Sophos Mobile Control Installation guide. Product version: 4

Author: Sylvia Butler

Product version: 4 Document date: May 2014

Contents

1 Introduction
2 The Sophos Mobile Control server
3 Set up Sophos Mobile Control
4 External EAS Proxy server
5 Running the Sophos Mobile Control Service as a limited user
6 Updating Sophos Mobile Control licenses
7 Updating Sophos Mobile Control
8 Apple Push Notification service
9 Technical support
10 Legal notices


1 Introduction

Sophos Mobile Control is a device management solution for mobile devices like smartphones and tablets. Sophos Mobile Control helps to keep corporate data safe by managing apps and security. The Sophos Mobile Control system consists of a server and a client component which communicate through data connections and text messages. The Sophos Mobile Control client is easily installed and managed with over-the-air setup and configuration through the Sophos Mobile Control web console. With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT efforts by allowing users to register their own devices and carry out other tasks without having to contact the helpdesk.

This guide describes:

■ How to request a trial license for evaluating Sophos Mobile Control (see Trial licenses (section 1.3))

■ How to carry out preparatory measures for the Sophos Mobile Control Server (see The Sophos Mobile Control server (section 2))

■ How to request an SSL certificate for Sophos Mobile Control with the SSL Certificate Wizard (see Request an SSL certificate for Sophos Mobile Control (section 3.1))

■ How to install and set up the Sophos Mobile Control server (see Set up Sophos Mobile Control (section 3))

■ How to install the external EAS Proxy server (see External EAS Proxy server (section 4))

■ How to run the Sophos Mobile Control Service as a limited user (see Running the Sophos Mobile Control Service as a limited user (section 5))

■ How to update Sophos Mobile Control (see Updating Sophos Mobile Control (section 7))

■ How to create and upload an APNs certificate (see Apple Push Notification service (section 8))

1.1 Access data

The access data for the system is saved in a database that can be extended later on. All steps have to be executed as an administrator of Microsoft Windows Server or as a user of the relevant group. The database user needs sysadmin rights.

1.2 Licenses

To use Sophos Mobile Control you need a valid license. After purchasing the software, you receive a license key. This license key must be available on the machine that you want to install Sophos Mobile Control Server on.

For updating licenses, the SMC License Wizard is available. For a description of the upgrade process, see Updating Sophos Mobile Control licenses (section 6).

1.3 Trial licenses

Sophos offers a free trial for Sophos Mobile Control. You can register for a free trial on the Sophos website: http://www.sophos.com/en-us/products/free-trials/mobile-control.aspx.

For installing and using Sophos Mobile Control for evaluation, you can obtain a trial license that comprises five users and is valid for 45 days. To make evaluation easy, you simply have to enter the email address used when registering during Sophos Mobile Control setup. For further information, see Install and set up the Sophos Mobile Control Server (section 3.2).

1.3.1 Upgrading trial licenses to full licenses

For upgrading trial licenses to full licenses the tool SMC License Update.exe is available. For a description of the upgrade process, see Updating Sophos Mobile Control licenses (section 6).


2 The Sophos Mobile Control server

The SMC server is a distributed system that consists of the following components:

■ JBoss

■ SQL database server. You can either use Microsoft SQL (MSSQL) or MySQL.

■ SMC server provided as Java-Enterprise-Archive inside JBoss

■ Directory Service

■ Redistributable package

The individual components communicate either through the database or through the J2EE-standard-designated interfaces. In this case, no further exchange files are necessary. The server scripts and property data must be configured and must work with single-server operation. If changes are necessary, the individual setting parameters have to be modified.

Note: The zipped server log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.

2.1 Install the operating system

One possible server operating system is Microsoft Windows Server 2008 R2. For installation, refer to the relevant documentation. In addition, you have to install the following packages manually:

■ Java JDK (including JRE) Version 7u45 or higher

■ Microsoft SQL Server
  Choose one of the following packages: Microsoft SQL 2008, Microsoft SQL 2008 R2, Microsoft SQL 2012, Microsoft SQL 2012 Express or MSQL

  OR

■ MySQL 5.5 with InnoDB support

If JDK is not contained in the installation package, you may have to download it.


2.2 Install the database server Microsoft SQL Server

We recommend Microsoft SQL Server 2012 Express Edition for Windows with installer. The following description shows the installation process for Microsoft SQL Server.

1. Execute the installer and select New SQL Server stand-alone installation or add features to an existing installation.

2. If any problems occur, the Setup Support Rules dialog is displayed. Here problems that might occur when you install SQL Server Setup support files are identified. If problems have occurred, make the necessary changes to solve them and click Next.

3. In the License Terms dialog, select I accept the license terms and click Next.

4. If any updates are available, the Product Updates dialog is displayed. If you select Include SQL Server product updates in this dialog, updates will be installed automatically after you click Next.

5. In the Feature Selection dialog, select Database Engine Service. If necessary, modify the installation directory.
   Note: If you have downloaded the setup including the management tools, the tools should also be installed. To do so, select Management Tools - Basic.
   Click Next.

6. In the Instance Configuration dialog, change the instance name, if necessary. Click Next.

7. In the Server Configuration dialog, select NT_AUTHORITY\System for SQL Server Database Engine and click Next.

8. In the Database Engine Configuration dialog, select Mixed Mode (SQL Server authentication and Windows authentication). Define a strong password for the system administrator account and click Next.

9. SQL Server 2012 R2 installation is now complete. In the Complete dialog, click Close to close the Setup wizard. You can also close the SQL Server Installation Center now.

10. Before Sophos Mobile Control can be installed, the TCP/IP Protocol for the SQL Server needs to be enabled and the TCP port needs to be set to 1433. Open the Start menu, select All Programs > Microsoft SQL Server 2012 R2 > Configuration Tools and click SQL Server Configuration Manager. In the SQL Server Configuration Manager, go to Protocols for SQLEXPRESS and double-click TCP/IP.

11. In the Protocol tab of the TCP/IP Properties dialog, set Enabled to Yes and click the IP Addresses tab.

12. In the IP Addresses tab of the TCP/IP Properties dialog, click TCP Dynamic Ports and make sure that the field is empty to disable this function. Now click TCP Port, enter 1433 and click OK to apply your settings.

13. For the new settings to take effect, the server needs to be restarted. Click SQL Server Services, right-click SQL Server (SQLEXPRESS) and select Restart.
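The settings from steps 10 to 13 can be checked from PowerShell before the Sophos Mobile Control installer is run. The script below is an added example, not part of the Sophos guide or product. The function names are hypothetical, and it assumes that the port was entered under the IPAll entry of the IP Addresses tab and that the instance is named SQLEXPRESS.

```powershell
# Added example (not vendor code). Audits the SQL Server TCP/IP settings from steps 10-13.
# Written for PowerShell 2.0 so that it also runs on Windows Server 2008 R2.

function Get-SqlTcpSettings {
    param([string]$InstanceName = 'SQLEXPRESS')

    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # Map the instance name to its instance ID (for example MSSQL11.SQLEXPRESS).
    $names = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop
    $instanceId = $names.$InstanceName
    if (-not $instanceId) { throw "SQL Server instance '$InstanceName' not found." }

    $tcpKey  = "$root\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    $enabled = [bool](Get-ItemProperty -Path $tcpKey -ErrorAction Stop).Enabled

    # One subkey per entry in the IP Addresses tab: IP1, IP2, ..., IPAll.
    Get-ChildItem -Path $tcpKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Entry           = $_.PSChildName
            ProtocolEnabled = $enabled
            TcpPort         = [string]$p.TcpPort
            TcpDynamicPorts = [string]$p.TcpDynamicPorts
        }
    }
}

function Test-SmcSqlTcpSettings {
    param([object[]]$Settings, [int]$ExpectedPort = 1433)

    $ipAll = @($Settings | Where-Object { $_.Entry -eq 'IPAll' })
    if ($ipAll.Count -ne 1) { return @('No IPAll entry found in the TCP/IP settings.') }
    $ipAll = $ipAll[0]

    $findings = @()
    if (-not $ipAll.ProtocolEnabled) {
        $findings += 'TCP/IP protocol is disabled (step 11: set Enabled to Yes).'
    }
    if ($ipAll.TcpDynamicPorts -ne '') {
        $findings += "TCP Dynamic Ports is '$($ipAll.TcpDynamicPorts)' (step 12: the field must be empty)."
    }
    if ($ipAll.TcpPort -ne [string]$ExpectedPort) {
        $findings += "TCP Port is '$($ipAll.TcpPort)' (step 12: enter $ExpectedPort)."
    }
    return $findings
}

function Test-TcpListener {
    param([string]$HostName = '127.0.0.1', [int]$Port = 1433, [int]$TimeoutMs = 2000)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Constructed sample: protocol still disabled and a dynamic port still set.
$sample = @(
    (New-Object PSObject -Property @{
        Entry = 'IPAll'; ProtocolEnabled = $false; TcpPort = ''; TcpDynamicPorts = '49172'
    })
)

try {
    $settings = @(Get-SqlTcpSettings -InstanceName 'SQLEXPRESS')
} catch {
    Write-Warning "$($_.Exception.Message) Using the constructed sample instead."
    $settings = $sample
}

$findings = @(Test-SmcSqlTcpSettings -Settings $settings)
if ($findings.Count -eq 0) {
    'Registry settings match steps 10-13.'
    # The new settings only take effect after the restart in step 13.
    if (-not (Test-TcpListener -Port 1433)) {
        'Nothing is listening on port 1433 yet: restart SQL Server (SQLEXPRESS).'
    }
} else {
    $findings
}
```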

2.3 Install Java JDK7

When you install Java JDK7 or 8, source code does not have to be installed. Install Java JRE in its complete version.

Note: When you update Sophos Mobile Control from an older version, you may need to update Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You also need to manually adjust the environment variables.

2.4 Install MySQL Server

To install MySQL Server by using MSI Windows installer for MySQL Community Server 5.5x:

1. Double-click the installer and install MySQL Server 5.5x. After the installation has been completed the MySQL Server Instance Configuration Wizard is started.

2. Follow the wizard steps and select the following options in the individual dialogs:
   a) Select Detailed Configuration.
   b) Select Server Machine.
   c) Select Multifunctional Database.
   d) Select the standard installation path.
   e) Select Decision Support (DSS)/OLAP.
   f) Make sure that Enable TCP/IP Networking is selected and port 3306 is selected in the Port Number field. Make sure that the Enable Strict Mode field is selected. Click Next.
   g) Select Best Support For Multilingualism.
   h) Select Install As Windows Service. Make sure that Launch the MySQL Server automatically is selected. Select Include Bin Directory in Windows PATH.
   i) Make sure that Modify Security Settings is selected and define a strong root password.
   j) Install the MySQL GUI Tools. Use Custom installation.
      Note: You do not have to install the Workbench Migration Toolkit.

3. Add the following line to the my.ini file: wait_timeout=86400.

4. Restart the MySQL service.


3 Set up Sophos Mobile Control

The key steps are:

■ Request an SSL Certificate

■ Execute the Sophos Mobile Control installer.

■ Carry out the configuration steps in the Sophos Mobile Control Configuration Wizard.

■ If you want to configure the EAS Proxy server separately, execute the Sophos Mobile Control EAS Proxy installer, see External EAS Proxy server (section 4).

■ As a super administrator create a customer (a tenant for which devices are managed) in the Sophos Mobile Control administration web console. For further information on this setup step, refer to the Sophos Mobile Control super administrator guide.

3.1 Request an SSL certificate for Sophos Mobile Control

For setting up Sophos Mobile Control, you need an SSL webserver certificate. In the setup process, you can select between creating a self-signed certificate and using a PKCS12 with certificate, private key and certificate chain. For further information, see Install and set up the Sophos Mobile Control Server (section 3.2).

Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your certificate for Sophos Mobile Control. You can download the wizard from MySophos.

Note: If you plan to manage Windows Phone 8 devices, you need to use an official SSL certificate. Otherwise you need to install the self-signed certificate manually on the devices.

To request your SSL certificate:

1. Start the SSL Certificate Wizard by double-clicking the file Sophos Mobile Control SSL Certificate Wizard.exe. The Certificate Wizard welcome dialog is displayed.

2. Click Next. The License Agreement dialog is displayed.

3. Click I Agree. The Create Certificate Signing Request dialog is displayed.

4. Enter the Server Name (FQDN), the Company, City, State and Country code (for example US or UK). These fields are mandatory.

5. Click Next. The Upload CSR dialog is displayed.

6. In this step, you upload the Certificate Signing Request to the Certificate Authority (CA) for signing. Follow the instructions in the dialog:
   a) Go to the website of your Certificate Authority and log in.
   b) Upload the file ServerCertificateSigningRequest.csr from the folder indicated on the Upload CSR dialog of the SSL Certificate Wizard.
      Note: If your certificate vendor supports copy and paste, you can open the .csr file with the Open CSR button in the Upload CSR dialog.
   c) Save the certificate issued by the CA in Base 64 format (*.pem, *.cer, *.crt) in the folder indicated in the Upload CSR dialog.
   d) Download the certificate chain and CA certificate of your certificate authority.
   e) Click Next in the Upload CSR dialog. The Import Certificate Files dialog is displayed.

7. In the Import Certificate Files dialog, you import the intermediate certificates file (depending on your CA vendor) and the downloaded CA certificate. You also need to define a password for the server certificate (PKCS12) that is to be created:
   a) In the Select intermediate certificates file field, browse for the intermediate certificate.
   b) In the Select CA certificate file field, browse for the downloaded CA certificate.
   c) In the Password for private key field, enter a password for the server certificate to be created. Confirm the password.
   d) Click Next. The Certificate created dialog is displayed.

8. In the Certificate created dialog, the location of the certificate created is shown. You can use it when setting up Sophos Mobile Control, see Install and set up the Sophos Mobile Control Server (section 3.2).
   Note: Create a backup of the folder containing the certificate files.
   Click Next. The Sophos Mobile Control - SSL Certificate Wizard finished dialog is displayed.

9. Click Finish.
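Before the PKCS12 file is selected in the Configuration Wizard, it can be inspected to confirm that it holds the private key, names the server FQDN entered in step 4, and chains to a root this machine trusts. The function below is an added example, not part of the Sophos guide or product. Its name is hypothetical, and the file path and host name in the usage comment are placeholders.

```powershell
# Added example (not vendor code). Inspects a PKCS12 server certificate file.
# Uses only .NET classes available to PowerShell 2.0.

function Test-SmcServerPkcs12 {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [Parameter(Mandatory = $true)][string]$ServerFqdn
    )

    # Import() only accepts a plain string, so unwrap the SecureString locally.
    $cred  = New-Object System.Management.Automation.PSCredential('pkcs12', $Password)
    $plain = $cred.GetNetworkCredential().Password

    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    # Throws if the file is not PKCS12 or the password is wrong.
    $bundle.Import((Resolve-Path $Path).ProviderPath, $plain, $flags)

    # The server certificate is the one entry that carries a private key.
    $leaf = @($bundle | Where-Object { $_.HasPrivateKey })
    if ($leaf.Count -ne 1) {
        return @("Expected exactly one certificate with a private key, found $($leaf.Count).")
    }
    $leaf = $leaf[0]
    $findings = @()

    # Validity period.
    $now = Get-Date
    if ($now -lt $leaf.NotBefore -or $now -gt $leaf.NotAfter) {
        $findings += "Certificate is not valid today (valid $($leaf.NotBefore) to $($leaf.NotAfter))."
    }

    # Name check: subject CN plus subjectAltName entries (OID 2.5.29.17).
    $names = @($leaf.GetNameInfo('SimpleName', $false))
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Formatted as "<label>=<value>, ..."; keying on "=" keeps this locale independent.
        $names += @([regex]::Matches($san.Format($false), '=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }
    # -like gives a case-insensitive match and lets a wildcard name such as *.example.com match.
    if (-not ($names | Where-Object { $ServerFqdn -like $_ })) {
        $findings += "Server name '$ServerFqdn' is not among the certificate names: $($names -join ', ')."
    }

    # Chain check: intermediates come from the file, the root must be trusted by this machine.
    if ($leaf.Subject -eq $leaf.Issuer) {
        $findings += 'Certificate is self-signed.'
    }
    if ($bundle.Count -lt 2) {
        $findings += 'File contains no intermediate or CA certificates.'
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not checked here, so the test also works without network access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ExtraStore.AddRange($bundle)
    if (-not $chain.Build($leaf)) {
        foreach ($status in $chain.ChainStatus) {
            $findings += "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }

    return $findings
}

# Usage (path and host name are placeholders):
#   $pw = Read-Host 'PKCS12 password' -AsSecureString
#   Test-SmcServerPkcs12 -Path 'C:\path\to\server.p12' -Password $pw -ServerFqdn 'smc.example.com'
# An empty result means no findings.
```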


3.2 Install and set up the Sophos Mobile Control Server

Prerequisites:

■ The license key for the operation of the Sophos Mobile Control Server needs to be available on the machine that you want to install the server on. You are prompted to enter the key via copy and paste.
  Note: If you have registered for a free trial version, you can request a trial license during the setup process. For further information, see Trial licenses (section 1.3).

■ If you want to use the database type MySQL, the MySQL JDBC driver is required. Download this driver from http://www.mysql.com/downloads/connector/j/ and save it on the server. You need to select it during Sophos Mobile Control configuration.

■ If the database is not held locally, you need access to the TCP Port 3306 for MySQL and 1433 for MS SQL. In addition, you need an admin account that can log in from the Sophos Mobile Control Server.

1. Execute the Sophos Mobile Control installer, review and agree to the License Agreement. The System Property Checks dialog is displayed.

   To check that the system environment fulfills all necessary requirements for Sophos Mobile Control installation, click Check. If you want to generate a system check report after the check has been run, click Report.

2. If all requirements are fulfilled, click Next.

3. The License dialog is displayed.

   ■ Enter the client resolvable SMC server name.
   ■ If you have purchased the software, select Full, copy the license key you received and paste it into the Key field.
   ■ If you have registered for a free trial version, select Trial and enter the email address you used when registering. For further information, see Trial licenses (section 1.3).

   The Choose Install Location dialog is displayed.

   Choose the destination folder and click Install to start installation.

4. After the installation process the Sophos Mobile Control Configuration Wizard welcome dialog is displayed. Click Next.

5. In the Database selection dialog you can select:

   ■ Use Microsoft SQL Server
   ■ Use MySQL
     For this option, the MySQL JDBC driver is required. Select Use MySQL and browse for the driver you have downloaded.

   Click Next to specify server information and logon credentials in the Database Settings dialog. This dialog offers the required options according to the database type you have selected.


6. If you have selected Use Microsoft SQL Server in the Database selection dialog, the Database Settings dialog offers the following options.

To use the user credentials specified during SQL server installation, select Use SQL Server Authentication with the following credentials and enter the required user name and password. Click Next to continue.


7. If you have selected Use MySQL in the Database selection dialog, the Database Settings dialog offers the following options:

Under Authentication, enter the required user name and password. Click Next to continue.


8. In the next step, you create the database. In the Database Selection dialog, select Create a new database named, enter a name (for example SMCDB) and click Next.

The Database Configuration dialog is displayed. It shows the relevant progress messages. After the database has been successfully created and populated, click Next.


9. In the next step, you can select optional setup steps in the Choose setup steps dialog. Setup steps that are mandatory for initial configuration are preselected and greyed out.

   You can select the following optional steps:

   ■ Configure user interface access IP range
     In this step, you can configure an IP range white list to manage access to the Sophos Mobile Control web console and the Self Service Portal.

   ■ Configure Exchange ActiveSync Proxy
     This step is preselected, but you can deactivate it. With this step you set up the standard embedded EAS Proxy. If you want to set up EAS Proxy separately with several instances (for example for load balancing), run the separate EAS Proxy setup. For further information, see External EAS Proxy server (section 4).
     Note: The EAS Proxy configuration step is necessary for configuring compliance check settings. If you run the separate EAS Proxy setup and need to configure compliance check settings, leave this step selected.

   ■ Configure HTTP proxy
     If you use a corporate HTTP proxy, select this option to enter the relevant server details and configure Sophos Mobile Control accordingly.

   ■ Enable SCEP (Simple Certificate Enrollment Protocol) for iOS devices
     Select this option to enable SCEP support for iOS devices. By configuring SCEP support you allow devices to obtain certificates from a Certificate Authority by using SCEP. All required settings for SCEP can be configured by a super administrator in the Sophos Mobile Control web console. For further information, see the Sophos Mobile Control super administrator guide.

   ■ Send error emails
     Select this option to receive notification emails if Sophos Mobile Control errors occur, for example if a connection to an external server fails.

   Select the required optional steps and click Next.

10. In the next step, you configure a super administrator account. The super administrator you create in this dialog has specific rights and tasks and is primarily used for customer management. In Sophos Mobile Control, customers are the tenants that manage the devices of their users. The super administrator logs on to a super administrator customer and can, for example, predefine settings for new customers and push settings and configurations to existing customers. For further information, refer to the Sophos Mobile Control super administrator guide.

    In the Configure super admin account dialog, enter the Super admin customer (the customer the super administrator will log on to), the Super admin login (the super administrator login name) and a Super admin password. Confirm the password and click Next.

    Note: These credentials are required for logging on to the Sophos Mobile Control web console.

    Note: The super administrator should not be used in productive operation, but only for administrative purposes. The super administrator is primarily intended for customer management.


11. If you have selected the optional setup step Configure user interface access IP range in Choose setup steps, you can configure an IP range white list for user interface access in the next step.



■ In Administration Interface, enter the whitelist for the Sophos Mobile Control administrator web console.

■ In Self Service Portal, enter the whitelist for the Sophos Mobile Control Self Service Portal.

Follow the instructions for entering IP addresses shown in the dialog. After you have entered all required information, click Next.


12. In the next step, you enter SMTP information and logon credentials. Note: This is required to enable emails to be sent to new users to provide them with logon credentials. In the Configure SMTP dialog under Enter SMTP server information, enter the SMTP information and click Next. Under Enter Sophos Mobile Control server email information, enter the email information for exception and report mails (for example for an expired APNs certificate).


13. If you have left the option Configure Exchange ActiveSync Proxy in the Choose setup steps dialog selected, you configure the Exchange Active Sync (EAS) Proxy information in the next step. Note: The EAS Proxy configuration step is necessary for configuring compliance check settings in the next step. If you run the separate EAS Proxy setup (for example for load balancing), enter non-applicable information here. Note: If you want to use Lotus Traveler and connect Android devices to Traveler, you need to set up an external EAS Proxy server. For further information on how to set up an external EAS Proxy server, see Install external EAS Proxy server (section 4.2). Note: EAS Proxy log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.

Enter the relevant EAS-Proxy information and select Use SSL, if required. Under Default mail access for new devices under management, specify how email access should be checked and handled:

■ Select Compliance check controlled email access for an ongoing automatic check if devices comply with your corporate rules for mobile access. If devices are not compliant, further email access through EAS proxy may be denied depending on the compliance settings specified in the Sophos Mobile Control web interface.

■ Select Allow email access if all new managed devices are to be granted email access through EAS proxy. The administrator has to deny access individually.

■ Select Deny email access to deny new managed devices email access through EAS proxy. The administrator has to grant access individually.

Click Next.


14. If you have configured the EAS Proxy setup in the last step you can configure the compliance check in the next step.

For compliance check, you can configure the following:

■ In the Compliance check interval (in minutes) field, enter the time interval in which the check is to be performed.

■ In the Device sync interval (in minutes) field, enter the time interval after which the device synchronizes with the server.

Note: The value you set in this field only applies to iOS devices. For Android and Windows Mobile devices a default of 24 hours applies. To define a different interval for these device types, use the command bundle Set MDM Sync Interval (in minutes). The Command Bundles function is disabled by default in the web console. You can activate it in the Personal tab of the General settings view. For further information, see chapter Configure personal settings in the Sophos Mobile Control administrator guide. For Windows Phone 8 devices, you can set the MDM synchronization interval in the Windows Phone client tab of the General settings view in the web console. For further information, see section Configure Windows Phone 8 specific settings in the Sophos Mobile Control administrator guide. Click Next.


15. In the next step, a certificate for the secure (HTTPS) access to the web server needs to be created or imported. Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your SSL certificate for Sophos Mobile Control. For further information, see Request an SSL certificate for Sophos Mobile Control (section 3.1).

■ If you do not have a trusted certificate yet, select Create self signed certificate, click Next and continue with step 16.

■ If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the dropdown list, click Next and continue with step 17. You can also select Separate files for certificate, private key, intermediate and CA certificate from the dropdown list, click Next and continue with step 18.

16. If you have selected Create self-signed Certificate, the following dialog is shown. Enter the appropriate certificate information.

After you have entered all necessary information click Next.


17. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter the password.

Click Next.


18. If you have selected Separate files for certificate, private key, intermediate and CA certificate under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter the password for the private key.

Click Next.


19. If you have selected the optional setup step Configure HTTP proxy in Choose setup steps, you can enter your HTTP proxy configuration details in the next step. In the HTTP Proxy Setup dialog, enter your Proxy Host and Proxy Port and select Enable proxy server.

Note: You can enable or disable the use of the proxy server for the Sophos Mobile Control server any time by running the Configuration Wizard again and selecting or deactivating the Enable proxy server checkbox. Note: If proxy is defined in Windows Internet Explorer, the information is automatically transferred to the HTTP Proxy Setup dialog.


20. In the next step, you verify the license information.

Click Next to confirm the licensing and configuration process.


21. Configuration is now complete.


22. After installation has finished, the Sophos Mobile Control - Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control server now is selected and click Finish to start the Sophos Mobile Control server for the first time.

If you have selected SQL server authentication during installation, the SMCSVC service is started automatically and the Sophos Mobile Control server is executed. If you have selected Windows authentication, you first have to enter logon details in the service and start it afterwards.

Note: After the service has been started it can take a few minutes before the web interface is available.

Note: If a different language than English is used for the SQL login, an error occurs and an error message is displayed. To solve this problem, first stop the SMCSVC service. Then open SQL Management Studio on the server and select Security followed by Logins. Edit the properties of the user that is used to start the SMC server and set the Default language for this account to English. Click OK and start the SMCSVC service again.


Continue with the following configuration steps:

■ In the Configuration Wizard, you have now created a super administrator and a super administrator customer. This setup does not support the LDAP connection to a directory service such as Active Directory and the self-registration of end users with the Self Service Portal. To support these features, a customer must be created by the super administrator. For further information, refer to the Sophos Mobile Control super administrator guide.

■ If you have selected to configure the EAS Proxy server separately, configure the EAS Proxy now, see External EAS Proxy server (section 4).

4 External EAS Proxy server

With Sophos Mobile Control you can set up an external EAS Proxy server with several instances. Sophos Mobile Control offers a separate EAS Proxy. You can download the installer from the Sophos Mobile Control web console. For further information, see Download external EAS Proxy installer (section 4.1).

Features

Besides the features of the internal EAS Proxy, the external EAS Proxy offers the following features:

■ Lotus Traveler client support (which is not ActiveSync)

■ Support for multiple Microsoft Exchange and Lotus Traveler servers (one instance per mail server, one TCP port per instance)

Usage scenarios

Note: For Sophos Mobile Control as a Service, the following scenarios do not apply. In this scenario, the EAS Proxy server is suitable for installation in your own environment because the EAS Proxy communicates through HTTPS with the Sophos Mobile Control Server.

An external EAS Proxy server should be used for the following scenarios:

■ You use Lotus Traveler for non-iOS devices.
  The internal EAS Proxy cannot handle this scenario as Active Sync is not used here. The internal EAS Proxy supports iOS devices for Lotus Traveler as Traveler supports ActiveSync for iOS only. So for iOS devices you do not need to use the external EAS Proxy. For other platforms (for example, Android or Windows Mobile), Lotus Notes Traveler is supported by the external EAS Proxy. For these platforms, a dedicated Traveler client software is required. This software is available through /servlet/traveler or the Traveler file system. Sophos Mobile Control can install and uninstall the client software. Configuration has to be done manually.

■ You want to support multiple backend servers.
  With the external EAS Proxy you can set up multiple instances of backend mail systems. Each instance needs an incoming TCP port. Each port can connect to a different backend. You need one URL per EAS instance.

■ You want to set up load balancing for EAS.
  For this scenario an existing load balancer for HTTP is required. You set up the external EAS Proxy on different machines.

Setup

The following applies to installation and setup:

■ The external EAS Proxy can be installed on the same server, but needs to listen on different ports.

■ Each instance is secured by an automatically generated certificate that needs to be uploaded to the SMC server.

■ The external EAS Proxy can run on different (virtual and physical) machines.

■ Simple Windows setup

4.1 Download external EAS Proxy installer

1. Log on to the Sophos Mobile Control web console as a super administrator.

2. In the web console menu bar select Settings and click System setup. The System setup view is displayed.

3. Go to the EAS Proxy tab and click the download link.

4.2 Install external EAS Proxy server

Prerequisite:

■ Sophos Mobile Control has been installed and set up, see Install and set up the Sophos Mobile Control Server (section 3.2).

■ If the EAS Proxy is to be installed on a separate machine, Java JRE needs to be installed.

To configure the EAS Proxy server separately:

1. Execute the Sophos Mobile Control EAS Proxy Setup.exe. The Sophos Mobile Control EAS Proxy Setup welcome dialog is displayed. Click Next.

2. In the License Agreement dialog, review the license terms and click I Agree.


3. In the Choose Install Location dialog, choose the destination folder and click Install to start installation.

4. After Sophos Mobile Control EAS Proxy has been installed, the EAS Proxy Configuration Wizard welcome dialog is displayed. Click Next.

5. In the SMC Server configuration dialog, select the SMC Server to be used. Optionally, select Use SSL for incoming connections (Clients to EAS Proxy). Click Next.


6. In the next step, a certificate for the secure (HTTPS) access to the web server needs to be created or imported.

Note: Your Sophos product delivery includes an SSL Certificate Wizard that you can use to request your SSL certificate for Sophos Mobile Control. For further information, see Request an SSL certificate for Sophos Mobile Control (section 3.1).

■ If you do not have a trusted certificate yet, select Create self signed certificate, click Next and continue with step 7.

■ If you have a trusted certificate, click Import a certificate from a trusted issuer, select PKCS12 with certificate, private key and certificate chain (intermediate and CA) from the dropdown list, click Next and continue with step 8. You can also select Separate files for certificate, private key, intermediate and CA certificate from the dropdown list, click Next and continue with step 9.

7. If you have selected Create self-signed Certificate, the following dialog is shown. Enter the appropriate certificate information.

After you have entered all necessary information click Next.


8. If you have selected PKCS12 with certificate, private key and certificate chain (intermediate and CA) under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate file and enter the password.

Click Next.


9. If you have selected Separate files for certificate, private key, intermediate and CA certificate under Import a certificate from a trusted issuer, the following dialog is shown. Select the appropriate files and enter the password for the private key.

Click Next.


10. In the next step, you configure the EAS Proxy instances. In the EAS Proxy instance setup dialog, enter an Instance name, the relevant Server port (incoming traffic) and the ActiveSync Server (target). Select Enable traveler client access to enable Lotus Traveler client access. After entering the instance information, click Add to add the instance to the Instances list.

After you have added the instance the following message is displayed:

Click OK. A window with the certificate that needs to be uploaded to Sophos Mobile Control opens.

11. In the next step, you need to upload the certificate in the Sophos Mobile Control web console as a super administrator. For further information on Sophos Mobile Control super administrators, see the Sophos Mobile Control super administrator guide.

a) Log on to the Sophos Mobile Control web console as a super administrator.
b) In the web console menu bar, go to Settings and click System setup.
c) In the EAS Proxy tab, browse for the certificate and click Upload.


The certificate is uploaded and shown in the EAS Proxy tab.
d) Click the Save button.

Note: The certificate needs to be uploaded before the EAS proxy server is started. Otherwise Sophos Mobile Control rejects the server and the service will not be started.

12. In the EAS Proxy instance setup dialog of the EAS Proxy Configuration Wizard, click Next. The server port you entered is checked and the Sophos Mobile Control EAS Proxy Configuration Wizard finished dialog is displayed.

13. Configuration is now complete. Click Finish to close the Configuration Wizard.


14. After installation has finished, the Sophos Mobile Control EAS Proxy Installation finished dialog is displayed. Make sure that the check box Start Sophos Mobile Control EAS Proxy server now is selected and click Finish to start the Sophos Mobile Control EAS Proxy server for the first time.

The Sophos Mobile Control EAS Proxy server has been installed and configured. Note: EAS Proxy log files are not cleared automatically and can become very extensive. To prevent problems caused by this, delete the log files manually.
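Before importing a file in step 8, it is worth confirming that the PKCS12 file really contains the certificate, its private key and the chain, and that the certificate has not expired. The following check is an added example, not part of the Sophos wizard; the function name Test-Pkcs12Bundle and the sample path are assumptions.

```powershell
# Added example, not Sophos code. Inspects a PKCS12 file before it is imported in step 8.
# Requires Windows PowerShell 5.1 or later.
function Test-Pkcs12Bundle {
    param(
        [Parameter(Mandatory)] [string] $Path,            # .p12 / .pfx file to check
        [Parameter(Mandatory)] [securestring] $Password   # password of that file
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    # Throws if the password is wrong or the file is not valid PKCS12.
    $certs.Import((Resolve-Path -LiteralPath $Path).Path, $plain, $flags)

    # The server certificate is the only entry that carries a private key.
    $withKey = @($certs | Where-Object HasPrivateKey)
    if ($withKey.Count -ne 1) {
        throw "Expected exactly one certificate with a private key, found $($withKey.Count)."
    }
    $leaf = $withKey[0]

    # Follow issuer names upwards using only certificates inside the file.
    # This checks completeness of the bundle by name; it does not verify signatures.
    $chain = @(); $current = $leaf
    while ($current.Subject -ne $current.Issuer -and $chain.Count -lt $certs.Count) {
        $issuer = $certs | Where-Object { $_.Subject -eq $current.Issuer } |
            Select-Object -First 1
        if (-not $issuer) { break }      # intermediate or CA missing from the file
        $chain += $issuer; $current = $issuer
    }

    [pscustomobject]@{
        Subject       = $leaf.Subject
        NotAfter      = $leaf.NotAfter
        Expired       = $leaf.NotAfter -lt (Get-Date)
        SelfSigned    = $leaf.Subject -eq $leaf.Issuer
        ChainLength   = $chain.Count
        ChainComplete = $current.Subject -eq $current.Issuer   # walk ended at a self-signed root
    }
}

# Constructed usage; the path is a placeholder:
# Test-Pkcs12Bundle -Path 'C:\certs\easproxy.p12' -Password (Read-Host -AsSecureString)
```

A result with ChainComplete set to False means the intermediate or CA certificate is missing from the file, in which case the separate-files option of step 9 is the alternative.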


5 Running the Sophos Mobile Control Service as a limited user

For security reasons, you may want to run the SMC service as a limited user instead of an administrator.

Note: If you use Windows Authentication for database access, you only have to carry out step 3 of the following description.

1. On the computer on which Sophos Mobile Control is running, create a local, “regular” Windows user account with a password that does not expire.
2. Remove this user account from all groups. (By default, the user is in the “users” group.)
3. Grant this user account full access to the Sophos Mobile Control installation directory (C:\Programs\Sophos\Sophos Mobile Control) including all subdirectories.
4. In the SMCSVC service properties, change the user to this user account with the relevant password.
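Steps 1 to 4 above, scripted as an added PowerShell example (not part of the Sophos guide). The account name smc-svc is an assumed placeholder; the directory and the SMCSVC service name are the ones given in the steps. Run it from an elevated prompt on Windows PowerShell 5.1 or later.

```powershell
# Added example, not Sophos code. Run elevated on the SMC server.
$UserName   = 'smc-svc'    # assumed account name; choose your own
$InstallDir = 'C:\Programs\Sophos\Sophos Mobile Control'   # path from step 3
$Service    = 'SMCSVC'     # service name from step 4

# Step 1: local account with a password that does not expire.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
New-LocalUser -Name $UserName -Password $Password -PasswordNeverExpires `
    -Description 'Sophos Mobile Control service account' | Out-Null

# Step 2: remove the account from every local group it belongs to.
$sid = (Get-LocalUser -Name $UserName).SID.Value
foreach ($group in Get-LocalGroup) {
    $isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid }
    if ($isMember) { Remove-LocalGroupMember -Group $group -Member $UserName }
}

# Step 3: full access to the installation directory and everything below it.
# (OI)(CI) makes the entry inherit to files and subfolders; /T applies it to existing children.
icacls.exe $InstallDir /grant "${UserName}:(OI)(CI)F" /T
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 4: switch the service logon account.
# Unlike the Services console, this call does not grant the "Log on as a service"
# right; assign it to the account in Local Security Policy before starting the service.
$plain  = [System.Net.NetworkCredential]::new('', $Password).Password
$result = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'" |
    Invoke-CimMethod -MethodName Change -Arguments @{
        StartName     = ".\$UserName"
        StartPassword = $plain
    }
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change returned $($result.ReturnValue)"
}

# Verify: the service should now report the new logon account.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'").StartName
```

The new logon account takes effect the next time the service is started.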


6 Updating Sophos Mobile Control licenses

For updating regular Sophos Mobile Control licenses and for upgrading trial licenses to full licenses, the SMC License Wizard is available. You can find this tool in the Sophos Mobile Control Start menu entry.

1. Copy the new license key to the clipboard of the machine where Sophos Mobile Control is installed.
2. Go to the Sophos Mobile Control entry in your Windows Start menu and double-click License Wizard. The Sophos Mobile Control - License Update dialog is displayed.
3. Paste the license key to the input box and click Get license.
4. Click Update. If the license has been updated successfully, a confirmation message is displayed.
5. Restart the SMC service.


7 Updating Sophos Mobile Control

Note: When you update Sophos Mobile Control from an older version, you may need to update Java, if you still use JDK 1.6. To do so, uninstall the old Java version and install the new one. You also need to manually adjust the following environment variables:

■ JAVA_HOME

■ Path

7.1 Updating from version 3 to 4

SMC Server installations version 3 cannot be updated directly to version 4. Version 3 needs to be updated to version 3.5 or 3.6 first and then to version 4.

7.2 Updating from version 3.5 or 3.6 to 4

To update your SMC Server installation to version 4, execute the Sophos Mobile Control 4 installer. The installer automatically detects that an existing installation is to be updated to version 4. The administrator is asked whether the service should be stopped. The database is updated automatically. If you use SQL authentication, you may have to specify the "sa" account of the SQL server when you upgrade to change the existing SQL users and passwords.

7.3 Updating the external EAS Proxy server

You can update the external EAS Proxy server to its latest version 3.5 from the previous two available versions 2.5 and 3.0.

Note: For the upgrade of the external EAS Proxy server to version 3.5 the Sophos Mobile Control Server must be at version 3.0 or 3.5. The external EAS Proxy server 3.5 is only supported as of Sophos Mobile Control Server 3.0 or later.

To update the EAS Proxy server, execute the separate EAS Proxy installer version 3.5. You can download the installer from the Sophos Mobile Control web console. For further information, see Download external EAS Proxy installer (section 4.1).


8 Apple Push Notification service

To use the built-in Mobile Device Management (MDM) protocol of devices running Apple iOS 4 (or higher), Sophos Mobile Control must use Apple’s Push Notification service (APNs) to trigger the iOS devices. The following sections describe the requirements that have to be fulfilled and the steps you must take to get access to the APNs servers with your own client certificate.

Sophos Mobile Control offers an APNs Certificate Wizard for creating your APNs certificate. The wizard is included in your product delivery. It is also available for download in the web console.

Note: Do NOT use Internet Explorer for any Apple websites. Apple recommends their own Safari browser, but Mozilla Firefox, Opera or Google Chrome also work.

8.1 Requirements

For silent operations all devices must have at least iOS version 4 installed. A free update is available from Apple for

■ iPhone 3G, 3GS, 4, 4S, 5C, 5S

■ iPad

■ iPod touch, 3rd or 4th generation

To notify iOS devices, the Sophos Mobile Control server needs to connect to the Apple Push Notification service. The notifications are sent SSL-encrypted to

■ gateway.push.apple.com:2195 TCP (17.0.0.0/8)

■ iOS devices with Wi-Fi only
Note: iOS devices with Wi-Fi only need access to APNs, as corporate networks usually accept only HTTP and HTTPS.

■ Wi-Fi iOS device -> *.push.apple.com:5223 TCP (17.0.0.0/8)

8.2 Create and upload an APNs certificate

To create an APNs certificate, you use the APNs Certificate Wizard. The wizard is included in your product delivery. It is also available for download in the web console. In the web console menu bar, go to Settings, click System Setup and go to the iOS settings tab. To download the wizard, click the available download link.

1. Start the APNs Certificate Wizard by double-clicking the file APNs Certificate Wizard.exe. The APNs Certificate Wizard welcome dialog is shown.
2. Click Next and accept the license agreement.


3. Click Next. The Create Certificate Signing Request dialog is shown.
4. Enter your Company Name and your Country code (for example US). These fields are mandatory.
Note: Below these fields, the dialog shows where all data of the process is stored. Make a note of this information.
5. Click Next. The Upload PLIST dialog is displayed.
6. In this step, you upload the Certificate Signing Request to Apple. Follow the instructions in the dialog:
a) Open the Apple site indicated in the dialog in your browser.
Note: Do not use Internet Explorer to open the Apple site as this may cause problems. Use Firefox, Chrome or Safari instead. We recommend using the latest browser versions.
b) Log in with your Apple ID. If you do not have an Apple ID, create one.
c) In the first dialog of the Apple Push Certificates Portal, click Create a Certificate.
d) Accept the terms and conditions.
e) Browse for your Certificate Signing Request (*.plist) and click Upload. You find the file name and the path in the Upload PLIST dialog of the Sophos APNs Certificate Wizard. Your Apple push certificate is created.
f) Save the certificate file (*.pem) in the directory indicated in the Upload PLIST dialog.
7. Click Next. The Create P12 dialog is displayed.
8. In this step, you create your APNs certificate for Sophos Mobile Control. Enter a password for the APNs certificate. You need this password later, when you upload the .P12 certificate file to Sophos Mobile Control.
Note: The Create P12 dialog shows the directory the certificate will be stored in. Make a note of this information. We recommend that you create a backup of the folder that contains the certificate files.
9. Click Next. The Sophos Mobile Control - APNs Certificate Wizard finished dialog is displayed.
10. Click Finish.


11. In the Sophos Mobile Control web console menu bar, go to Settings, select System setup and go to the iOS settings tab.
12. Browse for the .p12 certificate file you have created and enter your password. For future reference (for example when the certificate needs to be updated) you can enter the Apple ID used for creating the certificate. Click Upload. After the file has been uploaded successfully, a confirmation message is displayed.
13. Click Save.

8.3 Migrating APNs certificates from the iOS Developer Enterprise Program

Certificates created with the iOS Developer Enterprise Program (iDEP) cannot be renewed from within the iDEP anymore. If you have created your MDM APNs certificates with iDEP and they are about to expire, you have to migrate them to the new method described in Create and upload an APNs certificate (section 8.2).

To renew a certificate:

1. Go to https://identity.apple.com/pushcert/ and log in with your iDEP Apple ID that you used to create your existing APNs certificate.
2. Carry out the following steps. For details on individual steps, see Create and upload an APNs certificate (section 8.2).
a) Create a CSR.
b) Let Sophos sign the CSR.
c) Click the Renew button and upload the signed CSR.
d) Download the certificate.
e) Convert the APNs Certificate for Sophos Mobile Control.


9 Technical support

You can find technical support for Sophos products in any of these ways:

■ Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem.

■ Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx.

■ Download the product documentation at http://www.sophos.com/en-us/support/documentation.aspx.

■ Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.


10 Legal notices

Copyright © 2011 - 2014 Sophos Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
