em l01 introduction to mobile hands-on lab · 2016. 7. 4. · em l01 introduction to mobile...


Post on 26-Jan-2021


  • EM L01 Introduction to Mobile Hands-On Lab

    Description

    Mobile Devices are everywhere. See the Symantec Mobile Management portfolio in action. This lab demonstrates common deployment scenarios to enable smartphones and tablets in the enterprise. It will help administrators get acquainted with the functionality around device management, information protection, and secure access. Attendees will learn about the benefits of combined endpoint management as well as the advantages of an end-to-end solution. Common administrative tasks around visibility, provisioning, and policy management are included in this lab.

    At the end of this lab, you should be able to:

    Be familiar with some of the Symantec Mobile Product offerings and strategy.

    Understand how Enterprises rely on different types of Mobile technology and how there is no ‘one size fits all’ solution.

    Be familiar with the EMM Mobile product solutions.

    Feel comfortable discussing key differences in products based upon the needs of the Enterprise.

    Notes

    A brief presentation will introduce this lab session and discuss key concepts.

    The lab will be directed and provide you with step-by-step walkthroughs of key features.

    Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

    Be sure to ask your instructor any questions you may have.

    Thank you for coming to our lab session.

    Getting Started

    Before you begin, you will need to be sure that the SMM-Exchange and SMM-Server virtual machines have been started (in that order). Once the VM’s have finished loading, you will be ready to begin. Unless otherwise stated, all of the exercises should be done from the SMM-Server virtual machine.

    Symantec Mobile Management

    Mobile Device Management is the foundation of an enterprise mobile device strategy. Symantec is uniquely positioned to offer a best-in-class mobile management platform based upon the Symantec Management Platform architecture. This platform extends beyond traditional endpoint management capabilities: Mobile Management solutions can be installed as standalone deployments or within an existing ITMS-based infrastructure, providing a common platform access point for broad organizational endpoint resource management regardless of device type. With the release of SMM 7.2 SP1, we have expanded upon this platform to include new improvements for Android and iOS native agent-based management.

    Note: Before beginning this exercise, and due to limitations in our lab environment, please temporarily disable the public network connection on SMM-SERVER for Local Area Connection 2. This will allow the Android virtual machine to connect correctly to our lab environment. Once the virtual machine has launched, you should re-enable the NIC connection.

    Installing the SMM agent

    1. Open the AVD Manager from the shortcut on the SMM-Server desktop.

    2. In the Android Virtual Device Manager window, Select the Lab_AVD device

    3. Click the Start… button on the right hand side.

    4. In the Launch Options window, click the Launch button

    Note: The Android emulator is now launching; it may take a minute or two to open.

    5. Once the emulator opens, slide the ‘lock’ icon to the right over the ‘unlock’ icon to open

    6. Click the Apps icon in the bottom center.

    7. Click on the Downloads icon.

    8. Double Click on the MobileMgmt.apk file to launch.

    9. Click ‘Install’ to install the agent on the device.

    10. Once complete, click Open and begin enrollment.

    11. In the server settings used for enrollment type http://smm-server.symmobile.local/MobileEnrollment/SYMC-AndroidEnroll.aspx.

    12. De-select the Require SSL checkbox (the lab enrollment URL in the previous step uses plain http://).

    13. Click the Submit button

    14. Click OK to enter credentials

    15.

    16. In ‘User name’ type your user name.

    17. In ‘Password’ type any password. Note: If the agent were set up for authentication, these would be a valid domain username and password.

    18. Click the checkbox indicating if this is a corporate owned device

    19. Click on the Submit button.

    20. Accept the EULA and click Submit

    21. Host service status will change from ‘Inactive’ to ‘Active’

    22. If prompted, respond to the Security notice to activate Device Administrator for the device.

    Note: You can activate this directly in the Security Settings for the device. Use the Home key and navigate to Device Settings > Security > Device Administrator.

    23. Click device Home button.

    Let’s explore the SMM 7.2 SP1 console for Mobile Device Management

    SMM is installed as a solution to the SMP platform interface. In our lab environment this solution has already been installed and configured. In this exercise we will take a tour of the platform mobile interface to become familiar with mobile device management and configuration options available.

    Main dashboard pages

    1. On the SMM-Server, open the Symantec Management Console from the desktop shortcut.

    2. Select Home > Mobile Management

    3. Click on the arrow to expand the options in the ‘Overviews and Reports’ tab.

    Note: This is a new tab which allows easier access to areas previously contained in the ‘Inventory’ tab as well as in system reports. Creating this tab allows for quicker access to commonly used areas for reporting. Devices by operating system is the default listed dashboard.

    4. Click on the arrow to expand the options in the ‘Device Management’ tab.

    Note: This area has been redesigned and separated from the former ‘Configuration’ tab, and it also adds access points that are accessible from other multi-level selections. This is the main tab used for the majority of device-based settings.

    5. Select the Manage Mobile Devices tab

    6. Click on the arrow to expand the options in the ‘Settings’ tab.

    Note: This area has been redesigned and separated from the former ‘Configuration’ tab.

    Looking at new iOS configuration settings

    1. Click back on the arrow to expand the options in the ‘Device Management’ tab.

    2. Click on ‘Configuration Editor’

    3. In the center column, select the iOS Profiles tab if not opened

    Note: A couple of additional profile configurations have been added for supervised devices using the Apple Configurator utility, and there are updated changes to support newer iOS functionality.

    Click on the EAS configuration profile

    4. Create a new payload by selecting the yellow asterisk in the right hand column

    Note: New email security settings like ‘Allow Move’ and ‘Use Only in Mail’ allow for new increased security options

    5. Click Cancel

    6. Under iOS Configuration, select the ‘Restrictions’ profile

    7. Create a new payload by selecting the yellow asterisk in the right hand column

    8. Select the ‘Device’ tab

    Note: New settings for control of ‘Siri’ voice control and other increased options

    9. Click on the all new ‘Security/Privacy’ tab

    Note: New security restrictions available

    10. Click on the ‘iCloud’ tab

    Note: Important controls for use of iCloud, critical settings for customers.

    11. Click on the all new ‘Supervised’ tab

    Note: This is new iOS6 functionality supported with SP1

    12. Click Cancel

    13. Under iOS Configuration, select the ‘Wi-Fi’ profile

    14. Create a new payload by selecting the yellow asterisk in the right hand column

    Note: Newer ‘Auto Join’ and ‘Proxy’ configuration settings

    15. Under the ‘Proxy’ setting, use the drop down to select ‘Manual’

    16. Scroll down to see where additional configuration entries can be made

    17. Click Cancel

    Creation of Android Settings and Policies

    Like iOS, configuration of Mobile Management Android settings is done in the Symantec Management Console. Android devices are configured using configuration settings, which control specific features of the device. These profiles are composed of Android configuration settings and are delivered to the Android device to configure and manage the device utilizing the available Android APIs by Symantec Mobile Management. Android supports a very small subset of device management options when compared to iOS.

    Create Android Passcode Profile

    1. Under Android Configuration tab select Passcode.

    2. In the right hand pane click on the yellow asterisk at the top New Payload.

    3. Input name of new passcode policy called Lab Passcode and a brief description.

    4. Set the dropdown under Password Complexity to Alphanumeric.

    5. Set ‘Maximum number of failed attempts’ value to 4.

    6. Using the dropdown set the value for ‘Minimum Passcode Length’ to 5.

    7. Click button to Save Changes.

    View Android Device Options Profile

    1. Under Android Configuration select Device Options.

    2. In the right hand pane click on the yellow asterisk at the top New Payload.

    Note: As stated, Android supports a very small subset of device options

    3. Click Cancel

    Exploring further Android Integration with NitroDesk Touchdown

    The current release is integrated with NitroDesk’s TouchDown email client to enable email setup and selective wipe (Android does not support the former with the native email client). TouchDown runs on your Android phone and provides you with the ability to receive and send e-mails, manage your contacts, and view your appointments from your company's Exchange server. It integrates with SMM and allows for a common platform control for Android device management not available with native APIs.

    View Touchdown Policy settings options

    Using Touchdown allows for a broader range of device controls than are available with native APIs. In this section we will explore some of those configuration settings so that you may familiarize yourself with some of the options available.

    1. Under Android Configuration select Touchdown Policy.

    2. In the right hand pane click on the yellow asterisk at the top New Payload.

    3. Select the Password tab

    Note: This is similar to the previous passcode options, but is configurable via Touchdown and specific to that application.

    4. Click on the Device Options tab.

    Note: Much greater ability to set and configure device options than what is available natively. Of note are Security and Storage Card Feature settings.

    5. Click on the Email tab

    Note: Email control options include such settings as ‘Disable ability to copy from or paste to an email’

    6. Click Cancel

    Mobile Library Content Creation and New Targeting Capabilities

    The Symantec Mobile Library provides enhanced Enterprise App Store capabilities. The Mobile Library enables companies to deliver content and application listings to their end user Mobile devices via the Mobile Management agent. The Mobile Library is delivered to the agent as a set of RSS feeds. In this exercise we will create Mobile Library content and look at changes in the delivery options within SMM 7.2 SP1

    Building a Mobile Library consists of two steps:

    1. Building the Mobile Library Feeds.

    2. Adding applications and content to a specific Mobile Feed.

    Building the Mobile Library Feeds

    1. Go to Home > Mobile Management > Device Management > Mobile Library Editor.

    2. Click on the New Feed button at the top of the Library feed table.

    3. Enter a unique integer in Feed ID field as an identifier such as 001.

    4. Change Feed Language to the appropriate language for your device.

    5. Add a feed with the title ‘New Sales data’.

    6. Enter a brief Feed Description, e.g. Latest product Sales data.

    7. Click OK button.

    8. Feed will now appear in the list of Mobile Feeds but is not yet published.

    Adding Web Content to a specific Mobile Feed

    1. Click the ITEMS button at the top of the Mobile Library Editor window.

    2. Select ‘New Sales data’ feed using the dropdown at the top left corner.

    3. Select ‘New Item’ to create content for the feed.

    Note: The agent supports 3 types of Feeds:

    Application – A commercial or in House application

    Document – Word documents, PDF’s and Excel Spreadsheets

    Media – Video links, MP4, photos, MP3, Web links, etc.

    File limitations are determined by device capabilities and feed selections will be based upon content created and required usage.

    4. Add Item Name ‘Salesforce’.

    5. Add Item Version ‘1.1’.

    6. Add Item Author ‘your name’ .

    7. In Item description add ‘link to Salesforce.com’.

    8. Select ‘Media’ in Item Category.

    9. Select ‘Other’ in Item Type.

    10. Select ‘Android’ in Platform Type.

    11. Select ‘Recommended’ in Item Priority.

    12. Click on ‘Select Files’ in right pane and browse to c:\Lab Files\Mobile Library Content\salesforce.png.

    NOTE: Content added to the Mobile Library requires a 57x57 pixel icon in .png format.

    13. Click on ‘Upload Files’ to upload content.

    14. Click ‘Close’ when uploading complete. You will now see that the Item Icon path has been automatically created.

    15. Enter ‘http://www.salesforce.com/’ in Item Link.

    16. Click the ‘Item is Published’ checkbox to distribute the item to agents.

    17. Click ‘OK’ button to save changes.

    18. Click the FEEDS button at the top of the Mobile Library Editor window.

    19. Click Green ‘Edit’ button on right side of the created New Sales Data feed.

    20. Click the ‘Feed is Published’ checkbox to publish the feed content.

    21. Click the ‘Is Feed Default’ checkbox to set as the default feed for devices.

    22. Click ‘OK’ button to save changes.
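
The icon requirement noted above (57x57 pixels, .png format) can be checked before a file is uploaded to the Mobile Library. The following is an added example, not part of the original lab guide or of any Symantec tooling; the function names and the sample images are constructed for illustration. It reads the PNG header itself rather than trusting the file extension, so a renamed non-PNG file, a corrupt header, or a wrong-sized image is rejected.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REQUIRED_SIZE = (57, 57)  # icon size stated in the lab note


def png_dimensions(data):
    """Return (width, height) from the IHDR chunk, or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    # After the 8-byte signature: 4-byte length, 4-byte type, 13-byte IHDR, 4-byte CRC.
    if len(data) < 8 + 4 + 4 + 13 + 4:
        raise ValueError("truncated before end of IHDR")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    ihdr = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    # The CRC covers the chunk type and chunk data, not the length field.
    if zlib.crc32(chunk_type + ihdr) != stored_crc:
        raise ValueError("IHDR CRC mismatch (corrupt file)")
    width, height = struct.unpack(">II", ihdr[:8])
    return width, height


def check_icon(data):
    """Return 'ok' or a 'reject: ...' reason for a candidate library icon."""
    try:
        width, height = png_dimensions(data)
    except ValueError as exc:
        return f"reject: {exc}"
    if (width, height) != REQUIRED_SIZE:
        return f"reject: {width}x{height}, expected 57x57"
    return "ok"


def _chunk(chunk_type, body):
    crc = zlib.crc32(chunk_type + body)
    return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)


def make_png(width, height):
    """Constructed sample input: a valid all-black 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline is one filter byte followed by `width` pixel bytes.
    raw = (b"\x00" + b"\x00" * width) * height
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def corrupt_width(png):
    """Constructed sample input: flip one bit of the width without fixing the CRC."""
    damaged = bytearray(png)
    damaged[19] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    samples = {
        "salesforce.png (57x57)": make_png(57, 57),
        "large.png (64x64)": make_png(64, 64),
        "renamed.jpg as .png": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "damaged header": corrupt_width(make_png(57, 57)),
    }
    for name, blob in samples.items():
        print(f"{name}: {check_icon(blob)}")
```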

    Create Mobile Configuration Policy and Target delivery of a specific Mobile Feed

    SMM 7.2 SP1 includes the ability to target mobile library feeds based upon standard SMP groups. Now that you have created Mobile Configuration Profiles, you will need to target them for deployment to devices using a Mobile Configuration Policy. The Mobile Configuration Management page can be accessed via the new UI Device Management > Go to policy management.

    Create New Mobile Device Configuration Policy

    1. Right mouse click on the Mobile Configuration Policies folder.

    2. Select the New> Mobile Device Configuration Policy.

    3. Under Configuration settings, click the yellow asterisk.

    4. Select the Lab Passcode Profile.

    5. Scroll to the bottom and click ‘OK’.

    Profiles selected will now appear in the configuration settings. Now you can use Feed Settings to determine which Mobile library feeds are included with this policy.

    1. Under Feed Settings, click the yellow asterisk.

    2. Select the lab Mobile Library Feed previously created.

    3. Click OK

    Feeds selected will now appear in the Feed Settings. Next you must create targeting rules to use to determine which mobile devices will be targeted with the policy and Feed.

    1. Click on the arrow button at the right side of the Applied To divider.

    2. Click on the Apply To button > Mobile Devices, this will open the select resources dialog box.

    3. Click the Add rule button.

    4. Select ‘exclude resources NOT in’ from the first dropdown.

    5. Select ‘Resource list’ from the second dropdown.

    6. Click the ‘Browse’ button to search for a device to target with this policy.

    7. When the Select Resources page opens use drop down to select ‘Mobile’ group.

    8. Choose the device to target for this policy or search for device name.

    9. Use arrow to move selection to the right side ‘Selected resources’ box.

    10. Click ‘OK’ button at bottom.

    11. Click the ‘Update results’ button to verify which devices are targeted.

    12. Click ‘OK’ button again to save selection.

    13. Click ‘Save Changes’ at bottom of screen.

    14. At top of Policy Rules/Actions screen toggle red ‘Off’ button to green ‘On’ to enable Policy for distribution.

    15. Click ‘Save Changes’ at bottom of screen.

    Viewing Detailed Device Data

    The Mobile Management Server stores detailed information about managed devices that can be viewed using a new right click action Resource Manager. Examples of the information stored are device status, history, and specific iOS or Android content data should it be required. In this exercise we will look at some of these attributes.

    1. In the Symantec Management Console navigate to Device Management > Manage Mobile Devices.

    2. In the Manage Mobile Devices pane right click on the user1_Acer A100 mobile device.

    3. After the menu loads select Device Management >View Device Information toward the bottom.

    4. A new page will open showing a new and more user friendly device based overview.

    Note: This is a new device view page added with the recent SP1 release. View gives an overview of Device Detail, Inventory and Action based information in an easily viewable format.

    Symantec Mobile Security

    With the newest release of Symantec Mobile Security we bring Android agent-based security protection to the familiar Symantec Management Platform console. Integration of this solution will allow a common interface for both MDM and Security device-based administration. The Android OS, being an open platform, allows a greater potential for mobile-based threats and allows for greater opportunity for agent-based protection.

    Installing the SMS agent

    1. On your Android virtual device, go back to the downloads folder.

    2. Double Click on the MobileSecurity.apk file to launch.

    3. Open your download package

    4. Click ‘Install’ and agent app will install on the device.

    5. Once complete, click Open to begin enrollment.

    6. In the server settings used for enrollment type SMM-Server.Symmobile.local and any username or password.

    7. Click the Enroll button

    8. Click Activate to activate device administrator functionality

    9. In the agent, click on the Scan button to initiate a device scan

    10. When the scan completes you will see that a suspicious file has been found and the user will have the option to remove the file. Click Remove to remove the file.

    11. Click Close.

    12. Open the SMS management console and click on the Device Overview Report to see the updated device information.

    Let’s explore the SMS 7.2 console for Mobile Security Management

    SMS is installed as a solution to the SMP platform interface. In our lab environment this solution has already been installed and configured. In this exercise we will take a brief tour of the platform mobile interface to become familiar with mobile device management and configuration options available.

    Main dashboard pages

    1. On the SMM-Server, open the Symantec Management Console from the desktop shortcut.

    2. Select Home > Mobile Security

    3. Click on the arrow to expand the options in the ‘Overviews and Reports’ tab.

    Note: Like the dashboard pages in SMM, this area has been designed to give quick and easy access to the most frequently used areas for device administrators.

    The Threat Overview dashboard provides quick reference for the latest threat updates and snapshot view of top threats. Target warning badges will alert administrators when acceptable threat thresholds have been surpassed.

    4. Click on the Device Overview link

    The Device Overview Dashboard provides an overview of Non-Compliant Devices and a snapshot category view of causes. Corrective actions can be taken based upon Enterprise policy.

    5. Click on the arrow to expand the options in the ‘Device Management’ tab.

    Note: This is the main tab used for the majority of device based settings.

    6. Click on the Default Android Security Policy link

    7. Policy Settings page is opened with default Security tab displayed.

    This is the default policy configuration area where various settings are enabled to be delivered to enrolled devices.

    8. Scroll down to see the Applied to section, by default this policy is targeted to all Android devices not targeted by another Android Security policy.

    9. Click on the App Control tab

    Note: Settings in this tab allow for the configuration of blacklisted apps to be blocked from running on the protected device.

    10. Click on the LiveUpdate tab which shows the setting connection information for the LiveUpdate server URL.

    11. Click on the Communications tab to explore server based communication settings.

    12. Click on the arrow to expand the options in the ‘Settings’ tab.

    This area allows you to configure the global settings that govern how the Symantec Mobile Security console functions. The Default Management Server Settings page allows for management of threshold warning levels for threats, licensing and policy targeting.

    13. Click on the Android Configuration link to view Device enrollment settings

    14. Click on the Android Purge Schedule link

    This is a useful area of configuration that allows for ease of database maintenance to purge older Android devices based upon administrator controlled criteria.

    Symantec App Center

    App Center focuses on securing apps and their data on a per-app basis so the headache of having corporate and personal data on devices becomes a non-issue. While employed, corporate and personal data is kept separate and secure. If an employee leaves the company, all the encrypted corporate apps and content can be revoked without touching any personal data. One of the great things about App Center is that it can be a complement to MDM solutions like Symantec Mobile Management.

    Accessing the App Center Console

    The App Center securely serves up apps to mobile devices and implements remote device management services. Today, we will view app policies and add users. It’s worth noting that mobile users will never access this web site. They will do everything from their phone, tablet, or iPad.

    1. There are 24 (2-25) App Centers provisioned for this lab, each with the naming convention symc-demo##.appcenterhq.com

    For example:

    https://symc-demo02.appcenterhq.com

    https://symc-demo03.appcenterhq.com

    https://symc-demo04.appcenterhq.com

    https://symc-demo05.appcenterhq.com

    https://symc-demo25.appcenterhq.com

    2. Open a browser, select an App Center and enter the following credentials:

    Username: admin

    Password: Symantec1!

    Adding Apps from an External App Store

    Administrators can publish web apps, secure web apps, private apps, and external store apps for their users. Additionally, apps can be published in multiple states such as Production, Beta, and Development. Furthermore, apps can be assigned to specific user groups, based on need for access allowing for greater flexibility in sharing certain types of apps with end users, beta testers, and developers.

    1. Click the Apps tab in the navigation column on the left

    2. Click the Add App button at the top of the second column and a new window will open. This window is where we can add new applications to the App Center App Store. App Center supports most major mobile operating systems including iOS, Android, and Blackberry apps.

    3. Click the radio button next to External Store App

    4. Click the Android Marketplace hyperlink to open the Google Play website in your web browser (https://play.google.com/store)

    5. In the search box, type the app you wish to search for, such as “Adobe Reader”

    6. Click on the app icon to browse to the app’s URL

    7. Copy the URL into the App Center and click Verify Store URL

    8. After verification, App Center will automatically download the description and screenshots of the app. You can configure who can install the app from this page (you can set this later as well).

    9. Click Save on the bottom right

    10. You will be returned to the Apps tab

    Viewing App Policies

    1. Click the App Policy tab on the left column.

    2. Click the Sample App Policy and click the Edit button

    3. Note the options that are available for both iOS and Android. Check the boxes next to User Authentication required, Encryption required, and Block inter-app document sharing. This will require the user to log in using their App Store account whenever they want to use the app, will encrypt all data in the app, and will prevent the user from sharing documents from the app.

    4. Click Cancel to close the policy.

    Add Content

    The App Center can also be used to publish policy-enforced content to users.

    1. Right-click on the virtual machine’s desktop and select New > Text Document.

    2. Add some content to the text file and save it with the format yourfirstname_yourlastname.txt.

    3. Click Content in the left column on the console

    4. Click the Add Content button in the top-middle of the screen

    5. Browse to the virtual machine’s desktop and select the file you just saved.

    6. Note that you can configure the category, policy, version, and content expiry, in addition to setting a description and who can download the content.

    7. Click Save to return to the previous screen.

    View Content Policies

    1. Click Content Policy in the left column of the console

    2. Click the New Content Policy button

    3. Create a new Content policy called Lab Policy.

    4. De-select the Encryption required checkbox.

    5. De-select the Allow content preview checkbox.

    6. Note the various options available for content policies.

    7. Click Save to return to the previous screen.

    Apply the Content Policy

    1. Click the Content tab in the first column on the left

    2. Select your text file from the list and click the Edit button in the upper-right corner.

    3. Choose Lab Policy from the dropdown next to Policy: and click Save.

    App Center Agent Demonstration – Instructor Led

    In this exercise we will take a look at a brief demonstration of the application policy wrapping capabilities in App Center from a user perspective on a mobile device. Due to limitations in our lab environment, this exercise will be an instructor-led demonstration.