Good™ Mobile Control for iPhone

Administrator’s Guide
Good for Enterprise 6.0.1
Good Mobile Control for iPhone Administrator’s Guide
Last revised 09/25/09
Documentation complies with Good Mobile Control version 1.0.1, Good Mobile Messaging server
and Client software version 6.0.1
Copyright, trademark and patent information
© Good Technology, Inc. 2001-2009. All rights reserved. Good, Good Technology, the
Good logo, Good Mobile Messaging, Good Mobile Intranet, Good Mobile Defense,
Good Mobile Application Services, GoodAccess, GoodInfo, GoodLink, and Powered
by Good are trademarks of Good Technology, Inc. VeriSign(R) is a registered
trademark of VeriSign, Inc. All other trademarks and service marks contained herein
are the property of their respective owners. For example, Microsoft, Windows,
Windows NT, Exchange and Outlook are trademarks of Microsoft Corporation. RIM,
Research in Motion, RIM 950, RIM 957, and BlackBerry are registered trademarks or
trademarks of Research in Motion Limited. Mobitex is a trademark of the Swedish
Telecommunications Administration that may be registered in some jurisdictions.
Datalight is a registered trademark of Datalight, Inc. FlashFX(tm) is a trademark of
Datalight, Inc. Cingular, Cingular Wireless, the Cingular Icon, Xpress Mail, and Xpress
Mail with GoodLink are trademarks of Cingular Wireless, LLC. All rights reserved.
Some or all of the following notices may apply to portions of the software or
documentation provided by Good Technology, Inc.: Outside In®Wireless Export ©
2001 Stellent Chicago, Inc. All rights reserved. Copyright 1993-2001 Datalight, Inc., All
Rights Reserved. U.S. Patent Office 5,860,082. Code written by John Halleck is used
with his permission. This distribution contains executables of the Netscape ® Security
Service (NSS) and Netscape Portable Runtime (NSPR). You may obtain the source code
for these files from www.mozilla.org, which source files are subject to the Mozilla
Public License 1.1. Part of the software embedded in this product is eCos - Embedded
Configurable Operating System, a trademark of Red Hat. Portions created by Red Hat
are Copyright (C) 1998, 1999, 2000 Red Hat, Inc. (http://www.redhat.com/). All Rights
Reserved. THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY RED
HAT AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED BY RED HAT. IN NO
EVENT SHALL RED HAT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. You may obtain a copy of the source code of the
eCos Original Code from http://www.redhat.com. You may obtain a copy of source
code of Good Technology, Inc.'s Modifications that have been publicly released in
Executable form by sending an email to support@good.com. The source code of the
eCos Original Code and Good Technology, Inc.'s Modifications are subject to the Red
Hat eCos Public License Version 1.1 (copy available at http://www.redhat.com/.)
Some or all of the following notices may also apply to portions of the software or
documentation provided by Good Technology, Inc: ScriptEase(tm) Javascript/
ECMAScript interpreter developed by Nombas, Inc. All Rights Reserved. This product
includes software developed by the Apache Software Foundation (http://www.apache.org).
Copyright (c) 2000-2003, The Apache Software Foundation and/or Yves Piguet. All
rights reserved. Neither the name of Yves Piguet nor the names of its contributors may
be used to endorse or promote products derived from this software without specific
prior written permission. Licensed under the Apache License, Version 2.0 (the
“License”); you may not use this file except in compliance with the License. You may
obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless
required by applicable law or agreed to in writing, software distributed under the
License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License. Copyright
(c)1999-2001 Dan Adler, 315 E72 St. NY, NY, 10021 USA. mailto: danadler@rcn.com. All
rights reserved. The Jetty Package is Copyright Mort Bay Consulting Pty. Ltd.
(Australia) and others. Individual files in this package may contain additional
copyright notices. The javax.servlet packages are copyright Sun Microsystems Inc.
Copyright (c) 1990-2003 Sleepycat Software. All rights reserved. You may obtain a copy
of the source code for the DB software from http://www.sleepycat.com. You may
obtain a copy of source code of Good Technology, Inc.’s Modifications that have been
publicly released in Executable form by sending an email to support@good.com.
Copyright ©1996-1999 Corporation for National Research Initiatives; All Rights
Reserved. Copyright (c) 1995-2000 by the Hypersonic SQL Group. All rights reserved.
Copyright (c) 2001-2002, The HSQL Development Group. All rights reserved.
Copyright 2002 (C) Nathaniel G. Auvil. All Rights Reserved. Copyright (c) 1998-2000
World Wide Web Consortium (Massachusetts Institute of Technology, Institut National
de Recherche en Informatique et en Automatique, Keio University). All Rights
Reserved. Copyright (c) 2001 MX4J. All rights reserved. Copyright 1994-2004 Sun
Microsystems, Inc. All Rights Reserved. Copyright 1999,2000 Boris Fomitchev
Copyright 1994 Hewlett-Packard Company Copyright 1996, 97 Silicon Graphics
Computer Systems, Inc. Copyright 1997 Moscow Center for SPARC Technology. THIS
SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Good Technology, Inc. may have patents or pending patent applications, trademarks,
copyrights or other intellectual property rights covering this subject matter. The
software and documentation do not give you any license to these patents, trademarks,
copyrights, or other intellectual property rights except as expressly provided in any
written license agreement from Good Technology, Inc. The software and
documentation may be covered by one or more patents as set forth at
http://www.rim.net/patents which have been licensed by Research in Motion, Ltd.
("RIM") to Good. RIM is not affiliated with, nor does RIM endorse the operability of,
the products or services described herein. Such patent license should not be construed
as exhausting RIM's rights to royalties or damages or other compensation or relief or
the grant of any express or implied license: (a) in relation to customer's use of third
party products (except to the extent that use of third party email applications arises as
a direct result of the customer using Good's products or services or the customer uses a
third party wireless personal digital assistant or network carrier services in
conjunction with Good's products or services); or (b) where customer or the supplier of
the wireless personal digital assistant or wireless network services asserts any
intellectual property rights against RIM notwithstanding the terms of clause (a) above,
and RIM has exercised its right to suspend all or a portion of the licenses granted to
Good.
Software from the Unicode project, in its modified form, is being used in the product.
The license terms are as follows. Copyright © 1991-2008 Unicode, Inc. All rights
reserved. Distributed under the Terms of Use in
http://www.unicode.org/copyright.html. Permission is hereby granted, free of charge,
to any person obtaining a copy of the Unicode data files and any associated
documentation (the "Data Files") or Unicode software and any associated
documentation (the "Software") to deal in the Data Files or Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, and/or sell copies of the Data Files or Software, and to permit persons to
whom the Data Files or Software are furnished to do so, provided that (a) the above
copyright notice(s) and this permission notice appear with all copies of the Data Files
or Software, (b) both the above copyright notice(s) and this permission notice appear in
associated documentation, and (c) there is clear notice in each modified Data File or in
the Software as well as in the documentation associated with the Data File(s) or
Software that the data or software has been modified.
Disclaimer
No part of this document may be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written
permission of Good Technology, Inc. Information in this document is subject to
change without notice. This publication could include technical inaccuracies or
typographical errors. Good Technology may make improvements or changes in the
products or the programs described in this publication at any time.
Good Technology, Inc.
4250 Burton Drive
Santa Clara, CA, 95054
Tel. (408) 327-6000 Fax (408) 327-6001
Web site: http://www.good.com.
Be Good. Be Safe.
Please do not use while driving or engaged in any
other activity that requires your full attention.
Contents
1 Overview
2 Pre-installation
  Checking Prerequisites and System Requirements
  Preparing for SQL server Use
  Setting Up the Necessary Accounts and Permissions
  Creating the GoodAdminGMC Account
3 Installation
  Installing Good Mobile Control server
  Configuring the Good Mobile Control Console
  Understanding Console Filters
  Setting Up Role-Based Administration
  The Superuser
4 Managing the iPhone
  Preparing for iPhone Setup
  Setting Up the iPhones
  OTA Setup Process
  Completing the Setup Process
  Setting iPhone Policies
  Adding a Policy Set
  Setting or Changing Security Policies
  Setting or Changing Configuration Policies
  Completing Policy Configuration
  Viewing and Using iPhone Information
  Importing/Exporting iPhone Data
  Wiping iPhone Data
  Other Management Tasks
  Removing a Handheld from Good Mobile Control
  Transferring a Handheld to a New User
  Changing a User’s Good Mobile Control server, Exchange server, or User Name
  Changing a User’s Display Name, Alias, or Email Address
  Changing the Exchange 2007 SP1 ActiveSync Host
5 Managing Good Mobile Control Server
  Moving Good Mobile Control Server to a New Host
  Preparing to Move Good Mobile Control server
  Installing Good Mobile Control server on the New Host
  Stopping Good Mobile Control Services
  Error Messages
  Troubleshooting
  Backing up and Restoring the Good Mobile Control Database
  Disaster Recovery
Index
1 Overview
Good Mobile Control, a component of Good for Enterprise, provides
a central place to manage and secure your entire enterprise mobile
fleet. IT managers can manage mobile device policies and settings.
With robust wireless over-the-air (OTA) management capabilities,
deployment of all device configurations and policies is a snap.
Furthermore, Good Mobile Control is accessed through a single, web-based interface, providing IT access from virtually anywhere.
This release includes integrated support for the iPhone platform,
providing your organization with console features to secure and
manage your iPhones at any time, from any location. As the
administrator responsible for the maintenance and management of
Good Messaging handhelds, you can set up iPhones for ActiveSync
access and manage these devices through Good Mobile Control. You
can do this for one or more users at a time, wirelessly.
If, in addition to using Good Mobile Control for iPhone, you plan to
deploy and manage Good Mobile Messaging users, refer to the Good
Mobile Messaging Administrator's Guide as well as this document.
This guide restricts itself to system setup and use of Good Mobile
Control for iPhone only.
The full Good Messaging system includes:
• The Good Messaging Client, supporting a growing number of
handhelds
• The Good Messaging server, an easy-to-install enterprise class
application allowing for elegant fleet management/global policy
control and remote security enforcement of wireless
synchronization.
• The Good Mobile Control server and console and the Good
Monitoring Portal, used to monitor and manage user handhelds.
Good Mobile Messaging and Good Mobile Access act as plugins
to Good Mobile Control server.
Good Mobile Control for iPhone requires installation of only Good
Mobile Control server, not the Good Mobile Messaging or the Good
Mobile Access servers. If you would like to enable these services in
the future, you can simply add the appropriate servers on top of your
existing Good Mobile Control for iPhone deployment. iPhone
support is fully integrated with the Good Mobile Control server and
console.
Good Mobile Control sets up iPhones using Exchange 2007 SP1 and
ActiveSync, with security and configuration policies that you specify
using the Good Mobile Control console. Available policy settings
include:
• Security
- Passcode - Enforce device passcode with specified
characteristics and actions upon incorrect passcode entries.
- Access Restriction - Restrict ActiveSync access to the
provisioned iPhone only, preventing additional devices for the
same user from using this access.
• Configuration
- VPN connections - Specify iPhone VPN connection settings
from Good Mobile Control
- Wireless networks - Specify iPhone WiFi parameter settings
from Good Mobile Control
As with other supported handhelds, Good Mobile Control will
provision the iPhone over the air and set it up automatically. The
provisioning process is as simple as visiting get.good.com/iPhone
using the native Safari browser on iPhone.
Later changes to security policy settings by you, the administrator,
will be enforced on managed iPhones via the ActiveSync connection;
changes to VPN/WiFi policy settings will be transmitted via email
and the iPhone Setup Portal.
The policies supported in Good Mobile Control for iPhone are a
subset of those supported in the Good Mobile Messaging solution,
because Good Mobile Control for iPhone leverages the native
ActiveSync implementation on iPhone; some of the Good Mobile
Messaging policies cannot be applied to this implementation. The
following table summarizes the difference between the two products
in terms of policies supported.

Policy                  Good Mobile Control for iPhone   Good Mobile Messaging
Password policy         Available                        Available
One handheld per user   Available                        Available
Remote Wipe             Available                        Available
Messaging Policy        Not Available                    Available
Network Comm. Policy    Not Available                    Available
Blocker Applications    Not Available                    Available
Compliance Manager      Not Available                    Available
Encryption Policy       Not Available                    Available
Software Deployment     Not Available                    Available

iPhone 3G S hardware offers always-on hardware encryption of all
data on the device. This includes encryption for enterprise data. This
hardware feature also enables the instantaneous wipe of all data on
the device when a remote wipe command is executed from Good
Mobile Control. On older versions of iPhone hardware, the remote
wipe operation can take as long as two hours, depending on the
amount of memory available in the device.
iPhone management includes the following:
• “Checking Prerequisites and System Requirements” on page 9
• “Setting Up the Necessary Accounts and Permissions” on page 19
• “Installing Good Mobile Control server” on page 25
• “Setting Up Role-Based Administration” on page 49
• “Preparing for iPhone Setup” on page 57
• “Setting Up the iPhones” on page 58
The figure below illustrates the interaction between system
components. Over-the-air provisioning takes place via data exchange
between the Good Operations Center and the iPhone. Once OTA
provisioning is complete, email, calendar, and contacts data flows
through the ActiveSync channel between the Exchange 2007 server
and the iPhone. The Good Mobile Control server communicates with
the Exchange server regularly in order to monitor and manage this
user. Good Mobile Control server also communicates with the SQL
server hosting the databases.
As administrator, you’ll do the following to begin managing user
iPhones:
• Set iPhone policies for device passcode, ActiveSync access control,
VPN configuration, and WiFi configuration. Alternatively, you
can use the default iPhone policy set provided with Good Mobile
Control.
• Add iPhone users to Good Mobile Control and choose the policy
set that you want to apply to them
Good Mobile Control communicates with the Exchange server for
passcode and access policy settings and then with the Good
Operations Center to upload WiFi, VPN, and email configuration
settings. Next, the device downloads the configuration settings from
the Operations Center and inherits the passcode and access policies
via ActiveSync from the Exchange server.
For more information, see:
• “Setting iPhone Policies” on page 64
• “Viewing and Using iPhone Information” on page 75
• “Wiping iPhone Data” on page 77
• “Other Management Tasks” on page 78
Good Mobile Control console communicates with the Good Mobile
Control server process. To access the console, administrators enter a
URL to the server. Console use is controlled by the roles that you
assign to the administrators who use it.
You will use Good Mobile Control console to assign handhelds to
users, to set up, monitor, and manage the handhelds, to create and
manage policy sets, and, when supported handhelds other than
iPhones are present, to manage the Good Messaging servers. Most of
the handheld management tasks are initiated from the console's
Handhelds, Policies, and servers pages.
Good Mobile Control console Management Tabs
You can use these windows to display ongoing handheld activity, set
handheld policies, erase data, and otherwise manage handhelds and
servers.
You can limit access to Good Mobile Control facilities using the role-based administration feature. You can define roles (such as Help
Desk user) and customize the rights for this administrative user. For
example, you can allow Help Desk users to add new users, but not
allow remote wiping of handhelds.
Use Good Mobile Control console to add handhelds to a server and
to configure the policies to be downloaded to the handhelds
wirelessly.
Wireless download begins with the Good Mobile Control console
sending email to the user whose handheld is to be set up (if the OTA
policy has been set to send welcome email). The email contains a PIN
and URL that the user will need to initiate the download and setup.
The user downloads OTA Setup from the URL site and runs it to
completion, entering the PIN when prompted. You can set policies for
PIN expiration and reuse (refer to “Creating and Changing Handheld
Policy Sets and Templates” on page 138).
As prerequisites to setup, the handheld must have the proper amount
of available memory and have established phone and data services
running on it.
2 Pre-installation
This chapter provides detailed instructions for preparing for
installation of the Good Mobile Control server and console.
If you will be using the full Good Mobile Messaging capabilities
to manage a variety of handheld types, you will also need to install
Good Mobile Messaging servers. For complete instructions, refer to
the Good Mobile Messaging Administrator’s Guide.
Before doing the installation, you will need to perform the following
tasks. Each task is explained in the following sections.
• Check prerequisites; perform initial Good Mobile Control server
host configuration
• Set up the GoodAdminGMC user accounts and permissions
• Set the required GoodAdminGMC local permissions for each
Good Mobile Control server host machine.
Checking Prerequisites and System Requirements
Ensure that the Good Mobile Control server host machine, and your
Exchange server, conform to the following prerequisites. Good
Mobile Control server cannot run on the same host machine as
Microsoft Exchange server. The Good Mobile Control server should
be close to its SQL database (the database can exist prior to
installation and be local or remote, or will be installed along with
Good Mobile Control).
Good Mobile Control server host requirements:
• For 500 users: Intel® Pentium® IV or dual-core Intel® Xeon®
processor (2GHz or greater), 1.5 GB RAM; for 1,000 users: Intel
Pentium IV dual processor (2GHz or greater), 2GB RAM
• Minimum 40 GB hard disk space
Good Mobile Control server requirements:
• If you limit outbound HTTP and HTTPS on your firewall, you
should open outbound ports 80 and 443 for IP ranges
216.136.156.64/27 and 198.76.161.0/24 for Good Messaging to
work properly. (Version 5 required that you open outbound ports
80 and 443 for IP address 198.76.161.28 for Good Messaging to
work properly. Version 6 requires, in addition, IP address
198.76.161.29 for use by Good Mobile Control.) Do not put the
Good Mobile Control server in the DMZ zone or block any LAN
ports.
The Windows firewall is not supported for use with Good Mobile
Control. Note that in Windows 2008, the Windows firewall is
turned on by default. If currently on, turn off the firewall in
Windows 2003 or 2008.
• The host machine should not have an MSDE or SQL server
installed on it, unless you choose to create a database on an
existing Microsoft SQL 2005 server for use with Good Mobile
Messaging (not recommended). To uninstall SQL if present, refer
to “Uninstalling SQL server” on page 306.
• Before installing Good Mobile Control servers, ensure that the
host machines’ time and date are set to your network's correct
time and date. Otherwise, errors such as a Security Alert
regarding a problem with the site's security certificate may occur.
• Windows 2003 server SP1/SP2
(Windows 2000 is not supported.)
Windows 2003 SP1
a. Install MMC 3.0 - Download from http://support.microsoft.com/kb/907265
b. Install .NET Framework 2.0 - Download from
http://www.microsoft.com/downloads/details.aspx?FamilyId=333325FD-AE52-4E35-B531-508D977D32A6&displaylang=en
c. Install .NET Framework 2.0 SP1 - Download from
http://www.microsoft.com/downloads/details.aspx?FamilyID=AB99342F-5D1A-413D-8319-81DA479AB0D7&displaylang=en
d. Windows PowerShell - Download from http://support.microsoft.com/kb/926139
Windows 2003 SP2
a. Install .NET Framework 2.0 SP1 - Download from
http://www.microsoft.com/downloads/details.aspx?FamilyID=AB99342F-5D1A-413D-8319-81DA479AB0D7&displaylang=en
b. Install Windows PowerShell - Download from http://support.microsoft.com/kb/926139
• Exchange 2007 SP1 with Exchange 2007 Management Tools
Installing the Management Tools
If you have the Exchange 2007 SP1 installation media, you can
install the tools from there. Otherwise, for Exchange 2007 with
SP1, download from
http://www.microsoft.com/downloads/details.aspx?FamilyId=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en
a. Open setup.exe. If all prerequisites are met, the 4th step below
will be highlighted.
b. Click on Install Microsoft Exchange.
c. Select Custom and Exchange Management tools. Click Next.
Select Management Tools and click Next to complete the
installation.
• A service Login account (Windows NT Domain account). This
account should have the following permissions/be a member of
the following groups:
- Domain Users
- Exchange Organization Administrators
- Exchange Recipient Administrators
The user for this account should be added to and granted
Administrative privileges in the local Administrator Group on the
server. (If you’ll be using Good Mobile Messaging servers to
support non-iPhone handhelds, those servers will require a
different account.)
• ActiveSync deployment should be done per Microsoft
instructions. Note that ActiveSync requires configuring your
firewall to allow incoming connections on port 443. Refer to
Microsoft technical documentation for further instructions on
deploying ActiveSync:
http://technet.microsoft.com/en-us/library/aa995962.aspx
An OWA or other ActiveSync host must be functional for the
Exchange 2007 SP1 servers in the site.
• ActiveSync communication between the iPhone and the Exchange
server requires that the client trust the SSL certificate sent by the
server. If the Exchange server has a self-signed certificate, the
iPhone client will not trust it, and the end user must manually
accept the certificate during the over-the-air setup process. If the
Exchange server has a certificate signed by a well-known
Certificate Authority (CA), the iPhone client will trust it, and the
end user will not be required to accept the certificate manually.
• At least one Exchange server must accept anonymous SMTP
requests. In addition, if you have rules in place that cause Good
Mobile Control’s anonymous SMTP email to be handled by a
receive connector (Good Mobile Control’s IP address falls within
the receive connector’s “Remote IP Addresses”) and that receive
connector requires that the sender be another Exchange server,
the Good server’s address must be removed from this connector’s
addresses so that the Good server’s email is handled by a different
Exchange server/receive connector that allows anonymous SMTP
requests.
Refer to Good’s knowledge base (http://www.good.com/faq/18509.html)
for more information on changing these settings.
If this requirement is not met, Good welcome email to iPhones,
which initiates the handheld setup process, will not be delivered
properly (and the Good console Resend option for welcome email
will not work).
• GMC uses a PowerShell SMTP client for sending welcome and
update email to iPhone users. Depending on your Exchange
environment configuration, you may need to do the following in
order to ensure these emails are delivered properly:
- GMC uses the Unified Principal Name (UPN) as the SMTP
"from" address. Although this looks like an SMTP address, it
may not be an actual SMTP address in your enterprise, and
your Exchange server may treat this email as SPAM. You can
override GMC's value of the "from" address by adding the
following to GMC's config.props (on one line), then restarting
GMC:
activesync.iphone.email.smtp.sender <valid_SMTP_from_address>
- GMC interrogates Exchange to determine the hosts that can
send SMTP email and uses rules to determine a list of hosts to
use for a user whose SMTP address is "name@domain." The
list of hosts used will appear in the GMC logs when an email is
being sent and can be checked for correctness. If the list of
hosts is wrong, the GMC-determined list can be overridden by
adding the following to GMC's config.props (on one line), then
restarting GMC:
activesync.iphone.email.smtp.hosts <domain1>=<host1>[,<host2>]... [<domain2>=<host3>[,<host4>]...]...
As an example:
activesync.iphone.email.smtp.hosts foo.com=MSEX1,MSEX2 sub.foo.com=MSEX3
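The following check for the two config.props overrides described above is an added example, not part of the guide or of Good's software. It parses the sender and hosts keys and reports entries that are malformed or that were wrapped onto a second line; the sample fragments, the sender address and the shape checks are constructed assumptions.

```python
import re

SENDER_KEY = "activesync.iphone.email.smtp.sender"
HOSTS_KEY = "activesync.iphone.email.smtp.hosts"

# Simple shape checks meant to catch typos, not to implement the SMTP RFCs.
ADDRESS_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
ENTRY_RE = re.compile(r"^[^\s=]+=\S*$")  # token shaped like domain=host[,host]


def parse_hosts_value(value):
    """Split 'dom1=h1,h2 dom2=h3' into ({domain: [hosts]}, [problems])."""
    mapping, problems = {}, []
    for entry in value.split():
        domain, sep, host_list = entry.partition("=")
        hosts = host_list.split(",")
        if not sep or not DOMAIN_RE.match(domain):
            problems.append(f"malformed entry {entry!r}")
        elif not all(HOST_RE.match(h) for h in hosts):
            problems.append(f"empty or invalid host in {entry!r}")
        elif domain.lower() in mapping:
            problems.append(f"domain {domain!r} listed more than once")
        else:
            mapping[domain.lower()] = hosts
    return mapping, problems


def check_overrides(text):
    """Return {'sender', 'hosts', 'problems'} for the two override keys."""
    result = {"sender": None, "hosts": {}, "problems": []}
    previous_key = None
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts:
            continue  # blank line
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == SENDER_KEY:
            if ADDRESS_RE.match(value):
                result["sender"] = value
            else:
                result["problems"].append(
                    f"line {number}: sender {value!r} is not an SMTP address")
        elif key == HOSTS_KEY:
            mapping, problems = parse_hosts_value(value)
            if not value:
                problems.append("hosts key has no value on its line")
            result["hosts"].update(mapping)
            result["problems"] += [f"line {number}: {p}" for p in problems]
        elif previous_key == HOSTS_KEY and ENTRY_RE.match(key):
            # The value was wrapped: these entries are cut off from the key.
            result["problems"].append(
                f"line {number}: {key!r} is not on one line with {HOSTS_KEY}")
            continue  # stay "inside" the wrapped hosts value
        previous_key = key
    return result


# Constructed config.props fragments (not taken from a real deployment).
GOOD = (
    "activesync.iphone.email.smtp.sender gmc-notify@foo.com\n"
    "activesync.iphone.email.smtp.hosts foo.com=MSEX1,MSEX2 sub.foo.com=MSEX3\n"
)
WRAPPED = (
    "activesync.iphone.email.smtp.sender jsmith\n"
    "activesync.iphone.email.smtp.hosts foo.com=MSEX1,MSEX2\n"
    "sub.foo.com=MSEX3\n"
)

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WRAPPED", WRAPPED)):
        print(name, check_overrides(text))
```

Run it against a copy of config.props before restarting GMC; any reported problem means the override would not be read as the one-line form the guide requires.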
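For the outbound firewall requirement in the first bullet of this list, the following added example (not from the guide or from Good's software) compares a set of outbound allow rules with the two documented ranges on ports 80 and 443. The rule format and both sample rule sets are constructed for illustration.

```python
import ipaddress

# Destinations and ports the guide says must be reachable outbound.
REQUIRED_NETS = [ipaddress.ip_network(n)
                 for n in ("216.136.156.64/27", "198.76.161.0/24")]
REQUIRED_PORTS = (80, 443)


def _parse(rules):
    """Turn (dest_cidr, tcp_port) pairs into (ip_network, port) pairs."""
    return [(ipaddress.ip_network(dest), port) for dest, port in rules]


def is_allowed(rules, ip, port):
    """True if some outbound allow rule covers ip:port."""
    addr = ipaddress.ip_address(ip)
    return any(p == port and addr in net for net, p in _parse(rules))


def audit_egress(rules):
    """Compare outbound allow rules with the ranges the guide lists.

    Returns ("missing", cidr, port) for each required range that is not
    fully allowed, and ("wider-than-documented", cidr, port) for each
    rule on 80/443 that reaches beyond the two documented ranges.
    """
    parsed = _parse(rules)
    findings = []
    for port in REQUIRED_PORTS:
        # Merge adjacent rules so that two /25s count as covering a /24.
        allowed = list(ipaddress.collapse_addresses(
            net for net, p in parsed if p == port))
        for need in REQUIRED_NETS:
            if not any(need.subnet_of(a) for a in allowed):
                findings.append(("missing", str(need), port))
    for net, port in parsed:
        if port in REQUIRED_PORTS and not any(
                net.subnet_of(need) for need in REQUIRED_NETS):
            findings.append(("wider-than-documented", str(net), port))
    return findings


# Constructed rule set that still carries the single-address rule the
# guide describes for Version 5 (198.76.161.28 only).
V5_ERA_RULES = [
    ("216.136.156.64/27", 80), ("216.136.156.64/27", 443),
    ("198.76.161.28/32", 80), ("198.76.161.28/32", 443),
]

# Constructed rule set: the /24 is split into two /25s on port 80, and
# port 443 is open to any destination.
SPLIT_AND_OPEN_RULES = [
    ("216.136.156.64/27", 80),
    ("198.76.161.0/25", 80), ("198.76.161.128/25", 80),
    ("0.0.0.0/0", 443),
]

if __name__ == "__main__":
    for name, rules in (("v5-era", V5_ERA_RULES),
                        ("split-and-open", SPLIT_AND_OPEN_RULES)):
        print(name, audit_egress(rules))
```

The first sample shows why a rule set carried over from Version 5 fails: 198.76.161.29, which the guide says Version 6 needs for Good Mobile Control, is not covered by the single-address rule.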
iPhone requirements:
• We recommend that iPhones have only factory settings.
Any Exchange email configuration on the iPhone must be
removed, using Settings->Email Accounts.
• Every Good Messaging user account must be set up with an SMTP
address (the standard Microsoft Exchange configuration).
• We recommend that you initially disable ActiveSync access for all
users. As users are added to Good Mobile Control, the console
will automatically enable ActiveSync access on a per-user basis
regardless of the prior state of ActiveSync access for these users.
As users are removed from Good Mobile Control, the console will
automatically disable ActiveSync access for these users.
To disable ActiveSync access for a mailbox:
a. Open Exchange Management console.
b. Pick “Recipient Configuration” -> “Mailbox” from the tree control in the left hand pane.
c. Highlight the user you want to Manage.
d. Right click to open a context-sensitive menu and select “Properties” to open the Properties window for the user.
e. Click the “Mailbox Features” tab.
f. Select “Exchange ActiveSync” if it shows a status of “Enabled”
and click the “Disable” action.
• The handheld must have active, supported voice and network
data services. The user can make a call and browse the web with
the handheld to confirm the presence of these services.
• The handheld battery should be fully charged (an alert will be
displayed if the battery is below 20% and again at 10%).
• Users will be informed automatically by Good Mobile Control
console when you perform the wireless handheld setup. The
console will email instructions to the user’s email account
describing how the user is to complete the setup wirelessly.
We recommend that you alert users in advance to expect these
Good Messaging email instructions and to fully charge their
handhelds before performing the setup. They will need to be in
radio coverage for the setup to complete successfully.
Good Mobile Control SQL, .NET Framework, and console
requirements (links subject to change). Note these requirements if
you plan to use an SQL server of your own (not recommended);
otherwise, Good Mobile Control will install SQL Express for you:
• Microsoft .NET Framework 2.0 Service Pack 1 (x86):
http://www.microsoft.com/downloads/details.aspx?familyid=79BC3B77-E02C-4AD3-AACF-A7633F706BA5&displaylang=en#Requirements
• Good Mobile Control:
Microsoft Internet Explorer 7.0 or Firefox 2.0. Internet Explorer 6.0
is not supported.
• Microsoft SQL server 2005 Express Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=D07219B2-1E23-49C8-8F0C-63FA18F26D3A&displaylang=en#Requirements
http://www.microsoft.com/sql/editions/express/sysreqs.mspx
• Microsoft SQL server Management Studio Express Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6053c6f8-82c8-479c-b25b-9aca13141c9e&DisplayLang=en#Requirements
Preparing for SQL server Use
Good Mobile Control requires access to an SQL server. You can use
an existing Enterprise SQL server 2005 or SQL server instance
available within the organization. Good Mobile Control server can
connect to a remote SQL server/instance without problems. If you
don’t have an SQL server that you want to use, a server will be
installed along with the Good Mobile Control.
Multiple Good Mobile Control servers can share an SQL instance
but must use separate databases within that instance. If two Good
Mobile Control servers attach to the same database, data loss may
occur.
Some knowledge of SQL installation, configuration, and maintenance
will be useful if you plan to use an existing database.
You’ll need the name of the service account you will use to run the
Good Mobile Control Service.
SQL servers enforce their own authentication and authorization. If
you encounter an SQL error during the installation process, you’ll
need to confirm that your SQL configuration information was
entered correctly. If you will be using your own previously
installed SQL server instance, gather the following information in
advance. You’ll be required to provide it during Good Mobile
Control server installation.
• The fully qualified machine name of your SQL server instance
• Method of connection to your existing SQL server instance (static port, named instance (dynamic port), or connected to it as the default instance)
  - If static port, the port number
  - If named instance, the instance name
• Authentication mode used to connect to your SQL server instance (Windows authentication/SQL server authentication)
  - If Windows authentication, the service account name entered above must already have a login to SQL server; if not, add a login for the service account name to your SQL server instance, granting it at least the server-level role of “dbcreator.”
  - If SQL server authentication, the SQL server login name you use to connect to SQL server, and the password for this SQL server login. You will be prompted for the login and password during the Good Mobile Control installation. The SQL server login must be a member of the “dbcreator” security role. If not, add the login to the dbcreator security role so that the Good Mobile Control install can create its own database and table within the SQL server instance.
• If your existing database is remote, ensure that TCP/IP is enabled for “Local and Remote connections” on your SQL server instance.
Remote SQL
To use remote access, the IT administrator should configure the
remote SQL server to accept the necessary connections from Good
Mobile Control server. This includes but is not limited to:
• Allowing connections via TCP/IP
• Allowing connections via a preconfigured port
• Opening any necessary port in any firewall between Good Mobile
Control server and the SQL server
• Creating or obtaining a valid SQL server user name and password
to connect to the remote SQL server during installation or the
ability to log in as admin "sa."
We recommend testing remote database SQL server connectivity
before beginning an installation.
Related articles from Microsoft:
• To Configure using TCP/IP - http://support.microsoft.com/kb/914277
• To configure using static Port - http://support.microsoft.com/kb/823938
• Installing SQL server 2005 (complete process) - http://technet.microsoft.com/en-us/library/ms143516(SQL.90).aspx
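One way to run the recommended connectivity test before installation, as an added example that is not part of the Good guide: the PowerShell below builds a connection string for whichever of the three connection methods applies, connects over TCP/IP, and checks that the login holds the dbcreator role. The function names and the sample server and port values are hypothetical.

```powershell
# Added example, not from the Good Mobile Control guide.
# Function names and the sample server/port values are hypothetical.

function New-GmcSqlConnectionString {
    param(
        [Parameter(Mandatory = $true)][string] $Server,   # fully qualified machine name
        [ValidateSet('Default', 'Named', 'Port')][string] $Method = 'Default',
        [string] $InstanceName,                            # required when Method is Named
        [int]    $Port = 0,                                # required when Method is Port
        [string] $SqlLogin,                                # leave empty for Windows authentication
        [string] $SqlPassword
    )

    # The "tcp:" prefix forces TCP/IP, the protocol the guide requires for remote use.
    switch ($Method) {
        'Default' { $dataSource = "tcp:$Server" }
        'Named' {
            if (-not $InstanceName) { throw 'Named instance selected but no instance name supplied.' }
            $dataSource = "tcp:$Server\$InstanceName"
        }
        'Port' {
            if ($Port -lt 1 -or $Port -gt 65535) { throw 'Static port selected but no valid port supplied.' }
            $dataSource = "tcp:$Server,$Port"
        }
    }

    # The builder quotes values safely, so a password containing ';' or '=' cannot
    # alter the rest of the connection string.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']     = $dataSource
    $builder['Initial Catalog'] = 'master'
    $builder['Connect Timeout'] = 10
    if ($SqlLogin) {
        $builder['User ID']  = $SqlLogin
        $builder['Password'] = $SqlPassword
    } else {
        $builder['Integrated Security'] = $true
    }
    $builder.ToString()
}

function Test-GmcSqlPrerequisite {
    param([Parameter(Mandatory = $true)][string] $ConnectionString)

    $result = New-Object PSObject -Property @{
        Connected = $false; Login = $null; IsDbCreator = $false; IsSysAdmin = $false; Error = $null
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $result.Connected = $true
        $cmd = $conn.CreateCommand()
        # IS_SRVROLEMEMBER returns 1 when the current login is a member of the role.
        $cmd.CommandText = "SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('dbcreator'), IS_SRVROLEMEMBER('sysadmin')"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.Login       = $reader.GetValue(0)
            $result.IsDbCreator = ($reader.GetValue(1) -eq 1)
            $result.IsSysAdmin  = ($reader.GetValue(2) -eq 1)
        }
        $reader.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    $result
}

# Sample call for an instance on a static port (values are constructed).
$cs = New-GmcSqlConnectionString -Server 'sql01.example.com' -Method Port -Port 1433
$r  = Test-GmcSqlPrerequisite -ConnectionString $cs

if (-not $r.Connected) {
    "FAIL: could not connect: $($r.Error)"
} elseif (-not ($r.IsDbCreator -or $r.IsSysAdmin)) {
    "FAIL: login $($r.Login) connected but is not a member of dbcreator"
} elseif ($r.IsSysAdmin) {
    "OK: login $($r.Login) is sysadmin, which is more than the dbcreator role the guide asks for"
} else {
    "OK: login $($r.Login) connected and holds dbcreator"
}
```

For Windows authentication, run the session as the service account so that the check exercises that account's SQL login rather than your own.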
Setting Up the Necessary Accounts and Permissions
With the Good Mobile Control server host properly configured,
create the user account and permissions that the server needs to
function. You only need to create this account once. The account, with
the proper permissions, can then be used when installing additional
servers.
When installed, Good Mobile Control servers use services that run
under Windows domain user accounts. These can be Windows NT
Domain accounts.
If you’re also supporting other handhelds, you’ll need two
accounts (referred to in this guide as GoodAdmin and
GoodAdminGMC); they must be separate because they will require
conflicting permissions.
This section describes how to:
• Create the GoodAdminGMC user accounts
• Assign the required Exchange permissions to the user account
• Assign the necessary local permissions on Good Mobile Control
server host machines
Why are these permissions required? The following tables list the
requirements for the GoodAdminGMC account, local permissions
required by the host machines, and the reasons for them. The user
account permissions that are required vary according to the
Exchange environment. The GoodAdminGMC requirements assume
that Good Mobile Control will be using its iPhone features. Use the
procedures provided in the following sections to grant the proper
permissions; do not try to use this table as a standalone installation
guide.
Domain Requirements for GoodAdminGMC Account | Reasons
Domain Users group | Allows Good Mobile Control to log on to the network to access list of users in active directory

Exchange Requirements for GoodAdminGMC Account | Reasons
Exchange Organization Administrators | Allows Good Mobile Control to manage ActiveSync policy settings.
Exchange Recipient Administrators | Allows Good Mobile Control to manage ActiveSync mailbox settings for individual users.

Local Host Requirements for Good Mobile Control server | Reasons
The default local rights that are needed by the GoodAdminGMC account on Good Mobile Control server are granted by default to members of the local Administrators group. Check to confirm that the following are present: |
Back up files and directories | Necessary for directory and file creation/deletion
Allow log on locally | Necessary to run the Good Messaging service
Restore files and directories | Allows creation of the Good Messaging cache, access, and diagnostic logs
Added local rights: |
Log on as a service | The basic permission for a Windows service. Good Messaging servers run as services.
Creating the GoodAdminGMC Account
Set only the permissions listed here; this account should not be part
of any other security group, such as the Domain Admin Group or
Enterprise Admin Group. This user should be part of the following
Admin groups only:
• Domain Users
• Exchange Organization Administrators
• Exchange Recipient Administrators
Use Active Directory Users and Computers to accomplish these
tasks:
1. Launch Active Directory Users and Computers.
2. In the Tree pane of the Active Directory window, select the Users folder in the Windows domain where you will put the new account.
3. From the Action dropdown menu, select New > User.
A New Object - User dialog is displayed.
4. Fill in the New Object - User dialog.
In the following sections, we refer to this Good Mobile Control server user as GoodAdminGMC. The name you choose must be unique in your domain. The name must not contain any special characters.
5. Click Next.
The window displays fields for password information.
6. Enter and confirm a password for the new user.
The password is case sensitive. If checked, uncheck the box "User Must Change Password at Next Logon." Check the box "Password Never Expires." Uncheck any other checked box.
7. Click Next.
8. Check the Create an Exchange mailbox box and click Next. This is optional for this account and may not be needed. However, we recommend creating a mailbox for the account.
A Create Mailbox screen is displayed.
9. In the Create Mailbox window, confirm or correct the mailbox alias and mail server for the new mailbox, and the mailbox store.
10. Click Next.
11. When prompted, click Finish.
12. Add this user to the following groups (right-click on User - Add to Group).
• Exchange Organization Administrators
• Exchange Recipient Administrators
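The group restriction for this account can be checked once the account exists. The PowerShell below is an added example, not part of the Good guide: it compares the account's direct groups with the three the guide allows and follows group nesting to catch indirect membership in Domain Admins or Enterprise Admins. The function names are hypothetical, and the sample data, including the "Messaging Ops" group, is constructed.

```powershell
# Added example, not from the Good Mobile Control guide. Function names are
# hypothetical; the sample data at the bottom is constructed.

# The only groups the guide allows for the GoodAdminGMC account.
$AllowedGroups = @('Domain Users',
                   'Exchange Organization Administrators',
                   'Exchange Recipient Administrators')

# Groups the guide names as ones the account should not be part of.
$ForbiddenGroups = @('Domain Admins', 'Enterprise Admins')

function Get-GmcTransitiveGroups {
    param([string[]] $DirectGroups, [hashtable] $MemberOf)

    # Breadth-first walk over "member of" edges. $seen also protects against
    # circular nesting, which Active Directory permits.
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    foreach ($g in $DirectGroups) { $queue.Enqueue($g) }
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($seen.ContainsKey($g)) { continue }
        $seen[$g] = $true
        foreach ($parent in @($MemberOf[$g])) {
            if ($parent) { $queue.Enqueue($parent) }
        }
    }
    $seen.Keys | Sort-Object
}

function Test-GmcAccountGroups {
    param([string[]] $DirectGroups, [hashtable] $MemberOf = @{})

    $all        = @(Get-GmcTransitiveGroups -DirectGroups $DirectGroups -MemberOf $MemberOf)
    $unexpected = @($DirectGroups  | Where-Object { $AllowedGroups -notcontains $_ })
    $missing    = @($AllowedGroups | Where-Object { $DirectGroups -notcontains $_ })
    $forbidden  = @($all           | Where-Object { $ForbiddenGroups -contains $_ })

    New-Object PSObject -Property @{
        UnexpectedDirect = $unexpected   # direct groups outside the guide's list
        MissingRequired  = $missing      # groups from the guide's list not yet assigned
        ForbiddenReached = $forbidden    # privileged groups reached directly or by nesting
        Compliant        = (($unexpected.Count + $missing.Count + $forbidden.Count) -eq 0)
    }
}

# Constructed sample: the account was also added to a hypothetical
# "Messaging Ops" group, which is itself nested inside Domain Admins.
$direct  = @('Domain Users',
             'Exchange Organization Administrators',
             'Exchange Recipient Administrators',
             'Messaging Ops')
$nesting = @{ 'Messaging Ops' = @('Domain Admins') }

Test-GmcAccountGroups -DirectGroups $direct -MemberOf $nesting | Format-List

# With the ActiveDirectory module installed, the direct groups of the real
# account can be read with:
#   $direct = Get-ADPrincipalGroupMembership -Identity 'GoodAdminGMC' |
#             Select-Object -ExpandProperty Name
```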
Assigning Good Mobile Control server Host Local Permissions
Assign local administrator permissions to the Good Mobile Control
account on each Good Messaging server/Good Mobile Control
server host machine. To do so, add GoodAdminGMC to the local
Administrator group.
Ensure that the Good Mobile Control host machines, and your
Exchange server, conform to the following prerequisites. Good
Messaging server and Good Mobile Control server cannot run on the
same host machine as Microsoft Exchange server.
1. Log on to the server that will host Good Mobile Control server using an account with administrative privileges.
2. From the Start menu, select Programs > Administrative Tools > Computer Management.
3. Expand Local Users and Groups and select Groups.
4. Double-click Administrators.
5. In the Administrators Properties window, click Add.
6. Click GoodAdminGMC and click Add. If GoodAdminGMC isn't listed, use the Look In pull-down to select the domain that the GoodAdminGMC account resides in.
7. Click OK.
GoodAdminGMC is added to the local Administrators group.
8. Click OK to close the Administrators Properties window.
9. Close the Computer Management window.
3 Installation
This chapter provides detailed instructions for installing Good
Mobile Control server.
To get your users up and running, you will need to perform the
following tasks. Each task is explained in detail in the following
sections.
• Install Good Mobile Control server. The Good Mobile Control
console will then be available via the Internet.
• Configure role-based administration (controlling the Good Mobile
Control console features available to an individual or group)
With the installation complete, you will be ready to prepare
handhelds for use, as described in “Managing the iPhone” on page
57.
Rerunning installation media allows you to select the “Repair”
option. Use this option to change installation settings.
Installing Good Mobile Control server
Use the following procedure to install Good Mobile Control server.
The Good Mobile Control server host machine must be configured as
described in “Checking Prerequisites and System Requirements” on
page 9. This host should be secure (the machine should be located in
a secure location and the proper permissions should be set to control
access to the machine).
We recommend against running BlackBerry™ Enterprise server on
the same machine as Good Mobile Control server, when both are
present.
1. Begin by logging on to the machine where the Good Mobile Control server is to be installed. You’ll need “local administrator” privileges for Good Mobile Control server installation.
Good Mobile Control server and Good Mobile Messaging server (used for non-iPhone management) cannot use the same service account.
2. Execute setup.exe from the Good distribution media.
An Installation Manager screen is displayed.
3. Click Add/Remove for Good Mobile Control server.
The program checks for the presence of required Windows and
Exchange components, as listed in “Checking Prerequisites and
System Requirements” on page 9. You may be informed that files
are being updated.
Otherwise, installation files are extracted from the Good
distribution media.
If an earlier version of Good Mobile Control server is detected,
you will be prompted to upgrade it. If the same version of Good
Mobile Control server is detected, you will be prompted to either
repair or uninstall it.
4. When the process is complete, click Next.
The installation wizard is launched to guide you through the rest of the setup process.
An initial installation window is displayed.
5. Click Next.
A License Agreement window opens.
6. To proceed with the installation, you must accept the terms of the Good Technology software license agreement by clicking Yes.
7. Click Next. The installer will check for prerequisite software and setup. You’ll be prompted if problems exist. Refer to the Pre-installation chapter if necessary. Click OK at a prompt to proceed; the installer will rectify the problem when possible.
A Windows NT Account Information screen is displayed.
8. In the Login field, enter the user name and password to be used when Good Mobile Control server runs. For example: Domain\GoodAdminGMC. The name isn’t case sensitive. The current logged-in user and domain are displayed as the default.
Enter the account password you set up for the GoodAdminGMC account. The password is case sensitive. The installation wizard tests the username and password that you provide. If they don’t work, you are warned.
9. Click Next.
A Good Mobile Control server Installation Location screen is
displayed.
10. Accept the default location for Good Mobile Control server software or browse to select a different location. If the default folder does not exist, the wizard will ask you if it should be created.
11. Click Next when done.
A Choose Log Directory screen is displayed.
12. Accept the default
location for the Good Messaging log or browse
to select a different location. If the folder does not exist, the wizard
will ask you if it should be created. This directory should be
secure.
This log file records the administrative tasks performed by Good
Mobile Control console. It contains auditing information about
when the tasks were performed and who performed them. Event
messages are recorded in the Windows Event Viewer Application
log.
For better performance, you can locate the directory on the fastest
local disk. Click Next when done.
Important: Exclude this directory from anti-virus and backup
software, to prevent file contention and performance issues.
The setup program displays the information you have entered.
13. If the information is correct, click Next.
Next, a Setup Type screen is displayed.
14. Accept the default standalone option, or, if you’re installing in a clustered environment, choose the failover option and refer to the clustering chapter in the Good Mobile Messaging Administrator’s Guide.
Choose the standalone option if you’ll be using cold failover.
A screen for selecting the host of the SQL server is displayed.
15. Select Local SQL server Host (this current machine) or Remote SQL server Host for the SQL server host. We recommend that you allow the installation program to create a local instance for your use.
SQL instance and database: An instance is an SQL installation, one
per host. An instance can contain multiple databases.
Multiple Good Mobile Control servers can share an SQL
instance but must use separate databases within that instance. If
two Good Mobile Control servers attach to the same database,
data loss may occur.
If you select Local SQL server Host, the SQL server need not be
present. If you select Remote SQL server Host, it must exist. You
might select Remote SQL server Host if, for example, your
organization maintains a database farm to ensure protection and
scalability of application data.
If you select Remote SQL server Host, enter the host name for the
server in the format Hostname.domain_name (e.g.,
SQLserverHostName.domain.com).
If you use a local instance of SQL server 2005 Express, you’ll have
the option of enabling automatic backup of the database.
For information on SQL setup requirements for use with Good
Mobile Control, refer to “Preparing for SQL server Use” on
page 17.
16. Click Next.
17. Specify the type of SQL instance that the Good Mobile Control database will be created in. If you select the Named Instance or Port Number radio button, you must enter a value in the associated field or an error will be returned.
Warning: Multiple Good Mobile Control servers can share an
SQL instance but must use separate databases within that
instance. If two Good Mobile Control servers attach to the same
database, data loss may occur.
Do not automatically select the default. You must select the
correct field of the three to describe the instance that is to be
used.
Click Default Instance if the SQL database is to be created in the
default instance, local or remote. If it doesn’t exist, it isn’t created;
an error is returned.
Click Named Instance and provide a name for the instance if the
database is to be created in a named instance. If it does not exist
and is local, it will be created; if it does not exist and is remote, an
error is returned. Choose a meaningful name to avoid future
confusion.
Click Port Number and provide a port number if an instance
using a static port number is to be used. If it doesn’t exist, it isn’t
created; an error is returned.
SQL servers enforce their own authentication and authorization.
If you encounter an error, refer to “Preparing for SQL server
Use” on page 17 to recheck your current SQL setup.
18. Click Next.
A named database will be created in the SQL server instance that
you have specified or that is to be created locally. Enter a name of
your choice for the database here. Remember that multiple Good
Mobile Control servers can share an instance but must use
separate databases.
19. Click Next.
If the SQL database that Good Mobile Control uses is to be created
in an existing instance of an SQL server and your current logon
username and password are not those required by the server,
you’ll be prompted for them now.
If you’ve specified that a new instance be created, an
Authentication Mode screen is displayed.
20. Choose an authentication mode for the SQL server.
Windows Authentication Mode allows you to access the SQL
database using your logon username and password. Mixed Mode
requires you to specify a password for database access. Use mixed
mode if you want access to the database to be controlled by this
separate password.
For mixed mode, enter and confirm the logon password. Observe
the following rules when choosing a password:
• The password must contain all or part of the account name of
the user. Part of an account name is defined as three or more
consecutive alphanumeric characters delimited on both ends
by white space such as space, tab, and return, or any of the
following characters: comma (,), period (.), hyphen (-),
underscore (_), or number sign (#).
• The password must be at least eight characters long.
• The password must contain characters from three of the
following four categories:
- Latin uppercase letters (A through Z)
- Latin lowercase letters (a through z)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters such as: exclamation point (!),
dollar sign ($), number sign (#), or percent (%).
Passwords can be up to 128 characters long. You should use
passwords that are as long and complex as possible.
21. Click Next.
At this point, if the local machine doesn't have Microsoft .NET Framework 2.0 installed, the setup program will install it. Click OK if prompted, to initiate the installation.
If the local machine doesn't have Microsoft SQL server Express
installed, the setup program will next install it. Again, click OK if
prompted to install it.
22. Specify a location for the database directory by clicking Next to accept the default or browse to choose a different location.
If the directory that you specify does not exist, you’ll be prompted
to accept its creation. The destination folder name cannot exceed
50 characters in length.
With the database directory specified, the setup program will
commence installation of the database. A series of progress
screens is displayed.
23. When the Good Mobile Control server Registration Information screen is displayed, enter your license key, serial number, and a name for the server.
24. Click Next.
25. You can use an approved proxy server to communicate with Good
Messaging Network Operations Center if you are unable to grant
access via your firewall. The proxy server can be configured
without granting additional access on the firewall.
Note: HTTP/1.1 is required. HTTP/1.0 is not supported. The
Good Messaging servers and Good Mobile Control servers have
been tested for use with the Squid 2.4 proxy server and a
NetCache 3100 proxy server (NetApp Release 5.2.1R2) set with
basic configurations.
Proxy Address is the IP address or name of the proxy server to
use.
Proxy Port is the port of the proxy server to use.
User is the username to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
Password is the password to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
To correct/change information entered on this screen, run this
setup program and use its “repair” option.
The proxy server must be configured to allow at least 5 minutes of
idle time before timing out Good Messaging server or Good
Mobile Control server connections.
The usernames and passwords for connecting to the proxy server
must not contain ':', '@' or '/' characters.
26. Click Next.
27. Select Active Directory and click Next.
28. If you want to use Good Mobile Control support for iPhones in the console, check the Enable iPhone checkbox.
29. Enter your company name, to be displayed on the iPhone during Mobile Control setup.
30. Enter the Exchange ActiveSync hostname (for example, OWA.domain_name.com).
31. Click Next. The installation program will check for necessary prerequisites for Mobile Control support for iPhones. A reminder is displayed that the service account for the server cannot be the same as for the Good Messaging server, if those will later be present for non-iPhone management.
32. Enter the Active Directory domain name to use for directory lookups for Good Mobile users.
33. Click Next.
34. Enter the name of the user to be the Good Mobile Control console Superuser. There can be only one. The Superuser can later enable other users to perform a subset of console tasks. Only the Superuser can access the console the first time. For more on the Superuser function, refer to “The Superuser” on page 130.
35. Click Next.
36. Provide the path to a directory for automatic remote backup of the SQL database that Good Mobile Control uses. Incremental backups occur hourly; a full backup is performed once a day. This is not configurable. Specify the number of days of backup copies to keep. The default is 7.
To alter backup parameters, click the checkbox to disable
automatic backup and use instead the backup facilities of the full
version of SQL server.
For more information about backing up and restoring the SQL
database that Good Mobile Control uses, see “Backing up and
Restoring the Good Mobile Control Database” on page 91.
37. Click Next.
38. Review the information that you have entered. If correct, click Next to initiate installation of the Good Mobile Control server.
A screen is displayed to indicate installation progress. When the process is complete, you are notified.
39. Ensure that the “Start Good Mobile Control server service” checkbox is checked. The Good Mobile Control server must be up and running in order to install Good Messaging server, as described in the following section.
40. Click Finish.
Configuring the Good Mobile Control Console
Access the Good Mobile Control console using Firefox 2.0 or Internet
Explorer 7.0. Use the console to manage Good Messaging and Good
Access users and handhelds.
Note: First console access must be by the Superuser specified during
Good Mobile Control server installation.
Launch the console using https://servername:8443 or http://servername:8080, where servername is the name of the machine on which Good Mobile Control server is installed, or, from that machine itself, http://localhost:8080. Use your Windows username and password to log in. The role that you have been assigned (“Setting Up Role-Based Administration” on page 49) determines your console rights and the actions that you can perform. You must be a member of a role to use the console. All Good servers to be managed through the Good Mobile Control server register themselves with the Center during installation and will be available to you through the console.
Note: The Good Mobile Control session in your browser will time out
after one hour of no activity. The timeout is not configurable.
Understanding Console Filters
You’ll use the console to display and manage lists of users,
handhelds, and servers and information about them. You can
configure filters to limit the lists to those specific items that you are
interested in. With only items of interest displayed, you can apply
bulk actions, such as applying the same policy settings to all the
handhelds that you choose.
To configure filtering, use the left panel on the Handhelds page and
servers page. You can hide or display this panel on the Handhelds
page by clicking the arrow in the panel’s right border and on the
servers page by using the Show/Hide Filters button.
On the Handhelds page, the left panel automatically lists all policy
sets, groups, servers, and platforms. Clicking checkboxes within a
category limits the handhelds listed to those in the selected items.
Clicking checkboxes in more than one category limits the handhelds
listed to only those that are included in at least one selected item in
each category.
Setting Up Role-Based Administration
When you installed Good Mobile Control server, Good Mobile
Control console was made available to you on the Internet.
You can control and limit the tasks performed by an individual or
group using Good Mobile Control console. To do so, you’ll create
roles for different users and groups of users for Good Mobile Control
console. The console comes with several predefined roles that you
can use (roles for service administrator, administrator, and helpdesk).
You can also create additional roles now. Finally, you can create,
delete, and reassign roles at any later time as needed.
A member of two roles receives the rights of both roles.
Note: The first time you launch the console, you must be logged on as
the Superuser you specified when installing the Good Mobile Control
server. For more on the Superuser function, refer to “The Superuser”
on page 130. You can then use the console to grant access to other
accounts using the Role Based Administration feature.
The Superuser automatically has all rights and need not be assigned
to a role.
To create new roles and limit access to Good Mobile Control console
features, perform the following steps:
1. Log in to the Good Mobile Control console.
2. Click the Roles tab.
A list of all currently defined roles is displayed in the left panel.
Note that some of these roles apply to use of Good Mobile
Messaging servers and management of non-iPhone handhelds.
Default Roles | Default Rights
Service Administrator | All rights: Add handheld for OTA Setup, Delete handheld, Add additional handhelds for a user, Manage handheld policy and software, Handheld authentication, Erase handheld data and lock out user, View OTA setup PIN, Manage servers (Manage Good Messaging server: Clear server statistics using the console; display server license key in server Properties window; Upload custom software; Configure OTA Setup software download), Manage roles, Manage OTA Email Templates, Manage custom software
Administrator | Add handheld for OTA Setup, Delete Handheld, Add additional handhelds for a user, Manage handheld policy and software, Handheld authentication, Erase handheld data and lock out user, View OTA setup PIN, Manage servers*, Manage OTA Email Templates, Manage custom software.
Help Desk | Add handheld for OTA Setup, Delete Handheld, Add additional handhelds for a user, Erase handheld data and lock out user
3. To add a new role, click the Add link above the left panel.
The Add Role page opens.
4. Enter a name for the new role and describe its purpose. For example, if the role is to provide the IT administrator with full rights for use of the console, you might name the role Good Messaging Admin and in Description type “This role grants full console rights to the IT administrator.”
5. Click the Add Role button.
By default the new role is assigned View-Only Administrator rights (view all data except sensitive data such as OTA PINs).
6. Click on “Change the rights for this role.”
The Change Rights page opens.
7. Click the All Rights radio button to give this role full rights in the console (view and edit all data). These are the default rights for the Service Administrator role.
8. Click on Custom and click on individual rights to limit this role’s use of the console.
9. Click the Custom radio button and check the boxes for the desired rights for the role.
Handheld Rights
• Add handheld for a user - Add first handheld for a user.
• Delete handhelds
• Add additional handhelds for a user - Roles with this right can
add more than one handheld for a user. They must have the
'Add handheld for a user' right in addition to this right to add
the first handheld for a user.
• Manage handheld policy and software - Modify inheritance
and customize handheld policy (except Handheld
Authentication policies, unless that role is also checked)
• Handheld authentication - Modify handheld authentication
policies
Handheld Security Rights
• Erase handheld data and lock handheld.
• View OTA setup PIN
Server Rights
• Manage servers - Manage servers. Includes the ability to check
IP ranges, upload server logs, manage backup settings, and
view complete server information such as license key.
Deployment Rights
• Manage roles - View, create, edit and delete roles. Includes the
ability to manage rights and membership for a role.
• Manage OTA email templates - Create, edit and delete OTA
Email Templates.
• Manage custom software - Upload and remove custom
software.
10. Click on Update to save your changes.
11. To remove users from this role, click the checkbox next to each
user to be removed and click Delete.
12. Click on the Add button under Members to add users to the role.
The Add Role Members page opens.
13. Choose a domain from the dropdown and enter the partial name
of a corporate user to be added to the role. Click Look Now and
then select the desired name(s) in the panel for search results.
14. Click Add to add this name to the new role.
The Superuser
The Superuser is handled differently in the console from the other
users. The Superuser is granted all rights and can perform some tasks
that no other user can perform. The Superuser does not need to be
assigned to a role. There can be only one Superuser.
You specify a Superuser name during Good Mobile Control server
installation. You can change this name later on the Settings tab.
The Superuser must run the Good Mobile Control console the first
time it is accessed, and can then provide rights/roles for other users.
The Superuser has all rights, including the following rights:
• Create new roles
• Enable FIPS for handhelds
• Enable detailed logging for handhelds
• Pausing handhelds
Note: If you change the Superuser, you’ll lose your current Superuser
rights when you exit the console.
To change the Superuser:
1. In the Good Mobile Control console, click the Settings tab.
2. Click the Superuser link in the left panel.
3. Click Change Superuser.
4. Choose a domain from the dropdown menu and enter the partial
name of a corporate user. Click Look Now and then select the
desired name in the panel for search results.
5. Click Change Superuser to assign the user as the Superuser.
4 Managing the iPhone
Preparing for iPhone Setup
This section describes how to prepare to set up new iPhones
wirelessly, using the Good Mobile Control console.
Note: A user’s Good Mobile account cannot be used to manage
multiple iPhones for a single user.
Before setup:
• Under Good Mobile management, Outlook contacts and calendar
will replace personal contacts on the iPhone. Users should move
all contacts and calendar items to Outlook or back them up before
their iPhones are set up for Good Mobile use.
• Users will be informed automatically by Good Mobile Control
console when you perform the wireless handheld setup. The
console will email instructions to the user’s email account
describing how the user is to complete the setup wirelessly.
We recommend that you alert users in advance to expect these
Good Messaging email instructions and to fully charge their
handhelds before performing the setup. They will need to be in
radio coverage for the setup to complete successfully.
Setting Up the iPhones
Setting up an iPhone for the first time consists of:
• Adding the iPhone/user to Good Mobile Control
• Automatically sending welcome information to the user’s mailbox
• iPhone user accessing the iPhone Setup Portal using the iPhone's
Safari browser and entering the credentials provided in the
welcome email
• Email, VPN, and WiFi settings on iPhone are automatically
configured via installation of a configuration profile, wirelessly
OTA
• Data exchange between the handheld and Exchange server via
ActiveSync
• Enforcement of security policies on the iPhone, wirelessly via
ActiveSync
To set up a new iPhone wirelessly:
1. Click the Add handhelds link in the Quick Start box on the Good
Mobile Control console home page, or click the Add Handhelds
button on the Handhelds tab.
2. Click the iPhone radio button.
3. Enter a full or partial first or last name in the “Find user” field and
click the Look Now button to list matching individuals in your
corporate directory. Click on the user name in the search results to
add a user with handhelds that you want to set up to the user list
on the Handhelds tab (maximum of 75). They’re added in the
“Add new handhelds for” box.
To add multiple users, select them one by one.
4. Use the pulldown to the right to assign a policy set to the user(s).
You can manage an iPhone’s passcode, WiFi, and VPN settings by
configuring a policy set for it. The console maintains a default
version of these settings. You can change the default settings.
To change a policy set or add a new set for use by this handheld,
refer to “Setting iPhone Policies” on page 64 after setup is
complete.
5. Click the Add button.
The user(s) are added to the current list of users/handhelds on the
Handhelds tab.
If the user is already set up with a Good Mobile Messaging
handheld and you’re adding this iPhone for the same Exchange
server account, it will be treated as a new user/handheld item, on
a separate line. The user with more than one handheld running
his/her account is displayed in the console once each for every
handheld. In other words, there is a one-to-one correspondence in
the user list between user and handheld.
Note: Hidden mailboxes are not supported and won’t be
displayed in the list. Do not hide a user’s mailbox while it is active
in Good Messaging. When adding a user to Good Messaging,
users with hidden mailboxes will be listed and can be added;
however, any attempt to complete handheld setup will fail.
User name, email address, and policy set are displayed in the row
for the handheld. Use the icon in the far-right column to select
which columns are to be displayed.
The handheld is added to Good Mobile Control. At the same time,
the wireless handheld setup process, described in the following
section, commences.
OTA Setup Process
The following sequence completes the handheld setup.
• The console sends an email message to the user. The default
message contains a PIN and a link to the Good wireless software
download site (http://get.good.com/iPhone). The message
cannot be edited in this release.
You can display the PIN and URL information at the console by
going to the iPhone’s information page. You can set a policy for
PIN expiration and reuse (refer to “Setting or Changing Security
Policies” on page 66). If the PIN has an expiration date, that date is
included in the email message to the user.
• When the user goes to the download site and clicks Download
Now using the handheld browser, the site downloads an iPhone
configuration profile to the handheld.
• The user enters his/her email address and the PIN and clicks the
Authenticate button.
• The user is then prompted to install the configuration profile by
the iPhone OS.
Note that the user must have already removed any Exchange
setups from the iPhone, using Settings->Email Accounts. This
requirement is included in the welcome email.
The user should be alerted to the fact that personal contact and
calendar settings on the iPhone will be replaced by those in the
user’s Outlook account. A warning to this effect is included in the
welcome email.
To view the Welcome email template, click on Settings/Email
Templates.
Click on the welcome email template of interest to display the
welcome message.
The text is similar to the following:
Before you begin, ensure that you have network
coverage and that your iPhone does not have an
Exchange email account configured. If your device
already has an Exchange email account configured,
remove the configuration before proceeding. You
can remove the configuration on the Mail, Contacts, Calendar screen under Settings.
Once your iPhone is ready, follow these steps:
Step 1: Using your iPhone's mobile Safari browser,
visit http://get.good.com/iphone.
Step 2: Log in with the following information:
Username: jdoe@acme.com
PIN: s02L89
Your PIN will expire in <xyz> days.
Step 3: Your iPhone will prompt you to install a
profile. Press Install, and confirm by pressing
Install Now in the next dialog. Follow the prompts
and enter additional information such as your
account passcodes when asked.
Step 4: Press Done after the profile is installed.
Return to the Home screen. Your device is provisioned and you are Good to Go!
For Helpdesk reference, user display name: John
Doe
This template cannot be edited in this release.
Setup is completed automatically, wirelessly, as described in
“Completing the Setup Process”.
Completing the Setup Process
Once started, iPhone setup occurs automatically over the air.
During this time:
• The handheld is activated with the iPhone Setup Portal. To
become fully operational, the handheld will send a message
through ActiveSync, establishing a connection with the Exchange
server and Good Mobile Control managing the handheld.
• Security policies are set up via ActiveSync; WiFi and VPN settings
are set via the configuration profile.
• Exchange and handheld data is synchronized between the user’s
Exchange account and the handheld. For initial setup,
synchronization consists of importing the data from mailbox to
handheld.
• Handheld information is displayed on the handheld’s page in
Good Mobile Control. This information may not be displayed
immediately after set up. Information will be refreshed and
displayed after the next synchronization between Good Mobile
Control and your Exchange 2007 SP1 server.
Setting iPhone Policies
Each iPhone added to Good Mobile Control must have a policy set
assigned to it. Create policy sets as needed to address the different
management requirements of the iPhones in your organization.
Adding a Policy Set
Use the procedure provided in this section to create and configure
new policy sets for iPhone management.
To create a new policy:
1. Click the Policies tab.
2. Click Create New.
3. Provide a name and description for the new policy set, and click
the iPhone Management radio button for Policy set type.
The Policy Sets page is redisplayed. Click the link for the policy
set to view a Summary page.
4. Define the new policy set by configuring its policy settings, as
described in “Setting or Changing Security Policies” on page 66
and “Setting or Changing Configuration Policies” on page 70.
Setting or Changing Security Policies
Security policies allow you to:
• Require an iPhone passcode to be set, and restrict the format of
that passcode
• Cause an iPhone to be wiped if the passcode is entered incorrectly
too many times
• Restrict Exchange/ActiveSync access to the Good Messaging
iPhone only, preventing the user from synchronizing additional
devices through ActiveSync
Set or reconfigure the passcode policies for a particular policy set as
described in the following sections.
Once a security policy is set, the user (on the iPhone) or administrator
(at the console) can increase (tighten) it but not decrease it. To
decrease a security setting, the user must be removed from Good
Mobile Messaging and the Good configuration profile must be
manually removed from the iPhone.
Passcode Policies
Use the Passcode link in the left panel of the Policy Sets page for a
particular iPhone policy set to configure passcode policies on the
handheld.
These policies, along with the Access Control policies, are designed
to permit central security management of enterprise iPhones.
To set or change handheld passcode policies for a policy set:
1. Click the Policies tab and click the policy name link in the right
panel for the policy set to be affected. To define or change the
policies for a user, you would choose the policy set currently
applied to the user’s handheld.
2. Click the Passcode link in the left panel of the Policies page.
3. To require a passcode on iPhones, check the Require passcode
checkbox.
A prompt on the iPhone will require that the user enter a new
passcode. If a passcode is already set on the handheld, the user
will still be required to enter a new passcode if the current
passcode does not meet the requirements in the passcode policy.
The Passcode policy is enforced by ActiveSync and cannot be
modified by the user on the handheld, although the user can make
settings more restrictive using local security.
4. For Passcode authentication, select the appropriate checkboxes to
set the following:
• Require an alphanumeric passcode with at least one special
character. Default is unchecked.
• Passcode must be reentered after n. Causes the screen to lock
after the specified length of time. Range is 1 minute to 1 hour. If
the checkbox is not checked, the screen never locks. Default is
unchecked.
After an invalid entry, the iPhone incrementally increases the
length of time that is required before allowing another attempt.
The first six attempts fail in succession; after the seventh, the
user must wait 1 minute, then 5 minutes, then 15 minutes, then
an hour. Then, the phone is permanently disabled until the
user connects it to iTunes to re-activate it. This is a process that
is controlled by the operating system, which the admin cannot
modify.
Note that the auto-wipe feature (see following option) can be a
factor here. For example, if auto-wipe is set to 7 attempts, then
after the seventh attempt, the iPhone will auto-wipe instead of
increasing the time before retry to 15 minutes. This happens
immediately and without warning.
• Wipe handheld after n invalid passcode entries. Specifies the
number of unsuccessful attempts at passcode entry after which
the next attempt (n+1) will cause all data to be removed from
the device. Values range from 4 to 16 attempts, although the
iPhone caps attempts at 10. If the allowed number of attempts
is exceeded, on the next attempt all user data is cleared from
the handheld and Exchange ActiveSync is disabled for the
handheld. The handheld must be set up again. Default is
unchecked.
5. A minimum passcode length is required. Set the minimum allowed
length using the pull-down menu. Range is 1 to 16 characters.
6. Click Save to save the changes.
The changes are transmitted to affected iPhones via ActiveSync.
To remove a complex password that you've set using a GMM
policy, do the following:
1. Remove the policy profile from the handheld.
2. Remove the iPhone passcode.
3. Download and install a new policy profile to the handheld that
does not require a complex passcode.
Access Policies
This Good Mobile Control policy allows you to lock down
ActiveSync access to the Exchange 2007 SP1 mailbox. If set, only one
iPhone for a given user can access the mailbox through ActiveSync.
Any other phones currently accessing the mailbox via ActiveSync
will be disconnected. Also, any ActiveSync connection requests from
any other phone in the future will be rejected. Of course, you can add
such phones for the user to Good Mobile Control as Good Messaging
devices, for wireless email synchronization.
You can also set an expiration time for the username and passcode
that the user enters when responding to the Good Mobile Control
welcome email which they use to set up the iPhone.
To set or change handheld access policies for a user:
1. Click the Policies tab and click the policy name link in the right
panel for the policy set currently applied to the user’s handheld.
2. Click the Access Control link in the left panel of the Policies page.
3. Leave the Allow only one... checkbox unchecked to allow users to
sync other phones to their mailbox via ActiveSync. Check the box
to shut out all phones but the current iPhone from syncing with
the mailbox. Note that later, if the handheld is wiped or removed
from Good Mobile Control, neither the iPhone nor any other
handheld will be allowed to use Exchange ActiveSync for the user.
4. Select the time period within which the user must respond to the
Good Mobile Control welcoming email. The range is one day to
six months. The default is 6 months.
5. Click Save to save your settings. The settings are sent to affected
iPhones via ActiveSync and cannot be changed by the user.
Removing a Complex Passcode from an iPhone
To remove a complex password that you've set using a GMM policy,
do the following:
1. Remove the policy profile from the handheld.
2. Remove the iPhone passcode.
3. Download and install a new policy profile to the handheld that
does not require a complex passcode.
Setting or Changing Configuration Policies
These policies allow you to register iPhone VPN and WiFi connection
settings for the iPhone from Good Mobile Control. These settings will
overwrite any existing settings for the same connections. Other
connections are permitted and will remain unaffected if present.
VPN Connections
To set or change VPN connection settings for an iPhone user:
1. Click the Policies tab and click the policy name link in the right
panel for the policy set currently to be
2. Click the VPN Connections link in the left panel of the Policies
page.
All VPN connections that you’ve defined so far are listed. Click
the checkbox next to those whose connection details are to be sent
to iPhones using this policy set.
3. To add details for a new connection, click Add Connection.
4. Provide a connection name and server hostname in the
appropriate fields. From the dropdown, select a connection type.
Selecting a connection type will display additional connection
parameters to be defined. For example:
Connection types and their parameters include:
• PPTP
- Authentication: passcode or RSA passcode SecurID
- Encryption: Automatic or Maximum (128-bit) or None
- Route all traffic through VPN connection: Checked or
unchecked
• IPSec
- Authentication: Shared Secret or Certificate
Shared Secret: Group name, Shared secret (passcode field),
Use hybrid authentication (default is: disabled)
Certificate: PKCS#12 Certificate or PFX Certificate (file
input), Include user PIN (default is: disabled)
5. To change the settings for a connection, click the edit link for the
connection on the VPN Connections page. Select the connection
type to display additional fields that can be changed.
6. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. (That is, the
user must open the email on the iPhone.) Click Save without
updating to save the new policy settings without sending the
changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
Wireless Networks
Good Mobile Messaging allows you to set or change wireless network
connection settings for an iPhone user via policy settings for
the policy set applied to the device. Good Mobile Messaging
supports WPA2 Enterprise (PEAP) networks. WEP, WPA2 Personal,
and WPA2 (LEAP, TLS, TTLS, EAP-FAST) are not supported.
To define wireless network settings for the policy set:
1. Click the Policies tab and click the policy name link in the right
panel for the policy set currently to be configured or edited.
2. Click the Wireless Networks link in the left panel of the Policies
page.
All wireless connections that you’ve defined so far are listed. Click
the checkbox next to those whose connection details are to be sent
to iPhones using this policy set.
3. To add details for a new connection, click Add Network.
4. Provide a Network name (SSID). The network type is WPA2
(PEAP). Click the checkbox if this is a hidden network.
Selecting a connection type will display additional connection
parameters to be defined. For example:
5. To change the settings for a network, click the edit link for the
network on the Wireless Connections page.
6. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. Click Save
without updating to save the new policy settings without sending
the changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
Completing Policy Configuration
As described in the sections on individual policies, changes to
security settings are applied to affected iPhones immediately via
ActiveSync. Changes to WiFi and VPN settings are sent immediately
to affected iPhones as email attachments if you choose Save and Send
Email Update. All policy changes are applied wirelessly.
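The following Python check is an added example, not part of the original guide or of Good's software. It reads the VPN and WiFi payloads of a configuration profile and reports the weaker choices among the VPN options listed above, plus any WiFi network other than WPA2 Enterprise (PEAP). It assumes the profile is an unsigned XML plist using Apple's standard payload keys, and that the console's Encryption choices map to the CCP keys as commented; the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not from a real deployment); unsigned XML plist.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Branch PPTP</string>
      <key>VPNType</key><string>PPTP</string>
      <key>PPP</key><dict><key>CCPEnabled</key><false/></dict>
      <key>IPv4</key><dict><key>OverridePrimary</key><integer>0</integer></dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>HQ IPSec</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key><dict><key>AuthenticationMethod</key><string>SharedSecret</string></dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpNet</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Warehouse</string>
      <key>EncryptionType</key><string>WEP</string>
    </dict>
  </array>
</dict></plist>
"""

PEAP = 25  # EAP method number for PEAP


def _review_vpn(payload):
    """Flag the weaker VPN choices among those the console offers."""
    name = payload.get("UserDefinedName", "<unnamed>")
    findings = []
    vpn_type = payload.get("VPNType")
    if vpn_type == "PPTP":
        ppp = payload.get("PPP", {})
        # Assumed mapping of the console's Encryption setting:
        # None -> CCPEnabled false; Automatic -> 40-bit MPPE also accepted.
        if not ppp.get("CCPEnabled", False):
            findings.append(f"VPN '{name}': PPTP encryption is None")
        elif ppp.get("CCPMPPE40Enabled", False):
            findings.append(f"VPN '{name}': PPTP accepts 40-bit encryption")
        # "Route all traffic through VPN connection" left unchecked.
        if not payload.get("IPv4", {}).get("OverridePrimary", 0):
            findings.append(f"VPN '{name}': split tunnel, not all traffic uses the VPN")
    elif vpn_type == "IPSec":
        method = payload.get("IPSec", {}).get("AuthenticationMethod")
        if method == "SharedSecret":
            findings.append(f"VPN '{name}': IPSec uses a group shared secret")
    return findings


def _review_wifi(payload):
    """Flag networks other than WPA2 Enterprise (PEAP), the only supported type."""
    ssid = payload.get("SSID_STR", "<no SSID>")
    enc = payload.get("EncryptionType", "None")
    eap = payload.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
    if enc not in ("WPA", "WPA2"):  # Apple's "WPA" value covers WPA and WPA2
        return [f"WiFi '{ssid}': encryption type {enc} is not WPA/WPA2"]
    if not eap:
        return [f"WiFi '{ssid}': no EAP configuration (personal mode)"]
    if set(eap) != {PEAP}:
        return [f"WiFi '{ssid}': EAP types {sorted(eap)} include non-PEAP methods"]
    return []


def review_profile(raw):
    """Return findings for every VPN and WiFi payload in a profile."""
    profile = plistlib.loads(raw)
    handlers = {"com.apple.vpn.managed": _review_vpn,
                "com.apple.wifi.managed": _review_wifi}
    findings = []
    for payload in profile.get("PayloadContent", []):
        handler = handlers.get(payload.get("PayloadType"))
        if handler:
            findings.extend(handler(payload))
    return findings


if __name__ == "__main__":
    for line in review_profile(SAMPLE_PROFILE):
        print(line)
```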
Viewing and Using iPhone Information
Use the Handhelds tab on the console to display a list of handhelds
and their owners, as well as information about each handheld.
iPhone information available includes serial number, status, and
other device information. Phone number and IMSI information is not
available for iPhone. You can add a “Serial #” column in the
Handhelds tab in order to see the hardware serial numbers for those
iPhones being managed.
Note that the Good Portal does not provide iPhone information in
this release.
To view and use handheld information:
1. In the Good Mobile Control console, click the Handhelds tab.
2. Click the name of the iPhone listed on the Handhelds page.
A page of information about the device is displayed. Note that
phone number is not displayed.
• Name - User’s Active Directory display name
• Email - User’s email address for the account sync’d to this
handheld
• Department - User’s Active Directory department
• Directory status - Current Active Directory status
• iPhone Setup Portal URL
• iPhone Setup Portal PIN
• Access Control status
• Handheld type
• Serial number - Handheld’s serial number
• Policy Set - Policy set assigned to handheld
• First sync
• Last sync attempt
• Last successful sync
• Last policy update
• System Identifier - Unique Good Mobile Control server ID
number for the handheld
Importing/Exporting iPhone Data
The Import/Export features for Good Mobile Messaging do not
support iPhones in this release.
Wiping iPhone Data
Wiping an iPhone hard-resets it, removing all data and returning the
device to its factory defaults. The process can take up to an hour and
occurs without warning. When the handheld is wiped or removed
from Good Mobile Control, neither the iPhone nor any other
handheld will be allowed to use Exchange ActiveSync for that user.
To be used with Good Mobile Control again, the handheld must be
set up wirelessly again.
To wipe a handheld wirelessly:
1. In the Good Mobile Control console, click the Handhelds tab.
2. Click the Wipe link for the desired iPhone.
3. Click OK to confirm you want to wipe the handheld.
There is also a remote-wipe button on the handheld’s info page.
The handheld and its radio must be turned on and in network
coverage to be wiped. The wipe command is communicated to the
iPhone via ActiveSync. Access to the iPhone and any other handheld
for that user is denied to Exchange via ActiveSync. The remote wipe
communication to the device may take a few minutes, depending on
ActiveSync connection status.
You can also set a policy to wipe the iPhone after a specified number
of incorrect passcode entry attempts (refer to “Passcode Policies” on
page 66).
Other Management Tasks
Removing a Handheld from Good Mobile Control
You would remove a handheld from Good Mobile Control and then
add it again when, for example, an owner’s email address changes.
Removing a handheld from Good Mobile Control does not clear user
data from the handheld. Before assigning a handheld to a different
user, you can clear it as described in “Wiping iPhone Data” on
page 77.
Note that if the handheld is wiped or removed from Good Mobile
Control, neither the iPhone nor any other handheld will be allowed
to use Exchange ActiveSync for that user. You can restore ActiveSync
for the user via Exchange Management console.
To remove a handheld from Good Mobile Control:
1. In Good Mobile Control console, click the Handhelds tab.
2. Select the handheld(s) to be deleted and select “Delete
handheld(s)” from the Apply Action dropdown menu.
You will be warned that the handheld will be disabled and
removed from the network, and that it will no longer be able to
send or receive messages.
3. Click OK to remove the handheld.
To remove more than one handheld at a time, click the checkboxes
by multiple users before selecting “Delete handheld(s).” You will
be prompted once to confirm the multiple deletions.
4. Instruct the user to remove the Good iPhone configuration profile
via Settings | General | Profiles. If there is more than one (the
original profile that the user installs during setup, which contains
the Exchange information, and any subsequent update profiles),
have the user remove them all. This removes the Exchange
account, VPN settings, and WiFi settings from the iPhone.
However, when a handheld is removed from Good Mobile
Control, its current security settings remain in place and cannot be
loosened by the user until the Good profile is deleted. Once the
profile is deleted, the user can change the settings as desired.
If the Exchange account on the iPhone has been set up by Good
Mobile Control, as required when adding the user/iPhone to
Good Mobile Control, the user cannot remove Exchange from
the handheld manually. As mentioned, the Exchange account is
removed from the handheld when the user removes the Good
iPhone configuration profile containing the Exchange
information.
Important: You must remove a user from Good Mobile Control using
Good Mobile Control console before the user is disabled, expired, or
removed from Active Directory and/or the Global Address List. If a
user is not removed from Good Mobile Control console and the
user’s mailbox still exists, messages can still be sent to and from the
handheld.
If a user’s mailbox is removed from Exchange before the user is
removed from Good Mobile Control, select the user’s handheld on
the Handhelds tab and from the Handheld Info page, wipe the
handheld if necessary and then remove the user from Good Mobile
Control.
Transferring a Handheld to a New User
To transfer a handheld to a new user:
• Retrieve the handheld from the former user.
• Clear the handheld as described in “Wiping iPhone Data” on
page 77.
• Remove the handheld from Good Mobile Control, as described in
“Removing a Handheld from Good Mobile Control” on page 78.
For the new user:
• Prepare the handheld as described in “OTA Setup Process” on
page 122.
Changing a User’s Good Mobile Control server, Exchange
server, or User Name
A user’s email name, alias, or address may change. In addition, the
user’s mailbox may move to a different Exchange server, within the
current Exchange site or outside of it. The following sections describe
how to manage these changes.
Changing a User’s Display Name, Alias, or Email Address
If the display name for a mailbox is changed in Exchange, you do not
need to update Good Mobile Control to reflect the change. Good
Mobile Control will update automatically.
If the primary SMTP address changes, synchronization will continue.
However, if you need to set up the handheld again OTA after the user
is already set up, you will need to regenerate the OTA PIN first.
If a user mailbox is deleted and recreated, remove the handheld from
Good Mobile Control, stop and restart the Good Mobile Control
server, and set up the handheld again.
Moving a Handheld to a Different Exchange server
If a user mailbox is moved to a different Exchange server within the
same Exchange site, no changes are necessary to maintain handheld
synchronization.
Exchanging a User’s Handheld
To provide a user with a handheld previously assigned to a different
user, follow the procedure described in “Transferring a Handheld to a
New User” on page 79.
Changing the Exchange 2007 SP1 ActiveSync Host
If you are changing the ActiveSync host used by Exchange 2007 SP1
servers that support Good Mobile Control user iPhones, or changing
the host use of SSL, you can register the changes using the following
procedure.
Note that changing the host or SSL setting will cause the iPhones to
stop syncing with their user mailboxes. This connection will need to
be set up again. The iPhones will receive an email informing their
users that they must browse to the Good Operation Center and
download a new configuration file.
To change the ActiveSync host and/or SSL use:
1. In the Good Mobile Control console, click the Settings tab.
2. Click the iPhone Management link in the left panel.
3. Enter the name of the new host.
4. Check or uncheck Use SSL as desired.
5. Click Save.
6. Delete iPhones from Good Mobile Control, and then re-add.
5 Managing Good Mobile Control Server
In addition to setting up and maintaining handhelds, you will want
to monitor Good Mobile Control server to ensure that iPhone
management is occurring normally.
This chapter also describes how to move Good Mobile Control
servers to a new host.
Moving Good Mobile Control Server to a New Host
The following procedure allows you to move Good Mobile Control
server to a new host machine without disconnecting all provisioned
handhelds.
This procedure assumes that you have the standard default
installation of Good Mobile Control server service on a single
Windows server. This includes SQL Server Express, which is installed
with Good Messaging. If your installation is different, contact Good
Technology Support for advanced setup questions.
Important: Moving Good Mobile Control server to a new host
machine that has a different host name than the original host is not
recommended. The new host machine must preferably have the same
host name and fully qualified domain name (FQDN) as the original
host machine. To achieve this, your IT administrator may have to
completely isolate the old machine from the network before bringing
up the new machine to avoid network conflicts.
Follow these general steps to move Good Mobile Control server to a
new host:
1. Start the new machine with the same host name as the old host
machine.
2. Move Good Mobile Control server to the new machine. This
includes moving the SQL database.
3. Start the Good Mobile Control service on the new host machine
and do a check.
Preparing to Move Good Mobile Control server
To prepare to move Good Mobile Control server:
1. On the original host machine, stop the Good Mobile Control server service. After the service stops, set the service to Disabled.
2. Make a copy of the SQL database files by performing these steps:
   a. Open the SQL Management Studio: Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express.
      Note: SQL Management Studio Express is installed during initial set up of Good Mobile Control server. If you did not install SQL Management Studio Express, you must install SQL Management Studio Express (2005) now or use SQL Management Studio Express already available in your organization to connect to the database.
   b. Log in by selecting <YOUR_MACHINE>\Good Mobile Control as the server Name and choosing Authentication as Windows Authentication.
   c. Right click on the database and then choose Tasks > Detach.
   d. Click OK on the next screen.
   e. Complete the procedure.
3. Copy Good Mobile Controldb.mdf and Good Mobile Controldb_log.LDF from C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data to a safe location for future use. These files will be attached again when the new host machine is set up.
4. If any custom settings were made as part of the Good Mobile Control server configuration, copy the following files and keep them for future use:
   • Copy config.props from C:\Program Files\Good Technology\Good Mobile Control server\original
   • Copy config.props, config.props.bak, logdriver and spring.cfg.xml from C:\Program Files\Good Technology\Good Mobile Control server
5. Open the registry and write down the License Key, Serial Number, Instance Name, and Database name for the Good Mobile Control server. These parameters are located in the registry under:
   HKEY_LOCAL_MACHINE\SOFTWARE\Good Technology\EMF server
   For example, the following screen shot assumes a default installation and your system may be different:
6. Uninstall the Good Mobile Control server. (See “Uninstalling Good Mobile Control server” on page 305.)
Installing Good Mobile Control server on the New Host
To install Good Mobile Control server on the new host:
1. Start the new host machine using the same host name as the original machine.
   Note: Before starting the new host machine, be sure to shut down and isolate the original machine from the network.
2. After the new host machine boots up, set the necessary account permissions and install the required prerequisites. (See “Preinstallation” on page 9 and “Installation” on page 25.)
3. Install Good Mobile Control server using the same License Key, Serial Number, Database Instance Name, and Database Name as the original host.
4. Start the Good Mobile Control server service.
5. After verifying the Good Mobile Control server is running, stop the Good Mobile Control server service and set it to Disabled.
6. Follow these steps to detach the new database and attach the database copied from the original host:
   a. Open the SQL Management Studio: Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express.
   b. Log in by selecting <YOUR_MACHINE>\Good Mobile Control as the server Name and choosing Authentication as Windows Authentication.
   c. Right click on the database and then choose Tasks > Detach.
   d. Click OK on the next screen.
   e. Complete the procedure.
   f. Copy Good Mobile Controldb.mdf and Good Mobile Controldb_log.LDF from the original host to the following folder on the new host, overwriting the existing files:
      C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
   g. In SQL Management Studio, right click on the database and then choose Tasks > Attach.
   h. Navigate to the Good Mobile Controldb.mdf and Good Mobile ControlDB.LDF files and click Add.
      The database is now attached to SQL Server.
7. Set the Good Mobile Control server service to Automatic and start the Good Mobile Control server service.
8. Access the Good Mobile Control console to make sure it is working properly:
   http://<servername>:8080
This procedure is now complete. The Good Mobile Control server is
now running on the new host.
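The detach and attach steps above can also be run as T-SQL instead of through the Management Studio dialogs. The script below is an added example, not part of the Good guide; it assumes SQLCMD mode, the data folder and file names given in the steps above, and a placeholder database name (YOUR_GMC_DATABASE) to be replaced with the Database name recorded from the registry.

```sql
-- Added example, not from the Good guide. Run with sqlcmd, or in Management
-- Studio with Query > SQLCMD Mode enabled, connected to the
-- <YOUR_MACHINE>\Good Mobile Control instance with Windows Authentication.
-- Assumption: YOUR_GMC_DATABASE is a placeholder for the Database name
-- recorded from the registry; folder and file names are those in the steps.
:setvar DbName "YOUR_GMC_DATABASE"
:setvar DataDir "C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data"

-- PART 1: detach. Run on the original host before copying the files, and
-- again on the new host to release the database the installer created.
-- The Good Mobile Control service must already be stopped and Disabled.
USE master;
GO
-- Sessions still connected to the database; the detach fails while any remain.
SELECT spid, loginame, hostname, program_name
FROM sys.sysprocesses
WHERE dbid = DB_ID(N'$(DbName)');
GO
EXEC sp_detach_db @dbname = N'$(DbName)';
GO

-- PART 2: attach. Run on the new host only, after the copied .mdf and .LDF
-- files have overwritten the installer's files in DataDir.
CREATE DATABASE [$(DbName)]
ON (FILENAME = N'$(DataDir)\Good Mobile Controldb.mdf'),
   (FILENAME = N'$(DataDir)\Good Mobile Controldb_log.LDF')
FOR ATTACH;
GO
-- Confirm the attached database is ONLINE and passes a consistency check
-- before the service is set back to Automatic.
SELECT name, state_desc, user_access_desc
FROM sys.databases
WHERE name = N'$(DbName)';
GO
DBCC CHECKDB (N'$(DbName)') WITH NO_INFOMSGS;
GO
```

Run the two parts separately, at the points in the procedure their comments name; executing the whole file in one pass would detach and immediately re-attach the same files.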
Stopping Good Mobile Control Services
To stop a Good Mobile Control server, stop the GoodLink Service. To
do so:
1. If the server will be stopped for an extended period of time, note that you will not be able to manage user iPhones, but they will continue to operate with the current policy settings.
2. Open the Windows Control Panel.
3. Open Administrative Tools.
4. Open Services.
5. Select and open GoodLink Server Service.
6. In the Properties window, on the General tab, click the Stop button.
Error Messages
Errors are returned in the following ways:
• Written to Windows Event Viewer Application log
• Displayed as dialog windows in Good Mobile Control console
• Displayed as dialogs during installation.
Troubleshooting
Support is available by contacting Good Support at http://www.good.com/support.
Backing up and Restoring the Good Mobile Control Database
The SQL database that Good Mobile Control uses contains
configuration information related to routing and provisioning of
Good servers and handhelds. Good Mobile Messaging servers find
out how to connect to Good Mobile Messaging enabled handhelds by
synchronizing with Good Mobile Control server.
Backing up the Good Mobile Control Database
To back up the Good Mobile Control database:
1. Click the Settings tab in the Good Mobile Control console.
2. Click the Backup link in the left panel.
   The Backup Settings page appears.
3. Select Enable automatic backup of this Good Mobile Control server to enable automatic backup. Incremental backups occur hourly; a full backup is performed once a day. This is not configurable.
4. Specify the Backup directory to store the backup files and the number of days of backup copies to keep. The default is 7.
5. To do a manual full backup immediately, click Start Full Backup Now. To do a manual incremental backup immediately, click Start Incremental Backup Now.
6. Click Save to save the changes.
Restoring the Good Mobile Control Database
The restore process consists of two steps in the following order:
1. Restore a full backup
2. Restore an incremental backup
In order to restore the correct database state, you must restore both
the full and incremental backups in sequential order. Choose the
most recent full daily backup file and the most recent incremental
hourly backup files.
For more information, refer to the “How to: Restore a Database
Backup (SQL server Management Studio)”:
http://msdn.microsoft.com/en-us/library/ms177429.aspx
To restore the Good Mobile Control database:
1. Stop the Good Mobile Control Service.
2. Open the SQL Management Studio: Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express.
   Note: SQL Management Studio Express is installed during initial set up of Good Mobile Control server. If you did not install SQL Management Studio Express, you must install SQL Management Studio Express (2005) now or use SQL Management Studio Express already available in your organization to connect to the database.
3. Log in by selecting <YOUR_MACHINE>\Good Mobile Control as the server Name and choosing Authentication as Windows Authentication.
4. Right click on the database and then choose Tasks > Restore > Database.
5. Select From Device under Source for Restore in the Restore Database dialog box.
6. Navigate to the folder where the full backup file is located, select the file, and then click OK.
7. In the left panel of the Restore Database dialog box, click Options and select the middle option “Leave the database non-operational and do not roll back uncommitted transactions. Additional transaction logs can be restored (RESTORE WITH NORECOVERY)”.
8. Click OK.
   After a few minutes, the full database is restored.
9. Restore the incremental database by repeating the steps and choosing the incremental database:
   a. Right click on the database and choose Tasks > Restore > Database.
   b. Select From Device under Source for Restore in the Restore Database dialog box.
   c. Navigate to the folder where the incremental backup file is located, select the file, and then click OK.
   d. In the left panel of the Restore Database dialog box, click Options and select the first option “Leave the database ready to use by rolling back uncommitted transactions. Additional transaction logs cannot be restored (RESTORE WITH RECOVERY)”.
   e. Click OK.
10. Exit SQL Server Management Studio Express.
11. Start the Good Mobile Control Service and verify that Good Mobile Control console rolls back changes prior to the hourly incremental backup time.
The restore procedure is now complete.
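The same two-stage restore expressed as T-SQL, with header and integrity checks on the backup files added before anything is restored. This is an added example, not part of the Good guide; the database name and backup file paths are placeholders, and the incremental file is assumed to be a differential backup because the steps above restore it through Tasks > Restore > Database.

```sql
-- Added example, not from the Good guide. Run in SQLCMD mode against the
-- <YOUR_MACHINE>\Good Mobile Control instance, with the Good Mobile Control
-- service stopped. All three values are placeholders (assumptions): the
-- database name and the backup files chosen from your Backup directory.
:setvar DbName "YOUR_GMC_DATABASE"
:setvar FullBak "D:\PLACEHOLDER\full_backup_file"
:setvar IncrBak "D:\PLACEHOLDER\incremental_backup_file"

USE master;
GO
-- 1. Read the backup headers before restoring. Check DatabaseName, and that
--    the incremental's BackupFinishDate is later than the full backup's.
--    BackupType: 1 = full database, 5 = differential, 2 = transaction log.
RESTORE HEADERONLY FROM DISK = N'$(FullBak)';
RESTORE HEADERONLY FROM DISK = N'$(IncrBak)';
GO
-- 2. Confirm both backup sets are complete and readable. Nothing is restored.
RESTORE VERIFYONLY FROM DISK = N'$(FullBak)';
RESTORE VERIFYONLY FROM DISK = N'$(IncrBak)';
GO
-- 3. Full backup first. NORECOVERY leaves the database in the RESTORING
--    state so that the incremental backup can still be applied.
RESTORE DATABASE [$(DbName)]
FROM DISK = N'$(FullBak)'
WITH NORECOVERY;
GO
-- 4. Incremental backup last. RECOVERY rolls back uncommitted transactions
--    and brings the database online; no further backups can be applied.
--    If step 1 reported BackupType 2 for this file, use RESTORE LOG here.
RESTORE DATABASE [$(DbName)]
FROM DISK = N'$(IncrBak)'
WITH RECOVERY;
GO
-- 5. The database should now report ONLINE.
SELECT name, state_desc
FROM sys.databases
WHERE name = N'$(DbName)';
GO
```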
Disaster Recovery
Refer to the Good Mobile Messaging Administrator’s Guide for
information on this subject.