Managing Users and Resources

Managing Users and User Resources
This guide provides information on . . .
. . . The User/Device Grid
. . . The User/Device Profile
. . . Categorizing Users into Local Groups
. . . Managing Applications
. . . Managing Corporate Resources
. . . Managing Data Plans
. . . Managing the File Share List
. . . Group Notifications and Emailing
. . . Activity Monitor, Alerts, and Reporting
NotifyMDM Version 3.x
Accessing the Dashboard  1
Managing Users and User Resources
Table of Contents
Accessing the Dashboard
4
Managing Smart Devices and Users
6
The User/Device Grid............................................................................................ 6
Customizing the User/Device Grid ............................................................. 7
Assigning Settings and Res ourc es to Groups/Folders from the Grid ........... 10
The Device Panel ................................................................................... 12
The Administration Panel ........................................................................ 14
Export Data from the Us er/Device Grid..................................................... 15
Adding / Removing / Disabling Users ....................................................... 15
The Apple DEP User/Device Grid ............................................................ 16
The Discovered Devices Grid .................................................................. 17
The Device P rofile .............................................................................................. 19
User Information ..................................................................................... 19
Device Administration ............................................................................. 25
Corporate Resource Assignments............................................................ 41
Device Summary .................................................................................... 49
Local Groups
50
Managing Local Groups ...................................................................................... 51
Add a Group and Assign Users ................................................................ 52
Edit a Group Name or Change Group Membership ................................... 52
Prioritizing Groups .................................................................................. 53
Configure the Group Settings .................................................................. 54
Remove a Group .................................................................................... 55
Application Management
56
Application Categories ........................................................................................ 57
Creating, Editing, or Removing Cat egories ............................................... 57
Associating an Application with a Category ............................................... 57
View Managed Apps by Category ............................................................ 58
Assigning a Category to LDAP Groups/Folders or Local Groups ................ 58
Managed Apps ................................................................................................... 60
Adding and Managing Apps for Android Devices ....................................... 61
Adding and Managing Apps for iOS Devices............................................. 68
Adding Managed Apps for BlackBerry Devices ......................................... 84
Whitelists/Blacklists............................................................................................. 86
Corporate Resource Management
89
Resource Configurations ..................................................................................... 91
Assigning Resources to LDAP Groups and Folders ............................................... 97
Assigning Resources to Local Groups .................................................................. 98
NotifyMDM Version 3.x
Accessing the Dashboard  2
Simple Certificat e Enrollment Prot ocol (SCEP ) Servers ....................................... 100
Tracking Data Usage
103
Define a Dat a Plan............................................................................................ 103
Assigning Devices to a Data Plan ...................................................................... 106
Assign Devic es to a Data Plan ............................................................... 106
Remove Devices from a Data Plan ........................................................ 108
File Share
109
Group Notifications
112
Send Group Notifications................................................................................... 112
Send Group E-mail ........................................................................................... 114
Search Group E-mail ........................................................................................ 115
The Activity Monitor and Alerts
116
User and Device Reports
123
Using the Reports ............................................................................................. 124
Sample Reports ................................................................................................ 125
NotifyMDM Version 3.x
Accessing the Dashboard  3
Accessing the Dashboard
Access the Dashboard
NotifyMDM Dashboard requirements:

Microsoft Internet Explorer, Firefox, or Safari

Adobe Flash Player 10.1.0

Minimum screen resolution: 1024 x 768

Desktop computer running Windows OS
In your web browser, enter the server address of the NotifyMDM server followed by /dashboard
Example: https://my.notifymdm.server/dashboard
On-Demand users enter: https://ondemand.notifymdm.com/dashboard
Standard Login
Log in to the NotifyMDM dashboard using your administrative login credentials in one of the following formats:

Locally authenticated logins enter:
email address and password

LDAP authenticated logins enter:
domain\LDAP username and LDAP password
You can create additional logins to the dashboard with system administrator, organization administrator, or
support administrator privileges. See the System Administration Guide for details.
NotifyMDM Version 3.x
Accessing the Dashboard  4
OpenID Login
Use your OpenID credentials to log in.
1.
At the NotifyMDM login screen, enter the Zone Name, an easy to remember name NotifyMDM uses
to redirect you to the OpenID provider portal. If your provider requires it, enter your OpenID
Username as well.
2.
At the provider site, enter your OpenID credentials.
Note: If this is the first time you have logged in to NotifyMDM with an OpenID or your OpenID
information has changed, you will be prompted for a PIN code before entering the NotifyMDM
dashboard.
Zone Name and new PIN codes are emailed to you from the NotifyMDM server.
NotifyMDM Version 3.x
Accessing the Dashboard  5
Managing Smart Devices and
Users
The User/Device Grid
The Smart Devices and Users view displays a list of all users currently in the NotifyMDM organization.
From this page, you can add a user, remove a user, email a user, move to a profile view with a greater level
of detail, and issue remote security commands to a user’s device.
You can also customize the user list view or export data from the list.
NotifyMDM Version 3.x
Managing Smart Devices and Users  6
Customizing the User/Device Grid
Customize the User/Device Grid by:

Rearranging columns

Sorting columns

Choosing the visible columns

Searching for and displaying a distinct category of users

Limiting the list to members of an LDAP folder or group
Rearrange columns. Drag and drop column headings to reorder the columns. The Dashboard saves the
order in which you arrange the columns.
Sort columns. Click the heading of any column to sort the list by the information in that column. Sort in
ascending or descending order.
NotifyMDM Version 3.x
Managing Smart Devices and Users  7
Choose the visible columns. Click the Choose Visible Columns button in the bottom left corner of the User
Grid. Using the forward arrow, move items from the Available Columns list to the Displayed Columns list so
that they will appear in the User Grid. In the Displayed Columns list, use the up/down arrows to arrange the
columns in the order you want them to appear. The Dashboard saves the columns you choose to view.
Available Columns
Activation Date
Activation Lock Status
Active
ActiveSync Authorization Failures (User)
ActiveSync User Agent
ActiveSync Version
Apple DEP Device
Battery Level
Charging Status
Device Connection Schedule
Device GMT Offset
Device IMEI
Device Model
Device Name
Device Platform
Device Time Zone
Device UID
DeviceSAKey
Domain
Email Address
Expiration Date
First Name
Free Memory
IMSI Number
iOS Installed Profiles
iOS Managed Profiles
Jailbroken
KNOX Status
KNOX Workspace Status
Last ActiveSync Sync (Server Local)
Last APN Check-In (Server Local)
NotifyMDM Version 3.x
Last APN Sent (Server Local)
Last NotifyMDM Sync (Server Local)
Last Name
Liability
Linked Identifier
Memory Capacity
Network Type
NotifyMDM App Language
NotifyMDM App Version
NotifyMDM Authorization Failures (user)
OS Language
OS Version
Ownership
Pending remove
Phone Number
Plan Type
Policy Suite
Roaming
SD Card Free Memory
SD Card Installed
SD Card Memory
Shared
Signal Strength
SIM Removed or Changed
Suspended
TouchDown Enrolled
User Name
UserSAKey
Violation Status
VPP Association Status
Managing Smart Devices and Users  8
Search for and display a single user or category of users. Use the search criteria in the drop-down
Search column to search for users by user name, phone number, policy suite, device platform, or custom
column name and value. The string entered in the search field returns users that contain the string anywhere
in the user name.
Display by User Categories. Limit the display of users in the grid to those in a specific category. There are
three major user categories: Users by LDAP, Users by Local Group, and Uncategorized Users. Browse the
user category directory and select a local group or LDAP group/folder. The users listed in the grid will contain
only the users belonging to the group or folder you chose.
To refresh the grid so that it displays the entire list of users, click the group again, click the refresh button
or click the Reset button in the Search option.
NotifyMDM Version 3.x
,
Managing Smart Devices and Users  9
Assigning Settings and Resources to Groups/Folders from the Grid
Settings such as Policy Suite, Connection Schedule, and Liability can be assigned to a local group or LDPA
group/folder directly from the user grid. In addition, Android and iOS resources can be assigned to LDAP
group/folder directly from the grid.
1.
Expand the Display by User Categories option on the left panel and navigate to an LDAP group or
folder, under Users by LDAP, or to a local group under Users by Local Group. Right-click on the
group or folder.
2.
From the pop-up, select the Group (Folder) Policy option and choose the Policy Suite, Device
Connection Schedule and Liability assignments for the group/folder. Click Save.
Standard Policy Enforcement
Schedule-Based Policy Enforcement
NotifyMDM Version 3.x
Managing Smart Devices and Users  10
3.
Right click on an LDAP group/folder and select the Assign Resources option to assign resources.

Select a device platform from the drop-down: Android or iOS

Mark the checkbox next to the resource you want to assign to the group/folder.

Mark the checkbox labeled Use credentials from LDAP Server to assign the resource to the
users associated with the group/folder.
Or, leave the option disabled to assign the resource to a single User Name from the group or
folder.
Android Resource Assignments
NotifyMDM Version 3.x
iOS Resource Assignments
Managing Smart Devices and Users  11
The Device Panel
Select a user/device from the grid. A panel for that user appears in a column to the right of the list. Only
administration options that apply to the device platform will appear in the panel.
Device Panel Content
Quick Device Stats - Displays last sync time, device
platform, ownership, and phone number
Data Plan Statistics - Displays the plan name and limit.
Also displays data used by device, data used by other
devices on the plan, and remaining data for the current
billing period.
Popup Views - Provides the following links to popup
views:
o
See Most Recent Location - Location statistics
o
E-mail User - Compose and send an email
o
Send Notification – Compose and send a
notification to an Android or iOS device (160
character limit).
o
View Device Report - Device statistics
Device Compliance – Allows the administrator to clear a
violation restriction or view device violation details and
clear a User Exception for a violation. See Device
Compliance.
Sample Device Panel
NotifyMDM Version 3.x
Managing Smart Devices and Users  12
Monitoring Device Compliance from the Device Panel
If you have implemented the Compliance Manager to monitor and restrict devices or users who are noncompliant with corporate policies, you may want to display the Violation Status column in the Smart Devices
and Users grid. Use the following options in the Device Panel to view details about the restriction or release a
user from the restriction.
Administrative
Action
Description
Result
Clear NotifyMDM
Authorization Failures
A device passes invalid
credentials for the NotifyMDM
account of a known user to the
server a number of times that
exceeds the set limit.
This Clear button releases the device from
restrictions imposed by this violation. The counter for
the Failed login attempt limit is reset to zero.
A device passes invalid
credentials for the ActiveSync
account of a known user to the
server a number of times that
exceeds the set limit.
This Clear button releases the device from
restrictions imposed by this violation. The counter for
the Failed login attempt limit is reset to zero.
Clear SIM Card
Removed or Changed
Violations
A user has removed or changed
the SIM card in a device and is in
violation of the Restrict if SIM
Card is Removed or Changed
access restriction.
This Clear button releases the device from
restrictions imposed by this violation.
Clear Data Usage
Statistics Reset by
User Violation
A user has rest the data usage
statistics on the device and is in
violation of the Restrict if data
usage statistics reset by user
access restriction.
This Clear button releases the device from
restrictions imposed by this violation.
View Device Violation
Details
An administrator can view
violations and use the Clear
Selected Violations button to
release a device from restrictions.
Administrator can select and clear a violation listed in
the pop-up dialog box. The device is released from
restrictions imposed by violations. An exception is
created for the user, which prevents the device from
being restricted again due to this violation.
Clear ActiveSync
Authorization Failures
NotifyMDM Version 3.x
A User Exception is not created, so if the device’s
NotifyMDM connections continue to fail, the device
will be in violation again.
A user exception is not created, so if the device’s
ActiveSync connections continue to fail, the device
will be in violation again.
A user exception is not created, so if the SIM card is
removed or changed again, the device will be in
violation.
A user exception is not created, so if the user resets
the data usage statistics again, the device will be in
violation.
Managing Smart Devices and Users  13
Violation Details Pop-up
The Administration Panel
Administration Panel Content
Administration – Security commands and administrative
actions can be performed quickly. Only options that apply
to the device platform will appear. Administrative actions
can also be issued through the User Self Administration
Portal.

Security Commands - Gives quick access to reactive
security commands, such as Full Wipe. See a list of
Remote Security Commands.

Send VPP Invitation - Send an invitation to an iOS
7.0.3+ user to join the Apple Volume Purchase
Program if they have not yet been invited or have not
yet accepted an invitation. Check user’s status in the
VPP Association Status column of the User Grid.

Send Welcome Letter - Send the Welcome Letter
email to the user

Reset for Enrollment - Used for troubleshooting
enrollment issues. Clears server data that prevents a
user from re-enrolling a device or reloading iOS
profiles when a device experiences enrollment issues.

Reboot – Reboots the device. Applicable for
Samsung KNOX devices only.

Power Off – Turns the device off. Applicable for
Samsung KNOX devices only.

Unblock Password Entry – unblocks the password
entry on a device blocked due to a password policy
violation. Applicable for Samsung KNOX devices only.
Sample Administration Panel
NotifyMDM Version 3.x
Managing Smart Devices and Users  14
Export Data from the User/Device Grid
Export data from the list to a Comma Separated Values (CSV) or Excel (XLS) file. Use the Export Format,
button to choose format, then click the Export Data Grid button to save the current grid to a file.
Adding / Removing / Disabling Users
The Add User button launches a window that allows the manual addition of individual users or addition of
users via batch import methods (.CSV file or an LDAP server).
Users imported in a batch are assigned the same policy suite, device connection schedule, ActiveSync server
(if defined), LDAP server (if defined), and carrier (if desired).
For more documentation on adding users, see the System Configuration: Adding Users, Enrolling Devices
guide.
The Remove User button deletes the user from the NotifyMDM server. A user can also be temporarily
disabled by using the Disable Device option on the user detail panel. This prevents the device from
synchronizing with the NotifyMDM and ActiveSync servers, but retains the user account.
Note: Shared Users can only be removed when status is Not Enrolled (no devices have been enrolled
with the shared user credentials) or all devices enrolled with the shared user credentials have been
wiped. The Remove User button will be disabled under any other condition.
Any DEP devices assigned to the shared user will be unassigned when the shared user is removed.
The Disable Device option can be used when you want to disable
device synchronization, but not remove the user from the system.
Initiate the command from the Device Panel or from the Security
option in the Device Profile Administration view.
NotifyMDM Version 3.x
Managing Smart Devices and Users  15
The Apple DEP User/Device Grid
If your organization has deployed devices through the Apple Device Enrollment Program (DEP) you can view
these devices on a grid separate from the standard User/Device Grid.
Note: For more information on using the DEP device grid and managing DEP devices, see the
Supervised iOS Devices guide.
From the dashboard, select the Smart Devices and Users view. Click the Apple DEP Devices button in the
upper right corner of the User/Device Grid page. This flips the view to a list of the DEP devices. Devices that
have already been enrolled with user credentials, appear on the standard User/Device Grid as well.
Apple DEP User/Device Grid
NotifyMDM Version 3.x
Managing Smart Devices and Users  16
The Discovered Devices Grid
If you have imported device, user, and policy information from an ActiveS ync server using PowerShell
capabilities, the information discovered during the retrieval process is displayed in the Discovered Devices
grid.
Note: For more information on retrieving information from an ActiveSync server, see the PowerShell
Configuration Guide.
From the dashboard, select the Smart Devices and Users view. Click the Discovered Devices button
located in the right corner above the User/Device Grid. This flips the view to a list of the devices discovered
on the ActiveSync server. Devices that have already enrolled the NotifyMDM application appear on the
standard User/Device Grid as well.
Discovered Devices User/Device Grid
Discovered Devices Grid Information
Information unique to the Discovered Devices grid will help you monitor who has not yet enrolled with the
NotifyMDM server.
Grid Columns
Description
Access State
A mobile device that is connecting to Exchange ActiveSync can be in one of several
“access states” at any given tim e. The states m ost often seen in the grid are:
 Allowed – a state in which the device is synchronizing email, calendar, and tasks as
long as it is compliant with the ActiveSync mailbox policy.
 Quarantined – the state in which a device is placed when it has reached the
quarantine date without enrolling with the MDM server.
MDM Status
 Discovered – the device information has been imported from an ActiveSync server
 Enrolled – the device information has been imported from an ActiveSync server and it
has enrolled with the MDM server.
ActiveSync Server Name
The ActiveSync server from which device information was retrieved.
ActiveSync User Agent
The ActiveSync device client on the device.
NotifyMDM Version 3.x
Managing Smart Devices and Users  17
Discovered Devices Grid: Search
The Search option can be used to filter the discovered devices by Username, Device Platform, or Phone
Number.
Discovered Devices Grid: Administration Panel
The Administration Panel to the left of the grid displays several device management options.
Administration Panel
Description
Devices Statistics
Displays device platform and phone number.
Hide Device
Removes a device from the grid display. Although the device is not removed from the
ActiveSync server, it will not appear in the grid again when subsequent requests for
information are made on the ActiveSync server. Should the device eventually enroll with
MDM, it will appear on the standard Device/User grid.
E-mail User
Compose and send an email
Allow Quarantined
Device
The device was not enrolled during the grace period and has been den ied access to email.
This clear button releases the device from restrictions imposed by this violation.
Note: If the organization is configured to restrict ActiveSync connections
(via Compliance Manager) when a device is out of compliance, the device
cannot be released from quarantine.
Show Recovery
Password
If a device has the capability to issue a request for a temporary recovery password, this is
where you can retrieve the unlock password that has been generated. A user can also view
it from the NotifyMDM Self-Administration portal. See Enab ling Password Recovery
Discovered Devices Grid: Device Profile
Select a device and click the device profile button in the action bar above the grid. The profile will display user
information and device statistics, along with security actions available for the device type. If the discovered
device is enrolled with MDM, the profile will show the same information that is available on a standard user
profile.
NotifyMDM Version 3.x
Managing Smart Devices and Users  18
The Device Profile
Select a user from the list and click the Device Profile button on the action bar above the grid (or double-click
the user). There are several views to select from in the menu panel to the left.
User Information
Select User Information from the left panel of the Device Profile. There are four tabs that display the following
user information:

Configuration

Certificates

Custom Column Values

Local Groups
User Information: Configuration
(return to User Information menu)
Select the Configuration tab to display basic user information that can be edited.
In addition, server address information obtained by ActiveSync Autodiscover displays for users interfacing
with servers using ActiveSync protocol version 12.0 or higher. This information does not display if NotifyMDM
does not resolve a server address via Autodiscover. Failure to resolve might occur if the ActiveSync server is
not configured for Autodiscover, if the DNS is not configured for the correct Autodiscover address, or if
general network issues occur.
You can also override the organization default setting for Maximum Number of Devices Per User by
removing the checkmark from the Auto box and defining the maximum number of devices this user can enroll.
If the user is a shared user, the configurations permitted on devices enrolled with the user’s credentials are
displayed and can be edited.
NotifyMDM Version 3.x
Managing Smart Devices and Users  19
User Information: Custom Column Values
(return to User Information menu)
If custom columns have been configured for users, they will be displayed here. Select this tab to view, add, or
edit custom column values for this user.
Custom Columns may also be configured at the device level. See Device Administration: Custom Column
Values
User Information: Certificates
(return to User Information menu)
Select the Certificate tab to upload a client authentication certificate for the user or view any NotifyMDM
generated enterprise certificate authority (CA) certificates.
Uploaded Certificates
A certificate can be uploaded to the NotifyMDM server from the Dashboard by an administrator or via the
NotifyMDM Desktop User Self-Administration portal by a user. Users can then install the certificate on the
device using the NotifyMDM Mobile User Self-Administration portal.
It is possible to upload more than one certificate to the user’s profile; however, only one certificate at a time
can be used. One certificate can be used on multiple devices associated with a single user.
The NotifyMDM server supports .cer, .pfx, or .p12 format certificates. Functionality of these certificate file
formats is dependent upon the device platform or operating system (see the table below listing tested device
operating systems). Certificates obtained from VeriSignTM have been tested and verified as functional.
Certificates obtained from other certificate authorities can be functional if the device platform recognizes the
certificate authority as trusted.
Test Certificate Validity. Use the Test Now button to test the validity of the client certificate. Initiating the
test verifies whether the certificate is in a format that can be read, and it verifies the certificate name and
expiration date.
Tests initiated for a.pfx format certificate will require the certificate’s assigned password.
When the NotifyMDM server is behind your corporate firewall. In this scenario, users must have a client
authentication certificate to access your network, but must first acquire the certificate via the NotifyMDM
server, which sits behind the network’s corporate firewall.
Use one of the following methods to make the certificate accessible to the user:
NotifyMDM Version 3.x
Managing Smart Devices and Users  20

Instruct users to install the certificate, while using Wi-Fi in the corporate setting.

Locate the NotifyMDM Desktop and Mobile User Self-Administration portals outside the corporate
firewall.
o
Assign a second address to the NotifyMDM server for the User Self-Administration Portal,
allowing access to only these user portals.

Desktop User Self-Administration Portal: <serveraddress>

Mobile User Self-Administration Portal: <serveraddress>/mobile
o
Create a second web server (mirroring the NotifyMDM server) where only the User SelfAdministration Portals are available
o
Create a firewall rule that allows the user to access the User Self-Administration Portal URLs
without a certificate.
Upload the Certificate. When you have obtained a client certificate, upload it to the user’s profile. You must
have access to the certificate file itself and know any password associated with i t.
Alternatively, you can have a user upload the certificate himself using the NotifyMDM Desktop User SelfAdministration Portal. The user must have access to the certificate file and know any password associated
with it.
To upload a certificate file:
1.
Access the Smart Devices and Users view of the dashboard. Select a user from the grids and click
Device Profile.
2.
Select User Information from the left panel, then select the Certificates tab.
3.
Select the Add New Certificate button to browse and select the certificate file. The certificate will
appear in the Uploaded Certificates section of the page.
4.
Check the box Accessible By User to designate this as the active certificate. It is possible to upload
more than one certificate to the user’s profile, however, only one certificate at a time can be active.
One certificate can be used on multiple devices associated with a single user.
5.
If the certificate is protected by a password, enter the Password and confirm it.
6.
Click Save Changes.
NotifyMDM Version 3.x
Managing Smart Devices and Users  21
Instruct the User to Install the Certificate. When the certificate has been uploaded and associated with a
user account, instruct the user to install the certificate on the device via the NotifyMDM Mobile User SelfAdministration Portal. An example of the installation process for eac h device type is available in Appendix A
of every NotifyMDM device user guide.
Certificate Formats Supported on Various Device Platforms
.cer
Android
BlackBerry
.pfx / .p12
OS 2.1 update 1
OS 2.2
OS 2.2
OS 2.3
OS 2.3
OS 2.3.4
OS 2.3.4
OS 4.5
OS 4.6
OS 5.0
iOS
OS 6.0
OS 6.0
OS 7.0
OS 7.0
iOS 6+
iOS 6+
NotifyMDM Generated Enterprise CA Certificates
The lower half of the Certificates page lists any NotifyMDM generated enterprise certificate authority (CA)
certificates. A certificate of this type can be re-issued or revoked from this page.
For more information on managing enterprise CA certificates, see the Certificate Management Guide.
These certificates provide:

Authentication of users with Android KNOX and iOS devices accessing ActiveSync mail servers when NotifyMDM is configured so that it does not proxy ActiveSync traffic.

Authentication of users with Android and iOS devices for Wi-Fi access.
NotifyMDM Version 3.x
Managing Smart Devices and Users  22
Revoke a Certificate
Certificates issued from the organization’s certificate server via NotifyMDM can be revoked from the user’s
profile or from the Certificate Grid (Organization Management > Certificate Management > Certificates).
Once the Certificate Authority publishes a certificate revocation list, any resource (ActiveSync email, Wi-Fi,
etc.) that uses the certificate for authentication will be inaccessible. Please note that in most cases, this does
not occur immediately after an administrator has revoked the certificate. A user may still have access to
resources for a short time after a certificate has been revoked.
1.
Select a certificate and click the Revoke Certificate button.
2.
Select a Revocation Reason.
CA Compromised
Cease of Operation
Certificate Hold
Change of Affiliation
Key Compromised
None
Superseded
3.
Certificate authority (CA) that issued the certificate has been compromised
Client no longer qualifies for the certificate
Certificate has been placed on hold
Subject value associated with the certificate has been modified
Certificate’s key has been compromised
No reason specified
Certificate is no longer valid for the intended purpose or has been superseded
by another certificate
Click OK to confirm the revocation.
Re-Issue a Certificate
Certificates issued from the organization’s certificate server via NotifyMDM can be re-issued from the user’s
profile or from the Certificate Grid (Organization Management > Certificate Management > Certificates).
When a certificate is re-issued it is valid for the number of days specified on the template from which the
certificate was generated.
1.
Select a certificate and click the Re-Issue Certificate button.
2.
Click OK to confirm the action.
User Information: Local Groups
(return to User Information menu)
NotifyMDM Version 3.x
Managing Smart Devices and Users  23
Select the Local Groups tab to view the local groups with which the user is associated.
You can add or remove local group assignments for the user, as well. Changes to a user’s group association
will update the user’s policy suite, connection schedule, and liability settings accordingly.
NotifyMDM Version 3.x
Managing Smart Devices and Users  24
Device Administration
The user’s devices are listed in the selection panel. Select a device and expand the menu underneath it.
Choose Administration and choose from tabs to view information about the device.

Device Information

Location

Configuration

Phone Calls and Texts

Custom Column Values

Viewing Logs

Security

File List
Device Administration: Device Information
(return to Device Administration menu)
Select the Device Information tab to view device statistics from the latest synchronization. The information
available varies by device platform. If a device does not report a statistic, N/A (not available) is displayed. See
the document, Device Platform Comparison: Device Statistics for detailed information.
Device Information for iOS devices will also list the iOS Installed Profiles. The device periodically sends a list
of all configuration profiles assigned to the device which can be viewed here.
NotifyMDM Version 3.x
Managing Smart Devices and Users  25
Device Administration: Configuration
(return to Device Administration menu)
Select the Configuration tab to view the Policy Suite, Device Connection Schedule, Liability, and
NotifyWork space settings for the device. The source from which each setting originated is displayed in
parentheses below the drop down box. When the Auto check boxes are marked, the device is assigned the
setting based upon local group membership, LDAP group/folder membership, or organization defaults.
Changes made to local group settings, LDAP group/folder settings, or organization defaults will automatically
update the user’s assignments.
If you wish to override the automatic assignments, remove the checkmark and select a new setting from the
drop-down list. These direct assignments take precedence over all other provisioning sources and will not
change as a result of updates to the groups or defaults.
Ownership, Plan Type, Carrier, and Data Plan are displayed and can be edited. The Blacklist or Whitelist
associated with the user’s policy suite can be viewed by clicking the symbol next to the Policy Suite field.
NotifyMDM Version 3.x
Managing Smart Devices and Users  26
Device Administration: Custom Column Values
(return to Device Administration menu)
If custom columns have been configured for devices, they will be displayed here. Select this tab to view, add,
or edit custom column values for this device.
Custom Columns may also be configured at the user level. See User Information: Custom Column Values
Device Administration: Security
(return to Device Administration menu)
The Security tab provides the remote security commands available for the user’s device platform. Not all
remote security commands are supported on every device type. The functionality of the action might also vary
slightly, based on what the device platform supports or even device model. See the table below for specific
device functionality.
How Security Commands are Issued
Full Wipe - The Full Wipe command is issued via ActiveSync. It is issued immediately if the user device is
configured in a Direct Push mode. When the user’s device is in a scheduled push mode, the device receives
the command during the next scheduled device connection session. Apple MDM functionality makes it
possible to apply the Full Wipe command immediately to iOS devices
Selective Wipe, Wipe Storage Card, and Lock Device - These commands are issued via NotifyMDM. They
are issued immediately if the NotifyMDM Device Connection Schedule has Direct Push enabled. When the
NotifyMDM Device Connection Schedule has Direct Push disabled, the device gets the command during the
next scheduled device connection session. Apple MDM functionality makes it possible to apply Selective
Wipe and Lock Device immediately to iOS devices; however, the device is capable of postponing the action.
NotifyMDM Version 3.x
Managing Smart Devices and Users  27
Security Action Confirmation Emails
The administrator issuing the security command has the option to send a confirmation email to the user.
Remote Security Commands: Functionality by Device
The table below documents which device types support the security commands and any variation in
functionality across device platforms.
Anrd
TD/A
Android devices
Android devices with TouchDown
NS/BB
NotifySync
iOS
iOS devices w ith multitasking
capabilities
TD/iOS
iOS devices w ith TouchDown
Action
Full Wipe
TM
for BlackBerry
TM
Windows
Window s devices w/ OS 8.1/10
w OS
w ebOS devices
WP7
Window s Phone 7 devices
BB10
BlackBerry 10 devices
Description
Devices
Supported
Administrators can issue a full wipe command. Once the wipe is completed, the
device is removed from the dashboard User/Device Grid. Functionality varies by
device.
Android w/ native ActiveSync account (requires OS v2.2 or greater): Device
returns to factory settings. All data and applications are deleted from the device.
Does not erase SD card.
NotifyMDM app:
Anrd, NS/BB, iOS,
TD/iOS, TD/A
ActiveSync only:
BB10, w OS, WP7
Window s 8.1+
Android w/TouchDown (requires OS v2.2 or greater): Device returns to factory
settings. This entails deleting all data and applications from the device. The
device returns to the state it was in when purchased. Does not erase SD card.
Android w/TouchDown using OS v2.0 or 2.1: Full Wipe not available – use the
Selective Wipe option to wipe the data associated with TouchDown.
BlackBerry: Removes all mail and PIM data associated with the NotifySync
application and removes the NotifySync/NotifyMDM accounts. Locks the device
if Require Password is enabled. Erases NotifySync data from the SD card.
iOS: Device returns to factory settings. This entails deleting all data and
applications from the device. The device returns to the state it was in when
purchased. Full wipe is applied immediately.
iOS 7.0.3+ devices enrolled in the Volume Purchase Program : VPP licenses
are reclaimed and the user is retired from the program when it is the last iOS
7.0.3+ device associated with the user.
web OS and WP7: Device returns to factory settings. This entails deleting all
data and applications from the device. The device returns to the state it was in
when purchased.
Windows 8.1+: the device is unenrolled and returns to factory settings removing
all internally stored data and device settings.
NotifyMDM Version 3.x
Managing Smart Devices and Users  28
Selective Wipe
Un-enrolls the device. Un-enrollment selectively wipes the device, removing
mail/PIM associated with the mail application; clears the NotifyMDM account;
and deletes the device from the grid.
Android (native): Devices with native mail app only wipe the NotifyMDM
account. Mail/PIM is not wiped.
iOS: Additionally removes managed iOS profiles, thus removing corporate
resources and managed apps designated to be removed when the APN profile
is removed. (Manually created mail profiles and user-installed apps are not
removed.)
NotifyMDM app:
Anrd, NS/BB, iOS,
TD/iOS, TD/A
Window s 8.1+
iOS 7.0.3+ devices enrolled in the Volume Purchase Program : VPP licenses
are reclaimed and the user is retired from the program when it is the last iOS
7.0.3+ device associated with the user.
Remove User
Windows 8.1+: device is unenrolled and configured policies, apps, etc. are
automatically removed.
Stops managing all devices associated with the user and subsequently
removes the user account and all device records from the NotifyMDM server
and dashboard grid.
NotifyMDM app:
Anrd, NS/BB, iOS,
TD/iOS, TD/A
Note: Shared Users can only be removed when status is Not Enrolled or all
devices enrolled with the shared user credentials have been wiped. Any DEP
devices assigned to the shared user will be unassigned when the shared user is
removed.
iOS 7.0.3+ devices enrolled in the Volume Purchase Program : VPP licenses
are reclaimed and the user is retired from the program.
ActiveSync only:
BB10, w OS, WP7
Wipe Storage
Card
Remotely wipes all data from the device’s storage card.
NotifyMDM app:
Anrd, NS/BB, TD/A
Lock Device
Remotely locks the device, requiring a password to be entered before the
device can be used.
NotifyMDM app:
Anrd, NS/BB, TD/A,
iOS, TD/iOS
iOS: Lock Device is applied immediately to iOS devices.
Window s 8.1+
Windows 8.1+: Lock is initiated only if the device has a device security
password enabled and only when device syncs with the server; Not supported
in Windows 10 Desktop.
Windows 10 Phones: Locking the phone generates a new unlock PIN and gives
the administrator an opportunity to email it to the user. See also, Email Unlock
PIN below. Not supported for Windows 10 Desktop or tablets.
Disable / Enable
Device
Device is unmanaged while disabled and thus blocked from all communication
with the server. It does not occupy a license seat in this state.
NotifyMDM app:
Anrd, NS/BB, iOS,
TD/iOS, TD/A
ActiveSync only:
BB10, w OS, WP7
Disown Device
Disown Device should only be used if you want to permanently remove an
Apple DEP device from the grid and notify the Apple servers that your
organization no longer owns the device. Once a device is disowned, it cannot
be reassigned to the server as an Apple DEP device. Disowning removes the
DEP profile from the device.
iOS DEP devices
Note: Issue a Selective Wipe prior to disowning a device. (In a future release,
disowning a device will initiate a Selective Wipe automatically, as well as
remove the DEP profile from the device.)
Suspend/Resume
Device
Show Recovery
Password
Device is managed (it can be wiped and continues to send statistics) w hile
suspended, but blocked from corporate resources. User cannot access the
application’s Config, Managed Apps, and File Share options and must enter a
password to gain full functionality when suspension is lifted.
NotifyMDM app:
Anrd, NS/BB, iOS,
TD/iOS, TD/A
If a device has the capability to issue a request for a temporary recovery
password, this is where you can retrieve the unlock password that has been
NotifyMDM app:
NS/BB, TD/A,
TD/iOS
NotifyMDM Version 3.x
ActiveSync only:
BB10, w OS, WP7
Managing Smart Devices and Users  29
generated. A user can also view it from the NotifyMDM Self-Administration
portal. See Enab ling Password Recovery
Clear Passcode
The iOS device passcode is cleared. If passcode is required by the user’s
policy, the user is prompted to enter a new passcode.
NotifyMDM app:
iOS, TD/iOS
Trigger APN
Immediately sends an APN to an iOS device causing it to check the server and
retrieve any pending commands. This can be used to remedy a situation in
which Apple Push Notifications are not synchronizing. A list of pending iOS
MDM device commands accompanies this option. Verify that the device is
unlocked before issuing this command.
NotifyMDM app:
iOS, TD/iOS
Trigger GCM
Immediately sends a notification to an Android device causing it to check the
server and retrieve any pending commands. This can be used to remedy a
situation in which GCM notifications are not synchronizing, allowing the
administrator to get the latest stats and location for the device.
NotifyMDM app:
Anrd, TD/A
Reset to Shared
Profile
If a user is signed in to a shared device, issuing this command signs the
user out, removes all the user’s profiles, and configures the device with
the shared profile settings. The device remains in a managed state.
NotifyMDM app:
Anrd, iOS, TD/iOS,
TD/A
This action will audibly ring the device to assist in location, even if it is set to
vibrate or silent.
Window s 8.1+
Resets the PIN that unlocks a device and transmits a new PIN to the server.
The new PIN can be viewed on the server via the Desktop User SelfAdministration Portal.
Window s 8.1+
phones
Remote Ring
Reset PIN
Only supported for Windows 8.1/10 phones.
Email Unlock PIN
Sends an email to the user with the unlock PIN from the most recent lock
action.
Window s 10
phones
Only supported for Windows 10 phones.
Enabling Password Recovery
Password Recovery must be enabled on the NotifyMDM server to function. By default, this feature is enabled
in the policy suite. The option can only be enabled if Require Password is enabled. To verify that both Require
Password and Enable Recovery Password are enabled:
1.
Select Organization Management > Policy Suites > (select a policy) > Security Settings
2.
Select Yes for the Enable password recovery option.
Once enabled, users with devices that support the feature can generate a temporary recovery password if
they forget the unlock password. The recovery password can be viewed by the user via the NotifyMDM SelfAdministration Portal. An administrator can also view the recovery password from the NotifyMDM Dashboard.
Viewing the Recovered Password in Outlook Web Access (OWA)
If Enable Recovery Password is also turned on in Exchange, users can view the recovery password through
OWA in addition to the NotifyMDM Dashboard or Self-Administration Portal.
Password Recovery is supported with Exchange 2007 or 2010. It requires ActiveSync protocol 12.0 and 12.1.
To enable in Exchange, from the Exchange Management Console, select the Client Access node under
Organization Configuration in the navigation tree. Right-click on the policy and choose the Properties tab.
Select the Enable Password Recovery option.
NotifyMDM Version 3.x
Managing Smart Devices and Users  30
Device Administration: Location
(return to Device Administration menu)
Select the Location tab to view the location of the device, reported by the GPS or triangulation on the device.
Information is displayed using Google Maps. Select the date and up to ten times that you want to view.
Map viewing options include:
Choosing the Map Type – Roadmap, Satellite, Terrain, or Hybrid
Adjusting the Zoom Level
On the action bar, click the Get Most Recent Data button to refresh the location data.
Click the Locate on Google Maps button to view a Google Map and the location address.
NotifyMDM Version 3.x
Managing Smart Devices and Users  31
Device Administration: Phone Calls and Texts
(return to Device Administration menu)
Select Phone Calls tab to view phone call logs synchronized from the device. Select the day you want to
view.
You can search the phone call log by date, To/From phone number, call origination, call status, roaming
status, or call duration. The search results can be exported to a CSV or XLS file.
NotifyMDM Version 3.x
Managing Smart Devices and Users  32
Select Texts tab to view text message logs synchronized from the device. Select the day you want to view.
Double-click a text message record to view the body of text in the message with any attachments that were
sent or received.
You can search the text message log by date, To/From phone number, message origination, message type,
message status, or roaming status. The search results can be exported to a CSV or XLS file.
NotifyMDM Version 3.x
Managing Smart Devices and Users  33
Device Administration: Viewing Logs
(return to Device Administration menu)
User level logs assist administrators with diagnosing problems and in understandi ng the communications
between devices and the server. Both server and device logging options are available.
Select the Logs tab to view the logs associated with a user’s device. Choose one of the logs from the Log
Type drop-down list.

ActiveSync Log - View events logged during connections between the NotifyMDM server and
the ActiveSync server and between the device’s ActiveSync client and the NotifyMDM server.

GCM Log – View successful events logged during connections between the NotifyMDM server
and the Google Cloud Messaging (GCM) server, and between the NotifyMDM server and Android
devices using GCM service.

iOS MDM Sync Log - View successful events logged during connections between the
NotifyMDM server and the Apple iOS MDM server and between the NotifyMDM server and the
device’s iOS MDM functions. Unsuccessful events (errors) are logged in the Error Chain Log.
(iOS device specific).

NotifyMDM Sync Log - View events logged during connections between the device’s NotifyMDM
app and the NotifyMDM server.

Configuration/Feedback Log – View results of a request to see managed iOS application
configuration and feedback information.

Device Log - Request and view a log from a device running the NotifyMDM application.

Error Chain Log - View detailed messages for errors logged in the iOS MDM Sync log. (iOS
device specific)

Shared User Log – View a list of sign in and sign out events for a shared device.
Use the Reset button on the Logs page to reset the date/time range to the last hour and the Log Type to
ActiveSync Log.
NotifyMDM Version 3.x
Managing Smart Devices and Users  34
Configuration/Feedback Log
The Configuration/Feedback Log shows the results of a request to see managed iOS application configuration
and feedback information. Request the information by clicking the Request Config/Feedback button on the
Device Profile Managed Apps grid.
The log displays:

App Name – Name of the application

Time Requested – Date and time the request for information was made

Requester – Username of the person who made the request

Received – Whether the configuration/feedback

Time Received – Date and time information was received
Select Configuration/Feedback Log from the drop-down list.
Set a date/time range, then click the Search button.
When the configuration/feedback log has populated, it can be sorted by any of the grid columns and data can
be exported to a .CSV or .XLS file.
Sample Configuration/Feedb ack Log Grid
NotifyMDM Version 3.x
Managing Smart Devices and Users  35
Synchronization Logs
Synchronization logs give administrators the ability to view events associated with a particular device that
have been logged during connections between servers and between the device and servers. There are three
logs of this type.
The ActiveSync Log logs events that occur during connections between the NotifyMDM server and the
ActiveSync server and between the device’s ActiveSync client and the NotifyMDM server.
The GCM Log logs successful events that occur during connections between the NotifyMDM server and the
Google Cloud Messaging server, and between the NotifyMDM server and Android devices using GCM
service.
The iOS MDM Sync Log logs successful events that occur during connections between the NotifyMDM
server and the Apple iOS MDM server and between the NotifyMDM server and the device’s iOS MDM
functions. Unsuccessful events (errors) are logged in the Error Chain Log. (iOS device specific)
The NotifyMDM Sync Log logs events that occur during connections between the device’s NotifyMDM app
and the NotifyMDM server.
The logs display:

Log code – Code number associated with the logged event

Description – Description of the log event

Function Name – Displays a returned error; blank when log event is successful

Details – Description or reason for the error; blank when log event is successful

Timestamp – Date and time of the log event
Select ActiveSync Log, NotifyMDM Sync Log, GCM Log, or iOS MDM Sync Log from the drop-down list.
Set the Log Level (Normal or Verbose) and a date/time range, then click the Search button.
When the server log has populated, it can be sorted by any of the grid columns and data can be exported to a
.CSV or .XLS file.
Sample Synchronization Log Grid
NotifyMDM Version 3.x
Managing Smart Devices and Users  36
Device Logs
The device logging option can be used to request a log from any device running the NotifyMDM application.
Administrators should instruct users to turn on the logging feature of the device, so they can obtain the log.
Device Type
Device Requirements / Behavior
Android
The device sends only the logcat log to the Dashboard. NotifyMDM logging must be
enabled on the device (Log Settings). The NotifyMDM log is written to the SD card.
BlackBerry
(with NotifySync)
BlackBerry devices must have logging enabled on the device (Log Settings) and must
have an SD card.
iOS
No special requirements. Logging is always enabled on iOS devices.
Select Device Log from the drop-down list.
Set a date/time range, then click the Search button.
Click the Request button. The screen displays a Log Request Pending message until the device sends the
log the next time it connects to the NotifyMDM server.
The dashboard grid does not display log records, but gives information on whether a log has been received.
The grid displays:

Time Requested and Requester

Received – whether or not log has been received

Time Received – date and time a response was received

Error – error message if log could not be obtained
Device Log Grid
When the log has been received, select the log file and click the Download Log button. Save the log file on
the Desktop or in another designated folder. The file can be viewed in the .txt format.
Edit the date and time filters in order to access logs you previously requested. Click Search. This filters the
timestamp of the logs, not the records in the log. When you edit the date/time filter, the system maintains the
changes as preferred settings for all user level log views until you change the settings or log out of the
Dashboard.
NotifyMDM Version 3.x
Managing Smart Devices and Users  37
Error Chain Log (iOS device specific)
The error chain log provides a view of messages detailing errors logged in the iOS MDM Sync log.
The log displays:

Error Code – Code number associated with the error

Error Domain – Contains internal codes used by Apple useful for diagnostics (may change between
Apple releases)

Localized Description – Description of codes

Timestamp – Date and time the error occurred
Select Error Chain Log from the drop-down list.
Set a date/time range, then click the Search button.
When the error chain log has populated, it can be sorted by any of the grid columns and data can be exported
to a .CSV or .XLS file.
Error Chain Log Grid
NotifyMDM Version 3.x
Managing Smart Devices and Users  38
Shared User Log
The Shared User Log shows a list of sign in and sign out events for a shared device.
The log displays:

Event Type – The event that occurred was a Sign-In or a Sign-Out

User – Username of the individual that signed in/out

Timestamp – Date and time of the Sign-In/Sign-Out
Select Shared User Log from the Log Type drop-down list.
Set a date/time range, then click the Search button.
When the Shared User Log has populated, it can be sorted by any of the grid columns and data can be
exported to a .CSV or .XLS file.
Shared User Log
NotifyMDM Version 3.x
Managing Smart Devices and Users  39
Device Administration: File List
(return to Device Administration menu)
Select the File List tab to view the file list sent up from the device.
The Archive device file list policy rule must be enabled in the policy suite to which the user belongs. When
the rule is enabled, the device periodically sends a list of all folders and files stored on the device and the SD
card, to the server. Administrators can view the list here.
The Archive device file list policy rule is located in the Audit Track ing category of each policy suite. You can
enable file archiving here and specify how often devices send the file list.
The device file directory is displayed in the Device Profile.
NotifyMDM Version 3.x
Managing Smart Devices and Users  40
Corporate Resource Assignments
Corporate Resources are a collection of servers, networks, and other resources that you can make available
to users. From an iOS user’s profile you can manage apps, associate a device with servers or networks in the
enterprise system, and configure user account settings to push out to the device. You can also push out
resources such as Provisioning Profiles, Subscribed Calendars, Web Clips, and an Access Point Name.
For Android devices, you can manage apps and assign a Wi-Fi network or VPN connection. Managed Apps,
Wi-Fi, and VPN are the only supported resources for Android devices at this time.
Notes: Configuration of these resources is done from the Organization Management view. See the
Organization Administration Guide. Reference the sections, Corporate Resource Management and
Application Management.
Removal of a resource that has been assigned via LDAP group or folder is temporary, since LDAP
periodic updates will keep reassigning the resource.
Access Point Names. Assign a new Access Point Name to a user only when necessary. The Access Point
Name (APN) identifies the external network a phone accesses for data. When you assign a new APN, it must
have the correct settings for the carrier and account provisioning. Incorrect settings c an result in a loss of
functionality or additional charges. See Organization Administration Guide: Resource Configurations .
CalDAV or CardDAV Servers. Associate the user with a CalDAV/CardDAV server and configure contact
account settings (username, password and principa address) to push out to the user’s device.
Exchange Servers*. Associate the user with an Exchange server or a server utilizing the Exchange
ActiveSync protocol and configure ActiveSync account settings to push out to the user’s device.
LDAP Servers. Associate the user with an LDAP server and configure LDAP settings so the user can access
corporate directory information via the device.
Mail Servers*. Associate the user with a mail server and configure email account settings to push out to the
user’s device.
Managed Apps. View a list of installed and/or managed apps on Android, BlackBerry, and iOS devices.
Assign an app to an Android or iOS device from lists of managed applications.
Provisioning Profiles. Associate an iOS device user with a provisioning profile in order to enable him/her to
install an in-house iOS app.
SCEP Server. Associate the user with a SCEP server in order to issue digital certificates to devices using an
automatic enrollment technique. This provides a method of delivering encrypted configuration profiles to iOS
devices.
Subscribed Calendars. Associate the user with Subscribed Calendars to push out to the user’s device.
When the device synchronizes, the Subscribed Calendar account is automatically set up on the device.
VPN. Associate an iOS or Android user with a VPN Network and define the network credentials to push out to
the user’s device.
Web Clips. Assign Web Clips to be pushed out to the user’s device. When the device synchronizes, the web clip is
automatically added to the user’s device Home screen.
Wi-Fi Networks. Associate an iOS or Android user with a Wi-Fi Network and define the wireless network
credentials to push out to the user’s device.
NotifyMDM Version 3.x
Managing Smart Devices and Users  41
*Mail Servers and Exchange Servers have two options that can be enabled/disabled to govern how the mail
account can be used by an iOS user. If they are set when the resource is created, however, they cannot be
changed at the user level.

Allow Move – When disabled, this option prevents an iOS device user from moving messages from
corporate mail account folders to folders associated with other mailbox accounts. For example, a user
could not move a message from the corporate mail account Inbox to a folder as sociated with his or
her personal mail account.

Use Only in Mail – When enabled, this option prevents an iOS device user from setting the corporate
mail account as the default. The corporate mail account can then only be used in conjunction with the
device’s Mail application.
This prevents messages created outside of the device’s native Mail application from being sent from
the corporate account. For example, if the user sends a photo from the device Photo application, it is
not be sent from the corporate mail account; nor can the user send an attached contact file from the
device’s Contacts application using the corporate mail account.
Corporate Resources: Servers, Networks, etc.
1.
To assign resources, expand the Corporate Resources option on the left panel of the Device Profile.
Click the type of resource you want to assign.
2.
Select a resource from the grid and enter any required user information or credentials.
Sample iOS Resource Assignment
NotifyMDM Version 3.x
Managing Smart Devices and Users  42
Corporate Resources: Managed Apps
Assigning Managed Apps to a Device
1.
To make an app assignment to an individual device, expand the Corporate Resources option on the
left panel of the Device Profile. Select Managed Apps.
2.
Use the Assign Managed Apps button to make an app assignment at the user level.
3.
A pop-up grid appears listing all apps available for the user’s device type. Check boxes for apps that
have already been assigned to the user via an LDAP Group/Folder or Local Group will be grayed out
and cannot be edited. An administrator can check any box that is not grayed out to make a new app
assignment for the user. Subsequently, the administrator can remove any assignment made at the
user level (check boxes not grayed out).
Assign apps that have not already b een assigned
4.
Remove only the apps assigned at the user level
Click Update Resources when you have finished making a selection from the grid.
Assignments made at the user level are not affected by changes in app assignments associated with LDAP
Groups/Folders or Local Groups.
NotifyMDM Version 3.x
Managing Smart Devices and Users  43
The App Grids: Policies that Control Application Reporting and Management
Expand the Corporate Resources option on the left panel of the Device Profile and select Managed Apps to
view the lists of applications on the device. For Android, BlackBerry, and iOS devices, you can view Managed
Apps and/or Installed Apps.
Certain policies must be enabled in order for app information to be reported in the grids.
ANDROID POLICIES
A policy rule must be enabled in the policy suite to which the user belongs in order for an Android devic e to
send application lists.
In the Audit Tracking > General category of each policy suite, enable one of the following policy rules:

Record Installed Applications – to require devices to send data usage statistics for all apps on the
device.

Record Managed Applications – to require devices to send app information for only managed apps.
Turning this off will disable Managed App functionality for Android devices.
IOS P OLICIES
Two policy rules must be enabled in the policy suite to which the user belongs in order for an iOS device to
send application lists and for the administrator to be able to manage the apps from the server.
The Record installed applications and Allow app management policy rules are located in the iOS
Devices: Applications category of each policy suite. Changes to these access rights will require iOS device
users to reload a new APN profile.
NotifyMDM Version 3.x
Managing Smart Devices and Users  44
The App Grids: Managed Apps
The Managed Apps grid lists all applications available to an Android or iOS user.
When administrators add applications to the Android or iOS managed app list, a user can access the list on
the device and conveniently install apps from the list. If the policy suite also has the Allow app management
policy enabled, an administrator can install, reinstall, or uninstall an app on the user’s device, using the option
buttons below the Managed Apps grid. Administrators can also remove, from an iOS device, an invalid
Redemption Code for a Volume Purchase Program (VPP) app.
For Android devices, any app can be managed.
For iOS devices, a managed app is one that has been installed on the device through MDM by either an
administrator, the user, or by a forced push of the application. Applications that are not installed through MDM
appear on the Installed Apps list and cannot be managed. If the server detects that an app published as
managed is already installed on the device as unmanaged, it issues a command that changes the app’s state
from unmanaged to managed. This happens automatically on supervised devices without input from the user.
On unsupervised devices, users must acknowledge the change if it involves a non-VPP app.
IOS MANAGED APPS GRID
Information in the iOS Managed Apps Grid
Status
The most common status messages include:

Managed – Indicates that the app is installed on the device

Not Installed via MDM –
o
Indicates that the app is available through NotifyMDM, but is not
required and has not been installed by NotifyMDM.
OR
o
Indicates the app was installed prior to the device being enrolled with
MDM or prior to the app being designated as a managed app. MDM
is not able to manage it unless the user removes the app and
then re-installs it through MDM.

Managed, b ut Uninstalled – Indicates an app that is not installed; possibly
because it was removed by the user or is not required.
Other status messages give additional information about apps on the device.
Rejection Reason
NotifyMDM Version 3.x
If the app is not installed, look here to see if installation of the app was attempted and
why it was rejected.
Managing Smart Devices and Users  45
Remove with MDM
Whether this app is removed, along with its data, if the MDM profile is removed.
Prevent Backup
Whether the user is prevented from backing up this app via iTunes.
Redemption Code
The redemption code associated with a Volume Purchase Program (VPP) app.
Has Configuration
Whether the app has a server-provided configuration.
Has Feedback
Whether the configured app has feedback for the server.
Timestamp
Last update of the app’s status.
Install App button
Issues a command that prompts the user to install the app.
Reinstall App button
Issues a command that prompts the user to reinstall the app.
Uninstall App button
Issues a command that prompts the user to uninstall the app. The Force Push option
should be disabled first, so that the app does not get pushed back to the de vice after the
user uninstalls it.
Remove Redemption
Code button
Remove an unused redemption code so that it can be reused. A redemption code is
sent with volume purchase apps, however, if it is not, it can be reclaimed in this way.
Request
Config/Feedback
button
If an app in the Managed Apps list has a server-provided configuration or feedback, click
this button to request information about whether the app received the configuration file.
View
Config/Feedback
button
Links to the Logs tab so that you can view the information the app received via the
configuration file and any available feedback information.
NotifyMDM Version 3.x
Managing Smart Devices and Users  46
ANDROID MANAGED APPS GRID
Information in the Android Managed Apps Grid
Status
Status messages include:
 Not Installed – Application is not installed
 Pending Install – Server has issued an install command for the app
 Attempting Install – Server has sent the install command to the device
 Managed – Application is installed and managed
 Pending Uninstall – Server has issued an uninstall command for the app
 Attempting Uninstall – Server has sent the uninstall command to the device
Remove with MDM
Whether this app is removed, along with its data, if the MDM profile is removed.
Required
Whether the application is one that has been Force Pushed to the device.
Timestamp
Date and time of the last update of the app’s status.
Last Attempted
Install
Date and time of the last attempted installation of the app.
Last Attempted
Uninstall
Date and time of the last attempted removal of the app.
Install App button
Issues a command that prompts the user to install the app.
Reinstall App button
Issues a command that prompts the user to reinstall the app.
Uninstall App button
Issues a command that prompts the user to uninstall the app. The Force Push option
should be disabled first, so that the app does not get pushed back to the device after
the user uninstalls it.
NotifyMDM Version 3.x
Managing Smart Devices and Users  47
The App Grids: Installed Apps
For iOS, the Installed Apps grid lists all non-system applications that have been installed on a device.
For Android, the Installed Apps grid lists all non-system and system applications that have been installed on a
device.

An iOS device will only report its applications if the Record Installed Applications policy rule is
enabled on the policy suite with which the user is associated.

An Android device will only report its applications if the Record Installed Application and Record
Managed Applications policy rules are enabled on the policy suite with which the user is associated.
The Installed Apps grid is updated each time the device connects with the server.
IOS I NSTALLED APPS GRID
ANDROID INSTALLED APPS GRID
NotifyMDM Version 3.x
Managing Smart Devices and Users  48
Device Summary
Select All Devices Summary from the Device Profile panel to see a list of the devices the user has enrolled.
The columns displayed in the grid can be rearranged and the data can be exported to a .CSV or .XLS file.
NotifyMDM Version 3.x
Managing Smart Devices and Users  49
Local Groups
Local Groups are groups created on the NotifyMDM server for the purpose of categorizing users. Users with
similar roles, functions, hierarchical levels, etc. can be assigned the same policy suite, device connection
schedule, and liability through their group membership.
The functionality of Local Groups is similar to that of LDAP Folders/Groups. Organizations that utilize an
LDAP server can leverage LDAP information and the LDAP folder and group structure to provision categories
of NotifyMDM users. Groups created locally on the NotifyMDM server give similar functionality to
organizations that do not use an LDAP server. See the Organization Configuration Guide for information
LDAP Folders/Groups.
A user may belong to multiple groups. The groups can be prioritized to determine the order in which the
settings are inherited. See Prioritizing Groups below,
NotifyMDM Version 3.x
Local Groups  50
Managing Local Groups
Add or edit local groups from the dashboard’s Organization Management view.
Select Organization Management > Organization Control > Local Groups. Use this page to:

add groups

assign group membership

configure a group with Policy Suite, Device Connection Schedule, and Liability settings

prioritize groups (necessary only when users belong to multiple groups)

change group membership or a group name

remove a group
NotifyMDM Version 3.x
Local Groups  51
Add a Group and Assign Users
1.
To add a group and assign
users to it, click the Add Group
button.
2.
Enter a name for the group.
3.
Select user names from the List
of available users on the left.
Click the right arrow to move
your selections to the List of
assigned users.
4.
Click the Add Group button.
Edit a Group Name or Change Group Membership
1.
To edit the name of a group or
change the members of the
group, click the Edit Group
button.
2.
Edit the name of the group if
necessary or change the group
members by using the arrows to
move users to/from the
available and assigned user
columns.
3.
Click the Update Group button.
Changes to a user’s group
association will update the
user’s policy suite, connection
schedule, and liability settings
accordingly.
NotifyMDM Version 3.x
Local Groups  52
Prioritizing Groups
A user may belong to multiple groups. The groups can be prioritized to determine the order of inheritance.
The group with the highest priority will determine the user’s policy suite, device connection schedule, and
liability settings.
A user’s assignments can be pulled from several sources. The sources are consulted in t he following order:
1.
Direct assignments applied to the user’s record by an administrator (Group updates do not affect
these assignments.)
2.
The group(s) to which the user belongs – the user’s highest priority group is consulted first
3.
Organization defaults
Note: If a user is a member of an LDAP group as well as a local group, local group assignments will take
precedence over LDAP group assignments.
A Prioritization Example
John belongs to the SalesTeam group and the Management group. The Management group has a higher
priority, thus any policy suite, device connection schedule, or liability, setting associated with the Management
group will be assigned to John. If any of these assignments are not defined for the Management group, John
will get assignments from those defined for the SalesTeam group. If an assignment is not defined in either of
the groups, it can then be pulled from the organization defaults. An administrator can also override all these
prioritized assignments by manually making direct assignments to John’s record.
NotifyMDM Version 3.x
Local Groups  53
Configure the Group Settings
1.
Select a group from the grid.
2.
Below the grid, select the settings for the group: Policy Suite(s), Device Connection Schedule,
Liability, and NotifyWork space assignments.
You can view the Whitelist/Blacklist permissions associated with a policy suite by clicking the symbol
next to the Policy Suite field.
3.
Click Save Changes.
4.
Use the Reset All button if you need to clear all the settings.
Standard Policy Enforcement
Schedule-Based Policy Enforcement
NotifyMDM Version 3.x
Local Groups  54
Remove a Group
1.
To remove a group, select a group from the
grid and click the Remove Group button.
2.
At the confirmation prompt, click Yes.
NotifyMDM Version 3.x
Local Groups  55
Application Management
Application Management is located in the
Organization Management view of the
dashboard.
The Manage Categories option allows you to
create application categories so that apps can be
grouped and assigned in bundles to LDAP
groups/folders or local groups.
The Managed Apps option gives you the ability to
make available to users a list of recommended
applications. Android and iOS applications can
be designated as mandatory so that users are
automatically prompted to install them. In
addition, Android and iOS apps can be assigned
to the LDAP groups/folders or local groups to
which users belong.
Whitelists/Blacklists gives you the ability to
restrict a user based on the applications he or
she has installed on the device. Users’ access to
email, shared files, app lists, or other
organization resources can be blocked when
they are not in compliance with restrictions.
NotifyMDM Version 3.x
Application Management  56
Application Categories
Managed Android and iOS applications can be grouped into categories so that multipl e apps can be assigned
in bundles to LDAP groups/folders or local groups.
You can create your own categories or use the categories in the Manage Categories grid. The existing
categories in the grid reflect categories used by App Stores. They can be removed from the list, but not
edited. You can sort the list by clicking on either of the column headings.
Creating, Editing, or Removing Categories
From the dashboard, navigate to Organization Management > Application Management > Manage
Categories. A list of categories displays. The list initially consists of App Store Categories, however, you can
create additional ones. You can edit the categories that you create, but the App Store categories cannot be
edited. Click on the column headers to sort the list of categories.

Add a category: Enter a name that describes a group of applications in the Category Name field.
Click Add.

Edit a category name: Select a category that you created (App Store category names cannot be
edited) and click Edit. Type a revised category name in the text box and click OK.

Remove a category: Select a category and click Remove. Confirm the removal.
Associating an Application with a Category
You can associate an Android or iOS app with a category when you add the app to your managed app l ist.
When adding an iOS application, you can apply the categories used by iTunes or you can choose the
category(ies) yourself.
Choosing a Category for an Android App
Choosing a Category for an iOS App
NotifyMDM Version 3.x
Application Management  57
View Managed Apps by Category
The Managed Apps grid can be sorted by application categories.
From the dashboard, navigate to Organization Management > Application Management > Managed
Apps.
From the View drop-down, select Category to view the managed apps by their associated categories. Since
an app can be assigned to multiple categories, some apps may be listed under more than one category.
Assigning a Category to LDAP Groups/Folders or Local Groups
You can assign a category of applications to all members of an LDAP group/folder or local group.
1.
From the dashboard, navigate to Organization Management > Application Management >
Manage Categories.
2.
From the Manage Categories grid, select a category to assign to groups.
3.
Click the Assign to Groups/Folders button on the action bar at the top of the page.
4.
From the App Categories drop-down, select a category to assign.
5.
If you are assigning a category to an LDAP group or folder, select a server from the LDAP Server
drop-down.
NotifyMDM Version 3.x
Application Management  58
6.
In the table, select the LDAP Groups, LDAP Folders, or Local Groups tab.
7.
In the group list, locate the group to which you are assigning the category and mark the check box.
You must make this selection for corporate device and personal device users separately.
8.
Click Save Assignment before you assign another category.
Click Save Assignment & Close when you are finished.
NotifyMDM Version 3.x
Application Management  59
Managed Apps
Managed Apps enables the administrator to create a recommended list of applications to be made available
to users with devices that have installed a NotifyMDM device application. This includes Android, Black Berry
4.5-7.1, and iOS.
When an administrator creates an app list for each supported device platform, users can access the
recommended applications from the NotifyMDM device agent. For Android and iOS users, the managed apps
list can be customized by grouping users via an LDAP group/folder or local group and specifying which apps
will appear on the group’s list.
Enforced application management is supported for the Android and iOS device platforms. Administrators
can force push Android and iOS applications on the Managed App list to devices. Users are automatically
prompted to install the required applications.

For iOS devices, MDM functionality makes it possible to add and enforce free App Store apps,
enterprise apps, and apps that have been pre-purchased through the Apple Volume Purchase
Program (VPP).

For Android devices, MDM functionality makes it possible to add and enforce free Google Play Store
apps and enterprise apps.
If Managed Apps are accessed by users in different countries or regions, read this Knowledge Base article.
Accessing Managed Apps on a Device
Users can access the recommended applications from the NotifyMDM device agent:

Android users select Managed Apps from the NotifyMDM main screen.

BlackBerry (with NotifySync) users select Managed Apps from the NotifySync pop-up menu.

iOS device users select the Managed Apps icon from the NotifyMDM main screen.
In this section you will find information on:
Adding and Managing Apps for Android Devices
Kiosk Mode Apps
Adding and Managing Apps for iOS Devices
Adding Managed Apps for BlackBerry Devices
NotifyMDM Version 3.x
Application Management  60
Adding and Managing Apps for Android Devices
Basic Android application management functionality includes:

Installing/reinstalling/uninstalling apps at the user level

Force pushing an app so that all users associated with an LDAP group/folder or local group are
automatically prompted to install

Adding Enterprise (in-house) apps to the list
In this section:
Permission for Managed Android Apps
Adding Google Play Store Apps
Adding an Android Enterprise App
Updating Android Apps
Assigning Android Apps to LDAP Groups/Folders or Local Groups
Android Kiosk Mode Apps
Permission for Managed Android Apps
The following policy suite rule must be enabled for Managed Android App functionality.
Select Organization Management > Policy Management > Policy Suites > (select policy suite).
Choose the policy suite category Audit Tracking and verify that the following option is enabled:

Record managed applications – required for Force Push and administrator-initiated app
installations.
NotifyMDM Version 3.x
Application Management  61
Adding Google Play Store Apps
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select Android from the left panel, then click Add Managed App.
3.
Choose Google Play Store as the Method
to add the app.
4.
Enter the App Name, Version, and
Description for the app. What you enter
displays on the device.
5.
Enter the Play Store URL in the Link to
App field.
6.
Browse your image files at the Icon File
field and select an icon to associate with
the application.
7.
Select Remove With MDM if you want the
app to be deleted from the device when the
MDM configuration profile is removed.
8.
Enter the Download Limit if you want to
track downloads of a managed app
purchased in bulk. Users can no longer
download the app once the limit has been
reached.
Download Limit and Download Count are
shown in the Managed Apps grid and a
compliance alert can be set for when
availability is low.
9.
If you want to assign the app to an
application category, click the Add button
next to the Categories field. Mark check
boxes to assign categories. Click Submit.
10. Click Add Android App to add the App to
the Android Managed App list.
Adding an Android Enterprise App
An enterprise (or in-house) app is one that has been created by an organization using Android API
development tools.
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select Android from the left panel, then click Add Managed App.
3.
Choose File or Link as the Method to add
the app. Apps can be added as a link to the
download page where the user can obtain
the app, or as an actual app file that the
NotifyMDM Version 3.x
Application Management  62
user can install.
4.
Enter the App Name, Version, and
Description for the app. What you enter
displays on the device.
5.
For Link s, provide a URL for the application
in the Link to App field.
For Files, browse to select an .apk file at
the App File field.
6.
Enter the Package Name for the app. This
is the unique identifier associated with the
app. It must be accurate.
Note: When Force Push is on, NotifyMDM
uses this to verify whether the app is
installed on the device. If entered
incorrectly, it will try to verify by comparing
the value in the App Name field with the
actual application name sent from the
device. If Force Push fails to verify that the
app is installed, the user will be continually
prompted to install.
7.
Browse your image files at the Icon File field and select an icon to associate with the application.
8.
Select Remove With MDM if you want the app to be deleted from the device when the MDM
configuration profile is removed.
9.
Enter the Download Limit if you want to track downloads of a managed app purchased in bulk.
Users can no longer download the app once the limit has been reached.
Download Limit and Download Count are shown in the Managed Apps grid and a compliance
alert can be set for when availability is low.
10. If you want to assign the app to an application
category, click the Add button next to the
Categories field. Mark check boxes to assign
categories. Click Submit.
11. Click Add Android App to add the App to the
Android Managed App list.
NotifyMDM Version 3.x
Application Management  63
Updating Android Apps
Edit Android App Information
Select an app from the grid and click the Edit
Managed App button. Edit the original app
information and click Update Android App.
Update Android App Versions
Select an app from the grid and click the Update App on Devices button above the grid to push the latest
version of the app from Google Play Store to devices. Users will be prompted to update the app.
NotifyMDM Version 3.x
Application Management  64
Assigning Android Apps to Members of LDAP Groups/Folders or Local Groups
You can assign Android managed apps to all members of an LDAP group/folder or local group.
Note: You can also assign Android managed apps to individual user devices. See Corporate
Resources: Managed Apps.
To assign Android apps to all members of an LDAP group/folder or local group:
1.
From the Managed Apps data grid, select an app to assign to groups or use CTRL+click to select
multiple apps.
2.
Click the Assign to Groups/Folders button on the action bar at the top of the page.
3.
From the Managed App drop-down, select an app to assign or select All to assign all apps selected
from the Managed Apps data grid.
4.
If you are assigning apps to an LDAP group or folder, select a server from the LDAP Server dropdown.
5.
In the table, select the LDAP Groups, LDAP Folders, or Local Groups tab. You can search the
groups by entering a value in the search box and clicking the Search button. The group Name column
can be sorted by clicking the column header.
NotifyMDM Version 3.x
Application Management  65
6.
In the group list, locate the group to which you are assigning the app(s) and determine whether or not
the app(s) will be required on user devices.

Check the Recommend box to make the app(s) available to users in this group.
Or check the Recommend box in the header to make the app(s) available to users in all
groups.

Check the Force box to force push the app(s) to devices. Users will be required to install the
app(s). Checking this box will automatically mark the Recommend box as well.
Or check the Force box in the header to force push the app(s) to devices of all groups.
You must make this selection for corporate device and personal device users separately.
7.
Click Save Assignment before you make assignments for another group.
Click Save Assignment & Close when you are finished.
Android Kiosk Mode Apps
Kiosk Mode provides a way for administrators to specify a single application to which KNOX (Samsung SAFE)
devices will be locked. The device returns to the specified app upon wake or reboot and blocks device
features that permit navigation and task management.
There can only be one kiosk app named at a time. Since device navigation buttons are disabled, the kiosk
app should be one that is completely navigable from within the app.
To Define a Kiosk Mode App
1.
Add the app to the Android Managed Apps list. It must contain a Pack age Name. Select
Organization Management > Application Management > Managed Apps.
2.
From the dashboard, select Organization Management > Policy Management > Policy Suites.
3.
From the panel, select Samsung KNOX Device Policies.
4.
Select an app by clicking the blue plus symbol.
NotifyMDM Version 3.x
Application Management  66
5.
Select an app from the pop-up and click the Update Assignment button.
The App name and Pack age name will populate the Kiosk Mode fields.
To Remove the Kiosk Mode App
1.
From the dashboard, select Organization Management > Policy Management > Policy Suites.
2.
From the panel, select Samsung KNOX Device Policies.
3.
Select an app by clicking the red x symbol.
4.
Click Yes to confirm the deletion of the Kiosk Mode app.
NotifyMDM Version 3.x
Application Management  67
Adding and Managing Apps for iOS Devices
Apple MDM functionality makes it possible for an administrator to manage the iOS applications in the
Managed App list.
Management functionality includes:

Installing/reinstalling/uninstalling apps at the user level

Force pushing an app so that all users associated with a policy are automatically prompted to install

Adding Enterprise (in-house) apps to the list

Managing redemption codes associated with volume-purchased App Store applications.
In this section:
Permissions for iOS Managed Apps
Volume Purchase Program Apps
Adding iOS App Store Apps
Managing Volume Purchase Program Licenses
Adding an iOS Enterprise App
Managing Volume Purchase Program
Redemption Codes
Assigning Apps to Individual Users
Assigning iOS Apps to LDAP Groups/Folders or
Local Groups
Web Clips
Configuration File Management
Updating iOS Apps
NotifyMDM Version 3.x
Application Management  68
Permissions for iOS Managed Apps
Several policy suite rules must be enabled for Managed iOS App functionality.
Select Organization Management > Policy Management > Policy Suites > (select policy suite).
1.
2.
Choose the policy suite category iOS Devices > Applications and enable the following option:

Allow app management – required for Force Push and administrator-initiated app
installations.

Allow managed applications installation – required for Force Push and administratorinitiated app installations.

Allow iTunes – required for Force Push and administrator-initiated App Store app
installations.
If you want to use a Configuration File to configure a third party iOS application, verify that the
following policy is enabled
Select Organization Management > Policy Management > Policy Suites > (select policy suite) >
iOS Devices > Management. Enable:

Allow Management of Settings
NotifyMDM Version 3.x
Application Management  69
Adding iOS App Store Apps
If Managed Apps are available to users in different countries or regions, read this Knowledge Base article.
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select iOS from the left panel, then click Add Managed App.
3.
Choose App Store as the mobile app Type.
4.
Choose Search iTunes or Input Manually as the Method by which to add the app.
If searching iTunes, enter a string
to search on and the region in
which the app is available. Select
iPad Only if you need to search
exclusively for iPad applications,
then click Search.
If adding the app manually,
enter an App Name, Version,
and Description for the app.
What you enter is displayed on
the device in the managed app
list.
Enter the App Store URL.
(The app URL can be obtained
on iTunes by clicking the dropdown arrow below the app icon
and selecting Copy Link .)
At the Icon File field, browse
your image files and select an
icon to associate with the
application. This also displays
on the device in the managed
app list.
NotifyMDM Version 3.x
Application Management  70
5.
Select Remove With MDM if you want the app to be deleted from the device when the MDM
configuration profile is removed.
6.
Select Prevent Backup if you want a user to be able to save the app via iTunes.
7.
Enter the Download Limit if you want to track downloads of a managed app purchased in bulk.
Users can no longer download the app once the limit has been reached.
Download Limit and Download Count are shown in the Managed Apps grid and a compliance
alert can be set for when availability or VPP licenses/redemption codes are low.
8.
If you want to assign the app to an application category, click the Add button next to the
Categories field.
If you want the app to inherit the categories
in which it is found in iTunes, select Yes at
the iTunes Category prompt and the
categories will be pre-selected for you.
Select No to mark the categories yourself.
9.
Click Add iOS App to add the App to the iOS Managed App list.
Adding an iOS Enterprise App
An enterprise (or in-house) app is one that has been created by an organization using development tools
available through the Apple Developer Enterprise Program (iDEP).
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select iOS from the left panel, then click Add Managed App.
3.
Choose Enterprise App as the mobile app Type.
4.
Fill out the required fields of information, based on the location of the enterprise app.
Location of the Enterprise App
Manifest File Field
App File Field
Other Required Fields
Manifest and app files are on the
NotifyMDM server
Select Upload File
Upload the appropriate
.plist file
Select Upload File
Upload the
appropriate .ipa file
Description
The Manifest file is on the
NotifyMDM server and the app file is
contained within the manifest.
Select Upload File
Upload the appropriate
.plist file
Select Read from
Manifest
Description, Icon File
Manifest and app files are hosted
remotely
Select Provide URL
Enter the Manifest URL
Not Applicable
App Name, Version,
Description, Icon File
NotifyMDM Version 3.x
Application Management  71
5.
If an Icon File is required, browse your
image files to select an icon to associate
with the application.
6.
Select Remove With MDM if you want
the app to be deleted from the device
when the MDM configuration profile is
removed.
7.
Select Prevent Backup if you want a
user to be able to save the app via
iTunes.
8.
Enter the Download Limit if you want to
track downloads of a managed app
purchased in bulk. Users can no longer
download the app once the limit has
been reached.
Download Limit and Download Count are
shown in the Managed Apps grid and a
compliance alert can be set for when
availability or VPP licenses/redemption
codes are low.
9.
If you want to assign the app to an
application category, click the Add button
next to the Categories field. Mark the
check boxes to assign categories. Click
Submit.
10. Click Add iOS App to add the App to the
iOS Managed App list.
NotifyMDM Version 3.x
Application Management  72
Assigning iOS Apps to Individual Users
Assign apps to an individual at the user level. From the
dashboard, navigate to Smart Devices and Users > (select
a user) > Device Profile > Corporate Resources > Managed
App. Click the Assign Managed Apps button.
Assigning iOS Apps to Members of LDAP Groups/Folders or Local Groups
You can assign iOS managed apps to all members of an LDAP group/folder or local group.
To assign iOS apps to all membe rs of an LDAP group/folder or local group:
1.
From the Managed Apps data grid, select an app to assign to groups or use CTRL+click to select
multiple apps.
2.
Click the Assign to Groups/Folders button on the action bar at the top of the page.
3.
From the Managed App drop-down, select an app to assign or select All to assign all apps selected
from the Managed Apps data grid.
4.
If you are assigning apps to an LDAP group or folder, select a server from the LDAP Server dropdown.
NotifyMDM Version 3.x
Application Management  73
5.
In the table, select the LDAP Groups, LDAP Folders, or Local Groups tab. You can search the
groups by entering a value in the search box and clicking the Search button. The group Name column
can be sorted by clicking the column header.
6.
In the group list, locate the group to which you are assigning the app(s) and determine whether or not
the app(s) will be required on user devices.

Check the Recommend box to make the app(s) available to users in this group.
Or check the Recommend box in the header to make the app(s) available to users in all
groups.

Check the Force box to force push the app(s) to devices. Users will be required to install the
app(s). Checking this box will automatically mark the Recommend box as well.
Or check the Force box in the header to force push the app(s) to devices of all groups.
You must make this selection for corporate device and personal device users separately.
7.
Click Save Assignment before you make assignments for another group.
Click Save Assignment & Close when you are finished.
NotifyMDM Version 3.x
Application Management  74
Updating iOS Apps
Edit iOS App Information
Select an app from the grid and click the Edit
Managed App button. Edit the original app
information and click Update iOS App.
Update iOS App Versions
Select an app from the grid and click the Update App on Devices button above the grid to push the latest
version of the app from the App Store to devices. Users will be prompted to update the app.
NotifyMDM Version 3.x
Application Management  75
Volume Purchase Program Apps
Apple’s Volume Purchase Program (VPP), available in over 25 countries/regions, enables organizations to
purchase applications in bulk. NotifyMDM provides an efficient way to distribute and manage those
applications.
Enroll in the Apple VPP at:
https://deploy.apple.com
Other helpful VPP websites:
http://www.apple.com/business/vpp/
http://www.apple.com/education/it/vpp/
Once you are enrolled in the program, Apple will issue your organization a VPP token. When this token is
uploaded to the NotifyMDM server, all apps associated with the token populate the Managed Apps data grid
and users with a qualifying device (running iOS 7.0.3 or higher) who have been assigned the apps, receive an
invitation to join the Volume Purchase Program. Once the invitation has been accepted, the application(s) are
pushed out to the device.
VPP apps have a status of Yes in the VPP column on the Managed Apps grid (Organization Management >
Application Management > Managed Apps). The grid also displays the number of Available Licenses for each
app.
VPP Token Upload
An APNs certificate must be uploaded on the Organization Settings page before managing the VPP token.
The VPP token will be deleted if the APNs certificate is removed.
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select iOS from the left panel, then click the Upload button beside VPP Token.
NotifyMDM Version 3.x
Application Management  76
3.
Assuming you have already signed in to Apple’s web portal and downloaded your VPP token,
click Browse to navigate to the location where the token is stored and select it.
4.
Enter an E-mail address for communications about your VPP account.
5.
Click Submit. Apps associated with the token are retrieved from the Apple server and the
Managed Apps grid will begin to populate. Qualifying users are invited to join the VPP.
6.
The VPP Settings appear after the token has been uploaded.
a.
Configure NotifyMDM to poll the App Store for version updates to the VPP apps at a set
interval. Enter a value in hours at Check for Updates Every:
b.
If you want devices to be automatically updated when a new version is available for any
VPP app, enable Auto Update All VPP Apps on Devices.
If you leave this disabled, you can use the Auto Update on Devices button, located
under VPP App Settings, to automatically update individual apps.
NotifyMDM Version 3.x
Application Management  77
Managing the VPP Token
Upload/Edit
Click the Upload button to
upload the VPP token issued
by Apple. Apps associated
with the token are retrieved
from the Apple server and
qualifying users are invited to
join the VPP.
Click Edit to upload a new
token or edit/add the E-mail
address associated with the
VPP account.
Remove
Removes the token from the
server. Apps remain intact in
the Managed Apps grid and
on user devices. License
count and automatic
discovery of apps, however,
no longer function.
Sync Now
Initiates a connection with
the Apple server to retrieve
the latest information about
apps associated with the
VPP token. An automatic
check is done each time the
token is uploaded or edited
and each time the Managed
Apps grid (iOS section) is
accessed.
Invite
Users
Resends the invitation to join
VPP to all qualifying users
(iOS 7.0.3 or higher) that
have not yet enrolled.
Once a user accepts the
VPP invitation, the
application will be pushed
out to the device.
Note: From the User/Device
Grid, you can invite an
individual user. Select the
user, then, on the left panel,
click Send VPP Invitation.
NotifyMDM Version 3.x
On the User/Device Grid, check the VPP Association Status
column to determine the status of the user’s association with
the program: New (not yet invited), Invited (invitation sent, but
not yet accepted), or Associated (user enrolled in the
program).
Application Management  78
Managing Volume Purchase Program Licenses
VPP licenses are supported for iOS devices operating on version 7.0.3 or higher. VPP redemption codes can
still be used for devices with older iOS versions. (Users running iOS versions less than 7.0.3 will consume
one redemption code when assigned a VPP app.)
VPP apps can be differentiated from other apps on the Managed Apps grid by the available licenses listed for
the app and by looking at the app’s status (Yes) in the column labeled VPP.
VPP App Licenses can be Reclaimed and Reused. While the user has the app, one license seat is
occupied. When VPP app assignments are removed from the user device (given it is the last iOS 7.0.3+
device associated with the user), they are also removed from the user’s iTunes account and the VPP app
license is reclaimed for reuse. This is the advantage of the VPP license model over the VPP redem ption code
model.
Note: Licenses will not show as reclaimed on the NotifyMDM server until the information has been
processed and reported by the Apple server.
Note: The Application Ratings policy must be configured so that users can install VPP apps without
having to enter their Apple ID credentials. From the Policy Suite, navigate to iOS Devices > Ratings
> Application Ratings and select Allow All.
To View VPP License Counts:
1.
Select the app and click Manage Volume
Purchase.
2.
Select the View Licenses tab.
The number of Licenses Purchased and
Licenses Available are displayed. Users to which
the licenses have been assigned are listed in the
grid.
Note: Changes in the license count
information will not show until the information
has been processed and reported by the
Apple server.
To Synchronize VPP Applications:
The MDM server automatically connects to the Apple server to retrieve the list of licenses associated with the
VPP token when: a VPP token is added to the MDM server, a VPP token is edited, and each time you access
the iOS section of Managed Apps.
You can also initiate this synchronization by clicking the Sync Now button under the VPP Settings section.
A message pops up on the screen while the retrieval is in progress:
NotifyMDM Version 3.x
Application Management  79
Managing Volume Purchase Program Redemption Codes
For applications obtained through the Volume Purchase Program that carry redemption codes, add the
redemption codes to the server. There is one redemption code for every copy of the app purchased.
Apple’s Volume Purchase Program is available in over 25 countries/regions. Redemption codes are different
for each country, so you must add multiple sets of codes if you have purchased apps for users in more than
one country.
When assigned a VPP app, users with devices running iOS versions less than 7.0.3 will consume one
redemption code. Users running iOS 7.0.3 or higher will occupy a VPP app license.
To Add Redemption Codes:
1.
Add the app to the iOS Managed App list.
2.
Select the app, and click Manage Volume Purchase.
3.
Select the Add Redemption Codes tab.
4.
Select Manual or XLS
(for XLS proceed to step 6).
If you are entering each code
individually, choose Manual.
Enter each code on a new line.
5.
Click the Add Redemption Codes
button.
6.
Select XLS if you are entering multiple
codes from a spreadsheet.
Browse to select the .xls file containing
the redemption codes. The number of
codes detected in the file displays.
There are volume purchase details at
the top of the spreadsheet. Specify the
column and row where the actual
redemption codes begin.
7.
Click the Add Redemption Codes
button.
NotifyMDM Version 3.x
Application Management  80
To View or Remove Redemption Codes:
1.
Select an app from the iOS Managed
App list, and then click Manage Volume
Purchase.
2.
Select the View Redemption Codes
tab.
3.
Choose to view either the Unused or
Redeemed codes.
4.
You can remove unused redemption
codes from the list if necessary. Select
one or more codes and click the
Removed Selected button or click
Remove All to delete all unused codes
from the list.
NotifyMDM Version 3.x
Application Management  81
Web Clips
Managed Apps can be pushed to iOS devices via a web c lip. A web clip icon appears next to the NotifyMDM
application on the device Home screen. Users access the recommended app list when they tap the icon.
Required apps do not appear on the list.
Note: Users can also access the managed app list by opening the NotifyMDM application and tapping
the Apps icon at the bottom of the screen. This list will include both required and recommended
apps.
Web Clip Label
Label which appears bellows the web clip icon on users’ devices.
Web Clip Icon
Browse to select your own icon for the web clip.
Removable
Determines whether or not users will be permitted to remove the icon.
Use Pre-composed Icon
Use the pre-composed web clip icon (NotifyMDM logo) instead of selecting your own.
Launch in Full Screen
Determines whether the Managed App list will launch in full screen mode.
Push Web Clip to Devices
This must be enabled in order to push the web clip to devices. The web clip is only
pushed to users who have been assigned recommended apps.
NotifyMDM Version 3.x
Application Management  82
Configuration File Management
Format
If you are using a Configuration File to configure a third party app, the file should follow the general format
displayed here:
General Format
<dict>
Example
<dict>
<key>key1</key>
<string>value1</string>
<key>key2</key>
<string>value2</string>
</dict>
<key>username</key>
<string>username</string>
<key>password</key>
<string>password</string>
</dict>
Since tags and values will be specific to each app, you should contact the app developer for a suitable file.
Applying the Configuration File
If you are using a configuration file to configure a third party iOS app, select an app from the Managed Apps
grid and click the Manage Configuration File button on the action bar at the top of the page.
Click the Browse button and select your configuration file.
NotifyMDM Version 3.x
Application Management  83
Adding Managed Apps for BlackBerry Devices
1.
Select Organization Management > Application Management > Managed Apps.
2.
Select BlackBerry from the left panel, then click Add Managed App.
Add Apps for BlackBerry
3.
Enter the Name, Version, and Description for the app. What you enter displays on the device.
4.
Browse your image files in the Icon File field to associate an icon with the application. This also
displays on the device.
5.
Provide the application store URL in the Link to App field.
6.
Click the Add BlackBerry App button.
In the dashboard, there is an app list grid for each device type. Select the device type from the left panel to
view the list to which the app was added.
You can select an individual app from a grid and click the Edit Managed App or Remove Managed App
button to edit or delete an app.
NotifyMDM Version 3.x
Application Management  84
Assigning BlackBerry Apps to Members of LDAP Groups/Folders or Local Groups
You can assign BlackBerry managed apps to all members of an LDAP group/folder or local group.
1.
From the Managed Apps data grid, select an app to assign to groups or use CTRL+click to select
multiple apps.
2.
Click the Assign to Groups/Folders button on the action bar at the top of the page.
3.
From the Managed App drop-down, select an app to assign or select All to assign all apps selected
from the Managed Apps data grid.
4.
If you are assigning apps to an LDAP group or folder, select a server from the LDAP Server dropdown.
5.
In the table, select the LDAP Groups, LDAP Folders, or Local Groups tab.
NotifyMDM Version 3.x
Application Management  85
6.
In the group list, locate the group to which you are assigning the app(s) and determine whether the
app(s) will be recommended for Corporate or Individual owned devices or both.
7.
Click Save Assignment before you make assignments for another group.
Click Save Assignment & Close when you are finished.
Whitelists/Blacklists
Blacklists enable the administrator to create a list of character strings that filter blacklisted applications on
Android and iOS devices. When one or more blacklisted applications are installed on a device, a user’s
access to email, shared files, app lists, or other organization resources can be blocked. You will specify these
restrictions using the Compliance Manager.
Whitelists enable the administrator to create a list of strings that filter applications on Android and iOS
devices. When one or more applications are installed on a device that are not on the whitelist a user’s access
to email, shared files, app lists, or other organization resources can be blocked. You will specify these
restrictions using the Compliance Manager.
Applications that are added to the Managed Apps list are automatically skipped when checking for Whitelist
compliance.
Android KNOX Devices. On Android KNOX devices, Blacklist/Whitelist restrictions will prevent apps that do not meet the
criteria from being installed on the device.
On Android KNOX Workspace devices, Blacklist/Whitelist restrictions will prevent apps that do not meet the criteria from
being installed in the Workspace container. Workspace devices require KNOX v2.0.
Apps installed on a device, prior to restrictions being applied, cannot be restricted.
So that they are informed about which apps should not be installed, users can view the blacklist and whitelist
filters via the NotifyMDM app on their device or the Self-Administration portals.
Add Strings to the Blacklist/Whitelist
First, create the list of strings. Select Organization Management > Application Management >
Whitelists/Blacklists > Blacklists or Whitelists.
Choose to add a filter string that will match against App Names or App Identifiers. App Identifier is the ID
the application’s developer has assigned to the app.
Choose containing or exactly matching from the drop-down list, then enter a string and click the Add button.
Note: An exact match of the app identifier must be provided for apps to be restricted on Android
KNOX compatible devices.
NotifyMDM Version 3.x
Application Management  86
Add iOS Apps to the Blacklist/Whitelist via an iTunes Search
You can also select iOS apps for the list by searching and selecting from iTunes. Click the Add by iTunes
Search button. Enter a string to search on and the region in which the app is available. Select iPad Only if
you need to search exclusively for iPad applications, then click Search. Apps added in this way are matched
against their App Identifier.
Activating a Blacklist or Whitelist
Blacklists or Whitelists will not affect users until the Restricted App Permissions and the Blacklist or Whitelist
Compliance Restriction option have been enabled.
Enable the Whitelists/Blacklists Permissions. Once the list is created, enable the Black list Permissions in
the policy suite(s). Select Organization Management > Policy Management > Policy Suites > (expand a policy
suite) > Whitelists/Blacklists Permissions. Enable either the Blacklist or Whitelist permissions. You cannot
enable the Blacklist and Whitelist simultaneously.
Note: When you enable either the blacklist or the whitelist permission, the Record installed
applications option (under the policy suite category Audit Track ing) is automatically enabled. This
option must remain enabled in order to monitor application usage.
NotifyMDM Version 3.x
Application Management  87
Enable the Blacklist or Whitelist Restriction Compliance Option. Set the blacklist restrictions using the
Compliance Manager. Select Organization Management > Compliance Manager > Access Restrictions >
Restriction Options. Under Access Restrictions, enable the Restrict when Blacklist App detected option or
the Restrict when non-Whitelist App detected and select the restrictions.
or
NotifyMDM Version 3.x
Application Management  88
Corporate Resource Management
Corporate Resources refer to servers, networks, and other resources which are available to iOS and
Android users. They include resources such as, LDAP and mail servers, Wi-Fi and VPN networks,
Provisioning Profiles, Subscribed Calendars, or Web Clips.
Use the resource tools in the dashboard’s Organization Management view to define credentials for the
server and network resources. Then use the resources in the Device Profile to associate iOS or Android
device users with a resource and configure user account settings to push out to devices.
You can also make resource assignments to members of LDAP groups or folders from these options. User
credentials are obtained from the LDAP server, thus saving the administrator from having to make resource
assignments per individual user.
Android devices currently support only VPN and Wi-Fi Network resources.
Android Corporate Resources
iOS Corporate Resources
NotifyMDM Version 3.x
Corporate Resource Management  89
Assigning Corporate Resources to Users
Corporate resources can be assigned to individual devices through the Device Profile. See Corporate
Resource Assignments.
You can also assign corporate resources via an LDAP group or folder. Choose the resources for a group or
folder. Users are then assigned resources based on their LDAP group/folder associati on. This can be
accomplished from the User/Device Grid or from the resource management pages.
iOS Resource Expiration (iOS 6+ devices)
Any iOS resource (with the exception of SCEP Servers) can be configured to expire on a given date or after
an interval of time. A user whose iOS 6+ device has been assigned the resource can access it only until it
expires.

Date expirations occur at the beginning of the designated day (12:00 a.m.).

Interval expirations occur at the end of the day (11:59 p.m.) after the interval has elapsed. For
example, a resource available for 5 days will expire at 11:59 p.m. on the fifth day.
If you update the expiration of a resource and save the changes, you can choose to reload the existing
installed resources, which will reset the expiration date on devices.
Connection Testing
Use the Test Now button on the server screens to test the general connectivity of the server after you initially
add it or if you suspect there is a connection problem. These servers are accessed by devices, not the
NotifyMDM server, so these tests merely verify that the server has a port open to authorized users.
Server
Tests:
Credentials entered for the test
Mail Servers
-General connectivity;
-Accessibility by an authorized user
User name and Password of an active user on
the mail server
Exchange
Servers
-General connectivity;
-Accessibility by an authorized user;
-Autodiscover
A set of active user credentials in the format
required by the Exchange server.
LDAP Servers
-General connectivity;
-Accessibility by an authorized user
User name and Password of an active user on
the LDAP server
SCEP Servers
-General connectivity
None
CalDAV Servers
-General connectivity;
-Accessibility by an authorized user
User name, Password, and Principal Address of
an active user on the CalDAV server
CardDAV Servers
-General connectivity;
-Accessibility by an authorized user
User name, Password, and Principal Address of
an active user on the CardDAV server
Subscribed
Calendars
-General connectivity;
-Accessibility by an authorized user
User name and Password of an active user of
Subscribed Calendars
NotifyMDM Version 3.x
Corporate Resource Management  90
Resource Configurations
You can define the following servers, networks, and other resources:
Resource
Access Point
Names (APN)
Description
Supporting
Devices
The Access Point Name identifies the external cellular network a phone accesses
for data. When you configure a new APN, you must have the correct settings for
the carrier and type of account provisioning. Incorrect settings can result in a loss
of functionality or additional charges.
iOS
Reasons you may need to assign a new APN:
 The APN settings are incorrect and user is getting error messages.
 You are assigning a different carrier’s APN to a user with an unlocked phone.
 A user is traveling outside of the wireless provider's service area and needs a
different APN to avoid data roaming charges.
CalDAV Servers
Define your corporate CalDAV servers. Then associate a user with the server and
configure calendar account settings to push out to the user’s device.
CardDAV Servers
Define your corporate CardDAV servers. Then associate a user with the server and
configure contact account settings to push out to the user’s device.
Exchange Servers
Define your corporate Exchange server or server utilizing the Exchange
ActiveSync protocol servers. Then associate a user with the server and configure
ActiveSync account settings to push out to the user’s device.
LDAP Servers
Define your corporate LDAP servers. Then associate a user with the server and
configure LDAP settings to push out to the device so the user can access
corporate directory information via the device.
iOS
iOS
iOS
iOS
LDAP searches can be added to limit the number of users pulled from the LDAP
server. Specify the Base DN and s earch scope, so that only users belonging to a
specified group are queried.
Mail Servers
Define your corporate mail servers. Then associate a user with the server and
configure email account settings to push out to the user’s device.
Provisioning
Profiles
Define and upload provisioning profiles that enable iOS device users to install in house iOS apps. You can push out a provisioning profile to individual users or
check Apply to Organization to assign to all iOS device users in the organization.
SCEP Servers
Define your Simple Certificate Enrollment Protocol (SCEP) servers. Then
associate a user with a SCEP server in order to issue digital certificates to
devices using an automatic enrollment technique. This provides a method
of delivering encrypted configuration profiles to iOS devices. See also
SCEP Servers.
SSO Configurations
Define the Single Sign On configuration. From the Device Profile page,
assign the configuration to a user so that it is pushed to the device during
enrollment.
iOS
iOS
iOS
iOS
Single Sign On (SSO) is a session/user authentication process that
permits a user to enter one name and password in order to access
multiple applications. The process authenticates the user for all the
applications they have been given rights to and eliminates further prompts
when they switch applications during a particular session.
Subscribed
Calendars
Define the subscribed calendars you want to push out to iOS devices. These are
read-only calendars that use the iCalendar (.ics) format. Calendars are obtained
from calendar-based services that support calendar subscriptions, including iCloud,
Yahoo, Google, and the Mac OS x iCal application.
NotifyMDM Version 3.x
iOS
Corporate Resource Management  91
VPNs (Android)
Android
(OS 4.0+)
Define your VPN networks.
Instruct users to download and install the third party app, available through the
Google Play Store (or add to your Managed Apps list), required for the VPN
connection type. Then associate a user with the VPN network and define the
wireless network credentials to push out to the user’s device.
Supported connection types are:

Cisco AnyConnect

F5 SSL
Note: Users installing Cisco AnyConnect should enable External Control in the
app’s settings prior to receiving a VPN assignment from the NotifyMDM server.
If enabled after the assignment is sent, they must use the VPN Settings in the
NotifyMDM settings to establish the connection.
VPNs (iOS)
iOS
Define your VPN networks.
Instruct users to download and install the third party app, available through the App
Store or iTunes (or add to your Managed Apps list), required for the VPN
connection type. Then associate a user with the VPN network and define the
wireless network credentials to push out to the user’s device.
Supported connection types are:

IPSec (Cisco)

Cisco AnyConnect

Juniper SSL

F5 SSL

SonicWALL Mobile Connect

Aruba VIA

Checkpoint Mobile VPN

OpenVPN
Note: IPSec does not require a device application.
Web Clips
Define shortcuts to a specific web application or web page that can be pushed to
users’ device Home screen. When a user taps the web clip, the web browser
automatically launches and takes the user to that application or page.
Wi-Fi Networks
Define your Wi-Fi networks using various levels of security, including WEP, WPA,
and WPA2. Then associate a user with the Wi-Fi network and define the wireless
network credentials to push out to the user’s device. Enterprise certificate authority
certificates can be associated with these resources.
NotifyMDM Version 3.x
iOS
iOS,
Android
Corporate Resource Management  92
Configure Server Settings
The credentials for each server are defined using a wizard:
Mail Servers
Exchange Servers
LDAP Servers
CalDAV Servers
CardDAV Servers
-Email Server Type
-Exchange Server Name
-LDAP Display Name
-Display Name
-Display Name
-Account Name
-Exchange Server
Address
-LDAP Server
Address
-Server Address
-Server Address
-Server Port
-Server Port
-Exchange Port
-LDAP Port
-Use SSL
-Use SSL
-Use SSL
-Use SSL
-Expiration (iOS 6+)
-Expiration (iOS 6+)
-Use S/MIME
-LDAP Searches
-Allow Move
-Expiration (iOS 6+)
-Server Address
-Server Port
-Use SSL
-Allow Move
-Account Type
-IMAP Path Prefix
-Use Only in Mail
-Authentication Type
-Allow Recent Address
Syncing (iOS 6+)
-Expiration (iOS 6+)
-Expiration (iOS 6+)
Sample Add New Server Wizard
Mail Servers and Exchange Servers have settings that can be enabled/disabled to govern how the mail
account can be used by an iOS user. If they are set when the resource is created, they cannot be changed at
the user level.

Allow Move – When disabled, this option prevents an iOS device user from moving messages from
corporate mail account folders to folders associated with other mailbox accounts. For example, a user
could not move a message from the corporate mail account Inbox to a folder associated with his or
her personal mail account.

Use Only in Mail – When enabled, this option prevents an iOS device user from setting the corporate
mail account as the default. The corporate mail account can then only be used in conjunction with the
device’s Mail application.
This prevents messages created outside of the device’s native Mail application from being sent from
the corporate account. For example, if the user sends a photo from the device Photo application, it is
not sent from the corporate mail account; nor can the user send an attached contact file from the
device’s Contacts application using the corporate mail account.
NotifyMDM Version 3.x
Corporate Resource Management  93

Allow Recent Address Syncing (iOS 6+) – When enabled, recently used email addresses are
stored on the device. They will then appear in a selection list if the user begins to type the address in
a subsequent email.
Configure Network Settings
The credentials for each network are defined using a wizard:
Wi-Fi Networks
(iOS)
-Resource Name
-SSID
VPNs (iOS)
-EAP-FAST
Settings vary based on
connection type
Wi-Fi Networks
(Android)
-Resource Name
-Allow Trust
Exceptions
-Display Name
-SSID
-Connection Type
-Hidden Network
-User Authentication
-Security Type
-Remote Address
-WPA/WPA2 Password
-Proxy Type
-WEP Key
-Expiration (iOS 6+)
-EAP Method
-Auto Join
-Inner Identity
-Hidden Network
-Proxy Type
-Security Type
-Proxy Address, Port,
Username,
Password
-Password
-Password Per
Connection
-Accepted EAP
Types
-Expiration (iOS 6+)
-Phase2 Authentication
-Certificate Authority
-Certificate Authority
-Certificate Template
-Certificate Template
VPNs
(Android 4.0+)
Cisco AnyConnect,
or F5 SSL
-Display Name
-Connection Type
-Remote Address
Sample Add New Network Wizard
NotifyMDM Version 3.x
Corporate Resource Management  94
Configure Other Resources
Access Point
Names
-Access Point Name
-Proxy
Provisioning Profiles
SSO Configurations
-Display Name
-Name
-Provisioning Profile
-Apply to Organization
-Proxy Port
-Expiration (iOS 6+)
-Expiration (iOS 6+)
-Realm
-URL Prefix Matches
-App Identifier Matches
-Expiration (iOS 6+)
Subscribed
Calendars
Web Clips
-Label
-Display Name
-Host Name
-URL
-Icon
-Use SSL
-Removable
-Expiration (iOS
6+)
-Use Precomposed Icon
-Launch in Full Screen
-Expiration (iOS 6+)
Provisioning Profile
Access Point Name Wizard
Sub scrib ed Calendar Wizard
Web Clip Wizard
NotifyMDM Version 3.x
Corporate Resource Management  95
SSO Configuration
NotifyMDM Version 3.x
Corporate Resource Management  96
Assigning Resources to LDAP Groups and Folders
When the Administrative LDAP server is fully configured, corporate resources can be assigned to users via
the LDAP group or folder to which they belong. User credentials are obtained from the LDAP server, thus
saving the administrator from having to make resource assignments per individual user.
You can also assign resources directly from the User/Device Grid. See Assigning Resources to LDAP
Groups/Folders from the Grid.
Note: These methods cannot be used to assign the SCEP server resource to users, because of the
unique challenge code required for each user.
From the Organization Management view, select a resource from the Android or iOS Corporate Resource
drop-down menu option. Click the option, Assign to LDAP Groups/Folders.
1.
Select an LDAP Server from the drop-down list.
2.
Some resources have an option to Use
credentials from the LDAP Server.

Keep the option checked to use credentials
from LDAP.

Disable this option and enter the user
authentication token(s) necessary for your
Enterprise setup. Acceptable entries may
include {domain}, {username}, or
{emailaddress} or a combination of tokens
such as, {domain}\{username}.

Disable this option to assign a resource to a
group email address, then enter the shared
User Name or shared User Name and Email
Address. The assignment is made to that
mail account only.
3.
Click the Groups or Folders tab and navigate
through the LDAP directory to select the groups
of folders to which you will assign the resource.
4.
Click the Update Assignments button.
NotifyMDM Version 3.x
Corporate Resource Management  97
Assigning Resources to Local Groups
Several resources can be assigned to users via the local group to which they belong. For network resources
(Wi-Fi networks and VPNs), user credentials are obtained from the NotifyMDM server, thus saving the
administrator from having to make resource assignments per individual user.
The following resources can be assigned to local groups:

Android Wi-Fi

iOS Wi-Fi

iOS VPNs

iOS Web Clips
To Assign Android or iOS Wi-Fi Resources
Note: Wi-Fi network resources that have an enterprise security type cannot be assigned to a local
group.
1.
From the Organization Management view, select the Wi-Fi resource from the either the Android or
iOS Corporate Resource option. Click the option, Assign to Local Groups.
2.
Click to select a local group from the Available
column.
3.
Click the right arrow to move that group to the
Assigned column. Groups in this column will be
assigned the resource.
4.
Click the Update Assignments button.
NotifyMDM Version 3.x
Corporate Resource Management  98
To Assign iOS VPN or iOS Web Clip Resources
1.
From the Organization Management view, select the VPN or Web Clips resource from the iOS
Corporate Resource option. Click the option, Assign to Groups/Folders.
2.
If you are assigning a VPNs, check the box
to Use credentials from the MDM server
or enter an individual user in the User
Name field.
3.
Select the Local Groups tab.
4.
Check the box beside each group to which
you are assigning the resource.
5.
Click Save Assignment & Close.
NotifyMDM Version 3.x
Corporate Resource Management  99
Simple Certificate Enrollment Protocol (SCEP) Servers
What is SCEP?
Simple Certificate Enrollment Protocol (SCEP) is a PKI communication protocol allowing administrators to
securely issue certificates to large numbers of devices using an automatic enrollment technique. Devices
must be SCEP-enabled and pre-registered to certification authority (CA) domain before they can request
certificates. Devices use this protocol to send a certificate request to the CA.
Benefits of a SCEP Server in your Environment
A SCEP server provides a way for you to deliver encrypted configuration profiles to iOS devices in your
network. The encryption of the configuration profile is unique for each device. Only the device to which it is
sent can read it. This provides another layer of security, in addition to SSL encryption, for sensitive corporate
information included in iOS profiles. SCEP is supported only on Enterprise or Datacenter versions of Windows
2008, 2008 R2, or 2012. One of these versions must be used on the SCEP server.
SCEP Limitations
SCEP offers a convenient and efficient method of issuing authentication certificates to users and devices;
however, there are limitations inherent to the overall SCEP model. The NotifyMDM server delivers the SCEP
challenge and SCEP server address to the device securely using an iOS profile. Although the SCEP
challenge can only be used one time, the SCEP challenge does not uniquely identify the user/device for
which it was intended and NotifyMDM has no means to control what is done with the information once it is
received by the device. If it is compromised, the challenge can be used even though it was only intended to
be used by the device user, because the SCEP server accepts the challenge with no user authentication.
SCEP was originally designed for use in a completely internal environment, but with external devices
connecting to an external SCEP server to obtain a certificate there are potential inroads.
If you use NotifyMDM to deliver challenge passwords to devices, ensure that the level of trust given to these
certificates is appropriate.
If SCEP limitations pose too great a risk, you should deploy client authentication certificates directly from the
NotifyMDM server. Each user is issued a unique certificate that can only be obtained by using NotifyMDM
credentials.
SCEP Servers and the NotifyMDM System
When there is a SCEP server in an environment where NotifyMDM has been implemented, administrators
can use NotifyMDM to efficiently provide digital certificates to users with iOS devices. The process is
automated and requires very little user input.
Administrators can define the SCEP servers via the Organization Management view and then associate a
user with the SCEP server and configure settings that allow devices to enroll automatically.
The initial configuration profile that the user accepts contains the address of the SCEP server. The device
connects with both the NotifyMDM and SCEP servers to complete several configuration steps:
 The device loads the SCEP profile from NotifyMDM.
 The device obtains a certificate from the SCEP server.
 The device obtains a uniquely encrypted configuration profile from NotifyMDM, which can be read
exclusively by the device.
NotifyMDM Version 3.x
Corporate Resource Management  100
Define a SCEP Server
From the dashboard, select Organization Management > iOS Corporate Resources > SCEP Servers.
Click the Add New SCEP Server tab and fill in the server credentials to define a server.
Display Name (required)
Name identifying the SCEP server.
SCEP Name (required)
Common Name of the Certificate Authority
URL (required)
The base URL of the SCEP server. Must be accessible from the device
browser. The server portion of the address may need to be changed to
either the internal IP (Wi-Fi) or the external server address (cellular) in
order for SCEP to work.
Subject
The CommonName (CN) and Organization (O) that you used when setting
up the SCEP.
EX: CN=iPhoneSCEP,O=YourCompany
Use Subject Alternative Name
Determines whether an alternative name is used.
Subject Alternative Name Type
Select the type of subject name alternative from the drop-down: RFC-822
Name, DNS Name, or Uniform Resource Identifier
Subject Alternative Name
Supply the alternate name for the SCEP server. Valid entries are an email
address (RFC-822), the DNS name of the server, or the server’s fullyqualified URL.
NT Principal Name
NT principal to be used in the request.
Key Size in Bits
The size of the key to be used: 1024 or 2048.
Use as Digital Signature
Select the box to use the key as a digital signature.
Use for Key Encipherment
Select the box if the certificate uses a protocol that encrypts keys.
Fingerprint
Hex string to be used as a fingerprint. Can be left blank.
Now, use the Corporate Resource option in the Device Profile to associate users with a SCEP server.
NotifyMDM Version 3.x
Corporate Resource Management  101
Associating a User with a SCEP Server
From the dashboard, select the Smart Devices and Users view and select a user to view his or her profile.
Expand the menu under the user’s device and select Corporate Resources. Choose the SCEP Server option
and click Assign New SCEP Server.
Select a SCEP server for the user from the drop-down list.
To obtain a challenge password, browse to the SCEP URL. Enter the authentication credentials (by default
Integrated Windows Authentication). Copy the Enrollment Challenge Password and paste it into the
Challenge field.
NotifyMDM Version 3.x
Corporate Resource Management  102
Tracking Data Usage
NotifyMDM can be configured to track usage of carrier data plans and assign data plan limits to users sharing
a data plan. The NotifyMDM application gathers data usage statistics from the device and sends it to the
server. Based on settings defined in the data plan assigned to the user, a notification alerting the user about
the usage limit can be sent to the device when the data usage threshold has been reached.
Other features of the NotifyMDM data plan tracking system include:

Reallocation of available data when a device is removed from a shared plan.

Data usage report of each device in the data plan to assist administrators in choosing the correct plan
for users.

Alerts when tampering of data usage metrics is detected along with a subsequent compliance
restriction.

Assigned data plan and statistics visible from the Devices Grid.

Graphic display of data usage statistics for the user through the NotifyMDM app and the User SelfAdministration Portals.
Define a Data Plan
Define the data plans that have been procured by your organization for devices. After a data plan has been
defined you can assign it to devices for usage tracking.
To Add a Data Plan:
1.
From the dashboard, navigate to Organization Management > Organization Control > Data Plans.
2.
Click the Add Data Plan button located in the action bar.
3.
Enter an identifying Name for the data plan.
NotifyMDM Version 3.x
Tracking Data Usage  103
4.
Enter the data limit in the Total Data in Plan (MB) field. The default is 1000 MB.
5.
Enter additional information about the plan:
6.
Quota Reset Day of the
Month
The day on which the data plan is reset each month. The
default is the 15th day of the month.
Plan Type
Choose Domestic, International, Unknown, Domestic Roaming,
International Roaming
Carrier
Select a carrier from the drop-down list.
Shared Plan
Check this box if the data plan is shared by multiple users. If
the plan is not shared, it can be associated with only one user.
Warn at Usage Limit (%)
When data usage reaches this percentage of the total limit, an
alert is sent to the device(s) and an email is sent to the email
address designated to receive alerts. The default is 80%. Email
address and message content can be defined once the plan is
added.
Alert Increments (%)
Once the warning usage limit has been reached, alerts will be
sent as usage percentage increases at increment designated
here. The default is 10%, i.e. if an alert is initially sent at 80%, it
repeats at 90% and 100% usage.
Alert Devices
Check this box if you want devices, in addition to an
administrator, alerted when data usage reaches a percentage
of the total limit.
Click Add to save the data plan entry.
NotifyMDM Version 3.x
Tracking Data Usage  104
7.
Once the plan has been added, you can designate the following:

Email address to which alerts are sent.

Subject for the email sent.

Content for the email message.

Content for the notification sent to the device(s).
NotifyMDM Version 3.x
Tracking Data Usage  105
Assigning Devices to a Data Plan
Once a data plan has been defined, you can add a device (or devices for shared plans). On shared plans,
when no specific limits are assigned, devices can consume any amount of data.
Adding a device or removing a device can be done from the Data Plan page or from the Device Profile.
Adding or changing limits must be done from the Data Plan page.
Assign Devices to a Data Plan
1.
From the dashboard, navigate to Organization Management > Organization Control > Data Plans.
2.
Click the Assign Devices to a Data Plan button located in the action bar.
3.
Add devices to the Available Devices column.

Add a batch of devices using a .CSV file (2 columns labeled and listed in this order: Phone
Number, IMEI)

Add a single device manually – enter the device phone number

Search for an available device on the NotifyMDM Device Grid – enter a string of characters
from the username, phone number, or IMEI number associated with the device
NotifyMDM Version 3.x
Tracking Data Usage  106
4.
Select one or more devices from the Available Devices column (CTRL+Click or SHIFT+Click for
multiple device selection) and click the right arrow to move them to the Assigned Devices column.
5.
Click Next to allocate data usage limits.
6.
Select an allocation type:
a.
No specific limits – devices sharing a plan have no specific limits assigned to them and can
consume any amount of data up to the plan total
b.
Equally distributed data – the data is equally distributed among all devices sharing the plan
7.
Click Finish to save the data plan assignment.
8.
The devices associated with the plan will display in a grid on the Data Plan main page.
NotifyMDM Version 3.x
Tracking Data Usage  107
Remove Devices from a Data Plan
When a device with allocated limits is removed from a shared plan, the data allocated to the removed device
is evenly distributed among the remaining devices. The device’s unused data for the current billing cycle is
distributed immediately and the full allocated amount is distributed evenly in subsequent billing cycles.
Devices can be manually removed from a plan via the Assigned Devices grid on the Data Plan page or from
the Device Profile. They are also automatically removed when a full or selective wipe is issued.
To Manually Remove a Device from a Data Plan:
1.
From the dashboard, navigate to Organization Management > Organization Control > Data Plans.
2.
Select a data plan from the left panel.
3.
Select a device from the grid at the bottom of the page and click the Remove button.
4.
Click Yes to confirm the removal.
NotifyMDM Version 3.x
Tracking Data Usage  108
File Share
File Share enables the administrator to create a directory of folders and files to be made available to users
with devices that have installed a NotifyMDM device app. This includes Android, BlackBerry 4.5-7.1, and iOS
devices.
The first step is to create folders and add files to them. Each folder can be enable or disabled via the policy
suites.
Next, enable the permissions in the policy suite. The file directories are not available to users until you enable
the File Share Permissions for each folder you add to the list.
The user can then access the files from the NotifyMDM application on the device.

Android users select File Share from the NotifyMDM main screen.

BlackBerry 4.5-7.1 device users select Files from the NotifyMDM / NotifySync pop-up menu.

iOS device users select the Files icon from the NotifyMDM main screen.
Add Folders and Files to the Directory
To manage the file directory, select Organization Management. From the drop-down menu, select
Organization Control > File Share.
Add Folders
The parent folder for the directory is named, File
Share Folders by default. You can add subfolders to
this parent folder to categorize the files you add.
1.
In the left panel, highlight the parent folder to
which you are adding a subfolder.
2.
Click the Add Folder button.
3.
Enter a name for the new folder.
4.
Click Create Folder.
NotifyMDM Version 3.x
File Share  109
You can edit a folder label by highlighting a folder
and clicking the Change Folder Name button.
If you want, highlight the new folder and add a
description or notes about the purpose or content of
the folder.
Add Files
1.
In the left panel, highlight the folder to which
you are adding files.
2.
Click Add Files to Folder.
3.
A window for browsing and selecting a file
pops up. Select a file or files and click Open.
The Upload Status shows the number of files that
added successfully.
The addition of folders and files results in a directory tree. The tree is duplicated in the File Share
Permissions, where you can allow or disallow access folder by folder.
NotifyMDM Version 3.x
File Share  110
Enable the File Share Permissions
Make sure that you have enabled the File Share Permissions in the policy suites. From the NotifyMDM
dashboard, select Organization Management > Policy Management > Policy Suites > (select policy
suites) > File Share Permissions.
NotifyMDM Version 3.x
File Share  111
Group Notifications
Group Notifications gives the administrator the ability to select groups of users by criteria in order to send
them an email or a message notification pushed via APN/GCM services.
Administrators can also search sent group emails to view the message body and the date, time, subject and
who sender of the email (administrator login associated with the email).
Send Group Notifications
Administrators can send a notification to all or a selected group of iOS and/or Android devices via the
APN/GCM push services.
Google Cloud Messaging must be enabled and Android users must be running OS 4.0.4+ or have a Gmail
account registered on the device to receive messages.
Administrators can select a group of users with one or any combination of the following criteria:

Device Platform

Device Connection Schedule

Liability

ActiveSync Server

Ownership

Policy Suite
Notification messages are limited to 160 characters or less.
1.
To send a group notification, select Organization Management. From the drop-down menu,
select Organization Control > Group Notifications.
2.
Select Send Group Notifications from the left panel.
3.
Select the recipient criteria, compose your notification message (160 characters or less), and
click Send.
NotifyMDM Version 3.x
Group Notifications  112
NotifyMDM Version 3.x
Group Notifications  113
Send Group E-mail
Administrators can select a group of the organization’s users to email using one or any combination of the
following criteria:

Device Platform

Device Connection Schedule

Liability

ActiveSync Server

Ownership

Policy Suite
The sender can also elect to copy the organization contact and the organization administrators.
1.
To send a group email, select Organization Management. From the drop-down menu, select
Organization Control > Group Notifications.
2.
Select Send Group E-mail from the left panel.
3.
Select the recipient criteria, compose your e-mail, and click Send.
NotifyMDM Version 3.x
Group Notifications  114
Search Group E-mail
The administrator can search the Group E-mail log by date, subject, or text in the message body. Results of
the search are displayed in a list. Double-clicking on an email in the list reveals the message body and a list
of users who failed to receive the email.
1.
To search group email, select Organization Management. From the drop-down menu, select
Organization Control > Group Notifications.
2.
Select Search Group E-mails from the left panel.
3.
Select a range of dates and click Search.
NotifyMDM Version 3.x
Group Notifications  115
The Activity Monitor and Alerts
The NotifyMDM Activity Monitor provides snapshots of information regarding the wireless devices and users
in the enterprise network. Pie charts, bar graphs, and tables display statistics at a glance. In addition, the view
can be flipped to display a log of warnings and alerts.
The Activity Monitor is the default view for all logins; however, another view in the dashboard can be
designated as the default by editing the login credentials. (See System Management > Organization
Administrators)
The Activity Monitor always displays six graphs at a time.
You can choose which six to display from the following:
Configuration
Activation/De-Activation History
Bar chart showing the number of devices activated and
deactivated in the past seven days.
Active/Inactive Devices
Pie chart showing the percentage of active devices versus
disabled devices.
Devices by Carrier
Pie chart showing the percentage of devices using a particular
carrier.
Devices by Connection Schedule
Pie chart showing the percentage of devices operating under
each device connection schedule.
Devices by Domain
Pie chart showing the percentage of devices operating under a
particular domain.
Devices by Liability
Pie chart showing the percentage of devices designated as
corporate liable vs. individual liable. (Liability refers to ownership
of the data on the device.)
Devices By Ownership
Pie chart showing the percentage of devices owned by the
company vs. the percentage of devices personally owned by
individuals.
Devices by Plan Type
Pie chart showing the percentage of devices operating on an
international vs. a domestic plan type.
Devices by Policy Suite
Pie chart showing the percentage of devices operating under
each policy suite.
Connectivity
ActiveSync Authorization Failures
NotifyMDM Version 3.x
Pie chart showing the percentage of devices passing invalid
credentials for the ActiveSync accounts of known users to the
server.
The Activity Monitor and Alerts  116
ActiveSync Version
Pie chart showing the percentage of devices operating with
various ActiveSync protocol versions.
Device App Authorization Failures
Pie chart showing the percentage of devices passing invalid
credentials for the NotifyMDM account of known users to the
server.
Device App Language
Pie chart showing the percentage of devices by their language
setting.
Device App Version
Pie chart showing the percentage of devices by the version of
NotifyMDM app installed.
Statistics
Devices by Battery Level
Pie chart showing the percentage of devices that have battery
levels at 0-20%, 21-40%, 41-60%, 61-80%, or 81-100%.
Devices by Battery Status
Pie chart showing the percentage of devices in various statuses
of battery health: charging, not charging – battery health good,
etc.
Devices by Free Memory
Bar chart showing the number of devices with 0-20%, 21-40%,
41-60%, 61-80%, or 81-100% free memory.
Devices by Memory
Pie chart showing the percentage of devices that have memory
capacity of 256 MB, 512 MB, etc.
Devices by Network Type
Pie chart showing the percentage of devices operating under a
particular carrier network.
Devices by Platform > OS > Model
Pie chart showing the percentage of each device platform in use.
Click a Platform wedge to show platform by device operating
system version. Click an OS wedge to show operating system
version by model. Click the back arrow to return to the previous
view.
Devices by SD Card Free Memory
Bar chart showing the number of devices with 0-20%, 21-40%,
41-60%, 61-80%, or 81-100% free SD card memory.
Devices by SD Card Installed
Pie chart showing the percentage of devices with an SD card
installed versus those that do not have an SD card installed.
Devices by SD Card Memory
Pie chart showing the percentage of devices that have SD card
memory capacity of 256 MB, 512 MB, etc.
Devices by SIM Card
Removed/Changed
Pie chart showing the percentage of devices on which the SD
card has been changed or removed versus those that have had
no change in the SD card status.
Devices by Timezone
Pie chart showing the percentage of devices by the time zone in
which they are used.
Devices by TouchDown Registered
Pie chart showing the percentage of Android devices that have
registered the TouchDown app versus those that do not have
TouchDown.
Devices by Violation
Pie chart showing the percentage of devices that are restricted
versus those that are not restricted.
Jailbroken/Not Jailbroken
Pie chart showing the percentages of jailbroken devices vs. those
that are not jailbroken. This includes jailbroken iOS devices as
NotifyMDM Version 3.x
The Activity Monitor and Alerts  117
well as rooted Android devices.
Roaming/Not Roaming
Pie chart showing the percentages of roaming devices vs. those
that are not roaming.
Texts/Minutes Usage
Table listing top consumers in regard to text and minutes usage
in the last 30 days.
Trends
Trend of Changing Carriers
Line graph showing the number of users who have changed
carriers over a week’s time.
Trend of Changing Device Models
Line graph showing the number of users who have changed
device model’s over a week’s time.
Trend of Changing Ownership
Line graph showing the number of users whose device ownership
has changed over a week’s time.
Trend of Changing Platforms
Line graph showing the number of users who have changed
device platforms over a week’s time.
Select Graphs. Click the Choose Visible Charts button at the bottom left corner of the Activity Monitor screen.
Select the six graphs you want to display on the grid.
The graphs you select and the grid arrangement are maintained for your dashboard login credentials.
NotifyMDM Version 3.x
The Activity Monitor and Alerts  118
When making or hovering over a selection, a preview of the chart appears. The information in the preview
chart is sample data.
The Activity Monitor grid always displays six graphs. If fewer are chosen, the most recently deselected graphs
will display along with your choices. You cannot select more than six graphs. You mus t deselect a graph
before you can choose a different graph.
Click the Choose Visible Charts button when your selections are complete.
Chart Group Presets. You can choose a preset group of charts.
Connectivity displays . . .
Configuration displays . . .
Device Statistics displays . . .
Network Statistics displays . . .
ActiveSync Authorization
Failures
Devices by Connection
Schedule
Device by Free Memory
Devices by Netw ork Type
ActiveSync Version
Devices by Domain
Devices by SD Card Free Memory
Devices by Timezone
Device App Authorization
Failures
Devices by Liability
Devices by TouchDow n
Registered
Roaming/Not Roaming
Device App Language
Devices by Ow nership
Devices by Violation
Text/Minutes Usage
Device App Version
Devices by Policy Suite
Jailbroken/Not Jailbroken
Devices by SIM Card
Removed/Changed
Devices by Netw ork Type
Devices by Plan Type
Devices by Battery level
Devices by Carrier
NotifyMDM Version 3.x
The Activity Monitor and Alerts  119
Rearrange Panels. You can rearrange the panels in the view by selecting a block and dragging it and
dropping it where you prefer.
View Details. You can see detail of the statistics by mousing over a section of a graph or chart.
NotifyMDM Version 3.x
The Activity Monitor and Alerts  120
Zoom on a Panel. You can enlarge a panel to full view with full details by double-clicking it. Double-click on
the enlarged view to return to the Activity Monitor view.
Refresh the View. You can refresh the Activity Monitor view with the most recent data by selecting Get Most
Recent Data in the gray option bar.
NotifyMDM Version 3.x
The Activity Monitor and Alerts  121
Flip to the View Alerts Grid. You can flip the Activity Monitor view to a table of alerts listed by user. Select
View Alerts in the option bar. Select View Info Charts to return to the Activity Monitor view.
For an alert to trigger, Alert Settings in the Compliance Manager must be enabled. Alerts report violations of
device access restrictions. They also monitor and report on device resource levels, connectivity, and
administrator or user initiated events. For information on enabling the Alerts Settings, see Compliance
Manager: Managing Alert Settings.
The total number of alerts is displayed at the bottom of the grid. An icon in the top right corner of the
NotifyMDM dashboard gives the number of unread alerts in the grid. Unread alerts are display ed in red text.
Alerts that have been read are displayed in black text. Only unread alerts display when you select Hide Read
Alerts.
Search the Alert Grid. Search the View Alerts grid by:

Date Range

User Name

Keyword(s)

Priority
Snooze Alerts – You can select one or more alerts in the grid and click the Snooze Alerts button. This
temporarily stops the alert from repeating, at the set interval, until you have had an opportunity to investigate.
Choose to snooze for 1-60 Minutes, 1-24 Hours, or 1-60 Days.
Disable Alerts – You can select one or more alerts in the grid and click the Disable Alerts button. This
disables the Alert Setting. All alerts of this type cease to trigger. They no longer report on the View Alerts grid
and do not send email and SMS notifications to designated administrators.
NotifyMDM Version 3.x
The Activity Monitor and Alerts  122
User and Device Reports
The User and Device Reporting view provides statistical reports regarding devices, data usage, compliance
rules, and administrator roles.
The reports are as follows:
Device Reports
Compliance Reports

Devices by Liability

Access Restriction Violations

Devices by Network Type

Device Platform Restrictions by User

Device by OS Version and Model

Exceptions by User

Device by OS Version and Platform

Resource Restrictions by User

Devices by Platform

User by Exceptions

Devices by Platform and Model

Devices by Policy Suite

Organization Administrators

Data Usage by Data Plan

Organization Roles

System Administrators

System Roles
User Reports

Users by Carrier

Users by Ownership

Users by Expiration Date
iOS Resource Reports
Administrative Roles Reports
App Reports

App Assignment

App Statistics

Resource by Assignment

App Assigned to Users

Resource by Expiration Date

App Statistics by Category
NotifyMDM Version 3.x
User and Device Reports  123
Using the Reports
Sort Report Columns. Most reports are initially sorted by user email address (or administrator/role) within
each category mentioned in the report title. You can, however, click other column headings to change the
order of the users within each main category.
By clicking multiple column headings you can create a nested sort. For example: Device Platform (the main
category), sorted by Carrier Name (first sorting category), sorted by Phone Number (second sorting category).
Rearrange Report Columns. The columns can be rearranged by clicking and dragging a column heading to
a new position. Column width can be adjusted by clicking and dragging a column’s left dividing line at the
header position.
Export Report Data. Export data from the report to a Comma Separated Values (CSV) or Excel (XLS) file.
Choose the Export Format, then click the Export Report button to save the current report to a file.
NotifyMDM Version 3.x
User and Device Reports  124
Sample Reports
Sample Device/User Reports
Information included in most Device and User reports:

User Name

Device Model

AS Version

Email Address

Carrier Name

Policy Suite

Domain

Ownership

Device Connection Schedule

Phone Number

Liability

Activation Date

Device Platform

OS Version
The reports listed below also include discovered devices and display these addition columns: MDM Status
(Discovered/Enrolled) and ActiveSync Server Name.

Devices by OS Version and Model

Devices by OS Version and Platform

Devices by Platform and Model

Devices by Platform
The Data Usage by Data Plan report includes the following information:

Plan Name

Data Used (MB)

IMEI

Total Limit (MB)

Data Used (%)

Removed

User Name

Phone Number
NotifyMDM Version 3.x
User and Device Reports  125
Sample iOS Resource Report
Information included in iOS Resource reports:

Resource Name

Domain

User Name

Expiration Dates
Sample Compliance Report
Information included in Compliance reports:

User Name

Domain

Device (platform

Policy Suite
NotifyMDM Version 3.x
User and Device Reports  126
Sample Administrative Roles Report
Information included in Administrative Roles reports:

Administrator Name

Administrative Role Name

Permissions
NotifyMDM Version 3.x
User and Device Reports  127
Sample App Reports
Information included in the App Assignment report:

Name

Carrier Name

Policy Suite

Email Address

Ownership

Device Connection Schedule

Domain

Liability

Activation Date

Phone Number

OS Version

Container ID

Device Model

AS Version
Information included in the App Statistics report:
NotifyMDM Version 3.x

Name

Bundle ID

Download Count

App Store ID

Download Limit

Package Name

Categories

Available Redemption Codes

Version

Available Licenses

VPP
User and Device Reports  128
Information included in the App Assigned to Users report:

Name

Rejection Reas on

Version

Last Attempted Install

Status

Container ID

Required
Information included in the App Statistics By Category report:
NotifyMDM Version 3.x

Name

Bundle ID

Download Count

App Store ID

Download Limit

Package Name

Categories

Available Redemption Codes

Version

Available Licenses

VPP
User and Device Reports  129