Mobile Security Management:
Enabling Device Security Using Mobile Device Management
Matthew Bancroft
Chief Marketing Officer
Mformation Technologies Inc.
343 Thornall Street
Edison, New Jersey 08837
USA
T: +1 732 692 6200
www.mformation.com
Enterprise Mobility Manager™
Version 3.3 R4/14 Administration User Guide
Issue 3.0
EMM 3.3 ADMIN USER GUIDE Issue 3.0
Mformation Software Technologies, LLC. Confidential and Proprietary. Page i
Copyright 2014, MFORMATION SOFTWARE TECHNOLOGIES LLC, all rights reserved.
Mformation Software Technologies LLC
581 Main Street
Suite 640
Woodbridge, New Jersey 07095
USA
T: +1 732 692 6200
www.mformation.com
Proprietary Statement
The Programs (which include both the software and documentation) contain proprietary information of
Mformation Software Technologies, LLC; they are provided under a license agreement containing
restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual
and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs is
prohibited.
Trademarks
Mformation Software Technologies, LLC trademarks and registered trademarks include but are not
limited to “Mformation”, the Mformation logo, “Mformation SERVICE MANAGER” and “Mformation
ENTERPRISE MANAGER”.
All other brands, product names, and company names mentioned herein may be registered
trademarks or trademarks of their respective holders.
DOCUMENT HISTORY
Revision Description of Change Issue Date
2.0 Added EMM 3.3 (R4/14) Features: Service Packages, Reports, iOS 7 Managed Applications. March 4, 2014
2.1 Added Section 9.3.2.1 describing Google requirements for URL for an external App. Added section 9.3.2.2 for Apple iTunes URL. March 5, 2014
2.2 Update service package screenshots. March 6, 2014
2.3 Incorporate review comments from QA. March 12, 2014
2.4 Update Device Details Edit function description to include change group. Updated Device Details screens. Added description of a disabled “blacklisted” function (Section 1.3) by a Service Package. March 14, 2014
2.5 Updated Figure 3. March 17, 2014
2.6 Added comments to address customer feedback: Sections 2.2, 4.2, 4.3, 4.4, 4.4.1, 4.4.2 and 4.4.3. March 27, 2014
2.7 Updated Sections 2.1.2, 2.1.3, 9.1, 9.2 and associated figures. April 1, 2014
2.8 Updated Section 8.1.5 to add more detail about Recent Actions and the use of the command “Monitor SW Inventory”. April 4, 2014
2.9 Added note identifying PC requirement for the AD Utility. April 9, 2014
3.0 Updated document to use official PlayStore and iTunes name for Android client: “Mformation Enterprise Manager”. Added note to clarify use of Vital Signs indicators in Section 8.1.3. April 15, 2014
TABLE OF CONTENTS
ENTERPRISE MOBILITY MANAGER™
VERSION 3.3 R4/14
ADMINISTRATION USER GUIDE
ISSUE 3.0
ABOUT THIS GUIDE
AUDIENCE
ENTERPRISE CUSTOMER FEATURES
SUPPORTED ROLES
EMPLOYEE ROLE
ORGANIZATION
TYPOGRAPHICAL CONVENTIONS
ABOUT CUSTOMIZING THE UI
ADMIN’S COMPUTER REQUIREMENTS
1 NAVIGATING THE USER INTERFACE
  1.1 UI OVERVIEW
  1.2 IT DASHBOARD
    1.2.1 Navigation Bar
    1.2.2 Status Charts
    1.2.3 Quick Links
    1.2.4 Key Functions
    1.2.5 Advanced Filters
    1.2.6 Report Files
    1.2.7 Detail Drill-down
    1.2.8 Modal Windows and Icons
  1.3 DISABLED FUNCTIONS
  1.4 LOGGING IN AND OUT OF EMM
    1.4.1 Logging In to EMM
    1.4.2 Forgotten Password
    1.4.3 Logging Out of EMM
  1.5 ACCOUNT SETTINGS
  1.6 HELP
2 USING THE DASHBOARD
  2.1 USING CHARTS
    2.1.1 Bar Charts
    2.1.2 Line Chart
    2.1.3 Pie Charts
  2.2 VIEWING THE ACTIVITY LOG
  2.3 VIEWING THE SYSTEM OVERVIEW
  2.4 USING QUICKLINKS
    2.4.1 Add User
    2.4.2 Add Device
    2.4.3 Add App
    2.4.4 Edit Policy
    2.4.5 Run Scan
  2.5 MSP DASHBOARD
    2.5.1 MSP Admin Unique Functions
3 MANAGING GROUPS
  3.1 USING THE GROUP LIST PAGE
    3.1.1 Using Download Report
    3.1.2 Viewing Group Details
    3.1.3 Using Group Actions
      3.1.3.1 MSP Group Actions
  3.2 ADDING A GROUP
    3.2.1 Enterprise SubGroup
    3.2.2 Adding an Enterprise Group
    3.2.3 Editing a Group
4 MANAGING POLICIES
  4.1 VIEWING SECURITY AND SETTINGS POLICIES
  4.2 MANAGING SECURITY POLICIES
  4.3 MANAGING SETTINGS POLICIES
  4.4 MANAGING APP POLICIES
    4.4.1 Adding an Application Blacklist or Whitelist
    4.4.2 Modifying an Application Whitelist or Blacklist
    4.4.3 Specifying Required Applications
5 MANAGING USERS
  5.1 USING THE USER LIST PAGE
    5.1.1 User Summary
    5.1.2 User List
  5.2 ADDING USERS
    5.2.1 Adding a Single User
  5.3 USER LIST ACTIONS
    5.3.1 Edit User
    5.3.2 List Devices
6 MANAGING DEVICES
  6.1 USING THE DEVICE LIST PAGE
  6.2 ADDING A DEVICE
  6.3 USING DEVICE STATUS
7 ENROLLING DEVICES
  7.1 ENROLLING A SINGLE DEVICE
  7.2 BULK UPLOAD ENROLLMENT
  7.3 STAGED ENROLLMENT
  7.4 ENROLLMENT WITH THE ENTERPRISE’S ACTIVE DIRECTORY
  7.5 ENROLLMENT USING THE GOOGLE PLAYSTORE OR THE APPLE APP STORE
8 MANAGING DEVICE DETAILS
  8.1 USING THE DEVICE DETAILS PAGE
    8.1.1 Device Information
    8.1.2 Device Quick Links
      8.1.2.1 Send Message
    8.1.3 Device Vital Signs
    8.1.4 Device Compliance Indicators
    8.1.5 Recent Actions
  8.2 USING THE APPS TAB
    8.2.1 Installing an App
    8.2.2 Retrieving and sending iOS 7 App Configurations
  8.3 USING THE SECURITY TAB
    8.3.1 Locking or Unlocking a Device
    8.3.2 Wiping or Selective Wiping a Device
      8.3.2.1 Selective Wipe
    8.3.3 Implementing Apple iOS Security
    8.3.4 Viewing Apple Device Security Status and Restrictions
  8.4 USING THE LOCATION TAB
    8.4.1 Viewing Location Information
9 MANAGING APPS AND DOCUMENTS
  9.1 USING THE APPLICATION CATALOG
  9.2 USING THE DOCUMENT LIBRARY
  9.3 ADDING AN APPLICATION OR DOCUMENT
    9.3.1 Adding an Enterprise App
    9.3.2 Adding an External App
      9.3.2.1 Android External App URL Requirements
      9.3.2.2 Apple iTunes External App URL Requirements
      9.3.2.3 Editing Application Metadata
    9.3.3 Adding a Document
  9.4 APPLE IOS 7 MANAGED APP CONFIGURATION
    9.4.1 Configuring an IOS7 Managed Application
10 SCHEDULING REPORTS
    10.1.1 Available Reports
      10.1.1.1 Audit History Report
      10.1.1.2 Application Inventory report
      10.1.1.3 Command Activity Report
      10.1.1.4 Command Summary Report
      10.1.1.5 Device Detail Report
    10.1.2 Creating a Report
    10.1.3 Downloading Reports
    10.1.4 Deleting a Report Schedule
11 USING SERVICE PACKAGES
  11.1 ADDING OR MODIFYING A SERVICE PACKAGE
    11.1.1 Using the Package Page
  11.2 ATTACHING AND DETACHING SERVICE PACKAGES
FIGURES
Figure 1: Possible Enterprise Group Structure
Figure 2: Employee Landing Page
Figure 3: Employee Options
Figure 4: IT Admin Landing Page
Figure 5: Quick Links Toolbar
Figure 6: Devices Tab
Figure 7: Advanced Filter for Devices
Figure 8: Device Details Page
Figure 9: Disabled Control Color
Figure 10: Login Page
Figure 11: Forgot your Password?
Figure 12: Reset Password
Figure 13: Dashboard Charts Section
Figure 14: Dashboard Charts View of Devices
Figure 15: Quick links
Figure 16: MSP Dashboard
Figure 17: Groups Page - IT Admin
Figure 18: Download Report and Add Group Tiles
Figure 19: Group Actions - IT Admin
Figure 20: Group Actions - MSP Admin
Figure 21: Adding an Enterprise Child Group
Figure 22: Adding an Enterprise Group
Figure 23: LDAP/AD Authentication Setup
Figure 24: Group Details
Figure 25: Group Customization Fields
Figure 26: Group List with Policy Tooltip
Figure 27: Security Policy Page
Figure 28: Application Policy Page
Figure 29: Modify Application Policy Page
Figure 30: Required App Selection
Figure 31: Users List Page
Figure 32: Users Page Toolbar
Figure 33: Add User Page
Figure 34: User Details Page
Figure 35: List Devices for a User
Figure 36: Devices Tab
Figure 37: Enrollment Options
Figure 38: Enrollment Options
Figure 39: Email Enrollment Message
Figure 40: Add Single Device Enrollment
Figure 41: Add User Window
Figure 42: Single Device Enrollment via Email
Figure 43: Bulk Enrollment Request
Figure 44: Bulk Upload Enrollment
Figure 45: Staged Enrollment Page
Figure 46: Staged Enrollment User Page
Figure 47: Android Device Registration Page
Figure 48: Android Device Registration Completion
Figure 49: Detail Details Page-Upper Portion
Figure 50: Device Information Pane
Figure 51: Device Details Commands
Figure 52: Send Message Modal
Figure 53: Device Vital Signs
Figure 54: Compliance Indicators
Figure 55: Device Details-Apps Tab
Figure 56: Install App Window
Figure 57: Device Application Tab-Configure App
Figure 58: Retrieving the App Configuration from the Device
Figure 59: Retrieve App Configuration in Progress
Figure 60: Send Default App Configuration to the Device
Figure 61: Send Default App Configuration in Progress
Figure 62: Device Details-Security Tab
Figure 63: Lock Window
Figure 64: Wipe Window
Figure 65: Location Page
Figure 66: Apps List Page
Figure 67: App Action Icons
Figure 68: Document Library Page
Figure 69: Add App Tile
Figure 70: Add App/Upload Document Window
Figure 71: Add Enterprise App
Figure 72: Add External App
Figure 73: Editing Application Data
Figure 74: Add Document Page
Figure 75: Configure App Icon
Figure 76: Application Configuration Modal
Figure 77: App Configuration Save Request Confirmation
Figure 78: Report Icon
Figure 79: Reports Page
Figure 80: Add Report Icon
Figure 81: Creating a Report Schedule
Figure 82: View Generated Reports Filter
Figure 83: View Generated Reports Page
Figure 84: Delete Report Icon
Figure 85: Delete Report Confirmation
Figure 86: Group List with Package Tooltip
Figure 87: Package Page
Figure 88: Service Package Display
Figure 89: New Service Package Modal
Figure 90: Group with “Detach” Package Icon
Figure 91: Group with “Attach” Package Icon
Figure 92: Choose a Service Package Modal
Figure 93: Service Package "Attach" Confirmation
TABLES
Table 1: Administrator UI Pages for Different Roles
Table 2: EMM User Access
Table 3: Device Information Fields
Table 4: Device Vital Signs
Table 5: Apple iPhone/iPad Security Information
Table 6: Google URL Formats for Android Apps
Table 7: Audit Objects and Actions
Table 8: IT Admin Restricted Commands/Actions
Table 9: Employee Restricted Commands/Actions
About This Guide
The Admin User Guide describes how administrators can enroll devices and manage users,
applications and policies for Enterprise Accounts using the Enterprise Mobility Management features
of the Mformation Enterprise Mobility Manager™ (EMM).
This preface provides you with information on the following:
Audience
Enterprise Customer Features
Organization
Typographical Conventions
Audience
This User Guide was developed for Administrators. These roles are provided:
The IT Administrator: a role that is responsible for Enterprise Mobility Management for their
company. The IT Admin can define users and groups, assign devices, send policies and
applications to employees, enroll devices and perform all the management tasks necessary
for the efficient management of a company’s wireless device inventory.
The Managed Service Provider (MSP) Administrator: Managed Service Providers who offer
Enterprise Mobility Management services to enterprises are provided with a role that gives
them visibility of all the enterprises receiving their services. A MSP Admin can perform any of
the functions of an IT Admin for each enterprise consistent with their service offering. When a
MSP Admin is present, this role can create Enterprise groups and users with the IT Admin
role.
The Top-Admin: this is an optional role that can perform all the functions of an IT Admin for
any of the enterprises present on the system. The Top-Admin is created by the System
Security Officer (SSO).
Enterprise Customer Features
This release includes new features to support the needs of businesses that need to manage an
inventory of wireless devices provided to their employees. An “Enterprise Customer” is concerned
with the management of an inventory of mobile devices used by their employees. EMM features can
be provided to the Enterprise either through a stand-alone system owned by the Enterprise or by a
Managed Service Provider (MSP).
The devices can be Smartphones or Tablets. Smartphones include Android and Apple devices.
Tablets can be Apple iPads and Android tablets. Although these devices have wireless connectivity,
they can rely on CDMA, GPRS or Wi-Fi for that wireless link. Some devices will have a phone
number, some will be reachable only by an email address and some will have both.
To allow the enterprise to manage these devices, the new role of IT Administrator (IT_ADMIN) has been
created, and a new, specialized interface is provided to support this administrator. To reduce the
burden on IT, a self-enrollment portal is also provided to permit enterprise employees to enroll, set up
and manage their own devices, and the role of EMPLOYEE has also been created.
The Enterprise Account is also provided in this release. An Enterprise Account is a group type that
uses the roles of Enterprise Administrator (IT_ADMIN) and Enterprise Employee (EMPLOYEE).
Managed Service Providers (MSP) who offer device management services to businesses can add an
Enterprise Group as an Enterprise Account for each enterprise. Subgroups of an Enterprise Account
group can also be created and inherit the same roles and capabilities of the parent Enterprise
Account.
A possible group structure for an MSP offering services to enterprises is shown in this figure:
[Diagram labels: MSP (Group: Cust Group; MSP Admin); Enterprise 1, Enterprise 2 and Enterprise 3 (Group: Enterprise Account), each with its own IT Admin; Devices Supported: Phones: Android, Apple; Android Tablets; iPad Tablets]
Figure 1: Possible Enterprise Group Structure
Additional groups can be defined below the Enterprise Account Group based on the needs of each
business: HR, Sales, Engineering, Enterprise-US, Enterprise-UK, etc. A unique UI style can be
defined for each enterprise.
Supported Roles
In EMM these roles are supported; one of these roles is assigned to each user on the system:
Top Admin (TOP_ADMIN) (optional)
MSP Admin (CUST_ADMIN)
IT Admin (IT_ADMIN)
Employee (EMPLOYEE)
Each of the Administrator roles uses the new UI with differences reflecting the breadth of responsibility
of each role:
A Top Admin has visibility to all Enterprise accounts on the system.
A MSP Admin has visibility to only Enterprise accounts owned by the MSP.
An IT Admin has visibility to only his/her Enterprise account.
This table identifies the UI Pages that are provided to each role.
Table 1: Administrator UI Pages for Different Roles
| UI Page | Top Admin | MSP Admin | IT Admin |
|---|---|---|---|
| Administration | | | |
| MSP Dashboard | Provided (this is the Landing Page) | Provided (this is the Landing Page) | No |
| IT Admin Dashboard | Provided | Provided | Provided (this is the Landing Page) |
| Groups | Provided (A Top Admin is able to modify all Groups Expiration Dates) | Provided (A MSP Admin is able to modify their MSP Group’s Expiration Dates) | Provided (An IT Admin cannot modify Group Expiration Dates) |
| Users | Provided | Provided | Provided |
| Devices | Provided | Provided | Provided |
| Apps | Provided | Provided | Provided |
| Device Details | | | |
| Apps | Provided | Provided | Provided |
| Security | Provided | Provided | Provided |
| Location | Provided* | Provided* | Provided* |

* Location tab is hidden when local law requires it.
Employee Role
The Employee role has limited access to functions associated with his/her enrolled devices.
The Employee role has a unique landing page and has these functions available:
Add Apps: an Employee can add Apps from the Apps Catalog to their device.
Lock Device: an Employee can Lock or Unlock their device.
Locate Device: for an Android device, an Employee can see their device’s location.
Restore Policy: an Employee can request that Settings and Security Policies be sent to their device.
Enrollment: an Employee can Self-Enroll their device.
The Employee Landing Page looks like this figure. All the devices enrolled for the user are listed.
This example shows four devices for this user.
Figure 2: Employee Landing Page
When an employee selects a device these options are presented.
Figure 3: Employee Options
Organization
This document is organized into 11 chapters as follows:
1 Navigating the User Interface
2 Using the Dashboard
3 Managing Groups
4 Managing Policies
5 Managing Users
6 Managing Devices
7 Enrolling Devices
8 Managing Device Details
9 Managing Applications and Documents
10 Scheduling Reports
11 Using Service Packages
Typographical Conventions
This document uses the typographical conventions described in the following table.
| The convention of… | Shows… |
|---|---|
| Bold | Tabs, Page names, Fields, Buttons, as follows: User tab; User Details page; Password field; OK button |
| Italics | Notes and Book Titles, as follows: NOTES: This is important information.; MEM Device User Guide |
About Customizing the UI
For each Enterprise the customer’s logo can be displayed. The colors displayed can be customized
for the Enterprise. When the Enterprise group is defined, these can be specified.
Admin’s Computer Requirements
The computer used by either Admin role (IT_ADMIN or CUST_ADMIN) should meet these requirements:
Browser: IE 10 or later (Windows OS only), Firefox 25 or later, Chrome 30 or later
Internet Connection
LDAP Active Directory Requirement: Windows XP and subsequent Windows platforms
1 NAVIGATING THE USER INTERFACE
EMM has a graphical user interface (GUI), which enables you, as an Administrator, to set up and use
the features of the system.
This chapter describes how to log into and navigate within the EMM GUI.
1.1 UI Overview
The User Interface presented to any of the Administrator roles has these objectives:
Provide a state-of-the-art, modern look and feel for the UI with simpler navigation features.
Simplify the steps to execute a task by bringing to one page all the steps to accomplish them.
Incorporate Dashboards to provide “at-a-glance” status for an administrator.
Incorporate the new device enrollment options into the UI.
Facilitate a Self-Enrollment option enabling a new Enterprise to trial the system.
1.2 IT Dashboard
The IT Dashboard is illustrative of the new design.
Figure 4: IT Admin Landing Page
1.2.1 Navigation Bar
The Navigation bar at the top of the page shows the Admin login name and provides access to Account Settings, Help and Log out features. If a license expiration date has been defined for the Enterprise, the number of days remaining on that license is shown, along with a Subscribe link that ecommerce trial customers can use to extend their license.
When an Enterprise license expires, the Enterprise users’ logins are suspended and IT Admin and Employee users cannot log into the server. A MSP can update the expiration date using the Edit Group page.
1.2.2 Status Charts
The Dashboard includes a set of charts that alert the Admin to issues that may require his/her attention. Scroll left and right buttons are provided to access all the charts. Summaries of groups, enrolled devices, users and apps are provided. Recent Activity and News and Updates are also displayed.
1.2.3 Quick Links
Every UI page also has a set of Quick Link actions at the bottom of the page for frequently used functions; these links can be shown or hidden using the button provided on the lower right corner of the page; Section 2.4 explains the use of these links:
1. Add a User
2. Add a Device
3. Add an Application
4. Add a Policy
5. Run Scan
Figure 5: Quick Links Toolbar
1.2.4 Key Functions
All key functions are incorporated into five tiles: Dashboard, Groups, Users, Devices and Apps. Selecting any of the tabs other than the Dashboard tab displays a tab with this format. (This is the Devices tab).
Figure 6: Devices Tab
1.2.5 Advanced Filters
Some tabs include an Advanced Filter to filter the list presented and search functions. Selecting options defines the filtering to be done.
Figure 7: Advanced Filter for Devices
1.2.6 Report Files
The ability to download a report file with the contents of a page in CSV (Comma Separated Variable) or PDF format is provided on some pages. A Report Scheduler is also provided to generate daily, weekly, monthly and real-time reports. Functions such as obtaining Status information are denoted with a standard set of icons used throughout the UI.
1.2.7 Detail Drill-down
Selecting one of the entries on a tab page expands to provide a page enabling the Admin to modify the entry. In the case of a device the page provides details of a specific device.
Figure 8: Device Details Page
1.2.8 Modal Windows and Icons
Pop-up Modal Windows are used extensively for many functions, as are iconography and colors. Hovering over an item on a page provides a definition and/or status pertaining to the item.
A Modal Window is a secondary window that opens inside the main window. You must interact with it before returning to the main window. Modal windows are used in the EMM UI to display alerts, required settings and important dialogs.
For simplicity, Modals are sometimes called “window” or “secondary window” in this document.
1.3 Disabled Functions
A MSP Administrator can disable specific buttons on the IT Administrator or Employee UI. This is
done using the Service Package feature. If a function has been disabled, the button’s color is
changed to a blue/grey as shown in this figure.
Figure 9: Disabled Control Color
1.4 Logging In and Out of EMM
The following sections describe how to log into and out of EMM.
1.4.1 Logging In to EMM
To access EMM, use the following steps:
1. Open your browser and enter the assigned web address. The web address can be
customized for each enterprise. The EMM Login page is displayed.
Figure 10: Login Page
2. Enter your user name or email address in the Login Id field and your corresponding
password in the Password field.
NOTE: Passwords must be alphanumeric, from 6 to 14 characters long, cannot consist of 3 or more
consecutive characters or numbers, and must be changed after 45 days to a new password,
which cannot repeat any of the three passwords previously used. Email addresses must be
of a valid form, e.g. [email protected] (one-character domain names are not permitted).
3. Click on the Log On button. The Dashboard page is displayed.
NOTE: If a user attempts to access EMM and enters an incorrect password 3 times, access to the
system is locked for 120 minutes. An IT Administrator or System Security Officer (SSO) can unlock
an account within the 120 minute timeframe.
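An added example (not EMM's code) of the password and lockout rules in the two NOTEs above. It assumes that "alphanumeric" means ASCII letters and digits only, that "consecutive" covers both repeated (aaa) and ascending (abc, 123) runs anywhere in the password, that a successful login resets the failure counter, and that previous passwords are kept as salted hashes.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Values stated in the guide's login NOTEs.
MIN_LEN, MAX_LEN = 6, 14
MAX_AGE = timedelta(days=45)
HISTORY_DEPTH = 3
MAX_FAILED = 3
LOCKOUT = timedelta(minutes=120)


def hash_password(password, salt=None):
    """Return (salt, digest). Storing hashes is this example's choice."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def has_run_of_three(password):
    """Assumed reading of '3 or more consecutive characters or numbers':
    three identical characters (aaa) or three ascending ones (abc, 123)."""
    p = password.lower()
    for a, b, c in zip(p, p[1:], p[2:]):
        if a == b == c:
            return True
        if ord(b) - ord(a) == 1 and ord(c) - ord(b) == 1:
            return True
    return False


def validate_new_password(candidate, history):
    """Return the rules the candidate breaks (empty list means accepted).
    history: (salt, digest) tuples of previously used passwords, oldest first."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not re.fullmatch(r"[A-Za-z0-9]+", candidate):
        problems.append("alphanumeric")
    if has_run_of_three(candidate):
        problems.append("consecutive")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reuse")
            break
    return problems


def password_expired(changed_at, now):
    """True once the password is more than 45 days old."""
    return now - changed_at > MAX_AGE


class LoginGuard:
    """Failed-login counter for one account."""

    def __init__(self):
        self.failed = 0
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, password_ok, now):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        if self.is_locked(now):
            return "locked"  # even a correct password is refused
        if self.locked_until is not None:  # the 120 minutes have passed
            self.admin_unlock()
        if password_ok:
            self.failed = 0  # assumption: success resets the counter
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked_until = now + LOCKOUT
            return "locked"
        return "denied"

    def admin_unlock(self):
        """What an IT Administrator or SSO does to end a lockout early."""
        self.failed = 0
        self.locked_until = None
```
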
1.4.2 Forgotten Password
If a user has entered an incorrect password, the user is given the option to select “Forgot your
Password?”
Figure 11: Forgot your Password?
If the user has an email address, the user will be asked to enter their enterprise email address and
instructions to reset the password are sent to the user.
Figure 12: Reset Password
1.4.3 Logging Out of EMM
To exit the EMM system, click on the Logout option, which is located in the upper right hand corner of
all pages within the EMM system.
1.5 Account Settings
Selecting the Account Settings link enables the user to modify some personal account parameters.
1.6 Help
Selecting Help presents the Help Center, which contains:
Videos to demonstrate using EMM.
A list of Frequently Asked Questions and Answers.
A Glossary of Terms.
A suite of User Guides which can be downloaded.
2 USING THE DASHBOARD
The IT Admin Dashboard provides an entry point to all Admin functions, a Chart of Issues that need Admin attention and summaries of System Activity.
2.1 Using Charts
The Dashboard Charts section provides a set of charts that summarize the devices being managed
and bar charts that identify devices requiring attention.
Figure 13: Dashboard Charts Section
2.1.1 Bar Charts
Examples of items needing attention include devices that have not yet enrolled or devices that are not compliant with existing Policies. Each red bar represents an issue requiring action and the length of the bar indicates the percentage of devices with the issue:
Not Enrolled: Devices which have not completed enrollment.
Security Policy Non-Compliant: Devices which are not compliant with the Security Policy in effect.
Settings Policy Non-Compliant: Devices which are not compliant with the Settings Policy in effect.
Apps Blacklisted: Devices with blacklisted Apps present.
Compromised: Android Devices that have been “rooted”: the device’s OS has been modified. (Detection of modified Apple devices (i.e. “jailbroken”) is not supported; Apple devices are always recorded as NOT being compromised).
Security Breach: Apple iOS devices that have the MDM (Mobile Device Management) profile removed, and iOS and Android devices that have not contacted the EMM server in the last 30 days, are identified as “Security Breach”.
Hovering over the bar for an issue displays the possible actions, which vary by bar:
Not Enrolled
o List Devices: displays a list of all affected devices.
o Send Enrollment
Security Policy
o List Devices
o Send Security Policy
Settings Policy
o List Devices
o Send Settings Policy
Blacklisted Apps Found
o List Devices
o Uninstall Blacklisted Apps: (1) For Android devices an Uninstall App command is sent; (2) For iOS devices an email notification to remove the App is sent.
Required Apps Missing
o List Devices
o Install required Apps
Compromised
o List Devices
o Notify Users: “We have detected that your device has been Compromised. Please contact your IT Admin”.
Security Breach
o MDM Removed: List Devices
o MDM Removed: Notify Users: “We have detected that your device has the MDM Profile removed. Please contact your IT Admin”.
o No contact in Last 30 Days: List Devices
o No contact in Last 30 Days: Run Scan
NOTE: An IT Admin will be allowed to take an Action on the group of devices that are out of
compliance (i.e.: Send Enrollment). However, when the IT Admin clicks on the action again, the
system will check to see if the action is still in progress. An action is in progress if there are still
commands that have not reached the SENT status for that batch.
In this case the following error pops up in a secondary window: “This action is in progress, please
try again later”.
EXCEPTION: There is a possibility that an IT Admin may take an action at the enterprise group level
and another IT Admin at a sub-group also takes the same action. For this case no checks are made.
This is a rare scenario.
2.1.2 Line Chart
The Line Chart displays 12 months of historical data:
Total Users added each month
Total Devices added each month
Total Apps that were installed from EMM onto devices each month.
2.1.3 Pie Charts
Pie charts are also provided to show other views of the devices being managed:
Devices by Platform: Android, iOS, Android CDMA, Unknown
Devices by Type: Phone, Tablet
Figure 14: Dashboard Charts View of Devices
Using the scroll arrows on the left or right side of the Charts section slides the alternative summaries
into view.
2.2 Viewing the Activity Log
This section displays the list of actions executed from the Bar Chart hover functions (section 2.1.1). It
displays the activity for the last 60 days.
NOTE: Commands and actions initiated from the Device Details page (Figure 8) for a specific device
are not recorded in the Activity Log.
2.3 Viewing the System Overview
The System Overview provides a total of the Groups, Devices, Users and Apps being managed by the
Admin. The number of Apps represents total number of Apps that have been downloaded to devices.
(For example if an Enterprise has 100 users and 4 unique Apps have been downloaded to all 100
devices, the App figure would be 400).
2.4 Using Quicklinks
Quicklinks are present along the bottom margin of the page. They provide easy actions to important
functions.
Figure 15: Quick links
2.4.1 Add User
This link goes to the User Add page; see Section 5.2.
2.4.2 Add Device
This link goes to the Device Add page to enroll a device; see Section 7.
2.4.3 Add App
This link goes to the Add App page to upload an App; see Section 9.3.
2.4.4 Edit Policy
This link goes to the Add/Edit Policy page where the details of the Settings or Security Policies in
effect for the group can be viewed and edited; see Section 4.
2.4.5 Run Scan
Running a Scan initiates a check of all enrolled devices and the system database; it updates only the Apps Inventory information. Updating the Apps Inventory means updating the EMM server with the current list of applications on each device and the Application Policy status of blacklisted/whitelisted and required Apps present on devices. When an Admin clicks on the Scan button, the system checks whether a Scan is already in progress. A Scan is in progress while the commands triggered by the Scan are still in the queue to be completed. Once all the commands reach the SENT state, the Scan is done and the IT Admin can send a Scan again. If the Scan is still in progress, a window pops up and displays the message "Scan already in progress, please try later".
2.5 MSP Dashboard
A MSP Admin (or Top Admin) can also view the IT Admin Dashboard for each Enterprise group but in
addition a MSP Dashboard is provided with an additional chart that summarizes activity in each of the
Enterprise groups. A MSP Admin can view the details of all the Enterprises that he/she has created.
The MSP Dashboard lists each Enterprise and the date it was created. For each Enterprise the
current counts of Users, Enrolled Devices and Apps are shown.
Each Enterprise group has a license expiration date governing the use of their access to EMM. A Top
Admin or a MSP Admin can modify the expiration date of the Enterprise groups for which they are
responsible. When the license expires, user logins for the Enterprise group are suspended.
However, enrolled devices can continue to use EMM Client features.
Figure 16: MSP Dashboard
Selecting an Enterprise name presents the IT Admin Dashboard for that Enterprise to the MSP Admin.
Status indicators quickly alert the MSP Admin to an issue that may be present in any of the Enterprises. Two status indicators are provided:
This status means that the Enterprise is “Fully Compliant” and none of the Bar Chart issues (in Section 2.1.1) for that Enterprise are Red.
This status means that the Enterprise is “Non-Compliant” because at least one of the Bar Chart issues for that Enterprise is Red.
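An added example, not Mformation's code: the bar definitions of Section 2.1.1 and the status roll-up above, computed over a constructed device inventory. The Device record, its field names and the rule that a bar is red when it is non-zero are assumptions; the sample shows that a modified iOS device never reaches the Compromised bar.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NO_CONTACT_DAYS = 30  # from the guide's "Security Breach" definition
BARS = ["Not Enrolled", "Security Policy Non-Compliant",
        "Settings Policy Non-Compliant", "Apps Blacklisted",
        "Compromised", "Security Breach"]


@dataclass
class Device:  # hypothetical inventory record, not EMM's schema
    name: str
    platform: str               # "Android" or "iOS"
    enrolled: bool
    security_ok: bool
    settings_ok: bool
    blacklisted_apps: int
    os_modified: bool           # ground truth: rooted or jailbroken
    mdm_profile_present: bool   # relevant to iOS
    last_contact: date


def issues_for(dev, today):
    """Return the set of bar names this device contributes to."""
    issues = set()
    if not dev.enrolled:
        issues.add("Not Enrolled")
    if not dev.security_ok:
        issues.add("Security Policy Non-Compliant")
    if not dev.settings_ok:
        issues.add("Settings Policy Non-Compliant")
    if dev.blacklisted_apps > 0:
        issues.add("Apps Blacklisted")
    # Only rooted Android devices are detected; Apple devices are always
    # recorded as not compromised, so a jailbroken iPad never shows here.
    if dev.platform == "Android" and dev.os_modified:
        issues.add("Compromised")
    mdm_removed = dev.platform == "iOS" and not dev.mdm_profile_present
    silent = (today - dev.last_contact).days > NO_CONTACT_DAYS
    if mdm_removed or silent:
        issues.add("Security Breach")
    return issues


def bar_chart(devices, today):
    """Percentage of devices per issue (the bar length in Section 2.1.1)."""
    counts = {bar: 0 for bar in BARS}
    for dev in devices:
        for issue in issues_for(dev, today):
            counts[issue] += 1
    total = len(devices) or 1
    return {bar: 100.0 * n / total for bar, n in counts.items()}


def enterprise_status(devices, today):
    """MSP Dashboard roll-up; assumes a bar is red when it is non-zero."""
    red = any(pct > 0 for pct in bar_chart(devices, today).values())
    return "Non-Compliant" if red else "Fully Compliant"


def undetected_modified(devices):
    """Modified devices that the Compromised bar cannot show."""
    return [d.name for d in devices
            if d.os_modified and d.platform != "Android"]


# Constructed sample inventory.
TODAY = date(2014, 3, 6)
FLEET = [
    Device("android-01", "Android", True, True, True, 0, True, True,
           TODAY - timedelta(days=2)),
    Device("ipad-01", "iOS", True, True, True, 0, True, True,
           TODAY - timedelta(days=1)),
    Device("iphone-01", "iOS", True, False, True, 0, False, False,
           TODAY - timedelta(days=5)),
    Device("android-02", "Android", True, True, True, 1, False, True,
           TODAY - timedelta(days=45)),
]
```

A fleet containing only `ipad-01` rolls up as “Fully Compliant” even though its OS is modified, so iOS integrity has to be checked by other means.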
Summary line graphs show the total number of users and devices that the MSP is managing.
2.5.1 MSP Admin Unique Functions
A few functions throughout the UI can only be performed by a MSP Admin. These functions include:
Creating an Enterprise Group (section 3.2.2).
Managing Service Packages (section 11).
Specifying or editing an Enterprise Group License Expiry Date (section 3.2.2).
These functions are explained in the sections identified.
3 MANAGING GROUPS
Groups organize Users into one or more related categories. Subgroups can be created within related
categories (or Groups), creating a hierarchy. The top level of any Group is referred to as the “parent”.
A subgroup is referred to as a “child” or “offspring”. Each Enterprise has an Enterprise Group created
for it. An Admin can create child groups if required for the enterprise.
Users, Devices, Apps, Documents and Policies are all associated with a group. They are not
accessible by users in other groups.
Table 2: EMM User Access
| Function | Description |
|---|---|
| Enterprise Group | An Enterprise Group allows only the use of the Roles of IT Admin and Employee. The IT Admin is provided with a unique, streamlined set of functions to manage devices for a business which offers an inventory of devices and applications to their employees. The Employee role is provided for self-enrollment and management of devices such as phones and tablets by an employee of the business. Child groups can be created by an IT Admin and they inherit the roles and all of the parameters of the Enterprise group and are identified as “Subgroup”. Application, Security and Settings Policies are not inherited by subgroups; unique Policies for each group can be defined. |
| Roles | Identifies functions allowed to users within a selected Group. Every user in EMM is assigned a role. The roles of IT_ADMIN and EMPLOYEE are pre-defined for an Enterprise group. |
3.1 Using the Group List Page
The Groups List page is reached by selecting the Groups Tile:
The Groups List presents a list of all the groups that have been created for the Enterprise for which
the Admin is responsible. For each group a list of actions is provided. A ‘Download Report’ tile and
an ‘Add Group’ tile are both provided.
The Groups page is shown in this figure.
Figure 17: Groups Page - IT Admin
The count of groups, users and devices associated with the enterprise is displayed.
3.1.1 Using Download Report
The Download Report tile sends a CSV file of the Group details on the page to the user’s computer. The Add Group tile is used to add a child group.
Figure 18: Download Report and Add Group Tiles
If child groups have been created, they are also listed.
3.1.2 Viewing Group Details
For each group this information is provided:
Name
Description
Date the Group was created
Number of Users assigned to the group
Number of Devices associated with the group
Group Type: Enterprise, Subgroup
A set of Action icons
Figure 19: Group Actions - IT Admin
3.1.3 Using Group Actions
The Actions column displays via icons a series of actions that are used to modify group parameters and to list the users and devices associated with a group. They include Edit Group, List Users, List Devices, Edit Security Policy, Edit Settings Policy and List Apps. Hovering over an icon explains its function and clicking on an icon navigates to a page to perform that function.
Edit Group: this navigates to the Edit Group page where the description of the group and other parameters can be modified.
List Users: this navigates to the User List page which lists all the users assigned to the group.
List Devices: this navigates to the Device List page which lists all the devices assigned to the group.
Edit Policy: hovering on this icon displays three tooltips for Settings, Security and Application Policies. Selecting a tooltip navigates to the selected Policy page (Settings, Security or Application) which is used to add or modify the parameters of the Policy that is in effect.
View Reports: this navigates to the Reports page which is used to schedule Reports for the group.
3.1.3.1 MSP Group Actions
The MSP (CUST_ADMIN) role has an additional action appearing on the action toolbar. This action is
used to manage Service Packages.
Figure 20: Group Actions - MSP Admin
Hovering over the Service Package Icon displays a tooltip which when selected navigates to the Service Package page.
3.2 Adding a Group
3.2.1 Enterprise SubGroup
An IT Admin can only add a new SubGroup to their parent Enterprise Group. The SubGroup inherits
all the parameters (except Policy settings) of the parent group (e.g. Messages, Logos, Domain name,
etc. as shown in Section 3.2.2). The group is added by performing these actions:
1. Login to EMM as an IT Admin.
2. Select the Groups Tile
3. Select Add Group tile; the Add Group page is displayed.
Figure 21: Adding an Enterprise Child Group
4. Select the Parent Group (if more than one is available).
5. Enter the Group Name (alphanumeric, maximum length 15 characters).
6. Enter a short Description for the group.
7. Select Add to enter the group; the group appears in the Group List. The Policy Page is
displayed for setup of Application, Security or Settings Policies if required. Alternatively, at a
later time, Group Actions (See Section 3.1.3) can be accessed to customize the Application,
Security and Settings Policy (See Section 4) parameters for the child group.
3.2.2 Adding an Enterprise Group
A MSP Admin (or a Top-Admin) can add a new Enterprise Group. The definition of an Enterprise
Group requires additional parameters. The Enterprise Group is added by performing these actions.
1. Login as an MSP Admin.
2. Select the Groups Tile.
3. Select Add Group tile; the Add Group page is displayed.
4. Select the Enterprise Group box and the additional parameters are displayed.
Figure 22: Adding an Enterprise Group
5. Enter the Group Name (alphanumeric, maximum length 15 characters).
6. Enter a short Description for the group.
7. Enter the Support Email Address. This is the email to which support requests and
notifications are sent for the Enterprise.
8. Enter the Expiration Date for the Enterprise’s Licenses to use the EMM service.
9. Enter the domain name of the customer (e.g. enterprise.com). This is appended to
notification messages and is used to verify email addresses of users to ensure they are
associated with the enterprise.
10. If iOS devices are to be managed, an Apple APNS Certificate must be uploaded. When the
APNS Certificate was obtained, a password was assigned and it must also be entered. After
the certificate is uploaded the Expiry Date and the APNS Topic are displayed. The Topic is a
string provided by Apple when the Enterprise is registered for MDM and is used in APNS
push actions.
11. An option for LDAP Authentication is provided. For a company that utilizes the Lightweight
Directory Access Protocol (LDAP) to access its Active Directory of employees, authentication
of a user can be verified using the credentials in the enterprise’s Active Directory. When
“LDAP Authentication” is enabled, EMM verifies the user by accessing the company’s
directory. This eliminates the need to maintain user credentials on EMM. It enables an
enterprise’s users to use the same domain password that they use to access their company’s
email and other resources.
An Enterprise Active Directory Connector (EADC) application is provided which can be downloaded to the Admin’s desktop. EADC implements the interface between the Active Directory and EMM. If required for your use, please contact your EMM support team to obtain the EADC application.
a. When LDAP Authentication is enabled the Password and Confirm Password fields on
the Add User and Edit user pages are disabled since the password that is used is the
password maintained in the Active Directory. Passwords are not maintained in the
EMM database and users cannot use the Account Settings to modify their passwords.
b. The EADC adapter is installed on the Admin’s desktop. LDAP/AD Authentication is
enabled by selecting the check (tick) box, and a valid EMM Username (email address)
and Password with access to the enterprise group must be entered. (A separate user
guide for EADC is provided.)
Figure 23: LDAP/AD Authentication Setup
NOTE 1: the Username entered must be the full email address: e.g. [email protected] not
“joesmith”.
NOTE 2: Unselecting the check (tick) box disables LDAP/AD Authentication. When LDAP/AD is
disabled, all users created while LDAP was in use cannot log into EMM until you provide them with a
password.
12. If required, customization of the user interface for the enterprise can be done.
a. A .PNG file of the Enterprise’s logo can be uploaded; it appears on each UI page.
The current logo (if present) is shown. A pixel size of 60x230 at 36 DPI (dots per
inch) is a good size.
b. The color palettes can be used to change the Toolbar background color, the Toolbar
Text Color and the Toolbar Button Color.
13. Three notification messages are provided and the text can be edited if required. The
messages contain fields that are automatically inserted such as #LOGIN_LINK#,
#USERNAME#, ${PIN}, ${phoneticPin} etc.; these fields should NOT be removed. Line
breaks “<br>” are also present and should be retained for proper formatting.
a. PIN Message: this message is sent with a PIN to a device user who is self-enrolling
a device to confirm a user’s identity. It is sent to the user’s email address and the
user must enter it to complete enrollment.
b. Enrollment Message: this message is sent as the enrollment request to a user. It
contains links that the user accesses to complete the enrollment.
c. Welcome Message: this message is sent after the user has enrolled. It provides
details that the user can use to login and access the EMPLOYEE role features.
14. Select Add to enter the group; the group appears in the Group List. The Policy Page is
displayed for setup of Application, Security or Settings Policies if required. Alternatively, at a
later time the Group Actions (See Section 3.1.3) should be accessed to enter Policy
parameters (See Section 4) for the group. An IT Admin should also be defined for each
Enterprise Group (See Section 5.2).
3.2.3 Editing a Group
Some parameters of a group can be edited.
1. Login as an MSP Admin.
2. Select the Groups Tile.
3. Locate the group to be edited and select the Edit Group icon in the Actions section.
4. The Group Details are displayed.
Figure 24: Group Details
You can also update the page customization: logo and colors:
Figure 25: Group Customization Fields
5. Save the changes when completed.
4 MANAGING POLICIES
A Policy is a set of configuration settings, security restrictions or application rules that can be applied
to all devices in a group. A group can have ONLY ONE active Policy of each type. Policies are not
inherited by subgroups. These Policies are provided:
Settings Policy: a set of required configuration settings
Security Policy: a set of device restrictions and Passcode rules
Application Policy: a set of permitted and/or not permitted applications
NOTE: You are not required to define Policies. If no Policies are specified, the default device Settings
and Security Policies defined by the device vendor apply and no Application Policy is in effect.
The features described in this section enable an Administrator to specify the settings and restrictions
to be applied to all similar devices in a group. EMM automatically applies them to all the applicable
devices in the group and reports the compliance to each policy for each device. Device Platforms are
provided for similar device types such as Android or Apple devices. Using Policies simplifies the
Admin’s management tasks by eliminating the need to send individual settings to each device or
setting up tasks to send them to a group of devices.
When a Policy is added, modified or deleted, EMM automatically applies the Policy change to all
applicable devices by scheduling an action to effect the Policy change. The ability to modify or delete a
Policy already applied to a device is limited by the capabilities of the device; some devices do not
support the deletion or overwriting of a setting. If the devices either were Compliant to an existing
Policy or had No applicable Policy in effect, the applicable devices become Non-Compliant until the
Policy change is implemented.
For applications the Administrator can specify a set of applications that an Enterprise does not allow on their user’s devices. Notifications can be sent to the device user automatically when an application is detected on a device that is not compliant with an Enterprise’s policies. The Admin can also specify a set of Required Applications which EMM downloads to the device when it is enrolled. The administration of Application Policies is discussed in Section 4.4.
On an Android device with the EMM Client installed, a heartbeat is automatically initiated by the client after it receives either a Security or Settings Policy. At a minimum frequency of once a day the EMM Client reports to the server the compliance status of the device. This report is sent to https://server/ipservlet/ip. For Apple iOS devices a Security or Settings Policy cannot be modified on the device; as long as MDM management is present on the device, the device is in compliance with defined Security and Settings Policies. Whenever a Scan of an Apple device is executed, compliance or non-compliance with an Application Policy is reported.
EMM provides sets of Policy templates for various device platforms; the Admin can edit them and apply them to a group. A description of the fields in the Settings and Security Policy templates is found in the document Mformation Policy Definitions, available from Mformation.
NOTE: Some parameters are specified in the templates as Personal Parameters (denoted by “P” next to the parameter). These parameters can be setup so the device user can enter the parameter. It is most often used for parameters such as a Password, Login Name and Email address. When setting up a Personal Parameter the option “No Prompt” should ALWAYS be selected.
4.1 Viewing Security and Settings Policies
The Security, Settings and Application Policy functions are combined in a single Policy icon with a “+”
tooltip present. Hovering over the icon presents a tooltip with the three Policy types which can each
be selected. For MSP Admin use a new icon for Service Packages is created with a tooltip for
functions associated with packages.
This figure illustrates the “tooltip” for Policies. The Policy icon has a tooltip to select the type of policy.
Figure 26: Group List with Policy Tooltip
The Policies applicable to a group can be viewed using these steps.
1. Login to EMM as an IT Admin.
2. Select the Groups Tile, the Groups List page is displayed.
3. For the group of interest in the set of Action icons, select the Policy icon and the Edit Security
Policy tooltip to view the Security Policy for the group, select the Edit Settings Policy tooltip to
view the Settings Policy for the group or select Edit App Policy tooltip to view the Application
Policy for the group. A Policy is specific to the device platform (Android, Apple, etc.) and a
drop-down is provided to select the platform. Figure 27 shows the example of a Security
Policy for the Android platform.
Figure 27: Security Policy Page
4. All the parameters associated with the Policy are shown.
5. Often the parameters are grouped and the “+” icon is used to expand the collection.
4.2 Managing Security Policies
A Security Policy controls the PassCode settings, Restrictions and Encryption parameters of a device
platform. A Security Policy is specific to the platform. It is important to note that not every device may
support all the components of a Policy: for example, not all Android devices support encryption.
However EMM and the EMM Client are designed to ignore unsupported features on a device.
PassCode settings are those which determine the characteristics of the PassCode used on a device.
PassCode minimum length, PassCode age before requiring a change and the minimum number of
complex characters are typical PassCode restrictions.
Restrictions vary by device and refer to controls that determine which features are allowed to be used
on a device. Allowing camera use, roaming, and game use are all typical Restrictions on a device.
Encryption settings determine if encryption is to be used and the characteristics of the encryption.
Before adding or modifying a Security Policy it is important to review its parameters and determine the
appropriate values of each for the enterprise.
To Add or Modify a Security Policy follow these steps.
1. Login to EMM as an IT Admin.
2. Select the Groups Tile, the Groups List page is displayed.
3. For the group of interest in the set of Action icons, select the Policy icon and the Edit
Security Policy tooltip.
4. If the Policy is new, the parameters must be specified. If the Policy is being modified, the
parameter changes can be made.
5. When the additions or changes are completed, select Save to activate the Policy. Policies
are not inherited by subgroups; you must add or modify a policy for each group.
6. A Delete option is present: selecting it removes the Security Policy for the group. A Cancel
option is also available to terminate the modification.
4.3 Managing Settings Policies
A Settings Policy controls a device’s configuration settings that control the services that are present
on the device. Services such as email, activesync, and web access all require parameters that are
unique to the enterprise. A Settings Policy is specific to the platform. It is important to note that not
every device may support all the components of a Policy.
Before adding or modifying a Settings Policy it is important to review its parameters and determine the
appropriate values of each for the enterprise. Values for settings are often very specific to each
enterprise and the IT organization is a good source of information.
To Add or Modify a Settings Policy follow these steps.
1. Login to EMM as an IT Admin.
2. Select the Groups Tile, the Groups List page is displayed.
3. For the group of interest in the set of Action icons, select the Policy icon and the Edit Settings
Policy tooltip.
4. If the Policy is new, the parameters must be specified. If the Policy is being modified, the
parameter changes can be made.
5. When the additions or changes are completed, select Save to activate the Policy. Policies
are not inherited by subgroups; you must add or modify a policy for each group.
6. A Delete option is present: selecting it removes the Settings Policy for the group. A Cancel
option is also available to terminate the modification.
4.4 Managing App Policies
This feature provides the ability for an Admin to define an Application Policy for devices. Many
Enterprises want to exercise control over the applications their employees install on their devices.
Some Enterprises also allow employee-owned devices used for company business (known as
“BYOD” devices) and the Enterprise needs to identify if a device is a Personal BYOD device.
To create an Application Policy, the Admin can specify for a group either a Blacklist or a Whitelist as
the preference.
For a group there can be EITHER one Blacklist OR one Whitelist. If Blacklist is the preference, a Whitelist is not allowed and vice versa.
A “Blacklist” is a set of Applications that is not allowed to be on the device by Enterprise policy.
A “Whitelist” is a set of Applications that ONLY can be on the device by Enterprise policy. All Applications that are detected and inventoried from the device and are not on the Whitelist are treated as Blacklisted Applications.
Only applications that are installed by the user are checked to determine if they are on a Blacklist or Whitelist. Applications downloaded from EMM are assumed to be allowed on the device and are not included in a Whitelist or Blacklist.
If a Blacklist Application is detected on a device, a message can be defined to automatically be sent to the device to inform the user that he/she is not compliant with company policy.
A device that is owned by the user can be designated as a “Personal” device; no Applications are identified as a Blacklist application on a Personal device.
When entering a name (e.g. “AppName”) for a Blacklist or Whitelist, wildcard entries are supported and the entry is not case sensitive.
AppName is matched by *AppName* (the entry contains AppName), *AppName (the entry ends with AppName) or AppName* (the entry starts with AppName).
Example: for a blacklisted or whitelisted App, *Facebook should match any of these: MyFacebook, myfacebook, Thefacebook, etc.
If a Blacklist is defined, EMM uses the AppName with wildcard filters and case insensitivity when checking the software inventory on a device to determine if a Blacklist App is present on the device.
If a Whitelist is defined, EMM uses the AppName with wildcard filters and case insensitivity when checking the software inventory on a device to determine if any other Apps are present on the device. If any other Apps are present, they are classified as Blacklist Apps.
A Required Application component is also provided. An Admin can identify required applications that are automatically installed when the device is enrolled. This feature replaces the Authorize/Unauthorized Software feature and the Auto-Install Software pages.
When EMM retrieves a software inventory from a device, a check for Blacklist and Required Applications is made.
If a Blacklist App is found, the option is provided to notify the device user.
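The wildcard and classification rules described in this section, sketched as an added Python example (it is not Mformation's code). The exact-match behaviour for an entry without a wildcard, the rejection of a bare or interior `*`, and all function and class names are assumptions; the inventory is constructed.

```python
from dataclasses import dataclass, field


def entry_matches(entry: str, app_name: str) -> bool:
    """Match one Blacklist/Whitelist entry against an inventoried app name.

    Implements the three wildcard forms the guide describes, case-insensitively.
    """
    pattern = entry.strip().lower()
    name = app_name.strip().lower()
    core = pattern.strip("*")
    if not core or "*" in core:
        # Assumption: a bare "*" or an interior wildcard is rejected, because
        # the guide only describes leading and trailing wildcards.
        raise ValueError(f"unsupported list entry: {entry!r}")
    leading = pattern.startswith("*")
    trailing = pattern.endswith("*")
    if leading and trailing:
        return core in name            # *AppName*  -> contains
    if leading:
        return name.endswith(core)     # *AppName   -> ends with
    if trailing:
        return name.startswith(core)   # AppName*   -> starts with
    return name == core                # assumption: no wildcard -> exact match


@dataclass
class InstalledApp:
    name: str
    from_emm: bool = False  # downloaded from EMM or a Required Application


@dataclass
class AppPolicy:
    list_type: str                    # "blacklist" or "whitelist", one per group
    entries: list = field(default_factory=list)
    apply_to_personal: bool = False   # "Apply to Personal devices (BYOD)"


def blacklisted_apps(policy, inventory, personal_device=False):
    """Return names of inventoried apps the policy treats as Blacklist Apps."""
    if policy.list_type not in ("blacklist", "whitelist"):
        raise ValueError("list_type must be 'blacklist' or 'whitelist'")
    if personal_device and not policy.apply_to_personal:
        return []  # Personal devices are skipped unless the BYOD box is ticked
    flagged = []
    for app in inventory:
        if app.from_emm:
            continue  # EMM-delivered and Required apps are always allowed
        listed = any(entry_matches(e, app.name) for e in policy.entries)
        # Blacklist: listed apps are flagged. Whitelist: unlisted apps are flagged.
        if listed == (policy.list_type == "blacklist"):
            flagged.append(app.name)
    return flagged


# Constructed software inventory for one device (not taken from the guide).
INVENTORY = [
    InstalledApp("Facebook"),
    InstalledApp("MyFacebook"),
    InstalledApp("Facebook Lite"),
    InstalledApp("Gmail"),
    InstalledApp("SketchyMail Pro"),
    InstalledApp("Corporate Mail", from_emm=True),
]

if __name__ == "__main__":
    for policy in (
        AppPolicy("blacklist", ["*Facebook"]),
        AppPolicy("blacklist", ["*Facebook*"]),
        AppPolicy("whitelist", ["*Mail*"]),
    ):
        print(policy.list_type, policy.entries, "->",
              blacklisted_apps(policy, INVENTORY))
```

With `*Facebook` the constructed "Facebook Lite" entry is not flagged, and a `*Mail*` Whitelist admits every user-installed app whose name contains "mail"; both effects are worth checking against a real inventory before a list is submitted.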
4.4.1 Adding an Application Blacklist or Whitelist
Either an Application Blacklist or Whitelist can be added by following these steps.
1. Login to EMM as an IT Admin.
2. Select the Groups Tile, the Groups List page is displayed.
3. For the group of interest in the set of Action icons, select the Policy icon and the Edit
Application Policy tooltip.
4. The Application Policy landing page is displayed.
Figure 28: Application Policy Page
5. Select the group to which the Application Policy applies from the drop-down. Policies are not
inherited by subgroups; you must add or modify a policy for each group.
6. Select EITHER Blacklist Apps OR Whitelist Apps for the list to be created using the radio
buttons.
a. A Blacklist is a list of user installed Applications that are not permitted on the device.
b. A Whitelist is a list of the ONLY user installed Applications that are permitted on the
device. Any other user installed applications are not allowed and considered
Blacklisted.
c. Applications that have been downloaded from EMM to a device or are a Required
Application are always Allowed applications.
7. Create the list of Applications by entering the Application Name into the App Name: field and
select the Add button to add the application.
a. Application names can take multiple formats for different devices and a wildcard filter
using the asterisk (*) character has been provided to make it easier to capture the
variations in App Names. For example *Facebook matches MyFacebook,
myfacebook, facebook, faceBook, etc. Any of those variations are included on the list
of applications for the list.
b. The Application appears in the list of Applications. The icon next to each
Application can be used to remove applications from the list.
8. Select the checkbox Apply to Personal devices (BYOD) if the check for Blacklist
Applications is to be applied to user owned devices. A check for Blacklist applications is not
made for a BYOD device unless this checkbox is selected.
9. Select the checkbox Notify Users to have a message sent to the device user when a
Blacklist Application is detected.
10. The Text box contains the notification message that is sent; a default message is provided.
The text to be sent can be edited and is retained when the list is saved.
11. Required Apps can also be specified by moving an App to the right from the list on the left in
the Bulk Required Apps section.
12. Select Submit to activate the list. A Cancel button is also available to delete the entries.
When the list is saved, the radio button for the list type that was not selected is grayed out.
4.4.2 Modifying an Application Whitelist or Blacklist
An existing Application Policy can be modified by adding or deleting applications by following these
steps.
1. Login to EMM as an IT Admin.
2. Select the Groups Tile, the Groups List page is displayed.
3. For the group of interest in the set of Action icons, select the Edit Application Policy icon.
4. The Application Policy landing page is displayed.
5. The Application Policy page refreshes with the details for the Whitelist or Blacklist that has
been defined.
Figure 29: Modify Application Policy Page
6. Add Applications by entering the Application Name into the App Name: field and select the
+ button to add the application.
7. The Application appears in the list of Applications. The icon next to each Application
can be used to remove applications from the list. As required, select or deselect the other
options and/or edit the Notify Users text.
8. Select Submit to activate the list. A Cancel button is also available to ignore the entries and
retain the existing entries. Policies are not inherited by subgroups; you must add or modify a
policy for each group.
4.4.3 Specifying Required Applications
Applications that have been uploaded to the Catalog can be identified as Required Applications. All
Required Applications are downloaded to the devices in the group when the devices are enrolled.
NOTE: If a Required Application is added to a group, it is not downloaded to the devices in the group
that are already enrolled. The Required Application must be pushed to each device on the Device
Details page (Section 8.2).
1. From the Setup drop-down select Policies and from the drop-down select Application
Policy. The Application Policy landing page is displayed.
2. Select the group to which the Application Policy applies from the drop-down. The Required
Apps selection appears on the lower portion of the page.
Figure 30: Required App Selection
3. The right arrows (>) move Apps from the Available Apps column to the Required Apps
column. The left arrows (<) move Apps from the Required Apps column to the Available
Apps column. To select more than one application, hold down the CTRL key, and then make your selections. No specification of device platform is required for specifying a Required App; selecting a Required App makes it a Required App for all applicable device platforms.
4. Select Submit to activate the list. A Cancel button is also available.
5 MANAGING USERS
As the Administrator, you can search for, add, modify, and delete Users.
Users can be identified either with a username or their email address. For an Enterprise, the
minimum set of required information is an assigned Group, First Name and email address. If a login
and/or password are not specified for an Enterprise user, EMM generates them and sends them to the
Email address provided in a Welcome Message.
A User can either be an Employee or an Admin. When enrolling devices, a user or set of users are
specified and EMM enrolls the devices to the designated users.
5.1 Using the User List Page
The Users List Page is accessed by selecting the Users tile:
The User List page is used to manage Users. It lists all the users in the Enterprise and enables you to
Add, Modify or Delete Users. The User List page looks like this figure.
Figure 31: Users List Page
5.1.1 User Summary
The page provides a summary of the users in the group with these counts provided:
Number of Users.
Total number of devices assigned to users.
5.1.2 User List
For each user in the list this information is displayed:
Name
Login Username
Email Address
Group to which the User is assigned
Role (Employee, IT Admin)
Date/time the User was created
Last Login: Date/Time the user last accessed EMM
5.2 Adding Users
Users can be added individually.
Figure 32: Users Page Toolbar
5.2.1 Adding a Single User
To Add a Single User follow these steps:
1. Login to EMM as an IT Admin.
2. Select the Users Tile, the Users List page is displayed.
3. Select the Add User Tile, the User Add page is displayed.
Figure 33: Add User Page
4. These parameters are present.
a. First Name, Middle Initial and Last Name. First name is required.
b. Enterprise Email Address of the user: e.g. [email protected]. Required.
c. Time Zone for the user used to display times on the user’s UI. (If none is specified,
the time zone of the EMM server is used).
d. Username: the user’s login identifier (i.e. corporate username) in their company’s
records: e.g. [email protected] or juser.
e. Certificate: if a personal security certificate is used, it can be uploaded using Upload.
f. Group: used to select the group to which the user should be assigned.
g. Role: used to select the role of the user: EMPLOYEE or IT ADMIN.
h. Login: used to specify the login name of the user on the EMM system. If left blank,
EMM automatically uses the email address as the login.
i. Password: the password of the user on the EMM system. If left blank, EMM
generates a random password.
5. Select Save to complete the entry.
5.3 User List Actions
Two User Actions are available: Edit User and List Devices.
Edit User: this navigates to the User Details page, where the details of the user are listed and can be modified.
List Devices: this navigates to the Device List page, which lists all the devices assigned to the user.
5.3.1 Edit User
To edit User Details follow these steps.
1. Login to EMM as an IT Admin.
2. Select the Users Tile, the Users List page is displayed.
3. For the user to be edited, select the Edit Details icon, the User Details page is displayed.
Figure 34: User Details Page
4. If the user is locked for inactivity, you can unlock the user. You can also lock the user from
EMM access if required.
5. Beginning in EMM 3.3 and later releases, the Group field is a drop down. If other groups are
available, the drop-down can be used to move the user and all devices associated with the
user to another group. All Policies associated with the new group then become applicable to
the user and his/her devices.
6. Modify the parameters as needed and select Save to record the changes.
5.3.2 List Devices
List Devices provides a list of devices assigned to the user. To show the devices assigned to a User
follow these steps:
1. Login to EMM as an IT Admin.
2. Select the Users Tile, the Users List page is displayed.
3. Select the List Devices icon, the User Device Details page is displayed.
Figure 35: List Devices for a User
4. The details of each device can be viewed. See Section 6.3.
6 MANAGING DEVICES
As an administrator you can view, enroll or delete devices. A device that has been assigned to a user and set up for management by EMM is “enrolled”. Information about each device is provided.
6.1 Using the Device List page
The Device List page is accessed by selecting the Devices Tile which displays the list of devices
already defined in the system:
This page is accessed by following these steps.
1. Login to EMM as an IT Admin.
2. Select the Devices tile, the Device List page is displayed.
Figure 36: Devices Tab
A count of the Total Number of devices that have been defined on the system and the number of
enrolled and non-enrolled devices is also provided.
In addition to details pertaining to each device in the groups for which the Admin is responsible, a set
of Status icons is provided. Hovering over the icon provides a definition of the icon. The status
information displayed includes whether the device is enrolled, has security and settings policies
defined, has white-listed or blacklisted Apps, is compromised and has the Mformation EMM Client
installed. A ‘Download Report’ link is provided.
In addition to the Status icons, this information is provided for each device:
Phone Number or ID: If the device has a phone number, it is shown. If the device does not have a phone number, the EMM Internal ID is shown (e.g. “ID-3”)
User: the user’s name assigned to the device.
Email: the email address of the user.
Serial Number: the serial number of the device.
Model: the Model Name of the device (e.g. “iPhone5”)
Type: the type of device: Phone, Tablet.
Platform: Apple, Android, Blackberry, Unknown.
Group: the group to which the device is assigned.
Ownership: specifies whether the device is Personal or Corporate owned.
Last Updated: the last update (e.g. command sent, app downloaded, etc.) made to the device
6.2 Adding A Device
Selecting Add Device displays a page to enroll a new managed device in EMM. Multiple options are
displayed:
Adding a Single Device
Mass Enrollment of Devices
Bulk enrollment of devices using an imported file of users and devices.
Enrollment of users using information from an enterprise’s Active Directory (AD).
Instructions for enrolling from the Google Playstore and Apple App Store are provided.
Details of each of these methods for device enrollment are provided in Section 7.
6.3 Using Device Status
For each device a set of status icons is available:
In the order they are displayed, these indicators provide this information:
Mformation Enrolled: if green, indicates that the EMM Client is installed on an Android device or the MDM profile is installed on an Apple device. A red indicator indicates that the EMM Client is not installed. A grey indicator means no status is available.
Security: if green, indicates that the device is compliant with an active Security Policy. A red indicator indicates that the device is not compliant with the Policy. A grey indicator means no status is available or no Policy is in effect.
Settings: if green, indicates that the device is compliant with an active Settings Policy. A red indicator indicates that the device is not compliant with the Policy. A grey indicator means no status is available or no Policy is in effect.
Required Apps: if green, indicates that Required Apps are installed on the device. A red indicator indicates that the device is missing Required Apps. A grey indicator means no status is available.
Blacklisted Apps: if green, indicates that no blacklisted Apps are present on the device. A red indicator indicates that the device has Blacklisted Apps installed. A grey indicator means no status is available.
Compromised: if green, indicates that the device is not compromised. A compromised device is an Android device for which its OS has been modified. A red indicator means the device is compromised. A grey indicator means no status is available.
Security Breach: if green, indicates that a Security Breach is not present on the device. A Security Breach occurs on an Apple device for which the MDM Profile is removed or that has not communicated with the server in the last 30 days. A red indicator means the device has a Security Breach. A grey indicator means no status is available.
7 ENROLLING DEVICES
Enrollment is the process by which a device is setup to be managed by EMM. Android devices are
managed with the installation of an Mformation device client on the device and Apple devices are
managed with EMM using the Apple Push Notification Service (APNS).
For Android and Apple devices, it is not necessary to specify the make and model of a device;
EMM determines the specific make and model. Enrollment focuses on the device user and once the
user is identified to EMM either by an email address or a phone number, enrollment proceeds with a
minimum of Admin actions.
This figure illustrates all the enrollment options.
Figure 37: Enrollment Options
Each enrollment option is present on the Enroll Device page.
Figure 38: Enrollment Options
The enrollment options available are:
1. Enroll a Single Device
2. Enroll Multiple Devices via a Bulk Upload
3. Staged Enrollment for Multiple Devices assigned to one user.
4. Enroll users obtained from the Enterprise’s Active Directory using the AD Utility.
5. Optionally, Self-Enrollment via the Google PlayStore or the Apple App Store. (If this is not
offered for an enterprise’s users, it can be hidden).
The device user is sent either an email or an SMS to initiate the enrollment process. If email is used, a
message with an Enrollment URL and a QR code is sent; either can be used to link to the server and
initiate the enrollment process. The QR code can be displayed on the user’s desktop or laptop and
scanned by the device with a QR reader to initiate an enrollment. The enrollment URL can also be
sent via SMS if that is the preferred method of the provider and the device is SMS capable. Another
option is for an Enterprise user to self-enroll by downloading the client from the Google PlayStore or
the Apple App Store. (In the case of the App Store, the “Client” is an App that is downloaded).
The email message that is received by the device user for enrollment is of this form.
Figure 39: Email Enrollment Message
The Welcome Message shown on this page can be customized. If the message was sent via SMS
the QR code is not present.
NOTE on QR Readers: Many free QR Readers are available but not all will work. Some readers do
not use the browser on the device and do not support the enrollment process.
The i-nigma QR Reader is recommended; it is free. i-nigma is available on the Apple App Store:
https://itunes.apple.com/us/app/i-nigma-qr-code-data-matrix/id388923203?mt=8
Or from the Google Play Store:
https://play.google.com/store/apps/details?id=com.threegvision.products.inigma.Android&hl=en
7.1 Enrolling a Single Device
Enrollment of a single device can be initiated by the IT Admin by selecting Add Device and then the
Single Device enrollment option which displays a page similar to this one.
Figure 40: Add Single Device Enrollment
Follow these steps to enroll the device.
1. Login as an IT Admin and select the Devices Tile; select the Add Devices Tile.
2. Select Add Single Device; Figure 40 is displayed.
3. The group and username must be specified and an optional phone number if the device is
cellular capable.
4. The communication method of either Email or SMS must be selected. A phone number is
required for SMS and the device must support SMS.
5. The radio buttons Corporate or Personal are used to identify if the device is Enterprise or
Personal owned respectively.
6. If the User is not already defined in the system, Add User can be selected to add the user. An
Enterprise domain name is one of the group parameters and the message returned from the
device user must use that domain name or an allowed variant.
Figure 41: Add User Window
7. The Send Request button is used to provide an option for an Admin to “stage” the device for
a user:
a. If the device user is to complete the enrollment of the device, the Send Request
button should be selected. This results in the Notification Message as shown in
Figure 39 with a QR code to be sent to the user.
b. If the Admin wishes to enroll the device for a user, the Send Request should not be
selected. In this case the Notification Message appears on the Admin’s desktop and
the Admin can complete the enrollment for the device user. This use is appropriate
when the Admin is responsible for “staging” devices for users.
8. When Enroll is selected the process begins and the enrollment message shown in Figure 39
is sent. The following figures summarize the process for either email or SMS depending on
the option selected by the Admin.
Figure 42: Single Device Enrollment via Email
7.2 Bulk Upload Enrollment
Enrollment of a collection of users can be initiated by uploading a comma-delimited (CSV) file in one of these
formats:
Email,[First Name],[Last Name],[Username],[Phone Number] where fields in [ ] are optional. This form is used to create a device for an existing user.
Email,First Name,Last Name,[Username],[Phone Number] where fields in [ ] are optional. This form is used to create a new user and enroll the device to that user.
Email is always required. The First and Last Names are optional if the user already exists. If the User
does not exist, a user entry is created. The Username and Phone Number are always optional.
The maximum number of records that can be uploaded is 5K and the upload is rejected if this is
exceeded. The system also enrolls the device and user if they do not exist. The file must have a
“.csv” file extension.
To execute a Bulk Upload enrollment, follow these steps.
1. Login as an IT Admin and select the Devices Tile; select the Add Devices Tile.
2. Select Bulk Upload Enrollment; the Bulk Upload page is displayed.
Figure 43: Bulk Enrollment Request
3. Create an upload file off-line. It must conform to one of these file formats:
a. Email,[First Name],[Last Name],[Username],[Phone Number] where fields in [ ] are
optional. This form is used to create a device for an existing user.
b. Email,First Name,Last Name,[Username],[Phone Number] where fields in [ ] are
optional. This form is used to create a new user and enroll the device to that user.
4. When Bulk Upload is selected, this page is displayed. Select (1) the group to which the
devices are to be assigned, (2) the communication method (Email or SMS) and browse to
locate the file of users.
Figure 44: Bulk Upload Enrollment
5. Select Upload to upload the file and begin the enrollment process.
6. The user interface provides the status of each upload, the total number of users that were in
the file and the number of successful enrollments.
7. If a format error in the file was detected, an error is shown and an error file describing the
error is provided: click on “Error File”.
An option to support SMS is provided; in that case the record must contain a phone number. The SMS option is only displayed if the system is configured to support an SMSC.
If SMS is not used, EMM sends an email message to each user as shown in Figure 39 to enroll their
device.
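The following pre-upload check for the bulk file described in this section is an added example, not part of EMM or of Mformation's tooling. The function name, the e-mail and phone patterns, the `existing_emails` input and the spreadsheet-formula check are assumptions made for illustration; the field order, the 5K limit, the “.csv” extension and the SMS phone requirement come from the text above.

```python
import csv
import io
import re

MAX_RECORDS = 5000  # the guide's "5K" limit; the whole upload is rejected above it
# Assumption: a loose shape check only; the guide does not state EMM's e-mail rules.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
# Assumption: 7-15 digits with an optional leading "+"; the guide defines no phone format.
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
FIELDS = ("Email", "First Name", "Last Name", "Username", "Phone Number")


def validate_bulk_upload(filename, text, method="Email", existing_emails=()):
    """Check a bulk-enrollment file before upload.

    Returns a list of (record_number, message); record 0 means a whole-file problem.
    existing_emails: users already defined in EMM (form a); all others are new (form b).
    """
    known = {e.strip().lower() for e in existing_emails}
    problems = []
    if not filename.lower().endswith(".csv"):
        problems.append((0, 'file name must have a ".csv" extension'))

    rows = [(n, row) for n, row in enumerate(csv.reader(io.StringIO(text)), start=1)
            if any(cell.strip() for cell in row)]  # ignore blank lines
    if len(rows) > MAX_RECORDS:
        problems.append((0, f"{len(rows)} records exceed the limit of {MAX_RECORDS}"))

    for n, row in rows:
        if len(row) > len(FIELDS):
            problems.append((n, f"{len(row)} fields found, at most {len(FIELDS)} allowed"))
            continue
        cells = [c.strip() for c in row] + [""] * (len(FIELDS) - len(row))
        email, first, last, username, phone = cells
        if not EMAIL_RE.match(email):
            problems.append((n, "Email is required and must look like user@domain"))
            continue
        if email.lower() not in known and not (first and last):
            problems.append((n, "new user: First Name and Last Name are required"))
        if method == "SMS" and not phone:
            problems.append((n, "SMS was selected: Phone Number is required"))
        if phone and not PHONE_RE.match(phone):
            problems.append((n, "Phone Number is not in the expected digit format"))
        # Added hygiene check, not an EMM rule: text fields that a spreadsheet would
        # treat as a formula when the file or the error file is opened later.
        if any(v[:1] in ("=", "+", "-", "@") for v in (first, last, username)):
            problems.append((n, "text field starts with a spreadsheet formula character"))
    return problems


# Constructed sample input (not real users).
SAMPLE = (
    "alice@example.com\n"                         # existing user, e-mail only: form (a)
    "bob@example.com,Bob,Ng,bng,+15550100200\n"   # new user with all fields: form (b)
    "carol@example.com,,,carol\n"                 # new user without names
    ",Dan,Roe\n"                                  # e-mail missing
    "erin@example.com,Erin,Poe,epoe,555-0100\n"   # phone contains a hyphen
)

if __name__ == "__main__":
    for method in ("Email", "SMS"):
        print(f"-- communication method: {method}")
        found = validate_bulk_upload("users.csv", SAMPLE, method, {"alice@example.com"})
        for record, message in found:
            print(f"record {record}: {message}")
```

Running the check with the SMS method reports the records that lack a phone number before EMM's own error file would.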
7.3 Staged Enrollment
This feature addresses a unique use case. In this use case the Admin is enrolling a set of devices
against one user. The user receives a QR code on a laptop or desktop which is scanned by each
device to initiate the enrollment.
Alternatively, for iOS devices the Apple Configurator can be used to pass the enrollment
information to the EMM server for a collection of devices. Some enterprises use this method to mass
enroll Apple devices.
There are several possible applications for this use case; here are some examples:
A classroom has a set of tablets that are used by students in class. The students take the tablet from a rack, use it in class and return it to the rack. The individual students are not identified as users in EMM.
A hotel provides a smartphone to guests to use to access hotel guest services. The guests are not identified as users in EMM.
To execute a Staged Enrollment, follow these steps.
1. Login as an Admin and select the Devices Tile; select the Add Devices Tile.
2. Select Staging; the Staged Enrollment page (Figure 45) is displayed.
Figure 45: Staged Enrollment Page
3. Using this page requires the entry of a group, a user and an expiration time for the URL to be
sent. The process flow looks like this:
o An Enrollment URL is generated when ‘Get URL’ is selected and has an expiration (Expiry) time in hours (maximum 24 hours).
o The Enrollment URL is assigned to one designated user only.
o The Enrollment URL is displayed on the user’s laptop/desktop.
o The Enrollment URL is displayed as a QR code image.
o The user uses the QR code to enroll the set of devices.
4. The enrolling user receives a message similar to this one; a QR code is present.
Figure 46: Staged Enrollment User Page
5. Using the QR code provided, the assigned user can complete the enrollment of each device.
7.4 Enrollment with the Enterprise’s Active Directory
This option enrolls devices using a set of users with their email addresses obtained from the
Enterprise’s Active Directory (AD) of employees.
Mformation has provided an AD Utility which this option will download. The AD Utility is a Microsoft
Windows based application; it enables the IT Admin to access their Enterprise Active Directory and
select a set of users for which devices are to be enrolled. The IT Admin can initiate the enrollment
which creates the devices and users in EMM. An enrollment message as shown in Figure 39 is sent.
When this option is selected, the Admin is prompted to download the AD Utility [1] which leads the
Admin through the setup and user selection steps. The AD Utility imports the selected file of users
and a Bulk Enrollment of these users can be initiated.
7.5 Enrollment Using the Google Playstore or the Apple App Store
Mformation will install the Android EMM Client on PlayStore and an App on the Apple App Store (i.e.
iTunes). This enables the user to download the client/app to their device by searching for the name
“Mformation Enterprise Manager”. The enrollment follows the steps of a Single Device enrollment
(Section 7.1) but the device user must first enter information to establish identity.
Use of this feature is a customer option and it may not be present for all enterprise customers.
NOTE: The EMM Client for Android devices is available on Google PlayStore under the name
Mformation Enterprise Manager. Each deployment of EMM can have Mformation’s EMM client
branded to their specific needs and then place this branded client on Google PlayStore. In order
for the new branded client to be installed and operating correctly on the device, it is required
that the existing Mformation Management Client BE DELETED from the device. If this is not done,
then there will be two management authorities on the device, which can lead to malfunction of
EMM functions.
Selecting the App Store option for Add Devices provides a description of the process. Here is the
user experience for an Android Device.
1. After downloading the client the user is presented with this page.
[1] The Mformation Enterprise Active Directory Utility Guide is available to describe the installation,
configuration and use of this tool.
Figure 47: Android Device Registration Page
2. The registration continues; the PIN sent to the user via email must be entered.
Figure 48: Android Device Registration Completion
The device user completes the entry of personal details; EMM receives the information, verifies
that the email domain name is associated with a valid Enterprise on EMM and sends a confirmation
PIN to the email address. Returning a correct PIN completes the enrollment.
8 MANAGING DEVICE DETAILS
EMM provides the capability to monitor the details of each device. The Device Details page provides information about the characteristics of each device and the recent commands that have been executed for the device. Commands are provided to update the device, edit details of the device user or to delete the device. Tabs are provided to manage the Apps and Documents on the device, modify Security settings, and view the Location of the device.
The Device Details page for a device is reached from the Device List page. By selecting the phone number or ID which appears in the Phone Number column, you navigate to the Device Details page for the device.
If the device is enrolled, information about the device and the features activated on it are displayed. If the device is not enrolled, some basic information about the device is displayed.
8.1 Using the Device Details Page
To navigate to the Device Details page for a specific device follow these steps.
1. Login to EMM as an IT Admin.
2. Select the Devices tile; the Device List page is displayed.
3. Select the device by clicking on the value in the Phone Number field for the device; the
Device Details page for the device is displayed. Here is an example of the upper portion of
the page.
Figure 49: Device Details Page-Upper Portion
The lower portion of the page consists of up to three Tabs:
Apps: used for managing Apps on the device.
Security: used for managing Lock and Wipe and to enable/disable features.
Location: used to display the location of the device (if supported by the device).
The upper portion has these components:
Device Information
Device Quicklinks
Device Vital Signs
Device Compliance
Recent Actions
8.1.1 Device Information
The Device Information pane contains information about the device and its user. The presence of
some information depends on whether the device is enrolled since information is retrieved from the
device. A front and back image of the device may also be displayed.
Figure 50: Device Information Pane
The following table describes each of the fields that may be present in the device information section;
the appearance of fields varies by device type.
Table 3: Device Information Fields
Field | Description
Device | Displays the phone number or the internal Identifier associated with the device. An internal EMM identifier is used for Wi-Fi only devices such as an iPad which do not support cellular service and do not have a phone number. It is of the form “ID=nn” and is in place of the phone number.
User | User name of the enrolled device user.
Last contact | Date and time of the last contact with the device.
Make | Specifies the manufacturer of the device.
Model | Indicates model of the device.
Platform | Android, Apple, Blackberry, Unknown
Type | Phone, Tablet
Identifier | The serial number of the device, the MAC address, IMEI or the internal serial number for iOS devices.
Network | The cellular network currently associated with the device (if applicable).
Ownership | Personal or Corporate
EMM Client | If present, the EMM Client version.
8.1.2 Device Quick Links
Three buttons are present for updating device information.
Figure 51: Device Details Commands
Selecting each command initiates these actions:
Scan: initiates a request to the device to retrieve device information. This includes device vital signs, device information, application inventory, location information (if supported) and all policy compliance icons.
Edit: used to change the user assigned to the device. It can also be used to change the group of the user and his/her device. If the group is changed and the user remains the same, after saving the change a message “This action will move the user and all devices belonging to this user to the selected group. Do you wish to continue?” is displayed.
Delete: used to delete the device from the system.
Message: used to send a message to the device.
8.1.2.1 Send Message
A message of 200 characters or less can be sent. The default is via email but if the device is cellular
capable, a SMS text message can be sent. The Subject of the message is “Enterprise Name
Message” where the “Enterprise Name” is the Group Description of the Enterprise Group. The sender
is the email address of the IT Admin who sent the message.
This is the Modal that is provided for Send Message. A count of the number of characters used is
provided as the message is typed.
Figure 52: Send Message Modal
NOTE: The option to select SMS is only displayed if the device is cellular capable and the server is configured for SMS.
8.1.3 Device Vital Signs
A set of icons is present to indicate whether features on the device are enabled (or in-use) or not.
The set of icons varies depending on the device type and platform. These icons reflect controls that
are set via a Settings or Security Policy sent to the device. Depending on the setting the icon and its
color may change.
NOTE: The information displayed for Camera, Bluetooth, Wi-Fi, Data Roaming and GPS can have a
dual meaning depending on the device and is often confusing; this is a limitation of the device. If the
device supports controlling these features, the ability to enable/disable them is controlled by the
Security Policy defined by an Admin and sent to the device. If the feature has been disabled by a
Policy, a RED icon is displayed and cannot be changed by the device user. However, if the feature
has not been disabled by a Policy AND is not in use or turned off by the device user, a RED icon is
also displayed.
Figure 53: Device Vital Signs
Table 4: Device Vital Signs
Field | Description
Coverage | Specifies the type of coverage: GPRS, CDMA.
Signal | Displays the signal strength (RSSI).
Battery | Displays the battery strength in percentages.
Free Memory | Shows the remaining capacity of memory in megabytes.
Access Technology | Specifies the Access Technology used: HSPA, LTE etc.
Additional Android and Blackberry Device Capabilities: For EMM Client equipped
devices the status of these features is displayed:
For Android EMM Client equipped devices this information may be displayed:
Bluetooth Control: Enabled, Disabled
Camera Control: Enabled, Disabled
Wi-Fi Control: Enabled, Disabled
Data Roaming Status: On, Off
GPS Status: On, Off
For Blackberry EMM Client equipped devices this information may be displayed:
Wi-Fi Control: On, Off
GPS Status: On, Off
NOTE: Green means the feature is available for use on the device. Red means the
feature is disabled for use. Grey means the status is unknown.
8.1.4 Device Compliance Indicators
A set of icons provides a color indication of whether the device is in compliance with these items.
Green indicates compliance, Red indicates non-compliance and Grey indicates unknown.
EMM Client: Devices which have enrolled with the EMM Client.
Security Policy Compliance: Device status compliance with the Security Policy in effect.
Settings Policy Compliance: Device status compliance with the Settings Policy in effect.
Apps Blacklisted: Device status with blacklisted Apps.
Required Apps: Device status with required Apps.
Compromised: Android Devices that have been “rooted”: the device’s OS has been modified. (Detection of modified Apple devices (i.e. “Jailbroken”) is not supported; Apple devices are always recorded as NOT being compromised).
Security Breach: Apple iOS devices that have the MDM (Mobile Device Management) profile removed and also iOS and Android devices that have not contacted the EMM server in the last 30 days.
Figure 54: Compliance Indicators
Executing the Scan command (Section 8.1.2) updates the status of these compliance indicators by querying the device.
Android devices with the EMM client active initiate a “heartbeat” response to the server at least once a day; this updates Security and Settings Policy compliance indicators for the device.
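The Compromised and Security Breach rules of this section can be applied to a device inventory as follows; this is an added example, not EMM code. The record fields (`id`, `platform`, `last_contact`, `mdm_profile_present`, `rooted`) are assumptions, since the guide documents no export format, and the early warning before the 30-day limit is an addition that EMM itself does not provide.

```python
from datetime import datetime, timedelta, timezone

BREACH_AFTER = timedelta(days=30)  # no contact with the EMM server in the last 30 days


def security_breach(device, now):
    """Security Breach colour per Section 8.1.4: red, green, or grey (no status)."""
    if device["platform"] == "Apple" and device.get("mdm_profile_present") is False:
        return "red"  # MDM profile removed from an Apple device
    last = device.get("last_contact")
    if last is None:
        return "grey"
    return "red" if now - last > BREACH_AFTER else "green"


def compromised(device):
    """Compromised colour; only Android root detection is supported."""
    if device["platform"] == "Apple":
        return "green"  # always recorded as NOT compromised, whatever the device state
    if device["platform"] == "Android" and device.get("rooted") is not None:
        return "red" if device["rooted"] else "green"
    return "grey"


def assess(device, now):
    """Both indicators plus the context needed to interpret them."""
    last = device.get("last_contact")
    return {
        "id": device["id"],
        "security_breach": security_breach(device, now),
        "compromised": compromised(device),
        # False: the Compromised colour is not backed by a check on the device.
        "compromised_assessed": device["platform"] == "Android"
        and device.get("rooted") is not None,
        # Whole days left before the 30-day rule trips; negative once it has.
        "days_to_breach": None if last is None else (last + BREACH_AFTER - now).days,
    }


def needs_attention(devices, now, warn_days=7):
    """Devices red on either indicator, or within warn_days of the 30-day rule."""
    flagged = []
    for device in devices:
        result = assess(device, now)
        red = "red" in (result["security_breach"], result["compromised"])
        left = result["days_to_breach"]
        if red or (left is not None and 0 <= left <= warn_days):
            flagged.append(result)
    return flagged


# Constructed sample inventory (not real devices).
NOW = datetime(2014, 3, 6, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"id": "A1", "platform": "Android", "last_contact": NOW - timedelta(days=1), "rooted": False},
    {"id": "A2", "platform": "Android", "last_contact": NOW - timedelta(days=2), "rooted": True},
    {"id": "A3", "platform": "Android", "last_contact": NOW - timedelta(days=26), "rooted": False},
    {"id": "I1", "platform": "Apple", "last_contact": NOW - timedelta(days=3),
     "mdm_profile_present": False},
    {"id": "I2", "platform": "Apple", "last_contact": NOW - timedelta(days=45),
     "mdm_profile_present": True},
    {"id": "I3", "platform": "Apple", "last_contact": None, "mdm_profile_present": None},
]

if __name__ == "__main__":
    for row in needs_attention(DEVICES, NOW):
        print(row)
```

For the Apple devices, `compromised_assessed` is false even though the indicator is green, which is the distinction the note on jailbreak detection calls for.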
8.1.5 Recent Actions
The last five commands sent to the device and their status are displayed along with the date and time.
These states are used to describe the status for a command:
Pending: command has been issued and is in queue.
Sent: command has been sent and response is awaited from a device.
Success: command has been accepted and processed successfully.
Failed: command has not succeeded; the command failed at the device or timed out.
Most of the commands that appear in the Recent Actions list are reasonably self-explanatory: e.g. “Get Device Details”, “Get Vital Signs”, etc.; these commands reflect actions taken to retrieve information from the device.
“Monitor SW Update” is one command that is less intuitive; whenever an application is installed or uninstalled on the device, this command is sent to retrieve a current application inventory from the device and the updated inventory is displayed on the Apps tab. This command also appears during the enrollment process and is used to instruct the EMM client on the device to report the software inventory on the device back to the EMM server.
8.2 Using the Apps Tab
The Apps Tab provides a view of the Applications that are installed on the device and access to the
Apps Catalog of applications that are available for installation on the device.
1. To access the Apps tab, Login to EMM as an IT Admin.
2. Select the Devices tile; the Device List page is displayed.
3. Select the device by clicking on the value in the phone number field for the device; the Device
Details page for the device is displayed.
4. Select the Apps Tab and if Apps are installed on the device, they are displayed.
Figure 55: Device Details-Apps Tab
5. The Tab lists all the Apps installed on the device. The software version, the category
assigned to the App (games, productivity, etc.), the App size in KB and the Actions available
for the App are shown. If the device allows the App to be uninstalled, an uninstall icon is
provided. An icon for the App is also displayed. If the Tag icon is Green, the App is a
Required App; if the Tag icon is Red, the App is a Blacklisted App; if the Tag icon is Yellow,
the App has been designated as neither Required nor Blacklisted (i.e. Optional). A Grey
tag indicates the App designation is unknown.
8.2.1 Installing an App
An App from the Catalog can be installed on the device.
1. Select the Install Apps tile and the Install App window is displayed.
Figure 56: Install App Window
2. The Apps shown in the left column are Apps available for installation. By dragging them to
the right hand column and selecting Install the App is installed on the device.
3. If the device allows, an installed App can be removed using the – icon. (Apple devices do not
allow Apps to be removed).
8.2.2 Retrieving and sending iOS 7 App Configurations
It is also possible to retrieve the key/value pairs for an iOS managed application from a device or to
send the default key/value pair values for a single device. (The default key/value pairs are those
which have been specified using the Application Configuration that was saved for an Application in
Section 9.4.1).
1. This capability is provided on the Application Tab of the Device Details page for the iOS 7
device.
Figure 57: Device Application Tab-Configure App
2. Selecting the Configure App icon displays the Application Configuration Modal. Two tabs are present:
a. Tab to retrieve the App Configuration present on the device.
b. Tab to display the default configuration for the application.
Figure 58: Retrieving the App Configuration from the Device
3. Selecting “Retrieve App Config” queries the device and obtains the current key/value pairs
on the device. An in-progress message is displayed.
Figure 59: Retrieve App Configuration in Progress
4. Selecting the Default Configuration tab displays the default key/value pairs stored in EMM. The option to Send that configuration to the device and replace the ones on the device is provided.
Figure 60: Send Default App Configuration to the Device
5. An in-progress message is provided to confirm the action.
Figure 61: Send Default App Configuration in Progress
8.3 Using the Security Tab
The Security Tab is used to Lock, Unlock and Wipe a device. Lock prevents a device user from
accessing the device and Wipe removes the EMM Client or the MDM profile and all customer data
from the device. A selective Wipe is also provided.
1. To access the Security tab, Login to EMM as an IT Admin.
2. Select the Devices tile; the Device List page is displayed.
3. Select the device by clicking on the value in the phone number field for the device; the Device
Details page for the device is displayed.
4. Select the Security Tab.
Figure 62: Device Details-Security Tab
8.3.1 Locking or Unlocking a Device
Buttons are provided to Lock or Unlock a device. You are asked to confirm the Lock or Unlock. A secondary window is provided to enter a lock message and, for those devices that support it, the option to have the device “scream” (i.e. initiate a sound tone).
Figure 63: Lock Window
8.3.2 Wiping or Selective Wiping a Device
A Wipe button is provided to initiate a Wipe of the device. Depending on the device, a Wipe removes most personal data (messages, text, contacts, etc.); a Selective Wipe option is also provided. You are asked to confirm the Wipe.
Figure 64: Wipe Window
8.3.2.1 Selective Wipe
A Selective Wipe option is provided for the use case when an employee having a personal device (BYOD) used for company business terminates relations with the enterprise. In this case it is desired to remove company Policies, Profiles and Applications or Documents that have been installed on the device while retaining the user’s information on the device. The Security tab on the Device Details page has the option to select a Full Wipe or a Selective Wipe when the Wipe command is selected.
When an Admin selects Selective Wipe for an Android device, EMM issues a “Remove Device
Management” command which has these effects:
Removes the last successful Settings Policy applied on the device.
Removes the last successful Security Policy applied on the device.
Deletes any documents downloaded via the Document Viewer.
Deletes any Apps installed on the device via EMM. For non-Samsung SAFE devices a user
prompt is required to uninstall applications and EMM provides a reminder of all the
applications that must be uninstalled.
When an acknowledgement of the command is received, (1) EMM marks the device as “NOT
ENROLLED” and (2) the device is not reported as a “SECURITY BREACH”. If LDAP
Authentication is not enabled, (3) the user’s password on EMM is blanked out, (4) the device
is assigned to the user issuing the command and (5) the device’s group is moved to the group of
the user initiating the command.
Selective Wipe has already been available on iOS devices when a “Remove Device Management”
command is issued; it is available using the Security tab for the iOS device. When Selective Wipe is
selected for an iOS device, EMM issues a “Remove Device Management” command which has these
effects:
Removes MDM Profile on the device which removes all Profiles (Settings and Security
Policies) pushed to the device.
Deletes all Applications pushed to the device if the option “Remove App when MDM
Removed” is enabled.
Deletes any documents downloaded via the Document Viewer.
When an acknowledgement of the command is received, (1) EMM marks the device as “NOT ENROLLED” and (2) the device is not reported as a “SECURITY BREACH”. If LDAP Authentication is not enabled, (3) the user’s password on EMM is blanked out; (4) the device is assigned to the user issuing the command and (5) the device’s group is moved to the group of the user initiating the command.
8.3.3 Implementing Apple iOS Security
Apple iPhone and iPad devices support the remote management of security features through
protocols native to the device. These security features allow devices to be locked, unlocked, and
wiped without the presence of an EMM Client. The following sections describe how to use these
security features.
The implementation of security features with iPhone is limited by the capabilities of the device:
Mobile Device Management must be implemented on the device; an MDM profile must be
installed.
If the device does not have the native Passcode client activated, you must first send a
Security Policy containing a Passcode configuration by sending a Passcode configuration
profile to the device. The Passcode profile is not activated until the device user creates a
Passcode on the device. After the Passcode profile is downloaded, the device user is
prompted to create a Passcode.
If the native Passcode client has been activated by the subscriber after a policy sent by EMM
is downloaded, the subscriber can unlock the device if they know the existing Passcode.
Lock and Unlock are implemented by these actions:
o The lock function is implemented by EMM by sending a LockRequest to the iOS
MDM Profile. The device is locked. Outgoing calls, including those to Customer Care,
cannot be made; however, emergency calls and incoming calls are allowed.
o The unlock function is implemented by EMM by removing the Passcode profile from
the device.
Wipe on an Apple Device has this effect. When an iPhone or iPad is wiped, it is restored to its factory settings, removing all media and data from the device. Some data may be able to be restored by the device user by syncing with the appropriate systems such as iTunes, Exchange, etc.
o NOTE: If the user succeeds in restoring the MDM profile on the device, EMM rejects
the device as unknown (by sending a 401 HTTP status); the device then removes
the profile containing the MDM payload. This occurs each time restoration of the
MDM profile is attempted by the device user.
8.3.4 Viewing Apple Device Security Status and Restrictions
Security settings, device and profile restrictions can be retrieved from the device and are displayed. To retrieve current security information from the device, follow these steps.
1. Log into EMM.
2. Access the device to manage.
3. Select the Security tab.
4. The retrieved information consists of Security Information, Global Restrictions and Profile
Restrictions. The definitions of the information returned are specified by Apple.
Table 5: Apple iPhone/iPad Security Information
NOTE: Apple iOS documentation should be consulted if there are questions about these features.
Setting | Description
Block-level Encryption Enabled | If ‘Yes’, indicates that Block-level encryption is enabled on the device.
Protection Enabled | If ‘Yes’, indicates that Passcode, Block-Level Encryption and File-level Encryption are all enabled on the device.
File-level Encryption enabled | If ‘Yes’, indicates that File-level encryption is enabled on the device.
Passcode Compliant | If ‘Yes’, indicates that the device Passcode is compliant with all requirements on the device including the password requirements of Exchange (if present) and other accounts requiring a password on the device.
Password Compliant with Profiles | If ‘Yes’, indicates that the device Passcode is compliant with the requirements of profiles including the Passcode profile downloaded to the device.
Password Protected | If ‘Yes’, indicates that the device Passcode is enabled on the device.
8.4 Using the Location Tab
This tab displays the GPS location on a map for GPS equipped Android devices using the EMM Client. (Apple devices do not support this feature). The device’s Longitude and Latitude and time-of-fix are provided. The position is displayed on a Google map. Position information is not automatically updated; the page is updated whenever a Scan is selected. The Last Reported Time is displayed in the Local Time of the user and tells you when the last position was obtained.
This tab is only present when device location information is provided by the device to EMM and if the legal jurisdiction allows the display.
8.4.1 Viewing Location Information
To access GPS location information for the device, follow these steps.
1. Log into EMM.
2. Select the device to be viewed
3. Select the Location tab. The Location page displays. If the Location tab is not present and
the GPS Status indicator is “On”, do a Scan to retrieve the position information; if the GPS
Status indicator is “Off”, location information cannot be obtained.
Figure 65: Location Page
9 MANAGING APPS AND DOCUMENTS
As the Administrator, you can upload Applications for installation on devices and view Applications that are available for installation onto devices. These Apps form an Enterprise App Store which is available on a device for users.
Apps can be tagged as Required Apps or Apps to be Blacklisted. Either a Blacklist or a Whitelist of Apps can be defined.
Documents can also be uploaded to the Document Library and provided to devices.
9.1 Using the Application Catalog
The Application Catalog page lists all the Apps installed on EMM.
The Catalog tab lists all the Apps installed on the system.
The Documents tab lists all the Documents installed on the system.
The page also shows a count of the Total Apps installed on devices and the Total Devices enrolled on the server.
To access the Apps and Documents Lists follow these steps.
1. Login as Admin to EMM
2. Select the Apps Tile:
3. The Apps List Catalog page is displayed.
Figure 66: Apps List Page
4. For each App in the list this information is provided:
a. A tag indicating (if Green) that the App is a Required App, (if Grey) the App is
Unknown (No designation assigned), (if Yellow) the App is Optional. A Red tag
indicates a blacklisted App.
b. An Icon for the item.
c. Name of the item.
d. Platform (Android, Apple, etc.) to which the App or Document applies.
e. Version of the App
f. Category to which the App has been assigned. Categories such as “Games”,
“Productivity”, etc. are predefined in the system.
g. Size of the App or Document.
h. Date and time installed.
5. A set of icons is provided for actions that can be performed on the App.
Edit is used to modify App metadata.
Install is used to install the App on all applicable devices in the group.
Configure App is used to configure an iOS 7 (or later) App.
Figure 67: App Action Icons
9.2 Using the Document Library
Selecting Documents displays a similar page for Documents.
Figure 68: Document Library Page
1. For each Document in the list this information is provided:
a. The Group assigned to the document
b. An Icon for the document.
c. Name of the document.
d. Date the document was added to the library.
e. Size of the Document.
f. The number of downloads of the document to devices.
g. An indication of whether the document can be installed on devices that are Wi-Fi
enabled.
h. An icon “X” to delete the document from the library.
9.3 Adding an Application or Document
To install an Application or a Document on the EMM server, follow these steps.
2. Login to EMM as Admin.
3. Navigate to the Apps page.
4. Select the Add App tile.
Figure 69: Add App Tile
5. The Add App/Upload Document window is displayed. The form of this window differs slightly
based on the platform selected. An App to be installed on an Apple device has two options;
these are not present for Android devices.
a. Prevent App Backup: prevents the App from being backed up to iCloud.
b. Remove App when MDM Removed: removes the App when the Mobile Device
Management Profile is removed.
Figure 70: Add App/Upload Document Window
6. From this page an Enterprise App, an External App or a Document can be installed.
9.3.1 Adding an Enterprise App
An Enterprise App is an App that is unique to the Enterprise. To add an Enterprise App to the
Catalog, follow these steps.
NOTE: Apple prohibits an App from its iTunes App Store from downloading another App Store App.
Consequently an Enterprise App is not shown on the EMM Client App Store interface on the iOS
device. EMM will push an Enterprise App to an iOS device. This restriction does not apply to Android
devices.
1. Login as EMM Admin.
2. Navigate to the Add App/Upload Document window.
3. Select Enterprise App; the page refreshes with the parameters needed for the App.
Figure 71: Add Enterprise App
4. Select the group to which the App applies.
5. Select the Platform: Android, Apple, etc.
6. Select the Device Type: Phone, Tablet, All. This indicates the device types to which the App
applies.
7. Select the Category from the drop-down.
8. Choose the icon file to be displayed for the App. (30X30 pixels is the minimum size; the
Format is .PNG. Typically an Android App’s .apk includes the icon but Apple Apps usually
require the icon .PNG to be uploaded separately).
9. Enter a description for the App (< 500 characters)
10. Select the File where the App is to be found. Android Apps require an .apk file and Apple
devices require an .ipa file.
11. Select Save to complete the entry and the App will be uploaded.
9.3.2 Adding an External App
An External App is one that resides on the Google PlayStore, the Apple App Store, or some other
server. The Enterprise requires that the App becomes part of the Catalog. To add an External App
to the Catalog, follow these steps.
1. Login as EMM Admin.
2. Navigate to the Add App/Upload Document window.
3. Select External App; the page refreshes with the parameters needed for the App.
Figure 72: Add External App
4. Select the group to which the App applies.
5. Select the Platform: Android, Apple, etc.
6. Select the Device Type: Phone, Tablet, All.
7. Select the Category from the drop-down.
8. Choose the icon file for the App. (30X30 pixels is the minimum size; Format is .PNG.
Typically an Android App’s .apk includes the icon but Apple Apps usually require the icon
.PNG to be uploaded separately).
9. Enter a description for the App (< 500 characters)
10. Enter the Version ID and URL that points to the App.
11. Select Save to complete the entry and the App will be uploaded.
9.3.2.1 Android External App URL Requirements
The URL format used for an external App to be installed on an Android device must conform to
the formats specified by Google. Details of this format can be found using this Google link:
https://developer.android.com/distribute/googleplay/promote/linking.html#UriSummary
This summary and Table 6 are a subset of Google’s information on the URL formats allowed; please
use the link above to ensure that you have the most current information.
Google defines two general formats for links that are accessible to users on an Android device. The two formats trigger slightly different behaviors on the device:
market:// Launches the Play Store app to load the target page. Not used with EMM.
http:// Allows the user to choose whether to launch the Play Store app or the browser to
handle the request. If the browser handles the request, it loads the target page on the
Google Play web site.
You should use http:// format.
Table 6: Google URL Formats for Android Apps
This is the only supported format used with EMM.

| For this result | Web Page Link |
|---|---|
| Show the product details page for a specific app | http://play.google.com/store/apps/details?id=<package_name> |
9.3.2.2 Apple iTunes External App URL Requirements
The easiest way to find your App Store URL is by opening iTunes and copying the information directly from the App Store. The steps included below outline how you can find your App URL.
1. Open iTunes.
2. Search for your app.
3. Click your app's name and copy the URL (right-click for PC users).
Apple App Store URLs will be in the following format:
http://itunes.apple.com/[country]/app/[App-Name]/id[App-ID]?mt=8
Note: A custom Enterprise App must have approved certificates as per Apple’s requirements.
This link provided by Apple provides details of their proper URL format.
https://developer.apple.com/library/ios/qa/qa1633/_index.html
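The two URL formats above (Google Play and Apple iTunes) can be checked before an External App entry is saved, so that a catalog link cannot point at a look-alike host or use the unsupported market:// form. This is an added example, not part of the guide or of EMM itself; accepting https alongside http, the two-letter country code, the numeric App ID and the sample URLs are assumptions made here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: https is accepted in addition to the http:// form shown in the guide.
ALLOWED_SCHEMES = {"http", "https"}
PLAY_HOST = "play.google.com"
PLAY_PATH = "/store/apps/details"
ITUNES_HOST = "itunes.apple.com"

# Android application ID: two or more dot-separated segments, each starting
# with a letter and continuing with letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

# /[country]/app/[App-Name]/id[App-ID]; two-letter country code and numeric
# App ID are assumptions about the placeholders in the guide's format.
ITUNES_PATH_RE = re.compile(r"/[a-z]{2}/app/[^/]+/id[0-9]+")


def check_external_app_url(platform, url):
    """Return a list of problems; an empty list means the URL fits the format."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "market":
        return ["market:// links are not used with EMM; use the http:// form"]

    problems = []
    if scheme not in ALLOWED_SCHEMES:
        problems.append("unsupported scheme %r" % parts.scheme)

    # Compare the whole authority component, so userinfo ("user@host"),
    # explicit ports and look-alike suffixes are all rejected.
    netloc = parts.netloc.lower()
    query = parse_qs(parts.query)

    if platform == "android":
        if netloc != PLAY_HOST:
            problems.append("host must be exactly " + PLAY_HOST)
        if parts.path != PLAY_PATH:
            problems.append("path must be " + PLAY_PATH)
        ids = query.get("id", [])
        if len(ids) != 1 or not PACKAGE_RE.fullmatch(ids[0]):
            problems.append("id must be a single valid package name")
    elif platform == "apple":
        if netloc != ITUNES_HOST:
            problems.append("host must be exactly " + ITUNES_HOST)
        if not ITUNES_PATH_RE.fullmatch(parts.path):
            problems.append("path must be /[country]/app/[App-Name]/id[App-ID]")
        if query.get("mt") != ["8"]:
            problems.append("query must contain mt=8")
    else:
        raise ValueError("unknown platform: %r" % platform)
    return problems


# Constructed sample entries (not taken from any real catalog).
SAMPLE_ENTRIES = [
    ("android", "http://play.google.com/store/apps/details?id=com.example.app"),
    ("android", "market://details?id=com.example.app"),
    ("android", "http://play.google.com.example.net/store/apps/details?id=com.example.app"),
    ("android", "http://play.google.com/store/apps/details?id=bad..name"),
    ("apple", "http://itunes.apple.com/us/app/example-app/id123456789?mt=8"),
    ("apple", "http://itunes.apple.com/us/app/example-app/id123456789"),
]


def audit_catalog(entries):
    """Check every (platform, url) pair and return (platform, url, problems) tuples."""
    return [(p, u, check_external_app_url(p, u)) for p, u in entries]


if __name__ == "__main__":
    for platform, url, problems in audit_catalog(SAMPLE_ENTRIES):
        print("OK  " if not problems else "FAIL", platform, url, problems)
```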
9.3.2.3 Editing Application Metadata
The Application Metadata of an Application including a new application file can be updated. Follow
these steps.
1. Login as EMM Admin.
2. Navigate to the App Lists page.
3. Select the Edit App icon and the Application Metadata is displayed.
4. Modify or update the desired parameters. Upload a new icon or App file if required.
5. Select Save to update the Application data.
Figure 73: Editing Application Data
9.3.3 Adding a Document
Documents can be uploaded to EMM and made available on devices in the Document Library. To
upload documents follow these steps.
1. Login as EMM Admin.
2. Navigate to the Add App/Upload Document window.
3. Select Document; the Upload Document secondary window is displayed.
Figure 74: Add Document Page
4. Select the group for which the document is to be available.
5. Choose the file to be uploaded.
6. Select if Wi-Fi is to be allowed when downloading the document from a device.
7. Select Upload to complete the entry and the document will be uploaded.
9.4 Apple iOS 7 Managed App Configuration
Apple iOS 7 introduced the ability to configure a Managed Application and the ability to retrieve a
configuration from a Managed Application. A Managed Application is an application provided for an
Apple iOS 7 device that includes features that can be selected by the device user and/or specified by
the IT Admin. This could be a custom managed application that is developed by an enterprise for use
by their Apple device users or third-party managed applications from the Apple App Store.
Support for a Managed Application is a customer option beginning in EMM 3.3. (A Service Package
control “Disallow iOS Managed App” is provided to suppress access to this feature).
EMM can provide a configuration dictionary to third-party managed Apps and can read data from a
feedback dictionary provided by a third-party Managed App on the device. The configuration
dictionary can be used to specify features enabled or disabled on the App and the feedback dictionary
can be used to provide status of the enabled features back to the server from the App.
The managed parameters are configured as key-value pairs per Apple’s definition. The key-value
pairs are specified by each Managed Application vendor. If you send a key-value pair not recognized
by the application, an error is returned. Examples of a managed application parameter might be a
date-time when the application should begin to collect data or a parameter that enables/disables a
particular feature of the application.
To support this feature, EMM enhances the Applications List page with an App Configuration
action, which navigates to a new App Configuration page for configuring the parameters required by
a Managed App. These enhancements are only displayed for applications that can support App
Configuration and only on the iOS platform.
For a Managed Application the Device Details Apps page is also enhanced to include an App Config
icon which when selected displays the App Configuration on the device and on the EMM server. You
are able to retrieve, update and send the server App configuration to the selected Apple device.
9.4.1 Configuring an iOS 7 Managed Application
A new Icon is present only for an iOS 7 Managed Application to enable the application’s key/value
pairs to be configured. To configure the managed application follow these steps.
1. Navigate to the Apps List page.
2. Locate the application that supports iOS 7 App Management.
Figure 75: Configure App Icon
3. Selecting the “Configure App” icon (i.e. the gear) displays the Application Configuration Modal.
Figure 76: Application Configuration Modal
4. This modal is used to change or add key/value pairs for the Managed Application. A key/value pair can be deleted using the “-” icon and a new key/value pair can be added with the “+” icon. The Added/Modified App Configuration can be saved; an App Configuration can be deleted.
5. The keys and the allowed key values must be obtained from the third-party application specification; they are defined by the third-party vendor.
6. A confirmation request is required for any save or deletion request.
Figure 77: App Configuration Save Request Confirmation
10 SCHEDULING REPORTS
A facility to schedule and manage reports is introduced in this release. A suite of tabular reports can be requested and exported in CSV or PDF format. Reports are not viewable on the EMM UI. Real-time (i.e. Ad-Hoc), daily, weekly and monthly report formats are supported. Reports can be defined and exported either from the UI or via the REST API.
Command Activity Report (real-time, daily, weekly, monthly)
Command Summary Report (daily, weekly, monthly)
Device Detail Report (daily, weekly, monthly)
Audit History Report (daily, weekly, monthly)
App Inventory Report (daily, weekly, monthly)
The report generator is an extensible facility; additional reports can be added as required in future releases.
A Weekly Report picks up records of the previous week beginning Monday.
A report scheduled on Tuesday, Sept 3rd shall run and pick up records of the previous week beginning Monday (26th August - 1st September). The next instance of the report shall run on Tuesday, Sept 10th and shall pick up records from 2nd September - 8th September.
A Monthly Report shall pick up records of the previous month.
A report scheduled on Sept 3rd shall run and pick up records of the previous month (1st August - 31st August). The next instance of the report shall run on Oct 3rd and shall pick up records of the previous month (1st September - 31st September).
A report scheduled on Aug 31st shall run at the end of each month and shall pick up records of the previous month (1st July - 31st July). The next instance of the report shall run on Sept 30th and shall pick up records of the previous month (1st August - 31st August).
A Daily Report picks up records of the date specified.
It generates a report from midnight to 23:59 of the previous day.
The start date of a new Daily Report must be a future time from the current time when creating the report schedule.
A Real-time (ad-hoc) report captures the current information available for the report; the report collects data from midnight of the Start Date to 23:59:59 of the End Date; it returns results immediately.
Once a scheduled report is created it continues to be generated until the schedule is deleted: i.e. a daily report will be created every day until the schedule is deleted.
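The record windows described above can be computed from a run date, which is useful when checking that consecutive Audit History or Command Activity reports leave no uncovered days. This is an added example, not EMM code; the year 2013 (in which Sept 3rd is a Tuesday), the function names and the clamping of a day-31 schedule to the last day of shorter months are assumptions consistent with the scheduling examples in this section.

```python
import calendar
from datetime import date, timedelta


def daily_window(run_date):
    """A daily report covers midnight to 23:59 of the previous day."""
    prev = run_date - timedelta(days=1)
    return prev, prev


def weekly_window(run_date):
    """A weekly report covers the previous week, Monday through Sunday."""
    this_monday = run_date - timedelta(days=run_date.weekday())
    start = this_monday - timedelta(days=7)
    return start, start + timedelta(days=6)


def monthly_window(run_date):
    """A monthly report covers the whole previous calendar month."""
    end = run_date.replace(day=1) - timedelta(days=1)
    return end.replace(day=1), end


def next_monthly_run(run_date, scheduled_day):
    """Next month's run date; a schedule day past month end is clamped
    to the last day of that month (Aug 31st -> Sept 30th)."""
    if run_date.month == 12:
        year, month = run_date.year + 1, 1
    else:
        year, month = run_date.year, run_date.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(scheduled_day, last_day))


def monthly_runs(first_run, count):
    """The first `count` run dates of a monthly schedule."""
    runs = [first_run]
    while len(runs) < count:
        runs.append(next_monthly_run(runs[-1], first_run.day))
    return runs


def find_gaps(windows):
    """Return (previous_end, next_start) pairs where consecutive report
    windows are not back-to-back, i.e. days no report would cover."""
    gaps = []
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start != prev_end + timedelta(days=1):
            gaps.append((prev_end, next_start))
    return gaps


if __name__ == "__main__":
    # Constructed dates matching the examples in this section (year assumed).
    print("weekly :", weekly_window(date(2013, 9, 3)))
    print("monthly:", monthly_window(date(2013, 9, 3)))
    runs = monthly_runs(date(2013, 8, 31), 4)
    print("runs   :", runs)
    print("gaps   :", find_gaps([monthly_window(r) for r in runs]))
```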
10.1.1 Available Reports
In this release these reports are provided. All are in tabular format. The date and time of the report
creation is included in the report.
10.1.1.1 Audit History Report
This report can be scheduled Daily, Weekly or Monthly. In columnar format this report displays:
Group
Audit Object Name
Audit Action Name
User
Date
Detail
The generation date of the report is also provided.
These Audit Objects and Actions are recorded. For each action (Add, Edit, Delete or Send) the
message responses are shown.
Table 7: Audit Objects and Actions

| Object | Add | Edit | Delete | Send |
|---|---|---|---|---|
| Device | Added Device to User “Firstname Lastname” | None | Deleted Device with Phone Number “blah” | |
| MassEnrollment | Mass Enrollment URL Generated against Group “blah” and user “blah” | None | None | |
| User | Added user with Email = “blah” | Modified GROUPS/ROLES for user with Email = “blah” <br>Previous GROUPS/ROLES = blah<br>New Groups/Roles = blah2 | Deleted user with Email = “blah” | |
| Group | Added Group “blah” | Modified Group “blah” | | |
| Application | Added Application with name “blah” | Application Modified name “blah” | Deleted Application with name “blah” | |
| AppsPolicy | App Policy Enabled for group “blah” | App Policy Modified for group “blah” | App Policy Removed for group “blah” | |
| SettingsPolicy | Settings Policy Enabled for group “blah” | Settings Policy Modified for group “blah” | Settings Policy Removed for group “blah” | |
| SecurityPolicy | Security Policy Enabled for group “blah” | Security Policy Modified for group “blah” | Security Policy Removed for group “blah” | |
| Documents | Added Document with Filename “blah” | None | Deleted Document with Filename “blah” | |
| Service Package | Added Service Package “blah” | Modified Service Package “blah” | Deleted Service Package “blah” | |
| Commands | | | | PhoneNumber: “nnnn” Command: “blah” |

Commands to be Audited:
1. Scan
2. Lock
3. Unlock
4. Wipe
5. Selective Wipe
6. Settings Policy
7. Security Policy
8. Install Software
9. Uninstall Software
10. Send Message
10.1.1.2 Application Inventory Report
This report can be scheduled Daily, Weekly or Monthly. In columnar format this report displays:
Group
Tag (Blacklisted/Whitelisted/Required/Optional/Unknown)
App Name
Platform
Version
Installed (number of devices on which the App is installed)
This report contains all the data from subgroups as well. It does not contain Apps for BYOD devices.
10.1.1.3 Command Activity Report
This report can be scheduled Ad-Hoc, Daily, Weekly or Monthly. In columnar format this report
displays:
Group
Phone
Serial Number
Device command
Status
Initiated
Updated
User
10.1.1.4 Command Summary Report
This report can be scheduled Daily, Weekly or Monthly. In columnar format this report displays:
Group
Command
Total submitted
# Failed
10.1.1.5 Device Detail Report
This report can be scheduled Daily, Weekly or Monthly. In columnar format this report displays:
Group
Make
Model
Type
Platform
Serial #
Phone #
Enrolled (Y/N)
10.1.2 Creating a Report
Reports are managed on a per-group basis. A new icon is present on the Group List page to manage
reports. To add a new report schedule follow these steps
1. Navigate to the Group List page by selecting the Groups Tile.
2. Select the Reports icon for the group of interest.
Figure 78: Report Icon
Selecting the Report Icon displays the Reports page. This page lists all the report types in columns based on whether they are available as Daily, Weekly, Monthly and Ad-Hoc (real-time). If a report is available, the report symbol is green and the number of reports created with a schedule is shown; if none are available, the symbol is grey. Some reports are not available as Ad-Hoc reports and for those the symbol in the Ad-Hoc column is grey.
Figure 79: Reports Page
3. To add a report schedule the “+” icon next to the required report is selected if it is present. Only one active schedule can be in effect for each report type.
Figure 80: Add Report Icon
4. This opens a page where the schedule for the report can be defined. You give a report a name and specify its start date and time. All dates must be IN THE FUTURE; EMM does not maintain a treasure trove of report data unless requested. Ad-Hoc reports ask for an end time as well.
Figure 81: Creating a Report Schedule
5. After entering all the report parameters, save the report request and you receive a confirmation.
10.1.3 Downloading Reports
After a report has been generated, it can be downloaded to your computer. To download a report you
follow these steps.
1. Navigate to the Groups List page and select the Reports icon for the group of interest. The
Reports page (Figure 79) is displayed
2. If generated reports are available, they are shown with a Green report symbol; a Grey symbol indicates that no reports are available or scheduled. Selecting the symbol displays a list of the reports generated with that schedule. A search capability is also provided on the page.
Figure 82: View Generated Reports Filter
3. For each report a download option of PDF or CSV file is provided. Selecting one will download an available report to your computer.
4. A Delete icon (i.e. Trash Can) is also provided to delete each report.
Figure 83: View Generated Reports Page
10.1.4 Deleting a Report Schedule
Reports can be deleted by selecting the “-” symbol.
Figure 84: Delete Report Icon
1. Navigate to the Groups List page and select the Reports Icon for the group of interest.
2. Select the “-” symbol for the report schedule to be deleted.
3. You are asked if you wish to delete the report schedule. This deletes the selected report schedule.
Figure 85: Delete Report Confirmation
11 USING SERVICE PACKAGES
An optional feature for a MSP Provider is using Service Packages. The management of Service Packages is available only to the MSP Admin (CUST_ADMIN).
A Service Package restricts access to commands to a user for each of the two enterprise roles (IT_ADMIN and EMPLOYEE) in an enterprise. Service Packages can be defined either via the Group List page UI or by REST API. Packages can be assigned to enterprise groups and sub-groups only by the MSP Admin (CUST_ADMIN). If a new sub-group is created, it inherits the same package as its parent group. A different package can be created for a sub-group. When a package is deleted, the MSP Admin is prompted if the package should be deleted for one group or for all groups; deleting the package for all groups removes the package from all groups belonging to the selected enterprise.
If required, an MSP Admin can create several service packages for an Enterprise. The concept of
attaching and detaching service packages to a group is also provided. Only one service package can
be attached to an Enterprise Group. If a new subgroup is created, it inherits the service package of
the parent group. If the service package is detached from the parent group, the subgroup inheritance
of the service package is also detached. If a service package is attached to a parent group, it is
inherited by any subgroups. However a MSP Admin can attach a different service package to a
subgroup if required.
This example illustrates the functionality.
1. The MSP Admin has previously created an Enterprise Group and two subgroups “A” and “B”.
2. The MSP Admin adds a service package “X” to the Enterprise Group (none existed).
3. Both subgroups inherit the service package “X”.
4. The MSP Admin creates a second service package “Y” and attaches it to Subgroup “A”.
5. Subgroup “B” still is attached to service package “X”.
6. The MSP Admin modifies service package “X” for the enterprise group.
7. Subgroup “B” inherits the changes to the service package “X”. Subgroup “A” is still attached
to service package “Y”.
This table lists the commands and actions that can be restricted for IT Admins.
Table 8: IT Admin Restricted Commands/Actions
IT Admin
Scan Device
Install Application
Uninstall Application
Send Message
Send Policy
Lock Device
Unlock Device
Wipe Device
Add Group
Modify Group
Add User
Modify User
Delete User
Add Software
Modify Software
Delete Software
Insert Document
Remove Documents
Add Reports
Edit Reports
Delete Reports
Add (Single) Device
Bulk Upload (Devices)
Staging (Devices)
Delete Device
Delete Generated Report
Add Report Schedule
Delete Report Schedule
Add Device via App Store
iOS Managed App
These Employee role commands/actions can be restricted.
Table 9: Employee Restricted Commands/Actions
Employee
Modify User
Install Application
Lock Device
Unlock Device
Send Policy
Locate Device
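The inheritance rules and the seven-step example above can be modelled to see which commands a role is left with in each group after packages are attached, modified or detached. This is an added example, not EMM code: the class and function names are hypothetical, inheritance is modelled as a lookup through parent groups, and the commands disabled in packages “X” and “Y” are constructed from Tables 8 and 9.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ROLES = ("IT_ADMIN", "EMPLOYEE")  # the two enterprise roles a package restricts


@dataclass
class ServicePackage:
    name: str
    # role -> commands that the package disables for that role
    disabled: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    attached: Optional[ServicePackage] = None  # explicit attachment only

    def attach(self, package):
        # Only one service package can be attached to a group.
        if self.attached is not None:
            raise ValueError("%s already has a package; detach it first" % self.name)
        self.attached = package

    def detach(self):
        self.attached = None

    def effective_package(self):
        """The group's own package, else the nearest ancestor's (inheritance)."""
        node = self
        while node is not None:
            if node.attached is not None:
                return node.attached
            node = node.parent
        return None

    def is_allowed(self, role, command):
        if role not in ROLES:
            raise ValueError("unknown role: %r" % role)
        package = self.effective_package()
        if package is None:
            return True  # no package in effect: nothing is restricted
        return command not in package.disabled.get(role, set())


def package_name(group):
    package = group.effective_package()
    return package.name if package else None


def replay_guide_example():
    """Replay steps 1-7 of the example, then detach X from the parent group."""
    enterprise = Group("Enterprise")                      # step 1
    sub_a = Group("A", parent=enterprise)
    sub_b = Group("B", parent=enterprise)
    # Constructed package contents.
    x = ServicePackage("X", {"IT_ADMIN": {"Wipe Device"}})
    enterprise.attach(x)                                  # step 2
    result = {"step3": (package_name(sub_a), package_name(sub_b))}
    y = ServicePackage("Y", {"IT_ADMIN": {"Lock Device"},
                             "EMPLOYEE": {"Locate Device"}})
    sub_a.attach(y)                                       # step 4
    result["step5"] = (package_name(sub_a), package_name(sub_b))
    x.disabled["IT_ADMIN"].add("Install Application")     # step 6
    result["step7_b_can_install"] = sub_b.is_allowed("IT_ADMIN", "Install Application")
    result["step7_a_can_install"] = sub_a.is_allowed("IT_ADMIN", "Install Application")
    enterprise.detach()  # detaching from the parent also ends B's inheritance
    result["after_detach"] = (package_name(sub_a), package_name(sub_b))
    result["b_can_wipe_after_detach"] = sub_b.is_allowed("IT_ADMIN", "Wipe Device")
    return result


if __name__ == "__main__":
    for key, value in replay_guide_example().items():
        print(key, "=", value)
```

The last two results show the least-privilege consequence of a detach: Subgroup “B” falls back to no restrictions at all, so a replacement package should be attached in the same change.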
11.1 Adding or Modifying a Service Package
Follow these steps to Add or Modify a Service Package.
1. From the MSP dashboard navigate to the enterprise for which the service package is to be
added.
2. Navigate to the Groups List page.
3. Select the group for which the service package is to be added and hover over the Packages
icon. A tooltip “Manage Packages” appears and should be selected.
Figure 86: Group List with Package Tooltip
11.1.1 Using the Package Page
Selecting the tooltip brings up the Package page. The page includes an “Add Package” button and a “Select Package” drop-down which lists all the pre-existing packages.
Figure 87: Package Page
1. If a package is selected, the disabled (i.e. “blacklisted”) items are listed with the disable button “on”. Scrolling is provided to view the entire list. An existing package can be modified by selecting or deselecting commands and then selecting Save. You can also Delete the Package entirely.
Figure 88: Service Package Display
2. Select the “Add Package” button to create a new package.
3. This brings up a MODAL to create a new service package.
Figure 89: New Service Package Modal
The modal lists all the items that can be disabled and you select the items. A name is also given to the service package. The package is also ATTACHED to the group that you selected earlier, and you can choose not to attach the package to the group. If you choose not to attach the package to this group, use the button provided to de-select the attachment.
When the selections are complete, select Save.
11.2 Attaching and Detaching Service Packages
If a Service Package is not associated with one of the enterprise groups, it can be “Attached” to the
group by following these steps. Similarly if a Service Package is to be disassociated from a group, it
can be “Detached” from the group.
To Detach a Service Package the MSP Admin follows these steps.
1. MSP Admin navigates to the required enterprise and selects the Groups List page for the enterprise.
2. Locate the required group and select the Detach Package icon.
Figure 90: Group with “Detach” Package Icon
To Attach a Service Package the MSP Admin follows these steps.
1. MSP Admin navigates to the required enterprise and selects the Groups List page for the enterprise.
2. Locate the required group and select the Attach Package icon.
3. Groups are shown with an Attach Package icon which can be used to attach a package to the group ONLY IF no package is attached to the group.
Figure 91: Group with “Attach” Package Icon
4. Selecting the icon displays a Modal to choose a service package for the group.
Figure 92: Choose a Service Package Modal
5. An existing service package can be selected from the drop-down and attached to the group. You are asked to confirm the selection.
Figure 93: Service Package "Attach" Confirmation