Endpoint Manager for Mobile Devices Setup Guide

Source: s3.amazonaws.com/zanran_storage/publib.boulder.ibm.… · 2012-05-28


ii Endpoint Manager for Mobile Devices Setup Guide

Contents

Endpoint Manager for Mobile Devices Setup Guide
    Components
    Architecture
    Key Features
    System Requirements
        General
        For Lotus Traveler
        For Microsoft Exchange
    Configure Management Extenders dashboard

Installing and Configuring
    Activate Required Analyses
    Management Extender for Lotus Traveler
    Management Extender for Microsoft Exchange
    Management Extender for iOS
    iOS App Setup
    Android Agent Setup
    Warnings

Support

Notices


Endpoint Manager for Mobile Devices Setup Guide

The Endpoint Manager for Mobile Devices (MDM) application manages corporate and employee-owned smartphones and media tablets that access enterprise resources. The application can be used to manage security controls, software and hardware inventory, and application management.

This Setup Guide provides IT managers and system administrators instruction on how to install and configure the application and how to set up your mobile devices to integrate with the application. Specifically, it includes setup instructions for iOS, Android, Lotus Traveler, and Microsoft Exchange. This guide also includes system requirements for each application component, and provides licensing and installation instructions to enable you to deploy Mobile Devices in your environment.

For information on how to use Endpoint Manager for Mobile Devices, see the Endpoint Manager for Mobile Devices User's Guide.

Components

The Mobile Devices application includes the following primary components:

Server – The Endpoint Manager for Mobile Devices server is a database that communicates with the relays and the Tivoli Endpoint Manager console to manage the devices in your deployment.

Relay – Relays are network components designed to distribute the download burden from the Tivoli Endpoint Manager server and compile and compress data received from clients. In MDM, the relays process information from your mobile devices and transmit that information to the TEM server.

Management Extenders – Management Extenders allow devices to be managed without an agent on the device.

Email Servers – Includes Lotus Traveler and Microsoft Exchange servers.


Architecture

The diagram below depicts how Mobile Devices is designed to work in your environment.

Key Features

The following is a list of the most important features of Mobile Devices:
- Integration with Tivoli Endpoint Manager platform
- Support for basic management of devices using email-based management
- Support for advanced management of devices using agent-based management
- Device inventory
- Security and password policy management
- Management commands such as wipe, lock, clear-password, deny email access
- App Management
- Enterprise access configuration including email, WiFi, and VPN

Note: Support for these features varies by device, OS, and management method.

System Requirements

General
- Tivoli Endpoint Manager version 8.2 or higher must be used
- All management extenders must be installed on a system running Windows
- A TEM relay must already be installed on the system

Note: Before using this application, select an available port for the iOS Management Extender. The default is 443. If you want to use a different port, specify that port in the Configure Management Extender dashboard.

For Lotus Traveler

On Traveler Server:
- Domino server must run the Traveler, DIIOP and HTTP tasks.
- HTTP must be listening on ports 80, 443 or both. The URL http(s)://<server>/diiop_ior.txt must be publicly accessible.
- DIIOP must be listening on ports 63148, 63149 or both. For configurations using port 63149, the SSL certificate must be valid and current, and a TrustedCerts.class file must have been generated in the Domino data folder.
- Create an administrative user. The administrative user must have both read and edit permissions in the ACL for LotusTraveler.nsf, and must be able to run restricted and unrestricted Domino commands.

On Management Extender for Lotus Traveler Server:
- The plugin must be able to contact the server on one HTTP and one DIIOP port. If DIIOP listens exclusively on port 63149, the plugin requires the server-specific TrustedCerts.class in its classpath. To do this, include the TrustedCerts.class in a TrustedCerts.jar file and deploy it through the Configure Management Extender dashboard.
- The administrative user must have a username and password. Anonymous connections are not supported.
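As an added pre-flight check (not IBM's code and not part of this guide), the script below tests the Traveler-side prerequisites listed above from the host that will run the Management Extender: that the HTTP task answers on 80 or 443, that diiop_ior.txt is reachable there, and that DIIOP answers on 63148 or 63149. The host name traveler.example.com is a placeholder. It assumes that diiop_ior.txt holds the stringified CORBA object reference Domino publishes there, which begins with the text IOR:. The network calls are passed in as parameters so the decision logic can be exercised offline.

```python
# Added example (not IBM's code): pre-flight check of the Lotus Traveler
# prerequisites, run from the machine that will host the Management Extender.
import socket
import urllib.request

HTTP_PORTS = (80, 443)          # Domino HTTP task, per the guide
DIIOP_PORTS = (63148, 63149)    # DIIOP plain / DIIOP over SSL, per the guide


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch(url, timeout=5.0):
    """Fetch a URL and return the body bytes (raises on HTTP or TLS errors)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_traveler_prereqs(host, tcp_open=tcp_open, fetch=fetch):
    """Check the Traveler-side prerequisites and return a findings dict."""
    http_open = [p for p in HTTP_PORTS if tcp_open(host, p)]
    diiop_open = [p for p in DIIOP_PORTS if tcp_open(host, p)]

    # diiop_ior.txt must be reachable over HTTP or HTTPS. Assumption: Domino
    # serves the stringified CORBA object reference there, starting with "IOR:".
    ior_url = None
    for port in http_open:
        scheme = "https" if port == 443 else "http"
        url = f"{scheme}://{host}/diiop_ior.txt"
        try:
            body = fetch(url)
        except (OSError, ValueError):
            continue
        if body.lstrip().startswith(b"IOR:"):
            ior_url = url
            break

    findings = {
        "http_ports": http_open,
        "diiop_ports": diiop_open,
        "ior_url": ior_url,
        # If only the SSL DIIOP port answers, the extender needs the
        # server-specific TrustedCerts.jar on its classpath.
        "trustedcerts_jar_required": diiop_open == [63149],
        "problems": [],
    }
    if not http_open:
        findings["problems"].append("HTTP task not listening on 80 or 443")
    if not diiop_open:
        findings["problems"].append("DIIOP task not listening on 63148 or 63149")
    if ior_url is None:
        findings["problems"].append("diiop_ior.txt not publicly accessible")
    findings["ok"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Placeholder host name; pass the real Traveler server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "traveler.example.com"
    print(json.dumps(check_traveler_prereqs(target), indent=2))
```

Run it before deploying the extender; a trustedcerts_jar_required of true tells you up front that the TrustedCerts.jar step described below is mandatory for this server. A failed HTTPS fetch of diiop_ior.txt on 443 with plain urllib also surfaces an invalid or expired server certificate, which the guide requires to be valid and current.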

For Microsoft Exchange

On Exchange Server:
- Win 2008 Server
- WS-Management protocol
- WinRM
- Exchange Server 2007 or 2010

On Management Extender for Exchange Server:
- WS-Management protocol
- WinRM
- Exchange Management Tools (Exchange 2007 only)

Note: If you intend to use this Management Extender to connect to a remote 2007 Exchange server, first install Exchange Management Tools on the Management Extender so it connects properly to the remote server.

For Android
- Android 2.2+ (Froyo) running on ARM processors
- Ability to connect to a TEM server or relay

Configure Management Extenders dashboard

The Configure Management Extenders dashboard, located in the Setup and Configuration node of the navigation tree, configures your management extenders to enable them to connect to servers.

Click on one of the extenders in the list to select it. Then click Configure. This will open the Configure Extender window for Apple iOS, Lotus Traveler, or Microsoft Exchange. In the Configure Extender window, you can set parameters for the configuration.

Part Two

Installing and Configuring

Prior to beginning the installation and setup of Mobile Devices, you should be familiar with the Tivoli Endpoint Manager console and be logged in. For detailed information about the console, see the Tivoli Endpoint Manager Console Operator's Guide.

The Mobile Devices navigation tree in the Tivoli Endpoint Manager console will serve as your central command for all Mobile Devices installation, setup, and management functions. The navigation tree gives you easy access to all reports, wizards, Fixlets, analyses, and tasks related to the management of your devices. Specifically, the primary content is organized into the following nodes and content categories: Setup and Configuration, Mobile Device Inventory, Apps Management, Security Policies, Android Settings, Apple iOS Profiles, Mobile Device Action History, and Device Management for Windows Mobile.


Setting up the application in your deployment involves the following processes, which will be described in this section:
- Activate Analyses
- Set up relays on systems for extenders
- Deploy Fixlets for extenders
- Run the dashboard to configure extenders
- Set up iOS App
- Set up Android Agent
- Warnings

The Setup and Configuration node in the navigation tree displays a list of preliminary actions you need to take before using the Mobile Devices application. These include deploying the Management Extender for Microsoft Exchange and Lotus Traveler.


The Management Extender provides a mechanism for managing the devices in your deployment by interacting with your existing management process.

Note: You cannot have more than one management extender deployed on a system.

Activate Required Analyses

Begin by clicking the Required Analysis node in the navigation tree. Select all analyses in the list, right click to display the drop down menu, and click Activate. After all analyses are activated, you can begin deploying your management extenders.

Management Extender for Lotus Traveler

The Management Extender for Lotus Traveler must be installed on the TEM Server or on a relay. The deploy Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

Deploy the Management Extender Fixlet

Click to expand the Setup and Configuration node in the navigation tree. Then click Deploy Management Extenders and select the Deploy Management Extender for Lotus Traveler in the list panel on the right. This opens the Fixlet window below. Under the Description tab, click the link in the Actions box to execute the action.

Note: The Management Extenders need to connect to the email servers, but they do not need to be installed on the same computer.

After entering the required information in all applicable fields, the Take Action dialog displays. A window displays the results of your completed action.

Configure the Management Extender

Click the Configure Management Extender dashboard located in the Setup and Configuration node. Click on one of the extenders in the list to select it. Then click Configure.

In the Configure Extender window, manually set refresh intervals.

If you are deploying your extender directly onto your Lotus Traveler server, check the Use Local Connection checkbox. Otherwise, specify your server and credentials. You may also specify an SSL connection type (HTTP, ORB, none, or both). If you select ORB or both, you need to provide a TrustedCerts.jar file. This file is generated on your Lotus Traveler server.

The TrustedCerts.class file is automatically generated by Lotus Domino when SSL configuration is enabled. This file is typically located in the Domino data folder and is regenerated when the Domino server SSL certificates are installed or modified. A TrustedCerts.class file generated by a server is only valid for that particular server. Adding or changing the server certificate will invalidate all previous TrustedCerts.class files from that server.

A TrustedCerts.class can be converted to a TrustedCerts.jar by using this ANT script:

    <!-- Save as build.xml in the directory that contains TrustedCerts.class
         and run "ant"; the "go" target packages the class into TrustedCerts.jar. -->
    <project name="Convert" default="go" basedir=".">
        <target name="go">
            <jar destfile="TrustedCerts.jar" basedir="." compress="true">
                <include name="TrustedCerts.class" />
            </jar>
        </target>
    </project>

This script should generate a TrustedCerts.jar file that can be deployed in the plugin.
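For a host without Ant, this added example (not IBM's code) does the same packaging with the Python standard library and then verifies the archive before it is uploaded through the dashboard. A JAR is a zip file, and the only requirement carried over from the Ant script is that TrustedCerts.class sit at the archive root. The demo function writes a constructed placeholder TrustedCerts.class in a temporary directory; a real run passes the path of the file from the Domino data folder.

```python
# Added example (not IBM's code): package TrustedCerts.class as TrustedCerts.jar
# with the standard library and check the result before deploying it.
import os
import tempfile
import zipfile

MANIFEST = "Manifest-Version: 1.0\r\n\r\n"  # minimal JAR manifest


def build_trustedcerts_jar(class_path, jar_path):
    """Write jar_path containing class_path stored at the root as TrustedCerts.class."""
    if os.path.basename(class_path) != "TrustedCerts.class":
        raise ValueError("expected a file named TrustedCerts.class")
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", MANIFEST)
        # Root placement matches basedir="." in the Ant script, so the class
        # resolves as TrustedCerts on the extender's classpath.
        jar.write(class_path, arcname="TrustedCerts.class")
    return jar_path


def verify_trustedcerts_jar(jar_path):
    """True if jar_path is an intact zip with TrustedCerts.class at its root."""
    if not zipfile.is_zipfile(jar_path):
        return False
    with zipfile.ZipFile(jar_path) as jar:
        return "TrustedCerts.class" in jar.namelist() and jar.testzip() is None


def demo_in_tempdir():
    """Build and verify a jar from a constructed placeholder class file."""
    with tempfile.TemporaryDirectory() as work:
        class_path = os.path.join(work, "TrustedCerts.class")
        with open(class_path, "wb") as f:
            # Constructed stand-in: Java class-file magic followed by zeros.
            f.write(b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        jar_path = build_trustedcerts_jar(class_path,
                                          os.path.join(work, "TrustedCerts.jar"))
        return verify_trustedcerts_jar(jar_path)


if __name__ == "__main__":
    print("jar verified:", demo_in_tempdir())
```

Because a TrustedCerts.class is only valid for the server that generated it, keep the jar alongside a note of which Domino server and certificate it came from; after a certificate change the jar must be rebuilt from the regenerated class file.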

When you have set all parameters, click Configure Traveler Management Extender. This action takes you to the Take Action dialog, where you can select the server that you want to configure. Click Ok and this will configure the appropriate settings on your extender. After the action completes, you can manage devices enrolled on your Traveler server through the IBM Endpoint Manager.

Management Extender for Microsoft Exchange

The Management Extender for Microsoft Exchange must be installed on the TEM Server or on a relay. The deploy Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

Deploy the Management Extender Fixlet

To deploy the Management Extender for Microsoft Exchange Fixlet, click the link in the Actions box of the task window and follow the same procedure as Lotus Traveler.

Note: Exchange Management Extender supports connections to Exchange 2007 servers. As a prerequisite, Exchange Management tools need to be installed on the systems where the extenders will be deployed.

Configure the Management Extender

Open the Configure Management Extender dashboard and click on the Microsoft Exchange extender. Specify your Exchange server address and your credentials. If you are connecting to an Exchange 2007 server, check the Exchange 2007 checkbox in the Configure Extender dialog.

When you have set all parameters, click Configure Exchange Management Extender. This action takes you to the Take Action dialog, where you can select the server that you want to configure. Click Ok and this will configure the appropriate settings on your extender. After the action completes, you can manage devices enrolled on your Exchange server through the IBM Endpoint Manager.

Management Extender for iOS

The Management Extender for Apple iOS must be installed on the TEM Server or on a relay. The Deploy Management Extender Fixlet is only relevant for computers with a TEM agent and a relay or server installed.

The Apple iOS devices must be able to connect to the Management Extender (default port 443) at the DNS name/IP address that you specify during installation.

Note: You need an Apple ID with a valid email address to complete this process. Create an account that has a non-personal email address to maintain access to the Push Certificate portal in the event of a departure.

Setting up the Management Extender involves three basic steps:
- Deploying the Management Extender Fixlet
- Obtaining a Certificate
- Configuring the Management Extender

Deploy the Management Extender Fixlet
1. Open the Deploy Management Extender for Apple iOS Fixlet. The Fixlet is in the Setup and Configuration node in the navigation tree.
2. Click the button in the Fixlet and select the target computer to deploy the Management Extender. If the target computers are not relevant, make sure that the agent and a relay are installed first.
3. When prompted, use a DNS name (or IP address) that the Apple iOS devices can reach.
4. Target the computers to install the Management Extender for Apple iOS.
5. The installation will create a certificate request that must be signed by both IBM and Apple before you can manage your Apple iOS devices.

Obtain a Certificate
1. Download the CSR file that was generated during the installation by opening https://<dns or IP address>/csr. Save the file.
2. Send an email to [email protected] and attach the push.csr file. Type MDM APNS CSR <organization name> in the subject line.
3. IBM will respond via email with a signed certificate request.
4. Go to https://identity.apple.com/pushcert/
5. Log in with your Apple ID. Consider using a non-personal ID so that other members of the organization can use the Apple ID in the future.
6. Select Create Certificate.
7. Read and agree to the Terms and Conditions.
8. Follow the instructions to upload the certificate file that you received from IBM.
9. Download the new signed push certificate "MDM_IBM Global Engineering Solutions_Certificate.pem" file.
10. If you open the .pem file in a text editor, you should see a base64 encoded certificate that starts with BEGIN CERTIFICATE and has several lines of random characters.
11. Rename the file to push.cer and create a backup copy.

Configure the Management Extender
1. Open the Configure Management Extender dashboard from the Setup and Configuration node in the navigation tree.
2. Select the Management Extender for Apple iOS and click Configure. There will be a delay of a few minutes after deploying the management extender before it will report its configuration information and display in this dashboard.
3. Select the configuration options. It is not common to change the port numbers. The refresh interval controls how often the management extender will send a refresh command to the agents. Using a more frequent refresh interval allows you to see updated information from your devices faster, but potentially causes more data and battery usage on the device.
4. Select the certificate that you received from Apple in the section above. If you have a push key file (because you generated the CSR and key pair manually), also include that in this section.
5. If you have an HTTPS key and certificate from a trusted source, you can include them in this section. This will replace the self-signed HTTPS certificate and prevent the HTTPS warnings on the devices.

Your Management Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting https://<dns or IP address>.

Note: The iOS Management Extender requires a direct connection to the Apple Push Notification Server. This interaction occurs over TCP/IP and cannot be proxied via HTTP proxies.

Back up your Apple Push Notification Private Key

After you deploy the Fixlet, back up one of the files to a secure location. The file will likely be in the following path on your management extender:

C:\Program Files (x86)\BigFix Enterprise\Management Extender\MDMProvider\private

The file will be called push_key.pem.

This key is tied to your push certificate: if you want to deploy multiple extenders with the same certificate, you need to use the same key for each.
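The certificate check in steps 10 and 11 of "Obtain a Certificate" and the key backup described here can both be done with a small script. The following is an added example, not IBM's code: it confirms that the .pem from Apple and push_key.pem each contain a PEM block whose base64 body decodes to one complete DER SEQUENCE (the outer structure of an X.509 certificate and of a PKCS#8 or PKCS#1 key), then copies the key to a backup location as an owner-read-only file and compares SHA-256 digests so the copy is known to be intact. It checks structure only, not the signature chain or whether the key matches the certificate. The sample PEM values are constructed (a five-byte DER SEQUENCE, not a real certificate or key) so the checks run offline; the file names push.cer and push_key.pem are the ones the guide uses.

```python
# Added example (not IBM's code): structural checks on the Apple push
# certificate and push_key.pem, plus a digest-verified backup of the key.
import base64
import hashlib
import os
import re
import shutil
import stat
import tempfile

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed samples: the body is a tiny DER SEQUENCE (30 03 02 01 05), not a
# real certificate or key, so the checks can be exercised offline.
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"


def pem_blocks(data):
    """Return [(label, der_bytes)] for every PEM block found in data."""
    blocks = []
    for label, body in PEM_RE.findall(data):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        blocks.append((label.decode(), der))
    return blocks


def is_der_sequence(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30 with a matching length)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_push_material(cert_pem, key_pem):
    """Return (ok, findings) for the certificate and private key PEM contents."""
    findings = []
    certs = [d for label, d in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    keys = [d for label, d in pem_blocks(key_pem) if label.endswith("PRIVATE KEY")]
    if not certs:
        findings.append("no CERTIFICATE block: not the .pem downloaded from Apple")
    elif not is_der_sequence(certs[0]):
        findings.append("certificate body is not a well-formed DER SEQUENCE")
    if not keys:
        findings.append("no PRIVATE KEY block in push_key.pem")
    elif not is_der_sequence(keys[0]):
        findings.append("private key body is not a well-formed DER SEQUENCE")
    return not findings, findings


def backup_private_key(src, dst_dir):
    """Copy src into dst_dir read-only for the owner; return (path, sha256 hex)."""
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)
    os.chmod(dst, stat.S_IRUSR)           # on Windows this only clears the write bit
    with open(dst, "rb") as f:
        copied = hashlib.sha256(f.read()).hexdigest()
    with open(src, "rb") as f:
        original = hashlib.sha256(f.read()).hexdigest()
    if copied != original:
        raise IOError("backup digest does not match the original key file")
    return dst, copied


def demo_backup():
    """Back up a constructed push_key.pem and return True if the digest matches."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "push_key.pem")
        with open(src, "wb") as f:
            f.write(SAMPLE_KEY_PEM)
        dst, digest = backup_private_key(src, os.path.join(work, "backup"))
        return os.path.exists(dst) and digest == hashlib.sha256(SAMPLE_KEY_PEM).hexdigest()
```

Record the returned SHA-256 digest with the backup; when a second extender is later configured with the same certificate, comparing the digest of the key you upload against the recorded one confirms it is the same push_key.pem rather than a key from another CSR.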

iOS App Setup

To set up the mobile client on your iPhone, use the following steps:
1. From your iPhone, open the App Store.
2. Select Search and search for IBM Mobile.
3. Select the IBM Endpoint Manager Mobile Client.
4. Select Free and then Install App.
5. At the Sign In screen, sign in using your existing Apple ID or create a new Apple ID. This will install the mobile client to your device.
6. Launch the app from your device.
7. Enter server address, work email, and device ownership fields.
8. Select Enroll.

Android Agent Setup

To set up your Android agent, use the following steps. You will need an internet-facing relay for this process.
1. Launch the Android market app on your device and search for IBM Endpoint Manager for Mobile Devices. Select the app and click download. Click Accept and Download.
2. After the application is installed, select Open.
3. Click Activate.
4. Enter the TEM Server address (or internet-facing relay) that you obtained from your administrator and enter your work email address. Select one of the two available options to indicate if the device is personal or enterprise. Click Enroll.
5. If the connection is successful, the message Successful set up of the Mobile Client will display briefly, and service status will indicate that the service is running.

Note: To uninstall the TEM Android agent, unselect the Device Administrator option under Settings/Location and Security on the device.

Note: To control your device location privacy, deploy the Disable GPS Location Properties Fixlet under Mobile Device Inventory/Data Configuration.

Warnings

Two possible warning messages will display in the Warnings list panel if they are relevant to your deployment: Android Agent is not marked as a Device Administrator and Proxy Agent Service not Running.

To mark your Android Agent as Device Administrator, go to Settings on your Android device.

If the Proxy Agent Service is not running on a Management Extender, it will not update device information or issue actions to devices. To start the service, click BES Proxy Agent Service not Running and click in the Actions box to initiate the action.

Part Three

Support

To learn, understand, and optimize your use of this product, see the following resources:
- Tivoli Endpoint Manager Support site
- Knowledge Base
- Forums and Communities
- Endpoint Manager for Mobile Devices Wiki

Notices

This information was developed for products and services offered in the U.S.A.

IBM® may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.