Sophos Mobile Control Installation guide
Product version: 5
Document date: April 2015


Contents

1 Introduction
1.1 Sophos Mobile Control licenses
2 Set up Sophos Mobile Control
2.1 Databases
2.2 Request an SSL certificate for Sophos Mobile Control
2.3 Install and set up the Sophos Mobile Control Server
3 Initial configuration of the Sophos Mobile Control Server
3.1 Configuration wizard
4 External EAS Proxy server
4.1 Download external EAS Proxy installer
4.2 Install external EAS Proxy server
5 Running the Sophos Mobile Control Service as a limited user
6 Updating Sophos Mobile Control
7 Apple Push Notification service
7.1 Requirements
7.2 Create and upload an APNs certificate
8 Technical support
9 Legal notices

1 Introduction

Sophos Mobile Control is a device management solution for mobile devices like smartphones and tablets. Sophos Mobile Control helps to keep corporate data safe by managing apps and security.

The Sophos Mobile Control system consists of a server and a client component which communicate through data connections.

The Sophos Mobile Control client is easily installed and managed with over-the-air setup and configuration through the Sophos Mobile Control web console.

With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT efforts by allowing users to register their own devices and carry out other tasks without having to contact the helpdesk.

This guide describes:

■ How to request a trial license for evaluating Sophos Mobile Control, see Trial licenses (page 4).

■ How to request an SSL certificate for Sophos Mobile Control with the SSL Certificate Wizard, see Request an SSL certificate for Sophos Mobile Control (page 5).

■ How to install and set up the Sophos Mobile Control server, see Set up Sophos Mobile Control (page 5).

■ How to install the external EAS Proxy server, see External EAS Proxy server (page 22).

■ How to run the Sophos Mobile Control Service as a limited user, see Running the Sophos Mobile Control Service as a limited user (page 32).

■ How to update Sophos Mobile Control, see Updating Sophos Mobile Control (page 33).

■ How to create and upload an APNs certificate, see Apple Push Notification service (page 34).

Note: All steps have to be executed as an administrator of Microsoft Windows Server or as a user of the relevant group. The database user needs sysadmin rights.

1.1 Sophos Mobile Control licenses

Sophos Mobile Control offers two types of license:

■ Standard license

■ SMC Advanced license

An SMC Advanced license adds functionality by enabling you to manage Sophos Mobile Security and Sophos Secure Workspace.

■ Sophos Mobile Security is a security app for Android phones and tablets. The app protects your Android device and your privacy without impacting performance or battery life. Using up-to-the-minute intelligence from SophosLabs, your apps will be automatically scanned as you install them. This anti-virus functionality protects you from malicious software which can lead to data loss and unexpected costs. Moreover, if your device is lost or stolen, a remote lock or wipe will shield your personal information from prying eyes.

■ Sophos Secure Workspace is an app for iOS and Android phones that provides a secure workspace for your important documents: Browse, manage, edit, share, encrypt and decrypt documents from various storage providers or distributed by your company. It is designed to prevent any data loss even when your device gets stolen or you send a document to an unintended source.

Files can be decrypted and viewed in a seamless way. Encrypted files can be handed over by other apps and uploaded to one of the supported cloud storage providers. Alternatively the documents can be stored locally within the app.

With Sophos Secure Workspace you can read files encrypted by SafeGuard Cloud Storage or SafeGuard Data Exchange. Both are modules of SafeGuard Enterprise or one of its different editions. They allow you to encrypt files using a local key. These local keys are derived from a passphrase that is entered by a user. You can only decrypt a file when you know the passphrase that was used to encrypt the file.

For details of the SafeGuard Cloud Storage and SafeGuard Data Exchange modules please refer to the SafeGuard Enterprise 7.0 documentation on www.sophos.com.

Note: You can activate your licenses in the Sophos Mobile Control configuration wizard. The wizard is launched automatically when you log in to the Sophos Mobile Control web console for the first time after installation.

1.1.1 Trial licenses

Sophos offers a free trial for Sophos Mobile Control. You can register for the trial on the Sophos website: http://www.sophos.com/en-us/products/free-trials/mobile-control.aspx.

A trial license allows you to manage up to five users and is valid for 45 days.

All you will need when you set up Sophos Mobile Control for evaluation is the email address you used to register when downloading the installer.

1.1.2 Upgrading trial licenses to full licenses

To upgrade trial licenses to full licenses, you only have to enter your full license key in the Sophos Mobile Control web console. For further information, see the Sophos Mobile Control administrator help.

1.1.3 Updating licenses

To update your licenses, you only have to enter the new license key in the Sophos Mobile Control web console. For further information, see the Sophos Mobile Control super administrator guide.

2 Set up Sophos Mobile Control

The key steps are:

■ Request an SSL certificate.

■ Execute the Sophos Mobile Control installer.

■ If you want to configure the EAS Proxy server separately, execute the Sophos Mobile Control EAS Proxy installer, see External EAS Proxy server (page 22).

■ Log in to the Sophos Mobile Control web console as a super administrator. For further information see Sophos Mobile Control super administrator guide.

Before you can use the Sophos Mobile Control web console you need to configure certain server settings. Sophos Mobile Control provides a configuration wizard to guide you through this. The wizard is launched automatically when you log in to the Sophos Mobile Control web console for the first time after installation. You need to provide:

■ HTTP proxy credentials (optional)

■ A Standard license key and/or an Advanced license key

■ SMTP credentials

2.1 Databases

Sophos Mobile Control allows you to install Microsoft SQL Server 2014 Express during installation.

If you want to use an existing database, you will need the corresponding logon credentials during installation.

2.2 Request an SSL certificate for Sophos Mobile Control

For setting up Sophos Mobile Control, you need an SSL webserver certificate. In the setup process, you can select between creating a self-signed certificate and using a PKCS12 with certificate, private key and certificate chain. For further information, see Install and set up the Sophos Mobile Control Server (page 7). Your Sophos product delivery includes an SSL Certificate Wizard in the %MDM_HOME%\tools\Wizard folder which you can use to request your certificate, or you can download the wizard from MySophos.

Note: If you plan to manage Windows Phone 8 devices, you need to use an official SSL certificate. Otherwise you need to install the self-signed certificate manually on the devices.

To request your SSL certificate:

1. Start the SSL Certificate Wizard by double-clicking the file Sophos Mobile Control SSL Certificate Wizard.exe.

The Certificate Wizard welcome dialog is displayed.

2. Click Next.

The License Agreement dialog is displayed.

3. Click I Agree.

The Create Certificate Signing Request dialog is displayed.

4. Enter the Server Name (FQDN), the Company, City, State and Country code (for example US or UK). These fields are mandatory.

5. Click Next.

The Upload CSR dialog is displayed.

6. In this step, you upload the Certificate Signing Request to the Certificate Authority (CA) for signing. Follow the instructions in the dialog:

a) Go to the website of your Certificate Authority and log in.

b) Upload the file ServerCertificateSigningRequest.csr from the folder indicated on the Upload CSR dialog of the SSL Certificate Wizard.

Note: If your certificate vendor supports copy and paste, you can open the .csr file with the Open CSR button in the Upload CSR dialog.

c) Save the certificate issued by the CA in Base 64 format (*.pem, *.cer, *.crt) in the folder indicated in the Upload CSR dialog.

d) Download the certificate chain and CA certificate of your certificate authority.

e) Click Next in the Upload CSR dialog.

The Import Certificate Files dialog is displayed.

7. In the Import Certificate Files dialog, you import the intermediate certificates file (depending on your CA vendor) and the downloaded CA certificate. You also need to define a password for the server certificate (PKCS12) that is to be created:

a) In the Select intermediate certificates file field, browse for the intermediate certificate.

b) In the Select CA certificate file field, browse for the downloaded CA certificate.

c) In the Password for private key field, enter a password for the server certificate to be created. Confirm the password.

d) Click Next.

The Certificate created dialog is displayed.

8. In the Certificate created dialog, the location of the certificate created is shown. You can use it when setting up Sophos Mobile Control, see Install and set up the Sophos Mobile Control Server (page 7).

Note: Create a backup of the folder containing the certificate files.

Click Next.

The Sophos Mobile Control - SSL Certificate Wizard finished dialog is displayed.

9. Click Finish.
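Before the PKCS12 file created by the wizard is imported during server setup, it is worth confirming that it holds exactly one private key, the chain certificates, and the server name that clients will use. The following PowerShell function is an added example and not part of the Sophos guide or tooling; the function name, its parameters and the file path in the usage comment are assumptions.

```powershell
# Added example (not Sophos code): inspect a PKCS12 file before importing it.
# Function name, parameters and the sample path below are hypothetical.
function Test-Pkcs12Bundle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Path,        # PKCS12 file to check
        [Parameter(Mandatory)] [securestring] $Password,    # password set in step 7 c)
        [Parameter(Mandatory)] [string]       $ServerName   # FQDN entered in step 4
    )

    $ns    = 'System.Security.Cryptography.X509Certificates'
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Load every certificate in the file; a wrong password throws here.
    $bundle = New-Object "$ns.X509Certificate2Collection"
    $bundle.Import($file, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # Exactly one entry should carry the private key: the server certificate.
    $leaves = @($bundle | Where-Object { $_.HasPrivateKey })
    $others = @($bundle | Where-Object { -not $_.HasPrivateKey })
    if ($leaves.Count -ne 1) {
        throw "Expected one certificate with a private key, found $($leaves.Count)."
    }
    $leaf = $leaves[0]

    # Names the certificate is valid for: subject CN plus subjectAltName entries.
    $names = @($leaf.GetNameInfo('SimpleName', $false))
    $san   = $leaf.Extensions['2.5.29.17']
    if ($san) {
        $names += @([regex]::Matches($san.Format($false), '=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # -like treats a wildcard entry such as *.mycompany.com as a pattern.
    $nameMatches = [bool]($names | Where-Object { $ServerName -like $_ })

    # Build the chain, offering the other certificates in the file as candidates.
    # ChainTrusted reflects the trust store of this machine, not of the devices.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check only
    foreach ($c in $others) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $trusted = $chain.Build($leaf)

    [pscustomobject]@{
        Subject          = $leaf.Subject
        Names            = $names
        NameMatches      = $nameMatches
        NotAfter         = $leaf.NotAfter
        DaysRemaining    = [int]($leaf.NotAfter - (Get-Date)).TotalDays
        SelfSigned       = ($leaf.Subject -eq $leaf.Issuer)
        OtherCertsInFile = $others.Count
        ChainLength      = $chain.ChainElements.Count
        ChainTrusted     = $trusted
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (the path is a placeholder; use the location shown in the Certificate created dialog):
# $pw = Read-Host -AsSecureString 'PKCS12 password'
# Test-Pkcs12Bundle -Path 'C:\path\to\server-certificate.p12' -Password $pw -ServerName 'smc.mycompany.com'
```

A result with NameMatches or ChainTrusted set to False, or with OtherCertsInFile at 0 for a CA-issued certificate, points to a bundle that devices are likely to reject.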

2.3 Install and set up the Sophos Mobile Control Server

Prerequisites:

■ If the database is not held locally, you need access to the TCP Port 3306 for MySQL and 1433 for Microsoft SQL Server. In addition, you need an admin account that can log in from the Sophos Mobile Control Server.

1. Execute the Sophos Mobile Control installer as administrator, review and agree to the License Agreement.

The System Property Checks dialog is displayed.

To check that the system environment fulfills all necessary requirements for Sophos Mobile Control installation, click Check. If you want to generate a system check report after the check has been run, click Report.

2. If all requirements are fulfilled, click Next.

The Choose Install Location dialog is displayed.

Choose the destination folder and click Install to start installation.

3. After the installation process the Sophos Mobile Control Configuration Wizard welcome dialog is displayed. Click Next.

The Database selection dialog is displayed.

4. In the Database selection select the database you want to use:

■ Install and use Microsoft SQL Server 2014 Express: Will immediately install SQL Server 2014 Express and configure it to be used with Sophos Mobile Control

■ Use existing Microsoft SQL database

■ Use existing MySQL

5. Click Next to specify database server information and logon credentials in the Database Settings dialog. This dialog offers the required options according to the option you have selected.

■ If you have selected install and use Microsoft SQL Server 2014 Express in the Database selection dialog, the Database Settings dialog offers the following options.

Select Use SQL Server Authentication with the following password, enter a password and confirm it.

The installation of SQL Server 2014 Express starts.

■ If you have selected Use existing Microsoft SQL database in the Database selection dialog, the Database Settings dialog offers the following options:

To use the user credentials specified during SQL server installation, select Use SQL Server Authentication with the following credentials and enter the required user name and password. Click Next.

■ If you have selected Use existing MySQL database in the Database selection dialog, the Database Settings dialog offers the following options:

Under Authentication, enter the required user name and password and click Next.

6. In the next step, you create the database. In the Database Selection dialog, select Create a new database named, enter a name (for example SMCDB) and click Next.

The Database Configuration dialog is displayed. It shows the relevant progress messages. After the database has been successfully created and populated, click Next.

7. In the next step, you create a super administrator account. The super administrator has specific rights and tasks and is primarily used for customer management. In Sophos Mobile Control, customers are the tenants that manage the devices of their users. The super administrator logs in to a super administrator customer and can, for example, predefine settings for new customers and push settings and configurations to existing customers. For further information, refer to the Sophos Mobile Control super administrator guide.

Note: These credentials are required for the first log in to the Sophos Mobile Control web console.

The super administrator should not be used in productive operation, but only for administrative purposes. The super administrator is primarily intended for customer management.

In the Configure super admin account dialog, enter the Super admin customer (the customer the super administrator will log on to), the Super admin login (the super administrator login name) and a Super admin password. Confirm the password and click Next.

Note: After installation additional super administrators can be added in the Sophos Mobile Control web console.

8. In the next step enter a client resolvable SMC server name (for example smc.mycompany.com) and click Next.

9. In the next step, a certificate for the secure (HTTPS) access to the web server needs to be created or imported.

Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your SSL certificate for Sophos Mobile Control. For further information, see Request an SSL certificate for Sophos Mobile Control (page 5).

■ If you do not have a trusted certificate yet, select Create self-signed certificate, click Next and continue with step 10.

■ If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the drop-down list, click Next and continue with step 11. You can also select Separate files for certificate, private key, intermediate and CA certificate from the drop-down list, click Next and continue with step 12.

10. If you have selected Create self-signed Certificate, the following dialog is shown. Enter the appropriate certificate information.

After you have entered all necessary information click Next.

11. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter the password.

Click Next.

12. If you have selected Separate files for certificate, private key, intermediate and CA certificate under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter the password for the private key.

Click Next.

13. In the next step, you verify the server information.

Click Next to confirm the server and configuration process.

14. Configuration is now complete.

15. After installation has finished, the Sophos Mobile Control - Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control server now is selected and click Finish to start the Sophos Mobile Control server for the first time.

If you have selected SQL server authentication during installation, the SMCSVC service is started automatically and the Sophos Mobile Control server is executed. If you have selected Windows authentication, you first have to enter logon details in the service and start it afterwards.

Note: After the service has been started it can take a few minutes before the web interface is available.

Note: If a different language than English is used for the SQL login, an error occurs and an error message is displayed. To solve this problem, first stop the SMCSVC service. Then open SQL Management Studio on the server and select Security followed by Logins. Edit the properties of the user that is used to start the SMC server and set the Default language for this account to English. Click OK and start the SMCSVC service again.

Continue with the following configuration steps:

■ Log in to the Sophos Mobile Control web console and complete the first steps wizard. The configuration wizard is launched automatically when you log in to the Sophos Mobile Control web console for the first time after installation. You need to provide:

■ HTTP proxy credentials (optional)

■ A Standard license key and/or an Advanced license key

■ SMTP credentials

■ During installation you have created a super administrator for customer management. This setup does not support the LDAP connection to a directory service such as Active Directory and the self-registration of end users with the Self Service Portal. To support these features, a customer must be created by the super administrator. For further information, refer to the Sophos Mobile Control super administrator guide.

■ If you have selected to configure the EAS Proxy server separately, configure the EAS Proxy now, see External EAS Proxy server (page 22).

3 Initial configuration of the Sophos Mobile Control Server

Before you can use the Sophos Mobile Control web console you need to configure certain server settings. Sophos Mobile Control provides a first steps configuration wizard to guide you through this.

The wizard is launched automatically when you log in to the Sophos Mobile Control web console for the first time after installation.

You need to provide:

■ HTTP proxy credentials (optional)

■ A Standard license key and/or an Advanced license key

■ SMTP credentials

Note: You can request a trial license when the configuration wizard is run.

3.1 Configuration wizard

Note: As a super administrator you can change these settings in the Sophos Mobile Control web console at any time after initial configuration.

1. After you have logged in to the Sophos Mobile Control web console the welcome dialog is displayed. Click Next.

2. If you use a HTTP proxy, enter the relevant server details in the HTTP proxy view:

■ Select Proxy enabled.

■ Enter the Proxy host.

■ Enter the Proxy port.

3. Click Next.

4. In the License view, enter your Sophos Mobile Control Standard license key or request a trial license:

■ Sophos Mobile Control Standard license key:

When you enter the Sophos Mobile Control Standard license key and click Activate, you are given the option to enter a Sophos Mobile Control Advanced license key. If you have purchased Advanced licenses, enter the key in the Advanced license key field.

■ Request a trial license:

If you are evaluating Sophos Mobile Control, see Trial licenses (page 4), click Request trial and enter the email address that you used during the registration process of your free trial, and then click Request trial again.

Note: You can change the license settings at any time in the Sophos Mobile Control web console. If you do not enter an Advanced license key here, you can do it in the web console later on.

Click Next.

5. SMTP has to be configured to enable emails to be sent to new users, providing them with logon credentials. It also needs to be configured to enable enrollment via email. In the SMTP view, enter SMTP information and logon credentials:

■ SMTP host

■ Connection Type (SSL, TLS or plain)

■ SMTP user

■ SMTP password

■ Email originator

■ Send error emails: Select this option if you want error mails to be sent, for example in case of an expired APNs certificate.

■ Email recipients: Enter the recipients of error emails here.

Note: To check sending of emails, click the Send test email button.

6. Click Finish.

4 External EAS Proxy server

With Sophos Mobile Control you can set up an external EAS Proxy server with several instances. Sophos Mobile Control offers a separate EAS Proxy. You can download the installer from the Sophos Mobile Control web console. For further information, see Download external EAS Proxy installer (page 25).

Features

Besides the features of the internal EAS Proxy, the external EAS Proxy offers the following features:

■ Lotus Traveler client support (which is not ActiveSync)

■ Support for multiple Microsoft Exchange and Lotus Traveler servers (one instance per mail server, one TCP port per instance)

Usage scenarios

Note: For Sophos Mobile Control as a Service, the following scenarios do not apply. In this scenario, the EAS Proxy server is suitable for installation in your own environment because the EAS Proxy communicates through HTTPS with the Sophos Mobile Control Server. For further information on Sophos Mobile Control as a Service, refer to the Sophos Mobile Control as a Service startup guide.

An external EAS Proxy server should be used for the following scenarios:

■ You use Lotus Traveler for non-iOS devices.

The internal EAS Proxy cannot handle this scenario as ActiveSync is not used here.

The internal EAS Proxy supports iOS devices for Lotus Traveler as Traveler supports ActiveSync for iOS only. So for iOS devices you do not need to use the external EAS Proxy.

For other platforms (for example, Android), Lotus Notes Traveler is supported by the external EAS Proxy. For these platforms, a dedicated Traveler client software is required. This software is available through <traveler-server>/servlet/traveler or the Traveler file system. Sophos Mobile Control can install and uninstall the client software. Configuration has to be done manually.

■ You want to support multiple backend servers.

With the external EAS Proxy you can set up multiple instances of backend mail systems. Each instance needs an incoming TCP port. Each port can connect to a different backend. You need one URL per EAS instance.

■ You want to set up load balancing for EAS.

For this scenario an existing load balancer for HTTP is required. You set up the external EAS Proxy on different machines.

Setup

The following applies to installation and setup:

■ The external EAS Proxy can be installed on the same server, but needs to listen on different ports.

■ Each instance is secured by an automatically generated certificate that needs to be uploaded to the SMC server.

■ The external EAS Proxy can run on different (virtual and physical) machines.

■ Simple Windows setup

4.1 Download external EAS Proxy installer

1. Log on to the Sophos Mobile Control web console as a super administrator.

2. In the web console, under SYSTEM, click Setup and then click System setup.

The System setup view is displayed.

3. Go to the EAS proxy tab and click the download link in the External section.

4.2 Install external EAS Proxy server

Prerequisite:

■ Sophos Mobile Control has been installed and set up, see Install and set up the Sophos Mobile Control Server (page 7).

To configure the EAS Proxy server separately:

1. Execute the Sophos Mobile Control EAS Proxy Setup.exe.

The Sophos Mobile Control EAS Proxy Setup welcome dialog is displayed. Click Next.

2. In the License Agreement dialog, review the license terms and click I Agree.

3. In the Choose Install Location dialog, choose the destination folder and click Install to start installation.

4. After Sophos Mobile Control EAS Proxy has been installed, the EAS Proxy Configuration Wizard welcome dialog is displayed. Click Next.

5. In the SMC Server configuration dialog, select the SMC Server to be used. Optionally, select Use SSL for incoming connections (Clients to EAS Proxy). If you do not select this option, continue with step 10.

Click Next.

6. In the next step, a certificate for the secure (HTTPS) access to the EAS Proxy needs to be created or imported.

Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your SSL certificate for Sophos Mobile Control EAS Proxy. For further information, see Request an SSL certificate for Sophos Mobile Control (page 5).

■ If you do not have a trusted certificate yet, select Create self signed certificate, click Next and continue with step 7.

■ If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the dropdown list, click Next and continue with step 8. You can also select Separate files for certificate, private key, intermediate and CA certificate from the dropdown list, click Next and continue with step 9.

7. If you have selected Create self-signed Certificate, the following dialog is shown. Enter the appropriate certificate information.

After you have entered all necessary information click Next.

8. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter the password.

Click Next.

9. If you have selected Separate files for certificate, private key, intermediate and CA certificate under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter the password for the private key.

Click Next.

10. In the next step, you configure the EAS Proxy instances. In the EAS Proxy instance setup dialog, enter an Instance name, the relevant Server port (incoming traffic) and the ActiveSync server (target). Select Enable traveler client access to enable Lotus Traveler client access. After entering the instance information, click Add to add the instance to the Instances list.

After you have added an instance a message like the following is displayed:

Click OK.

A window with the certificate that needs to be uploaded to Sophos Mobile Control opens.

11. In the next step, you need to upload the certificate in the Sophos Mobile Control web console as a super administrator. For further information on Sophos Mobile Control super administrators, see the Sophos Mobile Control super administrator guide.

a) Log in to the Sophos Mobile Control web console as a super administrator.

b) In the web console under SYSTEM, click Setup and then click System setup.

c) Go to the EAS proxy tab.

d) On the EAS Proxy tab, in the External section, click Upload a file. Browse for the certificate and click Upload.

e) Browse for the certificate, select it and click Open.

The certificate is uploaded and shown in the EAS Proxy tab.

f) Click the Save button.

Note: Upload the certificate before you start the EAS proxy server. If the certificate is not available at startup, Sophos Mobile Control rejects the server and the service will not be started.

12. In the EAS Proxy instance setup dialog of the EAS Proxy Configuration Wizard, click Next.

The server port you entered is checked and an Inbound Rule for the Windows Firewall is configured. Then the Sophos Mobile Control EAS Proxy - Configuration Wizard finished dialog is displayed.

13. Configuration is now complete. Click Finish to close the Configuration Wizard.

14. After installation has finished, the Sophos Mobile Control EAS Proxy Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control EAS Proxy server now is selected and click Finish to start the Sophos Mobile Control EAS Proxy server for the first time.

The Sophos Mobile Control EAS Proxy server has been installed and configured.

Note: Every day a new EAS Proxy log file will be created. The old file is renamed (EASProxy.log.yyyy-mm--ttt). Old EAS Proxy log files are not deleted automatically. To prevent problems, delete or back up these files manually or by using a script.
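One way to script the log housekeeping mentioned in the note, written so that rotated logs are archived before they are removed and remain available for later investigation. This PowerShell function is an added example, not part of the Sophos product; the function name, parameters, retention periods and both folder paths are assumptions, because this guide does not state where the EAS Proxy writes its log files.

```powershell
# Added example (not Sophos code). Function name, parameters and retention
# values are hypothetical.
function Invoke-EasProxyLogCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder that contains EASProxy.log; this guide does not state its location.
        [Parameter(Mandatory)] [string] $LogDirectory,
        # Folder that receives the zipped copies.
        [Parameter(Mandatory)] [string] $ArchiveDirectory,
        [int] $KeepDays = 14,               # rotated logs newer than this stay in place
        [int] $ArchiveRetentionDays = 180   # archives older than this are deleted
    )

    if (-not (Test-Path -LiteralPath $LogDirectory -PathType Container)) {
        throw "Log directory not found: $LogDirectory"
    }
    if (-not (Test-Path -LiteralPath $ArchiveDirectory -PathType Container)) {
        New-Item -ItemType Directory -Path $ArchiveDirectory -Force | Out-Null
    }

    $cutoff = (Get-Date).AddDays(-$KeepDays)
    # Rotated files are named EASProxy.log.<date suffix>. The pattern requires a
    # suffix, so the active EASProxy.log is never touched.
    $rotated = Get-ChildItem -LiteralPath $LogDirectory -File |
        Where-Object { $_.Name -like 'EASProxy.log.?*' -and $_.LastWriteTime -lt $cutoff }

    $archived = 0
    foreach ($log in $rotated) {
        $zip = Join-Path $ArchiveDirectory ($log.Name + '.zip')
        if ($PSCmdlet.ShouldProcess($log.FullName, "archive to $zip and delete")) {
            # Delete the original only after the archive was written without error.
            Compress-Archive -LiteralPath $log.FullName -DestinationPath $zip -Force -ErrorAction Stop
            Remove-Item -LiteralPath $log.FullName -ErrorAction Stop
            $archived++
        }
    }

    # Expire old archives so the archive folder does not grow without bound either.
    $expired = 0
    if (Test-Path -LiteralPath $ArchiveDirectory -PathType Container) {
        $archiveCutoff = (Get-Date).AddDays(-$ArchiveRetentionDays)
        Get-ChildItem -LiteralPath $ArchiveDirectory -File |
            Where-Object { $_.Name -like 'EASProxy.log.?*.zip' -and $_.LastWriteTime -lt $archiveCutoff } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'delete expired archive')) {
                    Remove-Item -LiteralPath $_.FullName -ErrorAction Stop
                    $expired++
                }
            }
    }

    [pscustomobject]@{
        Archived               = $archived
        ExpiredArchivesDeleted = $expired
        Cutoff                 = $cutoff
    }
}

# Dry run first (both paths are placeholders), then run it daily, for example as a scheduled task:
# Invoke-EasProxyLogCleanup -LogDirectory '<EAS Proxy log folder>' -ArchiveDirectory 'D:\LogArchive\EASProxy' -WhatIf
```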

31

Installation guide

Page 32: Sophos Mobile Control Installation guide

5 Running the Sophos Mobile Control Service as a limited user

For security reasons, you may want to run the SMC service as a limited user instead of an administrator.

Note: If you use Windows Authentication for database access, you only have to carry out step 3 of the following description.

1. On the computer on which Sophos Mobile Control is running, create a local, “regular” Windows user account with a password that does not expire.

2. Remove this user account from all groups. (By default, the user is in the “users” group.)

3. Grant this user account full access to the Sophos Mobile Control installation directory (C:\Programs\Sophos\Sophos Mobile Control) including all subdirectories.

4. In the SMCSVC service properties, change the user to this user account with the relevant password.
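The four steps above, scripted in PowerShell as an added example that is not part of the Sophos guide. The account name smc-svc is hypothetical; the installation path and the service name SMCSVC are the ones given in steps 3 and 4. Run it from an elevated prompt on Windows PowerShell 5.1 or later.

```powershell
# Added example: run the SMC service under a limited local account.
$account    = 'smc-svc'                                   # hypothetical account name
$installDir = 'C:\Programs\Sophos\Sophos Mobile Control'  # path from step 3
$service    = 'SMCSVC'                                    # service from step 4

# Step 1: local account with a password that does not expire.
$password = Read-Host -AsSecureString "Password for $account"
New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Sophos Mobile Control service' | Out-Null

# Step 2: remove the account from every local group it belongs to.
foreach ($group in Get-LocalGroup) {
    $member = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$account" }
    if ($member) { Remove-LocalGroupMember -Group $group -Member $account }
}

# Step 3: full control on the installation directory; (OI)(CI) makes the
# entry inherit to all files and subdirectories, /T applies it to existing ones.
icacls.exe $installDir /grant "${account}:(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 4: change the service logon account.
# Unlike the service properties dialog, this call does not grant the
# "Log on as a service" right; assign it to the account in Local Security
# Policy before restarting the service.
$plain  = [System.Net.NetworkCredential]::new('', $password).Password
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName = ".\$account"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Change returned $($result.ReturnValue)" }

# Check: the service should now list the limited account as its logon identity.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'" |
    Select-Object Name, StartName, State
```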


6 Updating Sophos Mobile Control

Sophos Mobile Control server installations can be directly updated from version 4 to 5.

Older versions need to be updated to version 4 beforehand. Please see your Sophos Mobile Control 4 documentation for details.

Updating from version 4 to version 5

Note: Before you update, make sure that all your devices have the Sophos Mobile Control 5.0 app installed. You cannot manage devices with a lower version with Sophos Mobile Control 5.

To update your Sophos Mobile Control server installation to version 5, execute the Sophos Mobile Control 5 installer and follow the instructions.

The installer automatically detects that an existing installation is to be updated to version 5 and performs an update check:

■ Information on decommissioned features is displayed. You must accept to update Sophos Mobile Control.

■ The update check displays issues that you may want to resolve before the actual update is performed. A link for guidelines to do so is provided.

Note: Please check the highlighted issues carefully. For example, if some of your devices have Sophos Mobile Control apps lower than 5.0 installed, you cannot manage them with the new version of the Sophos Mobile Control server.

After the update check is completed, installation of the new version starts with a system property check. If all checks are passed, installation starts.

Note: You will need the administrator user credentials of your database.


7 Apple Push Notification service

To use the built-in Mobile Device Management (MDM) protocol of devices running Apple iOS 4 (or higher), Sophos Mobile Control must use the Apple Push Notification service (APNs) to trigger the iOS devices. The following sections describe the requirements that have to be fulfilled and the steps you must take to get access to the APNs servers with your own client certificate. Sophos Mobile Control offers an APNs Certificate Wizard for creating your APNs certificate. The wizard is included in your product delivery. It is also available for download in the web console.

Note: Do NOT use Internet Explorer for any Apple websites. Apple recommends their own Safari browser, but Mozilla Firefox, Opera or Google Chrome also work.

7.1 Requirements

For silent operations all devices must have at least iOS version 4 installed.

To notify iOS devices, the Sophos Mobile Control server needs to connect to the Apple Push Notification service. The notifications are sent SSL-encrypted to

■ gateway.push.apple.com:2195 TCP (17.0.0.0/8) but not to the iOS devices directly.

■ The iOS devices themselves need a connection to Apple via port 5223, since Apple forwards the notification.

Note: iOS devices with Wi-Fi only need access to APNs through the company Wi-Fi network. As corporate networks usually accept only http and https, this access has to be enabled in the company Wi-Fi network.

■ Wi-Fi iOS device -> *.push.apple.com:5223 TCP (17.0.0.0/8)

7.2 Create and upload an APNs certificate

Prerequisites:

■ You can use the APNs Certificate Wizard to create an APNs certificate. The wizard is included in your product delivery. It is also available for download in the web console. In the web console menu bar, under SYSTEM, click Setup and then System setup, and go to the iOS APNS tab. To download the wizard, click the download link available under APNS.

To start the APNs Certificate Wizard:

1. Double-click the file Sophos Mobile Control APNs Certificate Wizard.exe.

The APNs Certificate Wizard welcome dialog is displayed.

2. Click Next.

The License Agreement dialog is displayed.

3. Click I Agree.

The Create Certificate Signing Request dialog is displayed.

4. Enter your Company Name and your Country code (for example US or UK). These fields are mandatory.

Note: Below these fields, the dialog shows where all data of the process is stored. Make a note of this information.

5. Click Next.

The Upload PLIST dialog is displayed.

6. In this step, you upload the Certificate Signing Request to Apple. Follow the instructions in the dialog:

a) Open the Apple site indicated in the dialog in your browser.

Note: Do not use Internet Explorer to open the Apple site as this may cause problems. Use Firefox, Chrome or Safari instead. We recommend that you use the latest browser versions.

b) Log in with your Apple ID. If you do not have an Apple ID, create one.

We recommend you create a Corporate Apple ID and not a personal one.

c) In the first dialog of the Apple Push Certificates Portal, click Create a Certificate.

d) Accept the terms and conditions.

e) Browse for your Certificate Signing Request (*.plist) and click Upload.

You find the file name and the path in the Upload PLIST dialog of the Sophos APNs Certificate Wizard.

Your APNs certificate is created.

f) Download and save the certificate file (*.pem) in the directory indicated in the Upload PLIST dialog.

7. Click Next.

The Create P12 dialog is displayed.

8. In this step, you create your APNs certificate for Sophos Mobile Control. Enter a password for the APNs certificate. You need this password later, when you upload the .P12 certificate file to Sophos Mobile Control.

Note: The Create P12 dialog shows the directory the certificate will be stored in. Make a note of this information. We recommend that you create a backup of the folder that contains the certificate files.

9. Click Next.

The Sophos Mobile Control APNs Certificate Wizard finished dialog is displayed.

10. Click Finish.

11. In the web console return to the iOS APNs tab.

12. Click on Upload a file. Browse for the .p12 certificate file you have created and enter your password. Optionally you can enter your Apple ID for future reference.

After the file has been uploaded successfully, a confirmation message is displayed and the Topic, Type and Expiry date information of your APNs certificate is shown.

13. Click Save.

8 Technical support

You can find technical support for Sophos products in any of these ways:

■ Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem.

■ Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx.

■ Download the product documentation at http://www.sophos.com/en-us/support/documentation.aspx.

■ Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.

9 Legal notices

Copyright © 2011 - 2014 Sophos Ltd. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
