using the Device Profiles page in the VSDM:
1. Navigate to: Profiles & Policies > Profiles to open the Device Profiles page.
2. Select Add to create a new profile or click the Actions menu icon to Edit or Copy an
existing profile.
3. Choose the Platform that is associated with the profile.
8.3.1 General Settings
Select any of the profile types to begin creating a profile. The Add New Profile screen displays:
Complete the General Settings for the profile. General Settings are the overall settings that
determine the specifics of the profile deployment:
 Name - Create a profile name that is displayed in the VSDM.
 Description - Provide a brief description of what the profile does for display on managed
devices under Profile Details.
 Platform - Select which platform the profile is deployed to.
 Deployment
o Managed – Remove the profile when the device is unenrolled.
o Manual – Leave the profile installed when the device is unenrolled.
 Model and Minimum Operating System - Specify the model and minimum operating
system as parameters for profile deployment.
 Ownership - Specify ownership groups to limit deployment to the devices within the
particular group. The ownership groups are:
o Corporate-Dedicated.
o Corporate-Shared.
o Employee Owned.
 Importance and Sensitivity - Provide additional details and profile filtering capabilities
within the VSDM, without impacting profile deployment.
 Allow Removal - Specify the process for end-users to remove the specific profile from
their device.
o Always – Allow end-users to remove profiles without entering authorisation codes.
o With Authorisation – Allow end-users to remove profiles by entering the correct
authorisation code created by an Administrator.
o Never – Block end-users from removing profiles on enrolled devices.
 Managed by - Name the Administrator Organisation Group that can edit and delete the
profile. Administrators who manage higher Organisation Groups also have access to profile
management by inheritance.
 Assignment Type - Determine how the profile is pushed out to devices.
o Auto – Pushes the profile to all devices automatically.
o Optional – Pushes the profile to specific devices in the Organisation Groups that are
manually selected in the assignments box.
Note: Optional is the default setting for profiles. This means no devices receive the profile.
Optional profiles require manual assignment to individual devices, or are downloaded by
end-users from the SSP.
o Interactive – Interacts with third-party system(s) before deploying a unique payload to
a device.
o Compliance – Automatically pushes compliance profiles out to a device in violation of
corporate compliance policies.
 Assigned Location Groups - List the Location Groups and all child organisation groups
configured with this profile. Any devices that enrol into these groups or their child groups
receive the profile.
 Assigned User Groups (Optional) - List the User Group(s) that receive the profile in
addition to the specified Location Groups.
 Assigned Areas (Optional) - Name the geofencing area that this profile is active within.
Define under Profiles > Geofencing Areas.
 Assigned Schedule (Optional) - Show the profile's active time schedule. Define under
Profiles > Time Areas.
8.3.2 Create and deploy the profile payloads
1. Select the 'type' from the left navigation pane, and click Configure.
2. Complete the profile-specific information as required. The fields used to configure each
profile type are outlined in the Profile Payload Descriptions section below.
3. Click Save or Save and Publish to complete the profile.
o Save the profile configuration in the VSDM without deploying the profile to devices.
o Save & Publish the profile configuration in the VSDM, and deploy the profile to all
appropriate managed devices.
o Cancel does not save any of the profile configuration, and clears out all changes.
o Test the profile assignment's device impact before publishing by using the Toggle
Assignment Criteria grid filter.
The available profile payloads are listed on the left in the Add a New Profile navigation pane. The
navigation pane also provides a quick summary of profile payload status using the following
indicators:
 Green indicates that the profile fields under that category are complete.
 Grey indicates that no profiles of that type have been configured.
 Red indicates an error in the profile information fields.
 Numbers next to the profile name indicate the number of profiles created for the selected
profile type.
Create Multiple Profiles of One Type
VSDM profile management allows the configuration of multiple payloads for many of the profile
payload categories (for example, Wi-Fi, Email Settings or LDAP), all within a single profile.
Use the following steps to create more than one payload for a select profile payload type:
1. Click the profile payload type from the left to open the payload editing window. If
necessary, click Configure to add the initial payload.
2. Add another payload of the same type by clicking the plus sign (+). Delete the selected
profile by clicking the minus sign (-).
3. Scroll through the profiles by clicking the arrows or select a specific page by clicking on the
corresponding circle. Each circle represents a profile page.
Note: Configure each payload separately as an individual profile. Configuring multiple payloads
within one profile, such as an Email payload and a Wi-Fi payload, is not recommended. However,
configuring multiple payloads of a single type such as multiple Web-Clips within one profile, is
suggested when applicable.
8.4 Device Profile Capabilities
Profile capabilities vary according to the device type. The tables below provide a summarised
description of the profile options for the device/Operating System:
[Table: profile payloads supported per platform. Columns: Apple iOS, Android, Apple Mac OS X, BlackBerry, Symbian, Windows Mobile, Windows Phone (WP)/Windows Phone 8*. Rows: Passcode, Restrictions, Wi-Fi, VPN, Email, Exchange Active Sync, Exchange Web Services, LDAP, CalDAV, CardDav, Subscribed Calendars, Web-Clips, Bookmarks, Credentials, Launcher, SCEP, Advanced, Custom Settings, Application Control, Global HTTP Proxy, Single App Mode, Dock, Device, Telecom, Time. Three entries carry the note "(only WP8)".]
8.4.1 iOS Profiles
Profile Name - Short Description
 Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. If multiple profiles enforce separate passcode policies on a single device, the most restrictive policy is enforced.
 Restrictions - Restrictions profiles limit the features available to users of managed devices by restricting the use of specific features such as YouTube, the iTunes Store, or the on-device camera.
 Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note of the iOS 5+ only options.
 VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
 Email - Allows the administrator to configure IMAP/POP3 email accounts.
 Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure. Please note that there are pre-populated look-up value fields and options that only apply to iOS 5+.
 LDAP - LDAP allows configuration with LDAPv3 directory information. The fields in this section support lookup values. Click the tool tip for values and definitions.
 CalDAV - CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise CalDAV server. The fields in this section support lookup values. Click the tool tip for definitions.
 Subscribed Calendars - Subscribed Calendars provides calendar configuration. The fields in this section support lookup values. Click the tool tip for definitions.
 CardDAV - This section allows for specific configuration of CardDAV services. The fields in this section support lookup values. Click the tool tip for definitions.
 Web-Clips - Web-Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick access to common web resources (for example, you could add the online version of the iPhone User Guide to the home screen).
 Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
 SCEP - The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate Enrolment Protocol (SCEP).
 Advanced - Advanced profiles allow for advanced access point configuration.
 Custom Settings - Custom Settings allows a custom XML profile to be included in the profile payload.
 Global HTTP Proxy - Manually or automatically configure the proxy server for iOS 6+ Supervised devices.
 App Lock - Locks iOS 6+ devices to a single application by installing an app lock payload. The home button is disabled, and the device returns to the specified application automatically upon wake or reboot.
8.4.2 Mac OS Profiles
Profile Name - Short Description
 Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. If multiple profiles enforce separate passcode policies on a single device, the most restrictive policy is enforced.
 Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note of the iOS 5+ only options.
 VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
 Email - Allows the administrator to configure IMAP/POP3 email accounts.
 Exchange Web Services - Exchange Web Services profiles allow end-users to access corporate push-based email infrastructure. The fields in this section support lookup values. Click the tool tip for values and definitions.
 LDAP - LDAP allows configuration with LDAPv3 directory information. The fields in this section support lookup values. Click the tool tip for values and definitions.
 CalDAV - CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise CalDAV server. The fields in this section support lookup values. Click the tool tip for definitions.
 CardDAV - This section allows for specific configuration of CardDAV services. The fields in this section support lookup values. Click the tool tip for definitions.
 Web-Clips - Web-Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick access to common web resources (for example, you could add the online version of the iPhone User Guide to the home screen).
 Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
 SCEP - The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate Enrolment Protocol (SCEP).
 Custom Settings - Custom Settings allows a custom XML profile to be included in the profile payload.
 Dock* - Configure dock size, magnification and position.
8.4.3 Android Profiles
Profile Name - Short Description
 Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. If multiple profiles enforce separate passcode policies on a single device, the most restrictive is enforced.
 Restrictions - Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions include device functionality, Sync and Storage, Bluetooth, Roaming and Tethering restrictions.
 Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
 VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
 Email Settings - Email profiles send email configurations directly to devices so that end-users automatically receive email.
 Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure. Exchange can now be set up with the native mail client on Samsung SAFE devices (http://www.samsung.com/us/article/samsungapproved-for-enterprise) and HTC Pro devices (http://www.htcpro.com).
 Application Control - Prevent installation of blacklisted apps, un-installation of whitelisted apps (3LM, SAFE, LG v 1.0+) and prevent the installation of non-whitelisted apps (SAFE v2+, 3LM).
 Launcher - Allows administrators to customise several aspects of a user's device. Administrators can restrict users to only have access to the apps and settings they choose.
 Bookmarks - Bookmark profiles work in the same manner as Web-Clip profiles. Bookmarks are customised web shortcuts that are pushed down to the Home screen of the user's device. Multiple bookmarks can be added per profile by clicking on the plus (+) sign in the top right corner of the window.
 Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well. Multiple credential configurations can be added per profile by clicking on the plus (+) sign in the top right corner of the window.
8.4.4 BlackBerry Profiles*
Profile Name - Short Description
 Device - Device profiles determine various device-specific options such as backlight brightness, backlight timeout, GPS sampling and GPS sample intervals.
 Telecom - Telecom profiles specify various telecom options such as 411 redirections and SMS sampling options.
 Advanced - Advanced allows for custom configuration of BlackBerry Logs.
 Custom Settings - Custom Settings allows custom XML profiles to be included in the profile payload.
8.4.5 Symbian Profiles
Profile Name - Short Description
 Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. This profile allows for a reset of an administrator-set passcode.
 Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
 Exchange ActiveSync - The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
 Custom Settings - Custom Settings allows custom XML profiles to be included in the profile payload.
 VPN* - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations. This is presently supported on devices running on Anna and Belle operating systems only.
 Credentials* - Deploys corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
8.4.6 Windows Mobile
Profile Name - Short Description
 Passcode* - Requires end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected.
 Restrictions - Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions include device functionality, Sync and Storage, Bluetooth, Roaming and Tethering restrictions.
 Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
 Exchange ActiveSync - The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
 Credentials - Deploys corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
 VPN* - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
 Launcher* - Allows administrators to customise several aspects of a user's device. Administrators can restrict users to only have access to the apps and settings they choose.
 Time Sync* - Sync time on devices to a primary and secondary time server.
8.4.7 Windows Phone and Windows Phone 8*
Profile Name - Short Description
 Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected.
 Email (WP8)* - Configure IMAP/POP3 email accounts, and send email configurations directly to devices so that end-users automatically receive emails.
 Exchange Active Sync (WP8)* - Allow end-users to access corporate push-based email infrastructure. The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
 Credentials* - Deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well. Deploys both Root and User certificates. Root certificates contain root, or self-signed, certificates. User certificates contain the public key for the client certificate. The client certificates are used by the device client to authenticate itself to the enterprise server ( server) for device management and enterprise app downloading.
 Restrictions (WP8)* - Restrictions profiles limit the features available to users of managed devices by restricting the use of specific features such as enforcing device encryption and SD card use.
*New Feature in VSDM Release 3
8.5 Profile Payload Descriptions
8.5.1 Passcode
Passcode profiles require end-users to protect their devices with a passcode. The most restrictive
policy is enforced when multiple profiles enforce separate passcode policies on a single device.
 Require passcode on device - Forces a user to set a passcode on the device.
 Allow simple value - Allows 'simple' password values such as '1111' or '1234'.
 Require alphanumeric value - Requires a passcode with letters and numbers and no
spaces or special characters.
 Minimum Passcode length - Sets a minimum required passcode length.
 Minimum number of complex characters - Sets a minimum number of complex
characters.
 Maximum passcode age (days) - Sets the number of days until a password expires.
 Auto-Lock (min) - Sets a timeout for the device to automatically lock, after which a
passcode is required for entry.
 Passcode history - Sets the number of previous passwords that cannot be reused.
 Grace period for device lock (min) - Sets the time period after device lock where
passcode is not required for re-entry.
 Maximum number of failed attempts - Set the number of failed passcode attempts
before the device is wiped.
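How the most-restrictive rule plays out across several passcode profiles, as an added example (not VSDM code). The key names are Apple's passcode payload keys; the direction treated as "more restrictive" for each setting, the function names and the two sample profiles are assumptions constructed for illustration.

```python
# Which of two values is the more restrictive, per passcode payload key.
# The direction for each key is this example's assumption, not taken from the guide.
STRICTER = {
    "forcePIN": max,             # Require passcode on device: required wins
    "allowSimple": min,          # Allow simple value: disallowed wins
    "requireAlphanumeric": max,  # Require alphanumeric value: required wins
    "minLength": max,            # Minimum passcode length: longer wins
    "minComplexChars": max,      # Minimum number of complex characters
    "maxPINAgeInDays": min,      # Maximum passcode age (days): shorter wins
    "maxInactivity": min,        # Auto-Lock (min): shorter wins
    "pinHistory": max,           # Passcode history: more remembered wins
    "maxGracePeriod": min,       # Grace period for device lock (min)
    "maxFailedAttempts": min,    # Failed attempts before wipe: fewer wins
}

# Constructed sample: two profiles assigned to the same device.
SAMPLE_PROFILES = {
    "Corporate baseline": {
        "forcePIN": True, "allowSimple": False, "minLength": 6,
        "maxInactivity": 5, "maxFailedAttempts": 10,
    },
    "Executives": {
        "forcePIN": True, "minLength": 8,
        "maxInactivity": 15, "maxPINAgeInDays": 90,
    },
}


def effective_passcode_policy(profiles):
    """Merge passcode settings from every profile on a device.

    profiles maps profile name -> settings dict. A key a profile omits is
    treated as "not constrained by that profile". Returns
    {key: (effective value, name of the profile that supplied it)}.
    """
    effective = {}
    for name, settings in profiles.items():
        for key, value in settings.items():
            pick = STRICTER.get(key)
            if pick is None:
                raise KeyError(f"{name}: unknown passcode key {key!r}")
            if key not in effective:
                effective[key] = (value, name)
                continue
            current = effective[key][0]
            if value != current and pick(value, current) == value:
                effective[key] = (value, name)
    return effective


def loosened_by_removal(profiles, name):
    """Settings that change on the device if one profile is deleted or
    unassigned. Returns {key: (value before, value after or None)}."""
    before = effective_passcode_policy(profiles)
    remaining = {n: s for n, s in profiles.items() if n != name}
    after = effective_passcode_policy(remaining)
    changes = {}
    for key, (value, _source) in before.items():
        new_value = after[key][0] if key in after else None
        if new_value != value:
            changes[key] = (value, new_value)
    return changes


if __name__ == "__main__":
    for key, (value, source) in effective_passcode_policy(SAMPLE_PROFILES).items():
        print(f"{key:20} {value!s:6} from {source}")
    print(loosened_by_removal(SAMPLE_PROFILES, "Executives"))
```

Running the removal check before deleting or unassigning a profile shows which device settings depend on that profile alone.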
8.5.2 Restrictions
Restrictions profiles are settings that limit the use of specific device features.
Apple Restrictions
Apple iOS devices include the following restrictions:
Note: Exceptions are noted in the profile fields.
 Device Functionality - Determines what functions a device user can perform.
 Applications - Determines what applications a device user can access.
 iCloud - Determines the backup and document sync settings for iCloud.
 Security and Privacy - Determines advanced security settings including untrusted
certificate acceptance.
 Ratings - Restricts access to Movies, TV Shows, and Apps based on specific ratings.
Android Restrictions
Restriction capabilities for Android OS versions and devices include the categories below:
Note: Compatibility is noted in the VSDM.
 Device Functionality - Determines what functions a device user can perform.
 Sync and Storage - Determines the data backup and storage settings for the device.
 Applications - Determines what applications a device user can access.
 Bluetooth - Enables or disables Bluetooth settings, and customises the availability of
certain Bluetooth features.
 Network - Determines the Wi-Fi networks and security settings for the device, and blocks
specific Wi-Fi networks.
 Roaming - Determines if data usage, sync and push messages are allowed for roaming
devices.
 Tethering - Allows or disallows tethering functionality.
 Browser - Blocks the device browser, and customises advanced browser settings.
 Location Services - Determines whether or not GPS and other location services are
allowed.
 Phone and Data - Sets custom limits for maximum call, SMS and data usage.
8.5.3 Wi-Fi
Push corporate Wi-Fi settings directly to managed devices for instant access.
 Service Set Identifier - Configures Wi-Fi profiles, selects the appropriate wireless protocols
and security settings for the Wi-Fi network.
 Proxy - Allows the administrator to configure a proxy server.
 Add multiple accounts by clicking the plus (+) button, or create Wi-Fi profiles in bulk by
navigating to Profiles and Policies > Profiles > Bulk Import.
8.5.4 VPN
VPN profiles push Virtual Private Network settings to devices so that users can securely access
corporate infrastructure from remote locations.
 Connection Name - View the name of the connection displayed on the device.
 Connection Type - Choose the type of connection enabled by this profile. Each
connection type enables different capabilities.
 Server - Enter the hostname or IP address of the server being connected to.
8.5.5 Email
Configure IMAP/POP3 email accounts for incoming and outgoing mail.
 Add multiple accounts by clicking the plus (+) button.
Note: Certain iOS email profile features are only available for iOS 5+ devices.
Note: Enhanced Email Settings functionality is available for Android Samsung devices.
8.5.6 Exchange ActiveSync/Web Services
Allows end-users to access corporate push-based email infrastructure.
 Create a profile for an individual user by specifying the domain name, user name, email
address and password. Alternatively, leave the password field blank to prompt the user for
their password. This requires a lookup value for the username field.
 Select one of the two options listed under Certificate Type to validate the ActiveSync
connection with certificates.
 Uploaded Certificate - Requires end users to enter a password before receiving
certificates.
 Certificate Authority - Specifies that the local network's Certificate Authority is the
certificate source.
 Configure multiple Exchange accounts by clicking the Add (+) button.
8.5.7 LDAP
LDAP profiles provide easy configuration with LDAPv3 directory information.
 The fields in this section support lookup values. Click the tool tip for values and
definitions.
 Add multiple accounts by clicking the plus (+) button.
 Please refer to the section on LDAP integration for more information on LDAP.
8.5.8 CalDAV
Configure to allow users to sync wirelessly with the enterprise CalDAV server.
The fields in this section support lookup values. Click the tool tip for definitions.
8.5.9 Subscribed Calendars
Subscribed Calendars manages corporate calendar integration and subscriptions.
The fields in this section support lookup values. Click the tool tip for definitions.
8.5.10 CardDAV
Configure specific CardDAV services.
The fields in this section support lookup values. Click the tool tip for definitions.
8.5.11 Web-Clips/Bookmarks
Web-Clip profiles (iOS) and Bookmark profiles (Android) send down clickable hyperlinks in the
form of an icon onto devices for quick access to common web resources. For example, to add the
online version of the iPhone User Guide to the Home screen, specify the Web-Clip URL:
http://help.apple.com/iphone/. Web-Clips and Bookmarks are also used to deploy the Vodafone
App Catalogue and to enable the Self-Service Portal.
 Label - Enter the name that needs to be displayed on the screen.
 URL - Enter the internal or external address that the user is redirected to on the device.
 Removable - Specify whether or not the user has the ability to remove the Web-Clip from
their device (iOS only).
 Icon - Add a custom icon in .gif, .jpg or .png format.
Note: For best results provide a square image no larger than 400 pixels on each
side and less than 1 MB in size when uncompressed. The graphic is automatically
scaled and cropped to fit, if necessary, and converted to png format. Web-Clip
icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all
other devices.
 Precomposed Icon - Select to stop the device from adding a shine to the icon (iOS only).
 Full Screen - Specifies that the address is loaded full screen on the device without the
Safari address bar and borders (iOS only).
 Show as web app in the app catalogue* - Enables device users to use Web-Clip profiles
on the app catalogue as web applications (iOS only).
 Add to Homescreen - Select to automatically place the bookmark on the device's
homescreen (Android only).
 Plus - Click to add Multiple Web-Clips or Bookmarks.
8.5.12 Android Launcher Mode
The Launcher profile is an Android-only feature that allows administrators to customise several
aspects of a user's device. An Administrator can restrict users to only have access to the apps and
settings the Administrator chooses. Before utilising the Launcher Profile, the Launcher App must
first be installed on the device. The Launcher profile's settings are discussed in further detail
below.
Background - Configures the following settings:
 A customised background wallpaper image.
 The number of home screens.
 An administrator password to allow access to the VSDM Agent on the device.
Allowed Applications - Configures which applications are allowed on the device.
 Enter each application's friendly name and its unique Application ID in the relevant fields.
 Locate each Application ID by browsing the App Catalogue in the VSDM or by browsing the
Google Play market.
Settings - Select which device settings the user has access to.
Icon Grid Layout - Determine the icon size, layout and rearrangement privilege for the device.
8.5.13 Credentials
Credentials profiles deploy corporate certificates to managed devices.
 The Credentials profile also provides a field for configuring Ad-hoc certificate requests (if
supported by the network).
 Add multiple credentials configurations by clicking on the plus (+) sign.
8.5.14 SCEP
The SCEP payload specifies settings that allow the device to obtain certificates from a CA using
Simple Certificate Enrolment Protocol (SCEP).
For more information on Certificate use and integration, please refer to the section on Certificate
Infrastructure Integration.
8.5.15 Advanced
Advanced profiles allow for advanced Access Point configuration.
8.5.16 Custom Settings
Custom Setting profiles allow for custom XML profiles to be included in the profile payload.
 Custom Setting profiles allow administrators to directly input the XML code deployed to
devices over the air. This defines the settings of a configuration profile in the event that
new device platform capabilities are released before the VSDM profile capabilities are
updated.
 Custom profiles always open and close with the <dict> tags and contain, as a minimum, the
following profile keys:
o PayloadDisplayName - Optional. Name of the profile to be deployed to the device.
o PayloadDescription - Optional. Description of the profile to be deployed to the
device.
o PayloadVersion - The version of the payload to log updates and modifications.
o PayloadIdentifier - A reverse DNS format identifier that is unique to this specific
payload.
o PayloadUUID - A globally unique identifier for the payload.
o PayloadOrganization - Optional. The organisation that deployed the profile payload.
o PayloadType - The type of payload that is going to be configured. For example, this
defines whether the payload is a passcode payload, Wi-Fi payload, or restrictions
payload.
 A sample of how these keys are deployed in the custom profile is shown below.
<dict>
<key>PayloadDescription</key>
<string>Configures 15-min autolock for iPads</string>
<key>PayloadDisplayName</key>
<string>15min AutoLock</string>
<key>PayloadIdentifier</key>
<string>com.autolock.fifteenmin.passcode1</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
• Once a PayloadType is defined, administrators must define specific keys for it. The keys
are all dependent on the type of payload that the administrator is trying to deploy. For iOS
devices, a list of all currently available payload specific property keys can be seen
here: http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
• Once these payload specific fields are defined, the profile is ready to deploy. The sample
custom profile shown below will enable 15 minute auto-lock features for an iPad passcode
profile.
<dict>
<key>PayloadDescription</key>
<string>Configures 15-min autolock for iPads</string>
<key>PayloadDisplayName</key>
<string>15min AutoLock</string>
<key>PayloadIdentifier</key>
<string>com.autolock.fifteenmin.passcode1</string>
<key>PayloadOrganisation</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>forcePIN</key>
<true/>
<key>maxInactivity</key>
<integer>15</integer>
</dict>
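The check below is an added example, not part of the Vodafone guide or the VSDM product: a Python pre-flight validator to run over a custom profile body before it is pasted into the Custom Settings field. It parses the <dict> fragment, confirms the minimum keys this section lists, and checks the two payload-specific keys from the sample above; the function name, the type table and the broken sample are assumptions constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Keys this section lists for every custom profile. Those marked "Optional"
# may be absent but must have the right type when present.
REQUIRED = {"PayloadVersion": int, "PayloadIdentifier": str,
            "PayloadUUID": str, "PayloadType": str}
OPTIONAL = {"PayloadDisplayName": str, "PayloadDescription": str,
            "PayloadOrganisation": str}
# Assumption: per-type expectations taken only from the guide's sample profile.
TYPE_SPECIFIC = {"com.apple.mobiledevice.passwordpolicy":
                 {"forcePIN": bool, "maxInactivity": int}}

TAG_NAME = {int: "integer", str: "string", bool: "boolean"}
REVERSE_DNS = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
UUID_FORM = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def validate_custom_payload(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    body = xml_text.strip()
    if not (body.startswith("<dict>") and body.endswith("</dict>")):
        return ["payload must open with <dict> and close with </dict>"]
    try:
        # plistlib expects a <plist> root, so wrap the bare <dict> fragment.
        wrapped = '<plist version="1.0">' + body + "</plist>"
        payload = plistlib.loads(wrapped.encode("utf-8"), fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError) as exc:
        return ["not well-formed plist XML: %s" % exc]

    problems = []

    def check(key, expected, required):
        if key not in payload:
            if required:
                problems.append("missing required key: " + key)
        elif type(payload[key]) is not expected:  # exact match: bool subclasses int
            found = type(payload[key])
            problems.append("%s must be %s, found %s" % (
                key, TAG_NAME[expected], TAG_NAME.get(found, found.__name__)))

    for key, expected in REQUIRED.items():
        check(key, expected, required=True)
    for key, expected in OPTIONAL.items():
        check(key, expected, required=False)

    ident = payload.get("PayloadIdentifier")
    if isinstance(ident, str) and not REVERSE_DNS.fullmatch(ident):
        problems.append("PayloadIdentifier is not in reverse DNS format")
    puuid = payload.get("PayloadUUID")
    if isinstance(puuid, str) and not UUID_FORM.fullmatch(puuid):
        problems.append("PayloadUUID is not a UUID")

    ptype = payload.get("PayloadType")
    if isinstance(ptype, str):
        for key, expected in TYPE_SPECIFIC.get(ptype, {}).items():
            check(key, expected, required=False)
    return problems


# The 15-minute auto-lock profile exactly as shown in this section.
GUIDE_SAMPLE = """
<dict>
<key>PayloadDescription</key>
<string>Configures 15-min autolock for iPads</string>
<key>PayloadDisplayName</key>
<string>15min AutoLock</string>
<key>PayloadIdentifier</key>
<string>com.autolock.fifteenmin.passcode1</string>
<key>PayloadOrganisation</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>forcePIN</key>
<true/>
<key>maxInactivity</key>
<integer>15</integer>
</dict>
"""

# Constructed for this example: no PayloadUUID, a bare identifier, and
# maxInactivity typed as a string instead of an integer.
BROKEN_SAMPLE = """
<dict>
<key>PayloadIdentifier</key>
<string>autolock</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>forcePIN</key>
<true/>
<key>maxInactivity</key>
<string>15</string>
</dict>
"""

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(name, validate_custom_payload(text) or "OK")
```

An empty result only means the structure is sound; whether a given device platform honours the payload-specific keys still has to be confirmed against the platform's own profile reference.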
8.5.17 Global HTTP Proxy
Configure the proxy in one of two ways:
Note: This payload is currently only compatible with Apple iOS6 devices in Supervised mode.
With Apple's Configurator program, each device must be set to Supervised mode to be
compatible with the Global HTTP Proxy payload.
Manual - Enter the proxy server address including its port, as well as a username and password.
Including the username and password prevents the end user from entering the credentials
manually.
Auto - Enter the specific Proxy Pac File URL in the field.
8.5.18 App Lock
The single app mode payload provides a way to lock a device into a single application until the
payload is removed. The home button is disabled, and the device returns to the specified
application automatically upon wake or reboot. This payload is currently only compatible
with Apple iOS6 devices in Supervised mode. With Apple's Configurator program, each device
must be set to Supervised mode to be compatible with the App Lock payload.
Each application's bundle ID can be found by locating the app either:
• In the VSDM's App Catalogue within the Device Dashboard.
• Within the Compliance setup for whitelisted apps.
• In the iTunes app information.
8.5.19 Dock*
The Dock payload configures the dock size, magnification and position of bulk configuration
dock stations. Administrators can tailor dock settings according to device requirements and
usage. Stage sets of devices with standard Mac apps such as FaceTime, App Store, Garage Band,
and more simultaneously. This payload is currently only compatible with Mac OS devices.
8.5.20 Time Sync*
The Time Sync payload coordinates a device with a primary and secondary time server. This
payload is currently only compatible with Windows Mobile devices.
*New Feature in VSDM Release 3
8.6 Geofencing
The Geofencing page allows you to set up location-based rules that allow or restrict pushing
profiles or applications to the device end-users over-the-air. Geofencing is supported on Android
and iOS.
8.6.1 Creating a Geofence Area
From the VSDM you can create a fence or geographical area along with some rules that the
profile or application should implement.
Use the following steps to create a Geofence area for profiles or applications.
1. Navigate to Profiles & Policies > Profiles > Geofencing.
2. Click Add Area to create a new geofence area or click the Actions menu to Edit or Delete
an existing area.
3. Complete the following information:
o Address - Enter the address where you want the device to be geofenced within a
specific range. For example, you can enter country, state, or city.
o Area name - Enter the specific area name if required.
o Radius (miles) - Enter radius in miles within which the device needs to be geofenced.
4. Click Search to see the area location on the map and click Save.
Note: When you want to push a profile or application to the device with geofencing settings, you
need to first select a profile by navigating to Profiles & Policies > Policies > Device Policies.
From the Device Policies page, select a profile and under the General tab select the Enable
Geofencing and install only on devices inside selected areas checkbox as shown in the
image below:
8.7 Time Schedules
Time Schedules allow you to set up time-based rules for governing profile pushes.
Use the following steps to create a time schedule rule for the profile:
1. Navigate to Profiles & Policies > Profiles > Time Schedules.
2. Click Add Schedule to create a new time schedule, or click Actions menu to Edit or
Delete an existing time schedule.
3. Complete the following information:
o Schedule Name - Enter a friendly name for the time schedule. This is a mandatory
field.
o Time Zone - Select the time zone limit from the drop down list.
o Add Schedule - Click to create multiple time schedule rules. Enter a particular day, the
start time, and the end time for the application to be pushed to the device or, tick the
All Day checkbox to implement the time schedule settings the entire day on the
device.
4. Click Save.
Note: When you want to push a profile to the device with time schedule settings, you need to first
select a profile by navigating to Profiles & Policies > Policies > Device Policies. From the
Device Policies page, select a profile and under the General tab select the Enable Scheduling
and install only during selected time periods check box as shown in the below image.
8.8 Creating Wi-Fi Profiles in Bulk
Creating Wi-Fi profiles in bulk allows the administrator to publish Wi-Fi profiles to users according
to their Location Group. The Bulk Import feature provides the same Wi-Fi configuration settings as
the single Wi-Fi profile provisioning except that it is a simultaneous configuration of many profiles
across Location Groups.
8.8.1 Create Bulk Wi-Fi Profiles
Use the following steps to create Wi-Fi profiles in bulk:
1. Navigate to Profiles & Policies > Profiles.
2. Click Bulk Import to open the Batch Import Form.
3. Complete the basic information:
o Batch Name - The name of the user or device batch (for reference purposes in the
VSDM).
o Batch Description - A description of the particular user or device batch (for reference
purposes).
o Batch Type - Select WiFi Profiles from the menu.
4. Click the icon to open the Bulk Import Help Topic Form:
5. Select the Download Template to download the Batch Import Template.
6. Click Open to open the template.
7. Enter in all relevant Wi-Fi profile information for each group (defined by Location Group).
Five sample users have been added to the top of the template as examples of the type of
information to enter in each column. Mandatory fields are designated with a *.
o Column A, Use Case, refers to the profile type (Add, Edit, or Change):
   • Change allows the administrator to change the Model (device) and Assigned
   Location Group fields for an existing profile.
   • Add creates a new profile.
   • Edit allows the administrator to edit an existing profile (creates a new Wi-Fi
   configuration).
o Column E, Location Group, specifies the location group permissions for editing the Wi-Fi
profile. Every administrator placed one level higher than this location group (and
above) is able to edit the designated Wi-Fi profile.
o Column F, Assigned Location Group, designates the location group to which the
profile is deployed.
8. Save the template as a .csv file.
9. Select Browse from the Batch Import Form and select the .csv file that was just created
from the template.
10. Click Save.
8.8.2 Manage Bulk Wi-Fi Profiles
View the details and status of batch profile imports by selecting Batch Status under
Available Views on the Profiles page.
• Location Group - Names the batch's location group.
• Batch Name - Identifies the batch's name.
• Batch Description - Describes the batch.
• Creation Date/Time - States the date and time of the batch's creation.
• Batch Status - States if the batch has a complete or error status.
8.9 Important Profile Management Considerations
The following tips will help administrators manage their smart device fleet more efficiently
through the profile management tools in the VSDM:
• It is recommended that administrators include only one payload per profile.
  o An exception to this recommendation would be when a Credential payload is needed
  to accompany another payload (such as Email, VPN or Wi-Fi) in order for the profile to
  work correctly (see Utilising Certificates for VSDM).
• Pay close attention to the device ownership type (Corporate-Dedicated, Corporate-Shared
or Employee-Owned) when specifying the profile General Settings.
  o For example, the administrator may want to deploy more stringent Restriction profiles
  to corporate-owned devices than to employee-owned devices.
• Profile assignments change with location group assignments.
  o For example, if you move a user to a new Location Group, the profiles associated with
  the original Location Group are removed and the user inherits the profiles associated
  with the new Location Group.
• For maximum Email security, use Email profiles in conjunction with the Vodafone Secure
Email Gateway.
• To quickly create multiple profiles with similar deployment settings, use the Copy action
to copy the original profile and then make changes where necessary.
9 Application Management
The VSDM solution enables the administrator to wirelessly distribute and manage internal, public,
and purchased apps to iOS and Android devices across the mobile fleet. Furthermore, the
Enterprise App Catalogue allows the corporation to build secure business applications, which
can be deployed, managed, and secured alongside public apps via a custom app catalogue.
Through the Application management tools in the VSDM administrators can allow users to
effortlessly view, install, and update both internal and public applications.
Note: Any applications listed in this section are used as examples only and should not be seen as
recommended applications by Vodafone.
9.1 Using the Applications Page
The Applications page of the VSDM is the means of managing and pushing applications to end-user
devices over-the-air. It provides a detailed list of internal, public, and purchased applications
that have been created or recommended for the specified location groups or child location
groups. It is the centralised interface by which you can recommend public applications and
deploy internal or purchased applications to your smart device fleet.
To access the Applications page, navigate to Catalogue > Applications:
From here, you can view all the Applications that are being managed in the VSDM. You can
categorise applications within four VSDM groups (Internal, Public, Purchased, and Application
groups), as well as determine how to distribute those applications as described in Advanced
Application Management.
9.1.1 Navigating the Applications Page
There are several ways for you to select, order, identify, find, filter, etc. specific applications within
the VSDM. This section is divided into the following:
• Search Bar.
• Grid.
• Icons.
Search Bar
• Platform - Searches for Applications based on the device platform.
• Status - Searches for Applications based on the activity status of a device. Select All,
Active, Retired, or Inactive for Public and Purchased, with the addition of Retired for
Internal. This is not available in Groups.
• Categories - Searches for Applications only within Internal based on the category assigned
to it by you in the Info screen prior to uploading the Application into the VSDM.
• Type - Searches for Applications only within Application Groups that meet a specific type
defined by you. Select All, Whitelist, Blacklist, or Required.
• Search - Search for a specific Application by name, partial name, or keyword. In the Filter
Grid field enter any keyword and then press Enter. The grid re-sorts and displays only those
devices that contain the keyword(s) you entered.
Multiple Criteria Search Using Only the Search Bar
In the following example, three search criteria have been used:
• Platform - Apple iOS and
• Status - Active and
• Search - abc.
The result for this multiple criteria search is shown in the grid below:
Grid
The grid displays sortable and non-sortable columns within each of the four groups: Internal,
Public, Purchased, and Application Groups. Depending on which group you view, the column(s)
change. Below is a description of the sortable columns in all four groups:
• Assignment - Is the combination of the Device Ownership and Managed By selections
made by you when the application was assigned.
• Comments - Are the comments entered by you in the Comments field when the
Application was assigned.
• Description - Is the description entered by you in the Description field when the
Application was assigned.
• Name - Is the name of the Application entered in the Name field when the Application was
assigned.
• Platform - Is the platform (e.g., Apple) on which the Application runs.
• Platform / OS / Model - Provides information on the platform, the operating system, and
model.
• Status - Indicates whether the Application is Active, Inactive, or Not Assigned.
• Type - Indicates which Applications are Whitelisted, Blacklisted, or Required.
• Uses SDK - Indicates which Applications are using the VSDM Software Developers Kit
(SDK). It is only available for Internal Applications.
• Version - Is the version entered by you in the Version field when the Application was
assigned. It is only available for Internal Applications.
Note: Actions, Applications, Category, Icon, Installed/Assigned, Managed By, Rank, and
Reimbursable are not sortable columns.
Icons
There are icons throughout the page that, when either hovered over or clicked on, either provide
more features or perform functions. They are as follows:
Tiles and Lists
Click Tiles in the upper right corner and the screen displays Application icons in the far left
column, as shown in the example below:
Click List in the upper right corner and the screen displays all information textually without
any graphical representations, as shown in the example below:
Refresh
Click Refresh and the grid refreshes to display the default Available Columns layout, and all
device data based on any search criteria in the Filter dropdown and Filter Grid field, as shown in
the example below:
Export All
Click the Export All icon and the data in the grid exports into an Excel spreadsheet, as shown in
the example below:
Actions
Click Actions to manage the Application using the following options listed in the Action menu:
• View - Allows you to view the Application assignment. You can also edit the assignment
from this screen.
• Edit - Allows you to edit information about the existing Application assignment.
• Edit Assignment - Allows you to edit the existing Application assignment.
• View Devices - Shows devices that are available for that Application.
• Publish - Pushes out the Application to devices that match the profile criteria.
• Notify Devices - Allows you to notify the device users about the apps.
• Add Version - Allows you to upload the latest version of the Application.
• Retire - Allows you to remove the previous version of the application from the device and
retires it in the VSDM as Retired.
• Deactivate - Allows you to keep the Application, but deactivates it.
• Activate - Allows you to keep the application active.
• User Ratings - Allows you to view both the admin ratings as well as user ratings.
• Unretire - Allows you to push the already retired application to the device.
• Delete - Deletes the Application and removes it from devices.
9.2 Enabling the App Catalogue
The first step to deploying applications through the VSDM is deploying the Enterprise App
Catalogue in the form of a Web-Clip (iOS) or Bookmark (Android) profile:
1. Navigate to Profiles & Policies > Profiles.
2. Select Add. The Select Platform Form displays.
3. Choose Android or Apple based on the device you would like to configure.
4. Configure the Profile General Settings (See "General Settings").
5. Select Web-Clips for iOS devices or Bookmarks for Android devices from the left profile
list.
6. Click the Configure button and enter all of the Web-Clip/Bookmark profile parameters:
o Label - The name displayed on managed devices for the Web-Clip/Bookmark. For
example, Vodafone App Catalogue could be used.
o URL - The App Catalogue URL is in the format of
https://<Environment>/devicemanagement/AppCatalogue?uid={DeviceUid}
where <Environment> is the URL to your VSDM Server. In a multi-server on-premise
deployment, this URL is your Device Services server URL. If you are in a Shared SaaS
environment, use the convention:
https://dsXX.<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}
For example, if you are in the mm.vodafone.com environment, use
https://ds22.<VodafoneEnvironment>/devicemanagement/AppCatalogue?uid={DeviceUid}
You can also change the landing page for the App catalogue. Use the
conventions listed below:
• Internal:
https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=Internal
• Public:
https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=public
• Categories:
https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=categories
• Purchased:
https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=purchased
• Updates:
https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=updates
o Icon − To add a custom icon, select a graphic file in .gif, .jpg, or .png format. For best
results provide a square image no larger than 400 pixels on each side and less than 1
MB in size when uncompressed. The graphic is automatically scaled and cropped to fit,
if necessary and converted to png format. Web-Clip icons are 104 x 104 pixels for
devices with a Retina display or 57 x 57 pixels for all other devices.
o Show as web app in the app catalogue - Enable this option for the device-users to
use Web-Clip profiles in the app catalogue as web applications.
Note: Administrators can assign and manage on-demand web applications in the App catalogue,
which allows the device-users to navigate and install the web applications from App Catalogue.
7. Click Save and Publish to immediately deploy the Web-Based Vodafone App Catalogue to
all appropriate devices.
9.3 Advanced Authentication for App Catalogue**
Administrators can allow use of the App Catalogue by assigning a user name and password.
1. Navigate to System Settings > Applications > App Catalogue.
2. Complete the following sections.
o Authentication:
   • Tick the Require Authentication for Application Catalogue checkbox to prompt
   the device user to enter the user name and password to authenticate the App
   Catalogue.
   • Select an option under the Default Tab to make it display as the first tab in App
   catalogue.
o App Catalogue without MDM*:
   • Tick the App Catalogue without MDM checkbox to prevent the user from enrolling
   into MDM. In this case, the user can have access to applications assigned to the
   Location Group through a separate App Catalogue.
   • Tick the Allow New User Registration checkbox to allow the new users to register
   to have access to the App catalogue.
   • Enter a title for the App Catalogue Web-Clip.
   • Upload an image for the App Catalogue.
3. Click Save.
**New Feature in VSDM Release 2
*New Feature in VSDM Release 3
9.4 Enabling Book Catalogue**
As with the App Catalogue, the first step in deploying iBooks through VSDM is deploying the
Enterprise Book Catalogue in the form of a Web-Clip (iOS) or Bookmark (Android) profile:
1. Navigate to Profiles & Policies > Profiles. The Device Profiles page displays.
2. Select Add. The Select Platform form displays.
3. Choose Android or Apple based on the device you would like to configure.
4. Configure the Profile General Settings.
5. Select Web-Clips for iOS devices or Bookmarks for Android devices from the left profile
list.
6. Click the Configure button and enter all of the Web-Clip/Bookmark profile parameters.
o Label - The name displayed on managed devices for the Web-Clip/Bookmark. For
example, Vodafone Book Catalogue could be used.
o URL - The Book Catalogue URL is in the format of
https://<Environment>/devicemanagement/AppCatalogue/BookCatalogue?uid={DeviceUid}
where <Environment> is the URL to your VSDM Server. In a multi-server
on-premise deployment, this URL is your Device Services server URL.
o Precomposed Icon − To add a custom icon, select a graphic file in .gif, .jpg, or .png
format. For best results provide a square image no larger than 400 pixels on each side
and less than 1 MB in size when uncompressed. The graphic is automatically scaled
and cropped to fit, if necessary and converted to png format. Web-Clip icons are 104 x
104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
7. Click Save and Publish to immediately deploy the Web-Based Vodafone Book catalogue
to all appropriate devices.
**New Feature in VSDM Release 2
9.5 Application Categories**
The VSDM allows the administrators to have their own application categories and to filter the
applications by those categories. Administrators can create, view, edit, delete, and assign one or
more categories for both public and internal applications in a selected Location Group. These
categories are also displayed on the App Catalogue allowing the end-users to browse and filter
the applications by category. To create an application category:
1. Navigate to Catalogue > Applications page.
2. Select Application Categories from the Configuration menu on the left.
3. Complete the following fields:
o Name - Name of the category.
o Description - Description of the category.
o Category type - Indicates whether the category is added in the system as seed data
(System type) or added by an admin user (Custom type). Only the custom categories
can be edited.
o Managed By - The location group at which the category is created. By default, the
categories of System type are assigned to all the managed and its lower location
groups.
4. Click Add Category to create a new category that can be assigned for applications for a
selected location group.
5. Complete the Add Category form with all required fields.
o Category Name - Enter the name for the category.
o Category Description - Enter a short description for the category.
6. Click Save. The Category is saved as a Custom category.
7. Click the Actions menu located on the right to edit, view, or delete the application
categories.
9.5.1 Assigning Custom Category to Apps**
The administrator can assign or un-assign one or more categories to internal and public apps. To
assign a category:
1. Navigate to Catalogue > Applications page.
2. Select either Internal or Public from the Applications menu on the left.
3. Click Add Application and complete the form with all required fields.
o Categories - While adding a new internal or public application, the system
automatically looks through all the existing seeded system categories and selects the one
that matches the application as received from the app store. To add multiple
categories, click the Categories panel where all the categories including System and
Custom are populated. Clicking a match adds the category.
4. Click Save and Assign.
**New Feature in VSDM Release 2
9.6 Recommending Public Applications
Once Vodafone App Catalogue has been successfully deployed to your smart device fleet, you
can begin recommending public applications and distributing corporate applications through the
VSDM.
Use the following steps to recommend public apps to the Vodafone App Catalogue:
1. Navigate to Catalogue > Applications.
2. Select Public from the Applications menu on the left.
3. Click Add Application. The Add Application form displays.
4. Complete the Add Application Form with all the required fields.
o Managed By - Enter the Location Group with permission to edit the Application.
o Platform - Enter Apple, Android or Windows Phone/Windows Phone 8.*
o Name - Enter the name for the Application as it displays in the App Catalogue.
o Select the text box to automatically Search App Store. The Apple App Store, the
Google Play Store (Android Market) or the Microsoft Windows Phone Store are
searched for the Application, and all app details are populated.
Note: In order to search the Google Play Store, a Google Account must first be integrated with the
VSDM (See "Google Play (Android Market) Integration").
5. Select Next and view the returned search results.
6. Click Select to the right of the desired listing. Most of the application information
automatically populates for Apple iOS, Android, and Windows Mobile devices.
• Info
o URL - The VSDM populates the URL for Android, Apple iOS, and Windows Phone
devices.
o Comments - Enter the comment that displays in 'additional comments' in the App
Catalogue.
o Reimbursable - Designates whether or not a corporation reimburses end-users for the
app purchase. A small icon in the Vodafone App Catalogue indicates if an app is
reimbursable.
o Rating - Enter the app rating with 1-5 stars. This rating is displayed in the App
Catalogue.
Note: Comments and rating capabilities are added from the VSDM for public applications
by the administrators.
Note: Administrators can also view the user ratings on the VSDM for all other apps.
o Categories - Determines the application type which is displayed in the App Catalogue.
• Deployment
o Push Mode - Determines if the application is installed automatically (auto) or
manually (on demand) by the user through the App Catalogue.
o Remove On Unenrol - Determines if the application is removed when a device is
unenrolled.
o Add Exception - Enables customised application deployment by creating specific
exceptions to the options located under the Deployment view.
Note: Add Exception is helpful for deploying the same applications to different groups of users
with unique security and deployment requirements. For example, you may wish to push a certain
application to one group of users as an 'auto' installed application while sending the app to
another group of users as an 'on-demand' application.
• Terms of Use
o Select the app specific Terms of Use. When complete, click Save and Assign to
proceed to the application assignment options.
o For more information on Application Terms of Use, refer to Terms of Use Notification
under Application Notifications.
*New Feature in VSDM Release 3
9.7 Deploying Internal Enterprise Applications
Once the Vodafone App Catalogue is successfully deployed to the smart device fleet, begin
recommending internal applications and distributing corporate applications through the VSDM.
The following platforms support internal corporate applications:
• Apple iOS.
• Android.
• Symbian.
• Windows Phone 8 (WP8).*
Use the following steps to distribute corporate applications to the App Catalogue from the
VSDM:
1. Navigate to Catalogue > Application.
2. Select Internal from the Applications menu on the left (this is selected by default).
3. Click Add Application. The Add Application form displays.
4. Enter all the general parameters as required. Some of the fields include:
o Managed By - Specifies the Location Group with permission to edit the Application.
o Application File - Specifies the Location of the application file. Apple applications are
uploaded in the form of an .ipa file, Android applications are uploaded in the form of
.apk, .sis, and .sisx file, and WP8 apps are in a .xap file.
Note 1: On the Symbian platform, only internal applications are pushed over-the-air. No other
applications, including public and purchased applications can be pushed. For WP8 both public
and internal applications can be pushed.
Note 2: The .sis and .sisx files are either self-signed or Symbian-signed. Self-signed files generate
a notification and are installed via the device notification tab. Symbian-signed files are installed in
the phone memory without displaying a notification.
Note 3: In certain cases, the application does not get pushed onto the device or show a
notification. For example, when the application is already installed on the device, the app does
not push or display a notification.
5. Select Continue.
6. Go to the Info tab and complete the following:
o Name - The App name which is displayed on the device.
o Managed By - The Location Group where the application is managed.
o Application ID - The information entered in this field changes by platform. For Android
applications, enter the application’s package identifier. For iOS applications, enter the
application’s bundle identifier.
o Version - Update application information when uploading a new version of a managed
app. Logging these changes in the Change Log is optional.
   • For more information on deploying different versions of the same application, see
   "Application Version Management".
7. Go to the Descriptions tab and complete the following optional details:
o Description/Keywords - Enter a description about the application to be displayed in
the App Catalogue.
o URL - Enter a website address that has more information about the application.
o Support Email/Support Phone - Enter contact information for internal application
support.
o Internal ID/Copyright - Used for internal purposes.
o Developer/Developer Email/Developer Phone - Enter the name of the developer
responsible for developing the application along with Email and contact information.
o Cost Centre - Enter the cost centre that the developer providing the application
belongs to.
o Cost - Enter the cost for developing the application.
o Currency - Enter the currency value.
8. Go to the Images (Optional) tab and upload screenshots. The uploads are displayed on the
application page.
9. Go to the Terms of Use (Optional) tab and enter an End User Licence Agreement as a pre-installation application requirement.
o Required EULA - Select the app-specific Terms of Use (EULA).
Note: For more information on Application Terms of Use, refer to Terms of Use Notification
under Application Notifications.
10. Go to the Files tab and enter the following:
o Application file/Provisioning profile - Populates automatically when the application
is uploaded.
o Application Supports GCM - Enables the Admin to send push notifications to Android
devices if Yes is selected. Google IDs are required for GCM communication with
devices.
o Google Account/Password - Enter the Google account and password.
11. Go to the Deployment tab.
12. Complete the additional criteria to determine which users/devices receive the application.
o Effective Date/Expiration Date - Set dates for when the app becomes active or
expires.
o Remove on Unenrol - Determines if the application is removed when a device is
unenrolled.
o Select Add Exception to include:
• User Groups (Optional) - Select User Groups if you are leveraging User Groups in
VSDM as an additional assignment filter for the application.
• Device Ownership - Assign the application to devices with a specific ownership
type.
• Push Mode - Determine if the application is installed automatically (auto) or
manually (on demand).
13. Click Save and Assign to proceed to the "Advanced Application Assignment" options.
*New Feature in VSDM Release 3
9.8 Advanced Application Assignment
Vodafone offers advanced application management techniques for organisations wishing to
further customise application assignment through advanced and facilitated application testing.
After completing the basic deployment and assignment information for either an internal or
public application (see "Deploying Internal Enterprise Applications" or "Recommending
Public Applications"), there is the option to add more advanced assignment criteria.
Click Save and Assign at the bottom of the Add Application screen (you can also edit this
advanced information by selecting the Actions menu > Edit Assignment). Alternatively, you can
proceed with assigning the application based only on the information on the Assignment tab by
proceeding to the advanced assignment screen and clicking Next.
Note: If any editing settings are greyed out, full editing permissions are not
permitted at this level. If you believe that you should have editing permissions, please ensure
that Override is selected as the current setting.
9.8.1 Criteria
The criteria window allows you to use the VSDM to determine which device users have access to a
Public application by assigning that app based on factors such as Location Groups, Device
Owners, User Groups, and many more options, including exclusion options.
Use the following steps to add Criteria:
1. Select the Location Group radio button that applies. If you choose Selected Location
Groups, you can drill down to select which location group(s) have access to that application.
2. Tick the appropriate Ownership checkbox to specify the owner of the devices. You may
tick one or more checkboxes.
3. Choose the User Group radio button that applies. The selection only applies to those
devices within the specified Location Group. For example, if the app is only for iOS devices,
then only iOS devices in that Location Group have access to the application.
4. If required, customise the deployment settings further:
o Click Add Criteria to add Operating System criteria.
o Click Add Criteria to add Model criteria.
o Click Add Include Set to add Location Group criteria. You may click on this as many
times as needed to define an assignment exception to include additional devices down
to a granular level, regardless of any other specified criteria for that Location Group.
o Click Add Exclude Set to exclude Location Group criteria. You may click this as many
times as needed to define an assignment exception to exclude certain devices down to
a granular level, regardless of any other specified criteria for that Location Group.
5. Select the appropriate Child Permission radio button to Inherit only or Inherit or
Override the selections you made.
6. Click Next.
9.8.2 Devices
The Devices screen displays all the devices that have access to that Public application based on the
selections you made in the previous Criteria screen.
If you review the list of device users and want more or fewer users to have access to this
application, use the following steps:
1. Click Previous to go back to the previous Criteria page.
2. Modify the Criteria page by making selections that redefine the assignment of the
application.
3. Click Next to view the Devices page.
4. Click Finish to save all changes and close this window.
9.9 Application Version Management
You can use the application management tools in the VSDM to manage different versions of the
same internal application. This feature is especially useful for application testing as you may
wish to upload a 'beta' version of an application update to deploy to specific users for testing
purposes while still deploying the current version of the application to all other users. Once the
testing is complete, you can replace the existing version on all devices with the newest version of
the application.
Use the following steps to manage application versions:
1. Navigate to the internal applications page and select the Actions menu for the application.
Click Add Version. Alternatively, upload the new version of the application and the VSDM
will detect that it is a newer version of an existing application. Fill in the version number and
optionally add internal notes in the Change Log.
2. Upload the new application file and specify the settings:
o Tick the checkbox to retire the previous version of the application on the specified
devices and replace it with the newer version.
o Tick the checkbox to copy the application assignment for the previous version.
3. If necessary, enter the new assignment criteria.
4. Click Save or Save and Assign to proceed with publishing or editing the application
assignment.
9.10 Application Notifications
The VSDM allows administrators to notify end-users about new and updated apps through
messages. The VSDM provides administrators with a few built-in message templates and allows
them to send messages via email, SMS or push notifications. A message template can be
customised to include application name, description, image, and version information.
Administrators can edit the message templates to include a lookup value for a URL to the specific
application page of the Application Catalogue. The VSDM also allows the administrator to notify
all devices that have the assigned app installed or not installed.
Use the following steps to send an application install notification message:
1. Navigate to Configuration > System settings
2. Select Message Templates from the System menu on the left.
3. Click Add. The Add/Edit Message Template form displays.
4. Complete the required information as follows:
o Name - Name of the template.
o Description - Short description of the template.
o Category - Select the Category as Application.
o Type - Select the type of notification. The types include Purchased Application,
Application Notification, and Application EULA Final Notification.
o Message Type - Enable the type of message that the administrator wants to send. The
options are Email, SMS, and Push.
5. In the Email template, select the Email format and enter the subject and message body for
the template.
6. Enter the lookup values in the message body. The available lookup values are
shown in the image below.
Note: A lookup value used in the Application Notification template is replaced by the actual
value for the application when the message is delivered.
9.10.1 Notifying Devices
The administrator can select Notify Devices to send a notification to devices that an application has been
assigned to them.
1. Go to the Application page and select the Action menu.
2. Click Notify Devices. The Send Message form displays.
3. Complete all the mandatory fields:
o Message Type - Select the type of the notification that is to be sent to the devices.
o Message Template - Select the template for sending the message.
o Status - Select the status of the device. This includes All, Installed, and Not Installed.
By default, the Status filter on the device list is in Not Installed status.
4. Click Send.
Note: Based on the Status selected, the device list is displayed indicating whether the
notification message is sent to the device(s) or not.
9.10.2 Terms of Use (EULA) Notifications for Apps*
The VSDM allows the administrator to notify end-users about the availability of updated App
Terms of Use. The administrator should send the Terms of Use notifications in the following
cases:
• Notifying end-users when the latest Terms of Use for an installed application has not been
accepted.
• Distributing updated Terms of Use with newer version and prompting the user to accept the
Terms of Use from the App Catalogue each time they log into the App Catalogue.
• Removing the apps when the Terms of Use have not been accepted within the given grace
period and when the Terms of Use have been rejected.
Use the following steps to send or edit Terms of Use:
1. Navigate to Catalogue > Application.
2. Select Internal from the Applications menu on the left (this is selected by default).
3. Click Add Application and select the Terms of Use tab.
4. Either create new, or edit Terms of Use as follows:
o Create a new Terms of Use by clicking Manage Terms then navigating to System
Settings > Terms of Use where a new record can be created.
o Select the existing Terms of Use and click on the Edit icon next to Manage Terms.
This navigates to Terms of Use where the details can be amended.
5. Click Save and Assign.
o When Terms of Use has not been selected, the 'Terms of Use are not defined for this
application' message is displayed.
**New Feature in VSDM Release 2
*New Feature in VSDM Release 3
9.11 Managing User Feedback and Ratings**
The VSDM helps administrators view user feedback on internal, public, and purchased
applications published to them. This allows the administrators to make future decisions related to
the specific application(s). For example, redeployment of the application with better capabilities,
rolling out the application to more users, or removing specific features because the users did not
find any value in them. Feedback is in the form of user ratings and comments on individual
applications.
9.11.1 View user ratings and comments
Use the following steps to view user ratings and comments:
1. Navigate to Catalogue > Applications.
2. Click the Internal, Public, or Purchased Application link on the left side of the page.
Note: The count of number of ratings (star icons) indicates the average/effective rating.
The User Rating indicates the number of users who provided the ratings for the app and is
used to calculate the effective rating.
3. Click the hyperlinked User Rating or select the User Rating option on the Action menu
on the right hand side of the page. The User Ratings page displays.
o Average Rating - The average of the total number of user ratings.
o User Group - Filters the comments based on a specific User Group.
Note: For the internal apps only, the administrator can filter the comments based on the
Version of the application on the User Ratings page.
9.11.2 Delete the user comments
1. On the User Ratings page, click the Delete Rating option provided at the top left corner of
the page to delete a specific rating. Once deleted from the VSDM, the change is reflected in
the App Catalogue.
Note: For the public apps only, the administrator can edit Ratings for the app. To edit, click
the Edit option from the Action menu on the Public application page.
**New Feature in VSDM Release 2
9.12 Google Play (Android Market) Integration
Administrators must configure a connection between the VSDM and the Google Play Store before
they can use the Search App Store feature for Android apps. This feature is for on-premise
customers only.
Use the following steps to add a Google Account:
1. Navigate to Configuration > System Settings > Device > Android > Android Market
Integration.
2. Complete the form provided with the following information:
• Username - Google Account username.
• Password - Google Account password.
• Android Device ID - Enter a valid Android Device ID. Device ID provides the system with
access to all apps in the Google Play Store.
o Click Test after completing the form to see if the system can connect to the Google
Play Store using the supplied credentials.
Note: To find the DeviceID of your Android device, download the Device ID application
from the Google Play Store.
3. Click Save to proceed.
9.13 Customising Application Profiles
The VSDM enables you to customise internal enterprise applications for iOS devices developed
with the SDK in addition to Vodafone applications such as the Secure Content Locker or the
Vodafone Managed Browser. Using these advanced customisation tools available in the VSDM,
you can further enforce corporate branding, compliance policies and actions, and other
application settings to create a truly unique and secure corporate application experience.
To access the Application Profile settings, navigate to Apps > Applications. Locate the
Application Settings menu on the left-hand side of the screen and select Profiles >
Application/SDK Profiles. Click Add Application Profile to open the application profile
creation window (or, to edit an existing application profile, click the Actions menu next to the
profile and select Edit). Select from the views on the left to edit the associated application area.
General
Complete the general application settings, including the Name and Description of the profile for
reference in the VSDM.
• Configuration Type – For application profiles, the configuration type by default is set to
Application Profile and for the SDK profile it is set to SDK Profile.
• Platform – Select the platform to which the custom application settings are to be
deployed.
• Root Location Group – Select the root location group from which the application profile is
to be managed.
Credentials
• Credential Source – Select None or Upload or Define Certificate Authority.
Authentication
Authentication settings enable you to establish authentication requirements for the application
to further secure internal applications that may contain proprietary corporate data. The three
authentication options are None, Passcode, and Username and Password.
• None – Select None if no authentication is required to access the application.
• Passcode – Select Passcode if you require a user-created passcode to be present on the
application in order to open the app. Complete the Passcode requirement fields to
establish complexity, length, character, age in days, auto-lock, grace period, and history
requirements. All of these additional custom fields are optional.
o Passcode Complexity - Passcode must meet complexity requirement, and this can be
either Simple or Alphanumeric.
o Minimum passcode length - Select the minimum number of characters that a
passcode must contain. You can set a value between 3 and 15 characters.
o Minimum number of complex characters - Select the minimum number of complex
characters that a passcode must contain.
o Maximum number of failed attempts - Select the maximum number of failed attempts
allowed and then proceed to customise the action taken if the number of failed attempts reaches
this threshold.
o Maximum passcode age (days) - This is the maximum time (in days) that a password
can be used for.
o Passcode history - Select the number of unique new passcodes that must be created
before an old passcode can be reused. The value must be between 0 and 10
passcodes.
o Grace Period App Lock (min) - Determines the grace period (in minutes) that the
device gets the app locked.
o Action(s) if maximum number of failed attempts exceeded - Click Add Action to
create custom actions to occur if the number of failed attempts exceeds the specified
limit. The options are to Display Message (you can specify a custom message), Lock
User, Wipe Application (removes the application from the device) or Restrict Access.
o Add as many additional actions as necessary. For example, you may want to both lock
out a user who has exceeded the maximum allowable attempts and display a message
to inform the user that they must contact you for further assistance.
• Username and Password – Select Username and Password from the dropdown menu if
you require the username and password authentication in order to access the application.
o Specify the grace period (in minutes) that the device gets the app locked.
o Tick the checkbox to allow or disallow Single Sign-On.
o Select the maximum number of failed attempts and the custom actions to perform if
this number is exceeded.
Access Control
Select the boxes to allow or disallow Offline Mode (prohibiting offline access allows for more
continuous compliance checking when the application is active) and specify whether or not to
Require VSDM Enrolment in order to access the application.
• You can further restrict offline access by entering the maximum number of offline uses
(when Allow Offline Mode is enabled).
• If Require VSDM Enrolment is enabled, you can specify custom actions to be performed
in order to notify the user or perform actions if the device is not enrolled.
Compliance
Tick the checkboxes to allow or disallow Compromised devices from accessing the application
and to Prevent restoring backup to another device. If either of these compliance options is
enabled, you can specify custom actions to be performed in order to notify the user or perform
actions regarding the device compliance status.
Branding
Customise the application with corporate or other unique colour identifiers. Enter the correlating
Hex codes in the labelled fields to customise application background colours and text.
Analytics
Provides the metrics on how the app is being used and keeps track of the important events that
occur within the application.
Geofencing
This allows you to set up location-based rules to allow or to restrict pushing the profiles or
applications to the device over-the-air. For profiles it is available only for the configuration type
SDK Profile.
Custom
Enter (or paste) XML into the box to further customise the application settings.
When you have finished filling out the application profile fields, click Save.
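One way to review a planned application profile against the options described in this section before saving it, as an added example that is not part of the original guide or of VSDM. The dictionary layout and key names are hypothetical; only the option names and the 3 to 15 and 0 to 10 ranges come from the text above.

```python
# Added example, not VSDM code. The dict layout and key names are hypothetical;
# the guide does not show how VSDM stores or exports an application profile.

# Option names and numeric ranges as documented in the Authentication section.
AUTH_TYPES = {"None", "Passcode", "Username and Password"}
COMPLEXITY = {"Simple", "Alphanumeric"}
MIN_LENGTH_RANGE = (3, 15)
HISTORY_RANGE = (0, 10)
ACTIONS = {"Display Message", "Lock User", "Wipe Application", "Restrict Access"}


def _out_of_range(value, bounds):
    """True when an optional integer field is set but outside its documented range."""
    if value is None:
        return False
    return not (isinstance(value, int) and bounds[0] <= value <= bounds[1])


def review_profile(profile):
    """Return a list of (severity, code) findings for one profile dict."""
    findings = []
    auth = profile.get("authentication", "None")

    if auth not in AUTH_TYPES:
        findings.append(("error", "unknown-authentication-type"))
    elif auth == "None":
        # Authentication is the control the guide offers for apps that may
        # contain proprietary corporate data.
        findings.append(("warning", "no-authentication"))

    if auth == "Passcode":
        passcode = profile.get("passcode", {})
        complexity = passcode.get("complexity")
        if complexity is not None and complexity not in COMPLEXITY:
            findings.append(("error", "bad-complexity"))
        if _out_of_range(passcode.get("min_length"), MIN_LENGTH_RANGE):
            findings.append(("error", "min-length-out-of-range"))
        if _out_of_range(passcode.get("history"), HISTORY_RANGE):
            findings.append(("error", "history-out-of-range"))

    if auth in ("Passcode", "Username and Password"):
        actions = profile.get("failed_attempt_actions", [])
        if any(action not in ACTIONS for action in actions):
            findings.append(("error", "unknown-action"))
        if profile.get("max_failed_attempts") is None:
            findings.append(("warning", "no-failed-attempt-limit"))
        elif not actions:
            # Assumption: a threshold with no action attached has no effect.
            findings.append(("warning", "limit-without-action"))

    access = profile.get("access_control", {})
    if access.get("allow_offline_mode") and access.get("max_offline_uses") is None:
        # Offline use reduces compliance checking; the guide lets you cap it.
        findings.append(("warning", "unlimited-offline-use"))
    if not access.get("require_enrolment", False):
        findings.append(("warning", "enrolment-not-required"))

    compliance = profile.get("compliance", {})
    if compliance.get("allow_compromised_devices", False):
        findings.append(("warning", "compromised-devices-allowed"))
    if not compliance.get("prevent_backup_restore", False):
        findings.append(("warning", "backup-restore-allowed"))
    return findings


# Constructed sample profiles (not taken from a real deployment).
WEAK = {
    "name": "Sales app (draft)",
    "authentication": "Passcode",
    "passcode": {"complexity": "Simple", "min_length": 2, "history": 12},
    "max_failed_attempts": 10,
    "failed_attempt_actions": [],
    "access_control": {"allow_offline_mode": True, "require_enrolment": False},
    "compliance": {"allow_compromised_devices": True, "prevent_backup_restore": False},
}

HARDENED = {
    "name": "Sales app",
    "authentication": "Passcode",
    "passcode": {"complexity": "Alphanumeric", "min_length": 8, "history": 5},
    "max_failed_attempts": 5,
    "failed_attempt_actions": ["Display Message", "Lock User"],
    "access_control": {"allow_offline_mode": True, "max_offline_uses": 3,
                       "require_enrolment": True},
    "compliance": {"allow_compromised_devices": False, "prevent_backup_restore": True},
}

if __name__ == "__main__":
    for sample in (WEAK, HARDENED):
        print(sample["name"])
        for severity, code in review_profile(sample) or [("ok", "no findings")]:
            print(f"  {severity}: {code}")
```

Errors are values outside what the guide documents; warnings are permitted settings that weaken the controls described above.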
9.14 Managing Apple VPP Applications**
The VSDM offers a robust solution to Apple Volume Purchase Program (VPP) application
management and distribution. The sections below outline how you can combine this new feature
with the capabilities of VSDM mobile device management to easily manage and distribute iOS
application orders to the smart device fleet.
The Apple Volume Purchase Program allows businesses and educational institutions to
purchase publicly available applications or specifically developed third-party applications in
volume for distribution to corporate devices.
Note: The Apple Volume Purchase Program is currently only available in Australia, Canada,
France, Germany, Italy, Japan, New Zealand, Spain, the United Kingdom and the United States.
The process of deploying applications in volume throughout a business or educational institution
with the Volume Purchase Program can be separated into three main components:
1. VPP Enrolment - First, businesses and education institutions must enrol in the program
and verify with Apple that they are a valid business or institution.
o To register for the VPP, navigate to http://www.apple.com/business/vpp for
businesses, or to http://www.apple.com/itunes/education for education
institutions.
o More information regarding the Apple Volume Purchase Program, how it works and
program prerequisites can be found at the links above.
2. App Purchasing - Once enrolled in the Volume Purchase Program, businesses, and
educational institutions can purchase applications in bulk through the Volume Purchase
Program Website at https://vpp.itunes.apple.com/us/store.
o Log in with the VPP Apple ID created during the enrolment process.
o Find applications, define the quantity and purchase with a corporate credit card.
3. App Deployment - Once applications have been purchased, they can be distributed
throughout a smart device fleet through the use of redemption codes. For each
application purchase, there is an associated redemption code for end-users to redeem a
single copy of the application.
o These redemption codes are managed through a Redemption Code Spreadsheet
available at the Volume Purchase Program Website. This spreadsheet contains
details such as the redemption code, redemption status and most importantly, a
redemption URL that an end-user could use to automatically validate the code and
install the program through the App Store.
It is during this final step, App Deployment, that the VSDM can be used to enhance management
and distribution to a corporate smart device fleet. For businesses and educational institutions that
do not have any Mobile Device Management capabilities, Apple provides two solutions to
deploying redemption URLs to end-users:
• Emailing the redemption URL directly to end-users.
• Posting the redemption codes and URLs directly to a corporate intranet site.
The section below describes how the VSDM can be used to automate and simplify this application
distribution process.
9.14.1 Upload the Apple VPP Redemption Code Spreadsheet to the VSDM
The first step to manage and deploy VPP Application Orders through VSDM is to upload the
Apple VPP Redemption Code Spreadsheet to the VSDM.
Use the following steps to upload and deploy VPP Application Orders:
1. Navigate to Apps > Orders to open the Orders Page.
2. Click Add. The Add Order form displays.
3. Select Choose File to upload the CSV that you downloaded from the Apple Portal. The VPP
Application Order is created.
4. Select the appropriate Apple VPP Redemption Code Spreadsheet.
5. Click Save to continue to the Product Selection Form.
6. Locate the appropriate product and then click Select to finish uploading the spreadsheet. If
the Apple VPP Redemption Code Spreadsheet contains licences for multiple
applications, several products can be listed on this form. Only one can be selected per new
order.
o You are now directed back to the Order Page in the VSDM and your new Order is
shown with a status of New. Orders with a New status are not yet activated for
distribution and redemption to the device fleet.
7. Click the blue Order Number to open the Order Activation Form.
8. Enter all necessary order information. All mandatory fields are denoted with a red
asterisk:
o Friendly Name - The name of the Order that is displayed on the Order Page within the
VSDM.
o Description - A brief description of the order.
o PO Number - The Purchase Order number.
o Department - The corporate department that this application order is deployed to.
o Cost Center - The corporate department responsible for financial information
regarding this application order.
o Total Cost - The total cost of the application order.
o Cost Per Licence - The cost per licence purchased for this application order.
9. Click the Licences tab to view all the other order numbers assigned to this product.
10. Once complete, click Save to add the order for distribution.
9.14.2 Actions
1. Click Actions to manage the Order using the following options listed in the Action menu:
o Delete - Deletes the order from the VSDM.
o Edit Assignment - Allows you to edit the existing Order by assigning it to users or
devices.
9.14.3 Allocating Redemption Codes
Once the Apple VPP Redemption Code Spreadsheet has been uploaded and the order has been
approved for distribution, you can begin allocating the redemption codes for individual
application purchases throughout the device fleet.
Use the following steps to allocate redemption codes:
1. Navigate to Catalogue > Orders to open the Orders page.
2. Locate the specific order to be allocated from the Order List by Order number, friendly
name, product name or order date.
3. Click Edit Assignment under the Actions on the right. The Application Assignment
form displays.
4. Click Add to allocate licences by Location Groups or User Accounts, or place
them On-Hold.
o To allocate licences by Location Group:
• Type and select the name of the Location Group in the text box shown below.
• Make sure that the All Users radio button is selected.
o To allocate licences by User Accounts:
• Type and select the name of the Location Group that the user accounts are created
at in the text box shown below.
• Check the Selected Users radio button.
• Click on the blue Selected Users Link that displays to open the User Select form.
• Select all specific User Accounts on the left and click Add to provision an individual
redemption code to this specific user.
• Click Ok to return to the Application Assignment Form.
• Enter the number of licences to allocate to the selected users in the Allocated Text
Box.
• To allocate a single licence to each selected user, type the same number that is
shown in the Users Text Box into the Allocated Text Box. If fewer are allocated, only
the first users to use their redemption code can install the application.
o To save redemption codes for later use, select On Hold:
• Enter the number of redemption codes that you want to place on hold in the On-Hold Text Box.
o Assignment Type - Select the Auto or On Demand option to determine whether the application is
installed automatically (auto) or manually (on demand).
Note: When Assignment type is Auto, only eligible iOS5 devices receive the App automatically.
Note: Removing an app when a device is un-enrolled does not recover the redeemed licence.
When installed, the app is associated to the user's App Store account.
5. Once all the available licences have been allocated, click Save to finish allocating the
redemption codes.
6. Navigate to the Products page.
7. Click the Actions menu and then click Publish to deploy the application. This lets the
device users know about the application deployment on their device.
8. Navigate to the Licence page to view all application licences and manage redemption.
9. Click the Make Available option on the Action menu to receive the application and to redeem it.
Note: You can also delete individual redemption codes or make them unavailable.
9.14.4 Create Purchased Application Messages and Notify Device-Users
Once the VPP application licences have been allocated, you have the ability to notify device-users that their application download is available by using the device notification capabilities of
the VSDM.
By default, the VSDM is configured to send an Email to end-users to notify them that the specific
VPP application is available for download. As an alternative, you can create custom Purchased Application
Messages, or enable SMS/Push-based Purchased Application Messages.
Use the following steps:
1. Navigate to Configuration > System Settings.
2. Select System > General > Message Templates from the navigation menu on the left to
open up the Message Template Form.
3. Click Add to open the Add/Edit Message Template Form.
4. Complete all required parameters on the Add/Edit Message Template Form.
o Subject - The subject of the email message, if email is selected as a delivery method.
o Description - A description of the message used internally by the VSDM to describe
this template.
o Category - The message template category. For VPP Application Messages select
Application.
o Type - The type of message to be sent; a subcategory of the message template
category. For VPP Application Messages, select Purchased Application.
o Device Ownership - A parameter to limit the message delivery to only devices
belonging to the specified device ownership category.
o Primary Delivery Method - The main method of message delivery to end-users.
o Alternate Delivery Method - An additional method of message delivery to end-users.
This type of message is also sent in addition to the message specified in the primary
delivery method.
o Effective Date - The start date on which this message template begins taking
precedence over the default message bodies specified by the VSDM.
o Expiration Date - The date on which this message template stops being delivered to
end-users. The VSDM reverts to default message template, or other currently effective
message template(s).
o Select Language - A parameter to limit the message delivery to only devices
belonging to users who understand the specified languages.
o Email / SMS / Agent Check Boxes - Tick any of these checkboxes to enable message
configuration for each respective message type.
o Message Bodies - The message that is displayed on end-user devices for any of the
respective message types. Use the {ApplicationName} lookup value to dynamically
populate the name of the application for download in the messages displayed on end-user devices.
5. Click Save to complete the custom Purchased Application Message.
Once the custom purchased application messages have been created, or you choose to
use the default purchased application email message template, notifications can be sent
out over-the-air to all end-users.
Use the following steps to send the Purchased Application Messages to end-users:
o Navigate to Catalogue > Applications to open the Purchased page.
o Locate the specific order to be allocated from the Order List by Order number, friendly
name, product name, or order date.
o Go to Actions menu on the right of the selected order and click Notify Devices. The
notification message is sent.
9.14.5 Manage the VPP Application Deployment
Once the VPP Application Orders have been allocated to the device fleet and end-users have
been notified, the VPP Application Deployment is in effect. During this period, you can use the
Orders page in the VSDM to manage and monitor the status of the Application deployment.
From the Orders Page in the VSDM you can:
 View the Order Status:
o The order has recently been uploaded to the VSDM and is awaiting Approval
before beginning allocation to end-users.
o The order has been approved, but has not been allocated throughout
the device fleet or end-users notified.
o The order has been approved by Apple, allocated to the device fleet
and end-users have been notified.
 View the Order Redemption Status:
o See total number of Purchased application vouchers, the number of Redeemed
vouchers that have been used and the number of Remaining vouchers available for
redemption.
o Reallocate licences, Renotify end-users or Delete the VPP Application Order
From the Products View on the Orders Page in the VSDM you can:
 Activate or Deactivate VPP Product Orders for redemption:
o The Green and Red dots in the status category indicate Active and Inactive VPP
Product Orders respectively.
o To toggle between an active and inactive status, click on the dots.
 Renotify end-users
From the Licences View on the Orders page in the VSDM you can:
 View each Individual Licence Status:
o The licence has not been used by the end-user but is available for
redemption.
o The licence belongs to a VPP Product Order with an Inactive Status.
The licence information is still in the VSDM and can be set to Active for later
redemption.
o The licence was redeemed by a device that is not under the VSDM.
o The licence was redeemed by a managed device through the VSDM.
 View the Licence User and Date Redeemed:
o Licences with a redeemed status have the fields for Assigned To and Date Redeemed
indicating the User Account who purchased the application and the date at which
he/she purchased it.
9.15
Managing Apple VPP iBooks**
**New Feature in VSDM Release 2
Vodafone offers a robust management and distribution solution for Apple Volume Purchase
Program (VPP) for iBooks. The administrators of educational institutions can purchase books as
iBook titles through Apple's VPP program and provide access to these purchased iBooks to their
students. The process to automate and simplify iBook distribution is the same as the
process involved in distributing applications.
The process of getting an iBook order approved for distribution and its licence for allocation is
the same as the process involved for Apple VPP Applications.
Use the following steps to deploy a purchased iBook to the device fleet.
1. Navigate to Catalogue > Applications and select Purchased from the menu on the left.
2. Click Add Order. The Add Order screen displays.
3. Select the product type as Book. The Add Order form displays asking you to upload an
Order csv file provided by Apple.
Note: The Add Order screen can be launched from the 'Add Order' action on the Purchased
Book screen or the Orders screen.
4. Click Save to save the uploaded file and proceed to the Product Selection form.
5. Click Select for the selected product. The .CSV file is then validated for the correct iBook,
and information such as description, image thumbnail, price, version, and category is pulled
using the search/lookup API for the product purchased through Apple's VPP program.
6. Click Edit Assignment from the Actions menu on the Orders page.
7. Complete the following fields in the form:
o Location Group - Administrators can add one or more Location Groups to which the
purchased books need to be assigned.
o Licences - Enter the number of licences that need to be allocated.
o Deployment - The deployment can be configured either to Auto or On-Demand
mode.
Note: The total of all allocated licences across all location groups cannot exceed the total of
licences available.
If the On Demand deployment method is selected and the Selected User option is activated,
the administrator can specify one or more users in the Location Group that the iBook needs to be
assigned to.
9.15.1
Additional Information
 Administrators can upload a CSV file for a new iBook VPP order from Apple and select the
appropriate iBook for assignment to one or more Location Groups.
 Administrators can assign an iBook order across multiple Location Groups using the Auto
deployment mode.
 Administrators can assign an iBook order across multiple Location Groups using the On
Demand deployment mode and select a set of users for each Location Group to download
the iBook.
 To clearly distinguish the products for applications and iBooks and to have the accessibility
to view, edit, and delete iBooks, administrators can use the Books page by navigating to
Catalogue > Books.
o All the Orders associated with iBooks are identified with a unique order type named
'Books'.
o All the Products associated with iBooks are identified with a unique Product type
named 'Books'.
**New Feature in VSDM Release 2
9.16
Application Workflow*
Application workflow simplifies the internal app deployment process for organisations
developing their own applications. It allows organisations to delegate key steps in the process to
administrators who are responsible for individual stages. Some of the key benefits of this feature
include:
 Clear separation of responsibility
 Automated notifications for completed steps
9.16.1
Implementing Application Workflow
To bring the application workflow into effect, four different administrator user accounts have to
be created. Each of the created user accounts must have different administrator workflow
permissions assigned under a specific Location Group. Refer to Admin Accounts for creating
admin/user accounts and assigning permissions/roles.
Roles involved in Application Lifecycle Workflow
There are four major administrator roles participating in the application lifecycle at various
stages. The responsibilities of each of the roles are listed below.
Admin Role - Description of Responsibility
Developer - Is responsible for developing internal applications and revising them based on the
analysis of performance and feedback provided by reviewer, publisher, or sponsor.
Reviewer - Is responsible for reviewing a new application created by developer, and assigning it
an appropriate description, screen shots, and Terms of Use. Reviewer also looks at
the change log provided by the developer for the application to determine if the
application is eligible for promoting to assignment or needs rework.
Assigner - Is responsible for assigning the application to location group(s)/User group(s)/Smart
group(s) and promoting it to a full rollout based on whether the application meets
the required criteria. Assigner accordingly makes recommendations to the publisher.
Publisher - Is responsible for reviewing the assignment criteria for application configured by the
assigner and determines whether the right set of devices are being provided the
application. Publisher can also republish the application to devices that were
assigned but have not installed the application.
Below is the screen to assign resources to administrator workflow permissions (navigate to
Administrators > Roles and then click Add Roles).
9.16.2
Enabling Application Workflow
Use the following steps to configure workflow in the VSDM:
1. Navigate to System Settings > Application > Application Workflow.
2. Tick the Enable Work Flow for Applications checkbox.
3. Create a separate section for each of the workflow actions to:
o Add Application
o Review Application
o Assign Application
o Publish Application
4. Select the Role selection box to define the admin role that can perform the workflow
action.
5. Select a message template to notify the users within the role when an application becomes
available for performing the workflow action.
9.16.3
Workflow Process
The following sections explain the administrator roles involved in the application workflow
process:
Add Application
The administrators assigned with the Add Application step of the workflow process have access to
the Application page in the VSDM to create and submit an application for review:
 Administrators can add a new application and promote the application to the next workflow
status of In Review by clicking Submit for Review as shown in the below image.
 Clicking the Submit for Review button also sends an email alert to all administrators in the
Location Group having the role assigned to the workflow action of Review Application.
 Clicking the Save button saves the application in the Created status or clicking Cancel
discards the changes made to an application.
Review Application
The administrators assigned with the Review Application step have access to the Application
page in the VSDM to review an application in the workflow process:
 By default the workflow status filter in the VSDM is set to In Review and lists all the
applications available to the Location Group in the In Review workflow status.
 When an administrator clicks on an application from the application list, all the tabs that
show up on the Edit Application screen are displayed. The administrators can modify any of
the fields within each tab and save the information.
o Click the Save button to save the changes made in the session without changing the
workflow status of the application.
o Click the Submit for Assignment button to update the workflow status of the
application to the To be Assigned status. An email is sent to alert all administrators in
the Location Group having the role assigned to a workflow action of Assign Application.
o Click the Cancel button to discard any changes made to an application.
Assign Application
The administrators assigned with the Assign Application step have access to the Application
page in the VSDM to assign an application in the workflow process:
 By default, the workflow status filter in the VSDM is set to To be Assigned and lists all
the applications available to the Location Group in the To be Assigned workflow status. The
administrators can also change the filter to view applications in all workflow statuses.
 An administrator can click on an application to view the Edit Assignment page to edit/add
criteria, include sets and/or exclude sets.
o Click the Save button to save the changes made in the session without changing the
workflow status of the application.
o Click the Cancel button to discard the changes made to the application.
o Click the Next button to navigate to the next tab (Devices) where the devices for the
Location Group satisfying the criteria are displayed.
 Clicking the Previous button takes the user back to the criteria tab.
 Clicking the Save button saves the changes in the session without changing the
workflow status of the application.
 Clicking the Submit for Publishing button updates the workflow status of the
application to To be Published. Clicking this button sends an email alert to all
administrators in the Location Group that belong to the role assigned to the workflow
action of Publish Application.
 Clicking the Cancel button discards any changes made to the application.
Publish Application
The administrators assigned with the Publish Application role have access to the Application
page in the VSDM to publish an application in the workflow process:
 By default, the workflow status filter in the VSDM is set to To be Published and displays
all the applications available to the Location Group in the To be Published workflow status.
The administrators can also change the filter to view applications in all workflow statuses.
 The administrator can click on an application to view the Publish page shown below.
o Clicking the View Assignment button takes the user to the smart groups
configuration.
o Clicking the Save button saves the changes made without changing the
workflow status of the application.
o Clicking the Publish button updates the workflow status of the application to
Published status.
o Clicking the Cancel button discards any changes made to the application in the
session.
*New Feature in VSDM Release 3
9.17
Recommended Applications
The following applications are recommended in order to take full advantage of the VSDM
environment. All of these apps have been designed to work directly with the VSDM Agent and
give you additional control and 'settings' options for managing your device fleet. These are all
available for download from the iTunes, App Store, or the Google Play Store.
9.17.1
The Vodafone Secure Content Locker
(Available for iOS devices)
For more information on the Secure Content Locker, see the "Content
Management" section.
Note: The Vodafone Secure Content Locker is an Optional Product.
Availability may vary according to local market conditions.
9.17.2
Vodafone Managed Browser
(Available for iOS and Android devices)
Vodafone Managed Browser provides a secure alternative to open internet
browsing. There are two modes of operation for Vodafone Managed
Browser.
 Restricted mode - Depending on how you have chosen to
configure this feature, the Vodafone Managed Browser may operate
very much like a standard internet browser, or it may be more
restricted. Typical restrictions might include:
o Whitelist - Administrator may limit browsing to a list of allowed
websites. Attempts to navigate to a website that is not
whitelisted fail.
o Blacklist - Alternatively, there may be a list of blacklisted
websites. In this case, surfing is permitted anywhere except to a
blacklisted website.
 Kiosk mode - In this mode, the browser defaults to a specified
home screen after a period of inactivity (determined by
administrators).
Additional restrictions may be applied to the Vodafone Managed Browser,
such as limiting the ability to copy/paste or disabling the ability to print a
webpage.
9.17.3
Vodafone Launcher App
(Available for Android Devices)
The Vodafone Launcher App must be installed (and running) on a user's
device in order to use the Launcher Mode Profile.
9.17.4
Vodafone Telecom Service App
(Available for Android Devices)
Vodafone Telecom Service allows you to capture detailed telecom
information from managed Android devices. This includes:
 Call Logs.
 SMS Logs.
 Cellular Data Usage.
Note: In order to collect this data, you must first make sure that the
appropriate data collection settings are enabled. To adjust these settings,
navigate to System Settings > Devices > Android > Agent Settings and
look for the Telecom settings.
9.18
Important Application Management Considerations
 To track public applications on employee devices through the Device Details and Device
Control Panel, ensure that the VSDM Privacy Settings (specified in Configuration >
System Settings > Device > General > Privacy) allow for the collection and display of
application data.
 Some applications may have specific device prerequisites (for example, iCloud settings) in
order to be fully functional. Investigate application requirements before pushing
applications to end-users. Either enable the appropriate settings for end-users, or inform
end-users of any settings requirements.
 Use the SDK for maximum security and functionality in building secure internal business
applications.
 When deploying multiple versions of the same internal application, retire previous versions
of the application (see Application retirement) after the old versions are no longer needed
for testing or backup purposes.
 When creating advanced deployment settings for applications (such as Push Mode) ensure
that the end-user's device supports the specified deployment setting.
10
Content Management
Vodafone’s Mobile Content Management (MCM) solution, the Vodafone Content Locker,
allows administrators to manage document distribution and mobile access to corporate
documents through a web-based console. The Vodafone Content Locker application enables
your employees to securely access corporate resources, including direct links to SharePoint
documents, on-the-go from their mobile devices. Whether your company is looking to distribute
annual reports to shareholders or the latest presentation to the sales force, the Vodafone Secure
Device Manager (VSDM) ensures all corporate information is protected.
Furthermore, below actions can be performed using the Vodafone Content Locker:
Content can be configured to be accessed in online or offline modes and content data is
encrypted on the device. The following document level content is supported in the Content
Locker:
 iWork - Keynote (including Keynote09), Numbers (including Numbers09), Pages (including
Pages09)
 MS Office - Excel, PowerPoint, and Word
 Pictures - .jpg, .png
 Videos - MOV (video/quicktime), MP4 (video/mp4)
 Audio - AAC (audio/aac), ALAC (audio/m4a), MP3 (audio/mpeg)
 Other - PDF, XML, Text, Rich Text Format (.rtf), Rich Text Format Dictionary (.rtfd), HTML,
ePUB, and iBooks
Content is managed at the Location Group level using a new Content menu/user interface.
 Similar to profiles and applications, content is created at a Location Group level but can be
assigned to one or many child Location Groups and/or User Groups.
 Additionally, content can be made available to devices/end users based on device
ownership.
 Administrators can enable EIS integration to provide users with direct links to SharePoint
documents.
11
Managing and Distributing Content
Management of the Vodafone Content Locker is centralised on the Content page in the VSDM.
11.1
Creating Document Categories
Document categories help organise the content and group related documents together to
simplify and enhance the end-user experience. Because Category is one of the mandatory fields
when uploading a document, the administrator has to create the category before uploading any
document. This prevents the administrator from uploading a huge document and only then
realising there is no category to assign it to.
Use the following steps to create a document category:
1. Navigate to the Categories View from the Content page.
2. Select Add Category to open the Add Category form.
3. Complete all the necessary information:
o Managed By – The location group that can edit, add subcategories, and delete the
category.
o Name – The name of the category.
Note: An example of the naming convention for categories is: cat_parent/cat_child. In this
format, cat_parent represents the Parent category and cat_child represents the Child
category of the Parent category.
o Description – A description of the category.
4. Click Save to save the changes.
Administrators of a managing location group can also create subcategories as follows:
1. Select Add from the Actions menu next to the parent category's name on the Categories
View page. The Add Category page displays.
2. Select the Managed By Location Group.
3. Enter the Name and Description. The Parent Category Name is populated.
4. Click Save to save the changes.
11.2
Publishing an Individual Document
Note: You must have created at least one Document Category before you upload documents to
the Secure Content Locker.
To distribute a document over-the-air through the Vodafone Secure Content Locker:
1. Navigate to Content > Content Management.
2. Click Add Content to open up the Add Document Form.
3. The Location Group level that manages the document is selected automatically.
4. Complete one of the following actions:
o Add a Document from a Content Repository - Use the Content Repository
dropdown to import documents from a previously configured Content Repository (see
Using the Content Repository). Search for the desired document and, once found, click
the Select link on the right.
o Add a Local Document - Click Upload and select the document that you want to
distribute from your local file system.
o Add a Document from a Specified Location - Click Upload and select the Link radio
button. Enter in the full path to the desired file.
Note: For acceptable file types, see Content Management.
5. Click Save and Continue. The Add Content form displays the Info tab:
6. Enter in all the basic information:
o Required fields are denoted with *.
o Document Categories are used in the Content Locker application to organise and
group documents. Each document can belong to multiple categories as shown above.
7. Select the Details tab to enter more details if needed.
o No details are required, but they provide additional information about the document
that can be shown in the Secure Content Locker application.
8. Select the Security tab to configure the access control settings.
o Choose whether or not to allow offline viewing of content.
o Select whether to force encryption of this document when it has been downloaded on
the device.
Note: Forcing encryption is recommended for all sensitive corporate material. Only documents
that are considered public-facing should be left unencrypted, and only if the administrator
wishes to save processing time on all devices while opening the document.
o Select the appropriate checkboxes to permit documents to be opened in Email or in
third party applications.
o Choose whether or not to allow the users to print the document.
9. Select the Assignment tab to filter the recipients of the document.
o Optionally, select the device ownership category option to only send the document to
devices enrolled under that category.
o Assign the document to be deployed to one or more Location Groups. This is a
mandatory field.
10. Select the Deployment tab to specify advanced deployment options for the document.
o Transfer Method - Select whether the document can be sent to the end-user at any
time, or only when the device is connected to Wi-Fi.
o Download While Roaming - Enable this option to download the document when the
device is roaming.
o Download Type - Select On-Demand to allow the end-user to download the
document when they want to, or Automatic to send the document to the device as
soon as it enrols and downloads the Secure Content Locker application.
o Download Date - This field displays on selecting Automatic as the download type.
This is the date on which the document is downloaded in the Secure Content Locker.
This is the same as the Effective Date.
o Download Priority - The priority order in which the file is downloaded if queued with
additional documents. For instance, if two documents are waiting to be downloaded
and they have a different download priority, the higher priority document is
downloaded first.
o Effective and Expiration Date - The dates on which the document becomes available
and no longer available in the Secure Content Locker application.
11. Click Save to save the parameters.
11.3
Uploading and Distributing Multiple Documents
Use the following steps to upload and distribute multiple documents:
1. Navigate to Content > Content Management.
2. Select Batch Import to open the Batch Import form.
o Enter the Batch Name and the Batch Description.
o Click
to open the Content Locker Import Help Topic.
3. Download the Content Locker Import Template.
4. Enter all necessary information in the template. Mandatory fields are denoted with a red
asterisk (*).
o Name - Enter a name for the document.
o FilePathType:
 Enter 'filepath' if you plan to enter a file path to a file located on your VSDM server.
 Enter 'http' if the file path is a fully-qualified URL.
o AccessVia:
 Enter None if you are uploading a file located on your VSDM server (FilePathType =
'filepath').
 Enter EIS if you plan to link to a file located on a server that has been configured in EIS
(FilePathType = 'http').
 Enter Direct if you plan to upload a file that is publicly hosted by using a fully-qualified
URL. (FilePathType = 'http').
o Managed By - Enter the Location Group level that manages the document.
o FilePath - Enter a system filepath (filepath) or a fully-qualified URL (http) for the
document.
o Categories - Enter in the appropriate category name(s). Use a semicolon (;) to separate
multiple categories.
o Download Type - Enter either On Demand or Automatic.
o Download Priority - Enter Low, Normal or High.
o Device Ownership - Enter C, E, S or Any.
o Location Groups - Enter the highest Location Group level that receives the document.
The Location Group entered here cannot be higher than the Location Group used in the
Managed By field.
o All remaining columns contain fields that have been explained in the single document
upload process.
5. Save the file as a CSV file and upload it in the Batch Import form.
6. Select Save to save the details.
11.4
Important Content Locker considerations
The Location Group selected must be equal to the Managed Location Group or its child location
group. The Managed Location Group is the location where the document is uploaded and
managed. Once uploaded, the document can also be assigned to its child location group.
The following are some of the points to be followed while completing the Content Locker
Import template for batch import:
 The administrator cannot add a document directly to a Parent category that has
child categories. For example, Book is a parent category which has Tech and Info as
child categories, represented as Book/Tech and Book/Info. The administrator can
add a document either to the Book/Tech or Book/Info child categories but cannot add a
document to the Book (parent) category. Also, the administrator cannot add child
categories to a parent category if it already contains documents.
 In the Managed By and Location Group columns of the template, the administrator must
specify the Group ID and not the Location Group name.
 If the CSV file being uploaded for a batch contains a line with an error, the rest of the
batch uploads successfully while the file on the line containing the error does not. If the
error is subsequently corrected and the batch re-uploaded, this leads to duplication of the
files that had already been successfully uploaded.
 If the administrator uses an http link for the file path, they need to manually replace any
instances of ‘%20’ with spaces to correctly reproduce the URL.
 If the priority level is not specified for a document in the template, then the Download
Priority field for that document automatically defaults to Normal.
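A pre-upload check for the template rules in sections 11.3 and 11.4, as an added example that is not part of the Vodafone guide or the VSDM product. Because a single bad line leaves the batch partly uploaded and a re-upload duplicates the rest, it is worth rejecting the file before it reaches the Batch Import form. The column headers are assumed to match the field names used in the guide, the set of mandatory columns is an assumption, and the categories, Group ID hierarchy, and CSV rows are constructed sample data.

```python
import csv
import io

# Assumption: header names match the field names used in the guide, and these
# columns are the mandatory ones. Check both against your downloaded template.
REQUIRED = ("Name", "FilePathType", "AccessVia", "Managed By", "FilePath",
            "Categories", "Location Groups")
# AccessVia values the guide allows for each FilePathType.
ACCESS_VIA = {"filepath": {"None"}, "http": {"EIS", "Direct"}}
ENUMS = {
    "Download Type": {"On Demand", "Automatic"},
    "Download Priority": {"Low", "Normal", "High"},  # blank defaults to Normal
    "Device Ownership": {"C", "E", "S", "Any"},
}


def field(row, col):
    """Return a trimmed cell value, treating a missing cell as empty."""
    return (row.get(col) or "").strip()


def is_same_or_child(group, managed_by, parents):
    """True if group is managed_by itself or one of its descendants."""
    seen = set()
    while group is not None and group not in seen:
        if group == managed_by:
            return True
        seen.add(group)
        group = parents.get(group)
    return False


def validate_row(row, categories, parents):
    """Return a list of rule violations for one template row."""
    errors = [f"{col}: missing" for col in REQUIRED if not field(row, col)]

    path_type, access = field(row, "FilePathType"), field(row, "AccessVia")
    path = field(row, "FilePath")
    if path_type and path_type not in ACCESS_VIA:
        errors.append(f"FilePathType: '{path_type}' must be 'filepath' or 'http'")
    elif path_type and access and access not in ACCESS_VIA[path_type]:
        errors.append(f"AccessVia: '{access}' is not valid with FilePathType '{path_type}'")
    if path_type == "http" and path:
        if not path.lower().startswith(("http://", "https://")):
            errors.append("FilePath: not a fully-qualified URL")
        if "%20" in path:
            errors.append("FilePath: replace '%20' with spaces")

    # Documents may only go into existing categories that have no children.
    for cat in filter(None, (c.strip() for c in field(row, "Categories").split(";"))):
        if cat not in categories:
            errors.append(f"Categories: '{cat}' has not been created")
        elif any(other.startswith(cat + "/") for other in categories):
            errors.append(f"Categories: '{cat}' is a parent category with children")

    # Both group columns take Group IDs, and the target cannot sit above Managed By.
    managed, target = field(row, "Managed By"), field(row, "Location Groups")
    for col, gid in (("Managed By", managed), ("Location Groups", target)):
        if gid and gid not in parents:
            errors.append(f"{col}: '{gid}' is not a known Group ID")
    if managed in parents and target in parents:
        if not is_same_or_child(target, managed, parents):
            errors.append("Location Groups: must be the Managed By group or its child")

    for col, allowed in ENUMS.items():
        value = field(row, col)
        if value and value not in allowed:
            errors.append(f"{col}: '{value}' not in {sorted(allowed)}")
    return errors


def validate_batch(csv_text, categories, parents):
    """Return {csv_line_number: [errors]} for every row that would fail."""
    report = {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        errors = validate_row(row, categories, parents)
        if errors:
            report[reader.line_num] = errors
    return report


# Constructed sample data: category names, Group IDs (child -> parent) and rows.
SAMPLE_CATEGORIES = {"Book", "Book/Tech", "Book/Info", "Reports"}
SAMPLE_GROUPS = {"HQ": None, "HQ-SALES": "HQ", "HQ-ENG": "HQ"}
SAMPLE_CSV = """\
Name,FilePathType,AccessVia,Managed By,FilePath,Categories,Download Type,Download Priority,Device Ownership,Location Groups
Annual report,filepath,None,HQ,C:\\content\\annual.pdf,Reports,On Demand,,Any,HQ-SALES
Sales deck,http,None,HQ-SALES,https://files.example.com/Q1%20deck.pptx,Book,Automatic,Urgent,C,HQ
"""

if __name__ == "__main__":
    found = validate_batch(SAMPLE_CSV, SAMPLE_CATEGORIES, SAMPLE_GROUPS)
    for line, errors in found.items():
        for error in errors:
            print(f"line {line}: {error}")
```

Upload the file only when the report is empty; if a batch has already been partly uploaded, resubmit only the corrected rows rather than the whole file.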
11.5
Using the Content Repository
The Content Repository allows administrators to link to folders, network drives and even
SharePoint directories containing various documents to upload into the Secure Content Locker.
Use the following steps to create a new Content Repository:
1. Navigate to Content > Content Management.
2. Click the Content Repository link on the left hand navigation.
3. Click Add to display the Add Content Repository form.
4. Complete the fields as required:
 Name - Enter a name relevant to the content directory.
 Type - Enter the type of the content repository.
 Link - Enter the full path to the directory location.
 Location Group - Select the Location Group level that is to have access to this
Content Repository.
 Authentication Type - If login information is required to connect to the content
directory, select User and then provide the login details.
 Access Via EIS - If the file system or SharePoint drive is not accessible from the
VSDM server's domain, tick this checkbox to enable the EIS to connect to the content
directory. This is required for content integration in SaaS deployments, and also for
specific server-hardened on-premise deployments. (You must have already
configured EIS to allow a connection from the VSDM in order for this to work).
 Allow Inheritance - Allow child Location Groups to have access to this Content
Repository.
 Enable Sync - This is required to enable sync between SharePoint and the VSDM server.
5. Click Save to save the changes.
11.5.1
Navigating Content in Repository Folders
The Show Repositories button on the All Content page allows administrators to view all the
content repositories folders and sub-folders and to navigate to the desired content within the
repository folder. On clicking Show Repositories, all the content repository folders are listed on
the left panel of the page. On clicking a particular content repository folder, all the documents
belonging to that content repository folder are displayed on the right panel of the page.
11.6
Managing Documents
There are several actions on the Content Management page that an administrator can perform
to manage the content of the corporate Secure Content Locker.
Select the Actions menu icon to perform the following actions:
 Edit - Edit any of the details created during the process of adding a new document.
 Add Version - If the document is updated, administrators can add a newer version of the
document. End users are automatically notified if there is a new version of a document.
 View Devices - View a list of the devices that have currently downloaded this document.
 Download - Downloads a local copy of the document to view.
 Delete - Deletes the document from the Secure Content Locker.
12
Content Security and Analytics
The Vodafone Secure Content Locker (SCL) not only isolates, encrypts, and protects corporate
content on iOS devices, but it also enables administrators to apply higher levels of security
over, and monitoring of, corporate documents. Some of the advanced security capabilities
include:
 Increased access security through two-factor authentication (using Certificates and a PIN).
 Secure transfer of document metadata to prevent 'man-in-the-middle' attacks.
 Administrator-controlled settings to block brute-force password attempts.
 Monitoring capabilities to view all Secure Content Locker activity on a per-document basis.
12.1
Configure Content Security Settings
The administrator can configure security features for individual documents on the Security tab
when publishing or managing individual documents. There are additional options to specify
general security settings for the SCL.
To view and configure these settings, navigate to:
System Settings > Applications > Secure Content Locker. Administrators can specify the
following settings to further protect the corporate content on end-user devices:
• Maximum allowable number of failed access attempts - Specify a low number of
allowable attempts for increased security.
• Authentication Grace Period - Specify a shorter grace period for increased security.
• Prevent Compromised Devices (Recommended) - Tick this box to check devices for
compromised status and prevent compromised devices from accessing content.
• Require (MDM) Enrolment (Recommended) - Tick this box to check for MDM enrolment
and prevent un-enrolled devices from accessing content.
12.2 Content Analytics
Administrators can view detailed information on activity in the SCL (when the Software Development
Kit (SDK) is used), in addition to viewing activity for other applications using the SDK on the
Application Analytics page. To view the Analytics page, navigate to: Applications > Analytics.
The Analytics page contains a variety of application information. Particularly useful to
administrators are the Event Name and Event Data fields for viewing document activity. For
example, administrators can see when an end-user:
• Authenticates into the SCL.
• Installs a document.
• Opens a document.
• Adds a document to favourites.
12.3 Best Practice
• Create document categories before you begin uploading documents. Categories are
selected during the upload process but must be created separately.
o To create a category, select the Categories setting on the Content Management
page, or navigate to Content Management > Categories.
• Administrators may wish to enable end-users to store and access content locally using
third-party applications.
o If permitted, end-users can download and view a local copy of documents by selecting
the icon.
• Enable enhanced VSDM functionality through Software Development Kit (SDK)
integration - Integrating the Vodafone Content Locker with the SDK enables the Secure
Content Locker to detect compromised devices and communicate with the corporate
server.
• Encourage end-users to enable GPS tracking - End-users can enable location services in
the Vodafone Content Locker settings to allow administrators to track and access GPS coordinates.
13 Email Management
The Vodafone Secure Device Manager (VSDM) provides administrators with several options for
configuring secure integration with corporate Email services. The most robust and extensible
solution is through the Vodafone Secure Email Gateway (SEG) which allows the administrator
to secure, monitor, and manage both the smart device fleet and corporate Email access, all from
the VSDM.
Vodafone Secure Device Manager simplifies and secures Email management by allowing the
administrator to perform the following tasks:
• Quickly monitor and troubleshoot Email server requests through the Secure Email
Gateway Dashboard.
• Gain visibility and control on top of the existing corporate Email structure to ensure that
corporate Email actions are secure and compliant.
• Create and edit Email Compliance rules, including Blacklist and Whitelist policies.
• Control Email access for both managed devices and unmanaged devices.
o For devices under VSDM management, the data collected from the SEG can be
correlated to the device’s existing record to show you how the managed devices are
interacting with your email server.
o For devices not under VSDM management, the data can be viewed on the dashboard to
help the administrator track rogue devices and gain a more complete picture of the
mobile email deployment.
• Configure integration with a number of corporate Email Services, including (but not limited
to):
o Microsoft Exchange.
o Google Apps for Business.
o Microsoft BPOS.
o Microsoft Office365.
o Lotus.
o Novell Groupwise versions 8.5+.
13.1 Email Compliance Policies
Email compliance policies allow the administrators to block access to corporate email servers for
enhanced email security based on pre-defined compliance policies. You can configure email
compliance policies in either of the two following ways by navigating to:
1. Dashboards > Email Management and then select Email Policies on the left.
2. Profiles & Policies > Compliance, then select Email Policies from the Compliance view
on the left.
13.1.1 Email Policies
Depending upon your Mobile Email Management (MEM) deployment, the Email Policies screen
provides three categories of compliance policies:
• General Email Policies
• Managed Device Policies
• Attachment Security Policies*.
Note: Email Policies can be configured only at the Location Group where MEM is configured. By
default, all child Location Groups inherit the created policies.*
Within each category, there is a list of current compliance policies (shown below):
• The circles under the Active column indicate whether the policy is active (green) or
inactive (red).
• Ticking the Disable Compliance option forces MEM to function in Bypass mode. This
option is applicable for all the MEM configuration models (i.e. for Proxy, PowerShell, and
Google).
Note: In Bypass mode, compliance policy is not applied against the devices.
• To make changes to a policy, hover over the pencil icon under the Actions column and
click Edit Policy.
• If a window opens, click Save to finish editing the policy, or Cancel to return the values to
the last saved state.
13.1.2 General Email Policies
General Email Policies are applicable to MEM deployments involving the Secure Email Gateway
(SEG) and the PowerShell Integration.*
Managed Device
This policy allows you to determine the outcome if an unmanaged device attempts to contact
the corporate email server.
1. Open the policy and specify whether to Allow or Block an unmanaged device.
2. Click Save.
Mail Client
This policy allows you to control email access to a list of mail clients.
1. Open the policy and click Add Rule.
2. Select an option from the Client Type dropdown menu:
o Pre-Defined - The known mail clients stored in the Vodafone database.
o Discovered - The mail clients that connect through the gateway, but are not currently
stored in the Vodafone database.
o Custom - Specified mail clients (i.e. Apple or Android).
3. Select the Mail Client from the dropdown menu or if you chose Custom, enter the mail
client in the field.
4. Choose to either Allow or Block the specified mail client and its type.
5. Specify the default policy (Allow or Block) for all other mail clients not currently listed.
This applies to all known mail clients that are not currently listed in the policy.
6. Specify the default policy (Allow or Block) for all new or discovered mail clients not
currently listed. This applies to all mail clients that are not currently stored in the Vodafone
database.
7. Click Save.
User
This policy allows you to list specific users who are allowed or denied access to the email server
and receive corporate email on their mobile device.
1. Select a User Type from the dropdown menu:
o VSDM User Account - Select a registered device user from the Vodafone database.
o Discovered - Choose the users that connect through the gateway and are not
currently stored in the Vodafone database.
o Custom - Choose the specific users.
2. Select a User Name from the dropdown menu.
3. Make a selection to Allow, Block, or Whitelist the specified user.
4. Specify the default policy (Allow or Block) for all other usernames not
currently listed. This applies to all known usernames that are not currently listed in the
policy.
5. Specify the default policy (Allow or Block) for all new or discovered usernames not
currently listed. This applies to all usernames that are not currently stored in the Vodafone
database.
6. Click Save.
13.1.3 Managed Device Policies
Managed Device Policies are only enforced on devices currently enrolled in the VSDM.
Inactivity
This policy allows you to specify if you allow or deny an inactive device to access the email server.
It specifies the number of days a device can be unmanaged before it is considered inactive.
1. Open the policy and specify whether to Allow or Block inactive devices from connecting
to the email server.
2. Enter the number of days of inactivity before a device is considered inactive.
3. Click Save.
Device Compromised Compliance
This policy allows you to determine the outcome if a compromised device attempts to contact
the corporate email server.
1. Open the policy and select whether to Allow or Block compromised devices to access the
email server.
2. Click Save.
Encryption Compliance
This policy allows you to determine the outcome if a device does not have data protection turned
'On' while attempting to access the corporate email server.
1. Open the policy and select whether to Allow or Block devices that do not have data
protection enabled.
2. Click Save.
Platform/Model Compliance
This policy allows you to define which platforms and models are allowed to access, or are
blocked from, the corporate email server.
1. Open the policy and click Add Rule.
2. Select an option from the Platform and Model dropdown menus.
3. Make a selection to Allow or Block the specified platform and model.
4. Specify the default policy (Allow or Block) for all platforms and models not currently
listed.
5. Click Save.
Operating System Compliance
It may be necessary to block a version of an OS used by a particular mobile device for many
different reasons. For example, an administrator might decide to temporarily block an OS because
it is putting a stress or load on an email server due to a bug or other technical issues, until the
problem is resolved. Another scenario might be to only permit specific platforms and OS ranges
to access the corporate email server, and block all others from receiving their email.
1. Open the policy and click Add Rule.
2. Select the type of device from the Platform dropdown menu.
3. Select the minimum and the maximum operating system for the device from the Min OS
and Max OS dropdown menu.
4. Specify the default policy (Allow or Block) for all OS versions not currently listed.
5. Click Save.
13.1.4 Attachment Security Policies*
Attachment Security Policies are used to secure email attachments being downloaded onto
mobile devices. Attachment Security is available for deployments involving the SEG proxy server.
In order to prevent misuse of corporate Email Attachments, Vodafone’s SEG has been enhanced
to encrypt and secure individual attachment files. These security policies ensure that only
compliant devices enabled with the Vodafone Secure Content Locker (SCL) application can
decrypt and view the attachment.
Managed Devices*
Managed Device policies are enforced only on devices that are enrolled in the VSDM. You can
configure the file attachments that need to be encrypted and secured via SCL and set policies
that can be enforced on files that cannot be viewed on the SCL via the VSDM. Select iOS Devices
to configure attachment settings for iOS devices or Other Devices to configure attachment
settings for Android devices.
Attachment Security Policies - iOS Devices*
The screen below illustrates the features available for configuring the ‘email attachment security
policy’ for managed iOS devices.
• Use Recommended Settings - Enabling this option defaults the policy to the VSDM
recommended settings, where pre-defined settings are enforced on devices. You may
choose to customise the policy based on your corporate requirements.
• Actions on Specific file types - Selecting the radio buttons enables the VSDM to
communicate with the SEG, defining the actions that need to be performed on
attachments of specific file types.
o Encrypt & Allow Attachments - The SEG encrypts attachments of specified file
type(s), which can only be decrypted and read via the SCL application on the device.
o Block Attachments - The SEG blocks attachments of the specified file type(s).
o Allow Attachments without Encryption - The SEG allows attachments of the
specified file type without encryption. The attachments can be opened/saved/edited
on the device through the native readers.
Ticking/Unticking the Allow Attachments to be saved in Secure Content Locker
checkbox allows you to decide whether or not to allow the device user to save the
attachment locally in the SCL.
• Select the radio button actions in the Other Files area to update settings for the file types
other than the standard file categories that are currently supported.
o You can exclude specific file types from the VSDM's Email attachment setup, under the
Exclusion section. For example, you can block all other file types while excluding
AUTOCAD files of type .dwg.
o You can also set a message to be displayed in emails on devices for the blocked
attachments file types under Custom Message for Blocked section. For example,
'One or more email attachments have been blocked per Acme's corporate policy'.
Attachment Security Policies - Other Devices*
The screen below illustrates the features available for configuring the Email Attachment Security
policy for other managed Android devices.
Note: With the Encrypt & Allow Attachments option, attachments downloaded on other
managed devices are encrypted, but cannot be viewed on the device. Device users can however
forward these emails with the encrypted attachment from their devices.
Unmanaged Devices*
Unmanaged Device policies are enforced only on devices that are not enrolled but managed in
the VSDM.
• Use Recommended Settings - Enabling this option defaults the policy to VSDM
recommended settings, where pre-defined settings are enforced on devices. You may
choose to customise the policy based on your corporate requirements.
• Actions on Specific file types - Selecting the radio buttons enables the VSDM to
communicate with the SEG defining the actions that need to be performed on attachments
of specific file types.
o Encrypt & Allow Attachments - The SEG encrypts attachments of specified file
type(s), which can only be decrypted and read via the SCL application on the device.
o Block Attachments - The SEG blocks attachments of the specified file type(s).
o Allow Attachments without Encryption - The SEG allows attachments of the
specified file type without encryption. The attachments can be opened/saved/edited
on the device through the native readers.
• You can exclude specific file types from VSDM's Email attachment setup under the
Exclusion section.
• You can also set a message to be displayed in emails on devices for the blocked
attachments file types under Custom Message for Blocked section.
13.1.5 Apply Email Compliance Policies
• After you create or edit Email compliance policies, the policies are automatically applied
when the SEG is refreshed (Configure the refresh interval in System Settings > Email >
Advanced).
• To instantly apply the policy, click the Provision Policy Changes button at the bottom of
the Email Compliance Policies page.
*New Feature in VSDM Release 3
13.2 Email Attachment Control*
Vodafone offers complete email control as an option for all devices accessing corporate email.
This aspect of mobile email access allows organisations to have advanced security settings
otherwise unavailable through native email clients. Beyond simply denying access to sent and
received attachments, the settings offer flexible encryption and access policies based on file type,
including the option to decrypt to open securely in the Vodafone Secure Content Locker. Manage
all of these attachment settings from the VSDM.
13.2.1 Prerequisites
Vodafone's email attachment control features leverage two aspects of MDM. These prerequisites
must be in place:
• Secure Email Gateway (SEG) v6.3 or higher - The SEG allows a secure connection
from internal mail servers and each mobile device. For more information on
establishing an SEG, please review the Vodafone SEG Installation Guide.
• Vodafone Secure Content Locker v1.5 or higher - The Secure Content Locker serves as
the secure area for viewing and managing attachments. Upon receiving an email, the
Secure Content Locker detects attachment presence and immediately sends the content
to the secure viewing area. To get started, purchase Vodafone's Mobile Content
Management module, then deploy the Vodafone Secure Content Locker as a public
managed application.
13.2.2 Accessing Attachment Settings
Once the SEG and Secure Content Locker infrastructure is properly established, manage email
attachment settings alongside all other MDM features and settings in the VSDM. Create
customised email attachment settings for both managed and unmanaged devices by navigating
to Profiles & Policies > Compliance > Email Policies page. Select Edit Policy to the right of
each device type in the Attachment Security Policies area.
For more information on configuring email attachment settings, please refer to the Email
Compliance Policies section.
13.2.3 Accessing Protected Email Attachments
Once Email Attachment Protection has been enabled, end-users are able to access attachments
as established in the VSDM. These options include:
• Allowed & Unencrypted Attachments - Attachments appear normally within the
mailbox.
• Blocked Attachments - Attachments are removed and replaced with a message notifying
the user that the attachments have been blocked.
• Encrypted Attachments - Attachments appear in the mailbox as an encrypted *.awsec file
type that can only be decrypted and read from within the Vodafone Secure Content Locker.
13.2.4 Open Encrypted Email Attachments
To open encrypted email attachments in the Vodafone Secure Content Locker:
1. Select the Email Attachment.
2. Select Open in the Vodafone Secure Content Locker.
3. Authenticate with corporate credentials.
4. Attachment automatically decrypts and opens.
5. The file cannot be opened or transferred outside of Content Locker.
*New Feature in VSDM Release 3
13.3 Email Management Dashboard
Each time a device attempts to connect to your mobile email server through the SEG, the
gateway gathers statistics about the request. This information is presented on a dashboard in the
VSDM and can be used to assess the health of your mobile email deployment.
Use the following steps to access the Email Management dashboard:
1. Navigate to Dashboards > Email Management.
2. Click the Location Group dropdown and select the group that connects to the SEG in your
corporate environment.
3. Click All under Request Time.
Note: The basic Email Management dashboard is available as a 'View' under the main Dashboard,
but it does not contain time interval view options or editing capabilities.
13.3.1 Graphs and Grid
The Email Management dashboard view displays three different graphs on the top of the screen
and a grid below the graphs that displays the data from the selected graph or data group.
• Device Activity - The total number of devices communicating through the gateway, in
addition to the number of blocked and allowed devices.
• Devices - The total number of devices communicating through the gateway and the
number of managed and unmanaged devices.
• Non-Compliant Devices - The number of noncompliant devices communicating through
the gateway according to the compliance criteria as specified in the Email Compliance
Policies.
• Grid - The devices that have accessed the SEG.
13.3.2 Request Time Views
The Request Time view allows the administrator to adjust the dashboard view for all time
periods, or for time intervals throughout the last 24 hours.
• Click All or select a time interval to update the charts and grids with the time selection.
13.3.3 Email Compliance in the Dashboard
To edit email compliance policies, click Email Policies. For further information on creating email
compliance policies, see Email Compliance Policies.
13.3.4 Override an Email Compliance Policy
After email compliance policies are in place for the SEG, the administrator may find the need to
make Blacklist or Whitelist exceptions, or to remove a device from the list of exceptions.
Use the following steps to override a compliance policy:
1. Click Policy Override List to view the current override status for all of the devices that are
communicating through the gateway. This page also provides the ability to add, remove, or
change an override to any of the devices listed in the grid.
2. Select a device from the grid to perform a policy override on that device by ticking the box
on the left. The device selected in the screen is a Whitelisted device.
3. Click any one of the following to override the current policy:
o Whitelist - Allows the device to override email compliance policies.
o Blacklist - Blocks the device regardless of whether there are any policies that allow
(Whitelist) the device.
o Default - Remove the device from the override list and apply the configured email
compliance policies to that device.
13.3.5 Dashboard Test Mode
Test mode allows mobile devices to communicate through the gateway even when restrictive
compliance policies are currently enabled. The dashboard displays the noncompliant reason
code(s) for a device to indicate all the restrictions that would apply if test mode were not enabled.
• To enable test mode, tick the Test Mode checkbox in the upper right corner of the
dashboard.
• To disable test mode, untick the Test Mode checkbox. The compliance policies are again applied to
each device that communicates through the gateway. The dashboard displays the
noncompliant reason code(s) for a device to indicate all applicable restrictions that are now
being applied.
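The decision order described in sections 13.1 to 13.3 (Bypass mode, Test Mode, the Policy Override List, then the configured policies), modelled as an added Python example so an administrator can see which devices are being let through despite failing a check. It is not VSDM or SEG code: the class and field names, the reason-code strings, the sample fleet and the relative order of Test Mode and overrides are assumptions made for illustration.

```python
"""Illustrative model of the email compliance decision (not product code)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    managed: bool = True
    platform: str = "Apple"
    os_version: tuple = (6, 1)
    days_inactive: int = 0
    compromised: bool = False
    data_protection: bool = True
    override: str = "default"   # Policy Override List: whitelist / blacklist / default


@dataclass
class EmailPolicy:
    disable_compliance: bool = False   # "Disable Compliance" puts MEM in Bypass mode
    test_mode: bool = False            # dashboard Test Mode checkbox
    block_unmanaged: bool = True       # General Email Policies: Managed Device
    block_inactive: bool = True
    inactive_after_days: int = 30
    block_compromised: bool = True
    block_unencrypted: bool = True
    os_rules: dict = field(default_factory=dict)   # platform -> (min_os, max_os)
    block_unlisted_os: bool = False    # default action for OS versions not listed


def failed_checks(dev, pol):
    """Reason codes (hypothetical names) for every policy the device fails."""
    # Managed Device Policies are only enforced on enrolled devices, so an
    # unmanaged device is judged by the general Managed Device policy alone.
    if not dev.managed:
        return ["UNMANAGED"] if pol.block_unmanaged else []
    reasons = []
    # Assumption: a device is inactive once it exceeds the configured days.
    if pol.block_inactive and dev.days_inactive > pol.inactive_after_days:
        reasons.append("INACTIVE")
    if pol.block_compromised and dev.compromised:
        reasons.append("COMPROMISED")
    if pol.block_unencrypted and not dev.data_protection:
        reasons.append("NO_DATA_PROTECTION")
    rule = pol.os_rules.get(dev.platform)
    listed = rule is not None and rule[0] <= dev.os_version <= rule[1]
    if not listed and pol.block_unlisted_os:
        reasons.append("OS_VERSION")
    return reasons


def evaluate(dev, pol):
    """Return (allowed, basis, reasons) for one device."""
    if pol.disable_compliance:
        return True, "bypass", []          # policy is not applied at all
    reasons = failed_checks(dev, pol)
    if pol.test_mode:
        # Assumption: Test Mode is checked before overrides. Traffic passes,
        # but the reason codes are still reported.
        return True, "test_mode", reasons
    if dev.override == "blacklist":
        return False, "override", reasons  # blocked regardless of allow rules
    if dev.override == "whitelist":
        return True, "override", reasons   # overrides the compliance policies
    return not reasons, "policy", reasons


def exposure(fleet, pol):
    """Devices that reach the mail server although they fail a check."""
    found = []
    for name, dev in fleet.items():
        allowed, basis, reasons = evaluate(dev, pol)
        if allowed and reasons:
            found.append((name, basis, reasons))
    return found


# Constructed sample fleet, not real device data.
SAMPLE_FLEET = {
    "ipad-01": Device(),
    "iphone-07": Device(compromised=True, override="whitelist"),
    "iphone-09": Device(compromised=True),
    "byod-03": Device(managed=False, compromised=True),
}

if __name__ == "__main__":
    policy = EmailPolicy(os_rules={"Apple": ((5, 0), (6, 9))}, block_unlisted_os=True)
    for row in exposure(SAMPLE_FLEET, policy):
        print(row)
```

Running `exposure` against the same fleet with `test_mode=True` shows how many more devices pass while Test Mode is left ticked.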
13.4 Important Email Management Considerations
• Use filter views and search to view devices in the SEG dashboard grid according to
compliance criteria.
o The administrator can filter the devices displayed on the grid based upon override
status. Select a filter to view only Blacklisted, Whitelisted, or All devices.
• The filter functionality provides the ability to search the grid within the displayed results.
o Enter the full or partial search term in the Search box.
14 Telecom Management**
Vodafone’s Telecom Management solution allows administrators to configure and assign
telecommunication plans to devices across the mobile fleet. Using telecom management,
administrators can assign the devices to a telecom plan based on preconfigured criteria (Location
Group, User Group, Model, Platform, Carrier, Country, etc.) and automatically associate plans to
devices matching specific criteria such as SIM number and telephone number. This solution also
allows administrators to proactively track and monitor plan usage, access the plan and device
details, and track the roaming history for the device.
**New Feature in VSDM Release 2
14.1 Enabling Telecom Setting
By default, the Telecom Management module is disabled for each customer location group. To
enable this module, navigate to System Settings > Telecom > General and tick Telecom
Enabled.
If the above setting is disabled, attempting to view the Telecom Management Dashboard
presents the Configuration Warning message below:
14.2 Creating and Managing Telecom Plans
Administrators can create telecom plans and assign them both to devices that are enrolled and
to devices that are not yet enrolled. Additionally, administrators can manage, assign, and
review all current telecom plans.
14.2.1 Create a Telecom Plan
Use the following steps to create a Telecom Plan:
1. Navigate to the Telecom > Telecom Management page.
2. Select Plans from the Configuration menu on the left.
3. Select Add from the Dashboard options to add a new Telecom Plan.
Complete the following Plan information:
o Plan name - Enter the name for a plan.
o Country - Select the country of the carrier.
o Carrier - Enter the name of the company providing the carrier plan.
o Voice/Message/Data limit - Enter the voice, message and data limit for the plan.
o Peak Voice Time Interval - Enter the peak voice time interval. This is typically 6:00 AM
to 9:00 PM. If a peak interval is not defined, then all minutes are applied to the plan
limit.
o Usage Reset - Enter the day after which the plan usage resets.
o Plan Effective Date - Enter the earliest date for the plan to be effective.
4. Click Save or click Save and Assign to assign to the devices.
14.2.2 Dynamic Assignment
Using Dynamic Assignment, an administrator creates a rule for a specified plan and assigns it to a
device that does not have a specified plan. All the criteria in each assignment rule are evaluated
in the order designated by Rank. The Dynamic Assignment rule performs the following
checks before assigning a specified plan to the device:
• Is the particular phone number already associated with a device, and has a plan
already been assigned?
o If already assigned, disregard dynamic assignment.
o If no assignment is present, check the dynamic assignment rules for a match of the
highest rank.
14.2.3 Assign a Rule to a Plan
Use the following steps to assign a Rule to a Plan:
1. Navigate to Telecom > Telecom Management.
2. Select Dynamic Assignment from the Configuration menu on the left.
3. Click Add to assign rules to the existing plans.
4. Enter the information in each criteria field as well as the plan for assigning the assignment
rule to the devices.
Note: The minimum criteria by which the devices will be dynamically assigned are
Carrier and Country.
14.2.4 Edit an Assignment
Select Edit Assignment for a particular plan to reconfigure assignment settings.
From the Edit Assignment area, administrators can:
• Add more assets (devices).
• Remove existing assets.
• Reassign assets.
• Change the plan.
Note: Current plan indicates whether the device is already assigned to a plan.
14.3 Dashboard Usage
The Vodafone Secure Device Manager collects telecommunication information from each device
and sorts it out appropriately for viewing on the Telecom Dashboard. Upon completion of plan
creation and assignment, the Telecom Dashboard enables an administrator to proactively:
• Monitor telecom usage in relation to plan limits.
• Review compliance to the specified limits.
• Access plan details and device information.
• Review roaming history for the device.
The Telecom Dashboard has two views: Telecom Usage and Telecom Roaming.
14.3.1 Telecom Usage
The Telecom Usage page allows the administrators to track:
• Telecom usage by month.
• Telecom usage by day.
• Plan usage details.
• Roaming details.
To access the Telecom Usage page, navigate to the Telecom Management, details of which are
provided in the following sections.
Click on a specified plan to view plan usage details in the tray view form. The Plan Usage Detail
view provides an overview of all available device and user information, as seen below:
14.3.2 Telecom Roaming
The Telecom Roaming page conveniently displays the collected roaming information. This
enables administrators to monitor the entire device fleet regardless of the carrier in a single
confined interface.
15 Certificate Management
As digital information exchange evolves and becomes increasingly mobile, the possibilities for
information sharing multiply. Administrators are faced with the challenge of providing employees
with convenient access to enterprise resources while overcoming the ever-expanding security
concerns introduced by mobility and information fluidity. Traditional security technologies and
solutions are not sufficient to meet the stricter requirements for information security and data
loss prevention. In order to meet growing demands for information accessibility and security, an
enterprise needs a multi-faceted and scalable data security solution, and many enterprises have
turned to digital certificates and Public Key Infrastructure (PKI) for a resolution to this security
dilemma.
15.1 Benefits of Using Certificates
There are several key features that make certificates an ideal solution for enterprise security.
• Cross-Platform Scalability - Digital certificates can be leveraged to protect data across
many different mobile platforms. Just as the same message can be transmitted across
email or instant messaging, digital certificates can be used for security across both. The
extensibility of certificate security allows organisations to avoid implementing multiple
inferior single point security solutions that ultimately leave data vulnerable as it moves
from point to point.
• Multifunctional - Once a user or device receives a certificate, it can be utilised across
many different platforms for a variety of purposes.
o Encryption - Certificates can be used to encrypt digital information regardless of the
platform. For example, the S/MIME standard leverages certificates for email
encryption, while the HTTPS protocol utilises SSL to provide web page encryption.
o Message Signing - Enterprises in need of digital message signatures can leverage
certificates in order to prove message integrity and show that the message originates
from an authenticated sender and was not altered by any malicious third party.
o Authentication - Because digital certificates contain identifying information about
both the user and the device that has been certified by a trusted source, certificates
provide secure authentication into a number of systems such as email, Wi-Fi, and VPNs.
• High Security - Digital certificates are much more secure than traditional passwords
because they are not susceptible to common password cracking methods such as brute
force or dictionary attacks.
Innovation and the drive of enterprise-level business requirements have made the VSDM the
industry-leader in mobile certificate management.
15.2 Manage Certificates on the Certificate Dashboard
The VSDM is the centralised location for managing certificate authorities, their integration, and
other certificate management required for managed devices. All of these activities are centralised
on the Certificate Dashboard. To view the Certificate Dashboard, navigate to the Profiles &
Policies > Certificates page.
Once a certificate has been issued to a device, administrators can perform the following actions
from the Certificates Dashboard:
 Manage Certificate Authorities.
 Renew Certificates.
o To renew a certificate, click the Actions menu next to the certificate and select Renew
Certificate.
 Revoke Certificates.
o To revoke a certificate, click the Actions menu next to the certificate and select
Revoke Certificate.
 Send certificate-related messages to devices.
o To send a push notification to all devices with a selected certificate installed, tick the
check box next to the certificate and click Send Message at the top of the Certificates
Dashboard.
o Select the application to which the message needs to be sent (the selected application
must be installed on the device) and fill out the message body.
o Click Send.
Additionally, the Certificates Dashboard contains links to upload APNs certificates and set up
certificate integration.
15.3 Certificate Infrastructure Integration
The VSDM integrates with the certificate infrastructure in a way that allows the Enterprise to
distribute certificates for authentication purposes to devices containing corporate data. There are
several options for VSDM certificate infrastructure integration, but each requires detailed
technical information and therefore it is very important that the Certificate Infrastructure
Administrator be involved in this integration.
There are two ways in which VSDM integrates:
 Direct Certificate Authority (CA) integration:
o The VSDM can act as a proxy for certificate distribution.
 Simple Certificate Enrolment Protocol (SCEP) integration:
o The VSDM can act as a proxy for certificate distribution.
o Can be authenticated from the device.
15.3.1 Direct Certificate Authority Integration
To configure VSDM integration with a Direct Certificate Authority (CA) services server, you must
first configure the Certificate Authority.
Configure the Certificate Authority
Use the following steps to configure the Certificate Authority:
1. Navigate to Configuration > System Settings > Device > General > Certificate
Authorities.
2. Select Add to open up the Certificate Authority Form.
3. Complete the required fields:
o Name - Refers to the actual name of the instance of the CA on the CA server.
o Allow child location groups to use this certificate authority - Tick the check box to
allow inheritance by child location groups.
o Authority Type - The type of certificate authority. For Direct CA integration, choose
one of the following:
 Microsoft AD CS - Supports a Microsoft Certificate Authority on a Windows Server
2003/2008 server.
 Generic SCEP - Supports a VSDM-installed certificate service or Generic CA (which
supports the standard CA protocol). For more information on configuring a SCEP
certificate authority, see SCEP Integration.
 Verisign MPKI - Supports a VeriSign® Managed PKI for SSL Certificate Service.
 Symantec - Supports a Symantec PKI integration.
 OpenTrust - Supports an OpenTrust PKI integration.
 Entrust - Supports an Entrust PKI integration.
o Protocol - Select either ADCS or SCEP as the protocol type.
o Server Hostname/Server URL - The server address of the CA server. The address
needs to be in IP or domain name format (mycompany.local.com).
o Enter in any necessary authentication credentials and complete the other remaining
fields as necessary.
4. Use the Test Connection button to check that your settings are correctly configured.
5. Click Save (or Save and Add Template).
Certificate Template Configuration
Refer to the Certificate Template Configuration section to configure the CA Certificate Template.
15.3.2 Simple Certificate Enrolment Protocol (SCEP) Integration
The first step in configuring VSDM integration with a corporate SCEP services server is to
configure the Certificate Authority.
Configure the Certificate Authority
Use the following steps to configure the Certificate Authority:
1. Select Add to open a new Certificate Authority Form (or select Edit from the Actions
menu to edit an existing certificate).
2. Complete the required fields:
o Name - In SCEP integration this field is used by VSDM to distinguish these settings.
o SCEP Provider - The SCEP provider determines the rest of the configuration and what
challenge options are available.
 SCEP Provider: Basic
 SCEP Provider: MSCEP
 SCEP Provider: VeriSign*
 SCEP Provider: Symantec
 SCEP Provider: OpenTrust
 SCEP Provider: Entrust
SCEP Provider: Basic
Use the Basic option when the provider is not Microsoft, Verisign, Symantec, OpenTrust or
Entrust.
Choose Generic SCEP as the Authority Type and then Basic from the SCEP Provider dropdown.
Selecting the Basic SCEP Provider option requires the following fields:
 SCEP host name - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider.
 Challenge Type - Select either No Challenge or Static, depending on the requirements of
the Certificate.
o Static Challenge - Select this option when a singular key or password is required to
authenticate with the certificate enrolment URL. A field displays when Static Challenge
is chosen for you to enter in the password or challenge key provided by SCEP.
o No Challenge - Select this when no challenge is required. This usually involves
unsecured SCEP endpoints and it only applies in rare circumstances.
 Retry Timeout - Enter in the number of minutes for a timeout.
 Max Retries When Pending - Enter the maximum number of attempts a user may make
before the system times out. After a timeout, the user has to wait the number of minutes
specified in the above field before being allowed to log in again.
SCEP Provider: MSCEP
If MSCEP is the SCEP provider, choose Generic SCEP as the Authority Type and then MSCEP from
the SCEP Provider dropdown. The following options display:
 Server URL - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider. The Server should be
https://scepserver.mycompany.com/certsrv/mscep/mscep.dll where
'scepserver.mycompany.com' is the web address of the SCEP server.
 Challenge Type - Select either No Challenge or Static, depending on the requirements of
the Certificate.
o Static Challenge - Select this when a singular key or password is required to
authenticate with the certificate enrolment URL. When Static Challenge is chosen a
field displays for you to enter the password or challenge key provided by SCEP.
o Dynamic Challenge - This option pulls a challenge key or password from the SCEP
provider.
 Username Is Required - Tick this check box for the Dynamic Challenge web
address to require user authentication for access.
 Challenge Length - Enter the challenge length provided by the SCEP provider.
 Challenge URL - This field should contain the web address of the challenge URL:
o For MSCEP 2003, the challenge URL is the same as the web enrolment URL.
o For MSCEP 2008 the challenge URL is typically:
https://scepserver.mycompany.com/certsrv/mscep_admin/ where scepserver.mycompany.com is
the web address of the SCEP server (Note: The trailing / is NOT optional).
o No Challenge - Select this when no challenge is required. This usually involves
unsecured SCEP endpoints and it only applies in rare circumstances.
 Username & Password - The username and password are required to authenticate with the
SCEP challenge URL. The username and password need to have the correct permissions for
both the SCEP server and the certificate template being used in order to authenticate.
SCEP Provider: VeriSign*
If VeriSign is the SCEP provider, choose Generic SCEP as the Authority Type and then Verisign
from the SCEP Provider dropdown. The following options display:
 Server URL - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider. The server should be set to
https://onsiteipsec.verisign.com/cgi-bin/pkiclient.exe.
 Dns Post Fix - Enter the domain used to register the relevant mPKI account. For example, if
the domain was registered with mycompany.com, enter 'mycompany.com' in this field.
 Certificate - Upload a new certificate into the SCEP configuration for authentication with
the VeriSign Cloud.
o Click Upload to upload a new file.
o Enter the certificate password.
 Passcode Post URL - Enter the dynamic challenge URL. The URL should look like this:
https://onsite-admin.verisign.com/OnSiteHome.htm.
 Retry Timeout - Enter the time in minutes to wait between each retry.
 Max Retries When Pending - Enter the maximum number of attempts to retry a request
when authority is pending.
SCEP Provider: Symantec
If Symantec is the SCEP provider, choose Symantec as the Authority Type and then choose SCEP
from the Certificate Retrieval Method radio buttons. The following options are displayed:
 Server URL - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider.
 Enter authentication credentials as appropriate. (This could be a username/password
combination or client authentication certificates).
SCEP Provider: OpenTrust
If OpenTrust is the SCEP provider, choose OpenTrust as the Authority Type and then choose
SCEP with the Certificate Retrieval Method radio buttons. The following options display:
 Server URL - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider.
 Enter authentication credentials as appropriate. (This could be a username/password
combination or client authentication certificates).
SCEP Provider: Entrust
If Entrust is the SCEP provider, choose Entrust as the Authority Type and then choose SCEP with
the Certificate Retrieval Method radio buttons. The following options display:
 Server URL - The web address of the certificate enrolment URL. This is usually in the
format of .EXE or .DLL depending on the SCEP provider.
 Enter authentication credentials as appropriate. (This could be a username/password
combination or client authentication certificates).
3. Click Save and continue to Certificate Template Configuration.
*New Feature in VSDM Release 3
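The Basic and MSCEP settings described above can be checked before they are saved. The following is an added example, not part of the VSDM or of the original guide: the dictionary keys are assumed names for the form fields, and the sample entries are constructed.

```python
from urllib.parse import urlparse

# Challenge types the guide lists for each provider section.
PROVIDER_CHALLENGES = {
    "Basic": {"No Challenge", "Static"},
    "MSCEP": {"No Challenge", "Static", "Dynamic"},
}


def lint_scep_authority(cfg):
    """Return a list of (severity, message) findings for one SCEP CA entry.

    cfg is a dict whose keys are assumed names for the form fields.
    """
    provider = cfg.get("scep_provider", "")
    challenge = cfg.get("challenge_type", "")
    allowed = PROVIDER_CHALLENGES.get(provider)
    if allowed is None:
        return [("error", f"provider {provider!r} is not covered by this check")]

    findings = []
    if challenge not in allowed:
        findings.append(("error", f"{provider} does not offer {challenge!r}"))

    server = urlparse(cfg.get("server_url", ""))
    if server.scheme != "https" or not server.netloc:
        findings.append(("warn", "server URL is not an https:// address"))
    if not server.path.lower().endswith((".exe", ".dll")):
        findings.append(("info", "server URL does not end in .exe or .dll"))

    if challenge == "No Challenge":
        findings.append(("high", "enrolment requests carry no challenge"))
    elif challenge == "Static" and not cfg.get("static_challenge"):
        findings.append(("error", "Static selected but no challenge key entered"))
    elif challenge == "Dynamic":
        findings.extend(_lint_dynamic(cfg))
    return findings


def _lint_dynamic(cfg):
    """Checks that only apply to the MSCEP Dynamic Challenge options."""
    findings = []
    url = urlparse(cfg.get("challenge_url", ""))
    if url.scheme != "https" or not url.netloc:
        findings.append(("high", "challenge URL is not an https:// address"))
    # MSCEP 2008 form of the challenge URL: the trailing / is not optional.
    if "mscep_admin" in url.path and not url.path.endswith("/"):
        findings.append(("error", "challenge URL is missing the trailing /"))
    if cfg.get("username_is_required") and not (
        cfg.get("username") and cfg.get("password")
    ):
        findings.append(("error", "Username Is Required is ticked but credentials are empty"))
    length = cfg.get("challenge_length")
    if not isinstance(length, int) or length <= 0:
        findings.append(("error", "challenge length must be a positive number"))
    return findings


# Constructed sample entries; the lab hostname and credentials are placeholders.
SAMPLES = {
    "lab-basic": {
        "scep_provider": "Basic",
        "server_url": "http://scep.example.test/cgi-bin/pkiclient.exe",
        "challenge_type": "No Challenge",
    },
    "corp-mscep": {
        "scep_provider": "MSCEP",
        "server_url": "https://scepserver.mycompany.com/certsrv/mscep/mscep.dll",
        "challenge_type": "Dynamic",
        "challenge_url": "https://scepserver.mycompany.com/certsrv/mscep_admin",
        "username_is_required": True,
        "username": "svc-scep",
        "password": "placeholder",
        "challenge_length": 16,
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        for severity, message in lint_scep_authority(cfg) or [("ok", "no findings")]:
            print(f"{name}: {severity}: {message}")
```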
15.4 Certificate Template Configuration
After the Certificate Authority is configured, configure the Certificate Template so that the VSDM
can request a certificate from the Certificate Authority. Use the following steps to configure a
Certificate Template for Direct Certificate Authority integration:
1. Click Request Templates from the Certificate Authorities page.
2. Click Add to open up the Request Template form.
3. Complete all required fields.
o Subject - The fully qualified distinguished name of the certificate. This field supports
the lookup values used in the VSDM so that the certificate name can be unique per
user/device in the VSDM (for example, CN={EnrolmentUser}).
 The distinguished name supports both Crypto API and Netscape formats. The only
field required to create a certificate is the Common Name (CN). The distinguished
name should reflect what the certificate will be authenticating against.
o Certificate Authority - Specifies the CA that this template is assigned to in the VSDM.
o Complete the remaining fields as determined by the CA type selected:
 Microsoft Certificate Authority
 Verisign Certificate Authority
 Symantec Certificate Authority
 OpenTrust Certificate Authority
 Entrust Certificate Authority
15.4.1 For a Microsoft Certificate Authority
 Template Name - Enter a template name so this certificate template can be used in the
future. The Template Name is used only within the VSDM.
 Automatic Certificate Renewal - Tick this check box to have the VSDM automatically
renew the certificate. You can specify the number of days or period for auto renewal.
 Use Existing Key - Enable this option to use the existing private key rather than creating a
new one. The CA and Certificate Template must support this option in order for it to work.
 Additional Attributes - This field serves two purposes when configuring the Certificate
Authority. The Additional Attributes field:
o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate
to specify which template to use (For example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the
template you would like to use).
o Also allows you to add relevant additional attributes. When you enter the additional
attributes, separate them from the CertificateTemplate with a backslash n (\n). An
example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the
Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email
Address={EmailAddress}.
 Private Key Length - The private key length should match the length of the private key on
the certificate template being used on the CA.
Compatibility note: Shorter lengths are more compatible with older technology and operating
systems.
 Private Key Type - Determines the type of private key in direct CA integration. The
standard setting is 'Signing & Encryption'.
 Use Existing Key - Select this check box to use an existing key.
 Publish Private Key - Select this check box to publish the private key and store it in either
your Active Directory Services or in a Custom Web Service.
 Once you are finished, click Save.
15.4.2 For a Verisign Certificate Authority
 Template Name - Enter a template name so this certificate template can be used in the
future. The Template Name is used only within the VSDM.
 Automatic Certificate Renewal - Tick this check box to automatically renew the
certificate. You can specify the number of days or period for auto renewal.
 Use Existing Key - Enable this option to use the existing private key rather than creating a
new one. The CA and Certificate Template must support this option in order for it to work.
 Additional Attributes - This field serves two purposes when configuring the Certificate
Authority. The Additional Attributes field:
o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate
to specify which template to use (For example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the
template you would like to use).
o Also allows you to add relevant additional attributes. When you enter the additional
attributes, separate them from the CertificateTemplate with a backslash n (\n). An
example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the
Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email
Address={EmailAddress}.
 Private Key Length - The private key length should match the length of the private key on
the certificate template being used on the CA.
Compatibility note: Shorter lengths are more compatible with older technology and operating
systems.
 Private Key Type - Determines the type of private key in direct CA integration. The
standard setting is 'Signing & Encryption'.
 Use Existing Key - Tick this check box to use an existing key.
 Publish Private Key - Tick this check box to publish the private key and store it in either
your Active Directory Services or in a Custom Web Service.
 Once you are finished, click Save.
15.4.3 For a Symantec Certificate Authority
 Template Name - Enter a template name so this certificate template can be used in the
future. The Template Name is used only within the VSDM.
 Automatic Certificate Renewal - Tick this check box to have the VSDM automatically
renew the certificate. You can specify the number of days for auto renewal.
 Use Existing Key - Enable this option to use the existing private key rather than creating a
new one. The CA and Certificate Template must support this option in order for it to work.
 Additional Attributes - This field serves two purposes when configuring the Certificate
Authority. The Additional Attributes field:
o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate
to specify which template to use (For example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the
template you would like to use).
o Also allows you to add relevant additional attributes. When you enter the additional
attributes, separate them from the CertificateTemplate with a backslash n (\n). An
example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the
Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email
Address={EmailAddress}.
 Click Retrieve Profiles.
 Select the appropriate profile from the dropdown list. A list of mandatory attributes is made
visible.
 Enter appropriate lookup values for mandatory attributes. For example: mail_id:
{EmailAddress}.
15.4.4 For an OpenTrust Certificate Authority
 Template Name - Enter a template name so this certificate template can be used in the
future. The Template Name is used only within the VSDM.
 Automatic Certificate Renewal - Tick this check box to automatically renew the
certificate. You can specify the number of days for auto renewal.
 Use Existing Key - Enable this option to use the existing private key rather than creating a
new one. The CA and Certificate Template must support this option in order for it to work.
 Additional Attributes - This field serves two purposes when configuring the Certificate
Authority. The Additional Attributes field:
o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate
to specify which template to use (For example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the
template you would like to use).
o Also allows you to add relevant additional attributes. When you enter the additional
attributes, separate them from the CertificateTemplate with a backslash n (\n). An
example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the
Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email
Address={EmailAddress}.
 Click Retrieve Profiles.
 Select the appropriate profile from the dropdown list. A list of mandatory attributes is made
visible.
 Enter appropriate lookup values for mandatory attributes. For example: mail_id:
{EmailAddress}.
 Once you are finished, click Save.
15.4.5 For an Entrust Certificate Authority
 Template Name - Enter a template name so this certificate template can be used in the
future. The Template Name is used only within the VSDM.
 Automatic Certificate Renewal - Tick this check box to automatically renew the
certificate. You can specify the number of days for auto renewal.
 Use Existing Key - Enable this option to use the existing private key rather than creating a
new one. The CA and Certificate Template must support this option in order for it to work.
 Additional Attributes - This field serves two purposes when configuring the Certificate
Authority. The Additional Attributes field:
o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate
to specify which template to use (For example, enter
CertificateTemplate:TemplateName where TemplateName is the name of the
template you would like to use).
o Also allows you to add relevant additional attributes. When you enter the additional
attributes, separate them from the CertificateTemplate with a backslash n (\n). An
example of an additional attribute would be the Subject Alternative Name of the
certificate. In order to specify the Subject Alternative Name, you would set the
Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email
Address={EmailAddress}.
 Click Retrieve Profiles.
 Select the appropriate Managed CA followed by the appropriate profile from the dropdown list.
A list of mandatory attributes displays.
 Enter appropriate lookup values for mandatory attributes. For example: mail_id:
{EmailAddress}.
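The Additional Attributes field and the Subject field described for each CA type combine a fixed syntax with lookup values. The following added example, which is not VSDM code and not from the original guide, parses that syntax and substitutes lookup values from a constructed user record. It assumes the separator is the two typed characters backslash and n, and that lookup values are written as {Name}.

```python
import re

SEPARATOR = "\\n"                  # backslash followed by n, exactly as typed
LOOKUP = re.compile(r"\{(\w+)\}")  # lookup values such as {EmailAddress}


def _resolve(name, record):
    """Return the record value for one lookup name, refusing unsafe text."""
    if name not in record:
        raise ValueError(f"unknown lookup value {{{name}}}")
    value = str(record[name])
    # A substituted value must not be able to start a new attribute entry.
    if not value or SEPARATOR in value or any(ord(c) < 0x20 for c in value):
        raise ValueError(f"lookup value {{{name}}} is empty or contains a separator")
    return value


def expand(text, record):
    """Substitute every {Lookup} in text, e.g. the Subject CN={EnrolmentUser}."""
    return LOOKUP.sub(lambda m: _resolve(m.group(1), record), text)


def parse_additional_attributes(field, record):
    """Return (template_name, [(attribute, value), ...]) for the field."""
    # Assumption: a real line break is a typing mistake, not a separator.
    if "\n" in field:
        raise ValueError("field contains a real line break; use backslash n")
    template, attributes = None, []
    for entry in field.split(SEPARATOR):
        key, colon, value = entry.partition(":")
        if not colon or not key.strip() or not value.strip():
            raise ValueError(f"malformed entry {entry!r}")
        if key == "CertificateTemplate":
            if template is not None:
                raise ValueError("more than one CertificateTemplate entry")
            template = expand(value, record)
        else:
            attributes.append((key, expand(value, record)))
    if template is None:
        raise ValueError("no CertificateTemplate entry")
    return template, attributes


# Constructed user record; the field value is the example given in the guide.
RECORD = {"EnrolmentUser": "asmith", "EmailAddress": "asmith@example.test"}
FIELD = r"CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}"

if __name__ == "__main__":
    print(expand("CN={EnrolmentUser}", RECORD))
    print(parse_additional_attributes(FIELD, RECORD))
```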
15.5 Utilising Certificates for VSDM
Once the certificate authority and certificate templates have been properly configured,
certificates can be leveraged within VSDM for a number of purposes, as detailed in the following
subsections.
15.5.1 Enterprise Wi-Fi, VPN, and EAS Authentication
Advanced Wi-Fi, VPN, and EAS configurations can now use certificates for authentication,
providing stronger security from unauthorised access than simple passwords. The VSDM can
automatically distribute these authentication certificates down to devices and configure the
device for Wi-Fi, VPN, or EAS access without any user interaction.
An overview of the process is as follows:
 Ensure that the Certificate Authority and Certificate Templates are properly configured,
then create a profile for your appropriate platform (iOS or Android for these capabilities).
o If you are using a static SSL certificate for all devices, you may skip this step and simply
upload the certificate into the VSDM for distribution.
 Complete all general profile settings and then choose either Credentials or SCEP
depending on the type of CA you have previously configured.
 From either page, specify all parameters to select the correct certificate to be used for Wi-Fi, VPN, or EAS authentication.
 On the Credentials profile page perform only the following:
o If you are using a static SSL certificate that does not depend on the user, choose
Upload as the credential source and upload the certificate.
o If you are generating a certificate from a CA for each user or device, ensure that your
credential source is Defined Certificate Authority and choose the correct certificate
template.
 Once you have completed the Credentials or SCEP profile settings, do not Save and
Publish.
 Select another payload in this profile for Wi-Fi, VPN, or EAS, depending on what the
certificate is being used for.
 Specify all settings for the chosen payload. Ensure that the authentication type utilises a
certificate and that the certificate you deployed in the Credentials or SCEP profile is
chosen.
o If authentication to the CA requires a trust (typically for internal certificate authorities),
also ensure that you have uploaded and selected the option to use a CA Root Trust
certificate.
 When complete, Save and Publish.
15.5.2 S/MIME Email Signing and Encryption
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key
encryption and signing which has become the standard for email signing and encryption. The
VSDM can automatically distribute certificates and configure email or Exchange ActiveSync to
utilise S/MIME signing and encryption without user interaction.
An overview of the process is as follows:
 Ensure that the Certificate Authority and Certificate Templates are properly configured,
then create a profile for your appropriate platform (iOS or Android for these capabilities).
o If you are using a static SSL certificate that is used for all devices, you may skip this step
and simply upload the certificate into the VSDM for distribution.
 Complete all general profile settings and then choose either Credentials or SCEP
depending on the type of CA you have previously configured.
 From either page, specify all parameters to select the correct certificate to be used for Wi-Fi, VPN, or EAS authentication.
 From the Credentials profile page perform only the following:
o If you are using a static SSL certificate that does not depend on the user, choose
Upload as the credential source and upload the certificate.
o If you are generating a certificate from a CA for each user or device, ensure that your
credential source is Defined Certificate Authority and choose the proper certificate
template.
 Once you have completed the Credentials or SCEP profile settings, do not Save and
Publish.
 Select another payload in this profile for Email, or EAS, depending on your type of email
infrastructure.
 Specify all settings for the chosen payload and ensure that Use S/MIME is ticked. Also
ensure that the certificate that was selected in the Credentials or SCEP payload is being used for
either signing or encryption as shown.
 When complete, choose Save and Publish.
For additional information or assistance configuring certificates with Vodafone, contact Vodafone
Support.*
*New Feature in VSDM Release 3
16 Security and Compliance
The VSDM uses a customisable compliance engine to allow for robust compliance policy creation
and enforcement. The compliance capabilities allow administrators to protect proprietary
corporate data from unwanted exposure and to set rules for handling non-compliant activity on
managed devices. These compliance policies are centrally managed from the Compliance page
in the VSDM.
To navigate to the Compliance page, select Profiles & Policies > Compliance. From here, the
administrator can create several different types of compliance policies and establish
enforcement criteria:
 Device Policies - Device policies allow the administrator to create customised compliance
policies based on device criteria such as operating system, compromised status, and
application lists. All enforcement actions are customised in Device Policies.
 Email Compliance Policies - Email compliance policies include general rules for
accessing corporate Email in addition to enhanced Email access policies that are only
applicable to managed devices. For information on Email policies, please refer to Email
Compliance Policies.
Note: Email compliance policies are applicable when the SEG is installed on the device.
 Application Groups - Application policies are created based on custom groups of
blacklisted, whitelisted, and required applications. In order to configure application
compliance enforcement, first build lists of applications using Application Groups, then
create compliance policies and actions using Device Policies.
16.1 Passcode and Restrictions Profiles Overview
In addition to the compliance engine, passcode and device restrictions provide further protection
to managed devices:
 Passcode compliance policies include the ability to enforce passcodes, set passcode
complexity, and manage auto-lock and passcode history settings.
 Restrictions profiles allow the administrator to prohibit and control the use of
device-specific functionality such as app installation, the device camera, and other similar
functionality.
To set Passcode and Restrictions profiles on individual devices, please refer to Creating
Profiles.
16.2 Building Device Compliance Policies
Device compliance policies allow administrators to identify device-specific compliance policies
and instruct the VSDM to perform administrative actions on those devices when specific criteria
are met. This might include rules for a noncompliant operating system, a compromised device, or
a SIM card in a device having changed.
Using the compliance actions and escalations available, administrators can construct
customised, robust device policies to enforce corporate security policies.
Use the following steps to create a device compliance policy:
1. Navigate to Profiles & Policies > Compliance.
2. Click Add to create a new policy or click Edit under the Actions menu of an existing policy
to edit. The tabs at the top of the page represent the steps and criteria for creating a
compliance policy. The default view is the Rules tab.
16.2.1 Define Rules
1. Define the Rules.
2. Use the dropdown menu at the top of the page to choose whether to match All or Any of
the compliance rules (default option is All).
3. Choose the compliance area from the dropdown menu. The categories include:
o Application List (to determine if apps are blacklisted, whitelisted, or required, you need
to first configure Application Groups)
o Compromised Status
o Encryption
o Interactive Profile Expiry
o Last Compromised Scan
o Model
o OS Version
o Passcode
o Roaming
o SIM Card Change
4. Choose the appropriate rule statement from the middle dropdown menu (e.g., Contains
blacklisted App, Is Compromised, Is Roaming, etc.)
o Available selections in the middle dropdown are customised to the different
compliance areas; therefore, the dropdown menu options differ depending on the
selected rule compliance area.
5. If a third piece of information is necessary for the given rule (such as the specific operating
system, etc.), select this information from the dropdown menu.
Rule                 Statement
Compromised Status   Is Compromised
Application List     Contains blacklisted App
6. To add a related rule, click Add Rule.
7. Click the Match dropdown and select either match All or Any of the rules you created.
8. Proceed to the Actions tab, by clicking Next at the bottom of the page.
16.2.2 Actions
The VSDM enables the administrator to designate custom actions to perform on the device when
it is detected as noncompliant, and escalation actions if the device continues to be noncompliant.
 On the Actions tab, select the action from the first dropdown menu (Application
Compliance, Command, Notify, or Profile). This would be the first action performed on a
non-compliant device.
 Select the specific action to immediately perform (such as 'Send push notification').
o If you select an action that involves removing any profiles or applications, those
resources are automatically re-installed when the device becomes compliant (no end-user
interaction is required).
o Removal of applications only applies to supported devices.
 Complete required information (such as the message template or profile type) from the
final dropdown menu.
o For notifications: Select an existing template, or create a new template in
Configuration > System Settings > System > General > Message Templates.
 Click Next to proceed to the Assignment tab, or Add Escalation to create an escalation
policy that defines the next action to take if the user does not comply after the first.
o Customise the time frame and action for each escalation, and add any additional
escalations.
 Click Next when finished.
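The difference between matching All and Any of the rules, and the order in which escalations are reached, can be seen in a small model. This is an added example, not the VSDM compliance engine and not from the original guide: the device record keys, the application identifiers and the action labels other than 'Send push notification' are constructed, and each escalation's time frame is assumed to be counted from the previous action.

```python
from dataclasses import dataclass, field

# Rule statements quoted in the guide, as predicates over a device record.
# The record keys (compromised, roaming, apps) are assumptions of this model.
STATEMENTS = {
    ("Compromised Status", "Is Compromised"):
        lambda device, policy: device["compromised"],
    ("Roaming", "Is Roaming"):
        lambda device, policy: device["roaming"],
    ("Application List", "Contains blacklisted App"):
        lambda device, policy: bool(set(device["apps"]) & policy.blacklist),
}


@dataclass
class Policy:
    match: str                         # "All" or "Any", the Match dropdown
    rules: list                        # [(compliance area, statement), ...]
    action: str                        # first action on a non-compliant device
    escalations: list = field(default_factory=list)   # [(hours_to_wait, action)]
    blacklist: frozenset = frozenset()  # from a blacklisted Application Group


def is_noncompliant(policy, device):
    """Apply the rules with All/Any matching; an empty rule list matches nothing."""
    if policy.match not in ("All", "Any"):
        raise ValueError(f"unknown match mode {policy.match!r}")
    if not policy.rules:
        return False                   # all([]) is True and would flag every device
    results = [STATEMENTS[rule](device, policy) for rule in policy.rules]
    return all(results) if policy.match == "All" else any(results)


def actions_due(policy, device, hours_noncompliant):
    """Return the actions reached once the device has stayed non-compliant."""
    if not is_noncompliant(policy, device):
        return []
    due, elapsed = [policy.action], 0
    for wait_hours, action in policy.escalations:
        elapsed += wait_hours          # assumption: each wait follows the previous action
        if hours_noncompliant < elapsed:
            break
        due.append(action)
    return due


# Constructed sample: a compromised device with no blacklisted application.
DEVICE = {"compromised": True, "roaming": False, "apps": ["com.example.mail"]}
RULES = [("Compromised Status", "Is Compromised"),
         ("Application List", "Contains blacklisted App")]
ESCALATIONS = [(24, "Notify: Send Email"), (48, "Profile: Remove profiles")]


def build(match):
    """Build the same policy with a different Match setting."""
    return Policy(match, RULES, "Notify: Send push notification", ESCALATIONS,
                  frozenset({"com.example.sideloader"}))


if __name__ == "__main__":
    for match in ("All", "Any"):
        for hours in (0, 30, 72):
            print(match, hours, actions_due(build(match), DEVICE, hours))
```

With All selected, the compromised device in the sample is never actioned because it carries no blacklisted application; with Any selected, it is.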
16.2.3 Assignment
The Assignment tab is used to select the devices/users to which the policy can be applied.
 Select the device and user criteria for the compliance policy.
 Click Next.
Review the Summary
From the Summary tab, the administrator can summarise the compliance policy for reference in
the VSDM (General) and display the number of devices that the policy would affect (Device
Summary).
 Go to Summary tab and enter a name and description for the compliance policy. The
Device Summary displays the status of devices in the selected location or user group.
 The compliance policy is complete.
o To apply the policy, click Finish and Activate.
o To just save the policy, select Finish.
Note: For Application Compliance Policies - Some application compliance policies require the
administrator to define application groups to identify applications that are blacklisted,
whitelisted, and required.
16.3
Application Groups and Policies
Application compliance policies enable administrators to enforce corporate compliance by
restricting access to unauthorised applications and ensuring that required applications are
present on corporate devices. The administrator can designate blacklisted, whitelisted, and
required application lists and perform administrative actions if the VSDM detects a non-compliant
application list. There are several components in the VSDM that enable administrators to build
and enforce application compliance policies:
 Application groups - created to specify blacklisted, whitelisted, and required applications.
 Device Compliance Policies - Built to designate actions for non-compliant applications.
Refer to the Device compliance policies section.
 Application Restriction profiles - Deployed (to supported Android devices) to enforce
application restrictions and requirements.
16.3.1
Define Application Groups
Application policies are created and managed according to groups (lists) of applications.
Use the following steps to create or edit a list of blacklisted, whitelisted, or required applications:
1. Go to the Compliance page and select Application Groups from the left sidebar of the
page.
2. Select Add Group to create a new application group (or, to edit an existing application
group, select Actions at the end of the row and choose Edit).
3. Select or complete the application information fields on the List and Assignment tabs:
o Type - The type of application compliance policy:
 Blacklist - Applications not allowed on the device.
 Whitelist - Only these applications are allowed to be on the device.
 Required - These applications must be installed on the device.
o Platform - The device platform to which the application compliance policy applies.
Currently, the only platform options available are iOS and Android.
o Name - The name of the policy for reference in the VSDM (for example, 'Apple
Blacklisted Games'.)
o Application Name - The name of the application for which you are creating a
compliance rule.
o Enter the Application ID and optionally enter the application Version.
 Specifying the application ID allows VSDM to more accurately detect devices that
have the blacklisted application installed. It identifies applications by the exact
bundle ID rather than simply searching for the application name as entered in the
Application Name field.
 To specify any version of the app, enter an asterisk (*) in the Version field to act as a
wildcard.
4. Click Add Application to add applications to the list.
5. Click Next to proceed to the Assignment tab.
6. Select the device and user criteria for the application list (for example, you may wish to
apply stricter application policies to corporate owned devices).
o Device Ownership - Specifying a device ownership type (Corporate-Dedicated,
Corporate-Shared, or Employee Owned) limits deployment to only the devices that
belong to the specified device ownership group. Distinguishing between corporate and
employee owned devices allows for maximum privacy and protection.
o Model - Optionally designate specific device models to which the application group
policy is to be deployed.
o Operating System - Optionally, designate specific operating systems to which the
application group policy is to be deployed.
o Managed By - Select the location group level that manages this Application Group.
o Location Groups - Enter the Location groups to which this application group is
assigned.
o User Groups - Optionally select user groups (if you are leveraging user groups in the
VSDM) as an additional assignment filter for the application group.
7. Click Finish.
You may create additional application groups if needed, then apply the application policies to
devices and users. Refer to the Building Device Compliance Policies and deploying Android
Application Restriction Profiles section.
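The matching behaviour described in 16.3.1 can be modelled as follows. This is an added example, not code from the VSDM or from this guide; the class and function names, the sample inventory and the treatment of a version-pinned Required rule are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    name: str      # display name reported by the device
    app_id: str    # bundle ID (iOS) or package name (Android)
    version: str


@dataclass(frozen=True)
class AppRule:
    name: str           # "Application Name" field
    app_id: str         # "Application ID" field
    version: str = "*"  # "*" is the any-version wildcard from the guide


@dataclass(frozen=True)
class AppGroup:
    name: str
    group_type: str     # "Blacklist", "Whitelist" or "Required"
    platform: str       # "iOS" or "Android"
    rules: tuple


def rule_matches(rule, app):
    """Exact Application ID match; version must be equal unless it is '*'."""
    return rule.app_id == app.app_id and rule.version in ("*", app.version)


def evaluate_group(group, platform, installed):
    """Return (finding, app_id) tuples for one device's application list."""
    if group.platform != platform:
        return []  # the group does not apply to this device platform
    findings = []
    if group.group_type == "Blacklist":
        for app in installed:
            if any(rule_matches(r, app) for r in group.rules):
                findings.append(("blacklisted", app.app_id))
    elif group.group_type == "Whitelist":
        for app in installed:
            if not any(rule_matches(r, app) for r in group.rules):
                findings.append(("not-whitelisted", app.app_id))
    elif group.group_type == "Required":
        # Assumption: a pinned version means that exact version must be present.
        for rule in group.rules:
            if not any(rule_matches(rule, app) for app in installed):
                findings.append(("missing", rule.app_id))
    else:
        raise ValueError("unknown group type: %r" % group.group_type)
    return findings


def name_search_hits(term, installed):
    """Name-only search, shown for contrast with Application ID matching."""
    return [a.app_id for a in installed if term.lower() in a.name.lower()]


# Constructed sample inventory for one Android device (not real applications).
INSTALLED = (
    InstalledApp("Chess Free", "com.example.chessfree", "2.1"),
    InstalledApp("Chess Training for Sales", "com.example.corp.training", "1.0"),
    InstalledApp("Corp VPN", "com.example.corp.vpn", "3.4"),
)

BLACKLIST = AppGroup("Android Blacklisted Games", "Blacklist", "Android",
                     (AppRule("Chess Free", "com.example.chessfree"),))
WHITELIST = AppGroup("Android Approved Apps", "Whitelist", "Android",
                     (AppRule("Corp VPN", "com.example.corp.vpn"),
                      AppRule("Chess Training for Sales", "com.example.corp.training")))
REQUIRED_PINNED = AppGroup("Android Required Apps", "Required", "Android",
                           (AppRule("Corp VPN", "com.example.corp.vpn", "3.5"),))

if __name__ == "__main__":
    for group in (BLACKLIST, WHITELIST, REQUIRED_PINNED):
        print(group.name, evaluate_group(group, "Android", INSTALLED))
    print("name search for 'chess':", name_search_hits("chess", INSTALLED))
```

The name-only search also flags the corporate training app, which is the false positive that entering the Application ID avoids.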
16.3.2
Android Application Restriction Profiles
There are certain application restrictions for supported Android devices that are enforced through
an application restriction profile. Device compliance policies can be used in addition to these
restrictions, but the profile controls the specific actions defined by these restrictions. The settings
enabled or disabled through the application control profile are:
 Prevent installing (or automatically remove) blacklisted apps on SAFE devices and LGv1.0+
devices.**
 Prevent un-installing required apps on SAFE devices and LGv1.0+ devices.**
 Only allow installation of whitelisted apps on SAFE v2+ devices.**
Use the following steps to enforce these restrictions:
1. Define the application blacklist or required list by creating Application Groups.
2. Create the application control profile by navigating to Profiles > Add Profile > Android >
Application Control.
3. Ensure the appropriate checkboxes are ticked and Save or Save and publish the profile.
**New Feature in VSDM Release 3
16.4
Secure Channel Certificate
The secure channel certificate allows encrypted communication between the VSDM and a device.
Enabling this option allows all information such as device details, device status, and support
information to be communicated in a secure way. This provides an extra layer of security for
corporate data.
Use the following steps to enable this option:
1. Navigate to Configurations > System Settings > System > Advanced. The secure
channel certificate is by default part of the VSDM installation. This certificate is inherited
from Global location group and cannot be edited at any of the child location group levels.
2. Tick the 'Block Non-Secure Channel Device Access' checkbox on the VSDM to activate.
Platforms supported
 iOS.
 Android.
 Symbian.
 Blackberry.
16.5
Privacy Policy
Administrators can set complex privacy policies within the VSDM. These policies apply to specific
device ownership types within Location Groups (ownership types are: 'Corporate - Dedicated',
'Corporate - Shared', 'Employee Owned', and 'Unassigned').
Use the following steps to access and amend privacy policies:
1. Navigate to Configuration > System Settings > Device > General > Privacy.
For each privacy policy, administrators have three options for handling device
information. The policies are defined by a filled circle, half-circle, or an empty
circle at the top of the screen.
o Collect and Display - The information is collected so that administrators can view the
data in the VSDM.
o Collect - The information is collected but administrators cannot view the data.
o Do Not Collect - The information is not collected.
2. Adjust the privacy policy information settings by moving the mouse over the circle that
matches up with the privacy policy and device ownership type. A small popup menu
displays the privacy setting options:
o Click the appropriate icon to change the setting.
3. Click Save to finish the process and immediately apply the settings.
16.5.1
Commands Privacy
The Commands section at the bottom of the page allows the administrator to restrict certain
commands based on device ownership type.
A full circle indicates that a command is allowed, while an empty circle indicates that the
command is disabled. Currently, the only command that can be allowed or disallowed is Full
Wipe.
1. Click the appropriate circle to choose the desired permissions.
2. Click Save to immediately apply the settings.
Note: The Privacy Settings explained above affect whether or not device and user information is
displayed both on the VSDM and on the Self-Service Portal. Please be aware of the privacy
settings in place when navigating through user and device information (especially the pages
explained in the following sections: Device Information, Device Details, Remote Actions, and
Device Details Management).
Many of the Self-Service Portal and Device Wipe settings are determined by both Privacy settings
and Role settings (Users > Admin Accounts). If multiple settings are in place, the strictest policy is
enforced.
16.6
Important Security and Compliance Considerations
 To provide maximum security and data protection for both end-users and the managing
enterprise, privacy settings work in conjunction with Role Configuration. In order to ensure
that the configured privacy settings are correctly implemented, it is recommended that
you make a note of the following role settings:
o User Role Settings (Users > User Accounts > Roles) control the display of user and
device data in the Self-Service Portal (SSP).
o Administrator Role Settings (Users > Admin Accounts > Roles) control the display
of user and device data in the VSDM as well as the ability to perform a full device wipe.
 Be consistent when deploying multiple compliance or passcode policies. If multiple
policies are in place, the most restrictive policy is enforced.
 Use the Device Compliance Dashboard (Dashboards > Dashboard, then select Device
Compliance from the Available Views) for a top-level view of:
o Device compliance (general).
o Device password compliance.
o Device encryption compliance.
 To more efficiently manage bulk Email accounts, use lookup values whenever possible.
 For maximum Email security, use Email profiles in conjunction with the Vodafone Secure
Email Gateway.
17
Reports and Alerts
17.1
Reports
The VSDM has extensive reporting capabilities that provide administrators with actionable, result-driven statistics about their device fleets. Administrators can use these pre-defined reports or
create custom reports based on specific devices, user groups, date ranges, or file preferences.
In addition, an administrator can schedule any of these reports for automated distribution to a
group of users and recipients on either a defined schedule or a recurring basis. These features are
all centralised within the VSDM.
To access the Reports page, navigate to Reports & Alerts > Reports. From here, there are
several key pieces of functionality that administrators can use to leverage the VSDM's reporting
capabilities:
17.1.1
Generate Custom Reports
Administrators can create custom reports on the fly through the VSDM.
Use the following steps to generate a custom report:
 Navigate to the Reports page at Reports & Alerts > Reports.
 Select a pre-defined report template from the list, then click the Actions menu on the right
and select View.
 Specify all of the report parameters. Required fields are denoted with a red asterisk*.
 Select View Report.
17.1.2
Add a Report to My Reports
Adding a report to My Reports allows administrators to essentially “bookmark” popular reports
that they find particularly useful.
Use the following steps to add a report to My Reports:
 Navigate to the Reports page at Reports & Alerts > Reports.
 Select a pre-defined report template from the list, click the Actions menu on the right and
select Add to My Reports.
 Go to My Reports View on the left side of the Reports page to check that the report is now
accessible.
17.1.3
Create Report Subscriptions
Report subscriptions can be used to send custom generated reports to specific recipients at a
scheduled occurrence.
Use the following steps to subscribe to a report:
 Navigate to the Reports page at Reports & Alerts > Reports.
 Select a pre-defined report template from the list, click the Actions menu on the right and
select Subscribe.
 Complete the Report Subscriptions form with all required information.
o General Information - The name of the subscription, the email subject, etc.
o Report Parameters - The parameters defining the scope and options of the report.
o Distribution List - The recipients who receive the custom report whenever the
subscription is executed.
o Execution Schedule - The time and schedule at which the custom report is
generated.
 Click Save.
17.1.4
Additional Reporting Tools
There are also several other additional tools that help administrators utilise the VSDM's reporting
capabilities:
 Search Assistance Tools - The Report Category dropdown and Search box at the top of
the reports page make finding particular reports very simple.
 Report Samples Tool - To view a sample output from a particular report, click the Actions
menu on the right and then select Sample.
 Report Export Tool - To export a report in one of several formats, use the Export Bar on a
custom generated report.
17.2
Alerts
Alerts provide administrators with the ability to receive immediate notifications when specific
events occur across the managed smart device fleet. They are comprised of two components:
 A Creation Policy that describes the criteria that must be met to trigger the alert.
 A Routing Policy that describes what devices are being monitored, when the alert should
be sent and who receives it.
17.2.1
Creation Policies
Use the following steps to add a new creation policy:
1. Navigate to Configuration > Alert Setup > Creation Policy. A list of all available creation
policies can be seen.
2. Click Add Creation Policy to open the Add Creation Policy form (or select Edit to the left
of an existing policy to edit the details).
3. Enter all the required information.
o Description - The name of the creation policy that is displayed in the VSDM.
o Resource - The type of resource that is going to be monitored. Select Device to
monitor the smart device fleet.
o Attribute - The parameter that is used to determine when an alert should be triggered.
o Comparison Operator - The comparison operator to test whether the attribute
triggers an alert.
o Value - The value that triggers the alert when (Attribute) <Comparison Operator>
(Value) = True.
o Duration - The duration that the alert lasts before stopping.
4. Click Save to complete the process.
17.2.2
Routing Policies
Use the following steps to create a routing policy:
1. Navigate to Configuration > Alert Setup > Routing Policy.
2. Click Add Routing Policy to open the Add Routing Policy form.
3. Complete the information in the Criteria tab.
o Creation Policy - The creation policy that triggers the alert.
o Location Group - The location group that contains the devices that are being
monitored for the creation policy criteria.
o Location - The location that contains the devices that are being monitored for the
creation policy criteria. The default is Any.
o Device - Any specific devices that are being monitored for this creation policy. The
default is Any.
o Sample Time and Sample Days - The date and time at which this policy is tested on
the selected devices.
o Severity & Priority - Metrics to organise alerts in terms of priority and severity for
administrative purposes.
o Consolidation Window - The consolidation window defines a time period for trigger
consolidation. A single alert is sent in the time period defined, regardless of how many
triggers are generated by a specific creation and routing policy.
4. Select the Preferences tab to configure the recipients of the alerts:
o User Alerting - Select an administrative user or users to receive the alert.
o Role Alerting - Select a location group and subsequent role to receive this alert. To
add additional roles, click Add Role.
5. Click Save to complete this process.
17.2.3
View Alerts
Once alerts have been created, they can be viewed in several ways:
1. To view alerts received by a user or role, navigate to Reports & Analytics > Alerts and
select My Alerts.
2. To view alerts that were triggered by a particular device, go to the Device Details page or
click Alerts under System Activity.
17.3
Important Report and Alert considerations
To enable the highest level of control and security over distribution of report information across
the enterprise, edit role-based access to reports by navigating to Users > User Accounts > Add
Role. Report Access can be enabled or disabled by ticking the checkboxes under Resource
Categories.
17.4
Syslog
Syslog is a client/server protocol used to integrate the event log data from the VSDM on a
separate server in a reliable and secure way. Syslog is used in the VSDM for logging and storing
event records that have occurred in the VSDM and on managed devices. The Syslog protocol
transmits event notification and alert messages across the network using the UDP or TCP protocol.
Messages are sent by the operating system (BSD Unix) to the VSDM at the start or end of a process. The
two major reasons for having a centralised Syslog server are:
 For Security - When an administrator wants to keep some of the event logs safely off-site in
a secure location, the Syslog server is used for this purpose.
 For Convenience - In the event of a crashed server, the administrator can check the kernel
error logs on the centralised Syslog server. The Syslog pattern for various dates over an
extended time can also be checked and the log files from the Syslog server can be
matched, searched, and replaced at any time.
Note: This feature is for on-premise customers only.
17.5
Integrate Syslog
Use the following steps to configure Syslog integration:
1. Navigate to Configuration > System Settings > Admin > Syslog.
2. Complete the following information:
o Server URL - Enter the Syslog server URL to store event logs.
o Protocol - Enter the protocol type for the VSDM and the Syslog server to use to
communicate, either UDP or TCP.
o Port - Enter the destination port number that the VSDM server uses to send Syslog data to
the Syslog server. When sending messages using:
 UDP, the destination port is usually 514. This is the default port setting.
 TCP, the destination port is usually 1468.
o Syslog Facility - The Syslog facility lists the type of messages that are to be sent to the
server. Select a Syslog facility from the drop down list.
o Event Types Logged
 Tick the Console checkbox to send console events.
 Tick the Device checkbox to send device events.
o Message Tag - Enter a message tag to help the Syslog server to identify where the
message came from.
o Message Content - Enter the information that should be included in the message.
 Include lookup value helper control with: {EventType}, {Event}, {User}, {EventSource},
{EventModule}, {EventCategory}, {EventData}
o Click Save or click Test Connection to test the connection setup.
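The settings above (Syslog Facility, Message Tag and a Message Content template built from the lookup values) determine what the receiving Syslog server has to parse. The following is an added example, not VSDM code: it assumes BSD-style (RFC 3164) framing, a pipe-delimited Message Content template, the tag VSDM, the host name vsdm01 and constructed event values, none of which come from the guide.

```python
import re

# Lookup values listed in the guide for the Message Content field.
LOOKUPS = ("EventType", "Event", "User", "EventSource",
           "EventModule", "EventCategory", "EventData")

# Assumed template: one lookup value per pipe-delimited field.
TEMPLATE = "|".join("{%s}" % name for name in LOOKUPS)


def clean(value):
    """Neutralise control characters (CR/LF included) and the field delimiter
    so that one event can never become two records on the collector."""
    return re.sub(r"[\x00-\x1f\x7f|]", "_", str(value))


def render(template, event):
    """Substitute the known lookup values; unknown placeholders stay as-is."""
    def substitute(match):
        key = match.group(1)
        return clean(event.get(key, "")) if key in LOOKUPS else match.group(0)
    return re.sub(r"\{(\w+)\}", substitute, template)


def build_frame(facility, severity, timestamp, host, tag, content):
    """Build '<PRI>TIMESTAMP HOST TAG: CONTENT' with PRI = facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, timestamp, host, tag, content)


FRAME_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_frame(line, expected_tag):
    """Collector side: return a dict of fields, or None if the line is not a
    well-formed record carrying the expected Message Tag."""
    match = FRAME_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191 or match.group(4) != expected_tag:
        return None
    fields = match.group(5).split("|")
    if len(fields) != len(LOOKUPS):
        return None
    record = dict(zip(LOOKUPS, fields))
    record["facility"], record["severity"] = divmod(pri, 8)
    record["host"] = match.group(3)
    return record


# Constructed sample event (values are illustrative, not real VSDM output).
EVENT = {
    "EventType": "Device", "Event": "ComplianceStatusChanged", "User": "jsmith",
    "EventSource": "Device", "EventModule": "Compliance",
    "EventCategory": "Policy", "EventData": "status=NonCompliant",
}

if __name__ == "__main__":
    # Facility 16 (local0) and severity 6 (informational) give PRI 134.
    frame = build_frame(16, 6, "Mar  5 10:15:02", "vsdm01", "VSDM",
                        render(TEMPLATE, EVENT))
    print(frame)
    print(parse_frame(frame, "VSDM"))
```

Over TCP the collector also needs a record delimiter (commonly a trailing newline), which is why embedded line breaks are replaced before the message is sent.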
17.5.1
Schedule Logging Frequency
Once the integration is complete, the administrator needs to schedule the time frequency limits.
This defines how often the console server has to send Syslog data to the Syslog server.
Use the following steps to define the time frequency limit by using the Scheduler:
1. Navigate to Configuration > System Settings > Device > General > Scheduler. The
Scheduler has a built-in task called Syslog Task, where the time frequency is set.
2. Click Edit. The Syslog Task page displays. The administrator has permission to edit this Syslog
Task only at the Global level.
3. Complete the following information:
o Recurrence Type - Select a recurrence type and the corresponding frequency to send
Syslog data to the Syslog server. The different recurrence types available are:
 Daily.
 Weekly.
 Monthly.
 Time-Based.
o Range - Enter the start and end date and timings.
4. Click Save, to save the schedule details.
18
Enterprise Integration
The VSDM has extensive capabilities to help corporations easily integrate their VSDM solution
with existing enterprise systems. The integration allows users to authenticate using enterprise
directory service credentials and provides even deeper integration with enterprise systems by
allowing the administrator to leverage AD/LDAP user groups in the VSDM. Furthermore, the use
of device management APIs, which can be integrated into third party or internal applications,
provides a high level of both management and security.
18.1
Lightweight Directory Access Protocol (LDAP) and
Active Directory (AD) Integration
Vodafone integrates with the existing idea of LDAP User Groups to make user enrolment and
management both flexible and intuitive. Lightweight Directory Access Protocol (LDAP) server
assigns User Groups based on pre-existing grouping systems (as defined by corporate Email,
Usernames, or other distinguishing variables). New User Group management capabilities include:
 LDAP Synchronisation - Vodafone adopts the existing organisational identifiers and
regularly syncs with the native database to automatically detect and apply any changes.
 Increased user group management capabilities, such as adding profiles and compliance
policies to entire Location Groups and performing device syncs across the Location Groups.
 More application management flexibility: Add or remove applications for entire Location
Groups.
18.1.1
System Authentication
Integration of the VSDM server with a corporate directory services server provides directory based
account access and enables the administrator to leverage LDAP/AD groups in the VSDM. When
creating user accounts, settings can be identical or different (explained in the next section).
Use the following steps to configure LDAP or AD integration:
1. Navigate to Configuration > System Settings > System > Directory Services. The
Directory Services page displays the fields in the Server tab.
2. Complete the server information in the fields as follows:
o Directory Type - Select the directory type for LDAP. The options include Active
Directory, LDAP, Novell eDirectory, and Lotus Domino.
o Server - Enter the address of the directory services server.
o Encryption Type - Select the type of encryption used for directory services
communication. The default is None.
o Port - Enter the TCP port used to communicate with the directory services server. The
default for unencrypted DS communication is 389. Only SaaS environments allow SSL
encrypted traffic using port 636 (Vodafone SaaS IP range: 205.139.50.0 /23).
o Verify SSL Certificate - Tick this check box to receive SSL errors when the encryption
type is None.
o Protocol Version - Select the version of the LDAP protocol in use. Active Directory
uses LDAP versions 2 or 3.
o Use Service Account Credentials - Tick this to enable EIS user credentials.*
o Bind Authentication Type - Select the type of bind authentication that is used in
order for the VSDM server to communicate with the directory services server.
o Bind Username & Bind Password - Enter the credentials to authenticate with the
directory server. This account allows read access permission on your directory server
and binds the connection when authenticating the users.
o Default Domain - Enter the default domain for any directory based user accounts. If
only one domain is used for all directory user accounts, fill in the field with the domain
so that users are authenticated without explicitly stating their domain.
o Search Subdomains - Select the checkbox to enable subdomain search for the user.
o Use SAML for Authentication - Tick the checkbox to enable SAML as the mode for
authentication. The following sections are displayed:
 SAML 2.0.
o Request.
o Response.
o Certificate.
SAML 2.0
o Import Identity Provider Settings - This feature allows the administrator to import
SAML metadata obtained from the identity provider. This should be in XML format.
o Service Provider (Vodafone) ID - This value specifies a URI with which Vodafone
identifies itself to the identity provider. This value must match the ID that has been
configured as trusted by the identity provider.
o Identity Provider ID - This value specifies a URI that the identity provider uses to
identify itself. Vodafone checks authentication responses to verify that the identity
matches the ID provided in this field.
Request
o Request Binding Type - The binding types of the request. The options include
Redirect, POST, and Artifact.
o Identity Provider Single Sign On Url - This value specifies the identity provider URL
that Vodafone uses to send requests.
o NameID Format - This value specifies the format in which the identity provider should
send a NameID for an authenticated user. This value is not required as Vodafone
obtains the username from the FriendlyName 'UID' required attribute.
o Authentication Request Security - This value specifies whether or not Vodafone
should sign authentication request messages.
Response
o Response Binding Type - This value determines the binding type of the response.
o Sp Assertion Url - This value specifies the Vodafone URL which should be configured
by the identity provider to direct its authentication responses. “Assertions” regarding
the authenticated user are included in success responses from the identity provider.
o Authentication Response Security - This value specifies whether or not the response
is signed.
Certificate
o Upload the Identity Provider Certificate
o Click Save and proceed to the User tab.
Complete the User information in the fields as follows:
 Base DN - Specify the directory folders/locations for users. For example, the format for
global.mycompany.com might be: 'DC=global, DC=mycompany, DC=com'.
o Search Subdomains - Enable subdomain searching to find nested user groups or
disable this feature for faster searches.
 Click Show Advanced.
o User Object Class - Enter an appropriate Object Class.
o User Search Filter - Enter the search parameter used to associate user accounts with
active directory accounts. The recommended format is
<LDAPUserIdentifier>={EnrolmentUser} where <LDAPUserIdentifier> is the parameter
used on the directory services server to identify the specific user.
 For AD servers, use samAccountName={EnrolmentUser}.
 For LDAP servers, use CN={EnrolmentUser} or UID={EnrolmentUser}.
o User Object Class - Enter in the appropriate Object Class; in most cases this value
should be 'user'.
Sync
The sync settings apply only if you are leveraging user groups in the VSDM.
 Auto Merge - Tick this checkbox to allow user group updates from AD/LDAP to auto-merge
with the associated users and groups in the VSDM.
 Automatically Set Disabled Users to Inactive - Tick this checkbox to deactivate the
associated user in the VSDM when a user is disabled in AD/LDAP.
 Value for Disabled Status - Use this field to specify the bit value that defines a disabled
user in your LDAP system (the standard value is 2) and select from the dropdown menu
whether the value needs to match the individual user-disable flag or the entire status value:
o Flag Bit Match - Choose this value to only determine disabled status by checking the
individual accountdisable flag within the userAccountControl attribute.
o Value Exact Match - Choose this value if the disabled status is defined by exactly
matching an entire value (the userAccountControl attribute).
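The difference between Flag Bit Match and Value Exact Match decides which directory-disabled users are deactivated when Automatically Set Disabled Users to Inactive is ticked. The following is an added example, not VSDM code: the function names and the directory entries are constructed, and the userAccountControl values are the usual Active Directory combinations (512 normal account, 2 account disabled, 65536 password never expires).

```python
def disabled_state(entry, disabled_value=2, mode="flag"):
    """Return True/False for disabled/enabled, or None when the status
    attribute is missing or not numeric (state unknown)."""
    raw = entry.get("userAccountControl")
    try:
        status = int(raw)  # LDAP attribute values arrive as strings
    except (TypeError, ValueError):
        return None
    if mode == "flag":
        # Flag Bit Match: only the disable bit(s) are tested.
        return (status & disabled_value) == disabled_value
    if mode == "exact":
        # Value Exact Match: the whole status value must be equal.
        return status == disabled_value
    raise ValueError("mode must be 'flag' or 'exact'")


def plan_sync(entries, disabled_value=2, mode="flag"):
    """Group users by what a sync would do with them under the chosen setting."""
    plan = {"deactivate": [], "keep_active": [], "unknown": []}
    for entry in entries:
        state = disabled_state(entry, disabled_value, mode)
        if state is None:
            bucket = "unknown"
        elif state:
            bucket = "deactivate"
        else:
            bucket = "keep_active"
        plan[bucket].append(entry["sAMAccountName"])
    return plan


# Constructed directory entries (not real accounts).
DIRECTORY = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # enabled
    {"sAMAccountName": "bob",   "userAccountControl": "514"},    # 512 + 2, disabled
    {"sAMAccountName": "carol", "userAccountControl": "66050"},  # 65536 + 512 + 2, disabled
    {"sAMAccountName": "dave",  "userAccountControl": "66048"},  # 65536 + 512, enabled
    {"sAMAccountName": "erin"},                                  # attribute not returned
]

if __name__ == "__main__":
    print("flag bit, value 2   :", plan_sync(DIRECTORY, 2, "flag"))
    print("exact match, value 2:", plan_sync(DIRECTORY, 2, "exact"))
    print("exact match, 514    :", plan_sync(DIRECTORY, 514, "exact"))
```

With these entries an exact match on 2 deactivates nobody and an exact match on 514 leaves carol active, so exact matching suits directories whose disabled status is a single fixed value rather than a bit field.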
Attribute
The Attribute columns show the mapping between the VSDM user attributes and your directory
attributes.
 To edit the values, click the pencil icon next to the Mapping Value and make the
necessary changes.
 Click Save and proceed to the Group tab.
Complete the Group information in the fields as follows:
 Group Base DN - If your users and groups are stored in the same place, this field is the
same as the user Base DN field. If they are not stored in the same location, replace the user
location with the group location.
 Group Object Class - Enter in the appropriate Object Class; in most cases this value should
be 'group'.
 Group Search Filter - Enter the search parameter used to associate user groups with AD
accounts.
 Maximum Allowable Changes - Enter the default value for the maximum number of user
changes allowed to be automatically merged from LDAP/AD.
Note: Administrators with appropriate editing permissions can manually specify
the value for the maximum number of allowable changes when new user groups
are added or by editing the user group settings for an existing user group.
 Auto Sync and Auto Merge Default - Tick these checkboxes to specify the default
settings for automatically syncing user group information with the VSDM and the default
setting for automatically saving detected changes in AD/LDAP in the VSDM.
Note: Administrators with appropriate editing permissions can manually specify
Auto Sync and Auto Merge settings when new user groups are added or by editing
the user group settings for an existing user group.
*New Feature in VSDM Release 3
18.2
User Account & Device Authentication
User accounts help define the association between devices and device end-users. The VSDM
allows several methods of user account creation, from a simple username/password
combination, to corporate LDAP integration through the cloud and SAML integration. For more
information please see the user account types section.
For any user account other than basic authentication, the VSDM must first be configured to
properly integrate with the corresponding infrastructure before user accounts can leverage the
respective authentication type. These settings can all be found by navigating to System Settings
> Device > General > Enrolment page under the Authentication tab.
The following sections describe how these user account authentication types can be configured
to enable the use of each security mechanism for enrolment and authentication in the VSDM.
1. Complete the General Enrolment information and settings.
2. Go to the Authentication view.
3. Select the appropriate Authentication Mode (you may select more than one authentication
type).
4. Complete the information for the associated authentication mode.
o Active Directory/LDAP Enrolment Configuration.
o Authentication Proxy Enrolment Configuration.
o SAML 2.0 Enrolment Configuration.
18.2.1 Active Directory / LDAP Enrolment Configuration
Active Directory/LDAP Integration is configured under System Settings > System > Directory
Services, but the settings on this page allow the administrator to further leverage AD/LDAP
integration during the enrolment process. After enabling Directory Services integration, navigate
to this screen, select Directory as the Authentication type, and specify the following additional
Enrolment Settings on the Authentication view:
• Tick the Don't Prompt for Group ID check box if you are using AD/LDAP integration to
pre-select the Group ID for the user (based on the Advanced Enrolment Settings).
• Click Save to save your settings.
18.2.2 Authentication Proxy Enrolment Configuration
Use the following steps to enable authentication proxy user accounts for use during enrolment:
• Navigate to the System Settings > Device > General > Enrolment page with the
Authentication tab selected.
• Tick Authentication Proxy to expand the Authentication Proxy menu.
• Complete the information in the following fields:
o Authentication Proxy URL - The URL of the Authentication Proxy Server that prompts
the user with HTTP or EAS authentication.
o Authentication Method Type - The type of Authentication Proxy endpoint. All types
other than EAS endpoints should select HTTP basic.
• Click Save to save your settings.
18.2.3 SAML 2.0 Enrolment Configuration
Complete the following steps to enable SAML 2.0 User Accounts for use during enrolment:
• Ensure that you are at System Settings > Device > General > Enrolment page with the
Authentication tab selected.
• Tick SAML 2.0 to expand the SAML 2.0 menu.
• Complete all appropriate fields as follows:
o Import Identity Provider Settings - This feature allows the administrator to import
SAML metadata obtained from the Identity Provider. Uploading this XML file sets some
of the configuration options shown in the SAML settings page. Most importantly, the
file includes the identity provider’s public key certificate, which is required for the
VSDM to trust the identity provider.
o SAML Binding Type - This value determines how the VSDM and the identity provider
exchange messages. SAML can be configured to allow the intermediate browser to ‘Post’ the
entire message, or it can send just a token known as an artifact, that represents the
data. The identity provider then contacts the sender to obtain the message through a
process called artifact resolution.
o Identity Provider ID - This value specifies a URI that the identity provider uses to
identify itself. The VSDM checks authentication responses to verify that the identity
matches the ID provided in this field.
o Service Provider ID - This value specifies a URI with which the VSDM identifies itself to
the identity provider. This value must match the ID that has been configured as
‘trusted’ by the identity provider.
o IDP SSO Post/Artifact - These values specify the identity provider URLs that the
VSDM uses to send requests for each binding type. These values are set automatically from
the imported metadata.
o IDP Artifact Resolution URL - This value specifies the URL at the identity provider
that the VSDM uses to resolve an artifact response to obtain the actual response
message. This value is set automatically from the imported metadata.
o Service Provider Assertion URL - This value specifies the VSDM URL to which the
identity provider should be configured to direct its authentication responses. 'Assertions'
regarding the authenticated user are included in success responses from the identity
provider.
o Service Provider Logout URL - This value specifies a URL to use for single logout.
This feature is not currently supported in VSDM Release 2.
o Service Provider Error URL - This value specifies a URL for displaying an error in the
SAML authentication process. This value can be left blank.
o Identity Provider Logout URL - This value specifies an identity provider’s URL to use
for single logout. This value is set automatically from the imported metadata.
o NameID Format - This value specifies the format in which the identity provider should
send a NameID for an authenticated user. This value is not required as the VSDM
obtains the username from the FriendlyName 'uid' required attribute.
o Ignore SSL Errors - This value specifies whether or not the VSDM server should check
SSL trust for the identity provider. If SSL errors are ignored, the VSDM server
communicates with the identity provider regardless of any SSL trust issues.
o Validate Identity Provider Certificate - This value specifies whether or not the VSDM
should check if authentication responses are signed with the expected identity
provider certificate. This value is only required when using 'Post', as the identity
provider may not sign responses when using artifact responses.
o Identity Provider Certificate - The identity provider’s public key certificate. This value
is set automatically from the imported metadata.
o Authentication Request Security - This value specifies whether or not the VSDM
should sign authentication request messages. This value must be set in order to
upload a service provider certificate.
o Service Provider Certificate - A private key certificate used by the VSDM to sign SAML
requests and to decrypt responses.
o Export Service Provider Settings - This feature allows VSDM SAML metadata to be
exported and supplied to the identity provider. Similar to 'Import Identity Provider
Settings', this feature allows the identity provider to import VSDM SAML metadata to
build trust.
• Click Save to save your settings.
When you are finished configuring the Authentication settings, proceed to the Location Group,
Role, and Restrictions views to specify the Advanced Enrolment Settings.
18.3 Advanced Enrolment Settings
When Enterprise Integration is enabled in the VSDM (through one of the Authentication Modes
specified in the Enrolment System Settings), administrators have the ability to leverage existing
organisational roles to configure and select Group IDs, Roles, and Restrictions in the VSDM. The
following views allow administrators to customise user roles and other enrolment settings based
on the user information that has been integrated into VSDM.
To access the Enrolment page, navigate to Configuration > System Settings > Device >
General > Enrolment.
18.3.1 Location Group*
The Location Group view enables the administrator to view and specify basic information
regarding Location Groups and Group IDs for end-users.
• Group ID Assignment Mode - Choose how the VSDM environment assigns users Group
IDs:
o Default - Select this option if users are to be provided with Group IDs to use upon
enrolment. The Group ID used determines what Location Group the user is assigned to.
o Prompt User To Select Group ID - Select this option if the administrator provides
users with a Group ID for them to enter upon enrolment.
• Group ID Assignment - This section lists all of the Location Groups for the
environment and their associated Group IDs.
o Automatically Select the Group ID - Select this option if the VSDM environment has
been integrated with AD/LDAP and users need to be automatically assigned to Location
Groups based on their AD/LDAP User Groups.
• Group Assignment Settings - This section lists all of the Location Groups for the
environment and their associated AD/LDAP User Groups.
• Click Edit Assignment to modify the Location Group/User Group associations.
Role
On the Role view, administrators can configure end-user roles for access and permissions based
on user group and Active Directory settings.
• The User Group and associated Roles are listed under the Group Assignment Settings
column.*
• Rank - The user group rank is used to determine which user group takes precedence if a
user belongs to multiple user groups. The user receives permissions for the highest-ranked
group to which they belong.
• Click Edit Assignment to edit the user group rankings and to assign enrolment roles to
specific user groups. The available roles are based on the roles configured in User
Accounts > Roles.
18.3.2 Restrictions
The Restrictions view allows the administrator to configure custom enrolment restriction
policies by Location Group and User Group roles. This page contains the tools necessary for
creating and applying enrolment restrictions to user groups:
• Create a Restrictions policy using the Policy Settings.
• Assign the policy to a user group under the Group Assignment Settings.
o Policy Settings
• All of the existing enrolment policies are listed in the Policy Settings section.
o Click Add Policy to create a new enrolment restriction (or click Actions to edit an existing policy).
o Specify the platforms that are allowed or denied for each enrolment policy.
o Indicate whether or not the policy is the default policy for the groups to which the policy applies.
o Group Assignment Settings
• The existing enrolment restriction assignments are listed according to user group in the
Group Assignment Settings section.
o Click Edit Group Policies to assign the existing enrolment policies to certain user groups.
Finish assigning the general enrolment permissions at the bottom of the screen:
• Tick the checkboxes to restrict enrolment to known users only or users that belong to
configured groups.
• Specify whether administrators in child location groups are allowed to create, edit, and
assign restriction policies.
*New Feature in VSDM Release 3
18.4 Email Integration
18.4.1 Email (SMTP)
Email messages sent from the VSDM are transmitted using the corporate Email gateway defined
in the Email (SMTP) settings menu. Users can receive email notifications for a variety of reasons,
including:
• Enrolment, user and device activation.
• Report subscriptions.
• Device messages.
• Purchased application (VPP) notifications.
18.4.2 Configure Email Settings
Use the following steps to configure email settings:
1. Navigate to Configuration > System Settings > System > Email (SMTP).
2. Complete the following information:
o Server - The address of the corporate Email (SMTP) server.
o Enable SSL - If ticked, the corporate Email server securely communicates with the
VSDM server over SSL. The default value is false (un-ticked).
o Port - The port over which the corporate Email server communicates with the VSDM
server. The default port is 25.
o Requires Credentials - If ticked, SMTP traffic for the corporate Email server requires
authorisation. The username and password fields are not required if authorisation is not
enabled.
o Timeout in Seconds - Defined in seconds, this value determines the amount of time
before the connection between the corporate Email server and the VSDM server times
out.
o Sender’s Name - The name of the sender that is displayed on any messages sent from
the VSDM server.
o Sender’s Email Address - The Email address of the sender that is displayed on any
messages sent from the VSDM server.
18.5 Enterprise Integration Service
When using the VSDM in the cloud, all integration with the enterprise systems can be seamlessly
encapsulated in encrypted HTTPS traffic relayed by one or more nodes (EIS relay / EIS endpoint).
This includes communications with:
• SMTP (Email Relay)
• Directory Services (LDAP / AD)
• Microsoft Certificate Services (PKI)
• Simple Certificate Enrolment Protocol (SCEP PKI)
• Exchange PowerShell (for certain Secure Email Gateways)
• BES (Sync users and mobile device information)
If using the VSDM in the cloud, setting up an EIS endpoint helps to integrate any of the above
systems behind your corporate firewall without the need for VPN tunnels or the need to open
network firewall ports to the desired systems.
18.5.1 Configuring EIS
To configure EIS you need:
• A server reachable from the Vodafone SaaS (allow inbound requests from 205.139.50.0/23
to port 443).
• Internal access to the systems to integrate (connections configured in the corresponding
System Settings).
• An administrator account for EIS. Ensure the account’s role has the permission to “Allow
Remote Access” located under Remote Services > Security.
For installation, use either the files available for download from the Enterprise Integration page
(navigate to Configuration > System Settings > Enterprise Integration) or files received from
Vodafone support. The Enterprise Integration section of System Settings is automatically
configured during the installation of EIS behind your firewall. Use these settings if you need to
adjust anything after the configuration has been initialised by EIS after installation, or if you
cannot follow this automated process.
Use the following steps to begin EIS configuration:
1. Navigate to Configuration > System Settings > System > Enterprise Integration.
2. Tick the Enable Enterprise Integration Service checkbox.
o Authentication - Select either of the following authentication radio buttons:
• Certificate for message-level encryption over HTTPS.
• Add HTTP authentication with a username/password that can be set here and
adjusted on the EIS server’s configuration page.
o Go to the Enterprise Services section and Enable or disable the services that the
VSDM should integrate with EIS.
Note: Vodafone SaaS already offers email delivery using SMTP, but you can also enable
EIS to use your own SMTP server (details are entered in System Settings > System >
Email (SMTP)).
o Advanced - Enable or disable the components that the VSDM should integrate with
EIS.
Note: The certificate generated during auto configuration has the thumbprint located
here; it can be cleared and renewed if necessary.
If EIS is unable to connect to the API during installation, you can generate a configuration script
(encrypted) by following these steps:
• Generate the certificate, save the page and click Refresh.
• Export settings for the EIS server (this prompts you to set a password).
• Download the XML file and import it into the EIS configuration (this automatically
configures the EIS server).
18.6 SMS Integration
Similar to Email (SMTP) setup, the SMS Integration page enables the SMS messaging capabilities of
the VSDM. However, in order to enable this functionality, administrators must first purchase a
CellTrust Account so that they can provide authentication into the CellTrust SMS Gateway.
18.6.1 Configure SMS Settings
Use the following steps to configure SMS settings:
1. Navigate to Configuration > System Settings > System > SMS.
2. Complete the following information:
o Nickname - The CellTrust account nickname.
o User Name - The CellTrust account username.
o Password - The CellTrust account password.
o Select Save to save the SMS configuration settings.
18.7 Use the VSDM API
The API page sets up certificate-based security for your Location Groups. Once this is set
up, integrating systems can use the certificate to securely communicate with your environment
through the VSDM API.
The most common example of an integrating system is Vodafone's Secure Email Gateway (SEG).
In order to monitor and control an SEG from a specific Location Group, an API certificate is
required during the installation process.
Use the following steps to generate an API certificate for your environment:
1. Navigate to Configuration > System Settings > System > General > API > Soap API.*
2. Enter the password into the New Certificate Password field.
3. Select the Generate Client Certificate button. The API certificate is now available for use.
4. Export the API certificate for use in an integrating system (such as the SEG):
5. Re-enter the certificate password.
6. Select the Export Client Certificate button. The certificate is now ready and can be used
on your computer and in the integrating system.
* New Feature in VSDM Release 3
18.8 Important Enterprise Integration Considerations
• As part of the initial VSDM setup, administrators must configure several core system
settings (in the System Settings page of the VSDM) that enable integration between the
VSDM server and corporate infrastructure. These settings should not be changed once they
are configured.
• If you are leveraging user group integration, ensure that Directory Services (and EIS, if
enabled) integration is configured at the same level as the root location group to which the
user groups belong. When user group integration is enabled, directory users can only be
managed at the level of the Directory Services settings; you should only add new users at
this level to ensure full management permissions.