Mob_Man_7_2_MR_1_QSG_v721

  • 7/31/2019 Mob_Man_7_2_MR_1_QSG_v721


    Symantec Mobile Management 7.2 MR1 Quick-start Guide


    Symantec Mobile Management 7.2 MR1 Quick-start Guide

    The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

    Documentation version: 7.2.1

    Legal Notice

    Copyright 2012 Symantec Corporation. All rights reserved.

    Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

    This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

    The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


    Symantec Corporation
    350 Ellis Street
    Mountain View, CA 94043

    http://www.symantec.com

    Printed in the United States of America.


    Technical Support

    Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

    Symantec's support offerings include the following:

    A range of support options that give you the flexibility to select the right amount of service for any size organization

    Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

    Upgrade assurance that delivers software upgrades

    Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

    Premium service offerings that include Account Management Services

    For information about Symantec's support offerings, you can visit our Web site at the following URL:

    www.symantec.com/business/support/

    All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

    Contacting Technical Support

    Customers with a current support agreement may access Technical Support information at the following URL:

    www.symantec.com/business/support/

    Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

    When you contact Technical Support, please have the following information available:

    Product release level


    Hardware information

    Available memory, disk space, and NIC information

    Operating system

    Version and patch level

    Network topology

    Router, gateway, and IP address information

    Problem description:

    Error messages and log files

    Troubleshooting that was performed before contacting Symantec

    Recent software configuration changes and network changes

    Licensing and registration

    If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

    www.symantec.com/business/support/

    Customer service

    Customer service information is available at the following URL:

    www.symantec.com/business/support/

    Customer Service is available to assist with non-technical questions, such as the following types of issues:

    Questions regarding product licensing or serialization

    Product registration updates, such as address or name changes

    General product information (features, language availability, local dealers)

    Latest information about product updates and upgrades

    Information about upgrade assurance and support contracts

    Information about the Symantec Buying Programs

    Advice about Symantec's technical support options

    Nontechnical presales questions

    Issues that are related to CD-ROMs, DVDs, or manuals


    Support agreement resources

    If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

    [email protected] and Japan

    [email protected], Middle-East, and Africa

    [email protected] America and Latin America


    Getting started with Symantec Mobile Management 7.2

    This document includes the following topics:

    Before you begin

    Running the Symantec Mobile Management Prerequisite Check Utility

    Downloading and installing Symantec Mobile Management 7.2

    Rolling out and configuring the site server

    Downloading the Mobile Management agent to a mobile device

    Enrolling a mobile device

    Managing a mobile device

    Before you begin

    This Quick-start Guide provides basic instructions for setting up an instance of the Symantec Mobile Management solution. The Symantec Mobile Management 7.2 Implementation Guide provides detailed instructions to help you install, configure, and manage mobile devices with Symantec Mobile Management 7.2. The latest version of the guide is available at www.symantec.com/docs/DOC5662

    This document may be updated to improve quality and accuracy. For the latest version of this document, go to http://www.symantec.com/docs/DOC5665

    This guide makes the following assumptions:


    You have a working instance of Symantec Management Platform installed on qualified equipment.

    For more information about the system requirements and other installation topics for Symantec Management Platform, see the Symantec Management Platform Installation Guide at http://www.symantec.com/docs/DOC4798.

    Your instance of the platform includes Microsoft .NET 3.5.

    Note: The prerequisite checker for Mobile Management 7.2 requires .NET 3.5.

    You have either a commercial certificate authority or a self-administered certificate authority available to generate the necessary trust certificates.

    For more information, see Symantec Mobile Management certificate distribution in the Symantec Mobile Management 7.2 Implementation Guide at http://www.symantec.com/docs/DOC3493.

    Note: Root certificates are only required when you use a non-commercial certificate authority. If you choose to use SSL, you must have the Server Authentication Certificate or root certificate installed.

    The following table lists the trust certificates that are required for each component.

    Component: Symantec Mobile Management Server

    Certificates:

        Certificate Authority:
            Server Authentication (SSL) Certificate
            Root certificate

        Profile Security:
            Signing Certificate with public and private keys.
            Encryption Certificate with public keys.

        Apple Push Notification Service (APNS). For more information about APNS, see the Apple Developers article, Apple Push Notification System at http://developer.apple.com/library/mac/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html

    Component: Symantec Management Platform Server

    Certificates:

        Certificate Authority:
            Root certificate

    Component: iOS Devices

    Certificates:

        Certificate Authority:
            Server Authentication (SSL) Certificate
            Root certificate

        Profile Security:
            Signing Certificate with public and private keys.
            Encryption Certificate with public keys.

        Note: Symantec Mobile Management Server and Symantec Management Platform Server provide the tickets.

    The SCEP server instance is configured to provide the Network Device Enrollment Service (NDES) role or Symantec MPKI.

    Make sure that your network conforms to the following additional requirements:

    The server is joined to an Active Directory domain and the domain has a Certificate Authority available.

    You have reconfigured the server role to use the Network Device Enrollment Service (NDES) role (and not the Certificate Authority role service).

    You have installed IIS, which is required for the NDES.

    The NDES user account is established in the local IIS_IUSRS group. Establishing this account is a prerequisite for making the NDES account assignment.

    You restart the server after you make the configuration changes.

    For instructions to set up SCEP for use by Symantec Mobile Management, see the Symantec Knowledge Base article How to set up a SCEP Server for use by Mobile Management Solution 7.1 at http://www.symantec.com/docs/HOWTO64210.

    For more information about implementing NDES/SCEP on Windows Server 2008 R2, see the Microsoft SCEP Implementation Whitepaper at http://www.microsoft.com/download/en/details.aspx?id=1607.

    To manage iOS 5 devices, you have SSL configured in your environment and have set up a Mobile Device Management Certificate.

    Observe the following additional requirements:

    You can use a commercial certificate (CA) or a certificate generated in-house. You must use a CA server to generate an in-house certificate.


    The name of the certificate must match the URL that the iOS device uses for communication.

    For more information, see the following articles:

    Enrolling iOS5 with Symantec Mobile Management using SSL at http://www.symantec.com/docs/HOWTO74478

    Generating a Certificate Signing Request (CSR) at http://www.symantec.com/docs/TECH180137
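
    An added example, not from the Symantec guide: a Python check that the host in an iOS enrollment URL is covered by the DNS names in the server's SSL certificate, which is the name-matching requirement stated above. The certificate dictionaries, the `.example` host names and the function names are constructed for illustration, and rejecting non-https URLs is an assumption drawn from the guide's SSL requirement for iOS 5.

```python
from urllib.parse import urlsplit


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the host taken from the URL.

    '*' is accepted only as the whole left-most label and stands for exactly
    one label: '*.corp.example' covers 'mdm.corp.example' but not
    'corp.example' or 'a.b.corp.example'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p:
        return False
    if p[0] == "*":
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_dns_names(cert: dict) -> list:
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert().

    subjectAltName DNS entries take precedence; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_enrollment_url(url: str, cert: dict):
    """Return (ok, reason) for an enrollment URL and the server certificate."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False, "enrollment URL must be https and contain a host name"
    names = cert_dns_names(cert)
    if any(name_matches(n, parts.hostname) for n in names):
        return True, f"{parts.hostname} is covered by {names}"
    return False, f"{parts.hostname} is not covered by {names}"


# Constructed sample certificates in getpeercert() layout. The hosts use the
# reserved .example TLD and do not come from the guide.
FQDN_CERT = {"subject": ((("commonName", "mobileserver.corp.example"),),),
             "subjectAltName": (("DNS", "mobileserver.corp.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.corp.example"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "mobileserver.corp.example"),),)}

# Enrollment page the guide lists for iOS devices.
IOS_PATH = "/MobileEnrollment/SYMC-iOSenroll.aspx"

if __name__ == "__main__":
    cases = [
        ("https://mobileserver.corp.example" + IOS_PATH, FQDN_CERT),
        ("https://mobileserver" + IOS_PATH, FQDN_CERT),              # short name only
        ("https://mobileserver.corp.example" + IOS_PATH, WILDCARD_CERT),
        ("https://mdm.eu.corp.example" + IOS_PATH, WILDCARD_CERT),   # two labels deep
        ("https://MobileServer.corp.example" + IOS_PATH, CN_ONLY_CERT),
    ]
    for url, cert in cases:
        print(url, "->", check_enrollment_url(url, cert))
```

    The second case is the one to watch for in practice: a certificate issued for the fully qualified name does not cover a short host name handed to users as the enrollment URL.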

    Running the Symantec Mobile Management Prerequisite Check Utility

    The Symantec Mobile Management Prerequisite Check Utility verifies that the system requirements and other prerequisites are met before the application is installed.

    The prerequisite checker requires Microsoft .NET 3.5, which is usually part of your Symantec Management Platform instance. Make sure that .NET 3.5 is installed before you attempt to download and install the check utility.

    To run the Symantec Mobile Management Prerequisite Check Utility

    1 Navigate to http://www.symantec.com/docs/HOWTO77182 and download PrerequisiteVerification.ZIP.

    2 Follow the on-screen instructions to run the checker.

    3 Correct any flagged requirements or configuration upgrades.

    Downloading and installing Symantec Mobile Management 7.2

    You download the Symantec Mobile Management software through the Symantec Installation Manager. The installation manager is provided with Symantec Management Platform.

    To download and install Symantec Mobile Management 7.2

    1 Start the Symantec Installation Manager (Start > All Programs > Symantec > Symantec Installation Manager).

    2 On the Install New Products page, set the view filters to Suites and then in the Available products list, select Symantec Mobile Management 7.2.


    3 Accept the terms of the license agreement and click Next.

    4 Follow the instructions that are provided in the wizard to complete the installation.

    Rolling out and configuring the site server

    These procedures establish the site server for Mobile Security.

    Roll out the site server

    1 In Symantec Management Console, navigate to Home > Mobile Management > Settings > Mobile Management Server Settings.

    2 Under Site Server Rollout and Settings, on the toolbar, click New.

    3 Enter the name and IP address of the site server computer, and then click Save changes.

    Note: Site server computers must have the Symantec Management Agent installed and have Microsoft Message Queuing (MSMQ) services enabled.

    4 Highlight the server you added in Step 3, and in the Mobile Management Server Settings pane select the options you require, as follows:

    Enable Authentication Check. If you check this option, you must enter your server information. The server information is used to validate the user name and password from the agent's enrollment page. If you do not check this option, users without credentials can enroll their device and access content and information in the Mobile Management Agent.

    You can also enter a list of Allowed Groups. The allowed groups are AD or LDAP groups. If you enter a list of groups in this field, only users in those groups can enroll. Enter the groups with a pipe character between them; for example, Sales|Engineering|Marketing.

    Allow Jailbroken Devices. If you check this option, any device that fails the jailbreak test during enrollment is not managed. Jailbroken devices can enroll, but they cannot see content in the Mobile Library.

    Require EULA acceptance. If you check this option, any user who does not accept the End User Licensing Agreement (EULA) is not enrolled. Therefore, the server does not manage that user.

    Minimum OS Version. Devices with operating system versions that are earlier than the values in the fields on this page are not allowed to enroll. These fields default to the earliest OS version of each OS that are supported by Mobile Management. You can only set a single value for all devices of


    Configure iOS MDM enrollment

    1 In Symantec Management Console, navigate to Home > Mobile Management > Settings > iOS MDM Enrollment Configuration.

    2 In the Push Certificate Subject field, enter the subject of the Apple Push Notification Service certificate that is used for MDM.

    For more information, see the Apple MDM integration document, Deploying iPhone and iPad Mobile Device Management at http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf. If you use a development MDM Certificate and not a production certificate, select Use Development APNS Server.

    Warning: The state of the checkbox must match the state of the checkbox for Use Development APNS on the APNS tab of the Mobile Management server settings.

    3 In the Cryptographic credential used for authentication field, choose the SCEP credential for Mobile Management.

    4 Under Additional Configuration Profiles to include, click the yellow star and add the Root CA certificate.

    5 Click Save changes.

    Downloading the Mobile Management agent to a mobile device

    You download the Mobile Management Agent app to your mobile device from the app venue that is appropriate for the mobile device. After the app is installed, it is used to enroll the device so that it can accept and enact management policies on the mobile device.

    Download the app from one of the following locations:

    iOS - Apple App Store

    Android - Android Market

    Windows - Windows Phone Marketplace


    To download the Mobile Management agent to a mobile device

    1 For Android devices only, first set your device's app installation settings to Allow Installation of nonMarket Applications and to allow Unknown Sources.

    2 Go to the app store for your device and download the Symantec Mobile Management Agent app.

    Note: Search for Symantec MGMT or Symantec Mobile Agent

    3 Follow the procedure for your mobile device to install the app.

    Enrolling a mobile device

    Managing mobile devices with Symantec Mobile Management requires that they are enrolled with the Symantec Mobile Management server.

    To enroll a mobile device

    1 On your mobile device, start the Symantec Mobile Management Agent app.

    2 On the enrollment screen, provide the following information:

    The URL of the management server.

    For Android, go to: [server]/MobileEnrollment/SYMC-androidenroll.aspx

    For iOS, go to: [server]/MobileEnrollment/SYMC-iOSenroll.aspx

    For Windows Phone, go to: [server]/MobileEnrollment/SYMC-WPenroll.aspx

    Where [server] is the name of the site server computer that you want the device to enroll with.

    Your domain user name and password.

    Note: URLs are not case sensitive.

    3 Tap Enroll to complete the enrollment process.

    The agent app indicates the status of the connection to the server. If the server is not available, a message appears to indicate a failed server connection and prompts you to try again at a later time.


    You can also set up DNS to allow iOS users to enter an email address instead of the URL.

    Android users can enter the domain name for the Mobile Management server. For example, if the URL for your installation is mobileserver.yourcorp.com, then the user can enter yourcorp.

    Managing a mobile device

    When a mobile device enrolls with the Mobile Management server, a default policy is provided to the device to establish the default management profile.

    You create new policies or edit existing policies to achieve your device management goals.

    Refer to the Symantec Mobile Management 7.2 Implementation Guide for comprehensive information about managing mobile devices, policies, and the Symantec Mobile Management infrastructure. The latest version of the guide is available at www.symantec.com/docs/DOC5662
