Admin Guide
Vodafone Secure Device Manager Admin Guide March 2013 © 2013 Vodafone Group Services Ltd. All rights reserved. This document comprises proprietary and confidential information and copyright material belonging to Vodafone Ltd. It must not be reproduced, used, published, or disclosed to third parties without the prior written consent of Vodafone Ltd. The information in this document is subject to change without notice. All trademarks acknowledged. Contents 1 Systems Overview ......................................................................................................................................................... 9 1.1 Vodafone Solution Overview ................................................................................................................................................... 9 1.2 System Requirements ............................................................................................................................................................... 9 1.2.1 Supported Browsers ..................................................................................................................................................... 10 1.2.2 Supported Devices ....................................................................................................................................................... 10 1.2.3 Technical Requirements ............................................................................................................................................ 10 1.3 Vodafone Secure Device Manager Overview .................................................................................................................. 10 1.3.1 Log in to the VSDM ....................................................................................................................................................... 
10 1.3.2 VSDM Overview .............................................................................................................................................................. 11 1.3.3 Navigation Overview .................................................................................................................................................... 11 2 Setting Up Your VSDM.................................................................................................................................................18 2.1 Overview ...................................................................................................................................................................................... 18 2.2 Introducing the Getting Started Wizard ............................................................................................................................ 18 2.2.1 Prerequisites ................................................................................................................................................................... 18 2.2.2 Using the Getting Started Wizard ............................................................................................................................ 19 2.2.3 Use the Setup Checklist ............................................................................................................................................. 20 2.3 3 Enabling iOS MDM Support ................................................................................................................................................... 22 Location Groups and User Groups Overview .......................................................................................................23 3.1.1 Location Groups ............................................................................................................................................................ 
23 3.1.2 Create a New Location Group ................................................................................................................................... 23 3.1.3 Modify and Delete a Location Group...................................................................................................................... 25 3.1.4 Additional Location Group Details .......................................................................................................................... 26 3.2 User Groups ................................................................................................................................................................................ 27 3.2.1 Transitioning to User Groups .................................................................................................................................... 27 3.2.2 Set Up User Groups in the VSDM ............................................................................................................................. 28 3.2.3 Edit User Group Settings and Management Permissions ............................................................................... 29 3.2.4 User Information Actions and Updates ................................................................................................................. 30 3.2.5 Edit User Group Permissions ..................................................................................................................................... 31 3.2.6 Assign Resources to User Groups ........................................................................................................................... 32 4 5 3.3 Migrate Basic Users to Directory Users ............................................................................................................................. 
32 3.4 Bulk Import User Groups ........................................................................................................................................................ 33 VSDM Best Practice ......................................................................................................................................................34 4.1 Location Groups ........................................................................................................................................................................ 34 4.2 User Groups ................................................................................................................................................................................ 34 4.3 Transition Options for Best Practices................................................................................................................................. 34 4.4 User Management Changes for Directory Users ........................................................................................................... 35 4.5 User Storage in the VSDM ...................................................................................................................................................... 35 Administrative Accounts ...........................................................................................................................................36 Vodafone Secure Device Manager R3 - Admin Guide © 2013 Vodafone Group Services Page 2 of 249 5.1 Create an Admin Account Manually .................................................................................................................................. 36 5.1.1 Import an admin user from Active Directory ....................................................................................................... 
37 5.1.2 Create Admin Account Roles.................................................................................................................................... 37 5.1.3 Create Administrators in Bulk ................................................................................................................................... 38 6 User Accounts ...............................................................................................................................................................41 6.1.1 User Account Security Types.................................................................................................................................... 41 6.1.2 Creating (Single) End Users ....................................................................................................................................... 44 6.1.3 Create End Users in Bulk ............................................................................................................................................ 47 6.2 Device Registration .................................................................................................................................................................. 48 6.2.1 Administrator Registers a Single Device ............................................................................................................... 49 6.2.2 Administrator Registers a List of Devices ............................................................................................................. 50 6.2.3 Invites Users to Register ............................................................................................................................................. 52 6.2.4 End User Registration .................................................................................................................................................. 
53 6.3 Device Staging ........................................................................................................................................................................... 55 6.4 Language Management ......................................................................................................................................................... 56 6.4.1 Activating Language Packs........................................................................................................................................ 56 6.4.2 Selecting and Changing Language......................................................................................................................... 57 6.4.3 Localisation Editor ........................................................................................................................................................ 58 6.5 7 Important VSDM Setup considerations............................................................................................................................. 59 Device Management ....................................................................................................................................................60 7.1 Overview ...................................................................................................................................................................................... 60 7.2 Dashboard Navigation ............................................................................................................................................................. 60 7.2.1 Location Group Sidebar .............................................................................................................................................. 60 7.2.2 Dashboard Views ........................................................................................................................................................... 
61 7.2.3 Advanced Views ............................................................................................................................................................. 61 7.2.4 Graphical Portlets ......................................................................................................................................................... 62 7.2.5 Dynamic Device List ..................................................................................................................................................... 63 7.3 Device Control Panel ............................................................................................................................................................... 66 7.3.1 Device Information Menu .......................................................................................................................................... 66 7.3.2 Remote Actions Menu................................................................................................................................................. 73 7.4 Device Search............................................................................................................................................................................. 75 7.4.1 Device Search - Left Panel ......................................................................................................................................... 75 7.4.2 Device Search - Top Panel ......................................................................................................................................... 77 7.4.3 Device Search - Main Panel ....................................................................................................................................... 78 7.5 Device Details............................................................................................................................................................................. 
78 7.5.1 Device Information ....................................................................................................................................................... 79 7.5.2 Device Activity................................................................................................................................................................ 83 7.5.3 Configuration.................................................................................................................................................................. 83 7.6 Device Details Management ................................................................................................................................................. 83 7.6.1 Query ................................................................................................................................................................................. 84 7.6.2 Management .................................................................................................................................................................. 84 7.6.3 Support ............................................................................................................................................................................. 84 7.6.4 Admin ................................................................................................................................................................................ 85 7.7 Administration Event Log ...................................................................................................................................................... 85 7.8 End User Self-Service .............................................................................................................................................................. 
86 7.8.1 Enabling the SSP ........................................................................................................................................................... 87 Vodafone Secure Device Manager R3 – Admin Guide © 2013 Vodafone Group Services Page 3 of 249 7.9 Retiring a Device ....................................................................................................................................................................... 89 7.10 BYOD Configuration Best Practices .................................................................................................................................... 90 7.10.1 Assign Profiles and Policies by Ownership Type ................................................................................................ 90 7.10.2 Configure Privacy Settings......................................................................................................................................... 90 7.10.3 Isolate Corporate Content ......................................................................................................................................... 91 7.11 Important Device Management Considerations............................................................................................................ 91 8 Profile Management ....................................................................................................................................................92 8.1 Overview ...................................................................................................................................................................................... 92 8.2 Profiles Page ............................................................................................................................................................................... 
92 8.2.1 Toggling Profile Views for Assignment Testing.................................................................................................. 93 8.3 Creating Profiles ........................................................................................................................................................................ 94 8.3.1 General Settings ............................................................................................................................................................ 94 8.3.2 Create and deploy the profile payloads ................................................................................................................ 96 8.4 Device Profile Capabilities ..................................................................................................................................................... 98 8.4.1 iOS Profiles ...................................................................................................................................................................... 
99 8.4.2 Mac OS Profiles ............................................................................................................................................................100 8.4.3 Android Profiles ...........................................................................................................................................................100 8.4.4 Blackberry Profiles* ....................................................................................................................................................101 8.4.5 Symbian Profiles..........................................................................................................................................................101 8.4.6 Windows Mobile...........................................................................................................................................................102 8.4.7 Windows Phone and Windows Phone 8* ............................................................................................................102 8.5 Profile Payload Descriptions ...............................................................................................................................................103 8.5.1 Passcode ........................................................................................................................................................................103 8.5.2 Restrictions ...................................................................................................................................................................104 8.5.3 Wi-Fi..................................................................................................................................................................................106 8.5.4 VPN...................................................................................................................................................................................107 
8.5.5 Email ................................................................................................................................................................................107 8.5.6 Exchange ActiveSync/Web Services ....................................................................................................................108 8.5.7 LDAP ................................................................................................................................................................................109 8.5.8 CalDAV ............................................................................................................................................................................109 8.5.9 Subscribed Calendars ................................................................................................................................................109 8.5.10 CardDAV .........................................................................................................................................................................109 8.5.11 Web-Clips/Bookmarks ..............................................................................................................................................110 8.5.12 Android Launcher Mode ...........................................................................................................................................111 8.5.13 Credentials ....................................................................................................................................................................111 8.5.14 SCEP.................................................................................................................................................................................112 8.5.15 Advanced 
.......................................................................................................................................................................112 8.5.16 Custom Settings ..........................................................................................................................................................112 8.5.17 Global HTTP Proxy ......................................................................................................................................................115 8.5.18 App Lock.........................................................................................................................................................................115 8.5.19 Dock* ...............................................................................................................................................................................116 8.5.20 Time Sync* ....................................................................................................................................................................116 8.6 Geofencing................................................................................................................................................................................117 8.6.1 Creating a Geofence Area ........................................................................................................................................117 8.7 Time Schedules .......................................................................................................................................................................118 8.8 Creating Wi-Fi Profiles in Bulk .............................................................................................................................................120 8.8.1 Create Bulk Wi-Fi 
Profiles..........................................................................................................................................120 8.8.2 Manage Bulk Wi-Fi Profiles .......................................................................................................................................122 Vodafone Secure Device Manager R3 - Admin Guide © 2013 Vodafone Group Services Page 4 of 249 8.9 9 Important Profile Management Considerations ..........................................................................................................123 Application Management........................................................................................................................................ 124 9.1 Using the Applications Page ...............................................................................................................................................124 9.1.1 Navigating the Applications Page .........................................................................................................................124 9.2 Enabling the App Catalogue ...............................................................................................................................................127 9.3 Advanced Authentication for App Catalogue** ...........................................................................................................128 9.4 Enabling Book Catalogue** ................................................................................................................................................130 9.5 Application Categories** .....................................................................................................................................................131 9.5.1 Assigning Custom Category to Apps**................................................................................................................132 9.6 Recommending Public Applications 
...............................................................................................................................132 9.7 Deploying Internal Enterprise Applications ..................................................................................................................135 9.8 Advanced Application Assignment ..................................................................................................................................139 9.8.1 Criteria .............................................................................................................................................................................140 9.8.2 Devices............................................................................................................................................................................141 9.9 Application Version Management ....................................................................................................................................142 9.10 Application Notifications......................................................................................................................................................142 9.10.1 Notifying Devices ........................................................................................................................................................144 9.10.2 Terms of Use (EULA) Notifications for Apps* ....................................................................................................145 9.11 Managing User Feedback and Ratings** ........................................................................................................................145 9.11.1 View user ratings and comments ..........................................................................................................................146 9.11.2 Delete the user 
comments......................................................................................................................................146 9.12 Google Play (Android Market) Integration .....................................................................................................................147 9.13 Customising Application Profiles ......................................................................................................................................147 9.14 Managing Apple VPP Applications **...............................................................................................................................149 9.14.1 Upload the Apple VPP Redemption Code Spreadsheet to the VSDM ......................................................150 9.14.2 Actions ............................................................................................................................................................................152 9.14.3 Allocating Redemption Codes ...............................................................................................................................153 9.14.4 Create Purchased Application Messages and Notify Device-Users...........................................................156 9.14.5 Manage the VPP Application Deployment.........................................................................................................157 9.15 Managing Apple VPP iBooks** ...........................................................................................................................................159 9.15.1 Additional Information ..............................................................................................................................................160 9.16 Application Workflow* ..........................................................................................................................................................161 9.16.1 Implementing Application 
Workflow ...................................................................................................................161 9.16.2 Enabling Application Workflow ..............................................................................................................................162 9.16.3 Workflow Process ........................................................................................................................................................163 9.17 Recommended Applications ..............................................................................................................................................165 9.17.1 The Vodafone Secure Content Locker ................................................................................................................166 9.17.2 Vodafone Managed Browser ...................................................................................................................................166 9.17.3 Vodafone Launcher App ...........................................................................................................................................166 9.17.4 Vodafone Telecom Service App.............................................................................................................................166 9.18 Important Application Management Considerations ................................................................................................ 167 10 Content Management .............................................................................................................................................. 168 11 Managing and Distributing Content..................................................................................................................... 
169 Vodafone Secure Device Manager R3 – Admin Guide © 2013 Vodafone Group Services Page 5 of 249 11.1 Creating Document Categories .........................................................................................................................................169 11.2 Publishing an Individual Document .................................................................................................................................170 11.3 Uploading and Distributing Multiple Documents .......................................................................................................174 11.4 Important Content Locker considerations ....................................................................................................................175 11.5 Using the Content Repository............................................................................................................................................176 11.5.1 Navigating Content in Repository Folders .........................................................................................................178 11.6 Managing Documents ...........................................................................................................................................................178 12 Content Security and Analytics ............................................................................................................................ 
12.1 Configure Content Security Settings
12.2 Content Analytics
12.3 Best Practice
13 Email Management
13.1 Email Compliance Policies
13.1.1 Email Policies
13.1.2 General Email Policies
13.1.3 Managed Device Policies
13.1.4 Attachment Security Policies*
13.1.5 Apply Email Compliance Policies
13.2 Email Attachment Control*
13.2.1 Prerequisites
13.2.2 Accessing Attachment Settings
13.2.3 Accessing Protected Email Attachments
13.2.4 Open Encrypted Email Attachments
13.3 Email Management Dashboard
13.3.1 Graphs and Grid
13.3.2 Request Time Views
13.3.3 Email Compliance in the Dashboard
13.3.4 Override an Email Compliance Policy
13.3.5 Dashboard Test Mode
13.4 Important Email Management Considerations
14 Telecom Management**
14.1 Enabling Telecom Setting
14.2 Creating and Managing Telecom Plans
14.2.1 Create a Telecom Plan
14.2.2 Dynamic Assignment
14.2.3 Assign a Rule to a Plan
14.2.4 Edit an Assignment
14.3 Dashboard Usage
14.3.1 Telecom Usage
14.3.2 Telecom Roaming
15 Certificate Management
15.1 Benefits of Using Certificates
15.2 Manage Certificates on the Certificate Dashboard
15.3 Certificate Infrastructure Integration
15.3.1 Direct Certificate Authority Integration
15.3.2 Simple Certificate Enrolment Protocol (SCEP) Integration
15.4 Certificate Template Configuration
15.4.1 For a Microsoft Certificate Authority
15.4.2 For a Verisign Certificate Authority
15.4.3 For a Symantec Certificate Authority
15.4.4 For a OpenTrust Certificate Authority
15.4.5 For a Entrust Certificate Authority
15.5 Utilising Certificates for VSDM
15.5.1 Enterprise Wi-Fi, VPN, and EAS Authentication
15.5.2 S/MIME Email Signing and Encryption
16 Security and Compliance
16.1 Passcode and Restrictions Profiles Overview
16.2 Building Device Compliance Policies
16.2.1 Define Rules
16.2.2 Actions
16.2.3 Assignment
16.3 Application Groups and Policies
16.3.1 Define Application Groups
16.3.2 Android Application Restriction Profiles
16.4 Secure Channel Certificate
16.5 Privacy Policy
16.5.1 Commands Privacy
16.6 Important Security and Compliance Considerations
17 Reports and Alerts
17.1 Reports
17.1.1 Generate Custom Reports
17.1.2 Add a Report to My Reports
17.1.3 Create Report Subscriptions
17.1.4 Additional Reporting Tools
17.2 Alerts
17.2.1 Creation Policies
17.2.2 Routing Policies
17.2.3 View Alerts
17.3 Important Report and Alert considerations
17.4 Syslog
17.5 Integrate Syslog
17.5.1 Schedule Logging Frequency
18 Enterprise Integration
18.1 Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
18.1.1 System Authentication
18.2 User Account & Device Authentication
18.2.1 Active Directory / LDAP Enrolment Configuration
18.2.2 Authentication Proxy Enrolment Configuration
18.2.3 SAML 2.0 Enrolment Configuration
18.3 Advanced Enrolment Settings
18.3.1 Location Group*
18.3.2 Restrictions
18.4 Email Integration
18.4.1 Email (SMTP)
18.4.2 Configure Email Settings
18.5 Enterprise Integration Service
18.5.1 Configuring EIS
18.6 SMS Integration
18.6.1 Configure SMS Settings
18.7 Use the VSDM API
18.8 Important Enterprise Integration Considerations

1 Systems Overview

1.1 Vodafone Solution Overview

Vodafone offers complete mobility management, enabling organisations to easily use and secure the latest mobile device technology by providing a comprehensive cross-platform solution for mobile device management. The Vodafone Secure Device Manager (VSDM) provides a central location for administrators to manage smart device fleets regardless of operating system, carrier, network or location. From the VSDM, administrators can manage any mobile device from anywhere in the world.

1.2 System Requirements

The following system requirements should be met before using the VSDM solution.

1.2.1 Supported Browsers

VSDM is certified to run on the following web browsers:
- Internet Explorer 8+.
- Firefox 3.x+.
- Google Chrome 11+.
- Safari 5.x.

Comprehensive platform testing has been performed to ensure functionality while using these Web browsers. The VSDM may still function in non-certified browsers.

1.2.2 Supported Devices

Vodafone currently supports the following devices:
- Android versions 2.2 and above.
- Blackberry versions 5 and above.
- iOS versions 4.0 and above.
- Mac OSX 10.7+.
- Symbian OS ^3 and S60.
- Windows Mobile 5/6 and Windows CE 4/5.
- Windows Phone 7 and 7.5 Mango.
- Windows Phone 8.

Note: Limited support may be available for other devices/Operating Systems. Contact Vodafone Support for more information.

1.2.3 Technical Requirements

Technical requirements vary depending on whether you are using Vodafone’s SaaS or On-Premise solutions. For more details on technical requirements, please refer to the VSDM Requirements documents for installation and deployment.

1.3 Vodafone Secure Device Manager Overview

1.3.1 Log in to the VSDM

Vodafone provides administrators with a VSDM URL, username, and password. If you do not have this information, please contact Vodafone support. Once you have the appropriate credentials, log into the VSDM by:
1. Navigating to the provided URL.
2. Entering the provided username and password.

1.3.2 VSDM Overview

Manage, monitor, and secure your Enterprise's devices in the VSDM.

Menu

Use the Menu for comprehensive access to all VSDM features. Hover over the Menu dropdown located in the upper left-hand corner of the VSDM for a top-level view of all available pages. The VSDM pages are categorised according to their specific device management purpose.

1.3.3 Navigation Overview

Smart device management with Vodafone is centralised in VSDM.
Here, administrators have the ability to manage, monitor, and secure their devices through any browser, anywhere in the world without having to download or install any additional software.

Add

To the right of the Menu dropdown is the Add dropdown. Hovering over it displays five selections that allow you to quickly access the options needed to add an application, policy, content, profile, or device. All of these options are also available from the Menu dropdown; the Add dropdown gives you single-click access to these frequently used options.

My Favorites

Use the My Favorites section to create bookmarks within VSDM to your most frequently used Menu items.

Dashboard

The Dashboard page is used to manage and monitor devices from top-level groups down to individual devices.

Reports and Alerts

The Reports page allows administrators to:
- Generate custom reports about the status of their smart device fleet.
- Configure automatic report subscriptions.
- Store common reports for future usage.

Administrators can also create unique alert policies to provide immediate notification when a device is compromised or enters an unfavourable status.

Profiles and Policies: Profiles

The Profiles page allows administrators to create, edit, and remove all of the corporate profiles that are sent over-the-air to their smart device fleet. These profiles allow devices to automatically receive corporate data such as:
- Wi-Fi connections.
- Passcode and restrictions policies.
- Corporate email and calendars.
- The Vodafone App Catalogue.
- Other custom data.

Profiles and Policies: Compliance

The Compliance page is where administrators can designate security policies for their device fleet so that specific actions take place when devices fail to meet compliance rules.
There are many types of compliance rules that can be selected, but the rules can be divided into three categories:
- Application Rules.
- Device Rules.
- Email Rules.

Profiles and Policies: Certificates

The Certificates page is where administrators can:
- View a list of all certificates available to devices managed by the VSDM.
- Determine the status of a certificate.
- Determine when a certificate expires.
- Revoke a certificate.

Profiles and Policies: WinMo Provisioning

The WinMo Provisioning page is where administrators can provision and create custom variables used to manage Windows Mobile devices from the VSDM.

Apps

The Applications page provides a centralised interface for administrators to:
- Recommend public applications and deploy internal applications to their smart device fleet.
- View Volume Purchase Program (VPP) purchases and licences.
- Create Software Development Kit (SDK) profiles for applications.
- Gather analytics on all applications managed in the VSDM.

Currently, the VPP and SDK are only available on iOS devices.

Content

The Content management pages allow administrators to upload and manage content for secure deployment to the smart device fleet using the Secure Content Locker (SCL). Currently, the SCL is only available on iOS and Android devices.

Administration - User and Admin Accounts

The User Accounts and Administrator Accounts pages provide tools for developing a smart device fleet that is managed by the VSDM. The User Account page is used to add, modify, or delete device users. The Admin Account page is used to add, modify, or delete Vodafone administrators who use the VSDM to manage the device fleet.

Administration - Event Log

The Event Log pages allow administrators to view logs that are generated by devices and the VSDM. The Event Log tracks all history of device and VSDM activity. Use the dropdown menus at the top of the page to sort logs based on date, severity, category types, and VSDM modules.

Device Search

The Device Search and Bulk Management pages allow you to quickly locate one or more devices or manage groups of devices by name, platform, group, or other criteria. Device Search also provides the administrator with features such as Warm Boot, finding a device using GPS, Device Wipe, etc.

Configuration - Locations and Groups

Use the Location Group Configuration page to create an organisational hierarchy for managing your devices. From this page, add, delete, or modify the device grouping structure as needed, as well as add Child Location Groups.

Configuration - System Settings

The System Settings page provides a centralised location for all of the configurable settings for initial environment setup and for ongoing customisation for end-users and for the VSDM.

Advanced

The Advanced page gives the administrator the ability to edit advanced options, including:
- Language settings.
- Custom field definitions.
- Device groups.

2 Setting Up Your VSDM

2.1 Overview

There are a few administrative actions to perform before the end-users can enrol their devices under VSDM. The Administrator must first establish the organisational hierarchy for the device fleet by creating three things:
- Location Groups to define the different areas of your corporate hierarchy that manage and utilise VSDM.
- Admin Accounts to provide VSDM access to all of the administrators of the smart device fleet.
- User Accounts to associate corporate users with their managed devices.

A collection of useful links for setting up your VSDM can be found on the VSDM by navigating to Configuration > System Settings > Installation > Getting Started. From here, you will find links to the following sections within the VSDM:
- Device Enrolment/Authentication Settings.
- SMS/Email Message Settings.
- Location Groups Setup.
- User Accounts Settings.
- Enrolment Messaging Settings.
- Terms of Use Settings.
- VSDM Branding Settings.
- APNs Certificate Settings.
- Device Scheduler Information.

2.2 Introducing the Getting Started Wizard

The Getting Started Wizard displays a customised welcome page the first time you log in to the VSDM. This walks you through the entire mobile device lifecycle process from deployment to security, monitoring, management, and support. At the end of the process you are able to install and manage your smart device fleet.

2.2.1 Prerequisites

In most cases, there are no prerequisites for using the Getting Started Wizard; by default it is enabled for all SaaS customers. However, if you are On-Premise and you want the Welcome page to display the first time you log in, then you need to enable the wizard from the System Settings page. Navigate to System Settings > Getting Started and select the Show Welcome Page option.

2.2.2 Using the Getting Started Wizard

Once you have the appropriate VSDM URL and credentials, log in as follows:
1. Select the VSDM URL link provided.
2. Enter the provided Username and Password.
3. The Getting Started Wizard starts automatically when you log in to the VSDM for the first time. In addition, you can access the Welcome page to view the Getting Started options.

2.2.3 Use the Setup Checklist

If you are a first-time user, it is recommended that you follow the guidelines listed in the Setup Checklist. If you are an advanced user, simply select Skip Getting Started. On the Welcome page, click Use Setup Checklist to configure the VSDM settings.

Note: You are sequentially guided through each section from beginning to end to complete the process. Each section contains a series of questions, and the wizard uses your answers to configure your VSDM automatically by navigating to specific pages.

Setup

You can manage your Apple devices using VSDM by generating an Apple Push Notification service (APNs) certificate. You can also define different system settings such as Terms of Service and/or Privacy Policies.

Enrol

You can configure settings such as the general settings, authentication settings, and restrictions on the device.

Secure

You can define policies and restrictions for your devices. Furthermore, you can assign security policies to your device so that specific actions can take place when devices fail to meet compliance rules.

Configure

You can create and deploy the corporate profiles based on the platform.

Manage

You are directed to the Dashboard page. Here, you can manage and monitor devices from top-level groups down to individual devices.

Note: The entire setup status is shown by the progress indicator in the left panel.

Click Next Steps to configure other advanced settings and to edit more options for your device in the VSDM.

Customisation

You can customise the look of the VSDM as per your organisation's need.

Advanced Device Settings

You can configure settings for device enrolment, device restrictions, and privacy.
In addition, you can add a name to a device to recognise it easily, and configure language settings, custom field definitions for the lookup fields, and device groups in the Advanced pages.

Enterprise Integration

The VSDM securely integrates with AD/LDAP, Certificate Authorities, Email infrastructures, and other enterprise systems. This is automatically configured during the EIS installation behind your firewall. Once the configuration has been initialised by EIS after installation, you can still modify anything on this page, such as certificates for access to corporate Email, Wi-Fi, VPN networks, and more.

App Management

You can view, manage, push, and recommend public applications, and deploy internal or purchased applications to your device over-the-air.

Content Management

You can configure the content so that it can be accessed in online or offline modes based on device ownership and location groups. Enable EIS integration to provide users with direct links to folders, network drives, or even SharePoint directories containing various documents to upload into the Secure Content Locker. Currently, Content Management is an additional product. Availability may vary, depending on your local market.

Email Management

You can restrict corporate Email access for both managed and unmanaged devices. You can also troubleshoot Email server requests through the Secure Email Gateway Dashboard.

The initial configuration is now complete. Once you have finished setting up, click Menu and begin using the VSDM.

2.3 Enabling iOS MDM Support

The Apple Push Notification service (APNs) is used to allow Vodafone or any other MDM vendor to securely communicate to your devices over-the-air (OTA). Each organisation needs its own APNs certificate to ensure a secure mechanism for its devices to communicate across Apple’s push notification network.
Vodafone uses your APNs certificate to send notifications to your devices when the Administrator requests information or during a defined monitoring schedule. Run this wizard by navigating to System Settings > Device > iOS > APNs for MDM. For additional help, see the Generating an APNs Certificate for MDM in v6.1 SP1 and Greater document.

3 Location Groups and User Groups Overview

VSDM offers organisations several options to manage and organise their users:
- Location Groups – With Location Groups, users can be organised into hierarchical units that may represent physical location divisions and/or organisational structures.
- User Groups – User Groups are tied directly to an organisation's existing Active Directory structure. You can assign resources and manage the permissions of users based on their assigned Directory User Groups.

When used together, Location Groups and User Groups allow administrators to fully optimise and leverage their VSDM.

Note: User Groups can only be used if your organisation is currently using LDAP/Active Directory.

3.1.1 Location Groups

Within large enterprises, IT departments have to meet the requirements of different users across functional, organisational, or geographical groups. One of VSDM's solutions to this requirement for multi-tenancy is Location Groups. You can create rich location group structures that align with the corporate hierarchical structure to provide customised and scalable MDM solutions for corporate users.

Note: If your organisation is currently using Active Directory to manage its employees on the network, you should look to leverage User Groups integration (See "User Groups") in conjunction with Location Groups. This maximises the control over your VSDM setup (See "VSDM Best Practice").

With an evolving corporate structure comes the need to create additional location groups and locations.
The steps below outline the process of creating a location group and associated location.

3.1.2 Create a New Location Group
Complete the following steps to create a location group:
1. Navigate to Configuration > Locations & Groups.
2. Select a Parent Location Group from the list.
   o The parent location group is the location group that is one hierarchical level up from the one that is being added.
3. Select Add Child Location Group to open the new location group form. Once complete, the new group is listed a level below the parent group.
4. Complete the required location group information.
   o Location Group Name - The display name for the location group that is shown in the VSDM.
   o Group ID - The activation code used by a device to enrol into this location group. This dictates what profiles, applications, and policies are inherited by the device based on what is configured at this location group. The administrator needs to provide end-users with their group ID in order to complete the enrolment process. Administrators can leverage User Groups (see "User Groups") to automatically assign Group IDs and roles based on user group membership.
     To configure the VSDM to automatically select a user's group ID based on user group membership (Directory Services integration must be set up), navigate to the Enrolment page under System Settings and choose Automatically Select under group assignment mode.
5. Select the Add Default Location box and fill in the required default location information:
   o Display Name - The display name of the location that is shown in the VSDM.
   o Internal Name - The unique name that is internally used to define this location.
6. Click Save.

The new location group and location have been created.
3.1.3 Modify and Delete a Location Group
Location Group Details provide the ability to modify and delete the location group information, including the Group ID. Use the following steps to modify or delete a Location Group:
1. Navigate to Configuration > Locations & Groups.
2. Choose the Location Group you wish to modify or delete.
3. Ensure that you have the Location Group Details tab selected and then modify any of the fields listed below.
   o Location Group Name - The display name for the location group that is shown in the VSDM.
   o Group ID - The activation code used by a device to enrol into this location group. This dictates what profiles, applications, and policies are inherited by the device based on what is configured at this location group. The administrator needs to either provide end-users with their group ID or configure the VSDM to automatically select the Group ID based on user group role in order to complete the enrolment process.
   o Location Group Type/Country/Locale - Used for internal classification only.
   o Default Location - The default location is where devices are automatically assigned when enrolled in the location group.
4. Click Save to save your modifications.
5. Click Delete to delete the location group.

Note: To delete a location group, there must not be any child Location Groups below it. If there are, delete all child groups from the lowest level up, until you are able to delete the original group.

3.1.4 Additional Location Group Details
The administrator can also set several additional fields to provide additional information to the location groups. These fields have no effect on the operation of the location groups, but can be used to provide additional detailed information for logging purposes.

Locations are an organisational unit into which enrolled devices are placed. By default, each Location Group has at least one Location, known as the Default Location.
Note: Without a default location, devices cannot be enrolled at that specific location group.

Location types provide the ability to classify Locations based on the corporate structure (for internal use in the VSDM). Location Statuses provide the ability to classify if a Location is active or is in the future (for internal use in the VSDM).

3.2 User Groups
User Group integration allows you to further streamline the VSDM management by leveraging existing LDAP/AD user groups in VSDM. Once successfully integrated into the VSDM, user groups act as filters (in addition to location groups) for assigning profiles, applications, and policies. After implementing user group integration, you can more easily perform tasks in the following areas:
o User Management - You can more closely align users in the VSDM with their pre-existing LDAP/AD user associations, making it easier for you to streamline user management.
o Profile and Policy Assignment - Assign profiles, applications, content, and compliance policies to groups of users according to the existing groups and distribution lists.
o Integrated Updates - Instruct the VSDM to automatically update assignments based on directory user group changes. You also have the ability to request approval if the number of changes exceeds a specified threshold.
o User Group Management Permissions - Set advanced management permissions to only allow approved administrators to change VSDM assignments for certain user groups.
o Enrolment - Allow all users to enrol in the VSDM using the same group ID (Location Group) even though their devices may receive different corporate resources.

3.2.1 Transitioning to User Groups
Both new and existing VSDM customers with an LDAP/AD infrastructure can easily leverage their LDAP/AD groups in the VSDM.
Prerequisite
Before beginning the user group transition process, Directory Services (see "Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration") and Enterprise Integration Services (EIS), when used, must be enabled in the VSDM at the level of the root location group. For example, if the root location group is Internal and EIS integration is in place, EIS integration should be enabled with the Internal location group selected on the left-hand side of the screen, as shown below.

Note: The existing assignment is not affected when you import user groups. In order to facilitate the transition process and ensure that your users do not experience any disruption to their current configurations, the administrator must manually apply policies to user groups as needed.

3.2.2 Set Up User Groups in the VSDM
Regardless of whether or not you have existing location groups in the VSDM, it is easy to leverage both user groups and location groups. To set up user groups, first ensure that the EIS prerequisites (when EIS is used) are satisfied. User groups can be set up one group at a time, or the administrator can use the User Group bulk import feature to add multiple user groups at the same time.

Use the following steps to set up single user group associations in the VSDM based on AD/LDAP groups:
1. Navigate to Users > User Accounts > User Groups.
2. Go to the Location Group menu on the left and designate an existing location group as the primary root location group from which the administrator manages devices and users.
3. Click Add. The Add Directory form displays.
4. Enter the user group key words in the Search Text field and click Search.
5. Select the desired directory groups from the search results.
   The Add Directory Group screen displays and you can proceed with mapping your existing LDAP/AD group assignments with your new user groups.
6. Tick the Auto Sync and Auto Merge Checkboxes - When you initially import user groups, they automatically sync and merge with the existing user group assignments. You should tick these boxes to ensure that your user group assignments are updated on a regular basis.
   o Auto Sync - The Auto Sync feature collects changes in LDAP group membership (without taking any action on those changes).
   o Auto Merge - The Auto Merge feature saves any of the changes detected from the Auto Sync process and merges them into user groups.
7. Enter a number in the Maximum Allowable Changes box when you add a directory group to establish the maximum allowable number of group membership changes to be merged into VSDM. You can edit this number in the User Group Settings.

3.2.3 Edit User Group Settings and Management Permissions
An additional benefit of user group integration in VSDM is increased management flexibility enabled by user group settings for automatic updates and editing permissions.

Edit User Group Settings
User group settings can be configured to automatically detect each time a user leaves or joins a group. The administrator can set a maximum allowable number of automatic changes, and any changes that exceed this threshold require administrator approval.

Use the following steps to edit User Group Settings:
1. Navigate to Accounts > Users > User Groups.
2. Ensure that the root location group for your device fleet has been selected if management permissions are required.
3. Select the Actions menu next to the user group and click Edit. The General tab displays by default.
4. Define the following:
   o Type - By default, Directory is selected.
   o Group Name - The User Group name.
   o Distinguished Name - The distinguished name of the User Group.
   o Relative Distinguished Name - The relative distinguished name of the User Group.
   o Managed By - The Location Group under which the User Group is added.
   o Auto Sync With Directory - Auto syncs the users in the group as users are added or deleted on the LDAP/AD server.
   o Auto Merge Changes - Applies the changes to the User Groups without the need for administrator approval. For example, when a user is moved to a different User Group, the Auto Merge option reflects this change on the VSDM.
   o Add Group Members automatically - Allows group members to be extracted from Active Directory automatically for the creation of user accounts.
   o Group Assignment - Click the link to set the default role, ownership, and action for users. You can also map User Groups to that of the directory.

3.2.4 User Information Actions and Updates
The VSDM syncs with the LDAP/AD database on a regular basis to retrieve updates to group membership. The VSDM automatically performs the following actions when changes in user attributes or user group membership are detected:
o Updates user attributes that are changed in LDAP/AD.
o Performs an enterprise wipe on the device when a user is deactivated in LDAP/AD.
o Enforces roles and permissions for administration based on LDAP/AD user group.

Additionally, the VSDM has the option to automatically assign Group IDs and roles based on user group membership, and the ability to enforce enrolment restrictions by user group. These options further streamline the enrolment process. To configure enrolment restrictions (such as the maximum number of devices per user), navigate to: Configuration > System Settings > Device > General > Enrolment.
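
The following added example (not VSDM code and not part of the original guide) models how Auto Sync, Auto Merge and Maximum Allowable Changes interact, so an administrator can reason about what a directory change will trigger before relying on automatic merging. All class and function names, the default threshold of 25 and the sample users and devices are assumptions made for illustration; it also assumes that changes collected while Auto Merge is off wait for approval.

```python
"""Dry-run model of Auto Sync, Auto Merge and Maximum Allowable Changes.

Added illustration: all names are hypothetical, the data is constructed,
and none of this is VSDM code or a VSDM API.
"""
from dataclasses import dataclass, field


@dataclass
class UserGroup:
    name: str
    members: set                       # membership currently held for the group
    auto_sync: bool = True             # collect directory changes
    auto_merge: bool = True            # apply them without approval
    max_allowable_changes: int = 25    # threshold (assumed default value)
    pending: dict = field(default_factory=dict)  # changes awaiting approval


def detect_changes(group, directory_members):
    """Auto Sync: diff the directory against the group, change nothing."""
    directory_members = set(directory_members)
    return {
        "added": sorted(directory_members - group.members),
        "removed": sorted(group.members - directory_members),
    }


def apply_changes(group, changes):
    """Merge a set of detected changes into the group membership."""
    group.members |= set(changes["added"])
    group.members -= set(changes["removed"])


def sync(group, directory_members):
    """Run one sync cycle.

    Returns 'skipped', 'no_change', 'merged' or 'pending_approval'.
    """
    if not group.auto_sync:
        return "skipped"
    changes = detect_changes(group, directory_members)
    count = len(changes["added"]) + len(changes["removed"])
    if count == 0:
        return "no_change"
    # Hold the changes when Auto Merge is off or the threshold is exceeded.
    if not group.auto_merge or count > group.max_allowable_changes:
        group.pending = changes
        return "pending_approval"
    apply_changes(group, changes)
    return "merged"


def approve(group):
    """Administrator approval: merge whatever the last sync held back."""
    changes, group.pending = group.pending, {}
    if changes:
        apply_changes(group, changes)
    return changes


def enterprise_wipe_queue(enrolled_devices, deactivated_users):
    """Devices whose owner was deactivated in the directory, i.e. the ones
    the section above says receive an enterprise wipe."""
    return sorted(device for device, owner in enrolled_devices.items()
                  if owner in deactivated_users)


def demo():
    group = UserGroup("Executives", {"alice", "bob", "carol"},
                      max_allowable_changes=2)
    # Routine change: one joiner, one leaver (2 changes, within threshold).
    first = sync(group, {"alice", "bob", "dave"})
    # Constructed failure case: a bad directory edit empties the group.
    second = sync(group, set())
    return first, second, sorted(group.members), group.pending


if __name__ == "__main__":
    print(demo())
    print(enterprise_wipe_queue({"ipad-01": "carol", "iphone-07": "alice"},
                                {"carol"}))
```

In the constructed failure case the group keeps its three members until an administrator approves the held removals, which is the protection a low threshold provides against a mistaken or unauthorised bulk directory edit.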
3.2.5 Edit User Group Permissions
User groups allow corporations to re-consider who within the organisation has permission to edit specific groups. For example, if an organisation has a user group for company executives, they may not want lower level administrators to have management permissions for that user group. Use the Permissions page to control who can manage specific user groups and who can assign profiles, compliance policies and applications to user groups.
1. Navigate to Users > User Accounts > User Groups.
   o If management permissions are required, ensure the root location group for your device fleet has been selected.
2. Select the Actions menu next to the user group you wish to edit.
3. Select the Permissions tab and specify the following permissions:
4. Select the Location Group for which you would like to define permissions.
5. Define the following:
   o Permissions - Use this option to determine the permissions an administrator has on the User Groups.
      o Manage Group (Edit/Delete) - Allows administrators to edit or delete any group.
      o Manage Users Within Group and Allow Enrolment - Allows the administrators to allow enrolment of the users, and edit or delete any user under that group.
      o Use Group for Assignment - Allows the administrator to assign profiles, apps, content, and compliance policies to the User Group.
   o Scope
      o Administrator Only - Applies the above mentioned permissions to only the administrator of this specific Location Group.
      o All Administrators at or below the location - Applies the above mentioned permissions to the administrator of this specific Location Group as well as the child Location Groups.

3.2.6 Assign Resources to User Groups
User groups, when integrated with VSDM, provide additional criteria for assigning profiles, compliance policies, applications, and content. User Groups appear as an assignment field for these VSDM resources.
The user group name is followed by the @ symbol, then the name of the Location group at which the user group was created. Use the following steps to navigate to the appropriate editing page, and then continue to the instructions for assigning the VSDM policy to user groups.
1. Navigate to the appropriate page in the VSDM. You can assign existing resources to user groups by selecting the appropriate policy and selecting Edit from the Actions menu. If it is a New assignment, create or upload the profile, policy, content, or application and fill in the assignment fields to deploy the resource to a user group.
2. In the appropriate Location Group field, select the appropriate assigned location group.
3. Select one or more User Groups to receive the resource.
4. Click Save and publish the form.

Policy Assignment Notes
If the administrator assigns something to both a location group and a user group, the system uses the user group as an additional filter for assigning the profile. Even if you select a very large location group, the system only applies the policy to the users who are members of the user group and have a device that is in the assigned location group. The administrator may wish to use both location groups and user groups to configure more advanced settings.

3.3 Migrate Basic Users to Directory Users
Administrators that have enabled AD/LDAP integration and wish to leverage user groups in the VSDM can easily migrate their existing users from Basic Users to Directory Users.

Use the following steps to begin the user migration process:
1. Navigate to Accounts > Users.
2. Go to the System Settings view on the left-hand side of the page and select User Migration.
3. Select the Basic users to migrate.
4. Click Migrate.
3.4 Bulk Import User Groups
To save time and effort when importing your LDAP/AD User Groups into the Vodafone Secure Device Manager, administrators can upload user groups in bulk through the batch import feature.

Use the following steps to upload user groups in bulk:
1. Navigate to Accounts > Users > User Groups.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
   o Batch Name - The name of the user group batch for reference in the VSDM.
   o Batch Description - A description of the particular user group batch for reference.
4. Click to open up the Bulk Import Help Topic Form.
5. Select Download Template to download the Batch Import Template.
6. Save the template as a CSV file.
7. Enter the required user group information in the template. The template information is the same as the fields required when setting up an individual user group. For more information on these user group settings, such as Auto Sync and Auto Merge.
8. Click Browse to upload the CSV file containing your user group information.

If the Batch Import does not complete successfully, view and troubleshoot errors by selecting Batch Status (under System Activity on the User Accounts page). Select Actions > View Errors to view the specific batch import errors.

4 VSDM Best Practice

4.1 Location Groups
When configuring your VSDM, it is recommended that Location Groups be used to define hierarchical organisational units and physical location divisions. Location groups alone in the VSDM control the following capabilities:
o Asset Tracking - Location groups define which business units the devices live at, so be sure to consider the device groupings you wish to view on the VSDM dashboards. Location Groups are still the primary filter on all pages for all dashboards and views.
o System Settings - System settings are tied to Location groups.
  You must define different location groups if you need different system settings, such as Enterprise Integration Server settings, EULAs and/or Privacy Policies.

Location Groups can also be used to accomplish the following:
o Setting Permissions - Use Location Groups to set administration management permissions in the VSDM. Administrators can leverage user groups to automatically assign user and administrator roles in the VSDM.
o Assigning profiles, policies, content and applications - While it is possible to assign these resources to User Groups, it is also possible to just assign them to Location Groups.

4.2 User Groups
When configuring your VSDM, it is recommended that User Groups be used to define Security Groups and/or Business Roles within your organisation. It is also recommended that User Groups be used to assign Profiles, Compliance Policies, Content, and Applications to users/devices.

4.3 Transition Options for Best Practices
If you have previously defined Location Groups to represent user Security Groups and are now considering the use of User Groups, one of the following options may help you streamline your VSDM:
o Reconfigure your system to associate Profiles, Applications and/or Enrolment Restrictions with User Groups:
   o Assign each profile, app, and enrolment restriction to the appropriate User Group(s).
   o Change the Location Group assignment to a Location Group one level up.
   o Add the User Group assignment.
o You may choose to reconfigure your hierarchy to remove old or unused Location Groups (keep in mind that location groups still serve several purposes in the VSDM):
   o Move devices to a Location Group one level up.
   o Delete the old Location Group(s).
o You can choose to leave your structure as-is:
   o The Location Group can be considered the 'Primary Security Group' of the device.
   o The User Groups are used for assigning profiles and policies.
   o The old, unused Location Groups can remain for asset tracking purposes.

4.4 User Management Changes for Directory Users
In addition to the integration of user groups into the VSDM, there are a few changes to user management for Directory authentication type users. If you currently use Directory Services in the VSDM, please note the following:
o Directory users can now only be created at the same level as the one where directory services settings are enabled.
   o In order to delete or edit a user account, you must be at the same level as the directory services settings.
   o To add a device to an existing VSDM user account, you must be at a lower level than the root location group where Directory Services are enabled.
o There is now only one location in the VSDM System Settings for Directory Services (called Directory Services). The same directory settings are used for both enrolling and logging into the VSDM.
o Directory Service settings now allow the administrator to configure custom mapping of user attributes in the VSDM to LDAP user attributes.

4.5 User Storage in the VSDM
The addition of user groups also has an impact on where directory users are stored in the VSDM. Once you have completed the transition to user groups, the VSDM performs the following actions:
o Directory users are moved to the level where directory service settings are in the VSDM. You still see them at the Location Group level where they have a device enrolled, but the users can only be managed at the same level as the directory service settings.
o After the upgrade to user groups, the VSDM runs a migration process that migrates the Distinguished Name of existing directory users into the VSDM.

5 Administrative Accounts
Management of the smart device fleet often requires several administrators to have access to the VSDM and it may be necessary to add or remove administrative accounts.
The VSDM provides an easy way to create and manage multiple administrative accounts.

5.1 Create an Admin Account Manually
Use the following steps to create an administrative account manually:
1. Navigate to Account > Administrators.
2. Select a Location Group in the upper left-hand corner. This is the default location group for this administrator account. Make sure to select the highest level of access that the administrator needs. Once logged in, they will have access to all child Location Groups that are listed below the one selected.
3. Click Add User. The Add/Edit User form displays.
4. Select Basic to manually create the Admin user or select Directory to import the user info from an Active Directory account.
5. Enter a Username and Password for the admin account.
6. Tick the Require password change at next login checkbox to force the administrator to change their password after the first time they log in.
7. Complete the additional Basic Information fields:
   a. First Name, Last Name and Email - The name and Email address of the administrator.
   b. Primary Role - The primary role determines the level of permissions that the new administrator holds. For instance, if the administrator is a helpdesk operator, then a Helpdesk role with limited access may be the best fit. The roles are configured separately from the administrative accounts.
   c. Default Landing Page - The first page that an administrator views after authenticating into the VSDM. To change this field, clear the contents and begin typing the name of any VSDM page.
8. Complete any additional Details or Notes that are visible in the VSDM.
9. Click Save to create the new administrative account.

5.1.1 Import an admin user from Active Directory
Before you begin, you must have already configured Directory Services within the VSDM.
Use the following steps to create an administrative account by importing an admin user from Active Directory:
1. Navigate to Accounts > Administrator.
2. Select a Location Group in the upper left-hand corner. This is the default location group for this administrator account. Make sure to select the highest level of access that the administrator needs. Once logged in, they will have access to all child Location Groups that are listed below the one selected.
3. Click Add User and complete the required fields.
4. Select Directory to import the user information from an Active Directory account.
   o Select the appropriate directory.
   o Enter the user's username from AD and click Check User.
5. Complete the remaining fields as required.
6. Click Save to create the new administrative account.

5.1.2 Create Admin Account Roles
Admin roles allow your business to control the security and permissions of your VSDM administrators by restricting access to components of the VSDM. You can directly control the administrator’s access by creating a new role or editing an existing role.

Use the following steps to create admin account roles:
1. Navigate to Accounts > Administrators.
2. Select Roles in the bottom left corner to edit an existing role or create a new one.
3. Click Add Role and complete the form.
   o Name/Description - Choose a descriptive role name so that the role can be easily assigned to a user.
   o Select Resource Categories to define the level of access that is available for different components of the VSDM. Click the name of the resource category to view a list of resources available for each category on the right.
   o To quickly locate resources of a specific type, use the search bar in the upper right-hand corner.
4. Click Save and the new role is available to assign to administrators.
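
Because an administrator placed at a location group can reach every child group below it, the choice made in step 2 of the two account-creation procedures above sets the account's real scope. The following added example (not VSDM code and not part of the original guide) finds the lowest location group that still covers everything an administrator needs and reports accounts placed higher or lower than that; the hierarchy, admin records and function names are constructed assumptions.

```python
"""Least-privilege check for administrator placement in a location group tree.

Added illustration: group names, admin records and function names are
constructed or hypothetical; this is not VSDM code or a VSDM API.
"""

# Constructed sample hierarchy, stored as child -> parent (None marks the root).
TREE = {
    "Global": None,
    "EMEA": "Global",
    "UK": "EMEA",
    "UK-Retail": "UK",
    "UK-Corporate": "UK",
    "DE": "EMEA",
    "APAC": "Global",
}

# Constructed admin records: where each account sits and what it must manage.
ADMINS = [
    {"name": "helpdesk01", "placed_at": "Global", "needs": ["UK-Retail"]},
    {"name": "emea-ops", "placed_at": "EMEA", "needs": ["UK", "DE"]},
    {"name": "de-admin", "placed_at": "DE", "needs": ["UK-Corporate"]},
]


def path_from_root(tree, group):
    """Return the chain of groups from the root down to `group`."""
    if group not in tree:
        raise ValueError(f"unknown location group: {group}")
    path = []
    while group is not None:
        path.append(group)
        group = tree[group]
    return path[::-1]


def reach(tree, group):
    """The group plus every child group below it: what an administrator
    placed at `group` can access."""
    if group not in tree:
        raise ValueError(f"unknown location group: {group}")
    return {g for g in tree if group in path_from_root(tree, g)}


def lowest_covering_group(tree, needed):
    """Lowest single group whose reach includes every group in `needed`."""
    if not needed:
        raise ValueError("no required location groups given")
    cover = None
    for level in zip(*(path_from_root(tree, g) for g in needed)):
        if len(set(level)) != 1:
            break
        cover = level[0]
    return cover


def audit(tree, admins):
    """Report admins whose placement grants more, or less, than they need."""
    findings = []
    for admin in admins:
        recommended = lowest_covering_group(tree, admin["needs"])
        granted = reach(tree, admin["placed_at"])
        required = set().union(*(reach(tree, g) for g in admin["needs"]))
        excess = granted - reach(tree, recommended)
        missing = required - granted
        if excess or missing:
            findings.append({
                "name": admin["name"],
                "placed_at": admin["placed_at"],
                "recommended": recommended,
                "excess": sorted(excess),
                "missing": sorted(missing),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(TREE, ADMINS):
        print(finding)
```

The role assigned to the account still limits what the administrator can do inside each reachable group, so a review should look at placement and role together.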
5.1.3 Create Administrators in Bulk
In an effort to streamline the process of importing your administrators into the VSDM, administrators can upload other administrators in bulk using the Admin Accounts batch import feature.

Use the following steps to create end-user accounts of any type (Basic, Directory based, or Authentication Proxy) in bulk:
1. Navigate to Accounts > Administrators.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
   o Batch Name - The name of the user/device batch for reference in the VSDM.
   o Batch Description - A description of the particular user/device batch for the VSDM reference.
4. Click to open up the Bulk Import Help Topic Form.
5. Select Download Template to download the Batch Import Template.
6. Enter all relevant information for each user in the template. A sample user has been added to the top of the template for reference on what type of information to put into each column.
   Note: Mandatory fields are designated with *. Also, you can use the Show Time Zone and Show Culture Code on the template download popup to view the available values for these fields.
   o All of the fields in the template are identical to the fields that are used during the Admin Account Creation process.
7. Save the template as a .CSV file.
8. Select Browse from the Batch Import Form and select the .csv file that was created.
9. Click Save to register all listed users and corresponding devices.

6 User Accounts
User accounts are utilised by end-users of the VSDM to associate devices to their respective corporate users. Vodafone recommends that for each end-user, an associated user account is created for full scalability.
Therefore, as corporate smart device fleets expand, administrators need to periodically create additional user accounts. Administrators can quickly configure and manage user accounts directly in the VSDM on the Users page.

6.1.1 User Account Security Types
User accounts can be configured in a number of different ways depending on your business requirements, deployment model, and enterprise infrastructure. The following section describes the different configurations and further sections detail how to create user accounts of each type.

Basic authentication
Basic Authentication can be utilised by any VSDM architecture, but offers no integration to existing corporate user accounts.
Pros – Can be used for any deployment method, requires no technical integration, requires no enterprise infrastructure.
Cons – Credentials only exist in VSDM and do not necessarily match existing corporate credentials. Offers no federated security or single sign-on. Vodafone stores all usernames and passwords. Administrators do not benefit from the use of User Groups when setting up their VSDM environment.

Active Directory / LDAP authentication
Active Directory/LDAP authentication is used to integrate user and admin accounts of the VSDM with existing corporate accounts. However, because this requires the VSDM server to be in direct contact with a corporate domain controller, this is typically only recommended for on-premise architectures.
Pros - End-users now authenticate with existing corporate credentials. It is a secure method of integrating with LDAP / AD for On-Premise deployments. Standard integration practice.
Cons - Requires an AD or other LDAP server. Only used for On-Premise deployments.

Active Directory / LDAP authentication with Vodafone Enterprise Integration Service
Active Directory/LDAP authentication with Enterprise Integration Service provides the same functionality as traditional AD/LDAP authentication, but allows this model to function across the cloud for SaaS deployments. The Enterprise Integration Service also offers a number of other integration capabilities as shown below.
Pros – End-users authenticate with existing corporate credentials. Only requires a single firewall port opened between the EIS server and Vodafone SaaS (port 443). Transmission of credentials is encrypted and secure. It also offers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP, SMTP servers.
Cons – Requires the Enterprise Integration Service to be installed behind the firewall or in a DMZ. Additional configuration is required.

Authentication Proxy
Authentication Proxy is a unique proprietary solution delivering directory services integration across the cloud or across hardened internal networks. In this model, the VSDM server communicates with a publicly facing web server or an Exchange ActiveSync Server that is able to authenticate users against the domain controller. This method can only be used when organisations have a public-facing web server with hooks into the corporate domain controller.
Pros – Offers a secure method to integrate with AD/LDAP across the cloud. End-users can authenticate with existing corporate credentials. Lightweight module that requires minimal configuration.
Cons – Requires a public-facing web server or an Exchange ActiveSync server with ties into an AD/LDAP server. Only feasible for specific architecture layouts. Much less robust solution than EIS.

Note: Authentication Proxy is available for on-premise customers only.

SAML 2.0 Authentication
SAML 2.0 Authentication is a new solution that offers single sign-on support and federated authentication – Vodafone never receives any corporate credentials. If an organisation has a SAML Identity Provider server, SAML 2.0 integration is recommended.
Pros – Offers single sign-on capabilities, authentication with existing corporate credentials, and Vodafone never receives corporate credentials in plain-text.
Cons – Requires corporate SAML Identity Provider infrastructure.

6.1.2 Creating (Single) End Users
Use the following steps to create single End Users:
1. Navigate to Users > Users Accounts.
2. Select the highest level Location Group under which the user needs to enrol from the dropdown menu in the upper left-hand corner. They are now able to enrol in all location groups listed below this group if the user enters the appropriate Group ID (see Location Groups) during the enrolment process.
3. Click Configuration > Add User.
4. Use the dropdown at the top of the form to select the Security Type. This determines the type of authentication to be used for this particular user.
   o Basic - The default authentication option that uses a basic username and password combination as determined by this form.
   o Directory - Authenticate with corporate LDAP or AD credentials by validating against a corporate domain controller.
   o Authentication Proxy - Authenticate with directory based credentials by validating against a proxy server instead of a corporate domain controller. This is the recommended solution for directory based authentication across the cloud for SaaS customers.
   o SAML - Authenticate using corporate Security Assertion Markup Language (SAML) credentials.
5. Refer to the appropriate sub-section below to complete the remaining fields for the security type selected.
Basic

Once Basic has been selected as the Security Type, continue to define the following criteria:
1. Enter the User Name & Password - The username and password credentials that the user enters during the enrolment process to enrol their corporate devices. The administrator must provide the end-users with this information.
2. Select whether or not to Enable Device Staging - A user with device staging enabled is able to stage enrolment for other users such that John Doe could enrol himself and then personally enrol Jane Doe and John Smith’s devices for them (See "Device Staging").
3. Select whether to enable Enrolment Restrictions for users. Once enabled, enter the authorised Location Group. This restricts the user from enrolling to locations not specified in the authorised Location Group.
4. Select a Message Type for the user to receive notifying them that they can now enrol their devices under the VSDM. Typically, this is where administrators provide end-users with the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
5. Click Save to complete the user account, or Save and Add Device to complete the user account and enter in basic details for the user’s device.

LDAP/Active Directory

Before end-users can be created using LDAP / Active Directory, the VSDM server must be configured and integrated with the LDAP/AD server. To do this, please see User Account & Device Authentication. Once Directory authentication has been configured, administrators can create Directory-Based User Accounts by following the steps above and then:
1. Enter the user's username as it displays in Active Directory, and then click Check User. If the user exists in Active Directory, the remainder of the fields appear with values prepopulated from Active Directory.
2. Complete any remaining information as needed. Mandatory fields are designated with a red asterisk *.
   Complete the Domain field if the user belongs to a domain other than the default domain or if no default domain was specified.
   Enter the User Principal Name if the User Search Setting described in the Directory Authentication Configuration does not resolve this user account.
   By default, these two fields do not need to be configured except in special circumstances.
3. Select whether or not to Enable Device Staging - A user with device staging enabled is able to stage enrolment for other users such that John Doe could enrol himself and then personally enrol Jane Doe and John Smith’s devices for them.
4. Select a Message Type for the user to receive notifying them that they can now enrol their devices under the VSDM. Typically, this is where administrators provide the end-users with the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
5. Click Save to complete the user account, or Save and Add Device to complete the user account and enter in basic details for the user’s device.

Authentication Proxy

Before end-users can be created via Authentication Proxy, the VSDM server must be configured and integrated with the public facing web server or EAS server. To do this, please see User Account & Device Authentication. Once Authentication Proxy authentication has been configured, administrators can create Authentication Proxy-Based User Accounts by following the steps above and then:
1. Complete all the basic fields. Mandatory fields are designated with a red asterisk *.
2. Complete the Domain field if the user belongs to a domain other than the default domain, or if no default domain was specified.
3. Select whether to Enable Device Staging - A user with device staging enabled is able to stage enrolment for other users such that John Doe could enrol himself and then personally enrol Jane Doe and John Smith’s devices for them.
4. Select whether to enable Enrolment Restrictions for users.
   Once enabled, enter the authorised Location Group. This restricts the user from enrolling to locations not specified in the authorised Location Group.
5. Select a Message Type for the user to receive notifying them that they can now enrol their devices under the VSDM. Typically, this is where administrators provide the end-users with the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
6. Click Save to complete the user account, or Save and Add Device to complete the user account and enter in basic details for the user’s device.

SAML

Before end-users can be created using SAML 2.0, the VSDM server must be configured and integrated with the SAML Identity Provider server. To do this, please see User Account & Device Authentication. Once SAML authentication has been configured, administrators can create SAML Secured User Accounts by following the steps above and then:
1. Complete all basic fields. Mandatory fields are designated with a red asterisk *.
   Complete the Domain field if the user belongs to a domain other than the default domain, or if no default domain was specified. By default, this field does not need to be configured except in special circumstances.
2. Select whether to Enable Device Staging - A user with device staging enabled is able to stage enrolment for other users such that John Doe could enrol himself and then personally enrol Jane Doe and John Smith’s devices for them.
3. Select a Message Type for the user to receive notifying them that they can now enrol their devices under the VSDM. Typically, this is where administrators provide end-users with the necessary enrolment credentials (Enrolment URL, Group ID, username and password).
4. Click Save to complete the user account, or Save and Add Device to complete the user account and enter in basic details for the user’s device.
6.1.3 Create End Users in Bulk

To save time and effort when importing Mobile Device Management (MDM) end-users into the VSDM, administrators can upload end-users in bulk through end-user batch import. Use the following steps to create end-user accounts of any type (Basic, Directory based, or Authentication Proxy) in bulk:
1. Navigate to Accounts > Users.
2. Click Batch Import to open the Batch Import Form.
3. Enter the basic information:
   o Batch Name – The name of the user/device batch for reference.
   o Batch Description – A description of the particular user/device batch for reference.
4. Click to open up the Bulk Import Help Topic Form.
5. Select the Download Template to download the Batch Import Template.
6. Enter all the relevant information for each user in the template. Three sample users have been added to the top of the template as an example of the type of information to put into each column. All of the fields in the template are identical to the fields that are used during the User Account Creation process and the individual device registration process. Mandatory fields are designated with a red asterisk *.
   o Column E, Security Type, is used to determine which type of security (Basic, Directory based, or Authentication Proxy) should be used to create the user account.
   o To register a device, make sure that Column T, User Only Registration, is set to No.
   o To register an additional device to the same user account, make sure that all information in Columns A–T is the same. The remaining columns are used to register each additional device.
   o To store advanced registration information, make sure that Column AA, Store Advanced Device Info, is set to Yes.
8. Save the template as a CSV file.
9. Select Browse from the Batch Import Form and select the .csv file that was just created.
10. Click Save to register all listed users and corresponding devices.
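A pre-upload check for the batch import CSV described above (the same template is used for bulk device registration), as an added example that is not part of the original guide or of the VSDM product. It enforces only the column rules the guide states (Column E, Column T, Column AA, and identical Columns A–T for additional devices of one user); the header row, the exact cell spellings and the use of Column A as the user key are assumptions.

```python
import csv
import io

# Security types the guide lists for batch import (Column E).
# The exact spellings used inside the template are an assumption.
ALLOWED_SECURITY_TYPES = {"basic", "directory", "authentication proxy"}
YES_NO = {"yes", "no"}


def col(letter):
    """Convert a spreadsheet column letter (A, T, AA) to a 0-based index."""
    n = 0
    for ch in letter.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


def validate_batch(csv_text, user_col="A"):
    """Return (row_number, message) findings for a batch import CSV.

    Assumptions (not from the guide): row 1 is a header row, and
    `user_col` is the column that identifies the user account.
    """
    findings = []
    first_seen = {}  # user key -> (row number, columns A-T of that row)
    rows = list(csv.reader(io.StringIO(csv_text)))
    for num, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        row = row + [""] * (col("AA") + 1 - len(row))  # pad short rows

        sec_raw = row[col("E")].strip()
        if sec_raw.lower() not in ALLOWED_SECURITY_TYPES:
            findings.append((num, f"column E: unsupported Security Type {sec_raw!r}"))

        if row[col("T")].strip().lower() not in YES_NO:
            findings.append((num, "column T: User Only Registration must be Yes or No"))

        adv = row[col("AA")].strip().lower()
        if adv and adv not in YES_NO:
            findings.append((num, "column AA: Store Advanced Device Info must be Yes or No"))

        # Additional devices for one user must repeat columns A-T exactly.
        key = row[col(user_col)].strip().lower()
        a_to_t = [c.strip() for c in row[: col("T") + 1]]
        if key:
            if key in first_seen:
                first_num, first_cols = first_seen[key]
                if a_to_t != first_cols:
                    findings.append(
                        (num, f"columns A-T differ from row {first_num} for the same user")
                    )
            else:
                first_seen[key] = (num, a_to_t)
    return findings


def _row(cells):
    """Build a 27-column row (A..AA) from a {letter: value} dict."""
    out = [""] * (col("AA") + 1)
    for letter, value in cells.items():
        out[col(letter)] = value
    return out


def sample_csv():
    """Constructed sample data; header names are placeholders, not the template's."""
    rows = [
        [f"col{i}" for i in range(col("AA") + 1)],
        _row({"A": "jdoe", "E": "Basic", "T": "No", "AA": "Yes"}),
        _row({"A": "jdoe", "B": "changed", "E": "Basic", "T": "No"}),  # A-T drift
        _row({"A": "asmith", "E": "SAML", "T": "No"}),  # not a batch import type
        _row({"A": "bjones", "E": "Directory", "T": "maybe"}),  # bad Yes/No value
    ]
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for row_number, message in validate_batch(sample_csv()):
        print(f"row {row_number}: {message}")
```

Because the template's fields match the User Account Creation form, a file with Basic rows holds the same enrolment credentials the form would, so it should be stored and deleted with that in mind.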
6.2 Device Registration

Device registration allows both administrators and end-users the ability to enter in information about the specific devices that are enrolled under mobile device management. This feature also provides an added level of secure authorisation so that only authorised devices can enrol. There are several ways that registration can be accomplished to accommodate different needs and requirements.

Administrators can register individual devices to add important device and asset information such as Friendly name (the device name created by the administrator for easy recognition in the VSDM), model, OS, serial number, UDID and asset number. This process can directly follow User Account creation by selecting Save and Add Device.
Administrators can register a list of devices (for similar reasons as those listed above) in bulk. This process takes place during Bulk User Account Creation.
Administrators can invite end-users to register so that they can enter in details about their devices themselves and initiate device registration from their end. This process takes place on the end-user’s device, in the Self Service Portal.

6.2.1 Administrator Registers a Single Device

Use the following steps to register an individual device:
1. Open the Add Device form using one of the methods below:
   o Navigate to Accounts > Users and select Add Device from the Actions next to the existing user account that you want to associate with the device. The Add Device form displays.
   o Complete the New User Account Creation Process, and then click Save and Add Device at the end. The Add Device form displays:
2. Complete the General information and Message information sections.
   o Friendly Name - The name of the device to be displayed in the VSDM for easy recognition.
   o Location Group - Specifies the location that manages the device.
   o Ownership Type - Specify a device ownership type (Corporate-Dedicated, Corporate-Shared or Employee Owned) to distinguish between corporate and employee-owned devices. This allows the administrator to customise MDM policies based on ownership type to allow for maximum privacy and protection.
   o Tick the Show Advanced Device Information Options box to manually enter additional device information to be displayed in the VSDM.
      UDID - Universal Device Identifier
      Platform/Model/OS - Specific device information
      SN/IMEI/SIM/Asset Number - Specific device reference numbers to distinguish this particular device
   o Message Type - Specify whether the activation message is sent via SMS or Email.
   o Address/Subject/Message Body - The message text that is sent out to the provided address after the device is registered. This message usually contains the enrolment link and Group ID.
3. Click Save to finish the form and send the specified message to end-users. The end user receives the message and proceeds with enrolment.

6.2.2 Administrator Registers a List of Devices

Use the following steps to register a list of devices by batch import:
1. Click Batch Import to open the Batch Import Form.
2. Enter the basic information:
   o Batch Name - The name of the user/device batch for reference in the VSDM.
   o Batch Description - A description of the particular user/device batch for VSDM reference.
3. Click to open the Bulk Import Help Topic Form.
4. Select the Download Template to download the Batch Import Template.
5. Enter all relevant information for each device in the template. Three sample users have been added to the top of the template as an example of the type of information to put into each column.
   All of the fields in the template are identical to the fields that are used during the User Account Creation process and the individual device registration process.
   o To register a device, make sure that column T, User Only Registration, is set to No.
   o To register an additional device to the same user account, make sure that all information in columns A - T is the same. The remaining columns are used to register each additional device.
   o To store advanced registration information, make sure that column AA, Store Advanced Device Info, is set to Yes.
6. Save the template as a CSV file.
7. Select Browse from the Batch Import Form and select the .CSV file that was just created.
8. Select Save to register all listed users and corresponding devices.

6.2.3 Invites Users to Register

If an administrator wishes to have end-users register their own devices, the administrator must notify end-users that they need to complete the registration process and provide them with the appropriate registration URL and credentials (please refer to Creating Basic End Users). Following are the two ways to notify end-users. In either case, the administrator must let the end-user know two things:

Where to register - End-users can register by navigating to the Self-Service Portal URL. This URL takes the form of https://<VodafoneEnvironment>/MyDevice where http://<VodafoneEnvironment> is the enrolment URL.
How to authenticate into the Self Service Portal - This information includes a Location Group (Group ID) and the Username and Password that users should use to register their device.

To notify users:
1. Enable Enrolment authentication for either Active Directory or Authentication Proxy (edit these settings in Configuration > System Settings > Device > General > Enrolment > Authentication).
2. Restrict Enrolment To Known Users under Enrolment Restrictions (edit these settings in Configuration > System Settings > Device > General > Enrolment > Restrictions).
3. Send an Email or intranet notification to the entire user group outside of the VSDM with the registration instructions.

This method is generally used if administrators do not have any user accounts already created for end-users and they want end-users to be able to enrol and register their devices without assistance or administrative effort.

Alternatively, administrators can first create user accounts for all of the end-users to register their devices and then send User account activation messages to each user containing the registration instructions.

6.2.4 End User Registration

Once the administrator sends the registration notification to the user (if the administrator does not choose to register the devices for the users), end-users need to register the device. Use the following steps to help guide end-users through the registration process.
1. Navigate to the Self-Service Portal URL (either in the device browser or from any internet browser).
2. Enter the provided Group ID, Username, and Password.
3. Click Register Device to open the Device Registration Form.
4. Complete the device information fields:
   o Expected Friendly Name - The name of the device that is shown in the VSDM (the expected friendly name is also used to track the device registration status). For example, 'John Smith’s iPad'.
   o Platform / Model / OS - The details of the specific device.
   o Device Ownership - Select whether or not the device is personally owned.
   o Message Type - Select the message format for the end-user registration confirmation.
   o Email Address / Phone Number - The address or phone number of the recipient of this message.
5. Click Save to complete the End-User registration process.

6.3 Device Staging

Device staging allows one user (IT Admin User) within a company to enrol a device on behalf of another user (End User). Companies may find this feature useful if they wish to provide employees with pre-enrolled devices, thus saving the employee the trouble of enrolling the device themselves. Before a user can enrol a device on behalf of another user, device staging must first be enabled on their account.

Use the following steps to enable Device Staging:
1. Navigate to the User Accounts page.
2. Find the User who needs to enrol the devices (IT Admin User), then click Edit User in the Actions on the right.
3. Scroll down and tick the Show advanced user details.
4. Tick the Enable Device Staging box.
5. Click Save.

Now that Device Staging has been enabled, the IT Admin User may proceed to enrolling other Users' devices. Use the following steps to enrol user devices:
1. On the device that is going to the End User, open the browser (or open the VSDM agent) and enter the enrolment URL.
2. Enter the appropriate Group ID for that device (See 'Device Registration' for more information on device enrolment).
3. Enter user credentials (for IT Admin User).
4. Go to the Next page and enter the Username of the User that owns this device (End User).
5. Confirm/Update the user's information.
6. Accept the Customer EULA when prompted.
7. Tap Install Now to complete the enrolment process.

6.4 Language Management

The VSDM can use a variety of in-built display languages. It also has the option to incorporate additional Language Packs and edit phrases that are used in a specific language.
The Language option can be changed for a specific individual while leaving the default language unchanged for other users.

6.4.1 Activating Language Packs

Use the following steps to incorporate an additional language pack in the VSDM:
1. Navigate to Advanced > Language Management.
2. Select Language Activation.
3. Choose the language pack you would like to add and click the arrow to add it to the Active Locales list.
4. Click Save to finish and add the language pack to the VSDM language options.

Note: This feature is for on-premise customers only.

6.4.2 Selecting and Changing Language

The VSDM allows the language to be set both for a specific user and/or a specific location. Use the following steps to change the language for the user:
1. Navigate to Menu > Administrators > Admin Accounts. The Add/Edit user page displays.
2. Change the Locale to the desired language.
3. Save the changes.
4. Log off and log back in to display the new language.

6.4.3 Localisation Editor

The Localisation Editor is used to edit specific words or phrases that do not translate properly to the desired language. Use the following steps to customise words or phrases:
1. Navigate to Menu > Language Management. The Localisation Editor is displayed by default.
2. Choose the Locale you wish to edit, and click Search.
3. Find the word or phrase that is incorrect and click the Actions menu.
4. Select Create Override. The Custom Text screen displays.
5. Make the desired changes and click Save to apply the language override.

Note: This feature is for on-premise customers only.

6.5 Important VSDM Setup considerations

Pay close attention to Location Group hierarchy when creating and editing administrator accounts.
It is important to enable permissions at the highest Location Group needed in order to ensure the administrator has the proper editing capabilities.
   o The selected Location Group is always displayed in the upper left-hand corner of the VSDM.
There are three pieces of information the administrator needs to communicate to end-users:
   o The VSDM Enrolment URL which is the same URL that you use to access the VSDM.
   o Group ID to identify the home Location Group (the Group ID is determined in Configuration > Locations & Groups > Location Group Details).
   o Username and password unique to the end-user (Username and password are defined in Users > User Accounts > Add User or Edit User). Depending on the selected Security Type, the username and password may be created by the administrator (Basic) or integrated with the Directory, Authentication Proxy, or SAML.
If your organisation is using device registration and is in need of assistance, contact Vodafone Support.

7 Device Management

7.1 Overview

Smart device management is centralised in the VSDM. From the VSDM, the administrator is able to leverage the following VSDM features:
Customise comprehensive asset tracking in the form of real-time device data across the mobile fleet, regardless of device type, carrier or location.
Navigate an interactive dashboard of mobile and telecom data to help the organisation make more informed decisions based on actual mobile telecom usage.
Perform remote actions on devices.
Generate a custom library of reports.
Enable proactive alerts for both users and administrators when predetermined thresholds are reached.

The following sections describe how administrators can utilize the specific pages within the VSDM to effectively and efficiently manage smart devices.
7.2 Dashboard Navigation

The Dashboard page centralises smart device monitoring by giving administrators high-level views of their entire fleet of mobile devices with the ability to drill down to the individual device level. To access the Dashboard page, navigate to: Dashboards > Dashboard. From the Dashboard, administrators can see an overview of graphics and statistics for a particular location group or for an entire device fleet, or they can quickly locate information on a specific device by clicking the Friendly Name highlighted in red.

7.2.1 Location Group Sidebar

The Location Group Sidebar on the left of the screen allows administrators to view devices belonging to specific location groups, as well as all of its Children Groups. Administrators can also use the Search field to find specific Location Groups:
Expandable Tree Structure - Find location groups and show lineage from parent to children groups.
Search Box - Search for specific location groups by name, partial name, or keyword.
Expand/Collapse Feature - Fully expand or collapse the Location Group hierarchy.
Pin Feature - Pin the location group sidebar back onto the Dashboard sidebar.

7.2.2 Dashboard Views

There are also several views available on the Dashboard page that give administrators the ability to view entire listings of devices based on each of the metrics listed below:
Asset Tracking - View devices based on ownership type, platform, and last seen metrics.
Device Compliance - View devices based on their device rules compliance status, passcode policy compliance, and data encryption status.
Enrolment Status - View devices and track the complete enrolment lifecycle from registration to end-of-life, as well as identify devices that are pending device wipe.
Email Management - View devices that attempt to gain corporate email access through the Secure Email Gateway (SEG) and their status.
Telecom - Roaming - View devices that have indicated a roaming telecom status.

7.2.3 Advanced Views

There are also several Advanced views available that give administrators the ability to view entire listings of devices based on each of the metrics listed below:
Device Groups - View all devices, statistics (i.e. total number of devices per group and percent of devices in that group).
Location Groups - View the number of inactive and active devices within each Location Group.

7.2.4 Graphical Portlets

The Graphical Portlets on the Dashboard page display relevant statistics, as well as providing an easy way to select a group of devices according to a number of categories. The example below is from the Asset Tracking view. The Asset Tracking default screen graphically represents Device Ownership, Platforms, and Last Seen data above the grid. The two icons in the right hand corner of the graphical representation box, when clicked, display the data graphically or in a textual table. Toggle between graphical and textual representation of data as follows:
1. Click to view the data graphically (pie or bar chart).
2. Click Data Group to view data in a textual table.
3. While in textual mode, click any Data Group and the grid below begins to reload and display the information based on that specific data group. This feature is only available in this mode.

7.2.5 Dynamic Device List

The Dynamic Device List on the Dashboard page contains a flexible list of devices and associated metrics that pertain to each view:

There are several ways for an administrator to select, order, identify, find, filter, etc. specific devices from the Dynamic Device List page:
Select any of the Device Details. For example, graphical or textual tables shown above the grid.
Click any of the Data Groups from the Graphical Portlets. For example, when in textual table format, click any line item to display data.
Click any of the Column Categories to re-sort the list. For example, clicking Last Seen re-sorts the grid to either the oldest or latest seen devices.
On the top, right side of the grid, there are four more icons that provide additional sort, search, export, and display tools that perform in the following ways:
   o Change any one of the three graphical (e.g. pie chart) representations of data (portlets) above the grid from graphical to textual table and the Filter dropdown changes to represent your selection, as shown in the example below:
   o Enter in the Filter Grid field any keyword(s) and then press Enter. The grid re-sorts and only displays those devices that contain the keyword(s) you entered, as shown in the example below:
   o Click Refresh. The grid refreshes to display the default Available Columns layout, and all device data based on any search criteria in the Filter dropdown and Filter Grid field, as shown in the example below:
   o Click Export All. The data in the grid exports into an Excel spreadsheet, as shown in the example below:
   o Click Hide Chart to hide all graphical and textual table portlet data so that only the grid displays.
   o Click Tools (Hammer and Wrench) to display Available Columns which you can use to customise device data that displays in the grid. The example below displays when in the Asset Tracking view. The Available Columns change depending on the Dashboard view selected.
7.3 Device Control Panel

Use the Device Control Panel from the Dashboard page to view detailed information or perform remote actions on individual devices. To open the Device Control Panel, locate an individual device on the Dashboard page by using any of the available search tools, and select it. The overlaid Device Control Panel window displays:

The Device Control Panel contains two primary menus:
A Device Information Menu to view detailed information and statistics.
A Remote Actions Menu to perform administrative actions over the air.

Note: Information and actions in the Device Control Panel are subject to availability according to privacy settings and mobile OS platform compatibility.

7.3.1 Device Information Menu

The Device Information Menu shows detailed information related to each of the listed categories. More information about each device information category is shown below.

Summary

The Summary section shows hardware, MDM, encryption, and passcode compliance, in addition to other general information:
Hardware - Displays device hardware information.
Security - Shows device compromised and encryption level data.
Passcode - Shows if a passcode is present and whether or not it meets the passcode requirements.
Network - Shows network information such as SIM Card and roaming status.
Profiles - Shows all profiles and profile installation status.
Certificates - Shows installed certificates and expiration or near expiration status.
Applications - Shows the number of apps currently installed on the device.
Content - Shows a configurable view of repositories and content.
Compliance

The Compliance view shows the compliance status of the device, including the name and level of all the compliance policies in effect. Additionally, the administrator can see the current level of compliance actions and the next level of action that is performed if the device continues to be non-compliant.

Profiles

The Profiles section shows all of the VSDM profiles that have been sent to the device and the status of each profile.
Status - Shows the profile installation status:
   o Installed.
   o Pending install.
   o Not installed.
   o Pending removal.
   o Removed.
   o Blocked (due to Compliance Settings).
   o Failed for latest version.
Note: Profile installation is blocked due to Compliance Settings. A failed status is reported when the installed profile is out-of-date.
Type - Shows the profile type: automatic, optional or interactive.
Location Group - Shows the Location Group to which the profile is assigned.
Actions - Provides the ability to remotely install or remove the profile.

Apps

The Apps section displays all applications that have been installed on the device. Following are the field descriptions for apps:
Status - Shows the application installation status:
   o Installed.
   o Pending install.
   o Not installed.
   o Pending removal.
   o Removed.
   o Blocked.
Type - Shows whether it is an internal or public application.
Actions - Provides the ability to install or remove the application.
Note: Application installation is blocked due to Compliance Settings.

Content

The Content section is only applicable to devices equipped with the Secure Content Locker. The Content section displays information about the content available in the Secure Content Locker.
All Content - Displays information about all available content.
   o Active - Tap the grey circles to make the document available (left/green) or not available (right/red).
   o Type - Displays the document format; hover over the icon to display the format type.
   o Name - Shows the document name as it displays both in the VSDM and in the Secure Content Locker.
   o Priority - Displays the level of priority of the document.
   o Deploy - Displays the deployment method.
   o Actions - Provides the ability to install or delete content.

Settings

The Settings section displays information on device settings.
Categories - Shows the file system for the content.
Content Repository - Links to repositories and displays document ownership.
User Storage - Shows the amount of storage available to and used by each device.

Certificates

The Certificates section shows all of the certificates currently stored on the device and provides basic supporting information.

Note: iOS devices should always show at least one current certificate for the MDM to identity the certificate issued during enrolment.

User

The User section shows user-specific information including Name, Status, Username, Email, Group, Email Username, Security Type, and Contact Number. It also displays a list of all devices that the user has enrolled.

GPS

The GPS section shows the GPS co-ordinates of the device. The default display is 'Last Known', which is the most recently received co-ordinates. Use the following steps to view GPS co-ordinates over a specific period of time:
1. Select the time span to view GPS co-ordinates from the Period dropdown menu.
2. Click Search. The search results return the entire available GPS co-ordinate trail (breadcrumbs) over the requested period.
3. Click the Play Sound icon to play a sound on a lost device to facilitate location.
Note: Information availability is subject to privacy settings as specified in Configuration > System Settings > Device > General > Privacy.

Event Log
The Event Log contains a comprehensive log of all interactions between the VSDM and the device. The administrator can further track device events through the following actions available from this view:
1. Click Refresh Data to instantly update the Event Log.
2. Type an event keyword into the Search Filter to filter the event log according to a type of event (for example, security events).
3. Click Export All to export all events as a CSV file.
Additionally, the administrator can view all VSDM and device events in the Administration Event Log, or integrate with Syslog on the Syslog settings page (located in Configuration > System Settings > Admin > Event Log).
Note the following important Event Log fields:
Severity - Ranks the event severity level based on the event definition.
Source - Shows the source of the event (for example, 'Server').
Event - Provides a brief categorisation/summary of the event. Examples of events include:
  o Enrolment Complete.
  o Install Profile Requested.
  o Security Information Refused.

7.3.2 Remote Actions Menu
With the Remote Actions Menu, administrators can perform any of the listed actions on the selected device over-the-air.

Device Query
Manually requests that a remote device sends a comprehensive set of MDM information to the VSDM. This immediate request overrides the timed device check-ins.

Clear Passcode
Clears the passcode on remote devices. This is useful when end-users forget passcodes or become locked out of devices.

Send Message
Send different types of messages to devices over-the-air:
Email - Send remote emails to any address on properly configured SMTP settings.
SMS - Send remote SMS text messages to any phone number with an SMS service account with CellTrust and properly configured credentials.
Push Notifications - Push notifications are available for Apple iOS, Android and Windows Phone 8 devices to provide faster command response time from the VSDM, and migration from cloud to deprecated device management:
  o Send Apple Push Notification messages to iOS device end users that have the VSDM Agent installed, displaying the message body in the notification.
  o Implement Google Cloud To Device Messaging for Android devices enrolled in the VSDM.
  o Send Microsoft Push Notification messages to Windows Phone 8 device end-users enrolled in the VSDM that have the Company Hub App installed.*

Lock Device
Lock the device, requiring the device user to unlock the device with the appropriate passcode for continued use.

Enterprise Wipe
Wipes all corporate data from the selected device and removes the device from the VSDM. All of the enterprise data contained on the device is removed, including VSDM profiles, policies, and internal applications. The device returns to the state it was in prior to the installation of the VSDM.

Device Wipe
Performs a full wipe of the device. Wiping the device removes all data, email, profiles and VSDM capabilities and the device returns to factory default settings. Prior to the wipe, a device ownership confirmation message serves as a security precaution, and a key code is a requirement for performing the device wipe.
Note: Device Wipe is subject to privacy settings as specified in Configuration > System Settings > Device > General > Privacy.

Find Device
Makes a set of audible notification tones in iOS and Android devices to facilitate device location by end-users.

Enable/Disable SD Card
Enables or disables the SD card on the device remotely.
Remote View
This provides a remote view of select devices and applications (Windows Mobile with the aid of the VSDM agent). The capture button takes a screen capture to preserve any error screens or other issues.

Enforce Device Encryption
Encrypts internal storage in devices without encrypting the removable storage card.*

*New Feature in VSDM Release 3

7.4 Device Search
The latest release of the VSDM Dashboard added many new features as well as upgrades to existing features to make them more versatile and flexible for administrators.
The Device Screen has been divided into three sections. To find out more about each section of the screen, click any of the links to access the topics described in the following sections.

7.4.1 Device Search - Left Panel
Location Group - Click the dropdown arrow to view the devices belonging to that location group and all child location groups.
Saved Criteria - Click the dropdown arrow to select the last saved search criteria. This can save you time when you need to perform the same search on a frequent basis.
Platform - Tick one or more of the checkboxes to select the type of device you want to search for in the grid.
Model - Click the dropdown arrow to select the Model of the device based on the Platform you selected. If you choose more than one Platform, this feature is grayed out and no longer available.
Ownership - Tick any one of the four checkboxes to define who owns the device. It is best not to leave Undefined unchecked, so that other VSDM features are available to you when managing that device.
Advanced Search - Click Advanced Search and the following window displays:
  o Tick one or more of the 13 available checkboxes to custom define an advanced VSDM search.
  o For every checkbox you select, a respective field displays in which you enter search information, keywords, etc.
  o Click Search to find devices that match the advanced search criteria.
The advanced search displays all the devices that match the search criteria entered.

7.4.2 Device Search - Top Panel
The top panel of the screen displays a bar with the features described below:

Management
Hover over the text to display the management dropdown window. Select a line item from the grid by ticking the checkbox, and then do the following:
Select Lock Device to completely disable that device.
Select Enterprise Wipe to remove all corporate data from that device.

Support
Hover over the text to display a Send Message and GPS dropdown window. Select a line item from the grid by ticking the checkbox, and then do the following:
Select Send Message to email Technical Support regarding that device.
Select GPS to find where that device is located. For more information, see Device Details.

Admin
Hover over the text to display a Change Location Group and Delete Device dropdown window. Select a line item from the grid by ticking the checkbox, and then do the following:
Select Change Location Group to move that device to a different location group.
Select Delete Device to remove that device from the VSDM.

Advanced
Hover over the text to display a Warm Boot and Provision Now dropdown window. Select a line item from the grid by ticking the checkbox, and then do the following:
Select Warm Boot to remotely reboot that device.
Select Provision Now to perform a number of configurations for that device.

7.4.3 Device Search - Main Panel
Across the top of the grid, there are 9 column headings that can be used to sort device information:
Last Seen.
Friendly Name.
User.
Email.
Platform.
OS.
Model.
Phone.
Location Group.
Sort Options - Click any of these headings, as shown in the figure above, and the grid quickly reorganises device information based on your selection.
Grid Search - Click Grid Search and enter any search words, such as device Friendly Name, Display Model, etc., as shown below, then press the enter key to filter the device information that displays in the grid. You can use keywords (e.g., Group) and find all occurrences of line items in the grid that contain that keyword (e.g., Atlanta Group, or Radiology Group).

7.5 Device Details
View device details to track detailed device information and quickly access user and device management actions. Use one of the following two ways to view the Device Details:
1. Click the Friendly Name of the device in the device dashboard. When the Device Control Panel displays, click the name again.
  o Use any of the available search tools to search for an individual device:
2. From the search results, click the Friendly Name of the individual device to open up the Device Details page. Many of the Device Details are identical to the information in the Device Control Panel. For information on the Security, Profiles, Apps, Certificates or Event Log views, please reference the section on the Device Control Panel.
3. View details of the specific device by selecting one of the categories listed in the navigation bar on the left side of the Device Details page. Further information on each of the categories is provided in the following sections.

7.5.1 Device Information
The Device Information View is shown by default when the Device Details page is first opened. It can be shown again by selecting the Information tab under Device Details.
Use the left hand navigation bar to access additional device information.
iOS and Android devices offer different tabs in this bar.

General
From this view, administrators can see a number of general statistics about the current device, including:
Device Status and Last Seen.
Phone number (when available and subject to privacy settings as specified in: Configuration > System Settings > Device > General > Privacy).
Platform/Model/OS.
Device Ownership/Device Category/Device Group.
Location Group/Location.
Serial Number/UDID/Asset Number.
Power Status/Storage Capacity/Physical Memory/Virtual Memory.

Apps
The Apps tab shows applications that are currently installed on the device.

Certificates
Identifies device certificates by name and issuer. Additionally this tab provides information about certificate expiration.

Compliance
Displays the status, policy name, date of the previous and forthcoming compliance check, and the actions already taken on the device.

Content (iOS)
Provides a configurable view of content, and allows administrators to view content on individual devices. This tab displays the status, type, name, priority, deployment, last update, and date and time of views. It also provides a toolbar for administrative actions (install or delete content).

Location
Select the Location tab under Device Details to view current location or location history of a device. This shows the GPS co-ordinates of the device (subject to privacy settings as specified in System Settings > Device > General > Privacy). The default display of Last Known shows the most recently received co-ordinates.
Use the following steps to view GPS co-ordinates over a select period of time:
1. Select the time period for which you would like to view GPS coordinates from the Period dropdown menu.
2. Click Search. The search results return the entire available trail (breadcrumbs) of GPS coordinates over the requested period.
Network
To view the current network status of a device, select the Network tab under Device Details.

Profiles
Displays the profiles on a device.

Device Restrictions (iOS)
To show the Device Restrictions View, select Restrictions under Device Details. Administrators can see all of the security restrictions that have been placed on the device through the use of restrictions profiles. This information is organised into four separate views: Device, Apps, Ratings and Passcode.

Device
The Device tab shows all restrictions in effect for the device from a generic system-wide level. They are not limited in scope to individual applications or profiles like the other restrictions tabs.

Apps
The Apps tab shows the deployed application restrictions for the device. Allow use of YouTube removes the YouTube application from the device so that end users cannot use it. Allow use of iTunes Music Store and Allow explicit music and podcasts limit these specific features from within the iTunes applications. Allow use of Safari, Enable Autofill, Force Fraud Warning, Enable JavaScript, Enable Plugins, Block pop-ups and Accept Cookies all apply to the Safari Web Browser Application.

Ratings
The Ratings tab shows all the restrictions that determine content control of Movies, TV Shows and Apps from iTunes and the App Store. If content filtering is applied, only specific media that has a lesser age rating is permitted for download.

Passcode
The Passcode tab shows all the current settings of the passcode policy that has been provisioned to the device.

Security
Shows the security status of the device.

Telecom
The Telecom section provides details about:
Calls - Total number of minutes used and detailed call logs. Call logs include call time, duration, direction (incoming or outgoing), phone number, carrier information and roaming status.
Note: Phone numbers and carrier details are only available in Android devices.
Data - Total cellular data usage on the mobile device, including daily logs for data sent/received.
Messages - Total SMS/MMS messages that are sent and received (Android only) and detailed message logs.
Note: Information provided is subject to privacy settings as specified in Configuration > System Settings > Device > General > Privacy.

User
Click this tab to access details about the user of a device as well as the status of the other devices enrolled to this user.

7.5.2 Device Activity

Alerts
To view all of the alerts that have been triggered by the current device, select Alerts under Device Activity. From here, administrators can see specific alerting details for Severity, Priority, Attributes, Values, Duration, Alert Date, and Creation Policy.

7.5.3 Configuration

Attachments
To attach images, documents or links that are relevant to the device, select Attachments under Configuration. There are three views in the attachments tab: Images, Documents and Links. These categories are only used within the Group ID to help administrators organise attachments.
Examples of relevant device information administrators may want to include in this area include:
Copies of support tickets regarding the device.
Screen shots from the device.
Device support documentation.

7.6 Device Details Management
The Device Details Management menu is located underneath the 'Device Friendly' name on the Device Details page. It provides shortcuts to quickly manage both the device and the user account associated with the device.
Move your mouse over Query, Management, Support or Admin to see the dropdown menu management options.

7.6.1 Query
The Query menu allows the administrator to request information from the device.
Click the category to send a query to the device. Select Query All to request all of the categories. Alternatively, you can send individual queries for the following device information:
Device information.
Security.
Profiles.
Apps.
Certificates.

7.6.2 Management
The Management menu allows the administrator to instantly perform the following remote device actions (please refer to the section on Remote Actions for further explanation of the first four options):
Clear Passcode - Clears the passcode on the remote device.
Lock Device - Locks the device, requiring the end-user to unlock it with a passcode to resume device use.
Enterprise Wipe - Removes the device from the VSDM by un-enrolling and selectively wiping all enterprise data.
Device Wipe - Performs a full wipe of the device.
Set Roaming - Enables or disables the voice and data roaming options.
Note: Refer to the section on Remote Actions for further explanation of the first four options.

7.6.3 Support
The Support menu provides options to instantly perform the following remote device actions on supported devices (please refer to the section on Remote Actions for further explanation of the first three options):
Send Message - Allows administrators to send Email, SMS or Push Notifications to devices over-the-air.
Find Device - Forces iOS devices to make a set of audible notification tones to help end-users locate their devices.
Remote View - Provides a remote view of select BlackBerry and Windows Mobile devices and applications. The capture button takes screenshots to record any issues and errors.
Request Device Check In - Sends a message to the device requesting a check in with the VSDM agent.
File Manager - Browses the Android device file tree, creates folders and uploads or downloads files remotely.
Remote Control - Controls Windows Mobile and BlackBerry devices remotely.
Note: Refer to the section on Remote Actions for further explanation of the first three options.

7.6.4 Admin
The Admin menu allows administrators to instantly edit the following device and user settings:
Change Location Group - Edit the device user’s Location Group.
Edit Device - Edit the following device settings:
  o Friendly Name.
  o Device Ownership type.
  o Device Group.
  o Device Category.
Delete Device - Deletes a device, as well as any information created for that device, from the VSDM.
Enrol - Enrols the device in the VSDM.

7.7 Administration Event Log
The VSDM records all administrative actions taken within it and any device events sent to or received from devices and stores them in the Event Log. Administrators can view these events by using the Event Log dashboard, which can be accessed by navigating to: Administration > Event Log.
All events that occur in the VSDM and on managed devices are tracked in the VSDM. Data is presented on both this primary event log and on the device-specific event log found in the Device Control Panel. Administrators can select from the views on the left in order to view Device Events or Console Events.
From the dashboard, administrators can filter and/or sort events in a number of ways, including:
Severity.
Date Range.
Device Friendly Name.
Source of event.
Category.
Event.
The administrator can further track device events through the following actions available from this view:
1. Click Refresh Data to instantly update the Event Log.
  o With certain event types, administrators can also view more detailed event data by clicking the Event Data link in the right-hand column.
2. Type an event keyword into the Search Filter to filter the event log according to a type of event (for example, security events).
  o Additionally, the administrator can configure Syslog integration on the Syslog Settings page (located in Configuration > System Settings > Admin > Event Log).

7.8 End User Self-Service
The Self-Service Portal (SSP) allows end-users to remotely monitor and manage their smart devices. The SSP provides administrators with the ability to view relevant device information for any of their enrolled devices and to perform remote actions such as clear passcode, lock device, or device wipe.

7.8.1 Enabling the SSP
End-users of iOS and Android devices can access the SSP directly from their device. Allowing managed devices to access the SSP simplifies the administrative experience by allowing end-users to:
  o View important compliance information.
  o Download optional profiles.
  o Manage multiple devices on one device from the SSP.
In order for end-users to access the SSP from their device, the administrator must first deploy a Web-Clip (iOS) or bookmark (Android) profile containing the SSP web-based application URL.
For Android devices:
1. Navigate to Profiles & Policies > Profiles.
2. Select Add.
3. Enter Basic Profile Information in the General Settings.
  o Select the device platform.
  o Name the profile, for example: Self-Service Portal Web-Clip for iOS Devices.
  o Specify root Location Groups to manage the profile and assign the profile to.
  o Optionally specify User Groups to deploy the profile to.
4. Select the Web-Clip (iOS) or Bookmark (Android) on the left sidebar.
5. Enter in the Profile Information.
For iOS devices:
1. Navigate to System Settings > Device > Agent Settings.
2. Tick the Self-Service Enabled box.
3. Complete the following information:
  o Label - The text displayed beneath the Web-Clip icon on an end-user’s device.
    For example, 'Self-Service Portal'.
  o URL - The URL that the Web-Clip displays. For the SSP, use the following URL: http://<VodafoneEnvironment>/mydevice/. This field supports lookup values so that the administrator can more easily configure the custom SSP URL.
  o Removable - Tick the box to allow the end-user to remove the SSP Web-Clip.
  o Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format. For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary, and converted to png format. Web-Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
4. Click Save and Publish to immediately send the profile to all appropriate devices.
Note: Access to information and Remote Actions in the SSP is determined by both Privacy settings (Configuration > System Settings > Device > General > Privacy) and Role settings (Users > Admin Accounts). If multiple settings are in place, the strictest policy is enforced.

7.9 Retiring a Device
In the event that a device must be removed from mobile device management, there are several possible methods to un-enrol the device from different sources.
Automatic Un-enrolment - The VSDM Compliance Engine can be configured so that devices that are non-compliant with Application or Device compliance policies are automatically un-enrolled from mobile device management.
Administrative Un-enrolment - Administrators can also un-enrol devices over the air in one of two ways:
  o The administrator may manually perform an Enterprise Wipe from the Device Dashboard page or the Device Details page.
  o Alternatively, an administrator may set up the VSDM to automatically perform an Enterprise Wipe on the devices of deactivated users.
The administrator must first make sure the Default Action For Inactive Users is set to 'Enterprise Wipe Currently Enrolled Devices'. This can be done from the Enrolment page (Configuration > System Settings > Device > General > Enrolment). Once this has been configured:
The administrator can manually deactivate users by navigating to Administration > User Accounts, checking the user accounts, and then clicking the Deactivate link at the top. This un-enrols all devices under that user.
If AD/LDAP has been integrated with the VSDM, any users that are deactivated/removed from AD/LDAP are automatically deactivated from the VSDM, thus causing their device(s) to be automatically un-enrolled.
End-User Un-enrolment - If an end-user decides to opt out of corporate mobile device management, then they can initiate the Un-enrolment process from their own device(s).
Although the process is different for each manageable platform, the general steps involve removing the administrative privileges of the VSDM and removing any VSDM agents from the device.

7.10 BYOD Configuration Best Practices
An increasing number of corporations are implementing BYOD programs. It is easy to configure the VSDM settings to take into account the device ownership type when deploying profiles, restrictions, compliance policies, and other important settings. The following configurations are recommended for BYOD deployments.

7.10.1 Assign Profiles and Policies by Ownership Type
Use the Ownership field when specifying the assignment criteria for applications, profiles, content, and compliance policies to ensure that employee-owned devices receive fewer restrictions than corporate-dedicated devices.
7.10.2 Configure Privacy Settings
Configure the VSDM Privacy settings (System Settings > Device > General > Privacy) to protect the personal data of your employees:
Configure the VSDM to Not Collect User Information and Telecom Data for personal devices.
Disable the ability to issue a full device wipe on personal devices.

7.10.3 Isolate Corporate Content
Use the Vodafone Secure Content Locker (SCL) to isolate and protect corporate content on personal devices. The following settings enforce maximum restrictions for content:
Allow Online viewing only.
Force encryption.
Disable Open in Email.
Disable Open in Third Party Application.
Note: This feature is an additional product. Access may vary subject to local market availability.

7.11 Important Device Management Considerations
Before performing remote actions on a device, take into account the device ownership type. Refer to BYOD Configuration Best Practices.
The administrator may want to use privacy settings (specified in Configuration > System Settings > Device > General > Privacy) and role permissions (specified in Accounts > Administrators > Roles) to restrict lower-tier administrator access to employee-owned device data.

8 Profile Management

8.1 Overview
Create and deploy configuration profiles that define enterprise settings, policies and restrictions for devices without requiring user interaction. The VSDM delivers signed, encrypted and locked configuration profiles over-the-air to ensure they are not altered, shared or removed. A single deployed profile contains customisable settings called Payloads.

8.2 Profiles Page
The Device Profiles page in the VSDM is the mechanism for managing and pushing profiles to end-user devices over-the-air.
Search Bar - Search for a profile based on specific profile attributes.
Active - See if a profile is available to new devices. Green represents an active and available profile that is available to new devices. Red represents an inactive and unavailable profile.
Managed - Managed profiles are associated directly with the VSDM, therefore, managed profiles are removed from un-enrolled or retired devices. Unmanaged profiles remain on devices, regardless of the VSDM enrolment status.
Ownership - Shows device assignment of profiles, specifically to corporate-owned or employee-owned devices.
Managed By - The location group that has access to edit, publish or delete a profile.
Actions - Manage the profile using the following options on the Action menu:
  o Edit - Customise an existing profile.
  o Copy - Copy an existing profile with a new profile name.
  o View Devices - View devices that are available for that profile and if the profile is currently installed.
  o Publish - Push out to devices any profiles matching the profile criteria.
  o View XML - View the XML code sent over the air to devices describing the application or profile.
  o Edit Assignment - Change the Location Groups a profile is assigned to without republishing the profile to every assigned user.
    Note: In order to change a User Group assignment, select the Edit option.
  o Delete - Deletes a profile and removes it from devices.

8.2.1 Toggling Profile Views for Assignment Testing
There are three grid filters at the top right of the profiles page that can be turned on and off as desired. Click to enable or disable the following filters and options for viewing and testing profile assignments:

Toggle Filter
Hide or display the grid display filtering options according to various profile criteria:

Toggle Assignment Criteria
Click the Toggle Assignment Criteria grid filter to create 'what if' scenarios for profile assignments before publishing new profiles or editing profile assignments.
Using this filtering tool, the administrator can see how profile assignments affect devices without requiring the administrator to enrol test devices. Use Device or Any to perform Assignment testing.
Device - Choose this button to test the assignment for a specific device and display all profiles assigned to that device. Then, enter the device friendly name. For example, an administrator might wish to view whether or not a more restrictive profile would be assigned to a specific executive.
Any - Choose this button to test the general profile assignment and display all profiles that would be assigned to devices that match the specified attributes. Fill in the attributes to see the device matches by Location Group, Platform, OS, Model, Ownership Type and User Group. For example, an administrator could enter 'Apple iPad, Corporate-Owned' to see whether or not corporate iPads have all the necessary profiles.

Export All
Click this grid tool to export all profile data as a CSV file for printing or further analysis.

8.3 Creating Profiles
Create and deploy configuration profiles that define enterprise settings, policies and restrictions for devices without requiring user interaction. A single deployed profile contains customisable settings, apps, features and restrictions called Payloads.
Use the following steps to deploy profiles to devices using the Device Profiles page in the VSDM:
1. Navigate to: Profiles & Policies > Profiles to open the Device Profiles page.
2. Select Add to create a new profile or click the Actions menu icon to Edit or Copy an existing profile.
3. Choose the Platform that is associated with the profile.

8.3.1 General Settings
Select any of the profile types to begin creating a profile.
The Add New Profile screen displays:
Complete the General Settings for the profile. General Settings are the overall settings that determine the specifics of the profile deployment:
Name - Create a profile name that is displayed in the VSDM.
Description - Provide a brief description of what the profile does for display on managed devices under Profile Details.
Platform - Select which platform the profile is deployed to.
Deployment
  o Managed - Remove the profile when the device is unenrolled.
  o Manual - Leave the profile installed when the device is unenrolled.
Model and Minimum Operating System - Specify the model and minimum operating system as parameters for profile deployment.
Ownership - Specify ownership groups to limit deployment to the devices within the particular group. The ownership groups are:
  o Corporate-Dedicated.
  o Corporate-Shared.
  o Employee Owned.
Importance and Sensitivity - Provide additional details and profile filtering capabilities within the VSDM, without impacting profile deployment.
Allow Removal - Specify the process for end-users to remove the specific profile from their device.
  o Always - Allow end-users to remove profiles without entering authorisation codes.
  o With Authorisation - Allow end-users to remove profiles by entering the correct authorisation code created by an Administrator.
  o Never - Block end-users from removing profiles on enrolled devices.
Managed by - Name the Administrator Organisation Group that can edit and delete the profile. Administrators who manage higher Organisation Groups also have access to profile management by inheritance.
Assignment Type - Determine how the profile is pushed out to devices.
  o Auto - Pushes the profile to all devices automatically.
  o Optional - Pushes the profile to specific devices in the Organisation Groups that are manually selected in the assignments box.
    Note: Optional is the default setting for profiles. This means no devices receive the profile. Optional profiles require manual assignment to individual devices, or are downloaded by end-users from the SSP.
  o Interactive - Interacts with third-party system(s) before deploying a unique payload to a device.
  o Compliance - Automatically pushes compliance profiles out to a device in violation of corporate compliance policies.
Assigned Location Groups - List the Location Groups and all child organisation groups configured with this profile. Any devices that enrol into these groups or their child groups receive the profile.
Assigned User Groups (Optional) - List the User Group(s) that receive the profile in addition to the specified Location Groups.
Assigned Areas (Optional) - Name the geofencing area that this profile is active within. Define under Profiles > Geofencing Areas.
Assigned Schedule (Optional) - Show the profile's active time schedule. Define under Profiles > Time Areas.

8.3.2 Create and deploy the profile payloads

1. Select the 'type' from the left navigation pane, and click Configure.
2. Complete the profile specific information as required. The specific fields used to configure each of the specific profile types are outlined in the section below called Profile Payload Descriptions (See "Profile Payload Descriptions").
3. Click Save or Save and Publish to complete the profile.
  o Save the profile configuration in the VSDM without deploying the profile to devices.
  o Save & Publish the profile configuration in the VSDM, and deploy the profile to all appropriate managed devices.
  o Cancel does not save any of the profile configuration, and clears out all changes.
  o Test the profile assignment's device impact before publishing by using the Toggle Assignment Criteria grid filter.
The available profile payloads are listed on the left in the Add a New Profile navigation pane. The navigation pane also provides a quick summary of profile payload status using the following indicators:

Green indicates that the profile fields under that category are complete.
Grey indicates that no profiles of that type have been configured.
Red indicates an error in the profile information fields.
Numbers next to the profile name indicate the number of profiles created for the selected profile type.

Create Multiple Profiles of One Type

VSDM profile management allows the configuration of multiple payloads for many of the profile payload categories (for example, Wi-Fi, Email Settings or LDAP), all within a single profile.

Use the following steps to create more than one payload for a select profile payload type:
1. Click the profile payload type from the left to open the payload editing window. If necessary, click Configure to add the initial payload.
2. Add another payload of the same type by clicking the plus sign (+). Delete the selected profile by clicking the minus sign (-).
3. Scroll through the profiles by clicking the arrows or select a specific page by clicking on the corresponding circle. Each circle represents a profile page.

Note: Configure each payload separately as an individual profile. Configuring multiple payloads within one profile, such as an Email payload and a Wi-Fi payload, is not recommended. However, configuring multiple payloads of a single type, such as multiple Web-Clips within one profile, is suggested when applicable.

8.4 Device Profile Capabilities

Profile capabilities vary according to the device type.
The tables below provide a summarised description of the profile options for the device/Operating System:

[Table: profile options by platform.
Columns: Apple iOS, Android, Apple Mac OS X, BlackBerry, Symbian, Windows Mobile, Windows Phone (WP)/Windows Phone 8*.
Rows: Passcode, Restrictions, Wi-Fi, VPN (only WP8), Email (only WP8), Exchange Active Sync, Exchange Web Services, LDAP (only WP8), CalDAV, CardDav, Subscribed Calendars, Web-Clips, Bookmarks, Credentials, Launcher, SCEP, Advanced, Custom Settings, Application Control, Global HTTP Proxy, Single App Mode, Dock, Device, Telecom, Time.]

8.4.1 iOS Profiles

Profile Name - Short Description
Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. If multiple profiles enforce separate passcode policies on a single device, the most restrictive policy is enforced.
Restrictions - Restrictions profiles limit the features available to users of managed devices by restricting the use of specific features such as YouTube, the iTunes Store, or the on-device camera.
Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note of the iOS 5+ only options.
VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
Email - Allows the administrator to configure IMAP/POP3 email accounts.
Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure. Please note that there are pre-populated look-up value fields and options that only apply to iOS 5+.
LDAP - LDAP allows configuration with LDAPv3 directory information. The fields in this section support lookup values. Click the tool tip for values and definitions.
CalDAV - CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise CalDAV server. The fields in this section support lookup values. Click the tool tip for definitions.
Subscribed Calendars - Subscribed Calendars provides calendar configuration. The fields in this section support lookup values. Click the tool tip for definitions.
CardDAV - This section allows for specific configuration of CardDAV services. The fields in this section support lookup values. Click the tool tip for definitions.
Web-Clips - Web-Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick access to common web resources (for example, you could add the online version of the iPhone User Guide to the home screen).
Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
SCEP - The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate Enrolment Protocol (SCEP).
Advanced - Advanced profiles allow for advanced access point configuration.
Custom Settings - Custom Settings allows a custom XML profile to be included in the profile payload.
Global HTTP Proxy - Manually or automatically configure the proxy server for iOS 6+ Supervised devices.
App Lock - Locks iOS 6+ devices to a single application by installing an app lock payload. The home button is disabled, and the device returns to the specified application automatically upon wake or reboot.

8.4.2 Mac OS Profiles

Profile Name - Short Description
Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected.
If multiple profiles enforce separate passcode policies on a single device, the most restrictive policy is enforced.
Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access. Take note of the iOS 5+ only options.
VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
Email - Allows the administrator to configure IMAP/POP3 email accounts.
Exchange Web Services - Exchange Web Services profiles allow end-users to access corporate push-based email infrastructure. The fields in this section support lookup values. Click the tool tip for values and definitions.
LDAP - LDAP allows configuration with LDAPv3 directory information. The fields in this section support lookup values. Click the tool tip for values and definitions.
CalDAV - CalDAV provides configuration options to allow end-users to sync wirelessly with the enterprise CalDAV server. The fields in this section support lookup values. Click the tool tip for definitions.
CardDAV - This section allows for specific configuration of CardDAV services. The fields in this section support lookup values. Click the tool tip for definitions.
Web-Clips - Web-Clip profiles send down clickable hyperlinks to devices in the form of an icon to provide quick access to common web resources (for example, you could add the online version of the iPhone User Guide to the home screen).
Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
SCEP - The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate Enrolment Protocol (SCEP).
Custom Settings - Custom Settings allows a custom XML profile to be included in the profile payload.
Dock* - Configure dock size, magnification and position.
8.4.3 Android Profiles

Profile Name - Short Description
Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. If multiple profiles enforce separate passcode policies on a single device, the most restrictive is enforced.
Restrictions - Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions include device functionality, Sync and Storage, Bluetooth, Roaming and Tethering restrictions.
Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
VPN - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
Email Settings - Email profiles send email configurations directly to devices so that end-users automatically receive email.
Exchange ActiveSync - Exchange ActiveSync profiles allow end-users to access corporate push-based email infrastructure. Exchange can now be set up with the native mail client on Samsung SAFE devices (http://www.samsung.com/us/article/samsungapproved-for-enterprise) and HTC Pro devices (http://www.htcpro.com).
Application Control - Prevent installation of blacklisted apps, un-installation of whitelisted apps (3LM, SAFE, LG v 1.0+) and prevent the installation of non-whitelisted apps (SAFE v2+, 3LM).
Launcher - Allows administrators to customise several aspects of a user's device. Administrators can restrict users to only have access to the apps and settings they choose.
Bookmarks - Bookmark profiles work in the same manner as Web-Clip profiles. Bookmarks are customised web shortcuts that are pushed down to the Home screen of the user's device.
Multiple bookmarks can be added per profile by clicking on the plus (+) sign in the top right corner of the window.
Credentials - Credentials profiles deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well. Multiple credential configurations can be added per profile by clicking on the plus (+) sign in the top right corner of the window.

8.4.4 Blackberry Profiles*

Profile Name - Short Description
Device - Device profiles determine various device-specific options such as backlight brightness, backlight timeout, GPS sampling and GPS sample intervals.
Telecom - Telecom profiles specify various telecom options such as 411 redirections and SMS sampling options.
Advanced - Advanced allows for custom configuration of BlackBerry Logs.
Custom Settings - Custom Settings allows custom XML profiles to be included in the profile payload.

8.4.5 Symbian Profiles

Profile Name - Short Description
Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected. This profile allows for a reset of an administrator-set passcode.
Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
Exchange ActiveSync - The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
Custom Settings - Custom Settings allows custom XML profiles to be included in the profile payload.
VPN* - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations. This is presently supported on devices running on Anna and Belle operating systems only.
Credentials* - Deploys corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.

8.4.6 Windows Mobile

Profile Name - Short Description
Passcode* - Requires end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected.
Restrictions - Restrictions are available for Samsung phones running Ice Cream Sandwich. These restrictions include device functionality, Sync and Storage, Bluetooth, Roaming and Tethering restrictions.
Wi-Fi - Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
Exchange ActiveSync - The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
Credentials - Deploys corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well.
VPN* - VPN profiles push corporate virtual private network settings to corporate devices so that users can securely access corporate infrastructure from remote locations.
Launcher* - Allows administrators to customise several aspects of a user's device. Administrators can restrict users to only have access to the apps and settings they choose.
Time Sync* - Sync time on devices to a primary and secondary time server.

8.4.7 Windows Phone and Windows Phone 8*

Profile Name - Short Description
Passcode - Passcode profiles require end-users to protect their devices with passcodes each time they return from idle state. This ensures that all sensitive corporate information on managed devices remains protected.
Email (WP8)* - Configure IMAP/POP3 email accounts, and send email configurations directly to devices so that end-users automatically receive emails.
Exchange Active Sync (WP8)* - Allow end-users to access corporate push-based email infrastructure.
The administrator has the option of setting the frequency of syncing calendar and emails on a mobile device using Microsoft Exchange EAS profiles.
Credentials* - Deploy corporate certificates to managed devices. If the network supports it, ad-hoc certificate requests can be configured as well. Deploys both Root and User certificates. Root certificates contain root, or self-signed, certificates. User certificates contain the public key for the client certificate. The client certificates are used by the device client to authenticate itself to the enterprise server ( server) for device management and enterprise app downloading.
Restrictions (WP8)* - Restrictions profiles limit the features available to users of managed devices by restricting the use of specific features such as enforcing device encryption and SD card use.

*New Feature in VSDM Release 3

8.5 Profile Payload Descriptions

8.5.1 Passcode

Passcode profiles require end-users to protect their devices with a passcode. The most restrictive policy is enforced when multiple profiles enforce separate passcode policies on a single device.

Require passcode on device - Forces a user to set a passcode on the device.
Allow simple value - Allows 'simple' password values such as '1111' or '1234'.
Require alphanumeric value - Requires a passcode with letters and numbers and no spaces or special characters.
Minimum Passcode length - Sets a minimum required passcode length.
Minimum number of complex characters - Sets a minimum number of complex characters.
Maximum passcode age (days) - Sets the number of days until a password expires.
Auto-Lock (min) - Sets a timeout for the device to automatically lock, after which a passcode is required for entry.
Passcode history - Sets the number of previous passwords that cannot be reused.
Grace period for device lock (min) - Sets the time period after device lock where a passcode is not required for re-entry.
Maximum number of failed attempts - Sets the number of failed passcode attempts before the device is wiped.

8.5.2 Restrictions

Restrictions profiles are settings that limit the use of specific device features.

Apple Restrictions

Apple iOS devices include the following restrictions:
Note: Exceptions are noted in the profile fields.

Device Functionality - Determines what functions a device user can perform.
Applications - Determines what applications a device user can access.
iCloud - Determines the backup and document sync settings for iCloud.
Security and Privacy - Determines advanced security settings including untrusted certificate acceptance.
Ratings - Restricts access to Movies, TV Shows, and Apps based on specific ratings.

Android Restrictions

Restriction capabilities for Android OS versions and devices include the categories below:
Note: Compatibility is noted in the VSDM.

Device Functionality - Determines what functions a device user can perform.
Sync and Storage - Determines the data backup and storage settings for the device.
Applications - Determines what applications a device user can access.
Bluetooth - Enables or disables Bluetooth settings, and customises the availability of certain Bluetooth features.
Network - Determines the Wi-Fi networks and security settings for the device, and blocks specific Wi-Fi networks.
Roaming - Determines if data usage, sync and push messages are allowed for roaming devices.
Tethering - Allows or disallows tethering functionality.
Browser - Blocks the device browser, and customises advanced browser settings.
Location Services - Determines whether or not GPS and other location services are allowed.
Phone and Data - Sets custom limits for maximum call, SMS and data usage.

8.5.3 Wi-Fi

Push corporate Wi-Fi settings directly to managed devices for instant access.

Service Set Identifier - Configures Wi-Fi profiles, selects the appropriate wireless protocols and security settings for the Wi-Fi network.
Proxy - Allows the administrator to configure a proxy server.

Add multiple accounts by clicking the plus (+) button, or create Wi-Fi profiles in bulk by navigating to Profiles and Policies > Profiles > Bulk Import.

8.5.4 VPN

VPN profiles push Virtual Private Network settings to devices so that users can securely access corporate infrastructure from remote locations.

Connection Name - View the name of the connection displayed on the device.
Connection Type - Choose the type of connection enabled by this profile. Each connection type enables different capabilities.
Server - Enter the hostname or IP address of the server being connected to.

8.5.5 Email

Configure IMAP/POP3 email accounts for incoming and outgoing mail. Add multiple accounts by clicking the plus (+) button.

Note: Certain iOS email profile features are only available for iOS 5+ devices.
Note: Enhanced Email Settings functionality is available for Android Samsung devices.

8.5.6 Exchange ActiveSync/Web Services

Allows end-users to access corporate push-based email infrastructure. Create a profile for an individual user by specifying the domain name, user name, email address and password. Alternatively, leave the password field blank to prompt the user for their password. This requires a lookup value for the username field.

Select one of the two options listed under Certificate Type to validate the ActiveSync connection with certificates.
Uploaded Certificate - Requires end users to enter a password before receiving certificates.
Certificate Authority - Specifies that the local network's Certificate Authority is the certificate source.

Configure multiple Exchange accounts by clicking the Add (+) button.

8.5.7 LDAP

LDAP profiles provide easy configuration with LDAPv3 directory information. The fields in this section support lookup values. Click the tool tip for values and definitions. Add multiple accounts by clicking the plus (+) button.

Please refer to the section on LDAP integration for more information on LDAP.

8.5.8 CalDAV

Configure to allow users to sync wirelessly with the enterprise CalDAV server. The fields in this section support lookup values. Click the tool tip for definitions.

8.5.9 Subscribed Calendars

Subscribed Calendars manages corporate calendar integration and subscriptions. The fields in this section support lookup values. Click the tool tip for definitions.

8.5.10 CardDAV

Configure specific CardDAV services. The fields in this section support lookup values. Click the tool tip for definitions.

8.5.11 Web-Clips/Bookmarks

Web-Clip profiles (iOS) and Bookmark profiles (Android) send down clickable hyperlinks in the form of an icon onto devices for quick access to common web resources. For example, to add the online version of the iPhone User Guide to the Home screen, specify the Web-Clip URL: http://help.apple.com/iphone/. Web-Clips and Bookmarks are also used to deploy the Vodafone App Catalogue and to enable the Self-Service Portal.

Label - Enter the name that needs to be displayed on the screen.
URL - Enter the internal or external address that the user is redirected to on the device.
Removable - Specify whether or not the user has the ability to remove the Web-Clip from their device (iOS only).
Icon - Add a custom icon in .gif, .jpg or .png format.
  Note: For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary, and converted to png format. Web-Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
Precomposed Icon - Select to stop the device from adding a shine to the icon (iOS only).
Full Screen - Specifies that the address is loaded full screen on the device without the Safari address bar and borders (iOS only).
Show as web app in the app catalogue* - Enables device users to use Web-Clip profiles on the app catalogue as web applications (iOS only).
Add to Homescreen - Select to automatically place the bookmark on the device's homescreen (Android only).
Plus - Click to add Multiple Web-Clips or Bookmarks.

8.5.12 Android Launcher Mode

The Launcher profile is an Android-only feature that allows administrators to customise several aspects of a user's device. An Administrator can restrict users to only have access to the apps and settings the Administrator chooses. Before utilising the Launcher Profile, the Launcher App must first be installed on the device. The Launcher profile's settings are discussed in further detail below.

Background - Configures the following settings:
  o A customised background wallpaper image.
  o The number of home screens.
  o An administrator password to allow access to the VSDM Agent on the device.
Allowed Applications - Configures which applications are allowed on the device. Enter each application's friendly name and its unique Application ID in the relevant fields.
Locate each Application ID by browsing the App Catalogue in the VSDM or by browsing the Google Play market.
Settings - Select which device settings the user has access to.
Icon Grid Layout - Determine the icon size, layout and rearrangement privilege for the device.

8.5.13 Credentials

Credentials profiles deploy corporate certificates to managed devices. The Credentials profile also provides a field for configuring Ad-hoc certificate requests (if supported by the network). Add multiple credentials configurations by clicking on the plus (+) sign.

8.5.14 SCEP

The SCEP payload specifies settings that allow the device to obtain certificates from a CA using Simple Certificate Enrolment Protocol (SCEP).

For more information on Certificate use and integration, please refer to the section on Certificate Infrastructure Integration.

8.5.15 Advanced

Advanced profiles allow for advanced Access Point configuration.

8.5.16 Custom Settings

Custom Setting profiles allow for custom XML profiles to be included in the profile payload.

Custom Setting profiles allow administrators to directly input the XML code deployed to devices over the air. This defines the settings of a configuration profile in the event that new device platform capabilities are released before the VSDM profile capabilities are updated.

Custom profiles always open and close with the <dict> tags and contain, as a minimum, the following profile keys:
  o PayloadDisplayName - Optional. Name of the profile to be deployed to the device.
  o PayloadDescription - Optional. Description of the profile to be deployed to the device.
  o PayloadVersion - The version of the payload to log updates and modifications.
  o PayloadIdentifier - A reverse DNS format identifier that is unique to this specific payload.
  o PayloadUUID - A globally unique identifier for the payload.
  o PayloadOrganization - Optional. The organisation that deployed the profile payload.
  o PayloadType - The type of payload that is going to be configured. For example, this defines whether the payload is a passcode payload, Wi-Fi payload, or restrictions payload.

A sample of how these keys are deployed in the custom profile is shown below.

    <dict>
        <key>PayloadDescription</key>
        <string>Configures 15-min autolock for iPads</string>
        <key>PayloadDisplayName</key>
        <string>15min AutoLock</string>
        <key>PayloadIdentifier</key>
        <string>com.autolock.fifteenmin.passcode1</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.mobiledevice.passwordpolicy</string>
        <key>PayloadUUID</key>
        <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>

Once a PayloadType is defined, administrators must define specific keys for it. The keys are all dependent on the type of payload that the administrator is trying to deploy. For iOS devices, a list of all currently available payload specific property keys can be seen here: http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

Once these payload specific fields are defined, the profile is ready to deploy. The sample custom profile shown below will enable 15 minute auto-lock features for an iPad passcode profile.
    <dict>
        <key>PayloadDescription</key>
        <string>Configures 15-min autolock for iPads</string>
        <key>PayloadDisplayName</key>
        <string>15min AutoLock</string>
        <key>PayloadIdentifier</key>
        <string>com.autolock.fifteenmin.passcode1</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.mobiledevice.passwordpolicy</string>
        <key>PayloadUUID</key>
        <string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>forcePIN</key>
        <true/>
        <key>maxInactivity</key>
        <integer>15</integer>
    </dict>

8.5.17 Global HTTP Proxy

Note: This payload is currently only compatible with Apple iOS6 devices in Supervised mode. With Apple's Configurator program, each device must be set to Supervised mode to be compatible with the Global HTTP Proxy payload.

Configure the proxy one of two ways:
Manual - Enter the proxy server address including its port, as well as a username and password. Including the username and password prevents the end user from entering the credentials manually.
Auto - Enter the specific Proxy Pac File URL in the field.

8.5.18 App Lock

Single app mode payload provides a way to lock a device into a single application until the payload is removed. The home button is disabled, and the device returns to the specified application automatically upon wake or reboot.

This payload is currently only compatible with Apple iOS6 devices in Supervised mode. With Apple's Configurator program, each device must be set to Supervised mode to be compatible with the App Lock payload.

Each application's bundle ID can be found by locating the app either:
  o In the VSDM's App Catalogue within the Device Dashboard.
  o Within the Compliance setup for whitelisted apps.
  o In the iTunes app information.
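For the Custom Settings payload in 8.5.16, a pre-deployment check of the pasted XML catches missing or mistyped keys before the profile is saved and published. The following is an added example, not part of the VSDM or the original guide: the function names, the 15-minute ceiling and the second (deliberately broken) sample are assumptions constructed for illustration; the required keys and the first sample follow the guide's own text.

```python
import plistlib
import re
import uuid
from xml.parsers.expat import ExpatError

# Keys the guide lists as the minimum for a custom payload, minus those it marks Optional.
REQUIRED_KEYS = {
    "PayloadVersion": int,
    "PayloadIdentifier": str,
    "PayloadUUID": str,
    "PayloadType": str,
}
REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
ENVELOPE = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n%s\n</plist>\n'

# The guide's 15-minute auto-lock sample (optional organisation key omitted).
SAMPLE_OK = """
<dict>
  <key>PayloadDescription</key><string>Configures 15-min autolock for iPads</string>
  <key>PayloadDisplayName</key><string>15min AutoLock</string>
  <key>PayloadIdentifier</key><string>com.autolock.fifteenmin.passcode1</string>
  <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>PayloadUUID</key><string>AA3C17A5-5C62-4295-BE30-920405D53F9D</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>forcePIN</key><true/>
  <key>maxInactivity</key><integer>15</integer>
</dict>
"""

# Constructed broken payload: no UUID, version typed as a string, weak passcode settings.
SAMPLE_BAD = """
<dict>
  <key>PayloadIdentifier</key><string>autolock</string>
  <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>PayloadVersion</key><string>1</string>
  <key>forcePIN</key><false/>
  <key>maxInactivity</key><integer>60</integer>
</dict>
"""


def load_payload(fragment):
    """Parse a <dict>...</dict> fragment, as pasted into Custom Settings, into a dict."""
    text = fragment.strip()
    if not (text.startswith("<dict>") and text.endswith("</dict>")):
        raise ValueError("custom payload must open and close with <dict> tags")
    try:
        # Wrap the fragment in a plist envelope so the standard parser accepts it.
        payload = plistlib.loads((ENVELOPE % text).encode("utf-8"), fmt=plistlib.FMT_XML)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise ValueError("payload is not well-formed plist XML: %s" % exc)
    if not isinstance(payload, dict):
        raise ValueError("top-level element must be a single <dict>")
    return payload


def lint_payload(payload, max_autolock_min=15):
    """Return a list of findings; an empty list means the payload passed every check."""
    findings = []
    for key, expected in REQUIRED_KEYS.items():
        if key not in payload:
            findings.append("missing required key %s" % key)
        elif type(payload[key]) is not expected:
            findings.append("%s must be %s, got %s"
                            % (key, expected.__name__, type(payload[key]).__name__))

    ident = payload.get("PayloadIdentifier")
    if isinstance(ident, str) and not REVERSE_DNS.match(ident):
        findings.append("PayloadIdentifier is not in reverse DNS format")

    raw_uuid = payload.get("PayloadUUID")
    if isinstance(raw_uuid, str):
        try:
            canonical = str(uuid.UUID(raw_uuid))
        except ValueError:
            canonical = None
        if canonical != raw_uuid.lower():
            findings.append("PayloadUUID is not a hyphenated UUID")

    # Passcode payloads: flag settings weaker than the assumed organisational ceiling.
    if payload.get("PayloadType") == PASSCODE_TYPE:
        if payload.get("forcePIN") is not True:
            findings.append("forcePIN is not true, so the payload does not force a passcode")
        idle = payload.get("maxInactivity")
        if type(idle) is not int or idle > max_autolock_min:
            findings.append("maxInactivity missing or above %d minutes" % max_autolock_min)
    return findings


def check(fragment):
    return lint_payload(load_payload(fragment))


if __name__ == "__main__":
    for name, sample in (("guide sample", SAMPLE_OK), ("broken sample", SAMPLE_BAD)):
        print(name, "->", check(sample) or "no findings")
```
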
8.5.19 Dock*

The Dock payload configures the dock size, magnification and position of bulk configuration dock stations. Administrators can tailor dock settings according to device requirements and usage. Stage sets of devices with standard Mac apps such as FaceTime, App Store, Garage Band, and more simultaneously.

This payload is currently only compatible with Mac OS devices.

8.5.20 Time Sync*

The Time Sync payload coordinates a device with a primary and secondary time server.

This payload is currently only compatible with Windows Mobile devices.

*New Feature in VSDM Release 3

8.6 Geofencing

The Geofencing page allows you to set up location-based rules to allow or to restrict pushing the profiles or applications to the device end-users over-the-air. Geofencing is supported on Android and iOS.

8.6.1 Creating a Geofence Area

From the VSDM you can create a fence or geographical area along with some rules that the profile or application should implement. Use the following steps to create a Geofence area for profiles or applications.

1. Navigate to Profiles & Policies > Profiles > Geofencing.
2. Click Add Area to create a new geofence area or click the Actions menu to Edit or Delete an existing area.
3. Complete the following information:
  o Address - Enter the address where you want the device to be geofenced within a specific range. For example, you can enter country, state, or city.
  o Area name - Enter the specific area name if required.
  o Radius (miles) - Enter the radius in miles within which the device needs to be geofenced.
4. Click Search to see the area location on the map and click Save.
Note: When you want to push a profile or application to the device with geofencing settings, you need to first select a profile by navigating to Profiles & Policies > Policies > Device Policies. From the Device Policies page, select a profile and under the General tab select the Enable Geofencing and install only on devices inside selected areas checkbox as shown in the image below:

8.7 Time Schedules

Time Schedules allow you to set up time-based rules for governing profile pushes. Use the following steps to create a time schedule rule for the profile:

1. Navigate to Profiles & Policies > Profiles > Time Schedules.
2. Click Add Schedule to create a new time schedule, or click the Actions menu to Edit or Delete an existing time schedule.
3. Complete the following information:
   o Schedule Name - Enter a friendly name for the time schedule. This is a mandatory field.
   o Time Zone - Select the time zone limit from the drop down list.
   o Add Schedule - Click to create multiple time schedule rules. Enter a particular day, the start time, and the end time for the application to be pushed to the device, or tick the All Day checkbox to implement the time schedule settings the entire day on the device.
4. Click Save.

Note: When you want to push a profile to the device with time schedule settings, you need to first select a profile by navigating to Profiles & Policies > Policies > Device Policies. From the Device Policies page, select a profile and under the General tab select the Enable Scheduling and install only during selected time periods checkbox as shown in the image below.

8.8 Creating Wi-Fi Profiles in Bulk

Creating Wi-Fi profiles in bulk allows the administrator to publish Wi-Fi profiles to users according to their Location Group.
The Bulk Import feature provides the same Wi-Fi configuration settings as the single Wi-Fi profile provisioning except that it is a simultaneous configuration of many profiles across Location Groups.

8.8.1 Create Bulk Wi-Fi Profiles

Use the following steps to create Wi-Fi profiles in bulk:

1. Navigate to Profiles & Policies > Profiles.
2. Click Bulk Import to open the Batch Import Form.
3. Complete the basic information:
   o Batch Name - The name of the user or device batch (for reference purposes in the VSDM).
   o Batch Description - A description of the particular user or device batch (for reference purposes).
   o Batch Type - Select WiFi Profiles from the menu.
4. Click the icon to open the Bulk Import Help Topic Form:
5. Select the Download Template to download the Batch Import Template.
6. Click Open to open the template.
7. Enter all relevant Wi-Fi profile information for each group (defined by Location Group). Five sample users have been added to the top of the template as examples of the type of information to enter in each column. Mandatory fields are designated with a *.
   o Column A, Use Case, refers to the profile type (Add, Edit, or Change).
      Change allows the administrator to change the Model (device) and Assigned Location Group fields for an existing profile.
      Add creates a new profile.
      Edit allows the administrator to edit an existing profile (creates a new Wi-Fi configuration).
   o Column E, Location Group, specifies the location group permissions for editing the Wi-Fi profile. Every administrator placed one level higher than this location group (and above) is able to edit the designated Wi-Fi profile.
   o Column F, Assigned Location Group, designates the location group to which the profile is deployed.
8. Save the template as a .csv file.
9. Select Browse from the Batch Import Form and select the .csv file that was just created from the template.
10. Click Save.

8.8.2 Manage Bulk Wi-Fi Profiles

View the details and status of batch profile imports by selecting Batch Status under Available Views on the Profiles page.

Location Group - Names the batch's location group.
Batch Name - Identifies the batch's name.
Batch Description - Describes the batch.
Creation Date/Time - States the date and time of the batch's creation.
Batch Status - States if the batch has a complete or error status.

8.9 Important Profile Management Considerations

The following tips will help administrators manage their smart device fleet more efficiently through the profile management tools in the VSDM:

It is recommended that administrators include only one payload per profile.
   o An exception to this recommendation would be when a Credential payload is needed to accompany another payload (such as Email, VPN or Wi-Fi) in order for the profile to work correctly (see Utilising Certificates for VSDM).
Pay close attention to the device ownership type (Corporate-Dedicated, Corporate-Shared or Employee-Owned) when specifying the profile General Settings.
   o For example, the administrator may want to deploy more stringent Restriction profiles to corporate-owned devices than to employee-owned devices.
Profile assignments change with location group assignments.
   o For example, if you move a user to a new Location Group, the profiles associated with the original Location Group are removed and the user inherits the profiles associated with the new Location Group.
For maximum Email security, use Email profiles in conjunction with the Vodafone Secure Email Gateway.
To quickly create multiple profiles with similar deployment settings, use the Copy action to copy the original profile and then make changes where necessary.
9 Application Management

The VSDM solution enables the administrator to wirelessly distribute and manage internal, public, and purchased apps to iOS and Android devices across the mobile fleet. Furthermore, the Enterprise App Catalogue allows the corporation to build secure business applications, which can be deployed, managed, and secured alongside public apps via a custom app catalogue. Through the Application management tools in the VSDM, administrators can allow users to effortlessly view, install, and update both internal and public applications.

Note: Any applications listed in this section are used as examples only and should not be seen as recommended applications by Vodafone.

9.1 Using the Applications Page

The Applications page of the VSDM is the means of managing and pushing applications to end-user devices over-the-air. It provides a detailed list of internal, public, and purchased applications that have been created or recommended for the specified location groups or child location groups. It is the centralised interface by which you can recommend public applications and deploy internal or purchased applications to your smart device fleet.

To access the Applications page, navigate to Catalogue > Applications:

From here, you can view all the Applications that are being managed in the VSDM. You can categorise applications within four VSDM groups: Internal, Public, Purchased, and Application Groups, as well as determine how to distribute those applications as described in Advanced Application Management.

9.1.1 Navigating the Applications Page

There are several ways for you to select, order, identify, find, filter, etc. specific applications within the VSDM. This section is divided into the following:

Search Bar.
Grid.
Icons.
Search Bar

Platform - Searches for Applications based on the device platform.
Status - Searches for Applications based on the activity status of a device. Select All, Active, Retired, or Inactive for Public and Purchased, with the addition of Retired for Internal. This is not available in Groups.
Categories - Searches for Applications only within Internal based on the category assigned to it by you in the Info screen prior to uploading the Application into the VSDM.
Type - Searches for Applications only within Application Groups that meet a specific type defined by you. Select All, Whitelist, Blacklist, or Required.
Search - Search for a specific Application by name, partial name, or keyword. In the Filter Grid field enter any keyword and then press Enter. The grid re-sorts and displays only those devices that contain the keyword(s) you entered.

Multiple Criteria Search Using Only the Search Bar

In the following example, three search criteria have been used: Platform - Apple iOS and Status - Active and Search - abc. The result for this multiple criteria search is shown in the grid below:

Grid

The grid displays sortable and non-sortable columns within each of the four groups: Internal, Public, Purchased, and Application Groups. Depending on which group you view, the column(s) change. Below is a description of the sortable columns in all four groups:

Assignment - Is the combination of the Device Ownership and Managed By selections made by you when the application was assigned.
Comments - Are the comments entered by you in the Comments field when the Application was assigned.
Description - Is the description entered by you in the Description field when the Application was assigned.
Name - Is the name of the Application entered in the Name field when the Application was assigned.
Platform - Is the platform (e.g., Apple) on which the Application runs.
Platform / OS / Model - Provides information on the platform, the operating system, and model.
Status - Indicates whether the Application is Active, Inactive, or Not Assigned.
Type - Indicates which Applications are Whitelisted, Blacklisted, or Required.
Uses SDK - Indicates which Applications are using the VSDM Software Developers Kit (SDK). It is only available for Internal Applications.
Version - Is the version entered by you in the Version field when the Application was assigned. It is only available for Internal Applications.

Note: Actions, Applications, Category, Icon, Installed/Assigned, Managed By, Rank, and Reimbursable are not sortable columns.

Icons

There are icons throughout the page that, when either hovered over or clicked on, either provide more features or perform functions. They are as follows:

Tiles and Lists

Click Tiles in the upper right corner and the screen displays Application icons in the far left column, as shown in the example below:

Click List in the upper right corner and the screen displays all information textually without any graphical representations, as shown in the example below:

Refresh

Click Refresh and the grid refreshes to display the default Available Columns layout and all device data based on any search criteria in the Filter dropdown and Filter Grid field, as shown in the example below:

Export All

Click the Export All icon and the data in the grid exports into an Excel spreadsheet, as shown in the example below:

Actions

Click Actions to manage the Application using the following options listed in the Action menu:

View - Allows you to view the Application assignment. You can also edit the assignment from this screen.
Edit - Allows you to edit information about the existing Application assignment.
Edit Assignment - Allows you to edit the existing Application assignment.
View Devices - Shows devices that are available for that Application.
Publish - Pushes out the Application to devices that match the profile criteria.
Notify Devices - Allows you to notify the device users about the apps.
Add Version - Allows you to upload the latest version of the Application.
Retire - Allows you to remove the previous version of the application from the device and retires it in the VSDM as Retired.
Deactivate - Allows you to keep the Application, but deactivates it.
Activate - Allows you to keep the application active.
User Ratings - Allows you to view both the admin ratings as well as user ratings.
Unretire - Allows you to push the already retired application to the device.
Delete - Deletes the Application and removes it from devices.

9.2 Enabling the App Catalogue

The first step to deploying applications through the VSDM is deploying the Enterprise App Catalogue in the form of a Web-Clip (iOS) or Bookmark (Android) profile:

1. Navigate to Profiles & Policies > Profiles.
2. Select Add. The Select Platform Form displays.
3. Choose Android or Apple based on the device you would like to configure.
4. Configure the Profile General Settings (see "General Settings").
5. Select Web-Clips for iOS devices or Bookmarks for Android devices from the left profile list.
6. Click the Configure button and enter all of the Web-Clip/Bookmark profile parameters:
   o Label - The name displayed on managed devices for the Web-Clip/Bookmark. For example, Vodafone App Catalogue could be used.
   o URL - The App Catalogue URL is in the format of
      https://<Environment>/devicemanagement/AppCatalogue?uid={DeviceUid}
      where <Environment> is the URL to your VSDM Server.
      In a multi-server on-premise deployment, this URL is your Device Services server URL. If you are in a Shared SaaS environment, use the convention:
      https://dsXX.<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}
      For example, if you are in the mm.vodafone.com environment, use
      https://ds22.<VodafoneEnvironment>/devicemanagement/AppCatalogue?uid={DeviceUid}
      You can also change the landing page for the App Catalogue. Use the conventions listed below:
      Internal: https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=Internal
      Public: https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=public
      Categories: https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=categories
      Purchased: https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=purchased
      Updates: https://<VodafoneEnvironment>/devicemanagement/Appcatalogue?uid={DeviceUid}&defaultTab=updates
   o Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format. For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary, and converted to png format. Web-Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
   o Show as web app in the app catalogue - Enable this option for the device-users to use Web-Clip profiles in the app catalogue as web applications.
   Note: Administrators can assign and manage on-demand web applications in the App Catalogue, which allows the device-users to navigate and install the web applications from the App Catalogue.
7. Click Save and Publish to immediately deploy the Web-Based Vodafone App Catalogue to all appropriate devices.
9.3 Advanced Authentication for App Catalogue**

Administrators can allow use of the App Catalogue by assigning a user name and password.

1. Navigate to System Settings > Applications > App Catalogue.
2. Complete the following sections.
   o Authentication:
      Tick the Require Authentication for Application Catalogue checkbox to prompt the device user to enter the user name and password to authenticate to the App Catalogue.
      Select an option under the Default Tab to make it display as the first tab in the App Catalogue.
   o App Catalogue without MDM*:
      Tick the App Catalogue without MDM checkbox to prevent the user from enrolling into MDM. In this case, the user can have access to applications assigned to the Location Group through a separate App Catalogue.
      Tick the Allow New User Registration checkbox to allow new users to register to have access to the App Catalogue.
      Enter a title for the App Catalogue Web-Clip.
      Upload an image for the App Catalogue.
3. Click Save.

**New Feature in VSDM Release 2
*New Feature in VSDM Release 3

9.4 Enabling Book Catalogue**

As with the App Catalogue, the first step to deploy iBooks through VSDM is deploying the Enterprise Book Catalogue in the form of a Web-Clip (iOS) or Bookmark (Android) profile:

1. Navigate to Profiles & Policies > Profiles. The Device Profiles page displays.
2. Select Add. The Select Platform form displays.
3. Choose Android or Apple based on the device you would like to configure.
4. Configure the Profile General Settings.
5. Select Web-Clips for iOS devices or Bookmarks for Android devices from the left profile list.
6. Click the Configure button and enter all of the Web-Clip/Bookmark profile parameters.
   o Label - The name displayed on managed devices for the Web-Clip/Bookmark. For example, Vodafone Book Catalogue could be used.
   o URL - The Book Catalogue URL is in the format of
      https://<Environment>/devicemanagement/AppCatalogue/BookCatalogue?uid={DeviceUid}
      where <Environment> is the URL to your VSDM Server. In a multi-server on-premise deployment, this URL is your Device Services server URL.
   o Precomposed Icon - To add a custom icon, select a graphic file in .gif, .jpg, or .png format. For best results provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, if necessary, and converted to png format. Web-Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
7. Click Save and Publish to immediately deploy the Web-Based Vodafone Book Catalogue to all appropriate devices.

**New Feature in VSDM Release 2

9.5 Application Categories**

The VSDM allows administrators to have their own application categories and to filter the applications by those categories. Administrators can create, view, edit, delete, and assign one or more categories for both public and internal applications in a selected Location Group. These categories are also displayed on the App Catalogue, allowing the end-users to browse and filter the applications by category.

To create an application category:

1. Navigate to Catalogue > Applications page.
2. Select Application Categories from the Configuration menu on the left.
3. Complete the following fields:
   o Name - Name of the category.
   o Description - Description of the category.
   o Category type - Indicates whether the category is added in the system as seed data (System type) or added by an admin user (Custom type). Only the custom categories can be edited.
   o Managed By - The location group at which the category is created.
      By default, categories of System type are assigned to the managed location group and all of its lower location groups.
4. Click Add Category to create a new category that can be assigned for applications for a selected location group.
5. Complete the Add Category form with all required fields.
   o Category Name - Enter the name for the category.
   o Category Description - Enter a short description for the category.
6. Click Save. The Category is saved as a Custom category.
7. Click the Actions menu located on the right to edit, view, or delete the application categories.

9.5.1 Assigning Custom Category to Apps**

The administrator can assign or un-assign one or more categories to internal and public apps. To assign a category:

1. Navigate to Catalogue > Applications page.
2. Select either Internal or Public from the Applications menu on the left.
3. Click Add Application and complete the form with all required fields.
   o Categories - While adding a new internal or public application, the system automatically looks into all the existing seeded system categories and selects the one that matches the application as received from the app store. To add multiple categories, click the Categories panel where all the categories including System and Custom are populated. On clicking a match, the category is added.
4. Click Save and Assign.

**New Feature in VSDM Release 2

9.6 Recommending Public Applications

Once the Vodafone App Catalogue has been successfully deployed to your smart device fleet, you can begin recommending public applications and distributing corporate applications through the VSDM. Use the following steps to recommend public apps to the Vodafone App Catalogue:

1. Navigate to Catalogue > Applications.
2. Select Public from the Applications menu on the left.
3. Click Add Application. The Add Application form displays.
4. Complete the Add Application Form with all the required fields.
   o Managed By - Enter the Location Group with permission to edit the Application.
   o Platform - Enter Apple, Android or Windows Phone/Windows Phone 8.*
   o Name - Enter the name for the Application as it displays in the App Catalogue.
   o Select the text box to automatically Search App Store. The Apple App Store, the Google Play Store (Android Market) or the Microsoft Windows Phone Store are searched for the Application, and all app details are populated.
   Note: In order to search the Google Play Store, a Google Account must first be integrated with the VSDM (see "Google Play (Android Market) Integration").
5. Select Next and view the returned search results.
6. Click Select to the right of the desired listing. Most of the application information automatically populates for Apple iOS, Android, and Windows Mobile devices.

   Info
   o URL - The VSDM populates the URL for Android, Apple iOS, and Windows Phone devices.
   o Comments - Enter the comment that displays in 'additional comments' in the App Catalogue.
   o Reimbursable - Designates whether or not a corporation reimburses end-users for the app purchase. A small icon in the Vodafone App Catalogue indicates if an app is reimbursable.
   o Rating - Enter the app rating with 1-5 stars. This rating is displayed in the App Catalogue.
   Note: Comments and rating capabilities are added from the VSDM for public applications by the administrators.
   Note: Administrators can also view the user ratings on the VSDM for all other apps.
   o Categories - Determines the application type which is displayed in the App Catalogue.

   Deployment
   o Push Mode - Determines if the application is installed automatically (auto) or manually (on demand) by the user through the App Catalogue.
   o Remove On Unenrol - Determines if the application is removed when a device is unenrolled.
   o Add Exception - Enables customised application deployment by creating specific exceptions to the options located under the Deployment view.
   Note: Add Exception is helpful for deploying the same applications to different groups of users with unique security and deployment requirements. For example, you may wish to push a certain application to one group of users as an 'auto' installed application while sending the app to another group of users as an 'on-demand' application.

   Terms of Use
   o Select the app-specific Terms of Use. When complete, click Save and Assign to proceed to the application assignment options.
   o For more information on Application Terms of Use, refer to Terms of Use Notification under Application Notifications.

*New Feature in VSDM Release 3

9.7 Deploying Internal Enterprise Applications

Once the Vodafone App Catalogue is successfully deployed to the smart device fleet, begin recommending internal applications and distributing corporate applications through the VSDM. The following platforms support internal corporate applications:

Apple iOS.
Android.
Symbian.
Windows Phone 8 (WP8).*

Use the following steps to distribute corporate applications to the App Catalogue from the VSDM:

1. Navigate to Catalogue > Application.
2. Select Internal from the Applications menu on the left (this is selected by default).
3. Click Add Application. The Add Application form displays.
4. Enter all the general parameters as required. Some of the fields include:
   o Managed By - Specifies the Location Group with permission to edit the Application.
   o Application File - Specifies the location of the application file. Apple applications are uploaded in the form of an .ipa file, Android applications are uploaded in the form of .apk, .sis, and .sisx files, and WP8 apps are in a .xap file.
   Note 1: On the Symbian platform, only internal applications are pushed over-the-air. No other applications, including public and purchased applications, can be pushed. For WP8 both public and internal applications can be pushed.
   Note 2: The .sis and .sisx files are either self-signed or Symbian-signed. Self-signed files generate a notification and are installed via the device notification tab. Symbian-signed files are installed in the phone memory without displaying a notification.
   Note 3: In certain cases, the application does not get pushed onto the device or show a notification. For example, when the application is already installed on the device, the app does not push or display a notification.
5. Select Continue.
6. Go to the Info tab and complete the following:
   o Name - The App name which is displayed on the device.
   o Managed By - The Location Group where the application is managed.
   o Application ID - The information entered in this field changes by platform. For Android applications, enter the application's package identifier. For iOS applications, enter the application's bundle identifier.
   o Version - Update application information when uploading a new version of a managed app. Logging these changes in the Change Log is optional. For more information on deploying different versions of the same application, see "Application Version Management".
7. Go to the Descriptions tab and complete the following optional details:
   o Description/Keywords - Enter a description about the application to be displayed in the App Catalogue.
   o URL - Enter a website address that has more information about the application.
   o Support Email/Support Phone - Enter contact information for internal application support.
   o Internal ID/Copyright - Used for internal purposes.
   o Developer/Developer Email/Developer Phone - Enter the name of the developer responsible for developing the application along with Email and contact information.
   o Cost Centre - Enter the cost centre that the developer providing the application belongs to.
   o Cost - Enter the cost for developing the application.
   o Currency - Enter the currency value.
8. Go to the Images (Optional) tab and upload screenshots. The uploads are displayed on the application page.
9. Go to the Term of Use (Optional) tab and enter an End User Licence Agreement as a preinstallation application requirement.
   o Required EULA - Select the app-specific Terms of Use (EULA).
   Note: For more information on Application Terms of Use, refer to Terms of Use Notification under Application Notifications.
10. Go to the Files tab and enter the following:
   o Application file/Provisioning profile - Populates automatically when the application is uploaded.
   o Application Supports GCM - Enables the Admin to send push notifications to Android devices if Yes is selected. Google IDs are required for GCM communication with devices.
   o Google Account/Password - Enter the Google account and password.
11. Go to the Deployment tab.
12. Complete the additional criteria to determine which users/devices receive the application.
   o Effective Date/Expiration Date - Set dates for when the app becomes active or expires.
   o Remove on Unenrol - Determines if the application is removed when a device is unenrolled.
   o Select Add Exception to include:
      User Groups (Optional) - Select User Groups if you are leveraging User Groups in VSDM as an additional assignment filter for the application.
      Device Ownership - Assign the application to devices with a specific ownership type.
      Push Mode - Determine if the application is installed automatically (auto) or manually (on demand).
13. Click Save and Assign to proceed to the advanced assignment options (see "Advanced Application Assignment").

*New Feature in VSDM Release 3

9.8 Advanced Application Assignment

Vodafone offers advanced application management techniques for organisations wishing to further customise application assignment through advanced and facilitated application testing.

After completing the basic deployment and assignment information for either an internal or public application (see "Deploying Internal Enterprise Applications" or "Recommending Public Applications"), there is the option to add more advanced assignment criteria. Click Save and Assign at the bottom of the Add Application screen (you can also edit this advanced information by selecting the Actions menu > Edit Assignment), or you can proceed with assigning the application based only on the information on the Assignment tab by proceeding to the advanced assignment screen and clicking Next.

Note: If any editing settings are greyed out, full editing permissions are not permitted at this level (if you believe that you should have editing permissions, please ensure that Override is selected as the current setting).

9.8.1 Criteria

The criteria window allows you to use the VSDM to determine which device users have access to a Public application by assigning that app based on factors such as Location Groups, Device Owners, User Groups, and many more options including exclusion options.

Use the following steps to add Criteria:

1. Select the Location Group radio button that applies. If you chose Selected Location Groups, you can drill down to select which location group(s) has access to that application.
2. Tick the appropriate Ownership checkbox to specify the owner of the devices. You may tick one or more checkboxes.
3. Choose the User Group radio button that applies. The selection only applies to those devices within the specified Location Group. For example, if the app is only for iOS devices, then only iOS devices in that Location Group have access to the application.
4. If required, customise the deployment settings further:
   o Click Add Criteria to add Operating System criteria.
   o Click Add Criteria to add Model criteria.
   o Click Add Include Set to add Location Group criteria. You may click on this as many times as needed to define an assignment exception to include additional devices down to a granular level, regardless of any other specified criteria for that Location Group.
   o Click Add Exclude Set to exclude Location Group criteria. You may click this as many times as needed to define an assignment exception to exclude certain devices down to a granular level, regardless of any other specified criteria for that Location Group.
5. Select the appropriate Child Permission radio button to Inherit only or Inherit or Override the selections you made.
6. Click Next.

9.8.2 Devices

The screen below displays all the devices that have access to that Public application based on the selections you made in the previous Criteria screen.

If you review the list of device users and want more or fewer users to have access to this application, use the following steps:

1. Click Previous to go back to the previous Criteria page.
2. Modify the Criteria page by making selections that redefine the assignment of the application.
3. Click Next to view the Devices page.
4. Click Finish to save all changes and close this window.

9.9 Application Version Management

You can use the application management tools in the VSDM to manage different versions of the same internal application.
This feature is especially useful for application testing, as you may wish to upload a 'beta' version of an application update to deploy to specific users for testing purposes while still deploying the current version of the application to all other users. Once the testing is complete, you can replace the existing version of all devices with the newest version of the application.

Use the following steps to manage application versions:

1. Navigate to the internal applications page and select the Actions menu for the application. Click Add Version. Alternatively, upload the new version of the application and the VSDM will detect that it is a newer version of an existing application. Fill in the version number and optionally add internal notes in the Change Log.
2. Upload the new application file and specify the settings:
   o Tick the checkbox to retire the previous version of the application on the specified devices and replace it with the newer version.
   o Tick the checkbox to copy the application assignment for the previous version.
3. If necessary, enter the new assignment criteria.
4. Click Save or Save and Assign to proceed with publishing or editing the application assignment.

9.10 Application Notifications

The VSDM allows administrators to notify the end-users about new and updated apps through messages. The VSDM provides administrators with a few in-built message templates and allows them to send messages via email, SMS or push notifications. A message template can be customised to include application name, description, image, and version information. Administrators can edit the message templates to include a lookup value for a URL to the specific application page of the Application Catalogue. The VSDM also allows the administrator to notify all devices having the assigned app installed/not installed.

Use the following steps to send an application install notification message:

1. Navigate to Configuration > System Settings.
2. Select Message Templates from the System menu on the left.
3. Click Add. The Add/Edit Message Template form displays.
4. Complete the required information as follows:
   o Name - Name of the template.
   o Description - Short description of the template.
   o Category - Select the Category as Application.
   o Type - Select the type of notification. The types include Purchased Application, Application Notification, and Application EULA Final Notification.
   o Message Type - Enable the type of message that the administrator wants to send. The options are Email, SMS, and Push.
5. In the Email template, select the Email format and enter the subject and message body for the template.
6. Enter the lookup values in the message body. The lookup values that are available are shown in the below image.

Note: If a lookup value is used in the Application Notification template, it is replaced by the actual value for the application when the message is delivered.

9.10.1 Notifying Devices

The administrator can select Notify Devices to send a notification to devices that an application has been assigned to them.

1. Go to the Application page and select the Action menu.
2. Click Notify Devices. The Send Message form displays.
3. Complete all the mandatory fields:
   o Message Type - Select the type of the notification that is to be sent to the devices.
   o Message Template - Select the template for sending the message.
   o Status - Select the status of the device. This includes All, Installed, and Not Installed. By default, the Status filter on the device list is in Not Installed status.
4. Click Send.
Note: Based on the Status selected, the device list is displayed indicating whether the notification message is sent to the device(s) or not.

9.10.2 Terms of Use (EULA) Notifications for Apps*

The VSDM allows the administrator to notify end-users about the availability of updated App Terms of Use. The administrator should send the Terms of Use notifications in the following cases:

o Notifying end-users when the latest Terms of Use for an installed application has not been accepted.
o Distributing updated Terms of Use with newer version and prompting the user to accept the Terms of Use from the App Catalogue each time they log into the App Catalogue.
o Removing the apps when the Terms of Use have not been accepted within the given grace period and when the Terms of Use have been rejected.

Use the following steps to send or edit Terms of Use:

1. Navigate to Catalogue > Application.
2. Select Internal from the Applications menu on the left (this is selected by default).
3. Click Add Application and select the Terms of Use tab.
4. Either create new, or edit Terms of Use as follows:
   o Create a new Terms of Use by clicking Manage Terms then navigating to System Settings > Terms of Use where a new record can be created.
   o Select the existing Terms of Use and click on the Edit icon next to Manage Terms. This navigates to Terms of Use where the details can be amended.
5. Click Save and Assign.
   o When Terms of Use has not been selected, the 'Terms of Use are not defined for this application' message is displayed.

**New Feature in VSDM Release 2
*New Feature in VSDM Release 3

9.11 Managing User Feedback and Ratings**

The VSDM helps administrators view user feedback on internal, public, and purchased applications published to them. This allows the administrators to make future decisions related to the specific application(s).
For example, redeployment of the application with better capabilities, rolling out the application to more users, or removing specific features because the users did not find any value in them. Feedback is in the form of user ratings and comments on individual applications.

9.11.1 View user ratings and comments

Use the following steps to view user ratings and comments:

1. Navigate to Catalogue > Applications.
2. Click the Internal, Public, or Purchased Application link on the left side of the page.
   Note: The count of star icons indicates the average/effective rating. The User Rating indicates the number of users who provided the ratings for the app and is used to calculate the effective rating.
3. Click the hyperlinked User Rating or select the User Rating option on the Action menu on the right-hand side of the page. The User Ratings page displays.
   o Average Rating - The average of the total number of user ratings.
   o User Group - Filters the comments based on a specific User Group.
   Note: For the internal apps only, the administrator can filter the comments based on the Version of the application on the User Ratings page.

9.11.2 Delete the user comments

1. On the User Ratings page, click the Delete Rating option provided at the top left corner of the page to delete a specific rating. Once deleted from the VSDM, the change is reflected in the App Catalogue.

Note: For the public apps only, the administrator can edit Ratings for the app. To edit, click the Edit option from the Action menu on the Public application page.

**New Feature in VSDM Release 2

9.12 Google Play (Android Market) Integration

Administrators must configure a connection between the VSDM and the Google Play Store before they can use the Search App Store feature for Android apps.
This feature is for on-premise customers only.

Use the following steps to add a Google Account:

1. Navigate to Configuration > System Settings > Device > Android > Android Market Integration.
2. Complete the form provided with the following information:
   o Username - Google Account username.
   o Password - Google Account password.
   o Android Device ID - Enter a valid Android Device ID. Device ID provides the system with access to all apps in the Google Play Store.
   o Click Test after completing the form to see if the system can connect to the Google Play Store using the supplied credentials.
   Note: To find the Device ID of your Android device, download the Device ID application from the Google Play Store.
3. Click Save to proceed.

9.13 Customising Application Profiles

The VSDM enables you to customise internal enterprise applications for iOS devices developed with the SDK in addition to Vodafone applications such as the Secure Content Locker or the Vodafone Managed Browser. Using these advanced customisation tools available in the VSDM, you can further enforce corporate branding, compliance policies and actions, and other application settings to create a truly unique and secure corporate application experience.

To access the Application Profile settings, navigate to Apps > Applications. Locate the Application Settings menu on the left-hand side of the screen and select Profiles > Application/SDK Profiles. Click Add Application Profile to open the application profile creation window (or, to edit an existing application profile, click the Actions menu next to the profile and select Edit). Select from the views on the left to edit the associated application area.

General

Complete the general application settings, including the Name and Description of the profile for reference in the VSDM.
Configuration Type – For application profiles, the configuration type by default is set to Application Profile and for the SDK profile it is set to SDK Profile.
Platform – Select the platform to which the custom application settings are to be deployed.
Root Location Group – Select the root location group from which the application profile is to be managed.

Credentials

Credential Source – Select None or Upload or Define Certificate Authority.

Authentication

Authentication settings enable you to establish authentication requirements for the application to further secure internal applications that may contain proprietary corporate data. The three authentication options are None, Passcode, and Username and Password.

None – Select None if no authentication is required to access the application.

Passcode – Select Passcode if you require a user-created passcode to be present on the application in order to open the app. Complete the Passcode requirement fields to establish complexity, length, character, age in days, auto-lock, grace period, and history requirements. All of these additional custom fields are optional.
   o Passcode Complexity - Passcode must meet complexity requirement, and this can be either Simple or Alphanumeric.
   o Minimum passcode length - Select the minimum number of characters that a passcode must contain. You can set a value between 3 and 15 characters.
   o Minimum number of complex characters - Select the minimum number of complex characters that a passcode must contain.
   o Maximum number of failed attempts - Select the maximum of failed attempts allowed and then proceed to customise the action taken if the failed attempts reaches this threshold.
   o Maximum passcode age (days) - This is the maximum time (in days) that a password can be used for.
   o Passcode history - Select the number of unique new passcodes that must be created before an old passcode can be reused. The value must be between 0 and 10 passcodes.
   o Grace Period App Lock (min) - Determines the grace period (in minutes) before the app is locked on the device.
   o Action(s) if maximum number of failed attempts exceeded - Click Add Action to create custom actions to occur if the number of failed attempts exceeds the specified limit. The options are to Display Message (you can specify a custom message), Lock User, Wipe Application (removes the application from the device) or Restrict Access.
   o Add as many additional actions as necessary. For example, you may want to both lock out a user who has exceeded the maximum allowable attempts and display a message to inform the user that they must contact you for further assistance.

Username and Password – Select Username and Password from the dropdown menu if you require the username and password authentication in order to access the application.
   o Specify the grace period (in minutes) before the app is locked on the device.
   o Tick the checkbox to allow or disallow Single Sign-On.
   o Select the maximum number of failed attempts and the custom actions to perform if this number is exceeded.

Access Control

Select the boxes to allow or disallow Offline Mode (prohibiting offline access allows for more continuous compliance checking when the application is active) and specify whether or not to Require VSDM Enrolment in order to access the application. You can further restrict offline access by entering the maximum number of offline uses (when Allow Offline Mode is enabled). If Require VSDM Enrolment is enabled, you can specify custom actions to be performed in order to notify the user or perform actions if the device is not enrolled.

Compliance

Tick the checkboxes to allow or disallow Compromised devices from accessing the application and to Prevent restoring backup to another device.
If either of these compliance options is enabled, you can specify custom actions to be performed in order to notify the user or perform actions regarding the device compliance status.

Branding

Customise the application with corporate or other unique colour identifiers. Enter the correlating Hex codes in the labelled fields to customise application background colours and text.

Analytics

Provides metrics on how the app is being used and keeps track of the important events that occur within the application.

Geofencing

This allows you to set up location-based rules to allow or to restrict pushing the profiles or applications to the device over-the-air. For profiles it is available only for the configuration type SDK Profile.

Custom

Enter (or paste) XML into the box to further customise the application settings.

When you have finished filling out the application profile fields, click Save.

9.14 Managing Apple VPP Applications**

The VSDM offers a robust solution to Apple Volume Purchase Program (VPP) application management and distribution. The sections below outline how you can combine this new feature with the capabilities of VSDM mobile device management to easily manage and distribute iOS application orders to the smart device fleet.

The Apple Volume Purchase Program allows businesses and educational institutions to purchase publicly available applications or specifically developed third-party applications in volume for distribution to corporate devices.

Note: The Apple Volume Purchase Program is currently only available in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain, the United Kingdom and the United States.

The process of deploying applications in volume throughout a business or educational institution with the Volume Purchase Program can be separated into three main components:

1. VPP Enrolment - First, businesses and education institutions must enrol in the program and verify with Apple that they are a valid business or institution.
   o To register for the VPP, navigate to http://www.apple.com/business/vpp for businesses, or to http://www.apple.com/itunes/education for education institutions.
   o More information regarding the Apple Volume Purchase Program, how it works and program prerequisites can be found at the links above.
2. App Purchasing - Once enrolled in the Volume Purchase Program, businesses and educational institutions can purchase applications in bulk through the Volume Purchase Program Website at https://vpp.itunes.apple.com/us/store.
   o Log in with the VPP Apple ID created during the enrolment process.
   o Find applications, define the quantity and purchase with a corporate credit card.
3. App Deployment - Once applications have been purchased, they can be distributed throughout a smart device fleet through the use of redemption codes. For each application purchase, there is an associated redemption code for end-users to redeem a single copy of the application.
   o These redemption codes are managed through a Redemption Code Spreadsheet available at the Volume Purchase Program Website. This spreadsheet contains details such as the redemption code, redemption status and most importantly, a redemption URL that an end-user could use to automatically validate the code and install the program through the App Store.

It is during this final step, App Deployment, that the VSDM can be used to enhance management and distribution to a corporate smart device fleet. For businesses and educational institutions that do not have any Mobile Device Management capabilities, Apple provides two solutions to deploying redemption URLs to end-users:

o Emailing the redemption URL directly to end-users.
o Posting the redemption codes and URLs directly to a corporate intranet site.
The section below describes how the VSDM can be used to automate and simplify this application distribution process.

9.14.1 Upload the Apple VPP Redemption Code Spreadsheet to the VSDM

The first step in managing and deploying VPP Application Orders through the VSDM is to upload the Apple VPP Redemption Code Spreadsheet to the VSDM.

Use the following steps to upload and deploy VPP Application Orders:

1. Navigate to Apps > Orders to open the Orders Page.
2. Click Add. The Add Order form displays.
3. Select Choose File to upload the CSV that you downloaded from the Apple Portal. The VPP Application Order is created.
4. Select the appropriate Apple VPP Redemption Code Spreadsheet.
5. Click Save to continue to the Product Selection Form.
6. Locate the appropriate product and then click Select to finish uploading the spreadsheet. If the Apple VPP Redemption Code Spreadsheet contains licences for multiple applications, several products can be listed on this form. Only one can be selected per new order.
   o You are now directed back to the Order Page in the VSDM and your new Order is shown with a status of New. Orders with a New status are not yet activated for distribution and redemption to the device fleet.
7. Click the blue Order Number to open the Order Activation Form.
8. Enter all necessary order information. All mandatory fields are denoted with a red asterisk:
   o Friendly Name - The name of the Order that is displayed on the Order Page within the VSDM.
   o Description - A brief description of the order.
   o PO Number - The Purchase Order number.
   o Department - The corporate department that this application order is deployed to.
   o Cost Center - The corporate department responsible for financial information regarding this application order.
   o Total Cost - The total cost of the application order.
   o Cost Per Licence - The cost per licence purchased for this application order.
9. Click the Licences tab to view all the other order numbers assigned to this product.
10. Once complete, click Save to add the order for distribution.

9.14.2 Actions

1. Click Actions to manage the Order using the following options listed in the Action menu:
   o Delete - Deletes the order from the VSDM.
   o Edit Assignment - Allows you to edit the existing Order by assigning it to users or devices.

9.14.3 Allocating Redemption Codes

Once the Apple VPP Redemption Code Spreadsheet has been uploaded and the order has been approved for distribution, you can begin allocating the redemption codes for individual application purchases throughout the device fleet.

Use the following steps to allocate redemption codes:

1. Navigate to Catalogue > Orders to open the Orders page.
2. Locate the specific order to be allocated from the Order List by Order number, friendly name, product name or order date.
3. Click Edit Assignment under the Actions on the right. The Application Assignment form displays.
4. Click Add to allocate licences by Location Groups or User Accounts, or to place them On-Hold.
   o To allocate licences by Location Group:
      Type and select the name of the Location Group in the text box shown below.
      Make sure that the All Users radio button is selected.
   o To allocate licences by User Accounts:
      Type and select the name of the Location Group that the user accounts are created at in the text box shown below.
      Check the Selected Users radio button.
      Click on the blue Selected Users Link that displays to open the User Select form.
      Select all specific User Accounts on the left and click Add to provision an individual redemption code to this specific user.
      Click Ok to return to the Application Assignment Form.
      Enter the number of licences to allocate to the selected users in the Allocated Text Box. To allocate a single licence to each selected user, type the same number that is shown in the Users Text Box into the Allocated Text Box. If fewer are allocated, only the first users to use their redemption code can install the application.
   o To save redemption codes for later use, select On Hold:
      Enter the number of redemption codes that you want to place on hold in the On-Hold Text Box.
   o Assignment Type - Select the Auto or On Demand option, i.e., whether the application is installed automatically (auto) or manually (on demand).
   Note: When Assignment type is Auto, only eligible iOS 5 devices receive the App automatically.
   Note: Removing an app when a device is un-enrolled does not recover the redeemed licence. When installed, the app is associated to the user's App Store account.
5. Once all the available licences have been allocated, click Save to finish allocating the redemption codes.
6. Navigate to the Products page.
7. Click the Actions menu and then click Publish to deploy the application. This lets the device users know about the application deployment on their device.
8. Navigate to the Licence page to view all application licences and manage redemption.
9. Click the Make Available option on the Action menu to receive the application and to redeem it.

Note: You can also delete individual redemption codes or make them unavailable.

9.14.4 Create Purchased Application Messages and Notify Device Users

Once the VPP application licences have been allocated, you have the ability to notify device users that their application download is available by using the device notification capabilities of the VSDM. By default, the VSDM is configured to send an Email to end-users to notify them that the specific VPP application is available for download. As an alternative, you can create custom Purchased Application Messages or enable SMS/Push-based Purchased Application Messages. Use the following steps:

1. Navigate to Configuration > System Settings.
2. Select System > General > Message Templates from the navigation menu on the left to open up the Message Template Form.
3. Click Add to open the Add/Edit Message Template Form.
4. Complete all required parameters on the Add/Edit Message Template Form.
   o Subject - The subject of the email message, if email is selected as a delivery method.
   o Description - A description of the message used internally by the VSDM to describe this template.
   o Category - The message template category. For VPP Application Messages select Application.
   o Type - The type of message to be sent; a subcategory of the message template category. For VPP Application Messages, select Purchased Application.
   o Device Ownership - A parameter to limit the message delivery to only devices belonging to the specified device ownership category.
   o Primary Delivery Method - The main method of message delivery to end-users.
   o Alternate Delivery Method - An additional method of message delivery to end-users. This type of message is also sent in addition to the message specified in the primary delivery method.
   o Effective Date - The start date on which this message template begins taking precedence over the default message bodies specified by the VSDM.
   o Expiration Date - The date on which this message template stops being delivered to end-users. The VSDM reverts to default message template, or other currently effective message template(s).
   o Select Language - A parameter to limit the message delivery to only devices belonging to users who understand the specified languages.
   o Email / SMS / Agent Check Boxes - Tick any of these checkboxes to enable message configuration for each respective message type.
   o Message Bodies - The message that is displayed on end-user devices for any of the respective message types. Use the {ApplicationName} lookup value to dynamically populate the name of the application for download in the messages displayed on end-user devices.
5. Click Save to complete the custom Purchased Application Message.

Once the custom purchased application messages have been created, or you choose to use the default purchased application email message template, notifications can be sent out over-the-air to all end-users.

Use the following steps to send the Purchased Application Messages to end-users:

   o Navigate to Catalogue > Applications to open the Purchased page.
   o Locate the specific order to be allocated from the Order List by Order number, friendly name, product name, or order date.
   o Go to the Actions menu on the right of the selected order and click Notify Devices. The notification message is sent.

9.14.5 Manage the VPP Application Deployment

Once the VPP Application Orders have been allocated to the device fleet and end-users have been notified, the VPP Application Deployment is in effect. During this period, you can use the Orders page in the VSDM to manage and monitor the status of the Application deployment.
From the Orders Page in the VSDM you can:

View the Order Status:
   o The order has recently been uploaded to the VSDM and is awaiting Approval before beginning allocation to end-users.
   o The order has been approved, but has not been allocated throughout the device fleet or end-users notified.
   o The order has been approved by Apple, allocated to the device fleet and end-users have been notified.

View the Order Redemption Status:
   o See total number of Purchased application vouchers, the number of Redeemed vouchers that have been used and the number of Remaining vouchers available for redemption.
   o Reallocate licences, Renotify end-users or Delete the VPP Application Order.

From the Products View on the Orders Page in the VSDM you can:

Activate or Deactivate VPP Product Orders for redemption:
   o The Green and Red dots in the status category indicate Active and Inactive VPP Product Orders respectively.
   o To toggle between an active and inactive status, click on the dots.

Renotify end-users

From the Licences View on the Orders page in the VSDM you can:

View each Individual Licence Status:
   o The licence has not been used by the end-user but is available for redemption.
   o The licence belongs to a VPP Product Order with an Inactive Status. The licence information is still in the VSDM and can be set to Active for later redemption.
   o The licence was redeemed by a device that is not under the VSDM.
   o The licence was redeemed by a managed device through the VSDM.

View the Licence User and Date Redeemed:
   o Licences with a redeemed status have the fields for Assigned To and Date Redeemed indicating the User Account who purchased the application and the date at which he/she purchased it.
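
The allocation rules in 9.14.3 and the licence states in 9.14.5 can be modelled together, which is useful when auditing an order for over-allocation or for codes redeemed outside management. This is an added Python example, not VSDM code: the class, method and status names and the EXAMPLE-CODE values are constructed for illustration, and first-come-first-served redemption is assumed from the guide's note on allocating fewer licences than users.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    # Hypothetical names for the four licence states described in the guide.
    AVAILABLE = "available"                   # unused, can be redeemed
    INACTIVE = "inactive"                     # product order deactivated
    REDEEMED_MANAGED = "redeemed-managed"     # redeemed by a managed device
    REDEEMED_EXTERNAL = "redeemed-external"   # redeemed outside management


@dataclass
class Licence:
    code: str
    status: Status = Status.AVAILABLE
    assigned_to: Optional[str] = None


@dataclass
class Allocation:
    group: str
    users: set                                 # accounts entitled to redeem
    allocated: int                             # codes set aside for them
    redeemed_by: list = field(default_factory=list)


@dataclass
class Order:
    licences: list
    on_hold: int = 0
    allocations: list = field(default_factory=list)

    def allocate(self, group, users, allocated):
        """Allocated plus on-hold codes may never exceed the codes purchased."""
        committed = self.on_hold + sum(a.allocated for a in self.allocations)
        if allocated < 0 or committed + allocated > len(self.licences):
            raise ValueError(f"{group}: {committed + allocated} codes committed, "
                             f"{len(self.licences)} purchased")
        self.allocations.append(Allocation(group, set(users), allocated))

    def redeem(self, user):
        """First come, first served within the user's allocation."""
        alloc = next((a for a in self.allocations if user in a.users), None)
        if alloc is None or user in alloc.redeemed_by:
            return None
        if len(alloc.redeemed_by) >= alloc.allocated:
            return None                        # fewer codes than users
        lic = next((l for l in self.licences if l.status is Status.AVAILABLE), None)
        if lic is None:
            return None
        lic.status, lic.assigned_to = Status.REDEEMED_MANAGED, user
        alloc.redeemed_by.append(user)
        return lic.code

    def mark_external(self, code, account):
        """Record a code that was redeemed by a device not under management."""
        lic = next(l for l in self.licences if l.code == code)
        lic.status, lic.assigned_to = Status.REDEEMED_EXTERNAL, account

    def unenrol(self, user):
        """Un-enrolment ends entitlement but does not recover a redeemed code."""
        for alloc in self.allocations:
            alloc.users.discard(user)
        return sum(1 for l in self.licences if l.assigned_to == user)

    def report(self):
        used = [l for l in self.licences if l.status in
                (Status.REDEEMED_MANAGED, Status.REDEEMED_EXTERNAL)]
        return {"purchased": len(self.licences), "redeemed": len(used),
                "remaining": len(self.licences) - len(used),
                "external": sorted(l.code for l in used
                                   if l.status is Status.REDEEMED_EXTERNAL)}


def demo():
    # Constructed order: five placeholder codes, one of them kept on hold.
    order = Order([Licence(f"EXAMPLE-CODE-{i:02d}") for i in range(1, 6)], on_hold=1)
    order.allocate("Sales", {"alice", "bob", "carol"}, allocated=2)
    order.allocate("Support", {"dave"}, allocated=1)
    try:
        order.allocate("Finance", {"erin", "frank"}, allocated=2)   # 6 > 5
        rejected = False
    except ValueError:
        rejected = True
    results = {u: order.redeem(u) for u in ("carol", "alice", "bob", "dave")}
    order.mark_external("EXAMPLE-CODE-05", "unknown-account")
    still_consumed = order.unenrol("carol")
    return {"rejected": rejected, "results": results,
            "still_consumed": still_consumed, "report": order.report()}


if __name__ == "__main__":
    print(demo())
```

The "external" list in the report is the part worth reviewing regularly: each entry is a purchased code that was consumed without passing through a managed device.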
**New Feature in VSDM Release 2

9.15 Managing Apple VPP iBooks**

Vodafone offers a robust management and distribution solution for Apple Volume Purchase Program (VPP) for iBooks. The administrators of educational institutions can purchase books as iBook titles through Apple's VPP program and provide access to these purchased iBooks to their students. The process to automate and simplify the iBook distribution process is the same as the process involved in distributing applications. The process of getting an iBook order approved for distribution and its licence for allocation is the same as the process involved for Apple VPP Applications.

Use the following steps to deploy a purchased iBook to the device fleet:

1. Navigate to Catalogue > Applications and select Purchased from the menu on the left.
2. Click Add Order. The Add Order screen displays.
3. Select the product type as Book. The Add Order form displays asking you to upload an Order CSV file provided by Apple.
   Note: The Add Order screen can be launched from the 'Add Order' action on the Purchased Book screen or the Orders screen.
4. Click Save to save the uploaded file and proceed to the Product Selection form.
5. Click Select for the selected product. The .CSV file is now validated for the correct iBook; information such as description, image thumbnail, price, version and category is pulled using the search/lookup API for the product purchased through Apple's VPP program.
6. Click Edit Assignment from the Actions menu on the Orders page.
7. Complete the following fields in the form:
   o Location Group - Administrators can add one or more Location Groups to which the purchased books need to be assigned.
   o Licences - Enter the number of licences that need to be allocated.
   o Deployment - The deployment can be configured either to Auto or On-Demand mode.
Note: The total of all allocated licences across all location groups cannot exceed the total of licences available. If the On Demand deployment method is selected and the Selected User option is activated, the administrator can specify one or more users in the Location Group that the iBook needs to be assigned to.

9.15.1 Additional Information

Administrators can upload a CSV file for a new iBook VPP order from Apple and select the appropriate iBook for assignment to one or more Location Groups.

Administrators can assign an iBook order across multiple Location Groups using the Auto deployment mode.

Administrators can assign an iBook order across multiple Location Groups using the On Demand deployment mode and select a set of users for each Location Group to download the iBook.

To clearly distinguish the products for applications and iBooks and to have the accessibility to view, edit, and delete iBooks, administrators can use the Books page by navigating to Catalogue > Books.
   o All the Orders associated with iBooks are identified with a unique order type named 'Books'.
   o All the Products associated with iBooks are identified with a unique Product type named 'Books'.

**New Feature in VSDM Release 2

9.16 Application Workflow*

Application workflow simplifies the internal app deployment process for organisations developing their own applications. It allows organisations to delegate key steps in the process to administrators who are responsible for individual stages. Some of the key benefits of this feature include:

o Clear separation of responsibility
o Automated notifications for completed steps

9.16.1 Implementing Application Workflow

To bring the application workflow into effect, four different administrator user accounts have to be created. Each of the created user accounts must have different administrator workflow permissions assigned under a specific Location Group.
Refer to Admin Accounts for creating admin/user accounts and assigning permissions/roles.

Roles involved in Application Lifecycle Workflow

There are four major administrator roles participating in the application lifecycle at various stages. The responsibilities of each of the roles are listed below.

Admin Role - Description of Responsibility
Developer - Is responsible for developing internal applications and revising them based on the analysis of performance and feedback provided by reviewer, publisher, or sponsor.
Reviewer - Is responsible for reviewing a new application created by developer, and assigning it an appropriate description, screen shots, and Terms of Use. Reviewer also looks at the change log provided by the developer for the application to determine if the application is eligible for promoting to assignment or needs rework.
Assigner - Is responsible for assigning the application to location group(s)/User group(s)/Smart group(s) and promoting it to a full rollout based on whether the application meets the required criteria. Assigner accordingly makes recommendations to the publisher.
Publisher - Is responsible for reviewing the assignment criteria for application configured by the assigner and determines whether the right set of devices are being provided the application. Publisher can also republish the application to devices that were assigned but have not installed the application.

Below is the screen to assign resources to administrator workflow permissions (navigate to Administrators > Roles and then click Add Roles).

9.16.2 Enabling Application Workflow

Use the following steps to configure workflow in the VSDM:
1. Navigate to System Settings > Application > Application Workflow.
2. Tick the Enable Work Flow for Applications checkbox.
3. Create a separate section for each of the workflow actions to:
o Add Application
o Review Application.
o Assign Application.
o Publish Application.
4. Select the Role selection box to define the admin role that can perform the workflow action.
5. Select a message template to notify the users within the role when an application becomes available for performing the workflow action.

9.16.3 Workflow Process

The following sections explain the administrator roles involved in the application workflow process:

Add Application

The administrators assigned with the Add Application step of the workflow process have access to the Application page in the VSDM to create and submit an application for review:
• Administrators can add a new application and promote the application to the next workflow status of In Review by clicking Submit for Review as shown in the below image.
• Clicking the Submit for Review button also sends an email alert to all administrators in the Location Group having the role assigned to the workflow action of Review Application.
• Clicking the Save button saves the application in the Created status or clicking Cancel discards the changes made to an application.

Review Application

The administrators assigned with the Review Application step have access to the Application page in the VSDM to review an application in the workflow process:
• By default the workflow status filter in the VSDM is set to In Review and lists all the applications available to the Location Group in the In Review workflow status.
• When an administrator clicks on an application from the application list, all the tabs that show up on the Edit Application screen are displayed. The administrators can modify any of the fields within each tab and save the information.
o Click the Save button to save the changes made in the session without changing the workflow status of the application.
o Click the Submit for Assignment button to update the workflow status of the application to the To be Assigned status. An email is sent to alert all administrators in the Location Group having the role assigned to a workflow action of Assign Application.
o Click the Cancel button to discard any changes made to an application.

Assign Application

The administrators assigned with the Assign Application step have access to the Application page in the VSDM to assign an application in the workflow process:
• By default, the workflow status filter in the VSDM is set to To be Assigned and lists all the applications available to the Location Group in the To be Assigned workflow status. The administrators can also change the filter to view applications in all workflow statuses.
• An administrator can click on an application to view the Edit Assignment page to edit/add criteria, include sets and/or exclude sets.
o Click the Save button to save the changes made in the session without changing the workflow status of the application.
o Click the Cancel button to discard the changes made to the application.
o Click the Next button to navigate to the next tab (Devices) where the devices for the Location Group satisfying the criteria are displayed.
• Clicking the Previous button takes the user back to the criteria tab.
• Clicking the Save button saves the changes in the session without changing the workflow status of the application.
• Clicking the Submit for Publishing button updates the workflow status of the application to To be Published. Clicking this button sends an email alert to all administrators in the Location Group that belong to the role assigned to workflow action of Publish Application.
• Clicking the Cancel button discards any changes made to the application.

Publish Application

The administrators assigned with the Publish Application role have access to the Application page in the VSDM to publish an application in the workflow process:
• By default, the workflow status filter in the VSDM is set to To be Published and displays all the applications available to the Location Group in the To be Published workflow status. The administrators can also change the filter to view applications in all workflow statuses.
• The administrator can click on an application to view the Publish page shown below.
• Clicking the View Assignment button takes the user to the smart groups configuration.
• Clicking the Save button saves the changes made without changing the workflow status of the application.
• Clicking the Publish button updates the workflow status of the application to Published status.
• Clicking the Cancel button discards any changes made to the application in the session.

*New Feature in VSDM Release 3

9.17 Recommended Applications

The following applications are recommended in order to take full advantage of the VSDM environment. All of these apps have been designed to work directly with the VSDM Agent and give you additional control and 'settings' options for managing your device fleet. These are all available for download from iTunes, the App Store, or the Google Play Store.

9.17.1 The Vodafone Secure Content Locker (Available for iOS devices)

For more information on the Secure Content Locker, see the "Content Management" section.
Note: The Vodafone Secure Content Locker is an Optional Product. Availability may vary according to local market conditions.

9.17.2 Vodafone Managed Browser (Available for iOS and Android devices)

Vodafone Managed Browser provides a secure alternative to open internet browsing.
There are two modes of operation for Vodafone Managed Browser.
• Restricted mode - Depending on how you have chosen to configure this feature, the Vodafone Managed Browser may operate very much like a standard internet browser, or it may be more restricted. Typical restrictions might include:
o Whitelist - Administrator may limit browsing to a list of allowed websites. Attempts to navigate to a website that is not whitelisted fail.
o Blacklist - Alternatively, there may be a list of blacklisted websites. In this case, surfing is permitted anywhere except to a blacklisted website.
• Kiosk mode - In this mode, the browser defaults to a specified home screen after a period of inactivity (determined by administrators).
Additional restrictions may be applied to the Vodafone Managed Browser, such as limiting the ability to copy/paste or disabling the ability to print a webpage.

9.17.3 Vodafone Launcher App (Available for Android Devices)

The Vodafone Launcher App must be installed (and running) on a user's device in order to use the Launcher Mode Profile.

9.17.4 Vodafone Telecom Service App (Available for Android Devices)

Vodafone Telecom Service allows you to capture detailed telecom information from managed Android devices. This includes:
• Call Logs.
• SMS Logs.
• Cellular Data Usage.
Note: In order to collect this data, you must first make sure that the appropriate data collection settings are enabled. To adjust these settings, navigate to System Settings > Devices > Android > Agent Settings and look for the Telecom settings.

9.18 Important Application Management Considerations

• To track public applications on employee devices through the Device Details and Device Control Panel, ensure that the VSDM Privacy Settings (specified in Configuration > System Settings > Device > General > Privacy) allow for the collection and display of application data.
• Some applications may have specific device prerequisites (for example, iCloud settings) in order to be fully functional. Investigate application requirements before pushing applications to end-users. Either enable the appropriate settings for end-users, or inform end-users of any settings requirements.
• Use the SDK for maximum security and functionality in building secure internal business applications.
• When deploying multiple versions of the same internal application, retire previous versions of the application (see Application retirement) after the old versions are no longer needed for testing or backup purposes.
• When creating advanced deployment settings for applications (such as Push Mode) ensure that the end-user's device supports the specified deployment setting.

10 Content Management

Vodafone’s Mobile Content Management (MCM) solution, the Vodafone Content Locker, allows administrators to manage document distribution and mobile access to corporate documents through a web-based console. The Vodafone Content Locker application enables your employees to securely access corporate resources, including direct links to SharePoint documents, on-the-go from their mobile devices. Whether your company is looking to distribute annual reports to shareholders or the latest presentation to the sales force, the Vodafone Secure Device Manager (VSDM) ensures all corporate information is protected.

Furthermore, the following actions can be performed using the Vodafone Content Locker:
• Content can be configured to be accessed in online or offline modes and content data is encrypted on the device.
• The following document level content is supported in the Content Locker:
o iWork - Keynote (including Keynote09), Numbers (including Numbers09), Pages (including Pages09)
o MS Office - Excel, PowerPoint, and Word
o Pictures - .jpg, .png
o Videos - MOV (video/quicktime), MP4 (video/mp4)
o Audio - AAC (audio/aac), ALAC (audio/m4a), MP3 (audio/mpeg)
o Other - PDF, XML, Text, Rich Text Format (.rtf), Rich Text Format Dictionary (.rtfd), HTML, ePUB, and iBooks
• Content is managed at the Location Group level using a new Content menu/user interface.
• Similar to profiles and applications, content is created at a Location Group level but can be assigned to one or many child Location Groups and/or User Groups.
• Additionally, content can be made available to devices/end users based on device ownership.
• Administrators can enable EIS integration to provide users with direct links to SharePoint documents.

11 Managing and Distributing Content

Management of the Vodafone Content Locker is centralised on the Content page in the VSDM.

11.1 Creating Document Categories

Document categories help organise the content and group the related documents together to simplify and enhance the end-user experience. As Category is one of the mandatory fields while uploading a document, the administrator has to create the category before uploading any document. This prevents the administrator from making the mistake of uploading a huge document and then realising there is no category to assign it to.

Use the following steps to create a document category:
1. Navigate to the Categories View from the Content page.
2. Select Add Category to open the Add Category form.
3. Complete all the necessary information:
o Managed By – The location group that can edit, add subcategories, and delete the category.
o Name – The name of the category.
Note: An example of the naming convention for categories is: cat_parent/cat_child.
In this format, cat_parent represents the Parent category and cat_child represents the Child category of the Parent category.
o Description – A description of the category.
4. Click Save to save the changes.

Administrators of a managing location group can also create subcategories as follows:
1. Select Add from the Actions menu next to the parent category's name on the Categories View page. The Add Category page displays.
2. Select the Managed By Location Group.
3. Enter the Name and Description. The Parent Category Name is populated.
4. Click Save to save the changes.

11.2 Publishing an Individual Document

Note: You must have created at least one Document Category before you upload documents to the Secure Content Locker.

To distribute a document over-the-air through the Vodafone Secure Content Locker:
1. Navigate to Content > Content Management.
2. Click Add Content to open up the Add Document Form.
3. The Location Group level that manages the document is selected automatically.
4. Complete one of the following actions:
o Add a Document from a Content Repository - Use the Content Repository dropdown to import documents from a previously configured Content Repository (see Using the Content Repository). Search for the desired document and, once found, click the Select link on the right.
o Add a Local Document - Click Upload and select the document that you want to distribute from your local file system.
o Add a Document from a Specified Location - Click Upload and select the Link radio button. Enter the full path to the desired file.
Note: For acceptable file types, see Content Management.
5. Click Save and Continue. The Add Content form displays the Info tab.
6. Enter all the basic information:
o Required fields are denoted with *.
o Document Categories are used in the Content Locker application to organise and group documents. Each document can belong to multiple categories as shown above.
7. Select the Details tab to enter more details if needed.
o No details are required, but they provide additional information about the document that can be shown in the Secure Content Locker application.
8. Select the Security tab to configure the access control settings.
o Choose whether or not to allow offline viewing of content.
o Select whether to force encryption of this document when it has been downloaded on the device.
Note: This is recommended for all sensitive corporate material. Only documents that are considered public-facing should not be encrypted if the administrator wishes to save processing time on all devices while opening the document.
o Select the appropriate checkboxes to permit documents to be opened in Email or in third party applications.
o Choose whether or not to allow the users to print the document.
9. Select the Assignment tab to filter the recipients of the document.
o Optionally, select the device ownership category option to only send the document to devices enrolled under that category.
o Assign the document to be deployed to one or more Location Groups. This is a mandatory field.
10. Select the Deployment tab to specify advanced deployment options for the document.
o Transfer Method - Select whether the document must be sent to the end-user at any moment, or only when the device is connected to Wi-Fi.
o Download While Roaming - Enable this option to download the document when the device is roaming.
o Download Type - Select On-Demand to allow the end-user to download the document when they want to, or Automatic to send the document to the device as soon as it enrols and downloads the Secure Content Locker application.
o Download Date - This field displays on selecting Automatic as the download type. This is the date on which the document is downloaded in the Secure Content Locker. This is the same as the Effective Date.
o Download Priority - The priority order in which the file is downloaded if queued with additional documents. For instance, if two documents are waiting to be downloaded and they have a different download priority, the higher priority document is downloaded first.
o Effective and Expiration Date - The dates on which the document becomes available and no longer available in the Secure Content Locker application.
11. Click Save to save the parameters.

11.3 Uploading and Distributing Multiple Documents

Use the following steps to upload and distribute multiple documents:
1. Navigate to Content > Content Management.
2. Select Batch Import to open the Batch Import form.
o Enter the Batch Name and the Batch Description.
o Click to open the Content Locker Import Help Topic.
3. Download the Content Locker Import Template.
4. Enter all necessary information in the template. Mandatory fields are denoted with a red asterisk.*
o Name - Enter a name for the document.
o FilePathType - Enter 'filepath' if you plan to enter a file path to a file located on your VSDM server. Enter 'http' if the file path is a fully-qualified URL.
o AccessVia - Enter None if you are uploading a file located on your VSDM server (FilePathType = 'filepath'). Enter EIS if you plan to link to a file located on a server that has been configured in EIS (FilePathType = 'http'). Enter Direct if you plan to upload a file that is publicly hosted by using a fully-qualified URL (FilePathType = 'http').
o Managed By - Enter the Location Group level that manages the document.
o FilePath - Enter a system filepath (filepath) or a fully-qualified URL (http) for the document.
o Categories - Enter the appropriate category name(s). Use a semicolon (;) to separate multiple categories.
o Download Type - Enter either On Demand or Automatic.
o Download Priority - Enter Low, Normal or High.
o Device Ownership - Enter C, E, S or Any.
o Location Groups - Enter the highest Location Group level that receives the document. The Location Group entered here cannot be higher than the Location Group used in the Managed By field.
o All remaining columns contain fields that have been explained in the single document upload process.
5. Save the file as a CSV file and upload it in the Batch Import form.
6. Select Save to save the details.

11.4 Important Content Locker considerations

The Location Group selected must be equal to the Managed Location Group or its child location group. The Managed Location Group is the location where the document is uploaded and managed. Once uploaded, the document can also be assigned to its child location group.

The following are some of the points to be followed while completing the Content Locker Import template for batch import:
• The administrator cannot add a document directly to a Parent category that has child categories. For example, Book is the parent category which has Tech and Info as child categories, represented as Book/Tech and Book/Info. The administrator can add a document either to the Book/Tech or Book/Info child categories but cannot add a document to the Book (parent) category. Also, the administrator cannot add child categories to a parent category if it already contains documents.
• In the Managed By and Location Group columns of the template, the administrator must specify the Group ID and not the Location Group name.
• If the batch file being uploaded contains a CSV file with a line error, the balance of the batch will upload successfully while the file containing the error will not. If the error is subsequently corrected and the batch re-uploaded, this will lead to duplication of the files that had already been successfully uploaded.
• If the administrator uses an http link for the file path, they need to manually replace any instances of ‘%20’ with spaces to correctly reproduce the URL.
• If the priority level is not specified for a document in the template, then the Download Priority field for that document automatically defaults to Normal.

11.5 Using the Content Repository

The Content Repository allows administrators to link to folders, network drives and even SharePoint directories containing various documents to upload into the Secure Content Locker.

Use the following steps to create a new Content Repository:
1. Navigate to Content > Content Management.
2. Click the Content Repository link on the left-hand navigation.
3. Click Add to display the Add Content Repository form.
4. Complete the fields as required:
o Name - Enter a name relevant to the content directory.
o Type - Enter the type of the content repository.
o Link - Enter the full path to the directory location.
o Location Group - Select the Location Group level that is to have access to this Content Repository.
o Authentication Type - If login information is required to connect to the content directory, select User and then provide the login details.
o Access Via EIS - If the file system or SharePoint drive is not accessible from the VSDM server's domain, tick this checkbox to enable the EIS to connect to the content directory. This is required for content integration in SaaS deployments, and also for specific server-hardened on-premise deployments. (You must have already configured EIS to allow a connection from the VSDM in order for this to work).
o Allow Inheritance - Allow child Location Groups to have access to this Content Repository.
o Enable Sync - This is required to enable sync between SharePoint and VSDM server.
5. Click Save to save the changes.

11.5.1 Navigating Content in Repository Folders

The Show Repositories button on the All Content page allows administrators to view all the content repository folders and sub-folders and to navigate to the desired content within the repository folder.

On clicking Show Repositories, all the content repository folders are listed on the left panel of the page. On clicking a particular content repository folder, all the documents belonging to that content repository folder are displayed on the right panel of the page.

11.6 Managing Documents

There are several actions on the Content Management page that an administrator can perform to manage the content of the corporate Secure Content Locker. Select the Actions menu icon to perform the following actions:
• Edit - Edit any of the details created during the process of adding a new document.
• Add Version - If the document is updated, administrators can add a newer version of the document. End users are automatically notified if there is a new version of a document.
• View Devices - View a list of the devices that have currently downloaded this document.
• Download - Downloads a local copy of the document to view.
• Delete - Deletes the document from the Secure Content Locker.
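
A pre-upload check for the batch import template described in sections 11.3 and 11.4, given as an added example (it is not Vodafone code). It assumes the CSV header names match the field names listed in 11.3, that the columns in REQUIRED are the mandatory ones, and that the Group ID hierarchy and the existing category list have been copied out of the console by hand; all sample values are constructed.

```python
import csv
import io
from urllib.parse import urlsplit

# Allowed values as listed for the import template in section 11.3.
ACCESS_FOR_TYPE = {"filepath": {"None"}, "http": {"EIS", "Direct"}}
ENUMS = {
    "Download Type": {"On Demand", "Automatic"},
    "Download Priority": {"Low", "Normal", "High"},  # blank defaults to Normal
    "Device Ownership": {"C", "E", "S", "Any"},
}
# Assumption: these are the columns the template marks as mandatory.
REQUIRED = ("Name", "FilePath", "Categories", "Managed By", "Location Groups")


def same_or_child(group, managed_by, parent_of):
    """True when group is managed_by itself or sits below it in the tree."""
    seen = set()
    while group is not None and group not in seen:
        if group == managed_by:
            return True
        seen.add(group)
        group = parent_of.get(group)
    return False


def check_row(row, parent_of, categories):
    """Return the list of problems found in one template row (empty = clean)."""
    val = {k: (v or "").strip() for k, v in row.items() if isinstance(k, str)}
    get = lambda col: val.get(col, "")
    errors = [f"{col}: missing" for col in REQUIRED if not get(col)]

    ptype, access, path = get("FilePathType"), get("AccessVia"), get("FilePath")
    if ptype not in ACCESS_FOR_TYPE:
        errors.append("FilePathType: must be 'filepath' or 'http'")
    elif access not in ACCESS_FOR_TYPE[ptype]:
        allowed = " or ".join(sorted(ACCESS_FOR_TYPE[ptype]))
        errors.append(f"AccessVia: FilePathType '{ptype}' requires {allowed}")
    if ptype == "http" and path:
        try:
            url = urlsplit(path)
            qualified = url.scheme in ("http", "https") and bool(url.netloc)
        except ValueError:
            qualified = False
        if not qualified:
            errors.append("FilePath: not a fully-qualified URL")
        if "%20" in path:
            errors.append("FilePath: replace '%20' with spaces (section 11.4)")

    for cat in filter(None, (c.strip() for c in get("Categories").split(";"))):
        if cat not in categories:
            errors.append(f"Categories: '{cat}' has not been created")
        elif any(other.startswith(cat + "/") for other in categories):
            errors.append(f"Categories: '{cat}' is a parent with child categories")

    # Blank cells are left to the console; only filled-in values are checked.
    for col, allowed in ENUMS.items():
        if get(col) and get(col) not in allowed:
            errors.append(f"{col}: '{get(col)}' is not an accepted value")

    managed, target = get("Managed By"), get("Location Groups")
    for col, gid in (("Managed By", managed), ("Location Groups", target)):
        if gid and gid not in parent_of:
            errors.append(f"{col}: '{gid}' is not a known Group ID")
    if managed in parent_of and target in parent_of:
        if not same_or_child(target, managed, parent_of):
            errors.append("Location Groups: must be Managed By or a child of it")
    return errors


def split_batch(csv_text, parent_of, categories):
    """Split the template into (clean_rows, problems) before any upload."""
    reader = csv.DictReader(io.StringIO(csv_text))
    clean, problems = [], []
    for row in reader:
        errors = check_row(row, parent_of, categories)
        if errors:
            problems.append((reader.line_num, row.get("Name"), errors))
        else:
            clean.append(row)
    return clean, problems


# Constructed sample data: Group IDs (child -> parent), categories and rows.
GROUPS = {"VF": None, "VF-UK": "VF", "VF-UK-SALES": "VF-UK"}
CATEGORIES = {"Book", "Book/Tech", "Book/Info"}
SAMPLE = r"""Name,FilePathType,AccessVia,Managed By,FilePath,Categories,Download Type,Download Priority,Device Ownership,Location Groups
Annual Report,filepath,None,VF-UK,D:\Docs\annual.pdf,Book/Info,Automatic,High,Any,VF-UK-SALES
Price List,http,Direct,VF-UK,https://files.example.com/price%20list.pdf,Book/Tech,On Demand,,C,VF-UK
Handbook,http,None,VF-UK-SALES,https://files.example.com/handbook.pdf,Book,On Demand,Urgent,E,VF-UK
"""

if __name__ == "__main__":
    clean, problems = split_batch(SAMPLE, GROUPS, CATEGORIES)
    print(f"{len(clean)} row(s) ready for upload")
    for line, name, errors in problems:
        print(f"line {line} ({name}): " + "; ".join(errors))
```

Uploading only once `problems` is empty avoids the partial upload, and the duplicates on re-upload, that section 11.4 describes.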

12 Content Security and Analytics

The Vodafone Secure Content Locker (SCL) not only isolates, encrypts, and protects corporate content on iOS devices, but it also enables the administrators to leverage higher levels of security over, and monitoring of, corporate documents. Some of the advanced security capabilities include:
• Increased access security through two-factor authentication (using Certificates and a PIN).
• Secure transfer of document metadata to prevent 'man-in-the-middle' attacks.
• Administrator-controlled settings to block brute-force password attempts.
• Monitoring capabilities to view all Secure Content Locker activity on a per-document basis.

12.1 Configure Content Security Settings

The administrator can configure security features for individual documents on the Security tab when publishing or managing individual documents. There are additional options to specify general security settings for the SCL. To view and configure these settings, navigate to: System Settings > Applications > Secure Content Locker.

Administrators can specify the following settings to further protect the corporate content on end-user devices:
• Maximum allowable number of failed access attempts - Specify a low number of allowable attempts for increased security.
• Authentication Grace Period - Specify a shorter grace period for increased security.
• Prevent Compromised Devices (Recommended) - Tick this box to check devices for compromised status and prevent compromised devices from accessing content.
• Require (MDM) Enrolment (Recommended) - Tick this box to check for MDM enrolment and prevent un-enrolled devices from accessing content.

12.2 Content Analytics

Administrators can view detailed information on activity in the SCL (when the Software Development Kit (SDK) is used), in addition to viewing activity for other applications using the SDK on the Application Analytics page. To view the Analytics page, navigate to: Applications > Analytics.

The Analytics page contains a variety of application information. Particularly useful to administrators are the Event Name and Event Data fields for viewing document activity. For example, administrators can see when an end-user:
• Authenticates into the SCL.
• Installs a document.
• Opens a document.
• Adds a document to favourites.

12.3 Best Practice

• Create document categories before you begin uploading documents. Categories are selected during the upload process but must be created separately.
o To create a category, select the Categories setting on the Content Management page, or navigate to Content Management > Categories.
• Administrators may wish to enable end-users to store and access content locally using third-party applications.
o If permitted, end-users can download and view a local copy of documents by selecting the icon.
• Enable enhanced VSDM functionality through Software Development Kit (SDK) integration - Integrating the Vodafone Content Locker with the SDK enables the Secure Content Locker to detect compromised devices and communicate with the corporate server.
• Encourage end-users to enable GPS tracking - End-users can enable location services in the Vodafone Content Locker settings to allow administrators to track and access GPS coordinates.

13 Email Management

The Vodafone Secure Device Manager (VSDM) provides administrators with several options for configuring secure integration with corporate Email services.
The most robust and extensible solution is through the Vodafone Secure Email Gateway (SEG), which allows the administrator to secure, monitor, and manage both the smart device fleet and corporate Email access, all from the VSDM.

Vodafone Secure Device Manager simplifies and secures Email management by allowing the administrator to perform the following tasks:
• Quickly monitor and troubleshoot Email server requests through the Secure Email Gateway Dashboard.
• Gain visibility and control on top of the existing corporate Email structure to ensure that corporate Email actions are secure and compliant.
• Create and edit Email Compliance rules, including Blacklist and Whitelist policies.
• Control Email access for both managed devices and unmanaged devices.
o For devices under VSDM management, the data collected from the SEG can be correlated to the device’s existing record to show you how the managed devices are interacting with your email server.
o For devices not under VSDM management, the data can be viewed on the dashboard to help the administrator track rogue devices and gain a more complete picture of the mobile email deployment.
• Configure integration with a number of corporate Email Services, including (but not limited to):
o Microsoft Exchange.
o Google Apps for Business.
o Microsoft BPOS.
o Microsoft Office365.
o Lotus.
o Novell GroupWise versions 8.5+.

13.1 Email Compliance Policies

Email compliance policies allow the administrators to block access to corporate email servers for enhanced email security based on pre-defined compliance policies. You can configure email compliance policies in either of the following two ways by navigating to:
1. Dashboards > Email Management and then select Email Policies on the left.
2. Profiles & Policies > Compliance, then select Email Policies from the Compliance view on the left.

13.1.1 Email Policies

Depending upon your Mobile Email Management (MEM) deployment, the Email Policies screen provides three categories of compliance policies:
• General Email Policies
• Managed Device Policies
• Attachment Security Policies*.
Note: Email Policies can be configured only at the Location Group where MEM is configured. By default, all child Location Groups inherit the created policies.*

Within each category, there is a list of current compliance policies (shown below):
• The circles under the Active column indicate whether the policy is active (green) or inactive (red).
• Ticking the Disable Compliance option forces MEM to function in Bypass mode. This option is applicable for all the MEM configuration models (i.e. for Proxy, PowerShell, and Google).
Note: In Bypass mode, compliance policy is not applied against the devices.
• To make changes to a policy, hover over the pencil icon under the Actions column and click Edit Policy.
• If a window opens, click Save to finish editing the policy, or Cancel to return the values to the last saved state.

13.1.2 General Email Policies

General Email Policies are applicable to MEM deployments involving the Secure Email Gateway (SEG) and the PowerShell Integration.*

Managed Device

This policy allows you to determine the outcome if an unmanaged device attempts to contact the corporate email server.
1. Open the policy and specify whether to Allow or Block an unmanaged device.
2. Click Save.

Mail Client

This policy allows you to control email access to a list of mail clients.
1. Open the policy and click Add Rule.
2. Select an option from the Client Type dropdown menu:
o Pre-Defined - The known mail clients stored in the Vodafone database.
   o Discovered - The mail clients that connect through the gateway, but are not currently stored in the Vodafone database.
   o Custom - Specified mail clients (i.e. Apple or Android).
3. Select the Mail Client from the dropdown menu or, if you chose Custom, enter the mail client in the field.
4. Choose to either Allow or Block the specified mail client and its type.
5. Specify the default policy (Allow or Block) for all other mail clients not currently listed. This applies to all known mail clients that are not currently listed in the policy.
6. Specify the default policy (Allow or Block) for all new or discovered mail clients not currently listed. This applies to all mail clients that are not currently stored in the Vodafone database.
7. Click Save.

User
This policy allows you to list specific users who are allowed or denied access to the email server and receive corporate email on their mobile device.
1. Select a User Type from the dropdown menu:
   o VSDM User Account - Select a registered device user from the Vodafone database.
   o Discovered - Choose the users that connect through the gateway and are not currently stored in the Vodafone database.
   o Custom - Choose the specific users.
2. Select a User Name from the dropdown menu.
3. Make a selection to Allow, Block, or Whitelist the specified user.
4. Specify the default policy (Allow or Block) for all other usernames not currently listed. This applies to all known usernames that are not currently listed in the policy.
5. Specify the default policy (Allow or Block) for all new or discovered usernames not currently listed. This applies to all usernames that are not currently stored in the Vodafone database.
6. Click Save.

13.1.3 Managed Device Policies
Managed Device Policies are only enforced on devices currently enrolled in the VSDM.
Inactivity
This policy allows you to specify if you allow or deny an inactive device to access the email server. It specifies the number of days a device can be unmanaged before it is considered inactive.
1. Open the policy and specify whether to Allow or Block inactive devices from connecting to the email server.
2. Enter the number of days of inactivity before a device is considered inactive.
3. Click Save.

Device Compromised Compliance
This policy allows you to determine the outcome if a compromised device attempts to contact the corporate email server.
1. Open the policy and select whether to Allow or Block compromised devices to access the email server.
2. Click Save.

Encryption Compliance
This policy allows you to determine the outcome if a device does not have data protection turned 'On' while attempting to access the corporate email server.
1. Open the policy and select whether to Allow or Block devices that do not have data protection enabled.
2. Click Save.

Platform/Model Compliance
This policy allows you to define which platforms and models you want to either access or be blocked from the corporate email server.
1. Open the policy and click Add Rule.
2. Select an option from the Platform and Model dropdown menus.
3. Make a selection to Allow or Block the specified platform and model.
4. Specify the default policy (Allow or Block) for all platforms and models not currently listed.
5. Click Save.

Operating System Compliance
It may be necessary to block a version of an OS used by a particular mobile device for many different reasons. For example, an administrator might decide to temporarily block an OS because it is putting a stress or load on an email server due to a bug or other technical issues, until the problem is resolved.
Another scenario might be to only permit specific platforms and OS ranges to access the corporate email server, and block all others from receiving their email.
1. Open the policy and click Add Rule.
2. Select the type of device from the Platform dropdown menu.
3. Select the minimum and the maximum operating system for the device from the Min OS and Max OS dropdown menus.
4. Specify the default policy (Allow or Block) for all OS versions not currently listed.
5. Click Save.

13.1.4 Attachment Security Policies*
Attachment Security Policies are used to secure email attachments being downloaded onto mobile devices. Attachment Security is available for deployments involving the SEG proxy server. In order to prevent misuse of corporate Email Attachments, Vodafone's SEG has been enhanced to encrypt and secure individual attachment files. These security policies ensure that only compliant devices enabled with the Vodafone Secure Content Locker (SCL) application can decrypt and view the attachment.

Managed Devices*
Managed Device policies are enforced only on devices that are enrolled in the VSDM. You can configure the file attachments that need to be encrypted and secured via SCL and set policies that can be enforced on files that cannot be viewed on the SCL via the VSDM. Select iOS Devices to configure attachment settings for iOS devices or Other Devices to configure attachment settings for Android devices.

Attachment Security Policies - iOS Devices*
The screen below illustrates the features available for configuring the 'email attachment security policy' for managed iOS devices.
• Use Recommended Settings - Enabling this option defaults the policy to the VSDM recommended settings, where pre-defined settings are enforced on devices. You may choose to customise the policy based on your corporate requirements.
• Actions on Specific file types - Selecting the radio buttons enables the VSDM to communicate with the SEG, defining the actions that need to be performed on attachments of specific file types.
   o Encrypt & Allow Attachments - The SEG encrypts attachments of specified file type(s), which can only be decrypted and read via the SCL application on the device.
   o Block Attachments - The SEG blocks attachments of the specified file type(s).
   o Allow Attachments without Encryption - The SEG allows attachments of the specified file type without encryption. The attachments can be opened/saved/edited on the device through the native readers.
• Ticking/Unticking the Allow Attachments to be saved in Secure Content Locker checkbox allows you to decide whether or not to allow the device user to save the attachment locally in the SCL.
• Select the radio button actions in the Other Files area to update settings for the file types other than the standard file categories that are currently supported.
   o You can exclude specific file types from the VSDM's Email attachment setup, under the Exclusion section. For example, you can block all other file types while excluding AUTOCAD files of type .dwg.
   o You can also set a message to be displayed in emails on devices for the blocked attachments file types under Custom Message for Blocked section. For example, 'One or more email attachments have been blocked per Acme's corporate policy'.

Attachment Security Policies - Other Devices*
The screen below illustrates the features available for configuring the Email Attachment Security policy for other managed Android devices.
Note: With the Encrypt & Allow Attachments option, attachments downloaded on other managed devices are encrypted, but cannot be viewed on the device. Device users can however forward these emails with the encrypted attachment from their devices.
Unmanaged Devices*
Unmanaged Device policies are enforced only on devices that are not enrolled but managed in the VSDM.
• Use Recommended Settings - Enabling this option defaults the policy to VSDM recommended settings, where pre-defined settings are enforced on devices. You may choose to customise the policy based on your corporate requirements.
• Actions on Specific file types - Selecting the radio buttons enables the VSDM to communicate with the SEG defining the actions that need to be performed on attachments of specific file types.
   o Encrypt & Allow Attachments - The SEG encrypts attachments of specified file type(s), which can only be decrypted and read via the SCL application on the device.
   o Block Attachments - The SEG blocks attachments of the specified file type(s).
   o Allow Attachments without Encryption - The SEG allows attachments of the specified file type without encryption. The attachments can be opened/saved/edited on the device through the native readers.
• You can exclude specific file types from VSDM's Email attachment setup under the Exclusion section.
• You can also set a message to be displayed in emails on devices for the blocked attachments file types under Custom Message for Blocked section.

13.1.5 Apply Email Compliance Policies
After you create or edit Email compliance policies, the policies are automatically applied when the SEG is refreshed (Configure the refresh interval in System Settings > Email > Advanced). To instantly apply the policy, click the Provision Policy Changes button at the bottom of the Email Compliance Policies page.
*New Feature in VSDM Release 3

13.2 Email Attachment Control*
Vodafone offers complete email control as an option for all devices accessing corporate email.
This aspect of mobile email access allows organisations to have advanced security settings otherwise unavailable through native email clients. Beyond simply denying access to sent and received attachments, the settings offer flexible encryption and access policies based on file type, including the option to decrypt to open securely in the Vodafone Secure Content Locker. Manage all of these attachment settings from the VSDM.

13.2.1 Prerequisites
Vodafone's email attachment control features leverage two aspects of MDM. These prerequisites must be in place:
• Secure Email Gateway (SEG) v6.3 or higher - The SEG allows a secure connection from internal mail servers and each mobile device. For more information on establishing an SEG, please review the Vodafone SEG Installation Guide.
• Vodafone Secure Content Locker v1.5 or higher - The Secure Content Locker serves as the secure area for viewing and managing attachments. Upon receiving an email, the Secure Content Locker detects attachment presence and immediately sends the content to the secure viewing area. To get started, purchase Vodafone's Mobile Content Management module, then deploy the Vodafone Secure Content Locker as a public managed application.

13.2.2 Accessing Attachment Settings
Once the SEG and Secure Content Locker infrastructure is properly established, manage email attachment settings alongside all other MDM features and settings in the VSDM. Create customised email attachment settings for both managed and unmanaged devices by navigating to Profiles & Policies > Compliance > Email Policies page. Select Edit Policy to the right of each device type in the Attachment Security Policies area.
For more information on configuring email attachment settings, please refer to the Email Compliance Policies section.
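The attachment actions described in 13.1.4, with the outcomes listed in 13.2.3, modelled as an added Python example; this is not Vodafone's SEG code. The category map, the sample policies and file names, the treatment of an excluded type as delivered unchanged, and the appended .awsec suffix are assumptions.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    ENCRYPT_ALLOW = "Encrypt & Allow Attachments"
    BLOCK = "Block Attachments"
    ALLOW_PLAIN = "Allow Attachments without Encryption"


# Constructed category map: the guide does not list the SEG's file categories.
CATEGORIES: Dict[str, Set[str]] = {
    "documents": {".pdf", ".doc", ".docx"},
    "spreadsheets": {".xls", ".xlsx"},
    "images": {".png", ".jpg"},
}


@dataclass(frozen=True)
class AttachmentPolicy:
    by_category: Dict[str, Action]   # "Actions on Specific file types"
    other_files: Action              # "Other Files" area
    exclusions: Set[str] = field(default_factory=set)  # "Exclusion" section
    blocked_message: str = ""        # "Custom Message for Blocked"
    scl_can_view: bool = True        # False for managed "Other Devices"


@dataclass(frozen=True)
class Outcome:
    delivered_name: Optional[str]    # None when the attachment is removed
    action: Action
    matched: str                     # part of the policy that decided
    viewable_on_device: bool


def classify(policy: AttachmentPolicy, filename: str) -> Tuple[Action, str]:
    """Return (action, matched policy part) for one attachment name."""
    # Only the final suffix counts, lower-cased: "invoice.pdf.exe" is ".exe"
    # and a name without a suffix falls through to "Other Files".
    ext = PurePosixPath(filename).suffix.lower()
    if ext in policy.exclusions:
        # Assumption: an excluded type is outside the policy, delivered as-is.
        return Action.ALLOW_PLAIN, "exclusion"
    for category, extensions in CATEGORIES.items():
        if ext in extensions and category in policy.by_category:
            return policy.by_category[category], category
    return policy.other_files, "other files"


def apply_policy(policy: AttachmentPolicy,
                 filenames: List[str]) -> Tuple[List[Outcome], Optional[str]]:
    """Return (outcomes, note); note is the blocked message, or None."""
    outcomes = []
    for name in filenames:
        action, matched = classify(policy, name)
        if action is Action.BLOCK:
            outcomes.append(Outcome(None, action, matched, False))
        elif action is Action.ENCRYPT_ALLOW:
            # Assumption: ".awsec" is appended to the original file name.
            outcomes.append(Outcome(name + ".awsec", action, matched,
                                    policy.scl_can_view))
        else:
            outcomes.append(Outcome(name, action, matched, True))
    blocked = any(o.action is Action.BLOCK for o in outcomes)
    return outcomes, (policy.blocked_message if blocked else None)


# Constructed sample policies: block everything uncategorised except .dwg.
MANAGED_IOS = AttachmentPolicy(
    by_category={"documents": Action.ENCRYPT_ALLOW,
                 "spreadsheets": Action.ENCRYPT_ALLOW,
                 "images": Action.ALLOW_PLAIN},
    other_files=Action.BLOCK,
    exclusions={".dwg"},
    blocked_message=("One or more email attachments have been blocked "
                     "per Acme's corporate policy"),
)
# Managed "Other Devices": encrypted attachments arrive but cannot be viewed.
MANAGED_OTHER = replace(MANAGED_IOS, scl_can_view=False)

# Constructed attachment names, including a double extension and no extension.
SAMPLE_ATTACHMENTS = ["Q3.PDF", "site.dwg", "invoice.pdf.exe", "logo.png", "README"]

if __name__ == "__main__":
    results, note = apply_policy(MANAGED_IOS, SAMPLE_ATTACHMENTS)
    for original, outcome in zip(SAMPLE_ATTACHMENTS, results):
        print(f"{original:16} {outcome.action.value:38} "
              f"{outcome.matched:12} -> {outcome.delivered_name}")
    print("Note added to mail:", note)
```

Setting Other Files to Block with a short Exclusion list makes the policy default-deny, so a double-extension name such as invoice.pdf.exe is judged by its last suffix and removed.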
13.2.3 Accessing Protected Email Attachments
Once Email Attachment Protection has been enabled, end-users are able to access attachments as established in the VSDM. These options include:
• Allowed & Unencrypted Attachments - Attachments appear normally within the mailbox.
• Blocked Attachments - Attachments are removed and replaced with a message notifying the user that the attachments have been blocked.
• Encrypted Attachments - Attachments appear in the mailbox as an encrypted *.awsec file type that can only be decrypted and read from within the Vodafone Secure Content Locker.

13.2.4 Open Encrypted Email Attachments
To open encrypted email attachments in the Vodafone Secure Content Locker:
1. Select the Email Attachment.
2. Select Open in the Vodafone Secure Content Locker.
3. Authenticate with corporate credentials.
4. Attachment automatically decrypts and opens.
5. The file cannot be opened or transferred outside of Content Locker.
*New Feature in VSDM Release 3

13.3 Email Management Dashboard
Each time a device attempts to connect to your mobile email server through the SEG, the gateway gathers statistics about the request. This information is presented on a dashboard in the VSDM and can be used to assess the health of your mobile email deployment. Use the following steps to access the Email Management dashboard:
1. Navigate to Dashboards > Email Management.
2. Click the Location Group dropdown and select the group that connects to the SEG in your corporate environment.
3. Click All under Request Time.
Note: The basic Email Management dashboard is available as a 'View' under the main Dashboard, but it does not contain time interval view options or editing capabilities.

13.3.1 Graphs and Grid
The Email Management dashboard view displays three different graphs on the top of the screen and a grid below the graphs that display the data from the selected graph or data group.
• Device Activity - The total number of devices communicating through the gateway and the number of blocked and allowed devices.
• Devices - The total number of devices communicating through the gateway and the number of managed and unmanaged devices.
• Non-Compliant Devices - The number of noncompliant devices communicating through the gateway according to the compliance criteria as specified in the Email Compliance Policies.
• Grid - The devices that have accessed the SEG.

13.3.2 Request Time Views
The Request Time view allows the administrator to adjust the dashboard view for all time periods, or for time intervals throughout the last 24 hours. Click All or select a time interval to update the charts and grids with the time selection.

13.3.3 Email Compliance in the Dashboard
To edit email compliance policies, click Email Policies. For further information on creating email compliance policies, see Email Compliance Policies.

13.3.4 Override an Email Compliance Policy
After email compliance policies are in place for the SEG, the administrator may find the need to make Blacklist or Whitelist exceptions, or to remove a device from the list of exceptions. Use the following steps to override a compliance policy:
1. Click Policy Override List to view the current override status for all of the devices that are communicating through the gateway. This page also provides the ability to add, remove, or change an override to any of the devices listed in the grid.
2. Select a device from the grid to perform a policy override on that device by ticking the box on the left. The device selected in the screen is a Whitelisted device.
3. Click any one of the following to override the current policy:
   o Whitelist - Allows the device to override email compliance policies.
   o Blacklist - Blocks the device regardless of whether there are any policies that allow (Whitelist) the device.
   o Default - Remove the device from the override list and apply the configured email compliance policies to that device.

13.3.5 Dashboard Test Mode
Test mode allows mobile devices to communicate through the gateway even when restrictive compliance policies are currently enabled. The dashboard displays the noncompliant reason code(s) for a device to indicate all the restrictions that would apply if test mode were not enabled.
To enable test mode, tick the Test Mode checkbox in the upper right corner of the dashboard.
To disable test mode, untick the Test Mode checkbox. The compliance policies are again applied to each device that communicates through the gateway. The dashboard displays the noncompliant reason code(s) for a device to indicate all applicable restrictions that are now being applied.

13.4 Important Email Management Considerations
• Use filter views and search to view devices in the SEG dashboard grid according to compliance criteria.
   o The administrator can filter the devices displayed on the grid based upon override status. Select a filter to view only Blacklisted, Whitelisted, or All devices.
• The filter functionality provides the ability to search the grid within the displayed results.
   o Enter the full or partial search term in the Search box.

14 Telecom Management**
Vodafone's Telecom Management solution allows administrators to configure and assign telecommunication plans to devices across the mobile fleet. Using telecom management, administrators can assign the devices to a telecom plan based on preconfigured criteria (Location Group, User Group, Model, Platform, Carrier, Country, etc.)
and automatically associate plans to devices matching specific criteria such as SIM number and telephone number. This solution also allows administrators to proactively track and monitor plan usage, access the plan and device details, and track the roaming history for the device.
**New Feature in VSDM Release 2

14.1 Enabling Telecom Setting
By default, the Telecom Management module is disabled for each customer location group. To enable this module, navigate to System Settings > Telecom > General and tick Telecom Enabled.
If the above setting is disabled, attempting to view the Telecom Management Dashboard presents the Configuration Warning message below:

14.2 Creating and Managing Telecom Plans
Administrators can create telecom plans and assign them both to devices that are enrolled and to devices that are not yet enrolled. Additionally, administrators can manage, assign, and review all current telecom plans.

14.2.1 Create a Telecom Plan
Use the following steps to create a Telecom Plan:
1. Navigate to the Telecom > Telecom Management page.
2. Select Plans from the Configuration menu on the left.
3. Select Add from the Dashboard options to add a new Telecom Plan. Complete the following Plan information:
   o Plan name - Enter the name for a plan.
   o Country - Select the country of the carrier.
   o Carrier - Enter the name of the company providing the carrier plan.
   o Voice/Message/Data limit - Enter the voice, message and data limit for the plan.
   o Peak Voice Time Interval - Enter the peak voice time interval. This is typically 6:00 AM to 9:00 PM. If a peak interval is not defined, then all minutes are applied to the plan limit.
   o Usage Reset - Enter the day after which the plan usage resets.
   o Plan Effective Date - Enter the earliest date for the plan to be effective.
4. Click Save or click Save and Assign to assign to the devices.
14.2.2 Dynamic Assignment
Using Dynamic Assignment, an administrator creates a rule for a specified plan and assigns it to a device that does not have a specified plan. All the criteria in each assignment rule are evaluated in the order of their designated Rank. The Dynamic Assignment rule performs the following checks before assigning a specified plan to the device:
• Is the particular phone number already associated with a device, and has a plan already been assigned?
   o If already assigned, disregard dynamic assignment.
   o If no assignment is present, check the dynamic assignment rules for a match of the highest rank.

14.2.3 Assign a Rule to a Plan
Use the following steps to assign a Rule to a Plan:
1. Navigate to Telecom > Telecom Management.
2. Select Dynamic Assignment from the Configuration menu on the left.
3. Click Add to assign rules to the existing plans.
4. Enter the information in each criteria field as well as the plan for assigning the assignment rule to the devices.
Note: The minimum criteria by which the devices will be dynamically assigned are Carrier and Country.

14.2.4 Edit an Assignment
Select Edit Assignment for a particular plan to reconfigure assignment settings. From the Edit Assignment area, administrators can:
• Add more assets (devices).
• Remove existing assets.
• Reassign assets.
• Change the plan.
Note: Current plan indicates whether the device is already assigned to a plan.

14.3 Dashboard Usage
The Vodafone Secure Device Manager collects telecommunication information from each device and sorts it out appropriately for viewing on the Telecom Dashboard. Upon completion of plan creation and assignment, the Telecom Dashboard enables an administrator to proactively:
• Monitor telecom usage in relation to plan limits.
• Review compliance to the specified limits.
• Access plan details and device information.
• Review roaming history for the device.
The Telecom Dashboard has two views: Telecom Usage and Telecom Roaming.

14.3.1 Telecom Usage
The Telecom Usage page allows the administrators to track:
• Telecom usage by month.
• Telecom usage by day.
• Plan usage details.
• Roaming details.
To access the Telecom Usage page, navigate to the Telecom Management, details of which are provided in the following sections.
Click on a specified plan to view plan usage details in the tray view form. The Plan Usage Detail view provides an overview of all available device and user information, as seen below:

14.3.2 Telecom Roaming
The Telecom Roaming page conveniently displays the collected roaming information. This enables administrators to monitor the entire device fleet regardless of the carrier in a single confined interface.

15 Certificate Management
As digital information exchange evolves and becomes increasingly mobile, the possibilities for information sharing multiply. Administrators are faced with the challenge of providing employees with convenient access to enterprise resources while overcoming the ever-expanding security concerns introduced by mobility and information fluidity. Traditional security technologies and solutions are not sufficient to meet the stricter requirements for information security and data loss prevention. In order to meet growing demands for information accessibility and security, an enterprise needs a multi-faceted and scalable data security solution, and many enterprises have turned to digital certificates and Public Key Infrastructure (PKI) for a resolution to this security dilemma.

15.1 Benefits of Using Certificates
There are several key features that make certificates an ideal solution for enterprise security.
• Cross-Platform Scalability - Digital certificates can be leveraged to protect data across many different mobile platforms. Just as the same message can be transmitted across email or instant messaging, digital certificates can be used for security across both. The extensibility of certificate security allows organisations to avoid implementing multiple inferior single point security solutions that ultimately leave data vulnerable as it moves from point to point.
• Multifunctional - Once a user or device receives a certificate, it can be utilised across many different platforms for a variety of purposes.
   o Encryption - Certificates can be used to encrypt digital information regardless of the platform. For example, the S/MIME standard leverages certificates for email encryption, while the HTTPS protocol utilises SSL to provide web page encryption.
   o Message Signing - Enterprises in need of digital message signatures can leverage certificates in order to prove message integrity and show that the message originates from an authenticated sender and was not altered by any malicious third party.
   o Authentication - Because digital certificates contain identifying information about both the user and the device that has been certified by a trusted source, certificates provide secure authentication into a number of systems such as email, Wi-Fi, and VPNs.
• High Security - Digital certificates are much more secure than traditional passwords because they are not susceptible to common password cracking methods such as brute force or dictionary attacks.
Innovation and the drive of enterprise-level business requirements have made the VSDM the industry-leader in mobile certificate management.

15.2 Manage Certificates on the Certificate Dashboard
The VSDM is the centralised location for managing certificate authorities, their integration, and other certificate management required for managed devices. All of these activities are centralised on the Certificate Dashboard.
To view the Certificate Dashboard, navigate to the Profiles & Policies > Certificates page.
Once a certificate has been issued to a device, administrators can perform the following actions from the Certificates Dashboard:
• Manage Certificate Authorities.
• Renew Certificates.
   o To renew a certificate, click the Actions menu next to the certificate and select Renew Certificate.
• Revoke Certificates.
   o To revoke a certificate, click the Actions menu next to the certificate and select Revoke Certificate.
• Send certificate-related messages to devices.
   o To send a push notification to all devices with a selected certificate installed, tick the check box next to the certificate and click Send Message at the top of the Certificates Dashboard.
   o Select the application to which the message needs to be sent (the selected application must be installed on the device) and fill out the message body.
   o Click Send.
Additionally, the Certificates Dashboard contains links to upload APNs certificates and set up certificate integration.

15.3 Certificate Infrastructure Integration
The VSDM integrates with the certificate infrastructure in a way that allows the Enterprise to distribute certificates for authentication purposes to devices containing corporate data. There are several options for VSDM certificate infrastructure integration, but each requires detailed technical information and therefore it is very important that the Certificate Infrastructure Administrator be involved in this integration.
There are two ways in which VSDM integrates:
• Direct Certificate Authority (CA) integration:
   o The VSDM can act as a proxy for certificate distribution.
• Simple Certificate Enrolment Protocol (SCEP) integration:
   o The VSDM can act as a proxy for certificate distribution.
   o Can be authenticated from the device.
15.3.1 Direct Certificate Authority Integration
To configure VSDM integration with a Direct Certificate Authority (CA) services server, you must first configure the Certificate Authority.

Configure the Certificate Authority
Use the following steps to Configure the Certificate Authority:
1. Navigate to Configuration > System Settings > Device > General > Certificate Authorities.
2. Select Add to open up the Certificate Authority Form.
3. Complete the required fields:
   o Name - Refers to the actual name of the instance of the CA on the CA server.
   o Allow child location groups to use this certificate authority - Tick the check box to allow inheritance by child location groups.
   o Authority Type - The type of certificate authority. For Direct CA integration, choose one of the following:
      - Microsoft AD CS - Supports a Microsoft Certificate Authority on a Windows Server 2003/2008 server.
      - Generic SCEP - Supports a VSDM-installed certificate service or Generic CA (which supports the standard CA protocol). For more information on configuring a SCEP certificate authority, see SCEP Integration.
      - Verisign MPKI - Supports a VeriSign® Managed PKI for SSL Certificate Service.
      - Symantec - Supports a Symantec PKI integration.
      - OpenTrust - Supports an OpenTrust PKI integration.
      - Entrust - Supports an Entrust PKI integration.
   o Protocol - Select either ADCS or SCEP as the protocol type.
   o Server Hostname/Server URL - The server address of the CA server. The CA server needs to be in IP or domain name format (mycompany.local.com).
   o Enter in any necessary authentication credentials and complete the other remaining fields as necessary.
4. Use the Test Connection button to check that your settings are correctly configured.
5. Click Save (or Save and Add Template).

Certificate Template Configuration
Refer to the Certificate Template Configuration section to configure the CA Certificate Template.
15.3.2 Simple Certificate Enrolment Protocol (SCEP) Integration
The first step in configuring VSDM integration with a corporate SCEP services server is to configure the Certificate Authority.

Configure the Certificate Authority
Use the following steps to configure the Certificate Authority:
1. Select Add to open a new Certificate Authority Form (or select Edit from the Actions menu to edit an existing certificate).
2. Complete the required fields:
   o Name - In SCEP integration this field is used by VSDM to distinguish these settings.
   o SCEP Provider - The SCEP provider determines the rest of the configuration and what challenge options are available.
      - SCEP Provider: Basic
      - SCEP Provider: MSCEP
      - SCEP Provider: VeriSign*
      - SCEP Provider: Symantec
      - SCEP Provider: OpenTrust
      - SCEP Provider: Entrust

SCEP Provider: Basic
Use the Basic option when the provider is not Microsoft, Verisign, Symantec, OpenTrust or Entrust. Choose Generic SCEP as the Authority Type and then Basic from the SCEP Provider dropdown. Selecting the Basic SCEP Provider option requires the following fields:
• SCEP host name - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider.
• Challenge Type - Select either No Challenge or Static, depending on the requirements of the Certificate.
   o Static Challenge - Select this option when a singular key or password is required to authenticate with the certificate enrolment URL. A field displays when Static Challenge is chosen for you to enter in the password or challenge key provided by SCEP.
   o No Challenge - Select this when no challenge is required. This usually involves unsecured SCEP endpoints and it only applies in rare circumstances.
• Retry Timeout - Enter in the number of minutes for a timeout.
• Max Retries When Pending - Enter the maximum number of attempts a user may make before the system times out.
After a timeout, the user has to wait the number of minutes specified in the above field before being allowed to log in again.

SCEP Provider: MSCEP
If MSCEP is the SCEP provider, choose Generic SCEP as the Authority Type and then MSCEP from the SCEP Provider dropdown. The following options display:
• Server URL - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider. The Server should be https://scepserver.mycompany.com/certsrv/mscep/mscep.dll where 'scepserver.mycompany.com' is the web address of the SCEP server.
• Challenge Type - Select either No Challenge or Static, depending on the requirements of the Certificate.
   o Static Challenge - Select this when a singular key or password is required to authenticate with the certificate enrolment URL. When Static Challenge is chosen a field displays for you to enter the password or challenge key provided by SCEP.
   o Dynamic Challenge - This option pulls a challenge key or password from the SCEP provider.
• Username Is Required - Tick this check box for the Dynamic Challenge web address to require user authentication for access.
• Challenge Length - Enter the challenge length provided by the SCEP provider.
• Challenge URL - This field should contain the web address of the challenge URL:
   o For MSCEP 2003, the challenge URL is the same as the web enrolment URL.
   o For MSCEP 2008 the challenge URL is typically: https://scepserver.mycompany.com/certsrv/mscep_admin/ where scepserver.mycompany.com is the web address of the SCEP server (Note: The trailing / is NOT optional).
• No Challenge - Select this when no challenge is required. This usually involves unsecured SCEP endpoints and it only applies in rare circumstances.
• Username & Password - The username and password is required to authenticate with the SCEP challenge URL.
The username and password need to have the correct permissions for both the SCEP server and the certificate template being used in order to authenticate.

SCEP Provider: VeriSign*

If VeriSign is the SCEP provider, choose Generic SCEP as the Authority Type and then Verisign from the SCEP Provider dropdown. The following options display:

Server URL - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider. The server should be set to https://onsiteipsec.verisign.com/cgi-bin/pkiclient.exe.
Dns Post Fix - Enter the domain used to register the relevant mPKI account. For example, if the domain was registered with mycompany.com, enter 'mycompany.com' in this field.
Certificate - Upload a new certificate into the SCEP configuration for authentication with the VeriSign Cloud.
   o Click Upload to upload a new file.
   o Enter the certificate password.
Passcode Post URL - Enter the dynamic challenge URL. The URL should look like this: https://onsite-admin.verisign.com/OnSiteHome.htm.
Retry Timeout - Enter the time in minutes to wait between each retry.
Max Retries When Pending - Enter the maximum number of attempts to retry a request when authority is pending.

SCEP Provider: Symantec

If Symantec is the SCEP provider, choose Symantec as the Authority Type and then choose SCEP from the Certificate Retrieval Method radio buttons. The following options are displayed:

Server URL - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider.
Enter authentication credentials as appropriate. (This could be username/password combination of client authentication certificates).

SCEP Provider: OpenTrust

If OpenTrust is the SCEP provider, choose OpenTrust as the Authority Type and then choose SCEP with the Certificate Retrieval Method radio buttons.
The following options display:

Server URL - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider.
Enter authentication credentials as appropriate. (This could be a username/password combination of client authentication certificates).

SCEP Provider: Entrust

If Entrust is the SCEP provider, choose Entrust as the Authority Type and then choose SCEP with the Certificate Retrieval Method radio buttons. The following options display:

Server URL - The web address of the certificate enrolment URL. This is usually in the format of .EXE or .DLL depending on the SCEP provider.
Enter authentication credentials as appropriate. (This could be username/password combination of client authentication certificates).

3. Click Save and continue to Certificate Template Configuration.

*New Feature in VSDM Release 3

15.4 Certificate Template Configuration

After the Certificate Authority is configured, configure the Certificate Template so that the VSDM can request a certificate from the Certificate Authority.

To configure a Certificate Template for Direct Certificate Authority integration:

1. Click Request Templates from the Certificate Authorities page.
2. Click Add to open the Request Template form.
3. Enter all required fields.
   o Subject - The fully qualified distinguished name of the certificate. This field supports the lookup values used in the VSDM so that the certificate name can be unique per user/device in the VSDM (for example, CN={EnrolmentUser}). The distinguished name supports both Crypto API and Netscape formats. The only field required to create a certificate is the Common Name (CN). The distinguished name should reflect what the certificate will be authenticating against.
   o Certificate Authority - Specifies the CA that this template is assigned to in the VSDM.
   o Complete the remaining fields as determined by the CA type selected:
     Microsoft Certificate Authority
     Verisign Certificate Authority
     Symantec Certificate Authority
     OpenTrust Certificate Authority
     Entrust Certificate Authority

15.4.1 For a Microsoft Certificate Authority

Template Name - Enter a template name so this certificate template can be used in the future. The Template Name is used only within the VSDM.
Automatic Certificate Renewal - Tick this check box to have the VSDM automatically renew the certificate. You can specify the number of days or period for auto renewal.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one. The CA and Certificate Template must support this option in order for it to work.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority. The Additional Attributes field:
   o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate to specify which template to use (for example, enter CertificateTemplate:TemplateName where TemplateName is the name of the template you would like to use).
   o Also allows you to add relevant additional attributes. When you enter the additional attributes, separate them from the CertificateTemplate with a backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
Private Key Length - The private key length should match the length of the private key on the certificate template being used on the CA.
Compatibility note: Shorter lengths are more compatible with older technology and operating systems.
Private Key Type - Determines the type of private key in direct CA integration. The standard setting is 'Signing & Encryption'.
Use Existing Key - Select this check box to use an existing key.
Publish Private Key - Select this check box to publish the private key and store it in either your Active Directory Services or in a Custom Web Service.

Once you are finished, click Save.

15.4.2 For a Verisign Certificate Authority

Template Name - Enter a template name so this certificate template can be used in the future. The Template Name is used only within the VSDM.
Automatic Certificate Renewal - Tick this check box to automatically renew the certificate. You can specify the number of days or period for auto renewal.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one. The CA and Certificate Template must support this option in order for it to work.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority. The Additional Attributes field:
   o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate to specify which template to use (for example, enter CertificateTemplate:TemplateName where TemplateName is the name of the template you would like to use).
   o Also allows you to add relevant additional attributes. When you enter the additional attributes, separate them from the CertificateTemplate with a backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
Private Key Length - The private key length should match the length of the private key on the certificate template being used on the CA.
Compatibility note: Shorter lengths are more compatible with older technology and operating systems.
Private Key Type - Determines the type of private key in direct CA integration. The standard setting is 'Signing & Encryption'.
Use Existing Key - Tick this check box to use an existing key.
Publish Private Key - Tick this check box to publish the private key and store it in either your Active Directory Services or in a Custom Web Service.

Once you are finished, click Save.

15.4.3 For a Symantec Certificate Authority

Template Name - Enter a template name so this certificate template can be used in the future. The Template Name is used only within the VSDM.
Automatic Certificate Renewal - Tick this check box to have the VSDM automatically renew the certificate. You can specify the number of days for auto renewal.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one. The CA and Certificate Template must support this option in order for it to work.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority. The Additional Attributes field:
   o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate to specify which template to use (for example, enter CertificateTemplate:TemplateName where TemplateName is the name of the template you would like to use).
   o Also allows you to add relevant additional attributes. When you enter the additional attributes, separate them from the CertificateTemplate with a backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
Click Retrieve Profiles.
Select the appropriate profile from the dropdown list.
A list of mandatory attributes is made visible.
Enter appropriate lookup values for mandatory attributes. For example: mail_id: {EmailAddress}.

15.4.4 For an OpenTrust Certificate Authority

Template Name - Enter a template name so this certificate template can be used in the future. The Template Name is used only within the VSDM.
Automatic Certificate Renewal - Tick this check box to automatically renew the certificate. You can specify the number of days for auto renewal.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one. The CA and Certificate Template must support this option in order for it to work.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority. The Additional Attributes field:
   o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate to specify which template to use (for example, enter CertificateTemplate:TemplateName where TemplateName is the name of the template you would like to use).
   o Also allows you to add relevant additional attributes. When you enter the additional attributes, separate them from the CertificateTemplate with a backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
Click Retrieve Profiles.
Select the appropriate profile from the dropdown list. A list of mandatory attributes is made visible.
Enter appropriate lookup values for mandatory attributes. For example: mail_id: {EmailAddress}.

Once you are finished, click Save.

15.4.5 For an Entrust Certificate Authority

Template Name - Enter a template name so this certificate template can be used in the future.
The Template Name is used only within the VSDM.
Automatic Certificate Renewal - Tick this check box to automatically renew the certificate. You can specify the number of days for auto renewal.
Use Existing Key - Enable this option to use the existing private key rather than creating a new one. The CA and Certificate Template must support this option in order for it to work.
Additional Attributes - This field serves two purposes when configuring the Certificate Authority. The Additional Attributes field:
   o Specifies the Certificate Template on the Certificate Authority. Use CertificateTemplate to specify which template to use (for example, enter CertificateTemplate:TemplateName where TemplateName is the name of the template you would like to use).
   o Also allows you to add relevant additional attributes. When you enter the additional attributes, separate them from the CertificateTemplate with a backslash n (\n). An example of an additional attribute would be the Subject Alternative Name of the certificate. In order to specify the Subject Alternative Name, you would set the Additional Attributes field to: CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}.
Click Retrieve Profiles.
Select the appropriate Managed CA followed by the appropriate profile from the dropdown list. A list of mandatory attributes displays.
Enter appropriate lookup values for mandatory attributes. For example: mail_id: {EmailAddress}.

15.5 Utilising Certificates for VSDM

Once the certificate authority and certificate templates have been properly configured, certificates can be leveraged within VSDM for a number of purposes, as detailed in the following subsections.

15.5.1 Enterprise Wi-Fi, VPN, and EAS Authentication

Advanced Wi-Fi, VPN, and EAS configurations can now use certificates for authentication, providing stronger security from unauthorised access than simple passwords.
The VSDM can automatically distribute these authentication certificates down to devices and configure the device for Wi-Fi, VPN, or EAS access without any user interaction. An overview of the process is as follows:

Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a profile for your appropriate platform (iOS or Android for these capabilities).
   o If you are using a static SSL certificate for all devices, you may skip this step and simply upload the certificate into the VSDM for distribution.
Complete all general profile settings and then choose either Credentials or SCEP depending on the type of CA you have previously configured. From either page, specify all parameters to select the correct certificate to be used for Wi-Fi, VPN, or EAS authentication.
On the Credentials profile page perform only the following:
   o If you are using a static SSL certificate that does not depend on the user, choose Upload as the credential source and upload the certificate.
   o If you are generating a certificate from a CA for each user or device, ensure that your credential source is Defined Certificate Authority and choose the correct certificate template.
Once you have completed the Credentials or SCEP profile settings, do not Save and Publish. Select another payload in this profile for Wi-Fi, VPN, or EAS, depending on what the certificate is being used for.
Specify all settings for the chosen payload. Ensure that the authentication type utilises a certificate and that the certificate you deployed in the Credentials or SCEP profile is chosen.
   o If authentication to the CA requires a trust (typically for internal certificate authorities), also ensure that you have uploaded and selected the option to use a CA Root Trust certificate.
When complete, Save and Publish.
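
Added example (not part of the Vodafone guide and not VSDM code): a pre-flight check for the Certificate Authority and Request Template settings described in 15.3.2 and 15.4, run before the certificate is attached to a Wi-Fi, VPN, or EAS payload. The dict keys, the reading of "\n" as a literal backslash followed by n, CertificateTemplate being the first attribute, and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

LOOKUP = re.compile(r"\{(\w+)\}")  # lookup values such as {EmailAddress}


def lint_ca(ca):
    """Findings for one Certificate Authority form (hypothetical dict of its fields)."""
    findings = []
    server = urlparse(ca.get("server_url", ""))
    if server.scheme != "https":
        findings.append("server_url is not https")
    if ca.get("provider") == "MSCEP" and not server.path.endswith("/certsrv/mscep/mscep.dll"):
        findings.append("MSCEP server_url should end in /certsrv/mscep/mscep.dll")
    challenge = ca.get("challenge_type")
    if challenge == "No Challenge":
        findings.append("No Challenge selected: enrolment requests carry no challenge")
    elif challenge == "Static" and not ca.get("static_challenge"):
        findings.append("Static challenge selected but no challenge key entered")
    elif challenge == "Dynamic":
        challenge_url = ca.get("challenge_url", "")
        if urlparse(challenge_url).scheme != "https":
            findings.append("challenge_url is not https")
        # MSCEP 2008 form of the URL: the guide says the trailing / is not optional.
        if "/mscep_admin" in challenge_url and not challenge_url.endswith("/"):
            findings.append("challenge_url needs the trailing / after mscep_admin")
        if ca.get("username_required") and not (ca.get("username") and ca.get("password")):
            findings.append("Username Is Required is ticked but credentials are missing")
    return findings


def parse_additional_attributes(field):
    """Split 'CertificateTemplate:Name\\nSAN:...' into a dict, keeping field order."""
    attrs = {}
    # Assumption: the separator is typed as backslash + n; a real newline is accepted too.
    for part in re.split(r"\\n|\n", field.strip()):
        key, sep, value = part.partition(":")
        if not (sep and key.strip() and value.strip()):
            raise ValueError(f"malformed attribute: {part!r}")
        attrs[key.strip()] = value.strip()
    if next(iter(attrs)) != "CertificateTemplate":
        raise ValueError("CertificateTemplate must be the first attribute")
    return attrs


def render(template, record):
    """Substitute lookup values; raise KeyError if one is missing or empty."""
    def substitute(match):
        value = record.get(match.group(1), "")
        if not value:
            raise KeyError(match.group(1))
        return value
    return LOOKUP.sub(substitute, template)


def check_subjects(subject, records):
    """Records whose Subject cannot be rendered, or is shared with another record.

    A shared Subject is a review item: the two certificates cannot be told
    apart by name when reading authentication logs or revoking one device.
    """
    rendered, problems = {}, []
    for record in records:
        try:
            rendered[record["id"]] = render(subject, record)
        except KeyError as missing:
            problems.append((record["id"], f"empty lookup value {missing.args[0]}"))
    counts = Counter(rendered.values())
    problems += [(rid, f"duplicate subject {dn}")
                 for rid, dn in rendered.items() if counts[dn] > 1]
    return problems


# Constructed sample input: host names follow the guide's mycompany.com placeholder.
CA = {"provider": "MSCEP",
      "server_url": "https://scepserver.mycompany.com/certsrv/mscep/mscep.dll",
      "challenge_type": "Dynamic",
      "challenge_url": "https://scepserver.mycompany.com/certsrv/mscep_admin",
      "username_required": True, "username": "svc-scep", "password": "<placeholder>"}
RECORDS = [
    {"id": "dev-1", "EnrolmentUser": "asmith", "EmailAddress": "asmith@mycompany.com"},
    {"id": "dev-2", "EnrolmentUser": "asmith", "EmailAddress": ""},
    {"id": "dev-3", "EnrolmentUser": "bjones", "EmailAddress": "bjones@mycompany.com"},
]

if __name__ == "__main__":
    print(lint_ca(CA))
    attrs = parse_additional_attributes(
        r"CertificateTemplate:TemplateName\nSAN:Email Address={EmailAddress}")
    print(attrs)
    print(check_subjects("CN={EnrolmentUser}", RECORDS))
    print(check_subjects("CN={EmailAddress}", RECORDS))
```
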
15.5.2 S/MIME Email Signing and Encryption

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing which has become the standard for email signing and encryption. The VSDM can automatically distribute certificates and configure email or Exchange ActiveSync to utilise S/MIME signing and encryption without user interaction. An overview of the process is as follows:

Ensure that the Certificate Authority and Certificate Templates are properly configured, then create a profile for your appropriate platform (iOS or Android for these capabilities).
   o If you are using a static SSL certificate that is used for all devices, you may skip this step and simply upload the certificate into the VSDM for distribution.
Complete all general profile settings and then choose either Credentials or SCEP depending on the type of CA you have previously configured. From either page, specify all parameters to select the correct certificate to be used for Wi-Fi, VPN, or EAS authentication.
From the Credentials profile page perform only the following:
   o If you are using a static SSL certificate that does not depend on the user, choose Upload as the credential source and upload the certificate.
   o If you are generating a certificate from a CA for each user or device, ensure that your credential source is Defined Certificate Authority and choose the proper certificate template.
Once you have completed the Credentials or SCEP profile settings, do not Save and Publish. Select another payload in this profile for Email or EAS, depending on your type of email infrastructure.
Specify all settings for the chosen payload and ensure that Use S/MIME is ticked.
Also ensure that the certificate that was selected in the Credentials or SCEP payload is being used for either signing or encryption as shown.
When complete, choose Save and Publish.

For additional information or assistance configuring certificates with Vodafone, contact Vodafone Support.*

*New Feature in VSDM Release 3

16 Security and Compliance

The VSDM uses a customisable compliance engine to allow for robust compliance policy creation and enforcement. The compliance capabilities allow administrators to protect proprietary corporate data from unwanted exposure and to set rules for handling non-compliant activity on managed devices.

These compliance policies are centrally managed from the Compliance page in the VSDM. To navigate to the Compliance page, select Profiles & Policies > Compliance. From here, the administrator can create several different types of compliance policies and establish enforcement criteria:

Device Policies - Device policies allow the administrator to create customised compliance policies based on device criteria such as operating system, compromised status, and application lists. All enforcement actions are customised in Device Policies.
Email Compliance Policies - Email compliance policies include general rules for accessing corporate Email in addition to enhanced Email access policies that are only applicable to managed devices. For information on Email policies, please refer to Email Compliance Policies.
Note: Email compliance policies are applicable when the SEG is installed on the device.
Application Groups - Application policies are created based on custom groups of blacklisted, whitelisted, and required applications. In order to configure application compliance enforcement, first build lists of applications using Application Groups, then create compliance policies and actions using Device Policies.
16.1 Passcode and Restrictions Profiles Overview

In addition to the compliance engine, passcode and device restrictions provide further protection to managed devices:

Passcode compliance policies include the ability to enforce passcodes, set passcode complexity, and manage auto-lock and passcode history settings.
Restrictions profiles allow the administrator to prohibit and control the use of device-specific functionality such as app installation, the device camera, and other similar functionality.

To set Passcode and Restrictions profiles on individual devices, please refer to Creating Profiles.

16.2 Building Device Compliance Policies

Device compliance policies allow administrators to identify device-specific compliance policies and instruct the VSDM to perform administrative actions on those devices when specific criteria are met. This might include rules for a non-compliant operating system, a compromised device, or a SIM card in a device having changed. Using the compliance actions and escalations available, administrators can construct customised, robust device policies to enforce corporate security policies.

Use the following steps to create a device compliance policy:

1. Navigate to Profiles & Policies > Compliance.
2. Click Add to create a new policy or click Edit under the Actions menu of an existing policy to edit.

The tabs at the top of the page represent the steps and criteria for creating a compliance policy. The default view is the Rules tab.

16.2.1 Define Rules

1. Define the Rules.
2. Use the dropdown menu at the top of the page to choose whether to match All or Any of the compliance rules (default option is All).
3. Choose the compliance area from the dropdown menu.
   The categories include:
   o Application List (to determine if apps are blacklisted, whitelisted, or required, you need to first configure Application Groups)
   o Compromised Status
   o Encryption
   o Interactive Profile Expiry
   o Last Compromised Scan
   o Model
   o OS Version
   o Passcode
   o Roaming
   o SIM Card Change
4. Choose the appropriate rule statement from the middle dropdown menu (e.g., Contains blacklisted App, Is Compromised, Is Roaming, etc.)
   o Available selections in the middle dropdown are customised to the different compliance areas; therefore, the dropdown menu options differ depending on the selected rule compliance area.
5. If a third piece of information is necessary for the given rule (such as the specific operating system, etc.), select this information from the dropdown menu.

   Rule                  Statement
   Compromised Status    Is Compromised
   Application List      Contains blacklisted App

6. To add a related rule, click Add Rule.
7. Click the Match dropdown and select either match All or Any of the rules you created.
8. Proceed to the Actions tab by clicking Next at the bottom of the page.

16.2.2 Actions

The VSDM enables the administrator to designate custom actions to perform on the device when it is detected as non-compliant, and escalation actions if the device continues to be non-compliant.

On the Actions tab, select the action from the first dropdown menu (Application Compliance, Command, Notify, or Profile). This would be the first action performed on a non-compliant device.
Select the specific action to immediately perform (such as 'Send push notification').
   o If you select an action that involves removing any profiles or applications, those resources are automatically re-installed when the device becomes compliant (no end-user interaction is required).
   o Removal of applications only applies to supported devices.
Complete required information (such as the message template or profile type) from the final dropdown menu.
   o For notifications: Select an existing template, or create a new template in Configuration > System Settings > System > General > Message Templates.
Click Next to proceed to the Assignment tab, or Add Escalation to create an escalation policy that defines the next action to take if the user does not comply after the first.
   o Customise the time frame and action for each escalation, and add any additional escalations.
Click Next when finished.

16.2.3 Assignment

The Assignment tab is used to select the devices/users to which the policy is applied.

Select the device and user criteria for the compliance policy.
Click Next.

Review the Summary

From the Summary tab, the administrator can summarise the compliance policy for reference in the VSDM (General) and display the number of devices that the policy would affect (Device Summary).

Go to the Summary tab and enter a name and description for the compliance policy.
The Device Summary displays the status of devices in the selected location or user group.
The compliance policy is complete.
   o To apply the policy, click Finish and Activate.
   o To just save the policy, select Finish.

Note: For Application Compliance Policies - Some application compliance policies require the administrator to define application groups to identify applications that are blacklisted, whitelisted, and required.

16.3 Application Groups and Policies

Application compliance policies enable administrators to enforce corporate compliance by restricting access to unauthorised applications and ensuring that required applications are present on corporate devices.
The administrator can designate blacklisted, whitelisted, and required application lists and perform administrative actions if the VSDM detects a non-compliant application list.

There are several components in the VSDM that enable administrators to build and enforce application compliance policies:

Application Groups - Created to specify blacklisted, whitelisted, and required applications.
Device Compliance Policies - Built to designate actions for non-compliant applications. Refer to the Device compliance policies section.
Application Restriction profiles - Deployed (to supported Android devices) to enforce application restrictions and requirements.

16.3.1 Define Application Groups

Application policies are created and managed according to groups (lists) of applications.

Use the following steps to create or edit a list of blacklisted, whitelisted, or required applications:

1. Go to the Compliance page and select Application Groups from the left sidebar of the page.
2. Select Add Group to create a new application group or, to edit an existing application group, select Actions at the end of the row and choose Edit.
3. Select or complete the application information fields on the List and Assignment tabs:
   o Type - The type of application compliance policy:
     Blacklist - Applications not allowed on the device.
     Whitelist - Only these applications are allowed to be on the device.
     Required - These applications must be installed on the device.
   o Platform - The device platform to which the application compliance policy applies. Currently, the only platform options available are iOS and Android.
   o Name - The name of the policy for reference in the VSDM (for example, 'Apple Blacklisted Games').
   o Application Name - The name of the application for which you are creating a compliance rule.
   o Enter the Application ID and optionally enter the application Version.
     Specifying the application ID allows VSDM to more accurately detect devices that have the blacklisted application installed. It identifies applications by the exact bundle ID rather than simply searching for the application name as entered in the Application Name field. To specify any version of the app, enter an asterisk (*) in the Version field to act as a wildcard.
4. Click Add Application to add applications to the list.
5. Click Next to proceed to the Assignment tab.
6. Select the device and user criteria for the application list (for example, you may wish to apply stricter application policies to corporate owned devices).
   o Device Ownership - Specifying a device ownership type (Corporate-Dedicated, Corporate-Shared, or Employee Owned) limits deployment to only the devices that belong to the specified device ownership group. Distinguishing between corporate and employee owned devices allows for maximum privacy and protection.
   o Model - Optionally designate specific device models to which the application group policy is to be deployed.
   o Operating System - Optionally, designate specific operating systems to which the application group policy is to be deployed.
   o Managed By - Select the location group level that manages this Application Group.
   o Location Groups - Enter the Location groups to which this application group is assigned.
   o User Groups - Optionally select user groups (if you are leveraging user groups in the VSDM) as an additional assignment filter for the application group.
7. Click Finish.

You may create additional application groups if needed, then apply the application policies to devices and users. Refer to the Building Device Compliance Policies and deploying Android Application Restriction Profiles section.
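
Added example (a model written for this page, not VSDM's engine): how the three application group types from 16.3.1 and the All/Any rule matching from 16.2.1 evaluate against a device's installed applications, and why matching on the exact Application ID with a version wildcard behaves differently from matching on the display name. The class names, the com.example.* identifiers and the device inventories are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: str    # bundle ID / package name reported by the device
    name: str      # display name
    version: str


@dataclass(frozen=True)
class Entry:
    app_id: str
    name: str
    version: str = "*"   # "*" matches any version, as in the Version field


@dataclass
class Device:
    label: str
    compromised: bool
    apps: list


def by_id(entry, app):
    """Exact Application ID match, with the version wildcard."""
    return entry.app_id == app.app_id and entry.version in ("*", app.version)


def by_name(entry, app):
    """Name search only, shown for contrast with by_id."""
    return entry.name.lower() in app.name.lower()


def violations(kind, entries, installed, match=by_id):
    """IDs that break the group; an empty list means the device complies."""
    if kind == "Blacklist":    # listed apps must not be present
        return [a.app_id for a in installed if any(match(e, a) for e in entries)]
    if kind == "Whitelist":    # only listed apps may be present
        return [a.app_id for a in installed if not any(match(e, a) for e in entries)]
    if kind == "Required":     # every listed app must be present
        return [e.app_id for e in entries if not any(match(e, a) for a in installed)]
    raise ValueError(f"unknown group type: {kind}")


def is_compromised(device):
    """Rule: Compromised Status / Is Compromised."""
    return device.compromised


def contains_blacklisted(entries):
    """Rule: Application List / Contains blacklisted App."""
    return lambda device: bool(violations("Blacklist", entries, device.apps))


def policy_matches(mode, rules, device):
    """Combine rule results with the policy's Match setting (All or Any)."""
    hits = [rule(device) for rule in rules]
    if mode == "All":
        return all(hits)
    if mode == "Any":
        return any(hits)
    raise ValueError(f"unknown match mode: {mode}")


# Constructed inventories.
BLACKLIST = [Entry("com.example.filesync", "FileSync")]
# Blacklisted bundle installed under a different display name.
DEVICE_A = Device("A", False, [App("com.example.filesync", "Cloud Notes", "2.1")])
# Unrelated app whose display name happens to contain the blacklisted name.
DEVICE_B = Device("B", False, [App("com.example.photos", "FileSync Photo Viewer", "1.0")])
# No listed apps, but flagged as compromised.
DEVICE_C = Device("C", True, [])
RULES = [is_compromised, contains_blacklisted(BLACKLIST)]

if __name__ == "__main__":
    for device in (DEVICE_A, DEVICE_B, DEVICE_C):
        print(device.label,
              "id:", violations("Blacklist", BLACKLIST, device.apps),
              "name:", violations("Blacklist", BLACKLIST, device.apps, match=by_name),
              "All:", policy_matches("All", RULES, device),
              "Any:", policy_matches("Any", RULES, device))
```

With Match set to All, neither device A (blacklisted app only) nor device C (compromised only) triggers the policy; with Any, both do.
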
16.3.2 Android Application Restriction Profiles

There are certain application restrictions for supported Android devices that are enforced through an application restriction profile. Device compliance policies can be used in addition to these restrictions, but the profile controls the specific actions defined by these restrictions.

The settings enabled or disabled through the application control profile are:

Prevent installing (or automatically remove) blacklisted apps on SAFE devices and LGv1.0+ devices.**
Prevent un-installing required apps on SAFE devices and LGv1.0+ devices.**
Only allow installation of whitelisted apps on SAFE v2+ devices.**

Use the following steps to enforce these restrictions:

1. Define the application blacklist or required list by creating Application Groups.
2. Create the application control profile by navigating to Profiles > Add Profile > Android > Application Control.
3. Ensure the appropriate checkboxes are ticked and Save or Save and Publish the profile.

**New Feature in VSDM Release 3

16.4 Secure Channel Certificate

The secure channel certificate allows encrypted communication between the VSDM and a device. Enabling this option allows all information such as device details, device status, and support information to be communicated in a secure way. This provides an extra layer of security for corporate data.

Use the following steps to enable this option:

1. Navigate to Configurations > System Settings > System > Advanced.
   The secure channel certificate is by default part of the VSDM installation. This certificate is inherited from the Global location group and cannot be edited at any of the child location group levels.
2. Tick the 'Block Non-Secure Channel Device Access' checkbox on the VSDM to activate.

Platforms supported

iOS.
Android.
Symbian.
Blackberry.

16.5 Privacy Policy

Administrators can set complex privacy policies within the VSDM. These policies apply to specific device ownership types within Location Groups (ownership types are: 'Corporate - Dedicated', 'Corporate - Shared', 'Employee Owned', and 'Unassigned').

Use the following steps to access and amend privacy policies:

1. Navigate to Configuration > System Settings > Device > General > Privacy.
   For each privacy policy, administrators have three options for handling device information. The policies are defined by a filled circle, half-circle, or an empty circle at the top of the screen.
   o Collect and Display - The information is collected so that administrators can view the data in the VSDM.
   o Collect - The information is collected but administrators cannot view the data.
   o Do Not Collect - The information is not collected.
2. Adjust the privacy policy information settings by moving the mouse over the circle that matches up with the privacy policy and device ownership type. A small popup menu displays the privacy setting options:
   o Click the appropriate icon to change the setting.
3. Click Save to finish the process and immediately apply the settings.

16.5.1 Commands Privacy

The Commands section at the bottom of the page allows the administrator to restrict certain commands based on device ownership type. A full circle indicates that a command is allowed, while an empty circle indicates that the command is disabled. Currently, the only command that can be allowed or disallowed is Full Wipe.

1. Click the appropriate circle to choose the desired permissions.
2. Click Save to immediately apply the settings.

Note: The Privacy Settings explained above affect whether or not device and user information is displayed both on the VSDM and on the Self-Service Portal.
Please be aware of the privacy settings in place when navigating through user and device information (especially the pages explained in the following sections: Device Information, Device Details, Remote Actions, and Device Details Management). Many of the Self-Service Portal and Device Wipe settings are determined by both Privacy settings and Role settings (Users > Admin Accounts). If multiple settings are in place, the strictest policy is enforced.

16.6 Important Security and Compliance Considerations
To provide maximum security and data protection for both end-users and the managing enterprise, privacy settings work in conjunction with Role Configuration. In order to ensure that the configured privacy settings are correctly implemented, it is recommended that you make a note of the following role settings:
   o User Role Settings (Users > User Accounts > Roles) control the display of user and device data in the Self-Service Portal (SSP).
   o Administrator Role Settings (Users > Admin Accounts > Roles) control the display of user and device data in the VSDM as well as the ability to perform a full device wipe.
Be consistent when deploying multiple compliance or passcode policies. If multiple policies are in place, the most restrictive policy is enforced.
Use the Device Compliance Dashboard (Dashboards > Dashboard, then select Device Compliance from the Available Views) for a top-level view of:
   o Device compliance (general).
   o Device password compliance.
   o Device encryption compliance.
To more efficiently manage bulk Email accounts, use lookup values whenever possible.
For maximum Email security, use Email profiles in conjunction with the Vodafone Secure Email Gateway.

17 Reports and Alerts

17.1 Reports
The VSDM has extensive reporting capabilities that provide administrators with actionable, result-driven statistics about their device fleets.
Administrators can use these pre-defined reports or create custom reports based on specific devices, user groups, date ranges, or file preferences. In addition, an administrator can schedule any of these reports for automated distribution to a group of users and recipients on either a defined schedule or a recurring basis. These features are all centralised within the VSDM.
To access the Reports page, navigate to Reports & Alerts > Reports. From here, there are several key pieces of functionality that administrators can use to leverage the VSDM's reporting capabilities:

17.1.1 Generate Custom Reports
Administrators can create custom reports on the fly through the VSDM. Use the following steps to generate a custom report:
   o Navigate to the Reports page at Reports & Alerts > Reports.
   o Select a pre-defined report template from the list, then click the Actions menu on the right and select View.
   o Specify all of the report parameters. Required fields are denoted with a red asterisk*.
   o Select View Report.

17.1.2 Add a Report to My Reports
Adding a report to My Reports allows administrators to essentially “bookmark” popular reports that they find particularly useful. Use the following steps to add a report to My Reports:
   o Navigate to the Reports page at Reports & Alerts > Reports.
   o Select a pre-defined report template from the list, click the Actions menu on the right and select Add to My Reports.
   o Go to My Reports View on the left side of the Reports page to check that the report is now accessible.

17.1.3 Create Report Subscriptions
Report subscriptions can be used to send custom generated reports to specific recipients at a scheduled occurrence. Use the following steps to subscribe to a report:
   o Navigate to the Reports page at Reports & Alerts > Reports.
   o Select a pre-defined report template from the list, click the Actions menu on the right and select Subscribe.
   o Complete the Report Subscriptions form with all required information.
      o General Information - The name of the subscription, the email subject, etc.
      o Report Parameters - The parameters defining the scope and options of the report.
      o Distribution List - The recipients who receive the custom report whenever the subscription is executed.
      o Execution Schedule - The time and schedule at which the custom report is generated.
   o Click Save.

17.1.4 Additional Reporting Tools
There are also several other additional tools that help administrators utilise the VSDM's reporting capabilities:
   o Search Assistance Tools - The Report Category dropdown and Search box at the top of the reports page make finding particular reports very simple.
   o Report Samples Tool - To view a sample output from a particular report, click the Actions menu on the right and then select Sample.
   o Report Export Tool - To export a report in one of several formats, use the Export Bar on a custom generated report.

17.2 Alerts
Alerts provide administrators with the ability to receive immediate notifications when specific events occur across the managed smart device fleet. They are comprised of two components:
   o A Creation Policy that describes the criteria that must be met to trigger the alert.
   o A Routing Policy that describes what devices are being monitored, when the alert should be sent and who receives it.

17.2.1 Creation Policies
Use the following steps to add a new creation policy:
1. Navigate to Configuration > Alert Setup > Creation Policy. A list of all available creation policies can be seen.
2. Click Add Creation Policy to open the Add Creation Policy form (or select Edit to the left of an existing policy to edit the details).
3. Enter all the required information.
   o Description - The name of the creation policy that is displayed in the VSDM.
   o Resource - The type of resource that is going to be monitored.
     Select Device to monitor the smart device fleet.
   o Attribute - The parameter that is used to determine when an alert should be triggered.
   o Comparison Operator - The comparison operator to test whether the attribute triggers an alert.
   o Value - The value that triggers the alert when (Attribute) <Comparison Operator> (Value) = True.
   o Duration - The duration that the alert lasts before stopping.
4. Click Save to complete the process.

17.2.2 Routing Policies
Use the following steps to create a routing policy:
1. Navigate to Configuration > Alert Setup > Routing Policy.
2. Click Add Routing Policy to open the Add Routing Policy form.
3. Complete the information in the Criteria tab.
   o Creation Policy - The creation policy that triggers the alert.
   o Location Group - The location group that contains the devices that are being monitored for the creation policy criteria.
   o Location - The location that contains the devices that are being monitored for the creation policy criteria. The default is Any.
   o Device - Any specific devices that are being monitored for this creation policy. The default is Any.
   o Sample Time and Sample Days - The date and time at which this policy is tested on the selected devices.
   o Severity & Priority - Metrics to organise alerts in terms of priority and severity for administrative purposes.
   o Consolidation Window - The consolidation window defines a time period for trigger consolidation. A single alert is sent in the time period defined, regardless of how many triggers are generated by a specific creation and routing policy.
4. Select the Preferences tab to configure the recipients of the alerts:
   o User Alerting - Select an administrative user or users to receive the alert.
   o Role Alerting - Select a location group and subsequent role to receive this alert. To add additional roles, click Add Role.
5. Click Save to complete this process.

17.2.3 View Alerts
Once alerts have been created, they can be viewed in several ways:
1. To view alerts received by a user or role, navigate to Reports & Analytics > Alerts and select My Alerts.
2. To view alerts that were triggered by a particular device, go to the Device Details page or click Alerts under System Activity.

17.3 Important Report and Alert considerations
To enable the highest level of control and security over distribution of report information across the enterprise, edit role-based access to reports by navigating to Users > User Accounts > Add Role. Report Access can be enabled or disabled by ticking the checkboxes under Resource Categories.

17.4 Syslog
Syslog is a client/server protocol used to integrate the event log data from the VSDM on a separate server in a reliable and secure way. Syslog is used in the VSDM for logging and storing event records that have occurred in the VSDM and on managed devices. The Syslog protocol transmits the messages on event notification and alerts across the network using the UDP or TCP protocol. Messages are sent by the operating system (BSD Unix) to the VSDM at the start or end of a process.
The two major reasons for having a centralised Syslog server are:
   o For Security - When an administrator wants to keep some of the event logs safely off-site in a secure location, the Syslog server is used for this purpose.
   o For Convenience - In the event of a crashed server, the administrator can check the kernel error logs on the centralised Syslog server. The Syslog pattern for various dates over an extended time can also be checked and the log files from the Syslog server can be matched, searched, and replaced at any time.
Note: This feature is for on-premise customers only.

17.5 Integrate Syslog
Use the following steps to configure Syslog integration:
1. Navigate to Configuration > System Settings > Admin > Syslog.
2. Complete the following information:
   o Server URL - Enter the Syslog server URL to store event logs.
   o Protocol - Enter the protocol type for the VSDM and the Syslog server to use to communicate, either UDP or TCP.
   o Port - Enter the destination port number that the VSDM server uses to send Syslog data to the Syslog server. When sending messages using:
        UDP, the destination port is usually 514. This is the default port setting.
        TCP, the destination port is usually 1468.
   o Syslog Facility - The Syslog facility lists the type of messages that are to be sent to the server. Select a Syslog facility from the drop down list.
   o Event Types Logged
        Tick the Console checkbox to send console events.
        Tick the Device checkbox to send device events.
   o Message Tag - Enter a message tag to help the Syslog server to identify where the message came from.
   o Message Content - Enter the information that should be included in the message. Include lookup value helper control with: {EventType}, {Event}, {User}, {EventSource}, {EventModule}, {EventCategory}, {EventData}
   o Click Save or click Test Connection to test the connection setup.

17.5.1 Schedule Logging Frequency
Once the integration is complete, the administrator needs to schedule the time frequency limits. This defines how often the console server has to send Syslog data to the Syslog server.
Use the following steps to define the time frequency limit by using the Scheduler:
1. Navigate to Configuration > System Settings > Device > General > Scheduler. The Scheduler has a built-in task called Syslog Task, where the time frequency is set.
2. Click Edit, the Syslog Task page displays. Administrator has permission to edit this Syslog Task only at the Global level.
3. Complete the following information:
   o Recurrence Type - Select a recurrence type and the corresponding frequency to send Syslog data to the Syslog server. The different recurrence types available are:
        Daily.
        Weekly.
        Monthly.
        Time-Based.
   o Range - Enter the start and end date and timings.
4. Click Save to save the schedule details.

18 Enterprise Integration
The VSDM has extensive capabilities to help corporations easily integrate their VSDM solution with existing enterprise systems. The integration allows users to authenticate using enterprise directory service credentials and provides even deeper integration with enterprise systems by allowing the administrator to leverage AD/LDAP user groups in the VSDM. Furthermore, the use of device management APIs, which can be integrated into third party or internal applications, provides a high level of both management and security.

18.1 Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) Integration
Vodafone integrates with the existing idea of LDAP User Groups to make user enrolment and management both flexible and intuitive. Lightweight Directory Access Protocol (LDAP) server assigns User Groups based on pre-existing grouping systems (as defined by corporate Email, Usernames, or other distinguishing variables). New User Group management capabilities include:
   o LDAP Synchronisation - Vodafone adopts the existing organisational identifiers and regularly syncs with the native database to automatically detect and apply any changes.
   o Increased user group management capabilities, such as adding profiles and compliance policies to entire Location Groups and performing device syncs across the Location Groups.
   o More application management flexibility: Add or remove applications for an entire Location Group.
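For the Syslog integration in section 17.5, the following added example (not part of the guide or the VSDM product) shows how a collector can parse messages whose Message Content was built from the lookup values listed there, and reject lines that do not carry the configured Message Tag. The template, the tag "VSDM", the RFC 3164 framing, and the sample lines with their event names are assumptions constructed for illustration.

```python
import re

# Lookup values the guide lists for the Message Content field.
LOOKUPS = ("EventType", "Event", "User", "EventSource",
           "EventModule", "EventCategory", "EventData")

# Assumption: the Message Content template and Message Tag an administrator entered.
TEMPLATE = ("type={EventType} event={Event} user={User} source={EventSource} "
            "module={EventModule} category={EventCategory} data={EventData}")
EXPECTED_TAG = "VSDM"

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Assumption: BSD syslog (RFC 3164) framing, "<PRI>Mmm dd hh:mm:ss host tag: message".
FRAME = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")


def template_to_regex(template):
    """Compile a Message Content template into a regex with one group per lookup value."""
    pieces = re.split(r"\{(\w+)\}", template)
    pattern, seen = [], set()
    for index, piece in enumerate(pieces):
        if index % 2 == 0:                 # literal text between placeholders
            pattern.append(re.escape(piece))
            continue
        if piece not in LOOKUPS or piece in seen:
            raise ValueError(f"unknown or repeated lookup value: {piece}")
        seen.add(piece)
        # Lazy match: a value ends at the first occurrence of the next literal,
        # so pick separators that cannot appear inside user-controlled values.
        pattern.append(f"(?P<{piece}>.*?)")
    return re.compile("^" + "".join(pattern) + "$")


CONTENT = template_to_regex(TEMPLATE)


def parse_line(line):
    """Return a dict for a well-formed message, or None if the line is rejected."""
    frame = FRAME.match(line.rstrip("\r\n"))
    if frame is None or frame["tag"] != EXPECTED_TAG:
        return None
    pri = int(frame["pri"])
    if pri > 191:                          # highest valid PRI: facility 23, severity 7
        return None
    content = CONTENT.match(frame["msg"])
    if content is None:
        return None
    record = {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
              "host": frame["host"], "timestamp": frame["ts"]}
    record.update(content.groupdict())
    return record


# Constructed sample lines; event names and values are invented for the example.
SAMPLE_LINES = [
    "<134>Mar  5 10:15:02 vsdm01 VSDM: type=Console event=LoginSuccess user=admin1 "
    "source=Console module=Administration category=Login data=ip=10.0.0.5",
    "<132>Mar  5 10:16:40 vsdm01 VSDM: type=Device event=DeviceWipeRequested user=admin2 "
    "source=Device module=Devices category=Command data=device=constructed-001",
    "<134>Mar  5 10:17:00 host9 OTHER: free-form message from another sender",
]


def ingest(lines):
    """Parse every line; return (accepted records, number of rejected lines)."""
    records, rejected = [], 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected += 1
        else:
            records.append(record)
    return records, rejected


if __name__ == "__main__":
    accepted, dropped = ingest(SAMPLE_LINES)
    for item in accepted:
        print(item["severity"], item["User"], item["Event"], item["EventData"])
    print("rejected lines:", dropped)
```

Over UDP the sender of a line is not authenticated, so the tag check only filters misrouted traffic; it does not prove the line came from the VSDM.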

18.1.1 System Authentication
Integration of the VSDM server with a corporate directory services server provides directory based account access and enables the administrator to leverage LDAP/AD groups in the VSDM. When creating user accounts, settings can be identical or different (explained in the next section).
Use the following steps to configure LDAP or AD integration:
1. Navigate to Configuration > System Settings > System > Directory Services. The Directory Services page displays the fields in the Server tab.
2. Complete the server information in the fields as follows:
   o Directory Type - Select the directory type for LDAP. The options include Active Directory, LDAP, Novell e-Directory, and Lotus Domino.
   o Server - Enter the address of the directory services server.
   o Encryption Type - Select the type of encryption used for directory services communication. The default is None.
   o Port - Enter the TCP port used to communicate with the directory services server. The default for unencrypted DS communication is 389. Only SaaS environments allow SSL encrypted traffic using port 636 (Vodafone SaaS IP range: 205.139.50.0/23).
   o Verify SSL Certificate - Tick this check box to receive SSL errors when the encryption type is None.
   o Protocol Version - Select the version of the LDAP protocol in use. Active Directory uses LDAP versions 2 or 3.
   o Use Service Account Credentials - Tick this to enable EIS user credentials.*
   o Bind Authentication Type - Select the type of bind authentication that is used in order for the VSDM server to communicate with the directory services server.
   o Bind Username & Bind Password - Enter the credentials to authenticate with the directory server. This account allows read access permission on your directory server and binds the connection when authenticating the users.
   o Default Domain - Enter the default domain for any directory based user accounts. If only one domain is used for all directory user accounts, fill in the field with the domain so that users are authenticated without explicitly stating their domain.
   o Search Subdomains - Select the checkbox to enable subdomain search for the user.
   o Use SAML for Authentication - Tick the checkbox to enable SAML as the mode for authentication. The list below displays:
        SAML 2.0.
        Request.
        Response.
        Certificate.
SAML 2.0
   o Import Identity Provider Settings - This feature allows the administrator to import SAML metadata obtained from the identity provider. This should be in XML format.
   o Service Provider (Vodafone) ID - This value specifies a URI with which Vodafone identifies itself to the identity provider. This value must match the ID that has been configured as trusted by the identity provider.
   o Identity Provider ID - This value specifies a URI that the identity provider uses to identify itself. Vodafone checks authentication responses to verify that the identity matches the ID provided in this field.
Request
   o Request Binding Type - The binding types of the request. The options include Redirect, POST, and Artifact.
   o Identity Provider Single Sign On Url - This value specifies the identity provider URL that Vodafone uses to send requests.
   o NameID Format - This value specifies the format in which the identity provider should send a NameID for an authenticated user. This value is not required as Vodafone obtains the username from the FriendlyName 'UID' required attribute.
   o Authentication Request Security - This value specifies whether or not Vodafone should sign authentication request messages.
Response
   o Response Binding Type - This value determines the binding type of the response.
   o Sp Assertion Url - This value specifies the Vodafone URL which should be configured by the identity provider to direct its authentication responses. “Assertions” regarding the authenticated user are included in success responses from the identity provider.
   o Authentication Response Security - This value specifies whether or not the response is signed.
Certificate
   o Upload the Identity Provider Certificate
   o Click Save and proceed to the User tab.
Complete the User information in the fields as follows:
Base DN - Specify the directory folders/locations for users. For example, the format for global.mycompany.com might be: 'DC=global, DC=mycompany, DC=com'.
   o Search Subdomains - Enable subdomain searching to find nested user groups or disable this feature for faster searches.
Click Show Advanced.
   o User Object Class - Enter an appropriate Object Class.
   o User Search Filter - Enter the search parameter used to associate user accounts with active directory accounts. The recommended format is <LDAPUserIdentifier>={EnrolmentUser} where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user. For AD servers, use samAccountName={EnrolmentUser}. For LDAP servers, use CN={EnrolmentUser} or UID={EnrolmentUser}.
   o User Object Class - Enter in the appropriate Object Class; in most cases this value should be 'user'.
Sync
The sync settings apply only if you are leveraging user groups in the VSDM.
Auto Merge - Tick this checkbox to allow user group updates from AD/LDAP to auto-merge with the associated users and groups in the VSDM.
Automatically Set Disabled Users to Inactive - Tick this checkbox to deactivate the associated user in the VSDM when a user is disabled in AD/LDAP.
Value for Disabled Status - Use this field to specify the bit value that defines a disabled user in your LDAP system (the standard value is 2) and select from the dropdown menu whether the value needs to match the individual user-disable flag or the entire status value:
   o Flag Bit Match - Choose this value to only determine disabled status by checking the individual accountdisable flag within the userAccountControl attribute.
   o Value Exact Match - Choose this value if the disabled status is defined by exactly matching an entire value (the userAccountControl attribute).
Attribute
The Attribute columns show the mapping between the VSDM user attributes and your directory attributes. To edit the values, click the pencil icon next to the Mapping Value and make the necessary changes.
Click Save and proceed to the Group tab.
Complete the Group information in the fields as follows:
Group Base DN - If your users and groups are stored in the same place, this field is the same as the user Base DN field. If they are not stored in the same location, replace the user location with the group location.
Group Object Class - Enter in the appropriate Object Class; in most cases this value should be 'group'.
Group Search Filter - Enter the search parameter used to associate user groups with AD accounts.
Maximum Allowable Changes - Enter the default value for the maximum number of user changes allowed to be automatically merged from LDAP/AD.
Note: Administrators with appropriate editing permissions can manually specify the value for the maximum number of allowable changes when new user groups are added or by editing the user group settings for an existing user group.
Auto Sync and Auto Merge Default - Tick these checkboxes to specify the default settings for automatically syncing user group information with the VSDM and the default setting for automatically saving detected changes in AD/LDAP in the VSDM.
Note: Administrators with appropriate editing permissions can manually specify Auto Sync and Auto Merge settings when new user groups are added or by editing the user group settings for an existing user group.
*New Feature in VSDM Release 3

18.2 User Account & Device Authentication
User accounts help define the association between devices and device end-users. The VSDM allows several methods of user account creation, from a simple username/password combination, to corporate LDAP integration through the cloud and SAML integration. For more information please see the user account types section.
For any user account other than basic authentication, the VSDM must first be configured to properly integrate with the corresponding infrastructure before user accounts can leverage the respective authentication type. These settings can all be found by navigating to System Settings > Device > General > Enrolment page under the Authentication tab.
The following sections describe how these user account authentication types can be configured to enable the use of each security mechanism for enrolment and authentication in the VSDM.
1. Complete the General Enrolment information and settings.
2. Go to the Authentication view.
3. Select the appropriate Authentication Mode (you may select more than one authentication type).
4. Complete the information for the associated authentication mode.
   o Active Directory/LDAP Enrolment Configuration.
   o Authentication Proxy Enrolment Configuration.
   o SAML 2.0 Enrolment Configuration.
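For the Value for Disabled Status setting in section 18.1.1, this added example (not the VSDM's own code) evaluates Flag Bit Match and Value Exact Match against Active Directory userAccountControl values and reports which disabled directory accounts each choice would leave active. The directory entries and function names are constructed for illustration.

```python
# Flag values of the Active Directory userAccountControl attribute.
ACCOUNTDISABLE = 0x0002          # the guide's "standard value is 2"
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_BIT_MATCH = "Flag Bit Match"
VALUE_EXACT_MATCH = "Value Exact Match"

# Constructed entries: (sAMAccountName, userAccountControl as LDAP returns it, a string).
SAMPLE_ENTRIES = [
    ("alice", "512"),      # NORMAL_ACCOUNT, enabled
    ("bob", "514"),        # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("carol", "66050"),    # NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
    ("dave", "66048"),     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
]


def is_disabled(status_value, configured_value, mode):
    """Apply one matching mode to one directory status value."""
    status = int(status_value)
    if mode == FLAG_BIT_MATCH:
        # Only the configured bit(s) are examined; other flags are ignored.
        return configured_value != 0 and (status & configured_value) == configured_value
    if mode == VALUE_EXACT_MATCH:
        # The whole attribute must equal the configured number.
        return status == configured_value
    raise ValueError(f"unknown mode: {mode}")


def users_to_deactivate(entries, configured_value, mode):
    """Names that a sync would set to inactive under this setting."""
    return [name for name, status in entries
            if is_disabled(status, configured_value, mode)]


def missed_disabled_users(entries, configured_value, mode):
    """Accounts disabled in the directory that this setting would leave active."""
    truly_disabled = {name for name, status in entries
                      if int(status) & ACCOUNTDISABLE}
    matched = set(users_to_deactivate(entries, configured_value, mode))
    return sorted(truly_disabled - matched)


if __name__ == "__main__":
    for value, mode in [(2, FLAG_BIT_MATCH), (2, VALUE_EXACT_MATCH), (514, VALUE_EXACT_MATCH)]:
        print(f"{mode} with value {value}: "
              f"deactivates {users_to_deactivate(SAMPLE_ENTRIES, value, mode)}, "
              f"misses {missed_disabled_users(SAMPLE_ENTRIES, value, mode)}")
```

With Active Directory, Value Exact Match only fits accounts whose other flags happen to equal the configured number, which is why the bit test is the reliable choice for userAccountControl.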

18.2.1 Active Directory / LDAP Enrolment Configuration
Active Directory/LDAP Integration is configured under System Settings > System > Directory Services, but the settings on this page allow the administrator to further leverage AD/LDAP integration during the enrolment process. After enabling Directory Services integration, navigate to this screen and select Directory as the Authentication type, then specify the following additional Enrolment Settings on the Authentication view:
   o Tick the Don't Prompt for Group ID check box if you are using AD/LDAP integration to pre-select the Group ID for the user (based on the Advanced Enrolment Settings).
   o Click Save to save your settings.

18.2.2 Authentication Proxy Enrolment Configuration
Use the following steps to enable authentication proxy user accounts for use during enrolment:
   o Navigate to the System Settings > Device > General > Enrolment page with the Authentication tab selected.
   o Tick the Authentication Proxy to expand the Authentication Proxy menu.
   o Complete the information in the following fields:
      o Authentication Proxy URL - The URL of the Authentication Proxy Server that prompts the user with HTTP or EAS authentication.
      o Authentication Method Type - The type of Authentication Proxy endpoint. All types other than EAS endpoints should select HTTP basic.
   o Click Save to save your settings.

18.2.3 SAML 2.0 Enrolment Configuration
Complete the following steps to enable SAML 2.0 User Accounts for use during enrolment:
   o Ensure that you are at System Settings > Device > General > Enrolment page with the Authentication tab selected.
   o Tick the SAML 2.0 to expand the SAML 2.0 menu and enter in all appropriate fields.
   o Complete all appropriate fields as follows.
      o Import Identity Provider Settings - This feature allows the administrator to import SAML metadata obtained from the Identity Provider.
        Uploading this XML file sets some of the configuration options shown in the SAML settings page and most importantly, this file includes the identity provider’s public key certificate, which is required for the VSDM to trust the identity provider.
      o SAML Binding Type - This value determines the identity provider and exchange messages. SAML can be configured to allow the intermediate browser to ‘Post’ the entire message, or it can send just a token known as an artifact, that represents the data. The identity provider then contacts the sender to obtain the message through a process called artifact resolution.
      o Identity Provider ID - This value specifies a URI that the identity provider uses to identify itself. The VSDM checks authentication responses to verify that the identity matches the ID provided in this field.
      o Service Provider ID - This value specifies a URI with which the VSDM identifies itself to the identity provider. This value must match the ID that has been configured as ‘trusted’ by the identity provider.
      o IDP SSO Post/Artifact - These values specify the identity provider URLs that the VSDM uses to send requests for each binding type. This value is set automatically from the imported metadata.
      o IDP Artifact Resolution URL - This value specifies the URL at the identity provider that the VSDM uses to resolve an artifact response to obtain the actual response message. This value is set automatically from the imported metadata.
      o Service Provider Assertion URL - This value specifies the VSDM URL which should be configured by the identity provider to direct its authentication responses. 'Assertions' regarding the authenticated user are included in success responses from the identity provider.
      o Service Provider Logout URL - This value specifies a URL to use for single logout. This feature is not currently supported in VSDM Release 2.
      o Service Provider Error URL - This value specifies a URL for displaying an error in the SAML authentication process. This value can be left blank.
      o Identity Provider Logout URL - This value specifies an identity provider’s URL to use for single logout. This value is set automatically from the imported metadata.
      o NameID Format - This value specifies the format in which the identity provider should send a NameID for an authenticated user. This value is not required as the VSDM obtains the username from the FriendlyName 'uid' required attribute.
      o Ignore SSL Errors - This value specifies whether or not the VSDM server should check SSL trust for the identity provider. If SSL errors are ignored, the VSDM server communicates with the identity provider regardless of any SSL trust issues.
      o Validate Identity Provider Certificate - This value specifies whether or not the VSDM should check if authentication responses are signed with the expected identity provider certificate. This value is only required when using 'Post' as the identity provider may not sign responses using artifact responses.
      o Identity Provider Certificate - The identity provider’s public key certificate. This value is set automatically from the imported metadata.
      o Authentication Request Security - This value specifies whether or not the VSDM should sign authentication request messages. This value must be set in order to upload a service provider certificate.
      o Service Provider Certificate - A private key certificate used by the VSDM to sign SAML requests and to decrypt responses.
      o Export Service Provider Settings - This feature allows VSDM SAML metadata to be exported and supplied to the identity provider. Similar to 'Import Identity Provider Settings', this feature allows the identity provider to import VSDM SAML metadata to build trust.
   o Click Save to save your settings.
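As an added example, not taken from the guide or the product: a review of identity provider metadata before it is imported, extracting the values that the fields above are set from (Identity Provider ID, SSO, artifact resolution and logout URLs, signing certificate) and checking them. The metadata, the idp.example.com URLs and the placeholder certificate bytes are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed placeholder bytes standing in for the DER certificate; not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(
    b"constructed placeholder, not a real certificate").decode()

# Constructed identity provider metadata; idp.example.com is a placeholder host.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="{BINDING}SOAP"
        Location="https://idp.example.com/saml/resolve"/>
    <md:SingleLogoutService Binding="{BINDING}HTTP-Redirect"
        Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-Artifact"
        Location="http://idp.example.com/saml/sso/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(idp, tag):
    """Map short binding name -> Location for one endpoint element type."""
    return {e.get("Binding", "").replace(BINDING, ""): e.get("Location", "")
            for e in idp.findall(f"{{{MD}}}{tag}")}


def read_idp_metadata(xml_text):
    """Extract the settings that a metadata import would populate."""
    # Metadata is untrusted input; the third-party defusedxml package is a hardened
    # alternative parser. The standard library is used so the example runs offline.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    fingerprints = []
    for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if key.get("use", "signing") != "signing":   # no 'use' means all purposes
            continue
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "identity_provider_id": root.get("entityID"),
        "sso": endpoints(idp, "SingleSignOnService"),
        "artifact_resolution": endpoints(idp, "ArtifactResolutionService"),
        "logout": endpoints(idp, "SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def review(settings, expected_idp_id):
    """Return findings to resolve before the imported settings are trusted."""
    findings = []
    if settings["identity_provider_id"] != expected_idp_id:
        findings.append("entityID does not match the expected Identity Provider ID")
    if not settings["signing_cert_sha256"]:
        findings.append("no signing certificate in metadata")
    for group in ("sso", "artifact_resolution", "logout"):
        for binding, url in settings[group].items():
            if not url.startswith("https://"):
                findings.append(f"{group} endpoint for {binding} is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    parsed = read_idp_metadata(SAMPLE_METADATA)
    print("Identity Provider ID:", parsed["identity_provider_id"])
    print("Signing certificate SHA-256:", parsed["signing_cert_sha256"])
    for finding in review(parsed, "https://idp.example.com/saml"):
        print("FINDING:", finding)
```

Compare the printed fingerprint with the one the identity provider's operator supplies through a separate channel before uploading the file.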
When you are finished configuring the Authentication settings, proceed to the Location Group, Role, and Restrictions views to specify the Advanced Enrolment Settings.

18.3 Advanced Enrolment Settings
When Enterprise Integration is enabled in the VSDM (through one of the Authentication Modes specified in the Enrolment System Settings), administrators have the ability to leverage existing organisational roles to configure and select Group IDs, Roles, and Restrictions in the VSDM. The following views allow administrators to customise user roles and other enrolment settings based on the user information that has been integrated into VSDM.
To access the Enrolment page, navigate to Configuration > System Settings > Device > General > Enrolment.

18.3.1 Location Group*
The Location Group view enables the administrator to view and specify basic information regarding Location Groups and Group IDs for end-users.
Group ID Assignment Mode - Choose how the VSDM environment assigns users Group IDs:
   o Default - Select this option if users are to be provided with Group IDs to use upon enrolment. The Group ID used determines what Location Group the user is assigned to.
   o Prompt User To Select Group ID - Select this option if the administrator provides users with a Group ID for them to enter upon enrolment.
Group ID Assignment - This section lists all of the Location Groups for the environment and their associated Group IDs.
   o Automatically Select the Group ID - Select this option if the VSDM environment has been integrated with AD/LDAP and users need to be automatically assigned to Location Groups based on their AD/LDAP User Groups.
Group Assignment Settings - This section lists all of the Location Groups for the environment and their associated AD/LDAP User Groups. Click Edit Assignment to modify the Location Group/User Group associations.

Role
On the Role view, administrators can configure end-user roles for access and permissions based on user group and Active Directory settings. The User Group and associated Roles are listed under the Group Assignment Settings column.*
Rank - The user group rank is used to determine which user group takes precedence if a user belongs to multiple user groups. The user receives permissions for the highest-ranked group to which they belong.
Click Edit Assignment to edit the user group rankings and to assign enrolment roles to specific user groups. The available roles are based on the roles configured in User Accounts > Roles.

18.3.2 Restrictions
The Restrictions view allows the administrator to configure custom enrolment restriction policies by Location Group and User Group roles. This page contains the tools necessary for creating and applying enrolment restrictions to user groups:
   o Create a Restrictions policy using the Policy Settings.
   o Assign the policy to a user group under the Group Assignment Settings.
Policy Settings
All of the existing enrolment policies are listed in the Policy Settings section.
   o Click Add Policy to create a new enrolment restriction (or click Actions to edit an existing policy).
   o Specify the platforms that are allowed or denied for each enrolment policy.
   o Indicate whether or not the policy is the default policy for the groups to which the policy applies.
Group Assignment Settings
The existing enrolment restriction assignments according to user group are listed in the Group Assignment Settings section.
   o Click Edit Group Policies to assign the existing enrolment policies to certain user groups.
Finish assigning the general enrolment permissions at the bottom of the screen:

• Tick the checkboxes to restrict enrolment to known users only or users that belong to configured groups.
• Specify whether administrators in child location groups are allowed to create, edit, and assign restriction policies.

*New Feature in VSDM Release 3

18.4 Email Integration

18.4.1 Email (SMTP)

Email messages sent from the VSDM are transmitted using the corporate Email gateway defined in the Email (SMTP) settings menu. Users can receive email notifications for a variety of reasons, including:

• Enrolment, user and device activation.
• Report subscriptions.
• Device messages.
• Purchased application (VPP) notifications.

18.4.2 Configure Email Settings

Use the following steps to configure email settings:

1. Navigate to Configuration > System Settings > System > Email (SMTP).
2. Complete the following information:
  o Server - The address of the corporate Email (SMTP) server.
  o Enable SSL - If ticked, the corporate Email server securely communicates with the VSDM server over SSL. The default value is false (un-ticked).
  o Port - The port over which the corporate Email server communicates with the VSDM server. The default port is 25.
  o Requires Credentials - If ticked, SMTP traffic for the corporate Email server requires authorisation. The username and password fields are not required if authorisation is not enabled.
  o Timeout in Seconds - Defined in seconds, this value determines the amount of time before the connection between the corporate Email server and the VSDM server times out.
  o Sender’s Name - The name of the sender that is displayed on any messages sent from the VSDM server.
  o Sender’s Email Address - The Email address of the sender that is displayed on any messages sent from the VSDM server.
18.5 Enterprise Integration Service

When using the VSDM in the cloud, all integration with the enterprise systems can be seamlessly encapsulated in encrypted HTTPS traffic relayed by one or more nodes (EIS relay / EIS endpoint). This includes communications with:

• SMTP (Email Relay)
• Directory Services (LDAP / AD)
• Microsoft Certificate Services (PKI)
• Simple Certificate Enrolment Protocol (SCEP PKI)
• Exchange PowerShell (For certain Secure Email Gateways)
• BES (Sync users and mobile device information)

If using the VSDM in the cloud, setting up an EIS endpoint helps to integrate any of the above systems behind your corporate firewall without the need for VPN tunnels or the need to open network firewall ports to the desired systems.

18.5.1 Configuring EIS

To configure EIS you need:

• A server reachable from the Vodafone SaaS (allow inbound requests from 205.139.50.0/23 to port 443).
• Internal access to the systems to integrate (connections configured in the corresponding System Settings).
• An administrator account for EIS. Ensure the account’s role has the permission to “Allow Remote Access” located under Remote Services > Security.

For installation, use either the files available for download from the Enterprise Integration page (navigate to Configuration > System Settings > Enterprise Integration) or files received from Vodafone support.

The Enterprise Integration section of System Settings is automatically configured during the installation of EIS behind your firewall. Use these settings if you need to adjust anything after the configuration has been initialised by EIS after installation, or if you cannot follow this automated process.

Use the following steps to begin EIS configuration:

1. Navigate to Configuration > System Settings > System > Enterprise Integration.
2. Tick the Enable Enterprise Integration Service checkbox.
  o Authentication - Select either of the following authentication radio buttons:
    - Certificate for message-level encryption over HTTPS.
    - Add HTTP authentication with a username/password that can be set here and adjusted on the EIS server’s configuration page.
  o Go to the Enterprise Services section and enable or disable the services that the VSDM should integrate with EIS.
    Note: Vodafone SaaS already offers email delivery using SMTP, but you can also enable EIS to use your own SMTP server (details are entered in System Settings > System > Email (SMTP)).
  o Advanced - Enable or disable the components that the VSDM should integrate with EIS.
    Note: The thumbprint of the certificate generated during auto configuration is shown here; the certificate can be cleared and renewed if necessary.

If EIS is unable to connect to the API during installation, you can generate a configuration script (encrypted) by following these steps:

• Generate the certificate, save the page and click Refresh.
• Export settings for the EIS server (this prompts you to set a password).
• Download the XML file and import it into the EIS configuration (this automatically configures the EIS server).

18.6 SMS Integration

Similar to the Email (SMTP) setup, the SMS Integration page enables the SMS messaging capabilities of the VSDM. However, in order to enable this functionality, administrators must first purchase a CellTrust account so that they can authenticate to the CellTrust SMS Gateway.

18.6.1 Configure SMS Settings

Use the following steps to configure SMS settings:

1. Navigate to Configuration > System Settings > System > SMS.
2. Complete the following information:
  o Nickname - The CellTrust account nickname.
  o User Name - The CellTrust account username.
  o Password - The CellTrust account password.
  o Select Save to save the SMS configuration settings.

18.7 Use the VSDM API

The API page sets up certificate-based security for your Location Groups. Once this is set up, integrating systems can use the certificate to securely communicate with your environment through the VSDM API.

The most common example of an integrating system is Vodafone's Secure Email Gateway (SEG). In order to monitor and control an SEG from a specific Location Group, an API certificate is required during the installation process.

Use the following steps to generate an API certificate for your environment:

1. Navigate to Configuration > System Settings > System > General > API > Soap API.*
2. Enter the password into the New Certificate Password field.
3. Select the Generate Client Certificate button. The API certificate is now available for use.
4. Export the API certificate for use in an integrating system (such as the SEG):
5. Re-enter the certificate password.
6. Select the Export Client Certificate button. The certificate is now ready and can be used on your computer and in the integrating system.

* New Feature in VSDM Release 3

18.8 Important Enterprise Integration Considerations

As part of the initial VSDM setup, administrators must configure several core system settings (in the System Settings page of the VSDM) that enable integration between the VSDM server and corporate infrastructure. These settings should not be changed once they are configured.

• If you are leveraging user group integration, ensure that Directory Services (and EIS, if enabled) integration is configured at the same level as the root location group to which the user groups belong.
• When user group integration is enabled, directory users can only be managed at the level of the Directory Services settings; you should only add new users at this level to ensure full management permissions.
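For the firewall prerequisite in section 18.5.1 (inbound requests from 205.139.50.0/23 to port 443 on the EIS server), the following added example, which is not part of the Vodafone guide, checks firewall log lines against that rule. The log format, the sample lines and the function name audit_eis_inbound are assumptions made for illustration; a /23 spans 205.139.50.0 to 205.139.51.255, which the second and third sample lines exercise.

```python
import ipaddress
import re

# Source range and port taken from section 18.5.1 of the guide.
VSDM_SAAS_RANGE = ipaddress.ip_network("205.139.50.0/23")
EIS_PORT = 443

# Constructed firewall log lines (hypothetical format, not a VSDM/EIS log).
SAMPLE_LOG = """\
2013-03-04T09:12:01Z ACCEPT SRC=205.139.50.17 DST=10.0.5.20 DPT=443
2013-03-04T09:12:07Z ACCEPT SRC=205.139.51.254 DST=10.0.5.20 DPT=443
2013-03-04T09:13:40Z ACCEPT SRC=205.139.52.1 DST=10.0.5.20 DPT=443
2013-03-04T09:14:02Z ACCEPT SRC=205.139.50.17 DST=10.0.5.20 DPT=3389
2013-03-04T09:15:30Z DROP SRC=198.51.100.9 DST=10.0.5.20 DPT=443
2013-03-04T09:16:00Z ACCEPT SRC=not-an-ip DST=10.0.5.20 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) "
    r"DST=\S+ DPT=(?P<dpt>\d+)")

def audit_eis_inbound(log_text):
    """Return (timestamp, reason) for each accepted connection that the
    18.5.1 allow rule does not cover, and for lines that cannot be parsed."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            findings.append((line.split(" ", 1)[0], "unparseable line"))
            continue
        if m["action"] != "ACCEPT":
            continue  # dropped traffic never reached the EIS server
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append((m["ts"], "invalid source address"))
            continue
        if src not in VSDM_SAAS_RANGE:
            findings.append((m["ts"], f"source {src} outside {VSDM_SAAS_RANGE}"))
        elif int(m["dpt"]) != EIS_PORT:
            findings.append((m["ts"], f"port {m['dpt']} open to SaaS range"))
    return findings

if __name__ == "__main__":
    for ts, reason in audit_eis_inbound(SAMPLE_LOG):
        print(ts, reason)
```

Any finding means the firewall accepts more than the single rule the guide asks for, either a wider source range or an extra port.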