Embed Size (px)
Citation preview
Contents 1 Introduction ..................................................................................................................................... 2
1.1 Requirements ......................................................................................................................... 2
1.2 Architecture ............................................................................................................................ 3
1.3 Feature List ............................................................................................................................. 4
1.3.1 Device Compliance status .................................................................................................. 4
1.3.2 Auto grouping for devices .................................................................................................. 5
1.3.3 Auto grouping for applications........................................................................................... 5
1.3.4 Other AirWatch Compliance Policy and actions ................................................................ 6
1.4 Basic Deployment ................................................................................................................... 6
1.4.1 Prepare AirWatch account ................................................................................................. 6
1.4.2 TMMS Server Setting .......................................................................................................... 9
1.4.3 Deploy Android agent ...................................................................................................... 11
1.4.4 Deploy IOS agent .............................................................................................................. 20
1.5 Feature Configuration ................................................................................................................. 24
1.5.1 Set AirWatch compliance status and send email .................................................................. 24
1 Introduction
There are 2 important functions in TMMS. One part is mobile device management related features;
the other is security scan related features.
• TMMS security scan features can integrate with 3rd party MDM vendors. The latest 9.7
version can integrate with AirWatch and MobileIron.
• VMware AirWatch is an Atlanta-based provider of Mobile Device Management (MDM)
software and standalone management systems for devices, content, applications and email.
1.1 Requirements
The following requirements/conditions should be met before proceeding:
• Mobile Security for Enterprise 9.7 version or later
• The communication server is configured to either Local Communication server or Cloud
Communication Server.
• AirWatch version 8.4
• AirWatch account
1.2 Architecture
• MARS
Mobile App Reputation is a cloud-based technology that automatically identifies mobile threats based
on app behavior, Crawl & collect huge number of Android apps from various Android Markets,
Identifies existing and brand new mobile malware, Identifies apps that may abuse privacy / device
resources, World’s first automatic mobile app evaluation service
• SPN
The Trend Micro Smart Protection Network delivers proactive global threat intelligence against zero-
hour threats to ensure that you are always protected. We use our up-to-the-second threat intelligence
to immediately stamp out attacks before they can harm you. Powering all of our products and services.
1.3 Feature List
1.3.1 Device Compliance status
The AirWatch Console provides a list of enrolled devices, showing the device’s compliance status.
Users of non-compliant devices will get an email notification.
1.3.2 Auto grouping for devices
Mobile Security uses a prefix to create three (3) classes (Malware, Vulnerability, and Privacy), and tags
the risk devices as follows:
• PREDEFINEDPREFIX_Dangerous
• PREDEFINEDPREFIX _Risky
• PREDEFINEDPREFIX _NO_TMMS
The prefix is predefined by the Administrator. When TMMS finds a malicious application, it will
automatically change the device’s Smart Group (e.g. if TMMS found that a device has a malware, it
will be automatically move to PREDEFINEDPREFIX _Dangerous group).
1.3.3 Auto grouping for applications
The risk applications are grouped together under App Groups respectively, and include apps with tag
and category added as prefix to their names, this is automatically procedure.
• PREDEFINEDPREFIX _Malware_App_Android
• PREDEFINEDPREFIX _Privacy_App_Android
• PREDEFINEDPREFIX _Vulnerability_App_Android PREDEFINEDPREFIX
_Malware_App_iOS
1.3.4 Other AirWatch Compliance Policy and actions
The administrator can set AirWatch Compliance Policy to AirWatch Blacklist (e.g. Block/Remove
Managed Apps while the device is in XXXX_malware_app_Android Group). There are many actions,
commands, and email provided by AirWatch.
1.4 Basic Deployment
1.4.1 Prepare AirWatch account
We need to have an AirWatch account to be used for the communication between the TMMS server
and AirWatch. The user will need to configure the permissions on AirWatch. Do any of the following
options:
Option 1: Create an AirWatch Administrator for the communication
The created account may need to call the REST API to collect information, and some configuration in the AirWatch console is needed.
Option 2: Create a user with API ONLY with all REST API permission
This option needs configuration from the TMMS web console and the AirWatch console.
Option 3: Create a user with API ONLY with customized REST API
permission
This option allows the administrator to select specific REST APIs to be used.
The table below shows the specific REST APIs that TMMS use, and should be enabled:
Category Name
Admin User Management Search Admin User
WTag Management
Create Tag
Search Tag
Add Devices to the Tag
Remove Devices from Tag
Retrieve Devices with Specific Tag
Smart Group Management
Create Smart Group
Search Smart Groups
Delete Smart Groups
Application Group Management
Create Application Group
Search Application Group
Retrieve Application Group Details
Add Application to an Application Group
Delete Application from the Application Group
Application Management
Internal Application Install : Upload Application Chunks (iOS and Android)
Internal Application Install : Begin Internal Application Install
Device Management
Retrieve Device Information
Device Extensive Search
Device Count Info
The AirWatch REST permission settings page does not have permission for each API, but provides a lot of API Series (e.g. Admin API, APPs API, etc.). End-users will need consult with AirWatch regarding what REST API permission need to be enabled in the settings page.
1.4.2 TMMS Server Setting
1. Log on to the Mobile Security Administration web console.
2. Click Administration > Communication Server Settings on the menu bar, and make sure the
Communication Server settings are configured. If the settings are not configured, refer to the
topic Configuring Communication Server Settings in the Installation and Deployment Guide
for the configuration steps.
3. Click Administration > Deployment Settings.
4. Under the Server tab, select Security Scan, and then select AirWatch as the MDM Solution
from the drop down list.
5. Under Register Service, configure the following AirWatch settings:
• API URL
• API KEY
• Account
• The account used in the integration feature should have “AirWatch
Administrator” role privilege. Please refer KB
https://success.trendmicro.com/solution/1115966
• Password
6. Click Verify Settings to make sure Mobile Security can connect to the AirWatch server.
7. Under Data Synchronization Settings section, configure the following: • Security Category
Prefix
The Security Category Prefix will be added while TMMS create Smart Groups and App Groups.
Like XXXX_Malware_App_Android
1.4.3 Deploy Android agent
TMMS has two Android agent versions. AirWatch Administrator need to choose one of the following
versions:
Version Pros and Cons
Google play version
Administrator need to send an email to end-user with QR code or
Enrollment Key. End-users need to open TMMS agent and scan the QR
code or manually enter the Enrollment Key to register their device to
server.
Agent can be updated automatically.
TMMS server version
Administrator need to send an email to end-user ask them to launch
TMMS Agent, after end-user launch TMMS Agent, TMMS agent will
register to TMMS server
While TMMS agent has new version, end-user need to type the upgrade button in the notification bar
AirWatch agent can help to launch TMMS agent in backend; So,
Administrator can deploy TMMS to devices automatically.
*SAMSUNG Device Only*
Google Play build
1. Log on to AirWatch web console, and navigate to Apps & Books > List View > Public > Add
Application.
2. On the Add Application screen, configure the following fields:
a. Managed By: Type Trend Micro.
b. Platform: Select Android from the drop-down list.
c. Source: Select Search App Store.
d. Name: Type “ent security” to search the app store.
3. Click Next.
4. From the search results, select Enterprise Mobile Security.
5. On the Add Application screen, click the Assignment tab, and select the assigned groups from
the Assigned Groups field. This assignment will let TMMS install on the Assigned group.
6. Click Save & Publish.
7. Click Upload to upload it to AirWatch.
Local Server build
1. Tick Use preset Enrollment Key.
2. In the TMMS for Enterprise web console, go to Administration > Deployment Settings > Android
Agent.
3. Choose Download from TMMS Server.
4. Tick Auto Enrollment.
5. Click Upload.
6. The application will now show in the AirWatch console.
Automatically Enroll SAMSUNG Devices
Requirements:
• Only supports Local Server build.
• Finished all steps in Local Server build part first
• All devices are SAMSUNG Devices
1. Configure the Files/Actions from the AirWatch console. Do the following:
a. From the AirWatch console, go to Devices > Staging & Provisioning > Components >
Files/Actions.
b. Click Add > Android.
c. In the General tab, provide the information for the Name and Description fields.
d. Go to the Manifest tab, then click Add Action, located under the Install Manifest section.
e. In the Add Manifest options, provide the following information, then click Save:
• Action(s) to Perform: Run Intent
• Command Line and Arguments to run:
mode=explicit,broadcast=false,action=android.intent.action.MAIN,package=
com.trendmicro.tmmssuite.enterprise,class=com.trendmicro.tmmssuite.ent
erprise.ui.TmmsEnterpriseSplashScreen
• TimeOut: [any]
f. In the Add Files/Actions page, click Save.
2. Configuring the Product. Follow the steps below:
a. From the AirWatch console, go to Devices > Staging & Provisioning > Product List View.
b. Click Add Product > Android.
c. In the General tab, provide the information for the Name, Description, and Assigned
Groups fields.
d. Go to the Manifest tab, then click Add, to add the manifest.
e. In the Add Manifest options, provide the following information, then click Save:
• Action(s) to Perform: Install Files/Actions
• Files/Actions: TestLauncher
f. In the Add Product page, click Save.
3. Configuring the Application. Do the steps below:
a. Assign the TMMS Agent to a smart group.
b. Set the Push Mode to Auto.
1.4.4 Deploy IOS agent
1. Login to the AirWatch Admin console, then go to Apps & Books > Applications > List View.
2. Under the Public tab, click Add Application.
3. Provide the following information:
• Organization Group: Trend Micro
• Platform: Apple iOS
• Source: Search App Store
• Name: ENT Security
4. Click Next.
5. Click Select for enterprise mobile security.
6. In the Add Application page, click save and assign
7. In the Assignment tab, click “Add Assignment”
8. Set Select Assignment Group to the device group you want to management, set App Delivery
Method to Auto
9. Set Application Configuration to Enable
Note: In this page, the value of EK, ServerUrl, and ServerPort should be provided
following the real environment. This information can be found in the TMMS Admin
console > Administration > Deployment Settings > iOS Agent tab > Step 2.
10. Click Save & Publish.
11. Click Publish.
1.5 Feature Configuration
1.5.1 Set AirWatch compliance status and send email
After the integration, the administrator can create more useful compliance policies in the
AirWatch admin console.
1. From the Airwatch Admin Console, go to Devices > Compliance Policies > List View.
2. Click Add, select the Platform (Android or Apple iOS), then select the rules.
3. Click Next.
4. Under the Actions tab, do the following:
• Tick the Mark as Not Compliant box.
• Choose Notify.
• Select Send Email to User
5. Go to Assignment tab, select the Assigned Groups, then click Next.
6. Under the Summary tab, provide the Name, and Description, then click Finish and Activate.
7. Then, when a malware is finding in TMMS, the app will be put into the blacklist, then the
device will be set as un-compliance, and the policy will be triggered. All this is down
automatically.
