Sophos Mobile Control Installation guide

Product version: 3.5
Document date: July 2013
Contents
1 Introduction
2 The Sophos Mobile Control server
3 Set up Sophos Mobile Control
4 External EAS Proxy server
5 Running the Sophos Mobile Control Service as a limited user
6 Updating Sophos Mobile Control
7 Apple Push Notification service
8 Technical support
9 Legal notices
1 Introduction
Sophos Mobile Control is a device management solution for mobile devices like smartphones and
tablets. Sophos Mobile Control helps to keep corporate data safe by managing apps and security.
The Sophos Mobile Control system consists of a server and a client component which communicate
through data connections and text messages.
The Sophos Mobile Control client is easily installed and managed with over-the-air setup and
configuration through the Sophos Mobile Control web console.
With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT efforts by
allowing users to register their own devices and carry out other tasks without having to contact
the helpdesk.
This guide describes:
■ How to carry out preparatory measures for the Sophos Mobile Control Server
■ How to request an SSL certificate for Sophos Mobile Control with the SSL Certificate Wizard
■ How to install and set up the Sophos Mobile Control server (SMC server)
■ How to install the external EAS Proxy server
■ How to run the Sophos Mobile Control Service as a limited user
■ How to update Sophos Mobile Control
■ How to create and upload an APNs certificate
1.1 Access data
The access data for the system is saved in a database that can be extended later on. All steps have
to be executed as an administrator of Microsoft Windows Server or as a user of the relevant group.
The database user needs sysadmin rights.
1.2 Licenses
To use Sophos Mobile Control you need a valid license. After purchasing the software, you receive
a license file named license.sql. You must place this file in the same directory as the setup file
during installation.
2 The Sophos Mobile Control server
The SMC server is a distributed system that consists of the following components:
■ JBoss
■ SQL database server
■ MSQL
■ SMC server provided as Java-Enterprise-Archive inside JBoss
■ Directory Service
■ Redistributable package
The individual components communicate either through the database or through the
interfaces defined by the J2EE standard. No further exchange files are necessary.
The server scripts and property data must be configured so that they work in
single-server operation. If changes are necessary, modify the individual setting parameters.
Note: The zipped server log files are not cleared automatically and can become very extensive.
To prevent problems caused by this, delete the log files manually.
2.1 Install the operating system
One possible server operating system is Microsoft Windows Server 2008 R2. For installation, refer
to the relevant documentation.
In addition, you have to install the following packages manually:
■ Microsoft SQL Server:
  Choose one of the following packages: Microsoft SQL 2008, Microsoft SQL 2008 R2, Microsoft
  SQL 2012, Microsoft SQL 2012 Express or MSQL
■ Java JDK (including JRE):
  Version 7u21 or higher
■ MySQL 5.5 with InnoDB support
If JDK is not contained in the installation package, you may have to download it.
2.2 Install the database server Microsoft SQL Server
We recommend Microsoft SQL Server 2012 Express Edition for Windows with installer. The
following description shows the installation process for Microsoft SQL Server.
1. Execute the installer and select New SQL Server stand-alone installation or add features to
an existing installation.
2. If any problems occur, the Setup Support Rules dialog is displayed. Here problems that might
occur when you install SQL Server Setup support files are identified.
If problems have occurred, make the necessary changes to solve them and click Next.
3. In the License Terms dialog, select I accept the license terms and click Next.
4. If any updates are available, the Product Updates dialog is displayed. If you select Include SQL
Server product updates in this dialog, updates will be installed automatically after you click
Next.
5. In the Feature Selection dialog, select Database Engine Service. If necessary, modify the
installation directory.
Note: If you have downloaded the setup including the management tools, the tools should
also be installed. To do so, select Management Tools - Basic.
Click Next.
6. In the Instance Configuration dialog, change the instance name, if necessary. Click Next.
7. In the Server Configuration dialog, select NT_AUTHORITY\System for SQL Server Database
Engine and click Next.
8. In the Database Engine Configuration dialog, select Mixed Mode (SQL Server authentication
and Windows authentication). Define a strong password for the system administrator account
and click Next.
9. SQL Server 2012 R2 installation is now complete. In the Complete dialog, click Close to close
the Setup wizard.
You can also close the SQL Server Installation Center now.
10. Before Sophos Mobile Control can be installed, the TCP/IP Protocol for the SQL Server needs
to be enabled and the TCP port needs to be set to 1433. Open the Start menu, select All
Programs > Microsoft SQL Server 2012 R2 > Configuration Tools and click SQL Server
Configuration Manager. In the SQL Server Configuration Manager, go to Protocols for
SQLEXPRESS and double-click TCP/IP.
11. In the Protocol tab of the TCP/IP Properties dialog, set Enabled to Yes and click the IP
Addresses tab.
12. In the IP Addresses tab of the TCP/IP Properties dialog, click TCP Dynamic Ports and make
sure that the field is empty to disable this function. Now click TCP Port, enter 1433 and click
OK to apply your settings.
13. For the new settings to take effect, the server needs to be restarted. Click SQL Server Services,
right-click SQL Server (SQLEXPRESS) and select Restart.
2.3 Install Java JDK7
When you install Java JDK7, source code does not have to be installed. Install Java JRE in its
complete version.
Note: When you update Sophos Mobile Control from an older version, you may need to update
Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You
also need to manually adjust the environment variables.
2.4 Install MySQL Server
To install MySQL Server by using MSI Windows installer for MySQL Community Server 5.5x:
1. Double-click the installer and install MySQL Server 5.5x.
After the installation has been completed the MySQL Server Instance Configuration Wizard
is started.
2. Follow the wizard steps and select the following options in the individual dialogs:
a) Select Detailed Configuration.
b) Select Server Machine.
c) Select Multifunctional Database.
d) Select the standard installation path.
e) Select Decision Support (DSS)/OLAP.
f) Make sure that Enable TCP/IP Networking is selected and port 3306 is selected in the Port
Number field. Make sure that the Enable Strict Mode field is selected. Click Next.
g) Select Best Support For Multilingualism.
h) Select Install As Windows Service. Make sure that Launch the MySQL Server automatically
is selected. Select Include Bin Directory in Windows PATH.
i) Make sure that Modify Security Settings is selected and define a strong root password.
j) Install the MySQL GUI Tools. Use Custom installation.
Note: You do not have to install the Workbench Migration Toolkit.
3. Add the following line to the my.ini file: wait_timeout=86400.
4. Restart the MySQL service.
3 Set up Sophos Mobile Control
The key steps are:
■ Request an SSL Certificate
■ Execute the Sophos Mobile Control installer.
■ Carry out the configuration steps in the Sophos Mobile Control Configuration Wizard.
■ If you want to configure the EAS Proxy server separately, execute the Sophos Mobile Control
  EAS Proxy installer, see External EAS Proxy server (section 4).
■ As a super administrator create a customer (a tenant for which devices are managed) in the
  Sophos Mobile Control administration web console. For further information on this setup
  step, refer to the Sophos Mobile Control super administrator guide.
3.1 Request an SSL certificate for Sophos Mobile Control
For setting up Sophos Mobile Control, you need an SSL webserver certificate. In the setup process,
you can select between creating a self-signed certificate and using a PKCS12 with certificate, private
key and certificate chain. For further information, see Install and set up the Sophos Mobile Control
Server (section 3.2). Your Sophos product delivery includes an SSL Certificate Wizard that you
can use to request your certificate for Sophos Mobile Control.
To request your SSL certificate:
1. Start the SSL Certificate Wizard by double-clicking the file Sophos Mobile Control SSL Certificate
Wizard.exe.
The Certificate Wizard welcome dialog is displayed.
2. Click Next.
The License Agreement dialog is displayed.
3. Click I Agree.
The Create Certificate Signing Request dialog is displayed.
4. Enter the Server Name (FQDN), the Company, City, State and Country code (for example
US or UK). These fields are mandatory.
5. Click Next.
The Upload CSR dialog is displayed.
6. In this step, you upload the Certificate Signing Request to the Certificate Authority (CA) for
signing. Follow the instructions in the dialog:
a) Go to the website of your Certificate Authority and log in.
b) Upload the file ServerCertificateSigningRequest.csr from the folder indicated on the Upload
CSR dialog of the SSL Certificate Wizard.
Note: If your certificate vendor supports copy and paste, you can open the .csr file with the
Open CSR button in the Upload CSR dialog.
c) Save the certificate issued by the CA in Base 64 format (*.pem, *.cer, *.crt) in the folder
indicated in the Upload CSR dialog.
d) Download the certificate chain and CA certificate of your certificate authority.
e) Click Next in the Upload CSR dialog.
The Import Certificate Files dialog is displayed.
7. In the Import Certificate Files dialog, you import the intermediate certificates file (depending
on your CA vendor) and the downloaded CA certificate. You also need to define a password
for the server certificate (PKCS12) that is to be created:
a) In the Select intermediate certificates file field, browse for the intermediate certificate.
b) In the Select CA certificate file field, browse for the downloaded CA certificate.
c) In the Password for private key field, enter a password for the server certificate to be created.
Confirm the password.
d) Click Next.
The Certificate created dialog is displayed.
8. In the Certificate created dialog, the location of the certificate created is shown. You can use
it when setting up Sophos Mobile Control, see Install and set up the Sophos Mobile Control
Server (section 3.2).
Note: Create a backup of the folder containing the certificate files.
Click Next.
The Sophos Mobile Control - SSL Certificate Wizard finished dialog is displayed.
9. Click Finish.
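
Before the PKCS12 file is imported in section 3.2, it can be checked for the three parts the import option expects: the server certificate, its private key and the issuing chain. The following is an added example, not part of the Sophos product or of the original guide; the function name, parameter names, the 30-day margin and the sample file and host names are assumptions.

```powershell
# Added example: pre-import check of the PKCS12 file produced by the wizard.
# Function and parameter names are hypothetical. Requires Windows PowerShell 5.1.
function Test-SmcPkcs12 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ServerName,   # FQDN entered in step 4
        [int]$MinDaysValid = 30                      # assumed renewal margin
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Import throws if the password is wrong or the file is not valid PKCS12.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs.Import($file, $plain, $flags)

    # Exactly one entry must carry the private key: the server certificate.
    $leaves = @($certs | Where-Object { $_.HasPrivateKey })
    if ($leaves.Count -ne 1) {
        $findings.Add("Expected one certificate with a private key, found $($leaves.Count).")
        return [pscustomobject]@{ Usable = $false; Findings = $findings }
    }
    $leaf = $leaves[0]

    # The certificate name must match the server name devices will connect to.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $names = @(
        $leaf.GetNameInfo($nameType::SimpleName, $false),
        $leaf.GetNameInfo($nameType::DnsName, $false)
    )
    if ($names -notcontains $ServerName) {
        $findings.Add("Certificate is issued to '$($names -join "', '")', not '$ServerName'.")
    }

    # Validity window, with a margin so the certificate does not expire right after setup.
    $now = Get-Date
    if ($leaf.NotBefore -gt $now) {
        $findings.Add("Certificate is not valid before $($leaf.NotBefore).")
    }
    if ($leaf.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $findings.Add("Certificate expires on $($leaf.NotAfter).")
    }

    # Walk issuer names up to a self-signed root using only certificates in the file.
    # This checks that the chain is present; it does not verify signatures or trust.
    $current = $leaf
    $depth = 0
    while ($current.Subject -ne $current.Issuer) {
        $issuer = $certs | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $issuer) {
            $findings.Add("Chain is incomplete: no certificate in the file for '$($current.Issuer)'.")
            break
        }
        $current = $issuer
        $depth++
        if ($depth -gt 10) {
            $findings.Add('Chain is longer than 10 certificates or loops.')
            break
        }
    }
    if ($depth -eq 0) {
        $findings.Add('Certificate is self-signed; no intermediate or CA certificate applies.')
    }

    [pscustomobject]@{
        Subject     = $leaf.Subject
        NotAfter    = $leaf.NotAfter
        ChainLength = $depth + 1
        Usable      = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Usage (file name and host name are constructed placeholders):
# Test-SmcPkcs12 -Path .\server.p12 -ServerName smc.example.com `
#     -Password (Read-Host -Prompt 'PKCS12 password' -AsSecureString)
```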
3.2 Install and set up the Sophos Mobile Control Server
Prerequisites:
■ Before you execute the Sophos Mobile Control installer, put the license file license.sql for the
  operation of the Sophos Mobile Control Server in the directory where the setup file is located.
■ If you want to use the database type MySQL, the MySQL JDBC driver is required. Download
  this driver from http://www.mysql.com/downloads/connector/j/ and save it on the server. You
  need to select it during Sophos Mobile Control configuration.
■ If the database is not held locally, you need access to the TCP Port 3306. In addition, you need
  an admin account that can log in from the Sophos Mobile Control Server.
1. Execute the Sophos Mobile Control installer, review and agree to the License Agreement.
The System Property Checks dialog is displayed.
To check that the system environment fulfills all necessary requirements for Sophos Mobile
Control installation, click Check. If you want to generate a system check report after the check
has been run, click Report.
2. If all requirements are fulfilled, click Next.
The Choose Install Location dialog is displayed.
Choose the destination folder and click Install to start installation.
3. After the installation process the Sophos Mobile Control Configuration Wizard welcome dialog
is displayed. Click Next.
4. In the Database selection dialog you can select:
■ Use Microsoft SQL Server
■ Use MySQL
For this option, the MySQL JDBC driver is required. Select Use MySQL and browse for the
driver you have downloaded.
Click Next to specify server information and logon credentials in the Database Settings dialog.
This dialog offers the required options according to the database type you have selected.
5. If you have selected Use Microsoft SQL Server in the Database selection dialog, the Database
Settings dialog offers the following options.
To use the user credentials specified during SQL server installation, select Use SQL Server
Authentication with the following credentials and enter the required user name and password.
Click Next to continue.
6. If you have selected Use MySQL in the Database selection dialog, the Database Settings dialog
offers the following options:
Select Use MySQL Authentication with the following credentials and enter the required user
name and password. Click Next to continue.
7. In the next step, you create the database. In the Database Selection dialog, select Create a new
database named, enter a name (for example SMCDB) and click Next.
The Database Configuration dialog is displayed. It shows the relevant progress messages. After
the database has been successfully created and populated, click Next.
8. In the next step, you can select optional setup steps in the Choose setup steps dialog. Setup
steps that are mandatory for initial configuration are preselected and greyed out.
You can select the following optional steps:
■ Configure user interface access IP range
  In this step, you can configure an IP range white list to manage access to the Sophos Mobile
  Control web console and the Self Service Portal.
■ Configure Exchange ActiveSync Proxy
  This step is preselected, but you can deactivate it. With this step you set up the standard
  embedded EAS Proxy. If you want to set up EAS Proxy separately with several instances
  (for example for load balancing), run the separate EAS Proxy setup. For further information,
  see External EAS Proxy server (section 4).
  Note: The EAS Proxy configuration step is necessary for configuring compliance check
  settings. If you run the separate EAS Proxy setup and need to configure compliance check
  settings, leave this step selected.
■ Configure HTTP proxy
  If you use a corporate HTTP proxy, select this option to enter the relevant server details
  and configure Sophos Mobile Control accordingly.
■ Enable SCEP (Simple Certificate Enrollment Protocol for iOS devices)
  Select this option to enable SCEP support for iOS devices. By configuring SCEP support
  you allow devices to obtain certificates from a Certificate Authority by using SCEP. All
  required settings for SCEP can be configured by a super administrator in the Sophos Mobile
  Control web console. For further information, see the Sophos Mobile Control super
  administrator guide.
Select the required optional steps and click Next.
9. In the next step, you configure a super administrator account. The super administrator you
create in this dialog has specific rights and tasks and is primarily used for customer management.
In Sophos Mobile Control, customers are the tenants that manage the devices of their users.
The super administrator logs on to a super administrator customer and can, for example,
predefine settings for new customers and push settings and configurations to existing
customers. For further information, refer to the Sophos Mobile Control super administrator
guide. In the Configure super admin account dialog, enter the Super admin customer (the
customer the super administrator will log on to), the Super admin login (the super administrator
login name) and a Super admin password. Confirm the password and click Next.
Note: These credentials are required for logging on to the Sophos Mobile Control web console.
Note: The super administrator should not be used in productive operation, but only for
administrative purposes. The super administrator is primarily intended for customer
management.
10. If you have selected the optional setup step Configure user interface access IP range in Choose
setup steps, you can configure an IP range white list for user interface access in the next step.
■ In Administration Interface, enter the white list for the Sophos Mobile Control
  administrator web console.
■ In Self Service Portal, enter the white list for the Sophos Mobile Control Self Service Portal.
Follow the instructions for entering IP addresses shown in the dialog. After you have entered
all required information, click Next.
11. In the next step, you enter SMTP information and logon credentials.
Note: This is required to enable emails to be sent to new users to provide them with logon
credentials.
In the Configure SMTP dialog under Enter SMTP server information, enter the SMTP
information and click Next.
Under Enter Sophos Mobile Control server email information, enter the email information
for exception and report mails (for example for an expired APNs certificate).
12. If you have left the option Configure Exchange ActiveSync Proxy in the Choose setup steps
dialog selected, you configure the Exchange Active Sync (EAS) Proxy information in the next
step.
Note: The EAS Proxy configuration step is necessary for configuring compliance check settings
in the next step. If you run the separate EAS Proxy setup (for example for load balancing),
enter non-applicable information here.
Note: If you want to use Lotus Traveler and connect Android devices to Traveler, you need
to set up an external EAS Proxy server.
For further information on how to set up an external EAS Proxy server, see Install external EAS
Proxy server (section 4.1).
Note: EAS Proxy log files are not cleared automatically and can become very extensive. To
prevent problems caused by this, delete the log files manually.
Enter the relevant EAS-Proxy information and select Use SSL, if required. Under Default mail
access for new devices under management, specify how email access should be checked and
handled:
■ Select Compliance check controlled email access for an ongoing automatic check if devices
  comply with your corporate rules for mobile access. If devices are not compliant, further
  email access through EAS proxy may be denied depending on the compliance settings
  specified in the Sophos Mobile Control web interface.
■ Select Allow email access if all new managed devices are to be granted email access through
  EAS proxy. The administrator has to deny access individually.
■ Select Deny email access to deny new managed devices email access through EAS proxy.
  The administrator has to grant access individually.
Click Next.
13. If you have configured the EAS Proxy setup in the last step you can configure the compliance
check in the next step.
For compliance check, you can configure the following:
■ In the Compliance check interval (in minutes) field, enter the time interval in which the
  check is to be performed.
■ In the Device sync interval (in minutes) field, enter the time interval after which the device
  synchronizes with the server.
Note: The value you set in this field only applies to iOS devices. For Android and Windows
Mobile devices a default of 24 hours applies. To define a different interval for these device
types, use the command package Set MDM Sync Interval (in minutes).
Click Next.
14. In the next step, a certificate for the secure (HTTPS) access to the web server needs to be created
or imported.
Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to
request your SSL certificate for Sophos Mobile Control. For further information, see Request
an SSL certificate for Sophos Mobile Control (section 3.1).
■ If you do not have a trusted certificate yet, select Create self signed certificate, click Next
  and continue with step 15.
■ If you have a trusted certificate, click Import a certificate from a trusted issuer, select
  PKCS12 with certificate, private key and certificate chain (intermediate and CA) from
  the dropdown list, click Next and continue with step 16. You can also select Separate files
  for certificate, private key, intermediate and CA from the dropdown list, click Next and
  continue with step 17.
15. If you have selected Create self signed Certificate, the following dialog is shown. Enter the
appropriate certificate information.
After you have entered all necessary information click Next to review and confirm the creation.
16. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate
and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select
the appropriate file and enter the password.
Click Next to review and confirm the import.
17. If you have selected Separate files for certificate, private key, intermediate and CA under
Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate
files and enter the password for the private key.
Click Next to review and confirm the import.
18. If you have selected the optional setup step Configure HTTP proxy in Choose setup steps,
you can enter your HTTP proxy configuration details in the next step. In the HTTP Proxy
Setup dialog, enter your Proxy Host and Proxy Port.
Note: If a proxy is defined in Windows Internet Explorer, the information is automatically
transferred to the HTTP Proxy Setup dialog.
19. In the next step, you verify the license information.
Click Next to confirm the licensing and configuration process.
20. Configuration is now complete.
21. After installation has finished, the Sophos Mobile Control - Installation finished dialog is
displayed. Make sure that the check box Start Sophos Mobile Control server now is selected
and click Finish to start the Sophos Mobile Control server for the first time.
Note: If you have used MS authentication, do not select the checkbox Start the Sophos Mobile
Control server now.
If you have selected SQL server authentication during installation, the SMCSVC service is
started automatically and the Sophos Mobile Control server is executed. If you have selected
Windows authentication, you first have to enter logon details in the service and start it
afterwards.
Note: After the service has been started it can take a few minutes before the web interface is
available.
Note: If a different language than English is used for the SQL login, an error occurs and an
error message is displayed. To solve this problem, first stop the SMCSVC service. Then open
SQL Management Studio on the server and select Security followed by Logins. Edit the
properties of the user that is used to start the SMC server and set the Default language for this
account to English. Click OK and start the SMCSVC service again.
Continue with the following configuration steps:
■ In the Configuration Wizard, you have now created a super administrator and a super
  administrator customer. This setup does not support the LDAP connection to a directory
  service such as Active Directory and the self-registration of end users with the Self Service
  Portal. To support these features, a customer must be created by the super administrator.
  For further information, refer to the Sophos Mobile Control super administrator guide.
■ If you have selected to configure the EAS Proxy server separately, configure the EAS Proxy
  now, see External EAS Proxy server (section 4).
4 External EAS Proxy server
With Sophos Mobile Control you can set up an external EAS Proxy server with several instances.
Sophos Mobile Control offers a separate EAS Proxy installer for this purpose.
Features
Besides the features of the internal EAS Proxy, the external EAS Proxy offers the following features:
■ Lotus Traveler client support (which is not ActiveSync)
■ Support for multiple Microsoft Exchange and Lotus Traveler servers (one instance per mail
  server, one TCP port per instance)
Usage scenarios
Note: For Sophos Mobile Control as a Service, the following scenarios do not apply. In this
scenario, the EAS Proxy server is suitable for installation in your own environment because the
EAS Proxy communicates through HTTPS with the Sophos Mobile Control Server.
An external EAS Proxy server should be used for the following scenarios:
■ You use Lotus Traveler for non-iOS devices.
  The internal EAS Proxy cannot handle this scenario as Active Sync is not used here.
  The internal EAS Proxy supports iOS devices for Lotus Traveler as Traveler supports ActiveSync
  for iOS. So for iOS devices you do not need to use the external EAS Proxy.
  For other platforms (for example, Android or Windows Mobile), Lotus Notes Traveler is
  supported by the external EAS Proxy. For these platforms, a dedicated Traveler client software
  is required. This software is available through <traveler-server>/servlet/traveler or the Traveler
  file system. Sophos Mobile Control can install and uninstall the client software. Configuration
  has to be done manually.
■ You want to support multiple backend servers.
  With the external EAS Proxy you can set up multiple instances of backend mail systems. Each
  instance needs an incoming TCP port. Each port can connect to a different backend. You need
  one URL per EAS instance.
■ You want to set up load balancing for EAS
  For this scenario an existing load balancer for http is required. You set up the external EAS
  Proxy on different machines.
Setup
The following applies to installation and setup:
■ The external EAS Proxy can be installed on the same server, but needs to listen on different
  ports.
■ The external EAS Proxy can run on different (virtual and physical) machines.
■ Simple Windows setup
4.1 Install external EAS Proxy server
Prerequisite:
■ Sophos Mobile Control has been installed and set up, see Install and set up the Sophos Mobile
  Control Server (section 3.2).
■ If the EAS Proxy is to be installed on a separate machine, Java JRE needs to be installed.
To configure the EAS Proxy server separately:
1. Execute the Sophos Mobile Control EAS Proxy Setup.exe.
The Sophos Mobile Control EAS Proxy Setup welcome dialog is displayed. Click Next.
2. In the License Agreement dialog, review the license terms and click I Agree.
3. In the Choose Install Location dialog, choose the destination folder and click Install to start
installation.
4. After Sophos Mobile Control EAS Proxy has been installed, the EAS Proxy Configuration
Wizard welcome dialog is displayed. Click Next.
5. In the SMC Server configuration dialog, select the SMC Server to be used. Optionally, select
Use SSL for incoming connections (Clients to EAS Proxy).
Click Next.
6. If you have selected Use SSL for incoming connections (Clients to EAS Proxy), the Import
Certificate Files dialog is displayed. Select the appropriate files and enter the password for the
private key.
Click Next.
7. In the next step, you configure the EAS Proxy instances. In the EAS Proxy instance setup
dialog, enter an Instance name, the relevant Server port (incoming traffic) and the ActiveSync
Server (target). Select Enable traveler client access to enable Lotus Traveler client access. After
entering the instance information, click Add to add the instance to the Instances list.
After you have added the instance the following message is displayed:
Click OK.
A window with the certificate that needs to be uploaded to Sophos Mobile Control opens.
8. In the next step, you need to upload the certificate in the Sophos Mobile Control web console
as a super administrator. For further information on Sophos Mobile Control super
administrators, see the Sophos Mobile Control super administrator guide.
a) Log on to the Sophos Mobile Control web console as a super administrator.
b) In the web console menu bar, go to Settings and click System setup.
c) In the EAS Proxy tab, browse for the certificate and click Upload.
The certificate is uploaded and shown in the EAS Proxy tab.
d) Click the Save button.
Note: The certificate needs to be uploaded before the server is started. Otherwise Sophos
Mobile Control rejects the server and the service will not be started.
9. In the EAS Proxy instance setup dialog of the EAS Proxy Configuration Wizard, click Next.
The server port you entered is checked and the Sophos Mobile Control EAS Proxy
Configuration Wizard finished dialog is displayed.
10. Configuration is now complete. Click Finish to close the Configuration Wizard.
The Sophos Mobile Control EAS Proxy server is installed.
11. After installation has finished, the Sophos Mobile Control EAS Proxy Installation finished
dialog is displayed. Make sure that the check box Start Sophos Mobile Control EAS Proxy
server now is selected and click Finish to start the Sophos Mobile Control EAS Proxy server
for the first time.
The Sophos Mobile Control EAS Proxy server has been installed and configured.
Note: EAS Proxy log files are not cleared automatically and can become very extensive. To prevent
problems caused by this, delete the log files manually.
5 Running the Sophos Mobile Control Service as a limited user
For security reasons, you may want to run the SMC service as a limited user instead of an
administrator.
Note: If you use Windows Authentication for database access, you only have to carry out step 3
of the following description.
1. On the computer, on which Sophos Mobile Control is running, create a local, “regular”
Windows user account with a password that does not expire.
2. Remove this user account from all groups. (By default, the user is in the “users” group.)
3. Grant this user account full access to the Sophos Mobile Control installation directory
(C:\Programs\Sophos\Sophos Mobile Control) including all subdirectories.
4. In the SMCSVC service properties, change the user to this user account with the relevant
password.
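The four steps above, scripted in PowerShell as an added example that is not part of the Sophos guide. It assumes PowerShell 5.1 or later in an elevated session; the account name smc-service is hypothetical, while the directory and the service name SMCSVC are the ones given in the steps.

```powershell
#Requires -RunAsAdministrator
$User       = 'smc-service'                               # hypothetical account name
$InstallDir = 'C:\Programs\Sophos\Sophos Mobile Control'  # directory named in step 3
$Service    = 'SMCSVC'                                    # service named in step 4

# Step 1: local account whose password does not expire.
$Password = Read-Host -AsSecureString -Prompt "Password for $User"
New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
    -Description 'Sophos Mobile Control service account' | Out-Null

# Step 2: remove the account from every local group it belongs to.
foreach ($group in Get-LocalGroup) {
    $member = Get-LocalGroupMember -Group $group -Member $User -ErrorAction SilentlyContinue
    if ($member) { Remove-LocalGroupMember -Group $group -Member $User }
}

# Step 3: full control on the installation directory and all subdirectories.
icacls $InstallDir /grant "${env:COMPUTERNAME}\${User}:(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 4: change the service logon account through WMI, so the password
# never appears on a command line.
$plain  = [System.Net.NetworkCredential]::new('', $Password).Password
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
$result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{
    StartName = ".\$User"; StartPassword = $plain }
Remove-Variable plain
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# The Services snap-in grants "Log on as a service" automatically; when the
# account is set this way, grant that right separately (Local Security Policy).

# Verify: logon account of the service, remaining group memberships, ACL entry.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'" |
    Select-Object Name, StartName, State
Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_ -Member $User -ErrorAction SilentlyContinue
} | Select-Object Name
(Get-Acl -Path $InstallDir).Access |
    Where-Object { $_.IdentityReference -like "*\$User" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

The group check should list nothing, and the service must be restarted before the new logon account takes effect.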
6 Updating Sophos Mobile Control
Note: When you update Sophos Mobile Control from an older version, you may need to update
Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You
also need to manually adjust the environment variables.
6.1 Updating from version 1.x to 3.5
SMC Server installations version 1.x cannot be updated directly to version 3.5. Version 1.0 has to
be updated to version 1.1 and then to version 2.5 first.
6.2 Updating from version 2.5 or 3.0 to 3.5
To update your SMC Server installation to version 3.5, execute the Sophos Mobile Control 3.5
installer.
The installer automatically detects that an existing installation is to be updated to version 3.5. The
administrator is asked whether the service should be stopped.
The database is updated automatically.
If you use SQL authentication, you have to specify the super administrator account when you
upgrade to change the existing SQL users and passwords.
7 Apple Push Notification service
To use the built-in Mobile Device Management (MDM) protocol of devices running Apple iOS
4 (or higher), Sophos Mobile Control must use Apple’s Push Notification service (APNs) to trigger
the iOS devices. The following sections describe the requirements that have to be fulfilled and the
steps you must take to get access to the APNs servers with your own client certificate. Sophos
Mobile Control offers an APNs Certificate Wizard for creating your APNs certificate. The wizard
is included in your product delivery. It is also available for download in the web console.
Note: Do NOT use Internet Explorer for any Apple websites. Apple recommends their own
Safari browser, but Mozilla Firefox, Opera or Google Chrome also work.
7.1 Requirements
For silent operations all devices must have at least iOS version 4 installed. A free update is available
from Apple for
■ iPhone 3G, 3GS, 4
■ iPad
■ iPod touch, 3rd or 4th generation
To notify iOS devices, the Sophos Mobile Control server needs to connect to the Apple Push
Notification service. The notifications are sent SSL-encrypted to
■ gateway.push.apple.com:2195 TCP (17.0.0.0/8)
■ iOS devices with Wifi only need a connection to the APNs
■ Wifi iOS device -> *.push.apple.com:5223 TCP (17.0.0.0/8)
7.2 Create and upload an APNs certificate
To create an APNs certificate, you use the APNs Certificate Wizard. The wizard is included in
your product delivery. It is also available for download in the web console. In the web console
menu bar, go to Settings, click System Setup and go to the iOS APNS tab. To download the wizard,
click the available download link.
1. Start the APNs Certificate Wizard by double-clicking the file APNs Certificate Wizard.exe.
The APNs Certificate Wizard welcome dialog is shown.
2. Click Next.
The Create CSR dialog is shown.
3. Enter your Company Name and your Country code (for example US). These fields are
mandatory.
Note: Below these fields, the dialog shows where all data of the process is stored. Make a note
of this information.
4. Click Next.
The Upload PLIST dialog is displayed.
5. In this step, you upload the Certificate Signing Request to Apple. Follow the instructions in
the dialog:
a) Open the Apple site indicated in the dialog in your browser.
Note: Do not use Internet Explorer to open the Apple site as this may cause problems. Use
Firefox, Chrome or Safari instead. We recommend using the latest browser versions.
b) Log in with your Apple ID. If you do not have an Apple ID, create one.
c) In the first dialog of the Apple Push Certificates Portal, click Create a Certificate.
d) Accept the terms and conditions.
e) Browse for your Certificate Signing Request (*.plist) and click Upload.
You find the file name and the path in the Upload PLIST dialog of the Sophos APNs
Certificate Wizard.
Your Apple push certificate is created.
f) Save the certificate file (*.pem) in the directory indicated in the Upload PLIST dialog.
6. Click Next.
The Create P12 dialog is displayed.
7. In this step, you create your APNs certificate for Sophos Mobile Control. Enter a password for
the APNs certificate. You need this password later, when you upload the .P12 certificate file to
Sophos Mobile Control.
Note: The Create P12 dialog shows the directory the certificate will be stored in. Make a note
of this information. We recommend that you create a backup of the folder that contains the
certificate files.
8. Click Next.
The Sophos Mobile Control APNs Certificate Wizard finished dialog is displayed.
9. Click Finish.
10. In the Sophos Mobile Control web console, click the Settings button and go to the iOS APNS
tab.
11. Browse for the .p12 certificate file you have created, enter your password and click Upload.
After the file has been uploaded successfully, a confirmation message is displayed.
12. Click Save.
7.3 Migrating APNs certificates from the iOS Developer Enterprise Program
Certificates created with the iOS Developer Enterprise Program (iDEP) cannot be renewed from
within the iDEP anymore. If you have created your MDM APNs certificates with iDEP and they
are about to expire, you have to migrate them to the new method described in Create and upload
an APNs certificate (section 7.2).
To renew a certificate:
1. Go to https://identity.apple.com/pushcert/ and log in with your iDEP Apple ID that you used
to create your existing APNs certificate.
2. Carry out the following steps. For details on individual steps, see Create and upload an APNs
certificate (section 7.2).
a) Create a CSR.
b) Let Sophos sign the CSR.
c) Click the Renew button and upload the signed CSR.
d) Download the certificate.
e) Convert the APNs Certificate for Sophos Mobile Control.
8 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at http://community.sophos.com/ and search for other users
who are experiencing the same problem.
■ Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx.
■ Download the product documentation at http://www.sophos.com/en-us/support/documentation.aspx.
■ Send an email to support@sophos.com, including your Sophos software version number(s),
operating system(s) and patch level(s), and the text of any error messages.
9 Legal notices
Copyright © 2011 - 2013 Sophos Ltd. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you
are either a valid licensee where the documentation can be reproduced in accordance with the
license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.