Good™ Mobile Messaging
Good™ Mobile Control
for IBM Lotus Domino
Wireless Enterprise Messaging and Data Access System
Administrator’s Guide
Good Mobile Control 1.3.5
Good Mobile Messaging 6.4.2
Good for Enterprise Administrator’s Guide
Last revised 04/25/12
Documentation complies with Good Mobile Control version 1.3.5, Good Mobile Messaging Server
version 6.4.2.
Legal Notice
This document, as well as all accompanying documents for this product, is published
by Visto Corporation dba Good Technology ("Good"). Good may have patents or
pending patent applications, trademarks, copyrights, and other intellectual property
rights covering the subject matter in these documents. The furnishing of this, or any
other document, does not in any way imply any license to these or other intellectual
properties, except as expressly provided in written license agreements with Good. This
document is for the use of licensed or authorized users only. No part of this document
may be used, sold, reproduced, stored in a database or retrieval system or transmitted
in any form or by any means, electronic or physical, for any purpose, other than the
purchaser's authorized use without the express written permission of Good. Any
unauthorized copying, distribution or disclosure of information is a violation of
copyright laws.
While every effort has been made to ensure technical accuracy, information in this
document is subject to change without notice and does not represent a commitment on
the part of Good. The software described in this document is furnished under a license
agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those written agreements.
The documentation provided is subject to change at Good's sole discretion without
notice. It is your responsibility to utilize the most current documentation available.
Good assumes no duty to update you, and therefore Good recommends that you check
frequently for new versions. This documentation is provided "as is" and Good assumes
no liability for the accuracy or completeness of the content. The content of this
document may contain information regarding Good's future plans, including
roadmaps and feature sets not yet available. It is stressed that this information is nonbinding and Good creates no contractual obligation to deliver the features and
functionality described herein, and expressly disclaims all theories of contract,
detrimental reliance and/or promissory estoppel or similar theories.
Patents, Legal Information & Trademarks
©Copyright 2012. All rights reserved. Good Technology, Good, the Good logo, Good
for Enterprise, Good For You, and Good Mobile Messaging, are either trademarks or
registered trademarks of Good. All third-party trademarks, trade names, or service
marks may be claimed as the property of their respective owners and are used only to
refer to the goods or services identified by those third-party marks. Good's technology
is protected by U.S. Patents 6,085,192; 5,968,131; 6,023,708; 5,961,590; 6,131,116;
6,151,606; 6,233,341; 6,131,096, 6,708,221 and 6,766,454 along with numerous other U.S.
and foreign patents and applications pending.
Good Technology, Inc.
430 N. Mary Avenue, Suite 200
Sunnyvale, CA 94085
Be Good. Be Safe.
Please do not use while driving or engaged in any
other activity that requires your full attention.
Good Mobile Messaging Administrator’s Guide
Contents
1 Quick Installation
Prerequisites
Scalability
Preparing for SQL Server Use
Lotus Domino configuration requirements
Pre-installation
Installing Good Messaging
Setting Up the Handheld
2 Overview
Wireless Synchronization
Good Security
Good System Security Architecture
Good Secure OTA Architecture
Managing an Account
Multiple Lotus Domino and Good Mobile Messaging Servers
Installation Concepts
Access Control List (ACL)
Good Mobile Control Server and Console
Good Mobile Messaging Server
Handheld Setup
Wireless Handheld Management
Wireless Handheld Setup
Wireless Policy Synchronization
Wireless Handheld Software Upgrades
Custom Software for Wireless Distribution
3 Pre-installation
Checking Prerequisites and System Requirements
Scalability
Preparing for SQL Server Use
Lotus Domino configuration requirements
Good Secure WiFi: Prerequisites and System Requirements
4 Installation
Installing Good Mobile Control Server
Installing Good Mobile Messaging Server
Enable detailed calendar reminder notifications
Configuring the Good Mobile Control Console
Importing a Certificate
Understanding Console Filters
Setting Up Role-Based Administration
Setting Software Download Defaults
5 Preparing New Handhelds
Preparing for Handheld Setup
Wireless Setup Preparation
Setting Up the Handheld
OTA Setup Process
OTA Setup Process - iOS/Android
Completing the Setup Process
Setting Up Handhelds for Multiple Users (OTA)
Adding Custom Software (OTA)
Interaction with WiFi
6 Managing the Handhelds
Maintaining Roles
The Superuser
Creating, Configuring, and Customizing Roles
Adding and Removing Role Members
Exporting Rights
Creating and Changing Handheld Policy Sets and Templates
Understanding Policy Templates
General policies
Application Policies
Plugin Policies
User Agents
Completing Policy Configuration
Managing Wireless Software Deployment
Managing Software Policies
Restricting Handheld Platform OTA Setup
Generating New User PINs
Customizing the OTA Setup Email Message
Custom Applications: Adding to and Deleting from the Software Package
“Managed” Applications
Resetting a Password Remotely (iOS, Android)
Providing a Temporary Unlock Password
Enabling/Disabling Data Roaming
Suspending Handheld Messaging
Locking Out a User
Erasing Handheld Data
Enabling FIPS Testing
Removing a Handheld from Good Mobile Messaging Server
Transferring a Handheld to a New User
Viewing and Using Handheld Information
Handheld Info Link
Enabling Detailed Logging for Handhelds
Security Link
Network Status Link
Software Link
Applications Link
OTA Link
Messaging Link
Using the Good Monitoring Portal Dashboard
Using the Good Online License Portal
Inactive Handhelds
Displaying a Paused Handhelds Report
Running Handheld Diagnostics
Exporting Handheld Statistics to a File
Generating (Exporting) a List of Users
Exporting Software Information to a File
Changing a User’s Good Mobile Control Server, Good Mobile Messaging Server, Domino Server, or User Name
Changing a User’s Display Name, Alias, or Email Address
Moving a Handheld to a Different Domino Server
Moving a Handheld to a Different Good Mobile Messaging Server
Exchanging a User’s Handheld
Data Storage and Aging
Notes on Synchronization
7 Managing Good Mobile Messaging Server
Moving Good Mobile Messaging Server and Good Mobile Control Server to a New Host
Preparing to Move Good Mobile Control Server
Preparing to Move Good Mobile Messaging Server
Installing Good Mobile Control Server on the New Host
Installing Good Mobile Messaging Server on the New Host
Monitoring Good Mobile Messaging Servers
Good Monitoring Portal Server Dashboard
Displaying the Server List
Displaying Server Information
IP Ranges
Server Logging
Using Performance Monitor
Error Messages
Troubleshooting
Best Practices
Deployment
Redundancy
Anti-virus and Backup Software
Backing up and Restoring the Good Mobile Control Database
Disaster Recovery
8 Utilities
Installing the Utilities
GoodLinkAddUser
GoodLinkDeleteUser
GoodLinkQueryUser
XML file format
nGMMTool
UserProfilechkTool
GoodLinkEraseData
GoodLinkRegenOTAPIN
GoodLinkUpdateUser
gmexportstats
GdGLSConnect
uploadLog
Diagnostic Log Files
9 Using Standby Good Mobile Messaging Servers
How the Microsoft Clustering Service Works
Hardware Requirements
Operating System Requirements
Network Requirements
Shared Disk Requirements
Other Mandatory Service Requirements and Software Requirements
Good Mobile Control and Good Mobile Messaging Server in a Clustered Environment
Installing the Domino Server, Good Mobile Control Server, and Good Mobile Messaging Server on a Cluster Node
Installing Domino on the First Node
Configuring Domino on the First Node
Notes on INI and Domino Service Configuration
Verifying the Domino Server Functionality
Installing and Configuring Domino on the Second Node
Installing Primary and Standby Good Mobile Control Server on Cluster Nodes
Installing the Standby Good Mobile Control Server
Installing Good Mobile Control Cluster Tools and Configuring Cluster Services
Installing Primary and Standby Good Mobile Messaging Server on Cluster Nodes
Verifying the Good Mobile Messaging Server Functionality
Installing Standby Good Messaging on the Second Cluster Node
Installing Good Mobile Messaging Server Cluster Tools and Configuring Cluster Services
Good Mobile Messaging Server and Good Mobile Control Server Cluster Resources
GoodLink Server Resource
GoodLink Cache Lock Resource
Disk Q Resource
GMC Server Resource
GMC SQLServer Resource
GMC Cache Lock Resource
Uninstalling Good Messaging and Good Mobile Control Server from Cluster Servers
Cold Failover
Installing Good Mobile Control as a Primary Server
Installing Good Mobile Control as a Standby Server
Setting Up a Standby Good Mobile Messaging Server
Using the Standby Good Mobile Messaging Server
Changing or Updating a Primary or Standby Good Mobile Messaging Server
Returning Use to the Primary Server
10 Uninstalling Good Messaging
Uninstalling Good Mobile Messaging Server
Uninstalling Good Mobile Control Server
Uninstalling SQL Server
A Using the GMC Web Service
Working with the GMC Web Service
About the BulkServiceResult array
Integrating with the GMC Web Service
Web Service Authentication
GMC Web Service Example
Summary of the GMC Web Service Functions
Role Functions
Policy Set Function
Handheld Functions
Server Functions
Miscellaneous Functions
B Mobile Device Management
Configuring MDM
iOS Configuration
Android Configuration
Compliance Management
Application Management
Setting Up (Provisioning) Mobile Devices with MDM
Using MDM
Asset Management
C Good Mobile Control Performance and Scalability
Scalability Improvements
Supportability Guidelines
Monitoring Guidelines
Index
1 Quick Installation
Welcome to Good for Enterprise, the behind-the-firewall, wireless
corporate email and data system from Good Technology, Inc.
Good for Enterprise installation is simple and straightforward. An
experienced IBM® Lotus® Domino® administrator should be able to
complete the process in less than an hour.
This chapter outlines the installation process. Chapter 2 provides an
overview of the Good for Enterprise system. Chapters 3 through 6
provide detailed installation instructions, should you need them.
Prerequisites
You will be installing an additional IBM Lotus Domino server in your
production Domino domain, on the machine to host the new Good
Mobile Messaging Server. You’ll install this new Domino server with
the “Primary Domino Directory (recommended)” option. This
Domino server should have the ability to connect to other Domino
servers in your Domino domain(s); required connection documents
from this Good Messaging Domino server to the other servers must
be set up. Your production Domino servers can be installed on any
operating system, but the Domino server on which Good for
Enterprise is to be installed must be running Microsoft Windows.
Then you will be installing:
• A Good Mobile Control (Good Mobile Control) Server, which
provides facilities for managing Good Messaging users and their
handhelds. You’ll install this server first.
• Good Mobile Messaging Servers, which synchronize user
handhelds with their Lotus Domino accounts.
Ensure that the Good Mobile Messaging Server and Good Mobile
Control Server host machines, and your Domino server, conform to
the following prerequisites. For environments serving more than
1,000 handhelds, we recommend installing the Good Mobile Control
Server on a separate host machine; otherwise, a Good Mobile
Messaging Server and Good Mobile Control Server can share the
same host machine. (Refer to “Scalability” on page 7.)
The Good Mobile Messaging Server should be close to the Domino
Servers it communicates with (low latency, good bandwidth). The
Good Mobile Control Server should be close to its SQL database (less
than 1 ms latency). The database can exist prior to installation and be
local or remote, or will be installed along with Good Mobile Control.
The Good Mobile Control SQL server should not be burdened with
other work.
Good Mobile Messaging Server minimum host system requirements:
• Hard drive space free for each Good Mobile Messaging Server:
- 65MB system installation (50MB in Good program files; 15MB
in IBM program files)
- 3GB logs
- 40MB/device cache (leave room for growth)
- 2.5MB/device SQL database (“Preparing for SQL Server Use”
on page 8)
These space requirements do not include those for Good Mobile
Control Server if it is on the same machine.
• For 32-bit: Dual-core Intel® Xeon® processor (2GHz or greater),
4GB RAM, Windows 2003.
For 64-bit: Intel Pentium IV quad-core processor (2GHz or
greater), 8GB RAM, Windows 2008 R2 SP1.
For scalability information, refer to “Scalability” on page 7.
If a virtual machine session is used for Good Messaging, the free
drive space and RAM requirements also apply.
• Good Messaging is an I/O intensive application; consider this fact
when deciding which other applications are to run on the same
host machine.
• Good Mobile Messaging Server is supported as Guest on VMware
ESX 3.0.1, 3.5, 4.0 and 4.1. Good Mobile Control is supported as a
Guest on VMware ESX 3.5, 4.0, or 4.1. If Good Mobile Control is
installed in the same Guest as another Good product, then
VMware ESX 3.5, 4.0, or 4.1 is required. Good Mobile Messaging
Server and Good Mobile Control are supported as Guests on a
Windows 2008 64-bit SP2/R2 SP1 and R2 64 Bit Hyper-V Host.
• Required minimum LAN speed for the servers: 100Mbps. Note:
The network connection between the Good Messaging Domino
server and the other Domino servers in your Domino domain
must sustain at least 100Mbps. Slower network connections
between the Domino server on which Good Messaging runs and
other Domino servers will cause increased message latency.
• Lotus Notes client must not be installed on the Good Messaging
host machines.
• SMTP Service should not be enabled on the Domino instance
running on the Good Mobile Messaging Server.
Good Mobile Control Server minimum host requirements:
• Hard drive space free for each Good Mobile Control Server:
- 300MB system installation
- 250MB logs
- 38KB/device SQL server database (“Preparing for SQL Server
Use” on page 8)
These space requirements do not include those for Good Mobile
Messaging Server if it is on the same machine.
• Dual-core Intel® Xeon® processor (2GHz or greater), 1.5GB RAM;
for increased number of users: Intel Pentium IV dual processor
(2GHz or greater), 2GB RAM. We recommend multicore
processors; in-house testing is performed using four cores. We
recommend 4GB of RAM; configure Good Mobile Control to use
more RAM: -Xms1080m -Xmx1080m.
• A single Good Mobile Control Server can handle up to 10,000
users spread over multiple Good Mobile Messaging Servers.
• Good Mobile Control supports up to 10 devices per user.
• Microsoft Internet Explorer 7/8/9, Firefox 3.5/8/9/10, and
Google Chrome 10/11 are supported.
Additional Good Mobile Messaging Server and Good Mobile Control
Server requirements:
• Good Mobile Control Server requires Windows 2003 with Service
Pack 2, or Windows 64-bit 2008 Standard and Enterprise with
Service Pack 2 or R2 SP1 64-bit. Windows 2000 is not supported.
• Good Mobile Messaging Server and Good Mobile Control Server
host machines must have Internet access. They should be able to
make outbound connections on port 443 (HTTPS). To check this,
use a browser on the host machine to connect to a secure remote
location. If you’ll be using a proxy server, you’ll enter the
necessary information for that server during the installation
process.
If you limit outbound HTTP and HTTPS on your firewall, you
should open outbound ports 80 and 443 for IP ranges
216.136.156.64/27 and 198.76.161.0/24 for Good Messaging to
work properly. (Version 5 required that you open outbound ports
80 and 443 for IP address 198.76.161.28 for Good Messaging to
work properly. Version 6 requires, in addition, IP address
198.76.161.29 for use by Good Mobile Control.) Do not put the
Good Mobile Messaging Server and Good Mobile Control Server
in the DMZ zone or block any LAN ports. The Good Mobile
Messaging Server and operating system calls have many port
dependencies for interfacing with Domino mail servers and AD,
especially TCP 1433 (Database) and 1352 (NRPC). The Windows
firewall is not supported for use with Good Mobile Control. Note
that in Windows 2008, the Windows firewall is turned on by
default. If currently on, turn off the firewall in Windows 2003 or
2008.
Outbound network hostnames for Good Operations Center:
• www.good.com HTTPS 443 216.136.156.64/27
• upl01.good.com HTTPS 443 216.136.156.64/27
• xml28.good.com HTTPS 443 198.76.161.0/24
• xml29.good.com HTTPS 443 198.76.161.0/24
• xml30.good.com HTTPS 443 198.76.161.0/24
• gti01.good.com HTTPS 443 198.76.161.0/24
• Good Mobile Control Server requires port 19005 to be open for
communication with Good Mobile Messaging Server and for web
services. Good Mobile Messaging Server requires ports 10009 and
10010 to be open for communication with Good Mobile Control
Server and other uses.
• In order to receive new message notifications while using the
Good client for iOS devices on wifi networks, the following IP
range and port need to be open:
TCP port 5223 incoming/outgoing
The firewall needs to accept traffic from 17.0.0.0/8 port 5223. This
is the external IP range of the Apple Push Notification Service
servers, which provide the message notifications for the Good
email service on the iOS devices.
• The host machine should not have an MSDE or SQL Server
installed on it, unless you choose to create a database on an
existing Microsoft SQL 2005 or 2008 Server for use with Good for
Enterprise.
• Windows Installer 3.0 is required for installation of Good Mobile
Messaging Server. Windows Server 2003 with Service Pack 1 (SP1)
includes Windows Installer 3.0.
• Before installing Good Mobile Messaging Servers and Good
Mobile Control Servers, ensure that the host machines’ time and
date are set to your network's correct time and date. Otherwise,
errors such as a Security Alert regarding a problem with the site's
security certificate may occur.
• Don’t share hardware resources with other processes/virtual
machines. If the Good Server is on a physical machine, don’t run
other processes on the same machine. Good Mobile Control and
Good Mobile Messaging should be on separate machines for all
but small installations. If on a virtual machine, treat the situation
as the same as for a physical machine, adding the fact that the
virtual machine should have dedicated CPUs and RAM. For more,
refer to “Good Mobile Control Performance and Scalability” on
page 41.
• “Local administrator” privileges are required for Good Mobile
Control Server installation. The GoodAdmin account can be used
for Good Mobile Control Server installation but is not required.
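The outbound destinations and ports listed in the requirements above can be checked against a perimeter firewall rule export before installation. The following is an added example, not part of the original guide or of Good's software; it assumes a simplified first-match rule model with a default deny, and the Rule fields, function names, and both sample rule sets are constructed for illustration.

```python
"""Audit a firewall rule export against the destinations this guide requires.

Assumptions (not from the guide): rules are evaluated first-match, traffic
that matches no rule is denied, and each rule is reduced to
(action, protocol, destination CIDR, inclusive port range).
"""
from ipaddress import ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp"
    dest: str     # destination network in CIDR form
    ports: tuple  # (low, high), inclusive


# (purpose, destination range, TCP port) as stated in the guide.
# The APNs entry is modelled as a destination only; the guide lists
# TCP 5223 as incoming/outgoing for iOS devices on WiFi networks.
REQUIRED = [
    ("Good Operations Center", "216.136.156.64/27", 80),
    ("Good Operations Center", "216.136.156.64/27", 443),
    ("Good Operations Center", "198.76.161.0/24", 80),
    ("Good Operations Center", "198.76.161.0/24", 443),
    ("Apple Push Notification Service", "17.0.0.0/8", 5223),
]


def check_flow(rules, cidr, port, proto="tcp"):
    """Return 'allowed', 'partial' or 'blocked' for one required flow."""
    need = ip_network(cidr)
    for rule in rules:
        low, high = rule.ports
        dest = ip_network(rule.dest)
        if rule.proto != proto or not low <= port <= high:
            continue
        if not dest.overlaps(need):
            continue
        # The first rule touching the range decides. A rule that covers
        # only part of the required range leaves the rest to later rules,
        # so the flow cannot be reported as fully allowed.
        if not need.subnet_of(dest):
            return "partial"
        return "allowed" if rule.action == "allow" else "blocked"
    return "blocked"  # assumed default deny


def audit(rules, required=REQUIRED):
    """Map each (range, port) requirement to its status."""
    return {(cidr, port): check_flow(rules, cidr, port)
            for _, cidr, port in required}


def gaps(rules, required=REQUIRED):
    """Describe every required flow that is not fully allowed."""
    findings = []
    for purpose, cidr, port in required:
        status = check_flow(rules, cidr, port)
        if status != "allowed":
            findings.append(f"{status}: tcp/{port} to {cidr} ({purpose})")
    return findings


# Constructed sample: a rule set that still pins the single address
# 198.76.161.28 named for Version 5 instead of the full range.
LEGACY_RULES = [
    Rule("allow", "tcp", "216.136.156.64/27", (443, 443)),
    Rule("allow", "tcp", "198.76.161.28/32", (443, 443)),
    Rule("deny", "tcp", "0.0.0.0/0", (1, 65535)),
]

# Constructed sample: the same rule set widened to the listed ranges.
UPDATED_RULES = [
    Rule("allow", "tcp", "216.136.156.64/27", (80, 80)),
    Rule("allow", "tcp", "216.136.156.64/27", (443, 443)),
    Rule("allow", "tcp", "198.76.161.0/24", (80, 80)),
    Rule("allow", "tcp", "198.76.161.0/24", (443, 443)),
    Rule("allow", "tcp", "17.0.0.0/8", (5223, 5223)),
    Rule("deny", "tcp", "0.0.0.0/0", (1, 65535)),
]

if __name__ == "__main__":
    for finding in gaps(LEGACY_RULES):
        print(finding)
```

A "partial" result is the case to look for after an upgrade: a rule written for a single address still matches, so connectivity appears to work until the service answers from another address in the range.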
SQL Server, .NET Framework, and Console requirements (links
subject to change). Note these requirements if you plan to use an SQL
server of your own; otherwise, Good Mobile Control will install SQL
Express for you. SQL Express supports up to 4GB databases only.
• Microsoft SQL Server 2005 Express Edition Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=3181842A-4090-4431-ACDD-9A1C832E65A6&displaylang=en
http://www.microsoft.com/sql/editions/express/sysreqs.mspx
• Microsoft SQL Server Management Studio Express Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6053c6f8-82c8-479c-b25b-9aca13141c9e&DisplayLang=en#Requirements
• Microsoft .NET Framework 2.0 Service Pack 1 (x86):
http://www.microsoft.com/downloads/details.aspx?familyid=79BC3B77-E02C-4AD3-AACF-A7633F706BA5&displaylang=en#Requirements
Scalability
Good Mobile Messaging Server has been certified to handle 800
devices (64-bit version) or 650 devices (32-bit version) while
accommodating HTML and GMA Secure Browser traffic. This
performance was attained on the following server configurations:
32-bit version
• Good Messaging Server build 6.3.1.74
• Windows 2003 SP2
• 4GB of RAM, dual-core processor
64-bit version
• Good Messaging Server build 6.3.1.74
• Windows 2008 R2
• 8GB of RAM, quad-core processor
This assumes that 20% of devices are currently actively using GMA
Secure Browser and 100% are using the HTML email feature. This
assumes a mix of 25% Windows Mobile/Android devices and 75%
iOS devices. If HTML and Secure Browser are not enabled, 1,000
devices are supported in the 64-bit version.
Note that these are the minimum requirements to attain this
performance. If you are running older configurations, do not scale to
this number; remain at the devices/server guideline that was
communicated to you upon sale.
A single Good Mobile Control Server can handle up to 10,000 users
spread over multiple Good Mobile Messaging Servers, subject to the
machine and operating-system requirements provided above. For
details, refer to “Good Mobile Control Performance and Scalability”
on page 41.
Preparing for SQL Server Use
Good Mobile Control and Good Mobile Messaging Servers require
access to a Microsoft SQL server (the same or different servers). You
can use an existing Enterprise or Standard Microsoft SQL Server
2005, 2008, 2008 R2, or 2008 ENT, or SQL server instance available
within the organization. Good Mobile Control Server and Good
Mobile Messaging Server can connect to a remote SQL server/
instance. If you don’t have an SQL server that you want to use, a
(non-remote) server will be installed along with Good Mobile Control.
Multiple Good Mobile Control and Good Mobile Messaging
Servers can share an SQL instance but must use separate databases
within that instance. If two Good Mobile Control Servers attach to
the same database, data loss may occur. An SQL instance is defined
as a copy of SQL running on a computer.
Multiple Good Mobile Messaging Servers can also share an SQL
instance but must use separate databases within that instance. If
two Good Mobile Messaging Servers attach to the same database,
the database may become corrupted, resulting in devices being
disconnected from the Server and other unexpected issues. An SQL
instance is defined as a copy of SQL running on a computer.
Note: SQL Server 2005 Cluster and SQL Server 2008 SP2 Cluster are
supported.
Good Mobile Control requires ~38KB/device of SQL Server database
space.
Good Mobile Messaging requires 2.5MB/device of SQL Server
database space.
Some knowledge of SQL installation, configuration, and maintenance
will be useful if you plan to use an existing database.
You’ll need the name of the service account you will use to run the
Good Mobile Control Service.
SQL Servers enforce their own authentication and authorization. If
you encounter an SQL error during the installation process, you’ll
need to confirm that your SQL configuration information was
entered correctly. If you will be using your own previously
installed SQL Server instance, gather the following information in
advance. You’ll be required to provide it during Good Mobile
Control and Good Mobile Messaging Server installation.
• The fully qualified machine name of your SQL Server instance
• Method of connection to your existing SQL Server instance (static
port, named instance (dynamic port), or connected to it as the
default instance)
• If static port, the port number
• If named instance, the instance name
• Authentication mode used to connect to your SQL Server instance
(Windows authentication/SQL Server authentication)
• If Windows authentication, the service account name entered
above must already have a login to SQL Server, or, if not, add a
login for the service account name to your SQL Server instance,
granting it at least the Server-Level Role of “dbcreator.”
• If SQL Server authentication, the SQL Server login name you
use to connect to SQL Server, and the password for this
SQL Server login. You will be prompted for the login and
password during the Good Mobile Control installation. The
SQL Server login must be a member of the “dbcreator” security
role. If not, add the login to the dbcreator security role so that
the Good Mobile Control install can create its own database
and table within the SQL Server instance.
• If your existing database is remote, ensure that TCP/IP is enabled
for “Local and Remote connections” on your SQL Server instance.
Remote SQL
To use remote access, the IT administrator should configure the
remote SQL server to accept the necessary connections from Good
Mobile Control Server and Good Mobile Messaging Server. This
includes but is not limited to:
• Allowing connections via TCP/IP
• Allowing connections via a preconfigured port
• Opening any necessary port in any firewall between Good Servers
and the SQL server
• Creating or obtaining a valid SQL Server user name and password
to connect to the remote SQL server during installation or the
ability to log in as admin “sa.”
The SQL Server username should have db_owner rights to its
database. If security practices do not allow db_owner to be granted
to an application all the time, we recommend that db_datareader,
db_datawriter, and db_ddladmin be granted for everyday
operations. A successful uninstall of Good Mobile Messaging
requires the username to have db_owner rights.
We recommend testing remote database SQL server connectivity
before beginning an installation.
For remote Good SQL databases, Good recommends that you use
your current corporate maintenance procedures and practices for
remote SQL databases. Periodic backup of the database is required.
Before performing any offline database maintenance, shut down the
Good services that rely on that database.
Related articles from Microsoft:
• To configure using TCP/IP - http://support.microsoft.com/kb/914277
• To configure using static port - http://support.microsoft.com/kb/823938
• Installing SQL Server 2005 SP3 (complete process) -
http://technet.microsoft.com/en-us/library/ms143516(SQL.90).aspx
• SQL Server Installation (SQL Server 2008 R2) -
http://msdn.microsoft.com/en-us/library/bb500469.aspx
Lotus Domino configuration requirements
Lotus® Domino configuration requirements:
• Lotus Domino Primary Messaging Server 7.0.2 or higher. Server
versions 8.0/8.5/8.5.1 are recommended, and are required for
servers on Mobile Messaging machines, to take full advantage of
Mobile Messaging’s performance features. (With Windows 64-bit,
we support the Domino 32-bit version.)
- Domino 7 supports a 32-bit OS.
- Domino 8 supports 32- or 64-bit OS.
- Domino 8.5.1 FP4, 8.5.2 FP1, 8.5.2 FP2, and 8.5.3 are supported.
- Windows 2003 supports a 32-bit processor.
- Windows 2008 supports 32-bit and 64-bit processors.
• Install the Domino server as a Domino Messaging server.
• The Domino server on which Good Mobile Messaging Server is to
be installed should be installed and configured to run as a
Windows service and not as a regular application.
• The Domino server on which Good Messaging runs must be
installed with the “Primary Domino Directory (recommended)”
option.
• If the Domino server hosting mailboxes is in a 64-bit Domino
environment, the Good Mobile Messaging Server must be
installed against an 8.x Domino server in a 32-bit Domino
environment.
• The Domino server on which Good Messaging is to be installed
should not be installed as a “partitioned server.” Good Messaging
does not support and cannot be installed on a partitioned Domino
server.
• The Domino server on which Good Messaging runs must have
read/write access with “Delete Documents” privileges on every
user mail file in your organization. Usually the
“LocalDomainServers” group has these required rights. You may
not need to alter the Access Control List as long as this Domino
server (on which Good Messaging is being installed) is listed in
the “LocalDomainServers” group.
• If the Domino server on which Good Messaging runs does not
have any rights to the users’ mail files and you are setting up the
ACL, this server requires Manager access with the following
rights:
- Delete documents
- Replicate or copy documents
• Good Mobile Messaging Server uses the Lotus Domino server ID
while instantiating the Lotus Domino APIs and accessing Domino
mail databases on other servers in your Domino domain(s). It is
recommended that the server ID have the Server ID property
“Don't prompt for a password from other Notes-based programs”
checked/enabled.
• If your Domino infrastructure has multiple domains:
- The Domino server on which Good Messaging runs must have
“Directory Assistance” enabled for every Domino domain in
your organization.
- The Domino server on which Good Messaging runs must have
connection documents to the Domino servers in the other
Domino domains. The Good Messaging Domino server should
be a member of the “LocalDomainServers” group in every Domino
domain.
- The necessary cross-certification, at either the per-server or the
per-organization level, must be established between the Domino
server on which you are installing Good Messaging and the
mail and directory servers in other domains to which this
Domino server connects.
Pre-installation
Note the following:
• Microsoft SQL Express will be installed and configured during the
installation of your initial Good Mobile Messaging Server unless
you specify a different SQL database to be used. (SQL Express
supports up to 4GB databases only.)
• Windows Installer 3.0 is required for installation of Good Mobile
Messaging Server. Windows Server 2003 with Service Pack 1 (SP1)
includes Windows Installer 3.0.
• The host machine should not have an MSDE or SQL server
installed on it.
To uninstall SQL Server if present, refer to “Uninstalling SQL
Server” on page 430.
• In order to install the Good Mobile Messaging Server, you must
log in as a Windows Domain user listed as a member of the
Administrators group on that machine.
We recommend that you create a new Windows Active Directory
(AD) account for installing and running Good Messaging services
(Good Messaging Domino directory service, Good for Enterprise
service, Good server Domino directory service, Good Mobile
Control service). After creating the AD account, assign it “Local
Administrator” privileges, then log on as the new AD user and
proceed with the installation. For this release, use Active Directory
(ADSI) authentication when installing Good Mobile Control.
Installing Good Messaging
We recommend against running BlackBerry™ Enterprise Server on
the same machine as a Good Mobile Messaging Server or Good
Mobile Control Server, when both are present.
1. Download Good Messaging software as directed by your
authorized sales representative (typically, from
http://www.good.com/download), and after unpacking it, run setup.exe.
You use this utility for the Messaging Server, Good Mobile Control
Server, and Good Messaging client software installations.
2. Install the Good Mobile Control Server first and then install one or
more Good Mobile Messaging Servers.
3. Run Good Mobile Control Console and create roles for use of the
console on different machines. Roles for service administrator,
administrator, and helpdesk are packaged with the console. Note:
First Console access must be by the Superuser specified during
Good Mobile Control Server installation. Launch the Console
using https://servername:8443 or http://servername:8080, where
servername is the name of the machine on which Good Mobile
Control Server is installed. You cannot access the console from a
browser on the Good Mobile Control machine. Use your Windows
username and password to log in.
Note: The Good Mobile Control session in your browser will time
out after one hour of no activity. The timeout is not configurable.
4. Set up user handhelds as described in the following section.
5. Create policies and assign them to handhelds as described in
“Creating and Changing Handheld Policy Sets and Templates” on
page 129.
Setting Up the Handheld
You set up handhelds wirelessly (Over The Air or “OTA” distributed deployment model).
For details, refer to “Preparing New Handhelds” on page 105.
To set up the handheld:
1. Confirm with your service or sales representative that the Treo or
Pocket PC is a supported device type (visit
http://www.good.com/index.php/products_platforms_devices.html for
more information). It must have an active, supported network data
service, as well as Good Messaging service. Some supported data
services may not support roaming. In such cases, Good
Messaging, like the handheld’s browser, will not work outside
service areas. Visit http://www.good.com for more information.
2. Handhelds should have the following available memory:
• Palm OS: 14.5MB
• Pocket PC: 12MB (14MB for Treo 700WX)
• Smartphone: 12MB
Contact your authorized service representative for additional
information on memory requirements.
Note that Palm is not supported by version 6.0 Client software,
but earlier software versions do support Palm.
3. The handheld battery should be fully charged (an alert will be
displayed if the battery is below 25%).
4. Use Good Mobile Control Console to set up and activate user
handhelds wirelessly:
a. On the Console Home page, click the “Add handhelds” link.
b. Select the user who will be assigned the handheld.
c. Specify a policy and group for the handheld.
d. When finished, an email is sent to the user's Lotus Notes
account. The email contains a PIN and URL. The handheld
user connects to the URL and enters the PIN and from the site,
Good downloads the OTA Setup application. OTA Setup is a
wizard-like application that leads the user through a set of
steps to authenticate the user, download and install Good
Messaging Client software, and connect to Good Mobile Messaging
Server to wirelessly synchronize the user's Lotus Notes
account. You can set policies for PIN expiration and reuse, as
described in “Preparing New Handhelds” on page 105. You
can display the PIN and URL information at the Console by
going to the OTA page for the handheld on the Handhelds tab.
You can quickly check the connection status between Good Mobile
Messaging Servers and the Good Network Operations Center, and
between the Servers and the handhelds they service, using the Good
Monitoring Portal located at www.good.com/gmp. Like the Good
Mobile Control Console, the Good Monitoring Portal provides
information about users, their handheld types and service carriers,
and much more.
2 Overview
Good Messaging, a component of Good for Enterprise, provides
mobile users with a wirelessly synchronized connection to their
company servers, so they can instantly access up-to-date corporate
email, attachments, contacts, calendar, journal, to-dos, and critical
enterprise data when away from their desks.
Good Messaging’s enterprise-class solutions are now available on a
variety of handhelds. Good Messaging is a complete, encrypted wireless
system for accessing corporate messaging and data from behind the
firewall on the mobile handheld.
The Good Messaging system includes:
• The Good Messaging Client, supporting a growing number of
handhelds
• The Good Mobile Messaging Server, an easy-to-install
enterprise-class application allowing for elegant fleet management/global
policy control and remote security enforcement of wireless
synchronization.
• The Good Mobile Control (GMC) Server and Console and the
Good Monitoring Portal, used to monitor and manage user
handhelds. Good for Enterprise acts as a plugin to Good Mobile
Control.
Note: If you’re upgrading from an earlier version of Good for
Enterprise, refer to Good for Enterprise Upgrade Note for instructions
and a list of differences in this version.
Wireless Synchronization
Good Mobile Messaging Server software provides automatic
synchronization of email, calendar, contacts, journal entries, and
to-do entries between the user’s Lotus Notes account and handheld.
FIGURE 1. Synchronizing Lotus Notes account and handheld
As shown in Figure 1, Good Mobile Messaging Server software
monitors the user’s mail database and forwards all account activity
to the user’s handheld via the Network Operations Center and your
wireless network. Similarly, changes made at the handheld travel
over the wireless network, and are returned from the Network
Operations Center to Lotus Domino via Good Mobile Messaging
Server. The email arrives at both the user’s desktop and handheld,
available to be read, forwarded, and replied to from either location.
No inbound ports need be opened in the corporate firewall.
Good Security
A complete discussion of Good’s extensive security features is
beyond the scope of this overview. For details, refer to the Good
Technology white papers. For more, contact your account
representative.
Good security can be divided into two areas:
• Good System Security architecture
• Good Secure OTA architecture
Good System Security Architecture
The Good System has been specifically designed to meet the security
needs of even the largest, most security-sensitive corporations. It
provides an end-to-end system designed to protect corporate
information at all times—while it is being transmitted over the
wireless network and while it resides on the handheld. The Good
System uses today’s up-to-date security technologies. Installation of
Good applications does not require any modifications to the
customer’s firewall, and allows you to leverage your existing
network security infrastructure.
Network Perimeter Security
Connections from the Good Mobile Messaging Server to the Good
Network Operations Center use HTTP and are protected by the
Secure Sockets Layer (SSL). Since the connection is established in the
outbound direction, there is no need to create an inbound opening in
the corporate firewall. Most corporate security policies allow this
type of traffic through port 443 without reconfiguring the firewall.
Connections to the Good Network Operations Center are used only
for sending data to and receiving data from handheld devices.
Perimeter security includes:
• End-to-end encryption
• AES
• FIPS 140-2 validation
• Reliable message delivery
Handheld Security
The handheld device can be configured with a password. When the
handheld device is locked, Good applications will not display any of
the user’s data. Access can be restored only by entering the correct
password. If an unauthorized user tries to guess the password too
many times, the Good client software will delete all Good application
data stored on the handheld device.
The IT administrator can specify policies for the password provided
by the user. These policies are applied wirelessly.
If a user’s handheld device is lost or stolen, the IT administrator can
use the Good Mobile Control Console to remotely disable access to
Good on the device and remove all Good application data. If a
handheld device is recovered, it can be set up again as described in
“Preparing New Handhelds” on page 105.
Handheld Authentication
The Good System provides a number of safeguards against
unauthorized access. The Good Mobile Messaging Server resides
behind a corporate firewall, and any handheld device attempting to
contact it requires a three-step authentication process among
• the Good Network Operations Center and the Good Mobile
Messaging Server
• the handheld and the Good Network Operations Center
• the handheld and the Good Mobile Messaging Server
Administrative Security
The Good System offers Role-Based-Administration (RBA) features
that allow system-administration permissions to be customized
according to the needs and qualifications of each user. By controlling
users’ access according to their roles and the associated permissions,
RBA provides a tool for managing IT assets and increasing security.
Routine tasks—such as adding a new user or loading software—can
be delegated to a wider group of IT managers across multiple
locations. More sensitive permissions, such as those required for
setting global policy, can be restricted to a smaller group, increasing
the overall security of the system. RBA also encourages the most
efficient use of IT resources, since permissions can be based on skill
and job function.
Email Security
Preventing the spread of viruses is of increasing concern for IT
departments and end users. Viruses commonly infect a user’s system
by delivering executable code, such as .EXE files or Visual Basic
scripts, via an e-mail or an e-mail attachment, and getting the user to
run the code inadvertently. The Good Messaging application will not
run executable code within an e-mail or attachment and thus is less
vulnerable to viruses from e-mail. Good Messaging users can use
their handhelds to read e-mails or attachments without worrying
about viruses. If the user suspects an e-mail to be malicious, he/she
can safely delete that e-mail from their Good Messaging device rather
than risk opening it from the laptop or desktop.
Additionally, using Good Messaging’s ability to distribute handheld
software OTA (refer to section on Secure OTA Architecture),
enterprises can enhance corporate compliance by ensuring that
employees are running the latest mobile security applications such as
Symantec AntiVirus for Handhelds.
Good Messaging also incorporates VeriSign® technology for
digital-ID-signed e-mail, which serves as an electronic substitute for sealed
envelopes and handwritten signatures. This security feature enables
Good Messaging users to read messages which have been digitally
signed, even if the message body was not sent in clear text.
Good Secure OTA Architecture
OTA Deployment Security Considerations
Beginning with Good Messaging 4.0, Good provides Secure
Over-The-Air (OTA) setup of Good Messaging, without ever giving the
handheld to IT. Good Secure OTA capability encompasses several
features, including deploying and upgrading Good Messaging,
installation of any handheld software, and handheld policy updates.
The high-level process flow for Good Secure OTA setup of handhelds
is detailed in the Good security white paper.
IT administrators must explicitly give permission for users to
provision OTA. Permission may be given for a group of users
selected from the Windows Directory. If the IT administrator has not
given permission for a user to provision OTA, the Good Network
Operations Center will prevent Good OTA Setup from
communicating with the Good Mobile Messaging Server behind the
firewall.
As described previously, the Good System does not require any
inbound connections through the enterprise firewall. This advantage
is maintained for Good Secure OTA. All communications between
Good OTA Setup and the Good Mobile Messaging Server run
through the same outbound connection that Good Messaging
normally uses.
Good’s comprehensive OTA setup authentication is explained in
detail in the security white paper.
In order to protect all traffic between Good OTA Setup and the Good
Mobile Messaging Servers, all communication during the
provisioning process runs over HTTP/SSL. The package of
provisioning information is further encrypted using an AES key
derived from the user’s OTA PIN. After the client receives the
package of provisioning information, it begins to use the normal
end-to-end encryption capabilities that Good Messaging uses after
provisioning a handheld at the GMC Console.
OTA Software Installation Security Considerations
The Good OTA software distribution system supports distribution of
three classes of software: Good applications and custom applications
provided by a customer’s internal IT department. Security is
maintained via the following:
• Digital Signatures - Good software is digitally signed using
X.509v3 certificates.
• Encryption - Before the custom software package is uploaded, it is
encrypted using a key generated by the GMC Console using
Microsoft’s CryptoAPI.
• Software Versions - The GMC Console provides a policy for IT to
specify the version of client software which will be installed.
• Mandatory Installation - IT can mark software packages as
mandatory or optional.
• Off-Peak Downloads - When IT initiates a Good Messaging
upgrade or distribution of other handheld software, the Good
Messaging client will begin the download at a random time
overnight.
Managing an Account
In order to monitor and update the Lotus Domino accounts of
handheld users, Good Mobile Messaging Server utilizes the
following services under Windows: Good for Enterprise service,
Good Mobile Control service, Good Messaging Domino directory
service, and Good server Domino directory service.
Communication between the Lotus Domino server and Good
Mobile Messaging Server uses NRPC (Notes Remote Procedure
Calls).
FIGURE 2. Monitoring the user’s account
As shown in Figure 2, Good Mobile Messaging Server monitors
activity in the handheld user’s email, calendar, contacts, to-do
entries, journal entries, and other folders and relays all changes to the
Network Operations Center, where they are queued up and delivered
to the handheld. In the same way, handheld activity is passed along
to the Lotus Domino account. Synchronization is dynamic and
real-time, not scheduled. The messages cannot be viewed by anyone
along the way because they are encrypted. Data can be viewed only
from the Lotus Notes client and on the handheld.
You can quickly check the connection status between Good Mobile
Messaging Servers and the Good Network Operations Center, and
between the Servers and the handhelds they service, using the Good
Monitoring Portal located at www.good.com/gmp. Like the GMC
console, the Good Monitoring Portal provides information about
users, their handheld types and service carriers, and much more.
Multiple Lotus Domino and Good Mobile Messaging Servers
Good Mobile Messaging Server can manage synchronization for
accounts on multiple Lotus Domino servers in an organization.
Good Mobile Messaging Server is installed on a host machine. A
GMC Server is also required. A GMC Console is available via
standard browser. For large installations, the Messaging and GMC
Server hosts will typically be different machines. The Messaging
Servers will reside close to the Domino Servers they communicate
with. The Good Mobile Control will reside close to the SQL database
that it uses.
FIGURE 3. Handheld users on multiple Domino servers and Domino Domains
Figure 3 shows Good Mobile Messaging Server maintaining user
accounts on multiple Lotus Domino servers. GMC Server uses the
Public Address Book (PAB) to list, monitor, and manage handheld
users across sites. The console is used to assign handhelds to users
and to monitor and manage Good Mobile Messaging Servers.
If you have thousands of handheld users, you may need to install
additional Good Mobile Messaging Servers to handle the
synchronization tasks. Each new Good Mobile Messaging Server will
need to be installed on a separate machine. When configuring Good
Mobile Messaging Server to connect with a Lotus Domino server, the
speed of the network connection must sustain a minimum rate of at
least 100Mb/s. One GMC Server can handle up to ten Good Mobile
Messaging Servers.
Installation Concepts
This section provides an overview of the installation process. For an
outline of the installation steps, see “Installing Good Messaging” on
page 14.
You will install one or more Good Mobile Messaging Servers on host
computers. Each Good Mobile Messaging Server will manage a set of
user accounts and handhelds that you specify. The accounts can be
located on any Lotus Domino servers in the Domino Organization, as
long as they appear in the Public Address Book and the Messaging
Servers have the necessary permissions to connect and access mail
files on the Domino mail servers in the organization. You will assign
users to a Messaging Server according to the organization scheme
most convenient to you and according to your capacity planning. No
special configuration is necessary to have multiple Messaging
Servers manage handhelds on multiple Lotus Domino servers.
You will also install a GMC Server, which will communicate with the
Good Mobile Messaging Servers and assist you in managing user
handhelds via a web-based console.
Access Control List (ACL)
Each Good Mobile Messaging Server utilizes the following services:
Good for Enterprise service, Good Mobile Control service, Good
Messaging Domino directory service, and Good server Domino
directory service. Typically, every user mail file lists the
LocalDomainServers (Server Group) as Manager. The Lotus Domino
server on which Good Mobile Messaging Server runs is listed in
LocalDomainServers group. If the ACL on every user mail file does
not contain the LocalDomainServers group, the Lotus Domino server
on which Good Mobile Messaging Server runs must be listed in any
other group (preferred) which has read/write/delete document
privileges on every user mail file, or can be listed separately per mail
file (not recommended) with read/write/delete access.
Good Mobile Control Server and Console
Good Mobile Control (GMC) Console communicates with Good
Mobile Control (GMC) Server. There must be at least one GMC Server
installed. A GMC Console can communicate with any GMC Server; a
Console menu item allows you to specify which.
To access the Console, administrators enter a URL to the Server.
Console use is controlled by the roles that you assign to the
administrators who use it.
You will use GMC Console to assign handhelds to users, to set up,
monitor, and manage the handhelds, and to manage the Good Mobile
Messaging Servers.
Most of the handheld management tasks are initiated from the
Console’s Handhelds, Policies, and Servers pages. Figure 4 displays
the Console’s home page.
FIGURE 4. Good Mobile Control Console handheld management
You can use the Console to set up OTA installation of Good
Messaging software on a handheld, display ongoing handheld
activity, erase data and disable the handheld, and otherwise manage
it.
You will use the Good Messaging setup program to install the GMC
Server. The Console is web-based. You can limit access to Good
Messaging management facilities using role-based administration in
the Console.
Good Mobile Messaging Server
With the proper ACL setup (see “Access Control List (ACL)” on
page 27), you are ready to install Good Mobile Control Server and
Good Mobile Messaging Servers. Installation consists of:
• Checking system prerequisites
• Installing GMC Server and Good Mobile Messaging Servers
• Assigning usage roles for GMC Console
Handheld Setup
Handheld setup consists of adding the handheld to a Good Mobile
Messaging Server and downloading Good Messaging and Custom
applications onto it.
Good Messaging software is made available to you from Good
Technology via your Good Messaging setup.
Use GMC Console to add handhelds to a Good Mobile Messaging
Server and to configure which software is to be downloaded to the
handhelds, wirelessly.
Wireless download begins with the GMC Console sending email to
the user whose handheld is to be set up. The email contains a PIN
and URL that the user will need to initiate the download and setup.
The user downloads OTA Setup from the URL site and runs it to
install the software, entering the PIN when prompted. You can set
policies for PIN expiration and reuse (refer to “Provisioning” on
page 148).
As prerequisites to setup, the handheld must have the proper amount
of available memory and have established phone and data services
running on it.
Wireless Handheld Management
Good Messaging allows supported handhelds to be set up and
managed wirelessly. This feature is referred to as OTA (Over The Air)
functionality.
Good applications and Custom applications can be downloaded to
and updated on user handhelds. Good applications are developed
and distributed by Good Technology. Custom applications are
applications that are owned by customers or licensed to them.
Policies governing security, synchronization, and software
applications can be set and grouped into policy sets at the GMC
Console. These policies are synchronized continuously. Each
handheld must have one of these policy sets assigned to it.
FIGURE 5. Data Flow
Wireless Handheld Setup
Wireless setup of a handheld comprises the following general steps.
Refer to Figure 5 for a view of the interrelationship of the system
components involved.
• At the GMC Console, enable the user/handheld for OTA Setup.
This configures the user's Lotus Domino account and authorizes
the user for OTA setup in the Good Network Operations Center.
• An OTA Setup email message is sent to the user. With the
information and PIN it contains, the user downloads the OTA
Setup application from the Network Operations Center.
• An OTA Setup email message is sent to the user (if the OTA policy
has been set to do so). With the information and PIN it contains,
the user navigates to App Store (iOS), Android Market, or
downloads the OTA Setup application from the Network
Operations Center (Windows Mobile, Nokia, Palm).
• The user follows the installation or OTA Setup prompts. With
installation and validation via PIN complete, Good for Enterprise
starts and synchronizes the handheld with the user’s Outlook
account.
Wireless Policy Synchronization
The OTA feature provides continuous wireless synchronization of
policies and implements policy changes as soon as they are made:
• Configure or reconfigure policy sets and then use filtering in the
GMC Console to display the handhelds affected by these changes.
Add or remove handhelds using the policy set as needed.
• Good Mobile Messaging Server monitors the handhelds and
forwards your policy changes to them when you make and save
the changes.
• The policy changes are then applied to the handhelds.
Wireless Handheld Software Upgrades
When you update the Good Messaging software policies in a policy
set, your changes are implemented wirelessly for all affected
handhelds, just as with other policy changes. The software policies
determine which versions of Good Messaging Client and custom
applications are to be downloaded to the handhelds using the policy
set:
• Use GMC Console to set and change software policies.
• Policy changes are applied to each user/handheld by the Console.
• Good Mobile Messaging Server forwards any software policy
changes to the handheld via the path shown in the figure above.
• On the handhelds, Good Messaging Client receives these policies
and schedules required software downloads or notifies the user of
the available new software applications that can be downloaded.
• Good Messaging Client downloads the application from the Good
Network Operations Center.
• With the application downloaded, the software is verified with the
software certificates for Good applications or decrypted for
Custom applications.
• The software application is then installed on the handheld.
Custom Software for Wireless Distribution
Wireless handheld software upgrades can include custom
applications for a specific handheld type. Custom applications are
applications that you have appropriate licenses for and want to
distribute OTA. These can be made available to users on a specific
Good Mobile Messaging Server. Custom applications must first be
added to the specific Good Mobile Messaging Server and then
appropriately enabled as a software policy for the users.
• The GMC Console is used to add custom applications for a
specific Good Mobile Messaging Server.
• An application is added by entering information about the
application (e.g., the name, version, and description of the
application) and then uploading the application to the Good
Network Operations Center.
• The uploaded application then appears as a Custom application
for the handheld type, and can be made available to users in
encrypted form through the normal wireless handheld software
upgrade process.
3 Pre-installation
Before doing the installation, you will need to perform the following
tasks. Each task is explained in detail in the following sections.
• Check prerequisites; perform initial Good Mobile Messaging
Server and Good Mobile Control Server host configuration
• Install a new IBM Lotus Domino server in your production
Domino domain, on the machine to host Good Mobile Messaging
Server.
Checking Prerequisites and System Requirements
Ensure that the Good Mobile Messaging Server and Good Mobile
Control Server host machines, and your Domino server, conform to
the following prerequisites. For environments serving more than
1,000 handhelds, we recommend installing the Good Mobile Control
Server on a separate host machine; otherwise, a Good Mobile
Messaging Server and Good Mobile Control Server can share the
same host machine. (Refer to “Scalability” on page 40.)
The Good Mobile Messaging Server should be close to the Exchange
Servers it communicates with (low latency, good bandwidth). The
Good Mobile Control Server should be close to its SQL database (the
database can exist prior to installation and be local or remote, or will
be installed along with Good Mobile Control) (less than 1 ms latency).
The Good Mobile Control SQL server should not be burdened with
other work.
Good Mobile Messaging Server minimum host system requirements:
• Hard drive space free for each Good Mobile Messaging Server:
- 65MB system installation (50MB in Good program files; 15MB
in IBM program files)
- 3GB logs
- 40MB/device cache (leave room for growth)
- 2.5MB/device SQL database (“Preparing for SQL Server Use”
on page 41)
These space requirements do not include those for Good Mobile
Control Server if it is on the same machine.
• For 650 devices: Dual-core Intel® Xeon® processor (2GHz or
greater), 4GB RAM, 32-bit, Windows 2003.
For 800 devices: quad-core processor (2GHz or greater), 8GB
RAM, 64-bit, Windows 2008 R2 SP1.
If a virtual machine session is used for Good Messaging, the free
drive space and RAM requirements also apply.
For scalability information, refer to “Scalability” on page 40.
• Good Messaging is an I/O intensive application; consider this fact
when deciding which other applications are to run on the same
host machine.
• Good Mobile Messaging Server is supported as a Guest on
VMware ESX 3.0.1, 3.5, 4.0, and 4.1. Good Mobile Control is
supported as a Guest on VMware ESX 3.5, 4.0, or 4.1. If Good
Mobile Control is installed in the same Guest as another Good
product, then VMware ESX 3.5 or 4.0 is required. Good Mobile
Messaging Server and Good Mobile Control are supported as
Guests on a Windows 2008 SP2 64 Bit Hyper-V Host.
• Required minimum LAN speed for the servers: 100Mbps. Note:
With the Good Messaging Domino server connection to other
Domino servers in your Domino domain, the speed of the
network connection must sustain a minimum rate of at least
100Mbps. Slower network connections between the Domino
server on which Good Messaging runs and other Domino servers
will cause increased message latency.
• Lotus Notes client must not be installed on the Good Messaging
host machines.
• SMTP Service should not be enabled on the Domino instance
running on the Good Mobile Messaging Server.
Good Mobile Control Server minimum host requirements:
• Hard drive space free for each Good Mobile Control Server:
- 300MB system installation
- 250MB logs
- 38KB/device SQL server database (“Preparing for SQL Server
Use” on page 41)
These space requirements do not include those for Good Mobile
Messaging Server if it is on the same machine.
• Dual-core Intel® Xeon® processor (2GHz or greater), 1.5GB RAM;
for increased number of users: Intel Pentium IV dual processor
(2GHz or greater), 2GB RAM. We recommend multicore
processors; in-house testing is performed using four cores. We
recommend 4GB of RAM; configure Good Mobile Control to use
more RAM: -Xms1080m -Xmx1080m.
• Good Mobile Control supports up to 10 devices per user.
• Microsoft Internet Explorer 7/8/9, Firefox 3.5/8/9/10, and
Google Chrome 10/11 are supported.
Additional Good Mobile Messaging Server and Good Mobile Control
Server requirements:
• Good Mobile Control Server requires Windows 2003 with Service
Pack 2, or Windows 64-bit 2008 Standard and Enterprise with
Service Pack 2 or R2 SP1 64-bit. Windows 2000 is not supported.
• Good Mobile Messaging and Good Mobile Control Servers
require a Domino instance on them (“Lotus Domino configuration
requirements” on page 44).
• Good Mobile Messaging Server and Good Mobile Control Server
host machines must have Internet access. They should be able to
connect to port 443 (HTTPS). To check this, use a
browser on the host machine to connect to a secure remote
location. If you’ll be using a proxy server, you’ll enter the
necessary information for that server during the installation
process.
If you limit outbound HTTP and HTTPS on your firewall, you
should open outbound ports 80 and 443 for IP ranges
216.136.156.64/27 and 198.76.161.0/24 for Good Messaging to
work properly. (Version 5 required that you open outbound ports
80 and 443 for IP address 198.76.161.28 for Good Messaging to
work properly. Version 6 requires, in addition, IP address
198.76.161.29 for use by Good Mobile Control.) Do not put the
Good Mobile Messaging Server and Good Mobile Control Server
in the DMZ zone or block any LAN ports. The Good Mobile
Messaging Server and operating system calls have many port
dependencies for interfacing with Domino mail servers and AD,
especially TCP 1433 (Database) and 1352 (NRPC).
Outbound network hostnames for Good Operations Center:
• www.good.com HTTPS 443 216.136.156.64/27
• upl01.good.com HTTPS 443 216.136.156.64/27
• xml28.good.com HTTPS 443 198.76.161.0/24
• xml29.good.com HTTPS 443 198.76.161.0/24
• xml30.good.com HTTPS 443 198.76.161.0/24
• gti01.good.com HTTPS 443 198.76.161.0/24
The Windows firewall is not supported for use with Good Mobile
Control. Note that in Windows 2008, the Windows firewall is
turned on by default. If currently on, turn off the firewall in
Windows 2003 or 2008.
• Good Mobile Control Server requires port 19005 to be open for
communication with Good Mobile Messaging Server and for web
services. Good Mobile Messaging Server requires ports 10009 and
10010 to be open for communication with Good Mobile Control
Server and other uses.
• In order to receive new message notifications while using the
Good client for iOS devices on wifi networks, the following IP
range and port need to be open:
TCP port 5223 incoming/outgoing
The firewall needs to accept traffic from 17.0.0.0/8 port 5223. This
is the external IP range of the Apple Push Notification Service
servers, which provide the message notifications for the Good
email service on the iOS devices.
• The host machine should not have an MSDE or SQL server
installed on it, unless you choose to create a database on an
existing Microsoft SQL 2005 server for use with Good for
Enterprise. To uninstall SQL if present, refer to “Uninstalling SQL
Server” on page 430.
• Windows Installer 3.0 is required for installation of Good Mobile
Messaging Server. Windows Server 2003 with Service Pack 1 (SP1)
includes Windows Installer 3.0.
• Before installing Good Mobile Messaging Servers and Good
Mobile Control Servers, ensure that the host machines’ time and
date are set to your network's correct time and date. Otherwise,
errors such as a Security Alert regarding a problem with the site's
security certificate may occur. For more, refer to “Good Mobile
Control Performance and Scalability” on page 41.
• Don’t share hardware resources with other processes/virtual
machines. If the Good Server is on a physical machine, don’t run
other processes on the same machine. Good Mobile Control and
Good Mobile Messaging should be on separate machines for all
but small installations. If on a virtual machine, treat the situation
as the same as for a physical machine, adding the fact that the
virtual machine should have dedicated CPUs and RAM.
• “Local administrator” privileges are required for Good Mobile
Control installation. The GoodAdmin account can be used for
Good Mobile Control installation but is not required.
SQL Server, .NET Framework, and Console requirements (links
subject to change). Note these requirements if you plan to use an SQL
server of your own; otherwise, Good Mobile Control will install SQL
Express for you. SQL Express supports up to 4GB databases only.
• Microsoft .NET Framework 2.0 Service Pack 1 (x86):
http://www.microsoft.com/downloads/details.aspx?familyid=79BC3B77-E02C-4AD3-AACFA7633F706BA5&displaylang=en#Requirements
• Microsoft SQL Server 2005 Express Edition Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=3181842A-4090-4431-ACDD9A1C832E65A6&displaylang=en
http://www.microsoft.com/sql/editions/express/sysreqs.mspx
• Microsoft SQL Server Management Studio Express Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6053c6f8-82c8-479c-b25b9aca13141c9e&DisplayLang=en#Requirements
Scalability
Good Mobile Messaging Server has been certified to handle 800
devices (64-bit version) or 650 devices (32-bit version) while
accommodating HTML and GMA Secure Browser traffic. This
performance was attained on the following server configurations:
32-bit version
• Good Messaging Server build 6.3.1.74
• Windows 2003 SP2
• 4GB of RAM
64-bit version
• Good Messaging Server build 6.3.1.74
• Windows 2008 R2
• 8GB of RAM, quad-core processor
This assumes that 20% of devices are currently actively using GMA
Secure Browser and 100% are using the HTML email feature. This
assumes a mix of 25% Windows Mobile/Android devices and 75%
iOS devices. If HTML and Secure Browser are not enabled, 1,000
devices are supported in the 64-bit version.
Note that these are the minimum requirements to attain this
performance. If you are running older configurations, do not scale to
this number; remain at the devices/server guideline that was
communicated to you upon sale.
A single Good Mobile Control Server can handle up to 10,000 users
spread over multiple Good Mobile Messaging Servers, subject to the
machine and operating-system requirements provided above. For
details, refer to “Good Mobile Control Performance and Scalability”
on page 41.
Preparing for SQL Server Use
Good Mobile Control and Good Mobile Messaging Servers require
access to a Microsoft SQL server (the same or different servers). You
can use an existing Enterprise or Standard Microsoft SQL Server
2005, 2008, 2008 R2, or 2008 ENT, or SQL server instance available
within the organization. Good Mobile Control Server and Good
Mobile Messaging Server can connect to a remote SQL server/
instance. If you don’t have an SQL server that you want to use, a
(non-remote) server will be installed along with it.
Multiple Good Mobile Control and Good Mobile Messaging
Servers can share an SQL instance but must use separate databases
within that instance. If two Good Mobile Control servers attach to
the same database, data loss may occur.
Multiple Good Mobile Messaging Servers can also share an SQL
instance but must use separate databases within that instance. If
two Good Mobile Messaging Servers attach to the same database,
the database may become corrupted, resulting in devices being
disconnected from the Server and other unexpected issues. An SQL
instance is defined as a copy of SQL running on a computer.
Note: SQL Server 2005 Cluster and SQL Server 2008 SP2 Cluster are
supported.
Some knowledge of SQL installation, configuration, and maintenance
will be useful if you plan to use an existing database.
You’ll need the name of the service account you will use to run the
Good Mobile Control Service.
Good Mobile Control requires ~38KB/device of SQL Server database
space.
Good Mobile Messaging requires 2.5MB/device of SQL Server
database space.
SQL Servers enforce their own authentication and authorization. If
you encounter an SQL error during the installation process, you’ll
need to confirm that your SQL configuration information was
entered correctly. If you will be using your own previously
installed SQL Server instance, gather the following information in
advance. You’ll be required to provide it during Good Mobile
Control and Good Mobile Messaging Server installation.
• The fully qualified machine name of your SQL Server instance
• Method of connection to your existing SQL Server instance (static
port, named instance (dynamic port), or connected to it as the
default instance)
• If static port, the port number
• If named instance, the instance name
• Authentication mode used to connect to your SQL Server instance
(Windows authentication/SQL Server authentication)
• If Windows authentication, the service account name entered
above must already have a login to SQL Server, or, if not, add a
login for the service account name to your SQL Server instance,
granting it at least the Server-Level Role of “dbcreator.”
• If SQL Server authentication, the SQL Server login name you
use to connect to SQL Server with, and the password for this
SQL Server login. You will be prompted for the login and
password during the Good Mobile Control installation. The
SQL Server login must be a member of the “dbcreator” security
role. If not, add the login to the dbcreator security role so that
the Good Mobile Control install can create its own database
and table within the SQL Server instance.
• If your existing database is remote, ensure that TCP/IP is enabled
for “Local and Remote connections” on your SQL Server instance.
Remote SQL
To use remote access, the IT administrator should configure the
remote SQL server to accept the necessary connections from Good
Mobile Control Server. This includes but is not limited to:
• Allowing connections via TCP/IP
• Allowing connections via a preconfigured port
• Opening any necessary port in any firewall between Good Mobile
Control Server and the SQL server
• Creating or obtaining a valid SQL Server user name and password
to connect to the remote SQL server during installation or the
ability to log in as admin “sa.”
We recommend testing remote database SQL server connectivity
before beginning an installation.
For remote Good SQL databases, Good recommends that you use
your current corporate maintenance procedures and practices for
remote SQL databases. Periodic backup of the database is required.
Before performing any offline database maintenance, shut down the
Good services that rely on that database.
Related articles from Microsoft:
• To configure using TCP/IP - http://support.microsoft.com/kb/914277
• To configure using static port - http://support.microsoft.com/kb/823938
• Installing SQL Server 2005 SP3 (complete process) - http://technet.microsoft.com/en-us/library/ms143516(SQL.90).aspx
• SQL Server Installation (SQL Server 2008 R2) - http://msdn.microsoft.com/en-us/library/bb500469.aspx
Lotus Domino configuration requirements
Lotus® Domino configuration requirements:
• Lotus Domino Primary Messaging Server 7.0.2 or higher. Server
versions 8.0/8.5/8.5.1 are recommended, and are required for
Secondary servers, to take full advantage of Mobile Messaging’s
performance features. (With Windows 64-bit, we support the
Domino 32-bit version.)
- Domino 7 supports a 32-bit OS.
- Domino 8 supports 32- or 64-bit OS.
- Domino 8.5.1 FP4, 8.5.2 FP1, 8.5.2 FP2, and 8.5.3 are supported.
- Windows 2003 supports a 32-bit processor.
- Windows 2008 supports 32-bit and 64-bit processors.
• Install the Domino server as a Domino Messaging server.
• In an environment with a 64-bit Domino server hosting mailboxes,
the Good Mobile Messaging Server and Good Mobile Control
Server must be installed against a secondary 8.x Domino server in
a 32-bit Domino environment.
• The secondary Domino server on which Good Mobile Messaging
Server or Good Mobile Control Server is to be installed should be
installed as a Windows service and should be configured to run as
a Windows service and not as a regular application.
• The Domino server on which Good Messaging or Good Mobile
Control Server runs must be installed with the “Primary Domino
Directory (recommended)” option.
• The Domino server on which Good Messaging or Good Mobile
Control Server is to be installed should not be installed as a
“partitioned server.” Good Messaging does not support and
cannot be installed on a partitioned Domino server.
• The Domino server on which Good Messaging or Good Mobile
Control Server runs must have read/write access with “Delete
Documents” privileges on every user mail file in your
organization. Usually the “LocalDomainServers” group has these
required rights. You may not need to alter the Access Control List
as long as this Domino server (on which Good Messaging is being
installed) is listed in the “LocalDomainServers” group.
• If the Domino server on which Good Messaging runs does not
have any rights to the users’ mail files and you are setting up the
ACL, this server requires Manager access with the following
rights:
- Delete documents
- Replicate or copy documents
• Good Mobile Messaging Server uses the Lotus Domino server ID
while instantiating the Lotus Domino APIs and accessing Domino
mail databases on other servers in your Domino domain(s). It is
recommended that the server ID have the Server ID property
“Don't prompt for a password from other Notes-based programs”
checked/enabled.
• If your Domino infrastructure has multiple domains:
- The Domino server on which Good Messaging or Good Mobile
Control Server runs must have “Directory Assistance” enabled
for every Domino domain in your organization.
- The Domino server on which Good Messaging or Good Mobile
Control Server runs must have connection documents to the
Domino servers in the other Domino domains. The Good
Messaging Domino or Good Mobile Control server should be a
member of “LocalDomainServers” group in every Domino
domain.
- The necessary cross-certification, either per-server or
per-organization level, must be established between the Domino
server on which you are installing Good Messaging and the
mail and directory servers in other domains to which this
Domino server connects.
Good Secure WiFi: Prerequisites and System Requirements
If you are deploying Good on WiFi-enabled handhelds in your
corporate environment, ensure that your access points conform to the
following guidelines.
Good uses UDP packets to transmit data to Good-enabled handsets.
Some enterprises block UDP packets at the firewall, even if TCP/IP
connections are allowed. In order to use Good over WiFi, the
following destination ports are required to be open:
• UDP Port 12000 and TCP Port 15000 - Used to pass
outbound-initiated traffic to Good once the Good client is installed on the
handheld. Do not block UDP Port 12000 inbound “reply” traffic.
There is no requirement to open inbound “initiated” traffic.
• TCP Port 80 - Used to redirect to secure port 443
• TCP Port 443 - Used for secure access to Good webstore for OTA
distribution and download
• TCP Port 21 - Used to FTP logs to Good Technical Support
(optional, but highly recommended)
• TCP Port 15000 - Used for attachment downloading
UDP security
All connections to Good's NOC are device-initiated only (but require
bidirectional flow). From a security perspective, there are no
significant differences between using TCP and UDP for Good's
traffic. Good uses a sequenced and encrypted protocol over UDP
similar to TCP.
IP addressing
Good requires that customers open a range of IP addresses (Class C IP
ranges 216.136.156.64/27 and 198.76.161.0/24).
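The firewall requirements in this chapter (outbound ports 80 and 443 from the server hosts, and the WiFi destination ports, all to 216.136.156.64/27 and 198.76.161.0/24) can be checked against an exported rule set before installation. The following Python script is an added example, not part of Good's documentation or software; the Rule format, the sample rules, and the pairing of every WiFi port with both ranges are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

GOOD_RANGES = ("216.136.156.64/27", "198.76.161.0/24")  # ranges named in the guide

# Hostname -> documented range, from the Good Operations Center list.
DOCUMENTED_HOSTS = {
    "www.good.com": GOOD_RANGES[0], "upl01.good.com": GOOD_RANGES[0],
    "xml28.good.com": GOOD_RANGES[1], "xml29.good.com": GOOD_RANGES[1],
    "xml30.good.com": GOOD_RANGES[1], "gti01.good.com": GOOD_RANGES[1],
}


def requirements(*proto_ports):
    """Pair each (protocol, port) with both documented destination ranges."""
    return [(proto, port, ipaddress.ip_network(cidr))
            for proto, port in proto_ports for cidr in GOOD_RANGES]


# Server hosts: outbound 80 and 443. WiFi handhelds: the destination ports from
# the Good Secure WiFi list (TCP 21 is optional there and left out here).
SERVER_EGRESS = requirements(("tcp", 80), ("tcp", 443))
WIFI_EGRESS = requirements(("udp", 12000), ("tcp", 15000), ("tcp", 80), ("tcp", 443))


@dataclass(frozen=True)
class Rule:
    """One outbound rule in a simplified, hypothetical export format."""
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high)

    def matches_port(self, proto, port):
        return self.proto in (proto, "any") and self.ports[0] <= port <= self.ports[1]


def evaluate(rules, proto, port, net, default="deny"):
    """First-match verdict for one required range: allowed, blocked or partial."""
    pending = [net]   # parts of the required range that no rule has decided yet
    decided = set()   # actions that claimed at least one part
    for rule in rules:
        if not rule.matches_port(proto, port):
            continue
        dst = ipaddress.ip_network(rule.dst)
        still_pending = []
        for part in pending:
            if part.subnet_of(dst):       # the rule decides this whole part
                decided.add(rule.action)
            elif dst.subnet_of(part):     # the rule decides only a slice of it
                decided.add(rule.action)
                still_pending.extend(part.address_exclude(dst))
            else:                         # CIDR blocks nest or are disjoint
                still_pending.append(part)
        pending = still_pending
    if pending:                           # the rest falls to the default policy
        decided.add(default)
    if decided == {"allow"}:
        return "allowed"
    return "partial" if "allow" in decided else "blocked"


def audit(rules, required):
    """Return (gaps, broad): unmet requirements, and allow rules that cover a
    documented range on a required port but reach further than that range."""
    gaps = []
    for proto, port, net in required:
        verdict = evaluate(rules, proto, port, net)
        if verdict != "allowed":
            gaps.append((f"{proto}/{port} -> {net}", verdict))
    broad = []
    for rule in rules:
        dst = ipaddress.ip_network(rule.dst)
        if rule.action == "allow" and any(
                rule.matches_port(proto, port) and net.subnet_of(dst)
                and dst.prefixlen < net.prefixlen
                for proto, port, net in required):
            broad.append(rule)
    return gaps, broad


def unexpected_resolution(host, address):
    """True if a documented hostname resolved outside its documented range."""
    network = ipaddress.ip_network(DOCUMENTED_HOSTS[host])
    return ipaddress.ip_address(address) not in network


# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow", "tcp", "198.76.161.28/32", (443, 443)),  # single address, as version 5 required
    Rule("allow", "tcp", "216.136.156.64/27", (443, 443)),
    Rule("allow", "tcp", "0.0.0.0/0", (80, 80)),           # wider than the guide asks for
    Rule("deny", "any", "0.0.0.0/0", (1, 65535)),
]

if __name__ == "__main__":
    for name, required in (("server", SERVER_EGRESS), ("wifi", WIFI_EGRESS)):
        gaps, broad = audit(SAMPLE_RULES, required)
        print(name, "gaps:", gaps)
        print(name, "broader than documented:", broad)
```

A "partial" verdict is what a rule set carried over from version 5 produces: 198.76.161.28 is reachable on 443 but the rest of 198.76.161.0/24 is not.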
NAT time-outs
To ensure that Good can remain up-to-date at all times, Good
requires that the NAT time-out be set to 9 minutes or longer. This will
keep users connected to the network while maximizing the battery
life performance on the device.
Server requirements
All provisioning and upgrading of Good on WiFi-only handhelds
will be performed via Good's Secure OTA process.
4 Installation
This chapter provides detailed instructions for installing Good
Mobile Messaging Server and Good Mobile Control (GMC) Server.
Note: If you are upgrading to Good for Enterprise 6.0, refer to the
Good for Enterprise Upgrade Note.
To get your users up and running, you will need to perform the
following tasks. Each task is explained in detail in the following
sections.
• Install Good Mobile Control Server and Good Mobile Messaging
Servers. The GMC Console will then be available via the Internet.
You’ll need to stop the Domino server before installing Good.
• Configure role-based administration (controlling the GMC
Console features available to an individual or group)
• Set default OTA software policy for handheld families
With the installation complete, you will be ready to prepare
handhelds for use, as described in “Preparing New Handhelds” on
page 105.
Rerunning installation media allows you to select the “Repair”
option. Use this option to change installation settings.
Note: If Good Mobile will be operating in a clustered environment,
refer to “Using Standby Good Mobile Messaging Servers” on page
341. The local security setting “Act as part of the operating system” is
set automatically during the Good Server installation process. This
setting is required for Windows 2003 clustered environments. If you
are not using Windows 2003 clustering and do not want this setting,
you can change it after Server installation is complete.
If Good Mobile Control server and Good Mobile Messaging server
are installed on the same machine, they must both be upgraded, in
that order, before the Domino server is started.
Installing Good Mobile Control Server
Use the following procedure to install Good Mobile Control (GMC)
Server. The GMC Server host machine must be configured as
described in “Checking Prerequisites and System Requirements” on
page 35. This host should be secure (the machine should be located in
a secure location and the proper permissions should be set to control
access to the machine).
Note: Install GMC Server before installing Good Mobile Messaging
Server.
GMC Server and Good Mobile Messaging Server can be installed on
the same host machine.
If GMC Server is installed on a machine separate from Good Mobile
Messaging Server, the machine requires an installed instance of
Domino on it.
We recommend against running BlackBerry™ Enterprise Server on
the same machine as GMC Server, when both are present.
In the case of Windows 2008, before beginning the installation, stop
the local Domino server:
1. Open the Domino console.
2. Connect to the local Domino server.
3. Select File->Quit Controller; wait for the “Server has been
disconnected...” pop-up.
4. Select File->Exit.
To install the Good Mobile Console:
1. Begin by logging on to the machine where the GMC Server is to be
installed. You’ll need “local administrator” privileges for GMC
installation. The GoodAdmin account can be used for GMC
installation but is not required.
2. Execute setup.exe from the Good distribution media.
An Installation Manager screen is displayed.
3. Click Add/Remove for Good Mobile Control.
The program checks for the presence of required Windows and
Domino components, as listed in “Checking Prerequisites and
System Requirements” on page 35. You may be informed that files
are being updated.
Otherwise, installation files are extracted from the Good
distribution media.
The installation wizard is launched to guide you through the rest
of the setup process.
An initial installation window is displayed.
Click Next to begin the installation.
A License Agreement window opens.
4. To proceed with the installation, you must accept the terms of the
Good Technology software license agreement by clicking Yes.
5. Click Next. The installer will check for prerequisite software and
setup. You’ll be prompted if problems exist. Refer to the
Preinstallation chapter if necessary. Click OK at a prompt to
proceed; the installer will rectify the problem when possible.
A Windows NT Account Information screen is displayed.
6. In the Login field, enter the user name and password to be used
when GMC Server runs. For example: Domain\GoodAdmin. The
name isn’t case sensitive. The current logged-in user and domain
are displayed as the default.
Enter the account password you set up for the GoodAdmin
account. The password is case sensitive. The installation wizard
tests the username and password that you provide. If they don’t
work, you are warned.
7. Click Next.
A GMC Server Installation Location screen is displayed.
8. Accept the default location for GMC Server software or browse to
select a different location. If the default folder does not exist, the
wizard will ask you if it should be created.
9. Click Next when done.
A Choose Log Directory screen is displayed.
10. Accept the default location for the Good Messaging log or browse
to select a different location. If the folder does not exist, the wizard
will ask you if it should be created. This directory should be
secure.
This log file records the administrative tasks performed by GMC
Console. It contains auditing information about when the tasks
were performed and who performed them. Event messages are
recorded in the Windows Event Viewer Application log.
For better performance, you can locate the directory on the fastest
local disk. Click Next when done.
Important: Exclude this directory from anti-virus and backup
software, to prevent file contention and performance issues.
The setup program displays the information you have entered.
11. If the information is correct, click Next.
Next, a Setup Type screen is displayed.
Accept the default standalone option, or, if you’re installing in a
clustered environment, choose the failover option and refer to
“Using Standby Good Mobile Messaging Servers” on page 341 for
an explanation of Good for Enterprise in a clustered environment.
Choose the standalone option if you’ll be using cold failover (“Cold
Failover” on page 405).
A screen for selecting the host of the SQL Server is displayed.
12. Select Local (this current machine) or Remote for the SQL Server
host.
If you select Local, the SQL server need not be present. If you
select Remote, it must exist. You might select Remote if, for
example, your organization maintains a database farm to ensure
protection and scalability of application data.
If you select Remote, enter the host name for the Server in the
format Hostname.domain_name (e.g.,
SQLServerHostName.domain.com).
If you use a local instance of SQL Server 2005 Express, you’ll have
the option of enabling automatic backup of the database.
For information on SQL setup requirements for use with GMC,
refer to “Scalability” on page 40.
13. Click Next.
14. Specify the type of SQL instance that the GMC database will be
created in. If you select the Named Instance or Port Number radio
button, you must enter a value in the associated field or an error
will be returned.
Warning: Multiple GMC Servers can share an SQL instance but
must use separate databases within that instance. If two GMC
Servers attach to the same database, data loss may occur.
Do not automatically select the default. You must select the
correct field of the three to describe the instance that is to be
used.
Click Default Instance if the SQL database is to be created in the
default instance, local or remote. If it doesn’t exist, it isn’t created;
an error is returned.
Click Named Instance and provide a name for the instance if the
database is to be created in a named instance. If it does not exist
and is local, it will be created; if it does not exist and is remote, an
error is returned. Choose a meaningful name to avoid future
confusion.
Click Port Number and provide a port number if an instance
using a static port number is to be used. If it doesn’t exist, it isn’t
created; an error is returned.
15. Click Next.
A named database will be created in the SQL Server instance that
you have specified or that is to be created locally. Enter a name of
your choice for the database here. Remember that multiple GMC
Servers can share an instance but must use separate databases.
16. Click Next.
If the SQL database that Good Mobile Control uses is to be created
in an existing instance of an SQL Server and your current logon
username and password are not those required by the Server,
you’ll be prompted for them now.
If you’ve specified that a new instance be created, an
Authentication Mode screen is displayed.
17. Choose an authentication mode for the SQL Server.
Windows Authentication Mode allows you to access the SQL
database using your logon username and password. Mixed Mode
requires you to specify a password for database access. Use mixed
mode if you want access to the database to be controlled by this
separate password.
For mixed mode, enter and confirm the logon password. Observe
the following rules when choosing a password:
• The password must contain all or part of the account name of
the user. Part of an account name is defined as three or more
consecutive alphanumeric characters delimited on both ends
by white space such as space, tab, and return, or any of the
following characters: comma (,), period (.), hyphen (-),
underscore (_), or number sign (#).
• The password must be at least eight characters long.
• The password must contain characters from three of the
following four categories:
- Latin uppercase letters (A through Z)
- Latin lowercase letters (a through z)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters such as: exclamation point (!),
dollar sign ($), number sign (#), or percent (%).
Passwords can be up to 128 characters long. You should use
passwords that are as long and complex as possible.
18. Click Next.
At this point, if the local machine doesn't have Microsoft .NET
Framework 2.0 installed, the setup program will install it. Click OK if
prompted, to initiate the installation.
If the local machine doesn't have SQL Server Express installed, the
setup program will next install it. Again, click OK if prompted to
install it.
19. Specify a location for the database directory by clicking Next to
accept the default or Browse to choose a different location.
If the directory that you specify does not exist, you’ll be prompted
to accept its creation. The destination folder name cannot exceed
50 characters in length.
With the database directory specified, the setup program will
commence installation of the database. A series of progress
screens is displayed.
20. When the GMC Server Registration Information screen is
displayed, enter your license key, serial number, and a name for
the server.
Note that when obtaining your server license keys, the products
may be labeled as follows: GMM (Good Mobile Messaging Server)
and GMC (Good Mobile Control Server).
21. Click Next.
22. You can use an approved proxy server to communicate with Good
Messaging Network Operations Center if you are unable to grant
access via your firewall. The proxy server can be configured
without granting additional access on the firewall.
Note: HTTP/1.1 is required. HTTP/1.0 is not supported. The
Good Mobile Messaging Servers and GMC Servers have been
tested for use with the Squid 2.4 and 2.7 proxy servers and a
NetCache 3100 proxy server (NetApp Release 5.2.1R2) set with
basic configurations.
Proxy Address is the IP address or name of the proxy server to
use.
Proxy Port is the port of the proxy server to use.
User is the username to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
Password is the password to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
To correct/change information entered on this screen, run this
setup program and use its “repair” option.
The proxy server must be configured to allow at least 5 minutes of
idle time before timing out Good Mobile Messaging Server or
GMC Server connections.
The usernames and passwords for connecting to the proxy server
must not contain ':', '@' or '/' characters.
23. Click Next.
24. In the following Setup Type screen, select Domino Directory and
click Next. This assumes that you are configuring Good for use
with a Domino mail system. Make this selection even if your
organizational configuration supports Active Directory.
25. In the following Database Configuration screen, enter the names
of the domain and server, and database name, and then click Next.
26. Choose either of the two options on the next screen as the
authentication type. If your organizational configuration supports
Active Directory, make that selection. If your organizational
configuration supports Domino directories, make that selection. If
your organization supports both, selecting Active Directory is
recommended.
a. If you choose Active Directory, in the following Enter Domain
Information screen, enter the Active Directory domain name to
use for directory lookups for Good Mobile users and then click
Next.
In the following Enter Login screen, enter the name of the user
to be the GMC Console Superuser, and then click Next.
There can be only one Superuser. The Superuser can later enable other
users to perform a subset of console tasks. Only the Superuser
can access the Console the first time. For more on the Superuser
function, refer to “The Superuser” on page 122.
b. If you choose Domino Directory, in the following Enter URL
screen, provide the LDAP directory location (generally, the
Domino server hosting mailboxes has the LDAP directory for
that domain), and then click Next.
Enter the Domino directory’s administrator (Superuser) name
on the next screen.
Only the administrator can access the Console the first time.
For more on the Superuser function, refer to “The Superuser”
on page 122.
27. In the following Automatic Backup screen, provide the path to a
directory for automatic remote backup of the SQL database that
Good Mobile Control uses and then click Next.
Incremental backups occur hourly; a full backup is performed once
a day. This is not configurable. Specify the number of days of
backup copies to keep. The default is 7. To alter backup
parameters, click the check box to disable automatic backup and
use instead the backup facilities of the full version of SQL Server.
For more information about backing up and restoring the SQL
database that Good Mobile Control uses, see “Backing up and
Restoring the Good Mobile Control Database” on page 298.
28. In the following screen, review the information that you have
entered. If correct, click Next to initiate installation of the Good
Mobile Control Server and Console.
29. When the installation process is complete, the following screen is
displayed. Make sure that the “Start GMC Server service” check
box is checked. The GMC Server must be up and running in order
to install Good Mobile Messaging Server, as described in the
following section.
30. Click Finish.
Installing Good Mobile Messaging Server
Use the following procedure to install a Good Mobile Messaging
Server. Repeat the procedure for additional servers as needed. Each
server can manage hundreds of handhelds on multiple Domino
servers. No special preparations are necessary. You assign handhelds
to Good Mobile Messaging Servers according to the organizational
scheme most convenient to you.
The Good Mobile Messaging Server host machine must be
configured as described in “Checking Prerequisites and System
Requirements” on page 35. Use a secure host (the machine should be
located in a secure location and the proper permissions should be set
to control access to the machine).
Note the following:
• Good Mobile Messaging Server can service up to 1,000 handhelds
(850 with GMA and HTML enabled for all).
• Install Good Mobile Messaging Server after GMC Server.
• Microsoft SQL Express will be installed and configured during the
installation of the first Good Mobile Messaging Server, unless you
choose to use an existing SQL Express server.
• If you choose to use an existing SQL 2005 server, you’ll need to
create a database on that server. You can use any name (we
recommend goodmobiledb) and any login (SQL username and
password) for the database. You should have “Database Owner”
rights on goodmobiledb or the created database.
• The host machine should not have an MSDE or SQL server
installed on it if you choose to have SQL Express installed. (SQL
Express supports up to 4GB databases only.) To uninstall SQL if
present, refer to “Uninstalling SQL Server” on page 430.
• When using shared storage across multiple computers, via a
solution such as NAS, SMB/CIFS servers, or Windows shared
folders, Windows must see the drive containing the Good cache
files as a block-level storage device, not as a file-level storage
device. The cache files cannot reside on a drive that is mapped as a
network drive. For example, NAS can be used if the cache is
stored in a VMDK and the VMDK resides on a NAS; however, the
cache cannot be stored directly on a shared drive residing on a
NAS using SMB.
• In order to install the Good Mobile Messaging Server, you must
log in as a member of the Administrators group on that machine.
We recommend that you create a new Windows account for
installing and running Good Messaging services (Good for
Enterprise service, Good Mobile Control service, Good Messaging
Domino directory service, Good server Domino directory service).
After creating the Windows account, assign it “Local
Administrator” privileges, then log on as the new Windows user
and proceed with the installation. If you do not have a Windows
domain, you can use a local administrative machine account;
however in this case to administer Good Servers you will have to
physically log on to this machine and use the GMC Console on it.
To administer the Good Servers using GMC Console from a
remote machine, the Good Services (Good for Enterprise service,
Good Mobile Control service, Good Messaging Domino directory
service, Good server Domino directory service) must be run as a
Windows Domain user.
• We recommend against running BlackBerry™ Enterprise Server
on the same machine as Good Mobile Messaging Server, when
both are present.
• We recommend against installing the Lotus Notes Client on the
same machine as Good Mobile Messaging Server. If such a client is
present, it must reside on a different drive than the Domino server
on the machine.
In the case of Windows 2008, before beginning the installation, stop
the local Domino server:
1. Open the Domino console.
2. Connect to the local Domino server.
3. Select File->Quit Controller; wait for the “Server has been
disconnected...” pop-up.
4. Select File->Exit.
To later change settings that you enter during this installation, use the
repair option available in the installation media.
To install Good for Enterprise:
1. Begin by logging in with any Windows account.
2. Execute setup.exe from the Good distribution media.
An Installation Manager screen is displayed.
3. Click Add/Remove for Good Mobile Messaging Server.
If an earlier version of Good Mobile Messaging Server is detected,
you will be prompted to upgrade it. If the same version of Good
Mobile Messaging Server is detected, you will be prompted to
delete or repair it (change installation settings).
The program checks for the presence of required Windows and
Domino components, as listed in “Checking Prerequisites and
System Requirements” on page 35. You may be informed that files
are being updated.
Otherwise, installation files are extracted from the Good
distribution media.
The installation wizard is launched to guide you through the rest
of the setup process.
An initial installation window is displayed.
4. Click Next to begin the installation.
A License Agreement window opens.
5. To proceed with the installation, you must accept the terms of the
Good Technology software license agreement by clicking Yes.
A server registration screen is displayed.
6. Enter the Good Messaging serial number and site license key.
In some cases, both serial number and license key are contained in
email sent to you by your sales representative. Otherwise, follow
this procedure to obtain the key.
Note that when obtaining your server license keys, the products
may be labeled as follows: GMM (Good Mobile Messaging Server)
and GMC (Good Mobile Control Server).
a. Record the serial number and code number sent to you by
email.
b. Go to http://www.good.com/gmp (Good Monitoring Portal)
to obtain the license key for your Good Mobile Messaging
Server. If you do not have an existing account, click on the
“New Users” link and follow the steps to create a new one in
order to log in.
c. Log in and click on “Add a server license key” under “Common Tasks.” Enter the serial number (s/n) and code from the
email you received.
Once you've entered the necessary information, Good will register your Good Mobile Messaging Server. The server license
key will be displayed at this time (only) in the Good Service
Center and it will be emailed to the email address you specify.
For more on the Portal, refer to “Using the Good Monitoring
Portal Dashboard” on page 249 and “Using the Good Online
License Portal” on page 252.
d. When prompted during Server installation, enter this license
key. If you've previously installed and uninstalled Good
Mobile Messaging Server on this machine, the previous values
that you entered are displayed (if you preserved settings when
uninstalling).
7. Enter a name for Good Mobile Messaging Server (HYDSRV82 in
the example).
This is the name that will appear in GMC Console. The name can
be up to 16 characters long. No spaces allowed. Enter a descriptive
name of your choice.
8. Click Next.
The installation program contacts the Network Operations Center,
confirming the ability of the host to make the connection, and then
validates the license key and serial number that you have
provided.
9. If you’re installing the Messaging Server on the same machine as
the Mobile Control Server, the following alert is displayed.
Click OK to continue.
A Good Mobile Messaging Server Installation Location screen is
displayed.
10. Accept the default location for Good Mobile Messaging Server
software or browse to select a different location. If the default
folder does not exist, the wizard will ask you if it should be
created.
11. Click Next when done.
A Choose Log Directory screen is displayed.
12. Accept the default location for the Good Messaging log or browse
to select a different location. If the folder does not exist, the wizard
will ask you if it should be created. This directory should be
secure.
This log file records the server’s Domino/handheld
synchronization activity for messages and events.
Synchronization error and event messages are recorded in the
Windows Event Viewer Application log.
For better performance, you can locate the directory on the fastest
local disk. Click Next when done.
Important: Exclude this directory from anti-virus and backup
software, to prevent file contention and performance issues.
A Choose Cache Directory screen is displayed.
13. Accept the default location for the Good Mobile Messaging Server
cache or browse to select a different location. If the folder does not
exist, the wizard will ask you if it should be created. For better
performance, you can locate the directory on the fastest local disk.
Specify a local disk, not a network share (such as UNC). Refer to
the bulleted list of requirements at the beginning of this section.
This directory should be secure.
Warning: If you are reinstalling or upgrading, you must specify
the same cache-file directory location that you did for the original
installation. If you specify a different cache-file directory location,
all handhelds will need to be set up again, causing all email/
drafts to be cleared from the handhelds.
Important: Exclude this directory from anti-virus and backup
software, to prevent file contention and performance issues.
14. Choose which Messaging Server you are installing, primary or
standby (failover).
15. Click Next.
A Server proxy screen is displayed.
You can use an approved proxy server to communicate with Good
Messaging Network Operations Center if you are unable to grant
access via your firewall. The proxy server can be configured
without granting additional access on the firewall.
Note: HTTP/1.1 is required. HTTP/1.0 is not supported. The
Good Mobile Messaging Servers and GMC Servers have been
tested for use with the Squid 2.4 and 2.7 proxy servers and a
NetCache 3100 proxy server (NetApp Release 5.2.1R2) set with
basic configurations.
Proxy Address is the IP address or name of the proxy server to
use.
Proxy Port is the port of the proxy server to use.
User is the username to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
Password is the password to use with HTTP/1.1 Basic Authentication for authenticating to the Proxy.
If you used the OverrideURL environment variable with pre-4.0
versions of Good Messaging to implement a proxy server, note
that uninstall does not remove or reset it.
To correct/change information entered on this screen, run this
setup program and use its “repair” option.
The proxy server must be configured to allow at least 5 minutes of
idle time before timing out Good Mobile Messaging Server or
GMC Server connections.
The usernames and passwords for connecting to the proxy server
must not contain ':', '@' or '/' characters.
16. Click Next.
A Windows Account Information screen is displayed.
17. In the Login field, enter the domain and Windows account name.
For example: Domain\username. The name isn’t case sensitive. The
current logged in user and domain are displayed as the default.
Enter the account password. The password is case sensitive. The
installation wizard tests the username and password that you
provide. If they don’t work, you are warned.
18. Click Next.
19. You are given an option to choose an existing SQL Server 2005 or
have a new one installed.
If this Good Mobile Messaging Server is being installed on the
same host machine as the Good Mobile Control Server, choose
“Use an existing SQL Server 2005” as shown, since an SQL Server
was designated or installed already during the GMC installation
process. (Default instance name is “GMC”.)
If this Server is being installed on a different host machine than
the GMC Server, but you want to use an existing SQL Server
2005 instance, such as the remote GMC SQL instance, or some
other remote SQL Server 2005 instance, or an existing instance on
this host machine, choose “Use an existing SQL Server 2005” as
shown. You will need to create a new database in the instance. You
can use any name (we recommend goodmobiledb) and any login
(SQL username and password) for the database. You should have
“Database Owner” rights on goodmobiledb or the created database.
Refer to “Scalability” on page 40 for more on this subject.
Multiple Good Mobile Messaging Servers can share an SQL
instance but must use separate databases within that instance. If
two Good Mobile Messaging Servers attach to the same
database, the database may become corrupted, resulting in
users being disconnected from the Server and other unexpected
issues. An SQL instance is defined as a copy of SQL running on
a computer.
If this Server is being installed on a different host machine than
the GMC Server and you want SQL Server 2005 installed on this
machine, select “Install Microsoft SQL Express 2005.”
20. Click Next.
21. Whether you are using an existing SQL server and database or
having the install program create one for you, you’ll be prompted
for some database information.
Database Address - Enter the database instance name. If the Good
Mobile Messaging Server and Good Mobile Control Server are
installed on the same host machine, enter the name of the instance
assigned when Good Mobile Control Server was installed
previously. (Example: localhost\GMC.) Otherwise, the database
address can be the IP address or the machine name or
machine\instance name, where the instance name is the SQL
instance name on that server.
If the Good Mobile Messaging Server and Good Mobile Control
Server are installed on the same host machine, select
“Dynamically determine port.” Otherwise, enter the port to be
used by the Messaging Server. (Refer to “Scalability” on page 40
for more information.)
Select “Create database” and enter a database name for the new
database (required).
Database Authentication Information - If you choose to have SQL
Express 2005 installed, it is installed in dual authentication mode
(SQL and Windows). However, Mobile Messaging will use the
Windows authentication alone.
Otherwise, if the SQL instance login uses Windows NT
Authentication, check “Use Windows NT authentication.” (This is
the most common scenario).
If the SQL installation uses a user name and password to log in to
SQL server instance, enter the user name and password.
22. Click Next.
23. Enter the host name of the machine where you installed GMC
Server.
If you need to enter a specific GMC Server URL and/or
authorized username, click the Advanced button.
24. Enter a specific URL and username and password as needed. The
username must be for an account that has Manage Server rights
for the GMC Server or is the Superuser.
25. Click OK.
The setup program displays the information you have entered,
plus the Internet address of the Network Operations Center and
other relevant Good Messaging information.
26. If the information is correct, click Next.
Good Messaging and Domino server software is installed.
With installation complete, the Domino server and Good
Messaging services are started.
27. Click Finish.
Note that the Good Mobile Messaging Server database is saved
automatically to a \database\data\MSSQL.1\MSSQL\Backup
folder in the server installation directory. A full backup occurs daily
and, following the first full backup, a differential backup is
performed every hour. The line “Good Messaging: Begin full
database backup.” in nGoodLink.log indicates the start time for the
new day, as supplied by Domino. If this time is other than midnight,
system time has changed since Domino installation or is incorrect.
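The constraints the procedure above places on the server name (step 7), the cache directory (step 13) and the proxy credentials (step 15) can be checked before setup.exe is run. The PowerShell below is an added example, not part of the Good distribution; the function name Test-GmmInstallInput, the D:\GoodCache path and the proxy values are hypothetical, and treating "local disk" as a Windows Fixed drive is this example's assumption.

```powershell
# Added example: pre-flight checks for values the installation wizard asks for.
# Test-GmmInstallInput is a hypothetical helper name, not a Good utility.
function Test-GmmInstallInput {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $CacheDirectory,
        [string] $ProxyUser,
        [string] $ProxyPassword
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Step 7: the name shown in GMC Console is at most 16 characters, no spaces.
    if ($ServerName.Length -gt 16) {
        $problems.Add("Server name is $($ServerName.Length) characters; the limit is 16.")
    }
    if ($ServerName -match '\s') {
        $problems.Add('Server name must not contain spaces.')
    }

    # Step 15: proxy username and password must not contain ':', '@' or '/'.
    # Only the field name is reported, never the value.
    $forbidden = [char[]]':@/'
    if ($ProxyUser -and $ProxyUser.IndexOfAny($forbidden) -ge 0) {
        $problems.Add("Proxy user contains ':', '@' or '/'.")
    }
    if ($ProxyPassword -and $ProxyPassword.IndexOfAny($forbidden) -ge 0) {
        $problems.Add("Proxy password contains ':', '@' or '/'.")
    }

    # Step 13: the cache must sit on a local disk, not a UNC path or mapped network drive.
    if ($CacheDirectory.StartsWith('\\')) {
        $problems.Add('Cache directory is a UNC path.')
    } elseif ($CacheDirectory -notmatch '^[A-Za-z]:\\') {
        $problems.Add('Cache directory is not an absolute drive-letter path; its disk cannot be checked.')
    } else {
        $letter = $CacheDirectory.Substring(0, 1)
        $drive = New-Object System.IO.DriveInfo -ArgumentList $letter
        if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
            $problems.Add("Drive $($drive.Name) is a mapped network drive.")
        } elseif ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
            # Assumption of this example: "local disk" means DriveType Fixed.
            $problems.Add("Drive $($drive.Name) is of type $($drive.DriveType), not a fixed local disk.")
        }
    }

    # Leading comma keeps an empty result as an array instead of $null.
    return ,$problems.ToArray()
}

# Constructed sample values; HYDSRV82 is the server name used in the guide's example.
$issues = Test-GmmInstallInput -ServerName 'HYDSRV82' -CacheDirectory 'D:\GoodCache' `
    -ProxyUser 'svc_proxy' -ProxyPassword 'ex@mple'
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'All checks passed.'
}
```

Run the check in the same Windows session that will run the installer: drive mappings are per logon session, so a mapped drive can be invisible (and reported as not fixed) from a different or elevated session.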
Enable detailed calendar reminder notifications
To add subject/location information to iOS Calendar reminders, set
the registry as follows and restart the GoodLink Server service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\PushManager]
"SendSubjectLocation"="1"
where
"sendsubjectlocation"="1" ; Send the subject and location
"sendsubjectlocation"="0" ; Send the default generic Event Reminder message.
Note: Only calendar items created after this change will contain
detailed calendar reminders.
Configuring the Good Mobile Control Console
Access the Good Mobile Control Console using Microsoft Internet Explorer
7/8/9, Firefox 3.5/8/9/10, or Google Chrome 10/11. Use the Console
to manage Good Messaging and Good Connection users and
handhelds.
Note: First Console access must be by the Superuser specified during
GMC Server installation.
Launch the Console using https://servername:8443 or http://servername:8080,
where servername is the name of the machine on
which Good Mobile Control Server is installed. You cannot access the
console from a browser on the GMC machine. Use your Windows
username and password to log in. The role that you have been
assigned (“Setting Up Role-Based Administration” on page 96)
determines your Console rights and the actions that you can perform.
You must be a member of a role to use the Console. All Good Servers to
be managed through the Good Mobile Control register themselves
with the Center during installation and will be available to you
through the Console.
Note: The GMC session in your browser will time out after one hour
of no activity. The timeout is not configurable.
You can disable auto-completion of password entry (remembering
login credentials) on the Console login page. To do so, on the Settings
tab select “Good Mobile Control - User Settings” and check the
“Disable remembering login credentials” checkbox.
Importing a Certificate
To import a certificate for the Console Server:
1. Open a command prompt.
2. Go to
C:\Program Files\Good Technology\Good Mobile Control\bin
3. Run the .bat file
c>importCertificate.bat
4. Select certificate type - 1 or 2. (Good recommends getting a PKCS12
format file.)
5. Point to the location of the filepath.
6. Enter the password for the certificate file.
7. Complete the process. Then restart GMC Services for the change
to take effect.
8. On all workstations where the Console is to be launched using IE
or Firefox, create a permanent trust by importing the certificate
chain of the CA.
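Before the PKCS12 file is handed to importCertificate.bat, it is worth confirming that it opens with the password you have, contains one certificate with a private key, and is within its validity period. The PowerShell below is an added example, not part of Good Mobile Control; the function name Get-Pkcs12Summary and the file path are hypothetical placeholders.

```powershell
# Added example: summarize a PKCS#12 file before running importCertificate.bat.
# Get-Pkcs12Summary is a hypothetical helper name, not a Good utility.
function Get-Pkcs12Summary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $plain = (New-Object System.Net.NetworkCredential -ArgumentList '', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

    # Throws a CryptographicException if the password is wrong or the file cannot be parsed.
    $certs.Import($fullPath, $plain, $flags)

    $now = Get-Date
    try {
        foreach ($c in $certs) {
            [pscustomobject]@{
                Subject       = $c.Subject
                Issuer        = $c.Issuer
                NotBefore     = $c.NotBefore
                NotAfter      = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey
                ValidNow      = ($c.NotBefore -le $now) -and ($now -le $c.NotAfter)
                # Heuristic only: compares the printed names, not the signature.
                SelfIssued    = ($c.Subject -eq $c.Issuer)
            }
        }
    } finally {
        # Release the certificate objects and any key material loaded with them.
        foreach ($c in $certs) { $c.Reset() }
    }
}

# Placeholder path; replace with the file you were issued.
$pfxPath = 'C:\certs\gmc-console.pfx'
$summary = @(Get-Pkcs12Summary -Path $pfxPath -Password (Read-Host 'PKCS12 password' -AsSecureString))

$withKey = @($summary | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with a private key, found $($withKey.Count)."
}
$summary | Where-Object { -not $_.ValidNow } |
    ForEach-Object { Write-Warning "Outside its validity period: $($_.Subject)" }
if ($summary.Count -lt 2) {
    Write-Warning 'The file holds no CA certificates; obtain the CA chain separately for the workstation import in step 8.'
}
$summary | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ValidNow -AutoSize
```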
Restoring a Certificate into GMC Server
To restore a certificate:
1. Open a command prompt.
2. Go to
C:\Program Files\Good Technology\Good Mobile Control\bin
3. Run the .bat file
c>RestoreCertificate.bat
The original certificate is restored.
Importing a Certificate into Internet Explorer
This optional procedure allows you to use your own signed CA.
Follow a similar procedure for Firefox.
The root CA certificate or certificate chain must be imported into IE
or Firefox for workstations used to access the Console. If the
certificate is signed by Verisign or any other industry-standard
certificate authority, IE is preloaded with the certificate and the
following procedure is not required.
1. Open an IE browser session.
2. Click on Tools > Internet Options. Tools can be found in the upper
right-hand corner of the browser, just above the border of the web
page you are viewing.
3. Click on the Content Tab.
4. Click on Certificates.
5. Click on Import.
6. Click Next on "Welcome to the Certificate Import Wizard."
7. Use Browse or type in the filepath and name of the certificate file.
8. Select the first radio button "Automatically select the certificate
store based on the type of certificate."
9. Click on Finish.
Understanding Console Filters
You’ll use the Console to display and manage lists of users,
handhelds, and servers and information about them. You can
configure filters to limit the lists to those specific items that you are
interested in. With only items of interest displayed, you can apply
bulk actions, such as applying the same policy settings to all the
handhelds that you choose.
Note to users of earlier versions of Good Messaging: In this version,
filters serve much the same purpose as groups in earlier versions, for
use in applying the same action to more than one user, handheld, or
server at a time.
To configure filtering, use the left panel on the Handheld and Server
pages. You can hide or display this panel on the Handhelds page by
clicking the arrow in the panel’s right border and on the Servers page
by using the Show/Hide Filters button.
On the Handhelds page, the left panel automatically lists all policy
sets, servers, and platforms. Clicking check boxes within a category
limits the handhelds listed to those in the selected items. Clicking
check boxes in more than one category limits the handhelds listed to
only those that are included in at least one selected item in each
category.
Setting Up Role-Based Administration
Note: If you installed GMC with Domino Directory as the
authenticator type, role-based administration is not supported.
When you installed GMC Server, GMC Console and Mobile GMC
Console were made available to you on the Internet.
You’ll be using GMC Console to manage the Good Messaging
handhelds and servers. You can control and limit the tasks performed
by an individual or group using GMC Console. For example, you can
configure the console so that some individuals can use it only to set
up handhelds and not to add or remove users from Good Mobile
Messaging Servers. To do so, you’ll create roles for different users and
for GMC Console. The Console comes with several predefined roles
that you can use (roles for service administrator, administrator, and
helpdesk). You can also create additional roles now. Finally, you can
create, delete, and reassign roles at any later time as needed.
A member of two roles receives the rights of both roles.
Note: The first time you launch the Console, you must be logged on
as the Superuser you specified when installing the GMC Server. For
more on the Superuser function, refer to “The Superuser” on
page 122. You can then use the Console to grant access to other
accounts using the Role Based Administration feature.
The Superuser automatically has all rights and need not be assigned
to a role.
To create new roles and limit access to GMC Console features,
perform the following steps:
1. Log in to the GMC Console.
2. Click the Roles tab.
A list of all currently defined roles is displayed in the left panel.
Default Roles: Default Rights
• Service Administrator: All rights: Add user for OTA Setup, Delete user,
Erase handheld data and lock out user, View user OTA setup PIN,
Manage servers (Manage Good Mobile Messaging Server: Clear Server
statistics using the Console; display Server license key in Server
Properties window; Upload custom software; Configure OTA Setup
software download), Manage handheld policy and software, Handheld
authentication, Add and remove custom software, Manage roles, View
only administration, Add and Remove Custom Software, Manage OTA
Email Templates
• Administrator: Add user for OTA Setup, Delete user, Erase
handheld data and lock out user, Manage handheld policy and
software, Handheld authentication, Add and remove custom
software, View only administration, Manage OTA Email Templates
• Help Desk: Add user for OTA Setup, Delete user, Erase
handheld data and lock out user
3. To add a new role, click the Add link above the left panel.
The Add Role page opens.
4. Enter a name for the new role and describe its purpose. For
example, if the role is to provide the IT administrator with full
rights for use of the console, you might name the role Good
Messaging Admin and in Description type “This role grants full
console rights to the IT administrator.”
5. Click the Add Role button.
By default the new role is assigned View-Only Administrator
rights (view all data except sensitive data such as OTA PINs).
6. Click on “Change the rights for this role.”
The Change Rights page opens.
7. Click the All Rights radio button to give this role full rights in the
console (view and edit all data). These are the default rights for
the Service Administrator role.
8. Click on Custom and click on individual rights to limit this role’s
use of the console.
9. Click the Custom radio button and check the boxes for the desired
rights for the role.
Handheld Rights
• Add handheld for a user - Add first handheld for a user.
• Delete handhelds
• Manage handheld policy and software - Modify inheritance
and customize handheld policy (except Handheld
Authentication policies, unless that role is also checked)
• Handheld authentication - Modify handheld authentication
policies
Handheld Security Rights
• Erase handheld data and lock handheld.
• View OTA setup PIN
Servers Rights
• Manage servers - Manage servers. Includes the ability to check
IP ranges, upload server logs, manage backup settings, and
view complete server information such as license key.
Deployment Rights
• Manage roles - View, create, edit and delete roles. Includes the
ability to manage rights and membership for a role.
• Manage OTA email templates - Create, edit and delete OTA
Email Templates.
• Manage custom software - Upload and remove custom
software.
10. Click on Update to save your changes.
11. To remove users from this role, click the check box next to each
user to be removed and click Delete.
12. Click on the Add button under Members to add users to the role.
The Add Role Members page opens.
13. Choose a domain from the dropdown and enter the partial name
of a corporate user to be added to the role. Click Look Now and
then select the desired name(s) in the panel for search results.
14. Click Add to add this name to the new role.
Setting Software Download Defaults
You can ensure that the desired versions of Good Messaging and
custom third-party software are installed when performing wireless
downloads to handhelds. Use the GMC Console to set the global
policy defaults for wireless download for each handheld family. This
consists of specifying which version of the applications should be
downloaded to handheld types by default.
Viewing and changing these download defaults is explained in
“Application Management” on page 175.
5 Preparing New Handhelds
As the administrator responsible for the maintenance and
management of Good Messaging handhelds, you will need to set up
handhelds for new users. You can do this for one or more users at a
time.
Each user/handheld is configured for setup and maintenance
wirelessly.
The OTA-only (wireless Over The Air) user will always use OTA to
complete setup of the handheld, and can later upgrade software on
the handheld wirelessly. The method offers IT the fastest and
lowest-cost means of setting up handhelds. Minimal steps are required by
the user.
If your installation includes WiFi-only handhelds, refer to “Good
Secure WiFi: Prerequisites and System Requirements” on page 46.
Refer to “Scalability” on page 40 for information on the number of
handhelds supported by Good Servers.
Up to ten handhelds per user are supported.
Preparing for Handheld Setup
This section describes how to set up a new handheld wirelessly, using
the Good Mobile Control (GMC) Console. To set up multiple users at
the same time, refer to “Setting Up Handhelds for Multiple Users
(OTA)” on page 117.
Note: A user’s account can be made available on multiple handhelds.
The “Add multiple handhelds to a user” right is necessary to
accomplish this.
Handhelds should have the following available memory:
• Android total memory footprint:
- Application: 16.6MB (compressed download file)
- Runtime footprint: ~22.5 (no data)
- Attachment cache: The larger of (1) 10MB or (2) size of last
attachment downloaded
- File repository: No limit.
• Palm OS: 14.5MB
• Pocket PC: 12MB (14MB for Treo 700WX)
• Smartphone: 12MB
Refer to the iOS and Android release notes for the latest information
on device memory footprints.
Contact your authorized service representative for additional
information on memory requirements.
The handheld battery should be fully charged (an alert will be
displayed if the battery is below 25%).
Wireless Setup Preparation
1. Confirm with your service or sales representative that the
handheld is a supported type.
The handheld must have active, supported voice and network
data services. The user can make a call and browse the web with
the handheld to confirm the presence of these services. Note that
some supported data services may not support roaming; Good
Messaging, like the handheld browser, will not operate outside
the service area in these cases. If calling or browsing fails, contact
your wireless service provider to add the missing service to your
service plan.
Visit http://www.good.com for more information.
An SD card is recommended for handhelds without flash memory,
to be used by the Good Messaging software for backup.
For GPRS devices, a SIM card is required.
2. Users will be informed automatically by GMC Console when you
perform the wireless handheld setup. The Console will email
instructions to the user’s mail file describing how the user is to
complete the setup wirelessly.
We recommend that you alert users in advance to expect these
Good Messaging email instructions and to fully charge their
handhelds before performing the setup. They will need to be in
radio coverage for the setup to complete successfully.
3. You can set up more than one handheld per user.
4. Treo setup: Palm® Desktop is not required for Good Messaging
setup, but if it is present on the user’s computer, the user should
set it to “I have another PIM and/or existing 3rd party
synchronization software I would like to use.” The user should
not set it to synchronize with Palm Desktop. If necessary, the user
should reinstall Palm Desktop with this setting.
Treo handhelds may require a ROM update. For more
information, go to http://www.good.com/gmp. (You’ll be
required to log in to access the site.) Click on Documentation for a
note that explains how to check the Treo’s ROM version and how
to update it. Click on Software Downloads to download the
updater that you need.
Note that Good for Enterprise 6.0 Client does not support Palm;
Good Mobile Control Console does support earlier Client versions
that include Palm support.
5. Before adding users to Good Mobile Messaging Servers for OTA
setup, the server software download policies must be set up as
explained in “Managing Software Policies” on page 211. This is
true for adding users in GMC Console using the Add handhelds
link, or using the Import facility or the command-line
GoodLinkAddUser utility for download to the handheld of the
default software versions.
6. You can position the Good Messaging client software on SD cards
or handhelds in advance. Later, when the handheld user
completes the Good Messaging setup, the client software will be
installed from this location.
a. Set the policy to enable client installation from SD card or
handheld (step 9 on page 214).
b. Download the client software package from
http://www.good.com/download.
c. Transfer the client software to a mountable file system on the
handheld, such as a storage card, in the location that you
specified when you configured the policy in the Console.
Palm - GLPkgPalm.prc
PPC2003 - GLPackage.cab
SP2003 - Smartphone.cab
PPC2005 - GLPackage2005.cab
SP2005 - Smartphone2005.cab
Setting Up the Handheld
Setting up the handheld for the first time consists of:
• Adding the handheld to the Good Mobile Messaging Servers and
GMC Server
• Installing Good Messaging software wirelessly
• Data exchange between the handheld and Domino
• Generation of an encryption key
• Activation with the Good Messaging Service
• Wireless synchronization of the handheld with the user’s Domino
account
• Downloading optional third-party applications
Note: If a user’s Domino profile changes between roaming and non-roaming,
the user’s handheld will have to be set up again. That is, if
the profile changes to roaming, Good Mobile Messaging Server will
use the roaming databases for storage. If the handheld is not set up
again, Good Mobile Messaging Server will incorrectly continue to
synchronize the user’s address book and journal to the iNotes
address book and iNotes journal (in the user’s mail file). If a roaming
user's journal and/or address book cannot be accessed when the
handheld is set up, Good Mobile Messaging Server will synchronize
the address book and/or journal to the iNotes address book and/or
iNotes journal.
Up to ten handhelds per user are supported.
To set up a new handheld Over The Air:
1. Click the Add handhelds link in the Quick Start box on the GMC
Console home page, or click the Add Handhelds button on the
Handhelds tab.
2. Enter a full or partial first or last name in the “Find user” field and
click the Look Now button to list matching individuals in your
corporate directory. Click on the user name in the search results to
add a user with handhelds that you want to set up to the user list
on the Handhelds tab (maximum of 75). They’re added in the
“Add new handhelds for” box.
To add multiple users, select them one by one.
(To add multiple users at one time by importing names from a file,
refer to “Setting Up Handhelds for Multiple Users (OTA)” on
page 117.)
3. Use the pulldowns to the right to assign the user(s) of the
handheld(s) to a Good Mobile Messaging Server and to assign a
policy set to the user(s).
The Good Mobile Messaging Server will manage the handheld’s
synchronization with the user’s Domino mail file.
You can manage a user’s handheld behavior using a variety of
policy settings. The Console maintains a default version of these
settings. You can change the default settings at any time.
To change a policy set or add a new set for use by this handheld,
refer to “Creating and Changing Handheld Policy Sets and
Templates” on page 129 after setup is complete.
Software to be installed: The software to be installed on the
handheld is specified by the settings in the policy set that the
handheld uses.
To change the software package and settings for the policy set
used by the handheld, refer to “Managing Software Policies” on
page 211.
Check this section also if you want to set up the handheld from an
SD card. You’ll be changing a policy set’s software deployment
policies so that the installation source is a storage card.
4. Click the Add button.
The user(s) are added to the current list of users/handhelds on the
Handhelds tab.
If the user is already set up with a handheld and you’re adding
another handheld for the same Domino account (SMTP email
account), it will be treated as a new user/handheld item, on a
separate line. The user with more than one handheld running his/
her account is displayed in the Console once each for every
handheld. In other words, there is a one-to-one correspondence in
the user list between user and handheld.
User name, email address, group, policy set, and assigned servers
are displayed by default in the row for the handheld. The other
values in the row will be filled in automatically during the setup
process. Use the icon in the far-right column to select which
columns are to be displayed.
The handheld is added to the Good Mobile Messaging Server. At
the same time, the wireless handheld setup process, described in
the following section, commences.
OTA Setup Process
The following sequence completes the handheld setup. A detailed
description is provided in the User’s Guide.
Note: For iOS and Android, refer to “OTA Setup Process - iOS/
Android” on page 113.
• The Console sends an email message to the user. The message
contains a PIN and a link to the Good wireless software download
site (https://get.good.com).
You can display the PIN and URL information at the Console by
going to the OTA link in the handheld's properties page. (Click on
the user’s name and go to the OTA link available in the left-hand
pane). You can set policies for PIN expiration and reuse (refer to
“Creating and Changing Handheld Policy Sets and Templates” on
page 129). If the PIN has an expiration date/time, that date/time
is included in the email message to the user. The date/time are
also displayed in the OTA link in the handheld's properties page.
• When the user goes to the download site and clicks Download
Now using the handheld browser, the site downloads the OTA
Setup executable to the handheld.
• The user is prompted to save OTA Setup.
• The user launches OTA Setup and follows the prompts to
complete Good Messaging software package installation. The user
enters his/her email address and the PIN during this installation.
Setup is completed automatically, wirelessly, as described in
“Completing the Setup Process” on page 115.
OTA Setup Process - iOS/Android
The following sequence completes the iOS or Android setup.
Detailed descriptions are provided in the Good for Enterprise for iPhone
User’s Guide, Good for Enterprise for iPad User’s Guide, and Good for
Enterprise for Android User’s Guide.
• The Console sends an email message to the user. The default
message contains the email address, a PIN (and expiration date, if
applicable), and a URL address. You can edit this message, create
customized messages for different users or groups of users, or
suppress the message. To do so, refer to “Customizing the OTA
Setup Email Message” on page 217.
1. The user should make sure that his or her iOS or Android device
is fully charged and its wireless connection is active.
2. The user employs the device browser to navigate to the URL
address provided in the welcome email. The user
selects the download link.
3. An App Store or Android Market page opens on the device.
4. The Free button transforms into an Install button when tapped.
The user taps the Install button.
5. The user enters his or her device password when prompted, and
taps OK.
A loading icon appears on the Home screen.
6. With loading complete, the user can tap the new Good icon and
tap Start on the information screen that is displayed; then tap as
necessary to accept license information.
7. The user enters his or her email address and PIN. If the PIN has
expired, they must contact you, the administrator.
8. If you have set a policy requiring a password to access Good for
Enterprise, the user will be prompted to enter and confirm a
password. A message will display any restrictions that you’ve set
on the password (minimum length, special characters, etc.).
The user will be prompted to choose whether to delete the
device’s existing onboard native contacts, replacing them with the
user’s Outlook contacts, or whether to add the Outlook contacts to
the existing contacts on the device. Whichever the user chooses,
once setup is complete, changes to the Outlook and device
contacts will be synchronized.
Good for Enterprise now automatically synchronizes the device
with information in the Outlook account. When synchronization
is complete, the “Welcome to Good for Enterprise” message that
was received will appear in the device email Inbox.
Completing the Setup Process
Once started, handheld setup occurs automatically over the air (and
through the App Store for iOS).
During this time:
• The handheld is activated with the Network Operations Center.
To become fully operational, the handheld will send a message
through the wireless network, establishing a connection with the
Good Mobile Messaging Server managing the handheld.
• User policies are downloaded from Good Mobile Messaging
Server, including password restrictions and Good Messaging
software versions to be used. Encryption keys are generated for
wireless communication.
• Good Messaging software is downloaded to the handheld. (If
you’ve set software deployment policies to install from SD card or
a handheld directory, and the required client file is present in that
location, the Good Messaging software is installed from there. If it
isn’t found there, it is installed OTA.)
• Lotus Notes and handheld data are synchronized between PC and
handheld. For initial setup, synchronization consists of importing
the data from the user’s mail file to the handheld.
The following are synchronized from the user’s Domino Server
account:
- All contacts in the top level Contacts folder
- Calendar appointments beginning one week in the past, and all
future appointments including recurring events
- All uncompleted tasks. However, recurring tasks are not
supported. Only the first instance of a recurring task appears
on the handheld.
- Email folders, except for Outbox and Drafts. Sent Items
headers are synchronized only if you configure the user policy
to do so. During synchronization, the 100 most recent emails in
the Inbox and in Sent Items are sent to the handheld. For
emails older than 3 days, only the headers are sent.
- All notes (the first 4K of note bodies)
The handheld synchronizes information stored on the Domino
server. It does not synchronize information stored in local folders
on the user’s computer.
During this phase of setup, activity screens are displayed on the
handheld. Setup time varies depending upon the amount of user
data and coverage quality. Typically, handheld setup requires
about twenty minutes.
• The user will be prompted to back up the Good Messaging
applications. The user clicks OK and provides a passcode when
prompted. The passcode must be at least 4 characters. All
characters are allowed.
• Mandatory OTA policies that are set for more than 5 users are
implemented in staggered fashion. The policies themselves are
sent to the handhelds immediately, as soon as there is activity on
the handhelds; however, when the user checks for scheduled time
of download, the time will range between 8 P.M. and 2 A.M.
• When progress messages stop appearing, the handheld is fully
synchronized. Recharge it to full strength if necessary.
• To test the handheld, you can send a message from the handheld
to your administrative account or from your account to the user.
Confirm that you receive the message from the handheld or that
the handheld receives your message to the user.
• Warning: If the user for this handheld employs email filters to
automatically file new email into Inbox subfolders, the user may
want these subfolders also synchronized on the handheld.
To enable subfolder synchronization, so that new email filed to
them will automatically be available on the handheld, select
Preferences | Email Delivery on the handheld. Then bring up the
menu and select Add Folder. To display Inbox subfolders, select
Inbox, bring up the menu, and select Open. Select a subfolder to
be synchronized, bring up the menu, and choose Select.
As during setup, the user does not need cradle or cable to use the
handheld. All email and PIM synchronization occurs wirelessly.
Important: For security reasons, Good does not allow backup of your
Good data to iTunes or iCloud, as doing so could make your
corporate data accessible to unauthorized users. Since this data is not
backed up to iTunes or iCloud, it cannot be restored as part of any
iOS upgrade or restore from backup that you perform. As a result,
you'll need to set up your device again, updating and re-syncing the
Good for Enterprise application; that is, after the iOS upgrade or
backup, you'll be taken to a provisioning screen and be prompted for
your email address and PIN.
Setting Up Handhelds for Multiple Users (OTA)
You can set up multiple handhelds (one per user) by importing user
names from a list. The handhelds will be set up using the current
default policies and software package.
To set up multiple handhelds:
1. From the “Select Import/Export Action” dropdown menu in the
Handhelds tab in the GMC Console, select “Import Handhelds
From File.”
An Import window is displayed.
2. Select or enter the name of a .csv file containing a list of the
handheld users to be added. The list should be in the following
format.
All parameters must be listed in the header.
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server, PolicySet,DN,Good Mobile Access, PolicySet GUID,GMM Server GUID,GMI Server GUID, Handheld GUID
Required fields (the rest can be left blank) for each handheld:
Display Name is the display name of the handheld user. If the
display name has a comma in it, the name should be enclosed in
quotation marks. If no display name is defined, the comma alone
is included in the line.
Alias Name is the mail file name (alias) of the handheld user.
Server Name is the name of the Good Mobile Messaging Server that
is to manage synchronization for the user/handheld.
DN - Domino distinguished name.
You can add a # to the beginning of a line to enter a comment line.
Use the Export function on your GMC Console to generate a
sample based on your current Good Messaging setup. You can use
Export or Export Statistics files as Import files.
3. Click Open.
Handhelds for the users listed in the file are added to the Good
Mobile Messaging Server. The Good Mobile Messaging Server
specified for each user will manage synchronization with Domino for
the user’s handheld when the handheld is set up for use.
If there is an error in user name or Good Mobile Messaging Server
name, the error is logged in the applications portion of the Windows
Event Viewer.
The GMC Console now sets up the handhelds for the listed users
wirelessly, as described in “OTA Setup Process” on page 113.
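Because errors in the import file only show up afterwards in the Windows Event Viewer, it helps to check the file before importing it. The following pre-flight check is an added example, not part of Good's software: it applies the format rules above (header columns, # comment lines, quoted display names, the fields that need a value). The function names, the known_servers parameter and the sample rows are assumptions made for illustration.

```python
import csv

# Header exactly as printed in the guide (including its spaces after commas).
HEADER_LINE = (
    "Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,"
    "Phone,Handheld Type,Good Intranet Server, PolicySet,DN,Good Mobile Access,"
    " PolicySet GUID,GMM Server GUID,GMI Server GUID, Handheld GUID"
)


def parse_line(line):
    """Split one CSV line, tolerating spaces after commas."""
    reader = csv.reader([line], skipinitialspace=True)
    return [cell.strip() for cell in next(reader)]


HEADER = parse_line(HEADER_LINE)
# Fields that must carry a value. Display Name is also listed as required,
# but the guide allows it to be empty ("the comma alone"), so only its
# column has to be present.
MUST_HAVE_VALUE = ("Alias Name", "Server Name", "DN")


def validate_import(text, known_servers=None):
    """Return (rows, problems); problems are (line_number, message) tuples.

    known_servers is an optional set of Good Mobile Messaging Server names
    (hypothetical parameter) used to catch misspelled server names early.
    """
    rows, problems, header = [], [], None
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment line
        cells = parse_line(line)
        if header is None:
            header = cells
            missing = [c for c in HEADER if c not in header]
            if missing:
                problems.append((number, "header is missing: " + ", ".join(missing)))
                return rows, problems
            continue
        if len(cells) != len(header):
            problems.append((number, "expected %d fields, found %d "
                             "(unquoted comma in a name?)" % (len(header), len(cells))))
            continue
        row = dict(zip(header, cells))
        empty = [c for c in MUST_HAVE_VALUE if not row[c]]
        if empty:
            problems.append((number, "empty required field: " + ", ".join(empty)))
            continue
        if known_servers is not None and row["Server Name"] not in known_servers:
            problems.append((number, "unknown server %r" % row["Server Name"]))
            continue
        rows.append(row)
    return rows, problems


def sample_line(display, alias, server, dn):
    """Constructed test data: fill only the four fields the guide names."""
    cells = [""] * len(HEADER)
    for column, value in (("Display Name", display), ("Alias Name", alias),
                          ("Server Name", server), ("DN", dn)):
        cells[HEADER.index(column)] = value
    return ",".join(cells)  # naive join on purpose; quoting is up to the caller


# Constructed sample for illustration, not real export data.
SAMPLE = "\n".join([
    "# constructed sample for illustration",
    HEADER_LINE,
    sample_line('"Example, Alice"', "aexample", "GMMS01", "CN=Alice Example/O=Example"),
    sample_line("Example, Bob", "bexample", "GMMS01", "CN=Bob Example/O=Example"),
    sample_line("", "cexample", "GMMS01", "CN=Carol Example/O=Example"),
    sample_line("Dan Example", "dexample", "GMMS99", "CN=Dan Example/O=Example"),
    sample_line("Eve Example", "eexample", "GMMS01", ""),
])

if __name__ == "__main__":
    good, bad = validate_import(SAMPLE, known_servers={"GMMS01"})
    print("%d rows ready for import" % len(good))
    for number, message in bad:
        print("line %d: %s" % (number, message))
```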
Adding Custom Software (OTA)
To add or delete custom applications (“Custom”) to/from the
software package for a specific Good Mobile Messaging Server, refer
to “Custom Applications: Adding to and Deleting from the Software
Package” on page 219.
Interaction with WiFi
Depending on the type of networking supported by a handheld,
Good Messaging can use either a standard mobile phone network
(such as GPRS) or WiFi to access the corporate network, synchronize
mail, and more. While standard mobile phone networks have broad
availability, WiFi supports much higher data transfer rates.
For devices that support both standard and WiFi connections:
• Good Messaging stays connected when the user moves from a
standard connection to a WiFi connection.
• Some handhelds automatically switch between WiFi and standard
connections, which can impact connection speed and battery life.
The user may not be able to connect using WiFi if:
• The corporate network doesn’t allow users to connect to the
Internet via WiFi.
• The corporate network does not allow UDP connections to the
Internet.
• The access point to the corporate network requires a VPN or other
types of filtering.
Note: If the WiFi connection cannot be activated, the user may need
to turn off the WiFi radio on the handheld and reconnect using a
standard mobile phone network.
For more information, review the WiFi documentation included with
the handheld.
To set policies that control iOS WiFi use, refer to “Network
Communication” on page 146.
6 Managing the Handhelds
Once the handheld is activated and in use, you may need to perform
the following tasks to maintain the Good Messaging setup:
• Limiting access to Good Mobile Control (GMC) Console facilities
(Role-Based Administration)
• Changing user handheld policies
• Changing client software policies
• Updating handheld software wirelessly
• Adding and deleting handheld software
• Generating a temporary password for a locked handheld
• Pausing messaging for a handheld
• Locking a user out of his/her handheld
• Clearing (removing all user data from) the handheld
• Viewing current handheld operational status, including a list of
paused user handhelds
• Removing a handheld from Good Mobile Messaging Server
• Viewing, exporting, and clearing handheld statistics
• Generating a list of users, serial numbers, and their Good Mobile
Messaging Servers
• Exporting software and policy information.
• Changing a user’s name, Domino server, Good Mobile Messaging
Server, or handheld
Note: OTA Setup functionality described in the following sections
requires GoodLink Client version 5.0 or higher. Much of the security
requires Client version 5.0 or higher. Also, although 5.0 Servers
support the 6.0 Client, the 6.0 Client requires the 6.0 Servers as
described in this guide to fully take advantage of new Client features.
Use the GMC Console in the following procedures. Limit access to
GMC Console facilities by using the procedure described in
“Maintaining Roles.”
Maintaining Roles
You use GMC Console to manage the Good Messaging handhelds
and servers. You can control and limit the tasks performed by an
individual using GMC Console. For example, you can configure the
console so that some individuals can use it only to set up handhelds
and not to add or remove users from Good Mobile Messaging
Servers. To do so, you’ll create roles for different users for GMC
Console. Roles for service administrator, administrator, and helpdesk
are packaged with the Console.
The Superuser
The Superuser is handled differently in the Console from the other
users. The Superuser is granted all rights and can perform some tasks
that no other user can perform. The Superuser does not need to be
assigned to a role. There can be only one Superuser.
You specify a Superuser name during Good Mobile Control Server
installation. You can change this name later on the Settings tab.
The Superuser must run the GMC Console the first time it is
accessed, and can then provide rights/roles for other users.
The Superuser has all rights, including the following rights
unavailable to all other roles:
• Create new roles
• Enable FIPS for handhelds
• Enable detailed logging for handhelds
• Pausing handhelds
Note: If you change the Superuser, you’ll lose your current Superuser
rights when you exit the Console.
To change the Superuser:
1. In the GMC Console, click the Settings tab.
2. Click the Superuser link in the left panel.
3. Click Change Superuser.
4. Choose a domain from the dropdown menu and enter the partial
name of a corporate user. Click Look Now and then select the
desired name(s) in the panel for search results.
5. Click Change Superuser to assign the user as the Superuser.
Creating, Configuring, and Customizing Roles
To create additional roles (if the default roles are not sufficient) to
limit access to GMC Console features:
1. Log in to the GMC Console.
2. Select the Roles tab.
A list of all currently defined roles is displayed in the left panel.
3. To add a new role, click the Add link above the left panel.
The Add Role page opens.
4. Enter a name for the new role.
5. Under Description, describe the purpose of the role. For example,
if the role is to provide the IT administrator with full rights for use
of the console, you might name the role Good Messaging Admin
and in the description type “This role grants full console rights to
the IT administrator.”
6. Click the Add Role button.
By default the new role is assigned View-Only Administrator
rights (view all data except sensitive data such as OTA PINs).
7. Click on “Change the rights for this role” in the right panel to
assign different rights to any new or existing role.
The Change Rights page opens.
8. Click the All Rights radio button to give this role full rights in the
console (view and edit all data). These are the default rights for
the Service Administrator role.
9. Click on Custom and click on individual rights to limit this role’s
use of the console.
Handhelds
• Add handheld for a user - Add first handheld for a user.
• Delete handhelds
• Manage handheld policy and software - Modify inheritance
and customize handheld policy (except Handheld
Authentication policies, unless that role is also checked)
• Handheld authentication - Modify handheld authentication
policies
Handheld Security
• Erase handheld data and lock handheld
• View OTA setup PIN
Servers
• Manage servers - Manage servers. Includes the ability to check
IP ranges, upload server logs, manage backup settings, and
view complete server information such as license key.
Deployment
• Manage roles - View, create, edit and delete roles. Includes the
ability to manage rights and membership for a role.
• Manage OTA email templates - Create, edit and delete OTA
Email Templates.
• Manage custom software - Upload and remove custom
software.
10. Click Update to save your changes.
Adding and Removing Role Members
To add users to a role:
1. Choose the role in the left panel to which you want to add users.
2. Click the Add button under Members to add corporate users to
the Access Control List for the role.
The Add Role Members page opens.
3. Choose a domain from the dropdown and enter the partial name
of a corporate user to be added to the role. Click Look Now and
then select the desired name(s) in the panel for search results.
4. Click Add to add this name to the new role.
To remove corporate users from the access list for a role:
1. Choose the role in the left panel that contains the users you want
to remove.
2. Click the check box next to each user under Members and click the
Delete button.
Exporting Rights
You can export the current rights for all users in a role to a .csv file. To
do so, select the role in the left panel whose rights are to be exported,
and click the Export Rights link at the top of the left panel.
The rights are listed in this order:
all, addHandheld, deleteHandheld, wipeHandheld,
viewPIN, setHandheldsPolicySet, manageHandheldPolicy, manageSecurityPolicy, manageGroups, manageServers, manageRoles, manageCustomSoftware,
manageEmailTemplates, additionalHandhelds, manageILUsers, viewOnlyAdmin, selfService, addHandheldSelfService, deleteHandheldSelfService,
wipeHandheldSelfService, viewPINSelfService
If a user has the named right, an 'X' will appear in the column. If the
user does not have the named right, the column will be left blank.
If an error is detected when opening the export file, a dialog box will
be displayed immediately with text indicating the cause of the error.
If any errors are detected during the actual export, errors will be
logged to the event log and a dialog box will be displayed at the end
with text indicating the number of errors and where the error
information can be found.
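The exported rights files can be used for a periodic least-privilege review of console access. The following is an added example, not part of Good's software: it merges one export per role and lists every user who holds a sensitive right without being on an approved list. It assumes each row starts with one or more identity columns (user name first) followed by the rights columns in the order listed above, with an optional header row; the SENSITIVE set, the approved mapping and all sample names are constructed for illustration.

```python
import csv
import io

# Right names in the column order given in the guide.
RIGHTS = [
    "all", "addHandheld", "deleteHandheld", "wipeHandheld", "viewPIN",
    "setHandheldsPolicySet", "manageHandheldPolicy", "manageSecurityPolicy",
    "manageGroups", "manageServers", "manageRoles", "manageCustomSoftware",
    "manageEmailTemplates", "additionalHandhelds", "manageILUsers",
    "viewOnlyAdmin", "selfService", "addHandheldSelfService",
    "deleteHandheldSelfService", "wipeHandheldSelfService",
    "viewPINSelfService",
]
# Assumption: which rights count as sensitive is the reviewer's decision.
SENSITIVE = {"all", "wipeHandheld", "viewPIN", "manageSecurityPolicy",
             "manageServers", "manageRoles"}


def parse_rights_export(text):
    """Return {user: set of rights marked 'X'} for one exported file."""
    holders = {}
    for record in csv.reader(io.StringIO(text)):
        if len(record) <= len(RIGHTS):
            continue  # blank or short line: no identity column in front
        identity = record[:-len(RIGHTS)]
        marks = [m.strip() for m in record[-len(RIGHTS):]]
        if [m.lower() for m in marks] == [r.lower() for r in RIGHTS]:
            continue  # header row, if the export has one
        unexpected = [m for m in marks if m and m.upper() != "X"]
        if unexpected:
            # A cell that is neither 'X' nor blank means the assumed
            # column layout does not match this file; stop rather than guess.
            raise ValueError("unexpected cell %r: column layout differs"
                             % unexpected[0])
        user = identity[0].strip()
        held = {right for right, mark in zip(RIGHTS, marks) if mark.upper() == "X"}
        holders.setdefault(user, set()).update(held)
    return holders


def audit(exports, approved):
    """Merge per-role exports; return (merged rights, unapproved findings).

    approved maps a right name to the set of users allowed to hold it.
    """
    merged = {}
    for text in exports:
        for user, held in parse_rights_export(text).items():
            merged.setdefault(user, set()).update(held)
    findings = []
    for user, held in merged.items():
        for right in held & SENSITIVE:
            if user not in approved.get(right, set()):
                findings.append((user, right))
    return merged, sorted(findings)


def sample_row(user, *rights):
    """Constructed test data: one row with 'X' under each named right."""
    return ",".join([user] + ["X" if r in rights else "" for r in RIGHTS])


# Constructed exports for two hypothetical roles.
HELPDESK_EXPORT = "\n".join([
    "User," + ",".join(RIGHTS),
    sample_row("Helpdesk One", "addHandheld", "viewPIN"),
    sample_row("Helpdesk Two", "addHandheld"),
])
ADMIN_EXPORT = "\n".join([
    sample_row("Admin One", "all"),
    sample_row("Helpdesk Two", "wipeHandheld"),
])
APPROVED = {"all": {"Admin One"}, "viewPIN": {"Helpdesk One"}}

if __name__ == "__main__":
    _, unapproved = audit([HELPDESK_EXPORT, ADMIN_EXPORT], APPROVED)
    for user, right in unapproved:
        print("%s holds %s without approval" % (user, right))
```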
Creating and Changing Handheld Policy Sets and Templates
Every handheld has a named policy set associated with it. This policy
set comprises a collection of policy settings that allow you to manage
the handheld in an organizational setting. Good Messaging comes
with a default policy set. You can edit the policy settings for this
policy set and you can create new policy sets of your own. The new
policy sets can be created from scratch or can be based on templates
that are included with the Console or that you create.
When you change a policy set’s settings, the changes apply to every
handheld to which that policy set is assigned.
For each policy set, there are policy settings available in the following
categories:
General policies:
• Handheld Authentication
• Messaging
• Network Communication
• Provisioning
• Storage Cards
• File Handling
Application Policies:
• Blocked Applications
• Compliance Manager
• Data Encryption
• Application Management
Plugin Policies:
• iOS configuration
• Android configuration
• Good Mobile Access Secure Browser (an integrated browser for
Intranet use)
Software OTA distribution policies are described in “Managing
Wireless Software Deployment” on page 210.
When you first set up a handheld, it will inherit the settings of the last
policy assigned to a handheld, unless you assign a different policy set
to it.
Note: Not all policy settings apply to all handheld platforms. The
Good Mobile Control console uses icons and tool tips to indicate
which settings are supported for a particular platform.
[Screenshot callouts: Warning icon indicates selected, unsupported policy. Moving cursor over platform icon causes page to display only info and warning icons for that platform. Blue info-icon tool tip lists unsupported platforms.]
Move the cursor over a platform icon at the top of the page to display
info and warning icons on the page that apply only to the
platform. The tool tips for blue info icons indicate unsupported
platforms for a policy. Selecting an unsupported policy causes the
blue icon to change to a yellow warning triangle.
To change the policy set assigned to a handheld, go to the Handhelds
tab, click the check box next to the user assigned to the handheld in
question, and select a new policy set for the handheld from the
“Assign policy set” dropdown. You can do this for multiple
handhelds by making multiple selections before assigning the new
policy set.
To create a new policy set or change a policy set’s settings, perform
the following steps:
1. In GMC Console, click the Policies tab.
2. Click Create New to create a new policy set, or click on the name
of an existing policy set whose settings are to be changed.
A name-and-description page is displayed for the new policy set
or a Summary page is displayed for the existing policy set.
For a new policy set:
3. Enter a name and description for the new policy set and click OK.
Then, click on its name in the list of policy sets.
For a new or existing policy set:
4. Use the links in the left panel to set or change policy settings.
Changing the settings for a policy set will affect all handhelds to
which it is assigned. (Recall that you can target which handhelds
are to be assigned a policy through the use of filters, as described
in “Understanding Console Filters” on page 96 and by sorting
handhelds by column in the handheld list.)
Good recommends that you implement setting changes using a
test handheld before implementing policy assignments and
changes for large numbers of handhelds.
Initially, only the default policy set is listed, with its default policy
settings.
To delete a policy set, select the policy name in the right panel and
click Delete. To copy a policy set, select the policy name in the right
panel and click Make Copy.
Understanding Policy Templates
You can control Good for Enterprise behavior on user handhelds by
setting policies and applying them to the handhelds. Handheld
policies are grouped into policy sets, which you create and name.
Each handheld must have a policy set assigned to it.
A policy set contains policies of the following types:
• Handheld Authentication
• Messaging
• Network Communication
• Provisioning
• Storage Cards
• File Handling
• Blocked Applications
• Compliance Manager
• Data Encryption
• Application Management
• iOS Configuration
• Android Configuration
• Good Mobile Access Secure Browser
Each type comprises a number of settings. You can create one or more
templates for each type, and use them when creating new policy sets.
A policy set can consist of settings that you specify individually
using the Console, or can use templates for any or all of its setting
types. When a policy set uses a template for a setting type, those
settings are grayed out for the policy set. Changing the template
settings changes the settings for all the policy sets that are using the
template.
Creating a New Policy Template
To create a new policy template:
1. In GMC Console, click the Policies tab.
2. Select Policy Templates in the left panel.
3. Click Create New in the right panel.
4. In the window that opens, enter a name and description for the
new template and use the dropdown list to define its policy type.
Click OK.
The new template is entered in the template list.
5.
Click on the link for the new template in the list.
A page of default settings for that template type is displayed. Edit
and save the settings as necessary for the new template. For
information on the policy pages and their default settings, refer to
“General policies” on page 136.
Applying a Policy Template
When you’re configuring policy settings for the first time, or editing
them later, a dropdown list of available policy templates is displayed
at the bottom of the page next to “Policy Template.” To use the
template settings, simply select the desired template from the list.
Editing a Policy Template
To edit a policy template, click the template to be changed in the
template list. On the page of settings that is displayed, make the
desired changes and click Save.
Warning: Any changes to the template will affect all policy sets that
currently use the template.
To list the handhelds to be affected by the changes, click the “Applied
To” link for the template in the template list. Good recommends that
you implement setting changes using a test handheld before
implementing policy assignments and changes for large numbers of
handhelds.
General policies
For a table of policy settings, their defaults, and the platforms that
support them, refer to http://www.good.com/faq/18726.html.
Authentication
Use the Handheld Authentication link in the left panel of the Policy
Sets page for a particular policy set to configure locking and
password policies on the handheld.
These policies (along with the encryption, compliance, and
authorization policies available as Application-type policies) are
designed to enhance and replace the default OS security. Good
Messaging may conflict with third-party applications that try to
bypass the default OS security.
Types of applications that are most likely to conflict:
• Third-party security applications (any application that provides
password protection and/or encryption).
• Handwriting recognition applications (user handhelds typically
may crash at the lock-out screen).
• Other third-party applications that do not use the default PalmOS
or Windows Mobile 5.0 or 6.0 OS calls, or the published PalmOS or
Windows Mobile 5.0 or 6.0 OS APIs. For example, applications that
access data directly without calling the OS may conflict with
Good Defense if the database they access is protected by
encryption.
To change handheld password policies for a user:
1. Click the Policies tab and click the policy name link in the right
panel for the policy set currently applied to the user’s handheld.
2. Click the Handheld Authentication link in the left panel of the
Policies page.
3. To require a password on handhelds, click the “Password-protected
lock screen” radio button as the Handheld Authentication type.
If a password is already set on the handheld, when the handheld
user starts Good Messaging, a prompt will require that the
password be entered. If restrictions are set on the password (see
below), the current password is checked; if it doesn’t meet the new
restrictions, the user is instructed to enter a new password.
If no password is currently set on the handheld, a prompt will
require that the user enter a new password.
4. For Password Authentication, set the following:
• Expire password after - Causes the password to expire after the
selected number of days (from 1 day to 1 year). The default is 1
day if the check box is checked. If the check box is not checked,
the password never expires. Expiration is calculated from the
date the password is created and saved. This date is not
changed by a policy change. Therefore, imposing or decreasing
an expiration value may cause the password to expire when
the device screen next locks.
• Disallow previously used passwords - Prevents repetition of a
password over the specified number of times (1 to 10). For
example, if 8 is chosen, a new password must differ from the
previous 8 passwords set on the device. The default is No
Restriction (Unchecked).
• Require minimum length of - Requires that the password be at
least the length you specify. The default is No Restriction
(Unchecked).
• Disallow repeated characters after - Limits the number of times
a character can be used, consecutively or non-consecutively.
The default is No Restriction (Unchecked). Applies to
Smartphone’s numeric password as well as the Treo and PPC
alphanumeric passwords.
• Require both letters and numbers (Default is Unchecked)
• Require both upper and lower case (Default is Unchecked)
• Require at least one special character (Default is Unchecked)
• Do not allow sequential numbers (that is, do not allow more
than two consecutive numbers in a row either forwards, such
as 5-6-7-8, or backwards, such as 9-8-7-6) (Default is
Unchecked)
Note: “Do not allow sequential numbers” is not supported on
Nokia 5.1.0.37 clients.
• Do not allow personal information (personal information
includes variations of user name, email address, and X400
name) (Default is Unchecked)
• Do not allow more than one password change per day (Default
is Unchecked)
5. For Lock Screen Protection, set the following:
• Require password when idle for longer than - Enter the
maximum allowed time that the handheld can remain idle
before the screen is locked and a password must be entered to
reactivate it. Values range from 1 minute to 1 day. On some
handhelds, the user can change this using the handheld
Preferences application, but only to a value less than the one
you choose here.
Check “Allow handheld user to exceed this value” to allow the user to
exceed the timeout value. The factory default, when password
is required, is one hour.
For iOS, this setting applies only to the Good application. If the
application is running but idle for the specified time, the screen
will lock. The user can tap the Home button to leave the lock
screen. Tapping the Good application icon will return the user
to the lock screen. If the application is not running and the
specified time has passed, the lock screen will be displayed at
Good startup.
• For iOS, always require password on application startup or
when power button is pressed (recommended) - Displays the
lock screen whenever the Good application is run.
• Enable notifications on the lock screen - Allows the user to
track message activity without unlocking the handheld.
Checked by default. (Windows Mobile)
Note that Good Messaging automatically supports push
notifications for email and calendar reminders specific to the
iOS device, with no policy setting necessary.
• Check “Allow access to Good Contacts (numbers only) for
dialing” to allow the user to make calls to Good Contact
numbers even when the screen is locked or the user has been
locked out of the handheld by the administrator.
• Select “After n invalid password attempts” to specify the
number of unsuccessful attempts at password entry. Values
range from 3 to 12 attempts. Default is 10. If the number of
attempts is exceeded, specify one of the following actions to
take:
• Select “Lock out handheld user” to lock the user out of the
handheld permanently.
• Select “Erase handheld data” to clear the user data from the
handheld and force the handheld to be set up again.
For new installations, the default is that the user is locked out;
for upgrades from installations that did not have this option,
the default is that the user data is erased.
If the user is locked out, follow the procedure in “Providing a
Temporary Unlock Password” on page 227 to generate a
temporary password to allow access to the handheld again.
Note: “After n invalid password attempts” is not supported on
Nokia 5.1.0.37 clients.
6. Click Save to save the changes.
Note: The native lock settings on Nokia 5.1.0.37 clients are not
overwritten by less strict settings configured in a GMC policy.
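The password rules in step 4 can be evaluated offline before a policy set is assigned to many handhelds. The following Python is an added example, not code from Good; the class and function names are hypothetical, and reading “Disallow repeated characters after” as a per-character usage cap, the substring test for personal information, and the salted-digest history are assumptions.

```python
import hashlib
import hmac
import string
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical model of the Password Authentication settings (None/False = unchecked)."""
    expire_after_days: Optional[int] = None  # "Expire password after" (1 day to 1 year)
    history_depth: Optional[int] = None      # "Disallow previously used passwords" (1 to 10)
    min_length: Optional[int] = None         # "Require minimum length of"
    max_char_uses: Optional[int] = None      # "Disallow repeated characters after" (assumed cap)
    letters_and_numbers: bool = False
    upper_and_lower: bool = False
    special_character: bool = False
    no_sequential_numbers: bool = False
    no_personal_info: bool = False


def digest(password: str, salt: bytes) -> bytes:
    """Salted digest, so the history list never holds old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def has_sequential_digits(password: str, max_run: int = 2) -> bool:
    """True if more than max_run digits ascend or descend by one (5-6-7 or 9-8-7)."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(password, password[1:]):
            if prev in string.digits and cur in string.digits and int(cur) - int(prev) == step:
                run += 1
                if run > max_run:
                    return True
            else:
                run = 1
    return False


def violations(password: str, policy: PasswordPolicy, personal: Sequence[str] = (),
               previous_digests: Sequence[bytes] = (), salt: bytes = b"") -> List[str]:
    """Return the names of the enabled rules that the candidate password breaks."""
    found = []
    if policy.min_length and len(password) < policy.min_length:
        found.append("min_length")
    # Counts every use of a character, consecutive or not.
    if policy.max_char_uses and max(Counter(password).values(), default=0) > policy.max_char_uses:
        found.append("repeated_characters")
    if policy.letters_and_numbers and not (
            any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        found.append("letters_and_numbers")
    if policy.upper_and_lower and not (
            any(c.islower() for c in password) and any(c.isupper() for c in password)):
        found.append("upper_and_lower")
    if policy.special_character and not any(c in string.punctuation for c in password):
        found.append("special_character")
    if policy.no_sequential_numbers and has_sequential_digits(password):
        found.append("sequential_numbers")
    lowered = password.lower()
    # Assumption: "variations" is approximated by a case-insensitive substring match.
    if policy.no_personal_info and any(len(t) >= 3 and t.lower() in lowered for t in personal):
        found.append("personal_info")
    if policy.history_depth and previous_digests:
        new = digest(password, salt)
        recent = list(previous_digests)[:policy.history_depth]  # newest first
        if any(hmac.compare_digest(new, old) for old in recent):
            found.append("history")
    return found


def expiry_date(created: date, policy: PasswordPolicy) -> Optional[date]:
    """Expiration counts from the day the password was created, not from the policy change."""
    if policy.expire_after_days is None:
        return None
    return created + timedelta(days=policy.expire_after_days)


def expired_at_next_lock(created: date, policy: PasswordPolicy, today: date) -> bool:
    """True if imposing this policy today leaves the existing password already expired."""
    expires = expiry_date(created, policy)
    return expires is not None and today >= expires


if __name__ == "__main__":
    # Constructed sample data, not taken from any real handheld.
    strict = PasswordPolicy(expire_after_days=30, min_length=8, max_char_uses=2,
                            letters_and_numbers=True, upper_and_lower=True,
                            special_character=True, no_sequential_numbers=True,
                            no_personal_info=True)
    print(violations("Jsmith5678!", strict, personal=("jsmith",)))
    print(expired_at_next_lock(date(2012, 3, 1), strict, today=date(2012, 4, 10)))
```

Running `expired_at_next_lock` over the password creation dates of the affected handhelds shows which users will be prompted for a new password as soon as a shorter expiration value is saved.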
Emergency Calls
In order to make emergency calls when a password is enabled, for
some Windows Mobile handhelds the user must press and hold the
Fn or Option key while dialing the emergency number. For example,
to dial 911, the user must press and hold the Fn or Option key while
dialing 911. Alternatively, the user can press the Fn or Option key
twice and then type 911.
For Palm Treo Windows Mobile devices, when keyguard is enabled,
users do NOT have to use the Fn or Option key to dial an emergency
number.
This is the same behavior as when Good for Enterprise is not
installed and the native device lock is set to use the strong
alphanumeric password type.
Messaging
Use the Messaging link in the left panel of the Policy Sets page to set
policies for:
• Good Mobile News (RSS)
• Email
• Contacts
• Calendar
• Copy and paste
• Sending and receiving/opening attachments
The Superuser can also use this page to suspend synchronization on a
handheld, as described in “Enabling/Disabling Data Roaming” on
page 228.
To set messaging policies:
1. Click the Messaging link in the left panel of the Policies page.
2. For Email, click the following check boxes to enable the Email
settings:
• For folders other than the Inbox - Synchronize headers only or
synchronize headers and bodies from email filtered to folders
other than the Inbox. If desktop rules are set to filter messages
to a folder other than the Inbox, this feature determines
whether only the header or both the header and body of the
message are synchronized to the handheld. By default, the
Synchronize headers and body radio button is selected.
• Synchronize Sent Items Folder - The desktop and handheld
Sent items folders are synchronized only if this option is
checked. It is checked by default.
Note: Checking the Sync check box will increase radio traffic
and decrease battery life for affected handhelds.
• Enable Domino encrypted email
• Enable email recipient warning for unauthorized email
domains. You can cause a warning dialog to be displayed on
the user’s handheld if he/she attempts to send a message
outside the domains that you specify here as authorized email
domains. (Android and iOS only)
This feature is not supported for addresses and domains
within personal distribution lists.
To specify the domains that you consider “inside” the
enterprise, click the Edit key.
Enter a domain name (e.g., yourcompanyname.com) and click
Add. Note: Calendar meeting requests and domains
embedded in distribution lists are not checked by the handheld
client in this release.
Select names in the list and click Remove to delete them.
Click OK when done.
Edit the Warn message box as desired.
3. For Good Mobile News, click the Enable Good Mobile News
(RSS) check box to enable the Good Mobile RSS application on the
handheld. This adds a Good Messaging News icon to the Good for
Enterprise launcher on the handheld. The application hosts a
variety of RSS feeds. By default, the check box is checked.
(Windows Mobile and Symbian only)
4. For Contacts, click the following check boxes to enable the
Contacts settings:
• Enable access to Good contacts. Allows syncing of handheld
local (native) contacts with Good contacts on the device. The
default is On. To choose which of the fields in Good Contacts
are to be synchronized with the handheld’s local contacts for
use with phone applications (e.g., voice dial), click the Choose
Fields button. In the window that opens, click the check boxes
for the desired fields and click OK. Enable the setting in
Preferences on the device to sync Good contacts and local
contacts.
Warning: For Windows Phone, syncing with native contacts is
not supported. This setting, when enabled, has no effect;
however, disabling this setting will disable Good Contacts
syncing on the device.
• Enable Domino Public Address List lookup. The default is On.
• Allow SMS (text) messaging from the Good application. The
default is On. (iOS and Android only)
• Allow contact beaming. The default is On. Check Allow
contact beaming to allow Good Messaging to handle incoming
and outgoing beaming of contacts for supported handhelds. If
enabled, Good Messaging replaces native contacts. If disabled,
Good Messaging cannot send or receive contacts via beaming;
beaming of native contacts is unaffected. Enabled by default.
IR radio must be enabled. (Not supported on Android and iOS)
5. For Calendar, click the following check box to enable the Calendar
setting (Android and iOS only):
• Allow event reminder details over lock screen
6. For Copy and Paste, click the following check boxes to disable
copying and pasting data between Good and other applications
(Android and iOS only):
• Do not allow data to be copied from the Good application
• Do not allow data to be copied into the Good application
7. For Sending Attachments and Receiving/Opening Attachments,
click the following check boxes to enable the attachment settings.
Note that these settings affect the File Handling import/export
settings, as noted below (see also “File Handling” on page 150).
• Allow handheld to send attachments - When enabled, allows
the user to send Good Messaging emails with attachments. You
can limit the attachments to the size that you specify in the
“Block attachments larger than” pull-down menu. Note that
attachments added to emails directly through Compose on the
handheld come from the Good file repository on the device;
otherwise, they are added via third-party Open In (send
through, or export) facilities.
This policy setting is required to be enabled for sending
attachments as described in File Handling (refer to “File
Handling” on page 150), but also requires that those policies
for importing and/or file repository are enabled.
- Block attachments larger than - Size values range from
25KB to 32MB. Default is 2MB. Default is On.
- Exceptions to sending files:
Block attachments by file extension (blacklist) - Filter
specified types of attachments, such as .PRC, .PDB, and
.EXE files, so that handhelds cannot send them. After
selecting this option, click Edit. In the window that opens,
enter a file type, click Add for each file type to be filtered,
and then click OK. The default is no filtering.
Only allow these file extensions (whitelist) - Filter types of
attachments, so that handhelds can send only those that you
specify here. After selecting this option, click Edit. In the
window that opens, enter a file type, click Add for each file
type to be allowed, and then click OK. The default is no
filtering.
If the File Handling policy’s “Disable all importing and
exporting” setting is not checked, you can completely
disable the importing of files into the Good secure container
by selecting “Only allow these extensions” and leaving the
extensions list blank.
• Allow handheld to receive/open attachments - Allows
attachment viewing when a capable viewer is present on the
handheld. With this option disabled, simple formatting (i.e.,
stripped view-only text) will be used. Simplified formatting
does not apply to iOS and Android platforms; disallowing this
option will prevent attachment downloads and any importing
from third-party applications for these platforms.
- Block attachments larger than - Size values range from
25KB to 32MB. Default is 2MB. If an attachment exceeds this
size, the user must choose to view the attachment as a text
file. Factory default is 2MB. Default is On.
- Exceptions to receiving/opening files:
Block attachments by file extension (blacklist) - Filter
specified types of attachments, such as .PRC, .PDB, and
.EXE files so that handhelds cannot download them. After
selecting this option, click Edit. In the window that opens,
enter a file type, click Add for each file type to be filtered,
and then click OK. The default is no filtering.
Only allow these file extensions (whitelist) - Filter types of
attachments, so that handhelds can receive/open only those
that you specify here. After selecting this option, click Edit.
In the window that opens, enter a file type, click Add for
each file type to be allowed, and then click OK. The default
is no filtering.
Supported Attachments
iOS Devices
• Microsoft Office® (*.doc, *.docx, *.ppt, *.xls, *.xlsx)
• Adobe Acrobat® (*.pdf), HTML (*.htm and *.html)
• Image (*.png, *.jpg, *.jpeg, *.tif)
• Plain text (*.txt).
Android 1.6.5 and later
• pdf, txt, wav, wma, wpd, htm, html, jsp, xml, bmp, gif, jpg,
png, tif, tiff, xls, xlsx, pps, ppt, pttx, doc, docx, rtf, zip, 3gp,
mp4, mp3
Windows Mobile/Symbian
• Microsoft Office® (*.doc, *.docx, *.ppt, *.pptx, *.xls, *.xlsx)
• Adobe Acrobat® (*.pdf), Word Perfect® (*.wpd), HTML (*.htm
and .html), Rich Text (*.rtf), message (*.msg), sound (.wav,
.mp3, etc.), image (.bmp, .png, etc.), and plain text (*.txt)
Network Communication
Use the Network Communications link in the left panel of the Policy
Sets page to set policies for:
• Infrared
• Bluetooth
• WiFi
Note: Enabling and disabling network communication policies is not
supported on Nokia 5.1.0.37 clients.
To set network communication policies:
1. Click the Network Communication link in the left panel of the
Policies page.
Note: Changing any of these settings will cause affected Windows
Mobile handhelds to reset.
2. Click the following check boxes to enable:
• Enable infrared radio - Default is On. Leave unchecked to
prevent a user's handheld from receiving or sending data via
the infrared (IrDA) port.
• Enable WiFi radio - Default is On. Leave unchecked to prevent
WiFi usage on the device.
• Enable Bluetooth radio - Default is On. Leave unchecked to
prevent a user's handheld from receiving or sending Bluetooth
wireless signals.
• Enable discovery - To disable a handheld’s Bluetooth
discoverability feature, even if currently enabled on the
handheld, leave unchecked “Enable Bluetooth discoverability.”
However, note that any pairing already in force on the
handheld will not be affected; the pairing will continue until
the paired device is reset. Default is On.
3. Click Show Profiles to display Bluetooth profile settings. Click the
Bluetooth profiles that you want to enable on the handheld.
For more information about Bluetooth technology and Bluetooth
profiles, see:
http://www.bluetooth.com
Notes:
• The profiles listed in the Sub-profile sections are dependent on
the profiles listed in the Base profiles section. For example, the
Basic Imaging Profile, OBEX File Transfer Profile, and Object
Push Profile are Data Transfer Sub-profiles that are dependent
on the Generic Object (Domino) Base Profile. If the Generic
Object (Domino) Base Profile is disabled, then all of its
dependent sub-profiles will not work.
• The Bluetooth Profile Management feature requires Windows
Mobile 6.1 or later on the handheld. Profiles that are not
supported on the handheld will be ignored.
Provisioning
Use the Provisioning link in the left panel of the Policies page to set:
• OTA provisioning PIN policy
• Welcome email policies
To set provisioning policies:
1. Click the Provisioning link in the left panel of the Policies page.
When you enable a user for OTA, the user is sent an email
containing a PIN to use during wireless handheld setup. You can
set OTA PIN policy such that this PIN will expire after a specified
period of time. You can also prevent the PIN from being reused.
2. To limit the time that a PIN can be used, click the “OTA
Provisioning PIN expires after” check box and from the
dropdown menu select the length of time after which the PIN will
not work. The default is that the PIN never expires because the
check box is not checked. The PIN can remain effective from one
to 60 days, or permanently.
The expiration clock starts when a new OTA user is created or
when a new PIN for the user is generated.
To generate a new PIN for one or more users after their current
PINs have expired, refer to “Generating New User PINs” on
page 216.
3. To prevent reuse of the PIN, uncheck the “Allow OTA PIN reuse”
check box.
This setting applies to attempts to set up a handheld that has
already been set up successfully. It does not apply to unsuccessful
setup attempts or to ongoing automatic OTA software updates to
the handheld.
4. To send a different welcome email message to the user, use the
“Welcome email template” dropdown to choose a different
message (in most cases, the product is shipped with a single
default template). To set the importance level for the email
(normal, high, or low), use the Importance dropdown. To create
new messages or delete or customize existing ones, refer to
“Customizing the OTA Setup Email Message” on page 217.
To suppress welcome email, uncheck the “Send welcome email
when OTA PIN is created” check box.
Storage Cards
To set storage-card policies:
1. Click the Storage link in the left panel of the Policies page.
2. Click the following check boxes to enable:
• Erase storage card when erasing data. Default is On.
Wiping a storage card as a defensive action will only work for a
card in the handheld when the option was enabled. A card
inserted later will not be affected by the policy.
• Enable backup to storage card - Deselect the radio button to
remove the Backup option from the Preferences menu on the
user handheld (the preference is not available on all
handhelds). Default is On. You cannot enable backup to a
storage card if the following option is selected (that is, you
cannot enable backup to an encrypted storage card).
• Enable storage card encryption. Default is Off.
Note: The Enable storage card encryption option is not
supported on Nokia 5.1.0.37 clients.
Enable this option to require any storage cards present or
inserted into the handheld to be formatted with a password-protected
encrypted volume before they can be read from or
written to. The entire card is encrypted.
Given the amount of data that these cards now hold, it is
common for users to use these and share them. For this reason,
encryption is recommended.
Note: Be careful when using this option, as it will require users
to format their storage cards, completely wiping all data from
the card. When this option is set, the user is prompted to
format the card when it is inserted in the handheld; if the user
selects Cancel, the card cannot be used (the card is unmounted
and cannot be accessed) unless the user removes and re-inserts
the card and performs a soft reset to reformat the card.
If this option is not set, storage cards can be used as usual. The
password to be set is not affected by the password policies set
for the Mobile Defense password. If the password is lost, the
data on the card cannot be retrieved. Encrypted storage cards
cannot be used for automatic backup. The card can be moved
to a different handheld so long as the current password is
entered on the new handheld. Encourage user backup of the
handheld before enabling this policy.
If this policy is not set, the user can use Good Mobile on the
handheld to encrypt part of the card. Attachments saved to the
card are saved only in the encrypted area.
To prevent an encrypted storage card from being removed and
used in a different handheld, select “Allow encrypted storage
cards to work only with handheld that originally encrypted
them.” Default is Off.
Only email attachments can be saved to the storage card.
3. Inform users of the following:
If the “Enable storage card encryption” policy is set, the user
will be required to accept a reformat of any storage card upon
initial insertion, completely wiping all data from the card.
Otherwise, the card will not be usable, regardless of the
Security Preferences settings in Good for Enterprise on the
handheld.
Unprotecting a card using Security Preferences removes all
protected (encrypted) data from the card. Information added to
any unprotected portion of the card will be unaffected by
unprotecting the card.
File Handling
Note: File Handling policies work in conjunction with Messaging
policies (“Messaging” on page 141).
File Transfer Privileges
Use these policy settings to control which attachments in Good email
and the file repository (“File Repository” on page 153) can be
imported from and exported to third-party applications.
If “Default Good Mobile Messaging settings” is selected, the Android
user’s device will open Office files and PDFs inside Good; all other
attachments and repository files will use external applications, if the
attachment or file is supported and a viewer is present. iOS will not
allow transferring with third-party applications; all available
attachment and repository files will be opened within Good.
If “Disable all importing and exporting” is selected, Android will
only open Office files and PDFs securely, inside Good. iOS will not
allow transferring with third-party applications; all available files will
be opened within Good (the same as with the default selection).
If “Enable importing/exporting between Good and third-party
applications” is selected, the device user is presented with a list of
applications available on his/her device when opening the
attachment or repository file. For files open in third-party
applications, the user is given the choice of adding the file to a secure
Good email or, for iOS platforms 4.2 or higher, of saving the file to the
Good file repository.
Note that sending an attachment within a Good email requires the
Messaging policy’s Sending Attachments setting to be enabled. You
can restrict which attachments are sent by adding extension types to
that policy’s lists of allowed or blocked extensions.
Also, saving a third-party file to the Good file repository (iOS
platform) requires the Messaging policy’s Receiving/Opening
Attachments setting to be enabled. You can restrict which
attachments are saved by adding extension types to that policy’s lists
of allowed or blocked extensions.
To limit the list of trusted third-party applications, click the
“Exceptions to importing/exporting” check box and select the “Block
these external applications” or “Trust only these external
applications” radio button. Choose the applications to be allowed or
blocked from the list displayed. You build this list in the Settings tab
(refer to “Creating a Third-Party Applications List” on page 208).
Note regarding Good Dynamics (GD) applications
Some GD partner applications (such as Copiun, iAnnotate,
Quickoffice, etc.) interact with Good for Enterprise to share files and
authenticate using Good for Enterprise. In order for this functionality
to work, you must ensure that Good Mobile Control allows file
handling with these applications. If you do not set this correctly, the
user will get the following error when trying to use the partner app
with Good for Enterprise: "Application not allowed by IT
Administrator."
In GMC, select the appropriate policy and go to the File Handling
tab. As described above, you use this page to grant permission for
other apps to export/import data to/from Good for Enterprise.
Depending on your setting, ensure the following:
• If you enable import and export without exceptions, no further
action is required.
• If you enable import and export with blocked applications, ensure
that the GD applications you are deploying are not in the blocked
list.
• If you enable import and export with trusted applications, make
sure that the GD applications you are deploying are in the trusted
list.
You will need the application ID (for example, the iAnnotate ID is
com.branchfire.iannotate.gd and the Quickoffice ID is
com.quickoffice.proselect.gooddynamics, etc.). As noted above, you
build this list in the Settings tab (refer to “Creating a Third-Party
Applications List” on page 208).
File Repository
File Repository allows you to save email attachments within the
secure Good application. For iOS, you can also allow your users to
save files from trusted third-party applications. In order for these
features to work, check the "Enable file repository" policy setting on
the File Handling page. This setting is disabled by default.
You can prevent certain types of files from being saved to the
repository. For instance, block .zip files from being saved to the file
repository by setting the Receiving/Opening Attachments policy on
the Messaging policy page to enable “Exceptions to receiving/
opening files” and “Block attachments by file extension,” then
editing the list of blocked files to add the .zip extension to it. This will
prevent the user from being able to view or save zip files. Similarly,
you can change the "Sending Attachments" policy in "Messaging" to
block sending certain attachment types. You can also use importing
and exporting controls on the File Handling page to allow opening
files with third-party editors, sending files from third-party editors
through the Good for Enterprise email client, and saving third-party
files to the repository (iOS only). Note that importing from and
exporting to third-party applications on iOS devices requires an iOS
version greater than 4.2. (For more information, refer to “File
Handling” on page 150 and “Messaging” on page 141).
The file repository is currently a flat structure and does not support
folders. The data in the file repository is not synced with the user's
desktop. The files in the repository represent data unique to the
device. The user has the option of self-mailing the files as
attachments and receiving them on the desktop. There is no size limit
on the repository.
The repository is not backed up. The files will be retained when the
application is upgraded. However, these files will be deleted if the
application is reinstalled or if you disable the file-repository policy
setting.
Android Client v1.8.0 or higher and iOS Client v1.9.6 or higher are
required.
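The dependencies described under File Transfer Privileges, the Good Dynamics note, and File Repository can be modeled as one decision for the iOS case of saving a third-party file to the repository. This Python is an added example, not Good's code; the class names, the mode strings, and the order of the checks are assumptions, and the two application IDs are the ones quoted above.

```python
import os
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Error text the guide says the user sees when file handling excludes the partner app.
APP_DENIED = "Application not allowed by IT Administrator."


def ext_of(filename: str) -> str:
    """Last extension, lower-cased without the dot ('Q1.PDF.exe' -> 'exe', 'README' -> '')."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def norm(entry: str) -> str:
    """List entries typed as '.ZIP', '*.zip' or 'zip' all compare as 'zip'."""
    return entry.strip().lstrip("*.").lower()


@dataclass(frozen=True)
class AttachmentRule:
    """Hypothetical model of a Messaging attachment setting and its exceptions."""
    enabled: bool = True
    mode: str = "none"                       # "none", "block" (blacklist) or "allow" (whitelist)
    extensions: FrozenSet[str] = frozenset()

    def permits(self, filename: str) -> bool:
        if not self.enabled:
            return False
        listed = ext_of(filename) in {norm(e) for e in self.extensions}
        if self.mode == "block":
            return not listed
        if self.mode == "allow":
            return listed                    # a blank whitelist therefore permits nothing
        return True


@dataclass(frozen=True)
class FileHandling:
    """Hypothetical model of the File Handling page."""
    transfer: str = "default"                # "default", "disabled" or "enabled"
    exceptions: str = "none"                 # "none", "block" or "trust"
    app_ids: FrozenSet[str] = frozenset()
    file_repository: bool = False            # "Enable file repository" is off by default

    def app_permitted(self, app_id: str) -> bool:
        if self.transfer != "enabled":       # on iOS, default and disabled both stay inside Good
            return False
        if self.exceptions == "block":
            return app_id not in self.app_ids
        if self.exceptions == "trust":
            return app_id in self.app_ids
        return True


def ios_repository_save(fh: FileHandling, receive: AttachmentRule,
                        app_id: str, filename: str) -> Tuple[bool, str]:
    """Decide whether a third-party app may save a file to the Good file repository, and why not."""
    if not fh.file_repository:
        return False, "file repository disabled"
    if fh.transfer != "enabled":
        return False, "importing/exporting not enabled"
    if not fh.app_permitted(app_id):
        return False, APP_DENIED
    if not receive.enabled:
        return False, "receiving/opening attachments disabled"
    if not receive.permits(filename):
        return False, "extension filtered"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed policy: trust only iAnnotate and block .zip on receive.
    fh = FileHandling(transfer="enabled", exceptions="trust",
                      app_ids=frozenset({"com.branchfire.iannotate.gd"}),
                      file_repository=True)
    receive = AttachmentRule(mode="block", extensions=frozenset({".zip"}))
    for app, name in [("com.branchfire.iannotate.gd", "notes.pdf"),
                      ("com.quickoffice.proselect.gooddynamics", "notes.pdf"),
                      ("com.branchfire.iannotate.gd", "Bundle.ZIP")]:
        print(app, name, ios_repository_save(fh, receive, app, name))
```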
Application Policies
Application policies include those that regulate:
• Blocked applications
• Compliance Manager
• Data encryption
• Application Management
Blocked Applications
You can restrict the use of certain applications installed on a user's
handheld. With this feature, these applications (from a list provided
with Good Messaging) can only be launched when unchecked
(unblocked) in GMC Console.
Note: Blocking applications is not supported on Nokia 5.1.0.37
clients.
To restrict user access to the applications on the approved
applications list:
1. On the Policies page, click the name of a policy set.
2. Click the Blocked Applications link in the left panel of the Policies
page.
3. Click a handheld platform in the right panel to expand a list of
blocked applications for that platform.
4. Select the applications that you want to block from use by
selecting the check box next to each application and clicking the
Block button.
“Blocked” appears in the Status column next to applications that
are blocked. An advisory is displayed on the handheld: “The
administrator has blocked the use of this application.”
“Allowed” applications are approved for use. Applications
installed by the user that are not on this list are allowed to launch.
Note: The “Downloads” and “Download Agent” items in the list
for Windows Mobile refer to two Microsoft content utilities.
Clicking the check box next to them prevents the handheld from
running/displaying content downloaded from the desktop using
ActiveSync.
Note: To block an application, select all the related entries for it
listed in the Policy Manager application list. Otherwise the
application may still run. In the same way, to approve an
application, deselect all the application entries. For example, to
approve or block the camera application, you might need to
approve or block a camcorder application as well.
Note that Good applications have their own inherent security.
They will not be listed in this tab.
When the policy is set, a user with a disapproved application on
the handheld will no longer be able to run that application. Trying
to do so will result in an error dialog.
5. Click the Save button to save the settings.
Compliance Manager
Compliance-management policies cause Good Messaging to check
user handhelds periodically for specified applications. If these
required applications are not present (or, in some cases, present but
not running), Good Messaging will be disabled on the handheld.
To set Compliance Manager policies:
1. Click the Compliance Manager link in the left panel for the policy
set.
Use this window to specify which applications must be present on
user handhelds.
Note: This feature is not intended for use with applications
specified using the Application Management policy options, or for
handheld ROM applications. The mandatory option for software
distribution requires the user to download and install Good OTA-distributed software on the handheld when prompted to do so;
the compliance-management option requires the user to have
specified applications on the handheld, regardless of how they are
put there.
2. If necessary, click a handheld platform in the right panel to
expand the list of rules for onboard applications for that platform.
(Unsupported platforms are not listed.)
3. Application checks occur automatically on a handheld when it is
set up for the first time and whenever Good Messaging starts up
on it and then by default once every 24 hours (as well as when
policy changes are received). To specify more frequent checks for a
particular rule, click the “edit” link for the rule. In the Edit
compliance rule window that opens, choose the desired frequency
from the “Check every” dropdown menu and then click OK.
4. Some application rules may be listed in the right panel for the
selected handheld type by default. To delete a rule from the list,
click the check box next to the rule and click Delete.
The order that applications appear in this list is the order that
applications will be checked on the handhelds.
The changes you make in the Compliance Manager window do
not take effect until you click the Save button.
The applications listed in this window for a handheld platform are
specified in a rules file for that platform. The file is located in the
console’s database. Creating and editing rules files is described in
the following section.
5. To add an application rule to the list, click Add Rule. The Add
Compliance Rule page is displayed.
6. Select the handheld platform to be checked for onboard
applications from the dropdown menu.
7. Select the type of rule to be run from the Check to Run dropdown
menu.
a. Built-in rules:
Built-in rules are available for the following checks. Rules that
are unavailable for a handheld platform are not displayed.
• Client version verification
Specify the minimum allowed version on the device.
• Connectivity verification
Specify how often the device must have connected to your
enterprise (at least once in the last 1 to 365 days). The
handheld user must remove the Good for Enterprise
application and set up the handheld again.
• Hardware model verification
Specify all allowed hardware models.
• Jailbreak/Rooted detection
Hypervigilant mode (Android) - If the device is detected
connecting via USB cable to an external computer, malware
detection runs continuously.
• OS version verification
Specify all those OS to be allowed on the device. A “Permit
newer (previously unknown) OS versions” check box
permits you to OK future versions in advance, “future-proofing” the device.
b. Custom rules:
For “Perform checks using”, choose the method of checking for
the application.
• Click the “Executable name” radio button if you want to
enter the name of the application as it appears on the
handheld. This is the default.
For Palm, enter the exact Palm database name of the
application (required). Maximum length is 31 characters.
Use a third-party tool or contact the application
manufacturer for information on how to obtain this name.
For PPC and Smartphone, enter the exact executable path
or name (required). Pathnames can begin with %xxx% (where
xxx is PROGRAMFILES, MYDOCUMENTS, or WINDOWS) or \
format. Simple filenames must be at root level on the
handheld. Maximum length is 256 characters. Use \ in
pathnames. Invalid characters: <>:\”/\\|?*.
Valid characters: ^&’@{}[],$=!-#()%.+~_.
For Android and iOS, the option is not available in this
release.
• To check for an application by more advanced methods (for
example, by process name or registry entry) on a Windows
Mobile or Palm device, click the “Rule file” radio button to
use an XML rule file. Enter the path and filename or browse
for the rule file. This is an optional method.
You can also use such a rule file to cause a disclaimer to be
displayed before the Good Messaging lock screen on
supported devices (“Rule File for Displaying Disclaimer”
on page 162).
For information about creating rules files and their format,
see “Rule Files for Compliance Policies” on page 164.
Default rules files are stored in the console’s
\etc\confs\rule directory, but rules files that you create
should be stored elsewhere, so that they won’t be lost if you
uninstall and reinstall the console.
When you select a rules file by entering its path and name
or by clicking Open after browsing for it, the file is checked
to confirm that its XML is correct and that the basic rules
format is correct in it. The file is also checked to confirm that
its size plus the enabled rules file sizes for the handheld
family don’t exceed 8KB.
If the file doesn’t pass a check, you’ll be warned and given
an opportunity to edit the file. The warning will remain in
place until you’ve corrected the file in the window
provided, or until you click the Cancel button.
8. Enter a descriptive application name (required) for the new rule,
built-in or custom.
Windows Mobile: the name can be up to 128 characters in length.
Note that for some platforms, although 128 characters are
allowed, fewer characters can be displayed. The application name
displays under Preferences - Applications for WM devices.
For custom rules that you add for Windows Mobile devices, this
name refers to the file that is listed under Product in the
Application Management window, so you might want to enter
that name or something similar to it. Note that while "custom"
rules are supported for iOS/Android, the custom rules do not
apply to the "Application Management" window.
9. Enter a description of the application, what will be checked, and
the action that will be taken when a failure is encountered (not
required). This description can be from 0 to 256 characters in
length.
10. From the Failure Action dropdown, choose the action that the
handheld will take if it is out of compliance with this rule. The
choices, when supported, are to quit Good Messaging, force
download of the missing application to the handheld (when the
rule involves checking for an application), wipe the Good data or
complete device, when supported, or simply send a report (a
report is also sent with any other failure action). (The Send Report
Only option is not available on all platforms.) If you choose to
force download, ensure that the application is available to be
downloaded. To do so, check the Application Management
window for the appropriate platform (“Managing Software
Policies” on page 211).
Note: the “Send Report Only” option adds the failure information
to the Compliance Report available at the Console (refer to
“Compliance Report” on page 167).
The Quit option will deny use of Good Messaging until the
handheld is in compliance or the policy is changed. The download
option, when applicable, will take the user to a download screen
to acquire the necessary missing software. Note: The Quit option
will allow the user to reenter Good and will briefly display the
current email list, but will then force an exit.
The Wipe Enterprise Data option, for supported devices, will
remove all Good Messaging data from the device and require
reinstallation of Good Messaging for the application to be used
again. In all cases, Good data is removed. For iOS, you can
configure policy settings to either erase (wipe) Good data only or
erase the device.
11. From the Check Every dropdown, choose how often you want the
compliance rule checked while the handheld is running (from
every minute to once every 24 hours). Frequency may impact
performance and battery life. The rule is also checked at Client
startup and launch.
12. When finished, click OK to close the Add Compliance Rule
window.
13. Click Save in the Compliance Manager window. Your changes are
applied to the policy.
Applying the settings may take some time.
Compliance rule errors and messages are also written to the
output file produced using Export Statistics.
In the event of a failure, a Compliance Report link is added in the
left pane of the handheld’s page in the Mobile Control Console.
Rule File for Displaying Disclaimer
You can create a rule file that will cause a disclaimer to be displayed
before the Good for Enterprise lock screen on a handheld. The user
must click the Accept button to continue. The rule file contains the
text of the disclaimer. You can specify English or another supported
language for the message.
To turn off the disclaimer, disable or delete the rule that you have
created for it.
Example file content:
Default value - A single entry, omitting "lang" attribute. This is the
minimum file content to enable the disclaimer. The default disclaimer
text that you specify will be used for unspecified locales.
<disclaimer>
<dtext value="your default disclaimer text"></dtext>
</disclaimer>
Specifying disclaimer text for English ("en"). Note: default value
must always be available. In this example, your English disclaimer
text will display on English handhelds and your default text will
display on handhelds using all other languages.
<disclaimer>
<dtext value="your default disclaimer text"></dtext>
<dtext lang="en" value="your English disclaimer text"></dtext>
</disclaimer>
Language specification lines are mandatory if you will be providing
different disclaimer text for GFE-supported languages. Note: default
value must always be available. If you omit the line for a particular
language, the default text will be displayed for handhelds using that
language.
<disclaimer>
<dtext value="your default disclaimer text"></dtext>
<dtext lang="en" value="your English disclaimer"></dtext>
<dtext lang="fr" value="your French disclaimer"></dtext>
<dtext lang="de" value="your German disclaimer"></dtext>
<dtext lang="it" value="your Italian disclaimer"></dtext>
<dtext lang="es" value="your Spanish disclaimer"></dtext>
</disclaimer>
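The fallback rule described above (a default entry must always be present, and a language without its own line gets the default text) can be checked before a disclaimer file is uploaded. This is an added example, not Good's code; the function names, the sample text, the duplicate-entry check and the reduction of a locale such as fr_CA to fr are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format shown above (the text values are placeholders).
SAMPLE_DISCLAIMER = """<disclaimer>
<dtext value="Default: authorized use only."></dtext>
<dtext lang="en" value="English: authorized use only."></dtext>
<dtext lang="fr" value="French disclaimer text"></dtext>
</disclaimer>"""


def load_disclaimer(xml_text):
    """Return {lang or None: text}; raise ValueError if the file breaks a rule."""
    root = ET.fromstring(xml_text)      # raises ET.ParseError on malformed XML
    if root.tag != "disclaimer":
        raise ValueError("root element must be <disclaimer>")
    texts = {}
    for node in root.findall("dtext"):
        lang = node.get("lang")         # None marks the default entry
        value = node.get("value")
        label = lang or "default"
        if not value:
            raise ValueError(f"dtext for {label} has no value")
        if lang in texts:
            # Not stated in the guide: two entries for one language are
            # treated here as an authoring mistake (assumption).
            raise ValueError(f"duplicate dtext for {label}")
        texts[lang] = value
    if None not in texts:
        raise ValueError("default dtext (no lang attribute) is missing")
    return texts


def text_for(texts, locale):
    """Pick the entry for a handheld language, falling back to the default."""
    # Reducing "fr_CA" or "en-US" to the two-letter code is an assumption.
    lang = locale.split("-")[0].split("_")[0].lower()
    return texts.get(lang, texts[None])
```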
Rule Files for Compliance Policies
To check for a specifically required application on a particular type of
Windows Mobile or Palm handheld, a rules file is required. Default
rules files are stored in the console’s \etc\confs\rule directory, but
rules files that you create should be stored elsewhere, so that they
won’t be lost if you uninstall and reinstall the console.
The following template rule files are included with GMC Server in
\etc\confs\rule. Several files for specific popular applications are
also included. These files allow you to check for the presence of
applications by filename, process, and/or registry entries. The files
are XML in format.
Template for PPC Handhelds:
<?xml version="1.0" ?>
<!-- Sample Rule File for PocketPC Operating System Handhelds -->
<rules>
  <files>
    <file name="" minsize="" maxsize="" version="" />
  </files>
  <registries>
    <registry path="" key="" type="" value="" />
  </registries>
  <processes>
    <process name="" />
  </processes>
</rules>
where:
filename - The exact executable path or name (required).
Pathnames can begin with %xxx% or \ format. Simple filenames
must be at root level on the handheld. Maximum length is 256
characters. Use \ in pathnames. Invalid characters: <>:\”/\\|?*.
Valid characters: ^&’@{}[],$=!-#()%.+~_.
minsize - Minimum allowable size in bytes for the application
(optional)
maxsize - Maximum allowable size in bytes for the application
(optional)
version - Required application version
registry path - Registry path for the application entry
key - Key value for the application registry entry
type - The word Int or string
value - Type value
process name - Name of the application process (e.g., application
name without the extension)
Example using registries:
<!-- Sample Rule File to check for Credant(tm) on PocketPC Operating System Handhelds -->
<rules>
  <registries>
    <registry path="HKEY_LOCAL_MACHINE\Software\Credant Technologies" key="Active" type="int" value="1"/>
  </registries>
</rules>
Template for Palm Handhelds
<?xml version="1.0" ?>
<!-- Sample Rule File for Palm Operating System Handhelds -->
<rules>
  <dbs>
    <db name="" type="" creator="" version="" minsize="" maxsize="" />
  </dbs>
</rules>
where:
db name - The exact Palm database name of the application
(required). Maximum length is 31 characters. Use a third-party
tool or contact the application manufacturer for information on
how to obtain this name.
type - 4-character value for required application type. Use a third-party tool or contact the application manufacturer to obtain.
creator - 4-character value for required application creator. Use a
third-party tool or contact the application manufacturer to obtain.
version - Required application version.
minsize - Minimum allowable size in bytes for the application
(optional)
maxsize - Maximum allowable size in bytes for the application
(optional)
Example using db name:
<rules>
  <dbs>
    <db name="ShieldLib" type="libr" creator="MGSH" version="" minsize="" maxsize=""/>
  </dbs>
</rules>
Template for Smartphone:
<?xml version="1.0" ?>
<!-- Sample Rule File for Windows Mobile Smartphones -->
<rules>
  <files>
    <file name="" minsize="" maxsize="" version="" />
  </files>
  <registries>
    <registry path="" key="" type="" value="" />
  </registries>
  <processes>
    <process name="" />
  </processes>
</rules>
where:
filename - The exact executable path or name (required).
Pathnames can begin with %xxx% or \ format. Simple filenames
must be at root level on the handheld. Maximum length is 256
characters. Use \ in pathnames. Invalid characters: <>:\”/\\|?*.
Valid characters: ^&’@{}[],$=!-#()%.+~_.
minsize - Minimum allowable size in bytes for the application
(optional)
maxsize - Maximum allowable size in bytes for the application
(optional)
version - Required application version
registry path - Registry path for the application entry
key - Key value for the application registry entry
type - Int (DWORD) or string
value - Type value
process name - Name of the application process (e.g., application
name without the extension)
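Before a custom rule file is selected in the console, the constraints listed in this section can be checked locally. The linter below is an added example, not part of the Good product, and it covers both the PPC/Smartphone and the Palm elements. It reads the invalid-character list as <>:"/|?* with \ kept as the path separator and 8KB as 8192 bytes; the sample paths, the min/max sanity check and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAX_TOTAL_BYTES = 8 * 1024      # "8KB" read as 8192 bytes (assumption)
BAD_CHARS = set('<>:"/|?*')     # invalid set from the guide; "\" kept as separator (assumption)
PATH_VARS = ("PROGRAMFILES", "MYDOCUMENTS", "WINDOWS")

# Constructed sample: placeholder file path plus the guide's Credant registry check.
GOOD_RULES = r'''<?xml version="1.0" ?>
<rules>
  <files><file name="%PROGRAMFILES%\ExampleAV\agent.exe" minsize="1024" maxsize="" version="" /></files>
  <registries>
    <registry path="HKEY_LOCAL_MACHINE\Software\Credant Technologies" key="Active" type="int" value="1"/>
  </registries>
</rules>'''

# Constructed sample with deliberate mistakes in each rule type.
BAD_RULES = r'''<rules>
  <files><file name="%TEMP%\tools/agent?.exe" minsize="900" maxsize="100" version="" /></files>
  <registries><registry path="HKEY_LOCAL_MACHINE\Software\Example" key="Active" type="bool" value="yes"/></registries>
  <dbs><db name="ShieldLib" type="lib" creator="MGSH" version="" minsize="" maxsize=""/></dbs>
</rules>'''


def _check_sizes(el, where, problems):
    """minsize/maxsize are optional byte counts; min > max is an added sanity check."""
    sizes = {}
    for attr in ("minsize", "maxsize"):
        raw = el.get(attr, "")
        if raw and not raw.isdecimal():
            problems.append(f"{where}: {attr} must be a byte count, got {raw!r}")
        elif raw:
            sizes[attr] = int(raw)
    if len(sizes) == 2 and sizes["minsize"] > sizes["maxsize"]:
        problems.append(f"{where}: minsize exceeds maxsize")


def _check_file(el, problems):
    name = el.get("name", "")
    where = f"file {name!r}"
    if not name:
        problems.append("file: name is required")
        return
    if len(name) > 256:
        problems.append(f"{where}: longer than 256 characters")
    prefix = re.match(r"%([^%\\]*)%", name)
    rest = name[prefix.end():] if prefix else name
    # Matching the %xxx% token case-insensitively is an assumption.
    if prefix and prefix.group(1).upper() not in PATH_VARS:
        problems.append(f"{where}: %xxx% must be one of {', '.join(PATH_VARS)}")
    if "\\" in name and not (prefix or name.startswith("\\")):
        problems.append(f"{where}: pathnames must begin with %xxx% or \\")
    bad = sorted(BAD_CHARS.intersection(rest))
    if bad:
        problems.append(f"{where}: invalid characters {''.join(bad)}")
    _check_sizes(el, where, problems)


def _check_registry(el, problems):
    where = f"registry {el.get('path', '')!r}"
    kind = el.get("type", "").lower()   # the guide writes both "Int" and "int"
    if kind not in ("int", "string"):
        problems.append(f"{where}: type must be Int or string")
    elif kind == "int" and not re.fullmatch(r"-?\d+", el.get("value", "")):
        problems.append(f"{where}: value is not an integer")


def _check_db(el, problems):
    name = el.get("name", "")
    where = f"db {name!r}"
    if not name:
        problems.append("db: name is required")
    elif len(name) > 31:
        problems.append(f"{where}: longer than 31 characters")
    for attr in ("type", "creator"):
        value = el.get(attr, "")
        if value and len(value) != 4:
            problems.append(f"{where}: {attr} must be 4 characters")
    _check_sizes(el, where, problems)


def lint_rule_file(xml_text, enabled_bytes=0):
    """Return a list of problems; enabled_bytes is the size of rule files already enabled."""
    problems = []
    size = len(xml_text.encode("utf-8")) + enabled_bytes
    if size > MAX_TOTAL_BYTES:
        problems.append(f"size {size} bytes exceeds the 8KB limit for the handheld family")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"XML is not well formed: {exc}")
        return problems
    if root.tag != "rules":
        problems.append("root element must be <rules>")
        return problems
    checks = (("files/file", _check_file), ("registries/registry", _check_registry),
              ("dbs/db", _check_db))
    for path, check in checks:
        for el in root.iterfind(path):
            check(el, problems)
    return problems
```

Running it on one of the unmodified templates reports the empty name and type attributes, which is the reminder that a template has to be filled in before it is used.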
Compliance Report
The Good Management Console makes it easy for you to track your
devices with respect to their compliance with your policy settings. If
a device’s compliance status changes, Good Mobile Device
Management keeps track of the fact. This section describes how to
access and review your compliance data.
For a quick overview of the compliance situation, go to the
Handhelds tab. You can customize the device information view by
clicking on the “Select Columns” icon
and choosing from the
drop-down menu. Device compliance status is tracked in the second
column of the device list.
Compliance status
This second (untitled) column can display three possible compliance
indicators: a blank field, an exclamation point, and a question mark.
A blank field indicates the device is in compliance with respect to its
currently configured policy settings. An exclamation point indicates
that the device is out of compliance with these policies. A question
mark indicates that the compliance check is pending for the device.
This can happen when the device is not connected, is not set up, or is
not sync’d, when the device (e.g., Windows Mobile) is not supported
for this feature, or when the device is running an earlier, unsupported
Client (less than 1.7.3 for Android; less than 1.9.3 for iOS).
To display only those devices in or out of compliance, use the related
Filter by Compliance filters in the left panel.
On the Handhelds tab, you can run a full compliance report and
export it to an Excel spreadsheet. To do so, select Export Compliance
Report from the Select Import/Export Action pull-down menu.
This generates a report showing all changes in device compliance for
all devices in the current view.
The rows in the report are grouped by device, with a separate row for
each change in the compliance status of the device. The report
provides the changed status, the affected policy setting, the cause for
the change, and any action taken, as specified by the policy.
Out-of-compliance causes can include jailbreak detection,
connectivity verification (device must have connected to Good
within a specified time), OS version verification, hardware model
verification, etc. Out-of-compliance actions can include exiting from
the Good Client on the device, deactivating the Client, and creating a
compliance report. (Refer to “Compliance Manager” on page 156.)
For more information about a specific device, click its link on the
Handhelds page to open a detailed view for it. If a device is out of
compliance, a report link is added to the left pane.
Compliance report is added for devices with compliance data available
Click the Compliance Report link to display the report.
Click Refresh to update the report. The Console will query the device;
device response will depend upon the current device state. The
request for information will persist until the device is available to
answer it. Click Export to create an Excel report based upon the
screen display.*
Data Encryption
You can encrypt selected databases and folders on the handheld.
Databases designated for encryption are encrypted when Good
Messaging locks the handheld. The databases are decrypted when
Good Messaging unlocks the handheld. When more than 1MB of
data is to be decrypted, this process can last several minutes.
There are no utilities that can be used to decrypt an encrypted
database.
Good for Enterprise applications take care of their own encryption.
Good for Enterprise databases are bitwiped (all data erased) when
the handheld is wiped as described in “Erasing Handheld Data” on
page 230.
Good Messaging does not encrypt data on the desktop/laptop, but it
does transfer encrypted data to the desktop; since the data is
encrypted, however, it will not be useful. When the handheld is
unlocked all data reads are seen as authorized by Good Messaging,
including ActiveSync. Good Messaging will decrypt all data before it
is ActiveSynced to the desktop/laptop.
Note: Data encryption is not supported on Nokia 5.1.0.37 clients.
To set Data Encryption policies:
1. On the Policies page, click the name of a policy set.
2. Click the Data Encryption link in the left panel for the policy set.
3. If necessary, click a handheld platform in the right panel to
expand the list of databases and folders for that platform.
4. Click the check box next to the databases and folders you want to
encrypt, and then click the Encrypt button.
Note that Good applications have their own inherent security.
They are not listed in the Data Encryption page.
5. Click the Save button to save the settings.
Preventing Application Termination When a Handheld Is Locked
In versions previous to 5.0.2, Mobile Messaging terminated all third-party applications running on a handheld when it was locked. Now,
all such applications will continue to run when the handheld is
locked, unless folder encryption is enabled.
If one or more folders are listed for encryption, the following
applications will continue to run anyway: Native Windows Music
player, Symantec AV, Blue Fire firewall, McAfee AV, Instant
Messaging, Google Maps, Internet Explorer, Opera, MSP Agent,
MotoNav. You can create a list of additional applications that will
continue to run when the handheld is locked. All other applications
will be terminated.
The list of applications is contained in a file named
“DevicesAppList.ini.” (The ini file must have this name.) A template
is provided with the Good Messaging Console; it is empty (does not
list any applications) by default. On the handheld, the Good
Messaging Client will consult the DevicesAppList.ini file to
determine which applications should not be terminated when the
device lock is triggered.
Entries in the DevicesAppList.ini file consist of the .exe names of the
applications to remain running. Edit the file using any standard text
editor. In the sample provided, replace [ALLOWED_APP_LIST] with
a device-specific name.
The template provided:
; DevicesAppList.ini (ppc)
;
;This file follows the usual INI file format, and includes allowed application list for PPC devices.
;
;Sections must be in brackets, starting in column 1 of a line.
;Application name will be used as a key. They must start in column 1.
;
;Syntax of the section is as follows:
;[<Section_name>]
;----------------------------------------
;Syntax of the key is as follows:
;<application_name><whitespace>\n
;
;----------------------------------------
;
;----------------------------------------
;Allowed Application list
;----------------------------------------
[ALLOWED_APP_LIST]
MobileCalculator.exe
iexplorer.exe
pxl.exe
ppt.exe
pword.exe
BubbleBreaker.exe
solitare.exe
GoodCalendar.exe
;----------------------------------------
Pushing DevicesAppList to the desired handhelds
DevicesAppList, once created, must be pushed to the handhelds to
take effect. To do so, refer to “Managing Wireless Software
Deployment” on page 210, beginning with the section “Custom
Applications: Adding to and Deleting from the Software Package” on
page 219.
The push process is transparent to the user. No notifications are
provided on the handheld unless it is being upgraded from a pre-5.0.4 version.
This feature applies to Pocket PC and SmartPhone handhelds only.
Note: ActiveSync cannot be used to push the file to a handheld.
To check whether DevicesAppList.ini has been successfully installed
on a handheld:
1. In the Console, select the user.
2. Select Manage User Groups, Policy, and Software.
3. Under the Software section, select either “View Current” or “Edit”
for Custom Settings. (This is the “Distribute Software” page.) You
will see the entry for DevicesAppList.ini and “Success” for the
status.
DevicesAppList.ini file status should be Success.
To test whether a specified application continues running upon
device lock:
1. Go to Task manager and confirm that the applications present in the
DevicesAppList.ini file are running and all other applications have
been terminated when the device is locked.
2. Alternatively, lock the device and provide an async password in
the password box. This will allow you to enable ActiveSync when
the handheld is locked. Go to the process viewer to confirm that
all applications present in DevicesAppList.ini are running during
the lock.
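The comparison in the test above can be scripted once the process names have been noted before and during the lock. This is an added example, not Good's code: the function names, the sample process lists and the case-insensitive name matching are assumptions, and the built-in applications that always keep running must be supplied as the exempt list because this guide does not give their .exe names.

```python
# Constructed sample: a shortened DevicesAppList.ini using entries from the template.
SAMPLE_INI = """; DevicesAppList.ini (ppc)
;Allowed Application list
[ALLOWED_APP_LIST]
MobileCalculator.exe
iexplorer.exe
GoodCalendar.exe
"""

# Constructed process lists as read from Task manager or a process viewer.
BEFORE_LOCK = ["iexplorer.exe", "MobileCalculator.exe", "game.exe", "placeholder-system.exe"]
DURING_LOCK = ["IEXPLORER.EXE", "game.exe", "placeholder-system.exe"]
EXEMPT = ["placeholder-system.exe"]   # placeholder for system and built-in exempt processes


def parse_allowed_apps(ini_text):
    """Return the .exe names listed in the file, enforcing the template's layout rules."""
    allowed, in_section = [], False
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue                                  # blank line or comment
        if line[0].isspace():
            raise ValueError(f"line {lineno}: sections and keys must start in column 1")
        if line.startswith("["):
            if not line.rstrip().endswith("]"):
                raise ValueError(f"line {lineno}: section name must be in brackets")
            in_section = True
            continue
        if not in_section:
            raise ValueError(f"line {lineno}: entry appears before any [section]")
        name = line.strip()
        if not name.lower().endswith(".exe"):
            raise ValueError(f"line {lineno}: {name!r} is not an .exe name")
        allowed.append(name)
    return allowed


def check_lock_behaviour(allowed, before_lock, during_lock, exempt=()):
    """Compare the processes seen during the lock with what the list permits."""
    allow = {n.lower() for n in allowed}              # case-insensitive (assumption)
    skip = {n.lower() for n in exempt}
    before = {n.lower() for n in before_lock} - skip
    during = {n.lower() for n in during_lock} - skip
    return {
        # Listed in the file and running before the lock, but gone during it.
        "stopped_but_allowed": sorted((before & allow) - during),
        # Still running during the lock although not listed in the file.
        "running_but_not_allowed": sorted(during - allow),
    }
```

Both result lists are empty when the handheld behaves as described; any entry in either list points to a missing or misspelled line in the file, or to a file that was not pushed successfully.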
Application Management
For a description of software deployment policy options, refer to
“Managing Wireless Software Deployment” on page 210.
Plugin Policies
Since the GMC Console serves other applications in the Good for
Enterprise, policies for those applications will also be available if they
are installed.
iOS configuration
The iOS configuration feature allows you to set policies for your
enterprise iOS device, utilizing iOS configuration profiles. During
Good for Enterprise setup on the iOS device, Good will create a new
configuration profile with the name you specify in the policy, in
Settings/General/Profiles (the default name is the name of the
policy).
Once you set and save iOS configuration policies in the Good
Management Console, your settings are implemented in the
following way:
• During Good for Enterprise handheld setup, or when a user runs
or is running Good on their handheld, a “Profile Required” dialog
is displayed. The user can delay the installation twice, one hour
each time.
• The user accepts this dialog and Good exits, Safari runs, and an
“Install Profile” dialog is displayed.
• The user accepts this dialog, follows the installation prompts,
provides his/her device passcode, and the Good configuration
profile is installed, containing your policy settings.
• The user is returned to Good installation or to the Good for
Enterprise application.
• Whenever configuration settings are changed for the policy in
Good Mobile Console, the process is repeated, unless the MDM
(Mobile Device Manager) option is selected (explained below); if
MDM is selected, configuration settings are updated
automatically on the device.
If the Good profile is removed from the iOS device, Good for
Enterprise is disabled. The user must repeat the procedure to install
the profile for Good for Enterprise to run again.
General Policies
Enable iOS configuration - Sets up a Good configuration file on the
iOS device (default: unchecked).
Profile name (shown on device) - Default is the policy set name
Organization - Default is an empty field
Enable remote full device wipe - Check to enable this feature on
the Handhelds page (“Erasing Handheld Data” on page 230).
Otherwise, wipe is enabled for Good data only. Default is
unchecked.
Enable MDM profile
If the MDM check box is checked, any changes made and saved to
settings on the iOS Configuration pages (General, Passcode,
Restrictions, WiFi, VPN, Web Clips) will be made to all devices to
which the present policy is applied. The user is not required to
reinstall the configuration file when changes to its settings are
made.
If the MDM check box is checked, two new options are available
on the handheld security page: remote device lock and remote
device password reset. (Requires iOS4.)
Important: The MDM feature requires an Enterprise MDM
Certificate signed by Apple. Using the Generate Certificate
Request button on the Settings > Certificates page, create a
certificate request file and save it to your local drive. Once it is
saved locally, upload it to https://identity.apple.com/pushcert/.
This will generate a signed certificate that you must save; then
return to the Settings > Certificates page to upload it using the
Upload Apple Signed Certificate button. For details on this
procedure, refer to “Obtaining a Mobile Device Management
Certificate Signed by Apple” on page 187.
If you attempt to enable MDM without a certificate, you’ll be
taken to the Settings Certificate page to import one.
If you want to delete the certificate later, you must first uncheck
the MDM feature within all policy sets where it has been selected.
Warning: Renew this certificate when it expires, rather than
generating a new one. Generating a new certificate will require
users to manually remove the Good iOS Configuration profile
from General > Settings, relaunch the Good Client, and reinstall
the new Configuration Profile.
Profile Security (available only if MDM check box is not checked)
Allow user to remove profile (the default), or
Require password to remove profile (with field to define the
passcode), or
Do not allow profile to be removed
If the MDM check box is selected, the user always has the option to
remove the MDM profile from the device. If the MDM profile is
present on the device, the Good profile cannot be removed by the
user; if the user removes the MDM profile, he/she can then remove
the Good profile.
If the Good profile is removed from the iOS device, the user will no
longer be able to access Good data. Instead, a prompt to install the
missing profile is displayed at startup.
Passcode Policies
Allow device lock and passcode removal - This setting grants access
to the Administrator to the Security link for the device on the
Handhelds tab. There the administrator can wipe the device, lock the
device, or select the reset password option, which will clear the
password for the device itself. (See “Erasing Handheld Data” on
page 230, “Locking Out a User” on page 229, and “Resetting a
Password Remotely (iOS, Android)” on page 226 for details.)
Require passcode - Use these policies to control access to the iOS
device through use of a mandatory passcode. (To control access to the
Good application on the iOS device, refer to “Network
Communication” on page 146.) If you tighten passcode requirements,
the user is prompted to define a new password and is given an hour
to do so. This check box requires a user to enter a passcode to access
the Good applications (default: checked).
Minimum length of - Specifies the minimum length allowed for the
passcode (1-10 characters) (default: 1 character).
Allow simple value - Allows the use of repeating, ascending, and
descending character sequences in the passcode (default: checked).
Alphanumeric - Requires the passcode to contain at least one letter
and one number (default: unchecked).
Minimum number of complex characters - Requires the passcode to
contain at least this many complex characters, such as @, #, $, or %
(1 - 10 characters) (default: unchecked)
Maximum passcode age - Days after which passcode must be
changed (1 day to 730 days) (default: unchecked)
Auto-Lock - Maximum allowed idle time after which device
automatically locks. (1 minute to 1 hour) (default: unchecked)
Passcode history - The number of unique passcodes required before
reuse (1 to 10) (default: unchecked)
Grace period - Maximum amount of time device can be locked
without prompting for passcode on unlock (1 minute to 4 hours)
(default: unchecked)
Maximum failed attempts - Wipe device after n attempts (a number
between 4 and 10)(default: unchecked).
Restrictions on the iOS device
Check options to disable the following restrictions on the iOS device.
These restrictions cannot be modified by the user. The restrictions are
disabled by default.
• Allow use of YouTube
• Allow use of iTunes Music Store
• Allow installing apps
• Allow use of camera - Includes suboption to allow FaceTime
• Allow screen capture
• Allow syncing of consumer email accounts while roaming
• Allow voice dialing when the device is locked
• Allow In-App purchases
• Require iTunes backups to be encrypted
• Allow use of Safari* - Suboptions to enable autofill, javascript,
plugins, pop-ups; and force fraud warning; accept cookies always,
never, or from visited sites.
• Allow explicit music and podcasts - Suboptions to specify allowed
content and applications, ratings region, allowed ratings for
movies, TV shows, and apps (iOS4 required)
*Note: Safari is required to install the iOS Good profile that sets these
restrictions; Safari is also required for any subsequent updates to
these settings. If you disable Safari by unchecking its check box, you
can only disable or change Console policy settings by reinstalling
Good on the iOS device. Also, if you disallow apps installation, you’ll
need to allow it again later if the Good Client is to be updated on the
device.
Important: For security reasons, Good does not allow backup of your
Good data to iTunes or iCloud, as doing so could make your
corporate data accessible to unauthorized users. Since this data is not
backed up to iTunes or iCloud, it cannot be restored as part of any
iOS upgrade or restore from backup that you perform. As a result,
you'll need to set up your device again, updating and re-syncing the
Good for Enterprise application; that is, after the iOS upgrade or
backup, you'll be taken to a provisioning screen and be prompted for
your email address and PIN.
Wireless Networks
Good for Enterprise allows you to set or change wireless-network
connection settings for an iOS user via policy settings for the policy
set applied to the device.
To define wireless network settings for the policy set:
1. Click the WiFi tab.
All wireless connections that you’ve defined so far are listed. Click
the check box next to those whose connection details are to be sent
to iOS devices using this policy set.
2. To add details for a new connection, click Add Network.
3. Provide a Network name (SSID). Select a network type and proxy
type. Click the check boxes if desired for Auto Join, and if this is a
hidden network. You will provide additional specifications
depending upon the network type you select.
Note: You can add a network with a Trusted Root/Expected
Certificate. Available certificates are listed in this connection
parameter window, but only if you import them first into the
Console. To do so, use the Certificate link on the Settings tab.
The Trusted Server Certificate Names field allows multiple names
to be entered, separated by commas.
4. To change the settings for a network, click the edit link for the
network on the Wireless Connections page.
5. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. Click Save
without updating to save the new policy settings without sending
the changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
VPN Connections
To set or change VPN connection settings for an iOS user:
1. Click the VPN tab.
All VPN connections that you’ve defined so far are listed. Click
the check box next to those whose connection details are to be sent
to iOS devices using this policy set.
2. To add details for a new connection, click Add Connection.
3. Provide a connection name and server hostname in the
appropriate fields. From the dropdowns, select connection and
account types.
Selecting a connection type will display additional connection
parameters to be defined.
Note: You can add connections with a Trusted Root/Expected
Certificate. Available certificates are listed in this connection
parameter window, but only if you import them first into the
Console. To do so, use the Certificate link on the Settings tab.
4. To change the settings for a connection, click the edit link for the
connection on the VPN Connections page. Select the connection
type to display additional fields that can be changed.
5. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. (That is, the
user must open the email on the iOS device.) Click Save without
updating to save the new policy settings without sending the
changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
Web Clips
Use the Web Clips tab to add web clips to the Home screen of the
user’s device. Web clips provide links to specified web pages.
1. Click the Web Clip tab.
2. Click Add.
3. Enter a label for the web clip. This will be displayed on the user’s
Home screen.
4. Enter a URL to define the web clip’s link.
Note: The URL you specify must include the prefix http:// or
https://. The URL won’t be accepted without it.
5. To give the user the option of removing the clip, check the
Removable box.
6. To add a custom icon, use the Browse button or enter the path and
file name of a graphic file in gif, jpeg, or png format, 59 x 60 pixels
in size. The image is automatically scaled and cropped to fit, and
converted to png format if necessary. You can specify a
precomposed icon and that the clip be displayed full-screen.
Obtaining a Mobile Device Management Certificate Signed by Apple
To generate the signed certificate required by the iOS MDM policy
feature, follow this procedure:
Generate the file and upload to Apple
1. Click the Generate Certificate Request button on the Settings >
Certificates page.
2. Enter the required information and click Next.
3. Make a note of the Apple URL to which you will upload the
certificate request.
You must log in with your Apple I.D. to
https://identity.apple.com/pushcert/.
4. Select Generate and save the generated file to your local drive.
The file should end with the extension .plist.
Obtain a signed certificate from Apple
1. At https://identity.apple.com/pushcert/, sign in to Apple's Push
Certificate Portal with your Apple ID.
2. Click Create a Certificate.
(Accept the terms and conditions, if you have not already done
so.)
3. Choose the .plist file that you downloaded and saved, and select
Upload.
You should see a confirmation message with a Download button.
4. Download the file to your local hard drive and return to the Good
Mobile Control Settings > Certificates page.
This file will have the extension: .pem.
* Internet Explorer users, see known issues below.
Upload the signed certificate to Good Mobile Control
1. Click the Upload Signed Apple Certificate button on the Settings >
Certificates page.
You will be prompted for your password. Enter your Apple ID
password.
2. Navigate to find the signed .pem file on your local drive.
3. The signed file should now appear in the certificate list.
* Internet Explorer users
On Internet Explorer, you will need to log out and then log back in
again to see the signed certificate. IE may also create an additional file
prior to the generation of the '.pem' file. This additional file is not
needed, but can be used to check for any possible errors.
{"ErrorCode":-80013,"ErrorMessage":"Invalid Certificate Signing Request","ErrorDescription":"The Certificate Signing Request you entered appears to be invalid. Make sure that request file uploaded is in the <a href="http://www.apple.com/business/mdm" target="_blank">correct format</a>and not empty."}
If this shows up, delete both files and re-try the previous steps until a
clean file is generated. A clean file is an indication that the .plist file
was signed with no errors from Apple.
Renewing a Certificate
Warning: Renew this certificate when it expires, rather than
generating a new one. Generating a new certificate will require
users to manually remove the Good iOS Configuration profile
from General > Settings, relaunch the Good Client, and reinstall
the new Configuration Profile.
Do not delete the existing MDM certificate; just upload the renewed
version. On upload, the new certificate will override the old.
Scenario 1: You generated the certificate using iOS Developer
Enterprise Program’s (iDEP) Provisioning Portal (older process).
Step 1 – Follow the instructions in “MDM Push Certificate Migration
Information” on page 189 to renew the certificate with Apple. This
older process did not involve Good Technology and is between you
and Apple. If you cannot renew the certificate for any reason, you’ll
have no option but to generate a new MDM certificate.
Step 2 – Upload to Good Mobile Control by going to Settings >
Certificates and clicking the Import button. Do not delete the existing
certificate, just upload the renewed one and it will overwrite the old.
Scenario 2: You generated the certificate using Apple Push Certificate
Portal (APCP) (new process).
Step 1 – Go to the APCP website - https://identity.apple.com/pushcert.
Log in using the same Apple ID that was used to generate
the certificate. You will see an option to renew the certificate. Click
that button and download the renewed certificate.
Step 2 – Upload to Good Mobile Control by going to Settings >
Certificates and clicking the Import button. Do not delete the existing
certificate, just upload the renewed one and it will overwrite the old.
MDM Push Certificate Migration Information
The information in this section is provided by Apple. It documents
the older processes for creating and managing push certificates.
MDM push certificates created in the iOS Developer Enterprise
Program were migrated to the Apple Push Certificates Portal. This
impacted the creation of new MDM push certificates and the
renewal, revocation and downloading of existing MDM push
certificates. It did not impact other (non-MDM) APNS certificates.
If your MDM push certificate was created in the iOS Developer
Enterprise Program:
- It was migrated for you automatically.
- You can renew it in the Apple Push Certificates Portal without
impacting your users (and the topic will not change).
- You’ll still need to use the iOS Developer Enterprise Program to
revoke or download a pre-existing cert.
If none of your MDM push certificates are near expiration, no action
is needed. If you do have an MDM push certificate that is
approaching expiration, have your iOS Developer Program Agent
login to the Apple Push Certificates Portal with their Apple ID.
Renewal of MDM push certificates
To renew an MDM push certificate that was created in the iOS
Developer Enterprise Program, visit Apple Push Certificates Portal
and login with the Apple ID of the Agent on your iOS Developer
Enterprise Program membership. Existing certificates will list
"Migrated" as the Vendor.
Renewal of existing MDM push certificates via the Apple Push
Certificates Portal will ensure the topic of the certificate will not
change. This means users will not need to re-enroll devices and MDM
service will not be impacted by this change. New MDM push
certificates created in the Apple Push Certificates Portal are assigned
a topic automatically and cannot be customized.
To renew an MDM push certificate that was created in the Apple
Push Certificates Portal, visit Apple Push Certificates Portal and
login with your Apple ID.
Downloading of MDM push certificates
To download an MDM push certificate that was created in the iOS
Developer Enterprise Program, login to the iOS Developer Enterprise
Program and visit the iOS Provisioning Portal.
To download an MDM push certificate that was created in the Apple
Push Certificates Portal, visit Apple Push Certificates Portal and
login with your Apple ID.
Android Configuration
The Android configuration feature provides additional policy
settings for your enterprise Android devices.
General Policies
Enable Android Full-Device Administration - Enables the Android
configuration plugin feature.
Enable remote full device wipe
Enable remote full device lock
Enable remote device password reset
Check the check box to enable the feature on the Handhelds page for
a device using the Security link. Otherwise, the wipe, lock and
change-password actions are available only for the Good for
Enterprise application on the device. Default is unchecked.
If you enable these additional settings, Good is added to affected
devices as an administrator in Settings/Location/Security. If the user
should deselect Good via “Select device administrators,” he/she is
locked out of the Good for Enterprise application. Any passcode
settings remain in effect, but the user can change them. The device
can still be wiped or locked if these features are enabled, until the
Good application is removed from the device.
Passcode Policies
Use these policies to control access to the Android device through use
of a mandatory passcode. (To control access to the Good application
on the Android, refer to “Network Communication” on page 146.)
Require passcode - User must enter a passcode to access the Good
applications (default: checked).
Minimum length of - Specifies the minimum length allowed for the
passcode (1-10 characters) (default: 4 characters).
Alphanumeric - Requires the passcode to contain at least one letter
and one number (default: checked).
Auto-Lock - Maximum allowed idle time after which device
automatically locks. (1 minute to 15 minutes) (default: 1 minute)
Maximum failed attempts - Wipe device after n attempts (a number
between 4 and 16)(default: 4). The full device is wiped.
Good Mobile Access (Secure Browser)
Good Mobile Access (Secure Browser) is a Good Messaging plugin
that provides a browser on supported devices for use with your
corporate Intranet. The browser is integrated to the Good Mobile
Messaging Client on the device and provides seamless access to
Intranet sites without need for VPN.
Good Mobile Access (Secure Browser) uses Console policies to
determine whether a web page should be loaded on the user’s device
or redirected to the native browser. The secure-browser policy lists all
the Intranet domains, sub-domains, and embedded Internet domains
that you as administrator want to make available on the mobile
device.
The secure browser provides a browser history, which can be cleared.
Naming and editing bookmarks is supported. The browser supports
pinch and zoom, and landscape mode. No special training is
required.
Secure Browser supports HTML 4.
Refer to the Secure Browser User’s Guide for additional
information.
Overview
Secure browser provides browsing-only functionality for supported
devices. It does not provide connectivity for other applications to
your Intranet. It utilizes the secure container for browsing, thus
storing all the data in encrypted format. The browser is included with
Good Mobile Messaging Server and does not require additional
server installation. Browser access is at the HTTP level (Application/
Proxy layer) rather than the IP packet level (Network Layer). This
ensures secure and separate corporate data:
• Integration with the Good for Enterprise app
• Encryption of browser cache, bookmarks, history and
downloaded files inside the enterprise container
• Remote wipe of cache, bookmarks, history, downloaded files,
cookies, etc. (For Android, OS 2.2 or 2.3 is required for wipe of
cookies and cache.)
• End-to-end encryption of data over-the-air
• No outbound firewall holes
• Application password policies
This graphic illustrates the Client communication flow:
• The user enters a URL in the secure browser.
• The Client issues an HTTP proxy connection over the GMM Server.
The browser supports an HTTPS connection end-to-end from
Client to web server.
• GMM Server resolves the host name of the requested web server
and checks the host name against the domain list defined by the
Secure Browser policy in Good Mobile Control.
• Once the HTTP connection is established, the Client performs
HTTP transactions (POST/GET). Good Messaging Server simply
passes the data back and forth between the web server and the
Client as the session requires.
Notes on the secure transport:
• Over-the-air transmissions are encrypted from the device to the
Good Messaging Server using AES 192 Bit Encryption.
• Good Messaging Server establishes a TCP connection to the web
server based on the URL being requested by the secure browser.
• Good Messaging server relays data between the web server and
the secure browser on the mobile device.
- Data exchanged between the secure browser and web server is
encrypted using HTTPS.
- Good Messaging Server does not store or analyze any of the
data between the secure browser and the web server.
- Access restrictions are applied based on the administrative
policies defined in Good Mobile Control.
The Good Messaging Server logs the server names and ports that
users of Secure Browser attempt to connect to. Since logs age out, this
record of connection attempts is limited by time. If a proxy is used by
the destination server, the proxy server name and port are recorded,
not the actual destination server name and port.
Preparation
Before setting up secure browsers for users, confirm the following:
• Good Messaging Server should be able to connect to the requested
host.
• Good Messaging Server should be able to resolve the host name to
IP address through DNS lookup.
• Good Messaging Server should be able to connect to the resolved
IP address and requested port number.
In addition:
• Secure browser requires the Good iOS Client 1.8.2 or higher, or
Good Android Client 1.8.2 or higher. No other iPhone or iPad
preparation is required. For Android, a WebKit download from
the Android Market is required; the first time the user runs Secure
Browser, it will lead the user through WebKit installation. Only
Android 2.2 and 2.3 devices are supported.
• NTLM v2, and HTTP basic and digest authentication are
supported.
• For connection to a host through a proxy server, refer to “Using a
Proxy with GMA Secure Browser (iOS only)” on page 204.
You can set up a home page for the browsers. You’ll specify it when
setting secure-browser policies. The page can serve as a launching
point to all your internal web-based resources, streamlining Intranet
access and making all its resources easily available to your users.
Enabling Secure Browser
To enable Secure Browser for users via a policy, first go to the Good
Mobile Console Settings tab and click on the Good Mobile Access link
in the left panel. On the Good Mobile Access page that is displayed,
click the “Allow Intranet access from the server” check box.
To set policies for Intranet browser use:
1. Display the Good Mobile Access (Secure Browser) policies page
by clicking on its link in the Plugins portion of the left column of
the Policies tab.
2. Click the “Enable access to the Intranet” check box to turn on the
browser feature for supported handhelds using this policy (and to
display the full screen above).
Note: Although the policy page uses the word “Intranet,”
enabling access also allows you to specify accessible Internet
domains for the secure browser.
3. If desired, supply a homepage address for the homepage to be
displayed when the Good secure browser is invoked. If no address
is specified, the browser opens on a blank page.
4. Enter the specific Intranet or Internet domains that the browser
can access. No other public domains will be allowed. That is, this
list is used as an “allow” list for public IPs: allow hosts with
public IPs whose domain suffix matches an entry in this list.
Note: Non-fully qualified domain names are supported by
default, with the exception of names such as .com, .net, .gov, and
.edu.
To enter the domains, click the Edit button.
Type in the domains that you will allow, separated by commas.
These can be Intranet or Internet domains. If an Intranet domain
includes embedded Internet domains, such as in links to the
Internet on a page or pictures that are referenced from the
Internet, you’ll want to include those Internet domains in this list
(see Troubleshooting below).
Wildcards are not supported. However, entering “acme.com” will
allow any URLs ending with that string (e.g., “test.acme.com” will
be allowed).
Note that if a user enters a non-fully qualified domain name such
as http://info, the browser will connect to it by bypassing the
domain suffix list that you have entered above.
DNS settings on the Good Messaging Server are used to resolve
host names. The Server does not contact DNS providers for the
domains you enter in your allowed list, to resolve host names.
5. If you will be using proxy servers (iOS only), enter the IP
Addresses for the HTTP and HTTPS servers. If any IP prefixes/
domains are to bypass the proxy servers, enter the prefixes and
domains, separated by commas, in the field provided, one pair per
line. Refer to “Using a Proxy with GMA Secure Browser (iOS
only)” on page 204 for rules concerning prefix and domain
definitions, and more information on proxy server use.
6. Click Add to add entries to the list and OK to finish.
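The allow-list rules in step 4, together with the IP-address rule given later in this guide's proxy section, modeled as an added sketch (not Good's code). It assumes the match is a literal "ends with" string comparison, that "private IP" means the RFC 1918 ranges, and that a public IP is compared to the list as an exact string; function names, the policy field and all host names are constructed. `loose_matches` reviews logged server names for hosts that pass the ends-with test without being the entry or one of its subdomains.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "private IP" means the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_allow_list(field):
    """Split the comma-separated policy field into lower-case entries."""
    return [e.strip().lower() for e in field.split(",") if e.strip()]


def route(url, allowed):
    """Return ("secure" or "native", reason) for a URL typed into the browser."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "native", "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in PRIVATE_NETS):
            return "secure", "private IP"
        if host in allowed:  # assumption: exact string match on the address
            return "secure", "public IP listed in policy"
        return "native", "public IP not listed"
    if "." not in host:
        # Documented: a non-fully qualified name bypasses the suffix list.
        return "secure", "non-fully qualified name skips the suffix list"
    for entry in allowed:
        if host.endswith(entry):
            return "secure", "ends with " + entry
    return "native", "no entry matches"


def loose_matches(hosts, allowed):
    """Hosts that pass the ends-with test but are neither the entry nor a subdomain of it."""
    flagged = []
    for host in hosts:
        host = host.lower()
        for entry in allowed:
            subdomain = host.endswith("." + entry.lstrip("."))
            if host.endswith(entry) and host != entry and not subdomain:
                flagged.append((host, entry))
    return flagged


# Constructed policy field and constructed server names.
ALLOWED = parse_allow_list("acme.com, wiki.example.net")
LOGGED = ["test.acme.com", "acme.com", "notacme.com", "wiki.example.net"]

if __name__ == "__main__":
    for url in ("http://test.acme.com/", "http://info", "http://10.1.2.3/",
                "http://203.0.113.10/", "https://www.example.org/"):
        print(url, route(url, ALLOWED))
    print("review:", loose_matches(LOGGED, ALLOWED))
```

Whether the product applies the ends-with test at a label boundary is not stated in this guide, so treat any host that `loose_matches` reports as something to confirm on a test device.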
Usability
Users may ask why they have to enter their domain credentials so
often to access Intranet sites.
• Good does not cache authentication credentials.
• If a Good Client session has expired or terminated, the user will
need to authenticate the session again.
• Your remote application/server may also have a timeout value.
User Agents
Android
ROM2.3 (Nexus one)
User-agent header: Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
ROM2.2 (Motorola Droid2)
User-agent header: Mozilla/5.0 (Linux; U; Android 2.2; en-us; MotoA953 Build/MILS2_U6_2.4.18) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
iOS iPhone
User-agent header: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176
iOS iPad
User-agent header: Mozilla/5.0 (iPad; U; CPU OS 4_3_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8G4
iOS/Android Secure Browser Feature Comparison
Supported OS
versions
Mail server support
HTTP basic
authentication
HTTP digest
authentication
NTLMv2
NTLMv2 session
Kerberos
HTTP 1.1 protocol
HTTPS and SSL
Encryption of cache,
bookmarks, history,
and downloaded
files
Remote wipe of
cache, bookmarks,
history, and
downloaded files
End to end
encryption of data
using AES 192 bit
encryption
Bookmarks
Homepage
History
Full screen mode
iOS
iOS 4+
Exchange and
Domino
Yes
Android
Android OS
2.2(Froyo), and
2.3(Gingerbread)
Exchange and
Domino
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
HTML5 support
AJAX support
Multiple windows/
Pop-up window
support
Proxy support
Client certificate
support
Flash support
iOS
Android
Most of the HTML5
elements and
javascript are
supported, except
for embedded video
and storage APIs
Yes, however
Yes
synchronous AJAX
requires using iOS 5.
No
No
Yes
No
No
No
No
No
Troubleshooting: Activation
If the secure-browser icon is not displayed on the user’s device:
• Is GMA enabled on the Settings page in Good Mobile Control?
• Is GMA Policy Enabled and added to this handheld?
• Have you waited for the Policy Update Delay to expire?
• Try completely exiting Good Client (kill the background task) and
launching again.
• Restart Good Mobile Messaging and Good Mobile Control
Services.
Troubleshooting: Access
If a user attempts to navigate to a domain that you have allowed, but
receives a “Failed hosts identification” message, use the browser to
navigate to
debug://listfailedhosts
Check the domain names that are causing the problem. Confirm that
you have allowed them in the policy. These may include, for
example, embedded Internet sites that are referenced on your
Intranet pages.
If a domain is properly listed in the policy but causing access
problems, confirm the following:
• Can Good Messaging Server connect to the requested host?
• Can Good Messaging Server resolve the host name to an IP
address through DNS lookup?
• Can Good Messaging Server connect to the resolved IP address
and requested port number?
The device screen should be kept on during secure browsing. The
user may encounter an error if the device goes to sleep during
browsing.
Using a Proxy with GMA Secure Browser (iOS only)
You can use an HTTP and/or HTTPS proxy with Secure Browser.
(Requires the Good for Enterprise iOS Client version 1.9.8 or higher.)
• HTTP proxy is used to connect to HTTP sites (non-SSL sites). The
browser requests the page from the proxy by passing a full URL to
it; the proxy checks the URL and fetches the page or sends it from
its cache to the browser. The HTTP proxy will know the URL and
content of pages flowing back and forth between browser and website.
• HTTPS proxy is used to connect to HTTPS sites (SSL sites), setting
up end-to-end SSL connections. In this case, the browser will first
set up an HTTP tunnel connection to the end website through the
proxy server and then perform the SSL negotiation over the HTTP
tunnel connection.
If an HTTP URL is entered, Secure Browser will use the HTTP proxy;
if an HTTP proxy entry is not set, Secure Browser will try to connect
without a proxy. If an HTTPS URL is entered, Secure Browser will use
the proxy from the HTTPS proxy entry; if an HTTPS proxy entry is
not set, Secure Browser will try to connect directly without using a
proxy.
One HTTP proxy server and one HTTPS proxy server are supported
in this release. Multiple proxy servers using Proxy Auto
Configuration (PAC) files are not supported.
Bypass Rules
You can enter exceptions on the Settings > Secure Browser page for
particular hosts of URLs.
URLs entered in the device’s secure browser for pages on these hosts
are not sent through the proxy. Enter the excepted hosts, separated by
commas, using any of the following:
• Host names or fully qualified host names. Examples: kb, hub,
hub.corp.good.com. Note: Host name and fully qualified host
name will not match with each other; enter both in the exceptions
list if the user might enter either in Secure Browser.
• Domain names with wild card. Examples: good.com, *.good.com,
.good.com. Formatting matches Firefox usage. The following
formats are supported:
- domain.com or *domain.com. Example: will exclude
http://test.domain.com, http://domain.com, and
http://test.mydomain.com
- .domain.com or *.domain.com. Example: will exclude
http://test.domain.com, but not http://domain.com or
http://test.mydomain.com.
• IP addresses. Example: 192.168.1.2. If the secure-browser user
enters a URL, Secure Browser will first try to resolve the IP
address of the host using the Good Mobile Messaging Server and
then match the IP address to the IP addresses in the exception list.
If either Secure Browser is not able to resolve the IP or the IP does
not match an IP in exception list, Secure Browser uses the proxy.
Good Messaging Server and Good Mobile Control Server
upgrades to this release are required.
• IP address groups. Example: 192.168.0.0/16.
• allhostswithnodomain – If this keyword is included in the proxy
bypass list, all URLs containing a non-fully qualified name (like
https://testhost, https://hub, instead of https://
testhost.good.com) will be excluded from proxy use.
If a host name is used instead of an IP address in the URL, Secure
Browser matches the host to the list of host names in the allowed list
of hosts sent from the Good Mobile Messaging Server. If the host is
present in the list, Secure Browser will process it; otherwise, the user
will be prompted to open the page in native browser. Note that the
host name in the exception list on the Settings page and the allowed
list on the GMA policy page must match exactly.
If proxies are present, Secure Browser handles host names as follows:
• Matches the host name to the proxy exception list
• If the host name is matched with an entry in the proxy exception
list, Secure Browser will try to connect without using the HTTP
proxy.
• If the host name is not matched with an entry in the proxy
exception list, but the exception list contains IP addresses, Secure
Browser will first request the Good Mobile Messaging Server to
resolve the IP address of the host name and then match it to the IP
addresses in the exception list. If the IP address cannot be resolved
or the received IP address does not match an entry in the
exception list, Secure Browser will use the HTTP proxy server.
If an IP address is used in the URL, Secure Browser decides whether
to process it or launch the native browser, using the following rules:
• If the IP address is a private IP, it is simply processed using Secure
Browser
• If the IP address is public, it is matched to the allowed host list set
in the Good Mobile Control Console (Plugin Policies > Good
Mobile Access (Secure Browser)); if found, it is processed with
Secure Browser; otherwise, the native browser is launched.
• The IP address is matched with the proxy exception list. If the IP
address is matched with an entry in the exception list, Secure
Browser will connect without using HTTP proxy; otherwise, it
will connect using the HTTP proxy.
Note: If a page host has more than one IP address, all such addresses
should be entered in the proxy exception list. Secure Browser only
matches the first IP address in a list of IPs sent from a host server to
the proxy exception list; entering all the host addresses assures that
the exception will be recognized.
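The host-name and IP-address rules above, written out as an added Python example (not Good's code) that an administrator can use to check which route a URL will take and to find multi-address hosts that the first-IP rule will miss. The sample lists, the dictionary standing in for name resolution by the Good Mobile Messaging Server, and the reading of "private IP" as the RFC 1918 ranges are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

KEYWORD = "allhostswithnodomain"
# Assumption: "private IP" means the RFC 1918 ranges; the guide does not define it.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (not from the guide).
EXCEPTIONS = ["192.168.0.0/16", "portal.corp.example", KEYWORD]
ALLOWED = ["portal.corp.example", "wiki.corp.example", "apps.corp.example",
           "mail.corp.example", "testhost", "203.0.113.10"]
# Stand-in for resolution by the Good Mobile Messaging Server.
DNS = {"wiki.corp.example": ["192.168.4.20"],
       "apps.corp.example": ["10.9.0.7", "192.168.4.30"]}


def to_ip(text):
    """Return an ip_address object, or None when text is a host name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_exceptions(entries):
    """Split the exception list into host names, IP networks and the keyword flag."""
    hosts, nets, nodomain = set(), [], False
    for raw in entries:
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == KEYWORD:
            nodomain = True
            continue
        try:
            # A single address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry)  # not an address or group: treat as a host name
    return hosts, nets, nodomain


def covered(ip, nets):
    """True when ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def decide(url, exceptions=EXCEPTIONS, allowed=ALLOWED, resolve=DNS.get):
    """Return (browser, route): 'secure' or 'native', then 'direct', 'proxy' or None."""
    hosts, nets, nodomain = parse_exceptions(exceptions)
    allowed_set = {a.lower() for a in allowed}
    host = (urlsplit(url).hostname or "").lower()
    ip = to_ip(host)

    if ip is not None:
        # IP in the URL: private addresses are processed; public ones must be allowed.
        if not covered(ip, RFC1918) and host not in allowed_set:
            return ("native", None)
        return ("secure", "direct" if covered(ip, nets) else "proxy")

    # Host name in the URL: it must match the allowed list exactly.
    if host not in allowed_set:
        return ("native", None)
    if host in hosts or (nodomain and "." not in host):
        return ("secure", "direct")
    if nets:
        answers = resolve(host) or []
        # Only the first resolved address is compared with the exception list.
        if answers and covered(ipaddress.ip_address(answers[0]), nets):
            return ("secure", "direct")
    return ("secure", "proxy")


def multi_ip_gaps(exceptions=EXCEPTIONS, dns=DNS):
    """Hosts with several addresses, some of which are missing from the exception list."""
    _, nets, _ = parse_exceptions(exceptions)
    gaps = {}
    for host, answers in dns.items():
        missing = [a for a in answers if not covered(ipaddress.ip_address(a), nets)]
        if len(answers) > 1 and missing and len(missing) < len(answers):
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    for sample in ("https://portal.corp.example/", "https://testhost/",
                   "https://apps.corp.example/", "https://198.51.100.7/"):
        print(sample, decide(sample))
    print("add to exception list:", multi_ip_gaps())
```

Any host reported by `multi_ip_gaps` has addresses that should be added to the exception list so that the bypass does not depend on the order of the resolved addresses.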
Authentication types supported for proxies
Secure Browser supports the following HTTP/HTTPS proxy
authentications:
• Basic
• Digest
• NTLMv2
Good recommends using NTLM, as Basic authentication involves
sending plain passwords to the proxy server. Anyone sniffing data
between Good Mobile Messaging Server and the HTTP proxy
server can discover such a password.
The authentication will be cached in the program memory of the
application and will not prompt the user for subsequent access
until the application is restarted. Every time the application is
restarted (after being killed manually or by OS) the user will be
prompted for credentials when accessing the proxy.
Creating a Third-Party Applications List
Some policy settings can be applied according to your selections from
a third-party application list (refer to “File Handling” on page 150),
which you create.
To create the third-party applications lists:
1. On the Settings tab, click on the “Third-Party Applications” link.
2. Click Add.
3. Choose a supported device platform and add the application’s
product ID or package name. This is the internal identifier that the
device's OS knows the application by.
For iOS devices, the Application ID can be found by using iPCU. If
the iOS 4 MDM feature is enabled, it can also be seen for a specific
device in the Handheld Info/Installed Applications App ID
column.
For Android devices, use an application such as Application
Manager to view the package name.
4. Enter an application name and description.
5. Click Save.
Completing Policy Configuration
As you finish editing a page and click Save, your changes are applied
to the user to which the policy is applied.
Applying the settings may take some time.
Policy changes will be applied OTA.
Managing Wireless Software Deployment
You can update the Good Messaging software package and software
policies wirelessly for all handhelds using a particular policy.
This section describes how to:
• Specify which applications are enabled/disabled for wireless
setup and upgrades (enabling new versions of applications and
disabling old versions)
• Change the software-installation reminder schedule for
handhelds being set up or updated
• Change which applications must be installed by users upon
handheld setup or update (mandatory install)
• Specify which handheld families can be set up using OTA
• Set up installation from a Good Messaging software package on
the handheld itself, or on a storage card
• Enable/disable Certificate Revocation List (CRL) use during
software installation or upgrade
• Generate new user PINs using the Handheld Info page from the
Handhelds tab
• Customize the initial email message for setup that is sent to the
user using the Settings tab
• Add custom applications to the software package using the
Settings tab
• For iOS5 devices, push third-party applications to the device and
manage application install/uninstall
Note: The tasks described in this section apply to the applications
present in the Good Mobile Management software package. To set
policies that permit, require, or prohibit other handheld applications,
databases, and folders on the handheld, refer to “Application
Policies” on page 154.
When setting up handhelds, Good Messaging applications cannot be
added to or deleted from the package, but the default settings can be
changed. Custom downloads are accomplished OTA after Good
Messaging is operational on the handheld. Good Messaging client
application updates are posted by Good to your GMC Servers
automatically. You can enable/disable custom applications as
necessary.
Changes to the default software package take effect immediately.
However, downloads to handhelds affected by the change will occur
during off-hours. A user can override this download schedule using
Good Messaging Preferences > Applications on the handheld. To
check a handheld’s status with regard to downloads, refer to
“Software Link” on page 241.
Managing Software Policies
To update Good Mobile applications and/or change software policies
on all handhelds using a particular policy, use the following
procedure:
1. On the Policies tab, click on the policy set to be edited.
2. In the left panel for the policy set, click on the Application
Management link under Application Policies.
An Application Management screen for the policy set is
displayed.
Applications in the software package are divided into the
following categories:
• Good Software - Developed and distributed by Good
Technology
• Enterprise Applications - Applications that customers own or
license from others.
(This release does not include support for distribution of partner
applications.)
Applications in the first category are included with the product
and cannot be deleted from the package by the customer. They are
added, removed, or updated on your Console remotely by Good
Technology. You can add and delete Custom applications, as
described in “Custom Applications: Adding to and Deleting from
the Software Package” on page 219.
Explanations of the status of applications for a particular
handheld are provided in “Software Link” on page 241.
3. Click the Check for Updates button to synchronize your Mobile
Messaging Server with the latest software available from Good
Technology. The software catalog displayed on the Application
Management page will be updated. The Server services will not
need to be restarted.
4. To display and edit the default settings for software deployment,
click the Default Deployment Options button.
The defaults as shipped are shown in the figure. Click the
appropriate check boxes to force software installation. Use the
pull-downs to set the number and frequency of reminders to the
handheld user to complete the download process.
Reminders are pop-up dialogs that appear periodically (according
to your specifications) on the handheld.
“Mandatory” software is downloaded in the handheld
background (during off hours for global changes, staggered from
8 P.M. to 2 A.M. for more than 5 users) without previous
notification to the user. If the user declines to install the software
when reminded, the installation is forced after the specified
number of reminders is completed.
The default for reminders is once a day for three days. The default
for mandatory installation is Good Technology applications.
5. After selecting the options in the Set Deployment Options dialog
box, click OK.
6. To change the software download options for Good for Enterprise
for a particular handheld platform, click its Edit link in the right
panel.
7. In the window that opens, choose the version to install from the
dropdown, or click “Do not install on this platform” to prevent
downloading of Good applications to the device type/operating
system.
Note: In the case of the iOS and Android platforms, application
software is available via App Store and Android Market.
8. To force installation of the Good software and/or to change the
number of reminders and reminder frequency for that installation,
check the “Override default options” check box. Use the
“Mandatory installation” check box and pulldowns to configure
the changes from the default. At least one reminder is required.
9. To enable Good Messaging setup on the handheld via a Good
Messaging client package installed previously on a storage card or
on the handheld itself, rather than via Over The Air setup, change
the setting in the “Install From” dropdown.
Client packages for this use are available at
http://www.good.com/download.
If this local setup policy is enabled but the requisite Good
software is not found on the handheld or a storage card during the
setup process, the regular OTA setup process will be followed.
10. Click Show Details to display details about the application.
11. Click OK to close the modification window.
The changes you made take effect after you click Save in the
Application Management window.
Handheld users are notified of changes to the package, with
instructions on how to download and install updated applications
wirelessly on the handhelds. Any software policy changes are
employed.
Applications that have been deleted from the software package by
Good Technology are not deleted from the handheld if they have
been previously installed.
Restricting Handheld Platform OTA Setup
You can allow OTA setup for all handheld platforms that use a
particular policy, or you can specify those specific platforms for
which OTA setup is allowed. (Windows Mobile, Palm, Symbian)
To configure this feature:
1. On the Policies page, click on the policy set to be edited.
2. In the left panel for the policy set, click on the Application
Management link under Application Policies.
3. To disallow Good for Enterprise download for a particular
handheld platform, click its Edit link.
4. Click the “Do not install on this platform” radio button.
5. Click OK to exit the window.
6. Click Save to close the Application Management page and cause
your changes to be implemented.
Generating New User PINs
To set up a handheld for the first time wirelessly, users require a PIN
created by Good Messaging and provided to the users via email. You
can set a policy to cause this PIN to expire if it is not used within a
period of time that you specify, and to prevent reuse of the PIN once a
handheld has been set up successfully. Refer to “Provisioning” on
page 148 for details.
To generate a new PIN for a user:
1. In the GMC Console list of users on the Handhelds tab, select the
users for whom new PINs are to be created.
2. From the Apply Action drop-down menu, select Regenerate
Provisioning PIN. (An individual PIN can also be regenerated
from the OTA link on the handheld’s information page.)
If the menu item is grayed out for a user, the user logged into the
GMC Console does not have the “Add User for OTA Setup” or
“View User OTA Setup PIN” role rights.
3. Click OK when prompted.
The new PINs are generated.
Customizing the OTA Setup Email Message
You can edit the default OTA Setup email message that is sent to
users, and create additional messages to be used with different users.
The default message provides information about the wireless setup
process, together with the PIN to be used when downloading the
software and the URL of the download site. The template to be used
is specified by the policy set that a handheld uses.
To view the name of the template used to send the current welcome
email message specified by a particular policy set, go to the
Provisioning link for the policy set.
To edit this message and/or create new messages to be listed in the
template dropdown:
1. Click the Settings tab in the GMC Console.
2. Click the OTA Provisioning link in the left panel.
3. To create a new template based on an existing one, click the “Make
a copy” link in the OTA Settings page. To edit an existing
template, click the name of an existing message.
4. Change the name and description of the message as desired.
5. Change the subject line and change or add an optional attachment
for the message as desired. There is a limit of one attachment,
maximum size 1MB.
6. Click Edit to change the body of the message.
7. Click Save to save the message.
If you delete an existing template, any user to receive that message
will now receive the default message; that is, any policy sets using
the template will now use the default template. The default message
can be renamed but not deleted.
Custom Applications: Adding to and Deleting from the Software Package
To add and delete custom applications to or from the software
package for a policy set, first ensure that the applications are
available in the Console applications catalog by using the Custom
Software page on the Settings tab to check the list of available
applications for this Console.
Use the instructions in this section to add or delete applications to the
list (catalog) on the Custom Software page on the Settings tab. Then
you can add and delete custom applications to or from the software
package for a policy set on the Application Management page.
Note that if you specify iOS applications by URL, as described below,
you can easily distribute to users direct links to apps in Intranet sites
and the App Store.
To add or delete custom applications from the software package:
1. First, ensure that the desired application is listed in the catalog, or
add it to the catalog. To do so, click the Custom Software link on
the Settings tab.
2. To add a custom application to the package, click the Add button.
3. Choose the handheld platform for the application from the dropdown.
4. Enter the application path and filename or use the Browse button
to navigate to it and select it. (For iOS files, .ipa/.mobileprovision.)
For iOS files, there is a radio button providing you with the option
of specifying a URL rather than a path and filename for an
application.
5. Click Continue.
For iOS URL entries:
6. Enter values for the Name, Version, and Description fields and
then click the Finish button.
The application is added to the package. By default it is disabled.
Restrictions on the custom software:
• Name: 50 characters
• Version: 21 characters
• Description: 256 characters
• Name, Version, and Description fields cannot be empty
• Field properties cannot be changed after upload
• Zero-length files cannot be uploaded
• Single stand-alone applications only can be uploaded
• If the file is greater than 5MB in size, a warning is displayed
but the upload proceeds. You can upload 1,000 files or up to a
total of 150MB of files, whichever comes first. To add more,
you must remove some of the existing files, to get below both
of these limits.
• Android files will be .apk.
• iOS4 applications are uploadable in .ipa form.
• Note: Most Windows Smartphone handhelds have code-signing
requirements. Applications that are not signed by
Mobile2Market (or by proprietary carrier certificates) may not
install properly.
For URLs:
Enter application information such as manufacturer, application
ID, version, size, and default icon. You’ll find this information for
iOS apps, for example, at the App Store. (For iOS apps, you’ll get
the application ID from your iTunes account.)
Once you click Finish, the URL link and the information you have
entered will be validated. If your network does not allow the
server to connect to the URL, you’ll get an error message.
7. If you later want to delete a custom application from the list, click
the check box next to the application and click the Delete button.
Multiple selections are supported.
If the operation is not supported for a particular handheld
platform, no applications will be displayed.
8. To manage a custom application using a specific policy set, now
add the custom application to the policy set.
a. On the Policies/Application Policies/Application Management
screen, under Enterprise Applications click Add Application.
Choose an OS Platform from the dropdown.
Choose the desired application from the list (which reflects the
custom applications added using Settings/Custom Software).
For supported, “managed,” applications, select the Set as Managed check box to allow installation/uninstallation of the
application on all or individual devices from the Console.
Select “Disable syncing to iTunes/iCloud” and/or “Auto-uninstall if MDM removed” to enable these automatic device-management policy functions.
Click Continue when done.
9. To enable the application for a policy set, click the check box next
to it.
10. To remove the application from the software package later, click
the check box next to it and click the Remove button.
For supported (iOS5), managed applications, you are given the
option of either just removing the application from the package, or
removing it from the package and deleting it from all affected
handhelds. To remove the application from the package and from
selected handhelds only, choose to remove it only from the
package here and then uninstall it from each handheld using the
Actions Uninstall link in Applications for the handheld on the
Handhelds tab. Note that the application does not ever appear in
the user’s application catalog.
All handheld users for the affected Good Mobile Messaging Servers
are notified when additions to the package are enabled using the
Application Management option, with instructions on how to
download and install the applications wirelessly on their handhelds.
To view information about the new software, click the name of the
application in the Custom Software list on the Settings tab. For
example, the following information is displayed for an application
named “Call Tracker”.
Deleted applications are not deleted from handhelds that already
have them installed.
“Managed” Applications
Some platforms (iOS5 in this release) provide the following added
management features for third-party applications. You can enable/
disable them when adding an application to the package and later on
the Policies/Application Management page.
• Install/uninstall
For supported applications, you are given the option of removing
the application from the software package, or removing it from
the package and deleting it from all affected handhelds. To
remove the application from the package and from selected
handhelds only, choose to remove it only from the package using
Policies/Application Management/Remove, and then uninstall it
from each desired handheld using Handhelds/Applications/
Actions/Uninstall.
• Automatic uninstall if MDM profile is removed from the device.
Use the check box provided to enable/disable (enabled by
default).
• Disable syncing to iTunes/iCloud. Use the check box provided to
enable/disable (enabled by default).
Resetting a Password Remotely (iOS, Android)
Good for Enterprise allows you to remove a device password from
the Console. The device user is then prompted to enter a new
password within a specified amount of time. You’ll need to do this if
you have locked a user out of his/her handheld (“Locking Out a
User” on page 229) or if a user forgets his/her password.
To reset a device password, select the device on the Handhelds page,
click the Security link in the right-hand panel, and click the Reset
Password button. Click OK when prompted. The device password is
removed and the user is prompted to enter a new one. For the Reset
Password button to be active, the option must be enabled on the iOS
Configuration General page (“iOS configuration” on page 175) or the
Android Configuration General page (“Android Configuration” on
page 191).
Providing a Temporary Unlock Password
Good Messaging allows you to generate a temporary unlock
password remotely for a user. The password can be used once, with
no time limit. You’ll need to do this if you have locked a user out of
his/her handheld (“Enabling/Disabling Data Roaming” on
page 228) or if a user forgets his/her password.
Note: A temporary unlock password is not supported on Nokia
5.1.0.37 clients.
To generate a temporary unlock password:
1. Obtain the Good Defense ID for the handheld. To do so, have the
user click the button marked Use Temporary Password on his or
her main Good Messaging lockout screen. The ID will be
displayed.
2. In the GMC Console, click the name of the handheld listed on the
Handhelds tab.
3. Click the Security link in the left pane.
4. Click the Reset Password button.
5. Enter the ID Number generated by the user handheld in the text
box.
6. Click OK.
The generated temporary password is displayed.
7. Give the user the password. Note that it is not case-sensitive.
If the user later needs another password, repeat the procedure, since
the password can be used only once.
Enabling/Disabling Data Roaming
You can enable or disable data roaming for supported handhelds. To
do so for multiple handhelds, select the action from the Apply Action
drop-down menu on the Handhelds page. To do so for a specific
handheld, navigate to its Handheld Info page and from the
information list on the page, use the enable/disable drop-down
menu for data roaming.
Suspending Handheld Messaging
You can use the GMC Console to suspend all synchronization on a
handheld.
This feature requires Superuser rights.
To suspend messaging on a handheld:
1. In the GMC Console, click the Handhelds tab.
2. Click the name of the handheld listed on the Handhelds page.
3. Click the Messaging link in the left pane.
4. Click the Suspend button and then click OK to confirm.
The button is visible only if you are logged on as Superuser. The
button is grayed-out if the handheld is not set up with the Good
Client.
To cause synchronization to resume, click the Resume button and
then click OK to confirm.
Suspended handhelds continue to synchronize policy changes and
can be wiped and otherwise managed as usual.
Locking Out a User
From the Good Mobile Console, you can lock the Good application
on a user’s device or lock the entire device. (Locking the Good
application is not supported for all clients in this release. If not
supported, the option will be grayed out or absent for the device.)
For iOS and Android, the option to lock the entire device must be
enabled using the iOS or Android configuration locking policy
option (“iOS configuration” on page 175 and “Android
Configuration” on page 191).
To lock the Good application or entire device:
1. In the Good Mobile Control Console, click the Handhelds tab.
2. Click the name of the handheld listed on the Handhelds page.
3. Click the Security link in the left pane.
4. Click the desired button.
A warning dialog informs you that this command sends a request
over the air to lock out the user.
To unlock the Good application, you will need the ID from the
handheld’s lock screen to generate a temporary password. The user
must enter this password in the lock screen. Refer to “Providing a
Temporary Unlock Password” on page 227.
The iOS or Android user can unlock the entire device by entering the
current device password.
Erasing Handheld Data
You can erase all Good data or all data from a device, using the Good
Mobile Control Console. Erasing all data hard-resets the device,
removing all data and returning the device to its factory defaults.
Erasing Good data removes all email, contacts, and calendar data.
To be used again, the handheld must be set up wirelessly as
described in “Setting Up the Handheld” on page 109.
If the “Enable access to Good Contacts” policy is enabled and Good
contacts have been added to a handheld's native contacts, these
contacts will be deleted.
Note: To erase the entire iOS or Android device remotely, the option
to do so must be enabled in the iOS or Android Configuration
portion of the policy set applied to the device. Refer to the General
section of either “iOS configuration” on page 175 or “Android
Configuration” on page 191. If only the Good application is erased, it
is left in place, but cannot be accessed again without a reinstallation
of Good for Enterprise on the handheld. You cannot set it up again
simply by regenerating a PIN; you must rename and set up the
device again from the beginning.
For Windows Mobile devices, the entire device is wiped, including
any SD card present, if that policy option is enabled.
To erase the Good data or all data on a handheld wirelessly:
1. In the GMC Console, click the Handhelds tab.
2. Click the name of the handheld listed on the Handhelds page.
3. Click the Security link in the left pane.
4. Click the Erase Data button for Good data or the entire device.
5. Click OK to confirm you want to erase the handheld.
To erase (wipe) multiple handhelds:
1. In the Good Mobile Control Console, click the Handhelds tab.
2. Click the check box by those handhelds listed on the Handhelds
page that are to be wiped.
3. Click the Apply Action drop-down menu.
4. Select the wipe option (or the desired wipe option, when more
than one option is present).
If the corresponding policy is set for iOS and/or Android, you’ll
have the choice of wiping the entire device or just its Enterprise
data. If you select multiple devices and some of them only support
wiping of the entire device while others only support wiping the
Good data, both options will be grayed out. If you select multiple
devices and some support both options while others support only
one of the two options, only that option will be available.
5. Click OK to confirm you want to wipe the handheld.
For Good data erasure, an alert such as the following is displayed:
"This command sends a request over the air to erase the handheld.
The user will have to download Good Software again and
reprovision."
The following rules apply:
• The device and its radio must be turned on and in network
coverage to be completely erased. For Android devices, Good for
Enterprise must also be running in the foreground or background;
this is not necessary for iOS devices.
• For only the Good app to be wiped, it must be running in the
foreground for iOS or Android, or in the background for Android.
• If a wipe command is issued when the device is turned off or is
out of coverage, the command will wait for the device to be
turned on and to be in network coverage, and will then be sent to
the device.
• If there is a device password, it need not be entered for an iOS
device to be completely erased. It need not be entered for an
Android device to be erased only if Good is already running on
the device (behind an idle device lock screen).
• If a password is set on the Good app and the app is not running in
the background, the password must be entered before the Good
app is wiped.
• The Erase message is carried out by the handheld in the order
received (that is, messages sent to the handheld before the Erase
message are received by the handheld first).
When the erase operation is completed successfully, an audit
message is written to the Windows Event Viewer Application log.
Note: Confirm the erasure in the Good Mobile Control Console’s
Erase State field for the handheld. Display this via the Security link
on the handheld’s page, on the Handhelds tab.
Note: If the user is unavailable via Domino, if the user is paused on
the Domino server, or if the user is suspended on the Good for
Enterprise Console, the remote wipe will not reach the device until
the mailbox is available. In the case of lost and stolen devices, wipe
the device before taking any other action. Confirm the erasure as
noted above.
Enabling FIPS Testing
The client-side device cryptographic modules for Good for Enterprise
run in a mode that conforms to the FIPS 140-2 Level 1 standard. You
can set a policy to enable the handheld to run a suite of FIPS tests
each time that Good Messaging starts up. Default is Disabled.
To enable FIPS testing:
1. In the GMC Console, click the Handhelds tab.
2. Click the name of the handheld listed on the Handhelds page.
3. Click the Handheld Info link in the left pane.
4. Click the Enable FIPS Tests button.
With the policy in effect, the handheld will run a suite of tests
relating to FIPS when Good Messaging starts up. If a test fails,
Good will not run. If the policy takes effect while Good Messaging
is already running, and the testing fails, Good Messaging will stop
running.
Removing a Handheld from Good Mobile Messaging Server
“Removing a user from Good” is equivalent to removing all the
user’s handhelds from Good using the Good Mobile Control
Console.
Removing a handheld from Good automatically clears the user’s
Good data from the handheld. You are advised of this when you
delete the handheld.
You would remove a handheld from Good Mobile Messaging Server
and then add it again when an owner’s email address changes.
To remove a handheld from Good Mobile Messaging Server:
1. In GMC Console, click the Handhelds tab.
2. Select the user(s) to be deleted and select “Delete handheld(s)”
from the Apply Action dropdown menu.
You will be warned that the handheld will be disabled and
removed from the network, and that it will no longer be able to
send or receive messages.
3. Click OK to remove the handheld.
To remove more than one user at a time, click the check boxes by
multiple users before selecting “Delete handheld(s).” You will be
prompted once to confirm the multiple deletions.
Important: You must remove a user from Good Mobile Messaging
Server using GMC Console before the user is disabled, expired, or
removed from Active Directory and/or the Global Address List. If a
user is not removed from GMC Console and the user’s mail file still
exists, messages can still be sent to and from the handheld.
If a user is deleted from the Domino directory, the Good Messaging
directory cache is refreshed automatically (provided the replication
connection document is set up correctly between the Domino server
on which Good Messaging runs and any main/HUB server), and the
users will be automatically deleted from the Good Messaging system.
Transferring a Handheld to a New User
To transfer a handheld to a new user:
• Retrieve the handheld from the former user.
• Clear the handheld as described in “Enabling/Disabling Data
Roaming” on page 228.
• Remove the handheld from Good Mobile Messaging Server, as
described in “Enabling FIPS Testing” on page 232.
For the new user:
• Prepare the handheld as described in “Preparing New
Handhelds” on page 105.
Viewing and Using Handheld Information
Use the Handhelds tab on the console to display a list of handhelds
and their owners, as well as detailed information about each
handheld. Information available includes handheld connection status
to the Good Mobile Messaging Server.
Note: Some information is not available on all clients.
Note: To display an iOS device’s Alternate Identifier (its IMEI or
hardware model) in the Console, you must enable the iOS
configuration profile on the device, with the profile installed.
To view and use handheld information:
1. In the GMC Console, click the Handhelds tab.
The Handhelds page displays information such as the name of
each device, the email account associated with it, its phone
number, status, platform, device model, the policy set currently
applied to it, its Good Mobile Messaging Server, its current Client
version, S/MIME status, and so on (the columns are configurable).
The second (untitled) column provides compliance indicators. A
blank field indicates current device compliance with respect to its
currently configured policy settings. An exclamation point
indicates that the device is out of compliance with these policies.
A question mark indicates that the device is not set up and sync’d,
or that the device (e.g., Windows Mobile) is not supported for this
feature, or that the device is running an earlier, unsupported
Client (less than 1.7.3 for Android; less than 1.9.3 for iOS). For
more information on compliance issues with the device, click on
the device and check the list of reports for it in the left pane on the
device’s Handheld Details page.
2. Use the left panel of filters to display subsets of the complete list,
according to Good Messaging Server, compliance, device
platform, carrier, and department.
3. Click the name of the handheld listed on the Handhelds page.
4. Click the various links in the left pane to display handheld
information and to run diagnostic tests and configure logging. For
more information, see the following sections.
Note that the link for a compliance report is displayed only if a
supported device has failed one or more compliance tests.
You can also use the Good Monitoring Portal to help monitor and
manage the handhelds (“Enabling Detailed Logging for Handhelds”
on page 238 and “Using the Good Online License Portal” on
page 252).
Use the Home tab to display a report on currently paused handhelds
(“Inactive Handhelds” on page 252).
Handheld Info Link
The Handheld Info link in the left panel for a handheld displays a
great variety of information, including but not limited to the
following:
• Name - User’s Active Directory display name
• Email - User’s email address for the account sync’d to this
handheld
• Serial number - Handheld’s serial number
• Department - User’s Active Directory department
• Directory status - Current Active Directory status
• Status - Current handheld status (blank (active) or “Inactive”). The
amount of inactivity that qualifies the device for an Inactive
setting is specified on the Policy Settings page in the Settings tab.
• Status Message - Never provisioned, Running, Disabled, Failed,
Client disconnect, Console disconnect, User not enabled, Failed to
recover, Out of sync
• Policy Set - Policy set assigned to handheld
• Policy Status - “Enabled Applications Status” on page 241 and
“Enabled Applications Status Details” on page 242.
• Firmware version
• Handheld OS
• Handheld OS version
• Handheld OS language
• Good Messaging Client Language
• Device type
• System Identifier - Unique GMC Server ID number for the
handheld
• ROM version
For supported devices with MDM enabled (“iOS configuration” on
page 175), lists of installed applications, certificates, and provisioning
profiles are included.
Click Refresh Data to update the handheld information (iOS MDM).
The Console sends a query to the handheld and retrieves data from it.
The button is grayed out if the handheld family is not supported, or if
the handheld is unavailable due to OS version or policy settings. If
the handheld is turned off or is out of its service area, the request will
persist until the handheld is able to respond.
To enable FIPS, refer to “Enabling FIPS Testing” on page 232.
Enabling Detailed Logging for Handhelds
Every handheld maintains logged data for use by your authorized
service representative. If you are asked to send this data to Good, use
the “Send Logs to Good” button on the Logging and Statistics page.
In some cases, your service representative may ask you to confirm
that detailed logging is enabled, for troubleshooting purposes.
Detailed logging is enabled by default for new handhelds.
To enable detailed logging, your account must have Superuser rights.
You can enable detailed logging for:
• Existing handhelds
• All newly added handhelds
To enable detailed logging for existing handhelds:
1. In the GMC Console, click the Handhelds tab.
2. On the Handhelds page, select the name of one or more
handhelds.
3. Select Enabled Detailed Logging from the Apply Action dropdown menu.
4. Click OK to confirm.
Note: You can also click the name of a handheld on the Handhelds
page, click the Enabled Detailed Logging button, and then click OK
to confirm.
To enable detailed logging for all newly added handhelds:
1. In the GMC Console, click the Settings tab.
2. In the Detailed Handheld Logging section, select “Automatically
enable detailed handheld logging (applies to newly added
handhelds only)”. This setting is enabled by default.
3. Click OK to confirm.
To send normal and detailed handheld logs to Good:
1. In the GMC Console, click the Handhelds tab.
2. Click the name of a handheld on the Handhelds page.
3. Click the Send Logs to Good button on the Handheld Info page.
4. Click OK in the dialog box that specifies the email address.
Security Link
The Security link in the left panel for a handheld displays the
following information:
• Erase state
Actions on the Security page:
• Lock Handheld - Refer to “Locking Out a User” on page 229.
• Erase Data - Refer to “Erasing Handheld Data” on page 230.
• Create Unlock Password - Refer to “Providing a Temporary
Unlock Password” on page 227.
Network Status Link
The Network Status link in the left panel for a handheld displays the
following information:
• Network status - The state of the connection between Mobile
Messaging Server and the Network Operations Center (IN, OUT,
Connection error, Not queried, Not OK (IP address range check
failed), Unreachable)
• Pending messages - Messages waiting to be sent to the handheld
from the Good Mobile Messaging Server
• Network ID - Identifier for the current carrier for the handheld
service
• Network name - Identifier for the current carrier for the handheld
service
• Coverage - Color-coded status-bar graphs of the last 24 and 4
hours
• Last 24 Hours - Color-coded status bar
• Last 4 hours - Color-coded status bar
For more information, click the link at the bottom of the page to
access the Good Portal and its handheld information, described in
“Using the Good Monitoring Portal Dashboard” on page 249:
View coverage and pending message status in the
Good Monitoring Portal (GMP)
Software Link
The Software link in the left panel for a handheld displays the
following information for Windows Mobile, Symbian, and Palm
devices:
• Software policy from - The policy set currently assigned to the
handheld.
• Total products - Number of packages downloaded OTA
• Total size - Total size of software downloaded OTA
• Details for each downloaded package: product name, version,
platform, size, status, status detail, status time, message, low level
error
Enabled Applications Status
The status column in this view provides a general summary of the
state of the application policy at the present time for the user’s
handheld. Each status includes several possible states, with details
available by selecting the state and selecting Status Details in the
Application Management window. Following are possible values for
those states:
• Blank Status - The policy is in the process of being enabled and
will be committed when the OK button is selected.
• Not Applied - The policy has been set but has not been applied to
the user’s handheld because the user has not yet completed
provisioning of the Good Messaging software on the handheld or
has not yet upgraded to 4.0 or higher.
• In Progress - The policy has been received by the handheld and is
being processed by it.
• Waiting on User - The policy has been received by the handheld
but is waiting for the user to take some action (e.g., freeing up
memory or pressing Install).
• Success - The policy has been applied to the handheld.
• Failed - There was an error which prevented processing of the
policy by the handheld.
Enabled Applications Status Details
More detailed information about an application status is displayed in
the Status Detail column. Each general status summary can have
several different detailed statuses. Policy status is always timestamped with the change to the current state. Following are possible
detailed statuses, grouped by general status:
Not Applied
• User not connected - The user has not connected to the Good
Mobile Messaging Server by setting up a handheld with the Good
Messaging software.
• User has not upgraded GoodLink Software to 4.0 (or higher)
version - The user needs to upgrade his/her handheld to
GoodLink Software version 4.0 (or higher).
In Progress
• Pending notification to handheld - The policy is waiting for the
Good Mobile Messaging Server to process the policy and notify
the handheld.
• Notified handheld. Pending response from handheld. - Good
Mobile Messaging Server has notified the handheld of the policy
and is waiting for status update responses from the handheld.
• Download in progress - The handheld is currently downloading
the application from Good’s operation center.
• File verification in progress - The handheld is verifying the
integrity of the downloaded application.
• Install in progress - The handheld is currently installing the
application on the handheld.
• Scheduled for download - The policy is scheduled for download
by the handheld at a later time. Policies that are globally applied
have this status.
Waiting on User
• Waiting for user to download or accept policy - The policy has
been received by the handheld and the handheld is waiting for the
user to choose to download or accept the policy. Policies that are
Optional will have this state.
• Download deferred - The user has deferred the application
download.
• Waiting for user to install - The application has been downloaded
and is ready to be installed. The handheld is waiting for the user
to install the application.
• Install deferred - The application has been downloaded and is
ready to be installed. The user has deferred installation.
• Waiting for user to free memory - The user needs to free up
memory on the handheld for the policy to continue to be
processed.
Failed
• Codesign verification failure - A problem occurred during the
verification of the application that was signed by Good
Technology.
• Decryption failure - A problem occurred trying to decrypt the
downloaded application.
• Insufficient handheld disk space - The handheld does not have
enough space to process the application policy.
• Download failure - A problem occurred when attempting to
download the application from the Good Webstore.
• Install failure - A problem occurred when attempting to install
the downloaded application.
• Insufficient handheld memory - The handheld does not have
enough memory to process the application policy.
• User cancelled - The user cancelled the processing of the policy.
• File not found in Webstore - The policy being processed could
not be found on the Good Webstore.
• Webstore determined that this application policy is
incompatible for the user's handheld type - The Good Webstore
prevented the download of the application because the
application is incompatible with the user’s handheld type.
Applications Link
The Applications link lists the package name, version, size, type,
source, status, and, for “Managed” devices, actions (install, uninstall)
for every software package installed on the device. If the iOS device
is to be managed (take advantage of MDM policy settings), the device
must contain an enabled MDM profile (refer to “iOS configuration”
on page 175).
Click the Export button and choose an application such as Excel, to
export the information on-screen into a file.
For managed devices, click the install/uninstall link in the Actions
column to add or remove the custom software to or from the device.
OTA Link
The OTA page provides the following information:
• OTA state - Unknown, Enabled, Provisioning_Failed,
Provisioning_Denied, Provisioned, Erase_Data_Issued,
Erase_Data_Confirmed, Erase_Data_Error
• OTA PIN
• OTA PIN (12 key)
• OTA PIN state*
• OTA PIN expire time
• EMail - Email address for the handheld
• Last provisioned - Date and time
• OTA download URL - Source for application download
*For “OTA PIN state,” the following values are possible:
• Valid - PIN is valid and can be used.
• Expired - PIN has expired. IT must generate a new PIN for any
new OTA setup.
• Reuse exceeded - At least one OTA setup has taken place on the
handheld. The PIN cannot be reused until it has been regenerated.
(Applicable if the “Disallow PIN after first-time use” check box is
checked on the OTA PIN policy tab.)
• Expired and reuse exceeded - The PIN has expired. The PIN cannot
be reused until it has been regenerated.
Refer to “Provisioning” on page 148 for more on PIN expiration and
reuse.
Messaging Link
The Messaging page provides the following information:
• Service status - This field serves as a collective indicator for the
health or problems of the service details displayed at the bottom
of the page.
• Status message
• Paused
• Paused reason
• Suspend state
• Flow controlled
• Good Mobile Messaging Server
• Good Mobile Messaging Server version
• Good Mobile Messaging Server language
• Good Messaging handheld version
• Email server type
• Email server
• Email server version
• SMTP address
• Mailbox address (DN)
• Alias
• Email signature
• Enabled time
• Last key rotate time
Messaging Statistics
• Total messages sent to and received from the handheld by Good
Mobile Messaging Server (messages can be any type, including
control)
• Date of last messages sent to and received from the handheld by
Good Mobile Messaging Server (messages can be any type,
including control)
• Total Email, Calendar, Contacts (Address Book), Journal, and
ToDo messages sent to and received from the handheld by Good
Mobile Messaging Server (messages can be any type, including
control)
• Date of last Email, Calendar, Contacts (Address Book), Journal,
and ToDo messages sent to and received from the handheld by
Good Mobile Messaging Server (messages can be any type,
including control)
• Total filtered (blocked) email for the handheld
Note that all statistics are accumulated by the server.
Because messages can be sent in batches, and undisplayed messages
(e.g., “Mark Read”) and control messages between handheld and server
are included in the statistics, these totals are useful mostly to
determine general activity levels.
Click the Refresh button to update. Click Clear Stats to return all
cumulative values to zero or to default. Click Export to write the
statistics to a file.
Service Details
Connection State: For each handheld, there are two Good Mobile
Messaging Server connection states (“Connected” or “Not
Connected”) for each service type:
• Email
• Attachments (Email Attachments)
• Calendar
• Contacts
• Journal
• Admin
• ToDo
• GAL (Global Address List Lookup)
Connected - A user's Service Type will show as “Connected” if:
• The user is Good Messaging-enabled for this service type.
• The user is provisioned for this service type.
Not Connected - A user's service type will show as “Not Connected”
if:
• The user is not Good Messaging-enabled for this service type.
• The user is not set up for this service type.
For detailed information, go to http://www.good.com/faq/17222.html.
Flow Control Status: Flow Control is a process used by Good Mobile
Messaging Server to adjust data flow to the device, to ensure that the
device can handle the amount of incoming traffic. Flow Control may
be used when the device is not able to handle the incoming flow of
messages/data all at once, such as when a user is out of data
coverage or in slow or marginal coverage for a long time. If a user’s
status is “Yes” for Flow Controlled, the Good Mobile Messaging
Server is holding off outgoing traffic until the device has caught up.
All messages will then be delivered to the handheld.
Using the Good Monitoring Portal Dashboard
To quickly list and check the connection status of user handhelds, log
in to the Good Monitoring Portal at http://www.good.com/gmp.
When you log in, the Good Monitoring Portal (GMP) home page is
displayed.
If the Good Server you are interested in isn’t displayed in the
dashboard, refer to “Adding a Server to the Dashboard” on page 285.
The dashboard displays the number of users/handhelds currently
added to the Server. To display a list of the users, together with
information about their handhelds, click on the value displayed in
the Users column.
A user list with the following information for the user handheld is
displayed:
• Email address
• Handheld type
• Serial number
• Man/Phone number
• Network Carrier
• ROM Type
• Connection status - In Coverage, Idle Coverage, Marginal
Coverage, Out of Coverage
Search the list using the search bar at the top of the list. Sort the list by
clicking on the column headings. Export the list to a text file using the
Export Entire Dataset button at the bottom of the page.
Using the Good Online License Portal
Used in conjunction with the Good Monitoring Portal, the Good
License Portal allows you to quickly and effectively manage, track,
and monitor server licenses for Good software products and services.
Whenever you register for a Good server evaluation or purchase, you
receive an email with instructions on installing the server software
through the Good Portal. You can then use the Good License Portal to
monitor the status of your server licenses and also automatically
assign newly provisioned handhelds to a specific server license. In
those cases where particular data plans are required by a device
carrier, the License Portal will display which handhelds require such
plans.
Inactive Handhelds
Define “inactive” using the Policy page on the Settings tab.
If a handheld has been inactive for the time that you specify, an alert
will be displayed at the top of the device’s Handheld Info page on the
Handhelds tab. In addition, the handheld’s status will be displayed
as inactive in the Status column on the Handhelds tab.
Displaying a Paused Handhelds Report
To display a list of handhelds that have been paused with respect to
Good Mobile Messaging Server synchronization, click the “View
Paused Handhelds report” link on the Home tab.
Paused Reason: The Good Mobile Messaging Server can pause a
handheld for a variety of reasons. This is normally a temporary
condition that arises when the Server is having trouble
communicating with the handheld user's mail file. When a handheld
is Paused, it will not receive incoming data. Pause intervals can be
anywhere from 5 to 60 minutes depending upon the situation. After
the first Pause interval, the Good Mobile Messaging Server will reattempt communication. If the situation persists, it will pause the
handheld for another 5 to 60 minutes, and continue the pauses until
the situation is resolved. Then the handheld's incoming data should
flow with no messages lost. For detailed information on the reason
for the pause, go to http://www.good.com/faq/17221.html.
To export the report to a csv file, select “Export Paused Handhelds
Report” from the Import/Export dropdown on the Handhelds tab.
Running Handheld Diagnostics
When a Good Messaging user/handheld is added, Good Mobile
Control Server tests access to the user’s mailbox by simulating Good
Mobile Messaging Server actions. However, your environment may
have changed since that user was added. You can run these tests
again by doing the following:
1. On the Good Mobile Control Console Handhelds tab, select the
user/handheld to be tested.
2. Select Run Mailbox Diagnostics from the Apply Action dropdown
menu.
3. Click OK to start the mailbox diagnostics.
The user mailbox is opened to check if Good for Enterprise can access
the user’s mail database and has proper ACL permissions.
Any failure returns an error dialog on the Console. If the test
succeeds, a message is displayed:
Mailbox diagnostics passed for selected user(s)
Exporting Handheld Statistics to a File
You can generate a file containing all of the handheld statistics of all
of the users listed in the GMC Console.
To generate the file:
1. From the “Select Import/Export Action” dropdown menu in the
Handhelds tab in the GMC Console, select “Export Statistics.”
A csv file will be generated containing a list with the following
header, followed by data in order for all users (whether displayed
in a filtered list or not). You’ll be prompted for file name and
location if your browser is configured to do so.
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server,PolicySet,DN,Good Mobile Access,PolicySet GUID,GMM Server GUID,GMI Server GUID,Handheld GUID,Good Messaging Client Version,Last message received,Last message sent,Email messages sent,Email messages received,Last email message received,Last email message sent,Filtered email,Calendar messages sent,Calendar messages received,Last Calendar message received,Last Calendar message sent,Address Book messages sent,Address Book messages received,Last Address Book message received,Last Address Book message sent,Note messages sent,Note messages received,Last Note message received,Last Note message sent,Task messages sent,Task messages received,Last Task message received,Last Task message sent,Messages sent,Messages received,Handheld Policy State,Exchange Server,Exchange Server Version,Good Mobile Messaging Server Version,Handheld OS Version,Handheld ROM Version,Network Name,Firmware Version,Good Messaging Enabled Time,Good Messaging Provisioned Time,Provisioning state,OTA PIN State,OTA PIN Expire Time,Compliance Rule Error,Compliance Rule ErrorMsg,Good Messaging Client Language,Handheld OS Language,Department,Handheld Logging
You can use this file later if necessary to import users.
You can also export handheld user information to a file in CSV format
using the command-line utility gmexportstats, installed with
Good Messaging, for backup and audit use. You can use Windows
Scheduler to run the utility on an automated basis. You can export the
following information:
• User list
• User statistics
• User software policy settings and status
Note that ROM version is exported as a number. For more
information on the ROM and handheld, refer to Supported Devices
in the Good Monitoring Portal (“Enabling Detailed Logging for
Handhelds” on page 238).
To export user information to a file from the command line, refer to
“gmexportstats” on page 330.
Generating (Exporting) a List of Users
You can generate a file containing a list of all the handheld users in
the Domino site, together with their handheld serial numbers and the
name of the Good Mobile Messaging Server to which each handheld
has been added.
You can use this file with the Import command to add users to a
Good Mobile Messaging Server later. The file is also Excel-friendly.
To generate the file:
1. From the “Select Import/Export Action” dropdown menu in the
Handhelds tab in the GMC Console, select “Export Handhelds to
File.”
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server, PolicySet,DN,Good Mobile Access, PolicySet GUID,GMM Server GUID,GMI Server GUID, Handheld GUID
Display Name is the display name of the handheld user. If the
display name has a comma in it, the name will be enclosed in
quotation marks. If no display name is defined, the comma alone
is included in the line.
Alias Name is the mailbox name (alias) of the handheld user.
Serial No is the electronic serial number of the handheld.
Server Name is the name of the Good Mobile Messaging Server that
is to manage synchronization for the user/handheld.
Handheld ID is a value filled in during the setup process and used
by the Network Operations Center.
Network ID is a value filled in during the setup process and used
by the Network Operations Center.
Phone is the handheld’s phone number.
Handheld Type is Treo, PPC.
DN - Domino distinguished name.
You can add a # to the beginning of a line to enter a comment line.
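The following is an added example, not code from the guide or from Good. It parses the “Export Handhelds to File” format described above (quoted display names, empty display names, # comment lines) and lists handhelds still registered for accounts that have been disabled or removed from the directory, which is the situation the earlier Important note says leaves a handheld able to send and receive mail. The function names, the sample rows, the list of departed accounts, and the case-insensitive DN comparison are assumptions of this example.

```python
import csv

# Columns this example relies on; the names come from the header shown in the guide.
REQUIRED_COLUMNS = ("Display Name", "Alias Name", "Serial No", "Server Name", "DN")

# Constructed sample export (not real data). The header keeps the spaces after
# some commas as printed in the guide. The rows cover a quoted display name that
# contains a comma, an empty display name, and a '#' comment line.
SAMPLE_EXPORT = '''\
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server, PolicySet,DN,Good Mobile Access, PolicySet GUID,GMM Server GUID,GMI Server GUID, Handheld GUID
# constructed rows for illustration
"Ng, Alice",ang,SN-0001,GMM01,1001,310,555-0100,PPC,,Default,CN=Alice Ng/O=Example,,,,,
,bsmith,SN-0002,GMM01,1002,310,555-0101,Treo,,Default,CN=Bob Smith/O=Example,,,,,
Carol Diaz,cdiaz,SN-0003,GMM02,1003,311,555-0102,PPC,,Exec,CN=Carol Diaz/O=Example,,,,,
'''


def normalize_dn(dn):
    """Canonical form for comparing Domino names (assumed case-insensitive here)."""
    return "/".join(part.strip().lower() for part in dn.split("/"))


def parse_handheld_export(text):
    """Return one dict per handheld, keyed by the column names in the header."""
    # Comment lines start with '#'; drop them and blank lines before CSV parsing.
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines:
        raise ValueError("export is empty")
    # skipinitialspace tolerates 'Server, PolicySet' style spacing after commas.
    reader = csv.reader(lines, skipinitialspace=True)
    header = [name.strip() for name in next(reader)]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError("export is missing columns: " + ", ".join(missing))
    rows = []
    for number, fields in enumerate(reader, start=2):
        if len(fields) != len(header):
            raise ValueError("data row %d has %d fields, expected %d"
                             % (number, len(fields), len(header)))
        rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows


def find_orphaned_handhelds(rows, departed_dns):
    """Return (alias, serial, server) for handhelds whose owner is in departed_dns.

    departed_dns is a list of distinguished names for accounts that were
    disabled or removed; it is supplied by the caller from the directory.
    """
    departed = {normalize_dn(dn) for dn in departed_dns}
    return [(r["Alias Name"], r["Serial No"], r["Server Name"])
            for r in rows if normalize_dn(r["DN"]) in departed]


if __name__ == "__main__":
    handhelds = parse_handheld_export(SAMPLE_EXPORT)
    # Constructed list of departed accounts.
    for alias, serial, server in find_orphaned_handhelds(
            handhelds, ["cn=bob smith/o=example"]):
        print("still registered: %s serial=%s server=%s" % (alias, serial, server))
```

Each reported handheld is a candidate for “Delete handheld(s)” on the Handhelds tab of the server named in the last field.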
Exporting Software Information to a File
To export software information for all handhelds, select “Export
Software” from the “Select Import/Export Action” dropdown menu
in the Handhelds tab in the GMC Console. You’ll be prompted for file
name and location if your browser is configured to do so.
The file contains the following line of information for each handheld.
Server Name,CurGLSServerVersion,Display Name,Alias Name,DN,Serial No,Handheld Type,Handheld Type Family,Type,Enabled,Handheld Family,Application ID,GUID,Application Name,Version,Status Time,Status,Low Level Error,Message,Installation Mandatory,Launch after Download
Changing a User’s Good Mobile Control Server, Good Mobile Messaging Server, Domino Server, or User Name
A user’s email name, short name, or address may change. In
addition, the user’s mail file may move to a different Domino server,
within the current Domino site or outside of it. Finally, you might
need to assign the handheld to a different Good Mobile Messaging
Server. The following sections describe how to manage these
changes.
Changing a User’s Display Name, Alias, or Email Address
If the display name for a mail file is changed in Domino, you do not
need to update Good Mobile Messaging Server to reflect the change.
Good Mobile Messaging Server will update automatically.
Set up replication connection documents to reflect any directory
changes to the Domino Server on which Good Messaging runs.
Replication frequency will determine when the changes will be
reflected in Good Messaging.
If a user mail file is deleted and recreated, remove the handheld from
Good Mobile Messaging Server, stop and restart the Server, and set
up the handheld again.
If the primary SMTP address changes, synchronization will continue.
However, if you need to set up the handheld again OTA after the user
is already set up, you will first need to delete the handheld from Good
Mobile Console and re-add it.
Moving a Handheld to a Different Domino Server
If a user mail file is moved to a different Domino server within the
same Domino domain, no changes are necessary to maintain
handheld synchronization.
If a user mail file is moved to a Domino server in a different Domino
domain, create the necessary cross certifications between the Domino
server on the Good Messaging host and the Domino server in the
different domain.
In both cases, necessary replication connection documents with
scheduled replication (between the Domino server on which Good
Messaging runs and your main/HUB Domino server) must exist.
Good Mobile Messaging Server looks into the local Domino directory.
Until the changes are replicated to the Domino server on which Good
Messaging runs, the Good Mobile Messaging Server uses the
outdated information. This might result in errors and new messages
may not be delivered to the user’s device.
Moving a Handheld to a Different Good Mobile Messaging Server
To change the Good Mobile Messaging Server that will manage a
handheld, the following prerequisites are required:
• All Server software must be version 6.1 or higher; Client software
must be version 5.x or higher.
• The handheld’s mailbox must not be over quota.
• The administrator must have Add, Delete, and Create User rights.
• The source and destination Servers must both be functioning.
• Both Servers must be visible in the GMC Console, sharing the
same GoodAdmin account.
To move the handheld, follow this procedure:
1. In the GMC Console list of users on the Handhelds tab, select the
handheld(s) to be moved.
2. From the Apply Action drop-down menu, choose “Change
Messaging Server.”
3. Choose the new Good Mobile Messaging Server to manage the
selected user handhelds.
4. Click OK.
The handhelds are transferred to the new Server. Each handheld
will be paused and cease synchronization until its move is
complete. A dialog will display the progress of the moves,
handheld by handheld.
During the moves, GMC Console functions for the handhelds
(such as changing to a different Server, regenerating the OTA PIN,
sending handheld logs, locking out the handheld user, erasing the
handheld, or enabling/disabling Good Messaging Intranet) will
be blocked.
GMC Console status display for the handheld may not be up-to-date. To check handheld status, display the Paused User list. Once
a move is complete, the handheld resumes synchronization and is
removed from the Paused list.
Note that the Good Mobile Messaging Server will take up to 15
minutes to synchronize the changes to a user’s Domino directory
entry (username, email, etc.) and up to 30 minutes to resume
synchronization with the handheld once a user has been moved
from one Domino server to another.
If the operational status of the destination Server is anything other
than “Running,” a warning dialog is displayed and the move is
cancelled. Retry the operation when the Server is operational
again.
If an error is encountered and only one handheld is being
transferred, the error will be displayed. If multiple handhelds are
being transferred, any errors are written to a log file; a warning
dialog provides a link to the file. Use the Move Handhelds link on
the Settings page to display this information.
Exchanging a User’s Handheld
To provide a user with a handheld previously assigned to a different
user, follow the procedure described in “Transferring a Handheld to a
New User” on page 234.
Data Storage and Aging
Information and email on the user’s handheld are subject to removal
according to the aging and data-accumulation rules, and space
requirements, in effect for that handheld’s particular platform. Refer
to the Good Knowledge Base for details.
Notes on Synchronization
The following are exceptions to synchronization between the email
server account and handheld:
• Items removed from the handheld via aging to save space are not
deleted from the email server account.
• Items in the Sent folder are not synchronized unless you explicitly
enable this synchronization using the GMC Console’s Policy
feature.
• New mail received on the handheld in folders other than Inbox
(set up by the user using Preferences | Email Delivery) will
include only the header or the header and body of the message,
depending upon which of these two options you have enabled for
the handheld using the GMC Console Policy feature. If only the
header is delivered, the body of the message is synchronized only
if the user chooses to display it.
• Items in the Drafts folder are not synchronized between handheld
and PC.
• Items originally filtered into an unsynchronized email server
folder are synchronized if moved or copied to a synchronized
folder, subject to the rules in the following item.
• For email messages older than three days that have built up while the
handheld was turned off (when the user was on vacation and out of
coverage, for example), only headers are sent to the handheld. The
body of the message is synchronized only if the user chooses to
display it. Email messages older than a month are not synchronized.
• Email recipients in the To: field are limited to 32.
Resynchronization or reprovisioning of a handheld can occur under
these conditions:
1. The user's cache directory on the Messaging Server is not present.
a. User's cache directory was deleted by administrator.
b. Disk containing the user's cache/db file is corrupted or damaged.
c. The directory specified in the registry does not contain the
cache directory.
2. The device was not able to initialize one of the services.
In the first case, when the client attempts to send a message to the
server, the server will send out a disconnect message to the device
indicating the user's service does not exist on the server. The client
will detect the disconnect reason and attempt to reconnect to the
server.
In the second case, when the client starts up, the client is not able to
initialize one of the services and automatically sends out a disconnect
to the server. The client will attempt to re-establish the connection.
7 Managing Good Mobile
Messaging Server
In addition to setting up and maintaining handhelds, you will want
to monitor Good Mobile Messaging Server to ensure that handheld
synchronization is occurring normally.
Use the following resources to manage Good Mobile Messaging
Server and handheld synchronization:
• Good Monitoring Portal
• Good Mobile Messaging Server properties and statistics
• User/handheld properties and statistics
• Good Messaging logs
• Error messages
• Troubleshooting
• Best Practices - Deployment, redundancy, backup, and recovery
Information about these resources is provided in the following
sections.
This chapter also describes how to move Good Mobile Messaging
Servers and Good Mobile Control (GMC) Servers to a new host.
Moving Good Mobile Messaging Server
and Good Mobile Control Server to a
New Host
The following procedure allows you to move GMC Server and Good
Mobile Messaging Server to a new host machine without
disconnecting all provisioned handhelds.
This procedure assumes:
• You want to move both GMC Server and Good Mobile Messaging
Server to a new host machine.
• You have the standard default installation of GMC Server and
Good Mobile Messaging Server services (Good for Enterprise
service, Good Mobile Control service, Good Messaging Domino
directory service, Good server Domino directory service) on a
single Windows server. This includes SQL Server Express, which is
installed with Good Messaging. If your installation is different,
contact Good Technology Support for advanced setup questions.
Important: Moving Good Mobile Control Server and Good Mobile
Messaging Server to a new host machine that has a different host
name than the original host is not recommended in Good Mobile
Messaging Server version 6.x and higher. For local SQL installs on the
Good Server, it must have the same host name and fully qualified
domain name (FQDN) as the original host machine. To achieve this,
your IT administrator may have to completely isolate the old
machine from the network before bringing up the new machine to
avoid network conflicts.
Follow these general steps to move GMC Server and Good Mobile
Messaging Server to a new host:
1. Start the new machine with the same host name as the old host
machine.
2. Move GMC Server to the new machine. This includes moving the
SQL database.
3. Move Good Mobile Messaging Server to the new machine.
4. Start up the Good Messaging services on the new host machine
and do a check.
Preparing to Move Good Mobile Control Server
To prepare to move GMC Server:
1. On the original host machine, stop the Good Mobile Messaging
Server services and GMC Server services (Good for Enterprise
service, Good Mobile Control service, Good Messaging Domino
directory service, Good server Domino directory service).
2. After the services stop, set the services to Disabled.
Note: The GoodAdmin account needs to have DBO or SA
permissions to create, edit and read the database.
3. Make a copy of the SQL database files by performing these steps:
a. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express.
Note: SQL Management Studio Express is installed during initial
setup of GMC Server. If you did not install SQL Management
Studio Express, you must install SQL Management Studio Express
(2005) now or use SQL Management Studio Express already
available in your organization to connect to the database.
b. Log in by selecting <YOUR_MACHINE>\GMC as the Server
Name and choosing Authentication as Windows Authentication.
c. Right click on the database and then choose Tasks > Detach.
d. Click OK on the next screen.
e. Complete the procedure.
4. Copy GMCdb.mdf and GMCdb_log.LDF from
C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
to a safe location for future use. These files will be attached again
when the new host machine is set up.
5. Repeat the above procedure to detach dominodirdb and copy
dominodirdb.mdf and dominodirdb_log.LDF from
C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
to a safe location for future use. These files will be attached again
when the new host machine is set up.
6. If there are any custom settings made as a part of GMC Server
configuration, copy the following files and keep them for future use:
• Copy config.props from
C:\Program Files\Good Technology\GMC Server\original
• Copy config.props, config.props.bak, logdriver and
spring.cfg.xml from
C:\Program Files\Good Technology\GMC Server
7. Open the registry and write down the License Key, Serial Number,
Instance Name, and Database name for the GMC Server. These
parameters are located in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Good Technology\EMF Server
Note: Do not install the full registry keys. Not all information in
the keys is needed. The information needed from the keys is
detailed throughout the process.
For example, the following screen shot assumes a default
installation and your system may be different:
8. On the original host machine, stop the Good Mobile Control
Server service. After the service stops, set it to Disabled. Note: Do
not uninstall the GMC or restart the service if you have
previously enabled iOS MDM. If you need to uninstall the GMC
in this case, contact Support for steps on its manual removal.
Preparing to Move Good Mobile Messaging Server
To prepare to move Good Mobile Messaging Server:
1. On the original host machine, open the registry and write down
the Server Name, Serial Number, License Key, Mailbox Name,
Cache Directory, Windows logged-on user name
(domain\username), and Domino Server Name where the Good
Messaging mailbox resides. (The Good Mobile Messaging Server
name is usually the same as the computer name.)
These parameters are located in the registry under:
HKEY_LOCAL_MACHINE/SOFTWARE/GoodTechnology/GoodLink Install Parameters/
If this is a Windows 2008 x64 bit system, the registry path will be
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Good Technology
Note down all parameters. Also import this registry and save it as
a .reg file.
2. Make a copy of the SQL database files by performing these steps:
a. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express.
Note: SQL Management Studio Express is installed during initial
setup of GMC Server. If you did not install SQL Management
Studio Express, you must install SQL Management Studio Express
(2005) now or use SQL Management Studio Express already
available in your organization to connect to the database.
b. Log in by selecting <YOUR_MACHINE>\GMC as the Server
Name and choosing Authentication as Windows Authentication.
c. Right click on the database and then choose Tasks > Detach.
d. Click OK on the next screen.
e. Complete the procedure.
3. Copy goodlink.mdf and goodlink_log.LDF from
C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
to a safe location for future use. These files will be attached again
when the new host machine is set up.
4. Uninstall Good Mobile Messaging Server by choosing Custom
Uninstall and selecting the Retain Users option. (See “Uninstalling
Good Mobile Messaging Server” on page 427.)
5. Complete the uninstallation of Good Mobile Messaging Server.
6. Copy the complete Cache folder to a new location for future use.
7. Shut down the original host and completely isolate it from the
network. We recommend disconnecting the network cable.
Installing Good Mobile Control Server on the New Host
To install GMC Server on the new host:
1. Start the new host machine using the same host name as the
original machine.
Note: Before starting the new host machine, be sure to shut down
and isolate the original machine from the network.
2. After the new host machine boots up, set the necessary account
permissions and install the required prerequisites. (See
“Pre-installation” on page 35 and “Installation” on page 49.)
3. Install GMC Server using the same License Key, Serial Number,
Database Instance Name, and Database Name as the original host.
4. Start the GMC Server services.
5. After verifying the GMC Server is running, stop the GMC Server
service and set it to Disabled.
6. Follow these steps to detach the new database and attach the
database copied from the original host:
a. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express.
b. Log in by selecting <YOUR_MACHINE>\GMC as the Server
Name and choosing Authentication as Windows Authentication.
c. Right click on the database and then choose Tasks > Detach.
d. Click OK on the next screen.
e. Complete the procedure.
f. Copy GMCdb.mdf, GMCdb_log.LDF, dominodirdb.mdf, and
dominodirdb_log.LDF from the original host to the following
folder on the new host, overwriting the existing files:
C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
g. In SQL Management Studio, right click on the database and
then choose Tasks > Attach.
h. Navigate to the GMCdb.mdf and GMCDB.LDF files and click
Add.
The database is now attached to SQL server.
7. Repeat the above procedure to attach dominodirdb.mdf and
dominodirdb_log.LDF.
8. Set the GMC Server service to Automatic and start the GMC
Server service.
9. Access the GMC Console to make sure it is working properly:
http://<servername>:8080
This procedure is now complete. The GMC Server is now running on
the new host.
Installing Good Mobile Messaging Server on the New Host
To install Good Mobile Messaging Server on the new host:
1. Log in to the new host machine using the Windows logged-on
user name (domain\username) for the Good Mobile Messaging
Server. You wrote this down for the original host machine. (See
“Preparing to Move Good Mobile Messaging Server” on
page 268.)
Import the registry hierarchy on the new machine. Create the
registry hierarchy exactly as on the old server.
Note: If this is a Windows 2008 x64 bit system then the registry
path will be
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Good Technology
2. Copy the contents of the cache folder that you saved from the
original host machine to the same folder location on the new host
machine.
Important: The cache folder must be located in the same path as
on the original host machine. For example:
C:\Program Files\Good Technology\Good Mobile Messaging Server\cache\UMASERVER1
3. After copying the files, delete the “dbfiles.lck” file from the cache
folder.
Important: Do not delete any other files.
4. Install Good Mobile Messaging Server using the same License
Key, Serial Number and host name you wrote down for the
original host. (See “Pre-installation” on page 35 and “Installation”
on page 49.)
5. When the Installation program prompts you for the cache folder
location, specify the location on the new host machine where you
copied the cache files.
6. Follow these steps to detach the new database and attach the
database copied from the original host:
a. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express.
b. Log in by selecting <YOUR_MACHINE>\GMC as the Server
Name and choosing Authentication as Windows Authentication.
c. Right click on the database and then choose Tasks > Detach.
d. Click OK on the next screen.
e. Complete the procedure.
f. Copy goodlinkdb.mdf and goodlinkdb_log.LDF files from the
original host to the following folder on the new host, overwriting
the existing files:
C:\Program Files\Good Technology\database\MSSQL.1\MSSQL\Data
g. In SQL Management Studio, right click on the database and
then choose Tasks > Attach.
h. Navigate to the goodlinkdb.mdf and goodlinkdb_log.LDF files
and click Add.
The database is now attached to SQL server.
7. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express. Open
dbo.servers in GMCdb. Copy the “server_guid” and “password”
values.
8. Open the registry and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters
9. Paste the “server_guid” value in “GMMGUID” and the
“password” value in “GMMEMFKey”.
10. Restart Good Messaging service.
11. After a few minutes, verify that the Good Mobile Messaging
Server is operating.
Note: After this procedure, the GMC Console may indicate that
Good Mobile Messaging Server is disconnected. After
approximately 15 minutes, the status should change to Connected.
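The copy steps above move the cache folder (and the detached database files) between hosts and then delete exactly one file, dbfiles.lck. The following is an added example, not part of the guide or of Good's software: it records SHA-256 hashes of the saved cache folder and checks the copy on the new host for missing, altered or extra files and for a leftover lock file. The hashing step and the sample file names user1.db and user2.db are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile

LOCK_FILE = "dbfiles.lck"   # the only file the procedure says to delete


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def is_lock(rel_path):
    # Windows file names are case-insensitive, so compare in lower case.
    return rel_path.rsplit("/", 1)[-1].lower() == LOCK_FILE


def verify_copy(source_manifest, dest_root):
    """Compare the copied folder with the manifest taken on the original host."""
    dest = build_manifest(dest_root)
    expected = {rel: h for rel, h in source_manifest.items() if not is_lock(rel)}
    return {
        "missing": sorted(set(expected) - set(dest)),
        "changed": sorted(r for r in expected if r in dest and dest[r] != expected[r]),
        "unexpected": sorted(r for r in dest
                             if r not in source_manifest and not is_lock(r)),
        "lock_still_present": sorted(r for r in dest if is_lock(r)),
    }


def copy_is_clean(report):
    """True only when nothing is missing, changed, extra, or still locked."""
    return not any(report.values())


def run_constructed_demo():
    """Build a throwaway cache tree (constructed data) and verify three states."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "old_host", "cache")
        dst = os.path.join(work, "new_host", "cache")
        os.makedirs(os.path.join(src, "UMASERVER1"))
        for name, data in (("user1.db", b"alpha"), ("user2.db", b"beta"),
                           (LOCK_FILE, b"")):
            with open(os.path.join(src, "UMASERVER1", name), "wb") as handle:
                handle.write(data)
        manifest = build_manifest(src)              # taken on the original host
        shutil.copytree(src, dst)                   # the copy to the new host
        before_cleanup = verify_copy(manifest, dst)
        os.remove(os.path.join(dst, "UMASERVER1", LOCK_FILE))
        after_cleanup = verify_copy(manifest, dst)
        os.remove(os.path.join(dst, "UMASERVER1", "user2.db"))  # simulated mistake
        after_mistake = verify_copy(manifest, dst)
        return before_cleanup, after_cleanup, after_mistake


if __name__ == "__main__":
    for label, report in zip(("before cleanup", "after cleanup", "after mistake"),
                             run_constructed_demo()):
        print(label, copy_is_clean(report), report)
```

The same manifest functions can be pointed at the folder holding the copied .mdf and .LDF files before they are attached on the new host.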
Monitoring Good Mobile Messaging
Servers
Good Messaging software provides tools that allow you to monitor
Good Mobile Messaging Server using Good Monitoring Portal, GMC
Console, and Microsoft Windows 2000 on the server machines. You
can display information in the following categories:
• Server Dashboard - Server status, users, and pending messages
• Server Information
• Server Statistics
• IP Ranges
• Server Logging
• User Performance Monitor
Good Monitoring Portal Server Dashboard
To quickly check the operating status of your Good Servers, along
with information about Server users and handheld message flow, log
in to the Good Monitoring Portal at http:http://www.good.com/
gmp.
When you log in, the Good Monitoring Portal (GMP) home page is
displayed.
If the Good Server you are interested in isn’t displayed in the
dashboard, refer to “Adding a Server to the Dashboard” on page 285.
The Dashboard section displays current status information for each
Good Server:
• Status - Connection status for the Server to the Good Network
Operations Center (IN, OUT, Connection error, Not queried, Not
OK [IP address range check failed], Unreachable). Use this status, for
example, to troubleshoot problems that result from lapsed entitlements,
such as unauthorized STS grants.
• # Users - All users currently added to this Server
• Pending Msgs - Number of messages (emails, calendar events,
etc.) that are waiting for transmission from the handheld to the
Server or vice versa. This should be zero or close to it. If the Server
is disconnected from the Network Operations Center, the number
will grow because messages are not being processed. If a
handheld is out of coverage, its queue of undelivered messages
on the Server will grow as emails sent to the handheld are not
delivered.
For more information on a Server’s current status, click the Server
name in the Dashboard section. A Server details screen is displayed.
The page contains:
• Server Information - Server name, Server version, product and
edition, number of users
• Server License Information - Serial number, license key
• Server Connection - Status of connection to the Network
Operations Center, IP address, last connection time, pending
messages
• Connection History - Two histograms of the Server's recent
connection history with the Network Operations Center. The first
histogram covers the Server's connection history over the last 24
hours, and the second histogram shows the Server's connection
history over the last 4 hours. Red sections indicate times when the
Server was not connected, and green sections indicate when the
Server was connected. When operating normally, the histograms
should be green.
For more information on displaying handheld/user status in the
Good Monitoring Portal, refer to “Enabling Detailed Logging for
Handhelds” on page 238.
Adding a Server to the Dashboard
If the Server you want to check isn’t listed on the dashboard, do the
following to add it:
1. Click the “Monitor Servers” link in the sidebar of the Good
Monitoring Portal.
The Monitor Servers window appears.
2. Click the Add External Servers button.
A page is displayed which allows you to specify the Server that
you want added to the dashboard.
3. Enter the name you assigned to the Server when installing it.
4. Enter the serial number and license key that you obtained at the
time of purchase.
If you don’t have the serial number or license key available, click
“Server Licenses” in the sidebar to display them. You can also
display the values for these items in the Properties page for the
Server in the GMC Console.
5. Click Add.
The Server is added to the dashboard.
Displaying the Server List
To list the Good Mobile Messaging Servers in the Domino site:
1. In the GMC Console, click the Servers tab.
Current Mobility Suite Servers are listed, along with their product
type, version, number of handhelds added to the server, service
status, network status (NOC), and pending messages (NOC).
# of Handhelds: Shows current number of handhelds.
Service status: OK, Unreachable, Stopped, or Running.
Type: For disaster-recovery, high-availability environments, the
server is shown as primary or standby.
Network status: IN, OUT, Connection error, Not queried, Not OK
(IP address range check failed), Unreachable, Unknown.
Pending messages: Shows the number of messages pending for
the handhelds listed for the Server.
2. Click Refresh List to update the server list.
Displaying Server Information
To display the properties of a Good Mobile Messaging Server:
1. Click the Servers tab in the Console.
2. Click on the Good Mobile Messaging Server name in the list of
servers on the Servers tab.
The following window displays information about the selected
Good Mobile Messaging Server.
The Server Information section displays the following:
• Name - Good Mobile Messaging Server name
• Serial number
• System Identifier
• License key
• Product - GMM
• Version - Good Mobile Messaging Server version
• Handhelds - Number of handhelds
• Service status - Unreachable, stopped, or running
• Network status (NOC)
• Pending messages (NOC)
• Good Messaging host address - URL for the Network
Operations Center
• Server setup time - Date the server was installed
• Installed on machine - Name of the computer on which the
server is installed
• Windows logon account
• MAPI profile name
• Log Upload URL - URL for the site that will receive any
diagnostic logs that you upload to your authorized support
representative.
3. To display statistics for the selected Good Mobile Messaging
Server, click Statistics in the left panel of the window.
The Statistics section displays the following:
• Email messages sent to handhelds - Total Email messages sent
to all handhelds from Good Mobile Messaging Server
• Email messages received from handhelds - Total Email
messages received from all handhelds by Good Mobile
Messaging Server
• Filtered Email for handhelds - Number of messages not sent to
handhelds due to filters set on handhelds (using the Blocked
Senders email option)
• Messages sent to handhelds - Total Email, Calendar, Contact,
Note, and Task messages sent to all handhelds by Good Mobile
Messaging Server (includes control messages)
• Messages received from handhelds - Total Email, Calendar,
Contact, Note, and Task messages received from all handhelds
by Good Mobile Messaging Server (includes control messages)
• Last Email message received from handhelds - Date and time
received by Good Mobile Messaging Server
• Last message received from handhelds - Date and time
received by Good Mobile Messaging Server
• Last Email message sent to handhelds - Date and time sent by
Good Mobile Messaging Server
• Last message sent to handhelds - Date and time sent by Good
Mobile Messaging Server
Statistics are accumulated by Good Mobile Messaging Server.
Since messages can be sent in batches, and undisplayed messages
(e.g., “Mark Read”) are included in the statistics, these totals are
useful mostly to determine general current activity levels.
Click the Refresh button to update the page. Click Clear to reset all
counts to 0 except dates, which are retained. The date when the
statistics were last cleared is displayed at the bottom of the
window. Click Export to export the statistics in a file.
4. To display the status of IP ranges for the selected Good Mobile
Messaging Server, click IP ranges in the left panel of the window.
For information on the IP addresses portion of this page, refer to
“IP Ranges” on page 291.
Notes:
• You can also display server information by clicking the Settings
tab. The information about the server appears in the “About Good
Administrator Center” page.
• To display information about the Directories for handheld
enablement and console users authentication, click the Settings
tab and then click the Directory link in the left panel. The
handheld-enablement directory is the source for the data/
information on the Handhelds tab relating to adding/enabling
user devices. The users authentication directory is the source for
data/information relating to the console log-in page and the Roles
tab.
• The “Check for New Services” button on the Server Information
page on the Settings tab will not return any information in this
release.
IP Ranges
If you limit outbound HTTP and HTTPS on your firewall, you should
open outbound ports 80 and 443 for IP ranges 216.136.156.64/27 and
198.76.161.0/24 for Good Messaging to work properly. (Version 5
required that you open outbound ports 80 and 443 for IP address
198.76.161.28 for Good Messaging to work properly. Version 6
requires, in addition, IP address 198.76.161.29 for use by Good Mobile
Control.) Do not put the Good Mobile Messaging Server and GMC
Server in the DMZ zone or block any LAN ports. The Good Mobile
Messaging Server and operating system calls have many port
dependencies for interfacing with Domino mail servers and AD,
especially TCP 1433 (Database) and 1352 (NRPC).
Good Messaging checks for proper access to the Good Network
Operations Center periodically. Open ranges are displayed on the IP
Addresses tab with a status of “0.” The proxy column can be “Yes” or
“No.” If an error condition occurs, a description will appear in the
Description column.
Any other entries on this tab indicate error conditions. If other entries
are displayed, open the ranges given above and check the tab again.
Work with your customer service representative when error
conditions persist.
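The following is an added example, not part of the guide: it checks a firewall's outbound allow rules against the two ranges and two ports listed above and reports any part of a range that no rule covers, which is what a rule set left over from the single-address Version 5 requirement looks like. The (CIDR, port) rule format and both rule lists are constructed assumptions; adapt the input to your firewall's export.

```python
import ipaddress

# Ranges and ports the guide says must be open outbound.
REQUIRED_RANGES = ("216.136.156.64/27", "198.76.161.0/24")
REQUIRED_PORTS = (80, 443)


def uncovered(required, allowed):
    """Return the sub-blocks of `required` that no network in `allowed` covers."""
    remaining = [required]
    for net in ipaddress.collapse_addresses(allowed):    # merges adjacent rules
        still_open = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                  # fully allowed
            if net.subnet_of(block):
                # The rule allows only part of the block: keep the rest.
                still_open.extend(block.address_exclude(net))
            else:
                still_open.append(block)                  # rule is elsewhere
        remaining = still_open
    return sorted(remaining)


def audit_egress(rules):
    """rules: iterable of (cidr, port) allow entries.

    Returns {(required_range, port): [uncovered CIDR blocks]}; empty when every
    documented range is reachable on both ports.
    """
    allowed_by_port = {}
    for cidr, port in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4:                              # documented ranges are IPv4
            allowed_by_port.setdefault(port, []).append(net)
    gaps = {}
    for cidr in REQUIRED_RANGES:
        for port in REQUIRED_PORTS:
            missing = uncovered(ipaddress.ip_network(cidr),
                                allowed_by_port.get(port, []))
            if missing:
                gaps[(cidr, port)] = [str(net) for net in missing]
    return gaps


# Constructed rule sets for illustration.
# A rule set that only allows the single Version 5 address:
LEGACY_V5_RULES = [("198.76.161.28/32", 80), ("198.76.161.28/32", 443)]
# A rule set that covers the /24 on port 80 with two adjacent /25 rules:
SPLIT_RULES = [
    ("216.136.156.64/27", 80), ("216.136.156.64/27", 443),
    ("198.76.161.0/25", 80), ("198.76.161.128/25", 80),
    ("198.76.161.0/24", 443),
]

if __name__ == "__main__":
    for name, rules in (("legacy", LEGACY_V5_RULES), ("split", SPLIT_RULES)):
        print(name, audit_egress(rules) or "all documented ranges covered")
```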
Server Logging
To monitor synchronization, Domino-Good Messaging issues, and
error conditions, use the Windows Event Viewer Application log and
Good Mobile Messaging Server log. Diagnostic logs are maintained
by Good Mobile Messaging and Good Mobile Control Servers; these
encrypted logs are for use by your authorized support representative.
To upload the Good Mobile Messaging diagnostic log to your
authorized support representative, do the following. To use a
command-line utility for the upload, refer to “uploadLog” on
page 337.
1. In the GMC Console, click the Servers tab.
2. In the Name column for the list of Servers, click the name of the
Server whose log you want to upload.
3. Click the Upload Logs tab.
An upload screen is displayed.
4. Specify the date range of the log data that you want uploaded.
5. To include the System Event log and the Application Event log,
click the corresponding check boxes.
6. Click OK.
The log data for the specified date range is uploaded to the URL
listed for “Log Upload URL” in the Server Info page for the Server
you clicked.
To upload the Good Mobile Control diagnostic log to your
authorized support representative, do the following.
1. In the Good Mobile Control Console, click the Settings tab.
2. Click the Upload Server Logs button.
An upload screen is displayed.
3. Specify the date range of the log data that you want uploaded.
4. To include the System Event log and the Application Event log,
click the corresponding check boxes.
5. Click OK.
Windows Event Viewer Application Log
The Windows Event Viewer Application log displays successful and
unsuccessful server actions and provides information about the
success or failure.
Good Mobile Messaging Server Log
Every Good Mobile Messaging Server maintains a log containing a
separate line for every email message and event exchanged between
mail file and handheld via that server. Use the file to check account
use.
The log is named servername.access and is located in the logs
directory for the server installation.
Each line in the server log includes the following entries, separated
by tabs:
• Time - Date and time of the transaction
mm/dd/yyyy hh:mm:ss time_zone
• Msg_id - The session ID of the message or event
ID_string
• App - Service or application that sent or is receiving the message
or event. For example, note, task, admin.
application_name
• Cmd - Command used by the issuing or receiving service or
application
command
• IP - IP address of Good Mobile Messaging Server. Allows
concatenation of server log files.
nn.nn.nn.nn
• Mail file - Display name of the mail file involved in the transaction
name
• Direction - Transaction direction (INBOUND = towards Domino)
INBOUND | OUTBOUND
• Dest_conn_id - For use by Customer Service
nnnnnnnnnn
• Num_byte - Size of the transaction, read or written
nnnn
• Status - 0 = OK. Any other number or string indicates an error
condition, but is used by Customer Service only.
n
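The following parser is an added example, not part of the guide or of Good's software. It reads lines in the tab-separated layout listed above and totals transactions, bytes and non-zero Status values per mail file, which is the account-use check the log is meant for. The sample lines, the Cmd values, the non-zero Status values and the time-zone token are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Field order as listed in the guide for servername.access (tab-separated).
FIELDS = ("time", "msg_id", "app", "cmd", "ip", "mail_file",
          "direction", "dest_conn_id", "num_byte", "status")


@dataclass
class AccessRecord:
    when: datetime        # date and time of the transaction (zone kept separately)
    time_zone: str
    msg_id: str
    app: str
    cmd: str
    ip: str
    mail_file: str
    direction: str        # INBOUND (towards Domino) or OUTBOUND
    dest_conn_id: str
    num_byte: int
    status: str

    @property
    def ok(self):
        # Guide: 0 = OK; any other number or string indicates an error.
        return self.status == "0"


def parse_line(line):
    """Parse one log line; raise ValueError if it does not match the layout."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    raw = dict(zip(FIELDS, parts))
    # Assumption: "mm/dd/yyyy hh:mm:ss time_zone" is space-separated and the
    # zone is a free-form label, kept as text rather than interpreted.
    tokens = raw["time"].split(None, 2)
    if len(tokens) < 2:
        raise ValueError(f"bad time field: {raw['time']!r}")
    when = datetime.strptime(" ".join(tokens[:2]), "%m/%d/%Y %H:%M:%S")
    if raw["direction"] not in ("INBOUND", "OUTBOUND"):
        raise ValueError(f"bad direction: {raw['direction']!r}")
    return AccessRecord(
        when=when, time_zone=tokens[2] if len(tokens) == 3 else "",
        msg_id=raw["msg_id"], app=raw["app"], cmd=raw["cmd"], ip=raw["ip"],
        mail_file=raw["mail_file"], direction=raw["direction"],
        dest_conn_id=raw["dest_conn_id"], num_byte=int(raw["num_byte"]),
        status=raw["status"])


def summarize(lines):
    """Return (per-mail-file usage, rejected lines) for an iterable of log lines."""
    usage = defaultdict(
        lambda: {"INBOUND": 0, "OUTBOUND": 0, "bytes": 0, "errors": []})
    rejected = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError as exc:
            rejected.append((number, str(exc)))   # report it, keep processing
            continue
        entry = usage[rec.mail_file]
        entry[rec.direction] += 1
        entry["bytes"] += rec.num_byte
        if not rec.ok:
            entry["errors"].append((rec.msg_id, rec.status))
    return dict(usage), rejected


# Constructed sample lines (not real log data); Cmd values are placeholders.
SAMPLE_LOG = "\n".join([
    "01/15/2012 09:30:12 PST\tA1B2C3\tnote\tSEND\t10.0.0.5\tAlice Example\tOUTBOUND\t1234567890\t2048\t0",
    "01/15/2012 09:30:40 PST\tA1B2C4\ttask\tUPDATE\t10.0.0.5\tAlice Example\tINBOUND\t1234567890\t512\t0",
    "01/15/2012 09:31:02 PST\tA1B2C5\tnote\tSEND\t10.0.0.5\tBob Example\tOUTBOUND\t1234567891\t4096\t17",
    "01/15/2012 09:31:05 PST\tA1B2C6\tadmin\tSYNC\t10.0.0.5\tBob Example\tINBOUND\t1234567891\t128\tERR_TIMEOUT",
    "truncated line without enough fields",
])

if __name__ == "__main__":
    usage, rejected = summarize(SAMPLE_LOG.splitlines())
    for mail_file, entry in sorted(usage.items()):
        print(mail_file, entry)
    print("rejected:", rejected)
```

Because each line carries the Server's IP address, the same function can be run over concatenated logs from several Servers.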
Good Messaging Diagnostic Log
Good Mobile Messaging Server maintains encrypted diagnostic logs.
These logs are turned on by default. 700MB of space is required. The
information in the logs is for use by your authorized support
representative. Good Mobile Control Server maintains encrypted
diagnostic logs as well, turned on by default. 100MB of space is
required.
To upload logs to your support representative, refer to “Server
Logging” on page 291.
Using Performance Monitor
You can use the Windows Performance Monitor to display Good
Mobile Messaging Server dynamic statistics. These are the statistics
described in “Displaying Server Information” on page 287.
For example, to view server statistics using the Performance Monitor
in Windows 2003:
1. From the Start menu on the server host, select Programs >
Administrative Tools > Performance.
2. Click the Add Counters button.
The Add Counters window is displayed.
3. From the Performance dropdown list, select the entry for Good.
4. Click Add all counters.
5. Click Close.
The Good Mobile Messaging Server statistics are displayed
dynamically on the chart.
6. If the Server will be stopped for an extended period of time, notify
handheld users that synchronization will cease during the
stoppage.
7. Open the Windows Control Panel.
8. Open Administrative Tools.
9. Open Services.
10. Select and open GoodLink Server Service.
11. In the Properties window, on the General tab, click the Stop
button.
Error Messages
Errors are returned in the following ways:
• Written to Windows Event Viewer Application log
• Displayed as dialog windows in GMC Console
• Displayed as dialogs during installation.
Troubleshooting
Support is available by contacting Good Support at
http://www.good.com/support.
Best Practices
As with any mission-critical application, you will want to make
provisions for optimal deployment, redundancy, backup, and
disaster recovery for Good Messaging. This section describes or
references procedures and rules for doing so.
Deployment
The following rules and generalizations apply to deployment of
Good Messaging:
• We recommend against running BlackBerry™ Enterprise Server
on the same machine as Good Mobile Messaging Server, when
both are present.
• We recommend against installing the Lotus Notes Client on the
same machine as Good Mobile Messaging Server. If such a client is
present, it must reside on a different drive than the Domino server
on the machine.
Redundancy
Application redundancy is important in configuring Good
Messaging to maintain services in the event of server failure. Contact
your authorized service representative for information on using
Microsoft clustering with Good Messaging, and refer to “Using
Standby Good Mobile Messaging Servers” on page 341.
Anti-virus and Backup Software
Exclude the log and cache directories from anti-virus and backup
software, to prevent file contention and performance issues.
Backing up and Restoring the Good Mobile Control Database
The SQL database that Good Mobile Control uses contains
configuration information related to routing and provisioning of
Good servers and handhelds. Good Mobile Messaging Servers find
out how to connect to Good for Enterprise enabled handhelds by
synchronizing with Good Mobile Control Server.
Backing up the Good Mobile Control Database
To back up the GMC database:
1. Click the Settings tab in the GMC Console.
2. Click the Backup link in the left panel.
The Backup Settings page appears.
3. Select Enable automatic backup of this GMC Server to enable
automatic backup. Incremental backups occur hourly; a full backup
is performed once a day. This is not configurable.
4. Specify the Backup directory to store the backup files and the
number of days of backup copies to keep. The default is 7.
5. To do a manual full backup immediately, click Start Full Backup
Now. To do a manual incremental backup immediately, click Start
Incremental Backup Now.
6. Click Save to save the changes.
Restoring the Good Mobile Control Database
The restore process consists of two steps in the following order:
1. Restore a full backup
2. Restore an incremental backup
In order to restore the correct database state, you must restore both
the full and incremental backups in sequential order. Choose the
most recent full daily backup file and the most recent incremental
hourly backup files.
For more information, refer to the “How to: Restore a Database
Backup (SQL Server Management Studio)”:
http://msdn.microsoft.com/en-us/library/ms177429.aspx
To restore the GMC database:
1. Stop the GMC Service.
2. Open the SQL Management Studio: Start > Programs > Microsoft
SQL Server 2005 > SQL Server Management Studio Express.
Note: SQL Management Studio Express is installed during initial
set up of GMC Server. If you did not install SQL Management
Studio Express, you must install SQL Management Studio Express
(2005) now or use SQL Management Studio Express already
available in your organization to connect to the database.
3. Log in by selecting <YOUR_MACHINE>\GMC as the Server
Name and choosing Authentication as Windows Authentication.
4. Right click on the database and then choose Tasks > Restore >
Database.
5. Select From Device under Source for Restore in the Restore
Database dialog box.
6. Navigate to the folder where the full backup file is located, select
the file, and then click OK.
7. In the left panel of the Restore Database dialog box, click Options
and select the middle option “Leave the database non-operational
and do not roll back uncommitted transactions. Additional
transaction logs can be restored (RESTORE WITH
NORECOVERY)”.
8. Click OK.
After a few minutes, the full database is restored.
9. Restore the incremental database by repeating the steps and
choosing the incremental database:
a. Right click on the database and choose Tasks > Restore > Database.
b. Select From Device under Source for Restore in the Restore
Database dialog box.
c. Navigate to the folder where the incremental backup file is
located, select the file, and then click OK.
d. In the left panel of the Restore Database dialog box, click
Options and select the first option “Leave the database ready to
use by rolling back uncommitted transactions. Additional
transaction logs cannot be restored. RESTORE WITH RECOVERY”.
e. Click OK.
10. Exit SQL Server Management Studio Express.
11. Start the GMC Service and verify that GMC Console rolls back
changes prior to the hourly incremental backup time.
The restore procedure is now complete.
Disaster Recovery
Disaster recovery for GMC and Good Mobile Messaging Servers
requires you to restore the configuration information in the GMC
database to a consistent state to allow the system to work properly.
The reconciliation process resets handheld provisioning information
so that the handhelds may be added back to the system. This is a
mechanism for cleaning up inconsistent records for all Good servers.
Good Mobile Control, Good for Enterprise and the handheld client
are all part of the same system. To work properly, all the parts of the
system must know about the same handhelds in the system.
Reconciliation helps identify and remove inconsistent entries in the
system.
Note: There are some data loss scenarios that the following
reconciliation procedure may not be able to remediate. If you are
unable to reconcile configuration inconsistencies, contact your
authorized support representative.
Reconciling configuration inconsistencies
If you restore the GMC database from a backup to a previous state,
the configuration information that was added to the GMC database
after the backup was performed is lost. Any handhelds that were
configured and thus added to the GMC database after the backup
was performed must be reset in order for you to be able to administer
those handhelds again. Before the handhelds can be reset, they must
first be identified through a reconciliation process.
During each startup, GMC checks whether the GMC database was
restored and for any configuration inconsistencies. If necessary, the
GMC Server runs a handheld consistency check in a reconciliation
mode. While in the reconciliation mode, the GMC Server is not
accessible to other servers. Web services to and from Good for
Enterprise Servers are shut down until you resolve the reconciliation
items and exit reconciliation mode.
To resolve the reconciliation items and exit reconciliation mode:
1. Log in as service administrator or Superuser.
2. On the Reconciliation Panel that appears, select the reconciliation
items and click Remove as necessary.
3. Click Finished on the Reconciliation Panel to exit reconciliation
mode.
The GMC Server is now accessible to other servers.
Manually running a reconciliation consistency check
If the GMC Server starts up normally but you suspect there are
configuration inconsistencies, you can manually run the
reconciliation consistency check.
To manually run the reconciliation consistency check:
1. On the Settings tab, click Run Consistency Check.
If no inconsistencies are detected or if GMC cannot connect with
GMM to perform the consistency check, the message “No
inconsistencies found.” is displayed.
If an inconsistency is detected, the Reconciliation Panel appears.
2. If the Reconciliation Panel appears, select the reconciliation items
and click Remove as necessary.
Note: To resolve inconsistencies, you must have the Manage
Servers right or the Superuser right.
3. Click Finished on the Reconciliation Panel to exit reconciliation
mode.
8 Utilities
This chapter describes some of the Domino console commands, Good
Messaging utilities, and diagnostic logs available for use in Good
Messaging administration and troubleshooting. For more
information, contact your authorized Good Messaging service
representative.
Good Messaging utilities include:
• GoodLinkAddUser - Adds a new user to Good Mobile Messaging
Server.
• GoodLinkDeleteUser - Deletes a user from Good Mobile
Messaging Server.
• GoodLinkQueryUser - Provides essential information about
existing users.
• nGMMTool - Tests Good Mobile Message connectivity with the
Domino server hosting mailboxes and reports the time taken for
the Good Domino NRPC calls from the GMM server to a specific
Domino server (Primary servers).
• UserProfilechkTool - UserProfilechkTool tests for user profile
availability. It also displays active profile type (Roaming or Inotes)
with complete profile details.
• GoodLinkEraseData - Issues an Erase Data command to a
GoodLink handheld to wipe all data on the handheld.
• GoodLinkRegenOTAPIN - Generates a new OTA PIN for the
specified user.
• GoodLinkUpdateUser - Enables/disables Good Intranet once a
user is already GoodLink enabled. Changes the GMM server for
the user. Changes the policy set.
Troubleshooting Utilities
• gmexportstats - Exports handheld user statistics, user software
policy settings and status information, and server software policy
information to a file in CSV format, for backup and audit use.
• GdGLSConnect - Tests connectivity from the server that it is
running on to the Good Data Center.
• uploadLog - Allows Good Messaging diagnostic files to be easily
uploaded to a Good Network Operations Center server.
Diagnostic logs are described in “Diagnostic Log Files” on page 338.
Installing the Utilities
The command-line utilities described here are included with the
Good Messaging download media in a zip file labeled
gmc-cli_n.n.n.nn.zip, where the n values are defined by the GMC version
that you download (e.g., gmc-cli_1.0.3.36.zip). Unzip the files and
copy them to C:\Program Files\Good Technology\Good Mobile
Control\jre\bin\.
GoodLinkAddUser
GoodLinkAddUser adds a user to Good Mobile Messaging Server.
The utility is available on machines with Good Mobile Control
(GMC) Server installed on them.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have
Administrator rights in Console > Roles > Rights or must have “Add
user for OTA Setup Provisioning” rights for Good Messaging to add
an OTA Setup user. (To test, log on as the user with the necessary
rights and attempt to add a user from the Console). To add a user,
you must know at least the user’s abbreviated and short name, or
know the user’s canonical name.
Syntax:
GoodLinkAddUser
-URL=username:[email protected]://MachineName:19005
-GLS=Good Mobile Messaging Server Name
[-UserDisplayName=User Domino Abbreviated Name]
[-UserAlias=User Short Name]
-UserDN=User Canonical Name
-LogFile=Log File Path
username:password@MachineName:portnumber - The user must have a role
assigned for the GMC Server. https://MachineName:19005 points to the
webservice secure endpoint, port 19005.
Good Mobile Messaging Server Name - Name of the Good Mobile Messaging
Server to add the user. If -GAS is included in the command line, this
value cannot be empty.
User Domino Abbreviated Name - Display name of the user as specified in
the Person document of the user in the Domino Directory.
Example: Julia Herlihy/Sales/East/Home/US.
User Short Name - ShortName or UserID of the user: The ShortName field
from the Person Document of the user in the Domino Directory.
User Canonical Name - User Canonical name is the UUID (the user's “User
Name” or the FullName field from the Person Document of the user listed
in the Domino Directory).
Example: CN=Julia Herlihy/OU=Sales/OU=East/O=Home/C=US. This is required.
• Common name (CN) - Corresponds to a user's name or a server's name.
All names must include a common name component.
• Organizational unit (OU) - Identifies the location of the user or
server in the organization. Domino allows for a maximum of four
organizational units in a hierarchical name. Organizational units are
optional.
• Organization (O) - Identifies the organization to which a user or
server belongs. Every name must include an organization component.
• Country (C) - Identifies the country in which the organization exists.
The country is optional.
Log File Path - Errors and warnings are appended to this file. The file
will not be overwritten. A valid pathname is required. The path cannot
be a network path; it must be on the local machine.
Example 1:
GoodLinkAddUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -UserDisplayName="" -UserAlias="" -PolicySet="Test Policy" -LogFile=GoodLinkAddUser.log
Example 2:
GoodLinkAddUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -UserDisplayName="" -UserAlias="" -PolicySet="Test Policy" -LogFile=GoodLinkAddUser.log
Example 3:
GoodLinkAddUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -UserDisplayName="" -UserAlias="" -PolicySet='Default Policy' -LogFile=GoodLinkAddUser.log
Example 4:
GoodLinkAddUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -UserDisplayName="" -PolicySet="Test Policy" -LogFile=GoodLinkAddUser.log
Example 5:
GoodLinkAddUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -GIS=GIS1 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -UserDisplayName="" -PolicySet="Test Policy" -AdditionalHH=true -LogFile=GoodLinkAddUser.log
GoodLinkDeleteUser
This program deletes a user that was Good Messaging-enabled. All
errors are logged into a file. On successful completion, the program
will remove the user from the GMC Console, and the handheld will
receive a disconnect message.
The command-line machine must have GMC Server installed on it.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have
“Delete User” rights for Good Messaging (to test, attempt to add a
user from the Console).
Syntax:
GoodLinkDeleteUser
-URL=username:[email protected]://MachineName:19005
[-UserDisplayName=User Domino Abbreviated Name]
[-UserAlias=User Short Name]
[-UserDN=User's Canonical Name]
-LogFile=Log File Path
All parameters are case insensitive. All parameters must be specified
even if they are empty.
user:[email protected] URL:portnumber - The user must have a role assigned
for the GMC Server. URL:19005 points to the webservice secure endpoint,
port 19005.
User Domino Abbreviated Name - Abbreviated name of the user as specified
in the Person document of the user in the Domino Directory.
Example: Julia Herlihy/Sales/East/Home/US.
User Short Name - ShortName or UserID of the user: The ShortName field
from the Person Document of the user in the Domino Directory.
User Canonical Name - User Canonical name is the UUID (the user's “User
Name” or the FullName field from the Person Document of the user listed
in the Domino Directory).
Example: CN=Julia Herlihy/OU=Sales/OU=East/O=Home/C=US
• Common name (CN) - Corresponds to a user's name or a server's name.
All names must include a common name component.
• Organizational unit (OU) - Identifies the location of the user or
server in the organization. Domino allows for a maximum of four
organizational units in a hierarchical name. Organizational units are
optional.
• Organization (O) - Identifies the organization to which a user or
server belongs. Every name must include an organization component.
• Country (C) - Identifies the country in which the organization exists.
The country is optional.
Log File Path - Errors and warnings are appended to this file. The file
will not be overwritten.
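The following Python sketch is an added example, not part of the Good utilities. It checks a name against the CN/OU/O/C rules given in the parameter tables for GoodLinkAddUser and GoodLinkDeleteUser and derives the abbreviated form. The function names are hypothetical, the component order is assumed from the table's example, and only the CN=/OU=/O=/C= form is covered.

```python
MAX_OUS = 4  # "a maximum of four organizational units in a hierarchical name"

# Assumed component order, taken from the table's example:
# CN=Julia Herlihy/OU=Sales/OU=East/O=Home/C=US
_RANK = {"CN": 0, "OU": 1, "O": 2, "C": 3}


def parse_canonical(name):
    """Split a canonical name into components; raise ValueError on a rule violation."""
    parts = {"CN": None, "OU": [], "O": None, "C": None}
    last_rank = -1
    for piece in name.split("/"):
        key, sep, value = piece.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or key not in _RANK or not value:
            raise ValueError("unrecognized component: %r" % piece)
        if _RANK[key] < last_rank:
            raise ValueError("%s component is out of order" % key)
        last_rank = _RANK[key]
        if key == "OU":
            parts["OU"].append(value)
        elif parts[key] is not None:
            raise ValueError("duplicate %s component" % key)
        else:
            parts[key] = value
    if parts["CN"] is None:
        raise ValueError("common name (CN) is required")
    if parts["O"] is None:
        raise ValueError("organization (O) is required")
    if len(parts["OU"]) > MAX_OUS:
        raise ValueError("more than %d organizational units" % MAX_OUS)
    return parts


def to_abbreviated(name):
    """Return the abbreviated form, e.g. Julia Herlihy/Sales/East/Home/US."""
    p = parse_canonical(name)
    fields = [p["CN"]] + p["OU"] + [p["O"]]
    if p["C"]:
        fields.append(p["C"])
    return "/".join(fields)


def check(name):
    """Return None if the name is acceptable, else the reason it was rejected."""
    try:
        parse_canonical(name)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for candidate in ("CN=Julia Herlihy/OU=Sales/OU=East/O=Home/C=US",
                      "OU=Sales/O=Home",          # constructed: no CN
                      "CN=Test User/C=US"):       # constructed: no O
        print(candidate, "->", check(candidate) or to_abbreviated(candidate))
```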
Example 1:
GoodLinkDeleteUser -Url=username:[email protected]://localhost:19005 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=test -LogFile=GoodLinkDeleteUser.log
Example 2:
GoodLinkDeleteUser -Url=username:[email protected]://localhost:19005 -GUID=4DC18D5E-F30D-4A01-8210AD5615B0C9C1 -LogFile=GoodLinkDeleteUser.log
GoodLinkQueryUser
GoodLinkQueryUser takes an existing user's identity and outputs the
essential attributes for that user into a simple XML file.
The command-line machine must have GMC Server installed on it.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have,
at the minimum, “View only Administration” rights for Good
Messaging.
Running the command-line tool without any options prints its usage.
Syntax:
GoodLinkQueryUser
-URL=username:[email protected]://MachineName:19005
[-UserDisplayName=User Domino Abbreviated Name]
[-UserAlias=User Short Name]
-UserDN=User's Canonical Name
-EncodeString=0 or 1. Format in HTML
-XMLOutFile=XML Output File Path
-LogFile=Log File Path (all errors logged)
-UserDisplayName, -GUID, -UserDN, or -HHSS1No must be
provided.
If the HHSlNO parameter is specified with a value, to specify a
handheld serial number instead of user parameters, then -GUID,
-UserDisplayName, -UserAlias, and -UserDN must be set to empty.
The -EncodeString option (if set to 1) escapes non-alphanumeric
characters with % sign (e.g., %20 for the space character) as in the
HTML specification for string values in the output XML file. This
option can be used based on the type of XML parser that you will use.
We recommend setting this to 0.
If the program is run against a non-Good Messaging-enabled user,
the program terminates with an error
GDLINK_ERR_USER_NOT_GL_ENABLED code (error code
0x80040951).
XML file format
The format is simple, with a set of user properties under <user> tag.
The file can be parsed by the simplest XML parser.
Each property has a name, data type, and value. The data type is set
to "string."
Following is a sample output XML file for a user/handheld enabled
for OTA but not yet set up. -EncodeString is set to 0.
<?xml version="1.0" ?>
<user>
  <UserDisplayName type="string">bhattreo650</UserDisplayName>
  <UserAlias type="string">BhatTreo650</UserAlias>
  <UserDN type="string">/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=BhatTreo650</UserDN>
  <UserEmail type="string">[email protected]</UserEmail>
  <OTAEnabled type="string">1</OTAEnabled>
  <OTAPin type="string">blb26lh1j37km2b</OTAPin>
  <OTAURL type="string">https://good.com/ota</OTAURL>
  <GoodLinkServerName type="string">SBHATXP</GoodLinkServerName>
  <GoodLinkServerVersion type="string">4.5.0.0</GoodLinkServerVersion>
  <HHSlNo type="string"></HHSlNo>
  <HHType type="string"></HHType>
  <HHPhoneNo type="string"></HHPhoneNo>
  <HHNetworkName type="string"></HHNetworkName>
  <GoodLinkClientVersion type="string"></GoodLinkClientVersion>
  <UserDepartment type="string"></UserDepartment>
  <GoodAccessServerName type="string">GA-SBHATXP</GoodAccessServerName>
</user>
Notes:
• If the -EncodeString is set to 1, the string value will be encoded
with HTML escaping rules. For example, in the above case, the
UUID of
/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=BhatTreo650
will look like
%2Fo%3DDev%20Eng%20Good%20Technology%2Fou%3DSite1%2Fcn%3DRecipients%2Fcn%3DBhatTreo650
• OTAEnabled specifies whether the user is OTA enabled. If it is 1,
then the user is enabled. 0 means not enabled.
• OTAPin is the setup PIN. If the Windows user that executes the
utility does not have “View user provisioning credentials” rights
in GMC->Roles->Rights, this field will be empty.
• OTAURL is the location from which the Good Messaging OTA
setup stub can be downloaded.
• The HHxxxx properties are handheld properties. They will be
available once the handheld is fully set up.
• EraseDataRequested can be 0=False or 1=True.
• EraseDataState is a string that shows the EraseData transaction
state. This state value is valid only if EraseDataRequested is True.
The following strings are possible:
"Erase requested" - A request to EraseData is made by GMC
Server to the Good Mobile Messaging Server.
"Erase sent to handheld" - Good Mobile Messaging Server sent a
wireless request to the handheld.
"Erase Confirmed by handheld" - Handheld received the request
and erased the data on the handheld.
"Error" - There was an error processing this request.
Example:
GoodLinkQueryUser -Url=username:[email protected]://localhost:19005 -GLS=GLS1 -UserDisplayName="Test User" -UserAlias=tuser -UserDN="/o=OrgRoot/ou=Site1/cn=Recipients/cn=tuser" -XMLOutFile=tuser.xml -EncodeString=0 -LogFile=GoodLinkQueryUser.log
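The following Python sketch is an added example, not part of the Good utilities. It reads an output file in the <user> layout described above, decodes values written with -EncodeString=1, applies the interpretation rules from the Notes, and masks the OTA PIN before the record is logged or passed on. The function names are hypothetical and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# The EraseDataState strings listed in the Notes above.
ERASE_STATES = ("Erase requested", "Erase sent to handheld",
                "Erase Confirmed by handheld", "Error")

# Constructed sample in the documented layout, as if written with
# -EncodeString=1. All values, including the PIN, are invented.
SAMPLE_XML = """<?xml version="1.0" ?>
<user>
  <UserDisplayName type="string">Test%20User</UserDisplayName>
  <UserAlias type="string">tuser</UserAlias>
  <UserDN type="string">%2Fo%3DOrgRoot%2Fou%3DSite1%2Fcn%3DRecipients%2Fcn%3Dtuser</UserDN>
  <OTAEnabled type="string">1</OTAEnabled>
  <OTAPin type="string">examplepin00000</OTAPin>
  <HHSlNo type="string"></HHSlNo>
  <HHType type="string"></HHType>
  <EraseDataRequested type="string">1</EraseDataRequested>
  <EraseDataState type="string">Erase%20sent%20to%20handheld</EraseDataState>
</user>
"""


def load_user(xml_text, encoded=False):
    """Return the properties under <user> as a dict of strings.

    Set encoded=True for files written with -EncodeString=1 so that
    %xx escapes (for example %20 for a space) are decoded.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "user":
        raise ValueError("expected <user> root element, got <%s>" % root.tag)
    props = {}
    for element in root:
        value = (element.text or "").strip()
        props[element.tag] = unquote(value) if encoded else value
    return props


def summarize(props):
    """Apply the interpretation rules from the Notes to one user record."""
    erase_requested = props.get("EraseDataRequested") == "1"
    # EraseDataState is valid only when EraseDataRequested is True.
    state = props.get("EraseDataState", "") if erase_requested else None
    if erase_requested and state not in ERASE_STATES:
        state = "unrecognized: %r" % state
    return {
        "user_dn": props.get("UserDN", ""),
        "ota_enabled": props.get("OTAEnabled") == "1",
        # HHxxxx properties are filled in once the handheld is fully set up.
        "handheld_set_up": any(v for k, v in props.items() if k.startswith("HH")),
        # OTAPin is empty when the caller lacks the right to view it.
        "pin_visible": bool(props.get("OTAPin")),
        "erase_state": state,
    }


def redacted(props):
    """Copy of the record with the setup PIN masked, for logs and tickets."""
    out = dict(props)
    if out.get("OTAPin"):
        out["OTAPin"] = "<redacted>"
    return out


if __name__ == "__main__":
    user = load_user(SAMPLE_XML, encoded=True)
    print(summarize(user))
    print(redacted(user))
```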
nGMMTool
nGMMTool tests Good Mobile Message connectivity with the
Domino server hosting mailboxes and reports the time taken for the
Good Domino NRPC calls from the GMM server to a specific Domino
server (Primary servers).
Run the utility from the installed Server bin directory.
Syntax:
nGMMTool.exe -s Domino server name [-d dbname.nsf] [-t n]
Optional switches are not case sensitive and can be entered in any
order or combination.
-s Domino server name - System IP address or fully qualified domain
name of the Domino server machine. The switch is not case sensitive.
-d - Checks accessibility to the User Notes file database dbname.nsf.
Default is log.nsf. Use the mail-file directory name, as shown in the
example below.
-t n - Reports access timings for NRPC calls to the database. n = 0 or 1.
0 disables the display of NRPC call timings; 1 enables the display of
NRPC call timings.
Example:
nGMMTool.exe -s 172.27.65.85 -d mail/log.nsf -t 1
For help and usage details, run the command without parameters.
Usage Scenarios
Scenario 1: Using the tool without optional parameters to obtain
connectivity and Domino server availability status.
Syntax:
nGMMTool.exe -s Domino server Id
Example:
nGMMTool.exe -s 172.27.65.85
172.27.65.85 - IP address of the server where Primary Domino Server
is running or name of the server (FQDN).
Scenario 2: Using the tool with optional parameter(s) to check the
User Notes database file availability.
Syntax:
nGMMTool.exe -s Domino server name/IP [-d dbname.nsf]
Example:
nGMMTool.exe -s 172.27.65.85 -d log.nsf
The switch is not case sensitive.
log.nsf is used to check the Log database file. For example, to check
for a user with short name user105, replace "log.nsf" with
"mail/user105.nsf"
Scenario 3: Using the tool with the optional parameter -t to check for
response time.
Syntax:
nGMMTool.exe -s Domino server name [-t n]
Example:
nGMMTool.exe -s 172.27.65.85 -d mail/user105.nsf -t 1
The switch is not case sensitive.
Scenario 4: Changing the combination/order of optional parameters.
nGMMTool.exe -s 172.27.65.85 -t 1 -d mail/user105.nsf
or
nGMMTool.exe -s 172.27.65.85 -d mail/user105.nsf -t 1
Notes
If the Domino Primary is not accessible, the tool displays the
following message.
Possible Reasons: Domino primary server is down or path not found.
If the Domino Secondary server is down, the tool prompts for the
Primary Domino Server Admin Password.
UserProfilechkTool
UserProfilechkTool tests for user profile availability. It also displays
active profile type (Roaming or Inotes) with complete profile details.
It tests Journal/Contacts accessibility for both types. If more than one
user exists with the same short name (across Organizational Units)
under a domain, all such user details are reported.
Run the utility from the installed Server bin directory.
Syntax:
userProfilechkTool.exe -s Domino server IP address -u user short name
Both parameters are mandatory. They can be used in any order.
-s Domino server name - System IP address or fully qualified domain
name of the Domino server machine. The switch is not case sensitive.
-u user short name - User short name as saved in the Domino server
user profile. The switch is not case sensitive.
Example:
UserProfileCheckTool -s 172.16.8.32 -u nk
For help and usage details, run the command without parameters.
Usage Scenarios
Scenario 1: Displaying user profile details
In this example, an iNotes user with short name nk.
Scenario 2: Displaying user profile details
In this example, a roaming user with short name rkanth.
Scenario 3: More than one user exists with the same name.
If more than one user exists in the server with the same name under a
domain across different OUs, all such user profile details are
displayed.
Notes
If a user doesn't exist, the tool displays the following message.
GoodLinkEraseData
Issues an Erase Data command to a Good Messaging handheld to
wipe all data on the handheld. Erasing and disabling the handheld in
most cases hard resets it, removing all data and returning the device
to its factory defaults. In all cases it erases all Good data from the
handheld. For Windows Mobile devices, any SD card is also erased.
Use GoodLinkQueryUser to query the status of the Erase Data
request (see the EraseDataRequested and EraseDataState
explanations there).
The command-line machine must have GMC Server installed on it.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have
either Administrator rights or the “Erase handheld data and lock out
user” right for Good Messaging.
Running the command-line tool without any options prints its usage.
Syntax:
GoodLinkEraseData
-URL=username:[email protected]://MachineName:19005
[-UserDisplayName=User Domino Abbreviated Name]
[-UserAlias=User Domino Alias]
[-UserDN=User Domino UUID]
-LogFile=Log File Path
LogFile must be specified; all errors are logged.
Example 1:
GoodLinkEraseData -Url=emfadmin:[email protected]://localhost:19005 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=testUser -LogFile=GoodLinkEraseData.log
Example 2:
GoodLinkEraseData -Url=emfadmin:[email protected]://localhost:19005 -GUID=4DC18D5E-F30D-4A01-8210AD5615B0C9C1 -LogFile=GoodLinkEraseData.log
GoodLinkRegenOTAPIN
Issues a new OTA PIN for a user. Analogous to the right-click menu
item Regenerate Provisioning PIN in the GMC Console, when a user
in the user list is selected.
The command-line machine must have GMC Server installed on it.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have
“View user OTA Setup PIN” rights for Good Messaging.
Running the command-line tool without any options prints its usage.
Syntax:
GoodLinkRegenOTAPIN
-URL=username:[email protected]://MachineName:19005
-GUID=string
[-UserDisplayName=User Domino Abbreviated Name]
[-UserAlias=User Domino Alias]
[-UserDN=User Domino UUID]
-SendEmail=0|1
-LogFile=Log File Path
SendEmail sends the OTA email with the new PIN to the user.
1=Send, 0=Do not send.
LogFile must be specified; all errors are logged.
Example 1:
GoodLinkRegenOTAPIN -Url=username:[email protected]://localhost:19005 -UserDN=/o=Dev Eng Good Technology/ou=Site1/cn=Recipients/cn=testUser -LogFile=GoodLinkRegenOtapin.log
Example 2:
GoodLinkRegenOTAPIN -Url=username:[email protected]://localhost:19005 -GUID=4DC18D5E-F30D-4A01-8210AD5615B0C9C1 -LogFile=GoodLinkRegenOta.log
GoodLinkUpdateUser
Enables/disables Good Intranet once a user is already Good
Messaging-enabled.
The command-line machine must have GMC Server installed on it.
Run the utility from the installed Server bin directory.
The user or thread/process/CGI that launches this utility must have
“Add user for OTA Setup” rights for Good Messaging.
If you run this utility to disable Good Intranet for a user but then
decide to re-enable the user, wait at least ten minutes before running
the utility again to do so.
Running the command-line tool without any options prints its usage.
Syntax:
GoodLinkUpdateUser
-URL=username:[email protected]://MachineName:19005
-GMS=hostname
-UserDisplayName=DisplayName
-UserAlias=Alias
-UserDN=DN
-LogFile=filepath
[-GIS=Good Intranet Server Name | -GMMServer=GMM Server Name]
hostname - The hostname (NetBIOS or Fully Qualified Domain Name)
of the GMC Server. If the GMC Server is local, you can specify "".
DisplayName - User display name in Domino. Parameter must be
specified even if empty.
Alias - User alias in Domino. Parameter must be specified even if
empty.
DN - UUID in Domino. Parameter must be specified even if empty.
Form:
/o=Good/ou=BusDev/cn=Recipients/cn=myalias
Specify -GIS only if it needs to be enabled or disabled. If Good Intranet
Server Name is specified as "", the user will be disabled from Good
Intranet.
Specify -GMMServer to request the GMM system to change user to
the specified GMM Server Name server.
filepath - Errors and status will be logged in this file.
Example: Enabling Good Intranet Server
GoodLinkUpdateUser -Url=username:[email protected]://localhost:19005 -LogFile=GoodLinkupdate.log -GUID=B06A6CD0-759C-4332-9665-729787CFB27E -GIS=MyGoodIntranetServer
Example: Disabling Good Intranet Server
GoodLinkUpdateUser -Url=username:[email protected]://localhost:19005 -LogFile=GoodLinkupdate.log -GUID=B06A6CD0-759C-4332-9665-729787CFB27E -GIS=""
Example: Changing to another GMM server
GoodLinkUpdateUser -Url=username:[email protected]://localhost:19005 -LogFile=GoodLinkupdate.log -GUID=B06A6CD0-759C-4332-9665-729787CFB27E -GMMServer=GMMSERVER2
Example: Changing the policy set
GoodLinkUpdateUser -Url=username:[email protected]://localhost:19005 -LogFile=GoodLinkupdate.log -GUID=B06A6CD0-759C-4332-9665-729787CFB27E -PolicySet=PolicySet
gmexportstats
You can export handheld user and server information to a file in CSV
format using the command-line utility gmexportstats, installed
with Good Messaging, for backup and audit use. You can use
Windows Scheduler to run the utility on an automated basis. You can
export the following information:
• User list
• User statistics
• User software policy settings and status
To export user or server information to a file:
1. Open a command shell (CMD.EXE) on a GMC Server or GMC
Console host.
2. Go to the GMC Server installation \bin directory.
3. Run gmexportstats using the following syntax:
gmexportstats
-URL=username:[email protected]://MachineName:19005
-[autogenerate=yes|no]
-file=filepath
-clearstat=yes|no
-LogFile=log location
[-exporttype=type]
[-gls=Good Mobile Messaging Server name]
user:[email protected]:19005 - The user must have a role assigned
for the GMC Server. URL:19005 points to the web service secure
endpoint (port 19005).
filepath is the required full file path where the statistics file is to be
created. If the file exists, it will be overwritten. If the autogenerate
parameter is no, a filename must be included in the path; if
autogenerate is yes, the path must not include a filename.
If the required -autogenerate value is specified as “yes,” a file is
created in the directory specified by filepath. filepath cannot be the
root (C:\). The filename format is 'YYYY-MM-DD.hh-mm-ssmmmm.csv' and is based on local time. If the autogenerate value
is “no,” the filename that you provide in filepath is used.
If the -clearstat value is specified as “yes,” the user statistics
counters will be reset after exporting. This parameter is required if
exporttype is specified as “userstats.” Otherwise, it is ignored.
Possible values for the optional exporttype parameter:
userlist - Exports Good Messaging-enabled user list. This option
outputs minimal user information. Similar to the GMC Console
menu command “Import/Export Actions->Export Handhelds to
file.”
userstats - Exports user statistics.
usersoftware - Exports user software policy information.
The default for exporttype is userstats.
Good Mobile Messaging Server name: For exporttype “usersoftware,”
this optional parameter filters users only on the Good Mobile
Messaging Server specified.
LogFile: Pathname for the log file
Errors are logged with an .ERR extension in the directory where
the CSV file is created.
Column output:
userlist
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server, PolicySet,DN,Good Mobile Access, PolicySet GUID,GMM Server GUID,GMI Server GUID, Handheld GUID
userstats
Display Name,Alias Name,Serial No,Server Name,Handheld ID,Network ID,Phone,Handheld Type,Good Intranet Server,PolicySet,DN,Good Mobile Access,PolicySet GUID,GMM Server GUID,GMI Server GUID,Handheld GUID,Good Messaging Client Version,Last message received,Last message sent,Email messages sent,Email messages received,Last email message received,Last email message sent,Filtered email,Calendar messages sent,Calendar messages received,Last Calendar message received,Last Calendar message sent,Address Book messages sent,Address Book messages received,Last Address Book message received,Last Address Book message sent,Note messages sent,Note messages received,Last Note message received,Last Note message sent,Task messages sent,Task messages received,Last Task message received,Last Task message sent,Messages sent,Messages received,Handheld Policy State,Domino Server,Domino Server Version,Good Mobile Messaging Server Version,Handheld OS Version,Handheld ROM Version,Network Name,Firmware Version,Good Messaging Enabled Time,Good Messaging Provisioned Time,Provisioning state,OTA PIN State,OTA PIN Expire Time,Compliance Rule Error,Compliance Rule ErrorMsg,Good Messaging Client Language,Handheld OS Language,Department,Handheld Logging
usersoftware
Server Name,CurGLSServerVersion,Display Name,Alias Name,DN,Serial No,Handheld Type,Handheld Type Family,Type,Enabled,Handheld Family,Application ID,GUID,Application Name,Version,Status Time,Status,Low Level Error,Message,Installation Mandatory,Launch after Download
Examples:
gmexportStats
-URL=domain\gmcadmin:[email protected]://localhost:19005
-GLS=GLS1
-ExportType=UserStats
-file=c:\GoodLinkUserStats.csv
-LogFile=GMExportStats.log
-clearstat=no
Exports user statistics to the file named GoodLinkUserStats.csv
using the local GMC Server. The user statistics are not cleared
during the export.
gmexportStats
-URL=domain\gmcadmin:[email protected]://localhost:19005
-GLS=GLS1
-ExportType=UserList
-file=c:\GoodLinkUserList.csv
-LogFile=GMExportStats.log
-clearstat=no
Exports a user list to the file named GoodLinkUserList.csv using
the GMC Server on the local host. The user statistics are not
cleared during the export.
gmexportStats
-URL=domain\gmcadmin:[email protected]://localhost:19005
-GLS=GLS1
-ExportType=UserSoftware
-file=c:\GoodLinkUserSoftware.csv
-LogFile=GMExportStats.log
-clearstat=no
Exports user software policy information to the file named
GoodLinkUserSoftware.csv using the GMC Server located on
machine GLS01. The user statistics are not cleared during the
export.
gmexportstats
-URL=domain\gmcadmin:[email protected]://localhost:19005
-autogenerate=yes
-ExportType=usersoftware
-file="C:\SWSettings\GLS01 Software\UserStates"
-GLS=GLS01
-LogFile=GMExportStats.log
-clearstat=no
Exports the user software policy settings and status to the
directory C:\SWSettings\GLS01 Software\UserStates with
an automatically generated name using the GMC Server
located on machine GLS01. Filter only users who are set up
on the Good Mobile Messaging Server named GLS01. The
user statistics are not cleared during the export.
GdGLSConnect
GdGLSConnect tests connectivity from the server that it is running
on to the Good Data Center.
Run this tool from the command line. GdGLSConnect is available
under the util\ folder in the Good Mobile Messaging Server installed
location. To run the utility on a different computer, you must copy all
of the files (including all dll’s) from the util directory.
Syntax:
GdGLSConnect.exe -k login key -l license_key -s serial_number
[-p product name] [-u ‘url’] [-n requests] [-w seconds] [-t] [-d] [-g]
where:
-k login key specifies the product login key. The key is stored in the
following registry key on the Good Mobile Messaging Server host
machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Good Technology\GoodLink Install Parameters
or
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters
-l license key specifies the product license key.
-s serial number specifies the product serial number in
serialNumber.hostname format
-u ‘url’ optionally specifies the Good Network Operations
Center url (defaults to 'https://xml28.good.com/').
-n number of requests optionally specifies the number of times the
request is issued (defaults to 1).
-w seconds between requests optionally specifies the time between
requests in seconds when more than one is issued (defaults to 30).
-t turns on tracing.
-d turns on debugging.
-g checks connectivity to a datacenter using the gdrpc
Example output:
gdglsconnect built Nov 2 2004 at 14:17:12
Will test using
Version 4.8.0.0
URL: https://qa2xml.qa2.good.com/
SerialNumber: QA00000001
LicensKey: ASIA-ASIA-ASIA-ASIA-ASIA-ASIA
Number: 1
Timout: 20
CurDir is C:\Program Files\Good Technology\Good Mobile Messaging Server\util
SSL dir set to C:\Program Files\Good Technology\Good Mobile Messaging Server\etc\ssl
SSL library databases initialized OK
Attempting first connection to https://qa2xml.qa2.good.com/
Initial connect to https://qa2xml.qa2.good.com/ okay.
OK (12 ms)
I made 1 operation requests, and all of them succeeded.
PASS
Starting Good Data Center address range check...
We are not using proxy server to get to the Good
Data Center...
checkIPRanges took 1 seconds
protocol:HTTP address:gw1.dev1.good.com port:10000
IPRange:172.18.7.31:172.18.7.32 isproxy:0 error:0
error String:errOk
protocol:HTTP address:gw2.dev1.good.com port:10000
IPRange:172.18.7.31:172.18.7.32 isproxy:0 error:0
error String:errOk
protocol:HTTP address:gw2.dev1.good.com port:10003
IPRange:172.18.7.31:172.18.7.32 isproxy:0
error:65538 error String:errNetConnect
Good Data Center address range check for 1 out of 3 range *** FAILED ***
===============================================
Testing retrieving device list from Orca.
Deleted device.xml file from previous run.
2005-12-30 11:38:54 -08:00 getDeviceTable() STARTING
2005-12-30 11:38:54 -08:00 getDeviceTable() FINISH. Bytes Received: 78473
2005-12-30 11:38:54 -08:00 Start saving the device file.
2005-12-30 11:38:54 -08:00 Finished saving the device file.
Total time to download device table from Orca: 0 seconds.
**** GetDeviceList SUCCESS****
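When GdGLSConnect is run on several servers, the address range check in the example output above can be read by a script instead of by eye. The following Python code is an added example, not part of the Good utilities or of this guide; it parses the record layout shown in the sample output (embedded from the guide) and lists the Good Data Center endpoints whose check failed. It assumes that a nonzero error code or an error string other than errOk means failure, and the function names are hypothetical.

```python
import re

# Address range check portion of the guide's example output, wrapped as printed.
SAMPLE_OUTPUT = """\
Starting Good Data Center address range check...
We are not using proxy server to get to the Good
Data Center...
checkIPRanges took 1 seconds
protocol:HTTP address:gw1.dev1.good.com port:10000
IPRange:172.18.7.31:172.18.7.32 isproxy:0 error:0
error String:errOk
protocol:HTTP address:gw2.dev1.good.com port:10000
IPRange:172.18.7.31:172.18.7.32 isproxy:0 error:0
error String:errOk
protocol:HTTP address:gw2.dev1.good.com port:10003
IPRange:172.18.7.31:172.18.7.32 isproxy:0
error:65538 error String:errNetConnect
Good Data Center address range check for 1 out of
3 range *** FAILED ***
"""

# One record may wrap across lines, so fields are separated by any whitespace.
RECORD_RE = re.compile(
    r"protocol:(?P<protocol>\S+)\s+"
    r"address:(?P<address>\S+)\s+"
    r"port:(?P<port>\d+)\s+"
    r"IPRange:(?P<ip_range>\S+)\s+"
    r"isproxy:(?P<isproxy>\d+)\s+"
    r"error:(?P<error>\d+)\s+"
    r"error\s+String:(?P<error_string>\w+)"
)

# Only the FAILED summary form appears in the guide; other forms are not parsed.
SUMMARY_RE = re.compile(
    r"address range check for\s+(\d+)\s+out of\s+(\d+)\s+range\s+\*+\s*FAILED"
)


def parse_range_checks(text):
    """Return one dict per endpoint record found in GdGLSConnect output."""
    records = []
    for match in RECORD_RE.finditer(text):
        rec = match.groupdict()
        rec["port"] = int(rec["port"])
        rec["error"] = int(rec["error"])
        rec["isproxy"] = rec["isproxy"] != "0"
        # Assumption: success is error code 0 together with errOk.
        rec["ok"] = rec["error"] == 0 and rec["error_string"] == "errOk"
        records.append(rec)
    return records


def summarize(text):
    """List failed endpoints and compare the count with the tool's own summary."""
    records = parse_range_checks(text)
    failed = [r for r in records if not r["ok"]]
    match = SUMMARY_RE.search(text)
    reported = (int(match.group(1)), int(match.group(2))) if match else None
    return {
        "total": len(records),
        "failed": failed,
        "reported": reported,
        # A mismatch means the output was truncated or the layout changed.
        "consistent": reported is None or reported == (len(failed), len(records)),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT)
    for rec in result["failed"]:
        print(f"{rec['address']}:{rec['port']} ({rec['protocol']}) "
              f"range {rec['ip_range']} -> {rec['error_string']} ({rec['error']})")
```

Each failed entry names the host, port and IP range to compare against the outbound firewall rules for the server.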
uploadLog
uploadLog allows your Good Mobile Messaging Server diagnostic
files to be easily uploaded to the Good Network Operations Center
server. Use the utility to upload files when instructed to do so by
your authorized service representative.
Run this tool from the command line on the Good Mobile Messaging
Server to be diagnosed. uploadLog is available under the util\ folder
and bin\ folder in the Good Mobile Messaging Server installed
location.
Syntax:
uploadLog.exe
When you run the utility, the following screen is displayed:
You must be running the utility on the host machine for this Server.
Select the range of dates for the data to be included in the uploaded
file. If instructed to do so by your service representative, click the
check boxes to exclude (uncheck) System Event Log and/or
Application Event Log data. The check boxes are checked by default.
Diagnostic Log Files
The diagnostic log files that your service representative may ask you
to upload are created automatically by Good Mobile Messaging
Server and GMC Server during Server operation.
The location of the Good Mobile Messaging Server diagnostic files is
specified under the value "AccessLogDir" inside the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\Parameters\
uploadLog will retrieve the log files from this location.
Good Mobile Messaging Server diagnostic log files are named
servername.diagnosticsmm-dd-yy.hh-mm-ss.
The log files that you specified in the “To” and “From” fields will be
transferred.
All files transferred by default will be compressed in gzip format.
9 Using Standby Good Mobile Messaging Servers
This chapter describes how to install the Good Mobile Control (GMC)
Server and Good Mobile Messaging Server in a cluster environment.
In this chapter, Good Messaging components are referred to by their
former GoodLink names.
Good Mobile Messaging Server can be installed in the Microsoft
Windows 2003 Advanced server Cluster environment.
Two GoodLink Servers can be configured to run in a clustered
environment as Primary and Standby. GoodLink and Good Mobile
Control cluster tools are used to install and configure the integration
of these Servers into the cluster. Good Technology recommends that
the procedure provided in this document be performed by an
administrator experienced with Microsoft Clustering and GoodLink
Servers. When setting up GoodLink Servers in a clustered
environment for the first time, we recommend that the administrator first
do a dry run with a few users.
Good Mobile Messaging Server and the associated products are
supported on a two-node Active-Passive Cluster only on Windows
Server 2003 SP1 and above.
Note: When using shared storage across multiple computers, via a
solution such as NAS, SMB/CIFS servers, or Windows shared
folders, Windows must see the drive containing the Good cache files
as a block-level storage device, not as a file-level storage device. The
cache files cannot reside on a drive that is mapped as a network
drive. For example, NAS can be used if the cache is stored in a VMDK
and the VMDK resides on a NAS; however, the cache cannot be
stored directly on a shared drive residing on a NAS using SMB.
How the Microsoft Clustering Service
Works
This introduction is based on information provided by Microsoft
about Clustering services available with the Windows 2003
Advanced Server Operating System. For the latest information on
clusters, visit the Microsoft web site and search for information on
“how clustering works” in your environment.
The following links also provide useful information:
http://www.microsoft.com/windowsserver2003/techinfo/overview/clustering.mspx
http://download.microsoft.com/download/4/d/e/4de815ef-2904-420a-b726-e57de31ae63a/ClusteringOverview.doc
http://download.microsoft.com/download/0/a/4/0a4db63c-0488-46e3-8add-28a3c0648855/ServerClustersArchitecture.doc
A server cluster is a group of independent servers running Cluster
service and working collectively as a single system. Server clusters
provide high-availability, scalability, and manageability for resources
and applications by grouping multiple servers running Windows
2003 Advanced Server or Windows 2003 Datacenter Server.
The purpose of server clusters is to preserve client access to
applications and resources during failures and planned outages. If
one of the servers in the cluster is unavailable due to failure or
maintenance, resources and applications move to another available
cluster node.
A user guide describing how to configure Cluster services on the
Windows 2003 Server operating system can be downloaded from the
Microsoft site at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=96f76ed7-9634-4300-9159-89638f4b4ef7&displaylang=en
Hardware Requirements
• Two servers (see “Checking Prerequisites and System
Requirements” on page 35), preferably identical in hardware
configuration
- Each with two network cards
- Each with identical SCSI RAID controllers
- The internal disk configuration of each server can be either IDE
or SCSI
• External SCSI disk array with two SCSI ports
We recommend that you purchase a “cluster aware” SCSI disk
array. As always, prior to purchasing hardware that will run
Microsoft system software, be sure to check the Microsoft
Hardware Compatibility List (HCL)
(http://www.microsoft.com/whdc/hcl/default.mspx).
Operating System Requirements
• Windows 2003 Advanced Server Operating System SP1 or later
(32 bit version)
(Windows 2000/2003 Workstation and Windows 2000/2003
Standard Server do not support Microsoft clustering)
• Windows 2008 SP2 Cluster 64-bit
• Windows 2008 R2 Cluster 64-bit
Network Requirements
• A unique NetBIOS cluster name.
• Five unique, static IP addresses: two for the network adapters on
the private network, two for the network adapters on the public
network, and one for the cluster itself.
• A domain user account for Cluster service (all nodes must be
members of the same domain).
• Each node should have two network adapters—one for the
connection to the public network and the other for the node-to-node
private cluster network. If you use only one network adapter
for both connections, your configuration is unsupported. A
separate private network adapter is required for HCL
certification.
Shared Disk Requirements
• All shared disks, including the quorum disk, must be physically
attached to a shared bus. Network drives (or Network Attached
Storage (NAS)) are not supported; this includes NetApp filer,
known also as NetApp Fabric-Attached Storage (FAS), NetApp's
network attached storage (NAS) device. Verify that disks attached
to the shared bus can be seen from all nodes. This can be checked
at the host adapter setup level.
• SCSI devices must be assigned unique SCSI identification
numbers and properly terminated, as per manufacturer's
instructions.
• All shared disks must be configured as basic (not dynamic).
• All partitions on the disks must be formatted as NTFS.
While not required, the use of fault-tolerant RAID configurations is
strongly recommended for all disks. The key concept here is
fault-tolerant RAID configurations—not stripe sets without parity.
Other Mandatory Service Requirements and Software
Requirements
The two nodes/machines should be installed and configured for
Microsoft Clustering service as Active-Passive node only.
Good Mobile Messaging Server products 6.x and above use a SQL
Express/SQL database. The following must be installed as
prerequisites for installing SQL server:
• MSXML 6.0 Parser - This can be downloaded from:
http://support.microsoft.com/kb/933579
• Microsoft .NET Framework 2.0 SP1 and above
Note: During the installation of GMC Server, the setup program will
prompt you to download these components automatically.
Note: SQL Server 2005 Cluster and SQL Server 2008 SP2 Cluster are
supported.
Good Mobile Control and Good Mobile Messaging Server in a Clustered Environment
The following diagram illustrates a standard cluster configuration of
Good Mobile Control Server and Good Mobile Messaging Server:
Here, both Good Mobile Control and GoodLink Servers are installed
on Node 1 and Node 2. The shared disk stores the GoodLink Server
database for the users (the cache directory) and Good Mobile Control
cluster database files.
The Domino server on which Good Mobile Messaging Server or
GMC server runs is clustered as well. The Domino server is clustered
in active-passive configuration; active-active configuration is not
supported by Good Mobile Messaging Server in Domino
environment. A single license of the Domino server is needed for the
Domino clustering required by Good Mobile Messaging Server.
(Active-passive clustering does not require two separate Domino
Server licenses.)
The clustering service ensures that only one node is running the
Good Mobile Control and GoodLink service at a time. If a node fails,
then the Good Mobile Control and GoodLink service is started on the
other node.
There are three possible combinations of Good Mobile Control Server
and Good Mobile Messaging Server in a cluster configuration:
• Good Mobile Control Server in a cluster environment and Good
Mobile Messaging Server in a non-cluster environment on a
separate server. This is called a GMC Type A cluster.
• Good Mobile Messaging Server in a cluster environment and
Good Mobile Control Server in a non-cluster environment on a
separate server. This is called a GMM Type B cluster.
• Both Good Mobile Control Server and Good Mobile Messaging
Server in a cluster environment. This is called a Combo Type C
cluster.
The procedure described in the following sections assumes the
Combo Type C cluster where both Good Mobile Control Server and
Good Mobile Messaging Server are in a Cluster environment. If you
want to configure a GMC Type A cluster or a GMM Type B cluster,
you can do so by carefully choosing the installation environment. The
procedure remains the same for individual servers. For Type A and B
installations, one of the servers can be in a non cluster environment.
Installing the Domino Server, Good Mobile Control Server, and Good Mobile Messaging Server on a Cluster Node
Note: In addition to the prerequisites for the cluster mentioned in the
following sections, there are other prerequisites for installing
Good Mobile Messaging Server and Good Mobile Control Server,
as described in “Checking Prerequisites and System
Requirements” on page 35. After the necessary permissions and
setup are in place, the cluster environment is ready for you to install
Domino Server, Good Mobile Messaging Server, and Good Mobile
Control Server.
To install the Domino Server, GMC Server, and Good Mobile
Messaging Server on a cluster node:
1. Ensure that you have installed the Microsoft Cluster Service onto
both nodes, and that the cluster services are running. You should
see a configuration similar to the following when running the
Microsoft Cluster Administrator.
2. Verify that the resource including the shared drive Q (Quorum
drive) exists within the Cluster Group. (Default is Cluster Group.)
3. Select one node and designate it as Primary. (In the previous
figure, the example node is SA1).
Installing Domino on the First Node
Make sure that the first node is the owner of the shared disk resource
that you want to use for this installation. You can verify this by
opening My Computer on the first node, which should allow you to
access the shared drive.
To install Domino on the first node:
1. Insert the Lotus Domino CD-ROM and start the Domino server
installation program as usual.
2. Read and accept the license terms.
3. Enter the user registration information.
4. In the Lotus Domino Installation window, select the program and
data directories to be used for the Domino server. Domino
program files should be installed on a non-shared drive. To allow
the other nodes in the Windows 2003 cluster to access the data
files when the Domino server fails over, the Domino data
directory must be installed on a shared drive.
For example, the shared data drive for the Domino server is drive
Q: here:
The following discussion assumes an active-passive configuration
is being installed. Good Messaging does not support active-active
configurations.
A good practice for data directory naming is to install the Domino
data files in the directory \lotus\Domino\data.
5. Click Next.
6. Select the type of setup you want by selecting either the Domino
Enterprise Server or the Domino Messaging Server radio button.
This procedure does not combine Domino clustering with MSCS,
so you do not need to install Domino Enterprise Server.
7. Click Next and complete the Domino Server installation.
Configuring Domino on the First Node
After you have successfully installed the Domino server code, you
need to configure it.
To configure Domino on the first node:
1. Start the Domino Server; when prompted to start as service or
application, choose the Run as Service radio button and Always as
service check-box option.
Make sure that you customize the port settings by disabling all
ports other than TCP/IP, as shown.
2. Change the Net Address from the local machine host name to the
host name registered for the Domino server in DNS. If the Domino
server name is not registered in DNS, you can enter the explicit IP
address created for the virtual Domino server using Cluster
Administration instead. MSCS supports only the TCP/IP protocol
for failover, so there is no need to define other protocols. In the
preceding figure, test.lab is the DNS to the cluster and not to a
specific machine.
Notes on INI and Domino Service Configuration
• There are at least two IP addresses active on the Windows 2003
server that will run Domino. These are the server's public IP
address and the virtual server's IP address, created as a cluster
resource and reserved for Domino server usage. You must identify
the second one in NOTES.INI to avoid user connections through
an incorrect IP address. If this is not done, and users connect to the
Domino server through the local machine's IP address, those users
cannot fail over to the other node if/when the physical server
fails.
To identify the correct IP address, add the following setting in
NOTES.INI:
TCPIP_TCPIPAddress=0,a.b.c.d:0
where TCPIP is the port name to be defined. The IP address is
represented by a.b.c.d. The last parameter is the Notes IP port
number, which should be left as zero, and equates to the default
port, which is 1352. If you choose to set the port number to
something other than 1352, you need to add the same definition to
each and every Notes client that will connect to the server.
Example:
TCPIP_TCPIPAddress=0,9.24.104.6:0
• As both nodes in the cluster must have access to the same
NOTES.INI file, you should copy the NOTES.INI file from the
Domino program directory on the local drive to the Domino data
directory on the shared drive. You can use the following
command to do this:
c:\> copy c:\lotus\domino\notes.ini q:\lotus\domino\data\notes.ini
Also, you should update the Properties for the Lotus Domino
Server icon in the Start menu. The icon is normally located by
selecting Start -> Programs-> Lotus Applications -> Lotus Domino
Server.
Add the following parameter after the executable name:
=<path>\notes.ini
An example of the full command line is:
C:\Lotus\Domino\nserver.exe =q:\lotus\domino\data\notes.ini
• The Domino service parameter ImagePath in the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Domino Service Name>
must be updated to reflect the notes.ini from the shared drive.
Verifying the Domino Server Functionality
When you start Domino, you can check the server's port status by
issuing the following command from the Domino server console:
>show port tcpip
TCP/IP Port Driver
Transport Provider: TCP
Notes Session    Local Address      Foreign Address
08820001         9.24.104.6:1352    9.24.106.246:1121
08830002         9.24.104.6:1352    *:*
The output verifies that the Domino server is listening to the IP
address 9.24.104.6 and has an active session on TCP port 1352 with
foreign address 9.24.106.246, which in this case is the Domino
administration workstation used to run remote commands. If the
local address appears as *.*:1352, you need to check NOTES.INI and
correct any errors.
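The two checks described above (the TCPIP_TCPIPAddress entry in NOTES.INI and the local address reported by show port tcpip) can be scripted so that they are repeated on each node after installation. This Python code is an added example and is not part of Domino or the Good software; the function names, the sample NOTES.INI text and the failing console text are constructed, and the virtual IP is the guide's example address.

```python
import re

VIRTUAL_IP = "9.24.104.6"  # the guide's example virtual server address

# Constructed NOTES.INI fragment using the setting form given in the guide.
GOOD_INI = "[Notes]\nPorts=TCPIP\nTCPIP_TCPIPAddress=0,9.24.104.6:0\n"

# Console output as shown in the guide.
GOOD_CONSOLE = """\
>show port tcpip
TCP/IP Port Driver
Transport Provider: TCP
Notes Session    Local Address      Foreign Address
08820001         9.24.104.6:1352    9.24.106.246:1121
08830002         9.24.104.6:1352    *:*
"""

# Constructed failing case: the listener is bound to every local address.
BAD_CONSOLE = """\
>show port tcpip
TCP/IP Port Driver
Transport Provider: TCP
Notes Session    Local Address      Foreign Address
08830002         *.*:1352           *:*
"""

# <port name>_TCPIPAddress=0,a.b.c.d:port
INI_SETTING = re.compile(
    r"^[ \t]*(?P<port_name>\w+?)_TCPIPAddress[ \t]*=[ \t]*0[ \t]*,[ \t]*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Session rows start with an eight-digit hexadecimal session number.
PORT_ROW = re.compile(
    r"^[ \t]*(?P<session>[0-9A-Fa-f]{8})[ \t]+(?P<local>\S+)[ \t]+(?P<foreign>\S+)[ \t]*$",
    re.MULTILINE,
)


def check_notes_ini(ini_text, virtual_ip):
    """Return findings about the TCPIPAddress binding in NOTES.INI text."""
    findings = []
    matches = list(INI_SETTING.finditer(ini_text))
    if not matches:
        findings.append("no <port>_TCPIPAddress setting found in NOTES.INI")
    for m in matches:
        name = m.group("port_name")
        if m.group("ip") != virtual_ip:
            findings.append(
                f"{name}_TCPIPAddress binds {m.group('ip')}, expected virtual IP {virtual_ip}"
            )
        port = int(m.group("port") or 0)
        if port not in (0, 1352):
            # The guide: a non-default port must be defined on every Notes client.
            findings.append(
                f"{name}_TCPIPAddress uses port {port}; every Notes client needs the same definition"
            )
    return findings


def check_port_listing(console_text, virtual_ip):
    """Return findings about local addresses in 'show port tcpip' output."""
    findings = []
    rows = list(PORT_ROW.finditer(console_text))
    if not rows:
        findings.append("no session rows found in 'show port tcpip' output")
    for m in rows:
        host, _, port = m.group("local").rpartition(":")
        if host != virtual_ip:
            findings.append(
                f"session {m.group('session')}: local address {host}:{port} "
                f"is not the virtual IP {virtual_ip}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_notes_ini(GOOD_INI, VIRTUAL_IP) + check_port_listing(BAD_CONSOLE, VIRTUAL_IP):
        print("FINDING:", finding)
```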
Installing and Configuring Domino on the Second Node
After you have verified the Domino server functionality on the first
Windows 2003 cluster node, install the Domino program files on the
second cluster node. Follow these steps to install the Domino server
code on the second node:
1. Stop the Domino server you have just installed.
2. Move the resource group for the Domino server to the second
node in the cluster using the Cluster Administration tool.
3. After moving the resource group, including the disk and the IP
address, switch to the second node and install the Domino server
code in exactly the same way that you did for the first node.
Be sure to specify the same directories for the Domino program
and Domino data directories as on the first server. If you fail to do
so, the Domino server cannot fail over from one node to the other.
4. Because both nodes in the cluster must have access to the same
NOTES.INI file, you should update the Properties for the Lotus
Domino Server icon in the Start menu. The icon is normally
located by selecting Start -> Programs-> Lotus Applications ->
Lotus Domino Server.
5. Add the following parameter after the executable name:
=<path>\notes.ini
An example of the full command line is:
C:\Lotus\Domino\nserver.exe =q:\lotus\domino\data\notes.ini
6. The Domino service parameter ImagePath in the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Domino Service Name>
must be updated to reflect the notes.ini from the shared drive.
7. Start the Domino server and test the functionality as described for
the first node.
>show port tcpip
TCP/IP Port Driver
Transport Provider: TCP
Notes Session    Local Address      Foreign Address
08820001         9.24.104.6:1352    9.24.106.246:1121
08830002         9.24.104.6:1352    *:*
The output verifies that the Domino server is listening to the IP
address 9.24.104.6 and has an active session on TCP port 1352 with
foreign address 9.24.106.246, which in this case is the Domino
administration workstation used to run remote commands. If the
local address appears as *.*:1352, you need to check NOTES.INI
and correct any errors.
8. Add the Domino Server resource definition to the relevant
resource group, to complete the virtual server:
a. Run the Cluster Administration tool and select File -> New ->
Resource from the menu bar.
b. Enter the resource name “Domino Server Resource” for the
Domino server that you want to run as a Generic Service in the
Windows 2003 cluster.
c. Set the resource type to Generic Service from the Resource type
drop-down list and select the correct group from the Group
drop-down list. Click Next.
d. The Possible Owners dialog box is displayed. Both nodes
should be able to run Domino, which is the default. Click Next.
e. Click Next and the Dependencies window is displayed:
f. This dialog box allows you to specify those resources that must
be available (that is, active and online) before the Domino
Server itself can be brought online. Select the physical disk,
Cluster Name, and Cluster IP address resources from the
Available resources list and add them to the Resource dependencies list.
g. Click Next to display the Generic Service Parameters window.
h. Enter the service name for the Domino Server. The service
name must match the name for the Domino service, which can
be found in the Services window (opened by clicking Start ->
Settings ->Control Panel -> Administrative Tools -> Services).
The default name for the Domino service is Lotus Domino
Server, but it can vary, depending on the way you install Domino. If you look through the list of available services, the one
you need will be easy to find.
As we are creating an active-passive configuration, the
NOTES.INI file location is provided as the startup parameter. If
you are configuring a Domino server in an active-active Windows 2003 cluster, you will enter the name of the service for the
Domino server and leave the Start parameters field empty.
i. Click Next to display the Registry Replication settings. You do
not need to add registry replications for Domino servers.
j. Click Finish.
9. Add the GMM Domino Directory service resource definition to
the relevant resource group, to complete the virtual server:
a.
360
Run the Cluster Administration tool and select File -> New ->
Resource from the menu bar.
Good Mobile Messaging Administrator’s Guide
Installing the Domino Server, Good Mobile Control Server, and Good Mobile
b.
Enter the resource name “GMM Domino Directory service” for
the Domino directory service that you want to run as a Generic
Service in the Windows 2003 cluster.
c.
Set the resource type to Generic Service from the Resource type
drop-down list and select the correct group from the Group
drop-down list. Click Next.
d.
The Possible Owners dialog box is displayed. Both nodes
should be able to run Domino, which is the default. Click Next.
e.
Click Next and the Dependencies window is displayed:
This dialog box allows you to specify those resources that must
be available (that is, active and online) before the Domino
directory service itself can be brought online.
f.
Click Next to display the Generic Service Parameters window.
g.
Click Next to display the Registry Replication settings. You do
not need to add registry replications for Domino servers.
h.
Click Finish.
Installing Primary and Standby Good
Mobile Control Server on Cluster Nodes
To install the Primary GMC Server on a cluster node:
1.
Use Cluster Administrator to make sure that all of the resources,
such as network drive and shared disk, are owned by this node.
2.
Install the Primary GMC Server according to the instructions in
“Installing Good Mobile Control Server” on page 50.
While running the set up program, make sure you select the
following options:
a.
Select Yes at the following Installation dialog box to enable this
GMC Server to participate in failover:
b.
In the following dialog box, select Primary GMC Server
(Default):
c.
Click Yes in the following dialog box:
d.
In the following dialog box, choose a folder on the Q - Quorum
Drive. For example, Q:\GMC Server:
e.
Click Next.
f.
In the following dialog box, select License Key, Serial Number
and a Server name:
Note: The node host name can be different than the Server
name entered in this dialog box. The same GMC Server Name
will be entered again during the Standby server installation.
g.
Click Next and complete the installation of the Primary GMC
Server.
3.
After successfully installing the GMC Server, verify that the
administrator can log into the GMC Console.
For the GMC Server URL, we recommend that you use the unique
Netbios cluster name instead of an individual node name. For
example, use http://sacluster.testgood.com:8080 instead of
http://nodename:8080.
Note: The default URL to access the GMC Server Console is
http://clustername:8080 (The default port is 8080.)
To log into the GMC Server Console, use the GMC Superuser name
defined during installation. For more on the Superuser function, refer
to “The Superuser” on page 122.
Installing the Standby Good Mobile Control Server
To install the Standby GMC Server:
1.
After installing the Primary GMC Server, quit the Domino Server
and stop the GMC Server services in Windows Services on the
Primary node before installing the Standby GMC Server.
2.
Using the Cluster Administrator, change the group that contains
the resources to Standby GMC Server (the default cluster group).
Make sure that the second node (designated as Standby) is now
the owner of the Network and shared disk resources.
3.
Log into the Standby host machine and make sure the Standby
node is the owner of resources.
4.
Navigate to the directory on the shared Quorum Disk where the
GMC Server is installed.
5.
Delete the file called “emfdbfiles.lck”.
Important: Do not delete any other files. You must manually
delete this file which is created during the startup of the Primary
GMC Server before installing the Standby GMC Server. This file
will be recreated when the Standby GMC Server starts up later.
6.
After manually deleting “emfdbfiles.lck”, install the Standby
GMC Server according to the instructions in “Installing Good
Mobile Control Server” on page 50. During the Standby GMC
Server installation, specify the same license key, serial number,
and name of the Primary GMC Server. Also during installation,
specify the shared files in the same directory as for the Primary
GMC Server (the Q drive location).
The installer comes with default options that are required for the
Standby server. Please verify the details; in most cases no changes
are required.
7.
While running the set up program, make sure you select the
following options:
a.
Select Yes at the following Installation dialog box to enable this
GMC Server to participate in failover:
b.
In the following dialog box, select Standby GMC Server:
c.
Click Yes in the following dialog box:
d.
In the following dialog box, choose the same folder on the
Q - Quorum Drive as you specified for the Primary GMC
Server. For example, Q:\GMC Server:
e.
Click Next.
f.
In the following dialog box, select the same License Key, Serial
Number and the Server name that you specified for the
Primary GMC Server.
Note: If you specify a different server name, the Standby GMC
Server will not be installed.
g.
If you specified a proxy server during installation of the Primary GMC Server, then you must specify the same proxy
server during the installation of the Standby GMC Server.
Note: If your organization has more than one proxy server, do
not use any other proxy server during the Standby GMC
Server installation. You must use the same proxy server for the
Primary GMC Server and Standby GMC Server.
h.
Click Next and complete the installation of the Standby GMC
Server.
8.
After successfully installing the GMC Server, start the GMC
Server Service and make sure the services are up. Verify that the
administrator can log into the GMC Console.
For the GMC Server URL, we recommend that you use the unique
Netbios cluster name instead of an individual node name. For
example, use http://sacluster.testgood.com:8080 instead of
http://nodename:8080.
Note: The default URL to access the GMC Server Console is
http://clustername:8080 (The default port is 8080.)
To log into the GMC Server Console, use the GMC Superuser name
defined during installation. For more on the Superuser function, refer
to “The Superuser” on page 122.
Installing Good Mobile Control Cluster Tools and
Configuring Cluster Services
Before configuring cluster resources and tools, both the Primary and
Standby GMC Servers should be installed on both nodes.
To install GMC cluster tools and configure cluster services:
1.
Log on to the Primary GMC Server node.
2.
Verify the following:
• Both the Primary and Standby nodes are running and there are
no errors displayed in the Cluster Administrator.
• Using Cluster Administrator, confirm the Primary machine is
the owner of the cluster resources. If not, move the cluster
resources ownership from the Standby machine to the Primary
machine.
• GMC Server Services are stopped on both cluster nodes.
3.
Delete the lock file called “dbfiles.lck” from the shared drive Q:\.
Important: Before beginning the Cluster tool installation, you
must manually delete “dbfiles.lck”.
4.
Launch the “Good Mobile Control Cluster Tools” InstallShield
executable file GMCClusterTools-version.exe on the Primary
server. You will find the executable on the distribution media in a
tools directory.
5.
Proceed with installation. Select the path in the Q- Drive (Quorum
drive) when prompted for the location:
6.
Click Next and complete the installation.
The InstallShield program will install cluster script files that are
used to configure the GMC services and add support for
clustering for GMC Server in the Q:\GMC Server folder. When the
installation is complete, you will see a shortcut on the desktop
with a name such as “Good Mobile Control Cluster Setup”.
7.
Double-click this icon on the Primary server to integrate the GMC
services into the cluster.
A setup script is launched in a window. You will see the following
screen:
8.
Press the ENTER key. After a few seconds, the following screen
will appear if the script ran successfully:
9.
Press the ENTER key to complete the set up.
The script has now configured the GMC Service and GMC SQL
database server services and GMC Cache Lock on the cluster
nodes into the cluster environment.
10. Open Cluster Administrator.
You should see the following screen:
11. If any errors occur while running the script, follow the
instructions to fix the problem and then run the script again.
The installation of Good Mobile Control Server Cluster tool is
complete.
To make sure the services are started on the cluster:
1.
Using the Cluster Administrator, right click on each resource for
the GMC SQLServer Service, GMC Cache Lock, and GMC Server
services and bring them online.
2.
If any resource fails to run, check the Event Log for errors.
Services are installed and configured within the cluster. Using
Move Group, the administrator can change the ownership from
one node to the other.
The following screen indicates the services are up and running on
the node:
The cluster setup is now complete.
Installing Primary and Standby Good
Mobile Messaging Server on Cluster
Nodes
Before you begin installing Good Mobile Messaging Server on
Cluster Nodes, make sure the Domino Server service is not running
and the GMC Server Service is up and running. The GMC Server may
be installed on the Cluster itself, or it can be installed on a different
machine. The procedure in this section assumes both GMC Server
and Good Mobile Messaging Server are installed on cluster nodes
(COMBO C Type Cluster). For more information, see “Good Mobile
Control and Good Mobile Messaging Server in a Clustered
Environment” on page 346.
To install the Primary and Standby Good Mobile Messaging Server
on Cluster Nodes:
1.
Log into the Primary Node and make sure the Cluster resources
are owned by the Primary node.
2.
Previously, you installed and configured the GMC Server Service
on the Cluster. (See “Installing Primary and Standby Good Mobile
Control Server on Cluster Nodes” on page 363.) Make sure the
GMC Server service is running on the Primary Node.
3.
Install the Primary Good Mobile Messaging Server following the
instructions in “Installing Good Mobile Messaging Server” on
page 74.
4.
During Good Mobile Messaging Server installation, we
recommend that you select the Unique Netbios Cluster Name in
the following screen:
5.
During Good Mobile Messaging Server installation, make sure
you select the location for the GoodLink cache files to be on the
shared drive (Q- Quorum drive):
6.
When the Setup program asks you to specify the GMC Server,
enter the Cluster NetBios Name. (Do not specify the individual
node name.) In the following example, the cluster name is
SACLUSTER:
7.
At the end of the install, do not choose to start the Domino Server
and click on Finish.
8.
Move the Good Messaging database to the shared disk.
a.
Open the SQL Management Studio by navigating to Start -> Programs -> Microsoft SQL Server 2005 -> SQL Server Management Studio Express.
b.
In the Connect to server login dialog, select
<MACHINE_NAME>\GOODLINK as the Server Name and
choose Authentication as Windows Authentication.
Note: You should be a local administrator of the machine to
have access to the SQL Express server.
c.
In the Object Explorer pane, expand the Databases node, right-click goodlinkdb, select Tasks and then Detach.
d.
After selecting Detach, select Drop Connections and click OK.
e.
Move goodlinkdb.mdf and goodlinkdb_log.LDF from the
folder Program Files\Good Technology\GoodLink
Server\database\data\MSSQL.1\MSSQL\Data to the shared
cluster drive, e.g. Q:\Program Files\Good Technology\GoodLink Server\database. (You will need to create the folder
“database” before moving the files.)
f.
Using the SQL Server Management Studio Express, attach the
moved database back to the SQL Server.
g.
Right click the databases node, choose Attach in the Attach
Databases dialog box, click the Add button, and then choose
the database moved to the shared cluster drive. Click the OK
button. Once the database is attached, make sure that goodlinkdb is listed under the database node.
Verifying the Good Mobile Messaging Server Functionality
Verify that the Primary Good Mobile Messaging Server is working
properly. To do so, confirm that a handheld can send and receive
messages.
To verify the Primary Good Mobile Messaging Server is working
properly:
1.
Once the Good Mobile Messaging Server functionality is verified,
shut down the Domino Server.
2.
Navigate to Q Drive and the folder where the GMM Cache
Directory is located.
3.
Delete the “dbfiles.lck” file.
Important: Do not delete any other files.
Installation of the Primary GMM Server is now complete.
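The lock-file step above in guarded form, as an added PowerShell example that is not part of the Good installer or cluster tools: it deletes only the named lock file, and only after confirming that the listed services are stopped on every node. Node names, service display names and the cache path are placeholders to replace with your own values.

```powershell
# Added example. Placeholders (not from the guide): node names, service
# display names as shown in the Services window, and the cache directory.

function Get-RunningGoodService {
    # Emits one record for every listed service that is not in the Stopped state.
    param(
        [Parameter(Mandatory = $true)][string[]]$Nodes,
        [Parameter(Mandatory = $true)][string[]]$ServiceDisplayNames
    )
    foreach ($node in $Nodes) {
        foreach ($name in $ServiceDisplayNames) {
            # WMI is used so the same query covers the local and the remote node.
            $escaped = $name -replace "'", "\'"
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $node `
                       -Filter "DisplayName='$escaped'" -ErrorAction Stop
            # A service that is not installed on a node returns nothing and is
            # treated as not running (for example before the Standby install).
            if ($svc -and $svc.State -ne 'Stopped') {
                New-Object PSObject -Property @{
                    Node = $node; Service = $name; State = $svc.State
                }
            }
        }
    }
}

function Remove-GoodLockFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CacheDir,
        [Parameter(Mandatory = $true)][string[]]$Nodes,
        [Parameter(Mandatory = $true)][string[]]$ServiceDisplayNames,
        # Only the two lock-file names the guide mentions are accepted.
        [ValidateSet('dbfiles.lck', 'emfdbfiles.lck')]
        [string]$LockName = 'dbfiles.lck'
    )

    # Refuse to touch the lock while any listed service is still running.
    $busy = @(Get-RunningGoodService -Nodes $Nodes -ServiceDisplayNames $ServiceDisplayNames)
    if ($busy.Count -gt 0) {
        $list = ($busy | ForEach-Object { "$($_.Service) on $($_.Node) is $($_.State)" }) -join '; '
        throw "Refusing to delete ${LockName}: $list"
    }

    # Build the full path from the fixed file name; no wildcards are expanded.
    $lock = Join-Path -Path $CacheDir -ChildPath $LockName
    if (-not (Test-Path -LiteralPath $lock -PathType Leaf)) {
        Write-Verbose "$lock is not present; nothing to delete."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($lock, 'Delete lock file')) {
        Remove-Item -LiteralPath $lock
        return $true
    }
    return $false
}

# Example call (all values are placeholders); -WhatIf reports the action
# without deleting anything:
# Remove-GoodLockFile -CacheDir 'Q:\<cache directory>' -Nodes 'NODE1', 'NODE2' `
#     -ServiceDisplayNames 'Lotus Domino Server', '<Good service display name>' -WhatIf
```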
Installing Standby Good Messaging on the Second Cluster
Node
To install the Standby Good Messaging on the second cluster node:
1.
Log in to the Standby Node and make sure the Cluster resources
are owned by the Standby node.
2.
Previously, you installed and configured the GMC Server Service
on the Cluster. (See “Installing Primary and Standby Good Mobile
Control Server on Cluster Nodes” on page 363.) Make sure the
GMC Server service is running on the Standby Node.
Note: If the Primary GMC Server is running, move the resource
Group to the Standby node.
3.
Copy the LoginKey and its value found under
HKEY_LOCAL_MACHINE\SOFTWARE\Good
Technology\GoodLink Install Parameters from the registry of
node 1 to node 2. (You will need to create the registry hierarchy on
node 2.)
4.
Delete the lock file dbfiles.lck on the shared file server. By default
the file is found in installation_directory\cache\server_name\.
5.
Install the Standby Good Mobile Messaging Server following the
instructions in “Installing Good Mobile Messaging Server” on
page 74.
6.
During the Standby Good Mobile Messaging Server installation,
specify the same license key, serial number, and Server name that
you specified for the Primary Good Mobile Messaging Server. (For
example, SACLUSTER.) The name of the Standby server node can
be different.
Note: If you specify a different server name, the Standby Good
Mobile Messaging Server will not be installed.
7.
Also during installation, specify the shared files in the same
directory as for the Primary server (the Q drive location).
8.
If you specified a proxy server during installation of the Primary
Good Mobile Messaging Server, then you must specify the same
proxy server during the installation of the Standby Good Mobile
Messaging Server.
Note: If your organization has more than one proxy server, do not
use any other proxy server during the Standby GMC Server
installation. You must use the same proxy server for the Primary
Good Mobile Messaging Server and Standby Good Mobile
Messaging Server.
9.
Click Next.
10. Specify the Cluster name in the following Setup screen:
11. Click Yes in the following Setup screen to install the Standby Good
Mobile Messaging Server:
12. At the end of the install, do not choose to start the Domino Server.
13. (This step for Good Mobile Messaging Server version 1.0.3.50
only)
a.
After the GMM installation on the Standby Server, set the following registry key's value to match the corresponding value
on the primary server.
[HKEY_LOCAL_MACHINE\SOFTWARE\Good Technology\GoodLink Database] Key [Database]
b.
Use the GMM cluster install tools executable (GMMClusterTools-6.0.3.50.hfix.exe) supplied by the Good Technical Support team rather than the GMM Cluster Install tools
(GMMClusterTools-6.0.3.50.exe) that you have downloaded
from Good.com.
c.
Set the "RetryPeriodOnFailure" for the Cluster resource "Domino Server Resource" to a value equal to the "RestartPeriod"
property. You can use the following procedure:
Execute the following command from a DOS prompt:
cluster <CLUSTER_NAME> res "Domino Server Resource" /prop
Note the value of the "RestartPeriod" property and use that in
place of <TIME_IN_MILLI_SECONDS> in the next line.
Execute the following command from a DOS prompt:
cluster <CLUSTER_NAME> res "Domino Server Resource" /prop RetryPeriodOnFailure=<TIME_IN_MILLI_SECONDS>
14. Attach the Good Messaging database from the shared disk.
Installing using a remote SQL server is not supported when using
Microsoft clustering. Use local SQL Express.
a.
Open the SQL Management Studio by navigating to Start -> Programs -> Microsoft SQL Server 2005 -> SQL Server Management Studio Express.
b.
In the Connect to server login dialog, select
<MACHINE_NAME>\GOODLINK as the Server Name and
choose Authentication as Windows Authentication.
Note: You should be a local administrator of the machine to
have access to the SQL Express server.
c.
In the Object Explorer pane, expand the Databases node, right-click goodlinkdb, select Tasks and then Detach.
d.
After selecting Detach, select Drop Connections and click OK.
e.
Delete goodlinkdb.mdf and goodlinkdb_log.LDF from the
folder Program Files\Good Technology\GoodLink
Server\database\data\MSSQL.1\MSSQL\Data.
f.
Using the SQL Server Management Studio Express, attach the
moved database back to the SQL Server.
g.
Right click the databases node, choose Attach in the Attach
Databases dialog box, click the Add button, and then choose
the database moved to the shared cluster drive. Click the OK
button. Once the database is attached, make sure that goodlinkdb is listed under the database node.
h.
Start the Domino server on the Standby machine, which should
then start the Good Messaging services.
i.
Verify that the Standby Good Mobile Messaging Server is
working properly. To do so, confirm that a handheld can send
and receive messages. For an installation with a large number
of users, this may take some time.
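Steps 3 and 13a of the procedure above both copy a registry value from the Primary node to the Standby node. The following added PowerShell example (not part of the Good product) reads the value from the source node's registry and writes it to the local registry, creating the key hierarchy if needed, without writing the value to an export file. The node name NODE1 is a placeholder, and the example assumes the Remote Registry service on the source node is reachable.

```powershell
# Added example; run on node 2 as a local administrator.
# Assumption: the Remote Registry service is reachable on the source node.

function Copy-RemoteRegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$SourceNode,
        # Key path below HKEY_LOCAL_MACHINE, without the hive name.
        [Parameter(Mandatory = $true)][string]$SubKey,
        [Parameter(Mandatory = $true)][string]$ValueName
    )

    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $remote = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $SourceNode)
    $src = $null
    $dst = $null
    try {
        # Open the source key read-only.
        $src = $remote.OpenSubKey($SubKey)
        if ($null -eq $src) {
            throw "HKLM\$SubKey not found on $SourceNode"
        }
        if ($src.GetValueNames() -notcontains $ValueName) {
            throw "Value '$ValueName' not found under HKLM\$SubKey on $SourceNode"
        }

        # Preserve the value type (REG_SZ, REG_BINARY, ...) and read the raw
        # data, so that REG_EXPAND_SZ strings are copied unexpanded.
        $kind     = $src.GetValueKind($ValueName)
        $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $data     = $src.GetValue($ValueName, $null, $noExpand)

        # CreateSubKey opens the key if it exists and otherwise creates every
        # missing level of the hierarchy on the local node.
        $dst = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
        $dst.SetValue($ValueName, $data, $kind)

        # Report what was copied without echoing the value itself.
        New-Object PSObject -Property @{
            Source = $SourceNode
            Key    = "HKLM\$SubKey"
            Value  = $ValueName
            Kind   = $kind
        }
    }
    finally {
        if ($dst) { $dst.Close() }
        if ($src) { $src.Close() }
        $remote.Close()
    }
}

# Step 3: LoginKey under "GoodLink Install Parameters" (NODE1 is a placeholder).
# Copy-RemoteRegistryValue -SourceNode 'NODE1' `
#     -SubKey 'SOFTWARE\Good Technology\GoodLink Install Parameters' `
#     -ValueName 'LoginKey'

# Step 13a: Database under "GoodLink Database".
# Copy-RemoteRegistryValue -SourceNode 'NODE1' `
#     -SubKey 'SOFTWARE\Good Technology\GoodLink Database' `
#     -ValueName 'Database'
```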
Installing Good Mobile Messaging Server Cluster Tools and
Configuring Cluster Services
To install the Good Mobile Messaging Server Cluster Tools and
Configure Cluster Services:
1.
Log on to the Primary Good Mobile Messaging Server node.
2.
Verify the following:
• Both the Primary and Standby machines are running and there
are no errors displayed in the Cluster Administrator.
• Using Cluster Administrator, confirm the Primary machine is
the owner of the cluster resources. If not, move the cluster
resources ownership from the Standby machine to the Primary
machine.
• Good Mobile Control service is running on the Primary Node.
• Good Mobile Messaging Server Services are Stopped and
Services are set to Manual.
3.
Delete the lock file called “dbfiles.lck” from the shared drive Q:\.
Important: Before beginning the Cluster tool installation, you
must manually delete “dbfiles.lck”.
4.
Launch the “Good Mobile Messaging Server Cluster Tools”
InstallShield executable file GMMClusterTools-version.exe on the
Primary server. You will find the executable on the distribution
media in a tools directory.
5.
Select the path in the Q- Drive (Quorum drive) when prompted
for the location:
6.
Click Next and complete the installation.
The InstallShield program will install cluster script files that are
used to configure the Good Mobile Messaging Server services and
add support for clustering for GoodLink server. When the
installation is complete, you will see a shortcut on the desktop
with a name such as “Good Messaging Cluster Setup”.
7.
Double-click this icon on the Primary server to integrate the Good
Mobile Messaging Server services into the cluster.
A setup script is launched in a window. You will see the following
screen:
8.
Press the ENTER key. After a few seconds, the following screen
will appear if the script ran successfully:
9.
Press the ENTER key to complete the set up.
The script has now configured the GoodLink Server Service and
Goodlink Cache lock on the cluster nodes into the cluster
environment.
10. Open Cluster Administrator.
You should see the following screen:
11. If any errors occur while running the script, follow the
instructions to fix the problem and then run the script again.
12. Double-click the Good Messaging Service in the Dependencies
tab, click the Modify button, and then add Domino Server
Resource and Good Messaging Database as the dependencies.
The installation of Good Mobile Messaging Server Cluster tools
is complete.
To make sure the services are started on the cluster:
1.
Using the Cluster Administrator, right click on GoodLink Server
service and bring it online.
2.
If any resource fails to run, check the Event Log for errors.
Services are installed and configured within the cluster. Using
Move Group, the administrator can change the ownership from
one node to the other.
The following screen indicates the services are up and running on
the node for both GMC Server and Good Mobile Messaging
Server:
3.
Move to the other node manually by right-clicking on Cluster Group
and then choosing Move Group. This will move all services to
Node 2.
Good Mobile Messaging Server and
Good Mobile Control Server Cluster
Resources
The Cluster Tools setup will add the following separate resources to
the cluster under Default Cluster Group. These resources are
GoodLink Server, GoodLink Cache Lock, Disk Q:, GMC Server, GMC
SQLServer, and GMC Cache Lock services.
GoodLink Server Resource
The GoodLink Server is added to the cluster as a resource named
“GoodLink Service.” The cluster service monitors this resource and if
the resource fails, the service is either restarted on the same node or
restarted on another node. This resource is dependent on the
“GoodLink Cache Lock” Resource.
GoodLink Cache Lock Resource
Before the GoodLink service resource can be started on either the
Primary or Standby node, the cache lock file must be deleted to allow
the service to start automatically. If the GoodLink cache is on a shared
drive, then this resource is dependent on the shared drive resource.
Disk Q Resource
The setup scripts query the existence of the shared disk Q Drive
(Quorum Drive) for the location of the cache directory and shared
database.
GMC Server Resource
The GMC Server is added to the cluster as a resource named “GMC
Server.” The cluster service monitors this resource and if the resource
fails, the service is either restarted on the same node or restarted on
another node. This resource is dependent on the GMC SQL Server
Resource.
GMC SQLServer Resource
The GMC SQL server database service is added to the cluster as a
resource named “GMC SQLServer Service.” The cluster service
monitors this resource and if the resource fails, the service is either
restarted on the same node or restarted on another node.
GMC Cache Lock Resource
Before the GMC Server service resource can be started on either
Primary or Standby node, the cache lock file must be deleted in order
to allow the service to start automatically. If the GMC cache is on a
shared drive, then this resource is dependent on the shared drive
resource.
Uninstalling Good Messaging and Good
Mobile Control Server from Cluster
Servers
Note: The Standby server must be uninstalled before the Primary.
To uninstall Good Messaging and GMC Server from Cluster Servers:
1.
Using the Microsoft Cluster Administrator, transfer ownership of
the cluster resources to the Standby server.
2.
Select the Cluster Group that contains the GoodLink Service
resource, GMC Server resource, GMC SQLServer Service resource,
and the GMC Cache Lock resource.
3.
Right click on each of the five resources and choose Take off line.
4.
Uninstall the Standby server for both Good Mobile Messaging
Server and GMC server as you would a standalone GoodLink
Server. (See “Uninstalling Good Mobile Messaging Server” on
page 427 and “Uninstalling Good Mobile Control Server” on
page 428.)
5.
After completing the uninstall of the Standby server, from the
Primary server, transfer ownership of the resources by moving the
group back to the Primary server.
6.
Uninstall the Primary server for both Good Mobile Messaging
Server and GMC Server as you would a standalone Good Mobile
Messaging Server and GMC Server. During Good Mobile
Messaging Server uninstall, select Custom Uninstall and Remove
the User Configuration.
7.
Delete all of the resources from the Cluster resource groups after
both the Primary and Standby servers are uninstalled:
a.
From the Primary server, launch the Microsoft Cluster Administrator.
b.
Select a group containing a GoodLink resource.
c.
For each GoodLink service (GoodLink service, GoodLink
Cache Lock, GMC SQL Server, GMC SQLServer and GMC
Cache Lock service), right-click the resource and choose
Offline. Then choose Delete.
d.
Repeat a through c until all resources are deleted.
8.
Manually delete any remaining files from the installation
directories of both Good Mobile Messaging Server and GMC
Server, including the Q- Quorum drive location.
9.
Uninstall SQL Server using the Control Panel. Choose Add
Remove Programs and then remove all SQL Server related files.
Typically, there will be the following five files shown below:
Cold Failover
When setting up your Good for Enterprise system, you have the
option of installing a standby Good Mobile Messaging Server and
standby Good Mobile Control Server to provide redundancy in case
of hardware failure or software corruption on the computer running
Good for Enterprise.
As shown in the figure, two computers share a redundant disk
subsystem. If the primary computer fails, you start Good Mobile
Messaging Server on the standby computer. Do not use a network
share drive or Network Attached Storage (NAS) for the cache files;
this includes NetApp filer, known also as NetApp Fabric-Attached
Storage (FAS), NetApp's network attached storage (NAS) device.
Good Messaging currently supports SAN and shared external SCSI
drive. The Good Messaging cold failover system requires a shared
storage device that is connected directly to both the primary and
standby servers.
The primary Good Mobile Messaging Server is normally running.
The standby server is used only when the primary server fails and
cannot be brought back online. Synchronization data is stored in the
shared disk. A lock file (dbfiles.lck) in the shared root directory
prevents both of the Good Mobile Messaging Servers from accessing
the shared files at the same time.
Note: If the primary Good Mobile Control Server fails, the secondary
Server will be aware of all Good Mobile Messaging Servers via the
shared database. However, if a Good Mobile Messaging Server
subsequently fails, the secondary Good Messaging Server will
attempt to communicate with the primary Good Mobile Control
Server, unless the Primary and Secondary Mobile Control Servers
share the same virtual name.
Installing Good Mobile Control as a Primary Server
Most of the steps below are the same steps as for installing a Good
Mobile Control Server in a standalone configuration. Refer to
“Installing Good Mobile Control Server” on page 50 for details on
those steps.
The steps that are particular to cold standby are indicated by “<cold
standby>” next to them.
Without clustering, Windows does not support two servers accessing
a shared SAN drive. It is a limitation with NTFS files. However,
Good's architecture does not call for two (primary and standby)
servers being online at the same time.
Prior to starting installation of the standby servers, the primary
servers should be shut down so there is no contention for the SAN
drive. During setup of cold failover, the .lck files should be left in the
directory so that the setup will see them and recognize that this
server will be a standby.
1. Enter the login user name and password of the local system
administrator account that you created for the Good Mobile
Control server. The login user name must be entered with its
domain in the form DOMAIN\LOGIN.
2. Choose the directory for installation of the Good Mobile Control
Server.
3. Choose the directory for the Good Mobile Control server log file.
Primary and secondary servers should share the same log
directory.
4. Select "Yes, This GMC server participates in failover." <cold
standby>
5. Select "Primary GMC Server (default)." <cold standby>
6. Choose a "Remote SQL Server Host" and enter the host name.
<cold standby>
Note: Using a local database with Good Mobile Control failover is
only supported when using Microsoft Clustering (MSCS). To use
Good Mobile Control failover without MSCS, use a remote SQL
Server database.
SQL instance and database: An instance is an SQL installation, one
per host. An instance can contain multiple databases. Note that
multiple SQL Server named instances can run on the same
Windows Server. Each of these instances can contain multiple user
databases. Multiple GMC Servers can use the same SQL instance
but each GMC Server must use a separate user database within
that instance. If two GMC Servers attach to the same user database
in the same SQL Server named instance running on a Windows
Server, data loss may occur. An SQL instance is defined as a
separate copy of SQL Server running on the same computer.
7. Specify the type of SQL instance that the GMC database will be
created in. For Named Instance or Port Number, you must enter a
value in the associated field or an error will be returned.
Click Named Instance and provide a name for the instance if the
database is to be created in a named instance. If it does not exist
and is remote, an error is returned. Choose a meaningful name to
avoid future confusion.
Click Port Number and provide a port number if an instance
using a static port number is to be used. If it doesn’t exist, it isn’t
created; an error is returned.
SQL Servers enforce their own authentication and authorization.
If you encounter an error, refer to “Scalability” on page 40 to
recheck your current SQL setup.
8. A named database will be created in the SQL Server instance that
you have specified. Enter a name of your choice for the database
here. Remember that multiple GMC Servers can share an instance
but must use separate databases.
9. Choose Failover remote directory. <cold standby>
Only two files will be placed in this shared directory, the lock files
emfdbfiles.lck and emfdbsetup.ini.
Specify a non-local file that is reachable by both primary and
secondary Good Mobile Control Servers.
The emfdbfiles.lck file plays an important part during a failover
situation.
10. The following screenshots are the same as for a standalone install.
11. Check the box for "Disable Automatic Backup," since the SQL
Server is on a Remote Host.
12. When the install is done, log in to the GMC Console to confirm
access is successful.
13. Make a change in the GMC. You will refer to this change later.
<cold standby>
Example: Log into GMC > Click on the Policies Tab > create a new
Policy named TestingColdFailover. The reason for this change is to
confirm that your GMC Standby node was installed correctly. We
will confirm this at the end of the standby GMC Server install.
Here we do not assume a Good Mobile Messaging Server is
installed. We are first installing Good Mobile Control Server in a
cold standby configuration.
14. Before installing on the Standby node, be sure to stop and
disable the Good Mobile Control server service on the primary
node. <cold standby>
Installing Good Mobile Control as a Standby Server
1. After installing the Primary Good Mobile Control Server, stop the
GMC Server services in Windows Services on the Primary node,
before installing the Standby GMC Server.
2. Log in using the Good Mobile Control service account.
3. Install Good Mobile Control on this standby node. Most of the
steps are identical to installing GMC on the Primary node, with
the exceptions noted in this section.
4. Choose "Standby GMC Server." (This is one of the differences
between this being a primary host and standby host.)
5. The SQL Server Host must be remote in a cold standby
configuration. This remote SQL Server must be the same SQL
server as the one selected for the Primary server.
The Named instance must be the same as well.
6. You must name the same database as the one selected for the
Primary Server install.
7. If the following screen is not displayed, you must cancel the
install.
Choose "Yes".
8. Important: By default the Server field is populated with the
NetBIOS name of the host it is being installed on. You must change
this to be exactly the same server name that you specified during
the install of your primary server. The License and Serial Number
must also be the same as those for your primary server.
9. At the end of the installation you will be prompted to start the
Good Mobile Control Server service. Do not start the service at
this point. If you do, it will stop automatically after a few seconds.
10. Navigate to the Failover Remote Directory (Step 9. above). Delete
emfdbfiles.lck.
11. Start the Good Mobile Control service on the standby node.
12. Confirm that the policy set named TestingColdFailover still exists.
You have successfully installed primary and standby Good Mobile
Control Servers.
Repeat the final four steps of this procedure whenever you need to
failover to the primary or standby server.
Setting Up a Standby Good Mobile Messaging Server
To set up the standby configuration, do the following:
1. When installing the standby server, in the “Good Mobile
Messaging Server Registration Information” screen enter the same
license, serial number, server names, and SQL database
information that you entered for the primary server. You’ll be
asked whether you want to install the server as a standby server.
Reply yes. At the end of the installation, Good Mobile Messaging
Server and Good Mobile Control Server services are installed but
set to manual rather than to automatic.
2. When installing the primary server, in the “Choose Cache
Directory” screen enter a database cache directory path that points
to the shared disk cache files. Do not use a network share drive for
the cache files. In the “Choose Log Directory” screen, the log file
directory path should be the same for primary and secondary
server. Do not use a network share drive for the log files. Enter this
same path for the standby server.
3. After running the primary server and setting up user handhelds,
test the setup:
a. Shut down the Good Mobile Messaging Server and Good
Mobile Control Server services on the primary machine.
b. Manually delete the dbfiles.lck file on the database machine.
c. Start the Good Mobile Messaging Server and Good Mobile
Control Server services on the standby machine.
d. Confirm that handhelds are synchronizing correctly. If not, follow
the ordinary troubleshooting procedures for the primary server.
Using the Standby Good Mobile Messaging Server
When Good Mobile Messaging Server starts, it checks to see if it is the
owner of the database lock file (dbfiles.lck). If so, it starts successfully.
Otherwise, it exits and logs a warning to the Event Viewer
Applications Log. If the primary server fails and you want to bring
the standby server online, do the following:
1. If the primary machine is still running, stop the Good Mobile
Messaging Server and Good Mobile Control Server services.
2. Change the service settings from automatic to manual.
3. Manually delete the dbfiles.lck file on the database machine.
Warning: Deleting the lock file while the primary or standby
server is running and starting the other server will cause the cache
files to be corrupted. All handhelds will then need to be set up
again.
4. Start the Good Mobile Messaging Server and Good Mobile Control
Server services on the standby machine.
5. Change the service settings for these services from manual to
automatic.
Changing or Updating a Primary or Standby Good Mobile Messaging Server
To change the machine hosting the standby server, simply uninstall
the standby server on the original machine and reinstall it on the new
host machine.
To change the machine hosting the primary server, you must
uninstall and reinstall both primary and standby servers. That is,
uninstall the primary server and then the standby server. Next, install
the primary server on the new machine. Finally, install the standby
server on the machine to host it.
If the host of a primary or standby server has crashed, been stolen, or
is otherwise in a state that doesn’t permit the Good Mobile
Messaging Server software to be uninstalled from it, contact your
service representative.
When installing or updating a Good Mobile Messaging Server, when
prompted to identify the Good Mobile Control Server, use the
hostname and URL of the currently functioning Control Server,
whether primary or secondary.
Returning Use to the Primary Server
To return to use of the primary server:
1. Stop the standby server by stopping the Good Mobile Messaging
Server and Good Mobile Control Server services.
2. Delete the lock file dbfiles.lck on the shared file server. By default
the file is found in installation_directory\cache\server_name\.
3. Change the Good Mobile Messaging Server and Good Mobile
Control Server services from automatic to manual on the standby
server.
4. Change the Good Mobile Messaging Server and Good Mobile
Control Server services from manual to automatic on the primary
server.
5. Reboot the primary Good Mobile Messaging Server or start the
Good Mobile Messaging Server and Good Mobile Control Server
services.
The primary Good Mobile Messaging Server checks the shared cache
files and picks up service to the handhelds where the standby server
left it.
10 Uninstalling Good Messaging
Uninstallation of the product consists of stopping the Good services,
removing the Good Mobile Messaging Servers, and then Good
Mobile Control (GMC), from their hosts, and verifying that the
supporting SQL database instance has also been removed.
Uninstalling Good Mobile Messaging Server
To uninstall Good Mobile Messaging Server software from its host
machine, use the following procedure. Note that the Domino server
used by the Good Mobile Messaging Server must be present on the
host machine for the uninstall to succeed.
1. If you will be uninstalling the software for all Good Mobile
Messaging Servers in a Domino site, do so before removing the
GMC Server, as described in “Uninstalling Good Mobile Control
Server” on page 428. Do not remove the GMC Server if any Good
Mobile Messaging Servers are to remain operational in the site.
This step is not necessary if you plan to reinstall the server. If you
choose the “custom” uninstall, you will be given a chance during
uninstallation to retain user configurations (“Retain Users”) for
reinstallation later. If you choose the “typical” uninstall, user
configurations will be retained automatically.
2. Close all programs before proceeding with the uninstall. Confirm
that no applications are being run remotely (such as PerfMon) by
rebooting the server or by going to Start > Programs >
Administrative Tools > Computer Management and
disconnecting any drive/application shares currently in place.
3. To uninstall the Good Mobile Messaging Server software from a
particular machine, go to the machine’s Control Panel window
and double-click Add/Remove Programs.
4. From the list of programs, select Good Mobile Messaging Server
and click Add/Remove.
You’ll be given the option to repair or uninstall the Server. Choose
to uninstall it, and when prompted, choose the typical uninstall.
Uninstalling Good Mobile Control Server
1. Close all programs before proceeding with the uninstall. Confirm
that no applications are being run remotely (such as PerfMon) by
rebooting the server or by going to Start > Programs >
Administrative Tools > Server Manager and disconnecting any
drive/application shares currently in place.
2. From the Domino command prompt, type Exit to stop the Domino
service.
3. Run setup.exe from the Good distribution media. From the
introductory installation screen click Add/Remove for the GMC
Server snap-in.
If GMC Console is detected, the required uninstall files are
unpacked from the Good distribution media.
The Uninstall Wizard prepares to run, and then guides you
through the uninstall process.
4. Click Next to proceed.
You are prompted to confirm the uninstall.
5. When prompted, click OK to confirm that you want to remove the
application and all of its components.
You can choose to delete or retain all log files.
6. Click Next.
A summary screen is displayed.
If the information it contains is correct, click Next to proceed with
the uninstall.
A progress bar is displayed as the console is removed. When the
uninstall is complete, a final screen is displayed.
7. Click Finish.
GMC Server automatically archives the entire GoodAdmin
mailbox daily at midnight, local time, to an archive file in a
backup directory.
Uninstalling SQL Server
After uninstalling GMC, you may want to remove the SQL database
it used. You can uninstall the database using the following procedure.
To uninstall SQL Server:
1. Close all running programs on the host machine.
2. From the Windows Control Panel, run Add or Remove Programs.
3. Select Microsoft SQL Server Management Studio Express and
select Remove.
The program is removed.
4. Repeat for Microsoft SQL Server 2005.
5. Repeat for Microsoft .NET Framework 2.0.
Note: The programs must be removed in the order given.
A Using the GMC Web Service
This appendix gives an overview of how to use the Good Mobile
Control (GMC) Web Service to integrate your existing automated
work-flow system with the GMC Server. For example, you can have
your work-flow system use the GMC Web Service to automatically
enable or disable handhelds on the GMC Server. The GMC Web
Service allows you to automate many of the same operations you can
do manually with the GMC Console.
Here is a summary of the operations you can automate with the GMC
Web Service:
• Roles:
  • Create, assign, list, update, revoke, and delete roles
  • List role members, list and update role rights
• Policy Sets:
  • List policy sets
• Handhelds:
  • Enable, disable, list, and wipe handhelds
  • Export handheld list, statistics, or software
  • Regenerate Provisioning PINs for handhelds
• Server:
  • Export and reset GMC Server statistics
• Miscellaneous:
  • Get the directory entries, effective rights, product types
  • Get the GUID for the specified DN of a user
Working with the GMC Web Service
Use the following important guidelines when working with the GMC
Web Service:
• Use a SOAP-based web services client to access the GMC Web
Service.
• The GMC Web Service uses Globally Unique Identifiers (GUIDs),
uniquely generated strings, to identify all handhelds, roles, policy
sets, and GMM and GMA Servers.
About the BulkServiceResult array
BulkServiceResult is an array that is returned for the GMC Web
Service functions that can operate on multiple items at the same time.
For example, enableHandhelds allows you to enable multiple
handhelds at a time. Each item in a request on multiple items is
treated independently. If the request for an item is successful, the
function’s result element for that item is set to a successful object
(for example, the “handheldResult” element is set to a Handheld
object). If the request for an item is not successful (for example, a
handheld is not enabled because a user does not exist), the item’s
hardError element is set.
Some BulkServiceResult results are returned as a string such as a
GUID, and other results are returned as objects such as handhelds.
BulkServiceResult results can also be returned as “warnings” or “soft
errors”. For example, if you attempt to disable a handheld that does
not exist, the request is granted but a warning occurs informing you
that the handheld does not exist.
Integrating with the GMC Web Service
You can find the Web Services Description Language (WSDL) file for
the GMC Web Service at the following URL:
https://<GMCServer>:19005/PublicService?wsdl
where:
<GMCServer> is the machine name of the GMC Server.
To integrate with the GMC Web Service, set your application to read
or import the GMC Web Service WSDL file and discover the
operations that are available on the GMC Server. Your application can
then use SOAP to call one of the operations listed in the GMC Web
Service WSDL.
Web Service Authentication
The GMC Web Service uses HTTP Basic Authentication to
authenticate your application before allowing any operations on the
GMC Server. The username and password for the GMC Web Service
are the same credentials you use to log into the GMC Console. The
application then has the same rights for that account as if you logged
into the GMC Console.
GMC Web Service Example
The GMC Web Service Example is a Java client example that
illustrates how to use the GMC Web Services to perform several
operations on a GMC Server. You can download the GMC Web
Service Example zip file from the Good Technical Support >
Documentation section on http://www.good.com.
The GMC Web Service Example illustrates how to perform these
operations:
• Print all GMM Servers (shows basic querying)
• Select a single GMM Server (shows how a server is identified)
• Enable a single handheld based on a user name that is specified in
the code (shows how to enable a handheld and how it is
identified)
• Enable multiple handhelds (shows how bulk operations are
handled)
• Print all handhelds
• Print the details of the first enabled handheld
• Send the wipe command to a handheld
• Disable a single handheld or multiple handhelds
• Perform authentication
Note: An example username and password are specified in the
source code. If you want to run the example source code, you must
change the user name and password for your GMC Server. (See the
src/gacclientapp/main/Main.java file.) You must also change the
location of the GMC server, which is also specified in the code.
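The sample keeps the GMC Console account in Main.java and, in GMCWS.getService(), calls makeTrustAllSSLCerts() before downloading the WSDL, while HTTP Basic Authentication sends those console credentials with every request. The following added example (not part of Good's sample code) shows one way to validate the GMC Server certificate against a dedicated truststore and to read the account from the environment. The class name and the GMC_* environment variables are hypothetical, and it assumes a JAX-WS runtime that connects through HttpsURLConnection.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the GMC Web Service Example zip.
 * Validates the GMC Server certificate against a dedicated truststore and
 * reads the Web Service account from the environment. The class name and
 * the GMC_* variable names are hypothetical.
 */
public final class GmcTlsSetup {

    private GmcTlsSetup() {}

    /** Returns a required environment variable or fails with a clear message. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Environment variable " + name + " is not set");
        }
        return value;
    }

    /** Builds an SSLContext that trusts only the certificates in the given truststore. */
    static SSLContext contextFor(Path trustStore, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            store.load(in, storePassword);
        }
        if (store.size() == 0) {
            // An empty truststore would reject every server; fail early and say why.
            throw new KeyStoreException("No certificates in " + trustStore);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null); // no client certificate, default RNG
        return context;
    }

    /**
     * Opens the WSDL URL once, without credentials, so that a certificate or
     * host name problem surfaces before the account is ever sent.
     */
    static int probe(URL wsdlLocation, SSLContext context) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) wsdlLocation.openConnection();
        conn.setSSLSocketFactory(context.getSocketFactory());
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            // Throws SSLHandshakeException for an untrusted certificate and an
            // IOException when the certificate does not match the host name.
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        URL wsdlLocation =
                new URL("https://" + requireEnv("GMC_HOST") + ":19005/PublicService?wsdl");
        SSLContext context = contextFor(
                Paths.get(requireEnv("GMC_TRUSTSTORE")),
                requireEnv("GMC_TRUSTSTORE_PASSWORD").toCharArray());

        int status = probe(wsdlLocation, context);
        System.out.println("TLS handshake with " + wsdlLocation.getHost()
                + " succeeded, HTTP status " + status);

        // Make this context the default for HttpsURLConnection, which the JAX-WS
        // runtime is assumed to use for the WSDL download and the SOAP calls.
        // The default HostnameVerifier is deliberately left in place.
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

        String username = requireEnv("GMC_USER");     // same account as for the GMC Console
        String password = requireEnv("GMC_PASSWORD");
        // With the makeTrustAllSSLCerts() call removed from GMCWS.getService(),
        // the page's sample client can then be created as before:
        // ExampleClient client = new ExampleClient(wsdlLocation, username, password);
    }
}
```

The truststore only needs the GMC Server certificate or the CA that issued it, and the host name in GMC_HOST must match the name in that certificate.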
Source Code Files in the GMC Web Service Example
This section contains the following source code files that are in the
GMC Web Service Example:
• Main.java - The starting point for the examples (see “Main.java”
on page 434).
• ExampleClient.java - This client shows off how to make calls to
GMC using JAX-WS (see “ExampleClient.java” on page 436).
• GMCWS.java - Static class for getting a hold of a web service client
for GMC using JAX-WS (see “GMCWS.java” on page 447).
Main.java
/*
 * The starting point for this example.
 */
package gmcclientapp.main;

import java.net.URL;
import java.util.Collection;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 *
 * @author cdraper
 */
public class Main {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        try {
            // Put in your own values here:
            URL wsdlLocation = new URL("https://cdraperxw4600:19005/PublicService?wsdl");
            String username = "de\\gmcadmin";
            String password = "password";
            String testUserDn100 =
                    "CN=User_100,OU=Users,OU=QaTest,OU=GMC,DC=de,DC=qagood,DC=com";
            String testUserDn101 =
                    "CN=User_101,OU=Users,OU=QaTest,OU=GMC,DC=de,DC=qagood,DC=com";
            String testUserDn102 =
                    "CN=User_102,OU=Users,OU=QaTest,OU=GMC,DC=de,DC=qagood,DC=com";

            ExampleClient client = new ExampleClient(wsdlLocation, username, password);
            client.printAllGMMServers();

            // Locate a GMM server to do enablement on.
            String gmmServerGuid = client.pickAGMMServer();
            String handheldGuid = client.enableHandheld(gmmServerGuid, testUserDn100);

            // An example calling in bulk
            Collection<String> handheldGuids =
                    client.enableHandhelds(gmmServerGuid, testUserDn101, testUserDn102);

            client.printAllHandhelds();
            client.printHandheldDetails(handheldGuid);
            client.wipeHandheld(handheldGuid);
            client.disableHandheld(handheldGuid);

            // An example calling in bulk
            client.disableHandhelds(handheldGuids);
        } catch (Throwable ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}
ExampleClient.java
/*
 * This client shows off how to make calls to GMC using JAX-WS.
 */
package gmcclientapp.main;

// Note that gmcclientapp.ws.* is generated by JAX-WS, see README on how to build.
import gmcclientapp.ws.BulkServiceResult;
import gmcclientapp.ws.BulkServiceResultItem;
import gmcclientapp.ws.EMFException;
import gmcclientapp.ws.EnableHandheld;
import gmcclientapp.ws.EnableHandhelds;
import gmcclientapp.ws.GUIDs;
import gmcclientapp.ws.Handheld;
import gmcclientapp.ws.HandheldAttribute;
import gmcclientapp.ws.HandheldDetails;
import gmcclientapp.ws.HandheldException;
import gmcclientapp.ws.PublicService;
import gmcclientapp.ws.Server;
import gmcclientapp.ws.ServerList;
import gmcclientapp.ws.ServiceResult;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/**
 *
 * @author cdraper
 */
public class ExampleClient {

    private final PublicService port;

    public ExampleClient(URL wsdlLocation, String username, String password) {
        port = GMCWS.getPort(wsdlLocation, username, password);
    }

    /**
     * Print out all handhelds in GMC.
     */
    public void printAllHandhelds() {
        printAPageOfHandhelds(0, Integer.MAX_VALUE);
    }

    /**
     * Print a "page" of handhelds with a starting spot.
     * Page size of 25.
     */
    public void printAPageOfHandhelds(int startIndex) {
        printAPageOfHandhelds(startIndex, 25); // page size of 25
    }

    public void printAPageOfHandhelds(int startIndex, int pageSize) {
        Boolean sortAscending = Boolean.TRUE;
        List<Handheld> result = port.listAllHandhelds(startIndex, pageSize,
                HandheldAttribute.EMAIL, sortAscending);
        System.out.println("Found " + result.size() + " handheld(s)");
        for (Handheld handheld : result) {
            print(handheld);
        }
    }

    public int getHandheldCount() {
        return port.getNumOfHandhelds();
    }

    private void print(Handheld handheld) {
        System.out.println("Handheld for " + handheld.getEmailAddress()
                + " GUID " + handheld.getGuid()
                + " state " + handheld.getProvisioningStatus());
    }

    public void printAllGMMServers() {
        System.out.println("Retrieving all GMM Servers");
        ServerList gmmServers = port.getServersByProductType("GMM");
        System.out.println("Found " + gmmServers.getItems().size() + " GMM server(s)");
        for (Server gmmServer : gmmServers.getItems()) {
            print(gmmServer);
        }
    }

    private void print(Server server) {
        System.out.println(server.getProductType()
                + " server " + server.getHostname()
                + " " + server.getVersion()
                + " GUID " + server.getGuid());
    }

    public String pickAGMMServer() {
        ServerList gmmServers = port.getServersByProductType("GMM");
        List<Server> servers = gmmServers.getItems();
        if (servers.isEmpty()) {
            throw new RuntimeException("Unable to find any GMM servers");
        }
        Server server = servers.get(0);
        return server.getGuid();
    }

    /**
     * Enable a handheld for OTAP.
     *
     * @param directoryDn The DN for the user as found in the directory.
     *                    (This DN is different from the mailbox DN.)
     * @param serverGuid  The GUID for the server to enable them on.
     * @return The GUID that identifies this handheld
     * @throws EMFException if the handheld could not be enabled.
     */
    public String enableHandheld(String serverGuid, String directoryDn) throws EMFException {
        EnableHandheld params = new EnableHandheld();
        params.getServerGUIDs().add(serverGuid);
        params.setUserDN(directoryDn);
        String handheldGuid = port.enableHandheld(params);
        System.out.println("Enabled handheld with GUID " + handheldGuid + " for " + directoryDn);
        return handheldGuid;
    }

    public String enableHandheldViaBulk(String serverGuid, String directoryDn) {
        EnableHandhelds params = new EnableHandhelds();
        params.getUserDNs().add(directoryDn);
        params.getServerGUIDs().add(serverGuid);
        BulkServiceResult bsr = port.enableHandhelds(params);

        // Must check BulkServiceResult for error!
        // Only 1 result item expected as only 1 handheld was attempted to be enabled.
        // So just get the zeroth element from the BulkServiceResult.
        BulkServiceResultItem bsri = bsr.getItems().get(0);
        if (!bsri.getHardError().isEmpty()) {
            // There was an error!
            throw new RuntimeException("Unable to enable handheld for '"
                    + directoryDn + "': " + bsri.getHardError());
        }
        String handheldGuid = bsri.getStringResult();
        System.out.println("Enabled handheld with GUID " + handheldGuid + " for " + directoryDn);
        return handheldGuid;
    }

    /**
     * Bulk enabling of handhelds. Each DN (user) passed in is treated separately;
     * if one fails, the rest are not affected.
     *
     * @param serverGuid   Which server to put the handhelds on
     * @param directoryDns The users to enable
     * @return The handheld GUIDs of the new handhelds in GMC.
     */
    public Collection<String> enableHandhelds(String serverGuid, String... directoryDns) {
        EnableHandhelds params = new EnableHandhelds();
        params.getUserDNs().addAll(Arrays.asList(directoryDns));
        params.getServerGUIDs().add(serverGuid);
        BulkServiceResult bsr = port.enableHandhelds(params);

        // Must check BulkServiceResult for error!
        Collection<String> enabledHandheldGuids = new ArrayList<String>();
        for (BulkServiceResultItem bsri : bsr.getItems()) {
            if (bsri.getHardError().isEmpty()) {
                String handheldGuid = bsri.getStringResult();
                System.out.println("Enabled handheld with GUID " + handheldGuid
                        + " for " + bsri.getId());
                enabledHandheldGuids.add(handheldGuid);
            } else {
                // There was an error!
                // Note that even if this one hit an error, the others may have
                // succeeded.
                System.err.println("Unable to enable handheld for '"
                        + bsri.getId() + "': " + bsri.getHardError());
            }
        }
        return enabledHandheldGuids;
    }

    /**
     * Go get the handheld details and print them out.
     */
    public void printHandheldDetails(String handheldGuid) {
        GUIDs params = guidToGuids(handheldGuid);
        BulkServiceResult bsr = port.getHandheldsInfo(params);

        // Must check BulkServiceResult for error!
        // Only 1 result item expected as only 1 handheld was queried.
        // So just get the zeroth element from the BulkServiceResult.
        BulkServiceResultItem bsri = bsr.getItems().get(0);
        if (!bsri.getHardError().isEmpty()) {
            // There was an error!
            throw new RuntimeException("Unable to get details for handheld '"
                    + handheldGuid + "': " + bsri.getHardError());
        }
        HandheldDetails handheldDetailsResult = bsri.getHandheldDetailsResult();
        print(handheldDetailsResult);
    }

    private void print(HandheldDetails handheld) {
        System.out.println("Handheld details for " + handheld.getEmailAddress()
                + " GUID " + handheld.getGuid()
                + " state " + handheld.getProvisioningStatus()
                + " PIN " + handheld.getOtaPin());
    }

    public void disableHandheld(String handheldGuid) throws EMFException {
        port.disableHandheld(handheldGuid);
        System.out.println("Disabled handheld with GUID " + handheldGuid);
    }

    public void disableHandheldViaBulk(String handheldGuid) {
        GUIDs params = guidToGuids(handheldGuid);
        BulkServiceResult bsr = port.disableHandhelds(params);

        // Must check BulkServiceResult for error!
        // Only 1 result item expected as only 1 handheld was attempted to be disabled.
        // So just get the zeroth element from the BulkServiceResult.
        BulkServiceResultItem bsri = bsr.getItems().get(0);
        if (!bsri.getHardError().isEmpty()) {
            // There was an error!
            throw new RuntimeException("Unable to disable handheld for '"
                    + handheldGuid + "': " + bsri.getHardError());
        }
        System.out.println("Disabled handheld with GUID " + handheldGuid);

        // Warnings might occur if the handheld was not found, which is not
        // a big deal if we're trying to disable the handheld. Normally, warnings
        // can be ignored.
        List<String> warnings = bsri.getSoftErrors();
        for (String warningMessage : warnings) {
            System.out.println("Warning while disabling " + handheldGuid + ": " + warningMessage);
        }
    }

    public void disableHandhelds(Collection<String> handheldGuids) {
        GUIDs params = new GUIDs();
        params.getItems().addAll(handheldGuids);
        BulkServiceResult bsr = port.disableHandhelds(params);

        // Must check BulkServiceResult for error!
        for (BulkServiceResultItem bsri : bsr.getItems()) {
            String handheldGuid = bsri.getId();
            if (bsri.getHardError().isEmpty()) {
                System.out.println("Disabled handheld with GUID " + handheldGuid);
            } else {
                // There was an error!
                System.err.println("Unable to disable handheld for '"
                        + handheldGuid + "': " + bsri.getHardError());
            }

            // Warnings might occur if the handheld was not found, which is not
            // a big deal if we're trying to disable the handheld. Normally, warnings
            // can be ignored.
            List<String> warnings = bsri.getSoftErrors();
            for (String warningMessage : warnings) {
                System.out.println("Warning while disabling " + handheldGuid
                        + ": " + warningMessage);
            }
        }
    }

    public void wipeHandheld(String handheldGuid) {
        Boolean justAppData = true;
        try {
            ServiceResult sr = port.wipeHandheld(handheldGuid, justAppData);
            System.out.println("Sent wipe message to handheld with GUID " + handheldGuid);

            // Normally, warnings can be ignored.
            List<String> warnings = sr.getSoftErrors();
            for (String warningMessage : warnings) {
                System.out.println("Warning while wiping " + handheldGuid + ": " + warningMessage);
            }
        } catch (EMFException ex) {
            throw new RuntimeException(ex);
        } catch (HandheldException ex) {
            throw new RuntimeException(ex);
        }
    }

    private GUIDs guidToGuids(String guid) {
        GUIDs params = new GUIDs();
        params.getItems().add(guid);
        return params;
    }
}
GMCWS.java
/*
 * Static class for getting ahold of a web service client for GMC using JAX-WS.
 */
package gmcclientapp.main;

// Note that gmcclientapp.ws.* is generated by JAX-WS, see README on how to build.
import gmcclientapp.ws.PublicService;
import gmcclientapp.ws.PublicService_Service;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
/**
*
* @author cdraper
*/
public class GMCWS {
    private static final QName SERVICE_QNAME =
            new QName("http://good.com/emf", "PublicService");
    private static final Integer TIMEOUT = 2 * 60 * 1000; // in ms

    private GMCWS() {}

    private static PublicService_Service getService(URL wsdlLocation) {
        makeTrustAllSSLCerts();
        return new PublicService_Service(wsdlLocation, SERVICE_QNAME);
    }

    public static PublicService getPort(URL wsdlLocation,
            String username, String password) {
        PublicService_Service service = getService(wsdlLocation);
        PublicService port = service.getPublicService();
        BindingProvider bp = (BindingProvider) port;
        Map<String, Object> requestContext = bp.getRequestContext();
        // set timeout
        requestContext.put("com.sun.xml.ws.connect.timeout", TIMEOUT);
        requestContext.put("com.sun.xml.ws.request.timeout", TIMEOUT);
        // set HTTP Basic Auth username & password
        requestContext.put(BindingProvider.USERNAME_PROPERTY, username);
        requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
        return port;
    }
    private static void makeTrustAllSSLCerts() {
        try {
            // The GMC cert is self-signed and so might not be trusted by this client.
            // Create a trust manager that trusts all certs. Another option (if one
            // didn't want to go this way) would be to add the GMC cert into the keystore.
            // Note: the defaults set below apply to every HttpsURLConnection in this
            // JVM, so no HTTPS server this client contacts is authenticated.
            TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(
                        java.security.cert.X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(
                        java.security.cert.X509Certificate[] certs, String authType) {
                }
            }};
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init((KeyManager[]) null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            // Tell it to trust every host.
            HostnameVerifier hv = new HostnameVerifier() {
                public boolean verify(String urlHostName, SSLSession session) {
                    return true;
                }
            };
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
        } catch (NoSuchAlgorithmException ex) {
            // We're expecting to have the algorithm for SSL
            throw new RuntimeException(ex);
        } catch (KeyManagementException ex) {
            throw new RuntimeException(ex);
        }
    }
}
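The comment in makeTrustAllSSLCerts() names a second option: adding the GMC certificate to a keystore instead of trusting every certificate and host. The class below is an added example of that option, not part of the Good sample client; the class name GmcPinnedTrust, the exported certificate file and the fingerprint argument are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (added example): trust only the exported GMC certificate. */
public final class GmcPinnedTrust {
    private GmcPinnedTrust() {}

    /** Reads one X.509 certificate (PEM or DER) exported from the GMC server. */
    static X509Certificate loadCertificate(Path certFile)
            throws IOException, GeneralSecurityException {
        try (InputStream in = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** Colon-separated, upper-case SHA-256 fingerprint of the DER encoding. */
    static String sha256Fingerprint(X509Certificate cert)
            throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            if (hex.length() > 0) {
                hex.append(':');
            }
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    /** Builds an SSLContext whose only trust anchor is the given certificate. */
    static SSLContext contextTrustingOnly(X509Certificate gmcCert)
            throws IOException, GeneralSecurityException {
        gmcCert.checkValidity(); // reject an expired or not-yet-valid certificate
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty in-memory store
        trustStore.setCertificateEntry("gmc", gmcCert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /**
     * Verifies the file against a fingerprint obtained out of band, then makes
     * the pinned context the default for HttpsURLConnection. The default
     * HostnameVerifier is left in place, so the WSDL URL must use a host name
     * that appears in the certificate. Like the original sample, this changes a
     * JVM-wide default: other HTTPS servers will no longer validate.
     */
    public static void install(Path certFile, String expectedFingerprint)
            throws IOException, GeneralSecurityException {
        X509Certificate cert = loadCertificate(certFile);
        String actual = sha256Fingerprint(cert);
        if (!actual.equalsIgnoreCase(expectedFingerprint.trim())) {
            throw new GeneralSecurityException(
                    "GMC certificate fingerprint mismatch: got " + actual);
        }
        HttpsURLConnection.setDefaultSSLSocketFactory(
                contextTrustingOnly(cert).getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: GmcPinnedTrust <gmc-cert-file> <sha256-fingerprint>");
            System.exit(2);
        }
        install(Paths.get(args[0]), args[1]);
        System.out.println("HTTPS trust is now limited to the certificate in " + args[0]);
    }
}
```

In the sample client, calling GmcPinnedTrust.install(...) from getService() in place of makeTrustAllSSLCerts() keeps the rest of GMCWS unchanged.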
Summary of the GMC Web Service Functions
This section contains a summary of the GMC Web Service functions.
For more information about each function, see the GMC Web Service
Help file in the Good Technical Support > Documentation section on
http://www.good.com.
Role Functions
• Assigns a role:
List<ConsoleEntity> assignRole(String roleGuid, List<String> nativeGuid)
• Creates a role:
Role createRole(String name, String description, List<Right> rights)
• Deletes roles:
void deleteRoles(List<String> items)
• Gets effective roles:
List<Role> getEffectiveRoles(String consoleEntityGuid)
• Lists rights for roles:
List<Right> listRightsForRole(String roleGuid)
• Lists role members:
List<ConsoleEntity> listRoleMembers(String roleGuid)
• Lists roles:
List<Role> listRoles()
• Lists roles for GMC Console entity:
List<Role> listRolesForConsoleEntity(String consoleEntityGuid)
• Revokes role:
void revokeRole(String roleGuid, List<String> consoleEntityGuid)
• Updates the name and description of the specified role:
Role updateRole(String roleGuid, String name, String description, List<Right> rights)
• Updates role rights of the specified role:
Role updateRoleRights(String roleGuid, List<Right> rights)
• Gets all rights:
List<String> listAllRights()
• Gets effective rights:
List<Right> getEffectiveRights(String consoleEntityGuid)
Policy Set Function
• Lists all policy sets:
List<PolicySet> listPolicySets()
Handheld Functions
• Disables a handheld from a specified server:
void disableHandheldForProduct(String handheldGuid, String serverGuid)
• Disables one or more handhelds:
BulkServiceResult disableHandhelds(GUIDs params)
• Disables a single handheld:
ServiceResult disableHandheld(String params)
• Enables a handheld for a specified server for that server’s product:
void enableHandheldForProduct(String handheldGuid, String serverGuid)
• Enables one or more handhelds by directory (for instance, AD) DN:
BulkServiceResult enableHandhelds(EnableHandhelds params)
• Enables a single handheld by directory DN:
String enableHandheld(EnableHandheld params)
• Enables one or more handhelds by GUID:
BulkServiceResult enableHandheldsByGuids(EnableHandheldsByGuids params)
• Enables one or more handhelds by mailbox DN:
BulkServiceResult enableHandheldsByMailboxDn(EnableHandheldsByMailboxDn params)
• Lock a handheld:
ServiceResult lockHandheld(String handheldGuid)
• Get a handheld’s temporary unlock code:
ServiceResult getHandheldTemporaryUnlockCode(String handheldGuid, String deviceId) throws EMFException
• Get detailed information for handheld. Return information via
HandheldDetails such as PIN and device properties.
getHandheldInfo
• Enable handheld detailed logging:
ServiceResult setHandheldDetailedLogging(String handheldGuid, boolean enabled) throws EMFException
• Export list of handhelds:
List<ExportHandheldItem> exportHandheldList(String serverGuid)
• Export handheld software:
List<ExportHandheldSoftwareItem> exportHandheldSoftware(String serverGuid)
• Export handheld statistics:
HandheldStatsView exportHandheldStats(String handheldGuid)
• List the handhelds with the specified GUIDs:
BulkServiceResult getHandheldsInfo(GUIDs handheldGUIDs)
• Get the number of enabled handhelds:
int getNumOfHandhelds()
• List all handhelds:
List<Handheld> listAllHandhelds(int startIndex, int maxCount, HandheldAttribute sortByAttribute, Boolean sortAscending)
• List handhelds that have the specified attribute key and attribute-value substring:
List<Handheld> listHandhelds(HandheldAttribute searchByAttribute, String searchByValue, int startIndex, int maxCount, Boolean ascending, Boolean prefixSearch)
• List all handhelds assigned to the specified policy set:
List<Handheld> listHandheldsForPolicySet(String policySetGUID)
• Lists all handhelds assigned to the specified server:
List<Handheld> listHandheldsForServer(String serverGUID)
• Regenerate OTA pins for handhelds that have the specified GUIDs:
BulkServiceResult regenOTAPin(GUIDs params)
• Resend the OTA email to the user(s) associated with the specified
handheld GUID(s):
BulkServiceResult resendOTAEmail(GUIDs params)
• Reset statistical counters for enabled handhelds on the GMC
server that is specified by the handheld GUID:
void resetHandheldStats(String handheldGuid)
• Set the specified handhelds to use the specified policy set:
BulkServiceResult setHandheldsPolicySet(GUIDs handheldGUIDs, String policySetGUID)
• Send a “wipe” message to the specified handheld:
ServiceResult wipeHandheld(String guid)
• Start a handheld moving within an EMF:
String startIntraMoveHandheld(StartIntraMoveHandheld req)
• Report on handheld status (how “well” the handheld is):
GetHandheldNocStatusResponse getHandheldNocStatus(String params)
• Third-party application management for iOS and Android
platforms, if the policies are properly configured. (Get list of
applications on device.)
getAppsForHandheld(String handheldGUID)
• Third-party application management for iOS and Android
platforms, if the policies are properly configured. (Refresh list of
applications on device.)
refreshAppsForDevice(String handheldGUID)
Server Functions
• Exports server statistics:
ServerStatsView exportServerStats(String req)
• Gets the server name that has the specified GUID:
String getServerGuidByName(String serverName)
• Gets the list of servers for a specified product type:
ServerList getServersByProductType(String params)
• Gets the list of servers that have the specified GUIDs:
BulkServiceResult getServersInfo(GUIDs serverGUIDs)
• Gets the list of all servers:
ServerList getAllServers()
• Resets statistics for the specified GMC server:
void resetServerStats(String serverGuid)
Miscellaneous Functions
• Gets the directory entries:
List<DirectoryEntry> findDirectoryEntries(DirectorySearch filter, DirectorySearchAttributeId sortAttrId, Boolean sortAscending)
• Lists the product types:
List<ProductType> listProductTypes()
• Uploads the SMIME certificate for a specific device, defined by its
GUID.
void uploadSmimeCertificate(String guid, byte[] encryptionCertificate, String encryptionCertificateName, byte[] signatureCertificate, String signatureCertificateName)
guid = handheld GUID
encryptionCertificate = the certificate to encrypt by
encryptionCertificateName = what name to give it
signatureCertificate = the certificate to use for digital signatures -- optional, if not given, then encryptionCertificate will be used
signatureCertificateName = what name to give the signature certificate -- optional
B Mobile Device Management
Good for Enterprise provides an easy, secure, and comprehensive
way to manage mobile devices. By accessing a universal dashboard
through any Web browser, IT administrators can instantly access all
smartphones, tablets and handheld devices in their mobile fleet. This
easy, over-the-air device management tool allows for granular and
consistent mobile security policy enforcement, and end-to-end
visibility for troubleshooting and support. IT can quickly provision
new devices, enforce passwords, enforce device restrictions (like
disable camera), configure device settings (like WiFi, VPN,
Certificates), distribute custom or third-party enterprise applications,
and establish role-based policies—from virtually anywhere, anytime.
Spend less time managing software and more time protecting
business data.
Good for Enterprise manages personally-owned and corporate-issued smartphones and tablets, and is instantly compatible with
existing components, servers and mobile devices from most major
device manufacturers.
The Good Mobile Control Console (GMC) serves as your primary
device-management tool. You use the GMC to add users/devices to
the system, configure policies that manage device use, and monitor
the devices after they are set up.
This appendix includes the following:
Configuring MDM
- iOS Configuration
- Android Configuration
- Compliance Management
- Application Management
- Setting Up (Provisioning) Mobile Devices with MDM
Using MDM
- Asset Management
Configuring MDM
iOS Configuration
As a first step in turning on the iOS MDM feature, you will need to obtain
a Mobile Device Management (MDM) Certificate signed by Apple.
Without the certificate you cannot perform administration tasks
remotely on Apple devices.
Obtaining a Mobile Device Management Certificate Signed by Apple
To generate the signed certificate required by the iOS MDM policy
feature, follow this procedure:
Generate the file and upload to Apple
1. Click the Generate Certificate Request button on the Settings >
Certificates page.
2. Enter the required information and click Next.
3. Make a note of the Apple URL to which you will upload the
certificate request.
You must log in with your Apple I.D. to https://identity.apple.com/pushcert/.
4. Select Generate and save the generated file to your local drive.
The file should end with the extension .plist.
Obtain a signed certificate from Apple
1. At https://identity.apple.com/pushcert/, sign in to Apple's Push
Certificate Portal with your Apple ID.
(Accept the terms and conditions, if you have not already done so.)
2. Click Create a Certificate.
3. Choose the .plist file that you downloaded and saved, and select
Upload.
You should see a confirmation message with a Download button.
4. Download the file to your local hard drive and return to the Good
Mobile Control Settings > Certificates page.
This file will have the extension: .pem.
* Internet Explorer users, see known issues below.
Upload the signed certificate to Good Mobile Control
1. Click the Upload Signed Apple Certificate button on the Settings >
Certificates page.
2. Navigate to find the signed .pem file on your local drive.
3. The signed file should now appear in the certificate list.
* Internet Explorer users
On Internet Explorer, you will need to log out and then log back in
again to see the signed certificate. IE may also create an additional file
prior to the generation of the '.pem' file. This additional file is not
needed, but can be used to check for any possible errors.
{"ErrorCode":*80013,"ErrorMessage":"Invalid Certficate Signing Request","ErrorDescription":"The Certficate Signing Request you entered appears to be invalid. Make sure that request file uploaded is in the <a href="http://www.apple.com/business/mdm" target="_blank">correct format</a>and not empty.="}
If this shows up, delete both files and re-try the previous steps until a
clean file is generated. A clean file is an indication that the .plist file
was signed with no errors from Apple.
Renewing a Certificate
Warning: Renew this certificate when it expires, rather than
generating a new one. Generating a new certificate will require
users to manually remove the Good iOS Configuration profile
from General > Settings, relaunch the Good Client, and reinstall
the new Configuration Profile.
Do not delete the existing MDM certificate; just upload the renewed
version. On upload, the new certificate will override the old.
Scenario 1: You generated the certificate using iOS Developer
Enterprise Program’s (iDEP) Provisioning Portal (older process).
Step 1 – Follow the instructions in “MDM Push Certificate Migration
Information” on page 5 to renew the certificate with Apple. This
older process did not involve Good Technology and is between you
and Apple. If you cannot renew the certificate for any reason, you’ll
have no option but to generate a new MDM certificate.
Step 2 – Upload to Good Mobile Control by going to Settings >
Certificates and clicking the Import button. Do not delete the existing
certificate, just upload the renewed one and it will overwrite the old.
Scenario 2: You generated the certificate using Apple Push Certificate
Portal (APCP) (new process).
Step 1 – Go to the APCP website - https://identity.apple.com/pushcert.
Log in using the same Apple ID that was used to generate
the certificate. You will see an option to renew the certificate. Click
that button and download the renewed certificate.
Step 2 – Upload to Good Mobile Control by going to Settings >
Certificates and clicking the Import button. Do not delete the existing
certificate, just upload the renewed one and it will overwrite the old.
MDM Push Certificate Migration Information
The information in this section is provided by Apple. It documents
the older processes for creating and managing push certificates.
MDM push certificates created in the iOS Developer Enterprise
Program were migrated to the Apple Push Certificates Portal. This
impacted the creation of new MDM push certificates and the
renewal, revocation and downloading of existing MDM push
certificates. It did not impact other (non-MDM) APNS certificates.
If your MDM push certificate was created in the iOS Developer
Enterprise Program:
- It was migrated for you automatically.
- You can renew it in the Apple Push Certificates Portal without
impacting your users (and the topic will not change).
- You’ll still need to use the iOS Developer Enterprise Program to
revoke or download a pre-existing cert.
If none of your MDM push certificates are near expiration, no action
is needed. If you do have an MDM push certificate that is
approaching expiration, have your iOS Developer Program Agent
log in to the Apple Push Certificates Portal with their Apple ID.
Renewal of MDM push certificates
To renew an MDM push certificate that was created in the iOS
Developer Enterprise Program, visit Apple Push Certificates Portal
and log in with the Apple ID of the Agent on your iOS Developer
Enterprise Program membership. Existing certificates will list
"Migrated" as the Vendor.
Renewal of existing MDM push certificates via the Apple Push
Certificates Portal will ensure the topic of the certificate will not
change. This means users will not need to re-enroll devices and MDM
service will not be impacted by this change. New MDM push
certificates created in the Apple Push Certificates Portal are assigned
a topic automatically and cannot be customized.
To renew an MDM push certificate that was created in the Apple
Push Certificates Portal, visit Apple Push Certificates Portal and
log in with your Apple ID.
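Because a renewal is only transparent to enrolled devices when the topic stays the same, it is worth comparing the renewed .pem file with the one currently in use before uploading it. The class below is an added example, not part of the Good product or of Apple's text; it assumes both certificates are available as files, and that the topic is carried in the UID attribute of the certificate subject, as in Apple-issued push certificates. The class name PushCertRenewalCheck is hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Hypothetical pre-upload check (added example) for a renewed MDM push certificate. */
public final class PushCertRenewalCheck {
    private PushCertRenewalCheck() {}

    static X509Certificate load(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** Assumption: the push topic is the UID attribute of the subject DN. */
    static String topic(X509Certificate cert) throws Exception {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("UID".equalsIgnoreCase(rdn.getType())) {
                Object value = rdn.getValue();
                return value instanceof String ? (String) value : null;
            }
        }
        return null; // no UID attribute in the subject
    }

    static long daysUntilExpiry(X509Certificate cert, Date now) {
        return TimeUnit.MILLISECONDS.toDays(cert.getNotAfter().getTime() - now.getTime());
    }

    /** Returns the reasons not to upload the renewed certificate; empty means OK. */
    static List<String> problems(X509Certificate current, X509Certificate renewed, Date now)
            throws Exception {
        List<String> found = new ArrayList<>();
        String currentTopic = topic(current);
        String renewedTopic = topic(renewed);
        if (currentTopic == null || !currentTopic.equals(renewedTopic)) {
            found.add("topic changed (" + currentTopic + " -> " + renewedTopic
                    + "): this is a new certificate, not a renewal");
        }
        if (renewed.getNotBefore().after(now) || renewed.getNotAfter().before(now)) {
            found.add("renewed certificate is not valid at " + now);
        }
        if (!renewed.getNotAfter().after(current.getNotAfter())) {
            found.add("renewed certificate does not expire later than the current one");
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PushCertRenewalCheck <current.pem> <renewed.pem>");
            System.exit(2);
        }
        Date now = new Date();
        X509Certificate current = load(args[0]);
        X509Certificate renewed = load(args[1]);
        System.out.println("Current certificate expires in "
                + daysUntilExpiry(current, now) + " day(s)");
        List<String> found = problems(current, renewed, now);
        for (String problem : found) {
            System.err.println("DO NOT UPLOAD: " + problem);
        }
        if (found.isEmpty()) {
            System.out.println("Same topic, later expiry: safe to upload as a renewal");
        }
        System.exit(found.isEmpty() ? 0 : 1);
    }
}
```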
Downloading of MDM push certificates
To download an MDM push certificate that was created in the iOS
Developer Enterprise Program, log in to the iOS Developer Enterprise
Program and visit the iOS Provisioning Portal.
To download an MDM push certificate that was created in the Apple
Push Certificates Portal, visit Apple Push Certificates Portal and
log in with your Apple ID.
Setting iOS MDM Policies
The iOS configuration feature allows you to set policies for your
enterprise iOS devices, utilizing iOS configuration profiles. During
Good for Enterprise setup on the iOS device, Good will create a new
configuration profile with the name you specify in the policy, in
Settings/General/Profiles (the default name is the name of the
policy).
Once you set and save iOS configuration policies in the Good
Management Console, your settings are implemented in the
following way:
• During Good for Enterprise handheld setup, or when a user runs
or is running Good on their handheld, a “Profile Required” dialog
is displayed. The user can delay the installation twice, one hour
each time.
• The user accepts this dialog and Good exits, Safari runs, and an
“Install Profile” dialog is displayed.
• The user accepts this dialog, follows the installation prompts,
provides his/her device passcode, and the Good configuration
profile is installed, containing your policy settings.
• The user is returned to Good installation or to the Good for
Enterprise application.
• Whenever configuration settings are changed for the policy in
Good Mobile Console, the process is repeated, unless the MDM
(Mobile Device Manager) option is selected (explained below); if
MDM is selected, configuration settings are updated
automatically on the device.
If the Good profile is removed from the iOS device, Good for
Enterprise is disabled. The user must repeat the procedure to install
the profile for Good for Enterprise to run again.
General Policies
Enable iOS configuration - Sets up a Good configuration file on the
iOS device (default: unchecked).
Profile name (shown on device) - Default is the policy set name
Organization - Default is an empty field
Enable remote full device wipe - Check to enable this feature on
the Handhelds page (“Erasing Handheld Data” on page 230).
Otherwise, wipe is enabled for Good data only. Default is
unchecked.
Enable MDM profile
If the MDM check box is checked, any changes made and saved to
settings on the iOS Configuration pages (General, Passcode,
Restrictions, WiFi, VPN, Web Clips) will be made to all devices to
which the present policy is applied. The user is not required to
reinstall the configuration file when changes to its settings are
made.
If the MDM check box is checked, two new options are available
on the handheld security page: remote device lock and remote
device password reset. (Requires iOS4.)
Reminder: The MDM feature requires an Enterprise MDM
Certificate signed by Apple. Using the Generate Certificate
Request button on the Settings > Certificates page, create a
certificate request file and save it to your local drive. Once it is
saved locally, upload it to https://identity.apple.com/pushcert/.
This will generate a signed certificate that you must save; then
return to the Settings > Certificates page to upload it using the
Upload Apple Signed Certificate button. For details on this
procedure, refer to “Obtaining a Mobile Device Management
Certificate Signed by Apple” on page 2.
If you attempt to enable MDM without a certificate, you’ll be
taken to the Settings > Certificates page to import one.
If you want to delete the certificate later, you must first uncheck
the MDM feature within all policy sets where it has been selected.
Warning: Renew this certificate when it expires, rather than
generating a new one. Generating a new certificate will require
users to reprovision their devices.
Profile Security (available only if MDM check box is not checked)
Allow user to remove profile (the default), or
Require password to remove profile (with field to define the
passcode), or
Do not allow profile to be removed
If the MDM check box is selected, the user always has the option to
remove the MDM profile from the device. If the MDM profile is
present on the device, the Good profile cannot be removed by the
user; if the user removes the MDM profile, he/she can then remove
the Good profile.
If the Good profile is removed from the iOS device, the user will no
longer be able to access Good data. Instead, a prompt to install the
missing profile is displayed at startup.
Passcode Policies
Use these policies to control access to the iOS device through use of a
mandatory passcode. (To control access to the Good application on
the iOS device, refer to “Supported Attachments” on page 145.) If
you tighten passcode requirements, the user is prompted to define
a new password and given an hour to do so.
Require passcode - User must enter a passcode to access the Good
applications (default: checked).
Minimum length of - Specifies the minimum length allowed for the
passcode (1-10 characters) (default: 1 character).
Allow simple value - Allows the use of repeating, ascending, and
descending character sequences in the passcode (default: checked).
Alphanumeric - Requires the passcode to contain at least one letter
and one number (default: unchecked).
Minimum number of complex characters - Requires the passcode to
contain at least this many complex characters, such as @, #, $, or % (1
- 10 characters) (default: unchecked)
Maximum passcode age - Days after which passcode must be
changed (1 day to 730 days) (default: unchecked)
Auto-Lock - Maximum allowed idle time after which device
automatically locks. (1 minute to 1 hour) (default: unchecked)
Passcode history - The number of unique passcodes required before
reuse (1 to 10) (default: unchecked)
Grace period - Maximum amount of time device can be locked
without prompting for passcode on unlock (1 minute to 4 hours)
(default: unchecked)
Maximum failed attempts - Wipe device after n attempts (a number
between 4 and 10)(default: unchecked). The full device is wiped.
Restrictions on the iOS device
Check options to disable the restrictions on the iOS device. These
restrictions cannot be modified by the user. The restrictions are
disabled by default.
• Allow use of YouTube
• Allow use of iTunes Music Store
• Allow installing apps
• Allow use of camera - Includes suboption to allow FaceTime
• Allow screen capture
• Allow syncing of consumer email accounts while roaming
• Allow voice dialing when the device is locked
• Allow In-App purchases
• Require iTunes backups to be encrypted
• Allow use of Safari* - Suboptions to enable autofill, javascript,
plugins, pop-ups; and force fraud warning; accept cookies always,
never, or from visited sites.
Note: Safari plugins can be disabled on iOS 3.x only. This policy
does not apply to iOS 4.x and higher.
• Allow explicit music and podcasts - Suboptions to specify allowed
content and applications, ratings region, allowed ratings for
movies, TV shows, and apps (iOS4 required)
Note: Safari is required to install the iOS Good profile that sets these
restrictions; Safari is also required for any subsequent updates to
these settings. If you disable Safari by unchecking its check box, you
can only disable or change Console policy settings by reinstalling
Good on the iOS device. Also, if you disallow apps installation, you’ll
need to allow it again later if the Good Client is to be updated on the
device.
Important: For security reasons, Good does not allow backup of your
Good data to iTunes or iCloud, as doing so could make your
corporate data accessible to unauthorized users. Since this data is not
backed up to iTunes or iCloud, it cannot be restored as part of any
iOS upgrade or restore from backup that you perform. As a result,
you'll need to set up your device again, updating and re-syncing the
Good for Enterprise application; that is, after the iOS upgrade or
backup, you'll be taken to a provisioning screen and be prompted for
your email address and PIN.
Wireless Networks
Good for Enterprise allows you to set or change wireless-network
connection settings for an iOS user via policy settings for the policy
set applied to the device.
To define wireless network settings for the policy set:
1. Click the WiFi tab.
All wireless connections that you’ve defined so far are listed. Click
the check box next to those whose connection details are to be sent
to iOS devices using this policy set.
2. To add details for a new connection, click Add Network.
3. Provide a Network name (SSID). Select a network type and proxy
type. Click the check boxes if desired for Auto Join, and if this is a
hidden network. You will provide additional specifications
depending upon the network type you select.
Selecting a different network type may display additional
connection parameters to be defined.
Note: The network type you select may allow a Trusted Root/
Expected Certificate. Available certificates are listed in this
window, but only if you import them first into the Console. To do
so, use the Certificate link on the Settings tab.
The Trusted Server Certificate Names field allows multiple names
to be entered, separated by commas.
4. To change the settings for a network, click the edit link for the
network on the Wireless Connections page.
5. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. Click Save
without updating to save the new policy settings without sending
the changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
VPN Connections
To set or change VPN connection settings for an iOS user:
1. Click the VPN tab.
All VPN connections that you’ve defined so far are listed. Click
the check box next to those whose connection details are to be sent
to iOS devices using this policy set.
2. To add details for a new connection, click Add Connection.
3. Provide a connection name and server hostname in the
appropriate fields. From the dropdowns, select a connection type
and account type.
Selecting a connection type will display additional connection
parameters to be defined.
Note: You can add connections with a Trusted Root/Expected
Certificate. Available certificates are listed in this connection
parameter window, but only if you import them first into the
Console. To do so, use the Certificate link on the Settings tab.
4. To change the settings for a connection, click the edit link for the
connection on the VPN Connections page. Select the connection
type to display additional fields that can be changed.
5. Click Save and send email update to have the new policy settings
sent to all affected handhelds as an email attachment. (That is, the
user must open the email on the iOS device.) Click Save without
updating to save the new policy settings without sending the
changes to any handhelds currently using this policy set. The
changes will take effect for any handhelds assigned this policy set
subsequently.
Web Clips
Use the Web Clips tab to add web clips to the Home screen of the
user’s device. Web clips provide links to specified web pages.
1. Click the Web Clip tab.
2. Click Add.
3. Enter a label for the web clip. This will be displayed on the user’s
Home screen.
4. Enter a URL to define the web clip’s link.
Note: The URL you specify must include the prefix http:// or
https://. The URL won’t be accepted without it.
5. To give the user the option of removing the clip, check the
Removable box.
6. To add a custom icon, use the Browse button or enter the path and
file name of a graphic file in gif, jpeg, or png format, 59 x 60 pixels
in size. The image is automatically scaled and cropped to fit, and
converted to png format if necessary. You can specify a
precomposed icon and that the clip be displayed full-screen.
Android Configuration
The Android configuration feature provides additional policy
settings for your enterprise Android devices.
General Policies
Enable Android Full-Device Administration - Enables the Android
configuration plugin feature.
Enable remote full device wipe
Enable remote full device lock
Enable remote device password reset
Check the check box to enable the feature on the Handhelds page
under Security. Otherwise, the wipe, lock and change-password
actions are available only for the Good for Enterprise application on
the device. Default is unchecked.
If you enable these additional settings, Good is added to affected
devices as an administrator in Settings/Location/Security. If the user
deselects Good via “Select device administrators,” he/she is
locked out of the Good for Enterprise application. Any passcode
settings remain in effect, but the user can change them. The device
can still be wiped or locked if these features are enabled, until the
Good application is removed from the device. To delete Good from
the device, disable device administration or on the device deselect
Good as a device administrator.
Passcode Policies
Use these policies to control access to the Android device through use
of a mandatory passcode. (To control access to the Good application
on the Android, refer to “Supported Attachments” on page 145.)
Require passcode - User must enter a passcode to access the Good
applications (default: checked).
Minimum length of - Specifies the minimum length allowed for the
passcode (1-10 characters) (default: 4 characters).
Alphanumeric - Requires the passcode to contain at least one letter
and one number (default: checked).
Auto-Lock - Maximum allowed idle time after which device
automatically locks (1 minute to 15 minutes) (default: unchecked).
Maximum failed attempts - Wipe device after n attempts (a number
between 4 and 16) (default: unchecked). The full device is wiped.
Compliance Management
Compliance management options, including compliance reporting,
are described in “Compliance Manager” on page 156.
Application Management
Adding and Managing Enterprise Applications Using a Policy
To add and delete custom applications to or from the software
package for a policy set, first ensure that the applications are
available in the Console applications catalog by using the Custom
Software page on the Settings tab to check the list of available
applications for this Console.
Use the instructions in this section to add or delete applications to the
list (catalog) on the Custom Software page on the Settings tab. Then
you can add and delete third-party applications to or from the
software package for a policy set on the Application Management
page.
To add or delete custom applications from the software package:
1. First, ensure that the desired application is listed in the catalog, or
add it to the catalog. To do so, click the Custom Software link on
the Settings tab.
2. To add a custom application to the package, click the Add button.
3. Choose the handheld platform for the application from the
drop-down. Enter the application path and filename or use the Browse
button to navigate to it and select it. (For iOS files,
.ipa/.mobileprovision.)
For iOS5 files, you have the option of specifying a URL rather than
a path and filename for an application.
4. Click Continue.
5. Enter values for the Name, Version, and Description fields and
then click the Finish button.
Restrictions on the custom software:
• Name: 50 characters
• Version: 21 characters
• Description: 256 characters
• Name, Version, and Description fields cannot be empty
• Field properties cannot be changed after upload
• Zero-length files cannot be uploaded
• Single stand-alone applications only can be uploaded
• If the file is greater than 5MB in size, a warning is displayed
but the upload proceeds. You can upload 1,000 files or up to a
total of 150MB of files, whichever comes first. To add more,
you must remove some of the existing files, to get below both
of these limits.
• Android files will be .apk.
• iOS applications are uploadable in .ipa form.
• Note: Most Windows Smartphone handhelds have code-signing
requirements. Applications that are not signed by
Mobile2Market (or by proprietary carrier certificates) may not
install properly.
6. If you later want to delete a custom application from the list, click
the check box next to the application and click the Delete button.
Multiple selections are supported.
If the operation is not supported for a particular handheld
platform, no applications will be displayed.
7. To manage a custom application using a specific policy set, now
add the custom application to the policy set.
a. On the Policies/Application Policies/Application Management
screen, under Enterprise Applications click Add Application.
Choose an OS Platform from the drop-down.
Choose the desired application from the list (which reflects the
custom applications added using Settings/Custom Software).
For supported, “managed,” applications, select the Set as
Managed check box to allow installation/uninstallation of the
application on all or individual devices from the Console.
Select “Disable syncing to iTunes/iCloud” and/or “Auto-uninstall
if MDM removed” to enable these automatic device-management
policy functions.
b. Click Continue when done.
8. To enable the application for a policy set, click the check box next
to it.
9. To remove the application from the software package later, click
the check box next to it and click the Remove button.
For supported (iOS5), managed applications, you are given the
option of either just removing the application from the package, or
removing it from the package and deleting it from all affected
handhelds. To remove the application from the package and from
selected handhelds only, choose to remove it only from the
package here and then uninstall it from each handheld using the
Actions Uninstall link in Applications for the handheld on the
Handhelds tab. Note that the application does not ever appear in
the user’s application catalog.
All handheld users for the affected Good Mobile Messaging Servers
are notified when additions to the package are enabled using the
Application Management option, with instructions on how to
download and install the applications wirelessly on their handhelds.
To view information about the new software, click the name of the
application in the Custom Software list on the Settings tab. For
example, the following information is displayed for an application
named “Call Tracker”.
Deleted applications are not deleted from handhelds that already
have them installed.
“Managed” Applications
Some platforms (iOS5 in this release) provide the following added
MDM management features for third-party applications. You can
enable/disable them when adding an application to the package and
later on the Policies/Application Management page.
• Install/uninstall
For supported applications, you are given the option of removing
the application from the software package, or removing it from
the package and deleting it from all affected handhelds. To
remove the application from the package and from selected
handhelds only, choose to remove it only from the package using
Policies/Application Management/Remove, and then uninstall it
from each desired handheld using Handhelds/Applications/
Actions/Uninstall.
• Automatic uninstall if MDM profile is removed from the device.
Use the check box provided to enable/disable (enabled by
default).
• Disable syncing to iTunes/iCloud. Use the check box provided to
enable/disable (enabled by default).
Handheld users are notified of changes to the package, with
instructions on how to download and install updated applications
wirelessly on the handhelds. Any software policy changes are
employed.
Applications that have been deleted from the software package by
Good Technology are not deleted from the handheld if they have
been previously installed.
Setting Up (Provisioning) Mobile Devices with MDM
The Mobile Device Management features included with the Good For
Enterprise Android and iOS Clients are embedded in the Clients. No
special setup steps are required when setting up a device, as
described in Chapter 5.
Using MDM
Asset Management
Use the Handhelds tab on the console to display a list of handhelds
and their owners, as well as detailed information about each
handheld. Information available includes handheld connection status
to the Good Mobile Messaging Server.
Note: Some information is not available on all clients.
Note: To display an iOS device’s Alternate Identifier (its IMEI or
hardware model) in the Console, you must enable the iOS
configuration profile on the device, with the profile installed.
To view and use handheld information:
1. In the Good Mobile Control Console, click the Handhelds tab.
The Handhelds page displays information such as the name of
each device, the email account associated with it, its phone
number, status, platform, device model, the policy set currently
applied to it, its Good Mobile Messaging Server, its current Client
version and so on (the columns are configurable).
The second (untitled) column provides compliance indicators. A
blank field indicates current device compliance with respect to its
currently configured policy settings. An exclamation point
indicates that the device is out of compliance with these policies.
A question mark indicates that the device is not set up and sync’d,
or that the device (e.g., Windows Mobile) is not supported for this
feature, or that the device is running an earlier, unsupported
Client (less than 1.7.3 for Android; less than 1.9.3 for iOS). For
more information on compliance issues with the device, click on
the device and check the list of reports for it in the left pane on the
device’s Handheld Details page. See also “Compliance Report” on
page 35.
2. Use the left panel of filters to display subsets of the complete list,
according to Good Messaging Server, compliance, device
platform, carrier, and department.
3. Click the name of the handheld listed on the Handhelds page.
4. Click the various links in the left pane to display handheld
information and to run diagnostic tests and configure logging. For
more information, see the following sections.
5. For more information about a specific device, click its link on the
Handhelds page to open a Detailed View for it.
6. You can enable or disable data roaming for supported handhelds.
To do so for multiple handhelds, select the action from the Apply
Action drop-down menu on the Handhelds page. To do so for a
specific handheld, navigate to its Handheld Info page and from
the information list on the page, use the enable/disable
drop-down menu for data roaming.
Note that the link for a compliance report is displayed only if a
supported device has failed one or more compliance tests. (Refer to
“Compliance Report” on page 35.)
You can also use the Good Monitoring Portal to help monitor and
manage the handhelds (“Using the Good Monitoring Portal
Dashboard” on page 249 and “Using the Good Online License Portal”
on page 252).
Use the Home tab to display a report on currently paused handhelds
(“Inactive Handhelds” on page 252).
Viewing Device Information
The Handheld Info link in the left panel for a handheld displays a
great variety of device information, including but not limited to the
following:
• Name - User’s Active Directory display name
• Email - User’s email address for the account sync’d to this
handheld
• Serial number - Handheld’s serial number
• Department - User’s Active Directory department
• Directory status - Current Active Directory status
• Status - Current handheld status (blank (active) or “Inactive”). The
amount of inactivity that qualifies the device for an Inactive
setting is specified on the Policy Settings page in the Settings tab.
• Status Message - Never provisioned, Running, Disabled, Failed,
Client disconnect, Console disconnect, User not enabled, Failed to
recover, Out of sync
• Policy Set - Policy set assigned to handheld
• Policy Status - “Using the Good Monitoring Portal Dashboard” on
page 249 and “Using the Good Online License Portal” on
page 252.
• Firmware version
• Handheld OS
• Handheld OS version
• Handheld OS language
• Good for Enterprise Client Language
• Device type
• System Identifier - Unique Good Mobile Control Server ID
number for the handheld
• ROM version
For supported devices with MDM enabled (“iOS Configuration” on
page 2), lists of installed applications, certificates, and provisioning
profiles are included.
Click Refresh Data to update the handheld information (iOS MDM).
The Console sends a query to the handheld and retrieves data from it.
The button is grayed out if the handheld family is not supported, or if
the handheld is unavailable due to OS version or policy settings. If
the handheld is turned off or is out of its service area, the request will
persist until the handheld is able to respond.
Click on a device name to open a Detailed View of device
information.
To enable FIPS, refer to “Enabling FIPS Testing” on page 232.
Performing Device Actions
MDM allows you to lock handhelds and erase handheld data
remotely, as well as create temporary unlock passwords.
The Security link in the left panel for a handheld displays the
following information:
• Erase state - Not Applicable (no Erase Data issued for this
handheld), Erase Data issued, Erase Data confirmed.
Actions on the Security page:
• Lock Handheld - Refer to “Locking Out a User” on page 229.
• Erase Data - Refer to “Erasing Handheld Data” on page 230.
• Create Unlock Password - Refer to “Resetting a Password
Remotely (iOS, Android)” on page 226.
Managing Device Provisioning
On the OTA page, you can resend OTA messages and create new user
OTA PINs.
The OTA page provides the following information:
• OTA state - Unknown, Enabled, Provisioning_Failed,
Provisioning_Denied, Provisioned, Erase_Data_Issued,
Erase_Data_Confirmed, Erase_Data_Error
• OTA PIN
• OTA PIN state*
• OTA PIN expire time
• EMail - Email address for the handheld
• Last provisioned - Date and time
• OTA download URL - Source for application download
*For “OTA PIN state,” the following values are possible:
Status - Description
• Valid - PIN is valid and can be used.
• Expired - PIN has expired. IT must generate a new PIN for any
new OTA setup.
• Reuse exceeded - At least one OTA setup has taken place on the
handheld. The PIN cannot be reused until it has been regenerated.
(Applicable if the “Disallow PIN after first-time use” check box is
checked on the OTA PIN Policies tab.)
• Expired and reuse exceeded - The PIN has expired. The PIN cannot
be reused until it has been regenerated.
Refer to “Provisioning” on page 148 for more on PIN expiration and
reuse.
Actions on the OTA page:
• To resend the OTA welcome email message, click the Resend
Email button.
• To regenerate the OTA PIN, click the Regenerate Provisioning
PIN button. Refer to “Generating New User PINs” on page 216.
Managing Device Applications
Compliance Report
The Good Management Console makes it easy for you to track your
devices with respect to their compliance with your policy settings. If
a device’s compliance status changes, Good Mobile Device
Management keeps track of the fact. This section describes how to
access and review your compliance data.
If a device is out of compliance with your application policies, you
can lock or erase the device, or in some cases remove the problem
application.
For a quick overview of the compliance situation, go to the
Handhelds tab. You can customize the device information view by
clicking on the “Select Columns” icon and choosing from the
drop-down menu. Device compliance status is tracked in the second
column of the device list.
Compliance status
This second (untitled) column can display three possible compliance
indicators: a blank field, an exclamation point, and a question mark.
A blank field indicates the device is in compliance with respect to its
currently configured policy settings. An exclamation point indicates
that the device is out of compliance with these policies. A question
mark indicates that the compliance check is pending for the device.
This can happen when the device is not connected, is not set up, or is
not sync’d, when the device (e.g., Windows Mobile) is not supported
for this feature, or when the device is running an earlier, unsupported
Client (less than 1.7.3 for Android; less than 1.9.3 for iOS).
To display only those devices in or out of compliance, use the related
Filter by Compliance filters in the left panel.
On the Handhelds tab, you can run a full compliance report and
export it to an Excel spreadsheet. To do so, select Export Compliance
Report from the Select Import/Export Action pull-down menu.
This generates a report showing all changes in device compliance for
all devices in the current view.
The rows in the report are grouped by device, with a separate row for
each change in the compliance status of the device. The report
provides the changed status, the affected policy setting, the cause for
the change, and any action taken, as specified by the policy.
Out-of-compliance causes can include jailbreak detection,
connectivity verification (device must have connected to Good
within a specified time), OS version verification, hardware model
verification, etc. Out-of-compliance actions can include exiting from
the Good Client on the device, deactivating the Client, and creating a
compliance report. (Refer to “Compliance Manager” on page 156.)
For more information about a specific device, click its link on the
Handhelds page to open a detailed view for it. If a device is out of
compliance, a report link is added to the left pane.
Compliance report is added for devices with compliance data available
Click the Compliance Report link to display the report.
Click Refresh to update the report. The Console will query the device;
device response will depend upon the current device state. The
request for information will persist until the device is available to
answer it. Click Export to create an Excel report based upon the
screen display.
Installed Applications
The Applications link lists the package name, version, size, type,
source, status, and, for “Managed” devices, actions (install, uninstall)
for every software package installed on the device. If the iOS device
is to be managed (take advantage of MDM policy settings), the device
must contain an enabled MDM profile (refer to “iOS Configuration”
on page 2).
Click the Export button and choose an application such as Excel, to
export the information on-screen into a file.
For managed devices, click the install/uninstall link in the Actions
column to add or remove the custom software to or from the device.
C Good Mobile Control Performance and Scalability
Several performance and scalability improvements were added in the
v1.3.5 release of Good Mobile Control (GMC). These enhancements
have greatly improved the number of devices that can be managed
on a single GMC server. The focused improvements along with
appropriate server configurations will enable customers to achieve
the higher performance level. The purpose of this appendix is to
share details on changes made and provide guidance on
recommended configuration settings.
Scalability Improvements
The latest release of Good Mobile Control can support up to 10,000
handhelds per instance.
Customers have reported that it took them up to 25-30 times less time
to perform tasks like running GMC reports or collecting GMC data.
Several enhancements made in the server code together with specific
environment settings helped us achieve increased performance
levels.
Server code change highlights:
• Better Task Scheduling
- Priority based queue employed for tasks.
- A user task has a higher priority than a background task.
- Priority lowered for background tasks that incur large system
load.
• Improved Process for exporting handheld statistics
- Deployed parallel work processing techniques, yielding a
200% to 300% improvement in performance.
• Removed redundant code and tuned slower queries.
• Moved and sequenced nonessential upgrade activities until after
startup.
• Increased the DB Connection Pool size from 16 to 32.
• Enhanced caching of common queries and increased the caching
duration making the data available much sooner.
• iOS MDM processing improvements
- Employed multi-threaded processes for adding handhelds and
changing iOS configuration policies.
- Dramatically improved database queries that consumed a lot
of CPU, network, and memory, and that took read locks.
Note: Actual time to bulk process handhelds could vary by
operations or number of devices. The system processing has been
improved to support 10,000 handhelds; however, the actual UI
response time could be up to 20 minutes or more depending on the
task.
Supportability Guidelines
Performance of a Good Mobile Control instance depends on a large
number of factors, including server settings, environment variables,
instance capacity and load. This section provides additional
guidelines for administrators to achieve optimal performance levels.
• Supported Application and Database Server Software
Refer to http://good.com/support/lotus-domino-compatibility.php.
• Capacity Planning Guidelines
Use these sizing guidelines for initial capacity planning. Then
perform load testing and use the results to fine-tune the GMC
instance and recalculate the capacity needed to ensure the desired
performance level.
- Deploy low latency, high bandwidth network between GMC
and its database. The best practice is a latency <= 1 ms. SQL
Server should not be burdened with a lot of additional work.
- Use multicore hardware from the last few years. The test was
performed with 4 cores.
- Don’t share hardware resources with other processes/virtual
machines.
- If on a physical machine, then don’t run other processes on the
same machine.
- GMMS should be on a separate machine.
- If on a virtual machine, the requirements are the same as those of a
physical machine. Additionally, the virtual machine should
have dedicated CPUs and RAM.
- Use sufficient RAM per server instance. 4GB or more is
recommended.
- Java VM heap sizing arguments: -XX:MaxPermSize=128m -Xms1080m -Xmx1080m
Monitoring Guidelines
Note the following when monitoring Good Mobile Control
performance:
• CPU load should average 80% or less over a 10-minute period;
exceptions include startup right after an upgrade, and changing
iOS MDM policy.
• The new GMC release enhances the current logging process to
bring more “self-awareness.” It empowers system administrators
to find the performance bottlenecks by capturing information
about the most egregious processes. Administrators should
monitor the GMC log file periodically. Grepping for the keyword
“Slow” will reveal system stress points.
Example: Slow login time of 7259 ms
What It Might Mean: This is the time spent trying to authenticate the
credentials of the user logging in. To make it faster, examine the
directory server (Domain Controllers for AD) and the network to them
from GMC.

Example: Slow query, 8000ms. Loading of devices. For 100 devices
What It Might Mean: This is the time it took to load the rows for 100
handhelds. Check the latency and bandwidth from GMC to SQL Server.
Check to make sure SQL Server is not overburdened.

Example: Slow query, 6000 ms. criteria: … For 100 devices
What It Might Mean: This is the query for devices without loading the
entire row. Latency and bandwidth should not matter much to this one.
Check to make sure SQL Server is not overburdened.

Example: Slow home page time of 9000 ms
What It Might Mean: The home page is mostly about showing counts
about the data in the database. This is probably not a bandwidth
problem since the amount of data retrieved from SQL Server is small.
This likely is not a latency problem as the number of queries is not
too many. Check to make sure SQL Server is not overburdened.
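The log check described above, as an added example that is not part of the original guide or of Good's own tooling: a Python script that finds “Slow” entries, extracts their durations, and groups them by the message shapes listed in the table. The timestamp and level prefix on the sample lines, the “Slow export” line, and all function and category names are assumptions made for illustration.

```python
import re

# Message shapes come from the guide's "Slow" examples. The exact GMC log
# line layout is not given there, so nothing before "Slow" is relied on.
LOGIN = re.compile(r"Slow login time of\s+(\d+)\s*ms")
HOME = re.compile(r"Slow home page time of\s+(\d+)\s*ms")
QUERY = re.compile(r"Slow query,\s*(\d+)\s*ms")
DEVICES = re.compile(r"For\s+(\d+)\s+devices")

# Follow-up checks, paraphrased from the guide's table.
HINTS = {
    "login": "Examine the directory servers and the network from GMC to them.",
    "query_load_rows": "Check latency/bandwidth from GMC to SQL Server and SQL Server load.",
    "query_criteria": "Latency and bandwidth matter little here; check SQL Server load.",
    "home_page": "Probably not bandwidth or latency; check SQL Server load.",
    "query_other": "Slow query of a shape the guide does not list; review by hand.",
    "unclassified": "Contains 'Slow' but no known shape; review by hand.",
}

# Constructed sample input: the prefixes and the last line are invented.
SAMPLE_LOG = [
    "2012-04-25 09:00:01 INFO  Console started",
    "2012-04-25 09:01:12 WARN  Slow login time of 7259 ms",
    "2012-04-25 09:02:40 WARN  Slow query, 8000ms. Loading of devices. For 100 devices",
    "2012-04-25 09:03:05 WARN  Slow query, 6000 ms. criteria: ... For 100 devices",
    "2012-04-25 09:04:30 WARN  Slow home page time of 9000 ms",
    "2012-04-25 09:05:02 WARN  Slow login time of 3100 ms",
    "2012-04-25 09:06:00 WARN  Slow export of statistics",
]


def classify(line):
    """Return (category, duration_ms, device_count), or None without 'Slow'."""
    if "Slow" not in line:
        return None
    found = DEVICES.search(line)
    devices = int(found.group(1)) if found else None
    found = LOGIN.search(line)
    if found:
        return ("login", int(found.group(1)), devices)
    found = HOME.search(line)
    if found:
        return ("home_page", int(found.group(1)), devices)
    found = QUERY.search(line)
    if found:
        if "Loading of devices" in line:
            kind = "query_load_rows"
        elif "criteria:" in line:
            kind = "query_criteria"
        else:
            kind = "query_other"
        return (kind, int(found.group(1)), devices)
    # Keep unknown "Slow" lines visible instead of dropping them silently.
    return ("unclassified", None, devices)


def summarize(lines):
    """Per-category count, worst duration and total duration in ms."""
    stats = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, ms, _devices = hit
        entry = stats.setdefault(category, {"count": 0, "max_ms": 0, "total_ms": 0})
        entry["count"] += 1
        if ms is not None:
            entry["max_ms"] = max(entry["max_ms"], ms)
            entry["total_ms"] += ms
    return stats


def triage(lines):
    """Rows of (category, count, max_ms, hint), worst duration first."""
    rows = [(cat, s["count"], s["max_ms"], HINTS[cat])
            for cat, s in summarize(lines).items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for category, count, max_ms, hint in triage(SAMPLE_LOG):
        print(f"{category:16} n={count} worst={max_ms} ms  {hint}")
```

To run it against a real log, pass the file's lines to triage() in place of SAMPLE_LOG.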
44
Good Mobile Messaging Administrator’s Guide
Index
A
address, Good Messaging host 288
Android device 113
Android Market 114
application status details 242
applications list, third party 208
applications, installed on
handheld 237, 32
attachments
exceptions to receiving 145
exceptions to sending 144
receiving 145
receiving blacklist 145
receiving size limits 145
receiving whitelist 145
sending 144
sending blacklist 144
sending size limits 144
sending whitelist 144
attachments supported by
Email 145
auto-completion of Console
password entry 93
B
backup
Good Messaging Servers 342
backup Good Mobile Control
(GMC) database
automatic option in installer 72
manual backup and restore 298
beaming contacts 143
blacklist
receiving attachments 145
sending attachments 144
blocking applications 155
Bluetooth radio, enable 147
C
cache directory location 82
card, SD 108
catalog, applications 219, 22
adding/deleting files 220, 23
certificate
importing 93
obtaining a mobile device
management certificate
signed by Apple 187, 2
restoring 94
certificates on handheld 237, 32
changing
handheld user 234
handheld user name 257
iOS VPN connections policies 16
iPhone VPN connections
policies 184
password policies 137
policies 129
policy assigned to a
handheld 131
user’s server 257
Check for New Services button 290
clusters 342, 346
configuring cluster services 374
Good Messaging Servers 341
installing cluster tools 374
installing primary and standby
GMC Server 363
Good Mobile Messaging Administrator’s Guide
45
Index
installing the first clustered
node 349
installing the second clustered
node 355
prerequisites 343
resources 401
shared disks 344
uninstalling 403
collecting handheld data (Refresh
Data button) 237, 32
command-line utilities 307
Compliance Manager
"Check to Run" 159
built-in rules 159
custom rules 159
policies, configuring 156
rules files 164
wiping the iPhone 162
Compliance Report 162, 167, 235, 30
configuration
iOS 2
iOS general policies 8
iOS passcode policies 192, 21
iOS wipe policy 192, 8, 20
iOSgeneral policies 191, 19
iPhone 175
iPhone general policies 176
iPhone passcode policies 178
iPhone setting restrictions 180
iPhone wipe policy 177
Console users authentication,
directory for 290
Console, overview 28
contacts
beaming 143
synchronized 115
custom software, adding and
deleting from the software
package 219, 22
customizing OTA setup
message 217
D
dashboard (Good Monitoring
Server) 282
adding a Server 285
data encryption, enabling 171
data roaming 228
46
database, Good Mobile Control
(GMC)
automatic backup in installer 72
manual backup and restore 298
deployment, Good Messaging
Server 297
detailed calendar reminder
notifications 91
detailed logging, for handhelds 238
DeviceAppList.ini 173
diagnostic log files 294, 338
directory information
Console users authentication 290
handheld enablement 290
disaster recovery, Good Mobile
Control (GMC) 305
disclaimer display rules file 162
discovery, enable 147
Domino server
configuration requirements 11
moving handheld to
different 258
E
email security 21
enabled application status
details 242
encryption of data, enabling 171
error messages 296
errors 313
Windows Event Viewer
Application log 119
event and error message
synchronization 55, 81
exceptions to synchronization 261
exchanging a user’s handheld 260
extensions, Compliance
Manager 156
F
file repository 153
files, rules for application
control 164
flash card 108
G
GdGLSConnect 334
General tab 296
Good Mobile Messaging Administrator’s Guide
getHandheldInfo 454
GMA Secure Browser 193
GMC Web Service
authentication 433
BulkServiceResult array 432
examples 434
functions summary 451
integrating applications with 433
overview of 431
working with 432
gmexportstats 255, 330
userlist output 332
usersoftware output 333
userstats output 332
Good Messaging Domino directory
service 14, 24, 27, 213, 264,
265
Good Messaging Server
clustering resources 401
clusters 341
deployment 297
handheld ID 227
host address 288
host prerequisites 35, 46
host system requirements 2
information, displaying 287
installing 14, 74
introduction 30
license key 79, 288
logging 291
managing 263
moving handheld to
different 259
moving to new host 264
name 79, 288
redundancy 297
serial number 79, 288
server list 287
Server requirements 4
software license agreement 52, 78
standby 342
uninstalling 427
utilities 307
Good Mobile Access Secure
Browser 193
Good Mobile Console
disabling auto-completion of
login credentials 93
Good Mobile Control
performance and scalability 41
Good Mobile Control (GMC)
clustering resources 401
Console filters 96
Console, configuring 92
disaster recovery 305
host requirements 3
manual consistency check 306
moving to new host 264
overview 28
reconciling configuration
inconsistencies 305
Server requirements 4
Server, described 2
Good Mobile Control (GMC)
database
automatic backup in installer 72
manual backup and restore 298
Good Mobile Control service 14, 24,
27, 213, 264, 265
Good Mobile Messaging service 14,
24, 27, 213, 264, 265
Good Mobile Messaging,
overview 17
Good Monitoring Portal 17, 283
adding a Server to dashboard 285
user and handheld status 30
Good Network Operations
Center 19
Good Online License Portal 252
Good server Domino directory
service 14, 24, 27, 213, 264,
265
GoodLinkAddUser 308
GoodLinkDeleteUser 311
GoodLinkQueryUser 313
GoodLinkRegenOTAPIN 327
H
handheld
adding a list to server 117
authentication 20
changing policy assigned to a
handheld 131
changing server or user
name 257
changing user 234
exchanging a user’s 260
exporting statistics 254
Good Mobile Messaging Administrator’s Guide
47
Index
Handheld Authentication
link 137
ID 227
locking out a user 229
logging, enabling detailed 238
management 121
moving to different Domino
server 258
moving to different Good
Messaging Server 259
paused reasons 253
preparation 105
security 20
setup 15, 30, 109
suspending messaging 228
transferring to new user 234
wireless setup 116
handheld enablement, directory
for 290
host address, Good Messaging
Server 288
I
iCloud
disable syncing 224, 26
ID, handheld Good Messaging 227
IMEI 235, 29
import, syntax 118
importing
certificate 93
inactive status 252
infrared radio, enable 147
installation 1, 35, 49
concepts 27
Good Messaging Server 74
Good Messaging Server name 79
license key 79
outline 35, 49
prerequisites 35, 46
serial number 79
steps 35, 49
tasks 35, 49
installed applications 237, 32
intranet browser policies 193
introduction
Good Messaging Server 30
Good Mobile Control (GMC) 28
installation 27
multiple servers 25
48
wireless
synchronization 18
iOS
changing passcode policy 16
configuration 2
general policies 191, 8, 19
IMEI 29
passcode policies 192, 10, 21
restrictions on the device 12
VPN connections 16
web clips 17
WiFi 13
wipe policy 192, 8, 20
iOS configuration
MDM 177, 8
IP
IP addressing 47
IP range 291
iPhone
changing passcode policy 184
configuration 175
general policies 176
IMEI 235
passcode policies 178
setting restrictions 180
VPN connections 184
web clips 185
WiFi 181
wipe policy 177
iTunes
disable syncing 224, 26
K
key, license 79, 288
L
license
agreement 52, 78
key 79, 288
License Portal 252
list of handhelds, adding to Good
Messaging Server 117
location of
cache directory 82
Good Messaging log 55, 81
Good Messaging Server
software 81
lockdown WiFi 147
locking out a user 229
log file
diagnostic 294
Windows Event Viewer
Application Log 119
Log Upload tab 292
logging
Good Messaging Server 291
handhelds, enabling detailed
on 238
PIN 16, 30, 113, 216
Over The Air 15, 31, 105, 210
overview
Good Messaging Server 30
Good Mobile Control (GMC) 28
installation 27
multiple servers 25
wireless
synchronization 18
M
mail accounts 27
managed applications 226, 27
managed devices 224, 225, 226, 25,
26, 27
managing
Good Messaging Servers 263
handhelds 121
with Performance Monitor 294
manual consistency check,
GMC 306
Market, Android 114
MDM profile 177, 8
memory card 108
message, customizing OTA
setup 217
messaging link, viewing 246
Microsoft clusters 342
moving handheld
to different Domino server 258
to different Good Messaging
Server 259
multiple mail and Good Messaging
Servers 25
P
passcode policies
iOS 10
password
changing policies 137
temporary unlock 227
password, resetting remotely 227
paused handhelds 253
performance
Good Mobile Control 41
Performance Monitor 294
PIN 16, 30, 113, 216
policies
changing 129
changing iOS VPN
connections 16
changing iPhone VPN
connections 184
changing password 137
changing policy assigned to a
handheld 131
compliance rules 164
Good Mobile Access Secure
Browser 193
user 111
Portal, Good License 252
Pre-installation 13
prerequisites 35
Good Messaging system 1
Provisioning link 148
provisioning profiles on
handheld 237, 32
proxy
standby 388
proxy column 291
proxy screen 83
proxy server
Good Messaging 64
Secure Browser 200, 204
N
name
Good Messaging Server 79, 288
user 257
Network Operations Center 19
network status link, viewing 240
new services check 290
nGMMTool 317
O
OTA 15, 22, 31, 105, 210
customizing setup message 217
link, viewing 245
standby 373
R
range, IP 291
reconciling configuration
inconsistencies, GMC 305
redundancy, Good Messaging
Server 297
Refresh Data button 237, 32
remembering Console login
credentials 93
report, compliance 162, 167, 235, 30
repository, file 153
require password 137
resetting device password
remotely 227
resources, clusters 401
restore Good Mobile Control (GMC)
database 298
restoring a certificate 94
restrictions
iOS device 12
resynchronization 262
roaming, data 228
role-based administration 97, 122
roles 97, 122
ROM, handheld 255
rules
disclaimer display 162
files for compliance policies 164
for required handheld
applications 164
S
scalability
Good Mobile Control 41
SD card 108
Secure Browser, Good Mobile
Access 193
security
administrative security 21
email 21
handheld 20
handheld authentication 20
overview 19
password 137
Security Link 239
serial number
Good Messaging 288
Good Messaging Server 79
server information, displaying 287
server list, Good Messaging
Servers 287
server name (Good Messaging) 79,
288
service
Good Messaging Domino
directory service 14, 24, 27,
213, 264, 265
Good Mobile Control service 14,
24, 27, 213, 264, 265
Good Mobile Messaging
service 14, 24, 27, 213, 264,
265
Good server Domino directory
service 14, 24, 27, 213, 264,
265
setting up the handheld 15, 30, 109
setup
Good Messaging Server 74
Good Messaging Server name 79
handheld 105
license key 79
serial number 79
setup message, customizing
OTA 217
setup time, server 288
wireless (handheld) 116
shared disks for clusters 344
site license key 79
software
download defaults 103
license agreement 52, 78
SQL Server, preparing for use with
GMC 8
standby Good Messaging
Server 342
statistics
exporting handheld statistics 254
Good Messaging Server 287
status
definitions for user OTA
application policies 241
enable applications details 242
inactive 252
storage card 108, 150
Superuser
changing 123
defining for first time 68
described 122
support 297
supported attachments 145
suspending handheld
messaging 228
synchronization 18
error and event messages 55, 81
exceptions 261
syntax, import 118
T
tab
General 296
IP range 291
Log Upload 292
range, IP 291
technical support 297
template
OTA Setup email message 217
rule files 164
temporary unlock password 227
third-party applications list 208
time, server setup 288
transferring handheld to new
user 234
U
UDP security 47
uninstalling
Good Messaging Server 427
unlock password, temporary 227
uploadLog 337
user name, changing for
handheld 257
user PIN 16, 30, 113, 216
user policies 111
UserProfilechkTool 322
utilities
diagnostic log files 338
GdGLSConnect 334
gmexportstats 330
Good Messaging 307
GoodLinkAddUser 308
GoodLinkDeleteUser 311
GoodLinkQueryUser 313
GoodLinkRegenOTAPIN 327
nGMMTool 317
uploadLog 337
UserProfilechkTool 322
V
VPN connections 184, 16
changing iOS policies 16
changing iPhone policies 184
W
web clips
iOS 17
iPhone 185
Web Service, GMC 431
welcome email, customizing 217
whitelist
receiving attachments 145
sending attachments 144
WiFi
iOS 13
iPhone 181
Wifi
iOS 13
iPhone 181
WiFi connectivity
interaction with 119
NAT time-outs 47
server requirement 47
system requirements 47
WiFi lockdown 147
WiFi-only handhelds 46
network setting requirements 46
Windows Event Viewer Application
Log 119
wireless
handheld management 31
handheld setup 32, 105, 116, 210
overview of 105
synchronization 18, 32
wireless networks
iOS 13
iPhone 181