MaaS360 MDM for iOS, Android & Windows Phone 7


MaaS360 MDM for iOS, Android & Windows Phone 7 MaaS360 e-Learning Portal – Course 2

Agenda – MaaS360 MDM for iOS, Android & WP7
- iOS Basics
  - Requirements, APNS, Enrollment Process
  - Communication Workflow
  - Device View – iOS Attributes & Actions
- Android Basics
  - Requirements, Enrollment Options & Process
  - Device View – Android Attributes & Actions
- WP7 Basics
  - Device View – WP7 Attributes & Actions
- Troubleshooting Basics

MaaS360 MDM for iOS

iOS MDM Requirements
- iOS Operating System Version: 4.x and higher
- APNS Certificate
  - APNS - Apple Push Notification Service
  - APNS Certificate (MaaS360 helps automate this process):
    - Authentication by Apple
    - Provider can send notifications
    - One Time Activity – one certificate for all iOS devices
[Diagram labels: Provider, Notification, APNS Cloud, Port 5223]

MaaS360 APNS Certificate Creation Workflow
- Generate a new APNS certificate:
- Enter your Corporate Apple ID: Do not use your personal ID.
- Download the CSR (signed by Fiberlink). You will get an email as well.

MaaS360 APNS Certificate Creation Workflow
- Sign into Apple Push Cert Website:
- Accept Terms, upload CSR, download certificate (.pem), logout:
- Upload certificate, enter password and complete the APNS Process:

Manual APNS Certificate Creation
- Mac OS X workstation or Windows Server with Administrative permissions.
- Prepare a Certificate Signing Request
- Sign the CSR with MaaS360
- Upload prepared CSR to Apple Push Cert Website
- Export the signed certificate
- Complete the CSR Request
- Export the APNS Certificate with a Password
- Upload to MaaS360
- Reference: APNS_Certificate_Guide_Detailed.pdf

iOS Device Enrollments - Options
- Over-The-Air (OTA) Session Based Enrollment:
  - One Time Passcode based authentication:
    - Unique Enrollment URL & Password for each request
    - URL Format: (http://m.dm/<CorpID>/<Random>)
    - 7 day shelf life, supports de-activation
    - Bulk Enrollment Option Available
  - Active Directory
    - Requires Cloud Extender (Microsoft AD / LDAP support)
    - Same Self Enrollment URL
    - URL Format: (http://m.dm/<CorpID>)
  - Two Factor Authentication (2FA)
    - Combination of both Passcode and AD.
- Corporate ID:
  - Defaults to Account Number (7 digits)
  - Customizable (Manage >> Configure Device Enrollment Settings)
  - One Word, all lower case (preferably)
  - Enrollment URL is case sensitive

iOS Device Enrollments - Workflow
- Device Enrollment Process
  - Device initiates enrollment using Web Browser (Safari)
  - Enrollment URL: Sent via email, SMS (can be sent to separate email if corp is not configured on the device yet)
  - Enrollment Passcode: Sent for Passcode authentication / 2FA
    - Passcode only in email, not SMS’ed (Security Reasons)
- Enrollment Steps
  - Authentication
  - License Agreement
    - MaaS360 Standard
    - Customer Agreement (Optional, if configured)
  - MDM Profile Configuration
  - MaaS360 App for iOS Installation (from iTunes App Store)

iOS Device Enrollment Process in Action
[Screenshots: SMS, E-mail, Steps, Auth, EULA, Profile Install]

iOS Device Enrollment Process in Action
[Screenshots: Profile Description, Profile Install Prompt, Profile Capabilities - Warning, Key Pair Generation, Profile Install Completed]

iOS App (MaaS360 for iOS)
- MaaS360 for iOS App:
  - Not required for enrollment, but does drive key features
- App Functionality:
  - Jailbreak detection
  - Last Known Location Action
  - Document Management
  - Send Message Action
  - Mobile Expense Management
  - Device Attribute & Log Collection
- MaaS360 for iOS installation:
  - Part of enrollments, app distribution is best practice
  - User will install (iTunes access/account required)
  - User will run MaaS360
  - Accept location services & notifications

iOS Communication Flow
[Diagram labels: MaaS360 Admin, Notification, APNS Cloud, Customer Devices; HTTPs TCP Port 443; APNS TCP Port 5223]
- Port 443:
  - Device Policy Delivery
  - Device Action Delivery
  - Device Attribute Collection
  - Device Heartbeat
  - Apps & Docs
- Port 5223: (needs to be opened on Corp FW & Proxy)
  - iOS Device Notification
  - Wake up message
  - Device reports back to MaaS360 to download action commands.

iOS Device Attributes
- Summary
  - Summary of Hardware, OS & Compliance Information
- Hardware Inventory
  - Detailed Hardware Inventory, Custom Attributes
- Network Information
- Location Information
  - Location History can be enabled from here (global)
- Security & Compliance
- Certificates
  - Identity certificate generated during enrollment
- Software Installed
- App Distributions
- Documents Downloaded
- Mobile Data Usage (if Mobile Exp Mgmt is enabled)
  - In Network and Roaming Usage
- Change History
  - Service Activations, Custom Attribute changes
- Action History
  - Audit history for all actions on the device

iOS Actions
- Refresh Device Information
- Last Known Location (requires app)
- Send Message (requires app)
- Lock Device
- Reset Device Passcode
- Selective Wipe (Restrict Device)
  - Removes wifi, vpn, email profiles if pushed through policy
  - Device can still be managed
  - Normally setup as an automated action on compliance failure
- Wipe Device
- Change iOS Policy
- Change Plan (if MEM is enabled)
- Distribute App
- Remove iOS Control (Removes overall management)
- Hide Device Record
  - ** To be used as last resort **
- Change Rule Set

MaaS360 MDM for Android

Android Requirements
- Android OS Version: 2.2 or higher
- Gmail account:
  - MaaS360 App for Android access on Google Play
  - C2DM (Cloud to Device Messaging) access
    - Similar to APNS Notifications in the iOS world
    - On enrollment, MaaS360 App tries to register for C2DM

Android Device Enrollments - Options
- Agent Based Enrollment:
  - One Time Passcode based authentication:
    - Unique Enrollment URL & Password for each request
    - URL Format: (http://m.dm/<CorpID>/<Random>)
    - 7 day shelf life, supports de-activation
    - Bulk Enrollment Option Available
  - Active Directory
    - Requires Cloud Extender (Microsoft AD / LDAP support)
    - Same Self Enrollment URL
    - URL Format: (http://m.dm/<CorpID>)
  - Two Factor Authentication (2FA)
    - Combination of both Passcode and AD.
- Corporate ID:
  - Defaults to Account Number (7 digits)
  - Customizable (Manage >> Configure Device Enrollment Settings)
  - One Word, all lower case (preferably)
  - Enrollment URL is case sensitive

Android Device Enrollments - Workflow
- Device Enrollment Process
  - Device initiates enrollment using Web Browser
  - Enrollment URL: Sent via email, SMS (can be sent to separate email if corp is not configured on the device yet)
  - Enrollment Passcode: Sent for Passcode authentication / 2FA
    - Passcode only in email, not SMS’ed (Security Reasons)
- Enrollment Steps
  - Download Agent from Google Play
  - Authentication
  - License Agreement
    - MaaS360 Standard
    - Customer Agreement (Optional, if configured)
  - Accept as Device Administrator

Android Enrollment Process in Action
[Screenshots: Web Enrollment, E-mail, Steps, Auth, Install from Google Play]

Android Enrollment Process in Action
[Screenshots: Enrolled, EULA, Activate Device Administrator]

Android Communication Flow
[Diagram labels: MaaS360 Admin, Notification, C2DM Cloud, Customer Devices; HTTPs TCP Port 443; C2DM TCP Port 5228, 80, 443]
- Port 443:
  - Device Policy Delivery
  - Device Action Delivery
  - Device Attribute Collection
  - Device Heartbeat
  - Apps & Docs
- Port 5228: (needs to be opened on Corp FW & Proxy)
  - Used to download the App from Google Play

Android Device Attributes
- Summary
  - Summary of Hardware, OS & Compliance Information
- Hardware Inventory
- Operating System
- Network Information
- Location Information
  - Location History can be enabled from here (global)
- Security & Compliance
- Software Installed
- Running Services
  - List of open running services
- App Distributions
- Documents Accessed
- Mobile Data Usage (if Mobile Exp. Mgmt. is enabled)
  - In Network and Roaming Usage
- MaaS360 Services
  - Agent Version, Client ID
- Change History
  - Service Activations, Custom Attribute changes
- Action History
  - Audit history for all actions on the device

Android Actions
- Refresh Device Information
- Locate Device
- Send Message
- Lock Device
- Reset Device Passcode
- Selective Wipe (Restrict Device)
  - Removes wifi, vpn, email profiles if pushed through policy
  - Device can still be managed
  - Normally setup as an automated action on compliance failure
- Wipe Device
- Change Android Policy
- Change Plan (if MEM is enabled)
- Distribute App
- Remove Android Control
  - Removes overall management
- Hide Device Record
  - ** To be used as last resort **
- Change Rule Set

MaaS360 MDM for WP7

Windows Phone 7 (WP7) MDM Requirements
- Agent Based MDM for Windows Phone 7.5 (Mango)
- Microsoft Push Notification Service (MPNS):
  - Client registers for MPNS
  - Return URI to MaaS360
  - Actions via MPNS

WP7 Device Enrollments - Options
- Over-The-Air (OTA) Session Based Enrollment:
  - One Time Passcode based authentication:
    - Unique Enrollment URL & Password for each request
    - URL Format: (http://m.dm/<CorpID>/<Random>)
    - 7 day shelf life, supports de-activation
    - Bulk Enrollment Option Available
  - Active Directory
    - Requires Cloud Extender (Microsoft AD / LDAP support)
    - Same Self Enrollment URL
    - URL Format: (http://m.dm/<CorpID>)
  - Two Factor Authentication (2FA)
    - Combination of both Passcode and AD.
- Corporate ID:
  - Defaults to Account Number (7 digits)
  - Customizable (Manage >> Configure Device Enrollment Settings)
  - One Word, all lower case (preferably)
  - Enrollment URL is case sensitive

WP7 Device Enrollments - Workflow
- Device Enrollment Process
  - Device initiates enrollment using Web Browser
  - Enrollment URL: Sent via email, SMS
  - Enrollment Passcode: Sent for Passcode authentication / 2FA
    - Passcode only in email, not SMS’ed (Security Reasons)
- Enrollment Steps
  - Download Agent from Microsoft App Marketplace
  - Authentication
  - License Agreement
    - MaaS360 Standard
    - Customer Agreement (Optional, if configured)
  - Allow Location Detection & MS Push Notification

WP7 Device Enrollment Process in Action
[Screenshots: E-mail, Start Download, Auth, EULA, Steps]

WP7 Device Enrollment Process in Action
[Screenshots: Allow Location Detection, Allow MS Push Notifications, Enrolled]

WP7 Communication Flow
[Diagram labels: MaaS360 Admin, Notification, MPNS Cloud, Customer Devices; HTTPs TCP Port 443; TCP Port 443]
- Port 443:
  - Device Policy Delivery
  - Device Action Delivery
  - Device Attribute Collection
  - Device Heartbeat
  - Apps & Docs
  - WP7 Device Notification

WP7 Device Attributes
- Summary
  - Summary of Hardware, OS & Network Information
- Hardware Inventory
  - Basic Hardware Inventory, Custom Attributes
- Network Information
  - Carrier Information
- Location Information
  - Location History can be enabled from here (global)
- MaaS360 Services
  - Agent Version, MS Push Notification Status
- Change History
  - Service Activations, Custom Attribute changes
- Action History
  - Audit history for all actions on the device

WP7 Actions
- MDM
  - Refresh Device Information
  - Send Message
    - App Specific Message, not SMS
  - Last Known Location
  - Remove WP7 Control
    - Removes overall management
  - Hide Device Record
    - ** To be used as last resort **
  - Change Rule Set
- ActiveSync
  - ActiveSync for Policy Management
  - Merged record for Block, Remote Wipe
- Supports App Management

Troubleshooting Basics

Troubleshooting Basics
- Common problem areas / questions from customers.
- Cause of issue
- Resolution / Work-around

Common Questions/Problems/Resolutions
Enrollment Request SMS does not reach the device
- Possible Reasons and Resolutions
  - Device is not allowed to receive SMS / SMS service is off for the device tariff. (Roaming?)
    - Enable SMS for the tariff or on the device
  - No Network
    - Make sure you ask if device got mobile coverage
    - Is Voice Roaming allowed?
- Note: SMS is not required for enrollment, passcode will always be in email

Common Questions/Problems/Resolutions
Enrollment URL cannot be accessed from the device
- Possible Reasons and Resolutions
  - URL IS CASE SENSITIVE
  - Http(s) is blocked with current network connection
    - Device is connected to wifi and internet connection is in some way restricted (proxy, filtering ?)
    - Device is connected via private APN with restrictions applied
    - Check if you can reach other URLs from the device
    - Try another network connection
  - Safari must be used for iOS
    - Accept Cookies must be set to “From Visited” under Settings -> Safari on the device
    - The enrollment will inform the user if cookies are off

Common Questions/Problems/Resolutions
Enrollment Authentication Fails
- Possible Reasons and Resolutions
  - Typo in the One Time Passcode
    - Make sure user got the correct one time passcode
    - Make sure the one time passcode is not expired
  - AD Authentication Error
    - Typo/Wrong Domain
    - Cloud Extender setup needs to be checked
  - Combined AD and One Time Passcode
    - Start with making sure OTP is correctly typed in.
    - Second step is to check Cloud Extender setup.
  - Check Manage -> Manage Enrollment Requests for errors as well

Common Questions/Problems/Resolutions
Cannot find/download Android App in the Market
- Possible Reasons and Resolution
  - Country is blocking the market or device has a custom ROM with no Market installed
    - Install the market
  - Verify the device is on Android version 2.2 or higher
    - We have restrictions on the app to not be found if under 2.2
    - Some generic tablets run a 1.6 which cannot be enrolled
  - Ensure you can access the market from the device
    - Ensure you can find other apps

Common Questions/Problems/Resolutions
Enrollment fails after successful Authentication
- This is usually seen on iOS if the main MDM profile comes down but none of the policy payloads
- Possible Reasons and Resolutions
  - For iOS/Android port is blocked (TCP 5223) / (TCP 5228)
    - Make sure your network connection allows this communication to the internet.
    - Wireless routers may block this traffic
    - Internal Proxy servers can also block it
    - Try another connection with the device (3G internet, other DSL based WIFI or free WIFI).
  - HTTPs communication to the internet is blocked.
    - Can be the same reasons as above.
    - Try to disable Wireless if the device is connected to a wifi connection in parallel.
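
The port checks from the communication-flow and troubleshooting slides can be scripted so that a blocked push port is separated from blocked HTTPS before a device is re-enrolled. This is an added example, not part of the original slides or of any MaaS360 tooling; the hostnames are hypothetical placeholders and must be replaced with the real service and push endpoints.

```python
import socket

# Ports each platform needs, as listed on the Communication Flow slides.
PORTS = {
    "ios":     {"service": 443, "push": 5223},   # push = APNS
    "android": {"service": 443, "push": 5228},   # push = C2DM / Google Play
    "wp7":     {"service": 443},                 # slides show 443 only
}

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, DNS failure, filtered by FW/proxy
        return False

def diagnose(platform, hosts, probe=tcp_open):
    """Probe every port the platform needs and map each failure to the
    symptom described in the troubleshooting slides.

    hosts: role -> hostname, e.g. {"service": ..., "push": ...}
    probe: injectable so the logic can be exercised without a network.
    """
    findings = []
    for role, port in PORTS[platform].items():
        if probe(hosts[role], port):
            continue
        if role == "service":
            findings.append(
                f"TCP {port} to {hosts[role]} blocked: policy/action delivery, "
                "attribute collection and heartbeat cannot work")
        else:
            findings.append(
                f"TCP {port} to {hosts[role]} blocked: enrollment can stall "
                "after authentication; open it on the corporate FW and proxy")
    return findings

if __name__ == "__main__":
    # Hypothetical placeholder hostnames (assumption, not from the slides).
    hosts = {"service": "mdm-portal.example", "push": "push-gateway.example"}
    for platform in PORTS:
        problems = diagnose(platform, hosts)
        print(platform, "OK" if not problems else problems)
```

Run it from the same Wi-Fi, proxy or private APN the failing device uses, since the result only describes that network path.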

Common Questions/Problems/Resolutions
- Most of the problems will happen during the initial setup of a customer account and enrollment (~90%)
- There are still issues that may come up during operation like:
  - Actions are not applied
- Possible Reasons
  - Network communication errors (see earlier slides)
  - Try to disable WIFI if the device is connected to a wifi connection in parallel.

Thank You Questions ?