Guide to SysAid Mobile Device Management (MDM)

 

Table of Contents

 

    Introduction
    Enabling SSL Access to Your SysAid Server
    Enabling SysAid MDM for iOS
    Creating Device Policies
    Enrolling Mobile Devices
    Managing Mobile Devices
    Unenrolling Mobile Devices
    End User Resources
    Contact Us

 

 

Introduction

 

One of the fastest-moving trends in technology today is the drive towards increased mobility. Computing has traditionally been performed from desktop computers that, for the most part, stay in one place. Laptops have grown in popularity in recent years, adding a new twist to IT inventory management, but their size and power requirements mean that their mobility is limited, and because they run traditional OSes, managing laptops is similar in many ways to managing desktops. The last couple of years, however, have seen a tremendous push towards lightweight mobile devices such as smartphones and tablets. These non-traditional computing devices travel almost everywhere with their owners and run their own operating systems. This makes effective IT management a challenge, and since these devices are also used to store and process confidential, sometimes critical, company information, managing them properly is essential.

 

In order to help you effectively manage your mobile device assets, SysAid includes Mobile Device Management (MDM) capabilities. Using SysAid MDM, your users can quickly and easily enroll their Android or iOS mobile devices. Once enrolled, you and your users will enjoy the following benefits:

 

This guide will walk you through the process of creating management policies for your mobile devices, enrolling the mobile devices, and then managing them.

 

SysAid MDM security

 

All SysAid MDM communication between mobile devices and the SysAid Server is carried over SSL. To guarantee this, SysAid MDM only functions in environments that meet the requirements described in the following sections: the SysAid Server must be reachable from the internet over SSL with a certificate issued by a public certification authority, and it must run Tomcat 7.0.19 or later. Managing iOS devices additionally requires an Apple Push Notification service (APNs) certificate.

 

If you are using SysAid In-House Edition, you can start using SysAid MDM as soon as you complete these security configurations.

If you are using SysAid Cloud Edition, SSL access over the internet is already provided, and you need only generate the APNs certificate.

 

Upgrading to Tomcat 7

 

If you have been using SysAid since version 8.0 or earlier, you must upgrade Tomcat on your SysAid Server to Tomcat 7.0.19 or later. Please contact SysAid Support for instructions on upgrading your Tomcat version. If you first installed SysAid at version 8.5 or later, you should already have Tomcat 7.0.19 or later.

 

To check which version of Tomcat you are using from within SysAid, click your user name in the top right corner, choose About, and check the Application Server entry.

 

Note about MDM terminology in SysAid

 

MDM allows you to manage your mobile devices using SysAid. In SysAid, each mobile device is an asset with Type Smartphone or Type Tablet. (Type is a field on the Asset form.) In this guide, the term mobile device is used to refer to either of these two asset types.

 

Permissions for MDM

 

In order to manage SysAid MDM, an administrator must have the Manage Mobile Devices permission. Permissions may be modified under Tools > User Management > Administrators > (choose an individual administrator profile) > Permissions (tab).

 

The portions of MDM that are available only to admins with the Manage Mobile Devices permission include:

 

Admins without this permission may still view and edit mobile device assets as they would any other asset.

 

 

 

Enabling SSL Access to Your SysAid Server (In-House Edition Only)

 

Your SysAid Server must be accessible from the internet over SSL (HTTPS) in order to use SysAid MDM, because enrolled devices connect to it from outside your network.

 

For instructions for enabling SSL on your SysAid Server, please go here.

 

Note: The SSL certificate used to enable SSL must be signed by a public certification authority (e.g. VeriSign, GoDaddy, Comodo). Mobile devices trust only the CAs in their built-in trust stores, so a self-signed certificate or one issued by an internal CA will cause enrollment to fail. Make sure the server also presents the CA's intermediate certificates, since a device that receives only the leaf certificate cannot build the chain, and that the certificate's name matches the host name users are given in the enrollment link.

 

 

 

Enabling SysAid MDM for iOS

 

In order for SysAid MDM to manage iOS based devices, you must first create an Apple Push Certificate for SysAid MDM. To do so, go to Settings > Asset Management > MDM Settings and follow the instructions for Enabling Mobile Device Management for iOS.

 

 

This step is not needed to manage Android based devices.

 

Important! (for SysAid In-House Edition) Make sure that the SysAid Server has access to the internet and can reach Apple's push notification server, gateway.push.apple.com, over TCP port 2195. This is a direct TLS connection from the SysAid Server, so it cannot be routed through an HTTP proxy; the outbound port must be opened on the firewall. Note that TCP 2195 is Apple's legacy binary APNs interface, so confirm in SysAid's current documentation which endpoint your version uses before changing firewall rules.
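As an added example (not SysAid's own code), the following PowerShell script performs the two connectivity checks that the SSL requirement above and this APNs note call for: it connects to the SysAid Server's public host name, reports whether the certificate chain validates and whether the name matches, and then tests whether gateway.push.apple.com:2195 accepts a TCP connection. The host name sysaid.example.com and port 8443 are assumptions. Run the TLS check from outside your network, which is the path a phone takes, and the APNs check on the SysAid Server itself. The chain is validated against the Windows trust store, which is a close but not exact stand-in for the iOS and Android stores.

```powershell
# Added example, not part of SysAid: pre-flight checks for an In-House SysAid MDM server.
# Assumed values; replace them with your own.
$SysAidHost = 'sysaid.example.com'       # public host name in the enrollment link (assumption)
$SysAidPort = 8443                       # the SSL connector port (assumption)
$ApnsHost   = 'gateway.push.apple.com'   # from the guide
$ApnsPort   = 2195                       # from the guide

# TCP reachability with a timeout, so a silently dropping firewall does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out
        $client.EndConnect($async)   # throws on refusal or DNS failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TLS handshake plus an explicit chain build, reporting why a device would distrust the server.
function Test-TlsChain {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake; the chain is judged explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation needs online access
        $trusted  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Host name match against the certificate's DNS names (wildcard names handled by -like).
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
        $nameMatches = [bool]($names | Where-Object { $HostName -like $_ })

        [pscustomobject][ordered]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = $problems
            NameMatches  = $nameMatches
        }
        $ssl.Close()
    } finally {
        $client.Close()
    }
}

$tls = Test-TlsChain -HostName $SysAidHost -Port $SysAidPort
$tls | Format-List
if (-not $tls.ChainTrusted -or -not $tls.NameMatches) {
    Write-Warning "Devices will not trust ${SysAidHost}:$SysAidPort ($($tls.ChainStatus)); enrollment will fail until a public-CA certificate with its full chain is installed."
}

if (Test-TcpPort -HostName $ApnsHost -Port $ApnsPort) {
    "APNs gateway ${ApnsHost}:$ApnsPort is reachable"
} else {
    Write-Warning "Cannot reach ${ApnsHost}:$ApnsPort; APNs traffic cannot use an HTTP proxy, so open TCP $ApnsPort outbound from the SysAid Server."
}
```

A ChainStatus of UntrustedRoot or PartialChain is the signature of a self-signed or internal-CA certificate, or of a missing intermediate; NotTimeValid means the certificate has expired. Any of these will stop devices from enrolling even though a browser on the server itself may show no error.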

 

Showing verification for your SysAid iOS profile (SysAid In-House Edition only)

 

If you would like SysAid's iOS profile to appear as verified when users download it to their iOS devices, there is one additional step you must take:

 

Note: This process is only relevant for PFX certificates, i.e. the SysAid Server's SSL certificate and private key exported together as a .pfx (PKCS#12) file.

 

  1. Create a file named mdm.properties in the directory ..\SysAidServer\root\WEB-INF\conf\.
  2. The file should contain:

    Filename=C:\\Path\\to\\SSL\\certificate\\Certificate.pfx
    Key=CertificatePassword

    Where Filename is the path to the SSL certificate (.pfx) for the SysAid Server and Key is the password for the certificate. Note that the path to the certificate must contain double backslashes (\\), because Java properties files treat a single backslash as an escape character; a backslash in the password must be doubled for the same reason. Because this file stores the private key password in clear text, restrict its NTFS permissions to the account the SysAid Server service runs under and to administrators.
  3. Save this file.
  4. Restart the SysAid Server service.
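The following PowerShell script is an added example (not SysAid's own code) of carrying out these four steps on the SysAid Server. It checks that the PFX opens with the supplied password and contains a private key before anything is written, creates mdm.properties with the escaping the file format requires, locks down the file's permissions, and then restarts the service. The install directory C:\Program Files\SysAidServer, the certificate path C:\Certs\sysaid.example.com.pfx, and matching the service by the display name SysAid are assumptions; adjust them to your installation.

```powershell
# Added example, not part of SysAid: create mdm.properties for the verified-profile step
# only after confirming the PFX and password are usable. Paths and names are assumptions.
$SysAidRoot = 'C:\Program Files\SysAidServer'          # install directory (assumption)
$PfxPath    = 'C:\Certs\sysaid.example.com.pfx'        # the server's SSL certificate (assumption)
$PropertiesFile = Join-Path $SysAidRoot 'root\WEB-INF\conf\mdm.properties'

# Prompt for the password rather than hard-coding it in the script.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Prove the password opens the PFX and that the file actually carries the private key;
#    a certificate exported without its key cannot be used to sign the profile.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password)
} catch {
    throw "Cannot open $PfxPath with the supplied password: $($_.Exception.Message)"
}
if (-not $cert.HasPrivateKey)      { throw "$PfxPath does not contain a private key; export it again with the key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter); renew it first." }
if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate is self-signed; the profile will not show as verified.' }
"Certificate OK: $($cert.Subject) (expires $($cert.NotAfter))"

# 2. Write the file. Java reads .properties as ISO-8859-1 with backslash escapes, so every
#    backslash in the path (and in the password, if it has any) is doubled, and no UTF-8 BOM
#    is written because a BOM would become part of the first key name. Non-ASCII values are
#    not handled here.
$lines = @(
    'Filename=' + $PfxPath.Replace('\', '\\'),
    'Key='      + $password.Replace('\', '\\')
)
Set-Content -Path $PropertiesFile -Value $lines -Encoding Ascii
$password = $null

# 3. The file now holds the private-key password in clear text: strip inherited ACLs and grant
#    only SYSTEM and Administrators. Add the service account if SysAid runs under another one.
icacls $PropertiesFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null

# 4. Restart the SysAid Server service (matched by display name, since the exact name varies).
Get-Service | Where-Object { $_.DisplayName -like '*SysAid*' } | Restart-Service
```

If the SysAid Server service runs as a dedicated account rather than as Local System, grant that account read access in step 3 or the server will fail to read the certificate after the restart.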

 

 Installing a verified MDM profile

 

Troubleshooting tip for users of SysAid In-House Edition

 

In some network configurations, iOS users may receive the error "The SCEP server returned an invalid response" when they attempt to apply the SysAid MDM profile. If this happens, there is a simple solution:

 

  1. Log into the machine that hosts the SysAid Server.
  2. Open the file ..\SysAidServer\tomcat\conf\server.xml.
  3. Find the section:

    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" 
                   connectionTimeout="20000" 
                   redirectPort="8443" />

  4. Change it to:

    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" 
                   connectionTimeout="20000" maxHttpHeaderSize="8192"
                   redirectPort="8443" />

  5. Save the server.xml file.
  6. Restart the SysAid Server service.

 

This should fix the SCEP error. If it persists, try a larger value: 8192 bytes is also Tomcat 7's documented default for maxHttpHeaderSize, and SCEP requests carry a base64-encoded PKCS#7 message, so a limit of 16384 or 32768 may be needed. Raise the value only as far as required, since the same limit bounds how much header data any client can make Tomcat buffer.
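As an added example (not SysAid's own code), this PowerShell script applies the server.xml change from the steps above in a repeatable way: it backs the file up, locates the HTTP/1.1 connector on port 8080 shown in the excerpt, sets maxHttpHeaderSize, verifies that the result still parses before restarting, and restores the backup if it does not. The path C:\Program Files\SysAidServer\tomcat\conf\server.xml and matching the service by the display name SysAid are assumptions; the 8192 value is the one the guide gives.

```powershell
# Added example, not part of SysAid: apply the maxHttpHeaderSize change to server.xml with a
# backup and a parse check, so the edit is repeatable and cannot leave Tomcat with a broken file.
$ServerXml  = 'C:\Program Files\SysAidServer\tomcat\conf\server.xml'   # path is an assumption
$HeaderSize = 8192   # value from the guide; raise it if the SCEP error persists

$backup = "$ServerXml.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ServerXml -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep Tomcat's comments and indentation intact
$xml.Load($ServerXml)

# The connector shown in the guide: HTTP/1.1 on 8080, redirecting SSL requests to 8443.
$connector = $xml.SelectSingleNode("//Connector[@port='8080' and @protocol='HTTP/1.1']")
if ($null -eq $connector) { throw "No HTTP/1.1 connector on port 8080 in $ServerXml; edit it by hand." }

$current = $connector.GetAttribute('maxHttpHeaderSize')   # '' when the attribute is absent
if ($current -ne '' -and [int]$current -ge $HeaderSize) {
    "maxHttpHeaderSize is already $current; nothing changed (backup kept at $backup)"
} else {
    $connector.SetAttribute('maxHttpHeaderSize', [string]$HeaderSize)
    $xml.Save($ServerXml)
    "maxHttpHeaderSize set to $HeaderSize (previous value: '$current', backup at $backup)"
}

# Make sure Tomcat will be able to parse the result before the service is bounced.
try {
    $check = New-Object System.Xml.XmlDocument
    $check.Load($ServerXml)
} catch {
    Copy-Item -Path $backup -Destination $ServerXml -Force
    throw "server.xml no longer parses; restored from $backup. $($_.Exception.Message)"
}
Get-Service | Where-Object { $_.DisplayName -like '*SysAid*' } | Restart-Service
```

Keep the backup until enrollment has been confirmed working; if Tomcat fails to start after the restart, copy it back over server.xml and restart the service again.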

 

 

 

Creating Mobile Device Policies

 

In SysAid MDM, all mobile device security, Wi-Fi, and email settings are defined in policies. Each mobile device is then assigned a policy. You can create as many policies as you need, giving you tremendous flexibility in managing your mobile devices.

 

Contents of a mobile device policy

 

Each policy contains:

 

Creating mobile device policies

 

To create a new mobile device policy, go to Settings > Asset Management > Mobile Device Policies and click the add button. Detailed instructions for creating a device policy can be found here.

 

Create as many policies as you need for your mobile devices. Remember that each mobile device is attached to only one policy at any given time.

 

Modifying mobile device policies

 

From Settings > Asset Management > Mobile Device Policies, click any policy in the list to modify it. Note that as soon as you save a change to a device policy, it is automatically pushed to all mobile devices that use that policy, so test changes on a policy with few attached devices before editing a widely used one.

 

 

 

Enrolling Mobile Devices

 

Now that you've created policies for your mobile devices, you need to ensure that all of your users enroll their mobile devices. Whether you enroll only company owned devices or both company and employee owned devices is determined by your company policy.

 

Choosing enrollment defaults

 

Before you start enrolling devices, you should choose the default settings for newly enrolled devices. Go to Settings > Asset Management > MDM Settings. Choose the default policy, default asset group, and default ownership that are assigned to all newly enrolled mobile devices. A description of each of these options can be found here.

 

Sending a device enrollment notification

 

The next step is to send an enrollment notification to each of your users, asking them to enroll to SysAid MDM. The enrollment notification includes a link to enroll in SysAid MDM directly from the user's mobile device. The notification can be sent via email or SMS.

 

 Sending an enrollment request via email

 

You can launch an enrollment notification from several places, as described in the following table:

Location: Settings > Network Discovery > MDM
How to send the notification: Click the prominently displayed link to send a customized enrollment notification. You may choose the users and/or user groups who will receive the notification.

Location: Tools > User Management > Administrators/End Users
How to send the notification: Select one or more users and choose Enroll to MDM from the list actions. This sends the default enrollment notification with no option to edit it before sending.

Location: Tools > User Management > Administrators/End Users > Individual admin/end user profile > Assets (tab)
How to send the notification: Click the enrollment button in the list of the user's associated assets.

Location: Assets > Asset Management > Asset List > Individual asset profile > Information (tab)
How to send the notification: If the asset is not already enrolled in MDM, click Send Device Enrollment Request next to the Status field. You may choose the user who receives the notification. The Status field only appears if the currently viewed asset is a mobile device.

 

Some of these locations allow you to customize the enrollment notification before you send it. Otherwise, the default notification is used. The next section explains how to customize the default enrollment notification.

 

End user enrollment

 

Once the end user receives the device enrollment notification, they must complete enrollment. For Android, this is done by installing the mobile device management app. For iOS, this is done by applying a device profile that's pushed from the SysAid Server. End User instructions for enrollment can be found in the End User Resources section, below.

 

Customizing the default enrollment notification

 

SysAid includes a default enrollment notification so that you can start enrolling your end users immediately. If you would like, you can edit the default notification to suit your company's needs.

 

To customize the default notification:

  1. Go to Settings > Customize > Notifications.
  2. From the Notification drop-down list, choose the desired notification: Email subject for device enrollment request, Email body for device enrollment request, or SMS message for device enrollment request.
  3. Edit the notification as desired and click Save.

 

 Customizing the email enrollment notification

 

Any time you send an enrollment notification (whether SMS or email), your customized notification will be used.

 

 

Managing Mobile Devices

 

Once you've created your different device policies and your users have enrolled, you can begin to use MDM to manage your mobile devices.

 

Assigning policies to your mobile devices

 

Whenever a user enrolls to MDM, their device is assigned the default device policy specified under Settings > Asset Management > MDM Settings. It's likely that some of your users need to be assigned different device policies, depending upon their roles in the company and whether the device they have is employee-owned or company-owned. Therefore, the next thing to do is to assign the correct policy to each mobile device.

 

You can assign devices to policies in the following ways:

 

Per Policy

This allows you to assign multiple devices to a single policy. To do so:

  1. Go to Settings > Asset Management > Mobile Device Policies > (choose an individual policy) > Attached Assets (tab).
  2. Click the add button. This opens the Select Asset page.
  3. Using the tickboxes, select all mobile devices to assign to this policy.


     
  4. Click Select. This closes the Select Asset page and assigns the selected mobile devices to the policy.

 

Per Device

This allows you to update the policy for a single device. To do so:

  1. Go to Assets > Asset Management > Asset List > (choose an individual asset).
  2. From the Policies drop-down list, select the desired policy. This drop-down list only appears if the currently viewed asset is a mobile device.


     
  3. Click OK/Apply.

 

As soon as you assign a mobile device to a policy, the details of the policy are sent to that mobile device.

 

Information captured by MDM

 

In addition to propagating the policies that you created above, SysAid MDM collects information about your enrolled mobile devices. The following mobile-device-specific information is collected:

 

Current Carrier: The carrier currently being used by a mobile device.
Home Carrier: The primary service provider for a mobile device.
ICC: The unique identification number (ICCID) of the SIM card currently inserted in a mobile device.
IMEI: The unique hardware identification number of a mobile device.
MAC Address: The MAC address of the device, followed by the IP address in brackets if available.
Name: The name of the mobile device.
Ownership: Indicates whether a mobile device is owned by your company or by the employee. You must enter this manually if it differs from the default specified under Settings > Asset Management > MDM Settings.
Phone Number: The phone number of a mobile device. Not all mobile devices have phone numbers.
Serial: The asset serial number. For computers, this is the motherboard serial number.
Source: The type and version of the MDM agent installed, e.g. Source= iOS Agent (version 9.0)

 

Other information, such as installed software and OS version, is also collected. All of these fields and more can be viewed on the Asset form under Assets > Asset Management > Asset List > (choose an individual mobile device).

 

Mobile device actions

 

In addition to applying your selected device policies and collecting data, SysAid MDM gives you several remote management options for your mobile devices:

 

 

Wipe Device
Erases all data on the mobile device and restores all settings to their factory defaults. This is irreversible and also unenrolls the device from SysAid MDM. Wipe Device is typically used if a device is lost or stolen.
Lock Device
Locks the mobile device. Once locked, the user must re-enter the device passcode to resume using the device. (This is only effective if the device has a passcode enabled; without one, locking offers no protection.)
Reset Device Passcode
Clears the passcode on the mobile device, so that it can be accessed without one. If the device policy requires a passcode, the user is prompted to set a new one immediately. Until the new passcode is set, anyone holding the device can unlock it, so only reset a passcode when the device is known to be in the user's hands.

Mobile device actions can be accessed from the Asset form under Assets > Asset Management > Asset List > (choose an individual mobile device).

 

An administrator must have the Manage Mobile Devices permission in order to perform these actions.

 

 

Unenrolling Mobile Devices

 

There will be times that you need to unenroll a mobile device, such as when retiring a device, or when an employee who was using a personal device leaves the company. Unenrolling a mobile device removes the assigned device policy and removes the associated MDM profile (iOS) or management app device administrator privileges (Android).

 

You may unenroll a mobile device in the following ways:

 

Administrator unenrolls device

An administrator may remotely unenroll a device. To do so:

  1. Go to Assets > Asset Management > Asset List > (choose an individual mobile device). This opens the Asset form.
  2. From the Status field, click Remove MDM Control.

 

The mobile device is unenrolled. The Status of the mobile device is changed to Revoked by Admin. In iOS, the MDM profile is removed. In Android, the management app remains, but without device administrator privileges, and may be uninstalled manually by the user.

 

End user unenrolls device

There may be times when it's necessary for end users to unenroll their own devices. This is done differently depending upon the phone OS.

 

Instructions for unenrolling a mobile device can be found in the PDFs located below, under End User Resources.

 

After an end user completes unenrollment, the Status of the mobile device in SysAid changes to Revoked by End User. This is seen on the Asset form for the device under Assets > Asset Management > Asset List > (open an individual asset) > Information (tab).

 

 

 

End User Resources

 

The following guides explain to the end user how to enroll and unenroll a mobile device from SysAid MDM. There is one guide for Android users and one guide for iOS users. For Android, enrollment involves installing the SysAid MDM management app. For iOS, enrollment involves applying a device policy using a simple wizard.

 

 

 

 

Contact Us

 

SysAid welcomes your questions and suggestions. We can be reached via phone and email:

Toll Free phone center (U.S): 800-686-7047

Tel (U.S): +1 617-231-0124

Fax (U.S): +1 617 507 2559

Tel (Israel): +972 3 533 3675

Fax (Israel): +972 3 761 7205

Email: helpdesk@sysaid.com

SysAid community: http://www.sysaid.com/Sysforums/forums/home.page

You can also view our full support page at http://www.sysaid.com/contact_support.htm.