enterprise mobility manager™software.a1.net/misc/emm_admin_guide_3.0.pdfenterprise mobility...

Mobile Security Management:

Enabling Device Security Using Mobile Device Management

Matthew Bancroft

Chief Marketing Officer

Mformation Technologies Inc.

343 Thornall Street

Edison, New Jersey 08837

USA

T: +1 732 692 6200

www.mformation.com

Enterprise Mobility Manager™

Version 3.3 R4/14 Administration User Guide

Issue 3.0

EMM 3.3 ADMIN USER GUIDE Issue 3.0

Mformation Software Technologies, LLC. Confidential and Proprietary. Page i

Copyright 2014, MFORMATION SOFTWARE TECHNOLOGIES LLC, all rights reserved.

Mformation Software Technologies LLC

581 Main Street

Suite 640

Woodbridge, New Jersey 07095

USA

T: +1 732 692 6200

www.mformation.com

Proprietary Statement

The Programs (which include both the software and documentation) contain proprietary information of

Mformation Software Technologies, LLC; they are provided under a license agreement containing

restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual

and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs is

prohibited.

Trademarks

Mformation Software Technologies, LLC trademarks and registered trademarks include but are not

limited to “Mformation”, the Mformation logo, “Mformation SERVICE MANAGER” and “Mformation

ENTERPRISE MANAGER”.

All other brands, product names, and company names mentioned herein may be registered

trademarks or trademarks of their respective holders.


Mformation Software Technologies, LLC. Confidential and Proprietary. Page ii

DOCUMENT HISTORY

Revision Description of Change Issue Date

2.0 Added EMM 3.3 (R4/14) Features: Service Packages,

Reports, iOS 7 Managed Applications.

March 4, 2014

2.1 Added Section 9.3.2.1 describing Google

requirements for URL for an external App. Added

section 9.3.2.2 for Apple iTunes URL.

March 5, 2014

2.2 Update service package screenshots. March 6, 2014

2.3 Incorporate review comments from QA. March 12, 2014

2.4 Update Device Details Edit function description to

include change group. Updated Device Details

screens. Added description of a disabled “blacklisted”

function (Section 1.3) by a Service Package

March 14, 2014

2.5 Updated Figure 3 March 17, 2014

2.6 Added comments to address customer feedback:

Sections 2.2, 4.2, 4.3, 4.4, 4.4.1, 4.4.2 and 4.4.3.

March 27, 2014

2.7 Updated Sections 2.1.2, 2.1.3, 9.1, 9.2 and associated

figures.

April 1, 2014

2.8 Updated Section 8.1.5 to add more detail about

Recent Actions and the use of the command “Monitor

SW Inventory”

April 4, 2014

2.9 Added note identifying PC requirement for the AD

Utility

April 9, 2014

3.0 Updated document to use official PlayStore and

iTunes name for Android client: “Mformation

Enterprise Manager”. Added note to clarify use of

Vital Signs indicators in Section 8.1.3

April 15, 2014


Mformation Software Technologies, LLC. Confidential and Proprietary. Page iii

TABLE OF CONTENTS ENTERPRISE MOBILITY MANAGER™ ............................................................................................... 1

VERSION 3.3 R4/14................................................................................................................................ 1

ADMINISTRATION USER GUIDE ................................................................................................................ 1 ISSUE 3.0 .............................................................................................................................................. 1 ABOUT THIS GUIDE ................................................................................................................................ 1 AUDIENCE ............................................................................................................................................. 1 ENTERPRISE CUSTOMER FEATURES ....................................................................................................... 1 SUPPORTED ROLES ............................................................................................................................... 2 EMPLOYEE ROLE ................................................................................................................................... 3 ORGANIZATION ...................................................................................................................................... 4 TYPOGRAPHICAL CONVENTIONS ............................................................................................................. 5 ABOUT CUSTOMIZING THE UI .................................................................................................................. 5 ADMIN’S COMPUTER REQUIREMENTS ...................................................................................................... 5

1 NAVIGATING THE USER INTERFACE ......................................................................................... 6

1.1 UI OVERVIEW .................................................................................................................................. 6 1.2 IT DASHBOARD ................................................................................................................................ 6

1.2.1 Navigation Bar ........................................................................................................................ 7 1.2.2 Status Charts .......................................................................................................................... 7 1.2.3 Quick Links.............................................................................................................................. 7 1.2.4 Key Functions ......................................................................................................................... 7 1.2.5 Advanced Filters ..................................................................................................................... 8 1.2.6 Report Files ............................................................................................................................. 9 1.2.7 Detail Drill-down ...................................................................................................................... 9 1.2.8 Modal Windows and Icons ...................................................................................................... 9

1.3 DISABLED FUNCTIONS ...................................................................................................................... 9 1.4 LOGGING IN AND OUT OF EMM ....................................................................................................... 10

1.4.1 Logging In to EMM ................................................................................................................ 10 1.4.2 Forgotten Password .............................................................................................................. 11 1.4.3 Logging Out of EMM ............................................................................................................. 11

1.5 ACCOUNT SETTINGS....................................................................................................................... 11 1.6 HELP ............................................................................................................................................. 12

2 USING THE DASHBOARD ........................................................................................................... 13

2.1 USING CHARTS .............................................................................................................................. 13 2.1.1 Bar Charts ............................................................................................................................. 13 2.1.2 Line Chart.............................................................................................................................. 14 2.1.3 Pie Charts ............................................................................................................................. 14

2.2 VIEWING THE ACTIVITY LOG ............................................................................................................ 15 2.3 VIEWING THE SYSTEM OVERVIEW ................................................................................................... 15 2.4 USING QUICKLINKS ........................................................................................................................ 15

2.4.1 Add User ............................................................................................................................... 15 2.4.2 Add Device ............................................................................................................................ 15 2.4.3 Add App ................................................................................................................................ 16 2.4.4 Edit Policy ............................................................................................................................. 16 2.4.5 Run Scan .............................................................................................................................. 16

2.5 MSP DASHBOARD .......................................................................................................................... 16 2.5.1 MSP Admin Unique Functions .............................................................................................. 17

3 MANAGING GROUPS .................................................................................................................. 18

3.1 USING THE GROUP LIST PAGE ........................................................................................................ 18


Mformation Software Technologies, LLC. Confidential and Proprietary. Page iv

3.1.1 Using Download Report ........................................................................................................ 19 3.1.2 Viewing Group Details .......................................................................................................... 19 3.1.3 Using Group Actions ............................................................................................................. 20

3.1.3.1 MSP Group Actions ....................................................................................................................20 3.2 ADDING A GROUP ........................................................................................................................... 21

3.2.1 Enterprise SubGroup ............................................................................................................ 21 3.2.2 Adding an Enterprise Group ................................................................................................. 21 3.2.3 Editing a Group ..................................................................................................................... 24

4 MANAGING POLICIES ................................................................................................................. 26

4.1 VIEWING SECURITY AND SETTINGS POLICIES ................................................................................... 27 4.2 MANAGING SECURITY POLICIES ...................................................................................................... 28 4.3 MANAGING SETTINGS POLICIES ...................................................................................................... 29 4.4 MANAGING APP POLICIES ............................................................................................................... 29

4.4.1 Adding an Application Blacklist or Whitelist .......................................................................... 30 4.4.2 Modifying an Application Whitelist or Blacklist ...................................................................... 32 4.4.3 Specifying Required Applications ......................................................................................... 33

5 MANAGING USERS ...................................................................................................................... 34

5.1 USING THE USER LIST PAGE ........................................................................................................... 34 5.1.1 User Summary ...................................................................................................................... 34 5.1.2 User List ................................................................................................................................ 34

5.2 ADDING USERS .............................................................................................................................. 35 5.2.1 Adding a Single User ............................................................................................................ 35

5.3 USER LIST ACTIONS ....................................................................................................................... 36 5.3.1 Edit User ............................................................................................................................... 36 5.3.2 List Devices ........................................................................................................................... 37

6 MANAGING DEVICES .................................................................................................................. 38

6.1 USING THE DEVICE LIST PAGE ........................................................................................................ 38 6.2 ADDING A DEVICE .......................................................................................................................... 39 6.3 USING DEVICE STATUS ................................................................................................................... 39

7 ENROLLING DEVICES ................................................................................................................. 41

7.1 ENROLLING A SINGLE DEVICE ......................................................................................................... 43 7.2 BULK UPLOAD ENROLLMENT ........................................................................................................... 45 7.3 STAGED ENROLLMENT .................................................................................................................... 46 7.4 ENROLLMENT WITH THE ENTERPRISE’S ACTIVE DIRECTORY ............................................................. 47 7.5 ENROLLMENT USING THE GOOGLE PLAYSTORE OR THE APPLE APP STORE ...................................... 48

8 MANAGING DEVICE DETAILS .................................................................................................... 50

8.1 USING THE DEVICE DETAILS PAGE .................................................................................................. 50 8.1.1 Device Information ................................................................................................................ 51 8.1.2 Device Quick Links ............................................................................................................... 52

8.1.2.1 Send Message ...........................................................................................................................53 8.1.3 Device Vital Signs ................................................................................................................. 53 8.1.4 Device Compliance Indicators .............................................................................................. 55 8.1.5 Recent Actions ...................................................................................................................... 55

8.2 USING THE APPS TAB ..................................................................................................................... 56 8.2.1 Installing an App ................................................................................................................... 56 8.2.2 Retrieving and sending iOS 7 App Configurations ............................................................... 57

8.3 USING THE SECURITY TAB .............................................................................................................. 60 8.3.1 Locking or Unlocking a Device.............................................................................................. 61 8.3.2 Wiping or Selective Wiping a Device .................................................................................... 61

8.3.2.1 Selective Wipe ...........................................................................................................................61


Mformation Software Technologies, LLC. Confidential and Proprietary. Page v

8.3.3 Implementing Apple iOS Security ......................................................................................... 62 8.3.4 Viewing Apple Device Security Status and Restrictions ....................................................... 63

8.4 USING THE LOCATION TAB .............................................................................................................. 64 8.4.1 Viewing Location Information ................................................................................................ 64

9 MANAGING APPS AND DOCUMENTS ....................................................................................... 65

9.1 USING THE APPLICATION CATALOG ................................................................................................. 65 9.2 USING THE DOCUMENT LIBRARY ..................................................................................................... 67 9.3 ADDING AN APPLICATION OR DOCUMENT ......................................................................................... 67

9.3.1 Adding an Enterprise App ..................................................................................................... 68 9.3.2 Adding an External App ........................................................................................................ 69

9.3.2.1 Android External App URL Requirements ..................................................................................70 9.3.2.2 Apple iTunes External App URL Requirements .........................................................................71 9.3.2.3 Editing Application Metadata ......................................................................................................71

9.3.3 Adding a Document .............................................................................................................. 72 9.4 APPLE IOS 7 MANAGED APP CONFIGURATION ................................................................................. 73

9.4.1 Configuring an IOS7 Managed Application ........................................................................... 73

10 SCHEDULING REPORTS ......................................................................................................... 76

10.1.1 Available Reports ................................................................................................................ 77 10.1.1.1 Audit History Report ...............................................................................................................77 10.1.1.2 Application Inventory report ....................................................................................................79 10.1.1.3 Command Activity Report .......................................................................................................79 10.1.1.4 Command Summary Report ...................................................................................................80 10.1.1.5 Device Detail Report ..............................................................................................................80

10.1.2 Creating a Report ................................................................................................................ 80 10.1.3 Downloading Reports .......................................................................................................... 82 10.1.4 Deleting a Report Schedule ................................................................................................ 83

11 USING SERVICE PACKAGES .................................................................................................. 85

11.1 ADDING OR MODIFYING A SERVICE PACKAGE ................................................................................ 86 11.1.1 Using the Package Page .................................................................................................... 87

11.2 ATTACHING AND DETACHING SERVICE PACKAGES ......................................................................... 89

FIGURES Figure 1: Possible Enterprise Group Structure ....................................................................................... 2

Figure 2: Employee Landing Page .......................................................................................................... 4

Figure 3: Employee Options .................................................................................................................... 4

Figure 4: IT Admin Landing Page ........................................................................................................... 7

Figure 5: Quick Links Toolbar ................................................................................................................. 7

Figure 6: Devices Tab ............................................................................................................................. 8

Figure 7: Advanced Filter for Devices ..................................................................................................... 8

Figure 8: Device Details Page ................................................................................................................. 9


Mformation Software Technologies, LLC. Confidential and Proprietary. Page vi

Figure 9: Disabled Control Color ........................................................................................................... 10

Figure 10: Login Page ........................................................................................................................... 10

Figure 11: Forgot your Password? ........................................................................................................ 11

Figure 12: Reset Password ................................................................................................................... 11

Figure 13: Dashboard Charts Section ................................................................................................... 13

Figure 14: Dashboard Charts View of Devices ..................................................................................... 15

Figure 15: Quick links ............................................................................................................................ 15

Figure 16: MSP Dashboard ................................................................................................................... 16

Figure 17: Groups Page - IT Admin ...................................................................................................... 19

Figure 18: Download Report and Add Group Tiles ............................................................................... 19

Figure 19: Group Actions - IT Admin ..................................................................................................... 19

Figure 20: Group Actions - MSP Admin ................................................................................................ 20

Figure 21: Adding an Enterprise Child Group ....................................................................................... 21

Figure 22: Adding an Enterprise Group ................................................................................................ 22

Figure 23: LDAP/AD Authentication Setup ........................................................................................... 23

Figure 24: Group Details ....................................................................................................................... 24

Figure 25: Group Customization Fields ................................................................................................. 25

Figure 26: Group List with Policy Tooltip............................................................................................... 27

Figure 27: Security Policy Page ............................................................................................................ 28

Figure 28: Application Policy Page ....................................................................................................... 31

Figure 29: Modify Application Policy Page ............................................................................................ 33

Figure 30: Required App Selection ....................................................................................................... 33

Figure 31: Users List Page .................................................................................................................... 34

Figure 32: Users Page Toolbar ............................................................................................................. 35

Figure 33: Add User Page ..................................................................................................................... 35

Figure 34: User Details Page ................................................................................................................ 37

Figure 35: List Devices for a User ......................................................................................................... 37

Figure 36: Devices Tab ......................................................................................................................... 38

Figure 37: Enrollment Options .............................................................................................................. 41


Mformation Software Technologies, LLC. Confidential and Proprietary. Page vii

Figure 38: Enrollment Options .............................................................................................................. 42

Figure 39: Email Enrollment Message .................................................................................................. 42

Figure 40: Add Single Device Enrollment ............................................................................................. 43

Figure 41: Add User Window ................................................................................................................ 44

Figure 42: Single Device Enrollment via Email ..................................................................................... 44

Figure 43: Bulk Enrollment Request ..................................................................................................... 45

Figure 44: Bulk Upload Enrollment ....................................................................................................... 46

Figure 45: Staged Enrollment Page ...................................................................................................... 47

Figure 46: Staged Enrollment User Page ............................................................................................. 47

Figure 47: Android Device Registration Page ....................................................................................... 49

Figure 48: Android Device Registration Completion ............................................................................. 49

Figure 49: Detail Details Page-Upper Portion ....................................................................................... 50

Figure 50: Device Information Pane ...................................................................................................... 51

Figure 51: Device Details Commands ................................................................................................... 52

Figure 52: Send Message Modal .......................................................................................................... 53

Figure 53: Device Vital Signs ................................................................................................................ 54

Figure 54 : Compliance Indicators ........................................................................................................ 55

Figure 55: Device Details-Apps Tab ..................................................................................................... 56

Figure 56: Install App Window .............................................................................................................. 57

Figure 57: Device Application Tab-Configure App ................................................................................ 58

Figure 58: Retrieving the App Configuration from the Device .............................................................. 58

Figure 59: Retrieve App Configuration in Progress .............................................................................. 59

Figure 60: Send Default App Configuration to the Device .................................................................... 59

Figure 61: Send Default App Configuration in Progress ....................................................................... 60

Figure 62: Device Details-Security Tab ................................................................................................. 60

Figure 63: Lock Window ........................................................................................................................ 61

Figure 64: Wipe Window ....................................................................................................................... 61

Figure 65: Location Page ...................................................................................................................... 64

Figure 66: Apps List Page ..................................................................................................................... 65


Mformation Software Technologies, LLC. Confidential and Proprietary. Page viii

Figure 67: App Action Icons .................................................................................................................. 66

Figure 68: Document Library Page ....................................................................................................... 67

Figure 69: Add App Tile ........................................................................................................................ 68

Figure 70: Add App/Upload Document Window ................................................................................... 68

Figure 71: Add Enterprise App .............................................................................................................. 69

Figure 72: Add External App ................................................................................................................. 70

Figure 73: Editing Application Data ....................................................................................................... 72

Figure 74: Add Document Page ............................................................................................................ 72

Figure 75: Configure App Icon .............................................................................................................. 74

Figure 76: Application Configuration Modal .......................................................................................... 74

Figure 77: App Configuration Save Request Confirmation ................................................................... 75

Figure 78: Report Icon........................................................................................................................... 81

Figure 79: Reports Page ....................................................................................................................... 81

Figure 80: Add Report Icon ................................................................................................................... 81

Figure 81: Creating a Report Schedule................................................................................................. 82

Figure 82: View Generated Reports Filter............................................................................................. 82

Figure 83: View Generated Reports Page ............................................................................................ 83

Figure 84: Delete Report Icon ............................................................................................................... 83

Figure 85: Delete Report Confirmation ................................................................................................. 84

Figure 86: Group List with Package Tooltip .......................................................................................... 87

Figure 87: Package Page ...................................................................................................................... 87

Figure 88: Service Package Display ..................................................................................................... 88

Figure 89: New Service Package Modal ............................................................................................... 88

Figure 90: Group with “Detach” Package Icon ...................................................................................... 89

Figure 91: Group with “Attach” Package Icon ....................................................................................... 90

Figure 92: Choose a Service Package Modal ....................................................................................... 90

Figure 93: Service Package "Attach" Confirmation ............................................................................... 91


Mformation Software Technologies, LLC. Confidential and Proprietary. Page ix

TABLES Table 1: Administrator UI Pages for Different Roles ............................................................................... 3

Table 2: EMM User Access ................................................................................................................... 18

Table 3: Device Information Fields ........................................................................................................ 52

Table 4: Device Vital Signs ................................................................................................................... 54

Table 5: Apple iPhone/iPad Security Information ................................................................................. 63

Table 6: Google URL Formats for Android Apps .................................................................................. 71

Table 7: Audit Objects and Actions ....................................................................................................... 77

Table 8: IT Admin Restricted Commands/Actions ................................................................................ 85

Table 9: Employee Restricted Commands/Actions ............................................................................... 86


MFORMATION CONFIDENTIAL AND PROPRIETARY Page 1

About This Guide The Admin User Guide describes how administrators can enroll devices and manage users,

applications and policies for Enterprise Accounts using the Enterprise Mobility Management features

of the Mformation Enterprise Mobility Manager™ (EMM).

This preface provides you with information on the following:

Audience

Enterprise Customer Features

Organization

Typographical Conventions

Audience

This User Guide was developed for Administrators and these roles are provided:

The IT Administrator: a role that is responsible for Enterprise Mobility Management for their

company. The IT Admin can define users and groups, assign devices, send policies and

applications to employees, enroll devices and perform all the management tasks necessary

for the efficient management of a company’s wireless device inventory.

The Managed Service Provider- MSP Administrator: Managed Service Providers who offer

Enterprise Mobility Management services to enterprises are provided with a role that gives

them visibility of all the enterprises receiving their services. A MSP Admin can perform any of

the functions of an IT Admin for each enterprise consistent with their service offering. When a

MSP Admin is present, this role can create Enterprise groups and users with the IT Admin

role.

The Top-Admin: this is an optional role that can perform all the functions of an IT Admin for

any of the enterprises present on the system. The Top-Admin is created by the System

Security Officer (SSO).

Enterprise Customer Features

This release includes new features to support the needs of businesses that need to manage an

inventory of wireless devices provided to their employees. An “Enterprise Customer” is concerned

with the management of an inventory of mobile devices used by their employees. EMM features can

be provided to the Enterprise either through a stand-alone system owned by the Enterprise or by a

Managed Service Provider (MSP).

The devices can be Smartphones or Tablets. Smartphones include Android and Apple devices.

Tablets can be Apple iPads and Android tablets. Although these devices have wireless connectivity,

they can rely on CDMA, GPRS or Wi-Fi for that wireless link. Some devices will have a phone

number, some will be reachable only by an email address and some will have both.

To manage these devices by the enterprise the new role of IT Administrator (IT_ADMIN) has been

created and a new, specialized interface is provided to support this administrator. To reduce the



burden on IT a self-enrollment portal is also provided to permit enterprise employees to enroll, setup

and manage their own devices and the role of EMPLOYEE has also been created.

The Enterprise Account is also provided in this release. An Enterprise Account is a group type that

uses the roles of Enterprise Administrator (IT_ADMIN) and Enterprise Employee (EMPLOYEE).

Managed Service Providers (MSP) who offer device management services to businesses can add an

Enterprise Group as an Enterprise Account for each enterprise. Subgroups of an Enterprise Account

group can also be created and inherit the same roles and capabilities of the parent Enterprise

Account.

A possible group structure for an MSP offering services to enterprises is shown in this figure:

MSP

Enterprise 2

Enterprise 2 IT Admin

Enterprise 3Enterprise 1


Group: Cust Grroup


Devices Supported:

Phones: Android, Apple

Android Tablets

iPad Tablets

Group: Enterprise Account

MSP:

MSP Admin

Figure 1: Possible Enterprise Group Structure

Additional groups can be defined below the Enterprise Account Group based on the needs of each

business: HR, Sales, Engineering, Enterprise-US, Enterprise-UK, etc. A unique UI style can be

defined for each enterprise.

Supported Roles

In EMM these roles are supported; one of these roles is assigned to each user on the system:

Top Admin (TOP_ADMIN) (optional)

MSP Admin (CUST_ADMIN)

IT Admin (IT_ADMIN)

Employee (EMPLOYEE)



Each of the Administrator roles uses the new UI with differences reflecting the breadth of responsibility

of each role:

A Top Admin has visibility to all Enterprise accounts on the system.

A MSP Admin has visibility to only Enterprise accounts owned by the MSP.

An IT Admin has visibility to only his/her Enterprise account.

This table identifies the UI Pages that are provided to each role.

Table 1: Administrator UI Pages for Different Roles

UI Page Top Admin MSP Admin IT Admin

Administration

MSP Dashboard

Provided- (this is the Landing Page)

Provided-(this is the Landing Page)

No

IT Admin Dashboard

Provided Provided Provided- (this is the Landing Page)

Groups Provided (A Top Admin is able to modify all Groups Expiration Dates)

Provided (A MSP Admin is able to modify their MSP Group’s Expiration Dates)

Provided (An IT Admin cannot modify Group Expiration Dates)

Users Provided Provided Provided

Devices Provided Provided Provided

Apps Provided Provided Provided

Device Details

Apps Provided Provided Provided

Security Provided Provided Provided

Location Provided* Provided* Provided*

* Location tab is hidden when local law requires it.

Employee Role The Employee role has limited access to functions associated with his/her enrolled devices.

The Employee role has a unique landing page and has these functions available:

Add Apps: an Employee can add Apps from the Apps Catalog to their device.



Lock Device: an Employee can Lock or Unlock their device.

Locate Device: for an Android device, an Employee can see their device’s location.

Restore Policy: an Employee can request that Settings and Security Policies be sent to their device.

Enrollment: an Employee can Self-Enroll their device.

The Employee Landing Page looks like this figure. All the devices enrolled for the user are listed.

This example shows four devices for this user.

Figure 2: Employee Landing Page

When an employee selects a device these options are presented.

Figure 3: Employee Options

Organization

This document is organized into 11 chapters as follows:

1 Navigating the User Interface

2 Using the Dashboard

3 Managing Groups

4 Managing Policies

5 Managing Users

6 Managing Devices



7 Enrolling Devices

8 Managing Device Details

9 Managing Applications and Documents

10 Scheduling Reports

11 Using Service Packages

Typographical Conventions

This document uses the typographical conventions described in the following table.

Bold Tabs, Page names, Fields, Buttons as follows:

User tab

User Details page

Password field

OK button

Italics Notes and Book Titles as follows:

NOTES: This is important information.

MEM Device User Guide

About Customizing the UI

For each Enterprise the customer’s logo can be displayed. The colors displayed can be customized

for the Enterprise. When the Enterprise group is defined, these can be specified.

Admin’s Computer Requirements

The computer used by either Admin role (IT_ADMIN or CUST_ADMIN) should meet these requirements:

Browser: IE 10 or later (Windows OS only), Firefox 25 or later, Chrome 30 or later

Internet Connection

LDAP Active Directory Requirement: Windows XP and subsequent Windows platforms

The convention of… Shows…



1 NAVIGATING THE USER INTERFACE

EMM has a graphical user interface (GUI), which enables you, as an Administrator, to set up and use

the features of the system.

This chapter describes how to log into and navigate within the EMM GUI.

1.1 UI Overview

The User Interface presented to any of the Administrator roles has these objectives:

Provide a state-of-the-art, modern look and feel for the UI with simpler navigation features.

Simplify the steps to execute a task by bringing to one page all the steps to accomplish them.

Incorporate Dashboards to provide “at-a-glance” status for an administrator.

Incorporate the new device enrollment options into the UI.

Facilitate a Self-Enrollment option enabling a new Enterprise to trial the system.

1.2 IT Dashboard

The IT Dashboard is illustrative of the new design.



Figure 4: IT Admin Landing Page

1.2.1 Navigation Bar

The Navigation bar at the top of the page shows the Admin login name and provides access to Account Settings, Help and Log out features. If a license to use expiration date has been defined for the Enterprise, the number of remaining days on that license is shown and a Subscribe link for ecommerce trial customers to extend their license.

When an Enterprise license expires, the Enterprise user’s logins are suspended and IT Admin and Employee users cannot log into the server. A MSP can update the expiration date using the Edit Group page.

1.2.2 Status Charts

The Dashboard includes a set of charts that alert the Admin to issues that may require his/her attention. Scroll left and right buttons are provided to access all the charts. Summaries of groups, enrolled devices, users and apps are provided. Recent Activity and News and Updates are also displayed.

1.2.3 Quick Links Every UI page also has a set of Quick Link actions at the bottom of the page for frequently used functions; these links can be shown or hidden using the button provided on the lower right corner of the page; Section 2.4 explains the use of these links:

1. Add a User

2. Add a Device

3. Add an Application

4. Add a Policy

5. Run Scan

Figure 5: Quick Links Toolbar

1.2.4 Key Functions All key functions incorporated into five tiles: Dashboard, Groups, Users, Devices and Apps. Selecting any of the tabs other than the Dashboard tab displays a tab with this format. (This is the Devices tab).



Figure 6: Devices Tab

1.2.5 Advanced Filters

Some tabs include an Advanced Filter to filter the list presented and search functions. Selecting options defines the filtering to be done.

Figure 7: Advanced Filter for Devices



1.2.6 Report Files

The ability to download a report file with the contents of a page in CSV (Comma Separated Variable) or PDF format is provided on some pages. A Report Scheduler is also provided to generate daily, weekly, monthly and real-time reports. Functions such as obtaining Status information are denoted with a standard set of icons used throughout the UI.

1.2.7 Detail Drill-down

Selecting one of the entries on a tab page expands to provide a page enabling the Admin to modify the entry. In the case of a device the page provides details of a specific device.

Figure 8: Device Details Page

1.2.8 Modal Windows and Icons

Extensive use of pop-up Modal Windows is implemented for many functions. Extensive use of iconography and colors are also present. Hovering over an item on a page provides a definition and/or status pertaining to the item.

A Modal Window is a secondary window that opens inside the main window. You must interact with it before returning to the main window. Modal windows are used in the EMM UI to display alerts, required settings and important dialogs.

In this document Modals for simplicity are sometimes called “window” or “secondary window”.

1.3 Disabled Functions

A MSP Administrator can disable specific buttons on the IT Administrator or Employee UI. This is

done using the Service Package feature. If a function has been disabled, the button’s color is

changed to a blue/grey as shown in this figure.



Figure 9: Disabled Control Color

1.4 Logging In and Out of EMM

The following sections describe how to log into and out of EMM.

1.4.1 Logging In to EMM

To access EMM, use the following steps:

1. Open your browser and enter the assigned web address. The web address can be

customized for each enterprise. The EMM Login page is displayed.

Figure 10: Login Page

2. Enter your user name or email address in the Login Id field and your corresponding

password in the Password field.

NOTE: Passwords must be alphanumeric from 6 to 14 characters, cannot consist of 3 or more

consecutive characters or numbers, and must be changed after 45 days to a new password,



which cannot repeat any of the three passwords previously used. Email addresses must be

of a valid form e.g. [email protected] (one character domain names are not permitted).

Click on the Log On button. The Dashboard page is displayed,

NOTE: If a user attempts to access EMM and enters an incorrect password 3 times, access to the

system is locked for 120 minutes. An IT Administrator or System Security Officer (SSO) can unlock

an account within the 120 minute timeframe.

1.4.2 Forgotten Password

If a user has entered an incorrect password, the user is given the option to select “Forgot your

Password?”

Figure 11: Forgot your Password?

If the user has an email address, the user will be asked to enter their enterprise email address and

instruction to reset the password is sent to the user.

Figure 12: Reset Password

1.4.3 Logging Out of EMM

To exit the EMM system, click on the Logout option, which is located in the upper right hand corner of

all pages within the EMM system.

1.5 Account Settings

Selecting the Account Settings link enables the user to modify some personal account parameters.

mailto:[email protected]



1.6 Help

Selecting Help presents the Help Center which contains

Videos to demonstrate using EMM.

A list of Frequently Asked Questions and Answers.

A Glossary of Terms.

A suite of User Guides which can be downloaded.



2 USING THE DASHBOARD

The IT Admin Dashboard provides an entry point to all Admin functions, a Chart of Issues that need Admin attention and summaries of System Activity.

2.1 Using Charts

The Dashboard Charts section provides a set of charts that summarize the devices being managed

and bar charts that identify devices requiring attention.

Figure 13: Dashboard Charts Section

2.1.1 Bar Charts

Examples of items needing attention include devices that have not yet enrolled or devices that are not compliant with existing Policies. Each red bar represents an issue requiring action and the length of the bar indicates the percentage of devices with the issue:

Not Enrolled: Devices which have not completed enrollment.

Security Policy Non-Compliant: Devices which are not compliant with the Security Policy in effect.

Settings Policy Non-Compliant: Devices which are not compliant with the Settings Policy in effect.

Apps Blacklisted: Devices with blacklisted Apps present.

Compromised: Android Devices that have been “rooted”: the device’s OS has been modified. (Detection of modified Apple devices (i.e. “Jailbreaked”) is not supported; Apple devices are always recorded as NOT being compromised).

Security Breach: Apple iOS devices that have the MDM (Mobile Device Management profile) removed and also iOS and Android devices that have not contacted the EMM server in the last 30 days are identified as “Security Breach”.

By hovering over the bar for an issue possible actions are displayed: the possible actions vary by bar:

Not Enrolled

o List Devices: displays a list of all affected devices.

o Sends Enrollment



Security Policy

o List Devices

o Send Security Policy

Settings Policy

o List Devices

o Send Settings Policy

Blacklisted Apps Found

o List Devices

o Uninstall Blacklisted Apps: (1) For Android devices an Uninstall App command is sent; (2) For iOS devices an email notification to remove the App is sent.

Required Apps Missing

o List Devices

o Install required Apps

Compromised

o List Devices

o Notify Users: “We have detected that your device has been Compromised. Please contact your IT Admin”.

Security Breach

o MDM Removed: List Devices

o MDM Removed: Notify Users: “We have detected that your device has the MDM Profile removed. Please contact your IT Admin”.

o No contact in Last 30 Days: List Devices

o No contact in Last 30 Days: Run Scan

NOTE: An IT Admin will be allowed to take an Action on the group of devices that are out of

compliance (i.e.: Send Enrollment). However, when the IT Admin clicks on the action again, the

system will check to see if the action is still in progress. An action is in progress if there are still

commands that have not reached the SENT status for that batch.

In this case the following error pop-ups on a secondary window – “This action is in progress, please

try again later”

EXCEPTION: There is a possibility that an IT Admin may take an action at the enterprise group level

and another IT Admin at a sub-group also takes the same action. For this case no checks are made.

This is a rare scenario.

2.1.2 Line Chart

The Line Chart displays historical data and historical data for 12 months is present:

Total Users added each month

Total Devices added each month

Total Apps that were installed from EMM onto devices each month.

2.1.3 Pie Charts

Pie charts are also provided to show other views of the devices being managed:



Devices by Platform: Android, iOS, Android CDMA, Unknown

Devices by Type: Phone, Tablet

Figure 14: Dashboard Charts View of Devices

Using the scroll arrows on the left or right side of the Charts section slides the alternative summaries

into view.

2.2 Viewing the Activity Log

This section displays the list of actions executed from the Bar Chart hover functions (section 2.1.1). It

displays the activity for the last 60 days.

NOTE: Commands and actions initiated from the Device Details page (Figure 8) for a specific device

are not recorded in the Activity Log.

2.3 Viewing the System Overview

The System Overview provides a total of the Groups, Devices, Users and Apps being managed by the

Admin. The number of Apps represents total number of Apps that have been downloaded to devices.

(For example if an Enterprise has 100 users and 4 unique Apps have been downloaded to all 100

devices, the App figure would be 400).

2.4 Using Quicklinks

Quicklinks are present along the bottom margin of the page. They provide easy actions to important

functions.

Figure 15: Quick links

2.4.1 Add User

This link goes to the User Add page; see Section 5.2.

2.4.2 Add Device

This link goes to the Device Add page to enroll a device; see Section 7.



2.4.3 Add App

This link goes to the Add App page to upload an App; see Section 9.3.

2.4.4 Edit Policy

This link goes to the Add/Edit Policy page where the details of the Settings or Security Policies in

effect for the group can be viewed and edited; see Section 4.

2.4.5 Run Scan

Running a Scan initiates a check of all enrolled devices and the system database and only updates the Apps Inventory information. The Apps Inventory consists of updating the EMM server with the current list of applications on each device and the Application Policy status of blacklisted/whitelisted and required Apps present on devices. When an Admin clicks on the Scan button, the system will check to see if there is a Scan already in progress. A Scan is in progress when the commands triggered by the Scan are still in the queue to be completed. Once all the commands go to SENT state, then it will indicate that the Scan is done and the IT Admin will be able to send a Scan again. If the Scan is still in progress, a window should pop up and display the message "Scan already in progress, please try later"

2.5 MSP Dashboard

A MSP Admin (or Top Admin) can also view the IT Admin Dashboard for each Enterprise group but in

addition a MSP Dashboard is provided with an additional chart that summarizes activity in each of the

Enterprise groups. A MSP Admin can view the details of all the Enterprise’s that he/she has created.

The MSP Dashboard lists each Enterprise and the date it was created. For each Enterprise the

current count of Users, Enrolled Devices and Apps are shown.

Each Enterprise group has a license expiration date governing the use of their access to EMM. A Top

Admin or a MSP Admin can modify the expiration date of the Enterprise groups for which they are

responsible. When the license expires, user logins for the Enterprise group are suspended.

However, enrolled devices can continue to use EMM Client features.

Figure 16: MSP Dashboard

Selecting an Enterprise name presents the IT Admin Dashboard for that Enterprise to the MSP Admin.



Status indicators quickly alert the MSP Admin to an issue that may be present in any of the Enterprises. Two status indicators are provided:

This status means that the Enterprise is “Fully Compliant” and none of the Bar Chart issues (in Section 2.1.1) for that Enterprise are Red.

This status means that the Enterprise is “Non-Compliant” because at least one of the Bar Chart issues for that Enterprise is Red.

Summary line graphs show the total number of users and devices that the MSP is managing.

2.5.1 MSP Admin Unique Functions

A few functions throughout the UI can only be performed by a MSP Admin. These functions include

Creating an Enterprise Group (section 3.2.2).

Managing Service Packages (section 11).

Specifying or editing an Enterprise Group License Expiry Date (section 3.2.2).

These functions are explained in the sections identified.



3 MANAGING GROUPS

Groups organize Users into one or more related categories. Subgroups can be created within related

categories (or Groups), creating a hierarchy. The top level of any Group is referred to as the “parent”.

A subgroup is referred to as a “child” or “offspring”. Each Enterprise has an Enterprise Group created

for it. An Admin can create child groups if required for the enterprise.

Users, Devices, Apps, Documents and Policies are all associated with a group. They are not

accessible by users in other groups.

Table 2: EMM User Access

Function Description

Enterprise

Group

An Enterprise Group allows only the use of the Roles of IT Admin and Employee. The IT

Admin is provided with a unique, streamlined set of functions to manage devices for a

business which offers an inventory of devices and applications to their employees. The

Employee role is provided for self-enrollment and management of devices such as phones

and tablets by an employee of the business. Child groups can be created by an IT Admin and

they inherit the roles and all of the parameters of the Enterprise group and are identified as

“Subgroup”. Application, Security and Settings Policies are not inherited by subgroups;

unique Policies for each group can be defined.

Roles Identifies functions allowed to users within a selected Group. Every user in EMM is assigned

a role. The roles of IT_ADMIN and EMPLOYEE are pre-defined for an Enterprise group.

3.1 Using the Group List Page

The Groups List page is reached by selecting the Groups Tile:

The Groups List presents a list of all the groups that have been created for the Enterprise for which

the Admin is responsible. For each group a list of actions is provided. A ‘Download Report’ tile and

an ‘Add Group’ tile are both provided.

The Groups page is shown in this figure.



Figure 17: Groups Page - IT Admin

The count of groups, users and devices associated with the enterprise is displayed.

3.1.1 Using Download Report

The Download Report tile sends a CSV file of the Group details on the page to the user’s computer. The Add Group tile is used to add a child group.

Figure 18: Download Report and Add Group Tiles

If child groups have been created, they are also listed.

3.1.2 Viewing Group Details

For each group this information is provided:

Name

Description

Date the Group was created

Number of Users assigned to the group

Number of Devices associated with the group

Group Type: Enterprise, Subgroup

A set of Action icons

Figure 19: Group Actions - IT Admin



3.1.3 Using Group Actions

The Actions column displays via icons a series of actions that are used to modify group parameters and to list the users and devices associated with a group. They include Edit Group, List Users, List Devices, Edit Security Policy, Edit Settings Policy and List Apps. Hovering over an icon explains its function and clicking on an icon navigates to a page to perform that function.

Edit Group : this navigates to the Edit Group page where the description of the group and other parameters can be modified.

List Users : this navigates to the User List page which lists all the users assigned to the group.

List Devices : this navigates to the Device List page which lists all the devices assigned to the group.

Edit Policy : hovering on this icon displays three tooltips for Settings, Security and Application Policies. Selecting a tooltip navigates to the selected Policy page (Settings, Security or Application) which is used to add or modify the parameters of the Policy that is in effect.

View Reports : this navigates to the Reports page which is used to schedule Reports for the group.

3.1.3.1 MSP Group Actions

The MSP (CUST_ADMIN) role has an additional action appearing on the action toolbar. This action is

used to manage Service Packages.

Figure 20: Group Actions - MSP Admin



Hovering over the Service Package Icon displays a tooltip which when selected navigates to the Service Package page.

3.2 Adding a Group

3.2.1 Enterprise SubGroup

An IT Admin can only add a new SubGroup to their parent Enterprise Group. The SubGroup inherits

all the parameters (except Policy settings) of the parent group (e.g. Messages, Logos, Domain name,

etc. as shown in Section 3.2.2). The group is added by performing these actions:

1. Login to EMM as an IT Admin.

2. Select the Groups Tile

3. Select Add Group tile; the Add Group page is displayed.

Figure 21: Adding an Enterprise Child Group

4. Select the Parent Group (if more than one is available).

5. Enter the Group Name (alphanumeric, maximum length 15 characters).

6. Enter a short Description for the group.

7. Select Add to enter the group; the group appears in the Group List. The Policy Page is

displayed for setup of Application, Security or Settings Policies if required. Alternatively, at a

later time, Group Actions (See Section 3.1.3) can be accessed to customize the Application,

Security and Settings Policy (See Section 4) parameters for the child group.

3.2.2 Adding an Enterprise Group

A MSP Admin (or a Top-Admin) can add a new Enterprise Group. The definition of an Enterprise

Group requires additional parameters. The Enterprise Group is added by performing these actions.

1. Login as an MSP Admin.

2. Select the Groups Tile.

3. Select Add Group tile; the Add Group page is displayed.



4. Select the Enterprise Group box and the additional parameters are displayed.

Figure 22: Adding an Enterprise Group

5. Enter the Group Name (alphanumeric, maximum length 15 characters).

6. Enter a short Description for the group.

7. Enter the Support Email Address. This is the email to which support requests and

notifications are sent for the Enterprise.

8. Enter the Expiration Date for the Enterprise’s Licenses to use the EMM service.

9. Enter the domain name of the customer (e.g. enterprise.com). This is appended to

notification messages and is used to verify email addresses of users to ensure they are

associated with the enterprise.

10. If iOS devices are to be managed, an Apple APNS Certificate must be uploaded. When the

APNS Certificate was obtained, a password was assigned and it must also be entered. After

the certificate is uploaded the Expiry Date and the APNS Topic are displayed. The Topic is a

string provided by Apple when the Enterprise is registered for MDM and is used in APNS

push actions.



11. An option for LDAP Authentication is provided. For a company that utilizes the Lightweight

Directory Access Protocol (LDAP) to access its Active Directory of employees, authentication

of a user can be verified using the credentials in the enterprise’s Active Directory. When

“LDAP Authentication” is enabled, EMM verifies the user by accessing the company’s

directory. This eliminates the need to maintain user credentials on EMM. It enables an

enterprise’s users to use the same domain password that they use to access their company’s

email and other resources.

An Enterprise Active Directory Connector (EADC) application is provided which can be downloaded to the Admin’s desktop. EADC implements the interface between the Active Directory and EMM. If required for your use, please contact your EMM support team to obtain the EADC application.

a. When LDAP Authentication is enabled the Password and Confirm Password fields on

the Add User and Edit user pages are disabled since the password that is used is the

password maintained in the Active Directory. Passwords are not maintained in the

EMM database and users cannot use the Account Settings to modify their passwords.

b. The EADC adapter is installed on the Admin’s desktop. LDAP/AD Authentication is

enabled by selected the check (tick) box and a valid EMM Username (email address)

and Password with access to the enterprise group must be entered. (A separate user

guide for EADC is provided).

Figure 23: LDAP/AD Authentication Setup

NOTE 1: the Username entered must be the full email address: e.g. [email protected] not

“joesmith”.

NOTE 2: Unselecting the check (tick) box disables LDAP/AD Authentication. When LDAP/AD is

disabled, all users created while LDAP was in use cannot log into EMM until you provide them with a

password.

12. If required, customization of the user interface for the enterprise can be done.

a. A .PNG file of the Enterprise’s logo can be uploaded; it appears on each UI page.

The current logo (if present) is shown. A pixel size is 60x230 with 36 DPI (Dots per

inch) is a good size.

b. The color palettes can be used to change the Toolbar background color, the Toolbar

Text Color and the Toolbar Button Color.

13. Three notification messages are provided and the text can be edited if required. The

messages contain fields that are automatically inserted such as #LOGIN_LINK#,

#USERNAME#, ${PIN}, ${phoneticPin} etc.; these fields should NOT be removed. Link

breaks “<br>” are also present and should be retained for proper formatting.




a. PIN Message: this message is sent with a PIN to a device user who is self-enrolling

a device to confirm a user’s identity. It is sent to the user’s email address and the

user must enter it to complete enrollment.

b. Enrollment Message: this message is sent as the enrollment request to a user. It

contains links that the user accesses to complete the enrollment.

c. Welcome Message: this message is sent after the user has enrolled. It provides

details that the user can use to login and access the EMPLOYEE role features.

14. Select Add to enter the group; the group appears in the Group List. The Policy Page is

displayed for setup of Application, Security or Settings Policies if required. Alternatively, at a

later time the Group Actions (See Section 3.1.3) should be accessed to enter Policy

parameters (See Section 4) for the group. An IT Admin should also be defined for each

Enterprise Group (See Section 5.2).

3.2.3 Editing a Group

Some parameters of a group can be edited.

1. Login as an MSP Admin.

2. Select the Groups Tile.

3. Locate the group to be edited and select the Edit Group icon in the Actions section.

4. The Group Details are displayed.

Figure 24: Group Details

You can also update the page customization: logo and colors:



Figure 25: Group Customization Fields

5. Save the changes when completed.



4 MANAGING POLICIES

A Policy is a set of configuration settings, security restrictions or application rules that can be applied

to all devices in a group. A group can have ONLY ONE active Policy of each type. Policies are not

inherited by subgroups. These Policies are provided:

Settings Policy a set of required configuration settings

Security Policy a set of device restrictions and Passcode rules

Application Policy a set of permitted and/or not permitted applications

NOTE: You are not required to define Policies. If no Policies are specified, the default device Settings

and Security Policies defined by the device vendor apply and no Application Policy is in effect.

The features described in this section enable an Administrator to specify the settings and restrictions

to be applied to all similar devices in a group. EMM automatically applies them to all the applicable

devices in the group and reports the compliance to each policy for each device. Device Platforms are

provided for similar device types such as Android or Apple devices. Using Policies simplifies the

Admin’s management tasks by eliminating the need to send individual settings to each device or

setting up tasks to send them to a group of devices.

When a Policy is added, modified or deleted, EMM automatically applies the Policy change to all

applicable devices by scheduling action to effect the Policy change. The ability to modify or delete a

Policy already applied to a device is limited by the capabilities of the device; some devices do not

support the deletion or overwriting of a setting. If the devices either were Compliant to an existing

Policy or had No applicable Policy in effect, the applicable devices become Non-Compliant until the

Policy change is implemented.

For applications the Administrator can specify a set of applications that an Enterprise does not allow on their user’s devices. Notifications can be sent to the device user automatically when an application is detected on a device that is not compliant with an Enterprise’s policies. The Admin can also specify a set of Required Applications which EMM downloads to the device when it is enrolled. The administration of Application Policies is discussed in Section 4.4.

On an Android device with the EMM Client installed, a heartbeat is automatically initiated by the client after it receives either a Security or Settings Policy. At a minimum frequency of once a day the EMM Client reports to the server the compliance status of the device. This report is sent to https://server/ipservlet/ip . For Apple iOS devices a Security or Setting Policy cannot be modified on the device; as long as MDM management is present on the device, the device is in compliance with defined Security and Settings Policies. Whenever a Scan of an Apple device is executed, compliance or non-compliance with an Application Policy is reported.

EMM provides sets of Policy templates for various device platforms, the Admin can edit them and apply them to a group. A description of the fields in the Settings and Security Policy templates is found in the document Mformation Policy Definitions available from Mformation.

NOTE: Some parameters are specified in the templates as Personal Parameters (denoted by “P” next to the parameter). These parameters can be setup so the device user can enter the parameter. It is most often used for parameters such as a Password, Login Name and Email address. When setting up a Personal Parameter the option “No Prompt” should ALWAYS be selected.

https://server/ipservlet/ip



4.1 Viewing Security and Settings Policies

The Security, Settings and Application Policy functions are combined in a single Policy icon with a “+”

tooltip present. Hovering over the icon presents a tooltip with the three Policy types which can each

be selected. For MSP Admin use a new icon for Service Packages is created with a tooltip for

functions associated with packages.

This figure illustrates the “tooltip” for Policies. The Policy icon has a tooltip to select the type of policy.

Figure 26: Group List with Policy Tooltip

The Policies applicable to a group can be viewed using this steps.


2. Select the Groups Tile, the Groups List page is displayed.

3. For the group of interest in the set of Action icons, select the Policy icon and the Edit Security

Policy tooltip to view the Security Policy for the group, select the Edit Settings Policy tooltip to

view the Settings Policy for the group or select Edit App Policy tooltip to view the Application

Policy for the group. A Policy is specific to the device platform (Android, Apple, etc.) and a

drop-down is provided to select the platform. Figure 27 shows the example of a Security

Policy for the Android platform.



Figure 27: Security Policy Page

4. All the parameters associated with the Policy are shown.

5. Often the parameters are grouped and the “+” icon is used to expand the collection.

4.2 Managing Security Policies

A Security Policy controls the PassCode settings, Restrictions and Encryption parameters of a device

platform. A Security Policy is specific to the platform. It is important to note that not every device may

support all the components of a Policy: for example, not all Android devices support encryption.

However EMM and the EMM Client are designed to ignore unsupported features on a device.

PassCode settings are those which determine the characteristics of the PassCode used on a device.

PassCode minimum length, PassCode age before requiring a change and the minimum number of

complex characters are typical PassCode restrictions.

Restrictions vary by device and refer to controls that determine which features are allowed to be used

on a device. Allowing camera use, roaming, and game use are all typical Restrictions on a device.

Encryption settings determine if encryption is to be used and the characteristics of the encryption.

Before adding or modifying a Security Policy it is important to review its parameters and determine the

appropriate values of each for the enterprise.

To Add or Modify a Security Policy follow these steps.



3. For the group of interest in the set of Action icons, select the Policy icon and the Edit

Security Policy tooltip.

4. If the Policy is new, the parameters must be specified. If the Policy is being modified, the

parameter changes can be made.



5. When the additions or changes are completed, select Save to activate the Policy. Policies

are not inherited by subgroups; you must add or modify a policy for each group.

6. A Delete option is present: selecting it removes the Security Policy for the group. A Cancel

option is also available to terminate the modification.

4.3 Managing Settings Policies

A Settings Policy controls a device’s configuration settings that control the services that are present

on the device. Services such as email, activesync, and web access all require parameters that are

unique to the enterprise. A Settings Policy is specific to the platform. It is important to note that not

every device may support all the components of a Policy.

Before adding or modifying a Settings Policy it is important to review its parameters and determine the

appropriate values of each for the enterprise. Values for settings are often very specific to each

enterprise and the IT organization is a good source of information.

To Add or Modify a Settings Policy follow these steps.



3. For the group of interest in the set of Action icons, select the Policy icon and the Edit Settings

Policy tooltip.

4. If the Policy is new, the parameters must be specified. If the Policy is being modified, the

parameter changes can be made.

5. When the additions or changes are completed, select Save to activate the Policy. Policies

are not inherited by subgroups; you must add or modify a policy for each group.

6. A Delete option is present: selecting it removes the Settings Policy for the group. A Cancel

option is also available to terminate the modification.

4.4 Managing App Policies

This feature provides the ability for an Admin to define an Application Policy for devices. Many

Enterprises want to exercise control over the applications their employees install on their devices.

Some Enterprises also allow employee-owned devices used for company business (known as

“BYOD” devices) and the Enterprise needs to identify if a device is a Personal BYOD device.

To create an Application Policy, the Admin can specify for a group either a Blacklist or a Whitelist as

the preference.

For a group there can be EITHER one Blacklist OR one Whitelist. If Blacklist is the preference, a Whitelist is not allowed and vice versa.

A “Blacklist” is a set of Applications that is not allowed to be on the device by Enterprise policy.

A “Whitelist” is a set of Applications that ONLY can be on the device by Enterprise policy. All Applications that are detected and inventoried from the device and are not on the Whitelist are treated as Blacklisted Applications.



Only applications that are installed by the user are checked to determine if they are on a Blacklist or Whitelist. Applications downloaded from EMM are assumed to be allowed on the device and are not included in a Whitelist or Blacklist.

If a Blacklist Application is detected on a device, a message can be defined to automatically be sent to the device to inform the user that he/she is not compliant with company policy.

A device that is owned by the user can be designated as a “Personal” device; no Applications are identified as a Blacklist application on a Personal device.

When entering a name e.g. “AppName” for a blacklist or Whitelist, wildcard entries are supported and the entry is not case sensitive.

AppName is matched by *AppName* (the entry contains AppName), *AppName (the entry ends with AppName or AppName* (the entry starts with AppName).

Example: for a blacklisted or whitelisted App, *Facebook should match any of these: MyFacebook, myfacebook, Thefacebook, etc.).

If a Blacklist is defined, EMM uses the AppName with wildcard filters and case insensitivity when checking the software inventory on a device to determine if a Blacklist App is present on the device.

If a Whitelist is defined, EMM uses the AppName with wildcard filters and case insensitivity when checking the software inventory on a device to determine if any other Apps are present on the device. If any other Apps are present, they are classified as Blacklist Apps.

A Required Application component is also provided. An Admin can identify required applications that are automatically installed when the device is enrolled. This feature replaces the Authorize/Unauthorized Software feature and the Auto-Install Software pages.

When EMM retrieves a software inventory from a device, a check for Blacklist and Required Applications is made.

If a Blacklist App is found, the option is provided to notify the device user.

4.4.1 Adding an Application Blacklist or Whitelist

Either an Application Blacklist or Whitelist can be added by following these steps.



3. For the group of interest in the set of Action icons, select the Policy icon and the Edit

Application Policy tootltip.

4. The Application Policy landing page is displayed.



Figure 28: Application Policy Page

5. Select the group to which the Application Policy applies from the drop-down. Policies are not

inherited by subgroups; you must add or modify a policy for each group.

6. Select EITHER Blacklist Apps OR Whitelist Apps for the list to be created using the radio

buttons.

a. A Blacklist is a list of user installed Applications that are not permitted on the device.

b. A Whitelist is a list of the ONLY user installed Applications that are permitted on the

device. Any other user installed applications are not allowed and considered

Blacklisted.

c. Applications that have been downloaded from EMM to a device or are a Required

Application are always Allowed applications.

7. Create the list of Applications by entering the Application Name into the App Name: field and

select the Add button to add the application.

a. Application names can take multiple formats for different devices and a wildcard filter

using the asterisk (*) character has been provided to make it easier to capture the

variations in App Names. For example *Facebook matches MyFacebook,

myfacebook, facebook, faceBook, etc. Any of those variations are included on the list

of applications for the list.

b. The Application appears in the list of Applications. The icon next to each

Application can be used to remove applications from the list.



8. Select the checkbox Apply to Personal devices (BYOD) if the check for Blacklist

Applications is to be applied to user owned devices. A check for Blacklist applications is not

made for a BYOD device unless this checkbox is selected.

9. Select the checkbox Notify Users to have a message sent to the device user when a

Blacklist Application is detected.

10. The Text box contains the notification message that is sent; a default message is provided.

The text to be sent can be edited and is retained when the list is saved.

11. Required Apps can also be specified by moving an App to the right from the list on the left in

the Bulk Required Apps section.

12. Select Submit to activate the list. A Cancel button is also available to delete the entries.

When the list is saved, the radio button for the list type that was not selected is grayed out.

4.4.2 Modifying an Application Whitelist or Blacklist

An existing Application Policy can be modified by adding or deleting applications by following these

steps.



3. For the group of interest in the set of Action icons, select the Edit Application Policy icon.

4. The Application Policy landing page is displayed.

5. The Application Policy page refreshes with the details for the Whitelist or Blacklist that has

been defined.



Figure 29: Modify Application Policy Page

6. Add Applications by entering the Application Name into the App Name: field and select the

+ button to add the application.

7. The Application appears in the list of Applications. The icon next to each Application

can be used to remove applications from the list. As required, select or deselect the other

options and/or edit the Notify Users text.

8. Select Submit to activate the list. A Cancel button is also available to ignore the entries and

retain the existing entries. Policies are not inherited by subgroups; you must add or modify a

policy for each group.

4.4.3 Specifying Required Applications

Applications that have been uploaded to the Catalog can be identified as Required Applications. All

Required Applications are downloaded to the devices in the group when the devices are enrolled.

NOTE: If a Required Application is added to a group, it is not downloaded to the devices in the group

that are already enrolled. The Required Application must be pushed to each device on the Device

Details page (Section 8.2).

1. From the Setup drop-down select Policies and from the drop-down select Application

Policy. The Application Policy landing page is displayed.

2. Select the group to which the Application Policy applies from the drop-down. The Required

Apps selection appears on the lower portion of the page.

Figure 30: Required App Selection

3. The right arrows (>) move Apps from the Available Apps column to the Required Apps

column. The left arrows (<) move tasks from the Required Apps column to the Available

Apps column. To select more than one application, hold down the CTRL key, and then make your selections. No specification of device platform is required for specifying a Required App; selecting a Required App makes it a Required App for all applicable device platforms.

4. Select Submit to activate the list. A Cancel button is also available.



5 MANAGING USERS

As the Administrator, you can search for, add, modify, and delete Users.

Users can be identified either with a username or their email address. For an Enterprise, the

minimum set of required information is an assigned Group, First Name and email address. If a login

and/or password are not specified for an Enterprise user, EMM generates them and sends them to the

Email address provided in a Welcome Message.

A User can either be an Employee or an Admin. When enrolling devices, a user or set of users are

specified and EMM enrolls the devices to the designated users.

5.1 Using the User List Page

The Users List Page is accessed by selecting the Users tile:

The User List page is used to manage Users. It lists all the users in the Enterprise and enables you to

Add, Modify or Delete Users. The User List page looks like this figure.

Figure 31: Users List Page

5.1.1 User Summary

The page provides a summary of the users in the group with these counts provided:

Number of Users.

Total number of devices assigned to users.

5.1.2 User List

For each user in the list this information is displayed:

Name

Login Username

Email Address



Group to which the User is assigned

Role (Employee, IT Admin)

Date/time the User was created

Last Login: Date/Time the user last accessed EMM

5.2 Adding Users

Users can be added individually

Figure 32: Users Page Toolbar

5.2.1 Adding a Single User

To Add a Single User follow these steps:


2. Select the Users Tile, the Users List page is displayed.

3. Select the Add User Tile, the User Add page is displayed.

Figure 33: Add User Page

4. These parameters are present.

a. First Name, Middle Initial and Last Name. First name is required.



b. Enterprise Email Address of the user: e.g. [email protected]. Required.

c. Time Zone for the user used to display times on the user’s UI. (If none is specified,

the time zone of the EMM server is used).

d. Username: the user’s login identifier (i.e. corporate username) in their company’s

records: e.g. [email protected] or juser.

e. Certificate: if a personal security certificate is used, it can be uploaded using Upload.

f. Group: used to select the group to which the user should be assigned.

g. Role: used to select the role of the user: EMPLOYEE or IT ADMIN.

h. Login: used to specify the login name of the user on the EMM system. If left blank,

EMM automatically uses the email address as the login.

i. Password: the password of the user on the EMM system. If left blank, EMM

generates a random password.

5. Select Save to complete the entry.

5.3 User List Actions

Two User Actions are available: Edit User and List Devices.

Edit User : this navigates to the User Details page where the details of the user are listed and can be modified.

List Devices : this navigates to the Device List page which lists all the devices assigned to the user are shown.

5.3.1 Edit User

To edit User Details follow these steps.



3. For the user to be edited, select the Edit Details icon, the User Details page is displayed.





Figure 34: User Details Page

4. If the user is locked for inactivity, you can unlock the user. You can also lock the user from

EMM access if required.

5. Beginning in EMM 3.3 and later releases, the Group field is a drop down. If other groups are

available, the drop-down can be used to move the user and all devices associated with the

user to another group. All Policies associated with the new group then become applicable to

the user and his/her devices.

6. Modify the parameters as needed and select Save to record the changes.

5.3.2 List Devices

List Devices provides a list of devices assigned to the user. To show the devices assigned to a User

follow these steps:



3. Select the List Devices icon, the User Device Details page is displayed.

Figure 35: List Devices for a User

4. The details of each device can be viewed. See Section 6.3.



6 MANAGING DEVICES

As an administrator you can view, enroll or delete devices. A device that has been assigned to a user and setup for management by EMM is ”enrolled”. For each device information about the device is provided.

6.1 Using the Device List page

The Device List page is accessed by selecting the Devices Tile which displays the list of devices

already defined in the system:

This page is accessed by following these steps.


2. Select the Devices tile, the Device List page is displayed.

Figure 36: Devices Tab

A count of the Total Number of devices that have been defined on the system and the number of

enrolled and non-enrolled devices is also provided.

In addition to details pertaining to each device in the groups for which the Admin is responsible, a set

of Status icons is provided. Hovering over the icon provides a definition of the icon. The status

information displayed include whether the device is enrolled, has security and settings policies

defined, has white-listed or blacklisted Apps, is compromised and has the Mformation EMM Client

installed. A ‘Download Report’ link is provided.



In addition for the Status icons, this information is provided for each device:

Phone Number or ID: If the device has a phone number, it is shown. If the device does not have a phone number, the EMM Internal ID is shown (e.g. “ID-3”)

User: the user’s name assigned to the device.

Email: the email address of the user.

Serial Number: the serial number of the device.

Model: the Model Name of the device (e.g. “iPhone5”)

Type: the type of device: Phone, Tablet.

Platform: Apple, Android, Blackberry, Unknown.

Group: the group to which the device is assigned.

Ownership: specifies whether the device is Personal or Corporate owned.

Last Updated: the last update (e.g. command sent, app downloaded, etc.) made to the device

6.2 Adding A Device

Selecting Add Device displays a page to enroll a new managed device in EMM. Multiple options are

displayed:

Adding a Single Device

Mass Enrollment of Devices

Bulk enrollment of devices using an imported file of users and devices.

Enrollment of users using information from an enterprise’s Active Directory (AD).

Instructions for enrolling from the Google Playstore and Apple App Store are provided.

Details of each of these methods for device enrollment are provided in Section 7.

6.3 Using Device Status

For each device a set of status icons are available:

In the order they are displayed, these indicators provide this information:

Mformation Enrolled: if green, indicates if the EMM Client is installed on an Android device or the MDM profile on an Apple device. A red indicator indicates that the EMM Client is not installed. A grey indicator means no status is available.

Security: if green, indicates if the device is compliant with an active Security Policy. A red indicator indicates that the device is not compliant with the Policy. A grey indicator means no status is available or no Policy is in effect.

Settings: if green, indicates if the device is compliant with an active Settings Policy. A red indicator indicates that the device is not compliant with the Policy. A grey indicator means no status is available or no Policy is in effect.

Required Apps: if green, indicates if Required Apps are installed on the device. A red indicator indicates that the device is missing Required Apps. A grey indicator means no status is available.



Blacklisted Apps: if green, indicates that no blacklisted Apps are present on the device. A red indicator indicates that the device has Blacklisted Apps installed. A grey indicator means no status is available.

Compromised: if green, indicates that the device is not compromised. A compromised device is an Android device for which its OS has been modified. A red indicator means the device is compromised. A grey indicator means no status is available.

Security Breach: if green, indicates that a Security Breach is not present on the device. A Security Breach occurs on an Apple device for which the MDM Profile is removed or that the device that has not communicated with the server in the last 30 days. A red indicator means the device has a Security Breach. A grey indicator means no status is available.



7 ENROLLING DEVICES

Enrollment is the process by which a device is setup to be managed by EMM. Android devices are

managed with the installation of an Mformation device client on the device and Apple devices are

managed with EMM using the Apple Push Notification Service (APNS).

For Android and Apple devices, the need to specify the make and model of a device is not required;

EMM determines the specific make and model. Enrollment focuses on the device user and once the

user is identified to EMM either by an email address or a phone number, enrollment proceeds with a

minimum of Admin actions.

This figure illustrates all the enrollment options.

Figure 37: Enrollment Options

Each enrollment option is present on the Enroll Device page.



Figure 38: Enrollment Options

The enrollment options available are

1. Enroll a Single Device

2. Enroll Multiple Devices via a Bulk Upload

3. Staged Enrollment for Multiple Devices assigned to one user.

4. Enroll users obtained from the Enterprise’s Active Directory using the AD Utility.

5. Optionally, Self-Enrollment via the Google PlayStore or the Apple App Store. (If this is not

offered for an enterprise’s users, it can be hidden).

The device user is sent either an email or an SMS to initiate the enrollment process. If email is used, a

message with an Enrollment URL and a QR code is sent; either can be used to link to the server and

initiate the enrollment process. The QR code can be displayed on the user’s desktop or laptop and

scanned by the device with a QR reader to initiate an enrollment. The enrollment URL can also be

sent via SMS if that is the preferred method of the provider and the device is SMS capable. Another

option is for an Enterprise user to self-enroll by downloading the client from the Google PlayStore or

the Apple App Store. (In the case of the App Store, the “Client” is an App that is downloaded).

The email message that is received by the device user for enrollment is of this form.

Figure 39: Email Enrollment Message

The Welcome Message shown on this page can be customized. If the message was sent via SMS

the QR code is not present.

NOTE on QR Readers: Many free QR Readers are available but not all will work. Some readers do

not use the browser on the device and do not support the enrollment process.



The i-nigma QR Reader is recommended; it is free. i-nigma which is available on the Apple Store:

https://itunes.apple.com/us/app/i-nigma-qr-code-data-matrix/id388923203?mt=8

Or from the Google Play Store:

https://play.google.com/store/apps/details?id=com.threegvision.products.inigma.Android&hl=en

7.1 Enrolling a Single Device

Enrollment of a single device can be initiated by the IT Admin by selecting Add Device and then the

Single Device enrollment option which displays a page similar to this one.

Figure 40: Add Single Device Enrollment

Follow these steps to enroll the device.

1. Login as an IT Admin and select the Devices Tile; select the Add Devices Tile.

2. Select Add Single Device; Figure 40 is displayed.

3. The group and username must be specified and an optional phone number if the device is

cellular capable.

4. The communication method of either Email or SMS must be selected. A phone number is

required for SMS and the device must support SMS.

5. The radio buttons Corporate or Personal are used to identify if the device is Enterprise or

Personal owned respectively.

6. If the User is not already defined in the system, Add User can be selected to add the user. An

Enterprise domain name is one of the group parameters and the message returned from the

device user must use that domain name or an allowed variant.

https://itunes.apple.com/us/app/i-nigma-qr-code-data-matrix/id388923203?mt=8

https://play.google.com/store/apps/details?id=com.threegvision.products.inigma.Android&hl=en



Figure 41: Add User Window

7. The Send Request button is used to provide an option for an Admin to “stage” the device for

a user:

a. If the device user is to complete the enrollment of the device, the Send Request

button should be selected. This results in the Notification Message as shown in

Figure 39 with a QR code to be sent to the user.

b. If the Admin wishes to enroll the device for a user, the Send Request should not be

selected. In this case the Notification Message appears on the Admin’s desktop and

the Admin can complete the enrollment for the device user. This use is appropriate

when the Admin is responsible for “staging” devices for users.

8. When Enroll is selected the process begins and the enrollment message shown in Figure 39

is sent. The following figures summarize the process for either email or SMS depending on

the option selected by the Admin.

Figure 42: Single Device Enrollment via Email



7.2 Bulk Upload Enrollment

Enrollment of a collection of users can be initiated using the upload of a CSV delimited file with these

formats:

Email,[First Name],[Last Name],[Username],[Phone Number] where fields in [ ] are optional. This form is used create a device for an existing user.

Email,First Name,Last Name,[Username],[Phone Number] where fields in [ ] are optional. This form is used to create a new user and enroll the device to that user.

Email is always required. The First and Last Names are optional if the user already exists. If the User

does not exist, a user entry is created. The Username and Phone Number are always optional.

The maximum number of records that can be uploaded is 5K and the upload is rejected if this is

exceeded. The system also enrolls the device and user if they do not exist. The file must have a

“.csv” file extension.

To execute a Bulk Upload enrollment, follow these steps.

1. Login as an IT Admin and select the Devices Tile; select the Add Devices Tile.

2. Select Bulk Upload Enrollment; the Bulk Upload page is displayed.

Figure 43: Bulk Enrollment Request

3. Create an upload file off-line. It must conform to the file format

a. Email,[First Name],[Last Name],[Username],[Phone Number] where fields in [ ] are

optional. This form is used create a device for an existing user.

b. Email,First Name,Last Name,[Username],[Phone Number] where fields in [ ] are

optional. This form is used to create a new user and enroll the device to that user.

4. When Bulk Upload is selected, this page is displayed. Select (1) the group to which the

devices are to be assigned, (2) the communication method (Email or SMS) and browse to

locate the file of users.



Figure 44: Bulk Upload Enrollment

5. Select Upload to upload the file and begin the enrollment process.

6. The user interface provides the status of each upload, the total number of users that were in

the file and the number of successful enrollments.

7. If a format error in the file was detected, an error is shown and an error file describing the

error is provided: click on “Error File”

An option to support SMS is provided; in that case the record must contain a phone number. The SMS option is only displayed if the system is configured to support a SMSC.

If SMS is not used, EMM sends an email message to each user as shown in Figure 39 to enroll their

device.

7.3 Staged Enrollment

This feature addresses a unique use case. In this use case the Admin is enrolling a set of devices

against one user. The user receives a QR code on a laptop or desktop which is scanned by each

device to initiate the enrollment.

Alternatively, for iOS devices the Apple Configurator that can be used to pass the enrollment

information to the EMM server for a collection of devices. Some enterprises use this method to mass

enroll Apple devices.

There are several possible applications for this use case; here are some examples:

A classroom has a set of tablets that are used by students in class. The students take the tablet from a rack, use it in class and return it to the rack. The individual students are not identified as users in EMM.

A hotel provides a smartphone to guests to use to access hotel guest services. The guests are not identified as users in EMM.

To execute a Staged Enrollment, follow these steps.

1. Login as an Admin and select the Devices Tile; select the Add Devices Tile.



2. Select Staging; The Staged Enrollment page (Figure 45) is displayed.

Figure 45: Staged Enrollment Page

3. Using this page requires the entry of a group, a user and an expiration time for the URL to be

sent. The process flow looks like this:

o An Enrollment URL is generated when ‘Get URL’ is selected and has an expiration (Expiry) time in hours (maximum 24 hours).

o The Enrollment URL is assigned to one designated user only.

o The Enrollment URL is displayed on the user’s laptop/desktop.

o The Enrollment URL is displayed as a QR code image.

o The user uses the QR code to enroll the set of devices.

4. The enrolling user receives a message similar to this one; a QR code is present.

Figure 46: Staged Enrollment User Page

5. Using the QR code provided, the assigned user can complete the enrollment of each device.

7.4 Enrollment with the Enterprise’s Active Directory

This option enrolls devices using a set of users with their email addresses obtained from the

Enterprise’s Active Directory (AD) of employees.



Mformation has provided an AD Utility which this option will download. The AD Utility is a Microsoft

Windows based application; it enables the IT Admin to access their Enterprise Active Directory and

select a set of users for which devices are to be enrolled. The IT Admin can initiate the enrollment

which creates the devices and users in EMM. An enrollment message as shown in Figure 39 is sent.

When this option is selected, the Admin is prompted to download the AD Utility1 which leads the

Admin through the setup and user selection steps. The AD Utility imports the selected file of users

and a Bulk Enrollment of these users can be initiated.

7.5 Enrollment Using the Google Playstore or the Apple App Store

Mformation will install the Android EMM Client on PlayStore and an App on the Apple App Store (i.e.

iTunes). This enables the user to download the client/app to their device by searching for the name

“Mformation Enterprise Manager”. The enrollment follows the steps of a Single Device enrollment

(Section 7.1) but the device user must first enter information to establish identity.

Use of this feature is a customer option and it may not be present for all enterprise customers.

NOTE: The EMM Client for Android devices is available on Google PlayStore under the name

Mformation Enterprise Manager. Each deployment of EMM can have Mformation’s EMM client

branded to their specific needs and then place this branded client on Google PlayStore. In order

for the new branded client to be installed and operating correctly on the device, it is required

that the existing Mformation Management Client BE DELETED from the device. If this is not done,

then there will be two management authorities on the device, which can lead to malfunction of

EMM functions.

Selecting the App Store option for Add Devices provides a description of the process. Here is the

user experience for an Android Device.

1. After downloading the client the user is presented with this page.

1 The Mformation Enterprise Active Directory Utility Guide is available to describe the installation,

configuration and use of this tool.



Figure 47: Android Device Registration Page

2. The registration continues; the PIN sent to the user via email must be entered.

Figure 48: Android Device Registration Completion

The device user completes the entry of personal details; EMM receives the information and verifies

the email domain name to be associated with a valid Enterprise on EMM and sends a confirmation

PIN to the email address. Returning a correct PIN completes the enrollment.



8 MANAGING DEVICE DETAILS

EMM provides the capability to monitor the details of each device. The Device Details page provides information about the characteristics of each device, the recent commands that have been executed for the device. Commands are provided to update the device, edit details of the device user or to delete the device. Tabs are provided to manage the Apps and Documents on the device, modify Security settings, and view the Location of the device.

The Device Details page for a device is reached from the Device List page. By selecting the phone number or ID which appears in the Phone Number column, you navigate to the Device Details page for the device.

If the device is enrolled, information about the device and the features activated on it are displayed. If the device is not enrolled, some basic information about the device is displayed.

8.1 Using the Device Details Page

To navigate to the Device Details page for a specific device follow these steps.


2. Select the Devices tile,

the Device List page is displayed.

3. Select the device by clicking on the value in the Phone Number field for the device, the

Device Details page for the device is displayed. Here is an example of the upper portion of

the page.

Figure 49: Detail Details Page-Upper Portion



The lower portion of the page consists of up to three Tabs:

Apps: used for managing Apps on the device.

Security: used for managing Lock and Wipe and to enable/disable features.

Location: used to display the location of the device (if supported by the device).

The upper portion has these components:

Device Information

Device Quicklinks

Device Vital Signs

Device Compliance

Recent Actions

8.1.1 Device Information

The Device Information pane contains information about the device and its user. The presence of

some information depends on whether the device is enrolled since information is retrieved from the

device. A front and back image of the device may also be displayed.

Figure 50: Device Information Pane

The following table describes each of the fields that may be present in the device information section;

the appearance of fields varies by device type.



Table 3: Device Information Fields

Field Description

Device Displays the phone number or the internal Identifier associated with

the device. An internal EMM identifier is used for Wi-Fi only

devices such as an IPad which do not support cellular service and

do not have a phone number. It is of the form “ID=nn” and is in

place of the phone number.

User User name of the enrolled device user.

Last contact Date and time of the last contact with the device.

Make Specifies the manufacturer of the device.

Model Indicates model of the device.

Platform Android, Apple, Blackberry, Unknown

Type Phone, Tablet

Identifier The serial number of the device, the MAC address, IMEI or the

internal serial number for iOS devices.

Network The cellular network currently associated with the device (if

applicable).

Ownership Personal or Corporate

EMM Client If present, the EMM Client version.

8.1.2 Device Quick Links

Three buttons are present for updating device information.

Figure 51: Device Details Commands

Selecting each command initiates these actions:



Scan: initiates a request to the device to retrieve device information. This includes device vital signs, device information, application inventory, location information (if supported) and all policy compliance icons.

Edit: used to change the user assigned to the device. It can also be used to change the group of the user and his/her device. If the group is changed and the user remains the same, after saving the change a message “This action will move the user and all devices belonging to this user to the selected group. Do you wish to continue?”

Delete: used to delete the device from the system

Message used to send a message to the device.

8.1.2.1 Send Message

A message of 200 characters or less can be sent. The default is via email but if the device is cellular

capable, a SMS text message can be sent. The Subject of the message is “Enterprise Name

Message” where the “Enterprise Name” is the Group Description of the Enterprise Group. The sender

is the email address of the IT Admin who sent the message.

This is the Modal that is provided for Send Message. A count of the number of characters used is

provided as the message is typed.

Figure 52: Send Message Modal

NOTE: The option to select SMS is only displayed if the device is cellular capable and the server is configured for SMS.

8.1.3 Device Vital Signs

A set of icons are present to indicate whether features on the device are enabled (or in-use) or not.

The set of icons varies depending on the device type and platform. These icons reflect controls that

are set via a Settings or Security Policy sent to the device. Depending on the setting the icon and its

color may change.

NOTE: The information displayed for Camera, Bluetooth, Wi-Fi, Data Roaming and GPS can have a

dual meaning depending on the device and is often confusing; this is a limitation of the device. If the

device supports controlling these features, the ability to enable/disable them is controlled by the

Security Policy defined by an Admin and sent to the device. If the feature has been disabled by a

Policy, a RED icon is displayed and cannot be changed by the device user. However, if the feature

has not been disabled by a Policy AND is not in use or turned off by the device user, a RED icon is

also displayed.



Figure 53: Device Vital Signs

Table 4: Device Vital Signs

Field Description

Coverage Specifies the type of coverage: GPRS, CDMA.

Signal Displays the signal strength (RSSI)

Battery Displays the battery strength in percentages.

Free Memory Shows the remaining capacity of memory in megabytes.

Access

Technology

Specifies the Access Technology used: HSPA, LTE etc.

Additional Android and Blackberry Device Capabilities: For EMM Client equipped

devices the status of these features are displayed:

For Android EMM Client equipped devices this information may be displayed:

Bluetooth Control: Enabled, Disabled

Camera Control: Enabled, Disabled

Wi-Fi Control: Enabled, Disabled

Data Roaming Status: On, Off

GPS Status: On, Off

For Blackberry EMM Client equipped devices this information may be displayed:

Wi-Fi Control: On Off

GPS Status: On, Off

NOTE: Green means the feature is available for use on the device. Red means the

feature is disabled for use. Grey means the status is unknown.



8.1.4 Device Compliance Indicators

A set of icons provide a color indication of whether the device is in compliance with these items.

Green indicates compliance, Red indicates non-compliance and Grey indicates unknown.

EMM Client: Devices which have enrolled with the EMM Client.

Security Policy Compliance: Device status compliance with the Security Policy in effect.

Settings Policy Compliance: Device status compliance with the Settings Policy in effect.

Apps Blacklisted: Device status with blacklisted Apps.

Required Apps: Device status with required Apps.

Compromised: Android Devices that have been “rooted”: the device’s OS has been modified. (Detection of modified Apple devices (i.e. “Jailbreaked”) is not supported; Apple devices are always recorded as NOT being compromised).

Security Breach: Apple iOS devices that have MDM (Mobile Device Management profile) removed and also iOS and Android devices that have not contacted the EMM server in the last 30 days.

Figure 54 : Compliance Indicators

Executing the Scan command (Section 8.1.2) updates the status of these compliance indicators by querying the device.

Android devices with the EMM client active initiates a “heartbeat” response to the server which occurs minimally once a day; this updates Security and Settings Policy compliance indicators for the device.

8.1.5 Recent Actions

The last five commands sent to the device and their status is displayed along with the date and time.

These states are used to describe the status for a command:

Pending command has been issued and is in queue.

Sent command has been sent and response is awaited from a device.

Success command has been accepted and processed successfully.

Failed command has not succeeded; the command failed at the device or timed out.

Most the commands that appear in the Recent Actions list are reasonably self-explanatory: e.g. “Get Device Details”, “Get Vital Signs”, etc.; these commands reflect actions taken to retrieve information from the device.

“Monitor SW Update” is one command that is less intuitive; whenever an application is installed or uninstalled on the device, this command is sent to retrieve a current application inventory from the device and the updated inventory is displayed on the Apps tab. This command also appears during the enrollment process and is used to instruct the EMM client on the device to report the software inventory on the device back to the EMM server.



8.2 Using the Apps Tab

The Apps Tab provides a view of the Applications that are installed on the device and access to the

Apps Catalog of applications that are available for installation on the device.

1. To access the Apps tab, Login to EMM as an IT Admin.



3. Select the device by clicking on the value in the phone number field for the device, the Device

Details page for the device is displayed.

4. Select the Apps Tab and if Apps are installed on the device, they are displayed.

Figure 55: Device Details-Apps Tab

5. The Tab lists all the Apps installed on the device. The software version, the category

assigned to the App (games, productivity, etc.), the App size in KB and the Actions available

for the App are shown. If the device allows the App to be uninstalled, an uninstall icon is

provided. An icon for the App is also displayed. If the Tag icon is Green, the App is a

Required App; if the Tag icon is Red, the App is a Blacklisted App or if the Tag icon is Yellow,

the App has not been designated as neither Required nor Blacklisted (i.e. Optional). A Grey

tag indicates the App designation is unknown.

8.2.1 Installing an App

An App from the Catalog can be installed on the device.

1. Select the Install Apps tile and the Install App window is displayed.



Figure 56: Install App Window

2. The Apps shown in the left column are Apps available for installation. By dragging them to

the right hand column and selecting Install the App is installed on the device.

3. If the device allows an installed App can be removed using the – icon. (Apple devices do not

allow Apps to be removed).

8.2.2 Retrieving and sending iOS 7 App Configurations

It is also possible to retrieve the key/value pairs for an iOS managed application from a device or to

send the default key/value pair values for a single device. (The default key/value pairs are those

which have been specified using the Application Configuration that was saved for an Application in

Section 9.4.1).

1. This capability is provided on the Application Tab of the Device Details page for the iOS 7

device.



Figure 57: Device Application Tab-Configure App

2. Selecting the Configure App icon displays the Application Configuration Modal. Two tabs are present:

a. Tab to retrieve the App Configuration present on the device.

b. Tab to display the default configuration for the application.

Figure 58: Retrieving the App Configuration from the Device

3. Selecting “Retrieve App Config” queries the device and obtains the current key/values pairs

on the device. An in-progress message is displayed.



Figure 59: Retrieve App Configuration in Progress

4. Selecting the Default Configuration tab displays the default key/value pairs stored in EMM. The option to Send that configuration to the device and replace the ones on the device is provided.

Figure 60: Send Default App Configuration to the Device

5. An in progress message is provided to confirm the action.



Figure 61: Send Default App Configuration in Progress

8.3 Using the Security Tab

The Security Tab is used to Lock, Unlock and Wipe a device. Lock prevents a device user from

accessing the device and Wipe removes the EMM Client or the MDM profile and all customer data

from the device. A selective Wipe is also provided.

1. To access the Security tab, Login to EMM as an IT Admin.



3. Select the device by clicking on the value in the phone number field for the device, the Device

Details page for the device is displayed.

4. Select the Security Tab.

Figure 62: Device Details-Security Tab



8.3.1 Locking or Unlocking a Device

Buttons are provided to Lock or Unlock a device. You are asked to confirm the Lock or Unlock. A secondary window is provided to provide a lock message and for those devices that support it, the option to have the device “scream” (i.e. initiate a sound tone).

Figure 63: Lock Window

8.3.2 Wiping or Selective Wiping a Device

A Wipe button is provided to initiate a Wipe of the device. Depending on the device a Wipe removes most personal data: (messages, text, contacts, etc.) and a Selective Wipe option is provided. You are asked to confirm the Wipe.

Figure 64: Wipe Window

8.3.2.1 Selective Wipe

A Selective Wipe option is provided for the use case when an employee having a personal device (BYOD) used for company business terminates relations with the enterprise. In this case it is desired to remove company Policies, Profiles and Applications or Documents that have been installed on the device while retaining the user’s information on the device. The Security tab on the Device Details page has the option to select a Full Wipe or a Selective Wipe when the Wipe command is selected.

When an Admin selects Selective Wipe for an Android device, EMM issues a “Remove Device

Management” command which has these effects:

Removes the last successful Settings Policy applied on the device.

Removes the last successful Security Policy applied on the device.

Deletes any documents downloaded via the Document Viewer.



Deletes an Apps installed on the device via EMM. For non-Samsung SAFE devices a user

prompt is required to uninstall applications and EMM provides a reminder of all the

applications that must be uninstalled.

When an acknowledgement of the command is received, (1) EMM marks the device as “NOT

ENROLLED” and (2) the device is not reported as a “SECURITY BREACH”. If LDAP

Authentication is not enabled, (3) the user’s password on EMM is blanked out, (4) the device

is assigned to the user issuing the command and the device’s group is moved to the group of

the user initiating the command.

Selective Wipe has already been available on iOS devices when a “Remove Device Management”

command is issued; it is available using the Security tab for the iOS device. When Selective Wipe is

selected for an iOS device, EMM issues a “Remove Device Management” command which has these

effects:

Removes MDM Profile on the device which removes all Profiles (Settings and Security

Policies) pushed to the device.

Deletes all Applications pushed to the device if the option “Remove App when MDM

Removed” id enabled.

Deletes any documents downloaded via the Document Viewer.

When an acknowledgement of the command is received, (1) EMM marks the device as “NOT ENROLLED” and (2) the device is not reported as a “SECURITY BREACH”. If LDAP Authentication is not enabled, (3) the user’s password on EMM is blanked out; (4) the device is assigned to the user issuing the command and (5) the device’s group is moved to the group of the user initiating the command.

8.3.3 Implementing Apple iOS Security

Apple iPhone and iPad devices support the remote management of security features through

protocols native to the device. These security features allow devices to be locked, unlocked, and

wiped without the presence of an EMM Client. The following sections describe how to use these

security features.

The implementation of security features with iPhone is limited by the capabilities of the device:

Mobile Device Management must be implemented on the device; a MDM profile must be

installed.

If the device does not have the native Passcode client activated, you must first send a

Security Policy containing a Passcode configuration by sending a Passcode configuration

profile to the device. The Passcode profile is not activated until the device user creates a

Passcode on the device. After the Passcode profile is downloaded, the device user is

prompted to create a Passcode.

If the native Passcode client has been activated by the subscriber after a policy sent by EMM

is downloaded, the subscriber can unlock the device if they know the existing Passcode.



Lock and Unlock are implemented by these actions:

o The lock function is implemented by EMM by sending a LockRequest sent to the iOS

MDM Profile. The device is locked. Outgoing calls, including those to Customer Care,

cannot be made; however, emergency calls and incoming calls are allowed.

o The unlock function is implemented by EMM by removing the Passcode profile from

the device.

Wipe on an Apple Device has this effect. When an iPhone or iPad is wiped, it is restored to its factory settings, removing all media and data from the device. Some data may be able to be restored by the device user by syncing with the appropriate systems such as iTunes, Exchange, etc.

o NOTE: If the user succeeds in restoring the MDM profile on the device, EMM rejects

the device as unknown (by sending a 401 HTTP status); the device then removes

the profile containing the MDM payload. This occurs each time restoration of the

MDM profile is attempted by the device user.

8.3.4 Viewing Apple Device Security Status and Restrictions

Security settings, device and profile restrictions can be retrieved from the device and are displayed. To retrieve current security information from the device, follow these steps.

1. Log into EMM.

2. Access the device to manage.

3. Select the Security tab.

4. The retrieved information consists of Security Information, Global Restrictions and Profile

Restrictions. The definitions of the information returned are specified by Apple.

Table 5: Apple iPhone/iPad Security Information

NOTE: Apple iOS documentation should be consulted if there are questions about these features.

Setting Description

Block-level

Encryption Enabled

If ‘Yes’, indicates that Block-level encryption is enabled on the device.

Protection Enabled If ‘Yes”, indicates that Passcode, Block-Level Encryption and File-level Encryption are all

enabled on the device.

File-level

Encryption enabled

If ‘Yes’, indicates that File-level encryption is enabled on the device.

Passcode

Compliant

If ‘Yes’, indicates that the device Passcode is compliant with all requirements on the

device including the password requirements of Exchange (if present) and other accounts

requiring a password on the device.



Setting Description

Password

Compliant with

Profiles

If ‘Yes’, indicates that the device Passcode is compliant with the requirements of profiles

including the Passcode profile downloaded to the device.

Password

Protected

If ‘Yes’, indicates that the device Passcode is enabled on the device.

8.4 Using the Location Tab

This tab displays the GPS location on a map for GPS equipped Android devices using the EMM Client. (Apple devices do not support this feature). The device’s Longitude and Latitude and time-of-fix are provided. The position is displayed on a Google map. Position information is not automatically updated; the page is updated whenever a Scan is selected. The Last Reported Time is

displayed in the Local Time of the user and tells you when the last position was obtained.

This tab is only present when device location information is provided by the device to EMM and if the legal jurisdiction allows the display.

8.4.1 Viewing Location Information

To access GPS location information for the device, follow these steps.

1. Log into EMM.

2. Select the device to be viewed

3. Select the Location tab. The Location page displays. If the Location tab is not present and

the GPS Status indicator is “On”, do a Scan to retrieve the position information; if the GPS

Status indicator is “Off”, location information cannot be obtained.

Figure 65: Location Page



9 MANAGING APPS AND DOCUMENTS

As the Administrator, you can upload Applications for installation on devices and view Applications that are available for installation onto devices. These Apps form an Enterprise App Store which is available on a device for users.

Apps can be tagged as Required Apps or Apps to be Blacklisted. Either a Blacklist or a Whitelist of Apps can be defined.

Documents can also be uploaded to the Document Library and provided to devices.

9.1 Using the Application Catalog

The Application Catalog page lists all the Apps installed on EMM.

The Catalog tab lists all the Apps installed on the system.

The Documents tab lists all the Documents installed on the system

A count of the Total Apps installed on devices and Total Devices enrolled on the server.

To access the Apps and Documents Lists follow these steps.

1. Login as Admin to EMM

2. Select the Apps Tile:

3. The Apps List Catalog page is displayed.

Figure 66: Apps List Page



4. For each App in the list this information is provided:

a. A tag indicating (if Green) that the App is a Required App, (if Grey) the App is

Unknown (No designation assigned), (if Yellow) the App is Optional. A Red tag

indicates a blacklisted App.

b. An Icon for the item.

c. Name of the item.

d. Platform (Android, Apple, etc.) to which the App or Document applies.

e. Version of the App

f. Category to which the App has been assigned. Categories such as “Games”,

“Productivity”, etc. are predefined in the system.

g. Size of the App or Document.

h. Date and time installed.

5. A set of icons is provided for actions that can be performed on the App.

Edit is used to modify App metadata.

Install is used to install the App on all applicable devices in the group.

Configure App is used to configure an iOS7 (or later) App.

Figure 67: App Action Icons



9.2 Using the Document Library

Selecting Documents displays a similar page for Documents.

Figure 68: Document Library Page

1. For each Document in the list this information is provided:

a. The Group assigned to the document

b. An Icon for the document.

c. Name of the document.

d. Date the document was added to the library.

e. Size of the Document.

f. The number of downloads of the document to devices.

g. An indication of whether the document can be installed on devices that are Wi-Fi

enabled.

h. An icon “X” to delete the document from the library.

9.3 Adding an Application or Document

To install an Application or a Document on the EMM server, follow these steps.

2. Login to EMM as Admin.

3. Navigate to the Apps page.



4. Select the Add App tile.

Figure 69: Add App Tile

5. The Add App/Upload Document window is displayed. The form of this window differs slightly

based on the platform selected. An App to be installed on an Apple device has two options;

these are not present for Android devices.

a. Prevent App Backup: prevents the App to be backed up to iCloud.

b. Remove App when MDM Removed: removes the App when the Mobile Device

Management Profile is removed.

Figure 70: Add App/Upload Document Window

6. From this page an Enterprise App, and External App or a Document can be installed.

9.3.1 Adding an Enterprise App

An Enterprise App is an App that is unique to the Enterprise. To add an Enterprise App to the

Catalog, follow these steps.

NOTE: Apple prohibits an App from their iTunes App Store to download another App Store App.

Consequently an Enterprise App is not shown on the EMM Client App Store interface on the iOS

device. EMM will push an Enterprise App to an iOS device. This restiction is not the case for Android

devices.

1. Login as EMM Admin.

2. Navigate to the Add App/Upload Document window.

3. Select Enterprise App, the page refreshes with the parameters needed for the App.



Figure 71: Add Enterprise App

4. Select the group to which the App applies.

5. Select the Platform: Android, Apple, etc.

6. Select the Device Type: Phone, Tablet, All. This indicates the device types to which the App

applies.

7. Select the Category from the drop-down.

8. Choose the icon file to be displayed for the App. (30X30 pixels is the minimum size; the

Format is .PNG. Typically an Android App’s .apk includes the icon but Apple Apps usually

require the icon .PNG to be uploaded separately).

9. Enter a description for the App (< 500 characters)

10. Select the File where the App is to be found. Android Apps require an .apk file and Apple

devices require an .ipa file.

11. Select Save to complete the entry and the App will be uploaded.

9.3.2 Adding an External App

An External App is one that resides on the Google PlayStore, the Apple App Store, or some other

server. The Enterprise requires that the App becomes part of the Catalog. To add an External App

to the Catalog, follow these steps.



3. Select External App, the page refreshes with the parameters needed for the App.



Figure 72: Add External App

4. Select the group to which the App applies.

5. Select the Platform: Android, Apple, etc.

6. Select the Device Type: Phone, Tablet, All.

7. Select the Category from the drop-down.

8. Choose the icon file for the App. (30X30 pixels is the minimum size; Format is .PNG.

Typically an Android App’s .apk includes the icon but Apple Apps usually require the icon

.PNG to be uploaded separately).

9. Enter a description for the App (< 500 characters)

10. Enter the Version ID and URL that points to the App.

11. Select Save to complete the entry and the App will be uploaded.

9.3.2.1 Android External App URL Requirements

The URL format used for an external App to be installed on an Android device must conform to

formats specified by Google. Details of this format can be found using this Google link

https://developer.android.com/distribute/googleplay/promote/linking.html#UriSummary

This summary and Table 6 is a subset of Google’s information on the URL formats allowed; please

use the link above to ensure that you have the most current information.

Google defines two general formats for links that are accessible to users on an Android device. The two formats trigger slightly different behaviors on the device:

market:// Launches the Play Store app to load the target page. Not used with EMM.

https://developer.android.com/distribute/googleplay/promote/linking.html#UriSummary



http:// Allows the user choose whether to launch the Play Store app or the browser to

handle the request. If the browser handles the request, it loads the target page on the

Google Play web site.

You should use http:// format.

Table 6: Google URL Formats for Android Apps

This is the only supported format used with EMM.

For this result Web Page Link

Show the product details page for a specific app

http://play.google.com/store/apps/details?

id=<package_name>

9.3.2.2 Apple iTunes External App URL Requirements

The easiest way to find your App Store URL is by opening iTunes and copying the information directly from the App Store. The steps included below outline how you can find your App URL.

1. Open iTunes.

2. Search for your app.

3. Click your app's name and copy the URL (right-click for PC users).

Apple App Store URL’s will be in the following format:

http://itunes.apple.com/[country]/app/[App –Name]/id[App-ID]?mt=8

Note: A custom Enterprise App must have approved certificates as per Apple’s requirements.

This link provided by Apple provides details of their proper URL format.

https://developer.apple.com/library/ios/qa/qa1633/_index.html

9.3.2.3 Editing Application Metadata

The Application Metadata of an Application including a new application file can be updated. Follow

these steps.


2. Navigate to the App Lists page.

3. Select the Edit App icon and the Application Metadata is displayed.

4. Modify or update the desired parameters. Upload a new icon or App file if required.

5. Select Save to update the Application data.

https://developer.apple.com/library/ios/qa/qa1633/_index.html



Figure 73: Editing Application Data

9.3.3 Adding a Document

Documents can be uploaded to EMM and made available on devices in the Document Library. To

upload documents follow these steps.



3. Select Document, the Upload Document secondary window is displayed.

Figure 74: Add Document Page

4. Select the group for which the document is to be available.

5. Choose the file to be uploaded.

6. Select if Wi-Fi is to be allowed when downloading the document from a device.



7. Select Upload to complete the entry and the document will be uploaded.

9.4 Apple iOS 7 Managed App Configuration

Apple iOS 7 introduced the ability to configure a Managed Application and the ability to retrieve a

configuration from a Managed Application. A Managed Application is an application provided for an

Apple iOS 7 device that includes features that can be selected by the device user and/or specified by

the IT Admin. This could be a custom managed application that is developed by an enterprise for use

by their Apple device users or third-party managed applications from the Apple App Store.

Support for a Managed Application is a customer option beginning in EMM 3.3. (A Service Package

control “Disallow iOS Managed App” is provided to suppress access to this feature).

EMM can provide a configuration dictionary to third-party managed Apps and can read data from a

feedback dictionary provided by a third-party Managed App on the device. The configuration

dictionary can be used to specify features enabled or disabled on the App and the feedback dictionary

can be used to provide status of the enabled features back to the server from the App.

The managed parameters are configured as key-value pairs per Apple’s definition. The key-value

pairs are specified by each Managed Application vendor. If you send a key-value pair not recognized

by the application, an error is returned. Examples of a managed application parameter might be a

date-time when the application should begin to collect data or a parameter that enables/disables a

particular feature of the application.

To support this feature EMM has enhancements to the Applications List page to add an App

Configuration which navigates to a new App Configuration page to configure required parameters for

a Managed App. These enhancements are only displayed for applications that can support App

Configuration and only on the IOS Platform.

For a Managed Application the Device Details Apps page is also enhanced to include an App Config

icon which when selected displays the App Configuration on the device and on the EMM server. You

are able to retrieve, update and send the server App configuration to the selected Apple device.

9.4.1 Configuring an IOS7 Managed Application

A new Icon is present only for an iOS 7 Managed Application to enable the application’s key/value

pairs to be configured. To configure the managed application follow these steps.

1. Navigate to the Apps List page.

2. Locate the application that supports iOS 7 App Management.



Figure 75: Configure App Icon

3. Selecting the “Configure App” icon (i.e. the gear) displays the Application Configuration Modal.

Figure 76: Application Configuration Modal

4. This modal is used to change or add key/value pairs for the Managed Application. A key/value pair can be deleted using the “-“ icon and a new key/value pair can be added with the “+” icon. The Added/Modified App Configuration can be saved; an App Configuration can be deleted.

5. The keys and the allowed key values must be obtained from the third-party application specification; they are defined by the third-party vendor.



6. A confirmation request is required for any save or deletion request.

Figure 77: App Configuration Save Request Confirmation



10 SCHEDULING REPORTS

A facility to schedule and manage reports is introduced in this release. A suite of tabular reports can be requested and exported in CSV or PDF format. Reports are not viewable on the EMM UI. Real-time (i.e. Ad-Hoc), daily, weekly and monthly report formats are supported. Reports can be defined and exported either from the UI or via Rest API.

Command Activity Report (real-time, daily, weekly, monthly)

Command Summary Report (daily, weekly, monthly)

Device Detail Report (daily, weekly, monthly)

Audit History Report (daily, weekly, monthly)

App Inventory Report (daily, weekly, monthly)

The report generator is an extensible facility; additional reports can be added as required in future releases.

A Weekly Report picks up records of the previous week beginning Monday.

Report scheduled on Tuesday, Sept 3rd shall run pick up records of previous week beginning Monday (26th August - 1st September). The next instance of the report shall run on Tuesday, Sept 10th and shall pick up records from 2nd September - 8th September.)

A Monthly Report shall pick up records of the previous month.

Report scheduled on Sept 3rd shall run pick up records of previous month beginning 1st August - 31st August. The next instance of the report shall run on Oct 3rd, and shall pick up records of previous month (1st September - 31st September)

Report scheduled on Aug 31st shall run at the end of each month, and shall pick up records of previous month (1st July - 31st July). The next instance of the report shall run on Sept 30th, and shall pick up records of previous month (1st August - 31st August).

A Daily Report picks up records of the date specified.

It generates a report from midnight to 23:59 of the previous day.

The start date of a new Daily Report must be a future time from the current time when creating the report schedule.

A Real-time (ad-hoc) report captures the current information available for the report; the report collects data from midnight of the Start Date to 23:59:59 of the End Date; it returns results immediately.

Once a scheduled report is created it continues to be generated until the schedule is deleted: i.e. a daily report will be created every day until the schedule is deleted.



10.1.1 Available Reports

In this release these reports are provided. All are in tabular format. The date and time of the report

creation is included in the report.

10.1.1.1 Audit History Report

This report can be scheduled Daily, Weekly or Monthly. In columnar format this report displays:

Group

Audit Object Name

Audit Action Name

User

Date

Detail

The generation date of the report is also provided.

This Audit Objects and Actions are recorded. For each action (Add, Edit, Delete or Send) the

message responses are shown.

Table 7: Audit Objects and Actions

Audit Object Audit Action

Object Add Edit Delete Send

Device Added Device to User “Firstname Lastname”

None Deleted Device with Phone Number “blah”

MassEnrollment Mass Enrollment URL Generated against Group “blah” and user “blah”

None None

User Added user with Email = “blah”

Modified GROUPS/ROLES for user with Email = “blah” <br>Previous GROUPS/ROLES = blah<br>New Groups/Roles = blah2

Deleted user with Email = “blah”





Group Added Group “blah”

Modified Group “blah”

Application Added Application with name “blah”

Application Modified name “blah”

Deleted Application with name “blah”

AppsPolicy App Policy Enabled for group “blah”

App Policy Modified for group “blah

App Policy Removed for group “blah

SettingsPolicy Settings Policy Enabled for group “blah”

Settings Policy Modified for group “blah

Settings Policy Removed for group “blah”

SecurityPolicy Security Policy Enabled for group “blah”

Security Policy Modified for group “blah

Security Policy Removed for group “blah”

Documents Added Document with Filename “blah”

None Deleted Document with Filename “blah”

Service Package Added Service Package “blah”

Modified Service Package “blah”

Deleted Service Package “blah”

Commands

PhoneNumber: “nnnn” Command: “blah” Commands to be Audited

1. Scan

2. Lock

3. Unlock

4. Wipe





5. Selective Wipe

6. Settings Policy

7. Security Policy

8. Install Software

9. Uninstall Software

10. Send Message

10.1.1.2 Application Inventory report


Group

Tag (Blacklisted/Whitelisted/Required/Optional/Unknown)

App Name

Platform

Version

Installed (number of devices on which the App is installed)

This report contains all the data from subgroups as well. It does not contain Apps for BYOD devices.

10.1.1.3 Command Activity Report

This report can be scheduled Ad-Hoc, Daily, Weekly or Monthly. In columnar format this report

displays:

Group

Phone



Serial Number

Device command

Status

Initiated

Updated

User

10.1.1.4 Command Summary Report


Group

Command

Total submitted

# Failed

10.1.1.5 Device Detail Report


Group

Make

Model

Type

Platform

Serial #

Phone #

Enrolled (Y/N)

10.1.2 Creating a Report

Reports are managed on a per-group basis. A new icon is present on the Group List page to manage

reports. To add a new report schedule follow these steps

1. Navigate to the Group List page by selecting the Groups Tile.

2. Select the Reports icon for the group of interest.



Figure 78: Report Icon

Selecting the Report Icon displays the Reports page. This page lists all the report types in columns based on whether they are available as Daily, Weekly, Monthly and Ad-Hoc (real-time). If a report is available, the report symbol is green and the number of reports created with a schedule is shown; if none are available, the symbol is grey. Some reports are not available as Ad-Hoc reports and for those the symbol in the Ad-Hoc column is grey.

Figure 79: Reports Page

3. To add a report schedule the “+” icon next to the required report is selected if it is present. Only one active schedule can be in effect for each report type.

Figure 80: Add Report Icon

4. This opens a page where the schedule for the report can be defined. You give a report a name and specify its start date and time. All dates must be IN THE FUTURE; EMM does not maintain a treasure trove of report data unless requested. Ad-Hoc reports ask for an end time as well.



Figure 81: Creating a Report Schedule

5. After entering all the report parameters, save the report request and you receive a confirmation.

10.1.3 Downloading Reports

After a report has been generated, it can be downloaded to your computer. To download a report you

follow these steps.

1. Navigate to the Groups List page and select the Reports icon for the group of interest. The

Reports page (Figure 79) is displayed

2. If generated reports are available, they are shown with a Green report symbol; a Grey symbol indicates that no reports are available or scheduled. Selecting the symbol displays a list of the reports generated with that schedule. A search capability is also provided on the page.

Figure 82: View Generated Reports Filter

3. For each report a download option of PDF or CSV file is provided. Selecting one will download an available report to your computer.

4. A Delete icon (i.e. Trash Can) is also provided to delete each report.



Figure 83: View Generated Reports Page

10.1.4 Deleting a Report Schedule

Reports can be deleted by selecting the “-“symbol.

Figure 84: Delete Report Icon

1. Navigate to the Groups List page and select the Reports Icon for the group of interest.

2. Select the “-“ symbol for the report schedule to be deleted.

3. You are asked if you wish to delete the report schedule. This deletes the selected report schedule.



Figure 85: Delete Report Confirmation



11 USING SERVICE PACKAGES

An optional feature for a MSP Provider is using Service Packages. The management of Service Packages is available only to the MSP Admin (CUST_ADMIN).

A Service Package restricts access to commands to a user for each of the two enterprise roles (IT_ADMIN and EMPLOYEE) in an enterprise. Service Packages can be defined either via the Group List page UI or by REST API. Packages can be assigned to enterprise groups and sub-groups only by the MSP Admin (CUST_ADMIN). If a new sub-group is created, it inherits the same package as its parent group. A different package can be created for a sub-group. When a package is deleted, the MSP Admin is prompted if the package should be deleted for one group or for all groups; deleting the package for all groups removes the package from all groups belonging to the selected enterprise.

If required, an MSP Admin can create several service packages for an Enterprise. The concept of

attaching and detaching service packages to a group is also provided. Only one service package can

be attached to an Enterprise Group. If a new subgroup is created, it inherits the service package of

the parent group. If the service package is detached from the parent group, the subgroup inheritance

of the service package is also detached. If a service package is attached to a parent group, it is

inherited by any subgroups. However a MSP Admin can attach a different service package to a

subgroup if required.

This example illustrates the functionality.

1. The MSP Admin has previously created an Enterprise Group and two subgroups “A” and “B”.

2. The MSP Admin adds a service package “X” to the Enterprise Group (none existed).

3. Both subgroups inherit the service package “X”.

4. The MSM Admin creates a second service package “Y” and attaches it to Subgroup A.

5. Subgroup “B” still is attached to service package “X”.

6. The MSP Admin modifies service package “X” for the enterprise group.

7. Subgroup “B” inherits the changes to the service package “X”. Subgroup “A” is still attached

to service package “Y”.

This table lists the commands and actions that can be restricted for IT Admins.

Table 8: IT Admin Restricted Commands/Actions

IT Admin

Scan Device

Install Application

Uninstall Application

Send Message

Send Policy

Lock Device

Unlock Device

Wipe Device



IT Admin

Add Group

Modify Group

Add User Modify User

Delete User

Add Software

Modify Software

Delete Software

Insert Document

Remove Documents

Add Reports

Edit Reports

Delete Reports

Add (Single) Device

Bulk Upload (Devices)

Staging (Devices)

Delete Device

Delete Generated Report

Add Report Schedule

Delete Report Schedule

Add Device via App Store

iOS Managed App

These Employee role commands/actions can be restricted.

Table 9: Employee Restricted Commands/Actions

Employee

Modify User Install Application

Lock Device Unlock Device

Send Policy Locate Device

11.1 Adding or Modifying a Service Package

Follow these steps to Add or Modify a Service Package.

1. From the MSP dashboard navigate to the enterprise for which the service package is to be

added.

2. Navigate to the Groups List page.

3. Select the group for which the service package is to be added and hover over the Packages

icon. A tooltip “Manage Packages” appears and should be selected.



Figure 86: Group List with Package Tooltip

11.1.1 Using the Package Page

Selecting the tooltip brings up the Package page. The page includes an “Add Package” button, a “Select Package” drop-down which lists all the pre-existing packages.

Figure 87: Package Page

1. If a package is selected, the disabled (i.e. “blacklisted) items are listed with the disable button “on”. Scrolling is provided to view the entire list. An existing package can be modified by selecting or deselecting commands and then selecting Save. You can also Delete the

Package entirely.



Figure 88: Service Package Display

2. Selecting the “Add Package” button is used to create a new package.

3. This brings up a MODAL to create a new service package.

Figure 89: New Service Package Modal

The modal lists all the items that can be disabled and you select the items. A name is also given to the service package. The package is also ATTACHED to the group that you selected earlier and you can choose not attach the package to the group. If you choose to not attach the package to this group, use the button provided to de-select the attachment.

When the selections are complete, select Save.



11.2 Attaching and Detaching Service Packages

If a Service Package is not associated with one of the enterprise groups, it can be “Attached” to the

group by following these steps. Similarly if a Service Package is to be disassociated with a group, it

can be “Detached” from the group.

To Detach a Service Package the MSP Admin follows these steps.

1. MSP Admin navigates to the required enterprise and selects the Groups List page for the enterprise.

2. Locate the required group and select the Detach Package icon.

Figure 90: Group with “Detach” Package Icon

To Attach a Service Package the MSP Admin follows these steps.

1. MSP Admin navigates to the required enterprise and selects the Groups List page for the enterprise.

2. Locate the required group and select the Attach Package icon.

3. Groups are shown with an Attach Package icon which can be used to attach a package to the group ONLY IF no package is attached to the group



Figure 91: Group with “Attach” Package Icon

4. Selecting the icon displays a Modal to choose a service package for the group.

Figure 92: Choose a Service Package Modal

5. An existing service package can be selected from the drop-down and attached to the group. You are asked to confirm the selection.



Figure 93: Service Package "Attach" Confirmation