System information | Getting Started Guide for TRITON AP-MOBILE

Getting Started Guide for TRITON AP-MOBILE
Integrating Websense® TRITON® AP-MOBILE with AirWatch® Mobile Device Management
©2014–2015, Websense Inc.
All rights reserved.
10900 Stonelake Blvd., 3rd Floor, Austin, TX 78759, USA
Published April 13, 2015
Printed in the United States of America and China.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without prior consent in writing from Websense Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with
respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.
Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing,
performance, or use of this manual or the examples herein. The information in this documentation is subject to change
without notice.
Trademarks
Websense is a registered trademark of Websense, Inc., in the United States and certain international markets. Websense has
numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of
their respective owners.
Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks
of Microsoft Corporation in the United States and/or other countries.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies
and are the sole property of their respective manufacturers.
Contents
Topic 1: Integrating Websense TRITON AP-MOBILE with AirWatch MDM
Before getting started
Step 1: Log on to the TRITON Manager
Step 2: Synchronize your user directory information
Step 3: Define web security policies
Step 4: Log on to the AirWatch Console
Step 5: Connect MDM to the Websense hybrid service
Step 6: Synchronize your user directory information with MDM
Step 7: Enroll a device with AirWatch MDM
Step 8: Install the VPN profile to devices
Step 9: Add the TRITON AP-MOBILE app
Step 10: Device user installs the TRITON AP-MOBILE app
Additional information
Confirm that TRITON AP-MOBILE is enabled
Communications best practices
Integrating Websense® TRITON® AP-MOBILE with AirWatch® MDM
Getting Started Guide | TRITON AP-MOBILE integrated with AirWatch Mobile Device
Management | TRITON AP-WEB with the Web Hybrid module
Important
If you have purchased a subscription to
TRITON AP-MOBILE, at this time you may use
TRITON AP-MOBILE integrated with AirWatch Mobile
Device Management (MDM), which is available on an
Early Access "as is" basis, or TRITON Mobile Security. At
the time of purchase, you’ll need to indicate which product
you wish to use, so that the TRITON Manager (cloud or
hybrid) can be set up for that product.
Websense TRITON AP-MOBILE protects your end users’ devices from potential data
loss and the possible theft of intellectual property, plus from mobile malware, web
threats, phishing attacks, spoofing, and more—all of which helps them safely access
corporate resources.
When integrated with AirWatch Mobile Device Management (MDM), you can
provision iOS and Android mobile devices to send traffic to the Websense cloud
service for analysis and policy enforcement. You can also configure and update device
settings over the air, create different policies for corporate versus personal devices,
and secure mobile devices through actions such as locking and wiping them.
TRITON AP-MOBILE requires a subscription to either TRITON AP-WEB with the
Web Cloud module or TRITON AP-WEB with the Web Hybrid module. This guide
explains how to integrate TRITON AP-MOBILE with AirWatch MDM when you are
using TRITON AP-WEB with the Web Hybrid module, also referred to as the hybrid
service. To complete integration, you need access to the TRITON Manager and the
AirWatch Admin Console server (version 7.1 or later).
To get started, go through the following steps in the order recommended below. You
may have already completed some of these steps if you have an account for
TRITON AP-MOBILE with the hybrid service or an AirWatch account, in which
case, skip to the next step:
Step 1: Log on to the TRITON Manager
Step 2: Synchronize your user directory information
Step 3: Define web security policies
Step 4: Log on to the AirWatch Console
Step 5: Connect MDM to the Websense hybrid service
Step 6: Synchronize your user directory information with MDM
Step 7: Enroll a device with AirWatch MDM
Step 8: Install the VPN profile to devices
Step 9: Add the TRITON AP-MOBILE app
Step 10: Device user installs the TRITON AP-MOBILE app
Once you’re done, you can update your settings as needed.
Device operating systems
TRITON AP-MOBILE supports the following devices and operating systems:
iOS device users

Apple® iPhone®, iPad®, and iPad mini models running the following operating
systems:

iOS v7.0 and above
Android device users

Android devices that use the official Android operating system and meet version
requirements. Supported operating systems:

Android OS 4.0.2 and above
Note
We recommend initially deploying the Websense solution to a small number of
devices and testing your web security policies before performing a large-scale
deployment.
Before getting started
Before getting started, to ensure that no corporate firewalls are blocking use of
TRITON AP-MOBILE on your end user devices’ corporate Wi-Fi network, open the
following ports to allow outgoing traffic:

TCP 8081 and 8082 for PAC files

UDP 500 and 4500 for establishing the VPN connection
To install AirWatch MDM on iOS devices, you must also open port 5223 to allow
receipt of an Apple Push Notification (APN) certificate from Apple. TCP port 443 is
used as a fallback on Wi-Fi only, when devices are unable to communicate to APNs on
port 5223. See the AirWatch Help for more information on configuring MDM on iOS
devices.
In addition, if you are using Active Directory, open port 2001 to install the AirWatch
Cloud Connector, which supports the use of this directory.
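The port list above can be checked against a firewall rule set before any device is enrolled. The following is an added example, not part of the original guide or of any Websense or AirWatch tool: it evaluates an ordered rule list with first-match semantics and reports which required flows would be blocked. The rule text format, the function names, and the treatment of ports 5223, 443 and 2001 as outbound are assumptions of the example.

```python
from dataclasses import dataclass

# Flows named in "Before getting started". The guide states the direction
# (outgoing) only for the PAC and VPN ports; treating 5223, 443 and 2001 as
# outbound too is an assumption of this example.
REQUIRED = [
    ("tcp", 8081, "PAC files", "always"),
    ("tcp", 8082, "PAC files", "always"),
    ("udp", 500, "establishing the VPN connection", "always"),
    ("udp", 4500, "establishing the VPN connection", "always"),
    ("tcp", 5223, "APNs for AirWatch MDM on iOS", "ios"),
    ("tcp", 443, "APNs fallback on Wi-Fi", "ios"),
    ("tcp", 2001, "AirWatch Cloud Connector", "active_directory"),
]

# Constructed sample rule set in a hypothetical "action proto ports" format.
SAMPLE_RULES = """\
allow tcp 80
allow tcp 443
allow tcp 8081-8082
deny udp 1024-65535
allow udp 500
allow udp 4500   # never reached: the deny on line 4 matches first
"""


@dataclass(frozen=True)
class Rule:
    line_no: int
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    low: int      # first port in the range
    high: int     # last port in the range


def parse_rules(text):
    """Parse 'action proto ports' lines; '#' starts a comment."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, ports = line.lower().split()
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {line_no}: unrecognised rule {raw!r}")
        if ports == "any":
            low, high = 0, 65535
        else:
            first, _, last = ports.partition("-")
            low, high = int(first), int(last or first)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"line {line_no}: bad port range {ports!r}")
        rules.append(Rule(line_no, action, proto, low, high))
    return rules


def decide(rules, proto, port, default="deny"):
    """Return (action, line_no) of the first matching rule, else the default."""
    for rule in rules:
        if rule.proto in (proto, "any") and rule.low <= port <= rule.high:
            return rule.action, rule.line_no
    return default, None


def audit(rules, ios=False, active_directory=False):
    """List the required flows that the rule set does not allow."""
    enabled = {"always"}
    if ios:
        enabled.add("ios")
    if active_directory:
        enabled.add("active_directory")
    findings = []
    for proto, port, purpose, when in REQUIRED:
        if when not in enabled:
            continue
        action, line_no = decide(rules, proto, port)
        if action != "allow":
            findings.append({"proto": proto, "port": port,
                             "purpose": purpose, "blocked_by": line_no})
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_RULES), ios=True, active_directory=True):
        where = f"rule on line {f['blocked_by']}" if f["blocked_by"] else "default deny"
        print(f"{f['proto'].upper()} {f['port']} ({f['purpose']}): blocked by {where}")
```

In the constructed sample, UDP 4500 has an explicit allow rule but is still blocked, because the broader deny above it matches first.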
Important
You can access more detailed documentation on how to get
started with AirWatch and how to use all the MDM
features by clicking Help in the upper right corner of the
AirWatch Console on the console’s main landing pages.
To search for additional documentation not included in the
Help, go to http://my.air-watch.com and log on using your
AirWatch ID credentials.
Request an account for TRITON AP-WEB with the hybrid service
TRITON AP-MOBILE is managed through the Web tab of the TRITON Manager.
If you are a customer using TRITON AP-WEB with the hybrid service, you already
have a Websense account with logon credentials to the TRITON Manager. If this is the
case, skip to Request an AirWatch account, page 3.
If you do not have access to the TRITON Manager yet, you must request credentials
through Websense Technical Support. For details about how to log on to the console,
see the TRITON Manager Help.
For a free trial of TRITON AP-WEB with the hybrid service, click here.
Once you have your account, proceed to Request an AirWatch account, page 3.
Request an AirWatch account
AirWatch Mobile Device Management (MDM) is managed through the AirWatch
Admin Console.
If you are an AirWatch customer, you already have an AirWatch account with logon
credentials to the console. If this is the case, skip to Step 1: Log on to the TRITON
Manager, page 3.
If you are new to AirWatch, you must request credentials to the console by contacting
sales@air-watch.com.
For a free trial of AirWatch, go to http://www.air-watch.com/free-trial.
Step 1: Log on to the TRITON Manager
The TRITON Manager is the Web-based central configuration console used to
manage software configuration and settings for your Websense software modules. To
access the Web tab of the console (the console version must be v7.8.4 or higher),
go to https://manager-ip:9443/triton using one of the following browsers:

Microsoft Internet Explorer 8, 9, 10, and 11 (desktop interface only). Do not use
Compatibility View with any version of Internet Explorer.
Note
If you are using Internet Explorer, make sure Enhanced
Security Configuration is switched off.

Mozilla Firefox version 4.4 through 33

Google Chrome 13 through 38
Although it is possible to launch the TRITON Manager using some other browsers,
use the supported browsers to receive full functionality and proper display of the
application.
To use the console, your browser must be JavaScript-enabled. For the best user
experience, your browser should also be enabled to accept cookies from the console.
If you are logging on to the TRITON management console for the first time, on the
Pending Licenses page, you are asked to accept the terms and conditions before you
can proceed.
For more information, see the TRITON Manager Help and the Administrator Help
for the Web module.
Once you’re logged on, proceed to Step 2: Synchronize your user directory
information, page 4.
Step 2: Synchronize your user directory information
The Websense hybrid service offered through TRITON AP-WEB allows you to make
use of existing LDAP directories, such as Active Directory, so you don’t have to
recreate user accounts and groups for your mobile services or manage users and
groups in more than one place. It is a best practice to include all your users in your
directory service, so that they can be synchronized with the hybrid service, enabling
you to assign web security policies to them.
If you are not already a customer using TRITON AP-WEB with the Web Hybrid
module and your organization uses a supported, LDAP-based directory service—
Windows Active Directory (Native Mode), Oracle (Sun Java) Directory Server, or
Novell eDirectory—you can collect user and group data and send it to the hybrid
service by going to the Web tab of the TRITON Manager and then the Settings >
Hybrid Configuration > Shared User Data page.
For additional details, see “Send user and group data to the hybrid service” and
“Configure Directory Agent settings for hybrid filtering” in the Administrator Help
for the Web module.
Note
If you add a new user or group of users to your Active Directory server, the amount
of time needed to synchronize your Active Directory server with the Websense
hybrid service depends on the frequency you specified for sending user data to the
service. See Schedule communication with the hybrid service in the Administrator
Help. Note that you can always manually send updated user data to the hybrid
service.
Important
For integration to succeed, you must synchronize your
directory service and your users or user groups with both
the Websense hybrid service and the AirWatch
environment. Step 6 covers synchronization with
AirWatch.
Once you’ve synchronized your user directory information with the hybrid service,
proceed to Step 3: Define web security policies, page 5.
Step 3: Define web security policies
If you have not done so already, define your web security policies here:

In the Web tab of the TRITON Manager on the Policy Management > Policies
page.
To create a new policy in the console that is customized to your needs, click Add on
the Policies page. Or you can select the default policy. Very restrictive policies are not
recommended for use with TRITON AP-MOBILE, since blocking access to web
categories also blocks app-based web requests associated with those categories. For
your initial deployment, consider relaxing existing policies to block only high-risk
categories such as Gambling, Illegal and Questionable, Militancy and Extremist,
Racism and Hate, Security, Extended Protection, Tasteless, Violence, and Weapons.
Be aware that your policies affect both desktop and mobile-device Internet access
management for the users assigned to the policy.
For more information about policy configuration in the Web tab, see “Working with
policies” in the Administrator Help for the Web module.
Once you’ve created your web policy, proceed to Step 4: Log on to the AirWatch
Console, page 6.
Step 4: Log on to the AirWatch Console
To manage and configure AirWatch Mobile Device Management (MDM), you use the
AirWatch Admin Console.
To access the console, visit the URL provided to you by AirWatch using one of the
following browsers:

Microsoft Internet Explorer 9 and higher

Mozilla Firefox 3.x and higher

Google Chrome 11 and higher

Safari 5.x
Open the AirWatch Console in a separate tab, since you need access to both the
TRITON Manager and the AirWatch Console during the integration process.
If you are logging on for the first time, you must create a password and security
question, and enter a four-digit PIN. Again, refer to the AirWatch Help in the
AirWatch Console for more detailed documentation relating to AirWatch-related
steps.
Obtain API URL and API key
Before moving to Step 5: Connect MDM to the Websense hybrid service, you need to
obtain the following information from within the AirWatch Console, which you will
then enter or paste into the TRITON Manager, as explained in Step 5:
Field      Description
API URL    This is your AirWatch application programming interface URL.
API key    This is your AirWatch application programming interface key.
The API URL is the URL that the Websense hybrid service needs to access the
AirWatch system. To obtain this URL:
1. In the AirWatch Console, go to Groups & Settings > All Settings > System >
Advanced > Site URLs.
2. Copy the URL provided in the REST API URL field. Remove the “/API” from
the end of the URL, so for example, change https://orgname.airwlab.com/API to
https://orgname.airwlab.com.
Note that the API URL must be externally accessible from the Internet. In some
cases, this URL may be the same URL as your AirWatch Console URL, which
may not be externally accessible. If the API URL is not externally accessible from
the Internet, use the Device Services URL (located on the Site URLs screen and
minus the “/DeviceServices”) for the AirWatch API URL. For example, change
https://orgname.airwlab.com/DeviceServices to https://orgname.airwlab.com.
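The URL edit described above (and repeated in Step 5) can be done in code before the value is pasted into the TRITON Manager. This is an added example, not part of the original guide or of either product: the function names are hypothetical, and the HTTPS requirement, the rejection of embedded credentials, and the "looks internal" heuristic are assumptions of the example rather than rules stated by Websense or AirWatch.

```python
import ipaddress
from urllib.parse import urlsplit

# Path suffixes the guide says to remove from the Site URLs values.
REMOVABLE_SUFFIXES = ("/api", "/deviceservices")
# Name endings that usually indicate an internal-only host (heuristic, assumption).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")


def normalize_api_url(site_url):
    """Turn a REST API URL or Device Services URL into the bare base URL."""
    parts = urlsplit(site_url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("expected an https:// URL")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("URL must not carry a query string or fragment")
    path = parts.path.rstrip("/")
    if path.lower() in REMOVABLE_SUFFIXES:
        path = ""
    if path:
        # Anything other than /API or /DeviceServices is not covered by the guide.
        raise ValueError(f"unexpected path {parts.path!r}")
    return f"https://{parts.netloc.lower()}"


def looks_internal(base_url):
    """Offline hint that a host is unlikely to be reachable from the Internet."""
    host = urlsplit(base_url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # Not an IP literal: single-label names and internal suffixes are suspect.
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)


if __name__ == "__main__":
    # The example URLs are the ones used in the guide, plus one constructed value.
    for url in ("https://orgname.airwlab.com/API",
                "https://orgname.airwlab.com/DeviceServices",
                "https://10.0.0.5/API"):
        base = normalize_api_url(url)
        hint = "check external access" if looks_internal(base) else "ok"
        print(f"{url} -> {base} ({hint})")
```

`looks_internal` is only a naming and addressing heuristic; actual reachability from the Internet still has to be confirmed from outside the network.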
To get the API key, in the AirWatch Console:
1. Go to Groups & Settings > All Settings > System > Advanced > API > REST
API.
2. Copy the string provided in the API Key field.
In Step 5: Connect MDM to the Websense hybrid service, be prepared to also enter the
user name and password that you use to log on to the AirWatch Console as an
administrator with permission to access API.
The AirWatch system needs this information to complete integration.
Once you have this information, proceed to Step 5: Connect MDM to the Websense
hybrid service, page 7.
Step 5: Connect MDM to the Websense hybrid service
To set up your Websense account to integrate with AirWatch MDM:
1. In the Web tab of the TRITON Manager, go to Settings > Hybrid Configuration
> Mobile Integration > Mobile Device Management Account Setup.
2. Select the Integrate with MDM provider checkbox. Once integration is
established, do not clear this checkbox and click Save Now, or you will disable
integration between the Websense solution and AirWatch MDM.
3. Enter the API URL and API key described in Step 4: Log on to the AirWatch
Console, page 6.
For the API URL, remove the “/API” from the end of the URL, so for example,
change https://orgname.airwlab.com/API to https://orgname.airwlab.com.
4. Enter the user name and password that you use to log on to your AirWatch
administrator account.
Important
If the password for the AirWatch administrator account
changes or expires, you must enter the new password on
the Mobile Device Management Account Setup page to
maintain the integration of AirWatch MDM with the
hybrid service.
An alternative to using the administrator account is to
create a service account in Active Directory with the
password set to never expire. Use the logon name and
password for this account instead of the AirWatch
administrator account logon credentials.
5. Click Save Now.
6. After you click Save Now and the settings are confirmed and saved successfully,
the page displays a user name and password that have been automatically
generated for your hybrid account, along with a connection URL.
Copy and paste these three items into the VPN connection information section of
the AirWatch Console.
Should you need to change the credentials for your hybrid account, for example, if
they’ve been compromised, you can generate a new user name and password by
clicking Advanced Options and then Generate New User Name and Password.
Important
After clicking Generate New User Name and Password but
before clicking Save Now, you must re-enter the
password that you use to log on to the AirWatch
Console.
You must also enter the new user name and password
generated for your hybrid account into the VPN
connection information section of the AirWatch
Console to maintain the integration of AirWatch MDM
with the hybrid solution.
Once you’ve set up the connection between AirWatch MDM and the hybrid service,
proceed to Step 6: Synchronize your user directory information with MDM, page 9.
Step 6: Synchronize your user directory information with MDM
If you are not already an AirWatch customer, you must synchronize your directory
service and your user groups with the AirWatch environment.
AirWatch Cloud Connector
In order to support Active Directory, the AirWatch Cloud Connector (ACC) must be
configured within the AirWatch Console. The Cloud Connector runs in the internal
network, acting as a proxy that securely transmits requests from AirWatch to your
organization’s critical enterprise infrastructure components.
To get to the Cloud Connector:
1. In the Search AirWatch box, enter “Cloud Connector.”
2. Under Settings, click “Cloud Connector.”
3. Select “Enable Cloud Connector.”
4. Click the link “Cloud Connector Guide” to get to the AirWatch Help chapter on
ACC Installation. Follow the instructions in the AirWatch Help.
Another resource is the AirWatch Cloud Connector Guide for SaaS Customers. The
minimum operating system required to install ACC is Windows 2008 Server, R2
(W2K8R2) with the minimum memory and hard disk drive.
Note
To prevent inheriting settings that don’t apply to your group, on the landing page of
the AirWatch Cloud Connector (ACC), be sure the Current Setting is set to
“Override.” If the Current Setting is “Inherit,” the ACC may not work, and you
would need to uninstall the ACC and download and install it again.
Directory Services
In the AirWatch Console, use the Directory Services page to configure the settings
that let you integrate your AirWatch server with your organization's domain controller
(the server hosting your directory services system).
To get to the Directory Services page, in the Search AirWatch box, enter “Directory
Services” and click through to locate the Directory Services landing page under
Enterprise Integration.
1. Click “Skip wizard and configure manually” to manually configure settings in the
three tabs (Server, User, and Group). In the AirWatch Console, in the embedded
Help, see the “Configuring Directory Services” section for additional details.
2. Go to the MDM installation enrollment page by entering “Enrollment” in the
Search AirWatch box, and then clicking on “Display MDM Installation ...
Enrollment.”
3. Next to Authentication Mode(s), make sure that the Directory checkbox is
selected.
4. Click Save.
Note
When selecting the type of bind authentication that is used to enable the AirWatch
server to communicate with the domain controller, if you are unsure of which
Protocol Version to use, we recommend entering GSS-NEGOTIATE in the Bind
Authentication Type field.
Synchronizing user groups
Next, you need to synchronize or import your user groups with AirWatch MDM by
doing the following:
1. In the AirWatch Console, go to Accounts > Users > User Groups, and click
Add.
2. On the Add User Group screen, in the Type field, make sure Directory is
selected.
3. For External type, select either Group or Organizational Unit. These are object
classes used by Active Directory.
4. In the Search Text field, enter the name of the group to add. Then, click the
Search button.
5. Accept the values in the remaining pre-populated fields, or adjust them as needed.
6. In the Search results box, select the group to add, and click Save.
7. On the User Groups screen, in the Group Name column, click on the name of the
group that you just selected.
8. On the Edit User Group [your group’s name] screen, check Add Group Members
Automatically. Also, make sure that the checkboxes for Auto Sync with
Directory and Auto Merge Changes are selected. Accept the values in the
remaining pre-populated fields, or adjust them as needed.
9. Click Save.
To check if synchronization succeeded, return to Accounts > Users > User Groups.
The number of members in your group should now be populated with a figure other
than zero. You may need to refresh the screen. In the AirWatch Help, see “Utilizing
User Groups” for more details.
After you’ve completed synchronizing your directory and user groups with the
AirWatch environment, go to Step 7: Enroll a device with AirWatch MDM, page 11.
Step 7: Enroll a device with AirWatch MDM
If your end user devices are already in the AirWatch MDM system, skip to Step 8:
Install the VPN profile to devices, page 13.
To get your end users’ devices enrolled into the MDM system, send them a link to the
AirWatch Agent, http://www.AWAgent.com. The agent walks them through the
enrollment process.
Important
For iOS devices
Before your device users can enroll their devices with the
AirWatch MDM, you must obtain and install an Apple
Push Notification Service (APNs) certificate from Apple,
which allows AirWatch to securely communicate to iOS
devices and report information back to AirWatch. To do
this, in the AirWatch Console, go to Devices > Devices
Settings > Devices & Users > Apple > APNs For MDM.
Users will not be able to enroll their iOS devices if this
hasn’t been done. For more details, see the “Setting Up
Your Environment” section in the AirWatch Help.
Include the following information in your communication to users, in case AirWatch
cannot identify them as previously configured end-users based on their email address:

Server URL - the URL provided by AirWatch to you for the server that is used to
access the AirWatch Console. For example, https://ds22.airwatchportals.com.

Group ID - the ID that was specified by the AirWatch administrator in the
AirWatch Console on the Organization Group Details page.
If authentication is required and you are using directory synchronization, users will
need to also enter their corporate credentials (username and password).
If authentication is required and you manually created a user, the user will need to
enter the username and password you specified when creating the user.
Here are the steps device users would follow:
1. Navigate to AWAgent.com from the native browser on the device that they are
enrolling. AirWatch auto-detects if the AirWatch Agent is already installed or
redirects to the appropriate mobile app store to download the Agent if needed.
Note
Note that downloading the Agent from public application stores requires either an
Apple ID or a Google Account.
2. Launch the Agent upon download completion or return to their browser session to
continue enrollment.
3. Enter their corporate email address. AirWatch checks if their address has been
previously added to the environment in which case they are already configured as
an end-user and their Organization Group is already assigned. If AirWatch cannot
identify them as a previously configured end-user based on their email address,
enter their server URL, group ID, and credentials when prompted.
4. Follow all remaining prompts to finalize enrollment.
After device users enroll their devices, you can check if enrollment was successful by
doing the following:
1. In the AirWatch Console, go to Devices > List View.
2. Check that the device was added.
3. Click on the name assigned to this device. In the Summary tab, the system tells
you if the device was “Enrolled” or “Unenrolled” with the AirWatch Agent. Note
that the Agent app may be installed on a device but the device not yet enrolled.
4. To check if MDM functions are working, click the Lock button in the upper right
of the screen.
5. Check if the device is now locked.
If you manually create users and add devices, the AirWatch system will automatically
send those users an email with instructions on how to enroll with the AirWatch MDM.
You have the option of customizing the text in this email, for example, to introduce
AirWatch and TRITON AP-MOBILE; however, the email retains the AirWatch
branding.
See Communications best practices, page 21, for recommendations on what to say to
employees about how to get TRITON AP-MOBILE with AirWatch MDM.
Proceed to Step 8: Install the VPN profile to devices, page 13.
Step 8: Install the VPN profile to devices
TRITON AP-MOBILE uses a VPN connection to protect your users’ devices, so you
need to add a Websense VPN profile, which contains information and certificates
required to establish a VPN connection to the Websense hybrid service server.
Important
For iOS devices
Install the VPN profile before you add the
TRITON AP-MOBILE app to user devices to ensure that
all functions of the app are enabled.
Important
For Android devices
Make sure the VPN profile and TRITON AP-MOBILE
app are assigned to the same devices (for example,
corporate-dedicated) before publishing the profile or the
app. This helps ensure devices are protected after users
install the app and all functions of the app are enabled.
For information on how to assign an app to a device or
devices, see the AirWatch Help section on “Deploying
Public Applications.”
To add a Websense VPN profile:
1. In the AirWatch Console, select Devices > Profiles > List View, and then click
Add.
2. Under Add Profile, select a platform by clicking Apple iOS or Android,
depending on which operating system applies to your users’ devices. If you click
Android, you may be asked to select a configuration type comprising either a
Device or a Container. Select Device.
Note that if you need to support both iOS and Android devices, you must add a
profile for each operating system.
3. Under Add a New (Apple iOS or Android) Profile > General, do the following:

Fill in the required field (Name). This is the name you wish to give the
profile.

If you are using version 7.1 or 7.2 of AirWatch, in the Minimum Operating
System field, for iOS devices, select iOS 7.0, so that AirWatch MDM can
help focus only on devices that are supported for use with
TRITON AP-MOBILE.
For Android devices, select 4.0.2 as the minimum operating system.

In the Allow Removal field, you have the option of selecting “Never,” which
prevents end users from removing the VPN profile unless they unenroll their
device. “Always” allows users to temporarily remove the profile, but it will be
re-installed each time AirWatch MDM syncs its service with the device,
which is usually every 12 hours.

If you are using Version 7.1 or 7.2 of AirWatch, you can choose the
Ownership attribute of the device. In the Ownership field, select ownership
restrictions if applicable, such as “Corporate - Dedicated” or “Employee
Owned.”

In version 7.3, the Ownership field has been replaced with Assigned Smart
Groups, which offers Smart Group logic to profile assignment. You must
have a Smart Group assigned to the profile. The Smart Group determines
which devices receive the profile. Click in the "Assigned Smart Groups" box
to see the existing Smart Groups, or click on the "Create New Smart Group"
link within the box to create a new Smart Group.

The default values of the other fields can be left as is. If you are using Version
7.1 or 7.2 of AirWatch, the field for Assigned Organization Groups
pre-populates. Add additional assignment criteria if you like. In version 7.3, this
has been replaced with Smart Group assignment.

Do not click Save until you have provided information for at least one
payload that is associated with the profile (payloads are the items listed under
General in the left navigation bar, such as Passcode, Restrictions, or VPN).
The system won’t allow you to save until you have. You’ll provide
information for the VPN connection.
4. In the left navigation bar, click VPN and the Configure button.
5. From the Connection Type field drop-down menu, select “Websense.”
6. For the Server field, enter the Connection URL that was provided in the Web tab
of the TRITON Manager at the bottom of the Mobile Device Management
Account Setup page. To get there, do the following:

In the TRITON console, go to Settings > Hybrid Configuration > Mobile
Integration > Mobile Device Management Account Setup.
7. Back in the AirWatch Console VPN section, enter the user name and password for
the Websense administrator’s hybrid account.
Important
If your VPN connection password changes, be sure to
enter your new password in the VPN section to maintain
the integration of AirWatch MDM with the hybrid service.
After entering your updated password, it is a best practice
to then check that the Websense VPN profile is installed on
all devices.
8. Click Test Connection.
9. At this point, we recommend clicking Save, and then manually pushing the VPN
profile to one device to check that the profile installs successfully.
a. In the AirWatch Console, go to Devices > List View.
b. In the General Info column, click the name of the device to which you
wish to manually push the VPN profile.
c. This brings you to the Details View page containing multiple tabs. Go to
the Profiles tab page. Find the name of the profile you wish to install. To
the far right of the profile name, click the Install Profile icon (a shaded
circle with a downward-pointing arrow). You can also hover over the
icons until you see the icon description “Install Profile.”
Under Status, a green check mark displays when the profile is
successfully installed.
For an iOS device
To check if the profile has been installed and activated on the iOS device to which you
manually pushed it, on the device, go to a website belonging to a category blocked by
your organization. You should be blocked from viewing it.
For an Android device
To check if the profile has been installed on the Android device to which you
manually pushed it, open the AirWatch Agent app on the device, and select Profiles.
The VPN profile should be listed.
Note
For Android devices
The VPN profile is not activated until the TRITON AP-MOBILE app is also
installed.
10. When you’re satisfied that the profile has been installed and activated (for iOS
devices) or installed (for Android devices):
a. Return to Device > Profiles > List View.
b. Click on the name of the profile you created.
c. Click Save & Publish. The VPN profile is now marked as “Published,”
which causes it to be installed on all currently enrolled and eligible
devices, as well as any future devices that enroll and are eligible to
receive this profile.
After you’ve installed the VPN profile, continue to Step 9: Add the
TRITON AP-MOBILE app, page 16.
If SSL decryption is enabled on Android devices
The following applies to Android devices only:
If you enable SSL decryption for the Android-based solution, you must do the
following:
1. In the TRITON Manager, go to the Settings > Hybrid Configuration > User Access
page, and select “Use the hybrid SSL certificate to display a notification page for
HTTPS requests when required.”
2. Click the “Hybrid SSL certificate” link to view the certificate, and download it.
3. Upload the certificate to the AirWatch Console. We recommend using the same
profile that you used for your VPN settings. Go to Devices > Profiles > List View
> (the profile used for your VPN configuration) > Credentials, and click the
Configure button and then Upload to upload the hybrid SSL certificate.
4. Click Save & Publish.
Depending on their Android device and operating system version, your users may
need to perform certain actions on their device after SSL decryption is enabled. For
example, users may need to create a Lock Screen password if they don’t already have
one, and then consent to have the root certificate installed. If you deploy
TRITON AP-MOBILE and enable SSL decryption initially for a small group of users,
you can determine what their experience will be for a particular configuration, and
then include those steps in your communications to device users.
If you enable SSL decryption and the hybrid SSL certificate isn’t installed, an
“untrusted certificate” message displays on the end user’s device every time an
HTTPS request occurs. The user must then click Continue to have the page load.
Note that SSL decryption is automatically enabled for the iOS-based solution.
Step 9: Add the TRITON AP-MOBILE app
For Android device users, the TRITON AP-MOBILE app is required for
TRITON AP-MOBILE to begin protecting their devices. It also provides additional
features, such as diagnostic tools. iOS device users can also take advantage of the
app’s additional features. For more information about the app, see Additional
information, page 18.
To offer this app to your device users, you need to add the app to the MDM system.
1. In the AirWatch Console, in the upper horizontal toolbar, click +Add and then
Public Application.
2. When the Add Application screen displays, select the platform (Apple iOS or
Android). Enter “Websense” as the name of the new app.
3. The “Search App Store” checkbox should be selected by default. Leave that as is.
Note
For Android devices
To search the Google Play Store, a Google Account must first be integrated with the
environment. To begin the integration process, go to Devices > Devices Settings >
Devices & Users > Android > Google Play Integration. Google Play integration
requires that you enter the device ID from the Android device. To get the device ID
that is required, you need to download a special app from the Play Store by going to
https://play.google.com/store/apps/details?id=com.redphx.deviceid.
4. Click Next and select the desired application from the App Store or Play Store
result page.
5. After selecting an application, complete the Add Application page to configure
assignment and deployment options. Most of the application information fields
automatically populate. See the AirWatch Help section on “Deploying Public
Applications” for more information.
You can have the app pushed out automatically. Under the Deployment tab, in the
Push Mode field, select Auto from the drop-down menu. Automatically
deploying an application immediately prompts users to install the application on
their devices after you click Save & Publish.
6. Fill in the remaining fields in all four tabs.
For additional details on how to complete these fields, in the AirWatch Help, go to
Application Management > Mobile Application Management Guide > Mobile
Application Management Setup.
Important
The app is meant to be used in conjunction with an active
TRITON AP-MOBILE license. To benefit from all the
app’s features, device users must have
TRITON AP-MOBILE with AirWatch MDM on their
devices.
To confirm that the Websense app has been added to AirWatch MDM, go to Apps &
Books > List View and the Public tab. Select the platform from the Platform
drop-down menu to view added apps available on the selected platform. You should see
TRITON AP-MOBILE.
Now, proceed to Step 10: Device user installs the TRITON AP-MOBILE app, page 18.
Step 10: Device user installs the TRITON AP-MOBILE app
After the Websense app is deployed to end users’ devices, device users receive
various notifications depending on their device platform (iOS or Android).
iOS device users
After the TRITON AP-MOBILE app is deployed to iOS devices, iOS device users
receive a prompt on their devices notifying them that the app is waiting to be installed
and that their iTunes® account will not be charged for this app.

To install the app, users should tap Install.

After installing and opening the app, iOS users can begin benefiting from the
app’s features. See Additional information, page 18.
Android device users
After the app is deployed to Android devices, device users receive a “Websense VPN
configuration” notification.

Tapping the notification displays a second notification that “Websense VPN
configuration is ready.”

Tapping the second notification launches the Websense app.

Device users then receive a request to allow TRITON AP-MOBILE to create a
VPN connection. They should check the box that says, “I trust this application,”
and then click OK.
To confirm that TRITON AP-MOBILE is protecting their device, the app home
screen should show Security as “ON.” If it does not, device users should try
tapping the “Websense VPN configuration is ready” notification again.
See Communications best practices, page 21, for suggested text that describes these
steps to device users.
You have now completed the basic steps for integrating TRITON AP-MOBILE with
AirWatch Mobile Device Management.
Additional information
TRITON AP-MOBILE app
The Websense TRITON AP-MOBILE app offers valuable tools that enhance your
device users’ experience with TRITON AP-MOBILE. For Android device users, the
app is required for TRITON AP-MOBILE to begin protecting their devices. You add
the app in the AirWatch Console, and indicate how you want to deploy it to users’
devices. For more information on how to add the app, see Step 9: Add the
TRITON AP-MOBILE app, page 16. iOS device users can also get the app by going to
the iTunes® Store, and Android device users can get it in the Google Play Store by
searching for TRITON AP-MOBILE.
Important
This app is meant to be used in conjunction with an active
corporate license of Websense TRITON AP-MOBILE. To
benefit from all the app’s features, device users must have
TRITON AP-MOBILE with AirWatch MDM on their
devices.
App Features

Ensures ongoing protection by checking that TRITON AP-MOBILE has a VPN
connection (iOS) or a connection to the Websense cloud service (Android).

Offers easy-to-use diagnostic tools and system information about your users’
devices that helps your IT department address potential issues.

Lets device users analyze a website or IP address in real time before they visit it to
determine potential threat risk, using Websense CSI: ACE Insight.

Keeps users up to date on the latest online threats with direct access to the
Websense Security Labs™ blog—from the leader in global threat intelligence.
This feature is only available on the tablet.
Confirm that TRITON AP-MOBILE is enabled
Here are ways to confirm that TRITON AP-MOBILE is protecting end user devices:


The TRITON AP-MOBILE app home screen shows if the security solution is
enabled.

For iOS users, the screen displays the VPN as “connected.”

For Android users, Security should display as “ON.” Note that the device
must have an Internet connection for the proper connections to display.

If users browse to a site in a category from the Websense Master Database (or a
custom category that you’ve created) that your organization has blocked, they
should not be able to access the site. These are categories you selected when you
defined your web security policies. For example, if you don’t want them to access
sites that fall under the Gambling category, ask them to try to visit one of those
sites. An “Access Blocked” message should display.

In the AirWatch Console, run a Device Profile Detail report that shows which
profiles are installed on all devices in a particular Organization Group. In the
Search AirWatch box, enter “reports” to locate the List View page that displays
reports. Check that the VPN profile is installed.


For Android devices, remember that you need to check that both the VPN
profile and the TRITON AP-MOBILE app are installed.

In the AirWatch Console, create a compliance rule.

For Android devices, since the Websense app is required to enable the
protection of TRITON AP-MOBILE, you could create a compliance rule that
sends a notification if a required app is not in your applications list. See
Creating a compliance policy rule, page 20. This assumes that the VPN
profile has already been installed.

For iOS devices, if you wish to check that the optional Websense app was
installed, you can create a similar rule.
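The per-platform checks above can also be run offline against an exported inventory. The following is an added example, not part of the Websense guide or of AirWatch: the CSV columns, the ";" separator, and the profile name "Websense VPN" are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. The column names and the ";" separator are
# assumptions for this example, not AirWatch's actual report layout.
SAMPLE_REPORT = """\
device,platform,installed_profiles,installed_apps
ios-01,iOS,Websense VPN;Passcode,
ios-02,iOS,Passcode,TRITON AP-MOBILE
and-01,Android,Websense VPN,AirWatch Agent;TRITON AP-MOBILE
and-02,Android,Websense VPN,AirWatch Agent
and-03,Android,,
"""

VPN_PROFILE = "Websense VPN"       # hypothetical: the name you gave the VPN profile
REQUIRED_APP = "TRITON AP-MOBILE"  # app name as shown under Apps & Books


def _items(cell):
    """Split a ';'-separated cell into a case-insensitive set of names."""
    return {part.strip().casefold() for part in (cell or "").split(";") if part.strip()}


def audit(report_text, vpn_profile=VPN_PROFILE, required_app=REQUIRED_APP):
    """Return {device: [gaps]} for devices that are not fully protected.

    Every device needs the VPN profile. Android devices also need the app,
    because the VPN profile is not activated without it. On iOS the app is
    optional, so its absence is not reported.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        platform = (row["platform"] or "").strip().casefold()
        gaps = []
        if platform not in ("ios", "android"):
            gaps.append("unknown platform")
        if vpn_profile.casefold() not in _items(row["installed_profiles"]):
            gaps.append("VPN profile missing")
        if platform == "android" and required_app.casefold() not in _items(row["installed_apps"]):
            gaps.append("app missing")
        if gaps:
            findings[row["device"].strip()] = gaps
    return findings


if __name__ == "__main__":
    for device, gaps in audit(SAMPLE_REPORT).items():
        print(f"{device}: {', '.join(gaps)}")
```

An Android device that reports only "app missing" has the profile installed but is not yet protected, which is the case the compliance rule in the next section is meant to catch.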
Creating a compliance policy rule
Before you create the policy rule, you must first create an app group:
1. In the AirWatch Console, access the wizard that walks you through how to add an
app group by going to Devices > Compliance Policies > App Groups.
2. Click Add Group.
3. Under Type, from the drop-down menu, select Required.
4. Under Platform, from the drop-down menu, select Apple or Android, depending
on your operating system.
5. Under Name, enter the name you wish to call this app group, such as Websense.
6. Under Application Name, enter Websense, then click the magnifying glass to
search the public store for the name you entered.
7. The Websense TRITON AP-MOBILE app should display on the results page.
Click Select. This takes you back to the Add Application Group page and
automatically fills in the Application ID field.
8. Click Next.
9. Complete the remaining fields. We recommend selecting the minimum operating
system supported by TRITON AP-MOBILE.
10. Click Finish.
Now, let’s create a compliance policy rule that sends a notification if a device does not
have the required app on it:
1. In the AirWatch Console, access the compliance policy wizard in the upper
horizontal toolbar by clicking +Add and then Compliance Policy. Select a
platform to start, such as Android or Apple iOS.
2. On the Add Compliance Policy page, from the drop-down menus, select:
a. Match All Of The Following Rules.
b. Application List and Does Not Contain Required App(s).
3. Click Next.
4. Under “Immediately perform the following actions,” select Notify.
5. In the next drop-down menu, select the action you would like to take, such as
Send Email to Administrator or Send Push Notification to Device. Enter at
least one email address in the To field.
6. Select the message template you’d like to use or choose the default template.
7. Click Next.
8. Complete the remaining fields, then click Finish And Activate.
Communications best practices
To help ensure that TRITON AP-MOBILE is installed on your end-users’ devices, we
recommend that you tell device users:

That your organization is using TRITON AP-MOBILE to help protect their
devices.

(iOS devices) To expect a notification on their device that asks them to install the
Websense TRITON AP-MOBILE app.

(Android devices) To expect notifications about Websense VPN configuration and
an attempt to establish a VPN connection.

What the app does.

For iOS device users, it offers tools that enhance the use of
TRITON AP-MOBILE.

For Android device users, the app is required to receive the protection of
TRITON AP-MOBILE, and in addition, offers useful tools.
AirWatch MDM already on the device
Here is suggested text for device users who have AirWatch MDM already on their
devices:
iOS device users
[organization’s name] wants you to use Websense® TRITON® AP-MOBILE to help
protect your device from potential data loss and the possible theft of intellectual
property, plus from mobile malware, web threats, phishing attacks, spoofing, and
more—all of which helps you safely access corporate resources.
To begin receiving this protection, you’ll need to do the following:

When you receive a request on your device to install the Websense
TRITON AP-MOBILE app, click Install.
Once installed, the app lets you:

Check that your device has a VPN connection, which TRITON AP-MOBILE uses
to protect your device.

Access easy-to-use diagnostic tools and system information about your device that
help your IT department address potential issues.

Analyze a website or IP address in real time before you visit it to determine
potential threat risk, using Websense CSI: ACE Insight.

Stay up to date on the latest online threats with direct access to the Websense
Security Labs™ blog—from the leader in global threat intelligence. This feature is
available only on the tablet.
Android device users
[organization’s name] wants you to use Websense® TRITON® AP-MOBILE to help
protect your device from potential data loss and the possible theft of intellectual
property, plus from mobile malware, web threats, phishing attacks, spoofing, and
more—all of which helps you safely access corporate resources.
To begin receiving this protection, you’ll need to do the following:

When you receive a notification on your device about Websense VPN
configuration, tap the notification. When you receive a second notification that
“Websense VPN configuration is ready,” tap the notification.

When you see a notification on your device that TRITON AP-MOBILE is
attempting to create a VPN connection, check the box that says, “I trust this
application,” and then click OK.
IMPORTANT: You must install the app and allow the VPN connection to be created
to begin receiving the protection offered by TRITON AP-MOBILE.
Once installed, the app also lets you:

Check that your device is connected to the Websense cloud service, which
TRITON AP-MOBILE uses to protect your device.

Access easy-to-use diagnostic tools and system information about your device that
help your IT department address potential issues.

Analyze a website or IP address in real time before you visit it to determine
potential threat risk, using Websense CSI: ACE Insight.

Stay up to date on the latest online threats with direct access to the Websense
Security Labs™ blog—from the leader in global threat intelligence. This feature is
available only on the tablet.
AirWatch MDM not yet on the device
Here is suggested text for device users who do not yet have AirWatch MDM on their
devices:
iOS device users
[organization’s name] wants you to use Websense® TRITON® AP-MOBILE to help
protect your device from potential data loss and the possible theft of intellectual
property, plus from mobile malware, web threats, phishing attacks, spoofing, and
more—all of which helps you safely access corporate resources.
To begin receiving this protection, you’ll need to do the following:


Enroll your device with AirWatch Mobile Device Management by going to
awagent.com. You’ll be redirected to your device’s official app store to download
the AirWatch MDM Agent app. Authentication may be required. Your unique
credentials are below:

Server URL: [organization needs to provide the server URL]

Group ID: [organization needs to provide the group ID]

Username: [user’s corporate ID, unless user was created manually in which
case the administrator needs to provide the username]

Password: [user’s corporate password, unless user was created manually in
which case the administrator needs to provide the password]

When you receive a request on your device to install the Websense
TRITON AP-MOBILE app, click Install.
Once installed, the app lets you:

Check that your device has a VPN connection, which TRITON AP-MOBILE uses
to protect your device.

Access easy-to-use diagnostic tools and system information about your device that
help your IT department address potential issues.

Analyze a website or IP address in real time before you visit it to determine
potential threat risk, using Websense CSI: ACE Insight.

Stay up to date on the latest online threats with direct access to the Websense
Security Labs™ blog—from the leader in global threat intelligence. This feature is
available only on the tablet.
Android device users
[organization’s name] wants you to use Websense® TRITON® AP-MOBILE to help
protect your device from potential data loss and the possible theft of intellectual
property, plus from mobile malware, web threats, phishing attacks, spoofing, and
more—all of which helps you safely access corporate resources.
To begin receiving this protection, you’ll need to do the following:

Enroll your device with AirWatch Mobile Device Management by going to
awagent.com. You’ll be redirected to your device’s official app store to download
the AirWatch MDM Agent app. Authentication may be required. Your unique
credentials are below:

Server URL: [organization needs to provide the server URL]

Group ID: [organization needs to provide the group ID]

Username: [user’s corporate ID, unless user was created manually in which
case the administrator needs to provide the username]

Password: [user’s corporate password, unless user was created manually in
which case the administrator needs to provide the password]

When you receive a notification on your device about Websense VPN
configuration, tap the notification. When you receive a second notification,
“Websense VPN configuration is ready,” tap the notification.

When you see a notification on your device that TRITON AP-MOBILE is
attempting to create a VPN connection, check the box that says, “I trust this
application,” and then click OK.
IMPORTANT: You must perform all steps to begin receiving the protection offered
by TRITON AP-MOBILE.
Once installed, the app lets you:

Check that your device is connected to the Websense cloud service, which
TRITON AP-MOBILE uses to protect your device.

Access easy-to-use diagnostic tools and system information about your device that
help your IT department address potential issues.

Analyze a website or IP address in real time before you visit it to determine
potential threat risk, using Websense CSI: ACE Insight.

Stay up to date on the latest online threats with direct access to the Websense
Security Labs™ blog—from the leader in global threat intelligence. This feature is
available only on the tablet.